Your network sometimes gets unusually slow or disconnected suddenly, possibly due to a Denial-of-Service attack being carried out, let’s find out what it is? How do you overcome?
1. What is a Denial-of-Service (DoS) attack?
Denial-of-Service (DoS) is an attack to shutdown or disconnect, causing users to stop accessing. DoS attacks usually work by overwhelming or overloading the target with requests until it cannot be processed, resulting in a denial of service to the user. In both cases, DoS deprives users of their rights to use the service or legal resources. A DoS attack is characterized by using a single computer to launch the attack.
Victims of DoS attacks are usually emails, websites, online accounts … there are also networks, machines or a program. Although DoS is difficult to steal important information, it can take victims a lot of time. and money to deal with the consequences. Because a DoS attack can easily be done from any object, finding the person responsible is difficult.
There are two types of DoS attacks: Flooding attack or crashing attack.
Flooding occurs when the system receives too much traffic, causing the system to slow down and eventually stop. Common types of flooding attacks include:
- Buffer overflow attacks – The most common DoS attack. Buffer overflow can cause the machine to consume hard disk space, memory or CPU time available. This form often leads to sluggish behavior, system crashes … leading to denial of service.
- ICMP flood – Taking advantage of misconfigured network devices. First, send fake packets to ping every computer that is accessing the target network, then amplify network traffic. This attack is also known as smurf attack or ping of death .
- SYN flood – Often called a three-way handshake but only connects host and server. The server received a request to handshake, but the handshake was never completed. Continue until all opened ports are saturated with requests and there is no room for legitimate users.
A crashing attack that exploits system vulnerabilities or translations. In these attacks, taking advantage of errors in the target then causes the system to crash or be seriously damaged, thus unable to access or suspend its use.
2. How DoS attack works
The main focus of a DoS attack is to overload the capacity of the targeted machine, resulting in a denial of service for additional requests.
There are many similarities between a DoS attack and non-malicious network connection errors such as: Network technical issues, system maintenance, etc. However, the following symptoms may indicate an attack. DoS:
- Unusually slow network performance such as slow file downloads or websites
- Could not load any website
- Sudden loss of connection between devices on the same network
The best way to detect and identify a DoS attack would be through network traffic monitoring and analysis. Network traffic can be monitored via firewalls or intrusion detection systems.
A DoS attack prevents users from accessing the service by overwhelming its physical resources or network connections. The attack essentially floods the service with lots of traffic or data that no one else can use until the malicious flow is processed.
One way to overload the physical resources of a service is to send it so many requests in such a short time that it takes up hard disk space, memory or CPU time available. In extreme cases, this can even result in damage of physical components to these resources.
Similarly, to break the service’s network connections, a DoS attack can send invalid, malformed input, or just a large number of requests to connect to it. While these are being addressed, connection requests from legitimate users cannot be completed.
Sometimes, a DoS attack exploits a flaw in a program or website to force resource usage or network connections improperly, which can also result in denial of service.
Some malware also includes the ability to launch DoS attacks. When they infect a computer or device, these threats can use the resources of the infected machine to carry out the attack. If multiple infected machines launch attacks on the same target, this is called a Distributed-Denial-of-Service (DDoS) attack.
The amount of data used during a DoS or DDoS attack can be enormous, up to several gigabits per second. Botnets are often used to perform DDoS attacks, since many services do not have the resources needed to counter an attack from thousands or even hundreds of thousands of infected devices.
Unlike viruses or malware, a DoS attack does not depend on a program to run. Instead, it takes advantage of an inherent flaw in the way computer networks communicate.
For example: Say you want to visit an ecommerce website to buy gifts. Your computer sends a small packet of information to the website. This package acts as a greeting, carrying the message “Hi, I’d like to visit you, please let me in”. When the server receives a message on your computer, it sends a short message, like “OK, are you real?”. Your computer responds “Yes!” and the connection is established. Your computer and server continue to communicate when you click the link, place an order, and perform other tasks.
In a DoS attack, a computer is equipped to send not only one referral to a server, but hundreds or thousands. The server cannot know if the referrals are fake, sends back the response, waits up to a minute in each case to hear the response. When the response is not received, the server shuts down the connection and the computer performs a repeat attack, sending a new series of fake requests.
DoS attacks mainly affect organizations and connections. For users, attacks hinder access to services or websites.
There are many causes of a DoS attack, but mostly for profit:
- A lot of cases of DoS attacks are launched for personal reasons. Hacking services can slow down or crash over a period of hours to days. For many businesses that cause disruptions, even financial losses.
- Because of company or political competition.
3. How to prevent DoS attack
A general rule: The sooner you identify an ongoing attack, the faster you can prevent damage. Here are some things you can do.
Method 1: Use attack detection tools
Companies often use anti-DDoS technology or services to help protect themselves. These can help you recognize between legitimate abnormal spikes in network traffic and a DDoS attack.
Method 2: Contact your Internet service provider
If you find your company is under attack, you should notify your Internet service provider as soon as possible.
Method 3: Investigate black hole routing
Internet service providers can use black hole routing. It directs excessive traffic to an empty route, also known as a black hole. This can help prevent the target website or network from crashing. Both legal and illegal traffic are routed.
Method 4: Configure firewalls and routers
Firewalls and routers should be configured to deny bogus traffic. Update firewalls and routers with the latest security patches.
Method 5: Consider front-end hardware
Front-end hardware is integrated into the network before traffic to the server can help analyze and filter data packets. Hardware classifies data as priority because it is often dangerous when a system is compromised. It can also help block threat data.
Without adequate protection, simply restarting the service, but may not be effective if the attack has not ended.
4. Differentiate DDoS attack and DOS attack
Distributed-Denial-of-Service (DDoS) is a type of DoS attack that comes from many distributed sources, such as DDoS botnet attacks.
DoS attacks often exploit security holes in network, software and hardware design. These attacks have become less common because DDoS attacks have a greater ability to break through and are relatively easy to create available tools. In fact, most DoS attacks can also be turned into DDoS attacks.
DoS uses a single connection, while a DDoS attack uses multiple traffic sources, usually in the form of a botnet.
DDoS attacks are considered the next step in the development of DoS attacks. Cybercriminals started using DDoS attacks around 2000. This is why DDoS attacks have become the weapon of choice for breaking connections, servers and websites.
Security holes in Internet-of-Things devices can easily launch DDoS attacks.
A DDoS attack occurs when multiple machines are working together to attack a target. DDoS attackers often take advantage of botnet use. A group of internet-connected devices were attacked to carry out large-scale attacks. An attacker takes advantage of security vulnerabilities or weaknesses of a device to control multiple devices that use software. Once under control, an attacker can order their botnet to conduct DDoS on the target. In this case, the infected device is also the victim of the attack.
DDoS allows sending multiple exponential requests to the target, thereby increasing attack power. It also increases the difficulty of attribution, because the source of the attack is harder to identify.
DDoS offers an attacker many advantages:
- Utilize larger machine volumes to perform a serious disruptive attack
- The location of an attack is difficult to detect due to the random distribution of attack systems (usually worldwide).
- Turning off many machines is harder than one
- Attack groups are really difficult to identify, because they are disguised behind many systems
Modern security technologies have developed mechanisms to combat most types of DoS attacks, but due to the unique characteristics of DDoS, it is still considered a high threat and a high concern. than for organizations.