Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

As our dependence on computers and network connectivity grows, so do the vulnerabilities and the risk of falling victim to a costly cyber-attack. We tend to forget that most computer systems and their underlying technologies are susceptible to cyber-attacks. According to Kaspersky researchers, Denial of Service (DoS) and Distributed Denial of Service (DDoS) are the most prevalent type of cyber-attack in 2019. So what is a Denial of Service attack? A DoS attack is a malicious attempt to slow down a website or computer, or render it unavailable, by flooding a server or network with a large number of simultaneous requests. When the network and computer resources are exhausted, the victim's system is unable to fulfil legitimate requests and the victim's website or computer becomes inaccessible. A DDoS attack is more sophisticated in that it uses hundreds or even millions of compromised devices to launch a Denial of Service attack.

Here is the list of most common DoS attacks:

  • SYN Flood: A SYN flood targets the TCP layer. To establish a connection on a TCP/IP network, a three-way handshake is used in which client and server exchange SYNchronize and ACKnowledge packets (SYN, SYN-ACK, ACK). Attackers target the server by sending a series of SYN requests; the server responds to each with SYN-ACK and keeps the connection half-open, waiting for the client's final ACK. In other words, attackers create many half-open connections with the server in an attempt to exhaust system resources to the point that the server becomes unresponsive to legitimate traffic.
  • UDP Flood: A UDP flood targets the User Datagram Protocol (UDP). Unlike TCP, UDP does not require a three-way handshake; however, when a server receives a UDP packet on a specific port, it first looks for an application listening on that port and, if none is, responds with an Internet Control Message Protocol (ICMP) message notifying the client that the destination was unreachable. When attackers launch their attack by sending a series of UDP packets to random ports, the server has to go through this process for every packet, and the system is forced to send so many ICMP replies that the server becomes unreachable to legitimate clients.
  • HTTP Flood: This is an application layer attack in which an HTTP client (a web browser) sends HTTP GET or POST requests to the application or web server. Attackers use multiple bots to send GET requests that retrieve large images, documents or files from the server. In an HTTP POST attack, the attackers try to trigger a complex and resource-intensive process such as a database search. In both cases, the web server is overwhelmed and unable to service legitimate requests.
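The two transport-layer floods above leave distinctive traces on the victim host: a SYN flood shows up as a pile of half-open (SYN-RECV) connections, and a UDP flood as a burst of ICMP port-unreachable replies for ports nothing listens on. The following Python script, an added example rather than code from the original post, checks for both symptoms. It assumes constructed input in the style of `ss -tan` and `tcpdump -n` output; the sample lines, thresholds and function names are this example's own.

```python
"""Symptoms of SYN and UDP floods in host telemetry.

Added example (not code from the original post). It assumes two constructed
inputs: SS_OUTPUT, lines in the style of `ss -tan` (State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port), and TCPDUMP_OUTPUT, lines in the style
of `tcpdump -n` showing UDP datagrams and the ICMP port-unreachable replies
the host sends back for closed ports.
"""
import re
from collections import Counter

# Constructed `ss -tan` style sample: one legitimate ESTAB connection and a
# cluster of half-open (SYN-RECV) connections, most from a single peer.
SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB    0      0      10.0.0.5:80         192.0.2.10:51234
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:40001
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:40002
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:40003
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:40004
SYN-RECV 0      0      10.0.0.5:80         198.51.100.3:40005
"""

# Constructed `tcpdump -n` style sample: one source sprays UDP at random
# closed ports and the host answers each with ICMP "udp port N unreachable";
# the final line is ordinary DNS traffic to an open port (no ICMP reply).
TCPDUMP_OUTPUT = """\
12:00:00.000100 IP 203.0.113.7.40001 > 10.0.0.5.3389: UDP, length 12
12:00:00.000200 IP 10.0.0.5 > 203.0.113.7: ICMP 10.0.0.5 udp port 3389 unreachable, length 48
12:00:00.000300 IP 203.0.113.7.40002 > 10.0.0.5.5060: UDP, length 12
12:00:00.000400 IP 10.0.0.5 > 203.0.113.7: ICMP 10.0.0.5 udp port 5060 unreachable, length 48
12:00:00.000500 IP 203.0.113.7.40003 > 10.0.0.5.1900: UDP, length 12
12:00:00.000600 IP 10.0.0.5 > 203.0.113.7: ICMP 10.0.0.5 udp port 1900 unreachable, length 48
12:00:00.000700 IP 192.0.2.10.5353 > 10.0.0.5.53: UDP, length 40
"""

SS_LINE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)$")
UNREACH_LINE = re.compile(
    r"IP \S+ > (?P<dst>[\d.]+): ICMP \S+ udp port (?P<port>\d+) unreachable")


def half_open_by_peer(ss_text):
    """Count half-open (SYN-RECV) connections per peer IP in ss-style output."""
    counts = Counter()
    for line in ss_text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or m.group("state") != "SYN-RECV":
            continue  # header line, or a fully established connection
        peer_ip = m.group("peer").rsplit(":", 1)[0]
        counts[peer_ip] += 1
    return counts


def syn_flood_suspects(ss_text, per_peer_threshold=3):
    """Peers holding at least `per_peer_threshold` half-open connections, worst first.

    A legitimate client rarely keeps more than one SYN-RECV at a time; a peer
    holding many is either spoofed or deliberately never completing the handshake.
    """
    counts = half_open_by_peer(ss_text)
    return sorted(((ip, n) for ip, n in counts.items() if n >= per_peer_threshold),
                  key=lambda item: -item[1])


def udp_flood_suspects(tcpdump_text, reply_threshold=3):
    """Sources that forced at least `reply_threshold` ICMP port-unreachable replies.

    Returns {source_ip: (reply_count, sorted closed ports hit)}. Many replies
    spread over unrelated ports is the "random ports" pattern of a UDP flood,
    as opposed to a client retrying one service.
    """
    replies = Counter()
    ports = {}
    for line in tcpdump_text.splitlines():
        m = UNREACH_LINE.search(line)
        if not m:
            continue  # a UDP datagram line, or traffic to an open port
        src = m.group("dst")  # the ICMP reply's destination is the UDP sender
        replies[src] += 1
        ports.setdefault(src, set()).add(int(m.group("port")))
    return {src: (n, sorted(ports[src]))
            for src, n in replies.items() if n >= reply_threshold}


if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_suspects(SS_OUTPUT))
    print("UDP flood suspects:", udp_flood_suspects(TCPDUMP_OUTPUT))
```

Run it as-is to see the flagged peers, or feed real `ss -tan` output into `half_open_by_peer`. The thresholds are deliberately low for the sample; on a production host they should come from a baseline of normal SYN-RECV counts. Note also that a SYN flood sent from spoofed source addresses spreads the half-open connections across many peers instead of concentrating them in one, so the total SYN-RECV count matters as much as the per-peer figure.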

According to Kaspersky, in 2019 84% of DoS attacks were SYN floods, 8.9% UDP floods and 3.3% HTTP floods. Due to the nature of these attacks, no organization is 100% immune. One of the most high-profile DDoS attacks of 2018 targeted GitHub: the first wave peaked at 1.35 Tbps and was followed by a 400 Gbps secondary attack which brought down the host. In a separate incident, in September 2016, OVH was under a DDoS attack peaking at over 600 Gbps, which affected its operations.

The reality is that, because of the nature of DDoS attacks, no one is 100% immune. There are, however, various DDoS mitigation and resilience options available to reduce their impact.

  • Over-provisioning: increasing bandwidth capacity improves resilience, allowing the system to withstand low- to mid-volume DoS attacks, and buys much-needed extra time to take action to mitigate the attack. At the server level, extra resources combined with a solution like mod_evasive are a good place to start.
  • Cloud DDoS mitigation services: incoming traffic is routed through a third-party network with far greater bandwidth, so the provider absorbs the attack before it reaches your server. These providers specialize in early DoS attack detection and mitigation.
  • A hybrid solution: for an enterprise organization, a hybrid solution (a combination of cloud and on-premise DDoS mitigation) strikes a balance between security and flexibility.

Here at Cirrus Tech. we continuously monitor and improve our infrastructure. To increase our resilience against DDoS attacks, we have significantly improved our capacity and peak throughput by upgrading our core routers and networking gear. We are on track to increase our pipeline almost tenfold by the end of 2019. We recommend that our web hosting clients scan their website, application, and plugins and eliminate any vulnerability, and keep their PHP, WordPress, and plugins up to date. We also suggest that our Linux VPS and Cloud VM clients configure mod_evasive; if you lack the expertise, you can contact our support team for assistance and recommendations.
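Both the HTTP flood described earlier and the mod_evasive recommendation come down to per-client request rates, so the following Python model, an added example that is neither mod_evasive's own code nor part of the original post, shows how the module's documented limits behave: a client that requests the same page more than DOSPageCount times within DOSPageInterval seconds, or any page more than DOSSiteCount times within DOSSiteInterval seconds, is answered with 403 for DOSBlockingPeriod seconds. The access-log lines, the sliding-window counting and the threshold values are this example's own assumptions.

```python
"""HTTP-flood throttling modelled on mod_evasive, replayed over access-log lines.

Added example (not mod_evasive's own code, and not from the original post). It
mirrors the module's documented directives: DOSPageCount within DOSPageInterval
(same client, same URI), DOSSiteCount within DOSSiteInterval (same client, any
URI) and DOSBlockingPeriod (how long a tripped client is answered with 403).
The counting here is a sliding window, a simplification of the module's hash
table; the threshold values and the log lines are this example's assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: ip ident user [timestamp] "METHOD uri proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)')


class EvasiveThrottle:
    """Per-client request counters with mod_evasive-style limits and blocking."""

    def __init__(self, page_count=2, page_interval=1.0,
                 site_count=50, site_interval=1.0, blocking_period=10.0):
        # Assumed values; the module's README documents its actual defaults.
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.page_hits = defaultdict(deque)   # (ip, uri) -> recent request times
        self.site_hits = defaultdict(deque)   # ip -> recent request times
        self.blocked_until = {}               # ip -> epoch seconds

    def check(self, ip, uri, now):
        """Return 403 if `ip` is blocked or trips a limit at time `now`, else 200."""
        if now < self.blocked_until.get(ip, float("-inf")):
            return 403  # still inside the blocking period
        page, site = self.page_hits[(ip, uri)], self.site_hits[ip]
        page.append(now)
        site.append(now)
        # Drop requests that fell out of each window (the deque never empties,
        # because `now` itself was just appended), then compare to the limits.
        while now - page[0] > self.page_interval:
            page.popleft()
        while now - site[0] > self.site_interval:
            site.popleft()
        if len(page) > self.page_count or len(site) > self.site_count:
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        return 200


def parse_log_line(line):
    """Parse an Apache combined-log line into (ip, uri, epoch seconds), or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), m.group("uri"), ts


def replay(log_text, throttle=None):
    """Feed log lines through the throttle in order; return [(ip, uri, decision)]."""
    throttle = throttle or EvasiveThrottle()
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            ip, uri, ts = parsed
            decisions.append((ip, uri, throttle.check(ip, uri, ts)))
    return decisions


# Constructed access-log sample: a normal visitor (192.0.2.10) and one client
# (203.0.113.7) fetching a large PDF three times within the same second, then
# again one second later (still blocked) and 14 seconds later (block expired).
ACCESS_LOG = """\
192.0.2.10 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /large-report.pdf HTTP/1.1" 200 2097152
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /large-report.pdf HTTP/1.1" 200 2097152
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /large-report.pdf HTTP/1.1" 200 2097152
203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /large-report.pdf HTTP/1.1" 200 2097152
192.0.2.10 - - [10/Oct/2019:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 3072
203.0.113.7 - - [10/Oct/2019:13:55:50 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, uri, decision in replay(ACCESS_LOG):
        print(f"{ip:12} {decision} {uri}")
```

The per-page limit is the one most likely to catch legitimate browsers, which fetch a page and its assets in a burst, so DOSPageCount and DOSSiteCount are best raised (and DOSWhitelist used for monitoring systems) after replaying a day of real access logs through a model like this one and counting the false positives.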