In this blog post, we’ll examine the principles behind DDoS attacks and explore common defense methods, along with real-world examples.
In the summer of 2011, the “PSN incident” became a major issue following a cyberwar between Sony and hackers worldwide. This incident began when “Geohot,” an American hacker famous for hacking the iPhone, hacked Sony’s PS3, prompting Sony to take legal action. Sony’s legal action drew the ire of global hacker groups like “Anonymous,” leading to massive cyberattacks against Sony. To counter this, cyber-terrorism response teams from various countries were mobilized, sparking a global cyberwar. The primary method used by these hacker groups was the “DDoS (Distributed Denial of Service)” attack. In Korean news as well, we often see headlines such as “○○ site paralyzed by DDoS attack” or “Damage to ○○ Company caused by DDoS attack.” So, let’s explore exactly how “DDoS” attacks are carried out and how they can be defended against.
Before examining ‘DDoS’ attacks and defenses, it is essential to first understand communication methods and terminology. Communication, like any language, requires a set of rules. The language (protocol) of communication created for interaction—such as Korean, English, or Japanese—is called a ‘protocol,’ and the most widely used protocol for the internet is the ‘TCP/IP protocol.’
The TCP/IP protocol consists of four layers, which serve as the basic building blocks of communication. The ‘application layer’ enables users to utilize services such as document editors and video players, while the ‘link layer’ directly connects devices to facilitate the actual transmission of information. The ‘network layer’ facilitates communication; its main components are ‘IP’ and ‘ICMP.’ ‘IP’ identifies a unique location, much like a home address, while ‘ICMP’ checks for problems when sending or receiving ‘IP’ packets. Finally, the ‘transport layer’ acts as a conduit connecting the ‘network layer’ and the ‘application layer.’ Its main protocols are ‘TCP’ and ‘UDP.’ ‘TCP’ filters out corrupted data to ensure the ‘application layer’ receives accurate information, while ‘UDP’ prioritizes sending data to the ‘application layer’ even if it is not entirely accurate. For example, voice data prioritizes speed over accuracy, so it uses ‘UDP’. Finally, ‘bandwidth’ is easy to understand if you think of it as a water pipe; a 10 Mbps line has a bandwidth 10 times narrower than a 100 Mbps line. While this information alone isn’t enough to fully grasp how internet communication works, it should be sufficient to understand ‘DDoS’ attacks and defenses.
A ‘DDoS (Distributed Denial of Service)’ attack paralyzes communication by launching ‘DoS’ attacks—which deny service—from distributed attack points. The basic mechanism is as follows. Malicious code or tools are distributed via the internet to create “zombie PCs” that continuously generate and send junk data. These “zombie PCs” are then used as attack points to target specific servers or PCs, preventing them from providing services or paralyzing server functions. There are several methods to achieve this, but the most common ones are: first, continuously sending invalid data via ‘UDP’ to prevent normal operation; second, continuously sending erroneous values to trigger unnecessary responses from ‘TCP’ and ‘ICMP’; and third, transmitting data volumes that exceed bandwidth limits to prevent normal use of that bandwidth. Attacks may utilize a single method, but they are often carried out by combining multiple methods.
As an example of a typical DDoS attack mechanism, if malicious code is planted on an ‘IRC Server’ to create ‘zombie PCs’ over the internet and these are used to attack a single target, the attacked server becomes inaccessible to regular users. Here, an ‘HTTP Bot’ can be thought of as a ‘zombie PC.’
If conventional hacking is akin to planting a ‘spy’ within the enemy’s ranks during a war, a DDoS attack can be likened to hundreds of thousands of soldiers launching a simultaneous assault. Therefore, rather than relying on meticulous searches at the city gates and controlling who enters and exits, one must employ strategic measures and reinforce the castle’s defenses. Let’s explore how to defend against ‘DDoS’ attacks, which differs from defending against other types of hacking.
DDoS defense can be broadly categorized into four approaches.
First, distribute and manage servers. The typical form of a DDoS attack is a concentrated assault on a single server. Even if one server cannot provide service, you can maintain normal service through other servers while buying time to recover the attacked server. This is a common method that offers significant results at a low cost. Building on this, another method involves increasing the number of servers connected to a single server to create a dual-layer defense.
Second, use specialized DDoS defense equipment. This involves using high-bandwidth connections or equipment that redirects traffic to another location when an attack is detected, filtering out the malicious data to ensure normal service continues. Since this method is costly, it is primarily used for servers belonging to large companies and critical institutions.
Third, changing the IP address. Since each server is typically assigned a single fixed IP address, changing it is difficult. While it is possible to use a non-fixed IP address, this method is rarely used because such addresses are often limited to specific geographic locations, such as university classrooms or company offices. However, depending on how it is implemented, it can be an effective measure.
Fourth, there is a method of configuring the visible site (server) with two or three separate instances. In other words, by hiding the actual service-providing server elsewhere, you can direct the attacker to target a fake server if they are not paying close attention.
Finally, a realistic defense strategy involves using a combination of these methods. For example, by distributing servers across multiple locations and operating traffic filtering equipment in conjunction with them, you can minimize damage even if malicious traffic attacks a specific server, by leveraging the distributed servers and filtering equipment.
