There are lots of different kinds of DDoS attacks. If you want specific information regarding the one hitting us, look up DNS Amplification and Chargen Amplification. They are saturation-type attacks. You can learn more about how these attacks work by looking up the difference between UDP and TCP. DNS and Chargen are both UDP protocols. UDP is stateless, whereas TCP requires a handshake. This means UDP packets can be sent with spoofed source addresses (typically the victim's) in order to solicit response floods to that victim.
There are several layers to this. It typically starts with the attacker on his local PC. Now he may be behind something to mask his own IP, be it a VPN or what have you. He will send a signal from there to a botnet command and control server (or multiple servers). These servers will then in turn send out attack commands to thousands of compromised computers to start the attack. Each of these thousands of attack commands will contain a list of IP addresses of servers around the world that have a vulnerability, such as open DNS resolvers (for DNS Amplification) or exposed Chargen ports. The botnet computers flood multiple servers at a time with packets saying "Hi, I'm <Victim's IP Address>, please send me your DNS repository". This is of course in the form of a very small packet. The response to that request is typically 10 times larger than the original request, or bigger. But because of the spoofed packet, the response gets sent to the victim's IP address, not the real computer that requested it.
So we have a botnet C&C sending out an attack command to thousands of computers, which in turn send out requests to thousands of servers, which in turn send all their responses to the victim server, all at once.
It's ouch.
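Added example (mine, not part of the post above): the post's key point is that UDP has no handshake, so the victim cannot tell a solicited DNS or chargen answer from a reflected one by looking at the packet itself; the only thing it can check is whether it ever sent a matching request. The script below does exactly that over a handful of constructed flow records (direction, source, destination, byte count; no real traffic), flags inbound port-53/port-19 datagrams that match no outbound request, and estimates how much each reflector amplified the attacker's traffic. The 60-byte probe size is an assumption standing in for the "very small packet" the post describes, not a measured value.

```python
"""Spot reflected UDP amplification traffic in flow records.

UDP carries no session state, so a victim host has no handshake table
that distinguishes a genuine DNS/chargen reply from one solicited by a
spoofed query. What it can do is remember which UDP requests it actually
sent and treat every inbound datagram from a reflector port that matches
none of them as unsolicited. That is what unsolicited_responses() does;
summarize_reflectors() then sizes up each reflector's contribution.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (service port -> name).
REFLECTOR_PORTS = {53: "dns", 19: "chargen"}

# Constructed flow records, not real traffic:
# (direction, src_ip, src_port, dst_ip, dst_port, bytes)
VICTIM = "203.0.113.10"
FLOWS = [
    # A legitimate lookup made by the victim, and the answer to it.
    ("out", VICTIM, 40001, "198.51.100.1", 53, 62),
    ("in", "198.51.100.1", 53, VICTIM, 40001, 140),
    # Reflected responses: nobody on the victim asked these servers anything.
    ("in", "192.0.2.7", 53, VICTIM, 80, 3800),
    ("in", "192.0.2.7", 53, VICTIM, 80, 3800),
    ("in", "192.0.2.9", 19, VICTIM, 80, 1024),
    ("in", "192.0.2.9", 19, VICTIM, 80, 1024),
    ("in", "192.0.2.9", 19, VICTIM, 80, 1024),
    # Unrelated inbound UDP on a non-reflector port; ignored here.
    ("in", "192.0.2.50", 12345, VICTIM, 443, 200),
]


def unsolicited_responses(flows, victim):
    """Return inbound datagrams from reflector ports with no matching request.

    Flows are processed in order, so a request must be seen before the
    reply it explains. The key is (server, service port, our ephemeral
    port): a spoofed query made by a bot uses some other ephemeral port
    (often the victim's own service port), so its reply never matches.
    """
    requested = set()
    flagged = []
    for direction, sip, sport, dip, dport, size in flows:
        if direction == "out" and sip == victim and dport in REFLECTOR_PORTS:
            requested.add((dip, dport, sport))
        elif direction == "in" and dip == victim and sport in REFLECTOR_PORTS:
            if (sip, sport, dport) not in requested:
                flagged.append((sip, sport, dport, size))
    return flagged


def summarize_reflectors(flagged, probe_size=60):
    """Aggregate unsolicited bytes per reflector and estimate amplification.

    probe_size is an assumed cost, in bytes, of the small spoofed query
    that produced each response (hypothetical figure, not measured).
    """
    totals = defaultdict(lambda: {"service": "", "packets": 0, "bytes": 0})
    for sip, sport, _dport, size in flagged:
        entry = totals[sip]
        entry["service"] = REFLECTOR_PORTS[sport]
        entry["packets"] += 1
        entry["bytes"] += size
    for entry in totals.values():
        entry["amplification"] = round(
            entry["bytes"] / (entry["packets"] * probe_size), 1
        )
    return dict(totals)


if __name__ == "__main__":
    for ip, info in summarize_reflectors(unsolicited_responses(FLOWS, VICTIM)).items():
        print(f"{ip:<14} {info['service']:<8} packets={info['packets']} "
              f"bytes={info['bytes']} amplification~{info['amplification']}x")
```

On the constructed records the legitimate answer from 198.51.100.1 is not flagged because the matching outbound query was seen first, while both reflectors are reported with their per-response amplification estimate. In production the same logic runs over NetFlow/IPFIX or pcap-derived records; the point it makes is that this bookkeeping has to live on the victim's edge, because the reflected packets are otherwise indistinguishable from ordinary UDP replies.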