DDoS Attacks

Target Audience

Undergraduate
Graduate

Keywords

DDoS attacks
reflective DDoS attacks
IP Spoofing

Introduction

Overview

On March 18, 2013, there were numerous DDoS attacks targeted at the website spamhaus.org, lasting a week. The attacks peaked at a whopping 300 Gbps. Hackers used a mass of systems to be able to launch attacks with high volume, taking the form of a DDoS (Distributed Denial of Service) Attack. These attacks are often done by using “botnets”, a mass of compromised systems that are centrally controlled by an attacker.

Vulnerability Details

The largest source of traffic in the attack came from DNS amplification. This type of attack is done by sending spoofed requests to misconfigured DNS servers, resulting in an overwhelming amount of traffic to be directed towards Spamhaus. These requests are crafted in such a way that the response from the DNS server is much larger in size than the original request. Even a small number of requests can generate a massive amount of traffic. First, the attacker sends a request for a large DNS zone file to various open DNS resolvers with the source IP spoofed to the victim’s address. The resolvers respond to the request, sending the DNS zone answer to the intended victim. The attacker’s original requests are only a small fraction of the responses, which means they can effectively amplify the attack multiple times the size of the bandwidth resources they actually have.

Learning Objectives

Explain DDoS attacks
Explain Reflective DDoS attacks
Explain IP Spoofing and traffic amplification
Describe common defense mechanisms to defeat DDoS attacks

Download

Remote Terminal

Terminal Description

In this lab, you'll simulate the process of a DoS (Denial of Service) attack against a local system running a webserver. This exercise will help in understanding the fundamentals of how a DoS attack works, and its results on a small scale.

Use the help-module3 command to explore available commands.
The target system is located at 192.168.1.22. Assume port 80 is open.
Determine that the system is up using ping.
Send a test SYN packet to the system on port 80 to gauge the server’s response.
Initiate the SYN Flood DoS attack on the system on port 80.
Determine the current status of the target system while the attack is ongoing

Module Questions

What is a DDoS attack?An attempt to increase the speed of a server or networkA method to encrypt sensitive data on a serverAn attempt to disrupt the operations of a server, service, or network by flooding it with trafficA strategy to enhance network security by blocking legitimate users

How did attackers maliciously use open DNS resolvers in DDoS attacks?By directly targeting the physical infrastructure of the serverBy sending legitimate DNS queries to overload the server's response timeBy sending spoofed DNS queries with the target IP address as the source to the resolversBy deploying firewalls to block incoming traffic from open DNS resolvers

What are some possible ways to create a packet with spoofed IP addresses?Sending packets through a VPN for anonymityUsing legitimate IP addresses provided by the ISPUtilizing packet manipulation tools/libraries in python, c, etc.Requesting IP addresses from a DNS server

Explain how rate limiting and packet filtering could be used to prevent DDoS attacks.Rate limiting involves increasing the speed of incoming traffic to overwhelm the attackerPacket filtering involves redirecting all incoming traffic to a single server for inspectionRate limiting involves setting limits on the number of requests or packets a server can receive within a certain time framePacket filtering involves encrypting all incoming packets to prevent spoofing

DDoS attacks have been prominent since the 2000s up until the early 2010s, and have tapered off in recent years. Why do you think this is the case?Due to increased collaboration among attackers to launch more sophisticated attacksBecause of a decline in internet usage globallyAs a result of increased awareness and improved security implemented by organizations, ISPs, and security companiesBecause of advancements in technology that have made DDoS attacks obsolete