Distributed Denial of Service
(OBJ 2.4)
Denial of Service (DoS Attack)
- An attack that attempts to make a computer or server's resources unavailable to its intended users
Flood Attacks
- Specialized type of DoS that attempts to send more packets to a single server or host than it can handle
Ping Flood
- Overloading a server with ICMP echo requests (pings)
- Often countered by blocking echo replies and simply having the firewall block these requests whenever they are seen
SYN Flood
- Initiating multiple TCP sessions but not completing the 3-way handshake
- Consumes server resources and prevents legitimate connections
- Countermeasures
- Flood guard
- Will detect when a SYN Flood is being attempted, and it'll block the requests at the network boundary, freeing up the server.
- Can be a feature in some firewalls
- Timeout configurations
- Free up resources and prevent the Denial of Service condition from happening
- Intrusion prevention systems
- Can detect and respond to SYN floods as they're being attempted
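Added example for the Ping Flood and SYN Flood notes above (not from the original notes or any product mentioned on the page): a small detector that replays a constructed packet log against the host 10.0.0.5 and flags the two patterns the notes describe. The `key=value` log format, the addresses, and the thresholds are assumptions chosen for illustration.

```python
"""Detect ping-flood and SYN-flood patterns in a constructed packet log.

Added example (not from the original notes). The log format, hosts and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed traffic toward 10.0.0.5 (not captured data)."""
    lines = []
    # Legitimate client: 5 full handshakes (SYN, then ACK) and a few pings.
    for i in range(5):
        lines.append(f"ts={0.1*i:.2f} proto=TCP src=192.0.2.10 dst=10.0.0.5 sport={40000+i} flags=S")
        lines.append(f"ts={0.1*i+0.05:.2f} proto=TCP src=192.0.2.10 dst=10.0.0.5 sport={40000+i} flags=A")
    for i in range(3):
        lines.append(f"ts={float(i):.2f} proto=ICMP src=192.0.2.11 dst=10.0.0.5 type=8")
    # SYN flood: 100 SYNs from one source that are never followed by an ACK.
    for i in range(100):
        lines.append(f"ts={0.01*i:.2f} proto=TCP src=198.51.100.7 dst=10.0.0.5 sport={50000+i} flags=S")
    # Ping flood: 200 ICMP echo requests (type 8) within one second.
    for i in range(200):
        lines.append(f"ts={0.005*i:.3f} proto=ICMP src=203.0.113.9 dst=10.0.0.5 type=8")
    return lines


def parse_line(line):
    """Parse one 'key=value ...' log line into a dict; ts becomes a float."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = float(rec["ts"])
    return rec


def detect_ping_flood(records, window=1.0, threshold=50):
    """Return {src: peak echo requests in any fixed `window`-second bucket}
    for every source whose peak exceeds `threshold`."""
    buckets = defaultdict(int)
    for r in records:
        if r["proto"] == "ICMP" and r.get("type") == "8":
            buckets[(r["src"], int(r["ts"] // window))] += 1
    peak = defaultdict(int)
    for (src, _), n in buckets.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > threshold}


def half_open_connections(records):
    """Replay TCP flags per (src, sport, dst) flow and return the flows that
    sent a SYN but never sent the ACK that completes the 3-way handshake."""
    state = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["proto"] != "TCP":
            continue
        flow = (r["src"], r["sport"], r["dst"])
        if r["flags"] == "S":
            state[flow] = "half-open"
        elif r["flags"] == "A" and state.get(flow) == "half-open":
            state[flow] = "established"
    return [flow for flow, s in state.items() if s == "half-open"]


def detect_syn_flood(records, per_source_threshold=20, total_threshold=50):
    """Two signals: the per-source half-open count (works when the flood comes
    from a real address) and the total half-open count on the server (still
    works when the attacker spoofs a different source on every SYN)."""
    pending = half_open_connections(records)
    per_src = defaultdict(int)
    for src, _, _ in pending:
        per_src[src] += 1
    return {
        "total_half_open": len(pending),
        "total_alert": len(pending) > total_threshold,
        "sources": {s: n for s, n in per_src.items() if n > per_source_threshold},
    }


def analyze(lines):
    records = [parse_line(line) for line in lines]
    return {"ping_flood": detect_ping_flood(records),
            "syn_flood": detect_syn_flood(records)}


if __name__ == "__main__":
    for name, result in analyze(build_sample_log()).items():
        print(name, result)
```

The total half-open count is the signal a flood guard or IPS relies on in practice, because a SYN flood usually arrives from spoofed addresses and no single source stands out; the timeout countermeasure in the notes works on the same state, by expiring half-open entries before they exhaust the server.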
Permanent Denial of Service (PDOS) Attack
- Exploits security flaws to break a networking device permanently by re-flashing its firmware
- Causes the device to be unable to reboot because its OS has been overwritten
- Requires a full firmware reload to bring the device back online
Fork Bomb
- Attack creates a large number of processes, consuming processing power
- Gets its name because the operation that creates a new process is called a 'fork': one process forks into two, two into four, and so on until all resources are consumed
- Not considered a worm, as it doesn't infect programs or use the network
- A fork bomb spreads only within the processor's cache of the single computer being attacked
- Self-replicating nature causes a denial of service condition
Distributed Denial of Service (DDoS Attacks)
- Malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic
- Involves multiple machines attacking a single server simultaneously
- Attackers often use compromised machines within a botnet
- Techniques like DNS amplification can amplify the attack's impact
- DNS Amplification Attack
- Specialized DDoS that allows an attacker to initiate DNS requests from a spoofed IP address (the victim's) to flood a website
- A DNS request uses very little bandwidth to send but the response usually takes up a lot more bandwidth.
- Allows the attack to be amplified against the victim server.
- DDoS attacks aim to force the target server offline temporarily
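Added example for the DNS Amplification notes above (not from the original notes): the victim never sent the queries, because the attacker put the victim's address on them, so the large responses that arrive are unsolicited. The code below replays a constructed log from the victim's network edge, matches inbound DNS responses to the outbound queries the host actually sent, and totals what is left over per reflecting resolver. The log format, addresses, packet sizes and the alert threshold are assumptions.

```python
"""Spot DNS amplification traffic at a victim's network edge.

Added example (not from the original notes). Log format, addresses and
byte sizes are constructed assumptions.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed UDP log for host 10.0.0.5 (not captured data)."""
    lines = []
    # Legitimate: 3 small queries to the site's resolver, each answered.
    for i in range(3):
        lines.append(f"ts={i:.2f} dir=out proto=UDP src=10.0.0.5 sport={5100+i} dst=192.0.2.53 dport=53 bytes=60")
        lines.append(f"ts={i+0.02:.2f} dir=in proto=UDP src=192.0.2.53 sport=53 dst=10.0.0.5 dport={5100+i} bytes=180")
    # Amplified flood: three open resolvers each return 40 large responses to
    # queries 10.0.0.5 never made (the attacker spoofed 10.0.0.5 as source).
    for j, resolver in enumerate(["198.51.100.11", "198.51.100.12", "203.0.113.53"]):
        for i in range(40):
            lines.append(f"ts={0.01*i + 0.001*j:.3f} dir=in proto=UDP src={resolver} sport=53 "
                         f"dst=10.0.0.5 dport={33000+i} bytes=3000")
    return lines


def parse_line(line):
    """Parse one 'key=value ...' line; ts becomes float, bytes becomes int."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def amplification_factor(query_bytes, response_bytes):
    """How many response bytes the reflector emits per query byte sent."""
    return response_bytes / query_bytes


def unsolicited_dns_responses(records):
    """Return inbound DNS responses that match no earlier outbound query.
    A query is keyed by (local host, local port, resolver); the reply flips
    src and dst, so the key is rebuilt from the reply's dst/dport/src."""
    outstanding = set()
    unsolicited = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["proto"] != "UDP":
            continue
        if r["dir"] == "out" and r["dport"] == "53":
            outstanding.add((r["src"], r["sport"], r["dst"]))
        elif r["dir"] == "in" and r["sport"] == "53":
            key = (r["dst"], r["dport"], r["src"])
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited.append(r)
    return unsolicited


def detect_dns_amplification(records, min_bytes=10000):
    """Total unsolicited DNS response bytes, broken down by the resolver that
    reflected them; alert when the total exceeds `min_bytes`."""
    uns = unsolicited_dns_responses(records)
    per_resolver = defaultdict(int)
    for r in uns:
        per_resolver[r["src"]] += r["bytes"]
    total = sum(per_resolver.values())
    return {"unsolicited_packets": len(uns),
            "unsolicited_bytes": total,
            "alert": total > min_bytes,
            "reflectors": dict(per_resolver)}


if __name__ == "__main__":
    records = [parse_line(line) for line in build_sample_log()]
    print("amplification of a 60-byte query answered with 3000 bytes:",
          amplification_factor(60, 3000))
    print(detect_dns_amplification(records))
```

The per-reflector breakdown is what a black hole or sinkhole route acts on, but as the notes say that is temporary: the reflecting resolvers are third parties, and the attacker can pick different ones. The lasting fixes sit elsewhere, with resolvers not answering queries from the open internet and with ISPs dropping packets whose source address could not have come from their network (source address validation), so the spoofed queries never reach a reflector.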
Surviving and Preventing DoS and DDoS Attacks
- Black Hole or Sinkhole
- Routes attacking IP traffic to a non-existent server through a null interface
- Effective but temporary solution
- Attackers can move to a new IP and restart the attack all over again.
- Intrusion Prevention Systems
- Can identify and respond to DoS attacks for small-scale incidents
- Work for small scale attacks against your network
- Not enough processing power to handle a large scale DDoS attack
- Elastic Cloud Infrastructure
- Scaling infrastructure when needed to handle large-scale attacks
- May result in increased costs from service providers
- Specialized Cloud Service Providers
- Providers like Cloudflare and Akamai offer DDoS protection services
- Provide web application filtering, content distribution, and robust network defenses
- Help organizations withstand DDoS and high-bandwidth attacks