DDoS attacks

1. Introduction

At the beginning of February 2000, the world saw a number of attacks on very large internet sites such as Amazon, CNN, Yahoo and eBay. Most of these attacks can be classified as denial of service attacks with an additional feature: the compromise of many distributed hosts to act as daemon or zombie machines. Each zombie carries out a DoS attack, resulting in a vastly distributed and amplified attack: the Distributed Denial of Service (DDoS) attack.

The surprise attack took the Yahoo site down for more than three hours. It was based on the Smurf attack and, most likely, the Tribe Flood Network technique. At the peak of the attack, Yahoo was receiving more than one gigabit per second of data requests.

2. Methods of Distributed Denial of Service Attacks

These methods allow an attacker to coordinate and execute the attack. Attacks of this type plagued the Internet in February 2000. However, these distributed attack techniques still rely on base attack types such as Smurf, SYN flood or UDP flood.

The techniques are listed in chronological order. It can be observed that, as time has passed, the distributed techniques (Trinoo, Tribe Flood Network, Stacheldraht, Shaft, and TFN2k) have become technically more advanced and, hence, more difficult to detect.

Trinoo uses TCP to communicate between the attacker and the control master program. The control master program communicates with the attack daemons using UDP packets. Trinoo attack daemons implement UDP Flood attacks against the target victim.

Tribe Flood Network (TFN) uses a command line interface to communicate between the attacker and the control master program. Communication between the control master and attack daemons is done via ICMP echo reply packets. TFN’s attack daemons implement Smurf, SYN Flood, UDP Flood, and ICMP Flood attacks.

Stacheldraht (German word for “barbed wire”) is based on the TFN attack. However, unlike TFN, Stacheldraht uses an encrypted TCP connection for communication between the attacker and the master control program. Communication between the master control and attack daemons is conducted using TCP and ICMP, and involves an automatic update technique for the attack daemons. The attack daemons for Stacheldraht implement Smurf, SYN Flood, UDP Flood, and ICMP Flood attacks.

Shaft is modeled after Trinoo. Communication between the control master program and attack daemons is achieved using UDP packets. The control master program and attacker communicate via a simple TCP telnet connection. A distinctive feature of Shaft is the ability to switch control master servers and ports in real time, hence making detection by intrusion detection tools difficult.

TFN2k uses TCP, UDP, ICMP, or all three to communicate between the control master program and the attack daemons. Communication between the real attacker and control master is encrypted using a key-based CAST-256 algorithm. In addition, TFN2k conducts covert exercises to hide itself from intrusion detection systems. The TFN2k attack daemon implements Smurf, SYN, UDP and ICMP Flood attacks.
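TFN's use of ICMP echo reply packets as a control channel, described above, leaves a detectable trace: replies that answer no request. The following is an added detection sketch, not code from the original article; the packet records are constructed, and the 5-second matching window and the function names are assumptions.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed sample records (not captured traffic):
# (timestamp_seconds, src_ip, dst_ip, icmp_type, icmp_id, icmp_seq)
SAMPLE_PACKETS = [
    (0.0, "192.0.2.10", "198.51.100.5", ECHO_REQUEST, 100, 1),
    (0.1, "198.51.100.5", "192.0.2.10", ECHO_REPLY, 100, 1),  # answers the request
    (1.0, "203.0.113.7", "192.0.2.20", ECHO_REPLY, 555, 0),   # no request seen
    (1.5, "203.0.113.7", "192.0.2.21", ECHO_REPLY, 555, 0),   # no request seen
    (2.0, "192.0.2.10", "198.51.100.5", ECHO_REQUEST, 100, 2),
    (9.0, "198.51.100.5", "192.0.2.10", ECHO_REPLY, 100, 2),  # arrives after the window
]

def unsolicited_echo_replies(packets, window=5.0):
    """Return echo replies that answer no request seen within `window` seconds."""
    pending = {}  # (requester, responder, id, seq) -> time the request was sent
    unsolicited = []
    for ts, src, dst, icmp_type, ident, seq in sorted(packets):
        if icmp_type == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = ts
        elif icmp_type == ECHO_REPLY:
            # A legitimate reply mirrors the addresses of an earlier request.
            sent = pending.pop((dst, src, ident, seq), None)
            if sent is None or ts - sent > window:
                unsolicited.append((ts, src, dst, ident, seq))
    return unsolicited

def senders_by_count(unsolicited):
    """Count unsolicited replies per sending host, for triage."""
    counts = defaultdict(int)
    for _ts, src, _dst, _ident, _seq in unsolicited:
        counts[src] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = unsolicited_echo_replies(SAMPLE_PACKETS)
    for hit in hits:
        print("unsolicited echo reply:", hit)
    print(senders_by_count(hits))
```

A host that sends the same unsolicited reply to several internal addresses, as 203.0.113.7 does in the sample, is the pattern worth investigating first.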


 Figure 1

3. Mitigation against attacks

Many observers have stated that there are currently no successful defenses against a fully distributed denial of service attack. This may be true. Nevertheless, there are numerous safety measures that a host or network can perform to make the network and neighboring networks more secure.

– Firewall: Filtering all packets entering and leaving the network protects the network from attacks conducted from neighboring networks and prevents the network itself from being an unaware attacker. This measure requires installing ingress and egress packet filters on all routers.

– Disabling IP Broadcast: By disabling IP broadcasts, host computers can no longer be used as amplifiers in Smurf and Fraggle attacks. However, to defend against this attack, all neighboring networks need to disable IP broadcasts.

– Applying Security Patches: To guard against denial of service attacks, host computers must be updated with the latest security patches and techniques. For example, in the case of a SYN Flood attack there are three steps that host computers can take to guard themselves from attacks: increase the size of the connection queue, decrease the time-out waiting for the three-way handshake, and enable end host features like SYN cookies and SYN cache to circumvent the problem.

– Disabling Unused Services: If UDP echo or chargen services are not required, disabling them will help to defend against the attack. In general, if network services are unneeded or unused, the services should be disabled to prevent tampering and attacks.

– Performing Intrusion Detection: By performing intrusion detection, a host computer and network are guarded against being a source of an attack, as well as being a victim of an attack. Network monitoring is a very good pre-emptive way of guarding against denial of service attacks; NetFlow-based tools in particular are very useful for detecting the vector of an attack and tracking down its source and destination. By inspecting host systems, a host can also prevent itself from hosting an attack on another network.
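The ingress and egress filtering and the directed-broadcast rule from the list above can be expressed as one decision function at the border router. This is an added example, not code from the original article; the prefixes are documentation ranges chosen for illustration, the sample packets are constructed, and the function names are hypothetical.

```python
import ipaddress

# Assumed prefixes owned by the protected network (documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def is_directed_broadcast(addr):
    # Only the broadcast address of each listed prefix is checked; a real
    # deployment would list every subnet actually configured on its LANs.
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)

def filter_decision(direction, src, dst):
    """Return (action, reason) for one packet crossing the border router."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "egress":
        # Egress filter: only our own addresses may appear as a source, so
        # internal hosts cannot send spoofed flood traffic to other networks.
        if not is_internal(src):
            return ("drop", "egress-spoofed-source")
        return ("permit", "ok")
    if direction == "ingress":
        # Ingress filter: an outside packet cannot truly come from inside.
        if is_internal(src):
            return ("drop", "ingress-spoofed-internal-source")
        # Smurf/Fraggle amplification relies on directed broadcasts.
        if is_directed_broadcast(dst):
            return ("drop", "directed-broadcast")
        return ("permit", "ok")
    raise ValueError("direction must be 'ingress' or 'egress'")

# Constructed sample packets: (direction, source, destination).
SAMPLE = [
    ("egress", "192.0.2.15", "203.0.113.9"),
    ("egress", "10.1.2.3", "203.0.113.9"),
    ("ingress", "192.0.2.77", "192.0.2.10"),
    ("ingress", "203.0.113.9", "192.0.2.255"),
    ("ingress", "203.0.113.9", "198.51.100.127"),
    ("ingress", "203.0.113.9", "192.0.2.10"),
]

def audit(packets):
    return [filter_decision(*p) for p in packets]

if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE, audit(SAMPLE)):
        print(pkt, action, reason)
```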

4. DDoS attacks: The impact on data centers

Data centers inherently contain numerous targets for DDoS attacks. A survey showed that 45% of the respondents experienced DDoS attacks against their data centers. This represents a growth of 60% in DDoS attacks compared to the previous year. Furthermore, 94% of those who took part in the survey confirmed regular DDoS attacks, and 17% reported that the attack’s volume exceeded the available bandwidth into their data center.

The Targets of DDoS Attacks

The most frequent target of DDoS attacks is the end customer. Due to the multi-tenant nature of most of the data centers, this should be a significant concern.

The data center infrastructure services (e.g., DNS, SMTP) are the second most frequent target, with over 50% confirming similar attacks. Yet only 19% have resources responsible for DNS security. One-third of respondents reported attacks on the data center infrastructure itself.

Frequency of DDoS Attacks

For data center operators who reported being the victims of DDoS attacks, the observed frequency of attacks increased over last year’s survey. In 2011 only 30% of respondents indicated that DDoS attacks were not something that occurs each month. Since then 83% of respondents who were victims of attack now experience between one and 50% attacks per month.

Business Impact of DDoS Attacks

Nearly 90% of data center operators reported operational expenses due to DDoS attacks, while one-third of them experienced customer complaints and revenue loss:


Figure 2

Visibility into Data Center Networks

Just over three-quarters of data center respondents have good visibility up to Layer 4, while only one-third have visibility up to Layer 7. This indicates that the majority of operators are likely blind to attacks above Layer 4, making it difficult to defend against them. Layer 7 DDoS attacks are especially dangerous as they are typically “low and slow,” and are often undetectable using traditional volumetric detection mechanisms.

Data Center Security

Firewalls are now a standard security practice in data centers, deployed by 95 percent of respondents compared to only 42 percent last year. The second most common security technology is IDS/IPS (Intrusion Detection System and Intrusion Prevention System), which is used by half of respondents. The increased use of firewalls and IDS/IPS devices to deal with DDoS attacks is concerning because, even though these devices can deal with some kinds of DDoS attacks, they are primarily designed to assure confidentiality and integrity rather than service availability.

Firewalls or IDS/IPS Compromised by DDoS Attack

The result is that over one-third of respondents reported that their firewalls or IDS/IPS systems were compromised by a DDoS attack during the survey period.

DDoS Prevention and Mitigation

The proportion of data center respondents using today’s various DDoS prevention/mitigation techniques remained unchanged from last year’s survey. However, the proportion of respondents using Intelligent DDoS Mitigation Systems (IDMS) slightly increased and the proportion using D-RTBH slightly decreased. This may indicate that data center operators are becoming more focused on protecting end customer service availability during an attack. Three-quarters of data center operators who have IDMS solutions deployed offer their customer base an anti-DDoS service based on their IDMS equipment, thus monetizing their investment.


Data centers are increasingly being targeted by DDoS attacks, with significant downside to their businesses. As more companies move their services to the cloud, they now have to be wary of the shared risks of collateral damage. With e-commerce and online gaming sites being the most common targets for DDoS attacks, according to survey results this year, sharing data centers with these organizations brings some risk.