What is DDoS Attack and How to Prevent It?

May 17, 2024 | 62 mins read

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. The goal of a DDoS attack is to make the targeted resource unavailable to its intended users, causing downtime and potentially financial losses.

What are DDoS Attacks?

A DDoS (Distributed Denial of Service) attack uses a client/server architecture to combine many computers into a single attack platform directed at one or more targets, which greatly amplifies the power of a denial-of-service attack. Typically, the attacker uses a stolen account to install a master control program on one computer; at a set time that master communicates with a large number of proxy programs installed on many other computers on the network, and when instructed, the proxy programs launch the attack. Because of this client/server arrangement, the master control program can activate hundreds or thousands of proxy programs within seconds.

Basic Definition

First, let's delve into what a DDoS attack is using an analogy.

A group of bullies is trying to prevent a competitor's shop from operating normally. What methods might they employ? (This is just an example, do not imitate.) The bullies pose as regular customers and crowd the opponent's shop, refusing to leave, so that genuine shoppers cannot enter; they may engage the staff in idle chatter, disrupting their ability to serve customers; they could feed the shop owner false information, throwing the shop into chaos before anyone realizes it was all a ruse, ultimately driving away real customers and causing substantial losses. Sometimes these misdeeds cannot be accomplished by an individual alone and require a group effort. DoS and DDoS attacks in cybersecurity follow the same lines of thinking.

Of the three elements of information security, "confidentiality," "integrity," and "availability," DoS (Denial of Service) attacks target "availability." This type of attack exploits flaws in the network service functions of the target system or directly consumes its system resources, rendering the target system unable to provide normal services.

There are many ways to conduct DDoS attacks. The most basic DoS attack uses legitimate service requests to consume excessive service resources, so that legitimate users never receive a service response. A single DoS attack typically adopts a one-to-one approach, and its impact is significant when the target has a slow CPU, little memory, limited network bandwidth, or similarly weak performance indicators. With the rapid advancement of computer and network technologies, increased computing power, larger memory, and the emergence of gigabit-level networks have made DoS attacks harder to carry out: the target's "digestive capacity" for malicious attack packets has significantly improved. This is where the distributed denial of service attack method (DDoS) comes into play. DDoS uses many puppet machines (a botnet) to launch the attack, targeting victims on a far larger scale than before.

DDoS Attack Methods

DDoS attacks aim to paralyze a network by tying up a large amount of network resources with a high volume of apparently legitimate requests. These attack methods can be categorized as follows:

  1. IP Spoofing

    An IP spoofing attack involves attackers sending false packets to deceive servers. Specifically, the source IP address in the packet is set to a non-existent or invalid value. When the server receives the packet it tries to send a response, but that response never reaches a real originating computer. This forces the server to keep its listening port and associated connection state open while it waits, wasting various system resources.

  2. LAND Attack

    Similar to SYN floods, in a LAND attack, both the source and destination addresses in the attack packets are set to the IP address of the target machine. This type of attack causes the targeted machine to enter a loop, ultimately depleting its resources and crashing.

  3. ICMP Floods

    ICMP floods consume system resources by sending broadcast messages to poorly configured routers.

  4. Application Layer Floods

    Unlike the attack methods above, application layer floods primarily target the application layer of the OSI model. The goal remains the same: to consume system resources excessively. These attacks disrupt normal network services by making unbounded resource requests to network service programs such as IIS.

Attack Phenomena

    • Numerous TCP connections are waiting on the attacked host.
    • The network is flooded with a large number of useless data packets.
    • False source addresses are used to generate high volumes of useless data, causing network congestion and preventing the victim host from communicating with the outside world.
    • Exploiting vulnerabilities in the transmission protocols provided by the victim host to repeatedly and rapidly send specific service requests, overwhelming the host's ability to handle all normal requests.
    • In severe cases, it can lead to system crashes.

Characteristics of the Attack

Distributed Denial of Service (DDoS) attacks employ distributed attack methods, which deviate from the traditional point-to-point attack pattern. This change introduces irregular attack patterns, often utilizing common protocols and services that make it challenging to differentiate the attack based solely on protocol and service types. During the attack, the attack data packets are disguised and the source IP addresses are forged, making it difficult to pinpoint the origin of the attack and challenging to trace. This complexity renders it difficult to verify DDoS attacks using conventional detection methods.

Attack Characteristics

When analyzing distributed attacks, certain characteristics emerge. In a distributed denial-of-service attack, traffic is concentrated on the target's address, and the attack traffic performs no congestion control (it does not back off when packets are lost). Attackers often opt to use random ports for the assault, sending a large volume of data packets to the target across thousands of ports. If a fixed port is used for the attack, a substantial number of data packets are directed to that specific port.

Attack Classification

Based on the TCP/IP protocol layers, DDoS attacks can be categorized into ARP-based attacks, ICMP-based attacks, IP-based attacks, UDP-based attacks, TCP-based attacks, and application layer attacks.

  1. ARP-Based Attacks

    • ARP is a connectionless protocol. When an attacker sends a falsified ARP response, the receiving end processes this information, updating the ARP cache. Misleading ARP requests or replies with erroneous source or target address details can overwhelm the upper layers, causing the target host to lose network communication capabilities, leading to denial of service, such as ARP redirection attacks.
  2. ICMP-Based Attacks

    • Attackers broadcast multiple ICMP Echo request packets to a subnet's broadcast address, masking the source address as the desired target host's address. This prompts all hosts on the subnet to respond to the ICMP Echo request, flooding the target host with packets and causing network congestion.
  3. IP-Based Attacks

    • Exploiting vulnerabilities in the fragmentation reassembly process of IP packets can lead to server kernel crashes. For instance, Teardrop is an IP-based attack exploiting the overlap phenomenon after IP packet fragmentation and reassembly.
  4. Application Layer Attacks

    • Various application layer protocols like SMTP, HTTP, DNS, etc., can be targeted in these attacks. Attackers exploit weaknesses in these protocols to inundate servers with junk data, consuming server resources extensively.

DDoS Attack Process

Understanding a DDoS attack is more complex than understanding the infiltration of a single host. By grasping these principles, one gains insight into attackers' intentions and acquires prevention strategies. Generally, a DDoS attack orchestrated by hackers involves the following steps.


Information Gathering

Hackers are particularly interested in the following intelligence when planning a DDoS attack:

  • Number and addresses of target hosts
  • Configuration and performance of target hosts
  • Bandwidth of the target

When launching a DDoS attack, understanding the number of host machines supporting a specific website is crucial. Large websites may utilize load-balancing techniques across multiple hosts to provide the same www services for the site. Determining which address to attack is essential – causing one machine to crash while allowing others to continue providing services externally will not achieve the desired impact. In reality, each IP address often represents multiple machines due to load-balancing tactics using layer 4 or layer 7 switches. This complexity complicates the DDoS attacker's task as they may need to disrupt services on several host machines simultaneously.

Therefore, gathering intelligence beforehand is paramount for DDoS attackers as it dictates how many proxy machines are required for effectiveness. Consider this: under the same conditions, attacking two hosts on the same site might necessitate two proxy machines, while attacking five hosts could require five or more. Some argue that the more proxy machines used, the better – regardless of the number of target hosts, deploying numerous proxy machines can enhance effectiveness.

However, many hackers skip intelligence gathering and proceed directly with DDoS attacks, leading to significant blind spots and reliance on luck for success. Being a hacker requires diligence akin to that of a network administrator. The attitude towards tasks plays a crucial role in outcomes, with skill coming in second.

Occupation

Hackers are most interested in hosts exhibiting the following characteristics:

  • Well-networked hosts
  • High-performance hosts
  • Poorly managed security hosts

This section introduces another significant category of attack methods, exploitation-based (intrusion) attacks, which run in parallel with DDoS attacks. Essentially, these attacks occupy and control targeted hosts, gaining maximum administrative privileges or at least an account with sufficient permissions to carry out DDoS attack tasks. For a DDoS attacker, having a certain number of proxy machines ready is a necessary condition. Below is how they attack and occupy them.

Initially, hackers typically conduct scans, either randomly or with purposeful intent, using scanning tools to identify vulnerable machines on the internet. Weaknesses such as buffer overflow, CGI, Unicode, FTP, and database vulnerabilities, among others, are what hackers look for during these scans. Intrusion attempts follow, using techniques that are widely documented online.

Upon successfully occupying a proxy machine, what does the hacker do next? Besides basic tasks like setting up backdoors and erasing traces, the attacker may upload the DDoS attack program through FTP. This program on the attacking machine sends malicious attack packets to the target victims, orchestrated by the hacker.

Actual Attack

After meticulous preparation in the first two stages, hackers begin targeting and preparing to launch the attack. If the initial preparations are well done, the actual attack process tends to be relatively straightforward. As depicted in the figure, the hacker logs into the puppet machine acting as the control center and issues commands to all attack machines: "Prepare, aim, fire!" At this point, the DDoS attack program embedded in the attacking machines will respond to the control center's commands, collectively sending a high volume of data packets to the target hosts at high speeds, causing them to crash or become unresponsive to legitimate requests. Hackers typically launch attacks at speeds far exceeding the target's processing capabilities, showing no mercy.

Experienced attackers not only carry out the attack but also employ various methods to monitor its effects and make adjustments when necessary. A simple approach is to keep pinging the target host from a terminal window and, whenever a response still comes back, increase the traffic or command more puppet machines to join the attack.

As DDoS attack scales continue to break limits and attack methods become more complex, relying on traditional solutions alone is insufficient for businesses and organizations. A more comprehensive DDoS protection strategy is essential. This article will discuss common attack scenarios and explore various DDoS defense measures. For those interested in this topic, please continue reading below.

Similar to access control, DDoS defense was historically performed at the network layer using observation-based techniques such as rate limiting. For today's large-scale public cloud providers, however, network-layer attacks must be much larger to have an effect, and they are often absorbed separately from the application layer. Attackers are therefore shifting up the stack; modern DDoS attacks target the HTTP layer or the application logic itself. For instance, attackers might abuse a public library's book search API by repeatedly requesting the complete list of all books, consuming significant database resources and network bandwidth.

Regarding DDoS defense measures, several security solutions are available, including deploying high-defense (anti-DDoS) IP addresses, regularly checking server security, utilizing firewalls and intrusion detection systems, and leveraging cloud service provider defenses, all of which play a role. Proactive measures are the best defense against DDoS attacks. The key to preventing such attacks lies in possessing a system that can differentiate between malicious and legitimate traffic. To protect customers from DDoS attacks, F5's distributed cloud platform efficiently operates a global security network. This solution combines local defense with cloud-based DDoS protection to withstand targeted network and application layer attacks effectively.

In reality, when faced with choices like local protection, cloud cleaning services, and hybrid solutions, the issue is not whether to deploy a DDoS defense architecture but rather which architecture can most effectively help companies ensure service continuity and minimize losses during attacks. F5 DDoS mitigation can be deployed within the required business architecture and operational model, providing denial-of-service defense based on the application's hosting location in the cloud, on-premises, or a hybrid model, aligned with the preferred management level, offering the most suitable protection mode for the business.



How to Defend Against DDoS Attacks

DDoS, which stands for Distributed Denial of Service, in simple terms, involves flooding servers with a high volume of requests simultaneously, depleting the targeted server's resources. Server resources encompass computing power, network bandwidth, storage, and more. By various means, attackers aim to push the server's computing capacity to its limit, saturate network bandwidth, or exhaust storage space, rendering the server unable to respond to legitimate requests. Users can take the following measures to prevent DDoS attacks.

  1. Reduce Exposure

    • Minimize exposing ports to the public internet as much as possible to decrease potential attack vectors.
    • Configure security groups, ACLs (Access Control Lists), or iptables firewall rules. The objective of these three operations is essentially the same: limit access from unidentified clients, ideally as far from the server as possible.
    • Place servers behind CDNs (Content Delivery Networks) or load balancers. This serves the same purpose as the previous point. CDNs cache server resources on edge nodes, so users are served by the nearest edge node and pressure on the origin server is reduced. Load balancers distribute traffic to backend servers based on demand and run health checks on them, removing unhealthy servers so that they stop receiving requests.
  2. Secure Server Hardening

    • Patch security vulnerabilities promptly.
    • Optimize kernel parameters such as half-open connection timeout duration, full connection queue length, disabling ICMP broadcasts, etc.
  3. Implement Timely Damage Control

    • If defense measures fail, it is essential to implement timely damage control to minimize impact.
    • During the service deployment phase, aim to deploy only one service per cluster, ensuring that services do not interfere with each other. Even if one service is under attack, the impact can be minimized.
    • Establish a comprehensive monitoring and alert mechanism. Internally within a company, there should be monitoring of CPU usage, connection counts, etc. If thresholds are reached, alerts should be triggered and handled by designated personnel.
    • Conduct system stress testing and set up rate-limiting mechanisms. A thorough stress test of the business architecture is necessary to evaluate the throughput capability of the existing architecture. Implement rate limiting based on system performance to prevent DDoS attacks from overwhelming servers.
    • Ensure cluster scalability. When certain metrics within a cluster reach a threshold, prompt scaling of the cluster should be carried out to ensure business continuity.
  4. Identify Abnormal Traffic

    • The key to preventing DDoS attacks lies in distinguishing between normal and abnormal traffic. Understanding various DDoS attack methods and implementing corresponding defense actions is crucial.
    • Servers themselves have minimal capability to identify abnormal traffic; hence, many enterprises opt to purchase anti-DDoS services or dedicated devices like WAFs to defend against DDoS attacks.
  5. ACK/FIN/RST Floods

    These three types of DDoS attack are similar in that they all depend on sessions: if no session has been established, the packets are discarded outright, whether at the server or at the gateway. Determining whether such an attack is under way is relatively simple: compare the ratio of packets that hit an existing session to those that do not.
  6. Other

    Other attacks such as UDP reflection, HTTP flood, and SSL flood consist of requests that resemble normal traffic, which makes the abnormal traffic hard to identify; recognition may require algorithms. Defense methods similar to those for SYN floods can also be applied, chiefly by separating the source IP addresses of abnormal traffic from those of normal traffic.
    Lastly, if feasible, hping3 can be used to simulate layer 3 and layer 4 DDoS traffic against your own systems to test anti-DDoS functionality. Note that hping3 does not support IPv6, but open-source IPv6 DDoS testing tools such as ThcSyn6 are available online.
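Items 5 and 6 above describe the check a gateway or server can make: count the packets carrying ACK, FIN or RST flags that match an established session against those that do not, and pull out the source addresses behind the misses. The Python script below is an added example, not code from the original article or from any vendor product. The session table, the packet records, and the thresholds (a 0.5 miss ratio overall, 5 misses per source) are all constructed for illustration, with addresses drawn from the documentation ranges; it also counts how many distinct destination ports each suspect reaches, which reflects the random-port pattern described under Attack Characteristics.

```python
"""Detect ACK/FIN/RST floods by comparing packets that match an established
session with packets that do not (added example, constructed data)."""
from collections import defaultdict

# Constructed connection table, as a server or gateway would track it,
# keyed by (src_ip, src_port, dst_ip, dst_port) of established sessions.
ESTABLISHED_SESSIONS = {
    ("198.51.100.10", 51000, "203.0.113.5", 443),
    ("198.51.100.11", 51001, "203.0.113.5", 443),
    ("198.51.100.12", 51002, "203.0.113.5", 80),
}

# Constructed packet records: "src_ip,src_port,dst_ip,dst_port,tcp_flags".
# Six packets belong to real sessions, one is a fresh SYN, and forty bare
# ACK/RST packets from four sources in 192.0.2.0/24 hit random ports.
LEGITIMATE = [
    "198.51.100.10,51000,203.0.113.5,443,A",
    "198.51.100.10,51000,203.0.113.5,443,PA",
    "198.51.100.11,51001,203.0.113.5,443,A",
    "198.51.100.11,51001,203.0.113.5,443,FA",
    "198.51.100.12,51002,203.0.113.5,80,A",
    "198.51.100.12,51002,203.0.113.5,80,A",
    "198.51.100.13,51003,203.0.113.5,443,S",  # new handshake: no session yet, not a miss
]
FLOOD = [
    f"192.0.2.{i % 4 + 1},{40000 + i},203.0.113.5,{1024 + 7 * i},{'A' if i % 3 else 'R'}"
    for i in range(40)
]
SAMPLE_PACKETS = LEGITIMATE + FLOOD


def parse_packet(line):
    """Turn one record into (src_ip, src_port, dst_ip, dst_port, flags)."""
    src_ip, src_port, dst_ip, dst_port, flags = line.strip().split(",")
    return src_ip, int(src_port), dst_ip, int(dst_port), flags


def is_session_bound(flags):
    """ACK/FIN/RST packets only make sense inside a session; a SYN opens one,
    so SYN-carrying packets are excluded from the comparison."""
    return "S" not in flags and any(f in flags for f in "AFR")


def session_hit_stats(lines, sessions):
    """Count session-bound packets that match a known session versus those that
    do not, and record per-source misses plus the destination ports they touch."""
    hits = misses = 0
    per_source = defaultdict(lambda: {"misses": 0, "ports": set()})
    for line in lines:
        src_ip, src_port, dst_ip, dst_port, flags = parse_packet(line)
        if not is_session_bound(flags):
            continue
        if (src_ip, src_port, dst_ip, dst_port) in sessions:
            hits += 1
        else:
            misses += 1
            per_source[src_ip]["misses"] += 1
            per_source[src_ip]["ports"].add(dst_port)
    return hits, misses, per_source


def assess(lines, sessions, miss_ratio_threshold=0.5, min_misses_per_source=5):
    """Flag a flood when most session-bound packets miss the connection table,
    and list the sources responsible (candidates for filtering upstream).
    Both thresholds are assumptions for this example; tune them to real traffic."""
    hits, misses, per_source = session_hit_stats(lines, sessions)
    total = hits + misses
    miss_ratio = misses / total if total else 0.0
    suspects = {
        src: {"misses": info["misses"], "distinct_ports": len(info["ports"])}
        for src, info in per_source.items()
        if info["misses"] >= min_misses_per_source
    }
    return {
        "hits": hits,
        "misses": misses,
        "miss_ratio": round(miss_ratio, 3),
        "flood_suspected": miss_ratio >= miss_ratio_threshold,
        "suspects": suspects,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PACKETS, ESTABLISHED_SESSIONS))
```

In a real deployment the session table would come from the host's connection tracking (conntrack on Linux, for example) and the packets from a capture; the per-source miss counts are what feed the source-address separation that item 6 recommends.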
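Item 2 above lists the kernel parameters worth tuning (half-open connection timeout, connection queue lengths, and ICMP broadcast handling) without saying how to check them. The Python script below is an added example, not from the original article or any vendor: it parses output in the format `sysctl -a` prints, compares it with a baseline, and renders the lines for a drop-in file under /etc/sysctl.d/. The parameter names are real Linux sysctl keys; the target values in the baseline are this example's assumptions and should be adjusted to the measured capacity of your own servers.

```python
"""Compare kernel DDoS-related sysctl settings against a baseline
(added example; target values are assumptions, not kernel defaults)."""
import os

# Baseline chosen to shorten half-open connection lifetime, lengthen the
# connection queues and drop ICMP echo requests sent to broadcast addresses.
BASELINE = {
    # SYN cookies keep accepting connections once the half-open queue is full
    "net.ipv4.tcp_syncookies": ("==", 1),
    # fewer SYN-ACK retransmissions, so half-open connections time out sooner
    "net.ipv4.tcp_synack_retries": ("<=", 2),
    # length of the half-open (SYN) queue
    "net.ipv4.tcp_max_syn_backlog": (">=", 4096),
    # cap on the full connection (accept) queue length
    "net.core.somaxconn": (">=", 4096),
    # do not answer echo requests addressed to a broadcast address
    "net.ipv4.icmp_echo_ignore_broadcasts": ("==", 1),
}

OPS = {"==": lambda a, b: a == b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

# Constructed sample in the format `sysctl -a` prints; three values are weak.
SAMPLE_SYSCTL_OUTPUT = """\
net.core.somaxconn = 4096
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 60
"""


def parse_sysctl(text):
    """Map 'key = value' lines to a dict of string values; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_hardening(settings, baseline=BASELINE):
    """Return one finding per baseline key that is missing, non-numeric, or
    fails its comparison; an empty list means the host meets the baseline."""
    findings = []
    for key, (op, wanted) in baseline.items():
        raw = settings.get(key)
        try:
            current = int(raw)
        except (TypeError, ValueError):  # missing key or non-numeric value
            current = None
        if current is None or not OPS[op](current, wanted):
            findings.append({
                "key": key,
                "current": current,
                "wanted": f"{op} {wanted}",
                "fix": f"{key} = {wanted}",
            })
    return findings


def read_live_settings(keys=BASELINE):
    """Read current values from /proc/sys on a Linux host (dotted key -> path).
    Returns an empty dict on other systems so the sample can be used instead."""
    settings = {}
    for key in keys:
        path = os.path.join("/proc/sys", *key.split("."))
        try:
            with open(path) as fh:
                settings[key] = fh.read().strip()
        except OSError:
            pass  # key absent on this kernel or not a Linux host
    return settings


def render_sysctl_conf(findings):
    """Lines for a file under /etc/sysctl.d/, applied with `sysctl --system`."""
    return "\n".join(f["fix"] for f in findings)


if __name__ == "__main__":
    live = read_live_settings()
    settings = live if live else parse_sysctl(SAMPLE_SYSCTL_OUTPUT)
    print("source:", "live /proc/sys" if live else "constructed sample")
    findings = check_hardening(settings)
    for f in findings:
        print(f"{f['key']}: current={f['current']} wanted {f['wanted']}")
    print("--- suggested /etc/sysctl.d/ drop-in ---")
    print(render_sysctl_conf(findings))
```

Run on a Linux host it reads the live values; anywhere else it falls back to the constructed sample, which reports the retransmission count, the SYN backlog, and the ICMP broadcast setting as findings.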

    Integrating with CDN5's secure protection CDN, which offers a free trial, is the best DDoS defense product available, bar none.
