Jayant Gandhi
Distributed Denial of Service Attacks
the Anonymous Scourge
The internet has quickly become the defining tool of the twenty first century,
revolutionizing the way people communicate and do business together. There are virtually no
businesses or organizations that have not invested in online resources, such as website
construction. As investment in these websites increases it becomes more and more important
to be able to ensure their security in this new environment. In our enthusiastic love for all the
benefits the internet has conferred unto us it is easy to forget just how dangerous a place it can
be.
Enter the hacker. For a long time the popular image of a hacker has been the teenage
computer geek who entertained his or herself by ‘playing’ with the information posted by other
people on the internet. To a certain extent this image is true. There are plenty of hacker
communities that discuss different techniques for hacking (a quick Google search of hacking
reveals a plethora of hacker-friendly sites) and conduct larger group activities, such as
‘PWN2OWN’.1 In its most benign form, hacking can be a harmless entertainment for those with
enough technical knowledge to pull it off, but of course hacking is not always so innocent.
Of the many different varieties of hacking one has recently popped into the limelight
because of its potentially devastating powers. It is called a distributed denial of service attack
(or DDoS for short) and it can incapacitate a target website. Threats of such attacks can be used
to extort companies for money or risk having their websites shut down and potentially lose
even more money. DDoS attacks work by flooding the targeted system with requests from the
1
The annual contest held at the CanSecWest security conference, which asks contestants to try to exploit certain
software and computing platforms to expose any weaknesses.
attackers, using up all of the system’s resources and making it inaccessible to legitimate traffic.
A regular denial of service attack can be carried out by a single attacking computer, but their
damage is limited by the computer’s capabilities and the ease at which the attacker’s IP
address.2 However, as hacking grew more and more sophisticated it became possible to
conduct a DoS on a larger scale. i
Hackers can ‘infect’ other computers and use them to carry out a DDoS. Computer
viruses and Trojan Horses (software that seems to provide a beneficial function, but is in fact
harmful) can be used to turn the victim computer into a zombie. A zombie computer is one that
has been compromised by a hacker and can then be given orders remotely through an Internet
Relay Chat (IRC) channel or a peer-to-peer connection, generally without the knowledge of the
computer’s owner. These zombie computers come together to form a botnet, which in turn is
used to carry out the DDoS. Botnets not only allow hackers access to even more computers,
amplifying the power of their DDoS, but it also makes it incredibly difficult to trace the attack to
a single source.
Figure 1i
As figure 1 shows, the real attacker may not even contact the victim at all, but instead carry out
the attack by means of the zombies (or daemons in the figure) that make up the botnet.ii
2
Internet Protocol Address is the numerical label assigned to any device connecting to the internet used to identify
that device and enable online applications to interact with it by giving it a virtual location (address).
DDoS attacks can be divided into two general categories: they can be application based
or network based. Application based DDoS attacks seek to tie up a system’s memory and CPU
by exploiting software vulnerabilities. An example of this kind of attack (and one of the more
common forms of DDoS attacks) is the SYN-flood. This attack exploits the ‘three-way
handshake’ of the TCP/IP3 process. In a regular TCP/IP interaction the client sends a SYN
(synchronization) message to the server, whicha in turn responds with a SYN-ACK
(synchronization acknowledged) message. At this point the client responds with an ACK to
confirm the connection. However in a SYN-flood this part of the ‘handshake’ is omitted causing
the server to use up its memory holding up its side of the connection. iii
Network based DDoS attacks focus on consuming as much bandwidth (the measure of
how much information is being communicated between a device and the internet in bits per
second) as possible, therefore inhibiting the targeted system from being able to accept
anymore incoming information. These are slightly harder to pull off because they require very
large botnets or complex amplification processes to flood the targeted server with requests.
Large botnets are very rare to come by so more frequently network attacks are carried out by
means of amplification. One such amplification process is called a Smurf attack. To perform a
Smurf attack the attacker sends a spoofed broadcast ping4 (meaning the ping is sent from the
address of the targeted computer) from the targeted computer to a network of computers
causing them all to respond to the targeted computer for each single ping sent.iii
DDoS attacks have been carried out against many websites such as gambling websites
right before major sporting events in order to extort money from them, but no DDoS has gained
3
Transmission Control Protocol/Internet Protocol – The TCP sets up the connection of data transfer between host
and receiver while the IP is responsible for actually delivering the data to the desired address.
4
A ‘ping’ is a tool used by network administrators to measure the round-trip time for a message between host and
destination.
more public attention than the one perpetrated against MasterCard and Visa by the group of
‘hacktavists’ known as Anonymous.i This attack threw DDoS attacks into spotlights when it
shown how not even huge corporations were safe. (Of course, the concern with DDoS attacks is
not just one of financial loss as the same technique can be used by oppressive governments to
silence any voice of opposition or used to undermine the security systems of a government that
rely on the internet.) It is clear that this kind of activity cannot be tolerated, but, while it is
possible to fend off an attack once it has started, it is an entirely different matter to identify the
source of an attack.
On the matter of whether or not the source of a DDoS attack can be traced there is a
sharp divide in opinion between experts. While everyone seems to be in agreement that you
can theoretically identify the source, the difficulty of this action is so great that it renders it
practically impossible. In order to identify the source a victim needs the help of its Internet
Service Provider (ISP) to trace the IP address of all the direct attackers. Once all the zombie
computers of the botnet are identified the ISP then has to dismantle the botnet command
structure. This is done by checking the IRC channels that establish connections between the
zombies and the master. Once the IP address of the master computer is discovered the ISP can
put a face to the attacker.iv
Supporters of the idea that it is possible to trace the source of DDoS attacks point to the
arrests that followed Anonymous’s attack on MasterCard and Visa.v These arrests were due to
the particular program used by these hackers to execute the DDoS. They used the stress-test
program ‘Low Orbit Ion Cannon’ (LOIC), which bombards a target with requests (TCP, HTTP, or
otherwise). The program can easily be linked up to a botnet via an IRC and therefore execute a
DDoS attack. However, the program sends the IP address of the attacking computer with the
packets of information it sends in the requests. From there it is just a simple matter of
contacting the ISP to track the IP address to the actual person.vi
This argument, however, is not all that strong. To suggest that this is method of tracing
can be applied to the wider world of DDoS attacks is very narrow sighted as hackers use a
variety of tools that they have at their disposal. Furthermore, the paper in which the idea of
tracking the hackers based on LOIC even admits that the problem of the program transmitting
the attackers IP address could be easily circumnavigated by a veteran hacker. All the hacker
would need to do is spoof an IP address. This is a simple matter of replacing the IP header (the
numerical beginning of the IP address which identifies the location of the sending device) so
that the response that comes from any interaction online is sent to the spoofed address instead
of the hacker’s address. What happened in Anonymous’s case was the arrest of most likely
novice hackers attracted by the popular movement who failed to spoof their IP addresses.
Those who believe that DDoS attack can be traced also cite our increasing ability to
perform IP trace-backs (the ability to follow spoofed IP addresses to their source). There are
several methods of IP trace-backs currently being used and more are being developed
constantly as algorithms are improved. For example, a common form of IP trace-back used to
be the Center Track approach. This entailed the victim set up an overlay network during an
attack by creating special tracking routers. During an attack the victim would connect all the
‘edge’ routers (the routers from which the attacking information is coming from) to this central
overlay network allowing the victim to more easily hop from one router to another (hop-by-hop
tracking) as it searches for the source.
This system works, but has its limitations since it must be enacted during the attack,
when the focus of the victim would most likely be on mitigating damage, and requires precise
coordination on the part of the victim as one mistake in the overlay network could render the
whole process useless. However, since then improvements have been made by capitalizing on
the stored information of the ‘edge’ routers. These routers store the source and destination of
their traffic. Using this info you can figure out the ingress adjacency of the attack (basically map
out the flow of information from router to router).i
Skeptics, on the other hand, see the difficulty in tracing as an impossible hurdle to
overcome. While the optimists see the advances in tracking technology, skeptics see the
advances in a hacker’s ability to remain anonymous. First off there is the botnet, the
quintessential tool for committing a DDoS attack, but also a hacker’s first line of defense.
Botnets make it difficult to do an IP trace back because you have to sift through many innocent
computers before you can reach the source of the commands. More modern botnets make use
of multiple layers so that even once you find a computer that is issuing commands it is probably
just another bot in the net receiving its orders from yet another source.iii
Apart from this, hackers can also access darknets to obscure their identity further.
Darknets are comprised of all the unused IP addresses of an ISP making it virtually impossible to
link an IP address to an actual person even if you pinpoint the source of the attack. iv
Nevertheless, darknets are not impregnable shrouds and complex botnet structures can be
overcome. By their own nature, darknets are not meant to have any information travelling
through them. Occasionally the random packet of data may find itself passing through a
darknet, but something on the scale of a botnet acquiring spoofed IP addresses is much more
noticeable to ISPs. If monitored adequately enough and ISP could catch suspicious activity and
be able to trace the intruder back to its original IP address. The complex botnet structures
require a more direct response: IP trace-back algorithms have to increase in their
comprehensiveness and efficiency. In a sense, this would trigger a cyber arms race between
hackers and security firms (a race we already see them engage in with viruses).
When weighing the arguments of both sides it is hard to pick a clear winner. It seems as
if for every bit hackers advance in their techniques security firms advance as well. That being
said, I find the skeptics’ argument to be slightly more convincing. While advanced algorithms
like the ingress adjacency method hold a lot of promise they just do not stack up to the level of
secrecy offered to hackers through IP address spoofing, especially those obtained from
darknets. While it is possible to trace back a spoofed IP to the actual person it is something that
can almost exclusively be undertaken by an ISP who has the access to all the resources (namely
complete information on their IP addresses) needed to locate the user of a spoofed IP address.
The IP trace-backs touted by the optimists can only go so far. Even if algorithms advance
to the point that they can quickly cut down an advanced botnet structure and locate the
source, the spoofed IP addresses of the hacker will still give them trouble without a coordinated
effort with their ISP. Realistically, the level of coordination required to pull off an intricate IP
trace-back and call in the resources of the ISP (or multiple in cases where the hackers actually
come from outside the target’s ISP’s domain) is so high that the chances of it happening fall
dramatically.
The major downside to the skeptics’ argument, however, is the rate at which the
hacker’s tools have evolved versus security firms’ development of trackers. IP spoofing is an old
technique and has remained relatively unchanged since it is a very basic function. IP backtracing is a much more dynamic field and shows the most potential for improvement. It is very
possible that someone could create a new IP back-trace system that can effectively and
efficiently trace a spoofed IP address. The problem is that right now the only reliable method is
the hop-by-hop method and it has many limitations (due to its time constraints and intricacy
discussed earlier). The skeptics’ argument also fails to address what happens when smaller
botnets, smaller groups, or individuals undertake DDoS. Under these circumstances it becomes
significantly easier to trace the source.iii The ‘untraceability’ of hackers, therefore, depends on
the size of their botnets and/or hacker groups. However, it is these large scale attacks that are
more worrisome and have not decreased to the extent smaller attacks have.
The problem with this whole controversy is not with the science on either side, but
rather it lies in the fact that it is an argument over practicality versus possibility. While tracking
down hackers may sound appealing to those who wish to make the internet a safer place, what
this argument shows is that it may be a more efficient use of their time to work on building
defenses against such attacks rather than waste energy trying to find a needle in a haystack.
That is not to say the quest to bring cyber criminals to justice should be given up completely;
priorities just need to be set straight. Perhaps the burden falls to ISP to invest in the
development of new internet protocols that do not have the exploits of IP addresses and the
TCP/IP that hackers so readily exploit. Then again, hackers can be quite creative and might be
able to find a way to exploit the new system.
i
http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group2/; “Denial of Service and Countermeasures”;
Alexander Murphy, Audrey Pender, Louise Reilly and Siobhan Connel
ii
http://en.wikipedia.org/wiki/DDoS#Distributed_attack
iii
http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_DDoS_Attacks_Human_Rights_and_Media.p
df ; “Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites”; Ethan Zuckerman,
Hal Roberts, Ryan McGrady, Jillian York, John Palfrey; The Berkman Center for Internet & Society at Harvard
University; December 2010
iv
http://www.darkreading.com/security/perimeter-security/208804763/how-to-trace-a-ddos-attack.html ; “How
to Trace a DDoS Attack” ; Kelly Jackson Higgins ; Oct 03rd 2007
v
http://www.bbc.co.uk/news/technology-12299137 ; “Five arrested over ‘Anonymous’ web attacks” ; BBC News ;
January 27th 2011
vi
http://eprints.eemcs.utwente.nl/19151/01/2010-12-CTIT-TR.pdf ; “Attacks by ‘Anonymous’ Wikileaks
Proponents not Anonymous” ; Aiko Pras, Anna Sperotto, Giovane C. M. Moura, Idilio Drago, Rafael Barbosa, Ramin
Sadre, Ricardo Schmidt and Rick Hofstede ; University of Twente, Enshede, The Netherlands ; December 10 th 2010