DDoS: Fighting A Zombie Apocalypse

Posted on Aug 13 2013 - 4:59pm by Chris Pentago

Zombie

DDoS attacks are the go-to option for hackers who, for some reason, need your web site or web service incapacitated, at least for some amount of time. The reasons may vary from a rival business trying to sabotage yours, to just random attacks from idle hackers, just for the fun of it.

In general, what happens to your website is that it starts receiving enormous loads of requests over a small time-span, which would, hopefully for the attackers, lead to your servers literally clogging up with information, and eventually crashing.

That kind of overload prevents your servers from responding to regular clients in time, or at all. DDoS actually stands for Distributed Denial of Service and it, as every other DoS attack has it’s final goal in temporarily or even permanently destroying the functionality of it’s target. The targets are almost always credit card payment gateways, banks or “.gov” sites.

This is due to the nature of the very hackers, who are almost in every case part of an extreme anarchistic group (government official’s term), and this is the way they try to achieve their goal, by showing the downsides of the whole governing system.

Latest events

DDoS attacks haven’t been rare, but every now and again the authorities come up with a counter-solution, and that tends to keep hackers at bay for some time, until they find a new way. The latest attacks of some bigger magnitude happened from 24th to 27th July and their targets were three bank websites bringing significant damage to their respective owners.

The perpetrator is thought to be the hacktivist group called Izz ad-Din al-Qassam Cyber Fighters, who have targeted these three banks (JPMorgan ChaseU.S. Bancorp and Regions Financial Corp.) recently.

The Regions Financial Corp. site was offline for a couple of hours or so, with even the ATM services unavailable, causing them to suffer significant revenue loss over that period. The targets they chose prove to show the nature of the attacks, of which i’ve talked above.

What exactly is a DDoS attack?

It is a type of DoS attack which includes sending huge packages of data to a certain targeted server in order to incapacitate or completely disable it for an amount of time. The first D in DDos stands for “distributed”, that means that you send this data which attacks a target not from one computer (which is a regular DoS), but from a network of bots, and we will talk about those later on.

Both of these attacks have their respective defence methods that too will be the subject of this article. DDoS are what anarchistic and groups of “hacktivists”, as they call themselves, use in their “stick it to the man” activities, meaning that they can result in serious financial damage for, basically any company or business which has a website, which is, well…everyone.

So, everyone with a site can be a target, but there is one more aspect of these attacks which makes them extremely dangerous to the overall stability, if there even is any left. What makes them so special, and why are we putting this much capital and time in building a defence for them is what is going to be the focus in this next paragraph.

The significance of these attacks

The first significant DDoS attack happened in Minnesota in 1999. Since then, most of the high-profile websites dealing with large groups of people and their needs, have been targeted by hackers.

What these attacks do is overwhelm the targeted site’s servers with extreme amounts of information and requests, causing them to stall or crash. Recently, an attack occurred, which shook the very foundations of the Internet as we know it.

Supposedly, a web-hosting company from the Netherlands launched a very powerful DDoS attack on the spamhaus.org website, and their DNS provider – CloudFlare. The attack was first aimed only against Spamhaus, but when they realized that they could not deter this attack, they contacted CloudFlare, who then took over their defence. There wouldn’t be any problems if the information packets stayed in range of the 10Gbps which they were in the beginning, but, as soon as CloudFlare took over, the amount of information got way higher, towards 30Gbps and peaking at 90Gbps.

The attacks got even larger, and when CloudFlare successfully defended against 120Gbps traffic, the attacker chose to change their strategy.

Instead of attacking the Spamhaus network providers, they chose to attack CloudFlare’s own Tier 2 network suppliers. These attacks got automatically reflected to the Tier 1 providers, and had nowhere else to go after that, since Tier 1 providers do not get connectivity from anyone. But they are the very thing that keeps the Internet as we know together, which shows how serious this attack was.

The amount of information peaked at about 300Gbps, and shook the whole internet for a certain period of time, which showed up as the fact that on 23rd March the whole of Europe had difficulties accessing websites, which, in addition to the amount of information packets, makes this the most serious DDoS attack ever recorded.

Of course, it’s rare that these attacks reach this kind of magnitude, and cause serious damage to the Internet as a whole, but this one shows how fragile the whole system is. We can now move on to the next part, which is explaining what exactly is going on during these attacks, both hardware and software-wise.

The “physiology” of an attack

Here, we will try to make the details of a DDoS attack more clear, since these things tend to look abstract to the “naked eye”. So, firstly, the attacker chooses one computer system (preferably the strongest one) and makes it the attack master.

From there, he starts sending information packets to other systems which can be compromised and taken advantage of when the attack is finally being launched.

These computers, or computer systems are called bots, or zombies, which explains the title a bit, doesn’t it?

The attacker next loads his hacking software, which is easy to find on the Internet, to these zombies and starts launching series of requests and information packages to the target website simultaneously. This overwhelms the target website’s servers with information and, if the amount is sufficient, eventually crashes them.

Of course, and you might have already guessed this, the owners of zombie computers mostly have no clue about the intrusion and misuse of their computer and IP addresses, which is a problem, since it allows the hackers to launch humongous attacks on their targets, and, as we saw earlier, endanger the whole Internet.

The tools for the defence

Defending from these attacks is a science in itself. Since regular Joes don’t have the knowledge and the tools for the trade, people have come up with certain software and services to help you keep your website and business out of harm’s way.

There is, of course, a certain difference between fighting off a regular DoS attack, and a DDoS attack. Since DoS attacks are conducted from just one, master, computer, the solution is quite obvious and simple.

You find the attacker’s IP and block it, and that should do the trick, for some time at least.

On the other hand, distributed DoS attacks are made from various computers, and, naturally, various IP addresses, simply blocking the master computer won’t do the trick. To achieve a good enough defence when or if this happens to you, you should know that there are two basic paths to go: using a general technique, or using a filtering technique.

Examples of general techniques:

  • Security patches – it is, of course, essential that you install the latest security software in order to have the best possible initial defence from any kind of attacks.
  • IP Broadcast – disable the IP broadcast from your host computer.
  • Unused services – it is strongly recommended to switch off all unused ports and applications on your server.
  • IP hopping – you might opt for switching your IP address from time to time, and from a previously collected group of IPs. That will make you a moving target.
  • Firewall – A firewall is, basically, the first line of defence against Distributed DoS, but they are fairly ineffective against more advanced types of attacks

Filtering techniques:

  • Aggressive aging – every old and inactive connection is removed after a while, and you can set how much time of that idleness is needed.
  • SYN Proxy – every bit of traffic is monitored, and only information from legitimate sources is let through.
  • Blacklisting – sending every suspicious IP address to the blacklist enables you to block all traffic coming from that IP.
  • Limiting connectivity – this means that active connections are always preferred over making new ones.
  • These are not the only techniques used, and if you feel curious, searching the web for more – will let you know more.

Services that may help

Now, using these techniques requires a certain level of knowledge, and because not all of us are computer wiz kids, there are numerous groups of people willing to help you if you by any chance end up as a victim of a DDoS attack.

I actually mentioned one before, CloudFlare. Other than them, there are a few more worth mentioning, but first here is little about CloudFlare.

CloudFlare

Their signature technique is with a method called “Anycast”. It does the following; it takes the malicious data, and spreads it all over their own data centers, thus spreading the whole attack, and absorbing it’s intensity.

It serves as a shield does in the physics of a swordfight. Basically it does the exact opposite of the very attack. And if you can respond with high enough numbers, you can parry the attack.

GlobalDots

These guys prefer using and combining various filtering techniques to ensure the maximum level of defence. I’ve talked about those techniques in the paragraph above.

They defend your servers through filtering IP addresses which are allowed to contact you in any way, while the bots, or zombies will be kicked and banned almost automatically, since there is software which can recognize these for you.

Incapsula

They use a combination of the two above mentioned. They organize a cloud defence and even out the large-scale attacks. There is a significant upside to this approach, which is that your whole network and your defence will appear offline to untrusted sources of information, which, furthermore, means that only the validated machines can access your network.

When facing a smaller-scale attack, they use standard filtering methods, and they prove sufficient most of the time because of the small numbers of information bits involved in the attack.

So, what’s the bottom line?

The Internet can be viewed as an embryo of a material projection of the collective consciousness, since it’s databases are getting ever larger, and closer to “knowing everything”.

This just shows how important it is to our own well-being, and how valuable of a tool it is in achieving great things. DDoS attacks are rarely strong enough to endanger the whole Internet, but, as i wrote in the beginning of this text, they came close one time. And it does only take one time.

So, being aware of this danger can help you endure an attack, as well as help achieving a wider sense of stability on the Internet in general. It’s needless to say that, even if the whole internet survives an attack, your machines might not, and you’ll lose revenue nevertheless, or just lose credibility with your online customers if you fall victim to a DDoS attack.

Furthermore, given that technology advances more and more every day, these attacks are bound to get bigger and bigger, and more serious as the years go by, so the bottom line is that it is of the utmost essence to keep up with the latest trends concerning this problem to enable enough protection for yourself, and the internet community in the whole.

Photo Credit: Flickr/Nivaldo Arruda

About the Author

Chris is experienced web developer/designer and computer geek interested in key technologies to make your online business perform. During his career he worked for some of the biggest Australian brands. Currently experimenting with all sorts of Unix-like operating systems and Ninefold virtual machines.