What is a DDoS Attack?
DDoS is an abbreviation of Distributed Denial of Service. It is an attempt by an attacker to disrupt the traffic of a server or network by flooding it with Internet traffic sent from a botnet, a collection of compromised computers or IoT devices (the Internet of Things comprises around 8.5 billion devices such as cameras, cars and home appliances), so that the target either slows significantly or fails completely.
Effectively, a DDoS attack uses many different computers to target a specific network or server in order to prevent normal users from accessing it.
How Does a DDoS Attack Happen?
A DDoS attack is carried out by multiple devices targeting a single network or server. Those devices are directed to do so once they have been compromised and placed under the attacker's control.
The machines are infected with malware that allows them to be connected to, controlled and used as bots. The attacker can then control the bots remotely as a group, which is known as a Botnet.
A Botnet can be controlled and directed to send data requests to the target that has been chosen by the attacker.
The more devices there are in the Botnet, the greater the total volume of traffic sent to the target. The target may then receive more data requests than it can cope with and become saturated, so that normal traffic can no longer connect to it; this is the Distributed Denial of Service.
It is also difficult for the target to distinguish the legitimate devices requesting data from those that are part of the attack, as the Botnet is made up of ordinary devices of many kinds, spread across different geographical regions and networks.
Types of DDoS Attacks
Application Layer Attack
An Application Layer Attack targets the layer on the server where web pages are generated in response to HTTP requests.
This type of attack is effective because a single HTTP request can force the target to generate a number of files and queries; the cost of answering is far higher than the cost of asking, making it easier to overwhelm the target.
HTTP Flood Attack
In an HTTP Flood attack, each device in the Botnet makes a large number of HTTP requests to the server, flooding it with requests and denying service to normal users.
SYN Flood Attack
A SYN flood attack occurs when a large number of TCP SYN packets, normally with spoofed source IP addresses, are sent from a Botnet. The server handles each one as a connection request, replies with a SYN-ACK packet and then waits for a response from the sending address; because that address does not actually exist, the response never arrives.
Each unanswered SYN-ACK leaves a half-open connection that occupies a slot in the server's connection queue. These half-open connections reduce the number of connections available to the server, which prevents it from responding to legitimate requests.
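The half-open connection queue described above can be modelled directly. The following is an added example, not code from the original article: it replays constructed packet records through a half-open table, expires stale entries the way a SYN timer would, and reports the point at which the queue exceeds an assumed backlog, together with the /24 prefixes that sent the most SYNs. The backlog size, timeout and sample addresses are all assumptions.

```python
from collections import Counter

BACKLOG = 128        # assumed listen-queue size of the protected service
SYN_TIMEOUT = 60.0   # assumed seconds a half-open entry is kept before expiry

def prefix24(ip):
    """Aggregate a dotted-quad address to its /24 for reporting."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def track_half_open(packets, backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """Replay (ts, src_ip, src_port, flags) records through a half-open table.

    A SYN opens an entry and the client's final ACK closes it. Returns
    (flooded, peak_half_open, top_prefixes): flooded is True once the table
    exceeds the backlog, i.e. the point at which real clients start failing.
    """
    half_open = {}            # (src_ip, src_port) -> arrival time of the SYN
    syn_sources = Counter()   # /24 prefix -> SYNs seen from it
    peak, flooded = 0, False
    for ts, src_ip, src_port, flags in packets:
        # expire stale entries the way a real stack's SYN timer would
        for key in [k for k, t0 in half_open.items() if ts - t0 > timeout]:
            del half_open[key]
        key = (src_ip, src_port)
        if flags == "SYN":
            half_open[key] = ts
            syn_sources[prefix24(src_ip)] += 1
        elif flags == "ACK" and key in half_open:
            del half_open[key]  # handshake completed, no longer half-open
        peak = max(peak, len(half_open))
        if len(half_open) > backlog:
            flooded = True
    return flooded, peak, syn_sources.most_common(3)

def sample_packets():
    """Constructed traffic: two legitimate handshakes, then 200 spoofed SYNs."""
    pkts = [(0.0, "10.0.0.5", 40000, "SYN"), (0.1, "10.0.0.5", 40000, "ACK"),
            (0.2, "10.0.0.6", 40001, "SYN"), (0.3, "10.0.0.6", 40001, "ACK")]
    # spoofed sources never see the SYN-ACK, so no ACK ever follows these
    pkts += [(1.0 + i * 0.01, f"203.0.113.{i % 250}", 50000 + i, "SYN")
             for i in range(200)]
    return pkts

if __name__ == "__main__":
    print(track_half_open(sample_packets()))
```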
DNS Amplification Attack
A DNS Amplification attack is used to magnify the bandwidth sent to a victim, normally by making a request to an open DNS server with a spoofed source IP address.
The spoofed IP address is that of the target, which then receives a response from the DNS server consisting of a large amount of data, amplifying the attacker's initial request.
This type of attack is difficult to defend against because the responses are sent by legitimate servers and over UDP (User Datagram Protocol), which does not require a connection to the server, meaning that the source address of the request is not verified.
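From the victim's side, the tell-tale sign of the reflection described above is DNS response traffic arriving from many resolvers that dwarfs the queries the host actually sent. The following is an added example, not code from the original article: it runs over constructed flow records and flags hosts whose inbound UDP/53 bytes exceed their outbound query bytes by a large ratio. The thresholds and addresses are assumptions.

```python
import math
from collections import defaultdict

def detect_dns_reflection(flows, min_ratio=10.0, min_resolvers=5):
    """Flag hosts receiving far more DNS response bytes than they asked for.

    flows: iterable of (src_ip, src_port, dst_ip, dst_port, nbytes) records.
    Flows to port 53 are queries, flows from port 53 are responses. A
    reflection victim shows a high response/query byte ratio fed by many
    distinct resolvers. Returns {host: {"query_bytes", "response_bytes",
    "ratio", "resolvers"}} for the hosts that cross both thresholds.
    """
    query_bytes = defaultdict(int)     # host -> bytes it sent to port 53
    response_bytes = defaultdict(int)  # host -> bytes it received from port 53
    resolvers = defaultdict(set)       # host -> resolvers that answered it
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:
            query_bytes[src] += nbytes
        elif sport == 53:
            response_bytes[dst] += nbytes
            resolvers[dst].add(src)
    suspects = {}
    for host, rbytes in response_bytes.items():
        qbytes = query_bytes.get(host, 0)
        # a host that sent no queries at all yet receives answers is the worst case
        ratio = rbytes / qbytes if qbytes else math.inf
        if ratio >= min_ratio and len(resolvers[host]) >= min_resolvers:
            suspects[host] = {"query_bytes": qbytes, "response_bytes": rbytes,
                              "ratio": ratio, "resolvers": len(resolvers[host])}
    return suspects

def sample_flows():
    """Constructed flows: one ordinary client plus one reflection victim."""
    flows = [("10.0.0.5", 51000, "192.0.2.53", 53, 60),     # ordinary lookup
             ("192.0.2.53", 53, "10.0.0.5", 51000, 120),    # ordinary answer
             ("10.0.0.9", 51001, "198.51.100.1", 53, 64)]   # victim's only query
    # 20 open resolvers each return a 3000-byte answer the victim never asked for
    flows += [(f"198.51.100.{n}", 53, "10.0.0.9", 51001, 3000)
              for n in range(1, 21)]
    return flows

if __name__ == "__main__":
    for host, info in detect_dns_reflection(sample_flows()).items():
        print(host, info)
```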
What Tools are Available for Conducting a DDoS Attack?
The tools are normally embedded within malicious software (malware), and the attacks are launched by the controller of the Botnet (the attacker) without the knowledge of the owner of the system.
The attacker uses a program to connect to handlers, which are compromised systems used to connect to and send commands to the zombie agents (a Zombie computer is one that is connected to the Internet and has been compromised by a hacker so that the attacker can use it to perform malicious tasks).
The Zombie computers are compromised by the attacker via the handlers, which then issue the commands to the Zombie computers; each handler can control up to a thousand agents.
In addition, a computer user can willingly take part in a DDoS attack; for example, LOIC (Low Orbit Ion Cannon) performs a DoS attack on a target server by flooding it with TCP or UDP packets. IRC channels and hacker forums provide access to these coordinated LOIC attacks.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our clients' confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.