We already know what is DOS attack and how it can break up any network causing Denial of Service. If you don’t know about DOS, please read this post before proceeding. We only saw which were the ways in which an attacker can do DOS attacks. In this post, we will discuss What is DDOS attack, i.e. Distributed Denial of Service and why it is much more dangerous than DOS attack. We’ll also discuss the attacks in brief and how it is used
What is DDOS attack?
In DOS, we saw how a person or a group of people deliberately bring down a server causing denial of service to the legitimate users. The attacker can use any of the various methods to execute this attack. DDOS attack is nothing but Denial of Service attack by a group of machines on the server with each machine using different attacking method. The attacker may use zombie machines to carry out this stunt or a group of people can directly attack on server using different attacking methods thus collapsing the server and denying the service.
In DOS, we saw the various methods an attacker can use to do this attack like Echo Chargen, DNS Attacks, Ping of Death, Syn Flood, Smurf, Tear Drop.
If 4 attackers each use any 4 different methods from the above and launch an attack at the very same time, the server is bound to crash denying the service. This is DDOS attack.
Why use DDOS when you have DOS?
Well for starters DDOS is much more dangerous with higher chances of crashing a server. As discussed in the earlier post about DOS, switches and routers have extra security measures against DOS. If the router or server blocks any source, it can’t do DOS attack on it.
Also if the administrator is alert and active, the attack may fail. But when it comes to DDOS, a server can’t possibly block three or more sources at once, plus until the router/switch or administrator figures out what is going on, the server might have crashed already thus successfully executing the attack. DDOS increases your chances when you attack. Let us now discuss each method in brief.
Types of DOS attacks!
- Echo Chargen: Chargen is an IP suite protocol which helps us test the network capacity.
In this attack the attacker sets up chargen process on one host to generate echo packets to the server. The server by its nature will reply to them. But this does not end here, instead it continues thus creating an endless loop between the host and server and denying services to others at the same moment. - DNS Attacks: DNS helps the browser to find the IP address of any website. But, if the attacker attacks DNS server and changes its cache settings, all the traffic will be redirected to some other side.
If DNS is working just fine, if you enter Geekstarts.info, it’ll give the address of Geekstarts. But if attacker changes its values and you enter Geekstarts.info, it might lead you to some other site thus denying you the service. - Ping of Death: The most simple and easy DOS attack. The attacker pings the host with a packet that is well beyond competence of host. For example, if server is on 10MB line, attacker will flood it with a series of pings on a 50 MB connection line, obviously the server can’t handle this. Also, if the server accepts a packet with largest size of 20,000 and attacker pings it with a packet size of 40,000, the server will crash, thus denying the service.
- SYN flood: TCP protocol uses a three-way handshake method. In this handshake, first the source sends a packet with SYN bit on. The destination replies with a packet with SYN and ACK (Acknowledgement) bits on. The source then sends a packet with ACK bit on to tell the destination it received the packet. This is how the normal handshake works.
But in SYN flood when the source receives a packet with SYN and ACK bit on, it sends a packet again with SYN bit and floods destination with it. The destination keeps on replying with SYN and ACK bit on but source never acknowledges the packet thus keeping the destination in loop. - Smurf: Smurf attack also uses ping packets but in this, the attacker chooses a victim and carries out the attack through him. The attacker gains control of the victim’s machine and broadcasts a ping message to everyone on network. All the machines present reply to this message and end up flooding the victim’s machine with packets.
- Tear Drop: IP datagram protocol allows a packet to be fragmented and sent to the destination to enhance the network communication. Tear drop attack misuses this feature by sending incorrect lengths so that the receiver won’t be able to reassemble the fragmented parts. The packets will overlap each other and eventually the receiver crashes.
DOS attack can be performed using the above six methods. When two or more of examples are executed at the same time on a single machine then we call it as DDOS attack, as in Distributed Denial of Attack.
How attacker executes a DDOS attack?
The attacker can execute this attack in two ways.
- The attacker along with a group of his allies will attack a server with different DOS attacks all at one time.
DDOS attack by group of attackers
- The attacker plants a trojan horse in client machines in a network. Infected machinesare called as Zombie machines. Attacker can then decide a time, and using the trojan execute various DOS attacks on the server in the network all at once. In this way, the attacker alone can do the DDOS attack
DDOS attack through zombie machines
How to handle DDOS attacks?
Since there are many methods an attacker can use and do a DDOS attack, there is no full-proof prevention from DDOS attack. However, to prevent various client machines from becoming a zombie, the administrator must keep his firewall settings updated and keep the network secure using IDS. The administrator must also take special care if he/she observes any anomaly in the network.