
One of the more common attacks we see in the media is something referred to as a DDoS attack. In this article, I wanted to take some time to explain exactly what a DDoS attack is, some of the ways attackers achieve these types of attacks and why someone would want to partake in this activity.
So What the Hell is DDoS?
DDoS stands for Distributed Denial of Service. It is an attack that prevents a web resource such as an online bank, an internet-based game or a corporate website from functioning, either by causing the service to hang or by inundating it with so much traffic that it cannot process it all. This is usually done by a large number of internet-connected devices all sending traffic to the same target at the same time. There are many ways this can be done and only limited ways to mitigate this kind of attack.
A Completely Transparent CYA Public Service Announcement
Understand that DDoS in most of the world violates a law, be it the Computer Fraud and Abuse Act, the Computer Misuse Act or others. Do not do this on a network you do not have explicit permission to test on. Just don't. Years in jail, heavy fines and the massive cloud of a felony criminal record are not worth the trade-off. And most DDoS attacks are easy to trace. Just ask this guy. They caught him in two weeks:
TLDR: Don't attack computer systems. Learn on your own lab. Criminal activity is bad.
How do attackers perform DDoS attacks?
To be clear and precise, DDoS is not really a hacking endeavor. It requires little to no actual skill to perform and in many cases can be done by novices who read a few articles on the web. There are many ways that DDoS can be done but before I start, I want to touch briefly on something that makes this kind of thing really possible.
Battle Botnets
The single most effective way for an organized attacker to perform a DDoS attack is to control a botnet. A botnet is simply a huge army of what we call zombie machines. It allows an attacker to remotely control thousands, maybe tens of thousands, of internet-connected devices, for purposes ranging from malware distribution to DDoS attacks or anything else a malicious attacker may want to do with a machine they have no real-world connection to. Most of the time, a botnet is built through malware: what were regular, ordinary machines are infected and put to work as zombies carrying out criminal activity.

An Array of DDoS Options
One of the methods most famously used by the hacktivist group Anonymous was a program called the Low Orbit Ion Cannon (LOIC). This was a network stress testing application that can flood a network with UDP or TCP traffic. If one is simply testing their own network, it is a fine application for verifying how much incoming traffic your infrastructure can handle. But it can also be used to flood an unsuspecting victim with a volume of traffic large enough to prevent legitimate traffic from connecting. LOIC has evolved into versions that leverage JavaScript and even a web version called the Low Orbit Web Cannon that runs in a web browser. There is even an updated version of the software called the High Orbit Ion Cannon that provides additional features and customization. This makes the barrier to entry into the world of DDoS exceedingly low.
Another very basic DDoS tactic is the simple ping flood. A ping flood sends massive volumes of ICMP echo request packets, known as ping packets, to a target. This attack vector isn't very efficient as it stresses the source just as much as the destination. This kind of attack also has a rather low success rate, as many corporations simply block pings to their websites.
A more elegant attack than a ping flood that can DDoS a network is an abuse of the Layer 4 TCP protocol known as a SYN flood. A SYN flood targets an endpoint by continually sending half-completed TCP handshakes, causing the server to respond to each one and wait for a reply. This floods the endpoint with half-formed TCP connections, sometimes called embryonic sessions. The attacker sends a TCP SYN to the target. By the nature of the TCP protocol, the endpoint sends back a response known as a SYN-ACK. The sender never responds to these SYN-ACKs, so the target keeps each half-open handshake and waits for a reply. If enough of these are sent to a router or a server, the available resources of that endpoint drain very quickly. Fortunately, most firewalls have means to mitigate this kind of attack. A good example would be Cisco ASAs using the Modular Policy Framework.
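The embryonic-session build-up described above is visible in a host's own socket table. The following is an added example, not code from the original article: it parses a constructed snapshot laid out like `ss -tan` output and reports listeners whose half-open (SYN-RECV) count reaches a threshold, the defender's first signal of a SYN flood.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of `ss -tan` output (not a real capture);
# SYN-RECV marks a half-open (embryonic) session.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       198.51.100.10:50221
ESTAB     0      0      10.0.0.5:443       198.51.100.11:50300
SYN-RECV  0      0      10.0.0.5:443       203.0.113.7:51234
SYN-RECV  0      0      10.0.0.5:443       203.0.113.8:51235
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:51236
SYN-RECV  0      0      10.0.0.5:443       203.0.113.10:51237
SYN-RECV  0      0      10.0.0.5:443       203.0.113.11:51238
SYN-RECV  0      0      10.0.0.5:22        198.51.100.12:40001
"""

# Deliberately tiny so the sample trips it; size it to the listen backlog in practice.
EMBRYONIC_THRESHOLD = 4

def parse_ss(text):
    """Return (state, local_port, peer_ip) per socket line, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        rows.append((state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]))
    return rows

def embryonic_report(text, threshold=EMBRYONIC_THRESHOLD):
    """Listeners whose half-open count reaches the threshold. Many half-open
    sessions from many distinct peers that never complete is the SYN flood
    signature (a single peer doing it looks more like a broken client)."""
    half_open, established = Counter(), Counter()
    peers = defaultdict(set)
    for state, port, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(peer_ip)
        elif state == "ESTAB":
            established[port] += 1
    report = {}
    for port, n in half_open.items():
        if n >= threshold:
            report[port] = {"half_open": n, "established": established[port],
                            "distinct_peers": len(peers[port])}
    return report
```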
The more technical means of performing DDoS require some knowledge of network protocols. The goal is to send a request with a very small network footprint and receive a reply with a significantly larger volume of network traffic in return. This resolves the efficiency problem we have with ping floods. Once you have done that, you simply spoof the source address to that of the target, and the replies carry massive volumes of traffic to an unsuspecting victim.
A common means of performing this kind of attack is a technique known as NTP amplification. NTP stands for Network Time Protocol and is a standard protocol used to keep clocks synchronized throughout our networks. This is generally a useful service and is required to keep our networks running properly. However, the NTP protocol has a command known as monlist. The monlist command returns details of the last 600 hosts to access the NTP service on that server, sending over 200 times more data to the target than the monlist request required. Most NTP servers are provided with large bandwidth connections as they are designed to handle millions of legitimate NTP requests. Coordinate this with enough source machines (hence your friendly botnet) all targeting one endpoint and that destination address can be rendered unusable.
Another amplification attack that may be leveraged is a DNS amplification attack. DNS stands for Domain Name System and is used to convert the hostnames we type into web browsers into IP addresses that web servers can understand. For example, if I type in www.yahoo.com, a DNS server will convert that into the IP address 98.137.246.8. To abuse this, an attacker first finds a target they want to DDoS. They then send DNS queries to a large DNS server asking for all the DNS records for a large corporation, which will include many subdomains. For example, asking for all the subdomains of Amazon should return a significant amount of data in the DNS reply. The attacker spoofs the source address to the address they wish to attack. The end result is a massive volume of DNS responses for Amazon being flooded onto the victim endpoint.
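Both the NTP and DNS cases above share one measurable property: the bytes a service sends back dwarf the bytes it received, and a victim of source spoofing sees replies to requests it never made. The following added example (not part of the original article) pairs request and response flows from a constructed, NetFlow-style record set and flags both conditions, so a network team can spot its own servers being abused as reflectors as well as hosts being hit with unsolicited replies.

```python
from collections import defaultdict

# Constructed UDP flow records (src_ip, src_port, dst_ip, dst_port, bytes) in the
# shape an edge flow collector exports. Not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.9", 40001, "10.0.0.53", 123, 234),    # small NTP query to our server
    ("10.0.0.53", 123, "203.0.113.9", 40001, 48200),  # very large reply (monlist-sized)
    ("198.51.100.4", 53000, "10.0.0.53", 123, 76),    # ordinary time sync request
    ("10.0.0.53", 123, "198.51.100.4", 53000, 76),    # ordinary time sync reply
    ("203.0.113.9", 40002, "10.0.0.10", 53, 64),      # DNS query asking for many records
    ("10.0.0.10", 53, "203.0.113.9", 40002, 3200),    # large DNS answer
    ("192.0.2.77", 123, "10.0.0.20", 1234, 48200),    # NTP reply we never asked for: spoofed victim
]

SERVICE_PORTS = {123: "ntp", 53: "dns"}

def amplification_report(flows, ports=SERVICE_PORTS, min_ratio=10.0):
    """Pair each service response with the request that should precede it and
    report pairs whose bytes-out / bytes-in ratio is suspicious. A response
    with no matching request means the 'client' never asked: a spoofed source."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport in ports:                      # request: client -> server
            bytes_in[(dst, dport, src)] += nbytes
        elif sport in ports:                    # response: server -> client
            bytes_out[(src, sport, dst)] += nbytes
    findings = []
    for (server, port, client), sent in bytes_out.items():
        received = bytes_in.get((server, port, client), 0)
        if received == 0:
            findings.append({"service": ports[port], "server": server, "client": client,
                             "ratio": None, "verdict": "unsolicited"})
        elif sent / received >= min_ratio:
            findings.append({"service": ports[port], "server": server, "client": client,
                             "ratio": round(sent / received, 1), "verdict": "amplified"})
    # Amplified pairs first, largest ratio on top; unsolicited replies last.
    return sorted(findings, key=lambda f: (f["ratio"] is None, -(f["ratio"] or 0)))
```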
Low and Slow
In the world of well-cooked brisket or BBQ, we like to cook the meat low and slow to get that signature flavor. Sometimes in the world of DDoS, attackers do the same. A far more elegant attack vector that is sometimes used is the world of protocol attacks. One of the most well known of these is another pre-packaged attack tool called RUDY, which stands for R U Dead Yet? RUDY works by abusing the HTTP POST method. When a website has a form that an end user is meant to fill out, that website is vulnerable to a RUDY attack. RUDY sends the HTTP POST containing the web form one byte at a time at random intervals, and does this over as many connections as the website will accept. After a short while, the website is under the impression that a huge volume of people are submitting web forms, all with God-awful internet connections, painfully slowly. The result is that the website can no longer handle requests and times out legitimate traffic.
Another attack vector very similar to this is the Slowloris attack, which does essentially the same thing, only it primarily targets Apache web servers and sends HTTP GET requests instead, to all the sockets available on the web server. These low and slow attacks are far more difficult for vendors to mitigate because the traffic they send looks legitimate in the eyes of most firewalls and AV software. They are simply abusing the way the HTTP protocol works by attacking the timeout limits and socket design.
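Because a firewall sees nothing malformed, low and slow attacks are best caught on the web server itself by looking at how slowly each open connection is delivering its request. The following added example (not from the original article; `Conn` is a constructed snapshot shape, not a real server API) flags connections that are both old and trickling bytes, distinguishing the never-finished-headers case from the dripping-POST-body case, and reports how much of a fixed worker pool they occupy.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    """Snapshot of one open HTTP connection, as a server status page or
    connection table might expose it (constructed fields, not a real API)."""
    client: str
    opened_at: float        # seconds since epoch
    bytes_received: int     # request bytes read so far (headers + body)
    headers_complete: bool  # has the blank line ending the headers arrived?

# Constructed snapshot taken at NOW: two normal clients, three trickling ones.
NOW = 1_000_000.0
SAMPLE_CONNS = [
    Conn("198.51.100.10", NOW - 0.4, 612, True),     # normal request, just arrived
    Conn("198.51.100.11", NOW - 2.0, 9_800, True),   # normal upload in progress
    Conn("203.0.113.20", NOW - 95.0, 41, False),     # headers never finish: Slowloris style
    Conn("203.0.113.21", NOW - 120.0, 380, True),    # POST body dripping in: RUDY style
    Conn("203.0.113.22", NOW - 140.0, 350, True),    # POST body dripping in: RUDY style
]

def slow_connections(conns, now, min_age=30.0, min_bytes_per_sec=10.0):
    """Return (client, kind, bytes/sec) for connections older than min_age whose
    average inbound rate is below min_bytes_per_sec. Measuring over the whole
    request catches both slow-header and slow-body variants; the age floor
    keeps a brand-new connection from being flagged before it has had a chance."""
    slow = []
    for c in conns:
        age = now - c.opened_at
        if age < min_age:
            continue
        rate = c.bytes_received / age
        if rate < min_bytes_per_sec:
            kind = "slow-headers" if not c.headers_complete else "slow-body"
            slow.append((c.client, kind, round(rate, 2)))
    return slow

def worker_pressure(conns, now, worker_limit):
    """Fraction of the worker pool tied up by slow connections. The attack
    succeeds when this approaches 1.0 even though total traffic is tiny."""
    return round(len(slow_connections(conns, now)) / worker_limit, 2)
```

A server that evicts or rate-limits the flagged clients once `worker_pressure` crosses a chosen fraction is applying the socket and timeout limits the paragraph above describes.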
But Why?

The question we have to ask ourselves next is why. Why would anyone want to DDoS a target? Well, there are a few reasons why people choose to DDoS a target. The most common answer is money. In some cases, a criminal organization may choose to target a company and send a message asking for payment in order to stop the attack. In other cases, the DDoS attack is just a diversionary tactic used to perform other hacking activities while the DDoS is occurring, forcing manpower and resources to deal with the DDoS instead of the actual attack. Another reason DDoS attacks occur is simple vandalism. DDoS attacks can prevent companies from making money with their website, or an attacker may just want to abuse a company or corporation they do not support. Many young people, particularly those who partake in online gaming, often leverage DDoS as a means of revenge or a way to reclaim power when things go wrong in their games. Blizzard Entertainment, the company famous for the online game World of Warcraft, suffered a DDoS attack on its World of Warcraft Classic servers in September 2019. The suspect responsible for that attack was apprehended two weeks later. Another individual who was a frequent online gaming participant launched DDoS attacks on Daybreak Games, Epic Games and Riot Games. This individual was sentenced to two years in prison. In this circle, DDoS seems to be a way for certain angry young people to lash out, and it results in some life-changing consequences.
Mitigation Options
DDoS is an attack vector with many viable options, and with the explosive growth of the internet of things it is becoming easier to perform, since larger and more powerful botnets will exist as a result. While there is little we can do about a truly massive attack, there are precautions we can take against many of the attack vectors. Setting up firewall access control lists to block pings, limiting embryonic sessions and using deep packet inspection to filter malicious traffic can defeat the more limited attack vectors. But the truth is, a truly massive DDoS attack, one in the terabytes of data per second, would be difficult for all but the most massive enterprise and service provider networks to withstand.
Have you been affected by a DDoS Attack to a website you wanted to use? What other questions or concerns might there be with Distributed Denial of Service? Let me know in the comments below!