Distributed Denial of Service - HACKING 17 Most Dangerous Hacking Attacks (2017)

Chapter 12 - Distributed Denial of Service

Before we get into the nitty-gritty details, let's take a step back and think about what a Denial of Service actually means.

Denial of Service

Also known as DoS; in fact, most IT professionals simply refer to it as DoS. Denial of Service can be explained in several ways, but put simply, it is an event in which something or someone prevents a system from operating.

Before moving on to any technical details, take a moment to think about how much it would cost someone to cause a Denial of Service at a given organization. My hint is this: do not overcomplicate it, and forget about any technical implementation. Also, try to come up with the cheapest possible way to cause such an event at a small company, let's say one of no more than 500 people.

OK, I assume you have thought about it, so let me elaborate. Some of you might think you need large systems, enormous CPU capacity, a fast internet connection and so on. Some of you, in fact most people, think that to cause a Denial of Service at an average company the minimum that could be enough is a laptop; thinking of a second-hand laptop, you might say a hundred bucks, right?

What if I told you otherwise? What if I said 50 cents would be enough? I know it sounds weird and you may think it is impossible, but think again. Imagine that an evil guy walks up to a public payphone, dials a company or the reception of a large building, says there is a bomb in the building, and walks away. Unfortunately, things like this happen all the time, all over the world. As you see, no technical knowledge and no laptop are required to cause a Denial of Service. This example would probably cost an average company a great fortune. Think about the standard procedure on receiving a bomb threat: first a full building evacuation, then the police or a bomb squad have to go through the whole building to make sure there is no threat. I would say the minimum downtime, during which those employees are unable to work, is at least 3 hours. A 3-hour outage, with an average employee on wages of $10 per hour, would cost a company of 500 people at least $15K. Not to mention the lost work and other losses. Any guests or prospective clients who experienced such an event would also reconsider doing business with the company. Of course, some employees would resign right then, so the company would have to spend on job ads, additional interviews, training for new staff and so on.

When most people think of a Denial of Service, they start to picture black hat hackers with deep technical knowledge, but in reality it can be done with a simple phone call, costing less than a dollar and taking 10 seconds.

DoS in a Digital world

Denial of Service happens all the time, but let's look at the history of DoS in the news. At the end of the 90s and the beginning of the 21st century, Denial of Service was all over the news. Back then it was a new type of attack that had to make the headlines, and the companies that got hit happily explained what they had gone through. Approaching 2010, these types of attacks seemed to drop off, or at least we do not hear about them in the news as much as we used to. Why is that? Companies realized that repeatedly getting hacked, or having their websites or web services taken down, is not good for their reputation. Instead of willingly admitting that they have been the victim of a denial of service attack, they simply deny it and declare that whoever is spreading the word is making false statements. Now think about an insurance company that keeps getting hacked and whose website is almost never usable. Why would you insure yourself or any of your belongings with them if they can't even secure themselves? Well, you wouldn't. Back in the day it was cool to talk about it; now that has changed, as even mentioning that a company has been hacked or its web services taken down would expose weakness in its security infrastructure.

Denial of service can be caused in multiple ways, but most commonly the result is the same: the website stops functioning.

A very common case is a known vulnerability in certain system software that requires patching. Large vendors announce these issues publicly, to those holding a contract with them and to anyone who is registered on their e-mail lists and happy to receive newsletters about the latest and greatest. So basically nothing stops the bad guys from receiving the same news as those who need to implement the patch. In a production environment these issues can be of high importance. However, most patching requires system reboots, and such changes should take place out of hours.

So when you think about average company standards and change management procedures, such as planning the change and obtaining approvals, this can take days, if not weeks. However, if some exceptional infrastructure managers can convince the business that these changes must be completed ASAP, they might just be able to patch the vulnerabilities on the same day they receive the news. Treating vulnerability patching as an emergency change is indeed a good idea; however, if you can only implement the required patch in the evening, that might already be too late. Black hat hackers need no approvals and no change management meetings to attend; all they have to do is take down your website. That is why DoS attacks are so common. In fact, if you want to watch DoS attacks live, you can visit Norse: http://map.norsecorp.com/#/

Norse has more than 8 million sensors around the globe, which is how they are able to create a map of live attacks.

The reason for DoS?

Why would anyone ever carry out a Denial of Service? The answer is to deny a particular service, yes, but why? In Volume 1 of my book I explained the history of hacking, and that showing off certain achievements was very popular back in the day. It was all about fame, so that hackers could be recognized among one another. There was, of course, the fun side of it too for some. However, those days are nearly over. Don't get me wrong, I do know that people like these exist, and they will never go away. However, time has moved on. As time moved on, hackers grew up too, and those who were historically involved in significant hacking and in attacks like DoS, or even DDoS, now have a different lifestyle. Some have become white hat hackers or security experts with their own companies, or help large corporations or government agencies as cyber security consultants. When it comes to financial gain, DoS attacks might be helpful for some, and let me explain why. As of 2017, there are 5 to 10 companies producing high-quality mobile phones around the globe. There are more than that, but I am looking at the five most common brands out there. So imagine that one of them could take out the rest by repeatedly causing DoS against their web services. This is what we call cyberwar. It has been happening for years; in fact, it always existed, but now it is hitting the digital world.

Banks and other financial organizations, in fact whole countries, keep attacking each other, and if you follow the news you might have heard that some countries have even lost their internet connection for hours. A traditional DoS attack can take down a website, yes, but taking down a whole country, with no one knowing who did it? This is the world we live in, so we had better accept it as it is.

DDoS

It stands for Distributed Denial of Service, technically written DDoS and pronounced "dee-dos".

I did not go into much detail when I explained DoS, so let me elaborate now. I mentioned that a DoS attack prevents a certain service or website from functioning, and I mentioned one common technique hackers can use. However, there is another way that DoS, and especially DDoS, is famous for.

I have visited certain websites that had issues in the days just before Black Friday or the Christmas period, such as the site being unreachable. This happens simply because the website has so many visitors at the same time that it eventually crashes. On Black Friday, when everything is discounted, you will find many websites unable to function after a while due to the high number of visitors. Black hat hackers take down sites using a very similar technique: a vast number of visits at the same time.

TCP SYN Flood attack

I explained in Volume 2 how TCP works and why understanding it is so important for a great white hat hacker or security engineer. To visit a website, certain protocol stacks help us establish the connection. One of the most common is TCP, the Transmission Control Protocol. TCP uses a three-way handshake to establish a connection between the client and the server. In a standard TCP connection, when the end user types a website address into the browser, the client sends a SYN packet, a synchronize request. Next, the server answers with a SYN-ACK packet, meaning the synchronize request was acknowledged. In the third step, the client sends an ACK packet, acknowledging the server's response; the three-way handshake is now complete and communication is established, so the end user sees the website on the screen.

When a black hat hacker implements a TCP SYN flood attack in DDoS form, only SYN packets are sent to the server, from multiple hosts simultaneously, and the server keeps running out of space because it has to remember to wait for the ACK packet from each client that initiated a SYN request.

Ping of death

Another way to cause a DDoS attack is to use the echo requests of the ping utility. Again, I have explained before how to use ping and what it is for, but to remind you, ping is formally used to check the reachability of a certain device on the network. Once a client initiates a ping, also known as an echo request, to a certain server, there will be an echo reply from the server. In a DDoS, multiple clients initiate echo requests simultaneously, causing the server to stop functioning.

I have used the words multiple clients in both examples; this means the black hat hacker would use a BOTNET (robot network) to carry out either the TCP SYN flood attack or the Ping of Death. Cyber criminals would probably use both attack methods at the same time, plus additional types, in the form of multiple BOTNETs.
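The two symptoms described above, a server holding many half-open connections that never receive their final ACK, and a burst of echo requests from many sources, are both visible to a defender in packet logs. The following script is an added example (not from the book) that replays a constructed packet trace, tracks the three-way handshake state per client/server pair, and raises an alert when the half-open count exceeds a backlog-sized threshold or when ICMP echo requests exceed a per-second rate. The server address 203.0.113.10, the client addresses, the thresholds and every trace line are assumptions made for the demonstration.

```python
from collections import defaultdict

SERVER = "203.0.113.10:443"     # hypothetical web server (constructed address)

# Constructed packet trace, not captured traffic: (time_s, proto, src, dst, flag).
# 198.51.100.7 is a legitimate client; the 192.0.2.x hosts stand in for bots.
TRACE = (
    [(0.00, "tcp", "198.51.100.7", SERVER, "SYN"),
     (0.01, "tcp", SERVER, "198.51.100.7", "SYN-ACK"),
     (0.02, "tcp", "198.51.100.7", SERVER, "ACK"),
     (0.50, "icmp", "198.51.100.7", "203.0.113.10", "echo-req"),
     (0.51, "icmp", "203.0.113.10", "198.51.100.7", "echo-rep")]
    # six different sources send a SYN each and never answer the SYN-ACK
    + [(1.00 + i * 0.01, "tcp", f"192.0.2.{i}", SERVER, "SYN") for i in range(1, 7)]
    # five different sources ping the server within half a second
    + [(2.00 + i * 0.10, "icmp", f"192.0.2.{10 + i}", "203.0.113.10", "echo-req")
       for i in range(1, 6)]
)


def analyse(trace, half_open_limit=5, echo_limit=4, window_s=1.0):
    """Replay the trace and report half-open TCP state and ICMP echo rates.

    half_open_limit models the server's listen backlog; echo_limit is the
    number of echo requests per window_s seconds tolerated per destination.
    """
    half_open = {}                       # (client, server) -> time of SYN
    peak_half_open = defaultdict(int)    # server -> highest simultaneous count
    echo_times = defaultdict(list)       # destination -> recent echo-req times
    alerts, alerted = [], set()

    for t, proto, src, dst, flag in sorted(trace, key=lambda p: p[0]):
        if proto == "tcp" and flag == "SYN":
            half_open[(src, dst)] = t
            count = sum(1 for (_, server) in half_open if server == dst)
            peak_half_open[dst] = max(peak_half_open[dst], count)
            if count > half_open_limit and ("syn", dst) not in alerted:
                alerted.add(("syn", dst))
                sources = sorted(c for (c, s) in half_open if s == dst)
                alerts.append(("syn_half_open", dst, count, sources))
        elif proto == "tcp" and flag == "ACK":
            half_open.pop((src, dst), None)    # third step: handshake completed
        elif proto == "icmp" and flag == "echo-req":
            times = echo_times[dst]
            times.append(t)
            while times and times[0] < t - window_s:   # slide the window
                times.pop(0)
            if len(times) > echo_limit and ("icmp", dst) not in alerted:
                alerted.add(("icmp", dst))
                alerts.append(("icmp_echo_rate", dst, len(times), None))

    return {"peak_half_open": dict(peak_half_open),
            "stuck_sources": sorted({c for (c, _) in half_open}),
            "alerts": alerts}


if __name__ == "__main__":
    report = analyse(TRACE)
    print("peak half-open per server:", report["peak_half_open"])
    print("sources still half-open:", report["stuck_sources"])
    for kind, dst, n, sources in report["alerts"]:
        print(f"ALERT {kind}: {dst} count={n} sources={sources}")
```

The legitimate client disappears from the half-open table as soon as its ACK arrives, so it never appears in the alert; the alert's source list is what tells you whether the load comes from one host or is distributed across many, which is the distinction between DoS and DDoS that the chapter draws.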

Protection against DDoS

First, let me tell you that a DDoS using various BOTNETs can take down any website; it is only a matter of when, rather than whether it can be done.

Implementing rate limiting against TCP SYN flood attacks is the bare minimum, and echo request/reply should be turned off to protect against the Ping of Death. There should of course be IPS and IDS systems in place as well as firewalls; for large organizations this is a must in order to provide an always-on web service.
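To make the two controls named above concrete, here is an added example (not from the book, and not any firewall product's own code) of an in-line filter that applies per-source SYN rate limiting with a token bucket, bounds the number of half-open entries it will admit and expires them after a timeout, and drops ICMP echo requests outright. It is replayed over a constructed trace; the server address, the client addresses, the rates and the timeout are all assumptions. The trace deliberately includes a distributed burst so the result also shows the limit of per-source rate limiting: each bot stays under its own budget, and it is the backlog cap that protects the server, at the cost of refusing a legitimate client until slots time out.

```python
from collections import defaultdict

SERVER = "203.0.113.10:443"   # hypothetical web server (constructed address)


class TokenBucket:
    """Per-source SYN budget: refills `rate` tokens/s, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    """Toy filter applying the chapter's two controls: SYN rate limiting
    (with a bounded, time-limited half-open table) and no ICMP echo."""

    def __init__(self, syn_rate=1.0, syn_burst=2, backlog=8,
                 half_open_timeout=3.0, icmp_echo_enabled=False):
        self.buckets = defaultdict(lambda: TokenBucket(syn_rate, syn_burst))
        self.backlog, self.timeout = backlog, half_open_timeout
        self.icmp_echo_enabled = icmp_echo_enabled
        self.half_open = {}               # (src, dst) -> time SYN was admitted
        self.dropped = defaultdict(int)   # drop reason -> count

    def _expire(self, now):
        # Reclaim half-open slots whose final ACK never arrived.
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[key]

    def handle(self, t, proto, src, dst, flag):
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(t)
        if proto == "icmp" and flag == "echo-req" and not self.icmp_echo_enabled:
            self.dropped["icmp_echo_disabled"] += 1
            return False
        if proto == "tcp" and flag == "SYN":
            if not self.buckets[src].allow(t):
                self.dropped["syn_rate_limit"] += 1
                return False
            if len(self.half_open) >= self.backlog:
                # Protects the server's backlog, but new clients are refused too.
                self.dropped["backlog_full"] += 1
                return False
            self.half_open[(src, dst)] = t
        elif proto == "tcp" and flag == "ACK":
            self.half_open.pop((src, dst), None)   # handshake completed
        return True


# Constructed trace, not captured traffic: legitimate clients 198.51.100.x,
# one noisy source 192.0.2.9, then twelve distinct 192.0.2.1xx sources.
TRACE = (
    [(0.00, "tcp", "198.51.100.7", SERVER, "SYN"),
     (0.02, "tcp", "198.51.100.7", SERVER, "ACK"),
     (0.50, "icmp", "198.51.100.7", "203.0.113.10", "echo-req")]
    + [(1.00 + i * 0.01, "tcp", "192.0.2.9", SERVER, "SYN") for i in range(10)]
    + [(10.00 + j * 0.01, "tcp", f"192.0.2.{101 + j}", SERVER, "SYN") for j in range(12)]
    + [(11.00, "tcp", "198.51.100.8", SERVER, "SYN"),
       (15.00, "tcp", "198.51.100.8", SERVER, "SYN"),
       (15.02, "tcp", "198.51.100.8", SERVER, "ACK")]
)


def run(trace, **kwargs):
    """Replay a trace through a fresh EdgeFilter and summarise the decisions."""
    f = EdgeFilter(**kwargs)
    decisions = [(t, src, flag, f.handle(t, proto, src, dst, flag))
                 for t, proto, src, dst, flag in trace]
    return {"allowed": sum(1 for d in decisions if d[3]),
            "dropped": dict(f.dropped), "decisions": decisions}


if __name__ == "__main__":
    result = run(TRACE)
    print(result["dropped"])
    for t, src, flag, ok in result["decisions"]:
        if not ok:
            print(f"t={t:6.2f} drop {flag:8s} from {src}")
```

The single noisy source is cut to two admitted SYNs by its bucket, while the twelve-source burst passes the per-source check untouched and is stopped only by the backlog cap; the legitimate client that arrives at t=11 is refused for the same reason and only succeeds at t=15, after the stale entries have expired. That collateral effect is why rate limiting at the edge is described above as a bare minimum rather than a complete defence, and why the upstream IPS/IDS and firewall capacity the chapter calls for still matter.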