(Distributed) Denial of Service
Nick Feamster, CS 4251
Spring 2008
Distributed Denial of Service (DDoS)
[Figure: DDoS attack hierarchy: Real Attacker → Master → Daemons → Victim]
• Asymmetry comes in the form of a large farm of machines
• IP addresses no longer need to be spoofed
• February 2000: DDoS
• Traditional protection techniques no longer applicable
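The reason the traditional defences stop working is visible in a simple detection exercise. The Python below is an added example, not from the lecture; it runs two checks over constructed web-server log lines (format "second source_ip path", addresses from documentation ranges): a classic per-source rate limit, and an aggregate check on total request rate combined with the number of distinct sources in the same one-second window. A single-source flood trips the per-source limit; a flood spread over two hundred hosts, each sending one request, never does, and only the aggregate view catches it. Thresholds are illustrative assumptions.

```python
"""Added example: per-source rate limiting vs. an aggregate view of a
distributed flood. Log format (constructed): "second src_ip path"."""
from collections import Counter, defaultdict

# Constructed traffic, all within the same one-second window (second 100).
NORMAL = [f"100 192.0.2.{i} /index.html" for i in range(1, 6)]          # 5 ordinary clients
SINGLE_SOURCE_FLOOD = ["100 198.51.100.7 /index.html"] * 50               # one host, 50 req/s
DISTRIBUTED_FLOOD = [f"100 203.0.113.{i} /index.html" for i in range(1, 201)]  # 200 hosts, 1 req/s each


def parse(lines):
    """Turn "second src_ip path" lines into (second, src_ip) tuples."""
    records = []
    for line in lines:
        second, src_ip, _path = line.split()
        records.append((int(second), src_ip))
    return records


def per_source_offenders(lines, limit_per_second=20):
    """Traditional defence: flag any single source above limit_per_second.
    Returns the sorted list of offending source addresses."""
    counts = Counter(parse(lines))  # keyed by (second, src_ip)
    return sorted({ip for (_sec, ip), n in counts.items() if n > limit_per_second})


def aggregate_alert(lines, total_limit_per_second=100, min_sources=50):
    """Aggregate defence: alert when the total request rate in a second exceeds
    total_limit_per_second AND the load is spread over at least min_sources
    distinct addresses (the signature of a farm of machines rather than one
    noisy client). Returns {second: (total_requests, distinct_sources)}."""
    totals = Counter()
    sources = defaultdict(set)
    for sec, ip in parse(lines):
        totals[sec] += 1
        sources[sec].add(ip)
    return {
        sec: (totals[sec], len(sources[sec]))
        for sec in totals
        if totals[sec] > total_limit_per_second and len(sources[sec]) >= min_sources
    }


if __name__ == "__main__":
    print("single-source flood, per-source check:", per_source_offenders(NORMAL + SINGLE_SOURCE_FLOOD))
    print("distributed flood, per-source check:  ", per_source_offenders(NORMAL + DISTRIBUTED_FLOOD))
    print("distributed flood, aggregate check:   ", aggregate_alert(NORMAL + DISTRIBUTED_FLOOD))
```

The per-source check is exactly the kind of defence that worked against a single spoofing attacker and says nothing about two hundred real hosts each behaving politely; the aggregate check sees the flood but cannot tell which individual source to block, which is the core of the DDoS problem.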
DDoS Attack: Yahoo!
• February 2000
• Intermittent outages for nearly three hours
• Estimated to have cost Yahoo $500,000 due to fewer page hits during the attack
• Attacker caught and successfully prosecuted
• Other companies (eBay, CNN) attacked in the same way the following days
DDoS Attack: Microsoft
• Target of multiple DDoS attacks
• Some successful, some not
• Successful one in January 2001
– Attacked router in front of Microsoft’s DNS servers
– During attack, as few as 2% of web page requests were being fulfilled
DDoS Attack: DNS Root Servers
• October 2002, for 1 hour
– Ping flood to all 13 of the DNS root servers
– Successfully halted operations on 9
• Did not cause major impact on Internet
– DNS NS record caching at local resolvers helped
– Several root servers are very well-provisioned
DDoS: Setting up the Infrastructure
• Zombies
– Slow-spreading installations can be difficult to detect
– Can be spread quickly with worms
• Indirection makes attacker harder to locate
– No need to spoof IP addresses
What is a Worm?
• Code that replicates and propagates across the network
– Often carries a “payload”
• Usually spread via exploiting flaws in open services
– “Viruses” require user action to spread
• First worm: Robert Morris, November 1988
– 6-10% of all Internet hosts infected (!)
• Many more since, but none on that scale until July 2001
Example Worm: Code Red
• Initial version: July 13, 2001
• Exploited known ISAPI vulnerability in Microsoft IIS Web servers
• 1st through 20th of each month: spread; 20th through end of each month: attack
• Payload: Web site defacement
• Scanning: Random IP addresses
• Bug: failure to seed random number generator
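The seeding bug deserves a closer look, because it is the same pitfall that bites any program relying on a pseudo-random generator. A PRNG that is never seeded starts from a fixed default state, so every copy of the program produces the identical "random" sequence; in the initial Code Red every infected host therefore worked through the same addresses and duplicated each other's effort. The Python below is an added example, not from the slides: it models unseeded generators with `random.Random(1)` (a constant seed standing in for libc's default state) and properly seeded ones with a distinct seed per instance, then counts how many distinct 32-bit values a population of instances actually covers.

```python
"""Added example: why an unseeded PRNG makes many instances behave as one.
random.Random(1) with a constant seed models a generator that was never
seeded (libc rand() without srand() starts from seed 1 in the same way).
The per-instance seed in the seeded case stands in for real entropy
(time, PID, hardware randomness) that a correct program would mix in."""
import random

UNSEEDED_DEFAULT_STATE = 1  # every instance starts here when nobody calls seed()


def sequence(seed, n):
    """First n 32-bit values from a generator started at `seed`."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def distinct_values(instances, draws, seeded):
    """Number of distinct values produced when `instances` independent copies
    of a program each draw `draws` values.

    seeded=False: every copy starts from the same default state, so their
    sequences are identical and the union is no larger than one copy's output.
    seeded=True:  each copy gets its own seed, so the union grows with the
    number of copies (minus rare birthday collisions in a 2**32 space)."""
    seen = set()
    for i in range(instances):
        seed = (1000 + i) if seeded else UNSEEDED_DEFAULT_STATE
        seen.update(sequence(seed, draws))
    return len(seen)


def coverage_ratio(instances, draws, seeded):
    """Fraction of the theoretical maximum (instances * draws) actually covered."""
    return distinct_values(instances, draws, seeded) / (instances * draws)


if __name__ == "__main__":
    for seeded in (False, True):
        print(f"seeded={seeded}: {distinct_values(100, 50, seeded)} distinct values "
              f"from 100 instances x 50 draws (coverage {coverage_ratio(100, 50, seeded):.3f})")
```

With 100 unseeded instances the population covers only 50 values, the output of a single copy; seeding gives close to the full 5,000. The defensive lesson is the general one: any tool that relies on randomness (probe scheduling, session identifiers, nonces) must seed from a real entropy source, or every deployment shares one predictable sequence.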
Why Denial-of-Service “Works”
• Asymmetry: generating a request is cheaper than formulating a response
• One attack machine can generate a lot of requests, and effectively multiply its power
• Not always possible to achieve this asymmetry