Awareness: This Is How Easy It Is To Recognize DDoS Attacks
As described in our last post on DDoS attacks, “DDoS attacks on websites, shops & networks – explained, ” there are various DDoS attack scenarios: DoS, DDoS and the particular form DRDoS.
But the central aspect of these attacks is always a large number of calls or actions generated by one or more computers or a so-called “botnet”.
Exceptions to this are products that are particularly in demand, such as the sales launch of the new Apple iPhone in recent years. The increased demand went so far that the website was temporarily unavailable, and the system had to be restarted.
The rationale for using a botnet is that a network of computers can generate much more traffic for this attack than a single system for a denial of service attack. Therefore, DDoS attacks have severe consequences for those affected, who usually have little opportunity to determine the true origin of the attack.
This is because cyber criminals who create these botnets use specialized software installed on internet-connected computers with insufficient security precautions and run centrally without these people’s knowledge. Such an “infection” of private and company computers often takes place months before the planned DDoS attack and “slumbers” until it is used. In the event of an attack, the individual computers act as attackers on the target intended by the cybercriminal.
The Target Of a DDoS Attack
Targets typically include the following companies:
- Online stores and shopping sites
- Any other company or organization that offers an online service or service in this regard
Attack Tactics: How To Spot DDoS Attacks
In contrast to other attacks, DDoS attacks and DoS attacks, and DRDoS attacks do not aim to compromise a system. Nevertheless, they can appear in combination with such a hacking attempt. For example, these attacks are used as a distraction to penetrate the system as an attacker.
The primary tactics of these attacks can be divided into three groups:
- the exploitation of software bugs and security vulnerabilities
- the overload of system resources,
- and bandwidth congestion.
Exploiting Software Bugs And Security Vulnerabilities
The attacking people use specific and known security gaps or software errors of an operating system or program to design DoS and DDoS attacks so that the requests trigger the known software errors up to and including system crashes.
Examples of this attack pattern:
- Ping of Death: The Ping of Death aims to crash the affected system. Hence the name “Ping of Death”. The attackers take advantage of Internet Protocol (IP) implementation errors. The IP packets are usually sent as fragments. Suppose incorrect information for assembling the packets is sent when the packages are shipped. In that case, some operating systems can be tricked into creating IP packets more significant than the maximum permissible 64 KB size. This can lead to the well-known error “buffer overflow” (buffer overflow), in which excessive amounts of data ensure that adjacent memory locations in the target memory area are overwritten.
- Land attack: Similar to the scenario above, in a land attack, the attacker sends an SYN packet as part of the TCP three-way handshake, the destination and sender address of which corresponds to the server to be attacked. This packet causes the server to send the response to the request to itself in the form of an SYN/ACK packet. This can be interpreted as a new connection request, which must be answered with an SYN/ACK packet. This creates a situation in which the system continuously answers its queries, which can lead to massive utilization and even a crash.
A DDoS Attack Overloads System Resources.
Of course, a DoS or DDoS attack targets a system’s resources. Cybercriminals take advantage of this as web servers can only establish a limited number of connections. If these are filled with meaningless or invalid requests, server services can be effectively blocked for regular users or website visitors. In this case, one speaks of flooding.
Classic DDoS attack patterns on system resources are HTTP flood, ping flood, SYN flood and UDP flood.
- HTTP flood: The HTTP flood is the simplest DDoS attack variant for resource overload. In this case, the attacker only has to access any page of the target project until the server collapses under a load of requests. This floods the web server with a large number of HTTP requests.
- Ping flood: In this attack pattern, cybercriminals use ICMP packets of the “Echo Request” type. These are usually sent en masse to attack targets by botnets. Since each request (ping) has to be answered by the target system with a data packet (pong), slow systems can be massively slowed down by ping floods.
- SYN-Flood: This attack pattern represents an abuse of the TCP three-way handshake. TCP (“Transmission Control Protocol”) is a network protocol that works with IP to ensure lossless data traffic over the Internet. A TCP connection is always set up in a three-step authentication process. To do this, a client sends a synchronization packet (SYN) to a server. This is received by the server and also answered with a synchronization packet (SYN) and an acknowledgement (ACK). The connection establishment is completed by a client-side confirmation (ACK). If this does not happen, systems can be efficiently paralyzed because the server keeps unconfirmed connections in memory.
- UDP flood: In this attack, cybercriminals rely on the connectionless User Datagram Protocol (UDP). Unlike transmission via TCP, data can also be transmitted via UDP without establishing a connection. As part of DoS and DDoS attacks, large UDP packets are sent to randomly selected ports on the target system. This tries unsuccessfully to determine which application is waiting for the transmitted data and then sends an ICMP packet back to the sender with the message “Destination address not available”. If a system is burdened with numerous requests of this type, resource consumption can lead to severely limited availability for regular users.
You Should Look Out For These Four Common DDoS Attack Signs:
- Inferring a DDoS attack’s geographic origin: Despite spoofing and distribution techniques, many DDoS attacks originate from a limited IP range, a single country or region—perhaps one that doesn’t typically generate much traffic.
- Inferring one type or the same device in the DDoS attack: Another noticeable sign of a DDoS attack is when all traffic comes from the same client, i.e. using the same operating system and web browser. In this respect, regular organic traffic would be characterized by a “natural diversity” of the devices used.
- DDoS attack on a targeted site: Traffic that falls on a single server, network port, or web page instead of being spread evenly across your site is another clue to a DDoS attack.
- Recurring Traffic Patterns: Another sign of a DDoS attack is constantly occurring in regular, recurring waves or patterns of traffic or traffic. This can also indicate a distributed denial of service attack.