This whole deal was so interesting to me, and there was so much misinformation out about what went on, and so little correct information about what really happened, that I put this together.
This is in reference to the distributed denial-of-service attacks that affected a number of major mass-market web sites in February, 2000, and which caused (quite rightly, if only it had been done with more accuracy!) quite a stir...
(NOTE: I will use the correct term, correctly. These guys are not *hackers* but rather *crackers* -- this is one fact the mass media has really gotten wrong! See: How To Become A Hacker)
Since the initial command to the masters is sent from a stolen or a one-time logon, and since the commands from the masters to the slaves are transactions between machines that aren't even known to be compromised, the perpetrator(s) are at least two steps removed from the machines (the slaves) that perform the actual attack, and the real owners of the slave machines don't even know they're being used!
The actual ammunition, as it were, is generally a UDP flood.
UDP stands for User Datagram Protocol; this is one of the fundamental communications protocols that make the Internet run; for example, DNS, or the Domain Name System, uses UDP. DNS is the name server system that maps domain names (www.finchhaven.com) to IP addresses (216.32.192.136).
It's not something that can be ignored...
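To make the "many slaves, one target" point concrete, here is an added example (mine, not code from this page or from Dittrich's analysis) that scores UDP packets per destination over one-second windows and tells a single-source UDP flood from a distributed one. The flow records are constructed for the example, not real traffic, and the thresholds (200 packets per window, 50 distinct sources, a 50% top-source share) are assumptions to be tuned per site. The blocklist_coverage function shows why blocking the busiest source works against the first kind of flood and does almost nothing against the second.

```python
from collections import Counter, defaultdict

# Constructed flow records for the example, one per packet:
# (timestamp_seconds, src_ip, dst_ip, proto, dst_port, bytes). Not real traffic.
SAMPLE_RECORDS = []
# Ordinary DNS lookups against a resolver.
for i in range(5):
    SAMPLE_RECORDS.append((100.0 + i * 0.2, "10.0.0.%d" % (i + 2), "10.0.0.53", "udp", 53, 80))
# A classic single-source UDP flood: 400 packets in one second from one host.
for i in range(400):
    SAMPLE_RECORDS.append((200.0 + i / 400, "198.51.100.7", "192.0.2.10", "udp", 1024 + i % 100, 1400))
# A distributed flood: the same 400 packets per second, spread over 200 "slaves".
for i in range(400):
    SAMPLE_RECORDS.append((300.0 + i / 400, "203.0.113.%d" % (i % 200 + 1), "192.0.2.20", "udp", 1024 + i, 1400))


def udp_windows(records, window_seconds=1.0):
    """Group UDP packets by (dst_ip, window) and count how many each source sent."""
    buckets = defaultdict(Counter)
    for ts, src, dst, proto, _dport, _nbytes in records:
        if proto != "udp":
            continue
        buckets[(dst, int(ts // window_seconds))][src] += 1
    return buckets


def classify_bucket(src_counts, pps_threshold=200, min_sources=50, top_share=0.5):
    """Verdict for one (dst, window) bucket. Thresholds are assumptions; tune per site."""
    total = sum(src_counts.values())
    if total < pps_threshold:
        return "normal"
    _top_src, top_n = src_counts.most_common(1)[0]
    if len(src_counts) >= min_sources and top_n / total < top_share:
        return "distributed"
    return "single-source"


def detect(records, window_seconds=1.0, **thresholds):
    """Worst verdict seen per destination across all windows."""
    severity = {"normal": 0, "single-source": 1, "distributed": 2}
    verdicts = {}
    for (dst, _win), src_counts in udp_windows(records, window_seconds).items():
        verdict = classify_bucket(src_counts, **thresholds)
        if severity[verdict] > severity.get(verdicts.get(dst), -1):
            verdicts[dst] = verdict
    return verdicts


def blocklist_coverage(src_counts, n_sources):
    """Fraction of a bucket's packets removed by blocking its n busiest sources.
    This is the number that shows why per-source blocking fails against a distributed flood."""
    total = sum(src_counts.values())
    blocked = sum(count for _src, count in src_counts.most_common(n_sources))
    return blocked / total


if __name__ == "__main__":
    buckets = udp_windows(SAMPLE_RECORDS)
    for dst, verdict in sorted(detect(SAMPLE_RECORDS).items()):
        print(dst, verdict)
    print("single-source flood, block top 1 source:", blocklist_coverage(buckets[("192.0.2.10", 200)], 1))
    print("distributed flood, block top 1 source:", blocklist_coverage(buckets[("192.0.2.20", 300)], 1))
```

Blocking the one busiest source removes 100% of the single-source flood and 0.5% of the distributed one; you would need all 200 slave addresses to get the same effect, and the list changes as soon as the attacker rotates slaves.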
A very comprehensive, but technical, discussion comes from Dave Dittrich at the University of Washington's Computing & Communications Client Services group.
And a superlative interview (although very technical...) with Dave Dittrich at /. (Slashdot).
Another very good discussion of this incident was made in "CRYPTO-GRAM, February 15, 2000", a "free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography" that I subscribe to, from http://www.counterpane.com
(Re-posted by permission given in the newsletter, although Bruce Schneier *does* ask that the entire newsletter be posted, which I'm *not* doing... ;-)
Distributed Denial-of-Service Attacks

Suddenly, distributed denial-of-service (DDS) attacks are big news. The first automatic tools for these attacks were released last year, and CERT sent out an advisory in November. But the spate of high-profile attacks in mid-February has put them on the front pages of newspapers everywhere.

Not much is new. Denial-of-service attacks have been going on for years. The recent attacks are the same, only this time there is no single source of the attack. We've seen these for years, too.

The attacker first breaks into hundreds or thousands of random insecure computers (called "zombies") on the Internet and installs an attack program. Then he coordinates them all to attack the target at the same time. The target is attacked from many places at once; his traditional defenses just don't work, and he falls over dead.

It's very much like the pizza delivery attack: Alice doesn't like Bob, so she calls a hundred pizza delivery parlors and, from each one, has a pizza delivered to Bob's house at 11:00 PM. At 11, Bob's front porch is filled with 100 pizza deliverers, all demanding their money. It looks to Bob like the pizza Mafia is out to get him, but the pizza parlors are victims too. The real attacker is nowhere to be seen.

This sounds like a complicated attack on the Internet, and it is. But unfortunately, it only takes one talented programmer with a poor sense of ethics to automate and distribute the attacks. Once a DDS tool is publicly available, an attacker doesn't need skill; he can use a simple point-and-click interface to infect the intermediate sites, as well as to coordinate and launch the attack. This is what's new: easy-to-use DDS tools like Trin00 and Tribal Flood Network.

These attacks are incredibly difficult, if not impossible, to defend against. In a traditional denial-of-service attack, the victim computer might be able to figure out where the attack is coming from and shut down those connections. But in a distributed attack, there is no single source. The computer should shut down all connections except for the ones it knows to be trusted, but that doesn't work for a public Internet site.

Other defenses also have problems. I've seen proposals that force the client to perform an expensive calculation to make a connection. (RSA pre-announced such a "solution.") This works against standard denial-of-service attacks, but not against a distributed one. Large-scale filtering at the ISPs can help, but that requires a lot of effort and will reduce network bandwidth noticeably.

At least one report has suggested that a lack of authentication on the Internet is to blame. This makes no sense. The packets did harm just by the attempt to deliver them; whether or not they were authenticatable is completely irrelevant. Mandatory authentication would do nothing to prevent these attacks, or to track down the attackers.

There have been two academic conferences on DDS attacks in recent weeks, and the general consensus is that there is no way to defend against these attacks. Sometimes the particular bugs exploited in the DDS attacks can be patched, but there are many that cannot. The Internet was not designed to withstand DDS attacks.

Tracing the attacker is also incredibly difficult. Going back to the pizza delivery example, the only thing the victim could do is to ask the pizza parlors to help him catch the attacker. If all the parlors coordinated their phone logs, maybe they could figure out who ordered all the pizzas in the first place. Something similar is possible on the Internet, but it is unlikely that the intermediate sites kept good logs. Additionally, it is easy to disguise your location on the Internet. And if the attacker is in some Eastern European country with minimal computer crime laws, a bribable police, and no extradition treaties, there's nothing you can do anyway.

So far, these attacks are strictly denial-of-service. They do not affect the data on the Web sites. These attacks cannot steal credit card numbers or proprietary information. They cannot transfer money out of your bank account to trade stocks in your name. Attackers cannot gain financially from these attacks. Still, they are very serious. And it is certainly possible that an attacker can use denial of service as a tool for a more complicated attack that IS designed to steal something.

This is not to say that denial-of-service attacks are not real, or not important. For most big corporations, the biggest risk of a security breach is loss of income or loss of reputation, either of which is achieved by a conspicuous denial-of-service attack. And for companies with more mission- or life-critical data online, a DOS attack can literally put a person's life at risk.

The real problem is that there are hundreds of thousands, possibly millions, of innocent naive computer users who are vulnerable to attack. They're using DSL or cable modems, they're always on the Internet with static IP addresses, and they can be taken over and used as launching pads for these (and other) attacks. The media is focusing on the mega e-corporations that are under attack, but the real story is the individual systems.

Similarly, the real solutions are of the "civic hygiene" variety. Just as malaria was defeated in Washington, DC, by draining all the swamps, the only real way to prevent these attacks is to protect those millions of individual computers on the Internet. Unfortunately, we are building swampland at an incredible rate, and securing everything is impracticable. Even if personal firewalls had a 95% market penetration, and even if they were all installed and operated perfectly, there would still be enough insecure computers on the Internet to use for these attacks. I believe that any long-term solution will involve redesigning the entire Internet.

Back in the 1960s, some people figured out that you could whistle, click, belch, or whatever into a telephone and make the system do things. This was the era of phone phreaking: black boxes, blue boxes, Captain Crunch whistles. The phone company did their best to defend against these attacks, but the basic problem was that the phone system was built with "in-band signaling": the control signal and the data signal traveled along the same wires. In the 1980s, the phone company completely redesigned the phone system. For example, SS7, or Signaling System 7, was out-of-band. The voice path and data path were separated. Now it doesn't matter how hard you whistle into the phone system: the switch isn't listening. The attacks simply don't work. (Red boxes still work, against payphones, by mimicking the in-band tones that count the coins deposited in the phones.)

In the long term, out-of-band signaling is the only way to deal with many of the vulnerabilities of the Internet, DDS attacks among them. Unfortunately, there are no plans to redesign the Internet in this way, and any such undertaking might be just too complicated to even consider.
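Schneier's remark above about forcing the client to perform an expensive calculation before it gets a connection refers to what are usually called client puzzles. As an added example (mine, not part of the newsletter or of this page's original text), here is a hash-based puzzle in Python: the server hands out a random nonce and a difficulty, the client must find a counter such that SHA-256 over "nonce:counter" has at least that many leading zero bits, and the server checks the answer with a single hash. The puzzle format, the difficulty values and the simulate_zombies function are assumptions made for the example; the simulation shows why the scheme rate-limits one attacker's CPU but not a distributed one, since every slave pays the expected 2^difficulty hashes on its own CPU and the server still admits one connection per slave.

```python
import hashlib
import random
import secrets


def leading_zero_bits(digest):
    """Count the leading zero bits of a byte string."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
        else:
            n += 8 - byte.bit_length()
            break
    return n


def issue_puzzle(difficulty_bits, rng=None):
    """Server side: a fresh 128-bit nonce plus the required number of leading zero bits.
    rng is only parameterised so the simulation below can be made repeatable."""
    bits = rng.getrandbits(128) if rng is not None else secrets.randbits(128)
    return "%032x" % bits, difficulty_bits


def _puzzle_hash(nonce, counter):
    # Assumed puzzle format: SHA-256 over "nonce:counter".
    return hashlib.sha256(("%s:%d" % (nonce, counter)).encode("ascii")).digest()


def solve_puzzle(nonce, difficulty_bits, max_iterations=1 << 24):
    """Client side: brute-force counters until the hash has enough leading zero bits.
    Expected cost is about 2**difficulty_bits hashes. Returns (counter, hashes_tried)."""
    for counter in range(max_iterations):
        if leading_zero_bits(_puzzle_hash(nonce, counter)) >= difficulty_bits:
            return counter, counter + 1
    raise RuntimeError("no solution within the iteration budget")


def verify_solution(nonce, difficulty_bits, counter):
    """Server side: one hash to check, however much work the client did."""
    if not isinstance(counter, int) or counter < 0:
        return False
    return leading_zero_bits(_puzzle_hash(nonce, counter)) >= difficulty_bits


def simulate_zombies(n_hosts, difficulty_bits, seed=0):
    """Every zombie solves its own puzzle and the server admits one connection each.
    Returns (connections_admitted, total_hashes_spent_by_the_attacker)."""
    rng = random.Random(seed)
    admitted = 0
    total_hashes = 0
    for _ in range(n_hosts):
        nonce, difficulty = issue_puzzle(difficulty_bits, rng)
        counter, tried = solve_puzzle(nonce, difficulty)
        total_hashes += tried
        if verify_solution(nonce, difficulty, counter):
            admitted += 1
    return admitted, total_hashes


if __name__ == "__main__":
    nonce, difficulty = issue_puzzle(16)
    counter, tried = solve_puzzle(nonce, difficulty)
    print("one client: %d hashes for one connection, verified=%s"
          % (tried, verify_solution(nonce, difficulty, counter)))
    admitted, total = simulate_zombies(50, 12)
    print("50 zombies at 12 bits: %d connections admitted, %d hashes spent in total"
          % (admitted, total))
```

The work is real for the client and nearly free for the server, which is what stops a single attacker from opening connections faster than its own CPU can solve puzzles. It does nothing to the count of attacking hosts, and the slaves' CPU time is stolen anyway, so the defense fails exactly where Schneier says it does.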
Apparently the real solution is 100% secure systems -- that any computer with a permanent connection to the Internet be 100% secured from the initial compromise by the cracker.
OK! So that's not going to happen!
So what is needed is at least a greatly heightened awareness of system security from sysadmins who manage Internet connected computer systems.
And yet this will only help, and only somewhat...
Bruce Schneier apparently thinks a re-design of the Internet itself may be needed!
Certainly what is *not* needed is greater Federal power to do wire-taps and other forms of digital/electronic surveillance!
The Transport Control Pixies and the Internet Pixies system the Internet currently uses can be abused, as the recent DoS attacks illustrate, especially with the fat pipes to which many people now have access. These pipes allow many malicious Pixies to be sent to a target, completely overwhelming the target's ability to process them. The large numbers of Pixies that can traverse these fat pipes is the main problem as I see it.

A good short-term solution would be the replacement of the fat pipes with bundles of thin pipes. At the target's end, each thin pipe would have a small tap - when a DoS attack is detected, simply open the taps in turn to allow the unwanted Pixies to drain out into a bucket. Alternatively, a manned barrier could be set up at the end of each thin pipe, and any swarthy looking, suspiciously odious, black hatted, or otherwise dubious Pixies can be turned away. This doesn't aid tracing the source, but will allow the force of the attack to be diminished such that the target can remain relatively unscathed.

Tracing an attack to the immediate source can easily be accomplished by having a little valve in the thin pipe that when turned will shut off the Pixie flow. Subsequent Pixies entering the pipe will cause it to bulge gradually as the backlog builds up. By repeating this procedure back from each machine the source will eventually be found. To save having to walk all that way, the valves could have long pieces of string attached to them so they can be turned on and off remotely.

Finding the perpetrator of the DoS is more problematic. These days, the normal breadcrumb back trail can be easily garbled by the less than savoury element on the internet. The new Internet Pixie v6 implements the Taut String from End to End system to tie the source to destination - any severing of the string to re-route it can be instantly detected by loss of tension. However, this does us no good currently.

It only takes a single Pixie to start a DoS attack, and finding it may not always be possible. An amateur will often leave the initial Pixie unharmed. If a suspicious one is found, seize it immediately (being sure to keep its hands away from any magic pouches/flowers/musical instruments that it may have on its person). A poorly cast Mind Erasure spell can easily be undone by any one of a number of Re_Mind perl scripts. A properly cast Mind Erasure can be tricky to undo and will require a special Module be used - if you're not at ease with compiling programs, pop the Pixie in a Jiffy Bag and post it to hemos@slashdot.org (you may need to flatten the packet a little to get it into the floppy disk orifice) - hemos will de-spell it and send the results back by return.

A professional won't allow such evidence to remain - a common method is the Pixie On A Bungee technique. The perpetrator fires said Pixie into the attack machine with a long rubber band attached. With skill, the Pixie shoots in, pushes the Start lever and gets yanked back out at very high speed. A telltale clue of this is often fingernail scratches - sometimes a misjudgement as to bungee length can leave fingers embedded in the lever handle. Unfortunately, unless the Pixie drops his ID card, the chances of tracking back further are very small, and really best left to the authorities.

Wingnut
Any and all e-mail addresses associated with this domain in any way are located in the State of Washington, and as such may not, by law, be harvested for spam.
This page preened using GNU Emacs 20.5.1