
Other Tools

In document Hack Proofing Your E Commerce Site pdf (Page 134-138)

A number of other tools are available to detect DDoS agents on your hosts and so reduce your exposure to, or involvement in, DDoS attacks. A few of them are briefly described in the following list:

RID: Developed by the Theory Group, RID can help administrators determine which hosts have been compromised by DDoS tools. RID issues packets that are defined in a configuration file; if a host replies to these packets, RID knows that it has been compromised, because no legitimate service answers them. Example configurations exist for detecting Stacheldraht (v1.1 and v4), TFN, and Wintrinoo. You can download it from www.theorygroup.com/software/RID; it requires libpcap to run, which you can download from www.tcpdump.org.

DDosPing: A Windows-based utility that scans remote hosts for the presence of trinoo, TFN, and Stacheldraht. It can be run and configured via a graphical front end. You can download it by selecting the Scanner option at www.foundstone.com/rdlabs/tools.php.

Ramenfind: Can be used to detect and remove the Ramen worm (which has been used to distribute DDoS tools). You can download it from www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.html.

DDS: Can be used to detect trinoo, TFN, and Stacheldraht. You can download it from http://staff.washington.edu/dittrich/misc/ddos.

GAG: Can be used to detect Stacheldraht agents. You can download it from http://staff.washington.edu/dittrich/misc/ddos.

Tripwire: A freely available tool that checks the file and directory integrity of a system against a stored baseline and reports whether modifications have been made, such as the installation of a rootkit or a DDoS daemon. You can download it from www.tripwire.com.

Commercial third-party tools: A number of tools are available from reputable security companies that can detect DDoS programs. Vulnerability assessment tools can scan a host to determine whether it is susceptible to a particular (DDoS) vulnerability and sometimes recommend remedial actions. Mainstream examples of this type of software include ISS Internet Scanner (www.iss.net/securing_e-business/security_products/index.php) and Axent NetRecon (http://enterprisesecurity.symantec.com).
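The Tripwire entry describes the other detection approach in the list: a stored baseline of file hashes and attributes, compared against the live system to spot a dropped daemon or a replaced binary. The following is an added example of that baseline-and-compare technique, written for this page and not Tripwire's own code; demo() builds a throw-away directory tree in a temporary location and the "intrusion" it simulates is constructed.

```python
"""Tripwire-style integrity baseline: record size, mode and SHA-256 of every
regular file under a directory tree, then diff a later snapshot against it to
find added, removed and changed files (a DDoS daemon dropped into a system
directory, a replaced netstat).

Added example, not Tripwire's own code.  demo() builds a throw-away tree in a
temporary directory to show the comparison end to end."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative path) under root to its size, permission
    bits and SHA-256.  Symlinks are skipped so a link cannot point the hashing
    at a file outside the tree."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"size": st.st_size,
                             "mode": st.st_mode & 0o7777,
                             "sha256": hash_file(full)}
    return baseline


def compare(baseline, current):
    """Report added, removed and changed paths.  Any change in size, mode or
    hash counts; a setuid bit appearing on an otherwise identical binary is
    still a finding."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intrusion
    that replaces one binary with one of the same size, drops a new daemon and
    deletes a log.  Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "sbin", "netstat"), "wb") as f:
            f.write(b"original netstat binary")
        with open(os.path.join(root, "log", "messages"), "wb") as f:
            f.write(b"boot ok\n")
        saved = json.dumps(build_baseline(root))  # in practice: stored read-only, off-host

        # "intrusion": trojaned netstat (same size), new daemon binary, log wiped
        with open(os.path.join(root, "sbin", "netstat"), "wb") as f:
            f.write(b"trojaned netstat binary")
        with open(os.path.join(root, "sbin", "td"), "wb") as f:
            f.write(b"ddos daemon")
        os.remove(os.path.join(root, "log", "messages"))

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned netstat in the demo has exactly the same size as the original, which is why the comparison keys on a cryptographic hash and not on size or timestamps. The check is only as trustworthy as the baseline and the checker: an intruder with root can rewrite both, so keep the baseline off-host or on read-only media and run the checker from a trusted copy.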

Summary

DoS attacks aim to degrade or deny the service that a computing infrastructure delivers. Though this type of attack does not involve the theft of electronic assets, the effect on the business can be significant. A number of DoS attack tools are available on the Internet, and many of them have been designed with the premise that they should be simple to use. Consequently, the use of DDoS tools has extended beyond those considered technically competent and into the hands of relative Internet neophytes.

DoS attacks primarily originate from remote systems, but they can also take place locally on the host in question. The effects of a DoS attack are far-reaching and can be detrimental to both the business and the corporate image.

Resource consumption attacks and malformed packet attacks are two categories of DoS attacks. A resource consumption attack uses a directed attack to reduce the resources available to legitimate users. These attacks can consume system resources such as memory, CPU, and connection queues, or network resources such as bandwidth. Two common examples of resource consumption attacks are SYN flood and Smurf attacks.

A SYN flood achieves its effect by interfering with the mechanics of how a TCP connection is initiated. Setting up a TCP connection begins with the client sending a SYN packet to the server. The server responds to the client's SYN with an ACK and its own SYN, combined into a single SYN/ACK segment, and the client replies with the final part of the three-way handshake, an ACK. A SYN flood tool abuses this handshake by sending the initial SYN to the server with a spoofed (forged) source address. The server receiving the SYN responds with a SYN/ACK, but because the source address was forged, the SYN/ACK goes to a host that never sent a SYN and is never answered (attackers choose unreachable or nonexistent addresses, since a live host would reply with a RST and free the entry). The server must hold each such half-open connection in its backlog until the entry times out.

The attacker sends a large number of these SYNs in an effort to exhaust the finite number of half-open connections the server will hold. Eventually the connection queue (backlog) overflows and the server drops or rejects connection requests from legitimate clients.
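To make the backlog exhaustion concrete, here is an added in-process simulation written for this page (not a real TCP stack and not from the book): a listener that stores every half-open connection, and beside it a stateless listener that derives its initial sequence number from an HMAC over the client tuple and a time slot, the idea behind SYN cookies. The addresses are documentation ranges and the backlog size is an assumption.

```python
"""Two toy listeners under a SYN flood: a classic backlog that stores every
half-open connection, and a stateless SYN-cookie listener.  Sequence numbers
are 32-bit like TCP's; everything else is simulated in-process.

Added example written for this page, not a real TCP stack; addresses are
constructed documentation ranges and the backlog size is an assumption."""
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF


class BacklogServer:
    """Every SYN allocates an entry until the backlog is full; spoofed SYNs are
    never completed, so their entries sit there until they time out."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = {}  # (src, sport) -> ISN we sent in the SYN/ACK

    def on_syn(self, src, sport, now):
        if len(self.half_open) >= self.capacity:
            return None  # queue full: SYN dropped, no SYN/ACK goes out
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src, sport)] = isn
        return isn  # carried in the SYN/ACK

    def on_ack(self, src, sport, ack, now):
        isn = self.half_open.get((src, sport))
        if isn is None or ack != (isn + 1) & MASK:
            return False
        del self.half_open[(src, sport)]  # entry freed, connection established
        return True


class SynCookieServer:
    """The ISN is an HMAC over the client tuple and a coarse time slot, so the
    handshake needs no stored state: a valid ACK is verified by recomputing
    the cookie, and a forged SYN costs the server nothing but one SYN/ACK."""

    def __init__(self, secret=None, slot=64):
        self.secret = secret or os.urandom(32)
        self.slot = slot  # seconds; a cookie is accepted for this and the previous slot

    def _cookie(self, src, sport, t):
        msg = f"{src}:{sport}:{t // self.slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, sport, now):
        return self._cookie(src, sport, now)  # nothing is stored

    def on_ack(self, src, sport, ack, now):
        return any(ack == (self._cookie(src, sport, t) + 1) & MASK
                   for t in (now, now - self.slot))


def run_flood(server, spoofed, now=1_000_000):
    """Send `spoofed` SYNs from forged sources that never answer the SYN/ACK,
    then try one legitimate client.  Returns True if that client connected."""
    for i in range(spoofed):
        server.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i % 60000, now)
    isn = server.on_syn("198.51.100.7", 51515, now)
    if isn is None:
        return False  # the legitimate client never even saw a SYN/ACK
    return server.on_ack("198.51.100.7", 51515, (isn + 1) & MASK, now + 1)


if __name__ == "__main__":
    print("backlog 128, 128 spoofed SYNs:", run_flood(BacklogServer(128), 128))
    print("backlog 128,  10 spoofed SYNs:", run_flood(BacklogServer(128), 10))
    print("SYN cookies, 10000 spoofed SYNs:", run_flood(SynCookieServer(), 10_000))
```

Real stacks implement the second listener as SYN cookies (on Linux, net.ipv4.tcp_syncookies; RFC 4987 surveys this and the other common mitigations). Production cookies also have to encode the client's MSS in the sequence number, because the options carried in the SYN cannot be stored either; this example omits that detail.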

A Smurf attack leverages the undesirable ability of some networks to respond to directed broadcasts. The attacker sends ICMP echo requests to the directed broadcast address of such networks (the amplifiers) with a spoofed source address, substituting the victim's address as the source. Every host on the amplifier network then responds with an ICMP echo reply directed at the victim, so a single request is multiplied by the number of responding hosts. This can lead to bandwidth consumption and denial of service for the victim, and the amplifier network's own bandwidth suffers as well.
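The following added example, written for this page and not taken from the book, shows both ends of the Smurf problem: a router-side filter that refuses to forward packets to a directed broadcast address of its connected networks, and a detector that spots the reply pattern on the victim side. The packet records and the router's networks are constructed from documentation address ranges; grouping amplifier hosts by /24 is an assumption made for the sample.

```python
"""Smurf amplification: the router-side fix (refuse to forward packets to a
directed-broadcast address) and a detector that spots the reply pattern on
the victim side.  Added example written for this page; the packet records and
router networks are constructed from documentation address ranges."""
import ipaddress
from collections import Counter

ECHO_REQUEST, ECHO_REPLY = 8, 0


def is_directed_broadcast(dst, connected_networks):
    """True if dst is the broadcast address of one of the router's connected
    networks (given as CIDR strings).  Forwarding such a packet from outside
    turns every host on that network into an amplifier."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(n).broadcast_address
               for n in connected_networks)


def forward(packets, connected_networks):
    """Router filter: drop directed broadcasts, forward everything else."""
    kept, dropped = [], []
    for p in packets:
        (dropped if is_directed_broadcast(p["dst"], connected_networks) else kept).append(p)
    return kept, dropped


def smurf_victims(packets, min_replies=20):
    """Victim-side detector: an address receiving many echo replies from hosts
    of one network, for requests it never sent, is being smurfed.  Returns
    {victim: (amplifier_network, reply_count)} for flows over the threshold.
    Assumption: amplifier hosts are grouped by their /24."""
    requests_sent = {(p["src"], p["dst"]) for p in packets if p["type"] == ECHO_REQUEST}
    counts = Counter()
    for p in packets:
        if p["type"] != ECHO_REPLY or (p["dst"], p["src"]) in requests_sent:
            continue  # not a reply, or a reply to something actually asked for
        amp = str(ipaddress.ip_network(p["src"] + "/24", strict=False))
        counts[(p["dst"], amp)] += 1
    return {victim: (amp, n) for (victim, amp), n in counts.items() if n >= min_replies}


def sample_capture():
    """Constructed: one echo request to 192.0.2.255 with the source forged as the
    victim 198.51.100.7, 50 replies from the amplifier network to the victim,
    and one legitimate ping/pong pair that must not be flagged."""
    pkts = [{"src": "198.51.100.7", "dst": "192.0.2.255", "type": ECHO_REQUEST}]
    pkts += [{"src": f"192.0.2.{h}", "dst": "198.51.100.7", "type": ECHO_REPLY}
             for h in range(1, 51)]
    pkts += [{"src": "198.51.100.9", "dst": "203.0.113.4", "type": ECHO_REQUEST},
             {"src": "203.0.113.4", "dst": "198.51.100.9", "type": ECHO_REPLY}]
    return pkts


if __name__ == "__main__":
    router_networks = ["192.0.2.0/24", "203.0.113.0/25"]  # constructed
    kept, dropped = forward(sample_capture(), router_networks)
    print(f"router forwarded {len(kept)}, dropped {len(dropped)} directed broadcast(s)")
    for victim, (amp, n) in smurf_victims(sample_capture()).items():
        print(f"{victim} received {n} unsolicited echo replies from {amp}")
```

In the sample one forged request yields 50 replies, which is the amplification factor the attacker is after. On real equipment the filter is the `no ip directed-broadcast` interface setting on Cisco IOS, and RFC 2644 made dropping directed broadcasts the default for routers; the detector is a starting point for an IDS rule, and the "requests never sent" check is what separates a Smurf from an ordinary burst of replies to your own ping sweep.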

The second attack category, the malformed packet attack, crafts a specifically tailored network packet that causes unexpected behavior on the target system. Examples include Teardrop (overlapping IP fragments) and land attacks (a SYN whose source address and port are the same as its destination).

A DDoS attack is the next step in the evolution of DoS attacks and consists of three pieces of software: the client, the master (or handler), and the daemon (or agent). The attack hierarchy consists of compromised hosts running the DDoS software. After building this distributed hierarchy, the attacker uses the client software to send control commands to one or more master computers. Each master then instructs its zombies (hosts running the daemon) to launch a coordinated attack directed at the victim.

Current advances in technology and Internet acceptance make e- commerce sites even more attractive targets for DDoS attacks.

Unfortunately the sensationalism accompanying attacks feeds the cycle of Internet abuse. An attacker may target a site for a number of reasons, including financial gain, recognition, hacktivism, revenge, and the notion of ethical hacking.

There are a number of DDoS tools available in source code format, including trinoo, TFN2K, and Stacheldraht. One of the first DDoS tools, trinoo is technically not as advanced as its later cousins and is easier to detect. Trinoo follows the three-tier design of most distributed attacks, using an Attacker ➔ Client ➔ Daemon chain.

TFN2K can be compiled on Linux, Solaris, and Windows NT and consists of two main binaries after compilation, tfn and td. The tfn program is the client program the attacker uses to instruct the daemon process (td) running on zombie machines to commence or halt attacks. Communication between the client and daemon software can be difficult to detect because it is one way, encrypted, and interspersed with decoy packets.

When compiled, Stacheldraht consists of three binaries: client, mserv, and td. Each binary is used in a separate tier of the attack model. Communication between the client and mserv is symmetrically encrypted with the Blowfish algorithm.

No solution can satisfactorily protect hosts and networks against DDoS attacks. All a business can do is aim to reduce the effectiveness of DDoS attacks, detect them when they occur, and ensure that its own hosts are not compromised and forced to participate in attacks. The cost of mitigating these attacks has to be realistically examined in relation to the cost of reducing the exposure.
