
What's a DDoS attack?

zveruga

Senior member
Just read an article here about DDoS attacks... What are those? What exactly do they do? Just curious... Please explain in a language that a non-networking person can understand🙂

--zveruga
 
They can be any kind of attack designed to make a system or service stop responding to requests from the internet (DoS) typically sent from many many hosts around the globe (the distributed part). Most of the time it's just a whole buttload (a very technical 9th grade term for a lot, in the words of my 10th grade English teacher 😉) of ICMP pings sent to a machine in hopes that it will "fill up" their internet connection and make it totally unresponsive to legitimate connection attempts from other hosts.
 
A DDoS (Distributed Denial of Service) attack is where lots of computers at various locations attack a certain service or web page, creating enough traffic to block legitimate uses of that service/web page. Think of Windows Update and the MSBlaster worm... that should have been a classic DDoS attack.

 
Just rapid packets (requests), typically sent from multiple machines, which would kill network bandwidth. In many cases it is a virus that causes it....


DDOS - Distributed Denial of Service
 
Originally posted by: bsr
Just rapid packets (requests), typically sent from multiple machines, which would kill network bandwidth. In many cases it is a virus that causes it....


DDOS - Distributed Denial of Service

No, it would overwhelm the resources of the network (it doesn't change the network bandwidth, just the throughput).

Mitzi put it best...
 
There are different kinds of DDoS attacks.

1) So much traffic that bandwidth is saturated with the attack and not much else can get through
2) Service based attack where the host or hosts run out of resources (like tcp connections, memory, processor, etc) because they are doing nothing but servicing the attack.
 
Originally posted by: spidey07
1) So much traffic that bandwidth is saturated with the attack and not much else can get through
2) Service based attack where the host or hosts run out of resources (like tcp connections, memory, processor, etc) because they are doing nothing but servicing the attack.
It's amazing how many people forget about the latter. 🙂

Note that both can be real-world situations that aren't attacks either. This is essentially what being 'slashdotted' is: big site A links to little site B, little site B gets a LOT of hits, and gets effectively DoSed -- even though there isn't an attack.
 
heh,

I remember when I accidentally DDoSed our own mail servers years ago.

I miswrote an access list that denied any reply traffic from the mail servers to clients. Not really a big deal except for now 30,000 clients were not receiving the syn-ack (2nd packet of tcp handshake) reply from the server.

Effect was clients continually tried to reconnect and the server ran out of TCP connections.
 
Originally posted by: spidey07
heh,

I remember when I accidentally DDoSed our own mail servers years ago.

I miswrote an access list that denied any reply traffic from the mail servers to clients. Not really a big deal except for now 30,000 clients were not receiving the syn-ack (2nd packet of tcp handshake) reply from the server.

Effect was clients continually tried to reconnect and the server ran out of TCP connections.

Technically, that would be more of a DoS, not DDoS - yours was centralized. DDoS (Distributed) would be more like if you messed up a lot of servers. 🙂
Though I guess that isn't really an attack.😛
 
So all the clients hitting the server and consuming resources isn't a Distributed denial of service? Cause there wasn't jack that could talk to all the e-mail servers - they were full of open, un-acked TCP connections. I had to laugh at myself that day.

🙂
 
Technically speaking:

DoS Possibilities: Packet flood using all available bandwidth or resource usage flood -- launched from a single machine.

DDoS Possibilities: Packet flood using all available bandwidth or resource usage flood -- launched from more than one machine.

30000 mail clients would make it distributed. Jeff7 just has the wrong idea on which end is distributed. 🙂
 
now my question: how do you defend against such an attack?

The IPs from the packets will probably be forged so you can't really block them.
 
One method is called RPF check or reverse path forwarding check.

An internet router looks at its routing table and decides if the source address of a packet coming in an interface is truly coming from where it should.

For example - IP source of 5.5.5.5 comes in interface 3, but the router's routing table says that the route to 5.5.5.5 is on interface 5. Well, the packet is dropped because it failed the RPF check. This can help on the spoofed addresses.

Any other DDoS must be dealt with from a provider level as there really isn't anything a customer can do. Also hosts are the only things attacked.

Internet routers themselves can be the destination and overloaded as well - processor goes thru the roof and traffic slows to a crawl.

-edit- for the truly geeky folks....the RPF check is critical with multicast routes and one of the reasons why properly designing multicast networks is so difficult. Too much redundancy will wreak havoc on the mcast routes because of an RPF problem. I learned that one the hard way. 🙁
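The check spidey07 describes, as an added Python model that is not code from the thread or from any router vendor: a constructed routing table, a longest-prefix lookup, and the strict RPF decision (does the best route back to the source address leave via the interface the packet arrived on?). The loose variant goes beyond the post; it only asks whether any route to the source exists, which catches unrouted (bogon) sources but not addresses spoofed from another valid prefix.

```python
import ipaddress

# Constructed routing table (prefix -> outgoing interface); sample data, not a real router's table.
ROUTES = [
    ("0.0.0.0/0", "if1"),        # default route toward the upstream provider
    ("5.5.5.0/24", "if5"),
    ("10.20.0.0/16", "if3"),
    ("10.20.30.0/24", "if4"),    # more specific than the /16 above
]

def lookup(table, addr):
    """Longest-prefix match: return (network, interface) for addr, or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def strict_rpf(table, src, ingress):
    """Strict uRPF (the check in the post): keep the packet only if the route back to its
    source address points out the interface it arrived on."""
    route = lookup(table, src)
    return route is not None and route[1] == ingress

def loose_rpf(table, src, ignore_default=True):
    """Loose uRPF (extension): keep the packet if any route to the source exists at all,
    optionally treating a default-route-only match as 'no route'."""
    route = lookup(table, src)
    if route is None or (ignore_default and route[0].prefixlen == 0):
        return False
    return True
```

Strict mode is the one that breaks on asymmetric routing (and, as the post's edit says, on multicast with too much redundancy), which is why providers often run loose mode at the border instead.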
 
-edit- for the truly geeky folks....the RPF check is critical with multicast routes and one of the reasons why properly designing multicast networks is so difficult. Too much redundancy will wreak havoc on the mcast routes because of an RPF problem. I learned that one the hard way.

Thanks for that tip Spidey 🙂
 
Originally posted by: groovin
now my question: how do you defend against such an attack?
Against a raw bandwidth flood attack, you can't. It's simple math. If you have a 1.5mbps connection and they are sending 1.5mbps worth of traffic, you have 0 available for your usage.

The resource usage DoS can be defended against by up to date software, and in TCP implementations by using a system whereby resources are not allocated until the handshake is completed. This I think is in violation of the TCP spec, but practically speaking, it stops SYN floods. That being said, you really have to rely on software vendors to prevent these kinds of occurrences.

Also, source address spoofing is something I've always thought EVERY ISP should implement at their border routers.
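The second defence in the post (not allocating state until the handshake completes, what TCP stacks call SYN cookies), as an added Python model that is not code from the thread or from any real TCP stack. The naive listener keeps a half-open entry per SYN and is exhausted by SYNs whose senders never answer; the cookie listener keeps nothing on SYN, derives its ISN from the connection key and a time slot with a keyed hash, and still completes a legitimate handshake afterwards. The flood is simulated in memory only; all addresses and numbers are constructed.

```python
import hashlib, hmac, os

# Constructed per-process secret; a real stack rotates it. Example code, not a real TCP stack.
SECRET = os.urandom(16)
MASK = 0xFFFFFFFF

def syn_cookie(key, client_isn, minute, secret=SECRET):
    """32-bit server ISN derived from the connection key, client ISN and time slot: no state kept."""
    msg = f"{key}|{client_isn}|{minute}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

class NaiveListener:
    """Allocates a half-open entry for every SYN, so unanswered SYNs fill the backlog."""
    def __init__(self, backlog):
        self.backlog, self.half_open, self.established = backlog, {}, set()
    def on_syn(self, key, client_isn, minute):
        if len(self.half_open) >= self.backlog:
            return None                      # backlog full: SYN dropped, no SYN-ACK sent
        self.half_open[key] = len(self.half_open) + 1   # toy server ISN
        return self.half_open[key]
    def on_ack(self, key, client_isn, ack_num, minute):
        server_isn = self.half_open.pop(key, None)
        if server_isn is None or ack_num != server_isn + 1:
            return False
        self.established.add(key)
        return True

class CookieListener:
    """Stores nothing on SYN; the handshake completes only if the ACK carries a valid cookie + 1."""
    def __init__(self):
        self.established = set()
    def on_syn(self, key, client_isn, minute):
        return syn_cookie(key, client_isn, minute)
    def on_ack(self, key, client_isn, ack_num, minute):
        for m in (minute, minute - 1):       # tolerate a time-slot rollover during the handshake
            if ack_num == (syn_cookie(key, client_isn, m) + 1) & MASK:
                self.established.add(key)
                return True
        return False

def flood_then_connect(listener, unanswered_syns, minute=7):
    """Model: many SYNs whose senders never ACK, then one legitimate handshake; return its result."""
    for i in range(unanswered_syns):
        listener.on_syn(("198.51.100.%d" % (i % 250), i), i, minute)  # constructed, never ACKed
    key, client_isn = ("203.0.113.5", 40000), 12345       # constructed legitimate client
    server_isn = listener.on_syn(key, client_isn, minute)
    if server_isn is None:
        return False
    return listener.on_ack(key, client_isn, (server_isn + 1) & MASK, minute)
```

The cost of the cookie approach is exactly what the post hints at: the server has to forget anything it cannot encode in 32 bits (real stacks squeeze in an MSS class), which is why it is normally switched on only once the backlog is under pressure.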
 
Also, source address spoofing is something I've always thought EVERY ISP should implement at their border routers.

From an RPF standpoint it is resource intensive. But general anti-address spoof measures aren't.

God, now I have to recall the RFC, but there is an RFC out there specifically designed for this kind of prevention.
 