
Distributed Denial of Service (DDoS)
Date Entered: Wednesday, 05 April 2000
Author: David Brumley and Joel de la Garza

What is a distributed denial of service (DDoS) attack?

Denial of service attacks are not new. Many large-scale websites are under constant pressure from various forms of attack. Security professionals began warning the Internet community about the threat of coordinated distributed attacks in October 1999.

DDoS attacks occur when one or more malicious hackers send more data to a computer than it can handle. In the case of a very popular website, the same effect can occur unintentionally, in the way that busy signals occur on Mother's Day when too many people call at once. Malicious hackers, however, use this type of attack deliberately to disrupt business by bringing down major websites.

Why do you use the term hacker?

Traditionally, the term hacker means anyone adept at computer programming, regardless of intent. Many of the most skilled security experts in the world proudly refer to themselves as white hat hackers and to malicious hackers as black hat hackers. For better or worse, today the term hacker is frequently used to describe anyone using technology to commit malicious activities.

How can these attacks be prevented?

Information security is much more than a technology problem. If you are a system or network administrator, you are responsible for the security of your networks, and there are a number of practical steps you can take immediately.

1. Set up router logging

During an incident you will want to collect information about the type of packets traversing your network. Where legally appropriate, this information can also help law enforcement locate the intruder. We have found the following tools particularly useful:

ARGUS - A network packet logger.
ftp://ftp.andrew.cmu.edu/pub/argus/

TCPDUMP - Logs all information about the packets on your network.
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

Cisco routers - Configure your Cisco router to log the packets it routes.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_5/config/nde.htm
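As an added example, not part of the original article: a small Python script that reads tcpdump lines captured during an incident and summarizes them per destination service, marking services that receive mostly bare SYNs from many distinct sources. The log lines are constructed and assume the current tcpdump -n output format (which differs from the 2000-era format); the threshold values are assumptions to tune for your own network.

```python
import re
from collections import Counter

# Constructed sample of tcpdump -n output (assumption: modern tcpdump line format).
SAMPLE_LOG = """\
12:00:01.000001 IP 198.51.100.7.4444 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 198.51.100.8.4445 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0
12:00:01.000003 IP 198.51.100.9.4446 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0
12:00:01.000005 IP 192.0.2.10.51000 > 203.0.113.5.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000006 IP 203.0.113.5.22 > 192.0.2.10.51000: Flags [S.], seq 0, ack 2, win 65160, length 0
12:00:01.000007 IP 192.0.2.10.51000 > 203.0.113.5.22: Flags [.], ack 1, win 502, length 0
12:00:01.000008 ARP, Request who-has 203.0.113.1 tell 203.0.113.5, length 28
"""

# IPv4 TCP lines only: timestamp, src.port > dst.port, and the TCP flag string.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return the fields of one TCP line, or None for lines we do not understand."""
    m = TCPDUMP_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, syn_threshold=0.8, min_sources=3):
    """Per destination service, count packets and mark likely SYN floods:
    mostly bare SYNs (flags "S", no ACK bit) from many distinct sources."""
    stats = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # ARP, ICMP, IPv6 etc. are skipped, not counted as TCP traffic
        key = f"{pkt['dst']}:{pkt['dport']}"
        s = stats.setdefault(key, {"total": 0, "syn_only": 0, "sources": Counter()})
        s["total"] += 1
        s["syn_only"] += int(pkt["flags"] == "S")
        s["sources"][pkt["src"]] += 1
    report = {}
    for key, s in stats.items():
        ratio = s["syn_only"] / s["total"]
        report[key] = {
            "total": s["total"],
            "syn_ratio": round(ratio, 2),
            "distinct_sources": len(s["sources"]),
            "top_sources": s["sources"].most_common(3),
            "suspect": ratio >= syn_threshold and len(s["sources"]) >= min_sources,
        }
    return report
```

Run it against a real capture with `summarize(open("capture.txt"))`; the `top_sources` list for a suspect service is what you hand to your ISP or law enforcement along with the raw log.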

2. Look for DDoS daemons/agents installed on your network.

David Brumley recently released a program called the Remote Intrusion Detector (RID). This tool can be used to find compromised machines on your network that could be used to launch DDoS attacks upon your network or against other systems. The official website for this program is http://theorygroup.com/Software/RID.

The program is also available on Packet Storm http://packetstorm.securify.com/.

ddos_scan is another program that can be helpful in finding DDoS agents. It was written by Dave Dittrich. http://www.washington.edu/People/dad/ddos_scan.tar

The National Infrastructure Protection Center has released a scanner for TFN/TRINOO/TFN2K/Stacheldraht.  http://www.fbi.gov/nipc/trinoo.htm

3. Create an incident response team (IRT)

The IRT is responsible for handling denial of service and other attacks. Set it up ahead of time, as normal communication lines may not be available during an attack. For assistance with this task, write to Securify.

The Computer Emergency Response Team (CERT) provides information on setting up an IRT. http://www.cert.org/security-improvement/modules/m06.html

If you find yourself being used as an amplifier or unwitting participant, you should contact the FBI at: nipc.watch@fbi.gov

What can I do as an individual?

Single-handedly, individuals cannot stop denial of service attacks. Network service providers -- the people responsible for the network infrastructure -- must make changes to their router configurations. You can ask your Internet Service Provider (ISP) whether they have configured their routers properly. Of course, they probably won't tell you if their routers are misconfigured, but your call can sound an alarm for them to take immediate action.

What can I do during an ongoing attack?

1. If you are an ISP, log as much of the activity as possible, then start backtracking the packets toward their source.

2. If you are a customer/user of a computer system, contact your ISP or MIS department immediately.

Where can I find more information on DDoS?

Stanford University Network Security Team
http://security.stanford.edu

PacketStorm
http://PacketStorm.Securify.com

Dave Dittrich's analysis of TRINOO, TFN, and Stacheldraht
http://www.washington.edu/People/dad/