Deconstructing Denial of Service attacks

Assess your risks and avoid unwitting participation

The recent Denial of Service (D.O.S.) attack against Yahoo! may have only lasted a few hours, but its impact may reverberate throughout the industry for years to come.

D.O.S. attacks have been with us for some time. Most firewalls know how to repel them, and most IT managers know how to track down the perpetrators with relative ease. However, the attack on Yahoo! utilised a relatively new tact, against which Yahoo! and its customers had very little recourse.

Like most D.O.S. attacks, this one overran Yahoo! with a continuous stream of poorly formed IP packets. Here's what happens: an attacking machine generates what appear to be normal messages, such as the User Datagram Protocol (UDP) packets. In the case of a UDP D.O.S. attack, these packets claim to come from the same server that's receiving them. In trying to respond to this influx of miscommunication, the victimised server eventually becomes unable to accept any more connections.

Yahoo's attack, however, enlisted the support of a large number of unwitting attackers, making it difficult for Yahoo! to restore its services and locate the perpetrators. This twist basically puts an extra layer between the attacker and the victim that both amplifies the attack and obfuscates the attacker.

To accomplish this feat, an attacker creates a collection of machines:

    The Client. This is the machine from which a hacker coordinates the attack.

    The Hosts. These machines (between three and four) are under the attacker's direct control. They act as generals on a battlefield to carry out the attacker's orders.

    The Broadcaster. Numbering in the hundreds, these machines act as the infantry, running the code that directly generates the denial of service attack.

    The Target. Usually one or more machines on the same network that will have to respond to the traffic generated by the broadcasters. The attacker then puts this collection to work. Through port scanning software, the attacker obtains a list of broadcasters and hosts to which he/she can gain root privileges. He then installs daemon software on these machines, usually many at one time through batch processes. This software usually runs as an automated process, which conceals its presence from machine owners.

The broadcaster machines announce their presence and readiness to the three or four host machines. Using strong encryption techniques, the attacker distributes a list of target IP addresses to the master machines. The master machines then instruct the broadcasters to simultaneously launch a D.O.S. attack against these IP addresses using fraudulent (spoofed) source addresses.

This form of attack presents an almost unstoppable threat to all Internet-connected machines (such Web, mail, news, and application servers). Because the attack comes from many different machines, would-be victims must either disconnect from the Internet or deny access to all clients in order fully protect themselves.

Fortunately, there are many tools available to ISPs and IT managers, which can look for UDP- and ICMP-based attacks. There are also many tools available that can scan systems to see if there is any host or broadcaster software installed. However, there is an equally thriving, open source development initiative behind the software responsible for such attacks. For example, the Computer Emergency Response Team / Coordination Center (CERT/CC) has already catalogued three such beasts:

  • Tribe FloodNet (TFN)

  • Trin00

  • Stacheldraht

These tools together with existing port scanners (which check for system vulnerabilities) enable hackers with little or no experience to bring down even the largest Web site without fear of reprisal. But that's only part of the problem. The real problem rests with those of us who maintain machines outside of the corporate firewall.

Though these tools are obviously a server-side issue, a problem for ISPs, hosting services, and corporate IT managers, it is our machines that bear the responsibility for the attacks they spawn. It is the home computer connected permanently to the Internet via Digital Subscriber Line (DSL) service or a cable modem that must be secured.

To ensure that you're not an unwitting participant in a D.O.S. attack, we recommend that you check with your ISP to ensure that your equipment is properly secure. For example, your ISP has equipped you with a Cisco router as a part of your DSL service, you must ensure that the router employs packet filtering that will disallow inbound traffic.

You should also ensure that your Linux or Windows machines don't contain any security holes that will grant an outsider root or administrative access. Such precautions are beyond the scope of this article, although there are a number of online resources available that will walk you through the steps necessary to create a secure environment. As a starting point, we recommend an excellent collection of Windows and Unix security FAQs maintained by Internet Security Systems.

Interestingly, Mac OS 9 is particularly vulnerable to this sort of complicity. A bug in Open Transport allows Macintosh computers to act as amplifiers in D.O.S. attacks. Certainly there are many other security vulnerabilities in the Mac OS, but at least for this particular issue, there's a patch available from Apple and this Help & How-To article will help get you going.

Even with such due diligence on your part, the Internet is only as strong as its weakest link where coordinated, distributed D.O.S. attacks are concerned. All it will take is one hundred or so vulnerable machines and a hacker with the determination and tools to carry out another attack on another Yahoo!.

What do you think? Tell the Mailroom. And read what others have said.

Take me to Hackers

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All