Upload: shravansofts, posted 07-Apr-2018

8/3/2019 Ddos Basics

2010 Team Cymru, Inc - all rights reserved. No part of this publication may be reproduced without the prior written permission of Team Cymru.

DDoS Basics

Introduction

Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade services provided by a computer at a given Internet Protocol (IP) address [1].

This paper will explain, in extremely basic terms, the various types of DDoS attack. We will explain the motivations of the miscreants behind these attacks and outline the differing functionality of each attack type, providing examples and suggesting measures that could be employed to mitigate future incidents.

This paper is not intended to serve as a comprehensive technical guide, but merely a relatively non-technical overview for the novice. We will try to avoid jargon and explain it where we have no alternative.

[1] Think of these, in very basic terms, like phone numbers for computers on the Internet: unique numbers that identify networks and individual machines on the network.

Figure 1: This image shows the relative number of machines in various countries on a single recent date that were known to be infected with at least one computer virus. The numbers fluctuate regularly but most of these infected machines will be part of botnets.


Motivations

The Underground Economy (UE) is a term used to describe the massive communications and economic infrastructure used by criminals who engage in crime against, and facilitated by, the Internet and its users.

Primarily designed for acquisitive crime, transactions seen in the UE generally tend to shy away from DDoS attacks; after all, nobody makes any money if you break the Internet.

However, DDoS attacks clearly do occur, for some of the following reasons:

Revenge: attacks against a rival, typically to take that person's shell [2] or home connection offline, traditionally part of petty disputes on Internet Relay Chat (IRC).

Demonstration: DDoS attacks normally utilize botnets, networks of computers that are all infected with the same virus and are all under the control of one person. DDoS attacks can be used to prove the size and power of a botnet before it is rented or sold in the UE. Many apparently motiveless attacks have been demonstrations with a victim picked essentially at random.

Extortion: a favorite of Russian organized crime groups. DDoS attacks on e-commerce sites, and legitimate online gambling sites in particular, can yield ransoms of a few tens of thousands of dollars in exchange for allowing the victim site to resume business. Interviews with perpetrators now in prison have confirmed that they will ignore potential victims who ignore their demands and move on to new targets in the hope of engaging in negotiations with them.

Competitive advantage: DDoS services can be rented to take a competitor's website offline, causing lost business or embarrassment and forcing current or potential customers to use a rival, who can often claim plausible deniability for any attack.

Collateral damage: often many thousands of sites will be hosted on the same server and IP address, so an attack on one site will have the effect of taking them all offline. Due to the topology of the Internet, huge attacks will often cripple the companies that provide connectivity well before the attack even reaches the final intended target. Routers can be attacked just as websites and end users can be, resulting in connectivity issues for perhaps millions of users that the attacker had no reason to want to impact.

Combination attacks: one that is only theoretical at this stage, but involving a conventional attack in the real world (bank robbery, terrorist bombing) that also disrupts communications links to cause panic and hinder first responders.

Political attacks: now a mainstay of all conventional conflicts since the Balkans, these attacks often involve regular, otherwise law-abiding Internet users, or the re-tasking of botnets that are normally engaged in conventional UE activities. These attacks often impact IP addresses in geographic regions, or the IP space used by a specific function within a government, to further a political cause. Protest attacks are also generally considered to be a form of political attack, an example being the recent activity of the group known as Anonymous.

[2] A shell is an account on a remote server that can be used to hide your identity or perform other functionality that you would not want to occur on your local machine.

    Figure 2: The average daily number of infected machines over the last 12 months for the Americas


    DDoS types

When reading this section, it might help to understand what a protocol is in Internet terms. Think of it like a language:

ICMP is the language that computers on the Internet use to talk to each other about errors and other status-related issues. Whilst ICMP messages are generally considered low priority, some of them perform an important role; others are less important and can be easily filtered. Generally the ICMP messages used in a DDoS attack can be easily filtered, although it is easy to blast out large volumes of packets using this protocol as there is no built-in flow control mechanism.

TCP is the language that computers use when data has to arrive in a defined, ordered stream and you have to make sure you get all of it, completely right, all the time, such as with web browsing or email. TCP is slightly harder to use for raw-volume DDoS attacks, because its connection setup and flow control regulate how fast data can be sent; an attacker has to sidestep that connection management (for example by sending only the opening packets of connections that are never completed) to speed up the flow of attacking packets.

UDP is another way for computers to transfer data, but it is used for data that does not need to be in a reliable stream: it does not matter if some of it gets lost en route or delivered out of sequence, as it is better to keep the stream moving along quickly and cope with a few lost packets. Again, as with ICMP packets, it is relatively easy to use UDP for blasts of DDoS packets as there is no built-in mechanism to control the rate at which packets are sent. UDP is often used for streaming video, VoIP phones and Domain Name System (DNS) queries.

Figure 3: The average daily number of infected machines over the last 12 months for Europe

ICMP ping flood

One of the simplest and oldest methods, this one was used to great effect during the Estonia and Georgia attacks of recent years.

Otherwise law-abiding citizens simply typed "ping" and an IP address from their home computers. A single ping sends one small echo request per second by default, and the victim answers each with an echo reply, so it takes the combined impact of hundreds of thousands of such simultaneous commands to disrupt communications with a website. As with many of these types of attack, there are tools to automate this over a large number of infected machines in a botnet, and those send echo requests as fast as the line allows rather than one per second.


    UDP flood

This involves sending a stream of UDP packets to various ports [3] on the victim machine. Upon receipt of one of these packets, the victim machine has to check whether any of its programs are set up to accept incoming data on that port.

It will probably find that no program is listening for data on that port, and it will then normally send a reply to the originator of the packet to the effect that "there's a problem, there's nothing here for you on that port". This reply is an ICMP Destination Unreachable packet (specifically, port unreachable).

If you send enough of these UDP packets, eventually the victim machine will be so busy responding with ICMP Destination Unreachable packets that legitimate requests will be unable to get through. Modern operating systems rate-limit how many of these error replies they generate, which blunts the processing cost but does nothing about the incoming bandwidth. In fact, with UDP it is quite easy to fake (or "spoof") where you are coming from, making it easy to hide the true origin of the UDP packets; this prevents the attacker's machines from being swamped with the ICMP Destination Unreachable packets and makes attribution even harder.

[3] Ports are like tiny doors into a computer system. Behind an open one there is a program an outsider can talk to. This is why we have firewalls: to act as guard dogs at these doors into your computer.

Smurf attack

An old attack, now rare, as network administrators have been able to immunize their networks against these faked ICMP broadcast pings.

Basically, you send an ICMP Echo Request to the broadcast address of a network, but you fake the source address of that packet with the IP address of your intended victim. A router that forwards such "directed broadcasts" delivers the echo request to every device on that network, and every device that receives it sends back the requested echo reply to the victim machine. One packet in thus produces as many packets out as there are responding hosts on that network, all aimed at the victim.

SYN flood

When you connect to a website, the two computers go through a short conversation (the "three-way handshake") to agree on the way they plan to communicate. The start of this negotiation involves the sending of a specific packet of data called a SYN (short for synchronize), causing the receiving computer to send a reply called a SYN-ACK, set aside memory for the half-open connection, and then wait for the final ACK to continue the conversation.

A SYN flood attack involves sending a large number of SYN packets to a server, usually from spoofed source addresses, so that the server sends a SYN-ACK for each one and waits for an ACK that never comes. Each half-open connection occupies a slot in the server's connection backlog until it times out, and the flood quickly eats up all the available slots, making it impossible for any legitimate connection attempt to get through.
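The handshake bookkeeping described above is also what a detector watches. The following Python is an added example, not code from Team Cymru's paper: it replays a constructed packet trace (addresses are from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24; the `Packet` record, the 3-second timeout and the thresholds are assumptions chosen for the illustration) and counts, per listening socket, how many SYNs were never followed by the client's ACK. Three genuine clients complete their handshakes; 200 spoofed sources send a SYN each and vanish.

```python
"""Half-open connection tracking: the state a SYN flood forces a server to hold."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: str       # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


def half_open_stats(packets, timeout=3.0):
    """Per listening socket (dst, dport): SYNs seen, handshakes completed,
    half-open connections and distinct source addresses.

    A client SYN opens a pending entry.  The client's bare ACK closes it as
    completed if it arrives within `timeout` seconds; a RST from the server
    (port closed) discards it, because nothing is held for a closed port.
    Anything still pending at the end, or answered too late, counts as
    half-open.  Server SYN-ACKs are ignored: they are the server's reaction,
    not the client's behaviour.
    """
    pending = {}                                   # (src, sport, dst, dport) -> SYN time
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0, "sources": set()})
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[key] = p.ts
            stats[(p.dst, p.dport)]["syn"] += 1
            stats[(p.dst, p.dport)]["sources"].add(p.src)
        elif p.flags == "A" and key in pending:
            opened = pending.pop(key)
            bucket = "completed" if p.ts - opened <= timeout else "half_open"
            stats[(p.dst, p.dport)][bucket] += 1
        elif p.flags == "R":
            # server reset: the client's pending entry is the reversed 4-tuple
            pending.pop((p.dst, p.dport, p.src, p.sport), None)
    for (_src, _sport, dst, dport) in pending:
        stats[(dst, dport)]["half_open"] += 1
    return {sock: {**s, "sources": len(s["sources"])} for sock, s in stats.items()}


def detect_syn_flood(packets, min_half_open=100, max_completion_ratio=0.2, timeout=3.0):
    """Sockets that hold at least `min_half_open` half-open connections while
    completing no more than `max_completion_ratio` of the handshakes started."""
    flagged = []
    for sock, s in half_open_stats(packets, timeout).items():
        ratio = s["completed"] / s["syn"] if s["syn"] else 1.0
        if s["half_open"] >= min_half_open and ratio <= max_completion_ratio:
            flagged.append(sock)
    return sorted(flagged)


def sample_trace():
    """Constructed trace, not a real capture: three genuine clients that finish
    their handshakes, then 200 spoofed sources that send one SYN each and never
    answer the server's SYN-ACK."""
    server = "192.0.2.10"
    pkts = []
    for i in range(3):
        client = f"198.51.100.{i + 1}"
        pkts.append(Packet(float(i), client, server, 50000 + i, 80, "S"))
        pkts.append(Packet(i + 0.01, server, client, 80, 50000 + i, "SA"))
        pkts.append(Packet(i + 0.02, client, server, 50000 + i, 80, "A"))
    for i in range(200):
        spoofed = f"203.0.113.{i + 1}"
        pkts.append(Packet(5 + i * 0.001, spoofed, server, 40000 + i, 80, "S"))
        pkts.append(Packet(5 + i * 0.001 + 0.0005, server, spoofed, 80, 40000 + i, "SA"))
    return pkts


if __name__ == "__main__":
    trace = sample_trace()
    for sock, s in half_open_stats(trace).items():
        print(sock, s)
    print("flagged:", detect_syn_flood(trace))
```

On the constructed trace the server's port 80 ends with 203 SYNs, 3 completed handshakes and 200 half-open entries, so it is flagged; the nine packets of the genuine clients alone are not. Because the sources are spoofed, the `sources` figure is a count of addresses, not of attackers, and a real server will usually have switched to SYN cookies or started shedding its oldest backlog entries long before a trace-based detector fires.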


GET request

When you visit a web site, your computer makes a request for the page you want to see using a GET request.

In exactly the same way, miscreants can instruct machines that are part of a botnet to all request, for example, a large image. Doing this constantly, using a large number of machines, causes legitimate requests for content from that site to not reach the server, as the available connections are all already saturated. Because each bot completes a real TCP connection and sends a well-formed request, the source addresses cannot be spoofed, but the traffic is also hard to tell apart from genuine visitors by looking at packet headers alone.


    Frag flood

During normal operations on the Internet, packets of data sometimes have to be split up, or "fragmented", due to their size and restrictions on the networks they are passing through. Various parts of the Internet infrastructure (routers, firewalls, and servers) may be configured to reassemble these fragments in order to analyze or work with the full original packet.

A frag flood works in two ways. First, like most other DDoS attacks, it hopes to overwhelm routers, firewalls, servers, and network links with the sheer volume of data. Second, it sends specially crafted fragments that cannot possibly be reassembled, because the "first fragment", the part of the packet that carries the transport header and tells the receiver what the other fragments belong to, is never actually created and sent. The receiver has to hold every partial set in memory until a reassembly timer expires. In some cases this can overwhelm reassembly mechanisms and cause devices to lock up and crash, in addition to simply filling up their network links with garbage packets to be discarded.
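To make that failure mode concrete, here is an added example (not from the original paper) of a fragment reassembler with the two protections a device needs: a reassembly timeout and a cap on how many partial datagrams it will hold at once. `Fragment`, `Reassembler`, the 30-second timeout and the 64-entry cap are assumptions for the illustration, and offsets are in bytes rather than the 8-byte units of the real IP header. The demo reassembles one genuine datagram delivered out of order, then feeds 500 fragment sets whose first fragment never arrives, and reports the table staying at 64 entries with the rest refused, then emptying once the timer has run.

```python
"""Bounded IP fragment reassembly: what a device must do to survive a frag flood."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Fragment:
    ts: float
    src: str
    dst: str
    ident: int        # IP identification field shared by all pieces of one datagram
    offset: int       # byte offset of this piece (real IP offsets are in 8-byte units)
    more: bool        # IP "More Fragments" flag: False marks the last piece
    data: bytes


@dataclass
class _Buffer:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> data
    total: Optional[int] = None                              # known once the last piece arrives


class Reassembler:
    """Holds partial datagrams keyed by (src, dst, ident).

    Two limits keep a flood of never-completable fragment sets from exhausting
    memory: a reassembly `timeout` after which a partial set is discarded, and
    `max_buffers`, beyond which new partial sets are refused rather than stored.
    """

    def __init__(self, timeout=30.0, max_buffers=64):
        self.timeout = timeout
        self.max_buffers = max_buffers
        self.buffers: Dict[tuple, _Buffer] = {}
        self.completed = []      # (key, datagram bytes) in completion order
        self.dropped = 0         # fragments refused because the table was full
        self.expired = 0         # partial sets discarded by the timer

    def _expire(self, now):
        stale = [k for k, b in self.buffers.items() if now - b.first_seen > self.timeout]
        for k in stale:
            del self.buffers[k]
        self.expired += len(stale)

    def add(self, frag):
        """Store one fragment; return the full datagram if it is now complete."""
        self._expire(frag.ts)
        key = (frag.src, frag.dst, frag.ident)
        buf = self.buffers.get(key)
        if buf is None:
            if len(self.buffers) >= self.max_buffers:
                self.dropped += 1
                return None
            buf = self.buffers[key] = _Buffer(first_seen=frag.ts)
        buf.pieces[frag.offset] = frag.data
        if not frag.more:
            buf.total = frag.offset + len(frag.data)
        datagram = self._assemble(buf)
        if datagram is not None:
            del self.buffers[key]
            self.completed.append((key, datagram))
        return datagram

    @staticmethod
    def _assemble(buf):
        """Join the pieces if the first and last are present and there are no
        holes; overlapping pieces are treated like a hole and left to expire."""
        if buf.total is None or 0 not in buf.pieces:
            return None
        out = bytearray()
        for offset in sorted(buf.pieces):
            if offset != len(out):
                return None
            out += buf.pieces[offset]
        return bytes(out) if len(out) == buf.total else None


def demo():
    """Constructed traffic: one real datagram in three out-of-order pieces, then a
    flood of 500 datagrams that each consist of a single middle piece only."""
    r = Reassembler(timeout=30.0, max_buffers=64)
    payload = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n" + b"x" * 100
    good = [Fragment(0.0, "198.51.100.7", "192.0.2.10", 1, 0, True, payload[:48]),
            Fragment(0.1, "198.51.100.7", "192.0.2.10", 1, 48, True, payload[48:96]),
            Fragment(0.2, "198.51.100.7", "192.0.2.10", 1, 96, False, payload[96:])]
    for f in (good[2], good[0], good[1]):
        r.add(f)
    assembled = r.completed[0][1] == payload
    for i in range(500):
        r.add(Fragment(1.0 + i * 0.01, "203.0.113.5", "192.0.2.10", 1000 + i, 48, True, b"junk" * 12))
    held, dropped = len(r.buffers), r.dropped
    r.add(Fragment(40.0, "198.51.100.7", "192.0.2.10", 2, 0, False, b"ping"))  # 34 s later
    return {"assembled": assembled, "held": held, "dropped": dropped,
            "expired": r.expired, "buffers_after": len(r.buffers)}


if __name__ == "__main__":
    print(demo())
```

Without the cap, the table would grow by one entry per attack packet until the timer caught up, which is exactly the memory exhaustion the paragraph describes; with it, the cost of the flood is bounded at 64 partial sets and the genuine datagrams still go through. The price is that a legitimate fragment set arriving while the table is full is refused too, so on a real device the cap is sized well above the normal number of in-flight fragmented datagrams.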

DNS Amplification attack

This is a very different type of attack in that it does not need a botnet: the traffic that hits the victim comes from legitimate DNS servers rather than from infected machines. DNS servers are critical to how the Internet works, telling our computers what IP address the sites we need to visit can be found at.

Many DNS servers are misconfigured to answer queries from any computer on the Internet ("open resolvers"), and because DNS queries travel over UDP, the sender can fake the address the reply should be sent back to. If you ask the question of a misconfigured DNS server in a certain way, it is possible to get a reply many times larger than the query sent back to an IP address you want to attack. Arrange for hundreds of thousands of such queries to be sent simultaneously to a large number of these misconfigured DNS servers and, if they all send their huge replies to the faked victim IP address, you can achieve enormous attack sizes. This, as with most DDoS attacks, can simply fill the network's pipes with garbage, preventing any legitimate traffic from getting through.

We have seen some of the largest attacks on record using this relatively simple method, capable of saturating the bandwidth of entire countries. Luckily they remain rare. Team Cymru has a free service where we will tell networks if they have any such misconfigured DNS servers in their network.
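An added example, not code from Team Cymru, of the two numbers an operator wants when auditing their own resolvers: how much larger the reply is than the query, and whether the server recursed for an outsider at all. `build_query` produces a real wire-format recursive query for type ANY with an EDNS0 OPT record advertising a 4096-byte UDP buffer (the combination that yields the largest replies). The replies it is checked against are constructed inside the block, not captured from any server; the 20 TXT records of 250 bytes, the name example.test and the function names are assumptions for the illustration. `probe` is a plain UDP send and receive for a resolver you are authorised to test; the offline demo never calls it.

```python
"""Measuring DNS amplification and spotting an open resolver from the reply header."""
import socket
import struct

# EDNS0 OPT pseudo-record: root name, type 41, "class" = advertised UDP payload
# size (4096), TTL 0, no RDATA.  Without it a resolver truncates replies at 512 bytes.
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
QTYPE_ANY, QTYPE_TXT, CLASS_IN = 255, 16, 1
RCODE_REFUSED = 5


def _encode_name(name):
    """example.test -> \\x07example\\x04test\\x00"""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns=True):
    """A recursive (RD=1) query: the small packet the attacker spoofs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = _encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + (OPT_RR if edns else b"")


def parse_header(msg):
    """The 12-byte DNS header, decoded."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sent."""
    return round(len(response) / len(query), 1)


def classify(query, response):
    """Verdict for a reply to a recursive query about a name the server does not host."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != struct.unpack("!H", query[:2])[0]:
        return "not a reply to our query"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if not h["ra"]:
        return "recursion not available"
    if h["ancount"] > 0:
        return "open resolver"
    return "no data"


def build_txt_response(name, qtype=QTYPE_ANY, txid=0x1234, txt_count=20, txt_len=250):
    """Constructed reply (not from a real server): QR+RD+RA, rcode 0, the
    question echoed, `txt_count` TXT records whose owner is a compression
    pointer (0xC00C) back to the question name, and the OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, txt_count, 0, 1)
    question = _encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    rdata = bytes([txt_len]) + b"A" * txt_len            # one <len><chars> TXT string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr * txt_count + OPT_RR


def build_refused_response(name, qtype=QTYPE_ANY, txid=0x1234):
    """Constructed reply from a correctly locked-down server: QR+RD, RA clear, rcode REFUSED."""
    header = struct.pack("!HHHHHH", txid, 0x8100 | RCODE_REFUSED, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def probe(server, query, timeout=2.0):
    """Send `query` over UDP to a resolver you are authorised to test and return
    the raw reply.  Network call; the offline demo below does not use it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(65535)
    return reply


if __name__ == "__main__":
    q = build_query("example.test")
    for r in (build_txt_response("example.test"), build_refused_response("example.test")):
        print(len(q), "->", len(r), "bytes, x%s, %s" % (amplification_factor(q, r), classify(q, r)))
```

With the constructed reply the 41-byte query comes back as 5,301 bytes, an amplification factor of about 129, and the header says "open resolver"; the locked-down server answers with rcode REFUSED and RA clear, 30 bytes in total, so it amplifies nothing. Many resolvers now answer ANY with a minimal response (RFC 8482), so a real audit should also try large record types the zone actually serves, such as DNSKEY or TXT, and should send the probe from outside the resolver's own network, since an open resolver is one that recurses for strangers.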

Mitigation

There are a few tried and tested methods to lessen the pain of an attack, although they can be expensive and they are always a reactive tool. Networks find it difficult to really avoid the impact of an attack without major investment in redundant topologies and surplus bandwidth. Although there are many other technical responses to DDoS attacks, here is an overview of some of the main options:

Filtering

If you can examine the traffic attacking you, you might be able to spot similarities between the DDoS packets: they might all be coming predominantly into one port, or share a specific feature such as packet size. If this is the case, you can set your routers to drop packets that match these criteria. Unfortunately this might only be a temporary solution, as the miscreants only have to adjust their attacks to use a different port, packet size or any other factor you are filtering on. Before deploying such a rule, check how much of your normal traffic it would also match. Judicious use of firewalls can prevent unwanted traffic such as UDP floods from ever reaching an intended victim machine.

Figure 4: This image shows the locations of DNS servers that participated in a recent massive DNS Amplification attack. The strength of the dot relates to the frequency that IP sent data.

You can make Smurf attacks harder by setting your routers not to forward anything to broadcast addresses; this has been the standard default for routers since RFC 2644 (1999). It is also helpful to prevent machines from responding to pings and other packets sent to broadcast addresses.
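As an added example (not from the paper), the following Python performs the checking step that belongs before a rule is pushed to a router: it finds the (protocol, destination port, packet size) signature that dominates a sample taken during the attack and reports what share of a normal-traffic sample the same rule would also drop. The packet records, the two scenarios and the 70% threshold are constructed for the illustration.

```python
"""Deriving a header-based drop rule from an attack sample and checking its collateral damage."""
from collections import Counter


def feature(pkt):
    """The fields the text suggests filtering on: protocol, destination port, size."""
    return (pkt["proto"], pkt["dport"], pkt["len"])


def candidate_filter(during_attack, baseline, min_share=0.7):
    """Find the single (proto, dport, len) signature that carries at least
    `min_share` of the packets seen during the attack.  Returns the signature
    with the share of attack-time packets it matches and the share of normal
    (baseline) packets the same rule would also drop, or None if no one
    signature dominates (in which case a header filter will not help)."""
    counts = Counter(feature(p) for p in during_attack)
    sig, n = counts.most_common(1)[0]
    share = n / len(during_attack)
    if share < min_share:
        return None
    collateral = sum(1 for p in baseline if feature(p) == sig) / len(baseline)
    return {"proto": sig[0], "dport": sig[1], "len": sig[2],
            "attack_share": round(share, 3), "baseline_drop": round(collateral, 3)}


def baseline_traffic():
    """Constructed normal traffic for a web server: 400 TCP/80 packets (a quarter
    of them 60-byte SYNs), 100 DNS replies to ephemeral UDP ports, 20 pings."""
    pkts = [{"proto": "tcp", "dport": 80, "len": 60 if i % 4 == 0 else 1500} for i in range(400)]
    pkts += [{"proto": "udp", "dport": 33000 + i, "len": 120} for i in range(100)]
    pkts += [{"proto": "icmp", "dport": 0, "len": 84} for _ in range(20)]
    return pkts


def udp_flood_scenario():
    """Baseline plus 2000 UDP packets of 1024 bytes to port 80: nothing listens on
    UDP/80, so a rule on this signature costs no legitimate traffic."""
    return baseline_traffic() + [{"proto": "udp", "dport": 80, "len": 1024} for _ in range(2000)]


def syn_flood_scenario():
    """Baseline plus 2000 bare SYNs: indistinguishable by proto/port/size from
    the legitimate connection attempts in the baseline."""
    return baseline_traffic() + [{"proto": "tcp", "dport": 80, "len": 60} for _ in range(2000)]


if __name__ == "__main__":
    print("UDP flood:", candidate_filter(udp_flood_scenario(), baseline_traffic()))
    print("SYN flood:", candidate_filter(syn_flood_scenario(), baseline_traffic()))
    print("quiet day:", candidate_filter(baseline_traffic(), baseline_traffic()))
```

For the UDP flood the dominant signature (UDP to port 80, 1024 bytes) matches 79% of attack-time packets and none of the baseline, so the rule is safe to deploy. For the SYN flood the dominant signature is TCP/80 at 60 bytes: it matches 83% of attack-time packets but also 19% of normal traffic, every legitimate SYN, which is the case where a header filter cannot separate attack from customer and connection-state tracking or upstream scrubbing is needed instead. On a quiet day no signature reaches the threshold and the function returns None rather than inventing a rule.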

Increase bandwidth

If your site normally resides at a hosting provider that gives you an average amount of bandwidth, that bandwidth will easily be consumed by a sustained, medium-sized DDoS attack. You could purchase additional bandwidth from your current or a larger hosting provider to absorb the effects of the attack. This, again, might only be a temporary solution if the attackers simply add more bots to the attack to absorb any increased bandwidth. Some companies provide a form of insurance in that they will host major sites on huge links that can absorb large attacks. They also employ some clever techniques to prevent these large (often e-commerce) sites from going down, but they cost a lot of money.

IP address changes

An attack that targets the IP address your computer is at could be avoided by simply moving to a new IP address. Unfortunately, many attacks target domain names rather than IP addresses (for example www.google.com, as opposed to the IP address that the Domain Name Servers tell computers Google is currently at), so the attack simply follows the name to its new address. Even when the DDoS attack is only targeting an IP address, it is trivial for the attacker to react to a move and target the new IP address. Some attacks have been going on literally for years like this.

Attribution

The most difficult, but most effective, method of stopping a DDoS attack is to work out who is behind it and have them arrested. The issues raised by this course of action warrant their own document; suffice it to say that it is unfortunately very rare for the miscreants responsible for these attacks to get the punishments that would serve as a deterrent against future crimes.


Conclusion

DDoS attacks have been around almost since the birth of the Internet. They seem to be slightly less frequent now, probably because they are difficult to monetize, and they generally just form part of the background noise in the Underground Economy. They remain a potent threat, however, and we continue to see occasional attacks that have evolved in both technical sophistication and power. They are hard to understand and react to, and we hope this paper will arm you with the knowledge to at least become familiar with the basics.

Who is Team Cymru?

Team Cymru Research NFP is a specialized Internet security research firm and 501(c)(3) non-profit dedicated to making the Internet more secure. By researching the 'who' and 'why' of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems in their networks.

There are many ways to keep up with what Team Cymru is doing; see the lower part of http://www.team-cymru.org/About/contact.html plus:

* join our announce list via [email protected]
* see what we see, www.team-cymru.org/Monitoring/Graphs
* probably the best news feed in the world, www.team-cymru.org/News
* cool stuff you can use, www.team-cymru.org/Services/
* see our Twitter feed at http://twitter.com/teamcymru
* The weekly Who and Why Show: www.youtube.com/teamcymru

Figure 5: This image shows the origin (C&C server location) and destination of the victim of DDoS attacks for a recent 24 hour period.
