Understanding and Preventing DDoS Attacks

Bad as they ever were ... and getting worse. Is your network safeguarded against the threat of a DDoS?

 By Steven J. Vaughan-Nichols
Page 1 of 3
Print Article

It was in early 2000 that most people became aware of the dangers of distributed denial of service (DDoS) attacks when a series of them knocked such popular Web sites as Yahoo, CNN, and Amazon off the air. More recently, a pair of DDoS attacks nailed The SCO Group's Web site, which many people thought had to be a hoax, since surely any company today could stop a simple DDoS SYN attack. Wrong.

It's been almost four years since they first appeared, but DDoS attacks are still difficult to block. Indeed, if they're made with enough resources, some DDoS attacks – including SYN (named for TCP synchronization) attacks – can be impossible to stop.

No server, no matter how well it's protected, can be expected to stand up to an attack made by thousands of machines. Indeed, Arbor Networks, a leading anti-DDoS company, reports DDoS zombie armies of up to 50,000 systems. Fortunately, major DDoS attacks are difficult to launch; unfortunately, minor DDoS attacks are easy to create.

In part, that's because there are so many types of DDoS attacks that can be launched. For example, last January, the Slammer worm targeted SQL Server 2000, but an indirect effect as infected SQL Server installations tried to spread Slammer was to cause DDoS attacks on network resources, as every bit of bandwidth was consumed by the worm.

Thus, a key to thinking about DDoS is that it's not so much a kind of attack as it is an effect of many different kinds of network attacks. In other words, a DDoS may result from malignant code attacking the TCP/IP protocol or by assaulting server resources, or it could be as simple as too many users demanding too much bandwidth at one time.

Typically, though, when we're talking about DDoS attacks, we mean attacks on your TCP/IP protocol. There are three types of such attacks: the ones that target holes in a particular TCP/IP stack; those that target native TCP/IP weaknesses; and the boring, but effective, brute force attacks. For added trouble, brute force also works well with the first two methods.

The Ping of Death is a typical TCP/IP implementation attack. In this assault, the DDoS attacker creates an IP packet that exceeds the IP standard's maximum 65,536 byte size. When this fat packet arrives, it crashes systems that are using a vulnerable TCP/IP stack. No modern operating system or stack is vulnerable to the simple Ping of Death, but it was a long-standing problem with Unix systems.

The Teardrop, though, is an old attack still seen today that relies on poor TCP/IP implementation. It works by interfering with how stacks reassemble IP packet fragments. The trick here is that as IP packets are sometimes broken up into smaller chunks, each fragment still has the original IP packet's header as well as a field that tells the TCP/IP stack what bytes it contains. When it works right, this information is used to put the packet back together again.

What happens with Teardrop, though, is that your stack is buried with IP fragments that have overlapping fields. When your stack tries to reassemble them, it can't do it, and if it doesn't know to toss these trash packet fragments out, it can quickly fail. Most systems know how to deal with Teardrop now, and a firewall can block Teardrop packets at the expense of a bit more latency on network connections, since this makes it disregard all broken packets. Of course, if you throw a ton of Teardrop busted packets at a system, it can still crash.

Page 2: Original SYN

This article was originally published on Jan 9, 2004
Get the Latest Scoop with Networking Update Newsletter