DDoS Attacks

Overview

On March 18, 2013, a series of DDoS attacks began against the website of the anti-spam organisation Spamhaus (spamhaus.org) and continued for about a week, peaking at roughly 300 Gbps, the largest publicly reported attack at the time. Traffic of that volume cannot be generated from a single source: in a DDoS (Distributed Denial of Service) attack it comes from many systems at once. Often those systems are a "botnet", a collection of compromised machines under an attacker's central control. In the Spamhaus case, however, most of the traffic was reflected off third-party DNS servers, as described in the next section.

Vulnerability Details

The largest share of the attack traffic came from DNS amplification, a reflection attack that abuses open recursive resolvers (DNS servers that answer queries from any address on the Internet). DNS normally runs over UDP, which has no handshake, so a resolver cannot tell that the source address on a query has been forged. The attacker sends queries whose source IP is set to the victim's address; each resolver sends its answer to that address, so the victim, not the attacker, receives the responses. The queries are chosen so that the response is far larger than the request, typically a query of type ANY for a name with a large record set (in the Spamhaus attack, ANY queries for ripe.net returned answers of roughly 3 KB for requests of a few dozen bytes). The amplification factor is the ratio of response bytes delivered to the victim to request bytes the attacker sent, so an attacker with a modest uplink can produce an attack many times the size of their own bandwidth, and the victim sees the traffic arriving from the resolvers rather than from the attacker. Two conditions make this possible: resolvers that answer anyone, and networks that forward packets carrying source addresses their customers could not legitimately have originated (the problem that BCP 38 ingress filtering addresses).

Lab Terminal

In this terminal activity, students will explore how reflective DDoS attacks combine IP spoofing with traffic amplification. By simulating spoofed DNS queries to open resolvers, students will see why a resolver answers to the forged source address, measure how much larger the responses are than the queries, and work out the resulting amplification factor. They will then examine the defences that blunt these attacks: rate limiting on resolvers, ingress (anti-spoofing) filtering at network edges, and packet filtering at the target. The activity aims to give students a working understanding of both the mechanics of DDoS attacks and the strategies used to defend against them.

Instructions:

  • Use the help command to explore available commands.
  • Simulate sending spoofed DNS requests to open resolvers.
  • Analyze the amplification effect of the responses received from the resolvers.
  • Investigate common defense mechanisms against DDoS attacks, such as rate limiting and packet filtering.
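The following is an added example and is not part of the lab terminal or the original page. It simulates the exchange described under Vulnerability Details and the instruction steps above entirely offline, in Python: the attacker builds real RFC 1035 query bytes, stamps the victim's address as the source, a stub resolver answers to that address, and the amplification factor is computed from bytes on the wire. Two defences from the instructions are modelled, Response Rate Limiting (RRL) at the resolver and BCP 38 ingress filtering at the attacker's ISP. The addresses (RFC 5737 documentation ranges), the name example.net., and the 3000-byte answer size are constructed assumptions; real RRL additionally "slips" occasional truncated replies so legitimate clients retry over TCP, which is omitted here.

```python
"""Offline simulation of a DNS reflection/amplification attack and two defences.
Nothing touches the network: datagrams are objects and the resolver is a stub."""
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

QTYPE_ANY = 255
QCLASS_IN = 1
UDP_IP_OVERHEAD = 28  # IPv4 header (20 bytes, no options) + UDP header (8 bytes)


@dataclass(frozen=True)
class Datagram:
    src: str          # source address as written in the IP header; nothing verifies it
    dst: str
    payload: bytes


def build_dns_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Encode a DNS query in RFC 1035 wire format: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(payload: bytes):
    """Decode the question section of a query; returns (txid, name, qtype)."""
    txid = struct.unpack("!H", payload[:2])[0]
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    return txid, ".".join(labels) + ".", qtype


class OpenResolver:
    """Stub open resolver. ANSWERS maps a name to the size of its ANY answer
    (constructed value, of the order seen in 2013). With rrl_limit set, the
    resolver caps identical answers per (client address, name), which is the
    core idea of Response Rate Limiting (RRL)."""
    ANSWERS = {"example.net.": 3000}

    def __init__(self, ip: str, rrl_limit: Optional[int] = None):
        self.ip = ip
        self.rrl_limit = rrl_limit
        self.sent = Counter()

    def handle(self, query: Datagram) -> Optional[Datagram]:
        txid, name, qtype = parse_question(query.payload)
        if qtype != QTYPE_ANY or name not in self.ANSWERS:
            return None
        key = (query.src, name)
        if self.rrl_limit is not None and self.sent[key] >= self.rrl_limit:
            return None  # RRL: stop repeating the same large answer to one client
        self.sent[key] += 1
        # Header with QR bit set, the question echoed back, then filler standing
        # in for the record data. The answer goes to the (forged) source address.
        head = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query.payload[12:]
        body = head + b"\x00" * (self.ANSWERS[name] - len(head))
        return Datagram(src=self.ip, dst=query.src, payload=body)


def bcp38_permits(dg: Datagram, customer_prefix: str) -> bool:
    """Ingress filtering (BCP 38): a provider forwards a customer's packet only
    if its source address lies in the prefix assigned to that customer."""
    return ipaddress.ip_address(dg.src) in ipaddress.ip_network(customer_prefix)


def run_attack(resolver: OpenResolver, victim_ip: str, attacker_prefix: str,
               n_queries: int, name: str = "example.net.",
               ingress_filtering: bool = False) -> dict:
    """Attacker sends n_queries ANY queries with the victim's address as source.
    Returns bytes the attacker put on the wire, bytes that reached the victim,
    and the amplification factor (victim bytes / attacker bytes)."""
    query = Datagram(src=victim_ip, dst=resolver.ip, payload=build_dns_query(name))

    def wire(dg: Datagram) -> int:
        return len(dg.payload) + UDP_IP_OVERHEAD

    attacker_bytes = victim_bytes = 0
    for _ in range(n_queries):
        attacker_bytes += wire(query)  # spent whether or not the packet gets through
        if ingress_filtering and not bcp38_permits(query, attacker_prefix):
            continue                   # dropped at the attacker's own ISP
        resp = resolver.handle(query)
        if resp is not None and resp.dst == victim_ip:
            victim_bytes += wire(resp)
    return {"attacker_bytes": attacker_bytes, "victim_bytes": victim_bytes,
            "amplification": victim_bytes / attacker_bytes}


if __name__ == "__main__":
    victim, attacker_net = "203.0.113.10", "198.51.100.0/24"  # RFC 5737 test addresses
    for label, rrl, bcp in [("no defences", None, False),
                            ("RRL (5 per client/name)", 5, False),
                            ("BCP 38 at attacker ISP", None, True)]:
        r = run_attack(OpenResolver("192.0.2.53", rrl), victim, attacker_net, 100,
                       ingress_filtering=bcp)
        print(f"{label:24s} sent={r['attacker_bytes']:6d} B  victim got="
              f"{r['victim_bytes']:7d} B  amplification x{r['amplification']:.1f}")
```

Running the script prints one row per scenario. With no defences, a 57-byte query on the wire draws a 3028-byte response, about 53x amplification, and the total delivered to the victim grows linearly with the number of queries. RRL caps what one client (here the forged victim address) can receive for a given name no matter how many queries arrive, so the attacker's own bandwidth is mostly wasted. BCP 38 stops the attack before it starts because the forged source address never leaves the attacker's network. Note who deploys each control: RRL is the resolver operator's job and BCP 38 the attacker's upstream provider's; the rate limiting and packet filtering in the review questions are what the victim itself can do, for example dropping inbound UDP from port 53 that does not match a query it sent.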

Review Questions

What is a DDoS attack?
How did attackers maliciously use open DNS resolvers in DDoS attacks?
What are some possible ways to create a packet with spoofed IP addresses?
Explain how rate limiting and packet filtering could be used to prevent DDoS attacks.
Open resolvers and the lack of source-address validation were well understood long before 2013, and DDoS attacks have remained prominent since. Why do you think reflection attacks stayed so effective, and who would have to act for them to stop working?