Tuesday, July 19, 2011

How do DoS/DDoS work?

In the last days one could frequently read about attacks from Anonymous and LulzSec against different platforms like Sony or HBGary etc. Yesterday for example they DDoS'ed soca.gov.uk and jhw.gov.cn. My question is: How did this work?

Since the PSN is a big network with a lot of traffic in common I'm wondering how much power their attacks must have. Do they just use their own machines and servers? Why can't anybody know who they are, the packets have to come from somewhere? Or did they first conquer a lot of public machines (of people that are not involved in these organizations, having some kind of malware on their PCs) and let these machines do the job?

And what about the attacks themselves? Is it always the same, something like ping floods, or does it depend on the target itself, searching for very expensive reactions on the target machines?

Can anyone please explain these techniques to someone never involved in DoS/DDoS?

Thanks in advance!

Disclaimer: I don't want to DoS/DDoS anything, but I want to understand how Anonymous or LulzSec or anyone else does it and get an idea of their power.

network attacks ddos dos
edited Jun 21 at 13:06
AviD♦
asked Jun 21 at 11:09
binfalse
Related questions (duplicates?): security.stackexchange.com/questions/114/… and security.stackexchange.com/questions/241/…. Note that DoS and DDoS are really different beasts... – AviD♦ Jun 21 at 13:08
The real question is, "How does ADoS work?" – atdre Jun 24 at 21:55
3 Answers

10 votes (accepted)
Anonymous tries to talk people into supporting their DDoS actions by installing a tool on their computer. It has a botnet mode which allows the leaders to define the target for all the drones. In other words: Anonymous uses social engineering instead of technical vulnerabilities to distribute their botnet client.

This tool just generates a lot of direct requests, so the IP addresses will show up in the log files of the target. There has been a considerable number of arrests of people taking part in the attacks in a couple of countries in Europe according to media reports: e.g. England, Spain, France, the Netherlands, Turkey. This is noteworthy because arrests normally get very little media attention in Europe compared to the USA.

In general there are roughly two types of DoS vulnerabilities:

The network connection or firewall may be too small to handle the number of packets
The application may require too many resources to handle specific requests.
Simple flooding

The first type is exploited by sending too much data, for example using a botnet. Sometimes IP spoofing is used to send small requests to a large number of innocent third parties which will send a larger answer back. A commonly used example is DNS queries.

DoS vulnerabilities

The second type is more sophisticated. It exploits specific weaknesses.

On the network layer, for example, the attacker may send a huge number of "requests to establish a connection" (TCP SYN flood), but never complete the handshake. This causes the target to allocate a lot of memory to store those connections in preparation. Using SYN cookies is a countermeasure.

On the application layer there are usually some operations that take much more resources than average. For example web servers are optimized to serve static content and they can do this really fast for many people. But a website may have a search function which is pretty slow compared to static pages. This is perfectly fine if only a few people use the search function from time to time. But an attacker can specifically target it.

Another operation that is usually pretty slow is logins, because they require a number of database operations: counting the number of recently failed logins from the same IP address, counting the number of recently failed logins for the username, validating username and password, checking account ban status.

As a countermeasure the application may support a heavy-load mode, which disables resource-intensive operations. A famous example of this was Wikipedia in the early days, although the high load was caused by normal users because of its sudden popularity.

PS: Please note that both of your examples, Sony and HBGary, suffered the most damage from targeted attacks, not flooding. It is unclear if those attacks have been done by the core Anonymous group.

I want to understand how Anonymous or LulzSec or anyone else does it and get an idea of their power.
I think their real power is based on fear.

In the German state of Niedersachsen, anonymous access to government websites is blocked now. According to the law it shall be possible to use online services anonymously. But the law goes on to say "as far as it is technically possible and acceptable". The government claims that their desire to protect themselves is more important, pointing out that there is no right for citizens to demand access to the internet services of the state. (Source: Heise, German)

edited Jun 21 at 12:22

answered Jun 21 at 12:07
Hendrik Brummermann
thanks a lot for these great examples! – binfalse Jun 21 at 12:31
Nice discussion of peripheral issues of law, politics, and PR. – this.josh Jun 23 at 6:41
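The application-layer case in the accepted answer (cheap static pages, expensive search and login, and a heavy-load mode that sheds the expensive operations) as an added, runnable illustration. This is example code written for this page, not anything from the answer or from any real site. The per-request costs, the one-worker-second budget, the client addresses and the traffic mix are all assumed values constructed for the simulation.

```python
"""Application-layer DoS: expensive endpoints, and a heavy-load mode.

Added example (not code from the answer above). It models a site where
static pages are cheap and search/login are expensive, replays one
second of constructed traffic, and shows that a single client aiming
only at /search can exhaust a fixed budget of worker time and take the
cheap pages down with it, while a heavy-load mode that sheds the
expensive endpoints keeps them up. All costs, budgets and addresses
are assumed values chosen for illustration.
"""
from collections import Counter

COST_MS = {"/": 1, "/search": 120, "/login": 60}  # assumed worker ms per request
EXPENSIVE = {"/search", "/login"}
BUDGET_MS = 1000  # assumed worker time available per wall-clock second


def serve_second(requests, heavy_load=False, budget_ms=BUDGET_MS):
    """Serve one second of (client_ip, path) requests in arrival order."""
    spent, served, dropped, shed = 0, Counter(), Counter(), Counter()
    for _ip, path in requests:
        if heavy_load and path in EXPENSIVE:
            shed[path] += 1            # refused up front at negligible cost
            continue
        cost = COST_MS[path]
        if spent + cost > budget_ms:
            dropped[path] += 1         # no worker time left: request times out
            continue
        spent += cost
        served[path] += 1
    return {"served": served, "dropped": dropped, "shed": shed, "spent_ms": spent}


def legit_traffic():
    """Constructed: 200 page views plus 4 searches and 4 logins, all from
    distinct legitimate clients."""
    reqs = [(f"10.0.{i // 256}.{i % 256}", "/") for i in range(200)]
    reqs += [(f"10.1.0.{i}", "/search") for i in range(4)]
    reqs += [(f"10.2.0.{i}", "/login") for i in range(4)]
    return reqs


def attack_traffic(rate):
    """Constructed: `rate` /search requests per second from one attacker."""
    return [("203.0.113.7", "/search")] * rate


def mix(legit, attack):
    """Spread the attack requests evenly among the legitimate ones."""
    if not attack:
        return list(legit)
    stream, gap, next_at, ai = [], len(legit) / len(attack), 0.0, 0
    for k, req in enumerate(legit):
        while ai < len(attack) and k >= next_at:
            stream.append(attack[ai])
            ai, next_at = ai + 1, next_at + gap
        stream.append(req)
    stream.extend(attack[ai:])
    return stream


def worker_ms(requests):
    """Worker time a request stream would consume if fully served."""
    return sum(COST_MS[p] for _, p in requests)


def run(seconds, attack_rate, hold=3):
    """Replay `seconds` of traffic. After any second in which the budget
    ran out, switch to heavy-load mode for the next `hold` seconds."""
    heavy_until, log = 0, []
    for t in range(seconds):
        heavy = t < heavy_until
        res = serve_second(mix(legit_traffic(), attack_traffic(attack_rate)), heavy)
        log.append((t, heavy, res))
        if sum(res["dropped"].values()):
            heavy_until = t + 1 + hold
    return log


if __name__ == "__main__":
    print("attacker worker-ms per second:", worker_ms(attack_traffic(50)),
          "vs budget", BUDGET_MS)
    for t, heavy, res in run(4, 50):
        print(f"t={t} heavy={heavy} served={dict(res['served'])} "
              f"dropped={sum(res['dropped'].values())} shed={sum(res['shed'].values())}")
```

The point the simulation makes is the asymmetry: fifty tiny requests per second from one host demand six worker-seconds of a one-worker-second budget, so almost all of the two hundred cheap page views time out behind them. With the expensive endpoints shed, the same second costs 200 ms and every page view is served; search and login are unavailable to everyone until the hold period expires, which is the trade-off a heavy-load mode deliberately makes. A real implementation would combine this with per-client limits on the expensive endpoints so that one attacker does not force the mode on for everybody.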
4 votes
Some more technical specifics on network flooding DDoS.

As mentioned in the other answers, usually a "botnet" is used to deliver the DDoS attack. Let's have a look at this:

A number of end-user systems get infected and (parallel to their normal functioning) become part of the "botnet". They are controlled by "bot agents" which in turn are controlled by the bot masters. You may get a number of levels of control but it all leads to some kind of system that can relay commands to the "bot soldiers". Popular methods include IRC, Twitter or public web sites. Both the bot masters and the person(s) controlling the bot connect to the agreed command center (e.g. a "secret" IRC channel). The attackers there issue commands, e.g. target, packet types, volume of traffic etc. and the attack starts. Each end system produces a flow of packets that, when summed up, cripple the victim. What's worse is that the victim itself cannot control this flow. Incoming traffic is controlled by others (the upstream providers) who must help at this moment.

In many cases it's not obvious which ones are the real attacking computers. The attack packets may have been "spoofed" (i.e. specially constructed to show a different source IP than their real one). They can do that because it's a one-way attack and no answer (connection establishment) is required.

Another method that can conceal the source is the "reflection" attack. In this the attacker sends a legitimate request (like a DNS query, a BGP packet, even a web request) to a publicly available server. But the return address of the request is that of the victim. The public servers return their legitimate answers to the victim that had not asked for them in the first place.

The types of packets and their rates can vary according to what the attacker desires. This variation may further complicate the filtering of attack traffic at the upstream providers and requires constant configuration adjustments.

Since the attack has such a distributed nature, not much can be done at the source. Still some ISPs employ preventive measures like (a) disconnecting/throttling systems that produce unusually high volumes of traffic (b) stopping packets with the wrong source addresses.

In the case of Anonymous the whole process takes place voluntarily: there is a public tool called "Low Orbit Ion Cannon" (a sci-fi reference) that is used to test public sites under high volumes of traffic. In its latest release it allows the remote control of the local traffic generator. People who pledge to help anonymous install it and "give the keys" to the group to use as decided. If I understand correctly LOIC does not employ address spoofing, hence the attacker identifications and arrests.

edited Jun 24 at 21:44

answered Jun 24 at 12:48
Georgios
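The two ISP-side measures this answer lists, (a) throttling systems that emit unusually high volumes and (b) stopping packets with the wrong source address, as an added example run over constructed flow records. This is illustration code written for this page, not anything from the answer or from any vendor's product. The customer prefixes, the flow records, the reflector port list and the thresholds are all constructed or assumed; the source-address check is the BCP 38 / RFC 2827 ingress filter that removes the spoofed packets a reflection attack depends on.

```python
"""Source-side DDoS measures over constructed flow records:
(b) drop traffic whose source address cannot legitimately come from the
    customer port it arrived on (BCP 38 ingress filtering), and
(a) flag customer hosts emitting far more packets than their peers.

Added example, not code from the answer. Prefixes, flows and thresholds
are constructed for illustration; a real deployment would take them
from the provisioning system and a flow collector.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed provisioning data: address space legitimately behind each customer port.
CUSTOMER_PREFIXES = {
    "port-A": [ipaddress.ip_network("198.51.100.0/24")],
    "port-B": [ipaddress.ip_network("192.0.2.0/25"), ipaddress.ip_network("2001:db8::/48")],
}

# Constructed flow records: (ingress port, src, dst, proto, dst port, packets)
FLOWS = [
    ("port-A", "198.51.100.10", "203.0.113.5",   "udp", 53,  12),
    ("port-A", "198.51.100.10", "203.0.113.9",   "tcp", 443, 40),
    ("port-A", "203.0.113.66",  "203.0.113.53",  "udp", 53,  9000),    # src is the victim: reflection attempt
    ("port-A", "198.51.100.77", "203.0.113.53",  "udp", 53,  250000),  # infected host hammering an open resolver
    ("port-B", "192.0.2.17",    "203.0.113.5",   "tcp", 80,  300),
    ("port-B", "192.0.2.200",   "203.0.113.5",   "udp", 53,  500),     # outside the customer's /25: spoofed
    ("port-B", "2001:db8::5",   "2001:db8:1::1", "tcp", 443, 20),
]


def source_allowed(port, src):
    """Ingress check: is `src` inside a prefix assigned to this customer port?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


def ingress_filter(flows):
    """Split flows into those passing the source-address check and those dropped."""
    passed, dropped = [], []
    for flow in flows:
        (passed if source_allowed(flow[0], flow[1]) else dropped).append(flow)
    return passed, dropped


def reflection_candidates(flows, min_packets=5_000):
    """Among spoofed flows, the ones aimed at services commonly abused as
    reflectors (DNS, NTP, SNMP, SSDP); their replies would land on the
    spoofed source address, i.e. the victim."""
    reflector_ports = {("udp", 53), ("udp", 123), ("udp", 161), ("udp", 1900)}
    return [f for f in flows if (f[3], f[4]) in reflector_ports and f[5] >= min_packets]


def heavy_talkers(flows, factor=10.0, min_packets=10_000):
    """Flag sources sending at least `min_packets` and more than `factor`
    times the mean of the other sources on the same port (assumed rule)."""
    per_port = defaultdict(Counter)
    for port, src, _dst, _proto, _dport, pkts in flows:
        per_port[port][src] += pkts
    flagged = []
    for port, counts in per_port.items():
        for src, pkts in counts.items():
            others = [v for s, v in counts.items() if s != src]
            baseline = sum(others) / len(others) if others else 0.0
            if pkts >= min_packets and pkts > factor * baseline:
                flagged.append((port, src, pkts))
    return flagged


if __name__ == "__main__":
    passed, dropped = ingress_filter(FLOWS)
    print("dropped by ingress filter:", [(f[0], f[1]) for f in dropped])
    print("would-be reflection:", [(f[1], f[2]) for f in reflection_candidates(dropped)])
    print("heavy talkers to throttle:", heavy_talkers(passed))
```

Note what each check can and cannot see. The ingress filter catches the spoofed packets (including the one whose source is the victim's own address) before they ever reach a reflector, but only if the ISP at the attacker's edge runs it; it does nothing about the infected host on port-A that sends from its real address. That host is what the volume rule catches, and why the answer lists both measures.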
3 votes
The simplest way is to use a botnet (you can check out the Wikipedia definition here)

This is a network of machines you can control to all send packets to the target at once. Using 100,000 machines at once can generate a lot of traffic, and some botnets are much larger than that!

An attacker has an even greater effect if the type of attack they use requires much larger resource on the target than the source.

And to answer your specifics:

Good botnets are not obvious to most end users - the general population of the internet isn't very security/tech savvy, so compromising their PCs isn't difficult.

Attack types vary dependent on target. Ping floods are not as likely as some others, such as SYN floods.
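SYN floods are named as a likely attack type here and SYN cookies as the countermeasure in the accepted answer; the following added example shows why the flood works and how the cookie defeats it. This is illustration code written for this page, not code from any answer or from any kernel. The bit layout follows the classic description (top 5 bits a time counter, next 3 bits an MSS index, low 24 bits a keyed hash of the connection 4-tuple and the counter); HMAC-SHA256, the secret, the MSS table, the backlog size and all addresses are assumptions made for the simulation.

```python
"""SYN cookies against a SYN flood (added example, not from the answers).

A SYN flood works because an ordinary listener stores state for every
half-open connection and its backlog fills with entries that never
complete. With SYN cookies the server stores nothing: the 32-bit
initial sequence number in its SYN-ACK *is* the state. When the ACK
comes back, the server recomputes the cookie and accepts only a match.
Layout follows the classic description; hash, secret, MSS table and
addresses are assumed for illustration.
"""
import hashlib
import hmac

MSS_TABLE = [536, 1300, 1440, 1460]         # assumed: MSS values the 3-bit index can name
SECRET = b"constructed per-boot secret"     # assumed: real kernels use random per-boot keys
TIME_SLOT_SECONDS = 64


def _hash24(secret, saddr, daddr, sport, dport, t):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now, secret=SECRET):
    """Build the SYN-ACK sequence number; nothing is stored on the server."""
    t = now // TIME_SLOT_SECONDS
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i                     # largest table entry not above the client's MSS
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(secret, saddr, daddr, sport, dport, t)


def verify_cookie(saddr, daddr, sport, dport, ack_number, now, secret=SECRET, max_age_slots=1):
    """Return the MSS to use if the ACK carries a valid, fresh cookie, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for back in range(max_age_slots + 1):   # accept the current and the previous time slot
        t = now // TIME_SLOT_SECONDS - back
        if (t & 0x1F) != counter:
            continue
        expected = _hash24(secret, saddr, daddr, sport, dport, t)
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class StatefulListener:
    """Ordinary listener: one backlog entry per half-open connection."""
    def __init__(self, backlog=256):                # assumed backlog size
        self.backlog, self.half_open = backlog, {}

    def on_syn(self, key):
        if len(self.half_open) >= self.backlog:
            return None                     # backlog full: even a real client's SYN is dropped
        self.half_open[key] = 0x12345678    # stand-in for a random ISN
        return self.half_open[key]

    def on_ack(self, key, ack_number):
        isn = self.half_open.pop(key, None)
        return isn is not None and ack_number == isn + 1


class CookieListener:
    """Listener that keeps no half-open state at all."""
    def on_syn(self, key, mss, now):
        return make_cookie(*key, mss, now)

    def on_ack(self, key, ack_number, now):
        return verify_cookie(*key, ack_number, now)


def simulate(n_spoofed=20_000, now=1_000_000):
    """Flood both listeners with SYNs from spoofed sources that never ACK,
    then see whether one legitimate client can still connect."""
    stateful, cookies = StatefulListener(), CookieListener()
    for i in range(n_spoofed):
        key = (f"203.0.113.{i % 250}", "198.51.100.1", 1024 + i % 60000, 80)
        stateful.on_syn(key)
        cookies.on_syn(key, 1460, now)
    real = ("192.0.2.7", "198.51.100.1", 40000, 80)
    s_isn = stateful.on_syn(real)
    c_isn = cookies.on_syn(real, 1460, now)
    return {
        "stateful_accepts": s_isn is not None and stateful.on_ack(real, s_isn + 1),
        "cookie_mss": cookies.on_ack(real, c_isn + 1, now + 30),
        "cookie_forged": cookies.on_ack(real, (c_isn ^ 0x40) + 1, now + 30),
        "cookie_stale": cookies.on_ack(real, c_isn + 1, now + 5 * TIME_SLOT_SECONDS),
        "half_open_entries": (len(stateful.half_open), 0),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

After the flood the stateful listener holds 256 dead entries and drops the real client's SYN; the cookie listener holds nothing and still completes the real handshake, while an ACK with a flipped cookie bit or one that arrives several time slots late is rejected. The cost is that a cookie can only carry what fits in 32 bits, which is why the MSS is reduced to a small table and other TCP options are lost unless timestamps are used to carry them; production kernels therefore switch to cookies only once the backlog overflows.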

http://security.stackexchange.com/questions/4667/how-do-dos-ddos-work