The Inexpensive Age Of Cloud Computing And Smart DoS
Posted by Alpha_Centauri on 12/17/09 @ 4:51 AM

Hey guys! Been ages since I was on, and I'm here to say, YES I'm alive for #1! And merry Christmas and happy new year as #2 =).

A friend of mine wrote this article which I found particularly interesting, and I figured I'd reprint it as I think you might find it just as interesting, so enjoy (original article by lmn8r c/o www.clan-si.com):

"It is a hobby of mine to follow prices and find deals for everything. I also enjoy running servers, and I have been doing so for a long time now. I can save you 15 percent or more on your hosting by switching to... Lately bandwidth, datacenter efficiency, and hardware costs have plummeted. From what I can tell this is due to large IT companies (the ones that survived the bubble) making advances in hosting technology, which slowly trickles down to wholesalers, resellers, colocation and webhosting companies. This inexpensive access to the world wide web has given birth to inexpensive cloud computing.

Cloud computing to the layman is another fancy catchphrase that marketing think tanks come up with. Similar to "go green" and "smart grid", its goal is to entice investors to invest. To people who actually deal with cloud computing on a day-to-day basis, all it really is is offloading computer tasks to another computer. We do this already at home: we keep a gaming computer with the latest hardware specifically to game on while neglecting that old laptop we still use. Both computers are just as useful, they each have their purpose, but in terms of gaming, your 'cloud' is your gaming computer. The cloud, thanks to the common practice of drawing the internet as a cloud on network topology maps, is the internet et al. What makes cloud computing special is that these computers exist solely on the internet. You don't take them home with you, and they don't turn off. With assembly lines churning away in Bangladesh or wherever, companies can now make wholesale purchases of computers for an extremely cheap price. Everyone is now realizing that you don't need anything special to run a datacenter, just a large warehouse with a thick wire to the electric grid and a fiber optic loop. With the introduction of the 10-gigabit ethernet standard and 100-gigabit already in prototype, core network routers and switches are fast enough to deliver cheaper and cheaper bandwidth.

At the time of this article, the cheapest wholesale bandwidth with an SLA you can buy is about $1.50/mbps. Moore's law affects more than just your desktop CPU; all networking hardware is governed by the advancement of information technology. Only two years ago, when I purchased colocation from what was at the time the best deal around, the internet cost roughly $3/mbps per month. You might say that now that my internet service provider is paying less, I must be getting ripped off if I'm paying the same. Not true, because they have a way around that: offer more. More bandwidth, just give it to me like cheap beer, gushing out of switches. Oh, by the way, a pure ISP is not making money unless every single port on every single switch is utilized. It's all about margins, like sharing the last joint among friends: everyone wants a puff once it's passed. Medium and large sized hosting companies are now realizing they make more money off selling to resellers than they do themselves. The 10% discount they give to resellers gives them enough margin, enough piece of the pie, to make resellers do all the marketing grunt work for them. Why do they need to spend $200,000 buying ad space when they can simply cut $100,000 out of their network operations by offering discounts to resellers? After all, once the computers are on and the switches filled, they basically run themselves. No creativity needed. This has created a fledgling fire sale of never-before-seen prices on hosting, aka cloud space.

This glut of bandwidth and computing power is great if you want to host pet videos or create RSS feeds of other RSS feeds. It's also useful for not-so-legitimate uses like denial of service attacks. A non-technical person would picture cloud computing as rows and rows of computers in a datacenter, but DoS attacks don't need that much to succeed. If you had malicious intent and rows of computers on the internet you could take down any website on the internet with ease. That's exactly what happens when you hear about distributed denial of service attacks using botnets. Botnets, which use infiltrated home computers to commence attacks, have their own advantages and disadvantages. A botnet is like an army of ants. Home computers aren't typically very fast, but most importantly are usually poorly connected to the internet. A bot with a 384kbps upload speed is an ant. You need a lot of them to swarm, say, a wildebeest if you were performing a DDoS attack. They're also good if you want to send spam, since it's damn tough to block spam from 20,000 different IPs. Other than that, botnets aren't very efficient. The problem is herding them. Like its natural cousins, herding animals is difficult, and the difficulty and complexity increase the more you have to herd. Botnets are weapons of opportunity rather than intention. Pretty much all of the time, botnets are created by some exploit found in some popular software (like Windows), and that is how a machine is taken over. Exploits will always exist as the low-hanging fruit for hackers, since they are known and readily usable. Another problem with botnets, and the reason they've remained uncommon, is that it's damn hard to create one. Reverse engineering software takes a ton of patience, and when you do succeed you have a laundry list of to-dos to make and keep a functional bot computer. Reporting servers need to be dynamic, the way it seeks out other bots needs to be dynamic, it never ends. Nobody wants to put all that work into something that may be patched tomorrow. Like how most industries start, a need exists where someone says "why can't I just pay and have it done?" Well, that is exactly what I'm talking about.

No, not hiring the teenager next door to code you an OMFG!111 ub3r L33t worm a la carte, we're not that evolved yet. However, we have gotten to the point where servers and/or hosting have become cheap enough that you can purchase a gorilla to take down the wildebeest. Just recently, as an experiment, I purchased a VPS hosting package for the low price of $5/month. It came with the usual things: root access of course, limited CPU time and a RAM ceiling for my applications. It came with a monthly transfer quota. But here is the kicker: a 100mbps port. Now you may be laughing about how seriously I take 100mbps since it's so common these days amongst ISPs, but 100mbps is no laughing matter. Put it into perspective. 100mbps, or 100,000kbps, is the equivalent of 260 bots assuming a bot's upload averages 384kbps. This for only $5/mo. I'm pretty sure launching denial of service attacks is against the terms of service, but do they care? No, this is unmanaged hosting; like I said before, once it's on it basically takes care of itself. They have their fee, and as long as you're smart about not going overboard, especially at peak times, your hosting company will be none the wiser. This deal I purchased was indeed a deal, a one-time offer, but offers like these are on the cusp of becoming common and competitive. Now that I have 100mbps, what shall I do? I can't leave it maxing out all the time; remember, I have a monthly transfer quota. This is where smart denial of service attacks come into play.

A denial of service attack works by introducing ratios. A medium-popularity website, say tomshardware.com, has probably 4-5 different servers that operate solely as HTTP servers. Each of these servers probably has its own 100mbps port. To overload the website to the point of denying service, I would need to meet a 1:1 or higher ratio to what their bandwidth can handle. At around 500mbps total, I would need at least five VPS packages running at full steam to begin overloading their website. A botnet could do it just fine; one the size of 5,000 could create up to 2,000mbps of garbage being sent to their web servers, creating a 4:1 DoS ratio. The only problem is I don't have a botnet, or know anyone who does. Do I want to spend months trolling various IRC channels hoping to meet the right people? No, instead I spend time learning my target. Behind those 4-5 HTTP servers lie probably two database servers and a SAS storage server. Contrary to popular belief, all but the largest websites are basically oversold and stretched thin. Tomshardware probably makes decent money from the articles they write, ad revenue, and the sponsorships they get. Still, their money goes towards writers and hardware to be tested. They, like every small and medium sized company, only want to spend as much as they need to on hosting. The probability is low that they will ever get attacked, so they only meet the minimum of requirements to host a speedy and reliable website. After all, computers are upgradable, and when your website or server becomes too slow you simply upgrade. This is where smart denial of service attacks have their advantage. Conventional military tactics don't apply when it comes to the internet. When you go into battle, the army that is the most well prepared usually wins. On the internet, companies don't need to prepare because they know types of internet warfare, such as denial of service attacks, are rare. The internet is still a peaceful place, people are gleefully trading with p2p, posting their private information on public blogs. The status quo has been that you either need a lot of money or exceptional computer skills to become a threat to your average joe on the web. This is beginning to change.

Now that I know the limitations on my end, such as my port speed, I can begin to learn the limitations of my target. Although Tomshardware's HTTP servers are the front line, they're too obvious and well-fortified a target. The HTTP servers need the database and storage servers to pull data onto their website. A smart company keeps more vulnerable servers like these off the web, but on the private network. This may be the case; if so, you may be forced to go after the HTTP servers. If they are indeed vulnerable and you can find out their IPs, it isn't very hard to begin flooding them. How you do it is a matter of fashion and necessity. My style is doing UDP floods, since UDP is pretty arbitrary even to most network admins, but is mainstream enough to not immediately be detected. Some people do SYN packets, or ICMP I hear is popular. I never liked ICMP for any real DoS attacks because there are so many ways to identify and block those types of packets. You can also send custom packets specific to your attack or whatever.

For all practical purposes, I don't have the money to get enough VPSs or dedicated servers to launch an attack on a target as large as Tomshardware. My target is smaller and more manageable for my budget. I'm going after a gameserver. Gameservers are my specialty; I know a lot about them since I run them myself. You don't truly know a computer's weakness until you've had to secure it against others. I picked one server that I would like to attack. It's not that I don't like this particular server, it's just there. It's a specimen, and I hold the hourglass and I'm gonna burn it. It helps if the gameserver I'm going after has an active website where people discuss the server. I can use people's angst complaining about the server being unavailable as a measure of my accomplishment. Gameservers are unique in that they're already CPU-intensive applications as it is. That is their weakness. I don't need to flood the gameserver's entire network port to slow it down; I go after the weakest link. My weapon of choice is a specially crafted packet designed to force the gameserver to do more work to discard it. It's actually a really old KNOWN exploit, but like most things, people never expect someone to actually attack them. Since I'm using custom packets I only really need to push about 20mbps outbound from my VPS in order to lag the server to a steady 600 ping with heavy packet loss. It's not enough to crash it, or even cause disconnects, but it works because people get fed up and leave. Nobody wants to play in a laggy gameserver. Since I have a monthly bandwidth quota I don't push a steady stream of bandwidth out either. I only need to flood in small bursts. 20mbps will never catch the eye of network admins at my hosting company, so I need not worry about that.

Like anything busy, there are peak times and slow times. There are also two types of hosting packages you can purchase on the cheap. One is metered hosting, which is what I have now as an experiment. The other is unmetered hosting. Metered hosting usually gives you the benefit of more guaranteed available bandwidth, especially at peak times. Everyone else on the network is metered too, so people will limit themselves. Unmetered, on the other hand, is like an all-you-can-eat buffet: only fatties show up and consume everything. Unmetered transfer means off-peak hours yield better throughput than peak time, but on the other hand you have unlimited transfer, so you can flood it nonstop. Since I'm attacking a gameserver, I'll want to attack it specifically at peak time to do the most damage. That's when the most people want to play, and I'll get the most "raged" server regulars bitching about it on their website. Keeping my monthly quota in mind, I write a short script to time my flooding on and off in regular intervals scheduled around peak time. This way the server lags out to the point where everyone leaves, and it usually takes a little while to build up players again. The more monthly transfer I have available, the more intervals, and the longer they can be. Like I said before, I'm not targeting the network port; I'm going after the gameserver application itself in order to max out its CPU. Being only 20mbps, and also irregular, network admins on either side often dismiss it. Most network admins still expect the old-style continuous and ratio-based denial of service attacks. This same idea works the same on websites. Most network admins measure traffic coming to the HTTP servers, not other application, database, or storage servers. They don't see a traditional DoS attack according to their mrtg graphs and netflow reports, so they don't think there is an attack, which buys you time.

The best thing about my experiment is that if I wanted to take down a competing gameserver it only cost me $5. I didn't need to upgrade my own server, or offer any incentives to people that might cost me money. I'm not limited to just one gameserver either; if well planned, I could probably have launched an attack on the top 10 gameservers in the game. All this for the price of a pack of cigarettes. No contract either, so when I'm done with what I need I just let my VPS expire and move on. It's like a disposable mini botnet. In terms of business sense this has a lot more merit. E-commerce websites traditionally are pretty hardy, but it's come to the point now where a company could simply purchase a bunch of servers to temporarily take down their competitor's website for a month. By then nobody would visit their competitor's website anymore because it's always down or extremely slow, and would move on. Nothing ever stands still on the internet, so this type of tactic has the potential to become a highly controversial yet effective competitive edge for businesses. Likewise, once DoS attacking becomes a business tactic, prosecuting it will become that much harder. Whenever you hear about a botnet being taken down it's always because the owners either kept an obviously traceable connection to it at all times, they were dumb and did something like naming it after their mom, or insecurely bragged about it to all their e-friends. By this time concealing this tactic will be as hard as cooking the books financially.

This style of smart denial of service attacking is a temporary thing. Eventually people will figure out how to mitigate it, and it will become mainstream for hosting companies to automatically block it. Right now though it's fresh and unexpected. In the future I foresee inexpensive 1gbps connections under the $100/mo mark. That's faster than what your average hard drive can usefully read at. If the internet were at a bandwidth equilibrium, DoS attacks wouldn't happen. Right now it's unbalanced, and if you're able to find a good deal on a cheap server, you've just bought yourself a botnet."

The thoughts in this article can be adapted to other uses, and therefore do not represent my views specifically; I just thought it was an interesting standpoint =)

Hope you guys have a good Christmas holiday period.

Alpha.
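From the defender's side, the article's claim that averaged graphs of web-tier traffic hide a low-rate, intermittent flood aimed at a game-server port can be checked directly. The following is an added example, not from the article or its author: it runs over constructed per-minute flow summaries (the port number and IP addresses are hypothetical) and flags any destination port whose rate repeatedly jumps above its own median, naming the heaviest source during those bursts.

```python
# Added example, not from the article: per-port burst check over constructed flow summaries.
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed records (minute, src_ip, dst_port, bytes); 27015 is a hypothetical game port.
SAMPLE_FLOWS = []
for minute in range(60):
    SAMPLE_FLOWS.append((minute, "198.51.100.20", 80, 30_000_000))      # steady 4 Mbps web
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        SAMPLE_FLOWS.append((minute, ip, 27015, 500_000))               # normal players
    if minute % 15 < 3:                                                  # 3 of every 15 minutes
        SAMPLE_FLOWS.append((minute, "203.0.113.5", 27015, 150_000_000))  # 20 Mbps burst

def per_port_series(flows):
    """Per-minute Mbps time series for each destination port."""
    minutes = max(f[0] for f in flows) + 1
    series = defaultdict(lambda: [0.0] * minutes)
    for minute, _src, port, nbytes in flows:
        series[port][minute] += nbytes * 8 / 60 / 1_000_000
    return series

def burst_windows(series, threshold):
    """(start, end) minute ranges where the rate stays above threshold."""
    windows = []
    for i, rate in enumerate(series):
        if rate <= threshold:
            continue
        if windows and windows[-1][1] == i - 1:
            windows[-1] = (windows[-1][0], i)
        else:
            windows.append((i, i))
    return windows

def top_source(flows, port, windows):
    """Source sending the most bytes to port during the burst windows."""
    counts = Counter()
    for minute, src, p, nbytes in flows:
        if p == port and any(a <= minute <= b for a, b in windows):
            counts[src] += nbytes
    return counts.most_common(1)[0][0]

def flag_bursty_ports(flows, peak_ratio=5.0, min_bursts=2):
    """Ports whose rate repeatedly exceeds peak_ratio x their own median."""
    findings = {}
    for port, series in per_port_series(flows).items():
        baseline = median(series)
        bursts = burst_windows(series, baseline * peak_ratio)
        if baseline > 0 and len(bursts) >= min_bursts:
            findings[port] = {"avg_mbps": round(mean(series), 2), "peak_mbps": round(max(series), 2),
                              "bursts": bursts, "top_source": top_source(flows, port, bursts)}
    return findings
```

The median rather than the mean serves as the baseline because the bursts inflate the mean: in the sample, port 27015 averages about 4.2 Mbps, roughly what the steady web port shows, so an average-based view does not distinguish them.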