DDOS (Distributed Denial of Service) is one of the most well known types of cyber attacks. Ask anyone working in Information Technology and they will be able to give a general explanation of what it is. If you are someone who wants learn more about DOS, than just a board over view, than this article is for you. So let's dive into DOS, and learn the different types.
What is DOS?
DOS, Denial of Service, is a cyberattack where the attacker aims to make the targeted machine or network resource unavailable to legitimate users. This is achieved by flooding the target with a large number of illegitimate requests, degrading performance to a point where it cannot respond to valid requests.
DOS can not only be Network-based, but Application-based as well.
Network-based DOS
When DOS is crafted to attack a target at the network level, it does so by abusing the networking protocols that the target depends on to function. Two easy examples to understand are TCP SYN flood and UDP Storm.
TCP SYN flood
A TCP SYN flood exploits the way the TCP(three-way)handshake process works. In a typical session between a client and a server that utilizes TCP has three steps:
The client sends SYN (synchronize) Packet to the server, in layman's term, this is the clients way of asking "Can you talk right now".
The server receives the SYN packet from the client, and responds with a SYN-ACK, saying "Yes I can talk right now".
When the client receives the SYN-ACK packet, it sends back an ACK, saying "OK".
Understanding how a three-way handshake is designed to work, we can now see how a TCP SYN flood abuses it. In a SYN flood attack, the attacker sends a large number of SYN packets to the server, but when the server sends back the SYN-ACK packet, the client does not respond. The server is waiting for the client to send the ACK, but it never comes. This eats up resources on server causing massive degradation in performance.
UDP Storm
UDP, unlike TCP is connectionless and does not require a handshake to establish a connection. This makes a UDP Storm easy to execute, because the attacker only needs to send a large number of UDP Packets towards the server. These packets often contain random or spoofed source IP addresses, making it difficult for the victim to filter or block the traffic. As a result, the target's network bandwidth, CPU, or other resources are exhausted causing legitimate traffic to be dropped or delayed.
Application-based DOS
DOS can be crafted to attack the source code of an application or service. By creating malicious payloads to target certain parts of an application that either are computationally heavy and/or have poor input validation. This will make more sense in the coming section.
Regex DOS
Regex DOS are some of the most common type of DOS in web applications today. Regexes are often used to validate form fields and make sure that data is in a format the server expects. A simple everyday example is the use in password fields to make sure a users supplies a strong password with a certain number and combinations of characters. In JavaScript that regex may look like the following:
Regular Expressions were created by mathematicians studying formal language theory to create a system of explaining the composition of strings that are formed up of subset of characters.
Most programming languages have support for regex, and use a regex parser. Generally speaking parsing a regex is a fast process, but it is possible to craft a regex that deliberately runs slow. These are called malicious regex, if a web application allows for user supplied regex's or has a malicious regex introduced to it's source code, when exploited will cause performance to degrade.
Logical DOS
In many applications there lies functions that when executed are resource intensive. When these functions are executed a massive number of times, in quick succession can cause a Denial of Service. This is known as Logical DOS, because the attacker is abusing the logic of the application, let's take a look at a simple example.
Say a web application makes use of an API endpoint that is used for image uploading. When the image is uploaded, it is placed into memory, processed to extract text from the image, and than deleted from memory.
The server-side code could look like this:
This endpoint scrapes the text from the uploaded image, and returns it to the user. This API endpoint is possibly vulnerable to a Logical DOS. If an attacker was to upload a large number of images, this would eat up memory, destroying the performance of the web application.
DDOS
The infamous DDOS, Distributed Denial of Service attack is a type of attack that overwhelms a target machine with request. These request originate from multiple compromised devices, making it difficult to mitigate because it appears as legitimate traffic, when it is in fact malicious.
These compromised devices are known as bots, and collectively as a whole are what is a called a botnet. An attacker infected the device with malware, unbeknownst to the owner. The bots will await a Command signal, telling them when to attack.
The attack could be any one of the previous mentioned DOS types. For example in a Logical DOS scenario, an attacker found the API endpoint for uploading the image, and sent a command to hit the endpoint with a large image. The number of request, plus the total sizes of the image, would cause this service to crash. Especially if the images are crafted to cause the OCR engine to run slowly, the images would be added to memory faster than they are removed. This would be a nightmare, and someone would probably be fired.
Cloud and DOS
Many organizations now host applications and service in the cloud by using AWS, Google Cloud, or Microsoft Azure. More and more organizations are migrating to cloud, to save on cost of buying and maintaining their own infrastructure. They save because they don't have to pay the initial cost of setting up machines, and pay for exactly what they use.
These cloud providers have a very neat feature called auto-scaling. Auto-scaling automatically adjust number of resources allocated to an application or service based on its current demand. When there is high traffic or workload, auto-scaling increases the resources (such as servers or instances) to handle the load, and when the demand decreases, it reduces the resources to save costs.
Auto-scaling helps protect against Denial of Service (DoS) attacks by dynamically allocating additional resources to absorb the increased traffic generated by the attack. As the attack floods the targeted system with requests, auto-scaling detects the increased load and automatically provisions more resources to handle the traffic. This ensures that the system remains available to legitimate users by scaling up to meet the demand created by the attack. Additionally, auto-scaling can also be configured to scale down once the attack subsides, allowing the system to return to its normal state and optimize resource usage.
Yo-Yo Attacks
Yo-Yo attacks abuse auto-scaling baked into cloud service providers, by sending a large number requests to the application in a short period of time. This invokes the auto-scaler to scale up resources, when the traffic suddenly stops. This causes the resources to scale back down.
This process is repeated over and over again, causing degraded user experience, and incurring costs to the organization.
Summary
DOS is still a very popular type of cyber attack, and we still probably be around for the foresee-able future. I hope you enjoyed this blog, like and subscribe for more.