DDOS Distributed Denial of Service Attack
Contents
1 Introduction (Slides 1-2) 2
1 Introduction (Slides 1-2)
Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are hard to defeat and are commonly used against networked systems. Recall the introductory lecture, the Mafia Boy case, and the story of extortion from the New Yorker. Beyond those, many incidents, notably DDoS attacks, have been observed in recent years. The targets of such attacks can be international companies [1], national authorities [2, 3], or even countries [4, 5].
Security agnostic design: Early Internet protocols were designed with functionality and efficiency in mind, not security. The same is true for other networking technologies in their first stages of development; for example, Mobile Ad Hoc Networks (MANETs), and notably their routing protocols, were initially proposed circa 2000 assuming a benign, collaborative environment.
Various types of DoS attacks can take place at all layers of communication networks. For example, jamming attacks are a type of DoS attack launched at the Physical Layer, the lowest layer of the ISO/OSI reference model (slide 4).
In all cases, a successfully mounted DoS attack degrades performance or
even denies service, i.e., prevents access to resources or brings down the system.
access. One such frame is the de-authentication frame, used by wireless devices to terminate their connection to the Access Point (AP). As such frames are not authenticated, an attacker can send de-authentication frames on behalf of another mobile device. This results in the targeted device being disconnected from the wireless network (the AP). Such an attack can render the wireless network unavailable for a specific mobile host [7].
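A de-authentication frame is a 24-byte 802.11 management header (frame control, duration, three addresses, sequence control) followed by a two-byte reason code, and nothing in it is authenticated, which is why a forged copy is accepted by the client. The following is an added example, not code from the lecture notes or from the cited paper: it builds a few raw management frames as constructed test input (the BSSID, client MAC, timestamps and reason codes are made up), parses them, and flags a de-authentication flood with the rate check a wireless IDS applies, counting de-auth frames per (BSSID, target) inside a one-second window.

```python
import struct
from collections import defaultdict

# 802.11 frame-control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 0x0C   # management subtype 12 = de-authentication
BEACON_SUBTYPE = 0x08

AP = "00:11:22:33:44:55"        # constructed BSSID of the access point
VICTIM = "66:77:88:99:aa:bb"    # constructed client MAC targeted by the attacker
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, dst, src, bssid, seq, body=b""):
    """Build a raw 802.11 management frame (constructed input, no FCS)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])   # frame control, no flags
    duration = struct.pack("<H", 0x013A)
    seq_ctrl = struct.pack("<H", seq << 4)                   # fragment number 0
    return fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctrl + body


def build_deauth(dst, src, bssid, seq, reason=7):
    # reason 7 = "class 3 frame received from nonassociated station", a common
    # choice in forged de-auth floods; nothing here proves who sent the frame
    return build_mgmt(DEAUTH_SUBTYPE, dst, src, bssid, seq, struct.pack("<H", reason))


def parse_mgmt(frame):
    """Return the header fields of a management frame, or None for other frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = fc0 >> 4
    f = {
        "subtype": subtype,
        "dst": mac_str(frame[4:10]),      # addr1: receiver
        "src": mac_str(frame[10:16]),     # addr2: transmitter (trivially forgeable)
        "bssid": mac_str(frame[16:22]),   # addr3
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
        "reason": None,
    }
    if subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        f["reason"] = struct.unpack("<H", frame[24:26])[0]
    return f


def detect_deauth_flood(captured, window=1.0, threshold=5):
    """captured: list of (timestamp_seconds, raw_frame).
    Returns {(bssid, dst): peak de-auth count within any `window`} for pairs
    whose peak reached `threshold`. A client leaving normally produces one or
    two de-auths per session; dozens per second aimed at one client is a flood."""
    recent = defaultdict(list)
    peak = defaultdict(int)
    for ts, raw in sorted(captured, key=lambda p: p[0]):
        f = parse_mgmt(raw)
        if f is None or f["subtype"] != DEAUTH_SUBTYPE:
            continue
        key = (f["bssid"], f["dst"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # slide the window forward
            q.pop(0)
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}


def sample_capture():
    """Constructed capture: beacons, one legitimate de-auth, then a forged flood
    in which the attacker writes the AP's BSSID into the source address."""
    frames = [(t * 0.1, build_mgmt(BEACON_SUBTYPE, BROADCAST, AP, AP, t)) for t in range(50)]
    frames.append((0.5, build_deauth(VICTIM, AP, AP, seq=100, reason=3)))   # client really left
    frames += [(10.0 + i * 0.02, build_deauth(VICTIM, AP, AP, seq=4000 + i)) for i in range(20)]
    return frames


if __name__ == "__main__":
    for (bssid, dst), n in detect_deauth_flood(sample_capture()).items():
        print(f"de-auth flood: bssid={bssid} target={dst} peak={n} frames/s")
```

The parser ignores fragmentation and the trailing FCS, and the rate check only detects the flood after the victim has already been kicked off; the actual fix is to authenticate management frames, which is what 802.11w (Protected Management Frames) adds.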
7 http://sysnet.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-html/aio.html
8 http://www.theregister.co.uk/2011/08/24/devastating_apache_vuln/
9 http://seclists.org/fulldisclosure/2011/Aug/301
10 http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
11 http://tools.ietf.org/html/rfc793
ACK Message Client to server message: acknowledgement of the SYN-ACK message. At this point, the connection between the client and the server is considered established.
As the server has to keep state for each half-open TCP connection, every SYN it accepts consumes resources. The attacker therefore tries to initiate as many half-open TCP connections as possible, in an effort to exhaust the resources of the targeted server. Additionally, since the attacker does not intend to establish an actual TCP session, the source IP address in the IP header can be, and usually is, spoofed (it is not the attacker's actual IP address); the SYN-ACK goes to a host that never answers, so the entry stays half-open until the server times it out.
A reading reference you may find useful: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html.
12 http://datatag.web.cern.ch/datatag/WP3/sctp/primer.htm
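To make the resource argument above concrete, the following is an added example, not code from the lecture notes: a simulated server that keeps a bounded table of half-open connections is flooded with SYNs from spoofed, silent sources, after which a legitimate client is refused. Beside it sits a stateless variant using SYN cookies (the server encodes the handshake into its initial sequence number and keeps no state until the final ACK proves the client received the SYN-ACK); the notes do not describe that defence, it is added here as the standard answer to exactly this attack. The backlog size, secret, addresses and timestamps are constructed, and the cookie omits the MSS encoding a real implementation carries.

```python
import hashlib
import hmac
import random


class StatefulServer:
    """Classic listener: one table entry per half-open (SYN received, ACK pending)
    connection, bounded by the listen backlog."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> server ISN sent in the SYN-ACK
        self.established = set()
        self.refused = 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.refused += 1      # queue full: SYN dropped, no SYN-ACK for anyone
            return None
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class CookieServer:
    """SYN-cookie listener: no per-connection state before the final ACK. The
    ISN in the SYN-ACK is a MAC over (client address, port, coarse time); only a
    client that actually received the SYN-ACK can return ISN+1."""

    EPOCH_SHIFT = 6            # 64-second validity epochs

    def __init__(self, secret):
        self.secret = secret   # constructed; a real server rotates this per boot
        self.established = set()

    def _cookie(self, src_ip, src_port, epoch):
        msg = f"{src_ip}:{src_port}:{epoch}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top 5 bits carry the epoch counter, low 27 bits the truncated MAC
        return ((epoch & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip, src_port, now):
        return self._cookie(src_ip, src_port, int(now) >> self.EPOCH_SHIFT)

    def on_ack(self, src_ip, src_port, ack_num, now):
        isn = (ack_num - 1) & 0xFFFFFFFF
        epoch = int(now) >> self.EPOCH_SHIFT
        for e in (epoch, epoch - 1):                 # accept current and previous epoch
            expected = self._cookie(src_ip, src_port, e).to_bytes(4, "big")
            if hmac.compare_digest(expected, isn.to_bytes(4, "big")):
                self.established.add((src_ip, src_port))
                return True
        return False


def simulate(n_spoofed=100, backlog=4, now=1_700_000_000):
    """Flood both servers with SYNs from spoofed sources that never answer,
    then let one legitimate client (192.0.2.10) try to connect."""
    spoofed = [(f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.{random.randrange(256)}", 40000 + i)
               for i in range(n_spoofed)]

    stateful = StatefulServer(backlog)
    for ip, port in spoofed:
        stateful.on_syn(ip, port)              # SYN-ACKs go to hosts that never reply
    isn = stateful.on_syn("192.0.2.10", 51515)
    legit_stateful = isn is not None and stateful.on_ack("192.0.2.10", 51515, (isn + 1) & 0xFFFFFFFF)

    cookie = CookieServer(b"constructed-per-boot-secret")
    for ip, port in spoofed:
        cookie.on_syn(ip, port, now)           # computes a cookie, stores nothing
    isn = cookie.on_syn("192.0.2.10", 51515, now)
    legit_cookie = cookie.on_ack("192.0.2.10", 51515, (isn + 1) & 0xFFFFFFFF, now + 5)

    return {
        "stateful_half_open": len(stateful.half_open),
        "stateful_refused": stateful.refused,
        "legit_client_stateful": legit_stateful,
        "legit_client_cookie": legit_cookie,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The cookie server trades state for CPU (one MAC per SYN and up to two per ACK) and loses TCP options it cannot encode, which is why production stacks only switch to cookies once the SYN queue is under pressure; the stateful table also needs a timeout, which this sketch leaves out because the flood refills it faster than any timeout drains it.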
Question to ponder, as we continue with the upcoming lectures: Where
would you implement DDoS defenses, on the server itself, on another machine
(which one?), or both?
5.1 DDoS Attacks (Slides 19-23)
A brief description of DDoS incidents.
Handlers: The BotNet is controlled through Handlers. The Bot-Master communicates with the Handlers, which in turn command and control the BotNet.
Zombie machines: The machines that have been infected with some sort of malicious code and have been recruited into the BotNet.
Random Scanning: The attacker randomly selects an IP address from the address space. If this IP is in use, the corresponding machine is examined for vulnerabilities. In case vulnerabilities are discovered, the attacker tries to exploit them and gain control of the machine. If successful, a piece of malicious code is installed on the targeted machine. This piece of code allows the attacker to take control of the machine on demand.
It is noteworthy that random scanning need not be performed by the attacker. Any zombie computer already part of the DDoS network can perform it. This is feasible thanks to the automated techniques for vulnerability scanning that are broadly available. In this case, a list of the addresses of vulnerable machines is sent to the attacker, so that the manual process of exploitation can take place later.
Again, the scanning traffic can be either in the form of Direct Scanning (in this case the Handlers scan for vulnerable machines) or Indirect Scanning (IRC communication channels are used).
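Random scanning has a recognisable signature on the wire, whether the Handlers do it directly or a zombie does it on their behalf: one source contacts many distinct hosts spread across the address space, usually on a single service port, and most probes go unanswered because most randomly chosen addresses are unused. The following is an added example, not code from the lecture notes: it summarises constructed flow records per source and flags the scanner by those two properties. The addresses, ports, seed and thresholds are made up.

```python
import ipaddress
import random
from collections import defaultdict

SCANNER = "198.51.100.7"   # constructed: compromised host running random scanning
CLIENT = "192.0.2.10"      # constructed: ordinary workstation


def summarize_sources(flows):
    """Per-source statistics over a capture interval. Each flow is a dict with
    src, dst, dport and replied (True if the destination answered at all)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    stats = {}
    for src, fl in by_src.items():
        dsts = {f["dst"] for f in fl}
        nets = {str(ipaddress.ip_network(f["dst"] + "/24", strict=False)) for f in fl}
        stats[src] = {
            "flows": len(fl),
            "targets": len(dsts),                     # distinct destination hosts
            "subnets": len(nets),                     # distinct /24s: random scans spread widely
            "ports": len({f["dport"] for f in fl}),   # exploit scans hammer one service port
            "reply_rate": sum(f["replied"] for f in fl) / len(fl),
        }
    return stats


def detect_random_scanners(flows, min_targets=20, max_reply_rate=0.2):
    """Flag sources that touched many distinct hosts and were mostly ignored:
    unused addresses never answer, so a random scanner's probes go nowhere."""
    return {src: s for src, s in summarize_sources(flows).items()
            if s["targets"] >= min_targets and s["reply_rate"] <= max_reply_rate}


def sample_flows(seed=1):
    """Constructed flow records: a scanner probing 60 random 10.0.0.0/8 addresses
    on TCP/445 (two of them alive), plus a client talking to three servers."""
    rng = random.Random(seed)
    flows = []
    for i in range(60):
        dst = str(ipaddress.ip_address(0x0A000000 | rng.getrandbits(24)))
        flows.append({"src": SCANNER, "dst": dst, "dport": 445, "replied": i < 2})
    servers = [("10.1.1.10", 443), ("10.1.1.11", 22), ("10.2.0.5", 445)]
    for i in range(8):
        dst, port = servers[i % 3]
        flows.append({"src": CLIENT, "dst": dst, "dport": port, "replied": True})
    return flows


if __name__ == "__main__":
    for src, s in detect_random_scanners(sample_flows()).items():
        print(f"scanner {src}: {s['targets']} hosts in {s['subnets']} subnets, "
              f"{s['ports']} port(s), reply rate {s['reply_rate']:.2f}")
```

The thresholds need tuning per network (a monitoring host or a crawler also touches many addresses, but gets answers), and on a darknet or honeypot range the reply-rate test is unnecessary since nothing there should ever be contacted.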
the resources of the targeted server. Of course, it is clear that the distributed version of TCP flooding is much more effective.
16 http://delivery.acm.org/10.1145/1150000/1146894/a47-naoumov.pdf?ip=130.229.175.66&acc=ACTIVE%20SERVICE&CFID=68695286&CFTOKEN=84237470&__acm__=1330688466_1ff4fee4e0984a9b6d8f6be0892f9099
17 http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon