Basic network attacks. What is a network attack. Determining host vulnerabilities

I talked a little about who hackers are, and in this article I want to continue this topic and write about the types of hacker attacks and give recommendations for preventing them.

An attack on an information system is an action, or a sequence of interconnected actions, by an intruder that leads to the realization of a threat by exploiting the vulnerabilities of that information system. Let's start studying the attacks:

Phishing

Phishing. Its purpose is to obtain information (passwords, credit card numbers, etc.) or money from users. The technique targets many users at once rather than a single one: for example, letters purporting to come from the technical support service are sent to all known clients of a bank.

The letters usually ask you to send the password for your account, allegedly because of some technical work being carried out. Such letters are usually very plausible and well written, which can fool gullible users.

Recommendations: paranoia is the best defense. Don't trust anything suspicious and don't give your details to anyone. Administrators do not need to know your password if it is used to access their server: they fully control the server and can look up the password themselves or change it.

Social engineering

Social engineering is a psychological rather than a technical technique. Using data gathered during reconnaissance (enumeration of the target), an attacker can, for example, call a user on a corporate network on behalf of the administrator and try to find out his password.

This becomes possible because in large networks users do not know all of the employees, and even less can they reliably recognize them over the phone. In addition, sophisticated psychological techniques are used, so the chance of success increases greatly.

Recommendations: the same. If there is a genuine need, provide the necessary information in person. If you have written your password down on paper, do not leave it lying around; if possible, destroy it rather than simply throwing it in the trash.

DoS

DoS (Denial of Service). This is not a separate attack but the result of one; it is used to disable a system or individual programs. To achieve it, the attacker crafts a request to a program in a special way, after which the program stops functioning. A restart is required to return the program to a working state.

Smurf

Smurf (an attack that exploits protocol implementation errors). This type of attack is now considered exotic, but earlier, when TCP/IP was still quite new, it contained a number of errors that made it possible, for example, to spoof IP addresses.

However, this type of attack is still used today. Some experts distinguish TCP Smurf, UDP Smurf and ICMP Smurf; naturally, this division is based on the type of packets.

UDP Storm

UDP Storm. Used when at least two UDP ports are open on the victim, each of which sends some kind of response to the sender. For example, port 37 (the time service) replies to a request with the current date and time. The attacker sends a UDP packet to one of the victim's ports but puts the victim's own address and the victim's second open UDP port as the sender.

The two ports then respond to each other endlessly, which degrades performance. The storm stops as soon as one of the packets is lost (for example, due to resource exhaustion).

UDP Bomb

UDP Bomb. The attacker sends a packet with malformed service fields to a UDP service. The data can be corrupted in any way (for example, incorrect field lengths or structure). This may cause a crash. Recommendations: keep the software updated.

Mail Bombing

Mail Bombing. If the attacked computer runs a mail server, a huge number of mail messages are sent to it in order to disable it.

In addition, such messages are stored on the server's hard drive and can fill it up, which can cause a DoS. Of course, this attack is now largely history, but in some cases it can still be used. Recommendations: proper configuration of the mail server.

Sniffing

Sniffing (listening to the network). If the network uses hubs instead of switches, received packets are sent to all computers on the network, and each computer then determines whether the packet is addressed to it.

If an attacker gains access to a computer connected to such a network, or to the network directly, then all information transmitted within the network segment, including passwords, becomes available to him.

The attacker simply puts the network card into promiscuous (listening) mode and accepts all packets, regardless of whether they were intended for him.


IP Hijack

IP Hijack. If there is physical access to the network, an attacker can "cut" into the network cable and act as an intermediary in the transmission of packets, thereby listening to all traffic between two computers. This is a very inconvenient method that often does not justify itself, except in cases where no other method can be implemented.

Such a tap is inconvenient in itself, although there are devices that simplify the task somewhat; in particular, they track packet sequence numbers to avoid failures and possible detection of the intrusion into the channel.

Dummy DNS Server

Dummy DNS Server (rogue DNS server). If the network settings are in automatic mode, then when connecting to the network the computer "asks" which host will be its DNS server, to which it will subsequently send its DNS requests.

If there is physical access to the network, an attacker can intercept such a broadcast request and reply that his computer will be the DNS server.

After this, he can send the deceived victim along any route. For example, the victim wants to go to a bank's website and transfer money; the attacker can direct it to his own computer, where a fake password entry form is waiting. After this, the password belongs to the attacker.

This is a rather complicated method, because the attacker needs to respond to the victim before the real DNS server does.

IP Spoofing

IP Spoofing (IP address substitution). The attacker replaces his real IP with a fictitious one. This is needed when only certain IP addresses have access to a resource: the attacker changes his real IP to a "privileged" or "trusted" one to gain access. The method can also be used in other ways.

After two computers have established a connection with each other by checking their passwords, the attacker can cause the victim to overload its network resources with specially crafted packets. In this way he can redirect traffic to himself and thus bypass the authentication procedure.

Recommendations: the threat is reduced by shortening the timeout for the response packet with the SYN and ACK flags set, and by increasing the maximum number of pending SYN requests in the connection queue (tcp_max_backlog). SYN cookies can also be used.

Software vulnerabilities

Software vulnerabilities. Exploiting bugs in software. The effect varies from obtaining insignificant information to gaining complete control over the system. Attacks that exploit software errors have always been the most popular.

Old errors are fixed in new versions, but new versions introduce new errors that can again be exploited.

Viruses

This is the problem best known to the ordinary user. The idea is to introduce a malicious program onto the user's computer. The consequences vary and depend on the type of virus that infects the computer.

In general they range from stealing information to sending spam, organizing DDoS attacks and gaining complete control over the computer. Besides files attached to e-mail, viruses can enter the computer through OS vulnerabilities.

Recommendations: use antivirus software. Don't limit yourself to DrWEB or Kaspersky Anti-Virus alone (because they don't check the registry); also use specialized anti-malware tools, for example Ad-Aware, SpyBot or XSpy.

Also, do not open suspicious attachments, and in general do not run programs from unknown senders. Even if the sender is familiar to you, check with an antivirus first.

Attack classification

1. By the nature of the impact

  • passive
  • active

Passive impact on a distributed computing system (DCS) - an impact that does not directly affect the operation of the system but may violate its security policy.

A passive remote impact is virtually undetectable.

Example: listening to a communication channel on a network.

Active impact on a distributed computing system - an impact that directly affects the operation of the system (changes in the configuration of the DCS, malfunction, etc.) and violates the security policy adopted in it.

Almost all types of remote attacks are active impacts. A feature of active impact, compared to passive, is the fundamental possibility of detecting it, since its implementation causes certain changes in the system. Unlike an active impact, a passive one leaves no traces.

2. According to the purpose of influence

  • violation of information confidentiality
  • violation of information integrity
  • disruption of system performance (availability)

When information is intercepted, its confidentiality is violated.

Example: listening to a channel on the network.

When information is distorted, its integrity is violated.

Example: introducing a false object into a DCS.

When the system is rendered inoperable, unauthorized access does not occur, i.e. the integrity and confidentiality of the information are preserved, but legitimate users also cannot access it.

3. According to the condition of the beginning of the impact

  • Attack on request from the attacked object
  • Attack upon the occurrence of an expected event on the attacked object
  • Unconditional attack

In the case of a request, the attacker expects a request of a certain type to be sent from the potential target of the attack, which will be the condition for starting the impact.

Example: DNS and ARP queries in the TCP/IP stack.

In the case of an event, the attacker constantly monitors the state of the operating system of the remote target and begins to act when a certain event occurs in that system.

In these cases the initiator of the attack is the attacked object itself.

Example: interrupting a user's session with a server in a network OS without issuing the LOGOUT command.

In the case of an unconditional attack, the beginning of its implementation is unconditional in relation to the target of the attack, that is, the attack is carried out immediately and regardless of the state of the system and the attacked object. Therefore, in this case, the attacker is the initiator of the attack.

4. Based on the presence of feedback from the attacked object

  • with feedback
  • without feedback (unidirectional attack)

Attack with feedback - an attack during which the attacker receives responses from the attacked object to some of his actions. These responses are needed to continue the attack and/or carry it out more effectively, reacting to changes occurring on the attacked system.

Attack without feedback - an attack that proceeds without reacting to the behavior of the attacked system.

Example: denial of service (DoS).

5. By the location of the attacker relative to the attacked object

  • intrasegmental
  • intersegmental

Intra-segment attack - an attack in which the subject and the object of the attack are located within the same network segment, where a segment is a physical association of stations using communication devices no higher than the data link layer.

Inter-segment attack - an attack in which the subject and the object of the attack are located in different network segments.

6. By the number of attackers

  • distributed
  • non-distributed

Distributed attack - an attack carried out by two or more attackers on the same computer system, united by a common plan and timing.

Non-distributed attack - an attack carried out by a single attacker.

7. According to the level of the ISO/OSI reference model at which the impact is carried out

  • physical
  • data link
  • network
  • transport
  • session
  • presentation
  • application

2. Classification of methods for detecting and protecting against attacks

Classification of information security services by ISO/OSI model layer (ISO 7498-2 standard)

Physical layer

According to ISO 7498-2, the services provided at this layer are limited to connection confidentiality and traffic flow confidentiality. Confidentiality at this layer is usually provided by bit-level (stream) encryption. These services can be implemented almost transparently, that is, without adding extra data (apart from connection establishment).

Integrity and authentication are usually not possible here, because the bit-level interface of this layer has no way to carry the additional data required to implement these services. However, the use of appropriate encryption techniques at this layer can provide a basis for these services at higher layers.

For example, a cryptographic mode such as DES in output feedback (OFB) mode does not propagate errors when the ciphertext is modified, so this mode would be a poor choice if more than confidentiality is required. In contrast, a DES mode such as 1-bit cipher feedback (CFB) mode provides the necessary error propagation properties and can serve as a suitable basis for integrity and authentication. Physical and data link layer security mechanisms are usually implemented as additional hardware.
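An added example (not from the article) illustrating the error-propagation contrast just described: a constructed toy 64-bit Feistel cipher stands in for DES so that the script runs with the standard library only (an assumption; the property shown belongs to the modes, not the cipher), and each mode is run with a single ciphertext bit flipped in transit.

```python
import hashlib

BLOCK = 8                 # 64-bit block, the DES block size
MASK64 = (1 << 64) - 1

# Constructed sample inputs for the demonstration below.
DEMO_KEY = b"demo-key"
DEMO_IV = b"\x01" * BLOCK
DEMO_MSG = b"The quick brown fox jumps over a"   # 32 bytes = 256 bits


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Round function of the toy cipher: a keyed hash truncated to 32 bits."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round 64-bit Feistel cipher standing in for DES (a constructed stand-in,
    not a vetted cipher). Only the encryption direction is needed by OFB and CFB."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, right, rnd)))
    return left + right


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB mode: keystream E(IV), E(E(IV)), ... XORed with the data. Encryption and
    decryption are the same operation, and the keystream never depends on the ciphertext."""
    out, state = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        state = block_encrypt(key, state)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], state))
    return bytes(out)


def _bits(data: bytes):
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def _from_bits(bits) -> bytes:
    out, acc, n = bytearray(), 0, 0
    for b in bits:
        acc, n = (acc << 1) | b, n + 1
        if n == 8:
            out.append(acc)
            acc, n = 0, 0
    return bytes(out)


def cfb1_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """1-bit CFB mode: a 64-bit shift register of previous CIPHERTEXT bits is encrypted
    and its top output bit masks the next data bit. Because ciphertext feeds back, a
    modified ciphertext bit disturbs the following 64 plaintext bits (error propagation)."""
    reg, out = int.from_bytes(iv, "big"), []
    for bit in _bits(data):
        ks = block_encrypt(key, reg.to_bytes(BLOCK, "big"))[0] >> 7
        result = bit ^ ks
        cbit = bit if decrypt else result          # the ciphertext bit is what gets fed back
        out.append(result)
        reg = ((reg << 1) | cbit) & MASK64
    return _from_bits(out)


def flip_bit(data: bytes, pos: int) -> bytes:
    """Simulate a single-bit modification of the ciphertext in transit."""
    buf = bytearray(data)
    buf[pos // 8] ^= 1 << (7 - pos % 8)
    return bytes(buf)


def damaged_bits(mode: str, key: bytes, iv: bytes, plaintext: bytes, pos: int) -> list:
    """Encrypt, flip ciphertext bit `pos`, decrypt, and report which plaintext bit
    positions changed. OFB: exactly [pos], a silent and precisely controlled change.
    CFB-1: pos plus a pseudo-random garble of the next 64 bits, which a higher-layer
    integrity check can notice."""
    if mode == "ofb":
        tampered = ofb_crypt(key, iv, flip_bit(ofb_crypt(key, iv, plaintext), pos))
    elif mode == "cfb1":
        tampered = cfb1_crypt(key, iv, flip_bit(cfb1_crypt(key, iv, plaintext), pos), decrypt=True)
    else:
        raise ValueError("mode must be 'ofb' or 'cfb1'")
    return [i for i, (a, b) in enumerate(zip(_bits(plaintext), _bits(tampered))) if a != b]


if __name__ == "__main__":
    print("OFB   bits changed:", damaged_bits("ofb", DEMO_KEY, DEMO_IV, DEMO_MSG, 40))
    print("CFB-1 bits changed:", damaged_bits("cfb1", DEMO_KEY, DEMO_IV, DEMO_MSG, 40))
```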

Data link layer

According to ISO 7498-2, the services provided at the data link layer are connection confidentiality and connectionless (datagram) confidentiality.

Data link layer security is usually provided on a point-to-point basis, much like physical layer security. Again, the scope of the services must end at the points where the interacting peer entities, that is, end systems and switches, are located. In a LAN (or WAN) environment, confidentiality services can also be provided for broadcast or multicast transmissions supported by LAN technologies, as well as for point-to-point links.

Network layer

Network layer security can be provided between end systems on the network, regardless of the switches used (e.g. X.25 packet switches). ISO 7498-2 notes that several security services are applicable at this layer: connection confidentiality, connectionless confidentiality, traffic flow confidentiality, integrity (for connections without recovery and for datagrams), data origin and peer entity authentication, and access control.

Transport layer

For the transport layer, ISO 7498-2 defines the following security services: confidentiality (for connections or datagrams), integrity (all forms except selective-field integrity), data origin and peer entity authentication, and access control. There is only one difference between the security services provided for datagram communication at the transport layer and those offered at the network layer: the network layer can provide protection in intermediate systems (using network layer mechanisms), and not only in end systems (using transport layer mechanisms).

Session layer

ISO 7498-2 does not provide for security services at the session layer. This layer offers little in the way of communication functionality compared to the transport or application layers. On the principle that there is no point in providing security that does not correspond to the underlying communication functionality of a layer, one can argue against providing security at the session layer. In addition, it can be argued that security functions are better provided at the transport, presentation or application layers.

Presentation layer

Since this layer is used to convert data between local and network representations, it is advantageous to encrypt data at this layer rather than at the application layer. If the application itself performs the encryption, it prevents the presentation layer from performing its function on that data. This is an argument against implementing application-layer encryption for applications that communicate directly (rather than through intermediaries). The alternative is to duplicate presentation layer functions in the applications. In the TCP/IP stack this conflict does not arise, because presentation functions are embedded in the applications rather than in a separate layer.

Application layer

ISO 7498-2 states that all security services can be provided at the application layer, and that non-repudiation (control over the participants of the exchange) can be provided only at this layer. However, providing some services at this layer causes problems because of the conflict with the functions of the presentation layer. This limitation is circumvented for applications with multi-stage data delivery, such as e-mail or directory services (the X.400 and X.500 specifications). The conflict is also overcome in the TCP/IP stack, where presentation functions are usually included in the applications.

In fact, applications such as e-mail and directory services can only be secured using application layer security. E-mail requires security at this layer for several reasons.

First, some of the security services it needs can be provided only at this layer, for example non-repudiation. Second, messages are usually addressed to groups of recipients (application layer multicast), and delivery takes place in several stages through message switches. Protection at lower layers is usually provided only in real time, for point-to-point links.

For e-mail, security mechanisms at lower layers can protect the path from the sender to a message transfer agent (MTA), between MTAs, and between an MTA and the recipient, but only hop by hop. Ensuring end-to-end confidentiality from author to reader requires e-mail-specific techniques.

For directory services, similar problems prevent lower-layer security tools from adequately meeting the security requirements. For example, a user's request to a directory server may be forwarded to other servers in the course of producing a response. If the directory server that ultimately receives the request must decide whether to grant access based on the identity of the requester, that decision cannot be made on the basis of information from lower-layer protocols.

Moreover, without trusting the servers that forwarded the request, the responding server cannot be sure that the request has not been modified. Thus this application, like e-mail, illustrates the fundamental reason for application-layer security: the inability to satisfy security requirements using lower-layer capabilities alone.

Classification of attack detection methods.

By detection technology

· anomaly detection

This approach builds a statistical model of normal user behavior; deviation from the model is treated as a sign of attack. Its weakness is that it generates too many false alarms.

· misuse detection

With this approach the system looks for known attack signatures and raises an alarm when it finds one. It is more reliable and more practical to implement; almost all attack detection systems on the market today are based on this approach, although development of the first approach is now moving forward.

By detection level

Detection of attacks at the network level

Network-level attack detection systems use raw network packets as the data source for analysis. Typically, a network-level intrusion detection system (IDS) uses a network adapter operating in promiscuous mode and analyzes traffic in real time as it passes through a network segment. The attack recognition module uses four well-known methods to recognize an attack signature:

· Matching traffic against a pattern (signature), expression or bytecode that indicates an attack or suspicious action;

· Monitoring the frequency of events or the exceeding of a threshold value;

· Correlation of multiple low-priority events;

· Detection of statistical anomalies.
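An added example (not from the article, and not the code of any IDS product) showing the four recognition methods just listed running over a constructed packet-summary log; the one-line log format, the signatures, the thresholds and the length baseline are all assumptions made for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed one-line packet-summary format (constructed for this example).
LINE_RE = re.compile(
    r'(?P<ts>\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+) (?P<proto>\w+) dport=(?P<dport>\d+)'
    r' flags=(?P<flags>\S*) len=(?P<len>\d+)(?: payload="(?P<payload>[^"]*)")?')

# Method 1: content signatures (pattern / regular expression) matched against the payload.
SIGNATURES = [
    ("path traversal in HTTP request", re.compile(r"\.\./")),
    ("shell metacharacters in request", re.compile(r"[;|`]")),
]
SYN_THRESHOLD, SYN_WINDOW_S = 5, 2   # Method 2: more than 5 SYNs from one source within 2 s
SCAN_DISTINCT_PORTS = 4              # Method 3: 4 distinct ports probed by one source = scan
ANOMALY_Z = 3.0                      # Method 4: packet length more than 3 sigma above baseline

# Packet lengths observed during a quiet "training" period (constructed baseline).
BASELINE_LENS = [60, 60, 64, 72, 80, 96, 120, 140, 180, 220, 320, 480, 576, 1024, 1400, 1500]

# Constructed packet summaries: a SYN burst, a port sweep, a hostile HTTP request and an
# oversized ICMP packet, plus an ordinary HTTPS packet that should raise nothing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 > 10.0.0.9 tcp dport=22 flags=S len=60
2024-03-01T09:00:00 10.0.0.5 > 10.0.0.9 tcp dport=22 flags=S len=60
2024-03-01T09:00:00 10.0.0.5 > 10.0.0.9 tcp dport=22 flags=S len=60
2024-03-01T09:00:01 10.0.0.5 > 10.0.0.9 tcp dport=22 flags=S len=60
2024-03-01T09:00:01 10.0.0.5 > 10.0.0.9 tcp dport=22 flags=S len=60
2024-03-01T09:00:01 10.0.0.5 > 10.0.0.9 tcp dport=22 flags=S len=60
2024-03-01T09:00:02 10.0.0.6 > 10.0.0.9 tcp dport=21 flags=S len=60
2024-03-01T09:00:02 10.0.0.6 > 10.0.0.9 tcp dport=22 flags=S len=60
2024-03-01T09:00:03 10.0.0.6 > 10.0.0.9 tcp dport=23 flags=S len=60
2024-03-01T09:00:03 10.0.0.6 > 10.0.0.9 tcp dport=25 flags=S len=60
2024-03-01T09:00:04 10.0.0.7 > 10.0.0.9 tcp dport=80 flags=PA len=118 payload="GET /../../etc/passwd HTTP/1.0"
2024-03-01T09:00:05 10.0.0.8 > 10.0.0.9 icmp dport=0 flags=- len=65000
2024-03-01T09:00:06 10.0.0.4 > 10.0.0.9 tcp dport=443 flags=PA len=1400
"""


def detect(log_text: str, baseline_lens: list) -> list:
    """Run the four recognition methods over the log; return (method, source, detail)
    alerts, at most one alert per method and source."""
    mean, sd = statistics.mean(baseline_lens), statistics.stdev(baseline_lens)
    syn_times, probed_ports = defaultdict(list), defaultdict(set)
    alerts, fired = [], set()

    def raise_once(method, src, detail):
        if (method, src) not in fired:
            fired.add((method, src))
            alerts.append((method, src, detail))

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unparsable line: skip it
        rec = m.groupdict()
        ts = datetime.fromisoformat(rec["ts"])
        # Method 1: signature match on the packet payload
        for name, rx in SIGNATURES:
            if rec["payload"] and rx.search(rec["payload"]):
                raise_once("signature", rec["src"], name)
        if rec["proto"] == "tcp" and rec["flags"] == "S":
            # Method 2: frequency threshold, SYNs per source inside a sliding window
            times = syn_times[rec["src"]]
            times.append(ts)
            times[:] = [t for t in times if (ts - t).total_seconds() <= SYN_WINDOW_S]
            if len(times) > SYN_THRESHOLD:
                raise_once("threshold", rec["src"], f"{len(times)} SYNs within {SYN_WINDOW_S}s")
            # Method 3: correlate individually harmless probes into one port-scan event
            ports = probed_ports[rec["src"]]
            ports.add(int(rec["dport"]))
            if len(ports) >= SCAN_DISTINCT_PORTS:
                raise_once("correlation", rec["src"], f"probed ports {sorted(ports)}")
        # Method 4: statistical anomaly, packet length far outside the learned baseline
        z = (int(rec["len"]) - mean) / sd
        if z > ANOMALY_Z:
            raise_once("anomaly", rec["src"], f"len={rec['len']} is {z:.1f} sigma above baseline")
    return alerts


if __name__ == "__main__":
    for method, src, detail in detect(SAMPLE_LOG, BASELINE_LENS):
        print(f"[{method:11}] {src}: {detail}")
```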

Once an attack is detected, the response module offers a wide range of options for notification, alarms and countermeasures. These vary from system to system but typically include notifying the administrator via the console or e-mail, terminating the connection with the attacking host, and/or recording the session for later analysis and evidence collection.

Advantages of attack detection systems at the network level

Network-level IDSs have many advantages that system-level intrusion detection systems lack. In fact, many customers choose network-level intrusion detection because of its low cost and timely response. Below are the main reasons that make network-level attack detection the most important component of effective security policy implementation.

1. Low cost of operation. A network-level IDS need only be installed at critical points on the network to monitor traffic flowing between multiple systems. Network-level systems do not require intrusion detection software to be installed on every host. Since the number of places where IDSs are installed to monitor the entire network is small, the cost of operating them in an enterprise network is lower than the cost of operating system-level attack detection systems.

2. Detects attacks that are missed at the system level. Network-level IDSs examine packet headers for suspicious or hostile activity. System-level IDSs do not deal with packet headers, so they cannot detect these types of attacks. For example, many network attacks such as denial of service and teardrop can only be identified by analyzing packet headers as they traverse the network. Such attacks can be quickly identified by a network-level IDS that monitors traffic in real time. Network-level IDSs can also examine the contents of a packet's data body, looking for commands or specific syntax used in particular attacks. For example, when a hacker tries to use the Back Orifice program against systems not yet affected by it, this fact can be discovered by examining the contents of the packet's data body. As discussed above, system-level systems do not operate at the network level and are therefore unable to recognize such attacks.

3. It is harder for a hacker to remove traces of his presence. Network-level IDSs use live traffic to detect attacks in real time, so the hacker cannot remove the traces of his presence. The analyzed data includes not only information about the attack method but also information that can help identify the attacker and prove it in court. Because many hackers are intimately familiar with logs, they know how to manipulate these files to hide traces of their activity, reducing the effectiveness of system-level systems that require this information to detect an attack.

4. Real-time detection and response. Network-level IDSs detect suspicious and hostile attacks AS THEY HAPPEN and therefore provide much faster notification and response than system-level IDSs. For example, a hacker launching a TCP-based network-level denial of service attack can be stopped by a network-level IDS that sends a TCP packet with the Reset flag set to terminate the connection with the attacking host before the attack causes destruction or damage to the target host. System-level IDSs typically do not recognize attacks until the attack has been logged, and respond only after that. At this point the most critical systems or resources may already be compromised, or the system running the system-level IDS may itself be compromised. Real-time notification allows a quick response according to predefined parameters. These responses range from allowing the intrusion to continue in a surveillance mode, in order to gather information about the attack and the attacker, to immediately terminating the attack.

5. Detection of failed attacks or suspicious intent. A network-level IDS installed outside the firewall can detect attacks targeting resources behind the firewall, even though the firewall may repel those attempts. System-level systems do not see repelled attacks that never reach the host behind the firewall. This lost information may be the most important when evaluating and improving security policy.

6. OS independence. Network-level IDSs are independent of the operating systems installed on the corporate network. System-level intrusion detection systems require specific operating systems to function properly and generate the required results.

System-level attack detection

In the early 1980s, before networks took off, the most common attack detection practice was to review logs for events indicating suspicious activity. Modern system-level attack detection systems remain a powerful tool for understanding past attacks and identifying appropriate techniques to mitigate future exploits. They still use logs, but they have become more automated and include sophisticated detection techniques based on the latest mathematical research.

Typically, system-level IDSs monitor the system, event and security logs (Windows event logs or Unix syslog) on networks running Windows NT or Unix. When any of these files changes, the IDS compares the new entries with attack signatures to see whether there is a match. If a match is found, the system sends an alarm to the administrator or activates other specified response mechanisms. System-level IDSs are constantly evolving, gradually incorporating more new detection methods. One popular method is to check the checksums of key system and executable files at regular intervals for unauthorized changes; the timeliness of the response is directly related to the polling frequency. Some products listen on active ports and notify the administrator when someone tries to access them.

Advantages of system-level attack detection systems

While system-level intrusion detection systems are not as fast as their network-level counterparts, they offer advantages that the latter do not. These include more rigorous analysis, closer attention to host-specific event data, and lower implementation cost.

1. Confirms the success or failure of an attack. Since system-level IDSs use logs containing data about events that actually took place, IDSs of this class can determine with high accuracy whether an attack actually succeeded. In this respect system-level IDSs are an excellent complement to network-level intrusion detection systems: the combination gives early warning of the onset of an attack from the network component and confirmation of its success from the system component.

2. Monitors the activity of a specific host. A system-level IDS monitors user activity, file access, changes in file permissions, attempts to install new programs and/or attempts to gain access to privileged services. For example, a system-level IDS can monitor all of a user's logon and logoff activity, as well as the actions each user performs while connected to the network. It is very difficult for a network-level system to provide this level of event detail. System-level intrusion detection technology can also monitor activities that would normally be carried out only by an administrator. Operating systems log every event in which user accounts are added, deleted or modified, and system-level IDSs can detect such a change as soon as it occurs. System-level IDSs can also audit changes to the security policy that affect how systems keep their logs, and so on.

Finally, system-level intrusion detection systems can monitor changes to key system files or executables. Attempts to overwrite such files or install Trojan horses can be detected and stopped. Network-level systems sometimes miss this type of activity.

3. Detects attacks that network-level systems miss. System-level IDSs can detect attacks that network-level tools cannot. For example, attacks originating from the attacked server itself cannot be detected by network-level attack detection systems.

4. Well suited to encrypted and switched networks. Because a system-level IDS is installed on the various hosts of an enterprise network, it can overcome some of the challenges encountered when operating network-level systems in switched and encrypted networks.

Switching allows large networks to be managed as many small network segments. As a result, it can be difficult to determine the best location to install a network-level IDS. Sometimes mirror (SPAN) ports on the switches can help, but these methods are not always applicable. Attack detection at the system level works more efficiently in switched networks, because it allows the IDS to be placed only on the hosts where it is needed.

Certain types of encryption also pose challenges for network-level intrusion detection systems. Depending on where encryption is performed (link-level or end-to-end), a network-level IDS may remain "blind" to certain attacks. System-level IDSs do not have this limitation, since the OS, and therefore the system-level IDS, sees incoming traffic after it has been decrypted.

5. Near-real-time detection and response. Although system-level attack detection does not provide a truly real-time response, it can come close when implemented correctly. Unlike legacy systems that check the status and contents of logs at predetermined intervals, many modern system-level IDSs receive an interrupt from the OS as soon as a new log entry appears. The new entry can be processed immediately, significantly reducing the time between recognizing an attack and responding to it. A delay remains between the moment the operating system writes an event to the log and the moment the intrusion detection system recognizes it, but in many cases the attacker can be detected and stopped before any damage is done.

6. No additional hardware required. System-level intrusion detection systems are installed on the existing network infrastructure, including file servers, Web servers and other resources in use. This makes system-level IDSs very cost-effective, because they do not require yet another node on the network to be attended to, maintained and managed.

7. Low price. Although network-level intrusion detection systems analyze the traffic of the entire network, they are often quite expensive: the cost of a single intrusion detection system can exceed $10,000. System-level intrusion detection systems, on the other hand, cost hundreds of dollars per agent and can be bought when the buyer needs to monitor only some hosts of the enterprise without monitoring network attacks.

The goal of any attack on a website is to eliminate a competitor who is taking away customers, or simply unique visitors. Many webmasters do not always use only "white hat" methods to promote their brainchild; "black hat" methods are used as well. Through black-hat promotion, the owner of a company or simply of a website climbs to the top of the search results by destroying his competitors.

But the worst thing is that completely innocent sites can become victims of an attack, perhaps even ones that were only recently created; this can happen if the entire server is attacked. Incidentally, this is the very reason why you should buy a dedicated IP for your website. And even though these attacks are punishable by law, that does not stop the majority.

It is impossible to protect your website 100%. If attackers have a large budget and a strong desire, hardly anything can stop them.

Targets of attacks

There are several main goals:

— Theft of user passwords, access to closed sections;

— “Destruction” of the server. The goal is to bring it to a non-working state;

— Get unlimited access to the server;

— Implantation of links, various viruses and other things into the code;

— Lowering the site in search results until it disappears completely.

In addition to the above, attacks are divided into internal and external. Internal ones include various hacks aimed at gaining access to a site or server; external ones include slander or spam.

It is possible to fight against internal types of attacks quite actively. As for external ones, everything is much more complicated. The thing is that the server owner cannot take control of the situation, which makes him very vulnerable.

Types of attacks

DDoS attack

This is, I apologize, the most disgusting variety. The consequence of such an attack will be a complete shutdown of the server, and maybe even several servers. The worst thing is that there is no 100% complete DDoS protection. If the attack is not weak, then the server will be inoperative until the attack is stopped.

Another characteristic of DDoS attacks is their accessibility. To “overwhelm” a competitor’s server, you don’t need to be a professional hacker; you only need money or your own botnet (a botnet is a network of infected computers). For a weak DDoS, several computers are enough.

DDoS stands for “distributed denial of service”. The point of the attack is simultaneous, massive access to the server from numerous computers.


As we know, any server has a maximum load limit, and if this load is exceeded, which is what a DDoS attack does, then the server “dies.”

The most interesting thing is that ordinary network users participate in the attacks without knowing it. And the more new users there are on the Internet, the larger the botnet army, and as a result, the attack force will grow exponentially. But today, hackers have redirected their efforts from DDoS attacks to fraudulent tricks to directly make money.

The power of an attack is measured by the volume of traffic sent to the competitor's server per second. Attacks with a traffic volume of more than a few GB/sec are very difficult to counter: such a volume of traffic is almost impossible to filter. Such powerful attacks usually do not last long, but even one day of downtime for a large company can cause serious damage in the form of lost sales and reputation.

By the way, not only individual servers are attacked, but also national networks, as a result of which the network is cut off in entire regions.

For prevention, you should place your sites on servers that have an impressive supply of resources so that you have time to take action.

As simple methods against weak attacks, we can recommend:
— serve, instead of the main page of the site (if the attack is aimed at it), a page with a redirect; since it is much smaller, the load on the server is incomparably lower;
— if the number of connections from one IP exceeds a certain threshold, blacklist it;
— reduce the number of clients (MaxClients) simultaneously connected to the server;
— block foreign traffic, since attacks most often come from Asian countries.
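An added example (not from the original article) of the per-IP connection rule above, in Python: it parses constructed web-server log lines in the common “combined” format and reports sources that exceed a request threshold inside a sliding time window, the candidates for a temporary block. The addresses, timestamps and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line of Apache/nginx "combined" format: client ip, ident, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def flag_noisy_sources(lines, limit, window_seconds):
    """Return {ip: peak_count} for sources that made more than `limit` requests
    inside any sliding window of `window_seconds` (lines must be in time order).

    This is the "too many connections from one IP -> blacklist" rule applied
    to a log stream. Caveat: many legitimate users can share one address
    behind NAT, so treat a hit as a candidate for a temporary block or review,
    not an automatic permanent ban.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire requests older than the window
            q.popleft()
        if len(q) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def constructed_log():
    """Constructed sample log (not real traffic): one ordinary visitor and one
    source hitting the front page five times a second for a minute."""
    base = datetime.strptime("10/Oct/2023:13:55:36 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 5120 "-" "{ua}"'
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        if i % 10 == 0:
            lines.append(fmt.format(ip="203.0.113.7", ts=ts, ua="Mozilla/5.0"))
        for _ in range(5):
            lines.append(fmt.format(ip="198.51.100.2", ts=ts, ua="python-requests/2.31"))
    return lines


if __name__ == "__main__":
    print(flag_noisy_sources(constructed_log(), limit=100, window_seconds=60))
```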

You need to have a separate independent channel to the server, through which you can access it if the main one is unavailable. All server software must be regularly updated and all upcoming patches installed.

Something resembling a DDoS attack can be caused by search engines or other robots that are actively indexing the site. If the site engine is not optimized, a large number of page hits in a short period of time creates too much load on the server.

Hacking the server and posting links or viruses

Many novice webmasters discover hidden links on their sites only when these links have already led to negative consequences: for example, the site is blocked by the hoster, drops out of the search engine index, or a complaint is filed about the domain. Only then is it discovered that the site has been hacked and links have been planted on it, either to promote other resources or to spread viruses and Trojans.


There is a possibility that the hosting server itself was hacked. But in most cases, such nasty things end up on sites through holes in the site’s engines or as a result of the webmaster’s negligence when storing passwords.

Hidden links are one of the popular reasons for search engine sanctions; in particular, there may be significant pessimization (a drop of several hundred positions across the board), which will be extremely difficult to recover from. If not just links but virus code is inserted, the hoster can simply delete the site without warning. The resource and its IP address may also be blacklisted by the dubious (if not fraudulent) company Spamhaus, which means the end, since getting out of there is almost impossible.

Prevention is simple: follow engine updates and install all new versions and patches as they come out. And you simply cannot store passwords on your computer in clear text. The same applies to all server software.

Predictable names of service folders and files (Predictable Resource Location) also pose a danger: by simple enumeration an attacker determines where they are and gains an advantage. Here it is worth sacrificing convenience for safety.

SQL injection

SQL injection is the execution of an attacker's SQL query on someone else's server through vulnerabilities in site engines and flaws in program code. The essence of the hole is that an arbitrary SQL fragment can be passed in a GET parameter and ends up inside the query. Therefore, all string parameters must be escaped (mysql_real_escape_string) and surrounded by quotes.

Using an injection, a hacker can perform almost any action with the database - delete it, gain access to user data and passwords, etc.
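An added Python illustration of the hole described above, not code from the original article: a GET parameter glued into the query text, beside the same lookup done with parameter binding. The table and rows are constructed, and SQLite stands in for MySQL.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, login):
    """The hole described above: the GET parameter is glued into the query
    text, so a quote in it ends the string literal and the rest becomes SQL."""
    sql = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, login):
    """Parameter binding: the value travels separately from the query text,
    so it can only ever be compared against `login`, never change the query.
    (Escaping plus quoting, as the text recommends, aims at the same separation;
    binding achieves it without relying on the escaper being applied everywhere.)"""
    return conn.execute("SELECT login, email FROM users WHERE login = ?",
                        (login,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed test input: closes the quote and appends an always-true condition.
    param = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, param))  # every row comes back
    print("safe:      ", lookup_safe(conn, param))        # nobody has this login: []
    print("normal:    ", lookup_safe(conn, "alice"))
```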

XSS

The essence of an XSS attack is to inject arbitrary code into a page generated by a script. This works if the variable passed in the page address is not checked for characters such as quotation marks.

The main danger is the theft of cookies and, consequently, access to user accounts. A hacker can also obtain information about the visitor’s system, browsing history, etc. It is also possible to inject not only JavaScript but also a link to a PHP script hosted on a third-party server, which is much more dangerous.

At one time, this method was used in “black hat” SEO to get free links. This did not particularly harm site owners.

Spam with website address and details

The method is, by and large, harmless, but here again the aforementioned Spamhaus comes into play. A single complaint can get the site and its IP blacklisted, and the hoster will be forced to refuse service. Sending several hundred thousand letters carrying the address of any site costs pennies. Forums, comment sections, etc. can also be spammed, and it will be extremely difficult to prove that competitors were behind it.

The scale of DDoS attacks has increased approximately 50 times over the past few years. At the same time, attackers target both local infrastructures and public cloud platforms where customer solutions are concentrated.

“Successfully executed attacks have a direct impact on a customer's business and are destructive,” said Darren Anstee, a spokesman for Arbor Networks, a network security solutions company.

At the same time, the frequency of attacks also increases. At the end of 2014, their number was 83 thousand, and in the first quarter of 2015 the figure increased to 126 thousand. Therefore, in our material today we would like to consider various types of DDoS attacks, as well as ways to protect against them.

TCP Reset

A TCP Reset attack is performed by injecting RST packets into a TCP connection. The RST flag in the TCP header signals that the connection must be reset (and re-established if needed); it is normally used when an error has been detected or when one side wants to stop transferring data. An attacker can interrupt a TCP connection by continuously sending RST packets whose values look valid for that connection, making it impossible to keep a connection up between the source and the destination.

This type of attack can be prevented by monitoring each transmitted packet and making sure that sequence numbers arrive in the expected order. Deep traffic analysis systems can handle this.
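Added example, not from the original article: the sequence-number check a receiver applies to an incoming RST, written out in Python following the RFC 5961 rules (an exact match resets the connection, an in-window but inexact number triggers a challenge ACK, an out-of-window number is dropped). The connection state and the RST burst are constructed.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND) with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Decide what a receiver should do with an incoming RST segment.

    Applies the RFC 5961 (section 3.2) rules, which are the precise form of
    "check that the sequence number is the expected one":
      seq == RCV.NXT              -> "reset"          genuine teardown
      elsewhere inside the window -> "challenge-ack"  ask the real peer to confirm
      outside the window          -> "drop"           blind injection, ignore
    """
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def count_dropped_rsts(rst_seqs, rcv_nxt, rcv_wnd):
    """Detection view: how many RSTs in a captured burst fall outside the window.
    A stream of such segments aimed at one connection is what the attack above
    looks like on the wire once the receiver validates sequence numbers."""
    return sum(classify_rst(s, rcv_nxt, rcv_wnd) == "drop" for s in rst_seqs)


if __name__ == "__main__":
    # Constructed connection state and a constructed burst of RST sequence numbers.
    rcv_nxt, rcv_wnd = 4_000_000_000, 65_535
    burst = [4_000_000_000, 4_000_001_000, 1, 700_000_000, 4_000_000_000 - 1]
    for s in burst:
        print(s, classify_rst(s, rcv_nxt, rcv_wnd))
    print("dropped:", count_dropped_rsts(burst, rcv_nxt, rcv_wnd))
```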

Today the main purpose of compromising devices is to organize DDoS attacks or to cause damage by cutting users off from a website. Therefore telecom operators, Internet providers and other companies, including VAS Experts, also offer DDoS protection solutions: real-time traffic monitoring to track anomalies and bursts in bandwidth usage; the Carrier Grade NAT function, which “hides” the subscriber’s device from intruders by blocking access to it from the Internet; and other intelligent and even self-learning systems.

The fundamental concepts of cyber security are availability, integrity and confidentiality. Denial of Service (DoS) attacks affect the availability of information resources. A denial of service is considered successful if it makes an information resource unavailable. The success of an attack is distinct from its impact on the target: the impact is the damage caused to the victim. For example, if an online store is attacked, a prolonged denial of service causes the company financial losses. In each specific case, DoS activity can either directly cause harm or create a threat and a potential risk of loss.

The first D in DDoS stands for distributed: a distributed denial of service attack. Here we are talking about a huge mass of malicious requests arriving at the victim’s server from many different places. Typically, such attacks are organized through botnets.

In this article, we will take a closer look at what types of DDoS traffic and what types of DDoS attacks exist. For each type of attack, brief recommendations for preventing and restoring functionality will be provided.

Types of DDoS traffic

The simplest type of traffic is HTTP requests. With the help of such requests, for example, any visitor communicates with your site through a browser. The basis of the request is the HTTP header.

HTTP header. HTTP headers are fields that describe what kind of resource is being requested, such as a URL, a form or a JPEG. HTTP headers also tell the web server what type of browser is being used. The most common HTTP headers are Accept, Accept-Language and User-Agent.

The requester can use as many headers as he likes, giving them the desired properties. DDoS attackers can modify these and many other HTTP headers, making them difficult to detect. In addition, HTTP headers can be written in such a way as to control caching and proxy services. For example, you can instruct the proxy server not to cache information.

HTTP GET

  • HTTP(S) GET request is a method that requests information from the server. This request may ask the server to pass some file, image, page or script in order to display it in the browser.
  • HTTP(S) GET flood is a DDoS attack method of the application layer (7) of the OSI model, in which the attacker sends a powerful stream of requests to the server in order to overwhelm its resources. As a result, the server cannot respond not only to hacker requests, but also to requests from real clients.

HTTP POST

  • HTTP(S) POST request is a method in which data is placed in the body of the request for subsequent processing on the server. An HTTP POST request encodes the submitted information (for example, form fields) and sends it to the server in the request body. This method is used when large amounts of information or files need to be transferred.
  • HTTP(S) POST flood is a type of DDoS attack in which the number of POST requests overwhelms the server to the point that the server is unable to respond to all requests. This can lead to exceptionally high system resource usage, which can lead to a server crash.

Each of the HTTP requests described above can be transmitted over the secure HTTPS protocol. In this case, all data sent between the client (attacker) and the server is encrypted. It turns out that “security” here plays into the attacker's hands: to identify a malicious request, the server must first decrypt it. That is, the entire stream of requests, which is enormous during a DDoS attack, has to be decrypted, creating additional load on the victim server.

SYN flood (TCP/SYN) establishes half-open connections with the host. When the victim receives a SYN packet on an open port, it must respond with a SYN-ACK packet and establish a connection. After this, the initiator sends an ACK packet back to the recipient. This process is conventionally called a handshake. During a SYN flood attack, however, the handshake cannot be completed because the attacker never answers the victim server's SYN-ACK. Such connections remain half-open until the timeout expires; the connection queue fills up and new clients are unable to connect to the server.

UDP floods are most often used for bandwidth-saturating DDoS attacks because of their sessionless nature and the ease of creating protocol 17 (UDP) messages in various programming languages.

ICMP flood. The Internet Control Message Protocol (ICMP) is used primarily for error messages and is not used for data transfer. ICMP packets can accompany TCP packets when connecting to a server. An ICMP flood is a DDoS attack method at layer 3 of the OSI model that uses ICMP messages to overload the target's network channel.

MAC flood is a rare type of attack in which the attacker sends many empty Ethernet frames with different source MAC addresses. Network switches track each MAC address separately and reserve resources for each of them. When the switch's memory is exhausted, it either stops responding or shuts down. On some types of routers, a MAC flood can cause entire routing tables to be deleted, disrupting the whole network.

Classification and goals of DDoS attacks by OSI levels

The Internet uses the OSI model. In total, there are 7 levels in the model, which cover all communication media: starting from the physical environment (1st level) and ending with the application level (7th level), at which programs “communicate” with each other.

DDoS attacks are possible at each of the seven levels. Let's take a closer look at them.

OSI Layer 7: Application

What to do: Application monitoring, that is, systematic monitoring of the software using a specific set of algorithms, technologies and approaches (depending on the platform the software runs on) to identify 0-day application vulnerabilities (layer 7 attacks). Once identified, such attacks can be stopped for good and their source traced. This is easiest to do at this layer.

OSI Layer 6: Presentation

What to do: To mitigate the damage, consider measures such as distributing the SSL encryption infrastructure (i.e., hosting SSL on a separate server, where possible) and inspecting application traffic for attacks or policy violations on the application platform. A good platform ensures that traffic is encrypted and sent back to the originating infrastructure, with the decrypted content residing only in the secure memory of a protected bastion node.

OSI Layer 5: Session

What to do: Keep your hardware firmware up to date to reduce the risk of a threat.

OSI Layer 4: Transport

What to do: Filtering DDoS traffic, known as blackholing, is a method providers often use to protect customers (we use this method ourselves). Its downside is that it makes the client's site inaccessible to legitimate users as well as to malicious traffic. Nevertheless, providers use such access blocking against DDoS attacks to protect customers from threats such as slowdowns of network equipment and service failures.

OSI Layer 3: Network

What to do: Limit the number of processed requests via the ICMP protocol and reduce the possible impact of this traffic on the speed of the Firewall and Internet bandwidth.

OSI Layer 2: Data Link

What to do: Many modern switches can be configured so that the number of MAC addresses is limited to trusted ones that pass authentication, authorization and accounting checks on the server (AAA protocol) and are subsequently filtered.

OSI Layer 1: Physical

What to do: Use a systematic approach to monitoring the performance of physical network equipment.

Mitigation of large-scale DoS/DDoS attacks

Although an attack is possible at any level, attacks at layers 3-4 and 7 of the OSI model are especially popular.

  • DDoS attacks at layers 3 and 4 (infrastructure attacks) rely on a large volume of data, a powerful flow (flood), at the network and transport layers in order to slow down the web server, “fill” the channel and ultimately prevent other users from reaching the resource. These typically include ICMP, SYN and UDP floods.
  • A DDoS attack at layer 7 overloads specific elements of the application server infrastructure. Layer 7 attacks are particularly sophisticated, stealthy and difficult to detect because of their similarity to legitimate web traffic. Even the simplest layer 7 attacks, such as attempting to log in with arbitrary usernames and passwords or repeating arbitrary searches on dynamic web pages, can critically load the CPU and databases. DDoS attackers can also repeatedly change the signatures of layer 7 attacks, making them even more difficult to recognize and eliminate.

Some actions and equipment to mitigate attacks:

  • Firewalls with dynamic packet inspection
  • Dynamic SYN proxy mechanisms
  • Limiting the number of SYNs per second for each IP address
  • Limit the number of SYNs per second for each remote IP address
  • Installing ICMP flood screens on a firewall
  • Installing UDP flood screens on a firewall
  • Rate limiting on routers adjacent to firewalls and networks
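Added example (not from the original article) serving both the SYN flood description above and the “dynamic SYN proxy” item in this list: a simplified SYN cookie in Python. The server encodes an HMAC of the connection 4-tuple and a time epoch into its SYN-ACK sequence number instead of queuing a half-open connection, and allocates state only when a client's ACK carries a cookie it could have issued. The secret, addresses and timestamps are constructed; real implementations (Linux, for instance) additionally encode the MSS.

```python
import hashlib
import hmac
import socket
import struct

# Constructed per-server secret; a real deployment generates it at boot and rotates it.
SECRET = b"constructed-demo-secret"
PERIOD = 64          # seconds per cookie epoch; bounds how long a cookie stays valid
MAC_BITS = 24        # low 24 bits of the ISN carry the MAC, high 8 the epoch counter


def _mac(saddr, sport, daddr, dport, epoch):
    """Keyed hash over the connection 4-tuple and epoch, truncated to 24 bits."""
    msg = struct.pack("!4sH4sHB", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, epoch)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, now):
    """ISN to put in the SYN-ACK. The server stores nothing per half-open
    connection, so a flood of SYNs cannot fill a backlog queue."""
    epoch = int(now // PERIOD) & 0xFF
    return (epoch << MAC_BITS) | _mac(saddr, sport, daddr, dport, epoch)


def check_syn_cookie(saddr, sport, daddr, dport, ack, now, max_age=2):
    """Validate the handshake's final ACK: ack-1 must be a cookie this server
    would have issued for the same 4-tuple within the last `max_age` epochs.
    Only now is connection state allocated."""
    cookie = (ack - 1) & 0xFFFFFFFF
    epoch, mac = cookie >> MAC_BITS, cookie & ((1 << MAC_BITS) - 1)
    current = int(now // PERIOD) & 0xFF
    if (current - epoch) & 0xFF > max_age:       # stale or replayed cookie
        return False
    expected = _mac(saddr, sport, daddr, dport, epoch)
    return hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big"))


if __name__ == "__main__":
    # Constructed handshake: client 192.0.2.10:40000 -> server 198.51.100.5:443.
    t0 = 1_700_000_000.0
    isn = make_syn_cookie("192.0.2.10", 40000, "198.51.100.5", 443, t0)
    print("SYN-ACK seq:", isn)
    print("valid ACK accepted:", check_syn_cookie("192.0.2.10", 40000, "198.51.100.5", 443, isn + 1, t0 + 5))
    print("wrong port rejected:", check_syn_cookie("192.0.2.10", 40001, "198.51.100.5", 443, isn + 1, t0 + 5))
    print("stale ACK rejected:", check_syn_cookie("192.0.2.10", 40000, "198.51.100.5", 443, isn + 1, t0 + 10 * PERIOD))
```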