The difference between DoS and DDoS. What is a DDoS attack? Who can suffer from DoS and DDoS attacks

A DoS attack is an attack that paralyzes a PC or server: a huge number of requests is sent to the attacked web resource at a high rate. A DDoS attack is the same attack carried out simultaneously from a huge number of computers.

Learn more about DoS attack

DoS (from the English Denial of Service) literally means "denial of service". The attack comes in two variants. In the first, a vulnerability in the software installed on the target computer is exploited: the vulnerability can cause a fatal error, resulting in a system-wide malfunction. In the second, a DoS attack is carried out by sending a very large number of packets to the computer. Each packet sent from one computer to another takes some time to process.

If another request arrives during that processing, it "enters the queue" and takes up some of the physical resources of the whole system. When a very large number of packets is sent to the computer, the resulting load forces it to drop off the Internet or simply freeze, which is exactly what the organizers of a DoS attack are trying to achieve.

Learn more about DDoS attack

A DDoS attack (Distributed Denial of Service) is a variant of the DoS attack organized from a huge number of computers. Because of this, even servers with very high-bandwidth Internet channels are susceptible.

But a DDoS attack does not always result from someone's ill will. Sometimes the effect happens by accident, for example when a very popular web resource posts a link to a site hosted on a weak server. This phenomenon is called the slashdot effect.

Bear in mind that a DDoS attack is almost always carried out for commercial purposes, because organizing one requires a great deal of both time and money, which, admittedly, not everyone can afford. Quite often a special network of computers called a botnet is used to organize a DDoS attack.

What is a botnet? A botnet is a network of computers infected with a special kind of malware. All infected computers are remotely controlled by cybercriminals; often the owners of these computers do not even know that they are taking part in a DDoS attack. Computers become infected with a specific virus or with a program that masquerades as something useful. That program then installs malicious code on the computer, which runs in a so-called "invisible" mode so that antivirus software does not notice it. At a certain moment the botnet owner activates these programs, and they start sending requests to the server the cybercriminals have chosen to attack.

When conducting a DDoS attack, cybercriminals often use a so-called "DDoS cluster", a special three-tier network architecture. In such a structure there are usually one or more control consoles that signal the start of a DDoS attack.

This signal is then passed to the host computers (intermediaries between the consoles and the agent computers). The agent computers are the ones that actually attack the server. Often the owners of the host and agent computers are unaware that they are participating in an attack.

DDoS protection varies, because the attacks themselves differ. There are four main types: UDP flood, TCP flood, TCP SYN flood and ICMP flood. A DDoS attack becomes even more dangerous when attackers combine some or all of these methods.

A universal method of protection against this type of attack has not yet been invented. But if you follow a few simple rules, the risk of an attack can be reduced almost to zero: eliminate software vulnerabilities, increase resources, and disperse them. The computer must also have at least a minimal set of protection software against this type of attack.

One of the common mistakes made by amateur cyberjournalists is confusing the types of attacks on Internet resources. For example, DoS and DDoS are not the same thing. Although the acronyms differ by only one letter, there is a huge practical difference behind it.

Today it is rather rare to read about what a DoS attack (Denial of Service) is, since these attacks are practically no longer used because of their low efficiency. However, it is the DoS scheme that lies at the heart of modern denial-of-service cyberattacks.

A DoS attack is the generation of junk traffic from one device (IP address) towards a victim resource (for example, a website). The goal is to exhaust the computing and other capacity of the "victim" in order to block its operation.

Because the Internet, computer hardware and network equipment develop rapidly and keep gaining power, the volume of a single DoS attack soon became too small to block any significant resource. So hackers found the most obvious way to amplify a DoS attack: conduct it from multiple devices (IP addresses) simultaneously. This is how the distributed (or massive) denial-of-service cyberattack, DDoS (Distributed Denial of Service), appeared. It is much harder to filter out, and its power can reach 1 Tbps.

In addition, a DoS attack can be easily repelled once it has begun: identify the IP address from which the malicious packets are coming and add it to a block list. When the attack comes from many IP addresses, the task becomes harder. For example, to protect a resource you can block all requests from the country to which the attacking IPs are legally "tied", but then legitimate users from that country will also be denied access to the site.

In a sense, if we talk about the definition, DDoS is a subtype of the DoS attack that grew out of it by a change of scheme; there are no other forms of such attacks, and the first has supplanted the second in the hacker's arsenal. Therefore, in the overwhelming majority of cases it would be more correct to use the term DDoS attack, or the full phrase, a distributed denial-of-service attack.

The scheme of such an attack has three key elements: a control machine, from which commands are sent to the console, which in turn distributes them to millions of user devices (hacked or infected with malicious code). These devices are called bots. Whereas earlier they were mostly PCs, today a botnet attack can be carried out using routers, video recorders, smartphones, etc., any device with an interface for connecting to the Internet. The owner of a bot most often does not even know that it is being used for illegal acts.

Today you can find many offers on the open Internet to organize "DDoS testing" of any site for a ridiculous $15-20. Such "hackers" usually have neither a powerful server nor a botnet (a network of compromised devices) for organizing a massive cyberattack, and for that kind of money at most a DoS will be carried out, which any competent system administrator can handle.

However, the importance of DoS should not be underestimated: it is on such attacks that novice attackers train, and since such cases are rarely investigated, many go unpunished.

If you work in computer technology or network security, I'm sure you are familiar with the term "denial of service", colloquially called a "DoS attack". It is currently one of the most common types of network attack carried out on the Internet. For those not in the know, I will run a little educational program and try to explain what a DoS attack is in the most accessible and understandable form.
It all started when one of the working sites was down for about two hours yesterday. The site is hosted at NIC.RU, which is not the cheapest, and they are hardly newbies, but, as the saying goes, "even an old woman can slip up."

DDoS - Distributed Denial of Service

What is a DoS attack?
Denial of service, or "DoS", attacks are a type of network attack designed to flood target networks or machines with a lot of useless traffic so as to overload the attacked machine and eventually bring it to its knees. The main point of a DoS attack is to make the services running on the target machine (for example, a website, a DNS server, etc.) temporarily unavailable to their intended users. DDoS attacks are usually carried out against web servers that host vital services such as banking, e-commerce, personal data processing and credit card handling.
A common variant of the DoS attack, known as the DDoS (Distributed Denial of Service) attack, has become quite popular in recent years because it is very powerful and hard to detect. A DoS attack has a single origin, while a DDoS attack comes from multiple IP addresses spread across multiple networks. How DDoS works is shown in the following diagram:

Unlike a DoS attack, in which the attacker uses a single computer or network, a DDoS attack comes from multiple previously infected computers and servers, usually belonging to different networks. Since the attacker uses machines from different networks and even different countries, the incoming traffic at first does not arouse suspicion among security staff, because it is hard to tell apart from legitimate traffic.

Can you fight DoS / DDoS attacks?
DoS attackers can easily be added to the firewall's blacklist with all sorts of scripts and filters (by IP address or address range) that catch sources sending too many requests or connections. DDoS attacks are much harder to identify, since the incoming requests look more or less natural, like, say, an influx of clients. In that case it is difficult to tell genuine traffic from malicious traffic. Over-tightening the firewall rules leads to false positives, so real clients may be rejected by the system, which is not good.

When the influx of false "clients" begins to grow exponentially, it becomes too late to do anything, unless of course you have a whole staff of system administrators and programmers responsible for protecting against attacks of this kind: your servers become slow and sluggish, and in the end they stop responding to "external stimuli" entirely, waiting for this stream of spam to end.
Meanwhile, evil hackers bring their dark plans to life.


A DoS attack (Denial of Service attack) is an attack on a computer system intended to bring it to failure, that is, to create conditions under which legitimate users of the system cannot access the resources (servers) it provides, or can do so only with difficulty. The failure of an "enemy" system can also be a step towards taking it over (if, in an emergency situation, the software gives out critical information, for example a version number or part of the program code). More often, though, it is a means of economic pressure: downtime of a revenue-generating service, bills from the provider, and measures taken to avoid the attack hit the target hard.

If an attack is carried out simultaneously from a large number of computers, one speaks of a DDoS attack (from the English Distributed Denial of Service, a distributed denial-of-service attack). In some cases an actual DDoS attack is triggered by an unintended action, for example placing a link on a popular Internet resource to a site hosted on a not very powerful server (the slashdot effect). A large influx of users exceeds the permissible load on the server and, consequently, some of them are denied service.

Types of DoS attacks

There are various reasons why a DoS condition can occur:

  • Error in the program code, leading to an access to an unused part of the address space, the execution of an invalid instruction, or another unhandled exception that causes the server program to crash. A classic example is dereferencing a null address.
  • Insufficient validation of user data, leading to an infinite or very long loop, to prolonged consumption of processor resources (up to their exhaustion), or to the allocation of a large amount of RAM (up to the exhaustion of available memory).
  • Flood (from the English flood, "overflow"): an attack consisting of a large number of usually meaningless or malformed requests to a computer system or network equipment, aimed at or leading to failure of the system through exhaustion of its resources: processor, memory or communication channels.
  • Type II attack: an attack that seeks to trigger a false alarm in the protection system and thus make a resource unavailable.

If an attack (usually a flood) is carried out simultaneously from a large number of IP addresses, that is, from several computers dispersed across the network, it is called a distributed denial-of-service attack (DDoS).

Exploiting errors

An exploit is a program, a piece of code, or a sequence of commands that takes advantage of vulnerabilities in software and is used to attack a computer system. Among exploits that lead to a DoS condition but are unsuitable, for example, for taking control of an "enemy" system, the best known are WinNuke and Ping of Death.

Flood


A flood is a huge stream of meaningless requests from different computers intended to keep the "enemy" system (processor, RAM or communication channel) busy and thus temporarily disable it. The notion of "DDoS attack" is practically equivalent to the notion of "flood", and in everyday speech the two are often interchangeable ("flood the server" = "DDoS the server").

To create a flood, both ordinary network utilities like ping (the Internet community "Upyachka" was known for this, for example) and special programs can be used. DDoS capabilities are often built into botnets. If a cross-site scripting vulnerability, or the ability to embed images from other resources, is found on a high-traffic site, that site can also be used for a DDoS attack.

Flooding of the communication channel and the TCP subsystem

Any computer that communicates with the outside world via TCP/IP is subject to the following types of flooding:

  • SYN flood: a large number of TCP SYN packets (requests to open a connection) are sent to the attacked host. After a short time the number of sockets available for new connections (software network sockets, ports) on the attacked computer is exhausted and the server stops responding.
  • UDP flood: this type of flood attacks not the target computer itself but its communication channel. ISPs reasonably assume that UDP packets must be delivered first, while TCP can wait. A large number of UDP packets of various sizes clogs the channel, and the server operating over TCP stops responding.
  • ICMP flood: the same, but with ICMP packets.
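The SYN flood item above describes the half-open connection table filling up until the server stops accepting connections. The following model, added here and not taken from the article, simulates a listen backlog with a constructed capacity and timeout, shows legitimate clients being refused while the backlog is full of never-completed handshakes, and then shows the same timeline with SYN cookies (a real kernel-side mitigation that keeps no per-SYN state), which the article does not mention.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed parameters standing in for the kernel's listen backlog and timer.
BACKLOG_CAPACITY = 128    # half-open (SYN received, ACK not yet seen) entries the listener keeps
HALF_OPEN_TIMEOUT = 30.0  # seconds before a half-open entry is reclaimed
COOKIE_SECRET = secrets.token_bytes(16)  # per-process secret for SYN cookies

def syn_cookie(peer, now):
    """Stateless token sent back in the SYN-ACK: bound to the peer address/port
    and to a slowly rotating counter, so the server stores nothing per SYN."""
    counter = int(now) // 60
    msg = f"{peer[0]}:{peer[1]}:{counter}".encode()
    return hashlib.sha256(COOKIE_SECRET + msg).digest()[:4]

@dataclass
class Listener:
    use_syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)  # peer -> (arrival time, token)
    established: int = 0
    dropped_syns: int = 0

    def _expire(self, now):
        stale = [p for p, (t, _) in self.half_open.items() if now - t >= HALF_OPEN_TIMEOUT]
        for p in stale:
            del self.half_open[p]

    def on_syn(self, peer, now):
        """Handle a SYN. Returns the token the peer must echo, or None if the SYN was dropped."""
        self._expire(now)
        if self.use_syn_cookies:
            return syn_cookie(peer, now)       # no state allocated
        if len(self.half_open) >= BACKLOG_CAPACITY:
            self.dropped_syns += 1             # backlog full: the SYN is silently dropped
            return None
        token = secrets.token_bytes(4)         # stands in for the server's initial sequence number
        self.half_open[peer] = (now, token)
        return token

    def on_ack(self, peer, token, now):
        """Handle the final ACK of the handshake. Returns True if a connection is established."""
        self._expire(now)
        if self.use_syn_cookies:
            ok = token == syn_cookie(peer, now)
        else:
            entry = self.half_open.pop(peer, None)
            ok = entry is not None and entry[1] == token
        if ok:
            self.established += 1
        return ok

def run_scenario(use_syn_cookies):
    """Constructed timeline: 500 spoofed SYNs that never complete the handshake,
    then 10 real clients. Returns (legitimate connections established, SYNs dropped)."""
    srv = Listener(use_syn_cookies)
    for i in range(500):
        srv.on_syn((f"198.51.100.{i % 250}", 40000 + i), now=0.0)
    legit = 0
    for i in range(10):
        peer = ("203.0.113.7", 50000 + i)
        token = srv.on_syn(peer, now=1.0)
        if token is not None and srv.on_ack(peer, token, now=1.2):
            legit += 1
    return legit, srv.dropped_syns

if __name__ == "__main__":
    print("stateful backlog:", run_scenario(False))   # (0, 382)
    print("SYN cookies:     ", run_scenario(True))    # (10, 0)
```

With the stateful backlog every legitimate client is refused while the 128 half-open entries sit waiting for a timeout that the flood never lets expire; the cookie variant establishes all ten because nothing is allocated until the third handshake packet arrives.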

Application-level flood

Many services are designed so that a small request can cause a large consumption of computing power on the server. In this case it is neither the communication channel nor the TCP subsystem that is attacked but the service itself, by a flood of such "heavy" requests. For example, web servers are vulnerable to HTTP flooding: a simple GET / or a complex database query such as GET /index.php?search=<random string> can be used to take a web server down.

DoS attack detection

It is believed that special tools are not required to detect DoS attacks, since the fact of a DoS attack cannot be overlooked. In many cases this is true. However, successful DoS attacks have quite often been observed that the victims noticed only after 2-3 days. It has happened that the only visible consequence of an attack (a flood attack) was unnecessary charges for excess Internet traffic, which came to light only when the invoice arrived from the Internet provider. In addition, many intrusion detection methods are ineffective near the target but effective on network backbones. In that case it is advisable to install the detection systems there, rather than wait for the attacked user to notice and ask for help. Furthermore, to counter DoS attacks effectively it is necessary to know the type, nature and other characteristics of the attack, and detection systems allow this information to be obtained quickly.

DoS attack detection methods can be divided into several large groups:

  • signature - based on qualitative traffic analysis.
  • statistical - based on quantitative traffic analysis.
  • hybrid (combined) - combining the advantages of both of the above methods.
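The two detection classes just listed, signature (qualitative) and statistical (quantitative), together with the earlier point that a single-source DoS can be blocked by address while a distributed one cannot, as an added example that is not code from the article. It runs both kinds of check over constructed log lines in a made-up `t= src= proto= flags= uri=` format; the thresholds are constructed values, not tuning advice.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\S+) proto=(?P<proto>\w+) "
                     r"flags=(?P<flags>\S+) uri=(?P<uri>\S+)")

# Constructed thresholds; a real deployment derives them from a measured traffic baseline.
PER_SRC_PPS = 200     # packets/s from one address above which it is treated as a single-source flood
AGGREGATE_PPS = 2000  # total packets/s above which the target is considered flooded
SIG_MIN = 20          # minimum events from one source before a signature rule fires

def parse(lines):
    """Turn log lines into records; malformed lines are skipped rather than crashing the detector."""
    recs = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            recs.append(m.groupdict())
    return recs

def signatures(recs):
    """Qualitative rules: SYN-only senders, and HTTP requests carrying ever-changing query strings."""
    tcp = defaultdict(lambda: [0, 0])   # src -> [SYN-only packets, other TCP packets]
    queries = defaultdict(set)          # src -> distinct /index.php?search= URIs seen
    hits = set()
    for r in recs:
        if r["proto"] == "tcp":
            tcp[r["src"]][0 if r["flags"] == "S" else 1] += 1
        if r["uri"].startswith("/index.php?search="):
            queries[r["src"]].add(r["uri"])
    if any(syn >= SIG_MIN and other == 0 for syn, other in tcp.values()):
        hits.add("syn_flood")       # connection requests that are never completed
    if any(len(q) >= SIG_MIN for q in queries.values()):
        hits.add("http_flood")      # every request forces a fresh database search
    return hits

def statistics(recs):
    """Quantitative rules: per-source rate (DoS) versus aggregate rate with no dominant source (DDoS)."""
    if not recs:
        return {"verdict": "normal", "block": [], "aggregate_pps": 0}
    times = [float(r["t"]) for r in recs]
    window = (max(times) - min(times)) or 1.0
    per_src = Counter(r["src"] for r in recs)
    block = sorted(src for src, n in per_src.items() if n / window > PER_SRC_PPS)
    aggregate = len(recs) / window
    if block:
        verdict = "dos"     # a few addresses stand out: address-based filtering works
    elif aggregate > AGGREGATE_PPS:
        verdict = "ddos"    # each address is below the limit, so per-address blocking would miss it
    else:
        verdict = "normal"
    return {"verdict": verdict, "block": block, "aggregate_pps": round(aggregate)}

def classify(lines):
    recs = parse(lines)
    result = statistics(recs)
    result["signatures"] = sorted(signatures(recs))
    return result

def make_lines(n_sources, per_source, flags="S", uri="/", window=1.0):
    """Constructed traffic: n_sources addresses, per_source packets each, spread over window seconds."""
    lines, total = [], n_sources * per_source
    for i in range(total):
        k = i % n_sources
        src = f"10.0.{k // 256}.{k % 256}"
        u = f"{uri}{i}" if uri.endswith("=") else uri   # random-looking search string per request
        lines.append(f"t={window * i / total:.4f} src={src} proto=tcp flags={flags} uri={u}")
    return lines

if __name__ == "__main__":
    print(classify(make_lines(30, 20, flags="PA")))                             # normal
    print(classify(make_lines(1, 3000)))                                         # dos: one address to block
    print(classify(make_lines(400, 25, flags="PA", uri="/index.php?search=")))   # ddos: nothing to block by address
```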

DoS protection

Countermeasures against DoS attacks can be divided into passive and active, as well as preventive and reactive.

Below is a short list of the main methods.

  • Prevention. Prevention of the reasons prompting certain persons to organize and undertake DoS attacks. (Very often, cyberattacks are generally the result of personal grievances, political, religious and other disagreements, provoking behavior of the victim, etc.)
  • Filtering and blackholing. Blocking traffic from attacking machines. The effectiveness of these methods decreases as you get closer to the object of the attack and increases as you approach the attacking machine.
  • Reverse DDoS. Redirecting the traffic used for the attack back to the attacker.
  • Elimination of vulnerabilities. Does not work against flood attacks, for which the "vulnerability" is the finiteness of certain system resources.
  • Building up resources. Naturally, it does not provide absolute protection, but it is a good background for the application of other types of protection against DoS attacks.
  • Dispersal. Building distributed and duplicating systems that will not stop serving users, even if some of their elements become unavailable due to a DoS attack.
  • Evasion. Moving the immediate target of the attack (domain name or IP address) away from other resources, which are often also affected along with the direct target of the attack.
  • Proactive response. Influencing the sources, organizer or attack control center, both by man-made and by organizational and legal means.
  • Using equipment to repel DoS attacks. For example DefensePro® (Radware), Perimeter (MFI Soft), Arbor Peakflow® and products from other manufacturers.
  • Purchasing a service to protect against DoS attacks. Relevant if the flood exceeds the bandwidth of the network channel.
