by Adrian McLean
A distributed denial of service (DDoS) attack is a denial of service attack carried out by more than one attacking host, with the hosts coordinated. A denial of service attack is designed to make the target system incapable of offering the service the attacker is targeting. In some cases the target system crashes and becomes unusable; in other cases the attack consumes resources on the target system.
“Nukes” are attacks designed to crash a service or system, whereas “flood” attacks focus on resource consumption.
Common techniques for denial of service are:
- SYN floods
- ICMP floods (including “Smurf” attacks)
- UDP floods (including “Fraggle” attacks)
- Application level floods
- Nukes (malformed or specially crafted packets)
A SYN flood is a succession of TCP session initiation (SYN) packets, often from forged (or “spoofed”) source IP addresses. The target tries and fails to complete a number of TCP sessions, and the resources these half-open sessions consume leave the system unresponsive to legitimate traffic.
An ICMP flood is a succession of ICMP echo request packets from spoofed IP addresses. A working target normally answers each echo request with an echo reply, so such an attack consumes resources on the target. It also consumes resources on the hosts whose addresses were spoofed, since they receive the echo replies.
The same idea applies to a UDP flood, where a sequence of UDP packets, often from spoofed IP addresses, is sent to UDP ports such as 7 (echo) or 13 (character generator). Smurf and Fraggle attacks exploit the fact that the source IP address of an ICMP or UDP flood will be flooded with reply traffic: the attacker sends ICMP or UDP packets to the broadcast address of a target network with the victim's address as the spoofed source, and every operational host on that network then replies to the victim.
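As an added example (not code from the original article), the following Python flags the two flood patterns just described in a batch of packet summaries: destinations accumulating many half-open TCP sessions (SYN flood), and ICMP echo or UDP small-service traffic aimed at the local broadcast address (Smurf / Fraggle). The packet records and addresses are constructed for the example, and the field names (`src`, `dst`, `proto`, `dport`, `flags`, `type`) are assumptions rather than a real capture format.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

def sample_traffic():
    """Constructed sample traffic, not a real capture: three completed handshakes,
    a SYN flood from 150 distinct sources that never ACK, and a Smurf-style burst
    of echo requests at the broadcast address of 192.0.2.0/24 whose source
    (192.0.2.77) is the address the attacker has spoofed, i.e. the victim."""
    pkts = []
    for i in range(1, 4):
        client = f"198.51.100.{i}"
        for flags in ("S", "A"):  # SYN, then ACK: the handshake completes
            pkts.append({"src": client, "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": flags})
    for i in range(150):
        pkts.append({"src": f"203.0.113.{i}", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "S"})
    for _ in range(40):
        pkts.append({"src": "192.0.2.77", "dst": "192.0.2.255", "proto": "icmp", "type": 8})
    return pkts

def syn_flood_suspects(pkts, half_open_threshold=100):
    """Return {(dst, port): count} where `count` sources sent a SYN but never an
    ACK: the pile-up of half-open sessions a SYN flood leaves behind."""
    syns, acks = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        bucket = syns if p["flags"] == "S" else acks
        bucket[(p["dst"], p["dport"])].add(p["src"])
    return {k: len(s - acks[k]) for k, s in syns.items()
            if len(s - acks[k]) >= half_open_threshold}

def broadcast_amplification_suspects(pkts, local_net, threshold=20):
    """Return {(kind, spoofed_src): count} for echo requests, or UDP to the small
    services (echo 7, daytime 13, chargen 19), aimed at the local broadcast
    address. The recorded source is where every host's reply will be sent."""
    bcast = str(ip_network(local_net).broadcast_address)
    hits = Counter()
    for p in pkts:
        if p["dst"] != bcast:
            continue
        if p["proto"] == "icmp" and p.get("type") == 8:
            hits[("icmp-echo", p["src"])] += 1
        elif p["proto"] == "udp" and p.get("dport") in (7, 13, 19):
            hits[("udp-small-service", p["src"])] += 1
    return {k: n for k, n in hits.items() if n >= threshold}
```

The thresholds are deliberately low for the constructed sample; on real traffic they would be tuned against a baseline of normal half-open counts and broadcast traffic for the network.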
Application level floods depend on the application being flooded. The most common application level flood is a stream of requests for web pages directed at a web server. Similarly, mail servers can be flooded with large volumes of email, or with email carrying large attachments. In the case of email, the sender and recipient addresses are usually spoofed.
Nukes are designed to crash remote systems, and they vary widely depending on how the IP packets are malformed or crafted. Common examples include “Land” (where the source and destination IP addresses are the same), “Christmas Tree” (where the FIN, URG and PUSH TCP flags in the packet are set) and “Teardrop” (where IP fragments overlap when reassembled). Nukes can also occur at the application layer, as demonstrated by exploits for Microsoft Windows Server Message Block (SMB) traffic.
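As an added example (not code from the original article), the following Python recognises the three nuke patterns named above in a batch of packet summaries: a Land packet (source equals destination), a Christmas Tree segment (FIN, URG and PSH set together) and a Teardrop datagram (fragments whose byte ranges overlap on reassembly). The sample packets are constructed, and the record fields (`src`, `dst`, `proto`, `flags`, `ip_id`, `frag_off`, `len`) are assumptions, with fragment offsets already expressed in bytes rather than the 8-byte units of the IP header.

```python
from collections import defaultdict

XMAS_FLAGS = {"F", "U", "P"}  # FIN, URG, PSH

def is_land(pkt):
    """Land: a packet whose source and destination IP addresses are identical."""
    return pkt["src"] == pkt["dst"]

def is_xmas(pkt):
    """Christmas Tree: a TCP segment with FIN, URG and PSH all set at once."""
    return pkt["proto"] == "tcp" and XMAS_FLAGS <= set(pkt.get("flags", ""))

def teardrop_datagrams(pkts):
    """Teardrop: fragments of one IP datagram (same src, dst and IP id) whose
    byte ranges overlap. Returns the (src, dst, ip_id) keys that overlap."""
    groups = defaultdict(list)
    for p in pkts:
        if "frag_off" in p:  # only fragments carry an offset in these records
            groups[(p["src"], p["dst"], p["ip_id"])].append(
                (p["frag_off"], p["frag_off"] + p["len"]))
    overlapping = []
    for key, ranges in groups.items():
        ranges.sort()  # by start offset; a later fragment starting before the
        if any(nxt[0] < cur[1] for cur, nxt in zip(ranges, ranges[1:])):
            overlapping.append(key)  # previous one ends is an overlap
    return overlapping

def nuke_findings(pkts):
    """Return (kind, source) for every nuke pattern found in a packet batch."""
    found = [("land", p["src"]) for p in pkts if is_land(p)]
    found += [("xmas", p["src"]) for p in pkts if is_xmas(p)]
    found += [("teardrop", src) for src, _, _ in teardrop_datagrams(pkts)]
    return found

# Constructed sample packets, not a real capture.
SAMPLE = [
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "flags": "S"},   # ordinary SYN
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "flags": "S"},     # Land
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "flags": "FPU"},  # Christmas Tree
    # two well-formed fragments of one datagram: [0, 1480) then [1480, 2960)
    {"src": "198.51.100.6", "dst": "192.0.2.10", "proto": "udp", "ip_id": 1, "frag_off": 0, "len": 1480},
    {"src": "198.51.100.6", "dst": "192.0.2.10", "proto": "udp", "ip_id": 1, "frag_off": 1480, "len": 1480},
    # Teardrop: the second fragment starts inside the first, [0, 36) then [24, 28)
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "udp", "ip_id": 2, "frag_off": 0, "len": 36},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "udp", "ip_id": 2, "frag_off": 24, "len": 4},
]
```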
DDoS attacks are against the law
DDoS attacks are illegal in many countries. For example, in the UK, a DDoS attack can carry a maximum penalty of 10 years in prison. Even distributing software used in DDoS attacks can be an offence.
How to DDoS?
A typical architecture of a DDoS attack network consists of three layers:
- A client computer that is operated by the attacker
- A number of handlers (also known as masters) which are controlled by the client, and
- A number of agents (also called zombies or daemons) which are controlled by the handlers and which do the denial of service attack.
The client scans hosts for a particular set of exploitable vulnerabilities and records any that are found. Those vulnerable hosts are then compromised by the client, and the handler software is installed on them automatically. The handlers then run further automated scans for vulnerable systems to compromise, which become agents. The agents carry out the attacks under the control of the handlers, which are in turn directed by the client.
DDoS tools often hide themselves on the compromised systems so that system administrators and users cannot detect that they are present. They may do this by using plausible file or process names, but many DDoS tools include altered operating system commands that aim to make the DDoS tool and its processes and network activity invisible to the system user. Programs of this kind are known as “rootkits”; a number exist for UNIX systems and, to a lesser extent, for Windows systems.
The following are common DDoS attack tools:
- LOIC (Low Orbit Ion Cannon)
- Tribe Flood Network
- Tribe Flood Network 2000
Worms (such as Slapper) are increasingly being used to compromise hosts and install DDoS tools.
The following are common DoS attack tools:
- HULK (HTTP Unbearable Load King)
- DDOSIM (Layer 7 DDoS Simulator)
- Tor’s Hammer
- OWASP DOS HTTP POST
- GoldenEye HTTP Denial Of Service Tool
The victim organisation can find DDoS attacks very difficult to handle. It is common for DDoS agents to spoof the source IP address so that the agent itself is not flooded with reply traffic. Spoofing the source IP also obscures the origin of the attack and makes tracing it difficult. When a target system is attacked from several sources at once, tracing back and blocking traffic from a large number of spoofed IP addresses can be very difficult.