This page is no longer maintained and is preserved for archival reference purposes only.
Distributed Denial of Service (DDOS) Attacks
There are several tools being distributed on compromised computers that allow vandals to remotely control those computers to launch attacks rendering a victim's computers inoperable. The attacks of several prominent Web sites during the week of February 6-12, 2000 used these Distributed Denial of Service (DDOS) attack tools. The nature of the attack is such that it is very difficult to stop and next to impossible to prevent single-handedly. Some sites have experienced several days of downtime while trying to restore services.
The core problem is the existence of the compromised computers used to create the attack (note 1). The computers used in the attacks are compromised several ways including remote attacks on vulnerable, defective software and taking advantage of computers whose owners have loaded remotely controllable software such as remote control trojans and IRC bots. Some reports have put the number of compromised systems in the thousands. Many of the systems are compromised because patches for software defects that were reported and fixed months ago are never installed, because anti-virus tools are not kept up to date, and because the computer owners give away control of their computers by indiscriminately running unknown programs.
Recent studies have indicated these attacks may be widespread and underreported.
The basis of the attack is to overload a victim's computer resources by flooding them with traffic. This is done by commanding multiple compromised systems to send high rates of traffic. In addition, the traffic is often formulated in such a way that it consumes resources at abnormal rates.
Halting an attack is extremely complicated and time consuming for several reasons:
What you Can Do
If you are responsible for a unix computer, the following basic unix administration practices should be followed:
If you are responsible for a Windows computer, the following basic Windows operating precautions should be followed:
These precautions will help prevent your computer from being used in a DDOS attack.
If you know of compromised systems or systems that are improperly administered that may result in a compromise, please notify the people in charge of those systems so that the problems can be cleared up. This will make the net safer for everyone.
However, barring invulnerable computer products, restricted Internet access, or human behavioral controls I believe the best results will be obtained, at least at the organizational level, by focusing on the compromised computers used to perform the attack. Besides, if our computers are compromised, we'd better be worried about them for a lot of reasons besides their possible use in a DDOS attack. The compromised computers used in these attacks are privately owned computers whose owners assume their communications are private, their data intact, and any accounts accessed from the computers secure. If the computer is compromised enough to allow a DDOS tool, all those assumptions are false.
Other technical approaches to the problem are primarily effective only when widely implemented by the majority of Internet connected sites. These include egress filtering for spoof prevention and anti-smurf configurations. Egress filtering is a measure to prevent an attacker from being able to use forged packets which makes the attack more difficult to track down. It does nothing to prevent an attack. For it to be successful, most, if not all, Internet connected networks worldwide must implement it. Anti-smurf configurations similarly must be implemented in the majority of Internet connected networks to prevent them from being used as attack amplifiers.
Another technical solution to the problem is traffic limiting. Bascally, this consists of putting limits on the types of traffic allowed into a network. This works better for some attacks than others. It requires high end router features and may put significant load on the router doing the filtering. This may cause performance problems similar to the attack itself. Another problem area is the network link itself which may become saturated with traffic. To address this, upstream providers would also have to rate limit traffic which presents problems in administration, coordination, and identification of appropriate traffic levels for various traffic types at various points in the network.