What is a DDoS Attack?
DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Unlike a Denial of Service (DoS) attack, in which one computer and one internet connection is used to flood targeted resource with packets, a DDoS attack uses many computers and many Internet connections.
DDoS attacks can be broadly divided three types. The first, Application Layer DDoS Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in Requests per second.
The second type of DDoS attack, Protocol DDoS Attacks, include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in Packets per second.
The third type of DDoS attack is generally considered to most dangerous. Volume-based DDoS Attacks include UDP floods, ICMP floods, and other spoofed-packet floods. The volume-based attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in Bits per second.
Why are botnets used in ddos attacks?
Some of the most common tools for which Botnet used in DDoS attack and these are easily downloaded from multiple online sources, and include:
•
SlowLoris – especially dangerous to hosts running Apache, dhttpd, Tomcat and GoAhead WebServer, Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network.
•
Qslowloris - uses Qt libraries to execute the methods used by Slowloris, offering a graphical user interface that makes the program highly easy to use.
•
Apache Killer - utilizes an exploit in the Apache OS first discovered by a Google security engineer. Apache Killer pings a server, tells the server to break up whatever file is transferred into a vast number of tiny chunks, using the "range" variable. When the server tries to comply with this request, it runs out of memory, or encounters other errors, and crashes.
There are also many tools for testing server readiness to withstand Botnet DDoS attacks, such as:
•
DDoSim, which can be used in a laboratory environment to simulate a DDoS attack, and helps measure the capacity of a given server to handle application-specific DDOS attacks, by simulating multiple zombie hosts with random IP addresses that create TCP connections.
•
PyLoris is a scriptable tool for testing a service's level of vulnerability to a particular class of Denial of Service (DoS) attack.
•
Tor's Hammer is a slow post dos testing tool written in Python. It can also be run through the Tor network to be anonymized.
One quarter of all computers part of a botnet
The World Economic Forum takes place this week in Davos, Switzerland, and leaders around the world gather to discuss issues like the Iraq war, global climate change, and globalization—along with the incredible prevalence of botnets.
The BBC's Tim Weber, who was in the audience of an Internet panel featuring Vint Cerf, Michael Dell, John Markoff of the New York Times, and Jon Zittrain of Oxford, came away most impressed by the botnet statistics. Cerf told his listeners that approximately 600 million computers are connected to the Internet, and that 150 million of them might be participants in a botnet—nearly all of them unwilling victims. Weber remarks that "in most cases the owners of these computers have not the slightest idea what their little beige friend in the study is up to."
If Cerf's estimate is accurate, that's one quarter of all machines connected to the Internet. So is the Internet doomed?
Well, you're reading this, so no, not yet. But the botnet menace is no phantom, and it has been growing in strength for years. In September 2006, security research firm Arbor Networks announced that it was now seeing botnet-based denial of service attacks capable of generating an astonishing 10-20Gbps of junk data. The company notes that when major attacks of this sort began, ISPs often do exactly what the attacker wants them to do: take the target site offline.
What is it that keeps the "botherders" so fascinated with amassing large flocks like modern-day, digital shepherds? Money. Once millions of "little beige friends" have been compromised with bot software, the creators can then use or rent the network to deliver spam, denial of service attacks, and log passwords and usernames.
All of these uses can be lucrative if you know the right wrong people. Several months ago, Wired published a great story about the extended botnet attack on Blue Security that captures the shadowy nature of the botnet world. Even after weeks of attacks and public tauntings from the spammer behind them, neither the security firm nor its ISPs could fully halt the attacks or identify the person who was launching them. In the end, Blue Security folded.
Botnets have been behind a significant increase in spam in recent months, and some security vendors have warned that these networks are now large enough to pose a potential threat to major government networks (at least those which operate or are connected to the public Internet).
It can be difficult to locate and prosecute botnet operators. Blue Security officials believed that their antagonist was in Russia, but American teenagers have also been involved in the practice, and several have been prosecuted. Two were sentenced last year to 57 and 37 months in jail, respectively—sentences designed to send a message that the government is serious about the issue.
