Distributed Denial of Service Attacks
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
A new exploit multiplies the disruptive power of denial of service attacks.
by Rik Farrow
In my November 1999 column "Blocking Buffer Overflow Attacks," I mentioned that some security experts were bored by the lack of innovative exploits. Well, a new class of exploit known as a Distributed Denial of Service (DDoS) attack has surfaced recently, and it's frightening. The emergence of DDoS also explains why someone would scan and break into thousands of systems, which is seemingly inexplicable behavior—except in light of this new exploit.
Network-based denial of service attacks became popular after the SYN floods that took down Web servers in 1996. Winnuke, teardrop, Land, bonk, snork, and smurf are but a few of the denial of service attacks that crash systems or clog networks. While these attacks are unpleasant enough, a new dimension has been added: These attacks can now be launched simultaneously from hundreds of remote-controlled attack servers.
Three tools for DDoS attacks, which can be found at hacker download sites, are trinoo, Tribe FloodNet (TFN), and TFN2K. At the time this article was written, a tool named stacheldraht (which means "barbed wire" in German) appeared, encompassing the most harmful features of TFN and trinoo.
On This Page
In an ordinary network-based denial of service attack, an attacker uses a tool to send packets to the target system. These packets are designed to disable or overwhelm the target system, often forcing a reboot. Often, the source address of these packets is spoofed, making it difficult to locate the real source of the attack.
In the DDoS attack, there might still be a single attacker, but the effect of the attack is greatly multiplied by the use of attack servers known as "agents" (see figure ). Called "daemons" in trinoo and "servers" in TFN, these agents are remotely controllable by the hacker. To get an idea of the scope of this attack, over 1,000 systems were used at different times in a concerted attack on a single server at the University of Minnesota. The attack not only disabled that server but denied access to a very large university network.
Before an attacker can launch a DDoS attack, he or she does have some work to do, including gaining root or administrator access to as many systems as possible. So far, Solaris and Linux systems have been used as agents in DDoS attacks. To gain access, scanning tools like sscan are used to probe for systems with specific vulnerabilities. With a list of these systems ready, the attacker uses a script to break into each of them and install the server software.
Dave Dittrich of the University of Washington mentions in his description of trinoo that the remote copy command (rcp) is often used during installation. The installation server will be another compromised system, and the sudden increase in rcp activity can be an indicator that a system has not only been compromised but is also being used to break into many more systems. Once the agent has been installed and started, it is ready to use.
TFN and trinoo take different approaches to remote control. In both cases, the attacker uses a client to send commands that control the agents. The trinoo master, called a handler, listens at port 27665/TCP for connections, only completing them after the appropriate password (betaalmostdone , in the default version) has been provided. Once the attacker has authenticated to the handler, he or she can send commands to all agents to launch UDP floods at one or more target systems for periods lasting from one second up to 2,000 seconds. The source address of trinoo packets is not spoofed, making finding the agents easy—except that there will be so many of them.
Trinoo supports other commands that can change the size of packets sent, stop an attack, check the status of an agent, and change the length of the attack. The agents send responses back to the handler using port 31335/UDP. The agents also contain a list of the IP addresses of all handlers and can be commanded to send a *HELLO* back to all handlers, something that can be done to flush them out. (For more on flushing out handlers, find the URLs for Dittrich's papers in Resources, page 76.)
TFN uses Internet Control Message Protocol (ICMP) echo replies (the same type of packet used in a Ping reply) to communicate between the client and the agents. Different code values designate different commands; for example, 345 means to start a SYN flood.
TFN supports several denial of service attacks: SYN floods, UDP floods, ICMP floods, and smurfing. Since the TFN server runs as a root, the source address may be spoofed (and most likely will be), making attacks harder to trace.
TFN2K appeared in December 1999 and included strong encryption (CAST-256 algorithm) for the control packets. The method for sending control messages changed so that the source address could be spoofed and different types of packets could be sent. The TFN2K agent sniffs the network interface and checks for data from a client network address that it can decrypt into valid commands. This makes detecting and tracking the handler more difficult. No responses are sent back to the handler, so the handler must assume that the TFN agent is responding.
TFN2K can run on both Unix and Windows NT systems. One command supports listening to a TCP port and running a Unix shell or cmd.exe as root or administrator, permitting the attacker to verify that the client is running, as well as update the client software or execute other commands on the "owned" system. Another command permits the execution of any one-line command as root or administrator. These backdoor commands alone make TFN2K attractive to an attacker.
The stacheldraht tool combines features of TFN and trinoo. Like TFN, stacheldraht can spoof source addresses. Stacheldraht can test to see if RFC 2267 filtering is in place by attempting to send a packet with the source address of 188.8.131.52. If this is blocked, source addresses will still be spoofed, but only on the lowest eight bits of the address.
Stacheldraht has an update feature that makes it possible to automatically replace the agents with new versions and start them. Stacheldraht uses encrypted TCP packets (somewhat like trinoo) to communicate between clients (the hacker's interface) and handlers. It uses encrypted TCP or ICMP packets to talk to agents. The default ports for the client and agents are 16660 and 65000, respectively.
The primary source and targets of DDoS attacks so far have been noncommercial entities. The majority of businesses have firewalls, which help prevent their being targeted as sites for distribution of the agents, or as hosts for agents themselves. Keep in mind that a poorly configured firewall is just as bad as no firewall, so just having a firewall is no guarantee of protection.
Once the DDoS attack has been launched, it's hard to stop. Packets arriving at your firewall may be blocked there, but they may just as easily overwhelm the incoming side of your Internet connection. If the source addresses of these packets have not been spoofed, you can try to find and then contact the responsible parties (for what may be hundreds of computers around the world) and ask them to stop the agents. If the addresses are spoofed, you will have no way of knowing if they reflect the true source of the attack until you track down some of the alleged sources (unless the addresses chosen were RFC 1918 addresses).
Imagine what it would be like to be a victim of hundreds of simultaneous attackers. Are you ready to try to contact hundreds of people around the world (anyone at your office speak Russian or Tagalog?), even as the attackers switch to another set of agents?
The sheer volume of sources involved in DDoS attacks makes attempts to stop it mind-boggling. However, there are preventative measures to help stop these attacks from occurring in the first place.
First and foremost, these attacks rely on finding thousands of vulnerable, Internet-connected systems and systematically compromising them using known vulnerabilities. If these systems are patched, the compromise will be prevented in the first place.
John Ladwig, security architect at the University of Minnesota, made this comment about the attack on an Internet Relay Chat (IRC) server at the university: "It frightened me that someone would throw away approximately 2,000 compromised hosts, primarily very well-connected [and] fairly powerful ones, presumably to seize IRC channels." What this implies is that the attackers either have, or presume to have, an infinite supply of vulnerable systems from which to launch future attacks.
If you discover a system that has been compromised, don't simply format the hard drive and reinstall. The attacker often leaves traces behind that can lead to other compromised systems. David Brumley, assistant computer security officer for Stanford University, wrote, "Often we'll find a list of hundreds of compromised hosts (usually because an intruder is using rcp over a rootkit and the rcps are logged in SYSLOG) on another site that the administrator was ready to just delete!" This list is a treasure trove for security people. Don't destroy evidence.
All of these DDoS tools require lists of agents, and the trinoo agents themselves include an encrypted list of masters. Finding a handler system with a list of agents makes the task of uncovering the agents much simpler—like finding a list of sites where terrorists have placed bombs. Even if you have the in-house capability to handle an incident of this type, send the files to the CERT Coordination Center (http://www.cert.org), along with the circumstances under which you discovered the files.
Finally, you can prevent your own networks from being the source of packets with spoofed source addresses. RFC 2267 describes techniques for ingress filtering—that is, filtering packets at the edge of networks so that only packets with legal source addresses may pass through the routers. Stopping all spoofed packets will not prevent these attacks, but it will make cleaning up after them much simpler.
Dave Dittrich's analyses of three Distributed Denial of Service (DDoS) attacks are available at the following sites: http://staff.washington.edu/dittrich/misc/trinoo.analysis, http://staff.washington.edu/dittrich/misc/tfn.analysis.
CERT's stacheldraht advisory, CA-99-17, is at http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html.
CERT Incident Note IN-99-07, relating to denial of service attacks, can be found at http://www.cert.org/incident_notes/IN-99-07.html. Break-in techniques are described in CERT Incident Note IN-99-04 at http://www.cert.org/incident_notes/IN-99-04.html.
RFC 2267, entitled "Defeating Denial of Service Attacks which Employ IP Source Address Spoofing," is available at http://www.landfield.com/rfcs/rfc2267.html.
Rik Farrow is an independent security consultant. He can be reached at mailto: email@example.com. His Web site, http://www.spirit.com, contains security links and information about network and computer security courses.
The above article is courtesy of Network Magazine. Click here to subscribe to Network Magazine.
Copyright © 1999, Miller Freeman Inc. All rights reserved
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.