Distributed DoS (DDoS) Attack


A distributed DoS (DDoS) attack uses multiple compromised Internet-connected hosts (a botnet) to disrupt the normal traffic of a server or service by overwhelming the target with traffic.

  • launched simultaneously by multiple hosts
  • types of DDoS attacks:
    • consume network bandwidth, denying it to legitimate hosts
    • cause resource exhaustion on hosts processing requests

Types of DDoS

DDoS Indicators

  • diagnosed by traffic spikes that have no legitimate explanation
  • usually can only be mitigated by providing high availability services
    • e.g., load balancing and cluster services
  • sometimes a stateful firewall can detect a DDoS attack and automatically block the source
    • but source addresses are often randomly spoofed, or the traffic is launched by bots, so per-source blocking alone is not enough

DDoS Mitigation

  • real-time analysis of log files to identify suspicious traffic and route it to a black hole or sinkhole
    • can automate this response
  • geolocation and IP reputation analysis can identify and block suspicious traffic
  • implement cloud-based protections for Internet-facing systems that inspect traffic before it reaches an org’s infrastructure
    • e.g., Cloudflare and Imperva
    • highly effective
    • org’s firewall is configured to allow traffic sources from the cloud provider only
    • public DNS records direct all requests to the cloud provider
      • traffic is then inspected and only passed to the org if legitimate
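Added example (not part of these notes): a small Python check that applies the indicators and the log-analysis mitigation above to web-server log lines. It flags time windows whose request count spikes far above the baseline of the other windows and, within those windows, lists the sources sending enough requests to be candidates for a black hole or sinkhole. Requests in a spiking window that cannot be pinned on any single heavy source are counted separately, which shows the spoofed-source caveat from the indicators section in numbers. The log format (Common Log Format), the 10-second window, the thresholds and every address in the constructed sample log are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 198.51.100.7 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 2326
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def bucket_by_window(events, window_s):
    """Map each fixed-size time window (epoch start) to a Counter of requests per source."""
    per_window = defaultdict(Counter)
    for e in events:
        epoch = int(e["ts"].timestamp())
        per_window[epoch - epoch % window_s][e["ip"]] += 1
    return per_window


def find_spikes(per_window, spike_factor, min_baseline):
    """Flag windows whose total exceeds spike_factor x the median of the other windows."""
    totals = {w: sum(c.values()) for w, c in per_window.items()}
    flagged = {}
    for w, total in totals.items():
        others = sorted(t for ww, t in totals.items() if ww != w)
        median = others[len(others) // 2] if others else 0
        baseline = max(median, min_baseline)  # never divide by zero on a quiet log
        if total > spike_factor * baseline:
            flagged[w] = total / baseline
    return flagged


def analyze(lines, window_s=10, spike_factor=5, min_baseline=1, per_source_threshold=5):
    """Run the indicator check and build a candidate sinkhole list.

    Sources at or above per_source_threshold requests in a spiking window are
    candidates for black-holing.  Requests from sources below the threshold are
    counted as 'unattributed': a flood spread over many spoofed addresses still
    shows up as a spike but yields few or no per-source candidates.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    per_window = bucket_by_window(events, window_s)
    spikes = find_spikes(per_window, spike_factor, min_baseline)
    sinkhole, unattributed = set(), 0
    for w in spikes:
        for ip, n in per_window[w].items():
            if n >= per_source_threshold:
                sinkhole.add(ip)
            else:
                unattributed += n
    return {
        "parsed": len(events),
        "spike_windows": [(datetime.fromtimestamp(w, timezone.utc).isoformat(), round(r, 1))
                          for w, r in sorted(spikes.items())],
        "sinkhole": sorted(sinkhole),
        "unattributed": unattributed,
    }


def clf_line(ip, ts, path="/index.html", status=200, size=2326):
    """Build one constructed CLF line (sample data only)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Constructed log: three quiet 10-second windows, then one flooded window.
    All addresses are documentation ranges (RFC 5737), not real traffic."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    legit = ["198.51.100.7", "203.0.113.21"]
    lines = []
    for w in range(3):                                   # baseline: 2 requests per window
        for i, ip in enumerate(legit):
            lines.append(clf_line(ip, t0 + timedelta(seconds=10 * w + 3 * i)))
    flood = t0 + timedelta(seconds=30)
    for i in range(10):                                  # 3 bots, 10 requests each
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(clf_line(ip, flood + timedelta(seconds=i)))
    for i in range(15):                                  # 15 one-off (spoofed-looking) sources
        lines.append(clf_line(f"192.0.2.{100 + i}", flood + timedelta(seconds=i % 10)))
    lines.append(clf_line(legit[0], flood + timedelta(seconds=4)))  # a legit request in the flood
    lines.append("garbage line that does not parse")    # exercises the parser's None path
    return lines


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed flood flagged; for real data, pass `open(path).read().splitlines()` to `analyze()` and tune the window and thresholds to the site's normal rate. The `unattributed` count is the part to watch: when it dominates, the sources are too spread out (or spoofed) for per-source blocking, and the upstream options above, such as sinkholing or cloud-based scrubbing, are the realistic response.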

Botnet

A botnet is a group of compromised hosts or devices that have been infected by a control program called a bot, which enables attackers to exploit the hosts to mount attacks.

  • aka zombies
  • can be used to launch DDoS and DRDoS (distributed reflected DoS) attacks
  • to establish a botnet,
    • threat actor will first compromise one or two machines to use for command & control (C&C)
    • C&C hosts are used to compromise hundreds or thousands of devices
      • by installing bots on them via automated exploits or successful phishing attacks
    • bot establishes a persistent remote-control channel with the C&C hosts
    • allows the threat actor to launch coordinated attacks using all the devices in the botnet
  • to compromise a host,
    • attacker must install malware that opens a backdoor remote connection
    • then use the malware to install bots and launch the attack at the same time
  • the network established between the handlers and the bots is called a command and control (C2 or C&C) network
  • can compromise IoT devices
    • create an Internet of Things botnet