This Page Updated:
5/17/04 8:13 PM
Original Creation Date:
Pre 2004
* All times are in EST
Basic Architecture behind a DDoS Attack
By Erik Rodriguez
This article describes the methods used to launch a DDoS (Distributed Denial of Service) attack on machines such as servers or routers. This is a common
problem because the attacks are launched from compromised machines, usually without the consent of their owners.
DDoS attacks are becoming more common, partly because of the Microsoft Windows operating system and its plethora of security holes. A DoS or DDoS is an attack
launched at a certain target to deny its internet service. There is no difference between a DoS and a DDoS except that a DDoS uses multiple sources.
Hackers often attack a website or server using a DDoS to bring it "offline." These attacks are illegal! I know several network administrators who
have dealt with a DDoS before, and in most cases it is just annoying. Although these types of attacks do not destroy data or physically harm
any equipment, they do cause a spike in bandwidth usage. Depending on the target machine's agreement with its ISP, this could mean a hefty bill.
Network administrators spend hours on the phone with ISPs to stop a DDoS. Sometimes victims of a DDoS attack have done
something to provoke the attack. A large DDoS attack involving over 10,000 machines was launched against SCO, a company currently suing IBM for 1 billion
dollars over a dispute involving the Linux source code. However, some of the first major DDoS attacks were launched against .com successes such as eBay,
Amazon, and Yahoo in mid 2000.
How Machines are Compromised...
So how are these machines compromised? The most common way is through a trojan horse. If a trojan is loaded on your machine, it will run continuously unless you take
specific action to stop it. These programs are usually downloaded by users because they are commonly disguised as something else. There are TONS of
these programs on Kazaa, eDonkey, etc. Historically, the first trojans
were easy to spot. They usually had suspicious names and most virus scanners picked them up. Some of the trojans used today have been named
carefully to pass as normal Windows services. For example, RUNDLL32.EXE is used in conjunction with all kinds of Windows programs and
installers. Hackers have developed a trojan named RUND1L32.EXE. Notice that the first "L" is really a "one."
Common trojans come in variations of Back Orifice, Backdoor.Trojan, Sub7 and others.
What a Trojan Does...
What does a trojan do? Once a machine is infected with a trojan, it reports "home." "Home" is usually an IRC channel. I'm not going to get
into what IRC is. Personally, I think it's one of the stupidest things ever created. It even has a few RFCs. Other infected machines
will also enter the channel, and the hacker, known as the "master," will send commands to the compromised machines, known as "slaves" or "zombies." The master has the
ability to send a multitude of commands. Many of the trojans have a real-time key logger. This can be used to record user names and passwords for anything, including
bank and email accounts. However, the hacker will most often just use the slaves to launch a DDoS attack. This can be done several ways.
Ping of Death...
The ping of death involves commanding the slaves to send a command such as !p4 192.168.0.1. This launches the same command that can be
performed in Windows by typing ping 192.168.0.1 -l 65500 -n 10000. This, in effect, pings the target machine 192.168.0.1 continuously
(10,000 times) with about 64 KB of data in each request. A single ping is not a problem, because many programs send an initial ping before connecting to a host. However, if this is
done by many machines at once, the target machine becomes congested with ping requests and is unable to process legitimate requests.
UDP Flooding...
When the master sends a !udp 207.71.92.193 9999999 0 command to the slaves, a true DDoS will occur. This command sends a flood of
9,999,999 very large UDP packets with no delay between each packet. Unlike the transmission of TCP packets, which wait for acknowledgements, this command is
specified to have "0" delay between each packet. This, in effect, saturates the target's bandwidth, making it unable to process legitimate requests.
The UDP attack is much worse than a ping attack. It also requires fewer clients to do damage.
Tracing the Attack...
Tracing the source of these attacks can be very hard or even impossible. Most of the time, the hackers launching these attacks know what they are doing and have
taken the proper steps to protect themselves. See telnet hacking for an example.
Stopping a DDoS Attack...
Stopping a DDoS attack can be tricky because the traffic comes from multiple sources. If the traffic is coming from one network, it is easy to create a rule in the
router to expressly block traffic from that source. However, if the attack is coming from multiple networks, you will likely need the assistance of
your ISP to redirect the traffic, create a filter upstream, or change your communication channel.
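The following is an added example (not from the original article) of the defender's side of the ping flood, UDP flood and "stopping a DDoS" sections above: it reads constructed flow summaries for a defended host, flags sources sending bursts of oversized ICMP echoes or back-to-back UDP datagrams, and recommends a router rule when one source network is involved or ISP filtering when several are. The flow format, the /24 grouping and the thresholds are assumptions chosen for illustration, not a real tool's output.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flows (timestamp_seconds src dst proto bytes); not real capture data.
# 10.0.0.5 is the defended host. Thresholds are tiny so the sample triggers.
SAMPLE_FLOWS = """\
100 198.51.100.7 10.0.0.5 ICMP 65500
100 198.51.100.7 10.0.0.5 ICMP 65500
100 198.51.100.7 10.0.0.5 ICMP 65500
101 203.0.113.9 10.0.0.5 UDP 1472
101 203.0.113.9 10.0.0.5 UDP 1472
101 203.0.113.9 10.0.0.5 UDP 1472
101 203.0.113.9 10.0.0.5 UDP 1472
102 192.0.2.44 10.0.0.5 TCP 60
"""


def parse_flows(text):
    """Turn one whitespace-separated flow per line into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, size = line.split()
            flows.append({"ts": int(ts), "src": src, "dst": dst,
                          "proto": proto, "bytes": int(size)})
    return flows


def find_flooders(flows, target, per_second_limit, min_icmp_bytes=60000):
    """Count oversized ICMP echoes and UDP datagrams per source per second.
    Returns {src: {proto: peak_count}} for sources at or above the limit."""
    counts = defaultdict(int)
    for f in flows:
        if f["dst"] != target:
            continue
        if (f["proto"] == "ICMP" and f["bytes"] >= min_icmp_bytes) or f["proto"] == "UDP":
            counts[(f["src"], f["ts"], f["proto"])] += 1
    flooders = defaultdict(dict)
    for (src, _ts, proto), n in counts.items():
        if n >= per_second_limit:
            flooders[src][proto] = max(n, flooders[src].get(proto, 0))
    return dict(flooders)


def recommend_response(flooders):
    """One source network -> block it at the router; several -> ask the ISP to filter.
    Sources are grouped into /24 networks as a simplifying assumption."""
    nets = {ip_network(f"{src}/24", strict=False) for src in flooders}
    if not nets:
        return "no flood detected"
    if len(nets) == 1:
        return f"block {next(iter(nets))} at the router"
    return f"distributed from {len(nets)} networks: request ISP filtering"
```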