What is a Distributed Denial of Service Attack?

Trojans are often used to launch Distributed Denial of Service (DDoS) attacks against targeted systems, but what is a DDoS attack and how is it carried out?

At its most basic level, a Distributed Denial of Service (DDoS) attack overwhelms the target system with data, such that the target system’s response slows down or stops altogether. In order to create the necessary amount of traffic, a network of zombie or bot computers is most often used.

DDoS, zombies and botnets

Zombies or botnets are computers that have been compromised by attackers, usually through the use of Trojans, allowing these compromised systems to be controlled remotely. Collectively, these systems are manipulated to create the high flow of traffic necessary to create a DDoS attack.

The use of these botnets is often auctioned off and traded between attackers, so a compromised system can be under the control of multiple criminals, each with a different purpose in mind. Some attackers may use the botnet as a spam relay, others as a malware download site, some to host phishing scams, and others for the aforementioned DDoS attacks.

How does a DDoS attack happen?

Various techniques can be used to facilitate a distributed denial of service attack. Two of the most common are HTTP GET requests and SYN Floods. One of the most notorious examples of an HTTP GET attack was the MyDoom worm, which targeted the SCO.com website. The GET attack works as its name suggests – it sends a request for a specific page (usually the home page) to the target server. In the case of the MyDoom worm, 64 requests were sent every second from each infected system. With tens of thousands of computers infected by MyDoom, the attack quickly overwhelmed SCO.com, which took it offline for several days.

A SYN Flood is basically an aborted handshake. Internet communications use a three-way handshake. The initiating client initiates with a SYN, the server responds with a SYN-ACK, and the client must respond with an ACK. Using spoofed IP addresses, an attacker sends the SYN, which causes the SYN-ACK to be sent to an unsolicited (and often nonexistent) address. The server then waits for the ACK response without success. When a large number of these aborted SYN packets are sent to a target, server resources are depleted and the server succumbs to SYN Flood DDoS.

Various other types of DDoS attacks can also be launched, including UDP Fragment Attacks, ICMP Floods, and the Ping of Death.