
Denial of Service Attacks

1-Introduction
Definition: A denial-of-service attack (DoS attack) or distributed denial-of-service
attack (DDoS attack) is an attempt to make a computer resource unavailable to its
intended users. Although the means to carry out, motives for, and targets of a DoS
attack may vary, it generally consists of the concerted efforts of a person or people
to prevent an Internet site or service from functioning efficiently or at all, temporarily
or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on
high-profile web servers such as banks, credit card payment gateways, and even
root nameservers. The term is generally used with regards to computer networks,
but is not limited to this field; for example, it is also used in reference to CPU
resource management.

2-History of Denial of Service attacks [1]
Denial-of-service attacks under a number of guises have been around for decades.
Distributed DoS attacks are much newer, first being seen in late June and early July
of 1999. The first well-documented DDoS attack appears to have occurred in August
1999, when a DDoS tool called Trinoo (described below) was deployed in at least
227 systems, of which at least 114 were on Internet2, to flood a single University of
Minnesota computer; this system was knocked off the air for more than two days.
The first well-publicized DDoS attack in the public press was in February 2000. On
February 7, Yahoo! was the victim of a DDoS during which its Internet portal was
inaccessible for three hours. On February 8, Amazon, Buy.com, CNN, and eBay
were all hit by DDoS attacks that caused them to either stop functioning completely
or slowed them down significantly. And, on February 9, E*Trade and ZDNet both
suffered DDoS attacks. Analysts estimated that during the three hours Yahoo was
down, it suffered a loss of e-commerce and advertising revenue that amounted to
about $500,000. According to book seller Amazon.com, its widely publicized attack
resulted in a loss of $600,000 during the 10 hours it was down. During their DDoS
attacks, Buy.com went from 100% availability to 9.4%, while CNN.com's users went
down to below 5% of normal volume and Zdnet.com and E*Trade.com were virtually
unreachable. Schwab.com, the online venue of the discount broker Charles Schwab,
was also hit but refused to give out exact figures for losses. One can only assume
that to a company that does $2 billion dollars weekly in online trades, the downtime
loss was huge.
In a DDoS attack, the attacking packets come from tens or hundreds of addresses
rather than just one, as in a "standard" DoS attack. Any DoS defense that is based
upon monitoring the volume of packets coming from a single address or single
network will then fail since the attacks come from all over. Rather than receiving, for
example, a thousand gigantic Pings per second from an attacking site, the victim
might receive one Ping per second from 1000 attacking sites.
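
As an added illustration (not part of the original text), the following Python example runs two monitoring rules over a constructed request log: a per-source threshold, which is the kind of single-address defense the paragraph above says will fail, and an aggregate threshold on total requests per second. The addresses, rates and limits are constructed for the demonstration. The single-source flood trips both rules; the distributed flood, where each of 200 addresses sends one request, is invisible to the per-source rule and is caught only by the aggregate rule.

```python
from collections import Counter, defaultdict

# Constructed sample request log (not from the original text): (second, source_ip).
# Seconds 0-1: 5 regular clients, 2 requests each per second.
# Second 2: a "standard" DoS flood, 200 requests from one address.
# Second 3: a distributed flood, 200 addresses sending 1 request each.
SAMPLE_REQUESTS = (
    [(0, f"10.0.0.{i}") for i in range(1, 6)] * 2
    + [(1, f"10.0.0.{i}") for i in range(1, 6)] * 2
    + [(2, "198.51.100.7")] * 200
    + [(3, f"203.0.113.{i}") for i in range(1, 201)]
)

PER_SOURCE_LIMIT = 50    # assumed: requests per second tolerated from one address
AGGREGATE_LIMIT = 100    # assumed: total requests per second the server can serve


def per_source_alerts(requests, limit=PER_SOURCE_LIMIT):
    """Single-address rule: flag each (second, source) that exceeds `limit`.

    Returns {second: [source, ...]} for seconds with at least one offender.
    """
    counts = defaultdict(Counter)
    for second, src in requests:
        counts[second][src] += 1
    alerts = {}
    for second, per_src in counts.items():
        offenders = sorted(src for src, n in per_src.items() if n > limit)
        if offenders:
            alerts[second] = offenders
    return alerts


def aggregate_alerts(requests, limit=AGGREGATE_LIMIT):
    """Volume rule: flag each second whose total request count exceeds `limit`,
    regardless of how many sources contributed.

    Returns {second: (total_requests, distinct_sources)}.
    """
    totals = Counter()
    sources = defaultdict(set)
    for second, src in requests:
        totals[second] += 1
        sources[second].add(src)
    return {s: (n, len(sources[s])) for s, n in totals.items() if n > limit}


if __name__ == "__main__":
    print("per-source rule:", per_source_alerts(SAMPLE_REQUESTS))
    print("aggregate rule:", aggregate_alerts(SAMPLE_REQUESTS))
```

The distinct-source count returned by the aggregate rule is what tells a defender whether blocking individual addresses is even a viable response: one offender can be filtered, two hundred cannot be filtered one by one without also risking legitimate clients.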
One of the other disconcerting things about DDoS attacks are that the handler can
choose the location of the agents. So, for example, a handler could target several
NATO sites as victims and employ agents that are all in countries known to be hostile
to NATO. The human attacker, of course, might be sitting in Canada.

[1] By Gary Kessler http://www.garykessler.net/library/ddos.html

3-Description of Denial of Service Attacks

In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users
from accessing information or services. By targeting your computer and its network
connection, or the computers and network of the sites you are trying to use, an
attacker may be able to prevent you from accessing email, websites, online accounts
(banking, etc.), or other services that rely on the affected computer.

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer
to attack another computer. By taking advantage of security vulnerabilities or
weaknesses, an attacker could take control of your computer. He or she could then
force your computer to send huge amounts of data to a website or send spam to
particular email addresses. The attack is "distributed" because the attacker is using
multiple computers, including yours, to launch the denial-of-service attack.

A "denial-of-service" attack is characterized by an explicit attempt by attackers to
prevent legitimate users of a service from using that service. Examples include

● attempts to "flood" a network, thereby preventing legitimate network traffic
● attempts to disrupt connections between two machines, thereby preventing
access to a service
● attempts to prevent a particular individual from accessing a service
● attempts to disrupt service to a specific system or person

Not all service outages, even those that result from malicious activity, are necessarily
denial-of-service attacks. Other types of attack may include a denial of service as a
component, but the denial of service may be part of a larger attack.
Illegitimate use of resources may also result in denial of service. For example, an
intruder may use your anonymous ftp area as a place to store illegal copies of
commercial software, consuming disk space and generating network traffic.

The most common and obvious type of DoS attack occurs when an attacker "floods"
a network with information. When you type a URL for a particular website into your
browser, you are sending a request to that site's computer server to view the page.
The server can only process a certain number of requests at once, so if an attacker
overloads the server with requests, it can't process your request. This is a "denial of
service" because you can't access that site.

An attacker can use spam email messages to launch a similar attack on your email
account. Whether you have an email account supplied by your employer or one
available through a free service such as Yahoo or Hotmail, you are assigned a
specific quota, which limits the amount of data you can have in your account at any
given time. By sending many, or large, email messages to the account, an attacker
can consume your quota, preventing you from receiving legitimate messages.

To describe and understand DDoS attacks, it is important to understand the
terminology that is used to describe the attacks and the tools. While the industry has
more or less settled upon some common terms, that consensus did not come about
until well after many DoS/DDoS attacks had already appeared in the hacker and
mainstream literature.
DDoS attacks always involve a number of systems. A typical DDoS attack scenario
might follow roughly the following steps:

4-Modus Operandi of a Denial of Service Attack
Step-1
An intruder finds one or more systems on the Internet that can be compromised and
exploited (see figure below). This is generally accomplished using a stolen account
on a system with a large number of users and/or inattentive administrators,
preferably with a high-bandwidth connection to the Internet (many such systems can
be found on college and university campuses).

Step-2

The compromised system is loaded with any number of hacking and cracking tools such
as scanners, exploit tools, operating system detectors, root kits, and DoS/DDoS
programs. This system becomes the DDoS master. The master software allows it to find
a number of other systems that can themselves be compromised and exploited. The
attacker scans large ranges of IP network address blocks to find systems running
services known to have security vulnerabilities. This initial mass-intrusion phase
employs automated tools to remotely compromise several hundred to several thousand
hosts, and installs DDoS agents on those systems. The automated tools to perform this
compromise are not part of the DDoS toolkit but are exchanged within groups of criminal
hackers. These compromised systems are the initial victims of the DDoS attack. These
subsequently exploited systems will be loaded with the DDoS daemons that carry out
the actual attack (see figure below).

Step-3
The intruder maintains a list of owned systems, the compromised systems with the DDoS
daemon. The actual denial of service attack phase occurs when the attacker runs a program
at the master system that communicates with the DDoS daemons to launch the attack. Here
is where the intended DDoS victim comes into the scenario (see figure below).

Communication between the master and daemons can be obscured so that it
becomes difficult to locate the master computer. Although some evidence may exist
on one or more machines in the DDoS network regarding the location of the master,
the daemons are normally automated so that it isn't necessary for an ongoing
dialogue to take place between the master and the rest of the DDoS network. In fact,
techniques are typically employed to deliberately camouflage the identity and
location of the master within the DDoS network. These techniques make it difficult to
analyze an attack while in progress and also to block attacking traffic and trace it
back to its source.
In most cases, the system administrators of the infected systems don't even know
that the daemons have been put in place. Even if they do find and eradicate the
DDoS software, they can't help anyone determine where else the software may have
been placed. Popular systems to exploit are a site's Web, e-mail, name, or other
servers since these systems are likely to have a large number of open ports, a large
amount of traffic, and are unlikely to be quickly pulled off-line even if an attack can
be traced to them.
A final word on terminology is necessary. Early descriptions of DDoS tools used a
jumble of terms to describe the various roles of the systems involved in the attack. At
the CERT Distributed System Intruder Tools workshop held in November 1999,
some standard terminology was introduced and those terms are used in the
paragraphs above. To align those terms and the terms used by the hacker literature
as well as early descriptions, we find the following synonyms:
● Intruder: Also called the attacker or client
● Master: Also called the handler
● Daemon: Also called an agent, bcast (broadcast) program, or zombie
● Victim: Always the victim
It should not go without saying that DoS/DDoS attacks actually have two victims,
namely the ultimate target as well as the intermediate system(s) that were exploited
and loaded with daemon software. Although we tend to refer to the site that is
eventually brought down as the victim, the intermediate systems from where the
attack is launched have also been victimized. In this chapter, we will focus on the
end-of-the line DoS/DDoS victim.

5-Symptoms of Denial of Service Attacks

A "denial-of-service" attack is characterized by an explicit attempt by attackers to
prevent legitimate users of a service from using that service. There are two general
forms of DoS attacks: those that crash services and those that flood services.
Attacks can be directed at any network device, including attacks on routing devices
and web, electronic mail, or Domain Name System servers.
A DoS attack can be perpetrated in a number of ways. The five basic types of attack
are:
1. Consumption of computational resources, such as bandwidth, disk space,
or processor time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP
sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and
the victim so that they can no longer communicate adequately.
A DoS attack may include execution of malware intended to:
● Max out the processor's usage, preventing any work from occurring.
● Trigger errors in the microcode of the machine.
● Trigger errors in the sequencing of instructions, so as to force the computer
into an unstable state or lock-up.
● Exploit errors in the operating system, causing resource starvation and/or
thrashing, i.e. to use up all available facilities so no real work can be
accomplished.
● Crash the operating system itself.

6-Types of Denial of Service Attacks

There are various ways in which an attacker can perpetrate DoS attacks. Some of
these are listed below.
○ ICMP flood
○ Teardrop attacks
○ Peer-to-peer attacks
○ Asymmetry of resource utilization in starvation attacks
○ Permanent denial-of-service attacks
○ Application-level floods
○ Nuke
○ Distributed attack
○ Reflected attack
○ Degradation-of-service attacks
○ Unintentional denial of service
○ Denial-of-Service Level II
○ Blind denial of service

ICMP Flood

A smurf attack is one particular variant of a flooding DoS attack on the public
Internet. It relies on misconfigured network devices that allow packets to be sent to
all computer hosts on a particular network via the broadcast address of the network,
rather than a specific machine. The network then serves as a smurf amplifier. In
such an attack, the perpetrators will send large numbers of IP packets with the
source address faked to appear to be the address of the victim. The network's
bandwidth is quickly used up, preventing legitimate packets from getting through to
their destination. To combat Denial of Service attacks on the Internet, services like
the Smurf Amplifier Registry have given network service providers the ability to
identify misconfigured networks and to take appropriate action such as filtering.
Ping flood is based on sending the victim an overwhelming number of ping packets,
usually using the "ping" command from unix-like hosts (the -t flag on Windows
systems has a far less malignant function). It is very simple to launch, the primary
requirement being access to greater bandwidth than the victim.
Ping of death is based on sending the victim a malformed ping packet, which might
lead to a system crash.
SYN flood sends a flood of TCP/SYN packets, often with a forged sender address.
Each of these packets is handled like a connection request, causing the server to
spawn a half-open connection, by sending back a TCP/SYN-ACK packet, and
waiting for a packet in response from the sender address. However, because the
sender address is forged, the response never comes. These half-open connections
saturate the number of available connections the server is able to make, keeping it
from responding to legitimate requests until after the attack ends.

Teardrop attacks

A Teardrop attack involves sending mangled IP fragments with overlapping, oversized
payloads to the target machine. This can crash various operating systems due
to a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, Windows 95
and Windows NT operating systems, as well as versions of Linux prior to versions
2.0.32 and 2.1.63 are vulnerable to this attack.
Around September 2009, a vulnerability in Windows Vista was referred to as a
"teardrop attack", but the attack targeted SMB2 which is a higher layer than the TCP
packets that teardrop used.
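
The following Python example is added here and is not part of the original text. It shows what a fragment reassembly routine has to check in order not to be crashed by the malformed fragment sets described above: the overlapping fragments of a teardrop and the oversized datagram of a ping of death. Each fragment is modelled as (byte offset, payload, more-fragments flag); the sample fragment sets and the 20-byte header length are constructed for the demonstration, and a real stack would additionally buffer out-of-order arrivals and time out incomplete sets.

```python
MAX_IPV4_DATAGRAM = 65535   # maximum total length of an IPv4 datagram (RFC 791)
IPV4_HEADER_LEN = 20        # assumed header length of the reassembled datagram


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


def reassemble(fragments):
    """Reassemble a complete set of fragments of one datagram.

    Each fragment is (offset_bytes, payload_bytes, more_fragments_flag). The checks
    mirror what a correct reassembly routine must do: fragments must be 8-byte
    aligned, must not overlap or leave gaps, must not exceed the maximum datagram
    length, and the MF flag must be clear on exactly the last fragment.
    """
    if not fragments:
        raise FragmentError("empty")
    pieces = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected_offset = 0
    for index, (offset, payload, more) in enumerate(pieces):
        is_last = index == len(pieces) - 1
        if offset % 8:
            raise FragmentError("misaligned")
        if IPV4_HEADER_LEN + offset + len(payload) > MAX_IPV4_DATAGRAM:
            raise FragmentError("oversized")       # ping-of-death style datagram
        if offset < expected_offset:
            raise FragmentError("overlap")         # teardrop style fragment
        if offset > expected_offset:
            raise FragmentError("gap")
        if more == is_last:
            raise FragmentError("bad-mf-flag")     # MF set on last piece or clear on a middle one
        if more and len(payload) % 8:
            raise FragmentError("misaligned")      # non-final pieces must be multiples of 8 bytes
        buf += payload
        expected_offset = offset + len(payload)
    return bytes(buf)


def classify(fragments):
    """Return "ok" if the set reassembles, otherwise the rejection reason."""
    try:
        reassemble(fragments)
        return "ok"
    except FragmentError as exc:
        return exc.reason


# Constructed fragment sets, not taken from the original text.
GOOD = [(0, b"A" * 16, True), (16, b"B" * 8, False)]
TEARDROP = [(0, b"A" * 32, True), (24, b"B" * 16, False)]      # second piece starts inside the first
OVERSIZED = [(0, b"A" * 8, True), (65528, b"B" * 8, False)]    # 20 + 65528 + 8 exceeds 65535

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("teardrop", TEARDROP), ("oversized", OVERSIZED)):
        print(name, classify(frags))
```

The historical bug was that the reassembly code computed the length of the overlapping region as offset arithmetic without the "overlap" check above, so a second fragment starting inside the first produced a negative length that was then used as an unsigned copy size.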

Peer-to-peer attacks

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to
initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks
exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks.
With peer-to-peer there is no botnet and the attacker does not have to communicate
with the clients it subverts. Instead, the attacker acts as a "puppet master,"
instructing clients of large peer-to-peer file sharing hubs to disconnect from their
peer-to-peer network and to connect to the victim's website instead. As a result,
several thousand computers may aggressively try to connect to a target website.
While a typical web server can handle a few hundred connections per second before
performance begins to degrade, most web servers fail almost instantly under five or
six thousand connections per second. With a moderately large peer-to-peer attack, a
site could potentially be hit with up to 750,000 connections in short order. The
targeted web server will be plugged up by the incoming connections.
While peer-to-peer attacks are easy to identify with signatures, the large number of
IP addresses that need to be blocked (often over 250,000 during the course of a
large-scale attack) means that this type of attack can overwhelm mitigation
defenses. Even if a mitigation device can keep blocking IP addresses, there are
other problems to consider. For instance, there is a brief moment where the
connection is opened on the server side before the signature itself comes through.
Only once the connection is opened to the server can the identifying signature be
sent and detected, and the connection torn down. Even tearing down connections
takes server resources and can harm the server.
This method of attack can be prevented by specifying in the peer-to-peer protocol
which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on
websites can be very limited.

Asymmetry of resource utilization in starvation attacks

An attack which is successful in consuming resources on the victim computer must
be either:
● carried out by an attacker with great resources, by either:
○ controlling a computer with great computation power or, more
commonly, large network bandwidth
○ controlling a large number of computers and directing them to attack
as a group. A DDOS attack is the primary example of this.
● taking advantage of a property of the operating system or applications on the
victim system which enables an attack consuming vastly more of the victim's
resources than the attacker's (an asymmetric attack). Smurf attack, SYN
flood, and NAPTHA are all asymmetric attacks.
An attack may utilize a combination of these methods in order to magnify its power.

Permanent denial-of-service attacks

A permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack
that damages a system so badly that it requires replacement or reinstallation of
hardware. Unlike the distributed denial-of-service attack, a PDoS attack exploits
security flaws which allow remote administration on the management interfaces of
the victim's hardware, such as routers, printers, or other networking hardware. The
attacker uses these vulnerabilities to replace a device's firmware with a modified,
corrupt, or defective firmware image—a process which when done legitimately is
known as flashing. This therefore "bricks" the device, rendering it unusable for its
original purpose until it can be repaired or replaced.
The PDoS is a pure hardware targeted attack which can be much faster and requires
fewer resources than using a botnet in a DDoS attack. Because of these features,
and the potential and high probability of security exploits on Network Enabled
Embedded Devices (NEEDs), this technique has come to the attention of numerous
hacker communities. PhlashDance is a tool created by Rich Smith (an employee of
Hewlett-Packard's Systems Security Lab) used to detect and demonstrate PDoS
vulnerabilities at the 2008 EUSecWest Applied Security Conference in London.

Application-level floods

On IRC, IRC floods are a common electronic warfare weapon.


Various DoS-causing exploits such as buffer overflow can cause server-running
software to get confused and fill the disk space or consume all available memory or
CPU time.
Other kinds of DoS rely primarily on brute force, flooding the target with an
overwhelming flux of packets, oversaturating its connection bandwidth or depleting
the target's system resources. Bandwidth-saturating floods rely on the attacker
having higher bandwidth available than the victim; a common way of achieving this
today is via Distributed Denial of Service, employing a botnet. Other floods may use
specific packet types or connection requests to saturate finite resources by, for
example, occupying the maximum number of open connections or filling the victim's
disk space with logs.
A "banana attack" is another particular type of DoS. It involves redirecting outgoing
messages from the client back onto the client, preventing outside access, as well as
flooding the client with the sent packets.
An attacker with access to a victim's computer may slow it until it is unusable or
crash it by using a fork bomb.

Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of
fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a
modified ping utility to repeatedly send this corrupt data, thus slowing down the
affected computer until it comes to a complete stop.
A specific example of a nuke attack that gained some prominence is the WinNuke,
which exploited the vulnerability in the NetBIOS handler in Windows 95. A string of
out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock
up and display a Blue Screen of Death (BSOD).

Distributed attack

A distributed denial of service attack (DDoS) occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers.
These systems are compromised by attackers using a variety of methods.
Malware can carry DDoS attack mechanisms; one of the better-known examples of
this was MyDoom. Its DoS mechanism was triggered on a specific date and time.
This type of DDoS involved hardcoding the target IP address prior to release of the
malware and no further interaction was necessary to launch the attack.
A system may also be compromised with a trojan, allowing the attacker to download
a zombie agent (or the trojan may contain one). Attackers can also break into
systems using automated tools that exploit flaws in programs that listen for
connections from remote hosts. This scenario primarily concerns systems acting as
servers on the web.
Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where
the attacker uses a client program to connect to handlers, which are compromised
systems that issue commands to the zombie agents, which in turn facilitate the
DDoS attack. Agents are compromised via the handlers by the attacker, using
automated routines to exploit vulnerabilities in programs that accept remote
connections running on the targeted remote hosts. Each handler can control up to a
thousand agents.
These collections of compromised systems are known as botnets. DDoS tools like
Stacheldraht still use classic DoS attack methods centered on IP spoofing and
amplification like smurf attacks and fraggle attacks (these are also known as
bandwidth consumption attacks). SYN floods (also known as resource starvation
attacks) may also be used. Newer tools can use DNS servers for DoS purposes. See
next section.
Simple attacks such as SYN floods may appear with a wide range of source IP
addresses, giving the appearance of a well distributed DDoS. These flood attacks do
not require completion of the TCP three way handshake and attempt to exhaust the
destination SYN queue or the server bandwidth. Because the source IP addresses
can be trivially spoofed, an attack could come from a limited set of sources, or may
even originate from a single host. Stack enhancements such as syn cookies may be
effective mitigation against SYN queue flooding, however complete bandwidth
exhaustion may require involvement
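
The following Python example is added here and is not part of the original text. It models the two sides of the SYN flood discussed in this section and under "ICMP Flood" above: first a stateful half-open backlog, which a stream of SYNs from forged sources fills until a legitimate client's SYN is dropped; then the SYN cookie technique, in which the server encodes the connection tuple, the client's initial sequence number and a coarse time counter into its own initial sequence number under a keyed hash, so that it stores nothing until the client's final ACK proves the handshake is genuine. The secret, the cookie layout (8-bit counter, 24-bit truncated HMAC) and the addresses are constructed for the demonstration; real implementations also encode the negotiated MSS in the cookie.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # placeholder; a real stack uses a random per-boot secret
COOKIE_MAX_AGE_TICKS = 4             # assumed: how many counter ticks a cookie stays valid


class HalfOpenBacklog:
    """Stateful handling: every SYN reserves a backlog slot until the handshake completes."""

    def __init__(self, size):
        self.size = size
        self.pending = {}   # four_tuple -> client ISN

    def on_syn(self, four_tuple, client_isn):
        """Return True if a SYN-ACK can be sent, False if the SYN had to be dropped."""
        if four_tuple in self.pending:
            return True
        if len(self.pending) >= self.size:
            return False
        self.pending[four_tuple] = client_isn
        return True


def simulate_spoofed_syns(backlog_size, spoofed_syns):
    """Fill the backlog with SYNs from forged sources that never complete the
    handshake, then report whether a legitimate client can still get a SYN-ACK."""
    backlog = HalfOpenBacklog(backlog_size)
    for i in range(spoofed_syns):
        forged = (f"203.0.113.{i % 250 + 1}", 40000 + i, "192.0.2.10", 80)
        backlog.on_syn(forged, i)
    legitimate = ("198.51.100.5", 51000, "192.0.2.10", 80)
    return backlog.on_syn(legitimate, 777)


def _cookie_message(four_tuple, client_isn, tick):
    saddr, sport, daddr, dport = four_tuple
    return f"{saddr}:{sport}>{daddr}:{dport}|{client_isn}|{tick}".encode()


def make_cookie(four_tuple, client_isn, tick, secret=SECRET):
    """Stateless alternative: derive the server ISN from the connection tuple, the
    client's ISN and a coarse time counter, keyed by a secret. The top 8 bits carry
    the counter, the low 24 bits a truncated HMAC, so no per-SYN state is stored."""
    tick &= 0xFF
    mac = hmac.new(secret, _cookie_message(four_tuple, client_isn, tick), hashlib.sha256).digest()
    return (tick << 24) | int.from_bytes(mac[:3], "big")


def check_cookie(four_tuple, client_isn, ack_number, now_tick, secret=SECRET):
    """Validate the final ACK of the handshake: its ACK number must be cookie + 1,
    the embedded counter must be recent, and the HMAC must match. The caller
    derives client_isn from the ACK segment's sequence number minus one."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    tick = cookie >> 24
    if ((now_tick & 0xFF) - tick) & 0xFF > COOKIE_MAX_AGE_TICKS:
        return False
    expected = make_cookie(four_tuple, client_isn, tick, secret)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


if __name__ == "__main__":
    print("legitimate SYN accepted after 200 spoofed SYNs:", simulate_spoofed_syns(128, 200))
    t = ("198.51.100.5", 51000, "192.0.2.10", 80)
    c = make_cookie(t, 1000, 5)
    print("valid ACK accepted:", check_cookie(t, 1000, (c + 1) & 0xFFFFFFFF, 6))
```

The cookie removes the backlog as a resource to exhaust, which is why the text calls it an effective mitigation for SYN queue flooding only: a flood large enough to saturate the link still arrives, and no end-host state trick helps with that.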
Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address.
Script kiddies use them to deny the availability of well known websites to legitimate
users. More sophisticated attackers use DDoS tools for the purposes of extortion —
even against their business rivals.
It is important to note the difference between a DDoS and DoS attack. If an attacker
mounts an attack from a single host it would be classified as a DoS attack. In fact,
any attack against availability would be classed as a Denial of Service attack. On the
other hand, if an attacker uses a thousand systems to simultaneously launch smurf
attacks against a remote host, this would be classified as a DDoS attack.
The major advantages to an attacker of using a distributed denial-of-service attack
are that multiple machines can generate more attack traffic than one machine,
multiple attack machines are harder to turn off than one attack machine, and that the
behavior of each attack machine can be stealthier, making it harder to track down
and shut down. These attacker advantages cause challenges for defense
mechanisms. For example, merely purchasing more incoming bandwidth than the
current volume of the attack might not help, because the attacker might be able to
simply add more attack machines.
It should be noted that in some cases a machine may become part of a DDoS attack
with the owner's consent. An example of this is the 2010 DDoS attack against major
credit card companies by supporters of WikiLeaks. In cases such as this, supporters
of a movement (in this case, those opposing the arrest of WikiLeaks founder Julian
Assange) choose to download and run DDoS software.

Reflected attack

A distributed reflected denial of service attack (DRDoS) involves sending forged
requests of some type to a very large number of computers that will reply to the
requests. Using Internet Protocol address spoofing, the source address is set to that
of the targeted victim, which means all the replies will go to (and flood) the target.
ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected
attack, as the flooding host(s) send Echo Requests to the broadcast addresses of
mis-configured networks, thereby enticing many hosts to send Echo Reply packets
to the victim. Some early DDoS programs implemented a distributed form of this
attack.
Many services can be exploited to act as reflectors, some harder to block than
others. DNS amplification attacks involve a new mechanism that increased the
amplification effect, using a much larger list of DNS servers than seen earlier.
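
As an added example (not part of the original text), the following Python code detects the defining signature of the reflected attacks described in this section and of the smurf attack under "ICMP Flood": replies arriving at a host that never sent the matching request. It walks a constructed list of flow records seen at the victim's network edge, remembers which echo requests and DNS queries the host itself sent, and counts the distinct peers whose echo replies or DNS responses were unsolicited. The record format, addresses and threshold are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed flow records, not from the original text:
# (direction, proto, peer_ip, peer_port, kind), where "out" means our host sent
# the packet and "in" means our host received it.
FLOWS = (
    [
        ("out", "icmp", "192.0.2.1", 0, "echo-request"),     # we pinged 192.0.2.1 ...
        ("in", "icmp", "192.0.2.1", 0, "echo-reply"),        # ... so this reply is solicited
        ("out", "udp", "192.0.2.53", 53, "dns-query"),       # our own resolver lookup
        ("in", "udp", "192.0.2.53", 53, "dns-response"),
    ]
    # 40 echo replies from hosts we never pinged (smurf-style reflection)
    + [("in", "icmp", f"203.0.113.{i}", 0, "echo-reply") for i in range(1, 41)]
    # 30 DNS responses from servers we never queried (DNS reflection)
    + [("in", "udp", f"198.51.100.{i}", 53, "dns-response") for i in range(1, 31)]
)

# Which request kind must precede each reply kind for the reply to be legitimate.
REPLY_OF = {"echo-reply": "echo-request", "dns-response": "dns-query"}


def unsolicited_replies(flows):
    """Return {reply_kind: set(peer_ip)} for replies with no earlier matching request."""
    asked = set()
    unsolicited = defaultdict(set)
    for direction, _proto, peer, port, kind in flows:
        if direction == "out":
            asked.add((peer, port, kind))
        elif kind in REPLY_OF and (peer, port, REPLY_OF[kind]) not in asked:
            unsolicited[kind].add(peer)
    return dict(unsolicited)


def reflection_alerts(flows, min_reflectors=10):
    """Flag reply kinds for which at least `min_reflectors` distinct peers sent
    unsolicited replies; many distinct reflectors is what distinguishes a
    reflected flood from a single misbehaving host."""
    return {
        kind: len(peers)
        for kind, peers in unsolicited_replies(flows).items()
        if len(peers) >= min_reflectors
    }


if __name__ == "__main__":
    print(reflection_alerts(FLOWS))
```

Because the reflectors are themselves innocent hosts answering spoofed requests, the distinct-peer count is also the number of addresses a filter would have to block, which is the same scaling problem the peer-to-peer section describes.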

Degradation-of-service attacks

"Pulsing" zombies are compromised computers that are directed to launch
intermittent and short-lived floodings of victim websites with the intent of merely
slowing it rather than crashing it. This type of attack, referred to as
"degradation-of-service" rather than "denial-of-service", can be more difficult to
detect than regular zombie invasions and can disrupt and hamper connection to
websites for prolonged periods of time, potentially causing more damage than
concentrated floods. Exposure of degradation-of-service attacks is complicated
further by the matter of discerning whether the attacks really are attacks or just
healthy and likely desired increases in website traffic.

Unintentional denial of service

This describes a situation where a website ends up denied, not due to a deliberate
attack by a single individual or group of individuals, but simply due to a sudden
enormous spike in popularity. This can happen when an extremely popular website
posts a prominent link to a second, less well-prepared site, for example, as part of a
news story. The result is that a significant proportion of the primary site's regular
users — potentially hundreds of thousands of people — click that link in the space of
a few hours, having the same effect on the target website as a DDoS attack. A
VIPDoS is the same, but specifically when the link was posted by a celebrity.
An example of this occurred when Michael Jackson died in 2009. Websites such as
Google and Twitter slowed down or even crashed. Many sites' servers thought the
requests were from a virus or spyware trying to cause a Denial of Service attack,
warning users that their queries looked like "automated requests from a computer
virus or spyware application".
News sites and link sites — sites whose primary function is to provide links to
interesting content elsewhere on the Internet — are most likely to cause this
phenomenon. The canonical example is the Slashdot effect. Sites such as Digg, the
Drudge Report, Fark, Something Awful, and the webcomic Penny Arcade have their
own corresponding "effects", known as "the Digg effect", being "drudged", "farking",
"goonrushing" and "wanging"; respectively.
Routers have also been known to create unintentional DoS attacks, as both D-Link
and Netgear routers have created NTP vandalism by flooding NTP servers without
respecting the restrictions of client types or geographical limitations.
Similar unintentional denials of service can also occur via other media, e.g. when a
URL is mentioned on television. If a server is being indexed by Google or another
search engine during peak periods of activity, or does not have a lot of available
bandwidth while being indexed, it can also experience the effects of a DoS attack.
Legal action has been taken in at least one such case. In 2006, Universal Tube &
Rollform Equipment Corporation sued YouTube: massive numbers of would-be
youtube.com users accidentally typed the tube company's URL, utube.com. As a
result, the tube company ended up having to spend large amounts of money on
upgrading their bandwidth.

Denial-of-Service Level II

The goal of a DoS L2 (possibly DDoS) attack is to trigger a defense mechanism
which blocks the network segment from which the attack originated. In the case of a
distributed attack or IP header modification (depending on the kind of security
behavior) it will fully block the attacked network from the Internet, but without a
system crash.

Blind denial of service

In a blind denial of service attack, the attacker has a significant advantage. If the
attacker must be able to receive traffic from the victim, then the attacker must either
subvert the routing fabric or use the attacker's own IP address. Either provides an
opportunity for the victim to track the attacker and/or filter out his traffic. With a blind
attack the attacker uses one or more forged IP addresses, making it extremely
difficult for the victim to filter out those packets. The TCP SYN flood attack is an
example of a blind attack.
7-How is the common man affected by this problem?

As we have learnt earlier, in a DoS attack an attacker tries to flood a network with
illegitimate requests. A single computer on its own can do only limited damage, but
if somehow the attacker can get access to many computers then he can launch an
attack at an enormous scale. As implausible as it may seem, it is a piece of cake.

Most Distributed Denial of Service (DDoS) attacks are carried out in this fashion. The
attacker infects the computers of unsuspecting individuals with a "daemon" so that he
can control the computer remotely. Such an infected computer is called a zombie
and a network of such computers is called a “botnet”. Since in a botnet it is difficult to
ascertain who is the “leader of the group”, it becomes difficult to trace the root of the
problem.

The attacker now has access to many computers and can use them
simultaneously to launch an attack on any website he feels like. For the owner of an
infected computer, the consequences are:

● Your resources are used up without your knowledge.
● Your internet connection starts to fail. You might think it is a network problem
but actually it is a virus.
● You share culpability with the perpetrator for this kind of attack since it was
your machine which was used.

8-Incidents of Denial of Service attacks [2]
● The first major attack involving DNS servers as reflectors occurred in January
2001. The target was Register.com. This attack, which forged requests for the
MX records of AOL.com (to amplify the attack) lasted about a week before it
could be traced back to all attacking hosts and shut off. It used a list of tens of
thousands of DNS records that were a year old at the time of the attack.
● In February 2001, the Irish Government's Department of Finance server was
hit by a denial of service attack carried out as part of a student campaign from
NUI Maynooth. The Department officially complained to the University
authorities and a number of students were disciplined.
● In July 2002, the Honeynet Project Reverse Challenge was issued. The
binary that was analyzed turned out to be yet another DDoS agent, which
implemented several DNS related attacks, including an optimized form of a
reflection attack.
● On two occasions to date, attackers have performed DNS Backbone DDoS
Attacks on the DNS root servers. Since these machines are intended to
provide service to all Internet users, these two denial of service attacks might
be classified as attempts to take down the entire Internet, though it is unclear
what the attackers' true motivations were. The first occurred in October 2002
and disrupted service at 9 of the 13 root servers. The second occurred in
February 2007 and caused disruptions at two of the root servers.
● In February 2007, more than 10,000 online game servers in games such as
Return to Castle Wolfenstein, Halo, Counter-Strike and many others were
attacked by the hacker group RUS. The DDoS attack was made from more
than a thousand computer units located in the republics of the former Soviet
Union, mostly from Russia, Uzbekistan and Belarus. Minor attacks are still
continuing to be made today.
● In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS
attack directed at Georgian government sites containing the message:
"win+love+in+Rusia" effectively overloaded and shut down multiple Georgian
servers. Websites targeted included the Web site of the Georgian president,
Mikhail Saakashvili, rendered inoperable for 24 hours, and the National Bank
of Georgia. While heavy suspicion was placed on Russia for orchestrating the
attack through a proxy, the St. Petersburg-based criminal gang known as the
Russian Business Network, or R.B.N, the Russian government denied the
allegations, stating that it was possible that individuals in Russia or elsewhere
had taken it upon themselves to start the attacks.
● During the 2009 Iranian election protests, foreign activists seeking to help the opposition engaged in DDoS attacks against Iran's government. The official website of the Iranian government (ahmedinejad.ir) was rendered inaccessible on several occasions. Critics claimed that the DDoS attacks also cut off internet access for protesters inside Iran; activists countered that, while this may have been true, the attacks still hindered President Mahmoud Ahmadinejad's government enough to aid the opposition.
[2] From wikipedia.com
● On June 25, 2009, the day Michael Jackson died, the spike in searches
related to Michael Jackson was so big that Google News initially mistook it for
an automated attack. As a result, for about 25 minutes, when some people
searched Google News they saw a "We're sorry" page before finding the
articles they were looking for.
● In June 2009 the P2P site The Pirate Bay was rendered inaccessible due to a DDoS attack. This was most likely provoked by the recent sellout to Global Gaming Factory X AB, which was seen as a "take the money and run" solution to the website's legal issues. In the end, due to the buyers' financial troubles, the site was not sold.
● Multiple waves of July 2009 cyber attacks targeted a number of major websites in South Korea and the United States. The attacker used a botnet, and file updates through the internet are known to have assisted its spread. As it turned out, a computer trojan was coded to scan for existing MyDoom bots. MyDoom was a worm in 2004, and in July around 20,000-50,000 were present. MyDoom has a backdoor, which the DDoS bot could exploit. Since then, the DDoS bot removed itself, and completely formatted the hard drives. Most of the bots originated from China and North Korea.
● On August 6, 2009 several social networking sites, including Twitter, Facebook, Livejournal, and Google blogging pages were hit by DDoS attacks, apparently aimed at Georgian blogger "Cyxymu". Although Google came through with only minor set-backs, these attacks left Twitter crippled for hours, and Facebook did eventually restore service although some users still experienced trouble. Twitter's site latency has continued to improve; however, some web requests continue to fail.
● In July and August 2010, the Irish Central Applications Office server was hit
by a denial of service attack on four separate occasions, causing difficulties
for thousands of Second Level students who are required to use the CAO to
apply for University and College places. The attack is currently subject to a
Garda investigation.
● On November 28, 2010, the whistleblower site wikileaks.org experienced a DDoS attack. This was presumably related to the pending release of many thousands of secret diplomatic cables.
● On December 8, 2010, a group calling themselves "Anonymous" launched orchestrated DDoS attacks on organisations such as Mastercard.com, PayPal, Visa.com and PostFinance, as part of the ongoing "Operation Payback" campaign, which originally targeted anti-piracy organisations, in support of the whistleblowing site Wikileaks.ch and its founder, Julian Assange. The attack brought down the Mastercard, PostFinance, and Visa websites successfully. PostFinance, the bank that had frozen Julian Assange’s account, was brought down for more than 16 hours due to the attacks. However, in denial of the fact that it was taken down by a bunch of notorious internet users, the bank issued a statement that the outage was caused by an overload of inquiries:
"Access to www.postfinance.ch and thus also e-finance is currently overloaded owing to a multitude of online enquiries. The security of customer data is not affected."

9-Preventing Denial of Service Attacks
If your host is one of the Slaves in a DDoS, you will most likely never even be aware
of it - unless you carefully examine your logs and watch for untoward network
activity. If, on the other hand, you're the Victim, the results will be dramatic and
obvious.
Symptoms (Victim):
1. Programs run very slowly
2. Services (e.g., HTTP) fail at a high rate
3. Large number of connection requests from different networks
4. User complaints about slow (or no) site access
5. Machine shows a high CPU load
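The symptoms above are what an operator notices; the third one, a large number of connection requests from different networks, is also the one most easily measured from a gateway log. The following is an added example, not code from the report or from any tool it names: it parses netfilter-style "SRC=... DST=... DPT=..." log lines (a format assumed here; the sample lines are constructed) and flags any destination service whose connection attempts arrive from many distinct /24 source networks, which is the signature that separates a distributed flood from a single noisy client. The thresholds are illustrative and would be tuned against the site's normal baseline.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in the style of a Linux netfilter LOG target; not real traffic.
SAMPLE_LOG = """\
Jun 25 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN
Jun 25 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jun 25 10:00:01 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Jun 25 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
Jun 25 10:00:02 gw kernel: IN=eth0 SRC=10.1.1.1 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jun 25 10:00:02 gw kernel: IN=eth0 SRC=10.1.1.2 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80 SYN
Jun 25 10:00:03 gw kernel: IN=eth0 SRC=10.2.2.1 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=80 SYN
Jun 25 10:00:03 gw kernel: IN=eth0 SRC=10.2.2.2 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=80 SYN
Jun 25 10:00:03 gw kernel: IN=eth0 SRC=172.16.5.1 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=80 SYN
Jun 25 10:00:04 gw kernel: IN=eth0 SRC=172.16.5.2 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=80 SYN
Jun 25 10:00:04 gw kernel: IN=eth0 SRC=100.64.3.1 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=80 SYN
Jun 25 10:00:04 gw kernel: IN=eth0 SRC=100.64.3.2 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=80 SYN
Jun 25 10:00:05 gw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=22 SYN
Jun 25 10:00:05 gw kernel: IN=eth0 SRC=203.0.113.51 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=22 SYN
Jun 25 10:00:06 gw kernel: IN=eth0 SRC=203.0.113.52 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=22 SYN
Jun 25 10:00:06 gw kernel: some unrelated kernel message
"""

# Assumed log layout: source, destination and destination port as key=value fields.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Yield (src, dst, dport) for every line that carries the expected fields."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def summarise_services(text, prefix_len=24):
    """Group attempts by destination service and collect the distinct source
    networks (by default /24 prefixes) they came from."""
    hits = defaultdict(lambda: {"attempts": 0, "networks": set()})
    for src, dst, dport in parse_log(text):
        entry = hits[f"{dst}:{dport}"]
        entry["attempts"] += 1
        entry["networks"].add(str(ip_network(f"{src}/{prefix_len}", strict=False)))
    return hits


def flag_floods(text, min_networks=5, min_attempts=10):
    """Return {service: (attempts, distinct_networks)} for services whose requests
    come from at least min_networks different networks; a single chatty client
    never trips this, a distributed flood does."""
    flagged = {}
    for service, entry in summarise_services(text).items():
        n_nets = len(entry["networks"])
        if n_nets >= min_networks and entry["attempts"] >= min_attempts:
            flagged[service] = (entry["attempts"], n_nets)
    return flagged


if __name__ == "__main__":
    for service, (attempts, nets) in flag_floods(SAMPLE_LOG).items():
        print(f"possible flood on {service}: {attempts} attempts from {nets} networks")
```

On the constructed sample the HTTP service is flagged (12 attempts from 6 networks) while the three SSH attempts from one network are not; in practice the same summary is worth keeping as a running baseline so that the threshold reflects the site's normal diversity of clients.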

There is no complete or perfect solution to DDoS. The logic is simple: NO software or countermeasures can stand up to attacks from, say, 100 servers at once. All that can be done is to take preventive measures, and respond quickly and effectively when the attack takes place.

As it is often said, an ounce of prevention is better than a pound of cure - and this is
very true in the case of DDoS. In the introduction, I had mentioned that DDoS often
happens because of vulnerable software/applications running on a machine in a
particular network. Attackers use those security holes to compromise the hosts and
the servers and install the DDoS tools such as 'trin00'.

To prevent or mitigate future DDoS attacks, follow these steps:

● Create and implement a good security policy
● Set up a firewall which does ingress and egress filtering at the gateway (e.g.,
APF from http://www.rfxnetworks.com/apf.php)
● Use host-based intrusion detection on your gateway/hosts to alert you to port
scans and break-in attempts (e.g., AIDE from
http://freshmeat.net/projects/aide/)
To prevent your network from being used as a slave, follow these steps:
● Conduct regular audits on each host on the network to find installed DDoS
tools and vulnerable applications.
● Use tools like Rkdet, Rootkit Hunter, or chkrootkit to find if a rootkit has been
installed on your system.
● Perform a general security audit on your systems on a regular basis:
○ Keep your systems up to date to minimize software vulnerabilities
(kernel and software upgrades)
○ Check for rootkits
○ Check logs for evidence of port sniffing, etc.
○ Check for hidden processes by comparing the output of 'ps' and 'lsof'.
○ Use auditing tools (e.g., Nessus, SAINT, or SARA)
○ Check system binaries with, e.g., Tripwire to see if they've been changed since your last snapshot
○ Check for open email relays
○ Check for malicious cron entries
○ Check the /dev, /tmp and /var directories for odd files (e.g., '...', wrong permissions/ownership on device files, etc.)
○ Check whether backups are maintained
○ Check for unwanted users and groups (examine /etc/passwd)
○ Check for and disable any unneeded services
○ Check for SUID, SGID, and 'nouser' files on your system with the 'find'
command
○ Check the system performance (memory and CPU usage); note the
average levels
● Create a DSE (Dedicated Security Expert) team for your company.
● Enforce and implement security measures on all hosts in the network. The
only hosts that should be allowed on your network are ones that have been
vetted by your security admin or DSE (Dedicated Security Expert). All hosts
on the network should be checked on a regular basis by your DSE team.
● Collect your network and host data and analyze them to see what kind of
attacks are being run against your networks.
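Two of the checks in the audit list above, comparing the process list against open-file data to spot hidden processes and examining /etc/passwd for unwanted accounts, are shown here worked on constructed command output. This is an added example and not code from the report or any tool it names; the ps and lsof text and the passwd lines are constructed samples, and a real audit would feed in the live output of `ps -e -o pid=` and `lsof -n -P` (assumed invocations).

```python
# Constructed output in the shape of 'ps -e -o pid' (one PID per line).
PS_OUTPUT = """\
  PID
    1
  415
  802
 1203
"""

# Constructed output in the shape of 'lsof -n -P'; PID is the second column.
LSOF_OUTPUT = """\
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd    1  root  cwd    DIR  254,1     4096    2 /
sshd     415  root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
httpd    802  www     4u  IPv4  12399      0t0  TCP *:80 (LISTEN)
bash    1203 alice  cwd    DIR  254,1     4096   17 /home/alice
udpd    3133  root    5u  IPv4  23456      0t0  TCP *:5555 (LISTEN)
"""

# Constructed /etc/passwd content; 'toor' is a second UID-0 account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/:/bin/sh
"""


def ps_pids(text):
    """PIDs from ps output; a header line such as 'PID' is skipped."""
    pids = set()
    for line in text.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def lsof_processes(text):
    """Map PID -> command name from lsof output, skipping the header row."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs.setdefault(int(parts[1]), parts[0])
    return procs


def hidden_processes(ps_text, lsof_text):
    """Processes that hold open files or sockets but do not appear in the process
    listing: the discrepancy the audit list asks you to look for."""
    visible = ps_pids(ps_text)
    return {pid: cmd for pid, cmd in lsof_processes(lsof_text).items() if pid not in visible}


def unexpected_superusers(passwd_text, allowed=("root",)):
    """Accounts with UID 0 other than those expected to have it."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] not in allowed:
            found.append(fields[0])
    return found


if __name__ == "__main__":
    for pid, cmd in hidden_processes(PS_OUTPUT, LSOF_OUTPUT).items():
        print(f"PID {pid} ({cmd}) has open files but is missing from ps")
    for name in unexpected_superusers(PASSWD):
        print(f"unexpected UID 0 account: {name}")
```

On the constructed data the listener on PID 3133 is reported as missing from ps, and the extra UID-0 account `toor` is reported from the passwd sample. The comparison only has value if ps and lsof are trusted binaries, which is why the same list also asks you to verify system binaries against a snapshot.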

The majority of denial of service attacks can be prevented simply by upgrading to the latest hardware and software. In the case of distributed denial of service attacks, we have fewer simple options to work with.
Even giants such as Microsoft have fallen victim to DDoS attacks. Generally, it’s a good idea not to make many enemies, and to keep a sharp watch on your network at all times. And in the event that you do track an attacker down, keep two things in mind. First, it may be a spoofed IP address, and thus a false lead. Second, never attack back. Simply contact the authorities and wait for the justice system to do its work.

10-Case Study of software to help prevent DDoS attacks on web servers

Software: AIDE (Advanced Intrusion Detection Environment) [3]

Licence: AIDE is licensed under the GPL.

AIDE creates a database from the regular expression rules that it finds in the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of each file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.

Creators:
AIDE was originally written by Rami Lehti and Pablo Virolainen in 1999. Between
2003 and 2010 it was maintained by Richard van den Berg. In October 2010
Hannes von Haugwitz took over the project.

Features
● supported message digest algorithms: md5, sha1, rmd160, tiger, crc32,
sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
● supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name,
Size, Block count, Number of links, Mtime, Ctime and Atime
● support for Posix ACL, SELinux, XAttrs and Extended file system attributes if
support is compiled in
● plain text configuration files and database for simplicity
● powerful regular expression support to selectively include or exclude files and
directories to be monitored
● gzip database compression if zlib support is compiled in
● stand alone static binary for easy client/server monitoring configurations
● and many more
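The description and feature list above are enough to show the mechanism in miniature: regular-expression rules select which paths are watched, an init pass records a digest and the usual attributes for each, and a check pass reports what was added, removed or changed. The following is an added example written to illustrate that workflow; it is not AIDE's code and not from the report. The rule set, the temporary directory tree and the simulated tampering are all constructed for the demonstration, and the plain JSON file stands in for AIDE's plain-text database.

```python
import hashlib
import json
import os
import re
import stat
import tempfile


def _selected_files(root, include, exclude):
    """Yield (relative, absolute) paths under root that match an include rule and
    no exclude rule; rules are regular expressions applied to the relative path."""
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if any(r.search(rel) for r in exc):
                continue
            if any(r.search(rel) for r in inc):
                yield rel, path


def fingerprint(path, algo="sha256"):
    """Digest plus the usual attributes for one path (symlinks are not followed)."""
    st = os.lstat(path)
    digest = hashlib.new(algo)
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
    return {"digest": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "inode": st.st_ino, "links": st.st_nlink, "mtime": int(st.st_mtime)}


def init_db(root, include, exclude=()):
    """The 'init' pass: build the baseline database for the selected files."""
    return {rel: fingerprint(path) for rel, path in _selected_files(root, include, exclude)}


def check_db(root, db, include, exclude=()):
    """The 'check' pass: compare the live tree against the baseline."""
    now = init_db(root, include, exclude)
    report = {"added": sorted(set(now) - set(db)),
              "removed": sorted(set(db) - set(now)), "changed": {}}
    for rel in sorted(set(now) & set(db)):
        diff = sorted(k for k in db[rel] if db[rel][k] != now[rel][k])
        if diff:
            report["changed"][rel] = diff
    return report


def save_db(db, path):
    """Plain-text database (JSON here), so it can be inspected or copied off-host."""
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_db(path):
    with open(path) as fh:
        return json.load(fh)


INCLUDE = [r"^bin/", r"^etc/", r"^var/"]   # constructed rules for the demo
EXCLUDE = [r"\.log$"]                       # volatile files are not baselined


def demo():
    """Build a constructed tree, baseline it, tamper with it, return (db, report)."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    files = {"bin/ls": b"\x7fELF-constructed", "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
             "var/state.db": b"state", "var/app.log": b"noise"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(root, "bin/ls"), 0o755)
    dbfile = os.path.join(root, "baseline.json")    # outside the watched prefixes
    save_db(init_db(root, INCLUDE, EXCLUDE), dbfile)
    # Simulated tampering: a new config file, an edited passwd, a permission change.
    with open(os.path.join(root, "etc/new.conf"), "w") as fh:
        fh.write("x=1\n")
    with open(os.path.join(root, "etc/passwd"), "ab") as fh:
        fh.write(b"toor:x:0:0::/:/bin/sh\n")
    os.chmod(os.path.join(root, "bin/ls"), 0o700)
    db = load_db(dbfile)
    return db, check_db(root, db, INCLUDE, EXCLUDE)


if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=1))
```

The report names the new file under etc/, the changed digest and size of etc/passwd, and the mode change on bin/ls, while var/app.log never enters the database because the exclude rule wins. As with AIDE itself, the baseline is only trustworthy if it was taken on a known-clean system and stored where an intruder cannot rewrite it.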

Platforms
Basically AIDE runs on any modern Unix. Below is a table of platforms on which people have tested AIDE (compiled with standard options).

[3] http://www.aide.sourceforge.net

11-DoS attacks as a political tool: Hacktivism [4]
Hacktivism is a portmanteau of hack and activism. This leads to a controversy of meaning, because both "hacker" and "activism" are ambiguous terms. In relation to computers, the term "hacking" has acquired the modern connotation of making an invisible break into a computer by manipulating the security code and/or firewall with "clever computer usage/programming"; this is the terminology used in the mainstream media, almost exclusively to mean "illegally breaking into computers". Hacking by definition simply means taking an original product and changing it for the purposes of the user. With relation to computers it means writing software, modifying software or hardware, or tricking software into doing what you want it to. It does not mean doing anything illegal (see cracking). Activism similarly includes both explicitly non-violent action (Martin Luther King and Mahatma Gandhi) and violent revolutionary activities (Che Guevara). The term hacktivism was first used by designer/author Jason Sack in a 1995 InfoNation article about the media artist Shu Lea Cheang.

According to Jewel Ward [5]:

“When a Denial of Service attack occurs, is it vandalism and mischief, an act of war,
or a new form of democratic protest? The answer to that question might depend on
which side you are on — it is a bit like the quote that “one man’s terrorist is another
man’s freedom fighter“. Regardless of your point of view, it is a way to take control of
someone else’s data and information by denying others access to it — to illegally
tame it, if you will.”

The Internet offers a powerful tool for communicating and coordinating action. It is
inexpensive to use and increasingly pervasive, with an estimated 201 million on-line
as of September 1999. Groups of any size, from two to millions, can reach each
other and use the Net to promote an agenda. Their members and followers can
come from any geographical region on the Net, and they can attempt to influence
foreign policy anywhere in the world. This section describes five modes of using the
Internet: collection, publication, dialogue, coordination of action, and direct lobbying
of decision makers. While treated separately, the modes are frequently used
together and many of the examples described here illustrate multiple modes.

The Internet offers several channels whereby advocacy groups and individuals can
publish information (and disinformation) to further policy objectives. They can send it
through e-mail and post it to newsgroups. They can create their own electronic
publications or contribute articles and essays to those of others. They can put up
Web pages with documents, images, audio and video clips, and other types of
information. The Web sites can serve as a gathering place and source of information
for supporters, potential supporters, and onlookers.

[4] http://en.wikipedia.org/wiki/Hacktivism
[5] http://tamingdata.com/2010/10/19/denial-of-service-attacks-cyber-vandals-and-cyber-activism-explored/

One reason the Internet is popular among activists is its cost advantage over
traditional mass media. It is easier and cheaper to post a message to a public forum
or put up a Web site than it is to operate a radio or television station or print a
newspaper. Practically anyone can afford to be a publisher. In addition, the reach of
the Internet is global. A message can potentially reach millions of people at no
additional cost to the originator. Further, activists can control their presentation to the
world. They decide what is said and how. They do not have to rely on the mass
media to take notice and tell their story "right."

With respect to hacktivism and cyberterrorism, those who engage in such activity are
less likely to accomplish their foreign policy objectives than those who do not employ
disruptive and destructive techniques. They may feel a sense of empowerment,
because they can control government computers and get media attention, but that
does not mean they will succeed in changing policy. The main effect is likely to be a
strengthening of cyberdefense policies, both nationally and internationally, rather
than accommodation to the demands of the actors.

Features of Hacktivism
A Haction usually has the following elements.
● Politically motivated
● Place a premium on humor, and often resembles a digital form of clowning
● Owns a moderate "Outlaw Orientation" as opposed to severe
● The result of aggressive policy circumvention - rather than a gradual attempt
to change a policy
● Always non-violent: a haction never places another in direct danger
● Capacity for solo activity - while most forms of political activism require the
strength of masses, hacktivism is most often the result of the power of one, or
small group.
● Is most often carried out anonymously, and can take place over transnational
borders.

12-Case Study: Operations Payback, Avenge Assange, and Bradical
Country of origin: Unknown

Group responsible: Anonymous (group)

Targets: Law firms, pro-copyright organizations, anti-Wikileaks organisations

Description:

Operation Payback is a coordinated, decentralized group of attacks on opponents of internet piracy by internet activists using the "Anonymous" moniker, originating from the website 4chan.org. Operation Payback started as retaliation to distributed denial of service (DDoS) attacks on torrent sites; piracy proponents then decided to launch DDoS attacks on piracy opponents. The initial reaction snowballed into a wave of attacks on major pro-copyright and anti-piracy organizations, law firms, and individuals. Following the United States diplomatic cables leak in December 2010, the organizers commenced DDoS attacks on websites of banks who had withdrawn banking facilities from WikiLeaks.

In 2010, several Bollywood companies hired Aiplex Software to launch DDoS attacks on websites that did not respond to software takedown notices. Piracy activists then created Operation Payback in September 2010 in retaliation. The original plan was to attack Aiplex Software directly, but upon finding some hours before the planned DDoS that another individual had taken down the firm's website on their own, Operation Payback moved to launching attacks against the websites of copyright-stringent organizations, law firms and other websites. This grew into multiple DDoS attacks against anti-piracy groups and law firms.

On 2 April 2011 Anonymous launched an attack on the media giant Sony. Named #opsony, it is a part of Operation Payback. Anonymous claimed the attack a success after they took down the PlayStation Network and other related PlayStation websites. Anonymous' actions also included personal harassment of employees and their families. The PlayStation Network subsequently has had lengthy outages, although Anonymous claims that this is not due to any officially-sanctioned action on their part, but may be due to sub-groups of Anonymous.
Sony Corp. came to Anonymous’ attention after it took legal action against George Hotz (a.k.a. GeoHot), the coder behind a popular tool that allows homebrew software to run on the PlayStation 3 (PS3). In addition, Sony is also taking legal action against Alexander Egorenkov (a.k.a. Graf_Chokolo) for his efforts to restore Linux to the PS3. The reason why Hotz and Egorenkov do what they do follows on from Sony's decision to remove the system's OtherOS feature, which enabled the use of Linux. Hotz and Egorenkov’s efforts to return the OtherOS feature are both a gift and a curse. While the pair has earned respect for their research and technical skills, they have also gained the attention of Sony's legal team. The lawsuit against Hotz attracted the attention of Anonymous. They claim that Sony is breaching the free speech border, and this is the reason for their actions.
In December 2010, the document archive website WikiLeaks (used by whistleblowers) came under intense pressure to stop publishing secret United States diplomatic cables. In response, Anonymous announced its support for WikiLeaks, and Operation Payback changed its focus to support WikiLeaks and launched DDoS attacks against Amazon, PayPal, MasterCard, Visa and the Swiss bank PostFinance, in retaliation for perceived anti-WikiLeaks behavior. This second front in the December offensive was performed under the codename Operation Avenge Assange. Due to the attacks, both MasterCard and Visa's websites were brought down on December 8. A threat researcher at PandaLabs said Anonymous also launched an attack which brought down the Swedish prosecutor's website when WikiLeaks founder Julian Assange was arrested in London and refused bail in relation to extradition to Sweden.

After suspected leaker Bradley Manning was transferred to Marine Corps Brig, Quantico in July 2010, allegations of abuse arose around Manning's isolation in a maximum security area, and the suicide-watch he was put under, which included constant verbal checks by guards and forced nudity. Military officials denied the treatment was abuse or abnormal. In an event that led to his resignation, State Department spokesman Philip J. Crowley made statements condemning the treatment. In response to Manning's imprisonment and treatment, Anonymous threatened to disrupt activities at Quantico by cyber-attacking communications, exposing private information about personnel, and other harassment methods. Dubbed "Operation Bradical", spokesperson Barrett Brown stated that this would be in direct response to the alleged mistreatment. Military spokespersons have responded that the threat has been referred to law enforcement and counterterrorism officials and requested an investigation.

“Update – 11/27 7:21 PM PST – Operation:Payback has set their cross-hairs on the IFPI in retaliation for the legal action taken against The Pirate Bay. According to our statistics, IFPI.org first went down yesterday at 11:15:25AM PST and has experienced 27 hours of ongoing downtime.” [6]

[6] http://pandalabs.pandasecurity.com/4chan-users-organize-ddos-against-mpaa/

13-IT Act on DoS attacks

Under section 43 of the IT Act 2000 Denial of Service attacks and Distributed Denial
of Service attacks are punishable offences in India.
