Chapter 1. DDoS Attacks: Overview

It is the morning of Christmas in 2014, a day on which, in many areas of the world, kids and adults alike awake to cheerful Christmas music and gift-wrapped presents underneath the Christmas tree. Smiling from ear to ear, many eagerly unwrap the gift of a new game console such as a Microsoft Xbox or Sony PlayStation. Others jump for joy for the latest and hottest release of online games. As they rush to fire up the new console or game, they wait patiently for the game to register online and start. They wait and wait, only to be greeted with a “Service Unavailable” error.

Upon further research, news that the gaming sites are under a Distributed Denial of Service attack, or DDoS, starts to surface. The companies’ social media outlets, shown in Figure 1-1 with over 1,000 retweets, begin to fill with angry comments from frustrated users. Rumors on the web start to swirl around as to who were the malicious actors, what their motivations were, and when the service will be restored.

It was later confirmed that the service disruption was due to a group of malicious actors called Lizard Squad launching the DDoS attack on the gaming companies. The gaming services were interrupted on one of the biggest holidays of the year and a large sum of revenue was lost. More importantly, the reputation of the companies was severely damaged and consumer confidence in the service took a punishing hit that took the companies years to regain.

Figure 1-1. Sony PlayStation “Service Unavailable” Twitter message from December 25, 2014

In this chapter, you will find answers to questions such as what DDoS attacks are and why they are effective. You will also learn about who is behind the attacks and what their motivations are, as well as common types of DDoS attacks.

Let’s get started by looking at what DDoS attacks are.

What Are DDoS Attacks?

Let’s start by separating “Distributed” from “Denial of Service” and looking at them separately. Simply put, a Denial of Service is a way to make a service unavailable, thus denying the service to its users. Oftentimes, this is done by blocking the resources required for providing the service. One of the most effective ways of doing this is to generate lots of bogus requests from different, or “Distributed,” sources, which drowns out legitimate requests.

Imagine for a minute that you own a corner bakery. As a merchant, certain things need to happen before you can transfer goods into the hands of customers. In order to complete the transaction, many elements are required; three of them are shown in Figure 1-2:

  1. The customers need to know how to access your store. They will need a way to look up your store address, such as by calling the local directory service.

  2. The customers need to take some kind of transportation to your store and access the goods by walking into your store through the door.

  3. The customers need to pay for the goods they wish to purchase. On the merchant side, you will need a mechanism to document the transaction so you can calculate any necessary taxes and fees as well as the price of the goods. You might also need a form to process electronic payments such as credit card transactions.

Figure 1-2. Required elements of a business transaction

Now let’s assume that I am a bad guy who does not want the transaction to succeed, or that I am somebody who is simply curious whether I can stop that transaction from happening. By carefully observing the three elements above, the DDoS equivalents of blocking the service are shown in Figure 1-3:

  1. I can disallow the address lookup for your store. For example, if the address lookup is done by an operator-directed service, I can place a lot of calls to the operator, which will block new calls from coming in.

  2. I can hire a lot of people to block the street or your store entrance so the customer cannot get into your store.

  3. I can place a lot of low-value transactions on your credit card service (e.g., buying a lot of one-cent candies), thus delaying the transactions for higher-dollar-value items. I can also distract the cashier by asking them to do something else, such as answer phone calls.

As you can see, the act of denying service usually requires a large volume of partially legitimate acts. In the analogy just given, at least in the beginning, it is hard to tell whether somebody standing in front of your door is a legitimate potential customer or whether their intention is to block other customers.

Figure 1-3. DDoS for different business elements

The example of the corner bakery can be extended to our digital world today. The store could be your e-commerce store, the public street that leads to your store could be the various internet connections, and the cash register could be the web server that handles your check-out process. The address lookup of the store is analogous to the domain-name-to-IP-address translation, a service that historically has been a target of DDoS attacks.

In the next section, we will take a look at what makes DDoS effective.

Why Are DDoS Attacks Effective?

We are living in a world that is more digitized than ever. “Software is eating the world,” declared Marc Andreessen in a 2011 Wall Street Journal article. For many people, the first thing that comes to mind when discussing cybersecurity is software bugs. Software is created by humans, and humans introduce bugs to the applications. Even software widely used by thousands of people every day can have bugs that are only discovered years after its release; a good example is the Heartbleed OpenSSL vulnerability, CVE-2014-0160. Fortunately, even though bugs exist, if the software was written using best practices by top software developers, the bugs are difficult to catch. You have to be an expert in the given field in order to catch them. Top technology companies, like Google and Microsoft, have so-called “bug bounty” programs that reduce the likelihood of a zero-day threat even more.

DDoS attacks are different from software bugs in that an understanding of the underlying mechanism of the software or infrastructure is not required to carry out a successful attack. An attack can be even more potent if the attacker understands the architecture, but some of the more successful attacks that we have seen were carried out by industry outsiders. The complexity of the attack relies on the ability of the attacker to control a large number of sources. In today’s connected world, where everybody carries a smartphone in their pocket, lives in a home where every lightbulb and thermostat has an embedded computer, and travels in self-driving cars with supercomputers for brains, it is not difficult to see where such hosts can be found. Later in this chapter, we will discuss the botnets and Internet of Things (IoT) devices that can be used as seemingly legitimate sources in DDoS attacks.

The simplicity of the process and the proliferation of the ever-expanding connected world we live in are what make DDoS attacks so effective, in our opinion. If anyone with a relatively small amount of money can rent a botnet and launch DDoS attacks, the chances of a successful attack increase tremendously. In defending your network against these attacks, it is worth noting that the good guys need to defend against almost all attacks, while the bad guys only need to succeed once to achieve their goal. For the entities needing to defend against DDoS attacks, there is a real cost in the areas of equipment, knowledge, operations, and lost productivity associated with the attacks.

In Chapter 5, we will examine how to turn a passive defense into a more active one by using honeypots and threat intelligence systems.

Who Is Behind the Attacks and What Is Their Motivation?

You might be wondering who the people are behind the DDoS attacks and what their motivations are. In general, they can be divided into several categories. We will look at some of them.

Criminals

Perhaps the easiest group to understand is the criminals who seek financial gain from the DDoS attacks they conduct. The most straightforward way for the criminals to earn money from an attack is to make themselves available for hire to attack designated targets on demand. This is often disguised as a stress-testing site. Granted, some vendors do offer legitimate stress-test services, but rogue stress-test sites often do not verify the identity and source of the requester, ask no questions regarding the target, and certainly give no advance warning to the target. When these conditions occur, it is generally understood that they are DDoS-for-hire guys.

Often the attack is done automatically without the buyer ever being in contact with the person or group providing the attack service. The transaction is often paid for in untraceable currency, such as Bitcoin. Interestingly enough, nowadays DDoS-for-hire is a very competitive market; it is our experience when we hire some of them for attack research (we attack targets that we own, of course) that they often provide good customer service. If the attack target failed to go down, they would even offer a refund. Figure 1-4 shows an example of a self-service DDoS-for-hire website.

Another way for a criminal to earn money from DDoS attacks might be to demand ransom from institutions in exchange for not launching a DDoS attack against them. The attackers might demonstrate that they can successfully bring down the target at a smaller scale, making it inaccessible for a short period of time, before demanding a larger ransom from the victim to stop a larger attack down the road.

Figure 1-4. DDoS for Hire Botnet (source: http://bit.ly/2rXJ3NZ)

If you operate an internet-facing business and someone threatens to DDoS attack you, we recommend that you be cautious but do not give in to the threat, even if they have conducted a small-scale proof of attack. It is always a good idea to start collecting data from the threat to prepare for possible legal actions and to start preparing your infrastructure and staff by increasing visibility and operating procedures. But keep in mind that it is always a slippery slope once you start to cave in to the attackers.

Thrill Seekers and Status Seekers

There are of course people who launch DDoS attacks for the thrill of having done something that is disruptive so they feel they are in control and powerful. Besides DDoS-for-hire sites, in the world of open source projects and knowledge sharing, DDoS attack tools can often be obtained easily. Thrill seekers do not need in-depth knowledge of the tool, as many of the open source tools have simple point-and-click interfaces to successfully launch an attack. Since the attack tools can often be as simple as a programming script, sometimes we refer to thrill seekers as “script kiddies.” The ease of getting such a script might surprise some—it can be as simple as a digital trip to a hacker forum (Figure 1-5) to obtain the necessary scripts and instructions.

Besides people who DDoS attack others for fun, sometimes the motivation can be to obtain a certain status within the community they belong to. People who are seeking status often pick well-known sites that are more difficult to bring down. There is a me-against-them mentality from the attacker toward the establishment. They are often eager to claim credit and brag about the event online.

Figure 1-5. Hackerforum.net for scripts

The line between thrill seekers and status seekers is often blurred. A classic example can be that of the Lizard Squad case that we mentioned earlier. The group was clearly amused by the amount of attention they got, even demanding that other Xbox and PlayStation users write Lizard Squad on their foreheads to stop the attack. They were also eager to claim their status as “the group that brought down Xbox Live and Sony PlayStation Network.”

Angry and Disgruntled Users

Quite surprisingly to us, when we initially looked into the DDoS security space, the most common DDoS attacks were not launched by one group against another, but rather by one user against another. This is especially common in the gaming community, as it consists of passionate users who are deeply invested in the environment with their time and money. It stands to reason that when one party is losing during a competition, sometimes that party will try to take a shortcut by knocking the other user offline. It is so common in the industry that there are FAQs and established standard procedures that companies direct their users to if they feel they are under a DDoS attack.

The angry and disgruntled user could also be an ex-employee or an angry customer who had a bad experience. It really goes to show how little friction exists today to launch a DDoS attack, which makes it a common tool for angry and disgruntled users to turn to.

Hacktivist

The angry user scenario is not limited to gamers taking recreational activity a bit too far. Angry users can also be those who are protesting a certain company policy or value. The motivation can also be political beliefs, with no financial or criminal intentions associated with these individuals. The infamous group Anonymous was a strong hacktivist group. You still see hacktivist attacks toward official government establishments, as well as the likes of North Korea and ISIS.

Common Types of DDoS Attacks

In this section, we will look at the most common types of DDoS attacks. New attacks happen often, and most of the time they can be generalized and put into existing categories. By separating one type of attack from another, we can then devise generalized mitigation strategies for each of them. Though there are different types of DDoS attacks, they all rely on traffic volume. It is worth mentioning that an attack can succeed as long as it breaks the weakest link, since a network consists of many different elements.

Volumetric Floods

The attacker can simply flood the network with traffic to starve out the legitimate requests and render the service unavailable. The target can be any of the network components, such as a flood of requests to the DNS or web server. The DNS and web server need to be public in order for people to request service from them, and they can be a direct target for the attacker. It is worth noting that in the case of flooding, the request does not need to be properly formatted. In other words, as long as the request packet makes its way to the target the attack can potentially succeed.

Network Protocol–Level Attacks

The internet is built on common layers of technologies; this is part of the fundamental bedrock that allows different systems to communicate with each other. You might be familiar with the OSI model that standardized the communication model among computer systems. The transport layer consists of the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) that most modern applications are built on. For example, the HTTP protocol that serves web pages is built on TCP while the DNS protocol is built on UDP.

The TCP and UDP protocols are built on the idea of openness and inclusivity, just like the internet itself. Though this idealism made the internet what it is today, it also gave attackers the same level ground as everybody else. The operation of these protocols, as well as their possible weaknesses, can be gleaned easily from publicly accessible documents and then used in a DDoS attack.

For example, the TCP protocol relies on a three-way handshake in which the receiver keeps the state of the connection after the initial contact, known as a SYN. One of the oldest DDoS attacks consists of the attacker sending the server a flood of TCP SYN packets, which exhausts the server’s resources with half-open connections.
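A defender’s view of the SYN flood just described, added here as an illustration and not code from the book: the function scans socket-state lines in the format printed by ss -tan (the sample below is constructed, with documentation-range addresses) and flags a listening port whose half-open SYN-RECV backlog, spread across many distinct peers, dwarfs its established connections. The thresholds are assumptions and would be tuned to the server’s normal load.

```python
from collections import Counter, defaultdict

# Constructed sample of `ss -tan`-style socket lines (not a real capture).
# A pile of half-open (SYN-RECV) sockets from many unrelated sources, with few
# connections ever reaching ESTAB, is the footprint of a TCP SYN flood.
SAMPLE_SOCKETS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.7:52311
ESTAB     0      0      10.0.0.5:443        198.51.100.9:40122
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:51000
SYN-RECV  0      0      10.0.0.5:443        203.0.113.11:51001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.12:51002
SYN-RECV  0      0      10.0.0.5:443        203.0.113.13:51003
SYN-RECV  0      0      10.0.0.5:443        203.0.113.14:51004
SYN-RECV  0      0      10.0.0.5:443        203.0.113.15:51005
SYN-RECV  0      0      10.0.0.5:80         203.0.113.16:51006
ESTAB     0      0      10.0.0.5:80         198.51.100.8:33001
"""


def parse_sockets(text):
    """Yield (state, local_port, peer_ip) per socket line, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def syn_flood_report(text, max_half_open=5, min_ratio=1.0):
    """Per local port: half-open count, established count, distinct SYN sources.
    A port is flagged when its SYN-RECV backlog exceeds max_half_open and
    half-open sockets outnumber established ones by at least min_ratio
    (both thresholds are assumed values for this illustration)."""
    half_open, established = Counter(), Counter()
    syn_sources = defaultdict(set)
    for state, port, peer in parse_sockets(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            syn_sources[port].add(peer)
        elif state == "ESTAB":
            established[port] += 1
    report = {}
    for port in set(half_open) | set(established):
        h, e = half_open[port], established[port]
        ratio = h / e if e else float("inf")
        report[port] = {
            "half_open": h,
            "established": e,
            "distinct_syn_sources": len(syn_sources[port]),
            "suspicious": h > max_half_open and ratio >= min_ratio,
        }
    return report


if __name__ == "__main__":
    for port, stats in sorted(syn_flood_report(SAMPLE_SOCKETS).items()):
        print(port, stats)
```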

Amplification and Reflection

While TCP is vulnerable because the host must tie up resources for each connection, and those resources are easily exhausted in a flood, the connectionless nature of UDP is also susceptible to DDoS attacks and is misused even more often. In particular, because a UDP-based server does not verify the source in favor of a faster exchange, UDP is often leveraged in amplification and reflection attacks. Amplification and reflection usually go hand in hand.

Consider the analogy in Figure 1-6 of a prank that is sometimes played by teenagers: the prankster, Bill, calls a pizza shop pretending to be Mike and orders 100 pizzas to be delivered to his house.

Figure 1-6. Pizza delivery prank

If the pizza shop does not verify that the source of the call was indeed from Mike (instead of Bill pretending to be Mike), and goes ahead and makes and delivers the 100 pizzas, both the pizza shop and Mike will be left with an ugly situation.

UDP, unlike TCP, does not verify the source IP address of a request by design. Therefore, the attacker can easily spoof the victim as the source when making a UDP request to a server, so that the server’s response is reflected toward the victim. In Figure 1-7, we illustrate a simple packet flow among the spoofed source, the amplifier, and the victim.

Figure 1-7. UDP amplification and reflection

If you couple reflection with small requests that produce large responses, the amplification effect takes place. This is precisely the type of attack that results in the victim being DDoS attacked. Examples include DNS amplification and NTP reflection attacks.
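The packet flow of Figure 1-7 as a small simulation, added here and not part of the book: a reflector that, like an open DNS or NTP service, answers whichever address the source field names; an attacker’s spoofed queries; and the resulting amplification factor at the victim. It goes one step beyond the text by also modelling source-address validation at the attacker’s network edge (BCP 38), which drops the spoofed queries before they reach any reflector. All addresses are from documentation ranges and the response sizes are assumed, not measured.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    size: int  # bytes on the wire


class Reflector:
    """A UDP service that answers whoever the source field names, without
    verifying it. response_factor models how much larger the answer is than
    the query (an assumed figure for this illustration)."""

    def __init__(self, ip, port, response_factor):
        self.ip, self.port, self.factor = ip, port, response_factor

    def handle(self, pkt):
        if pkt.dst != self.ip or pkt.dport != self.port:
            return None
        # The answer goes to the claimed source, i.e. to the victim.
        return Packet(self.ip, pkt.src, self.port, pkt.sport, pkt.size * self.factor)


def ingress_filter(allowed_prefix):
    """Edge filter at the attacker's ISP: drop packets whose source address is
    not inside the customer's own prefix (source-address validation, BCP 38)."""
    net = ip_network(allowed_prefix)
    return lambda pkt: pkt if ip_address(pkt.src) in net else None


def run_reflection(queries, reflectors, edge_filter=None):
    """Push queries through the optional edge filter and then the reflectors.
    Returns bytes delivered per destination and the overall amplification
    factor (bytes reaching destinations / bytes the attacker actually sent)."""
    delivered, sent_bytes = {}, 0
    for q in queries:
        if edge_filter is not None:
            q = edge_filter(q)
            if q is None:
                continue
        sent_bytes += q.size
        for r in reflectors:
            resp = r.handle(q)
            if resp is not None:
                delivered[resp.dst] = delivered.get(resp.dst, 0) + resp.size
    total = sum(delivered.values())
    return delivered, (total / sent_bytes if sent_bytes else 0.0)


# Constructed scenario: an attacker on 198.51.100.0/24 forges the victim
# 192.0.2.10 as the source of 60-byte queries to one DNS and one NTP reflector.
VICTIM = "192.0.2.10"
REFLECTORS = [Reflector("203.0.113.53", 53, 50), Reflector("203.0.113.123", 123, 200)]
SPOOFED = [Packet(VICTIM, r.ip, 40000 + i, r.port, 60)
           for i, r in enumerate(REFLECTORS) for _ in range(3)]

if __name__ == "__main__":
    got, factor = run_reflection(SPOOFED, REFLECTORS)
    print(f"no filtering: victim receives {got.get(VICTIM, 0)} bytes, x{factor:.0f} amplification")
    got, factor = run_reflection(SPOOFED, REFLECTORS, ingress_filter("198.51.100.0/24"))
    print(f"with BCP 38 at the attacker's edge: victim receives {got.get(VICTIM, 0)} bytes")
```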

Application-Level Attacks

The application-level attack requires more application-level knowledge, but not necessarily in-depth knowledge. For example, if you understand the basics of the HTTP POST method, you can launch a low-and-slow POST operation by sending a body of thousands of characters one character at a time to an HTTP server, keeping each session open until just before it times out. Or you can perform an HTTP GET flood, knowing that the server might not have enough resources to handle the burst of GET requests.

The difference between application- and network-level attacks is the volume of traffic involved. Usually, the network-level attack is very obvious because it takes a lot more traffic to exhaust the network services, whereas the application-level attack requires a much lower volume of traffic and might be able to disguise itself until somebody familiar with the application is able to diagnose the problem.
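A detection sketch for the low-and-slow POST pattern described above, added here and not from the book: it inspects a snapshot of in-flight POST requests (constructed data, in the shape a server’s request log or status page might give) and flags clients that hold a request open for a long time while trickling the body in far below a plausible upload rate. It also reports the share of open requests that are slow, since a rising share with flat bandwidth is what separates this from the volumetric floods discussed earlier. The thresholds are assumptions.

```python
# Constructed snapshot of in-flight HTTP POST requests (not real server data):
# client address, seconds the request has been open, declared Content-Length,
# and body bytes received so far.
OPEN_POSTS = [
    {"client": "198.51.100.20", "open_seconds": 2.0, "content_length": 8192, "received": 8192},
    {"client": "198.51.100.21", "open_seconds": 1.5, "content_length": 2048, "received": 1900},
    {"client": "203.0.113.30", "open_seconds": 300.0, "content_length": 1_000_000, "received": 300},
    {"client": "203.0.113.31", "open_seconds": 280.0, "content_length": 1_000_000, "received": 250},
    {"client": "203.0.113.32", "open_seconds": 310.0, "content_length": 1_000_000, "received": 330},
]


def slow_post_offenders(requests, min_open_seconds=30.0, min_rate_bytes_per_s=100.0):
    """Return clients holding a POST open well past min_open_seconds while
    delivering the body below min_rate_bytes_per_s with most of it still
    outstanding: the low-and-slow pattern. Fast or nearly finished uploads
    are left alone. Thresholds are assumed values for this illustration."""
    offenders = []
    for r in requests:
        if r["open_seconds"] < min_open_seconds:
            continue
        rate = r["received"] / r["open_seconds"]
        remaining = r["content_length"] - r["received"]
        if rate < min_rate_bytes_per_s and remaining > 0:
            offenders.append({
                "client": r["client"],
                "bytes_per_s": round(rate, 2),
                "remaining": remaining,
            })
    return offenders


def share_of_slow_connections(requests, **thresholds):
    """Fraction of open POSTs that are slow offenders. Unlike a flood, the
    total traffic here is tiny; the tell is idle connections piling up."""
    if not requests:
        return 0.0
    return len(slow_post_offenders(requests, **thresholds)) / len(requests)


if __name__ == "__main__":
    for o in slow_post_offenders(OPEN_POSTS):
        print(o)
    print(f"slow share: {share_of_slow_connections(OPEN_POSTS):.0%}")
```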

Multivector Attacks

Of course, since the goal of the attacker is to make the service unavailable to other users, the attack can be a combination of the different types for a multivector attack. In several instances, we have seen the attack incident start out as a flood of traffic toward the network consisting of classic floods, then morphing into various other forms of attacks such as protocol-level attacks.

Botnets and IoT Devices

It is clear that DDoS techniques are simply a blockage of service by means of a large number of distributed sources. But what are these devices? Are people knowingly giving up their computers to participate in a DDoS attack? The answer is no. Oftentimes the hosts used in the attack are unknowingly infected via malware or some kind of Trojan horse software that disguises itself as something useful or interesting to the user but in reality provides a backdoor for another computer to take control.

These infected hosts are often called bots, and a cluster of bots is referred to as a botnet. Unaware users who open mail attachments that are executable programs, or who download pirated movies that are actually malware, often unknowingly become part of a botnet. This problem is sometimes lessened by more educated users who understand the risk and do not perform any of these actions.

However, one scary trend lately is the rise of Internet of Things (IoT) devices. The term often refers to connected homes that contain internet-connected thermometers, doorbells, DVRs, and light switches. Though they provide useful functions that benefit our lives, one problem is that these devices are relatively powerful and large in number, often unmanaged, and many times shipped with exploitable vulnerabilities that cannot be patched for some time—if ever. The recent Mirai attack is a good example of IoT devices being used in a DDoS attack.

Regardless of the type of botnet, the bots are dormant without external instructions that direct them to send bogus requests to the attack targets. There is a controlling host that is aware of the bots and sends instructions to them when the time is right. The controlling host is referred to as the Command and Control (C&C) server. It is essentially the brain of the bots and critically important to the operation of the botnet. A C&C server, or a cluster of them, can be set up in many ways; multiple layers of C&C can also exist to avoid detection.

Shift to Cloud Computing

Another component is the shift toward cloud computing. Sometimes companies and end users leave unpatched virtual machines exposed, where they become infected with malware and are subsequently leveraged as part of a botnet.

It is worth noting that many botnets consist of home routers and other embedded devices. Keeping your home router firmware updated will not only keep your device out of the reach of a C&C server, it will also protect the other digital devices in your home. In Figure 1-8, you can see that a single C&C machine can control a large number of bots.

Figure 1-8. Botnet Command and Control server (source: http://bit.ly/2BKHFh7)

Summary

In this chapter, you have seen an overview of the DDoS attacks—from the actors to the techniques used. In the next chapter, we will take a deeper look at how to detect DDoS attacks.
