Understanding and Preventing DDoS Attacks - Page 2

By Steven J. Vaughan-Nichols | Posted Jan 9, 2004
Page 2 of 3   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Original SYN

And, then, there's SYN, to which there really isn't a perfect cure. In a SYN Flood, the attack works by overwhelming the protocol handshake that has to happen between two Internet-aware applications when they start a work session. The first program sends out a TCP SYN (synchronization) packet, which is followed by a TCP SYN-ACK acknowledgment packet from the receiving application. Then, the first program replies with an ACK (acknowledgment). Once this has been done, the applications are ready to work with each other.

A SYN attack simply buries its target by swamping it with TCP SYN packets. Each SYN packet demands a SYN-ACK response and causes the server to wait for the proper ACK in reply. Of course, the attacker never gives the ACK, or, more commonly, it uses a bad IP address so there's no chance of an ACK returning. This quickly hogties a server as it tries to send out SYN-ACKs while waiting for ACKs.

When the SYN-ACK queues fill up, the server can no longer take any incoming SYNs, and that's the end of that server until the attack is cleared up. The Land attack makes SYN one-step nastier by using SYN packets with spoofed IP addresses from your own network.

There are many ways to reduce your chances of getting SYNed, including setting your firewall to block all incoming packets from bad external IP addresses like 10.0.0.0 to 10.255.255.255, 127.0.0.0 to 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255, as well as all internal addresses. But, as SCO discovered, if you throw enough SYN packets at a site, any site can still be SYNed off the net.

Brute Force Attacks

Common brute force attacks include the Smurf attack and the User Datagram Protocol (UDP) flood. When you're Smurfed, Internet Control Message Protocol (ICMP) echo request packets, a particular type of ping packet, overwhelm your router. Making matters worse, each packet's destination IP address is spoofed to be your local broadcast address. You're probably already getting the picture. Once your router also gets into the act of broadcasting ICMP packets, it won't be long before your internal network is frozen.

A UDP flood works by someone spoofing a call from one of your system's UDP chargen programs. This test program generates semi-random characters for received packets with another of your network's UDP echo service. Once these characters start being reflected, your bandwidth quickly vaporizes.

Fortunately, for these two anyway, you can usually block them. With Smurfing, just setting your router to ignore broadcast addressing and setting your firewall to ignore ICMP requests should be all you need.

To dam up UDP floods, just block all non-service UDP services requests for your network. Programs that need UDP will still work. Unless, of course, the sheer volume of the attack mauls your Internet connection.

That's where the DDoS attack programs such as Tribe Force Network (TFN), Trin00, Trinity, and Stacheldraht come in. These programs are used to set DDoS attack agents in unprotected systems. Once enough of them have been set up in naïve users' PCs, the DDoS controller sets them off by remote control, burying target sites from hundreds or even thousands of machines.

Unfortunately, as more and more users add broadband connections without the least idea of how to handle Internet security, these kinds of attacks will only become more common.

Page 3: Deflecting DDoS Attacks

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter