Your PC became a DDoS client, what now?
DDoS stands for Distributed Denial of Service and is, let’s say, one of the most powerful and popular attack methods of hackers and hacker-wannabes. For a DDoS, the offender needs a high number of clients. The clients are ordinary users’ PCs on which a special piece of malware has been installed.
To get the malware installed, the user has to click a link in a spam email or download and run a spam email’s attachment. The malware installs itself as a service and usually sits waiting: it waits for a special signal from the script’s author or for a hard-coded date, and then starts doing what it was coded for: attacking.
The typical symptom is that the PC is extremely slow. This is caused by the malware running in the background and sending, usually over TCP/IP, malicious and often faked packets to one single party, usually a website or a server, but always to an IP. To recognize whether your PC is doing this, you have to look deeper. Download and install a network monitor, and watch. Look for traffic going to one single IP at a high rate. You can also look for “echo requests”, i.e. pings. If you see a high amount of such traffic, you are powering a DDoS attack.
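The check described above, “traffic to one single IP at a high rate, possibly echo requests”, written out as an added example (not code from the original post): it parses packet-per-line output in the summary style tcpdump prints (an assumption about what your network monitor gives you), counts packets per destination over the capture window, and flags any destination that receives both a high packet rate and most of the host’s traffic. The sample lines are constructed, not a real capture.

```python
import re
from collections import Counter
from datetime import datetime

# One packet per line in the summary style tcpdump prints (assumed monitor output):
# "HH:MM:SS.micro IP src[.port] > dst[.port]: description"
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{6}) IP (\S+) > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$"
)


def parse_line(line):
    """Return {ts, src, dst, echo_request} for a packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%H:%M:%S.%f"),
        "src": m.group(2),
        "dst": m.group(3),
        "echo_request": m.group(4).startswith("ICMP echo request"),
    }


def analyze(lines, pps_threshold=100.0, share_threshold=0.5):
    """Flag destinations that receive both a high packet rate and most of the host's traffic.
    Returns {dst: {"packets", "pps", "share", "echo_requests"}} for flagged destinations."""
    packets = [p for p in (parse_line(line) for line in lines) if p]
    if not packets:
        return {}
    per_dst = Counter(p["dst"] for p in packets)
    echo_per_dst = Counter(p["dst"] for p in packets if p["echo_request"])
    # Capture window in seconds; never below 1 s so a handful of packets cannot look like a flood.
    span = (max(p["ts"] for p in packets) - min(p["ts"] for p in packets)).total_seconds()
    span = max(span, 1.0)
    total = len(packets)
    flagged = {}
    for dst, n in per_dst.items():
        pps, share = n / span, n / total
        if pps >= pps_threshold and share >= share_threshold:
            flagged[dst] = {"packets": n, "pps": round(pps, 1),
                            "share": round(share, 2), "echo_requests": echo_per_dst[dst]}
    return flagged


def constructed_capture():
    """Constructed sample, not a real capture: six ordinary web packets plus an echo-request
    flood of 400 packets (one every 5 ms) from the PC to a single address."""
    def stamp(ms):
        return f"12:00:{ms // 1000:02d}.{(ms % 1000) * 1000:06d}"
    lines = [f"{stamp(5 * i)} IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq {i}, length 64"
             for i in range(400)]
    lines += [f"{stamp(ms)} IP 10.0.0.5.51234 > 198.51.100.20.80: Flags [P.], seq 1:100, ack 1, length 99"
              for ms in (100, 500, 900, 1300, 1700, 1900)]
    lines.append("this line is not a packet and is skipped")
    return lines


if __name__ == "__main__":
    for dst, info in analyze(constructed_capture()).items():
        print(f"{dst}: {info['packets']} packets, {info['pps']} pkt/s, "
              f"{info['share']:.0%} of all traffic, {info['echo_requests']} echo requests")
```

Both thresholds have to be exceeded on purpose: a PC streaming a video sends most of its traffic to one address, and a busy file transfer has a high packet rate, but only a flood does both while the user is not doing anything. Tune the thresholds to the host; the defaults are only a starting point.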
How to get rid of a DDoS client
The operating systems most targeted by malware are the Windows-based ones. Mainly because they are the most popular, it’s quite easy to create software for them, and because they have more security holes than a cottage.
The DDoS client is practically a piece of malware, so a good anti-spyware/anti-malware program should do the removal job.
Usually, since the malware installs itself as a service, you have to run the malware remover in Windows’ safe mode.
Some of the best spyware/malware removers are:
I have used all of the above programs and they are all worth the money.
If these programs cannot remove the malware because it was clever enough to protect itself against the operating system, your only option is to reinstall your OS, sorry.
The most common way to get malware, spyware or adware onto your PC is to click links in e-mails whose sender you don’t know, i.e. spam emails. Avoid at all costs clicking in, or even opening, these emails, because all they can cause is headaches, nothing else.
Download software only from trusted sources like Download.com, CNET, Mozilla, Microsoft or Google. This is not an exhaustive list; there are many other trusted entities, I just listed some of them. You have to decide whether you trust a website or not, but if you have never heard of a website before, be suspicious. Check whether an installer is digitally signed. Those who write malware or put malicious code into their software will not spend money on digital certificates.
The current Internet is very insecure. I recommend every user to be cautious while navigating the internet, because the threat level is almost always higher than zero.
Stop an ongoing DoS attack
August 31, 2008 by methode
Filed under Security, Server Management
Many server managers say that effectively stopping a DoS attack is impossible. This is only half true.
Under a DoS siege, the majority of server administrators will try to create a null route for each offending IP, IP block or even whole subnet. This is done in an effort to keep the service online for legitimate clients while denying service to the offenders. It is a very time-consuming operation, and as the IPs are faked, null routing is almost always impossible.
So what other methods are available?
I can tell you my experience only, and that is extremely simple. First, I start to look for the port the attackers chose. Usually and unfortunately this port is almost always port 80, aka HTTP. If the server has become completely unusable and the number of connections is unbelievably high, then one simple step: shut down the ethernet card which handles the public network. No one will be able to use the server until you re-enable the ethernet card, so this is a very cruel option in many people’s minds. But why? If no one can access the server because of the DoS attack, why is it bad if I shut down the ethernet card?
And why do I shut down the traffic completely? This is again my own experience: the offender thinks that the mission was accomplished and simply gives up. I had only one situation where re-enabling the ethernet card after a few hours brought the offender back too, one occasion out of a few dozen. So in my humble opinion it’s still better to have a few hours of silence than a few hours of stress caused by the efforts of blocking the unwanted traffic.
On the other hand, if the server hasn’t denied service yet, you may try to null route the offenders. It’s an extremely time-consuming operation, and if the IPs are faked… well. You can’t really null route. But if you desperately want to keep the server up and running, you may try it. Be prepared for great stress, have your coffee machine ready too, and if you smoke, a few packs of cigs nearby are also required.
Another option I’ve heard about is a bit more interesting. But it involves DNS administration, so you should be familiar with it before starting.
Let’s take the following situation: you have www.example.com running on the IP 192.168.0.1. When you observe that your IP is under attack and your website under the example.com domain has become slow, you move your domain name to another IP on another server. The offenders will still attack the old IP, but they cause no trouble since that IP is out of service.
This is very beautiful in theory, but in the real world it may or may not work. Usually it doesn’t, since while the update to your DNS propagates through the whole world, your website may already be on its knees.
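Since null routing by hand is the time-consuming part, here is an added helper (not from the original post) that turns a list of offending addresses into Linux iproute2 blackhole commands: it validates each entry, refuses anything that overlaps your own or your upstream’s ranges, refuses absurdly wide prefixes, and merges adjacent blocks so that hundreds of addresses become a handful of routes. The protected ranges are constructed placeholders, the commands are returned rather than executed, and the `ip route add blackhole` syntax is the standard iproute2 one.

```python
import ipaddress
import sys

# Ranges that must never be blackholed: the server's own addresses, management and upstream
# networks. Constructed placeholders (documentation ranges); replace them with your own.
PROTECTED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8", "2001:db8:1::/48")]


def null_route_commands(offenders, protected=PROTECTED):
    """Turn offending IPs / CIDR blocks into Linux iproute2 blackhole commands.

    Returns (commands, rejected): one command per merged prefix, plus the entries that were
    refused and why. Nothing is executed here; review the list, then run it as root."""
    nets, rejected = [], []
    for entry in offenders:
        text = entry.strip()
        if not text or text.startswith("#"):
            continue  # blank lines and comments in the input list
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append((text, "not an IP address or CIDR block"))
            continue
        if any(net.version == p.version and net.overlaps(p) for p in protected):
            rejected.append((text, "overlaps a protected range"))
            continue
        if net.prefixlen < (8 if net.version == 4 else 32):
            rejected.append((text, "prefix too wide; would blackhole a huge part of the Internet"))
            continue
        nets.append(net)
    commands = []
    # collapse_addresses merges contained and adjacent prefixes; it needs one IP version at a time.
    for version, prefix in ((4, "ip route add blackhole"), (6, "ip -6 route add blackhole")):
        for net in ipaddress.collapse_addresses(n for n in nets if n.version == version):
            commands.append(f"{prefix} {net.with_prefixlen}")
    return commands, rejected


if __name__ == "__main__":
    # Usage: python3 nullroute.py < offenders.txt  (one IP or CIDR per line)
    cmds, bad = null_route_commands(sys.stdin)
    for text, why in bad:
        print(f"# skipped {text}: {why}", file=sys.stderr)
    print("\n".join(cmds))
```

Pipe the output into a shell only after reading it; the protected list is the thing that keeps a tired administrator from blackholing his own uplink at three in the morning. Remember also what the post says about faked source addresses: if the offenders spoof, the list you feed in is worthless no matter how neatly it is merged.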
What can be done to just not experience DoS attacks?
To be prepared for the attack. There will always be black hat hackers and hacker kids in suburban basements who have nothing better to do than try to attack websites or whole servers, so our only option is to be prepared. Better said, the datacenters’ only option.
DoS attacks can be recognized quite easily; there is a listening system installed on every major internet backbone too. What they can do is recognize early that something is happening and start blocking the malicious traffic as it is born.
Choose your provider wisely. If you want a good hosting solution, go with well-known web hosts like GoDaddy or MediaTemple. If you need servers, choose well-known data centers like RackSpace or SoftLayer. They are all prepared for DoS attacks and can help you in no time.
If you go with a server, a must-have is a good hardware (!) firewall, which can distinguish the good traffic from the bad and then block the unwanted. This kind of firewall, the stateful firewall, is manufactured by Cisco for example. They do a hell of a good job.
Other than that, you can only beg for mercy. Nothing else. Every system is vulnerable to these attacks at any time; it’s not just you. The only difference is how much the servers can take without being killed.
What is a DoS attack and how to initiate it
August 30, 2008 by methode
Filed under Security, Server Management
The best method to deflect an attack is to understand how the offender planned his attack; then you know what will happen next or how to stop a previous action.
This post is about the basics of a distributed DoS attack. DoS is the abbreviation of Denial of Service. I won’t list everything you need, neither the software nor anything you can start a DoS attack with, but the architecture of such an attack, to help you form a picture of how DoS attacks work and thus help you avoid them.
First of all, what is a DoS attack?
DoS stands for Denial of Service. Basically, a server is bombarded with fake traffic until it refuses to serve normal traffic coming from legitimate users. DoS is a relatively new thing on the internet, and attacks can be temporary or permanent. Temporary is when it can be, let’s say, fixed easily, and permanent is when it can’t be fixed with a simple reboot or by shutting down the ethernet port. A permanent DoS is very severe, as it rewrites a network component’s firmware, so the owner of the hardware must either replace it or re-flash the firmware (usually replacing is advised).
There are many types of DoS attacks; the most common are probably ICMP floods. ICMP is the protocol on which ping requests are handled, and as almost every server will respond to ping requests, they are vulnerable to this type of attack.
So, what happens in the background? A user with a connection superior to that of the server which is to be attacked sends a high number of ping requests to the server and keeps sending them until the server is brought down. Sounds simple? It’s not. The above example is oversimplified; there is one other step involved which I didn’t mention: IP faking.
So, how does ping work?
- The user initiates a ping to a specified server.
- The server receives the request.
- The request contains data about where the server has to reply: the initiator’s IP address. The server replies to this address.
- The initiator acknowledges the answer and the connection is closed.
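The four steps above, as an added example that is not part of the original post: a small decoder and encoder for the ICMP echo message (type, code, checksum, identifier, sequence; RFC 792) with the RFC 1071 checksum verified on every message, a server-side function that shows where step 3’s reply address comes from (the source field of the IPv4 header, which nothing on the wire verifies), and an initiator-side tracker for step 4 that only accepts a reply it is actually waiting for and drops unsolicited ones. All packets are built in memory from constructed addresses; nothing is sent.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words; returns 0 for a message that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo message: type, code 0, checksum, identifier, sequence number, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(message: bytes) -> dict:
    """Decode an echo request/reply, rejecting anything truncated or with a bad checksum."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply")
    if inet_checksum(message) != 0:
        raise ValueError("ICMP checksum does not verify")
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": message[8:]}


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (no options) carrying an ICMP payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def split_ipv4(packet: bytes):
    """Return (src, dst, payload). The src field is the only clue the server has about where to reply."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[ihl:]


def server_answer(packet: bytes) -> bytes:
    """Steps 2 and 3: the server decodes the request and addresses its reply to the request's source field."""
    src, dst, icmp = split_ipv4(packet)
    req = parse_echo(icmp)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("only echo requests are answered")
    reply = build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])
    return build_ipv4(dst, src, reply)  # addresses swapped: the reply goes wherever src claims to be


class EchoTracker:
    """Step 4 on the initiator: match each reply to a request it actually sent (by peer, id, seq)."""

    def __init__(self, my_ip: str):
        self.my_ip = my_ip
        self.pending = {}

    def send(self, peer: str, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
        """Step 1: remember the outstanding request and return the packet that would go on the wire."""
        self.pending[(peer, ident, seq)] = payload
        return build_ipv4(self.my_ip, peer, build_echo(ICMP_ECHO_REQUEST, ident, seq, payload))

    def receive(self, packet: bytes) -> bool:
        """True if the reply closes an outstanding request; False for unsolicited replies (e.g. backscatter)."""
        src, dst, icmp = split_ipv4(packet)
        rep = parse_echo(icmp)
        key = (src, rep["id"], rep["seq"])
        if dst != self.my_ip or rep["type"] != ICMP_ECHO_REPLY or key not in self.pending:
            return False
        return self.pending.pop(key) == rep["payload"]
```

The point to take from `server_answer` is that the server copies the source address blindly: whatever address the request carries is where the reply goes, which is exactly what the “IP faking” step in the post exploits and why a victim of spoofed traffic often sees replies it never asked for. The `EchoTracker` side shows the right reaction to such stray replies: if nothing is pending for that peer, id and sequence, drop them.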
So how to initiate a DoS attack
The problem occurs when the pinger’s IP is faked: the server will try to answer the request, but as the address is faked, it can’t. One issue with this: the architecture of web servers is designed so that if a connection cannot be handled, the connection is kept open for a very long time. Too many open connections will bring the server to its knees in no time, mostly if there are not enough hardware resources like RAM.
Of course, modern web servers will not be brought down by only one offending client. An attack on a well-designed web server, network component or network is much harder and requires more offenders. The attack should be synchronized very well and distributed over many attacking PCs, a few hundred, a few thousand or even millions, depending solely on how advanced the attacked party is.
So how is DoS possible then?
The easiest way the hackers achieve the syncing and distribution of the attack is that they, let’s say, hire spammers to send spam that either contains links to the malware used as a DoS client or has the malware attached. When the user clicks the link or opens the attachment, the script installs itself as a service on a Windows-based OS.
On a side note, it’s interesting that the most expensive OS is at the same time the most vulnerable to malware and virus attacks, too.
The whole set of PCs which have this malware installed is called a botnet.
The installed malware will start to work at a specified time and date, like in MyDoom’s case (link to the Wikipedia article, read it, it’s very interesting), when millions of computers started a synchronized distributed attack against several websites. This is called DDoS, the abbreviation for Distributed Denial of Service. It’s incredibly effective against lower-end web servers and can take offline even high-end architectures like Google’s search back-end network.
The next article is about how to recognize DoS attacks.
If something is not clear, feel free to ask.