Friday, 28 January 2011

Denial of Service Attacks

For as long as modern technology has been around there have been those willing to throw systems into disarray. Early computers that ran on punch cards could be upset with a 'lace card' – one which had every hole punched through and would collapse and become jammed in the card-reading apparatus. Fax machines have suffered from similar mischief, with loops of black paper being used to send endless messages and eat through an enemy's toner supplies. Now that mankind has linked a legion of computers together via the Internet, such things as viruses, worms, trojans and other malware have been unleashed, and most users are aware of the need to protect their vulnerable computers from attack. However, many are still unaware of the silent abuse of computers as hackers use them to bring down entire websites, and so this entry looks at the phenomenon that is the Denial of Service attack.

Are You Being Served?

Denial of Service (DoS) is exactly what it sounds like – users are unable to use something that usually works, be it a particular website or an individual Internet connection. This isn't particularly different from the lace card mentioned above – a DoS attack simply involves finding the works and throwing a digital spanner into them.

There are many ways in which a hacker can bring down a server or Internet connection through the use of malicious software tools. In some cases, this involves sending malformed data that the victim's software was never written to handle, forcing a crash. Meanwhile, many modern attacks instead involve bombarding a machine with more traffic than it can process, so that it becomes entirely preoccupied with handling rubbish. The following are just a few examples of DoS attacks:

  • Ping of death – a ping is an ICMP echo request, a small packet sent to a computer asking for an immediate reply in order to test the connection. The time taken for the reply to come back is a measure of the link, and the size of the ping can be varied to find the largest packet the path will carry. An IP packet cannot be larger than 65,535 bytes, but a sender can split a ping into fragments whose offsets and lengths add up to more than that. Many older operating systems would reassemble such fragments into a buffer sized for a legal packet, overrun it, and crash on the so-called 'ping of death'.

  • Ping flood – every ping has to be received, processed and answered with a reply of the same size, so a victim with a slower link or a slower machine than the attacker cannot keep up. The attacker simply sends the victim's computer an overwhelming volume of pings such that the victim's connection is saturated and nothing else gets through.

  • Smurf attack – a computer answers a ping by sending the reply to the packet's source address, and IP lets a sender write whatever source address it likes. In a smurf attack (named after the smurf program that first implemented it) the attacker sends pings with the victim's address forged as the source to the broadcast address of a network whose routers still forward such packets (a 'smurf amplifier'). Every host on that network replies to the victim at once, so a single attacker's traffic is multiplied by the number of hosts on the amplifier network, with the same effect as a ping flood.

  • Teardrop attack – as well as the 'ping of death', older operating systems were vulnerable to fragments whose offsets had been deliberately mangled so that one fragment overlaps the previous one. The reassembly code then computes a negative length for the data it still has to copy and crashes.

  • Nuke – a nuke repeatedly sends a malformed packet that the victim's network stack cannot handle, causing the machine to crash. The best-known example, WinNuke, sent TCP 'out-of-band' (urgent) data to the NetBIOS port 139 of Windows 95 and NT machines, which responded with a rather pretty blue screen.

  • SYN flood – when opening a connection to a server, a user's computer sends a SYN message¹. The server replies with a SYN-ACK and records the half-open connection in a table of limited size (the backlog). The user's computer then sends an ACK, and dialogue between the two machines proceeds. In a SYN flood, the attacker sends the server a stream of SYNs with forged source addresses, so the SYN-ACKs go to hosts that never asked for them and no ACK ever arrives. Each fake SYN occupies a backlog entry until it times out, and once the table is full the server drops the SYNs of genuine users and the site appears to be down. Modern network stacks defend against this with SYN cookies, which encode the half-open state in the server's own sequence number so that nothing has to be stored until a valid ACK arrives.
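The two fragment-based attacks in the list, the 'ping of death' and the teardrop, both come down to a reassembler that trusts the offset and length fields of incoming fragments. The following is an added example, not code from the original post: a toy IPv4 fragment reassembler in Python that models only the fields reassembly needs and rejects both malformed shapes before copying any data. The 65,535-byte limit (the largest datagram a 16-bit IP total-length field can describe) is the one fact it relies on; the fragment sets are constructed for the example, and the rest is an assumption of the model (a real reassembler also has to cope with fragments arriving out of order and with timeouts).

```python
"""Added example (not from the original post): a toy IPv4 fragment
reassembler that refuses the 'ping of death' and 'teardrop' shapes.
Only the header fields reassembly needs are modelled: the identification
field, the fragment offset (in 8-byte units) and the more-fragments flag."""
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # 16-bit IP total length: the largest legal datagram


@dataclass(frozen=True)
class Fragment:
    ident: int          # fragments of one datagram share this value
    offset_units: int   # fragment offset field, in units of 8 bytes
    more: bool          # MF flag: set on every fragment except the last
    payload: bytes

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


class FragmentError(ValueError):
    """Raised instead of letting a malformed fragment set reach the copy loop."""


def reassemble(frags):
    """Rebuild the datagram payload from a complete set of fragments.

    Assumption of this toy model: all fragments are already in hand, so a
    gap is an error rather than a reason to wait for more."""
    if not frags:
        raise FragmentError("no fragments")
    if len({f.ident for f in frags}) != 1:
        raise FragmentError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.start)

    # Ping of death: the offset field can place a fragment at up to 65,528
    # bytes, so a large final fragment pushes the total past the 16-bit
    # limit and a reassembler with a fixed 65,535-byte buffer is overrun.
    for f in ordered:
        if f.end > MAX_IP_DATAGRAM:
            raise FragmentError(f"fragment ends at {f.end} > {MAX_IP_DATAGRAM}")

    # Teardrop: a fragment that starts inside the previous one makes a naive
    # 'bytes still to copy' calculation go negative; check before copying.
    buf = bytearray()
    expected = 0
    for f in ordered:
        if f.start < expected:
            raise FragmentError(f"fragment at {f.start} overlaps data up to {expected}")
        if f.start > expected:
            raise FragmentError(f"gap before offset {f.start}")
        buf += f.payload
        expected = f.end

    if ordered[-1].more or any(not f.more for f in ordered[:-1]):
        raise FragmentError("more-fragments flag set on the wrong fragment")
    return bytes(buf)


def check(frags):
    """Return 'ok' or the reason a fragment set was rejected."""
    try:
        reassemble(frags)
        return "ok"
    except FragmentError as exc:
        return str(exc)


def split(ident, payload, chunk=1480):
    """Fragment a payload the way a well-behaved sender does (chunk % 8 == 0)."""
    return [
        Fragment(ident, i // 8, i + chunk < len(payload), payload[i:i + chunk])
        for i in range(0, len(payload), chunk)
    ]


# Constructed fragment sets, made up for this example.
NORMAL = split(1, b"A" * 3000)                 # a legitimate 3,000-byte ping
PING_OF_DEATH = [                              # last fragment overruns 65,535
    Fragment(2, 0, True, b"B" * 1480),
    Fragment(2, 8189, False, b"B" * 100),      # 8189 * 8 + 100 = 65,612 bytes
]
TEARDROP = [                                   # second fragment overlaps the first
    Fragment(3, 0, True, b"C" * 32),
    Fragment(3, 2, False, b"C" * 24),          # starts at byte 16, inside fragment 1
]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)]:
        print(f"{name}: {check(frags)}")
```

The point of the two checks is that they run on header arithmetic alone, before a single payload byte is copied; the vulnerable stacks of the 1990s did the copy first and discovered the problem, if at all, afterwards.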

A particularly malicious form of DoS is 'phlashing', otherwise known as a Permanent Denial of Service attack. Rather than flooding a device, the attacker gets into it and abuses its firmware-update mechanism to write corrupted firmware to a printer, router or network switch, so that the hardware will not even boot. The word 'brick' is aptly used to describe a piece of hardware disabled in this manner.

Though often malicious, Denial of Service can also occur if a site receives more interest than expected – this problem was encountered by Universal Tube & Rollform Equipment Corporation when their website utube.com gained thousands of accidental users, none of whom could spell correctly. The company's story eventually made the news, following which it was surely bombarded with even more web traffic. Those who have studied the Internet say this sort of thing happens all the time, and that we are powerless to prevent it; however, the tube company felt the need to recoup the cost of changing their website's name and took legal action against YouTube, now part of Internet giant Google.

Distributed Attacks

In 1999, the Distributed Denial of Service (DDoS) attack first arrived with the release of a hacking tool called Trinoo. Once it had infected enough computers, Trinoo could be used to target a web server with flood traffic from hundreds of 'zombie' computers concurrently. Within months many more tools had been developed, including the Tribe Flood Network, Stacheldraht ('barbed wire' in German) and Trinity, each of which offers multiple techniques ranging from SYN floods to smurf attacks. Computers infected with a particular tool effectively form a hidden network that can be called upon at any time to launch a massive, debilitating attack against any computer globally.

When perpetrating a DDoS attack, it is common for the attacker to hack remotely into another machine, onto which they will load a range of software tools. This hacked computer becomes the 'master' (today more often called a command-and-control server) and is used to infect hundreds of other computers, which become the 'zombies' used to perform the actual attack. To initiate the attack, the attacker sends a command to the master, which is then passed on to its zombie puppets. The zombies all initiate a DoS attack at once, and the victim's site suffers an attack that seems to come from everywhere and nowhere, and which cannot be stopped by blocking individual zombie addresses. Similar attacks can be orchestrated on peer-to-peer file sharing networks by telling every client on the network that the victim's address is a peer to connect to, so that all of them swamp it at once.
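The SYN flood in the list above is the attack DDoS zombies are most often pointed at, and it works because the server commits memory to a connection before the client has proved anything. The following added example (constructed for this page, not code from the original post or from any real TCP stack) models the three-way handshake with a backlog-limited 'naive' server and a server that issues SYN cookies instead, then runs a spoofed SYN flood against both. Addresses, port numbers, the backlog size and the cookie secret are made-up assumptions; the cookie is a keyed hash of the connection tuple, which is the idea behind RFC 4987 SYN cookies rather than the exact encoding any particular operating system uses.

```python
"""Added example (not from the original post): a toy model of the TCP
handshake showing why spoofed SYNs exhaust a server that keeps per-connection
state, and why SYN cookies do not have that problem. All addresses, ports and
secrets are constructed for the example."""
import hashlib
import hmac
import random

BACKLOG = 128                              # assumption: half-open entries a naive server holds
COOKIE_SECRET = b"constructed-secret-key"  # assumption: a per-server secret
MASK32 = 0xFFFFFFFF


def next_seq(n):
    """Sequence numbers are 32-bit and wrap."""
    return (n + 1) & MASK32


class NaiveServer:
    """Allocates a backlog slot on every SYN and frees it only when the ACK arrives.
    The model has no timeout; a real stack times entries out after tens of
    seconds, which is why a flood has to be sustained rather than one-shot."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> our initial sequence number
        self.established = set()

    def on_syn(self, src, client_isn):
        if len(self.half_open) >= self.backlog:
            return None          # backlog full: the SYN is silently dropped
        server_isn = random.getrandbits(32)
        self.half_open[src] = server_isn
        return ("SYN-ACK", server_isn, next_seq(client_isn))

    def on_ack(self, src, ack):
        server_isn = self.half_open.get(src)
        if server_isn is None or ack != next_seq(server_isn):
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class CookieServer:
    """Derives its initial sequence number from a keyed hash of the connection
    tuple, so nothing is stored until a valid ACK proves the client can receive
    packets at the address it claimed."""

    def __init__(self, time_slot=0):
        self.time_slot = time_slot   # real stacks fold in a coarse clock; fixed here
        self.established = set()

    def _cookie(self, src):
        msg = f"{src[0]}:{src[1]}:{self.time_slot}".encode()
        digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, client_isn):
        return ("SYN-ACK", self._cookie(src), next_seq(client_isn))   # no state kept

    def on_ack(self, src, ack):
        if ack != next_seq(self._cookie(src)):
            return False
        self.established.add(src)
        return True


def legit_client_connects(server, src=("192.0.2.10", 40000)):
    """Full three-way handshake from one well-behaved client (constructed address)."""
    reply = server.on_syn(src, client_isn=1000)
    if reply is None:
        return False             # never got a SYN-ACK
    _, server_isn, _ = reply
    return server.on_ack(src, next_seq(server_isn))


def syn_flood(server, count):
    """Spoofed SYNs from random source addresses. The SYN-ACKs go to hosts that
    sent nothing, so the ACKs never come."""
    rng = random.Random(1)
    for _ in range(count):
        src = (f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65536))
        server.on_syn(src, client_isn=rng.getrandbits(32))


def demo():
    naive, cookie = NaiveServer(), CookieServer()
    syn_flood(naive, 10 * BACKLOG)
    syn_flood(cookie, 10 * BACKLOG)
    return {
        "naive_half_open": len(naive.half_open),
        "naive_accepts_legit": legit_client_connects(naive),
        "cookie_accepts_legit": legit_client_connects(cookie),
    }


if __name__ == "__main__":
    print(demo())
```

After the flood the naive server's backlog is full and the genuine client never even receives a SYN-ACK, while the cookie server completes its handshake because it had nothing to run out of. The trade-off real implementations make is that a cookie has only 32 bits to encode the connection, so TCP options negotiated in the SYN (such as window scaling) are lost when cookies are in use, which is why stacks switch them on only once the backlog is under pressure.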

The Victims

Despite growing concerns about the presence of DDoS tools on the web, none of the big internet sites were prepared for what the Independent called 'The day the Net stood still'. On 7 February, 2000, Yahoo was hit by a DDoS attack that lasted for three hours, during which the site lost £300,000 worth of business. The following day, further attacks were aimed at eBay, Amazon, buy.com and CNN. Some websites admitted to losing vast amounts of revenue, while others kept quiet in an attempt to avoid embarrassment.

Though the initial victims were big businesses, everything from Xbox Live consoles to entire countries has become a target for DDoS attacks. Online gamers can now buy a quick DDoS for their rivals, knocking them out of the game without the need for tiresome fragging. Meanwhile, a number of ex-Soviet Bloc countries including Estonia, Kyrgyzstan and Georgia have all suffered from politically-orientated attacks, with an attack attributed to Russia in January 2009 leaving most of Kyrgyzstan offline for around a week.

Prevention

When dealing with crippling DDoS attacks it is difficult to trace the perpetrators, not least because the zombies forge their source addresses, and so the ultimate responsibility lies with the entire Internet community. Networks can be set up so as to prevent hackers from using them for malicious purposes: filtering outgoing traffic so that packets with forged source addresses never leave the network in the first place, and refusing to forward pings to broadcast addresses so that the network cannot serve as a smurf amplifier. Meanwhile, anti-virus, anti-malware and firewall programs, together with prompt patching, can be used to prevent individual computers from being recruited as zombie puppets. In the end, it's down to every user to prevent their computers from being used as proxies for abuse – only if we work together can we help keep the Internet running.


¹ SYN stands for 'synchronize' and is a flag in the TCP header marking the packet that begins a connection. ACK, on the other hand, is the flag marking a packet that acknowledges receipt of data; the server's reply in the handshake carries both flags, while the client's final packet carries ACK alone.
