Some attackers would like your servers and networks to fail. In this video, you’ll learn about denial of service and how DoS amplification can be used to bring down a system with minimal resources.
A denial of service is an action or series of actions that causes a service to fail. Often it is an overloading of a system: legitimate users cannot reach it because no resources are left on that particular system. For example, if someone were to overwhelm the capabilities of a server, that would certainly make the server unavailable and, therefore, cause a denial of service. Sometimes an attacker will instead find a vulnerability in an operating system or an application that, when triggered, causes that service to become unavailable.
In those cases, they can pinpoint that particular weakness and cause the entire system to fail relatively easily. This is one of the reasons that we often say you should keep your system up to date with the latest security patches, so you don’t find yourself being taken advantage of by one of these vulnerabilities. When the denial of service is underway, that system is no longer available, which would be perfect for your competitors. And there have been times when the competition has been identified as the organization causing the denial of service to begin with.
Sometimes this denial of service is a distraction. In reality, the attackers are going after a different part of the network, but by bringing down this one particular server, all of your troubleshooting resources are now spending their time on this server rather than the other parts of the network that could be under attack. And of course, a denial of service does not have to be complicated. Someone could walk into the side of your building, pull the main power for your entire facility, and then you would have an enormous denial of service.
Many times a denial of service is caused by a third party, but it's very easy to create a denial of service situation yourself by accident. For example, if you connect switches to each other with redundant links and you are not running Spanning Tree Protocol (STP), you have created a loop on the network. A single broadcast frame will circulate around that loop indefinitely, with each switch forwarding it out every other port, so more and more traffic traverses the network, and very quickly the capacity of those switches is completely overwhelmed.
If your internet connection has limited bandwidth, then simply downloading a single Linux distribution could effectively cause a denial of service for anyone that needed to use that internet connection. You also have to think about the physical environment where your data center resides. Something as simple as a water leak or a leak from the roof could cause an entire section of the data center to become unavailable. Unfortunately, a large percentage of denial of service situations are caused by multiple devices, all acting in unison to cause this denial of service situation.
We refer to this as a distributed denial of service or a DDoS. For example, a single botnet may be able to take over millions of personal computers and have all of those devices direct all of their traffic towards one single server on the internet. This type of coordinated attack from multiple devices that may be located anywhere in the world is a very common form of a distributed denial of service attack. And in that particular case, devices with very limited access to the internet could still manage to bring down systems with many more resources available.
We refer to this as an asymmetric threat because the attacker has so few resources, and yet they're able to disrupt and bring down systems with many, many more resources. The attackers have also found ways to make their job much easier when they're attacking someone with a denial of service. This is called DDoS reflection and amplification. With this attack, the attacker sends a small request to third-party servers on the internet with the victim's address forged as the source, and those servers reflect a much larger amount of traffic back at the victim's device.
Since this doesn’t require many resources for the attacker, it’s become a very popular way to overwhelm the capabilities of a particular remote host. The attackers have effectively taken the systems and protocols that we use every day and turned all of those against us. Protocols such as the Network Time Protocol, Domain Name System, or the Internet Control Message Protocol can all be used to amplify the messages that are sent to the victim’s computer. Let’s take a look at what this amplification looks like before the attack actually occurs.
A typical DNS query is one where a device asks a server for the IP address that belongs to a name. It's a relatively low-bandwidth exchange, and very little information is normally transferred. But a DNS server also holds records that return much more information than simply an IP address. Here's an example of what this looks like. We're running dig with the ANY query type against the name isc.org. And instead of simply receiving an IP address in return, we're getting the DNSKEY records stored in that zone.
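To make the size difference concrete, here is an added example (not from the video) that builds the wire-format query dig sends for ANY isc.org and a constructed response carrying DNSKEY and RRSIG records. The key and signature bytes are zero-filled placeholders of realistic length, not isc.org's real records, and the 4096-byte EDNS0 buffer size is an assumption. It also shows why attackers always send EDNS0 queries: without one, a responder may not send more than 512 bytes over UDP.

```python
"""Wire-level view of DNS amplification: the query dig sends for "ANY isc.org"
against a large DNSKEY/RRSIG answer. Added example; the key and signature bytes
are zero-filled placeholders of realistic length, not isc.org's real records."""
import struct
from typing import List, Optional

QTYPE_OPT, QTYPE_RRSIG, QTYPE_DNSKEY, QTYPE_ANY = 41, 46, 48, 255
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    name = name.rstrip(".")
    if not name:                      # the root name is a single zero byte
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_opt(udp_payload_size: int) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, type 41, and the CLASS field carries
    the UDP buffer size the sender is willing to accept. 11 bytes on the wire."""
    return encode_name(".") + struct.pack("!HHIH", QTYPE_OPT, udp_payload_size, 0, 0)


def build_query(name: str, qtype: int = QTYPE_ANY, edns_udp_size: Optional[int] = 4096,
                txid: int = 0x1234) -> bytes:
    """12-byte header (RD=1, QDCOUNT=1) + question, plus an OPT record if EDNS0 is used."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + (build_opt(edns_udp_size) if edns_udp_size else b"")


def build_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Resource record: owner name, type, class, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def dnskey_rdata(flags: int, rsa_modulus_bytes: int, algorithm: int = 8) -> bytes:
    """DNSKEY RDATA (RFC 4034): flags, protocol=3, algorithm, public key. For RSA the key
    is exponent-length, exponent, modulus (RFC 3110); the modulus is a placeholder here."""
    exponent = b"\x03\x01\x00\x01"    # length byte + 65537
    return struct.pack("!HBB", flags, 3, algorithm) + exponent + b"\x00" * rsa_modulus_bytes


def rrsig_rdata(type_covered: int, signer: str, sig_len: int) -> bytes:
    """RRSIG RDATA (RFC 4034): 18 fixed bytes, signer name, signature (placeholder bytes)."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 2, 7200, 0, 0, 0)
    return fixed + encode_name(signer) + b"\x00" * sig_len


def build_response(name: str, qtype: int, answers: List[bytes], txid: int = 0x1234,
                   udp_payload_size: int = 4096) -> bytes:
    """Echo the question back with QR/RD/RA set, append the answers and an OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answers) + build_opt(udp_payload_size)


def udp_limit(query: bytes) -> int:
    """Largest UDP response the responder may send: 512 bytes unless the query's OPT
    record advertised more. Bigger answers get truncated (TC=1) instead of amplified.
    Assumes the OPT record, when present, is the last thing in the query."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return 512
    return struct.unpack("!H", query[-8:-6])[0]     # CLASS field of the trailing OPT


def amplification(query: bytes, response: bytes):
    """(bytes the attacker sends, bytes the victim receives after the UDP cap, ratio)."""
    delivered = min(len(response), udp_limit(query))
    return len(query), delivered, delivered / len(query)


def isc_org_any_demo(edns_udp_size: Optional[int] = 4096):
    """One 'ANY isc.org' exchange against a constructed DNSKEY + RRSIG answer set."""
    zone = "isc.org"
    query = build_query(zone, QTYPE_ANY, edns_udp_size)
    answers = [
        build_rr(zone, QTYPE_DNSKEY, 7200, dnskey_rdata(257, 256)),   # 2048-bit KSK, constructed
        build_rr(zone, QTYPE_DNSKEY, 7200, dnskey_rdata(256, 128)),   # 1024-bit ZSK, constructed
        build_rr(zone, QTYPE_RRSIG, 7200, rrsig_rdata(QTYPE_DNSKEY, zone, 256)),
    ]
    response = build_response(zone, QTYPE_ANY, answers)
    return amplification(query, response)


if __name__ == "__main__":
    for size in (4096, None):
        sent, received, factor = isc_org_any_demo(size)
        print(f"EDNS0 buffer {size}: query {sent} B -> delivered {received} B, x{factor:.1f}")
```

Two things worth noticing when you run it: the constructed response is only 776 bytes, yet without EDNS0 it already exceeds the classic 512-byte UDP limit, so a plain query would be truncated; and the real isc.org ANY answer of that era was several times larger, which is why it was the textbook reflector. Many authoritative servers and resolvers now return deliberately minimal answers to ANY queries (RFC 8482), so this exact query amplifies far less today, though other record types and other protocols still do.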
The DNSKEY records returned by this query hold the public keys that DNSSEC validators use to verify the digital signatures (RRSIG records) on the zone's data, which is why they are so large. But in this case, the attackers are using this large amount of information simply to amplify the traffic that's being sent to the victim's machine. Here's how a distributed denial of service would look when you're using DNS amplification. It starts with a botnet command and control. This is the device that is managing the process of the distributed denial of service. But that single device needs to enlist other machines that can add to the total amount of traffic.
And the command and control machine is using a botnet to provide those additional hosts. This botnet is connected to the internet, where there are also DNS resolvers that are open and available for anyone to query. Also on the internet connection is the web server that will be the victim of this distributed denial of service. The command and control device sends a message to the botnet, telling them to send that DNS query to one of these open DNS resolvers. The botnet sends this relatively small query to the DNS resolvers, and as we’ve already seen, the response to that query is a much larger amount of information.
The botnet devices are forging the victim's address as the source of these requests, so the responses go to the web server instead of back to the bots. And since so much information has now been amplified, it overwhelms all of the resources available on that web server, and the system has become the victim of a distributed denial of service. This amplification process has effectively taken a query that was 28 bytes in length and turned it into a 1,300-byte response, roughly a 46-to-1 amplification. This makes it very easy for these attackers to quickly overwhelm remote devices on the internet.
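The exchange just described, played out as a packet trace and then checked from the victim's side, as an added example that is not part of the original video. Addresses are constructed from the RFC 5737 documentation ranges and the bot, resolver and victim roles are assumed; the 28-byte query and 1,300-byte response sizes are the figures from the text.

```python
"""DNS reflection as a packet trace: bots send small queries with the victim's address
forged as the source, open resolvers answer the victim, and a sensor at the victim's
border spots DNS responses the victim never asked for. Added example with constructed
addresses (RFC 5737 ranges) and the 28-byte / 1,300-byte sizes from the text."""
from collections import defaultdict
from dataclasses import dataclass

QUERY_LEN, RESPONSE_LEN = 28, 1300      # sizes quoted in the text for the ANY query


@dataclass(frozen=True)
class Packet:
    src: str        # source address as written in the IP header (may be forged)
    sport: int
    dst: str
    dport: int
    length: int


def open_resolver_reply(query: Packet) -> Packet:
    """An open resolver answers whatever address sits in the query's source field.
    UDP has no handshake, so it cannot tell a forged source from a real one."""
    return Packet(src=query.dst, sport=53, dst=query.src, dport=query.sport, length=RESPONSE_LEN)


def run_attack(bots, resolvers, victim, queries_per_bot):
    """C2 tells each bot to query every open resolver with src forged to the victim.
    Returns (emitter, packet) pairs: the emitter is the host that actually put the
    packet on the wire, which for a forged query is the bot, not the 'victim' in src."""
    trace, seq = [], 0
    for bot in bots:
        for resolver in resolvers:
            for _ in range(queries_per_bot):
                q = Packet(src=victim, sport=10000 + seq, dst=resolver, dport=53, length=QUERY_LEN)
                seq += 1
                trace.append((bot, q))                               # bot's own address never appears in q
                trace.append((resolver, open_resolver_reply(q)))     # reflected and amplified to the victim
    return trace


def attack_economics(trace, bots, victim):
    """Bytes the bots had to send versus bytes that land on the victim, and the ratio."""
    sent = sum(p.length for e, p in trace if e in bots)
    received = sum(p.length for _, p in trace if p.dst == victim)
    return sent, received, received / sent


def victim_edge_view(trace, victim):
    """What a sensor at the victim's border sees: packets the victim itself emitted and
    packets addressed to it. Forged queries emitted elsewhere never cross this border."""
    return [(e, p) for e, p in trace if e == victim or p.dst == victim]


def unsolicited_dns_responses(edge_trace, protected_host):
    """Detection rule: a DNS response (sport 53) to the protected host with no matching
    outbound query (same resolver, same client port) is a reflected packet.
    Returns unsolicited bytes per reflecting resolver."""
    outstanding = set()
    per_reflector = defaultdict(int)
    for emitter, p in edge_trace:
        if emitter == protected_host and p.dport == 53:
            outstanding.add((p.dst, p.sport))
        elif p.dst == protected_host and p.sport == 53:
            key = (p.src, p.dport)
            if key in outstanding:
                outstanding.discard(key)            # a reply the host really asked for
            else:
                per_reflector[p.src] += p.length
    return dict(per_reflector)


def demo():
    bots = ["10.0.0.1", "10.0.0.2"]                   # constructed botnet members
    resolvers = ["198.51.100.1", "198.51.100.2"]      # constructed open resolvers
    victim = "203.0.113.10"                           # constructed victim web server
    trace = run_attack(bots, resolvers, victim, queries_per_bot=5)
    economics = attack_economics(trace, bots, victim)
    # One legitimate lookup by the victim, to show the rule does not flag it.
    trace.append((victim, Packet(src=victim, sport=40000, dst=resolvers[0], dport=53, length=QUERY_LEN)))
    trace.append((resolvers[0], Packet(src=resolvers[0], sport=53, dst=victim, dport=40000, length=100)))
    flagged = unsolicited_dns_responses(victim_edge_view(trace, victim), victim)
    return economics, flagged


if __name__ == "__main__":
    (sent, received, factor), flagged = demo()
    print(f"bots sent {sent} B, victim received {received} B (x{factor:.1f})")
    for resolver, nbytes in flagged.items():
        print(f"unsolicited DNS responses from {resolver}: {nbytes} B")
```

The same query-to-response matching works over NetFlow or pcap from a border sensor; what it cannot do is stop the traffic, because the packets are legitimate answers from the resolver's point of view. The controls sit elsewhere: the resolver should not recurse for the whole internet, and the bot's upstream network should drop packets whose source address is not one of its own prefixes (BCP 38), which removes the forgery the whole attack depends on.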