Distributed Denial of Service Attacks

This whole deal was so interesting to me, and there was so much mis-information out about what went on, and so little correct information about what really happened, that I put this together.

This is in reference to the distributed denial-of-service attacks that affect a number of major mass-market web sites in February, 2000, and which caused (quite rightly, if only it had been done with more accuracy!) quite a stir...

Executive Summary:

Since the initial command to the masters is sent from a stolen or a one-time logon, and since the commands from the masters to the slaves is a transaction which uses machines that aren't even known to be compromised, the perpetrator(s) are at least two steps removed from the machines (the slaves) that perform the actual attack, and the real owners of the slave machines don't even know they're being used!

The actual ammunition, as it were, is generally a UDP flood.

UDP stands for User Datagram Protocol; this is one of the fundamental communications protocols that makes the Internet run; for example, DNS or the Domain Name System uses UDP. DNS is the name server system that maps domain names (www.finchhaven.com) to IP addresses (

It's not something that can be ignored...

This is why some authorities say this form of attack is extremely difficult to prevent!

A very comprehensive, but technical, discussion comes from Dave Dittrich at the UW's University of Washington's Computing & Communications Client Services group

And a superlative interview (although very technical..) with Dave Dittrich at /.

For some chilling reading, here's Mixter's "FAQ and Guide to Cracking"

Another very good discussion of this incident was made in "CRYPTO-GRAM, February 15, 2000" a "A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography" that I subscribe to, from http://www.counterpane.com

Some very important points that seem to have been missed in the popular media:

(Re-posted by permission given in the newsletter, although Bruce Schneier *does* ask that the entire newsletter be posted, which I'm *not* doing... ;-)

     Distributed Denial-of-Service Attacks

Suddenly, distributed denial-of-service (DDS) attacks are big news.  The 
first automatic tools for these attacks were released last year, and CERT 
sent out an advisory in November.  But the spate of high-profile attacks in 
mid-February has put them on the front pages of newspapers everywhere.

Not much is new.  Denial-of-service attacks have been going on for 
years.  The recent attacks are the same, only this time there is no single 
source of the attack.  We've seen these for years, too.  The attacker first 
breaks into hundreds or thousands of random insecure computers (called 
"zombies") on the Internet and installs an attack program.  Then he 
coordinates them all to attack the target at the same time.  The target is 
attacked from many places at once; his traditional defenses just don't 
work, and he falls over dead.

It's very much like the pizza delivery attack: Alice doesn't like Bob, so 
she calls a hundred pizza delivery parlors and, from each one, has a pizza 
delivered to Bob's house at 11:00 PM.  At 11, Bob's front porch is filled 
with 100 pizza deliverers, all demanding their money.  It looks to Bob like 
the pizza Mafia is out to get him, but the pizza parlors are victims 
too.  The real attacker is nowhere to be seen.

This sounds like a complicated attack on the Internet, and it is.  But 
unfortunately, it only takes one talented programmer with a poor sense of 
ethics to automate and distribute the attacks.  Once a DDS tool is publicly 
available, an attacker doesn't need skill; he can use a simple 
point-and-click interface to infect the intermediate sites, as well as to 
coordinate and launch the attack.  This is what's new: easy-to-use DDS 
tools like Trin00 and Tribal Flood Network.

These attacks are incredibly difficult, if not impossible, to defend 
against.  In a traditional denial-of-service attack, the victim computer 
might be able to figure out where the attack is coming from and shut down 
those connections.  But in a distributed attack, there is no single 
source.  The computer should shut down all connections except for the ones 
it knows to be trusted, but that doesn't work for a public Internet site.

Other defenses also have problems.  I've seen proposals that force the 
client to perform an expensive calculation to make a connection.  (RSA 
pre-announced such a "solution.")  This works against standard 
denial-of-service attacks, but not against a distributed one.  Large-scale 
filtering at the ISPs can help, but that requires a lot of effort and will 
reduce network bandwidth noticeably.

At least one report has suggested that a lack of authentication on the 
Internet is to blame.  This makes no sense.  The packets did harm just by 
the attempt to deliver them; whether or not they were authenticatable is 
completely irrelevant.  Mandatory authentication would do nothing to 
prevent these attacks, or to track down the attackers.

There have been two academic conferences on DDS attacks in recent weeks, 
and the general consensus is that there is no way to defend against these 
attacks.  Sometimes the particular bugs exploited in the DDS attacks can be 
patched, but there are many that cannot.  The Internet was not designed to 
withstand DDS attacks.

Tracing the attacker is also incredibly difficult.  Going back to the pizza 
delivery example, the only thing the victim could do is to ask the pizza 
parlors to help him catch the attacker.  If all the parlors coordinated 
their phone logs, maybe they could figure out who ordered all the pizzas in 
the first place.  Something similar is possible on the Internet, but it is 
unlikely that the intermediate sites kept good logs.  Additionally, it is 
easy to disguise your location on the Internet.  And if the attacker is in 
some Eastern European country with minimal computer crime laws, a bribable 
police, and no extradition treaties, there's nothing you can do anyway.

So far, these attacks are strictly denial-of-service.  They do not affect 
the data on the Web sites.  These attacks cannot steal credit card numbers 
or proprietary information.  They cannot transfer money out of your bank 
account to trade stocks in your name.  Attackers cannot gain financially 
from these attacks.  Still, they are very serious.  And it is certainly 
possible that an attacker can use denial of service as a tool for a more 
complicated attack that IS designed to steal something.

This is not to say that denial-of-service attacks are not real, or not 
important.  For most big corporations, the biggest risk of a security 
breach is loss of income or loss of reputation, either of which is achieved 
by a conspicuous denial-of-service attack.  And for companies with more 
mission- or life-critical data online, a DOS attack can literally put a 
person's life at risk.

The real problem is that there are hundreds of thousands, possibly 
millions, of innocent naive computer users who are vulnerable to 
attack.  They're using DSL or cable modems, they're always on the Internet 
with static IP addresses, and they can be taken over and used as launching 
pads for these (and other) attacks.  The media is focusing on the mega 
e-corporations that are under attack, but the real story is the individual 

Similarly, the real solutions are of the "civic hygiene" variety.  Just as 
malaria was defeated in Washington, DC, by draining all the swamps, the 
only real way to prevent these attacks is to protect those millions of 
individual computers on the Internet.  Unfortunately, we are building 
swampland at an incredible rate, and securing everything is 
impracticable.  Even if personal firewalls had a 95% market penetration, 
and even if they were all installed and operated perfectly, there would 
still be enough insecure computers on the Internet to use for these attacks.

I believe that any long-term solution will involve redesigning the entire 
Internet.  Back in the 1960s, some people figured out that you could 
whistle, click, belch, or whatever into a telephone and make the system do 
things.  This was the era of phone phreaking: black boxes, blue boxes, 
Captain Crunch whistles.  The phone company did their best to defend 
against these attacks, but the basic problem was that the phone system was 
built with "in-band signaling": the control signal and the data signal 
traveled along the same wires.  In the 1980s, the phone company completely 
redesigned the phone system.  For example SS7, or Signaling System 7, was 
out-of-band.  The voice path and data path were separated.  Now it doesn't 
matter how hard you whistle into the phone system: the switch isn't 
listening.  The attacks simply don't work.  (Red boxes still work, against 
payphones, by mimicking the in-band tones that count the coins deposited in 
the phones.)

In the long term, out-of-band signaling is the only way to deal with many 
of the vulnerabilities of the Internet, DDS attacks among 
them.  Unfortunately, there are no plans to redesign the Internet in this 
way, and any such undertaking might be just too complicated to even

So, what is the solution?

Apparently the real solution is 100% secure systems -- that any computer with a permanent connection to the Internet be 100% secured from the initial compromise by the cracker.

OK! So that's not going to happen!

So what is needed is at least a greatly heightened awareness of system security from sysadmins who manage Internet connected computer systems.

And yet this will only help, only some what...

Bruce Schneier apparently thinks a re-design of the Internet itself may be needed!

Certainly what is *not* needed is greater Federal power to do wire-taps and other forms of digital/electronic surveillance!

Stay tuned, folks! This will be interesting!

And finally, here's another take on the whole deal...

The Transport Control Pixies and the Internet Pixies system the Internet
currently uses can be abused, as the recent DoS attacks illustrate,
especially with the fat pipes to which many people now have access.

These pipes allow many malicious Pixies to be sent to a target,
completely overwhelming the targets ability to process them. 

The large numbers of Pixies that can traverse these fat pipes is the
main problem as I see it. A good short-term solution would be the
replacement of the fat pipes with bundles of thin pipes. At the targets
end, each thin pipe would have a small tap - when a DoS attack is detected,
simply open the taps in turn to allow the unwanted Pixies to drain
out into a bucket. Alternatively, a manned barrier could be set up at
the end of each thin pipe, and any swarthy looking, suspiciously odious,
black hatted, or otherwise dubious Pixies can be turned away. This doesn't
aid tracing the source, but will allow the force of the attack to be
diminished such that the target can remain relatively unscathed. 

Tracing an attack to the immediate source can easily be accomplished
by having a little valve in the thin pipe that when turned will shut
off the Pixie flow. Subsequent Pixes entering the pipe will cause it to
bulge gradually as the backlog builds up. By repeating this procedure
back from each machine the source will eventually be found. To save
having to walk all that way, the valves could have long pieces of string
attached to them so they can be turned on and off remotely. 

Finding the perpetrator of the DoS is more problematic. These days,
the normal breadcrumb back trail can be easily garbled by the less
than savoury element on the internet. The new Internet Pixie v6
implements the Taut String from End to End system to tie the source
to destination - any severing of the string to re-route it can be
instantly detected by loss of tension. However, this does us
no good currently. 

It only takes a single Pixie to start a DoS attack, and finding it
may not always be possible. An amateur will often leave the initial
Pixie unharmed. If a suspicious one is found, sieze it immediately
(ensure to keep its hands away from any magic pouches/flowers/musical
instruments that it may have on its person). A poorly cast Mind Erasure
spell can easily be undone by any one of a number of Re_Mind perl scripts.
A properly cast Mind Erasure can be tricky to undo and will require
a special Module be used - if you're not at ease with compiling programs,
pop the Pixie in a Jiffy Bag and post it to hemos@slashdot.org
(you may need to flatten the packet a little to get it into the floppy
disk orifice) - hemos will de-spell it and send the results back by return). 

A professional won't allow such evidence to remain - a common method is
the Pixie On A Bungee technique. The perpetrator fires said Pixie into
the attack machine with a long rubber band attached. With skill, the Pixie
shoots in, pushes the Start lever and gets yanked back out at very high
speed. A telltale clue of this is often fingernail scratches - sometimes
a misjudgement as to bungee length can leave fingers embedded in the lever
handle. Unfortunately, unless the Pixie drops his ID card, the chances of
tracking back further are very small, and really best left to the authorities. 


This was at /.


Canon Pro90 IS Digital Imaging!

All my digital photography
copyright John D Sage/FinchHaven
1999, 2000, 2001, 2002

Any and all e-mail addresses associated with this domain in any way
are located in the State of Washington,
and as such may not, by law, be harvested for spam.

This page preened using GNU Emacs 20.5.1
at www.FinchHaven.com by Webmaster
Last modified: Sun Nov 12 06:40:10 2006


Goto the Top