What is a DDoS attack? (2015)

I was originally paid to write this piece for atlantic.net.


Introduction

DDoS stands for 'Distributed Denial of Service' and is a type of 'Denial of Service' attack. The basic aim of a DoS attack is to render a server, PC or network resource inaccessible or unusable - denying service to anyone trying to access it. It is a malicious attack designed to cause maximum inconvenience to everyone involved.

Target Audience

This article is aimed at anyone with basic computer competency who has an interest in what DDoS attacks are and why they’ve been in the news.

Are DDoS attacks a new thing?

No, DDoS attacks are not a new phenomenon, but they have been making the headlines more in recent years as the public gets more tech savvy and the targets get higher in profile. Recent examples include the attacks on the PlayStation Network and Xbox Live. A hacking group known as 'Lizard Squad' used a DDoS attack to shut down the online gaming services on Christmas Day 2014, upsetting a lot of gamers and causing significant financial and reputational damage to Microsoft and Sony.

How do they work?

In a Denial of Service attack, the attacker uses their computer to send an overwhelming amount of data to the target, which is flooded with so much traffic that it slows down to the point of being unusable, cannot respond to legitimate traffic, or, in the case of a Permanent Denial of Service (PDoS) attack, has its hardware damaged beyond repair. In a DoS attack, only one computer is used. It is now a fairly simple attack to execute and requires minimal computer skills, as an attacker can simply acquire and run a piece of software to conduct a DoS. The 'distributed' in DDoS refers to the multiple computers used in this type of Denial of Service attack. The attacker either launches a synchronised attack with collaborators or, more commonly, uses a botnet to execute a DDoS. A botnet is a network of computers infected with malware that allows the attacker to remotely control them without the owners' knowledge. Using a botnet, an attacker dramatically increases the effect of their attack.

Amplification Attacks

Attackers can increase the impact of their DDoS-ing by using ‘Amplification Attacks’. Amplification Attacks exploit features of third-party software and hardware in order to bombard the target with a large amount of data. They take advantage of flaws in the User Datagram Protocol (UDP), a key networking protocol. UDP doesn’t use any ‘handshaking dialogues’, which means that it doesn’t validate IP addresses, making it easy to forge them. Attackers use ‘IP spoofing’, which involves editing the headers of the data packets, to make the data they’re sending appear as though it has come from a different source.

The Domain Name System (DNS) uses UDP, so DNS servers that are configured a certain way are vulnerable to being used in an amplification attack. DNS Amplification Attacks could be considered the opposite of the DDoS attacks described above. Rather than bombarding the target with data and requests, the attacker sends data and queries to DNS servers while using IP spoofing to pretend to be their victim. If the DNS servers the attacker has contacted have been configured to respond to any IP contacting them, they reply to the IP address of the victim, flooding them with traffic. It’s like signing your friend up to a load of junk newsletters as a joke. Only, the attacker manipulates those responses (newsletters) to be as long as possible, making them far larger than the original query and, therefore, having a much greater impact. For example, if an ‘ANY’ query is sent to a DNS server being used for an amplification attack, the server will send a response with all known details about a DNS zone.

Attackers have found that there are other services that use the UDP protocol and that certain responses are significantly bigger than the queries. For example, the Character Generation Protocol (CharGEN) supported by various servers will respond to a character generation request with a response that is 358.8 times larger. Similarly, the Network Time Protocol (NTP), used to sync clocks across machines, can be forced to send a response 556.9 times larger than the request.

Why are they used?

The motivations behind DDoS attacks vary. In the case of Lizard Squad, it appeared to be a publicity stunt to promote their freelance hacking services. Sometimes it is simply mindless trolling, sometimes websites are held to ransom and their owners sent extortion letters, and other times it can be used as a form of industrial espionage. In the case of the Internet's most renowned and iconic hacking group, Anonymous, it has been used as a tool for activism. In their ongoing fight against organisations such as Scientology and the Westboro Baptist Church, they have used DDoS attacks to take down websites belonging to their targets.

How can they be fought?

DDoS attacks are difficult to fight, and mitigation is usually the best a target can hope for. A big part of dealing with DDoS attacks is simply being prepared. Here are some techniques that can be used to mitigate the effects of a DDoS attack:

Some big companies will invest in excess bandwidth for their servers. The more bandwidth the target has, the harder it is to DDoS. In principle it’s the same idea as adding more lanes to a road – the wider the road, the more cars are needed to cause a traffic jam.

An obvious port of call for those under attack is to contact their internet service providers and server hosts. It’s in their interests to help, as the attack could also affect them and their other customers. They will also have more resources at their disposal and will often already have a DDoS mitigation plan in place.

There are now many full-time DDoS mitigation companies who exist purely to provide help to those suffering from DDoS attacks. The target’s traffic is redirected to the mitigation company, who then ‘scrub’ the data. This involves identifying the malicious traffic being used to DDoS the target and separating it from legitimate traffic, which is then rerouted back to the target. Here’s a selection of the leading DDoS mitigation companies:

Black Lotus
F5
Prolexic
Incapsula

Am I DDoS-ing?

You’re probably going to be aware if you’re orchestrating a Distributed Denial of Service attack – that’s not the kind of thing you easily forget. Your machine may, however, be a part of a vast botnet being used to DDoS, without you even realising. The answer, as always, is to be constantly vigilant with your computer security. Ensure security updates are applied, review your security configurations and monitor your system for unusual or suspicious activity. If you’re running equipment that uses UDP (such as a DNS server) and don’t want to be used as a pawn in an amplification attack, you can simply monitor network traffic to see if there are any unusually large responses being repeatedly sent to the same IP address. Alternatively you can use an Intrusion Detection System (IDS) to monitor it for you. A DNS server can also be configured to spot possible amplification attacks and ignore suspicious traffic.