Saturday 6 December 2014

Security: Basic DDoS Internals (No-source code)

Hi,

For a long time I have not posted any scripts or source code, as a result of my education. Nevertheless, I am posting today about how DDoS works and why hackers perform it.

DDoS (distributed denial of service) is an attack strategy widely used to make a machine or network resource unavailable to its intended users, normally by interrupting or suspending the services of a host connected to the Internet. The term is often misused by beginners in security and development, mostly over what counts as a DDoS rather than a plain DoS. The distinction is the first D: a DoS attack comes from a single source, while a DDoS attack is one in which two or more machines (people, or more usually bots under one controller) flood the target at the same time.

Now to the technical side. Since the target is reachable over the Internet, the attackers use Internet traffic itself as the weapon: they send floods of TCP, UDP, ICMP or HTTP packets that request or upload data, so that the target spends its capacity handling those requests and its real services become unreachable. The reason this works is that every machine's link has a fixed capacity, and that capacity is shared by all the traffic that crosses it. Nothing divides it fairly between services by default: whichever traffic arrives first takes the link, so a single flood aimed at one port can consume all of the bandwidth, and the same goes for the other finite resources on the host, such as CPU, memory and connection table entries.

It follows that if one service is hit with enough packets, replying to and processing every request consumes more and more of the link, and the other services get correspondingly less. As the attackers increase the size and rate of the packets they send, the share left for legitimate traffic shrinks until the link is saturated; from then on packets queue up and are dropped, and the machine is effectively off the Internet until the flood stops.

Most DDoS tools are therefore multi-threaded, so that each participant can generate packets as fast as possible; the more packets sent per second, the more of the target's bandwidth is consumed. A single host is still limited by its own uplink, which is exactly why the attack is distributed across many of them.

With that in mind, suppose the target has a 100 Mbit/s link (bandwidth is a rate, so Mbit/s rather than MB) and 50 participants whose uplinks add up to 200 Mbit/s, which is 4 Mbit/s each on average. Since 100 Mbit/s is enough to fill the target's link and knock it offline for a while, the DDoS mechanism, software, program or service only needs to take 2 Mbit/s from each participant. Note that it is the participants' upload capacity that matters, since the flood flows out of their links and into the target's.

Using those 2 Mbit/s each, the 50 participants completely fill the target's link and keep it off the Internet for as long as they sustain the flood: a successful attack.

Now let me explain the after-effects both parties face, during and after the attack.

First, what happens during a DDoS attack. Each attacker hands 2 Mbit/s of its 4 Mbit/s average uplink to the attack, so its own connectivity is half as fast as it was before. This is practically a Newtonian law of computing:

"Every action has an equal and opposite reaction"

In other words, the 2 Mbit/s a participant spends on the attack is 2 Mbit/s it no longer has for itself. The reaction is not literally equal, though: each attacker gives up 2 Mbit/s, while the target loses all 100 Mbit/s of its link. Spreading the cost thinly across many hosts, so that no single one suffers much, is the whole point of distributing the attack.

That said, it is quite possible for an attacker to commit "net-suicide": if the target cannot be overwhelmed, the DDoS program may keep asking for more bandwidth, and over time it can consume the attacker's entire uplink, taking the attacking host off the Internet instead of the target. So it is always important to set a limit on the share of bandwidth the tool may use, and that limit MUST never be crossed.

The same reasoning explains why malware typically uses only a small percentage of the infected host's bandwidth: a connection that suddenly crawls is something the user may notice and find suspicious, and that is true whether the attack succeeds or fails.
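To make the bandwidth arithmetic of the 100 Mbit/s example concrete, here is a small Python model. It is an added example written for this post, not the author's tool and not the C++ program promised at the end. It takes the target's link rate and each participant's uplink, splits the required rate equally, and enforces the per-participant ceiling described in the last two paragraphs. The `cap` fraction, the `Plan` record and the water-filling redistribution are my assumptions about how such a limit would be applied; nothing in the block sends traffic.

```python
"""Capacity arithmetic behind the post's 100 Mbit/s example.

Added example, not the author's forthcoming C++ tool; it computes shares,
it sends nothing.  Rates are in Mbit/s (a link has a rate, not a size in MB).

Assumption (mine, not from the post): each participant contributes an equal
share of the required rate, except that nobody may spend more than `cap` of
its own uplink; that ceiling is the post's "net-suicide" limit.
"""
from dataclasses import dataclass


@dataclass
class Plan:
    required_mbps: float      # rate that fills the target's link
    achievable_mbps: float    # rate the participants can supply under the cap
    shares_mbps: list         # per-participant contribution, in input order
    saturates_target: bool    # achievable >= required


def plan_shares(target_mbps, uplinks_mbps, cap=0.5):
    """Split `target_mbps` equally across participants, pinning any participant
    whose equal share exceeds cap * uplink at that ceiling and handing the
    shortfall to the others (water-filling).  Hosts that hit the ceiling are
    the ones that would otherwise be driven off the net by their own tool."""
    if not 0 < cap <= 1:
        raise ValueError("cap must be a fraction in (0, 1]")
    if target_mbps <= 0 or not uplinks_mbps or min(uplinks_mbps) <= 0:
        raise ValueError("rates must be positive")
    limits = [cap * u for u in uplinks_mbps]
    shares = [0.0] * len(uplinks_mbps)
    remaining = float(target_mbps)
    open_hosts = list(range(len(uplinks_mbps)))
    while remaining > 1e-9 and open_hosts:
        per_host = remaining / len(open_hosts)
        pinned = [i for i in open_hosts if shares[i] + per_host >= limits[i]]
        if not pinned:
            # Everyone has headroom: the equal split stands.
            for i in open_hosts:
                shares[i] += per_host
            remaining = 0.0
        else:
            # Give the constrained hosts their ceiling, redistribute the rest.
            for i in pinned:
                remaining -= limits[i] - shares[i]
                shares[i] = limits[i]
            open_hosts = [i for i in open_hosts if i not in pinned]
    achievable = sum(shares)
    return Plan(float(target_mbps), achievable, shares,
                achievable + 1e-9 >= target_mbps)


if __name__ == "__main__":
    # The post's numbers: a 100 Mbit/s target, 50 participants at 4 Mbit/s each.
    post = plan_shares(100, [4.0] * 50, cap=0.5)
    print(f"each sends {post.shares_mbps[0]:.1f} Mbit/s, "
          f"saturated={post.saturates_target}")
    # Same target, but the bots are told to stay under 25% of their uplink.
    safe = plan_shares(100, [4.0] * 50, cap=0.25)
    print(f"with a 25% cap only {safe.achievable_mbps:.0f} Mbit/s reaches "
          f"the target, saturated={safe.saturates_target}")
```

With the post's numbers the cap of one half is met exactly: every participant is pinned at 2 Mbit/s and the 100 Mbit/s link is filled. Lower the cap to a quarter and only 50 Mbit/s arrives, which is the "set a limit" trade-off from the previous paragraph expressed in numbers: the limit protects the attacking hosts at the price of needing twice as many of them.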

Before I conclude, a few early symptoms of net-suicide. The first and most obvious is that your Internet connection slows down as consumption approaches the limit, because the link is practically at its maximum. Second, the machine's processor usage jumps, say from around 2-3% to 50-65%, because it is busy generating or handling all those packets. Third, if you run a network sniffer such as Wireshark, the packet list fills up faster than you can read it with traffic to or from a single address; the Statistics > Conversations window will show one host pair dominating the capture, which points to a DDoS in progress. These symptoms appear on both the target and the attacker; the difference is the direction of the flood.
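The third symptom can be checked mechanically rather than by eye. The following Python is an added example (not code from the post) that scans packet records of the kind exported from Wireshark or tshark and flags a destination that is receiving a flood, telling a distributed flood apart from a single noisy sender by counting distinct sources. The record format, the thresholds and the sample capture are constructed for the example and are my assumptions, not the post's.

```python
"""Flood detection over packet records (added example; not the author's code).

Input is a list of (timestamp, src, dst, length) tuples such as you would get
from `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len`.
The capture below is constructed, not recorded; the thresholds are assumptions.
"""
from collections import defaultdict


def find_floods(records, window=1.0, pps_threshold=500, min_sources=10):
    """Return one alert per (destination, time bucket) that receives at least
    `pps_threshold` packets per second.  `min_sources` distinct senders is the
    line between a distributed flood and one host hammering the target."""
    # (dst, bucket) -> [packet count, byte count, set of source addresses]
    buckets = defaultdict(lambda: [0, 0, set()])
    for ts, src, dst, length in records:
        b = buckets[(dst, int(ts // window))]
        b[0] += 1
        b[1] += length
        b[2].add(src)

    alerts = []
    for (dst, bucket), (pkts, nbytes, srcs) in sorted(buckets.items()):
        pps = pkts / window
        if pps >= pps_threshold:
            alerts.append({
                "dst": dst,
                "window_start": bucket * window,
                "pps": pps,
                "mbps": nbytes * 8 / window / 1e6,   # bytes -> Mbit/s on the wire
                "sources": len(srcs),
                "distributed": len(srcs) >= min_sources,
            })
    return alerts


def constructed_capture():
    """Synthetic records: 40 hosts each send 20 packets of 1400 bytes to the
    target inside one second (a small distributed flood), plus a few packets
    of ordinary traffic to a different server.  Addresses are from the
    documentation ranges, so nothing here points at a real host."""
    recs = []
    target = "203.0.113.10"
    for i in range(40):
        src = f"198.51.100.{i + 1}"
        for j in range(20):
            recs.append((1000.0 + j / 20, src, target, 1400))
    for j in range(5):
        recs.append((1000.0 + j / 5, "192.0.2.7", "203.0.113.20", 80))
    return recs


if __name__ == "__main__":
    for a in find_floods(constructed_capture()):
        kind = "distributed" if a["distributed"] else "single-source"
        print(f"{a['dst']} at t={a['window_start']:.0f}: {a['pps']:.0f} pkt/s, "
              f"{a['mbps']:.2f} Mbit/s from {a['sources']} sources ({kind})")
```

Run on the attacker's side instead of the target's, the same aggregation keyed on source rather than destination would show the local host's outbound traffic collapsing onto one remote address, which is the Wireshark symptom from the paragraph above seen from the other end.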

This is only an introduction to what DDoS is. In a later post we will use our white-hat C++ skills, multi-threading and the Windows API to develop a proof-of-concept DDoS application, for ethical and educational purposes only.

Kind Regards