
What Are Some of the Tools Attackers Use to Perform DDoS Attacks?

In document Hack Proofing Your E Commerce Site pdf (Page 141-146)

- Using the open source model allows a significant number of people to contribute to the development of new strains and versions of the DDoS tools. Contributions from hackers from a variety of backgrounds allow the code to develop organically and in surprising directions. Additionally, coding neophytes can pick at the source code used for a particular attack to hone and refine their own burgeoning skills.

- Trinoo, one of the first publicly available DDoS programs, rose to fame in August 1999 after it was used to successfully mount an attack on the University of Minnesota. Like most multi-tier DDoS attacks, the early stages of a trinoo attack involve the attacker compromising machines to become masters. The masters then receive copies of a number of utilities, tools, and—of course—the trinoo control and daemon programs. The master then compiles a list of machines with specific vulnerabilities (possibly involving buffer overflows in RPC services) targeted to act as zombies in the forthcoming attack. The trinoo daemon is then installed and configured to run on the compromised hosts.

- The main components of TFN2K after compile time are two binaries, namely tfn and td. Using a well-defined syntax, the client program (tfn) sends commands to the TFN2K daemons (which can be unlimited in number) installed on compromised hosts. The daemon (td) then carries out the commands as directed by the client. At the most basic level, tfn instructs td to either commence or halt attacks. TFN2K is quite versatile; it works on a number of platforms—even on Windows platforms using UNIX shells such as vmware and cygwin.

- The compilation of the Stacheldraht source code results in the generation of three binaries. The three binaries are client, mserv, and td, each of which is used in a separate tier in the attack model. Mserv is the client software because it runs on the master. Compromised hosts to be used as zombies are then configured to run the td binary, which contains the actual code to assemble attack packets and traffic streams. When the client binary is run, it establishes a telnet-like session with the master running the mserv program. Stacheldraht uses the freely available Blowfish encryption algorithm based on a 64-bit block cipher.

How Can I Protect My Site against These Types of Attacks?

- DDoS countermeasures include egress filtering of spoofed addresses and ingress filtering of broadcast packets. Egress filtering encompasses the filtering of outbound traffic, whereas ingress filtering relates to the filtering of inward-bound network traffic. Your ISP should be required to implement ingress filtering, which can aid in identifying zombie networks.

- Options available to minimize DDoS exposure include keeping the security profile current; profiling traffic patterns; splitting DNS infrastructure; using load balancing; tightening firewall configurations; securing perimeter devices and using traffic shaping; implementing an IDS, vulnerability scanner, and/or proxy server; taking snapshots and conducting integrity checks of existing configurations; configuring sacrificial hosts; increasing network and host management; maintaining a response procedure; and deploying more secure technologies.

- Network choke points are usually an excellent place to apply egress rules or filters. Choke points requiring egress filtering include all internal interfaces on firewalls, routers, and dial-in servers.

- Operating systems should be configured to ignore directed broadcasts, to incorporate SYN flood resilience, to establish strong passwords, and to have all unnecessary services turned off.

- A profusion of tools is available to aid in the identification and recovery of networks involved in DDoS attacks, including Nmap, Find_ddos, Zombie Zapper, tfn2kpass, RID, DDosPing, Ramenfind, DDS, GAG, and Tripwire.

- In case of attack, your response procedure should incorporate information gathering; contacting the ISP; applying more aggressive filters; applying different routing options; attempting to stop the attack; changing the IP address of the target system; and commencing the incident investigation.

Q: What sites should I be examining for updated DDoS tools and security information?

A: A number of excellent sites provide a significant amount of information. Table 2.3 provides a rough sampling of just a few of the sites available.

Table 2.3 Sources for DDoS Tools and Security Information

Site name                                   Link
David Dittrich’s DDoS site                  www.washington.edu/people/dad
Security Focus                              www.securityfocus.com
Bindview’s Razor team                       http://razor.bindview.com
Internet Security Systems X-Force           http://xforce.iss.net
National Infrastructure Protection Center   www.nipc.gov
Packet Storm                                http://packetstorm.security.com
Hideaway.Net                                www.hideaway.net
Attrition.org                               www.attrition.org
Linux Security                              www.linuxsecurity.com
Windows IT Security                         www.ntsecurity.net
Technotronic.com                            www.technotronic.com
Carnegie Mellon Software Institute          www.cert.org

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: I would like to configure my UNIX hosts not to respond to directed broadcasts. How do I do this?

A: Disabling directed broadcast is a good start to reduce the likelihood of being an amplifier network. If you are unsure whether edge devices have disabled directed broadcast, then they can be disabled at the operating system level. Be aware that using this method will take considerably more time than correctly configuring edge devices. Linux can be configured to ignore directed broadcasts by using this command:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

To disable directed broadcasts on Solaris, use the following command:

ndd -set /dev/ip ip_forward_directed_broadcasts 0

Q: My network has been compromised and Stacheldraht installed on several hosts. I have applied egress rules to my edge devices. Does this mean that spoofed packets cannot exit my network?

A: No. Even if the Stacheldraht ICMP echo test fails, the lowest eight bits of the address space are still spoofed.
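The egress and ingress rules from the summary above, and the point in this answer that a prefix-based egress rule still passes a source spoofed only in its last octet, as an added Python example (not from the book; the 192.0.2.0/24 topology, the sample packets and the per-port address bindings are constructed for illustration):

```python
import ipaddress
from dataclasses import dataclass

# Constructed example topology (not from the book): the protected network is
# 192.0.2.0/24 and the outside world is represented by 198.51.100.0/24.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed per-port address bindings (e.g. learned from DHCP leases or a switch
# port table). The book does not describe such bindings; they are an assumption
# used to show what prefix-based egress filtering alone cannot catch.
HOST_BINDINGS = {"port1": "192.0.2.10", "port2": "192.0.2.20"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: str  # choke-point interface the packet arrived on

def egress_prefix_ok(pkt: Packet) -> bool:
    """Egress rule at a choke point: only our own prefixes may leave."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INTERNAL_NETS)

def egress_host_ok(pkt: Packet) -> bool:
    """Stricter egress rule: the source must be the address bound to the port."""
    return HOST_BINDINGS.get(pkt.port) == pkt.src

def ingress_broadcast_ok(pkt: Packet) -> bool:
    """Ingress rule: drop traffic aimed at our directed-broadcast addresses."""
    dst = ipaddress.ip_address(pkt.dst)
    return all(dst != net.broadcast_address for net in INTERNAL_NETS)

def evaluate_outbound(packets):
    """Return {src: (passes prefix rule, passes per-host rule)} per packet."""
    return {p.src: (egress_prefix_ok(p), egress_host_ok(p)) for p in packets}

# Constructed outbound packets, all emitted by the host on port1 (192.0.2.10).
OUTBOUND = [
    Packet("192.0.2.10", "198.51.100.5", "port1"),  # genuine source
    Packet("10.9.8.7", "198.51.100.5", "port1"),    # fully spoofed source
    Packet("192.0.2.77", "198.51.100.5", "port1"),  # only the last octet spoofed
]

if __name__ == "__main__":
    for src, (prefix_ok, host_ok) in evaluate_outbound(OUTBOUND).items():
        print(f"{src:12} prefix-filter={'pass' if prefix_ok else 'drop'} "
              f"host-filter={'pass' if host_ok else 'drop'}")
```

The last-octet case passes the prefix rule, which is exactly why the answer above says egress rules at the edge do not stop Stacheldraht's fallback spoofing; catching it needs a per-host check closer to the zombie.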

Q: I have managed to track down the network addresses of hosts involved in a DDoS attack directed at my site. Why is Zombie Zapper not able to shut the clients down?

A: The networks infested with the zombie hosts may not have sufficient bandwidth available for packets to make it back to the attacking hosts. Be very careful when using DDoS tools in this fashion; other administrators or monitoring agencies may mistake the intent of your directed packets.
