Stopping DDOS Attacks

Considering how difficult they are to trace back to the original offender, if anyone is willing to do so, what might be an alternative means of ending DDOS attacks?

On Thursday, February 20, 2003, at about 0130 GMT, the popular LiveJournal site became the victim of a massive distributed denial-of-service attack. LiveJournal staffers and upstream providers first tried to filter by IP, but they soon discovered what the "D" in DDOS means. After blocking about one quarter of the IP addresses on the Internet, they got on their load balancer and implemented some unknown but effective measures (repeated e-mails to them went unanswered). I can only assume these measures included some quality of service/rate limiting methods. Despite continued flooding, the site returned to usability after about four days of being somewhere between slow and totally unreachable.

Being a paid LiveJournal subscriber myself, I roused myself from the storm of dark imprecations on the soul of someone who would try to destroy a site that has become the epitome of "on-line community" to wonder, what do you do about such an event?

In the absence of comment from LiveJournal, I asked Robert Dinse, head honcho of (an ISP that dates back to when ! was part of an e-mail address and not a hint the e-mail might be spam), how DDOSes worked, and what he did about them. "The most common [attacks] are smurf and fraggle", says Dinse. "Smurf works by sending an ICMP echo request packet to a network with an open broadcast address. The packet has the source IP forged to be that of the target host. That causes every machine on the network to respond with an ICMP echo reply to the forged host IP address. Thus the network with an open broadcast address acts as an amplifier. Fraggle works the same as smurf except that it uses UDP echo request and echo reply." Naturally, having the source IP forged renders the attack untraceable by normal means.

The more sophisticated attacks involve viruses that infect machines and log themselves into an IRC channel to wait for attack instructions. There's a longish discussion on that topic here. In this case, the source IP addresses, if not spoofed, are those of several hundred semi-innocent zombie PCs. This was the attack perpetrated on LiveJournal's Apache/Linux web servers--loading them up with connection requests.

Technical means are available to prevent such attacks. Smurf and fraggle can be stopped by not allowing broadcast addresses to pass through your firewall. Additionally, do not allow packets that should be coming from inside to actually come in from outside. TCP SYN flood attacks can be stopped with SYN Cookies, a bit of cryptological magic on the TCP packet sequence number that is built into most IP stacks, including most default Linux kernels. Full-out connection requests can be rate-limited, either with mod_throttle in Apache or with iptables in the IP stack. Of course, if the sheer volume of packets coming down from your ISP clogs your bitpipe, you have to convince the ISP to put the filters on upstream traffic. This method is fine for a relatively small outfit like Eskimo, but what about their upstream? Most backbone providers, Dinse indicated, run their routers relatively close to capacity, and adding filters takes resources they are unwilling to give.
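How the SYN cookie trick on the sequence number works, as an added example that is not part of the original article: the server packs a time slot, an MSS index and a keyed hash into the sequence number of its SYN-ACK and keeps no state until a final ACK echoes it back, so a spoofed SYN that never completes the handshake costs no memory. The 5/3/24-bit layout, the HMAC-SHA256 hash, the MSS table and the function names are assumptions for illustration, not the Linux kernel's exact algorithm.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"  # constructed key; a real stack keeps a random secret
MSS_TABLE = [536, 1220, 1440, 1460]  # assumed table, indexed by the cookie's 3-bit field
SLOT_SECONDS = 64                    # assumed length of one time slot
MASK32 = 0xFFFFFFFF

def _mac24(conn, client_isn, slot, idx):
    """24-bit keyed hash over the 4-tuple, client ISN, time slot and MSS index."""
    src, sport, dst, dport = conn
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    msg += struct.pack("!IQB", client_isn, slot, idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(conn, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK; no per-connection state is stored."""
    slot = int(now) // SLOT_SECONDS
    # Largest table entry that does not exceed the client's MSS (index 0 as floor).
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(conn, client_isn, slot, idx), "big")
    return ((slot % 32) << 27) | (idx << 24) | mac

def check_ack(conn, ack_number, client_seq, now, max_age_slots=1):
    """Validate the handshake's final ACK; return the MSS, or None to drop it."""
    cookie = (ack_number - 1) & MASK32      # the ACK acknowledges cookie + 1
    client_isn = (client_seq - 1) & MASK32  # the client's sequence is its ISN + 1
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    current = int(now) // SLOT_SECONDS
    for age in range(max_age_slots + 1):
        slot = current - age
        if slot < 0 or slot % 32 != cookie >> 27:
            continue  # cookie was not minted in this slot
        expected = _mac24(conn, client_isn, slot, idx)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None
```

The cookie only protects the half-open connection queue; it does nothing for a saturated link, which is why the upstream filtering discussed next still matters.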

Okay, fine, that's the technical side of how to mitigate the effects of a DDOS. But what do you actually do about it; that is, how do you get back to the parties responsible and bring them to justice? Quoting Dinse again:

To chase down the originator requires [that] the attack be sustained long enough to contact someone at the network that was used for an amplifier, for them to get their backbone involved, and for the backbone to be willing to go from router to router interface by interface and trace it back, usually into another backbone or two or three.

The attacks are usually not sustained for long periods of time. The sites used as reflectors are more often than not large universities or corporations where it's very difficult to find out who is responsible. When you get them, more often than not they're not willing to chase it further. If they are, their backbone, more often than not, is not [at all]. If they are [willing], it usually runs into another network that is not.

In all of the years I've been providing internet service, we have never successfully chased a DDOS attack back to the origin, and it's not for lack of trying. [Author's emphasis mine.]

And that's only the legwork. What about getting the Feds involved? In the case I mentioned above, the FBI was totally uninterested. Of course, this case occurred in May 2001. It seems that the new Department of Homeland Security is somewhat more interested in such things. Then again, this is the same outfit that sat on the recent Sendmail vulnerability for two+ months. Hackers everywhere are justifiably skeptical. A slide I found from the October 2002 meeting of the North American Network Operators' Group is particularly telling. It seems that the FBI is totally uninterested in technical solutions to the problem; they prefer to treat the symptoms, not actually track the miscreants back to their lairs. So any possibility of getting hold of one of the zombie PCs, dissecting the virus and finding the ultimately responsible party basically is nonexistent. And heaven forbid the perpetrator should turn out to be across some line on a map or a juvenile.

The answer to our question about what to do, then, seems to be "nothing". But we know in our heart of hearts that's not an acceptable answer, and we're hackers, therefore smarter than the average bear. So what is the answer? A UN commission? Street justice? A big foam clue bat?

Or something completely different? We fought spam for years and finally, amongst ourselves, came up with a number of fairly effective tools, including one (Bayesian analysis) that even AOL and Microsoft are implementing. These tools haven't cut network traffic yet, but AOL's tools were recently released, and Microsoft's are still in beta. (Us penguin-heads can Google for spambayes, ESR's bogofilter or grab Mozilla 1.3.) The solution in this case is simply to make it impractical to spam. Can it be that simply leaning on our upstreams to implement proper filtering will likewise make a DDOS impractical?

Glenn Stone is a Red Hat Certified Engineer, sysadmin, technical writer, cover model and general Linux flunkie. He has been hand-building computers for fun and profit since 1999, and he is a happy denizen of the Pacific Northwest.





Stopping ddos attacks

Anonymous's picture

Depending on how complex the attack is and the number of zombies involved you can employ a few foolproof techniques.

If you can analyze the traffic and find out which IPs are causing the largest number of requests, then you can generate a filter list and apply it to your router interface. Sometimes if you don't have a router you can give it to your hosting provider and they will apply it to their router for you.

When the attack is too large or complex like what we experienced 2 months ago, I just went to Dosarrest and they had my site up and running in minutes. A great group of guys over there too.

In the end their solution is cost effective if your site is profitable.

Stopping DDos

Linuxcares12's picture

See the below URLs. It has been very helpful. If you plan to install a firewall, do remember to install only one - either CSF or APF.

Re: Stopping DDOS Attacks

Anonymous's picture

You should have interviewed a real expert. Smurf and fraggle haven't been the most common denial of service attacks in almost 10 years. The most common, and still most effective attack is a distributed TCP SYN flood with spoofed source IP addresses.

SYN Cookies do not stop this type of DOS attack, and they only help a small amount in weathering out the attack.

These types of DOS attacks won't be resolved until IPV6 is implemented. In the meantime every network in the world needs to block traffic from leaving their network with a source IP address that is not on their network. This can prevent their network from being used as the base of attack. If all networks did this, then a DOS attack could never be initiated.

In the meantime, it is recommended that you use something like an Attack Mitigator from Top Layer. It will help you to weather an attack much better than syn cookies. And before anyone says it, dropping packets that include source routing information also doesn't help.

Re: Stopping DDOS Attacks

Anonymous's picture

"In the mean time every network in the world to needs to block traffic from leaving their network with a source IP address that is not on their network. This can prevent their network from being used as the base of attack. If all networks did this, then a DOS attack could never be initiated."


That would stop a DoS attack but not a DDoS attack in which infected drones hammer from their valid IP address... this article was about DDoS. Even w/ ipv6 DDoS will be possible... spoofed attacks will not, however.
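The edge filtering rules from the article and the distinction drawn in the comments above, as an added example that is not part of the original article or of any comment: spoofed sources and directed broadcasts are dropped at the network edge, while a zombie sending from its real address passes the same filter. The prefixes are documentation addresses used as a constructed topology, and the function names are hypothetical.

```python
import ipaddress

# Constructed topology: the prefixes that belong to "our" network.
INSIDE = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

def _inside(addr):
    return any(addr in net for net in INSIDE)

def _subnet_edge(addr):
    """True if addr is the network or broadcast address of an inside subnet."""
    return any(
        addr in (net.network_address, net.broadcast_address) for net in INSIDE
    )

def filter_packet(direction, src, dst):
    """Return (verdict, reason) for a packet crossing the network edge.

    direction is "in" (arriving from upstream) or "out" (leaving to upstream).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _inside(src):
            return "drop", "inside source arriving from outside (spoofed)"
        if _subnet_edge(dst):
            return "drop", "directed broadcast (smurf/fraggle amplification)"
        return "accept", "ok"
    if direction == "out":
        if not _inside(src):
            return "drop", "foreign source leaving our network (spoofed)"
        # A compromised host using its own address is indistinguishable
        # from legitimate traffic at this layer, so it is accepted here.
        return "accept", "ok"
    raise ValueError(f"unknown direction: {direction!r}")
```

The accepted egress case is the one that needs rate limiting or cleanup of the infected host, since source validation alone cannot see it.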

Re: Stopping DDOS Attacks

Anonymous's picture

Spot on. I was about to suggest the same resolution - stop packets leaving a network with an IP address outside of the network. If all ISPs did this these attacks would not happen. But that won't happen, as it will cost them time and money.

The same goes for spam. Block all outgoing emails with an address that does not exist within the network and jail the person involved for life. They wouldn't do it again. Or is that a bit over the top?

Router vendors can easily put an end to these attacks

Anonymous's picture

router vendors are in a unique position to eliminate spoofing. all you need is the next version of the firmware in edge routers to have egress filtering enabled *by default*

within a year there would be so few networks that supported spoofing that it would be a forgotten problem

sure, this might increase the required CPU speed and cost of manufacture for CISCO and for backbone providers.

and, yeah, this may be why they don't do it.

but a minor increase in cost is absolutely no excuse

Re: Router vendors can easily put an end to these attacks

Anonymous's picture

This and the previous comment are intuitive and would sound as though they come from informed sources, but the DDOS infected clients could still "portf***" the victims. Ideas on that one?

DDoS from Routers

Compucrash's picture

One of the main problems we have with people DDoSing is not only the SYN packets but them simply using the ping command from routers. The problem is that a lot of companies never change their default router passwords and these passwords are readily available on the internet. Most of the DDoS attacks that happen against my servers are from Cisco routers which have not had their passwords changed. On top of that router manufacturers should make it impossible to ping anyone with less than a 2 second time out. People packeting from these routers can use the ping command along with a large packet size depending on the bandwidth of the router and a 0 second pause between sent signals. Even if you combine 2 routers against a simple home connection or most business connections that is enough to saturate the bandwidth. I know of at least 30 routers online right now whose passwords are the default in which I will be contacting their owners as soon as possible to warn them of this. The person who has attacked me has proceeded to rub it in my face on IRC also and has access to over 900 such routers. This makes his bandwidth power that he can use almost unstoppable by any network even if they all used a 2 second pause. The main way to stop DDoS attacks is to secure the systems that they are using and make it harder for them to get into them. I think I will begin pushing on manufacturers and law makers to try to find a solution to this and also implement measures that would enable easier tracking of the scoundrels that are behind these attacks. What I need from everyone else is for the support. I know that I am damn tired of people using bandwidth against me and my business line and there needs to be something done about it and it could be if they would just look into it a little further. If you are tired of it and if the ball gets rolling don't be lazy get up and join the fight. DDoS has to be stopped one way or another.

dos attack

Anonymous's picture

Hi, I was researching for a book I would like to write. I guess I managed to make some people mad, and they are VERY pc savvy. My home pc is constantly being knocked off net. I got a laptop, put in a network card from a phone co. I was naive enough to think, since my ip kept changing, not even in my state, they would not know it was me. Now my laptop is constantly being knocked off. Any help on how to stop them? What can I change? look at? if I wipe pcs clean? additional firewall software?
I think they ping/ dos attack me with larger packets, but maybe they had something in a cookie? and they activate it from where they are? can they see my phone number on the laptop set up? if I change, or not have it in the box?
I appreciate any help if anyone has time. I'm not pc smart, but a fast learner. btw I'm not crazy, the home pc has been going on sev yrs, a little local cable co, they are nice, but sure do not know much, and I doubt they are very secure.
they cannot see why I am having these issues.
btw this person knows my address, info too

Not really under attack

Anonymous's picture

Hi, I highly doubt that you were under a DoS attack. You do seem to have (or had) one or several viruses, trojans, rootkits, spyware, ad-ware etc. on your computer. The computer should be cleaned from these at your local computer shop with knowledge of this, updated and then made sure you have an antivirus and firewall that is up-to-date (many people assume their five year old antivirus program still does them any good).
Cookies are not dangerous so please don't confuse them with DoS or DDoS attacks.

BTW: dos (or DOS) is an operating system.

DOS aint a system like Linux

Anonymous's picture

DOS aint a system like Linux its the base of windows 95 n shit