Wednesday, February 05, 2014

DoS is not DDoS

Here is the thing about the Snowden Affair: however untruthful the NSA, the press has been worse. General Alexander is a liar, Glenn Greenwald is a worse liar. Every leaked article I read has gaping technical flaws.

The latest example is this story by Glenn Greenwald and NBC News claiming British intelligence performed a "DDoS" on Anonymous. To quote the article

"According to the documents, a division of Government Communications Headquarters Communications (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack." -- NBC News and Glenn Greenwald

This is wrong. The acronym "DDoS" doesn't stand for "denial of service" but "distributed denial of service". The extra 'D' in added to DoS is not an insignificant detail that can be glossed over in the article, escape a fact checker, or be reported without confirmation. DDoS would result in enormous collateral damage, but a mere DoS might not.

DoS, minus the extra D, means disabling the victim's computer. An example DoS is a "syn-flood", which is apparently the attack used in this story. A syn-flood can surgically disable just a single computer without affecting nearby computes.

DDoS, with the extra D, means using a network of many attacking machines, often in the thousands, to flood a victim. It's orders of magnitude worse, with two significant problems.

The first is that the attack computers are not owned by the attacker, but are instead computers spread throughout the Internet that the attacker has infected with a virus. When nation states to use this technique, it would mean that they would not only be hacking the "legitimate" target of the DDoS, but also thousands of innocents. It's possible for a nation state to invest a lot of money and rent thousands of instances throughout the Internet, and avoid infecting innocents with viruses, but the accusation of "DDoS" implies infecting the innocent -- it's not a detail the article could have glossed over.

The second problem is that the flood of traffic is so large hat it impacts intervening networks. If I compromise computers in Tajikistan (or simply rent instances in their data centers) to use as part of my DDoS against Anonymous, I'm going to slow down that entire country's Internet connection. If I'm targeting a member of Anonymous who is using a Comcast connection, I'm going to disable the Internet for everyone in that neighborhood. It's not the computers that are damaged by the DDoS, but all the intervening links. Everyone sharing those links will be effected.

The reason the word "DDoS" appeared in the NSA document is not because it was in fact a DDoS, but because the hacktivists described it as such. That's because hacktivists are largely unskilled teenagers with a very narrow range of expression. These kids do not know how to perform surgical DoS attacks themselves, but only know large-scale DDoS.

Assuming the target was an IRC server in a colo, then it's trivially easy to DoS with a syn-flood without effecting nearby machines. I can do it form my home network on Comcast that has 10-mbps upstream. The DoS would take down IRC but with zero collateral damage.

These PowerPoints that Snowden has been leaking were themselves written by non-technical people exaggerating the actions. With so many layers of non-technical people involved (the authors and the press) it's hard to say exactly what happened. It does appear that the GCHQ takes credit for syn-flooding, but everything else is speculation. The remainder of the Greenwald/NBC article is bunk.

As a technical expert, I question every Greenwald article I've read. He seizes every opportunity to exaggerate the vague breadcrumb's found in these leaked NSA powerpoints.

Disclaimer: I think I've created the world's fastest syn-flood tool. Here's how you'd run my port-scanner masscan to do a syn-flood at 15-million packets/second. You'd need to run it from an ISP that has a 10-gbps link but no egress filtering.

# masscan -p6667 --spoof-ip --source-port 0-65535 --rate 15000000

This would cause a lot of collateral damage, since you'd be running it from a 10-gbps link targeting networks with much slower links. You can run it slower in a method like the following:

# masscan -p6667 --spoof-ip --source-port 0-65535 --rate 10000 --banners

This second command assumes you own the entire subnet address space. With the "--banners" option, instead of sending just a SYN packet, it'll hold open the entire TCP connection, leaving it open for 30 seconds. Masscan can hold open more TCP connections (in this case, 16 million) than most servers. Thus, it wouldn't be the level of traffic that would cause the DoS, which causes collateral damage, but memory/CPU, which only effects the target server.

I point out these features of my tool to point out the vast difference between the 'experts' Greenwald could consult (hackers), and the type of 'experts' he actually consults (anthropology professors).


Michael Foukarakis said...
This comment has been removed by the author.
Roland Dobbins said...

Most DoS is DDoS, and most SYN-floods are DDoS. A DoS is typically a 'magic packet' or 'magic transaction' or somesuch which impacts the availability of the targeted system/service/app; a DDoS attack is a stream of packets/transactions/queries/requests which attempts to impact the availability of the target due to exhaustion of capacity and/or state.

SYN-floods can cause collateral damage for shared-hosting sites, for 'cloud' deployments, for VPS, etc.

It is outrageous for governmental agencies to be launching DDoS attacks; they are *not* surgical and they can cause significant collateral damage near the emission point, on intermediate networks, on hosts/apps/services located coterminously with the target, on ancillary subsystems like DNS, databases, etc.

For example, if I SYN-flood a Web site to the point that it can't respond to legitimate requests, then folks (and their browsers) are going to keep hammering away and trying to reload, which is going to cause the same DNS requests to go out over and over again, and depending upon the cache timeout of the recursive resolvers in question, put more load on the authoritative server for the domain in question - which may be providing authoritative DNS services for 10,000 other unrelated domains, and therefore impact resolution times for those sites, as well.

That's just a simple example. Yes, there's a lot of bragging and exaggeration, but even so, no government agency should be launching DDoS attacks (your DoS/DDoS dichotomy is incorrect, per my previous comments); the collateral damage is too great, without any lasting benefits.

Stripes Cat said...

General Alexander is a liar, Glenn Greenwald is a worse liar. Every leaked article I read has gaping technical flaws.

A liar or merely misinformed? I agree, they shouldn't be so, but there's no point in lying over such a detail that the general public will not distinguish between.

Allen Garvin said...

Wow, I'm glad I came here (via an article on the NBC story). This tool is exactly what I need. For years, I've been scanning small parts of our 10/8 with nmap to keep track of new ports opened--it pretty much runs all day long to do so, so I only do it on a few important network segments, and then only for select ports. Once I patch it so it can feed the output into my mysql db, I can replace the current thing completely.

Thank you.