
What is a denial of service attack?

When a denial of service (DoS) attack occurs, a computer or a network user is
unable to access resources like e-mail and the Internet. An attack can be
directed at an operating system or at the network.
In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an
attempt to make a machine or network resource unavailable to its intended users.
The basic types of DoS attack include:
1. Flooding the network to prevent legitimate network traffic
2. Disrupting the connections between two machines, thus preventing access to a service
3. Preventing a particular individual from accessing a service
4. Disrupting a service to a specific system or individual
5. Disrupting the state of information, such as resetting of TCP sessions

Some of the most common tools for initiating a Botnet DDoS attack are easily
downloaded from multiple online sources, and include:
SlowLoris
Especially dangerous to hosts running Apache, dhttpd, Tomcat and GoAhead
WebServer, Slowloris is a highly-targeted attack, enabling one web server to take
down another server, without affecting other services or ports on the target network.
Qslowloris
Uses Qt libraries to execute the methods used by Slowloris, offering a graphical user
interface that makes the program very easy to use.
Apache Killer
Utilizes an exploit in the Apache OS first discovered by a Google security engineer.
Apache Killer pings a server, tells the server to break up whatever file is transferred
into a vast number of tiny chunks, using the "range" variable. When the server tries
to comply with this request, it runs out of memory, or encounters other errors, and
crashes.
There are also many too

DDoS attacks can be broadly divided into three types:


Volume Based Attacks

Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack's
goal is to saturate the bandwidth of the attacked site, and magnitude is measured in
bits per second (bps).
Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and
more. This type of attack consumes actual server resources, or those of intermediate
communication equipment, such as firewalls and load balancers, and is measured in
Packets per second.
Application Layer Attacks
Includes Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache,
Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate
and innocent requests, the goal of these attacks is to crash the web server, and the
magnitude is measured in Requests per second.

Specific DDoS Attacks Types


Some specific and particularly popular and dangerous types of DDoS attacks
include:
UDP Flood
This DDoS attack leverages the User Datagram Protocol (UDP), a sessionless
networking protocol. This type of attack floods random ports on a remote host with
numerous UDP packets, causing the host to repeatedly check for the application
listening at that port, and (when no application is found) reply with an ICMP
Destination Unreachable packet. This process saps host resources, and can
ultimately lead to inaccessibility.
ICMP (Ping) Flood
Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target
resource with ICMP Echo Request (ping) packets, generally sending packets as fast
as possible without waiting for replies. This type of attack can consume both
outgoing and incoming bandwidth, since the victim's servers will often attempt to
respond with ICMP Echo Reply packets, resulting in a significant overall system
slowdown.
SYN Flood
A SYN flood DDoS attack exploits a known weakness in the TCP connection
sequence (the three-way handshake), wherein a SYN request to initiate a TCP
connection with a host must be answered by a SYN-ACK response from that host,
and then confirmed by an ACK response from the requester. In a SYN flood scenario,
the requester sends multiple SYN requests, but either does not respond to the host's
SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either
way, the host system continues to wait for acknowledgement for each of the
requests, binding resources until no new connections can be made, and ultimately
resulting in denial of service.
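The standard defence against the half-open exhaustion described above is SYN cookies: the server keeps no state for a SYN, encodes a keyed hash of the connection details into the sequence number of its SYN-ACK, and allocates a socket only when an ACK arrives carrying that value plus one. The following is an added example (not code from the original document or from Incapsula) that implements a simplified cookie and contrasts it with a fixed-size backlog; SECRET, the 64-second time slot and the addresses are constructed assumptions, and the MSS encoding of the real kernel scheme is omitted.

```python
import hashlib
import hmac
import time

# Constructed demonstration of SYN cookies. A cookie is the server's initial
# sequence number: high 8 bits carry a coarse time slot, low 24 bits a keyed
# hash over the 4-tuple, the slot and the client's ISN. Nothing is stored
# per SYN, so a flood of SYNs that never complete consumes no backlog.

SECRET = b"constructed-per-boot-secret"   # hypothetical; real stacks rotate this
TIME_SLOT_SECONDS = 64                    # coarse timestamp granularity in the cookie
MAX_AGE_SLOTS = 1                         # accept the current slot and the one before


def _slot(now):
    return int(now) // TIME_SLOT_SECONDS


def _hash24(src_ip, src_port, dst_ip, dst_port, slot, client_isn):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}|{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now=None):
    """Server ISN for the SYN-ACK: high 8 bits = time slot, low 24 bits = keyed hash."""
    slot = _slot(time.time() if now is None else now)
    return ((slot & 0xFF) << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, slot, client_isn)


def check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now=None):
    """Validate the final ACK of the handshake; ack_num must equal cookie + 1."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot_byte, h = cookie >> 24, cookie & 0xFFFFFF
    current = _slot(time.time() if now is None else now)
    for age in range(MAX_AGE_SLOTS + 1):
        slot = current - age
        if (slot & 0xFF) != slot_byte:
            continue
        expected = _hash24(src_ip, src_port, dst_ip, dst_port, slot, client_isn)
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return True
    return False


class StatefulListener:
    """Classic backlog: each SYN reserves an entry until its ACK arrives or it times out."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}

    def on_syn(self, key, client_isn):
        if len(self.half_open) >= self.backlog:
            return False          # backlog exhausted: this SYN is dropped
        self.half_open[key] = client_isn
        return True


def flood_comparison(flood_size=1000, backlog=128):
    """Constructed scenario: flood_size SYNs from spoofed sources that never ACK,
    then one legitimate client that completes the handshake."""
    stateful = StatefulListener(backlog)
    dropped = 0
    for i in range(flood_size):
        key = (f"198.51.100.{i % 254 + 1}", 1024 + i, "192.0.2.10", 80)
        if not stateful.on_syn(key, client_isn=i):
            dropped += 1
    # The cookie server answered every spoofed SYN without storing anything; the
    # ACKs never come, so nothing is consumed. The honest client still gets in.
    cookie = make_cookie("203.0.113.5", 51000, "192.0.2.10", 80, 777, now=1000)
    legit = check_cookie("203.0.113.5", 51000, "192.0.2.10", 80, 777, cookie + 1, now=1000)
    return {"stateful_dropped": dropped, "cookie_accepts_legit": legit}


if __name__ == "__main__":
    print(flood_comparison())
```

The time slot is what lets the server forget: a cookie older than one slot is simply refused, so a flooder gains nothing by replaying values it observed earlier.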
Ping of Death
A ping of death ("POD") attack involves the attacker sending multiple malformed or
malicious pings to a computer. The maximum packet length of an IP packet
(including header) is 65,535 bytes. However, the Data Link Layer usually poses limits
to the maximum frame size - for example 1500 bytes over an Ethernet network. In
this case, a large IP packet is split across multiple IP packets (known as fragments),
and the recipient host reassembles the IP fragments into the complete packet. In a
Ping of Death scenario, following malicious manipulation of fragment content, the
recipient ends up with an IP packet which is larger than 65,535 bytes when
reassembled. This can overflow memory buffers allocated for the packet, causing
denial of service for legitimate packets.
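The bug Ping of Death exploits is a reassembler that trusts fragment offsets and lengths. The following is an added example (not code from the original document) of a bounds-checked IPv4 reassembly buffer that rejects any fragment whose offset plus length would push the reassembled datagram past the 65,535-byte limit, before any buffer is touched, and also refuses overlapping fragments. The fragment sizes and the helper that splits a payload the way a sender would are constructed for the demonstration.

```python
IP_MAX_PACKET = 65535   # maximum IPv4 total length, header included
IP_HEADER_LEN = 20      # minimal IPv4 header; each fragment carries its own


class FragmentError(ValueError):
    pass


class ReassemblyBuffer:
    """Bounds-checked reassembly for one (src, dst, id, proto) datagram.
    Constructed defensive example: every fragment is validated against the
    IP maximum and against the fragments already held before it is stored."""

    def __init__(self):
        self.pieces = {}        # offset in bytes -> payload
        self.total_len = None   # known once the last fragment (MF=0) arrives
        self.received = 0

    def add(self, offset_units, more_fragments, payload):
        offset = offset_units * 8               # the offset field counts 8-byte units
        end = offset + len(payload)
        # The check a vulnerable stack lacked: header + reassembled payload may
        # never exceed the IP maximum, no matter what the fragment claims.
        if IP_HEADER_LEN + end > IP_MAX_PACKET:
            raise FragmentError(
                f"fragment would reassemble to {IP_HEADER_LEN + end} bytes (> {IP_MAX_PACKET})")
        if more_fragments and len(payload) % 8 != 0:
            raise FragmentError("non-final fragment payload must be a multiple of 8 bytes")
        if not more_fragments:
            if self.total_len is not None and self.total_len != end:
                raise FragmentError("conflicting last-fragment lengths")
            self.total_len = end
        elif self.total_len is not None and end > self.total_len:
            raise FragmentError("fragment extends past the final fragment")
        # Overlapping fragments are a classic evasion: refuse rather than merge.
        for start, data in self.pieces.items():
            if offset < start + len(data) and start < end:
                raise FragmentError("overlapping fragment")
        self.pieces[offset] = payload
        self.received += len(payload)

    def complete(self):
        return self.total_len is not None and self.received == self.total_len

    def datagram(self):
        if not self.complete():
            return None
        return b"".join(self.pieces[off] for off in sorted(self.pieces))


def fragment(payload, mtu_payload=1480):
    """Split a payload into (offset_units, more_fragments, chunk) as a sender on
    a 1500-byte Ethernet link would (1500 - 20 header = 1480 bytes per fragment)."""
    frags = []
    for off in range(0, len(payload), mtu_payload):
        chunk = payload[off:off + mtu_payload]
        frags.append((off // 8, off + len(chunk) < len(payload), chunk))
    return frags


def reassemble(frags):
    buf = ReassemblyBuffer()
    for off_units, mf, chunk in frags:
        buf.add(off_units, mf, chunk)
    return buf.datagram()


def ping_of_death_rejected():
    """Constructed malicious fragment set: a final fragment placed at byte offset
    65,512 so that the datagram would reassemble to 67,012 bytes."""
    buf = ReassemblyBuffer()
    buf.add(0, True, b"\x00" * 1480)
    try:
        buf.add(65512 // 8, False, b"\x00" * 1480)
    except FragmentError:
        return True
    return False
```

A legitimate datagram of the maximum legal size (65,515 bytes of payload plus the 20-byte header) still reassembles; one byte more is refused at the offending fragment.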
Slowloris
Slowloris is a highly-targeted attack, enabling one web server to take down another
server, without affecting other services or ports on the target network. Slowloris does
this by holding as many connections to the target web server open for as long as
possible. It accomplishes this by creating connections to the target server, but
sending only a partial request. Slowloris constantly sends more HTTP headers, but
never completes a request. The targeted server keeps each of these false
connections open. This eventually overflows the maximum concurrent connection
pool, and leads to denial of additional connections from legitimate clients.
NTP Amplification
In NTP Amplification attacks the perpetrator exploits publicly accessible Network
Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram
Protocol (UDP) traffic. In an NTP amplification attack, the query-to-response ratio is
anywhere between 1:20 and 1:200 or more. This means that any attacker that
obtains a list of open NTP servers (e.g., by using a tool like Metasploit or data from the
Open NTP Project) can easily generate a devastating high-bandwidth, high-volume
DDoS attack.
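The UDP flood, ICMP flood and NTP amplification attacks described above all leave recognisable traces in flow records: one source hitting many closed UDP ports on one host, the victim emitting ICMP port-unreachable messages in bursts, inbound echo requests at volume, and NTP responses arriving from servers the defended network never queried. The following is an added example (not code from the original document) that runs three such detectors over NetFlow-style records; the records, the 192.0.2.0/24 "our network" prefix and the thresholds are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed NetFlow-style records:
#   (timestamp_s, src, sport, dst, dport, proto, packets, bytes)
# For ICMP the two port fields carry the ICMP type and code instead.
OUR_NET = "192.0.2."      # hypothetical: the prefix we defend

FLOWS = [
    # Legitimate NTP exchange: our host asks a pool server and gets a same-size reply.
    (1, "192.0.2.10", 40000, "198.51.100.1", 123, "udp", 1, 76),
    (1, "198.51.100.1", 123, "192.0.2.10", 40000, "udp", 1, 76),
    # Inbound ICMP echo requests at volume: a ping flood against 192.0.2.30.
    (5, "198.51.100.77", 8, "192.0.2.30", 0, "icmp", 5000, 420000),
    # UDP port spray: one source hits 60 different ports on 192.0.2.30 ...
    *[(5, "198.51.100.99", 3000, "192.0.2.30", 1000 + p, "udp", 1, 60) for p in range(60)],
    # ... and the victim answers each closed port with ICMP type 3 code 3.
    (5, "192.0.2.30", 3, "198.51.100.99", 3, "icmp", 60, 3360),
    # Reflected NTP: large replies to 192.0.2.20 from servers it never queried.
    *[(9, f"203.0.113.{i}", 123, "192.0.2.20", 5000, "udp", 100, 48200) for i in range(1, 6)],
]


def detect_udp_port_spray(flows, window=10, min_ports=50):
    """Flag (src, dst) pairs whose UDP traffic touches many distinct destination
    ports on one of our hosts within a time window."""
    ports = defaultdict(set)
    for ts, src, sport, dst, dport, proto, pk, by in flows:
        if proto == "udp" and dst.startswith(OUR_NET):
            ports[(src, dst, ts // window)].add(dport)
    return sorted({(src, dst) for (src, dst, _), seen in ports.items() if len(seen) >= min_ports})


def detect_icmp_bursts(flows, min_pkts=50):
    """ICMP flows with many packets: inbound echo requests (ping flood), or one of
    our hosts emitting port-unreachable replies fast enough to betray a UDP spray."""
    hits = []
    for ts, src, sport, dst, dport, proto, pk, by in flows:
        if proto != "icmp" or pk < min_pkts:
            continue
        kind = {(8, 0): "echo-request flood", (3, 3): "port-unreachable burst"}.get(
            (sport, dport), f"icmp type {sport}")
        hits.append((src, dst, kind))
    return sorted(hits)


def detect_ntp_reflection(flows, min_ratio=10.0):
    """Inbound udp/123 traffic with no matching outbound query, or whose byte
    volume dwarfs what we sent, is reflected amplification aimed at us.
    Returns {(our_host, ntp_server): bytes_in / bytes_out}."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for ts, src, sport, dst, dport, proto, pk, by in flows:
        if proto != "udp":
            continue
        if src.startswith(OUR_NET) and dport == 123:
            sent[(src, dst)] += by
        elif dst.startswith(OUR_NET) and sport == 123:
            received[(dst, src)] += by
    suspects = {}
    for key, bytes_in in received.items():
        bytes_out = sent.get(key, 0)
        ratio = bytes_in / bytes_out if bytes_out else float("inf")
        if ratio >= min_ratio:
            suspects[key] = ratio
    return suspects


if __name__ == "__main__":
    print("udp port spray:", detect_udp_port_spray(FLOWS))
    print("icmp bursts:", detect_icmp_bursts(FLOWS))
    print("ntp reflection:", detect_ntp_reflection(FLOWS))
```

The ratio check in detect_ntp_reflection is the same quantity the text calls the query-to-response ratio, seen from the victim's side: a reply stream with no query behind it has an infinite ratio, and a 1:20 to 1:200 stream stands out against the 1:1 of an ordinary time sync.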
HTTP Flood
In an HTTP flood DDoS attack the attacker exploits seemingly legitimate HTTP GET or
POST requests to attack a web server or application. HTTP floods do not use
malformed packets, spoofing or reflection techniques, and require less bandwidth
than other attacks to bring down the targeted site or server. The attack is most
effective when it forces the server or application to allocate the maximum resources
possible in response to each single request.
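Because HTTP flood requests are well-formed, they are found in the web server's own access log rather than in packet anomalies: a client whose request rate in a short window is far above normal, and whose requests concentrate on the endpoints that cost the server the most, is the signature. The following is an added example (not code from the original document) that parses combined-format access log lines and flags such clients; the log lines, the list of "expensive" paths and the thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format, fields up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
EXPENSIVE = ("/search", "/api/report")   # hypothetical: the costliest endpoints on this site


def parse(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?")[0], "status": int(m["status"])}


def find_http_flooders(lines, window_s=10, max_requests=100, expensive_share=0.8):
    """Flag client IPs that (a) exceed max_requests in any window_s bucket or
    (b) direct at least expensive_share of a meaningful number of requests at
    the expensive endpoints. Returns {ip: [reasons]}."""
    counts = defaultdict(Counter)      # ip -> Counter of time buckets
    expensive, total = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        bucket = int(rec["ts"].timestamp()) // window_s
        counts[rec["ip"]][bucket] += 1
        total[rec["ip"]] += 1
        if rec["path"].startswith(EXPENSIVE):
            expensive[rec["ip"]] += 1
    findings = {}
    for ip, buckets in counts.items():
        peak = max(buckets.values())
        share = expensive[ip] / total[ip]
        reasons = []
        if peak > max_requests:
            reasons.append(f"{peak} requests in {window_s}s")
        if share >= expensive_share and total[ip] >= 20:
            reasons.append(f"{share:.0%} of requests hit expensive endpoints")
        if reasons:
            findings[ip] = reasons
    return findings


def make_line(ip, second, path, status=200):
    """Build one constructed combined-format line at base time + second."""
    ts = datetime(2014, 3, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} 5120'


# Constructed sample: one client fires 300 search requests in nine seconds,
# a normal visitor browses 15 pages over a minute, plus one unparseable line.
SAMPLE_LOG = (
    [make_line("198.51.100.42", i * 0.03, f"/search?q={i}") for i in range(300)]
    + [make_line("203.0.113.9", i * 4, ["/", "/about", "/search?q=hi"][i % 3]) for i in range(15)]
    + ["this line is not an access log entry"]
)


if __name__ == "__main__":
    for ip, reasons in find_http_flooders(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The rate check alone would also catch a busy proxy or crawler; the expensive-endpoint share is what separates a client deliberately forcing the server to do maximal work per request, which is the behaviour the text identifies as the most effective form of the attack.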
Zero-day DDoS Attacks
Zero-day attacks are simply unknown or new attacks, exploiting vulnerabilities for which no
patch has yet been released. The term is well-known amongst the members of the
hacker community, where the practice of trading Zero-day vulnerabilities has become
a popular activity.

Incapsula mitigates a massive HTTP flood: 690,000,000 DDoS requests from 180,000 botnet IPs.

Sources of DDoS Attacks


DDoS attacks are quickly becoming the most prevalent types of attacks, growing
rapidly in the past year in both number and volume, according to recent market
research. The trend is towards shorter attack duration, but bigger packet-per-second
attack volume, and the overall number of attacks reported has grown markedly, as
well.
During Q4-2011, one survey found 45% more DDoS attacks compared to the
parallel period of 2010, and over double the number of attacks observed during
Q3-2011. The average attack bandwidth observed during this period was 5.2 Gbps,
which is 148% higher than the previous quarter.
Another survey of DDoS attacks found that more than 40% of respondents
experienced attacks that exceeded 1 Gbps in bandwidth in 2013, and 13% were
targeted by at least one attack that exceeded 10 Gbps.
From a motivational perspective, recent research found that ideologically motivated
DDoS attacks are on the rise. The research also mentioned financial reasons (e.g.,
competitive feuds) as another common reason for such attacks.

LOIC (Low Orbit Ion Cannon): an "entry-level" DoS attack tool

Incapsula Solutions Mitigate DDoS Damage


Incapsula seamlessly and comprehensively protects web sites against all three types
of DDoS attacks, addressing each with a unique toolset and defense strategy:
Volume Based Attacks
Incapsula counters these attacks by absorbing them with a global network of
scrubbing centres that scale, on demand, to counter multi-gigabyte DDoS attacks.
Protocol Attacks
Incapsula mitigates this type of attack by blocking "bad" traffic before it even reaches
the site, leveraging visitor identification technology that differentiates between
legitimate website visitors (humans, search engines etc.) and automated or malicious
clients.
Application Layer Attacks
Incapsula mitigates Application Layer attacks by monitoring visitor behavior, blocking
known bad bots, and challenging suspicious or unrecognized entities with a JavaScript
test, a cookie challenge, and even CAPTCHAs.

Incapsula mitigates a 100 Gbps DDoS attack, one of the Internet's largest.

In all these scenarios, Incapsula applies its DDoS protection solutions outside of your
network, meaning that only filtered traffic reaches your hosts. Moreover, Incapsula
maintains an extensive DDoS threat knowledge base, which includes new and
emerging attack methods. This constantly-updated information is aggregated across
our entire network - identifying new threats as they emerge, detecting known
malicious users, and applying remedies in real-time across all Incapsula-protected
websites.
How do you avoid being part of the problem?
Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS
attack, but there are steps you can take to reduce the likelihood that an attacker will use
your computer to attack other computers:

Install and maintain anti-virus software (see Understanding Anti-Virus Software for
more information).
Install a firewall, and configure it to restrict traffic coming into and leaving your
computer (see Understanding Firewalls for more information).
Follow good security practices for distributing your email address (see Reducing
Spam for more information). Applying email filters may help you manage unwanted
traffic.

How do you know if an attack is happening?


Not all disruptions to service are the result of a denial-of-service attack. There may be
technical problems with a particular network, or system administrators may be
performing maintenance. However, the following symptoms could indicate a DoS or
DDoS attack:

unusually slow network performance (opening files or accessing websites)
unavailability of a particular website
inability to access any website
dramatic increase in the amount of spam you receive in your account

What do you do if you think you are experiencing an attack?


Even if you do correctly identify a DoS or DDoS attack, it is unlikely that you will be able
to determine the actual target or source of the attack. Contact the appropriate technical
professionals for assistance.

If you notice that you cannot access your own files or reach any external websites
from your work computer, contact your network administrators. This may indicate
that your computer or your organization's network is being attacked.
If you are having a similar experience on your home computer, consider
contacting your internet service provider (ISP). If there is a problem, the ISP might
be able to advise you of an appropriate course of action.
