Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are two of the most insidious and destructive cyberattacks a business can encounter. They can cause significant damage to a company, both financially and reputationally, and their effects can be far-reaching and long-lasting. So how does one protect a company from this type of attack?
First, you have to understand the nature of the beast. It is essential to determine which type of attack you are facing and its potential ramifications, and vital to ensure you are implementing the right countermeasures and mitigations to protect your business. To understand the severity and impact a DDoS attack can inflict, look no further than the takedown of Dyn, a domain name service provider. This was the largest and most destructive such attack in recent times.
According to a Cisco report, this problem will only worsen, as illustrated by the chart below.
There are several different types of DoS attacks that attackers employ against their targets. In this blog, I will cover the hierarchy of DoS and DDoS attacks and the countermeasures used to fight them.
I will briefly explain the differences between these two attack types, which lie mainly in how they are launched at their target. A DoS attack is where a single machine targets and overwhelms a server with TCP and UDP packets. This attack is usually executed via a script or a tool, e.g., LOIC (Low Orbit Ion Cannon) and XOIC. A DDoS attack, on the other hand, is where an attacker uses a swarm of multiple systems to target a single system with a DoS attack, hence Distributed Denial of Service (DDoS). These attacks have become more prevalent in recent times due to the proliferation of high-speed Internet connections.
Who DoS attackers are, and how they differ from ordinary hackers, is widely misunderstood. They differ in both profile and motive. First of all, anyone with a basic understanding of IT systems can launch a DoS attack; one does not have to be a hacker to execute such an attack. Most DoS attacks are carried out by individuals who are not considered hackers. These individuals usually download prefabricated, ready-made tools from the regular Internet and the dark web. A DoS attacker usually exploits a single flaw in the network to achieve their goal, and typically has no specific purpose in mind other than to create havoc.
For the seasoned, ordinary, or organized culprits, it is a different story. When the so-called "regular" hacker employs DoS and DDoS, they use it to identify vulnerabilities and weaknesses and then exploit them for other purposes; this is where you will see data theft, such as of personal and proprietary information.
| Hacker Types | Profile | Motive | DoS/DDoS attacks | Classification |
|---|---|---|---|---|
| | Ethical hackers: test existing Internet infrastructures to research loopholes in the system and work with companies and clients to secure their business. | They create algorithms and utilize multiple methodologies to break into systems, only to strengthen them. Historically they have been pivotal in ensuring that large corporations maintain a robust network framework so that it is unbreakable against all other types of hacking. | No | Professional/Ethical Hackers |
| | Seekers of fame and monetary benefits from exploiting the loopholes in Internet frameworks. | This hacker breaks into systems purely with malicious intentions. Famous black hat hackers have notoriously robbed banks and financial institutions of millions of dollars and invaluable private data. | DoS/DDoS attackers | Cybercriminal |
| | Rogue/Opportunist/Cyber Mercenary/Hired gun. Break into systems but never for their own benefit. | Famous grey hat hackers have exploited systems only to make the information public and bring to the limelight vast datasets containing evidence of wrongdoing. | No | Professional/Cybercriminal |
| | Unskilled hackers/Newbies | Disruption of the Internet: downloads hacking software or pre-written scripts; these hackers simply run the software against a website and disrupt its working. | DoS/DDoS attackers | Nuisance/Amateurs |
| | Use automated scripts to attack their targets. | Primarily revenge: similar to a script kiddie (see no. 4). Deploys readily available techniques but specifically targets an entity out of bad intention. Usually these are revenge attacks made using amateur techniques, such as flooding a website with too much traffic using a script. | DoS/DDoS attackers | Amateurs/Cybercriminal |
| | Newbie/Enthusiasts | Unlike a script kiddie, the green hat hacker is a newbie to the hacking game but works passionately to excel at hacking. Also referred to as a neophyte or "noob," this is a hacker who is fresh to the hacking world and often gets flak for it, having little to no knowledge of the inner workings of the web. | Suspected of launching some DDoS attacks. | Amateurs |
| | Notoriety seeker | Fame or money: this hacker's actions mimic those of a suicide bomber, hence the name. They act knowing that there is a strong possibility they will be identified and jailed. | Not known for launching DoS attacks against their target. | Cybercriminal |
| | Hunters of criminal hackers | Destruction of criminal hackers and the infrastructure they utilize to commit crimes. | Not known for launching DoS attacks against their target. | Professional |
| | Hacktivists for social injustices | Protesters of the Internet. This type breaks into systems and infrastructure to demand attention to a particular social cause. | Defacement and uploading of promotional and offensive materials to target websites. | Provocateur/Cybercriminal |
| | | As the name implies, they focus on hacking social media accounts using various techniques. This hacker type is similar to black hat hackers in its criminal intentions, i.e., data theft. | Not known for launching DoS attacks against their target. | Cybercriminal |
Figure 2
WHY DOS ATTACK?
Now, the question is why these two attacks are used. DoS attacks are very effective; cybercriminals employ them both for their shock-and-awe effect and as a psychological tool in their arsenal. Companies hit with a DoS attack immediately go into a "panic meltdown," further exacerbating the problem. This is especially true if the target company does not have an effective incident management process in place.
Being the victim of these attacks is both an embarrassing and a humbling experience. Humbling because you will quickly realize that it may take every available resource to recover. Embarrassing because there are simple things you can do to avoid being a victim of DoS attacks. For companies that have been attacked, it is an indication that your network and systems are not properly set up or configured, or that you do not have appropriate countermeasures in place. It is akin to "getting your wallet taken in a strip bar, which you cannot tell your wife or girlfriend about."
Attackers utilize DoS attacks for various reasons, depending on their intended goals. DoS attacks are often used to mask other nefarious activities, such as the exfiltration of databases or proprietary information, or planting malware such as Advanced Persistent Threats (APTs) on a network for future exploitation.
WHAT IS A DDOS ATTACK?
A DDoS attack is one of the most common types of DoS attack used by cybercriminals today. A DDoS attack utilizes multiple systems as attack vectors to target a single system (server or router) and overwhelm it with malicious traffic, thereby preventing legitimate traffic from getting through.
In layman's terms, the communication process between a client and a server works like this:
1. Whenever a client wants to communicate with a server, it sends a SYN (synchronize) message to the server.
2. The server acknowledges the request by sending an "Acknowledgement" (ACK) back to the corresponding client.
3. In turn, the client responds with an ACK, and the connection between the devices is established. This interaction is called the TCP three-way handshake.
The problem comes when the client does not respond to the server with the expected ACK. In this situation, the server keeps the connection open while waiting for the ACK. With enough of these half-open connections, legitimate traffic cannot get through and the server's resources are overwhelmed, causing a denial of service for other legitimate client connections.
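The half-open connections described above are visible on a Linux server in the SYN-RECV state of `ss -tan`. As an added example (not code from the original post), the following Python check parses a constructed `ss -tan` sample and reports how much of the backlog is half-open, overall and per peer; the sample lines and the thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of `ss -tan` output (illustrative, not captured from a real host).
# SYN-RECV means the server has answered the SYN and is still waiting for the client's ACK.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:443          0.0.0.0:*
ESTAB     0      0      10.0.0.5:443         203.0.113.9:40001
ESTAB     0      0      10.0.0.5:443         203.0.113.21:40877
SYN-RECV  0      0      10.0.0.5:443         198.51.100.7:51234
SYN-RECV  0      0      10.0.0.5:443         198.51.100.7:51235
SYN-RECV  0      0      10.0.0.5:443         198.51.100.7:51236
SYN-RECV  0      0      10.0.0.5:443         192.0.2.33:6001
SYN-RECV  0      0      10.0.0.5:443         192.0.2.34:6002
TIME-WAIT 0      0      10.0.0.5:443         203.0.113.9:39990
"""

# state, recv-q, send-q, local addr:port, peer addr:port (the header line does not match)
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)$")

def parse_ss(text):
    """Return (state, local, peer_ip) tuples; the peer port is dropped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            state, local, peer = m.groups()
            conns.append((state, local, peer.rsplit(":", 1)[0]))
    return conns

def half_open_report(conns, max_ratio=0.5, max_per_peer=3):
    """Flag a backlog that is mostly half-open, or a single peer holding many slots.
    Thresholds are illustrative; baseline them against the server's normal level.
    A flood from spoofed sources spreads over many peers, so the ratio check is the
    one that catches it; the per-peer check catches one unspoofed, noisy source.
    """
    syn_recv = [c for c in conns if c[0] == "SYN-RECV"]
    estab = [c for c in conns if c[0] == "ESTAB"]
    per_peer = Counter(peer for _, _, peer in syn_recv)
    ratio = len(syn_recv) / max(1, len(syn_recv) + len(estab))
    suspicious = {p: n for p, n in per_peer.items() if n >= max_per_peer}
    return {
        "syn_recv": len(syn_recv),
        "estab": len(estab),
        "half_open_ratio": round(ratio, 3),
        "suspicious_peers": suspicious,
        "alert": ratio > max_ratio or bool(suspicious),
    }
```

On a real host, feed it the output of `ss -tan` and trend the half-open ratio over time rather than acting on a single snapshot.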
BOTNET
WHAT IS A BOTNET?
At the heart of any DoS attack is its architecture; in this case, it is the botnet. A botnet is a swarm of computers compromised by cyber agitators, cybercriminals, script kiddies, and hackers to conduct illegal activities such as theft and harassment. These computers are regular Internet users' devices, or "bots." Simply put, a botnet is a series of connected devices used to perform a task; in this case, a DoS attack.
Figure 3
A botnet, at its core, is a technology that was originally intended for more honorable purposes. It was designed by interconnecting a series of computers to conduct automated tasks such as managing and maintaining chatrooms; hence the term: bot = computer, net = network, botnet. However, hackers and cybercriminals have taken this technology and employed it for dark purposes.
These computers are sometimes referred to as "zombies." Two of the reasons botnets are so useful and hard to detect are: 1. in almost all cases, the compromised devices' owners are entirely unaware that they are part of a botnet, and 2. the botnet renders its operator completely anonymous.
How does one acquire a botnet? Anyone with knowledge of Python can pretty much create their own botnet. The other way is via the Dark Net. Botnets for sale on the Dark Net are usually designed for illegal and dark purposes. A botnet such as the Mirai botnet can be easily purchased on the Dark Net.
HOW DOES IT WORK?
A botnet operates on the following principle. An attacker, sometimes referred to as a botmaster, has a Command and Control center (C&C) and, with it, a swarm of bots; these could number in the hundreds or thousands. The botmaster can point them at a single victim machine whenever they want, as illustrated in figure 2.
In most cases, the very mention of the word "botnet" conjures up all kinds of misunderstanding and distrust, no thanks to hackers and cybercriminals. However, this is far from the whole reality. Botnets have been around for some time, performing routine work, until cybercriminals weaponized them. Botnets can be and are used for good in many areas of research and development. A case in point is SETI (Search for Extraterrestrial Intelligence), which uses an array of global computer networks (a botnet) to aid its search for extraterrestrial intelligence, and GPUGRID, a volunteer distributed computing project for biomedical research at the Universitat Pompeu Fabra in Barcelona, Spain. These are just a few examples of botnets being used for the betterment of society.
FACTS
DoS attacks account for significant impact and loss to companies annually. This type of attack is responsible for well over 50% of Internet-borne attacks against companies each year.
Average cost of a DoS attack
- It is estimated that, on average, it costs approximately USD $300,000 - $1,000,000 per hour to mitigate.
Percentage of companies affected
- 45% of organizations have been attacked.
- 74% have been attacked more than once.
- 91% have been attacked in the last 12 months.
- 10% are attacked on a weekly basis.
Timeline and attack length
- 2/3 of attacks lasted 6+ hours.
Duration of attacks (%)
- 37% lasted 0-6 hours
- 49% lasted 6-24 hours
- 8% lasted 1-7 days
- 4% lasted 7+ days
TYPES OF ATTACKERS
Now, this is where things get a bit confusing. There are generally two types of DoS attackers: 1. organized, and 2. disorganized. The organized group is driven by more complex and focused agendas; it usually consists of criminals, competitors, and hackers seeking a ransom paid in bitcoin, or data theft. The disorganized group consists of disgruntled employees, amateurs, and script kiddies. Members of this group launch most DoS attacks.
FIVE OF THE MOST RENOWNED DDoS ATTACKS TO DATE
In chronological order:
WHO ARE THE TARGETS?
There is no particular target profile for DoS attacks. It could be any company, organization, or individual. In most cases, these attacks are indiscriminate "targets of opportunity." The targets are determined by the attacker's objective, how easily they can be accessed, or what damage can be inflicted. It would be incorrect to say that a particular industry gets attacked more than others; however, there does seem to be a trend. According to the numbers, the gaming and gambling industries and IoT are the top victims of DDoS.