NST - Denial of Service (Lesson)

Denial of Service

Introduction

In this lesson, you will learn about the types of cyberattacks that can be executed using networked systems and how to identify signs of and secure against Denial of Service (DoS) attacks.

There are four types of attacks:

  1. Denial of Service (DoS)
  2. Spoofing and Sniffing
  3. Wireless and Mobile Threats
  4. System Exploits

Each of these attacks is achieved by manipulating a protocol or service to behave in a way that was not intended. A Denial of Service (DoS) attack happens when so much traffic is sent to a victim system that it collapses. Note the name “denial of service” -- the point of this attack is to make the server unavailable to real users, to deny users access to this service.

A DoS attack is a threat to Availability! Do you remember the CIA Triad of Confidentiality, Integrity, and Availability?

  Attack                     CIA property threatened
  Data Theft                 Confidentiality
  Website Defacement         Integrity
  Denial of Service (DoS)    Availability

In the past, a single attacker could bring down a server, but that is more difficult today. Operating systems and server hardware are much more robust and can withstand almost any amount of traffic that a single system could send. Because of this, Distributed Denial of Service (DDoS) came into being…

[Figure: a botmaster controlling four bots, which reach the victim through email, trojan horses, etc.]

In a DDoS, a LOT of devices are used to send traffic. Multiple systems under the control of the attacker are used in a coordinated attack to create a traffic spike on the system. Zombies are computer systems that are unaware that they are involved in the DDoS as part of a Botnet.

As you can see in the video, the SYN Flood is a typical DDoS as it is an attempt to flood a target with data or requests, so that the target network is saturated, resulting in the loss of legitimate use of the system. In this case, the request is to connect but since the connection is not completed, the target is left with an overwhelming number of “half-open” connections -- in plain language, they are left hanging.

Let’s demo this! You are probably sitting while reviewing this video, so please stand up. Now hold out your hand for an imaginary handshake with me. I respond by extending my hand BUT, at the last moment, you pull your hand away. You do the casual brush of your hair back instead. That is what the SYN flood is doing -- asking for a connection but then leaving the receiver (in this case, me) hanging!

[Figure: handshake]

A quick recap of SYN Flood attack, created by misusing the three-way handshake:

  1. Attacker sends initial SYN
  2. Victim sends SYN/ACK
  3. The attacker doesn’t send the final ACK, so the victim is left waiting for completion of the handshake.
  4. The victim keeps each SYN request in a table (queue) of “connections in progress” and holds them until they time out. Eventually the queue is full and the victim can’t accept any new connections.
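The four steps above can be modelled as a small state machine on the victim side. The following is an added example written for this lesson (it is not part of the original lesson material): it simulates the “connections in progress” table, holds one slot per SYN until the final ACK arrives or the entry times out, and refuses new SYNs once the table is full. The table size, timeout, addresses and timing are constructed values chosen for the example, not measurements from any real system.

```python
"""Simplified model of a server's TCP half-open connection queue.

Added example (not from the lesson): each SYN occupies a slot until the
client's final ACK arrives or the entry times out; when the table is full,
new SYNs are dropped, which is the outage a SYN flood causes.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    capacity: int            # backlog size (assumed value, e.g. 128 slots)
    timeout: float           # seconds a half-open entry is held before expiry
    pending: dict = field(default_factory=dict)  # (src ip, src port) -> arrival time
    established: int = 0
    dropped: int = 0

    def expire(self, now):
        """Drop entries whose handshake never completed within the timeout."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, src, now):
        """Steps 1-2: SYN arrives; the server answers SYN/ACK and records the entry."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1        # queue full: this client is refused
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src, now):
        """Step 3: the client's ACK completes the handshake and frees the slot."""
        self.expire(now)
        if src in self.pending:
            del self.pending[src]
            self.established += 1
            return True
        return False


def simulate(flood_syns, legit_clients, capacity=128, timeout=60.0):
    """Run a burst of never-completed SYNs, then honest clients; return stats."""
    table = HalfOpenTable(capacity=capacity, timeout=timeout)
    now = 0.0
    # Constructed flood: SYNs whose final ACK never arrives (step 3 is skipped).
    for i in range(flood_syns):
        table.on_syn(("10.0.0.%d" % (i % 250), 40000 + i), now)
        now += 0.001
    # Legitimate clients arrive one second later and do complete the handshake.
    now += 1.0
    served = 0
    for i in range(legit_clients):
        src = ("192.0.2.%d" % (i + 1), 50000 + i)
        if table.on_syn(src, now):
            table.on_ack(src, now + 0.05)
            served += 1
    # Once the timeout passes, the abandoned entries expire and the server recovers.
    recovered = table.expire(now + timeout)
    return {"served": served, "dropped": table.dropped, "recovered": recovered}


if __name__ == "__main__":
    print("flood of 500 SYNs:", simulate(500, 10))   # no honest client gets in
    print("flood of 50 SYNs: ", simulate(50, 10))    # table has room, all served
```

With a 128-slot table, a burst of 500 abandoned SYNs leaves every slot occupied for the full timeout, so all ten honest clients are refused; with 50 abandoned SYNs the table still has room and all ten are served. Real operating systems shrink this exposure by shortening the SYN/ACK retry timeout, enlarging the backlog, or using SYN cookies (the Linux net.ipv4.tcp_syncookies setting), which let the server answer a SYN without storing a half-open entry at all.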

How can you tell a DDoS is happening? 

  • Sudden and unexplained drop in Internet bandwidth;
  • Sudden overwhelming number of requests from multiple hosts outside of network;
  • Sudden drain on victim device resources.
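The second sign, a sudden surge of requests from many hosts outside the network, is something a defender can check for automatically. The following is an added example written for this lesson, not code from the original material: it buckets connection-request log lines into fixed time windows, counts requests and distinct external sources per window, and flags any window whose count is far above the running average of the earlier windows. The log format (“<epoch seconds> SYN <source ip>”), the internal address range, the thresholds and the sample traffic are all constructed for the example.

```python
"""Added example (not from the lesson): flag a sudden surge of connection
requests from many outside hosts, one of the DDoS warning signs above.
Log format, thresholds and addresses are constructed for this example.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # assumed internal range for the example


def build_constructed_log():
    """Produce sample log lines: three quiet 10-second windows, then a burst."""
    lines = []
    # Quiet baseline: a few requests per window, mostly from internal hosts.
    for t in range(0, 30):
        if t % 3 == 0:
            lines.append(f"{t} SYN 192.0.2.{10 + t % 5}")
        if t % 7 == 0:
            lines.append(f"{t} SYN 198.51.100.{t % 20 + 1}")
    # Surge: 300 requests from 150 distinct outside hosts in window 30-39.
    for i in range(300):
        lines.append(f"{30 + i % 10} SYN 203.0.113.{i % 150 + 1}")
    return "\n".join(lines)


def syn_windows(log_text, window=10):
    """Bucket SYN lines by window start -> (total requests, distinct external hosts)."""
    totals = Counter()
    external = defaultdict(set)
    for line in log_text.splitlines():
        ts, kind, src = line.split()
        if kind != "SYN":
            continue
        start = (int(ts) // window) * window
        totals[start] += 1
        if ip_address(src) not in INTERNAL:
            external[start].add(src)
    return {s: (totals[s], len(external[s])) for s in sorted(totals)}


def flag_surges(windows, factor=5, min_external_hosts=20):
    """Return window starts whose request count is at least `factor` times the
    mean of all earlier windows and which involve many distinct outside hosts."""
    flagged = []
    history = []
    for start, (total, n_ext) in windows.items():
        if history:
            mean = sum(history) / len(history)
            if total >= factor * mean and n_ext >= min_external_hosts:
                flagged.append(start)
        history.append(total)
    return flagged


if __name__ == "__main__":
    windows = syn_windows(build_constructed_log())
    for start, (total, n_ext) in windows.items():
        print(f"window {start:>3}: {total:>4} requests, {n_ext:>4} external hosts")
    print("surge windows:", flag_surges(windows))
```

Requiring many distinct external hosts as well as a high request count is what separates a distributed attack from one noisy client or an internal batch job; the factor and host thresholds are starting points that would be tuned to a site's own baseline.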

A DDoS can also happen accidentally. Think about Cyber Monday shopping or tickets for a popular artist going on sale. If the servers are swamped with users trying to connect, the effect is a DDoS with no malicious intent. The solution is to plan ahead with redundant servers for periods of heavy load.

A permanent DDoS happens when the server is not just overwhelmed but inoperable. This is usually the result of someone gaining physical access to the system and doing physical damage. The solution is clear -- don’t just think about digital security; you also need to make sure your door locks work properly and that security guards are on the job and paying attention (physical security)!

Famous 2016 DDoS Attack

The DDoS in October 2016 impacted the Internet using the Mirai code to create a botnet of devices instead of computers. Devices like DVRs, nanny cams, and thermostats were used to execute a DDoS so big that it slowed the Internet down to a crawl. It is believed that this Mirai botnet is still available for hire.

Project Shield

DDoS (Distributed Denial of Service) attacks happen on a daily basis, bringing down websites and servers for many types of organizations, such as news organizations and human rights organizations, and they are motivated by various reasons:

  • A restrictive government does not like critical news articles, so it attempts to stop people from seeing information with the purpose of censorship.
  • A corrupt company may not want an investigative journalist to publish data about their criminal activities. 
  • Groups that oversee the fairness of elections are often targeted by different campaigns or a dictator holding on to power.

Project Shield protects organizations by putting Google’s huge internet presence in front of them to absorb the fire hose of packets being directed at victim organizations. It is a free service and only available to specific organizations that are frequently targeted, in order to thwart attempts at censorship. Corporations or other entities needing this type of protection can purchase it from other providers. Project Shield is a Jigsaw project; Jigsaw is a unit within Google that explores threats to open societies and builds technology that inspires scalable solutions.

For example, Brian Krebs is an online journalist specializing in cybersecurity news. In 2017 he was targeted for writing a story about the people who authored the Mirai botnet malware (the 2016 DDoS mentioned above). Brian was paying a DDoS protection company, Akamai, but they had to drop him as a client because the attacks were too large for them to handle. Project Shield brought his KrebsOnSecurity website back online and continues to protect it.

Mitigating Attacks Presentation

Reflection and Wrap-up

In this lesson, we have learned about different types of cyberattacks, focusing particularly on Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, their impact on the availability aspect of the CIA Triad (Confidentiality, Integrity, and Availability), and the mechanisms behind them, including the SYN Flood attack technique. We explored how these attacks can be recognized through symptoms like sudden drops in bandwidth, overwhelming request numbers, or resource drains on the victim's devices. Additionally, the lesson covered preventative and mitigation strategies against these attacks, such as adjusting server configurations, blocking certain types of network traffic, maintaining software updates, and employing services like Project Shield for high-risk organizations. Understanding these concepts is crucial for securing networked systems against disruption and ensuring the continuous availability of services.

[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON. Video courtesy of IGCSE-Computer Science, CC-BY