
Thread: Akamai DDoS: Sophisticated?

  1. #11
    Senior Member | Join Date: Nov 2002 | Posts: 339
    A sophisticated DDoS IMO would consist of an attacker more......sophisticated. HA!
    J/K. It is probably a safe bet that Akamai had NIDS, and probably CIDS hardware. As you probably well know, one way an IDS detects an attack is by signatures. If the attacker could get thousands of computers to attack Akamai's network and he/she could manage to sneak these crafted packets in without the IDS flippin' out... I'd say that's sophisticated. Shutting down a band as large as Akamai's would not be easy, even for two hours. It is probably also safe to assume that Akamai has a very, very tight security policy. After how many times Yahoo's and MS's sites have been taken down before, defaced, whatever, you'd think that they would have learned and have 90% of their bases covered. In short, no script kiddie did this, as with most DoS. Most DoS are performed by kids who barely grasp what a packet is, let alone try to perform a large attack such as this. I am not saying whoever did this was a genius. But it is probably safe to say they did their homework, and they did it well.
    Don't be a bitch! Use Slackware.

  2. #12
    AO French Antique News Whore | Join Date: Aug 2001 | Posts: 2,126
    I personally think it was a plain and simple DoS attack with a very large number of zombie bots. They are using the word "sophisticated" because

    1) They are trying to protect their image
    2) The traffic the zombie network created all looked like real and legitimate traffic.

    You can read more info here:
    http://zdnet.com.com/2100-1105_2-5236403.html
    -Simon "SDK"

  3. #13
    Senior Member | Join Date: Oct 2002 | Posts: 4,055
    There is a firm difference between sophisticated and coordinated (or in this case, coordinated VERY properly). I think that the attack was just so well coordinated, and possibly size-wise was massive to the point where it could shut down the Akamai servers. I gotta agree with SDK as well; chances are they are making it bigger than what it is because they are trying to protect their image.
    Space For Rent.. =]

  4. #14
    My guess was the best. Period. :P

  5. #15
    Regal Making Handler | Join Date: Jun 2002 | Posts: 1,668
    I came across this paper on my travels. I think some of you here may well find it of interest. It's in PDF format; anyway, here's the link: http://www.cs.ucsd.edu/~savage/papers/UsenixSec01.pdf
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #16
    Banned | Join Date: Aug 2001 | Location: Yes | Posts: 4,424
    It's got to be these guys, MsMittens

  7. #17
    Maybe it's sophisticated because each zombie sends a request... Or what if you bounced it off itself? Can you even do that?

    -Cheers-

  8. #18
    Senior Member | Join Date: Nov 2001 | Posts: 4,785
    A security professional who participated in investigating the attack confirmed that the DDoS attack apparently came from an extremely large bot net.

    "If it was (a) bot, it was very well written and it was very large," the security expert said on condition of anonymity. "As far as we could tell...it all looked like real and legitimate traffic."

    While Tuesday's attack was aimed at bringing down the four major Web sites, Akamai's Leighton said his company was the true target.

    "At the high level, it was clear that this attack was focused on a subset of our customers," he said. "We assumed they were attacked as a way to get at Akamai."

    What remains unclear is how the DDoS attack could be so selective as to focus on the main Yahoo, Google, Microsoft and Apple sites. Distributed attacks are typically blunt instruments rather than scalpels, as evidenced by the mass outages caused by this method in 2000.

    http://asia.cnet.com/sg/0,39002190,39183708,00.htm
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #19
    Noia (Now, RFC Compliant!) | Join Date: Jan 2002 | Posts: 1,210
    hmm

    my guess is, unlike most bots used for packeting nets, this bot used a (simple) HTTP engine of some sort to grab the pages in a valid way. Most bots simply generate a SYN packet with garbage attached, or simply just garbage. Having a properly crafted handshake procedure incurs the overhead of having to actually send the page and process the page (dynamic pages, for example).

    Say a handshake takes 1k of data, and the page is 100k with images and the works; you can easily see how it can drain the servers. DRDoS could not be used as it doesn't permit return data.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can recall the gentle features in the queen's face that fair day, when the land here rested in holy peace and all had love to love with.
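Noia's point above is that a bot which completes the handshake and fetches a real page is indistinguishable from a browser on a per-request basis; what the defender has left is aggregate rate and the server-side cost of each request. The block below is an added example, not code from the thread or from any poster: it triages constructed connection records per source, separates SYN-only floods from full-handshake HTTP floods, and shows that the bytes-out-to-bytes-in ratio is identical for the page-fetching bot and the human browser. The `Flow` record layout, the three sample sources and the thresholds in `classify` are all assumptions.

```python
"""Per-source flow triage on constructed connection records: separate SYN-only
floods from full-handshake HTTP floods, and show why the latter looks
legitimate per request. Added example; record layout and thresholds are
assumptions, not any product's logic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str          # client address
    ts: float         # time the flow started, in seconds
    completed: bool   # True when the three-way handshake finished
    bytes_in: int     # bytes the server received on this flow
    bytes_out: int    # bytes the server sent on this flow


@dataclass
class SourceStats:
    flows: int
    half_open: int
    rate: float           # flows per second over the source's observed window
    amplification: float  # bytes out divided by bytes in


# Constructed sample (not captured traffic): a SYN-only flooder, a bot that
# completes every handshake and pulls a 100 KB page ten times a second, and a
# human browser fetching the same page every few seconds.
SAMPLE = (
    [Flow("10.0.0.1", 0.01 * i, False, 60, 60) for i in range(200)]
    + [Flow("10.0.0.2", 0.1 * i, True, 1_000, 100_000) for i in range(100)]
    + [Flow("198.51.100.7", 3.0 * i, True, 1_000, 100_000) for i in range(4)]
)


def summarize(flows):
    """Aggregate flows per source address."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    stats = {}
    for src, fl in by_src.items():
        span = max(f.ts for f in fl) - min(f.ts for f in fl)
        window = max(span, 1.0)  # one-second floor so a lone flow still has a rate
        bytes_in = sum(f.bytes_in for f in fl) or 1
        bytes_out = sum(f.bytes_out for f in fl)
        stats[src] = SourceStats(
            flows=len(fl),
            half_open=sum(1 for f in fl if not f.completed),
            rate=len(fl) / window,
            amplification=bytes_out / bytes_in,
        )
    return stats


def classify(stats, half_open_ratio=0.5, rate_threshold=2.0):
    """Label one source. Thresholds are assumptions for this example: a source
    whose flows are mostly half-open is a SYN flood; a source that completes
    handshakes but opens flows far faster than a person is an HTTP flood."""
    if stats.half_open / stats.flows >= half_open_ratio:
        return "syn_flood"
    if stats.rate >= rate_threshold:
        return "http_flood"
    return "normal"


def triage(flows):
    """Map each source address to its label."""
    return {src: classify(s) for src, s in summarize(flows).items()}


if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(f"{src:14} {classify(s):10} flows={s.flows:3} "
              f"half_open={s.half_open:3} rate={s.rate:6.1f}/s "
              f"amplification={s.amplification:5.1f}x")
```

The two completed-handshake sources come out with the same 100x amplification (1 KB in, 100 KB out, as in Noia's 1k/100k figures), so the shape of the request gives the defender nothing; only the per-source rate separates them, and with a large enough zombie network each bot can stay below whatever rate a human would plausibly generate.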

  10. #20
    Senior Member | Join Date: Jun 2002 | Posts: 174
    I think the most sofe-ist-hi-cated attack I've read about is a version of the "man in the middle" attack. The attacker sends a steady stream of SYN packets to a computer, effectively causing it to ignore incoming connections. After being SYN-flooded, it will only attempt to respond to (SYN/ACK) the half-open connections in its queue, but it won't be able to open any more connections. The attacker waits for the SYN/ACK packets that return and examines the TCP sequence number inside each packet.

    During the Ack -> Syn/Ack -> Syn process the originating host sends the TCP sequence number it wishes to use, and the target responds by sending the sequence number back during the SYN/ACK process. Once both have established communication and agreed on the sequence number of the segments they are exchanging, the originating host can send the final segment containing its own ACK of the target's sequence number, and data transfer can start. Once the cracker has made a guess at the sequence number made available for the next incoming connection, it is possible to "spoof" the connection by using a bogus TCP sequence number. Once the guess has been made, the cracker can send a SYN packet to the real target, which is "supposedly" from the server you just SYN-flooded (a trusted server). The target will attempt to SYN/ACK the server, which can't respond because its connection queue is full. Instead the cracker sends an ACK packet which uses the guessed TCP sequence number from the SYN/ACK, and the attacker now has a one-way connection into the target machine which appears to be coming from a trusted server. The cracker can now pipe any command necessary to compromise the target machine.... Once he's done, all he has to do is send the packet containing the RST bit to the server. This clears the connection queue and no one is the wiser.

    ---Paraphrased from "A Complete H@ckers Handbook"

    Meh. Works, neh?

    ~m
    I'm back.
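The attack m paraphrases above stands or falls on whether the target's next initial sequence number can be guessed from the ISNs it handed out before; the defender-side counterpart is checking that a host's ISNs are not predictable. The block below is an added example, not code from the thread or from the book cited: it estimates the unpredictability of a series of observed ISNs from the spread of their wrapped deltas, loosely in the spirit of nmap's ISN predictability test. The `bits` measure, the two thresholds in `classify_isn`, and the three constructed ISN series in `sample_isns` are assumptions; a real check would feed in ISNs captured from the host's SYN/ACKs.

```python
"""Rough TCP initial-sequence-number (ISN) predictability check. Added example;
the entropy estimate, thresholds and sample series are assumptions modelled
loosely on the idea behind nmap's ISN predictability index."""
import math
import random
import statistics

MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Differences between consecutive ISNs, wrapped modulo 2^32."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def isn_entropy_bits(isns):
    """Approximate bits of unpredictability as log2 of the spread of deltas.
    Returns 0.0 when every delta is identical (a fixed-step generator)."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs")
    # A wrapped delta in the upper half is really a small negative step; fold it
    # back so a generator that occasionally steps backwards is not mistaken for
    # a random one.
    folded = [d - MOD32 if d >= MOD32 // 2 else d for d in deltas]
    spread = statistics.pstdev(folded)
    return 0.0 if spread == 0 else math.log2(spread)


def classify_isn(isns, predictable_below=10.0, weak_below=20.0):
    """Label an ISN series. Thresholds are assumptions: under ~10 bits the next
    ISN is guessable in a handful of tries; under ~20 it is within reach of a
    brute-force flood of guessed ACKs; above that it is treated as random."""
    bits = isn_entropy_bits(isns)
    if bits < predictable_below:
        return "predictable"
    if bits < weak_below:
        return "weak"
    return "random"


def sample_isns(kind, n=50, seed=1234):
    """Constructed ISN series for the example, not captured from any host.
    'fixed_step' mimics the old 'add a constant per connection' generators,
    'jittered_step' adds a little noise to that, 'random' draws 32-bit values."""
    rng = random.Random(seed)
    if kind == "fixed_step":
        return [(1_000_000 + 64_000 * i) % MOD32 for i in range(n)]
    if kind == "jittered_step":
        return [(1_000_000 + 64_000 * i + rng.randint(-5_000, 5_000)) % MOD32
                for i in range(n)]
    if kind == "random":
        return [rng.getrandbits(32) for _ in range(n)]
    raise ValueError(f"unknown series kind: {kind}")


if __name__ == "__main__":
    for kind in ("fixed_step", "jittered_step", "random"):
        series = sample_isns(kind)
        print(f"{kind:14} {isn_entropy_bits(series):5.1f} bits  -> {classify_isn(series)}")
```

The fixed-step series has zero spread in its deltas, which is exactly the property the spoofing story relies on; the jittered series still lands in the "weak" band because the jitter is small relative to the step, and only the random series reaches the range where guessing the next ISN is hopeless. The log2-of-spread figure is a coarse heuristic: it says nothing about time-based generators whose step is a function of the clock, which is why a real audit captures many ISNs over time rather than a single burst.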
