[00:00:04] Speaker 1: Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland, and I love all things tech, and today we're going to continue our discussion about DDoS attacks, distributed denial of service attacks. In the last episode, I talked about them from a very high level, right? I gave a very high level explanation of what they are and how they work. And today we're going to get into a little bit more granular, specific discussion, though not exhaustive, because honestly, to get into a truly exhaustive discussion about DDoS attacks requires an incredible amount of groundwork you have to lay in order to get the technical understanding, and, to be honest, there are certainly elements of DDoS attacks, particular implementations, that go well beyond my understanding, so I don't want to reveal the depth of my ignorance too quickly. But first, a distributed denial of service attack, in case you don't remember, is a tough thing to defend against.
[00:01:09] Speaker 1: It's because it's really hard to tell the difference between legit communication from people who are trying to access an online service, whether it's a website or an app or whatever, and an attack. It's hard to tell because the way the Internet works, it tries to be agnostic towards the kind of data that's going across the system. In many ways, that's a great thing, but in other ways it can make it very challenging when people are using data itself as a way to attack a target. So let's say you've landed a job and you are the personal assistant of a really powerful, really polarizing entrepreneur. One of your jobs is to open this entrepreneur's mail. And whether this is a man entrepreneur or a woman entrepreneur, it's your choice. But this entrepreneur gets a lot of mail, and you're to forward anything important to the entrepreneur, and then you have to handle everything else yourself.
[00:02:08] Speaker 1: But this particular entrepreneur has ticked off a lot of folks because they're so polarizing, and some of those folks have decided that the best way to respond is to send hate mail, like a lot of hate mail. Like one person hates this entrepreneur so much that not only has this person written a letter, but also went out to make hundreds or thousands of copies of that hate letter and then mailed all of those copies off to the entrepreneur. And your job is to go through the mail. So you're spending all of your time opening up envelopes and looking to see if it's an important piece of mail or if it's just another hate mail message. But you're smart, you know, you catch on to what's going on after, you know, a couple of hours, so you realize, hey, I'll just look at the return address, because if it's from that person, I know it's just hate mail. So I'll just toss those letters aside, unopened. I already know what's inside of it. I'll stop wasting time, or at least as much time.
[00:03:10] Speaker 1: But then this person who hates your entrepreneur, they begin to start sending these letters from different addresses. So now you have to start making a list of addresses that you should be on the lookout for. It's not just this one now, it's a group of them. Either this person is traveling around and sending mail, or he or she is just making up addresses willy-nilly. Either way, it's making your job harder. So now you're starting to keep a list. Every time you open a piece of mail, you look in: oh, it's another copy of that hate letter, but it's a new address. Well, just add it to the list. Then this person goes a step further and starts to recruit other people to send more copies of the same hate letter to you, and they're using other return addresses, and it's different types of handwriting too. And now you're back to where you started. Every piece of mail comes in, you don't know what's inside it until you open it, and you spend that time and effort doing it.
[00:04:03] Speaker 1: Now, you could try to keep an up-to-date list of all the bad addresses out there, but that could get cumbersome really quickly, and eventually that list might be so long that you're unable to consult it efficiently. You are spending so much time looking to see if a new letter is on that list, if a new return address is on that list, that you're just wasting more time than you would if you opened it and looked in it anyway. Or maybe some of those same people who have sent you hate mail have other messages, really relevant ones, that have been sent in the mail, or maybe they used an address from someone who is a relevant communicator, and your boss might think it's really important, so you run the risk of throwing away a legitimate message while trying to get rid of all these fake ones. Well, to a targeted computer, being on the receiving end of a DDoS attack is kind of similar to this.
[00:04:55] Speaker 1: An administrator might notice that there's an unusual amount of traffic coming from a specific IP address, and that IP address appears to belong to someone who's trying to bring down the computer system, whatever it may be, and so they might try and block that specific IP address from being able to send messages to the server or the router or whatever. But if it's an actual distributed denial of service attack, the number of attacking machines could be in the hundreds of thousands. So at some point you have to worry that you're blocking legitimate traffic, that you can't block everything, but then you can't be certain that any given IP address isn't a compromised one. So you might try to mitigate it by rolling out a system whereby legitimate users are identified in some way. So instead of trying to identify illegitimate users, like the ones that are coming from an attacker, you roll out some new policy so that anyone who's making legitimate use of your service has a particular marker associated with them in some way.
[00:05:58] Speaker 1: But then there's the possibility that the bad guys figure this out and they just disguise their own traffic as legit, which sets you right back to square one again. So let's cover some of the specific types of DDoS attacks out there and what they do. First, as I mentioned in the last episode, you have volumetric attacks. These are the easiest to understand and explain, because it's all about overwhelming your target with just messages. The target receives so many messages, so much data, that it gets bogged down just trying to respond, which slows down everything else and can even cause the system to crash. There are several different ways to do this. I mentioned the ping flood in the last episode, but that's really just one example. Some attackers might use a clever system to not only increase their own effectiveness, but reduce the chance that they would be identified or caught. So you might remember in that last episode I talked about IP addresses, and if there were no way to change your IP address, carrying out an attack directly against a target would be really dangerous.
[00:06:58] Speaker 1: Like, if my IP address was tied directly to my identity all the time, then it would be crazy for me to make any sort of attack against a prepared target, because they would know who it came from. But your target might not be able to identify the attacker, because there's a technique called IP spoofing that gets around this. So in IP spoofing, an attacker impersonates the user of another machine by manipulating IP packet headers. Remember, data passes over the Internet inside packets, bundles of data called packets, and each packet has a header that contains meta information, including where the data supposedly originated from. So it's sort of like writing down someone else's return address on a letter before you send it off. When you do IP spoofing, you're creating a fake, or you're duplicating, an IP address, whatever; it's not one that belongs to you. So someone looks at the incoming IP address, they don't know for sure that the computer sending all that traffic is the one that's actually identified in that address.
[00:08:04] Speaker 1: Now, IP spoofing is relatively simple in the grand scheme of things, but clever hackers will even go further. Let's say a hacker has managed to get control of a large collection of compromised machines, also known as a botnet. The hacker plans to use the botnet to overwhelm the target with a direct approach. The target might be able to identify some of the machines belonging to this botnet, but it would be much more difficult to make the leap between the botnet and the hacker who's actually pulling the strings. Right? You'd be able to see the incoming traffic coming from all these machines, but you wouldn't know who's actually behind it all. But wait, you can get even more clever than that. So imagine you have a hacker who has control of a botnet, and the hacker wants to send a ton of messages to a target web server. But instead of directing all those compromised machines in a direct attack, instead of saying, army, go sic 'em, the hacker instead has the machines under his or her control send messages to uninfected computers that are not the target.
[00:09:04] Speaker 1: So these are outside the botnet, and they also are not your ultimate target. In other words, computers that are just completely innocent. But the messages that your botnet is sending to these computers have a spoofed IP address. Specifically, they have a spoofed IP address that makes it look like they all come from the targeted computer. The innocent computers out there, thinking they have just received a message from the target, respond, because that's the way the Internet works. They say, hey, got your message, what do you want? And then you have this target computer, the one that the hackers wanted to take down, starting to get hit by thousands or hundreds of thousands of responses to a message it did not send out. It's a bunch of people saying, hey, I got your text, and you're like, I didn't send a text, except you're getting it from a hundred thousand people all at once. These innocent computers are called reflectors.
[00:09:58] Speaker 1: They are reflecting this message back at a target, and this makes finding the responsible hacker even more challenging, because when you do that first trace of the message back to the individual machines, they are all uninfected devices. They're not part of that botnet to begin with. All they did was respond to a computer they thought had messaged them. It's evil, I tells you, evil. But again, these are all variations on volumetric attacks. There are other approaches as well. For example, there are TCP state exhaustion attacks. What the what? Well, that requires some explanation. TCP stands for Transmission Control Protocol, and with the Internet Protocol, it is one of the main sets of rules that determine how computers communicate across the Internet. Internet Protocol is all about making sure data gets from one point to another in bundles of data, packets, and Transmission Control Protocol is more about making sure all that data gets reassembled properly and that none of it goes missing. So it's a set of rules that checks to make sure messages being sent across the Internet are whole and properly reassembled.
[00:11:05] Speaker 1: During a communication between devices on the Internet, TCP goes through numerous states or phases. Elements on networks, such as load balancers, which help make sure traffic on the Internet is balanced properly, so that no one section of the network is getting too much traffic and getting congested, and which help move some of that traffic around to keep things nice and efficient, have what are called connection state tables, and these tables include information about every single connection going through that point. Information includes the source address for the connection, the port used by that source, the destination address, and the port that the destination is using, and also the connection state, such as whether it's an established connection or not. A TCP state exhaustion attack attempts to fill up those tables with garbage traffic in an effort to overload the system, whether it might be a firewall or a load balancer or some other component. And then there are application layer attacks. These are the most complicated to explain, and so I'll go into further detail in just a moment.
[00:12:09] Speaker 1: But first, how about I take a quick break to thank our sponsor. Okay, what is an application layer attack? Well, they focus on the application or service at layer seven, but that's not really helpful if you don't know about layers. So let's talk about that. And as I said in the last episode, back in November I did an episode titled Dip into the Seven Layers of the OSI Model. The OSI model is a conceptual model to help describe the various communications functions in a telecommunication system, and it's really just a way for us to think about all the different elements that work together to allow for the complex communication we can do over networks. They do not refer to actual physical layers so much, even though each layer serves all layers above it and is served by all layers below it. Layer seven is the topmost layer, meaning it does not serve any other layers because it's at the top of the heap, but it is served by all the layers that are underneath. So let's go from the bottom and work our way up.
[00:13:18] Speaker 1: At layer one, you have the physical layer, which consists of the actual physical specifications of data connections, whether they're electrical, optical, or whatever, and the processes associated with them. Layer two is the data link layer, which is a direct link between any two nodes, so you've got two computing devices on the same network; layer two is that direct link. Layer three is the network layer, so this goes one step beyond having a direct link between two computers. This includes both the process and any functional means to send data across two nodes in separate but connected networks. Layer four is the transport layer, which allows for the communication between processes running on different hosts on different networks, so you go from the computers being connected across different networks to the processes running on computers being connected through different networks.
[00:14:10] Speaker 1: This gets a little confusing because it sounds a bit like layer three, but think about it: layer three is allowing for the connection between the machines, and layer four goes a step further and allows actual programs or processes running on those machines to communicate with each other. Layer five is the session layer, which creates the actual communication channels between computers, and it's all about actually establishing, maintaining, and terminating communication sessions. Layer six is the presentation layer, which is kind of like a translator, so it handles stuff like encryption and decryption of data being sent or received from a network. It's usually part of an operating system. And then we get to layer seven, the application layer. Now, the name could be a little misleading, as the application layer does not actually include the applications themselves. Instead, it includes the services that applications can access when they need to send data to or receive data from a network. Applications can include any kind of software, so a web browser is a type of application, but the browser itself is not part of layer seven.
[00:15:10] Speaker 1: Instead, the web browser taps into these services offered by layer seven whenever it needs to communicate with a network, such as when you click on a link in a web page, and that way it sends that message through layer seven further down the stack, so that it can go out and actually retrieve the information and come back up and then be displayed in your web browser. At this top layer of the OSI model you have the processes that handle some of the most common Internet requests, such as, well, HTTP GET and HTTP POST. GET and POST are two of the most common commands, common requests, that go across the Internet. So what the heck are those? Well, first of all, HTTP stands for Hypertext Transfer Protocol. This is the set of rules designed to make it possible for client computers to communicate with server computers across the Internet.
[00:16:06] Speaker 1: HTTP works as a request-response protocol, so, sticking with web browsers, a simple example is when you type in a URL to your web browser's address bar. Your web browser takes this information, it interprets it as a request, sends that request out to the Internet, which relays the request to the appropriate server computer that hosts the website you want to see. The server returns a response to your web browser, which hopefully contains the web page you wanted in the first place. HTTP GET is pretty much what it sounds like. It's a request to get data from a specific resource. The GET request is used to ask for data, but it does not modify data. POST, on the other hand, is used to send data to a server, typically to update or to create a resource on that server.
[00:16:59] Speaker 1: Now, these attacks don't require the same bandwidth as a volumetric approach. So remember, volumetric is where you're trying to get as many different incoming messages to flood a recipient as you possibly can, which means you're taking up a lot of bandwidth. In this kind of application layer approach, you don't have to do that as much if you're trying to overload a specific computer. With the application layer, you rely less on data being sent from the attacker to the target and more on the actual request, because the target has to do more work with a layer seven attack than a network level attack. On the network level, we're just talking about the underlying infrastructure having to deal with traffic. But at the application layer, we're talking about the target computer having to actually do something. It has to reference something, which is easier to understand if we use a specific example. So let's say I want to target a web-based email service, and so I create an attack that will make a relatively small botnet send a series of login requests to the webmail service.
00:18:07,040 --> 00:19:05,679 Speaker 1: So it's as if all these different zombie computers are coming to this service and saying, Hey, I've got an email account with you guys, here's my login, here's my password, give me access to that email. Each time the service receives one of these requests, it has to reference its system to verify the login credentials and either allow access or deny the request, probably denying. They're probably sending a lot of bogus login requests, but this still requires the system to reference its database every single time. It has to verify whether or not that's a legitimate request to get access to email. Then it has to send a response to the requesting computer. So think of a time when you went to log into a service but you typed in the wrong password, and typically you would get a message that would say, hey, dude, that's totes not what you set up when you made your account, but that requires resources from the server. It actually has to reference the login against its table of data and then send the appropriate response.
00:19:05,800 --> 00:20:04,680 Speaker 1: A DDoS attack that aims at this layer can quickly overwhelm the target. An attacker can use an HTTP flood attack, which might seem to be legitimate on the surface, but in reality is a botnet attack using HTTP requests to bog down the target computer and take services offline or at the very least slow everything down big time. All right, so now let's get into a rundown of some specific types of DDoS attacks. Now, I'm not going to go through all of them, because some of them require a much more involved explanation of what's going on, and we'll get bogged down in some pretty dry material about protocols and network architecture. But at layer three, that network layer, you've got that ping flood that I mentioned earlier. It's also called an ICMP flood attack. That was what I talked about in that last episode. And you've also got the IP/ICMP fragmentation style of attacks that requires a quick bit of explanation. Now, remember when I say we send data over the Internet using packets, we bundle it together in packets.
00:20:04,760 --> 00:21:12,280 Speaker 1: Well, you might have noticed I did not mention how much data a packet can actually hold, which is because different networks can handle different sizes of packets. The maximum sized packet a particular network can handle is called that network's maximum transmission unit, or MTU. If a packet is larger than the network's MTU, it has to be broken apart, has to be fragmented into smaller bundles of data. But only the first fragment of the data packet has the layer four information within that packet's header. All subsequent fragments, however many there may be, could be one of fifty, they do not have that information in their headers, and that's something an attacker can exploit. In a volumetric attack, there are attacks that aim at the fourth layer, that transmission layer. For example, there's the User Datagram Protocol flood attack. This set of rules allows applications to send messages to a networked host on an IP network, and the attacker uses a spoofed source address to pose as the target computer.
00:21:12,400 --> 00:22:10,320 Speaker 1: So the attacker is actually using this spoof to appear to be the actual target, and then the attacker sends out what is called a UDP request to a ton of different computers on different random ports. Now, those computers receive this UDP request, and then they look for an application that would be located on the respective port that was associated with that request, and most of the time there's not gonna be any sort of application on that port, and so the computer sends off a quick response that essentially says, hey buddy, sorry, but there's no application on that port. Better luck next time. Except, as I mentioned, the hacker spoofed their address to make it look like they were sending this from whatever the target computer is. So then the target computer starts getting these messages, all these messages saying, hey buddy, I'm sorry, but there aren't any applications on that port. Better luck next time. And if you've ever had your phone number spoofed by some jerk and then started to receive angry calls as a result, you know what this is like.
00:22:10,359 --> 00:23:01,560 Speaker 1: Now, I've never had that happen on my personal number, but I actually once worked for a company that had its main phone number spoofed by someone who was using a fax machine, and this poor woman was getting phone calls, and she would pick up the phone and it would clearly be a fax machine. It would be making that terrible fax machine noise. But the telephone number that was on her caller ID was our telephone number, which clearly wasn't coming from us. I mean, I was there. I knew we weren't faxing her. So someone was actually spoofing our phone number. She was justifiably getting sick and tired of it, so she would call us and yell at us, but we weren't actually doing anything. There was nothing we could do. There was someone else out there spoofing our number. Well, hackers do that same thing on purpose with IP addresses, and in this way you have all these innocent computers responding to what they interpret as a legitimate request, flooding the target computer with messages.
00:23:01,560 --> 00:24:06,560 Speaker 1: As a result, there's another attack called the TCP SYN flood that's pretty ugly. In this attack, the hacker engages all of a target server's communication ports with a communication request that never completes the process to establish a connection, which means the status is left half open. So the process is called a handshake, and there should be a three-way handshake between a client and a server that establishes communications, but this attack stops the handshake halfway through. So every communication port gets engaged with one of these requests, but the request is never completed, so it all gets gummed up with a half-finished handshake process and nothing can go through. Which makes me think of those phone operators who have a rule that states they can't be the first person to hang up on a phone call. So if they call you and they're following the rules, you can complete a conversation and then you can just hold them there because they're not allowed to hang up on you. That'll show them. No, don't do that. Those folks, they're just doing their job.
00:24:06,640 --> 00:24:53,520 Speaker 1: Any attack that involves a request for a secure session, such as logging into an account, falls into the category of an SSL exhaustion attack. This is one of those that requires the target to do a lot of work, and so it requires less traffic to actually overtax the target. Or how about a Slowloris attack, named after the animal. This one is also kind of ingenious. So the attacker sends out an HTTP request in chunks to a target web server. Now, the server cannot complete this request until it gets all of the chunks. To protect against this breaking, Internet servers have a timeout feature, so if they don't get the next chunk within a set amount of time, it will time out, and then that session will be closed. So the Slowloris attack is a balancing act.
00:24:53,720 --> 00:25:59,320 Speaker 1: It's all about sending those chunks of an HTTP request header to a target server, just enough to not trigger the timeout, so as the server is about to give up, it receives the next chunk, and then the timeout counter resets, and the attacker aims to gum up every communication port on the server with those style requests, which clogs up the communication system and prevents legitimate users from accessing the server. Now, there are tons of other variants, but you get the idea. All these strategies aim at the same goal: forcing the target to focus on handling meaningless tasks at the expense of what it is supposed to be doing. I kind of feel the same way with notifications while I'm working, whether it's emails, Slack, Basecamp, instant messages, whatever. I feel they're meant to pull my focus away from what I should be doing, which we all know is beating Tari at PUBG, and I will do it one day. When we come back, we'll talk about some of the strategies people employ to defend against DDoS attacks.
00:25:59,359 --> 00:26:58,080 Speaker 1: So the first step to defending against an attack is knowing that an attack is actually happening. This is actually pretty darn tricky, because you have to be able to discern between what is unusually heavy but legitimate traffic and an outright DDoS attack. So an important defense element is the ability to detect anomalies, so outliers that go beyond what you would typically see in your network traffic. To do that, you first have to establish what is the norm for your network. You have to know what the baseline is. So you've got to figure out what the baseline is for bandwidth usage, for example, what do you typically see across your network at different times of the day, or CPU utilization or things like that. And once you establish those baselines, then you can keep an eye out for situations that exceed your baseline activity to a level that could indicate a potential attack is happening, and then you can take a closer look. Another step is monitoring the actual traffic going across the network.
00:26:58,119 --> 00:28:00,800 Speaker 1: Now, I don't necessarily mean spying on data, although there are companies that do recommend doing exactly that and taking a peek inside of packets to make sure that they are legitimate. I'm of a divided mind on that, because on the one hand, it's a valuable tool if you want to make sure that traffic is actually legitimate and not, you know, part of an attack. But on the other hand, I also don't like the idea of people peeking into packets, because that's not the way the Internet is supposed to work. Anyway, the method I'm talking about here doesn't actually tell you anything that's going on inside the data packets. Instead, you would be able to see things like the number of packets traveling across your network and where those packets originate. So you would get information from the header of the packets, but not from the internal part of the packet, so you would know where the packet was supposed to go, where it was coming from. And it doesn't give you any information about what the packets actually represent.
00:28:00,840 --> 00:29:02,640 Speaker 1: It just tells you which IP addresses are, or appear to be, sending information to a server or machine on your network. If you've detected an abnormality in network traffic, and then you use a tool like that to see where the traffic is going, you might be able to suss out an attempt to create a UDP flood attack, for example. If you do that, you can take the next steps to try and stop it. If you determine that some of that traffic is in fact malicious, you can set a firewall to block traffic from that IP address, or those addresses if it's a distributed denial of service attack. So a firewall is a network security system. It can be hardware, it can be software, but it's a system that acts like a barrier between a network and the larger Internet, or a machine and a network. It's named that because it's like a physical firewall, something that can hold up if there's a fire on the other side of the wall. It's not going to come through, right? Same sort of idea.
00:29:02,680 --> 00:30:02,320 Speaker 1: All traffic has to pass through the firewall, and the firewall follows a predetermined set of security rules, so you can actually adjust those rules. You can change what the rules are. So maybe you're an administrator for, say, a company network, and you've identified a website that hosts malicious software. You know this site has got some bad juju on it. You don't want any employees to go to that site and potentially infect their machines, which could then possibly spread malicious code to everyone else on your network. So you set a rule in your firewall and it blocks any computer on the company network from being able to contact that specific website's server. If you were to try to go there, you would get an error message. You could do the same thing but in reverse, by denying any incoming traffic from a specific IP address, saying, all right, well, if you get anything from this address, block it. Of course, if you're wrong about the nature of the traffic, you could be blocking an innocent person's communications with your server.
00:30:03,000 --> 00:31:09,920 Speaker 1: There are also network infrastructure tools called intrusion prevention or intrusion detection systems, which are really more about trying to detect hackers that are trying to get unauthorized access to your systems, but they can sometimes set up alerts that will let you know that something hinky is going on in general, and you can take a quick closer look and see if maybe that's an indicator of a DDoS attack. They also can create a lot of false positives, however, so it's not like it's a foolproof way of detecting this. So it's just one more tool in the toolbox for people who are trying to protect their networks. There's also a method called reverse path forwarding that can sometimes help out. The process involves verifying the incoming packets are coming from legit IP addresses, because if a hacker is spoofing addresses, they might not be careful enough to make sure they're spoofing a legitimate IP address, right? They could be spoofing, and the IP address that's in those data packets actually doesn't connect to any real device that is connected to the Internet.
00:31:10,320 --> 00:32:17,120 Speaker 1: And if that's the case, if you do this reverse path forwarding approach, and you determine, hey, these messages are supposedly coming from this IP address, but that IP address is not actually in use right now, that tells me that these are not legitimate packets. This is an attack that has a spoofed IP address attached to it. So then you could discard those packets. Essentially, you tell your firewall, hey, get rid of anything that's coming from this address because that's not legit. Another strategy is just compartmentalization, in which a company will make certain that valuable services exist on separate servers, possibly on separate but connected networks, and that way, if one service or network is targeted in particular, the other ones could remain viable while security teams work to mitigate the effects of the attack. That doesn't prevent attacks from happening, but it helps limit their effect on an overall system. So again, let's say that there's, let's use Google as an example. Let's say that there's an attack on Google Mail, Gmail, and that attack is hitting Gmail servers really hard.
00:32:17,120 --> 00:33:26,880 Speaker 1: Well, Google could have those compartmentalized, so it's not affecting other Google services. Like, you would go to the web search and everything's fine. You can't tell that Gmail is down, or maybe there are other elements that are also working just fine. It's just Gmail that is being affected. That's through compartmentalization. And again, it doesn't stop an attack, it just reduces how much damage an attack can do. And then there are content delivery networks, or CDNs. These are not on their own an anti-DDoS measure, but they can help. These are distributed servers that respond to requests from clients based upon the geographic location of that client. This is more helpful if I use an example. So let's say I'm a business owner and I launch a new website. And when I first started out, my website is housed on servers that I have in my garage, right, like, this is just a startup company. It's something I wanted to do in my spare time. But it catches on, and people find my site amazing and they love it, and more and more users start to visit the site. So I need to scale up.
00:33:27,440 --> 00:34:28,359 Speaker 1: My little server just can't handle this traffic. So soon I'm leasing server space from large data centers. And because folks are really wanting to use my services and they're all across the United States, I choose to go with a provider that has data centers in a few different strategic locations around the country. And that way, my customers can end up connecting to a server that's geographically close to them, probably through some sort of automated feature in my web service, so the user doesn't even have to think about this. They don't see it. They just know that the web page is loading nice and fast because the system is making sure they're connecting to the instance of my website that's closest to them. But then I scale up again, and now it's time to go global, and at this stage I need a content delivery network. This is a larger company that can host my service across the globe. And essentially the content delivery network just makes a copy of my website to sit on one or more servers in every single data center it has a deal with around the globe.
00:34:28,719 --> 00:35:33,880 Speaker 1: Now, no matter where you are, when you pull up my website, there's not a super long delay while it connects to the server and pulls that information back and loads it in your browser, unless, of course, the data transfer speeds in the area you are in are terrible, which is a different matter. Now, because CDNs are global in nature, and because of the way that they approach this, they can actually absorb a lot of traffic and they can balance the load as well. So if one geographic area is being hit really hard, the CDN could potentially redirect requests to less trafficked servers. So while the most convenient server might normally be in your home city, if that particular site is being hit by a DDoS attack, the CDN could route your request to a different server in a nearby city, and it might take a little longer than it normally would, but it will work. Whereas if you try to connect to the server you usually connect to, it might not work because it's being attacked. So CDNs do not stop attacks. They don't prevent attacks, they just soak up the damage.
00:35:33,880 --> 00:36:40,840 Speaker 1: They're kind of a bullet sponge. So it's really not much of a stopgap, because we keep seeing DDoS attacks increase in the amount of data that they're throwing at their targets. So if you're getting to this point where you're getting exponentially larger amounts of data being shot at targets, eventually you're gonna hit a point where, even if you're huge, you're still gonna feel it. So it's not really a solution so much as it's just a way to put off how badly DDoS attacks are going to affect you. And again, there are all sorts of people who use them. There are activists, there are criminals who are trying to extort money from potential targets, and there are people who are doing it just for the lulz, so it's tough. Because the tools are easy to get hold of, it's relatively easy to attack using these approaches, but it's really hard to defend against it. So it's one of those things where it's a disproportionate amount of work. The attacker doesn't have to do very much work, and the defender has to do a ton of work.
00:36:40,920 --> 00:37:33,520 Speaker 1: So even when you're successful in defending, you're still using a lot of resources to do it. Well, that wraps up these discussions about distributed denial of service attacks and what they are and why they're so infuriating and why it's important to know about them. If you guys have suggestions for future episodes of TechStuff, send me an email. The address for the show is techstuff at howstuffworks dot com, or drop me a line on Facebook or Twitter. The handle at both of those is TechStuffHSW. Make sure you follow us on Instagram, and I'll talk to you again really soon. For more on this and thousands of other topics, visit howstuffworks dot com.