Saturday, 6 December 2014

Security: Basic DDoS Internals (No-source code)


For a long time, I did not post any scripts nor source codes as a result of education. Nevertheless I am posting today regarding how DDoS works & why hackers perform them.

DDoS is a cyber-attack strategy used widely to make a machine resource or network resource unavailable to its intended users. Normally, DDoS is targeted to interrupt or suspend  services of a host connected to internet. DDoS is usually misunderstood by beginner security experts\developers, the general misunderstanding is about how to define a DDoS attack, To clarify DDoS is when two or more people, or bots try flood the target.

Lets get to the technicals of a DDoS attack, as stated DDoS is only sustained if the host is connected to the internet. This suggests that the attackers use internet packets\requests to attack the target. They do this via sending TCP\UDP\ICMP or HTTP packets to the target in order to request or upload information to cause the targets machine to focus on those requests and temporary disable all internet services. The target disables the internet services because as bandwidth is limited for all machines connected to internet, computers normally divide the bandwidth among all the services equally to ensure each service can run however computer does allow one service to request for more bandwidth, with this being said one can assume all services can ask for all the bandwidth for themselves.

This should mean if any one internet service is targeted with a lot of packets, the service would require more bandwidth to reply and process every request. This should mean as we increase the request sizes and packets sent as one time, the bandwidth consumption for the following service will increase & decrease the other internet services. As the consumption increases to a critical level, the machine does not have any more bandwidth left to share or give and this causes the machine to temporary drop off from internet until the DDoS stops.

Normally most DDoS tools tend to be multi-threaded to increase attack strength as more packets sent the more bandwidth should be consumed by the attack.

That said, now assume if the target has an bandwidth of 100 MB and let us assume there is perhaps 50 members who have a total bandwidth of 200 MB which we should deduce that on average each member has 4 MB of bandwidth. This said, since we only need 100 MB to drop the target from internet for a duration of time. The DDoS  mechanism\software\program\service will require 2 MB of bandwidth from each participant.

That in mind, using this 2 MB they will completely disable the target and drop it of the internet for a time-being therefore a successful attack has been completed.

Now, let me explain more about the after-effects both parties may face after or during the attack.

Let me discuss, pertaining what may happen during an DDoS attack. As the attackers request 2 MB from their 4 MB of average bandwidth. Their online connectivity will be half as fast as it were prior to the attack. This is practically a Newtonian law of Computing:

"Ever action has a equal and opposite reaction"

This makes complete sense, just because they used 2MB data to attack their internet also becomes 2 MB slower while making the target 2 MB slower. That in mind, its a basic equal and opposite reaction.

That said, it is quite possible for the attacker to "suicide" himself, in the process if he or she cannot overwhelm the target as the DDoS program may ask for additional bandwidth and over-time the bandwidth may completely used to take-down our target, so its always important to set an certain limit which MUST not be crossed  to avoid "net-suicide"

In that, you must understand the reason why malwares use only some percent of the internet bandwidth to avoid suspicion in case of failure of attack first to avoid being obvious due to raise in internet use which User may detect and find suspicious.

Before I conclude, let me explain about few symptoms of priori net-suicide, first most obvious symptoms is that your internet will become slow as it approaches the limit of net-suicide due to consumption of internet becoming practically maximum . Then, we would also notice processing power of computer becoming extremely high from say 2 - 3 % to 50 - 65 % which will be as a result of  computer trying to process all those requests from DDoS process. Then you will notice if you use Network sniffers such as WireShark, that the screen will be filled & filling up data which points to an DDoS taking place, These symptoms may appear on both Target and Attacker.

This will only be an introductory of what DDoS is before we use our white-hat C++ skills to develop an application for DDoS using multi-threading as well as Windows API, to show Proof-Of-Concept and for Ethical purposes & Educational purposes.

Kind Regards

Monday, 5 May 2014

Basic Simulation: Basic Gravity


Today as promised I'll be posting simulation programming basics. That being said, today I will be talking and discussing about Gravity however unlike my initial plan we will not be using any equations for simplicity purposes for the beginner audience. The simulation programming will be using OpenGL as I want the simulation programmer to be able to see an visual representation of their success rather than have few numbers shown upon screen making this topic nothing but a mere boring mathematical incorporation of physics.

That being said, this tutorial will only be using basic OpenGL function such as glTranslatef(), glRectf() and other similar function. Next, this tutorial will neither make use of a timer as it could be too complicated for the user who messaged me for this tutorial to be created. That in mind, we will not be even using gravitational constants such as 9.81 m/s^2.

To be brutally honest, this tutorial is really designed to show how easily we can create programs using BASIC OpenGL functions that a beginner can learn and apply in matter of few hours. Here is the source:

Basic OpenGL Gravity

Bare in mind that the code is not too pretty in terms of implementation and using functions such as Sleep() as an "Pixel" slower to ensure that the user can actually see the dot fall similar to that of gravity. That being said, it was designed for an newbie.

Hope you learned something new,

Wednesday, 9 April 2014

Still a alive - Update


I have not posted anything for a while, but I am going to be posting from now. I apologize for the long delay, I did not really get around to posting any interesting topics recently however I plan on also writing few blogs regarding security soon or later.

Nevertheless, I am going to be writing about physics, cosmology as well after people requested me to write few blogs pertaining about physics and space.

Anyway, in security I will be covering:

- Theories of Anti-Virus development (Heuristics)
- How DDoS works
- Theory of Network analysis
- Self-Protection mechanisms

I also have a long list of planned topics to cover in future:

- AI (Non-Game based)
- Encryptions
- Science of Sci-Fi
- Simulation Programming

That being said, stay tuned.

Sunday, 5 January 2014

Global Remote Detour: KiFastSystemCall


I am not planning on explaining my code too much but rather give code, which is more or less straightforward in terms of the functions used and the simple logic.

Unlike the previous remote detour given I am not really creating a running thread as that will just be too slow and unneeded work.

There are 2 functions needed for the global injection: Provider(void) & Injector(DWORD Pid)
The function Provider(void) is responsible for providing each process's PID to the Injector function, then the Injector function will:

  1. Open the PID via a call to OpenProcess
  2. Using the handle it will suspend the process, ready for injection
  3. It will then write the callback into the process memory space
  4. Then will create a char array of machine code (JMP ---) then will annotate the remote callback address on to the char array.
  5. The char array will be then written on KiFastSystemCall address, 
We have detoured KiFastSystemCall, the uses of such detours are endless:

  • Self-Protection
  • Proactive AV scanning
  • Complete Control over system
  • Helpful Debugging Information
The Code Metrics:

Line Count:  105 Lines
Size: 3.05 KB (3,125 bytes)

Stay Tuned,