It’s called Denial of Service. As these things go, that’s a very good name for it. In a world filled with Trojan Horses, Gilded Pineapples and various Microorganisms, Denial of Service is refreshingly straightforward. But What does it mean, exactly? How is it achieved, and what is it commonly used for? Should we be afraid?
As always, don’t panic, don’t be afraid, get informed!
These attacks have been going on for some time. And they come in a variety of flavors. There are DDoS for wireless, email DDoS attacks, Botnet based attacks and even Zombie attacks, Smurf attacks and many many others They all have one thing in common: They overload a particular computer or network to deny access or slow down a system to virtually deny access to some web page, email server or other internet connected service. DDoS stands for Distributed Denial of Service.
Prior to common Internet usage, the same term was used to describe a local attack inside an isolated computer network. The term goes back to well before the age of the personal computer, and was well known by sysops of time sharing based mainframe systems.
My first encounter with a such a thing was back in 1974. My friend Keith was majoring in Information and Computer Science at UC Irvine, and took a bunch of us up to see his latest class project ( a program to generate guitar chord charts) on the mainframe.
He stopped the elevator between floors, and held down the “open door” button. The wall behind the elevator doors was covered in graffiti, and right in the center was a clearly lettered set of instructions on how to crash the sigma 7 ( the ∑7 was a popular computer made by Xerox Corporation, this was nearly a decade before anyone had a personal computer) The instructions told how to run what amounted to a denial of service, overloading the mainframe with requests until it crashed.
From that time forward, computers crept into our lives bit by bit, and with them they brought the specter of a DDoS attack. We heard about flood attacks, single user attacks, pranks, dirty tricks, logic bomb attacks and more. Eventually the internet brought what were once schoolboy antics to an unreasonable level.
In Tokyo, a famous DDoS was run on mobile phones instead of computers in an exploit commonly called DOCOMO911 (more on this later)
In February, 2000, MAFIABOY (a.k.a. Michael Calce of Montreal, Canada) launched what was the most famous denial of service attack up to that time. At the time, Calce was only fifteen years old but he managed to bring down the web pages of Dell, E*TRADE, Amazon, CNN, eBay, and YAHOO! He used networks of captured, (ZOMBIE) machines to launch the attack. He bragged about it on IRC channels and was caught. Canadian law kept him from adult prosecution, and even kept his identity secret–last fall he published a book about his exploits.
We have heard of criminal extortion based on threat of denial of service. (this always makes me imagine a mock-friendly mobster voice, saying: “Nice website you got here, be a shame if somebody was to shut it down”) There have also been acts of war using a DDoS. (most notably in Estonia and the Georgia, and just recently in Korea) It is, perhaps, the most aggressive of all Internet attacks.
HOW DOES IT WORK?
There are actually two components in a modern DoS attack, the first is to enlist an army of computers to launch the attack. This is only one of the many possible uses of a BOTNET. The bad guys could either choose to plant botnets and DDoS tools themselves, or they could simply purchase or rent a botnet from one of the many available for sale on the internet underground. The owners of the botnet computers do not know that their computers are being used for such a thing, or that there is a Bot on their computer at all. The captured computer is used surreptitiously, and frequently there is no visible symptom that this thing is going on.
The second component is to choose and locate a targeted system. The system is generally a server (this is why they call it a denial of service) and it has to be identified by it’s domain, url or ip address. The tighter the focus, the more effectively the attack can block off service. This is commonly referred to as a ‘brute force attack’. No malware need be planted on the targeted system(s).
At a synchronized time, all of the botnet ‘soldiers’ (typically in the thousands) will all make as many perfectly legal requests to the target as possible, this synchronized flood of internet activity overwhelms the system, which eventually gives out under the strain.
WHAT’S THE POINT?
If you need to connect to a web page, it is delivered to you via a web server. If that server is brought down via a denial of service, then you cannot go to the web page. Now you might not think that to be too much of a problem, but how much business is done online? What could be brought down by such a thing? Emergency phone service in Tokyo is a very good example. (like our 911 here in the states, this particular DOS was actually done by infecting mobile phones and making them dial the emergency number until no legit calls could get through)
Increasingly, we put the critical infrastructure of our businesses, our governments, our very lives online. If we can be denied service at the bank, at the telephone company or at the hospital, then we are vulnerable to the extent that we rely on these systems.
WHAT CAN BE DONE TO PROTECT THESE SYSTEMS?
Well, companies used to protect individual machines by making them ‘fail over’ to a new ip address, but the bad guys got smarter. Today’s attacks require sophisticated detection of incoming packets by dedicated hardware and software, that can then redirect the attacking messages to a null ip, or black hole.(I swear that’s what they call it) and thus channel the attack to nowhere. systems and domains without the means to get this protection have less alternatives. They can shut down and ride out the attack.
HOW CAN I LEARN MORE?
There is a great webpage at the US-CERT :