Security in the Modern Web Part 2: DDoS Attacks

Edited By thatpinguino  Staff

It has been a while since I wrote one of these computer security related posts, but in light of Sony’s troubles during the holidays and the seeming ubiquity of this manner of attack on the modern web I figured I would put together a little primer on what a DDoS, or distributed denial of service, attack is and how it actually functions.

If you play games online at all you are likely familiar with the symptoms of a DDoS attack: you cannot connect to your favorite online service, and when you do, the connection is slow and unreliable. The outage can last anywhere from a few minutes to days or weeks, and during that whole time you can't use the service at all. Then, in an instant, the issue disappears and everything goes back to normal. If you have experienced what I just described, you have likely witnessed a DDoS attack. The reason you cannot connect to Steam, PSN, or Xbox Live during a DDoS attack is that the servers hosting the service you want are being deliberately overloaded with requests by a malicious party. An ordinary visit to a website involves an HTTP request being sent from your computer to the server you want to talk to, and that server spending a little of its time, memory, and bandwidth answering it. The malicious party floods the servers of your favorite service with so many requests that one of those finite resources runs out, and the servers cannot process your request.

Those goblins are shutting down PSN!

Imagine trying to order a pizza from a local Pizza Hut during rush hour (and imagine that you have to actually call and talk to a human). You might get a busy signal when you call, and even if you get through, the delivery takes 20 minutes longer than normal thanks to all of the other orders they have to process. Now imagine that rather than ordinary rush hour calls, a group of people who hate pizza decide to call Pizza Hut continuously for 5 hours in the middle of the day, only to hang up as soon as a human being picks up the phone. Very few pizza lovers would be able to get a call through under these circumstances because of the sheer volume of fake calls. For those 5 hours the Pizza Hut phone lines are effectively useless. Even worse, the owners of the Pizza Hut have very few options to stop this attack because their business relies on providing customers with a working phone line. Unplugging the phone will stop the attack, but it will also stop legitimate customers from placing orders. The Pizza Hut could change its phone number, but that would force all of its legitimate customers to learn a new number, and the pizza haters would learn it eventually too. The owners of the Pizza Hut are mostly stuck. The scenario I described is what happens during a basic DDoS attack, except Sony is the Pizza Hut and its servers are the phone line.

In the case of a real DDoS attack, the huge number of HTTP requests (phone calls) needed to clog up a company's entire server infrastructure can be generated by a number of different sources, depending on the scale of the target and the sophistication of the attackers. If the target is a relatively small website, then the attack could be the result of a handful of people running a piece of software designed to spam a given URL or IP address with requests. If the target is larger, then botnets are used: thousands of compromised computers, remotely controlled through malware their owners never noticed, all hammering the target with requests at once. That is what the "distributed" in DDoS means, and it is what makes the attack so hard to filter: the requests arrive from thousands of different addresses, so there is no single source to block. The larger the target, the more resources are needed to bring it down.

Yay mechanical and visual metaphors!

Now, the manner of DDoS attack that I've described up until now is the absolute simplest version of the attack, and in truth it is not necessarily what attackers use in practice. Maintaining a constant barrage of connections for hours or days on end is expensive, and it can be thwarted. If a Pizza Hut kept getting prank calls from one phone number all day long, they would just block that phone number or ask the phone company to look into it; in the same way, a flood that comes from a small number of addresses can be blocked at the firewall or upstream at the network provider. The more troublesome attacks try to trip up servers by more closely mimicking situations where a user's intent is difficult to discern.

Back to the Pizza Hut example! The same group of pizza haters, whose first phone numbers were all turned off by the phone company, decide that they need to be a bit craftier if they want to ruin pizza for everyone. This time they are going to call Pizza Hut and act like ordinary callers, but they are going to act like their phones are dropping in and out of coverage. The Pizza Hut clerks answer the phone as normal and try to take orders from the attackers for a few minutes each, but they never manage to get any real orders out of them. However, while the clerks are dealing with the attackers, the phone lines are still tied up! Unlike the earlier attack, where the sheer number of calls made the phone lines unusable, this new attack ties up the phone by mimicking an ordinary user with a common and understood phone issue: a cell phone losing signal. The number of calls doesn't need to be nearly as large when each call lasts much longer than the brute force calls did.

In the real world the kind of attack I just described involves opening a connection and sending only part of an HTTP request (a few header lines and then nothing, or one more byte every so often), which looks like the garbled trickle that comes from a bad internet connection; Slowloris is the well-known tool of this type. These are sometimes loosely described as "fragmented packets", but it is the HTTP request, not the IP packet, that is left incomplete. The targeted server expects the rest of the request to show up eventually, so it keeps the connection open and waits, but the rest is never coming. Every connection slot the server spends waiting is one a legitimate user cannot use, and a server only has so many of them. A few thousand of these half-finished requests can jam up a server just as effectively as hundreds of thousands of complete ones, because servers are built to tolerate exactly this kind of lag from real users. There are answers to this form of attack as well, such as shortening how long a server will wait for the rest of a request before dropping the connection, capping the number of simultaneous connections any one address may hold, or putting a reverse proxy in front that only hands a request to the application once it has arrived in full, but each of these involves a trade-off that can hurt legitimate users on slow connections.
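Here is an added example that puts numbers on the two attacks above, the brute-force flood and the slow, never-finished request. It is my own illustration for this post, not code from the original post, from Sony, or from any attack tool. It models the server as a fixed pool of connection slots (which is how a web server's worker pool behaves) and uses a constructed 100-slot pool, a made-up legitimate load, and made-up attack rates. The thing to watch is that the number of slots an attacker holds is just their connection rate multiplied by how long the server lets each connection sit, so the flood needs hundreds of thousands of connections to do what the slow attack does with six hundred, and shortening the server's timeout shrinks what that trickle can hold.

```python
"""Toy model of a server with a fixed pool of connection slots.

Added example, not code from the original post. It puts numbers on the
post's two attacks: a flood of ordinary requests and a trickle of slow,
never-finished requests both fill the pool; they differ only in how many
connections the attacker has to open. The pool size, traffic rates and hold
times below are constructed for illustration. Times are integer
milliseconds so the event order is exact and reproducible.
"""
import heapq
from dataclasses import dataclass


@dataclass
class Result:
    legit_served: int         # legitimate requests that got a slot
    legit_rejected: int       # legitimate requests that hit the "busy signal"
    peak_attacker_slots: int  # most slots the attacker held at any instant
    attack_attempts: int      # connections the attacker had to open


def rate_to_fill(slots, hold_ms):
    """New connections per second needed to keep `slots` busy.

    Occupancy is arrival rate times hold time (Little's law), so the longer
    the server lets one connection sit idle, the fewer the attacker needs.
    """
    return slots * 1000 / hold_ms


def simulate(slots, legit_interval_ms, legit_hold_ms,
             attack_interval_ms, attack_hold_ms, duration_ms):
    """Event-driven model of a pool of `slots` concurrent connections.

    A legitimate client arrives every legit_interval_ms and holds a slot for
    legit_hold_ms (a normal request being served). An attacker connection
    arrives every attack_interval_ms and holds one for attack_hold_ms: the
    normal service time for a plain flood, or the server's request timeout
    for a slow-request attack, since the server waits that long for a request
    that never completes. Anyone arriving when every slot is busy is refused.
    """
    arrivals = [(t, "attack") for t in range(0, duration_ms, attack_interval_ms)]
    arrivals += [(t, "legit") for t in range(0, duration_ms, legit_interval_ms)]
    arrivals.sort()  # ties at the same instant resolve "attack" before "legit"

    releases = []  # min-heap of (release_time_ms, kind)
    active = {"attack": 0, "legit": 0}
    served = rejected = peak_attack = 0

    for now, kind in arrivals:
        # Free every slot whose holder finished (or timed out) by now.
        while releases and releases[0][0] <= now:
            _, done = heapq.heappop(releases)
            active[done] -= 1
        if active["attack"] + active["legit"] >= slots:
            if kind == "legit":
                rejected += 1
            continue
        hold_ms = attack_hold_ms if kind == "attack" else legit_hold_ms
        heapq.heappush(releases, (now + hold_ms, kind))
        active[kind] += 1
        if kind == "legit":
            served += 1
        else:
            peak_attack = max(peak_attack, active["attack"])
    attempts = len(range(0, duration_ms, attack_interval_ms))
    return Result(served, rejected, peak_attack, attempts)


# Constructed scenario: 100 slots, 50 legitimate requests/s served in 200 ms
# (about 10 slots of real load), observed over ten minutes.
SLOTS, LEGIT_INTERVAL_MS, LEGIT_HOLD_MS, TEN_MINUTES_MS = 100, 20, 200, 600_000


def flood():
    """500 complete requests/s, each served in the normal 200 ms."""
    return simulate(SLOTS, LEGIT_INTERVAL_MS, LEGIT_HOLD_MS, 2, 200, TEN_MINUTES_MS)


def slow_requests(server_timeout_ms):
    """One never-finished request/s; the server waits server_timeout_ms for the rest."""
    return simulate(SLOTS, LEGIT_INTERVAL_MS, LEGIT_HOLD_MS, 1000, server_timeout_ms,
                    TEN_MINUTES_MS)


if __name__ == "__main__":
    for name, r in [("flood", flood()),
                    ("slow, 300 s timeout", slow_requests(300_000)),
                    ("slow, 10 s timeout", slow_requests(10_000))]:
        print(f"{name:>20}: attacker peak {r.peak_attacker_slots:3d} slots "
              f"with {r.attack_attempts:6d} connections; legit rejected "
              f"{r.legit_rejected}/{r.legit_served + r.legit_rejected}")
```

Run as-is, the flood and the slow attack with a 300 second timeout both peak at 91 attacker-held slots (everything the legitimate load leaves free) and both start turning legitimate users away, but the flood opened 300,000 connections to get there and the slow attack 600. Dropping the timeout to 10 seconds caps the same trickle at 10 slots and no legitimate user is refused. The caveat a defender should keep in mind is that the timeout only raises the attacker's price: at one connection per second a 10 second timeout holds 10 slots, but `rate_to_fill(100, 10_000)` says 10 connections per second would fill the pool again, which is why the timeout is combined with a per-address connection cap in practice. And any real user on a link too slow to finish a request within that timeout is cut off along with the attacker, which is the trade-off the paragraph above describes.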

There are even more types of DDoS attacks than what I've covered here, and there is much more to say on the ones I have covered, but I hope you can appreciate what a nasty problem they present. DDoS attacks take the service-oriented nature of the internet and use it as a means to attack a public-facing service. They take the established client-server relationship and weaponize it against businesses and services.

Bollard

Another great explanation, particularly enjoying the continued use of Magic cards as well as the addition of Pizza Hut.

From time to time I panic that my computer could be part of a botnet, and I'd never know.

notnert427

Haha, that was a fun way of explaining that. Good stuff.

I absolutely despise and completely fail to get the point of DDoS attacks. We should hang those fuckers in the streets as far as I'm concerned, and when people get upset over the barbarism, just say we "did it for the lulz".

#4 sweep  Moderator

Nice!

Is there any way to detect if your computer is part of a botnet? I am dangerously ignorant about this entire subject so apologies if that's a stupid question.

Corevi

@sweep said:

Nice!

Is there any way to detect if your computer is part of a botnet? I am dangerously ignorant about this entire subject so apologies if that's a stupid question.

Don't worry about it. Most botnet computers are in China and Russia.

#6 thatpinguino  Staff

@bollard: @sweep: It isn't a dumb question at all! My computer security teacher's answer when I asked him was to just assume your computer is in a botnet and act accordingly. Botnet programs are hard to catch because they don't do anything until they are needed and they are incredibly important to criminals. A virus that just wrecks stuff for the sake of wrecking stuff can be really obvious in how it works because there is no money to be made from being subtle. A botnet program is only useful so long as it is undetectable, so the coders of botnets try to stay ahead of the curve.

Your ordinary antivirus should be the first place to start, but to really know if your computer is doing stuff you don't know about you would need to packet-capture the network traffic that your computer is generating. The best way to avoid getting into a botnet in the first place is to avoid sketchy internet activity like torrenting and downloading stuff from untrusted sources.

@notnert427: Thanks! It is worth mentioning that "we did it for the lulz" is not always the reason for DDoS attacks on visible targets. It could be a criminal with a botnet displaying how powerful their network is to a potential buyer or renter. Like a James Bond villain blowing up an uninhabited island to show off a doomsday weapon. The DDoS could also be a cover for another, subtler attack.

@dudeglove: Considering that botnets are really non-trivial to build and that a lot of real-world DDoS attacks require more sophisticated tactics than a straight brute force of packets, I would say that the term hacker is appropriate for the perpetrators. Taking down a small site could just be some random kids with a pre-made program and no clue, but stuff on the scale of Sony or Microsoft is the work of people with some degree of expertise. The DDoS by heavy traffic in the cases you described were extraordinary amounts of load on services that never expected the whole world to hit one URL at once.

@bollard: You gotta appeal to that huge MTG/ computer security crossover demographic!
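The packet-capture approach mentioned in the reply above, as an added example that is not part of the original thread: a bot that does nothing "until it is needed" still has to check in with its controller to find out whether it is needed, and that check-in is almost always on a timer. So one concrete thing to look for in a capture is a destination your machine contacts at suspiciously regular intervals with small, uniform payloads. The script below runs over a constructed per-connection summary of the kind you get by summarizing a capture by flow; the hosts are invented addresses from the documentation ranges, the timestamps are made up, and the thresholds are assumptions to tune against real traffic.

```python
"""Beacon detection over a connection log.

Added example, not code from the original thread. Groups a per-connection
summary (timestamp, destination, port, bytes) by destination and flags the
ones contacted at nearly constant intervals, which is what a timer-driven
check-in looks like and what human browsing does not. The sample log and
all thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: irregular browsing to one host, two one-off connections
# to another, and a check-in to 198.51.100.7:8080 roughly every 60 seconds
# carrying about 300 bytes each time. Lines are deliberately not in time order.
SAMPLE_LOG = """\
# time                 dst            port  bytes
2015-01-02T10:00:00Z   203.0.113.10   443   18240
2015-01-02T10:00:07Z   203.0.113.10   443   2210
2015-01-02T10:00:05Z   198.51.100.7   8080  312
2015-01-02T10:00:11Z   203.0.113.10   443   90120
2015-01-02T10:00:45Z   203.0.113.10   443   4410
2015-01-02T10:01:06Z   198.51.100.7   8080  318
2015-01-02T10:02:04Z   198.51.100.7   8080  309
2015-01-02T10:02:30Z   192.0.2.50     443   5120
2015-01-02T10:03:02Z   203.0.113.10   443   77213
2015-01-02T10:03:03Z   203.0.113.10   443   1930
2015-01-02T10:03:05Z   198.51.100.7   8080  315
2015-01-02T10:04:05Z   198.51.100.7   8080  311
2015-01-02T10:04:40Z   192.0.2.50     443   4870
2015-01-02T10:05:06Z   198.51.100.7   8080  316
"""


@dataclass
class Beacon:
    dst: str
    port: int
    connections: int
    mean_interval_s: float
    cv: float            # stdev / mean of the gaps between connections
    mean_bytes: float


def parse_log(text):
    """Yield (timestamp, dst, port, bytes) from 'ISO-8601 dst port bytes' lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, dst, port, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dst, int(port), int(nbytes)


def detect_beacons(text, min_connections=4, max_cv=0.15):
    """Flag destinations contacted at suspiciously regular intervals.

    For each (dst, port) seen at least min_connections times, sort the
    connections by time and measure the gaps between them. Human-driven
    traffic has gaps that vary wildly (coefficient of variation well above
    1); a timer-driven check-in has nearly constant gaps (cv near 0). The
    thresholds are assumptions: expect legitimate pollers such as NTP, chat
    clients and software updaters to show up too, so a hit is a lead to
    investigate, not a verdict.
    """
    groups = defaultdict(list)
    for ts, dst, port, nbytes in parse_log(text):
        groups[(dst, port)].append((ts, nbytes))

    hits = []
    for (dst, port), conns in groups.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        times = [ts for ts, _ in conns]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            mean_bytes = statistics.mean(n for _, n in conns)
            hits.append(Beacon(dst, port, len(conns), mean_gap, cv, mean_bytes))
    return sorted(hits, key=lambda b: b.cv)


if __name__ == "__main__":
    for b in detect_beacons(SAMPLE_LOG):
        print(f"{b.dst}:{b.port} contacted {b.connections} times, "
              f"every {b.mean_interval_s:.1f}s (cv {b.cv:.3f}), "
              f"about {b.mean_bytes:.0f} bytes each")
```

On the sample this reports only 198.51.100.7:8080, contacted six times about 60 seconds apart with a coefficient of variation around 0.02, while the browsing host's gaps range from 1 to 137 seconds and never come close to the threshold. To use it on your own machine, summarize a capture into one line per connection (any flow summarizer will do) and raise `min_connections` so a few coincidental connections do not trip it.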

#7 thatpinguino  Staff

@corevi: I know that most of the botnet computers we know about are in China and Russia (thanks, old versions of Windows!), but that doesn't preclude American machines from being in a botnet. Just because most of the attacks come from compromised machines in those countries does not mean that other machines aren't compromised. It just means that the known botnets are still sufficient for the types of attacks that are being launched. A good criminal doesn't show off a new weapon just because they have it. I would bet that once someone figures out how to mitigate the attacks that come from those known hotbeds of attack we will find out that the botnet problem is much bigger than we thought. That is just my slightly informed 2 cents. I am not an expert on these matters though, so take it with a grain of salt. I know enough to explain the philosophy and mechanics to others, but I am not plugged in to all of the latest news and techniques that are popping up in the wild.

#9 thatpinguino  Staff

@dudeglove: That sounds as good as anything to me. I've used Malwarebytes before and a few other AV programs and I haven't noticed anything happening with my PC. I'm not an expert in the field, but from what I know even taking precautions and knowing about AV programs separates you from the easy targets. A lot of the compromised computers are in Russia and China because there are a lot of old computers running pirated software full of nasty hidden viruses/malware over there.