A Distributed Denial of Service (DDoS) attack is an attempt to bring a network or host to a halt by flooding a specific service or port on a server with useless traffic from many sources at once. The volume of traffic overwhelms the service, so that legitimate traffic is dropped or ignored.
DDoS attacks developed from the basic DoS attacks seen in the wild around 1997. Where a DoS attack originates from a single source, a DDoS attack can emerge from hundreds of locations around the world. The most visible attacks were those of February 2000, when high-traffic sites (eBay, Amazon, Yahoo, CNN, Buy.com, Datek, ZDNet) were faced with the task of handling huge amounts of spoofed traffic. More recently there have been attacks on Cisco that resulted in considerable downtime, and some public blacklists have been targeted by spammers and taken out of business.
The following are the different types of attacks.
Smurfing: The culprit sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it carrying the spoofed source address of the victim. Every host on each broadcast network replies to the victim, so the traffic is multiplied by the number of responding hosts.
Fraggle: The cousin of the smurf attack. It uses UDP echo packets (port 7) in the same way as the ICMP echo traffic.
Ping Flood: The culprit attempts to disrupt service by sending a flood of ping (ICMP echo) requests directly to the victim, relying on raw volume rather than amplification.
Syn Flood: Exploiting the way the TCP three-way handshake keeps state, the culprit sends a stream of connection requests (SYN packets) at the victim, each with a spoofed source address that will never answer. The server replies to each with a SYN-ACK and holds a half-open connection waiting for the final ACK, which never arrives. Its queue of half-open connections fills, and it spends its resources retransmitting SYN-ACKs instead of serving real clients, whose own SYNs are dropped.
Land: The culprit sends a forged packet whose source and destination IP address (and port) are both the victim's. Vulnerable systems get confused and crash or reboot.
Teardrop: The culprit sends IP fragments whose offset values have been manipulated so that they overlap and cannot be reassembled properly, causing a reboot or halt of the victim's system.
Bonk: This attack usually affects Windows machines. The culprit sends corrupted UDP packets to the DNS port, 53; the system gets confused and crashes.
Boink: Similar to the Bonk attack, except that it targets multiple ports instead of only port 53.
Worming: The worm sends a large amount of data to remote servers. It first verifies that it has connectivity by attempting to contact a website outside the network; if that succeeds, the attack is initiated. This is usually done in conjunction with a mass-mailing of some sort.
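The SYN flood entry above is the one worth seeing in motion, because the damage comes from state, not bandwidth. The following is an added illustration, not code from the article: a toy model of a listener's backlog of half-open connections. The addresses, the backlog size, the timeout and the tick-based timing are invented; a real stack retransmits the SYN-ACK several times and keeps a per-socket backlog, but the mechanism is the same: each spoofed SYN costs the server a half-open entry until that entry times out, and a genuine client whose SYN arrives while the queue is full is simply dropped.

```python
"""Toy model of a TCP listener's SYN backlog under a SYN flood.

Added illustration, not code from the article. The addresses, backlog size
and timeout are invented; a real stack retransmits the SYN-ACK several
times and keeps a per-socket backlog, but the mechanism is the same: each
spoofed SYN costs the server a half-open entry until that entry times out.
"""

SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"


class Listener:
    def __init__(self, backlog, timeout):
        self.backlog = backlog      # maximum half-open (SYN_RECV) entries
        self.timeout = timeout      # ticks an unanswered SYN-ACK is remembered
        self.half_open = {}         # (src_ip, src_port) -> tick at which the entry expires
        self.established = []       # completed handshakes
        self.dropped = 0            # SYNs refused because the backlog was full

    def _expire(self, now):
        for key in [k for k, until in self.half_open.items() if until <= now]:
            del self.half_open[key]

    def receive(self, now, src, sport, flag):
        """Handle one segment; return the reply the server sends, or None."""
        self._expire(now)
        key = (src, sport)
        if flag == SYN:
            if len(self.half_open) >= self.backlog:
                self.dropped += 1   # backlog full: the SYN is lost, whoever sent it
                return None
            self.half_open[key] = now + self.timeout
            return SYN_ACK          # goes to src, which the attacker spoofed
        if flag == ACK and key in self.half_open:
            del self.half_open[key]  # third step of the handshake frees the entry
            self.established.append(key)
        return None


def simulate(backlog=8, timeout=30, attack_rate=2, ticks=40, legit_at=(1, 10, 20)):
    """Flood a listener and interleave a few genuine connection attempts.

    The attacker sends attack_rate SYNs per tick from spoofed sources in
    203.0.113.0/24 (a documentation range: nothing there will ever reply).
    A genuine client at 192.0.2.10 sends a SYN at each tick in legit_at and
    ACKs on the following tick if it received a SYN-ACK.
    """
    server = Listener(backlog, timeout)
    legit_ip = "192.0.2.10"
    pending_ack = []            # (tick, sport) pairs the genuine client will ACK
    legit_dropped = 0
    spoofed = 0
    for now in range(ticks):
        for tick, sport in [p for p in pending_ack if p[0] == now]:
            server.receive(now, legit_ip, sport, ACK)
            pending_ack.remove((tick, sport))
        if now in legit_at:
            sport = 40000 + now
            if server.receive(now, legit_ip, sport, SYN) == SYN_ACK:
                pending_ack.append((now + 1, sport))
            else:
                legit_dropped += 1
        for _ in range(attack_rate):
            spoofed += 1
            server.receive(now, "203.0.113.%d" % (spoofed % 256), 1024 + spoofed, SYN)
    return {
        "established": len(server.established),
        "legit_dropped": legit_dropped,
        "half_open_at_end": len(server.half_open),
        "syns_dropped": server.dropped,
    }


if __name__ == "__main__":
    print(simulate())                # defaults: the flood keeps the backlog full
    print(simulate(timeout=3))       # entries expire faster than they arrive
```

With the defaults the attacker needs only two SYNs per tick to keep an eight-entry backlog full, because each entry is held for thirty ticks: the queue stays full whenever attack_rate times timeout is at least backlog. Shortening the timeout to three ticks (the second call) drops that product below the backlog and all three genuine connections succeed, which is why the knobs on a real stack are the backlog size and how long, and how often, the SYN-ACK is retried.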
Proactive Measures
With the current TCP/IP implementation there is very little that companies can do to prevent their network from being DDoSed. Companies can be proactive by making sure all their systems are patched and are running only the services they need. Implementing egress/ingress filtering and enabling logging on all routers will also defeat some DDoS attacks. "Egress filtering is the process of examining all packet headers leaving a subnet for address validity. If the packet's source IP address originates inside the subnet that the router serves, then the packet is forwarded. If the packet has an illegal source address, then the packet is simply dropped. There is very little overhead involved, therefore there is no degradation to network performance."
-Cisco Website
Note that egress filtering stops your own hosts from sending spoofed packets: it protects other networks from yours, and it protects you only to the extent that the networks the attackers sit on do the same.
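The rule in the Cisco quote is simple enough to state as code. Below is an added example, not code from the article or from Cisco, of the egress check it describes together with the matching ingress check on the upstream side. The served subnet, the packet records, the list of unroutable address space and the directed-broadcast rule (which removes the amplifier a smurf attack needs) are all constructed for the illustration; on a real router these are access-list entries, not Python.

```python
"""Source-address filtering at a subnet's edge router, as in the Cisco quote.

Added example, not code from the article or from Cisco. The served subnet,
the packet records and the unroutable-address list are constructed for the
illustration; on a real router these rules are ACLs, not Python.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# Address space that should never appear as a source on the public Internet.
# Short constructed list; a real deployment would use a maintained bogon feed.
NEVER_ROUTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def egress_filter(served, pkt):
    """Packet leaving the subnet this router serves.

    Forward only when the source really belongs to the subnet (the RFC 2827 /
    BCP 38 rule); anything else is a spoofed source and is dropped.
    """
    if ipaddress.ip_address(pkt.src) in served:
        return ("forward", "source inside served subnet")
    return ("drop", "spoofed source %s leaving %s" % (pkt.src, served))


def ingress_filter(served, pkt):
    """Packet arriving from the upstream link."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in served:
        return ("drop", "outside packet claims an inside source")
    if any(src in net for net in NEVER_ROUTED):
        return ("drop", "source is unroutable address space")
    # A smurf attack needs the subnet's directed-broadcast address reachable
    # from outside; refusing it here removes the amplifier.
    if dst == served.broadcast_address:
        return ("drop", "directed broadcast into served subnet")
    return ("forward", "ok")


def apply_filters(served, outbound, inbound):
    """Return the egress and ingress decisions for two lists of packets."""
    served = ipaddress.ip_network(served)
    return ([egress_filter(served, p)[0] for p in outbound],
            [ingress_filter(served, p)[0] for p in inbound])


# Constructed traffic for a router serving 198.51.100.0/24 (documentation prefix).
OUTBOUND = [
    Packet("198.51.100.7", "203.0.113.5"),   # genuine inside host
    Packet("192.0.2.99", "203.0.113.5"),     # inside host spoofing a victim's address
    Packet("10.0.0.1", "203.0.113.5"),       # inside host spoofing RFC 1918 space
]
INBOUND = [
    Packet("203.0.113.5", "198.51.100.7"),    # normal reply traffic
    Packet("198.51.100.7", "198.51.100.9"),   # outsider claiming an inside source
    Packet("127.0.0.1", "198.51.100.7"),      # outsider using loopback as source
    Packet("192.0.2.99", "198.51.100.255"),   # smurf trigger aimed at the broadcast address
]

if __name__ == "__main__":
    print(apply_filters("198.51.100.0/24", OUTBOUND, INBOUND))
```

The second outbound packet is the case the quote is about: a compromised host inside the subnet trying to take part in a smurf or SYN flood with a victim's address as its source never gets past its own router. The ingress side is the mirror image, and the directed-broadcast check is what stops the subnet being used as a smurf amplifier against someone else.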
Below you will find a simple SYN attack detection script that could be set to run every 5 minutes via a cron job. In case of an attack you would receive an email with the IP information; remember that the IP information is usually spoofed.
#!/usr/bin/perl -w
# Simple script to monitor for SYN attacks: counts half-open TCP
# connections and mails the list to the admin when they exceed a threshold.
# Run it from cron, e.g. every 5 minutes.
use strict;

my $syn_alert = 15;                      # half-open connections before alerting
my $admin     = 'admin@yourcompany.com'; # change to your own address
my $hostname  = `hostname`;
chomp($hostname);

# Count only SYN_RECV (half-open) entries; a plain "SYN" match would also
# count the host's own outgoing SYN_SENT connections. BSD prints SYN_RCVD.
my $num_of_syn = `netstat -an | grep -c SYN_RECV`;
chomp($num_of_syn);

if ($num_of_syn > $syn_alert) {
    # Mail the list; remember the source addresses are usually spoofed.
    system("netstat -an | grep SYN_RECV | mail -s 'SYN ATTACK DETECTED ON $hostname' $admin");
}
exit;
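The script above only counts lines. The added example below, not part of the original page, parses the same netstat output so that the half-open connections can be grouped by local port and by source, which is what you want in the alert mail when deciding whether the addresses are spoofed. The netstat lines are constructed Linux-style output; Linux prints the half-open state as SYN_RECV, BSD-derived systems as SYN_RCVD, and the naive count is shown alongside to make the overcounting visible.

```python
"""Parse `netstat -an` output and summarise half-open TCP connections.

Added example in the spirit of the article's Perl script, not part of the
original page. SAMPLE_NETSTAT is constructed Linux-style output; Linux
prints the half-open state as SYN_RECV, BSD-derived systems as SYN_RCVD.
"""
from collections import Counter

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.7:80         203.0.113.5:51234       ESTABLISHED
tcp        0      0 198.51.100.7:45000      203.0.113.200:25        SYN_SENT
tcp        0      0 198.51.100.7:80         10.11.12.13:1025        SYN_RECV
tcp        0      0 198.51.100.7:80         10.99.3.4:1026          SYN_RECV
tcp        0      0 198.51.100.7:80         172.16.5.5:1027         SYN_RECV
tcp        0      0 198.51.100.7:80         192.168.77.1:1028       SYN_RECV
tcp        0      0 198.51.100.7:80         198.18.0.9:1029         SYN_RECV
tcp        0      0 198.51.100.7:80         203.0.113.100:1030      SYN_RECV
tcp        0      0 198.51.100.7:80         203.0.113.101:1031      SYN_RECV
tcp        0      0 198.51.100.7:80         203.0.113.102:1032      SYN_RECV
tcp        0      0 198.51.100.7:80         203.0.113.103:1033      SYN_RECV
tcp        0      0 198.51.100.7:80         203.0.113.104:1034      SYN_RECV
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""


def naive_syn_count(text):
    """What `netstat -an | grep -c SYN` reports: every line mentioning SYN."""
    return sum(1 for line in text.splitlines() if "SYN" in line)


def half_open_connections(text):
    """Yield (local_port, foreign_ip) for each TCP entry in a half-open state."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] not in HALF_OPEN_STATES:
            continue
        local_port = fields[3].rsplit(":", 1)[1]
        foreign_ip = fields[4].rsplit(":", 1)[0]
        yield local_port, foreign_ip


def summarize(text, threshold=15):
    """Count half-open connections and group them by local port and source."""
    entries = list(half_open_connections(text))
    by_port = Counter(port for port, _ in entries)
    by_source = Counter(ip for _, ip in entries)
    return {
        "half_open": len(entries),
        "by_local_port": dict(by_port),
        "distinct_sources": len(by_source),
        "busiest_source": by_source.most_common(1)[0] if by_source else None,
        "alert": len(entries) > threshold,
    }


if __name__ == "__main__":
    print("grep -c SYN would say:", naive_syn_count(SAMPLE_NETSTAT))
    print(summarize(SAMPLE_NETSTAT, threshold=8))
```

In the constructed sample the naive grep counts the server's own outgoing SYN_SENT to a mail relay as part of the attack, while the parser reports ten half-open connections, all on port 80, from ten different addresses with one connection each. A spread like that, with sources in private ranges such as 10.0.0.0/8 and 192.168.0.0/16 that could never legitimately reach a public server, is what spoofed traffic looks like, which is why the article warns not to trust the IP information in the alert.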
Conclusion: DDoS attacks are very difficult to trace and stop. New hardware appliances are being manufactured specifically to handle these types of attacks. Many dedicated server providers simply unplug the server that is being attacked until the attack has stopped. This is not a solution; it is a careless and temporary fix. The culprit will still exist and is not held accountable for their actions. Once an attack is detected, hosts should immediately engage their upstream providers.