In this text, I will describe different DoS and DDoS techniques, explain the types of DDoS attacks, the server vulnerabilities they exploit, the attack tools, who carries out the attacks and who the most common targets are. The text is intended for people interested in IT security risks, so that they can understand them better and better secure their digital assets.
Who is attacking?
A large number of tools and scripts that exploit flaws in programs and web sites are available on the Internet. Skilled hackers use them to understand these flaws and learn how they work, while script-kiddies use them for their own amusement, to impress others, to take revenge on someone who offended them on a social network, to humiliate a rival fan group and the like. An attack by script-kiddies may make the site inaccessible, deface it, or compromise orders, passwords and private information of registered members. There have been cases where such attacks were aimed at large sites (Yahoo, eBay, CNN) with lesser or greater consequences, including cases that ended with the attackers sentenced to probation or imprisonment (e.g. Malcolm Michael Calce and the eighteen-year-old Jeffrey Lee Parson).
Hacktivist is a term coined in 1995 from the words “hack” and “activist” and describes a person who uses computers and computer networks to protest against, or cause damage to, political, economic and other social actors. Hacktivists often carry out defacement attacks that change the appearance and content of a site in order to leave messages for its visitors, and they also break in to obtain information that is otherwise hidden from the public and publish it. Bearing in mind that their activities are essentially a form of civil disobedience, often directed against dictatorial governments, globalism and capitalism, it is not surprising that the media and state bodies mostly describe hacktivists as cyber terrorists. Attacks on sites are not, however, the main activity of hacktivists; more often they organize to spread certain ideas and information, to circumvent censorship and to improve privacy.
Anonymous is a decentralized virtual community of hacktivists, with no leaders, membership or chain of command, gathered around the idea of a free and open Internet. Since 2004, Anonymous has organized numerous actions against censorship, control and surveillance of the Internet, against the Church of Scientology, against sites hosting child pornography, and against governments and organizations that supported the SOPA and PIPA laws and the ACTA agreement. Businesses that denied their services to Wikileaks, and the web sites of a number of countries that practise censorship, were also targeted. They are also active outside the network, taking part in civic protests and street demonstrations around the world, such as the Occupy and 99% protests, hiding their identity behind stylized Guy Fawkes masks, with which they want to send the message that they belong to a larger group of the dissatisfied and are not alone in their ideas.
Communication and coordination among the activists over social networks and IRC is open, and anyone can join an announced action: it is enough to install a program such as LOIC and thereby help bring the targeted site down.
A botnet, in the context of illegal network and computer activity, is a set of compromised computers and/or computers infected with viruses, trojans and other malware that allows a person or a group of people to control them remotely and execute commands on them. Examples of activities carried out through botnets are sending spam, theft of personal and confidential information such as credit card numbers, attacks on other computers, and DDoS attacks. The owners of the computers that form a botnet almost never know that they are taking part in such activities, and the identity of the attacker is difficult to determine.
Botnets vary in size from 200-500 computers to hundreds of thousands. For interested customers who want to hurt competitors or opponents, botnets are rented out through DDoS-for-hire and booter services (e.g. ddossite.biz and top10booters.com) at prices ranging from $10 to $100 per hour. Payment is made through PayPal, MoneyPak, WebMoney and similar payment services, or in Bitcoin.
Who are the targets of the attack?
According to the Quarterly Global DDoS Attack Report for Q1 by Prolexic, a company dealing with DDoS attack mitigation, in the first three months of 2019 the largest number of attacks worldwide was directed against the media and entertainment industry (49.8%), including news and television companies. Software and technology companies came second with 17%, followed by security service companies (12%) and financial services (9%).
Attacks on the media are a particularly sensitive topic because they can amount to censorship. By denying access to web pages, the right to freedom of expression is impaired and the dissemination of information is hindered.
Types of DoS attacks
Denial-of-Service (DoS) attacks are actions an attacker takes to disrupt the normal operation of servers and services that deliver content or provide some service. By exploiting a flaw in the operating system, web server or application behind the site, the attacker crashes the server or exhausts all of its available resources (memory, CPU, disk space, network bandwidth), which makes the site unavailable.
When it is known that a certain version of a piece of software or a web application has a flaw that can be used for DoS, there is probably a program or script available on the Internet with which an inexperienced script-kiddie can, without much effort, make the site inaccessible or slow. Administrators and webmasters can greatly increase the resistance of their sites to such attacks by regularly updating their software and using basic tools to prevent exploitation. However, there are also DoS attacks that are difficult to protect against.
A flood is an attack in which a large number of legitimate or fake requests are sent to a particular service, consuming server resources so that regular users are slowed down or denied access. Floods can be carried out at all four layers of the TCP/IP model.
A pattern at the network access layer that is largely obsolete today is MAC flooding, in which Ethernet frames are sent with forged source MAC addresses to fill the MAC (CAM) table of the switch or exhaust the memory of the router. It can interrupt communication in one network segment, or it can let the attacker eavesdrop on the communication of other users of that network (a switch whose table is full forwards frames for unknown destinations to every port) in order to obtain the information needed for further attacks.
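To make the eavesdropping consequence concrete, here is an added example that is not code from the original article: a toy learning switch with a bounded CAM table. The port numbers, table capacity and every frame are constructed for the illustration. Two victims exchange unicast frames over ports 0 and 1; after the attacker on port 2 fills the table with junk source addresses and the victims' entries age out, the victims can no longer be learned and their traffic is flooded to the attacker's port as well.

```python
"""Toy learning switch with a bounded MAC (CAM) table, showing why MAC flooding
lets a host on one port see traffic meant for another port.  Added example, not
code from the original article; the switch model, port numbers and all frames
are constructed for illustration."""
import random
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str   # source MAC, e.g. "aa:aa:aa:aa:aa:01"
    dst: str   # destination MAC


@dataclass
class Switch:
    """Learns source MAC -> ingress port and forwards by destination MAC.
    The CAM table is fixed-size memory: once it is full no new source can be
    learned, and frames to an unknown destination are flooded to every port
    except the one they arrived on, which is exactly what an eavesdropper wants."""
    n_ports: int
    capacity: int
    cam: dict = field(default_factory=dict)   # MAC -> port

    def forward(self, ingress: int, frame: Frame) -> set:
        """Returns the set of egress ports the frame is sent out of."""
        if frame.src in self.cam:
            self.cam[frame.src] = ingress          # host moved ports: refresh entry
        elif len(self.cam) < self.capacity:
            self.cam[frame.src] = ingress          # learn, while there is room
        out_port = self.cam.get(frame.dst)
        if out_port is None:
            return {p for p in range(self.n_ports) if p != ingress}   # flood
        return {out_port} if out_port != ingress else set()


def random_mac(rng: random.Random) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def mac_flood(switch: Switch, attacker_port: int, count: int, rng: random.Random) -> int:
    """Attacker on `attacker_port` sends `count` frames with random source MACs.
    Returns how many CAM entries now point at the attacker's port."""
    for _ in range(count):
        switch.forward(attacker_port, Frame(random_mac(rng), "ff:ff:ff:ff:ff:ff"))
    return sum(1 for p in switch.cam.values() if p == attacker_port)


def demo(capacity: int = 8) -> dict:
    """Hosts A (port 0) and B (port 1) talk; the attacker sits on port 2.
    Returns the egress ports of A's traffic before and after the flood."""
    rng = random.Random(1)
    sw = Switch(n_ports=3, capacity=capacity)
    A, B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(0, Frame(A, B))                 # A learned on port 0; B unknown -> flooded once
    sw.forward(1, Frame(B, A))                 # B learned on port 1
    before = sw.forward(0, Frame(A, B))        # unicast: goes to port 1 only
    mac_flood(sw, 2, 1000, rng)                # fills the remaining slots with junk entries
    # A's and B's entries eventually age out (simulated here by removing them);
    # the attacker keeps flooding so the freed slots are immediately re-taken.
    sw.cam.pop(A)
    sw.cam.pop(B)
    owned = mac_flood(sw, 2, 100, rng)
    after = sw.forward(0, Frame(A, B))         # A cannot be learned, B unknown -> flooded to 1 and 2
    return {"before": before, "after": after,
            "attacker_entries": owned, "table_size": len(sw.cam)}


if __name__ == "__main__":
    print(demo())
```

The defence on real switches is port security (a per-port limit on learned MAC addresses), which is simply a per-ingress cap on how many entries `forward` is allowed to learn.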
The Internet Control Message Protocol (ICMP), one of the basic internet-layer protocols, used to send error messages and diagnose network conditions, can be abused for an attack by sending a large number of ICMP packets. Besides filling the available bandwidth, it may happen that the target, with its limited processor power and memory, is unable to handle all the packets, which causes unavailability.
UDP flood attacks are the most common type of flood attack today, since UDP packets do not require a prior connection and it is easy to spoof the packet's source IP address. Mass delivery of large UDP packets from different sources to a specific destination can saturate the link, both with the incoming traffic and with the ICMP “destination port unreachable” messages sent back in reply.
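The ICMP and UDP floods described in the two paragraphs above look alike on the wire: a sudden packet-rate spike towards one destination from a very large number of source addresses. As an added example (not code from the original article), the following detector groups per-packet flow records into one-second windows per destination and protocol and raises an alert only when the rate is high and the sources are many, which separates a spoofed-source flood from one busy legitimate client. The record format, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Detecting ICMP and UDP floods from per-packet flow records.  Added example,
not code from the original article.  The one-line record format, the thresholds
and the sample traffic below are assumptions constructed for illustration."""
import random
import re
from collections import defaultdict

LINE = re.compile(r"t=(\d+) proto=(\w+) src=([\d.]+) dst=([\d.]+) dport=(\d+) bytes=(\d+)")


def parse(line: str) -> dict:
    """Parse one constructed record; raises on anything that does not match."""
    m = LINE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"bad record: {line!r}")
    t, proto, src, dst, dport, size = m.groups()
    return {"t": int(t), "proto": proto, "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(size)}


def detect_floods(lines, pps_threshold: int = 500, min_sources: int = 100, window: int = 1) -> list:
    """Bucket packets per (dst, proto, time window).  A window is flagged when the
    packet rate exceeds pps_threshold AND at least min_sources distinct source
    addresses took part (a spoofed flood hits many sources; a hot client does not)."""
    buckets = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for line in lines:
        r = parse(line)
        b = buckets[(r["dst"], r["proto"], r["t"] // window)]
        b["pkts"] += 1
        b["bytes"] += r["bytes"]
        b["srcs"].add(r["src"])
    alerts = []
    for (dst, proto, win), b in sorted(buckets.items()):
        pps = b["pkts"] / window
        if pps >= pps_threshold and len(b["srcs"]) >= min_sources:
            alerts.append({"dst": dst, "proto": proto, "window": win, "pps": pps,
                           "sources": len(b["srcs"]), "mbps": b["bytes"] * 8 / 1e6 / window})
    return alerts


def constructed_traffic(seed: int = 7) -> list:
    """Constructed sample: 4 s of normal DNS traffic from 10 real clients, plus a
    1 s UDP flood with spoofed sources at t=2 and a 1 s ICMP flood from a
    200-host botnet at t=3, all aimed at 203.0.113.10."""
    rng = random.Random(seed)
    lines = []
    clients = [f"192.0.2.{i}" for i in range(1, 11)]
    for t in range(4):
        for _ in range(50):   # baseline: 50 pps of DNS from known clients
            lines.append(f"t={t} proto=udp src={rng.choice(clients)} dst=203.0.113.10 dport=53 bytes=80")
    for _ in range(2000):     # UDP flood: random spoofed sources, large packets, random ports
        src = ".".join(str(rng.randrange(1, 224)) if i == 0 else str(rng.randrange(256)) for i in range(4))
        lines.append(f"t=2 proto=udp src={src} dst=203.0.113.10 dport={rng.randrange(1024, 65536)} bytes=1400")
    bots = [f"198.51.100.{i}" for i in range(1, 201)]
    for _ in range(1500):     # ICMP echo flood from a botnet (dport is meaningless for ICMP)
        lines.append(f"t=3 proto=icmp src={rng.choice(bots)} dst=203.0.113.10 dport=0 bytes=64")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_traffic()):
        print(alert)
```

Note that the baseline windows (50 pps from ten clients) never fire, and that the UDP flood window counts the legitimate DNS traffic that happened to arrive in the same second, which is also what a real mitigation box sees: the flood and the users it locks out are mixed in one stream.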
A SYN flood DoS attack abuses the way TCP connections are established. To connect to a server, the client first sends a SYN packet requesting a connection to a specific TCP port. The server accepts the connection by sending a SYN-ACK packet to the client and allocates memory for the state of that connection, so that subsequent client packets with the ACK flag set can be processed as part of the TCP connection. This connection setup process is called the “three-way handshake”. In a SYN flood attack, thousands of SYN packets are sent with spoofed source IP addresses. The server sends SYN-ACK packets to the spoofed addresses, which most likely ignore them because they never asked for a connection, but for some time (around 60 seconds) memory on the server remains reserved for each new half-open connection.
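The following added example (not code from the original article) plays out the handshake above against a listener with a bounded half-open backlog: the attacker sends spoofed SYNs that are never completed, a legitimate client is turned away while the backlog is full, and it succeeds again only after the 60-second entries expire. The same listener can be switched to SYN cookies, the standard stateless defence, where the server's initial sequence number is a keyed hash over the client's address so that no memory is held until the final ACK proves the client is real. The backlog size, timeout, cookie construction and all addresses are simplified assumptions.

```python
"""Simulates a TCP listener's half-open (SYN) backlog under a SYN flood, with the
three-way handshake messages from both sides, and the SYN-cookie defence.  Added
example, not code from the original article; backlog size, the 60 s timeout, the
cookie construction and all addresses are simplified, constructed assumptions."""
import hashlib
import random
from dataclasses import dataclass, field

SYN_TIMEOUT = 60.0   # seconds a half-open entry is kept before the server gives up


@dataclass
class Listener:
    backlog: int                      # maximum number of half-open connections
    syncookies: bool = False          # stateless defence: keep no memory per SYN
    half_open: dict = field(default_factory=dict)   # (ip, port) -> (expiry, server_seq)
    established: int = 0
    dropped_syns: int = 0
    secret: bytes = b"constructed-server-secret"    # constructed cookie key

    def _expire(self, now: float) -> None:
        self.half_open = {k: v for k, v in self.half_open.items() if v[0] > now}

    def _cookie(self, src: tuple) -> int:
        # SYN cookie: the server's initial sequence number is a MAC over the
        # client's address, so the final ACK can be verified without any state.
        mac = hashlib.sha256(self.secret + repr(src).encode()).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src: tuple, now: float):
        """Client -> server SYN.  Returns the SYN-ACK, or None if the SYN is dropped."""
        self._expire(now)
        if self.syncookies:
            return {"type": "SYN-ACK", "to": src, "seq": self._cookie(src)}
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                  # backlog full: new clients locked out
            return None
        seq = random.getrandbits(32)
        self.half_open[src] = (now + SYN_TIMEOUT, seq)
        return {"type": "SYN-ACK", "to": src, "seq": seq}

    def on_ack(self, src: tuple, ack: int, now: float) -> bool:
        """Client -> server ACK completing the handshake.  Returns True if established."""
        self._expire(now)
        if self.syncookies:
            ok = ack == (self._cookie(src) + 1) & 0xFFFFFFFF
        else:
            entry = self.half_open.pop(src, None)
            ok = entry is not None and ack == (entry[1] + 1) & 0xFFFFFFFF
        if ok:
            self.established += 1
        return ok


def simulate(backlog: int = 128, syncookies: bool = False, spoofed: int = 1000) -> dict:
    """Attacker sends `spoofed` SYNs from forged sources at t=0 and never answers
    the SYN-ACKs; a legitimate client tries at t=1 s and again after the timeout."""
    srv = Listener(backlog=backlog, syncookies=syncookies)
    for i in range(spoofed):
        src = (f"203.0.113.{i % 254 + 1}", 10000 + i)   # forged (ip, port), all distinct
        srv.on_syn(src, now=0.0)

    def legit_connect(now: float) -> bool:
        client = ("192.0.2.10", 40000 + int(now))
        synack = srv.on_syn(client, now)
        if synack is None:
            return False                            # SYN dropped: no SYN-ACK ever arrives
        return srv.on_ack(client, (synack["seq"] + 1) & 0xFFFFFFFF, now)

    return {
        "during_flood": legit_connect(1.0),
        "after_timeout": legit_connect(SYN_TIMEOUT + 1.0),
        "dropped_syns": srv.dropped_syns,
        "established": srv.established,
    }


if __name__ == "__main__":
    print("plain backlog:", simulate())
    print("syn cookies:  ", simulate(syncookies=True))
```

With the plain backlog, 872 of the 1000 spoofed SYNs are dropped and so is the legitimate client's SYN at t=1; only after the expiry does the client get through. With cookies enabled nothing is dropped and nothing is stored, at the cost that a SYN-ACK must be sent for every spoofed SYN, so bandwidth rather than memory becomes the limiting resource.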