SANS Warning: DDOS Danger Now Greater than Ever
According to a Feb. 24, 2000 press release by the SANS Institute, "James Madison University has found 160 Windows98 computers infected with the trinoo distributed denial of service Trojan. The news here is that the infection has spread to personal computers. The vast number of PCs connected to the Internet, now able to be used in DDoS attacks, raises the threat level substantially."
The Feb. 7 through 9, 2000 attacks on Yahoo, Amazon.com and others have shown that distributed denial of service attacks are threatening to surpass viruses as the most destructive forces in Cyberspace. These attacks may take over the resources of dozens to (conceivably) thousands of Internet host computers to simply fill up all available bandwidth at the victim network. Some of the more sophisticated attacks also throw in corrupted packets in an attempt to crash computers. Unfortunately, to shut down a giant web site is hardly an act of genius. It's an act of destruction, like setting fire to an apartment building. It involves running one hacker program to scan for computers that are vulnerable to a break-in program that the attacker has, breaking into these vulnerable hosts, and then installing a distributed DOS program on the hacked computers.
How the most widespread distributed DOS techniques work
Smurf
Smurf attacks are probably the easiest distributed DOS attack to commit. In its simplest form, the attacker begins by using a commonly available program to scan the Internet to locate routers that allow entry to broadcast pings. When he or she locates this kind of router, the next step is to forge ping packets with the origination address of the intended victim. This is done using packet manipulation tools such as those you can find at http://www.phrack.com and http://www.packetfactory.net. This type of attack can also use other Internet Control Message Protocol (ICMP) techniques.
To avoid arrest, the attacker will typically use a hacked computer to send out these forged ping packets. These packets are then sent to the network behind the vulnerable router. Each computer on this network echoes each attacking ping out to the victim designated in the ping's forged header. So if there are two hundred computers on this intermediary network, for every single ping of the attacking computer, they will send 200 pings out to the victim.
The defense against Smurf attacks is to contact an admin of the network being used as the intermediary for the attack. Smurf attacks also are stressful on the network that has been appropriated for the attack. So it is easy to get an admin's help. The quick fix is typically to deny broadcast pings at the intermediary network's border router, and be quite strict about what, if any, ICMP packets your border router allows.
For more details on Smurf attacks, see the Computer Emergency Response Team's advisory at
http://www.cert.org/advisories/CA-1998-01.html.
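As an added example (not part of the original article or the CERT advisory), here is the quick fix described above written out as Cisco IOS configuration for the intermediary network's border router; the interface names and the 192.168.10.0/24 addresses are assumptions:

```cisco
! Border router of a network that could otherwise act as a Smurf amplifier.
! Added example; interface names and addresses are constructed.
!
interface FastEthernet0/0
 description Internal LAN 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 description Link to upstream ISP
 ip access-group 101 in
 no ip directed-broadcast
!
! "no ip directed-broadcast" stops the router from forwarding a packet to the
! subnet broadcast address, so one forged ping can no longer be echoed by
! every host on the LAN.  The ACL below adds a second layer at the border:
! drop echo-requests aimed at the broadcast addresses (and log them), allow
! only the ICMP types hosts need for normal TCP operation, drop other ICMP.
access-list 101 deny   icmp any host 192.168.10.255 echo log
access-list 101 deny   icmp any host 192.168.10.0 echo log
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 unreachable
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 time-exceeded
access-list 101 deny   icmp any any log
access-list 101 permit ip any 192.168.10.0 0.0.0.255
```

The logged denies give the admin a record of who is still probing the network for broadcast pings after the fix is in place.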
MacOS 9 Smurf
According to a CERT advisory, http://www.cert.org/advisories/CA-1999-17.html, MacOS 9 can generate a large volume of traffic directed at victim.com in response to a small amount of traffic from an attacker. An intruder can use this asymmetry to amplify traffic by a factor of approximately 37.5. This is similar to a "smurf" attack. Unlike smurf, however, it doesn't use a broadcast ping to set it off.
Trin00
Trinoo (often also called trin00) is a distributed tool used to launch coordinated UDP flood denial of service attacks from many sources. A trin00 network consists of a small number of servers, or masters, and a large number of clients, or daemons. A denial of service attack utilizing a trin00 network is carried out by an intruder connecting to a trin00 master and instructing that master to launch a denial of service attack against one or more IP addresses. The trin00 master then communicates with the daemons giving instructions to attack one or more IP addresses for a specified period of time.
More information on trin00 is available at http://xforce.iss.net/alerts/advise40.php3.
Tribal Flood Network
One of the most dangerous distributed denial of service attack programs is the Tribal Flood Network (TFN), written by Mixter. This attack system uses Unix type computers to carry out ICMP flood, SYN flood, UDP flood, and Smurf attacks. It also creates a back door with root permissions on the attacking computers. As usual, the attackers break into other people's computers to run the attacks.
More details on Tribal Flood Network are available at http://www.cert.org/incident_notes/IN-99-07.html.
Stacheldraht
Stacheldraht (German for "barbed wire") combines features of trin00 and Tribal Flood Network. It adds encryption of communication between the attacker and Stacheldraht masters, and automates updates. For more information, see: http://staff.washington.edu/dittrich/misc/stacheldraht.analysis and
http://www.cert.org/reports/dsit_workshop.pdf
Tribal Floodnet 2K
Like Tribal Flood Network, Tribal Floodnet 2K (TFN2K) launches coordinated denial-of-service attacks from many sources against one or more targets. It adds features that make TFN2K traffic difficult to recognize and filter, that remotely execute commands, that spoof the source of the traffic, that carry TFN2K traffic over many protocols including UDP, TCP, and ICMP, and that confuse attempts to find other attack machines in a network taken over by TFN2K by sending "decoy" packets. It also attempts to crash the victim computers by sending bad packets.
For information on how it works, see http://www.cert.org/advisories/CA-1999-17.html
Other Distributed DOS Weapons
Want to learn how criminals can create these distributed DOS weapons? Randy Marchany of Virginia Tech has released an analysis of a TFN-like toolkit, using many publicly available elements, at http://www.sans.org/y2k/TFN_toolkit.htm.
What if You Discover Your Network Is Being Used to Run Distributed DOS Attacks?
Help is available from the SANS Institute at http://www.sans.org/y2k/DDoS.htm. Perhaps most significantly, this tutorial advises "Also, don't forget that if the attackers have full access to your system, they can read your mail and will know when you report the incident and what response you get. Do your communication from another system. During a network security incident the phone and fax are the recommended communication channels
is it worth it to leave the system connected to the Internet? Even though this system may be your department's web server, email server, etc., is it *really* more important to stay online?"
If you believe your site has been used to run any distributed DoS attack, the FBI is requesting that you contact your local FBI office: http://www.fbi.gov/contact/fo/fo.htm.
Cisco has a tutorial on how to gather forensic evidence against distributed DOS attacks at http://www.cisco.com/warp/public/707/newsflash.html#forensics.
How to Prevent Your Network from being Used in Distributed DOS Attacks
CERT offers additional instructions:
· Prevent installation of distributed attack tools on your systems: remain current with security-related patches to operating systems and application software, and follow security best practices when administering networks and systems.
· Monitor your network for signatures of distributed attack tools: sites using intrusion detection systems (IDS) may wish to establish patterns to look for that might indicate trin00 or TFN activity, based on the communications between the master and daemon portions of the tools. Sites that use proactive network scanning may wish to include tests for installed daemons and/or masters when scanning systems on their network.
· If you find a distributed attack tool on your systems: it is important to determine the role of the tools installed on your system. The piece you find may provide information that is useful in locating and disabling other parts of distributed attack networks. We encourage you to identify and contact other sites involved.
As of this writing, Elias Levy of Bugtraq reports that most of these break-ins have exploited weaknesses in RPC (remote procedure call) implementations. However, that is probably because that happens to be the break-in tool that the current crop of vandals happens to have at hand. Once different bands of vandals create their own tool kits or get hold of copies of these distributed attack programs, they will use their own favorite break-in tools. In general, you simply have to learn to be vigilant against break-in attempts. Some organizations encourage their employees to play break-in games so that they are the ones who find any weaknesses first.
What if You Are on the Receiving End of Distributed DOS Attacks?
Levy also suggests:
A number of routers in the market today have features that allow you to limit the amount of bandwidth some type of traffic can consume. This is sometimes referred to as "traffic shaping". In Cisco IOS software this feature is called Committed Access Rate (CAR). CAR allows you to enforce a bandwidth policy against network traffic that matches an access list.
This can be used in a proactive way if you know most of your network traffic will be of some particular type. For example, if you are running a web farm you can configure the system such that any web traffic gets as much bandwidth as it requires while limiting all other traffic to a smaller, manageable rate.
It can also be used in a reactive way if you can craft an access rule that will match some of the network traffic used by the DDOS attack. For example, if the attack is employing ICMP packets or TCP SYN packets you could configure the system to specifically limit the bandwidth those types of packets will be allowed to consume. This will allow some of these packets which may belong to legitimate network flows to go through.
Information on Cisco's tools to deflect Distributed DOS attacks: Cisco's Policing & Shaping Overview
http://www.cisco.com/warp/public/707/newsflash.html
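The reactive CAR policy Levy describes, written out as an added Cisco IOS example (this is not code from the article or from Cisco's page); the interface name, the 192.168.10.0/24 prefix of the protected network and the rate and burst values are assumptions to be tuned to the actual link:

```cisco
! Victim-side router: cap ICMP and TCP SYN traffic arriving from upstream
! so a flood of either cannot consume the whole link.
! Added example; interface, prefix and rate values are constructed.
!
! ACL 102 matches all ICMP.
access-list 102 permit icmp any any
!
! ACL 103 matches TCP packets that are NOT part of an established
! connection, i.e. the SYNs that open new connections.  Packets of
! established flows hit the deny line and are never rate-limited.
access-list 103 deny   tcp any 192.168.10.0 0.0.0.255 established
access-list 103 permit tcp any 192.168.10.0 0.0.0.255
!
interface Serial0/0
 description Link to upstream ISP
 ! ICMP: 256 kbit/s sustained, 8000-byte normal and excess bursts
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
 ! new TCP connections: 64 kbit/s sustained; legitimate SYNs still get through
 rate-limit input access-group 103 64000 8000 8000 conform-action transmit exceed-action drop
```

"show interfaces Serial0/0 rate-limit" shows the conformed and exceeded counters per rule, which is how you tell whether the limit is biting and whether the figures need adjusting. The "!" comment lines inside the interface block are for the reader and should be left out when pasting into a real router.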
Russ Cooper, moderator of the NTBugtraq email list, has more suggestions for warding off most DOS attacks:
You can call your ISP and get them to tell you, in writing, that they have anti-spoofing rules on all of their routers
You could temporarily disable ICMP from anyone other than your direct upstream provider. You can contact your ISP and ask them what they will do if you come under attack (or if they come under attack). You can sell your .com stocks...;-]
First, remember that access control lists won't help you. The attacks could appear to come from any IP address. You will definitely be better off if you can block distributed DOS attacks upstream from your border router. In many cases the problem is simply that your entire bandwidth is eaten up.
A good relationship with your ISP and upstream backbone is essential. Unless you are directly connected to an Internet backbone point of presence, your ISP should handle working with the backbone provider to identify where these attacks are entering their system - and then black holing them. In case your ISP is not accustomed to handling these attacks, it is a good idea to talk to them in advance of any problems so they know whom to call and what to do without wasting time. If your ISP or backbone provider is unfamiliar with how to prevent their system from carrying DOS attacks, they need to learn about network ingress filtering from RFC 2267 http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=2827&type=ftp&file_format=txt
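An added example, not from the article, of the RFC 2267 ingress filtering the text refers to (later republished as RFC 2827 / BCP 38), as an ISP would apply it on the customer-facing interface of a Cisco IOS router; the interface name and the customer prefix 192.0.2.0/24 are assumptions:

```cisco
! ISP edge router: only allow packets whose source address belongs to the
! customer's assigned prefix in from the customer link, so forged-source
! DOS traffic cannot leave that customer's network.
! Added example; interface name and prefix are constructed.
!
! The customer was assigned 192.0.2.0/24; nothing else may appear as source.
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip any any log
!
interface Serial1/0
 description Customer link, 192.0.2.0/24
 ip access-group 110 in
!
! Alternative on CEF-enabled routers where routing to the customer is
! symmetric: drop any packet whose source address would not be routed back
! out the interface it arrived on.  This needs no per-customer ACL.
ip cef
interface Serial1/0
 ip verify unicast reverse-path
```

The logged denies on ACL 110 are the evidence the ISP needs when the customer asks, as Russ Cooper suggests above, for written confirmation that anti-spoofing rules are in place.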
How to Catch Distributed DOS Tools on Your Network Before Criminals Launch Attacks
ISS's Internet Scanner 6.01 will detect hosts infected by DDOS agents.