The Anatomy of a DDoS Cyber Attack


By Derek Mutiso

How Hackers Execute these Strikes

Local online news platforms were recently awash with reports of a Distributed Denial-of-Service (DDoS) attack purportedly carried out by Anonymous Sudan against a host of Kenyan websites. Anonymous Sudan is a black-hat hacking syndicate that has claimed responsibility for several other DDoS attacks in Europe and West Africa. The hackers are said to have launched a sustained barrage of attacks that affected the e-Citizen platform, M-Pesa and Kenya Power and Lighting Company, among other online service providers.

In recent months the group has also attacked Microsoft and AO3, an American website, and has threatened to launch similar attacks elsewhere. The internet is now so deeply woven into daily life that it has become a primary catalyst for criminal activity.

These days, single-machine denial-of-service (DoS) attacks have become rare; they have been overtaken by DDoS attacks, which originate from numerous computers scattered across the internet, often hundreds or even thousands of systems at once. Typically the attacking machines are not acting of their own accord: they are compromised machines forming a botnet under the control of the attackers.

The attackers harness the collective power of the botnet to overwhelm the target website or system. Because so many machines are involved, countering the attack by simply blocking traffic from specific machines is difficult. The attackers may also spoof the source IP addresses of the attacking traffic, which makes it even harder for defenders to filter and mitigate the traffic by IP address.

To carry out these attacks effectively, the group takes advantage of public cloud server infrastructure to generate massive volumes of traffic, and uses free and open proxy infrastructure to obscure and randomize the origins of its attacks, making them hard to trace back to the actual perpetrators. “One reason why Anonymous Sudan’s campaigns are effective is they target “layer 7,” or the application layer, of victims’ internet infrastructure — that’s where web servers receive input from users and, in a computationally draining process,” Charl van der Walt, head of cybersecurity research for Orange Cyberdefense, said in an interview with Bloomberg.

The Handshake

When you visit a website, a “handshake” process happens between your web browser and the website’s server. This process helps establish a connection and allows your browser to request and receive the website’s content.

Here’s how it works:

1. You enter the website’s address in your browser’s address bar.

2. Your browser finds the website’s IP address by sending a request to a DNS (Domain Name System) server.

3. Your browser establishes a reliable connection with the web server using TCP (Transmission Control Protocol). The connection is set up through a three-step process called the three-way handshake: SYN, SYN-ACK and ACK.
   a. SYN (Synchronize): The browser sends a SYN packet to the server, indicating its intention to establish a connection.
   b. SYN-ACK (Synchronize-Acknowledgment): The server responds with a SYN-ACK packet, acknowledging the request and indicating its readiness to establish a connection.
   c. ACK (Acknowledgment): Finally, the browser sends an ACK packet to acknowledge the server’s response.
   At this point the TCP connection is established, and the browser and server can exchange data.

4. Once the connection is set up, your browser sends a request for the web page’s content using HTTP (Hypertext Transfer Protocol). The request specifies the resource (web page, image, etc.) the browser wants to access.

5. The web server processes the request and sends back the requested content as an HTTP response, which the browser then renders and displays.

Common DDoS Tactics

Researchers from the cyber security firm Radware have found that Anonymous Sudan employs a distinctive approach, combining Web DDoS attacks with alternating waves of UDP and SYN floods. These attacks come from tens of thousands of unique source IP addresses. The UDP traffic can surge to 600 Gbps (gigabits per second), while the HTTPS request floods reach several million RPS (requests per second). The goal of UDP and SYN floods is to make the targeted website or online service inaccessible to legitimate users by exhausting its resources and network bandwidth.

User Datagram Protocol (UDP) Flood Attack

In a UDP flood attack, the attacker sends a massive number of UDP packets to the target server without waiting for any responses. Because UDP is connectionless, there is no handshake or verification step, so large volumes of packets can be generated and sent quickly, often with spoofed source addresses. The server must process each packet as if it were legitimate: it checks whether an application is listening on the destination port and, if none is, replies with an ICMP Destination Unreachable message. Since nothing verifies the sender or establishes a connection, the server spends resources on these packets to no purpose. As a result its CPU, memory and network bandwidth become overloaded, the server slows down or becomes unresponsive, and legitimate users trying to connect through the normal handshake process cannot reach the website.

Synchronization (SYN) Flood Attack

In a SYN flood attack, the attacker abuses the way the TCP three-way handshake reserves state on the server. The handshake (SYN, SYN-ACK, ACK) is designed to establish a connection between the client (the user’s web browser) and the server. In a SYN flood, the attacker sends a large number of SYN (Synchronize) packets to the server but never responds to the SYN-ACK packets the server sends back.

The server, expecting a response to each SYN-ACK, keeps the connection half-open and reserves resources for every incomplete handshake. In other words, the server dedicates resources to a connection that will never exist, and because the attacker never answers the SYN-ACK, those resources stay tied up until the half-open entry times out. Over time the server’s connection table fills, legitimate users’ connection requests cannot be processed, and the result is denial of service: the server becomes overwhelmed and unresponsive.

What are the potential consequences of cyber-attacks?

Kenyan businesses, particularly financial institutions, have emerged as high-priority targets for hackers. A report from the Central Bank of Kenya indicates that SACCOs lose over Ksh 201,000 ($1,404) every day to hacking incidents. In 2022, Kenyans transacted a staggering 35.86 trillion shillings via M-Pesa, so the daily transaction volume is an enormous sum as well. Just imagine what half a day of missed business would mean for Safaricom’s bottom line.

Back in 2013, a DDoS attack targeted multiple Dutch government websites, causing severe disruptions to the Netherlands’ DigiD system. This system is used by citizens for digital identification to access various municipal services. As a result of the attack, around 10 million people faced difficulties in paying bills and taxes online. Moreover, major financial institutions like ING and ABN Amro, as well as the national airline KLM, were also impacted by the attack.

In Costa Rica, a ransomware attack that occurred in April 2022 led the government to declare a nationwide state of emergency. Commenting on the issue, Emily Taylor, CEO of Oxford Information Labs and fellow at the International Security Programme said, “I think internationally there is an urgent need to bring every country up to a similar standard where possible because so much is interlinked these days with the global economy there is a risk to everyone. If one country gets so severely impacted like this, it can have a wider knock-on effect.”

Methods of mitigation

At its core, mitigating UDP flood attacks means striking a balance between filtering out malicious traffic and leaving legitimate traffic unaffected. The traditional method, in which the operating system limits the rate of ICMP (Internet Control Message Protocol) responses, has drawbacks, since it may also affect genuine traffic.

Similarly, relying solely on firewalls to block malicious UDP packets is becoming less effective against modern high-volume attacks, which can easily overwhelm firewalls that were not designed for such heavy loads.

Companies like Imperva market DDoS protection packages that take a different approach, distributing the DDoS attack load across a global network of powerful scrubbing servers. These servers perform Deep Packet Inspection (DPI) with specialized scrubbing software, identifying and filtering out malicious DDoS packets based on factors such as IP reputation, abnormal attributes and suspicious behavior. The inspection is performed at the network edge, in real time, so that only clean traffic reaches the origin server.

Other proactive measures can be taken alongside this kind of protection. Continuously monitoring network traffic and analyzing logs allows suspicious activity to be detected and dealt with quickly; identifying potential threats early means action can be taken before an attack overwhelms valuable resources.
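The monitoring described above, applied to the UDP floods from the earlier section, as an added example that is not part of the article or of any vendor’s product. It reads constructed flow-log lines (the log format, field names, addresses and thresholds are all assumptions), sums UDP packets per source and in aggregate over fixed ten-second windows, and raises two kinds of alert: a single source sending far above a normal rate, and an aggregate surge where each source individually stays quiet, which is what a distributed flood from tens of thousands of addresses looks like. Malformed lines and non-UDP flows are skipped.

```python
"""Added example: flagging UDP packet-rate anomalies in constructed flow logs.
The log format, field names and thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) pkts=(?P<pkts>\d+)$"
)

# Constructed flow records covering one 10-second window: a quiet DNS client,
# one noisy source, a TCP flow that must be ignored, a malformed line, and ten
# low-rate sources that only look abnormal when added together.
SAMPLE_LOG = [
    "2023-07-27T10:00:01Z proto=udp src=203.0.113.20 dst=203.0.113.10 dport=53 pkts=40",
    "2023-07-27T10:00:05Z proto=udp src=203.0.113.20 dst=203.0.113.10 dport=53 pkts=40",
    "2023-07-27T10:00:02Z proto=udp src=198.51.100.9 dst=203.0.113.10 dport=53 pkts=1500",
    "2023-07-27T10:00:07Z proto=udp src=198.51.100.9 dst=203.0.113.10 dport=53 pkts=1200",
    "2023-07-27T10:00:03Z proto=tcp src=203.0.113.21 dst=203.0.113.10 dport=443 pkts=900",
    "garbage line that should be skipped",
] + [
    f"2023-07-27T10:00:0{s}Z proto=udp src=198.51.100.{100 + i} "
    f"dst=203.0.113.10 dport=5353 pkts=150"
    for i in range(1, 11)
    for s in (4, 8)
]


def parse(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": int(ts.timestamp()), "proto": d["proto"], "src": d["src"],
            "pkts": int(d["pkts"])}


def analyse(lines, window=10, per_src_pps=200, total_pps=500):
    """Sum UDP packets per source and in aggregate over fixed windows.
    Returns (kind, window_start, source, packets_per_second) tuples."""
    per_src = defaultdict(int)   # (window_start, src) -> packets
    total = defaultdict(int)     # window_start -> packets
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "udp":
            continue
        start = rec["ts"] // window * window
        per_src[(start, rec["src"])] += rec["pkts"]
        total[start] += rec["pkts"]

    def label(start):
        return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    alerts = []
    # Single loud source: a flood coming from one or a few machines.
    for (start, src), pkts in sorted(per_src.items()):
        if pkts // window > per_src_pps:
            alerts.append(("src_rate", label(start), src, pkts // window))
    # Aggregate surge: a distributed flood where no single source is loud.
    for start, pkts in sorted(total.items()):
        if pkts // window > total_pps:
            alerts.append(("aggregate_rate", label(start), "*", pkts // window))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample data the single noisy source is reported at 270 packets per second while each of the ten distributed sources stays at 30, well under the per-source threshold; only the aggregate counter (578 packets per second) reveals them. That is why per-source rate limiting alone is a weak answer to a distributed flood, and why the aggregate view matters when deciding to divert traffic to scrubbing.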

Implementing SYN cookies is another effective defense mechanism. With SYN cookies the server does not keep a half-open entry for each incoming SYN. Instead, it encodes the details of the request in the initial sequence number it places in its SYN-ACK, and only allocates full connection state when a valid ACK comes back and the three-way handshake has actually completed. This keeps the server’s resources from being tied up with half-open connections during a SYN flood attack.

While DDoS attacks can be disruptive and cause temporary inconvenience to web users, they are generally manageable and can be defended against effectively. They may cause lost business during the attack, but they do not typically reach catastrophic levels or qualify as worst-case scenarios on their own. It is crucial to recognize, however, that when combined with other malicious activities such as data breaches, DDoS attacks can play a supporting role and contribute to the success of a broader cyber assault.
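The three-way handshake from the earlier section and the SYN-cookie defense described above, as an added in-memory model that is not code from the article or from any real TCP stack. A Listener either reserves a half-open entry per SYN, bounded by a backlog, or derives its SYN-ACK sequence number from an HMAC over the client address, client ISN and a coarse time window and only records a connection when the returning ACK re-derives to the same value. The simulate() function, address ranges, backlog size and flood size are constructed for illustration; nothing is sent on a network. Real implementations (Linux’s net.ipv4.tcp_syncookies, for instance) also pack the negotiated MSS into the cookie, which this model leaves out.

```python
"""Added example: in-memory model of a TCP listener with and without SYN
cookies. Nothing is sent on the network; addresses and sizes are constructed."""
import hashlib
import hmac
import os


class Listener:
    """Server side of the three-way handshake (model only, not a real TCP stack)."""

    def __init__(self, backlog, use_syn_cookies, secret=None):
        self.backlog = backlog                   # max half-open entries we will hold
        self.use_syn_cookies = use_syn_cookies
        self.secret = secret or os.urandom(16)   # key for deriving cookies
        self.half_open = {}                      # client -> server ISN awaiting ACK
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, client, client_isn, window):
        # Server ISN derived from client identity, client ISN and a coarse
        # time window; it can be re-derived later, so no state is stored.
        msg = f"{client}|{client_isn}|{window}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client, client_isn, now=0):
        """Handle a SYN. Returns the server ISN placed in the SYN-ACK, or None if dropped."""
        if self.use_syn_cookies:
            return self._cookie(client, client_isn, now // 60)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1               # queue full: this SYN is lost
            return None
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = server_isn      # state reserved before any ACK
        return server_isn

    def on_ack(self, client, client_seq, ack_num, now=0):
        """Handle the final ACK (client_seq = client ISN + 1, ack_num = server ISN + 1)."""
        if self.use_syn_cookies:
            client_isn = client_seq - 1
            window = now // 60
            # Accept the current and previous window so a slow client is not rejected.
            for w in (window, window - 1):
                if ack_num - 1 == self._cookie(client, client_isn, w):
                    self.established.add(client)
                    return True
            return False
        server_isn = self.half_open.get(client)
        if server_isn is None or ack_num != server_isn + 1:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


def simulate(use_syn_cookies, backlog=128, flood_size=1000):
    """Deliver flood_size SYNs that are never completed, then one legitimate
    handshake. Returns (legit_connected, half_open_entries, dropped_syns)."""
    srv = Listener(backlog, use_syn_cookies)
    for i in range(flood_size):                  # constructed sources that never ACK
        srv.on_syn(f"198.51.100.{i % 254}:{40000 + i}", client_isn=i)
    client, client_isn = "203.0.113.7:51515", 4242
    server_isn = srv.on_syn(client, client_isn)
    connected = server_isn is not None and srv.on_ack(client, client_isn + 1, server_isn + 1)
    return connected, len(srv.half_open), srv.dropped_syns


if __name__ == "__main__":
    print("without SYN cookies:", simulate(False))   # (False, 128, 873)
    print("with SYN cookies:   ", simulate(True))    # (True, 0, 0)
```

Without cookies the 128-entry backlog fills after the first 128 unanswered SYNs, every later SYN including the legitimate one is dropped, and the half-open entries stay allocated until they time out. With cookies the listener holds no half-open state at all, the flood costs it only an HMAC per SYN, and the legitimate client’s ACK verifies and is accepted. The same verification also rejects an ACK carrying a sequence number the server never issued, so a client cannot complete a handshake it did not start.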

Implementing robust defense strategies, together with the mitigation tactics discussed in this article, can significantly reduce the impact of DDoS attacks and help ensure the continuous availability and security of online services. With proactive measures in place, organizations and governments can confidently safeguard their systems and customers from the disruption caused by DDoS attacks and other cyber threats.

The writer is a business writer and project coordinator at the Omeriye Foundation.

Email: [email protected]

