a brief history of distributed denial of service
TRANSCRIPT
A Brief History of Distributed Denial of Service Attacks
Uniforum Chicago
August 22, 2000
Viki Navratilova
Security Architect, BlueMeteor, Inc.
Tonight’s Talk
• What is DDoS?
• Famous DDoS incidents
• Brief history of DDoS tools
• What’s new in DDoS tools
• Where to get more info on DDoS tools
• <break>
• How to keep DDoS from getting you down
Denial of Service (DoS)
• An attack that suspends the availability of a service
• Early DoS – smashing the computer with a sledgehammer
• Network DoS – modern times
• Prevents a network-based service from doing its job
• Can be as easy as pulling the network plug
What is DDoS?
• Distributed Denial of Service
• Many “zombie” computers ganging up on one computer, directed by one “master”, which is controlled by the attacker
The Week of Famous DDoS Attacks
• February 7-11, 2000
• CNN, Yahoo, eBay, Datek taken down for several hours at a time by traffic flooding
• Under-administered computers at a California college were used as the slave attack machines
• Trinoo, Tribe Flood Network, TFN2K, and Stacheldraht suspected as the tools used in the attacks
Early DDoS Tools (c. 1990? – 1997)
• Simple 1-tier attacks – the computer with the bigger bandwidth wins, kicks the loser off the modem/IRC channel
• Ping flood
• SYN flood
• UDP flood
• Smurf attack – early 2-tier attack
• Attacker machine imitates the victim, gets everyone to flood the real victim
Smurf Attack (2-tier)
[Diagram: the attacker sends broadcast pings to the slave networks with the victim’s address as the forged source; every host on those networks sends its ping reply to the victim. Labels: slaves, Broadcast Pings, Ping Replies, victim, “31337!”]
Modern DDoS Tools
• Once sites blocked broadcast pings, attackers found new ways to accomplish the same thing
• DDoS tools gave attackers a new way to communicate across networks with the slave attack computers
• The attacker has to break into several computers and install the DDoS slave client on each
• The master client is sometimes planted on an ISP’s name server – a machine unlikely to be taken off the network
DDoS Attacks (3-tier)
[Diagram: attacker → Master → Slave, Slave, Slave → Victim. Caption: “D00d!”]
Why DDoS Tools Suck for Your Network
• Hard to trace back to the original culprit
• Difficult to cut off the flow of attack traffic because it is coming from everywhere
• Difficult to catch the pre-attack communications between master and slave machines
Trinoo – First Publicly Available DDoS Tool (c. 1997)
• Attacker–master and master–slave communications are unencrypted (attacker to master over TCP, master to slaves over UDP)
• Easy to detect the communications and sniff the passwords
• Attack method: UDP flood
• Solaris & Linux machines
Tribe Flood Network (TFN) (c. 1998)
• Attacker & master communicate over whatever remote shell the attacker has: TCP, UDP or ICMP shells, telnet, or SSH (the tool itself adds no encryption)
• No password required to run commands
• Commands are sent as pre-determined 16-bit binary numbers
• Master & slaves talk ICMP (echo reply packets)
• DoS attacks available: ICMP, SYN, UDP, & Smurf-style floods
• Linux & Solaris
TFN2K (1999)
• Builds on TFN
• Decoy packets & other measures make traffic difficult to identify & filter
• Fakes the source address of communications
• New attacks include malformed-packet floods – greater devastation in fewer packets
• Available for Unix & NT systems
Stacheldraht (“Barbed Wire”) – Fine German Engineering (late 1999)
• Master–slave communications require passwords
• Telnet-like encrypted connections over TCP and ICMP
• Only way to prevent communications is to block all ICMP traffic (undesirable)
• Ability to upgrade master & slave software via rcp – increases client functionality
• Several DoS attacks like TFN
• Solaris & Linux
What’s New in DDoS Tools (since February 2000)
• Shaft (Nov 1999) – modeled after Trinoo
– Attacker–master: password-protected, over TCP / master–zombie: over UDP
– Can switch master servers and ports on the fly
– Uses a ticket system to match zombies with their masters
– Keeps zombie packet statistics
• Mstream (April 2000) – still in development
– Attacker-to-master commands sent in one packet over unencrypted TCP – password protected
– Master and zombies talk over UDP
– All logged-in users (attackers) are notified of access attempts
Where to Find More Info on DDoS Tools
• Dave Dittrich’s White Papers
http://staff.washington.edu/dittrich/misc/ddos
• Packetstorm’s Distributed Attack Tools http://packetstorm.security.com/distributed
• CERT Coordination Center
http://www.cert.org
Break
How to Keep DDoS Tools from Getting You Down
• Pay attention to your machines!
• Egress filter your network, i.e. make sure whatever comes out of your network only has source addresses that belong to you
• Ingress filter – confirm that packets coming in to you have source addresses that are not on your inside network
• Use tcpdump (Linux) or snoop (Solaris) to capture the attack traffic, and report the incident to law enforcement (NIPC):
tcpdump -i interface -s 1500 -w capture_file
snoop -d interface -o capture_file -s 1500
Cisco Router Configuration Options
• ip verify unicast reverse-path – drops a packet unless the route back to its source address points out the interface it arrived on (strict reverse-path check)
• Rate limit ICMP and SYN packets
• Filter non-routable address space:
interface xy
 ip access-group 101 in
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
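To make the filtering rules from the last two slides concrete, here is an added example (written for this page, not code from the talk and not Cisco IOS) that implements them in Python: egress filtering, ingress filtering with the same three RFC 1918 networks as access-list 101, a strict reverse-path check in the spirit of ip verify unicast reverse-path, and a token-bucket rate limit for ICMP and TCP SYN packets. The site prefix 198.51.100.0/24, the two-interface routing table, the packet rates and the sample packets are constructed assumptions; the point is only to show which packets each rule drops and why a spoofing zombie cannot get its flood out of a properly filtered network.

```python
"""Toy border filter for the countermeasures in the talk: egress and
ingress filtering, strict reverse-path checking, and ICMP/SYN rate limiting.

Added illustration, not code from the talk or from Cisco IOS.  The site
prefix, routing table and rates below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed site prefix (documentation space, not the speaker's own network).
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# RFC 1918 space: the three networks denied by the talk's access-list 101.
NON_ROUTABLE = [ipaddress.ip_network(p)
                for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed routing table: our prefix lives behind eth0, everything else is
# reached through the upstream link on eth1.
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): "eth0",
    ipaddress.ip_network("0.0.0.0/0"): "eth1",
}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def egress_allowed(src):
    """Egress filter: a packet leaving our network must carry one of our own
    source addresses.  A zombie on our network forging random sources (as
    TFN2K does) cannot get its flood past this rule."""
    return _in_any(ipaddress.ip_address(src), OUR_PREFIXES)


def ingress_allowed(src):
    """Ingress filter: a packet arriving from the Internet must neither claim
    one of our inside addresses nor come from RFC 1918 space."""
    addr = ipaddress.ip_address(src)
    return not _in_any(addr, OUR_PREFIXES) and not _in_any(addr, NON_ROUTABLE)


def reverse_path_ok(src, arrived_on, routes=ROUTES):
    """Strict unicast RPF: the longest-match route back to the source must
    point out the interface the packet arrived on, otherwise drop it."""
    addr = ipaddress.ip_address(src)
    best = max((net for net in routes if addr in net), key=lambda n: n.prefixlen)
    return routes[best] == arrived_on


class TokenBucket:
    """Rate limiter: `rate` tokens refill per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Packet:
    src: str
    proto: str          # "icmp", "tcp" or "udp"
    syn: bool = False   # TCP SYN flag, for SYN-flood limiting


class BorderFilter:
    """Applies the rules in the order a router would: address sanity first,
    then the per-class rate limits on ICMP and SYN packets."""

    def __init__(self, icmp_pps=100, syn_pps=100):
        self.buckets = {"icmp": TokenBucket(icmp_pps, icmp_pps),
                        "syn": TokenBucket(syn_pps, syn_pps)}

    def decide(self, direction, pkt, now, arrived_on=None):
        """Return 'permit' or 'drop'.  direction is 'in' (from upstream) or
        'out' (leaving our network); arrived_on enables the RPF check."""
        if direction == "out" and not egress_allowed(pkt.src):
            return "drop"
        if direction == "in" and not ingress_allowed(pkt.src):
            return "drop"
        if arrived_on is not None and not reverse_path_ok(pkt.src, arrived_on):
            return "drop"
        if pkt.proto == "icmp":
            limited = "icmp"
        elif pkt.proto == "tcp" and pkt.syn:
            limited = "syn"
        else:
            limited = None
        if limited and not self.buckets[limited].allow(now):
            return "drop"
        return "permit"


if __name__ == "__main__":
    # Constructed sample traffic: spoofed packets from outside, a normal
    # ping, and a packet trying to leave with a foreign source address.
    bf = BorderFilter(icmp_pps=3, syn_pps=3)
    for src, direction in [("198.51.100.7", "in"), ("10.1.2.3", "in"),
                           ("203.0.113.9", "in"), ("203.0.113.9", "out")]:
        print(direction, src, bf.decide(direction, Packet(src, "icmp"), 0.0))
```

The rate limiter is deliberately fed an explicit clock value so the behaviour is deterministic: with icmp_pps=3 the first three pings in the same instant pass and the fourth is dropped, and a second later the bucket has refilled. Real routers apply these checks per interface and the RPF check only makes sense on interfaces with symmetric routing, which is why the talk puts it on the border router rather than inside a multi-homed core.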
Tools to Help Detect DDoS Tools
• NIPC tools – locate installations on the hard drive by scanning file contents http://www.nipc.gov
• Zombie Zapper – puts Trinoo, TFN, Stacheldraht, and Shaft zombies “to sleep” when flooding http://razor.bindview.com
• Remote Intrusion Detector (RID) – locates Trinoo, Stacheldraht, TFN on the network http://www.theorygroup.com/Software/RID/
Q & A
Thank you