DDoS Overview


DDoS is the abbreviation of Distributed Denial of Service. DDoS is a type of cyber-attack where multiple compromised systems will be used to target a single system (Network, Server, Application) causing a Denial of Service provided by the system targeted.

In 2014, the DDoS attack celebrated its 40th birthday. Born as an adventure work of a teenaged “computer geek,” DDoS attacks have grown in quantity and sophistication by now.

We all must remember that recently the Hacktivist Group Anonymous launched volume DDoS attacks on banks across the world which had shut down the official websites of a number of international banks. All the global hackers were invited by this Anonymous hacker group (Ghost Squad Hackers Group and Anonymous Intelligence Group) through their Facebook account to join in this massive DDoS attack launched by them against the Global Banking Sector. (https://www.facebook.com/events/964150270338381/).

The following is the summary of Kaspersky DDoS Intelligence Report for Q2 2016:

  • Resources in 70 countries were targeted by DDoS attacks in Q2 2016.

  • 4% of targeted resources were located in China.

  • China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.

  • The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days).

  • SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter.

  • In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.

DDoS Attacks Targeting Networks

DDoS attacks targeting networks will attempt to consume the network bandwidth by using a large volume of illegitimate traffic to saturate the company’s Internet pipe. These attacks, called network floods, are simple yet effective. Examples for these attacks are UDP Flood, ICMP Flood, IGMP Flood, Amplification Attacks.

DDoS Attacks Targeting Servers

Attacks that target servers will attempt to exhaust a server’s processing capabilities and memory, resulting in a denial of service condition. The attacker will exploit an existing vulnerability on the target server or a weakness in a communication protocol to cause the target server to become so busy handling illegitimate requests that it no longer has the resources to handle legitimate requests. “Server” most commonly refers to a Website or Web application server, but these DDoS attacks can also target firewalls and intrusion prevention systems.

TCP/IP Weaknesses

These attacks exploit the TCP/ IP protocol by exploiting some of its design weaknesses. They mostly will exploit the six control bits (or flags) of the TCP/IP protocol—SYN, ACK, RST, PSH, FIN and URG—in order to disrupt the normal mechanisms of TCP traffic. TCP/IP relies on a three-way handshake mechanism (SYN, SYN-ACK, ACK) where every request creates a half-open connection (SYN), a request for a reply (SYN-ACK), and then an acknowledgment of the reply (ACK).

DDoS Attacks attempting to exploit the TCP/IP protocol will send TCP packets in the wrong order, causing the target server to run out of computing resources as it attempts to understand such abnormal traffic.

SSL-Based Attacks

SSL-based DDoS attacks take many forms: targeting the SSL handshake mechanism, sending garbage data to the SSL server or abusing certain functions related to the SSL encryption key negotiation process. SSL-based attacks could also simply mean that the DDoS attack is launched over SSL-encrypted traffic, which makes it extremely difficult to identify.

DDoS Attacks Targeting Applications

Much like attacks targeting networks, DDoS attacks targeting applications will come in a variety of flavors, including floods and “low and slow” attacks. Low and slow approaches are particularly prominent, which will exploit the weaknesses in the HTTP protocol, which, as the most widely used application protocol on the Internet, is an attractive target for attackers. HTTP Flood and DNS Flood are the application oriented DDoS attacks.

Let us see below some of the controls to be considered that will help in preventing the occurrence of DDoS attacks:

  • Delay/ Reject suspected packets

  • Don’t let dark address packets past perimeter

  • Block unused protocols and ports

  • Limit the number of access per second per source IP

  • Limit numbers of concurrent connections per source IP

  • Filter foreign TCP packets

  • Do not forward packets with header anomalies

  • Keep unwanted guests away

  • Use specialized DDoS mitigation equipment

  • Apply software updates and patches in a timely manner to prevent buffer overflows and exploits of software vulnerabilities

  • Deploy IDS/IPS WHICH can predict and block DDoS attacks based on signature

  • Place Stateful inspection firewalls

  • Place Stateful SYN Proxy Mechanisms

  • Use layered filtering firewalls

  • Limit the number of SYNs per second per IP

  • Limit the number of SYNs per second per destination IP

  • Set ICMP flood SCREEN settings (thresholds) in the firewall

  • Set UDP flood SCREEN settings (thresholds) in the firewall

  • Apply rate limit with routers adjacent to the firewall and network perimeter

  • Remove large files placed in the website that are more vulnerable for DDoS attacks

  • Review and ensure that Web server isn’t configured for large number of open connections

  • Protect Domain Name System (DNS) - This is crucial and yet probably the most overlooked of all of the above recommendations. DNS is an extremely common target for DDoS attacks due to how critical the service is for Web availability. If a customer can’t resolve the IP address of our website (which is the job of DNS), that customer is not getting to our site no matter how much we have spent on our hosting. So protecting our DNS is a good DDoS mitigation strategy.

  • Set Optimal DNS TTLs - Time to live (TTL) is the value determining how long a piece of data is valid. In the DNS world, TTL limits how long our current DNS settings are cached with ISPs. This means that if our website’s TTL is set at three hours, other DNS servers won’t bother checking for a DNS update for our domain over that duration. Shorter TTLs can cause heavier loads on name servers because the DNS records must be updated more frequently, however, they allow for DNS changes to be propagated more rapidly. A low TTL equates to a faster reaction; this is the time it takes to get traffic routed through our solution. For example, if our TTL is set at three hours, then time-to-mitigation is the time it takes you to notice the attack plus three hours for TTL.

  • Black hole routing - Black hole routing an IP address or a range of IP addresses (i.e., intentionally causing packets coming from a specific IP address to be discarded rather than forwarded) can protect our resources from the ill effects of DDoS attacks.

  • Run the Least Amount of Services. Running the least amount of services on a machine helps minimize the chance of a successful DDoS attack.

  • Volume DDoS attacks can be detected by placing an on- premise DDoS protection device at the perimeter

  • Attacks based on true IPs masked by a CDN can be resolved by an enterprise web application firewall (WAF)

  • Load Test your web site on a periodic basis

  • Agree with the ISP on blocking the suspected IPs launching DDoS Attacks

  • Agree with the ISP on over-provisioning of bandwidth required for mitigating DDoS attacks

  • If possible, have an alternate ISP in place to support in attack period

About the Author:

Vimal has a progressive experience of 20 years in Banking & Financial Services, ICT, Oil & Gas, Aviation, Retail, Healthcare Sectors. He worked with clients in India, USA, UK, Far East and Middle East. Served four well-known companies - Deloitte, Microsoft, Philips, Accenture and Standard Chartered Bank.

As a subject matter expert in cyber security, Vimal has handled development, implementation and improvement of cyber security Architecture/Strategy/Plans, Cyber Security Governance, Cyber Risk Management, various Cyber Security Practices such as Data & Information Governance, Data Privacy, Information Security, Information Risk Management, Information Assurance, ICT Security Programs, Industrial IT Security (Such as SCADA Security),IOT Security, Healthcare Security Programs, Setting up & Managing Global SOC Operations, Managed Security Operations, Critical Infrastructure Protection, Incident Response, Penetration Testing, Red Teaming, Vulnerability & Threat Analysis, Malware Research, Digital Forensics, Cyber Crime & Digital Fraud Investigations, Vulnerability Management, Business Continuity & Disaster Recovery, Cyber Security Assurance, Cyber Security Solution Evaluations, Cyber Security Analytics, Management of ATMs, CCTVs and other Security Devices, Cyber Security Trainings and Security Transformation Projects focused on addressing variety of Cyber Security Risks

October 6, 2016


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023