A guide to cyber attacks: Denial of Service – Part 3
To conclude this three-part series on cyber attacks, Information Age examines the various types of DoS within the cyber space.
A Denial of Service, or DoS, is a category of cyber attack that involves culprits incapacitating a targeted server from a single computer, rendering the targeted server unavailable to users.
This can usually be achieved by flooding a victim’s server with traffic or disrupting server connections.
Attackers send messages to a network or server requesting authentication of requests. These messages carry invalid return addresses, so the network or server cannot complete the exchange and the connection fails.
A key factor in these attacks is the excessive frequency of messages sent.
Experts cite several signs that a victim is under a DoS attack, including degraded network performance, inability to reach a particular site, and a higher than average volume of spam email.
The motives for a DoS attack usually lie in the wish to cause inconvenience to a particular person or organisation, but rarely is it carried out for financial gain.
The methods and motives of a DoS attack vary by the type, several of which are covered below.
Distributed Denial of Service
Arguably the most notable variety of DoS in the cyber space, Distributed Denial of Service (DDoS) is a DoS that originates from several compromised devices and is aimed at a particular server.
These devices are usually infected with a Trojan horse beforehand. The attacker then uses the Trojan as a backdoor into other devices on the same network, taking control of them so that they send hordes of authentication requests to a server. Such a network of hijacked devices is known as a botnet.
This type of DoS, which is often a global matter, is frequently used by attackers to make a point against an organisation or to contribute to a cause. Attacks under this category can be split into many subtypes, including:
– Traffic attacks, which involve the sending of TCP, UDP and ICMP packets, as well as the occasional piece of malware.
– Bandwidth attacks, which cause a DoS via large volumes of junk data.
– Application attacks, which deplete application layer resources, rendering the application unavailable to users.
According to a recent report by Corero, DDoS attacks have risen by 40% within the last year, while the duration of attacks has decreased, with 77% of participants reporting attacks lasting a maximum of 10 minutes.
Additionally, one in five organisations were found to be targeted within 24 hours of an initial DDoS.
One prominent and recent DDoS case is that of the attack on poker site 888Poker, which occurred during a tournament.
Over the past few days we have been experiencing some technical issues following a series of DDoS attacks. This is of course very frustrating for all concerned and we are working 24/7 to resolve things and resume normal service as soon as possible. 1/2
— 888poker (@888poker) September 11, 2018
We apologize for any inconvenience caused. Rest assured that all account details are absolutely safe and secure. If you have any questions please contact our support team by email at email@example.com. 2/2
— 888poker (@888poker) September 11, 2018
TCP SYN Flood
A TCP SYN Flood is a type of DDoS attack that relies on SYN packets to overwhelm all server ports on a targeted device. The method aims to disrupt the Transmission Control Protocol (TCP) three-way SYN, SYN-ACK, ACK handshake between two computers:
– Computer A sends a ‘synchronise’ (SYN) request to Computer B; Computer B receives it.
– Computer B sends a ‘synchronise acknowledgement’ (SYN-ACK) reply to Computer A; Computer A receives it.
– Computer A acknowledges the reply (ACK), and a TCP socket connection is made.
In a SYN Flood attack, however, a culprit behind a compromised device and a spoofed IP address continuously sends SYN requests to each port of another device. The attacked computer responds each time with a SYN-ACK message, but never receives the final ACK that completes a normal three-way handshake.
Because the attacker is using invalid IP addresses, the victimised computer cannot tell that it is being attacked and therefore cannot reset these connections.
After some time, the victimised server’s resources become exhausted as these half-open connections pile up, meaning that legitimate users will not be able to connect to it.
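As an added illustration (not code from the Information Age article), the following Python model shows why a stateful listener runs out of room when the final ACK never arrives, and how SYN cookies, the standard mitigation, let a server answer SYNs without remembering them. It is an in-memory toy rather than a network stack: the backlog size, addresses, ports and HMAC secret are constructed values, and a real SYN cookie also encodes a timestamp and MSS, which is omitted here.

```python
"""Toy model of a TCP listener's SYN backlog under a SYN flood, with and
without SYN cookies. Not a network stack; all values are constructed."""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic listener: every SYN-ACK we send holds a backlog slot until the
    final ACK arrives. Real stacks age entries out after a timeout, but a
    sustained flood refills the backlog faster than it drains."""

    def __init__(self, backlog=5):          # tiny backlog so the effect shows quickly
        self.backlog = backlog
        self.half_open = {}                  # (src_ip, src_port) -> ISN sent in SYN-ACK
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1           # backlog full: legitimate SYNs are dropped too
            return None
        isn = (1000 + len(self.half_open)) & MASK32   # any ISN will do for the toy
        self.half_open[(src_ip, src_port)] = isn
        return isn                           # server would now send SYN-ACK(seq=isn)

    def on_ack(self, src_ip, src_port, ack_num):
        key = (src_ip, src_port)
        isn = self.half_open.get(key)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        del self.half_open[key]              # handshake complete, slot freed
        self.established.add(key)
        return True


class SynCookieListener:
    """SYN-cookie listener: the ISN in our SYN-ACK is an HMAC over the peer's
    address, so the final ACK can be verified without any stored state.
    Spoofed SYNs whose ACK never comes therefore cost nothing."""

    def __init__(self, secret=b"constructed-demo-secret"):
        self.secret = secret
        self.established = set()

    def _cookie(self, src_ip, src_port):
        msg = f"{src_ip}:{src_port}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port)   # nothing is remembered

    def on_ack(self, src_ip, src_port, ack_num):
        if ack_num != (self._cookie(src_ip, src_port) + 1) & MASK32:
            return False                     # not an ACK for a cookie we would have issued
        self.established.add((src_ip, src_port))
        return True


def simulate(listener, flood_syns=20):
    """Send `flood_syns` spoofed SYNs that never complete, then attempt one
    legitimate handshake. Returns True if the legitimate client connects."""
    for i in range(flood_syns):
        listener.on_syn(f"198.51.100.{i}", 40000 + i)   # constructed spoofed sources
    isn = listener.on_syn("192.0.2.10", 51234)           # constructed real client
    if isn is None:
        return False                                      # SYN dropped, no SYN-ACK sent
    return listener.on_ack("192.0.2.10", 51234, (isn + 1) & MASK32)


if __name__ == "__main__":
    print("stateful listener during flood:", simulate(StatefulListener()))     # False
    print("SYN-cookie listener during flood:", simulate(SynCookieListener()))  # True
```

Running the script shows the stateful listener refusing the legitimate client once the spoofed SYNs have filled its backlog, while the cookie listener accepts it because it stored nothing for the flood.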
Teardrop Attack
A teardrop attack, also known as an IP fragmentation attack, involves an attacker sending fragments of TCP packets to a server. Because these fragments overlap, the server cannot reassemble them, causing it to go down.
The fragments exploit a bug that makes them impossible to reassemble.
The attack’s name relates to its gradual process.
Fortunately, today’s operating systems are perfectly capable of dropping these packets so that they do not affect servers.
Smurf Attack
The Smurf DDoS involves ‘smurf’ malware creating network packets with spoofed IP addresses. These packets contain an Internet Control Message Protocol (ICMP) ‘ping’ message requesting a reply.
The packets are sent to an IP broadcast network, which in turn transmits the malware to all IP addresses on the targeted network.
As a result of these IP addresses constantly replying to these requests, an infinite loop occurs, leading to the server eventually being shut down for hours or even days.
This attack could also serve as a distraction from a worse attack, such as data theft.
In the past, the smurf malware has been downloaded inadvertently from compromised websites or email links.
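As an added example of what the Smurf pattern looks like from the defender's side (not code from the article), the Python below scans a constructed flow log for the two signals the attack produces: ICMP echo requests addressed to a network's broadcast address, and a single host receiving echo replies from many different senders, which is the spoofed source that ends up flooded. The log format, addresses, network and thresholds are all invented for the demonstration.

```python
"""Spot Smurf-style ICMP traffic in a simple flow log. Added example; the
log format, addresses and thresholds are constructed, not from the article."""
import ipaddress
from collections import defaultdict

# Constructed sample log: timestamp, protocol, type, "src -> dst".
SAMPLE_LOG = """\
2018-09-11T10:00:01 ICMP echo-request 192.0.2.10 -> 203.0.113.255
2018-09-11T10:00:01 ICMP echo-reply 203.0.113.5 -> 192.0.2.10
2018-09-11T10:00:01 ICMP echo-reply 203.0.113.6 -> 192.0.2.10
2018-09-11T10:00:01 ICMP echo-reply 203.0.113.7 -> 192.0.2.10
2018-09-11T10:00:02 ICMP echo-request 192.0.2.10 -> 203.0.113.255
2018-09-11T10:00:02 ICMP echo-reply 203.0.113.8 -> 192.0.2.10
2018-09-11T10:00:03 ICMP echo-request 203.0.113.20 -> 203.0.113.21
2018-09-11T10:00:03 ICMP echo-reply 203.0.113.21 -> 203.0.113.20
2018-09-11T10:00:03 UDP dns 203.0.113.20 -> 203.0.113.53
"""

LOCAL_NETWORK = ipaddress.ip_network("203.0.113.0/24")   # constructed network


def parse_log(text):
    """Turn each non-empty log line into a record with parsed addresses."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, kind, src, _arrow, dst = line.split()
        records.append({"ts": ts, "proto": proto, "type": kind,
                        "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst)})
    return records


def directed_broadcast_pings(records, network):
    """Echo requests aimed at the broadcast address. Every host that honours
    broadcast pings answers each one, so the reply volume is multiplied."""
    return [r for r in records
            if r["proto"] == "ICMP" and r["type"] == "echo-request"
            and r["dst"] == network.broadcast_address]


def amplification_victims(records, min_responders=3):
    """Hosts receiving echo replies from at least `min_responders` distinct
    senders. A host that never sent those pings is the spoofed victim."""
    responders = defaultdict(set)
    for r in records:
        if r["proto"] == "ICMP" and r["type"] == "echo-reply":
            responders[r["dst"]].add(r["src"])
    return {str(dst): len(srcs) for dst, srcs in responders.items()
            if len(srcs) >= min_responders}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in directed_broadcast_pings(recs, LOCAL_NETWORK):
        print(f"{r['ts']} broadcast ping from {r['src']} to {r['dst']}")
    print("amplification victims:", amplification_victims(recs))
```

On the sample log the script flags the two broadcast pings and reports 192.0.2.10 as receiving replies from four different hosts. The usual fixes sit at the amplifier rather than the victim: routers should not forward directed broadcasts (Cisco IOS has done this by default since 12.0, via `no ip directed-broadcast`), and hosts should ignore broadcast echo requests (on Linux, `net.ipv4.icmp_echo_ignore_broadcasts=1`, which is the default).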
Ping of Death
A Ping of Death, or PoD, is a DoS that involves attackers sending IP packets that are larger than the size allowed by the IP protocol.
Experts agree that the maximum packet size allowed is 65,536 bytes.
The packets, sent from spoofed IP addresses, are sent in fragments in order to bypass the IP protocol’s rules.
As dangerous as this attack sounds, modern operating systems are not vulnerable to it: they can block malicious ping attacks at the firewall, and patches that stopped it were released before the turn of the millennium.
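The teardrop and Ping of Death sections above both come down to the same defensive logic: an operating system reassembling IP fragments must refuse sets that overlap and sets whose total would exceed the maximum datagram size. As an added example (not code from the article), the Python function below performs those checks on fragments described the way the IP header does, with the offset counted in 8-byte units and a more-fragments flag. The fragment values are constructed, and for simplicity the size check is applied to the payload alone rather than payload plus header.

```python
"""Reassembly sanity checks that neutralise teardrop (overlapping fragments)
and Ping of Death (oversized datagram). Added example; values are constructed.

A fragment is (offset_units, more_fragments, payload_len): the IP offset field
counts 8-byte units, and the MF flag says whether more fragments follow."""

MAX_IP_PACKET = 65535   # largest total IPv4 datagram the 16-bit length field allows


def check_fragments(fragments):
    """Return ("ok", total_len) when the fragments tile one datagram without
    gaps or overlaps, ("drop", reason) when they can never form a valid one,
    or ("incomplete", None) while pieces are still missing."""
    ranges = []
    saw_last = False
    for offset_units, more, length in fragments:
        start = offset_units * 8
        end = start + length
        if end > MAX_IP_PACKET:
            return ("drop", "oversize")      # Ping of Death: beyond the 16-bit length
        if more and length % 8:
            return ("drop", "unaligned")     # non-final fragments must be 8-byte multiples
        ranges.append((start, end))
        if not more:
            saw_last = True
    if not ranges:
        return ("incomplete", None)
    ranges.sort()                            # arrival order does not matter
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            return ("drop", "overlap")       # teardrop: fragments claim the same bytes
    if not saw_last or ranges[0][0] != 0:
        return ("incomplete", None)          # no final fragment yet, or no first one
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 > e1:
            return ("incomplete", None)      # hole waiting for a fragment to arrive
    return ("ok", ranges[-1][1])


if __name__ == "__main__":
    # Constructed fragment sets: a normal 3060-byte payload, a teardrop-style
    # overlap, and a Ping-of-Death-style set reaching past 65,535 bytes.
    print("normal:  ", check_fragments([(0, True, 1480), (185, True, 1480), (370, False, 100)]))
    print("teardrop:", check_fragments([(0, True, 1480), (100, False, 1000)]))
    print("oversize:", check_fragments([(0, True, 1480), (8189, False, 100)]))
```

Real stacks additionally bound how many incomplete datagrams they hold and for how long, so that a stream of deliberately incomplete sets cannot itself exhaust memory; that limit is what keeps the "incomplete" state from becoming a second denial-of-service vector.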