Here is an article I read that may help shed some light on what is happening.

====================================================

Denial of service attacks are one of the perennial nightmares for system and network administrators. Unlike most attacks, there isn't a lot you can do to stop or prevent them. Applying a service patch doesn't always work when 40,000 computers are sending dozens of http requests a second to your webserver.

On Monday, Yahoo! was partially knocked offline when one of their routers at a California data center was hammered into the ground by a distributed denial of service attack. Estimates say Yahoo! lost several million dollars (I'm not sure where people get numbers for monetary losses for these sites), but more importantly they have been embarrassed, and it has been proven that they are vulnerable (although investors don't seem to mind; their stock closed up half a buck today).

Traditionally DOS attacks have been a problem, but not a major one. Until recently the availability of tools (publicly, that is) has been limited, making the execution of a really effective (read: large-scale) DOS attack mildly challenging (i.e. your mother probably couldn't do it, but the kid down the street probably could learn enough hanging out on IRC). There are currently around a half dozen well known distributed DOS attacks floating around (stacheldraht, Tribe FloodNet (TFN), Tribe FloodNet 2K (TFN2K), etc.) and while finding the code for these is hard, it is far from impossible. This means the bar has been lowered: instead of having to develop and write your own tools you can simply download them from any number of web sites.

Most DOS attacks are relatively simple: you seize control of as many remote machines as you can (usually by exploiting well known security holes that should have been patched), and then send a lot of data at your victim.
It may be as simple as TCP/IP packets with the SYN bit set (used to start a TCP connection), with the intention of denying legitimate connections to the target machine (each SYN packet will be evaluated and held for a while, filling up a finite queue). It may be something more complex, like establishing a proper TCP/IP connection to the victim's secure e-commerce web server and sending lots of fragmented data which will also fill up the various queues intended to hold it. The number of DOS attacks is infinite; you can minimize their effect, but never completely block them, short of removing the service (which is essentially what the attacker is trying to do).

Today's attack on Yahoo! was quite well done (while only partially successful, I suspect the attacker spent a lot less than the amount of money Yahoo! probably lost because of it). First of all, the network would have to be probed, as the attack was directed at a choke point on the network (one of the routers). A quick check on auctions.yahoo.com reveals about 8 or so "servers" associated with the name (note: these are most likely clusters of servers sitting behind something like a Cisco director to spread the load). Taking a look at traceroute output reveals the ISP providing the bandwidth, and looking at their webpages usually reveals a map of their network (or you can generate one yourself, but it's late so I cheated). After a few minutes of gentle probing it looks like there is one major choke point, a router on their ISP's end that most of the traffic passes through (most of the traffic to the auction sites passes through it by default). I suspect that router is big enough that any DOS attack sufficient to nuke it will take considerable effort, but you can connect to it via telnet, so things aren't perfect.
It appears that there are two routers connected to this large router (and connected to those are the servers, it appears, so chances are these two routers are actually at Yahoo!), which is definitely a good idea, as that is probably what saved Yahoo! from being completely dead in the water on Monday. This network probe took me around 5 minutes and I used nothing fancy, just dig, nslookup, traceroute and telnet (heck, these tools are even available by default on Windows), and anyone could easily learn how to do it.

In addition to this there are situations where a system can be unintentionally DOS'ed. A few weeks ago an article on Slashdot linked to SecurityPortal and a very popular article about Linux vs Microsoft. Site traffic was much higher than usual, which was something we weren't expecting, and consequently our server admin spent most of the day babysitting the network and making sure things didn't get too bad. We survived, but a lot of sites do not survive being "Slashdotted" (they get slow, and sometimes the admins will take them offline or the servers simply get wedged).

So what can you do to prevent network DOS attacks? Not much, but there are a lot of techniques you can use to minimize their effect. Make sure you are running the latest version of the software; many older versions of popular packages and operating systems suffer problems that make executing a DOS attack very easy, and most modern software has been somewhat hardened by the vendor. Tune and tweak your software; for example, with the Apache webserver there are a variety of settings that can be tuned to increase the amount of traffic that can be handled. Proper tuning can save a significant amount of money that might otherwise be spent on hardware. Generally speaking, set timeouts for network connections, http sessions and so on to smaller values as load increases; the drawback of doing this is you may "lose" slow legitimate connections (like people connecting over extremely slow links).
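As an added illustration (not part of the article), here is a small Python model of the finite half-open connection queue a SYN flood fills, run with a long and a short hold timeout. The backlog size, flood rate and client arrival times are constructed values; it shows that the shorter timeout leaves room for real clients while a client on a very slow link is lost, which is exactly the trade-off described above.

```python
# Added example, not from the article: a toy model of a server's finite
# half-open (SYN_RECV) queue under a spoofed-SYN flood, showing the trade-off
# of lowering connection timeouts under load. All parameters are constructed.

def simulate_syn_backlog(backlog, timeout, attack_rate, legit_clients, duration):
    """Discrete-time simulation; one tick is an arbitrary unit (say ~100 ms).
    backlog       - maximum number of half-open entries the server keeps
    timeout       - ticks a half-open entry is held before being discarded
    attack_rate   - spoofed SYNs per tick; their handshakes never complete
    legit_clients - list of (arrival_tick, rtt): a real client finishes its
                    handshake rtt ticks after its SYN is queued
    Returns counts of real connections accepted, rejected (queue full on
    arrival) and lost_to_timeout (entry expired before the final ACK arrived).
    """
    queue, arrivals = [], {}
    stats = {"accepted": 0, "rejected": 0, "lost_to_timeout": 0}
    for tick, rtt in legit_clients:
        arrivals.setdefault(tick, []).append(rtt)
    for t in range(duration):
        # 1. discard entries held longer than the timeout; a real client whose
        #    ACK has not come back yet loses its connection here
        stats["lost_to_timeout"] += sum(
            1 for e in queue if e["legit"] and t - e["arrival"] >= timeout)
        queue = [e for e in queue if t - e["arrival"] < timeout]
        # 2. real clients whose final ACK arrives this tick complete and leave
        done = {id(e) for e in queue if e["legit"] and t == e["arrival"] + e["rtt"]}
        stats["accepted"] += len(done)
        queue = [e for e in queue if id(e) not in done]
        # 3. the flood fills whatever room is free
        room = backlog - len(queue)
        queue.extend({"arrival": t, "rtt": None, "legit": False}
                     for _ in range(min(attack_rate, room)))
        # 4. real SYNs arriving now are queued only if there is still room
        for rtt in arrivals.get(t, []):
            if len(queue) < backlog:
                queue.append({"arrival": t, "rtt": rtt, "legit": True})
            else:
                stats["rejected"] += 1
    return stats

# Constructed scenario: 100-entry backlog, 20 spoofed SYNs per tick, three fast
# clients (rtt 2) and one on a very slow link (rtt 6), arriving at steady state.
CLIENTS = [(20, 2), (21, 2), (22, 2), (20, 6)]

def compare_timeouts():
    long_t = simulate_syn_backlog(100, 10, 20, CLIENTS, 40)  # 20*10 > 100: always full
    short_t = simulate_syn_backlog(100, 4, 20, CLIENTS, 40)  # 20*4 < 100: room left
    return {"timeout_10": long_t, "timeout_4": short_t}
```

With the 10-tick timeout every real client is turned away; with the 4-tick timeout the three fast clients connect and only the slow-link client is dropped.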
Distribute the load across multiple servers, and across multiple sites if possible. Most sites will use either "Round Robin DNS" (a very simple, and usually effective, method of distributing load to multiple servers / sites) or hardware such as a Cisco director to send incoming requests for data to one of many servers. One added benefit is that this also makes upgrades and testing of new software significantly easier. Do not enable any services you do not specifically need, and install a firewall; if nothing else this will allow you to block addresses from which attacks are originating (assuming they are not being spoofed and so forth).

There are also many things you can do as an ISP or network service provider to "be a good neighbor" and ensure that, if any of your customers commit DOS attacks or are used to commit DOS attacks, at least the remote end can trace it down. Install a firewall with outgoing filters to restrict packets leaving the network to only those networks that actually exist behind the firewall. This will prevent attacks that are almost impossible to trace down from being launched from your network. Provide technical contact information in your DNS listing that is up to date and useful (this is one of the first places most administrators will look when trying to contact you). Firewall incoming data bound for ports such as 31337 and other well known ports that software like stacheldraht uses to control remote machines (note: most of these software packages are easily customizable, and many now encrypt their communications to defeat any Network Intrusion Detection Systems you may have). Consider deploying a Network Intrusion Detection System; these require a lot of work to set up properly and are high maintenance (knowing that attacks are coming in, or originating from your network, is no good unless you act upon it).
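An added example (not from the article) of the two "good neighbor" filter rules above applied to a constructed packet-filter log: outbound packets must carry a source address that really exists behind the firewall, and inbound traffic to a known control port such as 31337 is blocked. The log line format, the internal address blocks and the sample lines are all assumptions made for this example.

```python
# Added example, not from the article: audits a constructed packet-filter log
# against an egress anti-spoofing rule and an inbound control-port rule.
import ipaddress
import re

# Constructed: the address blocks actually assigned behind this firewall
# (RFC 5737 documentation ranges stand in for real ones).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
# 31337 is the port the article names for stacheldraht; real deployments
# change it, so treat this set as a starting point, not a complete list.
CONTROL_PORTS = {31337}

# Constructed log format, one packet per line.
LINE_RE = re.compile(
    r"(?P<dir>IN|OUT) src=(?P<src>[0-9.]+) dst=(?P<dst>[0-9.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return the verdict an egress/ingress filter should reach for one line."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    if m["dir"] == "OUT" and not is_internal(m["src"]):
        # Leaving the network with a source we do not own: spoofed, drop it.
        return "egress-spoofed-source"
    if m["dir"] == "IN" and int(m["dport"]) in CONTROL_PORTS:
        return "ingress-control-port"
    return "permit"

def audit(lines):
    """Tally verdicts over a log; the non-permit counts are what to act on."""
    counts = {}
    for line in lines:
        verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "OUT src=192.0.2.15 dst=203.0.113.80 proto=tcp dport=80",     # normal web request
    "OUT src=10.99.0.7 dst=203.0.113.80 proto=tcp dport=80",      # spoofed: not our block
    "IN src=203.0.113.9 dst=198.51.100.3 proto=tcp dport=31337",  # handler reaching an agent
    "IN src=203.0.113.9 dst=198.51.100.3 proto=tcp dport=443",    # normal inbound
    "garbage line",
]
```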
If everyone had outgoing filters on their firewall, DOS attacks would not be spoofed (well, not to the degree they tend to be right now), and you could at least trace back the attack with a higher degree of confidence and block that network, which currently may or may not be effective.

Summary

There is no easy answer to DOS attacks, but if you utilize good computing practices (keeping software up to date, firewalling your network properly, tuning of servers, etc.) you can minimize any effects they will have. Think of DOS attacks as a small disaster (like a meteorite hitting your datacenter, but not as bad); generally speaking, a good business continuity plan (usually referred to as a disaster recovery plan) will be applicable for any really effective DOS attack (people to contact, etc.). As the volume and complexity of services available on the Internet grow, and the online population with them, so will the number and scale of DOS attacks.

Kurt Seifried (seifried@securityportal.com) is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural fiber and Linux security, part of a complete breakfast.

Related links:
http://www.zdnet.com/zdnn/stories/news/0,4586,2434394,00.html?chkpt=zdhpnews01 - Massive attack knocks Yahoo! offline
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html - CERT® Advisory CA-99-17 Denial-of-Service Tools
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis - The "stacheldraht" distributed denial of service attack tool
http://www.rootshell.com/ - exploit code (disclaimer: I'm only including it to show how easy it is to get these tools, I do NOT advocate the use of them)