The Verizon Data Breach Investigations Report found that these attacks target unsecured,
reflectable services such as NTP, DNS and SSDP and rely on spoofed source IP addresses. The
bandwidth observed in such attacks falls into two clusters (roughly 15 and 59 Gbps), and the
packet rate also falls into two clusters (roughly 3 million and 15 million packets per second).
DDoS attacks are constantly increasing in frequency and severity, and they are easy to launch
because attack tools are readily available. Moreover, the attacks are becoming more complex:
they are polymorphic, and new tools are developed that disguise their true nature.
Consequently, traditional detection methods are often inadequate and the attacks are difficult
to curb.
Types of DDoS Attacks
DDoS SYN flood: In a normal TCP handshake the client sends a SYN, the server answers with a
SYN/ACK, and the client confirms the connection with an ACK. In a SYN flood the attacker sends
a stream of SYN packets, usually from spoofed source addresses, and never sends the final ACK.
Every unanswered SYN/ACK leaves a half-open connection in the server's backlog, and once the
backlog is full the server can accept no new connections.
DDoS TCP flood: A TCP flood uses the normal behaviour of the TCP implementation rather than a
flaw in it: it completes the handshake and establishes real connections with the victim's server.
Once the handshake succeeds, the attacker sends "junk" data over the open connection, either in
bulk or at a very slow rate, keeping the connection alive. Enough such connections exhaust the
server's resources, leaving none to allocate to legitimate clients.
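The half-open condition described above is something you can measure directly. The following is an added example in Python, not code from the article: it replays a constructed list of TCP packet summaries (the tuple layout, the `SAMPLE_PACKETS` data, the `backlog` size and the 30-second half-open timeout are all assumptions made here), tracks each handshake from the client's side, and reports how many connections are stuck waiting for the final ACK on each listening socket.

```python
"""SYN-flood indicator: replay TCP handshake packets and count half-open connections.

Added example (not from the article). Input records are constructed here, not captured.
"""
from collections import defaultdict

# Constructed packet summaries: (timestamp_s, src_ip, src_port, dst_ip, dst_port, flags).
# Flags use tcpdump letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK (handshake completion).
# 10.0.0.5 completes its handshake; the 198.51.100.0/24 sources send SYNs, receive
# SYN/ACKs and never answer, which is what a flood with spoofed sources looks like.
SAMPLE_PACKETS = (
    [(0.000, "10.0.0.5", 40000, "192.0.2.10", 80, "S"),
     (0.001, "192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
     (0.002, "10.0.0.5", 40000, "192.0.2.10", 80, "A")]
    + [(0.100 + i * 0.001, f"198.51.100.{i % 5 + 1}", 1024 + i, "192.0.2.10", 80, "S")
       for i in range(200)]
    + [(0.110 + i * 0.001, "192.0.2.10", 80, f"198.51.100.{i % 5 + 1}", 1024 + i, "SA")
       for i in range(200)]
)


def track_handshakes(packets, now, half_open_timeout=30.0):
    """Return the half-open connections (SYN seen, no final ACK) still alive at `now`.

    Connections are keyed from the client's side so the server's SYN/ACK reply
    (which swaps the addresses) is matched back to the original SYN.
    Half-open entries older than `half_open_timeout` (an assumed value) are treated
    as already reaped by the server's SYN backlog timer and are not counted.
    """
    state = {}  # (client_ip, client_port, server_ip, server_port) -> (phase, last_ts)
    for ts, src, sport, dst, dport, flags in packets:
        if flags == "S":
            state[(src, sport, dst, dport)] = ("SYN_RECEIVED", ts)
        elif flags == "SA":
            key = (dst, dport, src, sport)
            if key in state:
                state[key] = ("SYNACK_SENT", ts)
        elif flags == "A":
            key = (src, sport, dst, dport)
            if state.get(key, (None,))[0] == "SYNACK_SENT":
                state[key] = ("ESTABLISHED", ts)
    return {key for key, (phase, ts) in state.items()
            if phase != "ESTABLISHED" and now - ts <= half_open_timeout}


def syn_flood_report(packets, now, backlog=128, half_open_timeout=30.0):
    """Summarise half-open load per listening socket and raise an alert when it
    reaches the (assumed) SYN backlog size, the point at which new SYNs are dropped."""
    half_open = track_handshakes(packets, now, half_open_timeout)
    per_server = defaultdict(int)
    per_source = defaultdict(int)
    for client_ip, _client_port, server_ip, server_port in half_open:
        per_server[(server_ip, server_port)] += 1
        per_source[client_ip] += 1
    alerts = {server: n for server, n in per_server.items() if n >= backlog}
    return {
        "half_open": len(half_open),
        "per_server": dict(per_server),
        "per_source": dict(per_source),
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = syn_flood_report(SAMPLE_PACKETS, now=1.0)
    print(f"half-open connections: {report['half_open']}")
    for (ip, port), n in report["alerts"].items():
        print(f"ALERT {ip}:{port} has {n} half-open connections (backlog exhausted)")
```

Because a real flood spoofs its source addresses, the per-source counts are spread thin and rarely useful on their own; the robust signal is the half-open count on one listening socket approaching its backlog, which is why the alert is keyed on the server side.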
NTP Amplification Attack:
The Network Time Protocol (NTP) synchronises computer clocks over the internet. An NTP
amplification attack abuses the MONLIST command, which returns a list of the last 600 IP
addresses that communicated with the server. The attacker sends MONLIST requests to an NTP
server with the source address spoofed to the target's IP address, and the server sends its
reply, many times larger than the request, to the target. By sending such requests through many
open NTP servers, the attacker can overwhelm the target with reply traffic.
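Two things a practitioner wants from this paragraph are the size of the amplification and a way to spot reflected MONLIST traffic arriving at a host. The block below is an added example in Python, not code from the article. The packet sizes (`SYNC_PAYLOAD`, `MONLIST_REQUEST_PAYLOAD`, `MONLIST_REPLY_PAYLOAD`, `MONLIST_REPLY_PACKETS`) are assumptions representative of the protocol rather than measurements, and the flow records in `SAMPLE_FLOWS` are constructed.

```python
"""NTP MONLIST amplification: compute the amplification factor and flag reflected
monlist traffic in flow records. Added example (not from the article); all sizes and
flow records below are assumptions/constructed data, not measurements.
"""
from collections import defaultdict

NTP_PORT = 123
SYNC_PAYLOAD = 48            # assumed: a normal NTP mode 3/4 packet carries 48 bytes of UDP payload
MONLIST_REQUEST_PAYLOAD = 8  # assumed: a mode-7 MON_GETLIST_1 request is 8 bytes of UDP payload
MONLIST_REPLY_PAYLOAD = 440  # assumed: each mode-7 reply packet carries 6 entries, about 440 bytes
MONLIST_REPLY_PACKETS = 100  # 600 recorded addresses / 6 entries per reply packet


def amplification_factor(request_payload=MONLIST_REQUEST_PAYLOAD,
                         reply_payload=MONLIST_REPLY_PAYLOAD,
                         reply_packets=MONLIST_REPLY_PACKETS):
    """Bytes delivered to the victim per byte the attacker sends (payload level)."""
    return reply_payload * reply_packets / request_payload


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets, payload_bytes).
SAMPLE_FLOWS = (
    [("203.0.113.7", NTP_PORT, "192.0.2.10", NTP_PORT, 2, 2 * SYNC_PAYLOAD),   # normal peer sync
     ("192.0.2.10", NTP_PORT, "203.0.113.7", NTP_PORT, 2, 2 * SYNC_PAYLOAD)]
    + [(f"203.0.113.{100 + i}", NTP_PORT, "192.0.2.20", 50000 + i,
        MONLIST_REPLY_PACKETS, MONLIST_REPLY_PACKETS * MONLIST_REPLY_PAYLOAD)
       for i in range(50)]  # 50 open NTP servers each dumping a full monlist at the victim
)


def reflection_suspects(flows, min_reflectors=10, min_payload_per_packet=200):
    """Group UDP/123-sourced flows by destination and keep destinations that receive
    oversized NTP replies from many distinct servers.

    Normal time sync is a 48-byte exchange with a handful of configured servers;
    many distinct servers sending ~440-byte packets to one host is the reflection
    signature described in the article. Thresholds are assumed values.
    """
    by_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, _dport, packets, payload in flows:
        if sport != NTP_PORT or packets == 0:
            continue
        if payload / packets < min_payload_per_packet:
            continue  # ordinary-sized sync traffic, not a monlist dump
        by_dst[dst]["reflectors"].add(src)
        by_dst[dst]["bytes"] += payload
    return {dst: (len(v["reflectors"]), v["bytes"])
            for dst, v in by_dst.items() if len(v["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    print(f"monlist amplification factor: {amplification_factor():.0f}x")
    for dst, (n, total) in reflection_suspects(SAMPLE_FLOWS).items():
        print(f"ALERT {dst}: {total} bytes of monlist replies from {n} distinct NTP servers")
```

The detection side is the victim's view; the server side is equally important, because every open server that answers MONLIST is a reflector for someone else's attack. The standard manual check against a server you operate is `ntpdc -n -c monlist <server>`; a server that answers should have `disable monitor` (or `restrict default noquery`) set in ntp.conf, or be upgraded to ntpd 4.2.7p26 or later, where the command is disabled by default.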
Multi Vector Attack:
Compared with traditional attacks, there is a trend toward using several vectors at once to
disable the targeted network or server. Such an attack is called a multi-vector attack. It
combines volumetric attacks, state-exhaustion attacks and application-layer attacks, and it can
cause far greater damage to a business. Defending against it needs a multi-layered approach
across the whole data center and a highly expert IT team.
DDoS HTTP flood:
In an HTTP flood the attacker sends seemingly legitimate HTTP GET or POST requests to the web
server or web application. Unlike a volumetric attack, it does not use malformed packets,
spoofing or any reflection technique, and it needs far less bandwidth, because each request
forces the server to do real work.
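Since the requests in an HTTP flood are well-formed, there is no protocol anomaly to match on; detection has to be behavioural. The following is an added example in Python, not code from the article: it parses web-server access log lines in the common "combined" format, keeps a sliding window of request times per client, and flags clients that exceed a request-rate threshold, reporting alongside how concentrated their traffic is on a single path. The log lines in `build_sample_log()` are constructed, and the window size and threshold are assumed values.

```python
"""HTTP-flood detection over web-server access logs: a per-client sliding window
plus a check of how concentrated the client's requests are on one path.
Added example (not from the article). The log lines are constructed, not captured.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))


def detect_http_flood(lines, window_seconds=10, max_requests=100):
    """Flag clients exceeding `max_requests` within any `window_seconds` interval.

    Both thresholds are assumed values to be tuned per site. The signal is purely
    behavioural: request rate, plus (reported alongside) how much of the client's
    traffic hits a single path, which flood tools tend to hammer.
    """
    recent = defaultdict(deque)       # ip -> timestamps inside the current window
    paths = defaultdict(Counter)      # ip -> path histogram
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, _status = rec
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        paths[ip][path] += 1
        if len(q) > max_requests and ip not in flagged:
            top_path, hits = paths[ip].most_common(1)[0]
            flagged[ip] = {
                "first_exceeded_at": ts,
                "requests_in_window": len(q),
                "top_path": top_path,
                "top_path_share": hits / sum(paths[ip].values()),
            }
    return flagged


def build_sample_log():
    """Constructed log: one normal visitor plus one client posting the same search 300 times in 6 s."""
    base = datetime(2015, 7, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f'10.0.0.5 - - [{t.strftime(TS_FMT)}] "GET /page{i}.html HTTP/1.1" 200 5120')
    for i in range(300):
        t = base + timedelta(milliseconds=20 * i)
        lines.append(f'198.51.100.9 - - [{t.strftime(TS_FMT)}] "POST /search HTTP/1.1" 200 20480')
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for ip, info in detect_http_flood(build_sample_log()).items():
        print(f"ALERT {ip}: {info['requests_in_window']} requests in window, "
              f"{info['top_path_share']:.0%} to {info['top_path']}")
```

A per-IP rate alone is a weak signal against a botnet that spreads requests across thousands of sources, which is why the path concentration is reported as well: a sudden wave of clients all hitting the same expensive endpoint (a search or login handler) is the pattern to rate-limit or challenge at the edge.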
52 Cyber Warnings E-Magazine – July 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide