DDoS Do's and Don'ts

The recent spate of Distributed Denial of Service attacks on such major Web players as Amazon, CNN Interactive, Buy.com, eBay, and others has raised consciousness of network security. While the attacks ravaged the giants of e-business over the last week, they have also brought about an equal amount of awareness that could reduce vulnerability to such attacks in the future.

Distributed Denial of Service (DDoS) attacks carry standard Denial of Service (DoS) attacks a step further. DoS attacks involve massive bandwidth consumption that prevents normal network traffic from being carried to and from the targeted machines. The attacker will send repeated requests, or pings, to the target machine with a spoofed IP address as the source. Often the spoofed address will appear to be one from inside the target machine's network. The flood of network requests shuts down normal network traffic. If the attack does not shut down the network, often the ISP will shut down the network to all traffic in order to weed out the attackers.

DDoS attacks involve the same sort of bandwidth flooding, but with requests coming from, or appearing to come from, several sources rather than a single source. Additionally, in a DDoS attack, the various sources of requests can be remotely managed rather than directly managed by a user. Because the attacks come from many sources, the network routers are slow to detect a DoS attack and deflect the requests. The result is a downed network.
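As an added illustration (not code from the article), the following Python script applies the two observations above to a constructed packet capture from a network's external interface: it flags packets whose source address claims to be inside the defended network (the spoofing the article describes, which an ingress filter rejects) and, for any destination receiving a flood, distinguishes a single-source DoS from a many-source DDoS. The address ranges, thresholds and the `analyze` function are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of (seconds, src_ip, dst_ip) records captured on the
# network's external interface; addresses are RFC 5737 documentation ranges.
SAMPLE = (
    [(i * 0.01, "203.0.113.7", "192.0.2.10") for i in range(60)]          # one outside flooder
    + [(0.2 + i * 0.01, "192.0.2.55", "192.0.2.10") for i in range(40)]   # outside packet claiming an inside source
    + [(i * 0.01, f"198.51.100.{10 + i % 25}", "192.0.2.20") for i in range(100)]  # 25 distinct sources
    + [(1.0, "198.51.100.99", "192.0.2.30")]                               # ordinary single request
)

def analyze(records, internal_net, window=1.0, flood_pps=50, many_sources=10):
    """Classify traffic per destination (thresholds are illustrative assumptions).

    spoofed: packets arriving from outside whose source lies inside internal_net
             (the check an ingress filter makes; such packets cannot be genuine).
    verdict: 'normal' at or below flood_pps packets/second; above it, 'ddos' when
             at least many_sources distinct sources took part, otherwise 'dos'.
    """
    net = ipaddress.ip_network(internal_net)
    by_dst = {}
    for ts, src, dst in records:
        d = by_dst.setdefault(dst, {"n": 0, "spoofed": 0, "srcs": Counter(),
                                    "first": ts, "last": ts})
        d["n"] += 1
        d["srcs"][src] += 1
        d["first"] = min(d["first"], ts)
        d["last"] = max(d["last"], ts)
        if ipaddress.ip_address(src) in net:
            d["spoofed"] += 1
    findings = {}
    for dst, d in by_dst.items():
        pps = d["n"] / max(d["last"] - d["first"], window)  # never divide by a tiny span
        if pps <= flood_pps:
            verdict = "normal"
        elif len(d["srcs"]) >= many_sources:
            verdict = "ddos"
        else:
            verdict = "dos"
        findings[dst] = {"verdict": verdict, "pps": round(pps, 1),
                         "sources": len(d["srcs"]), "spoofed": d["spoofed"]}
    return findings

if __name__ == "__main__":
    for dst, f in analyze(SAMPLE, "192.0.2.0/24").items():
        print(dst, f)
```

Run against the sample, 192.0.2.10 is classed as a single-source DoS with 40 spoofed packets, 192.0.2.20 as a DDoS from 25 sources, and 192.0.2.30 as normal.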

The recent attacks have led to the discovery of new hacking software. Trin00 and TFN are already well-known DDoS systems designed to implement an attack. The recent discovery of the TFN2K and Stacheldraht systems helps to explain, if not resolve, the rash of attacks. Both of the new hacker tools are based on the TFN and Trin00 attacks. Both systems use remote client management to send out packets from several machines simultaneously to the targets.

Despite the tools' capacity for remote client management, Russ Cooper, owner and administrator of the NT BugTraq (www.ntbugtraq.com) mailing list and Web site, is not convinced the attacks originated from remote clients. In a statement on the NT BugTraq Web site, Cooper argues that because the attacks occurred in "prime time," and the request packets appeared to be sent at intervals too widely spaced for an automated remote system, the attacks originated from machines that were actively manned by hackers.

No one had taken credit for the high-profile attacks as of today.

What can Windows NT/2000 and IIS users do to combat these attacks? Analyst Dennis Szerszen of the Hurwitz Group (www.hurwitz.com) says that while these types of attacks are more Unix-oriented than Windows-oriented because of their network nature, they are generally OS-neutral, striking machines that are on the targeted networks regardless of operating system. Carnegie Mellon University's CERT (www.cert.org) recommends a tool developed to detect Trin00 and TFN on some systems, distributed by the FBI, and a Perl script called "gag" which can detect Stacheldraht agents running on the local network. -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
