James Madison University Computing, October 20, 2014
This page is no longer maintained and is preserved for archival reference purposes only.

 

Distributed Denial of Service (DDOS) Attacks

The Problem

There are several tools being distributed on compromised computers that allow vandals to remotely control those computers to launch attacks rendering a victim's computers inoperable. The attacks on several prominent Web sites during the week of February 6-12, 2000 used these Distributed Denial of Service (DDOS) attack tools. The nature of the attack is such that it is very difficult to stop and next to impossible to prevent single-handedly. Some sites have experienced several days of downtime while trying to restore services.

The core problem is the existence of the compromised computers used to create the attack (note 1). The computers used in the attacks are compromised in several ways, including remote attacks on vulnerable, defective software and taking advantage of computers whose owners have loaded remotely controllable software such as remote control trojans and IRC bots. Some reports have put the number of compromised systems in the thousands. Many of the systems are compromised because patches for software defects that were reported and fixed months ago are never installed, because anti-virus tools are not kept up to date, and because the computer owners give away control of their computers by indiscriminately running unknown programs.

Recent studies have indicated these attacks may be widespread and underreported.

The basis of the attack is to overload a victim's computer resources by flooding them with traffic. This is done by commanding multiple compromised systems to send high rates of traffic. In addition, the traffic is often formulated in such a way that it consumes resources at abnormal rates.

Halting an attack is extremely complicated and time consuming for several reasons:

  • The flood of traffic will likely shut down the victim's network, making it harder for them to diagnose the problem, collect enough data to determine the sources involved, and communicate effectively. The upstream network provider may also fail under the volume of traffic, increasing the isolation.
  • With some types of attacks, the victim may be able to filter the traffic by its source with a firewall. But there are issues with the number of filters that can be put in place, how long it takes to install the filters, and what happens when the filters block traffic which the organization needs to perform its business. In addition, even with filters, there will be performance degradation because of the processing they require, sometimes to the point of making them ineffective as a defensive tool. If the attack overloads the upstream provider, then filtering is useless.
  • The victim may see traffic from hundreds or even thousands of computers. The traffic may be coming from compromised computers all over the world. To stop the attack requires tracing each different address back to the network and system from which it originated. Then the responsible organization must be contacted and asked to help shut down and/or clean the offending system. This can obviously be challenging across organizational and national boundaries. The tools allow a vandal to automate attack times and frequencies, so attacks may come and go before they can be traced.
  • If being attacked from a hundred different organizations is bad, imagine not knowing which hundred they are. Many of the DDOS tools allow the attacking machines to forge their source address and change it in a random manner. This may make it appear as though the attack is originating from tens of thousands of different computers when it actually may only be ten. This makes it impossible for an organization to single-handedly a) know where the traffic is coming from or b) filter the packets. The attack must be traced step by step from the victim back to the source through all the intermediary ISPs. This requires a large amount of cooperation and technical help from the ISPs, who may be in different countries, minimally staffed, and minimally motivated to help. In some attacks, the actual traffic isn't even coming from the attacking computers. It's coming from networks which are configured to allow themselves to be used as traffic amplifiers. In those cases, it is the traffic feeding the remote networks that has forged source addresses. This means the back-tracking must start on someone else's network, which increases the complications even more. And again, the attacker may vary the attack time and frequency to harry the victim and avoid capture.
  • Once the source organizations are identified, the victim must ask them one by one to clean or shut down a compromised computer. That computer may serve a critical function for the source organization. It may be their email server, for example. The source organization may not be staffed on weekends or at night. They may speak a different language. They may not have the authority or desire to help. The staff may be unfamiliar with the attack, system administration, network topology, or any number of things that may delay shutting down the attacking computer. If there are hundreds of computers involved in the attack, a victim can't spend much time hunting down each one before the recovery efforts are measured in days.

What You Can Do

If you are responsible for a unix computer, the following basic unix administration practices should be followed:

If you are responsible for a Windows computer, the following basic Windows operating precautions should be followed:

These precautions will help prevent your computer from being used in a DDOS attack.

If you know of compromised systems or systems that are improperly administered that may result in a compromise, please notify the people in charge of those systems so that the problems can be cleared up. This will make the net safer for everyone.

Further Information

An excellent collection of DDOS information is available on David Dittrich's site.

Further information on Paul Ferguson's site, including lots of Cisco-specific information and a wonderful cartoon.

CERT Advisory on Distributed Denial of Service Attacks

CERT October 2001 Update on DoS trends (pdf)

Sun Security Bulletins

Sun Recommended Patches

Security Resources for System Administrators (and operators) of Linux, Windows, and Generic Unix Computers

Wtrinscan - a Windows program that will scan for wintrinoo

Remote Intrusion Detector (RID) - a unix program that will scan for a variety of DDOS tools

Note 1: One could obviously argue that other issues are the core problems. Among them:

  • Defective computer products that are vulnerable to compromise.
  • Computer products that are vulnerable to attacks
  • Unrestricted freedom of movement in the Internet
  • The jerks doing the attacks

However, barring invulnerable computer products, restricted Internet access, or human behavioral controls I believe the best results will be obtained, at least at the organizational level, by focusing on the compromised computers used to perform the attack. Besides, if our computers are compromised, we'd better be worried about them for a lot of reasons besides their possible use in a DDOS attack. The compromised computers used in these attacks are privately owned computers whose owners assume their communications are private, their data intact, and any accounts accessed from the computers secure. If the computer is compromised enough to allow a DDOS tool, all those assumptions are false.

Other technical approaches to the problem are primarily effective only when widely implemented by the majority of Internet connected sites. These include egress filtering for spoof prevention and anti-smurf configurations. Egress filtering is a measure to prevent an attacker from sending packets with forged source addresses, which are what make an attack more difficult to track down. It does nothing to prevent an attack. For it to be successful, most, if not all, Internet connected networks worldwide must implement it. Anti-smurf configurations similarly must be implemented in the majority of Internet connected networks to prevent them from being used as attack amplifiers.
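The two border-router measures described above, egress filtering and the anti-smurf rule, expressed as a small Python model over constructed packets. This is an added example, not part of the original page; the prefixes, the sample traffic and the inbound "our own address arriving from outside" companion rule are assumptions chosen to illustrate the idea.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: the address space this site legitimately originates (RFC 5737 documentation prefixes).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def is_ours(addr) -> bool:
    return any(addr in net for net in OUR_PREFIXES)

def egress_verdict(pkt: Packet) -> str:
    """Outbound at the border (egress filtering): a packet leaving our network
    must carry one of our own source addresses; anything else is forged."""
    if not is_ours(ipaddress.ip_address(pkt.src)):
        return "drop: forged source"
    return "permit"

def ingress_verdict(pkt: Packet) -> str:
    """Inbound at the border. Anti-smurf: drop packets aimed at the broadcast address
    of one of our subnets, so we cannot amplify. Companion rule (assumption): one of
    our own addresses cannot legitimately arrive from outside."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if is_ours(src):
        return "drop: our address from outside"
    if any(dst == net.broadcast_address for net in OUR_PREFIXES):
        return "drop: directed broadcast"
    return "permit"

def apply_filter(packets, direction: str) -> Counter:
    """Tally verdicts for a list of packets; direction is 'out' or 'in'."""
    verdict = egress_verdict if direction == "out" else ingress_verdict
    return Counter(verdict(p) for p in packets)

# Constructed traffic samples (203.0.113.0/24 plays the outside world).
OUTBOUND = [Packet("192.0.2.10", "203.0.113.5"),       # legitimate
            Packet("10.9.9.9", "203.0.113.5"),         # forged source
            Packet("198.51.100.200", "203.0.113.5")]   # outside our /25, so forged
INBOUND = [Packet("203.0.113.7", "192.0.2.255"),       # ping-to-broadcast smurf trigger
           Packet("203.0.113.7", "192.0.2.20"),        # ordinary inbound packet
           Packet("192.0.2.30", "192.0.2.20")]         # our own address from outside

if __name__ == "__main__":
    print("outbound:", apply_filter(OUTBOUND, "out"))
    print("inbound:", apply_filter(INBOUND, "in"))
```

The point the paragraph makes still holds for the model: the egress rule only stops forged packets leaving this one network, so it protects other people's ability to trace an attack, not this site from being attacked.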

Another technical solution to the problem is traffic limiting. Basically, this consists of putting limits on the types of traffic allowed into a network. This works better for some attacks than others. It requires high end router features and may put significant load on the router doing the filtering. This may cause performance problems similar to the attack itself. Another problem area is the network link itself, which may become saturated with traffic. To address this, upstream providers would also have to rate limit traffic, which presents problems in administration, coordination, and identification of appropriate traffic levels for various traffic types at various points in the network.

Personal Reflection