Distributed denial-of-service (DDoS) attacks have the same goals as a DoS attack, but the structure is much more complex and wields a lot more power. Whereas a DoS attack relies on a single system as the source of the attack, a DDoS attack by having numerous sources available to deliver a devastating attack on the victim. Anything from a few to a few million systems could potentially take part in the attack. The attack is distributed over some amount of sources with a shared target of attack.
DDoS attacks has the same goals as a regular DoS attack, to deny users a service. Using only one malicious computer for a DoS attack, the goal might be to just crash the service on the target server as it will not require any particular amount of resources such as bandwidth. This could just be one packet crafted in such a way that a buffer overrun occur which result i the service crashing. A handful of malicious attackers might be able to overwhelm a fairly strong victim by using a layer 7 attack, also known as an application layer attack. For instance if the target is a web application the attacker will carefully choose a function in the web application that require a lot of resources on the victim without using any noticeable resources on the attacker system delivering the attack. Such a function could be a logon function on the target website. Attacking this kind of function may initiate a web page load, a hashing function being executed and a database query being run. A DDoS attack done by a huge amount of bots may overwhelm even the larger clustered target with plenty of bandwidth because of the sheer amount delivered in a very short time. In this sense the difference between a DoS and a DDoS attack is scale; however, in either case the end result is the same - a victim is taken offline.
DoS & DDoS Attack Vectors
There are many techniques available to amplify an attack using services combined with spoofing such as DNS amplification, broadcast amplification and more. The power of DNS is that it is trivial to send a small package to a DNS server with a spoofed source address and the DNS server will respond to the spoofed source address with a much larger response than the initial query. Initiating traffic to a broadcast address with a spoofed source address may provoke all devices that receive the broadcast to respond back to the spoofed source address hence amplifying the attack greatly.
Even though the attack may not crash the target it have the potential to exhaust all resources on the target leaving no resources for legitimate users. These kinds of attack can also be applied as a smokescreen for a hidden intrusion attempt in the hope that dangerous traffic will not be noticed amongst the overwhelming amount of traffic received.
DDoS attacks has the same goals as a regular DoS attack, to deny users a service. Using only one malicious computer for a DoS attack, the goal might be to just crash the service on the target server as it will not require any particular amount of resources such as bandwidth. This could just be one packet crafted in such a way that a buffer overrun occur which result i the service crashing. A handful of malicious attackers might be able to overwhelm a fairly strong victim by using a layer 7 attack, also known as an application layer attack. For instance if the target is a web application the attacker will carefully choose a function in the web application that require a lot of resources on the victim without using any noticeable resources on the attacker system delivering the attack. Such a function could be a logon function on the target website. Attacking this kind of function may initiate a web page load, a hashing function being executed and a database query being run. A DDoS attack done by a huge amount of bots may overwhelm even the larger clustered target with plenty of bandwidth because of the sheer amount delivered in a very short time. In this sense the difference between a DoS and a DDoS attack is scale; however, in either case the end result is the same - a victim is taken offline.
DoS & DDoS Attack Vectors
- Volumetric Attack - This kind of attack consumes all available bandwidth of the target network or service.
- Fragmentation Attack - This attack overwhelms the target with fragmented packets rendering it unable to re-assemble the fragments.
- TCP State-Exhaustion Attack - Attacking in this manner is an attempt to fill the connection state table, consume all available source port numbers or the allowed amount of half-open connections of the underlaying operating system.
- Application Layer Attack - This attack consumes as many resources from the target application as possible.
There are many techniques available to amplify an attack using services combined with spoofing such as DNS amplification, broadcast amplification and more. The power of DNS is that it is trivial to send a small package to a DNS server with a spoofed source address and the DNS server will respond to the spoofed source address with a much larger response than the initial query. Initiating traffic to a broadcast address with a spoofed source address may provoke all devices that receive the broadcast to respond back to the spoofed source address hence amplifying the attack greatly.
Even though the attack may not crash the target it have the potential to exhaust all resources on the target leaving no resources for legitimate users. These kinds of attack can also be applied as a smokescreen for a hidden intrusion attempt in the hope that dangerous traffic will not be noticed amongst the overwhelming amount of traffic received.