This blog looks at how cyber criminals flood websites with traffic until the target cannot respond or simply crashes, preventing access for legitimate users.
This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands to raise awareness among businesses and the public. If you require any further information, assistance or guidance please contact the EMSOU Protect Team.
The very first DoS attack, way back in 1999, occurred when a network of 114 computers at the University of Minnesota were infected with a malicious script called “Trin00”.
Over twenty years later, and DoS attacks are now one of the most common and most difficult types of attacks to address.
How does it work:
Most DoS attacks flood a target with so much traffic that it simply cannot respond or crashes, preventing access for legitimate users. Affected services include email, websites, online accounts, and remote working services. For this reason, DoS attacks cost organisations both time and money - how can you continue to operate when your employees cannot access your network or your website no longer responds?
The most common attacks include:
There are many different types of DoS attacks, but let's take a quick look at a few:
• Smurf Attack: The adversary asks the target machine whether they are experiencing any communication problems and whether data is being received in a timely manner. This is known as an ICMP or ‘ping’ request. The attack is successful because the adversary generates hundreds of these ping requests from fake systems and the targeted machine crashes when trying to reply to them all.
• SYN Flood: The adversary asks the target machine whether it is happy to connect and communicate. The connection process requires 3 distinct steps (known as the 3-way handshake), but the attacker’s machine never completes these steps. Instead, it sends more and more requests to connect, leaving the server in a metaphorical limbo and unavailable for legitimate users.
• Teardrop: If someone wanted to send information to another computer over the internet, the message is broken down into tiny 'packets' of data. This is known as 'fragmentation'. Of course, these packets contain instructions so that the recipient machine, can reassemble them into the original message. In a teardrop attack, a cybercriminal will 'fudge' these packets so that the receiving machine gets confused and crashes.
• Exploits: Web pages are stored on web servers such as Apache and Tomcat. Web servers are a bit like restaurant waiters. They greet you, check your booking information, and then bring you lunch. Similarly, the web server runs a few security checks and then brings you the website you wanted to look at. Of course, if the web server contains out of date software, has default configurations or some other form of vulnerability, an attacker can launch an 'exploit' - to knock that server offline.
• Other type of attack: These an include the use of radio jammers to interfere with your Wi-Fi (RF interference), or Account take-overs - when your essential online accounts is hijacked - often as a result of poor passwords. This is particularly serious if your organisation depends upon cloud services, as the attacker can disable your infrastructure and prevent you from gaining access to fix the problem.
What is a Distributed Denial of Service Attack (DDos):
A DDoS attack occurs when there are many machines (called bots) working together to attack a targeted system. These bots represent hijacked computers, and are as much a victim as the target of the DDoS.
Cybercriminals can even hire bots to perform these attacks, if they lack the necessary skills to set up their own botnet. DDoS allows for exponentially more requests to be sent to the target, increasing the attack power. It also increases the difficulty of attribution, as the true source of the attack is harder to identify.
How do you know if a DoS attack is happening:
Symptoms of a Denial of Service (DoS) can resemble a network availability issue or other non-malicious availability issues. Typical symptoms are:
• Unusually slow network performance (opening files or accessing websites)
• Unavailability of a particular website, or an inability to access any website or cloud service
• Enrol in a DoS protection service that detects abnormal traffic flows, filters malicious packets and passes clean traffic to your network.
• Contact your ISP to ask if there is an outage on their end or even if their network is the target of the attack and you are an indirect victim. In either case, they may be able to give advice.
• Harden you web or DNS server by using good patch management, removing default accounts, using strong passwords and two factor authentication where possible, removing unnecessary services and following vendor configuration settings.
• Use vulnerability scanning to identify weakness and penetration testing to see if internet facing devices are exploitable. There are a number of free scanners, but the latter will require some investment.
• Most cloud services offer rapid elasticity - meaning that applications and infrastructure can be quickly expanded to cope with heavier traffic. Put time aside to see if your service level agreement cover your critical systems and services and what the financial implications will be for heavier usage.
• Many organisations will use multiple service providers to create better resiliency. Whilst this is more difficult to manage - especially if systems have to be integrated - it does afford better protection from this type of attack.
• Create and test an incident response plan. This will ensure that you understand:
What systems are critical and how DoS attacks will adversely affect the organisation;
How much you are prepared to invest protecting such systems o How you will identify when an attack is taking place and judge its severity;
How you will isolate, mitigate and recover systems when an attack is taking place;
Who will do what and when and how efficient lines of communication will be maintained during the crisis.
• Quite often, an organisation must implement a graceful degradation of services to cope with an attack. It is critical, therefore to understand what your business can tolerate before irreparable harm is done. For example, will your business survive if web traffic is effectively halved or response times take half as long? Knowing this threshold will help response teams implement mitigation strategies that work for you.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).