3.4 Distributed Denial of Service Attacks
DDoS attacks use a combination of the techniques described in this chapter to launch a large-scale attack against a network or network device. DDoS attacks are very effective in knocking their targets offline, because they are focused attacks that generally exploit a small number of weaknesses.
A DDoS attack is relatively simple: An attacker scans a series of network blocks looking for specific vulnerabilities. When a vulnerable host is found, it is exploited and used to scan for other hosts with the same vulnerability or group of vulnerabilities. This creates a chain of computers that are under the control of the attacker.
The tools used to launch DDoS attacks are automated: when the DDoS tool locates a vulnerable host, it is automatically compromised and a rootkit is installed. The first set of vulnerable hosts is called the handlers. The handlers are then used to locate a second set of vulnerable hosts, known as agents (this process is outlined in Figure 3.6). By creating a two-tier system, the attacker is able to keep his or her source IP address from being discovered. Instead, the attacker launches the attack from the handlers.
DDoS attacks serve only one purpose: to make a network or host unavailable. This is accomplished by using compromised hosts to issue a large stream of TCP requests against the target. The large number of TCP requests uses up system resources on the target host or network, making it unavailable for legitimate traffic.
There are several tools used to launch DDoS attacks. The best known, and the first DDoS tool ever detected, is Trin00 (also spelled Trinoo), along with its cousin for Microsoft Windows, Wintrinoo. Trin00 works by sending a large number of UDP packets, each carrying four bytes of data. These packets are sent from the same source port on the attacking machine, but to various ports on the target host or network. The target host or network responds with ICMP port unreachable messages until all available resources are used up and the system shuts down.
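As an added detection example (not code from the book), the following Python looks for the Trin00 traffic pattern described above in a constructed set of packet records: tiny UDP datagrams from one fixed source port sprayed across many ports of a single host, correlated with the ICMP port-unreachable replies that host sends back. The record layout, addresses and thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample packet records (not captured traffic), one tuple per packet:
# (src, dst, proto, a, b, plen). For "udp", a/b are source/destination port;
# for "icmp", a/b are ICMP type/code, so (3, 3) is "port unreachable".
SAMPLE = (
    # Trin00-style spray: one source port, 60 distinct target ports, 4-byte payloads
    [("10.0.0.5", "192.0.2.10", "udp", 27444, 1024 + i, 4) for i in range(60)]
    # the target answering every datagram with ICMP port unreachable
    + [("192.0.2.10", "10.0.0.5", "icmp", 3, 3, 0) for _ in range(60)]
    # benign DNS: many source ports but a single destination port, larger payloads
    + [("10.0.0.7", "192.0.2.53", "udp", 40000 + i, 53, 40) for i in range(60)]
    # a few tiny datagrams to one port only (keepalive-like), below threshold
    + [("10.0.0.8", "192.0.2.10", "udp", 5000, 5000, 4) for _ in range(10)]
)


def udp_spray_suspects(records, min_ports=50, max_payload=4):
    """Group tiny UDP datagrams by (src, sport, dst) and flag groups in which a
    single source port reached at least min_ports distinct destination ports."""
    seen = defaultdict(set)
    for src, dst, proto, a, b, plen in records:
        if proto == "udp" and plen <= max_payload:
            seen[(src, a, dst)].add(b)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_ports}


def port_unreachable_counts(records):
    """Count ICMP type 3 / code 3 (port unreachable) messages per (sender, receiver);
    a host emitting these in a burst is a likely victim answering a spray."""
    counts = Counter()
    for src, dst, proto, a, b, plen in records:
        if proto == "icmp" and (a, b) == (3, 3):
            counts[(src, dst)] += 1
    return counts


def correlate(records, min_ports=50):
    """Join both views: one alert per spray, carrying how many port-unreachable
    replies the target sent back toward the sprayer (0 if it stayed silent)."""
    unreach = port_unreachable_counts(records)
    alerts = []
    for (src, sport, dst), nports in udp_spray_suspects(records, min_ports).items():
        alerts.append({"source": src, "sport": sport, "target": dst,
                       "dst_ports": nports,
                       "port_unreachable": unreach.get((dst, src), 0)})
    return alerts
```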
The Tribal Flood Network (TFN) behaves in much the same manner as Trin00, except in the way the attacker communicates with the handlers. Trin00 uses UDP packets to send information among attacker, handler, and agent. UDP packets are easily detected by an IDS, so TFN relies on ICMP packets for communication between the levels.
The attack structure is basically the same between TFN and Trin00, but the use of ICMP packets for communication makes TFN much more difficult to detect than Trin00 attacks.
A third tool is Stacheldraht. Once again, Stacheldraht's attack model is the same as that of TFN and Trin00, but the communication between devices is different.
Stacheldraht uses a combination of ICMP and TCP to communicate between the attacking hosts. In addition, Stacheldraht encrypts all information sent between the attacking hosts using symmetric key encryption.
As administrators have started taking network security more seriously, large-scale DDoS attacks, like those that affected eBay and Amazon in February 2000, have become less common. However, smaller DDoS attacks still occur with amazing frequency. Because it is hard to stop DDoS attacks once they have been launched, the most effective method of prevention is to not let them start in the first place. This requires keeping systems properly patched to prevent hosts from being used as either handlers or agents. If a script kiddie is unable to find any hosts from which to launch the attack, the attack will not occur.