Security
FEATURE
DDoS: Internet Weapons of Mass Destruction

January 8, 2001
By Brooke Paul

eBay. Amazon. CNN. None of these Internet heavy hitters was adequately prepared to withstand a series of DDoS (distributed denial of service) attacks that made headlines and disrupted operations early last year. What makes you think you're in any better position?

DDoS attacks are a new variation on the theme of denial of service, and they pose a serious threat to any Internet-based enterprise, regardless of infrastructure redundancy or robustness. Their danger stems from their simplicity: The tools necessary to set up and initiate the attack are easy to obtain and implement, and the victim can experience hours or even days of service interruptions. Any organization that uses the Internet must take immediate action. You must implement procedures and configurations that will prevent your resources from being used in an attack, as well as reduce the impact and facilitate a rapid response once an attack has been initiated.

A DoS attack removes a given resource, such as a server or network, from service without authorization. DDoS attacks, in which multiple systems generate the attack on a single target, are the next logical step. Distributing the workload across hundreds or even thousands of systems is one of the best ways to accomplish an intensive task, such as a major DoS attack. Workload distribution not only increases the impact, but also makes stopping the attack (much less identifying the attacker's true source) much more difficult.

Reports of the first DDoS attacks surfaced in mid-1999, with the highest-profile attacks coming in early 2000 against sites like Amazon.com, CNN.com, eBay and E-Trade. Clearly, the challenge these attacks present is a serious one. While you alone can't do much to protect yourself, as a community we can improve the situation.

Evolution of DDoS Attacks

Setting up and initiating a DDoS attack doesn't take much expertise. New tools are generated regularly, freely available and easily obtained. The key is gaining access to enough systems to deploy a network of DDoS attack agents (sometimes referred to as "zombies"). That's easy enough to do, thanks to the large number of unpatched vulnerabilities and the wide availability of toolkits to penetrate systems and set up covert operations. Often, DDoS attack networks comprise hundreds of systems that have been compromised over the course of a few weeks. In fact, some toolkits practically automate the job, allowing would-be attackers the luxury of choosing a set of victims and letting the tools do the dirty work. Once enough systems are set up to be part of a DDoS network, an attacker can easily initiate the sequence from one or more attack consoles. The console acts as the management center for the whole DDoS network, letting an attacker easily and efficiently control hundreds or even thousands of systems throughout the world. Much of the activity on these compromised systems goes unnoticed until an attack is launched, so identifying agents on your network is difficult without proper detection tools.

Tools of the Trade

Many tools are available to perpetrate DDoS attacks. Because source code is available for a number of these tools, many of the findings about a particular set of DDoS tools change over time. In fact, the characteristics that are seen "in the wild" often do not match those seen by analysis of the available source code. DDoS tools typically follow a three-tier architecture, known as a DDoS constellation (see "DDoS Constellation Architecture"). The attacker (controlling console) is used to issue commands to the master controller layer. The master controllers are then responsible for controlling a given number of agents that do the actual labor of the attack. The attacker can control a large number of masters, and each master can control a large number of agents. Since any traceback of flooding traffic to ascertain the source of the attack will result in an agent system, finding the master controllers is very difficult, and finding the attacker consoles is even more difficult.

There are basically five methods of attack that are supported by known DDoS tools:

  • Smurf -- ICMP (Internet Control Message Protocol) ping requests to a directed broadcast address. The forged source address of the request is the target of the attack. The recipients of the directed broadcast ping request respond to the request and flood the target's network.

  • ICMP flood -- Similar to Smurf, but without the amplification caused by requests to a directed broadcast address.

  • UDP flood -- Sending large numbers of UDP (User Datagram Protocol) packets to the target system, thus tying up network resources.

  • TCP flood -- Sending large numbers of TCP packets to the target system, thus tying up network resources.

  • TCP SYN flood -- Sending large numbers of TCP connection initiation requests to the target. The target system must consume resources to keep track of these partially opened connections.
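The five flood types above each leave a different footprint in traffic headed at (or bouncing off) a network. The following added example, not code from the article, classifies a constructed batch of packet summaries into those types; it assumes a record format of (src, dst, proto, flags), a protected prefix of 192.0.2.0/24 and an arbitrary packet threshold, all made up for the demonstration.

```python
# Added example, not from the article: classify constructed packet records into
# the flood types listed above. A record is (src, dst, proto, flags), where flags
# is a set of TCP flag names for tcp or an ICMP type name for icmp (assumed format).
from collections import Counter
import ipaddress

PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed: our prefix
THRESHOLD = 5   # packets per (dst, kind) before we call it a flood (constructed)


def classify(records):
    """Return {dst: set(kinds)} for destinations whose traffic crosses THRESHOLD."""
    counts, syn, synack = Counter(), Counter(), Counter()
    for src, dst, proto, flags in records:
        if proto == "icmp":
            to_bcast = ipaddress.ip_address(dst) == PROTECTED_NET.broadcast_address
            if flags == "echo-request" and to_bcast:
                # Smurf: our directed-broadcast address is being used as the
                # amplifier; the forged source (src) is the real victim
                counts[(dst, "smurf-amplification")] += 1
            elif flags == "echo-request":
                counts[(dst, "icmp-flood")] += 1
        elif proto == "udp":
            counts[(dst, "udp-flood")] += 1
        elif proto == "tcp":
            if flags == {"SYN"}:
                syn[dst] += 1                 # half-open attempt toward dst
            else:
                if "SYN" in flags and "ACK" in flags:
                    synack[src] += 1          # src answered: handshake progressed
                counts[(dst, "tcp-flood")] += 1
    verdict = {}
    for (dst, kind), n in counts.items():
        if n >= THRESHOLD:
            verdict.setdefault(dst, set()).add(kind)
    # SYN flood signature: many SYNs toward dst, few SYN-ACKs coming back from it
    for dst, n in syn.items():
        if n >= THRESHOLD and synack[dst] < n // 2:
            verdict.setdefault(dst, set()).add("syn-flood")
    return verdict


# Constructed sample traffic (RFC 5737 documentation addresses)
SAMPLE = (
    [(f"198.51.100.{i}", "192.0.2.10", "tcp", {"SYN"}) for i in range(1, 7)]
    + [("203.0.113.5", "192.0.2.255", "icmp", "echo-request")] * 7
    + [("203.0.113.9", "192.0.2.20", "tcp", {"SYN"}),
       ("192.0.2.20", "203.0.113.9", "tcp", {"SYN", "ACK"}),
       ("203.0.113.9", "192.0.2.20", "tcp", {"ACK"})]
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The ordinary three-way handshake at the end of the sample stays below threshold and is not reported, which is the check that keeps the SYN-flood rule from firing on normal connection setup.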

The most prominent DDoS tools vary in their methods of attack, in the communication between master and agents, and in the system privileges needed to execute an attack. The more recent and sophisticated DDoS tools even come with functionality to update their software automatically, easing the burden of running a large DDoS constellation. Seven families of DDoS tools have been seen in the wild. The more common families are trinoo, Tribe Flood Network (TFN and TFN2K) and Stacheldraht.

Trinoo, an early DDoS tool, is relatively unsophisticated by current standards. It initiates only a UDP flood attack. Communication between the master and agents uses unencrypted TCP and UDP. Root/administrator privileges are not needed to use trinoo. This means that any regular user can deploy a trinoo constellation without having to compromise a systems administration account. Given trinoo's relative simplicity, it is easier to detect and combat than more recently developed tools.

TFN and TFN2K use multiple attack types, including UDP, ICMP and TCP SYN floods. They can also emulate a Smurf attack. Communication between the master and the agents uses ICMP_ECHOREPLY packets. Commands and arguments are sent as part of the ICMP ID field and in the data portion of the packets. The main difference between TFN2K and TFN is that the agent is silent in TFN2K, making it more difficult to detect. The master sends multiple commands to the agent and relies on the probability that at least one will get through. In addition, the command packets are mixed with a number of decoy packets sent to random destinations. As TFN evolves, it becomes easier to cause outages and more difficult to detect. TFN and TFN2K are more difficult to deploy than trinoo, because they require root or administrator privileges on the system running the agent.

Like TFN, Stacheldraht has multiple attack options, including UDP, ICMP, TCP SYN and broadcast ping floods. Its use of ICMP_ECHOREPLY is similar to TFN's, but Stacheldraht can encrypt the console-to-master TCP session. Stacheldraht also has an auto-update feature. Like TFN and TFN2K, Stacheldraht requires root or admin privileges on the system running the agent as well as the master.
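Because TFN, TFN2K and Stacheldraht carry master-to-agent traffic in ICMP_ECHOREPLY packets, an agent inside a network shows up as echo replies arriving for which no internal host ever sent a request. The following added example, not code from the article, pairs outbound echo requests with inbound replies and reports the unmatched ones; it assumes a record format of (direction, src, dst, icmp_type, ident, seq) and a constructed sample of traffic.

```python
# Added example, not from the article: find inbound ICMP echo replies that no
# host on our side requested. Record format is assumed:
# (direction, src, dst, icmp_type, ident, seq), direction "out" or "in".
from collections import Counter, OrderedDict


def unsolicited_echo_replies(records, window=256):
    """Return [(src, dst, ident)] for inbound replies with no matching request.
    `window` bounds how many outstanding requests are remembered (assumed)."""
    outstanding = OrderedDict()       # key -> None, insertion ordered for eviction
    flagged = []
    for direction, src, dst, itype, ident, seq in records:
        if direction == "out" and itype == "echo-request":
            outstanding[(dst, src, ident, seq)] = None   # reply comes back dst->src
            if len(outstanding) > window:
                outstanding.popitem(last=False)          # forget the oldest request
        elif direction == "in" and itype == "echo-reply":
            key = (src, dst, ident, seq)
            if key in outstanding:
                del outstanding[key]               # normal ping reply
            else:
                flagged.append((src, dst, ident))  # reply nobody asked for
    return flagged


def suspect_agents(records, min_replies=2):
    """Internal hosts receiving at least `min_replies` unsolicited echo replies;
    a steady stream of these is the pattern an ICMP-controlled agent produces."""
    per_host = Counter(dst for _, dst, _ in unsolicited_echo_replies(records))
    return {host for host, n in per_host.items() if n >= min_replies}


# Constructed sample: one ordinary ping exchange and three replies nobody requested
SAMPLE = [
    ("out", "192.0.2.20", "198.51.100.7", "echo-request", 0x1234, 1),
    ("in",  "198.51.100.7", "192.0.2.20", "echo-reply",   0x1234, 1),
    ("in",  "203.0.113.40", "192.0.2.31", "echo-reply",   0x01FE, 0),
    ("in",  "203.0.113.40", "192.0.2.31", "echo-reply",   0x01FE, 0),
    ("in",  "203.0.113.41", "192.0.2.20", "echo-reply",   0x0456, 0),
]

if __name__ == "__main__":
    print(suspect_agents(SAMPLE))
```

A single stray reply is not worth an alert, which is why the per-host count is thresholded; the window keeps the matching state bounded on a busy link.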
