A Denial of Service (DoS) attack is one of the most common and popular ways to exploit and cripple a target (victim) machine. These attacks isolate the victim from its resources, such as web sites and services, by crashing the servers or slowing them down. A DoS attack can be initiated by flooding the target machine with so many requests at the same time that the victim's server crashes or becomes unable to respond.
Let's take an example. Suppose you are involved in a group discussion and you have a very important point to share. There is another guy, John, who does not want you to speak at all, so what he can do is engage you with his useless questions; you will keep answering or arguing with him without giving it any thought, which isolates you from the rest of the group, and the others will not be able to communicate with you to conclude the discussion. In the above scenario you were the victim and John was the attacker. This scenario is quite similar to a DoS attack.
However, a simple DoS attack can be easily prevented by identifying the source of the requests by its IP address and blocking or blacklisting it. The server (victim) can then recognise these blacklisted IPs and ignore any request coming from them.
DoS attacks can also be carried out by injecting malformed packets that disturb protocol handlers. Some examples of such DoS attacks are:
- Ping of death: Pinging victim with ridiculously large packets (>65,535 bytes).
- Teardrop attack: Fragmented overlapping packets.
- LAND attack: LAND stands for Local Area Network Denial; it uses spoofed packets (TCP SYN with the sender's IP = the victim's IP) to lock up the network.
- Others: WinNuke / Out-of-band.
The IP-blocking remedy described above gave birth to a smarter, newer kind of DoS attack, known as the Distributed Denial of Service or DDoS attack, which is explained below.
Distributed Denial of Service Attack (DDoS)
In a DDoS attack, the attacker needs an amplifying network through which spoofed requests can be distributed across the network. This makes it impossible for the victim to identify the origin of the attack, because the packets/requests originate from many different sources within the network; hence blocking or blacklisting a particular IP will not stop the attack.
The attacker sends control packets to Masters over the distributed network, and these Masters send similar control packets to zombies/agents, which convert them into attack packets and send them on to the victim server. Here the Masters and zombies/agents are compromised computers running the attacker's code.
The amplifying network mentioned above amplifies both the rate and the size of the packets.
Difference between DoS and DDoS
Let's consider a rather simple example. Suppose you took a vow to take revenge on John (from the previous example), who has a web page hosted on the network. First you open the victim's (John's) web page and start pressing F5 (refresh) continuously, so that lots of requests are fired at the victim's server, making it slow and unresponsive. John, however, notices this attack (the spoofed traffic), immediately blocks the attacker's (your) IP address and starts ignoring all further requests/packets from you.
This was a DoS attack and its prevention. But since you also know how DDoS works, you call all of your friends and tell them to keep refreshing the victim's (John's) web page. Now John has a hard time determining which requests are spoofed and which are genuine, so it becomes impossible for the victim to avoid the attack. This is how simple DDoS attacks are implemented.
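Added example (not part of the original article): a per-IP sliding-window rate limiter of the kind the IP-blocking remedy above relies on, run over constructed traffic. It blocks the single-source "F5 flood" but lets the same volume through when spread across many sources that each stay under the threshold, which is exactly the gap DDoS exploits. Thresholds, IP addresses and timings are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds: more than 50 requests from one IP in any 10 s window
# is treated as a flood and that IP is blacklisted.
WINDOW_SECONDS = 10
MAX_REQUESTS_PER_WINDOW = 50


class RateLimiter:
    """Per-source request counter over a sliding time window."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.history = defaultdict(deque)  # src_ip -> timestamps of recent requests
        self.blocked = set()               # blacklisted source IPs

    def observe(self, ts, src_ip):
        """Record one request; return True if the server should serve it."""
        if src_ip in self.blocked:
            return False
        q = self.history[src_ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(src_ip)
            return False
        return True


def simulate(requests):
    """Feed (timestamp, src_ip) pairs through a fresh limiter.

    Returns (number of requests served, sorted list of blacklisted IPs).
    """
    rl = RateLimiter()
    served = sum(1 for ts, ip in requests if rl.observe(ts, ip))
    return served, sorted(rl.blocked)


# Constructed traffic: one source firing 500 requests in 10 s (the F5 flood).
SINGLE_SOURCE = [(i * 0.02, "192.0.2.10") for i in range(500)]

# Constructed traffic: the same 500 requests spread over 25 "friends",
# 20 requests each, so no single IP ever crosses the per-IP threshold.
DISTRIBUTED = [(i * 0.02, f"198.51.100.{1 + i % 25}") for i in range(500)]

if __name__ == "__main__":
    print("single source:", simulate(SINGLE_SOURCE))  # (50, ['192.0.2.10'])
    print("distributed:  ", simulate(DISTRIBUTED))    # (500, [])
```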
Motives of DoS/DDoS attacks
- Extortion: threatening the victim with a DoS attack.
- For exploiting or training: some tech junkies perform these attacks simply because they can; there is no solid motive or goal behind it. The majority of these attackers are mischievous youths who want to feel the power to "rule the world".
- Cyber warfare: to prevent information exchange.
- Revenge: to take revenge on a particular organization. Attackers might attack over a small disagreement.