Quadrant360 consulting

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: a term used everywhere, from gamers to business enterprises.

Denial-of-Service and Distributed Denial-of-Service attacks have become a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users.

Exploited machines can include computers and other devices, ranging from simple mobile devices to industrial IoT. At a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its destination.

In gaming, a DDoS attack impacts the availability or performance of a game by targeting it with more traffic than its servers can handle. An analogy for such an attack is a zombie apocalypse flooding the cities while necessities such as food and water are limited. Players struggle to connect to the servers, and the resulting poor performance of the game application harms the player experience.

DoS/DDoS attacks usually exploit vulnerabilities in the implementation of TCP/IP protocols or bugs in a specific OS.

Examples of DoS attacks

Overloading the victim’s system with traffic

Overloading the victim’s service with events

Crashing TCP/IP (Transmission Control Protocol / Internet Protocol) by sending corrupted packets

Forcing a system into an infinite loop

Causes/Damages

Excessive consumption of scarce and nonrenewable resources

Excessive consumption of bandwidth, disk space, CPU time or data structures

Physical alteration of network components

Destructive activities/events affecting files in a computer system

Explanation

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks flood the network with a high volume of traffic that consumes existing network resources, thus depriving legitimate users of those resources. Connectivity attacks flood a computer with a large number of connection requests, consuming all available resources of the operating system, so that the computer can no longer process other legitimate requests.

DoS attacks are a unique form of security breach that may or may not result in the theft of information. These attacks harm the target in terms of time and resources. Failure to prevent or protect against such attacks can result in the loss of a service such as SMTP (email) or the destruction of files containing millions of records.

The relationship between botnets and DoS

Attackers use bots to infect a large number of computers, which together form a network commonly referred to as a botnet. Having a botnet allows attackers to launch DDoS attacks, spread viruses and commit other types of crime effectively and efficiently without any tedious manual processes.

Coordination among the bots lets attackers run DoS attacks as automated tasks over the Internet.

Countermeasures

Countermeasure techniques for DoS attacks usually involve profiling, detection and analysis. Early detection is the best way to prevent a DoS attack from extending its infiltration into the system or network. However, network traffic detectors need to distinguish between a false positive and an actual DoS attack: traffic generated by a legitimate network user can always cause confusion or a false alert.

It is impossible, however, to inspect every data packet to check its source, since millions of network packets flow through the servers every second. All detection techniques in use today therefore rely on statistical analysis of deviations from normal behaviour to categorise traffic as malicious or genuine.

Three such techniques are:

Activity Profiling -> Profiling based on the average packet rate in the network traffic flow. Flows are grouped into clusters based on similar packet header information, such as the sender's IP address, ports and transport protocols used. An attack is usually indicated by an increase in activity levels among the network flow clusters or an increase in the overall number of distinct clusters.

Sequential Change-point Detection -> Filters network traffic by IP address, targeted port number and communication protocol used, and stores the traffic flow in a traffic flow rate/time graph. A drastic change in the traffic flow rate indicates that a DoS attack may be occurring. This detection is based on a change-point detection algorithm.

Wavelet-based Signal Analysis -> Analyses traffic in terms of frequencies. Since a network signal consists of a time-localised data packet flow, this filtering separates the anomalous traffic flow input signals from background noise. Normal network traffic is generally low-frequency; hence, during an attack, the high-frequency components of the signal increase.
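The first two of these techniques, as an added Python example that is not code from the original post: activity profiling that clusters flows by header fields and compares each cluster's packet rate against a baseline, and sequential change-point detection using a one-sided CUSUM statistic over the total packet rate. The flow records, the 3x factor and the CUSUM parameters are constructed for illustration.

```python
from collections import defaultdict
# Constructed flow records (second, source IP, destination port, protocol,
# packets): normal traffic, then a new high-volume source from second 3 on.
FLOWS = [
    (0, "10.0.0.5", 443, "tcp", 40), (0, "10.0.0.7", 53, "udp", 10),
    (1, "10.0.0.5", 443, "tcp", 42), (1, "10.0.0.7", 53, "udp", 11),
    (2, "10.0.0.5", 443, "tcp", 39), (2, "10.0.0.7", 53, "udp", 9),
    (3, "10.0.0.5", 443, "tcp", 41), (3, "198.51.100.9", 80, "tcp", 900),
    (4, "10.0.0.5", 443, "tcp", 40), (4, "198.51.100.9", 80, "tcp", 950),
    (5, "10.0.0.5", 443, "tcp", 38), (5, "198.51.100.9", 80, "tcp", 1000),
]

def cluster_rates(flows, start, end):
    """Average packets/second per (source IP, dest port, protocol) cluster
    over the window [start, end); end must be greater than start."""
    totals = defaultdict(int)
    for sec, src, dport, proto, pkts in flows:
        if start <= sec < end:
            totals[(src, dport, proto)] += pkts
    return {key: total / (end - start) for key, total in totals.items()}

def profile_anomalies(flows, baseline_end, window_end, factor=3.0):
    """Activity profiling: flag clusters whose current rate exceeds `factor`
    times their baseline rate, plus clusters that are new since the baseline."""
    baseline = cluster_rates(flows, 0, baseline_end)
    current = cluster_rates(flows, baseline_end, window_end)
    flagged = {}
    for key, rate in current.items():
        reference = baseline.get(key)
        if reference is None or rate > factor * reference:
            flagged[key] = rate
    return flagged

def packets_per_second(flows):
    """Total packet count per second, i.e. the flow-rate/time series."""
    totals = defaultdict(int)
    for sec, _src, _dport, _proto, pkts in flows:
        totals[sec] += pkts
    return [totals[s] for s in range(max(totals) + 1)]

def cusum_change_point(series, expected_mean, drift, threshold):
    """Sequential change-point detection (one-sided CUSUM): accumulate
    deviations above expected_mean less a drift allowance (so normal jitter
    does not build up); return the first index where the sum crosses threshold."""
    running = 0.0
    for index, value in enumerate(series):
        running = max(0.0, running + (value - expected_mean - drift))
        if running > threshold:
            return index
    return None
```

Run against the constructed flows, profiling flags the new source cluster at 950 packets/second and CUSUM reports the change point at second 3, while the three baseline seconds alone raise no alert.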

Countermeasure Strategies

Absorbing the Attack -> Use additional capacity to absorb the attack; this requires pre-planning and additional resources

Degrading Services -> Allow critical services to continue functioning while non-essential services are stopped and shut down

(Last Resort) Shutting Down -> Shutting down all services until the attack has subsided

Prevention

Egress Filtering — Scans the headers of IP packets leaving a network and ensures that unauthorized or malicious traffic never leaves the internal network.

Ingress Filtering — Usually used by Internet Service Providers (ISPs) to prevent source address spoofing of Internet traffic. This indirectly combats several types of net abuse by making Internet traffic traceable to its true source, so that the originator of any activity can be identified.

TCP Intercept — A traffic filtering feature in routers that protects TCP servers from SYN flooding attacks (a type of DoS attack).

Rate Limiting — Controlling the rate of outbound and inbound traffic on a network interface controller. This technique reduces the high-volume inbound traffic that constitutes a DDoS attack.
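Ingress filtering and rate limiting combined, as an added Python example that is not from the original post: each packet arriving on an edge link is first checked against the prefix the downstream network is entitled to originate, then passed through a per-source token bucket. The prefix, the packet stream and the bucket limits are constructed assumptions.

```python
import ipaddress

# Constructed prefix that the downstream customer network is allowed to
# originate traffic from; anything else arriving on that link is spoofed.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

def ingress_allowed(src_ip, allowed=ALLOWED_SOURCES):
    """Ingress filter: accept a packet only if its source address lies
    inside a prefix the sending network is entitled to originate."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)

class TokenBucket:
    """Per-source rate limiter: each source earns `rate` tokens per second
    up to `burst`, and every forwarded packet spends one token."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # source IP -> (tokens available, time of last update)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[src] = (tokens - 1, now)
            return True
        self.state[src] = (tokens, now)
        return False

def filter_packets(packets, bucket):
    """Run each (timestamp, source IP) packet through the ingress filter and
    then the rate limiter; return how many packets received each verdict."""
    verdicts = {"spoofed": 0, "rate_limited": 0, "forwarded": 0}
    for ts, src in packets:
        if not ingress_allowed(src):
            verdicts["spoofed"] += 1
        elif not bucket.allow(src, ts):
            verdicts["rate_limited"] += 1
        else:
            verdicts["forwarded"] += 1
    return verdicts

# Constructed packet stream: a well-behaved host sending one packet per second,
# one host emitting a burst of 50 packets within the same second, and two
# packets whose source addresses are outside the customer prefix.
PACKETS = (
    [(t, "203.0.113.10") for t in range(10)]
    + [(3, "203.0.113.77") for _ in range(50)]
    + [(4, "192.0.2.1"), (4, "10.0.0.9")]
)
```

With a bucket of 5 tokens/second and a burst of 10, the steady host is forwarded in full, the bursting host gets 10 packets through and 40 rate-limited, and the two out-of-prefix packets are dropped as spoofed without ever reaching the limiter.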

Post Attack Forensics

Traffic Pattern Analysis — Helps network administrators to develop new filtering techniques for preventing attack traffic from entering or leaving the network. Its output also helps in updating load balancing and throttling countermeasures to enhance their efficiency and protective ability.

Packet Traceback — Similar to reverse engineering: helps in identifying the true source of the attack and taking the necessary steps to block further attacks.

Event Log Analysis — Identifies the source of DoS traffic and helps network administrators recognise the type of DoS/DDoS attack, or the combination of attacks, used.

Conclusion

DoS attacks focus on reducing, restricting and limiting the accessibility of system resources to legitimate users. DDoS is more sophisticated, as it involves multiple compromised systems attacking the target to fulfil the same objectives as a DoS attack. Botnets are usually associated with DoS attacks because they are used to launch them, much as an airport runway or a rocket launch pad is used for launches. Detection techniques are based on identifying and discriminating illegitimate traffic increases and flash events from legitimate traffic packets.
