
Denial of Service and Prevention

Denial of Service (DoS) is a cyber-attack on an individual computer or website with the intent to deny services to its intended users. Its purpose is to disrupt an organization's network operations by denying access to its users. Denial of service is typically accomplished by flooding the targeted machine or resource with surplus requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. For example, if a bank website can handle 10 people a second clicking the Login button, an attacker only has to send 10 fake requests per second so that no legitimate user can log in. DoS attacks exploit various weaknesses in computer network technologies. They may target servers, network routers, or network communication links. They can cause computers and routers to crash and links to bog down. The most famous DoS technique is the Ping of Death. The Ping of Death attack works by generating and sending special network messages (specifically, ICMP packets of non-standard sizes) that cause problems for systems that receive them. In the early days of the Web, this attack could cause unprotected Internet servers to crash quickly. It is strongly recommended to try all described activities on virtual machines rather than in your working environment.
Following is the command for performing flooding of requests on an IP.
Here,
• "ping" sends the data packets to the victim.
• "ip_address" is the IP address of the victim.
• "-t" means the data packets should be sent until the program is stopped.
• "-l 65500" specifies the size in bytes of the data payload sent in each packet to the victim (-t and -l are options of the Windows ping utility).
Other basic types of DoS attacks include:
• Flooding a network with useless activity so that genuine traffic cannot get through. The TCP/IP SYN and Smurf attacks are two common examples.
• Remotely overloading a system's CPU so that valid requests cannot be processed.
• Changing permissions or breaking authorization logic to prevent users from logging into a system. One common example involves triggering a rapid series of false login attempts that lock accounts out so that their owners can no longer log in.
• Deleting or interfering with specific critical applications or services to prevent their normal operation (even if the system and network overall are functional).
Another variant of DoS is the Smurf attack. This involves emails with automatic responses. If someone sends hundreds of email messages with a fake return address to hundreds of people in an organization who have an autoresponder enabled on their email, the initially sent messages can become thousands of messages sent to the fake address. If that fake address belongs to someone, this can overwhelm that person's account. DoS attacks can cause the following problems:
• Ineffective services
• Inaccessible services
• Interruption of network traffic
• Connection interference
Following is the Python script for performing a denial of service attack on a small website that does not expect so many socket connections.
How Do DoS Attacks Work?
DoS attacks typically exploit vulnerabilities in a target’s network or computer systems. Attackers can use
a variety of methods to generate overwhelming traffic or requests, including:
1. Flooding the target with a massive amount of data
2. Sending repeated requests to a specific part of the system
3. Exploiting software vulnerabilities to crash the system
Prevention
Given that Denial of Service (DoS) attacks are becoming more frequent, it is a good time to review the basics and how we can fight back.
• Cloud Mitigation Provider – Cloud mitigation providers are experts at providing DDoS mitigation from the cloud. This means they have built out massive amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type of network traffic, whether you use multiple ISPs, your own data center, or any number of cloud providers. They can scrub the traffic for you and only send "clean" traffic to your data center.
• Firewall – This is the simplest and least effective method. Python scripts are often written to filter out malicious traffic, or existing firewalls can be utilized by enterprises to block such traffic.
• Internet Service Provider (ISP) – Some enterprises use their ISP to provide DDoS mitigation. These ISPs have more bandwidth than an enterprise would, which can help with large volumetric attacks.

Features to help mitigate these attacks:

Network Segmentation: Segmenting the network can help prevent a DoS attack from spreading
throughout the entire network. This limits the impact of an attack and helps to isolate the affected
systems.
Implement Firewalls: Firewalls can help prevent DoS attacks by blocking traffic from known malicious
IP addresses or by limiting the amount of traffic allowed from a single source.
Use Intrusion Detection and Prevention Systems: Intrusion Detection and Prevention Systems
(IDS/IPS) can help to detect and block DoS attacks by analyzing network traffic and blocking malicious
traffic.
Limit Bandwidth: Implementing bandwidth limitations on incoming traffic can help prevent a DoS
attack from overwhelming the network or server.
Implement Content Delivery Network (CDN): A CDN can help to distribute traffic and reduce the
impact of a DoS attack by distributing the load across multiple servers.
Use Anti-Malware Software: Anti-malware software can help to detect and remove the malware, such as botnet agents, that enlists machines in a DoS attack.
Perform Regular Network Scans: Regular network scans can help identify vulnerabilities and
misconfigurations that can be exploited in a DoS attack. Patching these vulnerabilities can prevent a DoS
attack from being successful.
Develop a Response Plan: Having a DoS response plan in place can help minimize the impact of an
attack. This plan should include steps for identifying the attack, isolating affected systems, and restoring
normal operations.
Distributed denial of service

Imagine a scenario where you are visiting some websites and one of them seems to be a little slow. You might blame their servers and expect them to improve their scalability, since they might be experiencing a lot of user traffic on their site. Most sites already take this issue into account beforehand. Chances are, they might be the victim of what is known as a DDoS attack, a Distributed Denial of Service attack (refer to Denial of Service and Prevention above).
In a DDoS attack, the attacker tries to make a particular service unavailable by directing continuous and huge traffic at it from multiple end systems. Because of this enormous traffic, the network resources are used up serving the requests of those false end systems, so that a legitimate user is unable to access the resources.
Types of DDoS attacks –
DDoS attacks can be divided into three major categories:

1. Application layer attacks –
These attacks focus on layer 7 of the OSI model, where web pages are generated in response to requests initiated by the end user. For a client, generating a request carries no heavy load, and it can easily generate multiple requests to the server. On the other hand, responding to a request places a considerable load on the server, as it has to build all the pages, compute any queries, and load the results from the database according to the request.
Examples: HTTP Flood attack and attacks on DNS services.

2. Protocol attacks –
They are also known as state-exhaustion attacks. These attacks focus on vulnerabilities in layer 3 and layer 4 of the protocol stack and consume the resources of servers, firewalls, and load balancers.
Examples: SYN Flood attack and Ping of Death.

3. Volumetric attacks –
Volumetric attacks focus on consuming the network bandwidth and saturating it, through amplification or a botnet, to hinder its availability to users. They are easy to generate by directing a massive amount of traffic at the target server.
Examples: NTP Amplification, DNS Amplification, UDP Flood attack, and TCP Flood attack.
Common DDoS attacks –
• SYN Flood attack –
A SYN Flood attack works in a similar way to a mischievous child who keeps ringing the doorbell (request) and running away. The old person inside comes out, opens the door and sees no one (no response). Ultimately, after many such occurrences, the old person gets exhausted and does not answer even genuine visitors. A SYN attack exploits the TCP handshake by sending out SYN messages with a spoofed IP address. The victim server keeps responding but never receives the final acknowledgement, so each half-open connection holds state until it times out.
• HTTP flood attack –
In an HTTP Flood attack, multiple HTTP requests are generated simultaneously against a target server. This exhausts the server's resources, so it fails to serve actual users' requests. The variations of HTTP Flood attacks are the HTTP GET attack and the HTTP POST attack.
• DNS amplification –
Assume a scenario where you call Pizza Hut and ask them to call you back on a number and read out all the combinations of pizzas they have along with the toppings and desserts. You generated a large output with a very small input. But the catch is that the number you gave them is not yours. Similarly, DNS amplification works by sending a query to a DNS server from a spoofed IP address (the victim's) and structuring the query so that the DNS server responds with a large amount of data to the target victim.
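As an added example (not part of the original text), the half-open connection footprint of the SYN flood described above can be spotted from a snapshot of the server's TCP connection table. The snippet uses a constructed, simplified netstat-style snapshot with documentation-range addresses; the SYN_RECV state name and the threshold of five are assumptions.

```python
"""Flag a possible SYN flood from a snapshot of the TCP connection table.

Half-open connections (state SYN_RECV on Linux) are the footprint of a SYN
flood: the server answered SYN-ACK but the final ACK never arrived.
"""
from collections import Counter

# Constructed sample (not real traffic) in a simplified netstat-style layout:
# proto, local address, remote address, state. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_SNAPSHOT = """\
tcp 10.0.0.5:80 198.51.100.20:51222 ESTABLISHED
tcp 10.0.0.5:80 203.0.113.1:40001 SYN_RECV
tcp 10.0.0.5:80 203.0.113.2:40002 SYN_RECV
tcp 10.0.0.5:80 203.0.113.3:40003 SYN_RECV
tcp 10.0.0.5:80 203.0.113.4:40004 SYN_RECV
tcp 10.0.0.5:80 203.0.113.5:40005 SYN_RECV
tcp 10.0.0.5:443 198.51.100.21:51300 ESTABLISHED
tcp 10.0.0.5:443 198.51.100.22:51301 SYN_RECV
"""

def parse_snapshot(text):
    """Yield (local_port, remote_ip, state) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or header lines
        _proto, local, remote, state = parts
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def half_open_by_port(text):
    """Return {local_port: (half_open_count, distinct_remote_ips)}."""
    counts = Counter()
    sources = {}
    for port, ip, state in parse_snapshot(text):
        if state == "SYN_RECV":
            counts[port] += 1
            sources.setdefault(port, set()).add(ip)
    return {port: (counts[port], len(sources[port])) for port in counts}

def flag_syn_flood(text, threshold=5):
    """Return local ports whose half-open count reaches the threshold.

    Many half-open connections, each from a different source that never
    completes the handshake, is the classic sign of spoofed SYNs.
    """
    stats = half_open_by_port(text)
    return sorted(port for port, (count, _) in stats.items() if count >= threshold)
```

Port 80 is flagged here because all five of its half-open connections come from distinct sources that never complete the handshake, while port 443 stays under the threshold.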

DDoS mitigation –
Preventing DDoS attacks is harder than DoS attacks because the traffic comes from multiple sources and
it becomes difficult to actually separate malicious hosts from the non-malicious hosts. Some of the
mitigation techniques that can be used are:
1. Blackhole routing –
In blackhole routing, the network traffic is directed to a ‘black hole’. In this, both the malicious traffic
and non-malicious traffic get lost in the black hole. This countermeasure is useful when the server is
experiencing a DDoS attack and all the traffic is diverted for the upkeep of the network.

2. Rate limiting –
Rate limiting involves controlling the rate of traffic that is sent or received by a network interface. It is effective at slowing down web scrapers as well as brute-force login attempts. But rate limiting alone is unlikely to prevent compound DDoS attacks, since each of many sources can stay below the limit.
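As an added illustration (example code, not from the original text) of the per-source limiting described here and under "Implement Firewalls" above, the token-bucket limiter below replays a constructed request log and shows one bursting source being throttled while a normal client is untouched. The rate, burst size and addresses are assumptions.

```python
"""Per-source token-bucket rate limiter replayed over a constructed request log.

Each source IP gets a bucket that holds at most `burst` tokens and refills at
`rate` tokens per second. A request spends one token; an empty bucket means
the request is rejected (a web front end would answer HTTP 429).
"""
from collections import Counter, namedtuple

Decision = namedtuple("Decision", "ts ip allowed")

class TokenBucketLimiter:
    def __init__(self, rate, burst):
        self.rate = float(rate)    # tokens added per second
        self.burst = float(burst)  # bucket capacity, also the allowed burst
        self._buckets = {}         # ip -> (tokens, timestamp of last update)

    def allow(self, ip, ts):
        """Return True if the request at time `ts` from `ip` may proceed."""
        tokens, last = self._buckets.get(ip, (self.burst, ts))
        # Refill in proportion to elapsed time, never beyond the burst size.
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self._buckets[ip] = (tokens, ts)
        return allowed

# Constructed log of (timestamp in seconds, source IP); not real traffic.
# 198.51.100.7 is a normal client; 203.0.113.9 fires 20 requests in one second.
SAMPLE_REQUESTS = (
    [(0.0, "198.51.100.7"), (0.5, "198.51.100.7"), (1.0, "198.51.100.7")]
    + [(1.0 + i * 0.05, "203.0.113.9") for i in range(20)]
    + [(2.0, "198.51.100.7")]
)

def apply_limiter(requests, rate=1, burst=5):
    """Replay the log in time order through one limiter; return all decisions."""
    limiter = TokenBucketLimiter(rate, burst)
    return [Decision(ts, ip, limiter.allow(ip, ts)) for ts, ip in sorted(requests)]

def rejected_counts(requests, rate=1, burst=5):
    """Return {ip: rejected_request_count}; sources never rejected are absent."""
    counts = Counter()
    for decision in apply_limiter(requests, rate, burst):
        if not decision.allowed:
            counts[decision.ip] += 1
    return dict(counts)
```

With a burst of 5 and a refill of 1 token per second, the bursting source gets its first 5 requests through and the remaining 15 rejected, while the normal client never loses a request.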

3. Blacklisting / whitelisting –
Blacklisting is the mechanism of blocking the IP addresses, URLs, domain names, etc. mentioned in the list and allowing traffic from all other sources. On the other hand, whitelisting refers to a mechanism of allowing only the IP addresses, URLs, domain names, etc. mentioned in the list and denying all other sources access to the resources of the network.
