Protecting against denial of service attacks is an ongoing security challenge. In this video, you’ll learn about DoS, DDoS, and DDoS amplification attacks.
<< Previous Video: Wireless Authentication and Security Next: Social Engineering >>
A denial of service is when the bad guys are taking a service that’s normally available, and they’re now making it unavailable for you and everyone else. They’re causing a particular service to fail. There’s lots of ways to do this. One way is to take advantage of a design vulnerability, maybe a failure that’s in a particular piece of software. And this is why we always tell you to patch your applications and patch your operating systems. Because if there’s a problem in that operating system that can cause it to crash, the bad guys could take advantage of that and cause a denial of service.
Sometimes a denial of service is just an overwhelming of a service. The service is working normally. There’s no vulnerabilities. There’s no security patches required. It’s just so many people hitting a site all at once caused the service to be denied. This could also be a smokescreen for other problems. For example, someone could cause a denial of service to a DNS server. And that way the bad guys can create their own DNS servers to control where people are going.
This doesn’t have to be a complicated method. It could be something as simple as turning off the power to a building. That would certainly cause a denial of service.
Sometimes a denial of service isn’t something that’s happening maliciously, but it is causing problems for people trying to gain access to that service. One might be something like a network-based denial of service. Somebody creates a loop. Don’t have spanning tree enabled on your switches. And now nobody can communicate on your network.
Maybe it’s a denial of service because you don’t have enough bandwidth. And now everybody’s trying to download something all at once. Everything slows to a crawl, and nobody’s able to get anything done. And one type of denial of service that I’ve had to deal with is a waterline breaking in a computer room. That could certainly be a problem that might cause a denial of service for a large group of people.
A distributed denial of service is one where the service is being denied. And it’s being denied because the attack is coming from many places all at the same time. There could be an army of botnets that have been programmed to take down a website. They come from many different locations. And it becomes almost impossible to stop all of these, because there are so many different places that they’re coming from. This is why the bad guys have spent so much time infecting these computers with these botnets, so they can then control them and tell them exactly where they’d like them to go.
One characteristic of a DDoS attack is that the people that are doing the attacking often don’t have anywhere close to the resources of the person who’s being attacked. But because so many different devices are all doing this at the same time, they’re taking advantage of their strength in numbers to cause a problem with the person that’s being attacked.
Another technique that the DDoS attackers like to use is amplification. They can send a very small attack, but by the time it reaches you it has become very, very large. They’re usually reflecting this attack off a third party service to increase the total size of the attack when it gets to you. This is becoming a very common technique that we’re seeing with distributed denial of service attacks. These amplification attacks are able to work because some of these older protocols were not created with any type of security in mind. So protocols like network time protocol, DNS, ICMP, those are protocols that people have been able to abuse and amplify these attacks against a third party.
Here’s how an amplification attack would look from a DNS perspective. This is the DNS records that are associated with ISC.org. And you can see in those records they have DNS key records. You can see these DNS keys are quite long, because these are keys used for security. You can simply ask for the DNS key. And the response that you’re getting for the DNS key is going to be quite large. So the bad guys are able to take advantage of that. They can ask for a very little piece of information on the inbound but end up with much more information coming back.
A distributed denial of service attack is usually going to start with someone in command. This is our botnet command and control. And this is the person that’s in charge of the botnet. They’re going to send a message in to the botnet. Usually this is in some type of centralized messaging service. All the botnets are listening in to see if there’s any commands to be run. When they send those commands in, the botnets will receive the commands. And then they’ll begin to act.
This particular DNS amplification denial of service is going to send a request to open DNS resolvers that might be out on the internet. But it’s going to spoof the person who’s sending the request. Instead of coming from the botnet, they’re going to spoof it and say that the request really came from the web server.
They’re going to send those requests in. They might go to multiple DNS resolvers. Since we’re asking for the DNS key or some other large piece of information, that very small request ended up being a very large response. And now we can see that that large response– since it was spoofed from that web server, the response is going to go to the web server. And now they were able to send a little bit of information into a DNS server, get a relatively large response, and easily bring down this web server with a distributed denial of service attack.