Denial of Service (DoS) FAQ

February 14, 2000

Editor's note: Due to the importance of the story and the dynamic nature of the events surrounding it, we will be focusing our cover story on the Distributed Denial of Service Attack for at least a portion of this week. Although the media will obviously focus on the high profile e-commerce sites, the technology and circumstances behind the attacks make it a very real threat for any company that relies on the web. There is no magic bullet to solve this problem, but we can pull together as a community and reduce the number of vulnerable systems that can be proxied for attacks. There are also some actions you can take to mitigate and recover from such an attack. We hope this list of Frequently Asked Questions about Denial of Service will be of assistance to you.

This FAQ covers denial of service attacks (DoS) in great depth, and has links to software that can be used to execute DoS attacks. We do not condone or encourage the use of this software; however, since the "bad people" (or just curious people) can find it easily, we might as well tell you where it is. Also, reviewing the DoS attack code can be helpful in finding evidence of compromised systems, particularly if you do not have security scanning packages.

1.0 What are Denial of Service (DoS) attacks?
1.1 What are Distributed Denial of Service (DDoS) attacks?
1.2 Is a DoS/DDoS Attack a threat to sensitive data?
2.0 Who commits DoS/DDoS attacks, and why?
2.1 Curiosity
2.2 Malice
2.3 Financial gain
3.0 Are the attackers likely to be caught, and what are the penalties for DoS/DDoS attacks?
4.0 How can I protect my systems and networks from DoS/DDoS attacks?
4.1 Protecting the borders and gateways
4.1.1 Cisco routers
4.2 Protecting Internet servers
4.3 Protecting internal servers and clients
5.0 How can I prevent my systems and networks from being used for DoS/DDoS attacks right now?
6.0 How can I prevent my systems and networks from being used for DoS/DDoS attacks in the future?
7.0 How do I detect a DoS/DDoS attack directed at me?
8.0 What should I do if I am the target of a DoS/DDoS attack?
9.0 How do I detect a DoS/DDoS attack originating from me?
10.0 What should I do if I am the origin of a DoS/DDoS attack?
11.0 How do I trace a DoS/DDoS attack and prepare evidence?
12.0 DoS/DDoS attacks, software and counter software
12.1 Trinoo
12.2 Tribe Flood Network
12.3 TFN2K
12.4 stacheldraht
12.5 Smurf
13.0 Who do I contact if I am attacked or an attack originates from me?
14.0 What is in the future for DoS/DDoS attacks?

1.0 What are Denial of Service (DoS) attacks?

Denial of service attacks are simple and usually quite effective. An attacker attempts to overwhelm a service with requests, much like a 5 year old constantly tugging on his mother's sweater while she is trying to have a phone conversation: you can only do so many things at a time. For example, if you have a mail server capable of receiving and delivering 10 messages a second and an attacker simply sends 20 messages per second, chances are the legitimate traffic (as well as a lot of the malicious traffic) will get dropped, or the mail server might stop responding entirely. Typically attackers will go for high visibility targets such as the web server, or for infrastructure targets like routers and network links.

1.1 What are Distributed Denial of Service (DDoS) attacks?

If using one computer to launch an attack against a target works, then using 50, or 5,000, computers is probably going to work that much better (and enables the attacker to go "elephant hunting" for things like Yahoo!). It also allows the attacker to take a step or more back from the actual machines executing the attacks, making it more difficult to trace them.

1.2 Is a DoS/DDoS Attack a threat to sensitive data?

DoS and DDoS attacks typically do not pose a direct threat to sensitive data.
Usually the attacker is trying to prevent a service from being used, not actually compromise it. However, a DoS/DDoS attack may be used as a diversion while another attack is made to actually compromise systems. Additionally, administrators are more likely to make mistakes during an attack and possibly change a setting that creates a vulnerability that can be exploited. Services may need to be stopped or restarted, and if this is done incorrectly problems can be created; when modifying your network make sure you understand the effects of what you are doing (which may be different than normal while under attack).

2.0 Who commits DoS/DDoS attacks, and why?

There are far too many reasons to even have a remotely comprehensive list, but I will list a few anyway to give a quick overview.

2.1 Curiosity

Some attackers are only testing or playing with tools they have downloaded and do not actually realize the amount of damage they can create.

2.2 Malice

Some attackers disagree with corporate policies, or the color scheme used on the website, and attack the site for no real reason. Think of it as a simple act of vandalism, similar to someone spray painting "NARF NARF" on the side of your building.

2.3 Financial gain

This is a real potential nightmare; for example, a company might be attacked to delay the launch of an online service, or to discredit it. Attackers might be paid by a competitor, or might be attempting to manipulate a stock price.

3.0 Are the attackers likely to be caught, and what are the penalties for DoS/DDoS attacks?

It is hard to say. Most attackers are not highly skilled, but their tools are good at concealing identities. They may possibly be caught through a combination of painstaking auditing and cross referencing of log files and someone bragging or squealing on IRC. The FBI press conference on February 9th mentioned possible penalties of up to 5-10 years incarceration.

4.0 How can I protect my systems and networks from DoS/DDoS attacks?
Generally speaking, good security practices are the best long term protection. Disabling all unnecessary services, keeping software up to date, and subscribing to various email security lists will help. Having a current list of contact names and numbers for emergencies will be especially useful during an emergency. There is no one thing you can do to stop DoS/DDoS attacks (i.e. no "Anti DoS attack version 1.0" software).

4.1 Protecting the borders and gateways

The extremities of your network are usually the most accessible to an attacker, and the best choke points for attacks (most sites will have one link to the Internet; take that down and you have effectively taken down any services offered by that site). There are a number of measures you can take to protect your external routers: basic firewalling precautions (such as blocking spoofed addresses and so on) and protecting the mechanism used to broadcast and receive routing information (i.e. BGP, OSPF, and so on).

4.2 Protecting Internet servers

Disable any unneeded services and make sure the software is up to date. If possible, place at least one firewall between the server and the Internet; this way if there is an attack on the server you can probably block it at the server. Realistically, if the attacker is determined they can flood your bandwidth and there is nothing you can do on your servers to fix it. The key for most servers is to filter the traffic before it gets to them.

4.3 Protecting internal servers and clients

Firewall them heavily; no external hosts should require access to internal hosts on your network. If external hosts do require access you should consider Virtual Private Networking (VPN) to provide secure access to your internal LAN.

5.0 How can I prevent my systems and networks from being used for DoS/DDoS attacks right now?

Firewall any unneeded services and turn off any unneeded services; this will reduce the number of services that can be attacked.
As far as actually preventing an attack from succeeding, the best you can do is buy the most powerful servers you can afford, and tune the software (while under attack if necessary) to handle as many connections as possible. Reducing the timeouts on connections to services will decrease the effect of a flood somewhat, but legitimate connections may fail as well.

6.0 How can I prevent my systems and networks from being used for DoS/DDoS attacks in the future?

7.0 How do I detect a DoS/DDoS attack directed at me?

An unusually large amount of traffic, or servers suddenly experiencing above average loads, can be signs of a DoS/DDoS attack; on the other hand, they might represent a high usage peak. In any event you should examine the traffic and usage patterns: if the traffic is legitimate then you will probably want to tune your network and servers, or add additional equipment; if the traffic is an attack then you will need to deal with it accordingly. There are a number of Network Intrusion Detection Systems (NIDS) which can detect hostile attacks with a pretty good degree of accuracy; they are a good investment if installed and maintained properly.

8.0 What should I do if I am the target of a DoS/DDoS attack?

9.0 How do I detect a DoS/DDoS attack originating from me?

One of the more effective methods is to have filters on your firewall to block outgoing traffic that does not originate from your network (spoofed data). If you find this type of traffic hitting the firewall you can be relatively sure that internal hosts are being used for malicious purposes. Trace the data back to its origin, which should not be too difficult since (in theory) the network is under your control, and then, depending on your security policy, you might take the machine offline and examine it. Another effective method is to block the commonly used ports (like 37337) that are used to remotely control compromised machines.
In addition to this I would advise scanning your network for open ports on a regular basis using tools such as nmap or SAINT; any changes should be investigated and appropriate action taken. There is also a good network scanner called Nessus which will detect most common vulnerabilities; it is very easy to use (built on a client-server architecture with Windows and Java clients available), and free.

10.0 What should I do if I am the origin of a DoS/DDoS attack?

This heavily depends on your network security policy. You may for example wish to ultimately prosecute the offender, in which case you will need to take great pains to preserve the chain of evidence.

11.0 How do I trace a DoS/DDoS attack and prepare evidence?

12.0 DoS/DDoS attacks, software and counter software

There is a lot of DoS/DDoS software available on the Internet, and several organizations (including the FBI) have helped create and distribute software to counter it. Several Network Intrusion Detection Systems (NIDS) are capable of detecting these attacks, and of detecting remote usage of this software on your network.

12.1 Trinoo

Trinoo is an older and somewhat simpler DDoS tool compared to the current crop. It is more advanced than the older generation in that it uses password based authentication to allow access; these passwords are simply crypt()'ed and compiled in, and you can determine whether the binary on a machine is a master binary or a slave binary using a technique described in Dittrich's paper. If you find a master binary, chances are there is also a list of controlled hosts, which can be useful for assessing the degree of penetration of an attack. Trinoo uses unencrypted communications between the "masters" and "daemons" and typically uses the following ports for communication, making it somewhat easier to find:

1524 tcp
27665 tcp
27444 udp
31335 udp
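Sections 9.0 and 12.1 both come down to watching for specific traffic at the border: outbound packets whose source address is not yours, and connections to known control ports such as the Trinoo ports just listed. The following added Python example (not code from the FAQ) triages constructed flow records for both, and also flags inbound ICMP echo requests aimed at a directed broadcast address, the Smurf amplifier check described in section 12.5 below; the address ranges, record format and sample records are assumptions constructed for the example.

```python
# Added example, not code from the FAQ: triage of constructed flow records
# for three signs the FAQ describes (sections 9.0, 12.1 and 12.5).
import ipaddress

# Address space we own (constructed for the example).
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/25")]
# Control ports named on the page: 37337 (9.0) and Trinoo's
# 1524/tcp, 27665/tcp, 27444/udp, 31335/udp (12.1).
CONTROL_PORTS = {("tcp", 1524), ("tcp", 27665), ("tcp", 37337),
                 ("udp", 27444), ("udp", 31335)}
ICMP_ECHO_REQUEST = 8

def _is_ours(addr):
    return any(ipaddress.ip_address(addr) in net for net in OUR_NETS)

def _is_our_broadcast(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in OUR_NETS)

def parse_flow(line):
    """One constructed record: direction proto src dst <dport or icmp type>.
    direction is "in" (from the Internet) or "out" (toward it)."""
    direction, proto, src, dst, last = line.split()
    return {"dir": direction, "proto": proto, "src": src, "dst": dst,
            "dport": 0 if proto == "icmp" else int(last),
            "icmp_type": int(last) if proto == "icmp" else -1}

def classify(flow):
    """Findings for one record: spoofed egress (9.0), traffic to a known
    control port (9.0/12.1), or an echo request to our broadcast address,
    i.e. someone testing us as a Smurf amplifier (12.5)."""
    findings = []
    if flow["dir"] == "out" and not _is_ours(flow["src"]):
        findings.append("spoofed-egress")
    if (flow["proto"], flow["dport"]) in CONTROL_PORTS:
        findings.append("ddos-control-port")
    if (flow["dir"] == "in" and flow["proto"] == "icmp"
            and flow["icmp_type"] == ICMP_ECHO_REQUEST
            and _is_our_broadcast(flow["dst"])):
        findings.append("smurf-amplifier-probe")
    return findings

# Constructed sample: one clean flow, then one hit for each finding.
SAMPLE_LOG = """\
out tcp 192.0.2.10 203.0.113.5 80
out udp 10.9.9.9 203.0.113.5 53
out udp 192.0.2.44 203.0.113.77 27444
in icmp 203.0.113.9 192.0.2.255 8
in icmp 203.0.113.9 192.0.2.10 8
"""

def triage(log=SAMPLE_LOG):
    """Map each suspicious record to its findings; clean records are omitted."""
    return {ln: f for ln in log.splitlines() if (f := classify(parse_flow(ln)))}
```

A real deployment would feed exported flow or firewall logs into parse_flow instead of the embedded sample, and a spoofed-egress hit is the cue to trace the source host as section 9.0 describes.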
In addition, if you run crack on the crypt()'ed password in a daemon binary you can monitor the network for that keyword and detect when the attacker is sending orders to the daemon (this is useful if you are pursuing an investigation and want to track the person down for prosecution).

12.2 Tribe Flood Network

12.3 TFN2K

12.4 stacheldraht

12.5 Smurf

Smurf is one of the older DDoS attacks, and was one of the first to be widely publicized. It simply consists of sending a forged ICMP packet (that appears to be from the intended victim, i.e. 1.2.3.4) to the broadcast address of another network (6.7.8.255 for example); every machine on the remote network (say 100 machines) replies to the victim. This has the effect of amplifying the attacker's bandwidth, especially when you start pinging network addresses where hundreds of hosts respond. Smurf works because people do not configure their routers and/or firewalls correctly; there is no sane reason to need to send a broadcast ICMP packet to a remote network. Broadcast ICMP pings are useful on local networks, for determining which IP addresses are actively in use and so forth, but broadcast traffic should be blocked at the router and/or firewall. Simply add a firewall rule blocking traffic to your network address at the firewall and/or router; this is typically a relatively simple operation. If you want to see if a network is susceptible to being used to amplify ICMP pings simply visit one of the following websites, enter your network address and you will receive an answer quickly.

13.0 Who do I contact if I am attacked or an attack originates from me?

If you are being attacked the best person to contact immediately would be your upstream network provider (whoever you pay for bandwidth); they can help you trace the attack down, and/or block it (they in turn will probably contact their upstream provider, etc.).
You might also try contacting the site from which the attack originates; however, this can be difficult due to time zone differences, language differences, and so on. When contacting the remote site do not use email; there is a chance their email server and computer network may be fully compromised. Instead, find their phone number and call them (this is more likely to get a response as well). You can use whois to list the contact information for domains and network blocks. For example, if you wanted to contact example.org (a fictitious domain):

    [username@server username]$ whois example.org
    [rs.internic.net]
    Whois Server Version 1.1

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

       Domain Name: EXAMPLE.ORG
       Registrar: NETWORK SOLUTIONS, INC.
       Whois Server: whois.networksolutions.com
       Referral URL: www.networksolutions.com
       Name Server: NS.ISI.EDU
       Name Server: VENERA.ISI.EDU
       Updated Date: 31-aug-1999

    Last update of whois database: Thu, 10 Feb 00 02:15:17 EST

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.

So you now know which server to ask for the information, since there are multiple DNS registrars now:

    [seifried@mail seifried]$ whois example.org@whois.networksolutions.com
    [whois.networksolutions.com]

    The Data in Network Solutions' WHOIS database is provided by Network
    Solutions for information purposes, and to assist persons in obtaining
    information about or related to a domain name registration record.
    Network Solutions does not guarantee its accuracy.
    By submitting a WHOIS query, you agree that you will use this Data only
    for lawful purposes and that, under no circumstances will you use this
    Data to: (1) allow, enable, or otherwise support the transmission of
    mass unsolicited, commercial advertising or solicitations via e-mail
    (spam); or (2) enable high volume, automated, electronic processes that
    apply to Network Solutions (or its systems). Network Solutions reserves
    the right to modify these terms at any time. By submitting this query,
    you agree to abide by this policy.

    Registrant:
    Internet Assigned Numbers Authority (EXAMPLE2-DOM)
       4676 Admiralty Way, Suite 330
       Marina del Rey, CA 90292
       US

       Domain Name: EXAMPLE.ORG

       Administrative Contact, Technical Contact, Zone Contact:
          Internet Assigned Numbers Authority (IANA)  iana@IANA.ORG
          310-823-9358
          Fax- - 310-823-8649

       Record last updated on 14-Jun-1999.
       Record created on 31-Aug-1995.
       Database last updated on 10-Feb-2000 15:20:08 EST.

       Domain servers in listed order:

       VENERA.ISI.EDU   128.9.176.32
       NS.ISI.EDU       128.9.128.127

So you would now know who to contact (the IANA).

If you intend to contact law enforcement, your local police department is probably not equipped to handle it. You are much better off contacting a national organization (such as the FBI in the US, or the RCMP in Canada). There are many CERT (Computer Emergency Response Team) organizations spread around the world that can provide you with assistance. Contact information is below.

If an attack is originating from your site you may wish to contact the person on the receiving end of it so that you can coordinate

14.0 What is in the future for DoS/DDoS attacks?

More attacks on emerging services is a likely bet. We have already seen this with major attacks against e-commerce sites (but not against the e-commerce technology specifically).
With the growth of encryption online (secure web servers, IPSec, etc.) there will likely be more attacks against them, especially given the high CPU overhead associated with encryption. Granted, there are hardware cryptographic accelerators that can easily handle high loads, but they are quite expensive, and simply shift the weak link in the chain somewhere else. I also suspect there will be more attacks against services that provide authentication, such as PKI and LDAP servers, as the effect of "taking out" a major authentication provider would be felt by many people and be extremely disruptive to businesses (this would be similar to attacking root DNS servers, for example).