Feature: Denial-of-Service Attack FAQ

Because of the rapid increase in DDoS attacks, we are providing this FAQ about what they are, how they work, and what can be done to prevent them.

1. What is a denial-of-service (DoS) attack?

DoS attacks are designed to disrupt Internet service to a corporate Web site or an individual. They come in two varieties: denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. A DoS attack typically originates from a single source, while a DDoS attack comes from multiple sources. In a DDoS attack, the attacker often controls hundreds or thousands of machines, or "soldiers," each of which delivers part of the attack, multiplying its power many times over. Because DDoS traffic emanates from many computers instead of one, it is also easier for the attacker to conceal his identity.

2. What are some common types of DoS attacks?

Single-User DoS
An attacker sends a malformed packet to an individual, usually on his or her PC, aimed at making the machine crash or reboot.

Server DoS
An attacker seeks to cripple a specific server, such as a Web server, mail server, or Usenet news server. The most common server DoS is a SYN flood, in which the attacker uses a script to generate SYN packets, each with a different spoofed (forged) source address. Because the source is spoofed, the server responds to the SYN packet and then waits for as long as it is configured to hold the half-open connection. Sending many SYN packets can cause the machine to run out of resources. A SYN flood is similar to receiving hundreds of phone calls where each caller leaves the phone off the hook after you pick up, preventing you from using your phone until the hang-up times out.

Bandwidth DoS
The attacker seeks to deny all service to a site by using up all of its bandwidth in a flood of bogus packets.
One common bandwidth DoS is the smurf attack, in which the attacker uses a script to create ICMP_ECHO_REQUEST packets, all with the source IP address of the victim, and then sends the packets to a list of networks. If these networks have not been properly configured, they amplify each packet many times and return all of the traffic to the victim.

For more information on DoS attacks, see the following sites:
- Craig Huegen's Smurf Attack paper: http://www.quadrunner.com/~chuegen/smurf.cgi
- IOPS' FAQ on Smurf Attacks: http://www.iops.org/Documents/smurf-faq.html
- CERT Advisory CA-98-01.smurf, "smurf" IP Denial-of-Service Attacks: http://www.cert.org/advisories/CA-98.01.smurf.html
- CERT Coordination Center's Tech Tips paper on Denial of Service: http://www.cert.org/tech_tips/denial_of_service.html

For more information on DDoS attacks, see the following sites:
- CERT Advisory CA-2000-01, Denial-of-Service Developments: http://www.cert.org/advisories/CA-2000-01.html
- CERT Advisory CA-99-17, Denial-of-Service Tools: http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
- Dave Dittrich's analyses of Trinoo, TFN, and stacheldraht (direct pointers):
  http://staff.washington.edu/dittrich/misc/trinoo.analysis
  http://staff.washington.edu/dittrich/misc/tfn.analysis
  http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

3. How do I know if I'm under a DoS or DDoS attack?
Here are some common attack symptoms:

SYN Attack
- Markedly sluggish response time
- Sudden high CPU load levels
- Large number of half-open connections
- On Web servers, few pages delivered compared to the load average or request queue

Smurf Attack (Victim)
- High utilization on the site link, resulting in sudden and sluggish response (disproportionately small output rate compared to a large input rate)
- Large number of ICMP_ECHO_REPLY (ping response) packets from many different machines going to a system on your network
- Multiple packets from several machines on any given network

Smurf Attack (Amplifier)
- High traffic to the wire or broadcast address of your network
- Disproportionately small input rate compared to a large output rate

4. What proactive steps can I take to prevent a DoS attack?

- Don't make yourself a target by bragging about your security expertise or your managed service provider.
- Don't allow spoofed traffic to leave your network. This can be done through filters on your router that permit only packets sourced from your assigned networks to leave your LAN. For more information, see the following URLs:
  - SANS' Notice on Egress Filtering: http://www.sans.org/y2k/egress.htm
  - RFC 2267, "Network Ingress Filtering," P. Ferguson and D. Senie, January 1998: ftp://ftp.isi.edu/in-notes/rfc2267.txt
- Talk to your vendor or service provider about patching and tuning your system. You may be able to improve its performance under stress.
- Be careful when running IRC (Internet Relay Chat) servers on your LAN. They are the most common victims of DoS attacks.

5. How does Genuity proactively monitor for DoS attacks?

We use a variety of tools to monitor the performance of our infrastructure, our leased-line customers, and our data centers. If a site or system stops reporting or shows unusual variations in performance, our operators investigate. All of our operations staff have been extensively trained to recognize DoS and DDoS attacks.

6. What can Genuity do to stop a DoS attack once it's begun?

Smurf Attack
We install an emergency filter on the infrastructure router upstream of the site or data center, for a limited period of time, that drops all ICMP traffic. If necessary, we can fine-tune the filter to drop only ICMP_ECHO_REPLY packets. If a Genuity customer is interested in pursuing prosecution of the attacker, or if the attack is impacting our infrastructure, we can search for one of the amplifiers on our network and attempt to backtrace the spoofed stream from the amplifier to a source, or sources. In addition, we can alert other network providers to large disruptive traffic streams and ask them to backtrace as well.

SYN Attack
Common measures include decreasing the hold timers on the victim to free up resources more quickly, increasing the number of virtual sessions, and increasing memory.
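To make the symptoms listed under question 3 and the egress rule under question 4 concrete, here is an added example that is not part of this FAQ or of Genuity's tooling: it applies those checks to constructed flow records. The record format, the site prefix 10.1.0.0/16, and the thresholds are assumptions chosen for the illustration.

```python
# Added example, not from the original FAQ: applies the question-3 symptoms
# (echo replies from many distinct hosts; many half-open TCP sessions) and
# the question-4 egress rule to constructed records "proto src dst info".
import ipaddress
from collections import defaultdict

ASSIGNED = ["10.1.0.0/16"]          # the site's own prefix (assumed)
RECORDS = """\
icmp 192.0.2.10 10.1.0.5 echo-reply
icmp 192.0.2.11 10.1.0.5 echo-reply
icmp 192.0.2.12 10.1.0.5 echo-reply
icmp 198.51.100.7 10.1.0.9 echo-reply
tcp 203.0.113.1 10.1.0.80 syn-recv
tcp 203.0.113.2 10.1.0.80 syn-recv
tcp 203.0.113.3 10.1.0.80 syn-recv
tcp 10.1.0.20 198.51.100.1 established
tcp 172.16.5.5 198.51.100.1 syn-sent""".splitlines()   # constructed sample

def parse(lines):
    """Split each non-empty record into a (proto, src, dst, info) tuple."""
    return [tuple(line.split()) for line in lines if line.strip()]

def egress_drops(records, assigned=ASSIGNED):
    """Outbound records an RFC 2267 style egress filter would drop:
    the destination is outside our prefixes and so is the source (spoofed)."""
    nets = [ipaddress.ip_network(a) for a in assigned]
    def inside(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    return [r for r in records if not inside(r[2]) and not inside(r[1])]

def smurf_victims(records, min_sources=3):
    """Hosts receiving echo replies from at least min_sources distinct machines."""
    replies = defaultdict(set)
    for proto, src, dst, info in records:
        if proto == "icmp" and info == "echo-reply":
            replies[dst].add(src)
    return sorted(d for d, s in replies.items() if len(s) >= min_sources)

def syn_flood_targets(records, min_half_open=3):
    """Servers holding at least min_half_open half-open (SYN_RECV) connections."""
    half_open = defaultdict(int)
    for proto, src, dst, info in records:
        if proto == "tcp" and info == "syn-recv":
            half_open[dst] += 1
    return sorted(d for d, n in half_open.items() if n >= min_half_open)

if __name__ == "__main__":
    recs = parse(RECORDS)
    print("smurf victims:", smurf_victims(recs), "SYN targets:", syn_flood_targets(recs))
    print("spoofed egress:", egress_drops(recs))
```

On a real network the same logic would be fed from flow exports or a packet capture, with thresholds tuned to the site's normal traffic.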