2.2.5 Distributed Denial of Service (DDOS)


Questions and Answers

What is the primary goal of a Distributed Denial of Service (DDoS) attack?

  • To deface the target website with propaganda or malicious content.
  • To overload a website or network with malicious traffic, making it unavailable to legitimate users. (correct)
  • To gain unauthorized access to the target network's internal systems.
  • To steal sensitive user data from the target website.

In what way does a DDoS attack exploit 'legitimate connections'?

  • By using stolen credentials to access and disrupt services.
  • By overwhelming the targeted system with a volume of traffic that mimics genuine user activity. (correct)
  • By redirecting legitimate user traffic to malicious sites.
  • By injecting malicious code into the data streams of legitimate connections.

Why is blocking individual IP addresses often ineffective in mitigating a DDoS attack?

  • Because blocking IP addresses can inadvertently block legitimate users, causing collateral damage.
  • Because DDoS attacks are distributed across a large number of IP addresses, making it impractical to block them all. (correct)
  • Because modern networks automatically reroute traffic around blocked IP addresses.
  • Because attackers use sophisticated encryption techniques to hide their IP addresses.

Which layer of the OSI model is targeted by an HTTP flood attack?

Answer: Application Layer (A)

What is the primary purpose of a botnet in a DDoS attack?

Answer: To amplify the attack's volume by leveraging a large number of compromised machines. (A)

Which type of DDoS attack involves exploiting the three-way handshake process?

Answer: SYN Flood (B)

In a SYN flood attack, what is the significance of spoofing the source IP address?

Answer: It causes the server to send SYN-ACK packets to nonexistent or unreachable hosts, wasting resources. (C)

Which type of DDoS attack relies on amplifying traffic by exploiting DNS servers?

Answer: DNS Amplification (C)

Why is it difficult to distinguish malicious traffic from legitimate traffic in some DDoS attacks?

Answer: Because attackers often use the same protocols and methods as legitimate users. (C)

What is a key characteristic of volumetric DDoS attacks?

Answer: They aim to saturate the target's network bandwidth with a high volume of traffic. (D)

What is the main advantage for an attacker in using DNS amplification for a DDoS attack?

Answer: It enables them to amplify the volume of traffic they can generate with a limited number of resources. (D)

What is the most common symptom experienced by legitimate users during a successful DDoS attack?

Answer: They experience slow loading times or are unable to access the targeted website or service. (D)

Why is it important to implement specialized DDoS mitigation techniques, rather than relying solely on traditional network security measures?

Answer: Because traditional network security measures are designed to protect against different types of threats. (A)

What is the role of compromised machines in a DDoS attack?

Answer: They generate and send malicious traffic to the target system. (D)

In the context of DDoS attacks, what does the term 'overload' refer to?

Answer: Exceeding the computational or network capacity of the targeted system. (C)

Which of the following is a characteristic of 'application layer' DDoS attacks?

Answer: They consume server resources by making seemingly legitimate requests. (C)

What is the primary difference between a 'protocol attack' and a 'volumetric attack' in the context of DDoS?

Answer: Protocol attacks exploit vulnerabilities in network protocols, while volumetric attacks aim to saturate bandwidth. (C)

Why are botnets often composed of devices whose owners are unaware of their involvement in a DDoS attack?

Answer: Because the devices have been infected with malware that operates without the owner's knowledge or consent. (B)

How does the computational imbalance between client and server contribute to the effectiveness of application layer DDoS attacks?

Answer: It means that the server expends significantly more resources responding to a request than the client does making it, amplifying the impact of each malicious request. (A)

In a SYN flood attack, what is the state of connections left waiting for the second part of the three-way handshake?

Answer: They remain in a hung state, consuming server resources. (B)

What is the key difference between an amplification-based DDoS attack and other types of DDoS attacks, in terms of the resources required by the attacker?

Answer: Amplification attacks require less bandwidth from the attacker, as they rely on third-party servers to amplify the traffic. (A)

What is the primary impact of a successful volumetric DDoS attack on legitimate application users?

Answer: They experience reduced application performance due to network congestion. (D)

In a DNS amplification attack, why are DNS servers targeted?

Answer: Because DNS servers have high bandwidth capacity and can generate large responses to small queries. (B)

What is a key challenge in mitigating DDoS attacks that mimic legitimate traffic?

Answer: Distinguishing between malicious and legitimate requests without blocking legitimate users. (D)

Why is it difficult to implement single IP address blocks to prevent all types of DDoS Attacks?

Answer: Due to the distributed nature of the attacks, with the attack coming from a vast number of hosts. (A)

Which statement is most accurate regarding the owners of devices used in a botnet?

Answer: Device owners are typically unaware that their devices are part of a botnet. (C)

What is the role of 'spoofed IP addresses' in SYN flood and DNS amplification attacks?

Answer: To prevent the target from identifying the true source of the attack traffic. (B)

Which scenario best describes an application layer DDoS attack?

Answer: Sending a high volume of HTTP requests to a specific web page to exhaust server resources. (B)

What makes a 'volumetric attack' different from other DDoS attack types?

Answer: Volumetric attacks are characterized by a massive flood of traffic, overwhelming network bandwidth. (B)

How does the architecture of a network with 'auto scaling' help in mitigating DDoS attacks?

Answer: It dynamically adjusts server capacity to handle increased traffic loads. (B)

An attacker sets up a botnet comprised of low-powered IoT devices to flood a target server with seemingly legitimate HTTP requests. The aim is to exhaust the server's resources and prevent legitimate users from accessing the service. Which type of DDoS attack is being employed?

Answer: Application Layer Attack (HTTP Flood) (B)

A network administrator observes a sudden surge in network traffic consisting of small DNS requests originating from numerous unique IP addresses, all directed towards a handful of public DNS resolvers. The responses from these resolvers are significantly larger than the requests and are directed towards the organization's web servers, causing them to become unresponsive. Which type of DDoS attack is likely occurring?

Answer: DNS Amplification (C)

An attacker leverages a botnet to send a massive number of TCP SYN packets to a target server with spoofed source IP addresses. The server responds to each SYN packet with a SYN-ACK packet, but because the source IP addresses are spoofed, the final ACK packet in the TCP handshake is never received. This leaves the server with numerous half-open connections, exhausting its resources. Which type of DDoS attack is being conducted?

Answer: SYN Flood (C)

A company's web application experiences a sudden and unexplainable slowdown. Upon investigation, the network security team discovers that the web servers are receiving an abnormally high volume of seemingly legitimate HTTP GET requests for resource-intensive pages, such as those involving complex database queries or image processing. These requests are originating from a large number of distinct IP addresses spread across the globe. Which type of DDoS attack is most likely in progress?

Answer: Application Layer Attack (HTTP Flood) (B)

A network engineer notices an unusually high volume of inbound UDP traffic flooding their organization's network. The traffic is originating from a large number of distinct IP addresses and is directed towards a wide range of ports on the organization's servers. The network's bandwidth is being saturated, causing legitimate traffic to be dropped and resulting in widespread service disruptions. Which type of DDoS attack is most likely occurring?

Answer: UDP Flood (D)

An attacker manages to infiltrate a cluster of web servers running behind a load balancer. After gaining administrative access to each server, they deploy a malicious script that causes each server to repeatedly request a large file download from a single backend database server. The database server quickly becomes overwhelmed, causing database queries for legitimate user requests to time out and the entire application to become unavailable. What kind of attack is this?

Answer: Internal Resource Exhaustion Attack (C)

A government agency is investigating a series of coordinated cyberattacks against critical infrastructure targets, including power grids, water treatment plants, and communication networks. Forensic analysis reveals the attacks involved highly customized malware designed to exploit zero-day vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Furthermore, the attacks were carefully timed to coincide with specific operational events and involved the coordinated use of multiple attack vectors, including DDoS attacks to mask the attackers' activities. Which type of attack is this?

Answer: Advanced Persistent Threat (APT) (D)

A threat intelligence firm discovers a sophisticated DDoS botnet composed entirely of compromised network infrastructure devices, such as routers, switches, and firewalls, rather than end-user devices. These devices have been infected with custom firmware that allows attackers to remotely control them and launch high-volume DDoS attacks without being easily traced back to the original source. The botnet also employs advanced techniques to evade detection, such as dynamically shifting the source port and IP addresses of attack traffic. In which challenging attribute would you classify this?

Answer: Infrastructure-Level Botnet (D)

An attacker uses a global network of compromised high-reputation cloud servers, each with a dedicated high-speed internet connection, to flood a banking network with HTTPS requests. The requests all appear cryptographically valid and originate from millions of different source IP addresses worldwide. The connections all correctly negotiate TLS 1.3 encryption. What technique would be most effective to identify this attack?

Answer: Leveraging Machine Learning to Identify Behavioral Anomalies (A)

Flashcards

DDoS Attacks

Attacks designed to overload websites, competing against legitimate connections.

Botnet

A network of compromised machines used to launch DDoS attacks.

Application Layer Attack

Exploits imbalance of processing between client and server to overwhelm server.

SYN Flood

Attack using spoofed IP addresses to initiate many connection attempts, exhausting server resources.


DNS Amplification

Attack where small requests to DNS servers trigger large responses to a spoofed IP, overwhelming the target.


Volumetric Attack

Attack that exploits protocol data imbalance to overwhelm a system with large amounts of data.


Distributed Denial of Service (DDoS)

A type of cyber attack where multiple compromised devices are used to flood a target website or network with traffic.


Study Notes

Distributed Denial of Service (DDoS)

  • Attacks designed to overload websites
  • These attacks compete against legitimate connections
  • Distributed, making it hard to block individual IPs/Ranges
  • Often involve large armies of compromised machines called botnets
  • Achieving the end goal of overloading websites/internet-based services can come in many forms

DDoS Attack Challenge

  • When dealing with DDoS attacks it's hard to identify and block traffic
  • This is because there can be millions of IP addresses involved with larger internet scale attacks
  • Dealing with DDoS attacks requires specific hardware or software protections

Three Categories of DDoS Attacks

  • These attacks generally fall into one of three categories:
  • Application Layer attacks, such as HTTP Floods
  • Protocol attacks, such as SYN Floods
  • Volumetric attacks such as DNS Amplification

Application Layer Attacks

  • These attacks take advantage of the imbalance of processing between the client and server
  • Easy to request a webpage that requires complex server processing
  • Multiplying the load difference has devastating effects
  • An attacker controls a network of compromised devices (botnet) via a control location, often disguising their real location
  • The botnet floods the servers with requests, overwhelming them

Protocol-Based Attacks such as SYN floods

  • These attacks take advantage of connection-based requests
  • SYN floods spoof a source IP address and attempt to initiate a connection with a server
  • Normally, a connection is initiated via a three-stage handshake
  • The server tries to perform step two of the handshake.
  • The process hangs, waiting for a specified duration, and consumes network resources
  • Multiplying this effect has significant impact on your ability to provide a service

Volumetric Attacks such as DNS Amplification

  • This attack relies on protocols like DNS that use small amounts of data to request, but can deliver a large amount of data in response
  • An attack of this nature makes many requests to DNS servers, with the source address spoofed
  • The DNS servers respond to what they see as legitimate requests, overwhelming a service
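To make the three categories concrete from the defender's side, here is an added example (not part of the original study notes or of the course they summarize) that runs one simple detection heuristic per category over constructed flow records. The `Flow` record layout, the address 203.0.113.10 as the protected front-end server, and every threshold are assumptions chosen for illustration; the sample traffic is constructed inline. The HTTP-flood finding also reports how many distinct sources the requests come from, which is the point behind the note that blocking individual IPs is impractical.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumption (constructed for this example): the front-end server we defend,
# taken from the TEST-NET-3 documentation range.
PROTECTED = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    """One record in a hypothetical, simplified flow-log format."""
    ts: float      # seconds since the start of the capture window
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flags as letters: "S" SYN, "A" ACK, "PA" data; "" for UDP
    nbytes: int


def detect_syn_flood(flows: List[Flow], min_syns: int = 100,
                     max_completion: float = 0.2) -> Optional[dict]:
    """Protocol-attack signal: many sources send a SYN but almost none ever send
    the final ACK, so the server is left holding half-open connections.
    Simplification: a pure-ACK packet from a source that sent a SYN counts as a
    completed handshake."""
    to_srv = [f for f in flows if f.proto == "tcp" and f.dst == PROTECTED]
    syn_sources = {f.src for f in to_srv if f.flags == "S"}
    ack_sources = {f.src for f in to_srv if f.flags == "A"}
    if len(syn_sources) < min_syns:
        return None
    completion = len(syn_sources & ack_sources) / len(syn_sources)
    if completion >= max_completion:
        return None
    return {"category": "protocol", "name": "SYN flood",
            "half_open_sources": len(syn_sources - ack_sources),
            "completion_ratio": round(completion, 3)}


def detect_dns_amplification(flows: List[Flow], min_ratio: float = 10.0) -> Optional[dict]:
    """Volumetric-attack signal: inbound UDP/53 answers whose total size dwarfs
    the DNS queries the server itself sent, i.e. unsolicited responses."""
    queries_out = sum(f.nbytes for f in flows
                      if f.proto == "udp" and f.src == PROTECTED and f.dport == 53)
    responses = [f for f in flows if f.proto == "udp" and f.dst == PROTECTED and f.sport == 53]
    if not responses:
        return None
    responses_in = sum(f.nbytes for f in responses)
    ratio = responses_in / max(queries_out, 1)
    if ratio < min_ratio:
        return None
    return {"category": "volumetric", "name": "DNS amplification",
            "amplification_ratio": round(ratio, 1),
            "resolvers_abused": len({f.src for f in responses}),
            "inbound_bytes": responses_in}


def detect_http_flood(flows: List[Flow], baseline_rps: float = 5.0,
                      factor: float = 10.0) -> Optional[dict]:
    """Application-layer signal: request rate on the web port far above the
    normal baseline, spread thinly over many sources so that no single IP
    exceeds a per-IP limit (which is why per-IP blocking does not help)."""
    reqs = [f for f in flows if f.proto == "tcp" and f.dst == PROTECTED
            and f.dport == 443 and f.flags == "PA"]
    if not reqs:
        return None
    window = max(1.0, max(f.ts for f in reqs) - min(f.ts for f in reqs))
    rps = len(reqs) / window
    if rps < baseline_rps * factor:
        return None
    per_source = Counter(f.src for f in reqs)
    return {"category": "application", "name": "HTTP flood",
            "requests_per_second": round(rps, 1),
            "distinct_sources": len(per_source),
            "max_requests_per_source": max(per_source.values())}


def classify(flows: List[Flow]) -> List[dict]:
    """Run all three detectors; returns one finding per category that fires."""
    findings = (detect_syn_flood(flows), detect_dns_amplification(flows), detect_http_flood(flows))
    return [f for f in findings if f is not None]


def constructed_sample() -> List[Flow]:
    """Constructed traffic containing one instance of each category."""
    flows = []
    # Protocol: 200 spoofed sources send one SYN each; only the first 10 ever ACK.
    for i in range(200):
        src = f"198.51.100.{i + 1}"
        flows.append(Flow(i * 0.01, src, 40000 + i, PROTECTED, 443, "tcp", "S", 60))
        if i < 10:
            flows.append(Flow(i * 0.01 + 0.1, src, 40000 + i, PROTECTED, 443, "tcp", "A", 52))
    # Volumetric: the server sent 2 real DNS queries, yet 300 large answers arrive from 3 resolvers.
    for q in range(2):
        flows.append(Flow(float(q), PROTECTED, 50000 + q, "192.0.2.53", 53, "udp", "", 60))
    for r in range(300):
        flows.append(Flow(r * 0.02, f"192.0.2.{r % 3 + 1}", 53, PROTECTED, 33000 + r, "udp", "", 3000))
    # Application: 1000 HTTPS requests in ~10 s from 400 sources, only 2-3 requests each.
    for i in range(1000):
        n = i % 400
        src = f"100.64.{n // 250}.{n % 250 + 1}"
        flows.append(Flow(i * 0.01, src, 50000 + i, PROTECTED, 443, "tcp", "PA", 400))
    return flows
```

Running `classify(constructed_sample())` yields three findings. The numbers that matter for mitigation are the ones the notes highlight: the SYN flood leaves 190 of 200 sources half-open, the DNS responses are thousands of times larger than what the server asked for, and the HTTP flood is 400 sources sending at most three requests each, so a per-IP threshold never trips and the signal has to come from the aggregate rate.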

DDoS Attack Orchestration

  • DDoS attacks are often orchestrated by one or a small number of people controlling huge botnets
  • Botnets are constructed of machines, like laptops and desktops, infected with malware
  • The owners of these hosts don't realize they're part of the attack

Valid Application Architecture

  • This is the expected way the application should work
  • A number of servers provide website functionality
  • These servers are normally provisioned based on normal loads plus a buffer, or they are built to auto scale
  • Servers run within a hosting environment which is connected to the public internet via data connection
  • The connection has a limited amount of transferable data
  • Vast majority of connections are from legitimate application users
  • These users typically establish tcp/443 connections with frontend servers to upload data

Application Layer (FLOOD) Attacks

  • An attacker controls a network of compromised devices (botnet) via a control location often disguised with a VPN to hide their location
  • They exploit the fact that requests are cheap for clients to make but computationally expensive for servers to deliver.
  • This flood of requests overwhelms the server
  • The botnet sends thousands of requests toward the Catagram servers
  • Legitimate users of the application are prevented from accessing the website because they have to compete for access with the attack
  • The performance of the application is reduced to failure levels

Protocol Attack - SYN FLOODS

  • A botnet generates a huge number of spoofed SYNs (connection initiations)
  • The server sees these as normal connection attempts and sends SYN-ACKs back to the spoofed IPs
  • The Catagram servers will wait for an ACK (which will never arrive, as the spoofed remote IPs will never respond)
  • This attack prevents network resources from being used for legitimate requests, significantly reducing the capacity of the application infrastructure
  • The three-way handshake is designed to work with slower or less reliable connections, so the catagram.io infrastructure will wait
  • While these connections wait for the second part of the three-way handshake, their resources are not available for legitimate connections
  • A botnet can take down the service entirely if there is a sufficient number of compromised hosts
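As an added example (not from the original notes or the course they summarize) of what "the infrastructure will wait" costs the server, the following Python model tracks a server's half-open connection table while spoofed SYNs (never acknowledged) and legitimate SYNs (acknowledged after one round trip) arrive at fixed rates, and contrasts it with SYN cookies, a standard stateless mitigation that the notes do not mention. The backlog capacity, timeout, round-trip time and arrival rates are constructed values, not measurements of any real system.

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    """Model of a server's half-open connection table (the listen backlog)."""
    capacity: int
    timeout: float              # how long a half-open entry is kept before it is dropped
    syn_cookies: bool = False   # if True, no state is kept until the final ACK arrives
    half_open: dict = field(default_factory=dict)   # conn_id -> expiry time
    accepted: int = 0           # handshakes completed
    dropped_syn: int = 0        # SYNs refused because the table was full
    expired: int = 0            # entries dropped because no ACK came in time

    def _expire(self, now: float) -> None:
        stale = [cid for cid, exp in self.half_open.items() if exp <= now]
        for cid in stale:
            del self.half_open[cid]
        self.expired += len(stale)

    def on_syn(self, now: float, conn_id: str) -> bool:
        """Server receives a SYN. Returns False if it had to be dropped."""
        self._expire(now)
        if self.syn_cookies:
            return True   # SYN-ACK carries an encoded cookie; nothing is stored
        if len(self.half_open) >= self.capacity:
            self.dropped_syn += 1
            return False  # table full: a legitimate client sees a timeout here
        self.half_open[conn_id] = now + self.timeout
        return True

    def on_ack(self, now: float, conn_id: str) -> bool:
        """Third step of the handshake: only ever sent by a real client."""
        self._expire(now)
        if self.syn_cookies or self.half_open.pop(conn_id, None) is not None:
            self.accepted += 1
            return True
        return False


def simulate(attack_rate: float, legit_rate: float, duration: float, capacity: int,
             timeout: float, syn_cookies: bool, rtt: float = 0.1) -> dict:
    """Discrete-event run: spoofed SYNs arrive at attack_rate per second and are never
    ACKed; legitimate SYNs arrive at legit_rate per second and ACK one rtt later if the
    server accepted their SYN. Returns counters describing how the backlog fared."""
    backlog = SynBacklog(capacity, timeout, syn_cookies)
    events = []   # (time, priority, kind, conn_id); ACKs sort before SYNs at equal times
    n_spoof = int(attack_rate * duration)
    for k in range(n_spoof):
        heapq.heappush(events, (k / attack_rate, 1, "syn", f"spoof-{k}"))
    n_legit = int(legit_rate * duration)
    for j in range(n_legit):
        heapq.heappush(events, (j / legit_rate, 2, "syn", f"legit-{j}"))
    peak = 0
    while events:
        t, _, kind, cid = heapq.heappop(events)
        if kind == "syn":
            if backlog.on_syn(t, cid) and cid.startswith("legit"):
                heapq.heappush(events, (t + rtt, 0, "ack", cid))   # the real client completes
        else:
            backlog.on_ack(t, cid)
        peak = max(peak, len(backlog.half_open))
    return {"legit_total": n_legit, "legit_accepted": backlog.accepted,
            "syn_dropped": backlog.dropped_syn, "expired": backlog.expired,
            "peak_half_open": peak}


if __name__ == "__main__":
    for cookies in (False, True):
        print("syn_cookies =", cookies,
              simulate(attack_rate=100, legit_rate=20, duration=10,
                       capacity=256, timeout=5.0, syn_cookies=cookies))
```

With a backlog of 256 entries, a five-second timeout and only 100 spoofed SYNs per second, the table fills in about two and a half seconds; from then on every freed slot is immediately retaken by the next spoofed SYN, so most of the 200 legitimate connection attempts are refused even though the attacker's bandwidth is a few kilobytes per second. With SYN cookies the server stores nothing until a real ACK arrives, the peak table size stays at zero and all 200 legitimate handshakes complete. The model ignores SYN-ACK retransmissions and the cost of the cookies themselves; it exists to show where the asymmetry the notes describe comes from.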

Volumetric / Amplification Attack

  • These attacks exploit a protocol where the response is significantly larger than the request, such as making a spoofed request to DNS
  • The attack is orchestrated by a single person or a small group
  • An amplification attack exploits a protocol data imbalance: a small amount of data is required to initiate a request, but a much larger amount is returned in response
  • The (comparatively small) botnet makes a large number of spoofed requests to DNS servers using the IP address of the application infrastructure as the source
  • The DNS servers respond to the spoofed IP, specifically the front-end servers for the application, which has the effect of overwhelming them with response data
  • This prevents legitimate customers from accessing the service.

Mitigation & Remediation for Botnet Attacks

  • The volume of data in each response to the front-end servers is higher than the initial query to DNS, and the servers are quickly overwhelmed
  • The attack means that legitimate application users experience degraded performance because they're competing for the total capacity of the application
  • The botnet does not have to consume the same amount of bandwidth as the application needs to tolerate
  • A tiny amount of bandwidth is needed to initiate the attack, but a large amount of bandwidth is consumed on the application server
  • DDoS attacks can't be combated with normal network protection due to the distributed nature of the attacks
  • It is not practical to implement single IP address blocks because of the large number of IPs that would need to be blocked
