Univ. Researcher Traces Response to DDOS Attacks

DENVER (08/18/2000) - In August 1999, University of Washington researcher David Dittrich discovered that machines on the university's network had been invaded by a new type of attack program that harnessed thousands of compromised computers to launch denial-of-service attacks against targeted systems.

In February, these distributed denial-of-service (DDOS) attack tools were used to disrupt service at large e-commerce sites. Later attacks compromised name servers, Web servers, e-commerce sites, day trading companies, NASA, military systems, ISPs and home systems around the world.

Earlier this month, the South Korean government announced that 200 small corporations, 30 educational organizations and 20 government systems were paralyzed by DDOS attacks.

During the 9th Annual Usenix Security Symposium in Denver this week, Dittrich discussed the history of DDOS attacks, why computer systems were vulnerable, and how to prevent a new wave of security breaches. He noted that security researchers and the federally funded Computer Emergency Response Team (CERT) had released an advisory about the existence of DDOS tools months before they were used to attack e-commerce sites.

Dittrich made the critical discovery that the DDOS attacks were the work of organized groups that used known security holes to infect machines with agent programs. The DDOS agent programs give intruders the ability to remotely control the compromised machines and use them to bombard targeted sites with data packets.

According to Dittrich, the DDOS attack tools were developed by people who initially sought to take over channels on Internet Relay Chat. "They did it to see if they could do it and because it was easy enough that they could," said Dittrich.

Dittrich said he traced the initial DDOS agents to a small ISP in Texas that provided the connection to a master machine that was controlling the agents. He noted that most ISPs are unwilling to investigate DDOS intrusions and are eager to quickly reestablish intruders' accounts.

Simply cutting off accounts doesn't halt attacks anyway, he said. "If they are just shutting the account down, that is a losing battle because if they break in and install a sniffer and compromise passwords, they will have hundreds of accounts and [the ISP] won't be able to keep up," said Dittrich.

According to Dittrich, poorly trained network administrators and the lack of firewalls and intrusion detection systems still make it difficult to find the source and strategy of DDOS attacks. "Poor system network forensic tools and skills mean that we have no idea who did what, when, where and how," said Dittrich.

Ian Poynter, president of Jerboa Inc., a Cambridge, Mass., security consulting firm, said he appreciates Dittrich's insights and would like to see Dittrich spread this information from Usenix's audience of researchers and developers to CIOs and CEOs who can take steps to defend their networks. "I'm not sure they want to listen, but they need to listen," said Poynter. "[DDOS attacks] can only be fixed by a coordinated effort, and we all have a role to play."

Dittrich recommends that victim sites contact their upstream providers and backbone providers and have them locate the part of the upstream network where the packet flow is low enough to capture and analyze the packets that may lead to the source of the attack.
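The analysis step of that recommendation, as an added example that is not part of the article or of Dittrich's own work: once the upstream provider has captured traffic at a point where the flow is manageable, the first question is which ingress interface is carrying the traffic aimed at the victim, since that is the link to follow next. The flow records, interface names and addresses below are constructed for illustration (the addresses come from the documentation ranges), and the list of unroutable source blocks is this example's own heuristic: a packet whose source address is in a private range was forged on the sending machine, so that address cannot lead to the source and only the interface it arrived on is useful.

```python
"""Added example (not from the article): rank the ingress points of an
upstream network by how much traffic they carry toward a victim host.

All data below is constructed for illustration. Interface names, addresses
and packet counts are assumptions, not measurements from any real incident.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed flow records in the shape an upstream provider might export
# from its routers: (ingress_interface, source_ip, destination_ip, packets).
SAMPLE_FLOWS = [
    ("peer-a", "203.0.113.5", "198.51.100.10", 120),
    ("peer-a", "10.0.0.7",    "198.51.100.10", 900),   # RFC 1918 source: forged
    ("peer-b", "192.0.2.44",  "198.51.100.10", 15),
    ("peer-b", "192.0.2.44",  "198.51.100.20", 40),    # unrelated host, ignored
    ("peer-c", "172.16.4.4",  "198.51.100.10", 2500),  # RFC 1918 source: forged
    ("peer-c", "203.0.113.9", "198.51.100.10", 30),
]

VICTIM = "198.51.100.10"   # assumed victim address (documentation range)

# Address blocks that should never appear as a source on a transit link;
# a packet carrying one of them was forged on the sending host.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def packets_toward(flows, victim):
    """Total packets per ingress interface destined to the victim, largest first."""
    totals = Counter()
    for iface, _src, dst, pkts in flows:
        if dst == victim:
            totals[iface] += pkts
    return dict(totals.most_common())


def is_bogon(src):
    """True when the source address cannot belong to a real Internet host."""
    addr = ip_address(src)
    return any(addr in net for net in BOGON_NETS)


def forged_sources(flows, victim):
    """Packets toward the victim whose source address is unroutable, keyed by
    (ingress_interface, source_ip). These sources are useless for tracing;
    only the interface they arrived on tells you where to look next."""
    forged = Counter()
    for iface, src, dst, pkts in flows:
        if dst == victim and is_bogon(src):
            forged[(iface, src)] += pkts
    return dict(forged)


def next_hop_to_investigate(flows, victim):
    """Interface the upstream should examine first: the one carrying the most
    traffic toward the victim. Returns None if no such traffic was seen."""
    ranked = packets_toward(flows, victim)
    return next(iter(ranked), None)


if __name__ == "__main__":
    for iface, pkts in packets_toward(SAMPLE_FLOWS, VICTIM).items():
        print(f"{iface:8} {pkts:6d} packets toward {VICTIM}")
    for (iface, src), pkts in forged_sources(SAMPLE_FLOWS, VICTIM).items():
        print(f"forged source {src} via {iface}: {pkts} packets")
    print("investigate first:", next_hop_to_investigate(SAMPLE_FLOWS, VICTIM))
```

Run stand-alone, the report names peer-c as the link to follow, which is exactly what the victim would hand to the next provider upstream; the same aggregation is then repeated one network closer to the agents, hop by hop, until the flow is small enough that individual hosts can be identified.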

Dittrich explained that although many companies claim to sell products that can guard against DDOS attacks, there is no silver bullet that will keep networks safe. He noted that some vendors sell host-based solutions while others focus on network-based prevention, detection and response. "If you don't have anything to enforce host-based security, you are just shunting the problem off to a place where it won't be solved," said Dittrich.