Malware DDoS

Published on June 2016

Malware DDoS (Distributed Denial of Service)
A Denial of Service (DoS) attack (not to be confused with a DDoS attack) sends bogus requests across a network from a single attacking host to one or more target (destination) servers, overwhelming them. Because the server is busy with the bogus requests, genuine requests are not served, and legitimate users experience a denial of service. A Distributed Denial of Service (DDoS) attack is much the same, except that more than one attacking computer is used, hence the word "distributed". In a DoS attack the source IP attacking you is a single address; in a DDoS attack there are many, often thousands, of source IPs.

In a normal TCP connection, the client sends a SYN segment asking the server to open a connection. The server records a half-open entry for it, answers with a SYN-ACK, and the client completes the handshake with an ACK, after which it is allowed to use the service. In a SYN-flood denial of service attack, the attacker sends a stream of SYNs with forged (spoofed) source addresses, filling the server's backlog of half-open connections. The SYN-ACKs go to hosts that never asked for them, so no ACK ever arrives; the server retransmits and waits, often a minute or more, before discarding each entry. As soon as entries expire, the attacker's next batch of forged SYNs refills the backlog, so the process repeats and legitimate clients are refused indefinitely.
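The backlog-exhaustion mechanism above, as an added example that is not code from the original document: a small Python model of a listener's half-open table under a flood of spoofed SYNs, with SYN cookies as the stateless defence. The backlog size, the timeout, the addresses (documentation ranges) and the cookie secret are assumptions.

```python
"""Added example: a TCP listener's half-open (SYN) backlog under a SYN flood,
with and without SYN cookies.  Illustrative code written for this page, not code
from the original document; backlog size, timeouts, addresses and the cookie
secret are assumptions."""
import hashlib
import hmac
import random

BACKLOG = 128          # assumed maximum number of half-open connections the listener keeps
SYN_RECV_TIMEOUT = 60  # assumed seconds a half-open entry lives before it is discarded


class Listener:
    def __init__(self, syn_cookies=False, secret=b"assumed-per-host-secret"):
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}     # (src_ip, src_port) -> (expiry, server ISN)
        self.established = 0
        self.rejected = 0       # SYNs dropped because the backlog was full

    def _cookie(self, src_ip, src_port, slot):
        # SYN cookie: the server's ISN is an HMAC over the peer's address, port and a
        # coarse time slot, so the server stores nothing until the final ACK proves
        # that the peer really received the SYN-ACK.
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items() if v[0] > now}

    def on_syn(self, src_ip, src_port, now):
        """Handle a SYN. Returns the ISN sent back in the SYN-ACK, or None if dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src_ip, src_port, now // 64)
        if len(self.half_open) >= BACKLOG:
            self.rejected += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = (now + SYN_RECV_TIMEOUT, isn)
        return isn

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Handle the handshake's final ACK (ack_num == server ISN + 1). True if established."""
        self._expire(now)
        if self.syn_cookies:
            slot = now // 64
            # accept the current and the previous slot so a slow but honest client still succeeds
            valid = {self._cookie(src_ip, src_port, slot), self._cookie(src_ip, src_port, slot - 1)}
            ok = ((ack_num - 1) & 0xFFFFFFFF) in valid
        else:
            entry = self.half_open.pop((src_ip, src_port), None)
            ok = entry is not None and (ack_num & 0xFFFFFFFF) == ((entry[1] + 1) & 0xFFFFFFFF)
        if ok:
            self.established += 1
        return ok


def simulate(syn_cookies, flood_size=1000):
    """Flood the listener with spoofed SYNs, then let one honest client try to connect.
    Returns (honest_client_connected, syns_rejected)."""
    srv = Listener(syn_cookies=syn_cookies)
    now = 0
    # Attacker: SYNs with forged sources (203.0.113.0/24, constructed sample addresses).
    # Nobody ever answers the SYN-ACKs, so the entries only leave the table by timing out.
    for i in range(flood_size):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now)
    # Honest client one second later, well inside SYN_RECV_TIMEOUT: the backlog is still full.
    now += 1
    isn = srv.on_syn("198.51.100.7", 40000, now)
    connected = isn is not None and srv.on_ack("198.51.100.7", 40000, isn + 1, now)
    return connected, srv.rejected


if __name__ == "__main__":
    print("no SYN cookies :", simulate(False))   # honest client refused
    print("SYN cookies    :", simulate(True))    # honest client connects, nothing rejected
```

With cookies the listener keeps no state per SYN, so the flood costs it only the HMAC per packet; a forged final ACK from a different address does not verify and never creates a connection.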

How to block a "denial of service" attack
One of the more common methods of blocking a denial of service attack is to place a filter (often paired with a packet "sniffer" that inspects traffic) on the network path before the stream of packets reaches a site's Web servers. The filter looks for attacks by noticing patterns or identifiers in the traffic: a fixed payload, packet size or header value that the bogus requests share. If such a pattern arrives at a high rate, the filter can be instructed to drop packets containing it, so that the Web servers' connection slots are not tied up. Note that a filter at the site only protects what sits behind it; if the attack saturates the site's upstream link, the filtering has to be done by the carrier further upstream.

Distributed Denial of Service Attacks
Sometimes a cracker uses a network of zombie computers to sabotage a specific Web site or server. The idea is simple: the cracker tells all the computers in his botnet to contact a specific server or Web site repeatedly. The sudden increase in traffic can cause the site to load very slowly for legitimate users; sometimes the traffic is enough to shut the site down completely. We call this kind of attack a Distributed Denial of Service (DDoS) attack.

Some particularly tricky botnets use uncompromised computers as part of the attack. Here is how it works: the cracker sends the command to initiate the attack to his zombie army. Each computer in the army sends a request (an ICMP echo or a DNS query, for example) to an innocent computer called a reflector, with the source address forged so that the request appears to originate not from the zombie but from the ultimate victim of the attack. The reflector dutifully sends its reply to the victim, and the victim's performance suffers or it shuts down completely as it is inundated with unsolicited responses from many computers at once. From the victim's perspective, the reflectors attacked the system. From the reflectors' perspective, the victim requested the packets. The zombie computers remain hidden, and the cracker himself is even further out of sight.

The list of DDoS victims includes some major names. Microsoft was targeted by the DDoS payload of the MyDoom worm. Crackers have also targeted other major Internet players such as Amazon, CNN, Yahoo and eBay. The attack names range from mildly amusing to disturbing:

Ping of Death - bots send oversized ICMP echo packets (larger than the IP maximum once the fragments are reassembled) that crash the victim's IP stack
Mailbomb - bots send a massive amount of e-mail, crashing e-mail servers
Smurf Attack - bots send ICMP echo requests with the victim's address as source to broadcast addresses, so every host on those networks replies to the victim (see the illustration above)
Teardrop - bots send overlapping fragments of an illegitimate packet; the victim system tries to reassemble the fragments and crashes as a result

Once an army begins a DDoS attack against a victim system, there are few things the system administrator can do to prevent catastrophe. He could limit the amount of traffic allowed to his server, but that restricts legitimate connections and zombies alike. If he can determine the origin of the attacks, he can filter that traffic; unfortunately, since many zombie computers disguise (spoof) their addresses, this is not always easy to do.
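The reflector exchange described above, as an added example that is not part of the original document: each side's view of a reflection attack, and why a source block list built from what the victim sees would hit the reflectors rather than the botnet. The addresses (documentation ranges), the request size and the 10x amplification factor are assumptions.

```python
"""Added example: a reflection DDoS modelled as a message exchange, showing what the
victim sees, what the reflectors see, and why neither vantage point reveals the zombies.
Illustrative code for this page, not from the original document; addresses, packet
sizes and the amplification factor are assumptions."""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst size")


class Reflector:
    """A benign host that answers every request it receives (an open DNS resolver, or a
    host replying to ICMP echo).  It trusts the source address written on the request."""

    def __init__(self, ip, amplification):
        self.ip = ip
        self.amplification = amplification   # reply bytes per request byte (assumed)
        self.requests_seen = Counter()       # who the reflector *thinks* has been asking

    def handle(self, req):
        self.requests_seen[req.src] += 1
        return Packet(src=self.ip, dst=req.src, size=req.size * self.amplification)


def launch(zombies, reflectors, victim, request_size=60):
    """Every zombie sends every reflector one request whose source address is forged to
    be the victim.  Returns (requests actually sent, replies delivered to the victim)."""
    sent, victim_inbox = [], []
    for zombie in zombies:
        for ref in reflectors:
            req = Packet(src=victim, dst=ref.ip, size=request_size)  # forged src; the zombie is the real sender
            sent.append((zombie, req))
            victim_inbox.append(ref.handle(req))
    return sent, victim_inbox


def analyse(sent, victim_inbox, zombies, reflectors):
    """What each party can tell from its own vantage point."""
    victim_sees = Counter(p.src for p in victim_inbox)
    amplification = sum(p.size for p in victim_inbox) / sum(r.size for _, r in sent)
    return {
        "victim_sees": victim_sees,                                          # only reflector addresses
        "zombies_visible_to_victim": bool(set(zombies) & set(victim_sees)),
        "reflectors_see": {r.ip: dict(r.requests_seen) for r in reflectors},  # only the victim
        "amplification": amplification,
        # blocking by source at the victim blocks the (legitimate) reflectors, not the botnet
        "naive_blocklist": set(victim_sees),
    }


def example_run():
    # Constructed sample addresses from the documentation ranges.
    zombies = [f"203.0.113.{i}" for i in range(1, 21)]                      # 20 bots
    reflectors = [Reflector(f"198.51.100.{i}", amplification=10) for i in (1, 2, 3)]
    victim = "192.0.2.10"
    sent, inbox = launch(zombies, reflectors, victim)
    return analyse(sent, inbox, zombies, reflectors)


if __name__ == "__main__":
    for key, value in example_run().items():
        print(f"{key}: {value}")
```

The victim's logs attribute the flood to the reflectors and the reflectors' logs attribute the requests to the victim; the only place the zombies' real addresses appear is the `sent` list, which no party on the receiving end has.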

A denial-of-service (DoS) attack aims to render a Web resource unavailable to its everyday users. It works by flooding a Web server with more requests to serve a Web page than it can handle, so that during the attack the hosted site loads dramatically more slowly or not at all. Another type of DoS attack, the "e-mail bomb", targets an organization's mail servers by sending more e-mail than they can handle. A distributed denial-of-service attack (DDoS) uses multiple compromised PCs to overwhelm a Web site's bandwidth or resources. The machines used in such attacks are collectively known as a botnet, or zombie network; they have previously been infected with malicious software that lets the attacker control them remotely. The cybercriminal fraternity uses denial-of-service attacks as a weapon to blackmail e-commerce businesses, which rely on their Web sites being accessible in order to make money. Online gambling sites are popular targets, due to the nature of their business and the lure of ready money. But attacks are not always financially motivated; perpetrators may simply be seeking to cause disruption or make a name for themselves.

In its simplest form, a Denial of Service (DoS) attack is an attack that attempts to force some system component to limit, or even halt, its normal service.

A DoS attack may be directed at a specific computer operating system, at a specific port or service on a targeted system, at a network or network component, at a firewall, or at any other system component. More obscure examples include human-system communication processes, such as disabling a printer or alarm system, or even human response systems, such as disabling a key technician's home phone or transportation. The common thread in all of these examples is that after a successful attack the system no longer responds to requests for service as it did before, and some expected service, or group of services, is denied or limited to authorized users.

In its simplest form, a Distributed Denial of Service (DDoS) attack is a DoS attack that comes from more than one source and/or more than one location at the same time. Often the hosts carrying out a DDoS are not aware that they are engaging in a DoS attack against a site, and have been duped (technically or physically) into joining the attack by a third party.

A simple analogy may clarify the difference between a DoS and a DDoS, and points out some interesting subtleties. If a bored teenager repeatedly prank-calls your telephone, you may soon get tired of answering and start to ignore incoming calls. The teenager has successfully performed a DoS attack on your telephone service, because you are denied normal telephone service (even though you denied it to yourself by choosing not to answer). However, it is easy to screen incoming calls from the teenager's number, so in many cases not all service is interrupted, just incoming calls from one specific number. This also makes the location of the attacker easy to trace, and therefore relatively easy to stop. If, however, the teenager called a local radio station and duped it into believing that you had concert tickets for sale at a very low price, causing your telephone number to be broadcast, you may be inundated with many hundreds of calls from many people. In this DDoS example you are again denied normal phone service (the DoS component), but the distributed nature of the attack means that most calls not originating from a known number would need to be blocked, and if enough people responded, almost no calls could get through. In this case, questioning or tracing any of the apparent attackers is pointless, since they have been duped into calling and have no evidence to offer about the identity of the real attacker. In fact, only the original point of attack (here, the call to the radio station) is of any interest in determining who attacked. The teenager may not even have phoned you, so the real attacker, the initiator of the DDoS, did not participate in the actual DoS attack.

Simple DoS and DDoS Attacks and Defenses
Some authors claim that "the problem with denial of service on the Internet is that it is impossible to prevent"
Security and network management vendors Prolexic and Arbor Networks recently reported that distributed denial-of-service attacks are on the rise. What can we do to make prevention a forethought? According to Prolexic Chief Technology Officer Paul Sop, the recent trends include a shorter attack duration but a bigger packet-per-second attack volume. That "bigger packet-per-second attack volume" is likely to be generated by a DDoS (distributed denial of service), a coordinated attack from many dispersed nodes, usually with a few central controllers. A recent high-profile example was the hacker group "Anonymous" allegedly using the LOIC tool (Low Orbit Ion Cannon). While Anonymous' use of LOIC was originally opt-in (end users would download the tool and choose to participate in the attack), the tool was allegedly later changed to a more traditional "botnet" or "zombie" style, in which clicking a link performed a "drive-by download" to install the tool and aim it at the target without the user's permission.

Whereas older DoS attacks would exhaust server resources by signaling the start of a conversation with no intention of actually conversing, a DDoS is typically designed to affect the network by creating so much traffic that the WAN link(s) become saturated and unable to carry "normal" traffic. You may have noticed at home that if you stream a video, your Web browsing slows down. A DDoS is the same concept taken to an industrialized (and weaponized) scale.

I asked Jim MacLeod, product manager at WildPackets, for his recommendation on thwarting these attacks. Via e-mail, he said that traditional approaches to DoS mitigation, such as using ACLs (access control lists) or firewall rules to keep attack traffic from reaching the server, are not adequate because three factors in a DDoS require a different reaction. First, the attack is against the network infrastructure, not the servers. A firewall can only protect what's behind it, so if it is on premises it cannot prevent the WAN link from being flooded; DDoS responses often require coordination with the WAN carrier to block the traffic upstream. Second, the attack is going to come from a large number of IP addresses. The scale makes it impossible to add entries by hand for each node, and while it is possible to filter aggregated blocks of addresses to create fewer rules faster, the "wolves among the sheep" nature of botnets means the addresses will be widely dispersed rather than clustered together, so a lot of legitimate traffic would potentially be blocked too. Finally, the speed at which the attack commences, sometimes referred to as a "thundering herd" effect, doesn't leave much time to react to counter the problem.

MacLeod suggests that the key to combating DDoS attacks is to turn the attack's strength into its weakness. Industrial-scale attacks will be diverse in source addresses, but fairly homogeneous above the IP layer. Many of these attacks are surprisingly simple from a protocol perspective; they rely on brute force, not cleverness. What you need to find is a signature or behavior within the packets that is common to the attack traffic but absent from your normal traffic. If your packet analyzer dashboard has visualizations or expert analysis, your tool may even identify a useful characteristic for you. I've touched on preventing network attacks before; this should serve as a reminder that if you don't have a DDoS mitigation plan already, now is a good time to create one, before it's too late.
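The pattern filter described earlier under "How to block a denial of service attack" and MacLeod's "homogeneous above the IP layer" observation come down to the same procedure: find a value that dominates the attack traffic, was rare in the baseline, and is spread over many source addresses, then filter on it. As an added example (not a tool from the original article), the following Python picks such a composite signature out of constructed flow records and measures what a filter on it would drop, compared with per-IP blocking. The field names, thresholds and sample records are assumptions.

```python
"""Added example: finding a filterable signature in attack traffic that is diverse at the
IP layer but homogeneous above it, then measuring what a filter on that signature drops.
Illustrative code for this page, not a tool from the original document; the flow records
are constructed sample data and the thresholds are assumptions."""
from collections import Counter

# Fields above the IP layer that a packet analyzer would expose per request (assumed).
FIELDS = ("dport", "size", "ttl", "ua")


def baseline_records():
    """Constructed sample of normal traffic: a handful of clients, varied sizes, TTLs, agents."""
    agents = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "curl/7.68.0"]
    recs = []
    for i in range(30):
        recs.append({"src": f"192.0.2.{i % 8 + 1}", "dport": 443 if i % 3 else 80,
                     "size": [220, 310, 455, 610][i % 4], "ttl": [52, 57, 64, 113][i % 4],
                     "ua": agents[i % 3]})
    return recs


def attack_window():
    """Constructed sample of the same site under attack: a few real clients plus 50 bots,
    each from its own address, all sending the same shaped request."""
    recs = baseline_records()[:10]
    for i in range(50):
        recs.append({"src": f"203.0.113.{i + 1}", "dport": 80, "size": 1200, "ttl": 128,
                     "ua": "Mozilla/4.0 (compatible; constructed-bot-agent)"})
    return recs


def find_signature(baseline, window, fields=FIELDS, min_share=0.5,
                   max_baseline_share=0.2, min_sources=10):
    """For each field, take the most common value in the attack window and keep it as part
    of the signature if (a) it dominates the window, (b) it was rare in the baseline, and
    (c) it is spread across many source addresses (the botnet, not one noisy client)."""
    signature = {}
    for f in fields:
        value, count = Counter(r[f] for r in window).most_common(1)[0]
        share = count / len(window)
        base_share = sum(1 for r in baseline if r[f] == value) / len(baseline)
        sources = len({r["src"] for r in window if r[f] == value})
        if share >= min_share and base_share <= max_baseline_share and sources >= min_sources:
            signature[f] = value
    return signature


def matches(rec, signature):
    return all(rec.get(f) == v for f, v in signature.items())


def evaluate_filter(window, signature, bot_prefix="203.0.113."):
    """Apply the signature as a drop rule and report collateral damage.  The bot prefix is
    known here only because the sample data is constructed; in practice the comparison
    is against the pre-attack baseline, as find_signature does."""
    dropped = [r for r in window if matches(r, signature)]
    kept = [r for r in window if not matches(r, signature)]
    return {
        "dropped_bot": sum(r["src"].startswith(bot_prefix) for r in dropped),
        "dropped_legit": sum(not r["src"].startswith(bot_prefix) for r in dropped),
        "kept": len(kept),
        "per_ip_rules_needed_instead": len({r["src"] for r in window if r["src"].startswith(bot_prefix)}),
    }


if __name__ == "__main__":
    sig = find_signature(baseline_records(), attack_window())
    print("signature:", sig)
    print(evaluate_filter(attack_window(), sig))
```

In the constructed data the destination port 80 also dominates the attack window, but it is rejected as a signature field because it carries a third of the baseline traffic; filtering on it would have cut off real users, which is the collateral-damage problem the article raises for address-range blocking.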

Imagine that the Internet is a city. It would undoubtedly be the most remarkable and diverse city on the planet, but it would also be incredibly seedy and dangerous. You could find the world's most comprehensive libraries there alongside X-rated theaters. Inside this city, you would also discover that not everyone is who they seem to be, not even yourself. You might find out that you've been misbehaving, although you don't remember it. Like the unwitting agent in "The Manchurian Candidate," you discover you've been doing someone else's bidding, and you have no idea how to stop it. A zombie computer is very much like the agent in "The Manchurian Candidate." A cracker, a computer hacker who intends mischief or harm, secretly infiltrates an unsuspecting victim's computer and uses it to conduct illegal activities. The user generally remains unaware that his computer has been taken over; he can still use it, though it might slow down considerably. As his computer begins to send out massive amounts of spam or attack Web pages, he becomes the focal point for any investigation into his computer's suspicious activities. The user might find that his Internet Service Provider (ISP) has cancelled his service, or even that he's under investigation for criminal activity. Meanwhile, the cracker shrugs off the loss of one of his zombies because he has more. Sometimes he has a lot more: one investigation allegedly discovered that a cracker's single computer controlled a network of more than 1.5 million computers [source: TechWeb]. In this article we'll look at how crackers can commandeer your computer, why they do it, and the best way to protect yourself from malicious attacks.
