If you’ve been part of a gaming community you have more than likely come across the term “DDoS”, in full “Distributed Denial of Service attack”. It is a malicious technique that prevents access to a resource, like a website or (game) server, by flooding that resource with so much bogus traffic that legitimate requests no longer get through.
Johnny is mad!
Here’s an example of what could happen to any website or (game) server that is connected to the internet:
Johnny is mad at the administration of his favorite Garry’s Mod DarkRP server. He was accused of hacking by some 12-year-old admin who doesn’t even know what he’s talking about. Filled with anger, Johnny shuts down Garry’s Mod.
CheatEngine.exe has stopped responding. -shit-
After Johnny has quickly opened Internet Explorer and navigated to his Hotmail inbox, he composes a new email to his friends: “Guys, visit this website and keep refreshing as fast as you can!”.
On the other side of the planet a 12-year-old Garry’s Mod DarkRP server administrator is just shutting down his game to go have a look at the forums. To his dismay the forums appear unreachable! Sometimes he manages to get half a page to load, but most of the time he’s stuck watching a loading indicator or getting server errors.
In this example Johnny is using his friends to get something offline by distributing a DoS-attack command to each of his friends. Thanks to automation, though, nothing in this process has to be done by hand once someone has put enough time into setting it up. The downside is that, because of constant optimisation and the discovery of new techniques, DDoS attacks are easier, faster and stronger today than ever before. Instead of Johnny’s friends repeatedly visiting a website, there would be tens or even hundreds of thousands of devices making the requests automatically.
DDoS attacks these days are usually executed from ‘hijacked’ devices. Due to poor software implementations or human mistakes, a lot of devices are broken into and taken over to do whatever the hacker wants. A collection of compromised devices that can be used to perform DoS attacks is known as a botnet (shown in the dotted red box in the image below).
Now, with a whole lot of new devices categorised under ‘Internet of Things’, or IoT for short, come more potential recruits for the botnet. From the first generations of these IoT devices we have already learned that companies generally do not invest proper time and money in the security of their devices. This has resulted in problems ranging from random, uncomfortable smart-thermostat changes all the way to smart sex toys being activated by a stranger, and strangers looking at explicit photo albums made by the users.
You can protect your devices from becoming part of a botnet in the following ways:
If you own a personal computer connected to the internet:
- Ensure you are running an anti-virus/firewall (the default Windows Defender will do in most cases)
- Make sure your anti-virus is updated so that it knows about new vulnerabilities
- Do not download shady files, or files from shady websites
- Update all internet-connected software frequently. Examples of software to keep updated: firewalls, browsers (Chrome, Firefox, Opera, etc.), communication software (Skype, Discord, TeamSpeak) and of course your multiplayer games.
If you own a server connected to the internet:
- Ensure you are running a firewall (your server provider may offer firewall protection)
- Ensure all software and scripts on your server are updated frequently. It is worth subscribing to technical newsletters for the software you use so that you are informed when a vulnerability is found. Examples of software that can be vulnerable are: web servers and load balancers (Apache, nginx, Microsoft IIS), connectivity tools (like SSH) and web applications or frameworks (WordPress, Joomla, phpBB, vBulletin, Laravel, CakePHP, Ruby on Rails, etc.). Note that this list is only an indication of what can be vulnerable. As of writing, there are no public vulnerabilities in the latest versions of this software.
Besides a botnet “just refreshing” a web page, there are more kinds of attack that can be performed to disrupt a service. Kaspersky Lab publishes a quarterly report on DDoS attacks, and the report for Q2 2018 showed the following attack distribution:
As you can see, ‘http’ is used the fewest and roughly corresponds to the attack in the Johnny example. The other attacks are all variations on this, using different kinds of communication (protocols) and targeting different kinds of software. Some of these attacks only work against specific servers, whilst others can be used against any internet-connected device.
How do people do this so easily?
With the rise of DDoS attacks came a whole library of ways to execute them yourself. One method that is often used is a ‘Booter’. Booters are a way to “rent” the power of a botnet to anyone with malicious intent. An attacker goes to a Booter website, chooses a target (by IP or website domain), pays through cryptocurrency (or sometimes even PayPal) and presses the “Go” button. Within seconds a website can be brought offline by a botnet that doesn’t even belong to the attacker.
In practice these Booters are often cloaked as “legitimate stress testers”: a way for someone to test their own online devices against DDoS attacks. In reality these services are often run by very shady people and sometimes even by criminal organisations. A legitimate stress-testing tool would require at least some effort to prove that the target is your property.
Is it legal to buy/perform a DDoS?
Although this depends on what part of the world you are in, most countries do not allow people to knock someone’s services offline (and sometimes cause damage in the process). Even using someone else’s botnet is illegal, and in the Netherlands there have been arrests and convictions of people who used a Booter to knock down big websites.
The big danger governments are afraid of is an attacker using a botnet to hit a sensitive network, whether on purpose or by accident. Their worst nightmare is an inexperienced attacker accidentally leaving an airport or hospital with connectivity issues, potentially causing accidents or loss of life.
Users of Booters, and even novice hackers with their own botnets, often feel invincible and untraceable because of their efforts to remain anonymous. Yet it has been shown time and again that over time these people make mistakes in their online behaviour: logging in to illegal services without a proxy or VPN, buying access to illegal services without a proxy or VPN, giving out personal information such as which country they’re travelling to, and even having a hacker’s phone accidentally connect to a network, exposing their time and location. There’s an interesting DEF CON (hacking conference) talk on how the FBI caught a big hacker involved in credit-card fraud that you can watch on YouTube.
Can I protect my networks?
First and foremost, you should always report attacks targeting your device to the police. Although it is unlikely they’ll set up an investigation against someone taking down your Minecraft server every month, they’ll build a file which can come in useful in other cases.
Although I reported a DDoS attack to the police, it wasn’t until years later that I read of an arrest in which the attacker was finally caught and convicted on multiple charges.
When reporting to the police, be sure to provide logs from your device that show the IPs of the attackers or the botnet. On Windows you can use something like Wireshark to log incoming traffic.
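Wireshark captures are one option; a web or forum server also keeps an access log that can show the same thing. The script below is an added example (not part of the original article) that reads nginx/Apache “combined”-format log lines, flags every source IP that exceeds a request rate inside a sliding window, and prints a short per-IP summary of the kind you would attach to a report. The sample log lines are constructed, with the flood coming from the documentation address 198.51.100.7.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the common "combined" access-log format written by nginx and Apache.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, timestamp, request_line), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")

def flag_floods(lines, window_seconds=10, threshold=20):
    """Flag every source IP that sends more than `threshold` requests inside any
    sliding window of `window_seconds`. Returns {ip: (peak_count, first_flagged, last_seen)}."""
    recent = defaultdict(deque)        # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:             # skip malformed or unrelated lines
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()                # drop requests that fell out of the window
        if len(q) > threshold:
            peak, first, _ = flagged.get(ip, (0, ts, ts))
            flagged[ip] = (max(peak, len(q)), first, ts)
    return flagged

def report(lines, window_seconds=10, threshold=20):
    """One summary line per flagged IP, busiest first, suitable for attaching to a report."""
    flagged = flag_floods(lines, window_seconds, threshold)
    return [f"{ip}: peak {peak} requests per {window_seconds}s, flagged {first:%Y-%m-%d %H:%M:%S} until {last:%H:%M:%S}"
            for ip, (peak, first, last) in sorted(flagged.items(), key=lambda kv: -kv[1][0])]

def sample_log():
    """Constructed sample: one normal visitor and one client hammering the forum like Johnny's friends."""
    base = datetime(2018, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    line = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET /forum/ HTTP/1.1" 200 5120'
    flood = [line.format(ip="198.51.100.7", ts=base + timedelta(milliseconds=100 * i)) for i in range(60)]
    normal = [line.format(ip="203.0.113.5", ts=base + timedelta(seconds=7 * i)) for i in range(3)]
    return flood + normal
```

Run `print("\n".join(report(sample_log())))` to see the summary; for a real log, pass `open("access.log")` instead of `sample_log()` and tune the window and threshold to your normal traffic.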
For websites you can also put a big network service between the site and its visitors. Services like CloudFlare and Akamai direct the incoming traffic for your domain to your server. When CloudFlare detects potentially malicious behaviour it automatically attempts to mitigate it, which can mean showing a CAPTCHA to visitors to tell who is human and who is one of Johnny’s friends. CloudFlare tries to block malicious traffic before it ever reaches your website.
A mistake some people make is leaving a route to the web server that does not go through CloudFlare. Even though the main way in is through CloudFlare, an attacker could use a different or more direct route to reach the server itself.
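The usual fix for that mistake is to make the origin server accept connections only from the proxy service’s own addresses, and to trust the proxy-supplied “real client” header only when the connection really comes from the proxy, so your logs record the visitor’s IP instead of the proxy’s. The following is an added example (not the article’s or CloudFlare’s own code) of that check in a request handler; the two ranges in TRUSTED_PROXY_RANGES are constructed placeholders, not the real CloudFlare or Akamai list, which you would load from the provider’s published addresses.

```python
import ipaddress

# Constructed placeholder for the proxy's published egress ranges (NOT the real
# CloudFlare or Akamai list); load the provider's current list in a real deployment.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:1::/48")]

def is_trusted_proxy(peer_ip):
    """True when the TCP peer is one of the proxy's own addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)

def resolve_client(peer_ip, headers, header="x-forwarded-for"):
    """Decide whether to serve the request and which address to log as the visitor.

    Returns (allowed, client_ip). The forwarded-client header is only believed when the
    TCP peer really is the proxy; a connection that reached the origin directly can carry
    any value in that header. (CloudFlare also sets CF-Connecting-IP; the header name is a
    parameter so the same check works with other providers.)"""
    if not is_trusted_proxy(peer_ip):
        return False, peer_ip          # bypassed the proxy: refuse and log the real peer
    lowered = {k.lower(): v for k, v in headers.items()}
    first_hop = lowered.get(header, "").split(",")[0].strip()
    try:
        return True, str(ipaddress.ip_address(first_hop))
    except ValueError:
        return False, peer_ip          # proxy sent nothing usable: refuse rather than guess

def handle(peer_ip, headers, access_log):
    """Minimal request gate: append the right address to the log and return an HTTP status."""
    allowed, client = resolve_client(peer_ip, headers)
    access_log.append(("served" if allowed else "refused", client))
    return 200 if allowed else 403
```

Pair this with a host or provider firewall that only opens the web ports to the same ranges, so a direct connection is dropped before it reaches the application at all.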
If you run a game or web server and all this talk of DDoS sounds scary: don’t be. Just do your best to run your game or web server as well as you can. Attracting friendly visitors and building communities makes you stronger as a group. In your time as a server owner you’ll always get one or two loners who attack you, but even these people get bored or run out of money. Besides, your server may not be interesting to attack at all, since there are more valuable targets out there…