TLP WHITE

Denial of service attacks: what you need to know

Contents

Introduction
What is DOS and how does it work?
DDOS
Why are they used?
Take action
Firewalls, antivirus and updates
Use specialised equipment
Seek advice and share experience

Introduction

Denial of service (DOS) attacks and distributed denial of service (DDOS) attacks are disrupting business and costing the UK immeasurable amounts of revenue from disrupted services and follow-on attacks. This paper will explain what is meant by DOS/DDOS and how this type of attack works, examine why an attacker might choose to launch such an attack and the effect that it might have. Finally, some general guidelines will be provided that may help to mitigate any DOS attacks.

What is DOS?

A denial of service attack, often referred to as a “DOS” attack, is a method of stopping a website or service from running.
The outcome of this may be causing a website to stop displaying content, or preventing a system that operates on the Internet from working properly. DOS attacks can range in duration and may target more than one site or system at a time. It becomes a distributed DOS, referred to as “DDOS”, when the attack comes from multiple computers (or vectors) instead of one, as is the case in DOS.

A server, or anything connected to the Internet, works by passing data to and from multiple devices in a network, known as nodes. However, each node can only handle a certain amount of traffic – the amount of data being passed between nodes. This happens millions of times a second on the Internet [1], but when traffic gets busy, data rates slow down. A good example of this is ‘Black Friday’ or ‘Cyber Monday’, where millions of people attempt to buy gifts online but can be greeted with error messages rather than the webpage they expect to see. This is because the amount of traffic is too great for the host to handle and so it simply can’t serve each user. There needs to be a two-way communication in order for the customer to be able to interact with the website, but the host has stopped responding because its resources are being completely used up by others.

[1] http://scoop.intel.com/what-happens-in-an-internet-minute/

The communication between (for example) a laptop and a website is happening in the background without the user’s interaction. There are many ways devices communicate on the Internet [2], and this means that there are many different ways in which an attacker can disrupt these services. Many different types of DOS/DDOS attacks exist, all working for slightly different purposes, but the goal is always to ‘deny the service’ by overloading it.

How does it work?

When a user clicks to load a webpage, a ‘three-way handshake’ begins between the user and the server hosting the webpage, much like making a phone call.
A user ‘calls up’ the webpage to initiate a conversation; the webpage answers (“hello?”) and the user responds (“hello, it’s… [name]…”); after that the two participants can converse freely, knowing that each party is active. The diagram shows this handshake between computer and server annotated with the associated flags (SYN and ACK, standing for synchronise and acknowledge). The flags are what is actually communicated by the devices.

[Diagram: the three-way handshake between computer and server, annotated with the SYN and ACK flags]

This process is happening millions of times a day for more popular sites, and so the servers that host those sites are designed to handle lots of traffic. A small independent company’s website, however, might be hosted on a server that can’t handle as much traffic.

[2] http://computer.howstuffworks.com/internet/basics/internet.htm

The SYN flood

The three-way handshake can be maliciously manipulated in order to create an excessive amount of traffic for the server. An attacker can repeatedly send out the first step to initiate the handshake (SYN) but then not respond to the server once it communicates back (SYN-ACK). Because the server is waiting for the third step (ACK), it is using up resources. When the server then receives what it thinks is another user trying to start a conversation, it dedicates a small amount of resources to keeping that session open. If this step is repeated thousands of times, the server is making room for thousands of sessions with no one actually using them. The attacker continues to create traffic until the server can’t handle any more, resulting in no legitimate users being able to log on.

Failure to connect to a website can be for any number of legitimate reasons (the Internet connection may have temporarily dropped, for example), but in the event of a DOS attack the failure will persist.
The message seen by most is ‘ERROR 404 PAGE NOT FOUND’, and this is the computer telling the user that, because it has not been able to complete the handshake with the desired service, it is unable to display the content.

The attack described here, known as a SYN flood, is only one example of many different types of attack. Other types of DOS/DDOS have the purpose of creating an overload for a system. In the SYN flood it is an overload of processing when trying to deal with the amount of traffic. There are many different types of data protocol [3] used on the Internet which, in turn, can be used to form different types of flood attack. Other attacks can overload the bandwidth of a network, which is the amount of data that can be sent and received.

DDOS

A DDOS attack differs in that a malicious actor can attack from different sources using multiple devices, known as attack vectors, in order to bring down the victim site or server. This makes DDOS more suitable for attackers who want to deny more sophisticated services that may be hosted on multiple servers, such as an email application. Because more computing power will be required in order to create a successful attack, multiple computers will be used, though they might not necessarily belong to the attacker. In what would be only a small part of a complicated attack, the DDOS would be controlled by the attacker’s machine but using (potentially hundreds of) other machines via the Internet. These extra machines would have been infected with malicious software [4] previously and specifically so that they could be remotely activated to launch an attack, and the computer’s owner won’t even know that it is being used in a DDOS attack.
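The handshake and SYN flood described above can be modelled without touching a network. The following is an added example, not code from the paper or from CERT-UK: it simulates a server that keeps a slot for every half-open (SYN-received) connection and shows that slot table filling up, then shows the common mitigation, SYN cookies, where the server stores nothing on SYN and instead encodes a keyed hash of the client address into the sequence number it sends back, so only a client that really completes the handshake gets a session. Backlog size, timeout, slot length, addresses and the hypothetical class names are all assumptions chosen for the illustration.

```python
"""In-memory model of a listener's half-open queue under a SYN flood, and of
SYN cookies as the stateless alternative. No sockets are opened; addresses,
sizes and timeouts are constructed for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class StatefulListener:
    """Classic server: each SYN occupies a backlog slot until the matching ACK
    arrives or the slot times out. This is the resource the flood exhausts."""
    backlog: int                      # maximum half-open connections (assumed)
    timeout: int = 60                 # seconds a half-open slot may live (assumed)
    half_open: dict = field(default_factory=dict)   # (ip, port) -> expiry time
    established: list = field(default_factory=list)
    dropped_syns: int = 0

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, src, now):
        """Return True if a SYN-ACK was sent, False if the backlog was full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1    # legitimate users now fail to connect
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, src, now):
        """Complete the handshake if this source has a half-open slot."""
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established.append(src)
            return True
        return False


class CookieListener:
    """SYN-cookie server: keeps no state on SYN. The initial sequence number in
    its SYN-ACK is an HMAC over the client address and a coarse time slot; the
    final ACK is accepted only if it acknowledges exactly that number plus one."""
    SLOT = 64                         # seconds per time slot (assumed)

    def __init__(self):
        self.secret = secrets.token_bytes(16)   # per-server key for the MAC
        self.established = []

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit sequence number

    def on_syn(self, src, now):
        """Always answers; returns the sequence number the SYN-ACK would carry."""
        return self._cookie(src, now // self.SLOT)

    def on_ack(self, src, ack_number, now):
        """Accept the ACK if it matches a cookie from this or the previous slot."""
        slot = now // self.SLOT
        for s in (slot, slot - 1):
            if (self._cookie(src, s) + 1) & 0xFFFFFFFF == ack_number:
                self.established.append(src)
                return True
        return False


def simulate(flood_size, wait=0):
    """Send `flood_size` SYNs that are never followed by an ACK to both servers,
    then attempt one legitimate handshake `wait` seconds later.
    Returns (stateful_server_ok, cookie_server_ok)."""
    stateful = StatefulListener(backlog=128)
    cookie = CookieListener()
    now = 1000
    for i in range(flood_size):
        src = (f"198.51.100.{i % 256}", 40000 + i)   # constructed flood sources
        stateful.on_syn(src, now)
        cookie.on_syn(src, now)        # nothing is stored for these
    client = ("192.0.2.10", 51515)     # constructed legitimate client
    t = now + wait
    stateful_ok = stateful.on_syn(client, t) and stateful.on_ack(client, t)
    isn = cookie.on_syn(client, t)
    cookie_ok = cookie.on_ack(client, (isn + 1) & 0xFFFFFFFF, t + 1)
    return bool(stateful_ok), cookie_ok


if __name__ == "__main__":
    print("quiet:            ", simulate(10))
    print("during flood:     ", simulate(5000))
    print("after slots expire", simulate(5000, wait=61))
```

Running the module prints that the stateful server rejects the legitimate client while the flood holds its 128 slots, that it recovers once the half-open entries time out, and that the cookie server accepts the client in both cases because it never committed resources to the unanswered SYNs. Shortening the half-open timeout is the weaker fix the first class demonstrates; the cookie approach removes the per-SYN state entirely.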
[3] http://computernetworkingnotes.com/osi-layer-modals/osi-model.html
[4] https://www.cert.gov.uk/resources/best-practices/an-introduction-to-malware/

Once a computer is infected with malware so it can be used in a DDOS, the machine is then referred to as a ‘zombie’, and a network of zombie machines is known as a botnet [5].

Why are they used?

It is illegal to launch a DOS or DDOS attack, but their use has increased in the UK [6]. While the criminal aspect of these attacks is apparent to many, the motivation is not always clear. Several high profile attacks occurred in 2014, notably the raised profile of the Lizard Squad hacking group that brought down Sony and Microsoft gaming services on Christmas Day [7], the reason for which one alleged member stated was “for laughs” [8].

Denying an Internet service could have severe consequences for many different types of organisation. In 2007 and 2010 respectively, Estonia and Burma suffered DDOS attacks from a botnet known as Conficker [9]. Both attacks used so many machines that Burma was almost entirely cut off from the Internet for more than ten days ahead of an election. Estonia suffered compromised financial institutions, and government communications networks were forced to use radio for a brief period.

$100,000 per hour: estimated potential cost of a DDOS attack

Creating an overwhelming amount of traffic can also be a cover for a different type of cyber-attack altogether. An investigation after a DOS attack will examine the logs that automatically collect data about connections to and from servers. The DOS will create many thousands of log entries, making the real attack vector extremely difficult to find.

Committing a DOS/DDOS attack, however, is not difficult. An Internet search will detail step-by-step guides for those with even limited technical ability, and for those with none, it is possible even to pay for an attack, with costs dependent on duration and ranging from minutes to weeks.
A company may even be contacted and held to ransom for the return to normal service. In 2013, almost 30% of reported DDOS attacks cost their victims in excess of $100,000 per hour [10].

Many DDOS attacks are not even politically or commercially motivated but are rather a personal test of skill for the hacker, or even a show of force. In 2000, a 15-year-old Canadian boy brought down the world’s most popular search engine and several other websites, including Amazon and Yahoo, causing an estimated $1.7bn in damages. In February 2014, what was thought to be the biggest DDOS attack in history targeted the content delivery network of online security company Cloudflare [11]. This attack utilised a major timing protocol, using a tool that was found in hacking circles only six months prior to the event.

[5] https://www.cert.gov.uk/wp-content/uploads/2014/08/An-introduction-to-malware.pdf
[6] http://www.techweekeurope.co.uk/workspace/ddos-attacks-akamai-154110
[7] http://www.theguardian.com/technology/2015/jan/02/sony-christmas-playstation-network-hack-discounts-psn-lizard-squad
[8] http://uk.businessinsider.com/why-hacker-gang-lizard-squad-took-down-xbox-live-and-playstation-network-2014-12
[9] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
[10] http://www.neustar.biz/resources/whitepapers/ddos-protection/2014-annual-uk-ddos-attacks-and-impact-report.pdf
[11] http://arstechnica.com/security/2014/02/biggest-ddos-ever-aimed-at-cloudflares-content-delivery-network/

Mitigation advice

It is important to note that some companies legitimately offer DOS/DDOS attack services for network testing purposes. The simulation of attacks can help to find weaknesses and test responses and business continuity plans. While this may not be proportionate for small and medium enterprises, there are other defences that may be suitable.
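Two of the paper’s points lend themselves to a worked illustration: that a DOS buries the real attack under thousands of log entries, and that monitoring traffic levels (the role the ‘Use specialised equipment’ section gives to an IDS working with a firewall) can pick the flood out automatically. The following is an added example and not CERT-UK tooling. It builds a constructed connection log containing normal traffic, a single-source flood, a distributed flood in which no individual host is noisy, and two unrelated entries hidden in the same period; it then flags noisy sources by per-source rate, flags surge windows by comparing the total rate against a learned baseline, and sets the flooded service aside so that what remains can be investigated. The log format, window size and thresholds are assumptions chosen for the example.

```python
"""Rate-based flood detection over a connection log, plus a residual view that
removes the flood so the remaining entries can be examined. Stand-alone example
with constructed log lines; format and thresholds are assumptions."""
import re
import statistics
from collections import Counter

# Constructed log format: "<epoch-seconds> src=<ip> dst=<ip>:<port> flags=<tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

WINDOW = 10           # seconds per bucket (assumed)
PER_SOURCE_MAX = 50   # SYNs one source may send per window before it is flagged (assumed)
SURGE_FACTOR = 10     # a window is a surge if its total exceeds this multiple of baseline
LEARN_WINDOWS = 6     # leading windows used to learn the normal rate (assumed)


def parse(line):
    """Parse one log line into a dict; malformed lines return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def build_sample_log():
    """Constructed sample: 120 s of baseline traffic (one SYN per second from a
    small pool), a flood in the second 60 s from one loud host and from 500
    quiet hosts, and two entries to port 22 that have nothing to do with it."""
    lines = []
    for t in range(120):
        lines.append(f"{t} src=192.0.2.{t % 20 + 1} dst=203.0.113.10:80 flags=S")
    for t in range(60, 120):
        for _ in range(200):                        # single-source flood, 200 SYN/s
            lines.append(f"{t} src=198.51.100.77 dst=203.0.113.10:80 flags=S")
        for i in range(500):                        # distributed flood, 1 SYN/s per host
            lines.append(f"{t} src=10.{i // 256}.{i % 256}.9 dst=203.0.113.10:80 flags=S")
    lines.append("70 src=192.0.2.99 dst=203.0.113.10:22 flags=S")   # the entries worth a look
    lines.append("95 src=192.0.2.99 dst=203.0.113.10:22 flags=S")
    lines.append("not a log line")                  # parser must cope with junk
    return lines


def analyse(lines):
    """Return flagged sources, surge windows, the flooded port and the residual
    records (those in surge windows not attributable to the flood)."""
    recs = [r for r in map(parse, lines) if r is not None and "S" in r["flags"]]
    for r in recs:
        r["win"] = r["ts"] // WINDOW

    # 1. Per-source rate: catches the single loud host (a classic DOS).
    per_source = Counter((r["src"], r["win"]) for r in recs)
    flagged = sorted({src for (src, _), n in per_source.items() if n > PER_SOURCE_MAX})

    # 2. Aggregate rate against a learned baseline: catches the distributed
    #    flood, where every host stays under the per-source threshold.
    per_window = Counter(r["win"] for r in recs)
    baseline = statistics.mean([per_window[w] for w in range(LEARN_WINDOWS)])
    surge = sorted(w for w, n in per_window.items()
                   if w >= LEARN_WINDOWS and n > SURGE_FACTOR * baseline)

    # 3. Residual: set aside the flooded service and the flagged sources so the
    #    analyst sees what else happened while the flood was running.
    in_surge = [r for r in recs if r["win"] in surge]
    flooded_port = Counter(r["dport"] for r in in_surge).most_common(1)[0][0] if in_surge else None
    residual = sorted((r["ts"], r["src"], r["dport"]) for r in in_surge
                      if r["src"] not in flagged and r["dport"] != flooded_port)

    return {"flagged_sources": flagged, "surge_windows": surge,
            "flooded_port": flooded_port, "residual": residual,
            "records": len(recs)}


if __name__ == "__main__":
    report = analyse(build_sample_log())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log the per-source check flags only 198.51.100.77, the baseline comparison marks the six windows of the flood as surges even though each of the 500 distributed hosts sends just one SYN per second, and the residual collapses some 42,000 lines to the two port-22 entries. The same split of duties is what the paper attributes to an IDS and firewall: the rate checks are what an automated block would act on, and the residual is the view an investigator needs after the event.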
Firewalls, antivirus and updates

CERT-UK recommends the use of an appropriate firewall and antivirus software (which should be updated regularly). New vulnerabilities are constantly being discovered, and so a system’s defences are only as good as the day they were updated. A culture of safety and good housekeeping should be encouraged as per the UK government’s ‘10 Steps to Cyber Security’ [12].

Think about your servers

Smaller companies might lease servers to host their business platform. Whether this is the case or not, consideration should be given to the configuration of servers, and it should be clearly stated what resources an application can access and how the server will respond to requests from clients. Not only does strong configuration of servers help to reduce the risk from other cyber-attacks, it may actually ensure continued service during some types of DDOS attack [13].

Use specialised equipment

A DOS attack often utilises legitimate traffic, and so badly designed firewalls will allow all the traffic through because the firewall itself is only concerned with content and not quantity. Intrusion detection systems (IDS) can provide a capability to detect when valid protocols are being used as an attack vehicle, and IDS, in conjunction with firewalls, can also monitor traffic levels and automatically block certain traffic. Specialised equipment can often require installation and monitoring by trained professionals, and it is possible to procure such services for business needs. It is important, however, that these needs be scaled in line with the business risk linked to the website or service you are trying to protect, and independent advice should be sought.

Seek advice and share experience

Network defence can be a daunting prospect to understand. DOS is just one of many threats to businesses in the UK and globally. CiSP contains groups and spaces where users can share and receive information about specific vulnerabilities and events, such as DOS/DDOS attacks.
Members can post in forums and request advice and help from the community while sharing experiences.

[12] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/73129/12-1121-10-steps-to-cyber-security-advice-sheets.pdf
[13] http://www.computerworld.com/article/2564424/security0/how-to-defend-against-ddos-attacks.html

Summary

DOS attacks are a significant threat to many online services that are used every day and can cost businesses significant amounts in lost revenue. They can often be a cover for a different kind of cyber-attack, most notably theft from networks. Organisations of all sizes, including small and medium sized enterprises, should take this threat seriously and are recommended to follow the mitigation advice in this paper. With greater cyber awareness and better working practices, the threat from DOS attacks can be reduced, making the UK a safer place in which to be online.

www.cert.gov.uk
@CERT_UK
A CERT-UK PUBLICATION
COPYRIGHT 2014 ©