Appendix A. Glossary


The following is a glossary of terms associated with DDoS.

agent

A malware program responsible for performing actions under control of a handler. In the context of DDoS, this would be the program that floods a victim. Other agents could be responsible for distributed sniffing, distributed file service, distributed password cracking, etc. An agent in a classic handler/agent network does not directly respond to user commands, instead having these commands relayed to it from a handler. IRC bots, on the other hand, do (in most cases) respond directly to commands from the attacker.

See also army, bot, botnet, handler.



amplification

Attacks that use amplification use some kind of request that will elicit a response that is larger in size, or number of replies, than the original query. For example, if an incoming ICMP Echo Request packet is 100 bytes, and the attacker can trick 100 hosts into replying, the result is 10,000 bytes out for every 100 bytes of requests, or a 100-fold amplification. Similarly, if a forged DNS request comes in that is some 80 bytes long, but causes a reply that is 400 bytes long, a fivefold amplification is obtained. Amplification attacks typically also involve IP spoofing; for example, in the Smurf attack the attacker spoofs the IP address of the victim.



anomaly detection

A variety of defense approaches that aim to detect the occurrence of a DDoS attack (or some other malicious activity) by monitoring network state or traffic for anomalies. The defense system usually builds a model of normal network behavior, called the baseline model. It then continuously monitors a large number of parameters and periodically compares observations with the baseline. Mismatches trigger the attack detection.

See also signature detection and misbehavior detection.



army

An informal term used to describe the collection of compromised hosts that a DDoS attacker coordinates to perform a DDoS attack. For blended threats (such as Phatbot), these hosts can also provide many services besides DDoS, such as anonymous proxying, keystroke monitoring and sniffing, spam delivery, etc. Such collections more closely resemble classic client/server architectures than the army analogy suggests. All such collections organized to perform attacks are often generically referred to as a network, both in and outside the DDoS context.

See also agent, blended threat, bot, botnet, handler, and network.



artifact

Used in conjunction with malware, meaning something left behind on a compromised system. Typically a program or script, but it can also be just a text file containing information, e.g., a README file.

See also malware.



BGP

Border Gateway Protocol is a protocol that is used between Internet routers to exchange routing information. Through this exchange, routers learn how to reach foreign IP addresses (not residing on their network). BGP is the Internet's major routing protocol. For more information see RFC 1771 at http://www.ietf.org/rfc/rfc1771.txt.



blended threat

A term, coined by incident response organizations in Australia in 1998, referring to malware packages that provide more than one type of service to an attacker, such as file service for pirated media, IRC control functions, scanning, sniffing, proxy services for anonymity, and DDoS. An example of a blended threat that is bundled into a single self-updating and self-propagating program is Phatbot. See http://www.lurhq.com/phatbot.html for a high level description of Phatbot functions.

See also artifact and malware.



BNC

Also known as bounce, this is an IRC relay program. It functions like a password-protected (usually) proxy server that accepts an incoming, possibly encrypted, connection on a high-numbered TCP port, such as 12345, and then makes a connection out to a preprogrammed IRC server, typically on the normal IRC server port of 6667. It serves as one type of stepping stone.

See also stepping stone.



bot

Short for robot, this is an IRC client program that runs in the background and watches for certain strings to show up in an IRC channel. When it sees those strings, the bot is programmed to perform some action, such as invite someone into an IRC channel, give them operator permissions, scan a netblock looking for vulnerable hosts, or perform a DoS attack.

See also artifact, blended threat, botnet, and malware.



botnet

A network of bots that all synchronize through communication in an IRC channel. Botnets have been known to grow to as large as over 400,000 hosts, although most are typically in the hundreds of bots up to the tens of thousands of bots. Botnets can be established on any normal IRC channel, although more frequently compromised systems at sites with high availability and bandwidth, such as research universities, are used as "rogue" IRC servers explicitly for control of botnets. This makes them harder to detect and dismantle, as there is not an IRC operator (IRCop) monitoring the server. Botnets have also been known to channelhop, and sometimes to even hop between IRC networks, to avoid detection. An IRC channel has limited capacity, so a botnet may need to span multiple channels. IRC bots sometimes employ encryption to protect their communication, which makes detection of botnets much more difficult.

See also bot, blended threat, and malware.



challenges

Messages sent by some security mechanisms to alleged clients of the network or host they protect, to determine the validity of their traffic. Depending on the type of challenge, the responder might need to demonstrate that he really initiated contact (as opposed to an attacker spoofing his address), or he might need to demonstrate that a live human user is initiating the communication (a Reverse Turing Test). Puzzles are a special kind of challenge.

See also puzzles.



CIDR (Classless Internet Domain Routing)

A means of specifying the address of a network, and the number of bits used for its netmask, in one term. It replaces the old class designations in IP addresses (e.g., Class C addresses were divided into 24 bits of network address followed by 8 bits for host address and start with bits 110). Thus, a Class C network address of 192.168.100.0 would be written in CIDR notation as 192.168.100.0/24. This is also called a netblock.



collateral damage

Loss, delay, or other negative effects experienced by nonmalicious traffic or a device (host, router, etc.), due to the action of a security mechanism. Sometimes this term also refers to similar damage done by a DDoS attack to a site or traffic that is not itself a target.



Datagram

See packet.



DNS

Domain Name Service is an Internet service that maps names such as www.example.com to IP address 192.0.34.166 and vice versa. DNS is provided by numerous DNS servers distributed all over the Internet. DNS information is vital for most Internet services such as e-mail and Web service, and as such is heavily cached to provide redundancy and rapid response. For more information see RFCs 1034, 1035, and 1591 at http://www.ietf.org/rfc/rfc1034.txt, http://www.ietf.org/rfc/rfc1035.txt, and http://www.ietf.org/rfc/rfc1591.txt.



egress filtering

Filtering traffic passing through a router as it leaves a network (as opposed to ingress filtering, which is entering a network) to prevent spoofing, to eliminate nonroutable addresses, or to restrict IP protocols.

See also IP header, IP spoofing, Section 4.5 in Chapter 4, and the sidebar covering ingress/egress filtering that accompanies that section.



exploit

A piece of code that takes advantage of an existing vulnerability in a program to violate administrative rules. The usual goal of exploit programs is to gain access to a machine, escalate a user's privileges, or do some kind of damage. The exploit code is given to a vulnerable program either locally (e.g., the attacker typing a reply to the program's request on a keyboard) or remotely (e.g., the attacker sending the exploit over the network to a remote server, such as a Web server).

See also malware.



false negatives

Failures of a monitoring, auditing, or alerting system to detect the presence of something it is looking for. This may be a malicious event for an IDS, an open port when scanning, detection of a DDoS attack, etc. Such failures may allow an attack to continue unhindered, or render a defense system ineffective.

See also false positives.



false positives

False indications of the presence of something being looked for by a monitoring, auditing, or alerting system. False positive alerts in a detection system waste time in response to non-events. In a DDoS defense system, they can lead to engaging the defense system often when no attack is ongoing. This can lead those who are monitoring the system to disregard alerts or turn off the defenses.

See also false negatives.
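An added example (not from the book) of the anomaly detection entry above, evaluated in terms of false positives and false negatives: a baseline model (mean and standard deviation of several traffic parameters) is built from attack-free windows, later windows are compared against it, and the verdicts are scored against ground truth. The traffic counters, labels and the threshold k are constructed for the example.

```python
import statistics
from typing import Dict, List, Tuple

# One observation is a one-second window of counters from the protected link.
# Every value below is constructed for this example, not taken from a capture.
Observation = Dict[str, float]
PARAMS = ("pkts_per_sec", "syn_per_sec", "icmp_per_sec", "new_srcs_per_sec")

def window(pps: float, syn: float, icmp: float, srcs: float) -> Observation:
    return dict(zip(PARAMS, (pps, syn, icmp, srcs)))

# 60 attack-free windows from which the baseline model is built.
TRAINING: List[Observation] = [
    window(1000 + 40 * (i % 5), 30 + i % 3, 5 + i % 2, 20 + i % 4)
    for i in range(60)]

# Later windows with ground truth (True = a DDoS attack is under way).
LABELED: List[Tuple[Observation, bool]] = [
    (window(1100, 32, 6, 22), False),    # ordinary traffic
    (window(1300, 900, 5, 400), True),   # SYN flood from many spoofed sources
    (window(5000, 31, 3900, 21), True),  # ping (ICMP Echo Request) flood
    (window(1400, 34, 6, 30), False),    # flash crowd: a legitimate surge
    (window(1150, 33, 6, 24), True),     # low-rate attack hiding in the noise
]

def build_baseline(training: List[Observation]) -> Dict[str, Tuple[float, float]]:
    """Baseline model: mean and standard deviation of each monitored parameter
    over the attack-free training windows."""
    return {p: (statistics.fmean(o[p] for o in training),
                statistics.pstdev(o[p] for o in training)) for p in PARAMS}

def is_anomalous(obs: Observation, baseline: Dict[str, Tuple[float, float]],
                 k: float = 4.0, min_sigma: float = 1.0) -> bool:
    """Flag a window when any parameter exceeds its baseline mean by more than
    k standard deviations. min_sigma stops a near-constant parameter from
    turning a tiny wobble into a huge deviation (a common false-positive source)."""
    return any(obs[p] - mean > k * max(sigma, min_sigma)
               for p, (mean, sigma) in baseline.items())

def evaluate(labeled: List[Tuple[Observation, bool]],
             baseline: Dict[str, Tuple[float, float]], **kw) -> Dict[str, int]:
    """Score detector verdicts against the labels: tp/fp/fn/tn counts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for obs, attack in labeled:
        flagged = is_anomalous(obs, baseline, **kw)
        counts[("t" if flagged == attack else "f") + ("p" if flagged else "n")] += 1
    return counts

if __name__ == "__main__":
    model = build_baseline(TRAINING)
    for k in (4.0, 2.0):
        # A lower k catches the low-rate attack (fewer false negatives) while the
        # flash crowd stays a false positive: the tradeoff the entries above describe.
        print("k =", k, evaluate(LABELED, model, k=k))
```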



filtering

Generally, dropping packets based on some well-defined and easily observed characteristic of the packets. Many DDoS defense mechanisms use filtering of some kind to counter the flood. There are many kinds of filtering, based on the location where performed and the criteria used: Ingress filtering and egress filtering are examples. Unlike rate limiting, filtering tends to imply that all packets matching the targeted characteristics are dropped, whether or not their quantity is troublesome.

See also egress filtering, ingress filtering, and rate limiting.



flooding

Attacking a host by sending a deluge of traffic (meaningful or meaningless, it does not matter) that overwhelms either the host or the network. Examples of flooding attacks are ping floods (send large amounts of ICMP Echo Request packets), UDP floods (send large amounts of UDP packets), and SYN flooding (barraging the host with connection requests that are never finalized).



handler

A malware program responsible for controlling a large number of agents who perform some distributed function. In the context of DDoS, the handler provides the attacker with a front end (typically a command-line shell) that provides status, control of when attacks start and stop, selection of attack method and duration, and sometimes automated update and communication with other users.

A handler can be a discrete program (a malware artifact) found on a compromised computer, or it may be an IRC channel, in the case of DDoS botnets.

See also agent, malware.



ingress filtering

Filtering traffic passing through a router as it enters a network (as opposed to egress filtering, which is leaving a network), e.g., to prevent spoofing, to eliminate nonroutable addresses, or to restrict IP protocols.

See also IP header, IP spoofing, Section 4.5, and the sidebar on ingress/egress filtering that accompanies that section.



IP header

The portion of an IP packet containing control information that describes how to handle the packet. RFC 791 [Ins81a] defines the Internet protocol datagram headers as shown in Figure A.1.

Figure A.1. Illustration of IP header as explained in RFC 791


What follows the header is the data (often called the payload) being sent to the destination. There is a checksum to help detect whether the header has been corrupted, but there is nothing to authenticate any of the fields in the header. (This is the reason that someone can spoof source addresses, by simply putting any value they wish into the Source address field and sending the packet off on its journey.) RFC 791 can be found at http://www.ietf.org/rfc/rfc0791.txt.

Some research DDoS defense schemes require inserting a mark into the IP header. Such marks are usually inserted into fields that are deemed unused or hardly used, such as the Identification field.

See also http://www.networksorcery.com/enp/protocol/ip.htm.



IP spoofing

There are two fields in an IP packet header that give information about the sender and intended recipient of the packet: the source address and destination address, respectively. In IPv4, there is no enforcement that these addresses are correct, which means that an attacker can put any address she wants in the source address field of a packet and inject it into the network (where the router will dutifully route the packet on to the intended recipient). This is known as spoofing, or source address forgery. The attacker must have administrative privileges on a compromised machine in order to perform IP spoofing.

By forging the address of a host at another site and sending a service request packet to a service port that is actively listening, the attacker can trick the receiving host into sending responses, not to the host that sent them, but to the host whose address was forged in the packet. This causes a reflection and sometimes amplification of traffic, and is one way that spoofing is used in DDoS.

See also the discussion of how to prevent IP Spoofing at the border of a network in Section 4.5 and the sidebar discussion of ingress/egress filtering in Chapter 4. One of the primary uses of ingress/egress filtering discussed in this book is for prevention of IP Spoofing.

See also amplification, IP header, http://en.wikipedia.org/wiki/IP_spoofing, and reflector.
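An added example (not from the book) tying together the CIDR, egress filtering, ingress filtering, IP header and IP spoofing entries: it decodes the fixed RFC 791 header fields from a constructed IPv4 packet, verifies the header checksum (which detects corruption but authenticates nothing), and then applies the border rules that ingress/egress filtering enforce on the source address. The site netblock 203.0.113.0/24, the non-routable list and the packets are assumptions made for the example.

```python
import ipaddress
import struct

# Assumed for the example: the site's own CIDR netblock (an RFC 5737 documentation
# range) and blocks that must never appear as a source address on the public
# Internet. A real border router takes both from its routing policy.
SITE_NETBLOCK = ipaddress.IPv4Network("203.0.113.0/24")
NONROUTABLE = [ipaddress.IPv4Network(n) for n in ("0.0.0.0/8", "10.0.0.0/8",
               "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the header's 16-bit words, computed with the checksum field set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte RFC 791 header fields (the Figure A.1 layout)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    # The checksum only detects corruption: recompute it over the header with the
    # checksum field zeroed. Nothing in the header authenticates the source address.
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return {"total_length": total_len, "identification": ident, "ttl": ttl,
            "protocol": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": ipv4_checksum(zeroed) == cksum}

def build_ipv4_header(src: str, dst: str, proto: int = 1, ttl: int = 64,
                      ident: int = 0x1234, payload_len: int = 0) -> bytes:
    """Constructed test packets: a 20-byte header carrying a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                         ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]

def border_decision(direction: str, packet: bytes,
                    netblock: ipaddress.IPv4Network = SITE_NETBLOCK) -> str:
    """Ingress/egress filter at the site border. direction is "ingress" (packet
    entering from the Internet) or "egress" (packet leaving the site)."""
    hdr = parse_ipv4_header(packet)
    if not hdr["checksum_ok"]:
        return "drop:bad-checksum"
    src = ipaddress.IPv4Address(hdr["src"])
    if any(src in net for net in NONROUTABLE):
        return "drop:nonroutable-source"
    inside = src in netblock
    if direction == "egress" and not inside:
        return "drop:spoofed-source"     # leaving us, but not one of our addresses
    if direction == "ingress" and inside:
        return "drop:spoofed-source"     # arriving from outside, yet claims to be us
    return "forward"

if __name__ == "__main__":
    pkt = build_ipv4_header("198.51.100.7", "203.0.113.80")   # outside host -> site
    print(parse_ipv4_header(pkt))
    print("ingress:", border_decision("ingress", pkt),
          "egress:", border_decision("egress", pkt))
```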



IRC (Internet Relay Chat)

A distributed network of servers that relay text chat messages from server to server, and to any clients connected to one of the IRC servers. IRC has been in use since the late 1980s, and emerged from BITNET RELAY, a VMS-based network chat program. There are many IRC networks, such as Dalnet, EFnet, and Undernet. IRC predates, and is not directly compatible with, instant messaging protocols such as AIM, ICQ, Jabber, etc.



ISP (Internet Service Provider)

This typically refers to a tier two network provider, or provider of Internet services to end customers (e.g., dialup, broadband, cable modem, or wireless).

See also NSP.



malware

A blend of the words malicious software. Malware is any program that an attacker uses to do her thing, be it scanning, sniffing, hiding, breaking into more systems, or performing denial of service on some system.

See also agent, artifact, bot, and handler.



misbehavior detection

A variety of defense approaches that aim to detect the occurrence of a DDoS attack (or some other malicious activity) by monitoring network activity looking for behavior that matches predefined models of bad behavior. Unlike signature detection, these models are more generic and are created based either on observation of known DDoS attacks or deduction of characteristics of a denial of service on a machine or network. The system then continuously monitors a large number of parameters and periodically compares observations with the models. Matches trigger the attack detection.

See also anomaly detection, false positive, false negative, and signature detection.



netblock

See CIDR.



network

A term that reflects a functional relationship between distributed and coordinated computers, similar to social networks, criminal networks, and client/server networks. It is often used interchangeably with army in the context of DDoS attacks, though that term should not be taken to suggest that DDoS attacks are the only danger from such collections of attack machines. Blended threats (such as Phatbot) provide a wide variety of services for attackers, with the same host providing both a pirate music service and participating in a DDoS attack, and the fact that the attacker can use the host for these and many other types of misbehavior at a moment's notice is the greatest threat.

See also agent, army, blended threat, bot, botnet, network, and handler.



NSP (Network Service Provider)

This term typically refers to a tier one, or "backbone" (or "transit") network provider, or a provider of network service to edge networks, or ISPs.

See also ISP.



packet

Data is routed across the Internet in chunks called packets or datagrams via the Internet Protocol (IP). Each packet has an IP header specifying who sent this packet and where it is going, and some control information.

For a tutorial on TCP/IP, see http://www.ietf.org/rfc/rfc1180.txt.

See also protocol and IP header.



port

Communication over the network between two computers using the TCP/IP protocol suite is done over ports, or numbered interface slots maintained by the TCP/IP stack. Services are usually assigned special well-known ports, such as port 22 for SSH, or port 80 for HTTP. To specify port 80 on a specific protocol, such as TCP, you would use 80/tcp in a log file or in the output of a monitoring program.

In a DoS attack using a SYN flood, an attacker may, for instance, target one or both of ports 22/tcp and 80/tcp, hoping that his SYN requests on those ports can make the TCP/IP stack fill up with half-open connections and refuse any new ones.

See also protocol and TCP/IP.



protocol

Communication over the network between two computers using the TCP/IP protocol suite is done using one of many different transport protocols. These are different predetermined mechanisms for communication that are defined by standards.

Datagrams, or packets, are routed across the Internet using the IP protocol. IP is defined by RFC 791: http://www.ietf.org/rfc/rfc0791.txt.

The two most commonly used transport protocols in the TCP/IP suite are TCP (the Transmission Control Protocol) [Ins81b] and UDP (the User Datagram Protocol) [Pos80].

TCP is defined by RFC 793: http://www.ietf.org/rfc/rfc0793.txt.

UDP is defined by RFC 768: http://www.ietf.org/rfc/rfc0768.txt.

There is also a control message protocol, ICMP (Internet Control Message Protocol) [Pos81], which can tell hosts that networks are not available, hosts are not available, and ports are not available, or can be used to tell if a host is alive or not. (Of course, there are many other things that ICMP can do, as well.) ICMP is defined by RFC 792: http://www.ietf.org/rfc/rfc0792.txt.

ICMP is commonly used for DDoS attacks to send a datagram flood, or to exploit improperly configured routers in a Smurf attack.

There are also many application protocols that provide vocabulary for client and server applications, such as the SSH protocol for secure remote terminal access, the HTTP protocol for Web services, and the FTP protocol for transferring files. These application protocols generate packets that are then "wrapped" with TCP or UDP protocol information and sent to their destination. They are then unwrapped by the destination application and processed. For a list of the currently defined application protocols, see http://www.iana.org/assignments/protocol-numbers.



puzzles

A special kind of challenge message used by some DDoS defense mechanisms. The defense mechanism will allow a certain client's traffic through to a potential target only after the client has solved the puzzle, which generally takes a significant amount of time. If working properly, DDoS nodes are unable to solve puzzles quickly enough to perpetrate an effective attack. Puzzle approaches are also referred to as proof-of-work systems.

See also challenges.
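An added example (not from the book) of the challenges and puzzles entries: a proof-of-work exchange in which the server hands out a hash puzzle whose difficulty rises with observed load, the client must spend roughly 2**bits hash computations to solve it, and the server verifies the answer with one HMAC and one hash. The server key, the load-to-difficulty policy, the 30-second validity window and the client address are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed for the example: a per-process server secret. With it the server can
# verify any puzzle it handed out without remembering outstanding puzzles
# (a table of them per client would itself be a resource an attacker could exhaust).
SERVER_KEY = os.urandom(32)
PUZZLE_TTL = 30          # seconds a challenge remains valid

def difficulty_for_load(requests_per_sec: float) -> int:
    """Assumed policy: harder puzzles as the protected service gets busier.
    Expected client work is about 2**bits hashes; verification stays one HMAC
    plus one hash whatever the difficulty."""
    for limit, bits in ((100, 8), (1_000, 12), (10_000, 16)):
        if requests_per_sec < limit:
            return bits
    return 20

def _tag(client_addr: str, nonce: bytes, bits: int, expiry: int) -> bytes:
    msg = nonce + bytes([bits]) + expiry.to_bytes(8, "big") + client_addr.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_challenge(client_addr: str, bits: int,
                    now: Optional[int] = None) -> Tuple[bytes, int, int, bytes]:
    """Server side: return (nonce, bits, expiry, tag). The tag binds difficulty,
    expiry and client address, so a client cannot lower its own difficulty."""
    now = int(time.time()) if now is None else now
    nonce, expiry = os.urandom(16), now + PUZZLE_TTL
    return nonce, bits, expiry, _tag(client_addr, nonce, bits, expiry)

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(nonce: bytes, bits: int) -> Tuple[int, int]:
    """Client side: count up until SHA-256(nonce || counter) starts with `bits`
    zero bits. Returns (solution, hashes_tried)."""
    counter = 0
    while True:
        digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= bits:
            return counter, counter + 1
        counter += 1

def verify_solution(client_addr: str, nonce: bytes, bits: int, expiry: int,
                    tag: bytes, solution: int, now: Optional[int] = None) -> bool:
    """Server side: cheap, constant work regardless of puzzle difficulty."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(_tag(client_addr, nonce, bits, expiry), tag):
        return False                  # challenge forged or altered by the client
    if now > expiry:
        return False                  # stale: an old solution being replayed
    digest = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

if __name__ == "__main__":
    client = "198.51.100.7"                        # constructed client address
    nonce, bits, expiry, tag = issue_challenge(client, difficulty_for_load(2_500))
    solution, tried = solve_puzzle(nonce, bits)
    ok = verify_solution(client, nonce, bits, expiry, tag, solution)
    print(f"{bits}-bit puzzle solved after {tried} hashes; accepted: {ok}")
```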



rate limiting

Allowing only some predefined quantity of traffic (defined in number of packets and/or bytes per second) to traverse a particular network link. Rate limiting is used by many DDoS defense mechanisms. Unlike filtering, rate limiting tends not to drop all traffic matching the characteristics it is looking for, and might drop no traffic at all, if the quantity is low enough.

See also filtering.
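An added example (not from the book) contrasting the filtering and rate limiting entries: a filter drops every packet that matches its rule, however few there are, while a token-bucket rate limiter passes matching traffic below the configured rate and drops only the excess. The packet streams, the ICMP rule and the 2 kB/s limit are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Packet:
    t: float      # arrival time in seconds
    src: str
    proto: str    # "icmp", "udp" or "tcp"
    size: int     # bytes

def matches(pkt: Packet, rule: Dict[str, str]) -> bool:
    """A rule names easily observed header characteristics; filtering drops
    every packet that matches it, however few there are."""
    return all(getattr(pkt, k) == v for k, v in rule.items())

@dataclass
class TokenBucket:
    """Rate limiter: `rate` bytes/second sustained, `burst` bytes of slack.
    Tokens accrue with time; a packet passes only if enough are available."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, t: float, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def compare_mechanisms(packets: List[Packet], rule: Dict[str, str],
                       rate: float, burst: float) -> Dict[str, int]:
    """Run a filter and a rate limiter over the same stream; packets that do
    not match `rule` pass both untouched. Returns drop counts per mechanism."""
    bucket = TokenBucket(rate, burst)
    dropped = {"filtering": 0, "rate_limiting": 0}
    for pkt in packets:
        if not matches(pkt, rule):
            continue
        dropped["filtering"] += 1               # filter: matching means dropped
        if not bucket.allow(pkt.t, pkt.size):   # limiter: only the excess
            dropped["rate_limiting"] += 1
    return dropped

# Constructed streams: a legitimate trickle of pings (1 kB/s), and the same
# trickle followed by a 1 MB/s ICMP flood.
TRICKLE = [Packet(0.1 * i, "198.51.100.7", "icmp", 100) for i in range(10)]
FLOOD = TRICKLE + [Packet(1.0 + 0.001 * i, "203.0.113.99", "icmp", 1000)
                   for i in range(100)]
ICMP_RULE = {"proto": "icmp"}

if __name__ == "__main__":
    # Limiter allows 2 kB/s with a 2 kB burst: the trickle is untouched and the
    # flood is cut to the configured rate. The filter drops all ICMP either way.
    print("trickle only:", compare_mechanisms(TRICKLE, ICMP_RULE, 2000, 2000))
    print("with flood:  ", compare_mechanisms(FLOOD, ICMP_RULE, 2000, 2000))
```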



reflector

A host that is used to attack another site, but without having to compromise and install any DDoS agent on it first. In fact, it may be completely patched and secure, or may even be a firewall itself! It is simply used to reflect, or relay, packets from one host to another host by virtue of the fact that the source address in the incoming request was forged and the reply thus goes to the victim, not the true sender of the packet. (This is different from unwitting agents.)

See also IP spoofing and unwitting agents.



rootkit

A set of programs or operating system kernel modifications that hides the presence of an intruder on a system. This may be done by replacing common operating system commands, or by altering what operating system commands can see by diverting system calls.

See also malware.



signature detection

Attack detection approaches based on remembering data or communication patterns seen at the time of previous attacks, and looking for similar patterns in current traffic. The defense system usually builds a database of known patterns (signatures) and continuously monitors incoming traffic looking for those patterns.

See also anomaly detection, false negative, false positive, and misbehavior detection.



source address forgery

See IP spoofing.



spoofing

See IP spoofing.



stepping stone

A general term used to describe an attacker's use of indirection for connections. A stepping stone can be a stolen account that an attacker uses to log on, then connect to another host; an unrestricted proxy (e.g., SOCKS or HTTP) that is used to relay a connection; or a compromised host with an IRC "bounce" (e.g., BNC) program or other backdoor installed by the attacker. These are often used for gaining anonymity.

Attackers will often use multiple stepping stones, chaining them together across multiple continents and time zones. They may disable logging and wipe out log files, or install a rootkit before using the stepping stone, or they may use it once (from another stepping stone) and then never use the host again, making it impossible to track the attacker.

See also BNC.



TCP/IP

The name of a suite of protocols that form the foundation of the Internet. For the purposes of this book, the primary protocols in the TCP/IP suite that come up are the transport protocols TCP and UDP, the routing protocol IP, and the control message protocol ICMP.

For a tutorial on TCP/IP, see http://www.ietf.org/rfc/rfc1180.txt.

See also packet, IP header, protocol, and port.



traceback

An attempt to trace the true origin of a packet or a stream of packets. Because of IP spoofing, merely assuming that the packet was sent by the node specified as the source address in its IP header is not always effective, so other methods of tracing packets to their origin are required.



troll

A name given to someone who acts in a malicious manner in a public forum, such as a newsgroup or e-mail list. One method used is to send a highly inflammatory message that is intended to stir controversy resulting in lengthy arguments and degradation of discourse. Some even aim to degrade things to the point where people abandon the group entirely.

See also http://en.wikipedia.org/wiki/Internet_troll.



unwitting agent

A term that researchers use to refer to computers that are used for DDoS attacks by exploiting a vulnerability that allows an attacker to run commands remotely on the system. An example is the Power bot [Dita], which used the Windows Internet Information Server Unicode Directory Traversal vulnerability to run PING.EXE, sending a flood of ICMP Echo Request packets at its victim. The attacker's bots simply use a list of vulnerable hosts, sending each one an HTTP GET request that starts the flooding.

There is one primary, subtle difference between an "unwitting agent" and other DDoS attack scenarios. In an unwitting agent scenario, the attack is done using legitimate programs already installed on the computer, but started by way of exploiting a vulnerability to run the program. This is different from a worm that uses an exploit to cause the system to run attacker code, but contains its own attack payload and runs in memory (e.g., Slammer or Code Red), and is also not a reflection attack as described by Vern Paxson [Pax01], which includes tricking an otherwise secure server into replying to forged service requests.

See also agent and blended threat.





Internet Denial of Service. Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126
