Most Common Forms of DDoS Attacks

By Unknown Wednesday, April 2, 2014
Black Lotus delivers award winning DDoS protection ranging from full network defense to website and server protection, 24/7/365. Learn more by visiting http://www.blacklotus.net or call (866) 477-5554.

By Jerry Whitehead III, re-posted by Jeffrey Lyon


While they share some basic tenets, DDoS attacks are extremely varied in their details.

Although it’s honestly one of my least favorite sayings as an animal lover, there are indeed many ways to skin a cat. There are also many ways to take down a website or network of sites with Distributed Denial of Service (DDoS) attacks. The goal is always the same – to overload the target with bandwidth and data to the point where it can no longer accept any more, rendering it offline and denying its services to its users.

But as technology has advanced and new methodologies and tricks are shared among the hacktivist circles, the ways in which a DDoS attack can be executed are numerous and varied. We’ll take a look at several of the most popular in this blog entry, and give a brief explanation of how exactly they are carried out.

ICMP Flood


This is one of the oldest types of DDoS attacks in existence. ICMP stands for Internet Control Message Protocol, one of the foundational sets of rules that dictate how the Internet as we know it operates. That larger set of rules is known as the Internet Protocol Suite (or IP), and many of the following types of DDoS attacks take advantage of other parts of it. ICMP is one of the simplest ways for computers on a shared network to send each other units of information, known as packets. It is mostly used for internal diagnostics and error messages rather than for users on a network to communicate, but savvy hackers as far back as 1989 realized that if they could break into a network, they could very quickly overload a system by flooding the server with ICMP packets. An automated ping flood can send enough packets to quickly max out a network’s bandwidth and render it inoperable.

UDP Flood


As you might have guessed from the name, this is very similar to the ICMP flood method. UDP (User Datagram Protocol, another part of IP) flooding also involves attempting to overload a network with data packets, but packets sent via UDP prompt the host to send back an ICMP packet, which consumes both inbound and outbound bandwidth. Also similar to ICMP flooding is the fact that UDP requires no acknowledgement from the server to make a connection (unlike TCP, whose “handshake” does require one). While this has advantages in certain applications, it is a definite drawback in terms of DDoS protection, since the server is not required to authenticate inbound UDP packets in any way: it simply receives them and sends back an ICMP packet (the type of which depends on the type of UDP packet).

SYN Flood


This is where the “handshake” comes into play. Transmission Control Protocol (TCP) is yet another part of IP and is one of the most commonly used methods of transmitting data on the Internet; it is used for nearly every email and web page loaded in the world. What makes it so common is its reliability, and part of that comes from what’s known as the Three Way Handshake. When a client attempts to make a connection, it sends a SYN (SYNCHRONIZE) message. The server then responds with a SYN-ACK (SYNCHRONIZE-ACKNOWLEDGE) message. The client then replies to the SYN-ACK with an ACK (ACKNOWLEDGE) message, and the connection is established. A SYN Flood attack takes advantage of this extra step in the handshake by flooding the server with SYN messages: the host replies with SYN-ACK messages, but the senders never respond with ACK messages. The server waits for those ACKs for a designated period of time, during which even more SYN messages are coming in. It doesn’t take long for the connection table to fill up, at which point legitimate users are unable to establish new connections.

Ping of Death


Although nowhere near as common today thanks to updates to the TCP/IP stack, in the mid to late 90s the Ping of Death was a force to be reckoned with. Pings are packets of data sent along a network to allow connected machines to communicate. Due to limited network bandwidth in the early days of the Internet, the maximum size of a ping was 65,535 bytes, which was more than enough for basic error messages and network diagnostics. When a ping of 65,536 bytes or larger was sent through a network, it would usually be fragmented and sent in pieces. When it reached its destination and was reassembled, however, it was larger than the allowable size and would crash the target offline. With stronger checks in the reassembly procedure, the Ping of Death is rarely a problem anymore; rather than focus on the size of pings, modern DDoS attacks send numerous smaller pings instead.

Reflected Attacks


If you follow technology and computer security circles (and odds are good that you do if you’re reading this blog), you’re aware of the truly massive size of recent DDoS attacks that have targeted sites like Spamhaus, Meetup, and more. These attacks have sent upwards of 400 gigabytes per second to their target, an unprecedented amount of data. The big ones recently have been various types of reflected attacks. In essence, a reflected attack sends phony request packets to as many computers as possible, but instead of carrying the real source address, the phony packets all carry the IP address of the targeted victim as their source. When those computers receive the forged packets, they all send their replies to the target. When a few skilled hackers control thousands of machines each and point them all at a single target, the results can be disastrous.

One of the most recent forms of these reflected attacks has been the Network Time Protocol (NTP) variety. NTP is another part of IP that allows computers to connect to a specified server to accurately set their internal clocks. This is great when you don’t want to set your clock manually, but NTP has a feature that allows a very small request to be answered by the host with a list of the last 600 machines the server has set clocks for. As you can imagine, that reply is MUCH larger than the initial request, which makes it ripe for DDoS attackers. Overload a server with that specific type of NTP request and the outbound reply data will quickly overload the network.
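The SYN flood and NTP reflection patterns described above can both be spotted from the defender's side in plain flow records. The following script is an added example, not code from the original post or from Black Lotus: it runs two detection rules over constructed packet summaries (documentation addresses, hypothetical victim, assumed thresholds) and flags a host that is collecting half-open SYNs and a host that is receiving large NTP replies it never asked for.

```python
from collections import defaultdict

def pkt(src, dst, proto, sport, dport, flags="", size=60):
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=flags, size=size)

VICTIM = "203.0.113.10"  # hypothetical protected server (documentation address)
SAMPLE = (  # constructed packet summaries, not captured traffic
    # A legitimate client: SYN, then the ACK that completes the handshake.
    [pkt("198.51.100.7", VICTIM, "tcp", 40000, 80, "S"), pkt("198.51.100.7", VICTIM, "tcp", 40000, 80, "A", 52)]
    # Forty sources that send SYN and never ACK: the half-open backlog grows.
    + [pkt(f"192.0.2.{i}", VICTIM, "tcp", 1024 + i, 80, "S") for i in range(1, 41)]
    # A normal NTP exchange: the victim queries a server and gets a small reply.
    + [pkt(VICTIM, "198.51.100.123", "udp", 50000, 123, size=76), pkt("198.51.100.123", VICTIM, "udp", 123, 50000, size=76)]
    # Thirty large NTP replies from servers the victim never queried: reflection.
    + [pkt(f"192.0.2.{100 + i}", VICTIM, "udp", 123, 123, size=482) for i in range(30)]
)

def syn_flood_suspects(records, min_sources=20, max_completion=0.2):
    """Destinations where most SYN senders never send an ACK -> {dst: completion ratio}."""
    syn_src, ack_src = defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and "S" in r["flags"] and "A" not in r["flags"]:
            syn_src[r["dst"]].add(r["src"])          # a new half-open attempt
        elif r["proto"] == "tcp" and "A" in r["flags"]:
            ack_src[r["dst"]].add(r["src"])          # this source did complete a handshake
    suspects = {}
    for dst, sources in syn_src.items():
        completion = len(sources & ack_src[dst]) / len(sources)
        if len(sources) >= min_sources and completion <= max_completion:
            suspects[dst] = round(completion, 2)
    return suspects

def ntp_reflection_suspects(records, min_reflectors=10):
    """Hosts receiving NTP replies from many servers they never queried -> {host: (count, bytes)}."""
    queried = defaultdict(set)   # client -> servers it actually sent queries to
    replies = defaultdict(dict)  # host -> {server: bytes of replies received}
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 123 and r["sport"] != 123:   # outbound client query
            queried[r["src"]].add(r["dst"])
        elif r["proto"] == "udp" and r["sport"] == 123:                       # reply from an NTP server
            replies[r["dst"]][r["src"]] = replies[r["dst"]].get(r["src"], 0) + r["size"]
    suspects = {}
    for host, servers in replies.items():
        unsolicited = {s: b for s, b in servers.items() if s not in queried[host]}
        if len(unsolicited) >= min_reflectors:
            suspects[host] = (len(unsolicited), sum(unsolicited.values()))
    return suspects
```

On the sample the SYN rule reports the victim with a 2% handshake completion ratio, and the NTP rule reports 30 unsolicited reflectors delivering 14,460 bytes; in practice the same logic runs over NetFlow or pcap summaries with thresholds tuned to the site's baseline.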

These are just a handful of the types of DDoS attacks hackers and cyber criminals have at their disposal (we’ll look to do a part two of this soon). With so many rules and sections of the Internet Protocol Suite, there are bound to be loopholes that can be exploited. DDoS protection is now a necessity for any business or website that doesn’t want to fall victim to lengthy outages; as these attacks become bigger and more sophisticated, it’s never been more crucial to be protected.