DDoS Attacks Changing -- and Still Dangerous

Carl Weinschenk

This Dark Reading piece restates the generally accepted wisdom that distributed denial of service (DDoS) attacks are becoming less numerous -- but at the same time are growing far more nuanced and tactical.


In many cases, the writer says, DDoS attacks are being waged in conjunction with botnets and carry viruses and other malware. Make no mistake, however: There still are plenty of attacks to go around. Research by Arbor Networks says there are, on average, 1,200 DDOS attacks each day in the 38 ISP networks tracked. At least one of these consists of at least 1 million packets per second.

The heart of the piece is a three-step guide to minimizing damage and stopping attacks.

The first phase occurs during the initial five minutes of the attack. It is important to have tools in place to filter out bad traffic and minimize disruption to end users. At this early point, the ISP may be able to trace the "direct attackers," who usually are swarms of bot-controlled PCs. Identifying them isn't a priority, however, because they are slave machines being used by the real bad guys, who remain well hidden.

The next step is the first hour of the attack. An ISP should trace the "command and control infrastructure" driving the attack in preparation to destroy it. However, a Neustar executive comments that amassing such intelligence is getting increasingly difficult as attacker sophistication grows.

The third stage is to call in back up in the form of law enforcement and security researchers. The writer points out that it is important to cooperate with these folks, but attention must be paid to non-disclosure agreements (NDAs) and other privacy issues.

This useful blog positing at Hacking.co.in starts out with a generic description of DDoS attacks, but quickly gets into a deeper discussion of the variations used by hackers.

  • Buffer overflows are the most common attack. As the name implies, the idea is to send so much traffic to an address that the buffers won't be able to handle it. The story offers three examples of well-known buffer overflow attacks.
  • SYN attacks focus on the connection between the Transport Control Program (TCP) and server in a network. A small buffer exists in the "handshake" exchange used to create a connection. Part of this handshake is a SYN field, which the blogger says establishes the sequence of the message exchange. The blogger goes into some detail, but the bottom line is that jamming and confusing this exchange can be an effective DDOS attack.
  • In some cases, a packet being sent from one router is too large for the next. The Internet has procedures for handling this. A teardrop attack centers on creating confusion in this process.
  • A smurf attack involves sending an IP ping -- a request for answer generally used to see if, and how well, a link is working -- to a number of IP addresses. The attack simply instructs the receiving station to send the response to the IP address being attacked. If enough of these spoofed pings are sent, the targeted machine can be overwhelmed.

The industry is reacting to the changing tactics used by hackers. Last week, BT introduced a system that seeks to control DDoS attacks. The managed service, which uses Arbor's threat management system (TMS), relies on profiles of the traffic patterns of each customer. This enables traffic surges and unusual patterns to be analyzed in real time. When an attack occurs, the traffic is sent through a mitigation device that filters out the DDoS traffic while passing through the legitimate traffic.


The difficulty of dealing with these issues was illustrated last week. The Department of Homeland Security suffered a self-inflicted "mini DDoS" attack when a request for a change from a reader of the DHS Open Source Intelligence Report was sent to everyone on the list. eWeek reports that the the situation escalated during the next hour as messages bounced back and forth involving the entire list. The messages -- from a political ad to local weather reports to repeated requests for people to stop responding -- resulted in about 2.2 million messages bombarding subscribers' inboxes.

Add Comment      Leave a comment on this blog post
May 27, 2008 6:13 AM Denial of Service Denial of Service  says:
This blog is very informative. Keep it up Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.