# INFO FOR NOVEL: Dos and DDos attack



## Phase (Nov 10, 2015)

Hi all! 

I need some info on how DoS and DDoS attacks work. I have an idea about what it entails, but I just want to polish my knowledge. Also, I'm particularly interested in how you can track a DoS or DDoS attack to a certain relative location... just a simple explanation of how that works will go a long way!!! THANKS


----------



## Bishop (Nov 10, 2015)

DoS attacks and DDoS attacks are the network equivalent of blasting a firehose through a funnel. They shove packets of information (in some cases... there's actually a LOT of different ways to do this) into a network to force it to its limit.

DoS is usually one IP or one source that pushes data packets to a target network and floods it with ping packets, invalid logins, etc etc..., whatever type of data the attack takes the form of, and makes the network so bogged down that it can't continue its normal functions due to lack of bandwidth. DDoS attacks are the same thing, but are done from multiple IP addresses or source computers. 

These usually are done through rented servers and computers. You can rent them in other countries, connect into them using a VPN service, and then launch the attack from those IP addresses. That way, legally, US investigators (or wherever...) can't trace beyond that country--at least not legally. International law prohibits such international investigations (MOST of the time).

IP tracing is done through internet providers, generally. I get my internet from X company, and they have server records of what IPs are connecting to it, so you can get a general idea of its physical path based on where it goes. When I send data, it goes from my local IP, to a series of IPs as it travels the network, say from my office here to my company's London office. It goes from my IP, to my company's local servers, then out to our internet provider's servers, across the pipeline, over the Atlantic... hits the London server, you get the point. It's more complex than that, but that's a good basic idea of it anyway.

It's an incredibly crude tactic, and does little more than temporarily (or permanently in some rare, very skilled cases) down the network. As noted, rarely some people have the ability to so severely damage the network's software/firmware infrastructure as to require the network hardware to be completely replaced or rebuilt (not physically rebuilt--it causes no physical damage but can destroy BIOS systems on some of the network gear). This is usually done by punk hackers trying to get revenge or prove some altruistic point. Artful hackers with goals rarely use this type of tactic because they want access, which this specifically prohibits. It's the hacking equivalent of beating the target with a club. Usually, it's done by black software or malware specifically designed for this purpose that the hackers purchase--they rarely build this sort of program from scratch like you see on TV.

Let me know if you want more detail, but that's kind of the gist of it. You shove so much information into their network that it can't handle anything else.

EDIT: I probably should mention, the reason I know this is that I work IT Architecture for a financial firm, and security and defense is one of my responsibilities (along with a security team, of course).


----------



## Phase (Nov 11, 2015)

BISHOP, BISHOP, BISHOP ...  I don't know how to thank you, literally you've just posted the answer to every question I've been wondering about for months. You, my friend, are a legend... 

TRUST IN THE WF COMMUNITY TO GIVE YOU THE ANSWERS TO ANYTHING AND EVERYTHING


----------



## Aquilo (Nov 11, 2015)

Great post, Bishop!


----------



## Bishop (Nov 11, 2015)

I'm happy to help; this is my job after all! IT is one of the few things I'm actually pretty decent at!


----------



## Phase (Nov 11, 2015)

Bishop, how would you go about getting the DoS attacker's ISP name? Is that where macroscopic and microscopic tracebacks come in (googled it, not sure if it's called that), and can you perhaps give me a small explanation of it, in layman's terms if possible?


----------



## Bishop (Nov 11, 2015)

Phase said:


> Bishop, how would you go about getting the DoS attacker's ISP name? Is that where macroscopic and microscopic tracebacks come in (googled it, not sure if it's called that), and can you perhaps give me a small explanation of it, in layman's terms if possible?



Short answer is that there's places on the web you can just input an IP address and it will query ISP databases to see which one hosts it. This is what 99.99% of people would do, and in fiction or movies is often the most glossed-over part of the process (of course, in TV they always seem to be able to narrow the IP address down to the exact ROOM the computer is in, which is impossible... it's more like being able to see what city the address is in).

Bear in mind, there are ways to spoof (fake) IP addresses, as well as hijack them from reputable sources, or just hide behind proxy services. These make getting an accurate location nearly impossible, and often are dead-ends for investigators.

So let's say I pull off a DoS attack. I'm going to use a ping flood (where you flood a target IP address with ping requests--requests that send packets of test data--with so many ping requests that it floods the network). I set up a VPN to a neutral location, maybe in the Baltics somewhere, where I'm renting a server set. I'm using that server set for a proxy connection, so it appears that I'm doing it from there. I flood the server with ping requests and crash it. A ping request (and any data packet at all) gets logged. Even if I break the target's network infrastructure completely, there's still log data showing the IP address(es) that I sent those ping requests from. They then--literally--just need to google "find IP address location" (there are more professional and robust programs/services that do this--most security/antivirus software, for instance, does this automatically by default when it sees IPs) and a dozen services come up where they input the IP from the log data and it pops the ISP for my proxy, therein showing a general location--that location in the Baltics.

From the victim side, when an attack comes in on our company, we can usually trace it to somewhere in Eastern Europe by its IP address (which our security programs provide for us). Most attacks we get are phishing scams, sending emails from SMTP (Simple Mail Transfer Protocol) servers trying to get our userbase to reply or open malicious attachments and thereby getting a hook into our network--this is also the reason major corporations don't let users have administrative rights on their PCs. If Joe Schmo in HR opens a dirty email, and has admin rights, the email's nasty attachment might pull his administrative credentials and thereby get administrative rights on our networks--and, as Bill Murray says in Ghostbusters: "And that's bad..." We generally do not get DoS or DDoS attacks, because there's nothing to be gained from an outside source taking down our network. If they did, we have enough redundant systems that the outage would be very temporary, and because we have multiple server locations, very little would actually be interrupted within the company. Even then, it would just be a slap in the face--most malware/hackers/black-hat technicians are in it for money. Rarely does a DoS or DDoS attack result in profit.
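Added example, not code from anyone in this thread: Bishop's two points above (a flood that saturates the target, and the victim's logs still holding the source IPs that then go to an ISP lookup) shown from the defender's side. It runs a per-IP sliding-window request count over a constructed web-server access log and sorts the flagged sources into ones an ISP/WHOIS lookup could attribute and ones that sit inside the victim's own network; the log lines, threshold and window are my assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed access log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [11/Nov/2015:10:00:01 +0000] "GET /about HTTP/1.1" 200 900
203.0.113.7 - - [11/Nov/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [11/Nov/2015:10:00:02 +0000] "GET /login HTTP/1.1" 200 300
203.0.113.7 - - [11/Nov/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [11/Nov/2015:10:00:03 +0000] "GET /login HTTP/1.1" 200 300
10.0.0.5 - - [11/Nov/2015:10:00:04 +0000] "GET /login HTTP/1.1" 200 300
203.0.113.7 - - [11/Nov/2015:10:00:04 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [11/Nov/2015:10:00:05 +0000] "GET /login HTTP/1.1" 200 300
198.51.100.20 - - [11/Nov/2015:10:00:40 +0000] "GET /contact HTTP/1.1" 200 700
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')   # source IP and timestamp
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def find_floods(log_text, window_seconds=10, threshold=3):
    """Return {ip: peak requests within any window} for IPs over the threshold."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamps[m.group(1)].append(
                datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    floods = {}
    for ip, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[ip] = peak
    return floods

def triage(floods):
    """Split flagged IPs into (outside the LAN: worth an ISP lookup, inside: local host)."""
    outside, inside = [], []
    for ip in floods:
        addr = ipaddress.ip_address(ip)
        (inside if any(addr in n for n in INTERNAL) else outside).append(ip)
    return sorted(outside), sorted(inside)
```

An "outside" hit is the address you would feed to an ISP lookup, with the spoofing and proxy caveats Bishop mentions; an "inside" hit points at a machine on your own network rather than anything an ISP can help with.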


----------



## Phase (Nov 11, 2015)

Awesome. I guess a DoS attack won't be able to crash a website server, right? Or is it possible? Also, how many IPs send data packets in a DDoS attack that is capable of shutting a website server down for a few hours?


----------



## Bishop (Nov 11, 2015)

Phase said:


> Awesome. I guess a DoS attack won't be able to crash a website server, right? Or is it possible? Also, how many IPs send data packets in a DDoS attack that is capable of shutting a website server down for a few hours?



A DoS attack certainly can crash a website. If properly executed, it can flood the site's host server and force a crash. Websites are easier to restore from such an attack than other potential targets, but it's very very possible.

The number and size of packets required is incredibly hard to say. The reason is that it depends on the state of the defenses of the target as well as the available network bandwidth. Like how it takes only a little bit of concrete to seal up a water pipe, but a LOT of concrete to seal up a highway tunnel. If you're writing one of these into a work of fiction, I would recommend steering away from giving specific numbers like that; while it could increase the accuracy of your book's information, it is information that the average reader wouldn't bother to learn, and those that know about IT might question it at its face value. As for the IPs in a DDoS attack, it can be anywhere from two IPs to thousands, depending on the resources of the attacker and how large the target is.

So, in practical terms, shutting down Google.com would require an insanely high DDoS attack, and their defenses are state of the art and would likely recognize the threat before it got too big. But MomAndPop.com might be a locally hosted, single-server site and might only take a minimal amount of data flood to overload. Basically, the size and strength of the dam dictates how much water/pressure is needed to break it.


----------



## pgbthewriter (Nov 11, 2015)

Bishop said:


> Basically, the size and strength of the dam dictates how much water/pressure is needed to break it.



I also work in ICT security; I love this example.


----------



## Phase (Nov 11, 2015)

Bishop said:


> If you're writing one of these into a work of fiction, I would recommend steering away from giving specific numbers like that; while it could increase the accuracy of your book's information, it is information that the average reader wouldn't bother to learn, and those that know about IT might question it at its face value. As for the IPs in a DDoS attack, it can be anywhere from two IPs to thousands, depending on the resources of the attacker and how large the target is.



Great, thanks Bishop. Yeah, I'm staying away from the numbers; I just needed to know the least number of IPs required to be able to crash a website and whether or not a DoS attack would be able to do it, and that's one.

So with regards to my novel, the character's website can get DoS-ed and he can retrieve the IP or multiple IPs from the logs, look the IP(s) up on an ISP lookup site and get a relative location for the IP address(es) along with the ISP name(s). From there the character can go to the listed ISP(s) and try to get further information on that IP. The DoS attacker would also not have had a VPN obscuring his true IP address.

Does this seem right?  

Thanks a lot Bishop


----------



## Bishop (Nov 11, 2015)

If your attacker didn't have a VPN or proxy or masking on his IP address then IT readers would think him an amateur--obviously not a problem if the character is, but something to think about!

Now, let's say it happens as you say; your character gets the ISP and a general area of the log. Tracking it down to a specific computer is a bit tougher, but the ISP CAN do this. So if he were to get in contact with the ISP and determine a more narrow scope, they'd be able to provide him with an address; the question is WOULD they. Likely not, unless it was part of a police investigation and a warrant was involved. Companies are usually hesitant to give up customer information.

Now, if your victim is a really savvy hacker in his own right, he may be able to pull further information from the ISP's database using seedy means of his own, but that's another type of hacking altogether!


----------



## TJ1985 (Nov 11, 2015)

I'll confess that you guys are talking about subatomic particles whilst I am mystified by blue belly-button lint when I haven't worn blue. That said, it might not be a bad idea to read up on the oopsie of the website associated with "Obamacare" as it was all over the news when it went live and then went blooey. I'm thinking if a single person could somehow convince the server that it was getting that kind of loading, the server would have no other option but to... pitch a hissy fit and take a break for a few months.


----------



## Bishop (Nov 12, 2015)

TJ1985 said:


> That said, it might not be a bad idea to read up on the oopsie of the website associated with "Obamacare" as it was all over the news when it went live and then went blooey.



While I've not personally researched it, this type of situation is basically an inadvertent DDoS attack. Basically, they didn't build the server structure with the right number of initial users in mind. The same thing happens with video games (sadly) often enough, where on release day none of the online features work because the servers are overloaded with people trying to play.


----------



## Phase (Nov 12, 2015)

Yeah, the ISP probably won't give him the details, but I'll find a way around it. The setting is South Africa, the place where a few connections can get you anything.


----------



## aj47 (Nov 12, 2015)

The ISP may assign a price to the info.  Just saying.  And you don't need the ISP--you can socially-engineer an ISP employee to get that info--if it's the right employee.  

I used to run an ISP.  I don't know what level of tech South Africa has in your story--whether it's dial-up or cable or 4G or what.  However, in any case, the ISP knows because sometimes service charges depend on that information.  Like with a typical cellphone data plan -- they have to know who you are and how much data you're using to charge you (or not, depending if you're over/under your contractual limit).


----------



## Joe_Bassett (Nov 12, 2015)

This is so informative!


----------

