Olufemi Anthony EMTM 615 - Introduction to Networking
1. Introduction
Distributed Denial of Service (DDoS) attacks have made big
headlines lately with the disabling of many high-profile websites. In the summer
of 1999, such attacks affected many sites, including Yahoo, Buy.com, eBay,
Amazon, Datek, E*Trade, and CNN; each victim was unreachable for several hours.
Microsoft is now the latest victim. However, these attacks have been
around for a while: the earliest high-profile case was the NY ISP Panix.com,
which was nearly put out of business in 1996. These attacks are all the more
problematic because, unlike other hacker attacks, there is no easy way to catch
the perpetrators.
2. Technical Description
In order to mount DDoS attacks, hackers break into hundreds
or thousands of vulnerable hosts on the Internet.
This can only be done in an automated manner, using tools such as TFN and
TFN2K.
TFN and TFN2K can perform various attacks, such as UDP flood attacks (similar to
Trinoo), ICMP flood attacks (similar to Smurf), and TCP SYN flood attacks.
These are referred to as flood attacks because they overwhelm a server with
network requests, bringing it to its knees. To illustrate, I will describe the
two main methods of attack.
2.1 TCP SYN Flood
In order to set up a TCP connection, a three-way handshake takes place in the
TCP layer:
1. The client sends a SYN message to the server.
2. The server responds with a SYN-ACK message to the client.
3. The client sends back an ACK message (which may carry data) to confirm, and
   the connection is established.
Once the connection is established, the client and server can exchange TCP
packets. Because requests arrive from many different hosts, the server tracks
each half-open connection (SYN received, SYN-ACK sent, ACK still pending) in a
table. If too many of these requests arrive at a time, the table overflows and
the server is unable to accept any new connections.
To set up a TCP SYN flood attack, SYN requests are sent with a spoofed source IP
address; the server sends a SYN-ACK to that address and waits for an ACK that
never arrives. The pending connections eventually time out, but if the requests
keep arriving faster than the entries expire, the server is flooded with
half-open connections, the table overflows, and the server is unable to accept
new connections. This is what causes the denial of service.
What makes the flood so effective is that there are thousands of these
requests, all sent from compromised machines that have been broken into. This
makes it difficult to trace the perpetrator, since the attacker's own machine
could be any one of these hosts.
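The half-open table described above can be modelled to see exactly when the flood wins. The Python simulation below is an added example and is not part of the original paper; the table capacity, the timeout values, the SYN rate and the single legitimate client are all assumed parameters rather than the behaviour of any real TCP stack. It replays spoofed SYNs (which never receive an ACK) alongside one legitimate client that completes its handshake normally, and reports how many legitimate connections the server had to refuse:

```python
"""Simulation of a server's half-open TCP connection table under a SYN flood.

Added, hypothetical model (not code from the paper): capacity, timeout and the
traffic mix are assumed parameters, not the behaviour of a real TCP stack.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Entries are connections that received a SYN and were answered with a
    SYN-ACK but are still waiting for the client's final ACK."""
    capacity: int                                  # maximum pending entries
    timeout: float                                 # seconds before an entry is dropped
    pending: dict = field(default_factory=dict)    # source -> expiry time
    refused: int = 0                               # SYNs rejected because the table was full
    established: int = 0                           # handshakes that completed
    peak: int = 0                                  # highest occupancy observed

    def expire(self, now: float) -> None:
        """Drop entries whose wait for the ACK has timed out."""
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def on_syn(self, now: float, src) -> bool:
        """Handle an incoming SYN; return False if the server had to refuse it."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[src] = now + self.timeout
        self.peak = max(self.peak, len(self.pending))
        return True

    def on_ack(self, now: float, src) -> bool:
        """Handle the final ACK; return True if it completed a pending handshake."""
        self.expire(now)
        if src in self.pending:
            del self.pending[src]
            self.established += 1
            return True
        return False


def simulate(syn_rate: float, timeout: float, capacity: int, duration: float,
             legit_interval: float = 1.0, rtt: float = 0.05) -> dict:
    """Replay spoofed SYNs (one every 1/syn_rate s, each from a fresh unreachable
    address, so no ACK ever follows) against one legitimate client that tries to
    connect every legit_interval seconds and sends its ACK one rtt later."""
    table = HalfOpenTable(capacity, timeout)
    events = []
    for i in range(int(syn_rate * duration)):
        events.append((i / syn_rate, "syn", ("spoofed", i)))
    k, t = 0, 0.0
    while t < duration:
        events.append((t, "syn", ("legit", k)))
        events.append((t + rtt, "ack", ("legit", k)))
        k += 1
        t += legit_interval
    events.sort()                                  # replay in time order

    legit_ok = legit_refused = 0
    for now, kind, src in events:
        if kind == "syn":
            if not table.on_syn(now, src) and src[0] == "legit":
                legit_refused += 1
        elif table.on_ack(now, src):
            legit_ok += 1
    return {
        "legit_ok": legit_ok,
        "legit_refused": legit_refused,
        "spoofed_refused": table.refused - legit_refused,
        "peak_pending": table.peak,
    }


if __name__ == "__main__":
    # A long half-open timeout and a small table: the flood fills it in seconds.
    print(simulate(syn_rate=10, timeout=75, capacity=128, duration=60))
    # The same flood against a short timeout: entries expire as fast as they arrive.
    print(simulate(syn_rate=10, timeout=3, capacity=128, duration=60))
```

With the 75-second timeout the table reaches its 128-entry capacity about 13 seconds into a 10 SYN/s flood, and every legitimate connection attempt after that is refused even though only one real client is knocking; with the 3-second timeout the same flood never holds more than a few dozen entries, which is the effect of the timeout that the paper mentions but does not quantify.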
2.2 Smurf Attacks
Smurf attacks are the most recent in the category of Denial
of Service (DoS) attacks. They work as follows:
1. The attacker, from a compromised machine, sends a large number of ICMP echo
   requests (pings) to a set of machines on a particular subnet, called the
   reflector. The source address of these packets is forged to be that of the
   intended victim (target) machine.
2. The reflector machines each respond to the ping request, and the destination
   address of each reply is that of the ultimate victim machine.
3. The victim machine is flooded with these replies and can eventually be
   brought to its knees.
There are two parties affected by this attack: the reflector machines, and the
victim whose address was spoofed.
A related attack, similar to the smurf, is the "fraggle". In this case
UDP echo requests are sent instead of ICMP echo requests.
Together, smurf and SYN flood attacks account for the vast majority of the
flooding Denial of Service attacks reported.
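From the victim's side, both smurf and fraggle traffic share one signature: a burst of echo replies, from many hosts in a single subnet, that the victim never asked for. The following Python detector is an added example, not code from the paper; the record format (timestamp, source, destination, protocol, kind), the sample traffic and the alert thresholds are all constructed for illustration, standing in for what a packet capture or router log at the victim's edge would provide:

```python
"""Detecting smurf/fraggle reflection traffic at the victim's edge.

Added, hypothetical example (not code from the paper). Records are constructed
in a simple (timestamp, src, dst, proto, kind) form; thresholds are assumed.
"""
import ipaddress
from collections import defaultdict

VICTIM_A = "198.51.100.7"                              # constructed victim addresses
VICTIM_B = "198.51.100.9"
REFLECTOR_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed reflector subnet

# Constructed sample traffic: 40 unsolicited ICMP echo replies to VICTIM_A from
# reflector hosts (smurf), 20 unsolicited UDP echo replies to VICTIM_B (fraggle;
# proto "udp" stands for the UDP echo service), and one legitimate ping exchange.
RECORDS = [(float(i), str(REFLECTOR_NET[i + 1]), VICTIM_A, "icmp", "echo-reply")
           for i in range(40)]
RECORDS += [(float(i), str(REFLECTOR_NET[i + 1]), VICTIM_B, "udp", "echo-reply")
            for i in range(20)]
RECORDS += [
    (5.0, VICTIM_A, "203.0.113.5", "icmp", "echo-request"),   # victim pings a host ...
    (5.1, "203.0.113.5", VICTIM_A, "icmp", "echo-reply"),     # ... and gets a normal reply
]


def reflector_alerts(records, min_replies=10, min_reflectors=5):
    """Return one alert per (victim, protocol, reflector /24) that received at
    least min_replies unsolicited echo replies from at least min_reflectors
    distinct hosts. A reply is 'solicited' if the victim sent a matching request."""
    solicited = {(src, dst, proto)
                 for _, src, dst, proto, kind in records if kind == "echo-request"}
    replies = defaultdict(list)                    # (victim, proto) -> [reply source, ...]
    for _, src, dst, proto, kind in records:
        if kind == "echo-reply" and (dst, src, proto) not in solicited:
            replies[(dst, proto)].append(src)

    alerts = []
    for (victim, proto), sources in replies.items():
        by_subnet = defaultdict(set)               # /24 -> distinct reflector hosts
        for src in sources:
            by_subnet[ipaddress.ip_network(f"{src}/24", strict=False)].add(src)
        for subnet, hosts in by_subnet.items():
            count = sum(1 for s in sources if ipaddress.ip_address(s) in subnet)
            if count >= min_replies and len(hosts) >= min_reflectors:
                alerts.append({
                    "victim": victim,
                    "attack": "smurf" if proto == "icmp" else "fraggle",
                    "reflector_subnet": str(subnet),
                    "replies": count,
                    "reflectors": len(hosts),
                })
    return sorted(alerts, key=lambda a: a["victim"])


if __name__ == "__main__":
    for alert in reflector_alerts(RECORDS):
        print(alert)
```

Keying the alert on the reflector subnet rather than on individual sources is what makes the output actionable: the reflector network's operator is the one who can apply the directed-broadcast control discussed in the Solutions section, and the single legitimate ping exchange in the sample is correctly left alone because the victim's own echo request is on record.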
3. Tracing
The source addresses of the requests used in these attacks are
always spoofed, and are of no use in identifying the attackers. The only
reliable way to identify the attacker is to painstakingly track backwards, hop
by hop, through the network. This process requires the cooperation of the
network administrators along the paths the malicious requests travelled, in
order to examine the log information in the various routers on these paths. Law
enforcement agencies are also involved in taking action against identified
attackers.
The tracing process is as follows. The final router along the path, the one
that forwarded the malicious requests to the victim host or subnet, is
identified, and then the router(s) from which it received the traffic. For
each of these routers (or just one, depending on resources), the logs are
examined and the previous router along the path is found. This process is
followed backward until a compromised machine is found. That machine is then
examined to find out the source of its attacker.
There are several complications in this method:
- The perpetrators only send requests for a short period of time, so as to
  avoid detection.
- Sophisticated perpetrators penetrate multiple hosts and send attack requests
  from all of them, making the tracing process more difficult.
- Legal and political issues (e.g. the perpetrator may be in a foreign
  country) may make it difficult to prosecute the perpetrators.
- There has to be cooperation from the network administrators in charge of the
  routers along the path from which the attack originated. Most attempts at
  tracing DoS attacks fail, so most network operators are reluctant to spend
  time and resources helping to trace the source of an attack if their own
  systems were not affected. Most will only assist in a trace if law
  enforcement is involved.
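The hop-by-hop procedure above can be written down as a walk over router logs. The Python below is an added example and not the paper's own code; the router names, interface names, log entries and the "what sits behind this interface" map are all constructed, standing in for real flow or ACL logs and for the knowledge each operator has of their own topology. Because source addresses are spoofed, the walk keys on the destination (the victim) rather than on the source, and it stops wherever an operator has no logs, which is the failure mode the complications list describes:

```python
"""Hop-by-hop traceback through router logs.

Added, hypothetical example (not code from the paper). Topology, interface
names and log entries are constructed; real routers would provide flow or
ACL log lines, filtered to the attack's time window, in their place.
"""

VICTIM = "198.51.100.7"                # constructed victim address

# Constructed per-router logs: (ingress_interface, source, destination).
# Sources are spoofed and differ from hop to hop, so only the destination is
# a reliable key. A router absent from this dict kept no logs for us.
LOGS = {
    "edge-victim": [("ge0", "203.0.113.88", VICTIM), ("ge0", "10.9.9.9", VICTIM)],
    "core-1": [("ge2", "203.0.113.88", VICTIM), ("ge3", "10.9.9.9", VICTIM),
               ("ge4", VICTIM, "203.0.113.5")],      # the victim's own outbound traffic
    "isp-a": [("cust1", "203.0.113.88", VICTIM)],
    # "isp-b" is missing: that operator did not keep (or would not share) logs
}

# What sits behind each (router, ingress interface): another router whose logs
# can be examined next, or a customer/host port where this walk must stop and
# the machines behind it are examined directly.
UPSTREAM = {
    ("edge-victim", "ge0"): ("router", "core-1"),
    ("core-1", "ge2"): ("router", "isp-a"),
    ("core-1", "ge3"): ("router", "isp-b"),
    ("core-1", "ge4"): ("router", "edge-victim"),
    ("isp-a", "cust1"): ("host-port", "isp-a customer LAN 1"),
}


def trace_back(router, victim, logs=LOGS, upstream=UPSTREAM, visited=None):
    """Return every path (list of hop names) from `router` back to the points
    where traffic for `victim` entered the part of the network we can see.
    Each path ends either with a host port or with the reason the walk stopped."""
    visited = set(visited or ())
    if router in visited:
        return [[router, "loop detected"]]
    visited.add(router)
    if router not in logs:
        return [[router, "no logs available"]]
    # Interfaces on which this router saw traffic addressed to the victim.
    ingress = sorted({iface for iface, _, dst in logs[router] if dst == victim})
    if not ingress:
        return [[router, "attack traffic not found in logs"]]
    paths = []
    for iface in ingress:
        kind, name = upstream.get((router, iface),
                                  ("unknown", f"{router}/{iface}: upstream unknown"))
        if kind == "router":
            for tail in trace_back(name, victim, logs, upstream, visited):
                paths.append([router] + tail)
        else:
            paths.append([router, name])      # host port or unknown neighbour
    return paths


if __name__ == "__main__":
    for path in trace_back("edge-victim", VICTIM):
        print(" <- ".join(path))
```

The walk branches at core-1 because the attack entered from two directions, which is exactly what happens when the perpetrator has penetrated several hosts; one branch ends at a customer port that can now be investigated, the other dead-ends at an operator with no logs, and the dead end is reported rather than silently dropped so the investigator knows which cooperation is still missing.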
4. Solutions
While there is no foolproof solution, there are various ways
to mitigate the problems caused by DoS attacks.

- Secure the organization's servers
It is important for an organization to make its servers as secure as
possible, so as to prevent penetration of its machines by attackers who
wish to use those machines for DoS attacks. Such attacks would not be
possible if machines on the Internet were made more secure and
invulnerable to penetration.

- Implement ingress filtering[i] at the point of contact to the Internet
This is an anti-spoofing method known as ingress filtering. Ingress
filtering does not protect against flood attacks from legitimate IP
addresses, but it prevents an attacker within the originating network from
launching such an attack using spoofed source addresses that do not
conform to the ingress filtering rules. This provides protection in both
directions: it prevents an organization's machines from being used to
mount these attacks if any are broken into, and it blocks some of the
attacks that help intruders break into those machines in the first place.
IP address spoofing attacks could be rendered harmless if ingress filtering
were universally applied on the Internet.

- Control directed broadcasts[ii]
This method offers protection against the smurf attacks described above.
Packets sent from outside a subnet to that subnet's broadcast address are
called IP directed broadcast packets. The ICMP echo requests from the
attacking machine are often sent to the broadcast address of the reflector
subnet, making them IP directed broadcast packets. Because of the nature of
the IP addressing architecture, only the last router in the chain, the one
connected directly to the target subnet, can conclusively identify a
directed broadcast. Directed broadcasts are rarely used legitimately, since
IP broadcasts are generally made from a host on the same subnet. Such
packets should therefore be blocked at their point of entry into the
subnet.
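The two router-side controls, ingress filtering[i] and blocking directed broadcasts[ii], come down to a few address checks on each packet's arrival interface. The Python below is an added example, not the paper's code and not Cisco's implementation; the interface names, prefixes, the "customer"/"upstream" roles and the decision format are assumed for illustration. It applies the RFC 2267 rule on customer-facing interfaces, the mirror-image rule on the upstream side (an outside packet may not claim one of our own addresses), and drops packets to the broadcast address of any directly attached subnet unless they originated on that subnet:

```python
"""Edge-router anti-spoofing (RFC 2267 ingress filtering) and directed-broadcast
blocking. Added, hypothetical example: not the paper's code nor a vendor's;
interface names, prefixes and the decision format are assumed.
"""
import ipaddress


class EdgeRouter:
    def __init__(self, interfaces):
        """interfaces: name -> {"role": "customer" | "upstream", "prefixes": [cidr, ...]}
        Customer-facing interfaces list the prefixes legitimately behind them;
        the upstream interface carries everything else and lists no prefixes."""
        self.ifaces = {
            name: {"role": cfg["role"],
                   "prefixes": [ipaddress.ip_network(p) for p in cfg.get("prefixes", [])]}
            for name, cfg in interfaces.items()
        }

    def _owner_of(self, addr):
        """Return the interface whose prefixes contain addr, or None if it is external."""
        for name, cfg in self.ifaces.items():
            if any(addr in p for p in cfg["prefixes"]):
                return name
        return None

    def accept(self, iface, src, dst):
        """Decide whether a packet arriving on iface from src to dst is forwarded.
        Returns (accepted, reason) so that drops can be logged with their cause."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        cfg = self.ifaces[iface]
        # Ingress filtering (RFC 2267): a customer interface may only source
        # packets from the prefixes assigned to it; anything else is spoofed.
        if cfg["role"] == "customer" and self._owner_of(src) != iface:
            return False, "ingress-filter: source not in interface prefixes"
        # Mirror-image check on the upstream side: nobody outside may claim one
        # of our own addresses as the source.
        if cfg["role"] == "upstream" and self._owner_of(src) is not None:
            return False, "ingress-filter: external packet claims internal source"
        # Directed broadcast: a packet to the broadcast address of an attached
        # subnet that did not originate on that subnet is a smurf reflector hit.
        for name, c in self.ifaces.items():
            for p in c["prefixes"]:
                if dst == p.broadcast_address and name != iface:
                    return False, f"directed-broadcast: {dst} is the broadcast address of {p}"
        return True, "forwarded"


# Constructed router: two customer subnets and one upstream link.
ROUTER = EdgeRouter({
    "cust0": {"role": "customer", "prefixes": ["192.0.2.0/24"]},
    "cust1": {"role": "customer", "prefixes": ["198.51.100.0/24"]},
    "up0": {"role": "upstream"},
})


if __name__ == "__main__":
    # (interface, source, destination) triples: constructed sample packets
    samples = [
        ("cust0", "192.0.2.10", "203.0.113.5"),       # normal outbound packet
        ("cust0", "10.9.9.9", "203.0.113.5"),         # spoofed source from a customer
        ("up0", "192.0.2.10", "198.51.100.7"),        # outsider claiming an inside address
        ("up0", "203.0.113.5", "192.0.2.255"),        # directed broadcast (smurf reflector hit)
        ("cust0", "192.0.2.10", "192.0.2.255"),       # ordinary local broadcast
    ]
    for iface, s, d in samples:
        print(iface, s, "->", d, ROUTER.accept(iface, s, d))
```

Note that the local broadcast from inside its own subnet is still forwarded: the control only removes broadcasts that cross a router boundary, which is the case the paper says is rarely legitimate, so it can be applied without breaking ordinary LAN traffic.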
5. Conclusions
DoS attacks will continue to occur throughout the Internet
for the time being. The open, flexible and distributed nature of the Internet,
while a great characteristic, makes it vulnerable to such attacks. There are
various ways to limit the damage done by such attacks, outlined in the section
above. Network administrators must be educated and made aware of these measures,
and network equipment manufacturers such as Cisco are building more
intelligent features into their routers to enable early detection of such
attacks.
[i] Ingress Filtering - see RFC 2267: http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
[ii] Cisco: "Improving Security on Cisco Routers": http://www.cisco.com/warp/public/707/21.html#directed-bcast