.
TOC Notes on
Denial of Service
Case
Case Analysis:

-1- It is instructive to review the analysis of the spamming case within the context of the current case.
Whether for spamming or denial of service, over time the dark side:

  • moves from individual actors to organized gangs
  • gives increasing importance to financial goals
However denial of service attacks differ from spamming in measuring financial success in one of two distinct ways:
  • revenues benefiting the author of the attacks, in the form of extortion money or as the result of disabling competition, or
  • losses suffered by the victim, as the result of missed revenues and extra security-related costs
While these two views may reinforce each other, since extortion money increases with the potential to inflict losses, one must realize that a purely negative goal is enough to justify a DOS attack and much easier to achieve. This makes DOS attacks more intractable than spamming, which aims at a positive response from a fraction, however small, of its target.

-2-The grc.com case provides a practical example of how to fight a DOS attack.

  • The sudden inability to access a web site, both symptom and goal of the attack, is clear and universal. In each case, however one needs to find what specific web site resource is overwhelmed by the attacker to make the service collapse. In the grc.com case, the targeted resource was the company's Internet access bandwidth.
  • Once the component under attack is identified, the next step is to ascertain the precise manner in which the attack is carried. The grc.com Internet pipe was flooded with UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) packets, i.e. two special Internet protocols.
  • The third step is to design a filter to shield the resource from the attack. To protect its site, Steve Gibson simply decided to reject all UDP and ICMP packets.
-3-Fighting a DOS attack with a filter is one more application of pattern recognition, already mentioned in chapters I-2 (credit fraud) and IV-1 (spamming). Before implementing the filter, one must therefore understand the nature of the associated trade off:
  • in the case of grc.com, the good news is that Steve Gibson's decision eliminates the possibility of false negatives: all attacking packets will be captured; but
  • the price to pay is significant: all innocent UDP and ICMP packets will become false positives
UDP and ICMP are commonly used by Internet for ancillary tasks, while the payload, commercial interaction with grc.com, relies on HTTP HyperText Transfer Protocol) and perhaps SMTP (Simple Mail Transfer Protocol). In an emergency situation such as "Wicked"'s DOS attack, Steve Gibson's trade off is excellent.

As one can imagine, not all possible trade off's will be found acceptable. Furthermore what is acceptable in an emergency situation may not be so as a lasting solution.
If Steve Gibson had not found an indirect way to stop the attacker all together, he could have continued cataloging the IP addresses of "Wicked"'s zombie network and use them for designing the filter. Notice that this would have inevitably introduced some false negatives, i.e. unidentified zombies, but decreased false positives to a small number of misidentified innocent PC's.

-4-The grc.com case illustrates another recurring theme: the inescapable importance of business partners (see for example chapters II-1 on healthcare and III-1 on protection).
Here the point is that no matter the filter designed by grc.com, it will be totally ineffective if it not deployed before the attacking packets reach the company's Internet access pipe. In order to defend itself, grc.com must secure the cooperation of its ISP.

Steve Gibson's lively account of his tribulation shows that such a cooperation does not occur as a matter of course. In fact emergencies will always strained a relationship unless advance plans have been drawn, agreed upon and hopefully tested in realistic conditions.

-5-In the Information Age, one must realize that emergencies are always compounded by a concomittant decrease in communications. Assume for example telephone links between grc.com and its ISP used VOIP technology. Then Steve Gibson would have had a even more difficult time to contact his ISP while the DOS attack was unleashed.
To name some examples of such side effects:

  • lack of compatibility between emergency communication networks of fire and police forces in New York during the 9/11/01 terrorist attack
  • loss of cellular telephone coverage around New Orleans during hurricane Katrina of 2005 because of collapsed towers and flooded facilities and
  • potentially, coordinated DOS attacks on selected emergency, logistics and financial communication centers to compound the effects of some future terrorist attack

-6-The way in which Steve Gibson reaches closure on the DOS attack provides one more lesson.
When he defined the relevant system, he did not forget to include the attacker himself as well as his potential partners.
Granted such considerations did nothing to help him resolve the emergency. But in the long term, his efforts to understand the psychology and the motivation of his ennemies, the type of relationships they had between themselves as well as the extent of their technology paid off by eliminating the threat at its root.

Pure technical resources and expertise are indispensible to face the dark side. But risk management should always look at the global system.
The extortion story on gambling sites reinforces the lesson. The most remarkable aspect of this case is the ability of the British police to obtain the cooperation of foreign governments to arrest the perpetrators when they tried to collect the ransom, a well established weak point. Compare this to the "sorry, not my problem" attitude of some of Steve Gibson's correspondents.

General Comments:

-1- A "denial of service attack" (DOS) seeks to prevent ordinary users from using the Internet service which is the target of the attack. It must further have two characteristics:

  • it is delivered over the Internet itself
  • it acts by saturating a resource necessary to service delivery
According to this definition, bombing the physical facility which hosts the service is not a DOS, although the effect seen by an ordinary user is identical. Finding a way to take control of the computer(s) supporting the service is not a DOS either, but a penetration attack.
However, as long as the attack is carried over the Internet and exhausts some resource, the nature of the resource can be anything: the Internet access bandwidth, as in this chapter case, another internal communication resource, some form of memory, etc...

In a sense DOS attacks are the reverse of spamming.
  • spamming is an outward process which tries to broadcast a message to the whole world
  • a DOS is an inward process which focuses on a specific site to hide it from the whole world
The dark side, of course, do not care for these academic distinctions:
  • DOs attacks have used spam to blanket a specific site to the point of saturation
  • malicious code from a penetration attack may trigger a DOS as a side effect, consuming all the processing time normally devoted to services hosted by the compromised computer
-2-Contrary to spamming, the motivation of DOS attacks is quite varied:
  • extortion, for monetary gain, as seen in this chapter case against gambling sites
  • competitive advantage , to benefit indirectly from weakening the victim (see the case of the hired hacker )
  • personal revenge, to hurt the victim, as illustrated by the actions of "Wicked" in this chapter case against grc.com
  • economic warfare, to cripple the victim's economic activities, whether a company subject to violent vigilantism or a country subject to war or terrorism
This is important when one goes beyond a purely technical response and takes the people responsible for the attack into consideration.

-3-Comparing DOS with spamming leads to another insight.
One can argue that spamming did not exist before the Information Age. This phenomenon was created because Internet technologies allowed the cost of emitting and transporting commercial messages (see chapter II-2 on marketing for a definition) to become vanishingly small.
While, from a strict definition, DOS attacks are also new, they are but the latest twist on traditional practices of such as blockades, picketing, customer intimidation...

This again may influence how one considers DOS. In particular one should distinguish between the objective of the attack and its means. Remember that spamming is legal in the US if it does not use illegal means. In the same way, a reading of the Computer Fraud and Abuse Act of 1996 (see protection) seems to imply that, as long as the DOS is not motivated by extortion and does not attempt to "penetrate" the target via some unauthorized access method, it is not illegal to flood a target site resource to a point of saturation.

In other words, if a trade union were to mount a DOS against a company with a significant e-commerce activity, using for example the computers of all willing members, it might be judged a legal form of what we propose to call e-picketing.

-4-We listed economic warfare as one potential reason for DOS attacks. There is some amount of controversy on the subject.
On the one hand, this happens everyday. Anti-spamming organizations (see spamming) do not hesitate to include whole blocks of IP addresses on their blocking lists. This remedial action has been known to close down Internet access to whole countries.
On the other hand, the actual impact of economic warfare has been negligible so far. In the fight against spamming, the countries in question were small, with little at stake on the Internet. As for countries with sizable Internet-based economies, many voices have been raised to downgrade the potential for damage, e.g. Putting cyberterrorism into context, by Kathryn Kerr, AusCERT, October 24, 2003 and CYBERTERRORISM - Fact or Fancy?, by Mark M. Pollitt, FBI Laboratory.

For a sober view of the subject, we refer to an April 2005 report to Congress on Computer Attacks and Cyberterrorism: Vulnerabilities and Policy Issues for Congress by Clay Wilson. As quoted, "a 1999 report by The Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School concluded that it is likely that any severe cyberattacks experienced in the near future by industrialized nations will be used by terrorist groups simply to supplement the more traditional physical terrorist attacks."
While rare are the weapons whose implementation change the course of history, new weapons can indeed be quite effective in compounding damages. In our case analysis, we stressed the potential harm of coordinated DOS attacks on selected emergency, logistics and financial communication centers.

-5-In another quote, the Cyberterrorism report mentions the following conclusion of a war game: "The simulated cyberattacks determined that the most vulnerable infrastructure computer systems were the Internet itself". There is a heavy dose of irony behind this statement since the Internet came out of the efforts in the seventies by the Defense Advanced Research Projects Agency (DARPA) to mitigate the vulnerabilities of war time communication systems (see Birth of a Network). Yet this is just another example of the helicoidal nature of progress: by its very success in creating a highly flexible and resilient network, Internet has gathered enough influence to create new dependencies, and therefore vulnerabilities.

It remains that, through multipath routing, Internet communications offer organizations an extremely reliable way to reach out to their constituencies. DOS attacks, to go back to the topic of this chapter, have no perceptible effect on the Internet itself. Rather the real irony is in the way organizations have been using the Internet, a highly decentralized architecture, to centralize their sales and marketing. Compare for example a large bookstore chain such as Waldenbooks, with "more than 700 stores located throughout all 50 states" to Amazon.com and its one virtual store.

Whichever side one takes, attacker or target, DOS attacks aims at all the critical bottlenecks created by centralization. Any measure to further decentralization will be an effective deterrent.
At one extreme using a peer to peer network, e.g. FastTrack, a protocol popularized by Grokster (see chapter IV-3 on copying), an organization could communicate with its users in a manner impervient to DOS attacks. This of course would require the user to download a software client, a step most organizations will consider impractical.
On the other hand simply planning to replace the equipment under attack by a duplicate, as one does to ensure business continuity, will suffer from the fact that the DOS attack does not rely in general on penetrating the target computer. The replacement will therefore be subject to the same effects from the attack as the original.
A common prevention method is rather to deploy significantly more resources than would be necessary in a well behaved environment, thus diluting the impact of a DOS attack. This is an extension of load balancing, which distributes the tasks among multiple copies of the same basic resources, a virtual decentralization.

-6- In the previous paragraph we argued that centralization makes DOS attacks more powerful by creating bottlenecks. The same problem occurs when the business activity of the target is highly concentrated in time. This is the case of horse racing or team sports gambling sites, where many gamblers wait till the last minute to take all available information into account. Other examples include auction sites, administrative sites accepting public transactions such the settling of taxes till a yearly deadline, or emergency related sites especially if the emergency is created by the same attacker. In those cases a DOS-induced delay of a couple of hours to a couple of days can produce disproportionate damage to the target.

It is also useful to remember that, for an ordinary user, there is no difference between a site which is the victim of a DOS attack and a site overwhelmed by a surge in regular traffic. We suggest to call ADOS (auto DOS) this self-induced problem, which originates in a lack of forecast regarding the reaction of the public.

Solutions:
for offense
As for spamming, we preface this section with a disclaimer: our intent is definitely not to encourage illegal activity. For example, our "solution list" comes from the CSRC Computer Security Incident Handling Guide, an unimpeachable source.
Since DOS attacks do not have to follow any particular implementation, several solutions exist, including:

  • reflector attack, triggering a UDP exchange loop between an unsuspecting intermediary and the victim
  • amplifier attack, using ICMP (aka "smurf" attack) or UDP broadcast functionalities of unsuspected intermediaries to flood the target with reply traffic
  • synflood attack, targeting the victim's TCP/IP connection pool
  • processing overload, using anonymous File Transfer Protocol (FTP) to initiate multiple transfers of very large files
A more powerful solution, common to illegal spamming, is to create a network of compromised (aka zombie) computers or "bot network". According to Clay Wilson: "a “bot network” or “bot herd” (a “bot” is a remotely controlled, or semi-autonomous computer program that can infect computers), sometimes comprised of hundred or thousands of compromised computers that can all be controlled remotely by a single hacker. This “bot herd” hacker may instruct the computers through an encrypted communications channel to spy on the owner of each infected computer, and quietly transmit copies of any sensitive data that is found, or he may direct the “herd” to collectively attack as a swarm against other targeted computers."
The strength of a Distributed DOS attack (DDOS) is in direct relation with the size of the network thus enslaved. Sizes of 100,000 machines have been reported (source The Register ).
A make or buy choice is available according to several reports (e.g. Heise online). Byron Acohido and Jon Swartz, of USA Today, quoted going prices in september 2004, pegging a 20,000 network at $ 2,000 to 3,000. We refer to our spamming solutions to find a seller.

In chapter III-1 on protection, we mentioned that new technologies bring new vulnerabilities. As an example, a flood of text messages (Small Message Standard or SMS) has the potential to shut down voice and data communications on cellular networks according to a report by a Penn State University research team (Sept 2005). This new DOS attack solution reinforces our analysis of economic warfare, stressing the risk to emergency communications.

for defense
The source we used to study the offense offers a methodology to strengthen a potential target according to the common pattern: prevention / detection / correction.

Prevention has four components:

  • strategy: see our discussion above on avoiding excessive centralization in virtual space and in time
  • personel: see how to create a computer security incident response team
  • partners: linking with the Internet Service Provider (ISP) to establish crisis communication and agree on filter deployment,
    and, for major companies, with the appropriate police agencies
  • technical means: including deployment of oversized resources to make saturation less likely, preventive filtering and detection tools.
Detection is successful if the targeted victim may learn of a DOS attack before the latter succeeds in shutting down access by ordinary users. Network traffic analysis can be very useful in this regard.
The next task is to understand the nature of the attack so as to design possible filters and assess their associated trade offs (see comments on the case)

Correction must be understood as a two step process:
  • temporary emergency measures to shield the targeted resource from the attack, which may or may not outlast the attack.
    For example Steve Gibson's temporary fix did outlast the attack. On the other hand simply changing the IP address of the target will only provide a respite until the attacker updates its own parameters.
  • long term solutions, which may involve going after the attackers with all legal means at one's disposal and putting together new, improved prevention measures.
One must remember that a similar methodology must also be applied to fight being enlisted against one's will as an accessory to the attack.

Tools available
Note that classifying tools between offense and defense is misleading because of the dual nature of knowledge.

for offense
For more information about known DDOS tools, we refer to:

for defense
All network security tools (see chapter III-1 on protection) contribute to fight DOS. Some will prove more useful than others given the special nature of DOS attacks, as seen by the comments of Steve Gibson on the effectiveness of some firewalls (see case story).

Because so much happens at the packet level, including sending ill formed packets, "low-level" tools such as packet sniffers are especially useful. Here are three sources:

At a higher level, one finds so called "Intrusion Detection System" (IDS), whether network or host based, real time or not. Like any filter, an IDS will generate its own trade off between raising too many false alarms (false positives) and ignoring real attacks (false negatives). Here are two sources: The tools mentioned so far are generic in the sense that they may be used to protect a network against many different types of attacks, notably penetration by malicious code. Some tools are advertized specifically for DDOS attacks in mind (see this Google search).

Finally all anti-virus softwares (see the Computer Security Resource Center) offer assistance for cleaning up a compromised computer which has been taken over as an intermediary in a DDOS attack.

The Intranet Dilemma:

DOS attacks target the service offered by a server, not the data it manages. Therefore the methodology outlined in the chapter III-1 on protection) cannot be applied without some modification.
In common practice, the two perspectives are combined in the so called Intranet approach: all computer resources of the organization are networked together, using Internet protocols, and this network, which must be connected to Internet to interact with the ouside world, whether customers, suppliers or employees from remote locations, is protected as a whole against all attacks. I.e. data protection is made secondary to network protection rather than network access being a way to protect the data.

Setting up an Intranet is not without consequences. Since every computer "within the wall" protecting the Intranet is an ideal intermediary to launch a successfull attack against servers on the same Intranet, employees' PC's must be made completely safe. This unfortunate fact of life, which we call the Intranet Dilemma, leads to one of two equally troublesome situations:

  • employees' freedom to use their PC's as they see fit is seriously restricted by the network administrator, lest a PC be compromised. For those who have witnessed the transition from computer terminals to PC's in the eighties, the inability to do much more than access centrally authorized applications from their desktop PC is likely to appear a "terminal disease".
  • the network administrator lets the employees free to access the Internet but lives in fear that some employee, willingly or unwillingly, will compromise his or her PC by downloading malicious code.
Within small organizations, employees and network administrators can achieve a good level of harmony. Large organizations can find the dilemma much more difficult to face.

We propose the following alternative, based on giving priority back to data protection: whenever the data which resides on an employee' PC is not critical, consider this PC as any other PC used for remote access, such as from this employee's home.
This course of action requires to solve two issues:
  • user identification. Remote access is consider with reason as more dangerous than local access, especially under threat from keyloggers embedded in malicious code. But one may solve the difficulty and accept the trade off of using so called two-factor authentification based on security tokens
  • internal network security. The Intranet Dilemma comes from the imperative of protecting the internal network from attacks. If an employee's PC does not need the extra protection, it follows it cannot be directly connected to the internal network. One may consider setting up a wireless network to accommodate this "outside the wall" population.
While this alternative is bound to appear heretical, many overworked network administrators may welcome the idea to drastically dowsize the PC user population under their direct control and focus more on protecting the data plant, in particular against:
  • attacks propagated from mobile devices to desktop PC's. According to David Maynor, an intrusion detection expert at Internet Security Systems, "such [mobile] devices would allow remote attackers to leap past firewalls guarding corporate borders" (source John Markoff, New York Times, Oct. 2005). Extending the Intranet and its exacting controls to employees' smart phones and PDA's is sure to encounter deep resistance. If, on the contrary, most PC's are put at arm-length outside the Intranet, the penetration risk will be no different than today.
  • rogue insiders' attacks. Trying to gain privileges beyond one's assigned role by cracking fellow employees' PC's is easier within an Intranet than if one's interactions with the organization are restricted by firewall rules.

August 2005
Copyright © 2005 Philippe Coueignoux. All rights reserved.