In early 2000, most people became aware of the dangers of distributed denial of service (DDoS) attacks when a series of them knocked such popular Web sites as Yahoo, CNN and Amazon off the air. More recently, a pair of DDoS attacks nailed The SCO Group's Web site, and many people thought it was a hoax because surely any company today could stop a simple DDoS SYN attack. Wrong.

It's been almost four years now, but DDoS attacks are still difficult to block. Indeed, some DDoS attacks, SYN attacks included, are impossible to stop if they're made with enough resources.

No server, no matter how well it's protected, can be expected to stand up to an attack made by thousands of machines. Indeed, Arbor Networks, a leading anti-DDoS company, reports DDoS zombie armies of up to 50,000 systems. Fortunately, major DDoS attacks are difficult to make. Unfortunately, minor DDoS attacks are easy to make.

In part, that's because there are so many kinds of DDoS attacks. For example, last January the Slammer worm targeted SQL Server 2000, but its effect, as infected SQL Server installations tried to spread Slammer, was a DDoS attack on network resources, since every bit of bandwidth was consumed by Slammer.

Thus, a key to thinking about DDoS is that DDoS is not so much a kind of attack as an effect of many different kinds of network attacks. That effect may be produced by attacking the TCP/IP protocol, by assaulting server resources, or by something as simple as too many users demanding too much bandwidth at one time.

Typically, though, when we're talking about DDoS, we mean attacks on your TCP/IP protocol. There are three kinds of these attacks: the ones that target holes in a particular TCP/IP stack; those that target native TCP/IP weaknesses; and the boring, but effective, brute force attacks. For added trouble, brute force works well in combination with the first two methods.

The Ping of Death is a typical TCP/IP implementation attack. In this assault, the DDoS attacker creates an IP packet that exceeds the IP standard's maximum 65,536-byte size. When this oversized packet arrives, it crashes systems that use a vulnerable TCP/IP stack. No modern operating system or stack is vulnerable to the simple Ping of Death, but it was a long-standing problem with Unix systems.

The Teardrop, though, is an old attack that relies on a weakness in poor TCP/IP implementations that is still around. It works by interfering with how stacks reassemble IP packet fragments. The trick here is that when an IP packet is broken up into smaller chunks, each fragment still carries the original IP packet's header, plus a field that tells the TCP/IP stack which bytes of the original packet it contains. When it works right, this information is used to put the packet back together again. What happens with Teardrop, though, is that your stack is buried with IP fragments whose byte ranges overlap. When your stack tries to reassemble them, it can't, and if it doesn't know to toss these trash fragments out, it can quickly fail. Most systems know how to deal with Teardrop now, and a firewall can block Teardrop packets in return for a bit more latency on network connections, since this makes the firewall disregard all malformed fragments. Of course, if you throw a ton of Teardrop-busted packets at a system, it can still crash.
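As an added illustration, not part of the article, here is a minimal IPv4 fragment reassembler in Python that applies the two defensive checks this section describes: it discards a fragment set whose byte ranges overlap (the Teardrop condition) or whose reassembled length would exceed the 16-bit IPv4 total-length field (the Ping of Death condition) instead of trying to stitch it together and failing. The `Fragment` class, the verdict names and the sample fragments are constructed for the example; offsets are given in bytes rather than the 8-byte units of the real header.

```python
# Added example: defensive IPv4 fragment reassembly (not the article's code).
# Assumes every fragment passed in belongs to the same datagram; a real stack
# would first group fragments by (src, dst, id, protocol).
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535  # IPv4 total length is a 16-bit field


@dataclass
class Fragment:
    offset: int    # byte offset of this payload within the original datagram
    payload: bytes
    more: bool     # the IP "more fragments" (MF) flag


class BadFragmentSet(ValueError):
    """Raised when a fragment set must be discarded rather than reassembled."""


def verdict(fragments):
    """Classify a fragment set as 'ok', 'overlap', 'oversize', 'incomplete' or 'empty'."""
    if not fragments:
        return "empty"
    frags = sorted(fragments, key=lambda f: f.offset)
    covered = 0  # contiguous bytes of the datagram accounted for so far
    for f in frags:
        end = f.offset + len(f.payload)
        if end > IP_MAX_DATAGRAM:
            return "oversize"    # Ping of Death: reassembly would exceed 65535 bytes
        if f.offset < covered:
            return "overlap"     # Teardrop: this fragment claims bytes already covered
        if f.offset > covered:
            return "incomplete"  # a gap; a real stack would buffer and wait
        covered = end
    return "incomplete" if frags[-1].more else "ok"


def reassemble(fragments):
    """Return the reassembled payload, or raise BadFragmentSet with the verdict."""
    v = verdict(fragments)
    if v != "ok":
        raise BadFragmentSet(v)  # toss the trash fragments instead of failing later
    return b"".join(f.payload for f in sorted(fragments, key=lambda f: f.offset))


if __name__ == "__main__":
    # Constructed sample: a clean three-fragment datagram and a Teardrop-style pair.
    clean = [Fragment(16, b"B" * 8, True), Fragment(0, b"A" * 16, True), Fragment(24, b"C" * 5, False)]
    teardrop = [Fragment(0, b"A" * 16, True), Fragment(8, b"B" * 16, False)]
    print(len(reassemble(clean)), verdict(teardrop))
```

Identical retransmitted duplicates are reported as "overlap" here; a production reassembler would tolerate exact duplicates and only reject conflicting overlaps.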
