What is DoS and DDoS?
What is Denial of Service exactly?
Denial of Service is just that: denial of service. To be a bit more
descriptive, Denial of Service is an accidental or purposeful attempt to
deny users access to resources. This can take the form of stealing
bandwidth, which is the most common form of attack; it can be in the form
of eating disk space, eating processor time, and various other kinds of
resource stealing. Oftentimes this is accidental. The Slashdot effect is
often an accidental denial of service. However, sometimes it is on
purpose: an attacker can launch software that will steal resources from a
target.
In a more general outlook, there are attacks called Land Attacks, where
an attacker sends traffic that causes a server or other target to attempt
to respond to itself. Eventually this fills the server's allocated
connection tables and it will not respond to any more requests. Other
attacks, such as the Ping of Death, eat up bandwidth until the target is
so saturated that it cannot respond any more. Typically a Ping of Death
involves IP spoofing. Many other attacks are out there and will eat up
other resources.
So what is a Distributed Denial of Service attack?
DDoS, or Distributed Denial of Service attack, is pretty
self-explanatory: it is a Denial of Service attack coming from multiple
directions. The Slashdot effect is a good example of a DDoS. The
above-mentioned attacks can also be DDoS attacks if multiple hosts are
involved. You'll typically see DDoS attacks from zombies, or computers
that have been infected with a piece of malware that allows them to be
controlled by an attacker. This is typical of botnets, or computers that
have been infected with malware that forces the computer to join an IRC
channel through which the attacker controls them. These computers can
then be directed to launch port scans against a target, be it a single
computer or a network, launch SYN floods, or whatever else the malware
author coded.
How does this affect web applications?
Typically a user of a web application will not see a DDoS. What they will
see instead is a DoS. This can come in several forms, but the most common
are registration flooding, search flooding, and post flooding. What makes
these types of attacks unique is that HTTP attacks require a 3-way
handshake. In other words, the IP address cannot be spoofed. This doesn't
mean that it cannot be masked (think proxies), but the 3-way handshake is
a component of the stateful TCP (Transmission Control Protocol). Without
going really low-level into networking protocols, the host must send a
packet saying "I'm here, I want to communicate with you", the target
(victim or not) will send a reply saying "Okay, I'm ready for you", and
then the host will reply saying "Okay, here comes the information." This
is the 3-way handshake.
Prevention methods, are they available?
Yes and no. Eventually a DoS or DDoS will win. There are mitigation
methods and countermeasures, however. On the lower networking levels
(layers 2 and 3, for those familiar with the OSI model) there are
mitigation methods. One method is routing the attack to a blackhole.
Another method is using QoS (Quality of Service). Another method is
tarpitting; tarpitting will only work for TCP and not for IP, however.
The average user will not have access to do this, however, even owners of
dedicated or colocated servers. Further up the OSI model, at the
application layer (say, phpBB), there is very little to be done. Some
possible mitigation methods are the use of Visual Confirmation (visual
Turing test, captcha, whatever name you like), ensuring users must
validate email addresses, or, better still, requiring the administrator
to validate an account. Apache has an anti-DoS module that can be used.
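As an added illustration, not part of the original article, of the point above that registration and search flooding can be keyed on the source IP because the TCP handshake prevents spoofing, here is a sliding-window detector run over constructed access-log lines. The paths /register and /search and the addresses are made up for the example, and the per-IP key is only as good as the proxy caveat above allows.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Apache common-log style), not real traffic:
# 203.0.113.7 hammers the registration form, 198.51.100.4 browses normally,
# 192.0.2.9 searches repeatedly but more than a minute apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /register HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET /search?q=dos HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:55:09 +0000] "GET /viewtopic?t=12 HTTP/1.1" 200 4096
192.0.2.9 - - [10/Oct/2023:13:50:00 +0000] "GET /search?q=land HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2023:13:51:01 +0000] "GET /search?q=ping HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, path without query string), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['path'].split('?', 1)[0]

def detect_flooding(log_text, limit=5, window_seconds=60):
    """Sliding-window counter keyed on (source IP, path): returns {(ip, path): peak}
    for sources that made more than `limit` requests to one path inside any
    `window_seconds` interval. Keying on the IP works because TCP stops spoofing."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:      # expire hits older than the window
            q.popleft()
        if len(q) > limit:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged
```

With the defaults, detect_flooding(SAMPLE_LOG) flags only the registration flood as {('203.0.113.7', '/register'): 6}; the slow searcher stays under the limit because its hits fall outside a single 60-second window.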
A DoS or DDoS will eventually become successful because the router or
other device will have its resources exhausted trying to mitigate the
attack and will fail. So either the owner of the device will have to take
it offline until the attack subsides, or the victim will be taken offline
by the attack.