Jayant Gandhi
Distributed Denial of Service Attacks
the Anonymous Scourge
The internet has quickly become the defining tool of the twenty first century, revolutionizing the way people communicate and do business together. There are virtually no businesses or organizations that have not invested in online resources, such as website construction. As investment in these websites increases it becomes more and more important to be able to ensure their security in this new environment. In our enthusiastic love for all the benefits the internet has conferred unto us it is easy to forget just how dangerous a place it can be.
Enter the hacker. For a long time the popular image of a hacker has been the teenage computer geek who entertained his or herself by ‘playing’ with the information posted by other people on the internet. To a certain extent this image is true. There are plenty of hacker communities that discuss different techniques for hacking (a quick Google search of hacking reveals a plethora of hacker-friendly sites) and conduct larger group activities, such as ‘PWN2OWN’.[1] In its most benign form, hacking can be a harmless entertainment for those with enough technical knowledge to pull it off, but of course hacking is not always so innocent.
Of the many different varieties of hacking one has recently popped into the limelight because of its potentially devastating powers. It is called a distributed denial of service attack (or DDoS for short) and it can incapacitate a target website. Threats of such attacks can be used to extort companies for money or risk having their websites shut down and potentially lose even more money. DDoS attacks work by flooding the targeted system with requests from the attackers, using up all of the system’s resources and making it inaccessible to legitimate traffic. A regular denial of service attack can be carried out by a single attacking computer, but their damage is limited by the computer’s capabilities and the ease at which the attacker’s IP address.[2] However, as hacking grew more and more sophisticated it became possible to conduct a DoS on a larger scale. [i]
Hackers can ‘infect’ other computers and use them to carry out a DDoS. Computer viruses and Trojan Horses (software that seems to provide a beneficial function, but is in fact harmful) can be used to turn the victim computer into a zombie. A zombie computer is one that has been compromised by a hacker and can then be given orders remotely through an Internet Relay Chat (IRC) channel or a peer-to-peer connection, generally without the knowledge of the computer’s owner. These zombie computers come together to form a botnet, which in turn is used to carry out the DDoS. Botnets not only allow hackers access to even more computers, amplifying the power of their DDoS, but it also makes it incredibly difficult to trace the attack to a single source.
Figure 1i
As figure 1 shows, the real attacker may not even contact the victim at all, but instead carry out the attack by means of the zombies (or daemons in the figure) that make up the botnet.[ii]
DDoS attacks can be divided into two general categories: they can be application based or network based. Application based DDoS attacks seek to tie up a system’s memory and CPU by exploiting software vulnerabilities. An example of this kind of attack (and one of the more common forms of DDoS attacks) is the SYN-flood. This attack exploits the ‘three-way handshake’ of the TCP/IP[3] process. In a regular TCP/IP interaction the client sends a SYN (synchronization) message to the server, whicha in turn responds with a SYN-ACK (synchronization acknowledged) message. At this point the client responds with an ACK to confirm the connection. However in a SYN-flood this part of the ‘handshake’ is omitted causing the server to use up its memory holding up its side of the connection. [iii]
Network based DDoS attacks focus on consuming as much bandwidth (the measure of how much information is being communicated between a device and the internet in bits per second) as possible, therefore inhibiting the targeted system from being able to accept anymore incoming information. These are slightly harder to pull off because they require very large botnets or complex amplification processes to flood the targeted server with requests. Large botnets are very rare to come by so more frequently network attacks are carried out by means of amplification. One such amplification process is called a Smurf attack. To perform a Smurf attack the attacker sends a spoofed broadcast ping[4] (meaning the ping is sent from the address of the targeted computer) from the targeted computer to a network of computers causing them all to respond to the targeted computer for each single ping sent.iii
DDoS attacks have been carried out against many websites such as gambling websites right before major sporting events in order to extort money from them, but no DDoS has gained more public attention than the one perpetrated against MasterCard and Visa by the group of ‘hacktavists’ known as Anonymous.i This attack threw DDoS attacks into spotlights when it shown how not even huge corporations were safe. (Of course, the concern with DDoS attacks is not just one of financial loss as the same technique can be used by oppressive governments to silence any voice of opposition or used to undermine the security systems of a government that rely on the internet.) It is clear that this kind of activity cannot be tolerated, but, while it is possible to fend off an attack once it has started, it is an entirely different matter to identify the source of an attack.
On the matter of whether or not the source of a DDoS attack can be traced there is a sharp divide in opinion between experts. While everyone seems to be in agreement that you can theoretically identify the source, the difficulty of this action is so great that it renders it practically impossible. In order to identify the source a victim needs the help of its Internet Service Provider (ISP) to trace the IP address of all the direct attackers. Once all the zombie computers of the botnet are identified the ISP then has to dismantle the botnet command structure. This is done by checking the IRC channels that establish connections between the zombies and the master. Once the IP address of the master computer is discovered the ISP can put a face to the attacker.[iv]
Supporters of the idea that it is possible to trace the source of DDoS attacks point to the arrests that followed Anonymous’s attack on MasterCard and Visa.[v] These arrests were due to the particular program used by these hackers to execute the DDoS. They used the stress-test program ‘Low Orbit Ion Cannon’ (LOIC), which bombards a target with requests (TCP, HTTP, or otherwise). The program can easily be linked up to a botnet via an IRC and therefore execute a DDoS attack. However, the program sends the IP address of the attacking computer with the packets of information it sends in the requests. From there it is just a simple matter of contacting the ISP to track the IP address to the actual person.[vi]
This argument, however, is not all that strong. To suggest that this is method of tracing can be applied to the wider world of DDoS attacks is very narrow sighted as hackers use a variety of tools that they have at their disposal. Furthermore, the paper in which the idea of tracking the hackers based on LOIC even admits that the problem of the program transmitting the attackers IP address could be easily circumnavigated by a veteran hacker. All the hacker would need to do is spoof an IP address. This is a simple matter of replacing the IP header (the numerical beginning of the IP address which identifies the location of the sending device) so that the response that comes from any interaction online is sent to the spoofed address instead of the hacker’s address. What happened in Anonymous’s case was the arrest of most likely novice hackers attracted by the popular movement who failed to spoof their IP addresses.
Those who believe that DDoS attack can be traced also cite our increasing ability to perform IP trace-backs (the ability to follow spoofed IP addresses to their source). There are several methods of IP trace-backs currently being used and more are being developed constantly as algorithms are improved. For example, a common form of IP trace-back used to be the Center Track approach. This entailed the victim set up an overlay network during an attack by creating special tracking routers. During an attack the victim would connect all the ‘edge’ routers (the routers from which the attacking information is coming from) to this central overlay network allowing the victim to more easily hop from one router to another (hop-by-hop tracking) as it searches for the source.
This system works, but has its limitations since it must be enacted during the attack, when the focus of the victim would most likely be on mitigating damage, and requires precise coordination on the part of the victim as one mistake in the overlay network could render the whole process useless. However, since then improvements have been made by capitalizing on the stored information of the ‘edge’ routers. These routers store the source and destination of their traffic. Using this info you can figure out the ingress adjacency of the attack (basically map out the flow of information from router to router).i
Skeptics, on the other hand, see the difficulty in tracing as an impossible hurdle to overcome. While the optimists see the advances in tracking technology, skeptics see the advances in a hacker’s ability to remain anonymous. First off there is the botnet, the quintessential tool for committing a DDoS attack, but also a hacker’s first line of defense. Botnets make it difficult to do an IP trace back because you have to sift through many innocent computers before you can reach the source of the commands. More modern botnets make use of multiple layers so that even once you find a computer that is issuing commands it is probably just another bot in the net receiving its orders from yet another source.iii
Apart from this, hackers can also access darknets to obscure their identity further. Darknets are comprised of all the unused IP addresses of an ISP making it virtually impossible to link an IP address to an actual person even if you pinpoint the source of the attack.iv Nevertheless, darknets are not impregnable shrouds and complex botnet structures can be overcome. By their own nature, darknets are not meant to have any information travelling through them. Occasionally the random packet of data may find itself passing through a darknet, but something on the scale of a botnet acquiring spoofed IP addresses is much more noticeable to ISPs. If monitored adequately enough and ISP could catch suspicious activity and be able to trace the intruder back to its original IP address. The complex botnet structures require a more direct response: IP trace-back algorithms have to increase in their comprehensiveness and efficiency. In a sense, this would trigger a cyber arms race between hackers and security firms (a race we already see them engage in with viruses).
When weighing the arguments of both sides it is hard to pick a clear winner. It seems as if for every bit hackers advance in their techniques security firms advance as well. That being said, I find the skeptics’ argument to be slightly more convincing. While advanced algorithms like the ingress adjacency method hold a lot of promise they just do not stack up to the level of secrecy offered to hackers through IP address spoofing, especially those obtained from darknets. While it is possible to trace back a spoofed IP to the actual person it is something that can almost exclusively be undertaken by an ISP who has the access to all the resources (namely complete information on their IP addresses) needed to locate the user of a spoofed IP address.
The IP trace-backs touted by the optimists can only go so far. Even if algorithms advance to the point that they can quickly cut down an advanced botnet structure and locate the source, the spoofed IP addresses of the hacker will still give them trouble without a coordinated effort with their ISP. Realistically, the level of coordination required to pull off an intricate IP trace-back and call in the resources of the ISP (or multiple in cases where the hackers actually come from outside the target’s ISP’s domain) is so high that the chances of it happening fall dramatically.
The major downside to the skeptics’ argument, however, is the rate at which the hacker’s tools have evolved versus security firms’ development of trackers. IP spoofing is an old technique and has remained relatively unchanged since it is a very basic function. IP back-tracing is a much more dynamic field and shows the most potential for improvement. It is very possible that someone could create a new IP back-trace system that can effectively and efficiently trace a spoofed IP address. The problem is that right now the only reliable method is the hop-by-hop method and it has many limitations (due to its time constraints and intricacy discussed earlier). The skeptics’ argument also fails to address what happens when smaller botnets, smaller groups, or individuals undertake DDoS. Under these circumstances it becomes significantly easier to trace the source.iii The ‘untraceability’ of hackers, therefore, depends on the size of their botnets and/or hacker groups. However, it is these large scale attacks that are more worrisome and have not decreased to the extent smaller attacks have.
The problem with this whole controversy is not with the science on either side, but rather it lies in the fact that it is an argument over practicality versus possibility. While tracking down hackers may sound appealing to those who wish to make the internet a safer place, what this argument shows is that it may be a more efficient use of their time to work on building defenses against such attacks rather than waste energy trying to find a needle in a haystack. That is not to say the quest to bring cyber criminals to justice should be given up completely; priorities just need to be set straight. Perhaps the burden falls to ISP to invest in the development of new internet protocols that do not have the exploits of IP addresses and the TCP/IP that hackers so readily exploit. Then again, hackers can be quite creative and might be able to find a way to exploit the new system.