DoS and DDoS

kratoslab - DoS and DDoS

Denial of Service (DoS)


The purpose of a DoS attack is to make a network resource unavailable. There are many ways to do this. Some attacks target an individual user, others an entire service.

Targeting an individual means that the attacker attempts to disrupt just one user. For example, the victim could be an opponent in an online game; with a DoS attack the attacker tries to keep that opponent offline. Another victim could be a person bidding in an auction. Since the attacker is also bidding, he or she wants to get rid of the competition by denying the victim service and making the auction site unavailable just for them. Most attackers reach this goal by abusing a password reset or login feature. It is also worth mentioning that DDoS (distributed denial of service) attacks can be aimed at an individual: these target the victim's IP address and flood their network with malicious traffic.

Other attacks target an entire service. Here the attackers try to take the whole web application offline. This is not about keeping one person offline; it is about causing severe impact and making the web application unavailable to everyone.


DoS Attacks Targeting an Individual


Exploiting Password Resets

As you know, most web applications have a password reset feature, and anyone can go to the password reset page and enter anyone's email address. Suppose that after registering you go to the password reset page, enter your email and press reset password, and the application changes your password on the spot: you can no longer log in with the old one. But what if someone else is constantly entering your email on the password reset page? As a result you cannot get into the system, and until you check your email you won't even know that your password has changed. This is very easy for the attacker: he or she can automate the process by simply sending HTTP requests to this resource over and over, with your email in the request body.


The solution to this problem is to never lock the user out immediately. Always send an email with a reset link instead, so the current password keeps working until that link is used. The link must carry a random token, and there are a couple of nuances, such as giving the token a time limit. This is the essence of defending against this DoS attack; otherwise an attacker can keep the legitimate owner out of the account.
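The reset flow described above, written out as an added example (not code from the original post): a request only issues a random, time-limited, single-use token by email, and the existing password stays valid until the token is redeemed. `ResetService`, the `users` store, the `send_email` hook and the link format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes


class ResetService:
    def __init__(self, users, send_email, clock=time.time):
        self.users = users            # {email: {"password": str}}; constructed sample store,
                                      # plaintext only to keep the example short (hash in real code)
        self.send_email = send_email  # callable(email, link): assumed mail hook
        self.clock = clock            # injectable so expiry can be tested without sleeping
        self.tokens = {}              # sha256(token) -> (email, expiry); only hashes are stored

    def request_reset(self, email):
        """Issue a reset link. The current password keeps working, so repeated
        requests (the DoS from the text) cannot lock the real owner out. The
        reply is identical for unknown addresses, so nothing is enumerated."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, self.clock() + TOKEN_TTL_SECONDS)
            self.send_email(email, f"https://app.example/reset?token={token}")
        return "If that address is registered, a reset link has been sent."

    def redeem(self, token, new_password):
        """Change the password only for a valid, unexpired, single-use token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop: a token can be used once
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[email]["password"] = new_password
        return True

    def login(self, email, password):
        user = self.users.get(email)
        return user is not None and hmac.compare_digest(user["password"], password)
```

In production you would also rate-limit how often a link is sent per address, since the outbound email hop is itself a costly downstream call.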


Exploiting Account Lockouts

Let's consider an example. You make several failed attempts to log in to a web application and get the message: "You've made too many attempts; the account is now unavailable." You are then unable to log in for some time. But what if an attacker uses this for his own purposes? Attackers don't just use brute force to find valid credentials; they can also keep sending invalid credentials to the login resource, so that even when the account gets unlocked it is immediately locked out again.


The question is, how should you handle multiple failed attempts? The risk we are talking about here is brute force. One defence is to slow the rate of login attempts: it does not lock the legitimate user out for a long period, but it reduces the attacker's effectiveness. Another is to allow users to unlock their accounts via email. There are also options for verifying identity via other channels (for example SMS), although that requires additional processes: at least you need to know the person's phone number and verify it as well. Another lockout option is locking by IP address, but you need to be cautious with that.
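The first option above, slowing the rate of attempts instead of locking the account, as an added example that is not part of the original post: failures on an account raise a per-account delay with exponential backoff, capped so the owner is never shut out for long, and a successful login clears the history. `LoginThrottle`, the `users` store and the constants are assumptions for illustration.

```python
import hmac
import time

MAX_DELAY_SECONDS = 60          # cap: the owner waits at most a minute, never hours
RESET_AFTER_SECONDS = 15 * 60   # failure history decays after a quiet period
FREE_ATTEMPTS = 3               # ordinary typos cost nothing


class LoginThrottle:
    def __init__(self, users, clock=time.time):
        self.users = users      # {username: password}; constructed sample, hash in real code
        self.clock = clock      # injectable clock so the backoff can be tested without sleeping
        self.failures = {}      # username -> (failure count, time of last counted failure)

    def required_delay(self, username):
        """Seconds the caller must still wait before an attempt is evaluated."""
        count, last = self.failures.get(username, (0, 0.0))
        if count <= FREE_ATTEMPTS or self.clock() - last > RESET_AFTER_SECONDS:
            return 0.0
        delay = min(2 ** (count - FREE_ATTEMPTS), MAX_DELAY_SECONDS)   # 2, 4, 8, ... capped
        return max(0.0, last + delay - self.clock())

    def attempt(self, username, password):
        """Return 'ok', 'bad_credentials' or 'slow_down'. The throttle is checked
        before the password, so a guess during the delay is neither evaluated
        nor counted: an attacker cannot push the owner's delay past the cap."""
        now = self.clock()
        if self.required_delay(username) > 0:
            return "slow_down"
        stored = self.users.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            self.failures.pop(username, None)   # success clears the history
            return "ok"
        count, last = self.failures.get(username, (0, 0.0))
        if now - last > RESET_AFTER_SECONDS:
            count = 0
        self.failures[username] = (count + 1, now)
        return "bad_credentials"
```

A real deployment would combine this with per-source-IP limits and the email unlock option, since an attacker who keeps guessing still imposes the capped delay on the owner.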



Distributed Denial of Service (DDoS)


Nowadays the Distributed Denial of Service (DDoS) attack has become enormously prevalent. In this attack many different attacking sources all target one service. Since all of them are sending malicious traffic to the target website, it cannot service legitimate requests: legitimate users cannot use the website because too many others are trying to get through. These attacks come from all over the world, which makes them difficult to defend against. When the traffic originates from foreign countries, tracking down the attacker and stopping them can be very difficult.


DDoS as a Service

Many such services have appeared in recent years. They use many different machines to target one web application in order to take it offline. These services may use legitimate PCs that are now under their control, or cloud-based services. They are available to anyone who can pay, and some of them run like professional businesses, offering to take, for example, competitor websites offline.


Features at Risk of a DDoS Attack

Attackers launching DDoS attacks look for an application feature that results in high overhead, so anything that hashes a password (for example login, registration, change password) is a prime DDoS target. Another target would be a feature that connects to another service (for example the password reset feature). There are also attacks that target the database. In each case the principle is the same: keep the website busy dealing with malicious traffic so that it cannot serve the legitimate traffic.


Other DDoS Attacks and Mitigations

DDoS attacks get more sophisticated day by day. Attackers are always looking for ways to make attacks more effective, for example with an amplification attack: they send a small request that generates a large response, such as requesting resources that return large documents from the website they are targeting. Another example is a DNS reflection attack. Attackers send DNS queries in which the source IP address is set to the target's address, so that the response to each query is sent to the target website; in other words, the attack is reflected off the DNS service onto the target. It can also be amplified by making queries that result in large responses. NTP and SNMP reflection attacks and SYN floods are other examples.



Since DDoS attacks get larger and more sophisticated over time, defending against them can be very tricky. One solution is perimeter defence, meaning network infrastructure that keeps malicious traffic out, but these devices can be expensive. An alternative is DDoS mitigation as a service: you get the same perimeter defence model, but provided by someone else (for example Cloudflare). Another option is blocking the source of incoming traffic, but in a distributed denial of service attack it is difficult to tell legitimate from malicious traffic by IP address, because the attack may be spread over thousands of machines around the world. More complex DDoS defences look at behavioural patterns: they analyse the traffic and decide whether it is good or malicious. Another way to defend against DDoS is simply to have large bandwidth, so that a huge volume of incoming traffic is not a problem.
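A minimal pattern-based analysis of the kind just described, as an added example that is not part of the original post: it counts bursts against the expensive endpoints from the "Features at Risk" section and reports whether a burst comes from one source (where IP blocking helps) or is spread across many (where it does not). The log format, endpoint list, thresholds and sample log are constructed assumptions.

```python
from collections import Counter, defaultdict

EXPENSIVE = {"/login", "/register", "/password/reset"}  # endpoints that hash or call out
WINDOW = 10           # seconds per analysis window
BURST_THRESHOLD = 20  # expensive-endpoint requests per window that count as a burst

# Constructed sample log: "<epoch seconds> <client ip> <method> <path>"
SAMPLE_LOG = (
    [f"100 10.0.0.{i} POST /login" for i in range(1, 31)]   # 30 sources, 1 request each
    + ["200 10.0.0.1 POST /password/reset"] * 25            # one source hammering reset
    + ["300 10.0.0.2 GET /index.html"] * 50                 # cheap endpoint, ignored
)


def parse_line(line):
    """Split a log line into (analysis window, client ip, path)."""
    ts, ip, _method, path = line.split()
    return int(ts) // WINDOW, ip, path


def analyse(lines):
    """Return one finding per window whose traffic to expensive endpoints
    reaches BURST_THRESHOLD: request count, distinct sources and the share
    of the busiest source."""
    per_window = defaultdict(Counter)
    for line in lines:
        window, ip, path = parse_line(line)
        if path in EXPENSIVE:
            per_window[window][ip] += 1
    findings = []
    for window, by_ip in sorted(per_window.items()):
        total = sum(by_ip.values())
        if total < BURST_THRESHOLD:
            continue
        _top_ip, top_hits = by_ip.most_common(1)[0]
        findings.append({"window": window, "requests": total,
                         "sources": len(by_ip), "top_source_share": top_hits / total})
    return findings


def classify(finding):
    """Blocking by IP only helps when one source dominates; a burst spread
    thinly over many sources is the distributed case the text describes."""
    if finding["top_source_share"] >= 0.5:
        return "single-source: block the top IP"
    return "distributed: IP blocking ineffective, rate-limit the endpoint"
```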

It is also worth mentioning that in many cases a DDoS attack is used as a diversion: while you are busy responding to the DDoS, the attackers are mounting the actual attack they wanted to launch in the first place.