DoS: Know your enemy, protect yourself

Denial of service attacks can result in lost revenue, or simply a loss of credibility. A brief run-through of the different ways DoS attacks are carried out, should only be accompanied by what possible solutions are available. Thankfully, we have both.

Tuesday, May 22, started out as just another day at CERT Coordination Center at Carnegie Mellon University in Pittsburgh. By day's end, CERT, widely regarded as the Fort Knox of computer security, would be knocked off the net by a distributed denial of service (DDoS) attack.

In 2001, even the crème de la crème of network security is vulnerable. If it can happen to CERT, it can happen to you.

You can help prevent DDoS assaults across the Internet and lower your vulnerability to attacks. But if someone really wants to put your business under with a DDoS attack, they will. Microsoft, Yahoo, and Exodus have all fallen to DDoS attacks within the last 12 months; you or your customers could be next.

The nature of the beast
Denial of service (DoS) attacks are exactly what they sound like: attempts to prevent your server from delivering services. Attackers can do this in many ways. For example, you could describe the Outlook e-mail worm Melissa and its ilk as DoS agents because they cause their damage by making Outlook clients flood e-mail servers with worm-laden messages to the point that the servers collapse under the load.

This is an important point. People tend to think of DoS attacks as causing havoc by jamming network bandwidth with useless traffic. While that's certainly one kind of DoS attack, another succeeds by devouring server resources. That means it's possible for a successful DoS raid to be made over a low-speed modem connection if it attacks server resources. To really protect a network against attacks, both network and servers should be armed and ready

For corporate users, firewalls and products like Zone Labs Inc.'s Zone Alarm Pro can help. In addition, several companies, such as Asta Networks Inc. and Mazu Networks Inc., now offer business-level protection against DDoS attacks.

Asta's Vantage System takes a page from anti-viral programs by looking for tell-tale signs of DDoS attacks. It constantly analyzes packets for known DDoS patterns and unusual patterns, such as a non-standard stream of packets on its way to your Domain Name Server (DNS). When it looks like an attack is on the way, the system notifies a network manager, who can then use router filters or even switch network providers in mid-stream to attempt to stem the attack.

Mazu Networks' TrafficMaster Inspector for DDoS tries to detect attacks in the making by using constant Gigabit Ethernet-speed traffic analysis as far upstream as possible. In essence, Mazu attempts to catch attacks in real-time, then allow good traffic to keep flowing by blocking only DDoS packets. Its approach makes it suitable for ISPs and data centers.

Usually, DoS attacks are aimed straight at your network's TCP/IP infrastructure. These assaults come in three varieties: those that exploit weaknesses in a given TCP/IP stack implementation; those that target TCP/IP weaknesses; and the tried and true brute force attack. The canonical example of an attack that goes after TCP/IP implementation weaknesses is the Ping of Death attack. In this exploit, your enemy creates an IP packet that exceeds the IP standard's maximum 65,536-byte size. When this bloated packet arrives it crashes systems that are using a vulnerable TCP/IP stack and operating system.

All modern operating systems and stacks are immune to the Ping of Death attack, but older Unix systems may still be vulnerable.

Another attack that relies on poor TCP/IP implementation is Teardrop, which exploits defects in the way systems reassemble IP packet fragments. On their way from hither to yon on the Internet, an IP packet may be broken up into smaller pieces. Each of these still has the original IP packet's header, as well as an offset field that identifies which bytes of the original packet it contains. With this information, an ordinary broken packet is reassembled at its destination and network continues uninterrupted. When a Teardrop attack hits, your server is bombarded with IP fragments that have overlapping offset fields. If your server or router can't disregard these fragments and attempts to reassemble them, your box will go castors up quickly. If your systems are up-to-date, or if you have a firewall that blocks Teardrop packets, you shouldn't have any trouble. Attempts to whack your system using TCP/IP weaknesses also abound. The most popular of these is the SYN attack. SYN works by taking advantage of the protocol handshake between two Internet applications. It's designed to work by starting an application session by sending a TCP SYN (synchronization) packet to another program. That application then replies with a TCP SYN-ACK acknowledgment packet; the first program then responds with an ACK (acknowledgment). Once the applications have made their handshake, they're ready to work with each other.

A SYN attack overwhelms its victim with a flood of TCP SYN packets. Every SYN packet forces the targeted server to produce a SYN-ACK response and then wait for the appropriate ACK. This quickly leads to a situation where outstanding SYN-ACKs pile up behind each other in a backlog queue. When the backlog queues fill up, the system stops acknowledging incoming SYN requests.

If the SYN attack includes SYN packets with bad source IP addresses, the situation grows worse more quickly. In such a case, when the SYN-ACKs are sent out, the ACK never comes back. The quickly overfilling backlog queue usually puts an end to legitimate application SYN requests getting through.

Adding insult to injury, the similar Land attack employs spoofed SYN packets, with IP addresses forged to look like they come from within your network. Now, the SYN attacks appear to be coming from within your firewall, adding to your problems. Most up-to-date operating systems and firewalls can stop SYNing in its tracks. Another easy way to prevent SYNing is to set your firewall to block all incoming packets with known bad source IP addresses. This list should include external packets that bear spoofed IP addresses from the following IP ranges, which are reserved for internal use only: 10.0.0.0 to 10.255.255.255, 127.0.0.0 to 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. But why should your enemies worry about sneaking in the back windows when they can simply bulldoze your systems? That's the approach that the Smurf attack and the User Datagram Protocol (UDP) flood use.

When you're Smurfed, your enemy floods your router with Internet Control Message Protocol (ICMP) echo request packets--a special kind of ping packet. Each packet's destination IP address is also your broadcast address, which causes your router to broadcast the ICMP packets to all your network's hosts. Needless to say, with a large network, this quickly leads to an electronic traffic jam of mammoth proportions. And as with the Land attack, if the cracker combines Smurfing with spoofing, matters get even worse.

The simple way to avoid Smurfing is to turn off broadcast addressing at your router and set your firewall to block ICMP echo requests. You may also be able to set your server so it won't respond to requests to send ICMP packets to IP broadcast addresses. These changes won't interfere with your network's normal operations because few applications need IP's broadcast features.

It's not as easy to deal with UDP flood DoS attacks, since some legal applications, like RealVideo, use UDP. In a UDP flood, an attacker spoofs a call to connect one system's UDP chargen service, a test program that generates characters for received packets, with another system's UDP echo service. The result? Chargen's semi-random characters are reflected back and forth between systems, starving legitimate applications' bandwidth needs.

One way to prevent UDP attacks is to disable or filter all UDP services request for your host. As long as you allow non-service UDP requests, normal applications that require UDP or use it as a backup data transport protocol will continue to work normally. With all these ways to stop DoS attacks, you might think DoS attacks would be no more difficult to handle than spam. Wrong. Thanks to DDoS attacks that are so simple that any malcontent can co-op dozens or hundreds of machines to launch DoS assaults on your systems.

Sheer volume alone can wash down your barricades and leave your network connection flooded with garbage. With tools like Tribe Force Network (TFN), Trin00 and Stacheldraht, anyone can plant DDoS attack zombies in unprotected systems. Later, the attacker sends out the target information, and, presto! Instant DDoS.

These attacks, devised between 1997 and 1999, are easy to spot. Newer DDoS attacks, however, use "pulsing zombies." Instead of launching brute force attacks, these send waves of low-bandwidth traffic, which their masters hope will stealth their way past network alarms set for massive attacks. DDoS attacks are only going to increase. As the Internet expands, more people are getting broadband access, giving crackers more unprotected systems to exploit.

Adding fuel to the fire, Windows XP, which Microsoft is positioning as the next mass consumer operating system, will use "raw" TCP/IP sockets. Normally, programmers write applications to use a specific socket--a software object that connects applications to TCP/IP--associated with that function.

TCP/IP also defines a SOCK_RAW socket type, or a raw socket. Not all operating systems support these, but Unix and Windows XP do. By using raw sockets a programmer can write code that can call on any TCP/IP socket. While handy for programming beyond the normal TCP/IP standards, raw sockets lend themselves to spoofing and building rogue applications like DDoS zombies, because they allow developers to use commonly used sockets in unexpected ways. For example, with raw sockets you can build a DDoS attacker that gets its instructions using socket 80--the Web's Hypertext Transfer Protocol (HTTP) socket of choice.

While Windows 2000, Unix, and its descendents, Linux and the BSD operating systems, also have raw sockets, these operating systems tend to be in technically adept hands. These users, while they may not always police their own systems the way they should, often know how to lock their systems down. XP, however, which will be in the hands of anyone buying a new system from Circuit City, is far less likely to have expert administrators looking out for new DDoS agents.

Because of this, experts, like Steve Gibson of Gibson Research Group predict that the current explosion of DDoS attacks (4,000 a week by Gibson's estimate) will vastly increase. Theoretically, this could lead to the Internet itself slowing from hundreds of thousands of DDoS attacks. Besides protecting your own systems from DDoS Zombie attacks and the methods described above, you should encourage anyone who uses broadband Internet to install a basic firewall. ZDNet's Downloads site has a list of personal firewalls that are simple to manage and provide basic protection.

Zone Labs' ZoneAlarm is just what the doctor ordered for a technically savvy user who wants to know exactly what's happening on his network connection. Using ZoneAlarm on a friend's PC with a DSL connection we found not one, but two, DDoS agents attempting to launch attacks. We also noticed that there were daily attempts to hack into his system. If you have a broadband connection, security isn't just a good idea, it's a necessity.

Will any defense be enough? Only time and experience will tell, but if you're not protecting yourself against DDoS attacks today, you're not only in danger of losing your network connection, you may be part of the problem.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All