Narach Website Development and Design

DDoS ATTACKS: UNDERSTANDING THEM AND PREVENTION


DDoS stands for Distributed Denial of Service; a DoS (Denial of Service) attack is its smaller, single-source version. Such attacks can be seen as an act of desperation on the part of the perpetrator, because the system, network or website under attack is not itself compromised and its data remains intact. However, the temporary unavailability of the target causes inconvenience and annoyance to the legitimate users who want access to it for the duration of the attack.

It would probably be opportune to mention that, with the latest DDoS attack on WikiLeaks, such attacks may have gained mainstream status. The size, scale and sophistication of these multi-stage attacks have also increased in recent times, and some have disrupted the services of large financial institutions, delaying transactions and causing probable loss to them and their clients.

A DDoS attack, and its smaller version the DoS attack, is carried out to disable or considerably slow down a system, network or website by exhausting its resources and bandwidth, rendering it inaccessible to its legitimate users and clients. On a much smaller scale is the "session hijack", which is in a sense a temporary DoS at the user's end: the perpetrator becomes the man-in-the-middle between the server and the legitimate client and intercepts all traffic between the two. This in itself may have the grave consequence of identity theft.

Denial of Service attacks are of two types; namely,

The objective of such attacks is not to gain access to the targeted system, network, the machines on it or the website (so the system is not compromised and the data is safe), but to disable the target and render it inaccessible to its legitimate users. Such attacks may also disrupt connections between two machines. Basically, the system or network, or a specific part of it, is kept busy attempting to respond to a large number of requests it is unable to complete.

DDoS attacks are perpetrated with bots (robots) and botnets (robot networks), which are made up of compromised computer systems (hundreds or even thousands of them) that the attacker uses to launch attacks against their targets (or victims). Some attack methods the perpetrators may use are Ping of Death, SSPing, the LAND attack and WinNuke, amongst others; these particular ones are malformed-packet attacks that crash a vulnerable (mostly older Windows) TCP/IP stack with a handful of packets, rather than flooding it with volume.

A DDoS attack comprises three parts: the master (or attacker), the secondary targets (the compromised computer systems under the attacker's control) and the primary target (or victim).

In the first stage of the attack, the perpetrator compromises and takes control of weakly secured computer systems on various networks around the world and installs DDoS tools on them. These compromised systems are also referred to as slaves or zombies, and their owners and users usually do not even know that they have been hacked. In the second stage, the perpetrator directs the slave systems to attack the primary target (or victim).

Usually these attacks are Smurf and SYN flood attacks, and they may be mitigated by applying SYN cookies, blocks and tweaks to the system and network to be protected. A Smurf attack sends ICMP echo requests to a network's broadcast address with the victim's address forged as the source, so that every host on that network replies to the victim; it is blocked by disabling directed-broadcast forwarding on routers and configuring hosts not to answer broadcast pings. For a SYN flood on a Windows 2000 Server, the administrator would set the REG_DWORD value SynAttackProtect under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to 2. This delays the creation of a socket until the three-way handshake between the client and the server is completed, so forged SYNs that never complete the handshake do not tie up application resources.
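As an added illustration (not code from the original article), the following Python models the SYN cookies mentioned above: the server encodes a keyed hash of the connection's addresses and ports, plus a coarse timestamp, in the initial sequence number of its SYN-ACK, stores nothing, and creates a socket only when the client's ACK carries that value back. The secret key, the 64-second epoch, the MSS table and the addresses used in flood_demo are assumptions for the demonstration, and the scheme is a simplified version of the one used by Linux and BSD kernels, not the Windows SynAttackProtect mechanism.

```python
import hashlib
import hmac

# Assumptions for this toy model: a per-boot secret, a 64-second cookie epoch
# and a small table of MSS values the cookie can encode in 3 bits.
SECRET = b"per-boot-random-secret"
EPOCH = 64
MSS_TABLE = (536, 1220, 1440, 1460)
MAX_AGE = 2          # cookies older than this many epochs are rejected


def _mac(saddr, daddr, sport, dport, t):
    """24-bit keyed hash binding the cookie to the 4-tuple and the epoch."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Initial sequence number for the SYN-ACK: epoch(5b) | mss idx(3b) | mac(24b)."""
    t = (now // EPOCH) & 0x1F
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    idx = fits[-1] if fits else 0          # tiny MSS falls back to the smallest entry
    return (t << 27) | (idx << 24) | _mac(saddr, daddr, sport, dport, t)


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the client's ACK, which must equal cookie + 1. Returns the
    negotiated MSS on success, None for a forged, stale or mismatched ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    if (((now // EPOCH) - t) & 0x1F) > MAX_AGE:   # epoch counter wraps modulo 32
        return None
    expected = _mac(saddr, daddr, sport, dport, t)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


class CookieListener:
    """Server side of the handshake: a SYN allocates nothing; a socket is
    created only when a valid ACK arrives."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = []

    def on_syn(self, saddr, sport, mss, now):
        # Return the ISN for the SYN-ACK; deliberately no half-open table.
        return make_cookie(saddr, self.addr, sport, self.port, mss, now)

    def on_ack(self, saddr, sport, ack, now):
        mss = check_cookie(saddr, self.addr, sport, self.port, ack, now)
        if mss is None:
            return False
        self.established.append((saddr, sport, mss))
        return True


def flood_demo(spoofed=10_000, now=100_000):
    """Spoofed SYNs never return an ACK, so no state accumulates, while one
    genuine client still completes. Returns (sockets created, spoofed SYNs)."""
    srv = CookieListener("192.0.2.10", 80)          # assumed server address
    for i in range(spoofed):
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, 1460, now)  # forged sources
    isn = srv.on_syn("198.51.100.7", 40000, 1460, now)              # real client
    srv.on_ack("198.51.100.7", 40000, isn + 1, now + 1)
    return len(srv.established), spoofed


if __name__ == "__main__":
    print(flood_demo())
```

The price of statelessness is visible in the code: the server forgets the client's TCP options, so only an MSS from the small table survives, and a cookie is only as strong as the 24-bit MAC and the secret behind it. That is why real stacks switch cookies on only once the backlog fills, rather than using them for every connection.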

There are many ways in which DDoS attacks may be detected and prevented or stopped. Common measures include network ingress filtering (dropping packets whose source address could not legitimately arrive on that interface), black-holing traffic from identified sources, sink-holing traffic from identified sources so that it can be analysed, rate limiting network traffic, enabling an intrusion detection system and enabling a network tracing tool, amongst others.

It would be prudent to be aware that many computer systems are vulnerable to session hijacks and, by extension, to being enlisted as slave systems in a DDoS attack without the owner or administrator knowing about it. To prevent such misuse of their computer systems, owners and administrators must always use original and genuine software, use protected and encrypted connections such as IPsec, SSH and SSL/TLS for HTTPS, and disable remote access where it is not needed. Further, the operating system, all software (including anti-virus) and programs running on the computer must be kept up to date with the relevant security patches. Other measures include using encryption and secure protocols, limiting incoming connections and enabling strong authentication, amongst others.
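As an added example (not part of the original article), the following Python applies two of the measures above to constructed flow records: an edge ingress filter that drops packets claiming one of our own addresses or a bogon as their source, and a per-source SYN rate check that distinguishes a busy client that completes its handshakes from a flood source that never does, null-routing the latter. The prefixes, thresholds and sample records are assumptions made up for the demonstration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions for the demonstration: our own address space and a few
# non-routable (bogon) ranges that should never appear as a source on the
# Internet-facing edge.
OUR_PREFIXES = [ip_network("198.51.100.0/24")]
BOGONS = [ip_network(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                  "172.16.0.0/12", "192.168.0.0/16")]


def edge_ingress_check(src):
    """Ingress filtering at the Internet-facing edge: a packet arriving from
    outside must not claim one of our own addresses or a bogon as its source.
    Returns the drop reason, or None if the packet may pass."""
    ip = ip_address(src)
    if any(ip in p for p in OUR_PREFIXES):
        return "spoofed internal source"
    if any(ip in p for p in BOGONS):
        return "bogon source"
    return None


def classify_sources(records, window=1.0, limit=200):
    """records: (timestamp_seconds, src, flags) with flags 'S' for a bare SYN
    and 'A' for the client's handshake-completing ACK. A source sending more
    than `limit` bare SYNs in one window that never completes them is
    black-holed; one merely exceeding half the limit is rate-limited."""
    syns_in_window = Counter()
    syns, acks = Counter(), Counter()
    for ts, src, flags in records:
        if flags == "S":
            syns_in_window[(src, int(ts // window))] += 1
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    decisions = {}
    for (src, _), n in syns_in_window.items():
        half_open = syns[src] - acks[src]   # SYNs never followed by an ACK
        if n > limit and half_open > limit:
            decisions[src] = "blackhole"     # null-route: a pure flood source
        elif n > limit // 2:
            decisions.setdefault(src, "rate-limit")
    return decisions


def analyse(records):
    """Apply the ingress filter first, then the rate analysis on what remains."""
    decisions, kept = {}, []
    for rec in records:
        reason = edge_ingress_check(rec[1])
        if reason:
            decisions[rec[1]] = "drop: " + reason
        else:
            kept.append(rec)
    decisions.update(classify_sources(kept))
    return decisions


# Constructed sample traffic for the demonstration, not a real capture.
RECORDS = (
    [(0.00, "203.0.113.7", "S"), (0.05, "203.0.113.7", "A")]           # one normal client
    + [(0.3 + i * 0.001, "203.0.113.50", "S") for i in range(500)]   # 500 bare SYNs, no ACKs
    + [(0.4 + i * 0.004, "203.0.113.80", "S") for i in range(120)]   # busy client that
    + [(0.401 + i * 0.004, "203.0.113.80", "A") for i in range(120)] # completes every one
    + [(0.5, "198.51.100.9", "S"), (0.6, "10.1.2.3", "S")]           # forged sources
)

if __name__ == "__main__":
    for src, action in analyse(RECORDS).items():
        print(f"{src:15} {action}")
```

The ordering matters: filtering forged sources first keeps them out of the rate statistics, and the half-open count is what separates a legitimate burst (rate-limited, still served) from a flood that should be null-routed. Against a distributed attack each source may stay under the per-source limit, which is why the per-source view has to be paired with aggregate thresholds and upstream (ISP) filtering.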

It would only be fair to conclude that a better, more secure, robust and sustainable way to prevent and stop DDoS attacks will probably be found sometime in the future. The DDoS attacks are the symptom; the botnets are the problem.