This post is about the basics of a distributed DOS attack. DoS is the abbreviation of Denial of Service. I won’t list everything you need, not the software you need nor anything which you can start a DOS attack with, but the architecture of such an attack to help you form a picture about how the DOS attacks works thus help you avoid them.

First of all, what is a DoS attack?

DoS stands for Denial of Service. Basically, a server is bombarded with fake traffic until it denies to serve normal traffic coming from legitimate users. DoS is a relatively new thing on the internet and they can be temporary or permanent. Temporary is when it can be let’s say fixed easily and permanent is when it can’t be fixed with a simple reboot or by shutting down the ethernet port. Permanent DoS is very sever as it rewrites a network component’s firmware, thus the owner of the hardware either replace it or re-rewrites the firmware (usually replacing is advised).

There are many types of DOS attacks, the most common are probably the ICMP floods. ICMP is a protocol on which the ping requests are handled and as almost every server will respond to ping requests, they are vulnerable to these type of attacks.

So, what happens in the background? A user with connection superior to the server’s which will be attacked, sends a high amount of ping requests to the server and keeps sending them until the server is brought down. Sounds simple? It’s not. The above example is oversimplified, there is involved one other step which i didn’t mention: the IP faking.

So, how ping is working?

1. user initiates a ping to a specified server.
2. the server receives the request
3. the request contains data about where the server has to reply, the initiator’s IP address. The server replies to this address
4. the initiator acknowledges the answer and the connection is closed

So how to initiate a DoS attack

The problem occurs when the pinger’s IP is faked as the server will try to answer for the request but as the address is faked it can’t. One issue with this: as the architecture of the web servers is designed so that if a connection can not be handled, the connection is kept open for a very long time. Too many connections open will bring the server on its knees in no time, mostly if there are not enough hardware resource like RAM.

Of course, modern web servers will not be brought down with only one offending client. An attack to a well designed webserver, network component or network is much harder and requires more offenders. The attack should be synchronized very well and distributed over many, a few hundred or even thousand and even millions of attacking PC, solely depending on how advanced is the attacked party.

So how DoS is possible then?

The easiest way the hackers achieve to sync and distribute the attack is that they, let’s say hire spammers to send spam containing either links to malware which is used as a DoS client or the message has the malware attached. When the user clicks the link or opens the attachment, the script installs itself as a service on a Windows based OS.

On a side note, it’s interesting that the most expensive OS is in the same time the most vulnerable to malware and virus attacks, too.

The whole of the PCs which has this malware installed is called botnet.

The installed malware will start to work on a specified time and date like in MyDoom’s (Link to Wikipedia article, read it, it’s very interesting) case when millions of computers started synchronized distributed attack against several websites. This is called DDoS, abbreviation for Distributed Denial of Service. It’s incredibly effective against lower end web servers and can put offline even high-end architectures like Google’s search back-end network.

Next article is about how to recognize DoS attacks.

If something is not clear, feel free to ask.