DDoS Do's and Don'ts

The recent spate of Distributed Denial of Service attacks on such major Web players as Amazon, CNN Interactive, eBay, and others has raised consciousness of network security. While the attacks ravaged the giants of e-business over the last week, they have also brought about an equal amount of awareness that could reduce vulnerability to such attacks in the future.

Distributed Denial of Service (DDoS) attacks carry standard Denial of Service (DoS) attacks a step further. DoS attacks involve massive bandwidth consumption that prevents normal network traffic from being carried to and from the targeted machines. The attacker will send repeated requests, or pings, to the target machine with a spoofed IP address as the source. Often the spoofed address will appear to be one from inside the target machine's network. The flood of network requests shuts down normal network traffic. If the attack does not shut down the network, often the ISP will shut down the network to all traffic in order to weed out the attackers.

DDoS attacks involve the same sort of bandwidth flooding, but with requests coming from, or appearing to come from, several sources rather than a single source. Additionally, in a DDoS attack, the various sources of requests can be remotely managed rather than directly managed by a user. Because the attacks come from many sources, the network routers are slow to detect a DoS attack and deflect the requests. The result is a downed network.
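The two patterns described above, a spoofed source address that claims to be inside the target's own network and a packet flood that arrives either from one source or from many, are both visible in border flow records. The following is an added example, not part of the original article: a small Python triage script over a handful of constructed flow records that (1) flags packets arriving on the border interface with an internal source address, which a legitimate internal host can never produce and which border ingress filtering should drop, and (2) aggregates packets per destination in fixed time windows and labels anything over a threshold as single-source or distributed by counting distinct sources. The interface name `ext0`, the protected prefix `192.0.2.0/24`, the thresholds and the flow records themselves are all assumptions made for the example.

```python
"""Flow-record triage for spoofed sources and packet floods (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from math import floor

INTERNAL_NETS = [ip_network("192.0.2.0/24")]  # assumed protected network
EXTERNAL_IFACE = "ext0"                        # assumed border-facing interface

# Constructed sample flow records: (time_s, ingress_iface, src_ip, dst_ip, packets)
SAMPLE_FLOWS = [
    (0.0, "ext0", "198.51.100.7",  "192.0.2.10", 5),     # ordinary external client
    (0.2, "ext0", "192.0.2.55",    "192.0.2.10", 400),   # "internal" source seen at the border: spoofed
    (0.3, "ext0", "203.0.113.77",  "192.0.2.40", 1500),  # one external host flooding a target
    (0.4, "ext0", "203.0.113.1",   "192.0.2.20", 300),   # four hosts flooding the same target
    (0.5, "ext0", "203.0.113.2",   "192.0.2.20", 300),
    (0.6, "ext0", "203.0.113.3",   "192.0.2.20", 300),
    (0.7, "ext0", "203.0.113.4",   "192.0.2.20", 300),
    (0.9, "int0", "192.0.2.12",    "192.0.2.10", 3),     # genuine internal traffic on the inside interface
    (1.1, "ext0", "198.51.100.9",  "192.0.2.30", 2),
]


def spoofed_internal_sources(flows, internal_nets=INTERNAL_NETS,
                             external_iface=EXTERNAL_IFACE):
    """Return flows that entered on the border interface while claiming an
    internal source address. No real internal host enters from outside, so
    these are spoofed; an ingress filter at the border would drop them."""
    flagged = []
    for rec in flows:
        _t, iface, src, _dst, _pkts = rec
        if iface != external_iface:
            continue  # traffic on inside interfaces is allowed to carry internal sources
        src_addr = ip_address(src)
        if any(src_addr in net for net in internal_nets):
            flagged.append(rec)
    return flagged


def flood_alerts(flows, window_s=5.0, pkt_threshold=1000, distributed_min_sources=3):
    """Sum packets per destination in fixed windows and alert above pkt_threshold.
    An alert is 'distributed' when at least distributed_min_sources distinct
    source addresses contributed (the DDoS pattern), else 'single-source'."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for t, _iface, src, dst, pkts in flows:
        key = (floor(t / window_s) * window_s, dst)  # (window start, destination)
        packets[key] += pkts
        sources[key].add(src)

    alerts = []
    for (window_start, dst), total in sorted(packets.items()):
        if total < pkt_threshold:
            continue
        n_src = len(sources[(window_start, dst)])
        alerts.append({
            "window_start": window_start,
            "dst": dst,
            "packets": total,
            "sources": n_src,
            "kind": "distributed" if n_src >= distributed_min_sources else "single-source",
        })
    return alerts


if __name__ == "__main__":
    for rec in spoofed_internal_sources(SAMPLE_FLOWS):
        print("spoofed internal source at border:", rec)
    for alert in flood_alerts(SAMPLE_FLOWS):
        print("flood:", alert)
```

Note that the spoofed flow toward 192.0.2.10 is caught by the address check even though that destination never crosses the packet threshold; the two checks are deliberately independent, since a flood can use unspoofed sources and a spoofed packet can arrive at a trickle.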

The recent attacks have led to the discovery of new hacking software. Trin00 and TFN are already well-known DDoS systems designed to implement an attack. The recent discovery of the TFN2K and Stacheldraht systems helps to explain, if not resolve, the rash of attacks. Both of the new hacker tools are based on the TFN and Trin00 attacks. Both systems use remote client management to send out packets from several machines simultaneously to the targets.

Despite the tools' capacity for remote client management, Russ Cooper, owner and administrator of the NT BugTraq mailing list and Web site, is not convinced the attacks originated from remote clients. In a statement on the NT BugTraq Web site, Cooper says that because the attacks occurred in "prime time," and the request packets appeared to be sent at intervals too far apart to have come from an automated remote system, the attacks originated from machines that were actively manned by hackers.

No one had taken credit for the high-profile attacks as of today.

What can Windows NT/2000 and IIS users do to combat these attacks? Analyst Dennis Szerszen of the Hurwitz Group says that while these types of attacks are more Unix-oriented than Windows-oriented because of their network nature, they are generally OS-neutral, striking machines that are on the targeted networks regardless of operating system. Carnegie Mellon University's CERT recommends a tool developed to detect Trin00 and TFN on some systems, distributed by the FBI, and a Perl script called "gag" which can detect Stacheldraht agents running on the local network. -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
