Principles of Distributed Denial of Service (DDoS) Attacks and Their Prevention
徐一丁 (Xu Yiding), Senior Engineer, 北京玛赛网络系统有限公司 (Beijing Masai Network Systems Co., Ltd.)
Abstract: Distributed denial of service (DDoS) is an attack technique that hackers use frequently and that is hard to defend against. This article introduces the technique in detail, starting from the basic concept, with emphasis on how hackers organize and launch a DDoS attack; the SYN Flood example included gives a more concrete picture of what a DDoS attack looks like. Finally the author draws on his own experience and on the current state of network security in China to discuss some practical means of defending against DDoS.
The DDoS attack concept
There are many kinds of DoS attack. The most basic DoS attack uses reasonable-looking service requests to occupy an excessive share of a service's resources, so that legitimate users cannot get a response from it.
DDoS is a class of attack that grew out of traditional DoS. A single DoS attack is generally one-to-one, and it works well when the target has a slow CPU, little memory, little bandwidth or otherwise weak performance figures. As computing and networking have advanced, processing power has grown rapidly, memory has increased greatly, and gigabit networks have appeared, all of which make DoS harder: the target's "capacity to absorb" malicious packets has grown considerably. For example, if your attack tool can send 3,000 attack packets per second but my host and network bandwidth can handle 10,000 per second, the attack has no noticeable effect.
This is where distributed denial of service (DDoS) comes in. Once you understand DoS, the principle is simple. If hosts and networks have become ten times more capable and a single attacking machine no longer works, what if the attacker uses ten machines at once? Or a hundred? DDoS uses more puppet machines to attack the victim on a far larger scale than before.
High-speed, widely connected networks are convenient for everyone, and they also create very favourable conditions for DDoS. In the era of slow networks, a hacker taking over machines to attack from would prefer those close to the target network, because fewer router hops gave better results. Now that the links between carrier backbone nodes are gigabit-class, and links between large cities reach 2.5G, an attack can be launched from much farther away or from other cities; the attacker's puppet machines can be spread over a much wider area, and there is more freedom in choosing them.
Symptoms of a DDoS attack
- A large number of pending TCP connections on the attacked host
- The network is flooded with useless packets whose source addresses are forged
- High volumes of useless traffic cause congestion, so the victim host cannot communicate normally with the outside world
- Flaws in the services or transport protocols the victim offers are exploited by sending specific requests repeatedly and at high speed, so the victim cannot process all legitimate requests in time
- In severe cases the system crashes
How the attack works
As Figure 1 shows, a fully developed DDoS attack system has four parts. Consider first the two most important parts, 2 and 3, which are used respectively for control and for actually launching the attack. Note the difference between control machines and attack machines: from the point of view of the victim (part 4), the actual attack packets come from the attack puppets in part 3, while the control machines in part 2 only issue commands and take no part in the attack itself. The hacker has full or partial control of the computers in parts 2 and 3 and uploads the corresponding DDoS programs to them; these programs run like any other program, wait for the hacker's instructions, and usually hide themselves by various means so that nobody notices them. Normally these puppet machines show nothing unusual; only when the hacker connects to them, takes control and issues commands do the attack puppets turn into attackers.
Some readers may ask: "Why doesn't the hacker control the attack puppets directly, instead of going through the control puppets?" This is one reason DDoS attacks are hard to trace. From the attacker's point of view, he certainly does not want to be caught (when I threw stones at the neighbours' chicken coop as a child I also knew to run away at once, heh), and the more puppet machines he uses, the more evidence he actually hands the victim to analyse. After taking over a machine, a skilled attacker first does two things: 1. arrange a good back door (I'll be back!); 2. clean the logs. That means wiping his footprints so that nobody notices what he did. A less conscientious hacker deletes all the logs regardless, but then the administrator, finding the logs gone, knows that someone has been up to no good, even if he can no longer tell from the logs who it was. A real expert instead picks out and deletes only the log entries that concern himself, so that nothing looks abnormal; that way the puppet can be used for a long time.
But cleaning the logs on the attack puppets in part 3 is a huge job; even with good log-cleaning tools it gives the hacker a headache. So some attack machines are not cleaned thoroughly, and clues on them lead to the computer one level up that controls them. If that upper-level computer is the hacker's own machine, he is exposed; but if it is a control puppet, the hacker himself is still safe. Control puppets are relatively few, since one of them can typically control dozens of attack machines, and cleaning the logs on a single computer is much easier for the hacker, so the chance of tracing from a control machine to the hacker is greatly reduced.
How does a hacker organize a DDoS attack?
The word "organize" is used here because DDoS is not as simple as breaking into a single host. In general, a hacker carrying out a DDoS attack goes through the following steps:
1. Gather information about the target. The hacker is keenly interested in the following intelligence:
- The number and addresses of the target hosts
- The configuration and performance of the target hosts
- The target's bandwidth
For a DDoS attacker, one key point in attacking a site on the Internet such as http://www.mytarget.com is determining how many hosts actually support it; a large site may have many hosts serving the same website through load balancing. Take Yahoo as an example: the following addresses would typically all be serving http://www.yahoo.com: 66.218.71.87 66.218.71.88 66.218.71.89 66.218.71.80 66.218.71.81 66.218.71.83 66.218.71.84 66.218.71.86
So which address should a DDoS attack target? Knocking out 66.218.71.87 alone still leaves the other hosts serving the web, so to make http://www.yahoo.com unreachable, the machines behind all of these IP addresses have to go down. In practice a single IP address often stands for several machines: the site operator uses a layer-4 or layer-7 switch for load balancing, distributing requests to one IP address across the hosts behind it according to some algorithm. This makes things more complicated for the DDoS attacker, whose task may be to disrupt service on dozens of hosts.
So advance reconnaissance matters a great deal to a DDoS attacker, because it determines how many puppet machines are needed to have an effect. Simply put, under equal conditions, if attacking two hosts of a site takes two puppets, attacking five hosts may take more than five. Some say the more puppets the better: however many hosts you have, I will just throw as many puppets as I can at them, since exceeding the required number only improves the effect.
In practice, however, many hackers skip the reconnaissance and launch the DDoS attack directly; the attack is then largely blind and its effect a matter of luck. Being a hacker is like being an administrator: there is no room for laziness. Attitude matters most to how well a job is done; skill comes second.
2. Take over puppet machines. The hacker is most interested in hosts that:
- have good link quality
- have good performance
- have poor security management
This part actually uses another major class of attack: exploitation attacks, which stand alongside DDoS as a category of their own. Simply put, it means taking over and controlling the attacked host and obtaining the highest administrative privileges, or at least an account with enough privilege to carry out the DDoS task. For a DDoS attacker, having a certain number of puppets ready is a prerequisite; here is how he attacks and takes them over.
First, the hacker usually scans, using a scanner randomly or selectively to find vulnerable machines on the Internet: program overflow vulnerabilities, CGI, Unicode, FTP and database vulnerabilities (too many to list) are all results the hacker hopes to see. Then comes the intrusion attempt; the specific methods are not covered here, and there are many articles online for those interested.
In short, the hacker now has a puppet. What does he do next? Apart from the basic work of leaving a back door and wiping footprints mentioned above, he uploads the program used for the DDoS attack, usually by FTP. On an attack machine this is a DDoS packet-sending program, which the hacker uses to send malicious attack packets at the victim.
3. The actual attack. After the careful preparation of the previous two stages, the hacker takes aim at the target and gets ready to fire. If the preparation was done well, the attack itself is comparatively simple. As in the figure, the hacker logs in to the puppet acting as console and commands all the attack machines: "Ready, aim, fire!" The DDoS programs lurking on the attack machines respond to the console's command and together send a huge volume of packets at the victim host at high speed, crashing it or leaving it unable to answer legitimate requests. Hackers usually attack at a rate far beyond what the victim can handle; they show no mercy.
Seasoned attackers also monitor the effect of the attack by various means while it is under way and make adjustments as needed. The simplest way is to keep a window open that pings the target host continuously; as long as replies still come back, they add more traffic or order more puppets into the attack.
A DDoS example: the SYN Flood attack
SYN Flood is currently the most popular DDoS technique. As the earlier DoS techniques evolved towards the distributed stage they went through a process of winnowing, and SYN Flood's superior effectiveness is presumably the reason hackers have converged on it. Let us look at SYN Flood in detail.
SYN Flood principle: the three-way handshake. SYN Flood exploits an inherent weakness of the TCP/IP protocol: the connection-oriented TCP three-way handshake is the basis on which SYN Flood exists.
Figure 2: The TCP three-way handshake
As Figure 2 shows, in the first step the client sends a connection request to the server with the TCP SYN flag set. The client is telling the server that the sequence-number field is valid and must be checked; it places its own ISN in the sequence-number field of the TCP header. On receiving that segment, the server replies in the second step with its own ISN (SYN flag set) and at the same time acknowledges the client's first segment (ACK flag set). In the third step the client acknowledges receipt of the server's ISN (ACK flag set). At this point a complete TCP connection has been established and full-duplex data transfer begins.
Figure 3: A SYN Flood attacker deliberately leaves the three-way handshake incomplete
Suppose a user sends a SYN segment to a server and then crashes or disconnects. The server, having sent its SYN+ACK reply, can never receive the client's ACK (the third step cannot complete). In this case the server usually retries (sends SYN+ACK to the client again) and, after waiting for some time, discards the incomplete connection. The length of this wait is called the SYN Timeout, and it is generally on the order of a minute (about 30 seconds to 2 minutes). One abnormal user causing a server thread to wait for a minute is no great problem, but if a malicious attacker simulates this situation on a large scale, the server consumes a great deal of resources maintaining an enormous list of half-open connections: with tens of thousands of half-open connections, even simply storing and traversing the list costs a lot of CPU time and memory, not to mention the continual SYN+ACK retransmissions to the IPs on that list. If the server's TCP/IP stack is not robust enough, the end result is often that the stack overflows and the system crashes; even if the server's system is robust enough, it is so busy handling the attacker's forged connection requests that it has no time for clients' legitimate requests (which are, after all, a tiny fraction of the total). From a legitimate client's point of view the server has stopped responding. This is what we call a SYN Flood attack against the server.
Below is the actual course of a SYN Flood attack that I simulated in the lab.
This was a LAN environment with only one attack machine (PIII667/128/Mandrake); the target was a Solaris 8.0 (SPARC) host, and the network equipment was a Cisco 100 Mbit switch. The following is the snoop record taken on the Solaris host before the attack started; snoop, like tcpdump and other network sniffers, is a good tool for capturing and analysing packets. You can see that before the attack, the target host was receiving essentially ordinary network packets. …
…
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
192.168.0.66 -> 192.168.0.255 NBT Datagram Service Type=17 Source=GU[0]
192.168.0.210 -> 192.168.0.255 NBT Datagram Service Type=17 Source=ROOTDC[20]
192.168.0.247 -> 192.168.0.255 NBT Datagram Service Type=17 Source=TSC[0]
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
192.168.0.200 -> (broadcast) ARP C Who is 192.168.0.102, 192.168.0.102 ?
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
192.168.0.66 -> 192.168.0.255 NBT Datagram Service Type=17 Source=GU[0]
192.168.0.66 -> 192.168.0.255 NBT Datagram Service Type=17 Source=GU[0]
192.168.0.210 -> 192.168.0.255 NBT Datagram Service Type=17 Source=ROOTDC[20]
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
? -> (broadcast) ETHER Type=886F (Unknown), size = 1510 bytes
…
Then the attack machine began sending packets and the DDoS attack was under way. Suddenly the snoop window on the Sun host started scrolling at high speed, showing a huge number of SYN requests arriving; the screen looked like the window of a train travelling at 300 km/h. This is the snoop output during the SYN Flood attack: …
…
127.0.0.178 -> lab183.lab.net AUTH C port=1352
127.0.0.178 -> lab183.lab.net TCP D=114 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=115 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net UUCP-PATH C port=1352
127.0.0.178 -> lab183.lab.net TCP D=118 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net NNTP C port=1352
127.0.0.178 -> lab183.lab.net TCP D=121 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=122 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=124 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=125 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=126 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=128 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=130 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=131 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=133 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=135 S=1352 Syn Seq=674711609 Len=0 Win=65535
…
Now the content was completely different: the normal packets seen earlier no longer got through, and only DDoS packets remained. Note that the source addresses of all these SYN Flood packets are forged, which makes tracing very difficult. How many SYN half-open connections had accumulated on the attacked host by this point? Let us check with netstat:
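The three signs visible in the capture above (a source address that cannot legitimately appear on the wire, the same ISN in every SYN, and one source walking through destination ports) can be checked mechanically. The following Python script is an added example, not part of the original article or its lab: it parses lines in the snoop format shown above (the sample lines are constructed in that style) and reports whether a capture looks like a SYN flood. The thresholds are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the style of the snoop output above (not the article's
# own capture): one ordinary LAN packet, one legitimate SYN, then SYNs from a
# forged loopback source sweeping destination ports with a fixed ISN.
SAMPLE_SNOOP = """\
192.168.0.66 -> 192.168.0.255 NBT Datagram Service Type=17 Source=GU[0]
10.0.0.5 -> lab183.lab.net TCP D=80 S=40122 Syn Seq=1183728340 Len=0 Win=64240
127.0.0.178 -> lab183.lab.net TCP D=114 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=115 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=118 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=121 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=122 S=1352 Syn Seq=674711609 Len=0 Win=65535
127.0.0.178 -> lab183.lab.net TCP D=124 S=1352 Syn Seq=674711609 Len=0 Win=65535
"""

# Constructed benign sample: ordinary clients, each with its own ISN.
SAMPLE_NORMAL = """\
10.0.0.5 -> lab183.lab.net TCP D=80 S=40122 Syn Seq=1183728340 Len=0 Win=64240
10.0.0.5 -> lab183.lab.net TCP D=80 S=40122 Ack=2230891 Seq=1183728341 Len=0 Win=64240
10.0.0.9 -> lab183.lab.net TCP D=22 S=51000 Syn Seq=99817221 Len=0 Win=64240
10.0.0.12 -> lab183.lab.net TCP D=80 S=33412 Syn Seq=771002913 Len=0 Win=64240
10.0.0.12 -> lab183.lab.net TCP D=443 S=33413 Syn Seq=771102914 Len=0 Win=64240
10.0.0.30 -> lab183.lab.net TCP D=80 S=45002 Syn Seq=5521900 Len=0 Win=64240
"""

TCP_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) TCP D=(?P<dport>\d+) S=(?P<sport>\d+) "
    r"(?P<flags>.*?) ?Seq=(?P<seq>\d+)"
)

def parse_syns(text):
    """Return one dict per segment that is a pure SYN (handshake step 1)."""
    syns = []
    for line in text.splitlines():
        m = TCP_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags").split()
        if "Syn" not in flags or any(f.startswith("Ack") for f in flags):
            continue
        syns.append({"src": m.group("src"), "dport": int(m.group("dport")),
                     "sport": int(m.group("sport")), "seq": int(m.group("seq"))})
    return syns

def is_bogon(addr):
    """True for source ranges that can never legitimately reach a server."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # snoop printed a resolved name; cannot judge it here
    return (ip.is_loopback or ip.is_multicast or ip.is_unspecified
            or ip.is_link_local or ip.is_reserved)

def assess(text, min_syns=5, seq_reuse_threshold=0.5, sweep_ports=5):
    """Score a capture; thresholds are assumptions for this illustration."""
    syns = parse_syns(text)
    result = {"syn_count": len(syns), "indicators": [], "bogon_sources": 0}
    if len(syns) < min_syns:
        result["verdict"] = "too few SYNs to judge"
        return result
    # 1. the same ISN in most SYNs: a real stack picks a fresh ISN per connection
    top_seq, n = Counter(s["seq"] for s in syns).most_common(1)[0]
    if n / len(syns) >= seq_reuse_threshold:
        result["indicators"].append(f"{n} of {len(syns)} SYNs reuse ISN {top_seq}")
    # 2. forged sources from ranges that should never appear on the wire
    result["bogon_sources"] = sum(1 for s in syns if is_bogon(s["src"]))
    if result["bogon_sources"]:
        result["indicators"].append(f"{result['bogon_sources']} SYNs from bogon sources")
    # 3. one (source, source port) pair opening SYNs to many destination ports
    ports = defaultdict(set)
    for s in syns:
        ports[(s["src"], s["sport"])].add(s["dport"])
    sweepers = [k for k, v in ports.items() if len(v) >= sweep_ports]
    if sweepers:
        result["indicators"].append(f"{len(sweepers)} source(s) sweeping >= {sweep_ports} ports")
    result["verdict"] = ("likely SYN flood" if len(result["indicators"]) >= 2
                         else "no flood indicators")
    return result

if __name__ == "__main__":
    print(assess(SAMPLE_SNOOP))
    print(assess(SAMPLE_NORMAL))
```

Two of the three indicators are enough for a verdict here because each one alone has benign explanations (a port scanner reuses ISNs and sweeps ports, and a misconfigured host can emit a bogon source); in a real deployment the checks would run over a sliding window of lines rather than a whole file.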
# netstat -an | grep SYN
…
192.168.0.183.9 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.13 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.19 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.21 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.22 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.23 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.25 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.37 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.53 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
…
Here SYN_RCVD marks the entries of the current queue of incomplete TCP SYN connections. Counting them:
# netstat -an | grep SYN | wc -l
5273
# netstat -an | grep SYN | wc -l
5154
# netstat -an | grep SYN | wc -l
5267
…
More than five thousand SYN half-open connections were being held in memory. By then the attacked machine could no longer respond to new service requests, the system ran very slowly, and it could not even be pinged.
This was the situation only about 70 seconds after the attack began.
Defending against DDoS
So far, defending against DDoS attacks is still rather difficult. First, the attack exploits weaknesses of the TCP/IP protocol, so unless you stop using TCP/IP altogether there is no way to resist DDoS completely. A senior security expert offered a vivid analogy: DDoS is like 1,000 people phoning your home at the same time; can your friends still get through?
Still, hard to defend against does not mean we should simply put up with it; preventing DDoS is not absolutely impossible. Internet users come in many kinds, and in the fight against DDoS different roles have different tasks. Take the following roles as examples:
- Enterprise network administrators
- ISP and ICP administrators
- Backbone network operators
Enterprise network administrators
As the manager of a corporate intranet, the administrator is usually also its security officer and guardian. Some servers on the network he maintains have to offer WWW service to the outside world and so inevitably become DDoS targets. What can he do? The question can be considered from two angles: the hosts and the network devices.
Host settings. Almost every host platform has settings for resisting DoS; in summary, the basic ones are:
- Disable unnecessary services
- Limit the number of SYN half-open connections that may be open at once
- Shorten the SYN half-open timeout
- Apply system patches promptly
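The half-open table described in the SYN Flood section fills because entries are only removed by the client's ACK, which a forged source never sends, or by the SYN timeout. The Python model below is an added example, not part of the article; it simulates that table under a flood of forged SYNs while one real client keeps connecting, so that the effect of the two host settings above (the cap on half-open connections and the SYN timeout) can be compared. Rates, durations and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class HalfOpen:
    created_ms: int   # when the SYN arrived and the SYN+ACK went out

class SynBacklog:
    """Model of a listener's half-open (SYN_RCVD) table; added illustration."""
    def __init__(self, max_half_open, syn_timeout_s):
        self.max_half_open = max_half_open       # host setting: cap on half-open entries
        self.syn_timeout_ms = syn_timeout_s * 1000  # host setting: SYN timeout
        self.table = {}          # (src_ip, src_port) -> HalfOpen
        self.dropped_syns = 0    # SYNs refused because the table was full
        self.expired = 0         # entries given up after the SYN timeout
        self.established = 0
        self.peak_half_open = 0

    def _expire(self, now_ms):
        stale = [k for k, h in self.table.items()
                 if now_ms - h.created_ms >= self.syn_timeout_ms]
        for k in stale:
            del self.table[k]
        self.expired += len(stale)

    def on_syn(self, client, now_ms):
        """Handshake step 1 arrives; step 2 (SYN+ACK) is sent only if there is room."""
        self._expire(now_ms)
        if client in self.table:
            return True
        if len(self.table) >= self.max_half_open:
            self.dropped_syns += 1   # real and forged SYNs are refused alike
            return False
        self.table[client] = HalfOpen(now_ms)
        self.peak_half_open = max(self.peak_half_open, len(self.table))
        return True

    def on_ack(self, client, now_ms):
        """Handshake step 3; only a real client ever sends it."""
        self._expire(now_ms)
        if self.table.pop(client, None) is None:
            return False
        self.established += 1
        return True

def simulate(max_half_open, syn_timeout_s, flood_rate=200, duration_s=10):
    """Flood at flood_rate forged SYNs per second while one real client connects once a second."""
    backlog = SynBacklog(max_half_open, syn_timeout_s)
    step_ms = 1000 // flood_rate
    legit_attempts = legit_ok = 0
    next_legit_ms = 0
    for i in range(duration_s * flood_rate):
        now = i * step_ms
        # forged source (constructed TEST-NET-3 address): it never answers the SYN+ACK
        backlog.on_syn((f"203.0.113.{i % 256}", 1024 + i), now)
        if now >= next_legit_ms:
            legit_attempts += 1
            client = ("198.51.100.7", 40000 + legit_attempts)  # constructed real client
            if backlog.on_syn(client, now) and backlog.on_ack(client, now + 1):
                legit_ok += 1
            next_legit_ms += 1000
    return {"legit_attempts": legit_attempts, "legit_ok": legit_ok,
            "dropped_syns": backlog.dropped_syns, "expired": backlog.expired,
            "peak_half_open": backlog.peak_half_open}

if __name__ == "__main__":
    for cap, timeout in ((1024, 75), (4096, 75), (1024, 3)):
        print(f"cap={cap:5d} timeout={timeout:3d}s ->", simulate(cap, timeout))
```

With a 75-second timeout and a cap of 1024, the table is full about five seconds into a 200 SYN/s flood and every later real connection is refused along with the forged ones: the cap bounds memory, not availability. Raising the cap to 4096 keeps the real client connected but only by holding 2000 entries in memory. Shortening the timeout to three seconds holds the table at about 600 entries and lets every real connection through, which is why the two settings are used together: the timeout frees slots, the cap limits the damage when the flood rate exceeds what the timeout can free.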
Network device settings. On the enterprise network, the firewall and the router are the devices to consider. These two are the interface to the outside world; when configuring anti-DDoS settings on them, keep in mind how much performance is sacrificed in return and whether that trade-off is worth it to you.
1. Firewall
- Deny access to services on the hosts that are not meant to be public
- Limit the maximum number of simultaneously open SYN connections
- Restrict access from specific IP addresses
- Enable the firewall's anti-DDoS features
- Strictly limit outbound access from the servers that are exposed to the outside
The fifth item is mainly there to prevent your own servers from being used as tools to harm others.
2. Router (taking Cisco routers as the example)
- Cisco Express Forwarding (CEF)
- Use unicast reverse-path
- Access control list (ACL) filtering
- Set a rate limit on SYN packet traffic
- Upgrade outdated IOS versions
- Set up a log server for the router
Take particular care with the CEF and unicast reverse-path settings: used improperly they can severely degrade the router's performance, and IOS upgrades should also be approached with caution. The router is the core device of the network, so here is a small tip for making configuration changes: do not save at first. A Cisco router has two configurations, startup config and running config; changes are made to the running config, which you can let run for a while (three to five days, as you like) and save to the startup config once you are satisfied it works; if you are not satisfied and want to restore the original configuration, copy start run does it.
ISP / ICP administrators
ISPs and ICPs provide hosting services of all sizes to many small and medium-sized enterprises, so in defending against DDoS they must, beyond the measures available to an enterprise administrator, take particular care that the customer-hosted machines under their management do not become puppets. Objectively, the security of these hosted machines is generally very poor; some go into service without even basic patches and become the hackers' favourite "broilers" (肉鸡), because their security management is so poor that however the hacker uses the machine there is no risk of being discovered; not to mention that hosted machines are high-performance and high-bandwidth, practically made to order for DDoS. But the ISP administrator has no direct authority over hosted machines and can only notify the customer to deal with the problem. In practice many customers do not cooperate well with their hosting provider, so an ISP administrator may know full well that a hosted machine in his charge has become a puppet and still be unable to do anything about it. Hosting is a buyer's market, and the ISP dare not offend its customers, so what can be done? Administrators, get on good terms with your customers; there is no way around it, the customer is king. The more the customers cooperate, the safer the ISP's hosts are and the smaller the chance of complaints from others.
Backbone network operators
They provide the physical foundation on which the Internet exists. If the backbone operators cooperate well, DDoS attacks can be prevented effectively. After the attacks on Yahoo and other well-known sites in 2000, US network security research bodies proposed that backbone operators join forces against DDoS. The method is very simple: each operator verifies source IP addresses on its egress routers, and if its routing table has no route to a packet's source IP, it drops the packet. This prevents hackers from using forged source IPs for DDoS attacks. But again, doing so reduces router efficiency, which backbone operators are very concerned about, so actually adopting the practice remains difficult.
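The source-address check just described, and the "unicast reverse-path" item in the router list above, are the same idea: look up the packet's source address in the routing table and drop the packet if no route leads back to it. The Python model below is an added example, not the article's or any vendor's code; it implements that reverse-path check over a constructed routing table in both the strict form (the route to the source must point back out the interface the packet arrived on) and the loose form (any non-discard route will do), and runs a constructed set of packets through it.

```python
import ipaddress
from collections import Counter

DISCARD = "discard"  # routes to this "interface" are black holes: no valid packet has such a source

class SourceValidator:
    """Reverse-path source check on a router (added illustration).

    routes: iterable of (prefix, outgoing interface); lookup is longest-prefix match.
    """
    def __init__(self, routes):
        self.fib = sorted(((ipaddress.ip_network(p), ifc) for p, ifc in routes),
                          key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        for net, ifc in self.fib:      # longest prefix first
            if ip in net:
                return ifc
        return None

    def accept(self, src, in_iface, mode="strict"):
        via = self.lookup(src)
        if via is None or via == DISCARD:
            return False               # no route back to the source: forged or bogon
        if mode == "loose":
            return True                # any real route suffices (tolerates asymmetric paths)
        return via == in_iface         # strict: reverse path must match the arrival interface

def filter_packets(validator, packets, mode):
    """Return (accepted, dropped) lists and a per-interface drop count."""
    accepted, dropped, per_iface = [], [], Counter()
    for src, in_iface in packets:
        if validator.accept(src, in_iface, mode):
            accepted.append((src, in_iface))
        else:
            dropped.append((src, in_iface))
            per_iface[in_iface] += 1
    return accepted, dropped, per_iface

# Constructed routing table for an operator's edge router (documentation address ranges).
ROUTES = [
    ("198.51.100.0/24", "cust-a"),   # customer A's address block
    ("203.0.113.0/24", "cust-b"),    # customer B's address block
    ("0.0.0.0/0", "upstream"),       # default route towards the rest of the Internet
    ("127.0.0.0/8", DISCARD),        # loopback: never a valid source on the wire
    ("0.0.0.0/8", DISCARD),
    ("10.0.0.0/8", DISCARD),         # private space is not routed across this backbone
]

# Constructed packets: (source address, arrival interface)
PACKETS = [
    ("198.51.100.20", "cust-a"),     # customer A using its own address
    ("203.0.113.9", "cust-a"),       # customer A forging customer B's address
    ("127.0.0.178", "cust-a"),       # loopback source, as in the capture earlier
    ("192.0.2.50", "upstream"),      # outside host reached via the default route
    ("198.51.100.20", "upstream"),   # our own customer's address arriving from outside
]

if __name__ == "__main__":
    v = SourceValidator(ROUTES)
    for mode in ("strict", "loose"):
        acc, drop, per = filter_packets(v, PACKETS, mode)
        print(mode, "accepted:", acc, "dropped:", drop, "per interface:", dict(per))
```

Loose mode on a router that carries a default route only catches sources that have an explicit discard route, which is why the bogon entries are in the table; strict mode does what the article describes but drops legitimate traffic whenever the forward and reverse paths differ, which is the operational cost the backbone operators weigh against the benefit.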
Research into DDoS principles and countermeasures is ongoing, and finding a solution that is both effective and practical will not happen overnight. But at present we can at least keep our own networks and hosts well maintained: first, so that our own hosts are not used by others to attack third parties; and second, so that when we are attacked we preserve as much evidence as possible for later tracing, for which a good network and logging system is essential. Whichever direction DDoS defence develops in, it will be a collective undertaking that calls for the attention and full cooperation of colleagues across the IT industry.
References
About the author: 徐一丁 (Xu Yiding) is a senior engineer in the solution design department of 北京玛赛网络系统有限公司 (Beijing Masai Network Systems Co., Ltd.) and has worked in IT for many years. He currently focuses on evaluating domestic and foreign security products and researching hacker attacks. He has extensive experience in designing and implementing network security and has delivered series of security training courses for major telecom companies such as China Telecom, Jitong and China Unicom.
The contents of the references page follow:
Last modified: Thu Jul 4 15:06:53 PDT 2013
Distributed Denial of Service (DDoS) Attacks/tools
What's new in DDoS?
Nothing, really. (Some people are just late to the party. ;)
Anonymous threatens reflected/amplified attack on the DNS Root name servers
- Threat by Anonymous to take down the Internet by a reflected DDoS attack against the DNS root name servers, Pastebin posting, February 12, 2012
- "Could a DDoS Attack Against the Roots Succeed?", by Cricket Liu, March 13, 2012
- Mitigating DNS Denial of Service Attacks, DNS OARC
What is a distributed reflected DDoS attack?
Distributed reflected DoS attacks go back to 2001. See the sections below for information on DRDoS examples and background and fundamental problems.
- Security Experts Warn of Devastating Web Attack, ISN, March 21, 2006
- The Worrisome Threat of DNS DDoS Amplification Attacks, The Security Skeptic [This article was originally published in the ENISA Quarterly, 6 June 2006. It is no longer available from ENISA.]
Have the root servers been attacked before?
- Distributed denial of service attacks on root nameservers, Wikipedia
- Events of 21-Oct-2002, by Paul Vixie, Gerry Sneeringer, and Mark Schleifer, November 24, 2002
- Nameserver DoS Attack October 2002, CAIDA
- Global Root Server System Stands Firm Against DDoS Attack, by K-ROOT, February, 2007
- February 2007 Root Server Attacks - A Qualitative Report, by Danny McPherson, Arbor Networks Security Blog, June 9, 2007
- ICANN Fact Sheet: Root server attack on 6 February 2007, ICANN, March 1, 2007
Wikileaks attacks, counter-attacks, counter-counter-attacks...
- Cyberattack Against Wikileaks was Weak, by Kevin Poulsen, Wired Threatlevel blog, November 2010
- Operation Payback cripples MasterCard site in revenge for WikiLeaks ban, by Esther Addley and Josh Halliday, The Guardian, December 8, 2010
- Continuing pro-Wikileaks DDOS actions, Anonymous takes down PayPal.com, by Xeni Jardin, Boingboing.net, December 8, 2010
- How pro-WikiLeaks hackers wage cyberwar without hijacking your computer, by Mark Clayton, The Christian Science Monitor, December 9, 2010
- "Anonymous": How dangerous is hacker network defending WikiLeaks?, by Mark Clayton, The Christian Science Monitor, December 9, 2010
- Hackers wage global "cyberwar" in defense of WikiLeaks, by Stephen Kurczy, The Christian Science Monitor, December 9, 2010
- Wikileaks: Anonymous stops dropping DDoS bombs, starts dropping science, by Sean Bonner, BoingBoing, December 9, 2010
- WikiLeaks battle: a new amateur face of cyber war?, by Peter Apps, Reuters, December 10, 2010
- Operation Payback is Becoming a Complete Failure, by John Danz, December 10, 2010
Are the Anonymous "Operation Payback" attacks a form of "civil disobedience?" Read these carefully, then you decide.
- Retributive justice, Wikipedia
- Incitement, Wikipedia
- Civil Disobedience, Wikipedia
Some General Subjects/Themes
Distributed Reflected DNS attacks (and some background)
- Randal Vaughn and Gadi Evron released an analysis of DNS Amplification Attacks (which use distributed reflection and amplification) on March 17, 2006
- VeriSign reports a "new DDoS attack" in an article published March 17, 2006
- CERT/CC publishes a document discussing DNS recursion problems and some solutions for preventing becoming a reflector in early 2006.
- NANOG Thread "DNS deluge for x.p.ctrc.cc" from February 2006
- Distributed reflected DDoS attacks are covered on pages 19-20, 45, 51-52, and 297 in Internet Denial of Service: Attack and Defense Mechanisms, published in 2005
- Vern Paxson wrote a paper, An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, warning of these kinds of attacks in June 2001
- A DNS reflection attack on Register.com was publicly discussed in a thread on the UNISOG mailing list in January 2001. This attack, which forged requests for the MX records of AOL.com (to amplify the attack) lasted about a week before it could be traced back to all attacking hosts and shut off. It used a large list of DNS servers at least a year old (at the time of the attack.)
- The Honeynet Project Reverse Challenge, done in July 2002, involved analysis of a piece of malware that was [not?] surprisingly a DDoS agent. It implemented several DNS related attacks, including a reflection attack.
- One of the fundamental issues in distributed reflected attacks is the ability of an attacker to spoof source addresses on packets. Documents describing this problem, and suggested fixes, are found in the Mitigation section of this page below, some going back to 2000.
- Mitigating DNS Denial of Service Attacks, DNS OARC
Estonia claims to be under cyberwarfare DDoS attack from Russia?
- Kremlin Kids: We Launched the Estonian Cyber War, by Noah Shachtman, Danger Room blog, Wired.com, March 11, 2009
- Kremlin-backed youths launched Estonian cyberwar, says Russian official, by Dan Goodin, The Register, March 11, 2009
- Estonia and Russia: A cyber-riot, The Economist, May 10, 2007
- Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks, Sydney Morning Herald, May 16, 2007
- Cyber Assaults on Estonia Typify a New Battle Tactic, by Peter Finn, Washington Post Foreign Service, May 19, 2007
- Estonian DDoS Attacks - A summary to date, by Jose Nazario, ArborSERT blog, May 21, 2007
- When cyberattacks are politically motivated, by Robert Vamosi, Special to CNET News.com, May 29, 2007 [Interview with Jose Nazario of Arbor Networks]
- After Computer Siege in Estonia, War Fears Turn to Cyberspace, by Mark Landler and John Markoff, The New York Times, May 29, 2007
- Cyberwar is breaking out of sci-fi genre, Pavla Kozkov, Czech Business Weekly, June 11, 2007
The "Botmaster Underground" case
- FBI agents bust 'Botmaster', Reuters News Service, November 4, 2005
- 'Botmaster' pleads guilty to computer crimes, Reuters, January 24, 2006 [Teen admits to controlling somewhere near 500,000 computers, must return $60,000 cash, computer equipment, and a BMW he bought with proceeds from renting the botnet.]
- eWeek blog entry about the case
- U.S. Department of Justice press release.
- Lee Graham Walker, Axel Gembe CHARGED in Operation Cyberslam, Outlook Series, October 6, 2008
- U.S. v. James Jeanson Ancheta (federal indictment)
- 20-year-old 'botmaster' faces years behind bars, Reuters, May 9, 2006
This was not the first case of DDoS-for-hire in the U.S., however. That was another case in 2005.
- THE CASE OF THE HIRED HACKER: Entrepreneur and Hacker Arrested for Online Sabotage, FBI.gov headline story, April 18, 2005
- Duo charged over DDoS for hire scam, by John Leyden, The Register, March 22, 2005
- Michigan Man Arrested for Using New Jersey Juvenile to Launch Destructive "DDOS for Hire" Computer Attacks on Competitors, US Department of Justice press release, March 18, 2005
Books related to DDoS
- Internet Denial of Service: Attack and Defense Mechanisms, by Jelena Mirkovic, Sven Dietrich, David Dittrich and Peter Reiher, Prentice Hall PTR, ISBN 0131475738 (Errata and related material)
- Malware: Fighting Malicious Code, by Ed Skoudis and Lenny Zeltser, Prentice Hall PTR ISBN 0131014056, November, 2003
- The Tao of Network Security Monitoring, by Richard Bejtlich, Addison-Wesley, ISBN 0321246772, July, 2004
- Defense and Detection Strategies against Internet Worms, by Jose Nazario, ISBN 1580535372, 2004
- The Art of Computer Virus Research and Defense, by Peter Szor, Addison Wesley in collaboration with Symantec Press, ISBN 0321304543, February, 2005
Analyses and talks on attack tools
- The DoS Project's "trinoo" distributed denial of service attack tool, by David Dittrich
- RAZOR analysis of WinTrinoo
- Report of Windows version of trinoo DDOS tool by Gary Flynn, James Madison University
- The "Tribe Flood Network" distributed denial of service attack tool, by David Dittrich
- The "stacheldraht" distributed denial of service attack tool, by David Dittrich
- TFN2K - An Analysis, by Jason Barlow and Woody Thrower, Axent Security Team
- "Trinity" Distributed Denial of Service Attack Tool, by Michael Marchesseau, September 11, 2000
- Notes of talk given at CERT Distributed-Systems Intruder Tools Workshop, November 2, 1999
- An analysis of the "Shaft" distributed denial of service tool, by Sven Dietrich, Neil Long, and David Dittrich [BUGTRAQ followup post by Richard Wash] (PDF Version from Information Security Bulletin magazine)
- Analysis of a Shaft Node and Master, by Rick Wash and Jose Nazario, March 26, 2000
- "Analyzing Distributed Denial of Service Attack Tools: The Shaft Case" (PDF), by Sven Dietrich, Neil Long, and David Dittrich, Presented at LISA 2000 (GZIP PostScript)
- Steve Bellovin's NANOG presentation on DDOS Attacks, February 7, 2000
- Presentation at DDoS BoF, NANOG Meeting, February 7, 2000
- The "mstream" distributed denial of service attack tool, by David Dittrich, George Weaver, Sven Dietrich, and Neil Long
- Invited Talk, "DDoS: Is There Really a Threat?," USENIX Security Symposium, August 16, 2000
- Analysis of the "Power" bot, by David Dittrich
- GT Bot (Global Threat), by Lockdown Corp.
- kaiten.c (no analysis, just code)
- knight.c (no analysis, just code)
X-DCC (IRC "warez" bots often combined with DDoS)
- CanSecWest talk on disassembling malware networks by Dave Dittrich, May 2002 (see xdcc-analysis.txt for analysis)
- XDCC - An .EDU Admin's Nightmare, by TonikGin, Sept. 11 2002
- ocxdll.exe / mIRC Trojan Analysis, by Kyle Lai, September 5, 2002
- Honeynet Project Reverse Challenge binary ([not?] surprisingly, this is a DDoS agent)
- Robert Graham's analysis of the Blaster worm
- sdbot command reference
- rxbot command reference
- Inside the Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver, IEEE Security & Privacy (Vol 1 No 4)
- Phatbot Trojan Analysis, by LURHQ
Fundamental problems
Attribution
- Techniques for Cyber Attack Attribution, by David A. Wheeler, Institute for Defense Analyses, October 2003
Source Address Forgery
- F-08: Internet Address Spoofing and Hijacked Session Attacks, DoE CIAC, January 23, 1995
- CERT Advisory CA-1995-01 IP Spoofing Attacks and Hijacked Terminal Connections, January 23, 1995
- IP Spoofing Demystified, Phrack magazine, Issue 48, Article 14, June 1996
- CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks, September 19, 1996
- Help Defeat Denial of Service Attacks: Step-by-Step, SANS, March 23, 2000
- BCP 38, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," by Paul Ferguson and Daniel Senie, May 2000
- SAVE: Source Address Validity Enforcement Protocol, by Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher, and Lixia Zhang, 2001
- SAC004, "Securing the Edge," by Paul Vixie, October 17, 2002
- Changing IP to Eliminate Source Forgery, by Donald Cohen, K. Narayanaswamy, Fred Cohen
Defensive Tools
- RID, by David Brumley
- National Infrastructure Protection Center; Trinoo/Tribal Flood Net/Stacheldraht/tfn2k detection tool
- BindView's Zombie Zapper
- Index of Distributed Tools at Packet Storm
- dds -- a trinoo/TFN/stacheldraht agent scanner (C source code) by Dave Dittrich, Marcus Ranum, George Weaver, David Brumley, and others. [In BETA testing.] (Use RID instead.)
- gag -- a stacheldraht agent scanner (C source code) by Dave Dittrich, Marcus Ranum, and others. (Use RID instead.)
- Ramenfind (Identification and cleanup tool for the Ramen worm, which was modified to install DDoS agents in February 2001.)
- IP Source Tracking on Cisco 12000 Series Internet Routers (PDF version), Cisco Systems
Advisories
- CERT Incident Note 99-07 Distributed Denial of Service Tools, November 18, 1999
- NIPC ADVISORY 00-055: "Trinity v3/Stacheldraht 1.666" Distributed Denial of Service Tools, October 13, 2000
- CERT Incident Note IN-2000-05 "mstream" Distributed Denial of Service Tool, May 2, 2000
- CERT Advisory CA-2000-01 Denial-of-Service Developments
- Sun Bulletin #00193, Distributed Denial-of-Service Tools, January 5, 2000
Mitigation information
Start by reading these documents:
- Distributed Denial of Service Attacks, by Bennett Todd, Linuxsecurity.com, February 18, 2000
- Results of the [CERT sponsored] Distributed-Systems Intruder Tools Workshop [PDF version]
- Managing the Threat of Denial of Service, by Allen Householder, Art Manion, Linda Pesante, and George Weaver (CERT/CC) in collaboration with Rob Thomas, October 2001
- Consensus Roadmap for Defeating Distributed Denial of Service Attacks, A Project of the Partnership for Critical Infrastructure Security
- Help Defeat Denial of Service Attacks: Step-by-Step, SANS Institute
- Denial of Service (DoS) Attack Resources, by Paul Ferguson
- BCP 38, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," by Paul Ferguson and Daniel Senie, May 2000
- SAC004, "Securing the Edge," by Paul Vixie, October 17, 2002
SYN flood protection
- TCP/IP stack tuning on end systems, by Rob Thomas
- Hardening the TCP/IP stack to SYN attacks, by Mariusz Burdach, SecurityFocus, September 10, 2003
- Solaris 2.x - Tuning Your TCP/IP Stack and More
- Countering SYN Flood Denial-of-Service Attacks, by Ross Oliver, Tech Mavens, August 29, 2001
Advice for server administrators
- Protect the required and often attacked services, e.g. DNS, by Rob Thomas
Advice for network providers
- Mitigating DNS Denial of Service Attacks, DNS OARC
- Characterizing and Tracing Packet Floods Using Cisco Routers, Cisco Systems Inc.
- "Essential IOS" - Features Every ISP Should Consider, Cisco Systems Inc.
- ISP security (from an operations perspective), NANOG Tutorial by Barry Raveendran Greene (Cisco), Christopher L. Morrow and Brian W. Gemberling (UUNET) [Mentioned in USENIX 2005 tutorial]
- Protect the border and the border routers (also ported to Juniper and Riverstone), by Rob Thomas
- Protect your BGP peering and RIBs (also ported to Juniper and Riverstone), by Rob Thomas
- Monitor DoS attacks with NetFlow on your VIPs, by Rob Thomas
- Track the source of spoofed packets, by Rob Thomas
- Filtering ICMP and minimum ICMP messages, by Rob Thomas
- Null routing traffic and tracking DoS attacks, by Chris Morrow
- Blocking Code Red Worm with Cisco IOS NBAR, 4 August 2001
- Using Network-Based Application Recognition and Access Control Lists for Blocking the "Code Red" Worm at Network Ingress Points, Cisco Tech Note
- A DDOS defeating technique based on routing, BUGTRAQ posts by Fernando Schapachnik, February 20, 2000
- Path MTU Discovery and Filtering ICMP, by Marc Slemko
- RFC 2267 -- Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, by Paul Ferguson and Daniel Senie
- RFC 2644 -- Changing the Default for Directed Broadcasts in Routers, by Daniel Senie
- Distributed Denial of Service (DDoS) News Flash, Cisco Systems Inc.
- Policing and Shaping Overview, Cisco whitepaper on rate limiting
General advice
- DDoS Attack Mitigation, BUGTRAQ posts by Elias Levy, 11 Feb 2000
- Incident Handling Step by Step: Unix Trojan Programs, SANS Institute
- Smurf attacks by Craig A. Huegen
- Tune your firewalls and end systems, by Rob Thomas
Legal implications
- SANS Webcast on Legal Liability for Security Breaches - and Minimum Standards of Due Care with Mark Rasch and Hal Pomeranz, February 26, 2003
- Distributed Denial-of-Service Attacks, Contributory Negligence and Downstream Liability, by M. E. Kabay, PhD, CISSP
- DDoS Class Action lawsuit web site
Related Papers, Essays, Legislative Proposals, and Research
- Denial of Service Attacks and Challenges in Broadband Wireless Networks, by Shafiullah Khan, Kok-Keong Loo, Tahir Naeem, and Mohammad Abrar Khan, International Journal of Computer Science and Network Security, Vol. 8, No. 7, pp. 1-6, July 2008
- Breeding Internet Superbugs, by Paul Vixie, July 31, 2006
- Trends in Denial of Service Attacks, by Jose Nazario, Arbor Networks, Usenix 2003 Work-in-Progress report
- Extortion Worms: Internet Worms that Discourage Disinfection, by Tim Freeman, February 12, 2002
- Untraceable Email Cluster Bombs: On Agent-Based Distributed Denial of Service, by Markus Jakobsson and Filippo Menczer, May 23, 2003
- How to 0wn the Internet in Your Spare Time, by Stuart Staniford, Vern Paxson, and Nicholas Weaver, 2002
- Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures, by Ruby B. Lee, Princeton University
- Distributed Denial of Service, talk by John Ioannidis, April 2002
- Hop Count Filtering: An Effective Defense Against Spoofed Traffic, by Cheng Jin, Haining Wang, and Kang G. Shin
- A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, by Jelena Mirkovic, Janice Martin and Peter Reiher, UCLA Computer Science Department, Technical report #020018
- D-WARD: DDoS Network Attack Recognition and Defense home page (Peter Reiher, Gregory Prier, Scott Michael, and Jun Li)
- Computer Crime, by Ronald B. Standler, 2002 (section on DDoS and Mafiaboy case)
- An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, by Vern Paxson, June 2001
- UNISOG thread on Register.com DNS Reflector DoS attack, January 2001
- "Cyber Threat Trends and US Network Security," Statement for the Record for the Joint Economic Committee, Lawrence K. Gershwin, National Intelligence Officer for Science and Technology, 21 June, 2001
- CenterTrack, Robert Stone (a defunct research project that attempted to track DoS attacks at UUnet)
- The Strange Tale of the Distributed Denial of Service Attacks Against GRC.COM, by Steve Gibson, June 2, 2001 (My responses to Steve Gibson's initial claims and his later claims of discovering a "new" reflection attack.)
- CERIAS Attack Traceback Summit Proceedings (PDF version)
- Inferring Internet Denial-of-Service Activity, by David Moore, Geoffrey M. Voelker and Stefan Savage, University of California, San Diego
- On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack, by Kihong Park and Heejo Lee, Network Systems Lab and CERIAS, Purdue University
- MULTOPS: a data structure for denial-of-service attack detection (PDF), by Thomer M. Gil (PostScript version)
- Guidelines for Evidence Collection and Archiving, Dominique Brezinski and Tom Killalea (Internet Draft)
- Draft Convention on Cyber-Crime, Council of Europe (See also Cybercrime Solution Has Bugs, by Declan McCullagh, Wired News, May 3, 2000)
- Source code to mstream, a DDoS tool, VULN-DEV post by Anonymous, April 29, 2000
- THE WAR ON HACKERS, by Gary Lawrence Murphy
- Distributed Denial Of Service Attacks (DDOS), by David Anderson, MIT
- Theories on new DoS Attacks v.1, by J. Oquendo
- On Magic, IRC Wars, and DDoS, by Robert Graham
- Client-side Distributed Denial-of-Service: Valid campaign tactic or terrorist act?, by the electrohippies collective
- Spaf's Summary of White House meeting, February 19, 2000
- DDoS Whitepaper by Bennett Todd (readable overview intended for non-techies)
- Crypto-Gram, by Bruce Schneier, February 15, 2000
- Current Events on The Net: Fact, Fiction, or Hype?, by Richard Forno
- DDoS FAQ, by Kurt Seifried
- 10 Proposed 'first-aid' security measures against Distributed Denial Of Service attacks, by Mixter
- "Tribe Flood Network 3000": A theoretical review of what exactly Distributed DOS tools are, how they can be used, what more dangerous features can be implemented in the future, and starting points on establishing Network Intrusion Detection Rules for DDOS, by Mixter
- Protecting Against the Unknown -- A guide to improving network security to protect the Internet against future forms of security hazards, by Mixter
- Have Script, Will Destroy (Lessons in DoS), by Brian Martin, Attrition.org
- Practical Network Support for IP Traceback, by Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, Department of Computer Science and Engineering, University of Washington
- ICMP Traceback Messages (IETF draft proposal), by Steven Bellovin
- Advanced and Authenticated Marking Schemes for IP Traceback, by Dawn X. Song and Adrian Perrig
- Host Identity Payload, Internet Draft, Robert Moskowitz, ICSA.net
- Host Identity Payload -- Architecture, Internet Draft, Robert Moskowitz, ICSA.net
- Host Identity Payload -- Implementation, Internet Draft, Robert Moskowitz, ICSA.net
- Purgatory 101: Learning to cope with the SYNs of the Internet, by NightAxis and Rain Forrest Puppy
- Distributed Attacks and the Way To Deal With Them, by Tim Yardley
- Strategies for Defeating Distributed Attacks, by Simple Nomad
- Hacktivism: Civil Disobedience, Cyberterrorism or Silly Posturing?, vigilante.com
Vendors marketing products in the DDoS space (DISCLAIMER: Inclusion here does not imply I believe these products are or are not good solutions. These companies simply claim to have some kind of "solution" to the issues of DDoS.)
Network level defenses (detect, stop floods)
- Mazu Networks
- Captus Networks
- CS3
- Riverhead Networks
- Reactive Network Solutions
Host level defenses (detect, stop handler/agent installation)
- Tripwire
Augmented Intrusion Detection (detect)
- Recourse Technologies
Managed Security Services (react)
- Solsoft
- Aprisma
Work in progress research
- Notes from Lockheed Martin conference on DDoS vendor solutions, December 20, 2001
Selected news reports/interviews/panel discussions (in reverse chronological order)
- World Cup DDoS blackmailer sentenced to jail, by Graham Cluley, Sophos NakedSecurity, June 16, 2011
- Activists Launch Hack Attacks on Tehran Regime, by Noah Shachtman, Wired.com, June 15, 2009
- DDoS attack damaged public civil service for the first time, by Jang, Dong-joon, Kim, In-soon, Korea IT News, March 10, 2009
- Techwatch weathers DDoS extortion attack: Botnet blackmail, by John Leyden, The Register, January 30, 2009
- Internet Attacks Grow More Potent, by John Markoff, November 9, 2008 [One slight correction: The first major distributed reflected DDoS attack, as noted elsewhere on this page, occurred in 2001 against Register.com.]
- Before the Gunfire, Cyberattacks, by John Markoff, New York Times, August 12, 200
- Feds: Teen made computers 'zombies', by Jared Miller, Star-Tribune capital bureau, June 27, 2008
- Radio Free Europe DDOS attack latest by hactivists, by Elinor Mills, News Blog, May 1, 2008
- SlideShare Slammed with DDOS Attacks from China, by Mark Hendrickson, TechCrunch Blog, April 23, 2008 [We didn't pay this person to advertise our book. Honestly.]
- DDOS Danger For Online Gambling Sites, Online-Casinos.com, February 20, 2008
- Quebec police bust alleged hacker ring, by Jan Ravensbergen, Canwest News Service, February 20, 2008
- 'Ragtag' Russian army shows the new face of DDoS attacks: Semi-organized people just as dangerous as botnets, by Dan Goodin, The Register, January 4, 2008
- Making malware unprofitable: economics key to slowing hackers down, by John Timmer, Ars Technica, November 20, 2007
- Security Pro Admits to Hijacking PCs for Profit, blog post by Brian Krebs, November 10, 2007
- Is IT losing the battle against DNS attacks?, by Michael Cooney, Network World, July 18, 2007
- Fast flux foils bot-net takedown, by Robert Lemos, SecurityFocus, July 7, 2007
- Anti-spam sites weather DDoS assault, by John Leyden, The Register, June 11, 2007
- Cyberwar is breaking out of sci-fi genre, Pavla Kozkov, Czech Business Weekly, June 11, 2007
- After Computer Siege in Estonia, War Fears Turn to Cyberspace, by Mark Landler and John Markoff, The New York Times, May 29, 2007
- When cyberattacks are politically motivated, by Robert Vamosi, Special to CNET News.com, May 29, 2007 [Interview with Jose Nazario of Arbor Networks]
- Estonian DDoS Attacks - A summary to date, by Jose Nazario, ArborSERT blog, May 21, 2007
- Cyber Assaults on Estonia Typify a New Battle Tactic, by Peter Finn, Washington Post Foreign Service, May 19, 2007
- Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks, Sydney Morning Herald, May 16, 2007
- Estonia and Russia: A cyber-riot, The Economist, May 10, 2007
- Biggest threat to Internet could be a massive virtual blackout, by Andrew Noyes, National Journal's Technology Daily, April 5, 2007
- GoDaddy whacked by DDoS attack, by Kevin Murphy, Computer Business Review Online, March 12, 2007
- National Bolsheviks ousted from Runet, by CNews.ru, February 26, 2007
- Phish fighters floored by DDoS assault, by John Leyden, TheRegister.co.uk, February 20, 2007
- 2006: E-security in Vietnam shaken by crimes, VietNamNet Bridge, January 16, 2007
- CafePress wilts under DDoS assault, by John Leyden, The Register, December 22, 2006
- Analysis: Websites struggling for legal recourse for DoS attacks, by Matt Whipp, PC Pro News (UK), November 23, 2006
- Florida man charged in botnet attack on Akamai, by Caroline McCarthy, CNET News.com, October 24, 2006
- National Australia Bank hit by DDoS attack, by Munir Kotadia, ZDNet Australia, October 20, 2006
- Airline foils hackers with latest high-tech defences, by Bill Goodwin, Computer Weekly, September 27, 2006
- 20-year-old 'botmaster' faces years behind bars, Reuters, May 9, 2006
- Blue Security attack linked to blog crashes, by Tom Espiner, ZDNet (UK), May 4, 2006
- Cyberattack knocks millions of blogs offline, by Joris Evers, CNET News.com, May 3, 2006
- 'Second Life' fending off denial-of-service attacks, by Daniel Terdiman, CNET News.com, May 1, 2006
- Sun Grid hit by network attack, by Stephen Shankland, CNET News.com, March 22, 2006
- 'Botmaster' pleads guilty to computer crimes, Reuters, January 24, 2006 [Teen admits to controlling somewhere near 500,000 computers, must return $60,000 cash, computer equipment, and a BMW he bought with proceeds from renting the botnet. See also this eWeek blog entry and U.S. Department of Justice press release.]
- Blackmailers try to black out Million Dollar Homepage, by Dawn Kawamoto, CNET News.com, January 18, 2006
- FBI agents bust 'Botmaster', Reuters News Service, November 4, 2005
- 'Bot herders' may have controlled 1.5 million PCs, by Joris Evers, CNET News.com, October 21, 2005 [Note: This article doesn't say how the 1.5 million count was obtained, which could mean it is overstated by an order of magnitude or more. There are many reasons why counting things like IP addresses in logs, bot nicks, etc. can be way off the mark, such as DHCP lease times, moving from wired to wireless or dialup networks, etc.]
- Cops smash 100,000 node botnet: Largest zombie army ever detected, by Tom Sanders, vnunet.com, October 10, 2005 [Note: Actually, several botnets have been reported to be much larger than 100,000. E.g., see Thwarting the Zombies, by Dennis Fisher, eWeek, March 31, 2003, which quotes CERT/CC as saying they have tracked a botnet of 140,000 hosts]
- Hackers Admit to Wave of Attacks, by Kevin Poulsen, Wired, September 8, 2005
- Teenager jailed for Web attacks, by Graeme Wearden, ZDNet UK, August 17, 2005
- Stalking the Internet, an army on the rise, by Stephen Labaton, The New York Times, June 24, 2005
- THE CASE OF THE HIRED HACKER: Entrepreneur and Hacker Arrested for Online Sabotage, FBI.gov headline story, April 18, 2005
- Rootkit Web sites fall to DDoS attack, by Paul Roberts, IDG News Service, April 11, 2005
- Duo charged over DDoS for hire scam, by John Leyden, The Register, March 22, 2005
- Michigan Man Arrested for Using New Jersey Juvenile to Launch Destructive "DDOS for Hire" Computer Attacks on Competitors, US Department of Justice press release, March 18, 2005
- Dutch hackers sentenced for attack on government sites: Teens were unhappy about cabinet, by Jan Libbenga, The Register, March 16, 2005
- BitTorrent servers under attack, by Robert Lemos, CNET News.com, December 2, 2004
- Antispam screensaver downs two sites in China, by Dan Ilett, ZDNet News (UK), December 2, 2004
- Lycos Europe denies attack on zombie army, by Dan Ilett, ZDNet News (UK), December 1, 2004
- Experts fret over online extortion attempts: 'Bot' armies capable of toppling big sites, some say, by Bob Sullivan, MSNBC, November 10, 2004
- Lawmaker: Beware of cyber-Pearl Harbor, Reuters, November 5, 2004
- Online payment firm in DDoS drama, by John Leyden, November 3, 2004
- Child porn threat to betting site, BBC News, October 27, 2004
- Dutch government sites attacked, correspondents in Amsterdam, Australian IT, October 6, 2004
- WorldPay struggles under DDoS attack (again), by John Leyden, The Register, October 4, 2004
- Zombie armies behind cybercrime sprees, by Dan Ilett, ZDNet (UK), October 1, 2004
- Update: Credit card firm hit by DDoS attack, by Jaikumar Vijayan, Computerworld, September 22, 2004
- Attacks disrupt some credit card transactions, by Rob Lemos, CNET News.com, September 22, 2004
- Extortion Online: Technology can help fight the growing cyberextortion threat, but experts say not enough companies are prepared, by George V. Hulme, InformationWeek, September 13, 2004
- FBI busts alleged DDoS Mafia, by Kevin Poulsen, SecurityFocus, August 26, 2004 [Indictment against Paul G. Ashley, Jonathan David Hall, Joshua James Schichtel, Richard Roby, and Lee Graham Walker]
- Police say Russian hackers are increasing threat, by Oliver Bullough, Reuters, July 28, 2004
- DoubleClick blacks out from Web attack, by Jim Hu, CNET News.com, July 27, 2004
- MyDoom.M virus slams search sites, by Byron Acohido and Jon Swartz, USA Today, July 26, 2004
- British cybercops nab alleged blackmailers, by Graeme Wearden and Andy McCue, ZDNet (UK), July 21, 2004
- Scotland Yard and the case of the rent-a-zombies, Reuters, July 7, 2004
- 'Zombie' PCs caused Web outage, Akamai says, by Robert Lemos and Jim Hu, CNET News.com, June 16, 2004
- Business allegedly attacked via Web: FBI investigates area owner's extortion claim, by Caroline Lynch, The Courier-Journal, May 10, 2004
- Alarm Grows of Bot Software, by Rob Lemos, CNET News.com, April 30, 2004
- Bookies suffer online onslaught, by Mark Ward, BBC News Online, March 19, 2004 (Netcraft graphs of UK betting sites)
- Hackers Embrace P2P Concept: Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or Denial-of-Service Attacks, by Brian Krebs, washingtonpost.com, March 17, 2004
- Mydoom lesson: Take proactive steps to prevent DDoS attacks, by Jaikumar Vijayan, February 6, 2004
- The FBI Called Again, by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004
- Super Bowl fuels gambling sites' extortion fears, by Paul Roberts, IDG News Service, January 28, 2004
- Attack on SCO sites at an end, by Rob Lemos, CNET News.com, December 12, 2003
- New computer virus variant floods Web sites of anti-spam activists, by Anick Jesdanun, The Associated Press, December 3, 2003
- E-commerce targeted by blackmailers, by BBC News, November 26, 2003
- Dutch blogsites fight cyberwar against spammer, by Jan Libbenga, The Register, November 24, 2003
- ISPs take on DDoS Attacks, by Denise Pappalardo, Network World, November 19, 2003
- Zombie machines fueling new cybercrime wave, by Bernhard Warner, computerworld.com, November 17, 2003
- East European gangs in online protection racket, by John Leyden, The Register, November 12, 2003
- High-Tech Gangsters Who Shoot on Site, by Chris Nuttall, Financial Times, November 12, 2003
- Crime gangs extort money with hacking threat, by Chris Nuttall, Financial Times of London, November 11, 2003
- 'DDoS' Attacks Still Pose Threat to Internet, by David McGuire, washingtonpost.com, November 4, 2003
- Virtual girlfriend 'inspired Internet attack', by Munir Kotadia, Special to CNETAsia, October 13, 2003
- Cloaking Device Made for Spammers, by Brian McWilliams, October 9, 2003 [reports one group controlling 450,000 bots]
- 11,000 IP addresses found on accused hacker's PC, by Munir Kotadia, ZDNet UK, October 8, 2003
- 'Revenge' hack downed US port systems, by Andy McCue, silicon.com, October 7, 2003
- Sobig linked to DDoS attacks on anti-spam sites, by John Leyden, September 25, 2003
- Teenager arrested in 'Blaster' Internet attack, by Jeordan Legon, CNN, August 29, 2003
- Hackers cut off SCO Web site, by Martin LaMonica, CNET News.com, August 25, 2003
- Porn Purveyors Getting Squeezed, by Noah Shachtman, Wired News, July 10, 2003
- DDoS attack hits clickbank and spamcop.net, by Mirko Zorz, June 25, 2003
- Rise of the Spam Zombies, by Kevin Poulsen, Security Focus, April 27, 2003
- The Palestinian-Israel: cyberwar, by Patrick D. Allen and Chris C. Demchak, Military Review, March-April, 2003
- Thwarting the Zombies, by Dennis Fisher, eWeek, March 31, 2003 [quotes CERT/CC as saying they have tracked a botnet of 140,000 hosts]
- Al-Jazeera hobbled by DDOS attack: News site targeted for second day, by Paul Roberts, Infoworld, March 26, 2003
- DDoS attack cripples Uecomm's AU links, by Patrick Gray, ZDNet Australia, March 20, 2003
- Thousands 'trojaned' through net shares: CERT, by Patrick Gray, ZDNet Australia, March 12, 2003
- Worm could be clearing path for DDoS attack, by Patrick Gray, ZDNet Australia, March 10, 2003
- US and UK arrests in computer worm probe, by John Leyden, March 6, 2003
- Attacks Fell on Online Community, by Justin Jaffe, Wired News, January 27, 2003
- Could Attack on DALnet Spell End for IRC?, by Thor Olavsrud, internetnews.com, January 24, 2003
- DDOS attack 'really, really tested' UltraDNS, by ComputerWire, The Register, November 26, 2002
- Future Hacking: How Vulnerable is the Net?, by James Maguire, NewsFactor Network, November 4, 2002
- Attack On Internet Called Largest Ever, by David McGuire and Brian Krebs, washingtonpost.com, October 22, 2002
- Is the U.S. headed for a cyberwar?, by Robert Vamosi, CNET Reviews, September 25, 2002
- RIAA Web site disabled by attack, by Declan McCullagh, Special to ZDNet News, July 30, 2002
- ISP run out of business by DOS attacks, geeknews.com, July 23, 2002
- Good News/Bad News in DoS Struggle, by Jim Carr, Network Magazine, July 7, 2002
- News Sites Under 'Syn' Attack: Computers in Asia Flooding Sites, Blocking Access, by Paul Eng, ABCNEWS.com, June 14, 2002
- Cert warns of automated attacks, by James Middleton, vnunet.com, April 9, 2002
- Scottish ISP floored as DDoS attacks escalate, by John Leyden, The Register, April 9, 2002
- Denial-of-Service Attacks Still a Threat, by Jaikumar Vijayan, Computer World, April 08, 2002
- Internet User Sentenced in Federal Court for Using the Internet to Make Threats (DDoS attacks were also involved in this case, although the death threats were the main thrust of prosecutors.)
- How CloudNine Wound Up in Hell, Reuters (via Wired.com), February 1, 2002
- Hack Shuts Down British ISP, by Dennis Fisher, eWEEK, January 22, 2002 (Cloud Nine British ISP)
- Arrested Goner Creators Left Obvious Online Trail, By Brian McWilliams, Newsbytes, December 9, 2001
- DDoS protection racket targets bookies, by John Leyden, The Register, November 26, 2001
- 'Mafiaboy' hacker jailed, BBC News, September 13, 2001
- Cyber-raid hobbles web users, By Michael Foreman, The New Zealand Herald, September 10, 2001
- Mafiaboy must be jailed, says social worker, by Michelle MacAfee, The Canadian Press, June 19, 2001
- DoS Attack Storms Weather Channel's Routers, by Rutrell Yasin, InternetWeek, May 24, 2001
- Hackers storm White House Web site, by Robert Lemos, ZDNet News, May 4, 2001
- Warning Issued Against Fast-Spreading Hacking Worm, kdh@koreatimes.co.kr, The Korea Times, April 24, 2001
- College: A Cracker's Best Friend, by Michelle Delio, Wired.com, February 28, 2001
- Microsoft Web Sites Attacked, by Ariana Eunjung Cha and David Streitfield, Washington Post, January 26, 2001
- IRC Attack Linked to DoS Threat, by Michelle Delio, Wired, January 12, 2001
- FBI Targets 7 Hackers In Planned New Year's Eve Virus Attack, by Brian Krebs, Newsbytes, January 11, 2001
- Lynnwood teen one of several targets of FBI probe, KING 5 News (Seattle), January 10, 2001
- IRC: Attack From Killer 'HaX0rZ', by Michelle Delio, Wired, January 9, 2001
- Romanian hacker bombs chat network, by Will Knight, ZDNet UK, January 9, 2001
- Four Israeli hackers suspected of planning New Year's Eve attack , by Assaf Zohar, Israel's Business Arena, January 3, 2001
- 2001: Killer hack attacks, by Scott Berinato, eWEEK (via ZDNet UK), December 20, 2000
- The Year of the Killer Hackers, by Scott Berinato, eWEEK, December 18, 2000
- 'Mafiaboy' Trying To Stare Down Prosecutors, by Kevin Johnson, USA TODAY, December 5, 2000
- U.S. may face net-based holy war, by Dan Verton, Computerworld, November 13, 2000
- 'Mafiaboy' to plead guilty to hacking major Web sites, by Linda Rosencrance, Computerworld, November 7, 2000
- Abroad at Home: The cyberwars of the Middle East have come to Washington, by John Lancaster, Washington Post, November 3, 2000 (defaced web site)
- Lucent says Mideast hackers attacked Web site, by Erich Luening, CNET News.com, November 2, 2000
- Mideast hackers may strike U.S. sites, FBI warns, by Erich Luening, CNET News.com, November 2, 2000
- Security experts: Denial-of-service attacks still a big threat, by Patrick Thibodeau, Computerworld, October 20, 2000
- 'Pecked to Death by a Duck' -- Hacktivists Chat up the World Bank, by Sarah Ferguson, The Village Voice, October 18, 2000
- Interpol orders immediate cybercrime action, by Will Knight, ZDNet UK, October 11, 2000
- Internet giants confer on denial-of-service attacks, by Paul Festa, CNET News.com, September 26, 2000
- Web sites unite to fight denial-of-service war, by Ellen Messmer, Network World, September 25, 2000
- New Technology Tracks, Kills DoS Attacks At ISP Level, by Cynthia Flash, TechWeb News, September 14, 2000
- New denial-of-service attack tool uses chat programs, by Ellen Messmer, CNN, September 6, 2000
- New Web attack tools exploit chat technology, by Evan Hansen, CNET News.com, September 5, 2000
- Surfing the Tsunami: A large Southeastern university IS team fights off a massive distributed denial-of-service attack and lives to tell about it., by DDoS Survivor, Network World, August 28, 2000
- University researcher traces response to DDOS attacks, by Ann Harrison, Computerworld, August 18, 2000 [Corrections to Computerworld article]
- New Public-Private Venture Meant to Combat Cybercrime, by Paul Nowell, The Associated Press, August 11, 2000
- 250 Linux servers infected by denial-of-service program, the Korea Herald, August 1, 2000
- Lack of funding threatens cybersecurity project, by Elinor Abreu, The Industry Standard, July 31, 2000
- Wanna know how BT.com was hacked?, by Kieren McCarthy, The Register, July 25, 2000
- BT hacked: revenge for crap service, by Kieren McCarthy, The Register, July 21, 2000
- Hackers Plant Attack File in Home Computers, by Chet Dembeck, E-Commerce Times, June 9, 2000
- Hackers Said Poised for Attack, by D. Ian Hopper, AP, June 9, 2000
- Online boasting leaves trail -- FBI: Teen a schoolboy by day, brazen hacker by night, by Kevin Johnson, M.J. Zuckerman and Deborah Solomon, USA TODAY, June 7, 2000
- Experts lecture feds on cybersecurity, by Diane Frank, Federal Computer Week, May 24, 2000
- Beware of the security zealot, by Lewis Z. Koch, Inter@ctive Week, May 23, 2000
- New Denial-of-Service Software Found "in the Wild", by Steven Bonisteel, Newsbytes, May 3, 2000
- Cybercrime Solution Has Bugs, by Declan McCullagh, Wired News, May 3, 2000
- Hackers release new DoS tool -- Stakes high in cat-and-mouse game with security experts, by Bob Sullivan, MSNBC, May 2, 2000 [Corrections to MSNBC article]
- Expert warns of powerful new hacker tool, by Stephen Shankland, CNET News.com, May 1, 2000
- Probe of Hacker Net a Second Suspect: His Father, by Steven Pearlstein and David A. Vise, Washington Post, April 21, 2000
- DoS Attacks: What Really Happened, by Bob Sullivan, MSNBC, April 19, 2000
- `Mafiaboy' Arrested -- Canadian Teen Charged In Web Attacks, by Jonathan Dube and Brian Ross, ABCnews.com, April 19, 2000
- Hackers can claim copyright on tools, by David Hellaby, AustralianIT, April 18, 2000
- U.S. Treasury Chief Warns of Cyber Threats, by Jim Wolf, Reuters, April 18, 2000
- How to Fight Cyber Thugs -- Before it's Too Late, editorial by Jesse Berst, ZDNet AnchorDesk, April 3, 2000
- Hacker attack costs rise -- FBI, CSI: Verifiable losses due to poor security top $265M in 1999, CNNfn, March 22, 2000
- DDOS attacks' ultimate lesson: Secure that infrastructure, by Deborah Radcliff, Securityportal.com, March 20, 2000
- DoS Attack Shuts Down Brazilian Government Site, by Steve Gold, Newsbytes, March 18, 2000
- Ihug hit by hackers, by Adam Gifford, The New Zealand Herald, March 15, 2000
- Get more secure - or else!, by Lisa M. Bowman, ZDNet UK, March 15, 2000
- Asleep at the switch? -- How the government failed to stop the world's worst Internet attack, by M.J. Zuckerman, USA TODAY, March 9, 2000 [Note: When I was interviewed by Mike, I hadn't researched the timing of events very thoroughly, so he was working with my rough recollections. I've since tried to put together my own timeline on DDoS events]
- Web attacks: Cure worse than woes? Trend Micro's anti-viral OfficeScan - which also checks for DoS vulnerabilities - is a prime vehicle for foul play, by Steven J. Vaughan-Nichols, Sm@rt Reseller, ZDNN, March 8, 2000
- DoS attacks: A problem of the information age Q&A with security guru Dave Dittrich, by J.S. Kelly, SunWorld Online, March 2000 [Note: I was unable to provide feedback to J.S. Kelly in time, so some of the transcribed answers are not quite what I said. I'll try to clarify more as I find time. See also the Slashdot and other RealAudio interviews for answers to similar questions.]
- Hatch Won't Hatch Clinton Net Security Idea, by Robert MacMillan, Newsbytes, March 3, 2000
- Getting Hacked Could Lead to Getting Sued, by Ritchenya A. Shepherd, American Lawyer Media News Service, March 2, 2000
- Hacker plan: take down the Net -- Associates tell feds Coolio started last month's Web attacks; teen's New England home searched, computers confiscated, by Bob Sullivan, MSNBC, March 1, 2000
- CIOs Need to Be Held Accountable for Security, by L. Taylor, TechnologyEvaluation.com, February 28, 2000
- FBI: Internet Attack Motive Unknown, by Ted Bridis, AP, February 29, 2000
Senate Judiciary Committee hearing on Internet Denial of Service Attacks and the Federal Response, February 29, 2000
- Testimony of Eric Holder, Deputy Attorney General, Department of Justice
- Testimony of Dan Rosensweig, President and CEO, ZDNet
- Testimony of "Mudge", @Stake
- Locking Out the Hackers -- How to safeguard the Web, News: Analysis & Commentary, Business Week, February 28, 2000
- FBI site hit in latest hacker attacks -- Microsoft, brokerage among victims, but damage is short-lived, MSNBC staff and wire reports, February 25, 2000
- Web attacks? The ISPs strike back!, by Robert Lemos, ZDNet News, February 23, 2000
- New hacker software could spread by email, by John Borland, CNET News.com, February 23, 2000
- Cyber Crime -- First Yahoo! Then eBay. The Net's vulnerability threatens e-commerce--and you, Cover Story, BusinessWeek magazine, February 21, 2000
- Web attacks: Are ISPs doing enough? Not according to many broadband customers and security experts, by Robert Lemos, ZDNet News, February 21, 2000
- Internet News Radio interview with David Dittrich (University of Washington) and Brian Martin (aka "jericho" of Attrition.org), February 23, 2000
- Warding off DDoS Attacks: Tools and services help keep servers from being turned into zombies, by Jim Kerstetter, PC Week Online, February 21, 2000
- Hacker's Web Weapons Test-Fired on Chat Sites, by Ariana Eunjung Cha, Washington Post, February 19, 2000
- Dot-Com firms are hacking each other -- expert, by Thomas C. Greene, The Register, February 18, 2000
- NPR's Diane Rehm show (Real Audio), panel discussion on Internet Security with Jeffrey Hunker (National Security Council), James Adams (iDefense.com), David Dittrich (University of Washington) and Elias Levy (SecurityFocus.com)
- Slashdot interview
- Universities likely to remain Net security risks, by John Borland, CNETNews.com, February 15, 2000
- German programmer "Mixter" addresses cyberattacks, by Stephen Shankland, CNET News.com, February 14, 2000
- Hacker discloses new Internet attack software , by Stephen Shankland, CNET News.com, February 14, 2000
- Hacker hunters follow lead to Germany -- Web site attackers exploited Stanford computers, CNN.com, February 13, 2000
- Hacker probe widens as Canada attacked, by John Greenwood, National Post (with files from Bloomberg News and Dow Jones), February 12, 2000
- Doing Away with DoS, by Michelle Finley, Wired, February 10, 2000
- DoS: Defense Is the Best Offense, by Chris Oakes, Wired, February 10, 2000
- ZDNet Special Report: It's War! Web Under Attack [An over-hyped headline, but aggregates several stories]
- Hack leads point to California university, by John Borland and Jeff Pelline, CNET News.com, February 11, 2000
- The making of weapons -- underground, by Stephen Shankland, Michael Kanellos, and Mike Yamamoto, CNET News.com, February 9, 2000
- Hacker tools may come from single source, by Stephen Shankland, Michael Kanellos, and Mike Yamamoto Staff, CNET News.com, February 9, 2000
- Hackers disrupt Web sites, Seattle Post-Intelligencer, February 9, 2000
- Was Yahoo Smurfed or Trinooed?, by Declan McCullagh, Wired News, February 8, 2000
- Yahoo on Trail of Site Hackers, Reuters News Service, February 8, 2000
- Yahoo brought to standstill, BBC News, February 8, 2000
- Internet attack slows Web to a crawl -- Assault on Oz.net affects entire area, by Dan Richman, Seattle Post-Intelligencer, January 18, 2000
- DoS attack programs find warm, safe place on Solaris, by Nora Mikes, SunWorld Magazine, January 2000
- Experts Warn of Multipronged E-Mail Assaults: New Software Allows Vandals to Overwhelm Computers , by David Noack, APBNews.com, December 27, 1999
- CERT warns of networked denial of service attacks, by Ann Harrison, Computerworld, December 23, 1999 [Corrections to Computerworld article]
- Malicious programs lie in wait, FBI warns, by Bruce V. Bigelow, San Diego Union Tribune, December 15, 1999 [Corrections to San Diego Union Tribune article]
- Computer security teams brace for attacks by Stephen Shankland, Staff Writer, CNET News.com, December 20, 1999 [Corrections to CNET News.com article]
- Net hackers develop destructive new tools, by M.J. Zuckerman, USA TODAY, December 7, 1999 [Corrections to USA Today article]
- Cyberterrorism hype, by Johan J. Ingles-le Nobel, Janes Intelligence Review, October 21, 1999
- Cyber Attacks -- Both Old and New, by Robert Lemos, ZDNet News, October 20, 1999
- "Smurf" attack hits Minnesota, by Paul Festa, CNET News.com, March 17, 1998
- Hackers attack NASA, Navy, by Paul Festa, Staff Writer, CNET News.com, March 4, 1998 (Not DDoS, but still a large DoS attack that affected tens or hundreds of thousands of hosts across the country.)
History of Denial of Service and its use against Internet Relay Chat (IRC) networks
- Internet Relay Chat (IRC) History, by Jarkko Oikarinen
- An IRC Tutorial
- Bots, Drones, Zombies, Worms and other things that go bump in the night., by Lockdown Corp.
- Definition of "channel takeover", Valinor IRC glossary
- Hacking IRC - The Definitive Guide
- rEfnet Old News (look for "TakeOver" and "split")
- Why EFnet Sucks, by Mixter
- Bots Are Hot!, by Andrew Leonard, Wired magazine, April 1996
- Romanian Cracker Takes Down the Undernet, by Kristi Coale, Wired News, January 14, 1997
- Out of Band Bug Kicks Users Off Networks, by Mark Joseph Edwards, Wired News, May 12, 1997
- Smurfing Cripples ISPs, by James Glave, Wired News, January 7, 1998
- CIAC-2318: "IRC On Your Dime? What You Really Need to Know About Internet Relay Chat" (PDF), (PostScript), CIAC, Dept. of Energy, June 1998
- Denial of Service Attack Information, by Craig A. Huegen (1998)
Sociological aspects of DoS and DDoS
- Anti-Social Behavior Online Poses Challenge, GameMarketWatch.com, August 9, 2003
- The Bad Boys of Cyberspace: Deviant Behavior in Online Multimedia Communities and Strategies for Managing it, Suler, J.R. and Phillips, W., 1998