Distributed Denial of Service


Introduction

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of Internet traffic. DDoS attacks leverage multiple compromised computer systems as sources of attack traffic. These systems can include computers and other networked resources such as IoT devices. In a DDoS attack, the incoming traffic flooding the victim originates from many different sources, making it impossible to stop the attack by blocking a single IP address.

Core Mechanisms

At its core, a DDoS attack involves three primary components:

  • Attacker: The entity orchestrating the attack.
  • Botnet: A network of compromised devices, also known as 'zombies', that are used to carry out the attack.
  • Target: The server, network, or service that is being attacked.

The attacker uses the botnet to send a high volume of traffic to the target, overwhelming its resources and causing service disruption.

Attack Vectors

DDoS attacks can be executed through various methods, each targeting different layers of the OSI model:

  1. Volume-Based Attacks:
    • These include UDP floods, ICMP floods, and other spoofed-packet floods.
    • Their goal is to saturate the bandwidth of the attacked site.
  2. Protocol Attacks:
    • Examples include SYN floods, fragmented packet attacks, and Ping of Death.
    • These attacks consume the resources of the server itself or of intermediate communication equipment.
  3. Application Layer Attacks:
    • These attacks target the application layer (Layer 7) and include HTTP floods, DNS query floods, etc.
    • They are more sophisticated and can be harder to detect, as they mimic legitimate traffic.
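As an added example that is not part of the original page, the following Python script shows the defender's view of these three vector classes: it aggregates constructed flow summaries per destination over a fixed window and labels each destination as a volume-based flood (with a "reflection" sub-label when most bytes arrive from well-known UDP reflector ports such as memcached's 11211, the mechanism behind the GitHub case study below), a protocol attack (bare SYNs dominating the TCP packets) or an application-layer flood (HTTP request rate far above baseline). It is the kind of continuous traffic analysis the Defensive Strategies section lists; the Flow layout, every threshold, the link capacity and the sample traffic are all assumptions chosen for illustration.

```python
"""Label flood traffic by the layer it targets, from constructed flow summaries.

Added example for this page, not code from the original. The Flow record
layout, every threshold and the sample traffic below are assumptions chosen
for illustration; real deployments derive them from their own baselines.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10                 # assumed aggregation window of the flow records
LINK_BPS = 1_000_000_000            # assumed 1 Gbit/s uplink of the protected site
VOLUME_RATIO = 0.8                  # above this share of the link: volume-based flood
SYN_ONLY_RATIO = 0.8                # share of TCP packets that are bare SYNs
MIN_SYN_PACKETS = 1_000             # ignore small SYN counts (normal connection setup)
HTTP_RPS_BASELINE = 50.0            # assumed normal request rate of the web service
HTTP_RPS_MULTIPLIER = 10.0          # this many times baseline: application-layer flood
REFLECTOR_PORTS = {11211, 53, 123}  # memcached, DNS, NTP: common UDP reflectors


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    packets: int
    bytes: int
    tcp_flags: str = ""      # "S" = bare SYN, "SA", "PA", ...; empty for non-TCP
    http_requests: int = 0   # HTTP requests carried by the flow, 0 if not HTTP


def classify(flows, window=WINDOW_SECONDS):
    """Return {dst: (labels, distinct_sources)}.

    Labels are 'volume', 'reflection', 'protocol' and 'application', mirroring
    the three vector classes above (reflection is a sub-type of volume flood).
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "reflected": 0, "tcp_pkts": 0,
                                   "syn_only": 0, "http": 0, "srcs": set()})
    for f in flows:
        a = per_dst[f.dst]
        a["bytes"] += f.bytes
        a["srcs"].add(f.src)
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            a["reflected"] += f.bytes          # answers from amplifiers, not clients
        if f.proto == "tcp":
            a["tcp_pkts"] += f.packets
            if f.tcp_flags == "S":
                a["syn_only"] += f.packets     # handshake never completed
        a["http"] += f.http_requests

    verdict = {}
    for dst, a in per_dst.items():
        labels = set()
        if a["bytes"] * 8 / window > VOLUME_RATIO * LINK_BPS:
            labels.add("volume")
            if a["reflected"] > a["bytes"] / 2:
                labels.add("reflection")
        # syn_only is a subset of tcp_pkts, so the division is safe once the floor is met
        if (a["syn_only"] >= MIN_SYN_PACKETS
                and a["syn_only"] / a["tcp_pkts"] > SYN_ONLY_RATIO):
            labels.add("protocol")
        if a["http"] / window > HTTP_RPS_MULTIPLIER * HTTP_RPS_BASELINE:
            labels.add("application")
        verdict[dst] = (labels, len(a["srcs"]))
    return verdict


def constructed_flows():
    """Synthetic flow summaries for one 10 s window (constructed, not captured)."""
    flows = []
    # Layer 7: 100 sources each issuing 60 HTTP requests to the web server 10.0.0.1.
    for i in range(100):
        flows.append(Flow(f"198.51.100.{i + 1}", "10.0.0.1", "tcp", 40000 + i, 80,
                          packets=120, bytes=30_000, tcp_flags="PA", http_requests=60))
    # Layer 4: 500 spoofed sources sending bare SYNs to 10.0.0.2, no handshake completed.
    for i in range(500):
        flows.append(Flow(f"172.16.{i // 256}.{i % 256}", "10.0.0.2", "tcp", 50000, 443,
                          packets=5, bytes=300, tcp_flags="S"))
    # Volume: 200 reflectors answering from UDP/11211 with large payloads towards 10.0.0.3.
    for i in range(200):
        flows.append(Flow(f"192.0.2.{i + 1}", "10.0.0.3", "udp", 11211, 30000,
                          packets=4_000, bytes=6_000_000))
    # Normal host 10.0.0.4: 5 clients browsing, plus one fresh connection attempt.
    for i in range(5):
        flows.append(Flow(f"198.51.100.{200 + i}", "10.0.0.4", "tcp", 41000 + i, 443,
                          packets=40, bytes=20_000, tcp_flags="PA", http_requests=20))
    flows.append(Flow("198.51.100.200", "10.0.0.4", "tcp", 41010, 443,
                      packets=1, bytes=60, tcp_flags="S"))
    return flows


if __name__ == "__main__":
    for dst, (labels, n_src) in sorted(classify(constructed_flows()).items()):
        print(f"{dst}: {sorted(labels) or ['normal']} from {n_src} distinct sources")
```

The distinct-source count is reported alongside the labels because it is what separates a distributed flood from a single abusive client: the former cannot be stopped by blocking one address, which is the point made in the introduction.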

Defensive Strategies

Defending against DDoS attacks involves a combination of strategies and technologies:

  • Rate Limiting: Restricts the number of requests a server will accept within a certain time frame.
  • Web Application Firewalls (WAF): Protects against application-layer attacks by filtering and monitoring HTTP requests.
  • Anycast Network Diffusion: Utilizes multiple data centers to distribute attack traffic.
  • Blackhole Routing: Directs malicious traffic into a null route, effectively dropping it.
  • Traffic Analysis: Continuous monitoring to detect unusual traffic patterns.
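To make the rate-limiting strategy concrete, here is an added Python example (not code from the original page or from any product it names) implementing a per-client token-bucket limiter. Besides enforcing the request budget it bounds its own state table, because a flood arriving from many spoofed or rotating sources would otherwise turn the limiter's bookkeeping into one more resource the attacker can exhaust. The rate, burst, table size and the two simulated clients are assumed values.

```python
"""Per-client token-bucket rate limiting with bounded state.

Added example for this page (not from the original page or any product it
names). Rates, burst sizes, table size and the simulated clients are assumed
values chosen for illustration.
"""
from collections import OrderedDict
import time


class TokenBucketLimiter:
    """Allow `rate` requests/second per key with bursts of up to `burst`.

    State lives in an LRU-ordered table capped at `max_keys`, so a flood of
    spoofed or rotating source addresses cannot grow the limiter's own memory
    without bound: the least recently seen key is evicted to make room.
    """

    def __init__(self, rate, burst, max_keys=100_000, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.max_keys = max_keys
        self.clock = clock
        self.buckets = OrderedDict()   # key -> (tokens, last_seen)

    def allow(self, key, now=None):
        """Return True if the request for `key` fits its budget, else False."""
        now = self.clock() if now is None else now
        if key in self.buckets:
            tokens, last = self.buckets.pop(key)
            # refill proportionally to elapsed time, never beyond the burst size
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        else:
            if len(self.buckets) >= self.max_keys:
                self.buckets.popitem(last=False)   # drop least recently seen key
            tokens = self.burst                    # a new client starts with a full bucket
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        self.buckets[key] = (tokens, now)          # re-insert as most recently seen
        return ok

    def evict_idle(self, idle_seconds, now=None):
        """Drop keys not seen for `idle_seconds`; return how many were removed."""
        now = self.clock() if now is None else now
        stale = [k for k, (_, last) in self.buckets.items() if now - last > idle_seconds]
        for k in stale:
            del self.buckets[k]
        return len(stale)


def simulate(limiter, key, rps, seconds, start=0.0):
    """Drive the limiter with a steady stream of `rps` requests/s for `seconds`
    on a synthetic clock and return (allowed, rejected)."""
    allowed = rejected = 0
    for k in range(int(rps * seconds)):
        if limiter.allow(key, now=start + k / rps):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    lim = TokenBucketLimiter(rate=10, burst=20)
    # constructed clients: one within budget, one flooding at 200 requests/s
    print("normal client  :", simulate(lim, "198.51.100.7", rps=5, seconds=10))
    print("flooding client:", simulate(lim, "203.0.113.9", rps=200, seconds=10))
```

With a rate of 10 requests/s and a burst of 20, the flooding client gets roughly the burst plus ten requests per second through and everything else rejected, while the well-behaved client, which has its own bucket, is never affected. Note that a per-source budget only helps against sources that can be told apart; against spoofed or very widely distributed traffic it has to be combined with the other strategies in the list.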

Real-World Case Studies

GitHub DDoS Attack (2018)

In February 2018, GitHub was hit by a record-breaking DDoS attack that peaked at 1.35 Tbps. The attack was a memcached DDoS, which exploited an amplification vulnerability in the memcached protocol. Despite the scale, GitHub's defenses were able to absorb the traffic and mitigate the attack within minutes.

Dyn DDoS Attack (2016)

In October 2016, a massive DDoS attack targeted Dyn, a major DNS provider, which affected many high-profile websites like Twitter, Netflix, and Reddit. The attack was notable for its use of the Mirai botnet, which took control of IoT devices across the globe.

Architecture Diagram

The diagram on the original page, whose image is not reproduced in this text, illustrates a typical DDoS attack flow. In it:

  • Attacker sends commands to the Botnet.
  • The Botnet generates a flood of traffic directed at the Target Server.
  • The Target Server experiences Service Disruption due to the overwhelming amount of traffic.

In conclusion, DDoS attacks remain a significant threat to cybersecurity, requiring robust and adaptive defense mechanisms to protect networked systems from their devastating impact.

Latest Intel

[HIGH] Cloud Security

Cloudflare Introduces Programmable Flow Protection for DDoS Mitigation

Cloudflare has unveiled Programmable Flow Protection, allowing Magic Transit customers to create custom DDoS mitigation logic. This feature enhances protection against UDP-based attacks, ensuring businesses can manage traffic effectively. With tailored defenses, organizations can better safeguard their networks from evolving threats.

Source: Cloudflare Blog

[HIGH] Threat Intel

DDoS Attacks - New Era of AI-Powered Cyberattacks Emerges

Akamai warns of a new era of cyberattacks where DDoS, API abuse, and AI converge. This shift complicates defense strategies, posing significant risks for organizations. As attacks become more sophisticated, companies must enhance their security measures to stay protected.

Source: SecurityWeek

[HIGH] Malware & Ransomware

Teenagers Busted for Selling DDoS Attack Tools

Seven Polish teens were caught selling DDoS attack tools. This affects everyone who uses online services, as such attacks can disrupt websites. Authorities are investigating and educating the public on cybersecurity risks.

Source: Help Net Security

[HIGH] Threat Intel

DDoS Attacks Surge: 149 Hits Across 16 Countries!

A massive surge in DDoS attacks has hit 110 organizations across 16 countries, driven by rising tensions in the Middle East. Hacktivist groups Keymous+ and DieNet are behind nearly 70% of these attacks. This could disrupt your online activities, so stay alert and secure your digital presence.

Source: The Hacker News

[HIGH] Industry News

DDoS Attack: Internet Archive's Credibility in Jeopardy

An internet archiving service allegedly launched a DDoS attack to silence a blogger. This raises serious questions about trust online. Meanwhile, a ransomware gang accidentally corrupted their own decryption keys, leaving victims in despair. Stay alert and protect your data!

Source: Graham Cluley