Denial-of-Service Attack

Discussion

• What are the statistics for DoS attacks worldwide?

  

  Geographic distribution of suspicious clients. Source: Akamai 2022.

  One research showed that more than 20M DoS attacks happen, targeting about 2.2M / 24 IPv4 network blocks. The figure depicts attacks that are most prominent around the world. There is also a 1-10 grading system, where 10 is the most fatal attack experienced. London has the highest DoS attack with a cumulative score of 230. This is followed by Milano with 202, Ashburn with 121, Frankfurt with 117, Buenosaires with 87, Saopaulo and Seoul with 68, Amsterdam with 52, Singapore with 50, and Portland with 50. After this, Mumbai is next, with a cumulative score of 47 from the top 20 places having fatal attacks.

  Country	Targets	%
  US	1232k	29.50%
  China	416k	9.96%
  France	323k	7.73%
  GB	266k	6.37%
  Germany	216k	5.18%
  Other	1727k	41.26%

  The table tells the number of IP addresses targeted with the percentage of all observed attacks with the help of Honeypot. The observation is based on the NetAcuity Edge IP geolocation database.

• In what ways can a DoS attack be a threat to systems?

  Specific resources become targets through DoS attacks. An attack can compromise the network bandwidth, aiming at the connection between the web server, the global internet, or any appliances connected to the network. Some of the attacks on web services can be SOAP array attack, XML entity expansion or oversized cryptography.

  System resources are the next target where the system becomes overloaded with continuous requests. These obstruct responses to the actual users. One example is when the attacker sends a massive number of virtual connections to consume the memory and CPU resources of the target server. In application resources, a specific application in the system is attacked, making it unavailable.

  Firewalls and Intrusion Detection Systems (IDSs) can be DoS attack targets. Such attacks fall into two classes:

  • Stateful: Attack causes an excessive state or state with a pathological structure.
  • Stateless: Attack exhausts the processing resources.

  Attacks on an IDS face the same problems as firewalls but differ because some detectable attacks will be missed instead of denying services.

• What are the types of DoS attacks that attackers use?

  

  Types of DoS attacks. Source: Obaid 2020.

  DoS attacks are categorised as weakness-based or flooding attacks.

  Weakness-based attack uses weaknesses of the internet system. Ping of death attack, TCP-SYN attack, HTTP Post and HTTP Get and Slowloris come under weakness-based attacks.

  Flooding attack creates traffic in the system and fulfils its goal of making it inaccessible. UDP Flood, ICMP Flood (Ping Flood) and SSL Traffic Flood are examples of flooding attacks.

  In some research papers, DoS attacks are divided into Bandwidth or Volume-based attacks (UDP flood and ICMP flood), Protocol attacks (SYN attack and Ping of Death attack) and Application Layer attacks (Teardrop attack and Spam).

• Which tools are commonly used for DoS attacks?

  One popular tool used for DoS attacks is LOIC (Low Orbit Ion Cannon). LOIC can send millions of packets (UDP, TCP or HTTP requests) and flood the user's internet connection. Praetox Technologies developed this for experimental purpose. However, hackers have adopted this tool to create TCP, HTTP or UDP traffic.

  There are also other tools:

  • High Orbit Ion Cannon (HOIC): Can send massive TCP traffic and spoof the source IP addresses to make them appear random.
  • Hping or hping3: Transmits an ICMP echo request while sending massive TCP traffic to the victim.
  • Slowloris: Targets the victim server by sending them an HTTP header slowly, bit by bit until a timeout happens.
  • Trinity and Trinoo: Use UDP packets to attack.
• What is the aim behind DoS attacks?

  The motivation for DoS attack can be extortion and profit, causing a distraction or collateral damage. In recent years Hack-Activism has been a term concerning a famous group called Anonymous (famous internet activist). They are known to attack certain online services for political reasons.

  We note the following reason for DoS attacks:

  • Financial/economic gain: attacks are difficult to stop and are mostly concerns of cooperation
  • Revenge : done by attackers with lower technical capabilities or frustrated individuals seeking revenge
  • Intellectual challenge: attacks occur for experimental purpose from researchers trying new techniques
  • Cyberware: attackers are military or terrorist organisations
  • Service unavailability: attackers block the victims from getting any kind of resources or suffering slow performance
  • Ideological belief: same as Hack-Activism
• How can we detect and protect against DoS attacks?

  

  Mechanisms for defense against DoS attack. Source: Abliz 2011.

  While creating a defence against DoS attacks, three significant points should be highlighted:

  • Attack Prevention: Prevention happens before the attack. The techniques mostly applied are artificial intelligence, game theory, soft computing and multi-agent approaches. These examples can be Game Theoretic Approach, An Ant Based Framework, Message Observation Technique and Protection using KDS. Firewalls are used to protect the system from any suspicious incoming and outgoing messages. Messages that don't meet security criteria are blocked.
  • Attack Detection: Detection takes place during the attack. Analysing the attack helps us learn the attack pattern and avoid similar attacks in the future.
  • Attack Response: Response happens taken after the attack is detected. It is crucial to have an intrusion response team to identify the attack and track down the host. One possible response is to nullify the attack or shut down the network.
• How are DDoS attacks different from DoS attacks?

  DoS (Denial of Service) attacks and DDoS (Distributed Denial of Service) attacks have the same aim but different methods of attacking. In a DoS attack, a single attacker uses a single system to attack a single target. In a DDoS attack, a single attacker uses multiple systems to attack a single target.

  There is less traffic in a DoS attack as a single system creates traffic. In a DDoS attack, due to multiple systems attacking the victim, there is heavy traffic. The attack is easy to trace in the case of a DoS attack but difficult to trace in DDoS. In both cases, the attack period is short, but the DoS attack process is slow while the DDoS attack is fast.

Milestones

1974

An incident occurs in CERL (Computer-based Education Research Laboratory) at the University of Illinois Urban-Champaign. David Dennis, a 13-year-old student at University High School, comes to know about external command (ext) in TUTOR, a programming language in PLATO. Through this command, he writes a program sending "ext" to everyone within a range of site numbers. The next morning around 31 users power off their system at once. He also experiments on some sites around the country, and a mass posting on notes files about locking out happens.

1988

Robert Tappan Morris develops the Morris Worm for research and experimentation. Nevertheless, a bug is found in the code where the system cannot detect whether it already has the code installed. Due to this, the worm replicates itself, creating a Denial of Service attack.

Sep
1996

A DoS attack occurs in PAINX, where there is an SYN Flood attack. On a Friday evening, the main mail host system of the PAINX is attacked. The attacker forges the source addresses on attack packets, so that it becomes difficult to identify the attacker. On Monday, the attacker starts to attack telnet ports, routers and web services.

Feb
2000

Michael Calce, known as Mafiaboy on the Internet, launches a Rivolta (meaning "Rebellion" in Italian). Rivolta takes place in YAHOO through a DoS attack, which then continues to eBay, CNN and Amazon. The damages from this attack are around $7.5 million and $1.2 billion at the global level.

Dec
2003

DoS attack on SCO Group. Source: Moore and Shannon 2020.

A DoS attack occurs from December 10, 2003, 3:20 AM PST to December 11, 2003, 10:40 AM PST. The first attack on SCO Group happens on Dec 10. Their web servers become the target of a SYN flood attack of approximately 34,000 packets per second. This causes their switchboards to flood. On December 11, their web server and FTP servers are SYN flooded, reaching 50,000 packets per second. By 10:40 AM, it is reduced to 3,700 packets per second.

2007

A huge wave of DDoS attacks takes place in Estonia, targeting Estonia's essential infrastructures, telecommunications, name servers, websites, e-mail, and DNS. The attack appears to be politically motivated. Estonia's biggest bank shuts down, causing a loss of $1 million.

Oct
2016

A DDoS attack on Dyn occurs due to the Mirai Botnet. Mostly North America and Europe are affected. Major internet platforms including Twitter, Amazon, GitHub, and the New York Times become unavailable. The recovery expenses are estimated to cost each organisation, on average, $2.5 million.

References

1. Abliz, Mehmud. 2011. "Internet Denial of Service Attacks and Defense Mechanisms." University of Pittsburgh Technical Report, No. TR-11-178, pp. 1–50, March. Accessed 2022-09-12.
2. Abushwereb, Mohamed, Muhannad Mustafa, Mouhammd Al-kasassbeh, and Malik Qasaimeh. 2020. "Attack based DoS attack detection using multiple classifier." arXiv, v1, January 16. Accessed 2022-09-07.
3. Akamai. 2022. "Global Client Reputation Visualization." Akamai. Accessed 2022-09-20.
4. Colatin, Samuele De Tomas. 2021. "Cyber attacks against Estonia (2007)." The Cyber Law Toolkit, September 17. Accessed 2022-10-28.
5. Cub Cyber. 2022. "14 year old boy takes down Amazon, CNN, Yahoo!, and eBay. Also CMMC and DDoS Attacks..." Cub Cyber. Accessed 2022-09-29.
6. Dear, Brian. 2010. "PLATO History." Blog, Plato History, February 11. Accessed 2022-09-30.
7. Handley, Mark J., Eric Rescorla, and IAB. 2015. "RFC 4732: Internet Denial-of-Service Considerations." IETF, October 14. Accessed 2022-10-29.
8. Jonker, Mattijs, Alistair King, Johannes Krupp, Christian Rossow, Anna Sperotto, and Alberto Dainotti. 2017. "Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem." IMC '17: Proceedings of the 2017 Internet Measurement Conference, ACM Digital Library, November. doi: 10.1145/3131365.3131383. Accessed 2022-11-01.
9. Masdari, Mohammad, and Marzie Jalali. 2016. "A survey and taxonomy of DoS attacks in cloud computing: DoS attacks in cloud computing." Security Comm. Networks, John Wiley & Sons, vol. 9, no. 16, pp. 3724-3751. doi: 10.1002/sec.1539. Accessed 2022-09-03.
10. Moore, David, and Colleen Shannon. 2020. "SCO Offline from Denial-of-Service Attack." CAIDA, August 04. Accessed 2022-09-14.
11. Muharish, Essa Yahya M. 2016. "Packet Filter Appro Ter Approach to Detect Denial of Service Attacks." Electronic Theses, Projects, and Dissertations. 342, CSUSB ScholarWorks, June. Accessed 2022-08-20.
12. Obaid, Hadeel S. 2020. "Denial of Service Attacks: Tools and Categories." International Journal of Engineering and Technical Research, vol. 9, no. 3, March. doi: 10.17577/IJERTV9IS030289. Accessed 2022-11-13.
13. Patil, Shital, and Sangita Chaudhari. 2016. "DoS Attack Prevention Technique in Wireless Sensor Networks." 7th International Conference on Communication, Computing and Virtualization, pp. 715 – 721, ScienceDirect, April 09. doi: 10.1016/j.procs.2016.03.094. Accessed 2022-09-01.
14. Prasad, K. Munivara, A. Rama Mohan Reddy, and K. Venugopal Rao. 2014. "DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms -A Survey." Global Journal of Computer Science and Technology: ENetwork, Web & Security Volume 14 Issue 7 Version 1.0, Global Journals. Accessed 2022-11-01.
15. Richtel, Matt. 2000. "Canada Arrests 15-Year-Old In Web Attack." The New York Times, April 20. Accessed 2022-10-28.
16. Rosen, Alexis. 1996. "Panix's Messages to Customers." The Wall Street Journal, September 12. Accessed 2022-09-29.
17. Sadiq, Kolawole Abubakar, Femi Oyedepo, and J Kehinde. 2020. "A Lightweight Economic Denial of Sustainability (EDOS) Defence in Cloud Network using Fog Computing." European Journal of Computer Science and Information Technology Vol.8, No.3, pp.57-64, European-American Journals, June. Accessed 2022-10-27.
18. Shaker, Kamrul. 2014. "Analyzing DoS and DDos Attacks to Identify Effective Mitigation Techniques." American International University-Bangladesh (AIUB), Academia, January. Accessed 2022-09-05.
19. Verma, Deepanker. 2011. "LOIC (low orbit ion cannon) – DOS attacking tool." Infosec Institute, December 21. Accessed 2022-10-28.
20. Wikipedia. 2022. "Morris worm." Wikipedia, October 31. Accessed 2022-09-08.
21. Young, Kelli. 2022. "Cyber Case Study: The Mirai DDoS Attack on Dyn." CoverLink Insurance, January 10. Accessed 2022-10-28.

Further Reading

1. Chao-yang, Zhang. 2011. "DOS Attack Analysis and Study of New Measures to Prevent." 2011 International Conference on Intelligence Science and Information Engineering, IEEE Xplore, August 25. doi: 10.1109/ISIE.2011.66. Accessed 2022-09-20.
2. Park, Kihong, and Heejo Lee. 2000. "A Proactive Approach to Distributed DoS Attack Prevention using Route-Based Packet Filtering" Department of Computer Science Technical Reports Paper 1495 Report Number:00-017 , Semantic Scholar, December 03. Accessed 2022-08-28.
3. Yang, Chao, Wen Yang, and Hongbo Shi. 2018. "DoS attack in centralised sensor network against state estimation." IET Control Theory Appl., 2018, Vol. 12 Iss. 9, pp. 1244-1253, Institution of Engineering and Technology, June 01. doi: 10.1049/iet-cta.2017.0819. Accessed 2022-09-24.
4. Agah, Afrand, Kalyan Basu, and Sajal K Das. 2005. "Preventing DoS attack in Sensor Networks: A Game Theoretic Approach." Conference: Communications, 2005. ICC 2005. 2005 IEEE International Conference on Volume: 5, August 15. doi: 10.1109/ICC.2005.1495019. Accessed 2022-09-23.

Article Stats

Author-wise Stats for Article Edits

Author

No. of Edits

No. of Chats

DevCoins

LavaJ

10

3

1634

arvindpdmn

1

6

712

DevCoins due to articles, chats, their likes and article hits are included.

Cite As