What is DoS and DDoS attack?
15 minute(s) read
Published on: Nov 25, 2021
Updated on: Mar 24, 2022
What are a DOS and DDOS?
It is worth noting that each of the DDOS and DOS
is one of the most dangerous and newest attacks that can happen on the Internet and can cause a lot of damage to people. DDoS also stands for Distributed Denial of Service. The purpose and motive are not to disable the system and the site altogether and destroy it. Instead, the purpose and explanation of this are to prevent the design and the site from providing services to the user for a while. In other words, the damage that Distributed Denial of Service attacks will do is not to eradicate your system but to shut down your site and design for a while until you can reach out to users. Provide services yourself. This affects the server and network of the site and plans to prevent them from providing services to users and make the site unable to provide some assistance to its users. It is worth noting that this type of destruction and damage is for a while, and this problem can be solved after a while. But it is essential that these attacks can cause the inability of the site to provide services in a compassionate time. Become a site, and another site cannot respond to the requests of its users and serve them. The site is occupied by data packets sent by attackers so that the site cannot fulfill the demands and services of its users. As the number of attackers' demands and the data packets sent increases, the place closes and becomes inaccessible.
As mentioned above, this type of support damages the site's inability to respond to user requests and generally does not cause the site to crash. It is better not to worry in these situations because doing some tricks can reduce requests and data packets sent, which will lead to site liberalization.
What is a dos attack?
In this type, the information packets are sent directly from the hacker system or the attacking system to the victim system.
What methods are used in them?
Some of the methods used in different DDos and DOS attacks are as follows.
- ICMP flood
- SYN flood
- Teardrop attacks
- Low-rate Denial-of-Service attacks
- Asymmetry of resource utilization in starvation
- Permanent denial-of-service
- Application-level floods
- Reflected / Spoofed
- Unintentional denial of service
- Denial-of-Service Level II
This type of method, used in DDos, and DOS, send pings to the victim system, causing the victim system to fail or weaken, refusing to respond and provide services to users and customers. By sending a large volume and more ICMP requests in a network, it responds to all the site hosts and network. This is called easier to understand. Suppose that sending ICMP requests causes it to request all the hosts on the site. Assuming that all the hosts are responding to a duplicate submission, the rejection may be that as the volume of requests and network traffic increases, the site will become inaccessible and not provide some services to its users. As the number of requests increases, a large volume of responses is routed to the access point within the network, which also causes the switch to fail. To prevent this type of attack from occurring and the site from becoming inaccessible, it is better to disable all ping requests sent to the site so that a large volume of submissions can not cause the site to become unavailable.
It should be noted that the Teardrop attack can be sent via mangled Ip with overlap and cause a high load for the victim system network card. This is a weakness because there are bugs in the network layer and TCP / IP. However, some operating systems with versions 3.1, 95, NT, and Linux 2.0.332 and 2.1.63 can resist this type of attack and prevent such events from occurring. To avoid this type and with these methods, it is better to update the operating system and our entire system to avoid this type.
It should be noted that one of the oldest methods of Dos is the Nuke method. This method also sends many Ping requests that are mistaken to the victim system until they finally shut down the network. Another popular software designed and developed for this type is WinNuke. After creating this type of software ( in Czech: développement de logiciels de sécurité ), this method of Dos can be done quickly. It is possible to know that this program can take advantage of the Netbios vulnerability in Windows 95 to attack.
In this way, sending a string of information to port 139 will display a blue screen in this version of the operating system. R-U-Dead-Yet This type of attack method can also be attacked using sessions requested by web applications. Slowloris is also a program that can keep most of the sessions related to the web server open. RUDY can also cause this webserver to crash by exploiting requests sent to high-volume headers.
To stop this type and prevent this type, we must use a system of agents with updated versions. Because some vulnerabilities and vulnerabilities that exist in operating systems are eliminated in the updated versions, and other hackers and attackers cannot use these points to attack and attack. In addition to updating operating systems is better than some Firewalls such as ISA Server, TMG, and SQUID. I also use some modules like IIS to block the IPs and domains that manage and direct these types of attacks.
What is a syn flood attack? It should be noted that an SYN attack is a type of attack that aims to affect the Hand-Shake process of the TCP protocol and focuses more on this type of process and protocol. In this type, a three-step process, the TCP connection, is half-abandoned by the attacker, which causes the server to wait for the other steps to be performed. If the number or type of requests increases, the server will no longer communicate with the new requests, and then it can easily be out of reach.
What are the differences between them?
It is worth noting that both attacks cause the victim system to fail and the inability to provide services, but the difference between the two types of attacks is in their sources. In the DOS method, the attacker executes the program required to cause the sabotage from one system. Still, the attacker uses several techniques to generate the sabotage in the DDOS method. So, we know that the purpose of these two types of attacks is to disable the victim system from providing services so that the victim system cannot provide services to its user. But in the DDOS method, the attacker uses many techniques to do this. How are Dos attacks classified?
1-Is that at the level of network equipment:
Dos attack type Dos attacks use some of the weaknesses and vulnerabilities in the software of hardware operating systems to cause equipment crashes or cause some hardware problems. For example, we can say that in the old series of routers from Cisco Bug companies, there was a Buffer over follow, which when clicked on it to enter the password, in the part where they had to enter the long password, the operating system crashed and caused There was a service disruption.
2- Is that at the level of the operating system:
In this type of attack, some operating system protocols were used to cause the operating system to fail. For example, for this type of Dos attack, we can say that ping of death attacks is of this type of attacks, which also used the ICMP protocol of the operating system to send many packets and large requests from average to some large victim systems. These attacks usually cause the victim system to crash, which eventually causes the system to crash.
3- Based on applications:
In this type of attack, the attacker and attacker try to process and focus on different apps on the network. This type of attack works because the attacker attempts to focus on the apps on the system to force a weakness and a bug through which he can cause the app to use all the resources of the system and the server. The result is crashing and crashes, inability to serve, and being out of reach of the system. One type of this attack is the finger bomb, in which the user creates a malicious routine that is endless.
4- Dose it through a large amount of data:
In this type, the attacker also attacks, and the attacker tries to send a large amount of data to the victim system. These types of data packets are meaningless but straightforward, the large number of them causing the victim system to fail and no longer be able to provide services. In this type, the attacker and attacker try to target the entire bandwidth of the victim and use it to process data and requests that process all the essential and meaningless data sent to the victim system. An example of this type of attack is Flood pinging, which can also be performed in various DDoS attacks. Firewalls can also be used to prevent this type of attack.
What are the features of protocols in DDos and dos?
In this type, attackers and attackers try to take advantage of some protocol features to make the victim system unavailable.
One of these attacks is the DNS cache itself or some malicious clock that sends to the victim system. Half of the victim server sends query-related responses to the attacker, half the server caches incorrect information.
If DoS attacks are carried out from multiple systems, packets are sent from various systems, which is called a DoS attack in which various IPs are involved. What is the structure of DDoS attacks?
1- The actual attacker in attacks:
which is the malicious user who sends DDoS packets to the victim system.
2- Handlers or actual handlers in it:
It is worth mentioning that it is a system through which the malicious user can send malicious DDoS packages. Of course, some software is also installed on these strategies that can manage agents.
3- Agents or Zombies:
These are also unique systems on which some special programs are installed, and these types of programs and procedures can be responsible for sending and managing DDoS packages. Of course, these systems can also be used to prevent attackers from being traced outside the network. Steps to prepare for DDoS attacks
1- Selecting agents for it:
In this step, the attacker must select the agents that can perform the attacks. Of course, it should be noted that these machines must have some vulnerabilities before the attacker can control and manage them. In addition to vulnerabilities to exploit them, they must contain many resources to produce some stronger attack currents.
It is worth mentioning that attackers use security holes and vulnerabilities of operating machines to use the attack code. In addition, they try to protect the code so that no one can detect it and change or disable it. Owners of such systems and operating machines are unaware that their systems have created this type of attacker, also part of the DDoS attack.
3- Communication in it:
The attacker and the attacker communicate with the processors until they can identify which of the above factors were running. After scheduling an attack time or upgrading some agents, agents can also communicate with attackers depending on how the attacker configures the network. Communication between attackers and drivers and drivers and operating systems can be done through TCP, UDP, or ICMP protocols.
4- Start it:
At this stage, the attacker gives the command to start until they start the attack.
What tools are used in different types of these attacks?
It is worth noting that TRINOO is the first tool that can be used in DDoS attacks. TRINOO is also a market that can be used to drain bandwidth, and it can be used to send large amounts of data and packets via UDP traffic to one or more IPs. Most Trino agents are installed on a buggy system. Handlers also use UDP or TCP to communicate with agents.
This tool was written in 1999, and like TRINOO is a tool that can be used to drain bandwidth. The device also uses a command-line interface to communicate between the attacker and the main control program. Still, it does not provide encryption between Agents and Handlers or Handlers and Attackers.
It is a German word that means barbed wire. It is based on early versions of TFN and tries to eliminate some weaknesses. Stacheldraht can integrate Trinoo features, agents and drivers, with some TFN features. In addition, Stacheldraht can automatically perform some updates on agents, meaning that an attacker can build this ability. Install files on any unknown server, and when an agent is turned on and connected to the Internet, the agent can also be automatically updated.
What can we do to prevent this?
- Software and hardware reconfiguration:
Routers can be configured to prevent some simple ping attacks by filtering out some unnecessary protocols to stop some invalid IP addresses. Intrusion detection systems can also provide capabilities to detect the use of proper protocols. These methods can be used in conjunction with firewalls to block traffic in emergencies automatically.
- Consult some experts:
Some companies specialize in this type eand can deal with this type to increase and secure systems. It is possible to cooperate with this type of specialized company so that the system is not out of reach while providing users and services can be delivered to them. Even in such attacks, their damage can be prevented if the amount of damage is not high.
One of these services offer online is CloudFlare, which can also provide some free services to counteract the attacks. Apply on your site.
- To prevent such attacks from occurring, you should always plan:
To get started, contact the Internet server of the site server, and review some protocols that can be done in such situations.
Prepare and allow access to some lists of IP addresses and protocols that you can use during attacks.
If the probability and risks of attacks in your company are very high, it is better to prepare some specialized software and hardware and use them.
Identify items and resources that may be targeted by attackers and attackers and restrict access to them so that they have less access to such resources. Or you can even address their weaknesses and vulnerabilities.
How can we deal with it on Linux?
You can use the commands below to get a list of IP addresses connected to the server and the number of their connections in Linux systems.
Be sure to enter the CSF configuration and delete PORT 80 from the TCP_IN and TCP_OUT lists. By doing this, you can block port 80 for your server.
After closing port 80, you must enter ConfigServer Firewall and make the following changes.
Modify the CSF.conf file as follows:
Your server will then be protected from DOS and DOS attacks.Website SEO analysis services