Denial of Service Attacks
| Threat Type | Threat To | Potential Impact | Likelihood |
|---|---|---|---|
| Denial of Service Attacks | Infrastructure, Public Confidence, Agency Confidence | Medium/High | High |
Summary
Denial of service attacks can effectively shut down web servers and can damage Internet infrastructure. Until recently they have been acts of vandalism, but they are coming to be used for extortion.
Mechanism
In a denial of service (or DoS) attack, a target machine is flooded with requests it cannot meet. The requests may be structured to waste resources on the target machine or to exploit weaknesses in its software. Whether or not this is successful, the sheer volume of traffic may overwhelm the target machine and its link to the Internet.
Sending large volumes of attacking traffic requires resources and may also be traceable. Attackers get round this by using other people's computers as intermediaries. Many such computers can be used, which greatly amplifies the volume of the attack, gets someone else to pay for the resources used, and hides the perpetrator very well. This is called a distributed denial of service (DDoS) attack.
To mount a DDoS, an attacker needs a supply of well-connected machines that will do his or her bidding. With the rise of consumer broadband, and the traditional base of machines in universities, there are large numbers of machines with permanent high-volume Internet connections. Some of these are not well secured. Attackers can gain control of such machines by cracking them individually. There is also evidence that many of the viruses which have flooded the Internet are designed, in part, to provide a "back door" into large numbers of machines so that an attacker can get the machine to participate in a DDoS [Worms pour through MyDoom back door, The Register, 10 February 2004, http://www.theregister.co.uk/content/56/35450.html] or to send spam.
In February 2000, DDoS attacks crippled the web sites of Yahoo, Amazon and CNN. [Yahoo Attributes a Lengthy Service Failure to an Attack, New York Times, 8 February 2000.] The perpetrator, a Canadian teenager, was identified nearly 12 months later after he bragged about it. ['Mafiaboy' hacker jailed, BBC, 13 September 2001.] Other attacks have been made on Internet infrastructure. In October 2002 the largest DDoS attack seen at the time degraded operations of the Domain Name root servers [Massive DDoS Attack Hit DNS Root Servers, Internet News, 23 October 2002.], which are a key part of the Internet infrastructure. Observers noted that the attack, while huge, was poorly focussed and had the potential to do more damage than it actually did. [Comments by Paul Vixie, one of the architects of the Domain Name System.] Since this attack, more root servers have been commissioned and further steps have been taken to protect them.
Attacks have continued, and most attackers have not been caught. Sometimes attacks have caused problems to businesses, especially those which rely on their Internet presence. Extortion is a recent trend. Attackers, claiming to be Russian mafia, have crippled payment sites and demanded payment to desist. [E-commerce targeted by blackmailers, BBC, 26 November 2003.] They have threatened Internet sports gambling sites that they will attack during major sporting fixtures. [Super Bowl fuels gambling sites' extortion fears, Infoworld, 29 January 2004.] Some arrests have been made but this problem persists.
Virus writers can also use their creations to launch a DDoS attack. The MyDoom worm of February 2004 caused each machine it infected to repeatedly reload a particular website, which then had to be removed from the web. A later variant of this virus attacked Microsoft's web page, but was unsuccessful in removing it from the web. [Microsoft Unfazed by MyDoom's DDoS Attack, eWeek, 3 February 2004.]
Compromised machines are referred to as zombies or 'bots', after the kind of robot program they run. There are several types, including 'Agobot' and 'Phatbot'. These programs listen for instructions on specific channels on Internet Relay Chat (IRC) servers. Networks of compromised machines, or 'botnets', are made available for a price for sending spam or other nefarious purposes. [Phatbot arrest throws open trade in zombie PCs, The Register, 12 May 2004.]
Comment
Denial of service attacks can stop the websites of all but the most well-resourced companies. This could threaten the very existence of smaller e-tailers. It has gone beyond a nuisance and is becoming a serious problem with the arrival of organised crime.
Example Mitigations
Individual well-resourced sites can make some capacity provision, but this option is not available to most.
- Better pursuit and prosecution of offenders
- Rate limiting
- Anti-spoofing measures
- Black-hole routing (manipulating routing tables to get rid of traffic from certain sources)
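As an added illustration of the last two mitigations listed above (rate limiting and black-hole routing), and not code from the original page: a per-source token bucket is applied to a constructed stream of request timestamps, and any source that keeps exceeding its allowance is black-holed so that its later traffic is discarded outright. The request sample, source addresses and thresholds are all assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample traffic (not from the page): (time_ms, source_ip).
# Two ordinary clients and one source flooding at 100 requests per second.
SAMPLE_REQUESTS = (
    [(t * 500, "198.51.100.7") for t in range(10)]      # 2 req/s, normal
    + [(t * 10, "203.0.113.9") for t in range(500)]     # 100 req/s, flood
    + [(1000 * t, "192.0.2.3") for t in range(1, 5)]    # 1 req/s, normal
)


class TokenBucket:
    """Integer token bucket: tokens are kept in thousandths so that refill
    arithmetic over millisecond timestamps stays exact and reproducible."""

    def __init__(self, rate_per_s, burst):
        self.refill_per_ms = rate_per_s      # rate_per_s * 1000 / 1000 ms
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is None:
            self.last_ms = now_ms
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:             # one request costs one whole token
            self.tokens -= 1000
            return True
        return False


def filter_traffic(requests, rate_per_s=5, burst=10, blackhole_after=50):
    """Rate-limit each source; once a source has had `blackhole_after`
    requests dropped it is black-holed and all its later traffic is
    discarded without even consulting its bucket (cheap to enforce, like
    a routing-table black hole). Returns (per-source counts, black-holed set)."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_s, burst))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    blackholed = set()
    for now_ms, src in sorted(requests):
        if src in blackholed:
            stats[src]["dropped"] += 1
            continue
        if buckets[src].allow(now_ms):
            stats[src]["allowed"] += 1
        else:
            stats[src]["dropped"] += 1
            if stats[src]["dropped"] >= blackhole_after:
                blackholed.add(src)
    return dict(stats), blackholed
```

The flooding source burns its initial burst quickly, is throttled to the refill rate, and is black-holed well before the sample ends, while the two ordinary clients are never dropped.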