The Initial Intrusions (Phase 1)

• Initial root compromise points of origin
  • "No charge" ISPs
    • Single PPP account "guest", password "password"
    • No AUP, no user records, no Caller-ID, no trap/trace
  • Compromised systems in Korea, Germany, Sweden, Jamaica, UK, etc.
  • Compromised name servers, web servers, home systems, software development companies, "day trading" companies, e-commerce sites, ISPs, NASA, .mil sites... you name it
  • Using wingate and telnet gateways to bounce off foreign sites
  • Stolen dialup accounts
• 24x7 scanning, sifting into sets of single architecture/service/vulnerability combination
• Attacks then come in waves, hitting many systems in a very short time period:exploit, install backdoor, install tools, lather, rinse, repeat
• Anatomy of setting up a DDoS network
• Often using "Root Kits" to conceal programs/files/connections

The Distributed DoS Attacks (Phase 2)

• Victim network(s) become unresponsive, routers fail, normal diagnostic tools useless
  • Identification of all agents difficult
  • Most sites not prepared to analyze packets (e.g. w/tcpdump)
  • May look like hardware failure on the network backbone
  • Must coordinate with upstream providers immediately (upstream networks may/may not be saturated also)
  • Upstream providers in better position to gather forensic evidence (but may also be under pressure to restore service first)
• Attack may/may not be noticed on agent networks (e.g., single subnet saturated, but backbone "normal")
• Only takes several hundred systems (especially if Internet 2 sites) to knock a large network off the Internet
• Multiple attacking systems at multiple sites means a long time to neutralize network and fully stop attack (especially on weekends and where international language bariers exist)
• Third party effects felt elsewhere (e.g., TCP SYN|ACK and RST|ACK packets to spoofed networks)

[Next] | [Prev] | [Top]