The Internet version of an old prank

Back in the 19th century in London, a prankster named Theodore Hook "DDoS'ed" a large part of London in what became known as the Berners Street hoax. Hook played a prank on the residents of 54 Berners Street by sending out letters requesting various random people to all arrive at 54 Berners Street on the exact same day at around the exact same time. Apparently first to arrive were chimney sweeps, followed by people delivering coal, and it eventually culminated to doctors, dignitaries, and delivery men carrying pianos and organs all arriving at around the same time to the same house. This brought traffic to a halt in a large part of London, effectively DDoS-ing the city.

In the Internet age, Hook's Berners Street hoax idea has taken a new identity in the form of a DDoS attack called the Distributive Reflective Denial of Service (DRDoS). The idea is simple: Sometimes when you send a packet requesting a response to a server, it will respond with a bunch of packets back to you. You can think of it as the modern analog to Hook's letters in the Berners Street hoax: Sending 1 letter to an organ company results in 6 men carrying a large pipe organ coming back to you. In a DRDOS attack, the attacker just sends, say, n MB of packets to a server using a spoofed IP address that is the IP of victim. The server responds with N MB of packets directly to the victim's IP. Now, every Mbps of bandwidth the attacker spends is received with a N/n multiplier by the victim. The N/n multiplier here is what is called the Bandwidth Amplification Factor (BAF). While we don't see bandwidth amplification factors as large as Hook's N/n = (6 dudes + 1 pipe organ)/(1 letter), attackers can still reach bandwidth amplification facts of >500 for NTP and in some cases up to the mid 4,000's!

Currently the largest DRDoS attacks have been done using UDP-based protocols such as NTP. This is because UDP does not require handshaking like TCP does. TCP-based protocols seem to be safe against becoming vectors for DRDoS attack because if you attempt to send a establish a TCP connection starting with a SYN packet that has a spoofed IP, you will not be able to complete the handshake as you'll never receive the SYN-ACK from the server. However, there has been literature that seems to show that TCP-based protocols might actually be vulnerable as well, which I may cover in a future blog post. For a sneak preview, check out this interesting paper by Kuhrer, Hupperich, Rossow, and Holz: Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks!

Comments

Post a Comment

Popular posts from this blog

First-Principles Derivation of A Bank

What is a Bank? A bank borrows money from people with money but low-risk appetite, and lends money to people who need money to take potentially rewarding risks. Say we live in a toy society with $10 in circulation and 2 people (a farmer and a cook). In this society, the farmer grows vegetables and the cook processes vegetables for food – both activities essential for survival. Assume that both parties start with $5 each. The farmer sells vegetables for $1 per serving and can produce 2 servings per day. The cook prepares food for $2 per serving and also has the capacity to produce 2 servings per day. Every day, the farmer sells 2 servings of vegetables to the cook for a total of $2 . Then, the cook prepares 2 servings of food and sells 1 serving to the farmer for $2 . In this perfectly balanced society, everybody eats, and money never needs to “rest.” Let's break the above equilibrium by adding a time component. In this society, vegetables take thr...
Read more

A Play-by-play of the Mirai botnet source code - Part 1 (scanner.c)

Today I've decided to start learning something very new and unfamiliar to me, as someone who mostly works with very high-level languages like Python and Kotlin, and attempt to understand the source code behind the Mirai botnet that managed to control over 380,000 IoT devices at one point in its life. I'll likely get a lot of things wrong the first time around, and this may take quite a few blog posts to complete, but my goal is to document everything I figure out, so that in the future, someone else in a similar position will be able to use this blog as a resource to understand the C and Go that ran this ground-breaking botnet. To begin, I'll start by reading  scanner.c , which is the code that is in charge of the scanning for and infecting new IoT devices. I'll be taking my time with it, so this might take a few blog posts. scanner.c  has most of its logic in a function called  scanner_init , which is triggered either from  main.c  (which seems like how it is t...
Read more

You can control individual packets using WinDivert!

Image
WinDivert is one of the most interesting packages I've recently come across. What WinDivert allows you to do is apply a filter to grab some subset of packets that pass through your Windows computer, and then apply some logic to the packet to maybe modify, and then drop or re-inject the packet. Here's a great diagram from this website that sums it up: Using PyDivert , a WinDivert Python binding, we can specify the PROGRAM portion in the above diagram, which means that we can now capture whatever packets we want, change them however we want, and then either drop them or re-inject them to be sent out whenever we want. The big sell here is that WinDivert allows you to play with packets on Windows without writing code that modifies the core operating system components that run in the kernel! The drawback is of course speed and efficiency, but for a lot of blog-post-worthy applications, we don't need that much speed and efficiency. Stay tuned for more stuff if this piqued your ...
Read more