A Brief History of Distributed Denial of Service Attacks Uniforum Chicago August 22, 2000 Viki Navratilova Security Architect, BlueMeteor, Inc.
Tonight's Talk
What is DDoS?
Famous DDoS incidents
Brief history of DDoS tools
What's new in DDoS tools
Where to get more info on DDoS tools
How to keep DDoS from getting you down
Denial of Service (DOS)
An attack to suspend the availability of a service
Early DOS – smashing the computer with a sledge hammer
Network DOS – modern times: prevent a network-based service from doing its job
Can be as easy as pulling the network plug
What is DDoS?
Distributed Denial of Service
Many zombie computers ganging up on one computer, directed by one master, which is controlled by the attacker
The Week of Famous DDoS Attacks (February 2000)
CNN, Yahoo, E-Bay and Datek taken down for several hours at a time by traffic flooding
Under-administered computers at a California college were used as the slave attack computers
Trinoo, Tribal Flood Network, TFN2K and Stacheldraht are the suspected tools used in the attacks
Early DDoS Tools (c. 1990? – 1997)
Simple 1-tier attacks – the computer with the bigger bandwidth wins and kicks the loser off the modem/IRC channel:
Ping flood
SYN flood
UDP flood
Smurf attack – early 2-tier attack: the attacker sends pings to a network's broadcast address with the victim's address forged as the source, so every host on that network floods the real victim with ping replies
Smurf Attack (2-tier)
[diagram: attacker sends broadcast pings with the victim's source address to the amplifier network ("slaves"); their ping replies all go to the victim]
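The reflection the two slides above describe, modeled with constructed packets. This is an added example and not part of the talk: no sockets are opened, the attacker, the amplifier hosts and their border router are plain Python functions, and the victim, attacker and amplifier addresses are documentation ranges chosen for the example. It builds a real IPv4/ICMP echo request with the victim's address forged as the source, lets each host on the amplifier network answer it the way a normal IP stack would (reply to the IP source), and shows that the fix sites applied, dropping directed broadcasts at the router, stops the amplification while ordinary unicast pings still work.

```python
"""Smurf reflection modeled with constructed packets (added example; not from the
talk). No sockets are opened: the 'attacker', 'amplifier hosts' and 'border
router' are plain functions, and all addresses are documentation ranges."""
import ipaddress
import struct

VICTIM = ipaddress.IPv4Address("198.51.100.7")            # constructed victim
ATTACKER = ipaddress.IPv4Address("192.0.2.66")             # constructed attacker
AMPLIFIER_NET = ipaddress.IPv4Network("203.0.113.0/24")    # constructed amplifier network
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; yields 0 when run over a
    header whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    csum = inet_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src, dst, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header carrying ICMP (protocol 1). The source address is
    whatever the caller writes: nothing in IP stops an attacker using the victim's."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0, src.packed, dst.packed]
    fields[7] = inet_checksum(struct.pack(IP_HDR, *fields))
    return struct.pack(IP_HDR, *fields) + payload


def parse_ipv4(pkt: bytes):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, pkt[ihl:total_len]


class Host:
    """An amplifier host that answers echo requests sent to it or to its subnet broadcast."""
    def __init__(self, addr: ipaddress.IPv4Address):
        self.addr = addr

    def receive(self, pkt: bytes):
        src, dst, proto, icmp = parse_ipv4(pkt)
        if proto != 1 or inet_checksum(icmp) != 0 or icmp[0] != ICMP_ECHO_REQUEST:
            return None
        if dst not in (self.addr, AMPLIFIER_NET.broadcast_address):
            return None
        ident, seq = struct.unpack("!HH", icmp[4:8])
        # The reply goes to the IP *source*, i.e. to whoever the request claimed to be.
        return build_ipv4(self.addr, src, build_icmp(ICMP_ECHO_REPLY, ident, seq, icmp[8:]))


def reflect(pkt: bytes, hosts, forward_directed_broadcast: bool):
    """Border router plus LAN: the reply packets the network emits for one input packet."""
    _, dst, _, _ = parse_ipv4(pkt)
    if dst == AMPLIFIER_NET.broadcast_address and not forward_directed_broadcast:
        return []  # 'no ip directed-broadcast' on the router: the broadcast ping never reaches the LAN
    return [r for r in (h.receive(pkt) for h in hosts) if r is not None]


def smurf(num_hosts: int, forward_directed_broadcast: bool = True) -> dict:
    """One spoofed broadcast ping from the attacker; count what lands on the victim."""
    hosts = [Host(a) for a in list(AMPLIFIER_NET.hosts())[:num_hosts]]
    spoofed = build_ipv4(VICTIM, AMPLIFIER_NET.broadcast_address,
                         build_icmp(ICMP_ECHO_REQUEST, 0x7A69, 1, b"\x00" * 56))
    replies = reflect(spoofed, hosts, forward_directed_broadcast)
    to_victim = sum(1 for r in replies if parse_ipv4(r)[1] == VICTIM)
    return {"packets_sent_by_attacker": 1, "replies_to_victim": to_victim,
            "amplification": to_victim}


if __name__ == "__main__":
    print("directed broadcast forwarded:", smurf(50))
    print("directed broadcast dropped:  ", smurf(50, forward_directed_broadcast=False))
    # An ordinary unicast ping is still answered with directed broadcast blocked.
    h = Host(next(AMPLIFIER_NET.hosts()))
    ping = build_ipv4(ATTACKER, h.addr, build_icmp(ICMP_ECHO_REQUEST, 1, 1, b"hi"))
    print("unicast ping answered:", len(reflect(ping, [h], False)) == 1)
```

One attacker packet becomes one reply per live host on the amplifier network, all addressed to the forged source, which is why the attacker never has to be faster than the victim. The router-side fix is the one that scales: dropping directed broadcasts at the border removes the amplifier without touching the hosts, and unicast pings keep working.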
Modern DDoS Tools
Once sites blocked broadcast pings, attackers found new ways to accomplish the same thing
DDoS tools gave a new way to communicate across networks with the slave attack computers
The attacker has to infiltrate several slave computers and install the DDoS slave client on each
The master client is sometimes found on an ISP's name server – unlikely to be taken off the network
DDoS Attacks (3-tier)
[diagram: attacker → master → slaves → victim]
Why DDoS Tools Suck for Your Network
Hard to trace to the original culprit
Difficult to cut off the flow of attack traffic because it's coming from everywhere
Difficult to catch pre-attack communications between master and slave machines
Trinoo – First Publicly Available DDoS Tool (c. 1997)
Attacker, Master, Slave
Communications are unencrypted (attacker to master over TCP, master to slaves over UDP)
Easy to detect the communications and the passwords on the wire
Attack method: UDP flood
Solaris & Linux machines
Tribe Flood Network (TFN) (c. 1998)
Attacker & master communicate over whatever remote access is available: unencrypted TCP, UDP, ICMP, telnet, or SSH
No password required to run commands
Commands are sent as pre-determined 16-bit binary numbers
Master & slaves talk over ICMP (echo replies)
DOS attacks available: ICMP, SYN, UDP & Smurf-style floods
Linux & Solaris
TFN2K (1999)
Builds on TFN
Decoy packets & other measures make traffic difficult to identify & filter
Fakes the source address of its communications
New attacks include malformed packet floods – greater devastation in fewer packets
Available for Unix & NT systems
Stacheldraht ("Barbed Wire") – Fine German Engineering (late 1999)
Master – slave communications require passwords
Telnet-like encrypted connections over TCP and ICMP
Control traffic rides on ICMP, so the only way to prevent the communications is to block all ICMP traffic (undesirable)
Ability to upgrade master & slave software via rcp – increases client functionality
Several DOS attacks like TFN
Solaris & Linux
What's New in DDoS Tools (since February 2000)
Shaft (Nov 1999) – modeled after Trinoo
–Attacker-master: password-protected TCP / master-zombie: UDP
–Can switch master servers and ports on the fly
–Uses a ticket system to match zombies with their masters
–Keeps zombie packet statistics
Mstream (April 2000)
–Still in development
–Attacker-to-master commands are sent in one packet over unencrypted TCP – password protected
–Master and zombies talk over UDP
–All logged-in users (attackers) are notified of access attempts
Where to Find More Info on DDoS Tools
Dave Dittrich's white papers
Packetstorm's Distributed Attack Tools
CERT Coordination Center
Break
How to Keep DDoS Tools from Getting You Down
Pay attention to your machines!
Egress filter your network, i.e. make sure whatever leaves your network only has source addresses that belong to you
Ingress filter – confirm that packets coming in from outside do not have source addresses from your inside network
Use tcpdump (Solaris or Linux) or snoop (Solaris) to capture the attack traffic, and report the incident to law enforcement (NIPC):
tcpdump -i interface -s 1500 -w capture_file
snoop -d interface -o capture_file -s 1500
Cisco Router Configuration Options
ip verify unicast reverse-path : drops a packet unless the route back to its source address points out the interface the packet arrived on (strict uRPF; needs CEF, and will drop legitimate traffic where routing is asymmetric)
Rate limit ICMP and SYN packets
Filter non-routable address space:
interface xy
 ip access-group 101 in
! the three address ranges did not survive extraction of this slide; the usual choice is the
! RFC 1918 private blocks 10/8, 172.16/12 and 192.168/16, written as network plus wildcard mask
access-list 101 deny ip <network> <wildcard> any
access-list 101 deny ip <network> <wildcard> any
access-list 101 deny ip <network> <wildcard> any
access-list 101 permit ip any any
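The checks behind the two slides above (egress and ingress filtering, the non-routable-source ACL, and strict unicast reverse-path forwarding), applied to a constructed traffic sample. This is an added example and not code from the talk: the address space, interface names and forwarding table are assumptions chosen for the example, the default route is treated as a valid reverse path (what IOS does only when told to allow the default), and the interface name is what decides whether a packet is inbound or outbound.

```python
"""Source-address checks from the slides above (added example, not from the
talk): egress and ingress filtering, an RFC 1918 bogon list, and strict unicast
RPF, applied to constructed packet records. The address space, interface names
and forwarding table are assumptions chosen for the example."""
import ipaddress
from typing import NamedTuple

IPv4Network = ipaddress.IPv4Network

OUR_NETS = [IPv4Network("198.51.100.0/24")]  # assumed: the address space assigned to us
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]

# Assumed forwarding table of the border router (prefix -> outgoing interface).
# Lookups use the longest matching prefix, as a router's FIB does. The default
# route counts as a reverse path here (IOS needs 'allow-default' for that).
FIB = {
    IPv4Network("0.0.0.0/0"): "Serial0",            # default route towards the ISP
    IPv4Network("198.51.100.0/24"): "Ethernet0",    # main LAN segment
    IPv4Network("198.51.100.128/25"): "Ethernet1",  # second internal segment
}
INSIDE_INTERFACES = {"Ethernet0", "Ethernet1"}


class Packet(NamedTuple):
    src: str
    dst: str
    ingress_if: str   # interface the packet arrived on


def in_any(addr: str, nets) -> bool:
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in nets)


def egress_ok(pkt: Packet) -> bool:
    """Leaving our network: the source must be one of our addresses. This is what
    stops a zombie inside our network from spoofing on an attacker's behalf."""
    return in_any(pkt.src, OUR_NETS)


def ingress_ok(pkt: Packet) -> bool:
    """Arriving from outside: the source must not claim to be inside our network
    and must not come from non-routable (RFC 1918) space."""
    return not in_any(pkt.src, OUR_NETS) and not in_any(pkt.src, RFC1918)


def reverse_path(addr: str) -> str:
    """Interface the router would use to reach addr (longest-prefix match)."""
    a = ipaddress.IPv4Address(addr)
    best = max((n for n in FIB if a in n), key=lambda n: n.prefixlen)
    return FIB[best]


def urpf_strict_ok(pkt: Packet) -> bool:
    """'ip verify unicast reverse-path': keep the packet only if the route back to
    its source leaves on the interface the packet arrived on."""
    return reverse_path(pkt.src) == pkt.ingress_if


def classify(pkt: Packet) -> dict:
    direction = "egress" if pkt.ingress_if in INSIDE_INTERFACES else "ingress"
    acl = egress_ok(pkt) if direction == "egress" else ingress_ok(pkt)
    urpf = urpf_strict_ok(pkt)
    return {"direction": direction, "acl": acl, "urpf": urpf, "forward": acl and urpf}


# Constructed traffic sample: (source, destination, arriving interface).
SAMPLE = [
    Packet("198.51.100.10", "203.0.113.5", "Ethernet0"),    # ordinary outbound packet
    Packet("203.0.113.77", "198.51.100.10", "Serial0"),     # ordinary inbound packet
    Packet("10.9.8.7", "203.0.113.5", "Ethernet0"),         # zombie on our LAN spoofing a private source
    Packet("198.51.100.10", "198.51.100.20", "Serial0"),    # outsider spoofing one of our addresses
    Packet("198.51.100.200", "203.0.113.5", "Ethernet0"),   # our address, but on the wrong internal segment
    Packet("192.168.1.1", "198.51.100.10", "Serial0"),      # RFC 1918 source arriving from the Internet
]

if __name__ == "__main__":
    for p in SAMPLE:
        v = classify(p)
        print("%-15s via %-9s %-7s acl=%-5s urpf=%-5s -> %s" % (
            p.src, p.ingress_if, v["direction"], v["acl"], v["urpf"],
            "forward" if v["forward"] else "DROP"))
```

The sample is built so that each mechanism catches something the other misses: the fifth packet carries one of our own addresses, so the ACL passes it, but strict uRPF drops it because that address lives behind a different interface; the sixth packet, an RFC 1918 source from the Internet, passes strict uRPF (with the default route allowed it has a reverse path) and is only caught by the bogon ACL. Strict uRPF is also the check most likely to bite in production: on a multi-homed site with asymmetric routing it drops legitimate traffic, which is why the slide's option is one to test on a single-homed edge first.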
Tools to Help Detect DDoS Tools
NIPC tools – locate installations on the hard drive by scanning file contents
Zombie Zapper – puts Trinoo, TFN, Stacheldraht and Shaft zombies to sleep when they are flooding
Remote Intrusion Detector (RID) – locates Trinoo, Stacheldraht and TFN on the network
Q & A
Thank you