[LONG] Yahoo Down or Why DoS Attacks Work

Jean L Francois Jean.L.Francois@aexp.com
09 Feb 2000 11:51:46 -0700


Here is an article I read that may help shed some light
on what is happening.
====================================================

    Denial of service attacks are one of the perennial nightmares for system 
and network
    administrators. Unlike most attacks there isn't a lot you can do to stop 
or prevent them. Applying a service patch
    doesn't always work when 40,000 computers are sending dozens of http 
requests a second to your webserver. On
    Monday, Yahoo! was partially knocked offline when one of their routers at 
a California data center was hammered into
    the ground by a distributed denial of service attack. Estimates say Yahoo! 
lost several million dollars (I'm not sure
    where people get numbers for monetary losses for these sites), but more 
importantly they have been embarrassed, and
    it has been proven that they are vulnerable (although investors don't seem 
to mind, their stock closed up half a buck
    today). 
    Traditionally DOS attacks have been a problem, but not a major one. Until 
recently the availability of tools (publicly
    that is) has been limited, making the execution of a really effective 
(read large-scale) DOS attack mildly challenging
    (i.e. your mother probably couldn't do it, but the kid down the street 
probably could learn enough hanging out on IRC).
    There are currently around a half dozen well known distributed DOS attacks 
floating around (stacheldraht, Tribe
    FloodNet (TFN), Tribe FloodNet 2K (TFN2K), etc.) and while finding the 
code for these is hard, it is far from impossible.
    This means the bar has been lowered, instead of having to develop and 
write your own tools you can simply download
    them from any number of web sites. Most DOS attacks are relatively simple, 
you seize control of as many remote
    machines as you can (by exploiting well known security holes that should 
have been patched usually), and then send a
    lot of data at your victim. It may be as simple as TCP-IP packets with the 
SYN bit set (used to start a TCP
    connection), with the intention of denying legitimate connections to the 
target machine (each SYN packet will be
    evaluated, and held for a while, filling up a finite queue). It may be 
something more complex like establishing a proper
    TCP-IP connection to the victims secure e-commerce web server and sending 
lots of fragmented data which will also fill
    up the various queues intended to hold it. The number of DOS attacks is 
infinite, you can minimize their effect, but
    never completely block them, short of removing the service (which is 
essentially what the attacker is trying to do). 
    Today's attack on Yahoo! was quite well done (while only partially 
successful I suspect the attacker spent a lot less
    than the amount of money Yahoo! probably lost because of it), first of all 
the network would have to be probed, as the
    attack was directed at a choke point on the network (one of the routers). 
A quick check on auctions.yahoo.com
    reveals about 8 or so "servers" associated with the name (note: these are 
most likely clusters of servers sitting behind
    something like a Cisco director to spread the load). Taking a look at 
traceroute output reveals the ISP providing the
    bandwidth, looking at their webpages reveals a map of their network 
usually (or you can generate one yourself, but it's
    late so I cheated). After a few minutes of gentle probing it looks like 
there is one major choke point, a router on their
    ISP's end that most of the traffic passes through (most of the traffic to 
the auction sites pass through it by default). I
    suspect that router is big enough that any DOS attack sufficient to nuke 
it will take considerable effort, but you can
    connect to it via telnet so things aren't perfect. It appears that there 
are two routers connected to this large router
    (and connected to those are the servers it appears, so chances are these 
two routers are actually at Yahoo!), which
    is definitely a good idea, as that is what probably saved Yahoo! from 
being completely dead in the water on Monday.
    This network probe took me around 5 minutes and I used nothing fancy, just 
dig, nslookup, traceroute and telnet
    (heck, these tools are even available by default on Windows), and anyone 
could easily learn how to do it.
    In addition to this are situations where a system can be unintentionally 
DOS'ed. A few weeks ago an article on Slashdot
    linked to SecurityPortal and a very popular article about Linux vs 
Microsoft. Site traffic was much higher than usual,
    which was something we weren't expecting, and consequently our server 
admin spent most of the day babysitting the
    network and making sure things didn't get to bad. We survived, but a lot 
of sites do not survive being "Slashdotted"
    (they get slow, and sometimes the admins will take them offline or the 
servers simply get wedged).
    So what can you do to prevent network DOS attacks? Not much, but there are 
a lot of techniques you can use to
    minimize their effect. 
       Make sure you are running the latest version of the software, many 
older versions of popular packages and operating
       systems suffer problems that make executing a DOS attack very easy, 
most modern software has been somewhat
       hardened by the vendor. 
       Tune and tweak your software, for example with the Apache webserver 
there are a variety of settings that can be
       tuned to increase the amount of traffic that can be handled. Proper 
tuning can save a significant amount of money
       that might otherwise be spent on hardware. Generally speaking set 
timeouts for network connections, http sessions
       and so on to smaller values as load increases, the drawback of doing 
this is you may "lose" slow legitimate
       connections (like people connecting over extremely slow links). 
       Distribute the load across multiple servers, and multiple sites if 
possible. Most sites will use either "Round Robin DNS"
       (a very simple, and usually effective method of distributing load to 
multiple servers / sites) or hardware such as a
       Cisco director to send incoming requests for data to one of many 
servers. One added benefit is that this also makes
       upgrades, and testing of new software significantly easier. 
       Do not enable any services you do not specifically need, and install a 
firewall, if nothing else this will allow you to
       block addresses from which attacks are originating (assuming they are 
not being spoofed and so forth). 
    There are also many things you can do as an ISP or network service 
provider to "be a good neighbor" and ensure that if
    any of your customers commit DOS attacks, or are used to commit DOS 
attacks that at least the remote end can trace
    it down.
       Install a firewall with outgoing filters to restrict packets leaving 
the network to only those networks that actually
       exist behind the firewall. This will prevent attacks from being 
launched from your network that are almost impossible
       to trace down. Provide technical contact information in your DNS 
listing that is up to date and useful (this is one of
       the first places most administrators will look when trying to contact 
you). 
       Firewall incoming data bound for ports such as 31337 and other well 
known ports that software like stacheldraht uses
       to control remote machines (note most of these software packages are 
easily customizable, and many now encrypt
       their communications to defeat any Network Intrusion Detection Systems 
you may have). 
       Consider deploying a Network Intrusion Detection System, these require 
a lot of work to setup properly and are high
       maintenance (knowing that attacks are coming in, or originating from 
your network is no good unless you act upon it).
    If everyone had outgoing filters on their firewall DOS attacks would not 
be spoofed (well not to the degree they tend
    to be right now), and you could at least trace back the attack with a 
higher degree of confidence, and block that
    network, which currently may or may not be effective. 

    Summary

    There is no easy answer to DOS attacks, but if you utilize good computing 
practices (keeping software up to date,
    firewalling your network properly, tuning of servers, etc.) you can 
minimize any effects it will have. Think of DOS
    attacks as a small disaster (like a meteorite hitting your datacenter, but 
not as bad), generally speaking a good
    business continuity plan (usually referred to as a disaster recovery plan) 
will be applicable for any really effective DOS
    attack (people to contact, etc.). As the volume, and complexity of 
services available on the Internet grows, and the
    online population, so will the number and scale of DOS attacks. 

    Kurt Seifried (seifried@securityportal.com) is a security analyst and the 
author of the "Linux Administrators
    Security Guide", a source of natural fiber and Linux security, part of a 
complete breakfast.

    Related links:
    
http://www.zdnet.com/zdnn/stories/news/0,4586,2434394,00.html?chkpt=zdhpnews01 
- Massive attack
    knocks Yahoo! offline
    http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html - 
CERTŪ Advisory CA-99-17
    Denial-of-Service Tools
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis - The 
"stacheldraht" distributed denial of
    service attack tool
    http://www.rootshell.com/ - exploit code (disclaimer: I'm only including 
it to show how easy it is to get these tools,
    I do NOT advocate the use of them)