DDoS attacks – how they work

A Distributed Denial of Service (DDoS) attack attempts to deny legitimate users access to a web service by tying up server resources. Typically, a DDoS attack uses a botnet to send a large volume of traffic to the targeted web service. Botnets are available for hire to DDoS attackers for $5 to $200 per hour. DDoS attacks generally last about a day and can cause considerable disruption to the targeted organisation.

We can group DDoS attacks into three categories:

A. Direct attacks

In direct attacks, the attacker ties up the targeted server's resources by sending a high volume of requests directly to the target from a botnet. Various kinds of request can be sent to tie up the target server’s resources, such as:

    GET request. A GET request asks a web server for a file or web page. In this attack the botnet sends a very large number of requests for the largest file available (such as an image file or document), tying up the server in replying to them.

    ICMP Ping Flood. Here the botnet issues a high volume of ICMP (Internet Control Message Protocol) pings to the target. The targeted server is tied up generating replies, preventing it from servicing legitimate users. This attack was used in the well-known attacks on Estonia and Georgia.

    UDP Flood. The attacking botnet sends a high volume of UDP (User Datagram Protocol) packets to the target, tying up its resources in generating replies.

    SYN (synchronisation) Flood. The attacking botnet sends a large volume of SYN packets (used in the handshaking process with the web server), tying up the server in generating ACK (acknowledgement) packets.

    THC SSL attack. This attack is designed to take down sites that use the SSL (Secure Sockets Layer) protocol. During an SSL session, the client and server exchange encryption keys in a handshake process, and the client can also renegotiate the keys during the session. In this attack the client (botnet) requests key renegotiation a very large number of times, tying up the server in the key exchange process, as each SSL handshake consumes 15 times more resources on the server side than on the client side. This prevents the server from serving legitimate users.
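As an added example (not code from the original post), the Python below shows how a defender can spot these direct floods in packet summaries: per-second counts of each packet kind against assumed baselines, plus the SYN-to-ACK ratio that exposes handshakes the botnet never completes. The baselines, addresses and traffic are constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed per-second baselines for the protected server; tune to real traffic.
BASELINE_PPS = {"SYN": 200, "ICMP-ECHO": 50, "UDP": 500, "TLS-RENEG": 5}
HALF_OPEN_RATIO = 0.8  # fraction of SYNs never followed by the client's ACK

def detect_floods(packets, window=1.0):
    """packets: iterable of (timestamp, src_ip, kind) summaries.
    Returns [(window_start, finding), ...] for windows that exceed a baseline."""
    counts = defaultdict(Counter)   # window_start -> Counter of packet kinds
    sources = defaultdict(set)      # window_start -> distinct source addresses
    for ts, src, kind in packets:
        w = int(ts // window) * window
        counts[w][kind] += 1
        sources[w].add(src)
    findings = []
    for w in sorted(counts):
        c, n_src = counts[w], len(sources[w])
        for kind, limit in BASELINE_PPS.items():
            if c[kind] / window > limit:
                findings.append((w, f"{kind} rate {c[kind] / window:.0f}/s from {n_src} sources"))
        half_open = c["SYN"] - c["ACK"]   # SYNs the clients never completed
        if c["SYN"] > BASELINE_PPS["SYN"] and half_open / c["SYN"] > HALF_OPEN_RATIO:
            findings.append((w, f"SYN flood: {half_open} of {c['SYN']} handshakes never completed"))
    return findings

def sample_packets():
    """Constructed traffic: ten normal handshakes in second 0, then a SYN flood
    from 300 spoofed sources and an ICMP echo flood in second 1."""
    pk = []
    for i in range(10):
        pk.append((0.1 * i, f"192.0.2.{i}", "SYN"))
        pk.append((0.1 * i + 0.05, f"192.0.2.{i}", "ACK"))
    for i in range(300):
        pk.append((1.0 + i / 300, f"198.51.100.{i % 250}", "SYN"))
    for i in range(100):
        pk.append((1.0 + i / 100, f"203.0.113.{i % 250}", "ICMP-ECHO"))
    return pk

if __name__ == "__main__":
    for w, msg in detect_floods(sample_packets()):
        print(f"t={w:.0f}s  {msg}")
```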

B. Slow attacks

In slow attacks, the server's processing capacity is consumed by deliberately drawing out the handling of each request. Examples include:

    Slowloris. Here the client sends an HTTP GET request without the termination sequence. The web server leaves the connection open and allocates resources while it waits for the termination sequence. A large number of such requests will eventually consume all the server's resources, at which point it stops handling new requests.

    RUDY (R U Dead Yet?). This method is designed to attack websites containing forms or webmail. Normally, when a user completes a web form, the data is sent to the server in an HTTP POST request, usually in one or two packets; the server then closes the connection to free up resources. With RUDY, the data is sent in many packets, each containing only one byte, which draws out the process. In addition, the packets are sent at random time intervals. Eventually the server’s resources are fully consumed and it cannot service legitimate users.

    Frag Flood. Fragmented (frag) packets are sent from the botnet to the target site. The first packet carries the information needed to reassemble the packets that follow. In a Frag flood attack the reassembly instructions are missing, tying up the server as it waits for them.
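Added example, not from the original post: the server-side countermeasure to both Slowloris and RUDY is a deadline for completing the request headers and a minimum receive rate for the request body. The Python below keeps a minimal connection table over constructed request chunks and reports which connections to close; the timeouts, rates and requests are assumed values.

```python
import re

class Conn:  # minimal per-connection request state, as a server's connection table keeps it
    def __init__(self, opened):
        self.opened, self.headers_done_at = opened, None
        self.buf, self.body_expected, self.body_received = b"", 0, 0

    def feed(self, ts, data):
        if self.headers_done_at is not None:
            self.body_received += len(data)
            return
        self.buf += data
        end = self.buf.find(b"\r\n\r\n")   # the terminator Slowloris never sends
        if end != -1:
            self.headers_done_at = ts
            m = re.search(rb"content-length:\s*(\d+)", self.buf[:end], re.I)
            self.body_expected = int(m.group(1)) if m else 0
            self.body_received = len(self.buf) - (end + 4)   # body bytes in the same chunk

def stale_connections(conns, now, header_timeout=20.0, min_body_rate=100.0):
    """Return (conn_id, reason) for connections to close: headers not finished within
    header_timeout seconds, or a body arriving below min_body_rate bytes/s (RUDY)."""
    drop = []
    for cid, c in conns.items():
        if c.headers_done_at is None:
            if now - c.opened > header_timeout:
                drop.append((cid, "headers incomplete"))
        elif c.body_received < c.body_expected:
            rate = c.body_received / max(now - c.headers_done_at, 1e-9)
            if rate < min_body_rate:
                drop.append((cid, "body too slow"))
    return drop

def replay(events):  # events: constructed (timestamp, conn_id, bytes) chunks in arrival order
    conns = {}
    for ts, cid, data in events:
        conns.setdefault(cid, Conn(ts)).feed(ts, data)
    return conns

def sample_events():
    post = b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: %d\r\n\r\n"
    return [
        (0.0, 1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # normal request
        (0.0, 2, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),      # Slowloris: never terminated
        (15.0, 2, b"X-a: b\r\n"), (30.0, 2, b"X-c: d\r\n"),
        (0.0, 3, post % 100000), (5.0, 3, b"a"), (15.0, 3, b"b"),   # RUDY: one byte at a time
        (25.0, 3, b"c"), (35.0, 3, b"d"),
        (30.0, 4, post % 10 + b"0123456789"),                      # normal form submission
    ]
```

Calling `stale_connections(replay(sample_events()), now=40.0)` flags connection 2 for incomplete headers and connection 3 for a too-slow body, while the two ordinary requests are left alone.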

C. Spoofed attacks

Spoofed attacks involve sending requests to an internet component such as a DNS server with the source address spoofed, so that the replies are sent to the target site.

    DNS amplification (or reflection) attack. The attack involves sending a large number of DNS queries to misconfigured DNS servers, with the source address spoofed so that the responses go to the target server. This is a very powerful attack which can produce massive amounts of traffic very quickly and can take down even the largest infrastructures: it can produce 10 to 100 times more traffic than it takes to generate. This was the method used in the recent Cyberbunker attack on Spamhaus.

DNS amplification attacks are currently the biggest threat in terms of disruption to organisations. So much traffic can be directed at the target that a botnet may not even be necessary. The Open DNS Resolver Project has identified 25 million of the 27 million DNS servers as posing a significant risk.
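Added example, not from the original post: seen from the resolver operator's side, the reflection pattern is a single (spoofed) client address receiving a large total volume of heavily amplified answers. The Python below computes that per-client amplification over constructed query records; the thresholds, addresses and record sizes are assumptions.

```python
from collections import defaultdict

def reflection_report(records, amp_threshold=10.0, min_response_bytes=100_000):
    """records: (client_ip, qname, qtype, query_bytes, response_bytes) as a resolver logs them.
    Flags client addresses whose answers are both heavily amplified and large in total volume;
    on a reflector the 'client' is the spoofed source address, i.e. the victim."""
    totals = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0, "types": set()})
    for client, qname, qtype, qbytes, rbytes in records:
        t = totals[client]
        t["queries"] += 1
        t["query_bytes"] += qbytes
        t["response_bytes"] += rbytes
        t["types"].add(qtype)
    flagged = {}
    for client, t in totals.items():
        amp = t["response_bytes"] / t["query_bytes"] if t["query_bytes"] else 0.0
        if amp >= amp_threshold and t["response_bytes"] >= min_response_bytes:
            flagged[client] = {"queries": t["queries"], "amplification": round(amp, 1),
                               "response_bytes": t["response_bytes"], "types": sorted(t["types"])}
    return flagged

def sample_records():
    """Constructed resolver log: one spoofed source repeating a large ANY query, plus two ordinary clients."""
    rec = [("203.0.113.7", "example.test", "ANY", 64, 3000) for _ in range(2000)]  # reflection pattern
    rec += [("192.0.2.10", "www.example.test", "A", 60, 120) for _ in range(50)]    # normal lookups
    rec += [("192.0.2.11", "example.test", "TXT", 60, 2500) for _ in range(3)]      # amplified, tiny volume
    return rec

if __name__ == "__main__":
    for client, info in reflection_report(sample_records()).items():
        print(client, info)
```

Only the spoofed source is reported; the small TXT client is amplified but far below the volume threshold. The durable fix is for the resolver not to answer recursive queries from arbitrary clients at all, with response rate limiting as a second line.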

One thought on “DDoS attacks – how they work”

  1. Matthew - Server Space December 20, 2013 at 3:28 pm

    Very informative post. Distributed Denial of Service (DDoS) attacks are a very current and real problem that businesses and financial institutions deal with on a daily basis, but this does not mean they have to go through the gaps in service or decelerations that these attacks generate.
