Denial of Service Attacks: DoS vs. DDoS

Feb Wed, 2019


Today, living in a digital world has become second nature, and as organizations continue to introduce new technologies to conduct business globally, they also expose more of that business to cyber threats and to attackers determined to disrupt it. Denial of service (DoS) and distributed denial of service (DDoS) attacks have been in use for at least the last two decades and remain one of the most common ways to knock an enterprise offline.

Difference Between DoS and DDoS Attacks

A DoS attack occurs when an attacker uses a single system to send massive volumes of traffic, typically TCP or User Datagram Protocol (UDP) packets, at an organization's server until it can no longer answer legitimate requests or crashes outright. A DDoS attack is a DoS attack launched from many systems and devices at once (commonly a botnet of compromised hosts), all aimed at the same target, in order to overwhelm its capacity and make it unavailable. Because the traffic arrives from many sources, a DDoS attack can exhaust a target more quickly and makes it much harder for the organization to determine where the attack originates or to block it by source address. The result of either attack can be degraded service, legitimate users unable to reach it, interruption of network traffic, or, at worst, a full outage of the networks, applications, or devices involved, taking the business offline with real financial consequences.


DDoS attacks are launched against organizations of every size and in every industry. In the table below, the Verizon 2018 Data Breach Investigations Report breaks down DoS patterns by industry, listing the number of security incidents versus confirmed data breaches attributed to denial of service attacks (DoS rarely exposes data, so incidents far outnumber breaches).


[Table: Verizon 2018 DBIR, denial of service incidents vs. breaches by industry]

Top 6 DoS and DDoS Attacks

Both DoS and DDoS attacks fall into three broad categories, distinguished by which resource they exhaust:

  1. Volume-based attacks: saturate the target's network bandwidth with raw traffic; their size is measured in bits per second.
  2. Protocol attacks: exhaust connection state or processing capacity in servers, firewalls, and load balancers by abusing how a protocol works; their size is measured in packets per second.
  3. Application layer attacks: tie up the application itself (web server workers, database queries) with requests that look legitimate; their size is measured in requests per second.

Within those categories, six attack types account for most of what attackers actually use:

  1. UDP Flood: a volume-based attack that floods random ports on a remote host with UDP packets. For each packet the host checks for an application listening on that port and, finding none, answers with an ICMP Destination Unreachable (port unreachable) message. Processing the packets and generating the replies consumes the host's CPU and bandwidth until legitimate clients can no longer get through.
  2. ICMP (Ping) Flood: overwhelms the target with ICMP Echo Request (ping) packets, usually as fast as the attacker can send them and without waiting for replies. The target spends bandwidth and CPU answering each one with an Echo Reply, so both inbound and outbound capacity are consumed and the network slows down or becomes unreachable.
  3. SYN Flood: a protocol attack in which the attacker sends a stream of TCP SYN packets to the target. The target replies to each with a SYN-ACK and allocates state for a half-open connection, but the attacker never sends the final ACK of the handshake (the source addresses are usually spoofed, so the SYN-ACKs go nowhere). The half-open connections fill the listen backlog until legitimate clients cannot connect; SYN cookies are the standard server-side defence.
  4. HTTP Flood: an application layer attack in which the attacker sends large numbers of well-formed HTTP GET or POST requests to a web server or application, often aimed at expensive pages or searches. Because the requests look legitimate, no malformed or spoofed packets are needed, and the attack costs the attacker far less bandwidth than it costs the server to process.
  5. Ping of Death (POD): just as the name suggests, the attacker sends malformed pings built from IP fragments that, once reassembled by the receiving host, exceed the maximum legal IP packet size of 65,535 bytes. Older operating systems overflowed a buffer during reassembly and crashed or rebooted. Modern IP stacks validate fragment offsets, so this is now largely a historical attack, but it is the classic example of a malformed-packet protocol attack.
  6. Slowloris: a highly targeted application layer attack that needs very little bandwidth to bring down a web server. The attacker opens many connections and sends partial HTTP requests, adding another header line every so often so that each connection stays open but never completes. Every one of them occupies a worker or connection slot until the server's pool is exhausted and it can accept no new connections.
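
As an added example (this is not code from the original post), the script below applies the symptoms described in items 1, 3 and 6 to a constructed packet summary: TCP connections that never complete the handshake for a SYN flood, ICMP port-unreachable replies leaving the target for a UDP flood, and HTTP header blocks that never terminate for Slowloris. The Pkt record format, the thresholds, the IP addresses and the sample traffic are all assumptions made for the demonstration; a real deployment would read flow records or a pcap and tune the thresholds to the site's normal baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One packet summary. Assumed format for this example, not a real capture format."""
    ts: float            # seconds since start of capture
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    icmp_type: int = -1  # 3 = destination unreachable, 8 = echo request
    payload: bytes = b""


def detect_syn_flood(pkts, target, min_half_open=50):
    """SYN flood symptom: SYNs to the target whose (src, sport) never sends the
    handshake-completing ACK. Returns (flagged, half_open_count)."""
    syn_seen, completed = set(), set()
    for p in pkts:
        if p.proto != "tcp" or p.dst != target:
            continue
        key = (p.src, p.sport)
        if p.flags == "S":
            syn_seen.add(key)
        elif p.flags == "A":
            completed.add(key)
    half_open = len(syn_seen - completed)
    return half_open >= min_half_open, half_open


def detect_udp_flood(pkts, target, min_unreachable=50):
    """UDP flood symptom: the target answering probes to closed ports with
    ICMP type 3 (destination/port unreachable). Returns (flagged, count)."""
    unreachable = sum(1 for p in pkts
                      if p.proto == "icmp" and p.src == target and p.icmp_type == 3)
    return unreachable >= min_unreachable, unreachable


def detect_slowloris(pkts, target, hold_secs=30, min_stalled=20):
    """Slowloris symptom: HTTP connections whose header block never ends with the
    blank line (CRLF CRLF) yet stay open longer than hold_secs.
    Returns (flagged, stalled_connection_count)."""
    buf, first, last = defaultdict(bytes), {}, {}
    for p in pkts:
        if p.proto != "tcp" or p.dst != target or p.dport != 80 or not p.payload:
            continue
        key = (p.src, p.sport)
        buf[key] += p.payload
        first.setdefault(key, p.ts)
        last[key] = p.ts
    stalled = [k for k, data in buf.items()
               if b"\r\n\r\n" not in data and last[k] - first[k] >= hold_secs]
    return len(stalled) >= min_stalled, len(stalled)


def classify(pkts, target):
    """Run every detector; returns {attack_name: (flagged, evidence_count)}."""
    return {"syn_flood": detect_syn_flood(pkts, target),
            "udp_flood": detect_udp_flood(pkts, target),
            "slowloris": detect_slowloris(pkts, target)}


def sample_capture(target="203.0.113.10"):
    """Constructed traffic (not a real capture): 200 spoofed SYNs that never
    complete, 5 legitimate handshakes, 80 UDP probes to closed ports with the
    target's ICMP replies, and 25 Slowloris connections held open for 60 s."""
    pkts = []
    for i in range(200):  # spoofed sources: SYN-ACKs go nowhere, no ACK ever comes
        pkts.append(Pkt(0.01 * i, f"198.51.100.{i % 250}", target, "tcp",
                        sport=40000 + i, dport=80, flags="S"))
    for i in range(5):    # legitimate clients complete the three-way handshake
        pkts.append(Pkt(1.0 + i, f"192.0.2.{i + 1}", target, "tcp",
                        sport=50000 + i, dport=80, flags="S"))
        pkts.append(Pkt(1.1 + i, f"192.0.2.{i + 1}", target, "tcp",
                        sport=50000 + i, dport=80, flags="A"))
    for i in range(80):   # UDP to random closed ports; the target replies ICMP type 3
        pkts.append(Pkt(2.0 + 0.01 * i, "198.51.100.7", target, "udp",
                        sport=5555, dport=1024 + i))
        pkts.append(Pkt(2.0 + 0.01 * i, target, "198.51.100.7", "icmp", icmp_type=3))
    for i in range(25):   # partial request, then one more header line a minute later
        pkts.append(Pkt(3.0, "198.51.100.200", target, "tcp", sport=60000 + i, dport=80,
                        payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n"))
        pkts.append(Pkt(63.0, "198.51.100.200", target, "tcp", sport=60000 + i, dport=80,
                        payload=b"X-a: b\r\n"))
    return pkts


if __name__ == "__main__":
    for name, (flagged, count) in classify(sample_capture(), "203.0.113.10").items():
        print(f"{name:10s} flagged={flagged} evidence={count}")
```

Running the script prints one line per detector. The thresholds are deliberately low so the constructed sample trips all three; in production they should come from a measured baseline, and the SYN check should also account for RST responses and for SYN cookies, which change what a half-open connection looks like on the server.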

In February 2018, the popular developer platform GitHub was hit by what was, at the time, the largest DDoS attack ever publicly reported, peaking at 1.35 terabits per second. GitHub reported that the traffic came from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints, and that the attacker used misconfigured, internet-exposed Memcached servers to amplify the attack: a small UDP request with a spoofed source address is sent to such a server, which answers the victim with a response tens of thousands of times larger. Below is a graph of the traffic level during the attack:


[Graph: inbound traffic to GitHub during the February 2018 DDoS attack, peaking at 1.35 Tbps]


For more information on how to protect your organization from DoS and DDoS attacks, contact our cybersecurity professionals at contactus@secuvant.com or 855-732-8826.