An introduction to how amplified reflected DDoS-attack works.

Author: nat0.net

Uploaded: 2016-05-06

Views: 8914

Description: Follow our channel at http://vid.io/xomJ
Visit our web page at http://vid.io/xomQ

This video explains how an amplified reflected DDoS attack works. DDoS is one of the most common hacking attacks today. A stresser controls a botnet which sends spoofed UDP packets to reflectors, which in turn send the responses to the victim.

One of the most common types of DDoS attacks is the UDP-based amplified reflection attack. I will now explain how this attack works and what makes it so hard to protect against.

The most targeted systems are web servers. Any system attached to the internet can be the victim of a DDoS attack, and this attack works just as well on all types of systems. But for this video, let's assume that the victim is a web server.

This system is connected to the internet via a local internet connection with a bandwidth of, let's say, 200 Megabits per second (Mbps). There is a firewall filtering and inspecting all traffic between the web server and the internet. It has a capacity of 500 Mbps. The internal network has a capacity of 1 Gbps, that is roughly 1000 Mbps. Finally, the web server itself can handle 100 Mbps.

This system is sized for 100 Mbps, which means that the weakest link of the chain, which is the web server, has a capacity of 100 Mbps. If there were ever a demand for more traffic, the web server could be upgraded to handle more traffic and the bottleneck would instead be the internet connection of 200 Mbps. This upgrade race could continue forever, upgrading the weakest point of the traffic flow to keep up with the demands for bandwidth and performance.

When it comes to UDP-based attacks however, the traffic flow normally stops and terminates in the firewall.

This means that the capacity of the parts behind the firewall is irrelevant and in this case the weakest link is the 200Mbps internet link.

If the link or the firewall is exhausted, it will start dropping packets. The result is retransmissions and eventually an outage of service. The web page will become slow or unresponsive.

So, if the weakest link is 200Mbps, all it takes to do a Denial of Service attack is to generate more than 200Mbps of traffic.

If Evil Bob, who intends to attack the web server, has more than 200 Mbps of bandwidth at home, he could in theory create this attack all by himself. However, generating that massive amount of traffic will most probably draw attention to him from his ISP.

Instead of generating this traffic directly to the victim web server, he generates traffic to reflectors. The reflectors are servers on the internet that have no intention of being part of any DoS attack.

To be able to do a reflective DoS-attack the attacker uses UDP which is stateless. He sends traffic to the reflector using the victim web server as source address for the traffic, which makes the reflectors believe that the traffic came from the web server, and the reflectors will send replies to the web server.

If the attacker used TCP packets which are stateful, the packet from the attacker would be a SYN-packet and the response from the reflector to the victim would be a SYN-ACK-packet which has no payload and is rather small.

By using any kind of stateless UDP packets where the query, the first packet, is small and the response, in this case sent from the reflector to the victim, is bigger, the attack is amplified. If the amplification factor was 1 to 10, the attacker could generate 20 Mbps of UDP queries to the reflectors and the responses from the reflectors to the victim would be 10 times bigger, 200 Mbps. This is called an amplified attack.

Several UDP-based protocols are used in amplification attacks today. The most common use DNS or NTP servers. In both cases, properly configured DNS and NTP servers do not answer these types of queries. But there are many improperly configured DNS and NTP servers on the internet which can be used as reflectors for these attacks.

To further strengthen these attacks, the attacker does not send the UDP packets to the reflectors himself. Instead he uses botnets for this. A botnet is a number of malware-infected computers spread over the world that the botnet controller can use for various purposes. Your or my virus-infected computer can be part of this botnet. If the infected computer does not do anything active it is called a zombie. It is often a background process running in the computer, invisible to you and me, just waiting for commands from the command and control server managing the botnet.
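
An added example, not part of the original video description: seen from the victim's firewall, the reflected traffic described above is UDP replies from DNS (port 53) or NTP (port 123) servers that answer no query the site ever sent. This Python sketch flags those replies in a constructed flow log and compares their rate with the 200 Mbps link from the description; the flow-record layout, the function names and the addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict

LINK_CAPACITY_BPS = 200_000_000            # the 200 Mbps internet link above
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}  # the two protocols named above

def analyze(flows, window_s):
    """Flag UDP replies that answer no query we sent (assumed record layout:
    direction, src_ip, src_port, dst_ip, dst_port, bytes; time-ordered)."""
    asked = set()                   # (server_ip, server_port, our_ip, our_port)
    unsolicited = defaultdict(int)  # protocol -> bytes of unmatched replies
    reflectors = defaultdict(set)   # protocol -> distinct sending servers
    for direction, src, sport, dst, dport, size in flows:
        if direction == "out" and dport in REFLECTOR_PORTS:
            asked.add((dst, dport, src, sport))
        elif direction == "in" and sport in REFLECTOR_PORTS:
            if (src, sport, dst, dport) in asked:
                continue            # genuine reply to our own query
            proto = REFLECTOR_PORTS[sport]
            unsolicited[proto] += size
            reflectors[proto].add(src)
    report = {}
    for proto, total in unsolicited.items():
        bps = total * 8 / window_s
        report[proto] = {
            "reflectors": len(reflectors[proto]),
            "bps": bps,
            "link_share": bps / LINK_CAPACITY_BPS,
            "saturating": bps >= LINK_CAPACITY_BPS,
        }
    return report

def sample_flows():
    """Constructed one-second flow log for a web server at 203.0.113.10."""
    web = "203.0.113.10"
    flows = [("out", web, 40000, "192.0.2.53", 53, 60),    # our own DNS query
             ("in", "192.0.2.53", 53, web, 40000, 180)]    # its real answer
    for i in range(100):                                   # reflected DNS
        flows.append(("in", f"198.51.100.{i + 1}", 53, web, 80, 300_000))
    for i in range(10):                                    # reflected NTP
        flows.append(("in", f"192.0.2.{i + 100}", 123, web, 123, 100_000))
    return flows

if __name__ == "__main__":
    for proto, stats in analyze(sample_flows(), window_s=1).items():
        print(proto, stats)
```

On the sample data the unmatched DNS replies alone exceed the link capacity, which is the saturation condition the description identifies: the firewall can drop every one of these packets and the link upstream of it is still full.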
