Distributed Denial-of-Service Attacks and You
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
By Paul Robichaux
It sounds like a bad 1950s monster movie: "Attack of the Killer Zombies." Unfortunately, though, it could easily be a headline from the recent spate of network attacks targeted at corporate, government, education, and private computer systems. In this article, you will learn how these attacks work and how to keep from becoming an unwitting zombie in the army of a malicious attacker.
On This Page
Understanding the Problem
Getting Pecked to Death by Ducks
How Attacks Work
How to Protect Yourself
Where to Learn More
Understanding the Problem
The more technical term for a zombie attack is a distributed denial-of-service (DDoS) attack. This sounds like an intimidating term, but it's actually pretty simple. Let's start with the "denial of service" part. Imagine that your town's emergency response center only had one phone line, and that a prankster kept calling it and hanging up. During the time the phone line was in use, no one else could report a legitimate emergency. That's denial of service.
Of course, this would not be a recommended way to design an emergency service, so it's safe to assume that even small towns have several inbound lines. Let's say you live in a mid-size town that has 100 inbound 911 lines. What would happen if a coordinated gang of 120 bad actors went to pay phones and simultaneously called 911. The call center would be flooded, and legitimate inbound calls wouldn't be able to get through. Unlike the earlier attack, though, it's harder to prevent coordinated action from many people at once, especially if you don't know who or where they are. That's where the "distributed" in DDoS comes from.
What does this have to do with zombies? Simple. Imagine that you're a malicious attacker who can trick someone into running a program of your choice. That program can lie dormant, like a monster-movie zombie, until you send it a signal; at that point, it can begin generating network traffic sent to a particular target. If you can recruit enough zombies, you can flood even very large services like Yahoo! or CNN, for example.
Getting Pecked to Death by Ducks
This may seem counterintuitive at firsthow can a few individual systems tie up a behemoth like CNN? The answer is twofold: scale and bandwidth. Let's say you can get 500 machines, each of which is on a garden-variety DSL line, to attack a single host. A typical DSL line allows 256Kb/s of upstream bandwidth, so let's conservatively say that the 500 machines can generate 500 * 128Kb/s = 64000 Kb/s = 62.5 Mb/s. As it turns out, this is roughly the size of 42 T1 lines, or about 1.4 T3 linesa considerable amount of bandwidth. If the target only has a single T1 (or even only a dozen), it's toast. Of course, varying the number of hosts and their average bandwidth changes the traffic volume that can be brought to bear, but the important point is that a moderate number of independent systems, acting together, can easily flood even very large networks. There are other tricks that can be used to increase the effectiveness of these attacks, but you don't have to understand them to protect yourself. (If you do want more details, SANS maintains an excellent summary of attack methods.)
How Attacks Work
I mentioned earlier that DDoS attacks depend on getting the DDoS client to run on a wide range of machines. The usual trick is to package it as a " Trojan horse", an innocuous-looking but secretly malicious program that unsuspecting people will run. The key word is "unsuspecting". Many computer users don't think twice about running executable programs or attachments that they get from unknown sources, especially if they think that the program they've downloaded will give them something (like lottery winnings) for nothing. For example, I know of one DDoS attacker who would pose in AOL chat rooms as a teenage girl, offering self-running slide shows of "herself" to people who chatted with her. Of course, the "slide show" was actually a disguised Trojan; over time, this attacker was able to bag a large number of DDoS clients to do his bidding. Of course, someone who's trying to build an arsenal of DDoS clients doesn't want to waste time sending Trojans to well-educated security professionals; better to send them to people who will run the malicious code without a second thought, especially if they aren't likely to notice that their machine is infected.
Once a Trojan is activated, one of the first things it typically does is register its presence somewhere, usually by sending TCP/IP packets to a well-known destination. The popular SubSeven Trojan registers itself by sending messages to an attacker-selected IRC channel. These registration messages usually indicate the IP address of the zombied machine, and it may include some useful information like the apparent bandwidth between the zombie and a preselected target.
Once a machine's infected, it typically stays that way. Depending on the Trojan, it may actively attempt to disguise itself (as with the recent Code Red variant that added a second, bogus copy of explorer.exe to infected machines), or it may depend on user inattention to stay hidden. Whenever the attacker desires to, he can send a trigger command to one, or all, infected zombies; that command will tell the Trojan to attack a designated target by sending it lots of packets. The Trojan may also attempt to spread itself, and many Trojans offer an attacker direct remote control of a compromised machine.
How to Protect Yourself
It's hard to defend against DDoS attacks. There are actually two separate issues: keeping your network from being attacked by others and hardening your machines so they can't be compromised and used in attacks.
The first step is to protect your own network against being attacked. This is hard to do, since any network is vulnerable to being overloaded by seemingly-legitimate traffic. Turning on ingress filtering (as described in RFC 2267) will help screen out junk packets. In addition, there are a number of settings for the Windows NT/2000 TCP/IP stack that you can adjust to harden it against common attacks. Here's what to do:
Go to Microsoft's security bulletin site. Download all the pertinent patches that you don't already have installed. Do this now, then come back and finish reading. (While you're there, sign up to get bulletins automatically.)
Configure your firewall to block (or, better, ignore) traffic on any port you don't actually need. If you don't know which ports should be open for particular services, see Microsoft Knowledge Base (KB) article 150543.
Review the TCP/IP hardening settings described in " Security Considerations for Network Attacks ". Apply them to any server which is exposed directly to the Internet.
Unfortunately, protecting your machines against attacks can be difficult because attackers keep changing their modus operandi. It's simpler to prevent your computers from becoming zombies and contributing to the DDoS problem. A few simple steps that you can take now will do the trick:
Protect your machines against compromise. If your machines don't get Trojans on them in the first place, they won't act as DDoS participants.
Be careful. Don't run attachments you get from unknown or untrusted sources. Be careful with programs that come fromor claim to come from-- adult sites, online casinos, and the like. If you're running Windows 2000 or Windows XP, never use the Administrator account, or any account with similar privileges, for routine tasks. Having a Trojan is bad; it's worse when that Trojan runs with administrative privileges.
Be proactive. One great way to help keep Trojans off your machines is to deploy the Outlook E-mail Security Update (built in to Outlook 2002, or available as a download for Outlook 2000/98). This update restricts which types of attachments may be sent and opened using Outlook.
Use the operating system's security measures. For Windows 2000 and Windows XP, make sure that System File Checking (SFC) is enabled. If you're using Windows XP, be sure that you have the Internet Connection Firewall (ICF) enabled. By default, it's turned off; turning it on greatly strengthens your Internet-connected XP machines' defenses. ICF provides a degree of egress filtering as well.
Limit connectivity. If you have computers that are directly connected to the Internet, configure your routers and firewall so that their connectivity is restricted. For example, on a typical client machine you might only allow traffic on a few selected ports (HTTP, SMTP, FTP, IMAP, and POP) to pass from those machines through the firewall.
Use antivirus software. The major antivirus vendors are all very good at quickly producing updates when a new Trojan is released in the wild. Diligent use of these tools will help keep your machines clean, particularly if you use them to scan new files before you execute them.
Use a personal firewall on individual machines. There are a number of good-quality "personal firewalls" available. Windows XP includes ICF, and other vendors, such as ZoneAlarm and Symantec, make firewalls for other versions of Windows. These programs filter inbound and outbound traffic, alerting you when something unusual happens. For example, ZoneAlarm will warn you every time an application on your computer tries to open an outbound TCP/IP connection. By paying attention to its warnings, you can quickly learn to separate harmless traffic (HTTP requests from Internet Explorer, for example) from suspicious traffic (say, IRC traffic allegedly originating from winword.exe).
Enable egress filtering. P.T. Barnum is famously reputed to have fleeced people who attended his circus by hanging signs directing them "This Way to Egress", but if you understand that egress filtering is a way for you to control which packets are allowed to leave your network you'll understand why it's useful. In general, egress filtering keeps your routers from forwarding any packets whose actual source address doesn't match the real one. DDoS attacks commonly involve spoofing the origin address of the attack packets; with egress filtering on, your network will never forward those packets out to the rest of the world.
Pay attention. This sound so banal as to be worthless, but it's actually worth repeating, if only because not everyone does it as diligently as they should. To help keep safe:
Watch your network traffic. This is particularly useful for home users and small networks, where you have some idea of what "normal" outbound traffic looks like. If your cable modem normally has a few blinks per minute, and one day suddenly the "transmit" light comes on and stays on, that's a sign that something unusual is happening.
Watch the news. I'm not talking about CNN, but regular visits to http://www.microsoft.com/security, the Computer Emergency Response Team (CERT) website, and places like ntbugtraq.com will help keep you up to date on the latest threats and countermeasures.
Don't get alert-happy. When you use a tool like ZoneAlarm, it's easy to get conditioned to the warning messages it generates, to the point where you blindly click "OK" when it asks you whether program X should be allowed to access the Internet. Don't get complacent!
Where to Learn More
The Computer Emergency Response Team (CERT) keeps tabs on emerging attacks and technologies. In particular, their advisory to home users contains a lot of good informationyou might consider sending it to all of your network users so they can secure their own machines at home.
Microsoft offers a tool for checking your network computers to make sure they have all relevant security hotfixes. Get it and use itoften.
Microsoft TechNet also maintains a master summary page covering DDoS-related attacks.
Paul Robichaux is the principal of Robichaux & Associates, Inc., which provides programming, technical communications, and security services to customers ranging in size from local auto dealerships to Microsoft. He's glad to have his latest book (Managing Microsoft Exchange Server, published by O'Reilly & Associates) on the shelves so he can spend more time with his family.
For any feedback or comments in regards to the content of this article, please send them to Microsoft TechNet.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.