
Defending from and Tracking DoS and DDoS attackers

Abstract

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are attacks in which one or several machines flood the ports of a target machine so that it can no longer use the network or network resources. These attacks have been a problem for users of any service, and especially for businesses that rely on providing online services. DoS attacks can be largely mitigated using DoS mitigation services, and some techniques may be used to uncover the source of the attacks.

Keywords: DoS; DDoS; DoS mitigation; DoS tracing;

Introduction

Denial of Service and Distributed Denial of Service attacks, more commonly referred to as DoS and DDoS attacks, are among the more common attacks anyone can face, ranging from attacks on company sites to attacks on people's personal computers, carried out for a wide range of reasons. They mostly work on the same basic principle: flooding the ports a device uses to connect to a network, rendering it unable to communicate. The difference between DoS and DDoS is evident from the name. A DoS attack comes from one machine sending superfluous requests to a target machine's ports so that legitimate requests cannot be fulfilled, while a DDoS attack can be traced back to multiple machines, usually a botnet, all simultaneously flooding a machine with requests. An example of a DDoS attack is one that occurred in February 2020, when a global botnet flooded Amazon Web Services with up to 17.2 million requests every second.

Types of attacks

DoS attacks can be categorised by the method of attack.[3]

  • Volume Based Attacks: Includes UDP floods, ICMP floods and other spoofed-packet floods. The goal is to saturate the bandwidth of the attacked machine. The magnitude of the attack is measured in bits per second (bps).
  • Protocol Attacks: Includes SYN floods, fragmented packet attacks and more. This type of attack relies on packet count rather than raw bit volume to consume server resources and disrupt firewalls and other intermediate communication equipment. As a result, these attacks are measured in packets per second (pps).
  • Application Layer Attacks: Includes low-and-slow attacks and GET/POST floods, among others. These attacks consist of requests, usually disguised to seem legitimate, that overload a server. These attacks are measured in requests per second (rps).

Common DoS attacks

  • UDP floods are attacks that flood a target with UDP packets. When the target checks for an application listening on a port that has received one of these packets and finds none, it replies with an ICMP Destination Unreachable packet; doing this for every packet leads to system slowdown.
  • ICMP floods are similar to UDP floods, but they use ICMP packets instead. The constant flood of incoming ICMP packets and the sending of ICMP Echo Reply packets consume both incoming and outgoing bandwidth.
  • SYN floods exploit the TCP handshake, in which a SYN is answered by a SYN-ACK, followed by an ACK from the initiator. In an attack, the attacker either never responds to the SYN-ACK or sends SYN requests from a spoofed IP address. In either case, the attack ties up all possible connections until no more can be made, resulting in a denial of service.
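The three floods above each leave a measurable trace in traffic statistics: volume floods in bits per second, protocol floods in packets per second, and SYN floods in the number of handshakes that were started but never completed. As an added illustration (example code written for this page, not taken from the cited sources), the following Python script builds a constructed packet capture containing one legitimate client, one SYN flooder and one UDP flooder, then flags sources whose traffic crosses a threshold. The server address, client addresses, packet sizes and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified packet record (no ports, no payload): enough to
# measure the three signals the text names -- bps, pps and unfinished handshakes.
@dataclass(frozen=True)
class Packet:
    ts: float                       # capture time in seconds
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    size: int                       # bytes on the wire
    flags: frozenset = frozenset()  # TCP flags; empty for udp/icmp

SERVER = "192.0.2.10"  # constructed address of the protected host

def rates_per_source(packets, target, window=1.0):
    """Peak packets/s and bits/s that each source sent to `target` in any
    `window`-second bucket. Volume and protocol floods show up here."""
    buckets = defaultdict(lambda: [0, 0])   # (src, bucket) -> [packets, bytes]
    for p in packets:
        if p.dst != target:
            continue
        key = (p.src, int(p.ts // window))
        buckets[key][0] += 1
        buckets[key][1] += p.size
    peak = {}
    for (src, _), (n, nbytes) in buckets.items():
        pps, bps = n / window, nbytes * 8 / window
        old = peak.get(src, (0.0, 0.0))
        peak[src] = (max(old[0], pps), max(old[1], bps))
    return peak

def half_open_per_source(packets, target):
    """SYNs sent to `target` minus the handshake-completing ACKs from the same
    source. Simplified: a real tracker keys on the full 4-tuple, not the source."""
    syns, acks = defaultdict(int), defaultdict(int)
    for p in packets:
        if p.proto != "tcp" or p.dst != target:
            continue
        if p.flags == frozenset({"SYN"}):
            syns[p.src] += 1
        elif p.flags == frozenset({"ACK"}):
            acks[p.src] += 1
    return {src: syns[src] - acks[src] for src in syns}

def flag_floods(packets, target, window=1.0, pps_threshold=100, half_open_threshold=50):
    """Return {src: [reasons]} for sources whose traffic crosses a threshold."""
    findings = defaultdict(list)
    for src, (pps, bps) in rates_per_source(packets, target, window).items():
        if pps >= pps_threshold:
            findings[src].append(f"flood: {pps:.0f} pps, {bps / 1e6:.2f} Mbps")
    for src, n in half_open_per_source(packets, target).items():
        if n >= half_open_threshold:
            findings[src].append(f"SYN flood: {n} half-open handshakes")
    return dict(findings)

def build_sample_capture():
    """Constructed capture: one legitimate client, one SYN flooder, one UDP flooder."""
    client, pkts = "10.0.0.5", []
    pkts.append(Packet(0.00, client, SERVER, "tcp", 60, frozenset({"SYN"})))
    pkts.append(Packet(0.01, SERVER, client, "tcp", 60, frozenset({"SYN", "ACK"})))
    pkts.append(Packet(0.02, client, SERVER, "tcp", 52, frozenset({"ACK"})))
    pkts.append(Packet(0.03, client, SERVER, "tcp", 400, frozenset({"ACK", "PSH"})))
    for i in range(150):   # SYNs that are never followed by an ACK
        pkts.append(Packet(0.1 + i * 0.005, "203.0.113.9", SERVER, "tcp", 60, frozenset({"SYN"})))
    for i in range(400):   # 400 x 1200-byte UDP datagrams inside one second
        pkts.append(Packet(0.2 + i * 0.001, "198.51.100.7", SERVER, "udp", 1200))
    return sorted(pkts, key=lambda p: p.ts)

if __name__ == "__main__":
    for src, reasons in flag_floods(build_sample_capture(), SERVER).items():
        print(src, "->", "; ".join(reasons))
```

Run stand-alone, the script reports the SYN flooder twice (150 pps and 150 half-open handshakes) and the UDP flooder once (400 pps, 3.84 Mbps), while the legitimate client, whose single SYN was matched by its ACK, is not reported. The same counters, fed from a NetFlow or packet capture export instead of the constructed list, are the detection step that the scrubbing methods described later depend on.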

DoS Mitigation

The motivation behind DoS attacks can range from ideological hacktivism to cyber warfare between rival enterprises.[3] Whatever the reason, DoS attacks disrupt communication and can cost companies hundreds if not millions of dollars. As DoS attacks become increasingly common, various strategies have emerged to mitigate that loss as much as possible. Apart from buying a DoS mitigation service, common strategies include:[5]

  • Protect the organisation's domain names by using registrar locking.
  • Ensure that 24/7 contact details are maintained for service providers, and vice versa.
  • Establish out-of-band contact details, such as a mobile phone number, for service providers to use if normal communication fails because of a DoS attack.
  • Partition critical online services, such as email, from other online services that are likely to be targeted (e.g. web hosting).
  • Prepare a static version of the website that requires minimal processing and bandwidth, to be served while under DoS attack.
  • Use cloud-based hosting with high bandwidth, preferably with multiple hosts for redundancy.

During an attack the advised countermeasures are:[5]

  • Contact the service provider about any immediate actions they may be able to take.
  • Transfer services to a cloud-based host; use of a firewall is strongly advised.
  • Disable any functionality of the online service that enables the current DoS attack.

Beyond these steps, which potential victims can take themselves, vendors offer DoS mitigation services that work with a variety of methods. These can be on-site for optimal response speed, cloud-based for scalability, or a hybrid of the two that combines the best of both worlds. The most common methods are:[2]

  • Clean Pipe protection involves scrubbing all incoming traffic in order to separate malicious traffic from legitimate traffic. This method requires a Border Gateway Protocol router and hardware for terminating GRE tunnels. Detection is also a must for this method, as without adequate detection the traffic will not be rerouted to the scrubbing centre. False positives and packet-based or application layer flood attacks are weaknesses of the Clean Pipe method.
  • Content Delivery Network dilution uses a system of distributed networks to serve content to users. With a CDN, bandwidth is much larger because many servers are involved and, more importantly, the origin server is not the one responding to requests, so it is much harder for a DoS attack to reach it. However, CDNs cannot be used for proprietary TCP/UDP applications, and some countries have blocked the IP addresses of popular CDNs, so users in those countries may not be able to access the content.
  • TCP/UDP proxies can be placed to work in a similar fashion to CDNs. Data packets are sent to the reverse proxy, which filters out malicious traffic. A large downside of this method is that the proxy presents a different source IP address, which is a vulnerability. It is also prone to false positives, like the Clean Pipe method.
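Both the Clean Pipe and the reverse-proxy method come down to the same decision, made per request or per packet: forward it or drop it, and both are said above to suffer from false positives. To make that decision and its failure mode concrete, the following is an added example (written for this page, not taken from the cited sources or any vendor's product) of a per-source token-bucket filter run over a constructed request log. The log format, the client and attacker addresses, and the two policies compared are all assumptions made for the example; a real scrubbing centre applies far richer signals than a single rate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class TokenBucket:
    """Classic token bucket: `rate` requests/s sustained, up to `burst` at once."""
    rate: float
    burst: float
    tokens: float = 0.0
    last: float = -1.0   # -1 means "no request seen yet"

    def allow(self, ts):
        if self.last < 0:
            self.tokens, self.last = self.burst, ts
        # refill for the time elapsed since the previous request, capped at burst
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

# Constructed log line shape: "<seconds> <source ip> <method> <path>"
LINE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+)$")

def parse_requests(lines):
    """Yield (ts, src, method, path) for well-formed lines; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m["ts"]), m["src"], m["method"], m["path"]

def scrub(lines, rate, burst):
    """Apply one token bucket per source; return {src: (forwarded, dropped)}.
    Buckets are independent, so the order of lines across sources does not matter."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(lambda: [0, 0])
    for ts, src, _method, _path in parse_requests(lines):
        counts[src][0 if buckets[src].allow(ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}

def build_sample_log():
    """Constructed request log: one real browser page load and one HTTP GET flood."""
    lines = []
    for i in range(20):    # page load: 20 sub-resources fetched 10 ms apart
        lines.append(f"{1000 + i * 0.01:.4f} 10.0.0.5 GET /static/asset{i}.js")
    for i in range(300):   # flood: 300 requests for / in under 0.1 s (over 3000 rps)
        lines.append(f"{1000 + i * 0.0003:.4f} 203.0.113.9 GET /")
    lines.append("garbage line that the parser must ignore")
    return lines

def compare_policies(lines):
    """A strict bucket (burst 5) versus one tuned for page loads (burst 30)."""
    strict = scrub(lines, rate=3, burst=5)
    tuned = scrub(lines, rate=3, burst=30)
    return strict, tuned

if __name__ == "__main__":
    for name, result in zip(("strict", "tuned"), compare_policies(build_sample_log())):
        for src, (ok, dropped) in sorted(result.items()):
            print(f"{name:6} {src:14} forwarded={ok:3} dropped={dropped:3}")
```

With the strict policy, the legitimate client's page load is itself treated as a flood: 15 of its 20 requests are dropped, which is exactly the false positive the text warns about. Raising the burst to 30 lets the whole page load through while still discarding 270 of the attacker's 300 requests; the sustained rate of 3 requests per second is what continues to hold the attacker down after the burst allowance is spent.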

Tracing DoS attacks

DoS and especially DDoS attacks can be very difficult to trace, especially if the attacker is experienced and knowledgeable on the subject; however, it is only human to make mistakes. In the case of a DoS attack the source is a single machine, and with a novice attacker IP traceback methods could be used to find the source and its geolocation; this is completely void, however, with experienced attackers who know how to spoof IP addresses. While DDoS is much more difficult to trace, IP traceback can still be used to locate the bots' IP addresses and locations, and potentially to identify the network providers of those bots. This is feasible with small botnets, but using this method on a botnet of ten thousand bots or more is hardly effective. With DDoS, a much more reliable method is forensics. DDoS attacks are commonly used to cover up a much more serious attack, which is also much easier to trace. In the case of botnets offered as a service, which can be found on the dark web, it is possible to trace the request to that service which started the attack, or even to follow the payment trail to find the buyer and/or seller of the service.[1]

Conclusion

Denial of Service is an ever-present threat in today's interconnected online world. While specialists have made large strides in techniques for mitigating and defending against DoS attacks, attackers have also improved their methods of attack. This is an ongoing arms race which will more than likely continue for the foreseeable future. Sadly, there is no centralised place to report such attacks, and victims are unlikely to report them in the first place, for financial reasons or for fear of harming their reputation, not to mention that network providers have to protect customer data. Hopefully, some day DoS attacks will be treated more seriously and an organisation will be created with the purpose of not only stopping attacks but also bringing the attackers to justice.

Literature

racfor_wiki/mrezna_forenzika/ddos_napadi.txt · Last modified: 2023/06/19 18:17 (external edit)