Distributed Denial-of-Service Attacks
By lovedude
@lovedude (4447)
India
February 24, 2011 5:23am CST
A Denial-of-Service (DoS) attack is mounted with the objective of causing a negative impact on the performance of a computer or network. It is also known as a network saturation attack or bandwidth consumption attack. Attackers mount Denial-of-Service attacks by sending a large number of protocol packets to a network. A DoS attack can cause the following to occur:
* Saturate network resources.
* Disrupt connections between two computers, thereby preventing communications between services.
* Disrupt services to a specific computer.
I mentioned earlier that DDoS attacks depend on getting the DDoS client to run on a wide range of machines. The usual trick is to package it as a "Trojan horse", an innocuous-looking but secretly malicious program that unsuspecting people will run. The key word is "unsuspecting". Many computer users don't think twice about running executable programs or attachments that they get from unknown sources, especially if they think that the program they've downloaded will give them something (like lottery winnings) for nothing. For example, I know of one DDoS attacker who would pose in AOL chat rooms as a teenage girl, offering self-running slide shows of "herself" to people who chatted with her. Of course, the "slide show" was actually a disguised Trojan; over time, this attacker was able to bag a large number of DDoS clients to do his bidding. Of course, someone who's trying to build an arsenal of DDoS clients doesn't want to waste time sending Trojans to well-educated security professionals; better to send them to people who will run the malicious code without a second thought, especially if they aren't likely to notice that their machine is infected.
Once a Trojan is activated, one of the first things it typically does is register its presence somewhere, usually by sending TCP/IP packets to a well-known destination. The popular SubSeven Trojan registers itself by sending messages to an attacker-selected IRC channel. These registration messages usually indicate the IP address of the zombied machine, and they may include some useful information like the apparent bandwidth between the zombie and a preselected target.
Once a machine is infected, it typically stays that way. Depending on the Trojan, it may actively attempt to disguise itself (as with the recent Code Red variant that added a second, bogus copy of explorer.exe to infected machines), or it may depend on user inattention to stay hidden. Whenever the attacker desires to, he can send a trigger command to one, or all, infected zombies; that command will tell the Trojan to attack a designated target by sending it lots of packets. The Trojan may also attempt to spread itself, and many Trojans offer an attacker direct remote control of a compromised machine.
Many web hosting companies are facing this issue.
Defense
If you are the target of a large distributed DoS attack, there are so far no good ways to defend yourself. Several well-known Internet sites have been completely cut off by DoS attacks recently, including Yahoo.com [5].
If the attack comes from the outside, then you might defend your server by disallowing requests from the servers that put a strain on your bandwidth. By setting the threshold low for those connections (e.g. allowing a maximum number of requests per minute) you will eventually be able to cut yourself free from the attacks.
The only other way is to migrate to a different IP block altogether, meaning all your customers have to change their site's DNS entries at their respective Domain Name Servers. But that is a worst-case scenario and very rarely done.
If your systems have been compromised and attackers are running masters or slaves on your systems, you must take immediate action to fix the security holes that were used to compromise your system [2]. Your systems may be actively participating in DoS attacks as long as the processes exist.
The only way to completely eliminate this kind of attack is to decrease the number of systems that can be compromised to a level that is too low for attackers to set up large distributed DoS networks.
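The per-source threshold described in the post ("a maximum number of requests per minute") is easy to turn into detection logic over a web server's access log. The block below is an added example, not code from the post or its author: it parses constructed Apache/nginx combined-format log lines (sample traffic, not real), counts requests per source IP per minute, lists sources that broke a threshold, and emits iptables DROP rules for them. It also shows the limit the post itself points out for large distributed attacks: a minute where the total load is high but every individual source stays under the threshold, which a per-source rule cannot catch. The log format, thresholds and the iptables rule shape are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
# 203.0.113.7 hammers the server within one minute; 198.51.100.4 is a normal visitor;
# the 192.0.2.x hosts each send one request in the same minute (the distributed case).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2011:05:23:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.7 - - [24/Feb/2011:05:23:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.7 - - [24/Feb/2011:05:23:03 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.7 - - [24/Feb/2011:05:23:04 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.7 - - [24/Feb/2011:05:23:05 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.7 - - [24/Feb/2011:05:23:06 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
198.51.100.4 - - [24/Feb/2011:05:23:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Feb/2011:05:23:40 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.1 - - [24/Feb/2011:05:24:01 +0000] "GET / HTTP/1.1" 200 512 "-" "bot/1.0"
192.0.2.2 - - [24/Feb/2011:05:24:02 +0000] "GET / HTTP/1.1" 200 512 "-" "bot/1.0"
192.0.2.3 - - [24/Feb/2011:05:24:03 +0000] "GET / HTTP/1.1" 200 512 "-" "bot/1.0"
192.0.2.4 - - [24/Feb/2011:05:24:04 +0000] "GET / HTTP/1.1" 200 512 "-" "bot/1.0"
192.0.2.5 - - [24/Feb/2011:05:24:05 +0000] "GET / HTTP/1.1" 200 512 "-" "bot/1.0"
192.0.2.6 - - [24/Feb/2011:05:24:06 +0000] "GET / HTTP/1.1" 200 512 "-" "bot/1.0"
"""

# Client IP, timestamp and request line of the combined log format; the rest is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def requests_per_minute(log_text):
    """Return {ip: Counter{minute: requests}} using fixed one-minute buckets."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing the monitor
        ip, ts = parsed
        counts[ip][ts.replace(second=0, microsecond=0)] += 1
    return counts


def offenders(log_text, max_per_minute):
    """Sorted list of IPs that sent more than max_per_minute requests in some minute."""
    counts = requests_per_minute(log_text)
    return sorted(ip for ip, per_min in counts.items() if max(per_min.values()) > max_per_minute)


def aggregate_per_minute(log_text):
    """Total requests per minute across all sources (the load the server actually sees)."""
    total = Counter()
    for per_min in requests_per_minute(log_text).values():
        total.update(per_min)
    return total


def under_radar_minutes(log_text, max_per_minute, total_threshold):
    """Minutes whose total load exceeds total_threshold although no single source
    exceeds max_per_minute: the distributed case a per-source threshold cannot catch."""
    by_minute = defaultdict(dict)
    for ip, per_min in requests_per_minute(log_text).items():
        for minute, n in per_min.items():
            by_minute[minute][ip] = n
    hits = []
    for minute in sorted(by_minute):
        per_ip = by_minute[minute]
        if sum(per_ip.values()) > total_threshold and max(per_ip.values()) <= max_per_minute:
            hits.append(minute.strftime("%Y-%m-%d %H:%M"))
    return hits


def deny_rules(ips):
    """One iptables DROP rule per offending source (assumed rule shape for the example)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    limit = 5
    bad = offenders(SAMPLE_LOG, limit)
    print("per-source offenders:", bad)
    print("\n".join(deny_rules(bad)))
    print("minutes that evade the per-source limit:", under_radar_minutes(SAMPLE_LOG, limit, limit))
```

With a limit of five requests per minute the single heavy source is caught and blocked, while the following minute carries the same kind of load from six hosts that each stay under the limit and is only visible in the aggregate count, which is why the post says a large distributed attack has no good per-target defence.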
1 response
@megamatt (14290)
• United States
26 Feb 11
These are evil, evil things to be sure. They have caused a lot of havoc for many people over the years. Many people have heard of them but few of them understand exactly how well they work. Therefore you really need to take the proper steps to minimize the damage and hopefully avoid these things altogether. A lot of useful information in that post as well.