WIXLIB

4DDoS For Dummies, Corero Network Security Editionconcerted efforts of cybercriminals to stop an Internet sitefrom functioning efficiently or at all.DDoS attacks have plagued the Internet, corporate websites,and networks for more than a decade. Although DDoS attacksaren’t new, modern threats and tactics are more advancedthan ever, and DDoS attacks are occurring with increasing frequency and causing greater damage against a rapidly growingnumber of targets worldwide.The means for committing DDoS attacks are readily availableto practically anyone. Easy-to-use, automated tools can befreely downloaded from various blackhat (hacker) websiteson the Internet. The resurgence in DDoS attacks can be largelyattributed to two factors: the rise of global botnets and newattack techniques for evading detection.The role of botnetsA botnet is a network of compromised PCs or other devices.These compromised PCs are called bots (or zombies). Bots arePCs that are infected with various types of malware, such asviruses, worms, Trojans, and spyware, that enable the PCs tobe compromised by an attacker. A bot can be remotely controlled by an attacker (sometimes called a bot-herder) to carryout DDoS attacks, steal data from victim networks and servers, or send out e-mail spam. Bots can be particularly difficultto detect and clean from an infected PC because they’re veryadaptive and resilient. The bot-herder can quickly and easilychange the behavior and characteristics of a bot, making itextremely difficult to detect.Some bots even detect and clean many common types ofviruses from an infected PC, so that your installed anti-virusor anti-malware software doesn’t tip you off to the larger (bot)infection!It has been estimated that up to 80 percent of all Internetconnected computers are infected with some form of spywareor adware.Botnets are typically comprised of hundreds of thousands tomillions of infected bots, and can operate for several yearsbefore being discovered or taken down. Criminal organizationsThese materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

Chapter 1: DDoS Attacks Defined5are known to rent out control of botnets to anyone willing topay the price — often for less than 100 per day.Types of attacksThe second major factor spurring increased DDoS attacks is ashift in techniques from brute force assaults to more insidiousattacks.In a brute force attack, the attacker sends an exceptionallylarge payload to a targeted organization’s network in order tooverwhelm the available bandwidth on that network. Thesetraditional DDoS attacks are called network-layer DDoS attacksand are still common today (see sidebar, “The devil is in theDDoS details”).Network-layer DDoS attacks can disrupt communicationswith your critical e-commerce servers, for example, or overwhelm your network. A botnet comprised of large numbersof hijacked systems simultaneously sends packets to a targetserver, attempting to open a communication session. Whenthe victim server replies, the attacking systems don’t acknowledge the server’s response. This overloads the server bycausing it to use all its available resources attempting to keeptrack of the many incoming connections. Service is degraded,and the server may crash.An overwhelming network-layer DDoS attack can disrupt oroverload the network infrastructure to the point where itcan’t transmit requests or responses. These attacks can affectISP (Internet service provider) links, routers, switches, firewalls, and servers, causing one or more of them to becomebottlenecks, and restricting or eliminating the ability of theserver to deliver its service.In an effort to thwart the security mechanisms used by mostorganizations to defend against traditional network-layerDDoS attacks (such as firewalls and some intrusion prevention systems) attackers have adopted a newer variant of thetraditional DDoS attack — application-layer DDoS attacks.These materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

6DDoS For Dummies, Corero Network Security EditionThe devil is in the DDoS detailsTraditional network-layer DDoSattacks typically flood the victim’ssystem or network with requests,such as a flood of IP packets, TCPpackets, or ICMP packets. The following are some common types oftraditional DDoS attacks.SYN FloodA SYN-flood attack (see the accompanying figure) takes advantageof the TCP (Transmission ControlProtocol) three-way handshake process by flooding multiple TCP ports onthe target system with SYN (synchronize) messages to initiate a connection between the source system andthe target system. The target systemresponds with a SYN-ACK (synchronize-acknowledgement) messagefor each SYN message it receivesand temporarily opens a communications port for each attempted connection while it waits for a final ACK(acknowledgement) message fromthe source in response to each ofthe SYN-ACK messages. The attacking source never sends the final ACKmessages and therefore the connection is never completed. The temporary connection will eventually timeout and be closed, but not before thetarget system is overwhelmed withincomplete connections.InternetBot MasterBotnet Command and ControlBotBotBotSYN Flood TrafficBotBotnetUDP FloodA UDP (user datagram protocol) floodattack involves the attacker sendingUDP packets to each of the 65,535UDP ports on the target system. m’s Network/Serverstarget system is overloaded whileprocessing the UDP packets andattempting to send reply messagesto the source system.These materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

Chapter 1: DDoS Attacks DefinedICMP floodMost network-layer DDoS attacks usebot-infected systems to flood a targetwith network traffic. ICMP (InternetControl Message Protocol) packetsare commonly used for this purpose.ICMP packets are legitimately used7for network troubleshooting, butwhen used for a DDoS attack, thesetiny packets can overwhelm a targetsystem, leaving it unable to servicevalid network requests in a timelyfashion.Application-layer DDoS attacks still take place over the network. But these attacks not only send network packets — theyactually complete TCP connections from the attacker to thevictim server. Once the TCP connection is made, the attackingcomputers make repeated requests to the application in anattempt to exhaust the resources of the application, renderingit unable to respond to any other requests.These more intelligent attacks are harder to defend againstbecause they create denial-of-service conditions without consuming all the available network bandwidth or overloadingrouters, firewalls, and switches. The attack traffic often lookslike legitimate, routine traffic coming into a network or website. It could be something as simple as a request to display aweb page or to fill out a “contact us” form. A common example of an application-layer DDoS attack is a repetitive HTTPGET request, which cripples a Web application server with anoverwhelming number of requests for a resource.Compared to a network-layer attack, a successful applicationlayer attack typically requires a much smaller botnet tooverwhelm a victim server. The hijacked bots in an application-layer DDoS attack go beyond simply initiating an opencommunications session with a victim server. Because theattacking bots are actually communicating with the victimserver, more server resources must be allocated, and potentially the resources of other network assets, such as a database server, that are integrated with the victim server.The goal of all the different types of DDoS attacks is to consume resources that should be available for a system or application to serve its intended customers.These materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

8DDoS For Dummies, Corero Network Security EditionRecognizing the BusinessImpact of DDoS AttacksFar too many organizations are ill-prepared to deal with theeffects of DDoS attacks and other Internet security threats.They rely on firewalls, intrusion detection systems (IDS),intrusion prevention systems (IPS), and other security technologies that are inadequate to defend their networks andsystems against DDoS attacks (see Chapter 2 to learn more),thereby creating plenty of opportunity for cybercriminalstoday. In the following sections, I tell you about a few industries that are prime targets for DDoS attacks.E-commerceE-commerce is the lifeblood of many businesses around theglobe and has become a way of life for millions of consumerswho depend on their computers and mobile devices to buyproducts and services, research product information, andobtain support. JP Morgan projected that 2011 e-commercerevenue would reach 680 billion, up 18.9 percent over 2010.E-commerce works in our modern, fast-paced world becausee-commerce sites are responsive, secure, and always availableon demand. E-commerce is quickly transforming the Internetfrom the “information superhighway” into the “informationsupermall.”Unfortunately, legitimate businesses aren’t the only onestaking advantage of the tremendous opportunities createdby the Internet. Criminals have been quick to gravitate to theInternet as business volume and the value of online transactions have reached critical mass. There’s big money in onlinebusiness — and therefore big criminal opportunity.Online companies are victimized by mass, automated attacksthat exploit targets of opportunity, as well as targeted attacksthat exploit unpatched or zero-day (previously unknown) vulnerabilities. Organized criminals also employ hacking techniquesand malware to commit data theft, extortion, identity theft, andfraud. The crimes are as old as civilization, but the methods areadapted to the times and the impact is devastating.These materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

Chapter 1: DDoS Attacks Defined9DDoS attacks are on the rise: Gartner reports a 30 percentincrease in attacks in 2010, and that trend has continuedthrough 2011. Cybercrimes are now the FBI’s third highest priority, behind terrorism and espionage.E-commerce companies depend on 24/7 availability and realtime responsiveness on their customer-facing sites. When aDDoS attack strikes, businesses can lose thousands or evenmillions of dollars if service is slowed or the website goesdown. Extended service interruptions can be catastrophic,both in terms of revenue loss and damage to the corporatebrand.To your customers, your Internet website is your business. Ifyour website is down, your customers can simply surf overto your competitors’ websites and may become your formercustomers. Disruptions to your website for any extendedperiod can impact business and severely undermine customer confidence. Recent DDoS attacks have hit Amazon,PayPal, Visa, Sony PlayStation Network, and MasterCard,among others.Companies doing business online are also entrusted with andresponsible for sensitive customer data, including accountcredentials, credit cardholder data, and personally identifiable information (PII). Compliance mandates, such as thePayment Card Industry Data Security Standard (PCI DSS),impose stiff penalties on businesses for failing to protectthese records against unauthorized access.A DDoS attack can be a preemptive strike to test your company’s security and response capabilities. For companies thataren’t ready to properly respond to an attack (see Chapter 3), apanicked and unorganized reaction can weaken your defensesand open the door for further attacks and data theft. Even ifa DDoS attack doesn’t lead to a data breach, your customers’perception will be that your company’s website isn’t secure,which may cause them to hesitate when doing online businesson your site or to avoid your site altogether.According to a survey by the Ponemon Institute, the averagetotal cost of a single data breach was more than 7.2 milliondollars in 2010.These materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

10DDoS For Dummies, Corero Network Security EditionFinancial servicesThe Internet has revolutionized the way financial institutionsdo business, from online banking services to high-speedglobal transactions and payment processing. Financial transactions are processed in huge volumes and at high speedsaround the globe, enabling institutions, partners, and customers to react swiftly to changing financial conditions andmarket requirements.Customers conduct online transactions from anywhere, at anytime, and increasingly, from any number of different devices(such as smartphones and tablets). They expect their information to be secure and that services will be reliable, fast,and always available when they need them.As the Internet has opened up new business opportunities, ithas also introduced new elements of risk in the financial services sector that must be considered in their risk assessmentand risk mitigation programs. These risks, broadly speaking,manifest themselves in two categories: DDoS attacks: For online banking and financial transactions, time is quite literally money. Millions of dollarscan be lost in minutes if service is slowed or interrupted.In performance-sensitive environments such as transaction processing and high-volume trading, major serviceinterruptions can be catastrophic, both in terms of actualfinancial loss and damage to the corporate brand. Data breach: Like e-commerce companies, financial institutions — from the largest banks and trading houses toregional credit unions — are entrusted with and responsible for sensitive customer data. Financial servicesproviders are required by numerous regulations and obligations to their customers and partners to protect thesesensitive records against unauthorized access.Malicious cyberactivity is a continuous threat to both onlinetransactions and services and sensitive information. Manybanks, stock exchanges, and other financial institutions,including Bank of America, U.S. Bancorp, and the New Yorkand Hong Kong stock exchanges, have been victims of DDoSattacks.These materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

Chapter 1: DDoS Attacks Defined11Online gamingOnline gaming is big business. Many millions of people engagein Internet gambling from poker to bingo, and play videogames such as first-person action shooters and wildly popular role-playing fantasy games on platforms including PCs,Microsoft Xbox, and Sony PlayStation. The stakes are high: According to a report by Global Betting and GamingConsultants, the global online gambling industry grew by12 percent during 2010 to 29.3 billion. According to the Online Gaming Association, 20 millionMicrosoft Xbox users have spent 17 billion hours online;there are 40 million Sony PlayStation Network accounts.Performance and availability are critical to the success of onlinegaming businesses. DDoS attacks can undermine the businessin a hurry. If a gambling site goes down, all bets are off. And forgamers, a slow game is no game at all — they will seek entertainment elsewhere, perhaps at a competitor’s gaming site. Videogame companies, in particular, may face unscrupulous competitors that would attack their site during beta testing to disruptthe launch schedule for a new game, or to ruin gaming sessionsin order to drive customer traffic to their own game sites.In addition to the DDoS threat, online gaming companiesand gambling sites, like other businesses that engage ine-commerce and financial transactions, are custodians ofsensitive customer data and financial information, and aretherefore subject to various compliance mandates, includingPCI DSS and numerous state data breach notification laws.The hacktivist group Anonymous recently directed DDoSattacks against the Sony PlayStation Network to protest theentertainment giant’s lawsuit against the person who published code that lets users “jailbreak” the PlayStation 3.Understanding the Attacker’sMotivations“If ignorant both of your enemy and yourself, you are certainto be in peril.”– Sun Tzu, The Art of WarThese materials are the copyright of John Wiley & Sons, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.

12DDoS For Dummies, Corero Network Security EditionBragging rights and recognition of hacking skills used to bethe primary motivation for DDoS attacks against prominentwebsites. Today, a number of more sinister motives driveDDoS attacks, including criminal extortion, unfair businessadvantage, and political or ideological activism — all of whichare explained in the following sections.Criminal extortionOne of the main motivations for DDoS attacks today is criminal extortion. An attacker threatens to take down the intendedvictim’s site or network unless a ransom is paid. A limiteddenial-of-service attack is often launched concurrently withthe threat to establish the attacker’s credibility.An online gaming site recently received just such a criminalextortion threat and got a taste of what was to come with alimited proof-of-concept attack. Rather than knuckle underto the criminals, the wou

4 DDoS For Dummies, Corero Network Security Edition concerted efforts of cybercriminals to stop an Internet site from functioning efficiently or at all. DDoS attacks have plagued the Internet, corporate websites, and networks for more than a decade. Although DDoS attacks