DDoS Attacks
Overview
On March 18, 2013, a series of DDoS attacks was launched against the website spamhaus.org and continued for about a week. The attacks peaked at a whopping 300 Gbps. The attackers used a mass of systems to launch attacks at that volume, in the form of a DDoS (Distributed Denial of Service) attack. Such attacks are often carried out using "botnets", large collections of compromised systems that are centrally controlled by an attacker.
Vulnerability Details
The largest source of traffic in the attack came from DNS amplification. This type of attack is carried out by sending spoofed requests to misconfigured DNS servers, resulting in an overwhelming amount of traffic being directed towards Spamhaus. The requests are crafted so that the response from the DNS server is much larger than the original request, which means even a small number of requests can generate a massive amount of traffic. First, the attacker sends a request for a large DNS zone file to many open DNS resolvers, with the source IP spoofed to the victim's address. The resolvers answer the request, sending the DNS zone response to the intended victim. The attacker's original requests are only a small fraction of the size of the responses, so the attacker can effectively amplify the attack to many times the bandwidth they actually have.
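The defender's view of the same mechanism, as an added example that is not part of the original page: a Python script that reads resolver-side query/response records (constructed inline), computes the amplification factor of each answer, flags "clients" that receive many highly amplified answers (on an open resolver these are usually the spoofed victims, not the senders), and applies a simplified per-client response rate limit of the kind production resolvers implement as Response Rate Limiting (RRL). The record layout, the byte sizes, the thresholds and the RFC 5737 documentation addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsEvent:
    """One query/response pair as it would be logged on the resolver side (assumed layout)."""
    ts: float              # seconds since start of capture
    client_ip: str         # source IP of the query; spoofed to the victim in an amplification attack
    qname: str
    qtype: str
    request_bytes: int     # UDP payload size of the query
    response_bytes: int    # UDP payload size of the answer


def amplification_factor(ev: DnsEvent) -> float:
    """Bytes sent back to the client per byte received from it."""
    return ev.response_bytes / ev.request_bytes


def find_amplification_targets(events: Iterable[DnsEvent], min_factor: float = 10.0,
                               min_queries: int = 20) -> Dict[str, dict]:
    """Flag client IPs that receive at least `min_queries` answers amplified `min_factor`x or more.

    Because the source address is spoofed, the flagged IP is the victim, so the right
    reaction is to rate-limit or refuse the amplified answers, not to blocklist the IP.
    """
    per_client: Dict[str, List[DnsEvent]] = defaultdict(list)
    for ev in events:
        per_client[ev.client_ip].append(ev)
    flagged: Dict[str, dict] = {}
    for ip, evs in per_client.items():
        big = [e for e in evs if amplification_factor(e) >= min_factor]
        if len(big) >= min_queries:
            flagged[ip] = {
                "queries": len(big),
                "response_bytes": sum(e.response_bytes for e in big),
                "mean_factor": sum(amplification_factor(e) for e in big) / len(big),
            }
    return flagged


class ResponseRateLimiter:
    """Simplified RRL: cap amplified answers per client per one-second window."""

    def __init__(self, max_per_second: int = 2, min_factor: float = 10.0):
        self.max_per_second = max_per_second
        self.min_factor = min_factor
        self._counts: Dict[tuple, int] = defaultdict(int)

    def allow(self, ev: DnsEvent) -> bool:
        if amplification_factor(ev) < self.min_factor:
            return True                      # small answers amplify little; never limit them
        key = (ev.client_ip, int(ev.ts))     # fixed one-second window per client
        self._counts[key] += 1
        return self._counts[key] <= self.max_per_second


def build_sample_events() -> List[DnsEvent]:
    """Constructed log: 25 spoofed ANY queries 'from' the victim plus 3 ordinary A lookups."""
    victim, normal = "203.0.113.10", "198.51.100.5"   # RFC 5737 documentation addresses
    events = [DnsEvent(i * 0.2, victim, "example.com", "ANY", 36, 3500) for i in range(25)]
    events += [DnsEvent(1.0 + i, normal, "example.org", "A", 40, 120) for i in range(3)]
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for ip, info in find_amplification_targets(sample).items():
        print(f"{ip}: {info['queries']} amplified answers, {info['response_bytes']} bytes, "
              f"mean factor {info['mean_factor']:.1f}")
    limiter = ResponseRateLimiter(max_per_second=2)
    served = sum(limiter.allow(e) for e in sample)
    print(f"rate limiter would serve {served} of {len(sample)} answers")
```

With the constructed data the victim address is the only one flagged (25 answers of 3,500 bytes for 36-byte queries, a factor of roughly 97), and the limiter lets through only 2 amplified answers per second, cutting the 25 victim-bound responses to 10 while leaving the ordinary lookups untouched.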
Lab Terminal
In this terminal activity, students will explore the basics of a Denial of Service (DoS) attack. They will begin by verifying that a target system is reachable using ping and testing whether a web service is responding on port 80. Then, students will simulate a SYN flood attack using hping3 to overwhelm the target with a large number of connection requests. Finally, they will observe how the system becomes unresponsive under the attack. This activity demonstrates how even simple traffic flooding can disrupt a service and highlights the importance of network defenses against DoS attacks.
Instructions:
- Use the help command to explore available commands.
- Verify that the target system is reachable using ping:
  ping 192.168.1.28 -c 10
- Send a test SYN packet to confirm the web server is responding on port 80:
  hping3 -S 192.168.1.28 -p 80 -c 1
- Initiate a SYN flood attack against the target on port 80:
  hping3 -S 192.168.1.28 --flood -p 80
- Check the status of the target system after the attack:
  ping 192.168.1.28 -c 5
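To see the lab's flood from the target's side, the following added example (not part of the lab material) parses constructed tcpdump-style lines for port 80 on 192.168.1.28, tracks which SYNs are never followed by the client's handshake ACK, and raises an alert when a one-second window holds too many half-open attempts. The line format, the thresholds and the second client address 192.168.1.60 are assumptions; the lab target 192.168.1.28 comes from the instructions above.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Simplified `tcpdump -n` line (assumed format), e.g.
#   12:00:01.000250 IP 192.168.1.50.40001 > 192.168.1.28.80: Flags [S], seq 0, win 512, length 0
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # tcpdump flag string: "S" = SYN, "S." = SYN-ACK, "." = ACK


def parse_line(line: str) -> Optional[Packet]:
    """Parse one capture line; return None for lines that are not TCP packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return Packet(ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def detect_syn_flood(lines: Iterable[str], window_s: float = 1.0, syn_threshold: int = 100,
                     max_completion: float = 0.2) -> Dict[Tuple[str, int], dict]:
    """Alert per (server_ip, port) when a window holds >= syn_threshold SYNs of which
    at most max_completion (fraction) were followed by the client's handshake ACK."""
    syns: Dict[Tuple[str, int], List[tuple]] = defaultdict(list)
    completed = set()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syns[(p.dst, p.dport)].append((p.ts, flow))
        elif "S" not in p.flags and "R" not in p.flags:
            completed.add(flow)      # client's third handshake packet or later data
    alerts: Dict[Tuple[str, int], dict] = {}
    for server, entries in syns.items():
        buckets: Dict[int, List[tuple]] = defaultdict(list)
        for ts, flow in entries:
            buckets[int(ts // window_s)].append(flow)
        for bucket, flows in buckets.items():
            half_open = [f for f in flows if f not in completed]
            completion = 1 - len(half_open) / len(flows)
            if len(flows) >= syn_threshold and completion <= max_completion:
                alerts[server] = {
                    "window_start": bucket * window_s,
                    "syns": len(flows),
                    "half_open": len(half_open),
                    "top_sources": Counter(f[0] for f in half_open).most_common(3),
                }
    return alerts


def build_sample_capture() -> List[str]:
    """Constructed capture: three completed handshakes from 192.168.1.50, then 200 SYNs
    from 192.168.1.60 that are answered with SYN-ACKs but never acknowledged."""
    server, lines, usec = "192.168.1.28", [], 0

    def emit(src, sport, dst, dport, flags):
        nonlocal usec
        usec += 250
        lines.append(f"12:00:01.{usec:06d} IP {src}.{sport} > {dst}.{dport}: "
                     f"Flags [{flags}], seq 0, win 512, length 0")

    for port in (40001, 40002, 40003):
        emit("192.168.1.50", port, server, 80, "S")
        emit(server, 80, "192.168.1.50", port, "S.")
        emit("192.168.1.50", port, server, 80, ".")
    for i in range(200):
        emit("192.168.1.60", 10000 + i, server, 80, "S")
        emit(server, 80, "192.168.1.60", 10000 + i, "S.")
    return lines


if __name__ == "__main__":
    for server, info in detect_syn_flood(build_sample_capture()).items():
        print(f"SYN flood on {server[0]}:{server[1]}: {info['syns']} SYNs, "
              f"{info['half_open']} half-open, top sources {info['top_sources']}")
```

The three legitimate handshakes never trigger an alert on their own; the flood is flagged because 200 of the 203 SYNs in the window are left half-open, which is exactly the backlog exhaustion that makes the lab target stop answering ping and port 80. On a real host the same state is visible with `ss -tan state syn-recv`, and the usual mitigation is SYN cookies plus rate limiting at the edge.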