|
|
Denial of Service Attacks (DoS Attacks)
Author: Chey Cobb, CISSP & Stephen Cobb, CISSP
Status: This article first appeared in Infosecurity
News, 2001.
Although it was not intended as an information security awareness program, the recent televising of Homer’s Odyssey served to freshen our collective memory of the original Trojan horse. This beast lives on, several millennia later, in malicious code that gains access to systems by masquerading as something it is not. But the war between Greece and Troy also illustrates a potentially more serious information security problem, denial of service attacks.
Systems Under Siege
The lifeblood of today’s organization is information, and the denial of service attacks we are going to talk about in this article are attempts to prevent or delay access to information, or information processing systems.
In their crudest form, denial of service attacks simply abuse systems and software to such an extent that they fail. Lately, we have seen a rash of announcements about the susceptibility of Windows NT to such attacks. But Windows NT is not the only operating system that is open to such attacks.
A variety of Unix processes can be compromised this way and TCP/IP itself can be abused to the point where it breaks down. This is essentially what happens in a SYN flood attack, the most widely reported example of which targeted PANIX, the New York ISP (denying crucial services to about 6,000 individuals and 1,000 companies.
Many other ISPs have faced similar attacks, apparently inspired by similar motives. For example, while researching this article we learned of a large European Internet service provider who was recently targeted by someone looking for personal revenge against the administrator for terminating an account.
Why Do They Happen?
According to Sarah Gordon, a data security analyst, “many of the current denial of service attacks are ‘acting out’ by scripters with nothing better to do.” Such acting out has become a whole lot easier in the last twelve months, with widespread online publication of scripts for SYN flooding and other attacks.
In March, Jon McCown, who tests firewalls submitted for the National Computer Security Association’s certification process, warned of a SYN attack tool written for Windows 95 or NT, which “makes ‘jamming’ a site very much a point-and-click affair.” Although initial testing showed that it did not alter the source IP (allowing the culprit to be traced more easily) McCown noted that it did do “a fair job of saturation, using multiple source sockets with adjustable settings for link speed/target characteristics.” Developments like this suggest that attacks are likely to increase.
Internet security expert Steve Bellovin thinks we “will see more such attacks by people who just want to gain attention.” Christopher Hughes, a senior analyst with Computer Sciences Corporation, concurs, saying that, at least in the short term, “denial of service attacks will become increasingly common, especially against Windows NT and 95 boxes.” However, Hughes is hopeful that, “After a year or so, the real hackers will tire of it, and there will be patches available for the known exploitations.”
Types and Levels of Attack
We have listed seven recent denial of service (DoS) attacks in the box below. Attacks currently in vogue on the Internet tend to fall into one of four categories:
1. tying up the server with bogus requests
2. tying up CPU cycles, memory, or other resources
3. disabling web traffic by misconfiguring routers (often an accidental occurrence)
4. mailbombs to individuals, lists or domains
But to some security experts, these attacks are just a subset of a potentially larger problem. According to Michael Miora, president of Spectria InfoSec, a security and disaster recovery consultancy based in Playa del Rey, CA, “denial of service attacks are an important element of overall security and they will become ever more important as other security attacks become more difficult.”
This echoes the thesis advanced by the Winn Schwartau, the author of Information Warfare. Schwartau has probably done more than anyone else to raise public and professional awareness of the inherent weaknesses in our information infrastructure. He postulates that “as we continue to deploy better and better defenses, such as strong encryption and sophisticated firewalls, we will be able to achieve the first two goals of information security, that is, insuring the confidentiality and integrity of our data…but that will only lead some attackers to target the third goal, availability.”
Schwartau has experienced denial of service attacks first-hand. His Web site, www.infowar.com, was targeted by hackers who objected to one of the guests he hosted in his chat room. But he thinks the real problem is much more sinister, pointing to the recent trial of IRA supporters in the UK who are alleged to have plotted a total shutdown of London’s electricity supply. They planned to do this with a few small explosive devices strategically placed at switching units.
For many years the IRA has known just how much disruption is caused when computer and communication equipment is destroyed by a single large device exploded outside financial offices. But strict security precautions within London, directed against truck and car bombs, appears to have displaced the threat, to sites outside the city.
You might think cutting off the electricity is the worst denial of service attack that an information system could face, but telecommunications expert Ron Eward of Melbourne, FL-based Martech, Inc. would beg to differ. He sees the telecom layer as the weakest link in today’s globally networked systems because “the concentration of traffic in some areas is so intense that they represent obvious points of vulnerability in the network.” Accordingly, “We are advising clients to look beyond simple backup lines, beyond diversity to triversity routing and other strategies to protect mission critical data flows.”
Just how mission critical is network traffic? One source at a major US airline, who preferred to remain anonymous for obvious reasons, told us that if the company’s network ever went down for more than 48-hours it would never recover. The figure might be even less for businesses heavily dependent upon just-in-time shipments, such as large retail chains operating on tight margins. And as Eward points out, “you don’t have to cut the cable to cause havoc with delivery schedules – some denial of service attacks can be subtly controlled so as to degrade network traffic, slowing it down rather that blocking it completely, and making it harder to identify the culprit.”
Of course, not everyone accepts Schwartau’s theory, that attacks on information systems will be displaced by wider implementation of encryption and access controls. And even those that do are unsure when this will take place. As Bellovin points out, cryptography is only half the answer to current problems, the other half is “a solution to the buggy software problem -- and we don't have one.” He suggests that a large percentage of the problems revealed by the last eighteen month’s worth of CERT advisories cannot be fixed with encryption and “most are due to buggy software.”
Responding to DoS Attacks
These days it seems all network administrators have more than their fair share of bug-inflicted denial of service attacks, and there is no doubt that these do cause genuine losses. But Miora cautions security managers not to overlook the more remote, yet still real possibility of “physical sabotage and other destructive acts.” He urges close cooperation with contingency planners “to ensure there are measures in place for prevention, protection, and recovery.”
As Bellovin points out, the current crop of network-based denial of service attacks “are hard to counter because they can occur any time it's cheaper for the attacker to send a message than it is for the recipient to deal with it.” He doesn’t see any general solution to the problem.
Yet specific responses have been effective in some cases, for example, as Kennedy points out, “the UNIX vendor community responded promptly to SYN floods by releasing kernel modifications.” However not all vendors participated and UNIX and the TCP/IP stack are not the only vulnerable systems.
Kennedy suggests that the real answer might be intrusion detection “I would not be surprised to see IDS deployed widely to protect large enterprises over the next one to two years…the intrusion detection suites have become more sophisticated and provide more features.” He adds that “All of the commercial products I'm aware of include SYN flood defenses as well the ability to detect other attacks on the networks they protect.” Firewall vendors have also responded to the problem. For example FireWall-1 SYNDefender intercepts all SYN packets and mediates connection attempts before they reach the operating system, preventing the target host from being flooded by unresolved connection attempts.
It is somewhat ironic that, Marcus Ranum, chief scientist at V-ONE, Inc. and a leading pioneer of firewall technology, thinks the answer may not lie in technology, but in “legal structures backed by tracking technologies that will allow us to sue the jockey shorts off of the clowns who think it's cute to harm other people's businesses for a laugh.” He believes the best way to deal with the problem is to “locate the perpetrator and make him (or less likely her) wish they had never heard of the Internet.”
Gordon concurs that the only long-term solution is “an
improvement in the standard of behavior.” She sees “an awareness
of the ethical implications of their actions” as a vital element
society’s education of users. Clearly, education on a number of
levels is vital to our efforts to minimize the DoS problem. As Bellovin
observes, “increased awareness of the problem will aid in future
protocol designs.” Already there are some hopeful signs, for example,
IPv6 addresses the TCP session issue by encrypting the packet headers
and validating where the packet is coming from, meaning that anyone trying
a denial-of-service attack over TCP/IP could be traced easily. Now that
we are learning to take denial of service attacks seriously, detection,
prosecution, education, and system hardening will all play a role in defending
against, and ultimately discouraging, their perpetration.
Seven Deadly SYNs?
Recently Observed Denial of Service Attacks
SYN Floods
A flood of SYN TCP/IP packets is used to consume all available new network
connections on a targeted host, resulting in delays responding to legitimate
network connections and eventual halting of request servicing. This applies
to all TCP connections, telnet, Web, email, etc. Creating half-open connections
is easily accomplished with IP spoofing. The attacking system sends SYN
messages to the victim server system which appear to be legitimate but
in fact reference a client system that is unable to respond to the SYN-ACK
messages. This means that the final ACK message will never be sent to
the victim server system.
Ping of Death
Uses a ping packet of an abnormal size exceeding the TCP/IP specification
to either cause a system crash or network programs to stop processing
on the targeted host.
Mail Bombs
Sending huge volumes of data to a SMTP host will often crash the server,
causing legitimate mail services to be denied, possibly resulting in lost
mail.
CPU Hogging
Uses up CPU processing cycles to prevent legitimate processes from being
executed. This is one of the oldest known forms of denial of service and
mature operating systems are likely to have a defense (e.g. many flavors
of Unix allow administrators to set limits on CPU usage by user and automatically
decrease the priority of the highest-priority processes when applications
become starved for CPU time. The method used by current versions of Windows
NT to schedule concurrently running applications leave it vulnerable to
attacks of this type. NT attempts to deal with CPU-hogging applications
by boosting the priority of other applications, but according to Mark
Russinovich, a consulting associate with Open Systems Resources, who helped
bring this problem to light, NT will only boost applications to a certain
level, which is below the level to which some users can set their applications.
If a CPU-hogging attack is launched then other applications, even system
utilities such as Task Manager, never get a chance to execute while it
is running. Note that this weakness could be exploited by an ActiveX control
or a Netscape plug-in.
Malicious Applets
Several examples of hostile applets embedded in web pages have published
on the web, many of which are denial of service attacks based on consuming
CPU or memory resources of the client accessing the page. A variation
on this theme is the attack displayed from a Georgia Tech site that paints
huge black windows on the client’s screen, in such a way that you
can't access other parts of the screen. The applet then displays a fake
name/password dialog box, instructing you to enter your name and password
in order to restart the browser securely (this illustrates how one might
cull name/password pairs from people on the Internet).
Accidental DoS
Some denial of service attacks are accidental, for example, when a corrupt
DNS table is propagated through a large part of the backbone networks
(in April virtually all Net traffic was suddenly steered toward a backbone
provider called MAI Network Services Inc. in McLean, Va. and the company’s
Director of Network Services revealed that a client ISP had sent up bad
routing tables which were mistakenly announced to Sprint -- he is quoted
as saying “What should have been a 30-minute hiccup turned into
a three-hour megalapse”).
Chargen DoS Attack
Uses a connection between two UDP services, each of which produces output,
leading to a very high number of packets and thus a denial of service
on the machine(s) where the services are offered. As recently discussed
example involves connecting a host's chargen service to the echo service
on the same or another machine. If two or more hosts are connected like
this, the intervening network may also become congested and deny service
to all hosts whose traffic traverses that network.
Out of Band Attacks
In May, a number of Windows users complained of being knocked off Internet
chat groups after being targeted with a program known as "WinNuke." This
sends "out of band" data to port 139 on a computer running Windows 95
or NT. If someone is armed with WinNuke and has the victim's IP address
it only takes a few clicks to launch an attack.