
DrDoS - A new breed of evil


mubix


Distributed Reflected Denial of Service.

So you have all mostly heard of Distributed Denial of Service and how zombies work, but here is a brief 'Barney'-style spin-up:

Hacking from one's house is not only stupid but not very efficient. You only have so much bandwidth, and if you want to, let's say, hold an online gambling website for a million dollar ransom, one, you don't want to be caught, and two, you have to pack a bigger punch than your 784kbps home DSL modem. So how does one do this?

Through viruses, trojans, malware, and phishing, vulnerable hosts are silently infected with a 'zombie' program. This program connects to an IRC server and joins its zombified pals. And contrary to popular belief, you don't need irssi, xchat, bitchx, or mIRC to connect to an IRC server. You can connect with telnet or my favorite tool, netcat. And the end user will never know he/she is infected, since it isn't affecting his or her normal usage. Well, that is until the zombie is activated by the zombie master.

So this zombie master is the 'cracker' who either wrote the IRC program or downloaded it and modified the configuration for another IRC server or channel. And when he joins that channel and issues a command, every zombie computer follows that command. So he can tell his zombie army or 'botnet' to ping a specific IP, and he could have tens of thousands of zombies. That innocent 784 DSL just got amplified 10,000 times, which can pretty much take a small to mid size network to its knees in a matter of seconds. Just a side note: ping is one of the mildest commands a zombie master can invoke.

So now we know what DDoS is. What the heck is DrDoS? Well, it's the exact same thing, except the source IP is spoofed to the real IP address of another host that is to be attacked. So when the network under attack tries to respond to all these requests or pings, it will in essence become its own worst nightmare. The attacked network will either be attacking itself or someone else. And chances are, the attacked network has much more than the 784kbps DSL we started with.

Now that I have you scared, how can you protect against 1. being a zombie, and 2. falling prey to DDoS and DrDoS?

1. You can deny IRC traffic on your network. But that doesn't mean they won't use another port. You can set up Snort signatures to see RFC-based IRC messages, which can catch IRC traffic on all ports. As a home user, make sure that you stay very aware of what traffic your computer is sending. A great way to do this is with TCPView from Sysinternals:

http://www.sysinternals.com/Utilities/TcpView.html

2. You really can't defend against DDoS and DrDoS at the moment. There are some great technologies for big business that cost big bucks, but if you are anywhere from a home user to a mid size business, your only hope is your ISP and the FBI.
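Point 1 above says the useful trick is to recognise IRC by its RFC message grammar rather than by port. The following is an added example (not from the original post or any Snort rule set) of that idea in Python: it parses constructed TCP payloads with a simplified RFC 1459 grammar and flags a session as IRC-like only when it sees several known client commands, so a zombie checking in on TCP/8080 is caught while ordinary HTTP on port 80 is not. The flow records, hosts and channel name are all constructed.

```python
"""Port-agnostic IRC detection over captured TCP payloads (constructed samples)."""
import re

# Simplified RFC 1459 message grammar: [":" prefix " "] command [" " params]
IRC_MSG = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")
# Commands a zombie typically sends when it checks in to its controller channel.
CLIENT_CMDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "PONG", "MODE"}


def parse_irc_line(line):
    """Return (prefix, COMMAND, params) if the line fits the IRC grammar, else None."""
    m = IRC_MSG.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("prefix"), m.group("cmd").upper(), m.group("params")


def irc_command_count(payload):
    """Count lines that parse as IRC *and* use a known client command.
    The command whitelist keeps 'GET / HTTP/1.1' (valid grammar) from matching."""
    hits = 0
    for line in payload.split("\n"):
        parsed = parse_irc_line(line)
        if parsed and parsed[1] in CLIENT_CMDS:
            hits += 1
    return hits


def flag_irc_flows(flows, min_hits=2):
    """Return (src, dst, dport) for flows that look like an IRC session, whatever the port."""
    return [(f["src"], f["dst"], f["dport"])
            for f in flows if irc_command_count(f["payload"]) >= min_hits]


# Constructed sample flows (not real captures); hosts are RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 6667,   # IRC on the usual port
     "payload": "NICK bot1337\r\nUSER bot 0 * :bot\r\nJOIN #zombies\r\n"},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "dport": 8080,   # IRC hidden on a web port
     "payload": "PASS s3cret\r\nNICK bot42\r\nUSER bot 0 * :bot\r\nJOIN #zombies\r\n"},
    {"src": "192.0.2.12", "dst": "198.51.100.6", "dport": 80,     # ordinary HTTP, not IRC
     "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "192.0.2.13", "dst": "198.51.100.7", "dport": 6667,   # IRC port, but not IRC
     "payload": "hello there\r\n"},
]

if __name__ == "__main__":
    for src, dst, dport in flag_irc_flows(SAMPLE_FLOWS):
        print(f"IRC-like session {src} -> {dst}:{dport}")
```

A port-only rule would have missed the second flow and falsely flagged the fourth; in practice you would feed reassembled TCP stream payloads from a capture into flag_irc_flows.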


I first read about this probably 4 years ago when Steve Gibson wrote his Distributed Reflection Denial of Service page about an attack on his web site. It's a good read for those of you who would like to hear about a real live attack or would like to see some visual descriptions.

I'm surprised there hasn't been more news about major attacks using this method. I'm sure it's only a matter of time though.

Ben


Couldn't you edit the hosts file of the server so that its own IP address points to another IP address somewhere else (assuming packets don't say they are from 127.0.0.1), so that when the ping requests come in, the server, instead of trying to send a reply to itself, sends it somewhere else, preferably to a specific computer on the LAN, so that 1. it doesn't hog any more internet bandwidth, 2. the server doesn't waste time trying to send the packets to an address that does not exist? But I see no way for you to stop packets from claiming to be from another IP address that is not its own.


Couldn't you edit the hosts file of the server so that its own IP address points to another IP address somewhere else (assuming packets don't say they are from 127.0.0.1), so that when the ping requests come in, the server, instead of trying to send a reply to itself, sends it somewhere else, preferably to a specific computer on the LAN, so that 1. it doesn't hog any more internet bandwidth, 2. the server doesn't waste time trying to send the packets to an address that does not exist? But I see no way for you to stop packets from claiming to be from another IP address that is not its own.

why not click your link in ur sig :P


Couldn't you edit the hosts file of the server so that its own IP address points to another IP address somewhere else (assuming packets don't say they are from 127.0.0.1), so that when the ping requests come in, the server, instead of trying to send a reply to itself, sends it somewhere else, preferably to a specific computer on the LAN, so that 1. it doesn't hog any more internet bandwidth, 2. the server doesn't waste time trying to send the packets to an address that does not exist? But I see no way for you to stop packets from claiming to be from another IP address that is not its own.

This solution wouldn't work because the hosts file is only for name resolution. The incoming packets are only addressed to a specific IP. This would work if an attack was going to hit a domain name; all you would need to do is update your DNS servers (which is what Microsoft did to deflect the Blaster worm attack against windowsupdate.com), but it would not work if the attack targeted an IP.

Ben
