What is DDOS layer 7 and Layer 4 and Low-Rate Ddos

Introduction

Very recently some hacactivist named as Lulzsec and Anonymous were very famous because they use to hack some of the government website and they use to hack the data and all.

This brings my interest and to know how they are doing all this, as we all know as this is now pretty old and you might be knowing about Ddos but here I am telling you about Ddos layer 3 and 4 attack.

The attacks which are be done by hack activist was layer 7 attack and you may do this kind of attack is by simply pressing the refresh button over your browser.

If hundreds of thousands of people will do this then at some point of time the server will become irresponsible and so it so server stop serving the users.

But for this kind of Ddos we need too many computers some of them might knew that they are being part of this attack or sometimes the people got involved unknowingly as they are under some malware .

So what Layer 3 and layer 4 Ddos .

As the Anonymous got active there got 1 person active against them by the name of “th3j35tor”  who claimed to be ex Security personal.

It was the 1st time when I cam across this level of Ddos which he was executing through a 3G connection over cellphone and was taking down some 3-4 big servers by using just 1 connection.

So what exactly Layer 4 Attack is?

A Layer4 DoS attack is often referred to as a SYN flood. It works at the Transport Protocol (TCP) layer. A TCP connection is established in what is known as a 3-way hand shaking. The client sends a SYN packet, the server responds with a SYN ACK, and the client responds tothat with an ACK. After the “three-way handshake” is complete, the TCP connection is considered established. It is as this point that applications begin sending data using a Layer 7 or application layer protocol, such as HTTP.

A SYN flood uses the inherent patience of the TCP stack to overwhelm a server by sending a flood of SYN packets and then ignoring the SYN ACKs returned by the server. This causes the server to use up resources waiting a configured amount of time for the anticipated ACK thatshould come from a legitimate client. Because web and application servers are limited in the number of concurrent TCP connections they can have open, if an attacker sends enough SYN packets to a server it can easily chew through the allowed number of TCP connections, thus preventing legitimate requests from being answered by the server.

SYN floods are fairly easy for proxy-based application delivery and security products to detect. Because they proxy connections for the servers, and are generally hardware-based with a much higher TCP connection limit, the proxy-based solution can handle the high volume of connections without becoming overwhelmed. Because the proxy-based solution is usually terminating the TCP connection (i.e. it is the “endpoint” of the connection) it will not pass the connection to the server until it has completed the 3-way handshake. Thus, a SYN flood is stopped at the proxy and legitimate connections are passed on to the server with alacrity.

The attackers are generally stopped from flooding the network through the use of SYN cookies.  SYN cookies utilize cryptographic hashing and are therefore computationally expensive, making it desirable to allow a proxy/delivery solution with hardware accelerated cryptographic capabilities handle this type of security measure. Servers can implement SYN cookies, but the additional burden placed on the server alleviates much of the gains achieved by preventing SYN floods and often results in available, but unacceptably slow performing servers and sites.

LDos (I got limited knowledge of this which I am sharing  if you got something more then do share that with me):

Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP’s congestion control mechanism.

They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric – Congestion Participation Rate (CPR) – and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-base approach is its ability to identify LDDoS flows.

A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective compared to an existing Discrete Fourier Transform (DFT)-based approach

 

My project for the protection against DDos layer 7 attack.

I have created this Ddos protection script which is under the GPL license and it’s useful for protecting the server form leyer 7 Ddos protection.

This is useless for any of layer 3 and layer 4 Ddos attacks and a lot of code is still needed to be completed which I will be completing when got some free time.If you feel like completing then please go ahead and ask me what ever you feel like.

The Script can be download from here will GIT it ASAP.

I am sorry as the previous link was not working so I have uploaded it to GIT now you can get it form here, it’s under GPL license so you can use it for free 🙂
https://github.com/unknownhad/ddos-protection

Hope you like this and do share your views.