DoS, DDoS & Order 66 of the Internet
When you hear “the server is down”, or stare at that spinning loading icon in your browser, here is what has probably happened.
A Denial of Service happens when a computer (or the network in front of it) is given more load than it was built to handle.
The Internet is basically a network of Computers that take a Request and provide a Service.
However, for every computer, there is a limit to the number of Requests it can Serve.
When the number of Requests goes beyond this limit, the computer is Overwhelmed: it slows to a crawl, starts dropping requests, or crashes outright.
Similarly, there is also a limit to the number of connections a network/router can handle. A router can be similarly Overwhelmed and Crashed.
In both cases above, we would be unable to use the services of the Server. This is called a Denial of Service.
Imagine the Server as a hotel and the network as a road to the hotel. A hotel cannot serve more people than it is built for. Similarly, a traffic jam can also stop people from accessing the hotel.
While Denial of Service is sometimes an unintended event resulting from an unexpected rise in network traffic or poorly configured network or both, it is also used as an Attack on Servers.
Attackers either try to overwhelm the Server by sending it Requests faster than it can answer them, or simply flood the network in front of it with packets.
The Requests need not be carefully engineered packets. A stream of plain ICMP ping packets may be enough to bring down a website hosted on a personal computer or a small home connection.
Some websites are built and configured to handle billions of transactions without failing, and they rate-limit or simply ignore such ICMP traffic.
But none of them is absolutely immune to failure. We saw Facebook go down in October 2021 when a configuration change on its backbone routers withdrew its routes and took its own DNS servers off the Internet.
There are a few different types of attacks that can lead to a DoS:
1. ICMP flood: sending so many ping (ICMP echo request) packets that the server spends its time and bandwidth answering them. These days most Firewalls can rate-limit or drop such traffic, so a single attacker rarely gets far with this alone.
2. SYN flood: A TCP connection starts with a three-way handshake:
— User sends a SYN to the server
— Server sends a SYN-ACK back to the User
— User sends an ACK to the server.
In a SYN flood, the attacker sends a large number of SYN packets, usually from spoofed source addresses. The server replies to each with a SYN-ACK, records the half-open connection in its SYN backlog and waits for an ACK that never comes. Each entry sits there until it times out, and once the backlog is full, SYNs from legitimate users are dropped. The usual countermeasure is SYN cookies: the server encodes the connection details into its initial sequence number instead of storing them, so it keeps no state until a valid ACK arrives.
3. Yo-Yo attack: Cloud services are built to auto-scale. When traffic is heavy, they scale up to meet it; when traffic falls, they scale back down to save money. A Yo-Yo attack uses this to its advantage. The attacker floods the service; when it starts scaling up, the attacker stops, and the service scales back down; once it has scaled down, the flood resumes.
The victim pays for instances it does not need during every scaled-up phase, while legitimate requests are dropped during the minutes it takes each scale-up to complete.
4. Ping of Death: An IP packet can be at most 65,535 bytes, because its length field is 16 bits. The link underneath carries far less per frame (1,500 bytes on Ethernet), so a large packet is broken into fragments that the receiver puts back together using the offset carried in each fragment. A Ping of Death is a set of fragments whose offsets and lengths add up to more than the 65,535-byte maximum. Older IP stacks copied each fragment into a fixed-size reassembly buffer without checking that bound, so the last fragment overflowed the buffer and crashed the machine. There is no malicious code inside the packet; the damage comes entirely from the sizes. Modern operating systems check the bound before copying.
This is one of those Highly Engineered packets.
5. If one wants to go an extra step, one can tamper with a Server’s DNS records or a Router’s routing table: requests then never reach the Server at all, which is a Denial of Service without a single flood packet.
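To make the SYN-flood item above concrete, here is an added example (not code from the original post) that simulates the two kinds of listener in Python. `SynBacklog` keeps one half-open entry per SYN in a fixed backlog, so a flood of spoofed SYNs fills it and the next legitimate client is refused until the entries time out. `SynCookieListener` keeps no state: the server's initial sequence number is an HMAC over the connection tuple plus a time counter, and the handshake is only accepted if the client's ACK number proves it saw that SYN-ACK. The addresses, ports, secret and the simplified 5-bit/27-bit cookie layout are constructed for the demo (real stacks also pack an MSS index into the cookie).

```python
import hashlib
import hmac


class SynBacklog:
    """Classic TCP listener: every SYN reserves a half-open slot in a
    fixed-size backlog until the client's ACK arrives or the slot times out."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # size of the SYN backlog
        self.timeout = timeout        # seconds a half-open entry survives
        self.half_open = {}           # (src_ip, src_port) -> arrival time

    def _expire(self, now):
        for key, arrived in list(self.half_open.items()):
            if now - arrived >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src, now):
        """True if the server answers with a SYN-ACK, False if the SYN is dropped."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            return False              # backlog full: this client is denied service
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """Third handshake step: True if a half-open entry existed and is now open."""
        self._expire(now)
        return self.half_open.pop(src, None) is not None


class SynCookieListener:
    """SYN-cookie listener: the initial sequence number (ISN) is a keyed hash
    of the connection tuple, so nothing is stored per SYN. Constructed layout:
    5-bit time counter in the top bits, 27-bit HMAC below."""

    def __init__(self, secret, window=64):
        self.secret = secret
        self.window = window          # seconds per counter tick

    def _counter(self, now):
        return int(now // self.window) & 0x1F

    def _hash(self, src, dst, counter):
        msg = f"{src[0]}:{src[1]}->{dst[0]}:{dst[1]}|{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") & 0x07FFFFFF

    def on_syn(self, src, dst, now):
        """Always answers the SYN; returns the cookie used as ISN. No state kept."""
        counter = self._counter(now)
        return (counter << 27) | self._hash(src, dst, counter)

    def on_ack(self, src, dst, ack, now):
        """Accept only if ack-1 is a cookie we could have issued in the current
        or previous window. A spoofed source never receives the SYN-ACK, so it
        cannot produce this value."""
        isn = (ack - 1) & 0xFFFFFFFF
        counter = isn >> 27
        current = self._counter(now)
        if counter not in (current, (current - 1) & 0x1F):
            return False              # cookie expired
        return (isn & 0x07FFFFFF) == self._hash(src, dst, counter)


def flood_then_connect(backlog, n_syn, legit_src, now):
    """Attacker sends n_syn SYNs from spoofed addresses (constructed sample
    sources in 198.51.100.0/24) and never ACKs; then a real client sends one SYN."""
    for i in range(n_syn):
        backlog.on_syn((f"198.51.100.{i % 250}", 1024 + i), now)
    return backlog.on_syn(legit_src, now)


if __name__ == "__main__":
    legit = ("203.0.113.7", 40000)    # constructed client and server addresses
    server = ("192.0.2.10", 443)

    backlog = SynBacklog(capacity=128, timeout=60)
    print("stateful, during flood:", flood_then_connect(backlog, 128, legit, now=0))
    print("stateful, after timeout:", backlog.on_syn(legit, now=60))

    cookies = SynCookieListener(secret=b"constructed-demo-secret")
    for i in range(100_000):          # a far larger flood costs no memory at all
        cookies.on_syn((f"198.51.100.{i % 250}", 1024 + i), server, now=0)
    isn = cookies.on_syn(legit, server, now=0)
    print("cookies, genuine ACK:", cookies.on_ack(legit, server, isn + 1, now=0))
    print("cookies, forged ACK:", cookies.on_ack(legit, server, isn + 7, now=0))
```

The trade-off is visible in the code: the cookie listener cannot remember TCP options it would normally store in the backlog entry (which is why real implementations squeeze an MSS index into the cookie and only switch to cookies once the backlog overflows).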
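The Yo-Yo item above describes a timing game between the attacker and the autoscaler. The following added example (not from the original post) is a one-tick-per-second simulation in Python of that game: instances take `scale_up_delay` seconds to come online and are only removed after `cooldown` seconds of over-provisioning, while the attacker floods for `burst` seconds out of every `period`. It returns the instance-seconds billed, the legitimate requests dropped while capacity was short, and the peak instance count, so the two costs of the attack can be compared with a no-attack baseline. All rates, delays and the proportional-drop model are constructed assumptions.

```python
import math


def simulate_autoscaler(duration, base_rps, per_instance_rps, attack_rps,
                        burst, period, scale_up_delay, cooldown):
    """Simulate an autoscaled service for `duration` seconds.

    base_rps          legitimate load (requests/second), assumed constant
    per_instance_rps  capacity of one instance
    attack_rps        extra load while the attacker is active (0 = no attack)
    burst, period     attacker is active for the first `burst` s of every `period` s
    scale_up_delay    seconds between deciding to scale up and new capacity arriving
    cooldown          seconds of over-provisioning before scaling down
    """
    instances = math.ceil(base_rps / per_instance_rps)
    pending = None            # (ready_at, target) for an in-flight scale-up
    idle_ticks = 0            # consecutive seconds with more instances than needed
    billed = 0
    dropped = 0.0
    peak = instances

    for t in range(duration):
        if pending is not None and t >= pending[0]:
            instances = max(instances, pending[1])   # new capacity comes online
            pending = None

        attacking = attack_rps > 0 and (t % period) < burst
        load = base_rps + (attack_rps if attacking else 0)
        capacity = instances * per_instance_rps
        if load > capacity:
            # Overloaded: the excess is dropped, and legitimate requests are hit
            # in proportion to their share of the traffic (constructed model).
            dropped += (load - capacity) * base_rps / load

        desired = math.ceil(load / per_instance_rps)
        if desired > instances:
            idle_ticks = 0
            if pending is None or desired > pending[1]:
                pending = (t + scale_up_delay, desired)  # provisioning takes time
        elif desired < instances:
            idle_ticks += 1
            if idle_ticks >= cooldown:
                instances = max(desired, 1)              # scale down
                idle_ticks = 0
                pending = None
        else:
            idle_ticks = 0

        billed += instances
        peak = max(peak, instances)

    return {"instance_seconds": billed, "legit_dropped": dropped, "peak_instances": peak}


if __name__ == "__main__":
    # Constructed scenario: 100 rps of real traffic on 50-rps instances,
    # attacker adds 900 rps for 30 s out of every 120 s, scale-up takes 20 s,
    # scale-down waits 60 s. Ten minutes of simulated time.
    quiet = simulate_autoscaler(600, 100, 50, 0, 30, 120, 20, 60)
    yoyo = simulate_autoscaler(600, 100, 50, 900, 30, 120, 20, 60)
    print("baseline:", quiet)
    print("yo-yo   :", yoyo)
```

With these numbers the attacker is only ever active for a quarter of the time, yet the service bills several times the baseline instance-seconds and drops every second of legitimate traffic that arrives during the 20-second scale-up window of each cycle. Shortening the burst so it ends just as the scale-up completes, as the attacker in the text does, maximises the waste while keeping the attack traffic (and its cost to the attacker) small.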
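The Ping of Death item above is really about one missing bounds check in IP fragment reassembly. This added Python example (not code from the original post) shows both halves: `fragment` splits a payload into 1,480-byte fragments the way a sender on Ethernet does, without enforcing the IP size limit, and `ping_of_death_payload` builds the classic `ping -l 65510` echo request, which is 3 bytes too large to be a legal IPv4 datagram. `reassemble` is the hardened receiver: it checks where each fragment would end before copying, which is the check the vulnerable stacks lacked. The payload contents and the minimal 20-byte header assumption are constructed for the demo.

```python
MAX_IP_PACKET = 65535                     # 16-bit Total Length field, header included
IP_HEADER = 20                            # minimal IPv4 header (assumed: no options)
MAX_PAYLOAD = MAX_IP_PACKET - IP_HEADER   # 65,515 bytes of payload at most
MTU = 1500                                # Ethernet frame payload
FRAG_DATA = (MTU - IP_HEADER) // 8 * 8    # 1,480: fragment offsets count 8-byte units
ICMP_ECHO_HEADER = 8


def fragment(payload, frag_data=FRAG_DATA):
    """Split an IP payload into (offset_units, more_fragments, data) triples as a
    sending host does. Deliberately does not enforce MAX_PAYLOAD: a sender that
    skips that check is exactly how Ping of Death fragments were produced."""
    frags = []
    for start in range(0, len(payload), frag_data):
        data = payload[start:start + frag_data]
        more = start + frag_data < len(payload)
        frags.append((start // 8, more, data))
    return frags


def ping_of_death_payload(data_len=65510):
    """Constructed ICMP echo request like the classic `ping -l 65510`:
    8-byte ICMP header + 65,510 bytes of data = 65,518 bytes of IP payload,
    3 bytes more than any IPv4 datagram can legally carry."""
    return b"\x08\x00" + b"\x00" * (ICMP_ECHO_HEADER - 2) + b"A" * data_len


def reassemble(fragments):
    """Hardened reassembly: check where each fragment would end BEFORE copying
    it. Vulnerable stacks copied into a fixed 65,535-byte buffer first."""
    buf = bytearray()
    total = None
    for offset_units, more, data in fragments:
        start = offset_units * 8
        end = start + len(data)
        if end > MAX_PAYLOAD:
            raise ValueError(f"fragment ends at byte {end}, limit is {MAX_PAYLOAD}")
        if not more:
            total = end                   # the last fragment fixes the datagram size
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[start:end] = data
    if total is None or len(buf) != total:
        raise ValueError("incomplete datagram")
    return bytes(buf)


def reject_reason(fragments):
    """None if the fragment set reassembles cleanly, else why it was refused."""
    try:
        reassemble(fragments)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    normal = bytes(range(256)) * 16       # constructed 4,096-byte payload
    print("normal packet :", reject_reason(fragment(normal)))
    print("ping of death :", reject_reason(fragment(ping_of_death_payload())))
```

The same end-offset check defends against the related trick of a fragment that claims an offset near 65,528 with more than 7 bytes of data; in both cases the receiver refuses the fragment before touching its buffer, so the size of the final datagram never matters.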
An advanced form of DoS is the Distributed Denial of Service.
In a DDoS attack the attacker does not take on the job of bringing down a system alone. He spreads it across many other machines.
The attacker first prepares malware and spreads it to victims. It sits hidden inside people’s systems like a “Sleeper Cell”.
The malware is often spread in the form of cracked software, keygens, cracked games and the like, or by scanning the Internet for devices that still use default passwords.
One day, when he is ready to attack, he sends his sleeper cells a wake-up command over a command-and-control channel. All the infected systems carry it out and start attacking the Target.
This ensures that the Attacker and his “Botnet” never run short of firepower: thousands of machines on thousands of networks add up to far more bandwidth than one attacker could buy.
It also hides his identity. The attacker’s own machine never touches the Target; all the traffic comes from the Bots, and blocking any one of them makes no difference to the flood.
While all these attacks can be extremely Powerful, none of them is impossible to defend against. With sensible configuration and good security practices, a lot of them can be blunted or avoided entirely.
But more about that, in the next story.