Friday, May 23, 2008

What is a DDOS attack?

Distributed Denial of Service (DDOS) Attacks

The Problem

There are several tools being distributed on compromised computers that allow vandals to remotely control those computers to launch attacks rendering a victim's computers inoperable. The attacks on several prominent Web sites during the week of February 6-12, 2000 used these Distributed Denial of Service (DDOS) attack tools. The nature of the attack is such that it is very difficult to stop and next to impossible to prevent single-handedly. Some sites have experienced several days of downtime while trying to restore services.

The core problem is the existence of the compromised computers used to create the attack. The computers used in the attacks are compromised in several ways, including remote attacks on vulnerable, defective software and taking advantage of computers whose owners have loaded remotely controllable software such as remote control trojans and IRC bots. Some reports have put the number of compromised systems in the thousands. Many of the systems are compromised because patches for software defects that were reported and fixed months ago are never installed, because anti-virus tools are not kept up to date, and because the computer owners give away control of their computers by indiscriminately running unknown programs.

Recent studies have indicated these attacks may be widespread and underreported.

The basis of the attack is to overload a victim's computer resources by flooding them with traffic. This is done by commanding multiple compromised systems to send high rates of traffic. In addition, the traffic is often formulated in such a way that it consumes resources at abnormal rates.

Halting an attack is extremely complicated and time consuming for several reasons:

  • The flood of traffic will likely shut down the victim's network, making it harder for them to diagnose the problem, collect enough data to determine the sources involved, and communicate effectively. The upstream network provider may also fail under the volume of traffic, further isolating the victim.
  • With some types of attacks, the victim may be able to filter the traffic by its source with a firewall. But there are issues with the number of filters that can be put in place, how long it takes to install the filters, and what happens when the filters block traffic that the organization needs to perform its business. In addition, even with filters, there will be performance degradation because of the processing they require, sometimes to the point of making them ineffective as a defensive tool. If the attack overloads the upstream provider, then filtering is useless.
  • The victim may see traffic from hundreds or even thousands of computers. The traffic may be coming from compromised computers all over the world. To stop the attack requires tracing each different address back to the network and system from which it originated. Then the responsible organization must be contacted and asked to help shut down and/or clean the offending system. This can obviously be challenging across organizational and national boundaries. The tools allow a vandal to automate attack times and frequencies, so attacks may come and go before they can be traced.
  • If being attacked from a hundred different organizations is bad, imagine not knowing which hundred they are. Many of the DDOS tools allow the attacking machines to forge their source address and change it in a random manner. This may make it appear as though the attack is originating from tens of thousands of different computers when it actually may only be ten. This makes it impossible for an organization, single-handedly, to a) know where the traffic is coming from or b) filter the packets. The attack must be traced step by step from the victim back to the source through all the intermediary ISPs. This requires a large amount of cooperation and technical help from the ISPs, who may be in different countries, minimally staffed, and minimally motivated to help. In some attacks, the actual traffic isn't even coming from the attacking computers. It's coming from networks which are configured to allow themselves to be used as traffic amplifiers. In those cases, it is the traffic feeding the remote networks that has forged source addresses. This means the back-tracking must start on someone else's network, which increases the complications even more. And again, the attacker may vary the attack time and frequency to harry the victim and avoid capture.
  • Once the source organizations are identified, the victim must ask them one by one to clean or shut down a compromised computer. That computer may serve a critical function for the source organization. It may be their email server, for example. The source organization may not be staffed on weekends or at night. They may speak a different language. They may not have the authority or desire to help. The staff may be unfamiliar with the attack, system administration, network topology, or any number of things that may delay shutting down the attacking computer. If there are hundreds of computers involved in the attack, a victim cannot spend much time hunting down each one, or the recovery effort will be measured in days.
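The two filtering points above (a firewall can only hold so many source filters, and randomised forged source addresses defeat source-based filtering entirely) can be made concrete with a small flow-record analysis. This is an added example, not code from the original post; the flow records, the RFC 5737 documentation addresses, and the filter budget are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from the original post): one flow record per
# packet, "seq src dst proto bytes". 192.0.2.10 is the victim (RFC 5737 range).
VICTIM = "192.0.2.10"

def fixed_bot_flood(n_packets, n_bots):
    """Flood from a fixed set of compromised hosts that keep their real address."""
    bots = [f"198.51.100.{b}" for b in range(1, n_bots + 1)]
    return [f"{i} {bots[i % n_bots]} {VICTIM} udp 1024" for i in range(n_packets)]

def spoofed_flood(n_packets):
    """Flood where every packet carries a freshly forged source address.
    Multiplying by an odd constant mod 2^32 is a bijection, so each packet
    gets a distinct constructed address."""
    out = []
    for i in range(n_packets):
        h = ((i + 1) * 2654435761) & 0xFFFFFFFF
        src = f"{h >> 24}.{(h >> 16) & 255}.{(h >> 8) & 255}.{h & 255}"
        out.append(f"{i} {src} {VICTIM} udp 1024")
    return out

def summarise(flows):
    """Per-source statistics a responder would pull from captured flows."""
    per_src = Counter(line.split()[1] for line in flows)
    singletons = sum(1 for c in per_src.values() if c == 1)
    return {"packets": sum(per_src.values()),
            "unique_sources": len(per_src),
            "singleton_fraction": singletons / len(per_src)}

def block_list_effectiveness(flows, learn_packets, filter_budget):
    """Learn a source block list from the first learn_packets packets, capped at
    filter_budget entries (the firewall's filter limit), and report how many
    entries were used and what fraction of the remaining packets it drops."""
    learned = []
    for line in flows[:learn_packets]:
        src = line.split()[1]
        if src not in learned and len(learned) < filter_budget:
            learned.append(src)
    blocked = set(learned)
    rest = flows[learn_packets:]
    dropped = sum(1 for line in rest if line.split()[1] in blocked)
    return len(blocked), dropped / len(rest)

if __name__ == "__main__":
    for name, flows in (("fixed bots", fixed_bot_flood(2000, 50)),
                        ("spoofed", spoofed_flood(2000))):
        print(name, summarise(flows), block_list_effectiveness(flows, 200, 100))
```

A singleton fraction near 1.0 (almost every source seen exactly once) is the signature of randomised spoofing; the block list learned from the fixed-bot flood drops all later traffic, while the one learned from the spoofed flood exhausts its budget and drops none.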
