DDoS: How to take down WikiLeaks, MasterCard or any other Web site

Summary: DDoS attacks can take any site down these days, not just WikiLeaks or MasterCard; just ask Google. Here's how these assaults do their damage.


I can't tell you who first attacked WikiLeaks and, more recently, MasterCard, PayPal, and Visa with Distributed Denial of Service (DDoS) assaults, but I can tell you it wasn't hard. It wasn't even, as such things go, that bad. Just ask Google if you want to know what a real DDoS attack is like.

WikiLeaks was buried under attacks that threw up to 10 Gigabits per second (Gbps) at its servers. We don't know exactly how hard MasterCard or Visa were hit, but at an educated guess, it was probably an order of magnitude worse. Few sites can handle that level of cyber-warfare.

What's behind these attacks? People tend to think of DDoS as causing havoc by jamming network bandwidth with useless traffic. While that's certainly one kind of DDoS attack, others work by devouring server resources. That means it's possible for a successful DDoS raid to be made no matter how much bandwidth you have because it attacks your servers' resources. To really protect a network against attacks, both your Internet connection and your servers need defenses.

Usually, DDoS attacks are aimed at your network's TCP/IP infrastructure. These assaults come in three varieties: those that exploit weaknesses in a given TCP/IP stack implementation; those that target TCP/IP weaknesses; and the tried and true brute force attack.

These days, the last method is the most popular, thanks to botnet armies of zombied Windows PCs that make it easy to do. Why be fancy when you can just bury your enemies' sites under waves of bad data requests?

Indeed, you don't need to be any kind of hacker these days to launch a DDoS attack. According to VeriSign, you can rent a botnet for $8.94 an hour from criminals.

Why pay money though when you can get people to launch DDoS strikes with a program a trained monkey could use? What seems to be happening to the commercial companies in this latest wave of DDoS attacks, according to SANS' Internet Storm Center, is that people are using a Java port of Low Orbit Ion Cannon, an open-source DoS attack tool, to smack around MasterCard, Visa, etc. All the user has to do is push a button, and, ta-da, the attack begins.

Low Orbit Ion Cannon is a brute-force program. All it does is crank out multiple simultaneous requests for a Web page that's unlikely to exist on the site. The only thing that's "interesting" about this attack is that it uses Twitter to co-ordinate its users' attacks.

If you do want to know how DDoS attacks manage their assaults, here's my 20,000-foot overview of DDoS techniques.

TCP/IP Stack Implementation Weaknesses

The canonical example of an attack that goes after TCP/IP implementation weaknesses is the Ping of Death attack. In this exploit, your enemy creates an IP packet that exceeds the IP standard's maximum 65,536-byte size. When this bloated packet arrives it crashes systems that are using a vulnerable TCP/IP stack and operating system.

All modern operating systems and stacks should be immune to the Ping of Death attack, but every now and again I find someone running something that can still be smacked around by the Ping of Death. The moral of the story is that you should always update your network equipment and software. Just because it's still running after all these years doesn't mean that it's safe.

Another attack that relies on poor TCP/IP implementation is Teardrop, which exploits defects in the way systems reassemble IP packet fragments. On its way from hither to yon on the Internet, an IP packet may be broken up into smaller pieces. Each of these still has the original IP packet's header, as well as an offset field that identifies which bytes of the original packet it contains. With this information, an ordinary broken packet is reassembled at its destination and network traffic continues uninterrupted. When a Teardrop attack hits, your server is bombarded with IP fragments that have overlapping offset fields. If your server or router can't disregard these fragments and attempts to reassemble them, your box will go castors up quickly. If your systems are up-to-date, or if you have a firewall that blocks Teardrop packets, you shouldn't have any trouble.
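The check a patched stack or filtering firewall applies before reassembly can be sketched as follows. This is an added example, not code from the original article or from any particular TCP/IP stack; the `Fragment` type, the `check_fragments` name and the sample fragment sets are constructed for illustration.

```python
# Added example: validate IPv4 fragments before trying to reassemble them.
from dataclasses import dataclass

MAX_DATAGRAM = 0xFFFF  # Total Length is a 16-bit field in the IPv4 header


@dataclass(frozen=True)
class Fragment:
    offset_units: int      # Fragment Offset field, counted in 8-byte units
    payload_len: int       # bytes of payload carried by this fragment
    more_fragments: bool   # MF flag: set on every fragment except the last
    header_len: int = 20   # IPv4 header without options


def check_fragments(frags):
    """Return 'ok', or the reason the whole fragment set must be discarded."""
    spans = []
    for f in frags:
        start = f.offset_units * 8
        end = start + f.payload_len
        # Ping of Death: reassembled size exceeds what the length field can hold.
        if f.header_len + end > MAX_DATAGRAM:
            return "oversize"
        # Every fragment except the last must carry a multiple of 8 bytes.
        if f.more_fragments and f.payload_len % 8:
            return "misaligned"
        spans.append((start, end))
    expected = 0
    for start, end in sorted(spans):
        if start < expected:
            return "overlap"   # Teardrop: fragment begins inside data already covered
        if start > expected:
            return "gap"       # incomplete set: keep waiting, then time out
        expected = end
    return "ok"


# Constructed fragment sets (not captured traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 40, False)]
OVERLAPPING = [Fragment(0, 40, True), Fragment(3, 8, False)]
OVERSIZE = [Fragment(0, 1480, True), Fragment(8189, 100, False)]
```

The point of the sketch is the order of operations: the set is rejected on arithmetic alone, before any buffer is sized or any payload is copied.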

TCP/IP Weaknesses

Another oldie but badie DDoS attack method is the SYN attack. SYN works by taking advantage of the protocol handshake between two Internet applications. The handshake starts an application session when one program sends a TCP SYN (synchronization) packet to another program. That application then replies with a TCP SYN-ACK acknowledgment packet; the first program then responds with an ACK (acknowledgment). Once the applications have made their handshake, they're ready to work with each other.

A SYN attack overwhelms its victim with a flood of TCP SYN packets. Every SYN packet forces the targeted server to produce a SYN-ACK response and then wait for the appropriate ACK. This quickly leads to a situation where outstanding SYN-ACKs pile up behind each other in a backlog queue. When the backlog queues fill up, the system stops acknowledging incoming SYN requests.

If the SYN attack includes SYN packets with bad source IP addresses, the situation grows worse more quickly. In such a case, when the SYN-ACKs are sent out, the ACK never comes back. The quickly overfilling backlog queue usually puts an end to legitimate application SYN requests getting through.
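The backlog behaviour described in the last two paragraphs can be modelled from the server's side. This is an added example, not code from the original article or from any operating system; the `SynBacklog` class, its capacity and timeout values, and the event trace (documentation-range addresses) are constructed assumptions.

```python
# Added example: a model of a listener's SYN backlog. Events are constructed.
from collections import OrderedDict

class SynBacklog:
    def __init__(self, capacity, timeout):
        self.capacity = capacity      # slots for half-open connections
        self.timeout = timeout        # seconds to wait for the final ACK
        self.pending = OrderedDict()  # (src, sport) -> time the SYN-ACK was sent
        self.refused = 0              # SYNs dropped because the queue was full
        self.established = 0          # handshakes that completed

    def _expire(self, now):
        # Entries are kept in arrival order, so the oldest is always first.
        while self.pending:
            key, sent = next(iter(self.pending.items()))
            if now - sent < self.timeout:
                break
            del self.pending[key]

    def on_syn(self, now, src, sport):
        self._expire(now)
        if (src, sport) in self.pending:
            return True               # retransmitted SYN, slot already held
        if len(self.pending) >= self.capacity:
            self.refused += 1         # queue full: this SYN goes unanswered
            return False
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, now, src, sport):
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False              # ACK for a slot that never existed or expired
        self.established += 1
        return True

def replay(events, capacity=4, timeout=30):
    """Feed (time, kind, src, sport) tuples through a backlog and return it."""
    q = SynBacklog(capacity, timeout)
    for now, kind, src, sport in events:
        (q.on_syn if kind == "SYN" else q.on_ack)(now, src, sport)
    return q

# Constructed trace: one client completes, four SYNs are never answered,
# then a second client is refused until the stale entries time out.
TRACE = [(0, "SYN", "192.0.2.10", 40000), (0, "ACK", "192.0.2.10", 40000)]
TRACE += [(1, "SYN", "198.51.100.%d" % i, 1024) for i in range(1, 5)]
TRACE += [(2, "SYN", "192.0.2.20", 40001), (31, "SYN", "192.0.2.20", 40001),
          (31, "ACK", "192.0.2.20", 40001)]
```

For monitoring, the useful signals are the two counters the model exposes: how full `pending` is relative to `capacity`, and whether `refused` is climbing.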

A variation on this, the Land attack, employs spoofed SYN packets, with IP addresses forged to look like they come from within your network. Now, the SYN attacks appear to be coming from within your firewall, adding to your problems.

Again, most modern operating systems and firewalls can stop SYNing in its tracks. Another easy way to prevent SYNing is to set your firewall to block all incoming packets with known bad source IP addresses. This list should include external packets that bear spoofed IP addresses from the following IP ranges, which are reserved for internal use only: to, to, to, and to

But why should your enemies worry about sneaking in the back windows when they can simply bulldoze your systems? That's the approach that the Smurf attack and the User Datagram Protocol (UDP) flood use.

When you're Smurfed, your enemy floods your router with Internet Control Message Protocol (ICMP) echo request packets, a special kind of ping packet. Each packet's destination IP address is also your broadcast address, which causes your router to broadcast the ICMP packets to all your network's hosts. Needless to say, with a large network, this quickly leads to an electronic traffic jam of mammoth proportions. And as with the Land attack, if the cracker combines Smurfing with spoofing, matters get even worse.

The simple way to avoid Smurfing is to turn off broadcast addressing at your router or switch and set your firewall to block ICMP echo requests. You may also be able to set your server so it won't respond to requests to send ICMP packets to IP broadcast addresses. These changes won't interfere with your network's normal operations because few applications need IP's broadcast features.

It's not as easy to deal with UDP flood DDoS attacks, since some applications, like Domain Name System (DNS) and Simple Network Management Protocol (SNMP), use UDP. In a UDP flood, an attacker spoofs a call to connect one system's UDP chargen (character generator) service, a test program that generates characters for received packets, with another system's UDP echo service. The result? Chargen's semi-random characters are reflected back and forth between systems, starving legitimate applications' bandwidth needs.

One way to prevent UDP attacks is to disable or filter all UDP service requests for your host. As long as you allow non-service UDP requests, normal applications that require UDP or use it as a backup data transport protocol will continue to work normally.
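The three edge-filter rules described in this section (dropping outside packets with inside or reserved source addresses, dropping echo requests aimed at the broadcast address, and filtering the UDP echo and chargen services) can be expressed as one decision function. This is an added example, not code from the original article or any firewall product; `ingress_verdict`, the packet dictionaries and the `OUR_NET` prefix are hypothetical, and the reserved list is an assumption (RFC 1918 private space plus loopback), since the article's own list of ranges did not survive on the page.

```python
# Added example: verdicts for packets arriving on the Internet-facing interface.
import ipaddress

# Assumption: RFC 1918 private space plus loopback.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SIMPLE_UDP_SERVICES = {7: "echo", 19: "chargen"}
OUR_NET = ipaddress.ip_network("203.0.113.0/24")  # hypothetical site prefix


def ingress_verdict(pkt, our_net=OUR_NET):
    """pkt: dict with src, dst, proto and optional icmp_type / dport keys."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # A packet arriving from outside cannot legitimately claim an inside source.
    if src in our_net or any(src in net for net in RESERVED):
        return "drop: spoofed source"
    # Smurf: ICMP echo request (type 8) aimed at the subnet's broadcast address.
    if (pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8
            and dst == our_net.broadcast_address):
        return "drop: echo request to broadcast"
    # Filter the simple UDP services; other UDP (DNS, SNMP) is left alone.
    if pkt["proto"] == "udp" and pkt.get("dport") in SIMPLE_UDP_SERVICES:
        return "drop: udp " + SIMPLE_UDP_SERVICES[pkt["dport"]]
    return "accept"


# Constructed packets (documentation-range addresses, not captured traffic).
SAMPLES = [
    {"src": "192.168.1.5", "dst": "203.0.113.10", "proto": "tcp"},
    {"src": "203.0.113.9", "dst": "203.0.113.10", "proto": "tcp"},
    {"src": "198.51.100.7", "dst": "203.0.113.255", "proto": "icmp", "icmp_type": 8},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "udp", "dport": 19},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "udp", "dport": 53},
]
```

The source-address rule runs first on purpose: a spoofed packet is dropped whatever it carries, so the later rules only ever see traffic with a plausible origin.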

Brute Force

With all these ways to stop DDoS attacks, you might think DDoS attacks would be no more difficult to handle than spam. Wrong. When any malcontent can co-opt hundreds to tens-of-thousands of PCs to launch DDoS assaults on your Web sites, there are no easy, cheap ways to defend against them. All they have to do is ask for Web pages, which may or may not exist, and have all of those PCs do so as many times a second as they can manage.

Malware like Conficker puts hundreds of thousands of Windows PCs in the hands of would-be attackers. The resulting tidal waves of direct attacks won't be bothered by a few dikes and storm surge walls. You can only change servers, which is what WikiLeaks tried with Amazon Web Services, or vastly increase your Web hosting site resources in an attempt to stem the flood.

I fear, no, I know, we're only going to see more such DDoS attacks. As the Internet expands, more people are getting broadband access, giving crackers more unprotected Windows systems to exploit. Worse still, thanks to programs like Low Orbit Ion Cannon, you too can get together some like-minded friends, and put down any mid-sized Web site that bugs you.

Mind you, with tools like those, you can be tracked down and you may face criminal charges. A college student was recently jailed for 30 months for attacking the Web sites of conservative pundits with DDoS tools.

Even with this threat hanging over their heads, though, I don't see them stopping. We're in for some bad times ahead on the Web, my friends. DDoS attacks are only going to become more and more common.

Topics: Networking, Security, Servers

  • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

    This attack worries me, because I am a writer that uses paypal to accept donations. How do I know that my information is not compromised from these attacks? I know that WikiLeaks uses this as revenge, but I want no part of it.
    • As a 'writer' you should be more cautious with words

      @genxanime ... You don't 'know' anything of the kind. WikiLeaks publishes leaked information. The DDoS irritations (that's all they amount to) are conducted by a group called "Anonymous" which claims to have "not much" connection with WikiLeaks.

      I've seen headlines today asserting that Facebook banned WikiLeaks. I'm looking at their Facebook page right now, not taken down.

      What appears to be the case is that some person or persons is trying to make WikiLeaks radioactive in the press by slander and innuendo, and one would think a writer would pay more attention to specifics.
      • Sure, HollywoodDog, someone is trying to

        "make WikiLeaks radioactive in the press by slander and innuendo", it's not like wikileaks would ever have something like this planned out ahead of time.

        My guess is that it's the US government that's behind these DDoS assaults as a way to make wikileaks look "radioactive"....
        John Zern
      • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

        The US Gov. would not directly do it, sub it out to the highest bidder.
        Say Russia or maybe China, no they would not do that??.
      • The Government has made Assange a martyr

        @HollywoodDog ... and emboldened the half of geeks on the planet who consider him a hero. It apparently doesn't take that much to launch DDoS attacks.

        If somebody can be held responsible for what third parties do claiming to represent him, then Jesus has some 'splainin' to do.
      • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

        I think it's more that it was rumored that Facebook would take them off line.
      • Correction

        @HollywoodDog not all DDoS attacks are performed by the group Anonymous. In fact a lot of people do it but just haven't done anything drastic. Thank you for understanding.
    • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

      @genxanime OK, a couple of things. One, DDoS attacks knock out Web sites, they don't do anything to the data within a site. Your information is safe from this kind of attack. Second, WikiLeaks is _not_ behind these DDoS attacks. I am sorry to report that WikiLeaks are not condemning these attacks.

    • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

      @genxanime First of all, anyone who claims to be a writer should double check his or her information before writing about it. WikiLeaks was not the ones conducting the DDOS attacks.

      As for PayPal, the DDOS attacks on it in revenge for dropping WikiLeaks, while illegal, were neither immimoral, nor unethical. The precedent of the Boston Tea Party makes this an approved method of dissent. Furthermore, it merely denied access, it didn't actually destroy anything, unlike the loss of the complete cargo of tea.
      • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down


        Practice what you preach. The article's author did NOT claim that WikiLeaks was "the ones conducting the DDoS attacks".

        But this error was not big enough for you: you had to put your foot in your mouth, showing you know nothing about ethics, by claiming that these attacks "were neither immimoral[sic] nor unethical". They were both -- as is your support for their evil deeds.
  • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

    No worries. This is a different kind of attack. Over-whelming their network or their Web-site with a DDoS isn't going to affect your data.

    It may, however, in the case of PayPal delay payments if the attacks kept up long enough. I doubt they will.

  • Anarchist Hypocrites

    These anarchist hackers claim it's not so much to support Wikileaks, but it's the battle for the issues of censorship and control on the Net.
    Coldblood, et al, are doing nothing other than censoring and attempting control of the beliefs of those that disagree with them. Sheer, shameless, unmitigated
    • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

      @preachjohn Yep. They're also doing WikiLeaks no good what-so-ever with their 'support.'

      • Hackers rarely help anyone

        except give legitimate hackers (those paid to find security issues) a bad name.
        John Zern
      • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

        @sjvn@... Oh, I wouldn't say no good. They make the service provided by Mastercard and Paypal take a lot longer, at least for information pages. That can piss off enough customers to have a financial impact.
  • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

    Best article I have read on this site in quite sometime. Very informative
    • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

      @jacjar1 Thanks!

  • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

    If the DDOS attack floods the data and occupies all the incoming bandwidth of the website, how can I defend?
    • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down


      You CAN'T! That is the problem with DDoS attacks, it's basically impossible the way that the internet is designed today to defend against these attacks.
      That does need to change, I agree sincerely with anyone who says that.
    • RE: DDoS: How to take WikiLeaks, MasterCard or any other Web-site Down

      @hellowiki

      the only "defense" against a raw bandwidth DDoS attack is to have more bandwidth than the attacker can waste, or to move out of the path of the attack.

      example: ISP A gives me a 10 M/s pipe, ISP B gives me a 2 M/s pipe. for normal circumstances, i use carrier A exclusively, and carrier B's connection is idle. DDoS attack comes in directed at my IP addresses. in response, i change my DNS pointers to use the IP block carrier B provides, shut down carrier A's router entirely, and post a message apologizing for slow response due to an ongoing DDoS attack on my sites. i notify ISP A, and ISP A starts the backtrace to try to find and stop the DDoS attackers, my users see the DDoS in progress message and have a valid explanation for why my sites are currently so slow.

      obviously that is a very simplified example, and would be easily nuked by an attacker that pays attention to the target, or if they attacked by DNS name rather than purely by IP address, but against raw bandwidth DDoS attacks, the only next step up is to start mangling routing tables to drop attacker packets at higher levels in the network than i can reach