Recent DDoS attacks on various business and organizational websites in Vietnam have left victims frustrated, as they find themselves unable to counter or trace the perpetrators. We spoke with Roberto Preatoni and Carole Theriault, two renowned international security experts, about this issue.
– When did DDoS attacks become a common attack method?
Roberto Preatoni is the founder of the renowned security forum Zone-H (http://www.zone-h.org/), known by the nickname SyS64738. He is also the CEO of Domina Security, a security systems company operating in several European countries. Preatoni is a respected speaker at many annual international security conferences such as Defcon (USA).
Roberto Preatoni: Since the late 1990s. This activity began when some security experts, while discovering vulnerabilities in the Windows 98 operating system, found that sending a large ping data packet could be enough to incapacitate a target server. This discovery was soon exploited by hackers to disable their intended targets. Thus, the primitive form of DoS (Denial of Service) was born. Meanwhile, DDoS (Distributed Denial of Service) relies on sending a ping command to a list of multiple servers (this method is called an amplifier, which amplifies the target bandwidth), disguising it as a ping packet so that the original IP address is masked with the victim’s target IP. When the servers respond to this ping request, they flood the victim with responses (called pong).
Carole Theriault is currently a senior security technology advisor at Sophos (UK). She is also a reputable consultant at various security forums and magazines worldwide.
Carole Theriault: DDoS originated from the primitive form of DoS. DoS is less dangerous because system administrators can often identify and block the troublesome host machine. In contrast, DDoS uses multiple distributed sources to coordinate attacks on the target. It is very difficult to identify which connections are legitimate and which are hostile.
– How is a typical DDoS attack initiated?
[Photo: Carole Theriault]
Carole Theriault: An access request is sent to the server. The server authenticates and then waits for that command to confirm the aforementioned authentication before allowing the user’s computer to access it. In DDoS attacks, the server is overwhelmed by access requests from a massive number of connections originating from non-existent addresses, meaning the server cannot find legitimate users wanting to access. When the volume of access requests becomes too large, the server is flooded and cannot process the requests it is being asked to handle. Some types of viruses and malware have also caused DDoS attacks. The first cases were large-volume email viruses like Loveletter and Melissa, which flooded mail servers, preventing them from processing valid requests. Nowadays, many types of Internet worms exploit vulnerabilities in computers (for example, the Sasser virus in 2004) to flood Windows machines with flaws, preventing PCs from downloading patches.
[Photo: Roberto Preatoni]
Roberto Preatoni: Generally, attackers often take control of a computer remotely by exploiting some vulnerability. This computer (which later becomes part of the botnet used for DDoS attacks) will have a hidden process installed to ensure it remains connected in a secret chat room where the author gives it commands. This computer also scans the Internet for other vulnerable computers, infecting them with remote control software so that all newly compromised machines join the aforementioned chat room and are ready to receive commands from the hacker or continue searching for other faulty PCs on the Internet. Typically, within a few days, this botnet can grow from one to hundreds or thousands of members. Once this force is strong enough, they are used simultaneously to execute attack commands against the target at the author’s will. The target will disappear from the network, meaning it is completely offline. At the same time, all interactive activities of the victim on the Internet also stop.
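The incomplete-handshake pattern Carole Theriault describes above (a server holding connections open while it waits for confirmations that never arrive) can be spotted by replaying connection events and counting half-open handshakes per server. The following Python monitor is an added example, not code from the interview or from either expert; the event format, the addresses and the threshold are constructed for the demonstration.

```python
# Added example (not from the interview): a minimal half-open TCP connection
# monitor. Event format, addresses and the threshold are constructed.
from collections import defaultdict

SERVER = "198.51.100.10"          # constructed: the web server being watched
HALF_OPEN_THRESHOLD = 5           # constructed: tune to the real backlog size

# Constructed connection events as (src, dst, flags), in arrival order.
# "S"  = SYN from a client, "SA" = SYN-ACK from the server, "A" = the client's
# final ACK that completes the handshake.
SAMPLE_EVENTS = [
    # two clients that complete the handshake
    ("203.0.113.5", SERVER, "S"), (SERVER, "203.0.113.5", "SA"), ("203.0.113.5", SERVER, "A"),
    ("203.0.113.9", SERVER, "S"), (SERVER, "203.0.113.9", "SA"), ("203.0.113.9", SERVER, "A"),
    # six sources that send a SYN and never answer the SYN-ACK: the server keeps
    # each of them as a half-open entry until it times out
] + [(f"192.0.2.{i}", SERVER, "S") for i in range(1, 7)] + [
    # an unrelated server with one normal connection
    ("203.0.113.5", "198.51.100.20", "S"), ("198.51.100.20", "203.0.113.5", "SA"),
    ("203.0.113.5", "198.51.100.20", "A"),
]


def analyse_handshakes(events):
    """Replay events and return, per server, the number of completed and
    half-open handshakes plus the set of sources that left one incomplete."""
    state = {}  # (client, server) -> "half_open" or "established"
    for src, dst, flags in events:
        if flags == "S":
            state.setdefault((src, dst), "half_open")   # retransmitted SYNs count once
        elif flags == "A" and state.get((src, dst)) == "half_open":
            state[(src, dst)] = "established"
        # "SA" is the server's reply; it does not change the client's state
    stats = defaultdict(lambda: {"completed": 0, "half_open": 0, "half_open_sources": set()})
    for (client, server), st in state.items():
        if st == "established":
            stats[server]["completed"] += 1
        else:
            stats[server]["half_open"] += 1
            stats[server]["half_open_sources"].add(client)
    return dict(stats)


def flag_servers(stats, threshold=HALF_OPEN_THRESHOLD):
    """Servers whose half-open count reached the threshold. A high count spread
    over many distinct sources, each with a single dead handshake, matches the
    'non-existent addresses' pattern rather than one slow client."""
    return sorted(s for s, v in stats.items() if v["half_open"] >= threshold)


if __name__ == "__main__":
    stats = analyse_handshakes(SAMPLE_EVENTS)
    for server, v in stats.items():
        print(server, "completed:", v["completed"], "half-open:", v["half_open"],
              "distinct half-open sources:", len(v["half_open_sources"]))
    print("flagged:", flag_servers(stats))
```

On the constructed sample the watched server ends with two completed handshakes, six half-open ones from six different sources, and is flagged; the second server is not. In a real deployment the events would come from a packet capture or the kernel's connection table, and the threshold would be tied to the server's listen backlog.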
– How many types of DDoS have been recorded to date?
Roberto Preatoni: In general, denial of service attacks can be grouped into several types: HTTP flood (web address attacks), Database flood (database attacks), TCP/IP protocol flood (TCP/IP protocol attacks), Bandwidth flood (bandwidth attacks), Mail bombing (email attacks), SMS bombing (SMS attacks).
Carole Theriault: Specific classification is very difficult. Some experts say there are three types. Many others believe there are up to twelve. The key characteristic of DDoS is to overload systems, paralyzing services and preventing us from processing legitimate transactions. Therefore, in my opinion, DDoS can be viewed in forms such as Internet Control Message Protocol (ICMP) attacks, flooding User Datagram Protocol (UDP), flooding Transmission Control Protocol (TCP), and application attacks through vulnerabilities…
– What is the general situation of DDoS on the Internet in recent years?
Roberto Preatoni: Denial of service attacks continue to increase and are becoming more common among younger hackers, who enjoy the thrill of conquest, and are also very popular in the cybercrime community, who relish the scent of money made from these activities.
Carole Theriault: Indeed, while some DDoS attacks are merely disruptive, many cases are extortion activities. As e-commerce grows, businesses increasingly rely on their websites, making them more susceptible to extortion whenever criminals attack their sites and demand payment. It is difficult to determine the extent of financial damage in this manner, as most victim businesses choose to pay and keep the matter quiet because they do not want to attract negative publicity. In the future, such attacks will continue as long as the potential for profit exists. Many well-known websites globally, such as those of Google and Microsoft, have been victims of DDoS attacks multiple times.
– So what should be done to counter DDoS?
Roberto Preatoni: You can only mitigate the intensity of the attack. There is no countermeasure unless your website is hosted on expensive and powerful systems like Akamai. Tightening database, application, and firewall management can help prevent many denial of service attacks, or at least reduce the impact on the website but not prevent destructive attacks.
Carole Theriault: It is essential to use a protected system, with applications regularly updated with patches, and to establish proper firewalls to filter data packets and prevent unauthorized third parties from accessing the system. Using updated antivirus software is also advisable.
When under attack, you can also increase bandwidth, although this is a very costly solution. In countries with developed IT infrastructure, there are many companies that offer this service in emergencies or during peak access hours when bandwidth needs to be enhanced.
Another measure is to set up a monitoring router on the network to detect before a data stream reaches the web servers of the website. This router will filter outgoing data packets and ensure that the source IP address of all those packets is balanced with the company’s IP address range and is not spoofed.
However, the best place to prevent denial of service attacks is not within the company’s network but at the ISP (Internet Service Provider). For example, they can limit the bandwidth of a specific data stream at any time. Unfortunately, not all ISPs engage in this practice. Perhaps it is best for businesses to discuss security website protection with their ISPs before signing contracts with them.
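The two defensive controls in Carole Theriault's answer, a router that checks the source address of every outgoing packet against the company's own address range and an ISP-side limit on the bandwidth of a single data stream, can both be expressed in a few lines. The following Python is an added example, not code from the interview or from either expert; COMPANY_PREFIXES, the sample packets and the rates are constructed for the demonstration.

```python
# Added example (not from the interview): an egress anti-spoofing filter for
# the monitoring router described above, plus a per-flow token bucket that
# models a provider limiting the bandwidth of one data stream. Address ranges,
# packets and rates are constructed.
import ipaddress
from collections import defaultdict

# Constructed: the address block the company actually owns (TEST-NET-3).
COMPANY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def is_spoofed_source(src_ip, prefixes=COMPANY_PREFIXES):
    """True when an outgoing packet's source address is outside our own ranges.
    Such a packet cannot legitimately originate here, so it is either a
    misconfigured host or a compromised machine flooding someone else with
    forged source addresses."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=COMPANY_PREFIXES):
    """Split (src, dst, size_bytes) packets into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed_source(pkt[0], prefixes) else forwarded).append(pkt)
    return forwarded, dropped


class FlowRateLimiter:
    """Token bucket per (src, dst) flow: each flow may use at most `rate`
    bytes per second on average and `burst` bytes at once. Throttling one
    stream this way leaves every other flow untouched."""

    def __init__(self, rate_bytes_per_sec, burst_bytes):
        self.rate = rate_bytes_per_sec
        self.burst = burst_bytes
        self.tokens = defaultdict(lambda: burst_bytes)
        self.last_seen = {}

    def allow(self, flow, size_bytes, now):
        """Refill the flow's bucket for the elapsed time, then spend tokens
        if enough remain; otherwise the packet is dropped (False)."""
        elapsed = now - self.last_seen.get(flow, now)
        self.tokens[flow] = min(self.burst, self.tokens[flow] + elapsed * self.rate)
        self.last_seen[flow] = now
        if self.tokens[flow] >= size_bytes:
            self.tokens[flow] -= size_bytes
            return True
        return False


# Constructed outgoing traffic: three packets with legitimate sources and two
# whose source address was forged by an infected host inside the network.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.1", 1200),
    ("203.0.113.11", "198.51.100.1", 800),
    ("192.0.2.77", "198.51.100.1", 1500),    # forged: not one of our addresses
    ("203.0.113.12", "198.51.100.2", 400),
    ("198.51.100.9", "198.51.100.1", 1500),  # forged: not one of our addresses
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets, dropped {len(drop)} spoofed packets")
    limiter = FlowRateLimiter(rate_bytes_per_sec=1000, burst_bytes=1500)
    flow = ("203.0.113.10", "198.51.100.1")
    print([limiter.allow(flow, 1000, t) for t in (0.0, 0.0, 1.0)])  # [True, False, True]
```

The egress check only stops forged traffic leaving this network; it does nothing against packets arriving from elsewhere, which is why the answer above places the most effective filtering at the ISP. The token bucket shows the shape of that provider-side control: one flow that exceeds its allowance is dropped while its bucket refills, and other flows keep their full capacity.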
Phan Khương