Another form of trickery is the
Distributed Denial of Service attack (DDoS). As with all such denial attacks,
it is accomplished by the hacker getting a number of machines to attack the
target. However, this attack works a bit differently than other DoS attacks. Rather than getting computers to
attack the target, one of the ways the hacker accomplishes a DDoS is to trick Internet
routers into attacking a target. Another form of DDoS relies on compromised
(zombie) hosts to simultaneously attack a given target with a large number of
packets.
Recall from the discussion that
many of the routers on the Internet backbone communicate on port 179 (Gibson,
2002). This attack takes advantage of this communication line and recruits
routers to attack the target system. What makes this attack particularly wicked
is that it does not require the router in question to be compromised in any
way. Because of this, a hacker sends packets carrying various messages to the
connection. The packets have been altered so that they appear to come from the
target system's IP address. Routers respond by starting a connection with the
target system. What happens next is a flood of connections from multiple routers,
all aimed at the same target system. The effect of this flood is to make the
system inaccessible.
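The tell-tale sign of the router-reflection flood described above, from the victim's side, is a burst of connection responses arriving from port 179 on many different routers for connections the victim never opened. The following detection script is an added example, not part of the original text; it runs over a constructed flow log in a hypothetical "time src:port > dst:port flags" format and reports hosts that received unsolicited SYN/ACKs from at least five distinct routers.

```python
"""Flag victims of a port-179 reflection flood: many distinct routers answering
SYN/ACK toward one host that never sent them a SYN (spoofed source address).
The log format and the sample lines below are constructed for this example."""
from collections import defaultdict

# Constructed flow log. Flags: S = SYN, SA = SYN/ACK. The host 203.0.113.9
# only ever initiated one BGP session itself (to 198.51.100.20).
SAMPLE_LOG = """\
1000.0 198.51.100.7:179 > 203.0.113.9:40001 SA
1000.1 198.51.100.8:179 > 203.0.113.9:40002 SA
1000.2 198.51.100.9:179 > 203.0.113.9:40003 SA
1000.3 198.51.100.10:179 > 203.0.113.9:40004 SA
1000.4 198.51.100.11:179 > 203.0.113.9:40005 SA
1000.5 203.0.113.9:50000 > 198.51.100.20:179 S
1000.6 198.51.100.20:179 > 203.0.113.9:50000 SA
1000.7 198.51.100.12:179 > 203.0.113.9:40006 SA
"""


def parse_line(line):
    """Split one log line into (ts, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags


def find_reflection_victims(log_text, bgp_port=179, min_reflectors=5):
    """Return {victim_ip: sorted reflecting routers} for every host that got
    SYN/ACKs from port bgp_port on >= min_reflectors routers it never contacted."""
    solicited = set()                 # (client_ip, client_port, router_ip) of real SYNs
    unsolicited = defaultdict(set)    # victim_ip -> routers that replied unasked
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src_ip, sport, dst_ip, dport, flags = parse_line(line)
        if flags == "S" and dport == bgp_port:
            solicited.add((src_ip, sport, dst_ip))
        elif flags == "SA" and sport == bgp_port:
            # A SYN/ACK with no matching outbound SYN means someone else sent
            # the SYN with this host's address as the spoofed source.
            if (dst_ip, dport, src_ip) not in solicited:
                unsolicited[dst_ip].add(src_ip)
    return {v: sorted(r) for v, r in unsolicited.items() if len(r) >= min_reflectors}


if __name__ == "__main__":
    for victim, routers in find_reflection_victims(SAMPLE_LOG).items():
        print(f"{victim}: unsolicited SYN/ACK from {len(routers)} routers {routers}")
```

The same logic applies to any reflected TCP service: only the port constant changes, and the legitimately opened session (here to 198.51.100.20) is correctly left out of the count.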
Real-World Examples
A good deal of time has been spent discussing
the basics of how various DoS attacks are conducted. By now, you should have a
firm grasp of what a DoS attack is and have a basic understanding of how it
works. It is now time to begin discussing specific, real-world, examples of
such attacks. This section will take the theoretical knowledge you have gained
and give you real-world examples of this application.
MyDoom
One of the most well-publicized DoS
attacks was the MyDoom attack. This threat was a classic distributed DoS
attack. The virus/worm would e-mail itself to everyone in your address book and
then, at a preset time, all infected machines would begin a coordinated attack
on www.sco.com (Delio, 2004). Estimates put
the number of infected machines between 500,000 and 1 million. This attack was
successful and promptly shut down the SCO web site. It should be noted that
well before the day that the DoS attack was actually executed, network
administrators and home users were well aware of what MyDoom would do. There were
also several tools available free of charge on the Internet for removing the
virus/worm. However, it appears that many people did not take the steps
necessary to clean their machines of this virus/worm.
What makes this attack so
interesting is that it is clearly an example of domestic cyber terrorism
(although the creators of MyDoom would probably see it
differently). For those readers who do not know the story, it will be examined
here briefly. The Santa Cruz Operation (SCO) makes a version of Unix that is copyright
protected. Several months before this attack, SCO began accusing certain Linux
distributions of containing segments of SCO Unix code. SCO sent demand letters
to many Linux users demanding license fees. Many people in the Linux community
viewed this request as simply an attempt to undermine the growing popularity of
Linux, an open-source operating system. SCO went even further and filed suit
against major companies that were distributing Linux (SCO/Linux, 2003). This claim
by SCO seemed unfounded to many legal and technology analysts. It was also
viewed with great suspicion because SCO had close ties to Microsoft, which had
been trying desperately to stop the growing popularity of Linux.
Many analysts feel that the MyDoom
virus/worm was created by some individual (or group of individuals) who felt
that the Santa Cruz Operation's tactics were unacceptable. The hackers wished to
cause economic harm to SCO and damage its public image. This probable motive
makes this case clearly one of domestic economic terrorism: one group attacks
the technological assets of another group based on an ideological difference. Prior
to this virus/worm, there were numerous Web site defacements and other
small-scale attacks that were part of ideological conflicts. However, this
virus/worm was the first such attack to be so widespread and successful. This
incident began a new trend in information warfare. As technology becomes less
expensive and the tactics more readily available, you can expect to see an
increase in this sort of attack in the coming years.
Slammer
Another virus/worm responsible for
DoS attacks was the Slammer virus/worm. Some experts rate Slammer as the fastest-spreading
virus/worm ever to hit the Internet (Moore, 2004). This virus/worm achieved its
DoS simply by spreading so fast that it clogged up networks. It began spreading
on January 25, 2003. It would scan a network for any computers running
the Microsoft SQL Server Desktop Engine. It then used a flaw in that
application to infect the target machine. It would continually scan every
computer connected to the infected machine, seeking one with Microsoft SQL Server
Desktop Engine. At its peak, it performed millions of scans per second. This activity
resulted in a tremendous number of packets going across infected networks. That
flood of scanning packets brought many systems down.
This particular attack was
interesting for two reasons. First, what defines this virus as also being a worm
is its method of propagation. It was able to spread without anyone downloading it or
opening an attachment in an e-mail. Instead, it would randomly scan IP
addresses, looking for any machine it could infect. This method meant that it
spread much faster than many other virus/worm attacks had previously. The second
interesting fact about this attack was that it was totally preventable. Microsoft
had released a patch for this flaw weeks before the attack took place. This story
should illustrate the critical need to frequently update your machine's
software. You must make certain that you have all the latest patches installed
on your machine.