
You’ve just arrived home after a long work day, so long in fact that night has already set in. You wander a bit through the darkness, turn on the lights, grab two slices of bread, and put them into that old, creaking toaster. It’s nothing fancy, just a quick and dirty snack until you undress, unwind and cook a proper dish.

The moment you push down on the button to toast the bread, you hear a loud pop, and all of the lights suddenly go out.

“Damn, the fuse blew up.”

Because the toaster was faulty, it flooded the electrical installation with more current than it was designed to handle. This blew the fuse and shut down the installation.

A nearly identical process takes place in DDoS attacks. Replace “electrical current” with “information”, and “installation” with the term “information processor”, and you’ve already understood the basic principle.

What does DDoS stand for?

DDoS is short for “Distributed Denial of Service”, and a DDoS attack is the bigger brother of the simpler denial-of-service (DoS) attack.

The point of these exercises is to take down a website or service, typically by flooding it with more information than the victim website can process.

DoS attacks typically send information from only one source (think PCs or other Internet-connected devices), but a DDoS attack uses thousands, or hundreds of thousands, of sources to flood its target. This makes it a few orders of magnitude more powerful than its smaller sibling.

Measuring the strength of a DDoS

According to this study, 82% of attacks last less than 4 hours. In terms of bandwidth volume, 34% clock in at between 100 MB/s and 1 GB/s, and only 5.3% exceed the 10 GB/s mark.

A 1 GB/s denial-of-service attack is strong enough to take down most of the websites out there, since their hosting simply doesn’t offer enough bandwidth to keep the site online.

One of the biggest attacks ever recorded was the Mirai botnet attack in autumn 2016, coming in at over 1 terabyte per second. It overwhelmed the DNS provider Dyn, and the effect then cascaded, temporarily taking down major websites such as Reddit and Twitter.

Nowadays, even beginner hackers who can’t code to save their life (so-called script kiddies) have access to big, powerful botnets-for-hire that can flood a target with 100 GB/s. This type of threat isn’t going away. Quite the contrary, it will only become more powerful and more widely accessible than before.

Why would anybody do this?

Compared to other kinds of cyber attacks, DDoS attacks are messy, overly destructive, and very difficult to pull off. Because of this, they don’t make much sense from a financial perspective.

So cybercriminals might use them as a blunt weapon against some of their competitors. For instance, they might want to bring down a site hosting a cybersecurity tool, or bring down a small online shop operating in the same niche.

In other cases, malicious hackers use them as a form of extortion, where the victim has to pay a fee in order for the denial of service to stop.

Also, a DDoS attack can act like a smokescreen, hiding the real endgame, such as infecting the target with malware or extracting sensitive data.

And in what constitutes a frequent scenario, the attacker might not even have a motive. Instead, he just does it for the “giggles”, seeking to test his abilities or just to cause mayhem.

How to DDoS someone, cybercriminal style

There’s more than one way of carrying out a denial-of-service attack. Some methods are easier to execute than others, but not as powerful. Other times, the attacker might want to go the extra mile to make sure the victim gets the message, so he hires a dedicated botnet to carry out the attack.

Botnets

A botnet is a collection of computers or other Internet-connected devices that have been infected with malware and now respond to the orders of a central computer, called the Command and Control (C&C) center.

The big botnets have a web of millions of devices, and most of the owners have no clue their devices are compromised.

Usually, botnets are used for a wide variety of illegal activities, such as pushing out spam emails, phishing or cryptocurrency mining.

Some, however, are available for rent to the highest bidder, who can use them in whatever way seems fit. Often, this means a DDoS attack.


DDoS programs and tools

Small-scale hackers who don’t have access to botnets have to rely on their own computers. This means using specialized tools that can direct Internet traffic at a certain target.

Of course, the amount of traffic an individual computer can send is small, but crowdsource a few hundred or a few thousand users, and things suddenly grow in scope.

This particular tactic has been successfully employed by Anonymous. In short, they send a call to their followers, asking them to download a particular tool and be active on chat channels, such as IRC, at a particular time. They then simultaneously attack the target website or service, bringing it down.

Here’s a sample list of tools that malicious hackers use to carry out denial of service attacks:

  • Low Orbit Ion Cannon, shortened to LOIC.
  • XOIC.
  • HULK (HTTP Unbearable Load King).
  • DDOSIM (Layer 7 DDoS Simulator).
  • R-U-Dead-Yet.
  • Tor’s Hammer.


How to DDoS an IP using cmd

One of the most basic and rudimentary denial-of-service methods is called the “ping of death”, and uses the Command Prompt to flood an Internet Protocol address with data packets.

Because of their small scale and basic nature, ping of death attacks usually work best against smaller targets. For instance, the attacker can target:

a)    A single computer. However, in order for this to be successful, the malicious hacker must first find out the IP address of the device.

b)    A wireless router. Flooding the router with data packets will prevent it from sending out Internet traffic to all other devices connected to it. In effect, this cuts the Internet access of any device that used the router.

In order to launch a ping denial-of-service attack, the malicious hacker first needs to find out the IP of the victim’s computer or device. This is a relatively straightforward task however.

A ping of death is small in scale and fairly basic, so it’s mostly effective against individual devices. However, if multiple computers come together, a handful of them can bring down a smallish website that lacks the proper infrastructure to deal with this threat.

Using Google Spreadsheet to send countless requests

An attacker can use Google Spreadsheets to continuously ask the victim website for an image or PDF stored in the cache. Using a script, he creates a never-ending loop in which the spreadsheet constantly asks the website to fetch the image.

This huge amount of requests overwhelms the site, and blocks it from sending outward traffic to visitors.

Unlike other denial-of-service tactics, this one doesn’t send large data packets to flood the website; instead it makes data requests, which are much, much smaller.

In other words, the attacker doesn’t need to rely on a sizeable botnet or thousands of other users to achieve a similar effect.

Teardrop attacks

In most cases, the information transmitted between a client device and the server is too big to be sent in one piece. Because of this, the data is broken into smaller packets and then reassembled once it reaches the server.

The server knows the order of reassembly through a parameter called the “offset”. Think of it as the instructions for building a LEGO toy.

What a teardrop attack does is send the server data packets that make no sense: their offset parameters overlap or are otherwise invalid. The server tries, and fails, to order the data according to the malicious offsets. This quickly consumes the available resources until it grinds to a halt, taking the website down with it.
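The defensive counterpart to the above is a reassembly routine that refuses to "fit" inconsistent pieces together at all. The following is an added example, not code from the original article: a fragment-set validator that rejects overlapping or gapped offsets (and oversized totals) before any resources are spent on reassembly. The `Fragment` class, `check_fragments` and the fragment sets are constructed for this demo; offsets are plain byte offsets rather than the 8-byte units of a real IPv4 header.

```python
# Added example (not from the original article): a fragment-reassembly
# sanity check of the kind a robust IP stack applies before it spends any
# resources on a fragmented datagram. A teardrop-style fragment set has
# overlapping or inconsistent offsets; instead of trying to "fit" such
# pieces together, the receiver should discard the whole datagram.
# Offsets here are plain byte offsets (a real IPv4 header stores them in
# 8-byte units); the fragment sets below are constructed for the demo.

from dataclasses import dataclass
from typing import List, Tuple

IPV4_MAX_DATAGRAM = 65535  # maximum reassembled IPv4 datagram size in bytes


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece inside the original datagram
    length: int   # payload bytes carried by this piece
    more: bool    # "More Fragments" flag: False only on the final piece

    @property
    def end(self) -> int:
        return self.offset + self.length


def check_fragments(frags: List[Fragment]) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the pieces tile the
    datagram exactly: start at 0, no overlaps, no gaps, exactly one final
    piece, and a total size within the protocol limit."""
    if not frags:
        return False, "no fragments"
    if any(f.length <= 0 or f.offset < 0 for f in frags):
        return False, "non-positive length or negative offset"
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        return False, "first fragment does not start at offset 0"
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.offset < prev.end:
            return False, f"overlap: fragment at {cur.offset} overlaps one ending at {prev.end}"
        if cur.offset > prev.end:
            return False, f"gap between {prev.end} and {cur.offset}"
    if any(not f.more for f in ordered[:-1]):
        return False, "a non-final fragment has the More Fragments flag clear"
    if ordered[-1].more:
        return False, "final fragment missing (More Fragments still set)"
    if ordered[-1].end > IPV4_MAX_DATAGRAM:
        return False, f"reassembled size {ordered[-1].end} exceeds {IPV4_MAX_DATAGRAM}"
    return True, "ok"


# Constructed fragment sets.
WELL_FORMED = [Fragment(0, 1000, True), Fragment(1000, 1000, True), Fragment(2000, 500, False)]
TEARDROP_STYLE = [Fragment(0, 1000, True), Fragment(600, 1000, False)]   # second piece overlaps the first
WITH_GAP = [Fragment(0, 1000, True), Fragment(1200, 300, False)]
OVERSIZED = [Fragment(0, 60000, True), Fragment(60000, 6000, False)]

if __name__ == "__main__":
    for name, frags in [("well-formed", WELL_FORMED), ("teardrop-style", TEARDROP_STYLE),
                        ("gap", WITH_GAP), ("oversized", OVERSIZED)]:
        ok, reason = check_fragments(frags)
        print(f"{name:15} -> {'accept' if ok else 'drop'} ({reason})")
```

The design point is that every branch ends in a constant-time "drop the whole datagram" decision; the receiver never holds partial state for a set it cannot trust, which is exactly the resource drain the teardrop technique relies on.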

Amplifying a DDoS attack

To maximize every data byte, malicious hackers will sometimes amplify the flood by using a DNS reflection attack.

This is a multiple step process:

  1. The attacker assumes the identity of the victim by forging its IP address.
  2. Using the forged identity, he then sends countless DNS queries to an open DNS resolver.
  3. The DNS resolver processes each query and sends the answer back to the victim device whose identity was stolen. However, the packets the DNS resolver sends out are much bigger than the queries it receives.

What happens during amplification is that every byte of information becomes 30 or 40 bytes, sometimes even more. Amplify this further using a botnet of a few thousand computers, and you can end up sending 100 gigabytes of traffic towards a site.
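Seen from the victim's edge, a reflection attack has a simple tell: the host receives DNS answers for queries it never sent. The following is an added example, not code from the original article, that tracks outstanding queries by (resolver, local port, transaction id) and counts inbound port-53 traffic that matches none of them, while also measuring the answer-to-query size ratio on the legitimate pairs. The packet records and the `analyze_dns_traffic` function are constructed for this demo; a real deployment would feed it from a capture or flow export.

```python
# Added example (not from the original article): spotting reflected DNS
# traffic at the victim's edge. A host only ever receives a DNS answer for
# a query it sent, so an inbound UDP packet from port 53 that matches no
# outstanding (resolver, local port, transaction id) is unsolicited and,
# in volume, is the signature of a reflection attack. The packet records
# below are constructed; a real deployment would feed them from a capture
# or flow export.

from collections import defaultdict
from typing import Dict, List, Tuple

# (direction, remote_ip, local_port, remote_port, dns_txid, size_bytes)
Packet = Tuple[str, str, int, int, int, int]

SAMPLE_PACKETS: List[Packet] = [
    ("out", "198.51.100.10", 40001, 53, 0x1A2B, 60),    # our own query
    ("in",  "198.51.100.10", 40001, 53, 0x1A2B, 180),   # its legitimate answer
    ("in",  "203.0.113.5",   40002, 53, 0x7777, 3200),  # answers we never asked for
    ("in",  "203.0.113.6",   40003, 53, 0x7777, 3200),
    ("in",  "203.0.113.7",   40004, 53, 0x7777, 3200),
    ("in",  "192.0.2.44",    40005, 8080, 0, 500),      # not DNS at all; ignored here
]


def analyze_dns_traffic(packets: List[Packet], alert_bytes: int = 8000) -> Dict[str, object]:
    """Match inbound DNS answers against queries we sent; everything else is reflected."""
    pending: Dict[Tuple[str, int, int], int] = {}     # outstanding query -> query size
    solicited = unsolicited = 0
    unsolicited_bytes = 0
    reflector_bytes: Dict[str, int] = defaultdict(int)
    ratios: List[float] = []                           # answer size / query size, matched pairs only

    for direction, remote, lport, rport, txid, size in packets:
        if rport != 53:
            continue
        key = (remote, lport, txid)
        if direction == "out":
            pending[key] = size
        elif key in pending:
            solicited += 1
            ratios.append(size / pending.pop(key))
        else:
            unsolicited += 1
            unsolicited_bytes += size
            reflector_bytes[remote] += size

    return {
        "solicited": solicited,
        "unsolicited": unsolicited,
        "unsolicited_bytes": unsolicited_bytes,
        "reflectors": sorted(reflector_bytes, key=reflector_bytes.get, reverse=True),
        "avg_amplification": sum(ratios) / len(ratios) if ratios else 0.0,
        "alert": unsolicited_bytes >= alert_bytes,
    }


if __name__ == "__main__":
    report = analyze_dns_traffic(SAMPLE_PACKETS)
    for k, v in report.items():
        print(f"{k:18}: {v}")
```

The amplification ratio on the matched pair (3x here) is the same quantity the paragraph above describes; what makes the reflected traffic detectable is not its size but the absence of a matching outbound query, which is why the tracking key must include the transaction id and local port rather than just the resolver address.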

The types of DDoS attacks

Denial-of-Service attacks fall in two broad categories, depending on their main attack vector:

  • Application Layer.
  • Network Layer.

Network Layer attacks

A network layer attack works by flooding the infrastructure used to host a website with vast amounts of data.

Many providers nowadays claim they offer “unmetered” bandwidth, meaning you should theoretically never have to worry about excessive amounts of traffic taking down your site. However, this “unmetered” bandwidth comes with strings attached.

To put things into perspective, a website with some 15,000 monthly pageviews and hundreds of pages requires around 50 gigabytes of monthly bandwidth to operate optimally. Keep in mind that this traffic is widely dispersed over the course of an entire month. A site like this has no chance of staying online if a DDoS attack rams it with 30 or 40 gigs of traffic in a one-hour period.

As a self-defense measure, the hosting provider itself will simply cut your hosting off while the traffic normalizes. Although this might seem cold, it prevents spill-over effects that might affect the provider’s other clients.

Network layer attacks themselves come in multiple shapes and sizes. Here are a few of the more frequent ones:

  • SYN attacks. SYN is shorthand for “synchronize”, the message a client (such as a PC) sends to a server to open a connection.
  • DNS reflection.
  • UDP amplification attacks.

An upside to this kind of attack, if you can call it that, is that the huge amounts of traffic involved make it easier for victims to figure out what kind of denial of service they’re facing.

Application layer attack

Application layer attacks are much more surgical in nature compared to network ones. These work by targeting certain programs or software that a website uses in its day-to-day functioning.

For instance, an application layer attack will target a site’s WordPress installation, PHP scripts or database communication.

This type of software can’t handle anywhere near the load of wider network infrastructure, so even a comparatively small DDoS of a few megabytes per second can take it down.

The typical application layer DDoS is the HTTP flood. This works by abusing one of two HTTP methods, GET or POST. GET is the simpler one: it retrieves static content, like the web page itself or an image on it.

POST is more resource intensive, since it triggers complex background processes with a greater impact on server performance.

An HTTP flood generates a huge number of internal server requests that the application cannot handle, so it fails and takes the entire site down with it.

How to stop and protect against a DDoS attack

Analyze the traffic: is it a usage spike or an attack?

Traffic spikes are a frequent occurrence, and can actually be big enough to take down poorly prepared websites. A site designed to cope with an average of 30-40 concurrent users will come under strain if a spike brings up the number to 600-700 users at the same time.

The first sign of a DDoS attack is a strong slowdown in server performance, or an outright crash. 503 “Service Unavailable” errors should start around this time. Even if the server doesn’t crash and clings on for dear life, critical processes that used to take seconds now take minutes.


Wireshark is a great tool to help you figure out whether what you’re going through is a DDoS. Among its many features, it shows which IP addresses connect to your PC or server, and how many packets each sends.

Of course, if the attacker uses a VPN or a botnet, you’ll see a whole bunch of IPs, instead of a single one. Here’s a more in-depth rundown on how to use Wireshark to figure out if you’re on the wrong end of a denial-of-service.

Microsoft Windows also comes with a native tool called Netstat, which shows which devices are connected to your server, along with similar statistics.

To open the tool, type cmd in the Start menu search bar, and then run netstat -an. This shows your own internal IP in the left-hand column, while the right-hand column holds all of the external IPs connected to your device.

[Screenshot: netstat -an output for a normal connection]

The screenshot above is for a normal connection. In it, you can see a few other IPs that communicate normally with the device.

Now, here’s what a DDoS attack would look like:

[Screenshot: netstat -an output during a DDoS]

On the right-hand side, you can see that a single external IP repeatedly tries to connect to your own device. While not always indicative of a DDoS, this is a sign that something fishy is going on, and it warrants further investigation.
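Reading that column by eye works for a screenshot; on a busy server you want the counting done for you. The following is an added example, not code from the original article: a parser for the netstat -an column layout that counts connections per remote address and flags the two patterns worth investigating, one external IP holding many connections and a pile-up of half-open (SYN_RECEIVED) connections, which is what a SYN flood leaves behind on the server. The sample output, thresholds and the `parse_netstat`/`summarize` functions are constructed for this demo.

```python
# Added example (not from the original article): a small parser for
# "netstat -an" output that counts connections per remote address and
# flags one external IP holding many connections, plus a pile-up of
# half-open (SYN_RECEIVED) connections. The output below is constructed
# in the Windows netstat column layout.

from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:443       203.0.113.9:51022      ESTABLISHED
  TCP    192.168.1.20:443       203.0.113.9:51023      SYN_RECEIVED
  TCP    192.168.1.20:443       203.0.113.9:51024      SYN_RECEIVED
  TCP    192.168.1.20:443       203.0.113.9:51025      SYN_RECEIVED
  TCP    192.168.1.20:443       203.0.113.9:51026      SYN_RECEIVED
  TCP    192.168.1.20:443       198.51.100.7:40210     ESTABLISHED
  TCP    192.168.1.20:443       [2001:db8::1]:50001    ESTABLISHED
  UDP    192.168.1.20:53        *:*
"""

UNSPECIFIED = {"0.0.0.0", "::", "*"}   # wildcard "foreign" addresses on listening/UDP sockets


def split_host_port(addr: str) -> Tuple[str, str]:
    """Split 'host:port', handling bracketed IPv6 like '[2001:db8::1]:50001'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Tuple[str, str, str]]:
    """Return (proto, remote_host, state) for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue   # banner and header lines
        proto, _local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        host, _ = split_host_port(foreign)
        rows.append((proto, host, state))
    return rows


def summarize(rows: List[Tuple[str, str, str]],
              per_ip_threshold: int = 4, half_open_threshold: int = 3) -> Dict[str, object]:
    """Count connections per remote host and flag hosts over either threshold."""
    per_ip = Counter(h for _, h, s in rows if h not in UNSPECIFIED and s != "LISTENING")
    half_open = Counter(h for _, h, s in rows if s == "SYN_RECEIVED")
    suspects = sorted(
        ip for ip in per_ip
        if per_ip[ip] >= per_ip_threshold or half_open[ip] >= half_open_threshold
    )
    return {"per_ip": per_ip, "half_open": half_open, "suspects": suspects}


if __name__ == "__main__":
    report = summarize(parse_netstat(SAMPLE_NETSTAT))
    for ip, n in report["per_ip"].most_common():
        print(f"{ip:20} {n:3} connections, {report['half_open'][ip]} half-open")
    print("suspects:", report["suspects"])
```

The thresholds are deliberately low so the constructed sample trips them; on a real server they should be set from a baseline of normal traffic, and the half-open count is the more useful signal, because a legitimate client that has many ESTABLISHED connections is common while a client that leaves many handshakes unfinished is not.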

Have an incident response plan

This is a basic procedure, decided well in advance, that describes what steps an organization should follow in case it suffers a denial-of-service.

Every plan is different, depending on what the organization requires, but here are some basic steps and starting points:

  • Whitelist mission-critical IPs and traffic sources, such as your ISP, host or important clients and partners. Then block everything else.
  • Set up traffic alerts that notify of spikes and data floods.
  • Terminate unwanted connections.
  • Add more servers and bandwidth to reduce the impact of the data flood.
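The first three items of that list can be expressed directly in code at the edge of a web front end. The following is an added example, not code from the original article: an allowlist that is never throttled, a per-client token bucket that turns away requests beyond a sane rate (the "terminate unwanted connections" step), and a sliding-window alert that fires when the overall request rate spikes. Because it operates on HTTP requests, it also shows how the HTTP flood from the application-layer section is contained when it comes from a small number of clients. The IP ranges, request stream and the `TokenBucket`/`EdgeFilter` classes are constructed for this demo.

```python
# Added example (not from the original article): allowlist + per-client
# token bucket + sliding-window spike alert for an HTTP front end.
# The IP ranges and the request stream are constructed.

from collections import Counter, deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Tuple

# Constructed: "mission-critical" sources (ISP, host, partner ranges).
ALLOWLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.10/32")]


class TokenBucket:
    """Classic token bucket: 'burst' tokens up front, refilled at 'rate' per second."""
    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    def __init__(self, per_ip_rate: float = 5.0, burst: int = 10,
                 window: float = 1.0, spike_threshold: int = 50):
        self.per_ip_rate, self.burst = per_ip_rate, burst
        self.window, self.spike_threshold = window, spike_threshold
        self.buckets: Dict[str, TokenBucket] = {}
        self.recent: Deque[float] = deque()       # timestamps inside the sliding window
        self.in_spike = False
        self.spike_alerts: List[float] = []

    def _track_spike(self, now: float) -> None:
        self.recent.append(now)
        while now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.spike_threshold:
            if not self.in_spike:                  # alert once per spike, not once per request
                self.in_spike = True
                self.spike_alerts.append(now)
        else:
            self.in_spike = False

    def handle(self, now: float, client_ip: str) -> str:
        """Return 'allowlisted', 'allowed' or 'blocked' for one request."""
        self._track_spike(now)
        addr = ip_address(client_ip)
        if any(addr in net for net in ALLOWLIST):
            return "allowlisted"                   # critical sources are never throttled
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.per_ip_rate, self.burst, now)
        return "allowed" if bucket.allow(now) else "blocked"


def run(requests: List[Tuple[float, str]]) -> Dict[str, object]:
    """Feed (timestamp, client_ip) pairs through the filter in time order."""
    f = EdgeFilter()
    decisions = Counter(f.handle(t, ip) for t, ip in sorted(requests, key=lambda r: r[0]))
    return {"decisions": decisions, "spike_alerts": len(f.spike_alerts)}


# Constructed stream: one client hammering the site, one allowlisted partner, one normal visitor.
SAMPLE_REQUESTS = (
    [(100.0, "203.0.113.99")] * 40
    + [(100.0 + i * 0.01, "198.51.100.22") for i in range(30)]
    + [(100.5, "192.0.2.15"), (100.6, "192.0.2.15"), (100.7, "192.0.2.15")]
)

if __name__ == "__main__":
    print(run(SAMPLE_REQUESTS))
```

On the constructed stream the hammering client gets its first 10 requests (the burst) and is blocked for the remaining 30, the partner passes untouched, the normal visitor is never affected, and exactly one spike alert fires when the window crosses 50 requests. The spike alert deliberately counts allowlisted and blocked requests too: a flood that is being absorbed by the limiter is still something the on-call team needs to hear about.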

Contact your ISP and host

Many ISPs and hosting companies have backup measures and protocols in place to deal with a DDoS, and help mitigate the damage and normalize activity.

Ideally, contact them BEFORE the attack, and plan ahead of time on how to include them in your response plan.

Look out for data leaks and malware infections

Sometimes, denial-of-service attacks are just a cover for a more complex cyber attack designed to infect an organization with malware or extract its data.

Once systems are back online, scan and search through every nook and cranny, and look for any malware. Be thorough, and don’t let anything slip through the cracks.

Here’s an article that might help you find the best antivirus, and also how to remove any malware you might find.

Use DDoS mitigation tools

Because of how widespread DDoS attacks have become, security vendors now offer several solutions to prevent and mitigate these kinds of attacks. Here are just a few of them:

Conclusion

DDoS attacks will only get more frequent as time passes and script kiddies get access to ever more sophisticated and cheap attack methods. Fortunately, denial-of-service attacks are short lived affairs, and tend to have only short-term impact. Of course, this isn’t always the case, so it’s best to be prepared for the worst case scenario.
