The "No Network is 100% Secure" series
- Distributed Denial of Service (DDoS) Attack -
A White Paper

All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants

Contact Us


What is a denial of service (DoS) attack?: DoS attacks, also know as Distributed DoS attacks and sometimes "The Ping of Death" are attacks designed to deny legitimate computing service users of a particular resource. Typically, DoS attacks would be targeted at high profile web servers such as Microsoft, Banks, E-Commerce sites and so on. Other applications such as mail servers may be attacked as well, although this is less common and is known as "mail bombing" or SPAMMING attacks. Any IP addressable device including routers and DNS name servers can be targeted. Attacks can be made using wired networks acting in a distributed, coordinated manner (the most common method) or via wireless technology. Essentially, a DoS attack floods the target with more packets than it can handle, thus reducing the victims performance to the point where it is effectively inoperable.

Denial-of-service attacks can also lead to problems in the network LAN/WAN connecting to the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, effecting service and performance not only on the targeted computer, but also on the entire network. If an attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised.

A common method of attack involves saturating the target (victim) machine with communications requests, such as pings or port 25/80/443 requests such that the server cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. DoS attacks are often initiated by Techno-Geeks with too much time on their hands known as "script kiddies". DoS attacks are generally performed with malicious intent (or just for the fun of causing trouble) versus having financial, espionage or theft motives. However, cases of Blackmailing potential victims with the threat of attack is not unheard of. It should be noted that during the 2008 South Ossetia war, a DDoS attack against the Georgian Government site rendered several Government servers inoperable for 24 hours. In addition, there is speculation that "Terrorists" may start using DoS technology sometime in the near future.

Computers that have been previously infected with a virus and can now be controlled remotely as a "bot" or "zombie" are frequently used to deliver DoS attacks. Additionally, there are a wide array of programs around that can be used to launch DoS-attacks. Most of these programs are completely focused on performing DoS-attacks, while others are also true Packet injectors, thus able to perform other tasks as well.

A permanent denial-of-service (PDoS), also known as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike a DDoS, a PDoS attack exploits security flaws in the remote management interfaces of the victim's hardware, be it routers, printers, or other networking hardware. These flaws leave the door open for an attacker to remotely 'update' the device firmware to a modified, corrupt or defective firmware image, therefore bricking the device and making it permanently unusable for its original purpose. The PDoS is a pure hardware targeted attack which can be much faster, more destructive and requires fewer resources than using a botnet in a DDoS attack. Because of these features, and the potential and high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacker communities such as Hack a Day. PhlashDance is a tool created by Rich Smith, an employee of Hewlett-Packard's Systems Security Lab, used to detect and demonstrate PDoS vulnerabilities.

What can be done to defend against DoS attacks? Unfortunately, not a lot. Major web sites and networks have been brought to their knees by even primitive DoS attacks. There are a few niche products that have limited abilities to reduce the effects of certain types of attacks but for the most part, there is no magic pill to immunize networks from this vulnerability.

Establishing a schedule for periodically checking for firmware updates for devices susceptible to "phlashing' attacks and signing up for CERT bulletins would certainly be a good first step. Having proactive monitoring (such as a NOC) in place will help to quickly identify that an attack is under way. A well designed NOC will provide the NOC Techs with enough information to be able to identify the type of attack that is under way and may even have tools to stop or at least abate it. IMO, there is nothing worse than learning about IT outages from customers!

Having an independent consulting group such as Easyrider LAN Pro perform a security audit on your network will at least help to identify where you are most exposed. The first step in plugging vulnerability holes is first knowing where the holes are.

The easiest way to survive an attack is to plan for the attack well in advance. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route to the Internet (perhaps DSL) is not extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack. There are also products available that can simulate a DoS attack which can be helpful in testing your defense strategy.

Filtering is often ineffective, since the route to the filter will normally be swamped so that only a trickle of traffic will survive. However, by using a resilient stateful packet filter that will inexpensively drop any unwanted packets, surviving a DoS attack becomes somewhat easier. There are also firewalls, routers and switches available that offer some measure of resiliance against at least some modes of attack. But many DoS attacks are much too complext for common defense mechanisms like firewalls to handle. For an example, some firewalls do not know the difference between "good" packets and "bad" packets. So an attack on a web server would most likely sail right through most firewalls, switches and routers. In addition, even if a device drops the packet on the floor, doing so still consumes CPU cycles and network bandwidth. Checkpoint, Juniper and Cisco PIX are several that do have helpful DoS fighting features that "throttle" incoming traffic. However, these schemes usually just stop all incoming traffic once a DoS attack is detected. This protection method still denies service to legitimate users which is not always helpful as far as maintaining service availability is concerned.

Cybersecurity Act of 2009: The Government, which is seldom the source of solution but frequently is the source of problems (IMO) has come up with a very bush league (no pun intended) proposal for dealing with DDoS attacks -- pulling the plug on the Internet! President Obama would be able to effectively pull an Internet "kill switch" that would shut down all traffic on the Internet. The "sales pitch" in support of this legislation is that this would be akin to President Bush grounding all aircraft over the USA on 9/11.

It amazes me that Americans aren't screaming over this latest intended infringement on their rights... The so-called "Patriot Act" has already provided Government with virtually unfettered access to no-warrant-needed wiretaps and the ability to read people's e-mail at will. Even sending your e-mail encrypted does not protect your privacy since US law requires that the Government must be provided with the ability to decrypt any cypher scheme that exists. So you would need to assume that Government can and does read your e-mail even if you are using strong encryption PGP.

Yes, having an Internet "kill switch" will stop a DDoS. But so will pulling a computer's network patch cord out of it's NIC socket! Clearly, there is no one in the Obama Administration who knows much about how the Internet works. Perhaps the President should read my "No Network is 100% Secure" White Paper series...

What the Cybersecurity Act of 2009 would accomplish would be to impose an information blackout any time the President declared an "emergency". Without Internet access, American Citizens would depend on TV stations to provide information about any supposed "emergency".. and imposing a TV/cable/satellite blackout would be trivially more easy to impose compared to blacking out the Internet. Americans need to fear a Government that seeks to deny Citizens of their right to information. There's more, of course, but this is a white paper, not a rant. Suffice it to say that there are much more elegant solutions for dealing with DDoS attacks than taking bolt cutters to the networking infrastructure. Perhaps President Obama should think about hiring a professional network security consultant.....

The next step (and remember that you read it here first) will be a State controlled BotNet. ISPs would be forced to download Trojans to all connected machines (that is, to all PCs, MACs, etc. in the USA). This new BotNet could be energized to attack whatever "enemy" the President defined, during any "emergency" he declared. This would be ridiculously easy to implement and there would be no way for Americans to do anything to stop it. The Peoples Republic of China, which blocks access to many "Western" web sites, does not even have anything as Draconian as the proposed Cybersecurity Act of 2009! However, China does have a State sponsored BotNet called GhostNet that has been very effective at cyber-spying and DDoS attacks.

How many types of DoS attacks are there?: Providing detailed explanations about all of the many attack types that are out there is beyond the scope of this white paper. However, I will briefly outline some of the more common ones. Some DoS attacks include the execution of malware code. These variants are discussed in the virus white paper.

ICMP flood aka Smurf attack, Ping flood, and Ping of death. A smurf attack relies on misconfigured network devices that allow packets to be sent to the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually by directing hundreds and even thousands of "botnet" infected computers to coordinate an attack. It is very simple to launch. The primary requirement is having access to greater bandwidth than the victim.

SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets creates a connection request. The victim server spawns half-open connections, by sending back a TCP/SYN-ACK packet, and waiting for a response (that will never come) from the sender address. These half-open connections consume all of the available connections the server is able to make, preventing it from responding to legitimate requests until after the attack ends.

Peer-to-peer attacks Peer-to-peer attacks are different from regular botnet-based attacks. In this method, the attacker instructs clients of large peer-to-peer hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections/sec. With a moderate size peer-to-peer attack a site could potentially be hit with up to a million or more connections in a short order. While peer-to-peer attacks are easy to identify with signatures (assuming that logs are being actively monitored), the large number of IP addresses that need to be blocked means that this type of attack can overwhelm mitigation defenses. And even if a mitigation device can block all of the attacking IP addresses, there are other problems to consider. For example, there is a period of time after the connection is opened on the server side but before the signature itself comes through. Mitigation cannot start until the identifying signature can be detected and the connection torn down. And even just tearing down thousands of connections every second consumes resources that can significantly slow down service performance.

Reflected attack is a distributed denial of service attack (DDoS) that involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using IP spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. Many services can be exploited to act as reflectors. Some are harder to block than others.

Degradation-of-service attack "Pulsing" zombies are compromised computers that are directed to launch intermittent and short-lived floodings of victim websites with the intent of merely slowing it rather than crashing it. This type of attack, referred to as "degradation-of-service" rather than "denial-of-service", can be more difficult to detect than regular zombie invasions and can disrupt and hamper connection to websites for prolonged periods of time, potentially causing more damage than concentrated floods. Degradation-of-service attacks are complicated further because of teh difficulty in discerning whether the attacks really are attacks or just healthy and likely desired increases in website traffic.

Unintentional attack describes a situation where a website ends up denied, not due to a deliberate attack, but simply due to a sudden enormous spike in popularity.

Denial-of-Service Level II The goal of DoS L2 (possibly DDoS) attack is to cause a launching of a defense mechanism which blocks the network segment from which the attack originated. In case of distributed attack or IP header modification, this method may fully block the attacked network from Internet, but without system crash.

A few high visibility incidents:

The first major attack involving DNS servers as reflectors occurred in January 2001. The target was This attack, which forged requests for the MX records of (to amplify the attack) lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS records that were a year old at the time of the attack.

In February, 2001, the Irish Government's Department of Finance server was hit by a denial of service attack carried out as part of a student campaign from NUI Maynooth. The Department officially complained to the University authorities and a number of students were disciplined.

In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS related attacks, including an optimized form of a reflection attack.

On two occasions to date, attackers have performed DNS Backbone DDoS Attacks on the DNS root servers. Since these machines are intended to provide service to all Internet users, these two denial of service attacks might be classified as attempts to take down the entire Internet, though it is unclear what the attackers' true motivations were. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers. The second occurred in February 2007 and caused disruptions at two of the root servers.

In February 2007, more than 10,000 online game servers in games such as Return to Castle Wolfenstein, Halo, Counter-Strike and many others were attacked by "RUS" hacker group. The DDoS attack was made from more than a thousand computer units located in the republics of the former Soviet Union, mostly from Russia, Uzbekistan and Belarus. Minor attacks are still continuing to be made today.

In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack directed at Georgian government sites containing the message: "win+love+in+Rusia" effectively overloaded and shut down multiple Georgian servers. Websites targeted included the Web site of the Georgian president, Mikhail Saakashvili, rendered inoperable for 24 hours, and the National Bank of Georgia. While heavy suspicion was placed on Russia for orchestrating the attack through a proxy, the St. Petersburg-based criminal gang known as the Russian Business Network, or R.B.N, the Russian government denied the allegations, stating that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

August 12, 2009: Turns out Twitter, Facebook, and LiveJournal weren't the only sites hit hard by major distributed denial-of-service (DDoS) attacks late last week, and their attacks definitely weren't the biggest: More than 770 different DDoSes were spotted across the globe last Thursday.

One DDoS attack that took out a 3G mobile operator in Asia's Web portal was a powerful, 30 gigabit-per-second one. The 30-Gbps DDoS was unusually potent; most attacks average about 1 Gbps or less.

Of course there are hundreds of DDoS attacks on any given day. Then last week, the Twitterverse suffered tweet withdrawal when Twitter was knocked offline for several hours by an apparent targeted DDoS attack aimed at a pro-Georgian blogger with accounts on Twitter, Facebook, and LiveJournal. But while the DDoS grabbed the attention of mainstream media and users, it was really just one of hundreds of these attacks that occur each day.

DDoS attacks aren't sophisticated, nor are they stealthy. And most of the time, they're basically just used as short-term disruption attacks for protest purposes or sometimes as a means of extortion. It's really easy to launch these kinds of attacks. In fact, it's cheaper to build out a botnet to wage DDoS attacks than it is to beef up your infrastructure with the appropriate redundancy and capacity to defend against one. Configuring devices to combat a DDoS is a big challenge. Botnet operators who DDoS have plenty of unknowing and willing recruits they can use to flood Websites with bogus traffic. And it's difficult for researchers and investigators to root out the actual botnet behind a DDoS. Most times, the attack is over before IT can even start figuring out where the attacks are coming from.

And DDoS attacks typically aren't waged from the world's biggest botnets -- the hundreds of thousands-strong spamming zombie armies that are known for traditional spam, Trojans, and in some cases, identity theft. The July, 2009 attacks that hit the feds and South Korea, for instance, came from a botnet of about 35,000to 40,000 bots. And there are more than 1,000 botnets in reserve just waiting to DDoS. Some are there because someone likes to wreak havoc on some IRC Internet Relay Chat network. A lot just sit around idle. There is compelling evidence that these attackers regularly wage DDoSes. It's fairly obvious that these people are doing this daily, picking out sites to extort money from, because they are or mad at someone, or targeting a competitor. They just launch these attacks all the time. And many of these attacks go unreported.

The 100,000 to 300,000-strong spamming botnets, meanwhile, are typically reserved for more lucrative malware and spam-spreading campaigns. And it's a good thing they aren't DDoS'ing, since I'm not sure whose architecture could withstand a sustained attack from one of those 100,000- to 300,000-sized botnets.

It used to be that DDoS attacks were all about size and flooding a router or sapping bandwidth, but that is changing. Now these attacks are more focused on services and applications. Either way, DDoS attacks aren't going away, experts say. And the potential volume of these attacks shows how the Internet can't really be protected from them. It's not possible today to prevent or eliminate DDoS attacks, unfortunately.

About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.

Next in the security white paper series:

How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Conficker White Paper
Phishing White Paper
DNS Poisoning White Paper
SPAM White Paper
Best Practices White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper

Easyrider LAN Pro Consulting services:

Network Security Audit and PC Tune-up service

- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting

Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro