Of course, this isn’t something you should try at home.
You’ve just arrived home after a long work day, so long in fact that night has already set in. You wander a bit through the darkness, turn on the lights, grab two slices of bread, and put them into that old, creaking toaster. It’s nothing fancy, just a quick and dirty snack until you undress, unwind and cook a proper dish.
The moment you push down on the button to toast the bread, you hear a loud pop, and all of the lights suddenly go out.
“Damn, the fuse blew.”
Because the toaster was faulty, it drew far more current than the electrical installation was designed to handle. That blew the fuse and shut the whole installation down.
A nearly identical process takes place in DDoS attacks. Replace “electrical current” with “information”, and “installation” with the term “information processor”, and you’ve already understood the basic principle.
What does DDoS stand for?
A DDoS attack is short for “Distributed Denial of Service”, and is the bigger brother of simpler denial-of-service attacks.
The point of these attacks is to take down a website or service, typically by flooding it with more traffic than it can process.
A DoS attack sends that traffic from a single source (a PC or some other Internet-connected device), whereas a DDoS attack uses thousands, or hundreds of thousands, of sources at once. That makes it a few orders of magnitude more powerful than its smaller sibling, and much harder to block, since there is no single address to filter.
Measuring the strength of a DDoS
According to this study, 82% of attacks last less than 4 hours. In terms of volume, 34% fall between 100 Mbps and 1 Gbps, and only 5.3% exceed 10 Gbps. (Attack volume is conventionally measured in bits per second, not bytes.)
A 1 Gbps denial-of-service attack is enough to take down most of the websites out there, since their hosting simply doesn’t have the bandwidth to keep the site reachable.
One of the biggest ever recorded was the Mirai botnet attack of autumn 2016, estimated at over 1 terabit per second (Tbps). It overwhelmed the DNS provider Dyn, and the effect cascaded: major websites such as Reddit and Twitter, which relied on Dyn for name resolution, became temporarily unreachable.
Nowadays even beginners who can’t code to save their life (script kiddies) can rent large botnets capable of flooding a target at 100 Gbps. This threat isn’t going away; quite the contrary, it will only become more powerful and more widely accessible than before.
Why would anybody do this?
Compared to other kinds of cyber attacks, DDoS attacks are noisy and destructive, and they yield nothing the attacker can sell, no stolen data and no access, so they rarely pay for themselves directly.
So cybercriminals tend to use them as a blunt weapon against competitors, for instance to bring down a site hosting a cybersecurity tool, or a small online shop operating in the same niche.
In other cases, malicious hackers use them for extortion: the victim has to pay a fee for the denial of service to stop, or to prevent a threatened one.
A DDoS attack can also act as a smokescreen, hiding the real endgame, such as infecting the target with malware or extracting sensitive data while the defenders are busy keeping the site up.
And in what is a frequent scenario, the attacker might not even have a motive. They just do it for the “giggles”, to test their abilities or simply to cause mayhem.
How to DDoS someone, cybercriminal style
There’s more than one way of carrying out a denial-of-service attack. Some methods are easier to execute than others, but not as powerful. Other times the attacker wants to go the extra mile, to make sure the victim gets the message, and hires a dedicated botnet to carry out the attack.
A botnet is a collection of computers or other Internet-connected devices that have been infected with malware and now follow the orders of a central computer, the command-and-control (C2) server.
The big botnets have a web of millions of devices, and most of the owners have no clue their devices are compromised.
Usually, botnets are used for a wide variety of illegal activities, such as pushing out spam emails, phishing or cryptocurrency mining.
Some however, are available to rent for the highest bidder, who can use them in whatever way seems fit. Often times, this means a DDoS attack.
DDoS programs and tools
Small-scale hackers without access to a botnet have to rely on their own computers. This means using specialized tools that direct Internet traffic at a chosen target.
Of course, the amount of traffic an individual computer can send is small, but crowdsource a few hundred or a few thousand users, and things suddenly grow in scope.
This tactic has been employed successfully by Anonymous. In short, they put out a call to their followers asking them to download a particular tool and be active on a messaging channel, such as IRC, at a particular time. The participants then attack the target website or service simultaneously, bringing it down.
Here’s a sample list of tools that malicious hackers use to carry out denial of service attacks:
- Low Orbit Ion Cannon, shortened to LOIC.
- HULK (HTTP Unbearable Load King).
- DDOSIM – Layer 7 DDoS Simulator
- Tor’s Hammer.
How to DDoS an IP using cmd
One of the most basic denial-of-service methods is the ping flood, which needs nothing more than the ping utility in the Command Prompt to bombard an IP address with ICMP echo requests as fast as the sender’s connection allows. It is often mislabelled the “ping of death”, but that name belongs to a 1990s attack in which a single oversized, malformed ping packet crashed the receiving operating system, a bug long since fixed.
Because of its small scale and basic nature, a ping flood works best against small targets. For instance, the attacker can go after:
a) A single computer. For this to succeed, the attacker must first find out the device’s IP address.
b) A home wireless router. Flooding the router saturates its connection, so it can no longer carry Internet traffic for the devices behind it. In effect, this cuts the Internet access of every device that uses the router.
Either way, the attacker first needs the victim’s IP address, which is usually easy to obtain.
A ping flood from one machine is limited by that machine’s upload bandwidth, so it is mostly effective against individual devices. However, if a handful of computers join in, they can bring down a small website that has no infrastructure for absorbing the extra traffic.
Using Google Spreadsheet to send countless requests
An attacker can abuse Google Sheets to make Google’s own servers fetch a large image or PDF from the victim’s website over and over. The spreadsheet’s IMAGE() function downloads whatever URL it is given, and by appending a different random parameter to the URL in each cell the attacker sidesteps Google’s cache, so every evaluation is a fresh full download of the file.
The resulting stream of downloads saturates the site’s outbound bandwidth, leaving nothing for real visitors.
Unlike other denial-of-service tactics, this one doesn’t push large packets at the website; it sends small requests and lets the victim’s own server do the heavy lifting by sending back large responses.
In other words, the attacker doesn’t need a sizeable botnet or thousands of volunteers to achieve a similar effect, because Google’s fetcher supplies the bandwidth.
Teardrop attacks
In most cases the data exchanged between a client and a server is too big to fit in a single packet. So it is broken into smaller pieces, IP fragments, and reassembled once it reaches the destination.
The receiving host knows the order of reassembly from a field in each fragment’s header called the fragment offset, which states where in the original datagram the fragment’s bytes belong. Think of it as the step numbers in the instructions for a LEGO set.
A teardrop attack sends fragments whose offsets make no sense: they overlap, so that one fragment claims to begin in the middle of another. A vulnerable IP stack tries, and fails, to put the pieces together according to the malicious offsets, corrupting its buffers or eating memory until it grinds to a halt, taking the website down with it. Teardrop exploited a bug in 1990s network stacks (Windows 95 and NT, early Linux) that has long since been patched; modern stacks reject overlapping fragments instead of trusting the offsets.
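The offset checks a safe reassembler has to make fit in a few dozen lines. The Python below is an added example, not code from the article: it splits a constructed payload into fragments, reassembles them, and rejects a teardrop-style pair whose second fragment claims to start inside the first. The Fragment class and the fragment/reassemble helpers are this example’s own, not any real IP stack’s API.

```python
"""IP fragment reassembly with the offset checks that defeat a teardrop attack.
Added example (not from the original article): a toy reassembler operating on
constructed fragments, no raw sockets involved."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    offset: int     # byte position of this piece inside the original datagram
    more: bool      # IPv4 "more fragments" flag: set on every piece except the last
    data: bytes


def fragment(payload: bytes, mtu: int) -> List[Fragment]:
    """Split a payload into well-formed, non-overlapping fragments of at most `mtu` bytes."""
    if mtu <= 0:
        raise ValueError("mtu must be positive")
    pieces = [payload[i:i + mtu] for i in range(0, len(payload), mtu)]
    return [Fragment(i * mtu, i < len(pieces) - 1, chunk) for i, chunk in enumerate(pieces)]


def reassemble(fragments: List[Fragment], max_size: int = 65535) -> Optional[bytes]:
    """Return the original payload, or None if the fragment set is malformed.

    A stack that trusts the offsets blindly is what teardrop exploited. Before
    copying anything we require that:
      - no fragment reaches past the maximum datagram size,
      - fragments neither overlap nor leave holes,
      - exactly the last fragment has the "more fragments" flag cleared.
    """
    if not fragments:
        return None
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected_end = 0
    for i, frag in enumerate(ordered):
        end = frag.offset + len(frag.data)
        if frag.offset < 0 or end > max_size:
            return None                     # offset points outside the datagram
        if frag.offset < expected_end:
            return None                     # overlaps the previous fragment: teardrop pattern
        if frag.offset > expected_end:
            return None                     # hole: a fragment is missing
        is_last = i == len(ordered) - 1
        if frag.more == is_last:
            return None                     # "more" flag inconsistent with position
        expected_end = end
    return b"".join(f.data for f in ordered)


def teardrop_fragments() -> List[Fragment]:
    """Constructed teardrop-style pair: the second fragment claims to start inside the first."""
    return [Fragment(0, True, b"A" * 400), Fragment(300, False, b"B" * 200)]


if __name__ == "__main__":
    payload = bytes(range(256)) * 4
    print("well-formed:", reassemble(fragment(payload, 300)) == payload)
    print("teardrop   :", reassemble(teardrop_fragments()))
```

The important design choice is to validate the whole set before copying a single byte: a stack that copies as fragments arrive and only notices the overlap halfway through is the one that ends up with a negative length or an over-long memcpy.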
Amplifying a DDoS attack
To get the most out of every byte they send, malicious hackers will sometimes amplify the flood with a DNS reflection attack.
This is a multi-step process:
- The attacker forges the source IP address of his packets so that they appear to come from the victim (IP spoofing, which UDP does nothing to prevent).
- Using that forged source, he sends countless DNS queries to open DNS resolvers, resolvers that answer queries from anyone on the Internet instead of only their own customers.
- Each resolver processes the query and sends its reply to the victim, whose address it believes it saw. The reply is much bigger than the query that triggered it.
What happens during amplification is that every byte of query becomes 30 or 40 bytes of response, sometimes even more. Drive this through a botnet of a few thousand computers, and the victim can end up receiving 100 Gbps of traffic.
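To see where the 30- to 40-fold figure comes from, the Python below (an added example, not from the article) encodes a DNS query for example.com and a plausible response to it in wire format and compares their sizes, including the 28 bytes of IP and UDP headers each datagram carries on the wire. The record set is constructed: the DNSKEY and RRSIG entries are byte blobs of the size a 2048-bit RSA key and signature would occupy, which is also why the CloudFlare post further down singles out DNSSEC records as amplification fodder. Nothing is sent and no address is forged.

```python
"""Encode a DNS ANY query and a plausible response for it, then measure the amplification
an open resolver would deliver to a spoofed source address. Added example on constructed
records; no packets are sent."""
import struct

QTYPE_A, QTYPE_NS, QTYPE_MX, QTYPE_TXT = 1, 2, 15, 16
QTYPE_RRSIG, QTYPE_DNSKEY, QTYPE_ANY = 46, 48, 255
IP_UDP_OVERHEAD = 28          # 20-byte IPv4 header + 8-byte UDP header on every datagram


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """12-byte header (RD flag set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name: str, qtype: int, answers, txid: int = 0x1234) -> bytes:
    """Header (QR, RD, RA set), the echoed question, then one RR per (rtype, rdata) pair.
    Owner names are written in full; real servers compress them, which shrinks the reply a little."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes put on the wire toward the victim per byte the attacker sends."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


def example_any_exchange(name: str = "example.com"):
    """Constructed zone contents for an ANY query: a small DNSSEC-signed zone."""
    def txt(s: str) -> bytes:          # one TXT character-string: length byte + text
        return bytes([len(s)]) + s.encode("ascii")

    answers = [
        (QTYPE_A, bytes([192, 0, 2, 10])),
        (QTYPE_TXT, txt("v=spf1 ip4:192.0.2.0/24 -all")),
        (QTYPE_MX, struct.pack("!H", 10) + encode_name("mail." + name)),
        (QTYPE_DNSKEY, bytes(264)),    # size of a 2048-bit RSA DNSKEY rdata (content constructed)
        (QTYPE_RRSIG, bytes(287)),     # size of the matching RRSIG rdata (content constructed)
        (QTYPE_NS, encode_name("ns1." + name)),
        (QTYPE_NS, encode_name("ns2." + name)),
    ]
    query = build_query(name, QTYPE_ANY)
    response = build_response(name, QTYPE_ANY, answers)
    return query, response, amplification_factor(query, response)


if __name__ == "__main__":
    q, r, factor = example_any_exchange()
    print(f"query {len(q)} bytes, response {len(r)} bytes, on-wire amplification x{factor:.1f}")
```

A 57-byte datagram on the wire comes back as an 856-byte one here, a factor of 15; factors of 30 and above come from zones with more or larger records and from EDNS0, which lets the reply grow to several kilobytes. The encoder also shows the defensive levers: authoritative servers can answer ANY minimally (RFC 8482), resolvers should be closed to outside clients, and response rate limiting caps how many replies one source address can trigger.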
The types of DDoS attacks
Denial-of-Service attacks fall in two broad categories, depending on their main attack vector:
- Application Layer.
- Network Layer.
Network Layer attacks
A network layer attack works by flooding the infrastructure that hosts a website with vast amounts of data, exhausting its bandwidth or its capacity to track connections rather than the web application itself.
Many providers nowadays advertise “unmetered” bandwidth, meaning you should theoretically never have to worry about excessive traffic taking down your site. However, this “unmetered” bandwidth comes with strings attached.
To put things into perspective, a website with some 15,000 monthly pageviews and hundreds of pages needs around 50 gigabytes of transfer per month to operate, and that traffic is spread over the whole month. A flood of just 100 Mbps delivers roughly 45 gigabytes per hour, so a site like this has no chance of staying online if a DDoS rams it with 30 or 40 gigabytes in a one-hour period.
As a self-defense measure, the hosting provider will simply take your site offline (typically by null-routing its IP address) until the traffic normalizes. Although this might seem cold, it prevents spill-over effects on the provider’s other customers.
Network layer attacks themselves come in multiple shapes and sizes. Here are a few of the more frequent ones:
- SYN floods. SYN is shorthand for “synchronize”: it is the first packet of TCP’s three-way handshake, sent by a client (such as a PC) to open a connection. The server replies with a SYN-ACK and keeps a half-open entry in memory until the client’s final ACK arrives. A SYN flood sends SYNs at a high rate, usually from forged source addresses, and never completes the handshake, so the server’s table of half-open connections fills up and genuine clients are turned away.
- DNS reflection, described above.
- UDP amplification attacks, which use other UDP services with large replies (NTP, SSDP, memcached) the same way DNS reflection uses resolvers.
An upside to this kind of attack, if you can call it that, is that the huge amounts of traffic involved makes it easier for victims to figure out what kind of denial of service they’re facing.
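A SYN flood and the state-free defence against it, as an added Python example (not from the article). Both listeners are simulations driven by constructed addresses; no sockets are opened. The CookieListener follows the Linux SYN-cookie layout (5 bits of coarse time, 3 bits of MSS index, 24 bits of keyed hash) in simplified form, with HMAC-SHA256 standing in for the kernel’s hash; the key and every address are made up.

```python
"""SYN flood against two listeners: one that stores half-open connections, and one that uses
SYN cookies so it stores nothing until the handshake completes. Added example with constructed
traffic (no sockets); the cookie layout follows the Linux scheme, simplified."""
import hashlib
import hmac


class StatefulListener:
    """Classic listener: every SYN occupies a backlog slot until the client's ACK arrives."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = {}      # (client_ip, client_port) -> server ISN
        self.dropped = 0
        self._isn = 1000

    def on_syn(self, ip, port, client_isn):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1    # backlog full: legitimate SYNs are dropped along with the flood
            return None
        self._isn = (self._isn + 64000) & 0xFFFFFFFF
        self.half_open[(ip, port)] = self._isn
        return self._isn

    def on_ack(self, ip, port, seq, ack):
        isn = self.half_open.pop((ip, port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class CookieListener:
    """SYN-cookie listener. The server ISN is a keyed hash of the connection tuple plus a coarse
    timestamp, so the ACK can be validated without any per-SYN state:
    5 bits of time | 3 bits of MSS index | 24 bits of MAC."""
    MSS_TABLE = (536, 1220, 1440, 1460)

    def __init__(self, key: bytes):
        self.key = key
        self.clock = 0           # coarse time; Linux advances its counter every 64 seconds

    def _mac(self, ip, port, client_isn, t):
        msg = f"{ip}:{port}:{client_isn}:{t}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, ip, port, client_isn, client_mss=1460):
        idx = max((i for i, m in enumerate(self.MSS_TABLE) if m <= client_mss), default=0)
        t = self.clock & 0x1F
        return (t << 27) | (idx << 24) | self._mac(ip, port, client_isn, t)   # nothing stored

    def on_ack(self, ip, port, seq, ack):
        """Return the negotiated MSS if the ACK carries a valid cookie, else None."""
        cookie = (ack - 1) & 0xFFFFFFFF
        t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        if (self.clock - t) & 0x1F > 1:
            return None          # cookie older than one tick: stale or replayed
        client_isn = (seq - 1) & 0xFFFFFFFF     # the ACK's sequence number is the client ISN + 1
        if mac != self._mac(ip, port, client_isn, t):
            return None          # forged ACK, or a cookie minted for another tuple
        return self.MSS_TABLE[idx]


def spoofed_syn_flood(listener, count):
    """SYNs from forged sources that never complete the handshake (constructed addresses)."""
    for i in range(count):
        listener.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, i * 7919)


def legitimate_handshake(listener, ip="203.0.113.7", port=40000, client_isn=123456789):
    isn = listener.on_syn(ip, port, client_isn)
    if isn is None:
        return False             # SYN dropped: the flood has exhausted the backlog
    return bool(listener.on_ack(ip, port, client_isn + 1, isn + 1))


if __name__ == "__main__":
    stateful = StatefulListener(backlog=256)
    spoofed_syn_flood(stateful, 2000)
    print("stateful listener, client connects:", legitimate_handshake(stateful))
    cookies = CookieListener(key=b"constructed-secret")
    spoofed_syn_flood(cookies, 2000)
    print("cookie listener,   client connects:", legitimate_handshake(cookies))
```

Kernels switch to cookies automatically when the backlog overflows (net.ipv4.tcp_syncookies=1 on Linux). The price is that TCP options which do not fit in the cookie can be lost for connections accepted that way, which is why it is a fallback under attack rather than the normal path, and why a flood large enough to saturate the link still needs upstream filtering.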
Application layer attack
Application layer attacks are much more surgical in nature compared to network ones. These work by targeting certain programs or software that a website uses in its day-to-day functioning.
For instance, an application layer attack will target a site’s WordPress installation, its PHP scripts or its database connections.
This software can’t handle anything like the load the network infrastructure can, so even a comparatively small flood, a few hundred requests per second or a few megabits per second, can take it down.
The typical application layer DDoS is the HTTP flood, which abuses one of two HTTP methods, GET or POST. A GET request simply retrieves content, like the web page itself or an image on it.
POST requests are more resource intensive, since they carry data the server has to process, typically running application code and writing to the database.
An HTTP flood generates far more requests than the application can handle, so it falls over and takes the entire site down with it. Because each request looks like a legitimate visit, these floods are much harder to tell apart from real traffic than a volumetric flood is.
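One of the standard mitigations for an HTTP flood is a per-client rate limit in front of the application that charges expensive methods more. The Python below is an added example, not from the article: a token-bucket limiter run over a constructed request stream of twenty ordinary visitors and one client sending 50 POSTs per second. Capacity, refill rate and the GET/POST costs are assumptions to be tuned per site.

```python
"""Per-client token bucket for HTTP floods, charging POST more than GET because POST usually
drives application code and the database. Added example on a constructed request stream:
20 ordinary visitors and one client hammering the site with POSTs. No sockets, no real server."""
from collections import defaultdict

COST = {"GET": 1, "POST": 5}     # tokens per request; unknown methods cost 1


class TokenBucketLimiter:
    def __init__(self, capacity=30, refill_per_sec=2.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}        # client -> (tokens, timestamp of last update)

    def allow(self, client, method, now):
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = COST.get(method, 1)
        if tokens >= cost:
            self.buckets[client] = (tokens - cost, now)
            return True
        self.buckets[client] = (tokens, now)
        return False             # caller answers 429 and never touches the application


def constructed_requests(seconds=10, visitors=20, flood_client="198.51.100.77", flood_rps=50):
    """(timestamp, client_ip, method) tuples: each visitor sends one request per second,
    a POST every fifth second; the flood client sends flood_rps POSTs per second."""
    reqs = []
    for s in range(seconds):
        for v in range(visitors):
            reqs.append((s + v / visitors, f"203.0.113.{v + 1}", "POST" if s % 5 == 0 else "GET"))
        for k in range(flood_rps):
            reqs.append((s + k / flood_rps, flood_client, "POST"))
    reqs.sort(key=lambda r: r[0])
    return reqs


def apply_limiter(requests, limiter):
    """Return per-client counts of allowed and denied requests."""
    allowed, denied = defaultdict(int), defaultdict(int)
    for ts, client, method in requests:
        (allowed if limiter.allow(client, method, ts) else denied)[client] += 1
    return dict(allowed), dict(denied)


if __name__ == "__main__":
    allowed, denied = apply_limiter(constructed_requests(), TokenBucketLimiter())
    flood = "198.51.100.77"
    print(f"flood client: {allowed.get(flood, 0)} allowed, {denied.get(flood, 0)} denied")
    print("visitors denied:", sum(n for c, n in denied.items() if c.startswith("203.0.113.")))
```

The flood client gets a handful of POSTs through from its initial bucket and then roughly one every 2.5 seconds, while the visitors are never touched. Two caveats: a single IP can hide a whole office behind NAT, so per-IP limits need a generous capacity or a second key such as the session; and a distributed flood sending a few requests per second per bot slips under any per-client limit and has to be caught by aggregate rate, request fingerprinting or a challenge page.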
How to stop and protect against a DDoS attack
Analyze the traffic, is it a usage spike or an attack?
Traffic spikes are a frequent occurrence, and can actually be big enough to take down poorly prepared websites. A site designed to cope with an average of 30-40 concurrent users will come under strain if a spike brings up the number to 600-700 users at the same time.
The first sign of a DDoS attack is a sharp slowdown in server performance, or an outright crash. 503 “Service Unavailable” errors should start appearing around this time. Even if the server doesn’t crash and clings on for dear life, critical processes that used to take seconds now take minutes.
Wireshark is a great tool for figuring out whether what you’re going through is a DDoS. Among its many features, it shows which IP addresses are talking to your PC or server and how many packets each of them sends.
Of course, if the attacker uses a botnet you’ll see traffic from a whole bunch of IPs instead of a single one (a VPN merely changes which single address you see). Here’s a more in-depth rundown on how to use Wireshark to figure out if you’re on the wrong end of a denial-of-service.
Microsoft Windows also comes with a native tool called Netstat, which shows you which addresses are connected to your server, and similar statistics.
To open the tool, type cmd in the Start menu search bar, then run netstat -an in the window that opens. The Local Address column on the left shows your own address and port; the Foreign Address column on the right holds the external addresses connected to your device, and the State column shows whether each connection is fully established or still half-open (SYN_RECEIVED).
The screenshot above is for a normal connection. In it, you can see a few other IPs that communicate normally with the device.
Now, here’s how a DDoS attack would look like:
On the right hand side, you can see that a single external IP repeatedly tries to connect to your own device. While not always indicative of a DDoS, this is a sign that something fishy is going, and warrants further investigation.
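The judgement the article asks you to make from the netstat screenshots, spike or attack, can be automated. The Python below is an added example, not from the article: it builds netstat-like text in the Windows column layout (constructed, not a real capture), parses the connection rows, and reports how concentrated the traffic is and how many connections are stuck half-open. The thresholds are assumptions.

```python
"""Triage `netstat -an` output: a usage spike spreads connections over many sources, a flood
concentrates them (or leaves most connections half-open). Added example; the sample output is
constructed to mimic the Windows netstat column layout, not taken from a real host."""
from collections import Counter


def constructed_netstat(normal=40, flood=0, flood_source=None):
    """Build netstat-like text. With flood_source=None the half-open connections come from
    distinct addresses, the way a spoofed SYN flood looks."""
    lines = [
        "  Proto  Local Address          Foreign Address        State",
        "  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING",
        "  UDP    0.0.0.0:53             *:*",
    ]
    for i in range(normal):
        lines.append(f"  TCP    192.168.1.20:443       203.0.113.{i % 254 + 1}:{50000 + i}   ESTABLISHED")
    for i in range(flood):
        src = flood_source or f"198.51.{i // 254}.{i % 254 + 1}"
        lines.append(f"  TCP    192.168.1.20:443       {src}:{20000 + i}   SYN_RECEIVED")
    return "\n".join(lines)


def parse_netstat(text):
    """Return (proto, local, foreign_ip, state) for each connection row, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""      # UDP rows carry no state column
        rows.append((proto, local, foreign.rsplit(":", 1)[0], state))
    return rows


def summarise(rows, half_open_threshold=20, share_threshold=0.5):
    conns = [r for r in rows if r[0] == "TCP" and r[3] not in ("LISTENING", "")]
    per_ip = Counter(r[2] for r in conns)
    half_open = Counter(r[2] for r in conns if r[3] == "SYN_RECEIVED")
    total = len(conns)
    top_ip, top_count = per_ip.most_common(1)[0] if per_ip else (None, 0)
    suspects = sorted(ip for ip, n in half_open.items() if n >= half_open_threshold)
    if suspects or (total and top_count / total >= share_threshold):
        verdict = "flood"        # one or a few sources dominate: block them upstream
    elif total and sum(half_open.values()) / total >= share_threshold:
        verdict = "syn_flood"    # mostly half-open, many sources: spoofed; SYN cookies and ISP help
    else:
        verdict = "spike"        # many sources, few connections each: capacity, not an attack
    return {
        "connections": total,
        "sources": len(per_ip),
        "top_source": top_ip,
        "top_share": round(top_count / total, 3) if total else 0.0,
        "half_open": sum(half_open.values()),
        "suspects": suspects,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, text in (
        ("usage spike", constructed_netstat(normal=600)),
        ("single-source flood", constructed_netstat(normal=40, flood=300, flood_source="198.51.100.23")),
        ("spoofed SYN flood", constructed_netstat(normal=40, flood=500)),
    ):
        print(label, summarise(parse_netstat(text)))
```

On a real host, save the output with netstat -an > conns.txt and pass the file’s contents to parse_netstat. A spike shows many sources with a couple of connections each; a flood from a single box or a rented botnet shows a few sources holding most of the connections; a spoofed SYN flood shows hundreds of SYN_RECEIVED rows from addresses that never complete the handshake, which is the one case where blocking individual addresses achieves nothing.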
Have an incident response plan
This is a basic procedure, decided well in advance, that describes the steps the organization follows if it suffers a denial-of-service attack.
Every plan is different, depending on what the organization requires, but here are some basic steps and starting points:
- Allow-list mission-critical IPs and traffic sources, such as your ISP, host, monitoring systems and important clients and partners, so that they keep working whatever else you block. Blocking everything else is only an option for services with a known set of clients (a VPN endpoint, an API used by partners); a public website can’t do that without denying service to itself, so it has to rely on rate limiting and upstream scrubbing instead.
- Set up traffic alerts that notify you of spikes and data floods.
- Terminate unwanted connections.
- Add more servers and bandwidth to reduce the impact of the data flood.
Contact your ISP and hosting provider
Many ISPs and hosting companies have backup measures and protocols in place to deal with a DDoS, and help mitigate the damage and normalize activity.
Ideally, contact them BEFORE the attack, and plan ahead of time on how to include them in your response plan.
Look out for data leaks and malware infections
Sometimes, denial-of-service attacks are just a cover for a more complex cyber attack designed to infect an organization with malware or extract its data.
Once systems are back online, scan and search through every nook and cranny, and look for any malware. Be thorough, and don’t let anything slip through the cracks.
Here’s an article that might help you find the best antivirus, and also how to remove any malware you might find.
Use DDoS mitigation tools
Because of how widespread DDoS attacks have become, security vendors now offer several solutions to prevent and mitigate these kinds of attacks. Here are just a few of them:
- Arbor Networks.
- Nexusguard.
DDoS attacks will only get more frequent as time passes and script kiddies get access to ever more sophisticated and cheap attack methods. Fortunately, denial-of-service attacks are short lived affairs, and tend to have only short-term impact. Of course, this isn’t always the case, so it’s best to be prepared for the worst case scenario.
DDoS a Website Like a Pro (Windows Only)
Welcome to this short and easy tutorial on hacking and DDoSing (is that even a word? I don't know). Anyway, let's get started.
First of all, DDoS means distributed denial of service attack, and yes, I don't know what the HELL it means either. But anyway, DDoSing is where you spam a website or server with so much data that it forces them to close down for a short amount of time. Be warned though: if you have a bandwidth cap then this will waste it within a minute, so only do this if you're using an ISP with unlimited bandwidth. P.S. You will need quite a lot of computers to shut websites down, but you can at least lag them a lot. It's good for winding your friend up if he has a Minecraft server or something, though.
1. Getting the Software
To DDoS, first you're going to have to get the software. The software we are going to be using in this tutorial is called Low Orbit Ion Cannon (abbreviated LOIC); you can get it from http://sourceforge.net/projects/loic/ . Once you download the file, go ahead and extract it to your desktop.
2. Targeting the Website
Now open LOIC (obvious, but I want to get some of them little credit thingies so I'm trying to make it however many words long) and you will be prompted with a screen a little bit like this:
First of all, find the box that says "1. Select your target" and fill it in. If you want to DDoS a website, put the web address in the URL box; if you have an IP you want to DDoS, then put the IP in the IP box. Then press the "Lock on" button next to the text box you filled in.
3. Configuring the Attack
Skip the big button that says "IMMA CHARGIN MAH LAZER" and go to section 3, "Attack options". Keep timeout, HTTP subsite and the speed bar the same, but in "TCP/UDP message" enter a random message, in "Port" type whatever port you want to attack, and in "Method" select UDP. (If you're attacking a website, keep the port the same; for Minecraft servers it is usually 25565.) Also, uncheck "Wait for reply" and keep threads at 10. If you have a good PC you can change it to 20, but no more than 20. In the end, your screen should look like this:
4. Fire the Lazer!
Now all that's left to do is press the big button that says "IMMA CHARGIN MAH LAZER". Once you have pressed that, you should see the "Requested" column in "Attack status" filling up with loads of numbers and stuff. This is how many times it has requested that page or Minecraft server or whatever from the server.
Hope you enjoyed this tutorial, and be sure to give that kudos stuff, even if it does get rid of them little credit thingies.
How to Launch a 65Gbps DDoS, and How to Stop One
Yesterday I posted a post mortem on an outage we had Saturday. The outage was caused when we applied an overly aggressive rate limit to traffic on our network while battling a determined DDoS attacker. In the process of writing it I mentioned that we'd seen a 65Gbps DDoS earlier on Saturday. I've received several questions since that all go something like: "65Gbps DDoS!? Who launches such an attack and how do you defend yourself against it?!" So I thought I'd give a bit more detail.
What Constitutes a Big DDoS?
A 65Gbps DDoS is a big attack, easily in the top 5% of the biggest attacks we see. The graph below shows the volume of the attack hitting our EU data centers (the green line represents inbound traffic). When an attack is 65Gbps that means every second 65 Gigabits of data is sent to our network. That's the equivalent data volume of watching 3,400 HD TV channels all at the same time. It's a ton of data. Most network connections are measured in 100Mbps, 1Gbps or 10Gbps so attacks like this would quickly saturate even a large Internet connection.
At CloudFlare, an attack needs to get over about 5Gbps to set off alarms with our ops team. Even then, our automated network defenses usually stop attacks without the need of any manual intervention. When an attack gets up in the tens of Gigabits of data per second, our ops team starts monitoring the attack: applying filters and shifting traffic to ensure the attacked customer's site stays online and none of the rest of our network is affected.
So You Want to Launch a DDoS
So how does an attacker generate 65Gbps of traffic? It is highly unlikely that the attacker has a single machine with a big enough Internet connection to generate that much traffic on its own. One way to generate that much traffic is through a botnet. A botnet is a collection of PCs that have been compromised with a virus and can be controlled by what is known as a botnet herder.
Botnet herders will often rent out access to their botnets, often billing in 15 minute increments (just like lawyers). Rental prices depend on the size of the botnets. Traditionally, email spammers purchased time on botnets in order to send their messages to appear to come from a large number of sources. As email spam has become less profitable with the rise of better spam filters, botnet herders have increasingly turned to renting out their networks of compromised machines to attackers wanting to launch a DDoS attack.
To launch a 65Gbps attack, you'd need a botnet with at least 65,000 compromised machines each capable of sending 1Mbps of upstream data. Given that many of these compromised computers are in the developing world where connections are slower, and many of the machines that make up part of a botnet may not be online at any given time, the actual size of the botnet necessary to launch that attack would likely need to be at least 10x that size. While by no means unheard of, that's a large botnet and using all its resources to launch a DDoS risks ISPs detecting many of the compromised machines and taking them offline.
Amplifying the Attacks
Since renting a large botnet can be expensive and unwieldy, attackers typically look for additional ways to amplify the size of their attacks. The attack on Saturday used one such amplification technique called DNS reflection. To understand how these work, you need to understand a bit about how DNS works.
When you first sign up for an Internet connection, your ISP will provide you with a recursive DNS server, also known as a DNS resolver. When you click on a link, your computer sends a lookup to your ISP's DNS resolver. The lookup is asking a question, like: what is the IP address of the server for cloudflare.com? If the DNS resolver you query knows the answer, because someone has already asked it recently and the answer is cached, it responds. If it doesn't, it passes the request on to the authoritative DNS for the domain.
Typically, an ISP's DNS resolvers are setup to only answer requests from the ISP's clients. Unfortunately, there are a large number of misconfigured DNS resolvers that will accept queries from anyone on the Internet. These are known as "open resolvers" and they are a sort of latent landmine on the Internet just waiting to explode when misused.
DNS queries are usually sent via the UDP protocol. UDP is a fire-and-forget protocol, meaning that there is no handshake to establish that where a packet says it is coming from actually is where it is coming from. This means, if you're an attacker, you can forge the header of a UDP packet to say it is coming from a particular IP you want to attack and send that forged packet to an open DNS resolver. The DNS resolver will reply back with a response to the forged IP address with an answer to whatever question was asked.
To amplify an attack, the attacker asks a question that will result in a very large response. For example, the attacker may request all the DNS records for a particular zone. Or they may request the DNSSEC records which, often, are extremely large. Since resolvers typically have relatively high bandwidth connections to the Internet, they have no problem pumping out tons of bytes. In other words, the attacker can send a relatively small UDP request and use open resolvers to fire back at an intended target with a crippling amount of traffic.
Mitigating DNS Reflection Attacks
One of the great ironies when we deal with these attacks is we'll often get an email from the owner of the network where an open resolver is running asking us to shut down the attack our network is launching against them. They're seeing a large number of UDP packets with one of our IPs as the source coming in to their network and assume we're the ones launching it. In fact, it is actually their network which is being used to launch an attack against us. What's great is that we can safely respond and ask them to block all DNS requests originating from our network since our IPs should never originate a DNS request to a resolver. Not only does that solve their problem, but it means there's a smaller pool of open resolvers that can be used to target sites on CloudFlare's network.
There have been a number of efforts to clean up the open resolvers that are currently active. Unfortunately, it is slow going, and the default installation of many DNS server packages still leaves recursion open to the world. While we actively reach out to the worst offenders to protect our network, to protect the Internet generally there will need to be a concerted effort to clean up open DNS resolvers.
In terms of stopping these attacks, CloudFlare uses a number of techniques. It starts with our network architecture. We use Anycast which means the response from a resolver, while targeting one particular IP address, will hit whatever data center is closest. This inherently dilutes the impact of an attack, distributing its effects across all 23 of our data centers. Given the hundreds of gigs of capacity we have across our network, even a big attack rarely saturates a connection.
At each of our facilities we take additional steps to protect ourselves. We know, for example, that we haven't sent any DNS inquiries out from our network. We can therefore safely filter the responses from DNS resolvers: dropping the response packets from the open resolvers at our routers or, in some cases, even upstream at one of our bandwidth providers. The result is that these types of attacks are relatively easily mitigated.
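The filtering rule described in this paragraph, drop DNS answers nobody asked for, generalised to a network that does send its own queries, as an added Python example (not CloudFlare’s code). It keeps a short-lived table of outbound queries keyed by our address and port, the resolver and the DNS transaction id, and forwards an inbound UDP/53 datagram only when it matches an entry. All addresses and flows are constructed; at a real border this logic lives in a stateful firewall, and a network whose hosts never query resolvers can drop UDP source-port-53 traffic unconditionally, as the post describes.

```python
"""Drop DNS responses nobody on this network asked for. The filter remembers outbound queries
(by our address/port, the resolver and the transaction id) for a few seconds and forwards an
inbound UDP/53 datagram only when it matches one. Added example on constructed flow tuples;
a site that never sends resolver queries can skip the state and drop UDP/53 replies outright."""


class DnsResponseFilter:
    def __init__(self, query_ttl=5.0):
        self.ttl = query_ttl
        self.pending = {}        # (our_ip, our_port, resolver_ip, txid) -> time the query left
        self.passed = 0
        self.dropped = 0

    def outbound(self, src_ip, src_port, dst_ip, dst_port, txid, now):
        """Record a query we sent to a resolver; any other outbound traffic is ignored."""
        if dst_port == 53:
            self.pending[(src_ip, src_port, dst_ip, txid)] = now

    def inbound(self, src_ip, src_port, dst_ip, dst_port, txid, now):
        """Return True if the datagram is forwarded to the host, False if dropped."""
        if src_port != 53:
            self.passed += 1
            return True          # not a DNS response; outside this filter's remit
        sent = self.pending.pop((dst_ip, dst_port, src_ip, txid), None)
        if sent is None or now - sent > self.ttl:
            self.dropped += 1
            return False         # no matching query: reflected traffic aimed at dst_ip
        self.passed += 1
        return True

    def expire(self, now):
        """Forget queries older than the TTL so the table cannot grow without bound."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.ttl}


def constructed_reflection(victim_ip, count, start=2.0):
    """Responses from many open resolvers to ports the victim never used (constructed)."""
    return [(f"198.51.{i // 254}.{i % 254 + 1}", 53, victim_ip, 1024 + i, i & 0xFFFF, start + i * 0.001)
            for i in range(count)]


def run_scenario(victim_ip="203.0.113.10"):
    """One genuine lookup followed by a 1000-packet reflection flood at the same host."""
    f = DnsResponseFilter()
    f.outbound(victim_ip, 40000, "192.0.2.53", 53, 0x1234, now=1.0)           # our own query
    legit = f.inbound("192.0.2.53", 53, victim_ip, 40000, 0x1234, now=1.2)     # its answer
    for pkt in constructed_reflection(victim_ip, 1000):
        f.inbound(*pkt)
    return legit, f.passed, f.dropped


if __name__ == "__main__":
    legit, passed, dropped = run_scenario()
    print(f"legitimate answer forwarded: {legit}, passed {passed}, dropped {dropped}")
```

The match is deliberately strict: a reflected reply carries the victim’s address as destination but a port and transaction id the victim never used, so none of the 1000 flood packets finds an entry, while the one real answer does. Filtering of this kind saves the host and the inner network but not the link in front of the filter, which is why CloudFlare pushes the same drop rule upstream to its bandwidth providers when an attack is large.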
What was fun to watch was that while the customer under attack was being targeted by 65Gbps of traffic, not a single packet from that attack made it to their network or affected their operations. In fact, CloudFlare stopped the entire attack without the customer even knowing there was a problem. From the network graph you can see after about 30 minutes the attacker gave up. We think that's pretty cool and, as we continue to expand our network, we'll get even more resilient to attacks like this one.