TippingPoint Digital Vaccine Laboratories

DoS and DDoS Yesterday and Today

Over the course of the last six months we at HP DVLabs have received numerous requests for advice, consultation and protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It should come as no surprise to anyone watching current events that DoS and DDoS attacks are seen and used the world over more today than perhaps ever before. Whether as a form of social protest in response to decisions made by those who govern, as a mechanism and extension of warfare, or as a natural byproduct of the supply-and-demand cycle which drives the cybercriminal underground, DoS and DDoS technology and attacks are the flavor du jour of the cyber realm.

In the past, conventional wisdom saw us focus a significant amount of time and energy on monitoring and addressing DoS and DDoS activity in specific geographic theaters. I wonder candidly whether at some level information security professionals operated blissfully in denial of the notion that these attacks could and would migrate and ultimately manifest globally, in all geographies. I believe that to a degree we did, treating these matters as questions of 'availability' rather than of 'threat'. This is, in my opinion, a faulty perspective and one which I vehemently denounce today. We no longer have the luxury of making this distinction, and it would be dangerous, if not foolhardy, to do so moving forward.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) fall into a category of Internet-based attacks with a rich and mature pedigree. The goal of these attacks is quite simple:

  • Deliver, in a concerted fashion, an attack which prevents websites or services from functioning efficiently or at all.

The disruption could be temporary or, as in the case of the ill-fated Blue Security, indefinite. The burden of addressing these attacks falls squarely upon data communications providers (traditional carriers, broadband providers, etc.), enterprise businesses and individuals. Recent examples have included but are not limited to:

  • Retaliatory DDoS attacks launched by the hacktivist group 'Anonymous' after payment processors and other companies cut off services to the whistleblower group 'WikiLeaks'. The attack, dubbed 'Operation: Payback', was initiated in a distributed fashion against Visa, MasterCard, PayPal, Bank of America, 4chan and others as a sign of civil protest. Activists behind the attacks used the Low Orbit Ion Cannon (LOIC) to flood the sites with useless traffic, rendering them largely unavailable and seriously impacting the business operations of these organizations.
  • Retaliatory DDoS attacks launched by 'Anonymous' in response to the failed appeal of The Pirate Bay. The attack, also part of the 'Operation: Payback' initiative, was launched against the International Federation of the Phonographic Industry (IFPI). Activists behind the attack used LOIC to flood the site with useless traffic, rendering the sites associated with the group largely unavailable for a period of twenty-four hours.
  • Retaliatory attacks carried out by citizens of Turkey as a form of protest against the state's decision to block Internet content and services (in particular content and services provided by Google, Inc.).
  • Ubisoft, publisher of the video game 'Assassin's Creed', experienced DDoS attacks which caused one of its new DRM servers to become unreachable and rendered other aspects of the game largely inoperable.

Cyber actors who make use of these attacks represent a diverse demographic profile. Many fall into one or more of the following:

  • Miscreants
  • Hacktivist Organizations (4chan, Anonymous, citizenry)
  • Cyber criminals
  • Nation states / Sub-national entities
  • Self-inflicted

Methods of Attack Associated with Denial of Service (DoS) and Distributed Denial of Service (DDoS)

Though DoS and DDoS come in a variety of forms, one thing is clear: there is a style and form suited to every need. Let's consider that for a moment. Look at the retaliatory activity that surrounded the WikiLeaks story. Consider that, for the first time in history, the masses were able to willingly participate in a DDoS attack from the palm of their hands. The following table lists some, though not all, types of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It isn't meant to be an all-inclusive catalogue but rather a starting point from which you, the reader, can derive more information:

Attack Type / Attack Description

  • ICMP flood

ICMP floods, also known generically as ping floods, see an attacker send an overwhelming number of ICMP echo requests (the packets generated by the 'ping' command) to the target, consuming its bandwidth and the CPU needed to answer them. It is a simple and effective attack to launch. Several other ICMP-based attacks are commonly grouped with it, although not all of them are floods:

  • Smurf attacks, in which echo requests carrying the victim's forged source address are sent to network broadcast addresses, so that every host on those segments replies to the victim at once
  • Ping of Death, in which an ICMP packet whose fragments reassemble to more than the 65,535-byte IPv4 maximum crashes a vulnerable IP stack
  • Nuke, in which fragmented or otherwise invalid ICMP packets are sent repeatedly, usually by a modified ping utility, to slow or crash the target

  • Teardrop attacks

Teardrop is an IP fragmentation attack rather than an ICMP flood. Mangled IP fragments with overlapping, over-sized payloads are sent to the target; the offsets and lengths are inconsistent, and the reassembly code in vulnerable IP stacks (older Windows and Linux releases at the time) mishandled the overlap. The net effect is that the victim machine crashes.
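The fragment-overlap check that a reassembler (or an IDS fragment preprocessor) applies to catch Teardrop-style packets, as an added example in Python that is not DVLabs code. The Fragment record type and the three sample datagrams are constructed for the illustration; the checks go slightly beyond Teardrop and also flag the oversized-reassembly case described under Ping of Death above.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram the Total Length field can describe


@dataclass(frozen=True)
class Fragment:
    """One IP fragment as a sensor or reassembler would record it (constructed type)."""
    ident: int    # IP Identification field, shared by all fragments of a datagram
    offset: int   # payload offset in bytes (the header field multiplied by 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments (MF) flag; clear on the final fragment


def check_fragments(fragments):
    """Group fragments by Identification and return {ident: [findings]}.

    An empty list means the set is well formed. The checks mirror what a
    careful reassembler must do before trusting offset/length arithmetic.
    """
    groups = defaultdict(list)
    for frag in fragments:
        groups[frag.ident].append(frag)

    findings = {}
    for ident, group in groups.items():
        issues = []
        covered_end = 0  # end of the data seen so far, walking fragments in offset order
        for frag in sorted(group, key=lambda f: f.offset):
            end = frag.offset + frag.length
            if frag.offset < covered_end:
                if end <= covered_end:
                    # Classic teardrop: the fragment sits wholly inside data already
                    # received, so naive "end - covered_end" arithmetic goes negative.
                    issues.append(f"fragment {frag.offset}-{end} lies entirely inside earlier data (teardrop)")
                else:
                    issues.append(f"fragment {frag.offset}-{end} overlaps earlier data")
            if frag.more and frag.length % 8:
                issues.append(f"non-final fragment length {frag.length} is not a multiple of 8")
            if end > MAX_DATAGRAM:
                issues.append(f"reassembled size {end} exceeds {MAX_DATAGRAM} (ping-of-death style)")
            covered_end = max(covered_end, end)
        findings[ident] = issues
    return findings


# Constructed sample: one benign datagram, one teardrop pair, one oversized pair.
SAMPLE_FRAGMENTS = [
    Fragment(0x1001, 0, 1480, True), Fragment(0x1001, 1480, 520, False),
    Fragment(0x2002, 0, 40, True), Fragment(0x2002, 24, 4, False),
    Fragment(0x3003, 0, 1480, True), Fragment(0x3003, 65528, 100, False),
]

if __name__ == "__main__":
    for ident, issues in check_fragments(SAMPLE_FRAGMENTS).items():
        print(f"id 0x{ident:04x}: {'ok' if not issues else '; '.join(issues)}")
```

The second datagram reproduces the Teardrop shape: a 40-byte first fragment followed by a 4-byte fragment at offset 24, which ends before the first fragment does. A reassembler that computes the new fragment's trailing length as end minus covered_end gets a negative number, which is the arithmetic the original exploit relied on.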

  • Peer-to-peer attacks

Attackers use these to create a Distributed Denial of Service (DDoS) condition by exploiting weaknesses and vulnerabilities in peer-to-peer hubs and clients. Peer-to-peer DDoS differs from botnet-driven DDoS in that the attacker never needs to communicate with, or compromise, the clients that generate the traffic. Instead the attacker manipulates the peer-to-peer network itself (typically the hub or directory server) so that it instructs its clients to disconnect from the network and connect to the victim's website. The result is that several thousand computers may aggressively begin trying to establish connections to the target site, rendering it either unavailable or inoperable.

  • Asymmetry of resource utilization in starvation attacks

These attacks consume resources on the victim host either by using a single host with greater computational power or network bandwidth than the target, or by controlling a large number of hosts and directing them to attack as a group, creating a DDoS scenario. Smurf and SYN flood attacks are examples: a small amount of attacker effort forces the victim to spend disproportionately more bandwidth or connection state.

  • Permanent denial-of-service attacks

The concept of permanent denial-of-service (PDoS) attacks, also known as phlashing, involves an attack that damages a system so severely that it requires replacement or reinstallation of hardware. Unlike traditional DoS and DDoS attacks, PDoS attacks exploit security flaws that allow remote administration on the management interfaces of the target hardware. Examples of hardware which fall victim to this sort of attack include:

  • Routers
  • Switches
  • Printers

Attackers exploit these flaws to remove and replace firmware with modified images. This often results in a condition known as "bricking" of the target device, which renders it useless.

  • Application-level floods

These attacks manifest at the application layer (Layer 7) of the OSI model, targeting the service itself rather than the network path to it. The conditions that influence these attacks vary, as does the way in which they occur. Examples include:

  • IRC floods
  • Exploitation of common vulnerabilities (buffer overflows, for example) that crash or hang the service
  • Request floods that saturate the application's processing capacity or the links behind it
  • Banana (or boomerang) attacks, which redirect a host's outgoing messages back to that host so that it floods itself

  • Reflected attack

A type of DDoS attack in which the attacker sends requests, with the source address forged to that of the victim, to a very large number of hosts that are known to reply (open DNS resolvers, or the hosts on a broadcast segment in the Smurf case). Every reply is delivered to the victim rather than to the attacker, and when the replies are larger than the requests, as with DNS, the reflectors also amplify the attacker's bandwidth.
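Detecting reflection from the victim's side, covering both the Smurf variant listed under ICMP flood above and the reflected attack described here, as an added Python example that is not DVLabs code: a sensor that knows which hosts it protects can flag replies arriving for requests those hosts never sent, and count how many distinct reflectors are involved. The record format, the protected host set and the sample traffic are constructed for the illustration, using documentation address ranges.

```python
from collections import defaultdict

# Constructed packet records as an edge sensor in front of the protected prefix
# would log them: (src, dst, service, kind, bytes). 'kind' is the sensor's own
# request/reply classification, e.g. ICMP echo request vs echo reply, or a DNS
# message with the QR bit clear vs set.
PROTECTED = {"192.0.2.10", "192.0.2.20"}

SAMPLE_RECORDS = [
    # 192.0.2.20 asks a resolver and gets an answer: a legitimate reply
    ("192.0.2.20", "198.51.100.53", "dns", "request", 64),
    ("198.51.100.53", "192.0.2.20", "dns", "reply", 512),
    # a single stray echo reply: unsolicited, but one reflector is just noise
    ("203.0.113.77", "192.0.2.20", "icmp-echo", "reply", 84),
]
# Smurf: echo replies from every host on a remote broadcast segment hit 192.0.2.10
SAMPLE_RECORDS += [(f"203.0.113.{i}", "192.0.2.10", "icmp-echo", "reply", 1064) for i in range(1, 7)]
# DNS reflection: large answers from open resolvers that 192.0.2.10 never queried
SAMPLE_RECORDS += [(f"198.51.100.{i}", "192.0.2.10", "dns", "reply", 3000) for i in range(1, 4)]


def find_reflection_victims(records, protected, min_reflectors=3):
    """Return {victim: summary} for protected hosts that receive replies to
    requests they never sent from at least min_reflectors distinct sources."""
    outstanding = set()  # (our_host, peer, service) with a request on the wire
    unsolicited = defaultdict(
        lambda: {"replies": 0, "bytes": 0, "reflectors": set(), "services": set()}
    )

    for src, dst, service, kind, size in records:
        if kind == "request" and src in protected:
            outstanding.add((src, dst, service))
        elif kind == "reply" and dst in protected:
            key = (dst, src, service)
            if key in outstanding:
                outstanding.discard(key)          # answer to our own query
                continue
            entry = unsolicited[dst]              # nobody inside asked for this
            entry["replies"] += 1
            entry["bytes"] += size
            entry["reflectors"].add(src)
            entry["services"].add(service)

    return {
        victim: {
            "replies": e["replies"],
            "bytes": e["bytes"],
            "reflectors": sorted(e["reflectors"]),
            "services": sorted(e["services"]),
        }
        for victim, e in unsolicited.items()
        if len(e["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    for victim, s in find_reflection_victims(SAMPLE_RECORDS, PROTECTED).items():
        print(f"{victim}: {s['replies']} unsolicited replies, {s['bytes']} bytes, "
              f"{len(s['reflectors'])} reflectors via {', '.join(s['services'])}")
```

The reflectors themselves are innocent hosts, so blocking them one at a time is futile; the count of distinct sources per victim is the signal that tells a reflected attack apart from a single misbehaving peer, and the byte total is what you take to the upstream provider when asking for filtering.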

  • Degradation-of-service attacks

These attacks are typically launched by compromised hosts on an intermittent basis. The intermittent floods degrade the target so that its performance is slowed or crippled but not brought to a standstill, which also makes the attack harder to distinguish from legitimate load spikes.

  • Blind denial of service attacks

In a non-blind attack the attacker must be able to receive traffic from the victim, and so must either subvert the routing fabric or use the attacker's own IP address. Either gives the victim an opportunity to track the attacker or to filter out the traffic. In a blind attack the attacker never needs to see the victim's responses and so uses one or more forged source IP addresses, making it extremely difficult for the victim to filter out those packets. The TCP SYN flood is the classic example of a blind attack.

  • DoSNet

DoSNets are typically seen as part of larger botnet offerings. They represent the harnessed computational power of thousands upon thousands of compromised hosts, directed to flood a target.

  • SYN flood

A SYN flood sends a stream of TCP SYN packets, often with forged source addresses. The server handles each one as a connection request, allocates a half-open connection in its SYN backlog, replies with a SYN-ACK and waits for the final ACK from the sender address. Because the sender address is forged, that ACK never comes. The half-open connections exhaust the backlog, keeping the server from accepting legitimate connections until the entries time out or the attack ends. SYN cookies, which encode the connection state in the SYN-ACK sequence number instead of storing it, are the usual server-side countermeasure.
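SYN cookies as a worked example of how a server can answer every SYN without keeping a half-open connection, added here and not DVLabs code or any real stack's implementation. It follows the classic SYN-cookie design of encoding the state in the SYN-ACK sequence number; the secret key, the MSS table, the 64-second slot width and the exact bit layout are assumptions chosen for the illustration, and the client and server addresses are constructed.

```python
import hashlib
import hmac
import struct

# Assumed constants for the example; a real stack uses a random per-boot secret
# and its own MSS table and slot width.
SECRET = b"constructed-example-secret"
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values encodable in the cookie's low 2 bits
SLOT_SECONDS = 64                     # a cookie is honoured for this slot and the one before
MASK32 = 0xFFFFFFFF


def _mac(saddr, daddr, sport, dport, slot):
    """25-bit keyed hash binding the cookie to the 4-tuple and time slot."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, slot)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Return the server ISN for the SYN-ACK when no per-connection state is kept.

    Layout of the 32-bit cookie (added to the client's ISN):
      bits 31-27: 5-bit time slot
      bits 26-2:  25-bit MAC over (src, dst, sport, dport, slot)
      bits 1-0:   index into MSS_TABLE, the only client option we remember
    """
    slot = (now // SLOT_SECONDS) & 0x1F
    mss_idx = 0
    for i, candidate in enumerate(MSS_TABLE):
        if candidate <= mss:
            mss_idx = i
    cookie = (slot << 27) | (_mac(saddr, daddr, sport, dport, slot) << 2) | mss_idx
    return (client_isn + cookie) & MASK32


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, ack, now):
    """Validate the third handshake packet; return the MSS to use or None.

    A spoofed SYN never produces a valid ACK, so a flood costs the server
    one hash per SYN and no memory, instead of one backlog entry per SYN.
    """
    cookie = (ack - 1 - client_isn) & MASK32   # the ACK acknowledges our ISN + 1
    slot = cookie >> 27
    mac = (cookie >> 2) & 0x01FFFFFF
    mss_idx = cookie & 0x3
    current = (now // SLOT_SECONDS) & 0x1F
    if slot not in (current, (current - 1) & 0x1F):
        return None                             # too old, or a guessed value
    if mac != _mac(saddr, daddr, sport, dport, slot):
        return None                             # not something we issued for this 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    client, server = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])
    t0 = 1_000_000
    syn_ack_isn = make_syn_cookie(client, server, 40000, 80, 0x12345678, 1460, t0)
    good_ack = (syn_ack_isn + 1) & MASK32
    print("real client completes the handshake, MSS",
          check_syn_cookie(client, server, 40000, 80, 0x12345678, good_ack, t0 + 100))
    print("ACK for a different 4-tuple (spoofed flood):",
          check_syn_cookie(client, server, 40001, 80, 0x12345678, good_ack, t0))
```

The trade-off is that whatever the server does not encode is lost: this layout remembers only the MSS, so window scaling and selective acknowledgement would be dropped for connections completed from a cookie unless they are carried elsewhere (some stacks tuck them into the TCP timestamp option). That is why production stacks enable cookies only once the backlog is under pressure rather than for every connection.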

 

DoS and DDoS are realities of our world and as we continue to integrate people and platforms, where traditional lines blur between social use and professional use, it becomes more important for us to realize the relevance of such attacks, their probability and their potential. 

For Information on DoS and DDoS:

 
Published On: 2011-02-28 11:47:35

Comments

  1. Anonymous commented on 2011-02-28 @ 13:22

    Does this mean ZDI will be accepting more DoS vulnerabilities now?

