Changes


DDoS Attack

1,279 bytes added, 3 years ago
no edit summary
'''Distributed Denial of Service Attacks''', or '''DDoS Attacks''', effectively flood websites or servers with traffic from many different sources in order to "make the site unavailable."<ref name="attack map">[http://www.digitalattackmap.com/understanding-ddos/ What is a DDoS Attack?], Digital Attack Map</ref> DDoS is a type of [[DoS Attacks|Denial of Service Attack (DoS Attack)]] that uses multiple sources in order to block users from accessing the site. It is important to remember that not all service errors are the result of attack behavior; they can also occur if a website is overwhelmed by non-malicious traffic.<ref>[http://www.us-cert.gov/ncas/tips/ST04-015 Security Tip (ST04-015): Understanding Denial-of-Service Attacks] (February 6, 2013), United States Department of Homeland Security</ref>
==Public Perception==
The public perception of DDoS attacks is negative. It is inconvenient to users who cannot reach their destination, and it can create major problems for the website's registrant, whether it is the website of an individual or an organization. DDoS attacks can become criminal when the attacker asks for money to stop the current attack or to prevent further attacks.<ref name="blog"/> DDoS attacks can also be used by "hacktivists" for political gain, to interrupt free speech, or in protest of perceived injustice.<ref name="attack map"/><ref name="blog"/>
Previous revision (text removed in this change):

'''DDoS''' is the acronym for '''Distributed Denial of Service.''' The [[SEI|Software Engineering Institute]] [[CERT]] at [[Carnegie Mellon University]] explained that the telephone system, computer systems and the Domain Name System ([[DNS]]) sometimes become unusable during peak hours, when consumers have a hard time using the service, or when an intruder or hacker interrupts the system, making it unavailable to consumers. When a hacker sends a very large amount of email to someone, more than the recipient's disk that stores e-mail can handle, a '''Denial of Service (DoS) attack''' happens because the user cannot use his or her computer until the situation is resolved. In terms of computer networks, intruders send an extraordinary number of requests to computers providing internet services, preventing users from getting an internet connection. Users whose networks are unable to use the internet because of such an intrusion are victims of a '''Distributed Denial of Service attack'''.<ref>[http://www.cert.org/homeusers/ddos.html What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?]</ref>

==Frequent Targets of Intruder Attacks==
According to the CERT report,<ref name="Trends in Denial Service Attack Technology" /> the frequent targets of intruders are Windows end-users and Internet routing technology. Intruders' primary intention in conducting a DoS attack is to prevent the use of computer or network resources.

==Reasons Why Internet is Vulnerable to Attacks==
Internet-connected systems are still vulnerable to DoS attacks despite active security efforts because of the following reasons:<ref name="Trends in Denial Service Attack Technology">[http://www.cert.org/homeusers/ddos.html Trends in Denial Service Attack Technology]</ref>
* The Internet is composed of limited and consumable resources
* Internet security is highly interdependent

==Packet Flooding Attack==
'''Packet Flooding Attack''' is the most common type of Denial of Service Attack. The modus operandi of intruders is sending more than an acceptable number of packets to a particular destination, which consumes the entire bandwidth resources. There are several types of packets used by Packet Flooding Attack tools, including:
* '''[[TCP]] Floods''' - SYN, ACK and RST flags are sent to the victim's [[IP]] Address
* '''[[ICMP]] echo request/reply (Ping Floods)''' - A stream of ICMP is sent to the victim's IP Address
* '''[[UDP]] Floods''' - A stream of UDP is sent to the victim's IP Address
These attack tools change the characteristics of packets in the packet stream, such as the '''Source IP Address''', to hide the real source of the packet stream. The method of sending packet streams to one or more intermediate sites to create responses that will be sent to a victim is called '''IP Spoofing'''.<ref>[http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm Spoofing]</ref> Other packet stream attributes altered by intruders are the '''Source/Destination Ports''' and '''Other IP Header Values'''.

==Timeline of Trends in DoS Attack Technology==
===1999 DDoS Attacks===
* July - [[Trinoo]] and [[Tribe Flood Network]] (TFN) network tools were widely distributed, using UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast denial of service attacks respectively.<ref>[http://www.cert.org/incident_notes/IN-99-07.html Cert Incident Notes IN-99-09 Distributed Denial of Service Tools]</ref>
* August - The [[Stacheldraht]] DDoS tool was discovered in isolated cases, combining features of trinoo and TFN with new encrypted DDoS tooling to protect the attacker. Stacheldraht involved selective targeting based on the packet-generating capability of the target systems.<ref>[http://www.sans.org/security-resources/malwarefaq/stacheldraht.php Malware FAQ: Analysis on DDOS tool Stacheldraht v1.666]</ref>
* November - CERT/CC sponsored the Distributed Systems Intruder Tools (DIST) Workshop.<ref>[http://www.docslibrary.com/results-of-the-distributed-systems-intruder-tools-workshop Results of the Distributed-Systems Intruder Tools Workshop]</ref>
* December - [[Tribe Flood Network 2000]] (TFN200) was released; it was designed to attack some UNIX and UNIX-like systems and Windows NT, destabilizing and crashing systems by sending malformed or invalid packets.<ref>[http://www.cert.org/advisories/CA-1999-17.html CERT Advisory CA-1999-17]</ref>
* November 1999 - The [[Shaft]] DDoS tool, a packet flooding attack with similarities to trinoo, appeared. It used TCP packets with sequence number 0x28374839 as a signature.<ref>[http://www.garykessler.net/library/ddos.html Defenses Against Distributed Denial of Service Attacks]</ref>

===2000 DDoS Attacks===
* January - The Stacheldraht 1.666 DDoS tool was discovered and widely spread on multiple compromised hosts in several organizations.<ref>[http://www.cert.org/advisories/CA-2000-01.html CA-2000-01 Denial-of-Service Developments]</ref>
* April - [[mstream]] packet-amplified attacks on name servers became common.<ref>[http://www.cert.org/incident_notes/IN-2000-04.html CERT Incident Note IN-2000-04]</ref>
* May - The [[Love Letter Worm]], a malicious VBScript, was spread through email, Windows file sharing, IRC, USENET news and possibly web pages. More than 500,000 individual systems were affected.<ref>[http://www.cert.org/advisories/CA-2000-04.html CERT Advisory CA-2000-04 Love Letter Worm]</ref> [[T0rnkit]] was also distributed by intruders using six different versions of the rootkit.<ref>[http://www.cert.org/incident_notes/IN-2000-10.html Cert Incident Note IN-2000-10]</ref>
* August - The [[Trinity]] DDoS tool was distributed, compromising [[UNIX]] systems and affecting roughly 400 [[Linux]] computers.<ref>[http://articles.cnn.com/2000-09-06/tech/fear.trinity.idg_1_denial-of-service-attacks-on-web-sites-linux-server?_s=PM:TECH New denial-of-service attack tool uses chat programs]</ref>

===2001 DDoS Attacks===
* January - The [[Ramen Worm]] was distributed by intruders; it targeted versions 6.2 and 7.0 of Red Hat's Linux operating system.<ref>[http://news.cnet.com/2009-1001-251311.html Ramen Linux worm mutating, multiplying]</ref>
* February - VBS/[[On the Fly]], a malicious VBScript program, was distributed through e-mail with an AnnaKournikova.jpg.vbs attachment.<ref>[http://www.cert.org/advisories/CA-2001-03.html CERT Advisory CA-2001-03]</ref> The erkms and lion worms were also distributed, targeting vulnerabilities in the ISC [[BIND]] name server software.<ref>[http://www.cert.org/incident_notes/IN-2001-03.html CERT Incident Note IN-2001-03]</ref>
* April - The [[Carko]] DDoS tool was discovered, with similarities to the Stacheldraht attacks.<ref>[http://www.cert.org/incident_notes/IN-2001-04.html CERT Incident Note IN-2001-04]</ref>
* May - The [[Cheese worm]] attacks Linux computers with similarities to Ramen, using backdoors to copy itself from attacking host to victim host; it propagates automatically, starting another cycle of attack without human intervention.<ref>[http://www.cert.org/incident_notes/IN-2001-05.html Cert Incident Note IN-2001-05]</ref>
* July - W32/Sircam spread through email and affected 300 individual sites.<ref>[http://www.cert.org/advisories/CA-2001-22.html CERT Advisory CA-2001-22 W32/Sircam Malicious Code]</ref>

==References==
{{reflist}}

Current revision (text added in this change):

==Outcome==
The outcome of a DDoS attack is that the attacked website is unavailable or runs very slowly. The damage done by these attacks can lead to minor inconveniences, losses in consumer confidence, and large revenue losses.

==Historical Use==
*DDoS attacks have been used to take down or interrupt the traffic of large sites, making them inaccessible.<ref name=Weiss>[http://www.esecurityplanet.com/network-security/how-to-prevent-dos-attacks.html How to Prevent DoS Attacks] by Aaron Weiss (July 2, 2012), eSecurity Planet</ref><ref>[http://blog.icann.org/2013/04/do-more-to-prevent-dns-ddos-attacks/ Do More to Prevent DNS DDoS Attacks] by Dave Piscitello (April 3, 2013), Internet Corporation for Assigned Names and Numbers (ICANN)</ref> These planned attacks can be committed for political, social, and/or illegal purposes.<ref name="blog" /> Unlike regular DoS attacks, DDoS attacks use multiple computers to attack their victims, which often makes the attack harder to stop.<ref name=Weiss/> [[Botnet Attacks|Botnets]], or networks of computers controlled by hackers, are often used in DDoS attacks.<ref>[http://www.prolexic.com/knowledge-center-what-is-ddos-denial-of-service.html What is DDoS denial of service? What everyone needs to know about DDoS], Prolexic</ref>
*Four types of DDoS attacks include:<ref name="attack map"/>
#TCP Connection Attacks: attempting "to use up all the available connections to infrastructure devices"<ref name="attack map"/>
#Volumetric Attacks: attempting to use large amounts of bandwidth
#Fragmentation Attacks: sending so many TCP or UDP fragments that the target cannot assemble them, which slows the system
#Application Attacks: trying to flood one aspect or application on a given site
*A DDoS attack can be bought or traded as a service. For example, an attack that lasts a week can be purchased for $150,<ref name="attack map"/> while an attack that lasts 1 hour can be bought for $30-70.<ref>[http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf Russian Underground 101] (PDF) by Max Goncharov, TrendMicro.com</ref>
*In addition to causing service errors, DDoS attacks can also be used to commit "other cybercrimes, including data breaches or financial fraud."<ref>[https://www.networkworld.com/newsletters/techexec/2013/101113bestpractices.html?page=2 Best practices to mitigate DDoS attacks] by Linda Musthaler (January 10, 2013), Network World</ref>

==ICANN Policy==
*ICANN does not have a policy that specifically addresses DDoS attacks; however, ICANN's blog has addressed the issue of how to respond to and report a DDoS attack.<ref name="blog">[http://blog.icann.org/2013/04/how-to-report-a-ddos-attack/ How to Report a DDoS Attack] by Dave Piscitello (April 25, 2013), Internet Corporation for Assigned Names and Numbers (ICANN).</ref> If a site is under attack, the 2013 post suggests that the registrant contact the hosting provider and internet service provider (ISP).<ref name="blog"/> If the attack was preceded by a threat, or a sum of money was demanded to stop the attack, the registrant should contact law enforcement.<ref name="blog"/>
*ICANN's Security and Stability Advisory Committee ([[SSAC]]) also released an advisory in 2006 on DDoS attacks in relation to the DNS.<ref>[http://www.icann.org/en/groups/ssac/dns-ddos-advisory-31mar06-en.pdf SSAC Advisory SAC008: DNS Distributed Denial of Service (DDoS) Attacks] (PDF), ICANN Security and Stability Advisory Committee (SSAC)</ref>
*ICANN's [[SSAC]] released another advisory in 2014 on DDoS attacks and how they may exploit certain security issues in the DNS.<ref name="s">[http://www.icann.org/en/groups/ssac/documents/sac-065-en.pdf SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure] (PDF), ICANN Security and Stability Advisory Committee (SSAC)</ref> For example, an attacker may use a victim's spoofed IP address to make multiple queries to an open recursive DNS server; the server will then respond by flooding the victim's computer with the unsolicited responses.<ref name="sing">[http://singapore49.icann.org/en/schedule/thu-ssac SSAC's Update Presentation at ICANN 49] (PDF and audio)</ref> DDoS attacks that utilize "DNS reflection and amplification" can have "attack data bit rates reportedly exceeding 300 gigabits per second."<ref name="sing"/> The advisory suggests that "ICANN should facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing."<ref name="s"/> Additionally, rate limiting and blocking abusive queries may help reduce DDoS attacks.<ref name="sing"/> The SSAC also recommends that DNS software and systems be updated regularly to reduce DDoS vulnerability.<ref name="sing"/>
**Read the [http://www.icann.org/en/groups/ssac/documents/sac-065-en.pdf SSAC's Advisory on DDoS Attacks Leveraging DNS Infrastructure]
**View the [http://singapore49.icann.org/en/schedule/thu-ssac SSAC's Presentation at ICANN 49]
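Worked example for the DNS reflection and amplification mechanism the SSAC material above describes, seen from the victim's side: responses arriving on UDP/53 from resolvers that were never queried are the reflection signature, and the inbound/outbound byte ratio shows the amplification. This is an added illustration, not code from the wiki page, ICANN or SSAC; the flow record format, the addresses and the thresholds are assumptions.

```python
# Added example, not from the wiki page or from ICANN/SSAC: a defender-side check
# for the DNS reflection/amplification pattern the SSAC advisory describes.
# Flow record format is an assumption: "ts direction src dst sport dport bytes".
from collections import defaultdict

# Constructed sample: 10.0.0.5 is our host, 192.0.2.53 our real resolver,
# 198.51.100.x are open resolvers sending responses we never asked for.
SAMPLE_FLOWS = """\
1000.0 out 10.0.0.5 192.0.2.53 51000 53 64
1000.1 in 192.0.2.53 10.0.0.5 53 51000 180
1000.2 in 198.51.100.7 10.0.0.5 53 51000 3200
1000.3 in 198.51.100.7 10.0.0.5 53 51000 3200
1000.4 in 198.51.100.9 10.0.0.5 53 51000 2900
1000.5 in 198.51.100.7 10.0.0.5 53 51000 3100
1000.6 in 198.51.100.9 10.0.0.5 53 51000 2950
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, direction, src, dst, sport, dport, nbytes = line.split()
        flows.append({"ts": float(ts), "dir": direction, "src": src, "dst": dst,
                      "sport": int(sport), "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_reflectors(flows, min_responses=2, min_bytes=1000):
    """Map reflector IP -> (response_count, total_bytes) for sources that sent
    DNS responses to a host which never queried them: the reflection signature."""
    queried = {(f["src"], f["dst"]) for f in flows if f["dir"] == "out" and f["dport"] == 53}
    inbound = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["dir"] == "in" and f["sport"] == 53 and (f["dst"], f["src"]) not in queried:
            inbound[f["src"]][0] += 1
            inbound[f["src"]][1] += f["bytes"]
    return {ip: (n, b) for ip, (n, b) in inbound.items()
            if n >= min_responses and b >= min_bytes}

def amplification_ratio(flows, our_host):
    """Inbound UDP/53 bytes divided by the DNS query bytes our_host sent; a ratio
    far above what our own queries explain indicates amplification traffic."""
    sent = sum(f["bytes"] for f in flows
               if f["dir"] == "out" and f["src"] == our_host and f["dport"] == 53)
    recv = sum(f["bytes"] for f in flows
               if f["dir"] == "in" and f["dst"] == our_host and f["sport"] == 53)
    return recv / sent if sent else float("inf")  # no queries at all: everything is unsolicited
```

On the constructed sample the legitimate resolver is excluded because our host queried it, while both open resolvers are reported with their unsolicited response volume.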
==Legislation==
*[[Computer Fraud and Abuse Act]] (CFAA): this act, last amended in 2008,<ref>[http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act Computer Fraud and Abuse Act] at Wikipedia</ref> prohibits the unauthorized use of another person's computer, among other things.<ref>[https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29 Computer Fraud and Abuse Act (CFAA)] at Internet Law Treatise</ref><ref>[http://us.practicallaw.com/2-508-3428 Computer Fraud and Abuse Act (CFAA)] at Practical Law, Thomson Reuters</ref> In relation to DDoS attacks, if the hacker used a botnet to perpetrate the attack, he or she could be charged under CFAA in addition to facing civil suits.<ref>[http://us.practicallaw.com/7-516-9293 Distributed Denial-of-Service (DDoS) Attack] at Practical Law, Thomson Reuters</ref> DDoS attackers can also face jail time.<ref name="naked">[http://nakedsecurity.sophos.com/2010/12/09/are-ddos-distributed-denial-of-service-attacks-against-the-law/ Are DDoS (distributed denial-of-service) attacks against the law?] by Graham Cluley (December 9, 2010), Naked Security, Sophos</ref>
**Read more about the [https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29 CFAA].
*Other nations, such as the UK and Sweden, also have anti-DDoS legislation.<ref name="naked"/>
==DNS Award==
Awardees take a proactive approach to preventing DDoS attacks.
==Additional Resources==
*Review facts and watch a video explaining [http://www.digitalattackmap.com/understanding-ddos/ DDoS Attacks]
*View a [http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16097&view=map DDoS Attack Map]
*Read the [http://www.icann.org/en/groups/ssac/dns-ddos-advisory-31mar06-en.pdf SSAC's DDoS Advisory]
*See [http://www.us-cert.gov/ncas/tips/ST04-015 CERT's Security Tips Page] for signs that indicate you may be experiencing a DDoS attack
*View a [http://www.circleid.com/posts/20140318_what_does_a_ddos_attack_look_like/ Visualization of a DDOS Attack]
*Listen to the [http://singapore49.icann.org/en/schedule/thu-ssac SSAC's Presentation at ICANN Singapore] that addresses DDoS attacks and recommendations
==Related Articles==
*[[Botnet Attacks]]
*[[DoS Attack]]
==References==
<references/>
Previous revision: [[Category:Glossary]] __NOTOC__
Current revision: [[Category:Bad Practice]] __NOTOC__