WEBVTT - DDoS Attacks 101 0:00:04.120 --> 0:00:07.160 Get in touch with technology with tech Stuff from how 0:00:07.200 --> 0:00:13.600 stuff works dot com. Hey there, and welcome to tech Stuff. 0:00:13.640 --> 0:00:16.400 I'm your host, Jonathan Strickland. I'm an executive producer and 0:00:16.440 --> 0:00:20.320 how Stuff Works in the Love all Things Tech. And recently, 0:00:21.160 --> 0:00:25.200 Randall Charles Tucker, who once proclaimed himself to be the 0:00:25.239 --> 0:00:30.320 Bitcoin Baron, was sentenced to a twenty month prison term 0:00:30.320 --> 0:00:34.640 and find more than sixty nine thousand dollars for launching 0:00:34.720 --> 0:00:39.600 distributed denial of service ord DOS attacks against municipal websites, 0:00:39.800 --> 0:00:43.400 which not only affected normal city operations but also emergency 0:00:43.479 --> 0:00:47.599 response systems. So today we're gonna take a look at 0:00:47.680 --> 0:00:50.400 de DOS attacks and their history, and in our next 0:00:50.440 --> 0:00:53.320 episode I will go into more detail about the different 0:00:53.440 --> 0:00:56.120 kinds of the DOS attacks out there and the security 0:00:56.120 --> 0:00:59.800 measures administrators deployed to mitigate their impact. Because this is 0:01:00.240 --> 0:01:03.920 an ongoing important story. We've heard a lot about DIDOS 0:01:03.960 --> 0:01:07.720 attacks in recent years. There was one that affected some 0:01:07.920 --> 0:01:12.360 apartment buildings over in northern Europe and had them shut 0:01:12.400 --> 0:01:16.600 down the uh the HVAC systems during the coldest days 0:01:16.840 --> 0:01:20.000 of the year, so people no longer had heat. This 0:01:20.040 --> 0:01:22.800 is a serious thing. So what the heck is a 0:01:22.880 --> 0:01:25.000 di DOS attack. Well, it helps to break this down 0:01:25.040 --> 0:01:29.520 by looking at what denial of service means, and generally speaking, 0:01:29.720 --> 0:01:33.039 denial of service refers to using tactics that prevent or 0:01:33.120 --> 0:01:37.880 discourage people from using something online they otherwise would use 0:01:38.000 --> 0:01:40.600 if there were no outside interference, which is a pretty 0:01:40.640 --> 0:01:44.399 broad definition. It can cover lots of stuff, and not 0:01:44.480 --> 0:01:48.600 just stuff that involves hacking or inserting some malicious code 0:01:48.760 --> 0:01:51.960 or sending commands over the internet. A denial of service 0:01:52.000 --> 0:01:56.000 attack by itself also does not necessarily aim to steal 0:01:56.080 --> 0:01:59.760 information or spy on anyone or anything like that, although 0:02:00.080 --> 0:02:03.680 it can certainly accompany those types of attacks as well. 0:02:04.040 --> 0:02:06.920 So there are a lot of instances where the denial 0:02:06.960 --> 0:02:11.320 of service attack is just part of an overall attacker strategy, 0:02:11.440 --> 0:02:14.519 or an attacker might use the threat of a denial 0:02:14.639 --> 0:02:18.160 of service attack to extort money from a potential target, 0:02:18.240 --> 0:02:21.840 essentially saying pay up or we're gonna shut you down. Often, 0:02:21.880 --> 0:02:25.640 attackers will demonstrate their capabilities with a small scale attack 0:02:25.960 --> 0:02:29.240 to accompany their demands to show they mean business. So 0:02:29.280 --> 0:02:32.640 in other words, they might actually launch a small attack, 0:02:32.840 --> 0:02:36.000 bring down a service temporarily, and say that was just 0:02:36.080 --> 0:02:39.360 a taste of what could happen if you don't cough 0:02:39.440 --> 0:02:42.200 up the dough. But as I said, denying service all 0:02:42.200 --> 0:02:45.320 by itself can be the full motive, and it doesn't 0:02:45.400 --> 0:02:50.040 have to require code or scripts or overwhelming internet infrastructure. 0:02:50.600 --> 0:02:53.440 So for example, let's say I'm looking online for a 0:02:53.480 --> 0:02:57.000 forum to talk about one of my interests. And for 0:02:57.040 --> 0:03:01.000 this example, we'll just say it's musical theater. Because I 0:03:01.080 --> 0:03:04.480 love musicals and I would love to go online and 0:03:04.560 --> 0:03:07.480 chat with other fans of musicals. I find a forum. 0:03:07.520 --> 0:03:10.520 It's great, there are tons of other enthusiastic fans. Maybe 0:03:10.600 --> 0:03:13.080 there are some performers in there as well. We have 0:03:13.200 --> 0:03:18.200 threads discussing shows and writers and inspiring performances, maybe some 0:03:18.280 --> 0:03:22.800 embarrassing missteps, personal stories from our own performances or the 0:03:22.840 --> 0:03:25.680 times we've attended plays, all the stuff you would typically 0:03:25.680 --> 0:03:29.240 find on a forum about any given sort of interest. 0:03:29.560 --> 0:03:33.800 But then something frustrating starts to happen. The forum gets 0:03:33.840 --> 0:03:39.040 invaded by one or more troublemakers. These people disrupt conversations 0:03:39.120 --> 0:03:42.560 just for fun. They might hurl insults at people, which 0:03:42.880 --> 0:03:46.040 isn't exactly subtle or clever, but it can be an 0:03:46.040 --> 0:03:49.440 effective tactic. Or they might be more insidious and post 0:03:49.520 --> 0:03:55.000 inflammatory messages that are couched in seemingly reasonable language, which 0:03:55.040 --> 0:03:57.720 gives the troublemaker kind of an out right like, Oh, 0:03:57.760 --> 0:03:59.720 I'm so sorry you're offended. All I was trying to 0:03:59.760 --> 0:04:02.000 do is say such and such. You know, they never 0:04:02.000 --> 0:04:05.040 said anything blatantly awful. They just implied it, or they 0:04:05.320 --> 0:04:08.920 danced around it quite a bit, but ultimately they get 0:04:08.960 --> 0:04:11.440 what they want, which is to disrupt the conversation and 0:04:11.480 --> 0:04:14.960 turn the attention toward themselves. We tend to call these 0:04:15.000 --> 0:04:18.680 folks trolls, and the original reason for that is back 0:04:18.680 --> 0:04:20.800 in the old newsgroup days, they were said to be 0:04:20.920 --> 0:04:25.640 phishing for hits or trolling as it were. Trolling in 0:04:25.680 --> 0:04:28.520 the sense of drawing a bated line through the water 0:04:28.640 --> 0:04:31.839 to lure fish. These trolls were trying to get a 0:04:31.960 --> 0:04:36.279 rise out of people and derail conversations, mostly just for laughs. 0:04:36.720 --> 0:04:39.600 I've done episodes about trolls before, so I'm going to 0:04:39.760 --> 0:04:42.080 leave it at that. But trolling is a type of 0:04:42.160 --> 0:04:45.480 denial of service. It disrupts the activity that was supposed 0:04:45.520 --> 0:04:49.640 to happen on that site. It discourages people from participating, 0:04:49.720 --> 0:04:53.480 it denies them that opportunity. And there was no code 0:04:53.520 --> 0:04:56.680 needed to do it. But in the case I mentioned 0:04:56.960 --> 0:04:59.360 just now, trolls were mostly looking to get a rise 0:04:59.360 --> 0:05:02.360 out of people they found humor and upsetting the apple cart. 0:05:02.800 --> 0:05:05.480 They might not have any goals beyond just being a 0:05:05.600 --> 0:05:09.360 nuisance and exerting some small amount of power over people. 0:05:09.800 --> 0:05:12.279 Maybe they belong to a different forum and there's a 0:05:12.360 --> 0:05:15.440 rivalry between the two, But there's some people who just 0:05:15.920 --> 0:05:19.359 as as uh you might hear in Batman, want to 0:05:19.400 --> 0:05:22.840 watch the world burn. But denial of service can have 0:05:22.960 --> 0:05:27.800 far more serious effects than just inconveniencing users. For a business, 0:05:28.040 --> 0:05:31.159 a denial of service attack can prevent them from conducting 0:05:31.200 --> 0:05:34.080 their business, which results in lost revenue. So if you 0:05:34.200 --> 0:05:37.440 run an online store and someone brings down your site 0:05:37.600 --> 0:05:40.640 or prevents people from getting to your site, you're not 0:05:40.680 --> 0:05:43.680 going to make any sales during that time. That's lost money. 0:05:44.160 --> 0:05:47.320 Denial of service attacks can also hurt a company or 0:05:47.440 --> 0:05:51.480 services reputation. So for example, there was a massive denial 0:05:51.520 --> 0:05:56.240 of service attack that affected Sony's PlayStation network and Microsoft's 0:05:56.320 --> 0:06:00.080 Xbox Live service back in during the holiday season, and 0:06:00.080 --> 0:06:03.280 it made a lot of gamers really angry. They were 0:06:03.320 --> 0:06:06.360 accusing both companies of not doing enough to secure their 0:06:06.360 --> 0:06:10.039 services to make sure they were robust against such attacks. 0:06:10.720 --> 0:06:13.799 This is sort of like pouring lemon juice in the wound. 0:06:14.080 --> 0:06:17.479 In some ways, you know they're already hurting because they've 0:06:17.480 --> 0:06:20.160 been knocked down, and now the users are yelling at 0:06:20.200 --> 0:06:22.560 them too. But there is a valid argument to be 0:06:22.640 --> 0:06:28.000 made that services, particularly really big, heavily trafficked services, need 0:06:28.040 --> 0:06:31.160 to invest in good security measures. I talked about a 0:06:31.200 --> 0:06:34.240 non technical approach to denial of service attacks with that 0:06:34.320 --> 0:06:38.360 forum example, but most of the time when we talk 0:06:38.480 --> 0:06:41.080 about the denial of service attack, we tend to mean 0:06:41.160 --> 0:06:43.760 one that involved bringing down a system using some sort 0:06:43.800 --> 0:06:47.520 of technology based attack vector. So you can think of 0:06:47.640 --> 0:06:52.640 denial of service attacks belonging to three large categories in general. 0:06:52.920 --> 0:06:56.479 The first category is volumetric. That means the goal is 0:06:56.520 --> 0:07:00.640 to overwhelm the target by sending a huge number requests 0:07:00.720 --> 0:07:05.359 or messages to that target device, more messages than the 0:07:05.400 --> 0:07:08.360 target can actually handle. And I always think of this 0:07:08.520 --> 0:07:11.240 in a rather old fashioned way. When I was growing up, 0:07:11.640 --> 0:07:15.160 cell phones weren't really a thing. Everyone had landlines. You know, 0:07:15.160 --> 0:07:17.040 you'd be at home and you use your phone, which 0:07:17.120 --> 0:07:19.880 was plugged into the wall, and in fact, most of 0:07:19.880 --> 0:07:22.480 the time. It was a wired handset. Didn't have a 0:07:22.520 --> 0:07:24.320 whole lot of wireless ones when I was growing up, 0:07:24.320 --> 0:07:26.800 and they existed, I just didn't have them. And call 0:07:26.880 --> 0:07:29.640 waiting was not a common feature in those early days, 0:07:29.880 --> 0:07:32.800 which meant if you called someone and they were already 0:07:32.880 --> 0:07:35.680 on the phone, you would get a busy signal. Well, 0:07:35.720 --> 0:07:39.400 this volumetric category of denial of service attacks is kind 0:07:39.400 --> 0:07:42.400 of like having a jerk calling you over and over 0:07:42.480 --> 0:07:44.960 again and they call you, you you pick up, you hear 0:07:45.000 --> 0:07:47.320 it's that same jerk. You hang up, they immediately hit 0:07:47.560 --> 0:07:50.679 redial and they call you right back again, and the 0:07:50.680 --> 0:07:52.680 phone starts to ring, and that means no one else 0:07:52.720 --> 0:07:55.360 can get through to you. Anyone who tries is just 0:07:55.400 --> 0:07:58.480 going to get a busy signal, so they're getting a 0:07:58.520 --> 0:08:01.560 denial of service. And because you can't receive any other 0:08:01.680 --> 0:08:05.160 calls due to this person calling you up repeatedly, you 0:08:05.240 --> 0:08:08.320 also get a denial of service. Now that analogy doesn't 0:08:08.320 --> 0:08:10.800 work quite as well today because we can do stuff 0:08:10.800 --> 0:08:14.600 like block incoming calls pretty much routinely, and call waiting 0:08:14.680 --> 0:08:17.480 is a standard feature on almost every phone service. But 0:08:17.600 --> 0:08:20.680 you get the idea. Next, we have the application de 0:08:20.840 --> 0:08:26.280 DOS flood attack. This concentrates not on individual applications. That 0:08:26.280 --> 0:08:29.920 that's what the phrase makes you think, like, oh, this 0:08:30.000 --> 0:08:33.320 is like a Spotify de dos attack or something. No. 0:08:34.240 --> 0:08:37.360 It rather it refers to the application layer of a 0:08:37.679 --> 0:08:41.080 communications network. And I talked about the application layer back 0:08:41.120 --> 0:08:43.400 in the Dip into the Seven Layers of the O 0:08:43.600 --> 0:08:47.960 SI Model episode that published back in November. But this 0:08:48.000 --> 0:08:50.679 would be a flood attack similar to the volumetric one 0:08:50.720 --> 0:08:53.520 I just mentioned, but it aims to overwhelm the system 0:08:53.600 --> 0:08:56.960 with a large number of requests at the application layer 0:08:57.200 --> 0:09:00.480 rather than the network layer. I'll explain more about what 0:09:00.559 --> 0:09:04.080 that means in the next episode. And the third category 0:09:04.120 --> 0:09:07.080 is a low rate denial of service attack also known 0:09:07.080 --> 0:09:10.319 as a vulnerability attack, and those attacks take advantage of 0:09:10.400 --> 0:09:14.920 vulnerabilities or limitations and application implementations and so are kind 0:09:15.000 --> 0:09:18.840 of related to application de dos flood attacks, but they're 0:09:18.840 --> 0:09:21.080 slightly different. I'll explain more about that in the next 0:09:21.080 --> 0:09:25.160 episode two. Then you have a distributed denial of service 0:09:25.160 --> 0:09:29.439 attack that ups the anti in ad DOS attack. Hundreds 0:09:29.559 --> 0:09:33.720 or thousands or even hundreds of thousands of machines combine 0:09:33.760 --> 0:09:36.760 their efforts to bring down a target to go back 0:09:36.760 --> 0:09:39.400 to my phone analogy for a second. Let's just say 0:09:39.400 --> 0:09:42.000 that that jerk who was calling me really wants to 0:09:42.040 --> 0:09:45.880 irritate me by making my phone line absolutely useless, so 0:09:45.920 --> 0:09:48.560 he actually recruits all of his jerk friends and gives 0:09:48.559 --> 0:09:51.720 them my phone number. Then he and all his jerk 0:09:51.760 --> 0:09:54.600 friends just keep dialing me up over and over, which 0:09:54.640 --> 0:09:57.760 makes it even harder to handle than the one jerk 0:09:57.840 --> 0:10:00.480 doing it all by himself. So let's say I managed 0:10:00.520 --> 0:10:03.280 to finally get an open line, so I make a 0:10:03.280 --> 0:10:05.920 call to the phone company and ask them to block 0:10:06.080 --> 0:10:09.840 the number that just called me, and they agree for 0:10:09.920 --> 0:10:13.400 whatever reason. Well, that just reduces the jerk faces attack 0:10:13.520 --> 0:10:17.800 vectors by one, right, It just removes one of the callers. 0:10:17.960 --> 0:10:20.520 But a group of jerk friends, with the exception of 0:10:20.559 --> 0:10:23.400 the one I managed to catch when I asked for 0:10:23.440 --> 0:10:25.800 the number to be blocked, can keep on calling me. 0:10:25.840 --> 0:10:28.760 They they're calling from different phone numbers, so their calls 0:10:28.840 --> 0:10:31.480 keep coming through, and I can keep trying to block 0:10:31.559 --> 0:10:34.280 the numbers one by one. But this is laborious and 0:10:34.360 --> 0:10:37.040 time consuming, and in the meantime I'm not able to 0:10:37.080 --> 0:10:39.920 use my phone for anything else. That's what ad dos 0:10:40.000 --> 0:10:42.839 attack does, but instead over the phone lines, it does 0:10:42.880 --> 0:10:45.720 it over the Internet. In general, it uses an enormous 0:10:45.800 --> 0:10:49.359 number of machines to carry out an attack, and individually 0:10:49.720 --> 0:10:52.080 those machines might not be able to generate the sheer 0:10:52.160 --> 0:10:56.040 volume of data that could overwhelm a target, but collectively 0:10:56.400 --> 0:10:59.160 they can do it, and they can be difficult to stop. 0:10:59.280 --> 0:11:01.280 In a moment, I'll talk about a real example of 0:11:01.280 --> 0:11:04.040 how an attacker might overwhelm the target machine over the 0:11:04.040 --> 0:11:08.080 Internet using a simple denial of service tactic. But first 0:11:08.360 --> 0:11:18.720 let's take a quick break to thank our sponsor. One 0:11:18.800 --> 0:11:23.320 real world denial of service attack falling into the category 0:11:23.480 --> 0:11:28.880 of the volumetric attack, involves flooding web server with requests 0:11:28.920 --> 0:11:32.880 called pings. A ping is a very simple message that 0:11:33.000 --> 0:11:36.880 computers used to test connections between them on a network. 0:11:37.120 --> 0:11:41.000 It measures the reachability of another computer. So consider that 0:11:41.040 --> 0:11:44.280 the Internet is a network of networks, and between your 0:11:44.360 --> 0:11:48.000 computer and some other computer on the Internet, there may 0:11:48.040 --> 0:11:51.160 be hundreds of machines. Some of them are routers, some 0:11:51.240 --> 0:11:53.440 of them are switches, some of them are computers. For 0:11:53.520 --> 0:11:58.760 your computer to communicate with this target computer, traffic has 0:11:58.800 --> 0:12:01.600 to go through the net work from your computer to 0:12:01.600 --> 0:12:03.760 the distant one, and then traffic needs to be able 0:12:03.800 --> 0:12:07.559 to come back from the target machine to your machine, 0:12:07.840 --> 0:12:09.719 and a ping is a test to see if such 0:12:09.760 --> 0:12:12.480 a thing is really possible. It measures the round trip 0:12:12.600 --> 0:12:15.319 time for a message to be sent out from computer 0:12:15.400 --> 0:12:18.480 A to go to computer B and then return back 0:12:18.480 --> 0:12:22.240 to computer A. The name comes from an older technology, 0:12:22.320 --> 0:12:26.120 which would be sonar and sonar where we use sounds 0:12:26.280 --> 0:12:30.280 underwater to detect objects by listening for echoes. We would 0:12:30.280 --> 0:12:34.400 send out a sound a ping or from a speaker 0:12:34.480 --> 0:12:36.920 essentially underwater, and then we would listen in on a 0:12:36.960 --> 0:12:40.680 microphone for a returning echo. So you send out a ping. 0:12:40.800 --> 0:12:42.440 If you get an echo of that ping, you know 0:12:42.520 --> 0:12:46.320 there is something out there under the water that is 0:12:46.400 --> 0:12:49.200 reflecting that sound back at you. In fact, you may 0:12:49.240 --> 0:12:52.280 remember in movies like The Hunt for October they talk 0:12:52.320 --> 0:12:54.240 about this a lot. They use pings in order to 0:12:54.280 --> 0:12:57.800 send secret messages to each other. But in the Internet, 0:12:57.840 --> 0:13:00.160 we send out a small amount of data and then 0:13:00.240 --> 0:13:03.120 we essentially listen back for its return and use the 0:13:03.120 --> 0:13:06.559 travel time to judge the connection strength between the two computers, 0:13:06.640 --> 0:13:09.480 or really just how much time does it take for 0:13:09.600 --> 0:13:12.760 a message to go across the Internet and back again. 0:13:13.520 --> 0:13:17.240 Mike must created the pain utility back in to help 0:13:17.320 --> 0:13:21.000 test I P network connections. A quick ping could indicate 0:13:21.200 --> 0:13:24.280 if there was a connectivity problem. If you send out 0:13:24.280 --> 0:13:26.200 a ping and nothing comes back, you know there's a 0:13:26.240 --> 0:13:28.560 problem with that connection. If you send out a paying 0:13:28.600 --> 0:13:31.360 and it comes back but it comes back pretty like 0:13:31.400 --> 0:13:33.400 there's a pretty long gap, and we're talking on the 0:13:33.520 --> 0:13:36.840 order of less than a second typically, but it still 0:13:36.840 --> 0:13:38.600 can be a long gap if you're talking about actually 0:13:38.640 --> 0:13:43.079 sending real data across the network. Again, it can tell you, oh, 0:13:43.160 --> 0:13:45.559 you need to really take a look at your network 0:13:45.600 --> 0:13:47.960 and see where the problem is. There might be a 0:13:47.960 --> 0:13:50.840 broken element that you need to replace. It's also a 0:13:50.840 --> 0:13:53.880 great tool if you want to use bandwidth heavy applications 0:13:54.280 --> 0:13:57.760 because it can indicate whether such a connection is even possible. 0:13:58.160 --> 0:14:00.920 So let's say that you want to play an online 0:14:01.120 --> 0:14:05.160 computer game, maybe it's a multiplayer computer game competitive. You 0:14:05.200 --> 0:14:08.640 want to make sure you can find a server that 0:14:09.040 --> 0:14:13.280 doesn't have a long latency issue between you and the 0:14:13.320 --> 0:14:16.120 server you want to pin get a good time. And 0:14:16.160 --> 0:14:18.880 it may be that that's a game that has multiple servers, 0:14:18.880 --> 0:14:21.000 so you want to find the server that has the 0:14:21.120 --> 0:14:25.240 best connection between your computer and that server. So that 0:14:25.280 --> 0:14:28.040 you can have the best experience when you're playing well. 0:14:28.080 --> 0:14:30.480 If one were to send an enormous number of PING 0:14:30.520 --> 0:14:34.840 requests to the same target computer, such as a web server, 0:14:35.400 --> 0:14:39.640 that target could become overwhelmed by all those requests. It 0:14:39.640 --> 0:14:42.600 would attempt to respond to each request, which takes up 0:14:42.600 --> 0:14:46.880 resources it would otherwise use for normal operations. So let's 0:14:46.880 --> 0:14:50.400 say a hacker has targeted the website hosting that musicals 0:14:50.440 --> 0:14:53.480 forum I wanted to pop into, and instead of going 0:14:53.560 --> 0:14:55.560 in there and starting a flame war in the forums, 0:14:55.880 --> 0:15:00.400 they just start sending PING requests an uncountable number of 0:15:00.400 --> 0:15:04.560 PAIN requests to that forums host computer, which is trying 0:15:04.560 --> 0:15:07.440 to respond to each PIN request dutifully. I mean, that's 0:15:07.560 --> 0:15:10.520 what it does. And as a result, the system becomes 0:15:10.600 --> 0:15:13.720 unstable and crashes, and I get an error message when 0:15:13.720 --> 0:15:17.520 I try to go to that forum site. This tactic 0:15:17.760 --> 0:15:21.480 is called a ping flood. It's just one denial of 0:15:21.560 --> 0:15:24.680 service tactic. I'll go into a lot of other ones 0:15:24.760 --> 0:15:28.120 later on. Now, I mentioned earlier how a di DOS 0:15:28.160 --> 0:15:31.760 attack can be effective by leveraging thousands or hundreds of 0:15:31.840 --> 0:15:35.320 thousands of machines in a coordinated attack. But how does 0:15:35.400 --> 0:15:37.320 that happen? How do you get to a point where 0:15:37.560 --> 0:15:41.480 hundreds of thousands of machines can work together. How does 0:15:41.520 --> 0:15:45.000 an attacker get control of that many devices? Well, sometimes 0:15:45.720 --> 0:15:49.840 it happens by people volunteering to be part of this group. 0:15:50.240 --> 0:15:53.080 There are activist groups that will send out a message 0:15:53.080 --> 0:15:55.200 and say, hey, if you want to be part of 0:15:55.240 --> 0:15:58.680 this movement, you can download the software and then we 0:15:58.680 --> 0:16:01.720 can use your computer to be part of this attack 0:16:02.000 --> 0:16:05.720 on whatever the target is. But in other cases it's 0:16:05.760 --> 0:16:11.640 happening through trickery. Uh, it ends up being a compromised device. Right, 0:16:11.960 --> 0:16:16.400 So for target computers, a hacker either rights some malware 0:16:16.680 --> 0:16:20.320 or more likely makes use of existing malware. There's tons 0:16:20.360 --> 0:16:23.120 of malware that's already been written out there. A lot 0:16:23.120 --> 0:16:26.840 of the people who use these tactics aren't necessarily coders 0:16:26.920 --> 0:16:31.240 or programmers. They are what some folks dismissively referred to 0:16:31.400 --> 0:16:35.400 as script kitties. They go and they find code that 0:16:35.440 --> 0:16:37.600 will do what they want it to do that someone 0:16:37.640 --> 0:16:40.560 else has already written, and then they'll essentially download that 0:16:40.720 --> 0:16:44.560 and use that kind of as a just an attack package. 0:16:45.080 --> 0:16:47.360 So they're not having to make it themselves. They're already 0:16:47.360 --> 0:16:50.720 it's kind of off the shelf hacker sort of software. 0:16:51.040 --> 0:16:55.280 So they then use this malware to create a way 0:16:55.360 --> 0:17:00.000 to infect numerous machines, typically by fooling people into execute 0:17:00.000 --> 0:17:04.160 eating a file on their computers or their their computing devices. 0:17:04.800 --> 0:17:07.280 The malware contains a way for the hacker to direct 0:17:07.400 --> 0:17:11.520 those computers to send messages to a specific target. Um. 0:17:11.720 --> 0:17:14.040 They may be completely automated. You just hit a little 0:17:14.040 --> 0:17:17.119 button and then everything does it. You know. You hacker 0:17:17.200 --> 0:17:19.760 might put in the IP address for the target machine, 0:17:20.040 --> 0:17:23.639 but otherwise everything else gets taken care of automatically, and 0:17:23.640 --> 0:17:26.360 the hacker uses those devices to turn all their focus 0:17:26.400 --> 0:17:28.600 onto the target machine and then they bombard it with 0:17:28.640 --> 0:17:32.680 countless messages. Uh. Or the hacker might exploit a known 0:17:32.760 --> 0:17:36.679 vulnerability in various Internet connected devices such as routers, or 0:17:36.680 --> 0:17:41.240 even stuff like smart TVs or Internet connected thermostats. Essentially, 0:17:41.600 --> 0:17:44.800 the Internet of Things and the smart home movement have 0:17:44.960 --> 0:17:49.920 created the potential for truly enormous coordinated attacks because again, 0:17:49.960 --> 0:17:53.919 they don't have to send really sophisticated information across the Internet. 0:17:53.960 --> 0:17:56.879 It could be as simple as pings. Pings are one 0:17:56.880 --> 0:18:00.080 of the most basic messages you can send, so if 0:18:00.119 --> 0:18:02.400 you just get devices that are capable of sending a ping, 0:18:02.480 --> 0:18:05.199 then you're you're all set to go. And part of 0:18:05.240 --> 0:18:08.119 this is because that Internet of Things developed faster than 0:18:08.160 --> 0:18:12.040 companies could create good security measures to protect those devices 0:18:12.080 --> 0:18:14.719 from people who would compromise them. And part of it 0:18:14.760 --> 0:18:17.800 falls on the consumers shoulders, because a lot of people 0:18:17.840 --> 0:18:21.080 don't bother to ever update their security settings. Right, they'll 0:18:21.080 --> 0:18:23.520 get a new thing out of the box, they'll plug 0:18:23.560 --> 0:18:26.399 it into their network, and they never bother to update 0:18:26.440 --> 0:18:30.000 the log in and passwords on their devices, so they're 0:18:30.080 --> 0:18:33.359 using the default settings for their login and passwords, and 0:18:33.440 --> 0:18:37.760 that can create the opportunity for a hacker to access 0:18:37.880 --> 0:18:41.320 those devices. If a company is using essentially a the 0:18:41.400 --> 0:18:45.440 same sort of login and password for all of its 0:18:45.520 --> 0:18:48.280 products along a certain line, that all you have to 0:18:48.280 --> 0:18:50.240 do is know what that is, and then you have 0:18:50.320 --> 0:18:56.840 access to countless instances of those unprotected devices because so 0:18:56.880 --> 0:18:59.879 many people do not bother to update it a law. 0:19:00.080 --> 0:19:02.760 The routers I've seen have had a log in that's 0:19:02.800 --> 0:19:05.760 kind of like admin one and a password that might 0:19:05.800 --> 0:19:09.879 literally be the word password. So if you just plug 0:19:09.960 --> 0:19:13.800 that in, if you're a hacker to try and compromise 0:19:14.000 --> 0:19:18.080 someone's home systems, chances are it's gonna work on a 0:19:18.119 --> 0:19:20.399 lot of people because they never bothered to change it. 0:19:21.080 --> 0:19:25.400 So uh, lesson there, change your passwords on your devices 0:19:25.440 --> 0:19:28.600 from the default to something else. Now, some companies they 0:19:28.640 --> 0:19:32.439 go a little bit further. They'll they'll create a password 0:19:32.480 --> 0:19:35.359 for each device that is unique to that device, right. 0:19:35.400 --> 0:19:38.040 They don't use the exact same password for all of 0:19:38.080 --> 0:19:41.240 their routers, for example, And that's a good step that 0:19:41.280 --> 0:19:43.280 makes it much harder to do. You you can't just 0:19:43.359 --> 0:19:47.800 use a blanket attack the way a hacker normally would. Anyway, 0:19:48.080 --> 0:19:51.639 I don't put the full blame on the consumer, and 0:19:51.680 --> 0:19:54.560 I don't put the full blame on the manufacturer. It's 0:19:54.560 --> 0:19:56.840 a problem that both parties have to pay attention to. 0:19:57.320 --> 0:19:59.600 But there are some manufacturers out there who have made 0:19:59.640 --> 0:20:03.439 product with very poor or completely absent security measures, And 0:20:03.440 --> 0:20:06.720 in those cases, I pretty much blame the manufacturer of 0:20:06.800 --> 0:20:10.280 the company, not the customers, because if you didn't even 0:20:09.920 --> 0:20:13.600 include any kind of security measures in your device, then 0:20:13.640 --> 0:20:15.760 there was nothing really the customer could do on their 0:20:15.800 --> 0:20:18.800 side to protect themselves. And in any case, the collection 0:20:18.880 --> 0:20:22.639 of infected computers and devices would be called a bot net. 0:20:23.080 --> 0:20:26.240 Sometimes people call it a zombie computer army. Although you 0:20:26.280 --> 0:20:28.760 hardly ever hear that phrase these days, it's almost always 0:20:28.800 --> 0:20:31.840 just bought net and it's because the compromise computers are 0:20:31.880 --> 0:20:34.960 being controlled by some sort of remote entity, either a 0:20:35.040 --> 0:20:38.360 human hacker or an automated script or bought This can 0:20:38.440 --> 0:20:40.760 happen even without you being aware of it. By the way, 0:20:40.920 --> 0:20:43.600 you may only notice that your device is operating more 0:20:43.640 --> 0:20:46.040 slowly than normal, and you wonder, well, why is my 0:20:46.080 --> 0:20:48.600 computer no longer as fast as it used to be. 0:20:48.960 --> 0:20:52.120 One possible explanation is that some of your computer systems 0:20:52.119 --> 0:20:54.480 are being dedicated to sending out the tax over the 0:20:54.520 --> 0:20:56.880 Internet and you never know it. Or you might get 0:20:56.880 --> 0:20:58.960 a message about how much data you're using over a 0:20:58.960 --> 0:21:01.240 given length of time and your thinking, that's weird, I'm 0:21:01.280 --> 0:21:04.040 not even home when all this stuff is happening. Well, 0:21:04.040 --> 0:21:07.320 that's an indicator that something has gone wrong. So to 0:21:07.440 --> 0:21:11.320 understand how most distributed denial of service attacks work, it's 0:21:11.359 --> 0:21:14.439 good to remind ourselves of how information tends to travel 0:21:14.520 --> 0:21:18.760 across the Internet. There are protocols like TCP I P, 0:21:19.040 --> 0:21:21.760 which that's actually two different sets of protocols. Those are 0:21:21.760 --> 0:21:25.200 really rules that information has to follow to travel across 0:21:25.240 --> 0:21:28.359 the Internet. The architects of the Internet who worked on 0:21:28.440 --> 0:21:32.120 our pannet first one of the actual methodology of allowing 0:21:32.160 --> 0:21:35.440 information to go from point A to point B to 0:21:35.560 --> 0:21:38.520 be very light with the data. In other words, the 0:21:38.520 --> 0:21:42.879 process itself shouldn't have been data specific. It should be 0:21:42.960 --> 0:21:46.440 data agnostic. It doesn't matter what the information is. It's 0:21:46.520 --> 0:21:49.280 just concerned with making sure that information can get from 0:21:49.440 --> 0:21:52.960 the source to its destination. That's the only thing that's important. 0:21:53.520 --> 0:21:58.000 The end points, the edge machines where a message originates 0:21:58.040 --> 0:22:00.320 and where it terminates, would do all the heavy thing, 0:22:00.680 --> 0:22:02.600 but the middle bits would be much less hands on 0:22:02.640 --> 0:22:05.000 with the data, with a deeper concern with just making 0:22:05.000 --> 0:22:07.960 sure it gets to the right destination. And it's verify 0:22:08.119 --> 0:22:10.600 that everything got to where it needed to go. So 0:22:10.640 --> 0:22:14.199 the Internet sends data in bundles called packets. This is 0:22:14.200 --> 0:22:17.840 really where TCP comes in. A single file might consist 0:22:17.920 --> 0:22:21.760 of hundreds or thousands or millions of packets, and the 0:22:21.760 --> 0:22:25.760 packets are just bundles of data, and your computer sends 0:22:25.800 --> 0:22:29.160 this information over the Internet. So let's say you want 0:22:29.160 --> 0:22:32.240 to send a big file. Let's say it's a film. 0:22:32.280 --> 0:22:34.359 You've got a film and it's an enormous file and 0:22:34.400 --> 0:22:35.960 you want to send it across the Internet to a 0:22:35.960 --> 0:22:39.000 friend of yours. Well, the data gets chopped up into 0:22:39.040 --> 0:22:42.920 these packets, and the packets include a header that has 0:22:43.000 --> 0:22:47.600 important meta information about the data the packet carries. Namely, 0:22:47.640 --> 0:22:51.000