
DDoS Attack: Difference between revisions

From ICANNWiki
Marie Cabural (talk | contribs)
Line 21: Line 21:


==Timeline of Trends in DoS Attack Technology==
==Timeline of Trends in DoS Attack Technology==
* July 1999- [[Trinoo]] and [[Tribe Flood Network]] (TFN) DDoS Network tools were widely distributed using UDP Flood attack, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast denial of service attacks respectively.<ref>[http://www.cert.org/incident_notes/IN-99-07.html Cert Incident Notes IN-99-09 Distributed Denial of Service Tools]</ref>
===1999 DDoS Attacks===
* August 1999- [[Stacheldraht]] DDoS tool was discovered in isolated cases using combined features of trinoo, TFN ad some new encypted DDoS tools to protect the attacker.Stacheldraht involved selective based targeting on the packet generating capability of the target systems.<ref>[http://www.sans.org/security-resources/malwarefaq/stacheldraht.php Malware FAQ: Analysis on DDOS tool Stacheldraht v1.666]</ref>*
* July- [[Trinoo]] and [[Tribe Flood Network]] (TFN) DDoS Network tools were widely distributed using UDP Flood attack, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast denial of service attacks respectively.<ref>[http://www.cert.org/incident_notes/IN-99-07.html Cert Incident Notes IN-99-09 Distributed Denial of Service Tools]</ref>
* November 1999- CERT/CC sponsored the Distributed Systems Intruder Tools (DIST) Workshop.<ref>[http://www.docslibrary.com/results-of-the-distributed-systems-intruder-tools-workshop Results of the Distributed-Systems Intruder Tools Workshop]</ref>
* August- [[Stacheldraht]] DDoS tool was discovered in isolated cases using combined features of trinoo, TFN ad some new encypted DDoS tools to protect the attacker.Stacheldraht involved selective based targeting on the packet generating capability of the target systems.<ref>[http://www.sans.org/security-resources/malwarefaq/stacheldraht.php Malware FAQ: Analysis on DDOS tool Stacheldraht v1.666]</ref>*
* December 1999- [[Tribe Flood Network 2000]] (TFN200) was released and it was designed to attack some UNIX and UNIX-like systems and Windows NT to destabilize and crash systems by sending malformed or invalid packets.<ref>[http://www.cert.org/advisories/CA-1999-17.html CERT Advisory-CA-1999-17]</ref>
* November - CERT/CC sponsored the Distributed Systems Intruder Tools (DIST) Workshop.<ref>[http://www.docslibrary.com/results-of-the-distributed-systems-intruder-tools-workshop Results of the Distributed-Systems Intruder Tools Workshop]</ref>
* December- [[Tribe Flood Network 2000]] (TFN200) was released and it was designed to attack some UNIX and UNIX-like systems and Windows NT to destabilize and crash systems by sending malformed or invalid packets.<ref>[http://www.cert.org/advisories/CA-1999-17.html CERT Advisory-CA-1999-17]</ref>
* November 1999-[[Shaft]] DDoS tool a packet flooding attack occurred with similarities to trinoo. It used TCP packets with sequence number 0x28374839 as signature.<ref>[http://www.garykessler.net/library/ddos.html Defenses Against Distributed Denial of Service Attacks]</ref>
* November 1999-[[Shaft]] DDoS tool a packet flooding attack occurred with similarities to trinoo. It used TCP packets with sequence number 0x28374839 as signature.<ref>[http://www.garykessler.net/library/ddos.html Defenses Against Distributed Denial of Service Attacks]</ref>
* January 2000- Stacheldraht 1.666 DDoS tool was discovered and widely spread on multiple compromised hosts in several organizations.<ref>[http://www.cert.org/advisories/CA-2000-01.html CA-2000-01 Denial-of-Service Developments]</ref>
 
* April 2000- [[mstream]] Packet Amplified Attacks on Name Servers became common.<ref>[http://www.cert.org/incident_notes/IN-2000-04.html CERT Incident Note IN-2000-04]</ref>
===2000 DDos Attacks===
* May 2000- [[Love Letter Worm]] a malicious VBScript was spread through emails, Windows file sharing, IRC, USENET news and through possible webpages. More than 500,000 individual systems were affected.<ref>[http://www.cert.org/advisories/CA-2000-04.html CERT Advisory CA-2000-04 Love Letter Worm]</ref> [[T0rnkit]] was also distributed by intruders using six different versions of rootkit.<ref>[http://www.cert.org/incident_notes/IN-2000-10.html Cert Incident Note IN-2000-10]</ref>
* January - Stacheldraht 1.666 DDoS tool was discovered and widely spread on multiple compromised hosts in several organizations.<ref>[http://www.cert.org/advisories/CA-2000-01.html CA-2000-01 Denial-of-Service Developments]</ref>
* August 2000- [[Trinity]] DDos tool was distributed compromising [[UNIX]] systems which affected more or less 400 [[Linux]] computers.<ref>[http://articles.cnn.com/2000-09-06/tech/fear.trinity.idg_1_denial-of-service-attacks-on-web-sites-linux-server?_s=PM:TECH New denial-of-service attack tool uses chat programs]</ref>
* April - [[mstream]] Packet Amplified Attacks on Name Servers became common.<ref>[http://www.cert.org/incident_notes/IN-2000-04.html CERT Incident Note IN-2000-04]</ref>
* January 2001- [[Ramen Worm]] was distributed by intruders which targeted versions 6.2 and 7.0 of Red Hat's Linux operating system.<ref>[http://news.cnet.com/2009-1001-251311.html Ramen Linux worm mutating, multiplying]</ref>
* May - [[Love Letter Worm]] a malicious VBScript was spread through emails, Windows file sharing, IRC, USENET news and through possible webpages. More than 500,000 individual systems were affected.<ref>[http://www.cert.org/advisories/CA-2000-04.html CERT Advisory CA-2000-04 Love Letter Worm]</ref> [[T0rnkit]] was also distributed by intruders using six different versions of rootkit.<ref>[http://www.cert.org/incident_notes/IN-2000-10.html Cert Incident Note IN-2000-10]</ref>
* February 2001-VBS/[[On the Fly]]- a malicious VBScript program was distributed through e-mail with an AnnaKournikova.jpg.vbs attachment.<ref>[http://www.cert.org/advisories/CA-2001-03.html CERT Advisory CA-2001-03]</ref> The erkms and and lion worms were also distributed which targeted the vulnerabilities of the ISC [[BIND]] Name Server Software.<ref>[http://www.cert.org/incident_notes/IN-2001-03.html CERT Incident Note IN-2001-03]</ref>
* August- [[Trinity]] DDos tool was distributed compromising [[UNIX]] systems which affected more or less 400 [[Linux]] computers.<ref>[http://articles.cnn.com/2000-09-06/tech/fear.trinity.idg_1_denial-of-service-attacks-on-web-sites-linux-server?_s=PM:TECH New denial-of-service attack tool uses chat programs]</ref>
* April 2001- [[Carko]] DDos Tool was discovered with similarities to the Stacheldraht attacks.<ref>[http://www.cert.org/incident_notes/IN-2001-04.html CERT Incident Note IN-2001-04]</ref>
 
===2001 DDoS Attacks==
* January - [[Ramen Worm]] was distributed by intruders which targeted versions 6.2 and 7.0 of Red Hat's Linux operating system.<ref>[http://news.cnet.com/2009-1001-251311.html Ramen Linux worm mutating, multiplying]</ref>
* February- VBS/[[On the Fly]]- a malicious VBScript program was distributed through e-mail with an AnnaKournikova.jpg.vbs attachment.<ref>[http://www.cert.org/advisories/CA-2001-03.html CERT Advisory CA-2001-03]</ref> The erkms and and lion worms were also distributed which targeted the vulnerabilities of the ISC [[BIND]] Name Server Software.<ref>[http://www.cert.org/incident_notes/IN-2001-03.html CERT Incident Note IN-2001-03]</ref>
* April - [[Carko]] DDos Tool was discovered with similarities to the Stacheldraht attacks.<ref>[http://www.cert.org/incident_notes/IN-2001-04.html CERT Incident Note IN-2001-04]</ref>
* May - [[Cheese€worm]] attacks Linux computers with similarities to the Ramen DDoS using backdoors copying itself attacking host to victim host and it automatically propagates itself to make another cycle of attack without human intervention.<ref>[http://www.cert.org/incident_notes/IN-2001-05.html Cert Incident Note IN-2001-05]</ref>
* July - W32/Sircam spreads through email and affected 300 individual sites.<ref>[http://www.cert.org/advisories/CA-2001-22.html CERT Advisory CA-2001-22 W32/Sircam Malicious Code]</ref>


==References==
==References==
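Review bot: the heading "===2001 DDoS Attacks==" in the new revision has three opening and only two closing equals signs, so MediaWiki will not render it as a level-3 heading (the rendered revision below indeed shows it as "=2001 DDoS Attacks"); it should read "===2001 DDoS Attacks===". In the same region, the Shaft entry keeps "November 1999" while the other bullets of the new revision drop the year, and it is listed after the December entry; the Stacheldraht entry has a stray "*" after its <ref> and the typos "ad" and "encypted"; "Cheese€worm" carries an encoding artifact; "===2000 DDos Attacks===" has inconsistent capitalisation; and the first reference's title reads IN-99-09 while its URL points to IN-99-07.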

Revision as of 06:52, 14 September 2011


DDoS is the acronym for Distributed Denial of Service. The Software Engineering Institute's CERT at Carnegie Mellon University explains that the telephone system, computer systems and the Domain Name System (DNS) sometimes become unusable, either during peak hours, when consumers have a hard time using the service, or when an intruder or hacker interrupts the system and makes it unavailable to consumers. When a hacker sends someone a very large amount of e-mail that the disk storing mail on the recipient's computer cannot handle, a Denial of Service (DoS) attack occurs, because the user cannot use his or her computer until the situation is resolved. In terms of computer networks, intruders send an extraordinary number of Internet requests to the computers providing Internet services, preventing users from getting an Internet connection. Users whose networks are unable to use the Internet because of such an intrusion are victims of a Distributed Denial of Service attack.[1]

Frequent Targets of Intruder Attacks

According to the CERT report "Trends in Denial of Service Attack Technology", the frequent targets of intruders are Windows end users and Internet routing technology. Intruders' primary intention in conducting a DoS attack is to prevent the use of computer or network resources.

Reasons Why Internet is Vulnerable to Attacks

Internet-connected systems remain vulnerable to DoS attacks despite active security efforts for the following reasons:[2]

  • The Internet is composed of limited and consumable resources
  • Internet security is highly interdependent

Packet Flooding Attack

Packet flooding is the most common type of Denial of Service attack. The modus operandi of intruders is to send more packets to a particular destination than it can accept, consuming its entire bandwidth. Packet flooding attack tools use several types of packets, including:

  • TCP floods- packets with the SYN, ACK or RST flags set are sent to the victim's IP address
  • ICMP echo request/reply floods (ping floods)- a stream of ICMP packets is sent to the victim's IP address
  • UDP floods- a stream of UDP packets is sent to the victim's IP address

These attack tools change the characteristics of the packets in the stream, such as the source IP address, to hide the real source of the packet stream. Sending packet streams to one or more intermediate sites so that their responses are directed at a victim is called IP spoofing;[3] the responses reach the victim because the forged source address is the victim's. Other packet stream attributes altered by intruders are the source/destination ports and other IP header values.
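As an added example (not code from the ICANNWiki article or from CERT), the following Python shows the defender's view of the three flood families above: it buckets constructed packet summaries by destination and one-second window, classifies them as TCP SYN/ACK/RST, ICMP or UDP floods, and uses the number of distinct source addresses in a burst as the tell-tale of forged sources. The packet data, field layout and thresholds are all assumptions made here.

```python
from collections import defaultdict

# Constructed packet summaries (not captured traffic): (seconds, proto, src_ip, dst_ip, tcp_flags).
# A few normal packets, then one short burst for each flood family the article lists.
SAMPLE_PACKETS = (
    [(0.1, "tcp", "10.0.0.5", "192.0.2.10", "S"), (0.2, "tcp", "192.0.2.10", "10.0.0.5", "SA"),
     (0.3, "tcp", "10.0.0.5", "192.0.2.10", "A"), (0.9, "udp", "10.0.0.7", "192.0.2.53", "")]
    # SYN flood: 60 SYNs within one second, each from a different (spoofed-looking) source
    + [(1.0 + i / 100, "tcp", "198.51.100.%d" % i, "192.0.2.10", "S") for i in range(60)]
    # ICMP (ping) flood: 40 packets from 40 sources; ICMP type is not modelled here
    + [(2.0 + i / 100, "icmp", "203.0.113.%d" % i, "192.0.2.20", "") for i in range(40)]
    # UDP flood: 50 packets from only three sources (no spoofing signature)
    + [(3.0 + i / 100, "udp", "198.51.100.%d" % (i % 3), "192.0.2.53", "") for i in range(50)]
)


def classify(proto, flags):
    """Map one packet to the flood families named in the article, or None."""
    if proto == "tcp":
        if "S" in flags and "A" not in flags:
            return "tcp_syn"
        if "R" in flags:
            return "tcp_rst"
        if "A" in flags:
            return "tcp_ack"
        return None
    if proto in ("icmp", "udp"):
        return proto
    return None


def detect_floods(packets, window_s=1.0, pps_threshold=30, spoof_min_sources=20):
    """Bucket packets per (destination, time window, kind) and alert when the packet
    rate reaches pps_threshold. A burst spread over many sources with about one
    packet each is flagged likely_spoofed, the signature of forged source addresses."""
    buckets = defaultdict(list)
    for ts, proto, src, dst, flags in packets:
        kind = classify(proto, flags)
        if kind:
            buckets[(dst, int(ts // window_s), kind)].append(src)
    alerts = []
    for (dst, window, kind), srcs in sorted(buckets.items()):
        pps = len(srcs) / window_s
        if pps >= pps_threshold:
            distinct = len(set(srcs))
            alerts.append({"dst": dst, "window": window, "kind": kind, "pps": pps,
                           "sources": distinct,
                           "likely_spoofed": distinct >= spoof_min_sources})
    return alerts
```

Calling `detect_floods(SAMPLE_PACKETS)` yields three alerts: a SYN flood and an ICMP flood flagged as likely spoofed, and a UDP flood from three real sources that is not.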

Timeline of Trends in DoS Attack Technology

1999 DDoS Attacks

  • July- The Trinoo and Tribe Flood Network (TFN) DDoS network tools were widely distributed; they used UDP flood, TCP SYN flood, ICMP echo request flood and ICMP directed broadcast denial of service attacks respectively.[4]
  • August- The Stacheldraht DDoS tool was discovered in isolated cases, combining features of trinoo and TFN with some new encrypted DDoS tools to protect the attacker. Stacheldraht involved selective targeting based on the packet-generating capability of the target systems.[5]
  • November - CERT/CC sponsored the Distributed Systems Intruder Tools (DIST) Workshop.[6]
  • December- Tribe Flood Network 2000 (TFN2K) was released; it was designed to attack some UNIX and UNIX-like systems and Windows NT, destabilizing and crashing systems by sending malformed or invalid packets.[7]
  • November - Shaft, a packet-flooding DDoS tool with similarities to trinoo, appeared. It used TCP packets with sequence number 0x28374839 as a signature.[8]

2000 DDoS Attacks

  • January - The Stacheldraht 1.666 DDoS tool was discovered, widely spread across compromised hosts in several organizations.[9]
  • April - mstream packet amplification attacks on name servers became common.[10]
  • May - The Love Letter Worm, a malicious VBScript, spread through e-mail, Windows file sharing, IRC, USENET news and possibly web pages. More than 500,000 individual systems were affected.[11] Intruders also distributed T0rnkit, in six different versions of the rootkit.[12]
  • August- The Trinity DDoS tool was distributed, compromising UNIX systems and affecting roughly 400 Linux computers.[13]

2001 DDoS Attacks

  • January - Intruders distributed the Ramen Worm, which targeted versions 6.2 and 7.0 of Red Hat's Linux operating system.[14]
  • February- VBS/On the Fly, a malicious VBScript program, was distributed through e-mail as an AnnaKournikova.jpg.vbs attachment.[15] The erkms and lion worms were also distributed, targeting vulnerabilities in the ISC BIND name server software.[16]
  • April - The Carko DDoS tool was discovered, with similarities to the Stacheldraht attacks.[17]
  • May - The Cheese worm attacked Linux computers, with similarities to Ramen: it entered through backdoors, copied itself from the attacking host to the victim host, and propagated automatically to start another cycle of attack without human intervention.[18]
  • July - W32/Sircam spread through e-mail and affected 300 individual sites.[19]

References