In recent years, cyber attacks have proven to be an important source of threat, affecting millions of internet users and hundreds of thousands of websites. Among the most important of these attacks, which are carried out for many different reasons such as leaking information, making a profit, political purposes and even arbitrary demands, are DDoS attacks, the number of which is expected to reach 10 million in 2017. In this article we answer the questions: what are DDoS attacks, how are they carried out, and how can they be prevented?
What is DDoS?
In its simplest definition, DDoS (Distributed Denial of Service) is a cyber attack carried out to take sites offline and render them dysfunctional, either by creating artificial traffic far beyond what systems such as websites, e-mail systems or online payment systems can handle, or by consuming the resources of the target system at high rates. The main purpose of DDoS attacks is not to leak information or make a profit, but to cause the target system to become inoperable.
DDoS attacks are generally carried out with “botnets” created using “zombie” machines.
Zombies are computer systems that have been compromised by viruses or trojans without the owner's knowledge and are used for various purposes. The main reasons attackers create zombie computers are to hide themselves, to carry out operations without endangering themselves, and to strengthen their attack networks. For these reasons, zombies are an important resource for DDoS attacks.
Botnets, on the other hand, can be defined as armies of virtual computers built from zombies. Botnets are created for purposes such as sending spam, spreading viruses and malware, and use in cyber attacks, and they serve as the intermediate element in DDoS attacks.
What are the DDoS Symptoms?
Today, any data traffic that falls outside the normal pattern can be treated as a possible DDoS. Websites that are sluggish or not working at all can be a sign of a DDoS attack. Excessive network usage is the biggest symptom of DDoS attacks.
In addition to these, excessive UDP, SYN and GET/POST requests can also be shown among the symptoms of DDoS attacks.
What are the DDoS Types?
DDoS attacks can generally be divided into 3 main groups. These are:
Volume Based DDoS
Volume-based DDoS is the most commonly performed and the simplest type of DDoS attack, accounting for 65% of attacks. Volume-based DDoS is carried out with UDP, ICMP and other spoofed-packet floods, and the aim is to saturate the bandwidth of the attacked system.
Protocol Based DDoS
Protocol-based DDoS attacks exploit a weakness at layer 3 or layer 4 of the OSI (Open Systems Interconnection) model. This group includes SYN flood, ping of death, smurf DDoS and more, and TCP SYN flood is its most common example.
Application Layer DDoS
This is a type of DDoS that is more sophisticated and harder to detect and mitigate than the other types. It includes low-and-slow attacks, GET/POST floods, attacks targeting Apache, Windows or OpenBSD vulnerabilities, and more.
Looking at finer-grained categories, some DDoS types are as follows:
SYN Flood DDoS
SYN flood attacks are the most common type of DDoS attack today. The purpose of a SYN flood is to exhaust the target system's resources by sending it more SYN-flagged TCP packets than it can handle. Because of this characteristic, it is generally carried out against web servers, and the web pages are prevented from serving.
You can use the netstat command to see whether you are receiving a SYN flood attack: “netstat -an -p tcp” on Windows, or “netstat -ant” (or “ss -ant”) on Linux, where “-p” instead shows the owning process. If you see a large number of lines in the “SYN_RECEIVED” state (shown as “SYN_RECV” on Linux) when you run this command, you are most likely experiencing a SYN flood attack.
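The check above can be automated so that the number of half-open connections is counted per source rather than eyeballed. The following Python script is an added example, not code from the original article: it parses the output of the netstat command in both the Windows (SYN_RECEIVED) and Linux (SYN_RECV) formats, counts half-open connections per remote IP, and flags the host when the total exceeds a threshold. The netstat lines and the threshold value are constructed for the example.

```python
"""Count half-open TCP connections in netstat output to spot a SYN flood.

Added example, not from the original article. It parses the output of
`netstat -an -p tcp` (Windows) or `netstat -ant` (Linux); the sample lines
below are constructed, not captured from a real host.
"""
import re
from collections import Counter

# Linux prints SYN_RECV, Windows prints SYN_RECEIVED; accept both.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}

# Constructed sample: one line per socket, mixing Linux and Windows formats.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:41022      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:5001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:5002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.11:5003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.12:5004       SYN_RECV
  TCP    10.0.0.5:443           203.0.113.13:6001      SYN_RECEIVED
  TCP    10.0.0.5:443           192.0.2.9:6002         TIME_WAIT
"""

# Windows lines look like "  TCP    local    foreign   STATE";
# Linux lines look like "tcp  0  0  local  foreign  STATE".
LINE_RE = re.compile(
    r"^\s*(?:tcp6?|TCP)\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_netstat(text):
    """Yield (local, foreign, state) tuples for each TCP socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def peer_ip(addr):
    """Strip the port from 'ip:port' (IPv4 or [v6]:port)."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def syn_flood_report(text, threshold=100):
    """Return (half_open_total, per_source_counter, suspicious_flag).

    threshold is a constructed tuning value: the number of half-open
    connections above which we treat the host as likely under SYN flood.
    """
    per_source = Counter()
    for _local, foreign, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            per_source[peer_ip(foreign)] += 1
    total = sum(per_source.values())
    return total, per_source, total >= threshold


if __name__ == "__main__":
    total, sources, suspicious = syn_flood_report(SAMPLE_NETSTAT, threshold=5)
    print(f"half-open connections: {total}, suspicious={suspicious}")
    for ip, n in sources.most_common():
        print(f"  {ip}: {n}")
```

On a real host, pipe the live netstat output into syn_flood_report instead of SAMPLE_NETSTAT. The per-source breakdown matters because SYN floods often use spoofed source addresses: many half-open connections spread over many different IPs, each appearing only once, is itself a stronger sign of a flood than a handful of repeat sources.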
UDP Flood DDoS
UDP flood attacks are a type of DDoS that uses UDP, a connectionless and sessionless network protocol; their main purpose is to fill the session table of the firewall that protects the UDP service, making it inaccessible.
UDP flood attacks work by sending a large number of UDP packets to random ports of the target system. For each packet, the target system first checks whether an application is listening on that port. Finding no application listening, it responds with an ICMP (Internet Control Message Protocol) “Destination Unreachable” packet. At the end of this cycle, the target system, which has had to answer a large number of UDP packets with a large number of ICMP packets, becomes inaccessible.
Ping of Death
In this type of DDoS attack, an attacker uses malformed or oversized ping packets, sent with a simple ping command, to destabilize, freeze or disable the target system. However, ping of death attacks have become obsolete, as all operating systems now take countermeasures.
Ping Flood
The main purpose of ping flood attacks, also known as ICMP flood, is to make the target system inoperable by overloading both its outgoing and incoming bandwidth with ICMP echo request packets, also known as ping.
Normally, a ping request sent between two computers is used to measure the time elapsed between the ICMP request and its response. In such attacks, however, it is used to create an overload on the target system.
The viability of a ping flood attack depends on the attacker knowing the IP address of the target system. Attacks can therefore be divided into three categories depending on the target and how the IP address is discovered.
- Locally targeted ping floods, where a single computer on a local network is targeted. In these attacks, the attacker must have physical access to the target computer in order to discover its IP address.
- Router-targeted ping floods, which target routers to interrupt communication between computers on a network. The attacker needs to know the IP address of the local router.
- Blind ping floods, which use an external program to reveal the IP address of the target computer or router before the attack is carried out.
How to Protect from DDoS?
Unfortunately, there is no surefire and permanent solution to avoid being the target of DDoS attacks. However, there are some methods that can reduce the probability of being a target and the effects of attacks.
In general, if you think the DDoS symptoms described above are occurring on your system, it is very important to act early, since early action is one of the best defenses. However, distinguishing these symptoms from momentary, normal performance increases and decreases in your system requires the right technology and expertise.
For businesses, a well-designed network infrastructure and a high level of system and TCP/IP knowledge among the relevant personnel are the primary protective measures.
Beyond this, some measures can be applied to protect against DDoS attacks or reduce their effect.
Router Level Protection
Packets sent to target systems first pass through the router before being forwarded to other systems. Because of this, routers are the first systems to encounter an attack, and the precautions taken on the routers are very important for meeting the attack from the first moment. If the characteristics of the packets arriving during the attack can be determined, the attack can be prevented or its effects reduced with settings made on the routers and with an access control list created accordingly.
Firewall Level Protection
Another measure is the precautions that can be taken at the firewall level. Foremost among these is the use of the “rate limiting” feature. If the device supports it, rate limiting lets you set the maximum number of packets that may come from a given IP address, and IPs exceeding that maximum can be blocked.
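To make the rate-limiting idea concrete, the following Python model is an added example, not the original article's code and not the implementation of any real firewall product: it keeps a sliding window of packet timestamps per source IP, blocks a source for a fixed time once it exceeds the maximum, and runs a constructed packet stream through it in which one source sends a UDP flood to random ports (the pattern described in the UDP flood section above) while two normal clients continue at a few packets per second. The source addresses, time stamps and thresholds are all constructed for the example.

```python
"""Per-source packet rate limiting, as a firewall would apply it.

Added example, not from the original article and not a real firewall's
code. It models the "rate limiting" feature described above: count packets
per source IP in a sliding time window and block sources that exceed a
maximum. The packet stream below is constructed.
"""
from collections import defaultdict, deque


class SourceRateLimiter:
    """Sliding-window limiter: at most `max_packets` per `window_s` seconds per IP.

    Sources that exceed the limit are blocked for `block_s` seconds.
    All thresholds are constructed tuning values, not recommendations.
    """

    def __init__(self, max_packets=20, window_s=1.0, block_s=60.0):
        self.max_packets = max_packets
        self.window_s = window_s
        self.block_s = block_s
        self._hits = defaultdict(deque)   # ip -> timestamps within window
        self.blocked_until = {}           # ip -> time when block expires

    def allow(self, ip, now):
        """Return True if the packet from `ip` at time `now` should pass."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[ip]    # block expired, start counting again
        q = self._hits[ip]
        q.append(now)
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_packets:
            self.blocked_until[ip] = now + self.block_s
            q.clear()
            return False
        return True


def simulate(packets, limiter):
    """Run a list of (time, src_ip, proto, dst_port) through the limiter.

    Returns (passed_per_ip, dropped_per_ip, currently_blocked_ips).
    """
    passed = defaultdict(int)
    dropped = defaultdict(int)
    for t, ip, _proto, _port in packets:
        if limiter.allow(ip, t):
            passed[ip] += 1
        else:
            dropped[ip] += 1
    return dict(passed), dict(dropped), set(limiter.blocked_until)


def constructed_stream():
    """Constructed traffic: one flooding source, two normal clients."""
    pkts = []
    # UDP flood: 200 packets within 0.5 s to scattered high ports.
    for i in range(200):
        pkts.append((0.0025 * i, "203.0.113.50", "udp", 40000 + (i * 7919) % 20000))
    # Normal clients: a few packets per second, well under the limit.
    for i in range(5):
        pkts.append((0.1 * i, "198.51.100.7", "tcp", 443))
        pkts.append((0.15 * i, "198.51.100.8", "tcp", 80))
    pkts.sort(key=lambda p: p[0])
    return pkts


def run_demo():
    """Apply a 20 packets/second limit to the constructed stream."""
    limiter = SourceRateLimiter(max_packets=20, window_s=1.0, block_s=60.0)
    return simulate(constructed_stream(), limiter)


if __name__ == "__main__":
    passed, dropped, blocked = run_demo()
    print("passed:", passed)
    print("dropped:", dropped)
    print("blocked:", blocked)
```

With the constructed thresholds, the flooding source gets its first 20 packets through and is then blocked for the remainder of the stream, while both normal clients are untouched. Real firewalls apply the same logic in the data path (for example the limit and hashlimit match modules in iptables); the window size, maximum and block duration have to be tuned to the service's legitimate traffic, since a limit set too low turns the firewall itself into the denial of service.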
From the point of view of individual users:
- Timely and complete system updates
- Using anti virus programs
- Active use of the firewall
- Using filters required for secure e-mail traffic and blocking spam traffic
Taking simple precautions such as these is useful. If, despite these measures, you still think there is a problem, contacting your internet service provider will be the best solution.