DDOS Attack (PT.3B): NETWORK BANDWIDTH A MAJOR TARGET.

In our previous articles we described the fundamentals of DOS & DDOS, the propagation of these attacks with the year 2023 as a case study, and the classification of DDOS attacks based on certain features. This gives an insight into DDOS attacks and also assists security researchers in gaining a greater understanding of the nature of these attacks, with reference to the criteria described in the previous articles.

When classifying DDOS attacks, one of the major targets of this form of attack is the network bandwidth. In this article, we summarize the types of network bandwidth based DDOS, and how threat actors target network protocols with the aim of overwhelming the network with traffic, exhausting the bandwidth, and subsequently taking down the victim's network or infrastructure services.

IMPORTANT NOTE:
Target: The router, network or hosts distributing the DDOS traffic.
Victim: The actual service that is overwhelmed by the traffic surging from the targets.

What is a Network Bandwidth based DDOS Attack?

A network bandwidth based DDOS attack occurs when a threat actor finds a way of flooding the victim with large volumes of dummy traffic, consequently disconnecting the victim from the rest of the network or rendering their services unavailable to legitimate users.
To ensure the DDOSing is successful, the threat actor primarily targets the weakest link on the network, flooding it with illegitimate traffic; this traffic is then redirected to the victim, which in turn overwhelms the internet pipeline of the victim's network with illegitimate traffic.
If the victimized organization does not have DDOS protection implemented or a mitigation plan in place, the organization will experience network bandwidth starvation, subsequently impacting the availability of services to legitimate users when they try to access the network infrastructure.

 

Classifying Network Bandwidth Based DDOS Attacks:

Network bandwidth DDOS attacks are classified into two categories.

1. Symmetric DDOS Attacks.
2. Asymmetric DDOS Attacks.

This classification is based on the amount of resources required to successfully conduct the attack, relative to the amount of victim resources consumed. To further understand these attacks, let's define each properly.

1. Symmetric DDOS Attacks:

In a symmetric DDOS attack, the threat actor floods the victim's network directly with heavy traffic that consumes the network bandwidth. To conduct a successful symmetric DDOS attack, the network traffic surging from the threat actor's botnets must be large enough to take down the victim's network.
Furthermore, in a symmetric DDOS attack, both compromised nodes and packet spoofing are utilized to generate the traffic capable of overwhelming the victim's network. This is no doubt a reason why protocols such as ICMP and UDP are commonly used in deploying symmetric DDOS.

symmetric-ddos.png
Image-source: Fixitgearware

2. Asymmetric DDOS Attacks:

The other form of network bandwidth based DDOS attack is the asymmetric DDOS attack. This form of attack involves the threat actor concealing their traffic by reflecting the attack traffic. Because of its nature, the asymmetric DDOS attack is also known as a “Reflection and Amplification” attack. To carry out this type of attack successfully, the threat actor uses few resources to generate a huge amount of traffic that is reflected onto the target or victim.

Assymetric-ddos.png
Image-source: Fixitgearware

Further breaking down the asymmetric DDOS flooding attack gives rise to these categories:
A. Application Layer Reflection.
B. Amplification attacks.
C. Smurf Attacks.
D. Fraggle Attacks.

A. Application Layer Reflection Attack:

In an application layer reflection attack, the threat actor modifies the source address field of service request packets to be the victim's IP address. When the UDP services receive the request, the service provider sends the response to the victim instead of the attacker. The sophistication of the reflection attack is that the threat actor is able to conceal itself from detection.

Application layer reflection attacks utilize the UDP protocol.

Scenario 1 (Describing The Steps Of A Reflection Attack):
1. The threat actor spoofs the target/victim address in the service request packets made.
2. These packets are sent to UDP services that are infested with bots, or are publicly available.
3. The UDP servers receive these requests and respond to the victim's IP address, which has been spoofed by the attacker.
4. Overwhelmed by this traffic, the victim is unable to serve legitimate responses to legitimate requests.
5. This results in the entire network or server being taken down.

Assymetric-ddos.png
Image-source: Fixitgearware

B. Amplification Attack:

Analysing the amplification attack: it involves the threat actor generating a small service request whose response is much larger than the request itself, resulting in the victim server's resources being exhausted. This high volume of response packets is produced by keeping the amplification factor as high as possible during the service request.

Scenario 2 (Describing The Steps Of An Amplification Attack):

1. The attacker generates a small service request with the victim's IP address as the source IP.
2. The response payload is made enormous by exploiting the amplification factor.
3. The attacker takes advantage of publicly available UDP services infested with botnets to send trigger packets, which result in extensive responses to the request.
4. Various infested devices (bots) make these responses simultaneously.
5. Due to the amplification of the original request size, the response size consumes the victim's network bandwidth.
6. This results in the victim's service being taken down.

Assymetric-ddos-amplified-attack.png
Image-source: Fixitgearware
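The amplification factor referred to in the steps above is the ratio of response bytes to request bytes. The following Python script is an added example written for this page, not code from the original article: it takes the reflector operator's view of Scenarios 1 and 2. A public UDP service that logs each query's claimed client address together with the request and response sizes can measure the amplification factor and query rate per claimed client, and pick out the clients for which it is being used as a reflector (the candidates for response rate limiting). The log format, addresses, sizes and thresholds are all constructed for this example.

```python
"""Reflector-side measurement of an amplification attack (added example).

The operator of a public UDP service sees the request side of a reflection attack:
a stream of small queries whose claimed source is the victim, each answered with a
much larger response. Per claimed client we compute the bandwidth amplification
factor (response bytes per request byte) and the query rate.
"""
from collections import defaultdict
from dataclasses import dataclass


def build_sample_log() -> str:
    """Constructed log: '<unix_time> <client_ip> <request_bytes> <response_bytes>' per line.

    A normal client sends three modest queries over nine seconds; the spoofed victim
    address appears 200 times within one second, each query answered with 3072 bytes.
    """
    lines = ["1700000000.000 203.0.113.10 70 250",
             "1700000004.000 203.0.113.10 70 250",
             "1700000009.000 203.0.113.10 70 250"]
    for i in range(200):
        lines.append(f"{1700000000 + i * 0.005:.3f} 198.51.100.7 64 3072")
    return "\n".join(lines)


@dataclass
class ClientStats:
    requests: int = 0
    request_bytes: int = 0
    response_bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0

    @property
    def amplification_factor(self) -> float:
        """Bandwidth amplification factor: response bytes per request byte."""
        return self.response_bytes / self.request_bytes if self.request_bytes else 0.0

    @property
    def queries_per_second(self) -> float:
        span = self.last_seen - self.first_seen
        return self.requests / span if span > 0 else float(self.requests)

    @property
    def victim_bits_per_second(self) -> float:
        """Response bandwidth this one reflector alone delivers to the claimed source."""
        span = self.last_seen - self.first_seen
        return self.response_bytes * 8 / span if span > 0 else float(self.response_bytes * 8)


def parse_log(text: str):
    for line in text.splitlines():
        if line.strip():
            ts, ip, req, resp = line.split()
            yield float(ts), ip, int(req), int(resp)


def aggregate(records) -> dict:
    stats = defaultdict(ClientStats)
    for ts, ip, req, resp in records:
        s = stats[ip]
        if s.requests == 0:
            s.first_seen = ts
        s.requests += 1
        s.request_bytes += req
        s.response_bytes += resp
        s.last_seen = ts
    return dict(stats)


def flag_reflection_abuse(stats: dict, min_qps: float = 50.0, min_factor: float = 10.0) -> list:
    """Clients exceeding both thresholds (assumed values) are candidates for rate limiting."""
    return sorted(ip for ip, s in stats.items()
                  if s.queries_per_second >= min_qps and s.amplification_factor >= min_factor)


if __name__ == "__main__":
    stats = aggregate(parse_log(build_sample_log()))
    for ip, s in stats.items():
        print(f"{ip:15} queries={s.requests:4d} factor={s.amplification_factor:6.1f}x "
              f"qps={s.queries_per_second:7.1f} toward_source={s.victim_bits_per_second / 1e6:5.2f} Mbit/s")
    print("reflection abuse candidates:", flag_reflection_abuse(stats))
```

Run as a script, the constructed victim address shows a 48x amplification factor at roughly 200 queries per second, which from this single reflector already amounts to close to 5 Mbit/s aimed at the claimed source; the normal client stays well under both thresholds. Because the claimed source is spoofed, the operator should rate-limit responses toward it rather than treat it as the offender.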

C. Smurf Attack:

Although this type of attack is obsolete, threat actors have been seen sending ICMP echo request packets to the broadcast address of a network, while placing the victim's address in the packet's source address field.

When the hosts (computers infested with botnets) receive these request messages, the response is sent to the victim. In this method of attack, the threat actor is able to amplify the attack traffic in proportion to the number of hosts (botnets) in the broadcast network. Smurf attacks are conducted using ICMP echo request packets.

Scenario 3 (Describing The Steps Of A Smurf Attack):

1. The attacker or threat actor has the target IP address to broadcast over (usually routers).
2. The attacker proceeds to make an ICMP “Echo” request on behalf of the victim to all hosts on the network.
3. The hosts or networks in the target network receive these requests and believe they come from the victim, as a result of the IP address spoofed by the attacker.
4. All the hosts that receive these requests respond with an ICMP echo reply, directing this response traffic to the victim.
5. Overwhelmed by the huge volume of ICMP echo replies from these hosts, the victim's service is taken down, experiencing a Denial of Service.

Assymetric-ddos-smurf-attack.png
Image-Source: Fixitgearware

STORY ANALYSIS OF THE SMURF ATTACK:

To have a better understanding of the mechanism of the smurf attack, let's analyse it with a story. Assume you are on vacation in a city and decide to lodge in a hotel of seven rooms, your room included, and all rooms are occupied.

A prankster discovers a glitch in the digital alarm bell (router) and decides to compromise the bells of six rooms (network), exempting your room.

Now, while all room doors are shut and nobody is in sight (threat actor IP address unknown), the prankster (threat actor) presses a button which triggers the six rooms' door bells (broadcast to the network of six rooms). All occupants respond by opening their doors, but since your room is unaffected you do not come out; therefore all the occupants assume that room number 7 is responsible for the bell prank (making the request). Instead of tracing the prankster (responding with a reply), they do not, since no one can see him due to his concealment, and the only suspect in sight is you (source IP address).

Leaving you as the suspect, they all decide to bang on your door at the same time (DDOS attack), yelling at you (sending the echo response/reply to you). Exhausted by the back-and-forth argument (overwhelmed by these requests), you decide to take a walk and leave the room (the victim's service going offline). Now when a visitor (legitimate user) to whom you gave the hotel address comes visiting at a certain hour and is redirected to your room by the hotel attendant (DNS record), unaware that you went out for a long while, the visitor keeps knocking and knocking until they are exhausted and leave, having failed to get access to you (Denial-Of-Service).

D. Fraggle Attack:

In a Fraggle DDOS attack, a large amount of spoofed UDP traffic arrives at the router's broadcast address; every device on the network receives these requests and redirects its response to the victim server. The victim server tries to respond to these requests but, unable to handle the volume of packets received, the server crashes.

How Does The Fraggle Attack Operate:

The DDOS Fraggle attack is known to use the UDP protocol. The attacker sends UDP packets to a network, using the target network's routers to forward these UDP packets to all nodes present on the network (the packets carry the spoofed IP address of the victim as the source IP address), turning these networks into a traffic generator that redirects its responses to the victim. The Fraggle attack is similar to the Smurf attack (packets are forwarded via routers to all nodes on the target); the only difference is that Fraggle utilizes UDP, while Smurf uses ICMP packets.

Scenario 4 (Describing The Steps Of A Fraggle Attack):

1. The attacker or threat actor has the target IP address to broadcast over (usually routers).
2. The attacker proceeds to make a series of UDP requests on behalf of the victim to all hosts on the network.
3. The requests are forwarded to all nodes on the network with UDP ports 7 and 19 open.
4. The hosts or networks in the target network receive these requests and believe they come from the victim, as a result of the IP address spoofed by the attacker.
5. By default, UDP communication between two systems does not require authentication or credential sharing before data starts flowing.
6. All the hosts that receive these requests respond with a series of UDP replies, directing this response traffic to the victim.
7. Overwhelmed by the huge volume of UDP packets from these hosts, the victim's service is taken down, experiencing a Denial of Service.

Assymetric-ddos-fraggle-attack.png
Image-source: Fixitgearware
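The following Python classifier is an added example written for this page (it is not code from the original article). It applies, from the victim's side, the distinctions drawn in the sections above: symmetric floods arrive directly from many spoofed sources on arbitrary ports, application layer reflection arrives from real UDP services on their well-known ports, and Smurf or Fraggle traffic arrives as ICMP echo replies or UDP echo/chargen (ports 7 and 19) replies from many hosts that share one broadcast domain. The common test for everything reflected is that the victim never sent the matching request, so the code keeps a table of outbound requests and treats any reply without a match as unsolicited. The packet records, addresses, sizes and the threshold of ten responders per /24 are constructed assumptions for the example, not a vendor rule set.

```python
"""Victim-side classification of inbound bandwidth-attack traffic (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

VICTIM = "198.51.100.7"                                   # constructed victim address
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 7: "echo", 19: "chargen"}
BROADCAST_PORTS = {7, 19}                                 # UDP echo/chargen: Fraggle responders
MIN_RESPONDERS_PER_SUBNET = 10                            # assumption: unsolicited repliers per /24


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward victim) or "out" (sent by victim)
    proto: str       # "udp" or "icmp"
    src: str
    sport: int       # UDP source port; for icmp, the ICMP type (8 = echo request, 0 = echo reply)
    dst: str
    dport: int       # UDP destination port; 0 for icmp
    size: int        # bytes on the wire


def classify(packets):
    """Return (per-class byte/source summary, broadcast-domain findings)."""
    sent_udp = set()                                       # (dst, dport, sport) of our own requests
    pinged = set()                                         # hosts we sent echo requests to
    totals = defaultdict(lambda: {"bytes": 0, "sources": set()})
    subnet_responders = defaultdict(set)                   # (class, /24) -> responder addresses

    for p in packets:
        if p.direction == "out":
            if p.proto == "udp":
                sent_udp.add((p.dst, p.dport, p.sport))
            elif p.sport == 8:
                pinged.add(p.dst)
            continue
        if p.proto == "icmp":
            if p.sport == 8:
                cls = "direct_icmp_flood"                  # symmetric: echo requests aimed straight at us
            elif p.sport == 0:
                cls = "solicited" if p.src in pinged else "smurf_candidate"
            else:
                cls = "other_icmp"
        elif (p.src, p.sport, p.dport) in sent_udp:
            cls = "solicited"                              # answers a request we really sent
        elif p.sport in BROADCAST_PORTS:
            cls = "fraggle_candidate"                      # unsolicited echo/chargen reply
        elif p.sport in REFLECTOR_PORTS:
            cls = "reflected_" + REFLECTOR_PORTS[p.sport]  # asymmetric: bounced off a real service
        else:
            cls = "direct_udp_flood"                       # symmetric: spoofed sources, arbitrary ports
        totals[cls]["bytes"] += p.size
        totals[cls]["sources"].add(p.src)
        if cls.endswith("_candidate"):
            net = str(ip_network(p.src + "/24", strict=False))
            subnet_responders[(cls, net)].add(p.src)

    findings = []
    for (cls, net), hosts in subnet_responders.items():
        if len(hosts) >= MIN_RESPONDERS_PER_SUBNET:        # many repliers in one broadcast domain
            kind = "smurf" if cls.startswith("smurf") else "fraggle"
            findings.append({"attack": kind, "broadcast_domain": net, "responders": len(hosts)})
    summary = {c: {"bytes": v["bytes"], "sources": len(v["sources"])} for c, v in totals.items()}
    return summary, sorted(findings, key=lambda f: f["attack"])


def sample_capture():
    """Constructed traffic mix: one legitimate DNS exchange plus four attack patterns."""
    pk = [Packet("out", "udp", VICTIM, 40000, "198.51.100.53", 53, 60),     # our DNS query
          Packet("in", "udp", "198.51.100.53", 53, VICTIM, 40000, 120)]     # its legitimate answer
    for i in range(30):   # direct UDP flood: 30 spoofed sources, high ports, full-size packets
        pk.append(Packet("in", "udp", f"10.{1 + i}.{1 + i}.{1 + i}", 1024 + i, VICTIM, 80, 1400))
    for i in range(20):   # reflected DNS: five open resolvers, large answers we never asked for
        pk.append(Packet("in", "udp", f"203.0.113.{1 + i % 5}", 53, VICTIM, 33000 + i, 3000))
    for i in range(40):   # smurf: echo replies from 40 hosts in one /24 we never pinged
        pk.append(Packet("in", "icmp", f"192.0.2.{1 + i}", 0, VICTIM, 0, 84))
    for i in range(25):   # fraggle: chargen replies from 25 hosts in the same /24
        pk.append(Packet("in", "udp", f"192.0.2.{100 + i}", 19, VICTIM, 7, 1024))
    return pk


if __name__ == "__main__":
    summary, findings = classify(sample_capture())
    for cls, v in sorted(summary.items()):
        print(f"{cls:20} bytes={v['bytes']:7d} distinct_sources={v['sources']}")
    for f in findings:
        print("broadcast amplification:", f)
```

The summary shows why the two categories need different responses: the direct flood comes from thirty distinct (spoofed) sources, so blocking sources is pointless and upstream rate limiting or scrubbing is needed, while the reflected DNS traffic comes from only five real resolvers on port 53 and can be filtered on source port and address. The two broadcast-domain findings point at the networks whose routers still forward directed broadcasts.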

During this type of DDOS attack (Fraggle), the packets sent target UDP ports 7 and 19. A successful Fraggle attack is capable of suspending a system, server or network for a very long period of time.

However, since the release of RFC 2644 in 1999, this type of attack is no longer seen. RFC 2644 limits broadcast messages to the broadcast domain of a Local Area Network, so routers no longer forward packets directed to their broadcast addresses.
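As an added example (not from the original article), the following Python checks cover the two places where the RFC 2644 default can be regressed and Smurf or Fraggle reflection becomes possible again: a router interface on which directed-broadcast forwarding has been explicitly re-enabled, and a host that still answers ICMP echo requests addressed to a broadcast address. The Cisco IOS interface command `ip directed-broadcast` and the Linux sysctl `net.ipv4.icmp_echo_ignore_broadcasts` are real settings; the configuration snippets themselves are constructed for this example.

```python
"""Audit configuration for directed-broadcast exposure (added example).

Two checks: (1) an IOS-style running config, for interfaces that explicitly
re-enable directed-broadcast forwarding; (2) a Linux sysctl dump, for hosts
that still answer broadcast pings. Snippets below are constructed.
"""
import re
from typing import List, Optional

SAMPLE_IOS_CONFIG = """\
hostname edge-rtr-1
!
interface GigabitEthernet0/0
 description uplink
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 description lab-segment
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
!
"""

SAMPLE_SYSCTL = """\
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.rp_filter = 1
"""


def interfaces_forwarding_directed_broadcast(config: str) -> List[str]:
    """Interface names whose block contains an explicit `ip directed-broadcast` line.

    An interface with no such line keeps the post-RFC 2644 default (not forwarded),
    so a missing `no ip directed-broadcast` is not by itself a finding.
    """
    offenders, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None
        elif current and re.fullmatch(r"\s+ip directed-broadcast(\s.*)?", line):
            offenders.append(current)                # "no ip directed-broadcast" does not match
    return offenders


def host_answers_broadcast_ping(sysctl_dump: str) -> Optional[bool]:
    """True if the host replies to echo requests sent to a broadcast address.

    Returns None when the key is absent from the dump, so the caller does not
    silently assume a value the dump never stated.
    """
    for line in sysctl_dump.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.icmp_echo_ignore_broadcasts":
            return value.strip() == "0"
    return None


if __name__ == "__main__":
    print("interfaces forwarding directed broadcasts:",
          interfaces_forwarding_directed_broadcast(SAMPLE_IOS_CONFIG))
    print("host answers broadcast ping:", host_answers_broadcast_ping(SAMPLE_SYSCTL))
```

In the constructed config only GigabitEthernet0/1 is reported, because it is the only interface that explicitly turns forwarding back on; the host dump is reported because the sysctl is set to 0. Both checks are read-only and can be run against exported configurations rather than live devices.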

 

 
