DDoS - From "Security Yearbook 2021"
Craig Kensek
Strategy | Corporate Marketing | Product Marketing | Marketing Management | Director | Communication | Cybersecurity
Place a firewall or other network defense in front of a server and it bears the brunt of the DDoS attack. But the firewall often fails, which accomplishes the attacker’s aim. Thus, specialized equipment evolved to handle those attacks.
One of the first and more elegant denial of service attacks took advantage of a weakness in TCP/IP. A SYN flood is a stream of connection requests to establish a TCP connection. The TCP socket on a server becomes overwhelmed because the short SYN requests, often from spoofed sources, are never acknowledged, leaving all available sockets open waiting for a response. Check Point Software quickly added SYN flood defense to Firewall-1. Later, as more DDoS methodologies were devised by attackers, specialized equipment was developed. Hardware appliances from Top Layer (rebranded Corero), Arbor Networks, and Radware would be deployed in front of the rest of the security stack. Often multiple DDoS defense devices with load balancers to multiply their power were required to squelch the flood of requests targeting the servers behind them.
But an appliance cannot stop an attack that fills the pipes in front of it. For that you need to build something special, something that Barrett Lyon was one of the first to create. Lyon was working at an IT consulting firm when one of their clients, Don Best Sports, came under fire from DDoS extortionists in Eastern Europe. Don Best provided a sports data service to Las Vegas casinos.
Lyon deployed a sufficient number of proxies in a data center and contracted with carriers to have large enough available bandwidth to counter the impending attacks and successfully warded them off.
Another type of attack, the GET flood, mimics thousands of web browsers requesting pages. This type of attack makes the web server work at maximum capacity, serving up its pages and effectively preventing legitimate traffic from getting through. Flood attacks using SYN and GET can be blocked if the source is known. Just block all traffic from a specific IP address.
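To make the half-open socket problem from the SYN flood passage concrete, here is an added example (not from the Yearbook or its author) that replays a constructed packet sample through a small backlog tracker and reports which sources a per-IP block, as the text suggests, would actually relieve. The backlog size, the per-source threshold and all addresses are assumed values.

```python
# Added example: minimal half-open TCP connection tracker. It shows why bare
# SYNs that are never acknowledged exhaust a listener's backlog, and separates
# a loud single source (blockable by IP) from a spread of spoofed sources.
from collections import Counter

# Constructed sample of packets as seen by the server: (source_ip, tcp_flags).
# Normal clients complete the handshake: SYN -> server SYN/ACK -> client ACK.
# Flood sources send a bare SYN and never answer the SYN/ACK.
SAMPLE_PACKETS = (
    [("10.0.0.5", "SYN"), ("10.0.0.5", "ACK")]
    + [("10.0.0.6", "SYN"), ("10.0.0.6", "ACK")]
    + [("203.0.113.9", "SYN")] * 40                        # one loud, unspoofed source
    + [(f"198.51.100.{i}", "SYN") for i in range(1, 31)]   # 30 spoofed sources, one SYN each
)
BACKLOG = 64            # assumed number of half-open entries the listener can hold
PER_SOURCE_LIMIT = 10   # assumed threshold above which a single IP is worth blocking


def track_half_open(packets):
    """Replay packets; return (half-open count per source, completed handshakes)."""
    half_open = Counter()
    completed = 0
    for src, flags in packets:
        if flags == "SYN":
            half_open[src] += 1      # server answered SYN/ACK and now waits for the ACK
        elif flags == "ACK" and half_open[src] > 0:
            half_open[src] -= 1      # handshake finished, backlog entry released
            completed += 1
    return half_open, completed


def assess(packets, backlog=BACKLOG, per_source_limit=PER_SOURCE_LIMIT):
    """Summarise backlog pressure and list sources that a per-IP block would help with."""
    half_open, completed = track_half_open(packets)
    total = sum(half_open.values())
    loud = sorted(src for src, n in half_open.items() if n >= per_source_limit)
    # Entries below the threshold are the distributed part: blocking them one by
    # one does not scale, which is the point the text makes about botnets.
    distributed = sum(n for n in half_open.values() if n < per_source_limit)
    return {
        "half_open": total,
        "completed": completed,
        "backlog_exhausted": total >= backlog,
        "block_candidates": loud,
        "distributed_half_open": distributed,
    }


def after_blocking(packets, blocked):
    """Re-run the assessment with traffic from the blocked sources dropped."""
    return assess([p for p in packets if p[0] not in blocked])
```

With the sample above the backlog of 64 is exhausted by 70 half-open entries; dropping the one loud source leaves 30 spoofed entries, which fit in the backlog but cannot be addressed by per-IP blocking.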
It did not take long for hackers to develop techniques for distributing their attacks among hundreds, thousands, and potentially millions of attacking hosts. One of the largest, the Mirai botnet, was comprised of one hundred thousand compromised IoT devices.
Another, attributed to North Korea, was a botnet recruited from compromised PCs by a worm. It was used to attack dozens of websites associated with the US and South Korea, including whitehouse.gov, cia.gov, and Korean banks. Recruiting hundreds of thousands of devices makes the task of identifying and blocking the sources almost impossible. These are the most effective attack techniques known, and can be very expensive to counter. The winner is usually the one with the most available bandwidth. - Richard Stiennon
Order now (bulk rates available): https://bit.ly/3sPC5Wb
“Security Yearbook 2021” is available only at the IT-Harvest site https://lnkd.in/gh889sR
Richard Stiennon is well known in the cybersecurity arena as an analyst and as an author. Other works: “Cyberwar”, “There will be Cyberwar” and “Security Yearbook 2020”.
3 years ago: Gil Shwed, David Cowan, Chris Blask, Ron Moritz, Barry Schrager, and Amit Yoran are among the double handful of contributors.