Denial-of-service attack - Revision history

Etenne at 17:37, 13 February 2016

2016-02-13T17:37:22Z

← Older revision		Revision as of 17:37, 13 February 2016
Line 1:		Line 1:
	In computing, a '''denial-of-service''' ('''DoS''') '''attack''' is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend [[network services of a host connected to the [[Internet]]. A '''distributed denial-of-service''' ('''DDoS''') is where the attack source is more than one–and often thousands of-unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.		In computing, a '''denial-of-service''' ('''DoS''') '''attack''' is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend [[network services of a host connected to the [[Internet]]. A '''distributed denial-of-service''' ('''DDoS''') is where the attack source is more than one–and often thousands of-unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.

	Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail<ref>{{cite web\|url=http://www.interpacket.com/42882/brand-com-victim-blackmail-attempt-says-president-mike-zammuto/ \|title=Brand.com President Mike Zammuto Reveals Blackmail Attempt\|date=5 March 2014\|archiveurl=https://web.archive.org/web/20140311070205/http://www.interpacket.com/42882/brand-com-victim-blackmail-attempt-says-president-mike-zammuto/\|archivedate=11 March 2014}}</ref><ref>{{cite web\|url=http://dailyglobe.com/61817/brand-coms-mike-zammuto-discusses-meetup-com-extortion/\|title=Brand.com’s Mike Zammuto Discusses Meetup.com Extortion\|date=5 March 2014\|archiveurl=https://web.archive.org/web/20140513044100/http://dailyglobe.com/61817/brand-coms-mike-zammuto-discusses-meetup-com-extortion/?\|archivedate=13 March 2014}}</ref> or activism<ref>{{cite web\|url=http://www.radicalphilosophy.com/article/the-philosophy-of-anonymous \|title=The Philosophy of Anonymous \|publisher=Radicalphilosophy.com \|date=2010-12-17 \|accessdate=2013-09-10}}</ref> can be behind other attacks.		Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail<ref>{{cite web\|url=http://www.interpacket.com/42882/brand-com-victim-blackmail-attempt-says-president-mike-zammuto/ \|title=Brand.com President Mike Zammuto Reveals Blackmail Attempt\|date=5 March 2014\|archiveurl=https://web.archive.org/web/20140311070205/http://www.interpacket.com/42882/brand-com-victim-blackmail-attempt-says-president-mike-zammuto/\|archivedate=11 March 2014}}</ref><ref>{{cite web\|url=http://dailyglobe.com/61817/brand-coms-mike-zammuto-discusses-meetup-com-extortion/\|title=Brand.com’s Mike Zammuto Discusses Meetup.com Extortion\|date=5 March 2014\|archiveurl=https://web.archive.org/web/20140513044100/http://dailyglobe.com/61817/brand-coms-mike-zammuto-discusses-meetup-com-extortion/?\|archivedate=13 March 2014}}</ref> or activism<ref>{{cite web\|url=http://www.radicalphilosophy.com/article/the-philosophy-of-anonymous \|title=The Philosophy of Anonymous \|publisher=Radicalphilosophy.com \|date=2010-12-17 \|accessdate=2013-09-10}}</ref> can be behind other attacks. [[Boylove]] sites are frequently the victims of these types terrorist attacks.

	==Symptoms==		==Symptoms==
Line 216:		Line 216:
	An Application-specific integrated circuit based IPS may detect and block denial-of-service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.		An Application-specific integrated circuit based IPS may detect and block denial-of-service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.

	A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.<ref>{{cite news\|last=Abante\|first=Carl\|title=Relationship between Firewalls and Protection against DDoS\|url=http://www.ecommercewisdom.com/relationship-firewalls-protection-ddos/\|newspaper=Ecommerce Wisdom\|date=March 2, 2013\|accessdate=2013-05-24~~}}{{dubious\|date=December 2013\|reason=SPS non-expert unreliable blog~~}}</ref>		A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.<ref>{{cite news\|last=Abante\|first=Carl\|title=Relationship between Firewalls and Protection against DDoS\|url=http://www.ecommercewisdom.com/relationship-firewalls-protection-ddos/\|newspaper=Ecommerce Wisdom\|date=March 2, 2013\|accessdate=2013-05-24}}</ref>

	===DDS based defense===		===DDS based defense===

Etenne: /* Legality */

2016-02-13T17:29:39Z

Legality

← Older revision		Revision as of 17:29, 13 February 2016
Line 261:		Line 261:
	Many jurisdictions have laws under which denial-of-service attacks are illegal.		Many jurisdictions have laws under which denial-of-service attacks are illegal.

	* In the US, denial-of-service attacks may be considered a federal crime under the [[Computer Fraud and Abuse Act]] with penalties that include years of imprisonment.<ref>{{cite web\|url=http://www.gpo.gov/fdsys/pkg/USCODE-2010-title18/html/USCODE-2010-title18-partI-chap47-sec1030.htm \|title=United States Code: Title 18,1030. Fraud and related activity in connection with computers \| Government Printing Office \|publisher=www.gpo.gov \|date=2002-10-25\|accessdate=2014-01-15}}</ref> The [[Computer Crime and Intellectual Property Section]] of the US ~~[[United States Department of Justice\|~~Department of Justice]] handles cases of (D)DoS.		* In the US, denial-of-service attacks may be considered a federal crime under the Computer Fraud and Abuse Act with penalties that include years of imprisonment.<ref>{{cite web\|url=http://www.gpo.gov/fdsys/pkg/USCODE-2010-title18/html/USCODE-2010-title18-partI-chap47-sec1030.htm \|title=United States Code: Title 18,1030. Fraud and related activity in connection with computers \| Government Printing Office \|publisher=www.gpo.gov \|date=2002-10-25\|accessdate=2014-01-15}}</ref> The Computer Crime and Intellectual Property Section of the US Department of Justice handles cases of (D)DoS.
	* In ~~[[Europe]]an~~ countries, committing criminal denial-of-service attacks may, as a minimum, lead to arrest.<ref>{{cite web\|title=International Action Against DD4BC Cybercriminal Group\|url=https://www.europol.europa.eu/content/international-action-against-dd4bc-cybercriminal-group\|website=EUROPOL\|date=12 January 2016}}</ref> The [[United Kingdom]] is unusual in that it specifically outlawed denial-of-service attacks and set a maximum penalty of 10 years in prison with the [[Police and Justice Act 2006]], which amended Section 3 of the [[Computer Misuse Act 1990]].<ref>{{cite web\|title=Computer Misuse Act 1990\|url=http://www.legislation.gov.uk/ukpga/1990/18/section/3\|website=legislation.gov.uk — The National Archives, of UK\|date=10 January 2008}}</ref>		* In European countries, committing criminal denial-of-service attacks may, as a minimum, lead to arrest.<ref>{{cite web\|title=International Action Against DD4BC Cybercriminal Group\|url=https://www.europol.europa.eu/content/international-action-against-dd4bc-cybercriminal-group\|website=EUROPOL\|date=12 January 2016}}</ref> The [[United Kingdom]] is unusual in that it specifically outlawed denial-of-service attacks and set a maximum penalty of 10 years in prison with the Police and Justice Act 2006, which amended Section 3 of the Computer Misuse Act 1990.<ref>{{cite web\|title=Computer Misuse Act 1990\|url=http://www.legislation.gov.uk/ukpga/1990/18/section/3\|website=legislation.gov.uk — The National Archives, of UK\|date=10 January 2008}}</ref>

	On January 7, 2013, [[Anonymous (group)\|Anonymous]] ~~[[We the People (petitioning system)\|~~posted a petition]] on the [[whitehouse.gov]] site asking that DDoS be recognized as a legal form of protest similar to the ~~[[Occupy movement\|~~Occupy protests]], the claim being that the similarity in purpose of both are same.<ref>{{cite web\|url=http://www.huffingtonpost.com/2013/01/12/anonymous-ddos-petition-white-house_n_2463009.html \|title=Anonymous DDoS Petition: Group Calls On White House To Recognize Distributed Denial Of Service As Protest. \|publisher=HuffingtonPost.com \|date=2013-01-12}}</ref><ref>[https://www.youtube.com/watch?v=59AlNnX_Ksg&feature=feedu "DDOS Attack: crime or virtual sit-in?"]. RT.com. YouTube.com. October 6, 2011. <!-- Official YT channel--></ref>		On January 7, 2013, [[Anonymous (group)\|Anonymous]] posted a petition on the whitehouse.gov site asking that DDoS be recognized as a legal form of protest similar to the Occupy protests, the claim being that the similarity in purpose of both are same.<ref>{{cite web\|url=http://www.huffingtonpost.com/2013/01/12/anonymous-ddos-petition-white-house_n_2463009.html \|title=Anonymous DDoS Petition: Group Calls On White House To Recognize Distributed Denial Of Service As Protest. \|publisher=HuffingtonPost.com \|date=2013-01-12}}</ref><ref>[https://www.youtube.com/watch?v=59AlNnX_Ksg&feature=feedu "DDOS Attack: crime or virtual sit-in?"]. RT.com. YouTube.com. October 6, 2011. <!-- Official YT channel--></ref>

	==References==		==References==

Etenne: /* Side effects of attacks */

2016-02-13T17:26:05Z

Side effects of attacks

← Older revision		Revision as of 17:26, 13 February 2016
Line 250:		Line 250:
	===Backscatter===		===Backscatter===

	In computer network security, backscatter is a side-effect of a spoofed denial-of-service attack. In this kind of attack, the attacker spoofs (or forges) the source address in ~~[[Internet Protocol\|~~IP~~]] [[Packet (information technology)\|~~packets]] sent to the victim. In general, the victim machine cannot distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter.<ref>{{cite web \|url=http://www.caida.org/publications/animations/ \|work=Animations \|title=Backscatter Analysis (2001) \|type=video \|publisher=[[Cooperative Association for Internet Data Analysis]] \|accessdate=December 11, 2013}}</ref>		In computer network security, backscatter is a side-effect of a spoofed denial-of-service attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP packets sent to the victim. In general, the victim machine cannot distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter.<ref>{{cite web \|url=http://www.caida.org/publications/animations/ \|work=Animations \|title=Backscatter Analysis (2001) \|type=video \|publisher=[[Cooperative Association for Internet Data Analysis]] \|accessdate=December 11, 2013}}</ref>

	If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by [[network ~~telescope]]s~~ as indirect evidence of such attacks.		If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by network telescopes as indirect evidence of such attacks.

	The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the [[IP address]] space to determine characteristics of DoS attacks and victims.		The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the [[IP address]] space to determine characteristics of DoS attacks and victims.

Etenne: /* Unintentional denial-of-service */

2016-02-13T17:24:38Z

Unintentional denial-of-service

← Older revision		Revision as of 17:24, 13 February 2016
Line 238:		Line 238:
	Routers have also been known to create unintentional DoS attacks, as both D-Link and Netgear routers have overloaded NTP servers by flooding NTP servers without respecting the restrictions of client types or geographical limitations.		Routers have also been known to create unintentional DoS attacks, as both D-Link and Netgear routers have overloaded NTP servers by flooding NTP servers without respecting the restrictions of client types or geographical limitations.

	Similar unintentional denials-of-service can also occur via other media, e.g. when a URL is mentioned on television. If a server is being indexed by [[Google]] or another [[search engine]] during peak periods of activity, or does not have a lot of available bandwidth while being indexed, it can also experience the effects of a DoS attack.{{citation needed\|reason=I've never seen Google send more than one request per minute to my server, usually much less often than that. Other crawlers may be more aggressive though. Do we have a reliable source about this?\|date=March 2013}}		Similar unintentional denials-of-service can also occur via other media, e.g. when a URL is mentioned on television. If a server is being indexed by [[Google]] or another [[search engine]] during peak periods of activity, or does not have a lot of available bandwidth while being indexed, it can also experience the effects of a DoS attack.

	Legal action has been taken in at least one such case. In 2006, ~~[[Universal Tube & Rollform Equipment\|~~Universal Tube & Rollform Equipment Corporation]] sued [[YouTube]]: massive numbers of would-be youtube.com users accidentally typed the tube company's URL, utube.com. As a result, the tube company ended up having to spend large amounts of money on upgrading their bandwidth.<ref>{{cite news \|title=YouTube sued by sound-alike site \|work=BBC News \|date=2006-11-02 \|url=http://news.bbc.co.uk/2/hi/business/6108502.stm }}</ref> The company appears to have taken advantage of the situation, with utube.com now containing ads for advertisement revenue.		Legal action has been taken in at least one such case. In 2006, Universal Tube & Rollform Equipment Corporation sued [[YouTube]]: massive numbers of would-be youtube.com users accidentally typed the tube company's URL, utube.com. As a result, the tube company ended up having to spend large amounts of money on upgrading their bandwidth.<ref>{{cite news \|title=YouTube sued by sound-alike site \|work=BBC News \|date=2006-11-02 \|url=http://news.bbc.co.uk/2/hi/business/6108502.stm }}</ref> The company appears to have taken advantage of the situation, with utube.com now containing ads for advertisement revenue.

	In March 2014, after [[Malaysia Airlines Flight 370]] went missing, [[DigitalGlobe]] launched a [[crowdsourcing]] service on which users could help search for the missing jet in satellite images. The response overwhelmed the company's servers.<ref>{{cite web\|url=http://wnmufm.org/post/people-overload-website-hoping-help-search-missing-jet\|title=People Overload Website, Hoping To Help Search For Missing Jet\|author=Bill Chappell\|publisher=NPR\|date=12 March 2014\|accessdate=4 February 2016}}</ref>		In March 2014, after Malaysia Airlines Flight 370 went missing, DigitalGlobe launched a crowdsourcing service on which users could help search for the missing jet in satellite images. The response overwhelmed the company's servers.<ref>{{cite web\|url=http://wnmufm.org/post/people-overload-website-hoping-help-search-missing-jet\|title=People Overload Website, Hoping To Help Search For Missing Jet\|author=Bill Chappell\|publisher=NPR\|date=12 March 2014\|accessdate=4 February 2016}}</ref>

	An unintentional denial-of-service may also result from a prescheduled event created by the website itself. This could be caused when a server provides some service at a specific time. This might be a university website setting the grades to be available where it will result in many more login requests at that time than any other.		An unintentional denial-of-service may also result from a prescheduled event created by the website itself. This could be caused when a server provides some service at a specific time. This might be a university website setting the grades to be available where it will result in many more login requests at that time than any other.

Etenne: /* IPS based prevention */

2016-02-13T17:21:44Z

IPS based prevention

← Older revision		Revision as of 17:21, 13 February 2016
Line 212:		Line 212:

	===IPS based prevention===		===IPS based prevention===
	[[Intrusion-prevention ~~system]]s~~ (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks.~~{{Citation needed\|date=September 2008}}~~		Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks.

	An [[Application-specific integrated circuit~~\|ASIC]]~~ based IPS may detect and block denial-of-service attacks because they have the ~~[[clock rate\|~~processing power]] and the granularity to analyze the attacks and act like a [[circuit breaker]] in an automated way.~~{{Citation needed\|date=September 2008}}~~		An Application-specific integrated circuit based IPS may detect and block denial-of-service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.

	A ~~[[RateBasedIPS\|~~rate-based IPS]] (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.<ref>{{cite news\|last=Abante\|first=Carl\|title=Relationship between Firewalls and Protection against DDoS\|url=http://www.ecommercewisdom.com/relationship-firewalls-protection-ddos/\|newspaper=Ecommerce Wisdom\|date=March 2, 2013\|accessdate=2013-05-24}}{{dubious\|date=December 2013\|reason=SPS non-expert unreliable blog}}</ref>		A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.<ref>{{cite news\|last=Abante\|first=Carl\|title=Relationship between Firewalls and Protection against DDoS\|url=http://www.ecommercewisdom.com/relationship-firewalls-protection-ddos/\|newspaper=Ecommerce Wisdom\|date=March 2, 2013\|accessdate=2013-05-24}}{{dubious\|date=December 2013\|reason=SPS non-expert unreliable blog}}</ref>

	===DDS based defense===		===DDS based defense===

Etenne: /* Application front end hardware */

2016-02-13T17:20:05Z

Application front end hardware

← Older revision		Revision as of 17:20, 13 February 2016
Line 206:		Line 206:

	===Application front end hardware===		===Application front end hardware===
	Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 [[bandwidth management]] vendors.		Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors.

	===Application level Key Completion Indicators===		===Application level Key Completion Indicators===

Etenne: /* Switches */

2016-02-13T17:19:43Z

Switches

← Older revision		Revision as of 17:19, 13 February 2016
Line 198:		Line 198:

	===Switches===		===Switches===
	Most switches have some rate-limiting and ~~[[Access control list\|~~ACL]] capability. Some switches provide automatic and/or system-wide [[rate limiting]], [[traffic shaping]], [[delayed binding]] ([[TCP splicing]]), [[deep packet inspection]] and [[Bogon filtering]] (bogus IP filtering) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN Link failover and balancing.~~{{Citation needed\|date=September 2008}}~~		Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN Link failover and balancing.

	These schemes will work as long as the DoS attacks can be prevented by using them. For example, SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS may be prevented using deep packet inspection. Attacks originating from ~~[[Martian packet\|~~dark addresses]] or going to dark addresses can be prevented using [[bogon filtering]]. Automatic rate filtering can work as long as set rate-thresholds have been set correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.~~{{Citation needed\|date=September 2008}}~~		These schemes will work as long as the DoS attacks can be prevented by using them. For example, SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using bogon filtering. Automatic rate filtering can work as long as set rate-thresholds have been set correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.

	===Routers===		===Routers===

Etenne: /* Firewalls */

2016-02-13T17:12:50Z

Firewalls

← Older revision		Revision as of 17:12, 13 February 2016
Line 193:		Line 193:

	===Firewalls===		===Firewalls===
	In the case of a simple attack, a ~~[[Firewall (computing)\|~~firewall]] could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports or the originating IP addresses.		In the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports or the originating IP addresses.

	More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic.<ref>{{cite web\|url=http://www.computerworld.com/s/article/94014/How_to_defend_against_DDoS_attacks\|first=Paul \|last=Froutan\|title=How to defend against DDoS attacks\|work=[[Computerworld]]\|date=June 24, 2004\|accessdate=May 15, 2010}}</ref> Additionally, firewalls may be too deep in the network hierarchy, with routers being adversely affected before the traffic gets to the firewall.		More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic.<ref>{{cite web\|url=http://www.computerworld.com/s/article/94014/How_to_defend_against_DDoS_attacks\|first=Paul \|last=Froutan\|title=How to defend against DDoS attacks\|work=[[Computerworld]]\|date=June 24, 2004\|accessdate=May 15, 2010}}</ref> Additionally, firewalls may be too deep in the network hierarchy, with routers being adversely affected before the traffic gets to the firewall.

Etenne: /* Attack tools */

2016-02-13T17:09:09Z

Attack tools

← Older revision		Revision as of 17:09, 13 February 2016
Line 181:		Line 181:
	A wide array of programs are used to launch DoS-attacks.		A wide array of programs are used to launch DoS-attacks.

	In cases such as [[MyDoom]] the tools are embedded in malware, and launch their attacks without the knowledge of the system owner. [[Stacheldraht]] is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a ~~[[Client (computing)\|~~client program]] to connect to handlers, which are compromised systems that issue commands to the ~~[[Zombie computer\|~~zombie agents]], which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.<ref name="Dittrich"/>		In cases such as MyDoom the tools are embedded in malware, and launch their attacks without the knowledge of the system owner. Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.<ref name="Dittrich"/>

	In other cases a machine may become part of a DDoS attack with the owner's consent, for example, in [[Operation Payback]], organized by the group [[Anonymous (group)\|Anonymous]]. The ~~[[Low Orbit Ion Cannon\|~~LOIC]] has typically been used in this way. A wide variety of DDoS tools are available today, including paid and free versions, with different features available. There is an underground market for these in hacker related forums and IRC channels.		In other cases a machine may become part of a DDoS attack with the owner's consent, for example, in Operation Payback, organized by the group [[Anonymous (group)\|Anonymous]]. The LOIC has typically been used in this way. A wide variety of DDoS tools are available today, including paid and free versions, with different features available. There is an underground market for these in hacker related forums and IRC channels.

	UK's [[GCHQ]] has tools built for DDoS, named PREDATORS FACE and ROLLING THUNDER.<ref name="firstlook.org"/>		UK's GCHQ has tools built for DDoS, named PREDATORS FACE and ROLLING THUNDER.<ref name="firstlook.org"/>

	==Defense techniques==		==Defense techniques==

Etenne: /* DDoS extortion */

2016-02-13T17:07:02Z

DDoS extortion

← Older revision		Revision as of 17:07, 13 February 2016
Line 176:		Line 176:

	===DDoS extortion===		===DDoS extortion===
	In 2015, DDoS botnets such as DD4BC grew in prominence, taking aim at financial institutions.<ref>{{cite news\|title=Who's Behind DDoS Attacks and How Can You Protect Your Website?\|url=http://blog.cloudbric.com/2015/09/whos-behind-ddos-attacks-and-how-can.html\|accessdate=15 September 2015\|agency=Cloudbric\|date=10 September 2015}}</ref> Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid in [[Bitcoin]].<ref>{{cite news\|last1=Solon\|first1=Olivia\|title=Cyber-Extortionists Targeting the Financial Sector Are Demanding Bitcoin Ransoms\|url=http://www.bloomberg.com/news/articles/2015-09-09/bitcoin-ddos-ransom-demands-raise-dd4bc-profile?mod=djemRiskCompliance\|accessdate=15 September 2015\|agency=Bloomberg\|date=9 September 2015}}</ref> Security experts recommend targeted websites to not pay the ransom. The attackers tend to get into an extended extortion scheme once they recognize that the target is ready to pay.<ref>{{cite news\|last1=Greenberg\|first1=Adam\|title=Akamai warns of increased activity from DDoS extortion group\|url=http://www.scmagazineuk.com/akamai-warns-of-increased-activity-from-ddos-extortion-group/article/438333/\|accessdate=15 September 2015\|agency=SC Magazine\|date=14 September 2015}}</ref>		In 2015, DDoS botnets such as DD4BC grew in prominence, taking aim at financial institutions.<ref>{{cite news\|title=Who's Behind DDoS Attacks and How Can You Protect Your Website?\|url=http://blog.cloudbric.com/2015/09/whos-behind-ddos-attacks-and-how-can.html\|accessdate=15 September 2015\|agency=Cloudbric\|date=10 September 2015}}</ref> Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid in Bitcoin.<ref>{{cite news\|last1=Solon\|first1=Olivia\|title=Cyber-Extortionists Targeting the Financial Sector Are Demanding Bitcoin Ransoms\|url=http://www.bloomberg.com/news/articles/2015-09-09/bitcoin-ddos-ransom-demands-raise-dd4bc-profile?mod=djemRiskCompliance\|accessdate=15 September 2015\|agency=Bloomberg\|date=9 September 2015}}</ref> Security experts recommend targeted websites to not pay the ransom. The attackers tend to get into an extended extortion scheme once they recognize that the target is ready to pay.<ref>{{cite news\|last1=Greenberg\|first1=Adam\|title=Akamai warns of increased activity from DDoS extortion group\|url=http://www.scmagazineuk.com/akamai-warns-of-increased-activity-from-ddos-extortion-group/article/438333/\|accessdate=15 September 2015\|agency=SC Magazine\|date=14 September 2015}}</ref>

	==Attack tools==		==Attack tools==