Cyberattacks
DDoS (Distributed Denial of Service) Attacks
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the regular
functioning of a targeted server, service, or network by overwhelming it with a flood of traffic
from multiple sources. The goal of a DDoS attack is to make the targeted resource unavailable to
its intended users, causing downtime, slowdowns, or complete unresponsiveness.

The working process of DDoS attacks

Botnets: Attackers use a network of compromised computers, known as a botnet, to launch
the attack. These compromised computers are often infected with malware that allows the
attacker to control them remotely.

Traffic Flood: The attacker instructs the compromised computers to send a large volume of
traffic to the target. This flood of traffic can take various forms, including simple data packets,
connection requests, or even malicious payloads.

Overwhelm Resources: The massive influx of traffic overwhelms the target's resources,
such as bandwidth, processing power, memory, and network connections. As a result, the target
becomes unable to respond to legitimate requests from genuine users.

Service Disruption: With the target's resources exhausted, the service or server becomes
unavailable to legitimate users. This leads to downtime, loss of revenue, and potential damage
to the target's reputation.

Mitigation: Network administrators and security teams often use various strategies to
mitigate DDoS attacks. These may include filtering traffic to separate legitimate requests from
malicious ones, redistributing traffic across multiple servers, or relying on content delivery
networks (CDNs) that can absorb and manage traffic spikes.
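
The filtering step described above can be shown with a small per-source rate filter. This is an added example, not code from the original document: it replays constructed flow records (timestamp, source address, bytes) through a sliding-window counter and blocks any source that exceeds the packet threshold within the window. The window and threshold values are illustrative assumptions, not tuned numbers.

```python
from collections import deque, defaultdict

# Constructed sample flow records: (timestamp_seconds, source_ip, bytes).
# Two clients trickle requests; 10.9.9.9 sends a burst of 150 packets in 1.5 s.
SAMPLE_FLOWS = (
    [(t * 0.5, "192.0.2.10", 120) for t in range(8)]
    + [(t * 0.7, "192.0.2.11", 300) for t in range(6)]
    + [(0.2 + t * 0.01, "10.9.9.9", 60) for t in range(150)]
)

class RateFilter:
    """Sliding-window per-source rate limiter.

    A source is blocked once it sends more than `max_packets` within any
    `window` seconds. It keys on volume per source, so it catches a single
    noisy source but not a well-distributed botnet, which is why the text also
    mentions redistributing traffic and CDN absorption.
    """

    def __init__(self, window=1.0, max_packets=50):
        self.window = window
        self.max_packets = max_packets
        self.history = defaultdict(deque)   # source -> timestamps inside window
        self.blocked = set()

    def allow(self, ts, src):
        if src in self.blocked:
            return False
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire timestamps outside window
            q.popleft()
        if len(q) > self.max_packets:
            self.blocked.add(src)
            return False
        return True

def filter_flows(flows, window=1.0, max_packets=50):
    """Replay time-ordered flows; return (passed, dropped, blocked_sources)."""
    rf = RateFilter(window, max_packets)
    passed = dropped = 0
    for ts, src, _size in sorted(flows):
        if rf.allow(ts, src):
            passed += 1
        else:
            dropped += 1
    return passed, dropped, rf.blocked

if __name__ == "__main__":
    print(filter_flows(SAMPLE_FLOWS))
```
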

There are several types of DDoS attacks, each with different methods and objectives:

Volumetric Attacks: These attacks flood the target with an overwhelming amount of
traffic, aiming to saturate its network capacity. UDP floods and DNS amplification attacks fall
into this category.

TCP State Exhaustion Attacks: These attacks focus on consuming the available
connections or resources of a target's server, causing it to be unable to accept new connections.
SYN floods and ACK floods are examples of this type.

Application Layer Attacks: These attacks target the application layer of a service,
aiming to exhaust specific resources like CPU or memory. Examples include HTTP floods and
Slowloris attacks.

Protocol Attacks: These attacks exploit weaknesses in networking protocols, causing
disruption. For example, ICMP floods target the ICMP protocol used for network diagnostics.

Reflective/Amplification Attacks: These attacks exploit poorly configured servers to
amplify the traffic directed at the target. Examples include DNS amplification and NTP
amplification attacks.

UDP Floods: Attackers flood the target with a large volume of User Datagram Protocol
(UDP) packets, often from spoofed IP addresses, overwhelming the target's network.

ICMP Floods: Attackers flood the target with Internet Control Message Protocol (ICMP)
Echo Request packets, often referred to as "ping" requests.

TCP State Exhaustion Attacks:
SYN Floods: Attackers send a flood of TCP SYN packets to initiate connections but never
complete the three-way handshake, causing the target to exhaust its resources managing half-
open connections.

ACK Floods: Attackers send a flood of TCP ACK packets to consume the target's resources,
leading to resource exhaustion.
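
The half-open state that a SYN flood exhausts can be tracked from packet summaries. This is an added example, not code from the original document: it replays constructed tcpdump-like lines (the format, addresses and ports are assumptions), keeps per-connection handshake state, and reports sources holding an abnormal number of half-open connections.

```python
import re
from collections import defaultdict

# Constructed packet summaries in a tcpdump-like shape (sample data, not a real
# capture): "<ts> <src>:<sport> > <dst>:<dport> [<flags>]"; S = SYN, S. = SYN-ACK,
# . = ACK, R = RST. The listener is 203.0.113.5:443 (constructed address).
PACKET_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) \[(\S+)\]$")

def handshake(ts, client, cport, server="203.0.113.5", sport=443):
    """Three packets of a completed handshake (constructed sample)."""
    return [
        f"{ts:.3f} {client}:{cport} > {server}:{sport} [S]",
        f"{ts + 0.001:.3f} {server}:{sport} > {client}:{cport} [S.]",
        f"{ts + 0.002:.3f} {client}:{cport} > {server}:{sport} [.]",
    ]

SAMPLE_PACKETS = handshake(1.0, "192.0.2.10", 50000) + handshake(1.1, "192.0.2.11", 50001)
for i in range(30):  # one source opens 30 connections and never sends the final ACK
    port, ts = 40000 + i, 2.0 + i * 0.001
    SAMPLE_PACKETS.append(f"{ts:.3f} 198.51.100.7:{port} > 203.0.113.5:443 [S]")
    SAMPLE_PACKETS.append(f"{ts:.3f} 203.0.113.5:443 > 198.51.100.7:{port} [S.]")

def half_open_by_source(lines):
    """Replay packets and return {client_ip: half-open connection count}.

    A connection keyed on the client's 4-tuple is half-open from the client's
    SYN until that client sends the completing ACK (or a RST). The server's
    SYN-ACK does not change the state, which is why unanswered SYNs keep
    occupying the listener's backlog.
    """
    state = {}  # (client, cport, server, sport) -> "SYN" | "EST" | "CLOSED"
    for line in lines:
        m = PACKET_RE.match(line)
        if not m:
            continue
        _ts, src, sport, dst, dport, flags = m.groups()
        key = (src, sport, dst, dport)
        if flags == "S":
            state[key] = "SYN"
        elif flags in (".", "R") and state.get(key) == "SYN":
            state[key] = "EST" if flags == "." else "CLOSED"
    counts = defaultdict(int)
    for (client, _cp, _srv, _sp), st in state.items():
        if st == "SYN":
            counts[client] += 1
    return dict(counts)

def flag_syn_flood(lines, threshold=20):
    """Sources holding more than `threshold` half-open connections, sorted."""
    return sorted(src for src, n in half_open_by_source(lines).items() if n > threshold)
```
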

Application Layer Attacks:

HTTP Floods: Attackers send a high volume of seemingly legitimate HTTP requests,
overwhelming the target's web server and application layer resources.

Slowloris: Attackers initiate multiple slow and incomplete HTTP requests, keeping the
connections open and consuming server resources.

RUDY (R-U-Dead-Yet): Similar to Slowloris, RUDY sends slow and incomplete POST requests
to exhaust server resources.

HTTP POST Floods: Attackers send a large number of POST requests to overwhelm the
server's processing capacity.

HTTP GET/POST Floods: A combination of GET and POST requests targeting different
resources to exhaust both the network and server resources.

Amplification Attacks:
DNS Amplification: Attackers send small DNS queries with spoofed source IP addresses to
open resolvers, which then send large responses to the target, amplifying the attack.

NTP Amplification: Attackers exploit Network Time Protocol (NTP) servers that respond with
larger packets than the requests they receive, amplifying the attack.

SSDP Amplification: Attackers exploit Simple Service Discovery Protocol (SSDP) servers, often
used in home routers and IoT devices, to amplify traffic.

Memcached Amplification: Attackers abuse vulnerable Memcached servers to generate
massive traffic to the target.
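
From the victim's side, reflected amplification traffic has a telltale property: responses arrive that were never requested, because the attacker sent the queries with the victim's address spoofed as the source. This added example (not code from the original document) matches inbound DNS responses against the victim's own outgoing queries by peer and transaction id over constructed records, reports the peers delivering unsolicited bytes, and computes the bandwidth amplification factor for a given query/response size pair. Addresses, sizes and the record format are assumptions.

```python
from collections import defaultdict

# Constructed UDP/53 records as seen at a victim's network edge (sample data, not
# a real capture): (direction, peer_ip, dns_transaction_id, udp_payload_bytes).
# 192.0.2.53 is our own resolver; 198.51.100.x are open resolvers being used as
# reflectors (all addresses constructed).
SAMPLE_RECORDS = (
    [("out", "192.0.2.53", 0x1A2B, 45), ("in", "192.0.2.53", 0x1A2B, 120)]
    + [("in", "198.51.100.20", 0x7777, 3200)] * 5
    + [("in", "198.51.100.21", 0x4242, 3100)] * 3
    + [("in", "192.0.2.53", 0x0001, 80)]   # a stray late answer, small
)

def classify_responses(records):
    """Split inbound DNS responses into solicited and unsolicited.

    A response is solicited only if we sent a query to that peer with the same
    transaction id and have not yet seen its answer. Reflected traffic never
    matches, because the query was sent by the attacker, not by us.
    Returns (solicited_bytes, {peer: unsolicited_bytes}).
    """
    pending = set()
    solicited = 0
    unsolicited = defaultdict(int)
    for direction, peer, txid, size in records:
        if direction == "out":
            pending.add((peer, txid))
        elif (peer, txid) in pending:
            pending.discard((peer, txid))
            solicited += size
        else:
            unsolicited[peer] += size
    return solicited, dict(unsolicited)

def suspected_reflectors(records, min_bytes=1000):
    """Peers that delivered at least `min_bytes` of unsolicited responses, sorted."""
    _, unsolicited = classify_responses(records)
    return sorted(peer for peer, b in unsolicited.items() if b >= min_bytes)

def amplification_factor(query_bytes, response_bytes):
    """Bandwidth amplification factor: response size over the spoofed query size."""
    return response_bytes / query_bytes

if __name__ == "__main__":
    solicited, unsolicited = classify_responses(SAMPLE_RECORDS)
    print("solicited bytes:", solicited)
    for peer in suspected_reflectors(SAMPLE_RECORDS):
        # Assumes a 60-byte spoofed query per 3200-byte answer (constructed figure).
        print(peer, unsolicited[peer], "bytes, factor ~", round(amplification_factor(60, 3200), 1))
```
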

Protocol Exploitation Attacks:

Smurf Attack: Attackers send ICMP Echo Request packets with a victim's spoofed IP address
to broadcast networks, causing all devices to respond to the victim, overwhelming it.

Fraggle Attack: Similar to Smurf, Fraggle targets UDP services using IP broadcast addresses.

The Purpose Behind DDoS Attacks:

The main purpose of Distributed Denial of Service (DDoS) attacks is to disrupt the normal
functioning of a targeted system, service, or network by overwhelming it with a massive volume
of traffic. This disruption renders the target unable to handle legitimate user requests, causing
downtime, slowdowns, and unresponsiveness. The primary objectives of DDoS attacks can vary
based on the motivations of the attackers:

Financial Gain: Some DDoS attacks are launched with the intent of extorting money
from the target. Attackers may threaten to continue the attack unless a ransom is paid.

Hacktivism: Hacktivists launch DDoS attacks to promote a political or social message.
These attacks are meant to raise awareness or create inconvenience, rather than for financial
gain.

Competitive Advantage: Some attackers might target competitors' websites or
services to gain a competitive edge, especially during critical periods like product launches or
promotions.

Revenge: Individuals or groups might target specific organizations or individuals they have
personal grievances against, seeking to cause harm or disruption.

Disruption: DDoS attacks can be used to disrupt critical infrastructure, public services, or
high-profile events. For example, attacks might target government websites, news
organizations, or online services during major events.

Espionage: State-sponsored attackers might use DDoS attacks as a diversion tactic to
distract security teams while attempting more stealthy cyber espionage activities.

Testing and Experimentation: Some attackers might use DDoS attacks as a means
of testing security measures, vulnerabilities, and the resilience of networks and systems.

Distraction: DDoS attacks can serve as a diversion to draw attention away from other
cyberattacks, like data breaches or malware infiltrations.

Demonstration of Power: Some attackers launch DDoS attacks to showcase their
hacking skills or demonstrate their control over a botnet.
