
Understanding the Threat of Denial-of-Service Attacks in Society Today

Ruoxi Chen, Tom Giedgowd, and Lionel Greaves

12/1/2002

Contents

1 Overview

2 Real-World Impact of DoS Attacks
  2.1 DoS in the News
  2.2 Legal Aspects
  2.3 Denial of Service Aftermath
  2.4 Evolving Threat of Denial-of-Service Attacks

3 DoS/DDoS
  3.1 DoS (Denial-of-Service) Attacks
    3.1.1 Flooding
    3.1.2 Security Vulnerabilities
    3.1.3 DNS and Routing Attacks
  3.2 DDOS (Distributed Denial-of-Service) Attacks
    3.2.1 Anatomy of a DDOS Attack
  3.3 DoS and DDoS Tools
    3.3.1 Keystroke Loggers
    3.3.2 Aggressor Exploit Generator
    3.3.3 Tribe Flood Network, Trinoo, and stacheldraht
    3.3.4 Theoretical DDoS Attack
  3.4 Summary of DoS/DDoS

4 Countermeasures
  4.1 Network Security 101: Protect, Detect, React, Revise
  4.2 Protect
    4.2.1 Overprovision
    4.2.2 Load Balancing
    4.2.3 Packet Filtering
    4.2.4 Multiple Operating Systems
    4.2.5 Staying Current
    4.2.6 Looking Upstream to the ISP
  4.3 Detect
    4.3.1 Monitoring
    4.3.2 Detection
    4.3.3 Proprietary Solutions
  4.4 React
  4.5 Revise
  4.6 Future Developments
    4.6.1 Hardware Solutions
    4.6.2 Protocol Level Solutions
    4.6.3 Possible Role of ISPs
    4.6.4 Role of Government

5 Conclusion

Chapter 1

Overview

Imagine operating a small business out of your home. You sell books, and every day you receive orders by telephone and through the mail in your mailbox. One day, without notice, the telephone rings. When you answer it, there is no reply. You hang up, but the phone rings again. Again, no one is on the other line. The phone rings again, and again, and again. The phone doesn't stop ringing. You go to the mailbox, but where your mailbox used to be is a towering mountain of letters. The letters are addressed to you, but are empty inside. The return addresses have gibberish names like "Han Solo at 124 Universe Street" or "Goebha Hjirch at 23,545,564,343 Ave Ave". The overwhelming amount of useless traffic that has been directed at your business forces you to shut down. Your small business has just been the victim of a denial of service attack.

This paper will examine Denial of Service as it relates to the Internet today. The paper is broken up into three separate chapters: the real-world impacts of denial of service attacks, the technical aspects of denial of service and distributed denial of service attacks, and the countermeasures used to prevent such attacks.

While a Denial of Service attack is strictly a technical exercise, it has many important consequences in the real world. Over the past few years DoS has brought down some of the biggest sites on the web and recently threatened to disrupt the entire Internet. In some cases it is an attempt at protest, in others it is a mischievous kind of prank, and in still other cases it is executed with the intent to cause serious damage. The financial losses, in terms of downtime and loss of consumer confidence, are huge. The legal landscape is extremely hazy with regard to exactly who is liable for what. Furthermore, the specter of information warfare has raised its head and started a whole new series of questions. My portion of the paper will deal with identifying who some of the perpetrators are, recounting some of the more famous DoS attacks, detailing their costs to businesses and the community, and discussing the current and future legal environment which will deal with such attacks.


The broad definition of DoS forces many different types of attacks to be analyzed. In this section, DoS tools are tested, different techniques are outlined, and the monster threat of DDoS is also examined. This part of the paper will also examine the targets of such attacks and analyze the methods for attacking these different targets. There is an examination of DoS and DDoS tools and their workings, as well as a theoretical custom-made DoS attack, including the steps used to accomplish it and the technical specifications behind it.

Currently, there are a number of countermeasures to protect a network against a DoS or DDoS attack. These measures must take place across a variety of levels, including the network level, the individual PC level, and the protocol level. Currently, most implementations of DoS countermeasures take place on the first two levels. On a broad network level, a combination of source address verification, filtering, and firewalls is widely implemented, and on the PC level there is a number of virus-scanner-like programs that will detect the presence of "zombie" Trojan horses. However, the future of these efforts must culminate upstream at the ISP and at the protocol level, which seeks to correct the inherent flaw of TCP/IP: the lack of trust. This chapter will explore current countermeasures alongside future ones, and also propose a comprehensive system of our own.


Chapter 2

Real-World Impact of DoS Attacks

From the first denial of service attack large enough to be officially recorded, the Internet Worm incident of 1988, to the latest attempts to shut down the root nameservers of the Internet, DoS has changed a great deal. What was once considered to be a tool for petty mischief and pranks is now recognized by governments around the world as a dangerous weapon utilized in wars and crimes on an international level.

Denial of Service has come to have an enormous impact on our world, and its power grows at a nearly exponential rate. As the number of critical institutions and transactions that are placed under the influence or control of networked resources increases, the efficiency of these activities is greatly enhanced, but at the same time so is their vulnerability to online attacks. It is therefore vital to gain a better understanding of the social issues and changes related to denial of service attacks.

There are four main facets through which these changes can be viewed. DoS in the News provides a historical timeline of the rise to prominence of denial of service attacks in the real world. The topic of Legal Aspects examines how the establishment's perception of denial of service has changed over time. The area concerned with the consequences that exist in modern times when DoS attacks occur is entitled Denial of Service Aftermath. The final point of emphasis is the Evolving Threat of Denial-of-Service Attacks, which discusses the level to which the technology and use of denial of service attacks have evolved and what that implies for the future of denial of service attacks.


2.1 DoS in the News

The watershed moment for Denial of Service attacks occurred in the early part of the year 2000. February 7, 2000 seems like an innocuous enough date; indeed, it is doubtful that many people remember anything special about that specific Monday. Yet that is the date upon which the nature of cybercrime and its impact on society at large would be forever changed. At 10:20 AM the level of traffic on the Yahoo! website began to greatly increase and quickly escalated to a full-scale Denial of Service attack that lasted a total of three hours, with Yahoo! being severely disrupted or completely shut down throughout that time. [30] As can be seen in the table on the following page from VisualPulse Reports, even in the 1-4 PM timeframe from which this data was drawn, the Yahoo! web portals were still seriously disrupted. [28]

The reverberations from the impact of the initial attack have only increased over time. Greater and greater numbers of websites have fallen victim to some form of Denial of Service attack. Congress has heard reports on the matter from the Deputy Attorney General of the United States, and the Department of Justice has gotten directly involved in the effort to protect and prosecute, yet the attacks continue. [17] Major companies such as Microsoft and Charles Schwab have fallen, with Microsoft losing service for three days. Even CERT, largely acknowledged as the leading online resource for defense against DoS attacks, fell victim to Denial of Service in May of 2001. Even as these attacks were being carried out, the revelation that the initial assault was committed by a single teenager with tools downloaded from the Internet further demonstrated the ease with which these crippling invasions could be launched. Of course the media covered these events extensively, broadcasting the news of the weaknesses of the Internet and the boy who had found them.

Recently the news regarding DoS attacks has taken on an even more serious tone, as the Bush Administration has advised businesses and law enforcement agencies that Denial of Service attacks may be utilized by terrorist organizations to attack the economic infrastructure of the United States and other nations around the world. [14] Furthermore, Congress has approved legislation to toughen the penalties for hacking and increase security for websites. [22] Then, in October of 2002, the most serious and sophisticated Denial of Service attack on record occurred when 7 of the 13 root name servers of the Internet were reduced to the status of "zero reachability" by huge attacks that flooded the servers with 30 to 40 times the normal amount of traffic. [20] As the tangible effect of this latest case was negligible, it was not as widely covered by the media, but it has been estimated that had more servers gone down, or had the attack been carried out for a longer period of time, Internet traffic would have been affected on a global level. Clearly, the impact and importance of these attacks are still escalating, as is their importance to the world at large, and thus to the media.

2.2 Legal Aspects

The legal environment in which Denial of Service and other methods of hacking exist is a cloudy and complicated one at best. There is considerable debate in the legal and technical communities around the globe as to whether the laws that currently exist are sufficient in scope to deal with cybercrime, and what can or should be done if they are not. The problem, of course, is that technology and legislation move at very different speeds. It usually takes laws months, if not years, to be developed, approved and implemented. Technology, on the other hand, seems to change in a matter of days or sometimes even hours. This discrepancy is illustrated by the fact that until recently many hacking activities were prosecuted under laws enacted in the '80s or even earlier. This is not an extraordinarily long time in the legal world, but it is positively ancient in the area of technology.

Prior to hacking being classified as a threat to our national security, it was combated through a truly disparate group of laws. There was the Computer Fraud and Abuse Act, a relic from the 1980s which was modified to make knowingly accessing a computer and stealing national defense or other restricted data a crime. Then there were even older federal statutes such as the Major Frauds Act (again defending government information), and a group of federal laws against wire fraud, racketeering and interstate transport of stolen property were also adapted to prosecute cybercrimes. More recent legislation such as the Economic Espionage Act of 1996 made it a crime to steal trade secrets. [11] These various and sundry groups of laws were all that were on the books, and then the events of September 11 changed the government's perspective.

Since that day the government has seemingly reclassified hacking as terrorism and has passed several new laws that deal much more severely and directly with cybercrime. The Cyber Security Enhancement Act (CSEA), combined with the USA Patriot Act, has given law enforcement a great deal more power to deal with Denial of Service attacks and hacking in general. Wiretapping and monitoring of Internet activity will be considerably easier from a legal perspective. The U.S. Sentencing Commission will revise sentencing guidelines for computer crimes, and even provide for life sentences for activities that are sufficiently damaging, sophisticated and/or malicious. The legislation will also formalize the National Infrastructure Protection Center, which investigates and responds to any threat or attack, virtual or physical, on America's 'critical' infrastructure, and double its budget to US$125 million. [22]


One problem that the United States government cannot solve on its own is the complications that arise due to the oftentimes international nature of cybercrimes such as denial of service attacks. It is very possible, for instance, for a hacker in Holland to use machines in China to launch a denial of service attack on the FBI's website. Beyond the difficult task of tracking down the hacker is the question of whether that hacker can be prosecuted and, if he can, who should do the prosecuting. Since every nation has different laws regarding computer crimes (and some have none at all), it can be very difficult to effectively go after hackers. [26]

In response to this problem the United States, and several other nations, have pushed to enact some kind of international treaty through which governments can cooperate to combat the rising wave of cybercrime. Organizations such as the G8 and the EU have begun laying the groundwork for such a treaty, although there is much work left to do if they want to see it succeed. [2]

2.3 Denial of Service Aftermath

Prior to the attacks on large websites such as Yahoo! and Microsoft, denial of service attacks were largely regarded as annoying but mostly harmless pranks. Now, however, with the growing commercialization and importance of the Internet, these attacks have become major problems. No longer do these attacks just frustrate users and providers; now they are imposing incredibly large financial costs on the worldwide economy and, in some cases, pose a threat of physical danger (for example, a denial of service attack could cause a computer that controls floodgates on a dam to malfunction). Billions of dollars in resources and lost business are attributed each year to denial of service attacks.

The direct economic impact of a denial of service attack consists of revenue losses, losses in market capitalization, and the amount that will be spent upgrading security infrastructures. In other words, it is the dollar amount that a denial of service attack costs the individual business. It is estimated that the string of attacks on major websites like Yahoo! and eBay in early 2000 alone cost around $1.2 billion in direct costs. [24]

The secondary impact of a denial of service attack is much harder to put a dollar figure to, but it is significant nonetheless. It occurs in the loss of consumer confidence that happens when people perceive the vulnerabilities in the website which is attacked and in the Internet as a whole. It also occurs in other areas, such as businesses having to insure their websites or their dealings with websites, or government having to develop tools to help the Internet due to issues of national security. It is estimated that Congress authorizes about $1.5 billion annually just to develop tools to combat DoS. [11] Clearly denial of service attacks have become a major hindrance to the economy on both a national and a global level.

Prior to the attack on Yahoo! it was believed that denial of service attacks were only capable of dramatically affecting small or medium-sized websites without the resources or bandwidth to find a way around the overload of packets. [18] So when the second largest website on the Internet, in terms of traffic at the time, went down, the way businesses approached their online dealings changed dramatically. There was a scramble to reassure the public that the Internet was still safe. The government and businesses issued statement after statement describing tools like traffic filters and methods such as rerouting traffic, but cautioned that there was really nothing that could be done. [16] The reality, though, was that the online business world was ill-prepared for this threat. In the rush to cash in on the e-business boom of the '90s many companies had moved as fast as possible to enter the market, and one thing that was often sacrificed in the name of speed was security. [10] Security, suddenly, became one of the biggest priorities.

The new emphasis on defending against attacks has still not resulted in a foolproof defense system, although several tools have been developed. Obviously the government and business arenas are still very much interested in addressing these problems and continue to spend a great deal of cash on trying to alleviate the problem. By attacking the technical aspects and seeking more efficient ways to enforce cyber-laws they are starting to make progress.

2.4 Evolving Threat of Denial-of-Service Attacks

As denial of service attacks have evolved from petty mischief to major economic crimes, so they seem to be again on the verge of change. The events of the months since September 11th have given rise to, among other things, the perception of denial of service attacks (and hacking in general) as weapons. Legislation such as the USA Patriot Act and CSEA seems to be moving towards making these attacks acts of war or treason or terror instead of crimes. Perhaps in certain cases, such as disrupting air traffic control or shutting down vital Internet sites (if not the Internet itself), there is enough potential for serious harm to warrant such a distinction. As Rep. Lamar Smith (R-Tex.) claims, "A mouse can be just as dangerous as a bullet or bomb." [22] Although there are many facets of this legislation which are questionable at best, the toughening of penalties for cybercrime is appropriate in light of how much America has come to depend on computer and Internet technology.


The issue of cyber terrorism existed long before September 11th, but in light of those attacks, and an ensuing rise in denial of service attacks, it has been studied much more intensely in recent months. The possible actions that terrorists could undertake are disturbing in that there is such a discrepancy between the amount of energy, dedication and intelligence required to initiate an attack and the resulting damage caused. A denial of service attack that required no more than a few people and some readily available tools got more than halfway to shutting down the Internet. It has also been estimated that small bands of criminals have forced financial institutions in London to surrender over £400 million over threats of denial of service attacks. [25] With everything from transportation to healthcare to finance falling more and more under the influence, if not the control, of technology, the implications of cyber terrorism are unsettling to say the least.

A second undesirable scenario has also arisen recently: the possibility of information warfare. The idea of governments or big business utilizing methods such as DoS against rival governments, corporations or individuals in an effort to undermine or destroy them is not surprising, but it is disappointing. The Internet is a tool of great power and seems to have limitless power to create, but it can also serve as a weapon with a destructive power that grows exponentially each day. As denial of service attacks have already found their way into the Palestinian-Israeli conflict, the war on terrorism and many other conflicts, the question of when and where such attacks are legitimate is raised. [12]

How big of an entity does a group have to be to legally undertake such attacks, and how far can they go? Does it have to be a state-sponsored activity, and does it have to occur during times of war? These questions all currently lie unanswered as the world struggles to adapt to the new situation. With tools like DoS the world must change; it will be interesting to see where it goes from here.


Chapter 3

DoS/DDoS

The great strides that our civilization has made in the technical realm over the past couple of decades have affected almost every aspect of our lives. Computers and the Internet have totally revolutionized the way people do business, advertise, and communicate. With all of these newfound uses for computers and the Internet, it comes as no surprise that the concept of "Internet warfare" has also developed.

3.1 DoS (Denial-of-Service) Attacks

One of the main tactics used in Internet warfare today is the denial of service, or DoS, attack. A denial of service attack is when an attacking computer or person causes another computer or network user to be unable to access resources, like email or the Internet. This exceedingly broad definition encompasses many areas of Internet warfare, and hundreds of programs that strive to achieve these goals. This section does not deal with every single type of DoS attack, but examines a few tactics in depth. There are three main forms of DoS attacks. The most common form of denial of service attack happens when a network is flooded with too much traffic, and the network is unable to determine which incoming traffic is genuine and which traffic is malicious. [8] These types of attacks are known as "flooding" attacks. The second major type of DoS attack is one that exploits security vulnerabilities in the network and leads to massive resource consumption, like memory, bandwidth, or email. [23] The final type of DoS attack is known as a Routing and Domain Name System (DNS) attack. This attack is aimed at the routing table, a virtual directory that computes where to direct all of the information traveling over the network. [8] The purpose of this section is to provide an overview of DoS attacks. It is by no means an all-inclusive explanation of all DoS tactics.


3.1.1 Flooding

Flooding attacks are the most common of all DoS attacks. There are three main types of flooding attacks: SYN, UDP, and ICMP. This section will deal with the ICMP tactic. The SYN attack will be dealt with in the DDoS section (3.2). Oftentimes flooding attacks are accomplished by sending a server thousands of ICMP echo request messages. [21] ICMP stands for the Internet Control Message Protocol, and is part of the TCP/IP protocol suite. Its main use is to carry error or control messages between the IP software on one end user's machine and the IP software on another end user's machine. In DoS attacks, the "end user" on the receiving end of the attack can be a web server (www.ebay.com) or a router. There are 15 different types of ICMP messages or commands. The "ping" command is synonymous with an "echo request" message. If an end user receives a ping command over ICMP, they formulate a reply and send it back to whomever sent them the request. The reason why DoS attacks use the ICMP echo request message is that most of the time this traffic is not monitored by firewalls. Flooding DoS attacks happen when an attacking system sends another computer thousands and thousands of these echo request messages and ties up the system. If a network is not specifically monitoring ICMP, a flooding attack can cripple a server.

3.1.2 Security Vulnerabilities

The security vulnerability category is very broad. These attacks can happen in a number of different and creative ways. One security exploit that DoS users sometimes take advantage of is a subsection of the ping command. Within the ICMP echo request message there is an optional data field. This data field also goes unchecked by most networks and firewalls. There are several uses for this data field. It can be used as a backdoor into a machine by allowing commands to be executed on the target machine. [21] The data section can also be used to collect data about the machine, or be used as an attacker-system communication channel or an attacker-attacker channel.

There are countless numbers of security exploits and ways to gain access into a system. Keystroke loggers are also oftentimes used to gain passwords and subsequently access to computer systems. Once a security vulnerability has been exploited and an attacker has gained access to a system, certain tools can be loaded onto the machine to tie up system resources. These tools can tie up memory and bandwidth, launch thousands of emails, and consume other resources of the victim computer. These attack tools are further examined in the section dealing with DoS and DDoS tool analysis (3.3).
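The two ICMP problems raised in 3.1.1 and 3.1.2 (echo-request floods, and the unchecked data field of an echo request) can be watched for from the defender's side with a simple monitor. The following is an added example, not code from the paper; the packet records, addresses and the "stock ping" payload shapes it assumes are all constructed for the demonstration.

```python
"""Defender-side ICMP echo monitor (added example, not from the paper).

Two checks over a constructed packet log:
  * rate: a source sending far more echo requests in a short window than a
    host that is merely pinging would (the flooding tactic of 3.1.1);
  * payload: echo-request data that does not look like what a stock ping
    client sends (the optional data field being used as a channel, 3.1.2).
Both checks are heuristics; the benign payload shapes below are assumptions
about common ping clients and should be matched to what your own hosts send.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    ts: float          # capture time, seconds
    src: str
    dst: str
    icmp_type: int
    payload: bytes     # the optional data field of the echo request


# Assumed benign payload shapes (verify against your own hosts):
#  - Windows ping sends this 32-byte alphabet string;
#  - iputils (Linux) ping sends a timestamp, then bytes whose value equals
#    their offset in the data field (0x10, 0x11, ... for a 56-byte payload).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
TIMESTAMP_BYTES = 16
MAX_ECHO_PAYLOAD = 64      # larger than any default ping payload


def looks_like_stock_ping(payload: bytes) -> bool:
    """True if the payload matches one of the assumed benign ping patterns."""
    if payload == WINDOWS_PING_PAYLOAD or len(payload) == 0:
        return True
    if len(payload) > MAX_ECHO_PAYLOAD or len(payload) <= TIMESTAMP_BYTES:
        return False
    return all(payload[i] == (i & 0xFF)
               for i in range(TIMESTAMP_BYTES, len(payload)))


def flood_sources(packets: List[IcmpPacket], window: float,
                  threshold: int) -> Dict[str, int]:
    """Per-source sliding-window count of echo requests. Returns the sources
    whose peak count inside any `window` seconds exceeds `threshold`,
    together with that peak."""
    recent = defaultdict(deque)     # src -> timestamps still inside the window
    peak = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.icmp_type != ICMP_ECHO_REQUEST:
            continue
        q = recent[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > window:
            q.popleft()
        peak[p.src] = max(peak[p.src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def odd_payload_sources(packets: List[IcmpPacket]) -> List[str]:
    """Sources that sent an echo request whose data field is not a stock ping."""
    return sorted({p.src for p in packets
                   if p.icmp_type == ICMP_ECHO_REQUEST
                   and not looks_like_stock_ping(p.payload)})


# Constructed sample capture: a host pinging once a second, a host sending
# 500 echo requests in half a second, and a host carrying text in the data field.
LINUX_PING_PAYLOAD = bytes(TIMESTAMP_BYTES) + bytes(range(TIMESTAMP_BYTES, 56))
SAMPLE_CAPTURE = (
    [IcmpPacket(float(t), "10.0.0.5", "10.0.0.80", 8, LINUX_PING_PAYLOAD)
     for t in range(10)]
    + [IcmpPacket(5.0 + i / 1000, "203.0.113.9", "10.0.0.80", 8, LINUX_PING_PAYLOAD)
       for i in range(500)]
    + [IcmpPacket(7.0, "198.51.100.4", "10.0.0.80", 8, b"beacon: host-7 ready")]
)

if __name__ == "__main__":
    print("flooding:", flood_sources(SAMPLE_CAPTURE, window=1.0, threshold=100))
    print("non-standard payloads:", odd_payload_sources(SAMPLE_CAPTURE))
```

The rate check catches the flood even when every packet individually looks like a normal ping, which is why a firewall that only inspects packet contents misses it.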


3.1.3 DNS and Routing Attacks

The final types of DoS attacks are the DNS and routing table attacks. Routing table attacks use route spoofing, which forces machines (routers) to misdirect IP datagrams. [21] ICMP route spoofing takes place when a machine receives an ICMP redirect message. After receiving the redirect message, a machine typically updates its routing table. Tampering with a machine's routing table can be as easy as sending it a forged ICMP redirect message. Another way of launching a routing table attack is by manipulating a second way that systems route messages: RIP. RIP is a widely used implementation of distance-vector routing. [21] Disrupting routing tables can be accomplished by broadcasting phony RIP information using port 520 (the port that RIP commonly uses). DNS attacks, or DNS spoofing, happen when a DNS server becomes infected by an attack. DNS servers are used to translate IP addresses (124.35.22.152) into domain names (www.yahoo.com). Manipulating this data causes users trying to access a certain domain name to be redirected to a different machine.
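A host that installs whatever next hop an ICMP redirect names is exactly the machine the forged-redirect attack above works against. Below is an added example, not code from the paper, of the acceptance checks a host can apply before changing its table, following the host requirements of RFC 1122: the redirect must come from the gateway the host currently uses for that destination, and the new gateway must be on a directly attached network. The host's networks, routing table and the addresses in the demo are constructed.

```python
"""Host-side validation of ICMP redirect messages (added example).

A redirect says "to reach dst, use new_gw instead of me". Accepting it blindly
lets anyone who can send the host a packet rewrite its routing table. The
checks here follow RFC 1122 section 3.2.2.2; addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    on_link: List[str]                  # networks the host is directly attached to
    routes: Dict[str, str] = field(default_factory=dict)   # prefix -> gateway
    rejected: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def gateway_for(self, dst: str) -> Optional[str]:
        """Longest-prefix match on the routing table ("0.0.0.0/0" = default)."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, gw in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None

    def is_on_link(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n) for n in self.on_link)

    def handle_redirect(self, sender: str, dst: str, new_gw: str) -> bool:
        """Apply the redirect only if it passes the checks; True if the table changed."""
        current = self.gateway_for(dst)
        if current is None or sender != current:
            # not from the gateway we actually use for dst: treat as forged
            self.rejected.append((sender, dst, new_gw, "sender is not current gateway"))
            return False
        if not self.is_on_link(new_gw):
            # a gateway we cannot reach directly would black-hole the traffic
            self.rejected.append((sender, dst, new_gw, "new gateway not on-link"))
            return False
        if new_gw == sender:
            return False                     # nothing to change
        self.routes[f"{dst}/32"] = new_gw    # host route for this destination only
        return True


def demo() -> dict:
    # constructed host on 192.0.2.0/24 whose default gateway is 192.0.2.1
    h = Host(on_link=["192.0.2.0/24"], routes={"0.0.0.0/0": "192.0.2.1"})
    legit = h.handle_redirect("192.0.2.1", "203.0.113.7", "192.0.2.2")      # from our gateway
    forged = h.handle_redirect("192.0.2.66", "203.0.113.8", "192.0.2.66")   # from a random host
    offlink = h.handle_redirect("192.0.2.1", "203.0.113.9", "10.99.0.1")    # unreachable gateway
    return {"legit": legit, "forged": forged, "offlink": offlink,
            "gw_7": h.gateway_for("203.0.113.7"), "gw_8": h.gateway_for("203.0.113.8"),
            "rejected": len(h.rejected)}


if __name__ == "__main__":
    print(demo())
```

These checks do not stop an attacker on the same link who forges the gateway's own address as the sender, which is why many hosts simply disable redirect processing (on Linux, the net.ipv4.conf.all.accept_redirects sysctl).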

3.2 DDOS (Distributed Denial-of-Service) Attacks

The other main tactic of Internet warfare is known as the distributed denial of service attack, or DDoS attack. The main difference between DoS attacks and DDoS attacks is that DDoS attacks are carried out by more than one system. This coordinated attack is much more powerful than a typical DoS attack. In a DDoS attack, a user gains control over a few systems, which in turn automatically gain control of other systems. This exponential growth allows an attacker to have literally thousands of computers at his or her disposal. Unlike DoS attacks, DDoS attacks are all structured very similarly. The similarity between the attacks allows for a greater in-depth study.

3.2.1 Anatomy of a DDOS Attack

DDoS attacks follow a very similar pattern. A primary account on a computer system is stolen and is loaded with a number of tools (scanning tools, attack tools, root kits, DDoS programs, and lists of vulnerable hosts). This primary account is known as a "Master" or "Handler". A scan is performed on other network systems to identify potentially vulnerable targets. A list of vulnerable systems is compiled, and the primary account connects to each vulnerable system through a TCP port to confirm the success of the takeover. From the list of compromised systems, subsets are chosen with the desired architecture for the DDoS network. These vulnerable systems that are controlled by the master are known as "Agents", "Daemons" or "Zombies". After the subset is chosen, a script is run which fully installs the DDoS programs and runs them. The installation takes place in the background so the real computer user doesn't notice the installation taking place. This DDoS system allows the attackers to set up the attack very quickly. [13] The technical differences between the three main DDoS programs (Trinoo, TFN, TFN2K) are discussed within the Analysis of DDoS tools section (3.3). A picture of the DDoS hierarchy is shown on the following page.

Different DDoS tools use different attacks against the victim system. Most tools allow for the ICMP ping attack that was mentioned above in the DoS section. In addition to using ICMP to launch attacks against sites, an attack called SYN flooding is also used in some DDoS tools. These attacks use the TCP protocol and abuse the three-way handshake that is used to establish a connection between two computers. A typical handshake between two machines looks something like this. A client initiates a connection to a server by sending a packet with the SYN control flag set. The server responds to the client with a packet with the SYN and ACK flags set. The client then responds to this message by sending the server an ACK message. After these three steps, a connection is established. [19] DDoS tools abuse this handshake protocol by sending a victim server thousands and thousands of SYN packets and never bothering to complete the third step of the handshake. These "half open" requests build up within the server and consume memory and bandwidth.
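To make the half-open build-up concrete, here is a small simulation, added as an example and not taken from the paper, of a server's table of connections in the SYN-RECEIVED state. The table size, the timing of the flood, the addresses and the two timeout values are constructed for the demonstration.

```python
"""Simulation of half-open (SYN-RECEIVED) connection build-up (added example).

The server keeps one entry per connection for which it has sent SYN-ACK but
not yet seen the client's final ACK. Each entry holds memory until that ACK
arrives or the entry ages out, so SYNs that are never followed by an ACK can
fill the table and lock genuine clients out. All values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    ts: float      # arrival time, seconds
    src: str       # client "ip:port"
    flags: str     # "SYN" (step 1 of the handshake) or "ACK" (step 3)


@dataclass
class Server:
    backlog: int                 # maximum number of half-open entries
    halfopen_timeout: float      # seconds a SYN-RECEIVED entry may live
    half_open: Dict[str, float] = field(default_factory=dict)   # src -> SYN time
    established: int = 0
    refused: int = 0

    def _expire(self, now: float) -> None:
        for src, t in list(self.half_open.items()):
            if now - t >= self.halfopen_timeout:
                del self.half_open[src]

    def receive(self, seg: Segment) -> str:
        self._expire(seg.ts)
        if seg.flags == "SYN":
            if seg.src in self.half_open:
                return "SYN-ACK"          # retransmitted SYN, reuse the entry
            if len(self.half_open) >= self.backlog:
                self.refused += 1         # table full: genuine clients lose here
                return "DROP"
            self.half_open[seg.src] = seg.ts
            return "SYN-ACK"              # step 2 of the handshake
        if seg.flags == "ACK" and seg.src in self.half_open:
            del self.half_open[seg.src]   # handshake complete, entry released
            self.established += 1
            return "ESTABLISHED"
        return "IGNORED"


def run(server: Server, segments: List[Segment]) -> Dict[str, int]:
    for seg in sorted(segments, key=lambda s: s.ts):
        server.receive(seg)
    return {"established": server.established,
            "refused": server.refused,
            "half_open": len(server.half_open)}


def build_traffic(flood_syns: int) -> List[Segment]:
    """One genuine client before the flood, a one-second burst of SYNs from
    distinct (spoofed) sources that never send the final ACK, then one genuine
    client a second after the burst ends."""
    before = [Segment(0.0, "10.0.0.5:40001", "SYN"),
              Segment(0.1, "10.0.0.5:40001", "ACK")]
    flood = [Segment(1.0 + i * 0.001, f"203.0.113.{i % 250}:{10000 + i}", "SYN")
             for i in range(flood_syns)]
    after = [Segment(3.0, "10.0.0.6:40002", "SYN"),
             Segment(3.1, "10.0.0.6:40002", "ACK")]
    return before + flood + after


def scenario(halfopen_timeout: float, backlog: int = 128,
             flood_syns: int = 1000) -> Dict[str, int]:
    return run(Server(backlog, halfopen_timeout), build_traffic(flood_syns))


if __name__ == "__main__":
    # a long SYN-RECEIVED timer leaves the table full long after the burst
    print("timeout 75 s:", scenario(75.0))
    # a short timer frees the entries so the later client gets through, but it
    # does nothing for clients that arrive while the burst is still under way
    print("timeout 1 s: ", scenario(1.0))
```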

The danger of DDoS lies in the amount of system resources that are at an attacker's disposal. [29] The processing speed, memory, and bandwidth all combine to form a formidable enemy. DDoS attacks have been used, and have proven effective, against major web servers that already have some security measures in place to take care of simpler DoS tactics. The sheer scale of a DDoS attack is overwhelming.

3.3 DoS and DDoS Tools

The purpose of this section of the paper is to focus on individual tools used in DoS and DDoS attacks. I will (as a novice to launching DoS attacks) gather as many of these tools as possible, report where I found them and who was distributing them, and test them out.

3.3.1 Keystroke Loggers

The first types of tools that should be examined are ones that aid in the initial step of DoS and DDoS attacks. A keystroke logger in its simplest form is a program that monitors every single key that is pressed on a keyboard, and records this log to a file. These programs can be loaded onto unsuspecting users' machines, and the log files emailed (or FTPed) to a remote location. The purpose for a DoS attacker to use a keystroke logger is to steal users' passwords, and also to gain other valuable information about the system that they are working in. The keystroke logger that I am going to examine is Omniquad Desktop Surveillance Version 3.6c. This commercial program is available for download from Omniquad's website at http://www.omniquad.com. This version is a trial version; however, after running a crack on it from http://www.astalavista.com, I was able to transform the trial version into the full version.

Omniquad Desktop Surveillance has several powerful features. It is able to run in the background of a machine and completely mask its presence. Pressing Ctrl+Alt+Delete does not reveal that it is running. Some other features include a regular keystroke logger that writes the output to a file, an activity log that records what programs are being run, "virtual video" that can be customized to run all the time or when certain programs are run, full encryption of logs, email forwarding of logs, FTP of logs, and remote control from another IP address. Having this program installed on a target computer would give an intruder lots of data about the computer (or computers) that he/she is trying to overtake.

3.3.2 Aggressor Exploit Generator

Finding DoS tools on the Internet is very easy. The first step that I took was going to the "security" website http://www.astalavista.com. I first learned about Astalavista in high school from a friend who used it to find cracks for games and other computer software. In addition to providing links to software cracks, Astalavista publishes articles about current security exploits, has links to viruses and Trojans, and source code for all sorts of applications. Astalavista also provides links to other so-called "security" sites that do many of the same types of things.

Following one of the links to the Super Security Search Engine (http://kickme.to/ssse/) allowed me to search for the tools and code used to launch DoS attacks. I then followed a link to http://neworder.box.sk/codebox.links.php? where most of the DoS and DDoS tools were kept.

The first tool that I downloaded was called Aggressor Exploit Generator, which claimed to be able to launch teardrop, ssping, boink, smurf, and land attacks against Windows 95, and to have the capability to customize TCP/IP packets for personal attacks. I picked this program because it was able to launch many different types of DoS flood attacks from one program. After downloading and running the program, there were two modes, a simple mode and an advanced mode. Both modes allowed all of the forms of DoS attacks to be launched, but the simple mode made launching an attack as easy as entering an IP address. The advanced mode had more customizations like packet lengths, flag selections, and port customizations. The program was also a freeware version, and did not have every single feature implemented. The simple mode made it extremely easy for someone new to DoS attacks (me) to be able to launch one.

The tests that I ran were structured like this: I launched the DoS attacks against my friend's computer, monitored the number of packets received by the machine and the number of packets sent by the machine, and had someone sitting at the computer to gauge whether or not the relative Internet speed decreased. During the first few tests I ran a "Suffer" attack (which is another name for a SYN attack), a Boink (or teardrop) attack, and a smurf attack. I ran all of these tests with a spoofed IP address. After running all of these tests and evaluating the results, there was no significant change to the number of packets that I sent the target computer, and the number of packets that they received. There was also no noticeable decrease in Internet speed. After brainstorming with my group for a while, we came to the conclusion that Duke's network probably runs egress filtering (discussed further in the countermeasures section, Chapter 4) and drops all spoofed packets. In order to test our theory, we launched the Boink attack again without spoofing the source IP address. This time there was a noticeable slowing of Internet speed, and a dramatic increase in packets received (after I sent the target computer 20,000 packets, there was a corresponding rise of 20,000 received packets on the target machine).

However, our test success raised some serious questions about the possible consequences of our actions. Would Duke's network automatically shut off my Internet connection (a common defense mechanism, see Section 4.3.2)? This paranoia forced our group to discontinue the actual DoS attack and turn our attention to examining the DDoS tools.

3.3.3 Tribe Flood Network, Trinoo, and stacheldraht

Finding working binaries of TFN, Trinoo and stacheldraht proved to be extremely difficult. I exhausted all of the Astalavista links, and scoured a few P2P file-sharing programs (DC++, KaZaA), but found nothing. However, there was technical information about these programs that described their abilities and performance. Tribe Flood Network was written in 1999, and allows for TCP SYN floods, ICMP floods, UDP flooding, and smurf attacks. The handlers, or masters, are accessed through standard TCP connections like telnet or ssh. Communication between the masters and slaves is accomplished through ICMP echo reply packets. TFN supports IP spoofing. [13]

Trinoo was the first DDoS program that was widely used. Trinoo uses UDP flooding as an attack strategy, and also communicates with the daemons using UDP packets. [9] The source of the Trinoo packets is not spoofed, which makes finding their sources easy. Trinoo also supports commands to change the size of packets that are sent, to stop an attack, to check the status of an agent, and to check the length of an attack.

stacheldraht operates like a combination of Trinoo and TFN. It uses UDP floods, ICMP floods, and SYN floods. There is also a feature that allows daemon software updates to happen automatically. The danger of stacheldraht is that it uses encrypted TCP or ICMP packets to communicate with the agents, so figuring out how and what they are communicating is extremely difficult. [9]

3.3.4 Theoretical DDoS Attack

I do not feel that I would be capable of launching a DDoS attack against a webserver, but feel quite confident that I would be able to launch a successful DoS attack against an Internet server. These are the theoretical steps that I would take in order to launch a DoS attack against an Internet webserver.

First I would locate a cluster of public computers that do not require any login or authorization, and have a very fast Internet connection (like a public library or a college computing cluster, i.e. UNC or NC State). If the computers required authorization in order to log in, I would steal a username and password by installing a keystroke logger on a public machine (like the ones at the library that do not need you to log in). I would write the log file to the hard drive and check it periodically. After gaining access to the machines at the cluster, I would install the Aggressor Exploit Generator on all of the machines (but run the full version rather than the trial one). I would have saved an attack prior to installing all of the software, and just loaded the pre-made attack. The attack that I would run is the SYN attack, which sends thousands of half handshakes to the server. I would walk around the library or cluster pretending to use the machines, but really be installing and launching the DoS tools. I figure that I would be able to get around a dozen machines all flooding the same site. The attack would not be able to be traced back to me, because I would launch the attack from some obscure location (like another university) using a stolen login. I would not spoof the IP addresses, because the network might be filtering out spoofed packets.

3.4 Summary of DoS/DDoS

Given the broad definition of a DoS attack, it would have been near impossible to fully explore all of the different types of attacks, and all of the tools that were created to launch these attacks. After examining the Aggressor Exploit Generator, and seeing what it alone was capable of, the reality of the power of a DDoS attack really registered with me. Thousands of systems, all launching a coordinated flooding attack against a server, is a frightening thought. The sheer volume of traffic that a DDoS attack would cause is unbelievable. Hopefully, in the future systems and servers will find ways to combat this Internet warfare tactic.


Chapter 4

Countermeasures

It is clear that the scope of DoS/DDoS attacks, the ease with which one can be launched, and the possible costs should alarm most companies and university networks. This chapter will look at the most widely implemented strategies networks are using to combat this threat today, as well as those being developed for the future.

4.1 Network Security 101: Protect, Detect, React, Revise

In defining a strategy to protect against DoS and DDoS, it is useful to refer to the basic model of network security, which is aptly summed up as "Protect, Detect, React, and Revise." Protecting a network against the threat of DoS attacks encompasses a range of measures that are as much legal as they are technical. [1] Detection involves being able to recognize an attack as it occurs, which requires that monitoring systems be in place in order to characterize normal versus abnormal traffic. Reaction consists of putting the prepared protection mechanisms into action once an attack is detected. Lastly, revision involves analyzing attacks, making security improvements, and possibly taking legal or criminal action. However, it is important to note that there is no cure-all, no magic bullet for the DoS threat. Rather, the following sections lay out the combinations of technologies and other precautionary measures that are widely implemented today to reduce the threat of DoS attacks.

4.2 Protect

In order to successfully mitigate DoS/DDoS attacks, proper countermeasures, technical and otherwise, should be set up in advance. These include overprovisioning of network resources, load-balanced servers, packet filtering strategies, and other preventive measures.

4.2.1 Overprovision

Many forms of denial-of-service attack work by overloading the target network. To guard against these surges of network traffic, legitimate or otherwise, a system must overprovision resources wherever possible. This includes resources such as bandwidth, memory, and processor capacity. As discussed earlier in the paper, some of the most popular forms of DoS attack work by overloading the web server with large volumes of small packets, thus filling up the packet queue with illegitimate packets. In safeguarding against DoS attacks, therefore, one of the most obvious places to overprovision is not necessarily raw bandwidth capacity (bits per second), but rather packet processing ability (packets per second). [1]

4.2.2 Load Balancing

Rather than single-server or single-site approaches, distribute the site across a number of web servers, or if possible, use multiple sites. By spreading the load across multiple servers, it is harder for a DoS/DDoS attack to completely disrupt traffic to a site.

Load balancing web servers can be accomplished in a number of ways, including software-driven solutions such as round-robin DNS, or hardware solutions such as routers that direct incoming requests to the appropriate server. [27] There are also several companies, such as Akamai or Digital Island, that provide content distribution services for heavily trafficked sites. [19]

4.2.3 Packet Filtering

Packet filtering on border routers is one commonly implemented measure to prevent spoofed packets from filling up the web server queue. The goal of packet filtering is to drop illegitimate traffic as close to the source as possible, on the outer edges of the network, so that it does not propagate throughout the network using up valuable resources. [1]

There are two main types of filtering currently employed: ingress and egress filtering. Ingress filtering weeds out packets with untrusted or spoofed source addresses, a tactic used in SYN flooding and most other common forms of DoS attack. Differentiating between legitimate and illegitimate packets is done by checking the source address against the network the packet arrived from. If an ISP owns the router through which a spoofer is trying to reach the Internet, then it can check the source IP address against the address space assigned to that customer, dropping those that do not match and logging the attempt for future reference. [19]

Egress filtering, on the other hand, is the same idea applied by the end network itself: dropping illegitimate packets as they leave the network. This is important for reasons of accountability and for being a good "Netizen." If a company or university network hosts the "zombies" for a DDoS attack, the victim may be able to argue that the company was negligent if it did not take adequate precautions and allowed spoofed packets to leave its network without being dropped. [15]

To prevent this, an edge router should be set up to check the source IP addresses of outgoing packets against the network's own address block. For example, to employ egress filtering, Duke (assuming its network address space is 152.3.0.0/16 and that it connects to its ISP over interface serial 0/1) can apply an access list such as the following, adapted from [4]:

    access-list 111 permit ip 152.3.0.0 0.0.255.255 any
    access-list 111 deny ip any any log
    interface serial 0/1
     ip access-group 111 out

The first line permits any packet whose source lies inside 152.3.0.0/16 (the wildcard mask 0.0.255.255 matches the low 16 bits), the second drops and logs everything else, and the access group binds the list to the outbound direction of the ISP-facing interface.
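The two checks above, egress (our prefix out) and ingress (nothing claiming our prefix, or an unroutable address, in), are simple enough to express in software, which makes a useful sanity check of what an access list is supposed to do. The following Python script is an added example for this edition, not code from the paper or from the Cisco note [4]; it assumes the 152.3.0.0/16 prefix used above and a hypothetical list of private "bogon" ranges, and all packets in it are constructed rather than captured.

```python
"""Source-address filtering as an edge router would apply it (the RFC 2827 idea).

Two checks, both on the source IP of a packet:
  * egress  (packets leaving our network): source must be inside our prefix
  * ingress (packets entering from the ISP): source must NOT be inside our prefix
    and must not be a private/bogon address
"""
import ipaddress

# Hypothetical campus prefix, the same one the access list above uses.
OUR_PREFIX = ipaddress.ip_network("152.3.0.0/16")

# RFC 1918 and other address space that never legitimately appears as an Internet source.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def egress_permit(src, prefix=OUR_PREFIX):
    """Outbound: equivalent of 'permit ip 152.3.0.0 0.0.255.255 any' then 'deny ip any any'."""
    return ipaddress.ip_address(src) in prefix


def ingress_permit(src, prefix=OUR_PREFIX, bogons=BOGONS):
    """Inbound from the ISP: our own prefix, or a bogon, arriving from outside is spoofed."""
    addr = ipaddress.ip_address(src)
    if addr in prefix:
        return False
    return not any(addr in b for b in bogons)


def filter_packets(packets, direction):
    """Apply the check for `direction` ("out" or "in") to (src, dst) tuples.

    Returns (permitted, denied); `denied` is what a 'deny ... log' rule would record.
    """
    check = egress_permit if direction == "out" else ingress_permit
    permitted, denied = [], []
    for src, dst in packets:
        (permitted if check(src) else denied).append((src, dst))
    return permitted, denied


# Constructed sample traffic (not captured data).
OUTBOUND = [
    ("152.3.25.28", "198.51.100.7"),   # a real campus host talking to the Internet
    ("203.0.113.9", "198.51.100.7"),   # spoofed source: the ACL drops and logs it
    ("10.0.0.5", "198.51.100.7"),      # RFC 1918 leak: also outside our prefix
]
INBOUND = [
    ("198.51.100.7", "152.3.25.28"),   # normal inbound request
    ("152.3.1.1", "152.3.25.28"),      # our own prefix arriving from the ISP: spoofed
    ("192.168.4.4", "152.3.25.28"),    # bogon source
]

if __name__ == "__main__":
    for name, pkts, direction in (("egress", OUTBOUND, "out"), ("ingress", INBOUND, "in")):
        ok, dropped = filter_packets(pkts, direction)
        print(f"{name}: permitted {len(ok)}, dropped and logged {dropped}")
```

Run as a script it reports one permitted and two dropped packets in each direction. The ingress side is the part a campus cannot do for itself: only the ISP (or the campus border router, for traffic arriving from the ISP) sees packets that falsely claim a 152.3.x.x source.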

Lastly, comprehensive packet filtering also encompasses one final feature: the connection time-out. To quickly rehash an earlier discussion, TCP connections are set up with the "three-way handshake." In a SYN flood the third and final part of the handshake, the client's ACK, is deliberately never sent, so the half-open connections sit in the server's backlog queue until they time out, often after a minute or more. One way to empty the queue of illegitimate entries more quickly is therefore to reduce the timeout. [4] This approach unfortunately penalizes users on slow or lossy connections if the timeout is reduced too far, since their final ACK may arrive after the server has already discarded the half-open entry.
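The trade-off is easiest to see in numbers: the backlog holds roughly (SYN rate) x (timeout) half-open entries, so a 100 SYN/s flood against a 128-entry backlog needs a timeout under about 1.3 s to avoid saturating it, while any legitimate client slower than that timeout is lost. The simulation below is an added example for this edition, not from the paper or from [4]; its traffic (a 10-second flood, twenty fast clients, two slow ones) is constructed, and times are in milliseconds.

```python
"""Why the half-open connection timeout matters in a SYN flood.

A server keeps each half-open TCP connection (SYN received, SYN-ACK sent, final
ACK not yet seen) in a fixed-size backlog until the handshake completes or the
entry times out.  Occupancy is roughly SYN rate x timeout, so a flood saturates
the backlog whenever that product exceeds its size.  Shortening the timeout frees
slots sooner, at the price of dropping legitimate clients whose final ACK arrives
later than the new timeout.  All times below are in milliseconds.
"""


def _retire(backlog, now, stats):
    """Remove completed handshakes and timed-out entries as of time `now`."""
    remaining = []
    for expiry, ack_time, legit in backlog:
        if ack_time is not None and ack_time <= now and ack_time <= expiry:
            stats["completed"] += 1            # final ACK arrived before the timeout
        elif expiry <= now:
            if legit:
                stats["legit_timed_out"] += 1  # a real client lost to the timeout
        else:
            remaining.append((expiry, ack_time, legit))
    return remaining


def simulate_backlog(syns, backlog_size, timeout):
    """syns: (t, legit, ack_delay) tuples; ack_delay is None for attack SYNs,
    whose final ACK never comes.  Returns a dict of counters."""
    stats = {"accepted": 0, "dropped_full": 0, "legit_dropped_full": 0,
             "legit_timed_out": 0, "completed": 0}
    backlog = []
    for t, legit, ack_delay in sorted(syns, key=lambda s: s[0]):
        backlog = _retire(backlog, t, stats)
        if len(backlog) < backlog_size:
            ack_time = None if ack_delay is None else t + ack_delay
            backlog.append((t + timeout, ack_time, legit))
            stats["accepted"] += 1
        else:
            stats["dropped_full"] += 1         # queue saturated: the SYN is lost
            if legit:
                stats["legit_dropped_full"] += 1
    _retire(backlog, float("inf"), stats)      # drain whatever is still queued
    return stats


def constructed_scenario():
    """Constructed traffic (not a capture): a 100 SYN/s flood for 10 s, twenty fast
    legitimate clients (ACK after 200 ms) and two slow ones (ACK after 1500 ms)."""
    attack = [(10 * i, False, None) for i in range(1000)]
    fast = [(255 + 500 * k, True, 200) for k in range(20)]
    slow = [(3105, True, 1500), (6105, True, 1500)]
    return attack + fast + slow


if __name__ == "__main__":
    syns = constructed_scenario()
    for timeout in (60_000, 1_000):
        print(f"timeout {timeout} ms:",
              simulate_backlog(syns, backlog_size=128, timeout=timeout))
```

With the 60-second timeout the backlog is full after about 1.3 seconds and nineteen of the twenty-two legitimate clients never get a slot; with a 1-second timeout the flood never fills the queue, every fast client connects, but both slow clients (final ACK at 1.5 s) time out. That is exactly the penalty the paragraph above warns about.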

In short, comprehensive packet filtering not only helps to prevent your own servers from being the victim of a DoS/DDoS attack, but also safeguards them against being used as an accomplice in an attack on someone else. However, like the other DoS countermeasures, packet filtering is imperfect at best and only works against certain types of DoS attack.

4.2.4 Multiple Operating Systems

Most DoS tools, worms, and other malicious technologies target specific operating systems. To reduce this threat, run a mix of operating systems so that the network as a whole survives an OS-specific attack. [1]


4.2.5 Staying Current

Vendors frequently release patches or software updates that address specific security holes. An example is the recent Code Red worm, which took advantage of a buffer overflow in Microsoft IIS for which a patch had already been available for about a month. Making sure that systems are loaded with the most recent of these updates denies attackers the known bugs they would otherwise use to launch a DoS attack. [27]

4.2.6 Looking Upstream to the ISP

Some of the most important preventive measures a network can take in mitigating the threat of DoS/DDoS attacks actually rest with its ISP. As mentioned earlier, the edge routers of ISPs are the most common place where ingress filtering takes place. However, the role of the ISP is even greater than that.

An important precaution to arrange with an ISP is rate limiting, or traffic shaping. [1] By having the ISP cap the rate of particular classes of traffic destined for your site (ICMP, or TCP SYN packets, for example) rather than all traffic, the effects of a massive DoS attack can be greatly reduced; a blanket cap on everything would merely move the point at which legitimate users start being dropped.

Protocol or port blocking is another contractual service an ISP can offer on request. One possible use of this service would be to have the ISP temporarily shut off ICMP during a "ping flood." [1]

4.3 Detect

In order to react well to a DoS/DDoS attack, a network must be able to detect that an attack is under way as soon as possible. This involves comprehensive monitoring and intrusion detection systems.

4.3.1 Monitoring

Effective DoS detection is entirely dependent on one crucial factor: monitoring. At root, DoS detection is the characterization of abnormal traffic, abnormal being a relative term. In order to characterize "abnormal" traffic, one must first define "normal" by setting a baseline of typical traffic characteristics, which is the role monitoring systems provide.

It is essential that monitoring systems record both throughput measurements and device performance metrics. Examples of throughput measurements include bandwidth consumption and packet rates, while performance metrics include CPU and memory utilization. [1] Both kinds of measure are important in accurately determining a baseline of network behavior.


Monitoring systems should also be adaptive, that is, possess learning capabilities. This helps them differentiate between normal surges in traffic, such as all the employees logging on at 9 a.m., and the surge resulting from an actual DoS attack. [15]
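The simplest form of such learning is a separate baseline for each hour of the day, so that the detector compares 9 a.m. traffic with previous mornings rather than with the overnight average. The Python below is an added example for this edition, not from the paper or from [15]; its two weeks of hourly packet rates are constructed, and the detection rule (flag an hour more than four standard deviations above its own baseline) is one reasonable choice among many.

```python
"""Baselining traffic per hour of day so a routine 9 a.m. surge is not an alarm.

A flat threshold cannot tell the morning log-on surge from a flood.  Keeping a
separate baseline (mean and standard deviation) for every hour of the day lets
the detector learn that 1500 packets/s at 09:00 is routine while the same rate
at 03:00 is not.  All traffic figures are constructed for this example.
"""
from statistics import mean, stdev


def build_baseline(history):
    """history: {(day, hour): packets_per_second} over several days.
    Returns {hour: (mean, stdev)} learned from that history."""
    by_hour = {}
    for (_day, hour), pps in history.items():
        by_hour.setdefault(hour, []).append(pps)
    return {h: (mean(v), stdev(v) if len(v) > 1 else 0.0) for h, v in by_hour.items()}


def anomalous_hours(baseline, day, z=4.0, min_sigma=1.0):
    """day: {hour: pps} for the day under inspection.  An hour is flagged when its
    rate lies more than `z` standard deviations above that hour's own baseline.
    min_sigma stops a perfectly regular history from turning every change into an alarm."""
    flagged = []
    for hour, pps in sorted(day.items()):
        mu, sigma = baseline[hour]
        if (pps - mu) / max(sigma, min_sigma) > z:
            flagged.append(hour)
    return flagged


def constructed_history(days=14):
    """Two weeks of hourly rates: quiet overnight, a spike at 09:00 when everyone
    logs on, a busy working day, plus a little deterministic jitter."""
    hist = {}
    for d in range(days):
        for h in range(24):
            base = 1500 if h == 9 else 1200 if 10 <= h <= 17 else 200
            jitter = ((7 * d + 3 * h) % 40) - 20
            hist[(d, h)] = base + jitter
    return hist


# The day under inspection: the usual 09:00 surge, and a 03:00 burst of the same size.
INSPECTED_DAY = {h: (1520 if h == 9 else 1500 if h == 3 else 1200 if 10 <= h <= 17 else 205)
                 for h in range(24)}

if __name__ == "__main__":
    base = build_baseline(constructed_history())
    print("hours flagged:", anomalous_hours(base, INSPECTED_DAY))
```

Only 03:00 is flagged: 1500 packets/s is over a hundred standard deviations above that hour's baseline of about 200, while 1520 at 09:00 is within two standard deviations of a baseline that already knows mornings are busy. A production system would add day-of-week baselines and age out old history, but the principle is the same.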

4.3.2 Detection

Intrusion detection comes in a number of forms that range from the technical to something as simple as a marked increase in customer support calls about unresponsive servers. Some of the main technical indicators of a DoS attack are a substantial increase in inbound traffic, server queues filling up, a sudden increase in the number of packets dropped due to timeouts, or an increase in the volume of firewall log entries. [1]

Aside from these alarms, it may also be helpful to look at traffic flows for the number of packets sent and received, an important criterion in characterizing a SYN flood. Again taking Duke's network as an example, the following two flows may be considered suspicious:

    Source              Destination         Protocol   No. Pkts
    172.16.26.7:1028    152.3.25.28         TCP        948529
    152.3.25.28         172.16.26.7:1028    TCP        84592

The imbalance between the number of packets sent from Duke's web server (say, 152.3.25.28) to the client at 172.16.26.7:1028 and the number sent from that client to the web server suggests a likely SYN flood, in which the connection queue is saturated with incomplete three-way TCP handshakes. Duke's system can then be set up to drop all packets originating from 172.16.26.7 in the future. [1] However, this per-source form of filtering may be ineffective against distributed denial-of-service attacks, or against floods originating from spoofed addresses.
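The check the table illustrates is a straightforward aggregation over flow records, and the same data also shows why the caveat in the last sentence matters. The Python below is an added example for this edition, not from the paper or from [1]; its flow records are constructed to follow the table's layout (source, source port, destination, destination port, protocol, packet count), and both the per-pair threshold and the 5:1 ratio are assumptions chosen for the example.

```python
"""Spotting a SYN flood in flow data by packet-count asymmetry.

A healthy TCP exchange is roughly symmetric in packet count.  A client that sends
hundreds of thousands of packets to a web server and gets back a small fraction
is either a flood source or is talking to a server whose connection queue is
already saturated.  Records follow the layout of the table above:
(src, src_port, dst, dst_port, proto, packets).  All of them are constructed.
"""
from collections import defaultdict

SERVER = "152.3.25.28"

# Case 1: the suspicious pair from the table, next to an ordinary browsing session.
FLOOD_FLOWS = [
    ("172.16.26.7", 1028, SERVER, 80, "TCP", 948529),
    (SERVER, 80, "172.16.26.7", 1028, "TCP", 84592),
    ("198.51.100.23", 3344, SERVER, 80, "TCP", 1210),
    (SERVER, 80, "198.51.100.23", 3344, "TCP", 1185),
]

# Case 2: the same browsing session plus fifty small spoofed sources that never
# answer; each one is too small to stand out on its own.
SPOOFED_FLOWS = FLOOD_FLOWS[2:] + [
    (f"203.0.113.{i}", 2000 + i, SERVER, 80, "TCP", 600) for i in range(1, 51)
]


def pair_asymmetry(flows, ratio=5.0, min_packets=10_000):
    """Per (client, server) pair: flag when client->server packets exceed
    server->client packets by `ratio` and the pair is busy enough to matter.
    Returns [(client, server, forward_pkts, reverse_pkts), ...]."""
    forward = defaultdict(int)
    for src, _sport, dst, _dport, proto, pkts in flows:
        if proto == "TCP":
            forward[(src, dst)] += pkts
    flagged = []
    for (a, b), sent in forward.items():
        back = forward.get((b, a), 0)
        if sent >= min_packets and sent > ratio * max(back, 1):
            flagged.append((a, b, sent, back))
    return flagged


def server_asymmetry(flows, server, ratio=5.0):
    """The distributed or spoofed case: aggregate everything aimed at one server.
    Individual sources stay under any per-pair threshold, but total inbound versus
    outbound packets for the server still betrays the flood.
    Returns (inbound_pkts, outbound_pkts, flood_suspected)."""
    inbound = sum(p for _s, _, d, _, pr, p in flows if d == server and pr == "TCP")
    outbound = sum(p for s, _, _d, _, pr, p in flows if s == server and pr == "TCP")
    return inbound, outbound, inbound > ratio * max(outbound, 1)


if __name__ == "__main__":
    for client, server, sent, back in pair_asymmetry(FLOOD_FLOWS):
        print(f"suspect {client} -> {server}: {sent} pkts out, {back} back")
    print("per-pair view of the spoofed flood:", pair_asymmetry(SPOOFED_FLOWS))
    print("server-wide view (in, out, flood?):", server_asymmetry(SPOOFED_FLOWS, SERVER))
```

On the first data set the per-pair check flags exactly the 172.16.26.7 to 152.3.25.28 pair from the table. On the second it flags nothing, because no single spoofed source crosses the packet threshold, while the server-wide total (about 31,000 packets in against 1,185 out) still does: when sources are spoofed or distributed, aggregate by the victim rather than by the attacker.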

Lastly, detection should not be limited to intrusion detection per se, but should also encompass analysis of outbound traffic, to detect whether the network is being used as a zombie in launching an attack. [15] This can be achieved by looking at indicators such as the rate of dropped outbound packets or any suspicious increase in the edge router logs for outbound traffic.


4.3.3 Proprietary Solutions

In light of the scope of DoS/DDoS attacks today, there are a number of proprietary solutions for intrusion detection. Currently, most of these systems rely on one of two overarching methodologies: signature-based detection and anomaly-based detection.

Asta Networks' Vantage System and Arbor Networks' Peakflow, from two leading DoS-detection companies, are described as implementing signature-based detection. This method compares traffic against a database of attack signatures, flagging packets that match a signature and treating all others as normal activity.

Anomaly-based detection, on the other hand, works as discussed in the previous section on monitoring. It first establishes a baseline of normal traffic characteristics and then makes decisions by comparing current traffic against that baseline. This approach is currently employed by nearly every proprietary DoS detection system. [15]

4.4 React

Once a DoS/DDoS attack has been identified as in progress, it is time to set in motion the protective measures discussed earlier. This includes applying router ACLs, reducing connection timeouts, rate limiting, and so on.

In addition to using the technical precautions set up within the network, it is important to attempt to trace the flood traffic back to its point of origin, both to contact the ISP, which may be better placed to deal with the attack, and, more pragmatically, to pursue possible legal remedies later. Ideally the ISP should be able to trace the flood traffic back to its origin, but in reality this depends on whether the source lies within the ISP's own netblocks. Otherwise, tracing the source requires the help of other providers upstream. [1]

4.5 Revise

In the aftermath of a DoS attack, it is important to analyze the point(s) of failure in the current security plan and draw up possible improvements: perhaps reducing the connection timeout value, achieving better load balancing, and so on. Other changes could reside upstream, such as restructuring contractual agreements with the ISP to include rate limiting.


Another important countermeasure that a DoS attack victim should explore is to contact law enforcement agencies such as the FBI or the NIPC (National Infrastructure Protection Center). The border routers' logs are the most likely evidence to submit. Most routers can also capture packet samples through a packet-capture or debug facility similar to tcpdump. [3]

4.6 Future Developments

In this section we examine several possible technological and legal countermeasures against DoS attacks and analyze the role of groups such as proprietary companies, standards bodies such as the IETF, developers, and governments.

4.6.1 Hardware Solutions

With the increased susceptibility of companies to DoS/DDoS attacks in one form or another, there is a growing need for networking hardware to incorporate DoS countermeasures.

One example of such an implementation is Intel's Internet Exchange Architecture, which uses programmable network processors as a highly distributed and flexible solution to DoS attacks. The key to this solution is a set of programmable microengines designed specifically for forwarding data efficiently. This technology would be incorporated into Smart-Links (SL), network devices that actively and passively monitor the network, collect statistical information, and report it to a Network Health Control Center (NHCC). NHCCs would in turn communicate across domains using the Simple Object Access Protocol (SOAP) and XML, serving as a means of reporting and tracing attacks. [5]

As discussed earlier, tracing attacks that use spoofed addresses is currently difficult because it requires correlating information across a number of domains and the cooperation of multiple ISPs to pinpoint the origin. Intel's Internet Exchange Architecture attempts to resolve this problem by creating a hardware-driven cooperative architecture.

4.6.2 Protocol Level Solutions

Currently, most forms of DoS/DDoS attack work by exploiting loopholes in the TCP/IP protocol suite (SYN flooding being the prime example), a suite designed more for efficiency than for security or authentication. It is therefore natural that many of the countermeasures being actively explored today operate at the protocol level. However, it must be stressed that while new protocols might eliminate current forms of DoS attack, they will be susceptible to their own weaknesses and may introduce entirely new forms of attack. They may also be the slowest countermeasures to put in place. Here are some of the most promising protocol extensions aimed at mitigating the threat of DoS:

itrace

ICMP Traceback, or itrace, is a protocol extension currently under development in the IETF. Itrace provides a means of tracing the actual source of a packet flow by having routers send ICMP "traceback" messages to the destination for a small random sample of the packets they forward (the draft proposed roughly one packet in 20,000). The recipient of a traceback message knows that the sampled packet passed through the router that sent it. By collecting large numbers of traceback messages, the victim can reconstruct the path the flood took, which works best for a high-volume flood originating from relatively few sources. [19]

IPsec

IPsec is another protocol extension developed by the IETF as a way of ensuring "confidentiality, integrity and authenticity of data communication over IP networks." While IPsec's authentication would help prevent spoofing, it comes at the cost of the extension's considerable complexity and the need to deploy it at both ends of a connection. [7]

IPv6

The next version of the Internet Protocol (IPv6) will certainly change the nature of DoS attacks as well as their countermeasures. Allocation of addresses to users directly should make tracing attack origins easier than the current system of allocation through ISPs. The much larger address space will also make it more difficult for attackers to scan hosts looking for potential "zombies." The possible incorporation of traceback features (such as itrace) should make pinpointing attack origins easier, and plans for ingress filtering at the outer edges of ISPs would greatly limit the ability of attackers to spoof addresses. [1]

4.6.3 Possible Role of ISPs

In the future, ISPs may play a bigger and bigger role in reducing the DoS threat. ISPs are important because, while individual networks may be able to control internal traffic, they have little influence over the amount and type of traffic arriving from their ISPs. One role ISPs can fill is implementing ingress filtering on their border routers so that illegitimate packets are automatically dropped and never reach victims within their netblocks.

Another possible role for ISPs would be to "blackhole" entire networks known to pass on spoofed traffic because they do not implement proper egress filtering. ISPs demonstrated their willingness to employ this form of quarantine during the Code Red and Nimda worm outbreaks, and may be willing to do the same to poor netizens in the future. [1] Such blacklisting would give the Internet community a greater incentive to collectively protect itself and others against the DoS threat.

4.6.4 Role of Government

The main role of government, at present and in the future, will rest in law enforcement and in acting as a key source of funding for DoS research and development. Key government-affiliated or government-funded organizations combating DoS range from the FBI to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University and the National Infrastructure Protection Center (NIPC).

For the most part, the government is leaving this domestic threat to the private sector and the Internet community to deal with. On February 29, 2000, James X. Dempsey, senior staff counsel for the Center for Democracy and Technology, testified before House and Senate subcommittees on the federal response to Internet denial-of-service attacks:

"[Internet security] is not a problem to be solved through the criminal justice system. Internet security is primarily a matter for the private sector, which has built this system in such a short time without government interference. It is clear that the private sector is stepping up its security efforts, with an effectiveness that government could never match, given the rapid pace of technology change and the decentralized nature of the medium.... The tools for warning, diagnosing, preventing and even investigating Internet attacks are uniquely in the hands of the private sector." [6]

While these strong statements argue that the government should take a hands-off approach to the DoS threat, one should consider that they were made before the September 11 attacks. As evidenced by the Patriot Act and more liberal use of Carnivore, the threat of terrorism in these post-9/11 days may well draw the government into the cyber-terrorism arena as well.


Chapter 5

Conclusion

The Internet phenomena loosely grouped under the headings of DoS/DDoS provide a subject that is both fascinating and frightening in its implications. While DoS attacks have already had a large impact on our world, affecting everyone from users to businesses to governments, the potential growth in the scale and sophistication of these attacks is truly remarkable. With the wide variety of tools available on the Internet, and the diminishing technical knowledge and effort necessary to launch such attacks, it would seem that, indeed, we have seen nothing yet. On the other side are the tools of defense, fueled by a desperate drive to deter, if not stop, these attacks.

The arms race developing between the two sides threatens to escalate into full-fledged information warfare. For every weapon, such as Aggressor Exploit Generator and Trinoo, there seems to be a shield, such as packet filtering and load balancing, ready to counter it. Every major victory for the attacker is splashed across the news, while the countless instances of successful defense go unnoticed.

In this paper the areas of attack, defense, and the aftermath of the battles left behind in the real world were split up and examined as individual subjects, but they are each part of an evolving landscape in both cyberspace and reality. A fundamental change has occurred in our world as we have entered the age of information warfare, and that is what this project attempts to capture. It is by no means a comprehensive report; instead it is a description of where we stand now and where we may be heading in the future.


Bibliography

[1] Allen Householder, Art Manion, Linda Pesante, and George M. Weaver, Managing the threat of denial-of-service attacks, CERT Coordination Center, v10.0 (2001).

[2] Elizabeth De Bony, G8 agree to reinforce cooperation on cybercrime, InfoWorld (2000).

[3] Cisco, Strategies to protect against distributed denial of service (DDoS) attacks, Cisco White Papers (2000).

[4] Cisco, Defining strategies to protect against TCP SYN denial of service attacks, Cisco Tech Notes (2002).

[5] David Durham, Priya Govindarajan, Dylan Larson, Priya Rajagopal, and Ravi Sahita, Elimination of distributed denial of service attacks using programmable network processors, Intel Research and Development, v1.0 (2002).

[6] James X. Dempsey, Internet denial of service attacks and the federal response, Center for Democracy and Technology (2000).

[7] Dang Nguyen Duc, Denial of service attacks and countermeasures analysis, http://caislab.icu.ac.kr/course/2001/autumn/ice615/termproject/finalpaper-duc.pdf.

[8] Danielle Dunne, What is a denial of service attack?, Darwin Magazine (2001).

[9] Rik Farrow, Distributed denial of service attacks, Network Magazine (2000).

[10] Brian Fonseca, Yahoo outage raises web concerns, Network World Fusion (2000).

[11] James Fontana, Infotech and the law, Washington Technology (1999).

[12] John Fontana, Palestinian crackers share bugs, Wired (2000).

[13] Frank Kargl, Joern Maier, and Michael Weber, Protecting web servers from distributed denial of service attacks, WWW10 (2001).

[14] Heather Harreld, Bush urges private sector to shore up networks, InfoWorld (2002).

[15] Shon Harris, Denying denial of service, Information Security Magazine (2001).

[16] Ann Harrison, The denial-of-service aftermath, CNN (2000).

[17] Eric Holder, Internet denial of service attacks and the federal response, US Department of Justice (2000).

[18] Jim Hu, Outage a deliberate attack, Yahoo says, CNN (2000).

[19] David Karig and Ruby Lee, Remote denial of service attacks and countermeasures, Princeton University Department of Electrical Engineering Technical Report CE-L2001-002 (2001).

[20] Jeordan Legon.

[21] Marco de Vivo, Gabriella O. de Vivo, and Germinal Isern, Internet security attacks at the basic levels, GIRAS U.C.V. (1997).

[22] Declan McCullagh.

[23] Peter Neumann, Denial-of-service attacks, Communications of the ACM 43 (2000), no. 4, 136.

[24] James Niccolai.

[25] Winn Schwartau.

[26] Peter Spiegel.

[27] Symantec, Ten steps to protect your enterprise from DoS attacks, Symantec Security Risks and Threats 659 (2001).

[28] Visualware, VisualPulse captures Yahoo denial of service attack, Visualware (2000).

[29] Zhao Wen-Wang and Qin Shi-Yin, Diagnosis of DDoS attack and a novel approach to optimizing control, Ph.D. thesis, EICES, Beijing Polytechnic University, Beijing, P.R. China 100022, April 2001.

[30] Troy Wolverton and Greg Sandoval.