WEBVTT

00:00:00.000 --> 00:00:06.040 align:middle line:90%


00:00:06.040 --> 00:00:09.100 align:middle line:84%
So let's take a look at an
example of Low Orbit Ion

00:00:09.100 --> 00:00:10.030 align:middle line:90%
Cannon.

00:00:10.030 --> 00:00:11.780 align:middle line:84%
Now, before I start
this demonstration,

00:00:11.780 --> 00:00:16.690 align:middle line:84%
I do want to reiterate that
DDoS attacks are very illegal.

00:00:16.690 --> 00:00:18.790 align:middle line:84%
You do not want to launch
this on any network

00:00:18.790 --> 00:00:21.040 align:middle line:90%
that you don't own.

00:00:21.040 --> 00:00:23.260 align:middle line:84%
Now, this attack is
actually launched

00:00:23.260 --> 00:00:25.420 align:middle line:90%
on my own virtual network.

00:00:25.420 --> 00:00:28.390 align:middle line:84%
So I have a little lab
environment set up here

00:00:28.390 --> 00:00:30.500 align:middle line:90%
that we're going to run.

00:00:30.500 --> 00:00:31.870 align:middle line:90%
So let's take a look.

00:00:31.870 --> 00:00:33.850 align:middle line:84%
So this is a Low
Orbit Ion Cannon.

00:00:33.850 --> 00:00:36.940 align:middle line:84%
It's a Windows program,
pretty easy to use.

00:00:36.940 --> 00:00:41.560 align:middle line:84%
On the background here,
we have Kali Linux.

00:00:41.560 --> 00:00:43.690 align:middle line:84%
This is my virtual machine
that I'm running here.

00:00:43.690 --> 00:00:45.910 align:middle line:84%
And in the back, I
have Wireshark running,

00:00:45.910 --> 00:00:47.260 align:middle line:90%
as you can see here.

00:00:47.260 --> 00:00:49.750 align:middle line:84%
Now, I'm running
Wireshark so you can

00:00:49.750 --> 00:00:51.190 align:middle line:90%
see what's actually going on.

00:00:51.190 --> 00:00:53.800 align:middle line:84%
And I'm taking a
look at UDP traffic,

00:00:53.800 --> 00:00:57.740 align:middle line:84%
because that's what I'm going
to be launching the attack as.

00:00:57.740 --> 00:01:02.450 align:middle line:84%
Now, Low Orbit Ion Cannon
is a pretty common one.

00:01:02.450 --> 00:01:05.630 align:middle line:84%
The way it works is, the first
section, if you have a URL,

00:01:05.630 --> 00:01:08.090 align:middle line:84%
you can type a URL
in or IP address.

00:01:08.090 --> 00:01:09.920 align:middle line:84%
In this case, I
used the IP address,

00:01:09.920 --> 00:01:13.290 align:middle line:84%
because this is a virtual
machine I'm attacking.

00:01:13.290 --> 00:01:16.860 align:middle line:84%
Now, once you have
your target set,

00:01:16.860 --> 00:01:19.260 align:middle line:90%
you'll see this change.

00:01:19.260 --> 00:01:22.440 align:middle line:84%
Click Lock On, and we
can see our target here.

00:01:22.440 --> 00:01:25.740 align:middle line:84%
Now, down in here is
the TCP/UDP message.

00:01:25.740 --> 00:01:29.010 align:middle line:84%
Now, what's happening is,
this is the message that's

00:01:29.010 --> 00:01:31.860 align:middle line:90%
being flooded at this target.

00:01:31.860 --> 00:01:33.840 align:middle line:90%
"A cat is fine too."

00:01:33.840 --> 00:01:38.315 align:middle line:84%
So this message is being sent
over and over and over again

00:01:38.315 --> 00:01:40.440 align:middle line:84%
and in quick succession
where it's eventually going

00:01:40.440 --> 00:01:43.370 align:middle line:90%
to flood out that computer.

00:01:43.370 --> 00:01:46.270 align:middle line:84%
Now, down in here, we can
select a port address.

00:01:46.270 --> 00:01:49.930 align:middle line:84%
We can set the method
- TCP, UDP, HTTP.

00:01:49.930 --> 00:01:51.880 align:middle line:84%
We can select a
number of threads.

00:01:51.880 --> 00:01:54.550 align:middle line:84%
And we can set this
for faster or slower.

00:01:54.550 --> 00:01:58.280 align:middle line:84%
Now, once all this is set,
we click the button up here.

00:01:58.280 --> 00:02:01.180 align:middle line:84%
And then in the background, we
could see down in here how many

00:02:01.180 --> 00:02:02.260 align:middle line:90%
requests are being sent.

00:02:02.260 --> 00:02:06.760 align:middle line:84%
And in here, you can see all the
UDP requests that it's getting.

00:02:06.760 --> 00:02:10.630 align:middle line:84%
Now, if we click on one
of these UDP requests,

00:02:10.630 --> 00:02:15.040 align:middle line:84%
you can see down in here, that's
the message that's being sent.

00:02:15.040 --> 00:02:18.280 align:middle line:84%
So these attacks in general
are pretty devastating,

00:02:18.280 --> 00:02:20.610 align:middle line:84%
especially if you get
several computers.

00:02:20.610 --> 00:02:25.740 align:middle line:84%
Now, to take down a gigabyte
server bandwidth-wise,

00:02:25.740 --> 00:02:29.940 align:middle line:84%
a large network like Xbox,
PlayStation, Sony, and what

00:02:29.940 --> 00:02:33.420 align:middle line:84%
not, it's going to take
more than a single computer.

00:02:33.420 --> 00:02:37.160 align:middle line:84%
This is going to take hundreds,
thousands, tens of thousands

00:02:37.160 --> 00:02:39.820 align:middle line:84%
of computers launching
this type of attack

00:02:39.820 --> 00:02:43.030 align:middle line:90%
to effectively take it down.

00:02:43.030 --> 00:02:44.785 align:middle line:84%
But that's really
not that unusual

00:02:44.785 --> 00:02:48.670 align:middle line:84%
when we start looking at
the news and you consider

00:02:48.670 --> 00:02:51.040 align:middle line:84%
how many computers are out
there infected with a botnet

00:02:51.040 --> 00:02:54.100 align:middle line:84%
and people don't
even know - so again,

00:02:54.100 --> 00:02:55.870 align:middle line:84%
very, very devastating,
as you saw,

00:02:55.870 --> 00:02:59.510 align:middle line:84%
really easy to perpetrate
these type of attacks.

00:02:59.510 --> 00:03:01.900 align:middle line:84%
So mitigation, what
type of ways can we

00:03:01.900 --> 00:03:06.430 align:middle line:84%
help prevent or at least deal
with these type of attacks?

00:03:06.430 --> 00:03:08.280 align:middle line:84%
Well, a big one is
called Cloudflare.

00:03:08.280 --> 00:03:10.410 align:middle line:84%
And they're a business,
San Francisco-based company

00:03:10.410 --> 00:03:11.970 align:middle line:90%
founded in 2009.

00:03:11.970 --> 00:03:13.980 align:middle line:84%
And their primary
business is denial -

00:03:13.980 --> 00:03:16.530 align:middle line:84%
distributed Denial
of Service protection.

00:03:16.530 --> 00:03:20.340 align:middle line:84%
And they're one of the largest
anti-DDoS companies around.

00:03:20.340 --> 00:03:24.180 align:middle line:84%
Now, the way they work is,
they basically sit between you

00:03:24.180 --> 00:03:27.570 align:middle line:84%
and whatever, your server or
your websites and what not.

00:03:27.570 --> 00:03:29.740 align:middle line:84%
And as traffic comes
in that's malicious,

00:03:29.740 --> 00:03:30.990 align:middle line:90%
they scan that traffic.

00:03:30.990 --> 00:03:32.400 align:middle line:90%
They recognise it's malicious.

00:03:32.400 --> 00:03:34.960 align:middle line:90%
And they offset that traffic.

00:03:34.960 --> 00:03:39.262 align:middle line:84%
Now, for the most part,
Cloudflare works very well.

00:03:39.262 --> 00:03:40.470 align:middle line:90%
They have a lot of bandwidth.

00:03:40.470 --> 00:03:43.590 align:middle line:84%
They have a lot of really
smart people working for them.

00:03:43.590 --> 00:03:45.930 align:middle line:84%
And they're able to
mitigate that traffic.

00:03:45.930 --> 00:03:49.260 align:middle line:84%
There have been cases where
the traffic was so unusually

00:03:49.260 --> 00:03:51.690 align:middle line:90%
large that it did fail.

00:03:51.690 --> 00:03:54.240 align:middle line:84%
But again, overall,
it's a really good option

00:03:54.240 --> 00:03:57.810 align:middle line:84%
if you're running
a large network.

00:03:57.810 --> 00:03:59.700 align:middle line:84%
You might want to take
a look at Cloudflare

00:03:59.700 --> 00:04:02.340 align:middle line:84%
as a solution for DDoS
attacks if that's something

00:04:02.340 --> 00:04:04.350 align:middle line:90%
that you're concerned about.

00:04:04.350 --> 00:04:08.400 align:middle line:84%
Other mitigation options
are to deny the traffic

00:04:08.400 --> 00:04:10.670 align:middle line:84%
to the specific IP
addresses flooding you.

00:04:10.670 --> 00:04:13.830 align:middle line:84%
So if you know that IP
address that's hitting you,

00:04:13.830 --> 00:04:17.810 align:middle line:84%
you could try blocking it from
your firewall, for example.

00:04:17.810 --> 00:04:20.555 align:middle line:84%
The problem with this is, if
you have a lot of requests

00:04:20.555 --> 00:04:23.490 align:middle line:84%
- you get hundreds,
thousands, tens of thousands,

00:04:23.490 --> 00:04:26.165 align:middle line:84%
hundreds of thousands
of these IP addresses

00:04:26.165 --> 00:04:28.700 align:middle line:84%
- that's not going to be
too feasible to actually go

00:04:28.700 --> 00:04:32.090 align:middle line:84%
through and blacklist
every one of these.

00:04:32.090 --> 00:04:34.730 align:middle line:84%
Also if you have that
many flooding you,

00:04:34.730 --> 00:04:36.800 align:middle line:84%
you're probably going to
overwhelm your firewall

00:04:36.800 --> 00:04:38.540 align:middle line:90%
anyways.

00:04:38.540 --> 00:04:41.150 align:middle line:84%
Another option is to have
your DNS provider sinkhole

00:04:41.150 --> 00:04:42.710 align:middle line:90%
the bad traffic.

00:04:42.710 --> 00:04:46.430 align:middle line:84%
What that means is that as
the traffic comes into the DNS

00:04:46.430 --> 00:04:49.220 align:middle line:84%
server, the DNS server
recognises IP addresses.

00:04:49.220 --> 00:04:51.740 align:middle line:84%
And it forwards it off
somewhere else away

00:04:51.740 --> 00:04:54.820 align:middle line:90%
from your actual servers.

00:04:54.820 --> 00:05:00.280 align:middle line:84%
Now, DNS sinkholing is typically
going to be done by your ISP.

00:05:00.280 --> 00:05:03.550 align:middle line:84%
They generally handle
your DNS traffic.

00:05:03.550 --> 00:05:06.850 align:middle line:84%
Most likely if you're getting
hit with a DDoS attack,

00:05:06.850 --> 00:05:09.590 align:middle line:84%
they're probably going
to recognise it anyways.

00:05:09.590 --> 00:05:11.680 align:middle line:84%
But if you don't see
any action being taken,

00:05:11.680 --> 00:05:14.098 align:middle line:84%
you probably want to
call them and say, hey,

00:05:14.098 --> 00:05:15.640 align:middle line:84%
we're getting hit
with a DDoS attack.

00:05:15.640 --> 00:05:20.530 align:middle line:84%
Could you sinkhole
that traffic off?

00:05:20.530 --> 00:05:23.200 align:middle line:84%
Another option is to
switch your core service

00:05:23.200 --> 00:05:24.680 align:middle line:84%
to a secondary
internet connection.

00:05:24.680 --> 00:05:27.400 align:middle line:84%
So if you're lucky enough to
have more than one internet

00:05:27.400 --> 00:05:31.360 align:middle line:84%
connection - say, one
connection's with Comcast,

00:05:31.360 --> 00:05:35.620 align:middle line:84%
one's with AT&T, your main one's
Comcast - what you could do

00:05:35.620 --> 00:05:37.900 align:middle line:84%
is you could switch your
critical servers off

00:05:37.900 --> 00:05:40.930 align:middle line:84%
to the other connection
if you're able to.

00:05:40.930 --> 00:05:43.005 align:middle line:84%
That way your core
servers are still

00:05:43.005 --> 00:05:44.380 align:middle line:84%
running while
you're still trying

00:05:44.380 --> 00:05:47.590 align:middle line:84%
to deal with the
flood that's happening

00:05:47.590 --> 00:05:49.540 align:middle line:90%
to you and your network.

00:05:49.540 --> 00:05:52.510 align:middle line:84%
Now, to recap, DDoS
attacks can be costly.

00:05:52.510 --> 00:05:56.590 align:middle line:84%
A DDoS attack can not only
take down a site or server,

00:05:56.590 --> 00:05:59.140 align:middle line:84%
but also tends to be
very costly, because it

00:05:59.140 --> 00:06:01.690 align:middle line:90%
takes these services offline.

00:06:01.690 --> 00:06:04.480 align:middle line:84%
DDoS attacks are
pretty simple overall.

00:06:04.480 --> 00:06:08.020 align:middle line:84%
They're pretty easy to launch
and oftentimes the larger ones

00:06:08.020 --> 00:06:12.785 align:middle line:84%
are going to be done by
botnets or even as a service.

00:06:12.785 --> 00:06:16.120 align:middle line:84%
Services such as
Cloudflare can really

00:06:16.120 --> 00:06:20.300 align:middle line:84%
help you protect your
company from DDoS attacks.

00:06:20.300 --> 00:06:21.800 align:middle line:84%
Blocking by your
firewall - you could

00:06:21.800 --> 00:06:23.630 align:middle line:84%
try blocking the
offending IP addresses

00:06:23.630 --> 00:06:27.050 align:middle line:84%
from your firewall in an
attempt to mitigate the attacks.

00:06:27.050 --> 00:06:30.260 align:middle line:84%
But again, if you're getting
a lot of different attacks

00:06:30.260 --> 00:06:32.450 align:middle line:84%
from different locations,
probably not going

00:06:32.450 --> 00:06:35.320 align:middle line:90%
to be a really viable option.

00:06:35.320 --> 00:06:38.950 align:middle line:84%
DNS sinkholing, again, you
could try sinkholing the traffic

00:06:38.950 --> 00:06:41.380 align:middle line:84%
from your DNS provider,
which is most likely going

00:06:41.380 --> 00:06:43.218 align:middle line:90%
to be your ISP.

00:06:43.218 --> 00:06:45.760 align:middle line:84%
And secondary connection - if
you're fortunate enough to have

00:06:45.760 --> 00:06:48.218 align:middle line:84%
a secondary internet connection,
you could try failing over

00:06:48.218 --> 00:06:51.520 align:middle line:84%
your critical servers to the
non-flooded line while you try

00:06:51.520 --> 00:06:55.220 align:middle line:84%
dealing with the DDoS attack
or waiting for it to go away.

00:06:55.220 --> 00:06:58.437 align:middle line:84%
So this was about DDoS attacks
and Denial of Service attacks.

00:06:58.437 --> 00:07:00.520 align:middle line:84%
In the next video, we're
going to be taking a look

00:07:00.520 --> 00:07:03.910 align:middle line:84%
at how a malicious hacker -
or rather, a malicious hacker's

00:07:03.910 --> 00:07:05.032 align:middle line:90%
methodology.

00:07:05.032 --> 00:07:05.990 align:middle line:90%
Thank you for watching.

00:07:05.990 --> 00:07:08.010 align:middle line:90%
I'll see you in the next video.

00:07:08.010 --> 00:07:09.000 align:middle line:90%