Denial of Service Attack

Introduction
A denial of service (DoS) attack is a form of cyber attack used to significantly slow down or shut down a system or network. Attackers' reasons for using such an attack vary, and there are several techniques for executing one, but the outcome is ultimately significant losses for the victim. Hacktivists often use DoS attacks as a form of protest, usually targeted at organizations and governments over particular actions that some feel have a negative impact on society, or where some form of injustice is taking place. The hacking group Anonymous is well known for using this form of attack against its opponents on some occasions, often high-profile targets.

Types of Denial of Service Attacks
There are two main types of DoS attack: the standard denial of service attack and the distributed denial of service attack (DDoS).

Denial of Service Attack
This usually consists of one system attacking the target system, often by flooding it with packets and overloading it, rendering it almost inoperable for an indeterminate amount of time. It is commonly used against individual targets or small systems. An attacker would need a very powerful system in order to attack a large target system, which can become a very expensive endeavor for the attacker. For example, Facebook's servers are designed to handle immense amounts of traffic at a time, so an attacker using a single computer would not be able to launch a DoS attack on Facebook.

Distributed Denial of Service Attack
A DDoS attack is almost identical to a standard DoS attack, but it is more complex, is used to attack very powerful systems, and is significantly harder to withstand. For example, if an attacker wanted to bring down the servers of an organization like Facebook, a DDoS would have a better chance of achieving this. A DDoS often makes use of hundreds or thousands of zombie computers in a botnet to flood the targeted system or network. By using botnets, attackers can remotely use other computers worldwide to simultaneously send large and persistent amounts of network traffic to the target system, thereby overloading it and either slowing down or crashing its servers.

Between the two, the DDoS is more commonly used as attackers usually have no interest in individuals or small organizations, but instead target large corporations and government systems. Even if the attack is targeted at an individual, it is usually a high-profile person who is part of a large organization, and launching a DDoS against the organization results in higher losses and damages affecting the target individual.

Advanced Persistent DoS (APDoS)
Another type of DoS attack also exists, known as an advanced persistent DoS (APDoS). This type of attack is often associated with state-funded hackers, who are usually well funded, have access to very powerful resources and are highly skilled. This form of DoS attack can send millions of requests per second to a target system, which will effectively shut it down, and it can do the same to a service provider even if the provider uses DDoS mitigation policies and mechanisms. An APDoS can last several days, the longest on record being 38 consecutive days, during which the system was hit with over 50 petabits (over 6.5 million gigabytes) of traffic.

The First DoS Attack (1974)
The first recorded DoS attack was in 1974, when a student at University High School in Illinois was able to take down 31 terminals at the Computer-Based Education Research Laboratory (CERL). CERL was using a PLATO system which had a command called 'external' (or 'ext') that allowed communication with external devices connected to the terminals. However, if the command was run and no devices were connected, the terminal would crash and have to be rebooted. The student wrote a program that would run the 'ext' command on multiple terminals simultaneously, and when it was tested on the system, all 31 users' terminals crashed and had to be rebooted.

Morris Worm (1988)
One of the first large-scale DoS attacks can be attributed to the Morris Worm in 1988. Although the worm was not designed to be malicious or to trigger a DoS attack, it still brought down an estimated 10% of the internet worldwide. The initial idea behind the worm was to determine the actual size of the internet, but a coding mistake almost ground the internet to a halt and caused damages estimated at between $100 000 and $10 million.

DoS Battle (1990s)
In the late 1990s, Internet Relay Chat (IRC) was becoming a popular form of online communication. Non-registered channels would usually make the first person to log on to them the administrator, and users often fought over this administrative privilege. Hackers would flood the IRC channels, which would essentially kick all users off, and then quickly log on first to become the administrator.

First DDoS Attack (1999)
The first recorded DDoS attack took place in 1999 and was launched against the University of Minnesota. A tool called Trinoo was used, which made use of compromised systems, some called masters and others called daemons. The attacker sent instructions to the master systems, of which there were only a few, and these masters relayed the instructions to hundreds of daemons. This created a UDP flood that effectively brought down the university's network for two days. A total of 227 systems were rendered inoperable.

First High Profile DDoS Attack (2000)
One of the first high-profile DDoS attacks was that of a Canadian teenager, Michael Calce, in 2000. By using a botnet, he was able to effectively shut down major websites such as CNN, Amazon, FIFA, eBay, Dell and Yahoo!. The estimated damages caused by the DDoS attack were around $1.2 billion.

Attacking the Internet (2002)
As DDoS attacks became better understood and refined, attackers targeted larger and larger entities. Large corporations and government agencies were becoming popular targets; in 2002, however, some attackers targeted the internet's root Domain Name System (DNS) servers, which are vital as they translate web addresses into IP addresses. By taking down these servers, the internet would become useless unless the user already knew the website's IP address.

Increasing Complexity and Size (2006 - Present)
DDoS attacks have become more sophisticated over the years, with attackers now able to spoof their IP addresses, making it harder to identify the source of the attack. By this time the hacker group Anonymous was frequently using DDoS attacks for hacktivism and internet vigilantism, targeting large organizations, websites and government agencies worldwide.

The evolution of the Internet of Things (IoT) has made it much easier for attackers to launch bigger and more powerful DDoS attacks. The IoT essentially consists of any electronic device connected to the internet, one way or another. Before, attackers had to rely purely on computers for the botnets used to launch DDoS attacks. Now there have been cases where smartphones, security cameras, printers, smart TVs and even smart fridges have been part of a botnet responsible for DDoS attacks. This has allowed attackers to send record-breaking amounts of data to target systems to overload them and shut them down.

Methods of Attack
There is a wide range of attack methods that can be used to launch a DoS attack. The method chosen often depends on the target's system configuration, the security measures in place and the objective of the attack.

Application Layer Attacks
This attack is mainly directed at making applications inoperable and raising costs for the application's operator. A common technique used to achieve this is a buffer overflow attack. This method is used to try to fill up disk space and consume processing power, thereby slowing down the application or making it impossible for it to operate due to the lack of available resources.

The attacker can also flood the application's port with large amounts of traffic, thereby limiting the bandwidth and resources the application needs in order to work efficiently. In order to successfully flood an application, the attacker must have more bandwidth and stronger resources than the target, and in most cases this is where a botnet would be used.

Buffer Overflow Attack
This form of attack is one of the most commonly used to take down applications and networks. Essentially, the attacker sends more traffic to the network or application than the target is designed to handle. Ultimately, the memory and processing capacity of the system may become overloaded, resulting in a significant decline in performance or even a crash.

Degradation of Service Attack
The goal of this attack is to decrease server performance and response times; the server is not meant to crash as a result. Computers in a botnet send large amounts of traffic to the server in quick periodic bursts so that just enough flooding is created that the server slows down but continues to run. This type of attack can be difficult to detect, as the victim needs to try to prove whether they are genuinely under attack or there is simply an increase in user traffic.

Fork Bomb
This form of attack occurs when a process keeps replicating itself to the point where the target system's memory is used up and the system either slows down severely or crashes. A similar variant that has been seen is a malicious application continuously and rapidly opening the standard applications found on an operating system in order to use up the system's memory, quickly making it almost impossible for the victim to close the applications as they open.

HTTP POST DoS Attack
A POST request is an HTTP method that asks a web server to accept the information enclosed in the body of the request. This technique consists of sending a legitimate HTTP POST header, which includes the content length (the size) of the message body. The attacker then sends the body at an extremely slow rate. Since the request is legitimate, the server will wait until the entire declared content length has been received, which will take a very long time.

The attacker makes hundreds or thousands of these requests at a time to the target server, effectively hogging the resources used for receiving connections. This prevents legitimate connections from reaching the server until all of the attacker's connections have completed. What makes this attack unique is that it does not overload the server, so the victim still has enough bandwidth to use the server, but their connections will be unsuccessful. A large number of servers worldwide run Apache, which by default accepts request sizes of up to 2 gigabytes, meaning this attack can delay connections for very long periods of time.

Like a degradation of service attack, an HTTP POST attack can be difficult to distinguish from a simple spike in traffic. As the requests are legitimate and not altered in any way, this attack can easily bypass a number of security systems.
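The usual defence against the slow POST described above is a minimum data rate on request bodies rather than a fixed timeout. The following Python is an added example, not code from the article or from any web server; it models that rule (the idea behind Apache's mod_reqtimeout `body=<seconds>,MinRate=<bytes>` setting) and assumes a 20-second allowance, a 500-byte MinRate and constructed sample connections.

```python
# Added example, not the article's or any web server's own code. It models a
# minimum-data-rate rule for request bodies (the idea behind Apache's
# mod_reqtimeout "body=<seconds>,MinRate=<bytes>" setting): a connection gets
# `initial_timeout` seconds to deliver its body, extended by one second for
# every `min_rate` bytes actually received. The 20 s / 500 B values and the
# sample connections are constructed for the demo.
from dataclasses import dataclass


@dataclass
class BodyTransfer:
    peer: str            # client address (constructed values below)
    content_length: int  # bytes the POST header promised
    received: int        # body bytes received so far
    elapsed: float       # seconds since the headers arrived


def body_deadline(received, initial_timeout=20, min_rate=500):
    """Seconds the client has earned: base allowance plus 1 s per min_rate bytes."""
    return initial_timeout + received / min_rate


def should_close(t, initial_timeout=20, min_rate=500):
    """True when an unfinished body has fallen behind the minimum rate."""
    return (t.received < t.content_length
            and t.elapsed > body_deadline(t.received, initial_timeout, min_rate))


def projected_wait(t):
    """Seconds a server with no rate rule would keep waiting at the observed rate."""
    if t.received == 0:
        return float("inf")
    return (t.content_length - t.received) / (t.received / t.elapsed)


def triage(transfers):
    """Peers whose connections the rate rule would drop."""
    return [t.peer for t in transfers if should_close(t)]


# Constructed sample: one honest but slow upload and two trickling attackers
# that declared the 2 GB maximum body size mentioned in the article.
SAMPLE = [
    BodyTransfer("203.0.113.10", content_length=5_000_000, received=1_000_000, elapsed=60),
    BodyTransfer("198.51.100.7", content_length=2_000_000_000, received=30, elapsed=300),
    BodyTransfer("198.51.100.8", content_length=2_000_000_000, received=0, elapsed=120),
]
```

The honest upload has earned a 2020-second deadline and is left alone, while both trickling connections are past theirs within seconds; `projected_wait` shows that without the rule the first attacker's connection would be held open for centuries.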

ICMP Flood
The Internet Control Message Protocol (ICMP) is used to report errors to the source IP address of a packet when a network error prevents the IP packet from being delivered to its destination. Attackers make use of misconfigured network devices that can send large amounts of packets to all computers on the target network, with the source address made to appear as the target's IP address. This rapidly consumes the network's bandwidth and prevents legitimate packets from reaching their destination. This type of attack is also called a smurf attack.

Multi-Vector Attack
This type of DoS attack is often very complex to initiate and involves using multiple attack points and tools at once to bring down the target system or network. It can be extremely difficult to combat and mitigate because there are a number of different attack points, tools and affected resources at play in a single attack. In some cases it is possible for the mitigation systems or policies to fail if the attack is powerful enough.

Nuke
This type of DoS attack is quite dated and not used much anymore. It was carried out by sending corrupt ICMP packets to the target; by doing this continuously, the system would quickly slow down until it crashed. A nuke was often used against Windows 95 systems, causing the blue screen of death (BSOD) to be displayed.

Peer-to-Peer (P2P) Attack
In a P2P attack, the attacker redirects traffic from a P2P network to the target system. This does not require a botnet: the attacker simply instructs the computers of the P2P network to disconnect from their network and connect to the target system, which is not designed to handle high volumes of traffic and ultimately slows down or crashes.

Permanent DoS Attack
This is a type of DoS attack that has such a severe and damaging effect on its target that replacement or reinstallation of the damaged components is required. To achieve this, the attacker will most likely need to exploit a vulnerability that grants them remote administration of the target system and allows them to alter the interfaces of the system's hardware. This would allow the attacker to replace the hardware's firmware with their own modified or corrupt version, thereby preventing the hardware from working.

As a result, the hardware may need to have its firmware reinstalled or may have to be replaced. On rare occasions this altered firmware can physically destroy the hardware by driving it harder than it was designed for and eventually burning the component out. A PDoS attack is usually much less resource intensive and easier to perform than a traditional DoS or DDoS attack, with embedded devices being a particularly popular target.

Ping of Death
The ping of death is a simple technique where the attacker modifies an IP packet's size and sends it to the target system. The maximum size of an IP version 4 (IPv4) packet is 65 535 bytes, so when data larger than that is sent to a server, it is broken down into smaller packets (fragments) and reassembled at the destination address. The attacker's packet is a single packet with a size greater than 65 535 bytes, sent to the server. Because this exceeds the protocol's limit, the server often crashes and has to be rebooted.
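The fix that closed the ping of death in IP stacks was a bounds check during fragment reassembly. The Python below is an added example, not code from the article or from any operating system; it reassembles constructed fragment sets and rejects any whose offset plus length would exceed the 65 535-byte limit, assuming a 20-byte option-less header.

```python
# Added example, not from the original article: the bounds check a receiving
# IPv4 stack applies before reassembling fragments, so that a ping of death
# (fragments whose offset plus length lands beyond the 65 535-byte limit) is
# dropped instead of overrunning the reassembly buffer. All fragment values
# here are constructed; a 20-byte option-less header is assumed.
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65_535   # limit of the 16-bit total-length field, header included
IPV4_HDR_LEN = 20            # assumed header size (no options)
FRAG_UNIT = 8                # the 13-bit fragment offset counts 8-byte units


@dataclass
class Fragment:
    offset_units: int   # value of the fragment offset field
    more: bool          # MF ("more fragments") flag
    payload: bytes


def fragment_end(frag):
    """Byte position just past this fragment's data in the reassembled datagram."""
    return frag.offset_units * FRAG_UNIT + len(frag.payload)


def datagram_length(fragments):
    """Total datagram size implied by a fragment set, header included."""
    return IPV4_HDR_LEN + max(fragment_end(f) for f in fragments)


def reassemble(fragments):
    """Return the reassembled payload, or None if the set must be discarded."""
    if not fragments or datagram_length(fragments) > IPV4_MAX_DATAGRAM:
        return None                  # oversized: the ping-of-death case
    ordered = sorted(fragments, key=lambda f: f.offset_units)
    buf = bytearray()
    for frag in ordered:
        if frag.offset_units * FRAG_UNIT != len(buf):
            return None              # gap or overlap between fragments
        buf += frag.payload
    return None if ordered[-1].more else bytes(buf)


# Constructed samples: a normal 2000-byte ping split at a 1500-byte MTU, and a
# set whose final fragment is placed past the end of a maximum-size datagram.
NORMAL_PING = [
    Fragment(0, True, b"A" * 1480),
    Fragment(1480 // FRAG_UNIT, False, b"B" * 520),
]
OVERSIZED_PING = [
    Fragment(0, True, b"A" * 8),
    Fragment(8189, False, b"B" * 16),   # 8189 * 8 + 16 + 20 = 65 548 bytes
]
```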

Reflected Attack
This attack makes use of IP address spoofing to trick the target system. The attacker can make the source address appear the same as the target system's address, so when the target tries replying to these spoofed packets, it will end up flooding itself and grinding to a halt.

SYN Flood
SYN is short for synchronization and is a type of TCP packet involved in the three-way handshake. It is used to request a connection between two systems. The receiving system sends a SYN/ACK (where ACK stands for acknowledge) back to the requesting system, and finally the requesting system sends an ACK packet to complete the handshake.

The attacker sends thousands of SYN packets using forged source addresses that usually do not exist. This results in the target system opening half-open connections, and because the source addresses are fake, the handshakes can never be completed. As a result, the number of connections the server can hold open at one time is used up, preventing legitimate packets from establishing connections.
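On the defending host, the half-open connections described above are visible in the kernel's socket table. The Python below is an added example, not code from the article; it parses constructed text in the column layout of `ss -tan` and flags a port when SYN-RECV sockets occupy more than an assumed share of the listen backlog (the 128-entry backlog and 50% threshold are assumptions a site would tune).

```python
# Added example, not from the original article: spotting a SYN flood in the
# kernel's socket table. Input is constructed text in the column layout of
# `ss -tan`; the backlog size and flood threshold are assumptions.
from collections import Counter

SS_HEADER = "State     Recv-Q Send-Q Local Address:Port   Peer Address:Port"
SS_BASE = [
    "LISTEN    0      128    0.0.0.0:443          0.0.0.0:*",
    "ESTAB     0      0      10.0.0.5:443         203.0.113.10:50112",
    "ESTAB     0      0      10.0.0.5:443         203.0.113.11:50113",
    "TIME-WAIT 0      0      10.0.0.5:443         203.0.113.12:50114",
]


def make_sample(half_open):
    """Constructed snapshot with `half_open` SYN-RECV sockets on port 443, each
    from a different source that never answers, as a spoofed flood looks."""
    lines = [SS_HEADER] + SS_BASE
    for i in range(half_open):
        lines.append(f"SYN-RECV  0      0      10.0.0.5:443         192.0.2.{i % 250 + 1}:{40000 + i}")
    return "\n".join(lines)


def parse_ss(text):
    """Yield (state, local_port, peer_address) for each socket line."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]


def syn_flood_report(text, backlog=128, half_open_share=0.5):
    """Per local port: half-open vs established sockets, plus a flood verdict.

    A port is flagged when SYN-RECV sockets hold more than `half_open_share`
    of the listen backlog, the point at which new SYNs start being dropped.
    """
    half_open, estab, peers = Counter(), Counter(), {}
    for state, port, peer in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers.setdefault(port, set()).add(peer)
        elif state == "ESTAB":
            estab[port] += 1
    return {
        port: {
            "half_open": half_open[port],
            "established": estab[port],
            "distinct_syn_sources": len(peers.get(port, ())),
            "flood": half_open[port] > backlog * half_open_share,
        }
        for port in half_open.keys() | estab.keys()
    }
```

On a live Linux host the same report can be built from real `ss -tan` output, and enabling SYN cookies (`net.ipv4.tcp_syncookies=1`) lets the kernel answer SYNs without keeping half-open state at all.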

Notable Attacks
Over the years, there have been a number of high profile attacks that made news headlines. Below is a summarized list of some of these attacks.

BBC (2015)
The BBC was hit with a massive DDoS attack on New Year's Eve 2015. Its entire domain was shut down for three hours, with technical problems reported throughout the rest of the day. The rate of the attack was believed to be around 600 Gigabits per second (75 Gigabytes per second), however later reports claimed it was not.

Dyn (2016)
Dyn is the company responsible for running and controlling most of the internet's DNS infrastructure. On 21 October 2016, it was hit by a record-breaking DDoS attack that shut down its servers for almost an entire day. High-profile websites like Facebook, Twitter, CNN, Reddit, The Guardian and more were down as a result. The attackers made use of the famous Mirai botnet, which consists not only of compromised computers but also thousands of IoT devices. Around 100 000 devices were believed to have been involved in the botnet, which was able to send data at a rate of 1.2 Terabits per second (153.6 Gigabytes per second).

Pro-Democracy Websites (2014)
In 2014, a number of DDoS attacks were launched against pro-democracy websites in retaliation for the Occupy Central protests in Hong Kong. Several independent news websites were taken down after an attack recorded at 500 Gigabits per second (62.5 Gigabytes per second) overloaded their servers. These websites supported granting political voting rights to Hong Kong, and it is believed the Chinese were behind the attack.

OVH (2016)
The French hosting provider OVH fell victim to the largest DDoS attack in history (just before the attack on Dyn). It was believed that over 150 000 IoT devices were involved in the botnet, which reached a rate of 1 Terabit per second (128 Gigabytes per second).

Sony PlayStation Network (2011)
Sony has been the victim of a number of cyber attacks, but the DDoS attack of 2011 was one of the most costly to hit the company. It was believed that Anonymous was behind the attack, however the group denied it. The attack lasted two days, until Sony was forced to shut down the PlayStation Network for 23 days. It was also discovered that over 77 million users' details were exposed in the attack. The resulting damages totaled $1.2 billion.