-
Question about DDoS?
Ok, I've read around about how distributed denial of service attacks kinda work, and from what I understand a lot of them are trojans or viruses that make the computer log into IRC servers and wait for a command. My question is, wouldn't it be making a denial of service attack on the IRC server?
-
No.
If you are hit by a virus or worm that happens to leave a Trojan horse behind, or someone just hacks your system and leaves a backdoor open or a Trojan horse, it just gives them an avenue to get into your computer at a future date.
When a virus drops a Trojan it will typically either connect to a specific server or send an email message or something to let the attacker know that the machine is compromised and available for their use.
When the time comes that they want to initiate a DDoS attack they can issue the command to all of the various compromised machines "under their control" and specify which IP address or range they should flood to create the denial-of-service.
Hope that helps.
-
Thanks, that does help. But I remember reading something about DDoS attacks and it said that some of them waited for commands in IRC servers. I don't really know too much about it, but it made me a little curious.
Thanks again tony.
-
What you are referring to, Madseel, is DDoS IRC bots (Zombies).
An example of a trojan that did just what you described is IRC.Mimic.
You can read about it here:
http://securityresponse.symantec.com...irc.mimic.html
Now I haven't had this happen to me, but I read a paper about it and I have found some Zombie channels on various IRC networks in the past. Pretty scary to see 120 clients or so sitting dead just waiting for commands...
From what I've heard a herd of 120 Zombies is pretty small. These can go to the thousands.
-
You have the general idea behind DDoS; the important thing to know also is that it does not have to be a trojaned binary on a group of hosts. In fact the attacker/cracker/hacker (pick your term :) ) does not even need to have access to any of the machines except via some protocol (ICMP, UDP, TCP, X.25, etc).
The most classic and widely known of all these sorts of attacks was the 'smurf' attack. Basically, the attack caused all the machines in a range of IPs to ping-flood a single host. Now imagine 254 of your own boxes ping flooding your host with packets > 65450 kb..... Now what if several whole networks (n * 255 hosts) were doing this to your host?
Many of the trojans you have read about are quite efficient at generating DDoS attacks, however for the sake of understanding the term....
DoS = An attack (typically carried out by a single machine) against a vulnerable system to cause it to become so busy handling the traffic that it is unable to handle any *new* traffic, thus making it effectively unreachable.
DDoS = An attack launched by several hosts against a vulnerable system to cause it to be so overcome with traffic that it is effectively unreachable. Or simply DoS ^ n attacking hosts.
Ping floods are very simple and common types of DoS/DDoS attacks, but you will also see rpc-floods, udp-floods, SYN-floods, and many others. The essential idea is to simply overwhelm the target.
Good question, sorry for being such a nerd with my reply.... :)
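As an added illustration of the flood types this reply describes (not code from the thread or any poster), here is a small Python classifier that runs over constructed packet records and labels, per target and one-second window, a smurf-style reflected ICMP flood (one target, many reflecting sources), a direct ping flood, and a SYN flood; the record format, thresholds and sample addresses are all assumptions.

```python
from collections import defaultdict

def bucket_packets(records, window=1):
    """Group (t, src, dst, kind) records by destination and time window."""
    buckets = defaultdict(lambda: {"kinds": defaultdict(int), "srcs": set()})
    for t, src, dst, kind in records:
        b = buckets[(dst, int(t // window))]
        b["kinds"][kind] += 1
        b["srcs"].add(src)
    return buckets

def classify_floods(records, window=1, pps=50, reflectors=20):
    """Label windows where one host receives more than `pps` packets/s.

    Returns (dst, window_index, label, packet_count, distinct_sources)."""
    alerts = []
    for (dst, slot), b in sorted(bucket_packets(records, window).items()):
        total = sum(b["kinds"].values())
        if total / window < pps:
            continue                      # below threshold: ordinary traffic
        top = max(b["kinds"], key=b["kinds"].get)
        n_src = len(b["srcs"])
        if top == "icmp-reply" and n_src >= reflectors:
            # echo *replies* from a whole network toward one host is the smurf signature
            label = "smurf-style reflected ICMP flood"
        elif top == "icmp-request":
            label = "ping flood"
        elif top == "tcp-syn":
            label = "SYN flood"
        else:
            label = "unclassified flood"
        alerts.append((dst, slot, label, total, n_src))
    return alerts

# Constructed sample traffic (assumed addresses): second 0 is benign,
# second 1 is a /24 of reflectors replying to 10.0.0.5, second 2 is a SYN flood.
SAMPLE = []
for i in range(5):
    SAMPLE.append((0.1 * i, f"10.0.0.{10 + i % 2}", "10.0.0.5", "icmp-reply"))
for h in range(1, 255):
    SAMPLE.append((1.0 + h / 1000, f"192.0.2.{h}", "10.0.0.5", "icmp-reply"))
for i in range(300):
    SAMPLE.append((2.0 + i / 1000, f"198.51.100.{i % 250}", "10.0.0.5", "tcp-syn"))

if __name__ == "__main__":
    for alert in classify_floods(SAMPLE):
        print(alert)
```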
-
To add more to it, ping-flooding doesn't work anymore. Almost all the systems around the world can cope with it quite easily now. Anyhow, there are still some very big holes left for flooding....
How should one cope with DDoS? Buy an Intrusion Detection System (IDS) from Cisco? ;)
-
Madseel, you should visit http://grc.com/files/grcdos.pdf
It describes a DDoS using evilbots based on IRC. But there are many other types of Zombies running through the net.