Explain by Example: DDoS Attack
Disclaimer: The following content is not officially endorsed by Microsoft.
[Based on a true story]
So I was just casually minding my own business the other day when all of a sudden, DING. A new email comes through to my inbox:
And I realized it was a phishing email immediately. Not because I'm a security expert, but because, you see, I don't actually have a Netflix account. But even so, let's take a closer look at some of the giveaways and suspicious behaviors in this particular email.
First of all, the sender's email ([email protected]) looks like a shorter version of my randomized WiFi password:
This is usually one of the most obvious indications of a phishing or spam email. As soon as you receive something from an unofficial-looking email address, you need to discard it (or report it) immediately. I actually discarded this email immediately but then I thought, hmm...
After watching Enola Holmes on Netflix just the other day, I felt like putting my detective hat on so I pulled the email back out and dug into the content a little further...
I'm not a grammatical expert but seeing sentences like, 'Obviously we'd love to have you back.' and special characters used in between 'TV shows & movies' and that signature, '- The Team Netflix' just raises so many red flags for me. These must be some novice phishers or maybe I'm just really picky when it comes to falling for baits. I also had a look at their contact number (007-803-321-2130):
And found that it was a Russian country code:
I've never been to Russia. I'm not located in Russia. Nor do I have any accounts set up in Russia so yeah, seems legit. A legitimately fake or scam contact number that is. That's when I decided to put my trusty web developer hat on and I thought, why don't I Right-click and Inspect the email to pull out the URL that 'Restart Membership' button directs me to:
It looks like if I had fallen for the bait, I would be directed to this domain:
https://shwtareopla.alkeiumadkskxd.com
So, what can I do with this information? I looked them up, of course!
Dang it. Besides figuring out that they only registered this domain 4 days prior to sending that email out to me, it looks like they have hidden their contact details:
But no worries, I can just PING them.
Hmm, so it looks like they are also hosting their malicious intents in one of Google's servers so as soon as I connect to Google's servers, I probably can't trace it any further. Bummer.
But...
If I could trace it and I had my malicious hat on, I could potentially set up a DDoS attack and take down their servers and then when the judge asks me in court, I'll just call it self-defense or ethical hacking.
Wait, hold up, what's a DDoS attack?
A DDoS (Distributed Denial of Service) attack is an attack on a server or network in which a huge volume of requests, sent from many machines at once (that is the "distributed" part; one source doing the same thing is a plain DoS), floods the service until the server is so overwhelmed that it can no longer handle requests from legitimate users.
Let's imagine one day, on your way to work, you come across a large group of puppies and kittens and they all want your attention. Completely overwhelmed by these cute fluffy animals, you forget that you were actually supposed to be going to work that day. And because these cute fluffy animals were either barking or purring, you miss the ringtone from your phone where your boss is trying to find out why you are not showing up to work. Fifteen missed calls later, your boss fires you for being an incompetent employee. Bummer.
Well, a DDoS attack is kind of like that except less cute and more malicious.
My idea behind simulating a DDoS attack to take my fake Netflix phishers down is because:
- There is a chance that as soon as I open up that link, a malicious script might be injected into my browser or PC.
- There is a chance I might get asked to fill in personal information such as credit card credentials into some form to "update my membership". They will then compromise my details and try to commit fraud.
- There is a chance that some poor soul out there has fallen for this bait.
If I could take their servers down with some uh, ethical hacking, that means even if someone falls for their phishing bait, they would stay safe.
Now you might be wondering...
How does one pursue a DDoS attack?
The first thing they teach you in programming school is always, always, always try and reuse code. And like a good student, I follow rules. So the first thing I did was a quick search for DDoS scripts on the web and found that GitHub had about 15 public repositories for DDoS scripts:
Scanning through the public repositories, it looks like most people built their DDoS scripts using either Python or C. Since I'm more comfortable with Python, I decided to stick with Python.
[Note to, uh, the entire world: Do not try this at home or against any online, legitimate applications, servers, or systems]
First of all, we need to create some packets. There is a Python library called Scapy that lets us do exactly that (and more). Once Scapy is installed, we import it so we can start using it. I simply do an import-all because I haven't figured out exactly which parts I'm going to be using:
from scapy.all import *
Then I'm going to build a packet that starts at Layer 2: an Ethernet frame carrying an IP packet, carrying a TCP segment:
packet = Ether()/IP()/TCP()
It's a super basic packet using all the default values and if I do a:
packet.show()
I get something like:
Ethernet:
  type = IPv4
  ...
IP:
  src = 10.1.1.4
  dst = 127.0.0.1
  ttl = 64
  proto = tcp
  ...
TCP:
  sport = ftp_data
  dport = http
  flags = S
It's a pretty boring packet. With all the defaults in place (destination 127.0.0.1, source my own address, a single SYN), I'm just going to end up sending this packet back to myself unless I modify some of its fields.
After a bit of ethical hacking around, I simulated some fake source IP addresses and put together a script like this:
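To show what those packets actually carry on the wire, here is an added example that is not the script from the original post: it builds the same IPv4/TCP SYN with Python's standard library instead of Scapy, using hypothetical source and destination addresses from the RFC 5737 documentation ranges. Nothing is sent. The point is that the source address is just a field the sender fills in, and both checksums still come out valid, so a receiving host cannot tell a spoofed SYN from a real one by looking at the packet alone.

```python
import socket
import struct

# Defaults mirroring what Scapy filled in above: TTL 64, sport 20 (ftp_data),
# dport 80 (http), flags S, seq 0, window 8192.
IP_PROTO_TCP = 6
TCP_SYN = 0x02


def rfc1071_checksum(data: bytes) -> int:
    """Ones' complement sum of 16-bit words, complemented (used by both IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip: str, dst_ip: str, sport: int = 20, dport: int = 80,
                  seq: int = 0, ttl: int = 64, ident: int = 1) -> bytes:
    """Return the 40 wire bytes of an IPv4 header + TCP SYN (no Ethernet header).

    src_ip is simply written into the header. Nothing proves the sender owns it,
    which is all that "spoofing a source address" amounts to.
    """
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP: sport, dport, seq, ack, data offset (5 words -> 0x50), flags, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, TCP_SYN, 8192, 0, 0)
    # The TCP checksum covers a pseudo-header with the (possibly spoofed) addresses
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", rfc1071_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto, cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, ttl,
                     IP_PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_tcp_packet(packet: bytes) -> dict:
    """Decode an IPv4+TCP packet and verify both checksums, as a receiving host would."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    _vi, _tos, total_len, _id, _frag, ttl, proto, _ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip_hdr[:20])
    seg = packet[ihl:total_len]
    sport, dport, seq, _ack, _off, flags, _win, _tck, _urg = struct.unpack(
        "!HHIIBBHHH", seg[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    # Same letter order Scapy prints: F S R P A
    names = "".join(n for bit, n in ((0x01, "F"), (0x02, "S"), (0x04, "R"),
                                     (0x08, "P"), (0x10, "A")) if flags & bit)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "flags": names,
        # A valid header sums to zero once its own checksum field is included
        "ip_checksum_ok": rfc1071_checksum(ip_hdr) == 0,
        "tcp_checksum_ok": rfc1071_checksum(pseudo + seg) == 0,
    }


if __name__ == "__main__":
    # Hypothetical addresses from the RFC 5737 documentation ranges; nothing is sent.
    pkt = build_tcp_syn("203.0.113.7", "192.0.2.10")
    print(pkt.hex())
    print(parse_tcp_packet(pkt))
```

Because every field, including the source, is under the sender's control and the checksums are computed over whatever was written, a packet-level check can only catch packets that are malformed; telling a spoofed source from a real one needs something the spoofer cannot fake, which is why the handshake-completion check described later in this article matters.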
Then I found out that the service I was trying to take down took itself down. Bummer. But, I am glad to know that there is one less malicious thing running around on the internet.
I still wanted to test out my script so I set up my own fake Netflix server and simulated the attack on that machine. After running the script for about 1-2 mins, I found that I had managed to bump the CPU up to somewhere between 35-48% and network traffic to a total of 10 MB. And only using one machine too! To be fair, my fake Netflix server had relatively weak resources.
Since I was (technically) simulating the attack over the internet, I got scared the FBI might come knocking on my door, so I stopped the script after a while and decided to call it a day on my ethical hacking experimentation.
Now, you might be wondering: if it is that easy for an amateur hacker like me to start messing around with DDoS attacks against services, how does one protect a service from being DDoSed?
Well, if we're talking about cloud services and specifically cloud services running in Azure, then let me introduce you to...
Azure DDoS Protection
Azure DDoS Protection allows you to protect yourself (or rather, your services running in the cloud) from DDoS attacks. One class of attack it safeguards you from is flooding, such as the one I simulated: I spoofed a lot of packets that look legitimate (but are not) and just flooded the fake Netflix server with them. Yes, I do realize the irony with the fake-but-legitimately-looking Netflix email here. After all, getting a taste of your own medicine is never a pleasant experience.
Azure DDoS Protection protects against more than volumetric attacks. In the world of DDoS there are also protocol attacks, which abuse how a protocol works rather than relying on sheer volume. A SYN flood is basically like telling someone you want to shake their hand and then never shaking it: the attacker sends a stream of TCP SYNs (usually with spoofed source addresses) and never completes the handshake, so the server is left holding half-open connections until its connection table fills up. A reflection attack is basically like getting a stranger to shout your question at someone else: the attacker sends requests to a legitimate third-party server (DNS or NTP, for example) with the victim's address forged as the source, so the replies, often much larger than the requests, land on the victim instead. Both exploit weaknesses in the protocols you have chosen to communicate in: the state a TCP server has to keep while a handshake is in progress, and the fact that UDP services answer without any handshake at all.
The third type of DDoS attack Azure DDoS Protection is concerned with is the application (Layer 7) attack: floods of requests that look like normal web traffic but are crafted to exhaust the application itself rather than the network. Azure's documentation groups things like SQL injection and XSS (cross-site scripting) under application-layer attacks as well, but those are injection flaws rather than floods; they work by finding loopholes in how your application handles input and injecting malicious code through them, and the Azure guidance is to put a Web Application Firewall (WAF) in front of the application for those, alongside DDoS Protection.
So you can use Azure DDoS Protection to monitor and scrub the traffic reaching your public IPs against Layer 3 and Layer 4 attacks, and pair it with a WAF to cover Layer 7. And if you don't know what these layers mean, check out my Networking article.
But how does Azure DDoS Protection work?
Well, we all know that in the COVID-19 world, if you are displaying any symptoms of fever, coughs, sore throats, headaches, shortness of breathing, and other cold-like abnormalities, the first thing you need to do is go and get tested.
You can think of DDoS Protection operating in a similar manner: it monitors the packets and traffic coming into your cloud environment and checks for certain "symptoms" that indicate a potential DDoS attack. These "symptoms" are thresholds, traffic-rate levels (packets per second, bytes per second) defined in the DDoS policy for each protected public IP address; when inbound traffic exceeds them, it is treated as a potential DDoS attack.
If traffic is displaying "symptoms" of a DDoS attack, DDoS Protection automatically activates DDoS mitigation. You can think of DDoS mitigation like being sent to a testing facility to get tested to check if it is indeed a DDoS attack.
During DDoS mitigation, a couple of checks will be made:
- Are the packets malformed in any way? Do they follow the internet standards for the protocol they claim to be?
- Has the packet been spoofed? Does the source (or client) actually want to complete a handshake with me, or will it leave me hanging?
- If neither of the first two applies, the traffic gets throttled (rate-limited), because the amount of demand coming in is simply more than the service can handle.
If at any stage of the DDoS mitigation checks the traffic does turn out to be part of a DDoS attack, the packets get dropped. Otherwise they are let through to your cloud environment, because they are most likely legitimate user traffic.
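Put together, the SYN flood described earlier and the three mitigation checks above can be replayed over a small constructed trace. The following is an added example, not Azure's implementation: the policy numbers, the verdict names, the per-second detection window and the sample traffic are all assumptions made up for this illustration.

```python
from collections import Counter, defaultdict
import ipaddress

# Hypothetical policy thresholds standing in for the per-resource DDoS policy:
# mitigation starts above pps_threshold packets/second to the protected address,
# and a verified source is then capped at per_source_pps_limit packets/second.
POLICY = {"pps_threshold": 50, "per_source_pps_limit": 5}

# TCP flag combinations no real stack sends: the "malformed" check
IMPOSSIBLE_FLAG_SETS = ({"S", "F"}, {"S", "R"})


def is_malformed(src: str, flags: str) -> bool:
    try:
        ipaddress.IPv4Address(src)
    except ValueError:
        return True
    return any(combo <= set(flags) for combo in IMPOSSIBLE_FLAG_SETS)


def mitigate(trace, policy=POLICY):
    """Replay (second, src, flags) records through detect -> mitigate.

    Returns {second: {"mitigation": bool, verdict: count, ...}}. Verdicts are
    forward, drop:malformed, challenge (the scrubber answers the SYN itself and
    forwards nothing until the handshake completes), drop:unverified and
    drop:ratelimited.
    """
    by_second = defaultdict(list)
    for t, src, flags in trace:
        by_second[t].append((src, flags))
    pending, verified = set(), set()  # handshake state learned per source
    report = {}
    for t in sorted(by_second):
        pkts = by_second[t]
        active = len(pkts) > policy["pps_threshold"]  # the "symptom" threshold
        per_src, verdicts = Counter(), Counter()
        for src, flags in pkts:
            malformed = active and is_malformed(src, flags)
            if not malformed:
                if "S" in flags and "A" not in flags:
                    pending.add(src)
                elif "A" in flags and src in pending:
                    verified.add(src)  # this source did finish its handshake
            if not active:
                verdict = "forward"
            elif malformed:
                verdict = "drop:malformed"
            elif src not in verified:
                verdict = "challenge" if "S" in flags else "drop:unverified"
            else:
                per_src[src] += 1
                verdict = ("forward" if per_src[src] <= policy["per_source_pps_limit"]
                           else "drop:ratelimited")
            verdicts[verdict] += 1
        report[t] = {"mitigation": active, **verdicts}
    return report


def make_trace():
    """Constructed sample traffic (not captured data): one quiet second, then a SYN flood."""
    trace = [(0, "198.51.100.5", "S"), (0, "198.51.100.5", "A"), (0, "198.51.100.5", "PA"),
             (0, "198.51.100.9", "S"), (0, "198.51.100.9", "A")]
    trace += [(1, f"203.0.113.{i}", "S") for i in range(1, 61)]  # spoofed SYNs, never ACKed
    trace += [(1, "203.0.113.200", "SF"), (1, "203.0.113.201", "SR")]  # impossible flags
    trace += [(1, "198.51.100.5", "PA")] * 3   # a verified client keeps talking
    trace += [(1, "198.51.100.9", "PA")] * 12  # another verified client bursts
    return trace


if __name__ == "__main__":
    for second, counts in mitigate(make_trace()).items():
        print(second, counts)
```

In the quiet second everything is forwarded; in the flood second the two impossible-flag packets are dropped, all sixty spoofed SYNs are challenged and never forwarded because no spoofed source ever answers, the two real clients keep working, and the bursting one is trimmed back to the per-source limit. One caveat a real scrubber has to deal with: the pending set here grows by one entry per spoofed SYN, so it is itself something the flood can exhaust, which is why SYNs are usually answered statelessly (with SYN cookies) rather than recorded.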
Now, before I close out, I just want to say that the fake Netflix I referred to is not a representation or portrayal of the official Netflix service. I started reading 'That will never work' by Marc Randolph (CEO and Co-founder of Netflix) and the memoir is so well written that it makes me want to work for them so I would never (and I hope you will also never) DDoS attack Netflix. Besides, I still need to thank Netflix for providing me enough entertainment to keep me sane during lockdown.
If you want to find out more about Azure DDoS Protection, you can access the official documentation here.
P.S: If you want to support Explain by Example, you can buy me a coffee here.
Product Marketing at Zscaler
4 years ago: Loving these blogs, Michelle. So informative and so well explained :) The doodles are killing it!!
Senior DevOps Engineer | Terraform Associate | Certified Argo Project Associate | Ex-Microsoft
4 years ago: Great article!
I wish to leave you better off than you were before. Elevate your brand and scale up your business online. Branding, Social Media Strategy, Marketing/Content Creation (Calendly.com/arielvibes)
4 years ago: Please help me spread the word about this guy that is stealing people's identities Michelle Xie