Metaphasic Denial-of-Service Attacks

by Everett Vinzant

A Denial-of-Service attack (DoS attack) or Distributed Denial-of-Service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users.

In a denial-of-service attack there is an implied one-to-one relationship between the attacker and the victim.  An example of this is using a computer on the Internet to send so much traffic to a server that the server fails to process it all.  As this failure occurs, other traffic is left unprocessed.  This prevents legitimate users from connecting to a website, processing orders, or accessing email.

A distributed denial-of-service attack varies only in the structure of the attack.  In a distributed denial-of-service attack, there is an implied many-to-one relationship between the attacker(s) and the victim.  Typically, an individual or entity (crime family) will commandeer hundreds or thousands of computers with a virus or Trojan.  Once this network of computers is created, they can "gang up" on a server.  The end result is the same: the server is overwhelmed, and service fails.

The possibility of a third attack type exists.

This hybrid of the two attacks offers a distinct advantage that will be addressed.  Metaphasic denial-of-service, or MDoS, is a method of combining several denial-of-service attack types, using some of the same techniques as a DDoS attack.

First, control is taken of hundreds or thousands of computers.  The same methods used for DDoS (viruses, Trojans, etc.) work for this.  If there are a thousand computers in the resulting "zombie net," they are divided into multiple serfdoms.

Each serfdom is assigned a specific DoS attack type.  One serfdom may attack the TCP handshake (a SYN flood, for instance).  One may attack an Apache server.  One may attack SQL databases.  After five or ten serfdoms are created, an attack is initiated with the first serfdom.  The attack lasts five to seven minutes.  Then the first serfdom's attack ceases, and the second serfdom's attack begins.  This continues until all serfdoms are exhausted (everyone has had a turn to attack).  The total length of the attack can easily be an hour.

There are several reasons for this attack.

First, it's a matter of psychology.  The first attack will be detected, but not responded to within five to seven minutes.  By the time it is identified as an attack, it has ceased.  The assumption is that someone upstream has identified the problem and stopped it.  Then the next attack begins.  The attacks continue until all of the serfdoms have fulfilled their role.

Second, because this method rotates attack types, each one specific to the network being attacked, the target actually suffers an hour of denial of service, with the responders chasing a different vector in every phase.

Third, and most importantly, you have the undivided attention of the security group at the target location.

This is the crucial part of the Metaphasic denial-of-service attack.

Since everyone is focused on the DoS attacks, a firewall/IDS bypass attack is used.  While the security department is focused on the incoming flood, they miss the surgical strike against the network.  Logs may not be examined at all.  If they are, the unusual traffic may be attributed to the DoS attack, which provides cover.

This is a classic distraction/flanking maneuver.
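The defensive counterpart to the point above is to triage the logs from a DoS window instead of writing everything off as flood noise.  The script below is an added example, not code from the original article: it parses constructed Apache/NGINX-style access log lines (TEST-NET addresses, invented paths and status codes), identifies the flooding hosts and the hammered path by volume, and then lists the low-volume requests that touch sensitive paths during the window.  The sensitive-path list, the volume thresholds and the window boundaries are all assumptions chosen for the sample.

```python
"""Separate low-volume "surgical" requests from flood noise in a web access
log captured during a DoS window.  Added example, not from the original
article; every log line, address, path and threshold here is constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Minimal parser for a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths a quiet host has no business touching while the site is being flooded
# (assumed list; tune it to the application being defended).
SENSITIVE = ("/admin", "/wp-login.php", "/phpmyadmin", "/.git", "/cgi-bin")

# Constructed DoS window: one seven-minute serfdom phase.
WINDOW_START = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
DOS_WINDOWS = [(WINDOW_START, WINDOW_START + timedelta(minutes=7))]


def parse(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def triage(lines, dos_windows, flood_share=0.05, path_share=0.5):
    """Return (flooders, flood_paths, suspicious) for requests inside the windows.

    flooders:    IPs sending at least `flood_share` of the window's requests.
    flood_paths: paths receiving at least `path_share` of the window's requests,
                 which covers a widely distributed flood where no single IP is loud.
    suspicious:  requests from non-flooder IPs, to non-flood paths, that touch a
                 sensitive path; this is what a DoS-as-cover strike looks like.
    """
    events = [e for e in map(parse, lines) if e]
    in_window = [e for e in events
                 if any(start <= e["ts"] <= end for start, end in dos_windows)]
    total = len(in_window)
    per_ip = Counter(e["ip"] for e in in_window)
    per_path = Counter(e["path"] for e in in_window)
    flooders = {ip for ip, n in per_ip.items() if n >= flood_share * total}
    flood_paths = {p for p, n in per_path.items() if n >= path_share * total}
    suspicious = [e for e in in_window
                  if e["ip"] not in flooders
                  and e["path"] not in flood_paths
                  and e["path"].startswith(SENSITIVE)]
    return flooders, flood_paths, suspicious


def sample_log():
    """Constructed access log: three hosts hammer '/' for the whole window while
    one quiet host probes sensitive paths.  All addresses are TEST-NET ranges."""
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")

    def line(ip, t, path, status):
        return f'{ip} - - [{fmt(t)}] "GET {path} HTTP/1.1" {status} 512'

    lines = []
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        for i in range(40):  # 40 requests each, spread over 6.5 minutes
            lines.append(line(ip, WINDOW_START + timedelta(seconds=i * 10), "/", 503))
    # Probe before the window: not part of the DoS-window triage.
    lines.append(line("203.0.113.7", WINDOW_START - timedelta(minutes=10), "/admin/", 401))
    # Ordinary visitor inside the window: not sensitive, should be ignored.
    lines.append(line("192.0.2.9", WINDOW_START + timedelta(minutes=2), "/index.html", 200))
    # The surgical strike, hidden inside the flood.
    lines.append(line("203.0.113.7", WINDOW_START + timedelta(minutes=3, seconds=15), "/admin/", 200))
    lines.append(line("203.0.113.7", WINDOW_START + timedelta(minutes=4, seconds=1), "/.git/config", 200))
    return lines


def demo():
    """Run the triage over the constructed log and return a plain summary."""
    flooders, flood_paths, suspicious = triage(sample_log(), DOS_WINDOWS)
    return {
        "flooders": sorted(flooders),
        "flood_paths": sorted(flood_paths),
        "suspicious": [(e["ip"], e["path"], e["status"]) for e in suspicious],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed log the three flooding hosts and the hammered path "/" come out as noise, and the two requests from 203.0.113.7 to /admin/ and /.git/config inside the window are flagged, while its earlier probe outside the window is left to normal review.  In practice the window boundaries come from the same alerting that noticed the flood, and the volume thresholds need adjusting per site; the point is that a DoS window deserves a separate, narrower look at the quiet traffic rather than less scrutiny.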
