The Problematic Nature of DDoS Attacks
It’s IT security week here on Mr Computer Science (I just made that up) and I wanted to talk to you about the frequency of DDoS attacks and how it’s a significant problem for Internet freedom now and in the future.
Is a DDoS attack a DOS Attack?
A DOS attack is a denial of service attack.
A DDoS attack is a distributed, denial of service attack.
Meaning, the attack originates from more than one destination.
What Does a DDoS Attack Do?
A DDoS attack is a Distributed Denial of Service attack.
It’s basically a method of attack whereupon a collection of infected machines (the infected machines are frequently referred to as “Zombies”) continually access a server in order to overload said server.
The server overload results in the inability to process service to customers (or website visitors, whatever).
Thus, a denial of service; the intention of said attack is overload the server and create a “denial of service”.
Different Types of DDoS Attacks
There are different types of DDoS attacks. (They all stem from multiple devices and aim to overload a server, however there are varying methods of attack).
- Bonk – A bonk DDoS attack is when an attack on port 53 (DNS); the attack contains fragmented UDP packets, with fake (broken) reassembly information. This results in the futile reconstruction of packets, which, as you can imagine, takes lots of processing time.
- Boink – A boink attack is similar to a bonk attack, however a boink attack communicates via multiple ports.
- Fraggle (kinda like FraggleRock) – A Fraggle DDoS attack is based upon a large quantity of UDP packet traffic. (UDP means User Datagram Protocol which is a message oriented transport layer protocol requisite for Internet communication).
- Land – A Land DDoS attack uses TCP/IP stacks with spoofed SYNs. (A SYN is a TCP/IP handshake communication method; a SYN is a request and ACK is an acknowledgement that replies to a SYN). The Land DDoS attack uses forged headers so the SYN request appears to have the same source and destination.
- Ping Flood – In my opinion one of the most traditional DDoS attacks; a Ping Flood basically overloads a server via basic ping requests. (Think of a tap on the shoulder, only millions of them).
- SYN Flood – A SYN flood is similar to a Ping flood, but instead of pinging a server, a SYN flood sends multiple SYN requests. The attack doesn’t wait for a corresponding ACK acknowledgement.
- Smurf – (You want Fraggles? How about Smurfs?) – A DDoS Smurf attack is an attack based upon the ICMP (Internet control message protocol) echo reply. (An echo reply is a message generated prompted by an echo request, and is built into hosts and routers).
- Teardrop – (Boohoo. That’s what the site owners say when their site doesn’t load. Note to hackers: don’t DDoS me bro). A DDoS Teardrop attack is based upon overlapping and fragmented UDP packets that are impossible to reassemble correctly.
In order to understand more about DDoS attacks, their prevalence, threat to the Internet, and inherit risks, you’ll have to learn about Botnets and their prevalence, first.
What’s a Botnet?
A Botnet is a “robot network” comprised of infected devices (zombies) that are networked together and controlled by the Botnet owner.
Botnet’s by their nature aren’t necessarily malicious (well, kinda). Botnets originated on IRC (Internet relay chat) to help host certain channels or functions. An example of a legal Botnet is the eggdrop system for IRC.
The eggdrop bot allows for coordination through network connectivity. Unfortunately, Botnets are now commonly misused illegally and egregiously.
Illegal (and damn Egregious) Botnets
I’ll say it right now. Botnets are the biggest threat to your identity, security, and the future and freedom of the Internet.
Botnets are comprised of “zombies” (infected machines) and are used to send spam, viruses, and self replicating the Botnet to your email lists, contacts, and FaceBook friends.
Botnets can steal your personal and private information such as credit card numbers, bank credentials, social security numbers, and other sensitive information.
Botnets can also collect their zombies and make them commit unlawful actions simultaneously; like a DDoS attack.
What’s a zombie?
A zombie is any machine (or device; anything; laptop, cellphone, printer, Nintendo Wii; droid, any device connected on the Internet that’s connected) that has been infected with malware that connects all the “robots” into a “network” (get it? Botnet).
To prevent becoming a zombie yourself, check this guide here.
Types of Botnets
- Asprox Botnet – AKA Badsrc and Aseljo, noted for phishing scams, relies on SQL injections to self replicate
- Gumblar Botnet – AKA Troj/JSRedir-R, redirects Google searches; installs rogue security software (scareware)
- Koobface Botnet – Social Media Botnet; (works on all Operating Systems, u mad Linux fanboys?)
- Mariposa Botnet – Made popular for its cyberscamming and DDoS attacks
- Storm Botnet – AKA “Storm Worm” – Trojan horse that spreads via compromised email (once infected over 50,000,000 computer systems)
- Waledac Botnet – Used to send spam
- Zeus Botnet – A polymorphic Backdoor Banking Trojan Botnet (one bad MF – major force)
ZeuS – Polymorphic Backdoor Botnet Infestation? Oh my
Zeus is a common (and VERY difficult to detect) polymorphic backdoor banking Trojan that adds users to a Botnet.
I mention it here because of its polymorphic abilities; it’s a very unfortunate piece of malware.
I make special emphasis of the Zeus Botnet because of its polymorphism capabilities which basically means the infection can encrypt itself and hide very well; so each signature is potentially unique. (This equates to an infection that’s difficult to detect).
Anyway – Back on Point; the Problematic Nature DDoS Attacks
DDoS attacks happen all the time, go under reported, are misunderstood, and are more frequent than anyone knows because they’re inadequately reported and documented.
The unfortunate truth, is that the predominance of these attacks is alarming and they’re becoming easier and more commonplace.
They’re very devastating, and are at times impossible to prevent.
Is it possible to stop a DDoS attack?
DDoS prevention is a function of pattern recognition.
Theoretically, DDoS prevention is possible, if your server (or “filtering server”) has more processing power than the hoard of zombies swarming the server.
Sounds like a problem if the Botnet is huge, right?
Small, nondistributed (or minimally distributed) denial of service attacks are theoretically easier to prevent and combat than a massively distributed attack.
That’s because, the larger the DDoS attack, and the more distributed the attack, the more load it puts onto the targeted server.
What sounds like a bigger problem, 200 server requests, or 2,000,000 server requests?
Even if a server has a method in which to filter attacks, it still has to process each and every request. It, minimally, has to acknowledge each ping request prior to sorting it or disregarding it, right?
The Unfathomable Cost of DDoS Attack Prevention
The cost of DDoS attack prevention is immense.
The most credible services that offer DDoS attack prevention have a room full of servers that are meant to filter each request of the parent server to see if it’s a legitimate request or not.
In other words, the most modern and up to date defense mechanism against DDoS attacks is a “proxy server” that acts as a filter and determines whether or not the request is authentic.
The problem with this line of defense, is that it can be unfathomably expensive to accommodate if the DDoS attack is large enough.
So, the smaller companies and organizations cannot afford this type of DDoS prevention.
Executive Summary; why are Botnets totally scary?
Botnets are scary. They’re a problem. They’re easy to carry out, and anyone with a few grand can easily purchase a Botnet filled with plenty of “slaves” and start harvesting their own stolen data and engaging in shady DDoS attacks. (Just do a Google).
It’s a problem that’s too dangerous to leave unchecked, a problem that’s largely misunderstood, and a problem that’s largely ignored.
And a problem that’s very expensive to ignore; prevention is difficult and costly, the cost (of identity theft, credit card fraud, DDoS attacks, IT security development, and constant patching) is well into the billions.
In summary, the nature of DDoS attacks and Botnets has resulted in an IT security infrastructure that is far outgunned by the offensive measures that are easily carried out with malicious intent, and there doesn’t seem to be an end in sight regarding how to minimize the quantity of Botnet infestations and their continually evolving capacity.
In other words..
DDoS attacks and their corresponding cures reminds me of World War 1; the firepower totally out-manned the medics.
In my opinion, very large DDoS attacks are very difficult if not impossible to avoid unscathed.