<div class="page_container" data-page="1">
<b>B. Aims of the Presentation</b>
<b>C. Topic: DoS Attack and DDoS Attack</b>
<b>I. Introduction to Denial-of-Service Attack...3</b>
1) What is DoS?...3
2) What is DDoS?...3
3) Effects of DoS and DDoS attacks...4
4) Examples of famous DoS and DDoS attacks...4
<b>II. Types of DoS Attack...5</b>
1) SYN/ACK Flooding...5
2) HTTP Flood Attack...6
3) DNS Amplification...7
4) Slowloris Attack...9
<b>III. Prevention and Control methods of DoS and DDoS attacks...10</b>
1) Protections against the DoS and DDoS attacks...10
2) How to control the attacks...10
<b>IV. Conclusion...11</b>
1) Summary of the Topic...11
2) The significance of understanding and dealing with DoS and DDoS attack...12
<b>D. References</b>
</div><div class="page_container" data-page="3">
❖ Nguyễn Thùy Dương: Aggregate and control the quality of the final products; responsible for content and slides for part IV.
❖ Chử Quang Long: Responsible for content and slides for part I.
❖ Nguyễn Văn Thiện: Responsible for content and slides for part II.
❖ Phạm Thanh Vỹ: Responsible for content and slides for part III.
<b>B. Aims of the Presentation</b>
❖ To distinguish DoS Attack from DDoS Attack.
❖ To comprehend their mechanisms and their consequences for the system and its users.
❖ To learn how to prevent DoS and DDoS attacks and control their risks.
<b>C. Topic: DoS Attack and DDoS Attack</b>
<b>I. Introduction to Denial-of-Service Attack</b>
<b>1) What is DoS?</b>
<b>DoS</b>, short for <b>Denial-of-Service</b>, is an attack in which a target computer is overwhelmed with traffic from an attacker's system. It is typically an online attack aimed at a specific website or server. Overloading the system's resources slows the computer down significantly, and the attack can leave the computer unresponsive or make it shut down abruptly, causing severe disruption to the system.
<b>2) What is DDoS?</b>
<b>DDoS</b>, short for <b>Distributed Denial-of-Service</b>, means denial of service from multiple sources in multiple locations. It is designed to flood a server with traffic and overwhelm its infrastructure. Attackers, after gaining control of many computers, leverage them to send malicious data and requests to other devices through websites or email addresses.
</div><div class="page_container" data-page="4">
<b>3) Effects of DoS and DDoS attacks</b>
<b>❖ Website Downtime:</b> The most immediate and obvious effect is that your website is overwhelmed and becomes unavailable. This means any business you gain via your website is lost to you until you get the site working again. It also harms your reputation as a website owner, and if you don't fix the site quickly it can affect your SEO: if Google crawls your site and finds it out of action, you will lose rank.
<b>❖ Website Vulnerability:</b> A DDoS attack could render your site more vulnerable to hacking, since all of your systems are focused on getting the site back online and security systems may have been put out of action by the attack. Hackers might then find it easier to make their way onto your site via a back door once the DDoS attack has succeeded in paralyzing it.
<b>❖ Lost Time and Money:</b> Repairing a website that has been subject to a DDoS attack takes time, and it can also take money. While the site is down you could be losing revenue, especially if your site is an ecommerce store, and you may have to pay to hire a security expert or web developer to rebuild your site and make sure it is protected from future attacks.
<b>4) Examples of famous DoS and DDoS attacks</b>
These attacks often result in operational disruptions, financial losses, and heightened security concerns. This makes DoS and DDoS attacks significant threats to organizations and online systems worldwide.
<b>a) Famous DoS attacks</b>
</div><div class="page_container" data-page="5">
<b>❖ Yahoo Website Attack (2000):</b> In 2000, the Yahoo website became the target of a large-scale DoS attack. This was one of the first DoS attacks to attract major media attention.
<b>❖ Taiwan Cable TV Network Attack (2015):</b> A group of hackers from China launched a DoS attack on Taiwan's cable TV network in 2015, causing millions of users to lose access to television.
<b>b) Famous DDoS attacks</b>
<b>❖ WikiLeaks Website Attack (2010):</b> After WikiLeaks published classified documents from the U.S. government, its website became the target of a significant DDoS attack in 2010, rendering it inaccessible for an extended period.
<b>❖ Dyn DNS System Attack (2016):</b> In 2016, a massive DDoS attack disrupted the DNS system of Dyn, a domain name management company, affecting large websites including Twitter, Amazon, and Netflix.
<b>❖ GitHub Website Attack (2018):</b> In 2018, the code repository website GitHub experienced a significant DDoS attack involving large-scale requests, causing disruptions for several crucial open-source projects.
<b>II. Types of DoS Attack</b>
<b>1) SYN/ACK Flooding</b>
<b>a) Description</b>
A SYN-ACK flood is an attack method that involves sending a target server spoofed SYN-ACK packets at a high rate. It is a Layer 4 (transport layer) DDoS attack in the OSI model.
<b>b) How it works</b>
</div><div class="page_container" data-page="6">
SYN-ACK packets are part of the <b>TCP handshake</b>, a series of three steps that start a conversation between any two connected devices on the Internet. The three steps of the TCP handshake are shown in the following image.
The device that opens the connection – say, laptop A – starts the three-way handshake by sending a SYN (short for "synchronize") packet. The device at the other end of the connection, server B, replies with a SYN-ACK packet. Finally, laptop A sends an ACK packet, and the three-way handshake is complete.
Usually a server sends a SYN-ACK packet in response to a SYN packet from a client device. In a SYN-ACK DDoS attack, the attacker floods the target with SYN-ACK packets. These packets are not part of any three-way handshake; their only purpose is to disrupt the target's normal operations. Because the server must spend processing power working out why it is receiving packets out of order (not following the normal SYN, SYN-ACK, ACK sequence of the TCP three-way handshake), it can become so busy handling the attack traffic that it cannot serve legitimate traffic, and the attacker achieves a denial-of-service condition.
<b>2) HTTP Flood Attack</b>
<b>a) Description</b>
</div><div class="page_container" data-page="7">
An HTTP flood attack is a type of volumetric DDoS attack designed to overwhelm a targeted server with HTTP requests. HTTP flood attacks are a type of “layer 7” DDoS
<b>b) How it works</b>
To maximize the impact of their attack, malicious actors commonly employ or build botnets. There are two varieties of HTTP flood attacks:
<b>❖ HTTP GET attack:</b> multiple computers or other devices are coordinated to send many requests for images, files, or some other asset from a targeted server. When the target is inundated with incoming requests and responses, denial-of-service will occur for additional requests from legitimate traffic sources.
<b>❖ HTTP POST attack:</b> typically, when a form is submitted on a website, the server must handle the incoming request and push the data into a persistence layer, most often a database. Handling the form data and running the necessary database commands is relatively intensive compared to the processing power and bandwidth required to send the POST request. This attack exploits that disparity in relative resource consumption by sending many POST requests directly to a targeted server until its capacity is saturated and denial-of-service occurs.
<b>3) DNS Amplification</b>
<b>a) Description</b>
A DNS amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
</div><div class="page_container" data-page="8">
A single bot in a DNS amplification attack can be thought of in the context of a malicious teenager calling a restaurant and saying “I will have one of everything, please call me back and tell me my whole order.” When the restaurant asks for a callback number, the number given is the targeted victim’s phone number. The target then receives a call from the restaurant with a lot of information that they did not request.
Each bot sends requests to open DNS resolvers with a spoofed source IP address set to the real IP address of the targeted victim, so the resolvers deliver their responses to the target. A DNS amplification attack can be broken down into <b>four steps</b>:
❖ The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. The spoofed address on the packets points to the real IP address of the victim.
❖ Each one of the UDP packets makes a request to a DNS resolver, often passing an argument such as “ANY” in order to receive the largest response possible.
❖ After receiving the requests, the DNS resolver, which is trying to be helpful by
</div><div class="page_container" data-page="9">
❖ The IP address of the target receives the response and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial-of-service.
While a few requests are not enough to take down network infrastructure, when this sequence is multiplied across many requests and many DNS resolvers, the amount of data the target receives can be substantial.
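As an added example (not part of the original presentation), the following Python script applies the property that both the SYN-ACK flood (section 1) and DNS amplification (section 3) share: the packets the victim receives answer no request it ever sent. It replays a constructed, simplified packet log and reports the unsolicited replies and their byte volume per source; the record format and addresses are assumptions for illustration.

```python
# Added example (not from the original presentation): flag inbound SYN-ACKs and DNS
# responses that answer no request we sent. Constructed packet log; field names are my own.
from collections import Counter

# Constructed records seen by host 10.0.0.5; "out" = sent by us, "in" = received by us.
PACKETS = [
    {"proto": "tcp", "dir": "out", "src": "10.0.0.5", "sport": 40000, "dst": "93.184.216.34", "dport": 443, "flags": "S", "len": 60},
    {"proto": "tcp", "dir": "in", "src": "93.184.216.34", "sport": 443, "dst": "10.0.0.5", "dport": 40000, "flags": "SA", "len": 60},
    # SYN-ACK flood: replies to handshakes we never started.
    {"proto": "tcp", "dir": "in", "src": "198.51.100.7", "sport": 80, "dst": "10.0.0.5", "dport": 1025, "flags": "SA", "len": 60},
    {"proto": "tcp", "dir": "in", "src": "198.51.100.7", "sport": 80, "dst": "10.0.0.5", "dport": 1026, "flags": "SA", "len": 60},
    # Legitimate DNS lookup: our query and the answer carrying the same transaction id.
    {"proto": "dns", "dir": "out", "src": "10.0.0.5", "sport": 53001, "dst": "192.0.2.53", "dport": 53, "txid": 0x1A2B, "len": 70},
    {"proto": "dns", "dir": "in", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.5", "dport": 53001, "txid": 0x1A2B, "len": 120},
    # Reflected amplification: large answers to queries we never sent.
    {"proto": "dns", "dir": "in", "src": "203.0.113.9", "sport": 53, "dst": "10.0.0.5", "dport": 53, "txid": 0x0001, "len": 3000},
    {"proto": "dns", "dir": "in", "src": "203.0.113.9", "sport": 53, "dst": "10.0.0.5", "dport": 53, "txid": 0x0002, "len": 3000},
]

def _key(pkt):
    """Exchange key from our point of view: (proto, peer ip, peer port, our port, dns txid)."""
    if pkt["dir"] == "out":
        peer, pport, ours = pkt["dst"], pkt["dport"], pkt["sport"]
    else:
        peer, pport, ours = pkt["src"], pkt["sport"], pkt["dport"]
    return (pkt["proto"], peer, pport, ours, pkt.get("txid"))

def find_unsolicited(packets):
    """Return {(proto, source ip): (count, bytes)} for replies matching no request we sent.

    The byte total is the reflected volume the victim absorbs; it grows with amplification.
    """
    pending, hits, volume = set(), Counter(), Counter()
    for pkt in packets:
        is_tcp = pkt["proto"] == "tcp"
        if pkt["dir"] == "out" and (not is_tcp or pkt["flags"] == "S"):
            pending.add(_key(pkt))  # remember our own SYNs and DNS queries
        elif pkt["dir"] == "in" and (not is_tcp or pkt["flags"] == "SA"):
            key = _key(pkt)
            if key in pending:
                pending.discard(key)  # answers a request we really sent
            else:
                hits[(pkt["proto"], pkt["src"])] += 1
                volume[(pkt["proto"], pkt["src"])] += pkt["len"]
    return {k: (hits[k], volume[k]) for k in hits}

if __name__ == "__main__":
    for (proto, src), (count, nbytes) in find_unsolicited(PACKETS).items():
        print(f"{proto} {src}: {count} unsolicited replies, {nbytes} bytes")
```

On the constructed log the legitimate handshake and lookup are matched and dropped, while both flood sources are reported with their byte totals.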
<b>4) Slowloris Attack</b>
<b>a) Description</b>
Slowloris is a denial-of-service attack program which allows an attacker to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target.
<b>b) How it works</b>
Unlike bandwidth-consuming reflection-based DDoS attacks such as DNS amplification, this type of attack uses a low amount of bandwidth, and instead aims to use up server resources with requests that seem slower than normal but otherwise mimic regular traffic. It falls in the category of attacks known as “low and slow” attacks.
The targeted server will only have so many threads available to handle concurrent connections. Each server thread will attempt to stay alive while waiting for the slow request to complete, which never occurs. To prevent the target from timing out the connections, the attacker periodically sends partial request headers to the target in order to keep the request alive, in essence saying, “I’m still here! I’m just slow, please wait for me.”
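The following Python script, an added example rather than anything from the original presentation, shows why a plain idle timeout does not catch the keep-alive trick described above and what a server can check instead: a deadline for completing the request headers and a per-client cap on incomplete connections. The connection snapshot, its field names and the limits are constructed.

```python
# Added example (not from the original presentation): decide which open HTTP connections
# a server should close under a Slowloris-style "low and slow" attack. The connection
# snapshot, its field names and the limits are constructed for illustration.
from collections import Counter

MAX_WORKERS = 8  # assumed size of the server's worker thread pool

# Constructed snapshot of open connections at time NOW (seconds since server start).
# headers_done=False means the request line and headers are still incomplete.
NOW = 100.0
CONNECTIONS = [
    {"id": 1, "client": "198.51.100.7", "opened": 10.0, "last_byte": 96.0, "headers_done": False},
    {"id": 2, "client": "198.51.100.7", "opened": 11.0, "last_byte": 97.0, "headers_done": False},
    {"id": 3, "client": "198.51.100.7", "opened": 12.0, "last_byte": 98.0, "headers_done": False},
    {"id": 4, "client": "198.51.100.7", "opened": 13.0, "last_byte": 99.0, "headers_done": False},
    {"id": 5, "client": "203.0.113.4", "opened": 95.0, "last_byte": 95.5, "headers_done": True},
    {"id": 6, "client": "192.0.2.20", "opened": 98.0, "last_byte": 99.0, "headers_done": False},
]

def idle_timeouts(conns, now, idle_limit=30.0):
    """Connections a plain idle timeout would close: no bytes for idle_limit seconds.

    Slowloris defeats this check by sending a partial header every few seconds, so
    each attack connection looks active even though its request never completes.
    """
    return [c["id"] for c in conns if now - c["last_byte"] > idle_limit]

def header_deadline_timeouts(conns, now, header_limit=20.0):
    """Connections whose headers are still incomplete header_limit seconds after opening,
    however recently a byte arrived. This is the check that catches Slowloris."""
    return [c["id"] for c in conns if not c["headers_done"] and now - c["opened"] > header_limit]

def over_connection_cap(conns, per_client_cap=3):
    """Incomplete connections belonging to clients holding more than per_client_cap of them."""
    counts = Counter(c["client"] for c in conns if not c["headers_done"])
    flagged = {client for client, n in counts.items() if n > per_client_cap}
    return [c["id"] for c in conns if c["client"] in flagged and not c["headers_done"]]

def pool_saturation(conns, workers=MAX_WORKERS):
    """Fraction of worker threads tied up by requests whose headers have not completed."""
    return sum(1 for c in conns if not c["headers_done"]) / workers

if __name__ == "__main__":
    print("idle timeout would close:", idle_timeouts(CONNECTIONS, NOW))
    print("header deadline closes:", header_deadline_timeouts(CONNECTIONS, NOW))
    print("per-client cap closes:", over_connection_cap(CONNECTIONS))
    print(f"workers held by partial requests: {pool_saturation(CONNECTIONS):.0%}")
```

The freshly opened connection 6 is spared by both checks, so a slow but honest client is not mistaken for the attacker.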
The targeted server is never able to release any of the open partial connections while waiting for the termination of the request. Once all available threads are in use, the server will be unable to respond to additional requests made from regular traffic, resulting in denial-of-service.
</div><div class="page_container" data-page="10">
<b>III. Prevention and Control methods of DoS and DDoS attacks</b>
<b>1) Protections against the DoS and DDoS attacks</b>
Several methods of DDoS protection exist to prevent or mitigate its effects, including:
<b>Restricting Traffic:</b> Restricting traffic to addresses that are trusted and known can help prevent a DDoS attack from interrupting services. Additionally, services that are not needed can be shut down or blocked in a similar manner.
<b>Cloud-Based Protection:</b> Cloud-based protection involves using a third-party service to monitor and filter incoming and outgoing traffic to a server or website. This approach provides an additional layer of security by identifying and stopping malicious requests.
<b>Intrusion Prevention Systems (IPS):</b> IPS solutions analyze network traffic patterns in real time and can identify malicious activity that could lead to a DDoS attack. This approach blocks known malicious traffic and can stop an attack in its tracks.
<b>Content Delivery Network (CDN):</b> CDNs distribute incoming traffic across several different servers to reduce the strain on any single server. This approach can help prevent DDoS attacks by reallocating traffic across multiple servers.
<b>2) How to control the attacks</b>
<b>a) Prevention approaches</b>
Preventing a DoS attack can be challenging, but there are several effective techniques:
<b>❖ Network segmentation:</b> Segmenting networks into smaller, more manageable pieces can limit the impact of a DoS attack. This can be done by creating VLANs, and firewalls can limit the spread of an attack. The optimal solution is zero trust microsegmentation. Adding device-level and device-cloaking firewalling, external to the operating system, remains the most reliable form of DoS protection.
</div><div class="page_container" data-page="11">
<b>❖ Load balancing:</b> By distributing traffic across multiple servers, a DoS attack can be prevented from overwhelming a single server or resource. Load balancing can be achieved using hardware or software solutions.
<b>❖ IP blocking:</b> Blocking traffic from known or suspected malicious sources can prevent DoS traffic from reaching its target.
<b>❖ Rate limiting:</b> Limiting the rate at which traffic may reach a server or resource can prevent a DoS attack from overwhelming it.
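As an added example (not from the original presentation), the following Python rate limiter implements the last item above for the HTTP flood case from section II: a sliding window per client in which a POST is charged more than a GET, so the form-submission cost disparity described there is reflected in the budget. The cost model, limits and request log are constructed assumptions.

```python
# Added example (not from the original presentation): a per-client sliding-window rate
# limiter that charges a POST more than a GET, reflecting the cost disparity the HTTP
# flood section describes. The cost model, limits and request log are constructed.
from collections import defaultdict, deque

COST = {"GET": 1, "POST": 5}  # assumed relative server cost of each request method

class SlidingWindowLimiter:
    """Allow at most `budget` cost units per client within any `window` seconds."""

    def __init__(self, budget=20, window=10.0):
        self.budget, self.window = budget, window
        self.history = defaultdict(deque)  # client -> deque of (timestamp, cost)
        self.spent = defaultdict(int)      # client -> cost currently inside the window

    def _expire(self, client, now):
        q = self.history[client]
        while q and now - q[0][0] >= self.window:
            _, cost = q.popleft()
            self.spent[client] -= cost

    def allow(self, client, method, now):
        """Record and accept the request if it fits the client's budget, else reject it."""
        self._expire(client, now)
        cost = COST.get(method, 1)
        if self.spent[client] + cost > self.budget:
            return False
        self.history[client].append((now, cost))
        self.spent[client] += cost
        return True

def apply_limiter(requests, limiter=None):
    """Feed (timestamp, client, method) records through the limiter in time order.
    Returns per-client counts of accepted and rejected requests."""
    limiter = limiter or SlidingWindowLimiter()
    accepted, rejected = defaultdict(int), defaultdict(int)
    for ts, client, method in sorted(requests):
        bucket = accepted if limiter.allow(client, method, ts) else rejected
        bucket[client] += 1
    return dict(accepted), dict(rejected)

# Constructed log: a bot hammering a form with POSTs twice a second, plus a normal browser.
REQUESTS = [(i * 0.5, "198.51.100.7", "POST") for i in range(12)] + [
    (0.0, "192.0.2.20", "GET"), (1.0, "192.0.2.20", "GET"),
    (2.0, "192.0.2.20", "POST"), (12.0, "192.0.2.20", "GET"),
]

if __name__ == "__main__":
    print(apply_limiter(REQUESTS))
```

With the default budget the bot gets four POSTs through before the rest are rejected, while the browser, whose early requests age out of the window, is never throttled.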
<b>b) Mitigation approaches</b>
If a DoS attack is underway, there are several steps that can be taken to mitigate its impact:
<b>❖ Traffic filtering</b> can eliminate known or suspected malicious sources.
<b>❖ Blackhole routing</b> involves redirecting all traffic to a null route, effectively dropping all incoming traffic. This can be an effective way to mitigate a DoS attack, but it can also impact legitimate traffic.
<b>❖ Scrubbing services</b> identify and filter out malicious traffic, allowing legitimate traffic to reach its destination.
<b>IV. Conclusion</b>
<b>1) Summary of the Topic</b>
Both DoS and DDoS attacks share the same primary goal: to disrupt service availability. They aim to overwhelm a network, service, or server with more traffic than it can handle, rendering it useless to its intended users.
In a DoS attack, the victim's website or server is targeted by a single system, while in a DDoS attack, the victim is targeted by multiple systems. This multi-pronged approach makes <b>DDoS attacks harder to stop</b>, as blocking one source won’t end the attack. It’s like
</div><div class="page_container" data-page="12">
Several types of DDoS attack that are commonly used are: SYN-ACK Flood, HTTP Flood, DNS Amplification, Slowloris Attack, and so on.
Restricting traffic, cloud-based protection, IPS, and CDNs are some of the methods to ensure protection against DDoS attacks.
It can be challenging to prevent a DoS or DDoS attack. However, there are still some techniques to implement, such as network segmentation, load balancing, IP blocking, and rate limiting. Besides, there are also some ways to mitigate its impact, such as traffic filtering, blackhole routing, and scrubbing services.
<b>2) The significance of understanding and dealing with DoS and DDoS attack</b>
Understanding the mechanisms and risks of DoS and DDoS attacks is crucial in cybersecurity. While both aim to disrupt services, their mechanisms and impacts vary significantly. Knowing what you are up against can help you prepare more effectively and ensure your organization’s stability and security.
Each successful DDoS attack can result in your site malfunctioning, customers leaving for a competitor, and declining profit. If a web resource is socially relevant or provides important services (such as information, communications, or financial transfers), something far worse can happen: loss of reputation and of customers’ trust. The reputational consequences of a denial of service are long-term and hard to tackle, out of all proportion to the time and effort it takes to launch an attack. All of this emphasizes how important it is to protect your site from DoS and DDoS attacks. Furthermore, since the success of these services depends on their availability, investing in DDoS protection means safeguarding the commercial viability of the service. In other words, companies that depend on the internet to run their operations should treat DDoS protection as a priority investment.
</div>