
Denial-of-service attack: Difference between revisions

review: add sources, socialkeith copied from Digg
(12 intermediate revisions by 10 users not shown)
Line 3:
{{More citations needed|date=February 2024}}
{{Use dmy dates|date=May 2024}}
 
[[File:Stachledraht DDos Attack.svg|thumb|Diagram of a DDoS attack. Note how multiple computers are attacking a single computer.]]
 
Line 13 ⟶ 14:
[[Panix (ISP)|Panix]], the third-oldest [[Internet service provider|ISP]] in the world, was the target of what is thought to be the first DoS attack. On September 6, 1996, Panix was subject to a [[SYN flood]] attack, which brought down its services for several days while hardware vendors, notably [[Cisco]], figured out a proper defense.<ref>{{Cite web|url=https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-30/dos-attacks.html|title=Distributed Denial of Service Attacks - The Internet Protocol Journal - Volume 7, Number 4|website=Cisco|language=en|access-date=2019-08-26|archive-url=https://web.archive.org/web/20190826143507/https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-30/dos-attacks.html|archive-date=2019-08-26}}</ref> Another early demonstration of the DoS attack was made by Khan C. Smith in 1997 during a [[DEF CON]] event, disrupting Internet access to the [[Las Vegas Strip]] for over an hour. The release of sample code during the event led to the online attack of [[Sprint Corporation|Sprint]], [[EarthLink]], [[E-Trade]] and other major corporations in the year to follow.<ref>{{cite web|last1=Smith|first1=Steve|title=5 Famous Botnets that held the internet hostage|url=https://tqaweekly.com/episodes/season5/tqa-se5ep11.php|publisher=tqaweekly|access-date=November 20, 2014}}</ref> The largest DDoS attack to date happened in September 2017, when [[Google Cloud Platform|Google Cloud]] experienced an attack with a peak volume of {{val|2.54|u=Tb/s}}, revealed by Google on October 17, 2020.<ref>{{Cite web |last=Cimpanu |first=Catalin |title=Google says it mitigated a 2.54 Tbps DDoS attack in 2017, largest known to date |url=https://www.zdnet.com/article/google-says-it-mitigated-a-2-54-tbps-ddos-attack-in-2017-largest-known-to-date/ |access-date=2021-09-16 |website=ZDNet |language=en}}</ref> The record holder was thought to be an attack executed by an unnamed customer of the 
US-based service provider [[Arbor Networks]], reaching a peak of about {{val|1.7|u=Tb/s}}.<ref>{{cite web|url=https://arstechnica.com/information-technology/2018/03/us-service-provider-survives-the-biggest-recorded-ddos-in-history/|title=US service provider survives the biggest recorded DDoS in history|first=Dan|last=Goodin|date=5 March 2018|website=Ars Technica|access-date=6 March 2018}}</ref>
 
In February 2020, [[Amazon Web Services]] experienced an attack with a peak volume of {{val|2.3|u=Tb/s}}.<ref>{{Cite news|date=Jun 18, 2020|title=Amazon 'thwarts largest ever DDoS cyber-attack'|work=BBC News|url=https://www.bbc.com/news/technology-53093611|access-date=Nov 11, 2020}}</ref> In July 2021, CDN provider [[Cloudflare]] boasted of protecting its client from a DDoS attack from a global [[Mirai botnet]] that reached up to 17.2 million requests per second.<ref>{{Cite web |date=2021-08-23 |title=Cloudflare Mitigated Record-Setting 17.2 Million RPS DDoS Attack |url=https://www.securityweek.com/cloudflare-mitigated-record-setting-172-million-rps-ddos-attack/ |website=SecurityWeek}}</ref> Russian DDoS prevention provider [[Yandex]] said it blocked an HTTP pipelining DDoS attack on 5 September 2021 that originated from unpatched Mikrotik networking gear.<ref>{{Cite web|title=Yandex Pummeled by Potent Meris DDoS Botnet|url=https://threatpost.com/yandex-meris-botnet/169368/|access-date=2021-12-23|website=threatpost.com|date=10 September 2021 |language=en}}</ref> In the first half of 2022, the [[Russian invasion of Ukraine (2022)|war in Ukraine]] significantly shaped the cyberthreat landscape, with an increase in cyberattacks attributed to both state-sponsored actors and global hacktivist activities. The most notable event was a DDoS attack in February, the largest Ukraine has encountered, disrupting government and financial sector services. This wave of cyber aggression extended to Western allies such as the UK, the US, and Germany. 
Particularly, the UK's financial sector saw an increase in DDoS attacks from [[Nation state|nation-state]] actors and hacktivists, aimed at undermining Ukraine's allies.<ref name=":2">{{Cite web |last=Team |first=Azure Network Security |date=2023-02-21 |title=2022 in review: DDoS attack trends and insights |url=https://www.microsoft.com/en-us/security/blog/2023/02/21/2022-in-review-ddos-attack-trends-and-insights/ |access-date=2024-04-07 |website=Microsoft Security Blog |language=en-US}}</ref>
 
In February 2023, Cloudflare faced a 71 million requests per second attack, which Cloudflare claims was the largest HTTP DDoS attack at the time.<ref>{{Cite web|title=Cloudflare mitigates record-breaking 71 million request-per-second DDoS attack|url=
https://blog.cloudflare.com/cloudflare-mitigates-record-breaking-71-million-request-per-second-ddos-attack/|access-date=2024-01-13|website=The Cloudflare Blog|date=13 February 2023|language=en}}</ref> HTTP DDoS attacks are measured by HTTP requests per second instead of packets per second or bits per second. On July 10, 2023, the fanfiction platform [[Archive of Our Own]] (AO3) faced DDoS attacks, disrupting services. [[Anonymous Sudan]], claiming the attack for religious and political reasons, was viewed skeptically by AO3 and experts. Flashpoint, a threat intelligence vendor, noted the group's past activities but doubted their stated motives. AO3, supported by the non-profit [[Organization for Transformative Works]] (OTW) and reliant on donations, is unlikely to meet the $30,000 [[Bitcoin]] ransom.<ref>{{Cite web |last=Weatherbed |first=Jess |date=2023-07-11 |title=AO3 fanfiction site forced offline by wave of DDoS attacks |url=https://www.theverge.com/2023/7/11/23790860/ao3-fanfiction-archive-down-outage-ddos-attacks |access-date=2024-04-09 |website=The Verge |language=en}}</ref><ref>{{cite web |date=10 July 2023 |title=Archive of Our Own is down due to a DDoS attack |url=https://www.polygon.com/23790167/ao3-down-ddos-attack-archive-of-our-own |website=Polygon}}</ref> In August 2023, the group of hacktivists [[Noname057(16)|NoName057]] targeted several Italian financial institutions, through the execution of [[slow DoS attack]]s.<ref>{{cite web|url=https://www.redhotcyber.com/post/settimo-giorno-di-attacchi-informatici-allitalia-noname05716-torna-alle-banche-e-alle-telecomunicazioni/ |title=Settimo giorno di attacchi informatici all'Italia. NoName057(16) torna alle Banche e alle Telecomunicazioni |date=6 August 2023 }}</ref> On 14 January 2024, they executed a DDoS attack on Swiss federal websites, prompted by [[President Zelensky]]'s attendance at the [[Davos World Economic Forum]]. 
Switzerland's National Cyber Security Centre quickly mitigated the attack, ensuring core federal services remained secure, despite temporary accessibility issues on some websites.<ref>{{Cite web |last=swissinfo.ch |first=S. W. I. |date=2024-01-17 |title=Switzerland hit by cyberattack after Ukraine president's visit |url=https://www.swissinfo.ch/eng/politics/switzerland-hit-by-cyberattack-after-ukraine-president-s-visit/49136116 |access-date=2024-04-08 |website=SWI swissinfo.ch |language=en-GB}}</ref> In October 2023, exploitation of a new vulnerability in the [[HTTP/2]] protocol resulted in the record for largest HTTP DDoS attack being broken twice, once with a 201 million requests per second attack observed by Cloudflare,<ref>{{Cite web|title=HTTP/2 Rapid Reset: deconstructing the record-breaking attack|url=https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack
|access-date=2024-01-13|website=The Cloudflare Blog|date=10 October 2023|language=en}}</ref> and again with a 398 million requests per second attack observed by [[Google]].<ref>{{Cite web|title=Google mitigated the largest DDoS attack to date, peaking above 398 million rps|url=https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps
|access-date=2024-01-13|website=Google Cloud Blog|date=10 October 2023|language=en}}</ref> In August 2024, Global Secure Layer observed and reported a record-breaking packet-rate DDoS attack of 3.15 billion packets per second, which targeted an undisclosed number of unofficial [[Minecraft server|Minecraft game servers]].<ref>{{Cite web |title=Unprecedented 3.15 Billion Packet Rate DDoS Attack Mitigated by Global Secure Layer |url=https://globalsecurelayer.com/blog/unprecedented-3-15-billion-packet-rate-ddos-attack |access-date=2024-08-28 |website=globalsecurelayer.com |language=en-AU}}</ref>
 
==Types==
Line 26 ⟶ 27:
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the [[Bandwidth (computing)|bandwidth]] or resources of a targeted system, usually one or more web servers.<ref name="Taghavi Zargar 2046–2069"/> A DDoS attack uses more than one unique IP address or machine, often from thousands of hosts infected with [[malware]].<ref>{{Cite book|title=Theoretical and experimental methods for defending against DDoS attacks|last=Khalifeh|first=Soltanian, Mohammad Reza|others=Amiri, Iraj Sadegh, 1977-|isbn=978-0128053997|location=Waltham, MA|oclc=930795667|date = 2015-11-10}}</ref><ref>{{cite news|title=Has Your Website Been Bitten By a Zombie?|url=http://blog.cloudbric.com/2015/08/has-your-website-been-bitten-by-zombie.html|access-date=15 September 2015|agency=Cloudbric|date=3 August 2015}}</ref> A distributed denial of service attack typically involves more than around 3–5 nodes on different networks; fewer nodes may qualify as a DoS attack but not as a DDoS attack.<ref name="Infosec7Layer"/><ref>{{cite book | last =Raghavan | first =S.V. | title =An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks | publisher =Springer | date =2011 | isbn =9788132202776}}</ref>
 
Multiple attack machines can generate more attack traffic than a single machine, are harder to disable than one attack machine, and the behavior of each attack machine can be stealthier, making the attack harder to track and shut down. Since the incoming traffic flooding the victim originates from different sources, it may be impossible to stop the attack simply by using [[ingress filtering]]. It also makes it difficult to distinguish legitimate user traffic from attack traffic when spread across multiple points of origin. As an alternative or augmentation of a DDoS, attacks may involve forging of IP sender addresses ([[IP address spoofing]]), further complicating identifying and defeating the attack. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.{{Citation needed|date=April 2024}} The scale of DDoS attacks has continued to rise over recent years, by 2016 exceeding a [[terabit per second]].<ref name="Goodin">{{cite web|last=Goodin |first=Dan |date=28 September 2016 |title=Record-breaking DDoS reportedly delivered by >145k hacked cameras |website=Ars Technica |url=https://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/ |archive-url=https://web.archive.org/web/20161002000235/http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/ |archive-date=2 October 2016 |url-status=live}}</ref><ref>{{Cite web |url=https://thehackernews.com/2016/09/ddos-attack-iot.html |title=World's largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices |last=Khandelwal |first=Swati |date=26 September 2016 |publisher=The Hacker News 
|archive-url=https://web.archive.org/web/20160930031903/https://thehackernews.com/2016/09/ddos-attack-iot.html |archive-date=30 September 2016 |url-status=live }}</ref> Some common examples of DDoS attacks are [[UDP flood attack|UDP flooding]], [[SYN flooding]] and [[DNS amplification attack|DNS amplification]].<ref>{{Cite book|title=DDoS attacks : evolution, detection, prevention, reaction, and tolerance|last1=Kumar|first1=Bhattacharyya, Dhruba|last2=Kalita|first2=Jugal Kumar|author2-link= Jugal Kalita |isbn=9781498729659|location=Boca Raton, FL|oclc=948286117|date = 2016-04-27}}</ref><ref>{{cite web |title=Imperva, Global DDoS Threat Landscape, 2019 Report |url=https://www.imperva.com/resources/reports/Imperva_DDOS_Report_20200131.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.imperva.com/resources/reports/Imperva_DDOS_Report_20200131.pdf |archive-date=2022-10-09 |url-status=live |website=Imperva.com |publisher=[[Imperva]] |access-date=4 May 2020}}</ref>
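Detection logic for the three flood types just named, as an added example that is not part of the article: it runs over constructed flow records (source, destination, protocol, ports, cumulative TCP flags, packet and byte counts) of the kind a router or flow collector exports, and reports each destination that matches a SYN-flood, DNS-amplification or UDP-flood pattern. The thresholds, field names and sample addresses are assumptions chosen for the demonstration.

```python
"""Added example, not from the article: flag SYN flood, DNS amplification and
UDP flood patterns in a batch of constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp" or "udp"
    sport: int     # source port
    dport: int     # destination port
    flags: str     # cumulative TCP flags seen, e.g. "S" for a bare SYN; "" for UDP
    packets: int
    bytes: int


# Thresholds are assumptions for this example, not values from the article.
MIN_SOURCES = 20          # distinct sources before we call the traffic "distributed"
SYN_RATIO = 0.9           # share of TCP flows that never got past SYN
UDP_PACKETS = 5000        # unsolicited UDP packets to one host in the batch
DNS_BYTES_PER_PKT = 500   # DNS answers this large per packet suggest amplification


def detect_floods(flows):
    """Return {victim_ip: [finding, ...]} for every destination that matches a pattern."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    findings = {}
    for dst, fl in by_dst.items():
        notes = []

        # SYN flood: many half-open connection attempts from many sources.
        tcp = [f for f in fl if f.proto == "tcp"]
        bare_syn = [f for f in tcp if f.flags == "S"]
        syn_sources = {f.src for f in bare_syn}
        if tcp and len(bare_syn) / len(tcp) >= SYN_RATIO and len(syn_sources) >= MIN_SOURCES:
            notes.append(f"SYN flood: {len(bare_syn)} half-open attempts "
                         f"from {len(syn_sources)} sources")

        # DNS amplification: large answers from many resolvers the victim never queried.
        dns = [f for f in fl if f.proto == "udp" and f.sport == 53]
        if dns:
            pkts = sum(f.packets for f in dns)
            avg = sum(f.bytes for f in dns) / pkts
            if avg >= DNS_BYTES_PER_PKT and len({f.src for f in dns}) >= MIN_SOURCES:
                notes.append(f"DNS amplification: {len(dns)} resolvers, avg {avg:.0f} B/pkt")

        # UDP flood: a high packet count to arbitrary ports from many sources.
        udp = [f for f in fl if f.proto == "udp" and f.sport != 53]
        udp_pkts = sum(f.packets for f in udp)
        if udp_pkts >= UDP_PACKETS and len({f.src for f in udp}) >= MIN_SOURCES:
            ports = sorted({f.dport for f in udp})
            notes.append(f"UDP flood: {udp_pkts} packets to port(s) {ports}")

        if notes:
            findings[dst] = notes
    return findings


def sample_flows():
    """Constructed records using RFC 5737 documentation addresses."""
    flows = []
    # 50 sources each leaving one half-open connection on port 443
    flows += [Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 40000 + i, 443, "S", 1, 60)
              for i in range(1, 51)]
    # 30 open resolvers each returning 1,200-byte answers to a host that asked nothing
    flows += [Flow(f"192.0.2.{i}", "203.0.113.20", "udp", 53, 3000 + i, "", 4, 4800)
              for i in range(1, 31)]
    # 25 sources each sending 300 UDP packets at port 80
    flows += [Flow(f"198.51.100.{i}", "203.0.113.30", "udp", 50000, 80, "", 300, 300 * 64)
              for i in range(100, 125)]
    # benign traffic: completed TCP sessions, one retransmitted SYN, one small DNS answer
    flows += [Flow("192.0.2.200", "203.0.113.40", "tcp", 51000 + i, 443, "SAF", 12, 9000)
              for i in range(3)]
    flows.append(Flow("192.0.2.201", "203.0.113.40", "tcp", 51010, 443, "S", 2, 120))
    flows.append(Flow("192.0.2.53", "203.0.113.40", "udp", 53, 5353, "", 1, 80))
    return flows


if __name__ == "__main__":
    for victim, notes in detect_floods(sample_flows()).items():
        for note in notes:
            print(f"{victim}: {note}")
```

The checks are deliberately per-destination and require many distinct sources, which is what separates a distributed flood from one noisy client; the benign host in the sample data, which has a retransmitted SYN and a small DNS answer, is not reported.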
 
====Yo-yo attack====
Line 38 ⟶ 39:
 
====Method of attack====
The simplest DoS attack relies primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker's ability to generate the overwhelming flux of packets. A common way of achieving this today is via distributed denial-of-service, employing a [[botnet]]. An application layer DDoS attack is carried out mainly for specific targeted purposes, including disrupting transactions and access to databases. It requires fewer resources than network layer attacks but often accompanies them.<ref>{{cite news |last=Higgins |first=Kelly Jackson |title=DDoS Attack Used 'Headless' Browser In 150-Hour Siege |newspaper=Dark Reading |publisher=InformationWeek |date=17 October 2013 |url=http://www.darkreading.com/attacks-breaches/ddos-attack-used-headless-browsers-in-15/240162777 |access-date=28 January 2014 |url-status=dead |archive-url=https://web.archive.org/web/20140122165039/http://www.darkreading.com/attacks-breaches/ddos-attack-used-headless-browsers-in-15/240162777 |archive-date=January 22, 2014 }}</ref> An attack may be disguised to look like legitimate traffic, except that it targets specific application packets or functions. An attack on the application layer can disrupt services such as the retrieval of information or search functions on a website.<ref name="AbABankinJournal" />
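Detection for the application-layer case the paragraph describes, as an added example that is not part of the article: it parses constructed web-server access-log lines in common log format and counts, per client, the requests to endpoints that are expensive to serve (assumed here to be a search page and a report API) inside a sliding time window, so that one client grinding the search function stands out from a client fetching many cheap static files. The endpoint names, window, threshold and sample addresses are assumptions.

```python
"""Added example, not from the article: per-client sliding-window count of
requests to expensive endpoints, run over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed for the example: paths that hit the database or a heavy back end.
EXPENSIVE_PREFIXES = ("/search", "/api/report")
WINDOW = timedelta(seconds=10)
THRESHOLD = 20   # expensive requests from one client inside WINDOW


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything the regex rejects."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_abusers(lines):
    """Return {client_ip: peak_count} for clients that exceed THRESHOLD expensive
    requests in any WINDOW. Lines are assumed to be in time order, as in a log file."""
    recent = defaultdict(deque)   # client -> timestamps of expensive requests in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(EXPENSIVE_PREFIXES):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def sample_log():
    """Constructed log lines (RFC 5737 addresses), returned in time order."""
    t0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path, status=200, size=4096):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'

    events = []
    # one client issuing 60 distinct searches in six seconds
    events += [(i * 0.1, line("198.51.100.9", i * 0.1, f"/search?q=term{i}")) for i in range(60)]
    # a busy but harmless client pulling 60 static files in two seconds
    events += [(i * 0.03, line("192.0.2.5", i * 0.03, f"/static/img{i}.png", size=1200))
               for i in range(60)]
    # an ordinary user running five searches over half a minute
    events += [(i * 6.0, line("192.0.2.7", i * 6.0, f"/search?q=user{i}")) for i in range(5)]
    # one malformed line, which the parser must skip rather than crash on
    events.append((7.0, "garbage line that is not in log format"))
    events.sort(key=lambda e: e[0])
    return [text for _, text in events]


if __name__ == "__main__":
    for ip, peak in find_abusers(sample_log()).items():
        print(f"{ip}: {peak} expensive requests inside {WINDOW.seconds}s")
```

Counting only the expensive paths is the point: a plain per-client request counter would rank the static-file client highest, while the search client is the one that is actually consuming back-end capacity.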
 
===Advanced persistent DoS===
Line 258 ⟶ 259:
 
===Routers===
Similar to switches, routers have some [[Rate limiting|rate-limiting]] and [[Access control list|ACL]] capabilities. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Nokia SR-OS using FP4 or FP5 processors offers DDoS protection.<ref>{{cite web |url=https://www.nokia.com/networks/technologies/fp-network-processor-technology/ |title=FP Network Processor Technology |access-date=2024-06-15}}</ref> Nokia SR-OS also uses big data analytics-based Nokia Deepfield Defender for DDoS protection.<ref>[https://www.nokia.com/networks/ip-networks/deepfield/defender/ Nokia Deepfield Defender]</ref> [[Cisco IOS]] has optional features that can reduce the impact of flooding.<ref>{{cite web |url=http://mehmet.suzen.googlepages.com/qos_ios_dos_suzen2005.pdf |title=Some IoS tips for Internet Service (Providers) |first=Mehmet |last=Suzen |archive-url=https://web.archive.org/web/20080910202908/http://mehmet.suzen.googlepages.com/qos_ios_dos_suzen2005.pdf |archive-date=2008-09-10 }}</ref><!--[[User:Kvng/RTH]]-->
 
===Switches===
Most switches have some rate-limiting and [[Access control list|ACL]] capability. Some switches provide automatic and/or system-wide [[rate limiting]], [[traffic shaping]], [[delayed binding]] ([[TCP splicing]]), [[deep packet inspection]] and [[bogon filtering]] (bogus IP filtering) to detect and remediate DoS attacks through automatic rate filtering and WAN link failover and balancing.<ref name=":0" />{{Citation needed|date=September 2008}} These schemes work only against the kinds of DoS attack they are designed to prevent. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS may be prevented using deep packet inspection. Attacks using [[Martian packet|dark addresses]] or going to dark addresses can be prevented using [[bogon filtering]]. Automatic rate filtering works as long as the rate thresholds have been set correctly. WAN-link failover works as long as both links have a DoS/DDoS prevention mechanism.<ref name=":0" />{{Citation needed|date=September 2008}}
 
=== Blocking vulnerable ports ===
Threats may be associated with specific TCP or UDP port numbers. Blocking these ports at the firewall can mitigate the attack. For example, in an SSDP reflection attack, the key mitigation is to block incoming UDP traffic on port 1900 at the firewall.<ref>{{Cite web|url=https://www.cloudflare.com/learning/ddos/ssdp-ddos-attack/|title=SSDP DDoS attack &#124; Cloudflare}}</ref>
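A software model of the filter stages the Switches and Blocking vulnerable ports sections describe, as an added example that is not part of the article: bogon (martian) source filtering, a block list for the SSDP port named above, and a per-source token-bucket rate limiter of the kind behind automatic rate filtering. The packets, rates, burst size and the decision to leave the RFC 5737 documentation ranges out of the bogon list (so they can stand in for public addresses in the constructed traffic) are assumptions for the demonstration.

```python
"""Added example, not from the article: bogon filtering, a UDP port block list and
per-source token-bucket rate limiting applied to constructed packets."""
import ipaddress
from collections import Counter, namedtuple

# t = arrival time in seconds; sport/dport = transport-layer ports
Packet = namedtuple("Packet", "t src proto sport dport")

# Bogon (martian) source prefixes from RFC 1122, 1918, 3927, 6598 and 6890.  The
# RFC 5737 documentation ranges are deliberately left out here so they can stand in
# for public addresses in the sample traffic; a production list would include them.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# UDP ports to drop inbound on either side of the packet; 1900 is SSDP, as above.
BLOCKED_UDP_PORTS = {1900}


def is_bogon(ip):
    """True if the source address lies in a prefix that must not appear on the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


class TokenBucket:
    """Per-source bucket: `rate` packets per second sustained, `burst` accepted at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}   # src -> (tokens, time of last update)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, now)
            return True
        self.state[src] = (tokens, now)
        return False


def filter_packets(packets, rate=2.0, burst=10):
    """Apply the three stages in order and return [(packet, verdict), ...]."""
    bucket = TokenBucket(rate, burst)
    decisions = []
    for p in sorted(packets, key=lambda p: p.t):
        if is_bogon(p.src):
            verdict = "drop:bogon"
        elif p.proto == "udp" and (p.sport in BLOCKED_UDP_PORTS or p.dport in BLOCKED_UDP_PORTS):
            verdict = "drop:port"
        elif not bucket.allow(p.src, p.t):
            verdict = "drop:rate"
        else:
            verdict = "accept"
        decisions.append((p, verdict))
    return decisions


def summarize(decisions):
    """Count verdicts, e.g. {'accept': 24, 'drop:rate': 21, ...}."""
    return dict(Counter(v for _, v in decisions))


def sample_packets():
    """Constructed traffic mixing spoofed, reflected, bursty and well-behaved sources."""
    pk = []
    # packets claiming a private (RFC 1918) source address
    pk += [Packet(0.0 + i * 0.01, "10.1.2.3", "tcp", 40000, 80) for i in range(5)]
    # SSDP responses, i.e. UDP from source port 1900
    pk += [Packet(0.1 + i * 0.01, "198.51.100.7", "udp", 1900, 33000) for i in range(5)]
    # one host sending 40 packets at 8 per second
    pk += [Packet(1.0 + i * 0.125, "203.0.113.9", "tcp", 50000, 443) for i in range(40)]
    # a well-behaved host sending one packet per second
    pk += [Packet(1.0 + i, "192.0.2.42", "tcp", 50001, 443) for i in range(5)]
    return pk


if __name__ == "__main__":
    print(summarize(filter_packets(sample_packets())))
```

With the default rate of 2 packets per second and a burst of 10, the bursty host gets its first 13 packets through and then roughly one in four, which is the "as long as the thresholds are set correctly" caveat in concrete form: a burst set too high lets a flood through, one set too low drops the well-behaved host as well.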
 
==Unintentional denial-of-service==
An unintentional denial-of-service can occur when a system becomes unavailable not because of a deliberate attack by a single individual or group of individuals but simply because of a sudden, enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site's regular users{{spaced ndash}}potentially hundreds of thousands of people{{spaced ndash}}click that link in the space of a few hours, having the same effect on the target website as a DDoS attack. A VIPDoS is the same, but specifically when the link was posted by a celebrity. When [[Death of Michael Jackson|Michael Jackson died]] in 2009, websites such as Google and Twitter slowed down or even crashed.<ref>{{cite news| url=http://news.bbc.co.uk/1/hi/8120324.stm | work=BBC News | first=Maggie | last=Shiels | title=Web slows after Jackson's death | date=2009-06-26}}</ref> Many sites' servers interpreted the requests as coming from a virus or spyware trying to cause a denial-of-service attack, warning users that their queries looked like "automated requests from a [[computer virus]] or spyware application".<ref>{{cite web|date=October 20, 2009|title=We're Sorry. Automated Query error|url=<!--last updated February 06, 2013-->http://productforums.google.com/forum/?#!category-topic/websearch/unexpected-search-results/uFcXXixhiBw|access-date=2012-02-11|work=Google Product Forums › Google Search Forum}}</ref>
 
News sites and link sites{{spaced ndash}}sites whose primary function is to provide links to interesting content elsewhere on the Internet{{spaced ndash}}are most likely to cause this phenomenon. The canonical example is the [[Slashdot effect]] when receiving traffic from [[Slashdot]]. It is also known as "the [[Reddit]] hug of death"<ref>{{cite web |url=https://medium.com/codingame/story-of-a-reddit-hug-of-death-and-lessons-learned-3565bb8a6793 |title=Story of a Reddit Hug of Death and Lessons Learned |access-date=2024-09-24}}</ref> and "the [[Digg]] effect".<ref>{{cite web |url=http://socialkeith.com/the-digg-effect-v4/ |title=The Digg Effect v4 |publisher=Social Keith |access-date=October 20, 2010 |first1=Keith |last1=Plocek |archive-url=https://web.archive.org/web/20101022060115/http://socialkeith.com/the-digg-effect-v4/ |archive-date=October 22, 2010 |url-status=dead }}</ref><!--[[User:Kvng/RTH]]-->

Routers have also been known to create unintentional DoS attacks, as both [[D-Link]] and [[Netgear]] routers have overloaded NTP servers by flooding them without respecting the restrictions of client types or geographical limitations. Similar unintentional denial-of-service can also occur via other media, e.g. when a URL is mentioned on television. If a server is being indexed by [[Google]] or another [[search engine]] during peak periods of activity, or does not have a lot of available bandwidth while being indexed, it can also experience the effects of a DoS attack.<ref name=":0" />{{failed verification|date=April 2021}}{{citation needed|reason=I've never seen Google send more than one request per minute to my server, usually much less often than that. Other crawlers may be more aggressive though. Do we have a reliable source about this?|date=March 2013}}
 
Legal action has been taken in at least one such case. In 2006, [[Universal Tube & Rollform Equipment|Universal Tube & Rollform Equipment Corporation]] sued [[YouTube]]: massive numbers of would-be YouTube.com users accidentally typed the tube company's URL, utube.com. As a result, the tube company ended up having to spend large amounts of money on upgrading its bandwidth.<ref>{{cite news |title=YouTube sued by sound-alike site |work=BBC News |date=2006-11-02 |url=http://news.bbc.co.uk/2/hi/business/6108502.stm }}</ref> The company appears to have taken advantage of the situation, with utube.com now containing ads for advertisement revenue. In March 2014, after [[Malaysia Airlines Flight 370]] went missing, [[DigitalGlobe]] launched a [[crowdsourcing]] service on which users could help search for the missing jet in satellite images. The response overwhelmed the company's servers.<ref>{{cite web|url=http://wnmufm.org/post/people-overload-website-hoping-help-search-missing-jet|title=People Overload Website, Hoping To Help Search For Missing Jet|author=Bill Chappell|publisher=NPR|date=12 March 2014|access-date=4 February 2016}}</ref> An unintentional denial-of-service may also result from a prescheduled event created by the website itself, as was the case of the [[Census in Australia]] in 2016.<ref>{{cite web|url=https://delimiter.com.au/2016/08/19/experts-cast-doubt-census-ddos-claims/|title=Experts cast doubt on Census DDoS claims|date=19 August 2016|access-date=31 January 2018|last=Palmer|first=Daniel|publisher=Delimiter}}</ref> This could be caused when a server provides some service at a specific time.