Showing posts with label Security. Show all posts

Saturday, January 31, 2009

Distributed Denial Of Service

As usual, I was listening to the Security Now podcast, episode #8, and Steve Gibson was talking about DoS, how it works, and what the difference is between DoS and distributed DoS. I found it a very interesting topic, and I heard a lot of information I had never heard before.
DoS stands for Denial of Service: traffic whose purpose is to make the other end unable to serve its legitimate users. The classic example is the SYN flood. When a client wants to establish a TCP session, the first packet it sends from the source (a web browser, for instance) to the destination (a web server, for instance) is a SYN packet. When the server receives the SYN, it allocates resources for the pending connection (an entry in its table of half-open connections, memory, CPU time) and sends back a SYN/ACK, then waits for the client's final ACK. If an attacker keeps sending SYN packets and never completes the handshake (usually with spoofed source addresses, so the SYN/ACKs go nowhere), the server keeps allocating resources for half-open connections until the table is full, and new SYNs from real clients are dropped. A SYN flood like this needs very little bandwidth: it does not saturate the connection, it exhausts the server's resources.

Distributed DoS (DDoS) is the same idea carried out from many sources at once. The attacker first compromises a large number of computers (hundreds to many thousands) and then instructs them to attack a single victim. These computers act as slaves (bots) and all start sending traffic to the victim, SYN packets or any other kind of packet. Because the traffic is multiplied by the number of bots, a DDoS can do what a lone attacker usually cannot: saturate the victim's connection bandwidth, not just its server resources, and it is also much harder to block by source address. One of the most popular DDoS examples is the ping flood (ICMP echo request packets).



So, as a conclusion: the defining difference between DoS and DDoS is the number of attacking sources. A single-source DoS such as a SYN flood typically exhausts the victim's server resources using little bandwidth, while a DDoS, with its many sources, can additionally consume the victim's connection bandwidth.
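To make the handshake mechanics above concrete, here is an added example (not code from the original post) in Python: a toy model of a TCP listener's half-open connection table, replayed against constructed SYN traffic, plus a small classifier that separates a single-source SYN flood from a distributed one by counting handshakes that were never completed per source address. The packets, IP addresses and the flood threshold are all constructed assumptions for illustration.

```python
# Added example (not from the original post): a toy model of a TCP listener's
# half-open connection table, replayed against constructed SYN traffic, plus a
# classifier that separates a single-source SYN flood from a distributed one.
# All packets below are constructed; the addresses are documentation ranges.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Listener:
    """Minimal TCP listener: a bounded table of half-open connections
    (SYN received, SYN/ACK sent, final ACK still pending)."""
    backlog: int                                  # max half-open entries held
    half_open: set = field(default_factory=set)   # {(src_ip, src_port)}
    established: int = 0
    dropped: int = 0

    def on_packet(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped += 1            # table full: new SYNs are discarded
                return "DROP"
            self.half_open.add(key)          # allocate state, reply SYN/ACK
            return "SYN/ACK"
        if pkt["flags"] == "ACK" and key in self.half_open:
            self.half_open.remove(key)       # handshake completed, state released
            self.established += 1
            return "ESTABLISHED"
        return "IGNORE"                      # ACK for a connection we never held


def replay(packets, backlog):
    """Feed packets to a fresh listener; return the listener and per-packet outcomes."""
    srv = Listener(backlog)
    return srv, [srv.on_packet(p) for p in packets]


def classify_syn_traffic(packets, flood_threshold=5):
    """Count SYNs never followed by the client's ACK, per source IP.
    flood_threshold is an assumed illustrative value, not a real-world tuning."""
    pending = set()
    for p in packets:
        key = (p["src"], p["sport"])
        if p["flags"] == "SYN":
            pending.add(key)
        elif p["flags"] == "ACK":
            pending.discard(key)
    per_source = Counter(src for src, _ in pending)
    if sum(per_source.values()) < flood_threshold:
        return "normal", per_source
    if len(per_source) == 1:
        return "single-source SYN flood", per_source
    return "distributed SYN flood", per_source


def syn(src, sport):
    return {"src": src, "sport": sport, "flags": "SYN"}


def ack(src, sport):
    return {"src": src, "sport": sport, "flags": "ACK"}


# Constructed traffic: one legitimate client that completes its handshake.
LEGIT = [syn("198.51.100.20", 51000), ack("198.51.100.20", 51000)]
# Scenario 1: one attacker sends 8 SYNs and never completes any handshake.
SINGLE_SOURCE = [syn("203.0.113.7", 40000 + i) for i in range(8)] + LEGIT
# Scenario 2: eight bots send one SYN each and never complete.
DISTRIBUTED = [syn(f"192.0.2.{i}", 40000) for i in range(1, 9)] + LEGIT

if __name__ == "__main__":
    srv, outcomes = replay(SINGLE_SOURCE, backlog=8)
    print(outcomes[-2:], "established:", srv.established, "dropped:", srv.dropped)
    print(classify_syn_traffic(SINGLE_SOURCE)[0])
    print(classify_syn_traffic(DISTRIBUTED)[0])
```

With a backlog of 8, the eight uncompleted SYNs fill the table and the legitimate client's SYN is dropped, even though the attacker sent only a few hundred bytes; with a larger backlog the same client gets through. Note that a real SYN flood spoofs random source addresses, so the per-IP count in classify_syn_traffic only catches an unsophisticated attacker; servers therefore avoid allocating state per SYN at all (SYN cookies) rather than relying on source-based detection.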

Wednesday, December 17, 2008

Hong Kong (.hk) is the most risky country TLD

McAfee published a study in June 2008 about malicious web sites across the world. It gives interesting information about country TLDs (for example .sa for Saudi Arabia and .ae for UAE) and generic TLDs (for example .com and .info). McAfee tested 9.9 million web sites across the world; 4.1% of the tested sites were rated red (avoid) or yellow (use caution).

One of the most interesting findings is that the Hong Kong (.hk) country TLD is the most risky TLD in the world in 2008! 19.2% of the .hk sites tested were rated red or yellow. China (.cn) is the second most risky country TLD with 11.8%; Slovenia (.si), Norway (.no) and Japan (.jp) are the least risky country TLDs. Among the generic TLDs, .info is the most risky with 11.8%, and .com is the fourth most risky.

Much more interesting information is available in this study; here it is in PDF format:
http://us.mcafee.com/en-us/local/docs/Mapping_Mal_Web.pdf?cid=

Many thanks to the Security Now podcast for mentioning this information. In addition, thanks to my friend Abdullah Al-Dosari, who challenged me to get addicted to listening to this show.

Friday, December 5, 2008

Adware Business ... What ? & How ?

A couple of days back, I was listening to the Security Now podcast presented by Steve Gibson. Steve is the owner of the grc.com web site and of the SpinRite software, the industry's #1 hard drive data recovery tool. As usual, he was talking about many security topics, but one topic amazed me and I was so interested that I had to dig down and explore more about it. The topic was the adware business.

The adware business is the business of customizing the ads shown to a customer who is visiting a web page. Based on some information about the customer or about the web page itself, the company running the adware business tailors the page's ads to be more relevant. In several of these models it is the ISP that gives the company access to the customer information, and of course the ISP is paid for it. Today I will talk about some examples of adware companies and how they run their business.


Adzilla is a Vancouver-based Canadian company running an adware business. The company buys the end user's ZIP code from the ISP and stores it in an appliance called Zillacaster, which is basically a proxy server with some extra features. Adzilla then sells the ZIP code to advertisers and web publishers so that they can make the page's ads as relevant as possible. This way the customer gets more relevant ads without the customer's identity being disclosed. Of course, a ZIP code is a strong indicator of wealth and ethnicity, so the profile built from it is less anonymous than it sounds. Adzilla calls this technology "Caller ID for the internet".



Google AdSense is another way to run the adware business. Instead of getting information about the customer, AdSense crawls and analyzes the web page's content and then delivers text and image ads that are relevant to that content.



AdSense also allows the web publisher to put a Google web search box inside his web page. Every time a visitor uses this search tool and clicks on an ad shown with the results, the web publisher (Google's customer) is paid.




NebuAd is an American online advertising company. The company installs deep packet inspection (DPI) hardware in the ISP's network, which inspects every customer's packets and monitors the customer's browsing habits. In addition, the company provides an ad injection system that lets the ISP insert its own ads into web pages as they pass through, regardless of the advertising deal that already exists between the web publisher and its advertisers. Note that both the inspection and the injection only work on unencrypted HTTP traffic; a page delivered over HTTPS cannot be read or rewritten in transit without breaking the TLS connection.
"This data is stripped of personal and personally identifiable information and held in aggregate only -- NebuAd does not take information from ISP data systems, and does not share any data with ISPs, so no data concentration occurs" - NebuAd
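A publisher who suspects that an ISP is injecting ads into its pages can check for it directly: fetch the page through a customer's connection and compare the resources it loads with the copy the publisher actually served. The following is an added example in Python (not code from the original post, from NebuAd or from any publisher) that does that comparison offline on two constructed HTML documents; the host names and the injected tags are fictitious. It only applies to plain HTTP pages, since a page served over HTTPS cannot be modified in transit.

```python
# Added example (not from the original post or from NebuAd): detecting in-transit
# ad injection by comparing the page a publisher served with the page a customer
# actually received. Both HTML documents below are constructed; the host names
# are fictitious.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every external resource a page loads."""
    RESOURCE_ATTR = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.RESOURCE_ATTR.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def page_resources(html):
    parser = ResourceCollector()
    parser.feed(html)
    return parser.resources


def find_injected(original_html, delivered_html):
    """Resources in the delivered page that the publisher's copy never referenced."""
    expected = set(page_resources(original_html))
    return [r for r in page_resources(delivered_html) if r not in expected]


def unexpected_origins(html, allowed_hosts):
    """Without a pristine copy: hosts the page loads from that the publisher does not use."""
    hosts = {urlparse(url).hostname for _, url in page_resources(html)}
    return {h for h in hosts if h and h not in allowed_hosts}


# Constructed publisher page, and the same page as an ISP-side injector might deliver it.
ORIGINAL_HTML = """<html><head>
<script src="https://static.example-news.test/app.js"></script>
</head><body>
<h1>Headline</h1>
<iframe src="https://ads.publisher-partner.test/slot1"></iframe>
</body></html>"""

DELIVERED_HTML = ORIGINAL_HTML.replace(
    "</body>",
    '<script src="http://ads.isp-injector.test/inject.js"></script>\n'
    '<img src="http://track.isp-injector.test/pixel.gif">\n</body>',
)

# Hosts the publisher legitimately loads from (assumed for this example).
PUBLISHER_HOSTS = {"example-news.test", "static.example-news.test", "ads.publisher-partner.test"}

if __name__ == "__main__":
    for tag, url in find_injected(ORIGINAL_HTML, DELIVERED_HTML):
        print(f"injected <{tag}> loading {url}")
    print("unexpected origins:", unexpected_origins(DELIVERED_HTML, PUBLISHER_HOSTS))
```

find_injected needs the publisher's pristine copy; unexpected_origins is the weaker check a user can run alone, by listing the hosts a page loads from and flagging any the publisher is not known to use. Either check reports the injected script and tracking pixel here, and reports nothing when the delivered page matches the original.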