HomeAbout MeSecurityDCLinuxEee PCMusic3D GraphicsRobotsContact Me

User save yourself
16th December 2002


Prevention, or even more effective reaction to DDos attacks, is a fight with windmills, to which both, producers of net equipment, and suppliers of internet services are not hasting to. Maybe it is time, for internet users, to handle the problem by themselves.
 
Author: Tomasz Grabowski
Translation: Aleksandra Malak
 
 
Problems with net devices, and especially with links, happens relatively often. Many times they disappear by themselves, before the administrator will find its reason. Sometimes however, the reason for those problems is not infrastructure at all, but dispersion attack called DDoS (Distributed Denial of Service). The symptoms are mostly very similar. At the beginning a moderation in Internet access is noticeable. After that, there are few minute interruptions in web actions. Sometimes it happens, that the lack of communication lasts few hours, and even a few days.

Inflowing movement effectively fills all available band of internet connection, and considerably overload net devices of a victim, leading often to its immobilization. In both cases, the victims net is no longer available outside. In situation, when Internet connection is indispensable for functioning of a company, losses caused by DDoS attacks  can be painful. Preclusion of communication with a world for a company, can be also only a medium, for realization of other target: to divert attention of web administrators from the real attack.

After famous DDoS attacks on the biggest internet portals in year 2000, and after latest attacks on skeleton DNS servers, we already know, that DDoS attacks are very real threaten, but we still don’t know how to defend against them. The one’s that even once mete out the DDoS attack will never forget overwhelmed powerlessness and surprises, that methods of protection against the attacks, commonly considered as effective, didn’t work in that exact situation.


A big farm in fundaments

To carry out an effective attack Distributed Denial of Sernice type, the intruder must take control, over few hundred or a few thousand computers in internet first. More dissipate they are between different nets, much bigger probability it will succeed – because dissipation, makes coordination of prevention actions difficult.  Even a position of computers in net counts, and especially the size of available net band. After getting access to computers, the burglar installs very accessible and easy in usage software for leading the attacks, for example Trinoo, Stacheldraht or Trible Flood Network. On burglars order, dormant programs are awaken and ready to do advisable actions. For example. it can be sending a great number of common, or properly prepared packets in direction of specified IP address/addresses.

Does having a proper arsenal of computers to lead the DDoS attack is a problem? Unfortunately not. In that purpose the intruders are using a special software, which in defined range of IP addresses finds the computers that posses known security gaps. Next, they using them to get the administrators authority and automatically the are installing software to lead the attacks. To lead the DDoS attack you don’t need to have any special and expert knowledge. You don’t even need a lot of time. In Academic Centre of Computer Science in Szczecin (ACI) we conducted a precise analysis of action of one of those tools. Tests shown, that searching and taking control over a hundred computers can take the intruder about 20 minutes.

Reasons for DDoS attacks can be many: from a desire to make a joke or make somebody’s life difficult, through simple vandalism, to purpose elimination from the net uncomfortable content, and even a terrorism. Luckily, in most cases the reason is trivial. The analysis of attacks made by Academic Urban Computer Net in Szczecin (AMSK) allowed to determine, that the motivation for majority intruders were so called IRC wars. Their target is to deprive the victim of access to Internet on few minutes, and to take control over managed from his net IRC (Internet Relay Chat) channels at that time. People who are dealing with that kind of actions, are mostly teenagers, who are considering it as a real fun. We got to conclusion, that areas of increased risk are in fact all services offering access to system accounts, so companies, which offer clients interactive access to their system with usage of telnet service or SSH.

Massed DDoS attacks, which last few hours or days are not frequent. In most cases (approximately 80%), which we tested in AMSK, DDoS attacks manifested with sporadic, few minute breaks in access to Internet. Long - standing attacks total up only 5% of all DDoS attacks. This correctness is a result of a fact, that with a lengthen of time when the attack goes on, the probability of targeting the attacker increases. Long –lasting DDoS attacks are most often connected with losing control by intruder, over computers he used, and in most cases the attacker don’t want to get rid of “goods” he collected.


Fight with windmills

The characteristic of movement generated during the DDos attack is very similar to the one, that takes place during a normal work of a net. That’s why a simple filtering of movement will not give, in case of DDoS attacks, any results. Packets sent to our net often do not have any common feature, basing on which, we could create their synthetic description. Anyway problem lies somewhere else: there are so many packets, that instantaneously they fill all available band of internet connection.

Tracking the source of attacks with usage of simple methods is not possible, because packets send during DDoS attacks have usually false sender address. It indicates on very important need of cooperation between suppliers of internet services, which although should, not always check the movement leaving their net, at an angle of compatibility of real addresses with the ones saved in packets. They also not always check the reasons of increased movement on some interfaces of their routers.

Defense against concrete DDoS attack can last few hours, and even few days. It depends on the number of attacking computers and the quality of cooperation between suppliers of internet services. To maximally limit the influence of potential DDoS attack on companies functioning, we should properly prepare ourselves. It’s worth to check, if the supplier serving the company has a plan of action in case of DDoS attack. But the plan is still not enough – nobody, who didn’t even try to simulate DDoS attacks in his net, is really prepared to its coming.

We also need to examine if will not become a tool in intruders hands, when he will attack different net. The basic caution medium, is keeping a vigil over a software actualization. After that, taking control over companies computers, will be much harder for intruder to do. Next case, is such a configuration of routers, to make sending packets with a sender address different than the real address, through company’s net impossible. It will not give the certainty, that company’s net will not be used to some kind of attack, but it will enable the victim of a DDoS attack, to  inform us about the situation, so fast reaction will be possible.

We can’t counteract DDoS attacks, using net devices of latest generation. In last few years, many interesting projects connected with detection and tracking DDoS attack sources appeared, for example IP Traceback, ICMP Traceback or CenterTrack. Yet none of it had its large scale implementation, what really is a basic condition of its effectiveness. Producers don’t hurry with equipping their devices in new software, tracing its numerous defects. The main defect, is that the intruder is able to deceive  devices that are using those techniques, and direct the suspicions to net that is not connected with the attack. Moreover, practical tests shown, that in case of a geographically, very dispersed attack, those techniques are rather disappointing. For now we just need to track authors of the attack, basing on better or worst cooperation of suppliers of mail services.


Helpful Jennie

The situation is not completely hopeless. Instead manual detection of increased movement on interfaces, Internet suppliers could use to that purpose a special software, that can do it automatically. Tracking the author of the attack would then take incomparably lesser time than presently. Solutions of that type assigned mostly for big corporations net, and bigger ISP, is offered by few companies like Arbor, Mazu, Captus or Asta. After the installation, those tools are “learning” the movement typical for given net, and then, they detect anomalies. Algorithms used in those tools will not give a 100% certainty of tracking the source of the attack, nevertheless, they will help to decrease its power. Main defect of those solutions is, that they require purchasing dedicated devices, and they cooperate only with Cisco and Juniper routers.

Considering those limits, in Academic Centre of Computer Science in Szczecin, we started open source project called Jennie, in frames of which, the software for fighting with DDoS attacks is developed. System allows to determine, among others, if the net is a source or a target of the attack, and to detect, on which interfaces hostile packet go through. It can also suggest, to administrator, ways to low down negative influence of the attack on net, for example indicate, on  which interface and what kind of filters should he start. After detecting the attack, Jennie would redirect suspicious movement to specialized station, in which it would be analyzed it in details, the result of those analysis is the information, about what, and how should be configured, on individual devices. Moreover this specialized system will log on the content of all suspicious  packets, to enable their further analysis, for example in order to evidences.

Jennies packet would be also equipped in motion detectors, characteristic for known programs, used for DDoS attacks. It would be helpful in detecting computers over which the control was taken, for example by correlation of its action, with course of the attack so far, or by “pretending” intruders actions, who is checking if he still has access to possessed computers. For proper work of Jennie system one Pc computer would be needed, though two or three would definitely improve its functioning. Software would gather information’s by SNPM protocol, so it would be able to work with all net devices. People interested in technical details of Jennies software or participating in the project can visit the web site: http://jennie.man.szczecin.pl .

All users unite

Spectacular DDoS attacks happens rarely, but even the one we don’t notice are real threaten for companies safety. Methods of attacks used nowadays were invented few years ago. However theoretical assumptions are presently known – and if they will be realized – they would make future of DDoS attacks more sophisticated and dangerous than what we have seen sp far. It’s worth to devote more attention to Curious Yellow project, which very precisely describes how DDoS attacks may look like in the future, and new menaces based on their grounds.

Easiness with which we can start DDoS attacks, their hard to predict effects and the problems with tracking their authors should force all to cooperation, in order to find effective precaution mediums. If for active fight with DDoS attacks, either producers of net devices, or internet services suppliers don’t hurry, the users of internet should try their strength.