An attacker may only be interested in disabling services on your network. In this video, you’ll learn about many different forms of denial of service attacks.
A denial of service occurs when an attacker forces a service to fail. This is an intentional process where the attacker may be overloading a service so that no one else can gain access. Or the attacker may be taking advantage of a known vulnerability or design failure with that particular system. This is another reason why we always say to keep your systems always up to date with the latest patches.
There are also documented cases where an organization may create a denial of service against a third party for competitive advantage. If you can remove your competitor from the internet, then there is an obvious advantage to be had. And it may be that the denial of service is simply a distraction or smokescreen so that some other vulnerability can be exploited elsewhere in the organization. And although it’s true that sometimes this denial of service occurs because of a vulnerability in software, sometimes it’s a very easy process. For example, removing the power from a system is a very simple way to create a denial of service situation.
Sometimes, we create a denial of service to ourselves. This can be easily done if you aren’t paying attention. For example, you may be plugging in two switches to each other, and then you plug those two switches into each other again, which effectively creates a loop. And if you’re not running spanning tree, then you’ve probably brought down that particular part of the network, creating a denial of service.
You could also create a denial of service by simply downloading a file. For example, if you need to download a large Linux distribution, and all you have is a very small DSL line, you may be using all of the bandwidth that would normally be associated with your production applications. And I have worked for organizations where the water line was placed above the ceiling of the data center. And unfortunately, that water line broke. This certainly caused panic for everyone in the IT department. And it also caused a denial of service.
The attackers, though, don’t count on one single device to try to bring down an entire set of servers. Instead, they will use multiple devices located all over the world to create a Distributed Denial of Service, or DDoS. For example, they may use a large number of computers scattered all over the world to use up all of the bandwidth or resources associated with a web server, which would effectively cause this denial of service issue.
Obviously, the attacker is not sitting at the workstation of all of these devices that are located all over the world. Instead, they’ve put malware on these devices and created a series of botnets. These are robot networks that are under the control of the attacker. And the attacker can simply tell the botnet in one single command to attack a particular web server. As an example of just how prevalent this can be, the Zeus botnet had over 3.6 million computers under their control at their peak.
This allowed the owner of the botnet to attack any device or system they liked, all by sending a single command to their botnet. We sometimes refer to this as an asymmetric threat because the attacker has relatively few resources, and yet they can easily bring down organizations that have many more systems and much more bandwidth than they do.
The attackers have also found that they can create a much more efficient attack if they can send large amounts of data to these devices to bring them down even faster. And they have found ways to send small amounts of data that are then amplified into very large amounts of data to cause the denial of service. This process of reflecting and amplifying the traffic being sent over the network is possible because they’re taking advantage of internet services that are available to anyone.
You can see this amplification occur with certain protocols. For example, when you request information from an NTP server, you generally receive back more information than you requested. The same thing applies to DNS requests, ICMP requests, and other types of very common protocols. Here’s a very common example of DNS amplification. This is a DNS query. You can see the dig command. This dig command is sending an ANY query, requesting every record for a particular domain name. And the domain they’d like to find is isc.org.
So you’re sending very little information out, only 15 characters. But notice that the response that comes back is about 1,300 characters. So you’re effectively amplifying this by about 86 times. You can see how this might be appealing for an attacker, because they can use the DNS service, which is very common, send very little information into the DNS, and have the victim receive a large amount of information in return.
Here’s how this would work. You have a command and control for the botnet that is managed from a central facility. And of course, you have all of these infected systems around the world that make up the botnet. It’s also important for the attacker to find just the right DNS servers, the ones that are not properly configured or properly secured. These are open DNS resolvers. And there may be a number of these that the attacker can use located around the world.
This starts with the botnet command and control sending the command to the botnet to start the distributed denial of service attack. This is sent as a message that says: perform a query against the open DNS resolvers that are listed, and spoof the source address of that query so that the results are sent to a particular web server, the victim. This query is sent from all of the botnet devices to these DNS resolvers.
And of course, because this is amplification, the query that’s made is relatively small, but the results from the DNS resolver will be much larger. These DNS resolvers will send these responses to the web server IP address that was originally spoofed, effectively overwhelming it and causing the distributed denial of service attack.
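To make the two points above concrete from the defender’s side, here is an added example that is not part of the video or the course material. It assumes a list of flow-style records (direction, peer IP, peer port, payload bytes) as a network edge device might export them; the records and addresses are constructed for illustration. It computes the amplification factor the same way the dig example does (response size divided by request size), and it flags DNS responses arriving from UDP/53 that were never preceded by an outbound query from us, which is exactly what a victim of reflected DNS amplification sees.

```python
"""Spotting DNS reflection/amplification at the victim's edge.

Constructed example (not from the video). A record is
(direction, peer_ip, peer_port, payload_bytes), where direction is
"out" for traffic we sent and "in" for traffic we received.
"""
from collections import defaultdict

# Constructed flow records, not real captures.
SAMPLE_FLOWS = [
    ("out", "198.51.100.10", 53, 15),    # a query we really sent
    ("in",  "198.51.100.10", 53, 120),   # its normal-sized answer
    ("in",  "203.0.113.5",   53, 1300),  # answers we never asked for
    ("in",  "203.0.113.5",   53, 1300),
    ("in",  "203.0.113.7",   53, 1300),
    ("in",  "203.0.113.7",   53, 1300),
    ("in",  "203.0.113.7",   53, 1300),
    ("in",  "192.0.2.44",    443, 900),  # unrelated HTTPS traffic
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes received per byte sent; 15 -> 1300 is roughly 86x."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def unsolicited_dns_responses(flows):
    """Map peer_ip -> (count, total_bytes) for DNS answers with no prior query.

    A resolver we never queried has no business answering us; if it does,
    someone spoofed our address as the source of a query sent to it.
    """
    queried = {peer for d, peer, port, _ in flows if d == "out" and port == 53}
    seen = defaultdict(lambda: [0, 0])
    for d, peer, port, nbytes in flows:
        if d == "in" and port == 53 and peer not in queried:
            seen[peer][0] += 1
            seen[peer][1] += nbytes
    return {ip: (c, b) for ip, (c, b) in seen.items()}


def reflection_alerts(flows, min_responses=2, min_total_bytes=2000):
    """Return the reflector IPs that cross both thresholds, sorted by volume.

    Thresholds are assumed tuning knobs; real deployments would derive
    them from a baseline of normal DNS traffic.
    """
    hits = unsolicited_dns_responses(flows)
    flagged = [(ip, c, b) for ip, (c, b) in hits.items()
               if c >= min_responses and b >= min_total_bytes]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    print("amplification: %.1fx" % amplification_factor(15, 1300))
    for ip, count, total in reflection_alerts(SAMPLE_FLOWS):
        print("unsolicited DNS responses from %s: %d answers, %d bytes" % (ip, count, total))
```

The unsolicited-response check is the useful signal here: a normal resolver client only ever receives answers from resolvers it queried, so inbound UDP/53 answers from unknown sources, especially large ones, point at reflection. The same bookkeeping, run on the resolver side, would show the opposite symptom, many large answers going to one destination that never appears as a legitimate client, which is what an operator of an open resolver would want to watch for while closing recursion to unknown networks.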