Uploaded by

Parul Dahariya
DDoS Attacks

- Ayush (802332018)
- Abhinav (802332002)
- Nikhil (802332045)
Table of Contents
1. Introduction to DDoS Attacks
2. DoS vs DDoS
3. Working
4. Signs of a DDoS Attack
5. Types & Techniques
6. Preventive Measures
7. Detection Strategies
8. Mitigation Strategies
9. Case Studies
10. Conclusion
Introduction
● Distributed Denial of Service (DDoS) attacks are malicious attempts to disrupt
the normal functioning of a network, server, or website by overwhelming it
with an excessive amount of traffic.
● Unlike traditional DoS attacks that originate from a single source, DDoS
attacks involve multiple compromised devices. These devices simultaneously
flood the target with traffic.

Need:
● Understanding DDoS attacks helps organizations defend against them
effectively
DoS vs DDoS Attack
Working
1. Botnets and Bots:
● A botnet consists of compromised computers and devices (including IoT
devices) infected with malware.
● Each individual device in the botnet is called a bot or zombie.
● The attacker remotely controls these bots.

2. Attack Execution:
● The attacker directs the botnet to flood the target’s IP address with requests
and traffic.
● Legitimate users are pushed out, resulting in a denial-of-service.
● The target’s services become slow or entirely unavailable.
3. Exploiting Normal Behavior:
● Sophisticated DDoS attacks don’t always rely on default settings or open
relays.
● Instead, they exploit normal behavior of network services (e.g., routers,
naming services).
● Attackers manipulate protocols designed to run on today’s devices.
Signs of a DDoS Attack
● Slow or Unavailable Services: The most obvious symptom.
● Suspicious Traffic Patterns:
○ Abnormal traffic from a single IP address or range.
○ Many clients that share a single behavioral profile (device type, geolocation).
○ Unexplained surges in requests to specific pages or endpoints.
○ Odd traffic patterns (e.g., spikes at unusual hours).
Types & Techniques
1. Flooding with Traffic:
● Attackers flood a website or server with excessive internet traffic, overwhelming its capacity and
causing it to crash.
2. UDP Flood:
● Attackers send a flood of random data packets to the target, overloading its ability to process them
effectively.
3. TCP SYN Flood:
● Attackers send multiple connection requests to the target server but don't complete the handshake
process, tying up resources and preventing legitimate connections.
4. Application Layer Attacks:
● Attackers target vulnerabilities in specific applications or services running on the
target, such as web servers or DNS servers, with the goal of disrupting their normal
operation.
5. Reflection/Amplification Attacks:
● Attackers exploit servers that respond with larger-than-requested packets, using
them to amplify their attack traffic and overwhelm the target.
6. Slowloris Attack:
● Attackers send incomplete HTTP requests to the target server, keeping
connections open for as long as possible and exhausting its capacity to accept new
connections.
Preventive Measures
1. Implement Network Security Measures:
● Use firewalls and intrusion detection/prevention systems (IDPS) to filter and
block malicious traffic.
● Configure routers and switches to mitigate the impact of DDoS attacks by
dropping or rate-limiting suspicious traffic.
2. Deploy DDoS Mitigation Services:
● Partner with DDoS mitigation service providers that specialize in identifying
and mitigating DDoS attacks in real time, leveraging advanced detection and
mitigation techniques.
3. Rate Limiting and Traffic Shaping:
● Implement rate limiting and traffic shaping policies to control the volume of incoming
traffic and prevent overwhelming network resources during DDoS attacks.
4. Anomaly Detection and Traffic Analysis:
● Deploy systems for anomaly detection and traffic analysis to identify patterns
indicative of DDoS attacks, allowing for early detection and proactive response.
5. Capacity Planning and Scalability:
● Ensure that network infrastructure and server resources are adequately provisioned
to handle sudden spikes in traffic, allowing for scalability and resilience against
DDoS attacks.
6. Regular Security Audits and Updates:
● Conduct regular security audits to identify and patch vulnerabilities in network
infrastructure, servers, and applications that could be exploited in DDoS
attacks.
● Keep software and firmware up to date with the latest security patches and
updates to mitigate the risk of exploitation by attackers.
7. Employee Training and Awareness:
● Train employees on recognizing and reporting signs of DDoS attacks, such as
unusual spikes in network traffic or degraded system performance.
● Raise awareness about the importance of security best practices, such as
strong password management and avoiding phishing scams, to minimize the
risk of compromise leading to DDoS attacks.
Detection Strategies
1) Server Displaying ‘Error 503’:
● HTTP Error 503 indicates that a website’s server is unavailable or unable to handle any
requests, which could be due to a DDoS attack. You can set up alerts whenever a certain
event takes place. In Windows, you can do this in the Event Viewer. Attach a task to any
event deemed worthy of investigating, such as ‘Error 503.’

A task can be attached in two simple steps:

1) Open Event Viewer and right-click on the event.

2) A configuration screen will open. Fill in the fields to send notification emails to selected
personnel.
2) TTL Times Out:
● TTL is short for Time to Live, the time a packet is allowed to exist in a network before a router discards it. You can automate ping
alerts, and several service providers do that. This way, your website will be monitored around the clock. Ping time is the
time a small packet takes to travel from a device to a server and back.
● This works on the principle that DDoS or DoS attacks consume undue bandwidth, so the ping time will be too long or time out
altogether.
3) Baseline Traffic Analysis:
● Establish a baseline of normal network traffic behavior using historical data. Deviations from this baseline may
indicate a potential DDoS attack.
4) Anomaly Detection Systems:
● Implement anomaly detection systems that continuously monitor network traffic patterns. These systems use machine learning
algorithms to identify abnormal behavior indicative of a DDoS attack.
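The baseline-and-deviation check described above, together with the "suspicious traffic pattern" signs (one source range, one hot endpoint), as an added example that is not part of the original presentation. The log records are constructed inline; the threshold of mean plus three standard deviations (with a floor for flat baselines) is an assumption, not a value from the slides.

```python
"""Baseline traffic analysis over per-minute request records (constructed sample)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: (window, source_ip, path). Windows 0-4 are the historical
# baseline (20 requests/min from 203.0.113.0/24); window 5 adds a surge from
# 198.51.100.0/24 aimed at a single endpoint, alongside the usual traffic.
SAMPLE = (
    [(w, f"203.0.113.{i}", "/index") for w in range(5) for i in range(1, 21)]
    + [(5, f"198.51.100.{i % 250 + 1}", "/login") for i in range(400)]
    + [(5, f"203.0.113.{i}", "/index") for i in range(1, 11)]
)

def window_counts(records):
    """Requests per one-minute window."""
    return Counter(w for w, _, _ in records)

def baseline(counts, windows):
    """Mean and population std-dev of request counts over the baseline windows."""
    vals = [counts.get(w, 0) for w in windows]
    return mean(vals), pstdev(vals)

def is_anomalous(count, mu, sigma, k=3.0, floor=10):
    """Flag a window that exceeds mean + k*sigma; the floor guards a flat baseline."""
    return count > mu + max(k * sigma, floor)

def concentration(records, window):
    """Busiest /24 and busiest path in the window, each with its share of traffic."""
    recs = [r for r in records if r[0] == window]
    nets = Counter(".".join(ip.split(".")[:3]) for _, ip, _ in recs)
    paths = Counter(p for _, _, p in recs)
    total = len(recs)
    (net, n_hits), = nets.most_common(1)
    (path, p_hits), = paths.most_common(1)
    return net, n_hits / total, path, p_hits / total

def analyse(records, baseline_windows, current):
    """Combine the volume check with source/endpoint concentration for one window."""
    counts = window_counts(records)
    mu, sigma = baseline(counts, baseline_windows)
    net, net_share, path, path_share = concentration(records, current)
    return {"count": counts.get(current, 0), "mean": mu,
            "flagged": is_anomalous(counts.get(current, 0), mu, sigma),
            "top_net": net, "net_share": round(net_share, 3),
            "top_path": path, "path_share": round(path_share, 3)}

if __name__ == "__main__":
    print(analyse(SAMPLE, range(5), 5))
```

A real deployment would feed the same functions from access logs or flow records and alert on the flagged window, naming the dominant /24 and endpoint for the responder.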
Mitigation Strategies
1. Traffic Filtering: Deploy traffic filtering mechanisms at network edges to identify and block malicious traffic
before it reaches the targeted servers. This can include IP-based filtering, blacklisting of known malicious IPs, and
rate limiting.

2. Rate Limiting: Limit the rate of incoming traffic to prevent servers from being overwhelmed. This can involve
throttling connections from suspicious sources or implementing rate-limiting policies based on source IP
addresses or other criteria.

3. Content Delivery Networks (CDNs): Utilize CDNs to distribute traffic across multiple servers and data
centers. CDNs have built-in DDoS protection mechanisms that can absorb and mitigate large-scale attacks.

4. Cloud-based DDoS Protection Services: Engage the services of cloud-based DDoS protection providers
that specialize in mitigating DDoS attacks. These services typically employ a combination of traffic scrubbing, load
balancing, and rate limiting to mitigate attacks in real-time.
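Per-source rate limiting, as listed under "Rate Limiting and Traffic Shaping" in the preventive measures and under mitigation strategy 2 above, as an added example that is not part of the original presentation. It uses a token bucket per source IP; the rate (5 requests/s) and burst (10) are assumed values, and the traffic is constructed inline.

```python
"""Per-source token-bucket rate limiting (constructed example)."""
from collections import Counter, defaultdict

class TokenBucket:
    """Allows `burst` requests at once, then refills at `rate` tokens per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, then spend one token if available.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class SourceRateLimiter:
    """One bucket per source IP, so a single flooding source cannot starve others."""
    def __init__(self, rate=5.0, burst=10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.dropped = Counter()

    def check(self, src_ip, now):
        ok = self.buckets[src_ip].allow(now)
        if not ok:
            self.dropped[src_ip] += 1
        return ok

def simulate(events, rate=5.0, burst=10):
    """events: (time_seconds, src_ip) in time order; returns (allowed, dropped) per source."""
    limiter = SourceRateLimiter(rate, burst)
    allowed = Counter()
    for t, ip in sorted(events):
        if limiter.check(ip, t):
            allowed[ip] += 1
    return allowed, limiter.dropped

# Constructed traffic: a normal client at 2 req/s for 10 s, and one source
# sending 200 requests in 2 s (100 req/s).
NORMAL = "203.0.113.7"
FLOOD = "198.51.100.9"
SAMPLE = [(i * 0.5, NORMAL) for i in range(20)] + [(i * 0.01, FLOOD) for i in range(200)]

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

The normal client is never throttled, while the flooding source is held to roughly burst plus rate times elapsed time (about 20 of its 200 requests) and the rest are dropped.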
Case Studies

The New Year Attack
● It took place on December 31, 2005.
● New World Hacking took responsibility for this huge DDoS attack.
● They were capable of disrupting the BBC’s global website, along with Donald
Trump's website.
● The tool that was used to deploy these attacks is called BangStresser.
Hong Kong’s Democracy Attack
● It started in June 2014 in Hong Kong, directed against the Chinese
government. This movement is called Occupy Central.
● Occupy Central used this DDoS attack against the Chinese government
because they wanted a one man, one vote system when electing officials to
represent political office.
● This all led Occupy Central to push their DDoS attack forward, and it brought
down a major political website.
The DDoS Attack in India
● It took place in November 2016.
● It was one of the biggest attacks ever carried out against an ISP.
● The attack was of a huge magnitude of 200 gigabytes per second.
● This is the reason behind the recent slowing down of the internet experienced
by users around Mumbai.
● An FIR was filed against the DDoS attack with the Mumbai police.
Conclusion
● In conclusion, DDoS attacks pose a significant threat to online services, websites, and networks by overwhelming them with
a flood of malicious traffic, thereby disrupting their availability to legitimate users. These attacks can result in financial losses,
damage to reputation, and potentially severe consequences for affected organizations.

● To mitigate the impact of DDoS attacks, a multi-layered approach to prevention and response is essential. This includes
implementing traffic filtering and rate limiting, utilizing anomaly detection systems, leveraging content delivery networks
(CDNs) and web application firewalls (WAFs), maintaining scalable infrastructure, employing traffic scrubbing services,
managing IP reputation lists, establishing an incident response plan, implementing network segmentation, and continuously
monitoring and analyzing network traffic.

● By deploying these preventive measures and having robust response strategies in place, organizations can reduce their
susceptibility to DDoS attacks and minimize the potential damage caused by such incidents. However, as attackers
continually evolve their tactics and techniques, ongoing vigilance and adaptation are necessary to effectively defend against
this persistent threat.
THANK YOU!