Unlike other forms of denial of service (DoS) attacks, a DDoS attack usually does not exploit security holes in the system; it relies mainly on the sheer volume of traffic to saturate the server's connection. This makes DDoS somewhat easier to carry out than other DoS attacks, because it does not depend on finding a new security vulnerability. The challenge in a DDoS attack is instead how to generate traffic and concentrate it on the target.
Because of limitations in hardware, operating systems and, above all, transmission lines, it is usually impractical to generate enough traffic from a small number of machines. On the other hand, traffic coming from only a few sources is easy to block. For these reasons, DDoS attacks usually involve a large number of sources; this is the defining characteristic of DDoS. One of the simplest ways to gather traffic is to "call" people: through websites, chat rooms and so on, a large number of users are asked to visit the target website at a set time. Users then press the F5 key repeatedly to reload the page and generate more traffic, which is why this type of attack is commonly known as an "F5 attack". Rallying people and coordinating an attack this way is laborious and ineffective, so it is almost never used anymore. An example was the 2010 attack from South Korea on "2ch", one of the most popular websites in Japan. A variation of this approach uses tools that generate far more requests from a single machine than pressing F5 continuously ever could; popular tools of this kind are LOIC and HOIC.
Another form of DDoS attack uses botnets. By exploiting weaknesses in operating systems, software and so on, large botnets have been built and are used for many different purposes. As discussed in part 1, the rapid proliferation of IoT devices has also led to the formation of more botnets; over 100,000 Mirai bots were reported to have taken part in the 2016 attack on Dyn. A botnet makes it easy to concentrate traffic from sources all over the world: with a single command, every bot can be directed at a chosen target to create a DDoS attack.
More recently, with the discovery of new vulnerabilities, attacks that take advantage of amplification have become more common. There are many variants; the prominent ones are NTP (amplification factor of more than 500) and DNS (amplification factor of more than 50). With such a multiplier, 1 Gbit/s of attack traffic can easily become 500 Gbit/s, enough to bring down almost any website or cripple small and medium service providers.
Another characteristic of DDoS attacks is that source IP addresses are often spoofed and the preferred protocol is UDP (or ICMP) rather than TCP. Spoofing the source address makes attacks harder to detect, and connectionless protocols make spoofing easier because no handshake with the real source is required.
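As an added example (not part of the original article), the following Python script shows how a defender can spot the amplification pattern described above in flow records: reflected UDP traffic arriving from the NTP (123) or DNS (53) source port, from many distinct reflector addresses, with large packets and a high aggregate rate. The flow lines, the IP addresses (documentation ranges) and the thresholds are all constructed for the demo; the amplification factors 500 (NTP) and 50 (DNS) are the ones the article cites and are used only to estimate how little bandwidth the spoofing sender needed.

```python
"""Flow-level heuristic for spotting UDP amplification (NTP/DNS) floods.

Constructed example: the flow records below are made up, and the thresholds
are assumptions that a defender would tune for their own network.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Well-known amplifier source ports and the amplification factors the article cites
AMPLIFIERS = {123: ("NTP", 500), 53: ("DNS", 50)}

# Assumed detection thresholds (tune per network)
MIN_DISTINCT_SOURCES = 50   # reflected floods come from many reflectors
MIN_AVG_BYTES = 400         # amplified responses are large packets
MIN_MBPS = 100.0            # aggregate rate towards one victim


def constructed_flows():
    """Build flow records 'ts,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets'.

    Everything here is constructed: 120 NTP responses from distinct reflectors
    in 198.51.100.0/24 hitting one victim, plus benign DNS and HTTPS flows.
    """
    flows = []
    for i in range(120):
        flows.append(f"{i / 120:.4f},UDP,198.51.100.{i + 1},123,203.0.113.10,{40000 + i},120000,250")
    for i in range(5):  # ordinary DNS answers from the victim's resolver
        flows.append(f"{i * 0.2:.4f},UDP,192.0.2.53,53,203.0.113.10,{50000 + i},300,3")
    for i in range(5):  # ordinary HTTPS traffic, ignored (TCP)
        flows.append(f"{i * 0.2:.4f},TCP,192.0.2.{20 + i},443,203.0.113.10,{60000 + i},90000,70")
    return flows


@dataclass
class DstStats:
    bytes: int = 0
    packets: int = 0
    sources: set = field(default_factory=set)
    first_ts: float = float("inf")
    last_ts: float = 0.0


def parse_flow(line):
    ts, proto, src_ip, src_port, dst_ip, dst_port, nbytes, npkts = line.strip().split(",")
    return float(ts), proto, src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes), int(npkts)


def detect_amplification(lines):
    """Return one finding per (victim, service) whose UDP traffic looks reflected."""
    stats = defaultdict(DstStats)
    for line in lines:
        ts, proto, src_ip, src_port, dst_ip, _dst_port, nbytes, npkts = parse_flow(line)
        # Only UDP replies from amplifier service ports are of interest here
        if proto != "UDP" or src_port not in AMPLIFIERS:
            continue
        s = stats[(dst_ip, src_port)]
        s.bytes += nbytes
        s.packets += npkts
        s.sources.add(src_ip)
        s.first_ts = min(s.first_ts, ts)
        s.last_ts = max(s.last_ts, ts)

    findings = []
    for (dst_ip, src_port), s in stats.items():
        window = max(s.last_ts - s.first_ts, 1.0)  # at least a one-second window
        mbps = s.bytes * 8 / window / 1e6
        avg_bytes = s.bytes / s.packets if s.packets else 0.0
        name, factor = AMPLIFIERS[src_port]
        if (len(s.sources) >= MIN_DISTINCT_SOURCES
                and avg_bytes >= MIN_AVG_BYTES
                and mbps >= MIN_MBPS):
            findings.append({
                "victim": dst_ip,
                "service": name,
                "reflectors": len(s.sources),
                "mbps": round(mbps, 1),
                "avg_bytes_per_packet": round(avg_bytes, 1),
                # Rough bandwidth the spoofing sender needed, per the article's factors
                "est_attacker_mbps": round(mbps / factor, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_amplification(constructed_flows()):
        print(finding)
```

Running the script flags only the NTP reflection towards 203.0.113.10 (120 reflectors, about 115 Mbit/s of 480-byte packets) and estimates that the sender needed well under 1 Mbit/s of spoofed requests to produce it; the small benign DNS answers from a single resolver fall below every threshold. In practice the distinct-source count is the key signal, because the reflector addresses are real while the victim's address was spoofed in the requests.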
Cyber attacks today are increasingly complex, and the characteristics of DDoS attacks change frequently. Even in the course of a single attack, attackers often change the source addresses, protocol, packet size and so on in order to bypass defensive measures.