DDoS Attacks: What are they exactly?

Since many sites have been claiming DDoS attacks without much of an explanation, we figured that we should provide some details.

What Exactly is a DDoS Attack?

It was in early 2000 that most people became aware of the dangers of distributed denial of service (DDoS) attacks, when a series of them knocked such popular Web sites as Yahoo, CNN, and Amazon off the air.

It's been almost four years since they first appeared, but DDoS attacks are still difficult to block. Indeed, if they're made with enough resources, some DDoS attacks, including SYN (named for TCP synchronization) attacks, can be impossible to stop.

No server, no matter how well it's protected, can be expected to stand up to an attack made by thousands of machines. Indeed, Arbor Networks, a leading anti-DDoS company, reports DDoS zombie armies of up to 50,000 systems.

Fortunately, major DDoS attacks are difficult to launch; unfortunately, minor DDoS attacks are easy to create.

In part, that's because there are so many types of DDoS attacks that can be launched. For example, last January the Slammer worm targeted SQL Server 2000, but an indirect effect, as infected SQL Server installations tried to spread Slammer, was to cause DDoS attacks on network resources, because every bit of bandwidth was consumed by the worm.

Thus, a key to thinking about DDoS is that it's not so much a kind of attack as it is an effect of many different kinds of network attacks. In other words, a DDoS may result from malignant code attacking the TCP/IP protocol or assaulting server resources, or it could be as simple as too many users demanding too much bandwidth at one time.

Typically, though, when we're talking about DDoS attacks, we mean attacks on your TCP/IP protocol. There are three types of such attacks: the ones that target holes in a particular TCP/IP stack; those that target native TCP/IP weaknesses; and the boring, but effective, brute force attacks. For added trouble, brute force also works well with the first two methods.

The Ping of Death is a typical TCP/IP implementation attack. In this assault, the DDoS attacker creates an IP packet that exceeds the IP standard's maximum 65,536-byte size. When this fat packet arrives, it crashes systems that are using a vulnerable TCP/IP stack. No modern operating system or stack is vulnerable to the simple Ping of Death, but it was a long-standing problem with Unix systems.

The Teardrop, though, is an old attack still seen today that relies on poor TCP/IP implementation. It works by interfering with how stacks reassemble IP packet fragments. The trick here is that when IP packets are broken up into smaller chunks, each fragment still carries the original IP packet's header as well as a field that tells the TCP/IP stack which bytes of the original packet it contains. When it works right, this information is used to put the packet back together again.

What happens with Teardrop, though, is that your stack is buried with IP fragments whose fields overlap. When your stack tries to reassemble them, it can't do it, and if it doesn't know to toss these trash packet fragments out, it can quickly fail. Most systems know how to deal with Teardrop now, and a firewall can block Teardrop packets at the expense of a bit more latency on network connections, since this makes it disregard all broken packets. Of course, if you throw a ton of Teardrop busted packets at a system, it can still crash.

And then there's SYN, for which there really isn't a perfect cure. In a SYN Flood, the attack works by overwhelming the protocol handshake that has to happen between two Internet-aware applications when they start a work session. The first program sends out a TCP SYN (synchronization) packet, which is followed by a TCP SYN-ACK acknowledgment packet from the receiving application. Then, the first program replies with an ACK (acknowledgment). Once this has been done, the applications are ready to work with each other.

A SYN attack simply buries its target by swamping it with TCP SYN packets. Each SYN packet demands a SYN-ACK response and causes the server to wait for the proper ACK in reply. Of course, the attacker never gives the ACK, or, more commonly, it uses a bad IP address so there's no chance of an ACK returning. This quickly hogties a server as it tries to send out SYN-ACKs while waiting for ACKs. When the SYN-ACK queues fill up, the server can no longer take any incoming SYNs, and that's the end of that server until the attack is cleared up. The Land attack makes SYN one step nastier by using SYN packets with spoofed IP addresses from your own network.

There are many ways to reduce your chances of getting SYNed, including setting your firewall to block all incoming packets from bad external IP addresses like 10.0.0.0 to 10.255.255.255, 127.0.0.0 to 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255, as well as all internal addresses. But, as SCO discovered, if you throw enough SYN packets at a site, any site can still be SYNed off the net.

Brute Force Attacks

Common brute force attacks include the Smurf attack and the User Datagram Protocol (UDP) flood. When you're Smurfed, Internet Control Message Protocol (ICMP) echo request packets, a particular type of ping packet, overwhelm your router. Making matters worse, each packet's destination IP address is spoofed to be your local broadcast address. You're probably already getting the picture. Once your router also gets into the act of broadcasting ICMP packets, it won't be long before your internal network is frozen.

A UDP flood works by someone spoofing a request to one of your systems' UDP chargen services. Chargen is a test program that generates semi-random characters in reply to any packet it receives; the spoofed request makes it answer to another of your network's UDP echo services, which sends the characters straight back. Once these characters start being reflected back and forth, your bandwidth quickly vaporizes.

Fortunately, for these two anyway, you can usually block them. With Smurfing, just setting your router to ignore broadcast addressing and setting your firewall to ignore ICMP requests should be all you need.

To dam up UDP floods, just block all UDP requests for your network except those to services you actually run. Programs that need UDP will still work. Unless, of course, the sheer volume of the attack mauls your Internet connection.

That's where the DDoS attack programs such as Tribe Force Network (TFN), Trin00, Trinity, and Stacheldraht come in. These programs are used to plant DDoS attack agents in unprotected systems. Once enough of them have been set up on naïve users' PCs, the DDoS controller sets them off by remote control, burying target sites from hundreds or even thousands of machines.

Unfortunately, as more and more users add broadband connections without the least idea of how to handle Internet security, these kinds of attacks will only become more common.

Deflecting DDoS Attacks

So what can you do about DDoS threats? For starters, all the usual security basics can help. You know the drill: make sure you have a firewall set up that aggressively keeps everything out except legal traffic, keep your anti-viral software up to date so your computers do not become a home for DDoS agents like TFN, and keep your network software up to date with current security patches. This won't stop all DDoS attacks, but it will stop some of them, like Smurfing.

You may not think you need these services, since in a worst-case scenario you're still going to get knocked off the net. But not every attack will be a massive one with thousands of attackers. For most attacks, these services can definitely help. And, let's face it, today we have PCs on the net 24-7. With DDoS attacks on the rise, you'd be wise to at least familiarize yourself with DDoS prevention services. After all, it's not only your network in danger, it's your business.
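The Teardrop section above says a stack fails when it trusts fragment offsets and tries to reassemble pieces that overlap. The following is an added example, not code from the article, showing what a defensive reassembler checks: each fragment must start exactly where the previous one ended, and anything that overlaps or leaves a gap is rejected rather than stitched together. The Fragment record and the sample fragments are constructed for the example; offsets are given in bytes here for readability, whereas the real IP header counts them in 8-byte units.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One piece of a fragmented IP datagram (constructed, simplified)."""
    ident: int      # IP identification field: identical for all pieces of one datagram
    offset: int     # byte position in the original payload where this piece starts
    payload: bytes
    more: bool      # "more fragments" flag: False only on the last piece


class OverlapError(ValueError):
    """Raised when a fragment claims bytes an earlier fragment already supplied."""


def reassemble(frags):
    """Rebuild one datagram's payload, refusing overlapping or gapped pieces.

    A stack that blindly copies bytes at whatever offset the header claims is
    what Teardrop breaks. Here every fragment must begin exactly at the byte
    after the previous fragment's last byte.
    """
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments belong to more than one datagram")
    ordered = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    expected = 0                      # next byte offset we are prepared to accept
    for f in ordered:
        if f.offset < expected:       # Teardrop signature: claims bytes already placed
            raise OverlapError(
                f"fragment at offset {f.offset} overlaps data ending at {expected}")
        if f.offset > expected:       # hole: datagram is incomplete, keep waiting/drop
            raise ValueError(f"gap before offset {f.offset}")
        out += f.payload
        expected += len(f.payload)
    if ordered[-1].more:
        raise ValueError("final fragment missing")
    return bytes(out)


def classify(frags):
    """Label a fragment set the way a firewall rule or IDS signature might."""
    try:
        reassemble(frags)
        return "ok"
    except OverlapError:
        return "teardrop-overlap"
    except ValueError:
        return "incomplete"


# Constructed samples: a clean two-piece request, a Teardrop-style pair whose
# second piece claims to start inside the first, and a set with a hole.
GOOD = [Fragment(1, 0, b"GET /ind", True), Fragment(1, 8, b"ex.html\n", False)]
TEARDROP = [Fragment(2, 0, b"A" * 8, True), Fragment(2, 4, b"B" * 8, False)]
GAPPED = [Fragment(3, 0, b"A" * 8, True), Fragment(3, 16, b"B" * 8, False)]

if __name__ == "__main__":
    for name, frags in (("GOOD", GOOD), ("TEARDROP", TEARDROP), ("GAPPED", GAPPED)):
        print(name, classify(frags))
```

Dropping on overlap is the conservative choice the article alludes to (a firewall that "disregards all broken packets"); the cost is that legitimately retransmitted fragments are discarded too, which is the extra latency it mentions.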
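The SYN Flood section above describes the server's SYN-ACK queue filling with half-open connections until new SYNs are refused. As an added illustration (not code from the article), the model below replays a constructed trace of TCP handshake events through a tiny backlog so the exhaustion is visible in a few lines, and flags sources that hold many half-open slots without ever completing a handshake. The backlog size, the flagging threshold and the trace are all made up for the example; a real kernel backlog is far larger and also ages entries out.

```python
from collections import OrderedDict

BACKLOG_SIZE = 4          # constructed: tiny queue so the trace fills it
SUSPECT_UNANSWERED = 3    # constructed: flag a source holding this many unanswered SYN-ACKs


class SynBacklog:
    """Model of a listening socket's half-open (SYN_RECV) queue.

    A (src, sport) entry is created when a SYN arrives and the server answers
    with SYN-ACK; it leaves the queue when the client's final ACK arrives.
    When the queue is full, further SYNs are refused, which is the state the
    article calls being "SYNed".
    """

    def __init__(self, size=BACKLOG_SIZE):
        self.size = size
        self.half_open = OrderedDict()   # (src, sport) -> True, oldest first
        self.refused = 0
        self.established = 0
        self.unanswered_by_src = {}      # src -> count of SYN-ACKs still awaiting ACK

    def on_packet(self, src, sport, flags):
        key = (src, sport)
        if flags == "S":
            if len(self.half_open) >= self.size:
                self.refused += 1        # queue full: this SYN is dropped on the floor
                return "refused"
            self.half_open[key] = True   # server sends SYN-ACK and waits
            self.unanswered_by_src[src] = self.unanswered_by_src.get(src, 0) + 1
            return "syn-ack sent"
        if flags == "A" and key in self.half_open:
            del self.half_open[key]      # handshake completed, slot freed
            self.established += 1
            self.unanswered_by_src[src] -= 1
            return "established"
        return "ignored"                 # ACK for an unknown connection, other flags

    def suspects(self):
        """Sources that tie up many slots and never send the final ACK."""
        return sorted(s for s, n in self.unanswered_by_src.items()
                      if n >= SUSPECT_UNANSWERED)


def replay(events, size=BACKLOG_SIZE):
    """Feed (src, sport, flags) events through a fresh backlog; return it and the verdicts."""
    backlog = SynBacklog(size)
    verdicts = [backlog.on_packet(*event) for event in events]
    return backlog, verdicts


# Constructed trace: one client completes its handshake, then a source claiming
# 10.9.9.9 (an address the article says to filter at the border, since no ACK
# can ever come back from it) fires SYNs and never acknowledges. A second
# legitimate client then arrives after the queue is already full.
SAMPLE_EVENTS = [
    ("198.51.100.7", 40001, "S"),
    ("198.51.100.7", 40001, "A"),
    ("10.9.9.9", 1001, "S"),
    ("10.9.9.9", 1002, "S"),
    ("10.9.9.9", 1003, "S"),
    ("10.9.9.9", 1004, "S"),
    ("198.51.100.8", 40002, "S"),
]

if __name__ == "__main__":
    backlog, verdicts = replay(SAMPLE_EVENTS)
    for event, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(event, "->", verdict)
    print("half-open:", len(backlog.half_open), "refused:", backlog.refused,
          "suspects:", backlog.suspects())
```

The last event is the one that matters for a defender: a legitimate client is refused not because of anything it did, but because four unanswered SYN-ACKs from one spoofed source have consumed the whole queue. That is why the article's advice to drop SYNs from unroutable source ranges helps, and why it cannot help once the volume exceeds what the link itself can carry.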
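The article gives three concrete border-firewall rules: drop inbound packets whose source claims the private or loopback ranges (10/8, 127/8, 172.16/12, 192.168/16) or one of your own addresses (which also catches the Land attack), ignore inbound ICMP echo requests (especially those aimed at your broadcast address, the Smurf case), and refuse UDP except to services you actually run (which closes the chargen/echo reflection loop). As an added example, not the article's own code, the policy function below applies those rules to a constructed packet record. The site's public block (203.0.113.0/24, a documentation range) and its allowed UDP ports are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Source ranges the article says an external packet can never legitimately carry.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed site layout: our own public block and the UDP services we expose.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumption: TEST-NET-3
ALLOWED_UDP_PORTS = {53, 123}                               # assumption: DNS and NTP only


@dataclass
class Packet:
    """Minimal inbound packet summary (constructed for the example)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # TCP/UDP destination port
    flags: str = ""       # TCP flags, e.g. "S" for SYN
    icmp_type: int = -1   # 8 = echo request


def ingress_verdict(pkt: Packet) -> str:
    """Return 'accept' or a 'drop: <reason>' string for one inbound packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. Private/loopback source on the outside interface: spoofed, and a SYN
    #    from it can never complete a handshake, so it only ties up the backlog.
    if any(src in net for net in BOGON_SOURCES):
        return "drop: bogon source"

    # 2. Our own address arriving from outside: anti-spoofing rule that also
    #    catches the Land attack (SYN with src spoofed to the target's network).
    if any(src in net for net in INTERNAL_NETS):
        return "drop: internal source from outside"

    # 3. ICMP echo requests: the article says to ignore them at the firewall;
    #    one aimed at the directed-broadcast address is the Smurf signature.
    if pkt.proto == "icmp" and pkt.icmp_type == 8:
        if any(dst == net.broadcast_address for net in INTERNAL_NETS):
            return "drop: echo request to broadcast"
        return "drop: inbound echo request"

    # 4. UDP only to services we run, so chargen (19) and echo (7) cannot be
    #    bounced off each other from outside.
    if pkt.proto == "udp" and pkt.dport not in ALLOWED_UDP_PORTS:
        return "drop: unsolicited udp"

    return "accept"


# Constructed sample traffic covering each rule plus two legitimate packets.
SAMPLE = [
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80, "S"),
    Packet("203.0.113.10", "203.0.113.10", "tcp", 80, "S"),
    Packet("198.51.100.7", "203.0.113.255", "icmp", icmp_type=8),
    Packet("198.51.100.7", "203.0.113.10", "udp", 19),
    Packet("198.51.100.7", "203.0.113.10", "udp", 53),
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "S"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto:<4} {ingress_verdict(p)}")
```

Rule ordering matters in practice: the source checks come first because they are cheap and apply to every protocol, and a real firewall would express the same policy as stateful rules rather than a per-packet function, but the decisions are the ones the article recommends.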