HostLabs DDoS Attacks Guide

Hackers have been using DoS attacks for over two decades. And although DoS and DDoS attacks are slightly different, they both do the same thing, which is to target a server and overwhelm it with request until services can no longer be rendered. DoS attacks can be fatal to a business and it’s important to take precautions and to use a hosting provider that takes web security seriously.

In this guide, we will go in-depth about these types of attacks and some of the steps you can take to mitigate against this malicious attack.

How the Internet Works

To understand DDoS attacks we have to first understand some basics of how the internet works.

The internet is an interconnected network of computers (clients) and web servers (servers). Web servers are simply specialized computers that are made specifically to contain and serve content. However, the process of accessing the internet is quite complex as there are many things going on at once with different variables and resources required in order for a smooth transaction to take place.

What Happens When a User Clicks on a Website Link?
When a user clicks on a link or types a website address into a browser and clicks enter the following process is a simplified structure of what takes place…

1. The computer will first look for the destination host in your “domain name system” (DNS) cache, which is where your computer stores information about websites that you visit. If the host is found there, it will use that information. If not, the computer will perform DNS queries to find the IP address of the source.

2. Once the IP address is located, the browser will open a “transmission control protocol” (TCP) connection and send a request through via “hypertext transfer protocol” (HTTP) to the server.

3. The server will, in turn, look for the requested resources and if found, will respond by sending data back to the browser also via HTTP.

4. The browser will re-create a document structure using a “hypertext markup language” (HTML) parser, which will appear on the user’s screen.

Of course, there is a lot more to it than that where other activities may occur, different tools may be used, or more resources may be needed. For instance;

• Requests may use a different HTTP version such as HTTP 1.0 or HTTP 1.1.

• The browser may also check for redirects, authorization codes, errors, or conditional responses that may result in different ways of handling the outcomes rather than with normal responses.

• The browser may also close or reuse the TCP connection.

• Responses may be stored in computer caches, if cacheable or need to be decoded (e.g. if it is gzipped).

What is DoS Attack?

“DoS” is actually an acronym for “denial of service”. A DoS can happen for a number of reasons, including when too many people are trying to access the same website at the same time or are sending too much information to the same site all at once. This is usually done purposely to take down a website or other online service, either temporarily or permanently.

Imagine a store with a large crowd of people trying to get through the same door at once. This would prevent potential customers from entering as the entrance would be blocked, which is usually the goal of this type of cyber attack.

Years ago, a DoS attack could have been carried out by just one individual with only one computer. In fact, in 1974, David Dennis, an Illinois student — who was just 13 years old — carried out the very first DOS attack all by himself.

Another attack was done by Khan C. Smith in 1997 at a DEF CON event that left the Las Vegas Strip without internet access for more than an hour. Moreover, the sample code was released that led to the attacks of EarthLink, Sprint, E-Trade, and other major corporations the following year.

Also, during the ’90s, conflicts took place continuously known as, the “king of the hill”, battles. Hackers would battle it out to gain control of non-registered chat room channels in Internet Relay Chat (IRC). When an administrator would log off, they would lose their powers, leaving control of the channel up for grabs. To gain administrator privileges, a user would have to be the last one left in the room. Therefore, hackers would try to force others to log out by using bandwidth-based IRC chat floods and DoS attacks.

How Does a DDoS Attack Work?

It didn’t take long before the servers were upgraded to prevent DoS attacks from taking down websites. However, hackers soon found another way of attacking their targets that’s not only much more powerful than DoS, but also more difficult to detect and block. This new attack method is called, “distributed denial of service” (DDoS) attack.

A DDoS attack is carried out by sending the target web server, a huge number of requests simultaneously, from a large volume of computers. The resources of the web server reach max capacity and either slows down significantly or comes to a complete halt, therefore, visitors are unable to access the server. Mission accomplished.

The difference between DoS attacks and DDoS attacks is, only one computer and an internet connection are needed for DoS attacks to flood a system where DDoS attacks require multiple internet connections and computers to synchronize an attack on a target.

In addition, a DDoS attack can send large volumes of phony traffic to a targeted web server along with any websites and services connected to it, hence using up almost all of the target’s bandwidth and resources to prevent legitimate traffic from getting through and this attack can continue for long periods of time.

Layer 3 and 4 attacks are typically the easiest to pull off as you simply flood servers and networks until legitimate traffic can’t get through. However, layer 7 attacks are more complex as they can mimic a real user clicking on an “add to cart” button or using an app to search for content on the website.

Why Hackers Choose DDoS Attacks?

With DDoS attacks at their fingertips, hackers are able to utilize improved methods and tools to take on bigger, more prominent targets such as government sites, banks, major corporations, and other highly populated websites.

DDoS involves the distribution of hosts, which gives the attacker numerous advantages:

• By leveraging a larger volume of computers an extremely disruptive attack can be executed.
• Due to the random locations of distributors included in the attack, which are scattered throughout the world, and because they are disguised as other systems, it is rather difficult to detect the location of the actual attacker.
• It is very difficult to block multiple machines.

While there have been innovative mechanisms developed to defend against almost all forms of DoS attacks, the internet is still vulnerable to DDoS attacks due to its distinctive elements.

Different Types of DDoS Attacks

Throughout the years there have been thousands of DDoS attacks carried out on a global scale. Attempts to consume a network’s entire bandwidth and resources are an ongoing thing of today and come in a wide array of different types. The following are just some of the many DDoS attacks known today:

• User Datagram Protocol (UDP) Flood
• Internet Control Message Protocol (ICMP) Flood
• Internet Group Management Protocol (IGMP) Flood
• Amplification Attacks
• Connection-Oriented Attacks
• Connectionless Attacks
• Reflective Attacks
• TCP/IP Weaknesses
• TCP SYN Flood
• TCP RST Attack
• TCP PSH+ACK Flood
• “Low and Slow” Attacks
• Sock stress
• Secure Socket Layer (SSL) -Based Attacks
• Encrypted-based HTTP Attacks (HTTPS floods)
• THC-SSL-DoS
• HTTP Flood
• DNS Flood
• Slow HTTP GET Request
• Slow HTTP POST Request
• Regular Expression DoS Attacks
• Hash Collisions DoS Attacks
And more

Here, we will discuss some of these threats in further detail:

User Datagram Protocol (UDP) Flood
The UDP flood protocol does not require a connection to communicate between two devices. It uses datagrams that are embedded in IP packets to communicate. A specific vulnerability is not the focus in a UDP flood attack as it typically abuses regular behavior patterns at a level that’s high enough to invoke congestion of a network. It works by sending numerous UDP datagrams to targets random ports from spoofed potential IP addresses.

The server is not able to process so many requests but consumes all its bandwidth in its efforts to attempt to send ICMP unreachable packets.

Internet Control Message Protocol (ICMP) Flood
An ICMP flood is used for IP operations, errors, and diagnostics and is another connectionless protocol. Like a UDP, an ICMP (or ping) flood does not rely on a particular vulnerability to attain a denial-of-service. This type of flood attack can include any ICMP message type, including a ping echo request and a ping echo reply.

When enough traffic has been sent to the target server, after attempting to process so many requests, the server finally becomes overwhelmed, which results in a denial-of-service issued.

Internet Group Management Protocol (IGMP) Flood
An IGMP flood is also connectionless. It is used by routers and computers (IP hosts) to multicast group memberships for contiguous routers allowing multicasts — as it is non-vulnerability based — and sends huge amounts of IGMP messages to a router or network to slow it down enough to prevent legitimate traffic from getting through to the target network.

Amplification Attacks
An Amplification attack uses a gap between a sent request and a reply during communications. One example of this attack is, using a router like an amplifier to send messages to numerous IP addresses where the source IP gets spoofed to the target IP. These types of attacks include Fraggle attacks (UDP amplification) and Smurf attacks (ICMP amplification).

Connection-Oriented Attacks
A connection-oriented attack takes place when an attacker establishes a connection before launching a DDoS attack that results in affecting a server’s application resource or the server, itself. Some examples of DDos connection oriented attacks are HTTP or TCP based attacks.

Connectionless Attacks
A connectionless attack is one of the easiest attacks to launch as it doesn’t require a complete connection to the target. This attack targets network resources resulting in a denial-of-service before malicious packets even have a chance to reach the server. ISMP and UDP floods are some examples of DDos connectionless attacks.

Reflective Attacks
Reflective attacks happen when an attacker uses a possible legitimate third party to send loads of attacking traffic to conceal his/her identity.

Warning Signs of DDoS Attack

When your server is under attack, it will most likely, crash, slow down significantly, or in some cases, it will result in a “server unavailable” error. In any case, a user trying to access the site or service will experience considerable lag at first that can persist for extended periods or will end with an error message finally being displayed.

Using the Netstat Command to Check for Attacks
One way to find out if your server is being attacked is by using “netstat”, a utility tool included in all Windows and Linux operating systems.

To check for system or server attacks using the Netstat utility, open a command prompt and type “netstat -an” in the command field then hit enter. Results will display that include:

• Active TCP connections
• Ports the computer is listening on
• Ethernet statistics
• IP routing table
• IPv4 statistics (for the ICMP, UDP, TCP, and IP protocols)
• IPv6 statistics (for the ICMPv6, IPv6, TCP over IPv6, and UDP over IPv6 protocols)

Using just the “netstat” command without the “-an” parameter will only include active TCP connections in the results.

A normal outcome would appear something like this:

In a normal scenario, the outcome will display various IP addresses connected to different ports while the state would most likely list either “ESTABLISHED” or “LISTENING”.

While being attacked something like this will be displayed:

As you can see from the above table, the same IP addresses are connected to immediate ports resulting in the connection timing out. This is a clear indication that an attack launched from the visible IP is in effect and trying to flood the server with meaningless requests.

This is just a brief example of a few connections; however, real DDoS attacks can contain thousands of connections.

Examples of Dos Attacks

For nearly two decades, hackers and more have distributed Denial-of-service attacks to sites and servers everywhere. These attacks were carried out for profit, for fun, to protest, or as a diversion to take the attention from an even bigger attack planned.

1. Anonymous Uses DDos to Attack PayPal
In 2010, as part of cyber protests “Operation Avenge Assange” and “Operation Payback”, the hacktivist group known as Anonymous carried out a DDoS attack on PayPal in an attempt to disrupt the site’s services for four days.

The protest that cost PayPal hundreds of thousands was done due to political pressure on behalf of Julian Assange programmer of WikiLeaks and resulted in misdemeanor charges for Anonymous members.

Businesses have seen this incident as a wake-up call and began taking measures to protect their servers from DDoS attacks.

2. GITHUB AT 1.35 TBPS
On February 28, 2018, the well-known developer platform, “Github” was suddenly hit with an ambush of traffic that was clocked at 1.35 TPS. This was not only a massive amount of traffic, but it was also record-breaking. Github claimed there were more than one thousand autonomous systems traced back across tens of thousands of distinct endpoints. The good news is GitHub was prepared for a DDoS attack, but the bad news is they weren’t ready for something of this scale.

3. OCCUPY CENTRAL, HONG KONG AT 500 GBPS
In 2014, Occupy Central, which is a grassroots movement based in Hong Kong, was campaigning for a democratic voting system when they were hit by a DDoS attack. The attackers responded to Occupy Central’s pro-democracy message by sending huge amounts of traffic to five of their supporters’ sites, including two independent sites and three web hosting services; one was an online mock election site called “PopVote”, and another was a news site called “AppleDaily”.

This attack implemented five botnets to flood servers with packets masquerading as legitimate traffic that peaked levels of traffic at 500 gigabits per second. At the time, this DDoS attack was the biggest in history.

4. CLOUDFLARE AT 400 GBPS
The attack directed at a customer of content delivery network and security provider, “CloudFlare”, targeted European servers in 2014. Taking advantage of a computer clock synchronization protocol, “Network Time Protocol” (NTP) vulnerability, the server was bombarded with around 400 GPS of traffic. Although the attack was aimed at one customer, it was so powerful that it affected the entire CloudFlare network.

Ultimately, the attacker tricked source addresses into sending massive loads of NTP server responses to the target. This technique is known as “reflection” due to the ability to amplify and mirroring traffic.

According to the “Computer Emergency Readiness” team of the U.S., because the data responses come from valid servers, NTP Amplification Attackers are very hard to block.

5. SPAMHAUS 300 GBPS
Spamhaus, a non-profit threat intelligence provider may have blacklisted the wrong guy as the attack launched on them in 2013 was traced back to a Dutch company member with the handle “Cyberbunker” whom they previously banned from their site.

Although the anti-spam organization was attacked regularly, the DDoS attack, they were hit with was so large it knocked their website, and some of their email services, right offline.

Reflection was used in this attack to overload servers with 300 GPS of traffic.

6. U.S. BANKS AT 60 GBPS
In 2012 six major banks of the U.S. were the target of a string of DDoS attacks. These banks included;

• JP Morgan Chase
• Bank of America
• PNC Bank
• Citigroup
• U.S. Bancorp

The attackers hijacked hundreds of servers to carry out this attack that created their own peak floods of over 60 GPS of traffic. The attacker used numerous methods to find out which would work.

Protecting and Mitigating Against DDoS Attacks

DDoS attacks are growing not just in strength but in quantity as well. Websites are being attacked all the time unexpectedly using diverse strategies that consist of volume, protocol, or application layers.

Unfortunately, as soon as we find a way to combat one strategy, attackers come up with new ways to bring websites down, which is why it’s imperative that your mitigation software is versatile enough to handle a variety of attacks.

Hosting providers have multiple plans available to choose from that may include dedicated servers and shared hosting plans with a variety of features, services, and solutions to protect your network, website, and resources from malicious software, viruses, and cyber-attacks. In order to know what protection, they offer, it is important to ask questions. Keep in mind that DDoS attacks could be fatal to your business.

The following are some safety measures to take to secure your network and resources.

DDoS protection filters can be used to weed out illegitimate traffic connections when the protocol or volume-based attacks try to flood your network and server resources with traffic.

• Use vulnerability scanning tools to search your system for vulnerability issues and weaknesses that would make it possible for intruders to access and/or attack your system.

• Ensure your system has enough bandwidth to accommodate excess traffic. Bear in mind that bandwidth can be expensive; however, the more you have, the harder it will be to block your connection.

Backup your internet connection regularly and store your files in a secure location that is separate from your network. That way, if your server should get attacked, you won’t lose important files and information.

Intrusion detection systems (IDS) are equipped with features that can help protect systems against DDoS attacks. IDS use connection verification methods that will inhibit requests before reaching the servers, and may also take other corrective measures to prevent attacks.

• You can configure your firewall to monitor and filter out malicious IP addresses thus preventing malevolent traffic from spoofing IP’s.

Update routers, software, firewalls, network hosts, and security patches regularly as older versions may become vulnerable to cyber-attacks.

HostLabs operates from three state-of-the-art, peerless data centers across the U.S. We offer data centers that are PCI & HIPAA compliant. Offering multi-tier redundant power systems, 24/7 security and staffed by highly trained personnel, our data centers ensure our server runs smoothly and efficiently to protect your business.

Top Tier Security

Over the years, attack technology has evolved into massive, widespread cyber-attacks affecting thousands of networks, both big and small, of all industries. What’s more is attacks are not just being carried out by young computer geeks or script youngsters testing their skills, anymore. Rather, advanced experts with high technical skills have banned together to target and attack websites.

These attackers are known as “hacktivists” or so-called “extraordinary bandits” (e-bandits) such as the group known as “Anonymous” who mean well, in their efforts to take down various websites, however, committing acts of cyber-attacks and organized crimes are still illegal.

Regardless of their motivation or cause, with such experts at the wheel, who possess such advanced technical knowledge, it is important to choose a hosting provider that offers top-tier security amazing support and can combat that knowledge with industry expertise.

Categories Guides