Understanding the Modern-day DoS Attacks Landscape

Fig. 1:  How Denial-of-Service (DoS) attacks work

DoS (Denial-of-Service) attacks were once the favorite weapon of hackers bent on disrupting the largest properties on the internet, then faded into near oblivion in favor of more financially motivated attacks. Hard to protect against and potentially expensive, a DoS attack could trigger outages of web sites and network services for organizations large and small.

Overview

DoS attacks can also be a lucrative source of criminal income: several groups use them to extort businesses for anywhere from hundreds of thousands to millions of dollars. In general, profit-oriented cyber-attacks required furtive, non-disruptive methods to achieve their objective of stealing valuable data, so during the intervening years DoS attacks were used mainly for extortion. In that setting, the attackers threaten to carry out a DoS attack unless a nominal fee is received by a certain deadline. Pay, and you get a complimentary “thank you” email; do not, and your business suffers the consequences.

How Do DoS Attacks Work?

A DoS is any type of cyber-attack in which the attackers try to stop legitimate users from accessing information or services. In a typical DoS attack, the attackers flood the network with excessive requests that ask the network or server to validate and confirm connections whose return addresses are invalid. The network or server cannot locate the return address when it sends out its verification reply, so it waits before ultimately closing the connection. When the connection is closed, the attacker sends more validation and confirmation requests, again with invalid return addresses. This back-and-forth sequence of validation, confirmation and server waiting repeats again and again, keeping the network or server busy. Tying up the resources of a network or service with excessive requests is among the most feared threats in the present-day cybersecurity environment.
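The waiting behaviour described above can be modelled directly. The following is an added illustration, not code from the article: a server that must hold an entry for every connection request it answers until the peer completes the exchange or a timeout expires. Requests carrying forged ("invalid return") addresses never complete, so each one pins down an entry for the full timeout; the simulation shows how the length of that wait decides whether legitimate clients still get through. The traffic, capacity and rates are all constructed in-process and nothing touches a network.

```python
"""Half-open connection table model (added illustration, not from the article).

Models a server that allocates state for every connection request and releases
it only when the peer completes the exchange or a timeout expires. Forged-source
requests never complete, so the server waits on each one; with enough of them
the table fills and legitimate users are refused. All traffic is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ConnectionTable:
    capacity: int           # maximum half-open entries the server will hold
    timeout: int            # seconds before an unanswered request is dropped
    pending: dict = field(default_factory=dict)   # conn_id -> arrival time
    refused: int = 0        # requests turned away because the table was full

    def expire(self, now):
        """Release entries whose peer never completed the exchange in time."""
        stale = [cid for cid, t in self.pending.items() if now - t >= self.timeout]
        for cid in stale:
            del self.pending[cid]

    def open(self, conn_id, now):
        """A connection request arrives; allocate state if there is room."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[conn_id] = now
        return True

    def complete(self, conn_id):
        """The peer answers the server's verification; its state is released."""
        return self.pending.pop(conn_id, None) is not None


def run_scenario(timeout, capacity=100, forged_per_second=20, seconds=60):
    """Replay one minute of constructed traffic against a fresh table.

    Each second, `forged_per_second` requests with forged return addresses
    arrive (they never complete), followed by one legitimate client that
    completes its exchange immediately. Returns how the legitimate clients
    fared and the peak amount of state the server had to hold.
    """
    table = ConnectionTable(capacity=capacity, timeout=timeout)
    legit_ok = legit_refused = peak_pending = 0
    for now in range(seconds):
        for i in range(forged_per_second):
            table.open(f"forged-{now}-{i}", now)   # never completed
        cid = f"legit-{now}"
        if table.open(cid, now):
            table.complete(cid)
            legit_ok += 1
        else:
            legit_refused += 1
        peak_pending = max(peak_pending, len(table.pending))
    return {"legit_ok": legit_ok, "legit_refused": legit_refused,
            "peak_pending": peak_pending, "refused_total": table.refused}


if __name__ == "__main__":
    for t in (30, 3):
        print(f"timeout={t}s", run_scenario(timeout=t))
```

With a 30-second wait the 100-entry table is full after five seconds and every later legitimate client is refused; with a 3-second wait the forged requests never hold more than 60 entries and all legitimate clients succeed. Note what does not help here: a per-source cap is useless because every forged request carries a different return address, which is why production stacks go further and defer allocating state until the client's reply actually arrives.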

Denial-of-service attacks do not just affect websites - individual home users can become victims too. Denial-of-service attacks can be difficult to distinguish from common network activity, but there are some indications that an attack is in progress.

Recent years have seen a significant resurgence of Denial-of-Service (DoS) attacks. Not only is this availability-threatening class of attack firmly back on the radar screens of today’s network and security teams, but the nature of the threat has changed significantly as well. Where the targets of these attacks were once only large Internet businesses, now every business, regardless of size or industry, is at risk. Moreover, detecting these attacks is becoming much harder than in the past, as stealthy, low-bandwidth application-layer variants that focus on wearing out backend resources join the familiar high-volume attacks aimed at flooding network links or knocking over vital network devices or services.

Returning with vengeance

DoS attacks have returned with a vengeance and with more intent than ever before. Where the targets were once limited to large properties on the Internet, today every business with a presence on the internet is a potential target. This development can be attributed foremost to DoS becoming a favored method for socially and politically motivated attacks, and they are admittedly an excellent fit for that purpose: the goal is no longer only valuable data, but the attention of the target and, even more important, of the public at large. A noteworthy by-product of these attacks was the release of free or low-cost toolkits for crafting DoS attacks; combined with easy access to botnets, they paved the way for the return of DoS attacks to the mainstream. They also shaped two attributes of the present DoS landscape that are especially important to acknowledge. First, low technical and financial barriers to entry mean that just about anybody can effectively execute a DoS attack these days. Second, and for the very same reasons, it is now easy to use DoS methods for financially motivated attacks as well, either by directly disrupting a competitor or by using a DoS as a diversion within a multi-vector attack ultimately meant to steal valuable information.

Understanding the DoS Landscape

Fig. 2: Understanding the DoS attack landscape | Source: https://spanning.com/

In a DoS attack, attackers attempt to hinder or stop a legitimate user from accessing information or services by targeting the user's computer and its network connection, or the computers and networks of the sites being used. The attacker may be able to prevent legitimate users from accessing email, online accounts (banking systems, other financial institutions, etc.), websites, or any other services that depend on the affected computer.

A hacker could use spam email messages to launch a similar attack on a user's email account. Every email account, whether supplied by an employer or by a free service such as Gmail, Hotmail, or Yahoo, is assigned a specific quota that limits the amount of data the account can hold at any given time. By sending many, or very large, email messages to the account, an attacker can use up the quota and stop the user from receiving further legitimate messages.

The most obvious type of DoS attack, and by far the most common, is when an attacker “floods” a network system with data. For example, by typing the URL of a website into a browser, a user sends a request to that site’s server to view a page. A server can only process a specified number of requests at once, so if an attacker overburdens the server with too many requests, it cannot process legitimate ones. This is called “Denial-of-Service” since the site cannot be accessed.

The Progression of DoS Attacks

Fig. 3: DoS attack asymmetry | Source: https://www.citrix.com/

Although its simplicity of execution has aided the return of DoS attacks, one major change in this comeback has an equally profound effect when it comes to protecting against them. Consistent with what has transpired across the threat landscape, DoS attacks are migrating up the computing stack. “Migrating” implies a departure from the place of origin, but it is more accurate to say that attackers are adding new tricks to their repertoire. The high-volume, noisy, network-centered DoS attacks are not going away anytime soon; they are instead being joined by a new breed of DoS attacks that work at the upper layers of the computing stack.

One major challenge organizations face with these newer attacks is that they often imitate legitimate sessions or transactions, a characteristic that allows them to pass unobstructed through a broad range of defenses, including firewalls and other general-purpose intrusion prevention systems. A second challenge is their increasingly asymmetric nature. Technically, this means that only a small number of application requests, or a negligible amount of bandwidth, is needed to trigger disproportionate consumption of backend resources. In practical terms, this again makes them harder to detect, since unexpected spikes in network traffic or transaction counts are no longer reliable indicators of their presence.

For all that has changed, DoS attacks remain focused on causing resource exhaustion somewhere in the end-to-end computing chain, whether on the network links, in the state tables of network devices and servers, or in the processing capacity of the application host. Keeping this fact in focus is crucial to assembling a successful DoS mitigation policy.

High-level mitigation policies for DoS

DoS mitigation policies fall into two general types, and within each type there are several options, each with its own pros and cons. The two types are customer premise-based devices and cloud-based service offerings.

Customer premise-based devices

The first DoS mitigation option in this category, and one that should quickly be set aside as a weak choice, is the enterprise firewall or intrusion prevention system. Fair enough, these devices frequently do include some DoS protection mechanisms, some more than others. However, those mechanisms are largely restricted to neutralizing network-layer DoS attacks and thus provide no protection against the more advanced variants. Worse, the need to closely track the state of the packets and flows passing through them makes these devices themselves vulnerable to DoS attacks.

The second option is a dedicated DoS mitigation appliance. While these normally offer a robust set of multi-layer DoS defenses, they have shortcomings too. To start with, dedicated DoS mitigation devices suffer the same limitation as every other customer premise-based solution: they are irrelevant if the attack saturates the Internet connection and stops traffic from reaching them in the first place. They are also likely to be susceptible to SSL-based attacks, which carry a heavy processing penalty, particularly in the absence of dedicated hardware for SSL termination and inspection. One other trade-off to think through is the extent to which a unique DoS prevention capability outweighs the need to purchase, deploy, and maintain yet another device at every Internet link of importance.

Cloud-based DoS mitigation service offerings

The key benefit of cloud-based DoS mitigation is that, unlike customer premise-based options, it can handle DoS attacks that aim to saturate the Internet bandwidth. The two offerings of this type, anti-DoS service providers and content delivery network (CDN) providers, both operate data centers provisioned with huge amounts of bandwidth, which inherently lets cloud-based mitigation cope better with volumetric attacks. Furthermore, both types of provider have on average made considerable investments in a wide assortment of DoS mitigation technologies, given that their businesses fundamentally rely on them.

Yet there are some noteworthy differences to be aware of, as well as potential shortcomings. These include the following.

● Although anti-DoS scrubbing centers can cover all of an enterprise’s traffic, they are not always on, because that would be too expensive. Instead, the customer switches traffic to them each time an attack is detected. This inherently makes them a poor option for higher-layer DoS attacks, which by design lack volume and are therefore not as easy to pinpoint when they happen.

● Coverage of higher-layer DoS attacks varies significantly between providers. To a certain extent this is inevitable, because no external provider will ever understand the attributes of an application better than you do yourself.

● Even though CDNs are an always-on solution, they are generally used only for a subset of an organization’s most important, client-facing sites and applications. Moreover, there are many ways attackers can go around or through the CDN itself, for instance by targeting the origin IP addresses directly or by submitting a deluge of requests that result in cache misses and must therefore be served by the origin infrastructure.
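Both the asymmetric application-layer traffic described under “The Progression of DoS Attacks” and the cache-miss deluge in the last bullet share a detection problem: raw request counts look unremarkable. The following added example, which is not code from the article or from any provider named on this page, profiles per-client backend cost from edge access logs instead. The log format, the field names and the sample lines are constructed for this illustration; the thresholds are assumptions to be tuned against real traffic.

```python
"""Per-client backend-cost profiling over CDN/edge access logs.

Added illustration, not code from the article. Flags two behaviours:
  (1) asymmetric cost: a client's share of origin processing time far exceeds
      its share of requests, so request counts alone stay unremarkable;
  (2) cache-miss flood: nearly all of a client's requests miss the edge cache
      and fall through to the origin infrastructure.
Log format and sample lines are constructed for this example.
"""
from collections import defaultdict

# Constructed log format (one request per line):
# <client_ip> <path> <status> <cache_state> <origin_ms>
# cache_state is HIT (served at the edge, origin_ms 0) or MISS (origin work).


def constructed_log():
    lines = []
    # Ten expensive search queries: few requests, heavy origin cost.
    for i in range(10):
        lines.append(f"203.0.113.5 /search?q=term{i}+deep 200 MISS 900")
    # An ordinary client: 40 requests, mostly cache hits.
    for i in range(40):
        if i % 10 == 0:
            lines.append(f"198.51.100.7 /catalog/item{i} 200 MISS 40")
        else:
            lines.append(f"198.51.100.7 /assets/img{i}.png 200 HIT 0")
    # Cache-busting query strings: every request misses and reaches the origin.
    for i in range(30):
        lines.append(f"192.0.2.9 /catalog?nocache={i} 200 MISS 60")
    return lines


def parse(lines):
    """Aggregate request count, origin time and cache misses per client."""
    stats = defaultdict(lambda: {"requests": 0, "origin_ms": 0, "misses": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole run
        ip, _path, _status, cache_state, origin_ms = parts
        s = stats[ip]
        s["requests"] += 1
        s["origin_ms"] += int(origin_ms)
        if cache_state == "MISS":
            s["misses"] += 1
    return stats


def flag_clients(stats, cost_ratio=3.0, cost_min_requests=5,
                 miss_ratio=0.9, miss_min_requests=20):
    """Return {client_ip: [reasons]} for clients matching either pattern.

    cost_ratio: how many times a client's cost share may exceed its request
    share before it counts as asymmetric. miss_ratio: fraction of misses that
    counts as cache-busting. The minimum-request floors keep single odd
    requests from raising alerts. All four thresholds are assumed values.
    """
    total_req = sum(s["requests"] for s in stats.values())
    total_ms = sum(s["origin_ms"] for s in stats.values())
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if total_req and total_ms and s["requests"] >= cost_min_requests:
            req_share = s["requests"] / total_req
            cost_share = s["origin_ms"] / total_ms
            if cost_share / req_share >= cost_ratio:
                reasons.append("asymmetric-cost")
        if s["requests"] >= miss_min_requests:
            if s["misses"] / s["requests"] >= miss_ratio:
                reasons.append("cache-miss-flood")
        if reasons:
            findings[ip] = reasons
    return findings


def analyse(lines=None):
    """Run the full pipeline; defaults to the constructed sample log."""
    return flag_clients(parse(constructed_log() if lines is None else lines))


if __name__ == "__main__":
    for ip, reasons in analyse().items():
        print(ip, ", ".join(reasons))
```

On the sample log the search client is flagged for asymmetric cost although it sent only a tenth of the requests, the cache-busting client is flagged on its miss ratio although each of its requests is cheap, and the ordinary client is left alone. The point of comparing cost share against request share, rather than thresholding either on its own, is exactly the one the text makes: a spike in volume is no longer the signal.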

Conclusion

The ideal approach, which is hardly surprising, is to follow a defense-in-depth policy that combines a cloud-based service and a customer-premise solution working in a complementary way. In view of the growing prevalence of application-layer attacks, a customer-premise solution, particularly an ADC, stands to offer the biggest impact per unit of capital investment, and is consequently the best place for most organizations to start. Investing in a DoS scrubbing service capable of foiling volumetric network attacks should not be far behind, especially if you are a high-profile target.

Previously a tactical point of control in many networks, the modern ADC (application delivery controller) represents a third, and often ideal, choice. Market-leading ADCs, such as NetScaler, bring together a wealth of DoS mitigation capabilities that address all layers of the computing stack. These even include protection against compute-intensive SSL-based DoS attacks, resulting in a solution that provides more substantial DoS coverage without the need to deploy an additional set of dedicated devices.

_______________

References:

Citrix | Citrix NetScaler: A Powerful Defense Against Denial of Service Attacks

US-CERT | Denial of Service Attacks

eSecurity Planet | How to Prevent DoS Attacks

Techopedia | Denial-of-Service Attack (DoS)
