DoS / DDoS Attacks

Overview of DoS / DDoS Attacks

Denial of service (DoS) and distributed denial of service (DDoS) attacks are among the most common cyber threats on the Internet. The mechanisms behind the two are largely the same, and they share the same goal: degrading the performance of the target systems or exhausting their resources so that they become unusable or inaccessible to legitimate users. Targets include websites, email services, Domain Name System (DNS) servers, web-based applications and the network links in front of them.

DoS attacks usually involve only a small number of hosts, or even a single host, that attempt to overwhelm the capacity of the target system. If the target cannot keep up with the requests sent by the attacking hosts, its availability is compromised. Because the traffic comes from few sources, a DoS attack is comparatively easy to filter once those sources have been identified.

DDoS attacks, on the other hand, are DoS attacks carried out at scale. The attacker orchestrates a synchronised attack against a specific service, network or server by remotely controlling a large number of compromised hosts (a botnet). Attackers may also adopt techniques such as reflective amplification to upscale the attack and cause as much operational disruption as possible. According to a news report, an information technology service provider experienced a DDoS attack on its DNS infrastructure in April 2021 which caused a service outage around the globe for several hours; some of the cloud services offered by the provider became inaccessible. The incident shows that a DDoS attack can significantly affect an organisation's services and result in real losses.

Figure 1: Typical DoS / DDoS Attack Diagram

Moreover, DDoS attacks are sometimes used as a decoy to distract an organisation’s cyber security operations while other malicious activities, such as data theft or network infiltration, are underway.

For simplicity, "DDoS" is used to refer to both DDoS and DoS attacks in the subsequent sections.

Impacts of DDoS Attacks

The impact of a DDoS incident can be devastating to an organisation from both financial and operational perspectives. The consequences of a DDoS attack may include:

Service interruption – Computer systems are overwhelmed with abnormal traffic and their services become unavailable to users and customers (e.g. disrupted online sales and loss of shareholder confidence).
Business operation interruption – DDoS attacks may degrade the performance of the organisation's computer network or bring it to a halt, which may in turn breach service level agreements.
Damage to organisation reputation – Unavailability of IT services may trigger customer complaints, which in turn damage the organisation's reputation.
Financial loss – Lost business during the outage and the cost of mitigation, as well as extortion: an attacker may send emails demanding a ransom in exchange for stopping, or not launching, DDoS attacks against the organisation.
Impeding cyber defence capabilities – An attacker uses DDoS as a decoy to distract the IT security team while attempting to breach the organisation's security perimeter with malware or a network intrusion.

Typical DDoS Attacks

DDoS attacks can be broadly classified into the following four major categories:

Flood or volumetric attacks – Attackers deliver a massive volume of packets to consume all the available Internet bandwidth of an organisation, crowding out legitimate users' traffic so that services become inaccessible. These attacks are measured in bits per second and succeed by saturating the links, regardless of how the target handles each packet, so they must be mitigated upstream of the saturated link rather than on equipment behind it.

Examples: User Datagram Protocol (UDP) floods, Internet Control Message Protocol (ICMP) floods and DNS floods

Connection state attacks (also known as protocol attacks) – Network devices and servers keep per-connection state for protocols that involve a handshake, such as TCP's three-way handshake and the TLS handshake, and that state is allocated before the remote peer has shown that it is a genuine client. Attackers abuse this by opening large numbers of seemingly legitimate connections that they never complete, exhausting connection tables, socket buffers or CPU on the victim's servers and on stateful devices such as firewalls and load balancers. Because each packet looks like a valid step of the handshake, this traffic is difficult to mitigate with a stateless firewall or edge router. The accumulated half-open connections eventually exhaust the victim's resources and prevent access by legitimate users.

Examples: SYN floods and Secure Sockets Layer (SSL) / Transport Layer Security (TLS) handshake exhaustion

Figure 2: Example of a SYN flood attack
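As an added example (not part of the original page), the following Python script shows the mitigation that makes a SYN flood survivable: SYN cookies. Instead of queuing state for every half-open connection, the server encodes a keyed hash of the connection's 4-tuple, the client's initial sequence number and a coarse timestamp into its own initial sequence number, and only allocates state when a client echoes that value back in the final ACK. The layout below (5 epoch bits, 27 MAC bits, no MSS encoding) is a simplified illustration rather than the exact Linux or BSD algorithm; the secret, addresses and ports are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values; a real server rotates its secret periodically.
SECRET = b"server-side-secret-rotate-me"
EPOCH_SECONDS = 64          # lifetime of one cookie epoch
EPOCH_BITS, MAC_BITS = 5, 27
EPOCH_MASK = (1 << EPOCH_BITS) - 1
MAC_MASK = (1 << MAC_BITS) - 1


def _epoch(now):
    return (now // EPOCH_SECONDS) & EPOCH_MASK


def _cookie_mac(saddr, daddr, sport, dport, client_isn, epoch):
    """Keyed hash binding the cookie to the 4-tuple, the client ISN and the epoch."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, epoch)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, now):
    """Server ISN placed in the SYN-ACK: the top 5 bits carry the epoch, the
    low 27 bits the MAC. The server stores nothing for this SYN."""
    epoch = _epoch(now)
    return (epoch << MAC_BITS) | _cookie_mac(saddr, daddr, sport, dport, client_isn, epoch)


def verify_syn_cookie(saddr, daddr, sport, dport, ack_seq, ack_num, now):
    """Check the handshake's final ACK. ack_seq is client_isn + 1 and ack_num is
    the cookie + 1. Only the current and the previous epoch are accepted, so a
    replayed or guessed cookie goes stale within two epochs."""
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_num - 1) & 0xFFFFFFFF
    epoch = cookie >> MAC_BITS
    current = _epoch(now)
    if epoch not in (current, (current - 1) & EPOCH_MASK):
        return False
    expected = _cookie_mac(saddr, daddr, sport, dport, client_isn, epoch)
    return hmac.compare_digest(expected.to_bytes(4, "big"),
                               (cookie & MAC_MASK).to_bytes(4, "big"))


def simulate_flood(n_spoofed_syns, now=1_700_000_000):
    """Compare a naive server, which queues every SYN, with a cookie server
    under a flood of spoofed SYNs, then let one real client complete its
    handshake. Returns (naive_half_open, cookie_half_open, legit_ok)."""
    server = "198.51.100.10"
    naive_backlog, cookie_backlog = {}, {}
    for i in range(n_spoofed_syns):
        src, sport = f"203.0.113.{i % 254 + 1}", 1024 + (i % 60000)   # spoofed sources
        isn = (0x9E3779B1 * i) & 0xFFFFFFFF
        naive_backlog[(src, sport)] = isn                      # naive: state per SYN
        make_syn_cookie(src, server, sport, 443, isn, now)     # cookie: no state kept
    client_isn = 0x7E57
    cookie = make_syn_cookie("192.0.2.50", server, 40000, 443, client_isn, now)
    legit_ok = verify_syn_cookie("192.0.2.50", server, 40000, 443,
                                 client_isn + 1, cookie + 1, now + 3)
    return len(naive_backlog), len(cookie_backlog), legit_ok


if __name__ == "__main__":
    # naive backlog grows with every spoofed SYN, the cookie server's stays empty
    print(simulate_flood(100_000))
```

The price of this scheme is the information the server can no longer remember for a cookie-validated connection (hence real implementations squeeze an MSS index into the cookie), which is why operating systems enable cookies only once the SYN backlog overflows rather than for every connection.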

Application layer attacks – The attacker targets the application layer, usually specific functions of an application that are expensive for the server to process, such as searches, logins or report generation. The victim's application is overloaded with requests that are valid at the network and transport layers, exhausting worker threads, connection slots, memory or database capacity until it can no longer respond to legitimate users. These attacks need far less bandwidth than volumetric attacks, so they do not show up as a bandwidth spike and are easily mistaken for a surge in normal use; distinguishing them requires knowing the application's normal request profile.

Examples: Slowloris DoS / DDoS attacks (holding many connections open by sending request headers slowly and never completing them), HTTP GET / POST floods
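Slowloris works by opening many connections and sending request headers a few bytes at a time, never finishing them, so each connection occupies a server worker indefinitely. The countermeasure is to bound how long a client may take to deliver a complete request header and how many connections one address may hold at once. The asyncio server below is an added example, not from the original page, that enforces both limits; the HEADER_TIMEOUT and MAX_CONN_PER_IP values and the demo clients are constructed for illustration, and a production deployment would set the equivalent options (header timeouts, per-client connection limits) in its web server or reverse proxy configuration rather than hand-roll a server.

```python
import asyncio
from collections import Counter

# Illustrative limits (constructed): tune to the real application.
HEADER_TIMEOUT = 1.0        # seconds a client gets to deliver its complete request header
MAX_CONN_PER_IP = 2         # concurrent connections one client address may hold
MAX_HEADER_BYTES = 8192     # a header block larger than this is rejected outright

_active = Counter()         # open connections per client address


async def handle_client(reader, writer):
    """Serve one connection. Refuse it if the peer already holds its quota;
    send 408 and close if the blank line that ends the headers does not arrive
    within HEADER_TIMEOUT, which is exactly what a Slowloris client withholds."""
    peer = writer.get_extra_info("peername")[0]
    if _active[peer] >= MAX_CONN_PER_IP:
        writer.write(b"HTTP/1.1 503 Service Unavailable\r\nConnection: close\r\n\r\n")
        await writer.drain()
        writer.close()
        return
    _active[peer] += 1
    try:
        try:
            await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), HEADER_TIMEOUT)
            # A real server would parse the request here; we only prove it arrived in time.
            writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        except (asyncio.TimeoutError, asyncio.IncompleteReadError,
                asyncio.LimitOverrunError):
            writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        await writer.drain()
    finally:
        _active[peer] -= 1
        writer.close()


async def _request(port, chunks, gap=0.0):
    """Minimal client: send header chunks with a delay between them, then read
    the status line. An empty chunk list just connects and waits."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        for chunk in chunks:
            writer.write(chunk)
            await writer.drain()
            await asyncio.sleep(gap)
        status_line = await asyncio.wait_for(reader.readline(), HEADER_TIMEOUT + 2)
        return status_line.decode().split(" ")[1]
    finally:
        writer.close()


async def demo():
    """Returns the status codes seen by (normal client, Slowloris client, over-quota client)."""
    server = await asyncio.start_server(handle_client, "127.0.0.1", 0, limit=MAX_HEADER_BYTES)
    port = server.sockets[0].getsockname()[1]
    async with server:
        normal = await _request(port, [b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"])
        partial = [b"GET / HTTP/1.1\r\n", b"X-a: 1\r\n"]        # never sends the blank line
        holders = [asyncio.create_task(_request(port, partial, gap=0.1))
                   for _ in range(MAX_CONN_PER_IP)]
        await asyncio.sleep(0.3)                                 # holders now occupy the quota
        over_quota = await _request(port, [])                    # same IP, refused at once
        slow = await asyncio.gather(*holders)                    # cut off after HEADER_TIMEOUT
    return normal, slow[0], over_quota


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

Note that the timeout covers the whole header block, not the gap between bytes: a client that trickles one header line every half second keeps the connection alive forever under a per-read timeout but is still cut off here.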

Reflection and amplification attacks – The attacker sends small requests over UDP (or, less commonly, TCP) to vulnerable open servers (reflectors, also known as amplifiers) with the source IP address spoofed to that of the target. The reflectors send their responses, which can be many times larger than the requests, to the spoofed address, so the target is handed megabytes or gigabytes of traffic that it never asked for. Receiving and processing this flood of packets exhausts the target's bandwidth and server resources and leads to denial of service. Two conditions make these attacks possible: a service whose response is much larger than its request, and networks that let packets with spoofed source addresses leave them. Operators remove the first by closing or rate-limiting open resolvers and similar services, and the second by validating source addresses at the network edge (ingress filtering, BCP 38).

Examples: Connection-less Lightweight Directory Access Protocol (CLDAP) amplification attacks and DNS amplification attacks, collectively referred to as distributed reflective denial of service (DRDoS) attacks

Figure 3: Example of a CLDAP amplification attack
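The following Python script is an added example, not from the original page, showing why an open DNS resolver works as an amplifier and how a resolver operator or network sensor can spot the requests used to abuse it. build_dns_query() assembles a real query as it appears on the wire: a name, a query type and an EDNS0 OPT record advertising a large UDP buffer, which is what lets a 40-byte request solicit a multi-kilobyte answer. parse_dns_query() is the detection side, a deliberately simplified parser (one question, no name compression) that flags ANY queries and oversized EDNS buffers. The 3,000-byte response size used below is a constructed figure, not a measurement, and nothing here sends packets.

```python
import struct

QTYPE_A, QTYPE_ANY = 1, 255
RRTYPE_OPT = 41                      # EDNS0 pseudo-record


def _encode_name(name):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name, qtype=QTYPE_ANY, edns_udp_size=4096, txid=0x1234):
    """A recursion-desired query with one question and one OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)     # RD=1, QDCOUNT=1, ARCOUNT=1
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL = 0, RDLEN = 0
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def parse_dns_query(pkt):
    """Return (qname, qtype, edns_udp_size or None). Simplified: first question
    only, uncompressed names, OPT assumed to be the first additional record."""
    _txid, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name not supported")
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns_size = None
    if arcount and off + 5 <= len(pkt) and pkt[off] == 0:
        rtype, rclass = struct.unpack("!HH", pkt[off + 1:off + 5])
        if rtype == RRTYPE_OPT:
            edns_size = rclass
    return ".".join(labels), qtype, edns_size


def is_amplification_probe(pkt, max_edns=1232):
    """Flag the query shapes abused against open resolvers: ANY queries and
    EDNS buffers above the 1232-byte size most resolvers use today."""
    _name, qtype, edns_size = parse_dns_query(pkt)
    return qtype == QTYPE_ANY or (edns_size is not None and edns_size > max_edns)


def amplification_factor(request, response_len):
    """Bytes delivered to the spoofed victim per byte the attacker sends."""
    return response_len / len(request)


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(len(q), parse_dns_query(q), is_amplification_probe(q))
    print(round(amplification_factor(q, 3000), 1))   # constructed 3000-byte reply
```

Because the attacker pays only for the request bytes, the factor returned by amplification_factor() is the multiplier on their bandwidth; a sensor in front of a resolver that counts probes per source, or a resolver configured to refuse ANY and recursion from outside its own network, removes the reflector from the attacker's inventory.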

Best Practices to Protect Against DDoS Attacks

The following are some best practices for organisations to protect against DDoS attacks.

Centralised data gathering and analysis
- Build centralised monitoring dashboards, including a packet monitoring system, to oversee the entire network, its systems and its traffic patterns so that a possible DDoS attack can be detected early.

Scalable and flexible infrastructure
- Consider diverting traffic to a cloud-based security solution, such as a content delivery network (CDN) or a distributed DNS service, when attack volumes approach the bandwidth saturation level; traffic that saturates the upstream link cannot be mitigated by equipment behind that link.
- Increase network resilience by using Internet access services from multiple Internet Service Providers (ISPs).

Layered defence approach
- Block malicious traffic using network security measures such as a Web Application Firewall (WAF), source address filtering services and DDoS scrubbing.
- Set up a demilitarised zone (DMZ) for Internet-facing servers and locate internal computing facilities behind firewalls.
- Divide the organisation's network into multiple subnets so that critical networks can operate normally even if other networks are under DDoS attack.
- Consider adopting always-on or on-demand DDoS mitigation services to protect the organisation's network.

Review and profile application behaviours
- Review and profile normal application behaviour, including performance and usage patterns, so that unusual behaviour, which may indicate an application layer attack, can be recognised and acted on promptly.

Prepare a DDoS response plan
- Developing a DDoS response plan before an attack happens allows the organisation to respond more quickly and calmly and minimises potential operational and financial damage. The plan should name the ISP and mitigation provider contacts and the criteria for diverting traffic or activating scrubbing.

Conduct IT security risk assessments and audits
- Perform security risk assessments and audits regularly to ensure that adequate security measures against DDoS attacks are in place.

How to Detect DDoS Attacks

Organisations should monitor network traffic and system resource usage continuously so that traces of a DDoS attack are detected early and prompt action can be taken to contain the damage and stop the attack.

- Monitor internal network traffic and the resource usage of servers, such as DNS and web servers, to detect early traffic spikes and abnormal utilisation of system resources; compare against the normal baseline rather than against fixed thresholds.
- Work with ISPs or security service providers to monitor Internet traffic at their operation centres, since a volumetric attack saturates the upstream link before the traffic reaches the organisation's own sensors.
- Log security events and review the alerts generated by security systems, such as Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), anti-malware solutions, Internet gateways and firewalls, to detect suspicious activities.

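To show what "monitor for traffic spikes" looks like in practice, the following Python script is an added example, not part of the original page. It parses web server access log lines in the common log format, builds a per-second baseline from the first 30 seconds, and raises an alert for every second whose request rate exceeds a multiple of that baseline, reporting how many sources are involved and the share of the top source; that share is what tells you whether filtering a few addresses will help (a DoS from few sources) or whether the traffic must be scrubbed upstream (a distributed attack). The log produced by generate_sample_log() is entirely constructed, and the 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation ranges.

```python
import random
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request_line, status) or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))


def detect_floods(lines, baseline_seconds=30, multiplier=5.0, concentration=0.2):
    """Alert on every second whose request count exceeds multiplier x the median
    rate of the first baseline_seconds. Lines are assumed to be in time order,
    as they are in a log file."""
    per_second = defaultdict(Counter)        # offset from first entry -> Counter(ip)
    start = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _req, _status = rec
        start = start or ts
        per_second[int((ts - start).total_seconds())][ip] += 1
    if not per_second:
        return []
    baseline = [sum(per_second.get(s, {}).values()) for s in range(baseline_seconds)]
    base_rps = max(statistics.median(baseline), 1.0)
    alerts = []
    for sec in sorted(per_second):
        sources = per_second[sec]
        total = sum(sources.values())
        if sec < baseline_seconds or total <= multiplier * base_rps:
            continue
        top_ip, top_hits = sources.most_common(1)[0]
        top_share = top_hits / total
        alerts.append({
            "second": sec, "rps": total, "baseline_rps": base_rps,
            "sources": len(sources), "top_source": top_ip, "top_share": top_share,
            # a few heavy sources can be filtered locally; a wide spread needs upstream help
            "pattern": "concentrated" if top_share >= concentration else "distributed",
        })
    return alerts


def generate_sample_log(seed=7):
    """Constructed sample: 30 s of 5 requests/s from 20 ordinary clients,
    then 10 s of 200 requests/s from three attacking addresses."""
    rng = random.Random(seed)
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    clients = [f"192.0.2.{i}" for i in range(1, 21)]
    attackers = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
    lines = []

    def emit(ip, sec, path):
        stamp = (start + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512')

    for sec in range(30):
        for _ in range(5):
            emit(rng.choice(clients), sec, rng.choice(["/", "/login", "/api/items"]))
    for sec in range(30, 40):
        for i in range(200):
            emit(attackers[i % 3], sec, f"/search?q={rng.randrange(10**6)}")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(generate_sample_log()):
        print(f"t+{alert['second']}s: {alert['rps']} req/s vs baseline {alert['baseline_rps']}, "
              f"{alert['sources']} sources, top {alert['top_source']} "
              f"({alert['top_share']:.0%}), {alert['pattern']}")
```

Run against a real log, the same logic works on per-second counts from a flow collector or web server metrics; the thing to keep from this example is the comparison against a learned baseline and the source-concentration figure, which decides the first containment step.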
What to do if Attacked by DDoS Attacks

Containment

Organisations should contain a DDoS attack before it overwhelms resources and the damage spreads.

- Disconnect affected network devices from the organisation's network where this is necessary to stop the attack traffic from affecting other systems.
- Work with ISPs or security service providers to analyse the anomalous traffic (botnet traffic patterns, IP reputation), check for known DDoS attack signatures and block the attack traffic at their operation centres.
- Implement DDoS black hole routing / filtering by creating designated IP traffic routes that redirect the attack traffic to a "black hole" (i.e. drop it). Black-holing the attacked IP address also drops legitimate traffic to that address, so it sacrifices the targeted service to protect the rest of the network; treat it as a last resort when the upstream link is saturated and prefer scrubbing where it is available.
- Consider reporting cases to, and seeking advice from, relevant organisations such as the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) about suspicious attacks. Report cases to law enforcement agencies or regulatory bodies such as the Hong Kong Police Force if criminal activities are involved.

Recovery

Organisations should evaluate the damage caused by the attack and draw up suitable recovery measures to resume the affected services and prevent the same attack from compromising them again.

- Follow the DDoS response plan to recover the services.
- Conduct analysis to identify the root cause of the incident and fix any underlying security weaknesses.
- Consider raising the level of protection against DDoS attacks, for example by increasing network capacity, adopting third-party DDoS protection services or implementing a WAF, to withstand a possible larger-scale attack in future.

Extended Readings
1. National Cyber Security Centre (NCSC) – Denial of Service (DoS) guidance
2. Cybersecurity & Infrastructure Security Agency (CISA) – Understanding Denial-of-Service Attacks
3. MITRE Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) – Network Denial of Service
4. Australian Cyber Security Centre (ACSC) – Preparing for and Responding to Denial-of-Service Attacks
5. Hong Kong Computer Emergency Response Team (HKCERT) – Beware of Latest DDoS Extortion Attacks
