Distributed Denial of Service Attacks (DDoS)
By Rik Farrow
In my November 1999 column "Blocking Buffer Overflow Attacks," I mentioned that
some security experts were bored by the lack of innovative exploits. Well, a new
class of exploit known as a Distributed Denial of Service (DDoS) attack has
surfaced recently, and it's frightening. The emergence of DDoS also explains why
someone would scan and break into thousands of systems, which is seemingly
inexplicable behavior, except in light of this new exploit.
Network-based denial of service attacks became popular after the SYN floods that
took down Web servers in 1996. Winnuke, teardrop, Land, bonk, snork, and smurf
are but a few of the denial of service attacks that crash systems or clog
networks. While these attacks are unpleasant enough, a new dimension has been
added: These attacks can now be launched simultaneously from hundreds of
remote-controlled attack servers.
Three tools for DDoS attacks, which can be found at hacker download sites, are
trinoo, Tribe FloodNet (TFN), and TFN2K. At the time this article was written, a
tool named stacheldraht (which means "barbed wire" in German) appeared,
encompassing the most harmful features of TFN and trinoo.
In an ordinary network-based denial of service attack, an attacker uses a tool
to send packets to the target system. These packets are designed to disable or
overwhelm the target system, often forcing a reboot. Often, the source address
of these packets is spoofed, making it difficult to locate the real source of
In the DDoS attack, there might still be a single attacker, but the effect of
the attack is greatly multiplied by the use of attack servers known as "agents"
(see figure). Called "daemons" in trinoo and "servers" in TFN, these agents are
remotely controllable by the hacker. To get an idea of the scope of this attack,
over 1,000 systems were used at different times in a concerted attack on a
single server at the University of Minnesota. The attack not only disabled that
server but denied access to a very large university network.
Before an attacker can launch a DDoS attack, he or she does have some work to
do, including gaining root or administrator access to as many systems as
possible. So far, Solaris and Linux systems have been used as agents in DDoS
attacks. To gain access, scanning tools like sscan are used to probe for systems
with specific vulnerabilities. With a list of these systems ready, the attacker
uses a script to break into each of them and install the server software.
Dave Dittrich of the University of Washington mentions in his description of
trinoo that the remote copy command (rcp) is often used during installation. The
installation server will be another compromised system, and the sudden increase
in rcp activity can be an indicator that a system has not only been compromised
but is also being used to break into many more systems. Once the agent has been
installed and started, it is ready to use.
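The rcp indicator described above can be checked mechanically. The following is an added example, not code from the article or from Dittrich's analysis: it counts how many distinct remote peers pull files with rcp from one host inside a short window. The syslog message layout after "rshd[pid]:", the host names, addresses, window and threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines; the rshd message layout is an assumption.
SAMPLE_LOG = """\
Jan 12 03:10:01 hostA rshd[411]: root@203.0.113.5 as root: cmd='rcp -f pkg.tar'
Jan 12 03:10:09 hostA rshd[412]: root@203.0.113.9 as root: cmd='rcp -f pkg.tar'
Jan 12 03:10:20 hostA rshd[415]: root@198.51.100.7 as root: cmd='rcp -f pkg.tar'
Jan 12 03:10:41 hostA rshd[419]: root@198.51.100.30 as root: cmd='rcp -f pkg.tar'
Jan 12 03:11:02 hostA sshd[500]: session opened for user admin
Jan 12 09:30:00 hostB rshd[77]: ops@192.0.2.14 as ops: cmd='rcp -f report.txt'
"""

# Captures: timestamp, logging host, remote peer that requested the copy.
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \S*rshd\[\d+\]: "
    r"\S+@(\S+) as \S+: cmd='rcp "
)

def rcp_bursts(text, window=timedelta(seconds=60), min_peers=3):
    """Return {host: peak distinct rcp peers in any window} for hosts at or
    above min_peers. Syslog has no year, so a fixed one is assumed."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            events[m.group(2)].append((when, m.group(3)))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _peer) in enumerate(evs):
            # Distinct peers seen from this event up to one window later.
            peers = {p for t, p in evs[i:] if t - start <= window}
            best = max(best, len(peers))
        if best >= min_peers:
            flagged[host] = best
    return flagged

if __name__ == "__main__":
    for host, peers in rcp_bursts(SAMPLE_LOG).items():
        print(host, "served rcp to", peers, "distinct peers within a minute")
```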
TFN and trinoo take different approaches to remote control. In both cases, the
attacker uses a client to send commands that control the agents. The trinoo
master, called a handler, listens at port 27665/TCP for connections, only
completing them after the appropriate password (betaalmostdone, in the default
version) has been provided. Once the attacker has authenticated to the handler,
he or she can send commands to all agents to launch UDP floods at one or more
target systems for periods lasting from one second up to 2,000 seconds. The
source address of trinoo packets is not spoofed, making finding the agents
easy, except that there will be so many of them.
Trinoo supports other commands that can change the size of packets sent, stop an
attack, check the status of an agent, and change the length of the attack. The
agents send responses back to the handler using port 31335/UDP. The agents also
contain a list of the IP addresses of all handlers and can be commanded to send
a *HELLO* back to all handlers, something that can be done to flush them out.
(For more on flushing out handlers, find the URLs for Dittrich's papers in
Resources, page 76.)
TFN uses Internet Control Message Protocol (ICMP) echo replies (the same type of
packet used in a Ping reply) to communicate between the client and the agents.
Different code values designate different commands; for example, 345 means to
start a SYN flood.
TFN supports several denial of service attacks: SYN floods, UDP floods, ICMP
floods, and smurfing. Since the TFN server runs as root, the source address
may be spoofed (and most likely will be), making attacks harder to trace.
TFN2K appeared in December 1999 and included strong encryption (CAST-256
algorithm) for the control packets. The method for sending control messages
changed so that the source address could be spoofed and different types of
packets could be sent. The TFN2K agent sniffs the network interface and checks
for data from a client network address that it can decrypt into valid commands.
This makes detecting and tracking the handler more difficult. No responses are
sent back to the handler, so the handler must assume that the TFN agent is
TFN2K can run on both Unix and Windows NT systems. One command supports
listening to a TCP port and running a Unix shell or cmd.exe as root or
administrator, permitting the attacker to verify that the client is running, as
well as update the client software or execute other commands on the "owned"
system. Another command permits the execution of any one-line command as root or
administrator. These backdoor commands alone make TFN2K attractive to an
The stacheldraht tool combines features of TFN and trinoo. Like TFN,
stacheldraht can spoof source addresses. Stacheldraht can test to see if RFC
2267 filtering is in place by attempting to send a packet with the source
address of 22.214.171.124. If this is blocked, source addresses will still be spoofed,
but only on the lowest eight bits of the address.
Stacheldraht has an update feature that makes it possible to automatically
replace the agents with new versions and start them. Stacheldraht uses encrypted
TCP packets (somewhat like trinoo) to communicate between clients (the hacker's
interface) and handlers. It uses encrypted TCP or ICMP packets to talk to
agents. The default ports for the client and agents are 16660 and 65000,
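The default control channels named above for trinoo (27665/TCP, 31335/UDP) and stacheldraht (16660, 65000) can be turned into a simple flow check. This is an added example, not code from the article or from the tools' analyses; the flow-record layout and all addresses are constructed, and treating both stacheldraht ports as TCP is an assumption based on the description above.

```python
# Added example: match flow records against the default control ports named
# in the article. Defaults can be changed, so a miss proves nothing.
from collections import defaultdict

# (protocol, destination port) -> meaning, as described in the article.
SIGNATURES = {
    ("tcp", 27665): "trinoo attacker -> handler",
    ("udp", 31335): "trinoo agent -> handler",
    ("tcp", 16660): "stacheldraht default port",
    ("tcp", 65000): "stacheldraht default port",
}

# Constructed flow records: "proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
tcp 192.0.2.10 40112 198.51.100.5 27665
udp 203.0.113.21 1025 198.51.100.5 31335
udp 203.0.113.22 1030 198.51.100.5 31335
udp 203.0.113.23 1027 198.51.100.5 31335
tcp 192.0.2.44 51000 198.51.100.80 80
tcp 192.0.2.10 40200 198.51.100.9 16660
"""

def find_control_traffic(text):
    """Return {dst_ip: {label: set(src_ips)}} for flows matching SIGNATURES."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, _sport, dst, dport = line.split()
        label = SIGNATURES.get((proto.lower(), int(dport)))
        if label:
            hits[dst][label].add(src)
    return hits

def suspected_handlers(hits, min_agents=2):
    """Hosts receiving 31335/UDP from several sources, with those sources."""
    out = {}
    for dst, labels in hits.items():
        agents = labels.get("trinoo agent -> handler", set())
        if len(agents) >= min_agents:
            out[dst] = sorted(agents)
    return out

if __name__ == "__main__":
    hits = find_control_traffic(SAMPLE_FLOWS)
    for handler, agents in suspected_handlers(hits).items():
        print("possible trinoo handler", handler, "agents", agents)
```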
The primary source and targets of DDoS attacks so far have been noncommercial
entities. The majority of businesses have firewalls, which help prevent their
being targeted as sites for distribution of the agents, or as hosts for agents
themselves. Keep in mind that a poorly configured firewall is just as bad as no
firewall, so just having a firewall is no guarantee of protection.
Once the DDoS attack has been launched, it's hard to stop. Packets arriving at
your firewall may be blocked there, but they may just as easily overwhelm the
incoming side of your Internet connection. If the source addresses of these
packets have not been spoofed, you can try to find and then contact the
responsible parties (for what may be hundreds of computers around the world) and
ask them to stop the agents. If the addresses are spoofed, you will have no way
of knowing if they reflect the true source of the attack until you track down
some of the alleged sources (unless the addresses chosen were RFC 1918
Imagine what it would be like to be a victim of hundreds of simultaneous
attackers. Are you ready to try to contact hundreds of people around the world
(anyone at your office speak Russian or Tagalog?), even as the attackers switch
to another set of agents?
The sheer volume of sources involved in DDoS attacks makes attempts to stop them
mind-boggling. However, there are preventative measures to help stop these
attacks from occurring in the first place.
First and foremost, these attacks rely on finding thousands of vulnerable,
Internet-connected systems and systematically compromising them using known
vulnerabilities. If these systems are patched, the compromise will be prevented
in the first place.
John Ladwig, security architect at the University of Minnesota, made this
comment about the attack on an Internet Relay Chat (IRC) server at the
university: "It frightened me that someone would throw away approximately 2,000
compromised hosts, primarily very well-connected and fairly powerful ones,
presumably to seize IRC channels." What this implies is that the attackers
either have, or presume to have, an infinite supply of vulnerable systems from
which to launch future attacks.
If you discover a system that has been compromised, don't simply format the hard
drive and reinstall. The attacker often leaves traces behind that can lead to
other compromised systems. David Brumley, assistant computer security officer
for Stanford University, wrote, "Often we'll find a list of hundreds of
compromised hosts (usually because an intruder is using rcp over a rootkit and
the rcps are logged in SYSLOG) on another site that the administrator was ready
to just delete!" This list is a treasure trove for security people. Don't
All of these DDoS tools require lists of agents, and the trinoo agents
themselves include an encrypted list of masters. Finding a handler system with a
list of agents makes the task of uncovering the agents much simpler, like finding
a list of sites where terrorists have placed bombs. Even if you have the
in-house capability to handle an incident of this type, send the files to the
CERT Coordination Center (www.cert.org), along with the circumstances under
which you discovered the files.
Finally, you can prevent your own networks from being the source of packets with
spoofed source addresses. RFC 2267 describes techniques for ingress
filtering, that is, filtering packets at the edge of networks so that only
packets with legal source addresses may pass through the routers. Stopping all
spoofed packets will not prevent these attacks, but it will make cleaning up
after them much simpler.
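The filtering rule, and why it simplifies cleanup even when a tool such as stacheldraht still alters the lowest eight bits of the source address, can be shown in a few lines. This is an added example, not taken from RFC 2267 or the article; the customer prefix and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Assumption: one edge router interface serving this constructed prefix.
CUSTOMER_PREFIXES = ["192.0.2.0/24"]

# Constructed source addresses of packets arriving from the customer side.
SAMPLE_SOURCES = [
    "192.0.2.17",    # genuine host address
    "10.1.2.3",      # RFC 1918 address, not a legal source on this link
    "198.51.100.7",  # address belonging to another network
    "192.0.2.201",   # differs from a real host only in the lowest eight bits
]

def matching_prefix(src, prefixes=CUSTOMER_PREFIXES):
    """Return the customer network containing src, or None."""
    addr = ipaddress.ip_address(src)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if addr in net:
            return net
    return None

def ingress_filter(sources, prefixes=CUSTOMER_PREFIXES):
    """Split sources into (passed, dropped): only addresses inside the
    prefixes assigned to this edge are allowed through."""
    passed, dropped = [], []
    for src in sources:
        if matching_prefix(src, prefixes) is not None:
            passed.append(src)
        else:
            dropped.append(src)
    return passed, dropped

def search_scope(observed_src, prefixes=CUSTOMER_PREFIXES):
    """How many addresses could be the real sender of a packet that passed
    the filter; None if the filter would have dropped it."""
    net = matching_prefix(observed_src, prefixes)
    return net.num_addresses if net is not None else None

if __name__ == "__main__":
    passed, dropped = ingress_filter(SAMPLE_SOURCES)
    print("passed:", passed)
    print("dropped:", dropped)
    print("hosts to check for 192.0.2.201:", search_scope("192.0.2.201"))
```

A source altered only within the prefix still passes, but the sender is then known to sit inside that one network rather than anywhere on the Internet.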
Dave Dittrich's analyses of three Distributed Denial of Service (DDoS) attacks
are available at the following sites: http://staff.washington.edu/dittrich/misc/trinoo.analysis,
http://staff.washington.edu/dittrich/misc/tfn.analysis, and
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.
CERT's stacheldraht advisory, CA-99-17, is at www.cert.org/advisories/
CERT Incident Note IN-99-07, relating to denial of service attacks, can be found
at www.cert.org/incident_notes/IN-99-07.html. Break-in techniques are
described in CERT Incident Note IN-99-04 at www.cert.org/incident_notes/IN-99-04.html.
A Web page with links to tools and information about how to prevent various
denial of service attacks is at www.technotronic.com/denial.html.
RFC 2267, entitled "Defeating Denial of Service Attacks which Employ IP Source
Address Spoofing," is available at www.landfield.com/rfcs/rfc2267.html.
Rik Farrow is an independent security consultant. He can be reached at firstname.lastname@example.org.
His Web site, www.spirit.com, contains security links and information about
network and computer security courses.