DDoS (Distributed Denial of Service): A DDoS attack is one that pits many machines against a single victim. An example is the attacks of February 2000 against some of the biggest websites. Even though these websites have a theoretical bandwidth of a gigabit/second, distributing many agents throughout the Internet flooding them with traffic can bring them down. Key point: The Internet is defenseless against these attacks. The best defense is for ISPs to do “egress filtering”: prevent packets from going outbound that do not originate from IP addresses assigned to the ISP. This cuts down on the problem of spoofed IP addresses. History: The original DDoS tools were clonebots used during IRC wars. See also: zombie. From Hacking-Lexicon
Trojans are often used to launch Distributed Denial of Service (DDoS) attacks against targeted systems, but just what is a DDoS attack and how are they performed?
At its most basic level, a Distributed Denial of Service (DDoS) attack overwhelms the target system with data, such that the response from the target system is either slowed or stopped altogether. In order to create the necessary amount of traffic, a network of zombie or bot computers is most often used.
Zombies or botnets are computers that have been compromised by attackers, generally through the use of Trojans, allowing these compromised systems to be remotely controlled. Collectively, these systems are manipulated to create the high traffic flow necessary to create a DDoS attack.
Use of these botnets are often auctioned and traded among attackers, thus a compromised system may be under the control of multiple criminals – each with a different purpose in mind. Some attackers may use the botnet as a spam-relay, others to act as a download site for malicious code, some to host phishing scams, and others for the aforementioned DDoS attacks.
Several techniques can be used to facilitate a Distributed Denial of Service attack. Two of the more common are HTTP GET requests and SYN Floods. One of the most notorious examples of an HTTP GET attack was from the MyDoom worm, which targeted the SCO.com website. The GET attack works as its name suggests – it sends a request for a specific page (generally the homepage) to the target server. In the case of the MyDoom worm, 64 requests were sent every second from every infected system. With tens of thousands of computers estimated to be infected by MyDoom, the attack quickly proved overwhelming to SCO.com, knocking it offline for several days.
A SYN Flood is basically an aborted handshake. Internet communications use a three-way handshake. The initiating client initiates with a SYN, the server responds with a SYN-ACK, and the client is then supposed to respond with an ACK. Using spoofed IP addresses, an attacker sends the SYN which results in the SYN-ACK being sent to a non-requesting (and often non-existing) address. The server then waits for the ACK response to no avail. When large numbers of these aborted SYN packets are sent to a target, the server resources are exhausted and the server succumbs to the SYN Flood DDoS.
Several other types of DDoS attacks can be launched, including UDP Fragment Attacks, ICMP Floods, and the Ping of Death. For further details on the types of DDoS attacks, visit the The Advanced Networking Management Lab (ANML) and review their Distributed Denial of Service Attacks (DDoS) Resources.