Understanding Denial-of-Service Attacks Security Tip (ST04-015) (CISA.gov) Cybersecurity & Infrastructure Security Agency
Here are five network packet types and protocols commonly abused in DDoS attacks and guidance on how best to monitor them.
- Transmission Control Protocol Synchronize (TCP-SYN): This type of attack uses a flood of TCP SYN (the initial packets from client to server to establish a session) packets to consume enough server resources to render the system unresponsive to all legitimate traffic. Monitoring for significant increases in TCP SYN packets will show when a flood is incoming.
- Domain Name System (DNS): Monitoring DNS activity is essential to identifying early signs of a DNS flood DDoS attack. DNS uses two types of packets: DNS Request and DNS Response. To detect attacks, both types need to be independently monitored; in the case of a DDoS attack, the number of DNS Request packets will be considerably higher than the number of DNS Response packets and SecOps should be alerted when the ratio goes beyond a rational number.
- Application Flooding: Application attacks, such as an HTTP flood, target layer 7 in the OSI model rather than network infrastructure like DNS. They’re effective because they can consume both server and network resources, less traffic is required to cause disruption, and it’s difficult for defenders to tell the difference between attack traffic and legitimate traffic.
- User Datagram Protocol (UDP): UDP fragmentation, amplification and flooding attacks were the most common type of DDoS attack in 2020 according to F5 Networks. In these attacks, an attacker sends a valid UDP request packet listing the target’s IP as the UDP source IP address to a server, which sends back a much larger response to the target’s IP. By using UDP packets over 1,500 bytes in size, the attacker can force the packet to be fragmented (as ethernet MTU is 1,500 bytes). These techniques amplify the volume of traffic directed against the victim (hence the “flooding”). Monitoring for UDP traffic outside of normal levels, especially the protocols listed below that are ripe for abuse, will allow NetOps and IT teams to see when a UDP attack may be occurring.
- Internet Control Message Protocol (ICMP): ICMP is another transmission protocol that is susceptible to storms, so monitoring the overall throughput and count of ICMP packets will provide early warning of internal or external issues. ICMP Address Mask requests and ICMP Type 9 and Type 10 protocols can also be used to launch DoS and MitM attacks. To mitigate these attacks, IT should disallow ICMP route discovery and use digital signatures to block all type 9 and type 10 ICMP packets.
monitoring solution and packet capture (PCAP) storage
Ping of Death (a.k.a. PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command. By the end of the 90’s, operating systems made patches available for users to avoid the ping of death. Still, many sites block Internet Control Message Protocol (ICMP) ping messages at their firewalls to prevent any future variations of this kind of denial of service attack.
The first section focuses upon proactive threat detection
Malware (known, unknown, fileless, etc.)
Exploits of known vulnerabilities
Ransomware gaining access to your computer or device, and then locking and encrypting the data stored on it
Web application attacks such as cross site scripting (XSS) or SQL injection
Business email compromise
Denial of services (DoS) attacks
Credential theft
Advanced, multi-stage attacks involving lateral movement
Insider attacks (e.g., disgruntled employees, ransomware originating from inside the network)
Zero-day exploits of new and unknown vulnerabilities
Phishing attacks
Not sure
XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application’s database
he main difference between XSS and SQL injection is that XSS injects malicious code to the website, therefore, that code is executed in the users of the website, while SQL injection inserts the SQL code to a web form input field to obtain access and modify data.
The second section focuses upon agile threat response —that is, the technologies and processes in place at your organization to respond to a security or ransomware incident quickly, limiting its impact.
Pay the ransom directly
Have our cyber insurance pay the ransom
Restore from our standard backup solution
Restore from an offline/air-gapped vault
Not sure
Remediate and recover from a cybersecurity event
Managed service providers (MSPs)
IT infrastructure vendors
Cloud service providers (CSPs)
Backup/recovery vendors
XSS stands for Cross-Site Scripting. It is a common website attack that is capable of affecting the website as well as the users of the website. Attackers commonly use JavaScript to write malicious code in XSS. The code can steal user’s cookie details, change user settings, display various malware downloads and many more.