DDoS Attack Patterns – Understanding Attacks on Cloud Environments – SCS-C02 Study Guide

DDoS Attack Patterns

There are many different DDoS attacks that can be used to achieve the end goal of disruption. The following subsections explain a few of these at a high level so that you understand the principles behind DDoS attacks.

Note

The exam will not test you on the different types of attacks and how they are initiated. This section was included as a foundation for the topic. More information on these topics is provided in the Further Reading section at the end of the chapter.

SYN floods

This type of attack takes advantage of the three-way handshake that is used to establish a connection between two hosts, as shown in the following diagram:

Figure 3.3: A SYN flood attack

This attack is named a SYN flood because a massive number of connection attempts are made simultaneously to the attacked host (these being the SYN packets shown in the diagram). In its attempt to establish each incoming connection, the host responds with a SYN/ACK packet. To complete the handshake, the sender would normally reply with a final ACK packet; in a SYN flood, that ACK is never sent. As a result, the host is left holding many half-open connections, each of which ties up state and resources while it waits. This, in turn, leaves minimal resources available to process legitimate requests.

HTTP floods

Similar to a SYN flood, the target in this type of attack is subjected to a substantial number of HTTP requests (for example, GET or POST requests), which, in turn, consume valuable resources on the host. This results in a lack of available resources to process and serve legitimate requests on the server, rendering the host unusable.

Ping of death (PoD)

As the name suggests, this type of attack isn’t something that will help your environment. A PoD attack is initiated by a malicious user sending many oversized IP packets to a host through a series of pings. The attack works by exploiting a vulnerability in the way the target system handles fragmented IP packets. The maximum size of an IP packet is 65,535 bytes. Because a large packet is split into fragments for transmission, each fragment is a legal size on the wire, but the attacker crafts the fragments so that, once reassembled into a single packet on the host, the result exceeds the allowed maximum. Consequently, because the ping packet is deliberately malformed and oversized, the reassembly process can fail or overflow the memory the host set aside for it, which is detrimental to its performance.
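The reassembly bounds check that defeats this attack, shown here as an added example (not code from the study guide): each fragment carries an offset in 8-byte units, and a receiver that verifies the fragment's end against the 65,535-byte maximum before copying it into the reassembly buffer cannot be overflowed. Fragment records and the two sample series are constructed inline; a minimal 20-byte IPv4 header is assumed.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

IPV4_MAX_DATAGRAM = 65535  # largest legal IPv4 datagram, header included
IPV4_HEADER_LEN = 20       # assumption: minimal header, no options


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as seen by the receiver (constructed fields, not parsed from the wire)."""
    ident: int        # identification field; all fragments of one datagram share it
    offset: int       # fragment offset field, in 8-byte units
    more: bool        # "more fragments" (MF) flag
    payload_len: int  # bytes of data carried after the header


def fragment_end(frag: Fragment) -> int:
    """Byte position just past this fragment's data within the reassembled datagram."""
    return frag.offset * 8 + frag.payload_len


def is_oversized(frag: Fragment) -> bool:
    """True if placing this fragment would push the datagram past the 65,535-byte maximum."""
    return IPV4_HEADER_LEN + fragment_end(frag) > IPV4_MAX_DATAGRAM


def reassemble(frags: Iterable[Fragment]) -> Tuple[str, int]:
    """Validate one datagram's fragments: ("ok", total_len), ("oversized", end) or ("incomplete", seen)."""
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered:
        return ("incomplete", 0)
    ident = ordered[0].ident
    expected_next = 0
    for frag in ordered:
        if frag.ident != ident:
            raise ValueError("fragments from different datagrams mixed together")
        if is_oversized(frag):  # the PoD check: reject before touching any buffer
            return ("oversized", IPV4_HEADER_LEN + fragment_end(frag))
        if frag.offset * 8 != expected_next:  # gap or overlap in the series
            return ("incomplete", expected_next)
        expected_next = fragment_end(frag)
    if ordered[-1].more:  # final fragment must have MF cleared
        return ("incomplete", expected_next)
    return ("ok", IPV4_HEADER_LEN + expected_next)


# Constructed samples: a 2,000-byte ping split across a 1,500-byte MTU, and a PoD series
NORMAL_PING = [
    Fragment(ident=1, offset=0, more=True, payload_len=1480),   # 1480 = 1500 - 20
    Fragment(ident=1, offset=185, more=False, payload_len=520),  # 185 * 8 = 1480
]
PING_OF_DEATH = [  # only the first and final fragments shown; the last one lands past 65,535
    Fragment(ident=2, offset=0, more=True, payload_len=1480),
    Fragment(ident=2, offset=8189, more=False, payload_len=100),  # 8189 * 8 + 100 + 20 = 65632
]
```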

Reflection attacks

In this type of attack, the attacker sends many requests to a server with the source address spoofed to be the victim’s IP address. The server then responds to each request, sending the responses back to the victim. With many responses arriving at the victim’s system, its network connection becomes overloaded and access to the network is disrupted, which is exactly what the attacker intends.

One of the challenges with defending against reflection attacks is that the traffic appears to come from legitimate sources (the servers that reflected it), rather than from an attacker’s address. This makes the attack hard to distinguish from legitimate traffic.