DDoS Basics

Introduction
Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade
services provided by a computer at a given Internet Protocol1 (IP) address.

This paper will explain, in extremely basic terms, the various types of DDoS attacks.
We will explain the motivations of the miscreants behind these attacks and outline
the differing functionality of each attack type, providing examples and suggesting
measures that could be employed to mitigate future incidents.

This paper is not intended to serve as a comprehensive technical guide, but merely a
relatively non-technical overview for the novice. We will try to avoid jargon and
explain it where we have no alternative.

Figure 1: This image shows the relative number of machines in various countries on a single recent date
that were known to be infected with at least one computer virus. The numbers fluctuate regularly but
most of these infected machines will be part of botnets.

1 Think of these, in very basic terms, like phone numbers for computers on the
internet: unique numbers that identify ‘areas’ and unique machines on the network.

© 2010 Team Cymru, Inc - all rights reserved. No part of this publication may be reproduced without
the prior written permission of Team Cymru.
Motivations

The Underground Economy (UE) is a term used to describe the massive
communications and economic infrastructure used by criminals who engage in
crime against, and facilitated by, the Internet and its users.

Primarily designed for acquisitive crime, transactions seen in the UE generally tend
to shy away from DDoS attacks, after all ‘nobody makes any money if you break the
Internet’.

However, DDoS attacks clearly do occur, for some of the following reasons:

Revenge – attacks against a rival, typically to take that person’s shell2 or
home connection offline, traditionally part of petty disputes on Internet
Relay Chat (IRC).

Demonstration – DDoS attacks normally utilize botnets: networks of
computers that are all infected with the same virus and are all under the
control of one person. DDoS attacks can be used to prove the size and power
of a botnet before it is rented or sold in the UE. Many apparently motiveless
attacks have been demonstrations with a victim picked essentially at
random.

Extortion – a favorite of Russian Organized Crime groups, DDoS attacks on e-
commerce, and legitimate online gambling sites in particular, can yield
ransoms of a few tens of thousands of dollars in exchange for allowing the
victim site to resume business. Interviews with perpetrators now in prison
have confirmed that they will ignore potential victims who ignore their
demands and move onto new targets in the hope of engaging in negotiations
with them.

Competitive advantage – DDoS services can be rented to take a competitor’s
website offline, causing lost business or embarrassment and forcing current
or potential customers to use a rival who can often claim plausible
deniability for any attack.

2 A shell is an account on a remote server that can be used to hide your identity or
perform other functionality that you would not want to occur on your local machine.

Figure 2: The average daily number of infected machines over the last 12 months for the Americas

Collateral damage – often many thousands of sites will be hosted on the same
server and IP address. An attack on one site will have the effect of taking
them all offline. Due to the topology of the Internet, huge attacks will often
cripple companies that provide connectivity, well before the attack even
reaches the final intended target. Routers can be attacked just as websites
and end users can be, resulting in connectivity issues for perhaps millions of
users that the attacker had no reason to want to impact.

Combination attacks – one that is only theoretical at this stage, but involving
a conventional attack in the real world (bank robbery, terrorist bombing)
that also disrupts communications links to cause panic and hinder first
responders.

Political attacks – now a mainstay of all conventional conflicts since the
Balkans, these attacks often involve regular, otherwise law-abiding Internet
users or the re-tasking of botnets that are normally engaged in conventional
UE activities. These attacks often impact IP addresses in geographic regions
or the IP space used by a specific function within a government, to further a
political cause. Protest attacks are also generally considered to be a form of
political attack, an example being the recent activity of the group known as
‘Anonymous’.

Figure 3: The average daily number of infected machines over the last 12 months for Europe

DDoS types

When reading this section, it might help to understand what a ‘Protocol’ is in
Internet terms - think of it like a language:

ICMP is the language used by computers on the Internet to talk to each other
about errors and other status-related issues. Whilst they are generally
considered to be low-priority messages, some ICMP messages perform an
important role. Others are less important and can be easily filtered.
Generally the ICMP messages used in a DDoS attack can be easily filtered,
although it is easy to blast out large volumes of packets using this protocol
as there is no built-in flow control mechanism.

TCP is the language computers use for data that needs to arrive as a defined,
ordered stream – when you have to make sure you get all of it, completely
right, every time, such as with web browsing or email. It is slightly harder
to use TCP for DDoS attacks as you have to bypass the management of the
connection in order to speed up the flow of attacking packets.

UDP is another way for computers to transfer data but it is one that is used
for data that does not need to be in a reliable stream; it does not matter if
some of it gets lost en route or delivered out of sequence as it’s better to keep
the stream moving along fast and cope with a few lost packets. Again, as
with ICMP packets, it is relatively easy to use UDP for blasts of DDoS packets
as there is no built-in mechanism to control the rate that packets are sent at.
UDP is often used for streaming video, VoIP phones and Domain Name
System (DNS) queries.

ICMP ping flood

One of the simplest and oldest methods, this one was used to great effect during the
Estonia and Georgia attacks of recent years.

Otherwise law abiding citizens simply typed ‘ping’ and an IP address from their
home computers. The combined impact of hundreds of thousands of such
simultaneous commands can be enough to disrupt communications with a website.
As with many of these types of attack, there are tools to automate this over a large
number of infected machines in a botnet.

UDP flood

This involves sending a stream of UDP packets to various ports3 on the victim
machine. Upon receipt of one of these packets, the victim machine will have to check
to see if any of its programs are set up to accept incoming data on that port.

It will probably find that there are indeed no programs listening for data
coming in on that port and it will then normally send a reply to the originator of that
packet, to the effect that ‘there’s a problem, there’s nothing here for you on that
port’. This reply is called an ICMP Destination Unreachable packet.

3 Ports are like tiny doors into a computer system. If you find one that is open, you
can probably get into the system. This is why we have Firewalls - to act as guard
dogs at these doors into your computer.

If you send enough of these UDP packets, eventually the victim machine will be so
busy responding with these ICMP Destination Unreachable packets that any
legitimate requests will be unable to get through. In fact, with UDP it’s quite easy to
fake (or ‘spoof’) where you are coming from, which hides the true origin of the UDP
packets, prevents the attacker’s own machines from getting swamped with the ICMP
Destination Unreachable packets, and makes attribution even harder.

Smurf attack

An old attack, now rare as network administrators have been able to immunize their
networks against these faked ICMP broadcast pings.

Basically, you send a packet called an Echo Request to routing devices on a network
but you fake the source address of that data with the IP address of your intended
victim. This echo request gets sent to all the devices on the network that can be
reached on the broadcast address, causing every device that received it to send back
the requested echo reply to the victim machine.

SYN flood

When you connect to a website, the two computers go through a short conversation
to agree on the way they plan to communicate. The start of this negotiation involves
the sending of a specific packet of data called a ‘SYN’ (short for ‘synchronization’),
causing the receiving computer to send a reply and then wait to continue the
conversation.

A SYN flood attack involves sending a large number of these packets to a server,
causing a lot of corresponding replies (SYN-ACKs) and consequent pauses while the
server waits for each conversation to continue. This quickly eats up all the available
resources on the server, making it impossible for any legitimate traffic to get through.

GET request

When you visit a web site, your computer makes a request for the page you want to
see using a ‘GET’ request.

In exactly the same way, miscreants can instruct machines that are part of a botnet
to all request, for example, a large image. Doing this constantly, using a large
number of machines, causes legitimate requests for content from that site to not
reach the server as the available connections are all already saturated.

Frag flood

During normal operations on the Internet, sometimes packets of data have
to be split up, or "fragmented", due to their size and restrictions on
the networks they are passing through. Various parts of the Internet
infrastructure (routers, firewalls, and servers) may sometimes be
configured to attempt to reassemble these fragments to analyze or work
with the full original packet.

A frag flood works in two ways; first, like most other DDoS attacks, it
hopes to overwhelm routers, firewalls, servers, and network links with
sheer volume of data. Second, it sends specially crafted fragments that
cannot possibly be re-assembled, because the "first fragment", the part
of the packet with information about the other fragments, is never
actually created and sent. In some cases this can overwhelm re-assembly
mechanisms and cause devices to lock up and crash, in addition to simply
filling up their network links with garbage packets to be discarded.
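The four botnet-driven floods described above each leave a different trace in a packet log: echo requests piling up from one source, SYNs that are never followed by an ACK, the victim answering UDP packets with Destination Unreachable messages, and fragments whose first fragment never arrives. The following Python script is an added example, not part of the original paper or of Team Cymru's tooling; it parses a constructed, simplified firewall-style log (the field names, the victim address 203.0.113.10 and the threshold of three events per source are all assumptions) and reports which sources match each pattern.

```python
"""Count the signatures of the flood types above in a constructed packet log."""
from collections import Counter, defaultdict

VICTIM = "203.0.113.10"   # assumed victim address (a documentation range)
THRESHOLD = 3             # assumed: events from one source before it is flagged

# Constructed packet summaries, one per line, key=value fields in the style of a
# simplified firewall log: type= is the ICMP type, off= the IP fragment offset.
SAMPLE_LOG = """\
proto=icmp type=8 src=198.51.100.1 dst=203.0.113.10 len=64
proto=icmp type=8 src=198.51.100.1 dst=203.0.113.10 len=64
proto=icmp type=8 src=198.51.100.1 dst=203.0.113.10 len=64
proto=icmp type=8 src=198.51.100.1 dst=203.0.113.10 len=64
proto=icmp type=8 src=198.51.100.2 dst=203.0.113.10 len=64
proto=tcp src=198.51.100.3 sport=1001 dst=203.0.113.10 dport=80 flags=S
proto=tcp src=198.51.100.3 sport=1002 dst=203.0.113.10 dport=80 flags=S
proto=tcp src=198.51.100.3 sport=1003 dst=203.0.113.10 dport=80 flags=S
proto=tcp src=198.51.100.3 sport=1004 dst=203.0.113.10 dport=80 flags=S
proto=tcp src=198.51.100.4 sport=2000 dst=203.0.113.10 dport=80 flags=S
proto=tcp src=198.51.100.4 sport=2000 dst=203.0.113.10 dport=80 flags=A
proto=udp src=198.51.100.5 sport=4000 dst=203.0.113.10 dport=7001 len=1200
proto=icmp type=3 src=203.0.113.10 dst=198.51.100.5 len=56
proto=udp src=198.51.100.5 sport=4000 dst=203.0.113.10 dport=7002 len=1200
proto=icmp type=3 src=203.0.113.10 dst=198.51.100.5 len=56
proto=udp src=198.51.100.5 sport=4000 dst=203.0.113.10 dport=7003 len=1200
proto=icmp type=3 src=203.0.113.10 dst=198.51.100.5 len=56
proto=udp src=198.51.100.6 id=77 off=1480 dst=203.0.113.10 len=1500
proto=udp src=198.51.100.6 id=77 off=2960 dst=203.0.113.10 len=1500
proto=udp src=198.51.100.6 id=77 off=4440 dst=203.0.113.10 len=1500
proto=udp src=198.51.100.4 id=5 off=0 dst=203.0.113.10 dport=53 len=1500
proto=udp src=198.51.100.4 id=5 off=1480 dst=203.0.113.10 len=200
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; purely numeric values become ints."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = int(value) if value.isdigit() else value
    return fields


def analyze(log_text, threshold=THRESHOLD):
    """Return {signal: {source: count}} for every source at or above the threshold."""
    echo_requests = Counter()      # ping flood: ICMP echo requests per source
    half_open = defaultdict(set)   # SYN flood: source ports whose SYN never saw an ACK
    unreachables = Counter()       # UDP flood: Destination Unreachable replies per peer
    fragments = defaultdict(list)  # frag flood: (src, id) -> fragment offsets seen

    for line in log_text.splitlines():
        p = parse_line(line)
        proto = p.get("proto")
        if proto == "icmp" and p.get("type") == 8 and p["dst"] == VICTIM:
            echo_requests[p["src"]] += 1
        elif proto == "icmp" and p.get("type") == 3 and p["src"] == VICTIM:
            unreachables[p["dst"]] += 1
        elif proto == "tcp" and p["dst"] == VICTIM:
            if p["flags"] == "S":
                half_open[p["src"]].add(p["sport"])
            elif "A" in p["flags"]:
                half_open[p["src"]].discard(p["sport"])  # handshake completed
        if "off" in p:
            fragments[(p["src"], p["id"])].append(p["off"])

    # A fragment set with no offset-0 member can never be reassembled.
    orphans = Counter()
    for (src, _ident), offsets in fragments.items():
        if 0 not in offsets:
            orphans[src] += len(offsets)

    return {
        "icmp_ping_flood": {s: n for s, n in echo_requests.items() if n >= threshold},
        "syn_flood": {s: len(p) for s, p in half_open.items() if len(p) >= threshold},
        "udp_flood": {s: n for s, n in unreachables.items() if n >= threshold},
        "frag_flood": {s: n for s, n in orphans.items() if n >= threshold},
    }


if __name__ == "__main__":
    for signal, sources in analyze(SAMPLE_LOG).items():
        print(f"{signal}: {sources or 'nothing flagged'}")
```

In a real deployment the counters would be kept per time window and the fragment check would only fire after the reassembly timeout, since a first fragment can legitimately arrive after the others; the point here is that each attack type described above has a countable signature, and that counting replies the victim sends (the Destination Unreachable messages) is as useful as counting what arrives.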

DNS Amplification attack

This is a very different type of attack that does not use botnets at all. DNS servers
are critical to how the internet works, telling our computers what IP address the
sites we need to visit can be found at.

These DNS servers are often misconfigured to allow any computer to make these
queries and to fake where the reply should be sent back to. If you ask the question of
the misconfigured DNS server in a certain way it’s possible to get a huge reply sent
‘back’ to an IP address you want to attack. Arrange for hundreds of thousands of
such queries to be sent simultaneously to a large number of these misconfigured
DNS servers and, if they all send their huge replies to the faked victim IP address,
you can achieve enormous attack sizes. This, as with most DDoS attacks, can simply
fill the network’s ‘pipes’ with garbage, preventing any legitimate traffic from getting
through.

We have seen some of the largest attacks on record using this relatively simple
method, capable of saturating the bandwidth of entire countries. Luckily they
remain rare. Team Cymru has a free service where we will tell networks if they have
any such misconfigured DNS servers in their network.

Figure 4: This image shows the locations of DNS servers that participated in a recent massive DNS
Amplification attack. The strength of the dot relates to the frequency that IP sent data.

Mitigation

There are a few tried and tested methods to lessen the pain of an attack although
they can be expensive and they are always a reactive tool. Networks find it difficult
to really avoid the impact of an attack without major investment in redundant
topologies and excessive bandwidth. Although there are many other technical
responses to DDoS attacks, here is an overview of some of the main options:

Filtering

If you can examine the traffic attacking you, you might be able to spot
similarities between the DDoS packets: they might all be coming
predominantly into one port or with a specific feature such as packet size. If
this is the case, you can set your routers to drop packets that match these
criteria. Unfortunately this might only be a temporary solution as the
miscreants only have to adjust their attacks to use a different port, packet
size or any other factor you are filtering on. Judicious use of Firewalls can
prevent unwanted traffic such as UDP floods from ever reaching an intended
victim machine.

You can make Smurf attacks harder by setting your routers to not forward
anything to broadcast addresses – now the standard setting for routers. It is
also helpful to prevent machines from responding to pings and broadcast
packets.
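To show what ‘set your routers to drop packets that match these criteria’ looks like in practice, and why it is only a temporary fix, here is an added Python example (not code from the paper or from Team Cymru). It applies a constructed policy to a constructed packet list: drop UDP aimed at the ports the flood used, drop the packet size every flood packet shared, and rate-limit ICMP echo requests per source with a token bucket so ordinary pings still pass. The ports, sizes, rate and addresses are all assumptions. The fourth UDP packet shows the weakness the paper warns about: once the attacker changes both port and packet size, the filter passes it.

```python
"""Evaluate a constructed DDoS filter policy against constructed packet summaries."""
from collections import Counter

# Assumed policy, built from what the observed attack packets had in common.
DROP_UDP_DPORTS = {7001, 7002}   # UDP ports the flood was aimed at
DROP_LENGTHS = {1200}            # packet size every flood packet shared
ECHO_RATE, ECHO_BURST = 2.0, 2   # echo requests per second, and burst, per source


class EchoRateLimiter:
    """Token bucket per source address: a source blasting echo requests has most
    of them dropped, while a source sending an occasional ping is untouched."""

    def __init__(self, rate=ECHO_RATE, burst=ECHO_BURST):
        self.rate, self.burst = rate, burst
        self.state = {}  # src -> (tokens, timestamp of last packet)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.state[src] = (tokens - 1, now)
            return True
        self.state[src] = (tokens, now)
        return False


def decide(packet, limiter):
    """Return ("drop", reason) or ("accept", None) for one packet summary."""
    if packet["proto"] == "udp" and packet.get("dport") in DROP_UDP_DPORTS:
        return "drop", "udp dport filter"
    if packet.get("len") in DROP_LENGTHS:
        return "drop", "packet length filter"
    if packet["proto"] == "icmp" and packet.get("type") == 8:
        if not limiter.allow(packet["src"], packet["ts"]):
            return "drop", "icmp echo rate limit"
    return "accept", None


def apply_policy(packets):
    """Evaluate packets in order with a fresh rate limiter; one decision per packet."""
    limiter = EchoRateLimiter()
    return [decide(p, limiter) for p in packets]


# Constructed packet summaries (ts in seconds); addresses are documentation ranges.
SAMPLE_PACKETS = [
    {"ts": 0.0, "proto": "udp", "src": "198.51.100.5", "dport": 7001, "len": 1200},
    {"ts": 0.1, "proto": "udp", "src": "198.51.100.5", "dport": 7002, "len": 1200},
    {"ts": 0.2, "proto": "udp", "src": "198.51.100.5", "dport": 9000, "len": 1200},  # new port, same size
    {"ts": 0.3, "proto": "udp", "src": "198.51.100.5", "dport": 9001, "len": 900},   # new port and new size
    {"ts": 0.0, "proto": "icmp", "type": 8, "src": "198.51.100.1", "len": 64},
    {"ts": 0.1, "proto": "icmp", "type": 8, "src": "198.51.100.1", "len": 64},
    {"ts": 0.2, "proto": "icmp", "type": 8, "src": "198.51.100.1", "len": 64},
    {"ts": 0.3, "proto": "icmp", "type": 8, "src": "198.51.100.1", "len": 64},
    {"ts": 0.5, "proto": "icmp", "type": 8, "src": "198.51.100.2", "len": 64},   # an ordinary ping
    {"ts": 1.0, "proto": "udp", "src": "198.51.100.4", "dport": 53, "len": 80},   # a DNS query
]

if __name__ == "__main__":
    decisions = apply_policy(SAMPLE_PACKETS)
    for packet, (verdict, reason) in zip(SAMPLE_PACKETS, decisions):
        print(f"{verdict:6} {(reason or ''):22} {packet}")
    print(Counter(verdict for verdict, _ in decisions))
```

The rate limiter is the part worth keeping: a plain "drop all ICMP" rule would also silence the error messages the protocol section says are important, whereas a per-source bucket only bites on the sources that exceed the allowance. The port and length rules, by contrast, encode facts about this attack, which the attacker controls and can change at will.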

Increase bandwidth

If your site normally resides at a hosting provider that gives you an average
amount of bandwidth, that bandwidth will easily be consumed by a
sustained, medium sized DDoS attack. You could purchase additional
bandwidth from your current or a larger hosting provider to absorb the
effects of the attack. This, again, might only be a temporary solution if the
attackers simply add more bots to the attack to absorb any increased
bandwidth. Some companies provide a form of insurance in that they will
host major sites on huge links that can absorb large attacks. They also
employ some clever techniques to prevent these large (often e-commerce)
sites from going down but they cost a lot of money.

IP address changes

An attack that targets the IP address your computer is at could be avoided by
simply moving to a new IP address. Unfortunately, many attacks target
domains rather than IP addresses (for example www.google.com as opposed
to the IP address that the Domain Name Servers tell computers that Google is
currently at). Even when the DDoS attack is only targeting an IP address, it’s
trivial for the attacker to react to a move and target the new IP address. Some
attacks have been going on literally for years like this.

Attribution

The most difficult and effective method of stopping a DDoS attack is to work
out who is behind it and for them to be arrested. The issues raised by this
course of action warrant their own document alone, save to say it is
unfortunately very rare for the miscreants responsible for these attacks to
get the punishments that serve as a deterrent against future crimes.

Figure 5: This image shows the origin (C&C server location) and destination of the victim of DDoS attacks
for a recent 24 hour period.

Conclusion

DDoS attacks have been around almost since the birth of the Internet. They seem to
be slightly less frequent now, probably as they are difficult to monetize, and
generally just form part of the background noise in the Underground Economy. They
remain a potent threat however, and we continue to see occasional attacks that have
evolved in both technical sophistication and power. Hard to understand and react
to, hopefully this paper will arm you with the knowledge to at least become familiar
with the basics.

Who is Team Cymru?

Team Cymru Research NFP is a specialized Internet security research firm and
501(c)3 non-profit dedicated to making the Internet more secure. By researching
the 'who' and 'why' of malicious Internet activity worldwide, Team Cymru helps
organizations identify and eradicate problems in their networks.

There are many ways to keep up with what Team Cymru is doing; see the lower
part of http://www.team-cymru.org/About/contact.html plus:

* join our announce list via cymru-announce-subscribe@cymru.com
* see what we see, www.team-cymru.org/Monitoring/Graphs
* probably the best news feed in the world, www.team-cymru.org/News
* cool stuff you can use, www.team-cymru.org/Services/
* see our Twitter feed at http://twitter.com/teamcymru
* The weekly Who and Why Show: www.youtube.com/teamcymru
