DoS

Table 3-18 shows the summary information for the DDoS attack.

Table 3-18. DDoS

Attack name: DDoS
Class/subclass: Flood/network flooding
Sample implementations: Tribe Flood Network 2000 (TFN2K), Shaft
Prerequisites: Ability to infect large numbers of systems to build a zombie network
Pertinent vulnerability: Policy
Typical use: Overwhelm the victim's Internet connection
Attack result: Denial of service
Likely follow-up attack: None
OSI layers: 3, 4
Detection: IDS, log analysis
Protection: CAR, specific filtering, ISP options (through prearranged agreements)
Detection difficulty: 2
Ease of use: 2
Frequency: 3
Impact: 4
Overall rating: 31

As the family of attacks that brought down some prominent Internet company websites in 2000, DDoS attacks have a fair degree of notoriety. Before amplification flood attacks (smurf and DDoS, for example), a network only required more bandwidth than the attacker to be immune to network flooding. Now, with amplification attacks, the attacker can have much more bandwidth available than the victim. Significant DDoS attacks occur weekly and sometimes daily on sites around the world.

A diagram of a Stacheldraht DDoS attack is shown in Figure 3-12. Stacheldraht (which means "barbed wire" in German) is a three-tier DDoS attack in that the attacker communicates with handlers, which in turn communicate with agents. Think of it like an army with a general, lieutenants, and troops. Stacheldraht was one of the earliest DDoS tools, and as such it received a fair amount of detailed analysis. Many newer attacks have eliminated the "handler" role and instead have agents registering themselves on an IRC channel, which makes detection very difficult. The Stacheldraht attack works like this:

1. Attacker infects a number of systems around the Internet and puts the DDoS handler software on each of them.

2. These handler systems attempt to infect portions of the Internet and recruit the infected systems as agents. The attack method used to compromise agents can be anything from a Trojan horse email to exploiting a vulnerability in application or operating system code.

3. At the appropriate time, the attacker sends the attack order to the handler systems, which in turn direct their agents to flood a particular IP address.

4. The victim network is consumed with bogus network traffic (most likely from spoofed sources). Legitimate users stand a low chance of getting their requests processed.

Figure 3-12. Stacheldraht Attack
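The table lists log analysis as a detection method for this attack, and step 4 describes its signature: one destination swamped by traffic from a large number of (most likely spoofed) sources. The following added example, which is not from the book, turns that description into a flood detector run over constructed NetFlow-style records; the record format, thresholds and addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the book): "<epoch_sec> <src> <dst> <proto> <packets>".
# Second 999: normal traffic. Second 1000: 200 distinct (spoofed) sources each
# push 400 packets at one victim. Second 1001: one busy but legitimate client.
SAMPLE_LOG = (
    ["999 192.0.2.%d 203.0.113.10 tcp 20" % i for i in (11, 12, 13)]
    + ["1000 198.51.100.%d 203.0.113.10 udp 400" % i for i in range(1, 201)]
    + ["1001 192.0.2.50 203.0.113.20 tcp 5000"]
)


def parse_flows(lines):
    """Parse flow lines into (second, src, dst, proto, packets) tuples; skip malformed ones."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
            continue
        flows.append((int(parts[0]), parts[1], parts[2], parts[3], int(parts[4])))
    return flows


def detect_floods(lines, pps_threshold=50000, min_sources=100):
    """Return one finding per (destination, second) that exceeds both thresholds.

    A high packet rate alone also describes a busy legitimate service; the
    distinct-source count is what separates an agent (zombie) flood from that.
    Thresholds are assumed values and would be tuned to the site's baseline.
    """
    packets = defaultdict(int)   # (dst, second) -> packets seen
    sources = defaultdict(set)   # (dst, second) -> distinct source IPs
    for second, src, dst, _proto, count in parse_flows(lines):
        packets[(dst, second)] += count
        sources[(dst, second)].add(src)
    findings = []
    for (dst, second), total in sorted(packets.items()):
        n_src = len(sources[(dst, second)])
        if total >= pps_threshold and n_src >= min_sources:
            findings.append({"dst": dst, "second": second,
                             "packets": total, "sources": n_src})
    return findings


if __name__ == "__main__":
    for f in detect_floods(SAMPLE_LOG):
        print("flood toward %(dst)s at t=%(second)d: %(packets)d pps "
              "from %(sources)d sources" % f)
```

Only the second-1000 burst is reported; the single high-volume client in second 1001 stays below the distinct-source threshold, which is the check that keeps a busy legitimate service from being mistaken for a flood.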
