Today is Saturday, 21st December 2024
Sponsored:

Botnets / DDoS

Author: DarkKnightH20

What is DoS/DDoS?

DoS stands for Denial of Service. As the name states, it’s a condition in which an application or service becomes unavailable, hence denial of service. This condition can be induced through many ways, such as bad programming, which often leads to vulnerabilities that cause CPU usage to skyrocket, as well as crashing, lag, and freezing. For our article’s purpose, we’ll count DoS-like conditions as being achieved through more common means–through the flooding of packets.

So…We’ve got DoS down, but what is DDoS?

DDoS, or Distributed Denial of Service, uses DoS methods, but expands on the concept by making many computers at once attack the target. DDoS, however, focuses on flooding the victim’s port(s) to (A) Lag them (B) Crash them (C) Stop legitimate traffic from reaching the port/service. Though individual computers can be DDoS’ed, websites and IRC servers are primary targets.

Bots?

DDoS can be a group effort done by friends, or, most commonly, through a botnet. A botnet has usually one commander that talks to all the “friendly” computers to tell them what to do. Called “bots”, these computers are often infected with a “backdoor” that allows the commander of the botnet to easily execute commands, download/execute files, etc. Majority of the time, these computers don’t even know they’re infected with a backdoor.

How are the bots controlled?

They can be controlled through a variety of ways. However, the most common method is through IRC. Each infected computer connects to an IRC server and joins a channel (that’s likely password protected). The commander logs in to the bots through writing a command to the room, and then does as he/she wishes, often issueing commands to initiate a DDoS on a remote target.

What type of flooding methods are there?

There are many different flooding methods that can be used–

  • General TCP Flooding — AKA the bots connect to a given remote port, then simply flood until disconnected, in which case they reconnect and start over again.
  • HTTP — Done through TCP as well, this method works web servers hard (on port 80 generally) by requesting many files at once via bots in an attempt to (A) Waste bandwidth (B) Lag the website (C) Stop legitimate traffic. Depending on how the attack is carried out, you can flood with HTTP Post Requests. HTTP Post Requests are done when submitting a form (i.e. a tagboard message, forum post, registration page, or even a blog comment). Flooding using HTTP Post Requests not only cause normal HTTP disruption, but also can cause the script being flooded to create huge logs. If the script is also tied to a SQL database, then it’s even more deadly.
  • UDP — This method doesn’t use a direct connection, as UDP does not really require one. As with the other methods, flooding is used to disrupt service on the port in question.
  • IRC Flood — All bots connect to the IRC server, then have several different flooding methods available -> Private Message (PM) flooding, room creation flood, file sending flood, join room and spam text flood, etc. (excuse my lack of a good name for each of these sub-IRC methods 🙂 )
  • Ping Flood — As with normal pinging, once Computer A pings Computer B, Computer B sends a reply. This causes incoming and outgoing flooding when applie to a botnet, as the victim is recieving many requests over and over again, while attempting to respond to them all. This method is easily blocked.
  • Syn Flood — One of the most well-known methods out there, this method involves sending a “SYN Request” to the target. The target then replies to it to acknowledge the request, then waits for more data. Generally, there is no more data afterward, causing the server to wait a little bit until timing out. Though not usually a problem, issues can arrise when applied to a botnet. The victim will have many of these partial connections, causing a waste of resources and disruption of possible traffic.
  • How are botnets made?

    Botnets are created through many ways. Sometimes, people bind a botnet client to another exe, then send it to people or post it on websites (usually in the disguise of a hack). Spam in email inbox’s can contain these files as well. However, using vulnerabilities is the most preferred way. Some use internet browser exploits or email software vulnerabilities to cause the automatic downloading (and executing) of a file (i.e. bot client/backdoor). Some use Instant Messaging (IM) software (including IRC and other chatting software). However, OS vulnerabilities are the most commonly used. Worms are created to exploit these vulnerabilities and often spread bots (and the worm) while doing so. This creates a nice army for a botnet. In fact, many botnets are self-spreading. A plugin is simply installed on the clients (pre-installed or installed via an update through a bot command) that allows allows for scanning and exploiting of IP ranges. When victims are found, these self-spreading bots pass themselves along, creating a rising army. However, self-spreading bots is a nice way of getting bots destroyed. A raise in suspicion is caused by this and leaves a long trail of activity leading to the owner.

    Other uses of a Botnet

    Botnets don’t have to be used only for flooding. They can be used for spamming (E-mail, forums, IM, Net Sending, etc.) and cracking/bruteforcing passwords, which can significantly cut down the time it takes for a successful crack. They can also be used to crack encryptions, a very useful concept for those who do not have their own super computers. They can be used to P2P files, as well as distribute files in general as well.

    Disadvantages of a Botnet

    Generally speaking, paper trails are left with a botnet. When performing an attack on a website for example, server logs capture loads of data that can be used to find the attacker. Even personal computers have firewalls to grab IP addresses that they can report to their ISP, of which is likely to have a much better log of the attack. If you’re adept in the field of security, then keep this in mind if a “friend” of yours attacks you with a botnet — bots are commonly created through infecting a computer that lacks security updates. If that computer was so easily infected with a backdoor, chances are, that you too may be able to hack it and grab the bot client. After doing so, you can do a number of things, such as send a copy to your ISP/authorities or even reverse engineer it to grab the password/server info/etc. If you get the username and password, you may in fact be able to hijack the entire botnet (or break it up). Packet sniffing can even grab this data for you.

    Protecting Bots

    Bots should be packed, encoded, or altered a lot to avoid detection. Custom-made clients are the most undetectable type, however, as attempts to avoid detection can also RAISE detection (i.e. most virus scanners recognize packers such as UPX). To avoid firewall detection, bots should add their server’s IP to the firewall’s “trusted” or “accepted” list. Bots should also have a login system of their own so that they’re unusuable by anybody other than the person logging in to them. If the bots communicate with the owner through an IRC server (or even other means of communication), then a backup server should be available for them to connect to incase the server is ever down . Also, if using a public IRC server to communicate, bots should not have random names derrived from random letters and numbers. A dictionary list should be used to avoid suspicion, as well as fake version info (i.e. they use random versions of mIRC), and join a secret, password-protected channel.

    Protecting Against Bots

    People should update their OS with the latest patches to avoid being infected through worms and vulnerabilities, while also avoiding unfamiliar websites, odd emails, and making sure to have the latest anti-virus protection (and definitions). Firewalls should be used (hardware and software) to increase security.

    How to Protect from a Botnet Attack

    Protecting yourself can be difficult and often happens before you get the chance to do much about it. A great computer with a great internet connection can take a beating without issues depending on the size of the botnet. If you have a server, a backup computer or connection that kicks in if the primary server/connection is having issues is a great fail switch. Blocking the IP of the attacking computers is helpful, but still requires your computer to work itself a bit, as it has to look at the IP still, then ignore it. Plus, IPs can be spoofed (changed to show a different IP). Filtering has the same issue. If being DDoSed/DoSed on your home computer, you can call your ISP and request a new IP address. If you have a dynamic IP, then simply disconnect and wait for a new IP (release and renew via IPConfig can do this usually). Also, there are services offered online for those who wish to protect their website form DDoS attacks, as well as server applications to help with the load.

    Misc

    Most bots are coded in C++ and are more known to infect Windows users. However, Java bots that work on Windows, Mac, and Linux/Unix aren’t entirely uncommon.
    When a new big vulnerability is out, a botnet is likely to be using it relatively soon. Sometimes though, bots use unknown vulnerabilities. When this is the case, they’re eventually discovered, reverse-engineered, then dissected until the exploit is found and an attempted patch is made.
    Botnets can spread through networks too. Though I have not seen this done yet, bots can be given the ability to spread through wireless access points, especially if the acess point is insecure.

    Note: I do not support the creation of botnets. They’re illegal.


    10 Comments

    1. Comments  dkraft   |  Monday, 30 November 2009 at 4:08 PM

      illegal ?
      How about some supporting references ?
      so far all you’ve done is requote wikipedia.
      http://en.wikipedia.org/wiki/Ddos#Distributed_attack

    2. Comments  DarkKnightH20   |  Monday, 30 November 2009 at 8:20 PM

      Yes, illegal. Especially if the bots are people infected against their own will.

      References? I don’t know too many people who reference themselves, but if you want me to I’ll be more than gladly to do so. I didn’t use Wikipedia, but thank you for your comment and sorry to hear you disliked my article.

    3. Comments  Sammy   |  Monday, 30 November 2009 at 10:26 PM

      lol! Sounds like dkraft doesn’t know what DOS’ing is. NOOOB!

    4. Comments  sarah lee   |  Wednesday, 02 June 2010 at 6:59 AM

      Hi I have recently been getting ddossed on an irc (ausnet) server. i then got a bnc which is meant to be secure and serves the purpose of hiding an ip, but the same ppl somehow accessed the bnc and linked email address too and changed the password. irc also has open ports so im not sure if that plays a part in it. Ive heard that a vpn which is similar to a proxy is a good method of protection but i am still not sure and need some advice on how to protect my ip while using irc? also could you elaborate on this\’If that computer was so easily infected with a backdoor, chances are, that you too may be able to hack it and grab the bot client. After doing so, you can do a number of things, such as send a copy to your ISP/authorities or even reverse engineer it to grab the password/server info/etc. I’d love to hear from you, thanks:)

    5. Comments  DarkKnightH20   |  Wednesday, 02 June 2010 at 3:23 PM

      Hi and thanks for the comment! Sounds pretty rough. Do you have a dynamic IP address or a static one? If your IP doesn’t change, then you can easily be targeted. Some IRC servers offer privacy options built-in to the server itself where you simply write “/mode $nick +x” (substituting “$nick” with your nick) to hide your IP address. This on top of a secure BNC helps tremendously. I know that QuakeNet has this feature, but have never used ausnet so it may not have such a feature. If your BNC was hacked into, I’d suggest finding another BNC service elsewhere. Some people find free hosting for such services and setup their own personal BNC through such. Others use proxies pure proxies, as you mentioned. If you’d like to go through proxies, find high anonymity proxies through online proxy lists (opposed to transparent ones that don’t hide IPs) and run them through a proxy scanner to see which ones really work and which ones don’t.

      As for the comment about hacking infected computers, that means that the user who is infected likely does not update their system with security patches and therefore may possibly be hacked again easily (this is a big variable though, since the user infected could easily patch their system after being infected). On a side note, be sure to use highly secure passwords on any account you’re using in case the attacker simply password cracked your information. Good luck!

    6. Comments  sarah lee   |  Wednesday, 02 June 2010 at 4:01 PM

      thanks for reply. yes i do have dynamic but they’ve ddossed me 3 times now on. i use //mode $me +x on mirc which i think is maybe similar to the ‘/mode $nick +x’ that you mentioned but obviously it isn’t good enough. im assuming now that the bnc is not secure enough considering they have the capability to hack into it, the password was very random and im not sure what password cracking involves.. how exactly does hosting work? and how affective are proxies against hackers? some proxies are also not allowed to be used on irc servers. I’m just trying to do my research on finding something completely secure and that can prevent my ip from being found and having the same recurring issue.

    7. Comments  DarkKnightH20   |  Wednesday, 02 June 2010 at 4:21 PM

      There are services that offer secure shell hosting, which can be used to host your own private BNC. I don’t know of any off the top of my head, but run in to them from time to time. The mode $me mode $nick are identical. If you use mIRC, they specifically recommend SOCK proxies, which are harder to find, but HTTP proxies work too.

      When is it that you type in the /mode $nick +x command? Do you have a script that automatically does it for you? The reason I ask is because commonly what happens is people have “auto join” enabled so that when they login, they immediately join the room they’re interested in, and unfortunately that usually occurs before the +x privacy is activated, thus allowing everyone to see your information unmasked. For that reason, it’s best to ensure the +x is enabled far before the auto joining of a specific channel.

      Proxies can be very effective on IRC if they’re NOT transparent. You’ll be masked instantly just like a BNC. A combination of both would be even more effective if you can find a secure place to setup a BNC and use a well-made BNC script. Here’s some information on both host masking (which you do already) and setting up a proxy with mIRC–

      http://www.ehow.com/how_6056576_hide-ip-irc.html

      I should have mentioned this earlier — but do you have DCC enabled? If so, disable it immediately. Disable both DCC chat and DCC file sending, as they can be used to grab your IP address. Hope that helps! If not, sorry I’m not being very helpful, as I’ve never run into the issue myself. Are you positive that you’re not infected with anything like a keylogger as well? Just thought I’d ask.

    8. Comments  sarah lee   |  Thursday, 03 June 2010 at 4:20 AM

      i did have dcc and dcc filesharing enalbed, i have now disabled that. i am well protected against Attacks, but i am sure this person is getting my ip from mIRC client, if i use a proxy, does this mean hi will not be able to get my ip or my proxy ip?
      also if he does somehow get my proxy ip and decide to ddos it will this effect me and will i have to change my proxy ip again?
      as long as i can stop this person from getting my ip then i shouldnt have a problem.

    9. Comments  DarkKnightH20   |  Thursday, 03 June 2010 at 2:29 PM

      If you use a proxy that has high anonymity, then the person will get the IP address of the proxy rather than yours (if the person manages to get your IP at all that is). If the proxy does end up getting DDoSed, the proxy will be the one taking the damage instead of you, since the entirety of the botnet will be focused on flooding packets to the proxy specifically and not your IP. The proxy *could* go down if the attack is heavy enough, in which case you would disconnect from mIRC because the proxy can no longer handle the legitimate data you’re sending. Your connection would still remain in tact though, which is the important part 🙂 Unfortunately, it does mean you’d have to switch to another proxy if that is the case, or wait for it to go back up.

    10. Comments  V.H.   |  Wednesday, 23 March 2011 at 12:57 PM

      Good writing and good article!!

    Leave a Reply





    Sponsored

    Affiliate Articles:

    Amazon Deals

    Top