Stopping DDOS Attacks
March 26th, 2003 by Glenn Stone in
On Thursday, February 20, 2003, at about 0130 GMT, the popular LiveJournal site became the victim of a massive distributed denial-of-service attack. LiveJournal staffers and upstream providers first tried to filter by IP, but they soon discovered what the "D" in DDOS means. After blocking about one quarter of the IP addresses on the Internet, they got on their load balancer and implemented some unknown but effective measures (repeated e-mails to them went unanswered). I can only assume these measures included some quality of service/rate limiting methods. Despite continued flooding, the site returned to usability after about four days of being somewhere between slow and totally unreachable.
Being a paid LiveJournal subscriber myself, I roused myself from the storm of dark imprecations on the soul of someone who would try to destroy a site that has become the epitome of "on-line community" to wonder, what do you do about such an event?
In the absence of comment from LiveJournal, I asked Robert Dinse, head honcho of Eskimo.com (an ISP that dates back to when ! was part of an e-mail address and not a hint the e-mail might be spam), how DDOSes worked, and what he did about them. "The most common [attacks] are smurf and fraggle", says Dinse. "Smurf works by sending an ICMP echo request packet to a network with an open broadcast address. The packet has the source IP forged to be that of the target host. That causes every machine on the network to respond with an ICMP echo reply to the forged host IP address. Thus the network with an open broadcast address acts as an amplifier. Fraggle works the same as smurf except that it uses UDP echo request and echo reply." Naturally, having the source IP forged renders the attack untraceable by normal means.
The more sophisticated attacks involve viruses that infect machines and log themselves into an IRC channel to wait for attack instructions. There's a longish discussion on that topic here. In this case, the source IP addresses, if not spoofed, are those of several hundred semi-innocent zombie PCs. This was the attack perpetrated on LiveJournal's Apache/Linux web servers: loading them up with connection requests.
Technical means are available to prevent such attacks. Smurf and fraggle can be stopped by not allowing packets addressed to broadcast addresses to pass through your firewall. Additionally, do not accept packets arriving from outside whose source addresses claim to belong inside your network. TCP SYN flood attacks can be stopped with SYN cookies, a bit of cryptological magic on the TCP sequence number that is built into most IP stacks, including most default Linux kernels. Full-out connection requests can be rate-limited, either with mod_throttle in Apache or with iptables in the IP stack. Of course, if the sheer volume of packets coming down from your ISP clogs your bitpipe, you have to convince the ISP to put the filters on its upstream traffic. This method is fine for a relatively small outfit like Eskimo, but what about their upstream? Most backbone providers, Dinse indicated, run their routers relatively close to capacity, and adding filters takes resources they are unwilling to give.
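As an added illustration (not code from the article, from LiveJournal or from Eskimo.com), here is a small Python model of the three packet-level defences this paragraph names, run over a constructed traffic sample so the verdicts an iptables ruleset would reach can be seen. The network prefix, the addresses and the token-bucket parameters are assumptions chosen for the example, and the per-source SYN limiter is in the spirit of the iptables hashlimit match rather than a copy of it.

```python
"""Constructed example: a model of three packet-level DDoS defences.
  1. drop packets addressed to our broadcast address (so we are not a smurf/fraggle reflector)
  2. drop packets arriving from outside with an inside source address, and packets leaving
     from inside with a source address that is not ours (anti-spoofing in both directions)
  3. rate-limit TCP SYNs per source with a token bucket (in the spirit of iptables hashlimit)
All addresses are documentation ranges chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

INSIDE = IPv4Network("192.0.2.0/24")   # assumed: the network behind the firewall


@dataclass(frozen=True)
class Packet:
    iface: str          # "outside" or "inside": interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    syn: bool = False   # TCP SYN flag (connection request)


def policy(pkt: Packet) -> str:
    """Stateless rules 1 and 2. Returns 'accept' or 'drop: <reason>'."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    if dst == INSIDE.broadcast_address:
        return "drop: directed broadcast"
    if pkt.iface == "outside" and src in INSIDE:
        return "drop: spoofed inside source from outside"
    if pkt.iface == "inside" and src not in INSIDE:
        return "drop: egress packet with foreign source"
    return "accept"


class SynLimiter:
    """Per-source token bucket: `rate` SYNs/second sustained, up to `burst` at once."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}   # src -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def apply_filters(trace, limiter: SynLimiter):
    """Run rules 1-2, then rule 3 on accepted SYNs. trace is [(time, Packet), ...]."""
    verdicts = []
    for now, pkt in trace:
        verdict = policy(pkt)
        if verdict == "accept" and pkt.proto == "tcp" and pkt.syn:
            if not limiter.allow(pkt.src, now):
                verdict = "drop: syn rate limit"
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic: times in seconds, documentation addresses
SAMPLE_TRACE = [
    (0.0, Packet("outside", "203.0.113.5", "192.0.2.255", "icmp")),   # echo request to our broadcast
    (0.0, Packet("outside", "192.0.2.10", "192.0.2.20", "udp")),      # outside packet claiming inside source
    (0.0, Packet("inside", "198.51.100.7", "203.0.113.9", "udp")),    # our host using someone else's address
    (0.0, Packet("outside", "203.0.113.5", "192.0.2.20", "tcp", syn=True)),
    (0.1, Packet("outside", "203.0.113.5", "192.0.2.20", "tcp", syn=True)),
    (0.2, Packet("outside", "203.0.113.5", "192.0.2.20", "tcp", syn=True)),
    (0.3, Packet("outside", "203.0.113.5", "192.0.2.20", "tcp", syn=True)),  # bucket empty
    (0.4, Packet("outside", "203.0.113.5", "192.0.2.20", "tcp", syn=True)),  # still empty
    (1.0, Packet("outside", "203.0.113.5", "192.0.2.20", "tcp", syn=True)),  # refilled
    (1.0, Packet("outside", "203.0.113.6", "192.0.2.20", "tcp", syn=True)),  # other source, own bucket
]


def run_sample():
    """Verdicts for SAMPLE_TRACE with 2 SYNs/second sustained and a burst of 3."""
    return apply_filters(SAMPLE_TRACE, SynLimiter(rate=2.0, burst=3))


if __name__ == "__main__":
    for (t, pkt), verdict in zip(SAMPLE_TRACE, run_sample()):
        print(f"t={t:.1f} {pkt.iface:7} {pkt.src:>14} -> {pkt.dst:<12} {pkt.proto:4} {verdict}")
```

The first three rules need no state and are cheap, which is why they belong at the edge; the SYN limiter keeps one small bucket per source, which is affordable on a server or a small ISP's border but is exactly the per-packet work the article says backbone routers running near capacity are unwilling to take on.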
Okay, fine, that's the technical side of how to mitigate the effects of a DDOS. But what do you actually do about it; that is, how do you get back to the parties responsible and bring them to justice? Quoting Dinse again:
To chase down the originator requires [that] the attack be sustained long enough to contact someone at the network that was used for an amplifier, for them to get their backbone involved, and for the backbone to be willing to go from router to router interface by interface and trace it back, usually into another backbone or two or three.
The attacks are usually not sustained for long periods of time. The sites used as reflectors are more often than not large universities or corporations where it's very difficult to find out who is responsible. When you get them, more often than not they're not willing to chase it further. If they are their backbone, more often than not is not [at all]. If they are [willing], it usually runs into another network that is not.
In all of the years I've been providing internet service, we have never successfully chased a DDOS attack back to the origin, and it's not for lack of trying. [Author's emphasis mine.]
And that's only the legwork. What about getting the Feds involved? In the GRC.com case I mentioned above, the FBI was totally uninterested. Of course, this case occurred in May 2001. It seems that the new Department of Homeland Security is somewhat more interested in such things. Then again, this is the same outfit that sat on the recent Sendmail vulnerability for two+ months. Hackers everywhere are justifiably skeptical. A slide I found from the October 2002 meeting of the North American Network Operators' Group is particularly telling. It seems that the FBI is totally uninterested in technical solutions to the problem; they prefer to treat the symptoms, not actually track the miscreants back to their lairs. So any possibility of getting hold of one of the zombie PCs, dissecting the virus and finding the ultimately responsible party basically is nonexistent. And heaven forbid the perpetrator should turn out to be across some line on a map or a juvenile.
The answer to our question about what to do, then, seems to be "nothing". But we know in our heart of hearts that's not an acceptable answer, and we're hackers, therefore smarter than the average bear. So what is the answer? A UN commission? Street justice? A big foam clue bat?
Or something completely different? We fought spam for years and finally, amongst ourselves, came up with a number of fairly effective tools, including one (Bayesian analysis) that even AOL and Microsoft are implementing. These tools haven't cut network traffic yet, but AOL's tools were recently released, and Microsoft's are still in beta. (Us penguin-heads can Google for spambayes, ESR's bogofilter or grab Mozilla 1.3.) The solution in this case is simply to make it impractical to spam. Can it be that simply leaning on our upstreams to implement proper filtering will likewise make a DDOS impractical?
Glenn Stone is a Red Hat Certified Engineer, sysadmin, technical writer, cover model and general Linux flunkie. He has been hand-building computers for fun and profit since 1999, and he is a happy denizen of the Pacific Northwest.
Re: Stopping DDOS Attacks
On March 26th, 2003 Anonymous says:
You should have interviewed a real expert. Smurf and fraggle haven't been the most common denial of service attacks in almost 10 years. The most common, and still most effective attack is a distributed TCP SYN flood with spoofed source IP addresses.
SYN Cookies do not stop this type of DOS attack, and they only help a small amount in weathering out the attack.
These types of DOS attacks won't be resolved until IPV6 is implemented. In the mean time every network in the world needs to block traffic from leaving their network with a source IP address that is not on their network. This can prevent their network from being used as the base of attack. If all networks did this, then a DOS attack could never be initiated.
In the mean time, it is recommended that you use something like an Attack Mitigator from Top Layer. It will help you to weather an attack much better than syn cookies. And before anyone says it, dropping packets that include source routing information also doesn't help.
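Added example, not part of the article or of the comment above: a simplified SYN cookie server in Python that shows what the mechanism does and does not buy. The cookie layout (a 5-bit time counter, a 3-bit MSS-table index and a 24-bit MAC over the 4-tuple plus the client's ISN), the MSS table and the secret are assumptions for illustration, not Linux's exact encoding. It bears out both the article and the commenter: a flood of spoofed SYNs leaves the server holding no half-open state, but every one of those SYNs still costs a SYN/ACK on the wire, so cookies bound memory, not bandwidth.

```python
"""Constructed example: a simplified SYN cookie server (not Linux's implementation).
Assumed cookie layout, used as the server's initial sequence number:
    bits 31..27  5-bit time counter (64-second windows)
    bits 26..24  index into a small MSS table
    bits 23..0   24-bit MAC over (4-tuple, counter), plus the client's ISN, mod 2^24
The server stores nothing for a half-open connection; only an ACK whose cookie
verifies creates per-connection state.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

MSS_TABLE = [536, 1300, 1440, 1460]   # assumed table of common MSS values


class SynCookieServer:
    def __init__(self, secret: bytes, clock):
        self.secret = secret
        self.clock = clock            # callable returning seconds; injectable for tests
        self.established = {}         # flow -> negotiated MSS; the only per-connection state

    def _counter(self):
        return (int(self.clock()) // 64) & 0x1F

    def _mac(self, flow, counter):
        saddr, daddr, sport, dport = flow
        msg = struct.pack("!4s4sHHB", IPv4Address(saddr).packed, IPv4Address(daddr).packed,
                          sport, dport, counter)
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, flow, client_isn, client_mss):
        """Answer a SYN with a cookie as the server ISN. Stores nothing."""
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        counter = self._counter()
        low = (self._mac(flow, counter) + client_isn) & 0xFFFFFF
        return (counter << 27) | (idx << 24) | low

    def on_ack(self, flow, seq, ack):
        """Validate the third handshake packet; create state only if the cookie checks out."""
        cookie = (ack - 1) & 0xFFFFFFFF          # our ISN comes back as ack - 1
        client_isn = (seq - 1) & 0xFFFFFFFF      # the client's ISN comes back as seq - 1
        counter = cookie >> 27
        if (self._counter() - counter) & 0x1F > 1:   # older than the previous window
            return False
        if (self._mac(flow, counter) + client_isn) & 0xFFFFFF != cookie & 0xFFFFFF:
            return False
        self.established[flow] = MSS_TABLE[(cookie >> 24) & 0x7]
        return True


def simulate():
    """Constructed scenario: spoofed flood, then one real client, then a forged ACK."""
    server = SynCookieServer(b"constructed-secret", clock=lambda: 1000.0)
    # 10,000 SYNs from spoofed sources: the SYN/ACKs go to hosts that never answer
    for i in range(10_000):
        server.on_syn(("198.51.100.%d" % (i % 250 + 1), "192.0.2.10", 40000 + i, 80), i, 1460)
    half_open_after_flood = len(server.established)

    # A real client completes the handshake
    flow = ("203.0.113.7", "192.0.2.10", 51234, 80)
    client_isn = 0x1234ABCD
    isn = server.on_syn(flow, client_isn, 1460)
    real_ok = server.on_ack(flow, client_isn + 1, isn + 1)

    # An ACK with a guessed cookie is rejected without creating state
    forged_ok = server.on_ack(("203.0.113.8", "192.0.2.10", 51235, 80), 1, 0xDEADBEEF + 1)
    return {
        "half_open_after_flood": half_open_after_flood,
        "real_handshake": real_ok,
        "negotiated_mss": server.established.get(flow),
        "forged_accepted": forged_ok,
        "connections": len(server.established),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Because the server must be able to recompute the MAC from the returning ACK alone, it can only encode what fits in a 32-bit sequence number; that is why real implementations carry a coarse MSS index rather than the full option set, and it is one reason cookies are normally switched on only once the backlog overflows.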
Re: Stopping DDOS Attacks
On April 18th, 2003 Anonymous says:
"In the mean time every network in the world to needs to block traffic from leaving their network with a source IP address that is not on their network. This can prevent their network from being used as the base of attack. If all networks did this, then a DOS attack could never be initiated."
--------------
That would stop a DoS attack but not a DDoS attack in which infected drones hammer from their valid IP address... this article was about DDoS. Even w/ ipv6 DDoS will be possible... spoofed attacks will not, however.
Re: Stopping DDOS Attacks
On March 31st, 2003 Anonymous says:
Spot on. I was about to suggest the same resolution - stop packets leaving a network with an ip address outside of the network. If all ISPs did this these attacks would not happen. But that won't happen, as it will cost them time and money.
The same goes for spam. Block all outgoing emails with an address that does not exist within the network and jail the person involved for life. They wouldn't do it again. Or is that a bit over the top?
Router vendors can easily put an end to these attacks
On March 27th, 2003 Anonymous says:
Router vendors are in a unique position to eliminate spoofing. All you need is the next version of the firmware in edge routers to have egress filtering enabled *by default*.
Within a year there would be so few networks that supported spoofing that it would be a forgotten problem.
Sure, this might increase the required CPU speed and cost of manufacture for CISCO and for backbone providers. And, yeah, this may be why they don't do it. But a minor increase in cost is absolutely no excuse.
http://www.ddos-ca.org/
Re: Router vendors can easily put an end to these attacks
On March 27th, 2003 Anonymous says:
This and the previous comment are intuitive and would sound as though they come from informed sources, but the DDOS infected clients could still "portf***" the victims. Ideas on that one?
DDoS from Routers
On May 24th, 2007 Compucrash (not verified) says:
One of the main problems we have with people DDoSing is not only the SYN packets but them simply using the ping command from routers. The problem is that a lot of companies never change their default router passwords and these passwords are readily available on the internet. Most of the DDoS attacks that happen against my servers are from Cisco routers which have not had their passwords changed. On top of that router manufacturers should make it impossible to ping anyone with less than a 2 second time out. People packeting from these routers can use the ping command along with a large packet size depending on the bandwidth of the router and a 0 second pause between sent signals. Even if you combine 2 routers against a simple home connection or most business connections that is enough to saturate the bandwidth. I know of at least 30 routers online right now whose passwords are the default, and I will be contacting their owners as soon as possible to warn them of this. The person who has attacked me has proceeded to rub it in my face on IRC also and has access to over 900 such routers. This makes his bandwidth power that he can use almost unstoppable by any network even if they all used a 2 second pause. The main way to stop DDoS attacks is to secure the systems that they are using and make it harder for them to get into them. I think I will begin pushing on manufacturers and law makers to try to find a solution to this and also implement measures that would enable easier tracking of the scoundrels that are behind these attacks. What I need from everyone else is the support. I know that I am damn tired of people using bandwidth against me and my business line and there needs to be something done about it, and it could be if they would just look into it a little further. If you are tired of it and if the ball gets rolling, don't be lazy, get up and join the fight. DDoS has to be stopped one way or another.