Denial-of-service attack
==Types==
Denial-of-service attacks are characterized by an explicit attempt by attackers to prevent legitimate use of a service. There are two general forms of DoS attacks: those that crash services and those that flood services. The most serious attacks are distributed.<ref name="Taghavi Zargar 2046–2069">{{cite web|url=http://d-scholarship.pitt.edu/19225/1/FinalVersion.pdf |archive-url=https://web.archive.org/web/20140307201217/http://d-scholarship.pitt.edu/19225/1/FinalVersion.pdf |archive-date=2014-03-07 |url-status=live |title=A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks |first=Saman |last=Taghavi Zargar |publisher=IEEE Communications Surveys & Tutorials |volume=15 |issue=4 |pages=2046–2069 |date=November 2013 |access-date=2014-03-07}}</ref>

==={{visible anchor|Distributed DoS|Distributed_attack}}===
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the [[Bandwidth (computing)|bandwidth]] or resources of a targeted system, usually one or more web servers.<ref name="Taghavi Zargar 2046–2069"/> A DDoS attack uses more than one unique IP address or machine, often from thousands of hosts infected with [[malware]].<ref>{{cite book | last1=Amiri | first1=I.S. | last2=Soltanian | first2=M.R.K. | title=Theoretical and Experimental Methods for Defending Against DDoS Attacks | publisher=Syngress | year=2015 | isbn=978-0-12-805399-7}}</ref><ref>{{cite news|title=Has Your Website Been Bitten By a Zombie?|url=http://blog.cloudbric.com/2015/08/has-your-website-been-bitten-by-zombie.html|access-date=15 September 2015|agency=Cloudbric|date=3 August 2015}}</ref> A distributed denial-of-service attack typically involves more than around 3–5 nodes on different networks; fewer nodes may qualify as a DoS attack but not a DDoS attack.<ref name="Infosec7Layer"/><ref>{{cite book | last =Raghavan | first =S.V. | title =An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks | publisher =Springer | date =2011 | isbn =9788132202776}}</ref>

Multiple attack machines can generate more attack traffic than a single machine and are harder to disable, and the behavior of each attack machine can be stealthier, making the attack harder to track and shut down. Since the incoming traffic flooding the victim originates from different sources, it may be impossible to stop the attack simply by using [[ingress filtering]]. It also makes it difficult to distinguish legitimate user traffic from attack traffic when spread across multiple points of origin. As an alternative or augmentation of a DDoS, attacks may involve forging of IP sender addresses ([[IP address spoofing]]), further complicating identifying and defeating the attack. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.{{Citation needed|date=April 2024}}

The scale of DDoS attacks has continued to rise over recent years, by 2016 exceeding a [[terabit per second]].<ref name="Goodin">{{cite web|last=Goodin |first=Dan |date=28 September 2016 |title=Record-breaking DDoS reportedly delivered by >145k hacked cameras |website=Ars Technica |url=https://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/ |archive-url=https://web.archive.org/web/20161002000235/http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/ |archive-date=2 October 2016 |url-status=live}}</ref><ref>{{Cite web |url=https://thehackernews.com/2016/09/ddos-attack-iot.html |title=World's largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices |last=Khandelwal |first=Swati |date=26 September 2016 |publisher=The Hacker News |archive-url=https://web.archive.org/web/20160930031903/https://thehackernews.com/2016/09/ddos-attack-iot.html |archive-date=30 September 2016 |url-status=live }}</ref> Some common examples of DDoS attacks are [[UDP flood attack|UDP flooding]], [[SYN flooding]] and [[#Amplification|DNS amplification]].<ref>{{Cite book|title=DDoS attacks : evolution, detection, prevention, reaction, and tolerance| last1=Bhattacharyya | first1=Dhruba Kumar | last2=Kalita | first2=Jugal Kumar|author2-link= Jugal Kalita |isbn=9781498729659|location=Boca Raton, FL| publisher=CRC Press|oclc=948286117|date = 2016-04-27}}</ref><ref>{{cite web |title=Imperva, Global DDoS Threat Landscape, 2019 Report |url=https://www.imperva.com/resources/reports/Imperva_DDOS_Report_20200131.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.imperva.com/resources/reports/Imperva_DDOS_Report_20200131.pdf |archive-date=2022-10-09 |url-status=live |website=Imperva.com |publisher=[[Imperva]] |access-date=4 May 2020}}</ref>

====Yo-yo attack====
A '''[[yo-yo]]''' attack is a specific type of DoS/DDoS aimed at [[cloud-hosted]] applications which use [[autoscaling]].<ref>{{cite journal |url=https://dl.acm.org/doi/10.1145/2829988.2790017 |title=Yo-Yo Attack: Vulnerability In Auto-scaling Mechanism |journal=ACM SIGCOMM Computer Communication Review |date=17 August 2015 |volume=45 |issue=4 |pages=103–104 |doi=10.1145/2829988.2790017 |last1=Sides |first1=Mor |last2=Bremler-Barr |first2=Anat |author-link2=Anat Bremler-Barr |last3=Rosensweig |first3=Elisha}}</ref><ref>{{cite book |title=Proceedings of the 11th International Conference on Cloud Computing and Services Science |chapter=Kubernetes Autoscaling: Yo ''Yo'' Attack Vulnerability and Mitigation |year=2021 |doi=10.5220/0010397900340044 |arxiv=2105.00542 |last1=Barr |first1=Anat |last2=Ben David |first2=Ronen |pages=34–44 |isbn=978-989-758-510-4 |s2cid=233482002}}</ref><ref>{{cite journal |title=Towards Yo-Yo attack mitigation in cloud auto-scaling mechanism |year=2020 |doi=10.1016/j.dcan.2019.07.002 |last1=Xu |first1=Xiaoqiong |last2=Li |first2=Jin |last3=Yu |first3=Hongfang |last4=Luo |first4=Long |last5=Wei |first5=Xuetao |last6=Sun |first6=Gang |journal=Digital Communications and Networks |volume=6 |issue=3 |pages=369–376 |s2cid=208093679 |doi-access=free}}</ref> The attacker generates a flood of traffic until a cloud-hosted service scales outwards to handle the increase of traffic, then halts the attack, leaving the victim with over-provisioned resources. When the victim scales back down, the attack resumes, causing resources to scale back up again. This can result in a reduced quality of service during the periods of scaling up and down and a financial drain on resources during periods of over-provisioning, while operating at a lower cost for the attacker compared to a normal DDoS attack, since traffic only needs to be generated for a portion of the attack period.

===Application layer attacks===
An '''application layer DDoS attack''' (sometimes referred to as a '''layer 7 DDoS attack''') is a form of DDoS attack where attackers target [[application layer|application-layer]] processes.<ref>{{cite book | last =Lee | first =Newton | title =Counterterrorism and Cybersecurity: Total Information Awareness | publisher =Springer | date =2013 | isbn =9781461472056 }}</ref><ref name="Infosec7Layer">{{cite news | title =Layer Seven DDoS Attacks | newspaper =Infosec Institute }}</ref> The attack over-exercises specific functions or features of a website with the intention to disable those functions or features. This application-layer attack is different from an entire network attack, and is often used against financial institutions to distract IT and security personnel from security breaches.<ref>{{cite news | title =Gartner Says 25 Percent of Distributed Denial of Services Attacks in 2013 Will Be Application - Based | newspaper =Gartner | date =21 February 2013 | url =http://www.gartner.com/newsroom/id/2344217 | archive-url =https://web.archive.org/web/20130225073934/http://www.gartner.com/newsroom/id/2344217 | url-status =dead | archive-date =February 25, 2013 | access-date =28 January 2014 }}</ref> In 2013, application-layer DDoS attacks represented 20% of all DDoS attacks.<ref name="AbABankinJournal">{{cite news | last =Ginovsky | first =John | title =What you should know about worsening DDoS attacks | newspaper =ABA Banking Journal| date =27 January 2014 | url =http://www.ababj.com/component/k2/item/4354-what-you-should-know-about-worsening-ddos-attacks |archive-url=https://web.archive.org/web/20140209003822/http://ababj.com/component/k2/item/4354-what-you-should-know-about-worsening-ddos-attacks | archive-date=2014-02-09 }}</ref> According to research by [[Akamai Technologies]], there have been "51 percent more application layer attacks" from Q4 2013 to Q4 2014 and "16 percent more" from Q3 2014 to Q4 2014.<ref>{{cite web|url=https://blogs.akamai.com/2015/01/q4-2014-state-of-the-internet---security-report-some-numbers.html|title=Q4 2014 State of the Internet - Security Report: Numbers - The Akamai Blog|website=blogs.akamai.com}}</ref> In November 2017, Junade Ali, an engineer at Cloudflare, noted that whilst network-level attacks continued to be of high capacity, they were occurring less frequently. Ali further noted that although network-level attacks were becoming less frequent, data from Cloudflare demonstrated that application-layer attacks were still showing no sign of slowing down.<ref>{{cite web|last1=Ali|first1=Junade|title=The New DDoS Landscape|url=https://blog.cloudflare.com/the-new-ddos-landscape/|website=Cloudflare Blog|date=23 November 2017}}</ref>

====Application layer====
The [[OSI model]] (ISO/IEC 7498-1) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into [[abstraction layer]]s. The model is a product of the [[Open Systems Interconnection]] project at the [[International Organization for Standardization]] (ISO). The model groups similar communication functions into one of seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the communications path needed by applications above it, while it calls the next lower layer to send and receive packets that traverse that path.

In the OSI model, the definition of its application layer is narrower in scope than is often implemented. The OSI model defines the application layer as being the user interface. The OSI application layer is responsible for displaying data and images to the user in a human-recognizable format and for interfacing with the [[presentation layer]] below it. In an implementation, the application and presentation layers are frequently combined.

====Method of attack====
The simplest DoS attack relies primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker's ability to generate the overwhelming flux of packets. A common way of achieving this today is via distributed denial-of-service, employing a [[botnet]].

An application layer DDoS attack is done mainly for specific targeted purposes, including disrupting transactions and access to databases. It requires fewer resources than network layer attacks but often accompanies them.<ref>{{cite news |last=Higgins |first=Kelly Jackson |title=DDoS Attack Used 'Headless' Browser In 150-Hour Siege |newspaper=Dark Reading |publisher=InformationWeek |date=17 October 2013 |url=http://www.darkreading.com/attacks-breaches/ddos-attack-used-headless-browsers-in-15/240162777 |access-date=28 January 2014 |url-status=dead |archive-url=https://web.archive.org/web/20140122165039/http://www.darkreading.com/attacks-breaches/ddos-attack-used-headless-browsers-in-15/240162777 |archive-date=January 22, 2014 }}</ref> An attack may be disguised to look like legitimate traffic, except that it targets specific application packets or functions. The attack on the application layer can disrupt services such as the retrieval of information or search functions on a website.<ref name="AbABankinJournal" />

===Advanced persistent DoS===
An '''advanced persistent DoS''' (APDoS) is associated with an [[advanced persistent threat]] and requires specialized [[DDoS mitigation]].<ref name=":0">{{Cite book|title=Cyberwarfare Sourcebook|last=Kiyuna and Conyers|year=2015|publisher=Lulu.com |isbn=978-1329063945}}</ref> These attacks can persist for weeks; the longest continuous period noted so far lasted 38 days. This attack involved approximately 50+ petabits (50,000+ terabits) of malicious traffic.<ref>{{cite news |last1=Ilascu |first1=Ionut |title=38-Day Long DDoS Siege Amounts to Over 50 Petabits in Bad Traffic |url=https://news.softpedia.com/news/38-Day-Long-DDoS-Siege-Amounts-to-Over-50-Petabits-in-Bad-Traffic-455722.shtml |access-date=29 July 2018 |agency=Softpedia News |date=Aug 21, 2014}}</ref> Attackers in this scenario may tactically switch between several targets to create a diversion that evades defensive DDoS countermeasures, while eventually concentrating the main thrust of the attack on a single victim. In this scenario, attackers with continuous access to several very powerful network resources are capable of sustaining a prolonged campaign generating enormous levels of unamplified DDoS traffic.

APDoS attacks are characterized by:
* advanced reconnaissance (pre-attack [[open-source intelligence|OSINT]] and extensive decoyed scanning crafted to evade detection over long periods)
* tactical execution (attack with both primary and secondary victims, but the focus is on the primary)
* explicit motivation (a calculated end game/goal target)
* large computing capacity (access to substantial computer power and network bandwidth)
* simultaneous multi-threaded OSI layer attacks (sophisticated tools operating at layers 3 through 7)
* persistence over extended periods (combining all the above into a concerted, well-managed attack across a range of targets).<ref>{{cite web|url=http://www.scmagazineuk.com/video-games-company-hit-by-38-day-ddos-attack/article/367329/|archive-url=https://web.archive.org/web/20170201181833/https://www.scmagazineuk.com/video-games-company-hit-by-38-day-ddos-attack/article/541275/|archive-date=2017-02-01|title=Video games company hit by 38-day DDoS attack|last=Gold|first=Steve|date=21 August 2014|work=SC Magazine UK|access-date=4 February 2016}}</ref>

===Denial-of-service as a service===
{{Main|Stresser}}
Some vendors provide so-called ''booter'' or ''stresser'' services, which have simple web-based front ends, and accept payment over the web. Marketed and promoted as stress-testing tools, they can be used to perform unauthorized denial-of-service attacks, and allow technically unsophisticated attackers access to sophisticated attack tools.<ref>{{Cite web|url=http://krebsonsecurity.com/2015/08/stress-testing-the-booter-services-financially/|title=Stress-Testing the Booter Services, Financially|last=Krebs|first=Brian|date=August 15, 2015|website=Krebs on Security|access-date=2016-09-09}}</ref> Usually powered by a botnet, the traffic produced by a consumer stresser can range anywhere from 5–50 Gbit/s, which can, in most cases, deny the average home user internet access.<ref>{{Cite journal|last1=Mubarakali|first1=Azath|last2=Srinivasan|first2=Karthik|last3=Mukhalid|first3=Reham|last4=Jaganathan|first4=Subash C. B.|last5=Marina|first5=Ninoslav|date=2020-01-26|title=Security challenges in internet of things: Distributed denial of service attack detection using support vector machine-based expert systems|url=https://onlinelibrary.wiley.com/doi/10.1111/coin.12293|journal=Computational Intelligence|language=en|volume=36|issue=4|pages=1580–1592|doi=10.1111/coin.12293|s2cid=214114645|issn=0824-7935}}</ref>

===Markov-modulated denial-of-service attack===
A Markov-modulated denial-of-service attack occurs when the attacker disrupts control packets using a [[hidden Markov model]]. A setting in which Markov-model based attacks are prevalent is online gaming, as the disruption of the control packet undermines game play and system functionality.<ref>{{Cite journal |title=Risk-Sensitive Control Under Markov Modulated Denial-of-Service (DoS) Attack Strategies |url=https://ieeexplore.ieee.org/document/7070734 |access-date=2023-10-19 |journal=IEEE Transactions on Automatic Control |date=2015 |doi=10.1109/TAC.2015.2416926 |s2cid=9510043 |language=en-US |last1=Befekadu |first1=Getachew K. |last2=Gupta |first2=Vijay |last3=Antsaklis |first3=Panos J. |volume=60 |issue=12 |pages=3299–3304 }}</ref>
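As an added illustration of the yo-yo attack described in the subsection above (example code written for this page, not taken from the article or from the cited papers), the following Python model runs a simple threshold autoscaler against an on/off traffic pattern and reports what the victim is billed and how many requests are dropped. The autoscaler rules, the per-instance capacity, the traffic figures and the scale-down cooldown knob are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class AutoscalerConfig:
    """Assumed threshold autoscaler; the numbers are illustrative, not from any provider."""
    capacity_per_instance: float = 100.0  # requests per tick one instance can serve
    scale_up_util: float = 0.8            # add an instance when utilization exceeds this
    scale_down_util: float = 0.3          # remove an instance when utilization falls below this
    scale_down_cooldown: int = 0          # ticks after a scale-up before scaling down is allowed
    min_instances: int = 1

def yoyo_load(ticks, base, burst, on_period, off_period):
    """Constructed demand series: base traffic plus a flood that is on for
    on_period ticks and off for off_period ticks, repeating."""
    cycle = on_period + off_period
    return [base + (burst if t % cycle < on_period else 0.0) for t in range(ticks)]

def simulate(load, cfg):
    """Run the autoscaler over the demand series and return billing and QoS counters."""
    instances = cfg.min_instances
    since_scale_up = 0
    instance_ticks = 0   # billed capacity: running instances summed over all ticks
    dropped = 0.0        # requests above capacity, i.e. degraded service
    for demand in load:
        capacity = instances * cfg.capacity_per_instance
        util = demand / capacity
        dropped += max(0.0, demand - capacity)
        instance_ticks += instances
        since_scale_up += 1
        if util > cfg.scale_up_util:
            instances += 1   # one instance per tick, so capacity lags the flood
            since_scale_up = 0
        elif (util < cfg.scale_down_util and instances > cfg.min_instances
              and since_scale_up >= cfg.scale_down_cooldown):
            instances -= 1
    return {"instance_ticks": instance_ticks, "dropped": dropped,
            "final_instances": instances}

def attacker_duty(load, base):
    """Fraction of ticks in which the attacker is actually sending traffic."""
    return sum(1 for d in load if d > base) / len(load)

if __name__ == "__main__":
    load = yoyo_load(ticks=16, base=50.0, burst=250.0, on_period=3, off_period=5)
    baseline = len(load) * AutoscalerConfig().min_instances  # cost of serving base load alone
    for cooldown in (0, 4):
        r = simulate(load, AutoscalerConfig(scale_down_cooldown=cooldown))
        print(f"cooldown={cooldown}: billed {r['instance_ticks']} instance-ticks "
              f"(baseline {baseline}), dropped {r['dropped']:.0f} requests")
    print(f"attacker sending {attacker_duty(load, 50.0):.0%} of the time")
```

Lengthening the cooldown lowers the number of dropped requests but raises the instance-ticks billed, which is the quality-of-service versus cost trade-off the attack exploits, while the attacker pays for traffic only a fraction of the time.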