DDoS, short for Distributed Denial of Service, is a type of DoS attack in which multiple compromised systems -- usually infected with a Trojan -- are used to target a single system and cause a Denial of Service (DoS) condition. The victims of a DDoS attack are both the end targeted system and all of the systems maliciously used and controlled by the hacker in the distributed attack.
According to this report on eSecurityPlanet, in a DDoS attack the incoming traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when it is spread across so many points of origin.
Distributed Denial of Service Attack (DDoS) Definition
A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.
Types of DoS Attacks
The most common type of Denial of Service attack involves flooding the target resource with external communication requests. This overload prevents the resource from responding to legitimate traffic, or slows its response so significantly that it is rendered effectively unavailable.
Resources targeted in a DoS attack can be a specific computer, a port or service on the targeted system, an entire network, a component of a given network, or any other system component. DoS attacks may also target human-system communications (e.g. disabling an alarm or printer), or human-response systems (e.g. disabling an important technician's phone or laptop).
DoS attacks can also target tangible system resources, such as computational resources (bandwidth, disk space, processor time); configuration information (routing information, etc.); state information (for example, unsolicited TCP session resetting). Moreover, a DoS attack can be designed to: execute malware that maxes out the processor, preventing usage; trigger errors in machine microcode or sequencing of instructions, forcing the computer into an unstable state; exploit operating system vulnerabilities to sap system resources; crash the operating system altogether.
The overriding similarity in these examples is that, as a result of the successful Denial of Service attack, the system in question no longer responds as it did before, and service is either denied or severely limited.
Sources of Denial of Service Attacks
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
Richard Clarke
DoS attacks are low-cost, and difficult to counter without the right tools. This makes them highly popular even for people with technical knowledge. In fact, DoS services are offered on some web sites starting at $50. These services have grown more and more sophisticated, and can effectively exploit application vulnerabilities and evade detection by firewalls.
According to market research, DoS attacks largely originate from people with a grudge or complaint against a web site or company, from competitors looking to increase market share by damaging commercial web availability, or from criminal elements that systematically extort web site owners by holding their assets for ransom.
Difference Between DoS and DDoS Attack
It is important to differentiate between Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
In a DoS attack, one computer and one Internet connection are used to flood a server with packets, with the aim of overloading the targeted server's bandwidth and resources.
A DDoS attack uses many devices and multiple Internet connections, often distributed globally, in what is referred to as a botnet. A DDoS attack is therefore much harder to deflect, simply because there is no single attacker to defend against: the targeted resource is flooded with requests from many hundreds or thousands of sources.
Types of DDoS Attacks
DDoS attacks can be divided into three types:
Volume Based Attacks - This type of attack includes UDP floods, ICMP floods, and other spoofed-packet floods. The goal of this DDoS attack is to saturate the bandwidth of the attacked site. The magnitude of a volume-based attack is usually measured in bits per second.
Protocol Attacks - This type of DDoS attack consumes the resources of either the servers themselves, or of intermediate communication equipment such as routers, load balancers and even some firewalls. Some examples of protocol attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. Protocol attacks are usually measured in packets per second.
Application Layer Attacks - Perhaps the most dangerous type of DDoS attack, application layer attacks are comprised of seemingly legitimate and innocent requests. The intent of these attacks is to crash the web server. Some examples of application layer attacks include Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. The magnitude of this type of attack is measured in requests per second.
Preventing Denial of Service Attacks
Rapid identification and response can prevent DoS attacks. The first challenge for any DoS protection scheme is to quickly and effectively identify incoming traffic as malicious. Once the flood of traffic is identified as a DoS attack, rather than, for example, a spike in legitimate site traffic, an effective response will generally involve setting up a scalable infrastructure to absorb the attack until the source is identified and blocked.
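As an added illustration of the three DDoS categories listed above and of the identification step just described (example code written for this page, not Incapsula's or the article's own), the following Python classifies constructed one-second traffic windows by the metric each category is measured in: bits per second for volume floods, packets per second (plus the share of bare SYN packets) for protocol floods, and requests per second for application layer floods. It also counts distinct sources, which is what separates a single-source DoS from a DDoS. The thresholds, the Flow record layout and the sample windows are assumptions chosen to keep the cases distinct; a real deployment tunes the thresholds from a measured baseline of normal traffic.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One source's traffic toward the protected host in a one-second window."""
    src_ip: str
    proto: str         # "UDP", "ICMP" or "TCP"
    packets: int
    nbytes: int
    syn_packets: int   # TCP packets carrying only the SYN flag (0 for non-TCP)
    requests: int      # complete HTTP requests (0 for non-HTTP traffic)


# Illustrative thresholds for a one-second window (assumptions for this
# example); a real deployment tunes them from a baseline of normal traffic.
BPS_THRESHOLD = 100_000_000    # volume floods are measured in bits per second
PPS_THRESHOLD = 100_000        # protocol floods in packets per second
SYN_RATIO_THRESHOLD = 0.9      # share of TCP packets that are bare SYNs
RPS_THRESHOLD = 5_000          # application floods in requests per second
DISTRIBUTED_SOURCES = 100      # at least this many distinct sources = DDoS


def summarize(flows, window_seconds=1.0):
    """Aggregate per-source flows into the rates each attack type is measured in."""
    tcp_packets = sum(f.packets for f in flows if f.proto == "TCP")
    syn_packets = sum(f.syn_packets for f in flows if f.proto == "TCP")
    per_source_rps = Counter()
    for f in flows:
        per_source_rps[f.src_ip] += f.requests
    return {
        "bps": sum(f.nbytes for f in flows) * 8 / window_seconds,
        "pps": sum(f.packets for f in flows) / window_seconds,
        "rps": sum(f.requests for f in flows) / window_seconds,
        "syn_ratio": syn_packets / tcp_packets if tcp_packets else 0.0,
        "sources": len({f.src_ip for f in flows}),
        "max_source_rps": max(per_source_rps.values(), default=0) / window_seconds,
    }


def classify(summary):
    """Map aggregate rates to the article's three categories, or 'normal'."""
    if summary["bps"] >= BPS_THRESHOLD:
        kind = "volume"
    elif summary["pps"] >= PPS_THRESHOLD or summary["syn_ratio"] >= SYN_RATIO_THRESHOLD:
        kind = "protocol"
    elif summary["rps"] >= RPS_THRESHOLD:
        kind = "application"
    else:
        return "normal"
    scope = "distributed" if summary["sources"] >= DISTRIBUTED_SOURCES else "single-source"
    return f"{scope} {kind} flood"


def ip(i):
    """Distinct constructed source addresses inside 10.0.0.0/8."""
    return f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}"


def window(name):
    """Constructed one-second windows (synthetic, not captured traffic)."""
    if name == "udp_flood":          # 500 bots, 300 x 1400-byte UDP packets each
        return [Flow(ip(i), "UDP", 300, 300 * 1400, 0, 0) for i in range(500)]
    if name == "syn_flood":          # 200 bots, 400 bare SYNs of 60 bytes each
        return [Flow(ip(i), "TCP", 400, 400 * 60, 400, 0) for i in range(200)]
    if name == "http_flood":         # 300 bots, 40 well-formed GET requests each
        return [Flow(ip(i), "TCP", 40, 40 * 500, 0, 40) for i in range(300)]
    if name == "flash_crowd":        # 2000 real visitors, 2 requests each
        return [Flow(ip(i), "TCP", 6, 6 * 600, 1, 2) for i in range(2000)]
    if name == "single_source_dos":  # one host, 200k x 1000-byte UDP packets
        return [Flow(ip(0), "UDP", 200_000, 200_000 * 1000, 0, 0)]
    raise ValueError(f"unknown window {name!r}")


def classify_window(name):
    """Convenience wrapper: build the named window, summarize it, classify it."""
    return classify(summarize(window(name)))


if __name__ == "__main__":
    for name in ("udp_flood", "syn_flood", "http_flood", "flash_crowd", "single_source_dos"):
        s = summarize(window(name))
        print(f"{name:18} {s['bps'] / 1e6:8.1f} Mbit/s {s['pps']:8.0f} pps "
              f"{s['rps']:6.0f} rps syn={s['syn_ratio']:.2f} "
              f"sources={s['sources']:5d} max/src={s['max_source_rps']:.0f} rps "
              f"-> {classify_window(name)}")
```

The flash_crowd window is the "spike in legitimate site traffic" case: two thousand real visitors produce the same packet rate as the HTTP flood, and it is the aggregate request rate and the SYN share, not the packet rate, that keep it classified as normal. The http_flood window shows the converse: every bot stays at 40 requests per second, so a per-source limit alone would not flag it, and the aggregate rate across sources is what identifies the flood.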
A specifically targeted DDoS attack is impossible to prevent, but there are excellent and effective tools that can help mitigate the impact of such an attack.
Mitigating DoS and DDoS Damage with Incapsula
Deployed in minutes without installing hardware or software, Incapsula's cloud-based DoS and DDoS Protection Service delivers immediate and comprehensive protection against DoS attacks, scaling on demand to counter multi-gigabyte malicious attacks.
Incapsula's DDoS Protection Service delivers complete defence against all types of DDoS threats, including network-based attacks like SYN or UDP floods, and application attacks. Incapsula also blocks more advanced attacks that exploit application and Web server vulnerabilities, like Slowloris.
Unlike appliance-based DDoS protection products, that are limited by the hosting provider bandwidth capacity, Incapsula's global network of scrubbing centres scales, on demand, to counter multi-gigabyte DDoS attacks. This ensures that the mitigation is applied outside of your network, allowing only filtered traffic to reach your hosts.
Incapsula's visitor identification technology differentiates legitimate website visitors (humans, search engines etc.) from automated or malicious clients, filtering them out while under a DDoS attack. In an Application Layer Attack scenario, where requests appear legitimate, this technology makes all the difference. Most DDoS protection services are based on techniques that are easy to evade and prone to false positives, like rate limiting or showing an annoying delay screen to every visitor. Incapsula can actually classify visitors - telling humans and bots apart by leveraging an extensive bot directory and bot identification technologies that let "good" bots in, while "bad" bots are kept out.
Incapsula protects websites using an extensive DDoS threat knowledge base, which includes new and emerging attack methods. This information is aggregated across the entire network to identify new attacks as they happen and to detect known malicious users. Based on this aggregated information, mitigation rules can be applied in real-time across all protected websites.
Thanks for the detailed explanation. Much appreciated!