Distributed Denial of Service (DDOS)

- Presenter: David Andersen (dga@wind.lcs.mit.edu)
- Scribe: Dwaine Clarke (declarke@theory.lcs.mit.edu)
- Date: 02/14/00

- Everyone introduced themselves.
- DDOS was used in big ways last week to take out sites such as Yahoo, CNN.com, Buy.com, eBay, Amazon.com [1]

Basic idea of how it works

                                     | Victim |
                              ^^^  ^^^        ^^^   ^^^ 
                              |||  |||        |||   |||
                           |||     |||        |||    |||
                         |||       |||        |||      |||
                     |||           |||        |||         |||
                    -------      -------     -------    -------  
Compromised hosts  |       |    |       |   |       |  |       |
 called "zombies"   -------      -------     -------    -------
                            ^        ^         ^        ^
                            |        |         |        |
       Attacker sends         |      |         |      |
low bandwidth, hard to trace,   |    |         |    |
messages to "zombies"             |  |         |  |    
                                   | Attacker's |
                                   |   Client   |
- A client-server architecture
- The attacker compromises (i.e. gets root access on) a couple of hundred machines within a university or business and installs daemons such as Trinoo and TFN2K on them. The compromised machines are called "zombies".
- At a chosen time, he runs the client and sends messages to the "zombies" commanding them to flood the victim for a few hours. Simultaneity is important: the more zombies flooding the victim at the same time, the more successful the attack. The messages from the attacker to the "zombies" are low bandwidth, hard to trace, and sometimes encrypted.
- Programs which aid DDOS attacks can be easily obtained and run. [2]
- Two common types of DDOS: smurfing and SYN floods.

Smurfing [3]
- The attacker sends ICMP echo request packets from a remote location to the IP broadcast addresses of several networks. These packets are spoofed with the IP address of the victim.
- If the routers are configured to forward directed broadcasts, all of the machines on the broadcast address's network receive the ICMP echo request packets. Such a network is called a "smurf amplifier".
- The machines on the "smurf amp" all respond, sending ICMP replies to the victim's machine. The victim is subjected to network congestion that could potentially make the network unusable.
- There is an amplification effect: an attacker on a modem can take out a T1.
- Analogy: in a room full of people, you shout "Everyone, say hi to Dave", and everyone shouts back "Hi Dave" -> Dave is flooded.

SYN floods [4]
- The attacker compromises (gets root access on) tons of "zombies" and directs them to send TCP SYN packets to the victim.
- These SYN packets have their source IP address spoofed to an unreachable host, so the connections can never be completed. The victim's machine keeps each half-open connection in a buffer. As more SYN packets arrive, the buffer fills up and legitimate connection requests are rejected.
- An effective solution is "SYN cookies", which let a machine avoid remembering an incoming connection until the TCP handshake is completed.
- Most newer OSes are no longer vulnerable to this.
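The SYN-cookie idea from the two points above, as an added example (not code from the talk or from any kernel): the server encodes a time counter, the client's MSS and a keyed hash of the 4-tuple into the ISN it sends in the SYN-ACK, keeps nothing, and only allocates state when an ACK echoes a cookie it could have minted. The secret, the MSS table and the counter granularity are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed per-boot secret (a real kernel derives its own at boot).
SECRET = os.urandom(16)
# Small MSS table so the client's MSS fits in 3 bits of the cookie.
MSS_TABLE = (536, 1220, 1460, 4380, 8960)


def _mac24(src, sport, dst, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and a time counter."""
    msg = f"{src}:{sport}->{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, sport, dst, dport, mss, counter):
    """Server ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC.

    counter ticks roughly once a minute (assumed). Nothing about this SYN is
    stored, so a flood of spoofed SYNs consumes no half-open-connection buffer.
    """
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    mac = _mac24(src, sport, dst, dport, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def handle_ack(src, sport, dst, dport, ack_num, counter, max_age=4):
    """Validate the handshake's final ACK without any stored state.

    The client acknowledges ISN+1, so ack_num-1 is the cookie we minted.
    Returns the MSS for the new connection, or None if the cookie is forged,
    stale, or was issued to a different 4-tuple (a spoofed source never
    sees the SYN-ACK, so it cannot produce a valid ACK).
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    age = (counter - (cookie >> 27)) & 0x1F
    if age > max_age:
        return None  # SYN-ACK too old, or counter bits forged
    minted = counter - age  # recover the full counter the cookie was built with
    if _mac24(src, sport, dst, dport, minted) != (cookie & 0xFFFFFF):
        return None  # MAC mismatch: forged or mis-addressed ACK
    return MSS_TABLE[(cookie >> 24) & 0x7]
```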

Vulnerable "zombies"
- Universities. They don't use firewalls. Though the general security policies may be good, there are small pockets, e.g. labs or dorms, where individual security is lax. It is hard to keep everyone secure.
- Class B networks giving huge chunks of their network to one broadcast domain
- Big labs with a lot of computers all on one broadcast domain

Trying to determine the identity of the attacker
- Packets may have been spoofed, so you sometimes have to trace the packets hop by hop. This can be difficult, as businesses do not like to release information on their break-ins and might try to quickly destroy the evidence to save embarrassment. Packets may also have been encrypted. There are tools which can help, such as MCI's DOStracker. [2]
- Reconstruct attacks from logs. This can be difficult as, sometimes, good logs are not created, and some crackers remove logs when they break into machines.
- Reading newsgroups etc. and listening for attackers bragging.
- Proving in a court of law that a particular attacker is the culprit is difficult. It could be harder if court orders have to be obtained to get companies to help.
- If a cracker returns to the same machine, he'll be caught as the machine will be closely monitored.

- The signatures on several malicious daemons are detectable, so administrators can scan for them. Many products are available. However, some programs are open source, and attackers can change their signatures so that scanners do not detect them.
- Use Akamai, a distributed service. Denial of service attacks depend on being able to find bottlenecks; Yahoo uses a centralized database which the attackers were able to exploit. It was noted that Akamai just caches static pages; it is hard to distribute dynamic and interactive pages.
- Use ingress and egress filtering. [5]
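The two router-side defenses the notes mention, ingress/egress filtering [5] and not acting as a smurf amplifier [3], as one added example (not code from the talk or from any router vendor). The interface names, customer prefixes and connected LAN are a constructed topology; egress filtering is the same source check applied by a site to its own outbound traffic.

```python
import ipaddress

# Constructed example topology (not from the notes): customer links on an ISP
# edge router, each with the prefixes that customer was actually assigned.
CUSTOMER_PREFIXES = {
    "ser0": [ipaddress.ip_network("203.0.113.0/24")],
    "ser1": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}
# A LAN directly connected to the router: this is what becomes a "smurf
# amplifier" if the router forwards packets sent to its broadcast address.
CONNECTED_LANS = [ipaddress.ip_network("192.0.2.0/24")]


def ingress_allowed(iface, src):
    """RFC 2267 ingress filter: a packet arriving on a customer link is only
    forwarded if its source address lies inside that customer's prefixes.
    A zombie on that link therefore cannot spoof the victim's (or anyone
    else's) address; its packets are dropped at the first router."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in CUSTOMER_PREFIXES.get(iface, []))


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of a connected LAN. Refusing to
    forward these keeps the LAN from answering a spoofed echo request en masse."""
    dst = ipaddress.ip_address(dst)
    return any(dst == net.broadcast_address for net in CONNECTED_LANS)


def forward_decision(iface, src, dst):
    """The router's per-packet decision with both checks in place."""
    if not ingress_allowed(iface, src):
        return "drop: source not in customer prefix"
    if is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"


def spoof_counts(packets):
    """Count packets dropped as spoofed per interface over (iface, src, dst)
    tuples; a sudden rise on one link points at a compromised host there."""
    counts = {}
    for iface, src, dst in packets:
        if forward_decision(iface, src, dst).startswith("drop: source"):
            counts[iface] = counts.get(iface, 0) + 1
    return counts
```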

Possible Futures for Denial of Service attacks
- Automated clients.
- Make the programs which crack machines and install the zombie daemons worm-like. When an attacker is ready to launch an attack, he sends messages to several companies/universities. There would be a high probability that many of the machines which receive the messages are compromised "zombies".

[1] http://www.cnn.com/2000/TECH/computing/02/09/denial.of.service.03/index.html
[2] David Andersen. Distributed Denial of Service Attacks (DDOS)
[3] http://www.cert.org/advisories/CA-98.01.smurf.html
[4] Roger Dingledine, Kevin Fu. Concepts in Computer and Network Insecurity
[5] P. Ferguson, D. Senie. Network Ingress Filtering (RFC 2267). http://www.ietf.org/rfc/rfc2267.txt