Written on October 28, 2006
Bots and botnets are in the news – so I thought I’d take a few minutes to talk about DDoS attacks.
A DoS (Denial of Service) attack is characterized by one computer transmitting a large number of meaningless requests to another computer, typically a server. In attempting to respond to every meaningless request, the server is unable to provide its regular services to its client computers. While the server struggles to keep up with the high volume of meaningless requests, things like web services, email services, or database services are effectively denied to legitimate users.
DoS attacks are nothing new and have been around since the dawn of modern Internet computing. Some of the most famous DoS attacks involved operating system vulnerabilities like TearDrop or Nuke attacks, which sent malformed data and choked up Windows 9x, causing it to freeze or restart on a user. More frequently, DoS attacks involve starving a target server of network resources to cripple its capability to service its users. To an administrator, the attack may look like a general network failure, and it may take some time to diagnose the downtime as an actual attack.
There are a few variations on the DoS theme:
Distributed Denial of Service (DDoS) attacks are when multiple computers – often infected by a form of virus called a bot – are instructed to launch a DoS attack on a single target all at once. Slave computers infected with the virus immediately respond and begin passing garbage network instructions to the target server. Tens of thousands of computers may attack all at once, clogging all of the target company’s available bandwidth and effectively shutting down its Internet connection. There’s a reporting structure to a DDoS attack, in which a Master computer (the general of the attack) instructs a few Handler computers (Lieutenants) to launch the attack, and the Handlers instruct the Daemons (Foot Soldiers) to begin. The virus infecting a machine may be operating in Handler or Daemon capacity; there are generally only one or two Masters.
Reflected Denial of Service (RDoS) attacks are DDoS attacks that bounce forged (spoofed) requests off a huge number of computers, which then send their replies to the target victim. Essentially, the malicious attacker spoofs, or impersonates, the target server and sends a request to thousands of computers, which then reply and flood the target server. In this way, the attacker gets numerous uninfected computers to perform a DDoS simply through the way the Internet works.
Echo Request floods are a form of RDoS attack that sends ICMP echo request (ping) packets to a broadcast address, prompting a large number of responding computers to send ICMP echo replies to the target victim computer.
DNS Amplification is another, more recent and more popular form of DDoS that increases the packet size of responses. For example, a packet that would usually be only 20 bytes in length can be “amplified” to become 8,500 bytes in length by manipulating network services, in this case the Domain Name System of the Internet. Using DNS tools, you can ask a DNS server to return “any” content that it has in its database for a particular website. If a hacker can insert a large text record (several kilobytes) into the authoritative DNS server for the domain, all of this content could be sent to the victim computer in response to a spoofed ANY query. Throw in the fact that several thousand DNS servers could be contacted to perform the attack, and the attacker effectively has a botnet (a group of daemons) with which to attack the victim computer. This flood of bogus data overwhelms the target computer. Amplification attacks are hard to overcome: services like DNS are critical to the ongoing operation of your network, and turning them off isn’t practical.
Think it takes a serious programmer or a rocket scientist to pull this off? Think again: there are easily downloaded and free programs that would allow your kids to do it. Here are a few examples:
Think twice, though, if you wanted to download a few of these and play backyard hacker. Whee, it’s fun, but DoS attacks are a federal crime under the National Information Infrastructure Protection Act of 1996. Penalties include but aren’t limited to fines and imprisonment. That would be an anticlimactic ending to your hacker career.
How can you tell if your PC has been conscripted into becoming a zombie-daemon computer? You can’t! At least, not very easily, but do try to install the recent anti-virus package updates on your computer and scan regularly.
Some believe that setting up a firewall remedies the problem of DoS or DDoS attacks. Well, yes and no, and mostly no. Modern firewalls can employ something called ingress and egress filtering, which checks the source of traffic before routing it and prevents multiple daemons from effectively crossing the firewall’s filter into the trusted network. However, the firewall’s presence isn’t the whole story – the sheer volume of traffic being sent across the Internet connection renders the firewall useless. Clogging the line is just as effective as downing a server. Therefore, the presence of a firewall is a moot point: you still don’t have the bandwidth to see the outside world during an attack, and attacks can go on for hours or days.
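To make the ingress/egress filtering idea concrete, here is an added example (not code from the original post) that applies the two rules at a border: inbound packets must not claim an internal or bogon source, and outbound packets must carry an internal source so local hosts cannot take part in spoofed reflection. The trusted range 192.0.2.0/24 and the packet tuples are assumptions constructed for the example.

```python
import ipaddress

# Assumed trusted (internal) network for this example; a real deployment
# would use its own allocated range here.
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")

# Source ranges that should never arrive from the Internet (private and
# reserved space). A partial list is enough to show the idea.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8")]


def filter_packet(direction, src, dst):
    """Return (action, reason) for one packet seen at the border.

    Ingress rule: a packet arriving from the Internet ("in") must not claim
    a source inside the trusted network or in bogon space; it is spoofed.
    Egress rule: a packet leaving ("out") must carry a trusted source,
    otherwise a local host is spoofing and could feed a reflected attack.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if direction == "in":
        if src_ip in TRUSTED_NET:
            return ("drop", "ingress: spoofed internal source")
        if any(src_ip in net for net in BOGON_NETS):
            return ("drop", "ingress: bogon source")
        if dst_ip not in TRUSTED_NET:
            return ("drop", "ingress: not destined to trusted network")
        return ("accept", "ingress ok")
    if direction == "out":
        if src_ip not in TRUSTED_NET:
            return ("drop", "egress: spoofed source leaving network")
        return ("accept", "egress ok")
    raise ValueError("direction must be 'in' or 'out'")


def dropped_packets(packets):
    """Apply the policy to (direction, src, dst) tuples; list what was dropped."""
    dropped = []
    for direction, src, dst in packets:
        action, reason = filter_packet(direction, src, dst)
        if action == "drop":
            dropped.append((direction, src, reason))
    return dropped
```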
Instead, administrators would be encouraged to capture the packets being transmitted for later analysis. Literally, we can dump the traffic to a file so we can see who is transmitting a DoS and follow up with our ISP or law enforcement. If the attacker is very stupid and uses their own IP to attack a target, then there’s a chance they could be discovered and prosecuted. Most times, in particular with DDoS, the daemons are just conscripted computers whose users have no idea their PC is engaged in malicious activities… it just seems, to them, that the Internet is a bit slower today.
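As an added example of what that later analysis looks like (not part of the original post), the script below parses constructed tcpdump-style summary lines, totals bytes per source so the heaviest senders can be reported to the ISP, and flags the two reflection patterns described above: large unsolicited replies from UDP port 53 (DNS amplification) and ICMP echo replies arriving from many hosts. The capture text and all addresses are constructed for this example.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture): three oversized UDP
# replies from port 53, a burst of ICMP echo replies, and one normal TCP packet.
SAMPLE_CAPTURE = """\
12:00:01.001 IP 198.51.100.7.53 > 192.0.2.10.40000: UDP, length 3200
12:00:01.002 IP 198.51.100.8.53 > 192.0.2.10.40000: UDP, length 3180
12:00:01.003 IP 198.51.100.9.53 > 192.0.2.10.40000: UDP, length 3150
12:00:01.004 IP 203.0.113.5 > 192.0.2.10: ICMP echo reply, length 84
12:00:01.005 IP 203.0.113.5 > 192.0.2.10: ICMP echo reply, length 84
12:00:01.006 IP 203.0.113.6 > 192.0.2.10: ICMP echo reply, length 84
12:00:01.007 IP 203.0.113.20.51234 > 192.0.2.10.80: TCP, length 60
"""

# Ports are optional so the same pattern covers UDP/TCP and ICMP lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<proto>UDP|TCP|ICMP)"
    r"[^,]*, length (?P<length>\d+)$")


def parse_capture(text):
    """Turn summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["length"] = int(rec["length"])
            records.append(rec)
    return records


def bytes_by_source(records):
    """Total bytes per source address: the list to hand to the ISP."""
    totals = Counter()
    for rec in records:
        totals[rec["src"]] += rec["length"]
    return totals


def suspected_reflectors(records, min_dns_len=1000):
    """Map source -> kind for traffic that looks like reflection against us.

    Large replies from UDP/53 we never asked for point to DNS amplification;
    echo replies from many different hosts point to a broadcast-ping (RDoS)
    reflection. Either way the listed hosts are reflectors, not the attacker.
    """
    found = {}
    for rec in records:
        if rec["proto"] == "UDP" and rec["sport"] == "53" and rec["length"] >= min_dns_len:
            found[rec["src"]] = "dns-amplification"
        elif rec["proto"] == "ICMP":
            found.setdefault(rec["src"], "icmp-reflection")
    return found
```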
Your company’s ISP can firewall the offending IP addresses before the flood gets to your Internet connection. The ISP may even involve the FBI to investigate the attack. However, ISPs are often resource-challenged and leave much of the preventative measures and corrective action to you.
To overcome DDoS attacks, companies may set up networks within networks (DMZs – Demilitarized Zones), or set up load-balancing gateways that filter traffic through various tests and security programs before it’s allowed to touch the actual server. Either way, it’s more investment and administration – and a strategy – that allows a company to overcome these kinds of attacks.
Those who believe that they’re under attack do have some recourse – if they’re able to access the Internet, they can contact the National Infrastructure Protection Center (http://www.nipc.gov) to file a complaint and work through the investigation process. This isn’t entirely ineffective; however, it doesn’t solve the immediate problem of stopping the attack and restoring business services. The broader fix is improving Internet security, but this isn’t likely to happen any time soon.
R
Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, and a Master’s degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.