|
|
|
A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In this article we will look at a DoS and a DDoS which is a 揇istributed Denial of Service |
|
|
|
|
|
|
|
|
|
|
|
Launching A Distributed DoS
DDoS attacks advance the DoS conundrum one more painful step forward. DoS attacks have evolved beyond single-tier (SYN flood) and two-tier (Smurf) attacks. Modern attack methodologies have now embraced the world of distributed multi-tier computing. One of the significant differences in methodology of a DDoS attack is that it consists of two distinct phases. During the first phase, the perpetrator compromises computers scattered across the Internet and installs specialized software on these hosts to aid in the attack. In the second phase, the compromised hosts, referred to as zombies, are then instructed through intermediaries (called masters) to commence the attack. In figure 11.6 we look at the simplified explanation of a Distributed Denial of Service attack.
* The Vicious Attacker plans his/her attack. The first step is to recruit Zombies to do the dirty work.
* The Vicious Attack then crafts a Trojan (like we looked at earlier) that can be planted on unsuspecting machines. E-mails are sent, machines are infected and once infected they are recruited into the Zombie Hoard.
* Eventually, the Vicious Attacker plans out an attack once the army has been built. An unsuspecting victim site is chosen (in this scenario www.hackme.com is the unlucky site).
* The Vicious Attacker launches a flood of traffic to hackme.com and it is so flooded with bogus traffic from 100抯 of machines that it can抰 serve up request for any real shoppers to the site. This attack can vary from SYN floods to Pings of Death |
|
|
|
|
|
|
|
|
|
|
|
DDOS or its tool, TTFN popular masa late 90an selain SMURF hyper ping tools.
The 'beauty' of SMURF:
Normally computer will accept ping echo request. So, the remote computer will aware that ur computer is exist. It will send back ping to inform ur computer that it already aware about u. By using some tool to scan broadcast ip which will scan all of it's available IP in it's 'coverage network', the scan tools can print all those replied ping from the remote pc to u. By using a text file and put all those IP (very lots of IP, the more is better for example like 1000 ip's), u can launch smurf program which will execute the text file with ip's.
How this thing happen? The smurf program will send the victim's ip address (similar as a spoofed IP), then all those 1000 remote computer ip's will 'think' that the victim's ip address is requesting a normal ping, imagine that one ping from a one remote pc is calculate as 64 bytes per packet of ping. As for 1000 ip's will ping 1000 packets, so the ping receive by the victim computer is 64 bytes x 1000 equal to 64000bytes. And how about 10,000 remote ip? It will be 640,000 bytes (640 kbytes) receive by the victim. Smurf is popular around 90s as most people are using dialup modem and have a maximum only with a 56k of capabilities. Thus, it's a killer to a modem.
Threat : Will only make the victim's pc feel some lag.
The 'most beauty' of DDOS:
This one required a skill of hacking and cracking into a remote pc or server or having an user account in the remote pc/server. DDOS tools will be having a client version and server version. Once you already have an account in the remote server/pc, you can put the client DDOS tool in it and execute it as a background process. If you have more remote account, will be better. Use the server version tool for ur self. Once u have put all those client DDOS tool, u can execute the remote DDOS (client side) tool with from a single command from ur pc. The DDOS for example, u can execute something like ping -s 65000, which equal to 65000 packets of ping. One packet equal to 64 bytes, so if 65000 will equal to 4,160,000 bytes (4.16mbytes). Imagine if execute from 50 remote server/pc? It will be 208mbytes. Scary isnt it? The victim's will receive 208mbytes! The normal connected bandwidth of victim will be around 56k to 2mb. That's why yahoo server down a few times around the late 90s. 
Threat : Will make the victim's pc full out of connection. A very damn lag and also cannot be reach anymore from the outside network during the DDOS execution.
[ Last edited by cz on 26-1-2005 at 01:51 AM ] |
|
|
|
|
|
|
|
|
|
| |
|
Post time 10-3-2004 06:27 AM
变色卡
Author
