Denial of Service Attacks - A summary

by Tomaso Vasella
on July 20, 2023
time to read: 10 minutes

Keypoints

This is how Denial of Service attacks work

  • Denial of Service is a collective term for attack methods that make a service unavailable
  • DDoS attacks usually pursue an ideological, political or monetary goal
  • There are volume-based DDoS attacks and those enabled by technical weaknesses
  • Protection against DDoS can be complex and expensive

The terms Denial of Service attack and Distributed Denial of Service attack (DoS and DDoS) collectively describe attack methods whose goal is to make a service unavailable or unreachable. These attacks usually have an ideological, political or monetary motivation, such as disrupting an organization’s business operations or damaging its reputation, attacking critical infrastructure in economic or military conflicts, or extortion. Denial of service attacks are common and can cause great damage, especially if they affect services used by very large numbers of users or if the affected organization cannot tolerate outages. It is not uncommon for victims of such attacks to understate their vulnerability to them and the impact suffered, out of concern for their reputation and for the damaging effects on their business. In Switzerland, too, several DDoS attacks have recently received press coverage.

Types of DoS Attacks

Denial of service attacks are divided into volume-based attacks and those that exploit technical weaknesses in protocols or applications or inappropriately configured infrastructures. Combinations of these also exist.

Volume-based denial of service attacks

Many of today’s denial of service attacks use volume-based techniques. This involves generating a very large amount of network traffic and directing it at the attack target, such as a website or an organization’s Internet connection. This saturates the bandwidth available at the victim, making it impossible to serve legitimate requests from regular users. This type of DoS attack relies on sheer volume, so the party with the greater capacity has the upper hand.

Years ago, when systems with powerful Internet connections were not as widespread as they are today, attackers tried to take control of central systems with large bandwidth in order to abuse them for attacks. Today, fast Internet access is widespread among consumers. Attackers take control of as many such systems as possible and thus have a large number of attack points at their disposal, often without the owners being aware of it. PCs remotely controllable through malware infection (botnets), virtual servers at cloud providers, and insufficiently secured or vulnerable IoT devices (Thing Bots) are frequently used; they are often geographically widely distributed and independent of each other.

To generate the largest possible volume of network traffic, attackers can exploit properties of certain protocols in so-called amplification attacks. In this case, the attacker sends a query, for example to a DNS server, which then sends back a much larger response, thus achieving the amplification effect. In the example below, a DNS query of 49 bytes results in a response of 2969 bytes.

$ dig any admin.ch @8.8.8.8

; <<>> DiG 9.18.16 <<>> ANY admin.ch @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 31, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;admin.ch.                      IN      ANY

;; ANSWER SECTION:
admin.ch.               3600    IN      SOA     ins1.admin.ch. dnsmaster.admin.ch. 15468811 10800 600 604800 600
admin.ch.               0       IN      RRSIG   NSEC3PARAM 8 2 0 20230719162234 20230716032224 45579 admin.ch. hqm9Fy1SvIXRxLM5qX++gR4sG7ObQ9O3aWJmngMY2Yy5JJoVJlq6CGfn AKWdFZ770l0SlPXlhjIw5KJMMufJxX2BG4IDoHGNQKhOhkCNCgAgjIvU 9T22FIlDsMABODIWbUVdigqc+KfHxhaoteskYxCwX1ZSQ2SW+CdiaMcX bsg=
admin.ch.               0       IN      NSEC3PARAM 1 0 10 C325EB22E4AEEEE1
admin.ch.               3600    IN      CAA     0 issue "swisssign.com"
admin.ch.               3600    IN      CAA     0 iodef "mailto:hostmaster@admin.ch"
<...>
admin.ch.               3600    IN      RRSIG   TXT 8 2 3600 20230719135336 20230715130237 45579 admin.ch. kqcymnajyNwwihW4DcOSxgi8eJPXDpdwTyLtXCcyqmgw6Fqhts39JTRI YNUEk3xL/+Gh4SLPBT5jYhtu9vpbJbuiCNtKBOL4KO8FIQ6mvtI6WFRj O5K55AOcckaQs2P6G5RGxUiqSSPHZanE6zZSYA+3ZgOQKQVQfNtUYOHT aHQ=
admin.ch.               3600    IN      RRSIG   MX 8 2 3600 20230719213237 20230715212017 45579 admin.ch. Nc5qSYgsBVRyB1MqfLbC3yyTzp8EpaAfsQD/lUkuC/nAeZn+2QudwjYW aq1IoLg2vAyfi/F9bM7ywmAYtaRquJsEKXJHDFn5HDd0owLJzpNjb0Gr bAMNTRg6lcSgHvyeTotZ8arzi50a5HqOibrWtQFhFoaLqDPx6DaOGSKP luA=
admin.ch.               3600    IN      RRSIG   A 8 2 3600 20230718001155 20230714000318 45579 admin.ch. F33Kt7KMXuoYBTtrEJW9T+H5wIKsleyj4+4H2Aykvk1J07vNONFzvTMJ rhi0cqvVXpFWuMTsmADl644VZevoViAUZVZv7yD1UdUZ3qWqCJpxaqiO gGtd9NTZg1Stbe4XJzAVK8qWkC4EPAqcJgsAjdjiHr/Cg0Q71YdNpXHh UBk=
admin.ch.               3600    IN      RRSIG   CAA 8 2 3600 20230717165531 20230713162756 45579 admin.ch. h/RlqwV+fwITtxf0HFzgnDtFDTTu/YmN5bpR7j96gFYVvjoZ+kHPJcCC 70L1Il2JV636/Cz0hgr4l7Vzt++04XyHqRnXErejTC0U0kLUx8bO139+ NAIHDokvytAwlWrvNhHdY/hPymrT2RXLC0OMkB2agIqvUj6u1EX2N3pU rxA=

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (TCP)
;; WHEN: Sun Jul 16 16:02:16 CEST 2023
;; MSG SIZE  rcvd: 2969

To use this for DDoS attacks, it must be possible to direct the response to the target instead of the original sender. In principle, this is possible with network protocols that do not require a handshake. In this case, the recipient does not verify the sender of a request but trusts that the sender address contained in the request is correct, and sends the response to that address. If the attacker spoofs the sender address, the response therefore goes to the spoofed address rather than to the attacker. Both properties required for amplification attacks, the lack of a handshake and a large response to a small request, are found in some UDP-based protocols such as DNS, NTP or SNMP and in applications like memcached. They can be exploited if the operators of such services do not restrict access sufficiently.
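To see where the 49 bytes in the dig session above come from and what they translate into, here is an added Python example (not part of the original article) that assembles the same kind of query dig sends by default, an "admin.ch ANY" question plus an EDNS0 OPT record carrying an 8-byte client COOKIE, and divides the 2969-byte answer reported by dig by the query size. The transaction id, the zeroed cookie and the 1232-byte EDNS buffer size are constructed placeholders; nothing is sent on the network.

```python
import struct
from typing import Optional

QTYPE_ANY = 255                 # the "ANY" in `dig any admin.ch`
EDNS_OPTION_COOKIE = 10         # EDNS option code for DNS COOKIE (RFC 7873)
RESPONSE_SIZE_FROM_DIG = 2969   # "MSG SIZE  rcvd: 2969" in the dig session above


def encode_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels followed by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x50D4, udp_payload: int = 1232,
                client_cookie: Optional[bytes] = b"\x00" * 8) -> bytes:
    """Assemble a DNS query message: a 12-byte header (RD set, one question),
    the question itself and, unless client_cookie is None, an EDNS0 OPT record
    carrying a client COOKIE, which is what dig adds by default.
    txid, udp_payload and the all-zero cookie are constructed placeholders."""
    arcount = 1 if client_cookie is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags 0x0100 = RD
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if client_cookie is not None:
        option = struct.pack("!HH", EDNS_OPTION_COOKIE, len(client_cookie)) + client_cookie
        # OPT RR: root name, TYPE 41, the CLASS field carries the UDP payload size,
        # the TTL field carries extended RCODE/version/flags (all zero), then RDLENGTH.
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, len(option)) + option
    return msg


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes a responder emits per byte it receives for one query/response pair."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    q = build_query("admin.ch", QTYPE_ANY)
    bare = build_query("admin.ch", QTYPE_ANY, client_cookie=None)
    print(f"query with EDNS cookie: {len(q)} bytes, bare query: {len(bare)} bytes")
    print(f"amplification factor: {amplification_factor(len(q), RESPONSE_SIZE_FROM_DIG):.1f}x")
```

The accounting is 12 header bytes, 14 bytes of question (10 for the encoded name, 4 for type and class) and 23 bytes of OPT record with the cookie option, giving 49 bytes and a factor of roughly 60. Two caveats a defender should read off the dig output itself: the SERVER line shows the answer was fetched over TCP, and the OPT pseudosection shows the server advertising a 512-byte UDP size, so what a resolver can be made to emit in a single unauthenticated UDP datagram is bounded by its EDNS buffer size and truncation behaviour, which is one reason operators limit ANY responses and EDNS buffer sizes on servers that must stay reachable.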

Volume-based attacks simply aim to send an overwhelmingly large amount of network traffic to a victim. They can use different techniques to do this and operate at different layers of the OSI model, with bandwidth saturation due to sheer network volume being the defining characteristic.

Denial of Service due to technical weaknesses

This category of denial of service attacks exploits vulnerabilities that lead to the failure or inaccessibility of services. These can be vulnerabilities or configuration errors in applications, but also exploitable properties of systems, infrastructure components or protocols.

An attacker can attempt to systematically lock out accounts in a web application by entering invalid credentials, making the application unusable for regular users. Uploading a file with certain properties, for example a compressed file that becomes huge when unpacked, can overload the server’s resources and make the application unresponsive. Or an attacker may send many parallel requests to a service and keep them all active at the same time, exhausting the number of simultaneous connections the service can hold open.
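The compressed-upload case above is one where the defence is a few lines of code. The following added Python example (not from the original article) shows a guard for zip uploads: it first checks the sizes declared in the archive’s central directory against a size cap and an expansion-ratio cap, and then, because the declared sizes cannot be trusted, extracts while counting the bytes actually produced and aborts as soon as the cap is crossed. The 1 MiB cap and the 100:1 ratio are illustrative policy values, and both archives are constructed in memory.

```python
import io
import zipfile

# Illustrative upload policy (assumed values, not from the article)
MAX_TOTAL_UNCOMPRESSED = 1 * 1024 * 1024   # 1 MiB of extracted data per upload
MAX_EXPANSION_RATIO = 100                  # refuse archives that grow more than 100:1


def make_zip(entries):
    """Constructed sample input: build a deflated zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_zip(data):
    """Total the sizes declared in the central directory without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    return {"entries": len(infos), "uncompressed": uncompressed, "compressed": compressed,
            "ratio": uncompressed / max(compressed, 1)}


def is_safe_to_extract(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_EXPANSION_RATIO):
    """Cheap pre-check on declared sizes: a first gate, not the last one."""
    s = inspect_zip(data)
    return s["uncompressed"] <= max_total and s["ratio"] <= max_ratio


def extract_with_cap(data, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Extract entry by entry while counting bytes actually produced, so an archive
    whose central directory understates its sizes still cannot exceed the cap."""
    written = 0
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as f:
                while True:
                    chunk = f.read(64 * 1024)
                    if not chunk:
                        break
                    written += len(chunk)
                    if written > max_total:
                        raise ValueError(f"decompressed data exceeds {max_total} bytes")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def extraction_rejected(data, max_total=MAX_TOTAL_UNCOMPRESSED):
    """True if the capped extraction refuses the archive."""
    try:
        extract_with_cap(data, max_total)
    except ValueError:
        return True
    return False


# Constructed samples: a small text report, and 8 MiB of zeros that deflate to a few KiB.
BENIGN_ZIP = make_zip({"report.txt": b"".join(b"line %d: quarterly figures\n" % i for i in range(50))})
BOMB_ZIP = make_zip({"zeros.bin": b"\x00" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("bomb", BOMB_ZIP)):
        s = inspect_zip(blob)
        print(f"{label}: {len(blob)} bytes received, {s['uncompressed']} declared, "
              f"ratio {s['ratio']:.0f}:1, pre-check ok={is_safe_to_extract(blob)}, "
              f"rejected during extraction={extraction_rejected(blob)}")
```

The two-stage design matters: the pre-check is cheap and catches honest archives that are simply too large, while the counted extraction is the control that actually bounds memory and disk use, since the sizes in the central directory are attacker-supplied data like everything else in the upload.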

Many vulnerabilities have been found in firewalls and other network devices, causing errors and failures when processing unexpected data. Attackers can use specially crafted data packets with the intention of causing such failures. Devices not designed to be connected to public networks, such as industrial machine controllers, are often poor at handling unknown input and can sometimes be easily crashed. Finally, ransomware attacks are often a form of denial of service, although they are not usually called that.

Detection

Volume-based DDoS attacks are characterized by anomalies in data traffic. Attacks with very large amounts of data will usually be noticed quickly by the Internet providers through their network monitoring. Volume-based attacks on individual services, for example a single web server, can be detected by monitoring the number of requests, sudden deviations, error rates, or anomalies such as unusual source addresses. For application and protocol-based DDoS attacks, the network traffic may look similar to legitimate traffic, which can make detection difficult. In these cases, anomaly detection and monitoring of system and application logs can be helpful.
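To make the monitoring signals named above concrete, here is an added Python example (not part of the original article) that runs over constructed web-server access log lines in Common Log Format, buckets them per minute, and flags minutes by three of the indicators mentioned: request volume far above the median minute, a high share of 5xx errors, and an unusual spread of source addresses (almost every request from a different client). The log lines use documentation address ranges, and the thresholds are illustrative assumptions to be tuned against a real baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def _line(src, ts, path, status, size=512):
    return f'{src} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample log: two quiet minutes from a few clients, then a minute in which
# 40 distinct addresses from 192.0.2.0/24 (TEST-NET-2) each hit /login once and get a 503.
SAMPLE_LOG = [
    _line("203.0.113.10", "20/Jul/2023:10:00:01 +0200", "/", 200),
    _line("203.0.113.10", "20/Jul/2023:10:00:15 +0200", "/news", 200),
    _line("203.0.113.22", "20/Jul/2023:10:00:30 +0200", "/", 200),
    _line("203.0.113.22", "20/Jul/2023:10:00:42 +0200", "/login", 302),
    _line("198.51.100.7", "20/Jul/2023:10:00:50 +0200", "/", 200),
    _line("198.51.100.7", "20/Jul/2023:10:00:59 +0200", "/about", 200),
    _line("203.0.113.10", "20/Jul/2023:10:01:03 +0200", "/news/1", 200),
    _line("203.0.113.10", "20/Jul/2023:10:01:20 +0200", "/news/2", 200),
    _line("198.51.100.7", "20/Jul/2023:10:01:33 +0200", "/contact", 200),
    _line("198.51.100.7", "20/Jul/2023:10:01:47 +0200", "/", 200),
    _line("203.0.113.22", "20/Jul/2023:10:01:55 +0200", "/", 404),
] + [
    _line(f"192.0.2.{i}", f"20/Jul/2023:10:02:{i:02d} +0200", "/login", 503, 0)
    for i in range(1, 41)
]


def parse_line(line):
    """Return source, minute bucket and status for one CLF line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m["src"], "minute": ts.strftime("%Y-%m-%d %H:%M"), "status": int(m["status"])}


def summarize(lines):
    """Per-minute request count, distinct source count and 5xx count."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set(), "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not trusted
        b = buckets[rec["minute"]]
        b["requests"] += 1
        b["sources"].add(rec["src"])
        if rec["status"] >= 500:
            b["errors"] += 1
    return {k: {"requests": v["requests"], "sources": len(v["sources"]), "errors": v["errors"]}
            for k, v in sorted(buckets.items())}


def detect_anomalies(summary, volume_factor=5, min_requests=20, error_share=0.5, spread=0.9):
    """Flag minutes whose request count exceeds volume_factor times the median minute,
    whose 5xx share is high, or where nearly every request comes from a different
    source (many one-shot clients). Thresholds are illustrative assumptions."""
    baseline = statistics.median(s["requests"] for s in summary.values())
    flagged = []
    for minute, s in summary.items():
        reasons = []
        if s["requests"] > volume_factor * baseline:
            reasons.append("request volume")
        if s["requests"] >= min_requests and s["errors"] / s["requests"] > error_share:
            reasons.append("error rate")
        if s["requests"] >= min_requests and s["sources"] / s["requests"] > spread:
            reasons.append("source spread")
        if reasons:
            flagged.append((minute, reasons))
    return flagged


if __name__ == "__main__":
    for minute, reasons in detect_anomalies(summarize(SAMPLE_LOG)):
        print(f"{minute}: {', '.join(reasons)}")
```

In production the median would come from a longer rolling history rather than from the same window being judged, and the source-spread signal is the one that most often separates a distributed attack from a single misbehaving client or a legitimate traffic spike driven by a few busy users.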

Once a DDoS attack is detected, the services or parts of them are usually already unavailable or at least severely impaired. Rapid action is therefore essential, which is difficult without suitable preparations.

Prevention and Mitigation

There are various approaches to protecting against DDoS attacks and their damage. Against volume-based attacks, the usual approach is to block the attack traffic on its way between the attacker and the victim. This can be done at the level of the large Internet backbone links, at the level of individual Internet providers, or within smaller network segments. Appropriate configuration and filtering ensures that packets sent by the attacker never reach their destination or are filtered out, which usually requires communication and cooperation among the organizations involved. The DDoS mitigation services of Internet providers use such routing and filtering mechanisms to keep attacks from reaching their customers’ networks.

Application-specific services, of which Akamai and Cloudflare are probably the two best known, can be used to protect individual applications. The service provider’s powerful infrastructure is placed between the application and its users and provides filtering, redirection, load balancing and global presence, with the goal of maintaining maximum availability even during an attack.

Generally speaking, the recommendations for protection against non-volume-based DDoS attacks are the same as elsewhere in IT security: Always ensure fully up-to-date and securely configured systems and applications, use appropriate protection systems, perform regular security tests, and use monitoring and alerting.

Conclusion

DDoS attacks are widespread and, unfortunately, it must be assumed that they will remain a serious threat. When protecting against such attacks, it is important to analyze exactly what to protect against, which measures are suitable and what preparations are necessary. For example, a well-configured web application firewall can make a valuable security contribution, but it cannot protect against volume-based DDoS attacks. A DDoS mitigation service can help to maintain the availability of services, but mitigation is often not started automatically, requiring an organization to request its activation from its provider. Mitigating large-scale DDoS attacks often requires coordination and collaboration among multiple independent organizations, something that unfortunately often fails for non-technical reasons. Finally, it is important to realize that in volume-based DDoS attacks the party with the greater resources will win, so an organization should evaluate how much it is willing and able to invest in prevention and protection.

About the Author

Tomaso Vasella

Tomaso Vasella holds a Master’s degree in Organic Chemistry from ETH Zürich. He has been working in the cybersecurity field since 1999 as a consultant, engineer, auditor and business developer. (ORCID 0000-0002-0216-1268)
