Methods of DoS Attacks
A Denial of Service attack does not necessarily need thousands of "zombies" flooding a system with requests. It can be
as simple as a single packet that confuses the receiving host: a malformed request to a portmapper service, or a
packet carrying no data with its flags set in an unexpected combination. These are known as asymmetric attacks
because the attacking host needs far less processing power and bandwidth than the target it takes down.
Attackers study Requests for Comments (RFCs) and other documentation and apply critical thinking. These specifications
usually describe only what is supposed to happen; the attacker asks what might happen if things do not happen as
expected.
If full disruption of service is needed, there are two options: consume the resources of the host, or consume the
bandwidth of the network. This often requires multiple attackers focusing on a particular host or network segment, or
bouncing packets off unsuspecting hosts that "volunteer" to participate. They volunteer not because they have been
compromised, but because of how the protocols work.
Still another form of Denial of Service involves altering the configuration of a service or client. If the host can
be compromised, configuration files can be changed so that the service operates in a way that makes it inaccessible.
Types of DoS Attacks
There are five basic Denial of Service attacks. These are:
- Smurf and Fraggle
- Buffer Overflows
- Ping of Death
- Teardrop
- SYN Flood
Smurf attacks happen when an attacker on an external network sends ICMP echo requests to the broadcast address of a
network segment with the source address spoofed to be the victim's. Every host on the broadcast domain that answers
broadcast pings sends its reply to the victim.
This attack is an example of amplification and reflection. One packet generates many reply packets, and the result is
bandwidth consumption at the victim. The attacker can send a stream of these packets into a vulnerable network, and
the replies that reflect off its hosts all converge on the victim, which need not be on that network at all.
Fortunately, this type of attack is easily defended against. Hosts can be configured not to answer echo requests sent
to a broadcast address; Windows does this by default, and on Linux the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1
does the same. Routers should drop directed broadcasts (no ip directed-broadcast on Cisco IOS, the default since
IOS 12.0) and carry ingress Access Control Lists (ACLs) that refuse packets arriving from outside whose source address
belongs to the inside segment, since such packets can only be spoofed (BCP 38 ingress filtering).
Fraggle is the UDP version of the Smurf attack. UDP packets are sent to the echo (port 7) or chargen (port 19)
service at the broadcast address of a vulnerable network while spoofing the true victim's IP address; every host
running those services answers the victim. The chargen (Character Generator) and echo services are part of the
Simple TCP/IP Services package on Windows and are also available (through inetd/xinetd) on Linux systems. The same
host and router settings that stop Smurf stop Fraggle, as does simply not running these services.
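The router-side rules described above (an anti-spoofing ingress ACL plus a ban on directed broadcasts), expressed as a small packet filter. This is an added example and not code from the original page; the 192.0.2.0/24 inside network, the interface names and the sample packets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology: the router's inside interface serves 192.0.2.0/24
# (TEST-NET-1, a documentation prefix); everything else is "outside".
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
INSIDE_IF, OUTSIDE_IF = "gi0/1", "gi0/0"
AMPLIFIER_UDP_PORTS = {7, 19}   # echo and chargen, the services Fraggle bounces off


@dataclass(frozen=True)
class Packet:
    iface: str                        # interface the packet arrived on
    src: str
    dst: str
    proto: str                        # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None   # 8 = echo request
    dport: Optional[int] = None


def ingress_filter(pkt: Packet) -> Tuple[str, str]:
    """Return ("drop", reason) or ("accept", "") for one packet arriving at the router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Anti-spoofing (BCP 38): a packet arriving from outside can never legitimately
    # carry an inside source address, so our own hosts cannot be made the Smurf victim.
    if pkt.iface == OUTSIDE_IF and src in INSIDE_NET:
        return "drop", "inside source address on outside interface (spoofed)"

    # Directed broadcast: nothing from outside should reach our broadcast address.
    if pkt.iface == OUTSIDE_IF and dst == INSIDE_NET.broadcast_address:
        if pkt.proto == "icmp" and pkt.icmp_type == 8:
            return "drop", "ICMP echo request to directed broadcast (Smurf amplification)"
        if pkt.proto == "udp" and pkt.dport in AMPLIFIER_UDP_PORTS:
            return "drop", f"UDP/{pkt.dport} to directed broadcast (Fraggle amplification)"
        return "drop", "directed broadcast from outside"

    return "accept", ""


def filter_batch(packets: List[Packet]):
    """Run a batch through the filter; returns (accepted, [(packet, reason), ...])."""
    accepted, dropped = [], []
    for p in packets:
        verdict, why = ingress_filter(p)
        if verdict == "accept":
            accepted.append(p)
        else:
            dropped.append((p, why))
    return accepted, dropped


# Constructed traffic sample.
SAMPLE = [
    # Smurf: echo request from outside to our broadcast, source forged as an outside victim
    Packet(OUTSIDE_IF, "203.0.113.5", "192.0.2.255", "icmp", icmp_type=8),
    # Smurf with the source forged as one of our own hosts (the anti-spoof rule fires first)
    Packet(OUTSIDE_IF, "192.0.2.10", "192.0.2.255", "icmp", icmp_type=8),
    # Fraggle: UDP to chargen at the broadcast address
    Packet(OUTSIDE_IF, "203.0.113.5", "192.0.2.255", "udp", dport=19),
    # Ordinary inbound web traffic
    Packet(OUTSIDE_IF, "198.51.100.7", "192.0.2.80", "tcp", dport=443),
    # An inside host pinging its own broadcast address: local, not this ACL's concern
    Packet(INSIDE_IF, "192.0.2.10", "192.0.2.255", "icmp", icmp_type=8),
]

if __name__ == "__main__":
    ok, bad = filter_batch(SAMPLE)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for pkt, reason in bad:
        print(f"  {pkt.src} -> {pkt.dst} ({pkt.proto}): {reason}")
```

The anti-spoofing rule is checked first on purpose: it is the one that protects hosts on other networks from being hit by packets forged in our name, which the directed-broadcast rule alone does not.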
Buffer Overflows
Computer systems do not fare well in ambiguous conditions. If the program has no explicit instructions for handling a
given input, the result can be a kernel panic or Blue Screen of Death (BSOD). A system can be destabilized simply by
making sure it cannot understand the answer to a question.
Fuzzing is a technique used to find buffer overflows that crash a system or provide backdoor access. The fuzzer sends
random or deliberately malformed strings of various lengths to an application and watches for crashes. Software
developers and vendors use the same technique to test for stability.
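A minimal fuzz harness of the kind described above, added here as an example (not from the original page). The target is a constructed toy parser with exactly the class of bug fuzzing is good at finding: it trusts a length field it never checks. The hardened version beside it shows the missing check, and the harness treats a clean ValueError rejection as handled rather than as a crash.

```python
import random
from typing import Callable, Dict, Tuple


def parse_record(data: bytes) -> Tuple[bytes, int]:
    """Constructed vulnerable target: byte 0 is the payload length, then the payload,
    then one trailing checksum byte. It trusts the length byte and never compares it
    with the real size of the buffer; that missing check is the bug to find."""
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]            # IndexError when the declared length lies
    return payload, checksum


def parse_record_fixed(data: bytes) -> Tuple[bytes, int]:
    """Hardened parser: validates the declared length before indexing."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if 1 + n + 1 > len(data):
        raise ValueError(f"declared length {n} exceeds buffer of {len(data)} bytes")
    return data[1:1 + n], data[1 + n]


def fuzz(target: Callable[[bytes], object], iterations: int = 2000,
         max_len: int = 64, seed: int = 1) -> Dict[str, bytes]:
    """Feed random byte strings of random length to target and keep the first input
    that triggers each distinct exception type. ValueError is the parser's own clean
    rejection and is not counted. Deterministic for a given seed so findings replay."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        length = rng.randint(1, max_len)
        sample = bytes(rng.randrange(256) for _ in range(length))
        try:
            target(sample)
        except ValueError:
            continue                        # input rejected properly
        except Exception as exc:            # anything else is a "crash"
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


if __name__ == "__main__":
    for name, fn in (("parse_record", parse_record), ("parse_record_fixed", parse_record_fixed)):
        found = fuzz(fn)
        print(f"{name}: {len(found)} crash type(s)")
        for exc_name, sample in found.items():
            print(f"  {exc_name} on {sample[:8].hex()}... (len {len(sample)})")
```

Because the length byte is uniform over 0-255 while inputs are at most 64 bytes, most random inputs declare more data than they carry, so the vulnerable parser falls over within the first few iterations; a real target needs structure-aware input generation to reach bugs that random bytes rarely hit.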
Ping of Death
An IP datagram cannot be larger than 65,535 bytes, because the Total Length field of the header is 16 bits (RFC 791).
The attacker uses fragmentation to disguise a datagram larger than that: the receiving host begins to reassemble the
fragments and does not realize the true size until the last fragment's offset plus its length puts it past the end of
the 64 KB reassembly buffer. IP cannot deal with this situation by itself, as it was designed to be a stateless,
unreliable protocol, and an implementation that does not check the bound overruns the buffer and crashes the system.
ICMP is often used in this attack because it is easy to put as much data as necessary into the data field of an echo
request, which is where the name "ping of death" comes from.
Teardrop
Fragmented packets are reassembled using the IPv4 Identification (IPID) field, the More Fragments (MF) flag and the
Fragment Offset field. Each fragment of a packet gets its own IP header, and the IPID field is the same in each,
indicating that they are all fragments of the same datagram. (The offset field counts 8-byte units rather than bytes,
so the byte position is the field value multiplied by 8; the illustration below uses byte counts for readability.)
The first fragment is called the "0th" fragment. Its MF flag is set and its offset is 0, which tells the receiver to
load the fragment at byte 0 of the reassembly buffer.
If the 0th fragment carries 1500 bytes, it occupies bytes 0 - 1499 of the buffer. The next fragment also has MF set,
with an offset of 1500; it is also 1500 bytes and occupies bytes 1500 - 2999. The next fragment has an offset of
3000. This continues until a fragment arrives with MF clear, indicating there are no more fragments to reassemble.
In a teardrop attack the offset fields are adjusted so that the fragments overlap when loaded into the buffer. If the
0th fragment is exactly 1500 bytes it occupies 0 - 1499 as normal, but the next fragment does not carry the expected
offset of 1500. The attacker sets it to a smaller value, perhaps 1200, so it is placed at byte 1200 and there is a
300-byte overlap where data is simply overwritten. The next fragment should have an offset of 2700 but is set to
2400 instead, and so on until MF clears.
The result is a datagram shorter than its fragments claim. On a vulnerable host the IP reassembly code is confused by
the overlap; in the original Linux bug the length of the overlapping piece was computed as a negative number and the
kernel crashed copying it. A variation of the teardrop attack, called the unarmed attack, increases the offset values
instead so that the datagram expands, leaving gaps between the fragments as they are loaded into memory.
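The reassembly rules above, and the three ways an attacker breaks them (overlap for teardrop, gaps for the expanding variation, and an oversized final fragment for the ping of death), as an added checker that is not code from the original page. Unlike the prose illustration it uses the real 8-byte offset units and the real 65,535-byte limit, so the teardrop sample here overlaps by 280 bytes rather than 300; all fragment sets are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

IP_HEADER_LEN = 20        # minimal IPv4 header, no options
MAX_DATAGRAM = 65535      # RFC 791: Total Length is a 16-bit field
OFFSET_UNIT = 8           # the Fragment Offset field counts 8-byte blocks


@dataclass(frozen=True)
class Fragment:
    ip_id: int      # Identification field, identical in every fragment of one datagram
    offset: int     # Fragment Offset field value, in 8-byte units (not bytes)
    mf: bool        # More Fragments flag
    data_len: int   # payload bytes carried by this fragment


def check_reassembly(fragments: Iterable[Fragment]) -> Tuple[str, str]:
    """Walk a fragment set in offset order and report how it would reassemble.

    Returns (status, detail) with status one of: ok, mixed_id, malformed,
    oversize (ping of death), overlap (teardrop), gap (expanding variation),
    incomplete (MF still set on the last fragment, so a real stack keeps waiting).
    """
    frags: List[Fragment] = sorted(fragments, key=lambda f: f.offset)
    if not frags:
        return "incomplete", "no fragments"
    ip_id = frags[0].ip_id
    if any(f.ip_id != ip_id for f in frags):
        return "mixed_id", "fragments carry different Identification values"

    expected_start = 0   # byte where the next fragment has to land
    for f in frags:
        start = f.offset * OFFSET_UNIT
        end = start + f.data_len          # first byte after this fragment
        if f.mf and f.data_len % OFFSET_UNIT:
            return "malformed", f"non-final fragment at {start} carries {f.data_len} bytes, not a multiple of 8"
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            return "oversize", f"fragment at {start} ends at byte {end}; datagram would exceed {MAX_DATAGRAM} bytes"
        if start < expected_start:
            return "overlap", f"fragment at {start} overlaps the previous one by {expected_start - start} bytes"
        if start > expected_start:
            return "gap", f"{start - expected_start}-byte hole before fragment at {start}"
        expected_start = end
    if frags[-1].mf:
        return "incomplete", "last fragment still has MF set"
    return "ok", f"{expected_start} bytes of payload reassembled"


# Constructed fragment sets (1480-byte payloads fit a 1500-byte MTU after the 20-byte header).
NORMAL = [Fragment(0x1a2b, 0, True, 1480), Fragment(0x1a2b, 185, True, 1480), Fragment(0x1a2b, 370, False, 600)]
TEARDROP = [Fragment(0x1a2b, 0, True, 1480), Fragment(0x1a2b, 150, False, 600)]    # 150*8 = 1200: overlaps by 280
EXPANDED = [Fragment(0x1a2b, 0, True, 1480), Fragment(0x1a2b, 200, False, 600)]    # 200*8 = 1600: 120-byte hole
PING_OF_DEATH = [Fragment(0x1a2b, 0, True, 1480), Fragment(0x1a2b, 8180, False, 200)]  # 65440+200 > limit
BAD_SIZE = [Fragment(0x1a2b, 0, True, 1500), Fragment(0x1a2b, 188, False, 100)]    # 1500 is not a multiple of 8

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("expanded", EXPANDED),
                        ("ping of death", PING_OF_DEATH), ("bad size", BAD_SIZE)):
        status, detail = check_reassembly(frags)
        print(f"{name:14s} {status:10s} {detail}")
```

Order of the checks matters: the size bound is tested before the overlap and gap tests so an oversized set is reported as such even when its fragments are also discontiguous, as in the ping-of-death sample, which jumps from byte 1480 straight to 65440.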
SYN Flood
Establishing and synchronizing a TCP connection takes a three-step handshake (SYN, SYN-ACK, ACK). In a SYN flood, the
attacker sends many SYN segments to begin handshakes but never finishes them with the final ACK. The target is left
holding a half-open connection for each one, waiting for it to move to the established state. These half-open
entries eventually time out, but if the attacker sends SYNs faster than entries expire, the listener's backlog fills
and new SYNs, including legitimate ones, are dropped. The attack consumes memory and connection-table state on the
target rather than bandwidth.
The attacker aims the SYNs at an open port on the target and increments the source port each time so that every SYN
is treated as a new connection. Since the return traffic is not needed, the source IP can be spoofed, which also makes
it difficult to determine where the attack originates. SYN cookies are the standard countermeasure: the server encodes
the connection state in its initial sequence number and allocates nothing until the final ACK arrives.
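A discrete simulation of the listener's half-open queue under the flood described above, added as an example (not from the original page). The backlog size, SYN rate and timeout values are assumptions chosen for illustration; what it shows is that the queue is exhausted once rate times timeout exceeds the backlog, which is why shortening the half-open timeout, enlarging the backlog, or keeping no state at all (SYN cookies) are the levers that matter.

```python
from collections import deque
from typing import Optional, Tuple


def simulate_syn_backlog(backlog: int, syn_per_sec: int, half_open_timeout_s: int,
                         duration_s: int) -> Tuple[Optional[int], int, int]:
    """One-second-step simulation of a listener's half-open (SYN) queue.

    Every second `syn_per_sec` SYNs arrive and none is ever completed with an ACK,
    so an entry leaves the queue only when its timeout expires.
    Returns (second_of_first_drop or None, peak_queue_depth, total_syns_dropped).
    """
    queue: deque = deque()              # expiry times of half-open entries, oldest first
    first_drop: Optional[int] = None
    peak = dropped = 0
    for t in range(duration_s):
        while queue and queue[0] <= t:  # timed-out entries free their slots
            queue.popleft()
        for _ in range(syn_per_sec):
            if len(queue) >= backlog:   # queue full: this SYN is silently dropped
                dropped += 1
                if first_drop is None:
                    first_drop = t
            else:
                queue.append(t + half_open_timeout_s)
        peak = max(peak, len(queue))
    return first_drop, peak, dropped


def saturates(backlog: int, syn_per_sec: int, half_open_timeout_s: int) -> bool:
    """Steady-state test: the queue holds syn_per_sec * timeout entries at once,
    so the flood wins whenever that product exceeds the backlog."""
    return syn_per_sec * half_open_timeout_s > backlog


if __name__ == "__main__":
    # Assumed parameters: a 1024-entry backlog and a 60 s half-open timeout.
    for label, rate, timeout in (("flood 500 SYN/s, 60 s timeout", 500, 60),
                                 ("normal 20 SYN/s, 10 s timeout", 20, 10)):
        first, peak, lost = simulate_syn_backlog(1024, rate, timeout, 120)
        print(f"{label}: first drop at t={first}, peak depth {peak}, dropped {lost}")
```

With 500 SYNs per second and a 60-second timeout the 1024-entry backlog is full at the third second and stays full, so nearly every later SYN is lost even though the attacker spends only a few hundred kilobits per second; the same backlog absorbs 20 SYNs per second indefinitely because entries expire as fast as they arrive.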
DoS Attack Tools
There are many DDoS attack tools used by attackers, some old and some new. Here is a brief list of seven of the most
commonly used (at least at the time of this publishing) tools in DDoS attacks.
- LOIC
- HOIC
- hping
- Slowloris
- R U Dead Yet? (R.U.D.Y.)
- #Refref
- Botnets as DDoS Attack Tools
LOIC - Low Orbit Ion Cannon (LOIC) is a simple flooding tool that can generate massive volumes of TCP, UDP or HTTP
traffic to put a server under heavy network load. It was also the "hacktivist" group Anonymous' initial tool of
choice. Praetox Technologies, LOIC's original developers, intended the tool for developers who wanted to subject their
own servers to heavy traffic for testing. Anonymous, however, used the open-source tool to launch coordinated DDoS
attacks. LOIC was later given its "Hivemind" feature, which lets a user point a copy of LOIC at an IRC server and
hand control to a master user, who can then send commands over IRC to every connected LOIC client simultaneously.
This configuration enabled much more effective DDoS attacks. LOIC does not obscure its users' IP addresses, however,
and this lack of anonymity led to the arrests of LOIC users around the world in 2011. Anonymous then broadcast a
message across its IRC channels: "Do NOT use LOIC."
HOIC - High Orbit Ion Cannon (HOIC) was used to target the U.S. Department of Justice in response to its decision to
take down Megaupload.com. HOIC is a simple cross-platform script for sending HTTP POST and GET requests, wrapped in a
GUI. Its effectiveness stems from add-on "booster" scripts, text files containing additional code that the main
application interprets when the attack is launched. Boosters let users specify lists of target URLs and vary the
identifying information (such as the User-Agent and Referer headers) in the attack traffic, which makes HOIC requests
harder to fingerprint and block. They do not make the attacker anonymous, however: HOIC completes a normal TCP
handshake with the target, so the real source address appears in the target's logs. HOIC continues to be one of the
DDoS attack tools used by Anonymous to launch attacks worldwide.
hping - hping is a command line utility similar to ping, but it offers far more than sending an ICMP echo request: it
can craft arbitrary TCP, UDP and ICMP packets. hping can send large volumes of TCP traffic (typically SYN segments)
to a target while spoofing the source IP address, either as random addresses or as a specific user-defined source.
This tool is among Anonymous' current DDoS attack tools of choice.
Slowloris - The low-and-slow DDoS attack types rely on easy-to-use tools that yield denial of service attacks which
are much harder to detect than floods. Slowloris, developed by the gray hat hacker known as 'RSnake', creates a DoS
condition on a server with very slow HTTP requests. By sending the HTTP headers to the target site in tiny chunks as
slowly as possible, and never sending the blank line that ends them, it forces the server to keep waiting for the rest
of the headers. If enough connections are held open this way, the server can no longer handle legitimate requests.
R U Dead Yet? (R.U.D.Y.) - This is another slow-rate DDoS attack tool. It achieves denial of service with long-form
HTTP POST submissions rather than the headers Slowloris uses. It declares a large Content-Length and then injects one
byte of the POST body at a time, so the application thread assigned to the request waits for a body that never
finishes arriving. R.U.D.Y. causes the target web server to hang while it waits for the rest of each HTTP POST. In
this way an attacker can hold many simultaneous connections to the server, ultimately exhausting its connection table
and causing a denial of service.
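Detection logic for the two slow-request patterns above, as an added example that is not code from Slowloris, R.U.D.Y. or the original page. It classifies a constructed snapshot of a server's connection table; the thresholds are assumptions to be tuned against real client behaviour.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Thresholds (assumptions for this example; tune to the server's real clients).
HEADER_DEADLINE_S = 20      # a complete request line + headers should arrive well inside this
MIN_BODY_RATE_BPS = 100     # body bytes/second below which an upload is suspiciously slow
MIN_AGE_FOR_RATE_S = 10     # don't judge throughput until the connection has lived this long
SLOW_CONNS_PER_SOURCE = 5   # more than this many slow connections from one address = attack


@dataclass(frozen=True)
class Conn:
    peer: str                # client address
    age_s: float             # seconds since accept()
    headers_complete: bool   # has the blank line that ends the headers arrived?
    content_length: int      # declared Content-Length (0 if none)
    body_received: int       # body bytes received so far
    body_rate_bps: float     # body bytes/second over the last measurement interval


def classify(c: Conn) -> str:
    """Label one connection: 'slowloris', 'rudy' or 'ok'."""
    if not c.headers_complete and c.age_s > HEADER_DEADLINE_S:
        # Slowloris: header bytes trickle in forever and the request never completes.
        return "slowloris"
    if (c.headers_complete and c.content_length > c.body_received
            and c.age_s > MIN_AGE_FOR_RATE_S and c.body_rate_bps < MIN_BODY_RATE_BPS):
        # R.U.D.Y.: a large declared POST body delivered a byte at a time.
        return "rudy"
    return "ok"


def find_attack_sources(conns: List[Conn]) -> Dict[str, int]:
    """Count slow connections per source and return the sources over the limit."""
    slow = Counter(c.peer for c in conns if classify(c) != "ok")
    return {peer: n for peer, n in slow.items() if n > SLOW_CONNS_PER_SOURCE}


# Constructed snapshot of a server's connection table.
SNAPSHOT = (
    [Conn("198.51.100.9", 45 + i, False, 0, 0, 0.2) for i in range(8)]                # Slowloris
    + [Conn("203.0.113.4", 30 + i, True, 1_000_000, 60 + i, 1.0) for i in range(7)]   # R.U.D.Y.
    + [Conn("192.0.2.33", 1.2, True, 0, 0, 0.0),                                       # normal GET
       Conn("192.0.2.34", 12.0, True, 5_000_000, 3_800_000, 300_000.0),                # real upload
       Conn("192.0.2.35", 25.0, False, 0, 0, 0.0)]                                     # one stalled client
)

if __name__ == "__main__":
    for c in SNAPSHOT:
        print(f"{c.peer:14s} age {c.age_s:5.1f}s -> {classify(c)}")
    print("sources over limit:", find_attack_sources(SNAPSHOT))
```

A single stalled connection (the 192.0.2.35 entry) is classified as slow but not reported, because the per-source count is what separates an attack from a bad mobile link. Apache's mod_reqtimeout applies the same two ideas at the server itself with a directive of the form RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500: a deadline for the headers and a minimum data rate for the body.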
#RefRef - #RefRef, another tool in Anonymous' arsenal, relies on SQL injection vulnerabilities in the target's web
application. Through the injection, #RefRef makes the target's database call a SQL function that evaluates an
expression repeatedly (MySQL's BENCHMARK() function behaves this way). The non-stop execution of a few lines of code
consumes the database server's CPU and results in denial of service.
Unlike LOIC or HOIC, #RefRef does not need a large number of machines to take down a server, because the
amplification happens on the target: if the server's backend uses SQL and is injectable, only a few machines are
needed to cause a significant outage. While developing the tool, Anonymous ran #RefRef from a single machine and
caused outages on various sites for minutes at a time. For example, a 17-second attack on Pastebin took the site
offline for 42 minutes.
Botnets, the Other DDoS Attack Tool - Regardless of the DDoS attack tools used, the ability to launch an attack from
hundreds, thousands or millions of computers amplifies its potential to cause denial of service, which is why botnets
are so commonly used. Botnets are large collections of compromised computers, often referred to as zombies, infected
with malware that lets an attacker control them. Botnet owners, or herders, control the machines through a covert
channel such as IRC, issuing commands to perform malicious activities such as DDoS attacks, distribution of spam and
theft of Personally Identifiable Information.
Creating the DDos Traffic
A Distributed Denial of Service (DDoS) attack happens when multiple attackers focus their efforts on a single network,
domain or host. Combining reflection and amplification techniques with a large group of hosts under the attacker's
control, the attacker can generate enough traffic to make services unreachable for anywhere from a few hours to
several days.
Reflection is when traffic is aimed at a third-party host, the reflector, with the IP address of the intended target
given as the source. The reflector sends its replies to the target, which, from the reflector's position, appears to
be the sender. Good reflectors include DNS servers, HTTP servers and most routers, because they will always respond
to certain types of traffic.
Other amplification attacks send DNS requests for random names, to which there is no answer, into a chain of servers
that support recursive queries. Each DNS server asks its neighbor, generating yet more traffic; as many as 74
additional UDP packets can result from a single request.
Backscatter is the traffic that reflects off the victim and heads back toward the apparent source. Tracing backscatter
to determine the source of a DDoS attack is difficult but not impossible. Once a reflector attack is discovered, the
next step is to determine its origin, which is the initial sender. The packets the attacker sent to the reflector
carry the victim's address as their source but physically arrived from the attacker's network; if that traffic can be
captured and associated with the spoofed packets used in the DDoS attack, the real source can be determined. For this
reason attackers often send their packets via a proxy server or use a multi-tiered botnet.
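A detector for reflected DNS traffic arriving at the victim, added here as an example (not from the original page). It rests on the observation above: a reply is only legitimate if we sent the matching query, so responses with no matching query are reflections, and their sources are the reflectors being abused. The capture records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsPacket:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int       # DNS transaction ID
    qr: int         # 0 = query, 1 = response
    size: int       # UDP payload bytes


def unsolicited_responses(packets: List[DnsPacket]) -> List[DnsPacket]:
    """Return DNS responses seen at our edge that match no query we sent.

    A reply is legitimate only if we earlier sent a query from (dst, dport) to
    (src, sport) with the same transaction ID. Replies with no such query were
    provoked by someone else using our address as the source: reflected traffic.
    """
    sent = {(p.src, p.sport, p.dst, p.dport, p.txid) for p in packets if p.qr == 0}
    return [p for p in packets
            if p.qr == 1 and (p.dst, p.dport, p.src, p.sport, p.txid) not in sent]


def reflection_report(packets: List[DnsPacket]) -> Dict[str, Tuple[int, int]]:
    """Per reflector (response source address): (unsolicited packets, bytes)."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for p in unsolicited_responses(packets):
        totals[p.src][0] += 1
        totals[p.src][1] += p.size
    return {src: (count, size) for src, (count, size) in totals.items()}


# Constructed capture at the victim's edge; 192.0.2.53 is the victim's resolver.
CAPTURE = [
    # Our resolver's own lookup and the matching answer.
    DnsPacket("192.0.2.53", 40001, "198.51.100.1", 53, 0x1a2b, 0, 45),
    DnsPacket("198.51.100.1", 53, "192.0.2.53", 40001, 0x1a2b, 1, 120),
    # Answers from open resolvers to queries we never sent (source forged as us).
    DnsPacket("203.0.113.10", 53, "192.0.2.53", 40001, 0x7777, 1, 3200),
    DnsPacket("203.0.113.10", 53, "192.0.2.53", 40002, 0x7778, 1, 3200),
    DnsPacket("203.0.113.11", 53, "192.0.2.53", 40003, 0x7779, 1, 2900),
]

if __name__ == "__main__":
    for reflector, (count, size) in reflection_report(CAPTURE).items():
        print(f"reflector {reflector}: {count} unsolicited responses, {size} bytes")
```

The matching key deliberately includes the transaction ID and both port pairs: a reflector's answer to a forged query reuses our address and sometimes a plausible port, but it cannot know the ID of a query we did not send. The report names the reflectors, not the attacker; finding the attacker still requires the capture on the reflector's side described above.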
DDoS attacks can be unintentional as well. For instance, should a website become overloaded with traffic due to receiving
more traffic than it has been designed to handle, it can be brought down. This can happen if, for instance there is a
major breaking news event in the works and the news site reporting it is flooded with visitors wanting to read about the
breaking news. An unexpected influx of visitors may be more than the server can handle and will be brought down.
The DDoS Network Structure
Zombies, also known as agents (in the more complex networks an intermediate layer of handlers sits between them and
the attacker), are used to build the DDoS network. They are "commanded" from a central location called the Command
and Control (C&C).
Zombies are usually created with malware. Trojan Horse applications, malware injected through buffer overflow
exploits, and scripts and executable files "dropped" by worm spreaders are some of the most common vectors. Rootkits
can also be used to hide the processes and library files that reside on an infected system.
The DDoS network can have several levels of hierarchical control. Handlers receive commands from the attacker at the
C&C and in turn command a number of agents. This multi-tiered approach gives the attacker finer control over the
network's activities and lets the attacker launch DDoS attacks from different locations, staggered in time or all at
once for an all-out assault.
Again, analyzing the backscatter becomes difficult because the apparent source of the attack keeps changing, and the
reflectors can be the same or change as well. For example, a small DDoS network of 100,000 machines is divided into
ten segments of 10,000 machines. The attacker need only communicate directly with ten handlers, which then tell each
agent to bounce traffic off of 100,000 reflectors.
The arithmetic multiplies quickly: if each of the 100,000 agents sends just 10,000 packets through the reflectors,
1,000,000,000 packets arrive at the target, which in turn may try to respond to each one, at a minimum doubling the
packets on its local network segment.
Botnets
The Evolution of Botnets
Botnets began as an effort to automate repetitive activity on the Internet Relay Chat (IRC) network. The owner of a
chat room would create a robot so that the owner did not have to be present 24 hours a day. One of the first examples
was the GM bot, which could actually play a game, "Hunt the Wumpus," with real users.
The Pretty Park worm spread the first malicious botnet and was famous for displaying the 3D Pipes screen saver on
infected hosts. This bot could steal information and receive updates from the botherder (the user that owned or
collected the botnets).
The next botnet to arrive was SubSeven, which included features common to Remote Access and Administration Tools
(RATs). Most botnets at this time were being collected via Trojans: users were sent emails with malicious attachments
and, through clever social engineering, convinced to run the code. Another deployment method for malicious code was
Instant Messaging Spam (SPIM).
It was soon realized that DDoS attacks were far from the only reason to set up a botnet, and SDBot took botnets to a
whole new level. Its author provided source code and tools for creating illicit servers. Within a short time a small
community of contributors had produced variants that added new spreading vectors and other capabilities.
The Agobot malware added a multistage approach with modular code that could be updated on command. The first stage
creates a backdoor and contacts the Command and Control chat room. The second stage downloads a module that turns off
or blocks anti-malware scanners and firewalls. The third stage downloads a module that blocks the host from reaching
update sites and online security sites. Agobot's modular nature meant that more and more variants could be created,
giving an almost endless number of combinations of spreaders and payloads.
In 2004 a large botnet was built by a team of Dutch hackers paid by a Lithuanian organized crime group. Their
reasoning was that if the mob could make money with a botnet, so could they. They began to use their botnet to
distribute adware for 180Solutions, which at the time was under fire and suffering bad public relations because of
its use of spam and peer-to-peer networks in its advertising services.
Once 180Solutions changed its policy to exclude botnet delivery and refused to pay the hackers, the hackers launched
a DDoS attack against the company in an attempt to extort payment. The FBI became involved, the hackers were caught,
and a civil suit was filed against them.
Botnets grow out of a mix of commercial interests, organized crime and cyber warfare. The main question is no longer
simply how many machines can be herded, but how powerful the malware is and what purpose the botnet will serve.
Botnets are sold or rented by the hour, and botherders battle each other for ownership of a C&C. Storm and Conficker
were sophisticated enough to adapt to many defensive efforts: they encrypted their traffic and used proxy chains to
make it difficult for researchers to work out where the C&C was and what the botnet was up to. Today some botnets can
be updated and patched and given new capabilities, like any other software.
Defense Against Botnet Attacks
The two-step approach to defending against DDoS attacks is, one, do not make enemies, and two, do not be cheap when
buying the hardware for your network perimeter. Your best defense against a DDoS attack is a well-designed network.
Most of the damaging DDoS attacks happened because the attacker was trying to make a point and get attention, or
felt insulted and wanted revenge. Once a DDoS has begun it is difficult to stop. Usually the ISP has to become
involved, but most are reluctant to do so. DDoS attacks are a waste of resources and usually affect many networks,
not just the target.