DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are attacks whose main purpose is to harm others: they aim at making the target system unusable, either by overloading it with requests or by making it “crash”. When the attack comes from several simultaneous sources, it is called a Distributed Denial of Service (DDoS) attack.
Moreover, a DDoS attack is extremely complex to block, because it is often impossible to differentiate a real request from a DDoS request.
In order to fully understand how this attack works, I will explain some basic network notions.
Even if it’s possible for two systems to establish a connection between them simultaneously, in the general case, one system opens a socket (access point to a TCP connection) and listens to connection requests from another system.
As you may know, the server is in charge of listening to incoming connection requests while the client transmits the requests to the server.
When a client (you) wants to communicate with an external server (dwisesoft.com for example), it must use a communication protocol, in this case the Transmission Control Protocol (TCP).
According to this protocol, the connection from the client to the server is established in three steps: this is called the “Three-way handshake”.
As the name suggests, the Three-way handshake is a three-step process: SYN (synchronize), SYN-ACK (synchronize, acknowledge) and ACK (acknowledge).
Without going into technical details, let’s say that the SYN allows the client to let the server know that it wants to establish a connection. The server then sends back a SYN-ACK in response to the client’s request, letting the client know that it is ready to process the request; the client responds with an ACK, which serves here as an acknowledgement of receipt. Only once this process is completed does the exchange between the client and the server begin.
For a better understanding, think of a Denial of Service (DoS) attack as pouring water into an already full glass: the glass cannot hold any more, and the same happens to a server whose capacity has been exhausted.
Several types of denial of service (DoS) exist. The list given here is by no means exhaustive but serves to give an idea of the types of DoS attacks that exist.
SYN Flood
The SYN Flood takes place during the initialization of the TCP connection and aims at disabling a server with a malicious client. Normal operation consists in performing the three-way handshake (SYN, SYN-ACK, ACK):
As I explained above, the SYN is the packet sent by the client to the server to let it know that it wants to establish a connection. When the client sends the SYN packet, the server allocates resources to process the client’s request.
Now imagine that someone decides to send only SYN packets to a server, never completing the handshake: the server allocates resources for each request and at some point runs out of resources and crashes, because it is overloaded.
Today, this type of attack is practically impossible: improvements in server performance, and also in load distribution, make this manoeuvre difficult.
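As an added illustration (not part of the original article), the following Python model replays a constructed list of connection events through a toy server backlog, showing what the half-open connections described above do to a real client, first without and then with a timeout on half-open entries; it also computes the share of unanswered SYNs, a signal a defender can alert on. The event list, addresses and thresholds are made up.

```python
# Constructed sample of events seen by a listening socket: (time_ms, source, flag).
# One client completes its handshake, four sources send a SYN and never answer the
# SYN-ACK (half-open connections), then a second real client arrives.
EVENTS = [
    (0,   "203.0.113.5",   "SYN"),
    (100, "203.0.113.5",   "ACK"),
    (200, "198.51.100.7",  "SYN"),
    (300, "198.51.100.8",  "SYN"),
    (400, "198.51.100.9",  "SYN"),
    (500, "198.51.100.10", "SYN"),
    (600, "192.0.2.44",    "SYN"),
    (700, "192.0.2.44",    "ACK"),
]

class Listener:
    """Toy SYN backlog: each accepted SYN holds a slot until the final ACK or a timeout."""
    def __init__(self, backlog, half_open_timeout_ms):
        self.backlog = backlog
        self.timeout = half_open_timeout_ms
        self.half_open = {}      # source -> time its SYN was accepted
        self.established = 0
        self.dropped = 0         # SYNs refused because every slot was taken

    def reap(self, now):
        # Mitigation: free slots held by half-open entries older than the timeout.
        for src in [s for s, t in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[src]

    def handle(self, now, src, flag):
        self.reap(now)
        if flag == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped += 1   # symptom of a SYN flood: a real client is refused
            else:
                self.half_open[src] = now
        elif flag == "ACK" and src in self.half_open:
            del self.half_open[src]
            self.established += 1

def simulate(events, backlog, half_open_timeout_ms):
    """Replay the events and report how the listener ended up."""
    srv = Listener(backlog, half_open_timeout_ms)
    for now, src, flag in events:
        srv.handle(now, src, flag)
    return {"established": srv.established, "dropped": srv.dropped, "half_open": len(srv.half_open)}

def unacked_syn_ratio(events):
    """Detection signal: share of SYN sources that never sent the final ACK."""
    syn = {src for _, src, f in events if f == "SYN"}
    ack = {src for _, src, f in events if f == "ACK"}
    return len(syn - ack) / len(syn) if syn else 0.0
```

With `simulate(EVENTS, backlog=4, half_open_timeout_ms=10**9)` (no timeout) the four stale entries fill the backlog and the second real client is refused; with `half_open_timeout_ms=250` the stale entries are reaped and both real clients connect.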
Distributed denial of service (DDoS)
This attack requires a large number of “zombie” machines.
A “zombie” or “bot” is a compromised computer under the control of an attacker, who often controls many other compromised machines that together make up a botnet. The term “zombie” was coined to describe such an infected computer because its owner is often unaware that it is being used for malicious activity.
There are some hackers who specialize only in acquiring “zombie” machines in order to create a large-scale network for a more effective attack. These can be computers, telephones, toasters, refrigerators, any object capable of obtaining an IP address on a network.
These zombie machines are then coordinated by master machines, to which the hacker connects using the TCP protocol; the master machines in turn transmit attack orders to the zombie machines, most often using the UDP protocol.
Simply put, UDP is a telecommunications protocol that does not use the Three-way handshake (it is connectionless) and is therefore faster in data transmission.
The attacker connects directly to the master machines to configure the attack. Attacks can be of the same type as described above, or a simple HTTP request (opening the target’s web page for example).
Given the performance of today’s servers, as well as the large number of filtering and load balancing systems, the attacks described above are hardly feasible. Nevertheless, distributed denial of service is today one of the relatively unstoppable methods of attack. It involves multiplying the sources of the attack so that the target server cannot detect whether it is facing an attack or normal use of its service.