Advanced Networking Management Lab (ANML) Distributed Denial of Service Attacks (DDoS) Resources
DDoS Case: Online Attacks Against GRC.COM; DoS Attack on a Check Point Firewall
Technical Information: SANS' DDoS Roadmap; CERT's DoS FAQ; Dave Dittrich's Homepage; DDoS Attacks/tools; CIAC; Astanetworks
Basics of DDoS

Terminology: The terminology used in DDoS analyses is often confusing. For clarity, we use the following:

Client - an application that can be used to initiate attacks by sending commands to other components; also called the attacker or intruder.
Daemon - a process running on an agent, responsible for receiving and carrying out commands issued by a client; also called bcast (broadcast program).
Handler - a host running a client; also called a master.
Agent - a host running a daemon; also called a zombie.
Victim - the target (a host or network) of a distributed attack.

DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. The attacker then installs DDoS software on them, which allows the attacker to control all of these compromised machines and launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

In order to carry out a DDoS attack, the attacker needs several hundred to several thousand compromised hosts. The hosts are usually Linux and Sun computers; however, the tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. It can be divided into the following steps:

1. A client finds one or more systems on the Internet that can be compromised and exploited. This is generally accomplished using a stolen account on a system with a large number of users and/or inattentive administrators, preferably one with a high-bandwidth connection to the Internet. The compromised system is loaded with any number of hacking and cracking tools, such as scanners, exploit tools, operating system detectors, rootkits, and DoS/DDoS programs. This system becomes the DDoS handler.

2. The handler scans large ranges of IP network address blocks to find hosts (on the order of 100,000 or more), gains access to those machines (usually called agents) by exploiting security holes, and plants the attack code. The attacker further takes steps to protect the code from discovery (by renaming the files, making them hidden, or placing them in system directories) and from deactivation (by instructing a system scheduler, such as Linux cron, to restart the code periodically). Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.

3. The attacker maintains a list of owned systems, that is, the compromised systems running the DDoS daemon. The actual denial of service attack phase occurs when the attacker runs a program at the handler system that communicates with the DDoS daemons to launch the attack.

In the early DDoS days, the IP addresses of handlers were hardcoded in the attack code, and handlers stored encrypted information about the available agents in a file. Thus the discovery of a single machine in a DDoS network revealed all other participants. More recently, Internet Relay Chat (IRC) channels have started being used for communication. The IRC server tracks the addresses of connected agents and handlers and facilitates communication between them. The discovery of a single participant leads to discovery of the communication channel, but the other participants' identities are protected.
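The persistence step described above (hiding the daemon by renaming it, dot-prefixing it or dropping it into system directories, and using cron to restart it periodically) is something a defender can audit for on a suspected agent. The following Python script is an added example and is not part of the original ANML page: it scans crontab text for entries that run a program from a hidden path or from a world-writable temporary directory, and additionally notes when such an entry fires at every boot or every few minutes. The sample crontab lines, including the paths in them, are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample crontab (not from the original page); every path here is made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/lib/.x/bcast >/dev/null 2>&1
@reboot /tmp/.hidden/td
30 6 * * 1 /home/alice/backup.sh
*/1 * * * * /dev/shm/.s/master
"""

# Directories any local user can write to; a daemon started from here deserves a look.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Matches "/.name" but not "/./" or "/../" path components.
HIDDEN_COMPONENT = re.compile(r"/\.(?!\.?(/|$))")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def _command_of(line: str) -> str:
    """Return the command part of a crontab entry (everything after the schedule)."""
    if line.startswith("@"):          # @reboot, @hourly, ... take a single schedule field
        parts = line.split(None, 1)
    else:
        parts = line.split(None, 5)   # five schedule fields, then the command
    return parts[-1] if len(parts) > 1 else ""


def _is_frequent(line: str) -> bool:
    """True for entries that run at boot or at least once every few minutes."""
    if line.startswith("@reboot"):
        return True
    minute = line.split(None, 1)[0]
    return minute == "*" or minute.startswith("*/")


def audit_crontab(text: str) -> List[Finding]:
    """Flag crontab entries whose program lives in a hidden or world-writable location."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = _command_of(line)
        prog = cmd.split()[0] if cmd else ""
        reasons = []
        if HIDDEN_COMPONENT.search(prog):
            reasons.append("hidden path component")
        if prog.startswith(SUSPICIOUS_DIRS):
            reasons.append("world-writable temp directory")
        # A frequent restart schedule on an already-suspicious program is the
        # "protect against deactivation" pattern described in the text.
        if reasons and _is_frequent(line):
            reasons.append("restarted frequently")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"{f.line}\n    -> {', '.join(f.reasons)}")
```

Run it against the output of `crontab -l` for each account and against the files under /etc/cron.d to get the same checks on a real host; the heuristics are deliberately narrow so that ordinary maintenance jobs such as the logrotate and backup lines above are not reported.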
Page developed by yinjin@indiana.edu, 107 S. Indiana Ave., Bloomington, IN 47405-7000, (812) 855-4810