3DXChat Community

Understanding what a DDOS attack is, and understanding mitigation, isn't always easy



What is DDoS mitigation?

DDoS mitigation refers to the process of successfully protecting a targeted server or network from a distributed denial-of-service (DDoS) attack. By utilizing specially designed network equipment or a cloud-based protection service, a targeted victim is able to mitigate the incoming threat.

DDoS Mitigation Stages

There are 4 stages of mitigating a DDoS attack using a cloud-based provider:

  1. Detection - in order to stop a distributed attack, a website needs to be able to distinguish an attack from a high volume of normal traffic. If a product release or other announcement has a website swamped with legitimate new visitors, the last thing the site wants to do is throttle them or otherwise stop them from viewing the content of the website. IP reputation, common attack patterns, and previous data assist in proper detection.
  2. Response - in this step, the DDoS protection network responds to an incoming identified threat by intelligently dropping malicious bot traffic, and absorbing the rest of the traffic. Using WAF page rules for application layer (L7) attacks, or another filtration process to handle lower level (L3/L4) attacks such as memcached or NTP amplification, a network is able to mitigate the attempt at disruption.
  3. Routing - By intelligently routing traffic, an effective DDoS mitigation solution will break the remaining traffic into manageable chunks preventing denial-of-service.
  4. Adaptation - A good network analyzes traffic for patterns such as repeating offending IP blocks, particular attacks coming from certain countries, or particular protocols being used improperly. By adapting to attack patterns, a protection service can harden itself against future attacks.

There are 16 other types of DDOS attacks, so hang in there guys, they are doing the best they can. 

Edited by GoddessOfTheDawn
Link to comment
Share on other sites
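The "Detection" stage above says the hard part is telling a flood apart from a crowd of legitimate visitors, using request patterns rather than raw volume. The following is an added example written for this thread (not part of the post above, and not Cloudflare's or 3DXChat's code) that runs two such checks over a constructed web-server access log: a per-source sliding-window rate, and a diversity profile (distinct IPs, share of the most common user agent and path) of whatever traffic remains. The log lines, IP ranges and thresholds are invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.
# 203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.25"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def peak_rate_per_ip(records, window_seconds=10):
    """Largest number of requests each source IP made inside any sliding window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    win = timedelta(seconds=window_seconds)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= win:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flag_sources(records, window_seconds=10, max_requests=30):
    """Source IPs whose burst rate exceeds what a human-driven browser would produce."""
    peaks = peak_rate_per_ip(records, window_seconds)
    return sorted(ip for ip, n in peaks.items() if n > max_requests)


def traffic_profile(records):
    """Diversity metrics: a flash crowd spreads over many IPs, browsers and pages,
    while an HTTP flood tends to concentrate on one user agent and one URL."""
    total = len(records)
    ua = Counter(r["ua"] for r in records)
    path = Counter(r["path"] for r in records)
    return {
        "requests": total,
        "distinct_ips": len({r["ip"] for r in records}),
        "top_ua_share": ua.most_common(1)[0][1] / total,
        "top_path_share": path.most_common(1)[0][1] / total,
    }


# ---- constructed sample traffic (assumption: documentation IP ranges, fake UAs) ----
BASE = datetime(2021, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
BOT_UA = "python-requests/2.25"
BROWSER_UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (X11; Linux)"]
PATHS = ["/", "/news", "/login", "/about"]


def _line(ip, seconds, path, ua):
    ts = (BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLE_LOG = "\n".join(
    # one scripted source: 40 hits on /login within 5 seconds, a single user agent
    [_line("203.0.113.7", i // 8, "/login", BOT_UA) for i in range(40)]
    # ten ordinary visitors: two requests each, varied pages and browsers
    + [_line(f"198.51.100.{1 + i % 10}", i // 2, PATHS[i % 4], BROWSER_UAS[i % 3]) for i in range(20)]
)

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    flagged = flag_sources(records)
    rest = [r for r in records if r["ip"] not in flagged]
    print("flagged sources:", flagged)
    print("profile of remaining traffic:", traffic_profile(rest))
```

The two checks complement each other: the rate check catches a few noisy sources, and the diversity profile of what remains is what tells you whether the rest is a product-launch crowd (many IPs, mixed user agents and pages) or a distributed flood that has spread one scripted request across many addresses.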

12 minutes ago, GoddessOfTheDawn said:

What is DDoS mitigation?

DDoS mitigation refers to the process of successfully protecting a targeted server or network from a distributed denial-of-service (DDoS) attack. By utilizing specially designed network equipment or a cloud-based protection service, a targeted victim is able to mitigate the incoming threat.

DDoS Mitigation Stages

There are 4 stages of mitigating a DDoS attack using a cloud-based provider:

  1. Detection - in order to stop a distributed attack, a website needs to be able to distinguish an attack from a high volume of normal traffic. If a product release or other announcement has a website swamped with legitimate new visitors, the last thing the site wants to do is throttle them or otherwise stop them from viewing the content of the website. IP reputation, common attack patterns, and previous data assist in proper detection.
  2. Response - in this step, the DDoS protection network responds to an incoming identified threat by intelligently dropping malicious bot traffic, and absorbing the rest of the traffic. Using WAF page rules for application layer (L7) attacks, or another filtration process to handle lower level (L3/L4) attacks such as memcached or NTP amplification, a network is able to mitigate the attempt at disruption.
  3. Routing - By intelligently routing traffic, an effective DDoS mitigation solution will break the remaining traffic into manageable chunks preventing denial-of-service.
  4. Adaptation - A good network analyzes traffic for patterns such as repeating offending IP blocks, particular attacks coming from certain countries, or particular protocols being used improperly. By adapting to attack patterns, a protection service can harden itself against future attacks.

There are 16 other types of DDOS attacks, so hang in there guys, they are doing the best they can. 

awesome article :)

Link to comment
Share on other sites

Oh yea there are many solutions to a DDOS attack but first they need to locate where the attack is coming from and depending on what type of attack it is then they could terminate the attacker and secure the system again. But it's taking a few days cuz I'm pretty sure they are doing a process of elimination to be able to identify the type the ddos attacker is. Which is why they are doing the testing. 

Link to comment
Share on other sites

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up the highway, preventing regular traffic from arriving at its desired destination.

How does a DDoS attack work?

A DDoS attack requires an attacker to gain control of a network of online machines in order to carry out an attack. Computers and other machines (such as IoT devices) are infected with malware, turning each one into a bot (or zombie). The attacker then has remote control over the group of bots, which is called a botnet.

Once a botnet has been established, the attacker is able to direct the machines by sending updated instructions to each bot via a method of remote control. When the IP address of a victim is targeted by the botnet, each bot will respond by sending requests to the target, potentially causing the targeted server or network to overflow capacity, resulting in a denial-of-service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.

What are common types of DDoS attacks?

Different DDoS attack vectors target varying components of a network connection. In order to understand how different DDoS attacks work, it is necessary to know how a network connection is made. A network connection on the Internet is composed of many different components or “layers”. Like building a house from the ground up, each step in the model has a different purpose. The OSI model, shown below, is a conceptual framework used to describe network connectivity in 7 distinct layers.

The OSI Model

While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories. An attacker may make use of one or multiple different attack vectors, or cycle attack vectors, potentially based on countermeasures taken by the target.

Link to comment
Share on other sites

Application Layer Attacks

The Goal of the Attack:

Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the resources of the target. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap to execute on the client side, and can be expensive for the target server to respond to, as the server often must load multiple files and run database queries in order to create a web page. Layer 7 attacks are difficult to defend against, as the traffic can be difficult to flag as malicious.

Application Layer Attack Example:

HTTP Flood

This attack is similar to pressing refresh in a web browser over and over on many different computers at once – large numbers of HTTP requests flood the server, resulting in denial-of-service.

This type of attack ranges from simple to complex. Simpler implementations may access one URL with the same range of attacking IP addresses, referrers and user agents. Complex versions may use a large number of attacking IP addresses, and target random URLs using random referrers and user agents.

Protocol Attacks

The Goal of the Attack:

Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by consuming all the available state table capacity of web application servers or intermediate resources like firewalls and load balancers. Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.

Protocol Attack Example:

SYN Flood

A SYN Flood is analogous to a worker in a supply room receiving requests from the front of the store. The worker receives a request, goes and gets the package, and waits for confirmation before bringing the package out front. The worker then gets many more package requests without confirmation until they can’t carry any more packages, become overwhelmed, and requests start going unanswered.

This attack exploits the TCP handshake by sending a target a large number of TCP “Initial Connection Request” SYN packets with spoofed source IP addresses. The target machine responds to each connection request and then waits for the final step in the handshake, which never occurs, exhausting the target’s resources in the process.

Volumetric Attacks

The Goal of the Attack:

This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.

Amplification Example:

NTP Amplification Attack

Honestly the list can go on and on for the specific types of attacks, but to answer your question LeeLoo, that's a strong possibility. And if that's the case, the attacker can continue attacking and overloading the system. Which is why it takes time to be able to find out what type of attack it is, and once they know that they then have to track down the source, but doing this takes a lot of time. Yet the 3dxchat team is making remarkable progress to get the game up n running. They really are doing the best they can. AND REMEMBER: Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.

Link to comment
Share on other sites
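The SYN flood description above is about state: the server keeps a half-open entry for every SYN it answers, and spoofed sources never send the final ACK, so the table fills and real clients are turned away. The usual fix is SYN cookies, where the server keeps no entry at all and instead encodes a keyed hash of the connection 4-tuple and a coarse timestamp into the sequence number it sends back; a client that returns that number plus one in its ACK has proven it is reachable. The following is an added example written for this thread (not from the post above, not Cloudflare's or 3DXChat's code) that models both listeners in Python and runs the same constructed scenario against each: a burst of spoofed SYNs that are never acknowledged, followed by one genuine client. The cookie layout (8-bit minute counter, 24-bit HMAC) is a simplification of the real scheme and the addresses, ports and backlog size are invented.

```python
import hashlib
import hmac
import os

# Assumption: a per-server secret; real TCP stacks rotate it periodically.
SECRET = os.urandom(16)


class StatefulListener:
    """Classic listener: every SYN allocates a half-open entry that stays until
    the handshake's third packet (ACK) arrives or the entry times out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> ISN we sent in the SYN-ACK
        self.next_isn = 1000

    def on_syn(self, src_ip, src_port, now=0):
        if len(self.half_open) >= self.backlog:
            return None          # backlog full: the SYN is dropped, client sees no SYN-ACK
        self.next_isn += 1
        self.half_open[(src_ip, src_port)] = self.next_isn
        return self.next_isn

    def on_ack(self, src_ip, src_port, ack_num, now=0):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack_num != isn + 1:
            return False
        del self.half_open[(src_ip, src_port)]
        return True              # connection established, entry released


class SynCookieListener:
    """Stateless listener: the ISN is an HMAC over the 4-tuple and a minute counter,
    so nothing is stored until a valid ACK proves the client really exists."""

    def __init__(self, server_ip="192.0.2.10", server_port=443):
        self.server_ip, self.server_port = server_ip, server_port

    def _mac(self, src_ip, src_port, counter):
        msg = f"{src_ip}:{src_port}>{self.server_ip}:{self.server_port}@{counter}".encode()
        digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")        # 24-bit tag

    def on_syn(self, src_ip, src_port, now=0):
        counter = (now // 60) & 0xFF                     # 8-bit minute counter
        return (counter << 24) | self._mac(src_ip, src_port, counter)

    def on_ack(self, src_ip, src_port, ack_num, now=0):
        isn = (ack_num - 1) & 0xFFFFFFFF
        counter, tag = isn >> 24, isn & 0xFFFFFF
        age = (((now // 60) & 0xFF) - counter) & 0xFF
        if age > 1:                                      # cookie older than ~2 minutes
            return False
        expected = self._mac(src_ip, src_port, counter)
        return hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big"))


def simulate_flood(listener, spoofed_syns, now=0):
    """Constructed scenario: `spoofed_syns` SYNs from forged sources that never
    complete the handshake, then one genuine client. Returns True if the
    genuine client gets connected."""
    for i in range(spoofed_syns):
        listener.on_syn(f"198.51.100.{i % 250 + 1}", 40000 + i, now)   # never ACKed
    client = ("203.0.113.5", 51515)
    isn = listener.on_syn(*client, now)
    if isn is None:
        return False
    return listener.on_ack(*client, isn + 1, now + 1)


if __name__ == "__main__":
    print("stateful, 100 spoofed SYNs, backlog 64:", simulate_flood(StatefulListener(64), 100))
    print("SYN cookies, 1000 spoofed SYNs:", simulate_flood(SynCookieListener(), 1000))
```

Note the trade-off the model makes visible: the cookie listener never drops a genuine client however many spoofed SYNs arrive, but it also cannot remember options from the SYN, which is why real stacks only switch to cookies once the backlog is under pressure.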

Well it's a good thing I didn't claim that the information came from me now isn't it?  I simply copied and pasted cuz they explain it very clear and wonderfully simple. I apologize for your misinterpretation. I don't recall saying that they were my words but that's negligible because a perfectly reliable source was being copied and posted to help others understand exactly what it means. Even though that's precisely why that information is accessible to the public anyways. But next time I'll make sure to cite my sources so know-it-alls don't feel the need to comment on such ridiculous posts. I didn't post it for smarta**es I posted it for other people who may be curious, confused or interested in what it is. No matter how I explain it I'd still be referring to a website or a textbook.

SOURCES:

What does know it all mean?

Definition of know-it-all : one who claims to know everything also : one who disdains advice informal + disapproving : a person who talks and behaves like someone who knows everything : a person who always claims to know everything
www.merriam-webster.com/dictionary/know-it-all
Edited by GoddessOfTheDawn
Link to comment
Share on other sites

But that is a spectacular suggestion, I completely agree that if they liked to find out more about this information they can go to that website that leopardnuts so thoughtfully posted. It's a great site, it breaks everything down simply and there's a lot of illustrations they've created to make it more interesting, it's well put and yes that is where the information above came from, just in case it's mistaken that the information had come from myself.

Link to comment
Share on other sites

Lol. Thank you. 🙂 I thought it was extremely well put and thought I should share it with others who may be interested. You're so welcome. And the wise guys don't bother me at all. I should have cited the source but I didn't think someone would think too much on it to where they'd copy and paste into google. So it actually was my mistake but it's now water under the bridge. 😎

Have a great day to everyone. I hope everyone stays healthy and covid free.

 

Link to comment
Share on other sites

Wow, such a nasty response! 

I totally agree the material is very well written and informative, but my point was to address the legal risk that you exposed yourself and this website to, by making it clear that the information you posted was Cloudbase's copyrighted work.  Cloudbase clearly care about this by virtue of stating their copyright ownership of the works on their website.

By not acknowledging the work as theirs they could easily claim that your intention was to pretend it was yours, even if that wasn't your intent.  You didn't need to explicitly claim the work as yours to create the risk.  By not saying it wasn't your work, you created the risk.

Edited by Leopardus
Link to comment
Share on other sites

We are less than 2000 subscribers I think. Could we record the IP of users and exclude others? (Example: I am on vacation and I want to connect ... I could not because the IP address is not the same ... so a reply by email to confirm that it is you, and the new IP address is saved.) Would that help?

Link to comment
Share on other sites

That's IP Spoofing, and I've used cloudflare for a while now and Christy girl, it's better I show u their explanation because they explain it far better than I ever can. Hopefully it answers your question, if not, feel free to message me so we can get you your answer. :)

IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both. It is a technique often used by bad actors to invoke DDoS attacks against a target device or the surrounding infrastructure.

Sending and receiving IP packets is a primary way in which networked computers and other devices communicate, and constitutes the basis of the modern internet. All IP packets contain a header which precedes the body of the packet and contains important routing information, including the source address. In a normal packet, the source IP address is the address of the sender of the packet. If the packet has been spoofed, the source address will be forged.

IP Spoofing DDoS Attack

IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address listed. If the person receiving the package wants to stop the sender from sending packages, blocking all packages from the bogus address will do little good, as the return address is easily changed. Relatedly, if the receiver wants to respond to the return address, their response package will go somewhere other than to the real sender. The ability to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks.

DDoS attacks will often utilize spoofing with a goal of overwhelming a target with traffic while masking the identity of the malicious source, preventing mitigation efforts. If the source IP address is falsified and continuously randomized, blocking malicious requests becomes difficult. IP spoofing also makes it tough for law enforcement and cyber security teams to track down the perpetrator of the attack.

Spoofing is also used to masquerade as another device so that responses are sent to that targeted device instead. Volumetric attacks such as NTP Amplification and DNS amplification make use of this vulnerability. The ability to modify the source IP is inherent to the design of TCP/IP, making it an ongoing security concern.

Tangential to DDoS attacks, spoofing can also be done with the aim of masquerading as another device in order to sidestep authentication and gain access to or “hijack” a user’s session.

How to protect against IP spoofing (packet filtering)

While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating a network. A very common defense against spoofing is ingress filtering, outlined in BCP38 (a Best Common Practice document). Ingress filtering is a form of packet filtering usually implemented on a network edge device which examines incoming IP packets and looks at their source headers. If the source headers on those packets don’t match their origin or they otherwise look fishy, the packets are rejected. Some networks will also implement egress filtering, which looks at IP packets exiting the network, ensuring that those packets have legitimate source headers to prevent someone within the network from launching an outbound malicious attack using IP spoofing.

 

Link to comment
Share on other sites
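The last paragraph of the pasted text describes the two filters from BCP38: ingress filtering, which drops packets whose source address could not legitimately have arrived on the interface they came in on, and egress filtering, which stops packets with foreign source addresses from leaving your own network. It also answers the IP-allowlist question a few posts up, since a per-user IP check at the application is exactly what a spoofed source gets around, while the edge filter below works on where a packet arrives rather than on what it claims. The following is an added example for this thread (not from the post, not Cloudflare's or 3DXChat's code) that implements both checks as plain functions and runs them over constructed packets. The router topology, the interface-to-prefix assignments and the use of RFC 5737 documentation ranges as stand-ins for public address space are all assumptions made for the example.

```python
import ipaddress

# Constructed edge router (assumption): two customer ports with assigned prefixes
# and one upstream port facing the rest of the Internet.
INTERFACES = {
    "customer-A": {"internal": True,  "prefixes": ["192.0.2.0/24"]},
    "customer-B": {"internal": True,  "prefixes": ["198.51.100.0/25"]},
    "upstream":   {"internal": False, "prefixes": []},
}
OUR_PREFIXES = [p for cfg in INTERFACES.values() for p in cfg["prefixes"]]

# Source ranges that must never show up on the public Internet (RFC 1918,
# loopback, link-local, "this network", multicast, reserved).
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


_BOGON_NETS = _nets(BOGONS)
_OUR_NETS = _nets(OUR_PREFIXES)
_IFACE_NETS = {name: _nets(cfg["prefixes"]) for name, cfg in INTERFACES.items()}


def _in(ip, nets):
    return any(ip in n for n in nets)


def ingress_filter(iface, src):
    """BCP38 check for a packet arriving on `iface` with source address `src`.
    Returns (accept, reason)."""
    ip = ipaddress.ip_address(src)
    cfg = INTERFACES[iface]
    if _in(ip, _BOGON_NETS):
        return False, "bogon source address"
    if cfg["internal"]:
        # Customer port: the source must belong to the prefix assigned to that port.
        if not _in(ip, _IFACE_NETS[iface]):
            return False, f"source not in prefixes assigned to {iface}"
        return True, "source matches assigned prefix"
    # Upstream port: our own addresses cannot legitimately arrive from outside.
    if _in(ip, _OUR_NETS):
        return False, "our own prefix arriving from upstream (spoofed)"
    return True, "external source on external interface"


def egress_filter(src):
    """Check for a packet leaving towards upstream: the source must be ours."""
    ip = ipaddress.ip_address(src)
    if _in(ip, _OUR_NETS):
        return True, "source belongs to our prefixes"
    return False, "outbound packet with foreign source (spoofed)"


# Constructed packets: (arriving interface, source, destination)
PACKETS = [
    ("customer-A", "192.0.2.77",   "203.0.113.9"),   # genuine customer traffic
    ("customer-A", "203.0.113.9",  "192.0.2.1"),     # customer host forging a foreign source
    ("customer-B", "192.0.2.77",   "203.0.113.9"),   # customer-A address on customer-B's port
    ("upstream",   "203.0.113.9",  "192.0.2.77"),    # ordinary inbound Internet traffic
    ("upstream",   "192.0.2.5",    "192.0.2.77"),    # our own prefix coming from outside
    ("upstream",   "10.1.2.3",     "192.0.2.77"),    # bogon source
]


def filter_packets(packets):
    """Apply the ingress filter to each packet; returns list of (iface, src, accept, reason)."""
    return [(iface, src, *ingress_filter(iface, src)) for iface, src, _dst in packets]


if __name__ == "__main__":
    for iface, src, ok, why in filter_packets(PACKETS):
        print(f"{'ACCEPT' if ok else 'DROP  '} {iface:<10} src={src:<14} {why}")
```

The reason strings show why the pasted text says spoofing "can't be prevented" only at the victim: each network can only vouch for addresses on its own ports, so the forged packets are dropped at the network that originates them (egress, or ingress on a customer port), not at the target that receives them.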

I thought that for the longest time too.  Then I enrolled in software development and learned how they sound similar-ish but they are different in purpose.  lol damn I suck at explaining things to ppl but I'll show u the similarities and differences, just u k leeloo.

Link to comment
Share on other sites
