Main types of attacks and types of vulnerabilities. Service identification or port scanning


This lecture discusses some types of attacks on the information resources of businesses that exploit specific vulnerabilities. Quite often the entry point for an attack is a public web site, through which an attacker can gain access to areas of the site intended for a limited number of persons, and to sensitive data.

Guessing (brute force; "selection" in the original) is an automated trial-and-error process used to guess a username, password, credit card number, encryption key, etc. There are two types of guessing: direct and reverse. In direct guessing, various password candidates are tried for one username. In reverse guessing, the attacker cycles through different usernames while the password remains unchanged.

The traditional method of fighting password guessing is to limit the number of incorrect password entries. There are many ways to implement this idea, from the simplest, a static restriction such as no more than three errors, to more complex dynamic schemes with an increasing lockout period between requests.

Insecure password recovery. This vulnerability occurs when the Web server allows an attacker to obtain, modify, or recover other users' passwords without authorization. For example, many servers require the user to provide his e-mail address in combination with his home address and phone number. This information can easily be obtained from online directories, so the data used for verification is not much of a secret. Additionally, this information could be obtained by an attacker using other methods, such as cross-site scripting or phishing.

The most effective solution is the following: the user clicks the “Recover Password” button and is taken to a page where he is asked for his login and the mailbox specified during registration. Next, a notification about the password recovery request and a unique, pseudo-randomly generated link to the password change page are sent to that mailbox. In this case, only the owner of the mailbox to which the account is registered can change the password.

Insufficient authorization. Occurs when a Web server allows an attacker to access important information or functions to which access should be restricted. Just because a user is authenticated does not mean that they should have access to all of the server's features and contents.

For example, some servers, after authentication, store the user's "role" identifier within the Web application in cookies or hidden fields. If access control relies on this parameter alone, without verifying role membership on every request, an attacker can escalate their privileges simply by modifying the cookie value. The countermeasure is a clear delimitation of users' rights and of what each user is allowed to do.



No session timeout. If the session ID or credentials do not have a timeout or their timeout value is too high, an attacker can use the old login credentials.

For example, when using a public computer, where several users have unrestricted physical access to the machine, the absence of a session timeout allows an attacker to view pages visited by another user. The method of combating this is to limit the session timeout.

Cross-site scripting (XSS). The presence of an XSS vulnerability allows an attacker to send executable code to the server, which is then relayed to the user's browser. This code is usually written in HTML/JavaScript, but VBScript, ActiveX, Java, Flash, or other browser-supported technologies can be used. The transmitted code is executed in the security context (or security zone) of the vulnerable server. Using these privileges, the code is able to read, modify, or transmit sensitive data accessible through the browser.

There are two types of cross-site scripting attacks: persistent (stored) and non-persistent (reflected). The main difference between them is that in the reflected variant the code is transferred to the server and returned to the client within one HTTP request, and in the stored variant within different ones. Performing a non-persistent attack requires the user to follow a link crafted by the attacker (the link can be sent via e-mail, ICQ, etc.). As the site loads, the code embedded in the URL or request headers is passed to the client and executed in their browser. The stored type of vulnerability occurs when code is transferred to the server and stored on it for a certain period of time. The most popular targets in this case are forums, web-based mail and chats. The user does not have to follow a link; it is enough to visit the vulnerable site.

You can check a site for an XSS vulnerability by passing HTML code containing JavaScript to any input field. For example:

"><script>alert()</script>

If a dialog box appears, the JavaScript alert() has executed, which means arbitrary script could be executed in the user's browser in the same way.

At the moment this is the most common type of attack. With the growing popularity of Web 2.0, the Internet is filled with all kinds of feedback forms, and unfortunately many of them are not filtered properly; forms that allow some tags or formatting constructs are especially difficult to handle. The only real protection against XSS is thorough analysis and filtering of the data received in requests.

SQL injection (injection of SQL statements). These attacks are aimed at Web servers that build SQL queries to DBMS servers from data entered by the user. If the information received from the client is not properly validated, the attacker is able to modify the SQL query sent by the application. The query will be executed with the same level of privileges as the application component executing it (DBMS server, Web server, etc.). As a result, an attacker can gain full control of the DBMS server and even its operating system.

The possibility of an attack arises when an SQL query to the database is formed in the code of a Web page by concatenating the fixed part of the query with the user-supplied value. For example, the Web page code contains the following:

"Select * from Students where firstname = '" + name + "';"

In the standard use case, the query should return all the information from the Students table for the students with the name stored in the name variable. But what happens if, instead of a name, the name variable contains an SQL query that modifies the data and database schema?

Another example comes from the field of automatic license plate recognition (the illustration from the lecture is not reproduced in this text):

The countermeasures are careful filtering (validation) of the received data and differentiation of access rights to the database.
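The following Python example is added here and is not part of the lecture: it builds the lecture's Students query the vulnerable way, beside a parameterised version, and runs both against a constructed in-memory SQLite table (the table contents and column names are assumptions made for the example).

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not data from the lecture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER, firstname TEXT, grade TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?)",
                     [(1, "Anna", "A"), (2, "Boris", "B"), (3, "Clara", "C")])
    return conn


def find_students_vulnerable(conn, name):
    """The lecture's construction: the user value is glued into the SQL text,
    so whatever the value contains is parsed as part of the query."""
    query = "Select * from Students where firstname = '" + name + "';"
    return conn.execute(query).fetchall()


def find_students_safe(conn, name):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    return conn.execute("Select * from Students where firstname = ?;", (name,)).fetchall()


def apostrophe_breaks_vulnerable_query(conn, name="O'Brien"):
    """A legitimate name with an apostrophe already breaks the concatenated query:
    the same parsing confusion that a crafted value exploits."""
    try:
        find_students_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology: closes the string literal and appends an always-true condition.
    crafted = "x' OR '1'='1"
    print("vulnerable:", find_students_vulnerable(db, crafted))  # every row of the table
    print("safe:      ", find_students_safe(db, crafted))        # no student with that literal name
    print("apostrophe breaks the vulnerable query:", apostrophe_breaks_vulnerable_query(db))
```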

Denial of Service (DoS). This class of attacks is aimed at disrupting the availability of the Web server. Typically, denial of service attacks are carried out at the network level, but they can also be aimed at the application layer. Using the functions of a Web application, an attacker can exhaust critical system resources or exploit a vulnerability that causes the system to stop functioning. DoS attacks are typically aimed at depleting critical system resources such as computing power, RAM, disk space or the bandwidth of communication channels. If any of the resources reaches maximum load, the entire application becomes unavailable. Attacks can be directed at any of the components of the Web application, for example the DBMS server, the authentication server, etc.

The means of protection are code optimization and the introduction of restrictions on the amount of data sent per unit of time.

Additional literature: http://www.intuit.ru/department/internet/mwebtech/

Kaspersky Internet Security protects your computer from network attacks.

A network attack is an intrusion into the operating system of a remote computer. Attackers launch network attacks to take control of the operating system, cause a denial of service, or gain access to protected information.

Network attacks are malicious actions performed by the attackers themselves (such as port scanning or password guessing), as well as actions performed by malicious programs installed on the attacked computer (such as transferring protected information to the attacker). Malware involved in network attacks includes some Trojans, DoS attack tools, malicious scripts and network worms.

Network attacks can be divided into the following types:

  • Port scanning. This type of network attack is usually a preparatory stage for a more dangerous network attack. The attacker scans the UDP and TCP ports used by network services on the attacked computer and determines the level of vulnerability of the attacked computer to more dangerous types of network attacks. Port scanning also allows an attacker to determine the operating system on the target computer and select network attacks suitable for it.
  • DoS attacks, or network attacks causing denial of service. These are network attacks, as a result of which the attacked operating system becomes unstable or completely inoperable.

    There are the following main types of DoS attacks:

    • Sending specially crafted network packets that the remote computer does not expect, which cause the operating system to malfunction or stop.
    • Sending a large number of network packets to a remote computer in a short period of time. All resources of the attacked computer are used to process network packets sent by the attacker, which is why the computer stops performing its functions.
  • Network intrusion attacks. These are network attacks whose goal is to “hijack” the operating system of the attacked computer. This is the most dangerous type of network attack, since if it is successful, the operating system comes completely under the control of the attacker.

    This type of network attack is used when an attacker needs to obtain confidential data from a remote computer (for example, bank card numbers or passwords) or to use the remote computer for his own purposes (for example, to attack other computers from it) without the user’s knowledge.

  • On the Protection tab, in the Protection against network attacks block, uncheck the box.
  • You can also enable Network Attack Protection in Protection Center. Disabling your computer's protection or protection components significantly increases the risk of your computer becoming infected, which is why information about disabling protection is displayed in Protection Center.

    Important: If you turned off Network Attack Protection, then after restarting Kaspersky Internet Security or rebooting the operating system, it will not turn on automatically and you will need to turn it on manually.

    When dangerous network activity is detected, Kaspersky Internet Security automatically adds the IP address of the attacking computer to the list of blocked computers if this computer is not added to the list of trusted computers.

  • In the menu bar, click on the program icon.
  • In the menu that opens, select Settings.

    The program settings window will open.

  • On the Protection tab, in the Network Attack Protection block, check the Enable Network Attack Protection box.
  • Click on the Exceptions button.

    A window will open with a list of trusted computers and a list of blocked computers.

  • Open the Blocked computers tab.
  • If you are sure that the blocked computer does not pose a threat, select its IP address in the list and click the Unblock button.

    A confirmation window will open.

  • At the confirmation window, do one of the following:
    • If you want to unlock your computer, click on the Unlock button.

      Kaspersky Internet Security unblocks the IP address.

    • If you want Kaspersky Internet Security to never block the selected IP address, click on the Unblock and add to exceptions button.

      Kaspersky Internet Security will unblock the IP address and add it to the list of trusted computers.

  • Click on the Save button to save your changes.
  • You can create a list of trusted computers. Kaspersky Internet Security does not automatically block the IP addresses of these computers when it detects dangerous network activity originating from them.

    When a network attack is detected, Kaspersky Internet Security saves information about it in a report.

  • Open the Protection menu.
  • Select Reports.

    The Kaspersky Internet Security reports window will open.

  • Open the Network Attack Protection tab.
  • Note: If the Network Attack Protection component has stopped with an error, you can view the report and try to restart the component. If you cannot solve the problem, contact Technical Support.

    A hacker attack is an action whose goal is to seize control of (elevate rights on) a remote or local computing system, or to destabilize it or cause a denial of service. Initially, attacks exploited a number of limitations inherent in the TCP/IP protocol suite. Earlier versions of the IP protocol lacked security requirements, which did not appear until several years later. Only with the rapid development of Internet commerce did the problem become urgent, and security standards had to be implemented in a short time.

    Mail bombing is considered the oldest attack method, and its essence is simple and primitive: a large number of mail messages make it impossible to work with mailboxes, and sometimes with entire mail servers. Many programs have been developed for this purpose, and even an inexperienced user could carry out an attack by specifying only the victim’s e-mail address, the text of the message and the number of messages required. Many such programs made it possible to hide the real IP address of the sender by using an anonymous mail server for sending. This attack is difficult to prevent because even the providers' mail filters cannot determine the real sender of the spam. The provider may limit the number of e-mails from one sender, but the sender's address and subject are often randomly generated.

    Buffer overflow. Perhaps one of the most common types of attacks on the Internet. The principle of this attack is based on exploiting software errors that cause memory violations and crash the application or execute arbitrary binary code on behalf of the user under which the vulnerable program was running. If the program runs under the system administrator account, this attack allows the attacker to gain full control over the victim’s computer, so it is recommended to work under the account of an ordinary user with limited rights on the system, and to use the administrator account only for operations that require administrative rights.

    Viruses, Trojan horses, e-mail worms, sniffers, rootkits and other special programs. The next type of attack is a more sophisticated method of gaining access to sensitive information: using special programs to do the work on the victim’s computer. Such programs are designed to search for confidential information and transfer it to their owner, or simply to damage the security system and performance of the victim’s computer. The operating principles of these programs differ, so we will not consider them separately.

    Network reconnaissance. During such an attack the hacker does not actually perform any destructive actions, but as a result he can obtain confidential information about the structure and principles of operation of the victim’s computer system. The information obtained can be used to competently build the upcoming attack, so reconnaissance is usually carried out during the preparatory stages. During it, an attacker can perform port scanning, DNS queries, echo testing of open ports, and checks for the presence and security of proxy servers. As a result, he can obtain information about the DNS names existing in the system, who they belong to, what services are available on them, and the level of access to these services for external and internal users.
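As an added example (not from the original text), the following Python script shows the defender's side of the port scanning described above and in the list of network attack types earlier on this page: it reads constructed firewall-style SYN log lines and flags a source that touches many distinct ports on one host within a short window. The log format, field names and the threshold are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simple firewall/iptables-like format (not taken from the lecture).
# A legitimate client talks to two service ports; a second host probes sixteen ports in two seconds.
LEGIT_LINES = "\n".join(
    f"2024-05-01T10:00:{s:02d} src=198.51.100.5 dst=192.0.2.10 dpt={p} flags=S"
    for s, p in [(0, 443), (3, 443), (7, 80), (12, 443), (20, 80)]
)
SCAN_LINES = "\n".join(
    f"2024-05-01T10:00:{5 + i // 8:02d} src=203.0.113.7 dst=192.0.2.10 dpt={20 + i} flags=S"
    for i in range(16)
)
SAMPLE_LOG = LEGIT_LINES + "\n" + SCAN_LINES + "\n"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) flags=(?P<flags>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, port) for well-formed SYN lines; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_port_scans(text, window=timedelta(seconds=60), threshold=10):
    """Return one alert per (source, target) pair that touches at least `threshold`
    distinct destination ports within `window`; events are processed in time order."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port) still inside the window
    alerts, flagged = [], set()
    for ts, src, dst, port in sorted(parse_log(text)):
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop events that fell out of the sliding window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append({"src": src, "dst": dst, "first_seen": q[0][0],
                           "distinct_ports": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} ports since {alert['first_seen']})")
```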

    Packet sniffing. Also a fairly common type of attack, based on operating a network card in promiscuous mode (or monitor mode for Wi-Fi networks). In this mode, all packets received by the network card are passed to a special application called a sniffer for processing. As a result, an attacker can obtain a large amount of service information: who transmitted packets, from where and to where, and through which addresses these packets passed. The greatest danger of such an attack is obtaining the information itself, for example employee logins and passwords, which can be used to illegally enter the system under the guise of an ordinary company employee.


    Promiscuous mode (promisc mode) is a mode in which the network card accepts all packets regardless of whom they are addressed to; this feature is usually used in network traffic analyzers. In the normal state, link-layer packet filtering is used on an Ethernet interface, and if the destination MAC address of a received packet does not match the MAC address of the current network interface and is not a broadcast address, the packet is discarded. In promiscuous mode, filtering on the network interface is disabled and all packets, including those not intended for the current node, are passed to the system. Most operating systems require administrator rights to enable promiscuous mode. This mode allows monitoring traffic only within a given collision domain (for Ethernet or wireless networks) or ring (for Token Ring or FDDI networks); therefore using network hubs is a less secure solution than switches, since the latter do not forward traffic to everyone regardless of the destination address. Promiscuous mode is often used by sniffers, specialized programs that display and analyze network traffic in order to diagnose network problems. Such programs make it easy to intercept passwords and confidential data transmitted over the network in unprotected form; to avoid this, it is recommended to use secure protocols, including SSL and various VPN/IPSec options.

    Sniffer. A traffic analyzer, or sniffer (from English “to sniff”), is a network traffic analyzer: a program or hardware-software device designed to intercept and analyze, or only analyze, network traffic intended for other nodes. While the sniffer is running, the network interface is switched to “listening mode” (promiscuous mode), which allows it to receive packets addressed to other interfaces on the network.

    Traffic interception can be carried out by: ordinary “listening” on the network interface; connecting the sniffer into a break in the channel; branching the traffic (in software or hardware) and directing a copy of it to the sniffer; analyzing spurious electromagnetic radiation and thereby reconstructing the eavesdropped traffic; or an attack at the link or network layer that redirects the victim's traffic, or all traffic of a segment, to the sniffer and then returns it to the proper address.

    Sniffers are used to:

    · identify malicious and unauthorized software on the network;

    · locate a network fault or a network agent configuration error;

    · intercept any unencrypted user traffic in order to obtain passwords and other information.
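An added check (not part of the original article) for the promiscuous mode described above: it reads the interface flags Linux exposes under /sys/class/net and parses the kernel's "entered/left promiscuous mode" messages, so an administrator can notice a sniffer running on a host. The sample log lines are constructed; the IFF_PROMISC bit value is the Linux one.

```python
import re
from pathlib import Path

# Bit set in /sys/class/net/<iface>/flags while the interface is promiscuous (Linux <linux/if.h>).
IFF_PROMISC = 0x100


def is_promiscuous(flags_text):
    """Interpret the contents of a sysfs 'flags' file, e.g. '0x1103\\n' (UP|BROADCAST|PROMISC|MULTICAST)."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net=Path("/sys/class/net")):
    """Names of interfaces currently in promiscuous mode on a live Linux host
    (an empty list when sysfs is not available, e.g. on other systems)."""
    found = []
    for iface in sorted(sysfs_net.glob("*")):
        flags = iface / "flags"
        if flags.is_file() and is_promiscuous(flags.read_text()):
            found.append(iface.name)
    return found


# The kernel also logs every transition. These constructed lines mimic dmesg / kern.log output;
# the pattern accepts both the older "device eth0 entered ..." and the newer "eth0: entered ..." form.
SAMPLE_KERNEL_LOG = """\
[  120.114] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex
[ 3581.221] device eth0 entered promiscuous mode
[ 3710.005] device eth0 left promiscuous mode
[ 4002.900] device wlan0 entered promiscuous mode
"""
PROMISC_RE = re.compile(r"(?:device )?([^\s:]+):? (entered|left) promiscuous mode")


def promisc_events(log_text):
    """Return the list of (iface, 'entered'|'left') events found in the log and the set of
    interfaces that are still promiscuous after the last event."""
    events, active = [], set()
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if not m:
            continue
        iface, what = m.group(1), m.group(2)
        events.append((iface, what))
        if what == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return events, active


if __name__ == "__main__":
    print("live promiscuous interfaces:", promiscuous_interfaces())
    events, active = promisc_events(SAMPLE_KERNEL_LOG)
    print("logged transitions:", events)
    print("still promiscuous at end of log:", sorted(active))
```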

    IP spoofing. This is also a common type of attack in insufficiently protected networks, when an attacker impersonates an authorized user while inside or outside the organization. To do this, the hacker needs to use an IP address allowed in the network security system. Such an attack is possible if the security system allows user identification only by IP address and does not require additional confirmation.

    Man-in-the-Middle. A type of attack in which an attacker intercepts the communication channel between two systems and gains access to all transmitted information. Having gained access at this level, he can modify the information as needed to achieve his goals. The purpose of such an attack is to steal or falsify transmitted information, or to gain access to network resources. Such attacks are extremely difficult to track because the attacker is usually located within the organization.

    Injection. An attack associated with various types of injections involves the introduction of third-party commands or data into a running system in order to change the course of the system’s operation, and as a result, gain access to private functions and information, or destabilize the operation of the system as a whole. This type of attack is most popular on the Internet, but can also be carried out through the system command line.

    Types of injections:

    SQL injection: an attack during which the parameters of SQL queries to the database are changed. As a result, the query takes on a completely different meaning, and with insufficient filtering of the input data it can not only output confidential information but also change or delete data. Very often this type of attack can be observed on sites that use request parameters (in this case URL variables) to construct SQL queries to databases without appropriate validation.

    PHP injection: one of the ways to hack websites running on PHP. It consists of injecting a specially crafted malicious script into the web application code on the server side, which leads to the execution of arbitrary commands. It is known that many free engines and forums running on PHP that are widespread on the Internet (most often outdated versions) contain poorly designed modules or individual constructs with vulnerabilities. Hackers look for vulnerabilities such as unescaped variables that receive external values.

    Script injection, or XSS (Cross-Site Scripting): a type of vulnerability in interactive web-based information systems. XSS occurs when user-supplied scripts end up included in server-generated pages for some reason. The specificity of such attacks is that instead of attacking the server directly, they use a vulnerable server as a means of attacking the client. For a long time programmers did not pay enough attention to them, considering them harmless. This opinion is wrong: there may be very sensitive data on the page or in HTTP cookies (for example the administrator's session ID). On a popular website, the script can launch a DoS attack.

    XPath injection: a type of vulnerability that involves injecting XPath expressions into the original query against an XML data store. As with other types of injection, the vulnerability is possible due to insufficient validation of input data.

    DoS (Denial of Service): an attack aimed at making the server stop responding to requests. This type of attack does not involve obtaining secret information, but it can sometimes help to initiate other attacks. For example, some programs, due to errors in their code, can throw exceptions and, when a service is disabled, can execute code supplied by an attacker; there are also flood attacks, in which the server cannot process a huge number of incoming packets.

    DDoS (Distributed Denial of Service): has the same goal as DoS, but is carried out not from one computer but from several computers on the network. These attacks rely either on errors leading to a service failure, or on triggering protection mechanisms that block the service, which also results in a denial of service. DDoS is used where ordinary DoS is ineffective. To do this, several computers are combined, and each carries out a DoS attack on the victim's system; together this is called a DDoS attack.

    Any attack is nothing more than an attempt to exploit the imperfection of the victim’s security system, either to obtain information or to harm the system. Therefore the reasons for any successful attack are the professionalism of the hacker and the value of the information, as well as the insufficient competence of the security administrator in particular, imperfect software, and insufficient attention to security issues in the company in general.

    I talked a little about who hackers are, and in this article I want to continue this topic and write about the types of hacker attacks and give recommendations for their prevention.

    An attack on an information system is an action or sequence of interconnected actions by an intruder that leads to the realization of a threat by exploiting the vulnerabilities of this information system. Let's start studying the attacks:

    Phishing

    Phishing (from “fishing”). Its purpose is to obtain information from users (passwords, credit card numbers, etc.) or money. This technique is aimed not at one user but at many. For example, letters supposedly from the technical support service are sent to all known clients of a bank. The letters usually contain a request to send the account password, allegedly because of some technical work. Such letters are usually very plausible and well written, which may fool gullible users.

    You can find out more about phishing in the article ““.

    Recommendations: Paranoia – best protection. Don't trust anything suspicious, don't give your information to anyone. Administrators do not need to know your password if it is used to access their server. They fully control the server and can view the password themselves or change it.

    Social engineering

    Social engineering is not a technical but a psychological technique. Using the data obtained during enumeration, an attacker can call any user (for example, of a corporate network) on behalf of the administrator and try to find out, for example, the user's password. This becomes possible because in large networks users do not know all the employees, and even less can they always accurately recognize them over the phone. In addition, sophisticated psychological techniques are used, so the chance of success increases greatly.

    Recommendations: the same. If there is really a need, then provide the necessary information in person. If you have written down your password on paper, do not leave it anywhere and, if possible, destroy it, and do not just throw it in the trash.

    DoS

    DoS (Denial of Service). This is not a separate attack but the result of an attack; it is used to put the system or individual programs out of service. To do this, the hacker crafts a request to a program in a special way, after which the program stops functioning. A restart is required to return the program to working condition.

    Smurf

    Smurf (an attack on implementation errors in the TCP/IP protocol). Nowadays this type of attack is considered exotic, but earlier, when the TCP/IP protocol was quite new, it contained a number of errors that made it possible, for example, to spoof IP addresses. However, this type of attack is still used today. Some experts distinguish TCP Smurf, UDP Smurf and ICMP Smurf; this division is, of course, based on the type of packets.

    UDP Storm

    UDP Storm. Used if at least two UDP ports are open on the victim, each of which sends some kind of response to the sender. For example, port 37 (the time service) answers a request with the current date and time. The attacker sends a UDP packet to one of the victim's ports, but specifies the victim's own address and the victim's second open UDP port as the sender. The two ports then begin to respond to each other endlessly, which reduces performance. The storm stops as soon as one of the packets is lost (for example, due to resource overload).

    UDP Bomb

    UDP Bomb – an attacker sends a packet with incorrect service data fields to the UDP system. The data can be damaged in any way (for example, incorrect field lengths, structure). This may result in a crash. Recommendations: Update the software.

    Mail Bombing

    Mail Bombing. If the attacked computer has a mail server, then a huge number of mail messages are sent to it in order to disable it. In addition, such messages are saved on the server's hard drive and can fill it up, which can cause DoS. Of course, now this attack is rather history, but in some cases it can still be used. Recommendations: proper configuration of the mail server.

    Sniffing

    Sniffing (listening to the network). If hubs are installed in the network instead of switches, received packets are sent to all computers on the network, and each computer then determines whether the packet is intended for it or not.

    If an attacker gains access to a computer that is part of such a network, or gains access to the network directly, then all information transmitted within the network segment, including passwords, becomes available to him. The intruder simply switches the network card into listening mode and receives all packets regardless of whether they were intended for it.

    IP Hijack

    IP Hijack. If there is physical access to the network, an attacker can cut into the network cable and act as an intermediary in the transmission of packets, thereby listening to all traffic between two computers. This is a very inconvenient method that often does not justify itself, except in cases where no other method can be implemented. Such an insertion is inconvenient in itself, although there are devices that simplify the task a little; in particular, they track the numbering of packets to avoid failures and possible detection of the intrusion into the channel.

    Dummy DNS Server

    Dummy DNS Server (false DNS server). If the network settings are in automatic mode, then when connecting to the network the computer “asks” who will be its DNS server, to which it will subsequently send DNS requests. With physical access to the network, an attacker can intercept such a broadcast request and reply that his computer will be the DNS server. After this, he can send the deceived victim along any route. For example, if the victim wants to go to a bank’s website and transfer money, the attacker can send it to his own computer, where a fake password entry form is presented; after this, the password belongs to the hacker. This is a fairly difficult method, because the attacker must respond to the victim before the real DNS server does.

    IP Spoofing

    IP spoofing (substitution of the IP address). The attacker replaces his real IP address with a fictitious one. This is necessary if only certain IP addresses have access to the resource: the attacker needs to change his real IP to a “privileged” or “trusted” one to gain access. The method can also be used in another way. After two computers have established a connection with each other by checking passwords, the attacker can overload the victim's network resources with specially generated packets. In this way he can redirect traffic to himself and thus bypass the authentication procedure.

    Recommendations: the threat is reduced by decreasing the time the server waits after sending the response packet with the SYN and ACK flags set, and also by increasing the maximum number of SYN requests for establishing a connection in the queue (tcp_max_backlog). You can also use SYN cookies.

    Software vulnerabilities

    Software vulnerabilities. Exploiting errors in software. The effect may vary, from obtaining insignificant information to gaining full control over the system. Attacks through software errors are the most popular of all time. Old errors are corrected by new versions, but new versions introduce new errors that can again be exploited.

    Viruses

    The problem most familiar to the ordinary user. The key step is getting the malware onto the user's computer. The consequences vary and depend on the type of virus that infects the computer, but in general they range from stealing information to sending spam and organizing DDoS attacks, as well as gaining complete control over the computer. In addition to a file attached to a letter, viruses can enter the computer through some OS vulnerabilities.

    Currently, DDoS is one of the most accessible and widespread types of network attacks. A few weeks ago, the results of studies on the prevalence of DDoS conducted by Arbor Networks and Verisign Inc. were published.

    The research results are impressive:
    Every day, attackers carry out more than 2,000 DDoS attacks;
    The cost of a week-long attack on an average data center is only $150;
    More than half of survey participants experienced problems due to DDoS;
    A tenth of survey participants responded that their companies suffered from DDoS attacks more than six times per year;
    About half of the companies experienced problems due to DDoS; the average attack duration was about 5 hours;
    Attacks of this type are one of the main reasons for server shutdowns and downtime.

    Main types of DDoS attacks

    There are quite a few kinds of DDoS; below we have tried to list the most typical ones, with a description of how each of them works.

    UDP flood

    One of the most effective and at the same time simplest kinds of attack. It uses UDP, a protocol that requires neither a session to be established nor any kind of response to be sent. The attacker sends a huge number of datagrams to the server's ports in random order. For every packet the machine has to check whether the destination port is in use by some application, and because there are so many packets, a machine of any power simply cannot keep up. All of the machine's resources are "eaten up" and the server "goes down".

    The simplest way to protect against this type of attack is to block UDP traffic.

    ICMP flood

    The attacker pings the victim's server continuously, and the server answers every request. With an enormous number of pings, server resources are consumed and the machine becomes unreachable.

    As a countermeasure, ICMP echo requests can be blocked at the firewall. The obvious drawback is that the machine can then no longer be pinged.

    SYN flood

    This type of attack involves sending SYN packets to the victim's server. The server answers each with a SYN-ACK packet and expects the attacker's machine to complete the handshake with an ACK, which is never sent. The result is a huge number of half-open connections that hang and are closed only when a timeout expires.

    When the limit on the number of requests/responses is exceeded, the victim server stops accepting packets of any type and becomes unavailable.
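    The three flood types described so far (UDP, ICMP and SYN) all show up the same way in a packet record: one source emitting far more of one kind of packet than any legitimate host, and in the SYN case a pile of half-open connections that never receive the final ACK. The following is an added example (not part of the lecture) that runs those checks over a small set of constructed inbound packet records. The addresses, rates and the `backlog` threshold are hypothetical; the half-open count is the quantity the lecture's recommendation about the SYN queue size (tcp_max_backlog; on Linux the sysctl is net.ipv4.tcp_max_syn_backlog, with SYN cookies enabled by net.ipv4.tcp_syncookies) is meant to protect.

```python
"""Rate-based detection of UDP, ICMP and SYN floods over a packet record list.

Added example covering the lecture's UDP flood, ICMP flood and SYN flood
sections; it is not part of the original text. Records are constructed
inbound packets (documentation-range addresses), not a real capture, and
the thresholds are hypothetical tuning values.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float              # seconds since start of capture
    src: str              # source IP
    proto: str            # "udp", "icmp" or "tcp"
    dport: int = 0        # destination port (udp/tcp)
    sport: int = 0        # source port (tcp)
    flags: str = ""       # TCP flags: "S" = SYN, "A" = ACK
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


def build_sample():
    """Constructed inbound traffic: three floods plus a little legitimate activity."""
    pkts = []
    # UDP flood: 60 datagrams to different ports within half a second.
    pkts += [Pkt(0.1 + i * 0.005, "203.0.113.7", "udp", dport=1000 + i) for i in range(60)]
    # A legitimate DNS client: three queries.
    pkts += [Pkt(0.3 + i * 0.1, "198.51.100.2", "udp", dport=53) for i in range(3)]
    # ICMP flood: 45 echo requests in under a second, plus one harmless echo reply.
    pkts += [Pkt(0.2 + i * 0.01, "203.0.113.8", "icmp", icmp_type=8) for i in range(45)]
    pkts += [Pkt(0.9, "198.51.100.4", "icmp", icmp_type=0)]
    # SYN flood: 30 SYNs from distinct source ports, never followed by the final ACK.
    pkts += [Pkt(0.5 + i * 0.01, "203.0.113.9", "tcp", dport=80, sport=40000 + i, flags="S")
             for i in range(30)]
    # A legitimate client completing the handshake: SYN, then ACK
    # (the server's SYN-ACK is outbound and therefore not in this inbound record).
    pkts += [Pkt(0.6, "198.51.100.3", "tcp", dport=80, sport=51000, flags="S"),
             Pkt(0.65, "198.51.100.3", "tcp", dport=80, sport=51000, flags="A")]
    return sorted(pkts, key=lambda p: p.t)


SAMPLE = build_sample()


def rate_alerts(pkts, proto, threshold_pps, window=1.0):
    """Sources whose per-window packet rate for `proto` exceeds threshold_pps.

    For ICMP only echo requests count, since those are what the server must answer.
    """
    buckets = Counter()
    for p in pkts:
        if p.proto != proto or (proto == "icmp" and p.icmp_type != 8):
            continue
        buckets[(p.src, int(p.t // window))] += 1
    return sorted({src for (src, _), n in buckets.items() if n / window > threshold_pps})


def half_open_by_source(pkts):
    """Inbound SYNs not followed by an ACK on the same tuple: the half-open connections a SYN flood leaves behind."""
    pending = set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dport)
        if p.flags == "S":
            pending.add(key)
        elif "A" in p.flags:
            pending.discard(key)   # handshake completed, queue slot released
    return Counter(src for src, _, _ in pending)


def syn_flood_alert(pkts, backlog):
    """Total half-open connections and whether they would fill a queue of size `backlog`."""
    per_src = half_open_by_source(pkts)
    total = sum(per_src.values())
    return total, total >= backlog, per_src


if __name__ == "__main__":
    print("UDP flood sources:", rate_alerts(SAMPLE, "udp", threshold_pps=40))
    print("ICMP flood sources:", rate_alerts(SAMPLE, "icmp", threshold_pps=40))
    total, alert, per_src = syn_flood_alert(SAMPLE, backlog=25)
    print(f"half-open connections: {total} (queue would overflow: {alert}) by source {dict(per_src)}")
```

    The UDP and ICMP checks are pure rate thresholds, which is why the lecture's simplest remedies (blocking UDP or ICMP outright) work at all; the SYN check is stateful, because a SYN by itself is legitimate and only the missing ACK distinguishes an attack from a busy client.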

    MAC flood

    An unusual kind of attack aimed at network equipment of many kinds. The attacker sends a large number of Ethernet frames, each with a different source MAC address. The switch reserves a certain amount of resources for each of them, and when there are very many frames it exhausts everything it has and freezes. The worst case is a failure of the routing table.
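    The resource the lecture refers to is the switch's table of learned source addresses, which has a fixed size. The following is an added example (not part of the lecture) that models such a table and compares a switch without any limit against one that caps the number of addresses learned per port, the behaviour usually called port security. The capacity, the frame counts and the MAC addresses are constructed for illustration.

```python
"""Switch MAC-table exhaustion, with and without a per-port address limit.

Added example for the lecture's MAC flood section; not from the original
text. The switch model, its capacity and the MAC addresses are constructed
for illustration (locally administered 02:... addresses).
"""
from collections import Counter


class Switch:
    """A minimal model of a switch's source-address learning table."""

    def __init__(self, capacity, max_per_port=None):
        self.capacity = capacity            # total MAC entries the table can hold
        self.max_per_port = max_per_port    # port-security style limit, None = unlimited
        self.table = {}                     # mac -> port
        self.per_port = Counter()           # learned addresses per port
        self.violations = Counter()         # frames refused by the per-port limit

    def learn(self, port, src_mac):
        """Learn a frame's source MAC on `port`; return True if it is now in the table."""
        if src_mac in self.table:
            return True
        if self.max_per_port is not None and self.per_port[port] >= self.max_per_port:
            self.violations[port] += 1      # port security: refuse to learn, count the violation
            return False
        if len(self.table) >= self.capacity:
            return False                    # table full: unknown destinations now get flooded to all ports
        self.table[src_mac] = port
        self.per_port[port] += 1
        return True


def fake_mac(i):
    """Deterministic locally administered address for attacker frame number i (constructed)."""
    return f"02:00:00:00:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"


def simulate(capacity=512, attack_frames=600, attacker_port=5, limit=8):
    """Flood one port with distinct source MACs, then see whether a legitimate host can still be learned."""
    results = {}
    for name, sw in (("unprotected", Switch(capacity)),
                     ("port_security", Switch(capacity, max_per_port=limit))):
        for i in range(attack_frames):
            sw.learn(attacker_port, fake_mac(i))
        legit_learned = sw.learn(1, "02:00:00:aa:bb:cc")   # a normal host on port 1 (constructed)
        results[name] = {
            "entries": len(sw.table),
            "attacker_entries": sw.per_port[attacker_port],
            "violations": sw.violations[attacker_port],
            "legit_learned": legit_learned,
        }
    return results


if __name__ == "__main__":
    for name, r in simulate().items():
        print(name, r)
```

    On the unprotected switch the attacker fills all 512 entries and the legitimate host on port 1 can no longer be learned, so its traffic is flooded out of every port; with a limit of eight addresses per port the attacker gets eight entries and 592 violations, and the rest of the table stays available.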

    Ping of Death

    This type of attack is no longer a serious problem, although it used to be common. Its essence is a memory buffer overflow caused by exceeding the maximum permitted size of an IP packet; as a result the server or network equipment fails and stops servicing packets of any kind.

    Slowloris

    A targeted attack of this type achieves a large effect with small resources: with a far from powerful machine the attacker can take down much more capable equipment. No protocol other than HTTP is needed. The attacking host opens as many HTTP connections to the target as it can and tries to keep each of them open for as long as possible.

    Naturally, the pool of connections on the attacked server runs out, and legitimate requests stop being accepted and processed.
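    The defence on the server side follows from the description: a connection whose request headers are still incomplete after a deadline is closed no matter how slowly bytes keep trickling in, and no single client may hold more than a fixed share of the connection pool. The following is an added example (not part of the lecture) that applies both rules to a constructed connection table; the deadline and the per-client cap are hypothetical values an operator would tune.

```python
"""Server-side pruning of Slowloris-style connections.

Added example for the lecture's Slowloris section; not from the original
text. The connection table is constructed, and the header deadline and
per-client cap are hypothetical values a server operator would tune.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    fd: int                 # socket descriptor
    client: str             # client IP
    opened_at: float        # seconds since server start
    header_complete: bool   # have we seen the blank line that ends the request headers?
    bytes_received: int


def build_sample():
    """Constructed connection table at server time 60 s."""
    conns = []
    # A normal client: one finished request and one connection opened two seconds ago.
    conns.append(Conn(1, "198.51.100.9", 50.0, True, 412))
    conns.append(Conn(2, "198.51.100.9", 58.0, False, 96))
    # Slowloris-style client: 40 connections opened over a minute, each trickling a few
    # header bytes and never sending the terminating blank line.
    conns += [Conn(100 + i, "203.0.113.50", i * 1.5, False, 18 + i) for i in range(40)]
    return conns


SAMPLE_CONNS = build_sample()


def connections_to_drop(conns, now, header_deadline_s, max_per_client):
    """Map fd -> reason for every connection the server should close.

    Rule 1: a request whose headers are still incomplete after header_deadline_s seconds
    is dropped, regardless of how many bytes have trickled in.
    Rule 2: a client may hold at most max_per_client connections; the newest excess
    connections are dropped.
    """
    drop = {}
    for c in conns:
        if not c.header_complete and now - c.opened_at > header_deadline_s:
            drop[c.fd] = "header_timeout"
    by_client = defaultdict(list)
    for c in conns:
        by_client[c.client].append(c)
    for cs in by_client.values():
        cs.sort(key=lambda c: c.opened_at)
        for c in cs[max_per_client:]:
            drop.setdefault(c.fd, "per_client_limit")
    return drop


def kept_connections(conns, drop):
    """File descriptors that survive the pruning."""
    return sorted(c.fd for c in conns if c.fd not in drop)


if __name__ == "__main__":
    verdict = connections_to_drop(SAMPLE_CONNS, now=60.0, header_deadline_s=20.0, max_per_client=10)
    print(Counter(verdict.values()), "kept:", kept_connections(SAMPLE_CONNS, verdict))
```

    With a 20-second header deadline and a cap of ten connections per client, all forty of the slow client's connections are closed (27 for the header timeout, the remaining 13 for exceeding the cap) while both of the normal client's connections survive, including the one that is still legitimately sending its headers.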

    Reflected attacks

    An unusual kind of attack in which the attacker's server sends packets with a forged source IP address to the largest possible number of machines. Every server that receives such a packet sends its response to the IP address given as the sender, and that recipient cannot cope with the load and freezes. Here the attacker's server may be ten times less powerful than the planned attack: a server sending out 100 Mbps of forged requests can completely fill the gigabit link of the victim's server.
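    From the victim's side, reflected traffic has one distinguishing property: it consists of responses to requests the victim never sent. The following is an added example (not part of the lecture) that matches inbound responses against the queries actually sent and groups the unmatched ones by reflector, and also carries through the lecture's bandwidth arithmetic. The records are constructed, and the query and response sizes were chosen so that the amplification factor equals the tenfold figure in the text.

```python
"""Recognising reflected traffic at the victim and sizing the amplification.

Added example for the lecture's reflected attack section; not from the
original text. Query and response records are constructed (documentation
addresses), and the byte sizes are illustrative, chosen so the arithmetic
matches the lecture's 100 Mbps -> 1 Gbps figure.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dgram:
    peer: str      # the other host: destination for queries we sent, source for responses we received
    txid: int      # DNS transaction id
    size: int      # bytes on the wire


# Queries our resolver really sent (constructed).
OUTBOUND_QUERIES = [Dgram("192.0.2.53", 0x0101, 64), Dgram("192.0.2.53", 0x0102, 64)]

# Responses that arrived (constructed): two are answers to our queries, the rest are
# answers to queries somebody else sent with our address forged as the source.
INBOUND_RESPONSES = (
    [Dgram("192.0.2.53", 0x0101, 640), Dgram("192.0.2.53", 0x0102, 640)]
    + [Dgram("198.51.100.5", 0x2000 + i, 640) for i in range(5)]
    + [Dgram("198.51.100.6", 0x3000 + i, 640) for i in range(3)]
)


def unsolicited_responses(outbound, inbound):
    """Responses that match no query we sent, grouped by the reflector that sent them."""
    expected = {(q.peer, q.txid) for q in outbound}
    by_reflector = defaultdict(list)
    for r in inbound:
        if (r.peer, r.txid) not in expected:
            by_reflector[r.peer].append(r)
    return dict(by_reflector)


def unsolicited_bytes(outbound, inbound):
    """Total bytes of reflected traffic that reached us."""
    return sum(r.size for rs in unsolicited_responses(outbound, inbound).values() for r in rs)


def amplification_factor(query_size, response_size):
    """How many bytes reach the victim for each byte the attacker sends through a reflector."""
    return response_size / query_size


def attacker_bandwidth_needed(target_mbps, factor):
    """Uplink the attacker needs to deliver target_mbps to the victim via reflectors of the given factor."""
    return target_mbps / factor


if __name__ == "__main__":
    for reflector, rs in unsolicited_responses(OUTBOUND_QUERIES, INBOUND_RESPONSES).items():
        print(f"{reflector}: {len(rs)} unsolicited responses, {sum(r.size for r in rs)} bytes")
    f = amplification_factor(64, 640)
    print(f"amplification x{f:.0f}: {attacker_bandwidth_needed(1000, f):.0f} Mbps of forged "
          f"queries fills a 1000 Mbps link")
```

    The matching step is the same state a resolver keeps anyway (which queries are outstanding), which is why unsolicited responses are easy to count but, at the volumes the lecture describes, not cheap to absorb: the filtering decision has to be made on every packet the reflectors deliver.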

    Degradation

    With this type of attack, the attacker's server imitates the actions of a real user or of an entire audience. In the simplest variant, the same page of the resource is requested thousands of times. The simplest remedy is to temporarily return an error and block the attacked page.

    A more complex variant requests a large number of different resources on the server, including media files, pages and everything else, until the victim's server stops working.

    Complex attacks of this type are quite difficult to filter, so specialized programs and services have to be used.

    Zero day attack

    This is the name for attacks that exploit previously unknown vulnerabilities or weaknesses of a service. To combat the problem, such attacks have to be studied before anything can be done about them.

    Conclusion: the most complex kind of attack is a combined one, using different kinds of DDoS at once. The more complex the combination, the harder it is to defend against. A general problem with DDoS, or rather for its victims, is how widely available this kind of attack is: there are many applications and services on the Internet that allow powerful attacks to be carried out free or almost free of charge.