Your One-Stop I.T. Source

Tuesday 03 December 2024  



This Page Updated:
5/17/04 8:13 PM
Original Creation Date:
Pre 2004
* All times are in EST

Join the Mailing List:
Name: 
Email:  


Hosted By:



Basic Architecture behind a DDoS Attack

By Erik Rodriguez

This article describes the methods used to launch a DDoS (Distributed Denial of Service Attack) on machines such as servers or routers. This is a common problem because attacks are launched using compromised machines, usually without the consent of the owner.


DDoS attacks are becoming more common, partly because of the Microsoft Windows operating system and its plethora of security holes. A DDoS or DoS is an attack launched at a certain target to deny its internet service. There is no difference between a DoS and DDoS except that a DDoS uses multiple sources. Hackers often attack a website or server using a DDoS to bring it "offline." These attacks are illegal! I know several network administrators that have dealt with a DDoS before and in most cases it is just annoying. Although these types of attacks do not destroy data or physically harm any equipment, they can cause an increase in bandwidth. Depending on the agreement of the target machine's ISP, this could mean a hefty bill. Network administrators spend hours on the phone with ISPs to stop a DDoS. Sometimes victims of a DDoS attack have done something to provoke an attack. A large DDoS attack that involved over 10,000 machines was launched against SCO, a company currently suing IBM, for 1 billion dollars over a dispute involving the Linux source code. However, some of the first major DDoS attacks were launched against .com successes such as Ebay, Amazon, and Yahoo in mid 2000.


How Machines are Compromised...


So how are these machines compromised? The most common way is through a trojan horse. If a trojan is loaded on your machine, it will run continuously unless you take certain actions to stop it. These programs are usually downloaded by users because they are commonly disguised as something else. There are TONS of these programs on Kazza, edonkey, etc. Historically, the first trojans were easy to spot. They usually had suspicious names and most virus scanners picked them up. Some of the trojans used today have been named carefully to pass as normal windows services. For example, RUNDLL32.EXE is used in conjunction with all kinds of windows program and installers. Hackers have developed a trojan named RUND1L32.EXE. Notice that the first "L" is really a "one." Common trojans come in variations of the Back Orifice, Backdoor.Trojan, Sub7 and others.


What a Trojan Does...


What does a trojan do? Once a machine is infected with a trojan, it reports "home." "Home" is usually an IRC channel. I'm not going to get into what IRC is. Personally, I think its one of the stupidest things ever created. It even has a few RFCs. Other machines infected will also enter the channel, and the hacker known as the "master" will send commands to the compromised machines known as "slaves" or "zombies." The master has the ability to send a multitude of commands. Many of the trojans have a real-time key logger. This can be used to record user names and passwords of anything including bank and email accounts. However, the hacker will most often just use the slaves to launch a DDoS attack. This can be done several ways.


Ping of Death...


The ping of death involves commanding the slaves to send a command such as !p4 192.168.0.1. This launches the same command that can be performed in windows by typing ping 192.168.0.1 -l 65500 -n 10000. This, in effect, pings the target machine 192.168.0.1 continuously [10,000 times] with 64 kBs of data. A ping command is not a problem because many programs will use an initial ping before connecting to a host. However, if this is done by multiple machines, the target machine can become congested with ping requests and will be unable to processes legit requests.


UDP Flooding...


When the master sends a !udp 207.71.92.193 9999999 0 command to the slaves, a true DDoS will occur. This command sends a flood of 9,999,999 very large UDP packets with no delay between each packet. Unlike the transmission of TCP packets, this command is specified to have "O" delay between each packet. This, in effect, will flood the targets bandwidth making it unable to process legit requests. The UDP attack is much worse than a ping attack. It also requires fewer clients to do damage.


Tracing the Attack...


Tracing the source of these attacks can be very hard or even impossible. Most of the time, the hackers launching these attacks know what they are doing and have taken the proper steps to protecting themselves. See telnet hacking for an example.


Stopping a DDoS Attack...


Stopping a DDoS attack can be tricky because the traffic comes from multiple sources. If the traffic is coming from one network, it is easy to create a rule in the router to expressly block traffic from that source. However, if the attack is coming from multiple networks, you may need the assistance of your ISP to redirect the traffic, create a filter, or change your communication channel.




Have Skullbox Webmail? Check it here





Copyright © 2002-2004 Skullbox.Net All Rights Reserved.
By using this site you agree to its Terms and Conditions.
Contact the .