Introduction

Distributed denial of service (DDoS) attacks differ from ordinary denial of service (DoS) attacks mainly in the extra "D," which stands for "distributed." A DDoS attack is launched from many machines at once, usually PCs that have been infected with a virus or trojan so that a "bot herder" can control them and gather them into a single collective, the botnet. The attacker then issues commands to the collective, and the machines attack a chosen target without their owners noticing. The following diagram illustrates this concept:





There are many different types of DDoS attacks. In this presentation, we will go over the main ones. I feel people learn more by doing than by seeing, which is why, before I talk about an attack, I will demo its implementation and its effectiveness.


Attack Techniques

DDoS Amplification Attack - Demo

In an amplification attack the attacker sends a small request to a publicly reachable server (for example an open DNS resolver or an NTP server) with the source address forged to be the victim's. The server answers the request, but its much larger response is delivered to the victim, not to the attacker. The ratio of response size to request size is the amplification factor, and the attacker spreads requests across many such reflectors, so the more reflectors involved, the more traffic the victim receives per byte the attacker sends. The reflectors are not compromised machines: they are misconfigured or unauthenticated UDP services that answer anyone, so the "bot herder" and "zombie" terms from the introduction do not apply to them. The attack works only because the attacker's upstream network does not drop packets with forged source addresses (ingress filtering, BCP 38).
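Both ends of the defence against the attack described above, as an added example that is not part of the original presentation: the victim side looks for a destination that is hearing from many distinct reflector-service ports in large datagrams, and the operator side applies the BCP 38 check by flagging outbound packets whose source address is not in its own prefixes. The flow records, the 192.0.2.0/24 "our prefix", and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors (server port -> name).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp",
                   1900: "ssdp", 11211: "memcached"}

# Constructed NetFlow-style records, not real captures. Fields:
# src,sport,dst,dport,proto,packets,bytes
INBOUND_FLOWS = """\
198.51.100.10,53,203.0.113.7,44321,udp,40,120400
198.51.100.11,53,203.0.113.7,44321,udp,38,114000
198.51.100.12,123,203.0.113.7,44321,udp,60,28800
198.51.100.13,123,203.0.113.7,44321,udp,55,26400
198.51.100.14,53,203.0.113.7,44321,udp,42,126000
192.0.2.50,443,203.0.113.7,51000,tcp,120,96000
198.51.100.20,53,203.0.113.9,35000,udp,3,900
"""

# Constructed records leaving the attacker's network: the forged requests.
OUTBOUND_FLOWS = """\
203.0.113.7,44321,198.51.100.10,53,udp,1000,60000
192.0.2.8,5353,198.51.100.10,53,udp,2,120
"""

# Address space this network legitimately originates traffic from (assumed).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_flows(text):
    """Turn the CSV-style records into dicts with numeric fields."""
    rows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, pkts, nbytes = line.split(",")
        rows.append({"src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "proto": proto,
                     "packets": int(pkts), "bytes": int(nbytes)})
    return rows


def find_reflection_targets(flows, min_reflectors=3, min_bytes_per_pkt=400):
    """Victim side: group inbound UDP flows that come *from* reflector service
    ports by destination. A host hearing from many distinct reflectors, in
    large datagrams, is almost certainly the spoofed target."""
    per_dst = defaultdict(lambda: {"srcs": set(), "services": set(),
                                   "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        agg = per_dst[f["dst"]]
        agg["srcs"].add(f["src"])
        agg["services"].add(REFLECTOR_PORTS[f["sport"]])
        agg["bytes"] += f["bytes"]
        agg["packets"] += f["packets"]
    hits = {}
    for dst, agg in per_dst.items():
        bpp = agg["bytes"] / agg["packets"]
        if len(agg["srcs"]) >= min_reflectors and bpp >= min_bytes_per_pkt:
            hits[dst] = {"reflectors": len(agg["srcs"]),
                         "services": sorted(agg["services"]),
                         "bytes": agg["bytes"], "bytes_per_pkt": round(bpp, 1)}
    return hits


def spoofed_egress(flows, our_prefixes=OUR_PREFIXES):
    """Operator side (BCP 38): outbound packets whose source address is not
    ours cannot be legitimate and are exactly the forged requests that start
    a reflection attack. Dropping them at the edge stops it at the source."""
    return [f for f in flows
            if not any(ipaddress.ip_address(f["src"]) in net for net in our_prefixes)]


def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker sends."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    print(find_reflection_targets(parse_flows(INBOUND_FLOWS)))
    print([f["src"] for f in spoofed_egress(parse_flows(OUTBOUND_FLOWS))])
    print(amplification_factor(60, 3000))   # a 60-byte query answered by 3 kB
```

In the constructed data the victim 203.0.113.7 receives roughly 1.8 kB per datagram from five reflectors, while the single outbound flow carrying its address sends 60-byte requests: the size gap between those two numbers is the amplification the attacker is buying.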



ICMP flood

A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to every host on a particular network via the network's broadcast address, rather than to a specific machine. The network then serves as a smurf amplifier. The perpetrators send large numbers of ICMP echo request packets to the broadcast address with the source address forged to be the victim's, so every host on that network answers the victim at once. The victim's bandwidth is quickly used up, preventing legitimate packets from getting through. To combat this, services like the Smurf Amplifier Registry let network service providers identify misconfigured networks and take action such as filtering; modern hosts also ignore echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1) and routers drop directed broadcasts by default, which removes the amplifier.

A ping flood sends the victim an overwhelming number of ICMP echo request packets, usually with the ping command on a Unix-like host (ping -f sends as fast as replies return or 100 per second, whichever is more, and needs root). The Windows ping -t flag only repeats until interrupted, so it is much less capable of overwhelming a target, and the Windows -l (size) flag does not allow a payload larger than 65500 bytes. The attack is very simple to launch; the primary requirement is access to more bandwidth than the victim has. A ping of death instead sends the victim a malformed echo request: an ICMP packet fragmented so that the reassembled datagram exceeds the 65,535-byte IPv4 maximum, which crashed older operating systems when they tried to reassemble it.




SYN flood - Demo

A SYN flood occurs when a host sends a flood of TCP SYN packets, often with forged source addresses. The server treats each one as a connection request: it allocates a half-open connection entry, replies with a SYN-ACK, and waits for the final ACK of the three-way handshake from the source address. Because the source address is forged (or the sender simply never answers), that ACK never comes. The half-open entries fill the server's listen backlog, so new legitimate SYNs are dropped until the entries time out or the attack ends. The standard defence is SYN cookies: the server encodes the connection state into the initial sequence number of its SYN-ACK instead of storing it, and only allocates state when a valid ACK comes back.
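The SYN cookie defence described above, as an added example that is not part of the original presentation or of any particular TCP stack: the server's initial sequence number packs a 5-bit time counter, a 2-bit MSS index and a 25-bit keyed MAC over the 4-tuple and the client's ISN, so nothing is stored per SYN, and the final ACK is validated by recomputing the MAC. The secret, the 64-second counter, the MSS table and the 5/2/25 bit layout are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import struct
import time

# Hypothetical server secret. A kernel keeps this private and rotates it.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = (536, 1220, 1440, 1460)   # 2-bit index -> MSS the cookie can remember
MASK32 = 0xFFFFFFFF
MAC_BITS = 25


def current_counter():
    """5-bit time counter that advances every 64 seconds."""
    return (int(time.time()) // 64) & 0x1F


def _mac(src, dst, sport, dport, client_isn, counter, mss_idx):
    """Keyed MAC over the 4-tuple, the client's ISN, the counter and the MSS
    index, truncated to the low 25 bits of the server ISN."""
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHIBB", sport, dport, client_isn, counter, mss_idx))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_syn_cookie(src, dst, sport, dport, client_isn, client_mss, counter):
    """Server ISN for the SYN-ACK: 5-bit counter | 2-bit MSS index | 25-bit MAC.
    The server stores nothing; the half-open state lives inside this number,
    so a flood of SYNs with forged sources allocates nothing on the server."""
    fits = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = fits[-1] if fits else 0
    counter &= 0x1F
    mac = _mac(src, dst, sport, dport, client_isn, counter, mss_idx)
    return ((counter << 27) | (mss_idx << MAC_BITS) | mac) & MASK32


def check_syn_cookie(src, dst, sport, dport, seq, ack, now_counter, max_age=2):
    """Validate the handshake's final ACK (seq = client ISN + 1, ack = cookie + 1).
    Returns the MSS to use for the connection, or None if the cookie is stale,
    forged, or belongs to a different 4-tuple. Only now is state allocated."""
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    counter = cookie >> 27
    mss_idx = (cookie >> MAC_BITS) & 0x3
    if ((now_counter & 0x1F) - counter) & 0x1F > max_age:
        return None                       # expired; a real client just retries
    expected = _mac(src, dst, sport, dport, client_isn, counter, mss_idx)
    got = cookie & ((1 << MAC_BITS) - 1)
    if not hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", got)):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed handshake: client 203.0.113.5:40000 -> server 192.0.2.80:80
    c_isn, counter = 0x1234ABCD, current_counter()
    cookie = make_syn_cookie("203.0.113.5", "192.0.2.80", 40000, 80, c_isn, 1460, counter)
    # The client's ACK carries seq = c_isn + 1 and ack = cookie + 1
    print(check_syn_cookie("203.0.113.5", "192.0.2.80", 40000, 80,
                           c_isn + 1, (cookie + 1) & MASK32, counter))
```

The trade-off is visible in the layout: only a few TCP options fit in the cookie (here just a coarse MSS), which is why stacks enable cookies only once the backlog is under pressure rather than for every connection.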


Teardrop attacks

A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems because of a bug in their IP fragmentation reassembly code; unlike a flood, a handful of packets is enough. Windows 3.1x, Windows 95 and Windows NT, as well as Linux versions prior to 2.0.32 and 2.1.63, are vulnerable to this attack. Around September 2009, a vulnerability in Windows Vista was referred to as a "teardrop attack," but that attack targeted SMB2, a higher layer than the IP fragments teardrop used.
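Both the ping of death in the ICMP flood section and the teardrop attack above are reassembly problems, so one check covers them. The following is an added example, not code from the original presentation or from any operating system: it parses IPv4 fragment headers, groups fragments by (src, dst, id, protocol), and reports a fragment that starts inside bytes an earlier fragment already covers (teardrop) or a claimed end past 65535 bytes (ping of death). The fragment trains and addresses are constructed for the example and the IP checksum is left at zero.

```python
import socket
import struct
from collections import defaultdict

IPV4_MAX = 65535          # largest datagram the total-length field can describe
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_fragment(src, dst, ident, offset, payload, more=True, proto=1):
    """Build one IPv4 fragment (constructed test data; checksum left as 0).
    offset is in bytes and must be a multiple of 8, as the header encodes it."""
    assert offset % 8 == 0 and offset // 8 <= 0x1FFF
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_fragment(pkt):
    """Return the byte range this fragment claims inside the reassembled datagram."""
    ver_ihl, _, total, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_frag & 0x1FFF) * 8
    return {"key": (socket.inet_ntoa(src), socket.inet_ntoa(dst), ident, proto),
            "start": start, "end": start + (total - ihl),
            "more": bool(flags_frag & 0x2000)}


def check_fragments(packets):
    """Pre-reassembly sanity check. For each (src, dst, id, proto) group report
    'overlap' when a fragment starts inside bytes an earlier one already covers
    (teardrop) and 'oversize' when the claimed end passes the 65535-byte limit
    (ping of death). A stack that applies this check drops instead of crashing."""
    groups = defaultdict(list)
    for pkt in packets:
        frag = parse_fragment(pkt)
        groups[frag["key"]].append(frag)
    findings = {}
    for key, frags in groups.items():
        problems = set()
        covered_end = 0
        for frag in sorted(frags, key=lambda f: f["start"]):
            if frag["start"] < covered_end:
                problems.add("overlap")
            if frag["end"] > IPV4_MAX:
                problems.add("oversize")
            covered_end = max(covered_end, frag["end"])
        if problems:
            findings[key] = sorted(problems)
    return findings


def demo_packets():
    """Three constructed fragment trains: benign, teardrop, ping of death."""
    src, dst = "198.51.100.1", "203.0.113.5"
    return [
        ipv4_fragment(src, dst, 1, 0, b"A" * 8),
        ipv4_fragment(src, dst, 1, 8, b"B" * 8, more=False),
        ipv4_fragment(src, dst, 2, 0, b"C" * 32),                  # covers bytes 0..31
        ipv4_fragment(src, dst, 2, 16, b"D" * 16, more=False),     # starts inside them
        ipv4_fragment(src, dst, 3, 65528, b"E" * 16, more=False),  # ends at 65544
    ]


if __name__ == "__main__":
    print(check_fragments(demo_packets()))
```

The ping of death case uses the largest encodable offset (0x1FFF * 8 = 65528) with more than seven bytes of payload, which is exactly the shape that pushed the original reassembly code past its buffer.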


Low-rate Denial-of-Service attacks - Demo

A low-rate DoS (LDoS) attack exploits the slow time scale of TCP's retransmission timeout (RTO) mechanism to cut TCP throughput. The attacker sends short, high-rate bursts that fill the bottleneck queue just long enough for the victim's segments to be dropped, then goes quiet. Each drop forces the victim's flow into RTO back-off; if the bursts repeat with a period matched to the minimum RTO (one second in RFC 6298), the retransmission lands in the next burst and is lost again, so the flow rarely leaves the timeout state. Throughput at the attacked node collapses while the attacker's average rate stays low (burst length divided by period), which makes the attack hard to detect with rate thresholds.
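The timing argument above, worked through as an added example that is not part of the original presentation: a discrete model of one TCP flow whose segments are dropped whenever they meet an attacker burst, with exponential RTO back-off between losses. The burst length, the 1-second minimum RTO, the 10 ms send interval and the 30-second run are assumptions chosen to make the effect visible; the model is constructed, not a capture.

```python
def simulate_ldos(period_ms, burst_ms=100, duration_ms=30_000, dt_ms=10,
                  min_rto_ms=1000, max_rto_ms=64_000):
    """Discrete model of one TCP flow sharing a bottleneck with a square-wave
    attacker (constructed model, not a packet capture).

    The victim sends one segment every dt_ms while not in timeout. A segment
    that falls inside an attacker burst is dropped (the burst fills the queue);
    the loss puts the sender into RTO, and every consecutive loss doubles the
    RTO up to max_rto_ms, as RFC 6298 prescribes. A delivered segment resets
    the RTO to its minimum.

    Returns (fraction of the undisturbed send slots that delivered,
             attacker duty cycle = burst_ms / period_ms).
    """
    slots = duration_ms // dt_ms
    t, rto, delivered = 0, min_rto_ms, 0
    while t < duration_ms:
        if t % period_ms < burst_ms:        # segment meets a burst: lost
            t += rto                         # wait out the timeout ...
            rto = min(rto * 2, max_rto_ms)   # ... and back off exponentially
        else:
            delivered += 1
            rto = min_rto_ms
            t += dt_ms
    return delivered / slots, burst_ms / period_ms


def sweep(periods_ms=(500, 1000, 1500, 2000, 3000, 5000)):
    """Throughput left to the victim for a range of burst periods."""
    return {p: simulate_ldos(p) for p in periods_ms}


if __name__ == "__main__":
    for period, (throughput, duty) in sweep().items():
        print(f"period {period:5d} ms  attacker duty {duty:.2f}  "
              f"victim throughput {throughput:.2f}")
```

With the period equal to the minimum RTO, every retransmission hits the next burst and the victim delivers nothing while the attacker is transmitting only 10% of the time; stretching the period to three seconds leaves the victim two thirds of its throughput even though the attacker is now cheaper still. The attack is a resonance with the RTO, not a matter of volume.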


Peer-to-peer attacks - Demo

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer DDoS attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks: there is no botnet, and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second. With a moderately large peer-to-peer attack, a site could potentially be hit with up to 750,000 connections in short order, and the targeted web server is tied up handling the incoming connections.

While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a large-scale attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment where the connection is opened on the server side before the signature itself comes through. Only once the connection is opened to the server can the identifying signature be sent and detected, and the connection torn down. Even tearing down connections takes server resources and can harm the server.

This method of attack can be prevented by specifying in the peer-to-peer protocol which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited.
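The signature-based mitigation and its limitation described in the two paragraphs above, as an added example that is not part of the original presentation: a web server front end classifies the first bytes each connection sends, serves HTTP, closes everything else, and only after repeated non-HTTP preambles from one address moves it to a block list consulted before the read. The Direct Connect preamble (`$MyNick ...|$Lock ...|`) is an assumption about the DC++ wire format used here as the signature; the addresses, payloads and threshold are constructed.

```python
from collections import Counter

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def classify_preamble(first_bytes):
    """Label the first bytes a client sends after the TCP connection is up.
    Direct Connect (NMDC) clients open with '$MyNick <nick>|$Lock ...|'
    (an assumption about the DC++ wire format, used here as the signature)."""
    if first_bytes.startswith((b"$MyNick ", b"$Lock ")):
        return "dc"
    parts = first_bytes.split(b" ", 2)
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


class PreambleFilter:
    """Signature-based mitigation for connection floods from redirected peers.

    The signature is only visible after accept() and a read, so every first
    contact from an address still costs the server a socket, a read and a
    close. Addresses that keep sending non-HTTP preambles go on a block list
    consulted before the read, which is the only point where rejection is cheap."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.strikes = Counter()
        self.blocked = set()

    def handle(self, ip, first_bytes):
        if ip in self.blocked:
            return "rejected"          # dropped at accept time, nothing read
        if classify_preamble(first_bytes) == "http":
            return "serve"
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.threshold:
            self.blocked.add(ip)
        return "closed"                # accepted, read, torn down: real cost


def run_events(events, threshold=3):
    """Replay (ip, first_bytes) connection attempts and tally the outcomes."""
    filt = PreambleFilter(threshold)
    return Counter(filt.handle(ip, data) for ip, data in events)


# Constructed connection attempts: a redirected DC++ peer hammering the web
# server, a legitimate browser, and a client that starts TLS on the plain port.
SAMPLE_EVENTS = (
    [("198.51.100.7", b"$MyNick peer42|$Lock EXTENDEDPROTOCOL...|")] * 5
    + [("192.0.2.33", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
    + [("192.0.2.34", b"\x16\x03\x01\x02\x00")]
)

if __name__ == "__main__":
    print(run_events(SAMPLE_EVENTS))
```

The tally makes the cost visible: the redirected peer is rejected cheaply only from its fourth attempt onward, and with hundreds of thousands of distinct peers each address gets its "free" strikes before the list catches it, which is why the text says signatures identify the attack easily but do not by themselves stop it.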




The Distributed Denial of Service (DDoS) Intelligence Gap

The major problem with DDoS attacks does not exist entirely within the attacks themselves, rather it is the lack of intelligence within the information systems security community. Every day the media reports on DDoS attacks, outlines trends, creates infographics, and touts the latest in protection technologies. At the time of this writing there were about 1970 articles written or syndicated in the past week on these very topics. You see, the actual problem is that the vast majority of DDoS mitigation intelligence was created by, or derived from, vendors of DDoS mitigation solutions.

In essence, there is very limited independently verifiable data available concerning the actual size and frequency of DDoS attacks. Even the most respected journalists and security experts are forced to rely on hearsay or on potentially biased reports, whitepapers, and presentations. As a result, much of what is known about DDoS today has been shaped by interested parties rather than by independent research.




Historical Observations

The earliest DDoS attacks can be traced back to CERT Incident Note 99-04 from Thursday, July 22nd, 1999, detailing a vulnerability where backdoors could be installed on servers using remote procedure calls. This eventually led to CERT Incident Note 99-07, detailing "trinoo" and "Tribe Flood Network," the first known DDoS malware. On Wednesday, December 8th, 1999, Black Lotus was formed as a security think tank with the goal of solving the DDoS problem.

At the time, there was no known solution for mitigating a DDoS attack. Bandwidth was very expensive (prices of $500 to $1,000 per Mbps were not uncommon, against today's wholesale rates of $2 to $10 per Mbps). As a result, victims of DDoS attacks were vilified and prohibited from conducting business with any host or ISP that saw them as a risk. The goal of Black Lotus was to counter this logic by identifying the missing piece of the puzzle. In the following years, DDoS and its mitigation remained very rudimentary: most attacks were less than 100 Mbps in total size and could be filtered by hand, so long as the ISP was willing to absorb the cost of the bandwidth (which was generally not the case).

Today, DDoS attacks are far more complex, often reaching gigabits per second (Gbps) and millions of packets per second (Mpps). While it is possible to combat these threats on highly capable networks with in-house capabilities or DDoS mitigation appliances, many businesses turn to service providers for a more rapidly deployable solution. Despite years of development, there are still very few providers capable of effectively defending their customers against DDoS attacks. Black Lotus is at the forefront of DDoS mitigation technology, with zero-day detection and mitigation that remains on the bleeding edge.




The Importance of Layer 7 Heuristics

Generally speaking, DDoS mitigation techniques can be viewed as either signature based or heuristic based. With a signature-based approach, attack traffic is automatically dropped by a purpose-built packet filter once the attack is identified by its unique fingerprint, much as viruses are detected on PCs using virus definition files. Despite being the most common method of DDoS mitigation, this has inherent flaws when relied upon exclusively. "Zero-day" attacks, those which are previously unknown, strike frequently and will bypass a signature-based appliance until the signature has been updated.