“Ghosting” Bad Actors to Prevent DoS Attacks

A denial of service (DoS) attack is a malicious attempt to bring down or disrupt a network, servers, or devices connected to the internet so legitimate users can’t use its services. It’s accomplished by crashing the server or flooding the target network with more traffic than it can handle.
Crashing the server is made possible by the “reflex” actions of the TCP/IP protocol, where the server automatically replies to any communication that reaches it. For example, if a server receives a synchronization request (SYN flag) to open a connection, it will reply with an acknowledgement (ACK or SYN ACK flag) and prepare to start a session. When the bad actor receives that ACK, they know they have hit their target. They then send numerous SYN packets to open new sessions and use up the server’s memory or CPU.
That’s an example of a SYN attack. There are also ACK attacks, RST attacks, FIN attacks, combinations of these, and more, all of which can also crash the server.
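To make the SYN attack described above concrete from the defender’s side, here is an added example (not Great Wing code) that reads constructed tcpdump-style TCP flag summaries for a hypothetical protected host, tracks which client SYNs were never completed by the client’s ACK, and reports sources that are accumulating half-open sessions. The server address, client addresses and log lines are all constructed for the example.

```python
from collections import defaultdict

SERVER = "198.51.100.10"  # constructed address of the protected host

# Constructed tcpdump-style summaries: "src:port > dst:port flags".
# Flag letters follow tcpdump: S = SYN, S. = SYN-ACK, . = ACK only, R = RST.
# 203.0.113.5 completes a handshake, 203.0.113.9 leaves four half-open,
# 203.0.113.7 sends a SYN and then gives up with a RST.
SAMPLE_LOG = """\
203.0.113.5:40001 > 198.51.100.10:22 S
198.51.100.10:22 > 203.0.113.5:40001 S.
203.0.113.5:40001 > 198.51.100.10:22 .
203.0.113.9:51000 > 198.51.100.10:22 S
198.51.100.10:22 > 203.0.113.9:51000 S.
203.0.113.9:51001 > 198.51.100.10:22 S
198.51.100.10:22 > 203.0.113.9:51001 S.
203.0.113.9:51002 > 198.51.100.10:22 S
198.51.100.10:22 > 203.0.113.9:51002 S.
203.0.113.9:51003 > 198.51.100.10:22 S
198.51.100.10:22 > 203.0.113.9:51003 S.
203.0.113.7:60000 > 198.51.100.10:22 S
203.0.113.7:60000 > 198.51.100.10:22 R
"""

def parse(line):
    """Split 'src:port > dst:port flags' into its fields."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), flags

def half_open_by_source(log, server=SERVER):
    """Return {client_ip: count} of SYNs sent to `server` that the client
    never followed with its ACK (handshake step 3) or a RST."""
    pending = set()  # (client_ip, client_port, server_port) still half-open
    for line in log.strip().splitlines():
        sip, sport, dip, dport, flags = parse(line)
        if dip != server:
            continue  # only client -> server packets drive the state
        key = (sip, sport, dport)
        if flags == "S":
            pending.add(key)       # step 1 seen: session is half-open
        elif flags in (".", "R"):
            pending.discard(key)   # step 3 completed, or client aborted
    counts = defaultdict(int)
    for sip, _, _ in pending:
        counts[sip] += 1
    return dict(counts)

def total_half_open(log, server=SERVER):
    """Spoofed-source floods spread over many IPs, so watch the total too."""
    return sum(half_open_by_source(log, server).values())

def suspected_syn_flooders(log, threshold=3, server=SERVER):
    """Sources holding at least `threshold` half-open sessions."""
    counts = half_open_by_source(log, server)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

A real SYN flood usually spoofs source addresses, so each source may show only one half-open entry; the per-host total from total_half_open is the more reliable signal in that case.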
Then there are flood attacks. Once the bad actor knows the IP address of the target, they can overwhelm the network with more traffic than it can buffer, eventually causing it to stop.
Then there’s the Distributed Denial of Service (DDoS) attack, a variation of the DoS attack in which the bad actor coordinates traffic from multiple IP addresses and locations to stop the services or flood the network. There are many more types of DoS attacks, limited only by the malicious actor’s imagination.
Each one of those attacks requires a different solution when you have a server that is exposed to the internet.
What information does the bad actor need to conduct a DoS attack?
To carry out a DoS attack, the bad actor needs two things:
- The IP address of the target network
- The port numbers that are open for services
Once they have that information, they can start collecting details about the networks, such as routers, servers, services they are providing, software, operating systems, and so on.
So the first thing the bad actor will do is look for the IP address using tools like ping and DNS lookup. If there’s no DNS name associated with the network they’re trying to bring down, they can figure it out by searching the internet for IP addresses used by the company’s ISP. They can use pinging and routing tools to see which ISP is associated with the company.
Once they have the IP address, the bad actor scans for open ports to know which ports to attack. They know they’re succeeding when they get a response, followed by slower and slower responses. They assume they have brought down the service when they get no response at all. (In our next post we will explain how we use this assumption for defense or offense.)
DoS protection today is imperfect
Vendors today offer various solutions to protect networks from DoS attacks, but they are not good enough. Bad actors succeed in denying services to and from networks despite DoS “protections.”
Great Wing has devised different solutions for protecting networks from DoS attacks. Our solutions differentiate between two categories of network services:
- Public services like web servers and SMTP servers
- Private services like PLCs or remote desktop applications
Tailoring the DoS solution to the different types of services provides almost perfect DoS protection. In this article we will discuss protection for the second scenario where the network provides private services while allowing access from any IP address.
How to protect your network with private services from DoS attacks
For networks providing private services, the first step in protecting your server and devices is to not use DNS.
Great Wing products don’t require DNS. And we advise our customers not to register their IP addresses under the company name, so there is no easy way to find an association between the IP addresses and the organization.
Great Wing developed the Wormhole™ protocol, which solves most of the problems inherent in the TCP/IP protocol and its automatic reflex actions. The Great Wing Ghost™ software translates TCP/IP to the Wormhole protocol and back again to TCP/IP. The Ghost doesn’t remain at a specific IP address or port, but jumps from place to place.
If a bad actor tries to run a DoS attack on the Ghost, they first have to find its IP address, with no DNS name and no address publicly associated with the organization to guide them. That’s the first obstacle. Then they have to find an open port. The malicious actor won’t find any, because there are no open ports in the Wormhole.
Because the Ghost jumps from place to place, and the bad actor must know where it is in order to attack it, an attack becomes practically impossible.
With the Ghost software, the hacker:
- Doesn’t get a response (unless we want to send one to mislead them into thinking they succeeded)
- Doesn’t know if they succeeded
- Doesn’t know if they attacked the right IP address
With Great Wing, there’s no DNS, no assigned IP addresses, and no open ports.
If they try to attack a random IP address and the network is protected by Great Wing, they still won’t succeed because they cannot find an open port.
Great Wing also offers a solution that blocks DoS attacks from servers that you want to expose to the internet, such as mail servers and web servers. We will discuss that solution in a separate article.