DDoS is the acronym for Distributed Denial of Service. The Software Engineering Institute- CERT at Carnegie Mellon University explained that the telephone system, computer system and the Domain Name System (DNS) sometimes become unusable during peak hours because of supply and demand. However, when an intruder or hacker interrupts the system, takes control of the computer and prevents the legitimate user to use it and forces the computer to send large amount of email to someone else which can not be handled by the recipient's disk that saves e-mails, a Denial of Service (DoS) attack happens. If an intruder attacks a particular computer, takes control of it and sends extraordinary amount of data to a website and distribute it to numerous email addresses affecting the users computer network, the intrusion is called Distributed Denial of Service attack.]
The CERT/CC at Canegie Mellon University documented the first incident of Denial Of Service Attack in 1999 when the Trinoo and Tribe Flood Network (TFN) DDoS Network tools were widely distributed. The two DDoS used UDP Flood attack, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast denial of service attacks respectively. Trinoo attacked a single computer from Minnesota University, affected around 227 systems and became unusable for more than two days.
On February 2000, a massive DDoS attack against high profile websites including Yahoo!, Buy.com, eBay, CNN, Amazon.com, ZDNet.com, E*Trade, and Excite were paralyzed and lost an estimated amount of $1.7 billion. A suspect in who is a juvenile Canada with an online alias "mafiaboy" was arrested on April of the same year. He plead guilty on January 18, 2001 on 56 charges of mischief and illegal use of computer services.
Frequent Targets of Intruder Attacks
According to the CERT report, "Trends in Denial Service Attack Technology" the frequent targets of intruders are Windows end-users and Internet Routing Technology. Intruders primary intention in conducting DoS attack is to prevent the use of computer or network resources.
Reasons Why Internet is Vulnerable to Attacks
Internet connected systems are still vulnerable to DoS attacks despite active security efforts is because of the following reasons:
- Internet is composed of limited and consumable resources
- Internet security is highly interdependent
Packet Flooding Attack
Packet Flooding Attack is the most common type of Denial of Service Attack.The modus operandi of intruders is sending more than acceptable number of packets to a particular destination which consumes the entire bandwidth resources. There are several types of packets used by Packet Flooding Attack tools including:
- TCP Floods- SYN, ACK and RST flags are sent to the victim's IP Address
- ICMP echo request reply (Ping Floods)- A stream of ICMP is sent to the victim's IP Address
- UDP Floods- A stream of UDP is sent to the victim's IP Address
These attack tools changes the characteristics of packets in the packet stream such as the Source IP Address to hide the real source of the packet stream. The method of sending packet streams to one or more intermediate sites to create responses that will be sent to a victim is called IP Spoofing. Other packet stream attribute being altered by intruders are the Source/Destination Ports and Other IP Header Values.