By Kurt Seifried, [email protected]
This FAQ covers denial of service attacks (DoS) in great depth, and has links to software that can be used to execute DoS attacks, we do not condone or encourage the use of this software, however we feel that since the "bad people" (or just curious people) can find it easily, we might as well tell you where it is. Also, reviewing the DoS attack code can be helpful in assisting you in finding evidence of compromised systems, particularly if you do not have security scanning packages.
1.0 What are Denial of Service (DoS) attacks?
1.1 What are Distributed Denial of Service (DDoS) attacks?
1.2 Is a DoS/DDoS Attack a threat to sensitive data?
2.0 Who commits DoS/DDoS attacks, and why?
2.3 Financial gain
3.0 Are the attackers likely to be caught, and what are the penalties for DoS/DDoS attacks?
4.0 How can I protect my systems and networks
from DoS/DDoS attacks?
4.1 Protecting the border's and gateways
4.2 Protecting Internet servers
4.3 Protecting internal servers and clients
4.4 Specific OS protection
4.4.1 Cisco routers
4.4.3 Windows 95 / 98
4.4.4 Windows NT 4.0
4.4.5 Windows 2000
5.0 How can I prevent my systems and networks from being used for DoS/DDoS attacks right now?
6.0 How can I prevent my systems and networks from being used for DoS/DDoS attacks in the future?
7.0 How do I detect a DoS/DDoS attack directed at me?
8.0 What should I do if I am the target of a DoS/DDoS attack?
9.0 How do I detect a DoS/DDoS attack originating from me?
10.0 What should I do if I am the origin of a DoS/DDoS attack?
11.0 How do I trace a DoS/DDoS attack and preparing evidence?
12.0 DoS/DDoS attacks, software and counter
12.3 Tribe Flood Network
13.0 Who do I contact if I am attacked or an attack originates from me?
14.0 What is in the future for DoS/DDoS attacks?
Denial of service attacks are simple and usually quite effective. An attacker attempts to overwhelm a service with requests, similar to a 5 year old constantly tugging on his mother's sweater while she is trying to have a phone conversation, you can only do so many things at a time. For example if you have a mail server capable of receiving and delivering 10 messages a second an attacker simply sends 20 messages per second, chances are the legitimate traffic (as well as a lot of the malicious traffic) will get dropped, or the mail server might stop responding entirely. Typically attackers will go for high visibility targets such as the web server, or for infrastructure targets like routers and network links.
If using one computer to launch an attack against your target works, well using 50, or 5,000 computers is probably going to work that much better (and enable the attacker to go "elephant hunting" for things like Yahoo!). It also allows the attacker to take a step or more back from the actual machines executing the attacks, making it more difficult to trace them.
DoS and DDoS attacks typically do not pose a direct threat to sensitive data. Usually the attacker is trying to prevent a service from being used, not actually compromise it. However a DoS/DDoS attack may be used as a diversion while another attack is made to actually compromise systems. Additionally administrators are more likely to make mistakes during an attack and possibly change a setting that creates a vulnerability that can be exploited. Services may need to be stopped or restarted, and if this is done incorrectly problems can be created, when modifying your network make sure you understand the effects of what you are doing (which may be different then normal while under attack).
There are far too many reasons to even have a remotely comprehensive list, but I will list a few anyway to give a quick overview.
Some attackers are only testing or playing with tools they have downloaded and do not actually realize the amount of damage they can create.
Some attackers disagree with corporate policies, or color scheme used on the website, and attack the site for no real reason. Think of it as a simple act of vandalism similar to someone spray painting "NARF NARF" on the side of your building.
This is a real potential nightmare, for example a company might be attacked to delay the launch of an online service, or to discredit it. Attackers might be paid by a competitor, or are attempting to manipulate a stock price.
It is hard to say - most attackers are not highly skilled, but their tools are good at concealing identities. They may possibly be caught through a combination of painstaking auditing and cross referencing of log files and someone bragging or squealing on IRC. The FBI press conference on February 9th mentioned possible penalties of up to 5-10 years incarceration.
http://abcnews.go.com/sections/tech/DailyNews/yahoo000209.html FBI press conference
Generally speaking good security practices are the best long term protection. Disabling all unnecessary services, keeping software up to date, and subscribing to various email security lists will help. Having a current list of contact names and numbers for emergencies will be especially useful during an emergency. Thre is no one thing you can do to stop DoS/DDoS attacks (i.e. no "Anti DoS attack verion 1.0" software, despite what some vendors claim).
The extremeties of your network are usually the most accessible to an attacker, and the best choke points to attacks (most sites will have one link to the Internet, take that down and you have effectively taken down any services offered by that site). There are a number of measures you can take to protect your external routers, basic firewalling precautions (such as blocking spoofed addresses and so on) and protecting the mechanism used to broadcast and receive routing information (i.e. BGP, OSPF, and so on).
Disable any unneeded services and make sure the software is up to date. If possible place at least one firewall in between the server and the Internet, this way if there is an attack on the server you can probably block it at the server. Realistically if the attacker is determined they can flood your bandwidth and there is nothing you can do on your end to "fix" it. The key for most sites is to filter the traffic before it gets to your links, which means having your ISP firewall attcks, this may not be possible if the attack comes from enough different sites (i.e. it is impractical to add 10,000 firewall rules).
Firewall them heavily, no external hosts should require access to internal hosts on your network. If external hosts do require access you should consider Virtual Private Networking (VPN) to provide secure access to your internal LAN.
Linux has support for firewalling software and most Linux distributions ship with it. IPCHAINS (the current firewalling software) can easily block various hostile packets, and can easily be setup to prevent the machine from spoofing (i.e. a university lab with Linux workstations). For more information on IPCHAINS, and various utilities to make configuring it easier please see:
You can also prevent IP spoofing from a machine very easily by enabling source address verification vi the rp_filter facility. From the IPCHAINS-HOWTO, miscellaneous section:
#!/bin/bash # This is the best method: turn on Source Address Verification and get # spoof protection on all current and future interfaces. if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo -n "Setting up IP spoofing protection..." for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done echo "done." else echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED. echo "CONTROL-D will exit from this shell and continue system startup." echo # Start a single user shell on the console /sbin/sulogin $CONSOLE fi
Create this file as /etc/rc.d/init.d/rp_filter (or wherever appropriate) and then enable it at boot time by creating a symlink to it, or calling it in the network startup script. Hopefully in future vendors will add this as standard and enable it by default. The IPCHAINS-OWTO is available at:
Unfortunately Windows 95 / 98 has no real built in protection against attacks, however there are several add-on products (some free) that will protect you against most common threats. Please do not take these listings as an endorsement, we are simply listing various options available.
http://www.zonelabs.com/download_ZA.htm - Zone labs "ZoneAlarm" is free
http://www.mcafee.com/products/#Guard Dog - McAfee's "Guard Dog 2.0" is $29.95 US
http://www.networkice.com/Download/PURCHASE.HTM - Network ICE's "BlackICE Defender" is $39.95 US
http://www.symantec.com/sabu/nis/ddos.html - Symantec's "Norton Internet Security 2000" is $53.95 US
Windows NT 4.0 does have built in firewalling however it is not 100% reliable and we would not advise relying upon it as your only security measure. There are of course several third party firewall proucts for NT,
http://www.networkice.com/Download/PURCHASE.HTM - Network ICE's "BlackICE Defender" is $39.95 US, it will work on servers but you will need to configure it to allow access (by default lit blocks most things). Network ICE is releasing a server version this year that will cost $50 US to upgrade to, or $139.95 US to purchase.
http://www.checkpoint.com/products/firewall-1/index.html - Firewall 1
Windows 2000 (recently released) has pretty good built in firewalling capabilities (a lot better then NT 4.0). These are appropriate for end user machines and small to medium sized servers, for a larger server you may want to consider a third party add on product. The firewalling configuration is done via the Microsoft Management Console tools, and can be configured remotely (of course be careful when doing this as you could easily lock yourself out of the machine).
OpenBSD ships with PF which is a really nice stateful packet filter (free to). More information on PF is available at:
NetBSD ships with IPF which is a stateful packet filter (free to). More information on IPF is available at:
FreeBSD ships with IPF which is a stateful packet filter (free to). More information on IPF is available at:
Solaris can use IPF or a variety of third party add on firewalls. More information on IPF is available at:
http://www.checkpoint.com/products/firewall-1/index.html - Firewall 1
Firewall any unneeded services, turn off any unneeded services, this will reduce the number of services that can be attacked. As far as actually preventing an attack from succeeding the best you can do is buy the most powerful servers you can afford, and tune the software (while under attack if necessary) to handle as many connections as possible. Reducing the timeouts on connections to services will decrease the effect of a flood somewhat, but legitimate connections may fail as well.
An unusually large amount of traffic, servers suddenly experiencing above average loads, all these can be signs of a DoS/DDoS attack, on the other hand it might represent a high usage peak. In any event you should examine the traffic and usage patterns, if the traffic is legitimate then you will probably want to tune your network and servers, or add additional equipment, if the traffic is an attack then you will need to deal with it accordingly. There are a number of Network Intrusion Detection Systems (NIDS) which can detect hostile attacks with a pretty good degree of accuracy, they may are a good investment if installed and maintained properly.
One of the more effective methods is to have filters on your firewall to block outgoing traffic that does not originate from your network (spoofed data). If you find this type of traffic hitting the firewall you can be relatively sure that internal hosts are being used for malicious purposes. Trace the data back to its origin, which should not be too difficult since (in theory) the network is under your control, and then depending on your security policy you might take the machine offline and examine it. Another effective method is to block the commonly used ports (like 37337) that are used to remotely control compromised machines. In addition to this I would advise scanning your network for open ports on a regular basis using tools such as nmap or saint, any changes should be investigated and appropriate action taken. Also there is a good network scanner called Nessus which will detect most common vulnerabilities, it is very easy to use (built on a client server architecture with Windows and Java clients available), and free. The newer DDOS programs however do typically not respond to scans, so scanning the network for open ports is primarily useful for finding the old tools, and for finding potential security holes in machines on your network.
This heavily depends on your network security policy. You may for example wish to ultimately prosecute the offender, in which case you will need to take great pains to preserve the chain of evidence.
If you wish to stop your systems from being used to launch attacks you should not just reboot them and remove the agent. You will also need to plug any and ALL security holes, otherwise the intruder will break in again in short order. Assuming you cannot patch all the machines then you should try to limit access to them in other ways, by firewalling them off for example. Unfortunately in many environments (especially "public ones" like educational institutions) even updating all the software and making sure the mchines are secure against network attacks will not always be 100% effective.
You should install software on all your important network machines and ideally on every single host that can detect changes and additions to the filesystem. This will allow you to hopefully nip attacks in the bud (i.e. you notice one machine has been compromised, and you can start taking corrective action) or for after the fact clean-up when trying to find out how widespread the penetration is.
http://www.tripwire.com/ - Commercial Tripwire for various UNIX platforms and Windows
http://www.tripwire.com/products/linux.cfm - Free Tripwire for Linux (officially supported on Red Hat, but it should work on most distributions).
http://www.tripwire.org/ - OpenSource Tripwire (hopefully coming soon and shipping with various Linux distributions).
There is a lot of DoS/DDoS software available on the Internet, and several organizations (including the FBI) have helped create and distribute software to counter it. Several Network Intrusion Detection Systems (NIDS) are capable of detecting these attacks, and of detecting remote usage of this software on your network.
Smurf is one of the older DDoS attacks, and was one of the first to be widely publicized. It simply consists of sending a forged ICMP packet (that appears to be from the intended victim, i.e. 184.108.40.206) to the broadcast address of another network (220.127.116.11 for example), every machine on the remote network (so say 100 machines) all reply, to the victim. This has the effect of amplifying the attackers bandwidth, especially when you start pinging network addresses where hundreds of hosts respond. Smurf works because people do not configure their routers and/or firewalls correctly, there is no sane reason to need to send a broadcast ICMP packet to a remote network. Broadcast ICMP pings are useful on local networks, for determining which IP addresses are actively in use and so forth, but broadcast traffic should be blocked at the router and/or firewall. Simply add a firewall rule blocking traffic to your network address at the firewall and/or router - this is typically a relatively simple operation. If you want to see if a network is susceptible to being used to amplify ICMP pings simply visit one of the following websites, enter your network address and you will receive an answer quickly.
Trinoo is an older and somewhat simpler DDoS tool compared to the current crop. It is more advanced than the older generation, in that it uses password based authentication to allow access, these passwords are simply crypt()'ed and compiled in, and you can determine whether the binary on a machine is a master binary or a slave binary using a technique described in Dittrich's paper. If you find a master binary chances are there is also a list of controlled hosts, which can be useful for assessing the degree of penetration of an attack. Trinoo uses unencrypted communications between the "masters" and "daemons" and typically uses ports:
1524 tcp 27665 tcp 27444 udp 31335 udp
for communication, making it somewhat easier to find. In addition if you run crack on the crypt()'ed password in a daemon binary you can monitor the network for that keyword and detect when the attacker is sending orders to the daemon (this is useful if you are pursuing an investigation and want to track the person down for prosecution).
TFN was written mostly as a proof of concept by a german hacker (in the traditional sense of the word) to demonstrate how vulnerable most networks are (guess what, he's right). Unfortunately this tool was used in a series or large scale attacks against large e-commerce sites which resulted in a large amount of press and political activity (Mixter has since been arrested on unrelated charges in Germany). TFN uses a client / server approach, an attacker compromises a large number of machines and controls them through intermediaries, the control packets are labeled as ICMP_ECHOREPLY, which is typically allowed through most firewalls, and the commands themselves are 16 bit numbers (compiled into the program so they can be arbitrary).
Tribal Flood 2000 is one of the more advanced denial of service software packages available. It runs on almost every form of UNIX and has been ported to Windows (so almost the entire Internet is potentially usable). It supports a number of attacks, SYN flooding, UDP floods, ping floods and broadcast ping floods (see Smurf for information on this last attack). All communications between the various components (handler and attacker nodes) is encrypted with the CAST-256 algorithm, and then Base 64 encoded, so the content of control packets basically looks like random ASCII characters. Control is via UDP, TCP and ICMP packets, one way only (the attacker nodes do not respond to the handler nodes and the handler nodes do not respond to the master). These features (encryption, multiple types of control packets, and one way communication make it difficult to detect and block). There are several minor flaws with the way the packets are created however, allowing them to be detected with a relatively good degree of success. Since this program was ported to Windows it is especially useful due to the enormous number of insecure Windows clients on Cablemodem and ADSL networks (and corporate/university networks).
stacheldraht is a continuation of trinoo and TFN, it uses TCP and ICMP for control messages between the handler and attacker nodes. One major advance is the ability to upgrade the program remotely, stacheldraht deletes the current file and downloads a new one via rcp from a remote site (realistically rcp should be blocked at your perimeter firewalls since rcp is not a very secure way for moving files around the internet and is probably not used in any case). Like the others there are signatures that can be used to detect the data, and a perl program is available to detect an agent, assuming it has the default configuration (with the source code for stacheldraht and attacker could change this).
Shaft is essentially a continuation of the Trinoo, TFN and Stacheldraht denial of service programs. It does have several new features however, it can switch handler servers (machines that take commands from a master and then issue them to all the attack nodes) and it can switch ports, making it harder to detect.
If you are being attacked the best person to contact immediately would be your upstream network provider (whoever you pay for bandwidth), they can help you trace the attack down, and/or block it (they in turn will probably contact their upstream provider, etc.). You might also try contacting the site from which the attack originates, however this can be difficult due to time zone differences, language differences, and so on. When contacting the remote site do not use email, there is a chance their email server and computer network may be fully compromised, instead find their phone number and call them (this is more likely to get a response as well). You can use whois to list the contact information for domains and network blocks, for example if you wanted to contact example.org (a fictitious domain):
[[email protected] username]$ whois example.org [rs.internic.net] Whois Server Version 1.1 Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: EXAMPLE.ORG Registrar: NETWORK SOLUTIONS, INC. Whois Server: whois.networksolutions.com Referral URL: www.networksolutions.com Name Server: NS.ISI.EDU Name Server: VENERA.ISI.EDU Updated Date: 31-aug-1999 >>> Last update of whois database: Thu, 10 Feb 00 02:15:17 EST <<< The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.
So you now know which server to ask for the information, since there are multiple DNS registrars now:
[[email protected] seifried]$ whois [email protected] [whois.networksolutions.com] The Data in Network Solutions' WHOIS database is provided by Network Solutions for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Network Solutions does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to Network Solutions (or its systems). Network Solutions reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Registrant: Internet Assigned Numbers Authority (EXAMPLE2-DOM) 4676 Admiralty Way, Suite 330 Marina del Rey, CA 90292 US Domain Name: EXAMPLE.ORG Administrative Contact, Technical Contact, Zone Contact: Internet Assigned Numbers Authority (IANA) [email protected] 310-823-9358 Fax- - 310-823-8649 Record last updated on 14-Jun-1999. Record created on 31-Aug-1995. Database last updated on 10-Feb-2000 15:20:08 EST. Domain servers in listed order: VENERA.ISI.EDU 18.104.22.168 NS.ISI.EDU 22.214.171.124
So you would now know who to contact (the IANA). Also you can look up information on who "owns" the network addresses (all blocks of network addresses are assigned by central authorities to prevent conflicts). The same utility (whois) is used to look up information on these. The contact information given will either be for the direct owner of the network block, or the company that "resold" the network block (usually to a customer). In any case it is a good place to start.
[[email protected] seifried]$ whois [email protected] [whois.arin.net] IANA (RESERVED-6) Internet Assigned Numbers Authority Information Sciences Institute University of Southern California 4676 Admiralty Way, Suite 330 Marina del Rey, CA 90292-6695 Netname: RESERVED-10 Netblock: 10.0.0.0 - 10.255.255.255 Coordinator: Internet Assigned Numbers Authority (IANA-ARIN) [email protected] (310) 823-9358 Fax- (310) 823-8649 Domain System inverse mapping provided by: BLACKHOLE.ISI.EDU 126.96.36.199 Record last updated on 14-Oct-1999. Database last updated on 17-Feb-2000 05:35:09 EDT. The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and nic.mil for NIPRNET Information.
ARIN is the central registry for network numbers in north america, and if the network block is owned by say a German company ARIN's whois server will point you to the right server to use:
[[email protected] seifried]$ whois [email protected] [whois.arin.net] European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C2) These addresses have been further assigned to European users. Contact information can be found in the RIPE database, via the WHOIS and TELNET servers at whois.ripe.net, and at http://www.ripe.net/db/whois.html Netname: RIPE-CBLK2 Netblock: 192.168.0.0 - 188.8.131.52 Maintainer: RIPE Coordinator: RIPE Network Coordination Centre (RIPE-NCC-ARIN) [email protected] +31 20 535 4444 Fax- - +31 20 535 4445 Domain System inverse mapping provided by: NS.RIPE.NET 184.108.40.206 NS.EU.NET 220.127.116.11 AUTH03.NS.UU.NET 18.104.22.168 NS2.NIC.FR 22.214.171.124 SUNIC.SUNET.SE 126.96.36.199 MUNNARI.OZ.AU 188.8.131.52 NS.APNIC.NET 184.108.40.206 To search on arbitrary strings, see the Database page on the RIPE NCC web-site at http://www.ripe.net/db/ Record last updated on 16-Oct-1998. Database last updated on 17-Feb-2000 05:35:09 EDT. The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and nic.mil for NIPRNET Information.
If you intend to contact law enforcement your local police department is probably not equipped to handle it. You are much better off contacting a national organization (such as the FBI in the US, or the RCMP in Canada). There are many CERT (Computer Emergency Response Teams) organizations spread around the world that can provide you with assistance. Contact information is below.
If an attack is originating from your site you may wish to contact the person on the receiving end of it so that you can coordinate
There is a list of CERT sites for various countries and large organizations available at:
http://www.fbi.gov/ - Main page
http://www.fbi.gov/contact/fo/fo.htm - List of local field offices
1-202-324-3000 - Head office phone number
http://www.cert.org/ - Main page
http://www.cert.org/contact_cert/contactinfo.html - Contact information
1-412-268-7090 - 24 hour CERT Hotline
http://www.rcmp-grc.gc.ca/ - Main page
http://www.rcmp-grc.gc.ca/tsb/index.htm - Technical Security Branch
1-613-993-3891 - Incident report number
[email protected] - Incident report email address
Europe used to have a CERT but this has been split up. The various organizations that provide national CERT services are available at: http://www.eurocert.net/.
http://www.cert.dfn.de/ - Main page
http://www.bka.de/ - Main page
+49 (0) 611-55-0
http://www.ja.net/CERT/cert.html - Main page
Various police services
http://www.police.uk/ - Main page
http://www.auscert.org.au/ - Main page
http://www.auscert.org.au/Information/Auscert_info/contact.html - Contact information
+61 7 3365 4417
The existing denial of service programs will get more sophisticated, as attackers learn from the mistakes of others, and various discussion forums distill the information gained. Recently an email trojan went around, it was simply a VB Script program, and it spread like wildfire. In the future someone may write a relatively "stealthy" virus that installs attack software on the windows client and possibly tries to infect other hosts via email. This method could easily infect a huge number of hosts for a short amount of time, with a steady "decay" rate as people cleaned up their systems, however the window of oppurtunity would exist to flatten many sites (ironically enough if anti-virus vendors and popular forums for alerting users about these problems were attacked it could probably "survive" for a while). Unfortunately people do not seem to be learning from these widespread infections (Melissa, then ILOVEYOU several months later)
More attacks at emerging services is a likely bet. We have already seen this with major attacks against e-commerce sites (but not against the e-commerce technology specifically). With the growth of encryption online (secure web server, IPSec, etc) there will likely be more attacks against them, especially with the high CPU overhead associated with encryption. Granted there are hardware cryptographic accelerators that can easily handle high loads, they are quite expensive, and simply shift the weak link in the chain somewhere else. I also suspect there will be more attacks against services that provide authentication, such as PKI and LDAP servers, as the effect of "taking out" a major authentication provider would be felt by many people and be extremely disruptive to businesses (this would be similar to attacking root DNS servers for example).
Last updated 16/03/2002
Copyright Kurt Seifried 2002