Distributed Denial of Service (DDoS) Attacks Explained

Wednesday, December 22, 2010

Dan Dieterle


You may have heard about the DDoS attacks that have shut down many websites during the WikiLeaks kerfuffle. But what is a DDoS attack anyway?

Well, simply put, in a denial of service attack the attacker sends repeated messages to a target website with such frequency that the website cannot keep up and slows to a crawl, in effect taking it offline.

This works great against small websites, but larger websites are hosted on several computers and use round-robin DNS resolution, so that multiple machines appear as one site. These can handle a lot more traffic, so a different tactic is needed.

Attackers will usually use zombie machines that they have infected with a virus (also called ‘bots’) to work together to attack a single site. Sometimes hundreds or even thousands of systems are used in this manner. (Keep your system and anti-virus updated! :)

The website is hit with so many requests that it bogs down to the point where it can no longer respond. This is called a Distributed Denial of Service attack.

Most of the “hacktivists” involved with the WikiLeaks DDoS attacks are using these DDoS attacks to shut down each other’s websites.

The hacktivists are receiving a lot of flak from the computer security “experts” for using these old-style attacks. (Kind of doesn’t make sense, because they do seem to be working.)

There is, however, a newer and much more efficient method of denial of service attack called “Layer 7 DoS”. In this kind of attack, instead of flooding a server with thousands of packets, the web server application itself is attacked.

Partial requests are opened with the server but never finished, which leaves the server in a waiting state. It takes only a very few of these requests to bog down a server and take it offline.

In a Layer 7 denial of service attack, a single attacker could take almost any single website down at will. It literally acts like an on/off switch.
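The defensive counterpart to the waiting-state problem described above is to bound how long a server will wait for a request head to finish, and how many unfinished heads one client may hold open. The following Python model is an added example for this page, not code from the original article or from any web server; the policy values (10 s head deadline, 3 s idle gap, 8 KiB head limit, 5 pending heads per address) and the three simulated clients are constructed assumptions. Production servers implement the same idea in their request-read limits (Apache's mod_reqtimeout, for instance); the point here is to show which connection states a reaper has to distinguish.

```python
"""Model of a server-side guard against incomplete ("partial request")
HTTP heads. Example code added for this page; not from the article.
All timing values and sample connections below are constructed."""
from dataclasses import dataclass, field

HEADER_END = b"\r\n\r\n"  # end of an HTTP request head


@dataclass
class Conn:
    conn_id: int
    peer_ip: str
    opened_at: float       # seconds, from an injected clock
    last_data_at: float
    buf: bytes = b""
    head_complete: bool = False


@dataclass
class SlowRequestGuard:
    """Policy knobs; the defaults are illustrative assumptions."""
    head_deadline: float = 10.0      # total seconds allowed to finish a head
    idle_limit: float = 3.0          # max silence between fragments of a head
    max_head_bytes: int = 8192       # cap on bytes accepted before HEADER_END
    max_pending_per_ip: int = 5      # unfinished heads one address may hold
    conns: dict = field(default_factory=dict)

    def open(self, conn_id, peer_ip, now):
        self.conns[conn_id] = Conn(conn_id, peer_ip, now, now)

    def data(self, conn_id, chunk, now):
        c = self.conns.get(conn_id)
        if c is None:                 # already reaped; ignore late bytes
            return
        c.last_data_at = now
        c.buf += chunk
        if HEADER_END in c.buf:
            c.head_complete = True

    def reap(self, now):
        """Close connections that violate the policy; return {id: reason}."""
        victims = {}
        pending_by_ip = {}
        for c in self.conns.values():
            if c.head_complete:       # a real request; handled elsewhere
                continue
            if len(c.buf) > self.max_head_bytes:
                victims[c.conn_id] = "head too large"
            elif now - c.opened_at > self.head_deadline:
                victims[c.conn_id] = "head deadline exceeded"
            elif now - c.last_data_at > self.idle_limit:
                victims[c.conn_id] = "idle mid-request"
            else:
                pending_by_ip.setdefault(c.peer_ip, []).append(c)
        # Per-address cap: keep the oldest N unfinished heads, drop the rest.
        for ip, pend in pending_by_ip.items():
            if len(pend) > self.max_pending_per_ip:
                pend.sort(key=lambda c: c.opened_at)
                for c in pend[self.max_pending_per_ip:]:
                    victims[c.conn_id] = f"too many pending heads from {ip}"
        for cid in victims:
            del self.conns[cid]
        return victims


def demo():
    """Constructed scenario: one normal client, one client that drips a
    header line every 2 s, and one address holding 8 unfinished heads."""
    g = SlowRequestGuard()
    g.open(1, "10.0.0.1", 0.0)
    g.data(1, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", 0.1)
    g.open(2, "10.0.0.2", 0.0)
    g.data(2, b"GET / HTTP/1.1\r\n", 0.0)
    for cid in range(3, 11):
        g.open(cid, "10.0.0.3", 0.0)
        g.data(cid, b"GET / HTTP/1.1\r\n", 0.0)
    r1 = g.reap(1.0)                  # per-IP cap trips for 10.0.0.3
    for t in (2.0, 4.0):
        g.data(2, b"X-a: b\r\n", t)   # stays under the idle limit
    r2 = g.reap(4.5)                  # remaining 10.0.0.3 heads went idle
    for t in (6.0, 8.0, 10.0):
        g.data(2, b"X-a: b\r\n", t)
    r3 = g.reap(10.5)                 # dripper hits the total head deadline
    return r1, r2, r3, sorted(g.conns)


if __name__ == "__main__":
    for label, result in zip(("t=1.0", "t=4.5", "t=10.5", "left"), demo()):
        print(label, result)
```

The idle limit alone does not stop a client that sends one header line every couple of seconds; only the total head deadline does, which is why the guard needs both clocks. The per-address cap is the blunt instrument and is the first to hurt legitimate clients behind a shared NAT, so its value wants tuning against real traffic.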

The Jester used a program he created called “Xerxes” to take WikiLeaks offline on the first day of the latest release. I have seen a different Layer 7 DoS program run, and it is brutally effective.

The scary part is that these have existed for quite a while now, and because they attack a function of web servers, neither Apache nor Microsoft has moved to fix them. That is the official word, though; to truly fix the issue would probably require major rewrites, and they are not willing to do that at this point.

You will probably see these issues addressed in the next releases of Apache and IIS.

This is a copy of an article I did for the iElmira.com tech forum.

Cross-posted from Cyber Arms.

Fred Williams: Interesting post, as I keep thinking every time I hear about a DoS attack in the news, why haven't we been able to thwart DoS attacks? They have been around forever. But your point about the "new" style of DoS attacks is the key. As I was researching Layer 7, I found two instances: HTTP GET DoS made famous by RSnake with Slowloris, and the new slow request bodies. It seems that IIS can already handle the HTTP GET by setting a timeout threshold and Apache can handle it using a certain module. However, the HTTP POST attack is the most difficult. Both Microsoft and Apache recognize the flaw but consider it a flaw in the protocol.

OWASP has released a tool designed to test against the HTTP POST attack.

I would imagine that Xerxes could most likely be a version of the HTTP POST attack, since Jester can disable a site by himself (or herself).

Crazy stuff.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
