Introduction

Though the tools used are said to be on the decline, cyberwarfare, industrial sabotage and extortion remain motivators for attackers to apply this form of attack.

The exploitation of software weaknesses is not necessarily behind a denial of service attack. Such attacks are more about understanding the normal operation and behavior of networking protocols and being able to generate traffic that confuses the target, or simply a massive amount of traffic.

If you combine denial of service with other vectors of social engineering, Trojans, worms, viruses, and botnets, it is easy to imagine that potentially millions of hosts are currently connected to the Internet awaiting commands. A Distributed Denial of Service (DDoS) can be launched from anywhere and could bring down not only companies but entire countries as well.

Denial of Service (DoS) attacks generate no revenue but are rather used to cause embarrassment and damage the reputation of a company. It also makes it impossible for the company's customers to reach its services. DoS attacks can also be used to act as a decoy causing the incident response team to become busy investigating the attack while the real harm is being done elsewhere.

Types of DoS Attacks

Methods of DoS Attacks

A Denial of Service attack does not necessarily need thousands of "zombies" flooding a system with requests; it can be as simple as a single packet of data that confuses the receiving host, a malformed request to a portmapper service, or a null data packet with flags set in an unexpected way. These attacks are known as asymmetric attacks because the target host and the attacking host need not have the same level of processing power.

Attackers study Requests For Comments (RFCs) and other documentation and apply critical thinking. These specifications usually describe only what is supposed to happen; the attacker asks what might happen if things do not happen as expected.

If full disruption of service is needed, there are two options: one, consume the resources within the host, or, two, consume the bandwidth on the network. This often requires multiple attackers focusing on a particular host or network segment, or bouncing packets off of unsuspecting hosts that volunteer to participate. They are volunteering not because they have been compromised, but because of how the protocols work.

Still another form of Denial of Service can occur that involves affecting the configuration of a service or client. If the host can be compromised, configuration files can be changed that make the service operate in such a way that it is not accessible.

Types of DoS Attacks

There are five basic Denial of Service attacks. These are:

  • Smurf and Fraggle
  • Buffer Overflows
  • Ping of Death
  • Teardrop
  • SYN Flood

Smurf attacks happen when an attacker on an external network sends ICMP echo requests to the broadcast address of a network segment. The source is spoofed to be one of the hosts inside the segment. This attack causes each host on the broadcast domain to reply to the target.

This attack is an example of amplification and reflection. One packet can generate many packets in response, which results in bandwidth consumption. The attacker can send a stream of these packets into a vulnerable network, which reflects them, resulting in packets being sent on to other targets.

Fortunately, this type of attack is easily defended against. Hosts can be configured not to respond to broadcast pings; Windows does this by default. Routers can have Access Control Lists (ACLs) configured that do not allow traffic to enter a network when the packet's source address belongs to the destination segment.

Fraggle is the UDP version of the Smurf attack. UDP packets are sent to the echo (port 7) or chargen (port 19) services of a vulnerable host while spoofing the true victim's IP address. The chargen (Character Generator) and echo services are part of the Simple TCP/IP Services package on a Windows system and are also supported on Linux-based systems.
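The router ACL and the broadcast-handling rule described above, written out as a filter decision for packets arriving on the external interface. This is an added example, not code from the original text; the protected network, the sample packets and the address ranges are constructed for it.

```python
"""Ingress-filter decision for the Smurf and Fraggle cases above.

A packet arriving on the external interface is dropped when its source address
claims to belong to the protected segment (the spoof that Smurf/Fraggle rely
on), or when it is aimed at the segment's directed-broadcast address with one of
the amplifying services (ICMP echo request, UDP echo/7, UDP chargen/19) as its
target. The network and addresses are constructed for the example.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")      # assumed protected segment
# (protocol, service id): ICMP type 8 = echo request; UDP ports 7 and 19.
AMPLIFIERS = {("icmp", 8), ("udp", 7), ("udp", 19)}


def service_of(pkt):
    """Key used to match a packet against AMPLIFIERS."""
    if pkt["proto"] == "icmp":
        return ("icmp", pkt.get("icmp_type"))
    return (pkt["proto"], pkt.get("dport"))


def ingress_decision(pkt, internal=INTERNAL):
    """Decide for a packet seen on the external interface.

    pkt: {"src", "dst", "proto", and "icmp_type" or "dport"}.
    Returns (action, reason) with action "drop" or "accept".
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Rule 1: the ACL from the text. Nothing legitimately enters from outside
    # with a source address that lives on the destination segment.
    if src in internal:
        return ("drop", "internal source address on external interface")
    # Rule 2: no directed broadcasts to services that would reply per host.
    if dst == internal.broadcast_address and service_of(pkt) in AMPLIFIERS:
        return ("drop", "directed broadcast to amplifying service")
    return ("accept", "")


# Constructed sample packets (documentation ranges 192.0.2.0/24, 198.51.100.0/24).
SMURF = {"src": "192.0.2.50", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8}
FRAGGLE = {"src": "198.51.100.9", "dst": "192.0.2.255", "proto": "udp", "dport": 19}
NORMAL = {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    for name, pkt in (("smurf", SMURF), ("fraggle", FRAGGLE), ("normal", NORMAL)):
        print(name, ingress_decision(pkt))
```

On the host side, the "do not respond to broadcast pings" setting that the text credits to Windows by default corresponds on Linux to the sysctl net.ipv4.icmp_echo_ignore_broadcasts.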

Buffer Overflows

Computer systems do not fare well in ambiguous conditions. If the program has no explicit instructions on how to handle a given input, the result can be a kernel panic or Blue Screen of Death (BSOD). A system can be destabilized simply by making sure it cannot understand the answer to a question.

Fuzzing is a technique used to scan for buffer overflows that crash a system or provide backdoor access. The fuzzer sends random strings of characters of various lengths to an application. This technique is also used by software developers and vendors to test for stability.

Ping of Death

An IP packet cannot be larger than 64k in size, according to RFC 791. The attacker can use fragmentation techniques to disguise a packet larger than 64k. The receiving host begins to reassemble the packet but does not realize its size until the buffer is full and there is no more space to store the remaining data.

IP cannot deal with this situation, as it was designed to be a stateless, unreliable protocol. The result is a system crash. ICMP is often used in this type of attack because it is easy to add as much data as necessary to the data field of an echo request message.

Teardrop

Fragmented packets are reassembled using the IPv4 Identification (IPID) field, the More Fragments (MF) flag and the fragment offset field. Each fragment of a packet gets its own IP header, and the IPID field is the same for each, indicating that they are all fragments of the same packet. An illustration follows.

The first fragment is called the 0th fragment. Its MF flag is set and its offset value is 0, which tells the receiver to load this fragment at byte 0 of the buffer.

The 0th fragment is 1500 bytes in size and occupies bytes 0 - 1499 of the buffer. The next fragment has the MF flag set and an offset value of 1500. It is also 1500 bytes in size and occupies bytes 1500 - 2999 of the buffer. The next fragment has an offset of 3000. This process continues until a fragment arrives with the MF bit clear, indicating there are no more fragments to reassemble.

In a teardrop attack, the offset fields are adjusted to cause the fragments to overlap when they are loaded into the buffer. If the 0th fragment is exactly 1500 bytes, it occupies 0 - 1499 as normal. The next fragment will not have the expected offset value of 1500; the attacker sets it to a smaller value, perhaps 1200, so when it is placed in the buffer at byte 1200 there is a 300-byte overlap, and that data is simply overwritten. The next fragment should have an offset of 2700, but its offset will be set to 2400 instead. This process continues until the MF bit clears.

The result is a datagram shorter than it is supposed to be. On a vulnerable host, the IP stack becomes confused and crashes. There is a variation of the teardrop attack called the unarmed attack, in which the offset value is increased instead, causing the packet to expand with gaps between the fragments as they are loaded into memory.
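The bookkeeping that a reassembly buffer should do before copying fragment data, covering both the Ping of Death case (total length past the RFC 791 limit) and the teardrop overlap and gap cases illustrated above. This is an added example, not code from the original text; the Fragment type, the byte-unit offsets and every fragment set in it are constructed.

```python
"""Fragment bookkeeping with the checks a reassembly buffer needs before it
copies data: the Ping of Death case (total length past the RFC 791 limit), the
Teardrop case (a fragment that overlaps the previous one) and the gap variant.

Offsets are in bytes, matching the 0 / 1500 / 3000 numbers in the text; a real
IPv4 header stores them in 8-byte units. All fragment sets are constructed.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535      # RFC 791 total length limit (the "64k" above)


@dataclass(frozen=True)
class Fragment:
    ipid: int      # identical for every fragment of one datagram
    mf: bool       # More Fragments flag
    offset: int    # byte position in the reassembly buffer
    length: int    # payload bytes carried by this fragment


def check_fragments(frags):
    """Return "ok" or the reason the set must be discarded instead of reassembled."""
    if not frags:
        return "empty"
    ipid = frags[0].ipid
    if any(f.ipid != ipid for f in frags):
        return "mixed IPID"
    ordered = sorted(frags, key=lambda f: f.offset)   # buffer order, not arrival order
    if ordered[0].offset != 0:
        return "missing 0th fragment"
    if any(not f.mf for f in ordered[:-1]) or ordered[-1].mf:
        return "MF bit must be set on all but the last fragment"
    expected = 0                                       # next byte the buffer expects
    for f in ordered:
        if f.length <= 0:
            return "empty fragment"
        if f.offset < expected:                        # Teardrop: overwrite earlier data
            return f"overlap of {expected - f.offset} bytes at offset {f.offset}"
        if f.offset > expected:                        # gap variant: holes in the buffer
            return f"gap of {f.offset - expected} bytes at offset {expected}"
        expected = f.offset + f.length
        if expected > MAX_DATAGRAM:                    # Ping of Death: buffer overrun
            return f"datagram would be {expected} bytes, over {MAX_DATAGRAM}"
    return "ok"


# Constructed fragment sets using the sizes from the text.
NORMAL = [Fragment(1, True, 0, 1500), Fragment(1, True, 1500, 1500),
          Fragment(1, False, 3000, 600)]
TEARDROP = [Fragment(2, True, 0, 1500), Fragment(2, True, 1200, 1500),
            Fragment(2, False, 2400, 1500)]
GAPPED = [Fragment(3, True, 0, 1500), Fragment(3, True, 1800, 1500),
          Fragment(3, False, 3300, 500)]
# 44 fragments of 1480 bytes reach 65120; one more pushes past the 65535 limit.
PING_OF_DEATH = [Fragment(4, True, i * 1480, 1480) for i in range(44)] + \
                [Fragment(4, False, 44 * 1480, 1480)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("gapped", GAPPED), ("ping of death", PING_OF_DEATH)):
        print(f"{name}: {check_fragments(frags)}")
```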

SYN Flood

The TCP handshake takes three steps to establish and synchronize a connection. In a SYN flood, the attacker sends multiple SYN segments to begin the handshake but never finishes with the ACK. The target is left waiting for each half-open connection to move to the established state. These half-open connections eventually time out, but if the attacker sends traffic at a faster rate, sockets are opened much faster than they can time out. This consumes the system resources on the target.

The attacker aims the SYN requests at an open port on the target host and increments the source port value each time so that each new SYN is treated as a new socket. Since return traffic is not needed, the source IP can be spoofed, making it difficult to figure out where the attack originates.
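Half-open connection accounting of the kind described above, run over constructed TCP segment records to flag a listener whose backlog is filling with handshakes that never complete. This is an added example, not code from the original text; the record layout, the limit and timeout values, and all addresses are assumptions made for it.

```python
"""Half-open connection accounting for spotting a SYN flood.

Each record is (time_s, src, sport, dst, dport, flags) for one TCP segment
seen at the target, flags as "S" (SYN), "SA" (SYN-ACK) or "A" (ACK). A client
SYN creates a half-open entry; the client's ACK completes it; entries older
than the backlog timeout are gone. All records below are constructed; the
limit and timeout are assumed values, not a standard.
"""
from collections import defaultdict

HALF_OPEN_LIMIT = 50    # assumed: alert when this many half-open entries share a listener
BACKLOG_TIMEOUT_S = 30  # assumed: how long a half-open entry lingers before it is dropped


def half_open_by_listener(segments, now):
    """Return {(dst, dport): {(src, sport), ...}} of handshakes still waiting for the ACK."""
    pending = {}
    for t, src, sport, dst, dport, flags in segments:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = t                     # SYN: target allocates a half-open entry
        elif flags == "A" and key in pending:
            del pending[key]                     # third handshake step: ESTABLISHED
    waiting = defaultdict(set)
    for (src, sport, dst, dport), t in pending.items():
        if now - t < BACKLOG_TIMEOUT_S:          # the rest already timed out
            waiting[(dst, dport)].add((src, sport))
    return waiting


def detect_syn_flood(segments, now, limit=HALF_OPEN_LIMIT):
    """Return [(dst, dport, half_open, distinct_sources)] for listeners over the limit.

    A high half_open count from few distinct sources with many source ports is the
    pattern described above; many distinct sources suggests spoofed addresses.
    """
    alerts = []
    for (dst, dport), peers in half_open_by_listener(segments, now).items():
        if len(peers) >= limit:
            alerts.append((dst, dport, len(peers), len({s for s, _ in peers})))
    return alerts


# Constructed sample: one legitimate handshake, then 60 SYNs from one source that
# increments its source port and never sends the final ACK. Addresses are from
# documentation ranges; the target is 192.0.2.10:80.
SAMPLE = [
    (0.00, "198.51.100.7", 40000, "192.0.2.10", 80, "S"),
    (0.01, "192.0.2.10", 80, "198.51.100.7", 40000, "SA"),
    (0.02, "198.51.100.7", 40000, "192.0.2.10", 80, "A"),
    (-100.0, "198.51.100.8", 41000, "192.0.2.10", 80, "S"),   # long since timed out
]
SAMPLE += [(1.0 + i * 0.01, "203.0.113.5", 50000 + i, "192.0.2.10", 80, "S")
           for i in range(60)]

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE, now=5.0))
```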

DoS Attack Tools

There are many DDoS attack tools used by attackers, some old and some new. Here is a brief list of seven of the most commonly used tools (at least at the time of this publishing) in DDoS attacks.

  • LOIC
  • HOIC
  • hping
  • Slowloris
  • R U Dead Yet? (R.U.D.Y.)
  • #Refref
  • Botnets as DDoS Attack Tools

LOIC - Low Orbit Ion Cannon (LOIC) is a simple flooding tool that can generate massive volumes of TCP, UDP, or HTTP traffic to subject a server to a heavy network load. This also is the “Hacktivist” group Anonymous’ initial tool of choice. Praetox Technologies, LOIC’s original developers, intended the tool to be used by developers who wanted to subject their own servers to heavy network traffic loads for testing purposes. Anonymous, however, used the open-source tool to launch coordinated DDoS attacks. LOIC was later given its “Hivemind” feature, allowing any LOIC user to point a copy of LOIC at an IRC server and transfer control of that copy to a master user who can then send commands over IRC to every connected LOIC client simultaneously. This configuration enabled much more effective DDoS attacks. LOIC doesn’t obscure its users’ IP addresses, however, and this lack of anonymity led to the 2011 arrest of LOIC attackers around the world. Anonymous then broadcast a message across IRC channels, “Do NOT use LOIC.”

HOIC - High Orbit Ion Cannon (HOIC) was used to target the U.S. Department of Justice in response to its decision to take down Megaupload.com. HOIC is a simple cross-platform basic script for sending HTTP POST and GET requests that are wrapped in a GUI. Its effectiveness, however, stems from add-on booster scripts—text files that contain additional basic code. This code is interpreted by the main application upon DDoS attack launch. Booster scripts also allow users to specify lists of target URLs and identifying information when generating attack traffic. This makes HOIC attacks anonymous and harder to block. HOIC continues to be one of the DDoS attack tools used by Anonymous to launch DDoS attacks worldwide.

hping - hping is a basic command-line utility similar to the ping utility; however, it offers more functionality than simply sending an ICMP echo request. hping can be used to send large volumes of TCP traffic to a target while spoofing the source IP addresses, making them appear random or even to originate from a specific user-defined source. This tool is among Anonymous’ current DDoS attack tools of choice.

Slowloris - The more intricate low and slow DDoS attack types rely on easy-to-use tools yielding denial of service attacks that are much harder to detect. Slowloris, developed by a gray hat hacker who goes by the handle 'RSnake', creates a DoS condition for a server by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slowly as possible, the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this way the server becomes unable to handle legitimate requests.

R U Dead Yet? (R.U.D.Y.) - This is another slow-rate DDoS attack tool. It achieves denial of service by using long-form field HTTP POST submissions rather than HTTP headers like Slowloris does. By injecting one byte of information into an application POST field at a time, a R.U.D.Y. attack causes application threads to await the end of never-ending posts in order to perform processing. R.U.D.Y. causes the target web server to hang while it waits for the rest of an HTTP POST request. This way a user can create many simultaneous connections to the server ultimately exhausting the server’s connection table and causing a denial of service condition.

#Refref - #RefRef, another tool in Anonymous’ arsenal, is based on vulnerabilities in SQL database software that allow for injection attacks. Using an SQL injection, #RefRef forces a target server to use a special SQL function that repeatedly executes SQL expressions. The nonstop execution of a few lines of code consumes the target server’s resources, resulting in denial of service for the target server.

Unlike LOIC or HOIC, #RefRef does not require a large number of machines to take down a server due to the nature of its attack vector. If the server’s backend uses SQL, and is vulnerable, only a few machines are needed to cause significant outage. While developing the tool, Anonymous ran #RefRef on a single machine and caused outages on various sites for minutes at a time. For example, a 17-second attack on Pastebin took the site offline for 42 minutes.

Botnets, the Other DDoS Attack Tool - Regardless of the DDoS attack tools used, the ability to launch an attack from hundreds, thousands or millions of computers amplifies the potential of that attack to cause denial of service, which is why botnets are commonly used DDoS attack tools. Botnets are large collections of compromised computers, often referred to as zombies, that are infected with malware allowing an attacker to control them. Botnet owners, or herders, can control the machines in the botnet using a covert channel, for example IRC, issuing commands to perform malicious activities such as DDoS attacks, distribution of spam mail and theft of Personal Identification Information.

The Workings of a DDoS Attack

Creating the DDoS Traffic

A Distributed Denial of Service (DDoS) attack happens when there are multiple attackers focusing their efforts on a single network, domain or host. With the combination of both reflection and amplification techniques, along with a large group of hosts all under the attacker's control, the attacker can generate enough traffic to make services unreachable for anywhere from a few hours up to several days.

Reflection is when traffic is aimed at a host using the IP address of the intended target as the source. The reflector's responses are sent to the target, and from the target's position the reflector appears to be the source. Some of the perfect reflectors are DNS servers, HTTP servers and most routers, as they will always respond to certain types of traffic.

Other amplification attacks include sending DNS requests into a chain of servers that support recursive queries. These requests are for random names to which there is no answer; however, each DNS server asks its neighbor, generating traffic. As many as 74 additional UDP packets can be generated from one request.

Backscatter is the traffic that reflects off the victim and heads back toward the source. Tracing backscatter to determine the source of a DDoS attack is difficult but not impossible. Once the reflector attack is discovered, the next step is to determine its source, which is the initial sender. The attacker will have sent traffic to the reflector that points back to him. If that traffic can be associated with the spoofed packets used in the DDoS attack, the source can be determined. For this reason the attacker often sends packets via a proxy server or uses a multi-tiered botnet.

DDoS attacks can be unintentional as well. For instance, a website can be brought down by receiving more traffic than it was designed to handle. This can happen if, for instance, there is a major breaking news event and the news site reporting it is flooded with visitors wanting to read about it. An unexpected influx of visitors may be more than the server can handle, and it will be brought down.

The DDoS Network Structure

Zombies, also known as agents (or handlers in more complex systems), are used to build the DDoS network. They are "commanded" from a central location called the Command and Control (C&C).

Zombies are usually created using malware. Trojan Horse applications, malware injected through buffer overflow exploits, and scripts and executable files "dropped" by worm spreaders are some of the most common vectors. Rootkits can also be used to hide the processes and library files that reside on an infected system.

The DDoS network can consist of many levels of hierarchical control. The handlers receive commands sent from the attacker at the C&C and in turn command a number of agents. With a multi-tiered approach, the attacker gains greater control over the activities of the network and can launch the DDoS attacks from different locations, asynchronously or at the same time for an all-out assault.

Again, analyzing the backscatter becomes difficult as the source of the attack changes; the reflectors can stay the same or change as well. For example, a small DDoS network consists of 100,000 machines divided into ten segments of 10,000 machines. The attacker needs to communicate directly with only ten handlers, who then tell each agent to bounce traffic off of 100,000 reflectors.

The end result would be 1,000,000,000 packets focused on the target, which in turn might try to respond, at a minimum doubling the packets sent on its local network segment.

Botnets

The Evolution of Botnets

Botnets were created in an effort to automate repetitive activity on the Internet Relay Chat (IRC) network. The owner of a chat room would create a robot so that the owner would not have to be present 24 hours a day. One of the first examples of this type of robot was the GM bot, which could actually play a game with real users, that game being "Hunt the Wumpus."

The Pretty Park worm spread the first malicious botnet and was famous for displaying the 3D Pipes screen saver on infected hosts. This bot could steal information and receive updates from the botherder (the user who owned or collected the botnets).

The next botnet to arrive was Subseven. It included features common to Remote Access & Administration Tools (RATs). Most botnets were being collected via Trojans. Users were sent emails containing malicious code attachments. Through clever social engineering, the user was convinced to run the code. Another method of deployment of malicious code was through Instant Messaging Spam (SPIM).

It was soon realized that DDoS attacks were far from the only reason to set up a botnet, and SD Bot soon took botnets to a whole new level. With it, the author provided source code and tools for creating illicit servers. Within a short time, a small community of contributors participated and variants were created that added new spreading vectors and other capabilities.

The Agobot malware added a multistage approach with modular code that could be updated on command. The first stage creates a backdoor and contacts the Command and Control chat room. The second stage downloads a module that turns off or blocks anti-malware scanners and firewalls. The third stage downloads a module that blocks the host from accessing update sites and online security sites. Agobot's modular nature meant more and more variants could be created, giving an almost endless number of combinations of spreaders and payloads.

In 2004 a large botnet was created by a team of Dutch hackers paid by a Lithuanian organized crime group. Their reasoning was that if the mob could make money with a botnet, so could they. They began to use their botnet to distribute adware for 180Solutions, which at that time was under fire and suffering from bad public relations due to its use of spam and peer-to-peer networks in its advertising services.

Once 180Solutions changed its policy to exclude botnet delivery and refused payment to the hackers, the hackers used the botnet to launch a DDoS attack against the company in an attempt to extort payment. The FBI soon became involved and the hackers were caught. A civil suit was filed against them.

Botnets result from a mix of commercial interests, organized crime and cyber warfare. The main question is not simply how many machines can be herded, but how many hosts, how powerful the malware can be and what purpose it will be used for. Botnets can be sold or rented by the hour, and botherders actually battle each other for ownership of the C&C. Storm and Conficker were sophisticated enough to adapt to many defensive efforts; they encrypted their traffic and used proxy chains to make it difficult for researchers to figure out where the C&C was based. Today, some botnets can be updated and patched and given new capabilities.

Defense Against Botnet Attacks

The two-step approach to defending against DDoS attacks is, one, not to make enemies, and two, don't be cheap when it comes to the hardware you purchase for your network perimeter. Your best defense against a DDoS attack is a well-designed network.

Most damaging DDoS attacks happened because the attacker was trying to make a point and get attention, or because they were insulted and wanted revenge. Once a DDoS has begun, it is difficult to stop. Usually the ISP has to become involved, but most are reluctant to do so. DDoS attacks are a waste of resources and mostly affect many networks, not just the target.