Classification of DoS Attacks
Denial-of-Service (DoS) attacks are one of the most frequent types of security incident and continue to be used extensively. In many cases, carrying out a denial-of-service attack does not require advanced knowledge. Some examples of this sort of aggression would be the attack suffered by 19,000 French web-sites in the context of the deadly assault on the premises of the satirical magazine Charlie Hebdo, the attacks against the on-line games platforms X-Box and PlayStation Network, the attack suffered by the company Dinahosting or one of the biggest attacks in history that affected CloudFlare, with peaks of 400Gbps, taking advantage of a Network Time Protocol vulnerability.
- Statistics for Cyber-Attacks in 2013 (Source: Hackmageddon)-
Before going into further detail, it is necessary to give a brief definition of what a denial of service attack is. It may be stated that a DoS is an aggression that has as its aim to downgrade the quality of service of a system or a network to the extent of rendering it inoperable or inaccessible. Such a situation can be achieved by saturating the resources available or triggering a catastrophic error that will cause some critical process or the entire system to cease to work.
Arising from conventional denial-of-service attacks, a further development was the Distributed Denial-of-Service or DDoS attack. This involves co-ordinating multiple DoS attacks from different sources against one or more targets.
This kind of attack usually has devastating effects on the systems targeted. The only effective defence can be achieved by an extensive co-operation among the various different players making up the Internet, from service providers (ISPs) down to end users. They all need to put in place the means for keeping equipment free of malware, such as botnets, that can be used in this sort of aggression.
The following are details of the various different ways in which DoS attacks are classified.
Basic Types of DoS Attack
There are a number of different classifications of DoS attacks, partly because of the large number and great diversity that exist. One classification is based on the kind of damage or effect produced:
The aim of this approach is to use up or saturate some key resource of the system. These include CPU time, memory, bandwidth, access to external systems, disk space, or system power feeds.
This approach was used in the numerous attacks carried out by the Anonymous group, which co-ordinated a large number of attackers.
- An Example of an Attack by the Anonymous Group. (Source: Imperva) -
- Modification of Configurations
The aim of this approach is to alter or erase the configuration of some key element of the system, typically servers or routers. These changes usually produce critical effects in the systems affected, putting them out of service.
An example of this sort of attack would be the one carried out by the Syrian Electronic Army group against the New York Times. The attackers gained access to an account with domain name registration privileges that was used by the newspaper changed the configuration of the Domain Name Service (DNS), redirecting traffic to another server. Another instance might use a specific vulnerability, such as that reported for Omron NS Series HMI products that allows modification of the configuration of devices.
The result of this sort of attack is the physical destruction or alteration of one or more components of the system. Although initially it was almost always necessary to have physical access to the system in order to carry out an attack of this kind, nowadays the connecting to the Internet of industrial control systems (ICS) has made it easier to perform remotely.
The attack on a German steel factory that took place in December 2014 is a striking example. This attack caused considerable physical damage, and was one of the first denial-of-service attacks of a destructive type that was carried out remotely, affecting physical elements in an industrial control system. The attackers first used a spear-phishing technique to gain access to the factory's corporate network, then infiltrated the industrial control system. The attack affected a number of systems, making it impossible to shut the blast furnaces down in a controlled way, which caused a good deal of damage.
This approach involves interrupting communications between two devices by altering the state of information, so that transferring it becomes unviable. An example is the unsolicited resetting of Transmission Control Protocol (TCP) sessions (TCP reset attacks).
This kind of technique attempts to obstruct contacts between interlocutors, preventing the victim from communicating adequately. Examples might be the filtering out of IP addresses by the Internet Service Provider (ISP), or selective removal of DNS packets. This approach is often used for legal or judicial reasons, as in the Golden Shield Project in China.
Taxonomy by Type of Attack
In the article "A Taxonomy of DDoS Attack and DDoS Defence Mechanisms", the authors propose a classification based on characteristics of the attack such as level of automation, validity of source address, vulnerability exploitation, and the like. This classification may be seen in the figure below:
A Taxonomy of DDoS Attack and DDos Defence Mechanisms
Classification by Level of OSI Layer
This sort of classification divides DoS attacks into two big groups:
- Infrastructure Level. This includes all approaches that target vulnerabilities or weaknesses in the network and transport layer of the OSI model. The protocols most often attacked are TCP, UDP or ICMP, as they support the Internet. This category is normally used in DDoS attacks because it can be directed against systems connected to the Internet.
However, there are other protocols with vulnerabilities arising from their design or implementation. One example of such protocols is the DNP3 (Distributed Network Protocol version 3). Although it was designed on the basis of a requirement for great reliability in industrial environments, security was not taken into account. This was a design error that has made it easier to disrupt communications in industrial systems.
The diagram below gives a listing of the main DDos attacks at network level.
Taxonomy of DDos attacks. (Source: RIOREY)
- Application Layer. This variety brings together attacks aimed at layer seven, the application layer of the OSI model. They involve identifying and using some characteristic or weak spot in the application to bring about a breakdown or interruption in the system service. The application layer protocol most often targeted is HTTP. However, protocols like NTP (Network Time Protocol), SMTP or DNS have been extensively used.
According to data from Akami, a Content Delivery Network (CDN) specializing in defending against DDoS, during the fourth quarter of 2014 application-layer DDoS accounted for 10% of attacks, with a rising trend.