User, save yourself
16 December 2002
Preventing DDoS attacks, or even reacting to them effectively, is a fight with windmills that neither the makers of network equipment nor the Internet service providers are in any hurry to join. Perhaps it is time for Internet users to take the problem into their own hands.
Author: Tomasz Grabowski
Translation: Aleksandra Malak
Problems with network devices, and especially with links, occur fairly often. Many of them disappear on their own before the administrator finds the cause. Sometimes, however, the cause is not the infrastructure at all but a distributed attack called DDoS (Distributed Denial of Service). The symptoms are usually very similar. At first a slowdown in Internet access is noticeable. Then come interruptions of a few minutes in network activity. Sometimes the loss of connectivity lasts a few hours, or even a few days. The incoming traffic effectively fills the whole available bandwidth of the Internet link and heavily overloads the victim's network devices, often bringing them to a standstill. In either case the victim's network is no longer reachable from outside. Where an Internet connection is indispensable to a company's operation, the losses caused by a DDoS attack can be painful. Cutting a company off from the world can also be only a means to another end: diverting the attention of network administrators from the real attack.
After the famous DDoS attacks on the biggest Internet portals in 2000, and after the recent attacks on the root DNS servers, we already know that DDoS attacks are a very real threat, but we still do not know how to defend against them. Anyone who has been on the receiving end of a DDoS attack even once will never forget the overwhelming helplessness, or the surprise that the protection methods commonly considered effective did not work in that particular situation.
A big farm in the foundations
To carry out an effective Distributed Denial of Service attack, the intruder must first take control of a few hundred or a few thousand computers on the Internet. The more widely they are scattered across different networks, the greater the chance of success, because dispersion makes it difficult to coordinate countermeasures. The position of the computers in the network also matters, and especially the bandwidth available to them. After gaining access to the computers, the intruder installs readily available, easy-to-use attack software, for example Trinoo, Stacheldraht or Tribe Flood Network. On the intruder's command the dormant programs wake up and are ready to perform the requested actions, for example sending a great number of ordinary or specially crafted packets toward a specified IP address or addresses.
Is assembling a suitable arsenal of computers for a DDoS attack a problem? Unfortunately not. For that purpose intruders use special software that finds, within a given range of IP addresses, the computers with known security holes. Next they use those holes to gain administrator privileges and automatically install the attack software. Carrying out a DDoS attack requires no special expert knowledge. It does not even take much time. At the Academic Centre of Computer Science in Szczecin (ACI) we carried out a detailed analysis of how one of these tools works. The tests showed that finding and taking control of a hundred computers can take the intruder about 20 minutes.
There can be many reasons for DDoS attacks: from the wish to play a joke or make somebody's life difficult, through plain vandalism, to the deliberate removal of inconvenient content from the net, and even terrorism. Fortunately, in most cases the reason is trivial. Analysis of the attacks seen by the Academic Urban Computer Network in Szczecin (AMSK) showed that the motivation of most intruders was the so-called IRC wars. Their aim is to deprive the victim of Internet access for a few minutes and, in that time, take over the IRC (Internet Relay Chat) channels managed from the victim's network. Those involved in such activity are mostly teenagers who regard it as real fun. We concluded that the areas of increased risk are in fact all services that offer access to system accounts, that is, companies that give clients interactive access to their systems via telnet or SSH.
Massive DDoS attacks lasting hours or days are not frequent. In most of the cases we examined at AMSK (approximately 80%), the DDoS attacks manifested themselves as sporadic breaks of a few minutes in Internet access. Long-lasting attacks make up only 5% of all DDoS attacks. This pattern follows from the fact that the longer an attack goes on, the greater the probability of tracing the attacker. Long-lasting DDoS attacks are most often connected with the intruder losing control of the computers he used, and in most cases the attacker does not want to lose the "goods" he has collected.
Fight with windmills
The traffic generated during a DDoS attack looks very much like the traffic of a network in normal operation. That is why simple traffic filtering gives no results against DDoS attacks. The packets sent to our network often have no common feature on which we could build a concise description of them. In any case the problem lies elsewhere: there are so many packets that they instantly fill the whole available bandwidth of the Internet link.
Tracing the source of an attack with simple methods is not possible, because packets sent during DDoS attacks usually carry a forged sender address. This points to a very important need for cooperation between Internet service providers, which, although they should, do not always check whether the traffic leaving their networks carries source addresses that match the real ones. Nor do they always check the reasons for increased traffic on some interfaces of their routers.
Defending against a particular DDoS attack can take a few hours, or even a few days. It depends on the number of attacking computers and the quality of cooperation between Internet service providers. To limit as far as possible the impact of a potential DDoS attack on the company's operation, we should prepare properly. It is worth checking whether the provider serving the company has a plan of action for a DDoS attack. But a plan is still not enough: nobody who has not even tried to simulate a DDoS attack in his own network is really prepared for its arrival.
We also need to check whether we ourselves will not become a tool in the intruder's hands when he attacks a different network. The basic precaution is to keep software up to date; after that, taking control of the company's computers is much harder for the intruder. The next matter is configuring the routers so that packets with a sender address different from the real one cannot be sent out through the company's network. This does not guarantee that the company's network will not be used in some attack, but it lets the victim of a DDoS attack inform us about the situation, so a fast reaction becomes possible.
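The border-router rule described above, as an added illustration that is not part of the original article: outbound packets may leave only with a source address from the company's own prefixes, and inbound packets from the Internet may not claim one of those addresses. The prefixes, the Packet type and the sample traffic are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address space of the company (constructed for this example).
COMPANY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "out": leaving the company net, "in": arriving from the Internet


def is_company_address(addr):
    """True if addr lies inside one of the company's own prefixes; malformed input is False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in COMPANY_PREFIXES)


def decide(pkt):
    """Return ('permit' | 'drop', reason) for one packet crossing the border router."""
    if pkt.direction == "out":
        # Egress rule: only packets whose source really belongs to us may leave.
        if is_company_address(pkt.src):
            return "permit", "outbound with genuine company source"
        return "drop", "outbound with forged source address"
    if pkt.direction == "in":
        # Ingress rule: nothing from the Internet may claim one of our own addresses.
        if is_company_address(pkt.src):
            return "drop", "inbound packet claims a company source"
        return "permit", "inbound with external source"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def summarize(packets):
    """Count permit/drop decisions and list the dropped packets with reasons."""
    counts = {"permit": 0, "drop": 0}
    dropped = []
    for pkt in packets:
        verdict, reason = decide(pkt)
        counts[verdict] += 1
        if verdict == "drop":
            dropped.append((pkt.src, pkt.direction, reason))
    return counts, dropped


# Constructed sample traffic seen at the border.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.5", "out"),     # genuine outbound
    Packet("10.9.9.9", "203.0.113.5", "out"),       # forged source: would make us a DDoS tool
    Packet("198.51.100.77", "203.0.113.9", "out"),  # genuine outbound, second prefix
    Packet("203.0.113.5", "192.0.2.10", "in"),      # genuine inbound
    Packet("192.0.2.99", "192.0.2.10", "in"),       # outside packet pretending to be internal
    Packet("not-an-ip", "192.0.2.20", "out"),       # malformed source
]

if __name__ == "__main__":
    counts, dropped = summarize(SAMPLE_PACKETS)
    print(counts)
    for src, direction, reason in dropped:
        print(f"  {direction:>3} {src:<16} {reason}")
```

The outbound check is the one the article asks for; the inbound mirror image is added because a packet arriving from the Internet with an internal source address is just as certainly forged, and dropping it costs nothing. Malformed addresses fall through to "drop", so a parsing failure never lets a packet out.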
We cannot counteract DDoS attacks with network devices of the latest generation either. In the last few years many interesting projects concerned with detecting and tracing DDoS attack sources have appeared, for example IP Traceback, ICMP Traceback or CenterTrack. Yet none of them has seen large-scale deployment, which is a basic condition of its effectiveness. Manufacturers are in no hurry to equip their devices with the new software, citing its numerous defects. The main defect is that the intruder can deceive devices that use these techniques and direct suspicion toward a network that has nothing to do with the attack. Moreover, practical tests have shown that in the case of a geographically very dispersed attack these techniques are rather disappointing. For now we still have to trace the authors of an attack relying on the better or worse cooperation of service providers.
Helpful Jennie
The situation is not completely hopeless. Instead of manually detecting increased traffic on interfaces, Internet providers could use special software that does it automatically. Tracing the author of an attack would then take incomparably less time than at present. Solutions of this type, intended mostly for large corporate networks and bigger ISPs, are offered by a few companies such as Arbor, Mazu, Captus or Asta. After installation these tools "learn" the traffic typical of a given network and then detect anomalies. The algorithms used in these tools do not give 100% certainty of tracing the source of an attack, but they help to reduce its power. The main drawback of these solutions is that they require the purchase of dedicated devices, and they cooperate only with Cisco and Juniper routers.
Considering these limitations, at the Academic Centre of Computer Science in Szczecin we started an open source project called Jennie, within which software for fighting DDoS attacks is being developed. The system can determine, among other things, whether the network is the source or the target of an attack, and detect on which interfaces the hostile packets pass. It can also suggest to the administrator ways to reduce the attack's negative influence on the network, for example by indicating on which interface and what kind of filters he should enable. After detecting an attack, Jennie would redirect the suspicious traffic to a specialized station, where it would be analyzed in detail; the result of that analysis is information about what should be configured, and how, on individual devices. Moreover, this specialized system would log the content of all suspicious packets to enable their further analysis, for example as evidence.
The Jennie package would also be equipped with detectors of traffic patterns characteristic of known DDoS attack programs. This would help in detecting computers that have been taken over, for example by correlating their activity with the course of the attack so far, or by "impersonating" the intruder checking whether he still has access to the computers he holds. For the Jennie system to work properly one PC would be needed, though two or three would definitely improve its operation. The software would gather information via the SNMP protocol, so it would be able to work with all network devices. Those interested in the technical details of the Jennie software or in participating in the project can visit the web site: http://jennie.man.szczecin.pl .
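The two ideas of this section, a tool that "learns" the traffic typical of a network and then flags anomalies, and a system that polls interface counters over SNMP to decide whether the network is the source or the target of an attack and on which interfaces the hostile packets pass, can be shown together in a small model. The code below is an added example and is not Jennie's own code or that of any vendor named above; the router layout, the baseline history and the counter readings are constructed, and the SNMP poll itself is replaced by two hard-coded Counter32 values per interface and direction.

```python
import statistics
from collections import defaultdict

# SNMP Counter32 objects such as ifInUcastPkts / ifOutUcastPkts wrap at 2^32.
COUNTER32_WRAP = 2 ** 32


def packets_per_second(prev_count, cur_count, interval_s):
    """Packet rate between two successive counter readings, tolerant of one 32-bit wrap."""
    delta = cur_count - prev_count
    if delta < 0:                         # the counter wrapped between the two polls
        delta += COUNTER32_WRAP
    return delta / interval_s


class TrafficBaseline:
    """Learns the typical packet rate per (interface, direction) and flags anomalies.

    direction is 'in' for packets entering the router on that interface and
    'out' for packets the router sends out of it."""

    def __init__(self, sigmas=3.0, min_rel_std=0.05):
        self.sigmas = sigmas              # deviations above the mean that count as anomalous
        self.min_rel_std = min_rel_std    # floor on std so a flat baseline is not over-sensitive
        self._samples = defaultdict(list)

    def learn(self, iface, direction, pps):
        self._samples[(iface, direction)].append(pps)

    def threshold(self, iface, direction):
        samples = self._samples[(iface, direction)]
        if len(samples) < 2:
            return None                   # too little history to judge this interface
        mean = statistics.fmean(samples)
        std = max(statistics.pstdev(samples), self.min_rel_std * mean)
        return mean + self.sigmas * std

    def classify(self, observed, uplinks):
        """observed: {(iface, direction): pps}; uplinks: interfaces facing the Internet.

        Returns the network's role (target/source/both/none), the anomalous
        interfaces and a filtering suggestion for each."""
        anomalies, suggestions = [], []
        for (iface, direction), pps in sorted(observed.items()):
            thr = self.threshold(iface, direction)
            if thr is None or pps <= thr:
                continue
            anomalies.append({"iface": iface, "direction": direction,
                              "pps": pps, "threshold": round(thr, 1)})
            if iface in uplinks and direction == "in":
                suggestions.append(f"apply an inbound filter or rate limit on {iface}")
            elif iface in uplinks:
                suggestions.append(f"apply an outbound filter on {iface}; our net is attacking")
            elif direction == "in":
                suggestions.append(f"hosts behind {iface} are sending the flood; check them for compromise")
            else:
                suggestions.append(f"the attacked hosts are behind {iface}")
        inbound = any(a["iface"] in uplinks and a["direction"] == "in" for a in anomalies)
        outbound = any(a["iface"] in uplinks and a["direction"] == "out" for a in anomalies)
        role = {(True, True): "both", (True, False): "target",
                (False, True): "source", (False, False): "none"}[(inbound, outbound)]
        return {"role": role, "anomalies": anomalies, "suggestions": suggestions}


# Constructed training history: normal rates (pps) on a border router with one
# uplink and two LAN ports, with a little jitter around each typical value.
_NORMAL = {("uplink", "in"): 1000, ("uplink", "out"): 400,
           ("lan1", "in"): 350, ("lan1", "out"): 900,
           ("lan2", "in"): 120, ("lan2", "out"): 300}
_JITTER = [-20, -10, 0, 10, 20, -15, 5, 15, -5, 0]


def build_baseline():
    base = TrafficBaseline()
    for (iface, direction), typical in _NORMAL.items():
        for j in _JITTER:
            base.learn(iface, direction, typical + j)
    return base


# Constructed live poll: two Counter32 readings taken 10 s apart. The uplink
# inbound counter wraps during the poll while a 25 000 pps flood arrives and is
# forwarded out of lan1 to the attacked host.
_POLL_INTERVAL_S = 10
_POLL = {("uplink", "in"): (4294967000, 249704),
         ("uplink", "out"): (500000, 504100),
         ("lan1", "in"): (7000, 10600),
         ("lan1", "out"): (90000, 340000),
         ("lan2", "in"): (1000, 2200),
         ("lan2", "out"): (3000, 6000)}


def analyze_poll(poll=_POLL, interval_s=_POLL_INTERVAL_S, uplinks=frozenset({"uplink"})):
    observed = {key: packets_per_second(prev, cur, interval_s)
                for key, (prev, cur) in poll.items()}
    return build_baseline().classify(observed, uplinks)


if __name__ == "__main__":
    report = analyze_poll()
    print("role:", report["role"])
    for a in report["anomalies"]:
        print(f"  {a['iface']} {a['direction']}: {a['pps']:.0f} pps > {a['threshold']} pps")
    for s in report["suggestions"]:
        print("  suggestion:", s)
```

Two details matter in practice. Counter32 values wrap on a busy link well within a polling interval, so a rate computed as a plain difference would come out negative or absurd exactly when the flood is heaviest; the wrap correction handles one wrap per interval, which sets an upper bound on the usable polling interval. The standard-deviation floor keeps an interface with a very flat history from raising alarms at every small fluctuation. Whether the role is "target" or "source" is read only from the uplink interfaces, since a flood passing through the router shows up as anomalous on a LAN port as well, in the opposite direction.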
All users unite
Spectacular DDoS attacks happen rarely, but even those we do not notice are a real threat to company security. The attack methods used today were invented a few years ago. However, theoretical assumptions are already known which, if realized, would make future DDoS attacks more sophisticated and dangerous than anything we have seen so far. It is worth paying more attention to the Curious Yellow project, which describes very precisely what DDoS attacks may look like in the future, and the new menaces arising on their basis.
The ease with which a DDoS attack can be launched, its hard-to-predict effects and the problems with tracing its authors should force everyone to cooperate in finding effective precautions. If neither the makers of network devices nor the Internet service providers are hurrying to fight DDoS attacks actively, Internet users should try their own strength.