Counter-Attacking DDOS Zombies
In this article, I will discuss a non-standard approach to fighting DDOS zombies. This approach is theoretical and based on some assumptions about the nature of DDOS attacks. Disclaimer: This method may not be entirely legal, so it is presented for informational purposes. (wink)
As background, I highly recommend the following article about the programmers who deflected the DDOS attacks against the sportsbooks last year: http://prolexic.com/news/20050501-csomagazine.php
DDOS stands for Distributed Denial of Service. It is "distributed" in that there are many (hundreds or thousands) of computers attacking your site, eating resources and effectively blocking (denying) service to your customers.
The hackers build "zombie armies" by taking control of home computers through viruses or unprotected ports. They then "command" the zombies to attack specific websites or addresses.
For the hackers to start, stop and redirect attacks, they must have some means of communicating with the zombies. For an army of 10,000 to 20,000 machines (very large, and the size used against the sportsbooks), the hacker is NOT going to contact each machine to command it, and probably cannot. If the zombies spread themselves like a virus, then the hacker has no "list", and the dial-up users will have different addresses each time anyway. Therefore, the zombies must "check in" periodically for new orders. An analysis of the attack pattern may give some clues to the delays in the command and control structure. If all the books got together to form a timeline of attacks, they could probably map the switchovers from one book to the next.
Most likely, the zombies read a webpage with simple text instructions regarding the attack (where, when, how long and standing orders). The zombies may have a built-in list of IP addresses, and the instructions may include newer lists. It would be nice if we could disrupt the command and control!!
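As an added illustration of the timeline idea above (example code, not from the original article; the site names, attack windows and instructions-page change times are constructed), this script pools the attack windows several books report, measures the hand-over from one target to the next, and uses the times at which a monitored instructions page changed to estimate how often the zombies check in:

```python
from datetime import datetime
from statistics import median

# Constructed timeline (hypothetical site names and times, not from the article).
# Each sportsbook reports when attack traffic first appeared and when it stopped.
ATTACK_WINDOWS = [
    ("book-A", "2005-05-01 00:00", "2005-05-01 06:05"),
    ("book-B", "2005-05-01 05:32", "2005-05-01 12:12"),
    ("book-C", "2005-05-01 11:38", "2005-05-01 18:00"),
]
# Constructed times at which a monitored instructions page was seen to change
# (the kind of record you would get from watching a captured zombie's traffic).
ORDER_CHANGES = ["2005-05-01 05:30", "2005-05-01 11:35", "2005-05-01 17:25"]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def minutes(delta):
    return int(delta.total_seconds() // 60)

def switchover_overlaps(windows):
    """Length of the hand-over from one target to the next, in minutes.
    Zombies on a fixed check-in schedule pick up new orders at different
    moments, so the old target keeps seeing traffic while the new one ramps
    up; the overlap approximates one check-in interval."""
    w = sorted((parse(s), parse(e), name) for name, s, e in windows)
    return [(w[i][2], w[i + 1][2], minutes(w[i][1] - w[i + 1][0]))
            for i in range(len(w) - 1)]

def drain_delays(windows, changes):
    """Minutes from an order change until traffic at the previous target stops.
    The last zombie to check in defines this, so it bounds the interval."""
    ends = sorted(parse(e) for _, _, e in windows)
    out = []
    for c in map(parse, changes):
        later = [e for e in ends if e >= c]
        if later:
            out.append(minutes(later[0] - c))
    return out

def estimate_checkin_interval(windows, changes):
    """Median drain delay; compare it with the overlaps as a sanity check."""
    delays = drain_delays(windows, changes)
    return median(delays) if delays else None

if __name__ == "__main__":
    for old, new, overlap in switchover_overlaps(ATTACK_WINDOWS):
        print(f"{old} -> {new}: {overlap} min overlap")
    print("estimated check-in interval (min):",
          estimate_checkin_interval(ATTACK_WINDOWS, ORDER_CHANGES))
```

If the overlaps and the drain delays disagree widely, the zombies probably do not poll on a single fixed schedule, and the timeline needs finer-grained data before it says anything about the command structure.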
The counter attack requires access to a zombie or two (okay, not trivial, but not impossible). You will also need a good programmer with hacker skills.
First of all, ISPs don't like zombies either. Take a few of the attacking IP addresses and start contacting ISPs (or have your ISP do it). For cable/DSL, the ISP can identify the home owner by IP address. Get them to send a technician out to a few homes to identify and isolate the zombie program and send it to you. (For enough money, you can get someone to do this, or you can threaten to sue them for complicity in the attack.)
If you can get your hands on a zombie, you can track all the commands that come to it. There is now the possibility of hijacking the command and control if you can locate the websites. If you are lucky, you can get the host of the website to cooperate. Possibly, they will agree to replace the "instructions" page with new instructions that will shut down the zombies, or re-point them to a website you control, thus breaking the chain. Also, by monitoring the hacker updating the original instructions page, you might be able to track him down as well.
Variation on this method: some of the IP addresses may lead you to websites or other means to identify the owners yourself. Try contacting them directly, warn them of the problem, and offer a reward for cooperating with you. (How much is it costing you to be down and to beef up your bandwidth?)
Now, for the potentially illegal method (kids, don't try this at home)....
If you can't find a cooperating ISP, try hacking the zombie computers directly. If they've got a zombie on them, then they are probably not well protected. Start running the list of IP addresses that attacked you through hacker software until you get into a few machines. Find the zombie program and try to disrupt the command and control chain as described previously.
Zombies could spread either by email or by the virus scanning random IP addresses for new machines with open ports and a known exploit. If you can determine that it was by scanning a specific port (e.g. port 1234), then you can really do some punitive damage to the hacker!!
Write your own hack (or get one from some hacker bulletin board) to take control of that port yourself and disable the zombie. Even better, something that will install the patch or tell the owner how to get anti-virus software or updates to fix the computer. Now, the beauty of this is: when the hacker throws his valuable 20,000 zombie army at you, you pick off each address as it comes in and send the code to disable the zombies. The more he attacks you, the weaker his army becomes and the less able he is to attack the next sportsbook. Since it takes him a while to re-command the zombies, you could wipe him out before he knows what hit him.
My entire approach is different from the current methods of absorbing the attack and leaving the zombie army intact and free to evolve new attack patterns. Both of my methods attempt to destroy the army or the ability to control it.
The methods do require someone with serious programming skills in this area. There is also the ethical/legal dilemma of hacking a computer that is attacking you (especially when law enforcement is not willing/able to help you).
Next Week(s): Poker Bots.