Denial of Service Attacks

From SI410

Denial of Service (DOS) attacks are a type of cyberattack in which attackers attempt to overwhelm a server with traffic so that it cannot provide services to ordinary users [1]. Many modern DOS attacks are launched from a network of decentralized devices; these are known as Distributed Denial of Service (DDOS) attacks. DOS attacks have been documented since 1996 and can be conducted by taking advantage of vulnerabilities in any part of the network stack. Due to the rising occurrence of DDOS attacks in recent years, many methods and products have been created to try to prevent them. The motivation for DOS attacks has varied, including political activism and intimidation, financial blackmail, and acts of revenge [2].

Technical Background

Networked computer systems communicate using a series of protocols that are stacked on top of each other [3]. The lowest layers (the physical and link layers) handle moving data to the next hop on the way to its destination, while the next layer up, the IP layer, contains protocols that move data between different networks. The two highest layers are the transport and application layers, which respectively make sure that the two communicating machines have a reliable connection and carry the actual intended data. While originally there were no guarantees of confidentiality, integrity, or authenticity at any layer of the stack, over time protocols such as HTTPS/TLS were developed to encrypt and protect the upper layers, while the lower layers remain unencrypted [3]. DOS attacks can happen against each of these layers, depending on where system vulnerabilities lie. A summary of some common attack techniques is given below [4].

Hierarchy of common Networking protocols [3]
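To make the layering concrete, the following added example (not part of the original article or the cited handouts) builds a packet by stacking a constructed IPv4 header, a UDP header and an application payload, then parses the layers back off. The addresses and port numbers are constructed documentation values. Note that the only integrity check at the IP layer is a checksum against accidental corruption; nothing in the header proves who actually sent the packet, which is what the spoofing discussed later in the article relies on.

```python
import struct


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum over the IPv4 header.
    Computed over a header whose checksum field is zero, it yields the value to store;
    computed over a complete header, a result of 0 means the stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Assemble network layer (IPv4) + transport layer (UDP) + application payload.
    The link-layer (Ethernet) frame that would wrap this on the wire is omitted."""
    udp_len = 8 + len(payload)
    # The UDP checksum is optional over IPv4; 0 means "not computed" (kept simple here).
    udp_header = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ver_ihl, dscp_ecn, ident, flags_frag, ttl, proto_udp = 0x45, 0, 0x1234, 0, 64, 17
    ip_header = struct.pack("!BBHHHBBH4s4s", ver_ihl, dscp_ecn, 20 + udp_len, ident,
                            flags_frag, ttl, proto_udp, 0,
                            ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = ipv4_checksum(ip_header)
    ip_header = ip_header[:10] + struct.pack("!H", csum) + ip_header[12:]
    return ip_header + udp_header + payload


def parse_ipv4_udp(packet: bytes) -> dict:
    """Peel the layers back off: IPv4 fields, then UDP fields, then the payload."""
    (ver_ihl, _dscp, total_len, _ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip = {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "ttl": ttl, "protocol": proto,
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        # a valid header (checksum field included) sums to zero
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }
    if proto != 17:
        return {"ip": ip, "udp": None, "payload": packet[ihl:total_len]}
    src_port, dst_port, udp_len, udp_csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    udp = {"src_port": src_port, "dst_port": dst_port,
           "length": udp_len, "checksum": udp_csum}
    return {"ip": ip, "udp": udp, "payload": packet[ihl + 8:ihl + udp_len]}


if __name__ == "__main__":
    # constructed addresses from the documentation ranges (RFC 5737)
    pkt = build_ipv4_udp("192.0.2.1", "198.51.100.7", 5353, 53, b"constructed payload")
    for layer, fields in parse_ipv4_udp(pkt).items():
        print(layer, fields)
```

Running the script prints one line per layer; flipping any header byte (for example the TTL) makes `checksum_ok` false, while writing a different source address into the header is indistinguishable from a genuine packet.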

SYN Flood and TCP-Oriented Attacks

The earliest documented DOS attack happened in 1996 against the Internet Service Provider (ISP) Panix [5]. The attack method used, known as a SYN flood, took advantage of a feature of the Transmission Control Protocol (TCP), a common protocol used in the transport layer, to crash a server by filling up its memory. All TCP connections between two hosts begin with a three-part handshake where the client first sends an initial “SYN” message to initiate a connection with the server, then the server acknowledges that it has received the request by sending back an “ACK” message, and then the client acknowledges the server response by sending a “SYN/ACK” message to the server [3]. This requires the server to maintain state information about each client so it knows that any client that sends a “SYN/ACK” message did first send a “SYN” message. The Panix attackers exploited this by sending large numbers of SYN messages to the ISP’s servers without sending back SYN/ACKs, causing the Panix servers’ memory to fill up with state information about each of the attacking machines, which prevented the servers from providing service to actual users [4].

This specific type of attack was defeated by measures such as storing the state information in an encrypted client-side cookie instead of on the server, but there are still other types of DOS attacks today that exploit TCP [4].

Visualization of a SYN Flood attack [6]
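The following added example (it is not part of the original article) simulates the two server designs described above to show why the cookie approach defeats a SYN flood. A stateful server allocates a table entry for every half-open connection and drops new SYNs once its backlog (a constructed size of 128) is full; a SYN-cookie server instead derives its initial sequence number from an HMAC over the client's address, port, sequence number and a coarse timestamp, so it stores nothing until a client proves it received the server's handshake reply. The HMAC construction is a simplification chosen for this example, not the exact encoding used by any particular operating system, and the source addresses are constructed values from the RFC 5737 documentation ranges.

```python
import hashlib
import hmac
import os
import time

BACKLOG = 128  # constructed: size of the half-open connection table


class StatefulServer:
    """Classic behaviour: one table entry per half-open connection, allocated when
    the opening SYN arrives and freed only when the handshake completes."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}       # (client_ip, client_port) -> server initial sequence number
        self.established = set()

    def on_syn(self, client, client_isn):
        if len(self.half_open) >= self.backlog:
            return None           # table full: the SYN is dropped and no reply is sent
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = server_isn
        return server_isn         # carried in the server's handshake reply

    def on_handshake_completion(self, client, client_isn, ack_num):
        server_isn = self.half_open.get(client)
        if server_isn is None or ack_num != (server_isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class SynCookieServer:
    """SYN cookies: the server's initial sequence number *is* the state. It is an HMAC
    over the client's address, port and sequence number plus a coarse timestamp, so
    nothing is stored until the client echoes it back in its completing message."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.established = set()

    def _cookie(self, client, client_isn, minute):
        msg = f"{client[0]}:{client[1]}:{client_isn}:{minute}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client, client_isn, now=None):
        minute = int((time.time() if now is None else now) // 60)
        return self._cookie(client, client_isn, minute)   # no table entry allocated

    def on_handshake_completion(self, client, client_isn, ack_num, now=None):
        minute = int((time.time() if now is None else now) // 60)
        for m in (minute, minute - 1):   # tolerate a minute boundary between SYN and completion
            if ack_num == (self._cookie(client, client_isn, m) + 1) & 0xFFFFFFFF:
                self.established.add(client)
                return True
        return False


def simulate(server, spoofed_syns=1000):
    """Constructed scenario: many SYNs from sources that never finish the handshake,
    then one honest client. Returns whether the honest client got connected."""
    for i in range(spoofed_syns):
        # constructed attacker-chosen source addresses in the TEST-NET-3 range
        server.on_syn((f"203.0.113.{i % 250}", 1024 + i), client_isn=i)
    honest = ("198.51.100.7", 40000)
    server_isn = server.on_syn(honest, client_isn=777)
    if server_isn is None:
        return False              # the honest SYN was dropped: denial of service
    return server.on_handshake_completion(honest, 777, (server_isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful server connects honest client:", simulate(StatefulServer()))
    print("SYN-cookie server connects honest client:", simulate(SynCookieServer()))
```

The stateful server's table fills with entries for sources that will never answer, so the honest client's SYN is dropped; the cookie server has no table to fill and completes the honest handshake as normal. The trade-off, which the simulation also shows, is that the cookie server cannot distinguish a never-completed handshake from one that never happened, which is exactly why it is immune to the flood.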

DNS and UDP-based attacks

Another method used to conduct DOS attacks is based on protocols that use the transport layer User Datagram Protocol (UDP), an unsecured protocol used for sending one-time messages or those that do not require an ordered and reliable connection [3]. Some of these protocols include the Domain Name Service (DNS), used for translating between URLs and IP addresses, and the Internet Control Message Protocol (ICMP), used mainly for debugging network issues. Due to the unsecured nature of these protocols, it is easy for an attacking machine or botnet to “spoof” fields in the messages so that the replies return to the victim’s machine rather than the attacker’s, which then overloads the victim with bogus traffic. This is further compounded by the fact that some versions of UDP-based protocols such as DNSSEC often have very large payloads, which means fewer requests are needed to successfully attack a victim [7].
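Because the victim of a DNS reflection attack receives answers it never asked for, a defender can spot it from flow records alone. The following added example (not from the original article or from any of the cited sources) runs a simple detector over constructed NetFlow-style records: it flags a destination that receives large UDP/53 responses from several resolvers without having sent those resolvers any queries, and it includes the amplification-factor arithmetic behind the large-payload point made above. Addresses, byte counts and thresholds are all constructed for this example.

```python
from collections import defaultdict

# Constructed flow records in a NetFlow-like shape, one record per direction:
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes, packets)
SAMPLE_FLOWS = [
    # honest host 198.51.100.8 queries its resolver and gets normal-sized answers
    ("198.51.100.8", 51000, "192.0.2.53", 53, "udp", 70, 1),
    ("192.0.2.53", 53, "198.51.100.8", 51000, "udp", 210, 1),
    ("198.51.100.8", 51001, "192.0.2.53", 53, "udp", 68, 1),
    ("192.0.2.53", 53, "198.51.100.8", 51001, "udp", 190, 1),
    # 198.51.100.7 receives large answers from several resolvers it never queried
    ("192.0.2.10", 53, "198.51.100.7", 4444, "udp", 3_100_000, 1000),
    ("192.0.2.11", 53, "198.51.100.7", 4444, "udp", 2_950_000, 950),
    ("192.0.2.12", 53, "198.51.100.7", 4444, "udp", 3_300_000, 1100),
    ("192.0.2.13", 53, "198.51.100.7", 4444, "udp", 2_800_000, 900),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the sender had to transmit."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_avg_response=1500, min_reflectors=3):
    """Flag destinations that receive UDP/53 responses which are (a) large on average
    and (b) unmatched by any query the destination itself sent to that resolver.
    Returns {victim_ip: summary}."""
    sent_queries = defaultdict(int)                      # (host, resolver) -> query bytes
    got_answers = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # host -> resolver -> [bytes, pkts]
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if dport == 53:                                  # host -> resolver: a query
            sent_queries[(src, dst)] += nbytes
        elif sport == 53:                                # resolver -> host: an answer
            got_answers[dst][src][0] += nbytes
            got_answers[dst][src][1] += pkts

    victims = {}
    for host, per_resolver in got_answers.items():
        unsolicited = {r: v for r, v in per_resolver.items()
                       if sent_queries.get((host, r), 0) == 0}
        if len(unsolicited) < min_reflectors:
            continue
        total_bytes = sum(v[0] for v in unsolicited.values())
        total_pkts = sum(v[1] for v in unsolicited.values())
        avg = total_bytes / total_pkts
        if avg >= min_avg_response:
            victims[host] = {
                "reflectors": sorted(unsolicited),
                "bytes": total_bytes,
                "avg_response_bytes": round(avg),
            }
    return victims


if __name__ == "__main__":
    # constructed sizes: a short query versus a large signed (DNSSEC) answer
    print("amplification factor:", amplification_factor(64, 3000))
    for victim, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

The honest host is not flagged because every answer it receives is paired with a query it sent; the victim is flagged because all four resolvers answering it are unsolicited and the answers average roughly 3 KB each. In practice the same logic is run over exported flow data at the network edge, and the thresholds are tuned to the site's normal DNS response sizes.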

Preventing Attacks

CDNs

One way to prevent DOS attacks is for websites to use Content Delivery Networks (CDNs) or cloud providers to host their sites instead of running a server on-premises. Several notable CDNs include Cloudflare, Akamai, and Amazon CloudFront [8]. CDNs have an easier time defending against DDOS attacks than small web servers because they host large amounts of content across multiple data centers per geographic region, so a much larger amount of traffic is required to shut down a server [4]. In addition to providing DDOS protection, CDNs offer other services for websites such as automatic load balancing and faster connection times and download speeds for customers located far away from where the company’s servers would otherwise be [8].

While hosting content on a CDN can be a considerable expense, some CDNs such as Google Project Shield have been established to provide free DDOS protection for content seen as vulnerable, such as human rights groups, news media, and election results websites [9]. Cloudflare’s Project Galileo provides similar free services, including to COVID-19 vaccination scheduling sites [10]. These services are seen as important by vulnerable sites because in the past, CDNs had refused to give protection to, or dropped, clients that frequently came under attack, such as when Akamai decided to drop the blog of investigative journalist Brian Krebs due to frequent massive DDOS campaigns against him in retaliation for his work on trying to expose the creators of the Mirai Botnet (see below) [11].

On the other hand, CDNs have faced criticism due to their actions, or lack thereof, against controversial websites. Cloudflare has admitted to providing services to websites owned by groups designated as terrorist organizations by the US Government as well as to drug traffickers [12]. It also provided services for the neo-Nazi website the Daily Stormer and the online forum 8chan, which was notorious for hate speech, although it dropped these companies as customers following the 2018 New Zealand Mosque Attack and the El Paso shooting, abandoning its previous stance against censoring or dropping any websites due to the political nature of their content [13].

Notable Incidents

Over the years, there have been several notable incidents involving DOS attacks that have had legal, ethical, and diplomatic implications.

2002 New Hampshire election TDOS

During the 2002 US Senate Election in New Hampshire between Democrat Jeanne Shaheen and Republican John Sununu, several state and national GOP officials hired a telemarketing company to overload the Democratic voter turnout hotline with spam calls, making it effectively useless for its intended purpose. Sununu ended up winning the election by a close margin, but after a Justice Department investigation, Republican officials James Tobin, Allen Raymond, and Charles McGee were convicted of telephone harassment and sentenced to prison in what became known as the “phonegate” scandal [14]. Since this attack took down a telephone network rather than a computer network, it is an example of a TDOS (Telephony Denial of Service) attack [15], and was an early example of the potential harms that DOS attacks could cause to the public sphere.

Great Cannon and State Sponsored DDOS

Due to the power of DDOS attacks to damage web infrastructure, some countries have developed systems to utilize DDOS attacks for their own benefit. One example of this is the Great Cannon developed by China’s government [16]. The Great Cannon took advantage of the fact that many popular China-based websites such as Baidu ran on the unencrypted and insecure HTTP protocol, which meant that anybody who intercepted a connection between a client and the server could modify any of the data being sent. China already has infrastructure set up to monitor all traffic going across the national border as part of the Great Firewall, so it developed this tool, which could launch DDOS attacks by injecting malicious JavaScript code into requests from foreign users that would spam requests to the targeted website [16]. The Great Cannon was first known to be used against GitHub and the blog Great Fire in 2015 because those sites hosted censorship circumvention tools [4]. This caused a diplomatic incident between China and the United States, as the US Government saw it as an attack perpetrated by a foreign government against an American company [17]. China did not take official responsibility for this attack, but an analysis by researchers at the University of Toronto and Princeton University found that it was almost certainly caused by the Chinese government [16]. While this attack did not successfully take down any of the target servers, it did cause harm, particularly to Great Fire, which had to pay its hosting provider a large fee to deal with all of the attacker traffic [17].

China is not the only country that has been accused of conducting state-sponsored DDOS attacks. Russia’s government and various hacker groups acting on its behalf have been found to have conducted DDOS attacks, among other forms of cyberattacks, against government websites in several Eastern European countries such as Bulgaria, Finland, and Romania since 2022, allegedly as retaliation for their support of Ukraine in the Russia-Ukraine war [18]. Iran has also allegedly launched DDOS attacks against targets in Israel and NATO countries as part of a cyberwarfare campaign [18]. While the United States is thought to possess the capabilities to launch attacks similar to the Great Cannon, there have not been any publicly known instances of the US and its allies launching such an attack [16].

Gaming DDOSAAS

One of the fields where DDOS attacks have become more common recently is online multiplayer gaming. The motivation for these attacks is for the attacking player to gain an advantage over their target by slowing down the target’s network connection so that the target’s actions during the game suffer more latency, reducing their performance [19]. The use of DDOS attacks in online gaming was greatly increased by the creation of DDOS as a Service (DDOSAAS) sites: for-hire services that allow users to rent a botnet to attack targets of their choice. This allows potential attackers who would otherwise lack the technical skills or resources to launch an attack to do so, and one of the first areas where this was widely used was online gaming.

Many of the websites providing DDOS for hire services describe themselves as “IP stresser” services, implying that they exist for the legitimate purpose of “stressing” a server that one owns with traffic to see how much traffic it can take [20]. However, most of these sites do not verify that their services are only used for legitimate purposes beyond a click-box agreement with the user. The US Justice Department views these sites as illegal and has arrested and charged various operators of DDOS for hire sites in several operations since 2018, which has taken down many of them but has still not entirely eliminated the problem [20]. Since many of these services target minors wanting competitive advantages in video games who may not know that they are breaking the law, police in countries such as the UK have begun sending targeted advertisements to those searching for DDOS services to discourage users from utilizing them [20].

Mirai Botnet

Gamers wanting real-time competitive advantages is not the only reason online gaming has been targeted by DDOS attacks in recent years. In some online multiplayer games such as the world-building and survival game Minecraft, where gamers can play on one of many separate servers, being a server owner can be a lucrative source of income [11]. Since a slower or dysfunctional connection could make a large number of users decide to simultaneously leave a server, Minecraft server owners have been vulnerable to DDOS for years. It was for this motivation that one of the largest ever DDOS botnets, the Mirai Botnet, was created in 2016 by a group of New Jersey college students [11]. The Mirai Botnet worked by searching for Internet of Things (IOT) devices behind weak home firewalls that had little to no security mechanisms, and then infecting them with malware that spread the botnet to other devices on the same network [4]. Due to this mechanism, as well as the vast number of IOT devices with weak security, it was quickly able to infect a large number of devices. The malware installed on the devices connected them to a central server that could command them to spam a target with requests [21]. While the creators of the botnet mainly intended to use it to extort the owners of large Minecraft servers into buying DDOS protection software that they had created, as part of a protection racket scheme, the sheer number of devices in the botnet allowed it to also take down the servers of major ISPs and infrastructure providers [21]. Since the botnet became active around mid-2016, the FBI originally believed it was intended for state-sponsored DDOS attacks against the 2016 US Presidential Election, but after further investigation it found the actual perpetrators, who pleaded guilty to hacking charges in relation to creating and operating the botnet [11].

DDOS as a Tool for Political Activism

While DDOS attacks are seen by most governments as illegal computer hacking, they have also been used as a tool for political activism by some groups. DDOS has been used for activism for almost its entire existence; an early pioneer of DDOS activism was a group known as the Electronic Disturbance Theater (EDT). The organization was started in 1998, when DDOS attacks were not yet technically illegal, by a group of artists based in New York who wanted to harness the new technologies of the internet to stage “electronic civil disobedience” and “virtual sit-ins” [22]. The EDT developed a JavaScript applet called “FloodNet” that users could load in their browsers to spam a targeted site with requests, similar to the “IP Stresser” tools marketed by modern-day DDOS for hire services. One of the first causes they wanted to raise awareness for was the Mexican government’s treatment of the Zapatista rebel group in the Chiapas region. The EDT decided to direct users to try to take down US and Mexican government websites with the FloodNet tool, including the Pentagon website. Users from around the world participated in the “virtual sit-in”, but a couple of hours into the attack, the Pentagon started using its own countermeasure that crashed the browsers of all FloodNet users trying to connect to it [22]. A year later, the EDT and a group known as the “electrohippies” carried out a similar action against the World Trade Organization as part of the anti-globalization protests during the WTO meeting in Seattle, using FloodNet to try to take down its website and also attempting to take down its email server by spamming the WTO with emails [23]. In more recent times, the group Anonymous has used DDOS as one of its tactics, most notably when it managed to briefly take down major websites such as Amazon and PayPal in 2010 as part of a protest against the charges brought against Wikileaks founder Julian Assange [23].

Screenshot of the FloodNet website created by the EDT [22]

Another DDOS tactic that has been used for political activism is attempting to DDOS ISPs and other infrastructure providers to coerce them into blocking specific sites. This tactic was most notably used in Spain by opponents of the Basque Nationalist website Euskal Herria Journal to try to convince Spain’s main ISP, IGC, to deplatform it [23]. The campaign, which was promoted by several major newspapers, involved spamming IGC’s mail servers with emails, which took down the server and made it impossible for users to access their email accounts. Eventually, IGC gave in to the demands of the movement and removed access to Euskal Herria.

  1. Understanding Denial of Service Attacks. CISA. (n.d.). Retrieved January 26, 2023, from https://www.cisa.gov/uscert/ncas/tips/ST04-015
  2. Denial of service (DOS) guidance. NCSC. (n.d.). Retrieved January 26, 2023, from https://www.ncsc.gov.uk/collection/denial-service-dos-guidance-collection
  3. Halderman, J. A., & Ensafi, R. Networking 101 [Class Handout]. University of Michigan, EECS 388.
  4. Halderman, J. A., & Ensafi, R. Networking Attacks and Defenses [Class Handout]. University of Michigan, EECS 388.
  5. Calem, R. (1996, September 14). New York's Panix Service Is Crippled by Hacker Attack. The New York Times. Retrieved January 26, 2023, from https://archive.nytimes.com/www.nytimes.com/library/cyber/week/0914panix.html
  6. SYN flood attack. IONOS Digital Guide. (n.d.). Retrieved February 10, 2023, from https://www.ionos.com/digitalguide/server/security/syn-flood/
  7. DNS Amplification Attacks. CISA. (n.d.). Retrieved January 26, 2023, from https://www.cisa.gov/uscert/ncas/alerts/TA13-088A
  8. CDN. MDN Web Docs Glossary: Definitions of Web-related terms. (n.d.). Retrieved January 26, 2023, from https://developer.mozilla.org/en-US/docs/Glossary/CDN
  9. Google. (n.d.). Project Shield FAQ. Retrieved January 26, 2023, from https://projectshield.withgoogle.com/faq
  10. Project Galileo. Cloudflare. (n.d.). Retrieved January 26, 2023, from https://www.cloudflare.com/galileo/
  11. Graff, G. M. (2017, December 13). How a dorm room 'Minecraft' scam brought down the internet. Wired. Retrieved February 9, 2023, from https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
  12. Bort, J. (2019, September 11). Cloudflare, the next big cybersecurity IPO company, says it may have violated US law by doing business with terrorists and narcotics traffickers. Business Insider. Retrieved January 26, 2023, from https://www.businessinsider.com/cloudflare-us-law-terrorists-narcotics-traffickers-2019-9
  13. Prince, M. (2019, August 5). Terminating service for 8chan. The Cloudflare Blog. Retrieved January 26, 2023, from https://blog.cloudflare.com/terminating-service-for-8chan/
  14. Overby, P. (2006, May 11). Phonegate: Jamming Democrats' campaign efforts. NPR. Retrieved January 26, 2023, from https://www.npr.org/templates/story/story.php?storyId=5399282
  15. MS-ISAC Security Primer: Telephony Denial of Service Attacks. (n.d.). Retrieved January 26, 2023, from https://www.cisecurity.org/wp-content/uploads/2015/08/Security-Primer-TDOS.pdf
  16. Marczak, B., Weaver, N., Dalek, J., Ensafi, R., Fifield, D., McKune, S., Rey, A., Scott-Railton, J., Deibert, R., & Paxson, V. (2015). An Analysis of China's “Great Cannon”. In 5th USENIX Workshop on Free and Open Communications on the Internet (FOCI 15). USENIX Association.
  17. Goodin, D. (2015, March 31). Massive denial-of-service attack on GitHub tied to Chinese government. Ars Technica. Retrieved February 10, 2023, from https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/
  18. Center for Strategic and International Studies. (n.d.). Significant cyber incidents: Strategic Technologies Program. CSIS. Retrieved February 10, 2023, from https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
  19. Holpuch, A. (2022, October 13). Gaming is booming. That's catnip for cybercriminals. The New York Times. Retrieved February 10, 2023, from https://www.nytimes.com/2022/10/13/technology/gamers-malware-minecraft-roblox.html
  20. Krebs, B. (2022, December 14). Six charged in mass takedown of DDoS-for-hire sites. Krebs on Security. Retrieved February 10, 2023, from https://krebsonsecurity.com/2022/12/six-charged-in-mass-takedown-of-ddos-for-hire-sites/
  21. What is the Mirai botnet? Cloudflare. (n.d.). Retrieved February 10, 2023, from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
  22. Lecher, C. (2017, April 14). Massive attack. The Verge. Retrieved February 10, 2023, from https://www.theverge.com/2017/4/14/15293538/electronic-disturbance-theater-zapatista-tactical-floodnet-sit-in
  23. Sauter, M. (2014). The Coming Swarm: DDoS Actions, Hacktivism, and Civil Disobedience on the Internet. Bloomsbury Academic.