Who are the players in this (DoS) Attack Drama?

Now that we have learned how to detect a denial of service attack, let's learn about all the players in this drama, so that we know whom to contact, understand who the other victims are (and avoid making their situation even worse), and are better able to enlist their cooperation in fighting the attack. As you will see, we can fight the attack even without the help of these other players, but sometimes notifying others of the hacker's activity can mitigate the attack in the short term.

In this section, I will lay out a possible sequence of events. Note that there are many variations on this story, so use your imagination as you read on.

Let's start with the hacker who is launching a Denial of Service (DoS) against your website. This type of attacker is most likely a Script Kiddie. This person likely has limited computer abilities, and is using scripts and programs written by others with far greater computer skills. As mentioned previously, trying to understand the motives of this person is a waste of time, and there will likely be little ROI in tracking him down, but the techniques I outline may help you hunt him down if you are still so inclined.

The Script Kiddie needs well-written, easy-to-use programs and scripts to commit his vandalism against your site. Most often, these scripts have been written by others. To find vulnerabilities in your website, he might use legitimate, easy-to-use security software to scan your machine. This software was written by skilled software engineers to scan your machine for vulnerabilities with the idea that you will then know what you need to fix or mitigate. The Script Kiddie depends on the fact that you are not periodically running security scans against your own computer, so that he can run the scan and find the vulnerabilities before you do.

The security scan will likely give references to the vulnerabilities found. For example, here is a list of Microsoft Security Bulletins. Many companies have sites like this that list previous vulnerabilities. Here is a typical life-cycle of one of these security bulletins:

  1. Someone inside or outside the company discovers a vulnerability. This might be because they are actively looking for vulnerabilities, or it might be that they are debugging a computer problem, and notice that the cause of their technical difficulty could be exploited by a hacker. The person who discovered this vulnerability is likely a highly-skilled programmer with a great knowledge of security and/or operating systems. He or she may write a script or program which shows how the new-found vulnerability could be exploited.
  2. Having learned of the potential exploit, the company investigates and releases a hotfix, patch, or "update" for the problem. The company (and a host of other security companies) then post a bulletin or announcement about the potential exploit.
  3. At some point, the company may create a "Service Pack" which includes a whole bunch of updates, security and otherwise. If you are a Windows user, you may have noticed that on the second Wednesday morning (after Super Tuesday) of the month, you often find that your machine has rebooted because it installed some updates. All (good) software companies release these updates, and it is very important that you keep your OS and installed software up-to-date to avoid attacks that utilize exploits against these well-known problems.
  4. Hopefully, most companies install these updates, but some don't, for various (stupid) reasons, leaving themselves open to attack. A Script Kiddie depends on people not installing software updates so that he can use scripts and programs created by others to attack your machine. A more skilled hacker will attempt a Zero-Day Exploit by reading a security bulletin and then attempting to write and deploy scripts or programs that exploit the weakness before most people have installed the update.
  5. At this point, having been alerted by the security bulletin, skilled programmers, some with good intentions, some not, may write (more) scripts and programs which utilize this vulnerability. Later on, the Script Kiddie will be able to use these programs for his nefarious activities.

Here is a list of steps the hacker may take:

  1. The hacker decides to attack your website.
  2. He downloads a script that someone else has made. The script might allow him to execute a program on another machine, or it might allow him to log in to that machine remotely and execute any commands he wants.
  3. The hacker scans the Internet for machines that are vulnerable to this attack. He may do this using a security scanner, or using a script that someone else wrote, or by modifying one of the scripts above so that it scans many, many machines instead of just one machine.
  4. Having found vulnerable machines that he can now use to run his programs, he launches his attack against your machine. In my case, the hacker was using ApacheBench, a legitimate program you can use to load-test your website. By running this program from multiple hacked machines, he was able to bring my website down, as it was not able to handle the simulated load of hundreds of thousands of simultaneous visitors.
  5. If the hacker is smart, he will try to cover his tracks. Most machines keep many different log files of the machine's activity. A clever hacker will attempt to delete these log files. In particular, he will delete any log entries which include the IP address of his home machine. Additionally, a smart hacker will also log into one hacked machine, then login to another hacked machine from the second, etc. to further cover his tracks. However, a Script Kiddie is unlikely to always do this, and sometimes these people are caught when they forget to take these steps.
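The ApacheBench flood described in step 4 leaves a recognisable trace in the web server's access log: a handful of source IPs, a burst of identical requests per second, and a tell-tale User-Agent. The script below is an added example (not from the original article) that reads combined-format Apache/nginx log lines and flags the sources; the regex, the per-second threshold and the constructed sample lines are all assumptions for this illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. The regex and thresholds below are
# assumptions for this added example, not something the article specifies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields we care about, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split(" ")[0]   # drop the timezone offset
    return rec

def find_flood_sources(lines, per_second_limit=5, ua_markers=("ApacheBench",)):
    """Group requests by (client IP, second) and flag sources that exceed
    per_second_limit in any one second or identify themselves as a load tool.

    Returns {ip: {"peak_rps": int, "tool_ua": bool, "requests": int}}.
    """
    per_ip_second = defaultdict(lambda: defaultdict(int))
    tool_ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip_second[rec["ip"]][rec["second"]] += 1
        if any(marker in rec["ua"] for marker in ua_markers):
            tool_ips.add(rec["ip"])
    flagged = {}
    for ip, buckets in per_ip_second.items():
        peak = max(buckets.values())
        if peak > per_second_limit or ip in tool_ips:
            flagged[ip] = {"peak_rps": peak, "tool_ua": ip in tool_ips,
                           "requests": sum(buckets.values())}
    return flagged

# Constructed sample: two hacked hosts running ApacheBench (a trickle and a
# burst that is already drawing 503s), plus one ordinary browser visit.
SAMPLE_LOG = (
    ['203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.0" 200 5120 "-" "ApacheBench/2.3"'] * 2
    + ['198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.0" 503 0 "-" "ApacheBench/2.3"'] * 8
    + ['192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, info in find_flood_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The User-Agent check is a convenience, not a guarantee: the per-second rate is the signal that survives when the tool's UA string is changed, which is why the function keeps both.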

As we have seen, if your machine is suffering from a Distributed Denial of Service attack (DDoS), there are other hacked machines taking part. These machines may be owned by an Internet Service Provider (ISP) who charges customers to host their websites on these machines, or they may be owned by a company that either "co-locates" its machine at an ISP or else hosts the machine using their own high-speed Internet connection. In the next section, I will show you how to find out who the ISP and business owners are, but, when contacting these people, please remember that the ISP and website owners are also victims of this attack.