The evolution of Denial of Service attacks into Distributed and Reflected extremely devastating attacks

A Denial of Service (DoS) attack is one in which an attacker disrupts a computer or server and denies it the normal quality of service it should experience. Many of the first attacks of this type were done as pranks and were mostly considered harmless fun or merely annoying to the victim. These initial DoS attacks were rarely reported, and there was typically little public awareness because they were mainly targeted against youths; adults who were affected mostly did not understand what was happening to them, and if they did, the severity of the attacks was rarely enough to warrant a significant reaction.

During the late 1990s the nature of DoS attacks began to change from playful mischief into damaging and costly assaults on businesses and users who used computers for financial gain, research and other significant purposes. Several types of DoS attacks were developed during this period. Some of the first exploited weaknesses or flaws in the victim’s operating system; the most prevalent attacks of this nature were WinNuke, Teardrop and Ping of Death. These attacks wreaked havoc on the internet and launched a new wave in terrorism. They differed in nature from early denial of service attacks: computers were being frozen and shut down, and web servers were taken offline until the administrator could reboot the system.
WinNuke was able to successfully exploit computers that ran the Windows 95, NT and 3.11 operating systems. It functioned by sending special OOB (Out-of-Band) data packets to the IP address of the Windows user on port 139, which is used for NetBIOS. When a Windows computer receives the OOB data, it is not able to handle the packet because it follows a pointer in the packet to a spot that does not exist. This caused unexplained and mixed results, the most prominent being the “blue screen of death”, which would pop up on the victim’s machine with an error message and force a reboot. In some cases the remote system would simply freeze or immediately reboot (myst, 1997). Though the WinNuke attack could be very frustrating and waste the victim’s time, the damage inflicted was not permanent. A simple reboot of the system was normally enough to fully recover. The biggest risk was that any programs that were open or work that was unsaved at the time would in most cases be lost. After the exploit code was officially released, Microsoft was able to create a patch that users could download to prevent the exploit; however, for several months prior to the public release of the exploit many hackers on the underground had been launching the attack and crashing computers at will. Until a patch was released, the only defense a user had was to have a firewall in place that would block the incoming packets.
Teardrop was released around the same time as WinNuke, and this attack was able to exploit the same Windows machines and also Linux systems with kernels 2.0.32, 2.1.63 and previous versions. This meant that many more servers hosting websites and sensitive information were taken offline by this attack. The DoS was a “fragment attack” that exploited the IP protocol in these systems. IP fragments large packets into several IP packets, each having a sequence number and a common identification number. When receiving data, the recipient reassembles the packets according to the offset values they contain. The attack inserted false offset information into fragmented packets. As a result, during reassembly there are empty or overlapping fragments that can cause the system to become unstable and typically freeze or automatically shut down.
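The reassembly problem described above can be checked for defensively. The following is an added example, not code from the original article: it groups fragments by sender and identification number and reports overlapping fragments and holes. The `Frag` record layout and the sample addresses are constructed for illustration, and the check assumes every fragment of the datagram has been captured.

```python
from collections import defaultdict
from typing import NamedTuple

class Frag(NamedTuple):
    src: str      # sender address
    ident: int    # IP identification value shared by all fragments of a datagram
    offset: int   # fragment offset field, counted in 8-byte units
    length: int   # payload bytes carried by this fragment
    more: bool    # MF (more fragments) flag

def check_fragments(frags):
    """Return {(src, ident): [findings]} for fragment sets that do not reassemble cleanly."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.ident)].append(f)
    report = {}
    for key, group in groups.items():
        group.sort(key=lambda f: f.offset)     # fragments may arrive out of order
        findings, covered = [], 0              # covered = bytes reassembled so far
        for f in group:
            start = f.offset * 8
            end = start + f.length
            if start < covered:
                kind = "contained in" if end <= covered else "overlaps"
                findings.append(f"fragment {start}-{end} {kind} earlier data 0-{covered}")
            elif start > covered:
                findings.append(f"hole {covered}-{start}")
            covered = max(covered, end)
        if group[-1].more:
            findings.append("last fragment missing")
        if findings:
            report[key] = findings
    return report

# Constructed sample: one clean datagram and two malformed fragment sets.
SAMPLE = [
    Frag("192.0.2.10", 100, 0, 1480, True),
    Frag("192.0.2.10", 100, 185, 1480, True),
    Frag("192.0.2.10", 100, 370, 40, False),
    Frag("198.51.100.7", 200, 0, 40, True),
    Frag("198.51.100.7", 200, 3, 8, False),    # bytes 24-32 sit inside 0-40
    Frag("198.51.100.9", 300, 0, 16, True),
    Frag("198.51.100.9", 300, 4, 16, False),   # bytes 32-48 leave a hole at 16-32
]

if __name__ == "__main__":
    for key, findings in check_fragments(SAMPLE).items():
        print(key, findings)
```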

The Ping of Death attack was another attack which exploited a flaw similar to the teardrop attack.

Unlike the DoS attacks mentioned so far, the next wave of attacks could not be easily stopped, and there were no patches to prevent them. The attacks were based on flooding a remote user’s internet connection and were therefore effective against any operating system, because the attack was targeted at the bandwidth of the system, not the operating system itself. These attacks forced users and administrators to start implementing firewalls and system configurations to help slow, if not stop, these attacks. Since the attacks were mainly focused on bandwidth, a victim who did not have more bandwidth than the attacker was almost always helpless in fending off such an attack. Ping flooding was one of these attacks; the ping flood did not require exploiting a flaw in a remote system, and it was able to overwhelm any system that had less bandwidth than the attacker. The attack used the ICMP protocol and worked by overwhelming the target with more ICMP traffic than it could handle. For example, if an attacker had a cable modem and decided to attack a dial-up user, the dial-up user would be overloaded with traffic and eventually disconnected. If the dial-up user tried to ping flood the cable modem, the user of the cable modem might not even notice that they were under attack because of the significant difference in bandwidth capabilities.

The Smurf attack, which may be one of the most popular DoS attacks of all time, took ping flooding to a whole new level. It added the ability to spoof IP packets and used a list of broadcast hosts to amplify the attack. Spoofing an IP packet means hiding the true source IP address and putting a forged one in its place. The broadcast hosts were networks where the attacker could send an ICMP echo request to the network’s broadcast address and it would reply any given number of times; some networks were so misconfigured that they were reported to have replied over a thousand times. One of the non-profit organizations that helped to reduce the number of broken networks in the world reported that on January 25th of 1999 there were 122,945 broken networks. If an attacker had listed all of these networks in their broadcast list file and targeted a victim server, it would be bombarded by an enormous amount of traffic that virtually no servers at that time could handle. Due to the efforts of and public awareness of the Smurf attacks, reported in January 25th of 2005 that there were only 2,417 broken networks left (, 2005). The few remaining networks that were still broken would only reply to an echo request a maximum of about fifty times, which was greatly reduced from early reports. By this time most networks were configured to reply to only a limited number of ping requests, and many networks even disabled incoming ICMP requests completely, essentially making Smurf attacks obsolete and ineffective. Having personally been on both sides of the previous attacks countless times during a misspent youth, I can personally state the Smurf attack done in peak of its power was certainly devastating and overpowering.
At the time I was on a DSL connection with a personal firewall and when the Smurf attacks would be launched against me, my firewall was able to slow an attack for no more than five seconds and then so many packets hit it that it could not block them all and my internet connection was useless until the attack was halted. The Smurf attack was also one of the first major DDoS (Distributed Denial of Service) attacks, which means it used multiple hosts to attack a target.

In the early 2000s attackers developed some new tools, as Smurf and other ICMP flooding programs were growing far less effective with so many servers denying ICMP ping requests and effectively blocking the attacks with firewalls. Many forms of SYN flooding attacks became popular. SYN floods take advantage of the TCP handshake process: they flood a host with thousands of handshake requests and purposely do not complete the handshake, leaving thousands of half-open requests on a system. These types of attacks can still be used today if a network is not properly configured to handle them. At the same time many attackers began using UDP flooding because UDP was a protocol that could not be completely denied, as it is needed for communications. These types of attacks are still effective today if sent with enough bandwidth. Other attacks targeted the TCP protocol, flooding targets with packets that had the ACK flag set and using other mechanisms to render the target’s internet connection worthless.
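The half-open handshakes described above are what a defender counts to recognise a SYN flood. The following is an added example, not code from the original article: it tracks client-to-server TCP events and reports servers with many handshakes that never received the final ACK. The event tuple layout, the 3-second grace period, the threshold of 100 and the sample addresses are all assumptions constructed for illustration.

```python
from collections import Counter

def stale_half_open(events, now, grace=3.0):
    """Count handshakes per (server, port) that saw a SYN but no final ACK within `grace` seconds.

    events: (timestamp, client, client_port, server, server_port, flag) tuples,
    where flag is "S" (SYN), "A" (final ACK) or "R" (reset).
    """
    pending = {}                                   # connection 4-tuple -> time of first SYN
    for ts, src, sport, dst, dport, flag in sorted(events):
        conn = (src, sport, dst, dport)
        if flag == "S":                            # client opens a handshake
            pending.setdefault(conn, ts)
        elif flag in ("A", "R"):                   # client completes or aborts it
            pending.pop(conn, None)
    counts = Counter()
    for (_, _, dst, dport), ts in pending.items():
        if now - ts > grace:                       # a normal handshake finishes well inside the grace period
            counts[(dst, dport)] += 1
    return counts

def flooded_targets(events, now, threshold=100, grace=3.0):
    """Return the (server, port) pairs whose stale half-open count reaches `threshold`."""
    counts = stale_half_open(events, now, grace)
    return sorted(target for target, n in counts.items() if n >= threshold)

def build_sample():
    """Constructed traffic: 5 completed handshakes, 300 abandoned SYNs, 2 stragglers."""
    events = []
    for i in range(5):                             # clients that finish the handshake
        client = f"192.0.2.{i + 1}"
        events.append((i * 0.1, client, 40000 + i, "203.0.113.5", 80, "S"))
        events.append((i * 0.1 + 0.05, client, 40000 + i, "203.0.113.5", 80, "A"))
    for i in range(300):                           # SYNs that are never completed
        src = f"198.51.100.{i % 250 + 1}"
        events.append((1.0 + i * 0.001, src, 1024 + i, "203.0.113.5", 80, "S"))
    events.append((1.5, "192.0.2.50", 50000, "203.0.113.6", 22, "S"))   # one lost client
    events.append((9.9, "192.0.2.51", 50001, "203.0.113.5", 80, "S"))   # still inside grace
    return events

if __name__ == "__main__":
    print(flooded_targets(build_sample(), now=10.0))
```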

All of the flooding tools that have been discussed were dangerous in their own right if used on networks with high bandwidth, and this type of thinking led to the next phase in the evolutionary process of DoS. Distributed Denial-of-Service (DDoS) arrived on the scene; Smurf was considered the first attack of this type but definitely would not be the last. Hackers were developing tools that could scan all of the IP addresses in the world for specific open ports. The ports scanned were those of known exploitable services in these networks, and during this time there were a lot of 0-day exploits being passed around and sold on the underground. 0-day exploits are those for which no known patch exists; they typically have not been publicly released, and the vendor of the exploited service does not even know about them. Scans were then modified to add the ability to attempt an exploitation of the remote systems on which these vulnerable services were found and, upon successful exploitation, install either a full rootkit or a simple backdoor rootshell on a specified port, or create a super user account that the attacker could later log into. A rootkit is a package of software that can be used to hide logs, install backdoors on the system and replace legitimate services with trojaned ones. Attackers would also install a daemon service that would effectively turn the exploited machines into zombie servers. The attacker would specify a server that all of the zombie servers they had compromised would connect to. This is what is known as a DDoSnet, sometimes incorrectly referred to as simply a “botnet” by the academic IT community. A botnet in itself can be used for legitimate means; most commonly the term comes from IRC networks, in which botnets act together on the same network to administer communication channels and network services. In this regard all DDoSnets are botnets but not all botnets are DDoSnets, and the distinction is rarely made in the academic world.
With the ability to launch attacks from thousands of servers at the same time, attacks could be amplified by the number of systems and the amount of bandwidth in the DDoSnet. The attackers took the same basic flooding attacks that have been mentioned and combined them into one big package that the zombie server could launch. For instance, with a DDoS software package known as Trinoo the attacker could direct each zombie node on the network to launch a UDP, TCP, ICMP, IGMP or SYN flood attack, or a combination of attacks on a combination of different ports.

The world of DoS and DDoS as it exists today has remained virtually the same as it was in the early 2000s, with some small variants and slight modifications of the attack tools. For the most part the original DDoS networks and servers used for launching DoS attacks were Linux/Unix based. These were primary targets for many reasons, one of which was that anyone who considered themselves a true hacker in the underground arena did not hack Windows systems. Linux/Unix systems were prestigious hacks that typically allowed the attacker to gain access to a high-end network that would be very stable, with system uptimes in the hundreds of days compared to several days on most personal Windows machines. Having personally seen several of the largest DDoS networks in the world in the early 2000s, one such network was composed of over 5000 servers including mainly academic servers with domain extensions such as .edu,, and other academic servers worldwide. There are many reasons that colleges and universities have been a primary target for hackers. One reason is that they typically have very high bandwidth internet connections. Another is that many of the servers on their networks are set up for research, student learning and as test servers and are not properly administered. Servers owned and operated by businesses typically have the funding to hire qualified administrators to monitor their network.

In more recent times home PC users have become targets for attackers to exploit and turn into zombies for DDoS networks. This has happened because the average internet connection speed for broadband users has risen dramatically since the early 2000s. While home PC users typically do not have particularly high bandwidth compared to business and academic lines, the number of infected users is such that the attacker can compensate for the lack of bandwidth with a mass of zombies. It was reported in 2010 that a hacker group known as “Anonymous” was in control of over 1,000,000 zombie computers. They showed their DDoS capabilities in 2011 while launching a massive DDoS campaign against payment processors and successfully took down, and several of’s servers at the same time.

Over the last twenty years denial of service attacks have evolved from simple pranks and annoying tricks into costly and damaging incidents. Denial of service attacks have become more and more frequent because the amount of skill required to build attack networks and launch attacks has diminished. Having personally been away from the underground network for close to a decade now, I was curious how easy it has become and did a little research. I located a PHP script that is capable of launching a very fast and lethal UDP flood and did some crafted Google searches to locate servers that would be indexed on the search engine with this script installed. In less than an hour I was able to locate 57 servers with such a script installed; this means I could potentially launch an attack from these very fast web servers and take down many large networks with no trouble. As a Certified Ethical Hacker and a very experienced pen tester, the rapid increase and power of denial of service attacks have me very worried about the future of the internet in its current state.
