A Denial of Service (DoS) is any action which causes normal service to not be available to legitimate users. There are many forms of DoS attacks, which range from simple PING floods (pinging a particular host many more times than it has the capacity to respond to) to sending unexpected data which causes a service to perform poorly or crash.

A DDoS is a Distributed DoS attack. It means that it is launched from multiple machines on multiple networks. DDoS attacks are more severe because it's much more difficult to filter the traffic when it's coming from many networks (you can't just blacklist the world, ya know). Also, many times DDoS attacks involve spoofing the source to form what is known as a "smurf" attack. The attacking machines (collectively known as group A) send bad information to machines on other networks which don't have good filtering in place (group B). As group A sends the attacks, it spoofs the origination point as coming from group C (the real target). When group B gets the bad data, it responds back to what it *thinks* is the source (group C) and floods them with messages asking them to resend or correct the data. Now group B and group C are flooding each other (usually only group C feels a major impact) and the real source (group A) is effectively concealed.

So how do these attacks get initiated? Well, back in the old days it was pretty simple. Someone with a fast connection, say a T1, would just ping flood anyone on a dial-up connection until they dropped off the net, but methods have evolved substantially. By far the most common means now is a distributed worm that carries a Trojan payload. Many of the recent worms, including Sobig.F by many suspicions, carry a malicious program which executes after the victim computer is infected. This program buries itself deep in the system and stays off the task list.
At a specific time, or on a specific command, the program activates and starts spewing bad information to an amplifying network so that the traffic is bounced to the victim network, starting a DDoS.

This is the number one reason why EVERY desktop connected to a network should have strong security. It has very little to do with what kind of information is actually on your computer. Many people think they're "safe" because there's "nothing of value" on their computer. Besides the fact that there's far more on their computer than they know about, and it could probably be used to steal their identity, most break-ins and exploits are actually used to create "zombies" to participate in DDoS attacks. A zombie is a computer that has been taken over by a Trojan and is being remotely controlled by a cracker (or more often, a script kiddie). With the introduction of broadband, many casual Internet users now have bandwidth approaching that of a T1, but very few users take even basic steps to protect their systems. This results in millions of juicy targets just waiting to be taken over and used in DDoS attacks.

You might think this is particularly true in the US with our widespread use of broadband, but actually South Korea and Japan have adopted broadband much more quickly and completely. Also, South Korea in particular has lagged a little bit on the practice of patching and securing systems, so they are prime targets. You may also notice that a lot of spam comes from Korea; this is because many hosts in SK have been infected by Trojans that are known as "spambots". They are simply SMTP programs that send out hundreds of thousands of messages based on updates that they receive from their master. Every few days, or even hours, the spambots are updated with the latest message to send.

Unfortunately, there's very little one can do during a DDoS attack.
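The reflection pattern described above (group B's replies landing on group C, which never asked for them) is something the target can at least recognize in its own flow records, even if it can't stop it. Here is an added example, not from the original article, of detection logic run over a small set of constructed flow records. It assumes a simplified one-record-per-packet format with an ICMP echo-request/echo-reply "kind" field (the classic smurf bounces ICMP echo traffic), so a real NetFlow or firewall log would need its own parser first; the field names, the five-second window and the ten-source threshold are all assumptions made for the example.

```python
"""Spot the reflection pattern of a smurf-style flood in flow records.

Added example, not part of the original article. It assumes a constructed,
simplified flow-record format (one record per packet: timestamp, direction
relative to our network, source, destination, and a 'kind' field that is
either 'echo-request' or 'echo-reply'). Real NetFlow/sFlow or firewall logs
would need a parser for their own format.

The logic: the target should only ever receive echo replies for requests it
actually sent. Replies that arrive with no matching outbound request are
"unsolicited". A burst of unsolicited replies from many distinct hosts
(group B) aimed at one local address is the tell-tale of reflection.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since epoch (constructed)
    direction: str     # "in" (toward our net) or "out" (leaving our net)
    src: str
    dst: str
    kind: str          # "echo-request" or "echo-reply"


def unsolicited_replies(flows, window=5.0):
    """Return inbound echo replies for which no outbound echo request
    from the same local host to the same remote host was seen within
    `window` seconds before the reply."""
    flows = sorted(flows, key=lambda f: f.ts)
    recent_requests = defaultdict(list)  # (local, remote) -> [timestamps]
    unsolicited = []
    for f in flows:
        if f.direction == "out" and f.kind == "echo-request":
            recent_requests[(f.src, f.dst)].append(f.ts)
        elif f.direction == "in" and f.kind == "echo-reply":
            key = (f.dst, f.src)   # (local host, remote host)
            times = recent_requests.get(key, [])
            # Keep only requests that are still inside the window.
            times[:] = [t for t in times if f.ts - t <= window]
            if times:
                times.pop(0)       # one reply consumes one request
            else:
                unsolicited.append(f)
    return unsolicited


def reflection_report(flows, min_sources=10, window=5.0):
    """Per local destination: count of unsolicited replies and number of
    distinct remote sources. Returns {local_ip: (reply_count,
    distinct_sources, flagged)}; flagged is True when distinct sources
    reach `min_sources` (an assumed threshold; tune to your baseline)."""
    per_target = defaultdict(set)
    counts = defaultdict(int)
    for f in unsolicited_replies(flows, window):
        per_target[f.dst].add(f.src)
        counts[f.dst] += 1
    return {
        ip: (counts[ip], len(srcs), len(srcs) >= min_sources)
        for ip, srcs in per_target.items()
    }


# Constructed sample: one legitimate ping exchange from 192.0.2.10 to
# 198.51.100.1, then a burst of replies from forty 203.0.113.x hosts that
# 192.0.2.10 never asked for (group B bouncing traffic at group C).
SAMPLE_FLOWS = [
    Flow(100.0, "out", "192.0.2.10", "198.51.100.1", "echo-request"),
    Flow(100.1, "in", "198.51.100.1", "192.0.2.10", "echo-reply"),
] + [
    Flow(200.0 + i * 0.01, "in", f"203.0.113.{i}", "192.0.2.10", "echo-reply")
    for i in range(1, 41)
]

if __name__ == "__main__":
    for ip, (n, distinct, flagged) in reflection_report(SAMPLE_FLOWS).items():
        print(f"{ip}: {n} unsolicited replies from {distinct} hosts"
              f" -> {'REFLECTION SUSPECTED' if flagged else 'ok'}")
```

The legitimate exchange is not counted because the reply consumes the outbound request seen a tenth of a second earlier; the forty replies from distinct hosts with no request behind them are what the report flags. On a real link the same signature shows up as a spike in distinct sources per target, which is the number worth graphing.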
The traffic your network is receiving is coming from legitimate networks and hosts; it has just been instigated by malicious traffic. You can't block the addresses that the traffic is coming from, because that would deny access to many users. Also, if you're just blocking at the ingress point into your site, it's likely already too late, since the attack is using up all your bandwidth to your provider. Your provider, or more properly your ISP's provider, needs to be filtering the traffic in order to have a good effect, but when it's coming from thousands of different addresses on different networks, how do you do that? The answer is that most ISPs DON'T filter DDoS traffic, because it's too much work and causes too many complaints when legitimate traffic is blocked as a result. The only thing you can really do when under attack is politely but firmly complain to your ISP, and keep complaining over and over until they do something about it, and also contact law enforcement. Generally local law enforcement will be powerless to deal with Internet attacks, and Federal law enforcement will be too busy with other problems to help you, but if the attack is big enough they might be willing to help (especially if you're a valuable part of the economy or infrastructure).

So OK, enough of the doom and gloom; what can we actually do about it? First, every netizen has an obligation to secure their machine! Do not be complacent and allow your machine or your network to be used as a pawn in a DDoS attack. Implement a firewall for your network (even if it's only a $100 Linksys/D-Link/Netgear broadband router/firewall), implement anti-virus software on all your machines, follow the best practice of not opening messages with attachments (unless you were expecting that exact attachment at that exact time), don't run applets and scripts on suspicious websites, don't click through links found in spam and pop-ups, etc.

At a higher level, ISPs *MUST* start filtering egress traffic.
That is to say, do not allow *ANY* traffic out of their network that doesn't have an originating address that is on their network. That would stop many smurf attacks dead in their tracks, because the source addresses are spoofed. In fairness, some ISPs already filter egress traffic, but not nearly enough. Another thing to do at the ISP level is to disable broadcast and multicast traffic. One thing ISPs (at least in the US) are starting to get better at is scanning their networks for vulnerable hosts and shutting down their connections until they're fixed. If there are very few vulnerable hosts to convert to zombies, then the severity of attacks will decrease sharply, perhaps to the point where it's no longer a serious threat. While I do believe ISPs should allow their customers to run services on their machines if done responsibly, there has to be filtering of some ports, particularly the Microsoft protocol ports (as they are often exploited easily).

So as in most things, the responsibility is two-fold. First, network administrators need to properly filter traffic and have well-thought-out and enforced security policies. On the flip side, users need to act responsibly and secure their own hosts, even if they don't think there's anything "important" on it. It all has to do with being a good Netizen.

########################################################################
# Author: Brian Keefer AKA chort
#
# References:
# Building Internet Firewalls by Zwicky, Cooper & Chapman published by
# O'Reilly
#
# All in One CISSP Certification by Harris published by
# McGraw-Hill/Osborne
#
# Notice:
# You are free to republish this information under the conditions that
# you include these credits. The author retains all rights.
########################################################################
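To make the egress rule concrete, the following is an added example (not the author's code) that models the two ISP-level measures described above: dropping any outbound packet whose source address is not in the ISP's own prefixes, and refusing to forward packets aimed at a customer subnet's directed-broadcast address. It goes slightly beyond the text by also applying the mirror-image check on inbound traffic (a packet arriving from upstream must not claim one of the ISP's own addresses). All prefixes and packets are constructed from documentation address ranges, and `EgressFilter` is a model of the policy for reasoning about it, not an ACL generator for any particular router.

```python
"""Model of the ISP border filtering the article calls for.

Added example, not the author's code. Rule 1 (the article's egress rule):
a packet may leave the ISP's network only if its source address belongs to
one of the ISP's own prefixes. Rule 2 (the article's "disable broadcast"):
never forward a packet to the directed-broadcast address of a customer
subnet, since one packet to that address becomes many replies. Rule 3 is
the mirror image of rule 1 on inbound traffic and is an addition here.
Prefixes and packets below are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class EgressFilter:
    def __init__(self, own_prefixes, customer_prefixes=()):
        # Address space allocated to this ISP: only these may appear as the
        # source of traffic leaving the network.
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]
        # Downstream subnets whose directed-broadcast addresses we refuse
        # to forward traffic to.
        self.customers = [ipaddress.ip_network(p) for p in customer_prefixes]

    def _is_own_source(self, addr):
        return any(addr in n for n in self.own)

    def _is_directed_broadcast(self, addr):
        # Only IPv4 has broadcast addresses; /31 and /32 have none.
        return addr.version == 4 and any(
            n.version == 4 and n.prefixlen < 31 and addr == n.broadcast_address
            for n in self.customers
        )

    def decide(self, pkt, direction):
        """direction is "out" (leaving the ISP toward its upstream) or
        "in" (arriving from upstream). Returns 'permit' or 'drop:<reason>'."""
        try:
            src = ipaddress.ip_address(pkt.src)
            dst = ipaddress.ip_address(pkt.dst)
        except ValueError:
            return "drop:malformed-address"
        if src.version != dst.version:
            return "drop:malformed-address"
        if direction == "out" and not self._is_own_source(src):
            return "drop:spoofed-source"     # nothing of ours could carry it
        if direction == "in" and self._is_own_source(src):
            return "drop:spoofed-source"     # outsiders can't be us
        if self._is_directed_broadcast(dst):
            return "drop:directed-broadcast"
        return "permit"


def audit(traffic, filt):
    """Tally decisions over (packet, direction) pairs: {decision: count}."""
    tally = {}
    for pkt, direction in traffic:
        d = filt.decide(pkt, direction)
        tally[d] = tally.get(d, 0) + 1
    return tally


# Constructed ISP: one IPv4 /24 and one IPv6 /32, with two customer /26s.
ISP = EgressFilter(own_prefixes=["198.51.100.0/24", "2001:db8::/32"],
                   customer_prefixes=["198.51.100.0/26", "198.51.100.64/26"])

# Constructed traffic observed at the ISP border.
SAMPLE = [
    (Packet("198.51.100.5", "203.0.113.9"), "out"),      # normal customer traffic
    (Packet("192.0.2.77", "203.0.113.9"), "out"),        # spoofed source: not ours
    (Packet("203.0.113.9", "198.51.100.5"), "in"),       # normal return traffic
    (Packet("198.51.100.5", "198.51.100.6"), "in"),      # outsider claiming our address
    (Packet("203.0.113.9", "198.51.100.63"), "in"),      # aimed at a /26 broadcast
    (Packet("2001:db8::1", "2001:db8:ffff::1"), "out"),  # IPv6 with our own source
    (Packet("not-an-ip", "198.51.100.1"), "out"),        # garbage
]

if __name__ == "__main__":
    for pkt, direction in SAMPLE:
        print(f"{direction:3} {pkt.src:>16} -> {pkt.dst:<16} {ISP.decide(pkt, direction)}")
    print(audit(SAMPLE, ISP))
```

The point the article makes is visible in the second packet: an ISP that checks nothing but "is this source address mine?" on its outbound link stops a spoofed packet before it ever reaches group B, and no other network's cooperation is needed for that.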