Counter-Strike 2

DDoS - Know your enemy
By .Sylver.
This guide aims to explain how Distributed Denial of Service (DDoS) attacks work, what damage they do and why they have grown so much.
Although solutions will be discussed briefly, this guide does not intend to give you a specific solution to protect against DDoS, since that topic deserves a full guide of its own and has already been covered by others.

Even though DDoS is now everywhere, people still don't really know how it actually works. I believe that everyone should understand it, because the better you know your enemy, the better you can protect yourself and fight it.
   
Introduction
This guide will help you understand what DDoS actually is and will try to inform you about the current situation. It first explains the basics of the attacks. Then we talk about one of the most common ways to run DDoS attacks. Finally, we briefly explain the ways to protect yourself from this danger.

Please note that this guide is deliberately not complete and not as detailed as it could be. The goal is to keep it simple and understandable for the majority while giving a few technical details so you can actually understand it. For those who want to learn more, there are some good articles and research papers available on the web (Krebs on Security, Arbor Networks and Prolexic, to list only a few).
What is DDoS?
Almost everyone in the gaming world has already heard of DDoS, but what is it actually?

A DoS (Denial of Service) is an attack against a computer, an infrastructure, a piece of software, a website, a network, etc., that aims to make the service unavailable to its users by overloading its resources (network, memory, etc.). When such an attack is carried out by more than one machine, it becomes a DDoS (Distributed Denial of Service).

Such attacks are done over the network (mostly the Internet, but it can also be done on a local network, on LAN) by synchronizing a DoS attack from multiple sources on the same target. The difficulty of these attacks is that you need control of multiple machines. Using several home computers, you can manage to shut down another home computer. But if your target is a web server or an even bigger infrastructure, you need many more computers.

So far, these DDoS attacks have been made possible by the various botnets spread around the world. A botnet is a set (usually large, possibly millions) of compromised computers (infected by viruses, worms, etc.) that perform actions once they receive the order, such as sending a packet to a precise destination. With such an infrastructure, you can manage to send millions of packets towards your target and overload its network. But building a botnet is not easy: it takes time and requires good knowledge of computer science. At that time, if you wanted to run an attack without controlling a botnet, you had to contact a hacker and pay him (I don't have enough information about this to say more). Furthermore, such an action would directly involve you in an illegal activity that could have heavy consequences if you got caught.

Source: Cisco
The DDoS-as-a-Service phenomenon
How did DDoS attacks increase so much?

In recent years, multiple vulnerabilities have been found and exploited to perform DoS and DDoS attacks on websites or infrastructures.
For instance, Slowloris is a script that allows a single machine to shut down a web server running Apache 1.XX and 2.XX, which represent a large percentage of the web servers currently running. But there are many such scripts (often called shells) that exploit vulnerabilities in equipment or software to shut down a computer or a server. If you put such scripts online, then you can easily attack a website from anywhere. This is how the DDoS-as-a-Service phenomenon started. Some people started giving access to these shells in exchange for small amounts of money. Then you could run DDoS attacks without any knowledge of networking; you just needed the IP of your target and some money.

Sometimes, because web servers have become more powerful, a single computer is not enough to shut down the target, and then you need several machines running these scripts. But these scripts have spread over the Internet and are hosted, intentionally or not, on tens or hundreds of web servers, and they can be used once you know of their existence. Having a list of these shells became the key to the business. Some shared them, some didn't because there was money involved, but this kind of DDoS service started to spread, limited only by the availability of the scripts. Such a script wouldn't stay available for long, because the victim could find the source of the attack and complain, or contact the owner of the server and inform him that he is hosting a malicious script (probably against his will) so that he removes it.

Unfortunately, other vulnerabilities in network services have been discovered. These vulnerabilities allow the attacker to send a packet to a server and make it respond to another computer: your target. These are called Reflection Attacks. This is done using the IP spoofing technique, which consists of replacing your own IP in the packet with the one of your target. The main danger of these attacks is that you don't know who is attacking you.

Reflection Attack. Source: Cisco

Now imagine that, using this attack, the response the server sends to the target is bigger than the request the attacker sent; then things get even worse. These are called Amplification Attacks. By misusing some public services on the Internet (chargen, DNS, NTP, SNMP, etc.), you make a server respond with more data than what you sent, which means you need even fewer computers to overload your target. This removes the need for compromised machines or servers running scripts, all while hiding the real source of the attack.

Amplification attack using openDNS Resolvers

For instance, until the patch that Valve published at the beginning of 2014, the Steam protocol allowed this kind of attack. The response sent was on average 5.5 times bigger than the request. You can learn more about amplification factors (and attacks) here[www.us-cert.gov]. This kind of attack only requires knowing legitimate servers running versions of the services that allow it, and there are usually thousands, if not millions, of these servers available to anyone.

This, combined with the DDoS-as-a-Service phenomenon, has helped DDoS grow a lot in the last 4 or 5 years.
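The amplification factor described above is something the operator of a public DNS, NTP, chargen or SNMP service can measure in its own traffic records, and a source address that keeps receiving many times more bytes than it sends is the spoofed victim of a reflection attack. The following Python is an added example written for this guide, not code from the guide's author or from any of the products mentioned; the flow record format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions, chosen so that the 5.5x factor the guide quotes for the old Steam protocol would be flagged.

```python
"""Spot amplification abuse of a public UDP service in its own flow records
(added example; the flow format, addresses and thresholds are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One request/response pair as seen by the service operator.

    In a reflection attack the 'src' field carries the spoofed address of the
    victim, so the victim is the one that receives the large responses.
    """
    src: str         # source address on the request packet
    dport: int       # service port on our server (53 DNS, 123 NTP, 19 chargen, 161 SNMP)
    req_bytes: int   # size of the request we received
    resp_bytes: int  # size of the response we sent back


def amplification_factor(req_bytes, resp_bytes):
    """Bytes sent back per byte received; a factor above 1 means the
    service amplifies whatever the requester (or the spoofer) sends."""
    if req_bytes <= 0:
        raise ValueError("request size must be positive")
    return resp_bytes / req_bytes


def suspicious_clients(flows, min_factor=5.0, min_requests=50):
    """Aggregate flows per (src, dport) and flag pairs whose overall
    amplification factor and request count both cross the thresholds.

    The defaults are assumptions: a factor of 5 sits just under the 5.5x the
    guide quotes for the old Steam protocol, and 50 requests keeps a single
    large answer to a normal client from raising an alert.
    """
    totals = defaultdict(lambda: [0, 0, 0])  # requests, request bytes, response bytes
    for flow in flows:
        entry = totals[(flow.src, flow.dport)]
        entry[0] += 1
        entry[1] += flow.req_bytes
        entry[2] += flow.resp_bytes

    alerts = []
    for (src, dport), (count, req, resp) in totals.items():
        factor = amplification_factor(req, resp)
        if count >= min_requests and factor >= min_factor:
            alerts.append({"src": src, "dport": dport,
                           "requests": count, "factor": round(factor, 1)})
    # Highest amplification first: those sources are absorbing the most traffic.
    return sorted(alerts, key=lambda alert: -alert["factor"])


# Constructed sample records using RFC 5737 documentation addresses.
SAMPLE_FLOWS = (
    [Flow("198.51.100.7", 123, 8, 440)] * 120    # tiny NTP queries, 55x responses
    + [Flow("203.0.113.9", 53, 64, 3000)] * 80   # DNS queries answered with ~47x
    + [Flow("192.0.2.5", 53, 60, 120)] * 200     # ordinary DNS client, 2x
    + [Flow("192.0.2.8", 123, 48, 48)] * 10      # ordinary NTP client, 1x
)

if __name__ == "__main__":
    for alert in suspicious_clients(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed records, the two addresses receiving 55x and roughly 47x their request volume are reported while the ordinary clients are not. An operator who sees such a pair can rate-limit responses to that address or disable the feature that produces the oversized reply, which is exactly the kind of patch the guide says Valve shipped for the Steam protocol.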

DDoS-for-hire, Booters
Why is it so easy to launch DDoS attacks these days?

As we said previously, the DDoS-as-a-Service phenomenon has grown a lot and become a real business. But what is this business exactly?

A few years ago, some websites appeared that started to provide DDoS attacks using multiple methods (scripts, amplification attacks, floods, etc.); they are called Booters (or Stressers). This is probably not the only way to get DDoS-for-hire, but certainly the easiest for most people. The discovery of amplification attacks made these booters even more efficient. Even if their attacks are not really big, Booters are usually enough to shut down a home, school or enterprise connection and therefore match the needs of most people. And since they advertise themselves as web stressers (tools to test the robustness of your website or infrastructure), they look legal; they just warn their users that they will be solely responsible for any misuse. For the record, there are currently more than 50 different online Booters.

Booters are really easy to use. In most cases, you just need to subscribe, pay (with PayPal or Bitcoin) and give an IP address. They usually provide a large set of plans to purchase. The cheapest ones, which cost $1 to $10, allow you to run attacks that are 1 minute to 1 hour long. You can run only one at a time, but as many as you want until your plan expires (in 1 day for the cheapest). If you pay more, you can get longer attacks, the ability to run concurrent attacks (several at the same time) or a plan that expires much later. The prices can go really high ($500) and provide up to 3 or 4 concurrent attacks that can last hours, with a lifetime plan.

But it is important to know that they do not always provide what they claim, and that a Booter is, on average, reachable for only 1, maybe 2, years. Most of these offers are scams. But since the users of these services just need to see their target down, without caring about the kind of attack performed, its size or its real duration, this is enough.

So, if you have a booter and some money, you just need a target and its IP address. Since the first two have become easy to get, the last one became the true key to DDoS attacks. When your target is a website or a server, this is usually really easy to get, because they need to advertise this address so you can reach them. Consequently, at the beginning, you only needed the URL of a website or the IP of a game server, and it was done.

Example of the user interface of a booter, screenshot taken in 2013. Source: krebsonsecurity.com.
How to protect a server?
If it is so easy, how can you be protected from it?

With time, after a lot of damage had been done, some solutions appeared to protect these websites and servers. The main idea was to hide the IP address, since it is the bottleneck of this kind of attack. But you can't do that for a website, otherwise no one will be able to reach it anymore. In this case, the solution has been to replace this IP address with the one of a machine that is much stronger and harder to DDoS. If this machine is part of a large infrastructure monitored by a company that can detect DDoS attacks, then we can assume that the server will be protected against most DDoS attacks.

To keep it simple, this is how most current DDoS protections work: instead of hiding the address, we substitute it with another one and then route the traffic to the original machine. Even better, we can replace it with several other IP addresses by using DNS (Domain Name System) to resolve a website's domain name to different IP addresses according to the location of the user. This way, a single DDoS attack involving multiple machines will actually be spread over several servers instead of one; this is load balancing.

This solution usually works fine to protect web servers, websites and even game servers (with some optimization required). You can find a comparison of the most famous protections here[ddos-protection-services-review.toptenreviews.com].
What about the players?
Players are also targeted by DDoS attacks; how does that work?

Yes: since most DDoS attacks aim to overload the network, there is no difference between overloading a server connection and a home connection. While this is true for the attack itself, it is not the case for the attacker and the target.

We said that it was easy to find the IP of a website because it is required to reach it (such a machine waits for someone to send a request to it). But this is not the case for a basic user browsing the web, playing games or watching videos, because he is the one who initiates the connections and therefore does not need to advertise his IP address. So how is it possible, how can someone without any networking knowledge find out the address?

The IP address is not advertised, but it is shared with the servers or services you are connected to (because they need to know how to respond to you), and some of these services also allow the attacker to retrieve your IP address by exploiting flaws or misusing the system. For instance, there are Skype resolvers (which you can use for free or by paying on a Booter's website) that can resolve a nickname to the current IP of the user. This works because Skype uses a peer-to-peer architecture and therefore connects users to each other. This architecture and its protocol can be exploited to get the IP address of anyone connected.

There are many of these resolvers for many services (Steam, Xbox, etc.), using flaws in the system. Some of them are about to be patched (Steam servers have recently been patched to stop publishing the IP addresses of connected players; Skype's patch is still in progress at this date (May 2014)), but they work in most cases. A first step is to be careful (don't accept calls or friend requests on Steam or Skype if you don't know the person) to prevent some of these resolvers from working.

So, most of the time the attacker can manage to get someone's IP address without even knowing how it works, and can then launch a DDoS attack. So, how do you protect yourself?

If it is harder to get the IP address of a player, it is also harder to protect this IP address. You can't use DNS to resolve you to different IP addresses, because DNS is not used for users. You can substitute your IP address with another one, but this is still not straightforward.

Just as people used web proxies to be anonymous while browsing the web, you can use similar solutions to hide your presence on the network. Currently, the best solutions for users are a VPN (Virtual Private Network) or a VPS (Virtual Private Server).
By using a VPN, you create a direct and encrypted connection with a dedicated server that then sends the packets from itself to the Internet. This is like substituting this server for yourself as far as the Internet is concerned. The stronger this other machine is, the harder it is to DDoS. Understand that you only move the problem: DDoS remains possible. If someone shuts down this server, all the users connected to it are disconnected and the result is the same as if you were using nothing. The key then is to have a robust VPN service that is able to cope with DDoS attacks.
A VPS is slightly different. It is a real virtual server on which you can deploy the tools of your choice to route your traffic and hide your activity and IP address. It is much more complicated to use, but the options are more numerous.

Consequently, there are ways to protect yourself, or at least to be better protected, by relying on an infrastructure and/or network that represents you on the Internet and that can cope with DDoS attacks better than you can. However, the biggest attacks can usually shut down these servers as well, though not the kind of attacks that booters currently provide.

If you need to be protected, then you need to use a VPN or a VPS. You will have to pay for it and it will require some configuration effort. You also have to understand that adding a server in the middle of your connection, plus some encryption/decryption, might add some delay. Consequently, for gaming, you have to choose your solution carefully.
But remember that you need this to hide your IP address from the Internet, not to route all your traffic. So if you know that only Skype can let someone find out your IP address, then you can use the VPN only for Skype, and then you won't have any additional delay in your game. This can be a way to reduce the cost of your protection.

More detailed explanations of technical solutions are available on the Internet; just Google it (e.g. "Gamer DDoS protection guide") and you'll find them (such as Destiny's guide).

VPN example. Green arrow: tunnel between your computer and the VPN server. Yellow arrows: normal connections between the VPN server and the servers you wanted to reach.
Conclusion
DDoS attacks usually aim to overload the network or the resources of their target. This is done by using a lot of compromised machines, some DoS scripts, or by misusing legitimate public services to produce a large amount of traffic.
Booters facilitated the use of these attacks by hiding the technical details and providing DDoS-for-hire at a reasonable price (starting at $1), along with tools to find the IP address of your target.

The main solution at this date (May 2014) is to hide or substitute your IP address and to rely on a stronger infrastructure that is able to cope with most DDoS attacks. Such solutions, which usually require payment, are currently working, but for how long?

Measurements have shown that DDoS attacks from Booters are not that big (hardly over 1Gbps, rarely more than 5Gbps) but currently shut down most home, school and enterprise connections. By relying on a stronger infrastructure that has a 10Gbps link or more, you can currently protect yourself against these attacks. But these measurements have also shown that these attacks have the potential to get much worse, much bigger, and then overwhelm the most accessible solutions. So what is currently working might not always be.

Where is the Police of the Internet!?!?

Some of you might have noticed that most of the time DDoS is made possible by the misuse of services: IP spoofing, amplification attacks with DNS, chargen, NTP, SNMP, etc. So why does nobody fix this?
Theoretically, it has already been fixed; the patches have been published for a long time, but the owners of the networks and of the servers are the only ones that can update their equipment. Many ISPs (Internet Service Providers) still don't want to follow BCP 38 (Best Current Practice 38), which recommends applying ingress filtering to forbid IP spoofing (which would solve almost all the current DDoS issues).
Meanwhile, thousands, if not millions, of servers running unpatched services should also be updated, but their owners don't, on purpose or not; that is not the point.
So the problem is not that no solutions have been proposed, but that no one has the power to make everyone apply the solutions available. Look for instance at Valve, which provided thousands of servers that could be used for DDoS attacks for years and applied the patch only in 2014. And you can feel lucky that they felt concerned by the damage done to the competitive scene and that they had the ability to patch most of the running servers.

Thank you for reading, I hope you've learnt a couple of things. If it can help you protect yourself, that is a bonus, and I would be glad of it. But remember that my goal is first to inform.


Please do not copy this guide, for the obvious reason that I can update this guide but not all the copies made.
56 Comments
WH@TeVeR Dec 5, 2017 @ 4:53am 
Great Guide.
Kodus May 5, 2017 @ 7:15pm 
hey great guide you did there
Paavo ヅ May 28, 2014 @ 10:02am 
get a router that can't be DDoSed ez game ez lyf
.Sylver.  [author] May 28, 2014 @ 9:33am 
The goal is not to say exactly how to protect yourself, the goal is to help people to really understand what happens so they can understand how to protect themselves. I don't see any interest in giving directly the solution if they don't understand why it can work or not.
COOL STREAMER WHO GETS PUSSY FU May 28, 2014 @ 9:14am 
dont try ddosing me either kid
COOL STREAMER WHO GETS PUSSY FU May 28, 2014 @ 8:56am 
This is really excessive. Why don't you just say buy a VPN / Do not accept anyone on Steam. This is a really stupid guide.
Mon Chou♥ May 28, 2014 @ 5:27am 
All you need is a Botnet, shells and have the stupidity to bother ddos'ing someone.
Antoshqqaaa May 28, 2014 @ 2:37am 
COUNTER STRIKE GO
Wengosz May 27, 2014 @ 7:15pm 
@Alucard you can learn this in school, when you want to be an IT technician
Shun Dripyama May 27, 2014 @ 2:11pm 
That makes sense, explains why this kind of software for black-hat hackers exists. You should really work at Cisco. The way you explain this and all is far beyond me.