Around IT in 256 seconds

#77: DDoS: take down a server, one request at a time

June 13, 2022 | 3 Minute Read

Denial-of-service attack tries to take down a server by sending specially-crafted requests. The simplest form of this attack is just sending a lot of requests in a short period of time. But more sophisticated methods are possible. For example, sending a single unusual request that overwhelms the server. One such example is a ZIP bomb, that I’ll explain later. But the most widespread technique requires a large number of attacking servers. Also known as distributed denial-of-service. DDoS for short.

Before we dive into DDoS, let’s discuss small-scale attacks. Imagine your website accepts ZIP file uploads. Nothing wrong with that? Except when you upload a ZIP bomb. A specially-crafted file that compresses very well. By how much? It is possible to create a 42 KB ZIP file that decompresses to 4.5 PB. Sounds like a toy until you find your server unavailable with dreadful No space left on device message. And you can perform that attack from a mobile phone with the smallest data plan.

But that’s just the beginning. Many attacks don’t even attempt to crash the victim. Instead they flood it with so many requests that they saturate the network connection. The server is technically up, but unresponsive. Of course, in order to generate that much traffic, we should have even larger server, right? Not really. You just have to be clever. Or own a botnet.

One technique requires so-called amplification. It’s an observation that some requests may generate much larger response. For example, a single request to DNS server may return a response that’s almost 200x larger. This alone is not enough. But what if we fake the source address? In other words, send a request with a return address that’s not ours? But instead, the address of the victim? Suddenly the victim receives a ton of unrequested traffic. Faking the source address is called IP spoofing.

This is called reflected attack, because we reflect the traffic to the victim. Another approach is SYN flood. We pretend we’d like to open a TCP/IP connection but never really finish the handshake. Simplifying a bit, the victim’s server is left with a ton of half-open connections. We saturated the victim, making it unresponsive.

However, these days distributed denial-of-service attacks are the most common. It’s the least sophisticated, but most effective technique. We simply take thousands of servers and send a ton of normal requests to victim. The traffic may come from all over the world and is hard to distinguish from normal requests.

But where do these computers come from? well, mostly they are ordinary PCs, infected with malware. They become part of an illegal botnet, controlled by criminals. You can even purchase DDoS attack on a black market. Funnily, sometimes these are not even ordinary computers. In 2016 successful DDoS attack came from hacked… CCTV cameras.

One interesting, high-level DDoS attack is known as yo-yo. It targets services that support auto-scaling. The attack lasts for a short period of time, causing the server to autoscale. Then it stops, leaving highly underutilized cluster. When it scales down, the attack repeats. This process not only destbailizes the cluster, but also generates huge costs.

So, how large can a DDoS attack be? The largest known attacks so far generated a few terabits per second.

Some attacks may be unintentional. I can think of two scenarios. First is so-called Reddit effect. Legitimate traffic from highly popular website points to a smaller one, taking it down. Another example may occur in distributed systems. In that case, a single misbehaving service may take down another service or database. How? For example, retrying too much.

We barely scratched the surface of DDoS. There is a ton of attack vectors with bizarre names, like ping of death, black nurse or R-U-Dead-Yet. DDoS protection deserves another episode.

That’s it, thanks for listening, bye!

More materials

Tags: DDoS, DoS, security

Be the first to listen to new episodes!

To get exclusive content: