
Medow SoFt HD Opinion - Cyber Security

Introduction in DoS and DDoS (03.05.2022)


What is a Denial of Service attack?

In this attack a malicious actor uses a system under their control to send a continuous stream of requests at a target (usually some form of server). The resulting flood of unnecessary, junk requests overwhelms the target's capacity to handle traffic, making it slow or unusable and possibly taking the service down entirely (a refusal, or denial, of service) for legitimate users.

Affected services may include e-mails, websites, online accounts (e.g., banking services), or other services that rely on the attacked and affected computer or network.

The most damaging attacks generally occur when an internet service provider (ISP) or a cloud service provider is the one targeted, because then the whole network that depends on it also loses service.

The most common forms of DoS are the Smurf attack and the SYN flood.

The Smurf attack consists of broadcasting spoofed Internet Control Message Protocol (ICMP) packets to a large number of hosts, with the source Internet Protocol (IP) address forged to be that of the target machine. The recipients of these spoofed packets all reply to the forged source, and the target host is flooded with their responses until it is denied service.

SYN flooding relies on the same idea of overwhelming the target, but here the attacker sends connection requests to the target server by initiating the SYN phase of the Transmission Control Protocol (TCP/IP) handshake and never completing it. Each such half-open connection keeps the port in a busy state, unavailable for further requests. The attacker keeps sending requests until all open ports are saturated and legitimate users can no longer connect.
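Both patterns described above leave a recognisable trace in traffic: a SYN flood shows up as many half-open connections from many sources with few completed handshakes, and a Smurf attack as a burst of ICMP echo replies for which the victim never sent a request. The following detector is an added example, not part of the original article; it runs over constructed packet records whose field layout is assumed and does not correspond to any particular capture tool.

```python
from collections import defaultdict

# Constructed sample traffic (not a real capture). Each record is
# (proto, src, dst, dport, flags). TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK.
# ICMP flags: "req" echo request, "rep" echo reply; dport is None for ICMP.
VICTIM = "192.0.2.10"
SAMPLE = (
    # Two legitimate clients completing the full three-way handshake.
    [("tcp", "198.51.100.5", VICTIM, 443, "S"), ("tcp", VICTIM, "198.51.100.5", 443, "SA"),
     ("tcp", "198.51.100.5", VICTIM, 443, "A"),
     ("tcp", "198.51.100.6", VICTIM, 443, "S"), ("tcp", VICTIM, "198.51.100.6", 443, "SA"),
     ("tcp", "198.51.100.6", VICTIM, 443, "A")]
    # SYN flood: 40 (spoofed) sources send a SYN and never finish the handshake.
    + [("tcp", f"203.0.113.{i}", VICTIM, 443, "S") for i in range(1, 41)]
    # Smurf: the victim sent one echo request, yet replies arrive from 30 other hosts.
    + [("icmp", VICTIM, "198.51.100.20", None, "req"), ("icmp", "198.51.100.20", VICTIM, None, "rep")]
    + [("icmp", f"203.0.113.{i}", VICTIM, None, "rep") for i in range(100, 130)]
)

def half_open_by_service(packets):
    """Return {(dst, dport): (half_open, completed, distinct_sources)} for TCP.
    A client SYN opens a pending entry; a later ACK from the same client to the
    same service completes it. Whatever is still pending is half-open."""
    pending, completed = {}, defaultdict(int)
    for proto, src, dst, dport, flags in packets:
        if proto != "tcp":
            continue
        if flags == "S":
            pending[(src, dst, dport)] = True
        elif flags == "A" and pending.pop((src, dst, dport), None):
            completed[(dst, dport)] += 1
    report = defaultdict(lambda: [0, 0, set()])
    for src, dst, dport in pending:
        report[(dst, dport)][0] += 1
        report[(dst, dport)][2].add(src)
    for svc, n in completed.items():
        report[svc][1] += n
    return {svc: (ho, comp, len(srcs)) for svc, (ho, comp, srcs) in report.items()}

def unsolicited_echo_replies(packets):
    """Return {dst: number of distinct sources} for ICMP echo replies that
    do not match any echo request the destination itself sent."""
    requested = {(s, d) for p, s, d, _, f in packets if p == "icmp" and f == "req"}
    unsolicited = defaultdict(set)
    for p, src, dst, _, f in packets:
        if p == "icmp" and f == "rep" and (dst, src) not in requested:
            unsolicited[dst].add(src)
    return {dst: len(srcs) for dst, srcs in unsolicited.items()}

def detect(packets, syn_half_open=20, icmp_sources=20):
    """Thresholds are illustrative; tune them to the monitored service's baseline."""
    alerts = []
    for (dst, dport), (ho, comp, srcs) in half_open_by_service(packets).items():
        if ho >= syn_half_open and ho > 4 * max(comp, 1):  # many half-open, few completed
            alerts.append(f"SYN flood suspected on {dst}:{dport}: {ho} half-open from {srcs} sources, {comp} completed")
    for dst, n in unsolicited_echo_replies(packets).items():
        if n >= icmp_sources:
            alerts.append(f"Smurf-style ICMP reply flood on {dst}: unsolicited replies from {n} sources")
    return alerts
```

Run against only the first six legitimate records, `detect` stays silent, which is the sanity check any flood heuristic should pass before it is trusted on live traffic.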

The traffic generated by the attacking machines can also affect networks that were not directly targeted but lie on the path to the victim; at the same time, part of the attack's effort is dissipated across those networks, which diminishes the intensity reaching the target.

What is a distributed denial of service (DDoS) attack?

It is a large-scale form of DoS attack in which many machines operate together against a single target, multiplying the computing power behind the attack. To amplify the effect, which is the whole point of this evolution of DoS, attackers use one or more botnets that hijack as many internet-connected devices as possible to carry out large-scale attacks.

The botnet is, in practice, command-and-control software that takes advantage of security vulnerabilities or weaknesses in the devices it infects. Once in control, an attacker can command the botnet (the infected machines/devices themselves, which collectively become the botnet) and thus direct and concentrate the attack on the chosen target, either manually or automatically.

In general this is a process that develops over time: the whole assembly is prepared for a later attack, and during this preparation the botnet stays completely inactive. In fact, botnets (made up of compromised devices) are nowadays rented out to other would-be attackers, giving rise to malicious "attack-for-hire" services that let people without the skills or the infrastructure launch DDoS attacks of their own.

So DDoS is nothing more than an evolution and refinement of the DoS attack to maximise its effect. DDoS allows exponentially more requests to be sent to the target, increasing the attack's power, which is further increased by the possibility of concentrating the attack on a chosen point.

In addition, the difficulty of attribution increases, since the true source of the attack becomes much harder to identify.

DDoS attacks have grown in scale as the attack surface area increases with the entry of more and more devices, including those related to the Internet of Things (IoT).

As an aside (we will return to this topic a little later), IoT devices often ship with default passwords and lack solid security capabilities, which makes them easy to compromise and exploit. Moreover, the infection of an IoT device usually goes unnoticed by its user, so an attacker can compromise hundreds of thousands, even millions, of such devices to carry out a large-scale attack without their owners' knowledge (this is in fact a primary goal of those who own and control true "farms" of compromised devices).

A well-known case is the botnet called Meris, which appeared in mid-2021 and became the source of multiple high-volume, application-level DDoS attacks.

Obviously, the attacks have also diversified and been refined. Persistent DDoS attacks against VoIP providers around the world and UDP (User Datagram Protocol) floods have become the most common attack vectors, and there has also been a large increase in SMTP-based attacks at the network level.

Clearly, extortion or ransom DDoS attacks (RDDoS, RDoS) have emerged as a new threat, becoming ever more complex and larger, with the volume of these attacks setting historical records almost month after month.

And the threat actors are getting stronger and more organised, represented by notorious hacking groups such as Fancy Bear, Cozy Bear, Lazarus Group, Armada Collective and many others that emerge from the shadows.

What would be the purpose, the benefit of such an attack?

From the very appearance of this type of attack, whether in its DoS form or its evolved DDoS form, its purpose has been blackmail and, ultimately, material or reputational gain for the attacker or for whoever the attacker serves.

Initially, DoS and DDoS attacks were used to threaten businesses with an online presence whose operations depend on being reachable over the Internet. For example, a business would be threatened with an attack on its site and then actually attacked (even if only by loading it with traffic and slowing it down, not necessarily blocking it completely), after which the demand for payment to stop the attacks would follow; the attacker had demonstrated their capability, hence the apparent or real need for the victim to pay.

For example, ransom-motivated DDoS attacks increased by 29% year-on-year and by 175% at the end of 2021. In December 2021 alone, one in three customers was either targeted by a ransom DDoS attack or threatened with one by an attacker.

It did not take long for this attack to also become a tool of influence, with not only financial but also social, political and similar impact.

And so more and more organisations began to build internal infrastructure capable of defending against large-scale DDoS attacks, and the use of services such as a Content Delivery Network (CDN) or a DDoS mitigation provider slowly became essential.

Such a service is positioned between the so-called "home" (origin) server, which controls the delivery of content, and the users of the online service on the Internet. Thus, any traffic directed at the online service first passes through the CDN and the DDoS mitigation layer, where it is inspected before it touches the infrastructure being protected.

But what about the zero-days (new hardware and/or software vulnerabilities) that keep popping up lately?!? For example, at the end of 2021 a Log4j vulnerability appeared whose first remediation addressed a seemingly minor but "high"-rated DoS-type issue in Log4j, tracked in the Apache JIRA project. The situation turned out to allow infinite recursion and uncontrolled execution, including the possibility of data exfiltration.

The problem seemed fixed, but at that very moment Google discovered that over 35,000 Java packages carried the Log4j defect, without even counting transitive dependencies (packages pulled in indirectly).
And such problems keep arising...





Dorin M - May 01, 2022