Chapter 16

Section: Part V:  Virtual Weapons of Mass Destruction

Chapter 16. Denial of Service Attacks

IN THIS CHAPTER

        What Is Denial of Service?

        Exploitation and Denial of Service

        Denial of Service Attack Index

        Other DoS Resources

In this chapter you learn about denial of service (DoS) attacks, how they work, their history, targets, and programs used to launch them.

Section: Chapter 16.  Denial of Service Attacks

What Is Denial of Service?

Denial of service is the category of attacks that cause a loss of service, or an inability to function. They come in many forms and strike many different targets. The results can last for minutes, hours, or days and can impact network performance, data integrity, and system operation.

The first DoS attack of significance was the Morris Worm, estimated to have taken some 5,000 machines out of commission for several hours. At the time (November 1988), it was a disaster for academic and research centers but had little impact on the rest of the world. Today, comparable DoS attacks, such as those against Yahoo!, Amazon, and other major Web sites (February 2000), have resulted in millions of dollars in lost business and revenue. The frequency of denial of service attacks is increasing at an alarming rate, due in part to the prevalence of tools written for this purpose. The complexity of the attacks is also being taken to new levels, which mandates the need for stringent security practices and the implementation of new protection mechanisms.

Many denial of service tools are written as proof-of-concept code examples to demonstrate insecurities within common operating systems, such as Windows, Linux, Solaris, and the BSD-derived UNIXes. The Morris Worm was an experiment in distributed computing, albeit a little forcefully done. Poor development practices and a failure to introduce security early into new applications and operating systems cause many of these exploitable problems to exist. The growing complexity of network design and organization pushes the limits of current technology and exacerbates new vulnerabilities. The presence of denial of service is a double-edged sword. On one hand, it is unfortunate that conditions exist to allow denial of service techniques to proliferate. On the other, its presence is part of the technology evolution that generates higher security products and applications.

The standard for security has risen greatly, and this is apparent with the reaction to denial of service attacks. Only recently are we seeing legislation that deals with this form of attack. It is no longer considered a silly prank when revenue is lost in our Internet-driven economy.

How Denial of Service Works

Denial of service attacks are generally brought on by exploiting programming flaws in software and by writing specialized programs whose purpose is to perform attacks. Denial of service attacks generally work in one of the following ways:

        Bandwidth consumption

        Resource saturation

        System and application crash

Bandwidth consumption is an attack against network resources and refers to the complete use of available network bandwidth by an attacking computer or computers. This makes network response slow or stops the server completely while the attack is ongoing and causes an inability to reach services such as Web sites, email, and files. Resource saturation targets specific computer systems that provide services such as Web, email, DNS, and FTP and causes them to slow or halt. System and application crashes result in denial of service because the particular system or software freezes or crashes outright.

Bandwidth Consumption

Each network can support only a finite amount of network traffic at one time, and this amount is dependent upon a few factors: network speed, equipment types, and their performance. Common communication links from an ISP to an organization are ISDN, DSL, Broadband (using cable modems), T1, and T3. These link types also reflect different bandwidth capabilities. Common Local Area Network (LAN) topologies use 10BASE-T and 100BASE-T. For further information about network bandwidth and speeds, see http://www.speedguide.net/Cable_modems/bandwidth.shtml.

Denial of service by bandwidth consumption occurs when the entire capacity of the network link is used. When the network bandwidth capacity is reached, new network data cannot be sent. This means new connections to the Internet, file servers, Web servers, email servers, or any other function that requires network communication will not work. Connections that are already established will slow to a crawl, freeze, or be disconnected.

Attacks against bandwidth can occur via specialized attack programs and misconfiguration of network equipment. The programs used to cause denial of service are discussed later in the section "Recent DoS Attacks." Misconfiguration of network equipment includes any device that connects to the network, such as computer systems, routers, switches, and other devices.

Bandwidth attacks are active; the denial of service occurs only as long as the bandwidth is fully used. As soon as the attacking program stops sending data or the device is configured properly, bandwidth again becomes available. Most network functionality will return to normal, except for a few connections that might need restarting.

Common attacks include protocol-based exploits that consume network bandwidth by sending crafted network data. The access device, such as a router, can fail as it becomes inundated with more traffic than it can process. Another form of bandwidth attacks relies on the reaction of network-connected systems and devices to specific network data. Many or all of the computers on the target network can be made to respond simultaneously to network traffic such as IP broadcasts (IP packets that are sent to the broadcast address of a network instead of to a specific machine), thereby consuming all of the available bandwidth. The "Smurf" attack is one popular example of this form of attack. This and other forms are outlined in the section "Recent DoS Attacks."

Resource Saturation

Like a network, each computer system also has a finite set of resources including memory, storage, and processor capacities. Resource saturation is the event of using up all of one or more of these resources, which leaves none for other applications. The SYN flood is a popular example of an attack that uses all the available networking resources on a system.

Each operating system that supports TCP/IP network connectivity has limitations on the number of connections that can be maintained at one time. The SYN flood exploits the three-way handshake of a TCP connection, which is outlined in Chapter 4, "A Brief Primer on TCP/IP." The SYN flood succeeds by creating "half-open" connections on the port on the target server. Half-open connections are those in which the three-way handshake is not completed. Normally, the handshake completes, or times out, causing the connection to be deleted. Each port can only support a finite number of half-open connections, and when this number is exceeded, no other new connections can be made. By sending only the first packet of the TCP handshake with invalid or spoofed source addresses, the attacker makes the server respond to the SYN packet with an acknowledgement. Because this acknowledgement goes to a falsified address, the response to it never arrives. This causes a backlog of half-open connections that are waiting to complete, disallowing new connections from being accepted.

The Web server is a good sample target for a denial of service attack, although any network service can be targeted. As we have all probably experienced, a busy Web server tends to respond more slowly to our requests. A bit of knowledge about TCP/IP and the Hypertext Transfer Protocol (HTTP) is needed to understand how these attacks work. A single HTTP request and connection is made when the browser connects to the Web server. This request asks the server for a particular file; the server then sends the file, and the connection is closed. Under these circumstances, a Web server can handle a large number of requests because the requests usually take a very short time to complete, and they arrive one after another. As the server receives more simultaneous requests, the application becomes loaded as it processes all of these connections at the same time. Even with this slowdown, the Web server can still function.

In order to cause the Web server to stop functioning, the attacker needs to increase the time needed to handle these connections or to increase the processing power needed to handle each one. A SYN flood against a Web server makes the server unable to accept new connections by exceeding the maximum number of connections for the port it uses. The SYN flood is difficult to defend against. If the attacker forges packets to look as if they are coming from an unreachable system, the server has no way of knowing that they are not typical traffic. The server then responds as it would to any other connection and waits for a timeout to occur before it realizes it should close the connection. As outlined in the SYN flood description above, the denial of service occurs when the Web server receives a large number of these forged packets, so many that it cannot handle any more new connections and inevitably is stuck waiting for these falsified connections to timeout before it can continue processing. Similar attacks are the ICMP and UDP flood, which use other protocols to achieve the same effect.
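The half-open queue described above can be watched directly. The following is an added example (not code from the book): it replays a constructed packet trace against a single listening port with a finite backlog and a SYN-received timeout, counts how many half-open entries accumulate when spoofed sources never answer the SYN-ACK, and shows the legitimate connection that is dropped while the queue is full. Addresses, backlog size and timeout are assumptions for the illustration.

```python
"""Half-open (SYN-received) queue tracker for one listening port.

Added example, not from the book. It replays a constructed trace and reports
how the backlog fills when SYN-ACKs go unanswered and how a timeout frees it.
"""
from collections import namedtuple

# One client-side packet: time in seconds, source, source port, destination, port, TCP flags
Packet = namedtuple("Packet", "t src sport dst dport flags")

SERVER = "10.0.0.5"   # constructed server address
HTTP_PORT = 80


def track_half_open(packets, server, port, backlog, timeout):
    """Replay packets aimed at (server, port) and return queue statistics."""
    half_open = {}  # (src, sport) -> time the SYN arrived
    stats = {"syns": 0, "completed": 0, "dropped": 0, "expired": 0,
             "peak_half_open": 0, "dropped_sources": []}
    for p in packets:
        if p.dst != server or p.dport != port:
            continue
        # Entries whose SYN-ACK was never answered leave the queue after `timeout` seconds.
        stale = [k for k, t0 in half_open.items() if p.t - t0 > timeout]
        for k in stale:
            del half_open[k]
        stats["expired"] += len(stale)
        key = (p.src, p.sport)
        if "S" in p.flags:
            stats["syns"] += 1
            if len(half_open) >= backlog:
                # Queue full: the SYN is silently dropped. This is the denial of service.
                stats["dropped"] += 1
                stats["dropped_sources"].append(p.src)
                continue
            half_open[key] = p.t
            stats["peak_half_open"] = max(stats["peak_half_open"], len(half_open))
        elif "A" in p.flags and key in half_open:
            # Third packet of the handshake: the connection is fully established.
            del half_open[key]
            stats["completed"] += 1
    stats["still_half_open"] = len(half_open)
    return stats


def flood_suspected(stats, backlog):
    """Alert heuristic: the queue filled up and more SYNs expired unanswered
    than handshakes completed."""
    return stats["peak_half_open"] >= backlog and stats["expired"] > stats["completed"]


def constructed_trace():
    """Constructed sample trace (client-side packets only; the server's SYN-ACKs are implied)."""
    pkts = []
    # Three legitimate clients that complete the handshake.
    for i, t in enumerate((0.0, 0.5, 1.0)):
        src = f"198.51.100.{i + 1}"
        pkts.append(Packet(t, src, 40000 + i, SERVER, HTTP_PORT, "S"))
        pkts.append(Packet(t + 0.1, src, 40000 + i, SERVER, HTTP_PORT, "A"))
    # Twenty SYNs from spoofed 192.0.2.x sources that never answer the SYN-ACK.
    for i in range(20):
        pkts.append(Packet(2.0 + i * 0.05, f"192.0.2.{i + 1}", 1024 + i, SERVER, HTTP_PORT, "S"))
    # A legitimate client arriving while the queue is full.
    pkts.append(Packet(3.5, "198.51.100.9", 40009, SERVER, HTTP_PORT, "S"))
    pkts.append(Packet(3.6, "198.51.100.9", 40009, SERVER, HTTP_PORT, "A"))
    # A legitimate client arriving after the half-open entries have timed out.
    pkts.append(Packet(40.0, "198.51.100.10", 40010, SERVER, HTTP_PORT, "S"))
    pkts.append(Packet(40.1, "198.51.100.10", 40010, SERVER, HTTP_PORT, "A"))
    return sorted(pkts, key=lambda p: p.t)


if __name__ == "__main__":
    s = track_half_open(constructed_trace(), SERVER, HTTP_PORT, backlog=16, timeout=30)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("SYN flood suspected:", flood_suspected(s, 16))
```

With a backlog of 16 and a 30-second timeout, 16 spoofed entries fill the queue, the four remaining spoofed SYNs and the legitimate client at t=3.5 are dropped, and the queue only drains at t=40 when the stale entries expire.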

Another example of resource saturation can occur with the use of external programs such as Common Gateway Interface (CGI) programs with the Web server. Programs that store data in files on the Web server can be exploited to fill the hard disk on the server. The server operating system uses files for much of its normal functionality, and, when the disk is full, it can often fail to function. Similarly, applications that allocate a lot of memory or require a lot of processing power for complex computations can be exploited to use all of those resources, preventing new processes and applications from functioning. These attacks are not exploitable only via the Web server; any access to the system might allow an attack to succeed. The email bomb discussed in the "Exploitation and Denial of Service" section is a good example of this.

System and Application Crash

System and application crashes are fast and easy approaches to denial of service, wherein a programming flaw is exploitable and causes the application or operating system to crash. A well-known example of these crashes is the "Ping of Death" attack, which uses oversized ICMP echo requests. The target machine would crash because its handling of this network data was improperly implemented.

These attacks are also commonly directed against network access devices such as IP routers, cable routers, managed Ethernet switches, VPNs, and other application specific devices. These devices often support some form of management interface including a Command Line Interface (CLI) and a Web management interface. Through various methods including a large number of simultaneous connections, buffer overflows in user input routines, and improper data validation, these devices have been made to crash. A denial of service attack on an access device has a wider influence than an attack on a single machine because these devices are typically gateways to multiple networks.

Many of these attacks can be prevented by safe configuration of the network device. This includes changing factory-set default passwords and configuring the device to allow management from only a select group of machines.


Exploitation and Denial of Service

This section outlines common attacks through the denial of service methods outlined in the previous section:

        Email bomb resource attacks

        Protocol attacks

Email Bomb Resource Attacks

Email bombs are insidious attack methods that make up for simplicity with their effects.

A traditional email bomb is simply a series of messages (perhaps thousands) sent to your mailbox. The attacker's object is to fill your mailbox with junk or to fill the hard disk or file system on which the mail server runs with junk. If mailbox quotas are used, the receiver of an email bomb cannot receive new messages until the mailbox is cleaned up. If the file system of the mail server is full, no other users can receive new messages. Email bombs lead to loss of important data, and increased bandwidth and resource usage, which can translate into higher network charges. If you use a dial-up connection, that can also translate into increased connection charges and wasted time.

Email Bomb Packages

Email bomb packages are programs that automate the process of email-bombing someone. System administrators should be aware of these packages and the filenames associated with them. (While this knowledge will not prevent your system from being attacked, it might prevent your users from attacking other systems.)

Table 16.1 lists the most popular email bomb packages and filenames associated with them. If you run a network with multiple users, you should scan your drives for those filenames.

Table 16.1. Common Email Bomb Packages and Associated Filenames

Bombing Package            Filenames
Up Yours                   upyours3.zip
Kaboom                     kaboom3.zip
The Unabomber              unabomb.zip
The Windows Email Bomber   bomb02b.zip
Gatemail                   gatemail.c
UNIX Mailbomber            mailbomb.c
Avalanche                  alanch3.zip, alanch35b.zip
Aenima                     aenima17.zip, aenima20.zip
Serpent (Linux)            serpent.zip
Euthanasia                 euthan15.zip
Ghost Mail                 gm51.zip
HakTek                     hatetuk.zip

Many of these files can be found at http://web.searchalot.com/home/hazfresse//bomber.htm.

Dealing with Email Bombs

Kill files, exclusionary schemes, and mail filters are all cures for an email bomb. Using these tools, you can automatically reject mail sent from the attacking source address. There are various ways to implement such an exclusionary scheme. UNIX users can find a variety of sources online.

If you use Windows or MacOS instead, I would recommend any of the mail filter applications listed in Table 16.2. Many of these are shareware, so you can try them before you buy them.

Table 16.2. Popular Mail Server Filter Applications and Their Locations

Filter Package                       Location
SIMS (MacOS)                         http://www.stalker.com/
EIMS (MacOS)                         http://www.eudora.com/
Musashi (PPC, MacOS)                 http://www.sonosoft.com/musashi.html
E-Mail Chomper (Win95/98/NT)         http://www.sarum.com/echomp.html
SPAM Attack Pro (Win 95/NT)          http://www.softwiz.com/
Spam Buster (Win 95/98/NT)           http://www.contactplus.com/
SpamKiller (Win 95/98/NT/ME/2000)    http://www.spamkiller.com/

If someone starts bombing you, you can also try a human approach by contacting the attacker's postmaster. This is generally effective; the user will be counseled that this behavior is unnecessary, and that it will not be tolerated. In most cases, this proves to be a sufficient deterrent. Some providers have strong appropriate usage policies and will immediately terminate the user's account if it is used inappropriately.

Lastly, know this: Not all ISPs are responsible. Some of them might not care whether their users are email-bombing others. If you encounter this situation, you don't have many choices. The easiest cure is to disallow any traffic from their entire domain.

Email Bombs as Security Risks

In many circumstances email bombs can result in denial of service. For example, one individual bombed Monmouth University in New Jersey so aggressively that the mail server temporarily died. This resulted in an FBI investigation, and the young man was arrested.

Note

Most mail packages will die given the right circumstances on the right platform. For example, one of my clients found that directing a 40MB mail message to mailserv on UnixWare will kill the entire box. The freeze is unrecoverable except via reboot, and reboot is no recovery at all. There is no fix for this.

 

If you experience this level of attack, you should contact the authorities. This is especially so when the attacker varies his origin, thus bypassing mail filters or exclusionary schemes at the router level. Chances are, if the attack is that persistent, your only remedy is to bring in the police.

The recent trend towards email-based viruses also presents a denial of service condition. The automation and integration of newer applications allows greater flexibility and increased functionality, but also presents security risks if not used appropriately. Windows-based macro and Visual Basic Script (VBS) viruses demonstrate this clearly. The VBS.LoveLetter or "I Love You" virus and the VBS.SST worm or "Anna Kournikova" virus show the fine line between viruses and denial of service. Both viruses exploit the capabilities of Microsoft's Outlook mail client to automatically execute executable code contained in messages. The virus code replicates and sends itself to many other recipients, magnifying the problem and resulting in widespread infection and loss of service as files are deleted and mail servers cease functioning. Disabling Windows Scripting Host can help alleviate the problem of automatic execution. See http://www.sophos.com/support/faqs/wsh.html for further information.

List Linking

List linking attacks have similar effects to email bombs, but their appearance is more inconspicuous and their effect no less malignant. In list linking, the attacker subscribes you to dozens of mailing lists, which can fill your mailbox and possibly the mail server with data.

Note

Mailing lists distribute mail messages collected from various sources. These messages typically concentrate on a special-interest subject. These mail servers (sometimes called list servers) collect such messages and mail them to members of the list on a daily, weekly, or monthly basis. Members can subscribe to such a list in several ways, though most commonly through email.

 

Mail-bombing packages automate the process of list linking. For example, Kaboom and Avalanche are two well-known email bomb packages that offer point-and-click list linking. The results of such linking can be disastrous. Most mailing lists generate at least 50 mail messages daily, and some of those include binary attachments. If the attacker links you to 100 lists, you will receive 5,000 email messages per day. Furthermore, you must manually unsubscribe from each mailing list once you are linked. Moreover, attackers often choose times when you are known to be away, such as when you are on vacation. Thus, while you are absent, thousands of messages accrue in your mailbox. This can amount to a denial of service attack, particularly if your system administrator puts quotas on mailboxes.

List linking is particularly insidious because a simple mail filter doesn't really solve the problem; it just sweeps it under the rug. Here's why: The mail keeps coming until you unsubscribe from the lists. In fact, it will generally keep coming for a minimum of six months. Some mailing lists request that you renew your membership every six months or after some other specified period of time. This typically entails sending a confirmation message to the list server. In such a message, you request an additional six months of membership. Naturally, if you fail to provide such a confirmation message, you will eventually be taken off the list. However, in this scenario, your first opportunity to get off the list will not occur for six months. Therefore, no matter how irritating it might be, you should always deal with list linking immediately.

The cure for list linking is to unsubscribe from all lists you have been linked to. Doing this is more difficult than it sounds for a variety of reasons. One reason is that new lists seldom include instructions to unsubscribe. Therefore, you might be forced to trace down that information on the Web. If so, expect several hours of downtime.

Tip

To help fight against list linking, most mailing list administration software requires confirmation of subscriptions and also provides passwords for list members. These passwords are used to modify the user's subscription information and provide authentication. It is useful to keep copies of the initial subscription messages after signing on to a mailing list. These informational messages are invaluable and often contain the pertinent information needed to unsubscribe and maintain list membership.

 

Your ability to quickly and effectively unsubscribe from all lists will also depend largely on your email package. If your email client has powerful search functions that allow you to scan subject and sender headings, you can gather the list server addresses very quickly. However, if you use an email client that has no extended search functions, you are facing an uphill battle. If you are currently in this situation and have been list linked, communication with the maintainer of the list is often useful. Most mailing lists function by programs that automate most of the functionality that the list provides. Contact with a real person is vital in the event of list linking. Should all attempts to unsubscribe fail, the user can implement permanent mail filtering, or, in the worst case scenario, a new email address might be warranted.

A Word About Mail Relay

Another issue related to mail bombing and list linking, as well as the overall presence of Unsolicited Commercial Email (UCE) or "spam," is the ability of the attacker to relay mail. In order to obscure their identity, most mail bombs arrive from fictitious users. The ability to falsify the attacker's identity arises from the configuration of various ISPs' mail servers. Mail relaying allows a mail server to be used to send mail to foreign networks.

As part of the transaction for sending a mail message, the software used to send mail connects to the mail server. The recipient's address and the sender's address are specified, and the message is then transmitted. Mail relaying occurs when either the sender's address or the system from which the sender connects to the server is not on the same network as the server. Mail servers that are configured to relay allow foreign users and systems to send mail to any other user. Servers that are configured to disallow relaying will not allow messages with sender addresses on unknown networks, or from systems on those networks.

In general, mail relaying is seen as a security risk and is disabled. For those systems that allow relaying, little can be done to prevent its misuse. Filtering packages are incapable of supplying the needed security. Filtering by domain name or IP addresses might disallow legitimate email from being sent; this is not the desired outcome. For example, filtering to stop UCE from AOL will likely disallow millions of users' email from being delivered.

The issue of mail relaying is complex because messages such as mail bombs and UCE are syntactically the same as legitimate mail messages. Therefore, it is important to be aware of this issue as it relates to denial of service because it is one piece of the prevention puzzle.
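The two server-side defenses this section describes, rejecting an email bomb by its source address ("Dealing with Email Bombs") and refusing to relay for foreign users and systems ("A Word About Mail Relay"), can be expressed as checks on the SMTP envelope. The following is an added example, not code from the book: it runs both checks over a constructed log of envelopes. The hosted domains, local network and addresses are assumptions, and the relay rule used is the usual one, accept a message only when it is addressed to a domain this server hosts or the connecting system is on the server's own network.

```python
"""Kill-file and relay checks on SMTP envelopes.

Added example, not from the book. Envelopes, domains and networks are constructed.
"""
import ipaddress
from collections import Counter, namedtuple

# One envelope: arrival time in seconds, connecting client IP, MAIL FROM, RCPT TO
Envelope = namedtuple("Envelope", "t client_ip mail_from rcpt_to")

LOCAL_DOMAINS = {"example.com"}                       # assumed: domains this server hosts
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]    # assumed: the server's own network


def relay_decision(env, local_domains=LOCAL_DOMAINS, local_nets=LOCAL_NETS):
    """Return ("accept", reason) or ("reject", reason) for one envelope."""
    rcpt_domain = env.rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in local_domains:
        return "accept", "recipient is a local mailbox"
    if any(ipaddress.ip_address(env.client_ip) in net for net in local_nets):
        return "accept", "client is on a local network"
    # Neither the recipient nor the client belongs to us: this is a relay request.
    return "reject", "relaying denied"


def bomb_sources(envelopes, threshold, window):
    """Return sender addresses that delivered more than `threshold` messages to a
    single mailbox within `window` seconds: candidates for a kill file."""
    by_pair = {}
    for env in envelopes:
        by_pair.setdefault((env.mail_from.lower(), env.rcpt_to.lower()), []).append(env.t)
    flagged = set()
    for (sender, _rcpt), times in by_pair.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):           # sliding window over arrival times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(sender)
                break
    return flagged


def filter_envelopes(envelopes, blocked_senders):
    """Apply the kill file and the relay rule; return the accepted envelopes and
    a tally of (client IP, reason) for everything rejected."""
    accepted, rejected = [], Counter()
    for env in envelopes:
        if env.mail_from.lower() in blocked_senders:
            rejected[(env.client_ip, "sender in kill file")] += 1
            continue
        verdict, reason = relay_decision(env)
        if verdict == "reject":
            rejected[(env.client_ip, reason)] += 1
            continue
        accepted.append(env)
    return accepted, rejected


def constructed_log():
    """A constructed minute of SMTP traffic."""
    log = [
        Envelope(0, "10.0.0.23", "alice@example.com", "bob@example.net"),      # local user sending out
        Envelope(5, "198.51.100.4", "carol@example.org", "bob@example.com"),   # inbound mail for us
        Envelope(9, "198.51.100.4", "carol@example.org", "dave@example.net"),  # outsider asking us to relay
    ]
    # Fifty messages in 25 seconds from one outside sender to one local mailbox.
    log += [Envelope(20 + i * 0.5, "203.0.113.8", "bomber@nowhere.invalid", "bob@example.com")
            for i in range(50)]
    return log


if __name__ == "__main__":
    log = constructed_log()
    blocked = bomb_sources(log, threshold=20, window=60)
    accepted, rejected = filter_envelopes(log, blocked)
    print("kill file:", sorted(blocked))
    print("accepted:", len(accepted))
    for (ip, reason), n in sorted(rejected.items()):
        print(f"rejected {n:3d} from {ip}: {reason}")
```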

Protocol Attacks

Attacks against network protocols make up a large portion of the denial of service attacks that occur. Protocol attacks result in bandwidth consumption, system crashes, and resource saturation, causing denial of service conditions. These attacks are very threatening and can stop network connectivity and system functionality for an indeterminate amount of time. Prevention of protocol attacks also requires considerably more advanced and complex procedures and countermeasures.

Protocol attacks strike at the heart of IP implementations. Hence, they can crop up on any platform. Worse still, because IP implementations are not drastically different from platform to platform, a single DoS attack might well work on several target operating systems. A well-known example of this is the LAND attack, which could incapacitate almost two dozen different operating systems, including Windows NT and a slew of UNIX flavors. Other examples include the previously mentioned SYN, UDP, and ICMP flood attacks.

Furthermore, analysis of DoS code releases shows consistently that, when a new attack is out, it will eventually work on nearly all platforms, even if it doesn't initially. New strains of DoS attacks are released about every two weeks or so. Such releases are typically written on a single build platform (Linux, for example) to attack a single target platform (Windows NT, for example). After such code is released, it is examined by the hacker and cracker communities. Within days, someone releases a modified version (a mutation) that can incapacitate a wider variety of operating systems.

The "Ping of Death," SYN flood, UDP flood, and fragmentation attacks should sound familiar by now. These protocol attacks rely on the continued existence and use of these common protocols. Their effects are widespread because of the prevalence of vulnerable operating systems and network equipment. New methods to prevent and defend against exploitation at this basic level have arisen. These methods are outlined in the denial of service attack index that follows.


Denial of Service Attack Index

Here is a comprehensive index of recent and old DoS attacks; each is fully documented. The fields provided and their significance are as follows:

        Filename. The filename provided is the one by which the attack is most well known. However, as folks distribute exploit code, different people name the file different things. There are various reasons for this, but the most common is to obscure the exploit code from system administrators. Since system administrators generally know the filenames of such tools, crackers rename them.

        Author. In this field, you often see aliases or email addresses instead of real names. In the index, I have made every good faith effort to obtain the name, email address, or alias of each program's original author. If you authored one of the following programs and credit has erroneously been given to some other party, please contact Sams and let them know.

        Location. This is the location of the source code for the exploit. From this URL, you can download the source and test it on your own machine.

        Background. The Background field denotes locations where further documentation can be found. This usually points to an article or mailing list posting that details the attack's chief characteristics.

        Build Operating System. This field indicates either what platform the attack code was written on or which operating system will successfully run the code.

        Target Operating System. This field indicates what platform can be successfully attacked using the source code found at the Location.

        Impact. This field briefly describes the effect of an attack using the source code.

        Fix. This field points to URLs that hold patches or workarounds.

Recent DoS Attacks

Smurf

Filename: smurf.c

Author: TFreak

Location: http://www.rootshell.com and search for "smurf"

Background: http://www.cert.org/advisories/CA-1998-01.html

Build Operating System: UNIX

Target Operating System: Any system that responds to ICMP data.

Impact: Causes denial of service via spoofed ICMP echo requests to a network broadcast address.

Fix: Disable IP directed broadcasts on the router and configure operating systems not to respond to packets sent to IP broadcast addresses.

Fraggle

Filename: fraggle.c

Author: TFreak

Location: http://www.rootshell.com and search for "fraggle"

Background: Smurf with a UDP twist, see the rootshell entry.

Build Operating System: UNIX

Target Operating System: Any system that responds to UDP data.

Impact: Causes denial of service by making systems send UDP network data to a spoofed target.

Fix: Disallow unused ports on the firewall and configure network equipment and operating systems not to respond to UDP broadcasts.

The following flood attacks are general mechanisms that are still common today, although the technology has been available for quite some time.

ICMP Flood

Filename: pingflood.c

Author: Various

Location: http://www.rootshell.com and search for "pingflood"

Background: http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm

Build Operating System: UNIX

Target Operating System: Various

Impact: Denial of service via network bandwidth overutilization.

Fix: Block ICMP traffic at the firewall and at the operating system. Monitor the network for attack signatures.

SYN Flood

Filename: synflood.c

Author: Various

Location: http://www.rootshell.com and search for "synflood"

Background: http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm and http://www.niksula.cs.hut.fi/~dforsber/synflood/result.html

Build Operating System: UNIX

Target Operating System: Various

Impact: Denial of service as the target system exceeds its maximum number of half-open/queued connections.

Fix: Configure the operating system to allow a higher number of open connections. Monitor the network for attack signatures.

UDP Flood

Filename: udpflood.tgz

Author: Various

Location: http://www.rootshell.com and search for "udpflood"

Background: http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm

Build Operating System: UNIX

Target Operating System: Various

Impact: Denial of service as the target system receives more traffic than it is capable of handling at one time.

Fix: Disallow UDP traffic and services on the firewall and operating systems. Monitor the network for attack signatures.

Historical List of Well-Known DoS Attacks

The following attacks are early, well-known and well-documented denial of service attacks. The vulnerabilities allowing most of these attacks to succeed have been solved in newer versions of operating systems, but many organizations still have older and unpatched systems around. If you are responsible for securing a network, make sure you cover these bases. Fixes are available for all of these attacks and should be understood and implemented. Take a moment now to run through the following attacks to see if you're vulnerable. Most are easily fixed.

For more information about past and present denial of service attacks organized by operating system, software and device, see "The DoS Database," http://www.attrition.org/security/denial/.

Teardrop

Filename: teardrop.c

Author: Route@infonexus.com

Location: http://www.rootshell.com and search for "teardrop"

Background: See the source and comments.

Build Operating System: UNIX

Target Operating System: Windows 95 and Windows NT

Impact: IP fragment attack will lock up the target.

Fix: Search for "teardrop" in the knowledge base at http://support.microsoft.com/

Teardrop was an early denial of service attack that spawned several variants. This set the stage for many new denial of service attacks and approaches to denial of service tool creation.

Bonk, Boink Attacks

Filename: bonk.c, boink.c

Author: The people at ROOTSHELL.COM

Location: http://rootshell.com/ and search for "bonk" or "boink"

Background: See source.

Build Operating System: UNIX

Target Operating System: Windows 95 and Windows NT. Patched and later versions are unaffected.

Impact: This utility will crash any Windows 95 or NT box, and it is basically a modified version of code previously written by route@infonexus.com. The malformed packet has a fragment offset that is greater than the header length.

Newtear Attack

Filename: newtear.c

Author: Route@infonexus.com (Michael Schiffman)

Location: http://www.rootshell.com/ and search for "newtear"

Background: See source.

Build Operating System: Linux, BSD

Target Operating System: Windows 95 or Windows NT < SP3. Windows 2000 is not affected.

Impact: A variation of Teardrop that produces a blue screen; the system crashes as a result.

Fix: Search for "modified teardrop" in the Knowledge Base at http://support.microsoft.com/.

INETINFO.EXE Attack

Filename: inetinfo, inetinfo.c, inetinfo.pl

Author: Bob Beck. Also by Chris Bayly and Evan L. Carew

Location: http://www.rootshell.com and search for "inetinfo"

Background: http://support.microsoft.com/support/kb/articles/q160/5/71.asp

Build Operating System: UNIX, others

Target Operating System: Windows NT 4.0. Systems with SP3 or later, and Windows 2000, are unaffected.

Impact: Arbitrary text targeting ports 135 and 1031 will kill IIS.

Jolt

Filename: jolt.c

Author: Jeff W. Roberson

Location: http://www.rootshell.com and search for "jolt"

Background: http://www.rootshell.com

Build Operating System: UNIX

Target Operating System: Windows 95. Windows 98/NT/2000 are unaffected.

Impact: Varying results; Windows 95 freeze or blue-screen.

Fix: http://support.microsoft.com

Tip

The patch for Jolt only works if you also install the VTCPUPD patch, which is available at http://support.microsoft.com/.

Jolt was reportedly derived from older DoS attacks for POSIX and SYSV systems. As a side note, its author reports that some systems will blue screen when attacked.

Jolt2

Filename: jolt2.c

Author: Phonix (phonix@moocow.org)

Location: http://www.rootshell.com and search for "jolt2"

Background: http://www.rootshell.com

Build Operating System: UNIX

Target Operating System: Windows 98/NTsp5/NTsp6/2000.

Impact: 100% CPU utilization.

Fix: http://support.microsoft.com/

LAND

Filename: land.c

Author: The people at http://www.rootshell.com

Location: http://www.rootshell.com and search for "land"

Background: http://www.cisco.com/warp/public/770/land-pub.shtml

Build Operating System: UNIX

Target Operating System: Many networked operating systems, including older versions of BSD, Linux, Solaris, Digital UNIX, HP-UX and Windows 95, Cisco IOS.

Impact: Connection request packets that specify the same source and destination lock up the target.

Fix: http://support.microsoft.com/

The LAND attack sent tremors through the Internet community, primarily because of the sheer number of systems affected. In particular, it was learned that certain network hardware was also vulnerable to the attack, including routers.

Note

Only certain hardware was vulnerable to LAND. It is known that NCD X Terminals, Catalyst LAN switches (Series 5000 and Series 2900), and Cisco IOS/700 were all vulnerable. If you fear that your router is vulnerable, I suggest compiling and using land.c as a test.

You should contact your vendor regarding fixes. It can take time to root out all LAND variations because so many mutations have cropped up. One version crashes Windows 95 and NT, even with Service Pack 3 installed. Windows NT is currently up to Service Pack 6a. If your systems are current, this attack does not pose a threat. Workarounds for Cisco hardware can be found at http://www.securityfocus.com. Otherwise, contact your respective vendor.

If your operating system is Windows 95, get the patch for the original LAND attack as well as several mutations. That patch can be found by searching for "land" under the Windows 95 knowledge base at http://support.microsoft.com/.

Pong

Filename: pong.c

Author: FA-Q

Location: http://www.ludat.lth.se/~dat92jni/dat/pong/pong.c

Background: See source code.

Build Operating System: Linux

Target Operating System: Windows 95, but can affect most other network OSes.

Impact: Targets are flooded with spoofed ICMP echo requests sent to the network broadcast address. The flood caused Windows 95 to crash.

Fix: Configure routers and network equipment to disallow traffic to broadcast addresses.

The Pentium Bug

Filename: pentium_bug.c

Author: Whiz (whizpig@tir.com)

Location: http://www.rootshell.com and search for "pentium"

Background: http://support.intel.com/support/processors/pentium/ppiie/descrip.htm

Build Operating System: Any Pentium

Target Operating System: None; this is a firmware bug.

Impact: The target locks up.

Fix: http://support.intel.com/support/processors/pentium/ppiie/descrip.htm#Workaround

This hole affects early Pentium processors up to the Pentium II. It allows malicious users with physical access to issue illegal instructions that cause the system to function improperly, often triggering a system crash. This form of attack demonstrates that denial of service is not limited to network-based attacks. Keep in mind the physical access component of computing, and be sure to be attentive to its security.

Winnuke

Filename: winnuke.c

Author: _eci

Location: http://www.rootshell.com and search for "nuke"

Background: See the source code.

Build Operating System: Linux, BSDI

Target Operating System: Windows 95 and Windows NT. 98/2000 are not affected.

Impact: Windows 95 and NT failed to react properly to packets with the out-of-band (OOB) flag set. This often caused a system panic requiring a reboot.

Fix: http://support.microsoft.com/

Winnuke will kill any unpatched Windows 95 or Windows NT box, forcing a reboot. This attack has gone through several mutations and is available for many build operating systems. The "nukenabber" tool helps to identify the presence of this tool on a network.

Nukenabber is a small, compact port sniffer written by puppet@earthling.net. The program listens on ports 139, 138, 137, 129, and 53. These are all ports on which DoS attacks have been implemented in the past. Nukenabber notifies you when your machine is under Winnuke attack. The program is available here:

    http://www.dynamsol.com/puppet/nukenabber.html

Ping of Death

Filename: pingexploit.c, win95ping.c

Author: Bill Fenner (fenner@freebsd.org)

Location: http://www.rootshell.com and search for "ping"

Background: See the source code.

Build Operating System: BSD UNIX, other ports are available.

Target Operating System: Windows 95 and Windows NT 3.51. Windows 98/NT4/2000 are not affected.

Impact: Oversized ICMP echo request packets (> 64k) were not handled appropriately, causing a system crash.

Fix: http://support.microsoft.com/
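A defender's check for the header conditions behind the Teardrop/Bonk, LAND, Winnuke and Ping of Death entries above, written here as an added example (it is not code from the book or from any of the tools listed). Packets are parsed from byte strings constructed in memory by the assumed helpers `build_ipv4` and `tcp_header`; nothing is sent on the wire.

```python
import struct
def parse_ipv4(pkt):
    """Return the IPv4 fields the checks need: protocol, fragment offset, addresses, payload."""
    ver_ihl, _tos, total_len, _ident, frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": pkt[9], "offset": (frag & 0x1FFF) * 8,
            "src": pkt[12:16], "dst": pkt[16:20], "payload": pkt[ihl:total_len]}

def classify(pkt):
    """Name the catalogued single-packet attacks whose signature this packet matches."""
    ip = parse_ipv4(pkt)
    hits = []
    # Ping of Death: offset plus data would reassemble past the 65535-byte IP maximum.
    if ip["proto"] == 1 and ip["offset"] + len(ip["payload"]) > 65535:
        hits.append("ping-of-death")
    if ip["proto"] == 6 and ip["offset"] == 0 and len(ip["payload"]) >= 20:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        flags = ip["payload"][13]
        if flags & 0x02 and ip["src"] == ip["dst"] and sport == dport:
            hits.append("land")     # LAND: SYN to the host's own address and port
        if flags & 0x20 and dport == 139:
            hits.append("winnuke")  # Winnuke: URG (out-of-band) data to the NetBIOS session port
    return hits

def teardrop_overlap(fragments):
    """Teardrop/Bonk: a later fragment ends inside the previous fragment's span (negative copy length)."""
    spans = sorted((p["offset"], len(p["payload"])) for p in map(parse_ipv4, fragments))
    prev_end = 0
    for offset, length in spans:
        if prev_end and offset + length < prev_end:
            return True
        prev_end = offset + length
    return False

def build_ipv4(src, dst, proto, payload, offset=0, more=False):
    """Build sample packet bytes for exercising the checks (constructed input, never sent)."""
    frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag, 64, proto, 0, src, dst)
    return hdr + payload

def tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header; only the ports and flag byte matter to the checks."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

HOST, PEER = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])  # constructed test addresses
LAND_PKT = build_ipv4(HOST, HOST, 6, tcp_header(139, 139, 0x02))            # SYN
NUKE_PKT = build_ipv4(PEER, HOST, 6, tcp_header(4000, 139, 0x38))           # URG|PSH|ACK
POD_FRAG = build_ipv4(PEER, HOST, 1, b"\x08\x00" + b"\x00" * 38, offset=65528)
TEAR_FRAGS = [build_ipv4(PEER, HOST, 17, b"\x00" * 36, more=True),
              build_ipv4(PEER, HOST, 17, b"\x00" * 4, offset=24)]
```

The same checks run unchanged over packets read from a capture file, which is how you would confirm a border filter or patched host actually drops these before they reach the stack.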

DNSKiller

DNSKiller will kill a Windows NT 4.0 box's DNS server. The source was written for a Linux environment, but it also runs well on BSD-derived platforms. For more information, see http://archives.neohapsis.com/archives/bugtraq/1997_1/0152.html.

arnudp100.c

arnudp100.c is a program that forges UDP packets and can be used to implement a denial of service attack on UDP ports 7, 13, 19, and 37. To understand the attack, I recommend examining the following paper: Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks by Cisco Systems. Another good source for this information is CERT Advisory CA-96.01.

Cisco Systems' Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks can be found online at http://cio.cisco.com/warp/public/707/3.html.

Distributed Denial of Service Attacks

In early 2000, the Internet community saw a new method of attack unleashed upon several popular Web sites, including CNN, E*Trade, Datek, Amazon.com, Yahoo!, and Buy.com, that caused them to be unreachable for several hours. These attacks were unlike normal denial of service attacks in that the flood of network traffic appeared to come from many different systems simultaneously. Network administrators and security personnel scrambled to identify the causes and sources of the attacks, as well as to find methods to stop them and bring their crawling Web sites back into service. Rumors spread about a coordinated underground cracking community conspiring to attack simultaneously. The reality soon became known: a new form of attack, the distributed denial of service (DDoS) attack, would become a nightmare for Web sites and businesses.

Distributed denial of service attacks, as the name implies, occur when several systems, from a handful to thousands, simultaneously attack a specified target. Some of the well-known and analyzed attack forms are Trinoo (or Trin00), Tribe Flood Network (TFN), TFN2k (an updated version of TFN), and Stacheldraht (German for "barbed wire").

These attacks function via a master and slave mechanism. The master is the controlling station where the attacker defines the target and method of attack. The slave stations are remote systems that have been compromised and have had the attack tool installed. The master signals the slave stations to launch the attack. The attack is also stopped by another signal from the master system.

A good general overview of distributed denial of service attacks can be found in Distributed Denial of Service Attacks, by Bennett Todd, at http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html.

This section provides an index of distributed denial of service attack tools. The background information includes full analyses of the attack methods and source code.

Trinoo (Trin00)

Filename: trinoo.tgz

Author: Project DoS

Location: http://packetstorm.securify.com/distributed/

Background: http://staff.washington.edu/dittrich/misc/trinoo.analysis

Build Operating System: UNIX

Target Operating System: UNIX

Impact: Denial of service until the attack is stopped.

Fix: Patch systems to prevent compromise, monitor UDP traffic for trinoo fingerprints, and run DDoS scanner tools such as RID (available at http://packetstorm.securify.com/distributed/) to detect the presence of the program on your network. Blocking UDP traffic on high numbered ports might stop the problem, but might also cause other network applications not to work.

Tribe Flood Network (TFN)

Filename: tfn.tgz

Author: Mixter

Location: http://packetstorm.securify.com/distributed/

Background: http://staff.washington.edu/dittrich/misc/tfn.analysis

Build Operating System: UNIX

Target Operating System: UNIX

Impact: Denial of service until the attack is stopped.

Fix: Use RID (see trinoo entry) to scan for the presence of the software on your network, block all ICMP echo traffic. (This might not be possible depending on network needs of the organization.)

TFN2k

Filename: tfn2k.tgz

Author: Mixter

Location: http://packetstorm.securify.com/distributed/

Background: http://packetstorm.securify.com/distributed/TFN2k_Analysis.htm

Build Operating System: UNIX

Target Operating System: UNIX, Windows NT/2000

Impact: Denial of service until the attack is stopped.

Fix: Disallow unnecessary TCP, UDP, and ICMP network traffic. Protect systems against compromise by frequent monitoring and updating. Use application proxies to prevent the attack.

Stacheldraht

Filename: satchel.tgz

Author: Unknown

Location: http://packetstorm.securify.com/distributed/

Background: http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

Build Operating System: Linux, Solaris

Target Operating System: Linux, Solaris

Impact: Denial of service until the attack is stopped.

Fix: Use RID (see link in trinoo entry) to scan for the presence of the software on your network, and block all ICMP echo traffic. (This might not be possible depending on network needs of the organization.)

Summary

Denial of service attacks represent the newest trend in hostile Internet activity and are evolving at an alarming rate. The care and diligence used to design and implement networks, software, and operating systems has a great effect on the ability of the attacker to cause denial of service. Prevention and awareness are two factors that have an immediate impact on the success of these attacks. Filtering of unnecessary services and network data, stronger authentication and access control of remote systems and users, and proactive monitoring and updating of systems and software can help protect your network against these attacks.

Other DoS Resources

Finally, you will find several useful links for further information on DoS attacks.

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. http://www.cisco.com/warp/public/707/newsflash.html

CERT Advisory CA-2000-01 Denial-of-Service Developments. http://www.cert.org/advisories/CA-2000-01.html

Denial of Service (DoS) Attack Resources. http://www.denialinfo.com/

Denial of Service Attacks DDOS, SMURF, FRAGGLE, TRINOO. http://www.infosyssec.com/infosyssec/secdos1.htm

Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing. ftp://ftp.isi.edu/in-notes/rfc2267.txt

Results of the Distributed-Systems Intruder Workshop. http://www.cert.org/reports/dsit_workshop.pdf

Consensus Roadmap for Defeating Distributed Denial of Service Attacks. http://www.sans.org/ddos_roadmap.htm
