DDoS – Delayed Death of Site?


May 10, 2008 - 8:00pm | author: ayny | |


The e-commerce world was recently shaken by a series of DDoS attacks against leaders of the electronic payment market, ePassporte and Liberty Reserve, the latter having become a particular "favourite" of DDoSers. There is hardly a forum whose members have ignored the topic. Many people were genuinely worried about the system, some were bitterly disappointed and hurried to leave it, and some blamed the system for weak protection. Many forget, though, that even giants such as Yahoo, eBay, Amazon, Buy.com, Datek and CNN have been attacked. Having read through many forums, we concluded that a lot of people do not even know what DDoS is. So we decided to say a little about this plague of the 21st-century Internet and to answer the most common questions on the subject.

What is a DDoS attack?

The aim of a denial-of-service (DoS) attack, or of a distributed denial-of-service (DDoS) attack, is to make an Internet site or service unavailable to its users, whether completely, partially or for an indefinite period. DDoS attacks can target any networked system, including routers as well as web, e-mail and Domain Name System servers. The targeted server spends its resources (connection state, memory, processor time, bandwidth) servicing the attacker's requests and can no longer handle legitimate traffic. Defence rests on identifying the sources of traffic that exceeds the usual pattern and blocking them, which is harder than it sounds, because the sources are many and their addresses may be forged.


When did it start?

It is hard today to name the exact date or the originator of the first DDoS attack. Some say 1999, some 2000, and some even name 1989-1990. The attacks of February 2000 on Yahoo, eBay, Amazon, Buy.com, CNN and Datek, mentioned above, are usually cited as the first large-scale DDoS campaign; the week-long attack on Register.com in early 2001 is another early example often named in this context.


How does a DDoS attack work?

In the most common case the victim's machine is saturated with external connection requests and cannot answer all of them. The situation is like trying to phone somewhere and failing because the line is busy: telephone lines and computer systems alike can handle only a limited number of simultaneous calls and requests.

There are many ways to organise a DDoS attack; as the saying goes, all is fair in love and war, and DDoS attackers take the same view. Today's attacks are on a larger scale and usually target not just a single computer but a whole network.

First, the intruders break into poorly protected computers by exploiting weaknesses in common programs and flaws in operating systems. Then they install software that hides the intrusion, so the owner does not know that the machine has been compromised. Next the hackers (or crackers, or DDoSers, if you prefer) install self-propagating programs in place of legitimate ones; these programs replicate automatically and scan the network for other vulnerable machines to infect, turning each host into a breeding ground for the infection. Eventually the whole network of compromised hosts is ready to act. The attacker may hit the victim as soon as the network is ready, or hold it back until the moment is right.

 

How do they attack?

There are many ways and methods to organise a DDoS attack and bring a system down. Every day the fertile minds of fraudsters and computer geniuses invent new forms of network penetration, but there are five main methods that have become classics of the "art" of DDoS.

  1. Consumption of computational resources, such as bandwidth, disk space or processor time.
  2. Disruption of configuration information, such as routing information.
  3. Disruption of state information, such as unsolicited resetting of TCP sessions.
  4. Disruption of physical network components.
  5. Obstruction of the communication media between the intended users and the victim, so that they can no longer communicate adequately.

Some attacks cause losses not only by knocking a network offline but also through malware bundled into the DoS attack, which is worse still, because such an attack can have lasting consequences. Malware eats the system from the inside like a virus. It can:

  • Max out the processor so that no useful work gets done;
  • Trigger errors in the machine's microcode;
  • Trigger errors in the sequencing of instructions, forcing the computer into an unstable state or a lock-up;
  • Exploit errors in the operating system to cause resource starvation and/or thrashing, using up every available resource so that no real work can be accomplished;
  • Destroy the operating system itself;
  • Perform an iFrame (D)DoS, in which an HTML document is made to fetch a web page of many kilobytes over and over until the target's bandwidth limit is exceeded.

What are the first signs of a DDoS attack?

  • Unusually slow network performance (opening files or accessing web sites)
  • Unavailability of a particular web site
  • Inability to access any web site
  • A sharp rise in the number of spam messages received, usually called a "mail bomb"

Seeing all of these symptoms does not by itself mean that you were DDoSed. They can also be produced by other forms of denial of service, such as smurf attacks, ping floods, SYN floods, teardrop attacks, peer-to-peer attacks, "banana attacks", fork bombs, nukes and so on, or for that matter by an ordinary outage.

Why is it almost impossible to find the culprit behind a DDoS attack?

DDoS attacks are rarely organised on someone's own initiative; they are usually commissioned by rivals or envious parties who wish to harm the successful "victim". Nobody can know who ordered a given attack unless those who carried it out are found and questioned, and finding the executors is no easy thing either: the attack traffic comes from computers in different time zones, under different legal jurisdictions and run by different system administrators. To cover their tracks completely the attackers use so-called IP spoofing, forging the source addresses so that the traffic appears to come from someone else's computer rather than their own.

What is the remedy?

If you have already fallen victim to DDoSers, start the investigation as soon as possible. Unfortunately there are no instant solutions, and recovery can take anything from several minutes to several months or even years. The best way to survive a DDoS is to be prepared for it. It is therefore well worth keeping a separate block of IP addresses for critical servers, with a separate route, so that they stay reachable when the main addresses are under fire.

Filtering alone will not stop a determined attack, but it can blunt a DoS attack and, if you watch what it catches, help you see one coming.

Another tool is the firewall, although firewalls alone are insufficient too, since they can do little against some forms of DoS attack. They can, however, stop your own computer from running programs that might later be used to take part in DDoS attacks.

Switches also deserve a mention. Many provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (dropping packets with bogus source addresses) to detect and remediate denial-of-service attacks, along with automatic rate filtering and WAN link failover and balancing. Thanks to these features, some DDoS attacks can be stopped at the switch.
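Bogon filtering, as mentioned here, means dropping packets whose source address can never legitimately appear on the public Internet: private, loopback, link-local, multicast and documentation ranges. As an added example, not from the article or from any vendor's product, here is a small Python filter that classifies source addresses seen on an external interface. It also rejects outside packets that claim a source inside the organisation's own address block, which is the classic spoofing case from the previous section. The block 11.22.33.0/24 and the sample sources are stand-ins constructed for the demonstration, and the bogon list is the static, well-known subset (full bogon lists also track currently unallocated space, which changes over time).

```python
"""Bogon and anti-spoofing source filter for traffic on an external interface.

Added example for this page (not the article's code). IPv4 only; the
'own' prefix and the sample sources are constructed stand-ins.
"""
import ipaddress

# Static bogons: addresses that must never be a source on the public Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1 (documentation only)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, including limited broadcast
)]


def classify_source(src, own_prefix):
    """Classify one source address arriving from the outside.

    Returns 'bogon', 'spoofed-own-prefix', 'malformed' or 'pass'.
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "malformed"
    if any(ip in net for net in BOGON_NETS):
        return "bogon"
    # A packet from the Internet must not claim to come from our own block;
    # if it does, the source address has been forged.
    if ip in ipaddress.ip_network(own_prefix):
        return "spoofed-own-prefix"
    return "pass"


def filter_sources(sources, own_prefix):
    """Group observed sources by verdict, preserving order within each group."""
    verdicts = {"pass": [], "bogon": [], "spoofed-own-prefix": [], "malformed": []}
    for src in sources:
        verdicts[classify_source(src, own_prefix)].append(src)
    return verdicts


# Constructed sample: source addresses of SYNs seen on the external interface.
OWN_PREFIX = "11.22.33.0/24"   # stand-in for the organisation's own block
SAMPLE_SOURCES = [
    "44.55.66.77",   # ordinary public source (stand-in)
    "10.1.2.3",      # private address: bogon
    "11.22.33.9",    # claims to be us, arriving from outside: spoofed
    "127.0.0.1",     # loopback: bogon
    "224.0.0.251",   # multicast: bogon
    "44.55.66.78",   # ordinary public source (stand-in)
]

if __name__ == "__main__":
    for verdict, srcs in filter_sources(SAMPLE_SOURCES, OWN_PREFIX).items():
        print(f"{verdict:20s} {srcs}")
```

The same two checks are what an edge router or switch applies in hardware; the own-prefix test is most effective when every ISP applies it to traffic leaving its customers' networks, because a flood with forged sources can then not get onto the Internet in the first place.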

Routers and application front-end hardware are also useful in the struggle against DDoS, and in conjunction with switches they give the best results.

Intrusion-prevention systems (IPS) are effective when the attacks have recognisable signatures. The trend, however, is towards attacks whose traffic is legitimate in content but malicious in intent. An IPS that works on content recognition cannot block such behaviour-based DoS attacks.

An ASIC-based IPS can detect and block denial-of-service attacks because it has the processing power and the granularity to analyse the traffic and act as an automatic circuit breaker.

A rate-based IPS (RBIPS) must analyse traffic granularly, monitor the traffic pattern continuously and decide whether an anomaly is present. It must let legitimate traffic flow while blocking the DoS attack traffic.
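As an added illustration of two ideas in this article, finding the sources whose traffic exceeds the usual pattern and blocking them (the defence described at the start) and the continuous rate-watching of an RBIPS, here is a small Python detector run over web-server access-log lines. It is example code written for this page, not from the article or from any product. The log lines are constructed for the demonstration, and the per-client baseline of 0.5 requests per second, the 10-second window and the factor of 10 are assumptions that a real deployment would tune from its own traffic history.

```python
"""Rate-based flood detection over Common Log Format access-log lines.

Added example for this page (not the article's own code). The log lines
below are constructed; the baseline, window and threshold factor are
assumptions that would be tuned from real traffic history.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def detect_flooders(lines, window_seconds=10, baseline_rps=0.5, factor=10):
    """Flag sources whose request count in any sliding window exceeds
    `factor` times what a normal client sends in that window.

    `lines` must be in time order, as a live log is. Returns
    {ip: peak_requests_in_window} for the flagged sources only.
    """
    limit = baseline_rps * window_seconds * factor  # 0.5 * 10 * 10 = 50 requests
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-attack
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # slide the window: drop this source's requests older than window_seconds
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def block_rules(peaks):
    """Turn flagged sources into iptables DROP rules (the 'ban' step)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(peaks)]


# --- constructed sample log: two normal visitors and one flooding source ---
def _clf(ip, second, path="/index.html"):
    ts = datetime(2008, 5, 10, 20, 0, second, tzinfo=timezone.utc)
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512'

_events = [("198.51.100.20", s) for s in (0, 2, 4, 6, 8)]   # normal: 5 requests in 10 s
_events += [("203.0.113.7", i // 12) for i in range(60)]   # flooder: 12 requests/s for 5 s
_events += [("192.0.2.33", s) for s in (1, 3, 5, 7, 9)]    # normal: 5 requests in 10 s
_events.sort(key=lambda e: e[1])                           # a log arrives in time order
SAMPLE_LOG = [_clf(ip, sec) for ip, sec in _events]

if __name__ == "__main__":
    flagged = detect_flooders(SAMPLE_LOG)
    for ip, peak in flagged.items():
        print(f"{ip}: {peak} requests inside one 10 s window")
    for rule in block_rules(flagged):
        print(rule)
```

Per-source counting like this works against floods from real, unspoofed sources such as a botnet making HTTP requests; a flood of packets with forged source addresses spreads its count over many fake addresses, which is why the source-address filtering above has to sit in front of it.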

Despite the great variety of means for fighting DDoS attacks, it is far easier, cheaper and simpler to be protected against them in advance. You need a good hosting provider and a strong protection system, because DDoS attacks hit not just profits but reputation, and reputation takes far longer to recover than revenue.




