[LONG] Yahoo Down or Why DoS Attacks Work
Jean L Francois
Jean.L.Francois@aexp.com
09 Feb 2000 11:51:46 -0700
Here is an article I read that may help shed some light on what is happening.
====================================================
Denial of service attacks are one of the perennial nightmares for system and network administrators. Unlike most attacks there isn't a lot you can do to stop or prevent them. Applying a service patch doesn't always work when 40,000 computers are sending dozens of HTTP requests a second to your webserver. On Monday, Yahoo! was partially knocked offline when one of their routers at a California data center was hammered into the ground by a distributed denial of service attack. Estimates say Yahoo! lost several million dollars (I'm not sure where people get numbers for monetary losses for these sites), but more importantly they have been embarrassed, and it has been proven that they are vulnerable (although investors don't seem to mind, their stock closed up half a buck today).
Traditionally DOS attacks have been a problem, but not a major one. Until recently the availability of tools (publicly, that is) has been limited, making the execution of a really effective (read: large-scale) DOS attack mildly challenging (i.e. your mother probably couldn't do it, but the kid down the street probably could learn enough hanging out on IRC). There are currently around a half dozen well known distributed DOS attacks floating around (stacheldraht, Tribe FloodNet (TFN), Tribe FloodNet 2K (TFN2K), etc.) and while finding the code for these is hard, it is far from impossible. This means the bar has been lowered: instead of having to develop and write your own tools you can simply download them from any number of web sites.

Most DOS attacks are relatively simple: you seize control of as many remote machines as you can (usually by exploiting well known security holes that should have been patched), and then send a lot of data at your victim. It may be as simple as TCP/IP packets with the SYN bit set (used to start a TCP connection), with the intention of denying legitimate connections to the target machine (each SYN packet will be evaluated and held for a while, filling up a finite queue). It may be something more complex, like establishing a proper TCP/IP connection to the victim's secure e-commerce web server and sending lots of fragmented data, which will also fill up the various queues intended to hold it. The number of possible DOS attacks is infinite; you can minimize their effect, but never completely block them, short of removing the service (which is essentially what the attacker is trying to do).
Today's attack on Yahoo! was quite well done (while only partially successful, I suspect the attacker spent a lot less than the amount of money Yahoo! probably lost because of it). First of all the network would have to be probed, as the attack was directed at a choke point on the network (one of the routers). A quick check on auctions.yahoo.com reveals about 8 or so "servers" associated with the name (note: these are most likely clusters of servers sitting behind something like a Cisco director to spread the load). Taking a look at traceroute output reveals the ISP providing the bandwidth; looking at their webpages usually reveals a map of their network (or you can generate one yourself, but it's late so I cheated). After a few minutes of gentle probing it looks like there is one major choke point, a router on their ISP's end that most of the traffic passes through (most of the traffic to the auction sites passes through it by default). I suspect that router is big enough that any DOS attack sufficient to nuke it will take considerable effort, but you can connect to it via telnet so things aren't perfect. It appears that there are two routers connected to this large router (and connected to those are the servers, it appears, so chances are these two routers are actually at Yahoo!), which is definitely a good idea, as that is what probably saved Yahoo! from being completely dead in the water on Monday. This network probe took me around 5 minutes and I used nothing fancy, just dig, nslookup, traceroute and telnet (heck, these tools are even available by default on Windows), and anyone could easily learn how to do it.
In addition to this there are situations where a system can be unintentionally DOS'ed. A few weeks ago an article on Slashdot linked to SecurityPortal and a very popular article about Linux vs Microsoft. Site traffic was much higher than usual, which was something we weren't expecting, and consequently our server admin spent most of the day babysitting the network and making sure things didn't get too bad. We survived, but a lot of sites do not survive being "Slashdotted" (they get slow, and sometimes the admins will take them offline or the servers simply get wedged).
So what can you do to prevent network DOS attacks? Not much, but there are a lot of techniques you can use to minimize their effect.
- Make sure you are running the latest version of the software. Many older versions of popular packages and operating systems suffer problems that make executing a DOS attack very easy; most modern software has been somewhat hardened by the vendor.

- Tune and tweak your software. For example, with the Apache webserver there are a variety of settings that can be tuned to increase the amount of traffic that can be handled, and proper tuning can save a significant amount of money that might otherwise be spent on hardware. Generally speaking, set timeouts for network connections, HTTP sessions and so on to smaller values as load increases; the drawback of doing this is you may "lose" slow legitimate connections (like people connecting over extremely slow links).

- Distribute the load across multiple servers, and multiple sites if possible. Most sites will use either "Round Robin DNS" (a very simple, and usually effective, method of distributing load to multiple servers / sites) or hardware such as a Cisco director to send incoming requests for data to one of many servers. One added benefit is that this also makes upgrades and testing of new software significantly easier.

- Do not enable any services you do not specifically need, and install a firewall; if nothing else this will allow you to block addresses from which attacks are originating (assuming they are not being spoofed and so forth).
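As an added illustration of the SYN-queue mechanism described earlier (each SYN is held in a finite queue until the handshake completes or it times out) and of the timeout trade-off in the tuning item above, the following Python model replays constructed traffic through a fixed-size half-open connection queue. This is example code written for this page, not anything from the article or from Kurt Seifried; the backlog size, the two timeout values, the flood rate and the client mix are all assumptions chosen for the example and do not describe any particular kernel.

```python
"""Model of a TCP half-open connection queue (the SYN backlog) under a
SYN flood, and of what shortening the SYN timeout does to it.

Added example, not from the original article.  Backlog size, timeouts,
flood rate and client round-trip times below are constructed.
"""


def build_traffic(flood_per_sec, duration_ms, legit_rtts_ms):
    """Constructed event list of (time_ms, kind, src, client_id).

    Flood SYNs come from spoofed sources that never finish the handshake.
    Legitimate client j sends its SYN at 550 + 1000*j ms and its final ACK
    rtt milliseconds later; the offsets are chosen so no two events collide.
    """
    events = []
    if flood_per_sec:
        step = 1000 // flood_per_sec
        for t in range(0, duration_ms, step):
            events.append((t, "syn", f"spoofed-{t}", None))
    for j, rtt in enumerate(legit_rtts_ms):
        t0 = 550 + 1000 * j
        events.append((t0, "syn", f"client-{j}", j))
        events.append((t0 + rtt, "ack", f"client-{j}", j))
    events.sort(key=lambda e: e[0])
    return events


def simulate(events, backlog_size, syn_timeout_ms):
    """Replay events through a backlog with backlog_size slots.

    A SYN occupies one slot until the matching ACK arrives or the entry has
    waited syn_timeout_ms; a SYN arriving at a full backlog is dropped.
    Returns (set of client ids whose handshake completed, dropped SYN count).
    """
    pending = {}        # src -> time its SYN was queued
    completed = set()
    dropped = 0
    for t, kind, src, client in events:
        # Reap half-open entries that have waited longer than the timeout.
        for s, t0 in list(pending.items()):
            if t - t0 >= syn_timeout_ms:
                del pending[s]
        if kind == "syn":
            if len(pending) >= backlog_size:
                dropped += 1        # no free slot: the SYN is silently lost
            else:
                pending[src] = t
        else:  # "ack": completes only if its SYN is still queued
            if src in pending:
                del pending[src]
                completed.add(client)
    return completed, dropped


def run_scenarios(backlog_size=128):
    """Compare a generous (60 s) and an aggressive (3 s) SYN timeout, with
    and without a 10 SYN/s flood, over 30 s of constructed traffic:
    30 clients, every fifth one on a slow link needing 4.5 s to finish."""
    rtts = [4500 if j % 5 == 4 else 200 for j in range(30)]
    results = {}
    for flood in (0, 10):
        for timeout in (60_000, 3_000):
            events = build_traffic(flood, 30_000, rtts)
            completed, dropped = simulate(events, backlog_size, timeout)
            results[(flood, timeout)] = (len(completed), dropped)
    return results


if __name__ == "__main__":
    for (flood, timeout), (ok, dropped) in run_scenarios().items():
        print(f"flood={flood:2d} SYN/s  timeout={timeout // 1000:2d}s: "
              f"{ok}/30 clients completed, {dropped} SYNs dropped")
```

With the 60 s timeout the 10 SYN/s flood fills the 128-slot backlog in about 13 seconds and every client arriving after that is refused, even though the flood itself is tiny. With the 3 s timeout the flood never holds more than about 30 slots and the fast clients all get through, but the clients that need 4.5 s to complete the handshake are lost whether or not a flood is running, which is exactly the "slow legitimate connections" drawback the article points out. Real kernels add defences the model leaves out (SYN cookies, for example), but the shape of the trade-off is the same.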
There are also many things you can do as an ISP or network service provider to "be a good neighbor" and ensure that if any of your customers commit DOS attacks, or are used to commit DOS attacks, at least the remote end can trace it down.
- Install a firewall with outgoing filters to restrict packets leaving the network to only those networks that actually exist behind the firewall. This will prevent your network from being used to launch attacks that are almost impossible to trace down.

- Provide technical contact information in your DNS listing that is up to date and useful (this is one of the first places most administrators will look when trying to contact you).

- Firewall incoming data bound for ports such as 31337 and other well known ports that software like stacheldraht uses to control remote machines (note most of these software packages are easily customizable, and many now encrypt their communications to defeat any Network Intrusion Detection Systems you may have).

- Consider deploying a Network Intrusion Detection System. These require a lot of work to set up properly and are high maintenance (knowing that attacks are coming in, or originating from your network, is no good unless you act upon it).
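To make the first and third items above concrete, here is a toy packet filter in Python, added for this page rather than taken from the article: an egress rule that drops any outbound packet whose source address is not from a prefix that really sits behind the filter, and an ingress rule that drops traffic aimed at a known control port. It goes one step beyond the text by also dropping inbound packets that claim one of the internal addresses, the mirror image of the outgoing filter. The prefixes, the sample packets and the hostnames are constructed (documentation address ranges), and the port set contains only 31337, which the article names; everything else in a real list would be site-specific.

```python
"""Toy packet filter for the ISP-side measures above.

Added example, not code from the original article.  Internal prefixes,
sample packets and the control-port set (beyond 31337, which the article
names) are constructed for the example.
"""
import ipaddress
from collections import Counter

# Constructed: the customer networks that really exist behind this filter.
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/24")]

# 31337 comes from the article.  Any real deployment keeps its own list,
# and the article itself warns these tools are easily reconfigured.
CONTROL_PORTS = {31337}


def is_internal(addr):
    """True if addr falls inside one of the prefixes behind the filter."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_packet(pkt):
    """Decide one packet.  pkt is a dict with direction, src, dst, dport.

    Returns (verdict, reason).  Outbound packets must carry one of our own
    source addresses (the article's outgoing filter).  Inbound packets must
    not claim one of our addresses (the mirror-image check, beyond the
    article) and must not target a known control port.
    """
    src_internal = is_internal(pkt["src"])
    if pkt["direction"] == "out":
        if not src_internal:
            return "drop", "egress: source address is not ours (spoofed)"
        return "allow", "egress: source address is ours"
    if src_internal:
        return "drop", "ingress: outside packet claims an internal source"
    if pkt["dport"] in CONTROL_PORTS:
        return "drop", "ingress: destination port used by DDoS control tools"
    return "allow", "ingress: no rule matched"


# Constructed sample traffic (TEST-NET addresses, not real hosts).
SAMPLE_PACKETS = [
    {"direction": "out", "src": "192.0.2.10",   "dst": "203.0.113.5", "dport": 80},
    {"direction": "out", "src": "10.9.9.9",     "dst": "203.0.113.5", "dport": 80},
    {"direction": "in",  "src": "203.0.113.7",  "dst": "192.0.2.10",  "dport": 80},
    {"direction": "in",  "src": "203.0.113.7",  "dst": "192.0.2.10",  "dport": 31337},
    {"direction": "in",  "src": "192.0.2.50",   "dst": "192.0.2.10",  "dport": 80},
    {"direction": "out", "src": "198.51.100.7", "dst": "203.0.113.9", "dport": 31337},
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the policy to every packet; returns the list of verdicts."""
    return [filter_packet(p)[0] for p in packets]


def drop_reasons(packets=SAMPLE_PACKETS):
    """Count why packets were dropped, the figure an operator reviews."""
    decisions = [filter_packet(p) for p in packets]
    return Counter(reason for verdict, reason in decisions if verdict == "drop")


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{pkt['direction']:>3} {pkt['src']:>14} -> "
              f"{pkt['dst']}:{pkt['dport']:<5} {verdict}")
    for reason, n in drop_reasons().items():
        print(f"{n} x {reason}")
```

The egress rule is the one that helps the remote end: a packet that leaves with a source address your network does not own is the "almost impossible to trace" case, and it is cheap to stop at the border because the filter knows exactly which prefixes live behind it. The control-port rule is deliberately the weaker of the two, for the reason the article gives: the port is a default the tool's operator can change, so it catches unmodified installations and little else.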
If everyone had outgoing filters on their firewall, DOS attacks would not be spoofed (well, not to the degree they tend to be right now), and you could at least trace back the attack with a higher degree of confidence and block that network, which currently may or may not be effective.
Summary
There is no easy answer to DOS attacks, but if you utilize good computing practices (keeping software up to date, firewalling your network properly, tuning of servers, etc.) you can minimize any effects they will have. Think of DOS attacks as a small disaster (like a meteorite hitting your datacenter, but not as bad); generally speaking a good business continuity plan (usually referred to as a disaster recovery plan) will be applicable for any really effective DOS attack (people to contact, etc.). As the volume and complexity of services available on the Internet grow, and the online population with them, so will the number and scale of DOS attacks.
Kurt Seifried (seifried@securityportal.com) is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural fiber and Linux security, part of a complete breakfast.
Related links:
http://www.zdnet.com/zdnn/stories/news/0,4586,2434394,00.html?chkpt=zdhpnews01 - Massive attack knocks Yahoo! offline
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html - CERT® Advisory CA-99-17 Denial-of-Service Tools
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis - The "stacheldraht" distributed denial of service attack tool
http://www.rootshell.com/ - exploit code (disclaimer: I'm only including it to show how easy it is to get these tools, I do NOT advocate the use of them)