WWW Security FAQ: Securing Against Denial of Service Attacks

[W3C] The World Wide Web Security FAQ


DISCLAIMER

This information is provided by Lincoln Stein (lstein@cshl.org). The World Wide Web Consortium (W3C) hosts this document as a service to the Web Community; however, it does not endorse its contents. For further information, please contact Lincoln Stein directly.

11. Securing against Denial of Service attacks

Overview

Q88: What is a Denial of Service attack?

Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network capacity is consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources (for example, the table of half-open TCP connections) are consumed, and the computer can no longer process legitimate user requests. The high-profile attacks of the week of February 6th, 2000 were primarily bandwidth attacks, and all of the targets were high-profile internet web sites. A complete description of Denial of Service attacks is available from CERT on http://www.cert.org/tech_tips/denial_of_service.html.

Q89: What is a Distributed Denial of Service attack?

A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator multiplies the effect of the attack by harnessing the resources of many unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. At a designated time the master program sends a command to any number of "agent" programs installed on computers anywhere on the internet, and the agents, on receiving the command, initiate the attack. In this way the master program can set hundreds or even thousands of agents in motion within seconds.

Q90: How is a DDoS executed against a website?

A website DDoS is executed by flooding one or more of the site's web servers with so many requests that they become unavailable for normal use. If an innocent user makes normal page requests during a DDoS attack, the requests may fail completely, or the pages may download so slowly as to make the website unusable. DDoS attacks typically use many computers which simultaneously launch hundreds of thousands of requests at the target website. In order not to be traced, the perpetrators break into unsecured computers on the internet, hide rogue DDoS programs on them, and then use them as unwitting accomplices to launch the attack anonymously.

Q91: Is there a quick and easy way to secure against a DDoS attack?

No. From a simplistic perspective, the best solution is to secure computers from being hijacked and used as attack platforms, which cuts the problem off before it can ever manifest. Thus many experts suggest that we "pull together as a community" to secure our internet computers from becoming unwitting accomplices to such malicious intruders. Unfortunately, for every business that has the knowledge, budget, and inclination to make such changes, there are many more which lack such resources.

Moreover, the attackers are most likely to use non-commercial computers as attack platforms, because they are usually easier to break into. University systems are a favorite, because they are often understaffed or the systems are set to minimum security levels to allow students to explore them as part of their education. Further, this is not just a national problem: any internet server in the world could be used as an attack platform.

Still, the simplest and most effective solution for preventing DDoS is a global cooperative effort to secure the internet. The first step in the process, therefore, is to scan your own internet computers to make sure they are not being used as unwitting DDoS attack platforms. This is not just good internet citizenship: it also documents and verifies that your computers are not suspect when DDoS attacks occur.

Q92: Can the U.S. Government make a difference?

Certainly. The government could impose many types of restrictions on the internet that could greatly limit such attacks, at least from U.S.-based computers. Getting on the web could require the equivalent of a "Driver's License", having a website could require the equivalent of a "Commercial Permit", and all ISPs could be tightly regulated, much as the public utilities (water, power, etc.) are today. However, the government is treading a fine line between limiting criminal activity and limiting economic growth, education, freedom of information, and general personal freedoms. For the time being, the U.S. government appears to be looking for approaches that remain non-intrusive.

For example, President Clinton proposed that we develop an information security "cyber-corps" of recent college grads to fight DDoS and other cybercrimes. While this is a sensible proposal, will there be a rush of computer science grads who will want to join such a group? Computer science students are by and large interested in science, not in law enforcement, so if Clinton's proposal goes through, it will be interesting to see if the government can attract the best of the best to join the "cyberpolice".

It should be noted, however, that in all likelihood a more intrusive government role is inevitable if uncontrollable attacks continue. If the government tries to be both helpful and non-intrusive, they may be simply ignored by commercial ventures. For example, during the week of February 6, 2000, a report from Federal Computer Week revealed "that only 2,600 individuals had downloaded a free security tool from the FBI's Web page. That tool, which detects denial-of-service code, has been available since December."

Step by Step

Q93: How do I check my servers to see if they are active DDoS hosts?

  • Acquire one or more filesystem scanning tools to determine if any of the known DDoS tools are present on your server file system. Such scanners recognize only the tools they carry signatures for, so a clean scan is not proof of a clean host.
  • Use manual methods to double-check for DDoS activity originating from your network (techniques from Kurt Seifried, seifried@securityportal.com).

Q94: What should I do if I find a DDoS host program on my server?

  • Recognize that the presence of a rogue (Trojan Horse) program on your system indicates that a vulnerability exists which has been exploited. Other subtle and not so subtle changes could have been made to the system, so a complete analysis of your security vulnerabilities is required. While your system may not yet be displaying any overt problems, this is no reason to soften the incident response approach.
  • Execute your organization's incident response policy. If no policy has yet been put in place, then perform the following emergency steps, at minimum:
      • Write everything down, starting from the first suspicion of an incident. Depending on the severity of the compromise, this will help you both technically and legally.
      • Do not broadcast the information regarding the compromise to your organization. This cannot be helpful, and could lead to media involvement. Only inform those individuals who can directly assist in fixing the problem, your manager, and law enforcement officials.
      • Contact the strongest security experts in your organization for assistance. If none are available, ask management to request immediate assistance from a consulting firm that is experienced in incident handling for the operating system and system software that you are running.
      • Physically remove the compromised computer from the network (unplug the network cable). If the computer is mission-critical, then deploy a hot-backup server if available. If no hot-backup is available, then downtime is unavoidable.
      • Back up the compromised computer's file system. Before beginning the backup, dump any dynamic data tables maintained by your operating system to standard files so that they can be analyzed later. For example, the lists of currently executing processes, of currently logged-in users, and of current network connections should be dumped to flat files. Bear in mind that on a compromised host the system's own ps, netstat, ls and similar tools may have been replaced by versions that hide the intruder's activity, so run known-good copies from read-only media where possible. Then make two backups of the system using two different backup programs.
      • Shut down the compromised computer.
      • Re-start the computer.
      • Reformat the drives used by the system software.
      • Reinstall the operating system.
      • Apply all operating system patches.
      • Perform system "hardening" - this involves establishing operating system-specific settings to negate commonly known vulnerabilities.
      • Restore the file system - do not overwrite any system files, examine any password files manually before the restore, and treat restored user data as untrusted, since it may still contain the intruder's files.
      • Put the computer back on the network.
  • Check all other computers on the network to see if the same vulnerability has been exploited elsewhere.
  • A comprehensive incident handling approach is currently available on http://www.cert.org/tech_tips/root_compromise.html.
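
The volatile-data step above (dumping the process, user and network-connection tables to flat files before the backup, and keeping a record of what was collected) as a script. This is an added example and not part of the FAQ or of CERT's guidance; it assumes a POSIX sh with the usual UNIX tools and simply records any tool that is missing. The file names, the collection log and the manifest format are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the FAQ: capture the volatile state of a suspected
# DDoS host into flat files and hash them, before the disk backup and before the
# machine is powered off.  Assumes a POSIX sh with the usual UNIX tools; any
# tool that is missing is recorded as skipped rather than aborting the run.
# Set TRUSTED_BIN to a directory of known-good binaries (e.g. a mounted CD) so
# that possibly trojaned copies of ps, netstat, ls ... are not the ones used.
if [ -n "${TRUSTED_BIN:-}" ]; then
    PATH="$TRUSTED_BIN:$PATH"
fi

# Timestamp used in the collection log (UTC, so it lines up with other evidence).
now_utc() {
    date -u '+%Y-%m-%dT%H:%M:%SZ'
}

# Run one command, save its output, and append a line to the collection log.
# stderr is kept with stdout so a partial failure is visible later.
# Usage: capture <outdir> <label> <command> [args...]
capture() {
    outdir=$1; label=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$label.txt" 2>&1 || true
        printf '%s\t%s\t%s\n' "$(now_utc)" "$label" "$*" >> "$outdir/collection.log"
    else
        printf '%s\t%s\tSKIPPED (tool not found): %s\n' "$(now_utc)" "$label" "$*" \
            >> "$outdir/collection.log"
    fi
}

# Write manifest.sha256 covering every captured file, so the evidence can later
# be shown to be unaltered.  sha256sum on Linux, shasum on BSD/macOS.
hash_manifest() {
    outdir=$1
    if command -v sha256sum >/dev/null 2>&1; then
        hasher=sha256sum
    else
        hasher="shasum -a 256"
    fi
    (cd "$outdir" && ls *.txt collection.log | LC_ALL=C sort | xargs $hasher) \
        > "$outdir/manifest.sha256"
}

# Collect the dynamic tables the FAQ names (processes, logged-in users, network
# connections) plus a few other cheap and useful ones, with a timestamp first.
# Usage: collect_volatile <outdir>
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/collection.log"
    capture "$outdir" 00_date      date -u
    capture "$outdir" 01_uname     uname -a
    capture "$outdir" 02_uptime    uptime
    capture "$outdir" 10_processes ps -ef
    capture "$outdir" 11_users     who
    capture "$outdir" 12_logins    last -n 50
    if command -v netstat >/dev/null 2>&1; then       # classic tool ...
        capture "$outdir" 20_netconn netstat -an
        capture "$outdir" 21_routes  netstat -rn
    else                                                # ... or its Linux successor
        capture "$outdir" 20_netconn ss -anp
        capture "$outdir" 21_routes  ip route
    fi
    capture "$outdir" 22_arp       arp -an
    capture "$outdir" 30_crontab   crontab -l
    capture "$outdir" 31_mounts    mount
    hash_manifest "$outdir"
}

# Number of files the manifest covers; handy as a quick sanity check.
manifest_entries() {
    wc -l < "$1/manifest.sha256" | tr -d ' '
}

# Collect into a directory given on the command line, e.g.
#   sh collect_volatile.sh --into /mnt/evidence/host01
if [ "${1:-}" = "--into" ] && [ -n "${2:-}" ]; then
    collect_volatile "$2"
fi
```

Write the output to removable media or a directory that is not on the compromised disk, and copy manifest.sha256 somewhere the intruder could never have reached; the hashes are only evidence of integrity if the manifest itself is trustworthy.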

Q95: How can I prevent my servers from being used as DDoS hosts in the future?

  • Recognize and understand the vulnerabilities of internet servers.
  • If your system has already been compromised, then back up the filesystem, re-install the operating system and restore the filesystem (see Q94).
  • Install operating system updates provided by the OS vendor.
  • Secure the servers.
  • A comprehensive treatment of server-side security is currently available on http://www.cert.org/security-improvement/modules/m07.html.

Q96: How can I prevent my personal computer from being used as a DDoS host?

  • Recognize and understand the vulnerabilities of internet clients.
  • If your system has already been compromised, then back up the filesystem, re-install the operating system and restore the filesystem (see Q94).
  • Install operating system updates provided by the OS vendor.
  • Secure the clients/personal computers.
  • A detailed description of client-side DDoS is available on http://www.jmu.edu/info-security/engineering/issues/wintrino.htm.

Q97: What is a "smurf attack" and how do I defend against it?

smurf is a simple yet effective DDoS attack technique that takes advantage of ICMP (the Internet Control Message Protocol). ICMP is normally used on the internet for error handling and for passing control messages. One of its capabilities is to contact a host to see if it is "up" by sending an "echo request" packet; the common "ping" program uses this functionality. The smurf program is run from a compromised account and continuously "pings" the broadcast address of one or more networks using a forged source address. Every host on each such network answers, but the replies go to the forged address rather than to the computer that actually sent the packet, so a single request is amplified by the number of responding hosts. The owner of the forged source address, which is the actual target of the attack, is then overwhelmed by response traffic. The networks that respond to the forged ("spoofed") packets serve as unwitting accomplices ("amplifiers") to the attack. Defense strategies against smurf are the subject of Q101. Further information is available from CERT. A complete description of smurf by Craig Huegen is available on http://users.quadrunner.com/chuegen/smurf.txt.
Q98: What is "trinoo" and how do I defend against it?

trinoo is a complex DDoS tool that uses "master" programs to automate the control of any number of "agent" programs which launch the actual attack. The attacker connects to the computer hosting the master program, starts the master, and the master takes care of starting all of the agent programs based on a list of IP addresses. The agent programs then attack one or more targets by flooding them with UDP packets. Prior to the attack, the perpetrator will have compromised the computer hosting the master program and all the computers hosting the agent program in order to install the software. Defense strategies against trinoo are the subject of Q101. A complete description of trinoo was developed by Dave Dittrich and is available on http://staff.washington.edu/dittrich/misc/trinoo.analysis.
Q99: What are "Tribe Flood Network" and "TFN2K" and how do I defend against them?

Tribe Flood Network (TFN), like trinoo, uses a master program to communicate with attack agents located across multiple networks. TFN launches coordinated Denial of Service attacks that are especially difficult to counter, as it can generate several types of attack and can generate packets with spoofed source IP addresses. The attacks that can be launched by TFN include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (smurf). Defense strategies against TFN are the subject of Q101. A complete description of TFN was developed by Dave Dittrich and is available on http://staff.washington.edu/dittrich/misc/tfn.analysis. A TFN incident analysis from CERT is also available.

TFN2K is a more advanced version of TFN that "fixes" some of the weaknesses of TFN. A CERT incident analysis is available.
Q100: What is "stacheldraht" and how do I defend against it?

Stacheldraht (German for "barbed wire"), developed by Mixter, is also based on the TFN and trinoo client/server model, in which a master program communicates with potentially many thousands of agent programs. The perpetrator connects to the master program to initiate the attack. Stacheldraht adds the following new features: encrypted communication between the attacker and the master program, and automated updates of the agent programs using rcp (remote copy).

Stacheldraht launches coordinated Denial of Service attacks that are especially difficult to counter, as it can generate several types of attack and can generate packets with spoofed source IP addresses. The attacks that can be launched by Stacheldraht include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast. Defense strategies against Stacheldraht are the subject of Q101. A complete description of Stacheldraht was developed by Dave Dittrich and is available on http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.

To initiate an attack, the perpetrator accesses the master program and sends it the IP address of one or more targets. The master program then communicates with all of the agent programs, instructing them to begin the attack.
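
The traffic patterns described in Q97 through Q100 (spoofed echo requests to a broadcast address and the resulting reply storm, and the UDP and SYN floods that trinoo, TFN and stacheldraht agents generate) can be picked out of a packet trace with a few counters. The following is an added example, not from the FAQ or from any of the tools' analyses; the record format ("src dst proto info" per line, with info holding the ICMP type, the TCP flags or the UDP destination port) and the .255 test for broadcast addresses are this example's own simplifying assumptions, and the sample trace is constructed.

```shell
#!/bin/sh
# Added example (not part of the FAQ): first-pass triage of packet records for
# the traffic patterns produced by smurf and by the trinoo/TFN/stacheldraht
# agents.  Record format is an assumption made for this example:
#   src dst proto info
# where info is the ICMP type, the TCP flags or the UDP destination port.
# Adapt the field numbers to whatever your sniffer or flow collector emits.

# Write a constructed sample trace to the given path.  It mixes one smurf
# amplification attempt, the matching victim-side reply storm, one UDP flood,
# one SYN flood and some ordinary traffic.  Addresses are documentation ranges.
write_sample_flows() {
    cat > "$1" <<'EOF'
# src            dst            proto info
# spoofed echo requests to a directed-broadcast address: the "source" is the victim
203.0.113.9      192.0.2.255    icmp  echo-request
203.0.113.9      192.0.2.255    icmp  echo-request
203.0.113.9      192.0.2.255    icmp  echo-request
# what the victim sees: echo replies from many hosts it never pinged
192.0.2.10       203.0.113.9    icmp  echo-reply
192.0.2.11       203.0.113.9    icmp  echo-reply
192.0.2.12       203.0.113.9    icmp  echo-reply
192.0.2.13       203.0.113.9    icmp  echo-reply
192.0.2.10       203.0.113.9    icmp  echo-reply
192.0.2.11       203.0.113.9    icmp  echo-reply
# trinoo/TFN style UDP flood from several agents to one target, random ports
198.51.100.1     203.0.113.20   udp   34011
198.51.100.2     203.0.113.20   udp   4412
198.51.100.3     203.0.113.20   udp   60002
198.51.100.1     203.0.113.20   udp   17
198.51.100.2     203.0.113.20   udp   9932
198.51.100.3     203.0.113.20   udp   51000
# SYN flood: bare SYNs from many sources, never followed by the rest of the handshake
198.51.100.5     203.0.113.30   tcp   S
198.51.100.6     203.0.113.30   tcp   S
198.51.100.7     203.0.113.30   tcp   S
198.51.100.8     203.0.113.30   tcp   S
198.51.100.9     203.0.113.30   tcp   S
# ordinary traffic: a normal ping, a DNS query and a completed handshake
192.0.2.50       192.0.2.53     icmp  echo-request
192.0.2.53       192.0.2.50     icmp  echo-reply
192.0.2.50       192.0.2.53     udp   53
192.0.2.50       203.0.113.30   tcp   S
203.0.113.30     192.0.2.50     tcp   SA
192.0.2.50       203.0.113.30   tcp   A
EOF
}

# Print one alert line per suspicious pattern, sorted so the output is stable.
# Usage: flood_triage <file> [threshold]   (threshold defaults to 5 packets)
flood_triage() {
    file=$1; thr=${2:-5}
    awk -v thr="$thr" '
        /^#/ || NF < 4 { next }
        {
            src = $1; dst = $2; proto = $3; info = $4; key = ""
            # amplifier side of smurf: echo requests aimed at a directed-broadcast
            # address (crude .255 test; a real check consults the local subnet masks)
            if (proto == "icmp" && info == "echo-request" && dst ~ /\.255$/) {
                amp[dst]++
            # victim side of smurf: echo replies converging on one host
            } else if (proto == "icmp" && info == "echo-reply") {
                key = "smurf-victim " dst
            # UDP flood as launched by trinoo, TFN and stacheldraht agents
            } else if (proto == "udp") {
                key = "udp-flood " dst
            # bare SYNs converging on one host (TFN / stacheldraht SYN flood)
            } else if (proto == "tcp" && info == "S") {
                key = "syn-flood " dst
            }
            if (key != "") { count[key]++; seen[key SUBSEP src] = 1 }
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); nsrc[p[1]]++ }
            for (d in amp)
                printf "smurf-amplifier-target %s requests=%d\n", d, amp[d]
            # a flood needs volume and, to count as distributed, more than one source
            for (k in count)
                if (count[k] >= thr && nsrc[k] >= 2)
                    printf "%s packets=%d sources=%d\n", k, count[k], nsrc[k]
        }' "$file" | LC_ALL=C sort
}

# Run on the built-in sample:  sh flood_triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_sample_flows /tmp/flows.txt
    flood_triage /tmp/flows.txt
fi
```

The threshold of five packets is only sensible for a trace this small; on real traffic, count per time window and set the threshold from a baseline of normal load. Note that the "smurf-amplifier-target" line is the one you want to see on your own network, since it means your hosts are being used against someone else.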
Q101: How should I configure my routers, firewalls, and intrusion detection systems against DDoS attacks?

  • Against Smurf
  • Against trinoo
  • Against TFN and TFN2K
  • Against Stacheldraht
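
For the Linux case (a Linux host used as a firewall or router, or any Linux server you want to keep from acting as a smurf amplifier or collapsing under a SYN flood), the relevant kernel settings can be audited with the script below. This is an added example and not part of the FAQ: the settings table is this example's own selection, the /proc/sys root is a parameter so the script can be pointed at a copied tree for offline review, and the test-style fake tree is constructed. Dedicated routers have their own equivalents (on Cisco IOS, "no ip directed-broadcast" on every interface is the anti-smurf setting).

```shell
#!/bin/sh
# Added example, not from the FAQ: audit the kernel settings that decide whether
# a Linux host can be used as a smurf amplifier, will forward spoofed packets,
# or will fold under a SYN flood.  Assumes a Linux /proc/sys tree; the root is a
# parameter so a copied tree can be checked offline.

# Table of settings: sysctl path | wanted value | what the wrong value permits
SETTINGS='
net/ipv4/icmp_echo_ignore_broadcasts|1|answers broadcast pings: usable as a smurf amplifier
net/ipv4/conf/all/rp_filter|1|forwards packets with spoofed sources (no ingress anti-spoof check)
net/ipv4/tcp_syncookies|1|half-open connection table fills under a SYN flood
net/ipv4/conf/all/log_martians|1|spoofed or impossible sources are dropped silently, not logged
'

# Print one line per setting: OK or WEAK with the current and wanted value, and
# for each WEAK setting the sysctl -w command that corrects it.
# Usage: audit_ddos_sysctls [proc-sys-root]   (default /proc/sys)
audit_ddos_sysctls() {
    root=${1:-/proc/sys}
    printf '%s\n' "$SETTINGS" | while IFS='|' read -r path wanted why; do
        [ -n "$path" ] || continue
        if [ -r "$root/$path" ]; then
            current=$(tr -d '[:space:]' < "$root/$path")
        else
            current="missing"           # kernel without the feature, or a bad copy
        fi
        name=$(printf '%s' "$path" | tr '/' '.')
        if [ "$current" = "$wanted" ]; then
            printf 'OK   %s=%s\n' "$name" "$current"
        else
            printf 'WEAK %s=%s (wanted %s): %s\n' "$name" "$current" "$wanted" "$why"
            printf '     fix: sysctl -w %s=%s\n' "$name" "$wanted"
        fi
    done
}

# Number of WEAK findings, for use in scripts (0 means the host passes).
count_weak() {
    audit_ddos_sysctls "$1" | grep -c '^WEAK' || true
}

# Audit the running kernel:  sh audit_ddos_sysctls.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_ddos_sysctls /proc/sys
fi
```

The "fix" lines take effect immediately but not across reboots; put the same values in /etc/sysctl.conf (or a file under /etc/sysctl.d) as well. rp_filter=1 is strict reverse-path checking and will drop legitimate traffic on hosts with asymmetric routing, so verify the routing layout before enabling it on a multi-homed box.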


    Lincoln D. Stein (lstein@cshl.org)

    Last modified: Sun Mar 19 21:42:05 EST 2000