What type of attack is being performed when multiple computers overwhelm a system with fake requests?

An active attack is a network exploit in which a hacker attempts to make changes to data on the target or data en route to the target.

There are several different types of active attacks. However, in all cases, the threat actor takes some sort of action on the data in the system or the devices the data resides on. Attackers may attempt to insert data into the system or change or control data that is already in the system.

Types of active attacks

What follows are some of the most common types of active attacks.

Masquerade attack

In a masquerade attack, the intruder pretends to be a particular user of a system to gain access or to gain greater privileges than they are authorized for. Masquerade attacks are conducted in several different ways, including the following:

  • using stolen login identifications (IDs) and passwords;
  • finding security gaps in programs; and
  • bypassing the authentication process.

An attempt may come from an employee inside an organization or from an outside threat actor using a connection to the public network. Weak authentication can provide a point of entry for a masquerade attack and make it easy for an attacker to gain entry. If attackers successfully receive authorization and enter the network, depending on their privilege level, they may be able to modify or delete the organization's data. Or they may make changes to network configuration and routing information.

For example, an outside attacker can use spoofed Internet Protocol (IP) addresses to bypass the victim's firewall and gain access from an unauthorized source. To do this, the attacker may use a network sniffer to capture IP packets from the target machine. Another device is used to send a message to the firewall with the forged IP address. The firewall then permits access to the victim's machine.

In a masquerade attack, the threat actor sends a message that appears to come from a legitimate source.

Session hijacking attack

A session hijacking attack is also called a session replay attack. In it, the attacker takes advantage of a vulnerability in a network or computer system and replays the session information of a previously authorized system or user. The attacker steals an authorized user's session ID to get that user's login information. The attacker can then use that information to impersonate the authorized user.

A session hijacking attack commonly occurs over web applications and software that use cookies for authentication. With the use of the session ID, the attacker can access any site and any data that is available to the system or the user being impersonated.

In a hijacking attack, the threat actor gets a copy of a message and resends it to the recipient who is fooled into thinking it's coming from the original sender.

Message modification attack

In a message modification attack, an intruder alters packet header addresses to direct a message to a different destination or to modify the data on a target machine. Message modification attacks are commonly email-based attacks. The attacker takes advantage of security weaknesses in email protocols to inject malicious content into the email message. The attacker may insert malicious content into the message body or header fields.

With a message modification attack, the threat actor intercepts a message, changes it and then sends it on to the intended recipient.

DoS attack

In a denial-of-service (DoS) attack, the attackers overwhelm the victim's system, network or website with network traffic, making it difficult for legitimate users to access those resources. Two ways a DoS attack can occur include:

  1. Flooding. The attacker floods the target computer with internet traffic to the point that the traffic overwhelms the target system. The target system is unable to respond to any requests or process any data, making it unavailable to legitimate users.
  2. Malformed data. Rather than overloading a system with requests, an attacker may strategically send data that a victim's system cannot handle. For example, a DoS attack could corrupt system memory, manipulate fields in the network protocol packets or exploit servers.

In a distributed DoS (DDoS) exploit, large numbers of compromised systems -- also referred to as a botnet or zombie army -- attack a single target with a DoS attack. A DDoS uses multiple devices and locations to launch requests and overwhelm a victim's system in the same way a DoS attack does.

What are passive attacks?

Active attacks contrast with passive attacks, in which an unauthorized party monitors networks and sometimes scans for open ports and vulnerabilities. Passive attackers aim to collect information about the target; they don't steal or change data. However, passive attacks are often part of the steps an attacker takes in preparation for an active attack.

Examples of passive attacks include:

  • War driving. This is a wireless network reconnaissance method that involves driving or walking around with a laptop computer and portable Wi-Fi-enabled wireless Ethernet card to find unsecured wireless networks. Once found, these attackers use these networks to illegally access computers and steal confidential information.
  • Dumpster diving. This passive attack involves intruders searching for information on discarded devices or for notes containing passwords in trash bins. For example, the attacker can retrieve information from hard drives or other storage media that have not been properly erased.

How to prevent an active attack

There are several ways to counter an active attack, including the following techniques:

  • Firewalls and intrusion prevention systems (IPSes). Firewalls and IPSes are security systems designed to block unauthorized access to a network. A firewall is part of the network security infrastructure. It monitors all network traffic for suspicious activity and blocks any it identifies. It also has a list of trusted senders and receivers. Similarly, an IPS monitors network traffic for malicious activity and acts when an attack is detected.
  • Random session keys. A session key is a temporary key created during a communication session that is used to encrypt the data passed between two parties. Once the session ends, the key is discarded. This provides security because the keys are only valid for a specific time period, which means no one else can use them to access the data after the session has ended.
  • One-time passwords (OTPs). These passwords are automatically generated numeric or alphanumeric strings of characters that authenticate users. They are only valid for one use. OTPs often are used in combination with a username and password to provide two-factor authentication.
  • Kerberos authentication protocol. This authentication protocol is a system for authenticating users for network services based on trusted third parties. It was developed at the Massachusetts Institute of Technology in the late 1980s. Kerberos authentication is a way to prove to a network service that a user is who they say they are. It provides a single sign-on service that enables users to use the same login credentials (username and password) to access multiple applications.


In a distributed denial-of-service (DDoS) attack, multiple compromised computer systems attack a target and cause a denial of service for users of the targeted resource. The target can be a server, website or other network resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.

Many types of threat actors, ranging from individual criminal hackers to organized crime rings and government agencies, carry out DDoS attacks. In certain situations -- often ones related to poor coding, missing patches or unstable systems -- even legitimate, uncoordinated requests to target systems can look like a DDoS attack when they are just coincidental lapses in system performance.

How do DDoS attacks work?

In a typical DDoS attack, the assailant exploits a vulnerability in one computer system, making it the DDoS master. The attack master system identifies other vulnerable systems and gains control of them by infecting them with malware or bypassing the authentication controls through methods like guessing the default password on a widely used system or device.

A computer or network device under the control of an intruder is known as a zombie, or bot. The attacker creates what is called a command-and-control server to command the network of bots, also called a botnet. The person in control of a botnet is referred to as the botmaster. That term has also been used to refer to the first system recruited into a botnet because it is used to control the spread and activity of other systems in the botnet.

Botnets can be composed of almost any number of bots; botnets with tens or hundreds of thousands of nodes have become increasingly common. There may not be an upper limit to their size. Once the botnet is assembled, the attacker can use the traffic generated by the compromised devices to flood the target domain and knock it offline.

The target of a DDoS attack is not always the sole victim because DDoS attacks involve and affect many devices. The devices used to route malicious traffic to the target may also suffer a degradation of service, even if they aren't the main target.

Botnets are a key tool in IoT-based DDoS attacks, but they also can be used for other malicious activities.

Types of DDoS attacks

There are three main types of DDoS attacks:

  1. Network-centric or volumetric attacks. These overload a targeted resource by consuming available bandwidth with packet floods. An example of this type of attack is a domain name system amplification attack, which makes requests to a DNS server using the target's Internet Protocol (IP) address. The server then overwhelms the target with responses.
  2. Protocol attacks. These target network layer or transport layer protocols using flaws in the protocols to overwhelm targeted resources. A SYN flood attack, for example, sends the target IP addresses a high volume of "initial connection request" packets using spoofed source IP addresses. This drags out the Transmission Control Protocol handshake, which is never able to finish because of the constant influx of requests.
  3. Application layer attacks. Here, the application services or databases get overloaded with a high volume of application calls. The inundation of requests causes a denial of service. One example of this is a Hypertext Transfer Protocol (HTTP) flood attack, which is the equivalent of refreshing many webpages over and over simultaneously.

Internet of things and DDoS attacks

The devices constituting the internet of things (IoT) may be useful to legitimate users, but in some cases, they are even more helpful to DDoS attackers. The IoT-connected devices include any appliance with built-in computing and networking capacity, and all too often, these devices are not designed with security in mind.

IoT-connected devices expose large attack surfaces and often pay minimal attention to security best practices. For example, devices are often shipped with hardcoded authentication credentials for system administration, making it simple for attackers to log in to the devices. In some cases, the authentication credentials cannot be changed. Devices also often ship without the capability to upgrade or patch the software, further exposing them to attacks that use well-known vulnerabilities.

IoT botnets are increasingly being used to wage massive DDoS attacks. In 2016, the Mirai botnet was used to attack the domain name service provider Dyn; attack volumes were measured at over 600 gigabits per second. Another late 2016 attack unleashed on OVH, the French hosting firm, peaked at more than 1 terabit per second. Many IoT botnets since Mirai use elements of its code. The dark_nexus IoT botnet is one example.

Identifying DDoS attacks

DDoS attack traffic essentially causes an availability issue. Availability and service issues are normal occurrences on a network. It's important to be able to distinguish between those standard operational issues and DDoS attacks.

Sometimes, a DDoS attack can look mundane, so it is important to know what to look for. A detailed traffic analysis is necessary to first determine if an attack is taking place and then to determine the method of attack.

Examples of network and server behaviors that may indicate a DDoS attack are listed below. One or a combination of these behaviors should raise concern:

  • One or several specific IP addresses make many consecutive requests over a short period.
  • A surge in traffic comes from users with similar behavioral characteristics, for example, a lot of traffic from users of similar devices, from a single geographical location or from the same browser.
  • A server times out when attempting to test it using a pinging service.
  • A server responds with a 503 HTTP error response, which means the server is either overloaded or down for maintenance.
  • Logs show a strong and consistent spike in bandwidth. Bandwidth should remain even for a normally functioning server.
  • Logs show traffic spikes at unusual times or in an unusual sequence.
  • Logs show unusually large spikes in traffic to one endpoint or webpage.
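The indicators above can be checked mechanically. The following is an added example, not code from the original article: it runs several of the listed heuristics (many requests from one IP, traffic concentrated on one endpoint, a high share of HTTP 503 responses) over a constructed, simplified access log. The log format, thresholds and IP addresses are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not real traffic), one request per line:
# client_ip  second  "request line"  status  bytes_sent
SAMPLE_LOG = """\
198.51.100.9 1 "GET / HTTP/1.1" 200 1200
203.0.113.7 1 "GET /api/search HTTP/1.1" 200 480
203.0.113.7 1 "GET /api/search HTTP/1.1" 200 480
203.0.113.7 1 "GET /api/search HTTP/1.1" 503 120
203.0.113.7 2 "GET /api/search HTTP/1.1" 503 120
203.0.113.7 2 "GET /api/search HTTP/1.1" 503 120
203.0.113.7 2 "GET /api/search HTTP/1.1" 503 120
198.51.100.10 2 "GET /about HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) (\d+) "[A-Z]+ (\S+) [^"]*" (\d{3}) (\d+)$')

def parse_log(text):
    """Parse the simplified format into dicts; malformed lines are skipped."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ip, sec, path, status, nbytes = m.groups()
        records.append({"ip": ip, "sec": int(sec), "path": path,
                        "status": int(status), "bytes": int(nbytes)})
    return records

def ddos_indicators(records, per_ip_limit=5, endpoint_share=0.6, error_share=0.3):
    """Return one finding string per indicator that fires on the records."""
    findings = []
    total = len(records)
    if total == 0:
        return findings
    # Indicator: a single IP making many requests in a short period.
    for ip, n in Counter(r["ip"] for r in records).items():
        if n > per_ip_limit:
            findings.append(f"{ip} made {n} requests (limit {per_ip_limit})")
    # Indicator: traffic concentrated on one endpoint or page.
    path, n = Counter(r["path"] for r in records).most_common(1)[0]
    if n / total >= endpoint_share:
        findings.append(f"{n}/{total} requests target {path}")
    # Indicator: the server answering HTTP 503 (overloaded) for many requests.
    errors = sum(r["status"] == 503 for r in records)
    if errors / total >= error_share:
        findings.append(f"{errors}/{total} responses were HTTP 503")
    return findings
```

On a real server the thresholds would be tuned against a baseline of normal traffic, since a popular page or a proxy fronting many users can trip the simple ratios used here.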

These behaviors can also help determine the type of attack. If they are on the protocol or network level -- for example, the 503 error -- they are likely to be a protocol-based or network-centric attack. If the behavior shows up as traffic to an application or webpage, it may be more indicative of an application-level attack.

In most cases, it is impossible for a person to track all the variables necessary to determine the type of attack, so it is necessary to use network and application analysis tools to automate the process.

The signs of a distributed denial-of-service attack are like those of a denial-of-service attack.

DDoS defense and prevention

DDoS attacks can create significant business risks with lasting effects. Therefore, it is important to understand the threats, vulnerabilities and risks associated with DDoS attacks.

Once underway, it is nearly impossible to stop these attacks. However, the business impact of these attacks can be minimized through some core information security practices. These include performing ongoing security assessments to look for and resolve DoS-related vulnerabilities and using network security controls, including services from cloud service providers specializing in responding to DDoS attacks.

In addition, solid patch management practices, email phishing testing and user awareness, and proactive network monitoring and alerting can help minimize an organization's contribution to DDoS attacks across the internet.

Examples of DDoS attacks

Besides the IoT-based DDoS attacks mentioned earlier, other recent DDoS attacks include the following:

Although DDoS attacks are relatively cheap and easy to implement, they vary widely in complexity and can have a severe impact on the businesses or organizations targeted. Learn how businesses can prevent these attacks by buying a service from an internet service provider, using a content delivery network and deploying an in-house intrusion prevention system.