TBT: The month fem-power first led HP
Protecting a Server from DDoS Attacks

Understanding the Roots of DDoS Attacks

Editor’s Note: While the summertime of pace of business is upon us all, the heat of security threats remains as high as this season's temperatures. Only weeks ago, scores of major websites, hosted on popular MPE replacement Linux servers, were knocked out of service by Distributed Denial of Service DDoS attacks. Even our mainline blog host TypePad was taken down. It can happen to anybody employing a more Web-ready server OS than MPE, to any such server attached to a network -- so migrating sites will do well to study up on these hacks. Our security writer Steve Hardwick shares background today, and preventative measures next time.

By Steve Hardwick, CISSP
Oxygen Finance

DDOS-AttackDistributed Denial of Service (DDoS) is a virulent attack that is growing in number over the past couple of years. The NSFOCUS DDoS Threat Report 2013 recorded 244,703 incidents of DDoS attacks throughout last year. Perhaps the best way to understand this attack is to first look at Denial Of Service, (DoS) attacks. The focus of a DoS attack is to remove the ability of a network device to accept incoming traffic. DoS attacks can target firewalls, routers, servers or even personal computers. The goal is to overload the network interface such that it either it unable to function or it shuts down.

A simple example of such an attack is a Local Area Network Denial. This LAND attack was first seen around 1997. It is accomplished by creating a specially constructed PING packet. The normal function of ping is to take the incoming packet and send a response to the source machine, as denoted by the source address in the packet header. In a LAND attack, the source IP address is spoofed and the IP address of the target is placed in the source address location. When the target gets the packet, it will send the ping response to the source address, which is its own address. This will cause the target machine to repeatedly send responses to itself and overload the network interface. Although not really a threat today, some older versions of operating systems -- such as the still-in-enterprises Windows XP SP2, or Mac OS MacTCP 7.6.1 -- are susceptible to LAND attacks.

So where does the Distributed part come from? Many DoS attacks rely on the target machine to create runaway conditions that cause the generation of a torrent of traffic that floods the network interface. An alternative approach uses a collaborative group of external machines to source the attack. For example, a virus can be written that sends multiple emails to a single email address. The virus also contains code to send it to everyone in the recipient's email address book. Before long, the targeted server is receiving thousands of emails per hour -- and the mail server becomes overloaded and effectively useless.

Another DoS example is a variant of the LAND attack, a Ping flood attack. In this attack a command is issued on a machine to send ping packets as fast as possible without waiting for a response (using the -f option in the ping command, for example). If a single machine is used, then the number of packets may not overwhelm the target. However, if a virus is constructed such that the ping flood will occur at a specific time, then it can be sent to multiple machines.

When a predefined trigger time is reached, all of the infected machines start sending ping flood to the target. The collection of infected machines, called Zombies, is called a botnet or an amplifications network. A good example is Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems. This created a new phenomenon -- MAC based botnets.

Before discussing some other attacks, it is necessary to understand a little more about firewalls and servers. In the examples above, the target was at the IP address layer of the network interface. However, network equipment has additional functionality on top of the IP processing function. This includes session management of the IP connections and application level functions.

Newer attacks have now started focusing on these session and application functions. This requires less resources and can create broader based attacks that can target multiple network elements with a single virus. A good example of this class are HTTP floods. For example, repeated HTTP Get requests are made to retrieve information from a web server. The sending machine does not wait for the information to be sent, but keeps sending multiple requests. The web server will try to honor the request and send out the content. Eventually the multiple requests will overload the web server. Since these look like standard HTTP requests, they are difficult to mitigate.

Next time: Why DDoS is used, and how to reduce the threats to servers.