Those who follow technology and internet news have certainly come across articles about DoS or DDoS attacks on websites or servers. The motivations vary widely: protests, fraud attempts, disputes between groups that act online, and so on. However, few people really know what these actions mean, how they work and what their consequences are. For this reason, we present a brief explanation of the subject below.
What are DoS attacks?
DoS attacks (DoS stands for Denial of Service) consist of attempts to make computers – Web servers, for example – unable, or barely able, to perform their tasks. Instead of “invading” the computer or infecting it with malware, the attacker causes the machine to receive so many requests that it can no longer handle them. In other words, the computer is so overloaded that it denies service.
Figuratively speaking, imagine that you take a bus regularly to go to work. One day, however, a large number of people “skip the line” and get into the vehicle, leaving it so full that you and the other regular passengers are unable to get in. Or, imagine that you manage to get on the bus, but it gets so crowded that it cannot leave because of the excess weight. The bus ends up denying its service – that of transporting you to a destination – because it received more requests – in this case, passengers – than it is capable of supporting.
The most common DoS attacks exploit characteristics of the Transmission Control Protocol / Internet Protocol (TCP/IP), so they can occur on any computer that uses it. A well-known form of attack, for example, is SYN Flooding. To establish a connection, a computer sends the server a TCP segment known as SYN (Synchronize). If the server accepts the connection request, it answers with an acknowledgement (a SYN-ACK segment) and waits for the requesting computer to complete the handshake with a final ACK (Acknowledgement). In a SYN flood, the server receives a large number of SYNs whose handshakes are never completed; its table of half-open connections fills up, it can no longer respond to all requests and starts refusing new ones.
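The handshake just described can be monitored on the server side: during normal operation almost every SYN turns into an established connection within milliseconds, whereas during a SYN flood the half-open entries pile up and almost no handshake completes. The following added example (not code from the original article) summarises connection-tracking events per time window and flags windows with a high SYN volume and a low completion rate. The event records, addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and thresholds are constructed for the example; real input would come from a packet capture or a connection tracker.

```python
"""Detecting a SYN flood from handshake-completion statistics (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    ts: float   # seconds since the start of the capture
    src: str    # client IP address
    sport: int  # client source port
    flags: str  # "S": SYN from the client; "A": the client's final ACK of the handshake


def handshake_stats(events, window=1.0):
    """Summarise the three-way handshake per time window.

    Returns {window_index: {"syns": n, "completed": n, "sources": n}}.
    A SYN with no matching ACK stays half-open (the server's SYN_RECV state).
    """
    pending = set()  # (src, sport) pairs that sent a SYN and still owe the final ACK
    stats = defaultdict(lambda: {"syns": 0, "completed": 0, "sources": set()})
    for ev in sorted(events, key=lambda e: e.ts):
        w = int(ev.ts // window)
        key = (ev.src, ev.sport)
        if ev.flags == "S":
            pending.add(key)
            stats[w]["syns"] += 1
            stats[w]["sources"].add(ev.src)
        elif ev.flags == "A" and key in pending:
            pending.discard(key)
            stats[w]["completed"] += 1
    # Reduce the source sets to counts for a plain summary.
    return {w: {"syns": s["syns"], "completed": s["completed"],
                "sources": len(s["sources"])} for w, s in stats.items()}


def flood_windows(stats, min_syns=50, max_completion=0.2):
    """Return the windows whose SYN volume is high and whose handshakes mostly never finish."""
    hits = []
    for w, s in sorted(stats.items()):
        rate = s["completed"] / s["syns"] if s["syns"] else 1.0
        if s["syns"] >= min_syns and rate <= max_completion:
            hits.append(w)
    return hits


def constructed_events():
    """Constructed sample: one second of normal traffic, then one second of flood."""
    events = []
    # Normal traffic: five clients complete the handshake 50 ms after their SYN.
    for i in range(5):
        t = 0.1 * (i + 1)
        events.append(TcpEvent(t, f"203.0.113.{10 + i}", 50000 + i, "S"))
        events.append(TcpEvent(t + 0.05, f"203.0.113.{10 + i}", 50000 + i, "A"))
    # Flood: 200 SYNs from 200 different (possibly spoofed) addresses; no ACK ever arrives.
    for i in range(200):
        events.append(TcpEvent(1.0 + i * 0.004, f"198.51.100.{i % 250}", 40000 + i, "S"))
    return events


if __name__ == "__main__":
    stats = handshake_stats(constructed_events())
    for w, s in sorted(stats.items()):
        print(f"window {w}: {s}")
    print("suspected SYN flood in windows:", flood_windows(stats))
```

The completion rate, not the SYN count alone, is what separates a flood from a legitimate traffic spike: a popular site also sees many SYNs, but its clients finish the handshake. The same statistics are a natural input for the countermeasures discussed later (SYN cookies, backlog tuning, or rate limiting per source).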
Another common form of attack is the UDP Packet Storm, where a computer makes constant requests for a remote machine to send response packets back to the requester. The machine becomes so overloaded that it cannot perform its functions.
Less frequently, another kind of attack exploits security holes in software, especially operating systems (hence the importance of always keeping them up to date and protected with security tools). In this type, an attacker scans the network for vulnerable machines and sends them packets that, because of the flaw, cause the system to stop working.
What are DDoS attacks?
DDoS (Distributed Denial of Service, as listed on Abbreviationfinder) is a large-scale type of DoS attack: it uses up to thousands of computers to attack a particular machine, distributing the action among them. It is a form that appears constantly in the news, since it is the most common type of attack on the internet.
DDoS attacks have been carried out for some time and have already damaged well-known companies. Historically, servers from CNN, Amazon, Yahoo, Microsoft and eBay have been “victims”. In December 2010, for example, the websites of Visa, Mastercard and Paypal suffered DDoS attacks from a group defending the lack of “censorship” on the internet. In February 2012, attacks were carried out against Brazilian bank websites for similar reasons.
For DDoS attacks to be successful, it is necessary to have a large number of computers to make them part of the “army” that will participate in the action. One of the best ways found to have so many machines was to insert DDoS attack programs into viruses or malicious software.
Initially, DDoS attack organizers tried to “enslave” computers that acted as servers on the Internet. However, with the constant increase in internet access speeds brought by broadband connections, interest shifted to the computers of home users, since they represent an extremely large number of machines and can often be “enslaved” more easily.
To reach the masses, that is, the huge number of computers connected to the internet, malware (i.e. viruses, Trojan horses, etc.) was and still is created with the intention of spreading small programs for DoS attacks. Thus, when a virus with such capability contaminates a computer, that computer becomes available to take part in a DoS attack, and the user is hardly ever aware that their machine is being used for such purposes. Since the number of computers participating in the attack is large, it is a very complicated task to find out exactly which machine is coordinating the attack.
A very common form of attack makes use of botnets: in a nutshell, a network formed by infected computers that can be controlled remotely by the attacker. The computers that compose it thus work in the “enslaved” way already mentioned.
In this form of attack, the use of home computers is common, as they are the majority and are often not properly protected. Thus, it is easier to infect them with malware that has instructions to make the machine participate in a DDoS attack.
When the computer becomes part of a botnet, this machine can be called a “zombie”. After contamination, “zombies” can come into contact with “master” machines, which in turn receive guidance (when, on which site / computer, type of attack, among others) from an “attacking” or “leader” computer.
A “master” computer can be responsible for up to thousands of computers. Note that in these cases, DoS attack tasks are distributed to an “army” of “enslaved” machines, living up to the name Distributed Denial of Service. The image below illustrates the botnet hierarchy in DDoS attacks:
Once infected, computers start executing the orders they receive, such as constantly sending data packets to a specific server until it can no longer respond to so many requests.
To make the attack even more effective, several techniques can be used. In one of them, the source IP address of the packets is replaced with a false one (spoofing), making it difficult to discover the origin of the action.
Combating DoS or DDoS attacks
Since servers differ in structure and resources, there is no magic formula that works on every implementation to prevent or combat denial of service attacks. Each case is different, not to mention that, in most cases, it is difficult even to identify the problem. But there are some weapons to fight it, although none of them guarantees 100% protection.
For example, filters can be used to identify and block packets with false IP addresses (anti-spoofing). Another idea is to use tools that help identify attacks, such as an IDS (Intrusion Detection System), and make decisions based on the information obtained, such as increasing the processing capacity (if possible) or limiting bandwidth according to the type of data packet. Depending on the application, you can also use mechanisms that are able to identify a legitimate request (through authentication, for example) and respond only to it.
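Two of the controls mentioned above, anti-spoofing filtering and bandwidth limiting per source, are easy to illustrate on packet records. The following added example (not code from the original article) implements an ingress filter that accepts a packet only if its source address belongs to the prefix assigned to the network it arrives from (the idea behind BCP 38 ingress filtering, which stops forged addresses at the network edge) and a per-source token bucket that lets each address send a sustained rate of requests with a limited burst, dropping the excess before it reaches the application. The packet records, the customer prefix 203.0.113.0/24 and the rate parameters are constructed for the example.

```python
"""Anti-spoofing ingress filter and per-source token-bucket rate limit (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float  # seconds since the start of the capture
    src: str   # source IP address as written in the packet
    dst: str   # destination IP address


class IngressFilter:
    """Accept only packets whose source address lies inside the prefixes of the
    network the interface serves; anything else carries a forged source."""

    def __init__(self, allowed_prefixes):
        self.nets = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def allows(self, pkt):
        addr = ipaddress.ip_address(pkt.src)
        return any(addr in net for net in self.nets)


class TokenBucketLimiter:
    """Each source may send `rate` packets per second on average, with bursts
    of up to `burst` packets; a packet is passed only if a token is available."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # src -> (tokens, timestamp of last update)

    def allows(self, pkt):
        tokens, last = self.buckets.get(pkt.src, (self.burst, pkt.ts))
        tokens = min(self.burst, tokens + (pkt.ts - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[pkt.src] = (tokens - 1, pkt.ts)
            return True
        self.buckets[pkt.src] = (tokens, pkt.ts)
        return False


def filter_packets(packets, ingress, limiter):
    """Apply both controls in order and count what happened to each packet."""
    verdicts = {"spoofed": 0, "rate_limited": 0, "passed": 0}
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not ingress.allows(pkt):
            verdicts["spoofed"] += 1       # dropped at the edge: forged source
            continue
        if not limiter.allows(pkt):
            verdicts["rate_limited"] += 1  # genuine source, but sending too fast
            continue
        verdicts["passed"] += 1
    return verdicts


def constructed_packets():
    """Constructed traffic arriving from a customer network 203.0.113.0/24."""
    server = "192.0.2.1"
    pkts = []
    # A well-behaved host: ten requests, one every half second.
    pkts += [Packet(0.5 * i, "203.0.113.5", server) for i in range(10)]
    # A misbehaving (or infected) host: one hundred requests within 100 ms.
    pkts += [Packet(0.001 * i, "203.0.113.77", server) for i in range(100)]
    # Packets with forged sources outside the customer prefix.
    pkts += [Packet(0.25 + 0.01 * i, f"198.51.100.{i}", server) for i in range(20)]
    return pkts


def demo():
    ingress = IngressFilter(["203.0.113.0/24"])
    limiter = TokenBucketLimiter(rate=2.0, burst=5)  # 2 packets/s, bursts of 5
    return filter_packets(constructed_packets(), ingress, limiter)


if __name__ == "__main__":
    print(demo())
```

With these parameters the well-behaved host passes all ten requests, the misbehaving host gets its first five through and has the remaining 95 dropped, and all twenty forged packets are rejected before the rate limiter even sees them. Ingress filtering is most effective when applied at the network that originates the traffic, since that is the only place where the true address range of the sender is known.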
As each case is different, the ideal is to have a plan to combat the problem. In large-scale activities, such as website hosting services, for example, a well-prepared security team that knows the application’s structure well and has adequate computational tools can be quite efficient in combating attacks.
DoS or DDoS attacks are quite frequent, especially since there are several tools that assist in carrying them out, so the number of cases is far from small. In addition, when a well-known website is affected, the subject easily becomes a news item.
This causes certain misunderstandings to spread. When the websites of financial institutions are targeted, for example, there is a fear that customer data may be captured. However, DDoS attacks only “bring down” servers. To capture data or deface websites, some kind of intrusion is needed, which is much more difficult.
It is worth noting that institutions of all sizes and home users can also take some measures to help prevent these problems: updating software, protecting the system with security solutions (firewall, antivirus and the like) and putting other precautions into practice can prevent their computers from being used as “zombies” in attacks, a situation that also increases the machine's resource consumption and internet traffic.