August 6, 2009 11:00 PM PDT

FAQ: The ins and outs of DoS attacks

by Elinor Mills

Thursday's denial-of-service attack that knocked Twitter offline for a few hours and affected Facebook, LiveJournal, and Google Sites and Blogger wasn't your average attack.

Typically, someone who has a bone to pick with a specific Web site will round up some hijacked PCs and use them to try to shut the site down. In this case, whoever was responsible was trying to block access to a specific user's accounts and not the sites themselves.

Denial-of-service attacks aren't always straightforward, and this one has its own twist. Let's take a look at what happened and why.

What's a denial-of-service attack?
A denial-of-service (DoS) attack is any effort designed to interfere with access to a Web site or Internet service. A common method involves flooding a target server with so many requests that legitimate traffic cannot get through. This can shut the site down or slow it down temporarily.

Web sites aren't the only things that can be targeted in DoS attacks. Unplugging someone's computer is a very basic type of DoS attack.

What's a distributed-denial-of-service (DDoS) attack?
Because Web sites are built to handle a lot of traffic, it can take millions of simultaneous requests to degrade a server's performance enough for an attack to have an effect. In a DDoS attack, tens of thousands or even millions of computers are used to send traffic to the target site all at the same time and repeatedly. As Sophos' Graham Cluley wrote on his blog: "It's a bit like 15 fat men trying to get through a revolving door at the same time--nothing can move."

What's a botnet?
The hijacked PCs that are used in a DDoS attack make up a botnet. The individual computers are called "bots," "zombies" or "slaves" and are controlled remotely by the "master" attacker. The attacker relays instructions to the bots via a command-and-control server, typically using IRC (Internet Relay Chat). Botnets are also used to distribute spam. Some newer botnets, like one created by a version of Conficker, relay instructions via peer-to-peer networking.

How does an innocent PC become a bot?
There are different ways a criminal can get programs onto computers in order to turn them into bots they can control. Often, criminals send spam with attachments containing malware or links to Web sites hosting malware. The malware--typically a worm, Trojan horse, or backdoor--is installed on the computer when the attachment is opened or the link is clicked. Many computers are compromised by drive-by downloads, in which hidden malware on a Web site exploits Web browser vulnerabilities and is downloaded onto the visitor's computer without their knowledge.

Computer users usually have no idea that their computer has been compromised, and botnet operators like it that way so they can keep using the bots indefinitely. Now, criminals who don't want to do the grunt work necessary to compromise an army of machines can just lease one. A recent study by Finjan found that an underground network was offering to let criminals rent a botnet for as little as 5 cents to 10 cents per bot.

What happened in the DDoS that caused the Twitter outage this week?
While most DoS attacks are designed to take down a specific Web site, Thursday's DDoS attack targeted someone who has accounts on several sites: a Georgian blogger who uses the account name "Cyxymu" and who has accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube. The affected companies worked together to investigate the attacks and discovered that Cyxymu was the common thread linking the sites. An investigation into who launched the attack and why is pending.

In a clear and simple way, this Cisco graphic shows the relationship of the parties in a DDOS attack.

(Credit: Cisco)

How many bots are needed to take down a Web site?
The number depends on how many resources (servers and bandwidth) the target site has. It can take 25,000 to 50,000 bots to cripple a typical site, and 10,000 or fewer for a small Web site, according to Kevin Stevens, a security researcher for SecureWorks' Counter Threat Unit.

It's difficult to know exactly how big any particular botnet is and guesses vary widely. For example, estimates of the Conficker botnet ranged from 500,000 PCs to 10 million.

Who launches a DoS and why?
Unless someone takes credit, it's nearly impossible to find out who is responsible for a DoS attack. Often attackers will send traffic through proxies so there is no direct link to the source, even if investigators can get hold of a bot used in an attack and dissect its code. Bots also may be located in another country.

The first big DDoS attack, in February 2000, took down some of the Web's most popular sites for hours, including Yahoo, CNN, eBay, Amazon.com, Buy.com, and E*Trade. The U.S. Federal Bureau of Investigation promptly held a news conference to discuss the disruption to the Internet and eventually tracked down the perpetrator, 15-year-old "Mafiaboy," after he bragged about it to friends online.

Mafiaboy was most likely trying to get attention, as script kiddies do when they deface Web sites. Other attackers have different agendas. For instance, there are politically motivated DDoS attacks, such as those involving Russian and Georgian sites last year. Estonian sites were attacked in 2007. Meanwhile, the origin of recent DDoS attacks targeting U.S. government sites and sites in South Korea remains a mystery.

What kind of damage can a DoS attack do?
A DoS can make a Web site completely inaccessible to anyone for a period of time, like the most recent attack did with Twitter. Or it can be equivalent to a hiccup, slowing down page loads or affecting only part of the site.

Sites that aren't in the direct line of fire can also be affected. For example, if a company that is attacked is hosting images or content that is fed to other sites, those other sites may have trouble. So many sites feature Twitter updates that it's likely some of those associated sites were impacted when Twitter was down and the ancillary sites' requests for updates went unanswered.
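The collateral damage just described has a standard engineering answer: never let a request to a third-party feed hang a page render. The code below is an added example, not code from the article or from any of the companies it names. It wraps a hypothetical `fetch` call to an upstream widget provider in a circuit breaker that, after a few consecutive timeouts, stops calling the upstream for a cooldown period and serves a fallback immediately; the outage scenario and the fake clock are constructed so the example runs offline and deterministically.

```python
import time


class CircuitBreaker:
    """After `max_failures` consecutive upstream timeouts, stop calling the
    upstream for `cooldown` seconds and return the fallback immediately;
    once the cooldown expires, let a single probe call through (half-open)
    and resume normal operation only if that probe succeeds."""

    def __init__(self, max_failures=3, cooldown=20.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.cooldown = cooldown
        self.clock = clock          # injectable so the scenario below is deterministic
        self.failures = 0
        self.open_until = None      # None = closed (normal operation)

    def call(self, fetch, fallback):
        now = self.clock()
        if self.open_until is not None:
            if now < self.open_until:
                return fallback, "open"      # fail fast: nothing waits on the upstream
            self.open_until = None           # half-open: one probe may go through
        try:
            result = fetch()
        except TimeoutError:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.open_until = now + self.cooldown
            return fallback, "fallback"
        self.failures = 0
        return result, "ok"


class FakeClock:
    """Manually advanced clock so the scenario runs instantly and repeatably."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(down_for=4, rounds=9, step=10.0):
    """Constructed scenario: the hypothetical upstream times out for its first
    `down_for` calls, then recovers; a page render runs every `step` seconds.
    Returns the breaker state seen on each render and the number of upstream
    calls actually made (without the breaker it would equal `rounds`)."""
    clock = FakeClock()
    breaker = CircuitBreaker(max_failures=3, cooldown=20.0, clock=clock)
    calls = {"n": 0}

    def fetch():  # stand-in for the real HTTP request to the widget provider
        calls["n"] += 1
        if calls["n"] <= down_for:
            raise TimeoutError("upstream did not answer within the timeout")
        return ["latest update"]

    states = []
    for _ in range(rounds):
        _, state = breaker.call(fetch, fallback=[])
        states.append(state)
        clock.t += step
    return states, calls["n"]


if __name__ == "__main__":
    states, calls = simulate()
    print("states per render:", states)
    print("upstream calls made:", calls, "of", len(states))
```

The breaker only helps if the underlying `fetch` has a real socket timeout; a call that can block forever never raises `TimeoutError` and the breaker never opens. Serving an empty widget is the right fallback here because the feed is decoration, not the site's own content.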

How can a DDoS be prevented or stopped?
There is no surefire way to prevent a DDoS attack. However, a company can reduce its risk by buying plenty of servers and bandwidth, and hosting content on backup servers. Companies can also limit the number of connections that the Web server allows at any one time and set the firewall to block certain types of data that are used in DDoS attacks, said SecureWorks' Stevens.

In addition, companies can ask the ISP to impose bandwidth limits and to block the IP addresses serving up the attack. Some companies offer DoS detection software, and sites can configure their Web server to monitor traffic patterns and automatically ban IP addresses that could be associated with an attack.
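The "monitor traffic patterns and automatically ban IP addresses" step above, as an added example that is not from the article or from SecureWorks: a sliding-window rate detector over Common Log Format access-log lines that flags any source making more than a threshold of requests within a window, honours an allowlist, and renders (but does not run) one iptables DROP rule per flagged address. The log lines, the window, the threshold and the addresses (drawn from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [dd/Mon/yyyy:HH:MM:SS +zone] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window=timedelta(seconds=10), threshold=20, allowlist=()):
    """Flag each source IP that makes more than `threshold` requests inside any
    `window`-long interval (lines are assumed to be in time order per source,
    as an appended access log is).  One deque per IP keeps only the timestamps
    still inside the window, so memory is bounded by `threshold`, not log size.
    `allowlist` protects hosts that legitimately burst (monitors, CDN fetchers)."""
    recent = defaultdict(deque)
    flagged = {}  # ip -> time at which the threshold was crossed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a malformed line must not crash the monitor
        ip, ts = parsed
        if ip in allowlist or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = ts
    return flagged


def ban_commands(flagged):
    """Render one iptables DROP rule per flagged IP.  The commands are returned,
    not executed: a human, or an automation with its own rate limit, applies them."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


def sample_log():
    """Constructed access-log lines (not real traffic): one host hammering /,
    one ordinary visitor, and one unparseable line."""
    base = datetime(2009, 8, 6, 13, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):  # 25 requests in 5 seconds
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f'203.0.113.7 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 5120')
    for i in range(3):   # 3 requests in 4 seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(f'198.51.100.2 - - [{t.strftime(TS_FMT)}] "GET /about HTTP/1.1" 200 2048')
    lines.append("this line is not a log entry")
    return lines


if __name__ == "__main__":
    hits = find_flooders(sample_log())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
    print("\n".join(ban_commands(hits)))
```

Two caveats a practitioner would want. First, a per-source threshold catches only the noisiest bots; a real DDoS spreads its requests over thousands of addresses that each stay under any sane limit, which is why upstream filtering by the ISP matters more than host-side bans. Second, an address that looks like one flooder may be a corporate NAT or a shared proxy, so a DROP rule should expire automatically rather than live forever.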

In 2001, the White House was able to thwart a DDoS attack that was programmed into the Code Red worm by moving the site away from the targeted IP address. And in 2003, Microsoft sidestepped a DDoS that was going to be triggered by PCs infected with the Blaster worm by removing the DNS record for the targeted hostname, windowsupdate.com.

Once an attack has been launched, a company can try to redirect the attack traffic to a null route, or "black hole," according to Trend Micro's David Perry.

More information on prevention and mitigation can be found on the SANS Web site and on the US-CERT site.

What can individuals do to prevent their computers from being used in a DDoS attack?
To keep malware off a computer, people should install the latest operating system and application patches, update their antivirus and other security software, consider using auto-updates for browsers and be careful about opening up attachments and visiting Web sites.

Larry Magid of CBSNews.com has more information for consumers on his Safe and Secure blog.

Originally posted at InSecurity Complex
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Comments (10)
by k-tut August 7, 2009 4:20 AM PDT
A good description of DDOS attacks. Only one thing missing: The name of the OS on which all of these attacks are reliant. On whose computers do these botnets act?
by SIGHUP August 7, 2009 5:49 AM PDT
Prior to botnets becoming the DDoS platform of choice, most DDoS were launched from Unix boxes. The most famous of these was the Smurf attack (http://en.wikipedia.org/wiki/Smurf_attack) which used private broadcasting addresses from thousands of networks to take down their victims. It had nothing to do with any manufacturer and was just a product of someone taking advantage of a networking feature.
by aMUSICsite August 7, 2009 5:53 AM PDT
Botnets can run on any major OS. If you open yourself to a security hole and someone gets into your system they could be able to install a botnet on your machine, with any OS. Criminals can also set up botnets themselves.
by Random_Walk August 7, 2009 9:51 AM PDT
N.B. DoS != DDoS ;)
by BethJones-Sophos August 7, 2009 5:54 AM PDT
@k-tut
Why is the name of the OS important? *Nix can be used for DDOS attacks as easily as Windows. There are many Linux backdoors (not as many as Windows, I'll grant you), but it's not that difficult for hackers to harvest ssh sessions with weak passwords and then script something to cause ping floods. Most *nix installs come with nmap or similar scanning ************ which can also be used.

So it's not wholly a Windows issue. Security is all encompassing and everyone should be vigilant and patching their systems regardless of OS to do their part in preventing these types of attacks.
by MacSnob August 7, 2009 6:41 AM PDT
With all those Celeron PCs in Cuban terrorists' hands, don't you think that is enough to cause a DoS? Maybe there is a connection between the two stories.
by EvanSei August 9, 2009 7:06 PM PDT
What I would love to know is how big of an attack it would take to bring Google to its knees. If anyone could do that it would be amazing!
by edjay3 August 10, 2009 1:20 AM PDT
What about wiping and reinstalling your OS on a regular basis to make sure your PC has not been compromised?
by Dalkorian August 10, 2009 10:29 AM PDT
A typical winblows answer. What about shutting down your computer when you're not using it and/or doing some network monitoring?
by LawrenceEW August 10, 2009 4:15 PM PDT
Great info even for an average Internet user. I keep my Comodo firewall and anti-virus, and other malware software updated almost daily. I only go to sites I know are trusted. Even then I will occasionally get a Trojan that is found and removed by my security software.
Thanks again for info on DoS and botnets.