DDOS (Distributed Denial of Service) and DOS (Denial of Service) attacks are a class of attacks meant to do one thing: make a web site unavailable. The most common way to do this is to flood the site with traffic so it becomes overloaded and cannot respond to requests.
DDOS attacks generally have three parts: master, slave and victim. The master controls the slave machines and coordinates the attack on the victim. The simplest form of this attack would go something like:
Master at 11:00am EST Ping xxx.xxx.xxx.xxx -n 10000
Slave 1-1000 ping xxx.xxx.xxx.xxx -n 10000
This attack tells 1000 slave machines to send 10,000 pings all at the same time to a particular IP address (the victim).
One of the most common DDOS attacks is called the Ping of Death, a typical TCP/IP implementation attack. In this assault, the DDoS attacker creates an IP packet that exceeds the IP standard’s maximum 65,536 byte size. When this oversized packet arrives, it crashes systems that are using a vulnerable TCP/IP stack. No modern operating system or stack is vulnerable to the simple Ping of Death, but it was a long-standing problem with Unix systems.
Master at 11:00am EST Ping xxx.xxx.xxx.xxx -n 10000 -l 72000
Slave 1-1000 ping xxx.xxx.xxx.xxx -n 10000 -l 72000
In the above examples it is a simple matter to deny the offending IP access to the site by telling the router or firewall to ignore packets from that IP. If the attack is coming from 1000 machines, it becomes difficult and time consuming to block all the IPs.
These simple examples of an attack can become much more sophisticated. This is where tools like Tribe Force Network and Trinity come in: they allow a single user to blast a port with IP packets of varying sizes, acting like a WAN killer. They are extremely effective and give a single workstation the ability to bring a web site to a halt. They can also spoof IPs from your own network or relay through proxy servers.
A SYN attack simply buries its target by swamping it with TCP SYN packets. Each SYN packet demands a SYN-ACK response and causes the server to wait for the proper ACK in reply. Of course, the attacker never sends the ACK, or, more commonly, uses a bad IP address so there’s no chance of an ACK returning. This quickly swamps a server as it tries to send out SYN-ACKs while waiting for ACKs.
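The half-open connections a SYN flood leaves behind are visible in the server's TCP connection table, and counting them per source is also how you tell whether the per-IP blocking described above is still practical. The following is an added example, not part of the original article; the netstat-style lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# One netstat/ss-style line: proto, recv-q, send-q, local, remote, state.
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+):\d+\s+(?P<state>\S+)$"
)


def half_open_by_source(lines):
    """Count SYN_RECV (half-open) connections per remote IP address.
    SYN_RECV means the server sent a SYN-ACK and is still waiting for the ACK."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("state") == "SYN_RECV":
            counts[m.group("remote")] += 1
    return counts


def assess(counts, backlog=256, per_source_limit=20):
    """Triage the half-open table the way a defender would.
    backlog: listen queue size; near it, legitimate SYNs start being dropped.
    per_source_limit: above this many half-open entries from one address,
    a per-IP filter on the router or firewall is a reasonable response."""
    total = sum(counts.values())
    heavy = sorted(ip for ip, n in counts.items() if n >= per_source_limit)
    if total < backlog:
        verdict = "normal"
    elif heavy and sum(counts[ip] for ip in heavy) >= total * 0.9:
        verdict = "syn flood from few sources: per-IP block feasible"
    else:
        verdict = "distributed syn flood: per-IP blocking impractical"
    return {"half_open": total, "sources": len(counts),
            "blockable": heavy, "verdict": verdict}


# --- Constructed inputs (not captured from a real system) ---
def connection_lines(remote_ips, per_ip, state="SYN_RECV", local="198.51.100.10:80"):
    """Build netstat-style lines: per_ip entries in `state` for each remote IP."""
    return [f"tcp 0 0 {local} {ip}:{40000 + i} {state}"
            for ip in remote_ips for i in range(per_ip)]


# Case 1: two addresses with 200 half-open connections each (plus one normal
# established session) -> blocking two IPs at the firewall is enough.
FEW_SOURCES = (connection_lines(["203.0.113.7", "203.0.113.9"], 200)
               + connection_lines(["192.0.2.5"], 1, "ESTABLISHED"))
# Case 2: 1000 distinct (spoofed) addresses, one half-open each -> no single
# address stands out, so per-IP filtering does not scale.
MANY_SOURCES = connection_lines([f"10.0.{i // 250}.{i % 250 + 1}" for i in range(1000)], 1)
```

Running `assess(half_open_by_source(FEW_SOURCES))` returns the two blockable addresses, while the 1000-source case reports the flood but an empty block list.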
There is no silver bullet for DOS and DDOS attacks. Many IDS systems will prevent a SYN flood but may fail against a large scale DDOS attack; companies like Arbor Networks offer programs to help you manage attacks and stay aware of what options are available.
Knowing that an attack is occurring is the first step in reacting to it, and your IDS should have notifications built in; if it does not, then you won’t know about the attack until your site is down.
Tracking back to the attacker after the attack can be difficult, if not impossible, when it is done by pros who understand IP and how to take advantage of it. If the attack has been redirected to appear to come from overseas, then getting log files may be impossible or may require litigation and the involvement of the State Department.