The Initial Intrusions (Phase 1)
- Initial root compromise points of origin
- "No charge" ISPs
- Single PPP account "guest", password "password"
- No AUP, no user records, no Caller-ID, no trap/trace
- Compromised systems in Korea, Germany, Sweden, Jamaica, UK, etc.
- Compromised name servers, web servers, home systems,
software development companies, "day trading" companies,
e-commerce sites, ISPs, NASA, .mil sites... you name it
- Using wingate and telnet gateways to bounce off
foreign sites
- Stolen dialup accounts
- 24x7 scanning, sifting results into sets
of single architecture/service/vulnerability combinations
- Attacks then come in waves, hitting many
systems in a very short time period: exploit,
install backdoor, install tools, lather, rinse, repeat
- Anatomy of setting up a DDoS network
- Often using "Root Kits" to conceal programs/files/connections
The Distributed DoS Attacks (Phase 2)
- Victim network(s) become unresponsive, routers fail,
normal diagnostic tools useless
- Identification of all agents difficult
- Most sites not prepared to analyze packets (e.g. w/tcpdump)
- May look like hardware failure on the network backbone
- Must coordinate with upstream providers immediately
(upstream networks may/may not be saturated also)
- Upstream providers in better position to gather forensic
evidence (but may also be under pressure to restore service
first)
- Attack may/may not be noticed on agent networks (e.g., single
subnet saturated, but backbone "normal")
- Only takes several hundred systems (especially if Internet2
sites) to knock a large network off the Internet
- Multiple attacking systems at multiple sites means a long
time to neutralize network and fully stop attack
(especially on weekends and where international language
barriers exist)
- Third party effects felt elsewhere (e.g., TCP
SYN|ACK and RST|ACK packets to spoofed networks)
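The third-party effect in the last bullet is detectable on the affected network: a host that receives SYN|ACK or RST|ACK packets for connections it never opened is seeing backscatter from a flood that spoofs its addresses, and the source of those packets is the flood victim. The following is an added example (not from these slides) that runs that check over a constructed tcpdump-style capture; the line format, the local prefix and all addresses are assumptions.

```python
import re
from collections import Counter

# tcpdump-style line format assumed here (constructed for this example):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
# Flags: "S" = SYN, "S." = SYN|ACK, "R." = RST|ACK, "." = ACK only.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(line):
    """Return (src, sport, dst, dport, flags), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def find_backscatter(lines, local_prefix):
    """Count unsolicited SYN|ACK / RST|ACK packets aimed at local_prefix, keyed by
    the host that sent them: a reply is solicited only if the same 4-tuple appeared
    earlier as an outbound SYN from our side; anything else is backscatter (or a scan)."""
    outbound_syns = set()   # (local_ip, local_port, remote_ip, remote_port)
    backscatter = Counter()
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if src.startswith(local_prefix) and flags == "S":
            outbound_syns.add((src, sport, dst, dport))
        elif dst.startswith(local_prefix) and flags in ("S.", "R."):
            if (dst, dport, src, sport) not in outbound_syns:
                backscatter[src] += 1
    return backscatter

# Constructed capture: one real handshake with 198.51.100.5 and three replies
# from 203.0.113.7 to local addresses that never sent a SYN (spoofed by a flood).
SAMPLE_LOG = """\
12:00:00.000001 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000200 IP 198.51.100.5.80 > 192.0.2.10.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:00.000300 IP 203.0.113.7.80 > 192.0.2.55.1025: Flags [S.], seq 200, ack 1, win 5840, length 0
12:00:00.000400 IP 203.0.113.7.80 > 192.0.2.56.1026: Flags [S.], seq 201, ack 1, win 5840, length 0
12:00:00.000500 IP 203.0.113.7.22 > 192.0.2.57.1027: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:00.000600 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [.], ack 101, win 65535, length 0
"""
if __name__ == "__main__":
    for victim, n in find_backscatter(SAMPLE_LOG.splitlines(), "192.0.2.").items():
        print(f"{victim}: {n} unsolicited SYN|ACK/RST|ACK packets (likely flood victim)")
```

A handful of hits may be a late retransmission or a port scanner's RSTs; a real flood shows thousands from one source spread across many local addresses, and that source is the party to contact along with the upstream providers.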
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Sat Jul 22 02:43:12 PDT 2000