Overview of Denial of Service Attacks
Paper Type: Free Essay | Subject: Information Technology
Wordcount: 2854 words | Published: 13th Jul 2021
Introduction
As technology replaces traditional manual methods in more of what we do, we face the risks that come with it, even though technology may seem an easier and better method than before. One of the main risks companies and users face today is the Denial of Service (DoS) attack. A Denial of Service attack is an attack sent out to harm or cause malicious damage to a company’s information or systems (May, 2002). DoS attacks are very simple attacks that can stress a company’s ability to handle user network packets in the system (Almomari, Manickam, Gupta, Karuppayah, & Alfaris, 2012).
In these attacks a single user sends packets to a company’s Internet Protocol (IP) address, flooding it with packet requests until it can no longer process them and time-out errors occur, causing the system to crash and shut down until no more packets are being sent to that IP (May, 2002). Another style of attack is the DDoS (Distributed Denial of Service) attack, in which a large group hits a target and causes heavy bandwidth usage within a company until downtime occurs (Almomari, Manickam, Gupta, Karuppayah, & Alfaris, 2012). Since these attacks target protocols such as HTTP GET and HTTP POST, they are known as layer 7 attacks, or application layer attacks in the OSI model (Almomari, Manickam, Gupta, Karuppayah, & Alfaris, 2012).
Becoming a victim of a DoS attack can be frightening. These attacks can cause a company to lose revenue and customers because of the downtime and unreachability a DoS attack brings. Besides causing system downtime, an attack also presents a risk to users’ data, and confidential company information can even be leaked through open backdoors (Almomari, Manickam, Gupta, Karuppayah, & Alfaris, 2012). There is no way to tell whether you are going to be attacked, but there are some precautionary steps that can minimize the damage and downtime a DoS attack may cause (Carl, Kesidis, Brooks, & Rai, 2006).
Attack Types
Companies wonder why they are targeted by DoS attacks. In most cases the attackers are attacking for political reasons or to prove a point: that the company’s systems are weak and can easily be tampered with. Also known as zero-day attacks (Mahjabin, Xiao, Sun, & Jiang, 2017), these are attacks in which attackers find loopholes and vulnerabilities in a company’s systems. Companies often treat these attacks as a learning tool and fix the issues to prevent them from happening again in the future (Mahjabin, Xiao, Sun, & Jiang, 2017). In some cases attackers try to make money from these attacks by blackmailing smaller companies for money or other services. These blackmail attacks often go unreported because the company, being small, fears being taken down if it reports them (Sachdeva, Singh, Kumar, & Singh, 2010).
Not every hacker attempts to hold companies to ransom. Some attacks are carried out just for the fun of it. These attackers are known as “script kiddies” (Sachdeva, Singh, Kumar, & Singh, 2010), mostly young adults who do it just to show people they can. They are most commonly found on gaming platforms such as Xbox, PlayStation and PC. Script kiddies take pre-made DoS kits and attack other players’ home routers just for the fun of it; these activities are still considered highly illegal (Sachdeva, Singh, Kumar, & Singh, 2010). Script kiddies also use network scanning tools to sniff for the IPs of other players during in-game matches (Hayward, 2017).
Botnets
DDoS (Distributed Denial of Service) attacks come from a pool of computers connected to act as an army of computers. Many types of tools can cause a distributed denial of service, ranging from web-based to software-based methods. The most common attack methods are known to come from botnets (Pool, 2013). These attacks are known to be the most powerful and hardest-hitting style of attack. To run a botnet a user first needs a VPS (Virtual Private Server) to load bots onto (Gozzi, 2000). These servers typically cost money from a hosting site. Once the user buys the VPS they can load whichever operating system (OS) they want onto it, but Linux is most common for botnets due to its simplicity (May, 2002).
Once an OS has been loaded onto the VPS, the user must add “zombies” to the VPS’s network. These are regular everyday computers infected with a trojan virus that makes them part of a zombie network. One way the user gets zombies to join is by sending out emails containing simple things a regular user wouldn’t think twice about opening; the image file or web link inside carries a virus that installs itself on an unsuspecting user’s computer. The unsuspecting user’s computer thereby becomes part of the VPS network (Gozzi, 2000). In most cases regular users will not know they have been exposed to this type of attack; however, if a user looks at the network usage in the task manager and sees it at a constantly high percentage while the machine is idle, they will know something is wrong. The user will continue to add zombies, several thousand of them, until they reach a count they are satisfied with (Pool, 2013).
Zombies can be added to a VPS network by means other than sending phishing emails and links to users. A technique called random scanning has machines (computers) that are already infected with a trojan probe other IP addresses with worms; the most commonly used worm is CRv2 (Code Red) (Mahjabin, Xiao, Sun, & Jiang, 2017). This scanning method produces heavy bandwidth usage while maximizing the chances of infecting more and more machines at once. As more machines are recruited, duplicate probing also becomes common because the scanning is random (Mahjabin, Xiao, Sun, & Jiang, 2017).
DoS Attack Methods
Once a user has a botnet assembled and ready to go, that user must find an IP and a port through which the victim is vulnerable (Carl, Kesidis, Brooks, & Rai, 2006). In most cases, to get a company’s IP an attacker pings the site from a command prompt and receives a reply containing the company’s IP. The user must then select a port, such as 80 or 443 (Mahjabin, Xiao, Sun, & Jiang, 2017), which are the most common ports used in these styles of attack, or any other. Next the user must select an attack method, which can range from ICMP, UDP, SIP, TCP PUSH, LDAP and SYN to many more (Mahjabin, Xiao, Sun, & Jiang, 2017). The most common and hardest-hitting protocol is LDAP (Lightweight Directory Access Protocol) (Almomari, Manickam, Gupta, Karuppayah, & Alfaris, 2012).
Before the user clicks the send button on a DoS tool they must be sure they have spoofed their source IP (Sachdeva, Singh, Kumar, & Singh, 2010). If they do not spoof the source IP, a company can trace back where the attack originated, putting the attacker at risk of being identified (Sachdeva, Singh, Kumar, & Singh, 2010). The user then sends out the attack using the botnet, which uses small amounts of bandwidth from each infected machine. If a company tried to track where the attack was coming from, it would find this impossible, since thousands of IPs would be flooding its network traffic, none of which would seem like a legitimate IP (Carl, 2006).
Attack methods in DoS attacks vary in speed and effectiveness (Almomari, Manickam, Gupta, Karuppayah, & Alfaris, 2012). In a TCP PUSH ACK attack (Mahjabin, Xiao, Sun, & Jiang, 2017) the attacker wants the victim to run out of memory and CPU power, preventing legitimate users from accessing its services and causing the system to crash. During this attack a botnet sends large TCP and ACK packets to the victim, which causes the victim’s system to clear memory in order to send acknowledgement packets back. Meanwhile the victim’s CPU power and memory start to run out and overload, which prevents legitimate users from accessing the victim’s system (Mahjabin, Xiao, Sun, & Jiang, 2017).
Web-Based Tool Attacks
Web-based DDoS attack tools are simple to use, since they are readily available online for small fees, for companies to use for “testing” purposes only. While some users do use them for testing, the majority use them maliciously. These sites have disclaimer warnings and ToS (Terms of Service) agreements (Pool, 2013) that users must agree to in order to use the service, but most of the sites do not care and will not monitor what the service is being used for. If such a site receives a report or complaint about a user’s malicious activity, it will then act against that user.
Legal Repercussions
Denial of Service attacks may seem untraceable and unpunished. DoS attacks are hard to trace, but if there is a breakthrough or a tip comes in that someone is carrying them out, and there is enough proof that the person can be held liable, they will be prosecuted for the damages, although it is rare for these attackers to be found. It is also a federal crime to take part in DDoS attacks; anyone held liable can be charged civilly and criminally. The CFAA (Computer Fraud and Abuse Act) provides that anyone who intentionally causes harm to a computer system that is part of a commerce or enterprise is violating the law (Kostadinov, 2015). Attacks also do not have to be successful to be prosecuted: attempted attacks fall under the act and can still be prosecuted.
In a real-life case, the attack on PayPal in 2010, 16 members of a social justice group known as Anonymous were arrested and pleaded guilty to the attacks; they each received a 10-year prison sentence along with a $250,000 fine to pay for the damages caused (Kostadinov, 2015). DoS attacks are serious crimes that the government will act against and not take lightly.
Defending Against DoS Attacks
How can a company defend itself from these attacks? Dozens of companies provide DDoS mitigation services for websites and other web media. These services act as a man in the middle between a company’s server and the user’s network. When a user visits a site that has a service filter active, the service holds the user’s network packets for a set amount of time and verifies that the user isn’t trying to send too many packets at once. If it detects too many packets being sent it ignores the incoming connection; if the check passes it allows the connection through. Some of these providers can even make the company’s IP private, so that if the site is pinged the service replies with its own IP (Lahn, 2017).
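The per-source check described above, written out as an added example (it is not part of the original essay and is not any mitigation provider's actual code). The class name, the limits and the sample traffic are assumptions made for illustration.

```python
from collections import OrderedDict, deque


class SourceRateFilter:
    """Sliding-window packet filter sitting between clients and a protected server."""

    def __init__(self, max_packets=5, window_ms=1000, max_sources=10000):
        self.max_packets = max_packets  # packets allowed per source per window
        self.window_ms = window_ms      # how long a packet counts against its source
        self.max_sources = max_sources  # cap on tracked sources (bounds memory)
        self.seen = OrderedDict()       # source -> deque of recent timestamps

    def allow(self, src, now_ms):
        """Return True to forward the packet, False to ignore it."""
        times = self.seen.pop(src, None)
        if times is None:
            times = deque()
            if len(self.seen) >= self.max_sources:
                self.seen.popitem(last=False)  # evict the least recently seen source
        self.seen[src] = times                 # re-insert as most recently seen
        while times and now_ms - times[0] >= self.window_ms:
            times.popleft()                    # forget packets older than the window
        if len(times) >= self.max_packets:
            return False                       # too many at once: ignore the packet
        times.append(now_ms)
        return True


def run_filter(packets, **limits):
    """Replay (timestamp_ms, source) pairs; return per-source forwarded/dropped counts."""
    flt = SourceRateFilter(**limits)
    totals = {}
    for now_ms, src in packets:
        counts = totals.setdefault(src, {"forwarded": 0, "dropped": 0})
        counts["forwarded" if flt.allow(src, now_ms) else "dropped"] += 1
    return totals


# Constructed sample traffic using documentation addresses (RFC 5737):
# an ordinary client at about 3 packets/second and a source at 50 packets/second.
SAMPLE = sorted(
    [(i * 333, "192.0.2.10") for i in range(6)]
    + [(i * 20, "198.51.100.7") for i in range(100)]
)

if __name__ == "__main__":
    for src, counts in run_filter(SAMPLE).items():
        print(src, counts)
```

A per-source limit like this handles a single noisy sender; when traffic arrives from thousands of sources, as the essay describes for botnets, each source can stay under the limit. The table cap only keeps the filter itself from running out of memory.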
Another way for a company that manages a dedicated server to get better protection is to hire a DoS manager who takes care of all attacks and monitors network traffic 24/7 (Rubens, 2018). Early in an intrusion these managers can make key moves to prevent the system from going down. Their responsibilities include calling the ISP (Internet Service Provider) and having the ISP activate its BGP (Border Gateway Protocol); in this case all incoming traffic is nulled, meaning it is dropped before reaching the host. An ISP will hate having extra bandwidth usage on its systems and will work with the victim on resolving the issue (Rubens, 2018).
There are plenty of preventative steps non-business users can take to avoid being attacked. The first and easiest is to have DHCP enabled on the home router (Rubens, 2018), so that IPs are selected automatically and can be changed by resetting the router or unplugging it from the power source. In most cases DHCP is not used in a business environment due to the risk of getting an IP that is not secure, which is why businesses have static (non-changing) IPs (Mahjabin, Xiao, Sun, & Jiang, 2017). Another route, for a user who wants to be extra careful about being infected, is to invest in a VPN that can spoof the user’s IP easily and has good speed; when using a VPN your IP is spoofed, making it appear that the user is somewhere else in the world (Furguson, Systems, Houston, & T, 1998).
Conclusions
Businesses have gone from relying entirely on paper and manual labor to a point where almost every company is web-based and needs the internet for its day-to-day functions. Businesses now have to worry about possible attacks that cannot be controlled physically. DoS attacks against companies are frightening because a company cannot predict when they will strike or how much damage an attack will cause. Companies often take precautions in the hope of curbing the chance of being attacked or targeted, such as using mitigation services and having dedicated staff to prevent these attacks from causing system damage during the early stages.
For regular users there is no direct way to protect themselves other than practicing safe measures on the internet and remaining alert to suspicious emails or offers that seem too good to be true.
References
May, M. (2002). A WIDE WEB OF ATTACK. American Scientist, 90(1), 29-31. Retrieved from http://www.jstor.org/stable/27857592
Gozzi, R. (2000). ZOMBIE COMPUTERS. ETC: A Review of General Semantics, 57(3), 349-352. Retrieved from http://www.jstor.org/stable/42578028
Pool, P. (2013). War of the Cyber World: The Law of Cyber Warfare. The International Lawyer, 47(2), 299-323. Retrieved from http://www.jstor.org/stable/43923953
Carl, G., Kesidis, G., Brooks, R. R., & Rai, S. (2006). Denial-of-service attack-detection techniques. IEEE Internet Computing, 10(1), 82-89. doi:http://dx.doi.org/10.1109/MIC.2006.5
Almomari, E., Manickam, S., Gupta, B., Karuppayah, S., & Alfaris, R. (2012). Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art. Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art, 49(7). Retrieved September 21, 2018.
Kostadinov, D. (2015, February 13). Legality of DDoS: Criminal Deed vs. Act of Civil Disobedience. Retrieved from https://resources.infosecinstitute.com/legality-ddos-criminal-deed-vs-act-civil-disobedience/#gref
Lahn, M. (2017, July 27). How Does DDOS Protection Work? Retrieved November 18, 2018, from https://www.servermania.com/kb/articles/how-does-ddos-protection-work/
Rubens, P. (2018, June 26). How to Stop DDoS Attacks: 6 Tips for Fighting DDoS Attacks. Retrieved October 18, 2018, from https://www.esecurityplanet.com/network-security/5-tips-for-fighting-ddos-attacks.html
Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal of Distributed Sensor Networks, 13(12), 155014771774146. doi:10.1177/1550147717741463
Sachdeva, M., Singh, G., Kumar, K., & Singh, K. (2010). DDoS Incidents and Their Impact: A Review, 7(1).
Hayward, R. (2017). EVALUATING THE “IMMINENCE” OF A CYBER ATTACK FOR PURPOSES OF ANTICIPATORY SELF-DEFENSE. Columbia Law Review, 117(2), 399-434. Retrieved from http://www.jstor.org/stable/44159464
Furguson, P., Systems, C., Houston, G., & T. (1998). Configuring a VPN Using IPSec. Cisco Routers for the Small Business, 1(1), 81-103. doi:10.1007/978-1-4302-1852-4_4