TISC Insight, Volume 2, Issue 3

Welcome to Volume 2, Issue 3 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

The editorial calendar at this time includes:

Kurt Seifried (Special Column on DDOS attacks!)
Ed Tittel
Todd Glassey
Eric Schultze/George Kurtz
Bill Hancock (return engagement!)
Stephen Kent (return engagement!)
Char Sample/Ian Poynter (return engagement!)

For previous Insights issues are posted click here.

TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, complain directly to me.

In this issue, we look at DOS. Another time, I may have actually felt it necessary to qualify "DOS". But even my 12-year old has heard enough about the recent flurry of DOS--technically DDOS--attacks for me to feel there's *no* ambiguity.

'Nuf sed:-)

From the Editor: Expert Reactions to the DDOS attacks

DOS attacks are scary--they are often easier to launch than to prevent--and the ability to distribute DOS attacks demonstrates they can cause considerable embarrassment and financial loss. While I can never fathom how analysts derive "damage" estimates--and so have modest faith in them--by February 10, The Yankee Group's algorithm arrives at the staggering figure of $1.2 Billion. This apparently includes the cost of improving the security infrastructure. (My question is "who's infrastructure?":-)

I invited Marcus Ranum, CEO of Network Flight Recorder, Dr. Bill Hancock, Vice President of Security at Exodus Communications, Mark Mellis of SystemExperts, and Stuart McClure, a consultant at Rampart Security Group and one of InfoWorld's Security Watch Team to comment on the recent spate of attacks on Yahoo!, eBay, Amazon, CNN Interactive, Buy.com, ZDNet, and E*Trade.

Dave:	What's your reaction to the recent flurry of DOS attacks against high-profile web sites?
Stuart:	Not much of a surprise for me. We all know how simple distributed denial of service (DDOS) attacks are to perform. The only surprise is perhaps how long it took for someone to actually be bold enough to attempt them. The attacks highlight how responsibility should shift from the culprits and victims to everyone including both the ISPs and the hijacked sites (.EDU, @home, etc.).
Marcus:	It's amazingly stupid. If I were Bezos I'd offer some stock as a reward reward for whoever turned the perpetrator in. Then I'd sue the bastard out of existence.
Dr. Bill:	Most of them are irritating, but not life threatening. These are not hacks. these are "clog the toilet" attacks to deny use of corporate systems or networks. In most cases, putting in the proper filters on routers to deal the ICMP Echo requests, smurf, SYN attacks, TCP establish or one of the with others being experienced does the bulk of good. Installing packet quantity limiting filters usually helps handle the rest. It's yet another example of lack of controls in protocol stacks and operating systems when it comes to network science. Many of these types of attacks can be defeated with security screening facilities installed as part of the protocol stack in a system.
Dave:	Any recommendations? How should the U.S. federal government respond, if at all?
Marcus:	The federal government's hands are basically tied. They should help identify the miscreant and then just stay out of the way.
Dr. Bill:	If you are the government, any response will make some component of the population angry. The most reasonable thing the government can do is realize that cybercrimes are just that - crime - and place proper criminal law and financial penalties against the offender(s) as a deterrent. Add in a highly trained law enforcement cadre with proper tools and technologies to track down and apprehend criminals and a lot of this will be minimized.
Stuart:	Education. Increase budgets to train people in the "art" of security. You simply can't give an IT guy the responsibility for security without providing the appropriate tools (knowledge, tools, and support). There is an enormous talent shortage in the security field. The blackhats are quickly gaining ground.
Dave:	What other measures do you anticipate?
Marcus:	My suspicion is that this will help fuel more demands for monitoring and accountability at ISPs. That will also get interesting.
Stuart:	We should see a significant response from ISPs. Traditionally, they haven't taken security that seriously (because their clients have not). Now that ISPs and their clients are making Headline News, their preventative security measures should hit high gear.
Dr. Bill:	Any ISP that truly has their customer's interests at heart should at least install proper network security measures to safeguard the customer's network connectivity. It's absolutely appalling how many ISPs implement little to none of the available technologies, nor push to install known technologies until something "ugly" happens. One hopes that these sort of experiences would change their minds and have them install router filtering, firewalls and other technologies to reduce the opportunity for infilteration.
Mark:	These attacks are acting as a catalyst, forcing a fundamental change in the relationship between ISPs and their customers. In the past, ISPs' only real product has been bandwidth. Now they must provide filtering, both at the victim's connection and at every other point where packets can enter the network. Effective prevention of this sort of attack can only be mounted by the ISPs, because they are the people who can block packets with forged source addresses at the entrance point to the Internet - they know and can control what packets come from where. ISPs have been reluctant to do this for their customers, though, because it requires them to spend more money on their equipment and people.

Thanks, all. These comments set the stage nicely for our special feature column...

About our special feature:

Our special feature this issue is Kurt Seifried's February 8, 2000 analysis of the Yahoo! and subsequent distributed denial of service attacks. IMO, it's a good, insightful piece of work. Kurt's written another good column, Future DOS attacks.

Thanks to our friends at SecurityPortal.com for permission to distribute.

Kurt's column identifies several ways to minimize your vulnerability to a DOS attack. I am certain you'll find it helpful.

It's critical for companies to understand whether and how IDS can forewarn of impending DOS attacks, how to properly configure firewalls, how to implement effective counter-measures against network attacks. Appreciating the difference between logs and evidence acceptable in a court of law is important as well. Marcus Ranum, Tina Darmorhay, Phil Cox, and "Dr. Bill" Hancock are among the faculty who will address these topics at TISC in April.

Enjoy, and be safe.

Dave

Special Feature: DDOS Attacks

Yahoo! - Why denial of service (DOS) attacks work

Kurt Seifried
February 8, 2000

Denial of service attacks are one of the perennial nightmares for system and network administrators. Unlike most attacks there isn't a lot you can do to stop or prevent them. Applying a service patch doesn't always work when 40,000 computers are sending dozens of http requests a second to your webserver. On Monday, Yahoo! was partially knocked offline when one of their routers at a California data center was hammered into the ground by a distributed denial of service attack. Estimates say Yahoo! lost several million dollars (I'm not sure where people get numbers for monetary losses for these sites), but more importantly they have been embarrassed, and it has been proven that they are vulnerable (although investors don't seem to mind, their stock closed up half a buck today).

Traditionally DOS attacks have been a problem, but not a major one. Until recently the availability of tools (publicly that is) has been limited, making the execution of a really effective (read large-scale) DOS attack mildly challenging (i.e. your mother probably couldn't do it, but the kid down the street probably could learn enough hanging out on IRC). There are currently around a half dozen well known distributed DOS attacks floating around (stacheldraht, Tribe FloodNet (TFN), Tribe FloodNet 2K (TFN2K), etc.) and while finding the code for these is hard, it is far from impossible. This means the bar has been lowered, instead of having to develop and write your own tools you can simply download them from any number of web sites. Most DOS attacks are relatively simple, you seize control of as many remote machines as you can (by exploiting well known security holes that should have been patched usually), and then send a lot of data at your victim. It may be as simple as TCP-IP packets with the SYN bit set (used to start a TCP connection), with the intention of denying legitimate connections to the target machine (each SYN packet will be evaluated, and held for a while, filling up a finite queue). It may be something more complex like establishing a proper TCP-IP connection to the victims secure e-commerce web server and sending lots of fragmented data which will also fill up the various queues intended to hold it. The number of DOS attacks is infinite, you can minimize their effect, but never completely block them, short of removing the service (which is essentially what the attacker is trying to do).

Today's attack on Yahoo! was quite well done (while only partially successful I suspect the attacker spent a lot less than the amount of money Yahoo! probably lost because of it), first of all the network would have to be probed, as the attack was directed at a choke point on the network (one of the routers). A quick check on auctions.yahoo.com reveals about 8 or so "servers" associated with the name (note: these are most likely clusters of servers sitting behind something like a Cisco director to spread the load). Taking a look at traceroute output reveals the ISP providing the bandwidth, looking at their webpages reveals a map of their network usually (or you can generate one yourself, but it's late so I cheated). After a few minutes of gentle probing it looks like there is one major choke point, a router on their ISP's end that most of the traffic passes through (most of the traffic to the auction sites pass through it by default). I suspect that router is big enough that any DOS attack sufficient to nuke it will take considerable effort, but you can connect to it via telnet so things aren't perfect. It appears that there are two routers connected to this large router (and connected to those are the servers it appears, so chances are these two routers are actually at Yahoo!), which is definitely a good idea, as that is what probably saved Yahoo! from being completely dead in the water on Monday. This network probe took me around 5 minutes and I used nothing fancy, just dig, nslookup, traceroute and telnet (heck, these tools are even available by default on Windows), and anyone could easily learn how to do it.

In addition to this are situations where a system can be unintentionally DOS'ed. A few weeks ago an article on Slashdot linked to SecurityPortal and a very popular article about Linux vs Microsoft. Site traffic was much higher than usual, which was something we weren't expecting, and consequently our server admin spent most of the day babysitting the network and making sure things didn't get to bad. We survived, but a lot of sites do not survive being "Slashdotted" (they get slow, and sometimes the admins will take them offline or the servers simply get wedged).

So what can you do to prevent network DOS attacks? Not much, but there are a lot of techniques you can use to minimize their effect.

Make sure you are running the latest version of the software, many older versions of popular packages and operating systems suffer problems that make executing a DOS attack very easy, most modern software has been somewhat hardened by the vendor.
Tune and tweak your software, for example with the Apache webserver there are a variety of settings that can be tuned to increase the amount of traffic that can be handled. Proper tuning can save a significant amount of money that might otherwise be spent on hardware. Generally speaking set timeouts for network connections, http sessions and so on to smaller values as load increases, the drawback of doing this is you may "lose" slow legitimate connections (like people connecting over extremely slow links).
Distribute the load across multiple servers, and multiple sites if possible. Most sites will use either "Round Robin DNS" (a very simple, and usually effective method of distributing load to multiple servers / sites) or hardware such as a Cisco director to send incoming requests for data to one of many servers. One added benefit is that this also makes upgrades, and testing of new software significantly easier.
Do not enable any services you do not specifically need, and install a firewall, if nothing else this will allow you to block addresses from which attacks are originating (assuming they are not being spoofed and so forth).

There are also many things you can do as an ISP or network service provider to "be a good neighbor" and ensure that if any of your customers commit DOS attacks, or are used to commit DOS attacks that at least the remote end can trace it down.

Install a firewall with outgoing filters to restrict packets leaving the network to only those networks that actually exist behind the firewall. This will prevent attacks from being launched from your network that are almost impossible to trace down. Provide technical contact information in your DNS listing that is up to date and useful (this is one of the first places most administrators will look when trying to contact you).
Firewall incoming data bound for ports such as 31337 and other well known ports that software like stacheldraht uses to control remote machines (note most of these software packages are easily customizable, and many now encrypt their communications to defeat any Network Intrusion Detection Systems you may have).
Consider deploying a Network Intrusion Detection System, these require a lot of work to setup properly and are high maintenance (knowing that attacks are coming in, or originating from your network is no good unless you act upon it).

If everyone had outgoing filters on their firewall DOS attacks would not be spoofed (well not to the degree they tend to be right now), and you could at least trace back the attack with a higher degree of confidence, and block that network, which currently may or may not be effective.

Summary

There is no easy answer to DOS attacks, but if you utilize good computing practices (keeping software up to date, firewalling your network properly, tuning of servers, etc.) you can minimize any effects it will have. Think of DOS attacks as a small disaster (like a meteorite hitting your datacenter, but not as bad), generally speaking a good business continuity plan (usually referred to as a disaster recovery plan) will be applicable for any really effective DOS attack (people to contact, etc.). As the volume, and complexity of services available on the Internet grows, and the online population, so will the number and scale of DOS attacks.