DDoS Basics




Introduction

Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade services provided by a computer at a given Internet Protocol (IP) address [1]. This paper will explain, in extremely basic terms, the various types of DDoS attacks. We will explain the motivations of the miscreants behind these attacks and outline the differing functionality of each attack type, providing examples and suggesting measures that could be employed to mitigate future incidents. This paper is not intended to serve as a comprehensive technical guide, but merely a relatively non-technical overview for the novice. We will try to avoid jargon and explain it where we have no alternative.

Figure 1: This image shows the relative number of machines in various countries on a single recent date that were known to be infected with at least one computer virus. The numbers fluctuate regularly but most of these infected machines will be part of botnets.

[1] Think of these, in very basic terms, like phone numbers for computers on the internet: unique numbers that identify areas and unique machines on the network.

Motivations

The Underground Economy (UE) is a term used to describe the massive communications and economic infrastructure used by criminals who engage in crime against, and facilitated by, the Internet and its users. Primarily designed for acquisitive crime, transactions seen in the UE generally tend to shy away from DDoS attacks; after all, nobody makes any money if you break the Internet. However, DDoS attacks clearly do occur, for some of the following reasons:

Revenge: attacks against a rival, typically to take that person's shell [2] or home connection offline, traditionally part of petty disputes on Internet Relay Chat (IRC).

Demonstration: DDoS attacks normally utilize botnets: networks of computers that are all infected with the same virus and are all under the control of one person. DDoS attacks can be used to prove the size and power of a botnet before it is rented or sold in the UE. Many apparently motiveless attacks have been demonstrations with a victim picked essentially at random.

Extortion: a favorite of Russian Organized Crime groups. DDoS attacks on e-commerce, and legitimate online gambling sites in particular, can yield ransoms of a few tens of thousands of dollars in exchange for allowing the victim site to resume business. Interviews with perpetrators now in prison have confirmed that they will ignore potential victims who ignore their demands and move on to new targets in the hope of engaging in negotiations with them.

Competitive advantage: DDoS services can be rented to take a competitor's website offline, causing lost business or embarrassment and forcing current or potential customers to use a rival who can often claim plausible deniability for any attack.

[2] A shell is an account on a remote server that can be used to hide your identity or perform other functionality that you would not want to occur on your local machine.

Figure 2: The average daily number of infected machines over the last 12 months for the Americas

Collateral damage: often many thousands of sites will be hosted on the same server and IP address. An attack on one site will have the effect of taking them all offline. Due to the topology of the Internet, huge attacks will often cripple companies that provide connectivity, well before the attack even reaches the final intended target. Routers can be attacked just as websites and end users can be, resulting in connectivity issues for perhaps millions of users that the attacker had no reason to want to impact.

Combination attacks: one that is only theoretical at this stage, but involving a conventional attack in the real world (bank robbery, terrorist bombing) that also disrupts communications links to cause panic and hinder first responders.

Political attacks: now a mainstay of all conventional conflicts since the Balkans, these attacks often involve regular, otherwise law-abiding, Internet users or the re-tasking of botnets that are normally engaged in conventional UE activities. These attacks often impact IP addresses in geographic regions or the IP space used by a specific function within a government, to further a political cause. Protest attacks are also generally considered to be a form of political attack, an example being the recent activity of the group known as Anonymous.

Figure 3: The average daily number of infected machines over the last 12 months for Europe

DDoS types

When reading this section, it might help to understand what a protocol is in Internet terms. Think of it like a language:

ICMP is the language used by computers on the Internet to talk to each other about errors and other status related issues. Whilst they are generally considered to be low priority messages, some ICMP messages perform an important role. Others are less important and can be easily filtered. Generally ICMP messages used in a DDoS attack can be easily filtered, although it is easy to blast out large volumes of packets using this protocol as there is no built-in flow control mechanism.

TCP is the language that computers use to order their data when it needs to be in defined, ordered streams, when you have to make sure you get it all completely right, all the time, such as with web browsing or email. It is slightly harder to use TCP for DDoS attacks as you have to get around the connection management that would otherwise slow the flow of attacking packets.

UDP is another way for computers to transfer data, but one that is used for data that does not need to be in a reliable stream; it does not matter if some of it gets lost en route or delivered out of sequence, as it's better to keep the stream moving along fast and cope with a few lost packets. Again, as with ICMP packets, it is relatively easy to use UDP for blasts of DDoS packets as there is no built-in mechanism to control the rate at which packets are sent. UDP is often used for streaming video, VoIP phones and Domain Name System (DNS) queries.

ICMP ping flood

One of the simplest and oldest methods, this one was used to great effect during the Estonia and Georgia attacks of recent years. Otherwise law-abiding citizens simply typed "ping" and an IP address from their home computers. The combined impact of hundreds of thousands of such simultaneous commands can be enough to disrupt communications with a website. As with many of these types of attack, there are tools to automate this over a large number of infected machines in a botnet.

UDP flood

This involves sending a stream of UDP packets to various ports [3] on the victim machine. Upon receipt of one of these packets, the victim machine will have to check to see if any of its programs are set up to accept incoming data on that port. It will probably find that there are not indeed any programs listening for data coming in on that port, and it will then normally send a reply to the originator of that packet, to the effect that "there's a problem, there's nothing here for you on that port". This reply is called an ICMP Destination Unreachable packet. If you send enough of these UDP packets, eventually the victim machine will be so busy responding with these ICMP Destination Unreachable packets that any legitimate requests will be unable to get through. In fact, with UDP it's quite easy to fake (or "spoof") where you are coming from, making it easy to hide the true origin of the UDP packets, preventing any attacker's machines from getting swamped with the ICMP Destination Unreachable packets and making attribution even harder.

[3] Ports are like tiny doors into a computer system. If you find one that is open, you can probably get into the system. This is why we have firewalls: to act as guard dogs at these doors into your computer.

Smurf attack

An old attack, now rare as network administrators have been able to immunize their networks against these faked ICMP broadcast pings. Basically, you send a packet called an Echo Request to routing devices on a network, but you fake the source address of that data with the IP address of your intended victim. This echo request gets sent to all the devices on the network that can be reached on the broadcast address, causing every device that received it to send back the requested echo reply to the victim machine.

SYN flood

When you connect to a website, the two computers go through a short conversation to agree on the way they plan to communicate. The start of this negotiation involves the sending of a specific packet of data called a SYN (short for "synchronization"), causing the receiving computer to send a reply and then wait to continue the conversation. A SYN flood attack involves sending a large number of these packets to a server, causing a lot of corresponding replies called ACKs and consequent pauses. This quickly eats up all the available resources on the server, making it impossible for any legitimate traffic to get through.
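To make the "eats up all the available resources" point concrete, here is an added model (written for this page; it is not the paper's own material) of the server side of the handshake. A listener keeps a table of half-open connections; spoofed SYNs that are never followed by an ACK fill it until a legitimate client is refused. The second half of the model shows a defence the paper does not itself name, SYN cookies, where the server encodes its state in the sequence number instead of storing it. The backlog size, timeout, secret, hosts and ports are all constructed values.

```python
"""Why a SYN flood works, and one defence: a model of a listening socket's
half-open (backlog) table, first without and then with SYN cookies.
Added illustration for this paper's SYN flood section, not the paper's own
material; SYN cookies are a defence the paper does not itself name.
Hosts, ports, the backlog size and the secret are all constructed."""
import hashlib
import hmac

BACKLOG = 128        # constructed: half-open connections the listener will hold
SYN_TIMEOUT = 60.0   # constructed: seconds before an unanswered SYN is forgotten


class Listener:
    """Server side of the three-way handshake (SYN -> SYN-ACK -> ACK)."""

    def __init__(self, secret: bytes, use_cookies: bool):
        self.secret = secret
        self.use_cookies = use_cookies
        self.half_open = {}      # (src_ip, src_port) -> expiry time (stateful mode)
        self.dropped_syns = 0
        self.established = 0

    def _cookie(self, src_ip: str, src_port: int, now: float) -> int:
        # Stateless mode: the SYN-ACK's sequence number is an HMAC over the
        # peer's address and a one-minute counter, so nothing is stored for
        # a SYN whose sender never replies (exactly what a flood sends).
        msg = f"{src_ip}:{src_port}:{int(now) // 60}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip: str, src_port: int, now: float):
        """Handle a SYN. Returns the SYN-ACK sequence number, or None if dropped."""
        if self.use_cookies:
            return self._cookie(src_ip, src_port, now)
        # Stateful mode: a backlog slot is held until the ACK arrives or the timer expires.
        self.half_open = {k: exp for k, exp in self.half_open.items() if exp > now}
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1        # table full: even a real client is refused
            return None
        self.half_open[(src_ip, src_port)] = now + SYN_TIMEOUT
        return 1000  # constructed initial sequence number

    def on_ack(self, src_ip: str, src_port: int, ack: int, now: float) -> bool:
        """Handle the final ACK (ack = our sequence number + 1). True if established."""
        if self.use_cookies:
            # accept the current and the previous minute's cookie
            ok = any(ack - 1 == self._cookie(src_ip, src_port, t) for t in (now, now - 60))
        else:
            ok = self.half_open.pop((src_ip, src_port), None) is not None
        if ok:
            self.established += 1
        return ok


def simulate(use_cookies: bool, flood_syns: int = 500) -> dict:
    """Send SYNs that are never followed by an ACK, then let one legitimate
    client attempt a full handshake. Returns the outcome counters."""
    srv = Listener(b"constructed-demo-secret", use_cookies)
    now = 0.0
    for i in range(flood_syns):
        # spoofed sources: the SYN-ACKs go to hosts that never answer
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 40000 + i, now)
    seq = srv.on_syn("192.0.2.10", 51515, now + 1.0)
    if seq is not None:
        srv.on_ack("192.0.2.10", 51515, seq + 1, now + 1.1)
    return {"established": srv.established, "dropped_syns": srv.dropped_syns}


if __name__ == "__main__":
    print("stateful backlog:", simulate(use_cookies=False))
    print("SYN cookies:     ", simulate(use_cookies=True))
```

With a 128-entry backlog and 500 unanswered SYNs, the stateful listener drops the remaining 372 flood SYNs and then the legitimate client's as well, while the cookie-based listener never stores anything for the flood and completes the real handshake. The timeout is what makes the flood cheap for the sender: each spoofed SYN ties up a slot for a full minute.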

GET request

When you visit a website, your computer makes a request for the page you want to see using a GET request. In exactly the same way, miscreants can instruct machines that are part of a botnet to all request, for example, a large image. Doing this constantly, using a large number of machines, causes legitimate requests for content from that site to not reach the server as the available connections are all already saturated.

Frag flood

During normal operations on the Internet, sometimes packets of data have to be split up, or "fragmented", due to their size and restrictions on the networks they are passing through. Various parts of the Internet infrastructure (routers, firewalls, and servers) may sometimes be configured to attempt to reassemble these fragments to analyze or work with the full original packet. A frag flood works in two ways. First, like most other DDoS attacks, it hopes to overwhelm routers, firewalls, servers, and network links with the sheer volume of data. Second, it sends specially crafted fragments that cannot possibly be reassembled, because the "first fragment", the part of the packet with information about the other fragments, is never actually created and sent. In some cases this can overwhelm reassembly mechanisms and cause devices to lock up and crash, in addition to simply filling up their network links with garbage packets to be discarded.

DNS Amplification attack

This is a very different type of attack that does not use botnets at all. DNS servers are critical to how the Internet works, telling our computers what IP address the sites we need to visit can be found at. These DNS servers are often misconfigured to allow any computer to make these queries and fake where the reply should be sent back to. If you ask the question of the misconfigured DNS server in a certain way it's possible to get a huge reply sent back to an IP address you want to attack. Arrange for hundreds of thousands of such queries to be sent simultaneously to a large number of these misconfigured DNS servers and, if they all send their huge replies to the faked victim IP address, you can achieve enormous attack sizes. This, as with most DDoS attacks, can simply fill the network's pipes with garbage, preventing any legitimate traffic from getting through.

We have seen some of the largest attacks on record using this relatively simple method, capable of saturating the bandwidth of entire countries. Luckily they remain rare. Team Cymru has a free service where we will tell networks if they have any such misconfigured DNS servers in their network.

Figure 4: This image shows the locations of DNS servers that participated in a recent massive DNS Amplification attack. The strength of the dot relates to the frequency with which that IP sent data.

Mitigation

There are a few tried and tested methods to lessen the pain of an attack, although they can be expensive and they are always a reactive tool. Networks find it difficult to really avoid the impact of an attack without major investment in redundant topologies and excessive bandwidth. Although there are many other technical responses to DDoS attacks, here is an overview of some of the main options:

Filtering

If you can examine the traffic attacking you, you might be able to spot similarities between the DDoS packets: they might all be coming predominantly into one port or with a specific feature such as packet size. If this is the case, you can set your routers to drop packets that match these criteria. Unfortunately this might only be a temporary solution as the miscreants only have to adjust their attacks to use a different port, packet size or any other factor you are filtering on. Judicious use of firewalls can prevent unwanted traffic such as UDP floods from ever reaching an intended victim machine. You can make Smurf attacks harder by setting your routers not to forward anything to broadcast addresses, now the standard setting for routers. It is also helpful to prevent machines from responding to pings and broadcast packets.

Increase bandwidth

If your site normally resides at a hosting provider that gives you an average amount of bandwidth, that bandwidth will easily be consumed by a sustained, medium-sized DDoS attack. You could purchase additional bandwidth from your current or a larger hosting provider to absorb the effects of the attack. This, again, might only be a temporary solution if the attackers simply add more bots to the attack to consume any increased bandwidth. Some companies provide a form of insurance in that they will host major sites on huge links that can absorb large attacks. They also employ some clever techniques to prevent these large (often e-commerce) sites from going down, but they cost a lot of money.

IP address changes

An attack that targets the IP address your computer is at could be avoided by simply moving to a new IP address. Unfortunately, many attacks target domains rather than IP addresses (for example www.google.com as opposed to the IP address that the Domain Name Servers tell computers that Google is currently at). Even when the DDoS attack is only targeting an IP address, it's trivial to react to a move and target the new IP address. Some attacks have been going on literally for years like this.

Attribution

The most difficult and effective method of stopping a DDoS attack is to work out who is behind it and for them to be arrested. The issues raised by this course of action warrant their own document alone, save to say it is unfortunately very rare for the miscreants responsible for these attacks to get the punishments that serve as a deterrent against future crimes.
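The following added example (written for this page, not the paper's own code) ties the DDoS types section to the Filtering advice above. It runs simple per-window heuristics over a constructed packet capture at a victim's edge, one for each flood the paper describes (ping, UDP, DNS amplification, GET, frag), and for each flood it finds the single feature the flagged packets share most, which is the "one port or a specific packet size" a router filter could key on. The record layout, the victim address `203.0.113.10`, the threshold of 50 packets per window and the sample traffic are all constructed.

```python
"""Per-window heuristics for the flood types in the DDoS types section, plus
the Filtering idea from Mitigation: find the port or packet size the flagged
packets share so a router ACL can key on it. Added example, not from the
original paper; record layout, victim address, thresholds and traffic are
all constructed."""
from collections import Counter

VICTIM = "203.0.113.10"   # constructed victim address
THRESHOLD = 50            # constructed: packets per window that count as a flood


def sample_traffic():
    """Constructed one-second capture at the victim's edge, one dict per packet."""
    pk = []
    for i in range(80):   # ping flood: echo requests from many hosts
        pk.append(dict(proto="icmp", src=f"198.51.100.{i + 1}", dst=VICTIM, icmp_type=8, size=64))
    for i in range(60):   # UDP flood: same size, a different closed port each time
        pk.append(dict(proto="udp", src=f"192.0.2.{i % 50 + 1}", dst=VICTIM,
                       sport=40000 + i, dport=30000 + i, size=512))
    for i in range(70):   # DNS amplification: large answers the victim never asked for
        pk.append(dict(proto="udp", src=f"198.18.0.{i + 1}", dst=VICTIM, sport=53, dport=33000, size=3000))
    pk.append(dict(proto="udp", src=VICTIM, dst="198.18.1.1", sport=44444, dport=53, size=60))   # real query
    pk.append(dict(proto="udp", src="198.18.1.1", dst=VICTIM, sport=53, dport=44444, size=120))  # its answer
    for i in range(55):   # GET flood: many bots fetching one large image
        pk.append(dict(proto="tcp", src=f"100.64.0.{i + 1}", dst=VICTIM, sport=50000 + i,
                       dport=80, size=300, uri="/big.jpg"))
    for i in range(5):    # ordinary page loads
        pk.append(dict(proto="tcp", src=f"100.64.1.{i + 1}", dst=VICTIM, sport=50000 + i,
                       dport=80, size=300, uri="/index.html"))
    for i in range(60):   # frag flood: later fragments whose first fragment never arrives
        pk.append(dict(proto="udp", src="192.0.2.200", dst=VICTIM, frag_id=i, frag_offset=8, size=1400))
    return pk


def detect(packets, victim=VICTIM):
    """Return {flood_name: [packets]} for every heuristic that fires."""
    inbound = [p for p in packets if p["dst"] == victim]
    found = {}

    echo = [p for p in inbound if p["proto"] == "icmp" and p.get("icmp_type") == 8]
    if len(echo) > THRESHOLD:
        found["icmp_ping_flood"] = echo

    # Unsolicited DNS answers: from port 53, but no matching query ever left the victim.
    asked = {(p["dst"], p["sport"]) for p in packets if p["src"] == victim and p.get("dport") == 53}
    udp = [p for p in inbound if p["proto"] == "udp" and "frag_offset" not in p]
    unsolicited = [p for p in udp if p.get("sport") == 53 and (p["src"], p["dport"]) not in asked]
    if len(unsolicited) > THRESHOLD:
        found["dns_amplification"] = unsolicited

    # UDP flood: lots of datagrams sprayed across many different ports.
    other_udp = [p for p in udp if p.get("sport") != 53]
    if len(other_udp) > THRESHOLD and len({p["dport"] for p in other_udp}) > 20:
        found["udp_flood"] = other_udp

    # GET flood: one resource requested far more often than anything else.
    gets = [p for p in inbound if p["proto"] == "tcp" and "uri" in p]
    uri_counts = Counter(p["uri"] for p in gets)
    if gets and uri_counts.most_common(1)[0][1] > THRESHOLD:
        hot = uri_counts.most_common(1)[0][0]
        found["http_get_flood"] = [p for p in gets if p["uri"] == hot]

    # Frag flood: non-first fragments whose first fragment (offset 0) was never seen.
    first_seen = {p["frag_id"] for p in inbound if p.get("frag_offset") == 0}
    orphans = [p for p in inbound if p.get("frag_offset", 0) > 0 and p["frag_id"] not in first_seen]
    if len(orphans) > THRESHOLD:
        found["frag_flood"] = orphans
    return found


def suggest_filter(packets):
    """The single feature the flagged packets share most, as a router filter key.
    Coverage below 1.0 means a filter on that key would miss part of the flood."""
    best = None
    for feature in ("uri", "sport", "dport", "size"):
        values = [p[feature] for p in packets if p.get(feature) is not None]
        if not values:
            continue
        value, n = Counter(values).most_common(1)[0]
        coverage = n / len(packets)
        if best is None or coverage > best["coverage"]:
            best = {"feature": feature, "value": value, "coverage": coverage}
    return best


def report(packets):
    """{flood_name: {"packets": count, "filter": suggestion}} for one window."""
    return {name: {"packets": len(hits), "filter": suggest_filter(hits)}
            for name, hits in detect(packets).items()}


if __name__ == "__main__":
    for name, info in report(sample_traffic()).items():
        print(f"{name:18} {info['packets']:4} packets  filter on {info['filter']}")
```

On the constructed capture the UDP flood shares no port (every datagram hits a different one) but does share its 512-byte size, the amplification answers all arrive from source port 53, and the GET flood is only distinguishable by the URI being fetched, which is exactly the paper's caveat: a filter keyed on port 80 would also drop the five ordinary page loads, and the attacker only has to change the one shared feature to slip past the rule again.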

Figure 5: This image shows the origin (C&C server location) and destination of the victim of DDoS attacks for a recent 24 hour period.

Conclusion

DDoS attacks have been around almost since the birth of the Internet. They seem to be slightly less frequent now, probably as they are difficult to monetize, and generally just form part of the background noise in the Underground Economy. They remain a potent threat however, and we continue to see occasional attacks that have evolved in both technical sophistication and power. They are hard to understand and react to; hopefully this paper will arm you with the knowledge to at least become familiar with the basics.

Who is Team Cymru?

Team Cymru Research NFP is a specialized Internet security research firm and 501(c)3 non-profit dedicated to making the Internet more secure. By researching the 'who' and 'why' of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems in their networks. There are many ways to keep up with what Team Cymru are doing; see the lower part of http://www.team-cymru.org/about/contact.html plus:

* join our announce list via cymru-announce-subscribe@cymru.com
* see what we see, www.team-cymru.org/monitoring/graphs
* probably the best news feed in the world, www.team-cymru.org/news
* cool stuff you can use, www.team-cymru.org/services/
* see our Twitter feed at http://twitter.com/teamcymru
* The weekly Who and Why Show: www.youtube.com/teamcymru