A DoS (Denial of Service) and a DDoS (Distributed Denial of Service) are attacks of denial of services. Both aim at generating an overload of requests in order to obstruct the network or consuming all of the resources from the server. Therefore, making impossible that the service could be provided.The difference between DoS and DDoS is the relation in the amount of devices which are carrying out the attack. The DoS involves only one attacking computer. Now the DDoS can involve even millions of attacking computers.

In order to carry the DDoS, the cracker creates a network of zombie computers, also known as botnet. These zombie computers, can be from common users around the world that don’t even know that they are infected.

By carrying out the DDoS attack, the master computer controls several computers that were infected in order to send requisitions simultaneously a target. Therefore, making it difficult for the target to protect itself since the attack will come from several computers with different IP addresses and not only from one as is the case with DoS attacks.

The three main pillars of Information Security are: availability, confidentiality and integrity. The DDoS attack aims exactly on the Availability pillar. However, denying the access to the service. With that, the attacker might be able to cause several damages to one Company or even paralyzing essential activities from governmental organs.

TYPES OF DDOS ATTACKS

On the following, we are going to identify some of the most common DDoS attacks:

Application Layer Attacks 

This type of attack can be mistaken as a failure on the implementation of the application. In this manner, the objective of such an attack is to saturate the system forcing the application to execute a process which is very demanding in terms of resources. Like, for example, complex consultations in applications that might demand a high load of processing. Example: HTTP POST – POST is a method of requisition utilized by the HTTP application protocol. The POST send data of the requests attached to its body and demand a more complex processing than the GET requisitions, which are more simple, for example. With POST solicitations that are endless the resources of the server might easily become exhausted and even the available band.

State-Exhaustion Attacks

This category aims for the exhaustion of all the capacity of a stateful connection that might be available on the server or network devices. In this manner, preventing that new connections are established. Example: SYN Flood – Package with the SYN flag is a package requesting initial connections to the TCP protocol. When the server receives the SYN package will answer with SYN/ACK leaving a TCP door opened waiting for a response (ACK). Thus, the massive sending of SYN packages for a server will be able to overload all the doors available.

Volumetric Attack

The goal of this kind of attack is to exhaust all the bandwidth available for the target. In order to reaching to this objective the cracker uses botnets and vulnerabilities in UDP services in order to amplify the traffic in direction to the target. Example: NTP Amplification – The server NTP (Network Time Protocol) is crucial for keeping the synchronization of the clicks available in network. There are several public servers that are able to provide this service. However, despite being important, if improperly configured they can be used for denial of service attacks. The cracker will be able to use a botnet to send requests to the NTP server claiming to be the target requesting a large amount of data. When the server responds to the requisitions of all the botnet machines, it will send every of them to an only target. Thus, overloading the link of that target.

PROTECTION AGAINST DDOS ATTACKS

We have seen during this article how harmful are the DDoS attacks. Especially, when an essential service is affected. Undeniably, it is crucial that the companies have manners of detecting and applying countermeasures for avoiding substantial losses.

The fist point is the visibility. Mainly in relation to traffic. The network cannot be a black box anymore, it is crucial to observe the behavior of the network in order to establish parameters which might facilitate the identification of abnormal traffic.

Alarms can be configured, for the purpose of identifying immediately a pick of traffic or for the evaluation of the alteration of the network behavior. This, in conjunction with reports, will offer the complete information about the origin and the content of the traffic.

The second point is a proactive approach. It is not enough to identify, measures need to be taken. Scripts must be configured in order to actuate blocking addresses in case they are identified as having origin as a suspicious traffic. Thus, implementing a fast response against a DDoS attack before it is successful.

FINAL CONSIDERATIONS

The TRAFip  is an analysis system which allows the determining of what, how, when, where and by whom your network is being utilized. The TRAFip in conjunction with the TRAFwatcher, besides providing total visibility of the traffic, will act in the detection and blocking of attacks such as the DDoS.

In this way, there are no doubts about the importance of investing on network management. In this same manner, bringing not only benefits to the network visibility but also being a complementary way to seek for the prevention of problems that might cause the dropping of network services.

Thinking of that, Telcomanager present in the market since 2002, and a leading Latin America brand in the sector of software for managing networks. Also counting with a unique and innovative technology, deploying smart solutions in the monitoring of data that will provide a stratified vision of the traffic, is now allowing your Company to follow the most important aspects of your network, in real time.