Changes

no edit summary
Line 1: Line 1: −
'''DDoS''' is the acronym for '''Distributed Denial of Service.'''
+
'''Distributed Denial of Service Attacks''', or '''DDoS Attacks''', effectively flood websites or servers with traffic from many different sources in order to "make the site unavailable."<ref name="attack map">[http://www.digitalattackmap.com/understanding-ddos/ What is a DDoS Attack?], Digital Attack Map</ref> DDoS is a type of [[DoS Attacks|Denial of Service Attack (DoS Attack)]] that uses multiple sources in order to blocks users from accessing the site. It is important to remember that not all service errors are the result of attack behaviors and can occur if a website is overwhelmed by non-malicious traffic as well.<ref>[http://www.us-cert.gov/ncas/tips/ST04-015 Security Tip (ST04-015): Understanding Denial-of-Service Attacks] (February 6, 2013), United States Department of Homeland Security</ref>
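Review bot: grammar in the new definition, "uses multiple sources in order to blocks users" should read "in order to block users". The definition also never says where the "many different sources" come from; the new Historical Use bullet further down attributes them to botnets, and stating that here ("traffic from many sources, typically compromised machines in a botnet") gives the reader the distinguishing feature of DDoS versus DoS in the first paragraph rather than several sections later.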
   −
The telephone system, computer system and Domain Name System ([[DNS]]) sometimes become unusable during peak hours because of supply and demand. However, when an intruder or hacker interrupts the system, takes control of the computer, prevents the legitimate user from using it, and forces the computer to send such a large amount of data to another person that it cannot be handled by the recipient's save disk, a '''Denial of Service (DoS) attack''' happens.<ref>[http://www.cert.org/homeusers/ddos.html What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?]</ref>
+
==Public Perception==
 +
The public perception of DDoS attacks is negative. It is inconvenient to users who cannot reach their destination, and it can create major problems for the website's registrant, whether it is the website of an individual or an organization. DDoS attacks can become criminal when the attacker asks for money to stop the current attack or to prevent further attacks.<ref name="blog"/> DDoS attacks can also be used by "hacktivists" for political gain, to interrupt free speech, or in protest of perceived injustice.<ref name="attack map"/><ref name="blog"/>
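Review bot: "DDoS attacks can become criminal when the attacker asks for money to stop the current attack" implies the attack is lawful until extortion is added, which contradicts the new Legislation section, where a DDoS launched through a botnet is already chargeable under the CFAA. Suggest: "DDoS attacks are often accompanied by extortion, with the attacker demanding money to stop the current attack or to prevent further attacks." Dropping the old paragraph is fine: "cannot be handled by the recipient's save disk" was garbled, and its definition (an intruder who "takes control of the computer") described compromise, not denial of service.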
   −
==Background==
+
==Outcome==
The [[CERT/CC]] at Canegie Mellon University documented the first incident of Denial Of Service Attack in 1999 when the [[Trinoo]] and [[Tribe Flood Network]] (TFN) DDoS Network tools were widely distributed.<ref>[http://www.cert.org/incident_notes/IN-99-07.html Cert Incident Notes IN-99-09 Distributed Denial of Service Tools]</ref> Trinoo attacked a single computer from Minnesota University, affected around 227 systems, and became unusable for more than two days.<ref>
+
The outcome of a DDoS attack is that the attacked website is unavailable or runs very slowly. The damage done by these attacks can lead to minor inconveniences, losses in consumer confidence, or large revenue losses.
[http://www.garykessler.net/library/ddos.html Defenses Against Distributed Denial of Service Attacks]</ref>
     −
In February, 2000, a massive DDoS attack paralyzed high profile websites including [[Yahoo]]!, [[Buy.com]], [[eBay]], CNN, [[Amazon.com]], [[ZDNet.com]], E-Trade, and Excite, which together lost an estimated amount $1.7 billion. A suspect, a Canadian juvenile with the online alias "mafiaboy," was arrested in April of the same year. He pleaded guilty on January 18, 2001 on 56 charges of mischief and illegal use of computer services.<ref>[http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/notable.html E-Commerce Giants Crippled in DDoS Attacks]</ref>
+
==Historical Use==
 +
*DDoS attacks have been used to take down or interrupt the traffic of large sites, making them inaccessible.<ref name=Weiss>[http://www.esecurityplanet.com/network-security/how-to-prevent-dos-attacks.html How to Prevent DoS Attacks] by Aaron Weiss (July 2, 2012), eSecurity Planet</ref><ref>[http://blog.icann.org/2013/04/do-more-to-prevent-dns-ddos-attacks/ Do More to Prevent DNS DDoS Attacks] by Dave Piscitello (April 3, 2013), Internet Corporation for Assigned Names and Numbers (ICANN)</ref> These planned attacks can be committed for political, social, and/or illegal purposes.<ref name="blog"/> Unlike regular DoS attacks, DDoS attacks use multiple computers to attack their victims which often makes the attack harder to stop.<ref name=Weiss/> [[Botnet Attacks|Botnets]], or networks of computers controlled by hackers, are often used in DDoS attacks.<ref>[http://www.prolexic.com/knowledge-center-what-is-ddos-denial-of-service.html What is DDoS denial of service? What everyone needs to know about DDoS], Prolexic</ref>  
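Review bot: this removes the only dated history on the page (the 1999 Trinoo/TFN tools and the February 2000 attacks on Yahoo!, eBay, Amazon and others) without carrying any of it into the new Historical Use section, which now contains no dates or named incidents. If the 1999 item is restored, fix the citation first: the text cites "IN-99-09" while the URL points to IN-99-07, the note documents the first widely distributed DDoS tools rather than "the first incident of Denial Of Service Attack", and "Canegie" is misspelled. The 2000 paragraph with its $1.7 billion estimate and the guilty plea is well sourced and worth keeping as a one-line bullet under Historical Use.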
   −
Over the years, intruders have used different DDoS tools to affect computer systems:
+
*Four types of DDoS attacks include:<ref name="attack map"/>
* [[Stacheldraht]], 1.666 DDoS tool was discovered and widely spread on multiple compromised hosts in several organizations;<ref>[http://www.cert.org/advisories/CA-2000-01.html CA-2000-01 Denial-of-Service Developments]</ref>
+
#TCP Connection Attacks: attempting "to use up all the available connections to infrastructure devices"<ref name="attack map"/>
* [[Love Letter Worm]], a malicious VBScript which was spread through emails, Windows file sharing, IRC, USENET news and through webpages affecting more than 500,000 computer systems;<ref>[http://www.cert.org/advisories/CA-2000-04.html CERT Advisory CA-2000-04 Love Letter Worm]</ref>  
+
#Volumetric Attacks: attempting to use large amounts of bandwidth
* [[T0rnkit]], also distributed by intruders using six different versions of rootkit;<ref>[http://www.cert.org/incident_notes/IN-2000-10.html Cert Incident Note IN-2000-10]</ref>
+
#Fragmentation Attacks: sending so many TCP or UDP fragments that the target cannot assemble them, which slows the system
* [[W/32/Sircam]], an e-mail-borne virus;<ref>
+
#Application Attacks: trying to flood one aspect or application on a given site
[http://www.us-cert.gov/reading_room/home-network-security/#III-B-1 Home Network Security]</ref>
  −
* [[Leaves]], which was capable of updating and changing its functionality during a hack, affected millions of internet users in five Chinese provinces when an unknown hacker attacked the the server of [[DNSPod]], a Chinese domain name registrar in 2009;<ref>[http://news.softpedia.com/news/DDoS-Attack-Leaves-Five-Chinese-Provinces-Without-Internet-112313.shtml DDoS Attack Leaves Five Chinese Provinces Without Internet]</ref>
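Review bot: the new "Four types of DDoS attacks" block mixes list markers (a `*` lead line followed by `#` items), so it renders as a bullet followed by a separate numbered list; pick one style. On content, "sending so many TCP or UDP fragments" is loose, since fragmentation happens at the IP layer (IP fragments of TCP or UDP datagrams), and "which slows the system" undersells reassembly exhaustion. The new items also lose the concrete examples from the removed Packet Flooding section (SYN, ACK and RST floods, ICMP echo floods, UDP floods); folding those into the TCP Connection and Volumetric items would keep that detail. Removing Love Letter, T0rnkit and Sircam is right, since they are a worm, a rootkit and an e-mail virus rather than DDoS tools, and "Stacheldraht, 1.666 DDoS tool" was a garbled version string.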
     −
In August 2009, [[Twitter]] reported that its website suffered from a DDoS attack.<ref>[http://www.circleid.com/posts/twitter_taken_down_by_ddos_attack_company_confirms/ Twitter Taken Down by DDoS Attack, Company Confirms]</ref> Its 45 million users were unable to use its service for hours. A large quantity of junk e-mails were sent to the website, originating from Russia or the Republic of Georgia. According to Bill Woodcock, research director of the [[Packet Clearing House]], the cyber war between Russia and Georgia was extended to Twitter's website. Facebook and Google were also victims of DDoS attacks on the same day.<ref>[http://www.nytimes.com/2009/08/07/technology/internet/07twitter.html Online Attack Silences Twitter for Much of Day]</ref>
+
*A DDoS attack can be bought or traded as a service. For example, an attack that lasts a week can be purchased for $150,<ref name="attack map"/> while an attack that lasts 1 hour can be bought for $30-70.<ref>[http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf Russian Underground 101] (PDF) by Max Goncharov, TrendMicro.com</ref>
   −
[[Network Solutions]] spokesperson [[Shashi Bellamkonda]] reported that the company experienced a consecutive DDoS attacks on June 20-21, 2011 wherein its costumers were unable to access the server and e-mail and the website became unstable. The company resolved the problem as quickly as possible.<ref>[http://dos-attacks.com/2011/06/22/network-solutions-bounces-back-after-ddos/ Network Solutions Bounces Back After DDoS]</ref>
+
*In addition to causing service errors, DDoS attacks can also be used to commit "other cybercrimes, including data breaches or financial fraud."<ref>[https://www.networkworld.com/newsletters/techexec/2013/101113bestpractices.html?page=2 Best practices to mitigate DDoS attacks] by Linda Musthaler (January 10, 2013), Network World</ref>
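Review bot: the pricing bullet quotes "$150" for a week and "$30-70" for an hour from two different sources without saying so, which reads as an inconsistency; label them as separate market quotes ("one source reports ... another ..."). In the last bullet, "used to commit other cybercrimes, including data breaches or financial fraud" is imprecise: a traffic flood cannot itself breach data, the relationship is that the attack serves as a diversion while the breach or fraud is carried out, so "used as cover for" is the clearer wording.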
   −
==Packet Flooding Attack==
+
==ICANN Policy==
The Packet Flooding Attack is the most common type of Denial of Service Attack. The modus operandi of intruders is sending more than an acceptable number of packets to a particular destination, thereby consuming the entire bandwidth resources. There are several types of packets used by Packet Flooding Attack tools, including:
+
*ICANN does not have a policy that specifically addresses DDoS attacks; however, ICANN's blog has addressed the issue of how to respond to and report a DDoS attack.<ref name="blog">[http://blog.icann.org/2013/04/how-to-report-a-ddos-attack/ How to Report a DDoS Attack] by Dave Piscitello (April 25, 2013), Internet Corporation for Assigned Names and Numbers (ICANN).</ref> If a site is under attack, the 2013 post suggests that the registrant contacts the hosting provider and internet service provider (ISP).<ref name="blog"/> If the attack was proceeded by a threat or a sum of money was demanded to stop the attack, the registrant should contact law enforcement.<ref name="blog"/>
* [[TCP]] Floods - SYN, ACK and RST flags are sent to the victim's [[IP]] Address
  −
* [[ICMP]] echo request reply (Ping Floods) - A stream of ICMP is sent to the victim's IP Address
  −
* [[UDP]] Floods - A stream of UDP is sent to the victim's IP Address
     −
These attack tools change the characteristics of packets in the packet stream. For example, the Source IP Address is changed to hide the real source of the packet stream. The method of sending packet streams to one or more intermediate sites to create responses that will be sent to a victim is called IP Spoofing.<ref>[http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm Spoofing]</ref> Other packet stream attributes that are altered by intruders are the Source/Destination Ports and Other IP Header Values.
+
*ICANN's Security and Stability Advisory Committee ([[SSAC]]) also released an advisory in 2006 on DDoS attacks in relation to the DNS.<ref>[http://www.icann.org/en/groups/ssac/dns-ddos-advisory-31mar06-en.pdf SSAC Advisory SAC008: DNS Distributed Denial of Service (DDoS) Attacks] (PDF), ICANN Security and Stability Advisory Committee (SSAC)</ref>
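Review bot: two typos in the ICANN Policy bullet, "If the attack was proceeded by a threat" should be "preceded", and "suggests that the registrant contacts" should be "contact". The removed Packet Flooding section defined IP spoofing incorrectly (sending streams to intermediate sites so that their responses hit the victim is reflection; spoofing is forging the source address so that responses are delivered to the victim), so dropping it as written is fine, but that corrected one-line definition is exactly what the SSAC reflection and amplification paragraph in the next section relies on and should appear there.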
   −
==Frequent Targets of Intruder Attacks==
+
*ICANN's [[SSAC]] released another advisory in 2014 on DDoS attacks and how they may exploit certain security issues in the DNS.<ref name="s">[http://www.icann.org/en/groups/ssac/documents/sac-065-en.pdf SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure] (PDF), ICANN Security and Stability Advisory Committee (SSAC)</ref> For example, an attacker may use a victim's spoofed IP address to make multiple queries to an open recursive DNS server; the server will then respond by flooding the victim's computer with the unsolicited responses.<ref name="sing">[http://singapore49.icann.org/en/schedule/thu-ssac SSAC's Update Presentation at ICANN 49] (PDF and audio)</ref> DDoS attacks that utilize "DNS reflection and amplification" can have "attack data bit rates reportedly exceeding 300 gigabits per second."<ref name="sing"/> The advisory suggests that "ICANN should...facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing."<ref name="s"/> Additionally, rate limiting and blocking abusive queries may help reduce DDoS attacks.<ref name="sing"/> The SSAC also recommends that DNS software and systems be updated regularly to reduce DDoS vulnerability.<ref name="sing"/>  
According to the CERT report, "Trends in Denial Service Attack Technology," the most frequent targets are Windows end-users and Internet Routing Technology. An intruder's primary intention in conducting DoS attack is to prevent the use of computer or network resources. A computer controlled by a hacker is known as "zombie" or "bot," while a controlled computer network is referred as a "botnet" or "zombie army."<ref>[http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack Distributed Denial of Service Attack (DDoS)]</ref>
+
**Read the [http://www.icann.org/en/groups/ssac/documents/sac-065-en.pdf SSAC's Advisory on DDoS Attacks Leveraging DNS Infrastructure]
 +
**View the [http://singapore49.icann.org/en/schedule/thu-ssac SSAC's Presentation at ICANN 49]
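Review bot: the two `**` sub-bullets (the SAC065 PDF and the ICANN 49 presentation) duplicate links that the new Additional Resources section already carries; keep one copy of each. In the reflection description, "use a victim's spoofed IP address to make multiple queries" is hard to parse; say "send queries to an open recursive resolver with the source address forged to the victim's, so the resolver's responses go to the victim". The amplification half of "DNS reflection and amplification" is never explained: a short note that the response is many times larger than the query, which is why the cited bit rates reach 300 Gbps, would complete the paragraph.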
   −
==Reasons Why Internet is Vulnerable to Attacks==
+
==Legislation==
Internet-connected systems are still vulnerable to DoS attacks despite active security efforts because of the following reasons:
+
*[[Computer Fraud and Abuse Act]] (CFAA): this act, last amended in 2008,<ref>[http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act Computer Fraud and Abuse Act] at Wikipedia</ref> prohibits the unauthorized use of another person's computer, among other things.<ref>[https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29 Computer Fraud and Abuse Act (CFAA)] at Internet Law Treatise</ref><ref>[http://us.practicallaw.com/2-508-3428 Computer Fraud and Abuse Act (CFAA)] at Practical Law, Thomson Reuters</ref> In relation to DDoS attacks, if the hacker used a botnet to perpetrate the attack, he or she could be charged under CFAA in addition to facing civil suits.<ref>[http://us.practicallaw.com/7-516-9293 Distributed Denial-of-Service (DDoS) Attack] at Practical Law, Thomson Reuters</ref> DDoS attackers can also face jail time.<ref name="naked">[http://nakedsecurity.sophos.com/2010/12/09/are-ddos-distributed-denial-of-service-attacks-against-the-law/ Are DDoS (distributed denial-of-service) attacks against the law?] by Graham Cluley (December 9, 2010), Naked Security, Sophos</ref>
* The Internet is composed of limited and consumable resources
+
**Read more about the [https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29 CFAA].
* Internet security is highly interdependent<ref>[http://www.cert.org/homeusers/ddos.html Trends in Denial Service Attack Technology]</ref>
     −
==Frequency of DDoS Attacks==
+
*Other nations, such as the UK and Sweden, also have anti-DDoS legislature.<ref name="naked"/>
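Review bot: "anti-DDoS legislature" should be "legislation" (a legislature is a body). The CFAA bullet leans on Wikipedia for "last amended in 2008" while also citing the EFF treatise and Practical Law; cite one of those (or the statute itself) and drop the Wikipedia reference. The UK and Sweden sentence gives no statute names, so it adds little beyond the Sophos blog it cites; either name the laws or merge the sentence into the CFAA bullet.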
On May 2011, a research commissioned by [[Verisign]] found widespread DDoS attacks on businesses in all industries. The research revealed that 63% out of the 225 IT decision-makers who respond to the survey reported that they experience more than one DDoS attack over the past year, while 11% said they experienced more than 6 attacks. Sixty seven percent (67%) of the respondents believe that the frequency of DDoS attacks within the next two years will increase or stay the same and 71% of the respondents believe that DDoS protection is important to maintain their website and services, and 71% of the respondents who lack DDoS protection plan to implent solutions within the next 12 months.<ref>[http://www.circleid.com/posts/20110509_businesses_lack_safeguards_against_ddos_attacks_dns_failures/ Businesses Lack Safeguards Against DDoS Attacks and DNS Failures, New Research Shows]</ref>
     −
According to Ted Swearingen, Director of Security Operations at [[Neustar]], as many as 7,000 DDoS attacks may occur in one day. He also said that the rate of attacks continue to increase every year. He explained that the escalating incidences of DDoS attacks is largely due to the fact that the tools used to launch attacks have become common and easier to create.<ref>[http://www.circleid.com/posts/protecting_your_business_from_ddos_attacks_advice_from_neustar/ Protecting Your Business from DDoS Attacks: Advice from Neustar]</ref>
+
==DNS Award==
 +
Awardees take a proactive approach to preventing DDoS attacks.  
   −
In January, 2012, the latest State of the Internet report released by [[Akamai]], a global service provider for accelerating content and business process online, revealed that for the past three years, the occurrences of DDoS attacks increased by 2,000%. The report revealed that attacks originated from 195 countries during the the third quarter of 2011 and the '''top ten countries where DDoS attacks originated''' include:<ref>[http://www.circleid.com/posts/20120131_ddos_attacks_increased_by_2000_percent_in_past_3_years/ DDoS Attacks Increased by 2000% in Past 3 Years, Asia Generating Over Half of Recent Attacks]</ref>
+
==Additional Resources==
 +
*Review facts and watch a video explaining [http://www.digitalattackmap.com/understanding-ddos/ DDoS Attacks]
 +
*View a [http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16097&view=map DDoS Attack Map]
 +
*Read the [http://www.icann.org/en/groups/ssac/dns-ddos-advisory-31mar06-en.pdf SSAC's DDoS Advisory]
 +
*See [http://www.us-cert.gov/ncas/tips/ST04-015 CERT's Security Tips Page] for signs that indicate you may be experiencing a DDoS attack
 +
*View a [http://www.circleid.com/posts/20140318_what_does_a_ddos_attack_look_like/ Visualization of a DDOS Attack]
 +
*Listen to the [http://singapore49.icann.org/en/schedule/thu-ssac SSAC's Presentation at ICANN Singapore] that addresses DDoS attacks and recommendations
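Review bot: the new "DNS Award" section is a single sentence, "Awardees take a proactive approach to preventing DDoS attacks", with no award named, linked or cited; either name the award and explain its connection to DDoS or drop the section. Removing the Verisign 2011 survey, the Neustar "7,000 a day" quote, the Akamai 2,000% figure with its Q3 2011 country-of-origin list, and the two vendor product subsections is reasonable for a glossary entry, since all of it was dated and vendor-sourced, but if any figure returns it should carry its survey year in the sentence. In Additional Resources, "SSAC's Presentation at ICANN Singapore" is the same link as the ICANN 49 presentation above; keep one.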
   −
# Indonesia (14%)
+
==Related Articles==
# Taiwan (11%)
+
*[[Botnet Attacks]]
# China (8.6%)
+
*[[DoS Attacks]]
# United States (7.3%)
  −
# Russia (7.2%)
  −
# Brazil (5.5%)
  −
# South Korea (3.8%)
  −
# India (3.7%)
  −
# Egypt (3.3%)
  −
# Romania (2.4%)
  −
 
  −
==Available Solutions Against DDoS Attacks==
  −
===Neustar SiteProtect===
  −
In April, 2011, [[Neustar]] launched '''SiteProtect''', a cloud based service that aims to provide a higher level of security for [[UltraDNS]] customers against [[DDoS|Distributed Denial of Service]] attacks. SiteProtect enables web infrastructure to function normally and avoids downtime even if it is under attack. According to [[Rick Rumbarger]], the Senior Director of Neustar Internet Infrastructure Services, ''"The problem with other approaches to DDoS protection is that the network needs to take a hit before mitigation is started. With SiteProtect, the brunt of the attack is immediately shifted away from the client infrastructure and directed to our mitigation cloud service. By moving this service to the cloud, customers no longer have to buy and maintain large capacity infrastructure with its resulting capex expenses."''<ref>[http://www.circleid.com/posts/20110405_neustar_launches_siteprotect_for_ddos_protection/ Neustar Launches SiteProtect for DDoS Protection]</ref>
  −
 
  −
===Verisign UpTime Bundle===
  −
In March, 2011, '''Verisign''' introduced '''Verisign Uptime Bundle''', a cloud-based services bundled with Domain Name System (DNS) hosting, threat intelligence services and protection against DDoS attacks. The new service helps improve the performance, security and availability of websites, email, and critical network services. [[Ben Petro]], senior vice president of the Verisign Network Intelligence and Availability Business, explained that a single line of defense against DDoS attacks is no longer reliable to ensure the availability of website and applications. He said that Verisign's Uptime Bundle is a muti-layered solution and offers the best way to detect and disarm an attack before substantial losses occur.<ref>[http://www.circleid.com/posts/20110328_verisign_uptime_bundle_combines_ddos_protection_managed_dns/ New Verisign Uptime Bundle Combines DDoS Protection, Managed DNS and Threat Intelligence Services]</ref>
      
==References==
 
==References==
{{reflist}}
+
<references/>
 
  −
[[Category:Glossary]]
     −
__NOTOC__
+
[[Category: Bad Practice]]
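Review bot: the category change replaces [[Category:Glossary]] with [[Category: Bad Practice]] and removes __NOTOC__; with a dozen headings now on the page a table of contents is useful, but check that "Bad Practice" exists as a category (MediaWiki normalizes the space after the colon, so it will resolve, but it is inconsistent with the removed tag) and whether the entry should also stay in Glossary. Switching {{reflist}} to <references/> is equivalent unless the template adds column styling.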