Brother
Twenty years ago, the world faced its first DDoS attack, and a new era began in cybersecurity. Since then, the scale and capabilities of the cybercriminals organizing such attacks have grown significantly, and the activity itself has become a notable segment of the criminal business. At the request of N + 1, this piece explains what DoS and DDoS attacks are, who organizes them and why, and what their prospects are for the future.
On July 22, 1999, the University of Minnesota server stopped processing requests. Attempts to reach it were unsuccessful; the server was silent. At first, the administrators did not attach much importance to this, as it had happened before, but after analyzing the network traffic they realized that the university server was under an attack of a kind no one had encountered before. Thus began the era of DDoS.
The server was attacked using a malicious script called Trinoo, written by a young man from New Orleans using the handle phifli. Using a well-known buffer overflow exploit, Trinoo infected Linux computers, creating a botnet of hundreds of machines ready to attack the target server by UDP flooding on the command of its controller.
What made this attack unique? To answer this question, we first need to understand what a denial of service (DoS) attack is. The purpose of such an attack is to disrupt the normal operation of the attacked system or hinder access to network resources, for which a variety of techniques are used.
DoS attacks have a very rich history. The first mention of a successful attack dates back to 1974, when a 13-year-old schoolboy, David Dennis, disrupted terminals in the University of Illinois Computing Laboratory.
Several dozen PLATO terminals were installed in the laboratory, joined into a single network and used for teaching students and for collaborative work. The EXT command was used to access external devices connected to the terminals. The subtlety was that if a terminal that had no peripheral devices received this command, its system would freeze. The only way to get the terminal working again was a complete reboot.
David examined the PLATO documentation and discovered this curious feature. Wanting to see the reaction of users when faced with massive terminal freezes, he wrote a small program that sent the EXT command to all available machines, and went straight to the laboratory, where he successfully tested it, causing 31 terminals to freeze simultaneously.
Queue to the clinic
To explain the essence of DoS and DDoS attacks to a person far from computers, you can use the following analogy. Imagine that you are sitting in line at the clinic. Your turn has almost come when a person appears who, with the words "I just have a quick question", enters the therapist's office and stays there for a couple of hours. The queue is at a loss, the working day ends, and the unknown impudent person makes no move to leave the office. This is a classic DoS attack. If a whole crowd of such impudent people arrived and constantly distracted the doctor with their questions, not allowing the queue to move, then, our sympathies, you have run into DDoS.
But the real heyday of DoS attacks came in the second half of the 90s, when a huge number of utilities appeared that made it possible to "clog up" a communication channel with garbage (which was not difficult to do in the era of modems and low-speed Internet) or to cause a freeze or even a restart of a remote computer.
Such programs were popularly called "nukes" (in honor of the then popular WinNuke utility) and were actively used during the network wars of online chat users. There was even a special verb for it, "nuknut" (to nuke someone). Many "nukes" were able to carry out several types of attacks at once, and their interface was understandable even to the most inexperienced users.
Curiously, a DoS attack can be carried out against your own computer, causing it to freeze or restart. Unlucky users who downloaded a new nuke and wanted to try it out immediately, without understanding how the program worked, were often advised to enter 127.0.0.1 (the local computer's address) in the address field of the attacked machine, which made the attacker a victim of their own actions.
DoS attacks were not necessarily carried out using special tools. For this, the standard tools that are part of the operating system were often used, such as, for example, the ping command known to any computer scientist.
DDoS attacks have become a further development of DoS attacks. In the case of DDoS, the attacked server is exposed to a large number of computers or other network devices at the same time, which can significantly increase the intensity of the attack and cause failure of even large and well-protected systems.
It was this distributed attack that the University of Minnesota server faced on July 22, 1999, when 114 Trinoo-infected computers began sending UDP packets to it in large quantities.
A typical botnet attack, such as Trinoo's, proceeds as follows. At the first stage, the attacker forms a botnet: a network of zombie computers infected with special malware.
Infection can be carried out in a variety of ways, from trivial emails carrying Trojans to network worms that can independently find vulnerable devices and infiltrate the system. Infected computers transmit their data to the botnet control center and await further commands.
After the botnet has been formed, the attacker sends an order through the control center to launch the attack, whereupon the infected machines start sending the corresponding packets to the target server, trying to cause it to fail or to hinder its work.
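The defender's view of the scheme described above is a traffic monitor that spots a UDP flood and tells a single-source DoS apart from a distributed one. The following is an added illustration, not code from the article or from any real tool; the flow-record format, the thresholds and the sample traffic (114 bot sources, echoing the Minnesota figure) are constructed assumptions.

```python
# Added example: minimal UDP-flood detection over constructed flow records.
# Not from the article or any real product; format, thresholds and data are assumed.
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, protocol, packets)
def build_sample_flows():
    flows = []
    # 114 bot sources, each sending 30 UDP packets per second for 10 seconds
    for second in range(10):
        for i in range(1, 115):
            flows.append((second, f"198.51.100.{i}", "192.0.2.10", "udp", 30))
    # One source hammering a second target: a classic single-origin DoS
    for second in range(10):
        flows.append((second, "203.0.113.9", "192.0.2.20", "udp", 500))
    # Benign background traffic to a third host
    flows += [(1, "10.0.0.5", "192.0.2.30", "udp", 20),
              (2, "10.0.0.7", "192.0.2.30", "udp", 20),
              (3, "10.0.0.9", "192.0.2.30", "udp", 20)]
    # Non-UDP traffic is ignored by the detector, even when heavy
    flows.append((4, "10.0.0.11", "192.0.2.10", "tcp", 5000))
    return flows

SAMPLE_FLOWS = build_sample_flows()

def detect_floods(flows, window=10, pkt_threshold=1000, src_threshold=10):
    """Return {(dst, bucket): {...}} for destinations whose UDP packet count
    within one time window exceeds pkt_threshold. An alert is classed as
    'ddos' when at least src_threshold distinct sources contributed."""
    packets = Counter()            # (dst, bucket) -> UDP packets seen
    sources = defaultdict(set)     # (dst, bucket) -> distinct source IPs
    for ts, src, dst, proto, pkts in flows:
        if proto != "udp":
            continue
        key = (dst, ts // window)  # bucket = which window the flow falls in
        packets[key] += pkts
        sources[key].add(src)
    alerts = {}
    for key, count in packets.items():
        if count < pkt_threshold:
            continue
        n_src = len(sources[key])
        alerts[key] = {"packets": count, "sources": n_src,
                       "kind": "ddos" if n_src >= src_threshold else "dos"}
    return alerts

if __name__ == "__main__":
    for (dst, bucket), info in sorted(detect_floods(SAMPLE_FLOWS).items()):
        print(f"{dst} window {bucket}: {info['kind'].upper()} "
              f"({info['packets']} pkts from {info['sources']} sources)")
```

The thresholds are deliberately low so that the constructed data trips them; on a real link they would be tuned against a measured baseline.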
The attack on the University of Minnesota server was the first in a series of DDoS attacks using Trinoo. Six months later, in early 2000, much more secure servers belonging to such "monsters" as CNN, Amazon, eBay and Yahoo were subjected to similar attacks. The attacks were led by a Canadian hacker under the pseudonym Mafiaboy, who created an impressive zombie network.
The next botnet to replace Trinoo was built by the MyTob worm. Created by an 18-year-old hacker, the network worm quickly spread around the world and enabled successful attacks on the largest network resources of the time.
As is often the case, the first DDoS attacks were carried out out of curiosity or hooliganism and were not aimed at making a profit. However, online extortionists quickly took a liking to them, and soon a whole segment of the criminal business formed around them.
The scheme is extremely simple: the attackers attack a large site, causing interruptions in its operation, and send its owners a ransom letter. Given that downtime of a large commercial resource costs its owners a round sum, and that protection against a massive DDoS attack is very difficult, the owners often prefer to buy off the annoying hackers.
Naturally, extortion is just one use of DDoS attacks. Nowadays they have become an applied tool in the process of hacking computer systems, a weapon in competitive and political struggles; they are used by hacktivists and even by schoolchildren who successfully disable electronic grade books so that their parents cannot see their grades.
DDoS attacks can use a wide variety of techniques. For example, one of the largest botnets designed for DDoS attacks, called Mirai, consists of hundreds of thousands of infected smart devices, in particular home and office IP cameras.
Mass infection of smart devices often occurs because their owners leave the default logins and passwords in place after purchase. So if you do not want your IP camera to live a double life, secretly trying to bring down a server on the other side of the ocean, take the trouble to come up with a password harder than the standard "admin/admin" combination.
However, DDoS attacks are not necessarily botnet-related; they can also be carried out manually. As a rule, special programs are used for this, the heirs of those very "nukes" from the 90s. Hundreds and sometimes thousands of users simultaneously launch the utility, type in the victim's address, and the result is not long in coming. On some Internet forums and social networks, branches are specially created to coordinate such "manual" DDoS attacks.
Sometimes unintentional DDoS attacks also occur. This happens when someone posts on a popular resource a link to an interesting article or page hosted on a not very powerful server. Thousands of people follow the link and... the server crashes, unable to cope with the influx of visitors.
Over the past 20 years, DDoS attacks have gone through a difficult evolutionary path. The growth in the bandwidth of communication channels and the performance of servers led to an increase in the intensity of attacks. Experts are registering new records, and botnets are increasing their power, replenishing with thousands of zombie devices.
There have also been some truly wake-up calls, such as attacks on root DNS servers that can globally disrupt the Internet's addressing system and, under certain conditions, leave entire countries disconnected.
DDoS attacks were repeatedly predicted to die, but they are not giving up their positions. Nowadays, there are hacker groups on the network that specialize exclusively in carrying out such attacks and offer their services to everyone for a certain fee.
Despite the seeming simplicity of such attacks, they pose a serious threat to the normal functioning of the Internet infrastructure, increase the load on communication channels and annually cause millions in losses for the global economy. Today, most countries of the world provide administrative or criminal liability for carrying out DDoS attacks, but there is no reason to count on the situation being rectified.
Will DDoS attacks disappear in the coming decades? Most likely not; they have long been an integral part of the modern Internet. The genie is out of the bottle, and we can hardly drive it back in.
But we can reduce the commercial attractiveness of this criminal business by protecting our computers and smart devices from Trojans seeking to enlist them in a botnet. It is also important not to pay ransom to attackers, thereby undermining the economic basis of their activities.
The University of Minnesota server was under attack for only a few days. The admins did not sleep at night, configuring filters, digging through logs and beating their admin tambourines. In the end they won and went to bed in peace. But the aftermath of this attack has been disturbing the sleep of cybersecurity professionals for 20 years.
