Cyber-security Attacks Series (Part-3A): Classifying the Success of a DDOS attack, based on certain features.

In the first two parts of this series we covered what DOS and DDOS are, how a DDOS attack propagates, and DDOS statistics for the year 2023. In this third part, we discuss how the success of a DDOS attack is classified, based on certain features.

These classifications are based on research conducted by experts and are defined by a range of criteria. The diverse criteria help build an in-depth understanding of the various characteristics of an attack, how it can be detected, and how it can be mitigated.

The criteria by which the various DDOS attacks are classified are the following:

  1. Degree of Automation (How these attacks are set to continuously flood the target with overwhelming traffic).
  2. Exploited weakness.
  3. Attack Rate Dynamics.
  4. Impact on Target.
  5. Source/origin address validity.
  6. Persistency of Agent set.
  7. Type of victim.
  8. Characterization based on possibility.
  9. Attack Network.
  10. Attack Mode.

When an attacker targets an organization, their sole purpose is to disrupt its services, and DDOS is one of the top methods of disrupting an organization's services on a large scale.
Considering this type of attack from a threat actor's perspective, we can outline the steps taken to achieve a successful DDOS attack.

These steps are:

  1. Saturation of Resources.
  2. Exploitation of System/Network vulnerabilities.
  3. Modifying existing configurations (Tampering).
  4. Misuse.
  5. Physical destruction of Infrastructure.
[Image: various steps taken to achieve a successful DDOS attack. Image source: Fixitgearware]

1. Saturation of Resources:

As the term "Saturation of Resources" implies, the threat actor's goal is the complete consumption or exhaustion of the target's critical infrastructure resources. These are usually system resources such as CPU, memory and storage space, and the bandwidth resources of the network.

DDOS attacks based on resource saturation are commonly used by threat actors. Their sophistication makes them one of the most common types of attack, and one of the most difficult to mitigate.

Resource-saturation DDOS attacks are further classified into two sub-categories:

1.1 Resources of System/Device.
1.2 Resources based on Network-Bandwidth.

1.1 Resources of System/Device: 

Exhausting a system's or device's resources via a DDOS attack is achieved through request flooding, also known as a "Request Flooding Attack." When launched, this attack serves one purpose: consuming the target's CPU, RAM, HDD and SSD resources through an excessive volume of service requests.

These requests usually exceed what the system can handle at a given time. The volume forces the system to queue incoming requests as they arrive; once the request queue is exceeded and overflows, the additional requests received are discarded.

Commonly observed flooding attacks that exhaust system/device resources include the following:

1.1.1 HTTP Floods.
1.1.2 Database Connection Pool Exhaustion.
1.1.3 SSL Exhaustion.
1.1.4 IPSEC Flooding.
1.1.5 Application Layer Protocol Floods (Layer-7).

1.1.1 HTTP Flooding Attack:

An HTTP flood attack has a compound impact on both the system resources and the network resources of the target, but the resources primarily impacted are the system resources. The primary objective is to exhaust these resources; because of how they operate, these attacks are classed as "Application Layer Attacks", and they are carried out by botnet-infected hosts.

The HTTP request methods most commonly used in HTTP flooding attacks are "GET" and "POST".

A. GET Request:

GET requests in an HTTP flood are used to retrieve static content from the target (e.g. HTML pages and images). To exhaust the resources of the target these requests are made to, the flood issues GET requests continuously and excessively. As a result, the server hosting the content is overwhelmed as its system and network resources are consumed.

The two most commonly observed HTTP flood GET request attacks are:

 A.1 Recursive GET request Flood Attacks.

 A.2 Random Recursive GET request Flood Attacks.

A.1 Recursive GET request Flood Attacks:

The Recursive GET Request Flood Attack is designed to be hard to detect, so that its success rate is high and its requests appear legitimate to the target.
The recursive mechanism achieves this obfuscation by collecting a list of static resources (HTML pages and images) and then walking through that collection the way a normal user browsing the website would. The high success rate and impact of the Recursive GET come from combining this browsing pattern with the volume of an HTTP flood attack.

 A.2 Random Recursive GET request Flood Attacks:

A Random Recursive GET Request Flood Attack, on the other hand, is a variant of the "Recursive GET Request Flood Attack."
This variant is mostly used to flood web forums, blogs, and web pages whose content is laid out sequentially. Like the Recursive GET Request Flood Attack, the Random Recursive GET request views the static resources it accesses just as a legitimate user would.

However, unlike the "Recursive GET Request", the "Random Recursive GET" picks a random number from the valid range of pages for each new "GET" request it sends to the target. The main objective of the Random Recursive GET Request Flood Attack is to exhaust the target's resources with a huge volume of GET traffic, making the service unavailable to legitimate users.

B. POST Request:

The HTTP POST request, on the other hand, uses forms (e.g. registration forms, contact forms, etc.) to send user data to the target server. In a POST flood, the objective is to use this method to trigger complex, expensive operations (e.g. storing or retrieving data) against the target's database.
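The GET and POST floods above leave a recognisable footprint in a web server's access log: one client issuing far more requests per window than any human visitor, with a random recursive GET flood spread over many distinct pages and a POST flood concentrated on a single form endpoint. The following detector is an added example, not code from the original article. It assumes logs in the Common Log Format, uses constructed sample traffic with documentation-range addresses, and the window and request thresholds are placeholder values to be tuned against a site's normal traffic.

```python
import random
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, with the request line split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts,
            'method': m.group('method'), 'path': m.group('path')}


def detect_floods(lines, window=timedelta(seconds=10), max_requests=30):
    """Flag each client that sends more than max_requests within any sliding window.

    The report for a flagged client records the dominant method (GET vs POST flood)
    and how many distinct paths it hit: a random recursive GET flood shows many
    distinct pages, a POST flood usually hammers one form endpoint.
    The thresholds are assumptions; tune them to the site's normal traffic."""
    recent = defaultdict(deque)   # ip -> requests seen inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec['ip']]
        q.append(rec)
        while q and rec['ts'] - q[0]['ts'] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > max_requests and rec['ip'] not in flagged:
            methods = defaultdict(int)
            for r in q:
                methods[r['method']] += 1
            flagged[rec['ip']] = {
                'requests_in_window': len(q),
                'dominant_method': max(methods, key=methods.get),
                'distinct_paths': len({r['path'] for r in q}),
                'first_seen': q[0]['ts'].isoformat(),
            }
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real data): a normal visitor, a random
    recursive GET flooder walking /page/<random n>, and a POST flooder on /login."""
    rng = random.Random(7)
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, t, method, path, status=200, size=512):
        stamp = t.strftime('%d/%b/%Y:%H:%M:%S %z')
        return (t, f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size}')

    entries = []
    for i in range(6):        # normal visitor: one page every 10 seconds
        entries.append(entry('198.51.100.10', t0 + timedelta(seconds=10 * i),
                             'GET', f'/page/{i + 1}'))
    for i in range(120):      # GET flooder: 120 random pages in about 8 seconds
        entries.append(entry('203.0.113.5', t0 + timedelta(milliseconds=66 * i),
                             'GET', f'/page/{rng.randint(1, 500)}'))
    for i in range(80):       # POST flooder: 80 login attempts in about 5 seconds
        entries.append(entry('203.0.113.77', t0 + timedelta(milliseconds=60 * i),
                             'POST', '/login', 401, 0))
    entries.sort(key=lambda e: e[0])
    return [line for _, line in entries]


if __name__ == '__main__':
    for ip, report in detect_floods(build_sample_log()).items():
        print(ip, report)
```

Running the script flags the two constructed flooders and leaves the normal visitor alone; the `distinct_paths` field is what separates the random recursive GET pattern (dozens of different pages) from the POST flood (one endpoint). In production the same logic would run on a log tail, and a flag would feed a block list or a rate limiter rather than a print statement.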

1.1.2 Database Connection Pool Exhaustion:

In a Database Connection Pool Exhaustion attack, the threat actor tries to occupy all available connections in the database connection pool. Each time a legitimate user logs in to the website or application, a connection is established to the database that holds the resources and credentials being accessed. When the pool is exhausted, a legitimate user trying to access a service (say, logging in to a portal) is unable to, because the login form cannot establish a connection to the database.
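Two defensive properties of a connection pool decide how badly this attack bites: whether a request that cannot get a connection fails fast or waits indefinitely, and whether one client can hold the whole pool. The in-memory pool model below is an added example, not code from the original article or any database driver; the "client" key (a session, account or source address) and the pool size, quota and timeout are constructed assumptions.

```python
import queue
import threading
from collections import Counter


class PoolExhausted(Exception):
    """Raised when a connection cannot be handed out within the limits."""


class ConnectionPool:
    """In-memory model of a bounded database connection pool (constructed example).

    Two defences against pool exhaustion are built in:
      * acquire() waits at most `timeout` seconds, so a request fails fast
        instead of queueing forever behind connections a bot is holding;
      * no single client key (session, account or source address, as assumed
        here) may hold more than `per_client_max` connections at once."""

    def __init__(self, max_size, per_client_max, timeout):
        self._free = queue.Queue()
        for i in range(max_size):
            self._free.put(f'conn-{i}')          # stand-in for real connections
        self._held = Counter()                   # client -> connections held
        self._lock = threading.Lock()
        self.per_client_max = per_client_max
        self.timeout = timeout

    def acquire(self, client):
        with self._lock:
            if self._held[client] >= self.per_client_max:
                raise PoolExhausted(f'{client} already holds {self._held[client]} connections')
            self._held[client] += 1              # reserve quota before blocking
        try:
            return self._free.get(timeout=self.timeout)
        except queue.Empty:
            with self._lock:
                self._held[client] -= 1
            raise PoolExhausted(f'no free connection for {client} within {self.timeout}s')

    def release(self, client, conn):
        with self._lock:
            self._held[client] -= 1
        self._free.put(conn)


def simulate_pool(per_client_max):
    """One greedy client tries to take ten connections and hold them, then a
    legitimate login tries once. Returns (connections the greedy client got,
    whether the legitimate login succeeded)."""
    pool = ConnectionPool(max_size=4, per_client_max=per_client_max, timeout=0.05)
    held = []
    for _ in range(10):
        try:
            held.append(pool.acquire('bot'))
        except PoolExhausted:
            break
    try:
        conn = pool.acquire('alice')
        pool.release('alice', conn)
        legit_ok = True
    except PoolExhausted:
        legit_ok = False
    for conn in held:
        pool.release('bot', conn)
    return len(held), legit_ok


if __name__ == '__main__':
    print('no per-client cap :', simulate_pool(per_client_max=10))   # (4, False)
    print('cap of 2 per client:', simulate_pool(per_client_max=2))   # (2, True)
```

With no per-client cap the greedy client drains all four connections and the legitimate login fails (it fails in 50 ms rather than hanging, which is the timeout's job); with a cap of two, the greedy client is stopped at its quota and the login goes through. Real pools expose the same two knobs under names such as acquire timeout and max connections per user or per session.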

1.1.3 SSL Exhaustion Flooding Attack:

SSL, and its successor TLS, is an encryption mechanism used by a vast number of network communication protocols to provide both security and privacy. As more and more services and transactions are conducted over SSL/TLS, the rise in SSL/TLS attacks is notable.

SSL Exhaustion Flooding Attacks are attacks that exhaust the available SSL connection slots, and with them the CPU and memory of the target. They attack the SSL/TLS handshake protocol by sending gibberish or worthless data to the SSL/TLS server, leaving no service or connection capacity for legitimate users. The attack is carried out by traffic from botnets abusing the SSL/TLS handshake protocol.
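The server-side counterpart to this is admission control at the handshake: cap how many handshakes a source may start per second, and tighten that cap for sources whose handshakes mostly abort before reaching Finished, which is the footprint of the gibberish traffic described above. The guard below is an added example, not code from the original article or from any TLS library; the rate, burst, abort-ratio threshold and the constructed traffic mix are assumptions to be tuned per deployment.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class SourceState:
    tokens: float        # token bucket: one token per admitted handshake
    last: float          # time of last refill
    started: int = 0     # handshakes admitted
    aborted: int = 0     # admitted handshakes that never reached Finished


class HandshakeGuard:
    """Per-source admission control for TLS handshakes (constructed example).

    A token bucket caps how many handshakes a source may start per second.
    Sources whose admitted handshakes mostly abort before Finished (the
    'gibberish' pattern) are moved to a much smaller bucket. Rates, burst
    sizes and the abort ratio are assumptions to be tuned per deployment."""

    def __init__(self, rate, burst, abort_ratio_limit=0.5, min_samples=10, penalty=0.1):
        self.rate, self.burst = rate, burst
        self.abort_ratio_limit = abort_ratio_limit
        self.min_samples = min_samples
        self.penalty = penalty
        self.sources = {}

    def _refill(self, ip, now):
        st = self.sources.get(ip)
        if st is None:
            st = self.sources[ip] = SourceState(tokens=self.burst, last=now)
        rate, burst = self.rate, self.burst
        if st.started >= self.min_samples and st.aborted / st.started > self.abort_ratio_limit:
            rate, burst = rate * self.penalty, max(1.0, burst * self.penalty)
        st.tokens = min(burst, st.tokens + (now - st.last) * rate)
        st.last = now
        return st

    def on_client_hello(self, ip, now):
        """Return True if the handshake may proceed, False if it should be dropped."""
        st = self._refill(ip, now)
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            st.started += 1
            return True
        return False

    def on_handshake_result(self, ip, completed):
        """Record whether an admitted handshake reached Finished."""
        st = self.sources.get(ip)
        if st is not None and not completed:
            st.aborted += 1


def simulate_handshakes(duration_s=10):
    """Constructed traffic: a legitimate client completing one handshake per
    second, and a bot starting 50 handshakes per second that never complete."""
    guard = HandshakeGuard(rate=5.0, burst=10.0)
    events = [(float(t), '198.51.100.10', True) for t in range(duration_s)]
    events += [(i * 0.02, '203.0.113.5', False) for i in range(duration_s * 50)]
    events.sort()
    sent, admitted = Counter(), Counter()
    for now, ip, completes in events:
        sent[ip] += 1
        if guard.on_client_hello(ip, now):
            admitted[ip] += 1
            guard.on_handshake_result(ip, completes)
    return {'legit_sent': sent['198.51.100.10'], 'legit_admitted': admitted['198.51.100.10'],
            'bot_sent': sent['203.0.113.5'], 'bot_admitted': admitted['203.0.113.5']}


if __name__ == '__main__':
    print(simulate_handshakes())
```

In the simulation the legitimate client gets every handshake through, while the bot is admitted for its initial burst and then only a handful more over the remaining seconds, because its abort ratio moves it to the penalised bucket. Every handshake that is refused here is a handshake the server never spends CPU or memory on.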

1.1.4 IPSEC Flooding Attack:

IPSEC, or Internet Protocol Security, is a secure network protocol primarily used to establish VPN (Virtual Private Network) connections across an insecure network. To ensure the legitimacy of these connections, IPSEC uses the IKE (Internet Key Exchange) protocol. The current version of IKE is IKEv2.

The IKEv2 (Internet Key Exchange) protocol ensures that a secure connection first authenticates the peers, and then encrypts the packets of data sent over the Internet via IP (Internet Protocol).

An IPSEC flooding attack, like every other flooding attack, aims to exhaust all resources available to the IPSEC service, which in turn negatively impacts the requests and traffic of legitimate users over IPSEC VPN connections.

1.1.5 Application Layer (Layer-7) Protocol Flooding Attacks:

The Application Layer, also known as the top-most layer of the 7-layer OSI model, is a common target of DDOS attacks. These attacks abuse various protocols such as:

  • DNS (Domain Name System).
  • FTP (File Transfer Protocol).
  • SIP ( Session Initiation Protocol).
  • SMTP (Simple Mail Transfer Protocol).

Application Layer (Layer 7) protocol flooding attacks are more potent because they consume both server resources and network resources heavily.

Scenario 1:

A case study of a request made by a client (a browser) and the server's response to it. When a user tries to access their Outlook email account online, only a minimal amount of data is required to check the credentials supplied to the login form, but far more resources are needed to load all the relevant data from the email databases while at the same time sending back the web page the user requested.

Often, even in the absence of a login request, an email server receiving many requests from a client (an email app) has to query the database and make other API (Application Programming Interface) calls to produce a web page.

When this imbalance in requests is magnified by many bot-controlled devices targeting a specific web component, the target server is overwhelmed with traffic and the service goes offline. Legitimate users are then unable to access the email service.

The most common Layer-7 attacks mainly target APIs, which is sufficient to take these services offline (Denial of Service).

It should be taken into account that the effectiveness and success of most DDOS attacks arise from the asymmetry between the resources required to launch an attack and the resources required to mitigate one.

 

 
