DDoS, or the leverage effect
Given the performance of today's servers and the widespread use of load balancing and high availability, it is practically impossible to cause a denial of service with the simple attacks described in the previous chapter alone. The attacker therefore needs a way to apply a multiplier effect to the initial attack.
The principle is to use many attack sources (daemons) together with masters that control them.
The masters let the attacker control the sources easily. The attacker needs to connect (over TCP) only to the masters in order to configure and prepare the attacks; the masters then send commands to the sources over UDP. Without masters, the attacker would have to connect to each source individually: the origin of the attack would be detected more easily and setting it up would take much longer. Masters and daemons exchange specific messages whose format depends on the tool used.
These communications may also be encrypted and/or authenticated. To install the daemons and the masters, the attacker exploits known vulnerabilities (buffer overflows in RPC services, FTP servers, etc.).
The attack itself is a SYN flood, a UDP flood or a Smurf attack. Its result is a denial of service: the network becomes unreachable.
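Seen from the defender's side, a SYN flood stands out because many sources send SYNs towards one service and almost none of them finish the three-way handshake. The following added example (not part of the original article or of Wikipedia) shows that detection logic run over constructed packet summaries; the tuple layout, the addresses, the 50 SYNs-per-second threshold and the 20% completion threshold are all assumptions chosen for the demonstration.

```python
from collections import Counter

# Packet summaries are constructed tuples: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags)
# where tcp_flags is "S" for a pure SYN, "SA" for a SYN/ACK and "A" for a pure ACK.

def build_flood_sample():
    """Constructed sample: 50 sources each send 4 SYNs within 2 s and never
    complete the handshake; 5 legitimate clients each complete one connection."""
    records = []
    for i in range(50):
        src = f"198.51.100.{i + 1}"
        for k in range(4):
            records.append((i * 0.02 + k * 0.3, src, "203.0.113.7", 80, "S"))
    for i in range(5):
        src = f"192.0.2.{i + 1}"
        records.append((0.3 * i, src, "203.0.113.7", 80, "S"))
        records.append((0.3 * i + 0.1, src, "203.0.113.7", 80, "A"))
    return sorted(records)

def build_normal_sample():
    """Constructed sample: only the 5 legitimate clients."""
    return [r for r in build_flood_sample() if r[1].startswith("192.0.2.")]

def analyze_target(records, dst_ip, dst_port, window_s,
                   syn_rate_threshold=50.0, min_completion=0.2):
    """Summarise SYN activity towards one service and flag a SYN flood.

    A flood is declared when the SYN rate exceeds syn_rate_threshold per second
    AND the fraction of SYN senders that go on to send an ACK (i.e. finish the
    handshake) is below min_completion. The flood is tagged 'distributed' when
    no single source accounts for more than 20% of the SYNs.
    """
    syn_by_src = Counter()
    ack_sources = set()
    for _ts, src, dip, dport, flags in records:
        if dip != dst_ip or dport != dst_port:
            continue
        if flags == "S":
            syn_by_src[src] += 1
        elif "A" in flags:
            ack_sources.add(src)
    total_syn = sum(syn_by_src.values())
    senders = len(syn_by_src)
    completed = sum(1 for src in syn_by_src if src in ack_sources)
    completion = completed / senders if senders else 1.0
    rate = total_syn / window_s if window_s > 0 else 0.0
    top_share = max(syn_by_src.values()) / total_syn if total_syn else 0.0
    flood = rate > syn_rate_threshold and completion < min_completion
    return {
        "syn_count": total_syn,
        "distinct_sources": senders,
        "completion_ratio": round(completion, 3),
        "syn_rate": round(rate, 1),
        "flood": flood,
        "distributed": flood and top_share <= 0.2,
    }

if __name__ == "__main__":
    for name, sample in (("flood", build_flood_sample()), ("normal", build_normal_sample())):
        print(name, analyze_target(sample, "203.0.113.7", 80, window_s=2.0))
```

The completion ratio is the important signal: a busy but healthy service also sees a high SYN rate, but its clients answer the SYN/ACK. The `distributed` flag illustrates why the single-address ban discussed later in the article does not help here, since no one source dominates.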
Disadvantages
The drawback of this approach is that it requires two stages:
- Compromising a large number of systems to host the zombies.
- Issuing the attack orders.
In the second stage, the control packets can be blocked by a detection tool or a filter. The evolution has therefore been to automate the attack orders at the moment the relay is compromised. This technique was implemented by Code Red, whose goal was to have the compromised servers attack the White House website on a specific date. In the same vein, DDoS tools have used IRC channels as their communication channel.
The objective here is not to establish a direct connection between the master and the zombies, but to use an IRC server (or rather a channel) as a relay. This method, initiated in July and August 2001 by Knight and Kaiten, has several advantages:
- The commands are sent asynchronously over an outgoing flow, from the point of view of both the master and the agent, so it is more likely that the zombie receives its orders.
- With SSL support, the orders cannot be detected, so the relaying IRC channel cannot be identified either. Similarly, the master is virtually undetectable.
- The attacker has a distributed relay platform (the IRC channel).
Protection against denial of service attacks
A simple denial of service can be countered by identifying the IP address of the machine issuing the attack and banning it at the firewall or on the server. IP packets from the hostile machine are then rejected without being processed, so the server's service is not overloaded and is not taken offline.
Distributed denial of service attacks are more difficult to counter. The very principle of a distributed denial of service is to reduce the possibility of stopping the attack.
A distributed architecture of multiple servers offering the same service, managed so that each client is served by only one of them, spreads the access points to the service and offers, during an attack, a degraded (slower) mode that is often acceptable.
Depending on the attack, it is also possible to put a buffer server in front of the target that filters and cleans the traffic. This server, a "cleaning center", ensures during an attack that malicious requests cannot reach the target server.
Using SYN cookies is another option to prevent attacks such as SYN floods, but this approach does not prevent saturation of the network bandwidth.
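SYN cookies work by encoding the server's state into the initial sequence number of the SYN/ACK, so that no half-open connection entry has to be kept until the client's final ACK arrives and the cookie checks out. The following added example (not part of the original article or of Wikipedia, and not the Linux or BSD implementation) is a simplified model of the classic layout: a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection 4-tuple. The secret key, the MSS table, the 64-second tick and the one-tick acceptance window are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

# Simplified SYN cookie scheme, constructed for illustration. It follows the classic
# layout (coarse time counter, encoded MSS, keyed hash of the 4-tuple) but is NOT
# the Linux or BSD implementation.

MSS_TABLE = [536, 1220, 1440, 1460]      # MSS values that fit in the 3-bit field
SECRET = b"constructed-demo-secret-key"  # a real stack uses a random per-boot key
COUNTER_PERIOD_S = 64                    # the counter ticks about once a minute
MAX_AGE_TICKS = 1                        # accept cookies from this tick and the previous one

def _counter(now_s):
    """5-bit time counter derived from the clock."""
    return (int(now_s) // COUNTER_PERIOD_S) & 0x1F

def _hash24(src, sport, dst, dport, counter, client_isn):
    """Keyed 24-bit hash binding the cookie to the 4-tuple, the tick and the client ISN."""
    msg = struct.pack("!4sH4sHB", socket.inet_aton(src), sport,
                      socket.inet_aton(dst), dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (int.from_bytes(digest[:4], "big") + client_isn) & 0xFFFFFF

def make_syn_cookie(src, sport, dst, dport, client_isn, mss, now_s):
    """Initial sequence number the server puts in its SYN/ACK instead of
    allocating a half-open connection entry. The client's MSS is rounded
    down to the nearest table entry so it can be recovered later."""
    counter = _counter(now_s)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, counter, client_isn)

def check_syn_cookie(src, sport, dst, dport, client_isn, cookie, now_s):
    """Return the MSS encoded in a valid, fresh cookie, or None if it is forged or stale."""
    counter = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x07
    if (_counter(now_s) - counter) & 0x1F > MAX_AGE_TICKS:
        return None                       # stale: the counter has moved on too far
    if (cookie & 0xFFFFFF) != _hash24(src, sport, dst, dport, counter, client_isn):
        return None                       # forged, or not issued for this 4-tuple
    return MSS_TABLE[mss_idx]

def validate_ack(src, sport, dst, dport, seq, ack, now_s):
    """Apply check_syn_cookie to the final ACK of the handshake: the client ISN is
    seq - 1 and the cookie the server issued is ack - 1 (both modulo 2**32)."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    return check_syn_cookie(src, sport, dst, dport, client_isn, cookie, now_s)

if __name__ == "__main__":
    now = 1_000_000.0
    cookie = make_syn_cookie("192.0.2.10", 40000, "198.51.100.5", 443, 123456, 1460, now)
    print(hex(cookie), validate_ack("192.0.2.10", 40000, "198.51.100.5", 443,
                                     123457, cookie + 1, now))
```

The model also shows the trade-offs the article alludes to: the server only ever does a hash computation per SYN, so memory is no longer exhausted, but every SYN still consumes link bandwidth, and options that do not fit in the cookie (here anything beyond a coarse MSS) are lost for connections established this way.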
After An Attack — Back To Normal
Returning to normal after an attack may require human intervention, because some software does not restart properly after an attack.
Who Is Responsible For These Attacks
Denial of service attacks are often carried out by inexperienced hackers, 'lamers' and 'script kiddies'.
These attacks are also used by a hacker who, having failed to take control of a computer, tries to impersonate a trusted machine by IP spoofing. If the attacker sends a session request (TCP SYN) with a source IP address "spoofed" to be that of a trusted machine, it is the trusted machine that receives the TCP SYN/ACK issued by the target, and it automatically resets the connection attempt with an RST packet (since it did not send the session request), preventing the attacker from establishing the session.
In recent years, distributed denial of service has also been used for blackmail against companies whose business relies on the availability of their website. These frauds are usually committed by criminal organizations (mafia) rather than isolated hackers.
Source: Wikipedia, the free encyclopedia. The text is available under the Creative Commons license.