2.3. Behind the Scenes

How do DoS attacks work? As mentioned in Chapter 1, there are two main approaches to denying a service: exploiting a vulnerability present on the target or sending a vast number of seemingly legitimate messages. The first kind of an attack is usually called a vulnerability attack, while the second is called a flooding attack.

Vulnerability attacks work by sending a few specifically crafted messages to the target application that possesses a vulnerability. This vulnerability is usually a software bug in the implementation or a bug in a default configuration of a given service. Malicious messages by the attacker represent an unexpected input that the application programmer did not foresee. The messages cause the target application to go into an infinite loop; to severely slow down, crash, freeze, or reboot a machine; or to consume a vast amount of memory and deny service to legitimate users. This process is called exploiting a vulnerability, and the malicious messages are called the exploit. In some cases, vulnerabilities of this kind can be exploited in the operating system, a common piece of middleware, or in a network protocol, as well as in application programs.^[1] While it is impossible to detect all vulnerabilities, it can also be quite hard to find new exploits. This means that each vulnerability that is detected and patched is a large gain and a sure step ahead for the defenders.

^[1] For example, some implementations of the 802.11 wireless access protocol have a vulnerability that allows an attack to deny service selectively to one user in the wireless network or promiscuously to all of them. In effect, the attacker can send a packet to the wireless access point that claims to be from another user and that indicates that the user is finished and essentially wants to "hang up" [BS03]. The wireless access point then no longer recognizes communications from the targeted user. That user can reestablish communications with the access point, but the attacker can shut it down again in the same way.

Flooding attacks work by sending a vast number of messages whose processing consumes some key resource at the target. For instance, complex messages may require lengthy processing that takes up CPU cycles, large messages take up bandwidth, and messages that initiate communication with new clients take up memory. Once the key resource is tied up by the attack, legitimate users cannot receive service. The crucial feature of flooding attacks is that their strength lies in the volume, rather than in content. This has two major implications:

1. The attackers can send a variety of packets. The attack traffic can be made arbitrarily similar to the legitimate traffic, which greatly hinders defense.

2. The flow of traffic must be so large as to consume the target's resources. The attacker usually has to engage more than one machine to send out the attack traffic. Flooding attacks are therefore commonly DDoS attacks.

The simplest form of a DDoS attack is merely to send a very large quantity of messages, divided into packets, to a service on the victim machine. Unless something between the attacking machines and the victim drops those request packets, the victim will spend resources attempting to receive and properly handle them. If there are enough of these packets, all of the machine's resources will be spent trying to handle packets that have no value.

Another DDoS option is to attack the victim's network interface. If the network card in the victim's machine can handle only 10 Mbps of traffic, then an attacker needs to merely generate 10 or more Mbps of any deliverable IP packets and send them to the victim. Again assuming that no other entity drops those packets before they reach the victim's interface, they will easily exhaust its network resources and also create a sizable congestion on the path to the victim. If there are a few legitimate packets in addition to the large flood of attack packets, they are unlikely to receive service.

The attacker can also target the local network that attaches the victim to the Internet. If the attacker knows that the victim is attached to a 1-Gbps network segment, then she can send enough packets to the victim or other nodes on the segment to overwhelm it. Most networks become unusable as the traffic offered to them approaches their rated capacity, so little or no legitimate traffic will get through to the victim. In this form of DDoS attack, all of the other nodes on the network segment will similarly suffer. This example illustrates a curious property of DDoS: The damage is inflicted not only on the victim, but also on its legitimate users (who cannot get the service) and anyone else who shares the critical resource. For instance, the attacker may target a network that has the same ISP as you. If the amount of attack traffic is sufficiently high, your services may also be denied.

The above attacks are all based on large volumes of traffic. The attacker can sometimes perpetrate an effective flooding attack with much smaller volumes. If the victim has some service running that requires more time to process a remote request than it takes to generate that request, or that ties up a scarce resource on the server, the attacker can make use of this asymmetry. Even short or infrequent bursts of malicious traffic will effectively tie up the critical resource. A common example is the TCP SYN flood attack, described in detail in Chapter 4. The attacker floods the victim with TCP SYN packets, which are usually used to initiate new communication. The victim reserves some memory in a limited-size buffer for each new communication request, while the attacker can send out those requests without any memory cost. This asymmetry helps the attacker disable any new communication during the attack, while sending very few TCP SYN packets.

This discussion illustrates the fact that the line between vulnerability and flooding attacks is thin, and many attacks may well fall into both the vulnerability and flooding categories.

2.3.1. Recruiting and Controlling Attacking Machines

DDoS attacks require engagement of multiple machines, which will be sending the attack traffic to the victim. Those machines do not belong to the attacker. They are usually poorly secured systems at universities, companies, and homes even at government institutions. The attacker breaks into them, takes full control, and misuses them for the attack. Therefore, the attacking machines are frequently called zombies, daemons, slaves, or agents. In this book we use the term agents.

How does the attacker gain control over machines that belong to others? The agents are usually poorly secured machines they do not have recent patches and software updates, they are not protected by a firewall or other security devices, or their users have easily guessed passwords. The attacker takes advantage of these well-known holes to break in. Unpatched and old software has well-known vulnerabilities with already-written exploits. These belong to a specific kind of vulnerabilities once exploited, they allow the attacker unlimited access to the system, as if he had an administrator's account. Accounts with easily guessed passwords, such as combinations of users' names or dictionary words, allow another easy way into the machine. There are several password-guessing tools that will quickly reveal if any of the accounts on a system have weak passwords.^[2] For example, Phatbot will attempt to connect and log in to Windows hosts using a set of several dozen very commonly chosen passwords. Even if these programs find accounts that do not have administrator privileges, this access can still be misused for a DDoS attack or, by exploiting other vulnerabilities, can elevate privileges to the administrator level.

^[2] A weak password is one that is easily guessed, by either a human guesser or an automated program that tries many possible passwords, such as all very short passwords, all the words in the dictionary, or the most commonly used men's and women's names.

Once the attacker has gained control of the host, she installs the DDoS attack agent and makes sure that all traces of the intrusion are well hidden and that the code runs even after the machine is rebooted.

DDoS attacks frequently involve hundreds or thousands of agents. It would be tedious and time consuming if the attacker had to manually break into each of them. Instead, there are automated tools that discover potential agent machines, break into them, and install the attack code upon a single command from an attacker, and report success back to her. Such tools can easily be downloaded from the Web or acquired from Internet chat channels. In addition to recruiting the collection of agents, automated tools also facilitate the control of this network by keeping track of the agents and providing easy ways of delivering commands to all of them at once. The attacker needs only to issue a single command and have all agents start the flood to the given victim.

2.3.2. Hiding

The attacker further hides her identity by deploying several layers of indirection between her machine and the agents. She uses one or several machines that deliver her commands to the agents. These machines are called handlers or masters. In this book we use the term handlers. Figure 2.1 illustrates this handler/agent architecture.

Another layer of indirection consists of the attacker's logging on to several machines in sequence, before accessing the handlers. These intermediary machines between the attacker's machine and the handlers are called the stepping stones, and are illustrated in Figure 2.2.

Both handlers and stepping stones are used to hinder investigation attempts. If authorities located and examined an agent machine, all its communication would point to one of the handlers. Further examination of the handler would point to a stepping stone, and from there to another stepping stone. If stepping stones are selected from different countries and continents (and they usually are), it becomes very difficult to follow the trail back to the attacker's machine and unveil her identity.

Another means of obscuring the attack is through the use of IP spoofing. Each packet in the Internet carries some control information preceding the data an IP header. One field in the IP header specifies the address of the sender the source IP field. This information is filled in by the machine that sends the packet (an action similar to putting a return address on a letter), and is used by the destination, or the routers on the path to the destination, to send replies back to the source. Attackers commonly forge this field to achieve impunity for the attacks and hinder the discovery of agent machines. IP spoofing also greatly complicates some DDoS defense approaches that rely on a source address for differentiation between legitimate clients and attackers. With IP spoofing, an attacker easily assumes the identity of a legitimate client or even several of them.

2.3.3. Misusing Legitimate Services

IP spoofing creates an opportunity for fooling noncompromised and otherwise perfectly secure machines into participating in a DDoS attack. The attacker chooses a publicly available service or protocol, such as the Domain Name System (DNS), Web, or ping, and sends service requests to many such servers, forging the source address of the victim. Servers then reply back to the victim, and this flood of replies creates denial of service. This type of attack is called a reflection attack, and the servers participating in it are called reflectors. Of special interest to the attacker are services that can generate lengthy or numerous replies for a few short requests. This is called amplification, and it enables the attacker to create a DoS effect with a few small packets.