
Fighting DDoS, part 1


Everyone is probably familiar with the distributed denial-of-service attacks launched in February 2000 on a number of prominent e-commerce sites. If you are new to this issue, see Steve Bellovin's summary of the problem at www.research.att.com/~smb/talks/nanog-dos/index.htm

For my previous commentaries on this issue, see: www.nwfusion.com/newsletters/sec/0221sec1.htm, www.nwfusion.com/newsletters/sec/0228sec1.html and www.acm.org/ubiquity/views/m_kabay_1.html.

A more recent incident was the series of attacks against the Web site of Steve Gibson, a well-known security expert (grc.com/), who has published a detailed report on the incident (see grc.com/dos/grcdos.htm).

In a nutshell, starting at 8 p.m. on May 4, 2001, Gibson's site was deluged with bogus User Datagram Protocol and Internet Control Message Protocol packets, which completely flooded his T1 lines and prevented legitimate access to his Web pages. Working with his ISP, Gibson was able to discard the spurious traffic before it hit his own firewall. Analysis showed that the attacks were coming from 474 compromised computers. Luckily, most of the machines were running Windows 9x and Windows NT, which were unable to forge packet headers. This made it possible to identify the source IP addresses and institute firewall policies to block traffic from those sources.

Over the next two weeks, the attackers changed their tactics several times to break through the firewall rules in place, bringing down Gibson's site for many hours at a time. Over the course of the attacks, Gibson and his ISP logged about 2.4 billion bogus requests directed to various ports on his systems.

The originator of the attacks, apparently a 13-year-old child in Kenosha, WI, communicated with Gibson and explained that he had heard rumors that Gibson had been disrespectful toward "script kiddies." Based on this hearsay, the child and his friends had apparently put a Web site into limbo for several days. The transcripts of some of Gibson's conversations with the perpetrator of the distributed denial-of-service attack are highly revealing and well worth reading.

Eventually, someone sent Gibson a copy of the zombie program they found on an infected PC, and Gibson was able to locate the Internet Relay Chat channel where the zombies were communicating with the teenager's master program. He also documented the infection of home PCs by the Sub7Server Trojan, which automatically reports on compromised machines. After discussing his problems with a leader in the criminal hacker underground, Gibson was able to convince the child to stop harassing him.

The experience convinced Gibson that we are heading for serious difficulties on the Internet if a kid could exert that much power over the adult world.

In the next article in this series, I will review some of the more important techniques of simple (not distributed) denial-of-service attacks as a foundation for understanding and fighting distributed denial-of-service attacks.

RELATED LINKS

Check out the new "Computer Security Handbook, 4th Edition" edited by Seymour Bosworth and Michel E. Kabay; Wiley (New York), ISBN 0-4714-1258-9. Available now at your technical bookstore or visit Amazon.

M. E. Kabay, Ph.D., CISSP is Associate Professor of Information Assurance in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail by clicking here. He invites inquiries about his information security and operations management courses and consulting services. Visit his Web site for papers and course materials on information technology, security and management.


Copyright, 1994-2006 Network World, Inc. All rights reserved.