DDoS Attacks

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
It was in early 2000, that most people became aware of the dangers of distributed denial of service (DDoS) attacks when a series of them knocked such popular Web sites Yahoo, CNN and Amazon off the air. More recently, a pair of DDoS attacks nailed The SCO Group's Web site and many people thought that it was a hoax because surely any company today could stop a simple DDoS SYN attack. Wrong.

It's been almost four years now, but DDoS attacks are still difficult to block. Indeed, some DDoS attacks, including SYN, if they're made with enough resources are impossible to stop.

No server, no matter how well it's protected, can be expected to stand up to an attack made by thousands of machines. Indeed, Arbor Networks, a leading anti-DDoS company, reports DDoS zombie armies of up to 50,000 systems. Fortunately, major DDoS attacks are difficult to make. Unfortunately, minor DDoS attacks are easy to make.

In part, that's because there are so many kinds of DDoS attacks For example, last January, the Slammer worm targeted SQL Server 2000 but its effect, as infected SQL Server installations tried to spread Slammer, was to cause DDoS attacks on network resources as every bit of bandwidth was consumed by Slammer.

Thus, a key to thinking about DDoS is that DDoS is not so much a kind of attack, as an effect of many different kinds of network attacks. It may do it by attacking the TCP/IP protocol, it may do it by assaulting server resources, or it could be as simple as too many users demanding too much bandwidth at one time.

Typically, though, when we're talking about DDoS, we mean attacks on your TCP/IP protocol. There are three kinds of these attacks: the ones that target holes in a particular TCP/IP stack; those that target native TCP/IP weaknesses; and the boring, but effective, brute force attacks. For added trouble, brute force works well with the first two methods.

The Ping of Death is a typical TCP/IP implementation attack. In this assault, the DDoS attacker creates an IP packet that exceeds the IP standard's maximum 65,536-byte size. When this fat packet arrives, it crashes systems that are using a vulnerable TCP/IP stack. No modern operating system or stack is vulnerable to the simple Ping of Death, but it was a long-standing problem with Unix systems.

The Teardrop, though, is an old attack that relies on poor TCP/IP implementation that is still around. It works by interfering with how stacks reassemble IP packet fragments. The trick here is that as IP packet are sometimes broken up into smaller chunks, each fragment still has the original IP packet's header, and field that tells the TCP/IP stack what bytes it contains. When it works right, this information is used to put the packet back together again. What happens with Teardrop though is that your stack is buried with IP fragments that have overlapping fields. When your stack tries to reassemble them, it can't do it, and if it doesn't know to toss these trash packet fragments out, it can quickly fail. Most systems know how to deal with Teardrops now and a firewall can block Teardrop packets in return for a bit more latency on network connections since this makes it disregard all broken packets. Of course, if you throw a ton of Teardrop busted packets at a system, it can still crash

Page 2: Original SYN

And, then, there's SYN, to which there really isn't perfect cure. In SYN, the attack works by overwhelming the protocol handshake that has to happen between two Internet-aware applications when they start a work session by sending a TCP SYN (synchronization) packet, which is followed by a TCP SYN-ACK acknowledgment packet. Then, the first program replies with an ACK (acknowledgment). That done, the applications are ready to work with each other.

A SYN attack simply buries its target by swamping it with TCP SYN packets. Each SYN packet demands a SYN-ACK response and causes the server to wait for the proper ACK in reply. Of course, the attacker never gives the ACK, or, more commonly, it uses a bad IP address so there's no chance of an ACK returning. This quickly hogties a server as it tries to send out SYN-ACKs while waiting for ACKs. When the SYN-ACK queues fill up, the server can no longer take any incoming SYNs, and that's the end of that server until the attack is cleared up. The Land attack make SYN one-step nastier by using SYN packets with spoofed IP addresses from your own network.

There are many ways to slow SYN such as setting your firewall to block all incoming packets bad external IP addresses like to, to, to, and to and all internal addresses. But, as SCO discovered, if you throw enough SYN packets at a site, any site can still be SYNed off the net.

Common brute force attacks include the Smurf attack and the User Datagram Protocol (UDP) flood. When you're Smurfed, Internet Control Message Protocol (ICMP) echo request packets, a particular type of ping packet, overwhelm your router. Making matters worse, each packet's destination IP address is spoofed to be your local broadcast address. You're probably already getting the picture. Once your router gets into the act of broadcasting ICMP packets too if won't be long before your internal network is frozen.

A UDP flood works by someone spoofing a call from one of your system's UDP chargen program, this test program generates semi-random characters for received packets, with another of your network's UDP echo service. Once these characters start being reflected your bandwidth quickly vaporizes.

Fortunately, for these two anyway, you can usually block them. With Smurfing, just setting your router to ignore broadcast addressing and setting your firewall to ignore ICMP requests should be all you need.

To dam up UDP floods just block all non-service UDP services request for your network. Programs that need UDP will still work. Unless, of course, the sheer volume of the attack mauls your Internet connection.

That's where the DDoS attack programs such as Tribe Force Network (TFN), Trin00, Trinity and Stacheldraht come in. These programs are used to set DDoS attack agents in unprotected systems. Once enough of them have been set up in naove users' PCs, the DDoS controller sets them off by remote control to bury target sites from hundreds or even thousands of machines.

Unfortunately, as more and more users add broadband connections without the least idea of how to handle Internet security, these kinds of attacks will only become more common.

Page 3: Deflecting DDoS Attacks

So what can you do about the DDoS threats? For starters, all the usual security basics can help. You know the drill: make sure you have a firewall up that aggressively keeps everything out except legal traffic; keep your anti-viral software up to date lest your site become a home for DDoS agents like TFN; and keep your network software up to date with current security patches. This won't stop all DDoS attacks, but it will stop some of them like Smurfing.

You should also keep yourself current on the latest DDoS developments. The best site for this is the University of Washington hosted: Distributed Denial of Service (DDoS) Attacks/tools.

There is no silver bullet for DDoS attacks. Several companies, such as Arbor Networks, Mazu Networks and netZentry offer program and services that can help you manage DDoS assaults.

Essentially, these corporate approaches consist of intense real-time monitoring of your network looking for telltale signs of incoming DDoS attacks. These give you a chance to harden your network or even switch to another ISP provider in an attempt to dodge a DDoS attack. For example, Riverhead actually diverts DDoS attacks to its own servers and filters out the good traffic, which it then passes along to your site.

You may not think you need these services, since in a worse case scenario; you're still going to get knocked off the net. But, not every attack will be a massive one with thousands of attackers. For most attacks, these services can help.

And, let's face it, today almost all businesses need to be on the net 24 by 7. With DDoS attacks on the rise according to CERT, you'd be wise to at least familiarize yourself with DDoS prevention services. After all, it's not only your network in danger, it's your business.

Submit a Comment

Loading Comments...