[00:00:07] Denial of service and distributed denial of service attacks have been around for quite some time now, but we have seen several waves of these attacks over the past few years. Now, DDoS attacks can be categorized in three major categories: direct DDoS attacks, reflected DDoS attacks, and amplification DDoS attacks. Direct DDoS attacks occur when the source of the attack generates the packets, regardless of the protocol, application, and so on, and they are sent directly to the victim of the attack. In this example, the attacker launches a direct DDoS against a web server, which is the victim here, sending numerous TCP SYN packets, so TCP synchronization packets. And this type of attack is actually aimed at flooding the victim with an overwhelming number of packets, and then oversaturating its connection bandwidth or depleting the target's resources in that system. This type of attack is also known as a SYN-flood attack, or a TCP SYN-flood attack.
[00:01:16] Cybercriminals also can use DDoS attacks to produce added cost to the victim when the victim is actually using things like cloud services, for example. So in most cases, when you see a cloud service such as Amazon Web Services, or AWS, or some other ones, you actually pay per usage, right? So, attackers can actually launch DDoS attacks and cause you to pay more for the users and resources that are being serviced. Another type of DDoS is caused by exploiting vulnerabilities, such as a buffer overflow, to actually cause a server, or even a network infrastructure device, to actually crash, so to reload, and then subsequently causing a complete denial of service condition. Now, many attackers use botnets to launch DDoS attacks. A botnet is actually a collection of compromised machines that the attacker can manipulate from a command and control server, what we call a CNC server or system, to either participate in a DDoS, in this case, or they can also be compromised and manipulated to actually send spam emails or to perform other illicit activities.
[00:02:34] Now in this example here, I'm actually showing a botnet that is actually used by the hacker to actually launch a DDoS attack. And in this example, the actual attacker sends instructions to the command and control box, so to the CNC, and then subsequently the CNC sends instructions to the bots within the botnet to then launch a DDoS against the victim, in this case. Now the other type of DDoS attack is a reflected DDoS attack. And reflected DDoS attacks occur when the source or the sources of the attack are sent spoofed packets that appear to be from the victim, and then the sources become unwitting participants in the DDoS attack by sending the response traffic back to the intended victim. UDP is actually often used as a transport mechanism because it's actually more easy, or it is easier, to be spoofed due to the lack of a 3-way handshake, because UDP is a connectionless protocol, unlike TCP, which actually has a 3-way handshake.
[00:03:42] So for example, if the attacker decides that he wants to attack the victim, he will send packets, let's say NTP packets or any other type of UDP packet, to a source who actually thinks that these packets are legitimate. And then the source responds to the NTP request, in this case, by sending the responses to the victim. And in this case the victim, who has never been expecting these NTP packets from the source, then of course ends up in this denial of service condition. Now there is another type of denial of service attack called amplification attacks. And these attacks are a form of reflected attacks in which the response traffic, which is actually sent by the unwilling participants, is actually made up of packets that are much larger than those that were initially sent by the attacker. So, the attacker is actually spoofing the victim in this case. So, an example of this is actually when DNS queries are sent to a DNS server and the DNS responses are actually much larger in packet size than the initial request packet.
[00:04:53] Subsequently, this is what we call an amplification of the attack, since the responses are actually amplified, or much larger in packet size, than the initial query packets that were sent. So the end result is that the victim gets flooded by those large packets for which it never actually issued queries. So in this example, we actually have three DNS servers that are open resolvers, right? So, the attacker sends spoofed packets to the DNS servers, and these packets are small 64-bit packets. And then the DNS servers amplify those packets to the victim with a much larger size, as you can see from this picture.