DDOS

**DDoS (Distributed Denial-of-Service)**

 A distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. 

**What is a DDoS attack?**

In a DDoS attack, the attacking packets come from tens or hundreds of addresses rather than just one, as in a "standard" DoS attack. Any DoS defense based on monitoring the volume of packets coming from a single address or single network will then fail, since the attack traffic comes from all over. Rather than receiving, for example, a thousand gigantic pings per second from one attacking site, the victim might receive one ping per second from 1000 attacking sites. A handler of a DDoS attack can choose the location of the agents. DDoS attacks employ standard TCP/IP messages, but employ them in some non-standard ways. Common DDoS attack tools have such names as Tribe Flood Network (TFN), Trin00, Stacheldraht, and Trinity. DDoS attacks always involve a number of systems.

**History**

Denial-of-Service (DoS) attacks have been around for decades, but Distributed DoS attacks are much newer. DDoS attacks first began to be seen in June and July of 1999. The first well-documented DDoS attack occurred in August 1999, when a DDoS tool called Trinoo was deployed on 277 systems, of which at least 114 were on Internet 2, to flood a single University of Minnesota computer; the system was knocked off the air for more than two days. The first well-publicized DDoS attack in the public press was in February 2000, when Yahoo was the victim of a DDoS attack that made Yahoo's site inaccessible for three hours. This DDoS attack caused Yahoo to suffer a loss of e-commerce and advertising revenue in the amount of $500,000. Within that same year, Amazon.com, Buy.com, CNN, eBay, E*Trade, and ZDNet were all attacked by DDoS.


**How does a DDoS attack work?**

1. An intruder finds one or more systems on the Internet that can be compromised and exploited. This is generally accomplished using a stolen account on a system with a large number of users and/or inattentive administrators, preferably one with a high-bandwidth connection to the Internet, like a college or university campus.

2. The compromised system is loaded with any number of hacking and cracking tools such as scanners, exploit tools, operating system detectors, root kits, and DoS/DDoS programs. This system becomes the DDoS //master//. The master software allows it to find a number of other systems that can themselves be compromised and exploited. The attacker scans large ranges of IP network address blocks to find systems running services known to have security vulnerabilities. This //initial mass-intrusion phase// employs automated tools to remotely compromise several hundred to several thousand hosts, and installs DDoS agents on those systems. The automated tools that perform this compromise are not part of the DDoS toolkit but are exchanged within groups of criminal hackers. These compromised systems are the initial victims of the DDoS attack. These subsequently exploited systems are loaded with the DDoS //daemons// that carry out the actual attack (see figure below).

3. The intruder maintains a list of //owned systems//, the compromised systems running the DDoS daemon. The actual //denial of service attack phase// occurs when the attacker runs a program at the master system that communicates with the DDoS daemons to launch the attack. Here is where the intended DDoS victim comes into the scenario.


**Methods of Attack**

A DDoS attack can be carried out in a number of ways, such as consuming computer resources like bandwidth, disk space and processing time. A DDoS attack can also disrupt physical network components and routing configuration information. An attack can also use malware that maxes out a user's CPU and prevents the user from working on their computer, triggers system errors, exploits errors in an operating system, and even crashes the operating system.


**Steps to Prevent a DDoS attack**

1. Make sure all security vulnerabilities in the site's hardware, operating systems, and applications are patched and up to date.
2. Install firewall software on all systems to detect an attack.
3. Periodically check TCP/UDP ports to see which ones are in use.
4. Regularly monitor system logs, looking for suspicious activity.
5. Use available tools to audit systems and servers to ensure that there have not been any unauthorized or unknown changes to the operating system's file system, registry, connection settings, user account database, etc.

The above are just a few examples of how to prevent a DDoS attack; there are others that focus on Local Area Network actions, as well as actions an ISP can take.


Example of a DDoS Attack

A DDoS handler issues instructions to computers under an attacker's control, which simultaneously begin sending messages to a target site. The target is flooded with messages from many different sources, making it harder to identify the DoS messages and greatly increasing the number of messages hitting the target.


Example of Reducing the Impact of DDoS Attacks by Traffic Analysis

The diagram above shows how traffic analysis is used to reduce the impact of a denial-of-service attack. A traffic anomaly detector is placed in front of the main router or firewall, where it monitors traffic and learns what normal traffic patterns look like. During a DDoS attack, the anomaly detector recognizes a sudden surge of traffic destined for a specific server or device and quarantines those incoming packets. An anomaly analyzer then examines the quarantined traffic and tries to recognize it as normal traffic; traffic that passes is allowed to flow through the network.
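The detector described above, together with the point made earlier that a defense watching the volume from a single address cannot see an attack spread across many addresses, as an added Python example (not the original page's code and not any vendor's product): it learns the normal per-destination packet rate from a series of one-second traffic windows, quarantines a window in which a destination's rate exceeds the learned baseline, and lets a simple analyzer release the quarantined flows it recognizes. The addresses, traffic windows, the sigma multiplier and the "known source" analyzer rule are all constructed assumptions for the demonstration.

```python
"""Added example (not from the original page): a simplified traffic
anomaly detector in the spirit of the diagram above.  A traffic window is
a list of (src, dst, packets) flow records for one second.  All addresses
and traffic below are constructed."""
import random
from collections import defaultdict
from statistics import mean, pstdev

VICTIM = "10.0.0.5"        # constructed: the server that gets flooded
OTHER = "10.0.0.6"         # constructed: a server carrying unrelated traffic
PER_SOURCE_LIMIT = 100     # packets/window a classic single-source DoS filter tolerates


def per_source_alerts(window, limit=PER_SOURCE_LIMIT):
    """The 'standard' DoS defense: flag any single source sending more than `limit`."""
    counts = defaultdict(int)
    for src, _dst, pkts in window:
        counts[src] += pkts
    return sorted(src for src, c in counts.items() if c > limit)


def per_destination_totals(window):
    """Total packets aimed at each destination in the window."""
    totals = defaultdict(int)
    for _src, dst, pkts in window:
        totals[dst] += pkts
    return totals


class TrafficAnomalyDetector:
    def __init__(self, k=4.0):
        self.k = k                        # sigmas above the mean that count as "sudden high traffic"
        self.history = defaultdict(list)  # dst -> per-window totals seen while learning
        self.known_sources = set()        # sources observed during the learning phase

    def learn(self, window):
        """Learning phase: record what normal traffic looks like."""
        for dst, total in per_destination_totals(window).items():
            self.history[dst].append(total)
        self.known_sources.update(src for src, _dst, _pkts in window)

    def threshold(self, dst):
        """Learned rate above which traffic to `dst` is treated as anomalous."""
        samples = self.history.get(dst)
        if not samples:
            return None                   # no baseline for this destination
        mu, sigma = mean(samples), pstdev(samples)
        # Floor the spread at 25% of the mean so a very quiet baseline does not
        # turn ordinary fluctuation into an alert (a constructed design choice).
        return mu + self.k * max(sigma, 0.25 * mu)

    def inspect(self, window):
        """Detection phase: {dst: (total, threshold, quarantined)} for one window."""
        verdict = {}
        for dst, total in per_destination_totals(window).items():
            thr = self.threshold(dst)
            verdict[dst] = (total, thr, thr is not None and total > thr)
        return verdict

    def analyze_quarantined(self, window, dst):
        """Anomaly analyzer: release quarantined flows to `dst` that come from
        sources seen during learning, hold the rest.  Returns (released, held)."""
        released, held = [], []
        for rec in window:
            if rec[1] == dst:
                (released if rec[0] in self.known_sources else held).append(rec)
        return released, held


def make_normal_window(rng):
    """Constructed normal second: 40 regular clients talk to VICTIM, 10 to OTHER."""
    window = [(f"192.0.2.{i}", VICTIM, rng.randint(1, 5)) for i in range(1, 41)]
    window += [(f"192.0.2.{i}", OTHER, rng.randint(1, 3)) for i in range(41, 51)]
    return window


def demo():
    rng = random.Random(7)
    det = TrafficAnomalyDetector()
    for _ in range(20):                   # learn from 20 normal seconds
        det.learn(make_normal_window(rng))
    # Attack second: the usual clients plus 1000 agents sending one packet each,
    # the "one ping per second from 1000 sites" pattern described in the text.
    attack = make_normal_window(rng) + [
        (f"198.18.{i // 256}.{i % 256}", VICTIM, 1) for i in range(1, 1001)]
    verdict = det.inspect(attack)
    released, held = det.analyze_quarantined(attack, VICTIM)
    return {
        "per_source_alerts": per_source_alerts(attack),  # [] : no single source exceeds 100
        "victim_quarantined": verdict[VICTIM][2],        # True
        "other_quarantined": verdict[OTHER][2],          # False
        "released": len(released),                       # 40 known clients
        "held": len(held),                               # 1000 agents
    }


if __name__ == "__main__":
    print(demo())
```

The per-source check never fires during the attack second because no agent sends more than a handful of packets, which is exactly the failure the page describes; the per-destination baseline fires because the aggregate aimed at one server is many times its learned rate, while traffic to the other server is untouched.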
