Bringing the net to its knees: how it was done

by John Leyden, Network News

24 Feb 2000

The heartbeat of commerce on the internet skipped a beat with the recent launch of distributed Denial of Service (DoS) attacks against some of the world's largest ebusiness sites.

Evidence is still being collated on the attacks which brought companies including Yahoo, eBay, Buy.com and Amazon.com to their knees. But what is clear is that distributed hosts were commandeered to send a flood of random requests to the victim sites, making it impossible for legitimate users to connect.

Denial of service attacks are not new, but the scale, ferocity and simplicity of the technology behind the latest assaults are. With hindsight, it's easy to track the events leading to the attack.

As early as November 1999 the Cert Coordination Centre said it had received reports of intruders installing distributed denial of service tools on compromised hosts. Vulnerabilities in various RPC (Remote Procedure Call) services were exploited to install tools including trinoo (or trin00) and tribe flood network (or TFN).

"These tools appear to be undergoing active development, testing and deployment on the internet," a notice from the Cert co-ordination centre at the time warned. Cert acts as a clearing house for internet security problems and was started by the US department of defence.

The FBI issues an alert
America's National Infrastructure Protection Office (NIPC), run by the FBI, issued an alert at the end of last year. "During the past few weeks the NIPC has seen multiple reports of intruders installing distributed-denial-of-service tools on various computer systems, to create large networks of hosts capable of launching significant co-ordinated packet flooding denial-of-service attacks," it said.

Cert put out a new alert on 3 January which warned that something was imminent. "A distributed denial of service tool called 'Stacheldraht' has been discovered on multiple compromised hosts at several locations," it said.

What is now clear is that tools such as Stacheldraht (German for barbed-wire), Tribal Flood network (TFN) and trinoo were installed across many systems to form a co-ordinated infrastructure for launching attacks.

Once installed on compromised systems, the so-called 'zombie' agents, these tools can be triggered by a simple ICMP command to start an extremely efficient flood of false requests to a target site. While the warning signs were there, the timing and scale of the attack against a string of prestige sites took systems administrators by surprise.

Random vandalism
Nobody has claimed responsibility for the attacks, and analysts agree that anyone could have carried them out.

"It looks and feels an awful lot like random vandalism," said Neil Barrett, technical director of Information Risk Management. "It emphasises that any fool with internet access can have a go."

Bruce Schneier, CTO of Counterpane Internet Security, said: "These attacks are incredibly difficult, if not impossible, to defend against. In a traditional denial-of-service attack, the victim computer might be able to figure out where the attack is coming from and shut down those connections. But in a distributed attack, there is no single source."

Schneier said technology to force a client to authenticate itself before making a connection would not work against a distributed denial of service attack, and likewise filtering by service providers is unlikely to provide a 'magic bullet' solution.

"Large-scale filtering at the ISPs can help, but that requires a lot of effort and will reduce network bandwidth noticeably," he added.

Barrett emphasised that network managers were not entirely powerless in the face of the attacks. "It isn't an instantaneous swamp and measures like intrusion detection or a good alert system on a firewall can be put in place. With these you can see if an attack is building up and bar connection on the fly."

Threat to British ebusiness
Deri Jones, managing director of security tester NTA Monitor, said that the threat posed by denial of service attacks is just as potent for British firms making a foray into ebusiness as it is for prestige US sites.

"Denial of Service attacks (DoS) occur commonly on the internet, and about 20 per cent of the 150-plus organisations security tested by NTA Monitor every quarter have significant exposure to such attacks," said Jones.

Jones added that when a system falls under attack, administrators might relax security systems in order to diagnose problems or information may alternatively be released as systems buckle under the strain.

"Such information may be simply information on the directory structure of the internals of a system, or worse still, may be a 'core dump' information leak from which active accounts and passwords may be derivable," he explained.

The underlying problem lies with the insecurity of the hosts used as platforms for the attack, which can be any site with internet access, including other ecommerce sites, home users with permanent connections or academic sites. With wider deployment of always-on DSL connections to the internet with static IP addresses, this problem can only get worse.

A member of the North American Network Operators Group (NANOG) warned: "Make sure that you, as an admin, have on your firewall the necessary rules to deny spoofed IPs from within your own network. If you don't, you are irresponsible and quite possibly a contributing cause to this whole mess."

Technical background: denial of service attack tools

In addition to the trin00 and TFN attacks, two additional tools are currently being used to implement these distributed denial of service attacks: TFN2K and Stacheldraht. Both of these tools are based on the original TFN trin00 attacks. Attackers can install one of these DDoS programs (trin00, TFN, TFN2K or Stacheldraht) on hundreds of compromised machines and direct this network of machines to initiate an attack against single or multiple victims. This attack occurs simultaneously.

The TFN2K distributed denial of service system consists of a client/server architecture. The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded. The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out 'decoy' packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

Stacheldraht (Barbed Wire) consists of three parts: the master server, client, and agent programs. The client is used to connect to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password 'sicken', which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims and lists of master servers, and to perform DoS attacks against specified machines. Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN and UDP flood attacks.

The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.
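
The egress rule urged by the NANOG member and the Stacheldraht master ports listed above can both be checked against border flow records. The following Python is an added example, not part of the original article; the site prefixes, the record format and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumption: address blocks assigned to this site (documentation ranges).
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]
# TCP ports the article gives for Stacheldraht client-to-master connections.
STACHELDRAHT_MASTER_PORTS = {16660, 60001}

# Constructed sample records from a border router (hypothetical format):
# direction proto src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
out tcp 192.0.2.10 40112 203.0.113.5 80
out udp 10.9.8.7 1025 203.0.113.5 53
out icmp 172.16.4.4 0 203.0.113.5 0
in tcp 203.0.113.77 51515 192.0.2.44 16660
out tcp 198.51.100.20 33000 203.0.113.9 60001
out tcp 198.51.100.200 33001 203.0.113.9 443
in tcp 203.0.113.80 44444 192.0.2.10 25
"""


def is_ours(addr):
    """True if addr falls inside one of the site's own prefixes."""
    return any(addr in net for net in SITE_PREFIXES)


def triage(text):
    """Return (line_number, finding) pairs for flows that need attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        direction, proto, src, _sport, dst, dport = line.split()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Egress rule: anything leaving the site must carry one of our own
        # source addresses; otherwise it is spoofed or misrouted.
        if direction == "out" and not is_ours(src):
            findings.append((n, "spoofed-source-egress"))
            continue
        # A local host at either end of a TCP flow to a listed master port.
        # A port match is a lead to investigate, not proof of compromise.
        local = src if direction == "out" else dst
        if proto == "tcp" and int(dport) in STACHELDRAHT_MASTER_PORTS and is_ours(local):
            findings.append((n, "stacheldraht-master-port"))
    return findings


if __name__ == "__main__":
    for n, finding in triage(SAMPLE_FLOWS):
        print(f"flow {n}: {finding}")
```

The sixth sample flow shows why the prefix lengths matter: 198.51.100.200 sits in the same /24 as a legitimate host but outside the site's /25, so the egress rule still flags it.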
