Distributed Denial of Service (DDoS) Attacks

distributed denial of serviceIn the previous article, we discussed denial of service (DoS) attacks. These attacks involve the use of a single client to launch an attack on a system or service. Distributed denial of service (DDoS) attacks use the same basic attack methodologies as outlined in the previous article, with the exception that the attacks are initiated from multiple client systems.

The way this typically works is that malicious parties will use viruses to subtly gain control over large numbers of computers (typically poorly-defended home computers connected to broadband Internet connections). Unbeknownst to the owner of the computer (which generally continues to function as normal) the system is essentially a zombie waiting to be given instructions. Once the malicious party has gathered an army of zombie computers they are instructed to participate in massive distributed denial of service attacks on unsuspecting victims. A large enough volume of zombie systems can, and indeed have been known to bring down even the largest and most scalable enterprise infrastructure, and even bring parts of the Internet itself to a grinding halt. Merely purchasing more incoming bandwidth than the current volume of attack might not help, because the attacker might be able to simply add more attack machines.

Distributed Denial of Service Attacks: Advantages and Types

There are several advantages to launching a distributed denial of service attack:

  1. Multiple machines can generate more attack traffic than one machine.
  2. Multiple machines are harder to turn off than one attack machine.
  3. The behavior of each attack machine can be stealthier, making it harder to track and shut down.

Distributed denial of service can take several forms. Malware can carry distributed denial of service attack mechanisms. One of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. this type of distributed denial of service involved hardcoding the target IP address prior to the release of the malware. No further interaction was necessary to launch the attack.

A system may also be compromised with a trojan, allowing the attacker to download a zombie agent, or the trojan may contain one. Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. A compromised system becomes known as a bot, and they are controlled by handlers run by the attacker, known as botnets. Many of these tools use classic DoS attack methods centered on IP spoofing and amplification like smurf and fraggle attacks, as well as SYN floods.

A distributed denial of service attack may involve sending forged requests to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means that all the replies will go to and flood the target.

The primary line of defense for blocking distributed denial of service attacks, as with DoS attacks, is the firewall. Firewalls can be set up to have simple rules to allow or deny protocols, ports or IP addresses. In the case of a simple attack coming from a small number of unusual IP addresses for instance, one could put up a simple rule to drop all incoming traffic from those attackers. But most complex attacks will be hard to block with simple rules. Additionally, firewalls may be too deep in the network hierarchy, although they can prevent users from launching simple flooding type attacks from machines behind the firewall.

Some stateful firewalls, like OpenBSD’s pf (and pfSense, since it’s based on pf), can act as a proxy for connections. Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. pf can proxy the handshake: pf itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. In the case of a TCP SYN flood attack, the attacker never completes the three-way handshake, so the attacker’s packets never reach the protected server, but legitimate clients will complete the handshake and get passed. this minimizes te impact of spoofed TCP SYN floods on the protected service, handling it in pf instead.

Most switched also have some automatic and system-wide rate limiting, traffic shaping, delayed binding, deep packet inspection and Bogon (bogus IP) filtering to detect and block denial of service attacks. This will work as long as the distributed denial of service attack is something that can be prevented by using them. SYN floods can be prevented using delayed binding. Content-based DoS or DDoS may be prevented using deep packet inspection. And attacks originating from dark addresses can be prevented using Bogon filtering.

External Links:

Denial of service attack on Wikipedia

PF: Packet Filtering at www.openbsd.org

© 2013 David Zientara. All rights reserved. Privacy Policy