By denying access to and from the Internet, these attacks can reap havoc on a company's ability to conduct business online and interact with customers and other stakeholders. Even a few hours downtime can inflict immeasurable damage upon an organizations' reputation and erode customer loyalty. More worryingly, a new, more sophisticated attack has found recent notoriety after claiming some high profile scalps - the distributed denial-of-service attack (DDoS) - the latest weapon in the malicious hackers arsenal.
The Proliferation of Hacking
Despite improvements in security over the past few years, the threat to networks connected to the Internet continues to grow due to the development of new attack techniques by hackers. The creation of malicious programs known as software attack tools means that these are now readily available on the Internet, and because many tools now feature simplified graphical user interfaces (GUIs), unskilled or novice hackers now find it a simple enough task to mount an attack. This development opens 'hacking' to a much wider cross-section of the Internet population, including an organization's own non-technical employees who may decide to assault their firm 'for a laugh.' As a result, the number of attacks has grown and is expected to continue to escalate.
So How Do They Do It?
Traditional DoS attacks are designed to bring down a computer or network by overloading it with a large amount of network traffic using TCP, user datagram protocol (UDP) or Internet control message protocol (ICMP) data packets. By themselves, these packets look harmless, making them easy to sneak through a company's routers and firewalls. Disguised as either legitimate traffic or traffic from current vendor equipment in use, these packets are often exempt from the necessary checks that each packet normally receives.
Distributed DoS Attacks Explained
A distributed DoS attack is an advanced version of the DoS attack and is becoming increasingly popular. DDoS uses many different machines connected to the Internet. This new attack uses an array of compromised systems to launch a distributed flood attack against a single target, which is accomplished by loading software on compromised machines located on different corporate or public institution networks. Hackers favor university networks as launch sites for DDoS attacks because applications are greatly distributed. Once the software has been installed on hundreds of machines, an attacker can activate it remotely.
Attack Method Advancements
Hackers are becoming more effective in disrupting a company's network servers and Internet traffic thanks to sophisticated attack tools that can load and run programs on remote workstations, allowing the hacker to launch attacks with less chance of being caught. Open distribution programs also allow hackers with modest computer networking and programming ability to stage an attack. At the time of writing, attackers have been known to use the following four programs to launch DDoS attacks: Trin00, TribeFlood Network (TFN), TFN2K, and Stacheldraht.
Trin00 and TFN are currently being used to implement DDoS attacks. For example, the Trin00 program launches a specific DoS attack at single or multiple IP addresses. Once the attack begins, each machine running the Trin00 daemon floods the target location with UDP packets directed to random and changing ports. This attack is called a UDP flood. Trin00 sends a large number of UDP packets containing 4 data bytes (all zeros) and all coming from one source port to random destination ports on the target host. The target host returns ICMP port unreachable messages and then slows down because it is busy processing the UDP packets. At this point, there will be little or no network bandwidth left.
TFN can also launch DoS attacks at single or multiple IP addresses and supports more DoS attacks than Trin00. TFN attacks can be SYN flood, UDP flood, ICMP flood or Smurf attack. Worse still, recent mutations of these programs can send out packets with different source IP addresses, making it even more difficult to filter out the bogus traffic. TFN2K is an updated version of TFN; Stacheldraht combines features of both Trin00 and TFN while adding encryption to the communication between the attacker and the master machines.
In the recent attacks against Amazon, eBay, and E*TRADE, a DDoS program was installed on machines at various universities. After the hacker installed the tool on enough machines, he/she sent a command to start the program. One method of starting the attack is to send a message to the compromised machine that firewalls typically pass, such as an ICMP echo response packet. The packet has a command inside that tells the zombie program to start creating traffic. The ICMP echo reply message with phony data has been used to start the Trin00 program. At that point each compromised PC started a UDP flood attack to the target company.
Security devices are catching up with these techniques right now. Obviously the goalposts are always moving and this will be an ongoing battle between network managers, security vendors and the hacking community. One development is to correlate inbound and outbound traffic, notably UDP and ICMP traffic. Correlation must occur to ensure that inbound traffic is in response to legitimate outbound traffic. In practice, this means using a 7-layer switch to watch inbound UDP and ICMP packets and match those packets with outbound flows. Genuine requests will be allowed into the network and frauds rejected. Most firewalls only allow or deny all ICMP echo replies.
Totally securing your network will never be easy. However by implementing the right security policy and equipment you can successfully defend your network against the most harmful, yet simple to execute, attacks around today. This means taking a rounded view of security and considering all aspects of the network - not just for attacks coming in - but also from compromised machines looking out.
Paul Lawrence is senior technical director at Top Layer Networks (www.toplayer.com).