A denial of service is when the bad guys take a service that’s normally available and make it unavailable for you and everyone else. They’re causing a particular service to fail. There are many ways to do this. One way is to take advantage of a design vulnerability or a bug in a particular piece of software, and this is why we always tell you to patch your applications and patch your operating systems. If there’s a problem in that operating system that can cause it to crash, the bad guys can take advantage of that and cause a denial of service.

Sometimes a denial of service is simply an overwhelming of a service. The service is working normally, there are no vulnerabilities and no security patches required; there are just so many requests hitting a site all at once that the service is denied to everyone else. This could also be a smokescreen for other problems. For example, someone could cause a denial of service against an organization’s DNS server, and while it’s down the bad guys can stand up their own DNS server to control where people are going. This doesn’t have to be a complicated method. It could be something as simple as turning off the power to a building, and that would certainly cause a denial of service.

Sometimes a denial of
service isn’t something that’s happening maliciously, but it is still causing problems for people trying to gain access to that service. One might be a network-based denial of service: somebody creates a loop between two switches, Spanning Tree Protocol isn’t enabled on your switches, and the resulting broadcast storm means nobody can communicate on your network. Maybe it’s a denial of service because you don’t have enough bandwidth and everybody’s trying to download something all at once. Everything slows to a crawl, and nobody’s able to get anything done. And one type of denial of service that I’ve had to deal with is a waterline breaking in a computer room. That could certainly be a problem that might cause a denial of service for a large group of people.

A distributed
denial of service is one where the service is being denied because the attack is coming from many places all at the same time. There could be a botnet, an army of infected computers that have been programmed to take down a website. They come from many different locations, and it becomes almost impossible to stop all of them because there are so many different places that they’re coming from. This is why the bad guys have spent so much time infecting these computers with bot malware, so they can then control them and tell them exactly where they’d like them to go. One characteristic of a DDoS attack is that the people doing the attacking often don’t have anywhere close to the resources of the organization being attacked. But because so many different devices are all doing this at the same time, they’re taking advantage of their strength in numbers to cause a problem for the organization that’s being attacked.

Another technique that the
DDoS attackers like to use is amplification. They can send a very small attack, but by the time it reaches you, it has become very, very large. They’re usually reflecting this attack off a third-party service to increase the total size of the attack when it gets to you. This has become a very common technique in distributed denial of service attacks. These amplification attacks work because some of these older protocols were not created with any type of security in mind. They run over connectionless UDP, or in ICMP’s case directly over IP, so nothing verifies the sender’s source address and it can be spoofed, and the reply is larger than the request (or, for ICMP sent to a broadcast address, many replies come back for one request). Protocols like Network Time Protocol, DNS and ICMP have all been abused to reflect and amplify attacks against a third party.

Here’s how an
amplification attack would look from a DNS perspective. Here are the DNS records associated with isc.org, and you can see in those records that they have DNSKEY records. These DNSKEY records are quite long because they are the public keys used for DNSSEC, and when the query asks for DNSSEC data the response also carries the RRSIG signatures over that record set. You can simply ask for the DNSKEY record set, and the response you get back is going to be quite large. So the bad guys are able to take advantage of that: they send a very small request, a few dozen bytes, and end up with a response that is many times larger coming back.

A distributed denial
of service attack is usually going to start with someone in command. This is our botnet command and control, and this is the person that’s in charge of the botnet. They’re going to send a message into the botnet, usually through some type of centralized messaging service. All the bots are listening in to see if there are any commands to be run. When the commands are sent in, the bots receive them and begin to act.

This particular DNS amplification denial of service is going to send requests to open DNS resolvers out on the internet, resolvers that will answer recursive queries from anyone. But the bots are going to spoof the source of the request. Instead of the request appearing to come from the bot, they’re going to say that it really came from the victim’s web server. They send those requests in, and they might go to many different DNS resolvers at once. Since we’re asking for the DNSKEY record set or some other large piece of information, that very small request turns into a very large response. And because the request was spoofed to come from that web server, every resolver sends its large response to the web server, not to the bot. The resolver only ever sees the forged source address, so the victim’s logs show a flood of DNS responses from legitimate resolvers that it never queried. By sending a little bit of information into many DNS servers, getting a relatively large response from each one, and having all of it land on one target, the attackers can easily bring down that web server with a distributed denial of service attack. Two things make this harder: DNS resolvers that only answer recursion for their own clients, or that rate-limit their responses, can’t be used as reflectors, and networks that filter outbound packets with forged source addresses (BCP 38 ingress filtering) stop their infected hosts from sending the spoofed requests in the first place.
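To make the small-request, large-response mismatch from the DNSKEY discussion concrete, here is an added Python example (not code from the original video) that builds a DNSKEY query for isc.org in DNS wire format, builds a representative DNSSEC-signed answer to it, and computes the amplification factor. Only the zone name comes from the text; everything else is an assumption: the answer is constructed locally with placeholder key and signature bytes (a 2048-bit KSK, a 1024-bit ZSK and one RRSIG by the KSK), it is not isc.org’s real record set, the query carries an EDNS0 OPT record with a 4096-byte buffer, and no packets are sent.

```python
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
CLASS_IN = 1
IP_UDP_OVERHEAD = 20 + 8          # IPv4 header + UDP header, bytes on the wire


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, ..., terminating zero."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def edns_opt(udp_payload_size: int = 4096, do_bit: bool = True) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, type OPT, the 'class' field carries the UDP buffer
    size and the 'TTL' field carries the DO (DNSSEC OK) flag. A large buffer invites large answers."""
    ttl_field = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl_field, 0)


def build_dnskey_query(zone: str, txid: int = 0x1234) -> bytes:
    """An ordinary recursive DNSKEY query: 12-byte header, one question, one OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags: RD set
    question = encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    return header + question + edns_opt()


def rsa_dnskey_rdata(flags: int, modulus_bits: int) -> bytes:
    """DNSKEY RDATA (RFC 4034): flags, protocol 3, algorithm 8 (RSA/SHA-256), then the
    RFC 3110 public key: exponent length, exponent, modulus. Key bytes are placeholders
    constructed for size only, not a real key."""
    exponent = b"\x01\x00\x01"                      # 65537
    modulus = b"\xab" * (modulus_bits // 8)
    return struct.pack("!HBB", flags, 3, 8) + bytes([len(exponent)]) + exponent + modulus


def rrsig_rdata(zone: str, signer_key_bits: int) -> bytes:
    """RRSIG RDATA over the DNSKEY RRset: 18 fixed bytes, signer name, signature.
    Timestamps, key tag and signature bytes are placeholders."""
    labels = len(zone.rstrip(".").split("."))
    fixed = struct.pack("!HBBIIIH", TYPE_DNSKEY, 8, labels, 3600,
                        1_900_000_000, 1_800_000_000, 12345)
    return fixed + encode_name(zone) + b"\xcd" * (signer_key_bits // 8)


def answer_rr(rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """Answer RR whose owner name is a compression pointer (0xC00C) to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_dnskey_response(zone: str, keys, signer_key_bits: int, txid: int = 0x1234) -> bytes:
    """Representative signed DNSKEY answer: question echoed back, one DNSKEY RR per
    (flags, bits) pair in `keys`, one RRSIG over the set, and an OPT record."""
    rrs = [answer_rr(TYPE_DNSKEY, rsa_dnskey_rdata(f, b)) for f, b in keys]
    rrs.append(answer_rr(TYPE_RRSIG, rrsig_rdata(zone, signer_key_bits)))
    header = struct.pack("!HHHHHH", txid, 0x81A0, 1, len(rrs), 0, 1)   # QR, RD, RA, AD
    question = encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    return header + question + b"".join(rrs) + edns_opt()


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header so the response can be sanity-checked."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "qdcount": qd, "ancount": an, "arcount": ar}


def amplification_factor(query: bytes, response: bytes, on_the_wire: bool = True) -> float:
    """Bytes the victim receives per byte the bot sends. Counting IP+UDP headers lowers the
    ratio, since they cost the same in both directions."""
    overhead = IP_UDP_OVERHEAD if on_the_wire else 0
    return (len(response) + overhead) / (len(query) + overhead)


if __name__ == "__main__":
    q = build_dnskey_query("isc.org")
    r = build_dnskey_response("isc.org", keys=[(257, 2048), (256, 1024)], signer_key_bits=2048)
    print(f"query: {len(q)} bytes, response: {len(r)} bytes ({parse_header(r)['ancount']} RRs)")
    print(f"amplification: x{amplification_factor(q, r, on_the_wire=False):.1f} payload, "
          f"x{amplification_factor(q, r):.1f} on the wire")
```

The ratio depends on the zone’s key sizes and how many signatures come back; a 36-byte query producing a 755-byte answer is roughly a 21x payload amplification here, and ANY queries against heavily signed zones produce far larger answers, which is why resolvers now commonly return minimal responses to ANY (RFC 8482).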
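On the receiving end, the reflection sequence above has a recognizable signature: a host gets a flood of UDP packets from source port 53, sent by many different resolvers it never queried, each carrying a large payload. The following added Python example (not code from the original video) runs that check over a set of constructed flow records. The addresses, thresholds and packet sizes are assumptions chosen to illustrate the pattern, and the `Flow` record is a stand-in for whatever NetFlow, IPFIX or packet-capture summary you actually have.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet or flow summary; a stand-in for a NetFlow/IPFIX/pcap record (assumed shape)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def detect_dns_reflection(flows, local_prefixes=("203.0.113.",),
                          min_responses=50, min_ratio=10.0, min_resolvers=5):
    """Flag local hosts that receive far more UDP/53 responses than they sent queries,
    from many distinct resolvers. Thresholds are assumptions; tune them to your baseline.
    The prefix match is deliberately simple; use the ipaddress module for real netblocks."""
    queries = defaultdict(int)        # local host -> UDP queries it sent to port 53
    responses = defaultdict(int)      # local host -> UDP packets it got from port 53
    resolvers = defaultdict(set)      # local host -> distinct source IPs of those responses
    resp_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 53 and f.src.startswith(local_prefixes):
            queries[f.src] += 1
        elif f.sport == 53 and f.dst.startswith(local_prefixes):
            responses[f.dst] += 1
            resolvers[f.dst].add(f.src)
            resp_bytes[f.dst] += f.nbytes
    findings = []
    for host, n in responses.items():
        q = queries.get(host, 0)
        ratio = n / max(q, 1)         # responses per query; a host that sent none is the worst case
        if n >= min_responses and ratio >= min_ratio and len(resolvers[host]) >= min_resolvers:
            findings.append({"host": host, "responses": n, "queries": q,
                             "resolvers": len(resolvers[host]),
                             "avg_bytes": resp_bytes[host] // n})
    return sorted(findings, key=lambda d: d["responses"], reverse=True)


def build_sample_flows():
    """Constructed traffic: one normal client doing 20 lookups through the corporate resolver,
    and a web server hit by 200 unsolicited 750-byte answers from 40 open resolvers."""
    flows, t = [], 0.0
    for i in range(20):
        flows.append(Flow(t, "203.0.113.10", 40000 + i, "198.51.100.1", 53, "udp", 60))
        flows.append(Flow(t + 0.01, "198.51.100.1", 53, "203.0.113.10", 40000 + i, "udp", 90))
        t += 0.5
    for i in range(200):
        # reflected answers land on whatever source port the bots forged, here 80
        flows.append(Flow(t + i * 0.001, f"192.0.2.{i % 40 + 1}", 53,
                          "203.0.113.80", 80, "udp", 750))
    return flows


if __name__ == "__main__":
    for hit in detect_dns_reflection(build_sample_flows()):
        print(hit)
```

The normal client is not flagged because its responses are matched one-for-one by queries it sent; the web server is flagged because it sent no DNS queries at all yet received hundreds of large answers from dozens of resolvers. The same data also supports the resolver-side view of the attack: a recursive server that suddenly sees bursts of DNSKEY or ANY queries for one name from a single "client" it has never served before is most likely being used as a reflector.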