DoS and DDoS attacks have become very popular among hackers and worm writers; MyDoom and Blaster are examples of this. In this article we look at what DoS and DDoS attacks are and how they are used to deny services to legitimate users.

Introduction

Have you ever tried making a telephone call but couldn't because all the telephone circuits were busy? This happens to all of us from time to time. The reason you couldn't get through is that the telephone system can handle only a limited number of calls at a given time. So, if all the lines are busy, you are unable to make a call. Imagine that a hacker wanted to attack the telephone system and make it unusable by telephone customers. How would he do this? One method is to make call after call in an attempt to keep all circuits busy. This type of attack is called a Denial of Service, or DoS, attack. It is not likely that one caller working alone can tie up all the telephone circuits. To do that, one would need to make as many calls as possible from as many telephones as possible. This is called a distributed denial of service, or DDoS, attack.

Computer systems can also suffer from DoS and DDoS attacks. For example, sending a large amount of bulk mail to someone could fill the computer disk where the mail resides. This means that people who use the computer with the full disk cannot receive any new email until the situation changes. While this is an older style of DoS attack, it is still popular today.

In addition, intruders have turned their efforts toward denying people the services provided by networked computers. Examples of frequently attacked services are the World Wide Web, file sharing services and more recently, the Domain Name Service. Because so many of our computers are connected through the Internet, attacking one of these services can have a significant impact on the whole Internet community. For example, by launching a DoS attack on a popular merchant during a high sales period, the intruder affects not only that merchant, but also everyone who is then unable to buy their products. 

To deny these services to prospective users of a computer service, intruders run specially written computer programs that send extraordinary volumes of Internet "calls" to one of the computers that provides that service, similar to the way that an intruder can tie up the telephone system.

When a computer answers such a call, most often there's no one on the other end, so answering the call turns out to be a waste of time. Unfortunately, the attacked service cannot tell this in advance, so it has to answer all calls placed to it. Answering each call takes time, and there's only so much time available. It's the supply and demand issue all over again.

In addition, the volume of traffic may be so high that the networks connecting the attacking computers to the victim's computer may also suffer from lower performance. Just like the telephone system and service computers, these networks cannot handle traffic beyond a certain limit. Users wanting services from computers on those networks are denied those services too. Those networks are also considered victims of a DDoS attack. 

How do intruders launch a DDoS attack against a victim's computer?

First, they build a network of computers that will be used to produce the volume of traffic needed to deny services to computer users. We'll call this an attack network. 
To build this attack network, intruders look for computers that are poorly secured, such as those that have not been properly patched, or those with out-of-date or non-existent anti-virus software. When the intruders find such computers, they install new programs on the computers that they can remotely control to carry out the attack. 

Intruders used to hand-select the computers that made up the attack network. These days, however, the process of building an attack network has been automated through self-propagating programs. These programs automatically find vulnerable computers, attack them, and then install the necessary programs. The process begins again as those newly compromised computers look for still other vulnerable computers. Once a DDoS program has been installed on a computer, that program identifies the computer as a member of the attack network. Because of this self-propagation, large attack networks can be built very quickly. A byproduct of the network-building phase is yet another DDoS attack, because searching for other vulnerable computers creates significant traffic as well. 

Once an attack network is built, the intruder is ready to attack the chosen victim or victims. Some information security experts believe that many attack networks currently exist and are dormant, passively waiting for the command to launch an attack against the victims’ computers. Others believe that once a victim has been identified, the attack network is built and the attack is launched soon afterwards. 

To reduce their chances of being discovered, intruders distribute their attack across computers in different time zones, different legal jurisdictions, and with different systems administrators. Intruders also make the electronic traffic they create appear to come from a computer different from the one that actually created it. This is called IP spoofing, and it is a commonly used method to disguise where an attack is really coming from. If the source of the attack is unknown, it is difficult to stop it, giving intruders free rein with a high likelihood of successfully remaining anonymous.

The MyDoom virus is an example of building such a DDoS attack network. In this case, the attack network was built not through technological vulnerabilities but rather through operational vulnerabilities. Computer system users were coaxed into executing a malicious program that was either sent as an email attachment or downloaded as a file through a Point-To-Point network connection, effectively enrolling their computer system into the attack network. However, instead of remotely controlling the newly installed malicious program as previously described, the intruder designed it to automatically send a significant amount of traffic to www.sco.com on February 1, 2004 and to www.microsoft.com on February 3, 2004.

Early DoS attack technology involved simple tools that generated and sent packets from a single source aimed at a single destination. Over a period of time, tools have evolved to execute single source attacks against multiple targets, multiple source attacks against single targets, and multiple source attacks against multiple targets. Today, the most common DoS attack type reported to the CERT/CC involves sending a large number of packets to a destination causing excessive amounts of endpoint, and possibly transit, network bandwidth to be consumed. Such attacks are commonly referred to as packet flooding attacks. Single source against single target attacks are common, as are multiple source against single target attacks. Based on reported activity, multiple target attacks are less common. The packet types used for packet flooding attacks have varied over a period of time, but for the most part, several common packet types are still used by many DoS attack tools.

Common DoS Attacks

TCP floods – A stream of TCP packets with various flags set is sent to the victim IP address. The SYN, ACK, and RST flags are commonly used.

ICMP echo request/reply (e.g., ping floods) – A stream of ICMP packets is sent to the victim IP address.

UDP floods – A stream of UDP packets is sent to the victim IP address.

Because packet flooding attacks typically strive to deplete available processing or bandwidth resources, the packet rate and the volume of data in the packet stream are important factors in determining how successful the attack is. Some attack tools alter attributes of the packets in the stream for a number of different reasons.

Source IP address – In some cases, a false source IP address, a method commonly called IP spoofing, is used to conceal the true source of a packet stream. In other cases, IP spoofing is used when packet streams are sent to one or more intermediate sites in order to cause responses to be sent toward a victim. The latter example is common for packet amplification attacks such as those based on IP directed broadcast packets (e.g., “smurf” or “fraggle”).

Source/destination ports – TCP and UDP based packet-flooding attack tools sometimes alter source and/or destination port numbers to make reacting with service-based packet filtering more difficult.

Other IP header values – At the extreme, we have seen DoS attack tools that are designed to randomize almost all IP header options for each packet in the stream, leaving only the destination IP address consistent between packets. Packets with fabricated attributes are easily generated and delivered across the network. The TCP/IP protocol suite (IPv4) does not readily provide mechanisms to ensure the integrity of packet attributes when packets are generated or during end-to-end transmission. Typically, an intruder need only have sufficient privilege on a system to execute tools capable of fabricating and sending packets with maliciously altered attributes.
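As an added illustration of the flood types and source-address tricks described above (this is not code from the original article): a small Python detector that reads constructed packet-summary lines, flags any destination receiving more than an assumed 1000 packets per second, reports the dominant protocol/flag combination, and distinguishes a single-source flood from a multi-source one whose per-packet source change is consistent with randomised or spoofed addresses. The line format, the thresholds and the sample addresses are all assumptions made for the example.

```python
from collections import Counter, defaultdict

RATE_THRESHOLD = 1000.0   # packets/second toward one destination (assumed limit)
SPOOF_RATIO = 0.5         # distinct sources / packets above this suggests randomised sources

def parse_line(line):
    """Parse a constructed summary line: '<sec> <src_ip> <dst_ip> <proto> <flags>'."""
    t, src, dst, proto, flags = line.split()
    return float(t), src, dst, proto, flags

def detect_floods(lines, window=1.0):
    """Return {dst: report} for destinations whose packet rate exceeds RATE_THRESHOLD."""
    buckets = defaultdict(list)  # (dst, window index) -> [(src, proto, flags), ...]
    for line in lines:
        t, src, dst, proto, flags = parse_line(line)
        buckets[(dst, int(t // window))].append((src, proto, flags))
    reports = {}
    for (dst, _), pkts in buckets.items():
        rate = len(pkts) / window
        if rate <= RATE_THRESHOLD:
            continue
        sources = {src for src, _, _ in pkts}
        (proto, flags), _ = Counter((p, f) for _, p, f in pkts).most_common(1)[0]
        if len(sources) == 1:
            pattern = "single-source"
        elif len(sources) / len(pkts) > SPOOF_RATIO:   # almost every packet has a new source
            pattern = "multi-source (randomised/spoofed sources likely)"
        else:
            pattern = "multi-source"
        if dst not in reports or rate > reports[dst]["rate"]:   # keep the peak window
            reports[dst] = {"rate": rate, "sources": len(sources),
                            "type": f"{proto}/{flags}", "pattern": pattern}
    return reports

def constructed_sample():
    """Constructed traffic: a little normal web traffic, a quiet UDP host, and a
    SYN flood toward 203.0.113.10 whose source address changes on every packet."""
    lines = [f"{i * 0.1:.1f} 198.51.100.7 203.0.113.10 TCP ACK" for i in range(10)]
    lines += [f"{i * 0.02:.2f} 198.51.100.8 203.0.113.20 UDP -" for i in range(50)]
    lines += [f"0.{i % 10} 10.{(i // 256) % 256}.{i % 256}.1 203.0.113.10 TCP SYN"
              for i in range(1500)]
    return lines

if __name__ == "__main__":
    for dst, rep in detect_floods(constructed_sample()).items():
        print(dst, rep)
```

Fed with summaries of outbound traffic from your own network instead, the same check surfaces a local host that is generating flood traffic as a member of an attack network.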

What can be done about DDoS attacks?

There are no short-term solutions that eliminate DDoS attacks. Today's best practices involve making computers and networks more resilient in the face of an attack. All systems have their limits. One way of making a system more secure is to raise these limits: the more resources a system has, the better its chances of surviving an increased demand for use. To increase the telephone system's limits, the telephone company adds more circuits. For a web service, the Webmaster might increase the number of connections that the web service can accept; for example, a site could add more web servers. This spreads the increased load over more computers and helps to ensure that no single computer operates too near its limit. The higher the limits of all the potentially affected systems – the network and the computers on that network – the better the chances that the network will survive a DDoS attack.

You can do your part to ensure that your computers are never part of a DDoS attack network by following security best practices and being alert to changes in your computer or network performance.

Also check the following points: 

* Are your computers running slower than usual? 
* Is your Internet connection slower than usual? 
* Are the activity lights on your high-speed (cable or DSL) modem solid, or on, almost all the time? 

Any of these could indicate that your computer system may be a participant in a DDoS attack network. If this happens to you, contact your Internet Service Provider (ISP) and follow their recommendations. Also, you should strongly consider turning off your computer system or your high-speed modem. That will certainly stop the flow of DDoS traffic, though this is only a temporary solution. 

If your computer system was a participant in a DDoS attack network, your system was compromised, and attack tools were installed on your computer. You'll need to determine what the intruders did and then repair the damage. 

Summary

Distributed denial of service attacks are a significant problem. These attacks will be with us for a while, though there is ongoing research on how to reduce them. At the core, the problem of denial of service on the Internet has not significantly changed in recent years. Network resources remain limited and susceptible to consumption attacks, and systems still contain vulnerabilities, new and old, that either remain unpatched or are patched in a less than timely manner. Vendors continue to produce technology products that contain exploitable security vulnerabilities. Consumers continue to deploy technology products that contain security vulnerabilities, that are misconfigured such that compromise is possible, or that are simply insecurely managed. Automation technology has enabled self-propagating worms to become common. Today, selective targeting has shifted to place Windows end-users and, more significantly, the routing infrastructure of the Internet at greater risk. As DoS attacks increase in potential and real impact, collateral damage has also increased in numerous ways. Automation has reached the point where attack tool propagation can, by itself, become a DoS attack.

Hardik Shah
