Apart from individuals, organizations worldwide that host data and conduct business over the internet are always at the risk of a DDoS attack. These DDoS attacks are getting more extreme with hackers getting easy access to botnet farms and compromised devices, as can be seen in the graph. Three of the six strongest DDoS attacks were launched in 2021, with the most extreme attack occurring just last year in 2020. Lately, cyber criminals have been actively seeking out new services and protocols for amplifying these DDoS attacks. Active involvement with hacked machines and botnets allows further penetration into the consumer space, allowing much more elaborate attack campaigns apart from general users. Multinational corporations have also had their fair share of problems. GitHub, a platform for software developers, was the target of a DDoS attack in 2018. Widely suspected to be conducted by Chinese authorities, this attack went on for about 20 minutes, after which the systems were brought into a stable condition. It was the strongest DDoS attack to date at the time and made a lot of companies reconsider their security practices to counter such attacks. Even after years of experimentation, DDoS attacks are still at large and can affect anyone in the consumer and corporate space. Hey everyone, this is Bev from Simplilearn, and welcome to this video on what is a DDoS attack. Let's take a look at the topics we will be covering today. We start by learning what a DDoS attack is and how it works on a phase-by-phase level.
We learn about the distinct categories of DDoS attacks and the potential aims of hackers when they launch a DDoS attack campaign. We also look at some preventive measures that can be taken to protect oneself from these DDoS attacks. Finally, we have a demonstration of how such attacks can hamper the working of a server system using VMware and the Parrot Security operating system. But before moving forward, make sure you are subscribed to the Simplilearn YouTube channel, and don't forget to hit the bell icon to receive updates about more informative videos from our channel. So let's learn more about what a DDoS attack is. A distributed denial of service attack, or DDoS, is when an attacker or attackers attempt to make it impossible for a service to be delivered. This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications and even specific transactions within applications. In a DoS attack, it's one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems. Generally, these attacks work by drowning a system with requests for data. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that the available internet bandwidth, CPU and RAM capacity become overwhelmed. The impact could range from a minor annoyance from disrupted services to entire websites, applications or even entire businesses being taken offline.
More often than not, these attacks are launched using machines in a botnet. A botnet is a network of devices that can be triggered to send requests from a remote source, often known as the command and control center. The bots in the network attack a particular target, thereby hiding the original perpetrator of the DDoS campaign. But how do these devices come under the botnet, and what are the requests being made to the web servers? Let's learn more about these and how DDoS attacks work. A DDoS attack is a two-phase process. In the first phase, a hacker creates a botnet of devices. Simply put, a vast network of computers is hacked via malware, ransomware or just simple social engineering. These devices become a part of the botnet, which can be triggered anytime to start bombarding a system or a server on the instruction of the hacker that created the botnet. The devices in this network are called bots or zombies. In the second phase, a particular target is selected for the attack. When the hacker finds the right time to attack, all the zombies in the botnet network send requests to the target, thereby taking up all the server's available bandwidth. These can be simple ping requests or complex attacks like SYN flooding and UDP flooding. The aim is to overwhelm them with more traffic than the server or the network can accommodate. The goal is to render the website or service inoperable.
There is a lot of wiggle room when it comes to the type of DDoS attack a hacker can go with, depending on the target's vulnerability. We can choose one of three broad categories of DDoS attacks. Volume-based attacks use massive amounts of bogus traffic to overwhelm a resource; it can be a website or a server. They include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is measured in bits per second. These attacks focus on clogging all the available bandwidth for the server, thereby cutting the supply short. Several requests are sent to the server, all of which warrant a reply, thereby not allowing the target to cater to the genuine, legitimate users. Next, we have the protocol-level attacks. These attacks are meant to consume essential resources of the target server. They exhaust the load balancers and firewalls, which are meant to protect the system against DDoS attacks. These protocol attacks include SYN floods and Smurf DDoS, among others, and the size is measured in packets per second. For example, in an SSL handshake, the server replies to the hello message sent by the hacker, which will be the client in this case, but since the IP is spoofed and leads nowhere, the server gets stuck in an endless loop of sending the acknowledgement without any end in sight. Finally, we have the application-level attacks. Application-layer attacks are conducted by flooding applications with maliciously crafted requests. The size of application-layer attacks is measured in requests per second. These are relatively sophisticated attacks that target application and operating-system-level vulnerabilities.
They prevent the specific applications from delivering necessary information to users and hog the network bandwidth up to the point of a system crash. Examples of such attacks are HTTP flooding and BGP hijacking. A single device can request data from a server using HTTP POST or GET without any issues. However, when the requisite botnet is instructed to bombard the server with thousands of requests, the database bandwidth gets jammed and it eventually becomes unresponsive and unusable. But what about the reasons for such an attack? There are multiple lines of thought as to why a hacker decides to launch a DDoS attack on unsuspecting targets. Let's take a look at a few of them. The first option is to gain a competitive advantage. Many DDoS attacks are conducted by hacking communities against rival groups. Some organizations hire such communities to stagger their rivals' resources at a network level to gain an advantage in the playing field. Since being a victim of a DDoS attack indicates a lack of security, the reputation of such a company takes a significant hit, allowing the rivals to cover up some ground. Secondly, some hackers launch these DDoS attacks to hold multinational corporations to ransom. The resources are jammed, and the only way to clear the way is if the target company agrees to pay a designated amount of money to the hackers. Even a few minutes of inactivity is detrimental to a company's reputation in the global market, and it can cause a spiral effect both in terms of market value and product security index.
Most of the time a compromise is reached and the resources are freed after a while. DDoS attacks have also found use in the political segment. Certain activists tend to use DDoS attacks to voice their opinion; spreading the word online is much faster than any local rally or forum. Primarily political, these attacks also focus on online communities, ethical dilemmas or even protests against corporations. Let's take a look at a few ways that companies and individuals can protect themselves against DDoS attacks. A company can employ load balancers and firewalls to help protect the data from such attacks. Load balancers reroute the traffic from one server to another in a DDoS attack. This reduces the single point of failure and adds resiliency to the server data. A firewall blocks unwanted traffic into a system and manages the number of requests made at a definite rate. It checks for multiple attacks from a single IP and occasional slowdowns to detect a DDoS attack in action. Early detection of a DDoS attack goes a long way in recovering the data lost in such an event. Once you've detected the attack, you will have to find a way to respond. For example, you will have to work on dropping the malicious DDoS traffic before it reaches your server so that it doesn't throttle and exhaust your bandwidth. Here is where you will filter the traffic so that only legitimate traffic reaches the server. By intelligent routing, you can break the remaining traffic into manageable chunks that can be handled by your cluster resources.
The most important stage in DDoS mitigation is where you will look for patterns of DDoS attacks and use those to analyze and strengthen your mitigation techniques. For example, blocking an IP that's repeatedly found to be offending is a first step. Cloud providers like Amazon Web Services and Microsoft Azure, who offer high levels of cyber security, including firewalls and threat monitoring software, can help protect your assets and network from DDoS criminals. The cloud also has greater bandwidth than most private networks, so it is less likely to fail under the pressure of increased DDoS attacks. Additionally, reputable cloud providers offer network redundancy, duplicating copies of your data, systems and equipment, so that if your service becomes corrupted or unavailable due to a DDoS attack, you can switch to secure access on backed-up versions without missing a beat. One can also increase the amount of bandwidth available to a host server being targeted. Since DDoS attacks fundamentally operate on the principle of overwhelming systems with heavy traffic, simply provisioning extra bandwidth to handle unexpected traffic spikes can provide a measure of protection. This solution can prove expensive, as a lot of that bandwidth is going to go unused most of the time. A content delivery network, or CDN, distributes your content and boosts performance by minimizing the distance between your resources and end users. It stores cached versions of your content in multiple locations, and this eventually mitigates DDoS attacks by avoiding a single point of failure when the attacker is trying to focus on a single target.
Popular CDNs include Akamai CDN, Cloudflare, AWS CloudFront, etc. Let's start with our demo regarding the effects of DDoS attacks on a system. For the demo, we have a single device that will attack a target, making it a DoS attack of sorts. Once a botnet is ready, multiple devices can do the same and eventually emulate a DDoS attack. To do so, we will use the virtualization software called VMware with an instance of the Parrot Security operating system running. For a target machine, we will be running another VMware instance of a standard Linux distribution known as Linux Lite. On the target device, we can use Wireshark to determine when the attack begins and see the effects of the attack accordingly. This is Linux Lite, which is the target machine, and this is Parrot Security, which is used by the hacker when trying to launch a DDoS attack. This is just one of the distros that can be used to launch the attack. We must first find the IP address of our target. To find the IP address, we open the terminal and use the command ifconfig, and here we can find the IP address. Now, remember we're launching this attack in VMware; both the instances of Parrot Security and Linux Lite are being run on my local network. So the address that you can see here is 192.168.72.129, which is a private address. This IP cannot be accessed from outside the network, basically by anyone who is not connected to my Wi-Fi. When launching attacks with public servers or public addresses, it will have a public IP address that does not belong to the 192.168 subnet.
Once we have the IP address, we can use a tool called hping3. hping3 is an open-source packet generator and analyzer for the TCP/IP protocol. To check what the effects of an attack are, we will be using Wireshark. Wireshark is a network traffic analyzer. We can see that whatever traffic is passing through the Linux Lite distro is being displayed over here, with the IP address, the source IP and the destination IP as to where the request is being transferred to. Once we have the DoS attack launched, you can see the results coming over here from the source IP, which will be Parrot Security. Now, to launch the hping3 command, we need to give sudo access to the console, which is root access. Now we have root access for the console. The hping3 command will have a few arguments to go with it, which are, as you can see on the screen: -S, --flood, -V, -p 80 and the IP address of the target, which is 192.168.72.129. In this command we have a few arguments, such as -S, which specifies SYN packets. Like in an SSL handshake, we have the SYN request that the client sends to the server to initiate a connection. The --flood option aims to ignore the replies that the server will send back to the client in response to the SYN packets. Here the Parrot Security OS is the client and Linux Lite is the server. -V stands for verbosity, as in where we will see some output when the requests are being sent.
-p 80 stands for port 80, which we can replace with a different port number if we want to attack a different port. And finally, we have the IP address of our target. As of right now, if we check Wireshark, it is relatively clear and there is no indication of a DDoS attack incoming. Now, once we launch the attack over here, we can see the requests coming in from this IP, which is 192.168.72.128. Till now, even the network is responsive, and so is Linux Lite. The requests keep on coming, and we can see the HTTP flooding has started in flood mode. After a few seconds of this attack continuing, the server will start shutting down. Now, remember, Linux Lite is a distro, and such Linux distros serve as the backend to many servers across the world. A few seconds have passed from the attack. Now the system has become completely unresponsive. This has happened due to the huge number of requests that came from Parrot Security. You can see whatever I press, nothing is responded. Even Wireshark has stopped capturing new requests, because the CPU usage right now is at 100%, and at this point of time, anyone who is trying to request some information from this Linux distro, or where this Linux distro is being used as a backend for a server or a database, cannot access anything else.
The system has completely stopped responding, and any legitimate request from legitimate users will be dropped. Once you stop the attack over here, it takes a bit of time to settle down. Now, remember, it's still out of control, but eventually the traffic dies down and the system regains its strength. It is relatively easy to gauge right now the effect of a DoS attack. Now remember, this Linux Lite is just a VM instance; actual website servers and web databases have much more bandwidth and are very secure, and it's tough to break into them. That is why we cannot use a single machine to break into them. That is where a DDoS attack comes into play. What we did right now is a DoS attack, as in a single system is being used to penetrate a target server using a single request. Now, in a DDoS attack, multiple systems, such as multiple Parrot Security instances or multiple zombies or bots in a botnet network, can attack a target server to completely shut down the machine and drop any legitimate request, thereby rendering the service and the target completely unusable and inoperable. As a final note, we would like to remind you that this is for educational purposes only and we do not endorse any attacks on anyone's domains; only test this on servers and networks that you have permission to test on. Hope you learned something interesting today. If you have any questions regarding the lesson, feel free to ask us in the comments section, and we will get back to you as soon as possible.
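The firewall-side check the video mentions (many requests from a single IP) applied to the traffic pattern of the hping3 demo, as an added example that is not part of the video: it parses constructed Wireshark-style packet summaries and flags a source whose SYN burst is large while almost none of its connections is ever completed, which is exactly what --flood produces because the replies are ignored. The one-line summary format, the roles of the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One packet per line: "<seconds> <src_ip> -> <dst_ip>:<dst_port> [<flags>]"
# (constructed tshark-like summary format; a real capture would be exported from Wireshark)
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) \[([^\]]+)\]$")

def build_sample() -> List[str]:
    """Constructed capture: the demo's .128 host floods port 80 on .129 with SYNs,
    while .10 is a legitimate client that completes the three-way handshake."""
    lines = ["0.000 192.168.72.10 -> 192.168.72.129:80 [SYN]",
             "0.001 192.168.72.129 -> 192.168.72.10:54321 [SYN,ACK]",
             "0.002 192.168.72.10 -> 192.168.72.129:80 [ACK]"]
    for i in range(200):  # hping3 --flood ignores the SYN/ACKs, so the flooder never ACKs
        t = 0.010 + i * 0.001
        lines.append(f"{t:.3f} 192.168.72.128 -> 192.168.72.129:80 [SYN]")
        lines.append(f"{t + 0.0005:.4f} 192.168.72.129 -> 192.168.72.128:{1024 + i} [SYN,ACK]")
    return lines

def detect_syn_flood(lines: List[str], window: float = 1.0, syn_threshold: int = 100,
                     max_ack_ratio: float = 0.1) -> Dict[str, Tuple[int, float]]:
    """Return {src_ip: (peak SYNs in any `window` seconds, ACKs/SYNs)} for sources that
    burst above syn_threshold while completing almost none of those handshakes."""
    syn_times: Dict[str, List[float]] = defaultdict(list)
    acks: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines in an export instead of crashing
        ts, src, _dst, _port, flags = m.groups()
        flagset = set(flags.split(","))
        if flagset == {"SYN"}:
            syn_times[src].append(float(ts))
        elif "ACK" in flagset and "SYN" not in flagset:
            acks[src] += 1  # a bare ACK from the client completes a handshake
    alerts: Dict[str, Tuple[int, float]] = {}
    for src, times in syn_times.items():
        times.sort()
        peak, start = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while times[start] < t - window:
                start += 1
            peak = max(peak, i - start + 1)
        ratio = acks[src] / len(times)
        if peak >= syn_threshold and ratio <= max_ack_ratio:
            alerts[src] = (peak, ratio)
    return alerts
```

Running `detect_syn_flood(build_sample())` reports only the flooding host, with 200 SYNs in the window and a zero completion ratio, while the client that finished its handshake is left alone.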
Thank you for watching.