Episode Transcript
Speaker 1 (00:04):
Get in touch with technology with TechStuff from HowStuffWorks.com.
Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland.
I'm an executive producer at HowStuffWorks and I love all things tech.
And recently,
Randall Charles Tucker, who once proclaimed himself to be the
(00:25):
Bitcoin Baron, was sentenced to a twenty month prison term
and fined more than sixty nine thousand dollars for launching
distributed denial of service, or DDoS, attacks against municipal websites,
which not only affected normal city operations but also emergency
response systems. So today we're gonna take a look at
(00:47):
DDoS attacks and their history, and in our next
episode I will go into more detail about the different
kinds of DDoS attacks out there and the security
measures administrators deploy to mitigate their impact. Because this is
an ongoing important story. We've heard a lot about DDoS
attacks in recent years. There was one that affected some
(01:07):
apartment buildings over in northern Europe and had them shut
down the HVAC systems during the coldest days
of the year, so people no longer had heat. This
is a serious thing. So what the heck is a
DDoS attack? Well, it helps to break this down
by looking at what denial of service means, and generally speaking,
(01:29):
denial of service refers to using tactics that prevent or
discourage people from using something online they otherwise would use
if there were no outside interference, which is a pretty
broad definition. It can cover lots of stuff, and not
just stuff that involves hacking or inserting some malicious code
or sending commands over the internet. A denial of service
(01:52):
attack by itself also does not necessarily aim to steal
information or spy on anyone or anything like that, although
it can certainly accompany those types of attacks as well.
So there are a lot of instances where the denial
of service attack is just part of an overall attacker strategy,
or an attacker might use the threat of a denial
(02:14):
of service attack to extort money from a potential target,
essentially saying pay up or we're gonna shut you down. Often,
attackers will demonstrate their capabilities with a small scale attack
to accompany their demands to show they mean business. So
in other words, they might actually launch a small attack,
bring down a service temporarily, and say that was just
(02:36):
a taste of what could happen if you don't cough
up the dough. But as I said, denying service all
by itself can be the full motive, and it doesn't
have to require code or scripts or overwhelming internet infrastructure.
So for example, let's say I'm looking online for a
forum to talk about one of my interests. And for
(02:57):
this example, we'll just say it's musical theater. Because I
love musicals and I would love to go online and
chat with other fans of musicals. I find a forum.
It's great, there are tons of other enthusiastic fans. Maybe
there are some performers in there as well. We have
threads discussing shows and writers and inspiring performances, maybe some
(03:18):
embarrassing missteps, personal stories from our own performances or the
times we've attended plays, all the stuff you would typically
find on a forum about any given sort of interest.
But then something frustrating starts to happen. The forum gets
invaded by one or more troublemakers. These people disrupt conversations
(03:39):
just for fun. They might hurl insults at people, which
isn't exactly subtle or clever, but it can be an
effective tactic. Or they might be more insidious and post
inflammatory messages that are couched in seemingly reasonable language, which
gives the troublemaker kind of an out, right? Like, oh,
I'm so sorry you're offended. All I was trying to
(03:59):
do is say such and such. You know, they never
said anything blatantly awful. They just implied it, or they
danced around it quite a bit, but ultimately they get
what they want, which is to disrupt the conversation and
turn the attention toward themselves. We tend to call these
folks trolls, and the original reason for that is back
in the old newsgroup days, they were said to be
(04:20):
fishing for hits, or trolling as it were. Trolling in
the sense of drawing a baited line through the water
to lure fish. These trolls were trying to get a
rise out of people and derail conversations, mostly just for laughs.
I've done episodes about trolls before, so I'm going to
leave it at that. But trolling is a type of
(04:42):
denial of service. It disrupts the activity that was supposed
to happen on that site. It discourages people from participating,
it denies them that opportunity. And there was no code
needed to do it. But in the case I mentioned
just now, trolls were mostly looking to get a rise
out of people; they found humor in upsetting the apple cart.
(05:02):
They might not have any goals beyond just being a
nuisance and exerting some small amount of power over people.
Maybe they belong to a different forum and there's a
rivalry between the two. But there are some people who just,
as you might hear in Batman, want to
watch the world burn. But denial of service can have
(05:22):
far more serious effects than just inconveniencing users. For a business,
a denial of service attack can prevent them from conducting
their business, which results in lost revenue. So if you
run an online store and someone brings down your site
or prevents people from getting to your site, you're not
going to make any sales during that time. That's lost money.
(05:44):
Denial of service attacks can also hurt a company or
service's reputation. So for example, there was a massive denial
of service attack that affected Sony's PlayStation network and Microsoft's
Xbox Live service back in during the holiday season, and
it made a lot of gamers really angry. They were
accusing both companies of not doing enough to secure their
(06:06):
services to make sure they were robust against such attacks.
This is sort of like pouring lemon juice in the wound.
In some ways, you know they're already hurting because they've
been knocked down, and now the users are yelling at
them too. But there is a valid argument to be
made that services, particularly really big, heavily trafficked services, need
(06:28):
to invest in good security measures. I talked about a
non technical approach to denial of service attacks with that
forum example, but most of the time when we talk
about the denial of service attack, we tend to mean
one that involved bringing down a system using some sort
of technology based attack vector. So you can think of
denial of service attacks belonging to three large categories in general.
(06:52):
The first category is volumetric. That means the goal is
to overwhelm the target by sending a huge number of requests
or messages to that target device, more messages than the
target can actually handle. And I always think of this
in a rather old fashioned way. When I was growing up,
cell phones weren't really a thing. Everyone had landlines. You know,
(07:15):
you'd be at home and you'd use your phone, which
was plugged into the wall, and in fact, most of
the time it was a wired handset. There weren't a
whole lot of wireless ones when I was growing up.
They existed, I just didn't have them. And call
waiting was not a common feature in those early days,
which meant if you called someone and they were already
on the phone, you would get a busy signal. Well,
(07:35):
this volumetric category of denial of service attacks is kind
of like having a jerk calling you over and over
again: they call you, you pick up, you hear
it's that same jerk. You hang up, they immediately hit
redial and they call you right back again, and the
phone starts to ring, and that means no one else
can get through to you. Anyone who tries is just
going to get a busy signal, so they're getting a
(07:58):
denial of service. And because you can't receive any other
calls due to this person calling you up repeatedly, you
also get a denial of service. Now that analogy doesn't
work quite as well today because we can do stuff
like block incoming calls pretty much routinely, and call waiting
is a standard feature on almost every phone service. But
you get the idea. Next, we have the application
(08:20):
DDoS flood attack. This concentrates not on individual applications, though
that's what the phrase makes you think, like, oh, this
is like a Spotify DDoS attack or something. No,
rather it refers to the application layer of a
communications network. And I talked about the application layer back
(08:41):
in the Dip into the Seven Layers of the OSI
Model episode that published back in November. But this
would be a flood attack similar to the volumetric one
I just mentioned, but it aims to overwhelm the system
with a large number of requests at the application layer
rather than the network layer. I'll explain more about what
that means in the next episode. And the third category
(09:04):
is a low rate denial of service attack, also known
as a vulnerability attack, and those attacks take advantage of
vulnerabilities or limitations in application implementations, and so are kind
of related to application DDoS flood attacks, but they're
slightly different. I'll explain more about that in the next
episode too. Then you have a distributed denial of service
(09:25):
attack that ups the ante on a DoS attack. Hundreds
or thousands or even hundreds of thousands of machines combine
their efforts to bring down a target. To go back
to my phone analogy for a second, let's just say
that that jerk who was calling me really wants to
irritate me by making my phone line absolutely useless, so
(09:45):
he actually recruits all of his jerk friends and gives
them my phone number. Then he and all his jerk
friends just keep dialing me up over and over, which
makes it even harder to handle than the one jerk
doing it all by himself. So let's say I managed
to finally get an open line, so I make a
call to the phone company and ask them to block
(10:06):
the number that just called me, and they agree for
whatever reason. Well, that just reduces the jerkface's attack
vectors by one, right? It just removes one of the callers.
But a group of jerk friends, with the exception of
the one I managed to catch when I asked for
the number to be blocked, can keep on calling me.
They're calling from different phone numbers, so their calls
(10:28):
keep coming through, and I can keep trying to block
the numbers one by one. But this is laborious and
time consuming, and in the meantime I'm not able to
use my phone for anything else. That's what a DDoS
attack does, but instead of over the phone lines, it does
it over the Internet. In general, it uses an enormous
number of machines to carry out an attack, and individually
(10:49):
those machines might not be able to generate the sheer
volume of data that could overwhelm a target, but collectively
they can do it, and they can be difficult to stop.
In a moment, I'll talk about a real example of
how an attacker might overwhelm the target machine over the
Internet using a simple denial of service tactic. But first
let's take a quick break to thank our sponsor. One
(11:18):
real world denial of service attack, falling into the category
of the volumetric attack, involves flooding a web server with requests
called pings. A ping is a very simple message that
computers use to test connections between them on a network.
It measures the reachability of another computer. So consider that
(11:41):
the Internet is a network of networks, and between your
computer and some other computer on the Internet, there may
be hundreds of machines. Some of them are routers, some
of them are switches, some of them are computers. For
your computer to communicate with this target computer, traffic has
to go through the network from your computer to
(12:01):
the distant one, and then traffic needs to be able
to come back from the target machine to your machine,
and a ping is a test to see if such
a thing is really possible. It measures the round trip
time for a message to be sent out from computer
A to go to computer B and then return back
to computer A. The name comes from an older technology,
(12:22):
which would be sonar, where we use sounds
underwater to detect objects by listening for echoes. We would
send out a sound, a ping, from a speaker
essentially underwater, and then we would listen in on a
microphone for a returning echo. So you send out a ping.
If you get an echo of that ping, you know
(12:42):
there is something out there under the water that is
reflecting that sound back at you. In fact, you may
remember in movies like The Hunt for Red October they talk
about this a lot. They use pings in order to
send secret messages to each other. But in the Internet,
we send out a small amount of data and then
we essentially listen back for its return and use the
(13:03):
travel time to judge the connection strength between the two computers,
or really just how much time does it take for
a message to go across the Internet and back again.
Mike Muuss created the ping utility back in to help
test IP network connections. A quick ping could indicate
if there was a connectivity problem. If you send out
(13:24):
a ping and nothing comes back, you know there's a
problem with that connection. If you send out a ping
and it comes back, but it comes back with
a pretty long gap, and we're talking on the
order of less than a second typically, but it still
can be a long gap if you're talking about actually
sending real data across the network, again, it can tell you, oh,
you need to really take a look at your network
(13:45):
and see where the problem is. There might be a
broken element that you need to replace. It's also a
great tool if you want to use bandwidth heavy applications
because it can indicate whether such a connection is even possible.
So let's say that you want to play an online
computer game, maybe it's a competitive multiplayer computer game. You
want to make sure you can find a server that
(14:09):
doesn't have a long latency issue between you and the
server; you want to ping it and get a good time. And
it may be that that's a game that has multiple servers,
so you want to find the server that has the
best connection between your computer and that server, so that
you can have the best experience when you're playing. Well,
if one were to send an enormous number of ping
(14:30):
requests to the same target computer, such as a web server,
that target could become overwhelmed by all those requests. It
would attempt to respond to each request, which takes up
resources it would otherwise use for normal operations. So let's
say a hacker has targeted the website hosting that musicals
forum I wanted to pop into, and instead of going
(14:53):
in there and starting a flame war in the forums,
they just start sending ping requests, an uncountable number of
ping requests, to that forum's host computer, which is trying
to respond to each ping request dutifully. I mean, that's
what it does. And as a result, the system becomes
unstable and crashes, and I get an error message when
(15:13):
I try to go to that forum site. This tactic
is called a ping flood. It's just one denial of
service tactic. I'll go into a lot of other ones
later on. Now, I mentioned earlier how a DDoS
attack can be effective by leveraging thousands or hundreds of
thousands of machines in a coordinated attack. But how does
(15:35):
that happen? How do you get to a point where
hundreds of thousands of machines can work together. How does
an attacker get control of that many devices? Well, sometimes
it happens by people volunteering to be part of this group.
There are activist groups that will send out a message
and say, hey, if you want to be part of
this movement, you can download the software and then we
(15:58):
can use your computer to be part of this attack
on whatever the target is. But in other cases it's
happening through trickery. It ends up being a compromised device, right?
So for target computers, a hacker either writes some malware
or more likely makes use of existing malware. There's tons
(16:20):
of malware that's already been written out there. A lot
of the people who use these tactics aren't necessarily coders
or programmers. They are what some folks dismissively refer to
as script kiddies. They go and they find code that
will do what they want it to do that someone
else has already written, and then they'll essentially download that
(16:40):
and use that as just an attack package,
so they're not having to make it themselves. It's
kind of off-the-shelf hacker software.
So they then use this malware to create a way
to infect numerous machines, typically by fooling people into
executing a file on their computers or their computing devices.
(17:04):
The malware contains a way for the hacker to direct
those computers to send messages to a specific target.
They may be completely automated. You just hit a little
button and then everything does it. You know, the hacker
might put in the IP address for the target machine,
but otherwise everything else gets taken care of automatically, and
the hacker uses those devices to turn all their focus
(17:26):
onto the target machine and then they bombard it with
countless messages. Or the hacker might exploit a known
vulnerability in various Internet connected devices such as routers, or
even stuff like smart TVs or Internet connected thermostats. Essentially,
the Internet of Things and the smart home movement have
created the potential for truly enormous coordinated attacks because again,
(17:49):
they don't have to send really sophisticated information across the Internet.
It could be as simple as pings. Pings are one
of the most basic messages you can send, so if
you just get devices that are capable of sending a ping,
then you're all set to go. And part of
this is because that Internet of Things developed faster than
companies could create good security measures to protect those devices
(18:12):
from people who would compromise them. And part of it
falls on the consumers' shoulders, because a lot of people
don't bother to ever update their security settings. Right, they'll
get a new thing out of the box, they'll plug
it into their network, and they never bother to update
the logins and passwords on their devices, so they're
using the default settings for their login and passwords, and
(18:33):
that can create the opportunity for a hacker to access
those devices. If a company is using essentially the
same sort of login and password for all of its
products along a certain line, then all you have to
do is know what that is, and then you have
access to countless instances of those unprotected devices because so
(18:56):
many people do not bother to update it at all.
The routers I've seen have had a login that's
kind of like admin, and a password that might
literally be the word password. So if you just plug
that in, if you're a hacker trying to compromise
someone's home systems, chances are it's gonna work on a
(19:18):
lot of people because they never bothered to change it.
So, lesson there: change your passwords on your devices
from the default to something else. Now, some companies they
go a little bit further. They'll create a password
for each device that is unique to that device, right.
They don't use the exact same password for all of
their routers, for example, And that's a good step that
(19:41):
makes it much harder to do. You can't just
use a blanket attack the way a hacker normally would. Anyway,
I don't put the full blame on the consumer, and
I don't put the full blame on the manufacturer. It's
a problem that both parties have to pay attention to.
But there are some manufacturers out there who have made
products with very poor or completely absent security measures, and
(20:03):
in those cases, I pretty much blame the manufacturer or
the company, not the customers, because if you didn't even
include any kind of security measures in your device, then
there was nothing really the customer could do on their
side to protect themselves. And in any case, the collection
of infected computers and devices would be called a botnet.
Sometimes people call it a zombie computer army. Although you
(20:26):
hardly ever hear that phrase these days. It's almost always
just botnet, and it's because the compromised computers are
being controlled by some sort of remote entity, either a
human hacker or an automated script or bot. This can
happen even without you being aware of it. By the way,
you may only notice that your device is operating more
slowly than normal, and you wonder, well, why is my
computer no longer as fast as it used to be.
(20:48):
One possible explanation is that some of your computer systems
are being dedicated to sending out the attacks over the
Internet and you never know it. Or you might get
a message about how much data you're using over a
given length of time and you're thinking, that's weird, I'm
not even home when all this stuff is happening. Well,
that's an indicator that something has gone wrong. So to
understand how most distributed denial of service attacks work, it's
(21:11):
good to remind ourselves of how information tends to travel
across the Internet. There are protocols like TCP/IP,
which is actually two different sets of protocols. Those are
really rules that information has to follow to travel across
the Internet. The architects of the Internet who worked on
ARPANET wanted the actual methodology of allowing
(21:32):
information to go from point A to point B to
be very light with the data. In other words, the
process itself shouldn't have been data specific. It should be
data agnostic. It doesn't matter what the information is. It's
just concerned with making sure that information can get from
the source to its destination. That's the only thing that's important.
(21:53):
The end points, the edge machines where a message originates
and where it terminates, would do all the heavy thinking,
but the middle bits would be much less hands-on
with the data, with a deeper concern with just making
sure it gets to the right destination and verifying
that everything got to where it needed to go. So
the Internet sends data in bundles called packets. This is
(22:14):
really where TCP comes in. A single file might consist
of hundreds or thousands or millions of packets, and the
packets are just bundles of data, and your computer sends
this information over the Internet. So let's say you want
to send a big file. Let's say it's a film.
You've got a film and it's an enormous file and
(22:34):
you want to send it across the Internet to a
friend of yours. Well, the data gets chopped up into
these packets, and the packets include a header that has
important meta information about the data the packet carries. Namely,
it has the identity of the sender's computer, and it
has the identity of the destination computer. And also it
(22:55):
has information about how the data inside the packets fits
in with all the other packets of data that
are being sent. So one way to imagine this is
to think about having like a giant poster for an
awesome movie. Let's say it's Big Trouble in Little China. Now,
on the back of the poster, you've got a grid,
and inside each cell of this grid is a number,
(23:16):
and they're in sequential order. So the top left corner has
the number one, and then when you move to the right,
they increase sequentially till you get to the number twenty.
And then you dropped down a row so that the
first number on the far right side, on the second
row is twenty one. You go sequentially to the left,
and so on you zig zag all the way down,
so you've got the whole poster numbered. And let's say
(23:38):
it's got a hundred cells total, so it's one to
one hundred. You cut up the poster into
these cells, so you cut up all the little
blocks because that's the only way you're gonna be able
to send it to your friend. And you send it
to your friend in one hundred different envelopes, and your
friend opens up the one hundred different envelopes and then
they see the numbers on the back and they're able
(23:58):
to put the poster back together based on those numbers. Now,
it doesn't make a whole lot of sense in this
real world example, but over the Internet it makes perfect sense.
And that's because the Internet depends upon relatively cheap, unreliable connections,
which is actually a good thing. See, in the old days,
before the Internet, before Arpanet, connecting computers together would require
a dedicated connection linking computer A with computer B. We're
(24:22):
talking direct connection between the two, which ends up being limiting.
It's also expensive, and if the connection were to fail,
you would have to repair it before any communication could continue.
Because it's just this direct communication channel. So the architects
of the ARPANET wanted to make certain that communication could
continue even if individual pathways were to shut down. If
(24:45):
you think about it like a town, it's like saying, well, the
main road has been shut down because a tree fell
across it. But luckily there are all these side roads you
can take to still get to the same destination. It might
take you a little longer and you go a little
further out of the way, but you can still get
there. Well, to that end, the architects of the ARPANET
built their infrastructure on cheap hardware. Individually, those pieces of
(25:07):
hardware aren't as reliable as the more expensive, more sophisticated
types of hardware out there, but collectively, this is an
approach that makes a lot of sense because it made
scaling the Internet easier. It didn't require a whole huge
investment to add more infrastructure to the Internet. It scaled
up very very quickly. But if you build your network
(25:28):
on top of hardware that sometimes goes offline, you have
to make sure that the rules the data follows are flexible,
that they're able to handle that situation and route around
those problems. And that's where packet switching comes in. Packets
of data follow whatever path is best at that given time,
as in whatever connection is the most reliable, fastest connection
(25:51):
between the originating computer and the destination computer. Now that
can change over time, not just from physical things
that are going on on the network, but also traffic
that's passing across the network at the same time from
other computers. So one hundred digital packets representing the same
file could potentially take one hundred different pathways to get
(26:12):
to their destination, so that it's kind of like a
caravan all splitting up and taking different routes in order
to get to the final destination. Now, there's probably never
going to be a case where every single packet is
going to take its own individual pathway. Some of them
may end up taking at least part of the same
journey to get to their destination. But you get the idea.
(26:33):
it makes the Internet much more robust because one pathway
could fail and data can still find a way to
the intended destination. In addition, computers will send more packets
than what are needed as a redundancy measure. This is
probably that "TCP protocol," which is redundant. It's like saying
"ATM machine." But TCP does make certain that all
the different packets get to where they need to go,
(26:56):
and if anything didn't show up, then it can make
certain that essentially a replacement packet gets sent so that
it can verify that all the packets that are necessary,
all one hundred of them, for example, have made it
to their destination, and that the communication from that
part of the communication at any rate, is complete. This
(27:17):
approach makes the Internet easy to build out, but it
also makes it more challenging to do anything across the
infrastructure layer in response to people who exploit the system,
because the underlying connections are really only concerned with moving
data from origin to destination. They're not concerned with what
that data is or what purpose it serves. Now, I've
(27:37):
got a little more to say about the basics of
distributed denial of service attacks, but first let's take another
quick break to thank our sponsor. One other element of
the Internet I feel I should mention before I talk
about the history of denial of service attacks. Is the
(27:57):
domain name system. And you guys have likely at least
have heard of an IP address. I mentioned it earlier
in this episode. Those are the addresses that identify a
device that's connected to the Internet. Uh. It can be
a device like a router that then sends out temporary
addresses to anything that's connected to the router, but you
get it. This is the way that a computer system
(28:20):
knows where to send information. They're necessary for communication. It's
like if you were to send a letter, you would
have to include an address on the letter's envelope, so
the postal service knows where to deliver that letter, and
if you wanted to get a letter back in return,
you would want to have a return address on there
if you want to get a response. And
the Internet is similar. All devices have an IP address
(28:43):
to facilitate communication, at least through a router if
nothing else. But the device's address might change over time,
so that's a little different. It's not like the device
is always going to have the exact same IP address.
It may change depending upon what network it gets connected to.
In fact, it will change depending upon what network it gets
connected to. So it's not exactly analogous to a physical address,
(29:05):
but it's similar enough for us to kind of think
about that. Now here's a problem. However, these addresses are
not easy for us to remember. You know, IPv4
addresses and IPv6 addresses. These are series of numbers
and sometimes letters, in the case of IPv6, which
don't seem to have any rhyme or reason to us.
They're hard for us to recall. So we had to
(29:27):
come up with a way to map addresses based on
language to the IP addresses that machines can deal with. So,
for example, www.howstuffworks.com is a URL, an address
that we humans can easily remember, and there are special
computers called DNS servers that resolve these URLs into IP addresses
(29:50):
so that traffic can go to the right locations. So
an attack on DNS servers which has happened can slow
down traffic to numerous websites because the servers will be
so busy dealing with the attack they have trouble resolving
URLs into IP addresses, even though the
actual websites themselves are perfectly fine. So if there's an
(30:11):
attack on a DNS server that would typically resolve
www.howstuffworks.com to its respective IP address,
howstuffworks.com is fine. We haven't been
attacked by anybody, but the name server that would
actually do the job of resolving that URL
into an IP address is busy handling this attack, so
(30:33):
it would look like our site is loading super slowly,
or that you just can't even pull anything up. But it's
not a problem on our end, it would be a
problem in the middle. So there are a lot of
different ways that attackers can potentially affect the traffic and
the speed of internet connections. Now, to end this episode,
I'm going to talk about some early denial of service
(30:55):
attacks and some of the more notable examples, and in
our next episode, I'm going to focus more on the
specifics for types of DDoS attacks and how
companies try to handle them. So, first of all, it's
hard to get definitive history of denial of service attacks
because oddly enough, hackers were not too concerned about documenting
their actions as they unfolded. But before there was d DOS,
(31:16):
there were plenty of denial of service examples. One of
them happened in nineteen seventy four with David Dennis, who
was thirteen years old at the time. He wondered if
he might be able to affect all the terminals connected
to a computer at the Computer Based Education Research Laboratory
at the University of Illinois Urbana-Champaign campus. Dennis knew
(31:36):
that he could cause a terminal to lock up. Think of a
terminal as kind of a keyboard and a monitor;
in itself it is not a computer, but it's connected to
a computer. You have multiple terminals all hooked up to
this central computer and they're all sharing those resources. Well,
he knew that if he was using a terminal connected
to this computer and he executed a command called external
(31:59):
or ext, which was a command that would
tell the terminal that it was supposed to communicate with
a connected external device. But if you didn't have an
external device connected to the terminal and you
sent this command anyway, it would make the terminal lock up.
The terminal would be searching for this external device, it
would not find it, and that would send the terminal
(32:21):
into the terminal equivalent of a tizzy. And the only
way to fix it would be to shut everything down
and reboot. So he thought, what if I did this,
but I created a way to do it across
all the terminals connected to that computer at the same time,
not just one, because I mean then I'm
just sitting there having to change it. So he wrote
(32:41):
some code and figured out a way to send that
command to all the terminals connected to a computer at
the same time, making them execute that ext
command without the individual users' knowledge or permission, and this
forced a shutdown of nearly all the terminals connected to
that computer. The university ended up disabling this
feature that would allow people to send such a command
(33:03):
to all the terminals from one single spot. They said,
you know, we gotta turn this default setting off. They
didn't think about it until after it had happened. In
Robert Morris unleashed a denial of service attack by accident.
He had developed a bit of code that would make
its way through the machines connected through the ARPANET, and
the purpose was to find out how big the network was.
(33:24):
He just wanted to know how big the network was.
No one was really sure that this was something that
was growing very kind of organically and rapidly. So Morris
thought he had the perfect solution. He had this code
that would go out and essentially infect every single node
on the system that it encountered. But it was meant
to infect just as a way of making count of
(33:47):
each of the nodes. Really, he just wanted to find
out what the head count was. However, he made a
mistake when he was creating this code, and it ended
up being the equivalent of a worm. It went through
the system and it would replicate itself. It would infect
the same machines multiple times. It failed to detect that
it had already infected a machine, so it just kept
(34:10):
passing through this ARPANET system, infecting node after node after node,
again and again and again, coming up the network and
essentially causing a shutdown of sixty thousand nodes. And he
would end up being fined ten thousand dollars and sentenced
to fours community service for that mistake. The earliest example
of a distributed denial of service attack that I could
(34:32):
find happened in nine. An Italian activist group called the
Strano Network or Strange Network launched a denial of service
attack against the French government in a protest against the
that nation's policies relating to nuclear power. But this was
done with actual human operators who were working voluntarily. They
were they had agreed to be part of this sort
(34:54):
of virtual sit in, and they were working on their
computers in an attempt to overwhelm the target servers.
So this attack was limited both in scope and duration. Also,
back in those days, you were paying by the hour
for Internet access, so the actual protest lasted about an
hour because no one was willing to pour in a
whole lot of money to sit at their computer and
(35:18):
actively carry out this attack. The denial of service attack
became a go to strategy for activist groups in general.
One such group, called the Electronic Disturbance Theater or
EDT, developed a tool called Flood Kit, which would
send a large volume of messages towards a targeted computer
across the Internet. A predetermined target is the important part
(35:39):
to remember here. Anyone who wanted to make use of
Flood Kit could download it, and the tool even had
a drop-down menu that would let users select the
predetermined targeted computers like the White House computer system.
d T would arrange for virtual sit ins in which
they would schedule a coordinated effort to attack a specific
target like the White House servers, and then users would
(36:00):
all use that drop down menu to launch their individual
attacks as a big collective so as a collective of
individual attacks in that sense, and again in this case,
it was a voluntary action. It wasn't like they were
infecting computers and trying to take them over without
the user's consent. In two thousand, Michael Calce, a teenage
(36:21):
hacker who used the handle Mafia Boy, launched a series
of distributed denial of service attacks against high profile targets
like Yahoo, Amazon, Dell, and others. He also attempted to
attack the DNS system by targeting several of
the root name servers. He had compromised computers at university
networks and used them to send traffic to his targets
(36:42):
that would overwhelm the targets, and years later he would
say the whole purpose behind it was so that he
could impress and intimidate other hackers, so he was doing
it for the online street cred, in other words. He
was eventually tracked down by agencies like the FBI and
got a pretty light punishment all things considered. He was
sentenced to eight months in a youth group home. And
(37:04):
part of the reason for the relatively light sentence is
that the law was dragging behind technology, because it's hard
to charge someone with a crime when you don't have
a law defining that crime yet. And this is something
we've seen in technology over and over where the developments
of tech have outstripped the social constructs like law. In
two thousand seven, in Russia, a massive DDoS attack
(37:26):
didn't just shut down a site or make a service slow;
it actually shut down internet coverage for entire cities. The
attack was aimed at an Internet service provider, and it
was so effective that the provider went offline multiple times
in waves of attack that hit over the period of
a month. So they would get back up and then
they would be hit by another attack and it would
(37:46):
go down again. At the peak of an attack, traffic
being sent to the provider reached ten gigabytes per second,
which was pretty darn staggering back in two thousand seven. Later, Anonymous,
the most famous secret society of activists and techno-anarchists,
began to make use of voluntary botnets to attack targets.
(38:07):
They urged people who wanted to lend their computer's power
to an attack to download software called the Low Orbit
Ion Cannon. This would make the user's computer join a
large botnet, which then could be directed to attack
specific targets. Essentially, this is what hackers often try to
do through tricking others to install malware, only in this case,
(38:27):
Anonymous was outright saying, Hey, your computer is going to
be part of this if you download the software. So
if you want to help bring down the man, download
and install it now. That wraps up this episode. In
our next one, we're gonna talk more about how DDoS
works and also the various strategies that people and
companies use in order to try and mitigate the effects
(38:48):
of DDoS. As it turns out, it's pretty tricky.
If you guys enjoyed this episode, let me know. Also
give me a shout out if you have any suggestions
for future episode topics. Whether it's a technology, a company,
a person in tech, maybe there's someone you want me
to interview, let me know by sending me an email.
The address is tech stuff at how stuff works dot com,
(39:09):
or drop me a line on Facebook or Twitter. The
handle for both of those is TechStuffHSW.
Don't forget to follow us on Instagram and I'll talk
to you again really soon. For more on this and thousands
of other topics, visit howstuffworks.com.