DoS and DDoS attack.

Denial of service is basically, one to one attack with the use of single internet
connection. In this attack, one system floods his packets to server to
overload the bandwidth and resources of his target. On the other side, DDoS
(Distributed Denial of Service) attack floods his target from many sources
and many different IP addresses. According to Akamai's Prolexic Security
Engineering and Research Team, numbers of attacks occurring in todays
world have increased four-fold and they are getting more and more (Four-fold
increase in DDoS attacks, 2014).
According to statistics from the surveys, out of people who believe about the
reality of attacks and their threats, only 22 percent accept about being target
by criminals through DDoS. Apart from this, any system or device of anyone
even who doesnt store anything valuable on his system can be a part of any
attack by turning it into bot. Bot is basically, an internet robot that start
automated job over the internet through remote access.
Fig 1.1 shows the attack breakdown on the basis of area of activities.

Fig 1.1.

The growth of computing devices is also increasing the probability of DDoS

attacks. DDoS attacks basically, develop huge traffic that weakened system
resources and bandwidth. There are various tools present in market to
produce DDoS attack and one of them is LOIC (Low Orbit Ion Canon), a
famous tool, because of it multiple use done by Internet Hacktivist group
called Anonymous. They have use this tool on their many targets one of
them is with the famous Title of Project Chanology for Church of Scientology
and second is Operation Payback to companies that opposed Wiki leaks.
Even some countries have already taken action towards people using LOIC
for attack (LOIC attack).
Types of DDoS Attacks (Denial of Service Attacks)
1. Volume based attacks: This attack use UDP, ICMP packet floods. The
main motive of this attack is to penetrate the bandwidth of target site.
This attack is measured in terms of Bps. In this attack, UDP, attacker
floods any arbitrary port on the victims system with a session-less
networking protocol packets. This whole thing makes the system to
check every time with his listening port and reply to the system ICMP
packet of destination unreachable. On the other side ICMP protocol has
same use to flood the target system as UDP flood.
2. Application Layer attacks: This attack exploit the vulnerabilities of
particular software and application such as Web servers.
Most
Application attacks include HTTP requests. These attacks are very rare
as compare to other because they work on their victims
vulnerabilities. For example in year 2011, there was a huge
disturbance because of bug present in Apache web server that could
give the edge to memory overload.
3. Protocol attack: Most popular attack at accounted for 24 percent of all
attacks. In this type attacker use TCP handshake by starting session
with SYN packet and obviously, receiver will send SYN/ACK and after
this attacker doesnt complete the handshake process and he doesnt
send ACK back to victim. Even cheap router offer protection from SYN
flood with timing out option. Moreover, by sending these packets of
SYN, a normal router can feel overwork quickly. Numbers of SYN
packets are more enough to obstruct the bandwidth of victim.
As we discussed above in first attack, it send so many unwanted traffic
and fill the whole bandwidth with junk stuff and that force to kick off its
server. In this attack, cybercriminals build their own botnets by send
malware to other people through emails, websites and software. With the

help of these botnets they attack their targets, for example Bank
websites login page or downloading any PDF file such as annual report, if
attacker launch thousands system to open and download same file from
website it creates DDoS attack. Second type that is most common is one
that related to applications, in this method source system send any server
based application command that try to use all the resources and max out
their memories and processors. For example, if one will type *.* to
search in system, it will use all resources of system including memory and
CPU to process this request. (crosman, 2013).
To detect an attack, there is very important to have an expertise on the
top to look into this attack because automated system can work up to
some level. On the other side, if people will analyze the attack, then they
would determine the attack vectors easily. This is also one reason of
appointing an expertise for analyzing a attack and sometime automated
system cause a same level of problem as done by attack. To monitor the
traffic, most of the firms have installed correlation and analytical
technology in their infrastructure. Apart from this, expert always keep
their eye on both side of networks i.e. inside the network through viewing
their appliances and outside through internet monitoring. With the help of
this they find out any changes in response time, functioning of site and
possible site that can be scheduled for an attack (Mansfield-Devine,
2011).
There are various steps in way to mitigate these attacks. First step is to
confirm that the system is perfect order. It is proven that most of the
victim firms have poorly IPS devices and firewalls, but it is not only one
stand enough solution to stop DDoS attack. Sometime having huge
amount of bandwidth helps a lot and the amount of bandwidth to deal is
really expensive and will usable only when attack will happen.
Network operation centre has the authority to work within ISP to monitor
the traffic and then filter them. But to make it more affecting, they can
build connections with other ISPs and only need is to coordinate from
different central router around the globe. After this, use of null route will
help to stop the attack before two or max three. In this case most of
traffic is similar but with the different IP address; same structure, TCP
header and sequence number and that makes easy to find out this traffic
and then block or redirect them.

There are some areas those are needed to look into, in terms of
prevention from the successful DDoS (McGregory, 2013).
Attack the Victim: The best way to check the status and level of
security is to attack the secured area and this way it is easy to calculate
the level of mitigation measures. These attacks must be similar to real
attack such as help from some professionals to create the same volume of
attack.
Combine application load and attacks: This will help to understand
the scenario where the possibility of attack is high. Administrator can
produce large amount of traffic from real application with the possibilities
of unique protocols. There are so many applications that generate DDoS
attacks such as Slowloris and Rudy. Slowloris opens so many connections
to server and try to keep them open for long time. It use the traditional
method by send http request to target system and all the request are
incomplete (Slowloris|DDoS).
Test with application layer attacks: As we discussed above this DDoS
can target many application with the only aim of max out the CPU and
memory limit of servers. These attacks are more effective than TCP/ UPD
attacks with the requirement of very less network connections. Apart from
this, these attack are very hard to detect because of the involvement of
less number of connections and they are seems like a normal traffic.
Test with big range of attacks: Implement the whole system that
create and test the infrastructure with attacks. To make the system best,
there is always a need to calculate the level of defense against new
techniques. There are some listed attacks those are must be considered in
library.

Slowloris attack
DNS flood
UDP flood
IP fragment attack
HTTP fragmentation attack
TCP fragmentation flood
VoIP flood

Mitigation services are very well known for their DDoS mitigations. Now a
days, the attacking pattern has changed from multinational companies to

small and medium sized businesses. Verisign is one of the services that
offered to large and multinational corporate who were paying huge money. In
mitigation services of DDoS, they analyze the network behavior that
basically includes monitoring of everything that helps to construct behavioral
pattern. It use the very huge number of metrics to measure any out of
character traffic. Once it find something that need to be stop it turns in to
different mode that advance in mitigation.
As we all know DDoS mitigation services are very expensive, so it is very
important to analyze the risk. This phase of finding is very tricky, but it can
be simple just with the little research on past DDoS attacks. Actually, all type
of organization see themselves as possible victim of DDoS attack but the
possibilities are very high for E-Commerce, financial services and online
gambling. This is not security problem but it is the thing of being reliable for
business continuity.

Reference
crosman, P. (2013). How to Block the DDoS Attack. American Banker.
Denial of Service Attacks. (n.d.). Retrieved from Incapsula:
https://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html
Four-fold increase in DDoS attacks. (2014). Network Security, 2.
LOIC attack. (n.d.). Retrieved from radware: http://security.radware.com/knowledgecenter/DDoSPedia/loic-low-orbit-ion-cannon/
Mansfield-Devine, S. (2011). DDoS: threats and mitigation. Network Security, 5-12.
McGregory, S. (2013). Preparing for the next DDoS attack. Network Security, 5-6.
Slowloris|DDoS. (n.d.). Retrieved from Incapsula:
https://www.incapsula.com/ddos/attack-glossary/slowloris.html