Menu
We can prevent DDoS attacks

We can prevent DDoS attacks

The attacks that hobbled Web sites Yahoo, Etrade Group, and CNN earlier this month sounded a warning: secure your PCs or be subjected to similar attacks in the near future.

The Web attacks, technically known as distributed denial of service, or DDoS, were launched primarily from Solaris and Linux machines that had been compromised.

The choice of machines was due to the fact that DDoS tools were originally developed by hackers with backgrounds in Unix. But these same tools have already been ported, so they will compromise Windows clients and NT servers. Windows-based DDoS attacks will inevitably come. If your system is used to attack other systems, you run the risk of a lawsuit.

Ironically, DDoS attacks are so technically crude that they can be almost entirely prevented by a simple change in most networks. Systems that spread the DDoS attack failed to have "egress filtering" turned on. I'll describe what this means after a brief introduction to the way February's DDoS attacks worked.

Step 1: During several months last year, hackers placed versions of DDoS tools on Internet sites for anyone to download. These tools have names such as Trinoo, TFN (Tribe Flood Network), and Stacheldraht (German for barbed wire). If you want to see what you're up against, go to www.technotronic.com/denial.html and packetstorm.security.com/distributed.

Step 2: Using DDoS tools, the hacker created a three-tier architecture in several weeks. On the hacker's workstation Tools found servers with security weaknesses and planted software there. The servers, known as masters, talked to demon software planted on other machines, known as zombies.

Step 3: Once hundreds of zombie computers were ready, the attacker sent data packets to the masters. These instructed the zombies to flood the targeted victims.

Each zombie, on a high-speed Internet connection, might send many thousands of packets. The address of the originating computer was spoofed, or falsified.

This made packets arriving at the victim's Web site appear to be coming from many machines rather than a specific set of identifiable machines.

The attacker is difficult to locate, because zombies are hard to find. The fact that the IP address of each packet was spoofed gives the Internet community a way to prevent such attacks.

Every ISP can prevent incoming packets with false IP addresses from being passed on (this is called ingress filtering). And every corporation with an Internet connection can ensure that spoofed packets don't leave the corporate network. (This is called egress filtering. See www.sans.org/y2k/egress.htm for details.)Either fix involves a simple change to a configuration file for a router. It imposes no performance penalty, because the system only checks that the address prefix of each packet is valid. The Internet Society provides a paper called Request for Comments 2267 that describes these procedures and other steps to take (see info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt.)In addition, firewalls are essential protection for any system with a high-speed connection to the Internet. WatchGuard Technologies, which I wrote about in several columns last year, offers five firewall appliances scaled for small to large businesses. WatchGuard provides an excellent white paper on the latest attacks (see www.watchguard.com/press/ddos1.asp, particularly the Resources section).

Steve Steinke, editor at networkmagazine.com, belittled my warnings in a January editorial that said unless a PC "is configured to be a server, there's nothing a hacker can do to it except for some sort of denial of service attack, which would obviously call for an intervention by the ISP".

Vice president of WatchGuard Tom Hooper said after reading this, "He seems to think he can call his ISP for a magic fix.

'The reality is, with distributed DoS [denial of service] tools like TFN and Trinoo, the ISP is powerless."

Once a DDoS attack has started, an ISP may find itself powerless. But ingress and egress filtering can eliminate the fertile ground from which DDoS attacks spring.

It won't end all attacks, but it's so central that I urge you to take these steps today.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments