what is ddos?
04-08-2014, 07:41 PM
Post: #4
 
In my opinion and experience, the denial of service can be through heavy network traffic but usually involves a little more to be effective.

Let's suppose a person wished to render a network virtually useless for "testing" purposes. While sheer network traffic alone through a DDoS group of thousands of drones would work, another tactic would be to first interrogate the network through port scans, sometimes over a period of weeks or months to avoid detection. Emailing the target and getting an NDR can also be useful for identifying the email system and OS of its host. Once ports were found to be open, the ports would be sent additional traffic which may result in further identification of exact versions of routers, switches, and servers in general but especially smtp/dns/iis/sql vulnerabilities. Those last four can come out of the box installed with vulnerabilities, or with those introduced by updates or user misconfigurations. Requests that call a routine resulting in a memory leak, or requests designed to exhaust cpu cycles, or cause thousands of lookups beyond the device capabilities all can be effective. The end result always being that the target system be incapacitated and unable to do either a single function, or complete failure, the tester's choice.

Exploiting a service specifically with traffic designed to exploit known limitations and vulnerabilities results in a faster, and near perfect network shutdown (via a router failure by cpu utilization, server failure due to cpu or network utilization for example).

On the opposite end, one could simply drop USB thumb drives in the parking lot of the target, and as employees picked them up and used them once on the internal network it would launch hidden code to do whatever you asked of it, including code which results in an internal DoS attack (with user privileges). This would be a vector for introducing the DoS attack, and thereby part of the attack.

Yes, routers and servers can be configured to prevent these attacks in general. However, due to new exploits being discovered daily, a complete security plan including patch management and firmware updates is highly successful in mitigating these attacks. On the Nighthawk, I am not familiar with that router and cannot comment.

In general, DoS prevention on a router or service port is as simple as setting allowed IP ranges and/or a rate limit and cutoff if exceeded, with sometimes a failback timer to open it back up. Many routers provide that functionality. Some routers provide for GeoExclusions (i.e., check a box to allow/deny WAN traffic to/from a country), which are very useful and effective. There are also routers that can use RBLs and Blacklists, not just for SMTP traffic.

It is illegal, and enforced if the corporation has contributed to the politicians and elected officials, hits the news cycle a few times, or causes great loss or suffering. Rarely are the attackers located in the US, and prosecution of offenses from foreign soil cannot be initiated from the US, only requested of the foreign nation.

In addition to various sections of the United States Code (18, 19 USC), here in California Penal Code section 502(c)5 prohibits any person who "Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network."

A person with some free time might set up a "honeypot" of various vulnerable devices and systems wide open on the internet and when someone rings the bell or comes on in, a counter sweep and tit-for-tat against the attacker can sometimes be very productive if not downright entertaining. Oh yeah, they have that - check out DEF CON, or check out the classes from SANS.
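The allowed IP ranges, rate limit, cutoff and failback timer mentioned in the post above, as an added example that is not part of the original post and not any router's actual firmware. The class name `PortGuard`, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

class PortGuard:
    """Gate for one service port: allowed ranges, rate limit, cutoff, failback."""
    def __init__(self, allowed, limit, window, failback):
        self.allowed = [ipaddress.ip_network(n) for n in allowed]
        self.limit = limit        # max packets per source inside one window
        self.window = window      # window length, seconds
        self.failback = failback  # seconds a cut-off source stays blocked
        self.hits = {}            # source -> packet times still in the window
        self.blocked_until = {}   # source -> time at which the cutoff lifts

    def check(self, src, now):
        """Classify one packet: allow, deny-range, cutoff or blocked."""
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in self.allowed):
            return "deny-range"               # outside the allowed IP ranges
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "blocked"              # still inside the cutoff period
            del self.blocked_until[src]       # failback timer expired: reopen
        recent = [t for t in self.hits.get(src, []) if now - t < self.window]
        recent.append(now)
        self.hits[src] = recent
        if len(recent) > self.limit:
            self.blocked_until[src] = now + self.failback
            del self.hits[src]                # start clean after the failback
            return "cutoff"
        return "allow"

def replay(guard, events):
    """Run (timestamp, source) pairs through the guard in order."""
    return [guard.check(src, ts) for ts, src in events]

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    (0.0, "192.0.2.10"), (0.1, "192.0.2.10"), (0.2, "192.0.2.10"),
    (0.3, "192.0.2.10"),    # fourth packet in one second: over the limit
    (0.4, "198.51.100.7"),  # not in an allowed range
    (5.0, "192.0.2.10"),    # cut off, failback timer still running
    (5.0, "192.0.2.20"),    # a different allowed source is unaffected
    (31.0, "192.0.2.10"),   # failback timer has expired
]

if __name__ == "__main__":
    guard = PortGuard(["192.0.2.0/24"], limit=3, window=1.0, failback=30.0)
    for event, verdict in zip(SAMPLE, replay(guard, SAMPLE)):
        print(event, verdict)
```

Timestamps are passed in explicitly so the replay is deterministic; a live deployment would feed `check` from a monotonic clock.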


Messages In This Thread
what is ddos? - Frudu - 04-08-2014, 07:19 PM
[] - mike - 04-08-2014, 07:29 PM
[] - bcnu - 04-08-2014, 07:33 PM
[] - Mike - 04-08-2014 07:41 PM
