DoS (Denial of Service) is a network attack in which the attacker tries to overload a site or service, exhaust its resources (bandwidth, connection state, CPU, memory) and leave it unable to respond to legitimate user requests.
DDoS (Distributed Denial of Service) is the same attack carried out from many devices at once: the site is flooded with more requests than it can handle. The larger the number of attacking devices, the higher the load on the server and the more likely the site becomes unavailable. The danger also depends on duration: the longer the attack lasts, the more damage it does. A DDoS attack can disrupt any service connected to the Internet (networks, databases, mobile devices, applications, etc.). The main goal of such an attack is to overload online resources to the point where they can no longer respond to requests. Unusually slow page loading may indicate a DDoS attack in progress; if it is followed by «503 Service Unavailable» errors, an attack is a likely cause. Note that a traffic spike or a bad deployment produces the same symptoms, so confirm with traffic data (request rates, source counts, connection states) before treating it as an attack.
How a DDoS attack works
Such an attack is usually launched from a botnet: a large number of compromised devices (IoT devices are a common choice because they are rarely patched, but servers and PCs are used as well). Each device is infected with malware that takes orders from the attacker's command-and-control infrastructure, and the devices are pointed at the same target at the same time. The size of a botnet is limited only by how many devices the attacker manages to compromise. Because the malicious traffic adds up, the victim's bandwidth, connection tables, RAM and CPU can be exhausted even though each individual bot sends relatively little.
Types of DDoS attacks
- Volume-based (volumetric) attacks: saturate the bandwidth of the target or its upstream links with sheer traffic volume, so legitimate packets never arrive.
  - UDP flood: the attacker sends a huge number of UDP packets to random ports on the target from a large number of (often spoofed) IP addresses. For every packet the host checks whether an application is listening on that port and, if not, replies with an ICMP «Destination Unreachable» message, so both the inbound flood and the outbound replies consume resources until the system becomes inaccessible. Protection: block or rate-limit UDP at the edge. Blocking all UDP is only possible if the service does not depend on it (DNS, VoIP, QUIC and many VPNs run over UDP), so in practice the rule is to allow only the UDP ports that are actually served and rate-limit the rest.
  - ICMP flood: the target is flooded with ICMP packets (typically echo requests). The system responds to each one, and the combined request and reply traffic consumes bandwidth and CPU. Protection: rate-limit ICMP or block echo requests from outside. Dropping all ICMP is not recommended, because it also breaks path MTU discovery and useful error reporting.
- Protocol (network-layer) attacks: exhaust the connection state tables of servers, load balancers and firewalls rather than raw bandwidth, so a moderate packet rate can take down infrastructure that has plenty of link capacity.
  - SYN flood: the attacker sends a large number of SYN segments (TCP connection requests) in a short period of time. The server answers each with a SYN-ACK and keeps a half-open connection in its listen backlog while it waits for the final ACK, which never comes because the source addresses are spoofed or the bots simply do not reply. Once the backlog is full, new legitimate connections are refused. The attack may be one-on-one (SYN packets sent from a single machine) or many-on-one (SYN packets sent from bots installed on many different hosts). Protection: recycle the oldest half-open connections when the backlog fills; enlarge the backlog (on Linux, net.ipv4.tcp_max_syn_backlog); enable TCP SYN cookies, which let the server answer SYNs without storing any state (on Linux, net.ipv4.tcp_syncookies=1); put a firewall or SYN proxy in front of the server so that only completed handshakes reach it.
  - Smurf attack: the attacker sends ICMP echo requests to the broadcast address of a network, with the source address forged to be the victim's IP. Every host on that network replies to the victim, so one spoofed packet is amplified into many replies. Modern routers drop directed broadcasts by default, which is why this attack is rare today, but the same reflection-and-amplification idea is still used with other protocols.
- Application-layer attacks: send large numbers of requests that look legitimate but are expensive for the server to process (HTTP floods against heavy pages or search endpoints, DNS query floods against resolvers). Each request is cheap for the attacker and costly for the target, and the traffic is hard to separate from real users, so this type of attack is difficult to prevent and is usually aimed at a specific «target». Defences are per-client rate limiting, caching, request challenges and a WAF or CDN in front of the application.
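The SYN cookie defence listed above is worth seeing in code, because the whole point is that the server keeps no per-SYN state: the connection parameters are encoded in the initial sequence number of the SYN-ACK and recovered from the client's final ACK. The following is an added example written for this page, not code from the original article or from any operating system. The layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows the classic scheme; the MSS table values are assumed from memory of the Linux implementation and the HMAC-SHA256 truncation, 64-second counter period and 3-tick acceptance window are choices made for the example.

```python
"""Stateless TCP SYN cookies (added example, not from the original article)."""
import hashlib
import hmac
import os
import time

_SECRET = os.urandom(16)          # per-process key; a kernel regenerates it at boot
MSS_TABLE = (536, 1300, 1440, 1460)  # 3-bit index instead of the full MSS (values assumed)
COUNTER_PERIOD = 64               # seconds per counter tick (5-bit counter wraps every 32 ticks)
MAX_AGE_TICKS = 3                 # accept cookies minted up to 3 ticks (~3-4 minutes) ago


def _counter(now):
    return int(now // COUNTER_PERIOD) & 0x1F


def _mss_index(client_mss):
    """Largest table entry not exceeding the MSS the client offered."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _mac24(saddr, sport, daddr, dport, client_isn, t, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN, counter and MSS."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{client_isn}|{t}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, client_mss, now=None):
    """Called on SYN. Returns the ISN for the SYN-ACK; nothing is stored for this SYN."""
    now = time.time() if now is None else now
    t = _counter(now)
    mss_idx = _mss_index(client_mss)
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, client_isn, t, mss_idx)


def check_syn_cookie(saddr, sport, daddr, dport, ack_seq, ack_ack, now=None):
    """Called on the final ACK of the handshake.

    ack_seq is the client's sequence number (client ISN + 1) and ack_ack acknowledges
    our ISN + 1. Returns the negotiated MSS if the cookie is genuine and fresh, else None.
    """
    now = time.time() if now is None else now
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if (_counter(now) - t) & 0x1F > MAX_AGE_TICKS:
        return None                      # stale cookie or forged counter field
    expected = _mac24(saddr, sport, daddr, dport, client_isn, t, mss_idx)
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None                      # not a SYN-ACK we sent for this 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    srv = ("203.0.113.10", 443)
    # A flood of 100k spoofed SYNs costs one hash each and zero memory on our side.
    for i in range(100_000):
        make_syn_cookie(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                        40000 + i % 20000, *srv, client_isn=i, client_mss=1460)
    # A real client completes the handshake: its ACK acknowledges our cookie + 1.
    isn = make_syn_cookie("198.51.100.7", 51000, *srv, client_isn=12345, client_mss=1460)
    print("legit client MSS:", check_syn_cookie("198.51.100.7", 51000, *srv, 12346, isn + 1))
    print("forged ACK:", check_syn_cookie("198.51.100.7", 51000, *srv, 12346, isn + 2))
```

The cost of statelessness is visible in the code: only a 3-bit MSS index survives, other TCP options (window scaling, SACK) are lost unless the implementation encodes them elsewhere, and the acceptance window must be short so a captured ACK cannot be replayed for long. That is why real kernels only switch cookies on once the backlog is under pressure rather than using them for every connection.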
Prevention:
- Review the network configuration: know your normal traffic levels, where capacity limits are, and which rate limits and filters exist at the edge;
- Close unused ports and services, since every exposed service is a potential flood target or amplifier;
- Run controlled, pre-agreed load tests and DDoS simulations to see how the infrastructure and the monitoring actually behave under attack;
- Develop an action plan: who is called, which thresholds trigger it, and how mitigation is requested from the upstream provider or scrubbing service, so that the first DDoS is not also the first rehearsal.
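An action plan needs concrete thresholds that turn the flood types described above into alerts. The following is an added example, not part of the original article: a small threshold-based detector run over per-second flow records. The record format, the threshold values and the traffic sample (a quiet baseline with a UDP flood, an ICMP flood, a single-client HTTP flood and a distributed HTTP flood injected at known seconds) are all constructed for the example; in production the thresholds would be derived from a baseline of each destination's normal traffic.

```python
"""Threshold-based flood detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch second the traffic was observed in
    proto: str   # "udp", "icmp" or "http" (HTTP counts would come from the web server log)
    src: str
    dst: str
    pkts: int    # packets, or HTTP requests, in that second


# Per-second thresholds chosen for the constructed sample below.
THRESHOLDS = {
    "udp_pps": 5000,        # volumetric UDP flood against one destination
    "icmp_pps": 2000,       # ICMP echo flood
    "http_rps_src": 50,     # one client hammering the application (rate-limit candidate)
    "http_rps_total": 500,  # distributed HTTP flood: many clients, modest rate each
    "min_sources": 20,      # floods come from many addresses; a few hosts is more likely a bug
}


def detect_floods(flows, th=THRESHOLDS):
    """Aggregate per (second, destination, protocol) and return sorted (ts, dst, kind, detail) alerts."""
    per_sec = defaultdict(lambda: {"pkts": 0, "srcs": defaultdict(int)})
    for f in flows:
        bucket = per_sec[(f.ts, f.dst, f.proto)]
        bucket["pkts"] += f.pkts
        bucket["srcs"][f.src] += f.pkts

    alerts = []
    for (ts, dst, proto), b in sorted(per_sec.items()):
        n_src = len(b["srcs"])
        if proto == "udp" and b["pkts"] >= th["udp_pps"] and n_src >= th["min_sources"]:
            alerts.append((ts, dst, "udp_flood", f"{b['pkts']} pps from {n_src} sources"))
        elif proto == "icmp" and b["pkts"] >= th["icmp_pps"] and n_src >= th["min_sources"]:
            alerts.append((ts, dst, "icmp_flood", f"{b['pkts']} pps from {n_src} sources"))
        elif proto == "http":
            for src, rps in b["srcs"].items():
                if rps >= th["http_rps_src"]:
                    alerts.append((ts, dst, "http_flood_single_source", f"{src} sent {rps} req/s"))
            if b["pkts"] >= th["http_rps_total"] and n_src >= th["min_sources"]:
                alerts.append((ts, dst, "http_flood_distributed",
                               f"{b['pkts']} req/s from {n_src} sources"))
    return alerts


def constructed_sample(dst="203.0.113.10"):
    """60 s of quiet baseline with four floods injected at known seconds. Constructed, not real data."""
    flows = []
    for ts in range(60):
        for i in range(5):                                   # five DNS-like UDP clients
            flows.append(Flow(ts, "udp", f"198.51.100.{i}", dst, 30))
        flows.append(Flow(ts, "icmp", "198.51.100.200", dst, 1))   # one monitoring host pinging
        for i in range(10):                                  # ten ordinary web clients
            flows.append(Flow(ts, "http", f"192.0.2.{i}", dst, 4))
        if 20 <= ts <= 25:                                   # one client at 120 req/s
            flows.append(Flow(ts, "http", "192.0.2.99", dst, 120))
        if 30 <= ts <= 35:                                   # UDP flood: 200 spoofed sources x 40 pps
            for i in range(200):
                flows.append(Flow(ts, "udp", f"10.0.{i}.1", dst, 40))
        if 40 <= ts <= 42:                                   # ICMP flood: 100 sources x 30 pps
            for i in range(100):
                flows.append(Flow(ts, "icmp", f"10.1.{i}.1", dst, 30))
        if 50 <= ts <= 52:                                   # distributed HTTP flood: 300 bots x 3 req/s
            for i in range(300):
                flows.append(Flow(ts, "http", f"10.2.{i // 256}.{i % 256}", dst, 3))
    return flows


if __name__ == "__main__":
    for alert in detect_floods(constructed_sample()):
        print(*alert)
```

The distributed HTTP case is the one that defeats naive per-client rate limiting: every bot stays well under the single-source threshold, and only the aggregate request rate combined with the jump in distinct sources gives it away. Running the detector against a recorded baseline before the first incident is what turns the "action plan" bullet above into something an on-call engineer can actually execute.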