DDoS is short for Distributed Denial of Service. A DDoS attack is a type of DoS attack in which many compromised systems, often infected with a Trojan or other bot malware, are used to target a single system and deny service to its users. The victims of a DDoS attack are therefore both the system being targeted and all the systems the attacker has compromised and is controlling to carry out the distributed attack.
How DDoS Attacks Work
In a DDoS attack, the traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This makes it impossible to stop the attack simply by blocking a single IP address, and it is very difficult to distinguish legitimate user traffic from attack traffic when the attack is spread across so many points of origin.
Steps of a DDoS attack using malware like Saposhi:
- Malware is released onto the internet with instructions programmed into it that direct it to take over as many internet-connected devices as possible.
- Depending on its programming, the malware turns the devices it infects into 'bots' and starts building a botnet.
- Malware like Reaper and Saposhi is able to identify weaknesses in devices and exploit them to turn the devices into bots.
- Once the botnet is large enough, all the bots are directed to flood a single server with requests at the same time, overwhelming it so that it can no longer serve its legitimate users; that is the Distributed Denial of Service attack.
- Depending on the size of the botnet, the operator can run several DDoS attacks at the same time or spread them out over a period of time.
The Difference Between DoS and DDoS Attacks
A Denial of Service (DoS) attack is different from a DDoS attack. The DoS attack typically uses one computer and one Internet connection to flood a targeted system or resource. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets.
Types of DDoS Attacks
There are many types of DDoS attacks. Common attacks include the following:
- Traffic attacks: traffic flooding attacks send a huge volume of TCP, UDP and ICMP packets to the target. Legitimate requests get lost in the flood, and these attacks may be accompanied by malware exploitation.
- Bandwidth attacks: this kind of DDoS attack overloads the target with massive amounts of junk data, consuming its network bandwidth and equipment resources and potentially leading to a complete denial of service.
- Application attacks: application-layer requests crafted to be expensive to handle deplete the resources of the application itself, leaving the target's services unavailable even when the network link is not saturated.
A US service provider suffered a 1.7Tbps attack.
Last week, the code repository GitHub was taken offline by a 1.35Tbps denial of service attack. Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case there were no outages, because the provider had adequate safeguards in place, but it is clear that Memcached amplification attacks are going to be a feature that network managers will have to take seriously from now on.
Memcached attacks are going to be this year’s thing.
Massive DDoS attacks are increasingly plaguing the internet, and the largest one recorded at the time of writing hit GitHub last week. That attack peaked at 1.35Tbps of incoming traffic and was made possible through the abuse of exposed Memcached servers rather than the usual botnet of compromised devices.
Memcached servers are in-memory caches designed to speed up applications and databases on an internal network and should never be reachable from the internet. But, as reported by Akamai, a DDoS mitigation provider, more than 50,000 such servers are currently exposed to the internet and therefore usable in an attack. By abusing those unsecured Memcached servers as reflectors, an attacker can massively amplify an attack and easily reach those alarming terabit levels of traffic.
Memcached attack method in detail.
The attack works by exploiting Memcached servers that have been left open to the public internet, listening on UDP, with no authentication requirements in place.
Here is how the amplification works: an attacker sends a small command to an open Memcached server and, in the UDP packet carrying that request, forges the source address to be the victim server's. Because UDP involves no handshake, the server cannot tell that the source is spoofed and fires its response back at the victim. That response is vastly larger than the request, roughly 50,000 times the amount of data the server received; in one observed case a 203-byte request produced a 100MB response. The exact factor depends on how much data the server holds for the requested keys and on how many keys are packed into a single request, and, well, you can see where this is going.
A small number of computers running Memcached insecurely can therefore be unwittingly turned into trebuchets lobbing huge boulders at unsuspecting services and websites.
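To make the arithmetic concrete, here is a model of that exchange written for this page; it is not code from the article, from the attack tools it mentions or from memcached itself. It packs requests and replies the way memcached's UDP frame does (an 8-byte header of request id, sequence number, datagram count and a reserved field, followed by the ASCII text protocol, with replies split into datagrams carrying at most 1400 bytes of payload), and it assumes the store already holds one value at the default 1MB item size limit, which an attacker would have planted beforehand with a set. The key name k and the request id are arbitrary choices. Nothing here touches a network; it only computes how large the reply to a given request would be, and it shows that repeating the same key inside one get is what drives the factor far beyond a single value's size:

```python
"""Model of memcached UDP amplification (added example, not from the article).

Protocol constants follow memcached: an 8-byte UDP frame header in front of
the text protocol, replies split into datagrams of at most 1400 payload bytes,
and a default maximum item size of 1MB.
"""
import math
import struct

UDP_HEADER_SIZE = 8          # memcached UDP frame header: id, seq, total, reserved
UDP_MAX_PAYLOAD = 1400       # memcached's UDP_MAX_PAYLOAD_SIZE
MAX_ITEM_SIZE = 1024 * 1024  # default item size limit (-I 1m)


def frame_header(request_id: int, seq: int, total: int) -> bytes:
    """Pack memcached's 8-byte UDP frame header (big-endian 16-bit fields)."""
    return struct.pack("!HHHH", request_id, seq, total, 0)


def to_datagrams(request_id: int, payload: bytes) -> list[bytes]:
    """Split one text-protocol message into memcached UDP datagrams."""
    total = max(1, math.ceil(len(payload) / UDP_MAX_PAYLOAD))
    return [
        frame_header(request_id, seq, total)
        + payload[seq * UDP_MAX_PAYLOAD:(seq + 1) * UDP_MAX_PAYLOAD]
        for seq in range(total)
    ]


def build_get(keys: list[str], request_id: int = 1) -> bytes:
    """A single-datagram 'get'; the same key may be listed many times."""
    command = "get " + " ".join(keys) + "\r\n"
    return frame_header(request_id, 0, 1) + command.encode()


def build_get_response(store: dict[str, bytes], keys: list[str],
                       request_id: int = 1) -> list[bytes]:
    """The reply memcached sends: one VALUE block per key hit, then END."""
    body = b""
    for key in keys:
        value = store.get(key)
        if value is not None:
            body += f"VALUE {key} 0 {len(value)}\r\n".encode() + value + b"\r\n"
    body += b"END\r\n"
    return to_datagrams(request_id, body)


def amplification(store: dict[str, bytes], keys: list[str]) -> tuple[int, int, float]:
    """Return (request_bytes, response_bytes, factor) for one 'get' request.

    With a spoofed source address, response_bytes is what lands on the victim.
    """
    request = build_get(keys)
    response = build_get_response(store, keys)
    req_len = len(request)
    resp_len = sum(len(d) for d in response)
    return req_len, resp_len, resp_len / req_len


if __name__ == "__main__":
    # Constructed store: a single value at the 1MB limit, assumed to have been
    # planted by the attacker with a prior 'set' (key name is arbitrary).
    store = {"k": b"A" * MAX_ITEM_SIZE}
    for keys in (["k"], ["k"] * 10):
        req, resp, factor = amplification(store, keys)
        print(f"{len(keys):2d} key(s): {req} B in -> {resp:,} B out (x{factor:,.0f})")
```

A 15-byte request for one 1MB value already comes back as 750 datagrams, and listing the same key ten times in a 33-byte request returns ten copies, which is why the published figures vary so widely: the factor is set by what the attacker has stored and how many keys fit in one datagram, not by a fixed property of the protocol.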
As it turns out, these attacks, while massive, are not too hard to mitigate once identified. The reflected traffic arrives with a UDP source port of 11211, Memcached's default, so you can block UDP traffic from that source port at the border, or have your upstream provider do it, as Akamai was able to. Operators of Memcached servers, for their part, should disable the UDP listener (memcached 1.5.6 ships with it disabled by default; older versions accept -U 0), bind the service to internal interfaces only and firewall port 11211 from the internet.
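For the defender's side, the following added example (not from the article or from any vendor's tooling) runs the check the mitigation above relies on over a handful of constructed flow records: unsolicited UDP traffic from source port 11211 toward an internal host is reflection, while a reply to a request that an internal host really sent is not. The whitespace-separated record layout, the addresses and the internal prefix 203.0.113. are all constructed for this example and are not any collector's real export format.

```python
"""Spotting reflected memcached traffic at the border (added example, not from the article).

Reflected amplification has a fixed shape: UDP, source port 11211 (memcached's
default), thousands of near-full-size datagrams, arriving at a host that never
sent a request to that server.  The record layout and all addresses below are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
INTERNAL_PREFIX = "203.0.113."   # assumed address range of the protected network

# Constructed flow records: proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7  11211 203.0.113.10 443   7490 10545895   # reflector 1 -> web server
udp 198.51.100.9  11211 203.0.113.10 80    7490 10545895   # reflector 2
udp 198.51.100.42 11211 203.0.113.10 53    7490 10545895   # reflector 3
udp 203.0.113.20  40001 198.51.100.7 11211 1    15         # a host that really asked ...
udp 198.51.100.7  11211 203.0.113.20 40001 1    37         # ... and its small, solicited reply
tcp 192.0.2.5     44123 203.0.113.10 443   12   4096       # ordinary HTTPS
udp 192.0.2.8     53    203.0.113.10 40000 1    120        # ordinary DNS reply
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed records above; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, sip, sport, dip, dport, pkts, nbytes = line.split()
        flows.append(Flow(proto, sip, int(sport), dip, int(dport), int(pkts), int(nbytes)))
    return flows


def reflected_memcached(flows: list[Flow]) -> list[Flow]:
    """Inbound UDP flows from port 11211 whose target never sent a request to that server.

    A reply counts as solicited only if the same internal host and port sent
    something to port 11211 on the same external address; everything else
    from that source port is reflection.
    """
    solicited = {
        (f.src_ip, f.src_port, f.dst_ip)
        for f in flows
        if f.proto == "udp"
        and f.dst_port == MEMCACHED_PORT
        and f.src_ip.startswith(INTERNAL_PREFIX)
    }
    return [
        f for f in flows
        if f.proto == "udp"
        and f.src_port == MEMCACHED_PORT
        and f.dst_ip.startswith(INTERNAL_PREFIX)
        and (f.dst_ip, f.dst_port, f.src_ip) not in solicited
    ]


def attack_summary(suspect: list[Flow]) -> dict[str, tuple[int, int, float]]:
    """Per victim: total bytes, number of distinct reflectors, mean bytes per datagram."""
    totals = defaultdict(lambda: [0, 0, set()])
    for f in suspect:
        entry = totals[f.dst_ip]
        entry[0] += f.nbytes
        entry[1] += f.packets
        entry[2].add(f.src_ip)
    return {
        victim: (nbytes, len(reflectors), nbytes / packets)
        for victim, (nbytes, packets, reflectors) in totals.items()
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for victim, (nbytes, reflectors, bpp) in attack_summary(reflected_memcached(flows)).items():
        print(f"{victim}: {nbytes:,} bytes from {reflectors} reflectors, {bpp:.0f} B/datagram")
```

On these records only the three unsolicited flows toward 203.0.113.10 are flagged; the solicited reply to 203.0.113.20 and the HTTPS and DNS flows are not. Once the pattern is confirmed, the border rule the text suggests is as simple as `iptables -A INPUT -p udp --sport 11211 -j DROP`, with the caveat that it also drops replies to any internal client that legitimately talks to a Memcached server across the border, a configuration that is itself worth removing.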
Code for the Memcached-based DDoS attack is now public on GitHub.
To make matters worse, tools for launching such attacks were made public on GitHub this week, enabling anyone to attempt the next record-setting terabit attack. The tools require only Python 3.x and a couple of modules, and they ship with a list of 17,000 IP addresses of unsecured Memcached servers.
CERT-In is short for Indian Computer Emergency Response Team. It is a central government body that deals with cyber attacks in India, and it said in a statement that it is monitoring the Saposhi malware. Saposhi is capable of taking over electronic devices and turning them into 'bots', which can then be used for any purpose, including a DDoS attack that, with enough firepower, can cripple entire industries.