An In-Depth Look at DDoS – Part 1: Motives, Methods and Tools

Recently we’ve seen the renewed interest of DDoS methods and tools splash the front pages of major newspapers and news sites throughout the world. Just in the past week a hacktivist group is calling for more DDoS attacks on US banks.

The ability to harness and command internet traffic towards a company or organization for the attacker’s sole purpose of limiting the access to a resource is cheap, easy and very stealthy. It’s become the tool of trade for many activists and hackers alike and can be absolutely devastating if you’re in the crosshairs of a skilled attacker with the power of the internet flooding behind him.

Before we get into defending a DDoS attack lets discuss a few motives that might provoke an attacker into launching an attack towards someone.

• The “Cyber Sit In” – Whereas, in the past activists would show up at a location to demonstrate their dislike for an organization, all they have to do now is sit at a keyboard and launch an attack from the comfort of their mom’s basement. This is the side of DDoS that’s used to show the unhappiness one group has towards another’s ideology.
• Site for Ransom – On the flip side another motive is being driven completely by money. Now we’re seeing situations where one group knocks a competitor offline, and then holds the site hostage for a ransom. This can especially be harmful when conducted during a busy time of the year. These attackers see an opportunity to make money and are trying to get a piece of the pie.

Every organization has a limit, and with enough firepower behind them, the attacker will find that limit. Attackers have at their disposal free DDoS tools to download and have the capability to direct large quantities of traffic towards a victim with finite resources – all it takes a lot of the time is pointing and clicking towards a target IP/domain. Many of these tools can also be scripted to launch traffic towards a site on a scheduled basis and to change tactics to keep the victim guessing.

There are many ways that have been proposed to defend against DDoS attacks, but there is no silver bullet when it comes to this beast. Like all things in security you need to rely on layers of protection. To get a better understanding of DDoS attacks and ways to protect yourself against them you need to understand that there are several types of DDoS attacks that can be conducted numerous different ways – and depending on the layer being attacked different systems might not realize it.

• Application Layer Attack – When you have an application layer attack the bad guys are hitting your applications and use different methods and tools such as HTTP GET/PUT Floods, DNS saturation, etc.. Remember, the attacker’s main goal is to disrupt service and they don’t care how they do it. Many application layer attacks are successful with very limited bandwidth and are aimed at bringing down your database, application, etc. At this point if an attacker can overwhelm database connections on a website, FTP server, DNS, etc. the service is down and you can’t serve it to legitimate customers (It’s like an old fashioned sit in).

• Network Layer Attack – Network layer attacks  aim to saturate your systems or network so that either the internet circuit or networking equipment can no longer handle the load being requested –  this is synonymous with being punched in the face repeatedly until calling “Uncle”. Methods and tools used in this type of attack are ICMP Floods, Half Open Syn Floods, etc.

• Hybrid Attack – When application and network layer attacks are combined, these evil creatures become something called a hybrid attack (an ugly, rabid DDoS love child). Now when you have attackers switching attacks or using both attack types at the same time (AKA Hybrid Attack), things will get interesting.

Using the Botnet as a Bottleneck
Then there’s the botnet, the living, breathing beast on the internet looking to focus its rage upon a group like a dragon spewing flame. This is where DDoS gets the extra “D”. No, not dragon… distributed. When a botnet is in the hands of a capable attacker, the victim should know that they’re in for a long ride. There have been botnets as large as 500,000 nodes, which can do some serious damage. This is what most professionals are using to launch DDoS attacks, and the sad part is that many are up for rent.

The internet can be a cruel place… Check back next week to learn some things you can do to better defend against DDoS attacks. And if you have any recommendations, please share them here!