DDoS attacks: attack types and OSI model layers

The fundamental concepts of cyber security are availability, integrity and confidentiality. Denial of Service (DoS) attacks affect the availability of information resources. A denial of service is considered successful if it has made an information resource unavailable. Attacks differ in how much damage they inflict on the victim: for example, if an online store is attacked, a long-term denial of service can cause financial losses to the company. In each case, DoS activity either directly causes harm or creates a threat and a potential risk of losses.

The first D in DDoS means distributed: a distributed denial of service attack. In this case, we are talking about a huge mass of malicious requests coming to the victim's server from many different places. Typically, such attacks are organized through botnets.

In this article we will look at the types of DDoS traffic and the types of DDoS attacks that exist. For each type of attack, brief recommendations are given on how to prevent it and restore security.

Types of DDoS traffic

The simplest type of traffic is HTTP requests. Any visitor communicates with your site through a browser using such requests. Each request starts with HTTP headers.

HTTP headers. HTTP headers are fields that describe which particular resource is being requested, for example a URL, a form or a JPEG image. HTTP headers also tell the web server which browser type is being used. The most common HTTP headers are Accept, Accept-Language and User-Agent.

The requester can use as many headers as necessary and give them the desired values. DDoS attackers can manipulate these and many other HTTP headers, making their requests difficult to distinguish from legitimate ones when trying to detect an attack. In addition, HTTP headers can be written in such a way as to control caching and proxy services; for example, a request can tell the proxy server not to cache the response.

HTTP GET:

  • An HTTP(S) GET request is a method that requests information from the server. Such a request may ask the server to send a file, image, page or script for display in the browser.
  • An HTTP(S) GET flood is an application-level (layer 7 of the OSI model) DDoS attack method in which an attacker sends a powerful stream of requests to the server in order to exhaust its resources. As a result, the server cannot respond to the malicious requests, nor to the legitimate requests from real clients.

HTTP POST:

  • An HTTP(S) POST request is a method in which data is placed in the request body for subsequent processing on the server. An HTTP POST request encodes the transmitted information, puts it in a form and sends this content to the server. This method is used when large amounts of information or files need to be transferred.
  • An HTTP(S) POST flood is a type of DDoS attack in which the number of POST requests overwhelms the server so that it is unable to respond to all requests. This can lead to extremely high utilization of system resources and, subsequently, to a crash of the server.

Each of the HTTP requests described above can be transmitted over HTTPS. In this case, all data transferred between the client (the attacker) and the server is encrypted. It turns out that the “security” here plays into the hands of attackers: in order to detect a malicious request, the server must first decrypt it. Thus the server has to decrypt the entire stream of requests, and there are a lot of them during a DDoS attack. This creates an additional load on the victim server.
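The GET and POST floods described above are hard to tell apart from normal traffic one request at a time; what gives them away is the request rate per client. The following Python script is an added example (not code from the original article) that parses access-log lines in the Common Log Format, counts requests per client IP in a sliding time window and reports the clients whose peak rate exceeds a threshold, broken down by HTTP method so that a POST flood is visible separately from a GET flood. The log lines, the addresses 198.51.100.7 and 192.0.2.10, the window of 10 seconds and the threshold of 50 requests are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
# 192.0.2.10 - - [15/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts.timestamp(),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}


def detect_floods(lines, window=10.0, threshold=50):
    """Sliding-window request counting per client IP.

    Returns {ip: {"peak": max requests seen in any `window` seconds,
                  "methods": {method: count}}} for every IP whose peak
    exceeds `threshold`. The method breakdown separates GET from POST floods."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)                    # ip -> timestamps inside the window
    peak = defaultdict(int)
    methods = defaultdict(lambda: defaultdict(int))
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:       # evict timestamps that left the window
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
        methods[e["ip"]][e["method"]] += 1
    return {ip: {"peak": p, "methods": dict(methods[ip])}
            for ip, p in peak.items() if p > threshold}


def make_sample_log():
    """Constructed log: one client hammering /search with GETs, one browsing normally."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):                            # 120 requests in about 6 seconds
        t = (base + timedelta(seconds=i * 0.05)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{t}] "GET /search?q={i} HTTP/1.1" 200 512')
    for i in range(8):                              # 8 requests spread over a minute
        t = (base + timedelta(seconds=i * 8)).strftime(fmt)
        lines.append(f'192.0.2.10 - - [{t}] "GET /index.html HTTP/1.1" 200 2048')
    lines.append("this line is not a valid log entry")   # malformed input is skipped
    return lines


if __name__ == "__main__":
    for ip, info in detect_floods(make_sample_log()).items():
        print(f"{ip}: peak {info['peak']} requests / 10 s, methods {info['methods']}")
```

On the constructed log only 198.51.100.7 is reported (120 requests inside one 10-second window); the normal client peaks at 2 and stays below the threshold. In production the threshold has to be tuned per site, and clients behind a shared NAT or proxy will look like a single high-rate IP, so this counting is a triage signal rather than a blocking decision on its own.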

A SYN flood (TCP/SYN) establishes half-open connections to the host. When the victim receives a SYN packet on an open port, it must send a SYN-ACK packet in response and wait for the connection to be established. After that, the initiator sends an ACK packet back to the recipient. This process is called the handshake. During a SYN flood attack, however, the handshake is never completed because the attacker does not respond to the victim server's SYN-ACK. Such connections remain half-open until the timeout expires; the connection queue fills up and new clients cannot connect to the server.
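The resource a SYN flood exhausts is the queue of half-open connections, and the SYN cookie mentioned later in this article as a firewall protection works by not keeping that queue at all. The Python model below is an added example (not code from the original article) that contrasts the two: a classic backlog of fixed size with a half-open timeout, and a stateless server that derives its initial sequence number from an HMAC over the client address, port and a coarse timestamp, so that a genuine client's ACK (carrying ISN+1) can be verified without any stored state. The backlog size of 8, the 30-second timeout, the secret key and the addresses 198.51.100.7 and 192.0.2.10 are constructed for the demonstration; real kernels use different cookie encodings and larger queues.

```python
import hashlib
import hmac
from collections import OrderedDict

BACKLOG_SIZE = 8          # slots in the classic SYN backlog (small, for the demo)
HALF_OPEN_TIMEOUT = 30.0  # seconds a half-open connection is kept before being dropped


class HalfOpenQueue:
    """Classic SYN backlog: every unanswered SYN holds a slot until the ACK arrives
    or the half-open timeout expires. This is the state a SYN flood exhausts."""

    def __init__(self, size=BACKLOG_SIZE, timeout=HALF_OPEN_TIMEOUT):
        self.size = size
        self.timeout = timeout
        self.pending = OrderedDict()  # (src_ip, src_port) -> time the SYN arrived

    def expire(self, now):
        # Drop half-open entries whose timeout has passed.
        for key, arrived in list(self.pending.items()):
            if now - arrived > self.timeout:
                del self.pending[key]

    def on_syn(self, src, now):
        self.expire(now)
        if len(self.pending) >= self.size:
            return False  # backlog full: the SYN is dropped, the client sees no SYN-ACK
        self.pending[src] = now
        return True

    def on_ack(self, src, now):
        # The handshake completes only if the half-open entry still exists.
        return self.pending.pop(src, None) is not None


class SynCookieServer:
    """Stateless alternative: the server derives its initial sequence number (ISN)
    from a keyed hash of the client address, client port and a coarse timestamp.
    A genuine client echoes ISN+1 in its ACK, which the server recomputes and
    verifies without having stored anything for the half-open connection."""

    def __init__(self, secret):
        self.secret = secret  # constructed secret; rotate it in a real deployment

    def cookie(self, src, minute):
        msg = f"{src[0]}:{src[1]}:{minute}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")  # 32-bit value fits the TCP ISN field

    def on_syn(self, src, now):
        # Nothing is stored; the cookie is sent back as the ISN in the SYN-ACK.
        return self.cookie(src, int(now // 60))

    def on_ack(self, src, ack_num, now):
        minute = int(now // 60)
        # Accept the current and previous minute so a handshake crossing a boundary still succeeds.
        return any(ack_num == (self.cookie(src, m) + 1) & 0xFFFFFFFF
                   for m in (minute, minute - 1))


def simulate(attacker_syns, legit_clients, use_cookies):
    """Return how many legitimate clients complete the handshake while an attacker
    (constructed address 198.51.100.7) sends SYNs and never answers the SYN-ACK."""
    now = 1000.0
    accepted = 0
    if use_cookies:
        srv = SynCookieServer(b"constructed-demo-secret")
        for i in range(attacker_syns):
            srv.on_syn(("198.51.100.7", 40000 + i), now)  # no ACK ever follows
        for i in range(legit_clients):
            src = ("192.0.2.10", 50000 + i)
            isn = srv.on_syn(src, now)
            if srv.on_ack(src, (isn + 1) & 0xFFFFFFFF, now + 0.1):
                accepted += 1
    else:
        q = HalfOpenQueue()
        for i in range(attacker_syns):
            q.on_syn(("198.51.100.7", 40000 + i), now)
        for i in range(legit_clients):
            src = ("192.0.2.10", 50000 + i)
            if q.on_syn(src, now) and q.on_ack(src, now + 0.1):
                accepted += 1
    return accepted


if __name__ == "__main__":
    print("backlog only :", simulate(20, 5, use_cookies=False), "of 5 clients connected")
    print("SYN cookies  :", simulate(20, 5, use_cookies=True), "of 5 clients connected")
```

With 20 unanswered attacker SYNs the 8-slot backlog is full and none of the 5 legitimate clients get through until the timeout expires; with cookies all 5 connect because no per-SYN state exists to exhaust. The price of cookies is that TCP options negotiated in the SYN (window scaling, selective acknowledgement) cannot be remembered, which is why operating systems enable them only once the backlog overflows.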

UDP floods are often used for large-scale DDoS attacks because of the connectionless nature of UDP and the simplicity of creating UDP (IP protocol 17) messages in various programming languages.

ICMP flood. The Internet Control Message Protocol (ICMP) is used primarily for error reporting and diagnostic messages, not for data transmission. ICMP packets can accompany TCP packets when connecting to a server. An ICMP flood is a DDoS attack method at layer 3 of the OSI model that uses ICMP messages to overload the network channel of the target.

A MAC flood is a rare attack type in which an attacker sends many empty Ethernet frames with different source MAC addresses. Network switches treat each MAC address separately and create a separate entry for it in their internal tables. When all the memory on the switch is used up, it either stops responding or turns off. On some types of routers, a MAC flood attack may cause entire routing tables to be removed, disrupting the operation of the entire network.

Classification and objectives of DDoS attacks by OSI layers

Network communication on the Internet is described using the OSI network model. In total, the model has 7 layers that cover all communication environments: from the physical medium (layer 1) to the application layer (layer 7), at which computer programs “communicate” with each other.

OSI Layer 7: Application

Data type: Data
Layer description: Start of data packet creation. Connection and access to data. Application protocols such as FTP, SMTP, Telnet, RAS
Protocols: FTP, HTTP, POP3, SMTP, and gateways that use them
Examples of DoS technology: PDF GET requests, HTTP GET, HTTP POST (web site forms: login, uploading photos / videos, feedback confirmation)
Consequences of DDoS attacks: Lack of resources. Excessive utilization of system resources by the services running on the attacked server.

What to do: Application monitoring - systematic monitoring of software using a specific set of algorithms, technologies and approaches (depending on the platform on which the software runs) to detect application-level (layer 7) attacks, including those that exploit 0-day vulnerabilities. Once an attack is identified, it can be stopped and prevented in the future, and its origin can be tracked. Mitigating attacks at this layer is rather simple.

OSI Layer 6: Presentation

Data type: Data
Layer description: Transmission of data from source to recipient
Protocols: Data compression and encoding protocols (ASCII, EBCDIC)
Examples of DoS technology: Fake SSL encryption requests. Processing SSL-encrypted packets is very resource intensive, so attackers use SSL to carry out HTTP attacks on the victim's server
Consequences of DDoS attacks: Attacked systems may stop accepting SSL connections or automatically restart

What to do: To reduce harm, consider distributing the SSL encryption infrastructure (i.e. performing SSL encryption on a separate server, if possible) and inspecting application traffic for attacks or policy violations on the application platform. A reliable platform ensures that the traffic is re-encrypted and sent back to the original infrastructure, with the decrypted content held only in the secure memory of the bastion node.

OSI Layer 5: Session

Data type: Data
Layer description: Management of connection setup and termination, session synchronization within an operating system via the network (for example, when logging in / out)
Protocols: Login / logout protocols (RPC, PAP)
Examples of DoS technology: An attack on the Telnet protocol exploits vulnerabilities in the Telnet server software on a switch, making the server inaccessible.
Consequences of DDoS attacks: Makes it impossible for the administrator to control the switch.

What to do: Keep the firmware of the hardware up to date to reduce the risk of this threat.

OSI Layer 4: Transport

Data type: Segments
Layer description: Ensuring error-free transmission of information between nodes; control of the transmission of messages from layers 1 to 3
Protocols: TCP, UDP
Examples of DoS technology: SYN flood, Smurf attack (an attack using ICMP requests with spoofed source addresses)
Consequences of DDoS attacks: Exceeding the limits of communication link bandwidth or of the number of allowed connections; disruption of network equipment operation.

What to do: Filtering DDoS traffic, known as blackholing, is a method often used by providers to protect customers. However, this approach makes the client’s site inaccessible both to the attacker’s traffic and to the users’ legitimate traffic. Despite that, providers use access blocking to fight DDoS attacks and protect customers from threats such as the slowdown of network equipment and the failure of services.

OSI Layer 3: Network

Data type: Packets
Layer description: Routing and transmission of information between different networks
Protocols: IP, ICMP, ARP, RIP
Examples of DoS technology: ICMP flood - DDoS attacks on the third layer of the OSI model that use ICMP messages to overload the capacity of the target network
Consequences of DDoS attacks: Reduced bandwidth, target network congestion and possible firewall overload

What to do: Limit the number of ICMP requests that are processed to reduce the ability of this traffic to affect firewall performance and available Internet bandwidth.

OSI Layer 2: Data link

Data type: Frames
Layer description: Establishing and maintaining transmission over the physical-layer links
Protocols: 802.3, 802.5, as well as the controllers, access points and bridges that use them.
Examples of DoS technology: MAC flood - overflowing network switching hardware with data packets
Consequences of DDoS attacks: Data streams from the sender to the receiver block the operation of all ports on the receiver’s end.

What to do: Many modern switches can be configured to allow only those MAC addresses that have passed through an authentication, authorization and accounting (AAA) server and are trusted.
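To make the MAC flood and its mitigation concrete, here is an added Python model (not code from the original article, and not any vendor's implementation) of a learning switch. Its CAM table maps source MAC to port and has a fixed capacity, which is what a flood of frames with distinct source addresses exhausts; once the table is full, addresses of legitimate hosts can no longer be learned and frames to them are flooded out of every port, which is the loss of switching the article describes. The same model with port security enabled caps the number of addresses learned per port and shuts the offending port on violation, a common complement to the AAA-based admission the article recommends. The capacity of 8 entries, the per-port limit of 2 and the MAC addresses are constructed for the demonstration.

```python
from collections import OrderedDict, defaultdict


class Switch:
    """Toy learning switch. The CAM table (mac -> port) has a fixed capacity, the
    resource a MAC flood exhausts. Optional port security caps the number of MACs
    learned on one port and err-disables the port on violation (constructed model)."""

    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam = OrderedDict()            # source MAC -> port it was learned on
        self.capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.shutdown_ports = set()
        self.violations = []                # (port, offending MAC) records for the operator

    def macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, src_mac, port):
        """Process the source address of an incoming frame and report what happened."""
        if port in self.shutdown_ports:
            return "dropped"                # err-disabled port: frame discarded
        if src_mac in self.cam:
            return "known"
        if (self.max_macs_per_port is not None
                and self.macs_on(port) >= self.max_macs_per_port):
            self.violations.append((port, src_mac))
            self.shutdown_ports.add(port)   # port security: shut the offending port
            return "violation"
        if len(self.cam) >= self.capacity:
            return "cam_full"               # no free entry: this address is never learned
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Unicast to the learned port, or flood out every port if the address is unknown."""
        return self.cam.get(dst_mac, "flood")


def simulate(port_security):
    """Attacker on port 3 sends 50 frames with distinct source MACs; afterwards legitimate
    host B (port 2) sends a frame and the switch must deliver a frame addressed to B."""
    sw = Switch(cam_capacity=8, max_macs_per_port=2 if port_security else None)
    outcomes = defaultdict(int)
    for i in range(50):
        outcomes[sw.learn(f"02:00:00:00:00:{i:02x}", 3)] += 1   # constructed attacker MACs
    sw.learn("aa:bb:cc:dd:ee:02", 2)                           # host B announces itself
    return {
        "frame_to_B": sw.forward("aa:bb:cc:dd:ee:02"),          # 2 if switched, "flood" if not
        "cam_entries": len(sw.cam),
        "attacker_port_shut": 3 in sw.shutdown_ports,
        "attacker_outcomes": dict(outcomes),
    }


if __name__ == "__main__":
    print("no port security :", simulate(port_security=False))
    print("port security    :", simulate(port_security=True))
```

Without port security the attacker's first 8 addresses fill the table, the remaining 42 are rejected, host B cannot be learned and the frame to B is flooded to all ports. With a limit of 2 addresses per port the third attacker address trips a violation, port 3 is shut, the rest of the flood is dropped and the frame to B is switched to port 2 as normal. The `violations` list is what a real switch would export as a log or SNMP trap, which is the detection signal worth forwarding to monitoring.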

OSI Layer 1: Physical

Data type: Bits
Layer description: Binary data
Protocols: 100BaseT, 1000Base-X, as well as the hubs, sockets and patch panels that use them
Examples of DoS technology: Physical destruction of network equipment or physical disruption of network management facilities
Consequences of DDoS attacks: Network equipment becomes unusable and needs to be repaired to resume operation.

What to do: Use a systematic approach to monitoring the operation of physical network equipment.

Mitigation of large-scale DoS / DDoS attacks

Although an attack is possible at any layer, attacks at layers 3, 4 and 7 of the OSI model are the most popular.

  • DDoS attacks at layers 3 and 4 - infrastructure attacks - are attack types based on a large volume of traffic (flood) at the network and transport layers in order to slow down the web server, “fill” the channel and ultimately prevent other users from accessing the resource. These types of attacks typically include ICMP, SYN and UDP floods.
  • A DDoS attack at layer 7 is an attack that overloads specific elements of the application server infrastructure. Layer 7 attacks are particularly stealthy and difficult to detect because they resemble legitimate web traffic. Even the simplest layer 7 attacks, for example attempts to log in with random usernames and passwords or repeated random searches on dynamic web pages, can critically load the CPU and databases. DDoS attackers can also repeatedly change the signatures of layer 7 attacks, making them even more difficult to recognize and mitigate.

Device   | Layers | Optimized for                        | DDoS protection
Firewall | 4-7    | Flow inspection, deep inspection     | Screens, session limits, SYN cookies
Router   | 3-4    | Packet inspection, frame inspection  | Line access control lists, rate limiting

Some actions and equipment to mitigate attacks:

  • Dynamic packet inspection on firewalls
  • Dynamic SYN proxy mechanisms
  • Limiting the number of SYNs per second for each IP address
  • Limiting the number of SYNs per second for each remote IP address
  • Configuring screens on the firewall against ICMP floods
  • Configuring screens on the firewall against UDP floods
  • Rate limiting on the routers adjacent to the firewall and the protected network