Why is it difficult to prevent a DoS attack?

Denial of Service attack, also known as DoS attack, is an attempt to remove machine and network resources from the reach of authorized users. Any attack on accessibility is considered a denial of service attack. Although the purpose of a DoS attack and the motive for doing it may vary, it generally involves trying to temporarily or permanently interrupt or suspend the services of an Internet-connected host.

DoS attacks typically target sites or web server hosting services with appropriate features such as banks, credit cards, and even root servers. One common method of attack involves saturating the target machine with external communication requests. The target machine can not respond to legal traffic, or responses are given at a low speed or unavailable. Such attacks lead to high server overhead. The DoS attack forces the target computer to reset or consume its resources, so it can not serve the services in question and violates the policies that Internet service providers accept. So in this article, we will check the reasons that make it hard to prevent these kinds of attacks.

What is the difference between DoS and DDoS attacks?

A denial-of-service (DoS) attack fills a server with traffic and renders a website or resource inaccessible. A distributed denial-of-service (DDoS) attack is an attack that uses multiple computers or machines on a single target. Both types of attacks target a server or web application intending to interrupt high-traffic services. Because the server is full of user data packets (TCP / UDP) that cannot be processed, the server may be crashed, data may be corrupted, resources may be misdirected, or even the system may crash. The main difference between DoS and DDoS is that DoS has one attack on one system, while DDoS includes several systems that attack a single system. Distributed Denial of Service is a more advanced strategy than Denial of Service (DoS) attacks. In DoS, a single system tries to overcrowd another system to block access to its services.

DDoS has the same goal but is more powerful. Instead of one machine working to eliminate an overtime system, several related machines run the attack, increasing its efficiency widely and making system recovery more difficult. However, there are other differences between these two kinds of attack, including:

• Ease of detection: Because a DoS comes from a single location, it is easier to identify its source and disconnect its connection. On the other hand, a DDoS attack is carried out from multiple remote locations and hides its origin.

• Attack speed: Because a DDoS attack is performed from multiple locations, it can be deployed much faster than a DoS attack originating from one location. Increasing the speed of the attack makes it more difficult to detect, meaning more damage or even a catastrophic outcome.

• Traffic volume: A DDoS attack uses multiple remote machines (zombies or robots), meaning that it can send large amounts of traffic from multiple locations simultaneously, filling up server traffic and being unrecognizable.

• Runup process: A DDoS attack synchronizes multiple hosts infected with malware (bots) and creates a botnet managed by a command and control (C&C) server. In contrast, a DoS attack typically uses a script or tool to carry out the attack.

• Source tracking: Using a botnet in a DDoS attack means that tracking the real source is much more complex than tracking the source of a DoS attack. A botnet is a network of multiple computers that are secretly controlled without their owners' knowledge by a Bot Master to perform malicious activities and often DDoS attacks or spam emails.

Types of attacks

DoS and DDoS attacks can take many forms and use a variety of tools that may cause a company to lose business, cripple a competitor, or simply cause trouble and be fixed quickly. There are some common forms of such attacks below:

• Teardrop Attack: A DoS attack sends countless pieces of Internet Protocol (IP) data to a network. It cannot succeed when the network tries to recompile the components into their original packages; it cannot succeed. For example, an attacker might take large data packets and split them into several pieces to reassemble the system. However, the attacker changes the way the packet is disassembled to confuse the target system, after which it is unable to reassemble the parts into the original packets.

• Flooding: A flood attack is a DoS attack that sends several connection requests to one server but does not respond to complete the connection process because these attacks try to minimize the server's capacity to respond to requests by sending requests and keeping the server busy and prevent users from accessing the service. For example, an attacker might send various requests to connect as a client, but when the server tries to reconnect to confirm the connection, the attacker refuses to respond. After countless repetitions of this process, the server becomes so immersed in suspended requests that real clients can not connect to it, and the server is "busy" or even crashes.

•  IP(IP Fragmentation Attack): An IP Fragmentation attack is a DoS attack that delivers modified network packets that the receiving network cannot retrieve. The network is caught up in bulky unassembled packages and consumes all its resources.

•  Volumetric: Volumetric attack is a type of DDoS attack used to target bandwidth sources. For example, an attacker uses a botnet to send large packets to a network, causing the service to be reduced or even stopped altogether.

• Protocol: A protocol invasion is a type of DDoS attack that exploits the vulnerabilities of Layers 3 and 4 of the OSI model. For example, an attacker could exploit a TCP connection sequence, disrupting the service by consuming all the capacity of the table available on web application servers or intermediate resources such as firewalls and load balancing.

• Application-based: A program-based attack is a type of DDoS attack that targets Layer 7 of the OSI model. An attack, for example, in which an attacker sends partial requests for a hypertext transfer protocol (HTTP) but does not complete them. HTTP headers are sent periodically for each request, closing network resources. The attacker continues to attack until the server makes no new connections. This type of attack is very difficult to detect because instead of sending corrupt packets, it sends small packets and uses a small amount of bandwidth.

DOS and DDOS prevention tools

• Firewall: They are regulated so that they accept or reject the protocols according to the rules. For example, in the event of a raid from multiple unusual IPs, a rule can be used to ignore packets sent by attackers.

• Switches: Most switches have Rate-Limiting and ACL (Access Control List) capabilities. Some switches automatically provide capabilities for detecting and modifying DOS attacks.

• Routers: Routers, like switches, have Rate-Limiting and ACL capabilities. Routers can be configured to prevent simple ping attacks by filtering out unnecessary protocols.

• Application Front End Hardware: It is intelligent hardware that gets in the way of the network before the traffic reaches the server and analyzes the packets as soon as they enter the system and identifies them based on priority, being normal or dangerous.

• IPS-based prevention: Intrusion-prevention systems (IPS) are effective in Signature Associated attacks.

• DDS-based defense: It can block DOS Connection-Based attacks and legitimate malicious content. It should be noted that DDS is the first line of defense against DDoS attacks and the flow of service requests.

• Blackholing and Sinkholing: All the attacked DNS traffic or IP address is sent to the black hole using these two methods. A black hole is where packets are dumped, and no information about dropped packets is sent to the source. The DNS repository is used to direct and prevent malicious attacks and activities by redirecting bad traffic to an alternative server.

• Clean pipes: In this way, traffic passes through methods such as proxies, tunnels, or even direct circuits that separate bad traffic and other Internet attacks.