Medow SoFt HD Opinion - Cyber Security
Introduction to DoS and DDoS (03.05.2022)
What is a Denial of Service attack?
A Denial of Service (DoS) attack is carried out by a malicious actor who uses a system to send a continuous stream of requests, generating traffic that floods a target (usually some form of server). The target becomes overwhelmed by unnecessary (junk) requests, slows down, and may stop serving legitimate users entirely (the refusal of service).
Affected services may include e-mail, websites, online accounts (e.g., banking services), or any other service that relies on the attacked computer or network.
The most severe attacks generally occur when an internet service provider (ISP) or a cloud service provider is targeted, because the whole network behind it then loses service as well.
The most common forms of DoS are Smurf attacks and SYN flooding (SYN flood) attacks.
In a Smurf attack, Internet Control Message Protocol (ICMP) packets are broadcast to a large number of hosts with a spoofed Internet Protocol (IP) source address that belongs to the target machine. The recipients of these spoofed packets then reply, and the target host is flooded with their responses until it is denied service.
SYN flooding relies on the same idea of mass sending, but here the attacker sends connection requests to the target server that only initiate the SYN phase of the Transmission Control Protocol (TCP)/IP handshake and never complete it, leaving the connected port in a busy (half-open) state that cannot serve additional requests. The attacker keeps sending such requests, saturating all open ports and blocking users from connecting.
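As an added example (not from the original article), the following Python detector shows how a defender could recognize both patterns described above in connection logs: SYNs that are never followed by the sender's ACK (half-open connections), and a burst of ICMP echo replies from many sources converging on one host. The log line format, field names and sample lines are constructed for this example.

```python
from collections import defaultdict

# Constructed sample log (not real traffic). Field format, assumed for
# this example: "<ts> <proto> <src_ip> <dst_ip> <dst_port> <flags>".
# One legitimate handshake, a SYN flood from 40 sources toward port 80,
# and a Smurf-style storm of ICMP echo replies from 30 hosts at one target.
SAMPLE_LOG = (
    "1 TCP 10.0.0.5 192.0.2.10 443 SYN\n"
    "2 TCP 10.0.0.5 192.0.2.10 443 ACK\n"
    + "\n".join(f"{3+i} TCP 198.51.100.{i} 192.0.2.10 80 SYN" for i in range(40))
    + "\n"
    + "\n".join(f"{50+i} ICMP 203.0.113.{i} 192.0.2.10 0 ECHO_REPLY" for i in range(30))
)

def parse(line):
    ts, proto, src, dst, port, flags = line.split()
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst,
            "port": int(port), "flags": flags}

def detect(log_text, syn_threshold=20, icmp_threshold=20):
    """Return (kind, target, count) findings.
    syn_flood: distinct sources whose SYN to (dst, port) was never followed
               by their own ACK (half-open connections) reach syn_threshold.
    smurf:     distinct sources sending ICMP echo replies to one host reach
               icmp_threshold (the victim never sent the echo requests)."""
    half_open = defaultdict(set)        # (dst, port) -> sources that sent SYN
    completed = defaultdict(set)        # (dst, port) -> sources that sent ACK
    echo_reply_srcs = defaultdict(set)  # dst -> distinct sources of replies
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        key = (r["dst"], r["port"])
        if r["proto"] == "TCP" and r["flags"] == "SYN":
            half_open[key].add(r["src"])
        elif r["proto"] == "TCP" and r["flags"] == "ACK":
            completed[key].add(r["src"])
        elif r["proto"] == "ICMP" and r["flags"] == "ECHO_REPLY":
            echo_reply_srcs[r["dst"]].add(r["src"])
    findings = []
    for key, srcs in half_open.items():
        pending = srcs - completed[key]          # SYNs with no matching ACK
        if len(pending) >= syn_threshold:
            findings.append(("syn_flood", f"{key[0]}:{key[1]}", len(pending)))
    for dst, srcs in echo_reply_srcs.items():
        if len(srcs) >= icmp_threshold:
            findings.append(("smurf", dst, len(srcs)))
    return findings
```

Calling `detect(SAMPLE_LOG)` reports one SYN flood against 192.0.2.10:80 and one Smurf-style reply storm against 192.0.2.10, while the completed handshake on port 443 is left alone.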
The traffic from the attacking computers can, through a DoS attack, also affect individual networks that were not directly targeted; those networks absorb part of the request stream, which diminishes the intensity of the attack.
What is a distributed denial of service (DDoS) attack?
It is a large-scale form of DoS attack that occurs when multiple machines operate together against a single target, increasing the computational capacity behind the attack. To amplify the effect, which is the whole point of this evolution of the DoS attack, attackers use one or more botnets that hijack as many internet-connected devices as possible to carry out large-scale attacks.
The botnet is in fact driven by command and control software and takes advantage of security vulnerabilities or weaknesses in the infected devices. Once in control, an attacker can command the botnet (essentially the set of infected machines/devices that together form the botnet) and thus direct and focus the attack on the chosen target, either on command or automatically.
In general, this is a process that develops over time: the entire assembly is prepared for a later attack, and during this time the botnet remains completely inactive. In fact, botnets (made up of compromised devices) are nowadays rented out to other would-be attackers, giving rise to malicious "attack-for-hire" services that allow users without the skills or the infrastructure to launch DDoS attacks.
So DDoS is nothing but an evolution, a refinement of DoS attacks to maximize their effect: DDoS allows exponentially more requests to be sent to the target, increasing the attack's power, which is further increased by the possibility of concentrating the attack.
In addition, attribution becomes harder, since the true source of the attack is far more difficult to identify.
DDoS attacks have grown in scale as the attack surface expands with the arrival of more and more devices, including those belonging to the Internet of Things (IoT).
As an aside (we will return to this topic a little later), IoT devices often ship with default passwords and lack solid security capabilities, which makes them vulnerable to compromise and exploitation. Moreover, the infection of an IoT device often goes unnoticed by its user, so an attacker can compromise hundreds of thousands, even millions, of such devices and carry out a large-scale attack without their owners' knowledge (in fact, this is a major goal of those who own and control true "farms" of compromised devices).
A well-known case is the botnet called Meris, which appeared in mid-2021 and became the source of multiple high-volume application-level DDoS attacks.
Obviously, the attacks have also diversified and been refined. Persistent DDoS attacks against VoIP providers around the world and UDP (User Datagram Protocol) flooding have become the most common attack vectors, and there has also been a large increase in SMTP-based network-level attacks.
Clearly, extortion or ransom DDoS attacks (RDDoS, RDoS) have become a new threat, growing ever more complex and larger and setting historical volume records almost month to month.
And the threat actors are getting stronger and more organized, represented by notorious hacking groups such as Fancy Bear, Cozy Bear, Lazarus Group, Armada Collective and many others that emerge from the shadows.
What would be the purpose, the benefit of such an attack?
From the very appearance of this type of attack, be it DoS or its evolved form DDoS, its purpose has been blackmail and, possibly, material or reputational gain for the attacker or for whoever the attacker serves.
Initially, DoS and DDoS attacks were used to threaten businesses with an online presence whose operations depend on the Internet. For example, a business would be threatened with an attack on its site and then actually attacked (even just by loading it with traffic and slowing its activity, not necessarily blocking its functionality), after which the blackmail demand appeared: pay to stop the attacks (the attacker having demonstrated the capability, hence the apparent or real need for the victim to pay).
For example, ransom-motivated DDoS attacks increased by 29% year-on-year and by 175% at the end of 2021. In December 2021 alone, one in three customers was targeted by a ransom DDoS attack or threatened by an attacker.
It did not take long for this kind of attack to become the basis for gestures of influence, not only financial but also with social, political and other impact.
And so more and more organizations began hosting internal infrastructure able to defend against large-scale DDoS attacks, while the use of services such as a Content Delivery Network (CDN) or a DDoS mitigation provider slowly became essential.
Such a service is positioned between the so-called "home server", which controls the provision of content, and the users of the online service on the Internet. Thus, any traffic directed at the online service first passes through the CDN and DDoS mitigation layer, where it is checked before it reaches the infrastructure being protected.
But what about the zero-days (new hardware and/or software vulnerabilities) that keep popping up lately?!? For example, at the end of 2021 the log4j vulnerability appeared; its first fix required a seemingly minor but "high"-severity DoS-type remediation affecting log4j, tracked in the Apache JIRA project. A situation that involved infinite recursion and repeated triggering, including the possibility of data exfiltration.
The problem seemed fixed, but at that very moment Google discovered that over 35,000 Java packages carried the log4j defect, not counting transitive dependencies (indirectly borrowed packages).
And such problems still arise...
We will continue!
Sources:
Understanding denial of service attacks – 04.11.2009
Securing the Internet of Things – 14.11.2019
Upgraded to log4j 2.16? Surprise, there is a remediation DoS 2.17 – 18.12.2021
Report: DDoS attacks increase year-on-year as cybercriminals demand exorbitant payments – 10.02.2022
DDoS attacks through extortion become stronger and more frequent – 10.02.2022
FBI: Thousands of organizations targeted by the RDoS extortion campaign – 03.09.2020
Note Dorin M.
This site has a double form, one in HTML and one in Joomla (if you are interested in the utility behind this effort, you can read the "Why a HTML and a CMS (Joomla)" page).
That's why I suggest you, depending on your desire, to use the HTML form for simple browsing / information or the Joomla form if you want in-depth studies / searches using the CMS search engine.
Dorin M - May 01, 2022