Distributed Denial-of-Service (DDoS) attacks have been a threat to internet sites and users since 1999. The aim of a DDoS attack is to render the targeted website unavailable. While websites are the main target of DDoS attacks, the technical target is the computer/server on which the website operates, while the intended target might actually be a single user, as was the case in the 2009 Russian attacks against Twitter, Facebook and other social networking sites, which aimed at silencing a Georgian user who used these websites to express his opposition to Russian policies. Essentially, the idea behind a DDoS attack is to overwhelm the computer in question. Internet users might be familiar with the effect that a website is temporarily unavailable if too many users try to access it at the same time, e.g., due to increased popular interest in the website which exceeds the bandwidth assigned to it. DDoS attacks do the same artificially and on a large scale by using a large number of 'hijacked' computers (zombies), targeting bandwidth, router processing capacity or network stack resources, which essentially breaks the connection between the server on which the targeted website is physically located and the rest of the Internet. The owners/users of the computers which are used for the attack are usually unaware of the fact that their hardware has been abused for such an attack. Yet it is internet users who fail to secure their hardware properly against being taken over who make such attacks possible.

As was explained shortly after the first DDoS attacks at the turn of the millennium: "[T]he perpetrator starts by breaking into weakly-secured computers, using well-known defects in standard network service programs, and common weak configurations in operating systems. On each system, once they break in, they perform some additional steps. First, they install software to conceal the fact of the break-in, and to hide the traces of their subsequent activity. For example, the standard commands for displaying running processes are replaced with versions that fail to display the attacker's processes. These replacement tools are collectively called a 'rootkit', since they are installed once you have 'broken root', taken over system administrator privileges, to keep other 'root users' from being able to find you. Then they install a special process, used to remote-control the burgled machine. This process accepts commands from over the Internet, and in response to those commands it launches an attack over the Internet against some designated victim site. And finally, they make a note of the address of the machine they've taken over. All these steps are highly automated. A cautious intruder will begin by breaking into just a few sites, then using them to break into some more, and repeating this cycle for several steps, to reduce the chance they are caught during this, the riskiest part of the operation. By the time they are ready to mount the [...] attacks [...] they have taken over thousands of machines and assembled them into a DDoS network; this just means they all have the attack software installed on them, and the attacker knows all their addresses (stored in a file on their control system)."

This is the difference between ordinary Denial-of-Service (DoS) attacks and Distributed Denial-of-Service (DDoS) attacks: "In a DDoS attack, the attacking packets come from tens or hundreds of addresses rather than just one, as in a 'standard' DoS attack. Any DoS defense that is based upon monitoring the volume of packets coming from a single address or single network will then fail since the attacks come from all over. Rather than receiving, for example, 1,000 gigantic Pings per second from an attacking site, the victim might receive one Ping per second from 1,000 attacking sites. One of the other disconcerting things about DDoS attacks is that the handler can choose the location of the agents. So, for example, a handler could target several NATO sites as victims and employ agents that are in countries known to be hostile to NATO. The human attacker, of course, might be sitting in Canada. Like DoS attacks, all of the DDoS attacks employ standard TCP/IP messages, but employ them in some non-standard ways. Common DDoS attacks have such names as Tribe Flood Network (TFN), Trin00, Stacheldraht, and Trinity." The attack is then started with a single command to the 'hijacked' machines to send packets (formatted blocks of information which are carried by packet-mode computer networks) and thereby to start one of a number of different possible flooding attacks against the chosen victim until the attack is stopped by sending another command. As for the technical response to DDoS attacks, there are some ideas, but not really anything that amounts to a strategic doctrine.
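The quoted passage makes a concrete point about detection: a rule that watches the packet volume coming from each single address sees nothing unusual when 1,000 sources each send one packet per second, even though the victim receives exactly the same load as from one source sending 1,000 per second. The following script is an added example, not code from the text or from the source it quotes. It builds two constructed traffic samples (one single-source flood, one distributed flood of the kind described) plus a constructed baseline, and runs two monitoring rules over each: the classic per-source rate limit, and an aggregate rule keyed on the destination that also counts distinct sources. The log format, the IP addresses (documentation and private ranges) and all thresholds are assumptions chosen for illustration.

```python
"""Per-source vs. per-destination flood monitoring (added illustration).

Flow records are constructed tuples (second, src_ip, dst_ip); nothing here is
captured traffic. Thresholds are assumed values for the demonstration only.
"""
from collections import Counter, defaultdict

VICTIM = "203.0.113.10"            # constructed victim address (TEST-NET-3)

PER_SOURCE_PPS_LIMIT = 100         # assumed: classic single-address rate limit
PER_DEST_PPS_LIMIT = 500           # assumed: aggregate load the victim link can absorb
MIN_DISTINCT_SOURCES = 200         # assumed: source fan-in that marks a distributed flood


def single_source_flood(seconds=5, pps=1000):
    """Constructed 'standard' DoS: one address sends `pps` packets per second."""
    return [(t, "198.51.100.7", VICTIM) for t in range(seconds) for _ in range(pps)]


def distributed_flood(seconds=5, agents=1000):
    """Constructed DDoS: `agents` distinct addresses each send one packet per second."""
    return [(t, f"10.{a // 256}.{a % 256}.1", VICTIM)
            for t in range(seconds) for a in range(agents)]


def normal_traffic(seconds=5, clients=20, pps=2):
    """Constructed baseline: a handful of ordinary clients at a low rate each."""
    return [(t, f"192.0.2.{c}", VICTIM)
            for t in range(seconds) for c in range(clients) for _ in range(pps)]


def per_source_alerts(records):
    """Classic rule: flag any source exceeding PER_SOURCE_PPS_LIMIT in one second.

    Returns the sorted list of offending source addresses.
    """
    counts = Counter((t, src) for t, src, _ in records)
    return sorted({src for (t, src), n in counts.items() if n > PER_SOURCE_PPS_LIMIT})


def per_destination_alerts(records):
    """Aggregate rule: per destination and second, total packets and distinct sources.

    Returns {dst: [(second, packets, distinct_sources), ...]} for every second in
    which either the total volume or the source fan-in crosses its threshold.
    """
    pkts = Counter((t, dst) for t, _, dst in records)
    srcs = defaultdict(set)
    for t, src, dst in records:
        srcs[(t, dst)].add(src)
    alerts = defaultdict(list)
    for (t, dst), n in pkts.items():
        fanin = len(srcs[(t, dst)])
        if n > PER_DEST_PPS_LIMIT or fanin > MIN_DISTINCT_SOURCES:
            alerts[dst].append((t, n, fanin))
    return {dst: sorted(v) for dst, v in alerts.items()}


def compare(records):
    """Run both rules and report what each one sees."""
    return {
        "per_source": per_source_alerts(records),
        "per_destination": per_destination_alerts(records),
    }


if __name__ == "__main__":
    for name, sample in (("single-source flood", single_source_flood()),
                         ("distributed flood", distributed_flood()),
                         ("normal traffic", normal_traffic())):
        result = compare(sample)
        print(f"{name}:")
        print(f"  per-source rule flags      : {result['per_source'] or 'nothing'}")
        dest = result["per_destination"].get(VICTIM)
        print(f"  per-destination rule flags : {dest[0] if dest else 'nothing'} ...")
```

Run as a script, the single-source flood is caught by both rules, the baseline by neither, and the distributed flood only by the per-destination rule: each of its thousand sources stays at one packet per second, below any sensible per-address limit, while the victim-side view shows 1,000 packets per second from 1,000 distinct sources. The same logic extends to monitoring per source network (e.g., aggregating by /24) rather than per address, which the quoted text also notes is insufficient on its own.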