Denial of service attacks have been in the news recently, and the recent ones have been something called amplified distributed denial of service attacks. Um, this is a fairly straightforward thing... but how we got here is quite interesting.

Denial of service attacks have gone on for a long, long, long, long time. I can remember being 14, 15 and going on IRC, which is like Internet Relay Chat, an old-school chat service, and irritating people. IRC to this day remains a haven for the kind of script kiddie type, the cracker type; the type that has downloaded a few slightly dodgy scripts off the Internet and thinks they are now an extremely good hacker because of it. I may have irritated - like - 14-year-old me may have irritated people sometimes and... my home internet connection got denial of serviced. At that point my internet connection was a 56k modem. It is incredibly easy to denial of service attack those, particularly if you happen to irritate someone who is on an enormous university connection, at, say, ha, 1 meg. Which isn't that much bigger by today's standards, but in those days all it meant was they sent a little thing on their system, which sends as much traffic as possible to your system. And if their system is bigger than yours, well... your internet connection gets saturated, you can't send anything in and out... At which point I have to literally hang up the phone to dial in again and get a new IP address so they can't find me.

And that was how it worked for a while. Uh, and then you started to get the criminals involved who were writing botnets. Who were writing viruses that, instead of destroying data, would go in and take over other people's internet connections. They would find broadband users, generally in the United States or around there, who would... [exasperated exhale] who would be running unsecured versions of Windows XP or 98 or something like that...
They would quietly install their software in the background, and then would use those unsuspecting users' internet connections to launch a big denial of service attack. This was *distributed* denial of service, so instead of having one big computer, you had lots of little computers. Hundreds, maybe even thousands, maybe tens of thousands, all sending as much traffic as they could against one company. And it didn't matter how big that company's internet connection was... Ultimately, ten thousand people all reloading their website or turning out as much traffic as possible as fast as possible, yeah, it's gonna take down their network connection.

And what was this used for? Well, ransom..! What you found in sort of the 2000s was that gambling companies, finance companies, anyone whose job, whose livelihood, depended on being up and online all the time, was being held for ransom. They would get a call, an email, or a message that said "If you don't pay us -an amount- your website's gonna go down for quite a while." There are defense strategies, sort of... You can generally hire a very expensive company to try and mitigate this, at which point it does become a bit of a protection racket. But ultimately Microsoft got their act together. The number of zombie computers, as they were called, started falling. And the internet started getting more and more and more and more bandwidth. And you could hire a net connection that could stand up to reasonable denial of service attacks for not too much.

Now the new threat is something called Amplified Denial of Service. And it's not a new threat as such, it's just a newly common threat that's been theorized about for a while. And what it is is a combination of a couple of vulnerabilities in how some very old parts of the internet work. Hold that thought, because I need to explain something else first. I need to explain the difference between TCP and UDP. TCP is how most of the web works.
It's how the webpage that you're viewing - the YouTube page you're viewing this in - gets sent back and forth. And it is a two-way protocol; there's a handshake involved. You request something, and then that request is acknowledged, and you get something back, and as all the packets go back and forth, there is a two-way conversation going on making sure that everything's arrived in the right order, intact. Which means you can use it for webpages, and use it for financial transactions on your online bank. You can use it for anything where getting everything through *bit perfect* is required.

And then on the other hand, you have UDP. UDP is very much the opposite of that. UDP is... "Here is a stream of data... just, just deal with it. As much of it, as much of it as you can, as fast as you can. Just, just deal with it!" This is what you use for voice over IP. This is what you use for streaming video - live video. Anything where it doesn't matter if a bit of it gets lost, or a bit of it arrives in the wrong order. Uh, I say bit - a part of it. Obviously bit... is a... thing with.... Uh, it doesn't matter if some of it arrives a little bit malformed, as long as most of it gets through.

Now the difference between those is that UDP doesn't really have a handshake. You just kind of point a fire hose of data at something and blast them with it. And because of that, well, it means you don't really have to acknowledge it. You don't have to say "Yes! I approve this stream being sent to me." It just kind of arrives and there's not much you can do about it... There is a flaw in the UDP protocol, or at least in some implementations of it, and a few other subtle things around the internet, that means I can essentially spoof the return address. My computer here can claim that I am someone else entirely. And that wouldn't normally be a problem, because most well-designed protocols - and pretty much everything on the internet - will only let you send on a small amount of data.
I send a small request to them, they send a small request onwards, and it's not really a problem. Except... there is something called NTP, the Network Time Protocol. And this is the thing that keeps all the clocks in your phone and your laptop in sync, to almost to the millisecond. Wonderful thing, great boon to society; unfortunately it has a couple of really badly designed things in it. And one of them is this command: "MONLIST". This is the most useless, frustrating, and abused command ever added to anything. Um, it's horrible. What it does is it sends back the details of the last 600 people who requested the time from that computer. I have no idea why you'd have that... I have absolutely no idea why that exists. Why you would need the last 600 people - why 600?! Anyway...

What it means is that I can send a tiny request, just this little monlist command here, to the time server - and the time servers are all on **enormous connections** - spoof where it came from, and they will send... AN ENORMOUS amount of data. 206 TIMES the amount of data to that poor computer there. And more than that... You can work out where this is going, you know. There are many time servers, and let's say I have one of those botnets that I mentioned earlier with zombie computers. Those compromised computers all send small amounts of data to lots of time servers and they will all send 206 TIMES THE AMOUNT OF DATA [furiously scribbling] to this poor sod.

This is NTP amplification, but it's not the only amplification attack. There's been DNS for a while; there are a couple of others that security researchers are hinting at, but don't want to release the details of - not because that'll stop the bad guys, it won't. You can't do security through obscurity, that's the term... But you might at least slow them down a bit?.. If you're watching this a few months after it's been uploaded, I wouldn't be surprised if we've seen one, maybe two, terabit per second attacks. That is...
a hundred thousand times more than your broadband connection? It's something that is on the scale of disrupting the entire Internet, rather than just disrupting one computer. How can you defend against it? Well... you can't. I mean, you can hire a company that claims to be able to block a lot of attacks... And they can, and they can do interesting things at the network level to try and filter it all out... But ultimately, against an attack of that size, which could actually disrupt the infrastructure of the internet itself, there's not much a victim can do.

But what you can do... is campaign to get the relays, the amplification vectors, shut down. And we've seen this done before. We saw it with open mail relays, years ago. There used to be things called open mail relays, which would be just simple sites that would take an email and forward it on. And those were incredible vectors for spam... And they were blocked, and they were filtered, and they were shut down, campaigned against for a long, long time. And there's now a generally agreed-upon list of those still open, which just won't be able to send anywhere, because everyone simply ignores their traffic. This is gonna happen, sooner or later, with relays that still allow spoofing and relays that still allow amplification attacks. Sooner or later, they will get shut down... but... until then... well... you just kind of have to hope... that no one targets you.

We would like to thank Audible.com for sponsoring this Computerphile video. And if you'd like to check out one of their huge range of books, get over to audible.com/computerphile and there's a chance to download one for free.
I'd like to recommend a book today called Makers, by Chris Anderson, which is all about the idea of democratizing the world of making things and manufacturing. So the idea is that the internet has democratized publishing and broadcasting with things like YouTube, and then the same thing's happening to the world of bits and stuff, and it kind of covers a hacker movement. So get over there, check that out... Remember, audible.com/computerphile for your chance to download a free book, and thanks once again to them for sponsoring this Computerphile video.
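As an added example, not part of the video or the comments below: a small Python detector that takes flow records in the constructed shape (src, sport, dst, dport, bytes), computes the reply-to-request byte ratio for each NTP server and client pair, and flags servers whose replies dwarf what they received, which is what an open monlist responder looks like from a defender's vantage point. The flow records, addresses and packet sizes are all constructed; the 234-byte request and 482-byte replies are chosen so the abusive exchange lands near the 206x factor quoted in the video.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed sample flows: (src, sport, dst, dport, bytes).
# A normal time query is symmetric (48 bytes each way); a monlist-style
# exchange answers one small request with many large packets. Sizes are
# illustrative, chosen to land near the ~206x factor the video quotes.
FLOWS = [
    # ordinary client asks the time server and gets one 48-byte answer
    ("198.51.100.7", 40000, "203.0.113.10", NTP_PORT, 48),
    ("203.0.113.10", NTP_PORT, "198.51.100.7", 40000, 48),
    # one 234-byte request arrives bearing the (spoofed) victim address ...
    ("192.0.2.5", 50000, "203.0.113.10", NTP_PORT, 234),
] + [
    # ... and the server answers the victim with 100 packets of 482 bytes
    ("203.0.113.10", NTP_PORT, "192.0.2.5", 50000, 482)
    for _ in range(100)
]


def amplification_ratios(flows, port=NTP_PORT):
    """Map (server, client) -> (bytes_in, bytes_out, ratio) for traffic
    on `port`: bytes_in is what the client sent to the server, bytes_out
    what the server sent back; ratio is out/in (inf if nothing came in)."""
    totals = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, nbytes in flows:
        if dport == port:            # request towards a server
            totals[(dst, src)][0] += nbytes
        elif sport == port:          # reply coming from a server
            totals[(src, dst)][1] += nbytes
    result = {}
    for key, (b_in, b_out) in totals.items():
        ratio = b_out / b_in if b_in else float("inf")
        result[key] = (b_in, b_out, round(ratio, 1))
    return result


def suspected_amplifiers(flows, threshold=10.0, port=NTP_PORT):
    """Servers that answered some client with `threshold` times more bytes
    than they received: a sign they still honour monlist-style queries and
    are being used as a reflector, so they belong on the shutdown list."""
    return sorted({server for (server, _client), (_i, _o, ratio)
                   in amplification_ratios(flows, port).items()
                   if ratio >= threshold})


if __name__ == "__main__":
    for pair, stats in amplification_ratios(FLOWS).items():
        print(pair, stats)
    print("suspected amplifiers:", suspected_amplifiers(FLOWS))
```

On real data the same logic runs over NetFlow or sFlow exports; the ratio is what matters, not the exact byte counts.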
Love Computerphile; Nottingham U has some great public education vids for many science fields.
Be sure to check out Tom's own channel too, as well as /r/TomScott.
Very timely after DynDNS getting DDoSed. It was a hot mess for the East Coast and even caused disruptions all the way to the West Coast; it was pretty bad.
The sound of that type of pen on paper always makes me uneasy
I found an interesting read about Microsoft's secret initiative on taking down bot herders. It was first launched around 2009, possibly earlier. A notorious botnet called Waledac. Some say it was the first of its kind; others might say it was the start of the botnet invasion. Overall, Microsoft took action and launched a couple of different campaigns; one of the most famous was Project MARS. Project MARS was most popular because this project included ISPs. (Microsoft has notice of IP addresses of computers potentially compromised by the Waledac and Rustock botnets. 'We have worked with major Internet Service Providers (ISP) and Computer Emergency Response Teams (CERT) across the world to notify computer users who may be infected by Waledac and Rustock.' That process may have led you to this page.) These campaigns included cold calling a customer and letting them know that the customer's computer was possibly infected, and CERTs would go into action, resolve and destroy the infection. Now, further research has shed light on a more recent event, let's say in the last couple of months. What Microsoft thought was taking action and helping people back then has now turned around on them 360 (no pun intended). Possibly the same suspects, hackers and/or bot herders, are now using the very technique Microsoft did those years ago.
If someone wanted to go into network security like this, what resources would be the best to research? It seems like there's really a lack of protection against these kinds of attacks, and although difficult, it shouldn't be impossible.
This happened to Riot Games a few years ago, if anyone remembers. Big, massive scale DDOS. A buddy of mine was working there at the time and he said something along the lines of "yea, it was big. we had a bunch of different companies trying to reduce the impact."
NDA wouldn't let me speak of the details, but it shut them down pretty hard for a while.
What's to stop ISPs or businesses from using ACLs to throttle the known protocols to only acknowledging 2000bps on an outside-facing connection?
Bruce Schneier is pretty close in that someone is learning how to take down the internet with all the recent cyber intrusions and auditing of network infrastructure and security systems.