Chapter 10: Denial of Service Attacks

OVERVIEW

Since the beginning of the new millennium, denial of service (DoS) attacks have matured from mere annoyances to serious and high-profile threats to e-commerce. The DoS techniques of the late 1990s mostly involved exploiting operating system flaws related to vendor implementations of TCP/IP, the underlying communications protocol for the Internet. These exploits garnered cute names such as "ping of death," Smurf, Fraggle, boink, and teardrop, and they were effective at crashing individual machines with a simple sequence of packets until the underlying software vulnerabilities were largely patched.

In 2000, the world was rudely awakened to a new DoS paradigm, distributed denial of service (DDoS), which organized legions of machines on the Internet to simply overwhelm the capacity of even the largest online service providers with illegitimate requests. The techniques leveraged in these attacks focused on a different set of features inherent to TCP/IP, primarily the protocol's inherent limitation on the number of spurious SYN requests it could handle (we'll describe SYN attacks in more detail later in this chapter). These attacks remain effective tools of online extortion today because most online infrastructures have not hardened themselves to such floods and they lack the capacity to deal with the volume of requests generated during modern distributed attacks.

One of the most frightening aspects of this maturation from "single-packet" exploits to distributed attacks on IT capacity was the rise of so-called zombie networks. Several security researchers at the time, including Simple Nomad (http://www.nmrc.org) and Dave Dittrich (see http://staff.washington.edu/dittrich/misc/ddos), highlighted this phenomenon following unprecedented attacks that temporarily disabled the major online providers Yahoo!, eBay, and others in February 2000. Zombies are essentially computers that have been compromised and subverted to do the bidding of a remote controller. Through the use of bot software that allows the controller to broadcast commands to legions of infected systems, the controlling entity can wield the combined power of thousands of computers (and the networks to which they are attached) to overwhelm the capacity of even the largest online providers. Despite warnings from the security community, and indeed the very visible example set with Yahoo! and others in February 2000, the distributed nature of this problem was never confronted, and it is estimated today that there are zombie/bot armies numbering as high as 140,000 computers that can be used to take down an Internet-hosted site with very little forewarning. Computing cycles on zombie networks are now bartered commonly on the Internet today, prized by spammers, online extortionists, and anyone else who wants raw, distributed, anonymous computing power on demand. And just in case you think your site is immune to such attacks due to redundant capacity, some simple math illustrates the futility of trying to win this arms race: A medium-sized zombie network of, say, 3000 systems generating a modest 25 Kbps of traffic results in 75,000,000 bps of traffic; that's roughly 75 Mbps, enough to overwhelm most commercial-grade Internet pipes in existence today.

More recently, DDoS has taken a new turn, focusing on the application logic of online businesses rather than just the infrastructure supporting them. For example, Internet search engine providers Google, Yahoo!, Alta Vista, and Lycos were victimized in July 2004 by the unintentional effect of a MyDoom worm variant that performed computationally expensive searches for new victims using their public search engines. The key difference with prior attack paradigms such as SYN flooding is the use of legitimate requests that actually exercise the business logic of the targeted application. By leveraging the amplifying effects of distributed zombie networks, the effect was made all the more devastating. Perhaps most frustrating is that DDoS victims have little recourse against hapless zombie computers out on the Internet that are little more than victims themselves. Although such connection-oriented, application-layer attacks had been conjectured for some time (including in previous editions of this book), this episode certainly let the genie out of the bottle on application-layer DoS and DDoS, and the stakes are now much higher for developers of online applications who must additionally consider availability along with the other key pillars of online security, confidentiality, and integrity.
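The following is an added example, not code from the book, illustrating the defensive side of the application-layer problem just described: why a per-client rate limit (the natural reflex against one noisy client) does nothing against thousands of zombies that each send a single expensive request, and why an application therefore also needs a budget on the aggregate cost of expensive operations. The client identifiers, cost units and limits are all constructed for the example; the two-level token-bucket admission check is a general pattern, not something the chapter prescribes.

```python
"""Added example (not from Hacking Exposed): cost-aware admission control for
expensive application requests, such as the computationally expensive searches
the MyDoom variant triggered. All limits, costs and client ids are constructed."""
from collections import Counter, defaultdict


class TokenBucket:
    """Token bucket holding at most `capacity` tokens, refilled at `rate` per second."""

    def __init__(self, capacity: float, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity  # start full so a fresh client gets its allowed burst
        self.last = 0.0

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)  # tolerate a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def can_take(self, cost: float, now: float) -> bool:
        self.refill(now)
        return self.tokens >= cost

    def take(self, cost: float) -> None:
        self.tokens -= cost


class AdmissionController:
    """Two-level budget: one bucket per client plus one shared bucket for the whole
    service. A request is admitted only if both buckets can pay its cost."""

    def __init__(self, client_burst, client_rate, global_burst, global_rate) -> None:
        # NOTE: an unbounded per-client table is itself a memory DoS risk; a real
        # deployment would cap it (e.g. LRU eviction). Kept simple here on purpose.
        self.clients = defaultdict(lambda: TokenBucket(client_burst, client_rate))
        self.shared = TokenBucket(global_burst, global_rate)

    def admit(self, client_id: str, cost: float, now: float) -> str:
        client_bucket = self.clients[client_id]
        if not client_bucket.can_take(cost, now):
            return "reject:client"   # one client exceeding its own allowance
        if not self.shared.can_take(cost, now):
            return "reject:global"   # aggregate load too high, e.g. a zombie network
        client_bucket.take(cost)     # charge both buckets only once both agreed
        self.shared.take(cost)
        return "admit"


def run_flood(controller: AdmissionController, requests) -> Counter:
    """requests: iterable of (client_id, cost, timestamp). Returns outcome counts."""
    return Counter(controller.admit(cid, cost, ts) for cid, cost, ts in requests)


SEARCH_COST = 10.0  # constructed: one expensive search costs 10 units


def new_controller() -> AdmissionController:
    # Constructed limits: a client may burst 2 searches, then 1 per second; the
    # service as a whole absorbs 100 searches in a burst, then 50 per second.
    return AdmissionController(client_burst=20, client_rate=10,
                               global_burst=1000, global_rate=500)


def single_noisy_client(n: int = 100) -> Counter:
    """One client fires n searches at t=0: the per-client bucket handles it."""
    ctl = new_controller()
    return run_flood(ctl, (("203.0.113.7", SEARCH_COST, 0.0) for _ in range(n)))


def distributed_flood(n_clients: int = 3000, waves=(0.0, 1.0)) -> Counter:
    """Each of n_clients zombies sends one search per wave. Every client stays
    under its own limit, so only the shared budget sheds the excess load."""
    ctl = new_controller()
    reqs = ((f"zombie-{i}", SEARCH_COST, ts) for ts in waves for i in range(n_clients))
    return run_flood(ctl, reqs)


if __name__ == "__main__":
    print("single noisy client:", dict(single_noisy_client()))
    print("3000-zombie flood:  ", dict(distributed_flood()))
```

Running it shows the asymmetry: the single client is stopped entirely by its own bucket (2 admitted, 98 rejected), while in the 3000-zombie case not one request is rejected per client; the first wave admits 100 searches and the second, one second later, admits the 50 the shared bucket has refilled, with everything else shed by the global budget. The price of that protection is that legitimate users are also turned away once the shared budget is exhausted, which is exactly the availability trade-off the paragraph above says developers now have to design for.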

It is also worth mentioning that DoS affects not only online business, but critical national infrastructures as well. In the post-9/11 electronic millennium, it is often much easier to disrupt the operation of a network or system than to gain unauthorized access. And with the adoption of Supervisory Control and Data Acquisition (SCADA) network-connected systems, the risk of a DoS attack could be catastrophic. For those unfamiliar with the SCADA network, this interconnected ribbon of computer systems is used for maintaining the nation's infrastructure, including power, water, and utilities.

This chapter will discuss DoS and DDoS from the perspective of an organization with an online presence, because such organizations are the most at risk from these attacks. We will focus primarily on defining a systematic approach to DoS mitigation rather than an in-depth examination of DoS and DDoS tools, reflecting our belief that, while testing of simulated attacks is of course recommended, it's generally not productive to waste time with the idiosyncrasies of such tools when the basic premises upon which they work are well understood.

Note

In contrast to other chapters, this chapter covers a single attack/countermeasure paradigm, DoS, that presents a very similar risk profile. Thus, we have not provided individual attack/countermeasure icons and risk rating calculations, with the intention of illustrating an integrated approach to the threat of DoS and DDoS.



Hacking Exposed, 5th Edition (ISBN: B0018SYWW0; Year: 2003; Pages: 127)
