Bandwidth Depletion Attacks

DDoS bandwidth depletion attacks can be classified into two classes: flood attacks and amplification attacks. A flood attack uses zombies to send large volumes of traffic to a compromised victim system in order to congest its bandwidth. An amplification attack likewise limits the victim system’s bandwidth, but with amplified malicious traffic: the zombies send messages to a broadcast IP address instead, causing the systems in the subnet reached by that broadcast IP address to send messages to the victim system.

Flood Attacks
During a DDoS flood attack, the zombies send large volumes of packets to the victim system, flooding it with IP traffic and preventing legitimate traffic from reaching the victim network. This slows the victim system down significantly and results in bandwidth saturation or even a system crash. Common types of flood attacks include Agent-Handler attacks and IRC-based attacks. The attacker compromises agents via the handlers, using automated routines to exploit vulnerabilities in programs that accept remote connections on the targeted remote hosts. Each handler can control up to a thousand agents.

User Datagram Protocol (UDP) Flood Attacks
Because UDP is a connectionless protocol, no handshake is required between sender and receiver when data packets are sent, so the receiver must process every packet it receives. When a large number of UDP packets are sent to a victim system, this can saturate its bandwidth and prevent legitimate service requests from reaching it.

During a DDoS UDP flood attack, UDP packets may be sent to random ports or to specified ports on the victim system. The victim system will try to process every data packet it receives to determine which application has requested the data. If no application is running on the targeted port, the victim system will send an ICMP packet carrying a “destination port unreachable” message to the sending system.

In some cases, attackers may spoof source IP addresses in order to hide the identity of the secondary victims and to ensure that return packets from the victim system are directed not back to the zombies but to another computer with the spoofed address. Sometimes, UDP flood attacks may also affect the bandwidth of the connections surrounding the victim system, which may cause systems connected near the victim system to experience connectivity issues. However, this depends on network architecture and line speed.
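The UDP flood behaviour described above can be recognised from per-second packet records. The following is an added example, not code from Nexusguard: it flags destinations whose inbound UDP rate crosses a threshold, separates random-port from specified-port floods, and counts the “destination port unreachable” replies the victim sends. The record layout, thresholds and addresses are assumptions made for the illustration.

```python
from collections import defaultdict

def sample_records():
    """Constructed records, not real traffic: (second, src, dst, proto, info).
    info is the destination port for UDP and "type/code" for ICMP."""
    victim, recs = "192.0.2.10", []
    for sec in range(3):                      # baseline: one DNS query per second
        recs.append((sec, "198.51.100.7", victim, "udp", 53))
    for i in range(400):                      # second 3: flood to random ports
        src = f"203.0.113.{i % 200 + 1}"
        recs.append((3, src, victim, "udp", 1024 + i * 37))
        if i % 2 == 0:                        # closed port -> ICMP port unreachable
            recs.append((3, victim, src, "icmp", "3/3"))
    for i in range(150):                      # second 5: flood to one specified port
        recs.append((5, f"203.0.113.{i % 10 + 1}", victim, "udp", 53))
    return recs

def detect_udp_floods(records, pps_limit=100, port_spread=50):
    """Return one alert per (second, destination) whose UDP count reaches pps_limit."""
    udp = defaultdict(lambda: {"pkts": 0, "ports": set(), "srcs": set()})
    unreachable = defaultdict(int)            # (second, sender) -> ICMP 3/3 replies sent
    for sec, src, dst, proto, info in records:
        if proto == "udp":
            bucket = udp[(sec, dst)]
            bucket["pkts"] += 1
            bucket["ports"].add(info)
            bucket["srcs"].add(src)
        elif proto == "icmp" and info == "3/3":
            unreachable[(sec, src)] += 1
    alerts = []
    for (sec, dst), b in sorted(udp.items()):
        if b["pkts"] < pps_limit:
            continue
        alerts.append({
            "second": sec, "victim": dst, "udp_pkts": b["pkts"],
            "pattern": "random-port" if len(b["ports"]) >= port_spread else "fixed-port",
            # Source counts are only a hint: the sources may be spoofed.
            "claimed_sources": len(b["srcs"]),
            # Replies the victim itself sent out, adding to its own upstream load.
            "port_unreachable_sent": unreachable[(sec, dst)],
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_udp_floods(sample_records()):
        print(alert)
```

A high count of port-unreachable replies alongside a random-port alert is the signature of the closed-port case described above; rate-limiting those replies on the victim keeps it from spending outbound bandwidth answering the flood.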

Internet Control Message Protocol (ICMP) Flood Attacks
DDoS ICMP flood attacks are characterized by zombie attackers sending large volumes of ICMP_ECHO_REPLY (or “ping”) packets to the victim system. ICMP packets are specifically designed to assist users in locating network equipment or determining the number of hops or the round-trip time from a source to its destination. During an ICMP attack, these malicious packets demand a reply from the victim system, which leads to bandwidth saturation of the victim’s network connections.





Copyright © 2011 Nexusguard Limited. All rights reserved.