Chapter 1. Introduction

It is Monday night and you are still in the office, when you suddenly become aware of the whirring of the disks and network lights blinking on the Web server. It seems like your company’s Web site is quite well visited tonight, which is good because you are in e-business, selling products over the Internet, and more visits mean more earnings. You decide to check it out too, but the Web page will not load. Something is wrong.

A few minutes later, network operations confirm your worst fears. Your company’s Web site is under a denial-of-service attack. It is receiving so many requests for a Web page that it cannot serve them all—50 times your regular load. Just like you cannot access the Web site, none of your customers can. Your business has come to a halt.

You all work hard through the night trying to devise filtering rules to weed out bogus Web page requests from the real ones. Unfortunately, the traffic you are receiving is very diverse and you cannot find a common feature that would make the attack packets stand out. You next try to identify the sources that send you a lot of traffic and blacklist them in your firewall. But there seem to be hundreds of thousands of them and they keep changing. You spend the next day bringing up backup servers and watching them overload as your earnings settle around zero. You contact the FBI and they explain that they are willing to help you, but it will take them a few days to get started. They also inform you that many perpetrators of denial-of-service attacks are never caught, since they do not leave enough traces behind them.

All you are left with are questions: Why are you being attacked? Is it for competitive advantage? Is an ex-employee trying to get back at you? Is this a very upset customer? How long can your business be offline and remain viable? How did you get into this situation, and how will you get out of it? Or is this just a bug in your own Web applications, swamping your servers accidentally?

This is a book about Denial-of-Service attacks, or DoS for short. These attacks aim at crippling applications, servers, and whole networks, disrupting legitimate users’ communication. They are performed intentionally, easy to perpetrate, and very, very hard to handle. The popular form of these attacks, Distributed Denial-of-Service (DDoS) attacks, employs dozens, hundreds, or even well over 100,000 compromised computers, to perform a coordinated and widely distributed attack. It is immensely hard to defend yourself against a coordinated action by so many machines.

This book describes DoS and DDoS attacks and helps you understand this new threat. It also teaches you how to prepare for these attacks, preventing them when possible, dealing with them when they do occur, and learning how to live with them, how to quickly recover and how to take legal action against the attackers.

1.1 DoS and DDoS

The goal of a DoS attack is to disrupt some legitimate activity, such as browsing Web pages, listening to an online radio, transferring money from your bank account, or even docking ships communicating with a naval port. This denial-of-service effect is achieved by sending messages to the target that interfere with its operation, and make it hang, crash, reboot, or do useless work.

One way to interfere with a legitimate operation is to exploit a vulnerability present on the target machine or inside the target application. The attacker sends a few messages crafted in a specific manner that take advantage of the given vulnerability. Another way is to send a vast number of messages that consume some key resource at the target such as bandwidth, CPU time, memory, etc. The target application, machine, or network spends all of its critical resources on handling the attack traffic and cannot attend to its legitimate clients.

Of course, to generate such a vast number of messages the attacker must control a very powerful machine—with a sufficiently fast processor and a lot of available network bandwidth. For the attack to be successful, it has to overload the target’s resources. This means that an attacker’s machine must be able to generate more traffic than a target, or its network infrastructure, can handle.

Now let us assume that an attacker would like to launch a DoS attack on example.com by bombarding it with numerous messages. Also assuming that example.com has abundant resources, it is then difficult for the attacker to generate a sufficient number of messages from a single machine to overload those resources. However, suppose he gains control over 100,000 machines and engages them in generating messages to example.com simultaneously. Each of the attacking machines now may be only moderately provisioned (e.g., have a slow processor and be on a modem link) but together they form a formidable attack network and, with proper use, will be able to overload a well-provisioned victim. This is a distributed denial-of-service—DDoS.

Both DoS and DDoS are a huge threat to the operation of Internet sites, but the DDoS problem is more complex and harder to solve. First, it uses a very large number of machines. This yields a powerful weapon. Any target, regardless of how well-provisioned it is, can be taken offline. Gathering and engaging a large army of machines has become trivially simple, because many automated tools for DDoS can be found on hacker Web pages and in chat rooms. Such tools do not require sophistication to be used and can inflict very effective damage. A large number of machines gives another advantage to an attacker. Even if the target were able to identify attacking machines (and there are effective ways of hiding this information), what action can be taken against a network of 100,000 hosts? The second characteristic of some DDoS attacks that increases their complexity is the use of seemingly legitimate traffic. Resources are consumed by a large number of legitimate-looking messages; when comparing the attack message with a legitimate one, there are frequently no telltale features to distinguish them. Since the attack misuses a legitimate activity, it is extremely hard to respond to the attack without also disturbing this legitimate activity.

Take a tangible example from the real world. (While not a perfect analogy to Internet DDoS, it does share some important characteristics that might help you understand why DDoS attacks are hard to handle.) Imagine that you are an important politician and that a group of people that oppose your views recruit all their friends and relatives around the world to send you hate letters. Soon you will be getting so many letters each day that your mailbox will overflow and some letters will be dropped in the street and blown away. If your supporters send you donations through the mail, their letters will either be lost or stuffed in the mailbox among the copious hate mail. To find these donations, you will have to open and sort all the mail received, wasting lots of time. If the mail you receive daily is greater than what you can process during one day, some letters will be lost or ignored. Presumably, hate letters are much more numerous than those carrying donations, so unless you can quickly and surely tell which envelopes contain donations and which contain hate mail, you stand a good chance of losing most of the donations. Your opponents have just performed a real-world distributed denial of service attack on you, depriving you of support that may be crucial to your campaign.

What could you do to defend yourself? Well, you could buy a bigger mailbox, but your opponents can simply increase the number of letters they send, or recruit more helpers. You must still identify the donations in the even larger pool of letters. You could hire more people to go through letters—a costly solution since you have to pay them from diminishing donations. If your opponents can recruit more helpers for free, they can make your processing costs as high as they like. You could also try to make the job of processing mail easier by asking your supporters to use specially colored envelopes. Your processing staff can then simply discard all envelopes that are not of the specified color, without opening them. Of course, as soon as your opponents learn of this tactic they will purchase the same colored envelopes and you are back where you started. You could try to contact post offices around the country asking them to keep an eye on people sending loads of letters to you. This will only work if your opponents are not widely spread and must therefore send many letters each day from the same post office. Further, it depends on cooperation that post offices may be unwilling or unable to provide. Their job is delivering letters, not monitoring or filtering out letters people do not want to get. If many of those sending hate mail (and some sending donations) are in different countries, your chances of getting post office cooperation are even smaller. You could also try to use the postmark on the letters to track where they were sent from, then pay special attention to post offices that your supporters use or to post offices that handle suspiciously large amounts of your mail. This means that you will have to keep a list of all postmarks you have seen and classify each letter according to its postmark, to look for anomalous amounts of mail carrying a certain postmark. If your opponents are numerous and well spread all over the world this tactic will fail. Further, postmarks are fairly nonspecific locators, so you are likely to lose some donations while discarding the hate letters coming to you from a specific postmark.

As stated before, the analogy is not perfect, but there are important similarities. In particular, solutions similar to those above, as well as numerous other approaches specific to the Internet world, have been proposed to deal with DDoS. Like the solutions listed above that try to solve the postal problem, the Internet DDoS solutions often have limitations or do not work well in the real world. This book will survey those approaches, presenting their good and bad sides, and provide pointers for further reference. It will also talk about ways to secure and strengthen your network so it cannot be easily taken offline, steps to take once you are under attack (or an unwitting source of the attack), and what law enforcement can do to help you with a DDoS problem.

1.2 Why Should We Care?

Why does it matter if someone can take a Web server or a router offline? It matters because the Internet is now becoming a critical resource whose disruption has financial implications, or even dire consequences on human safety. An increasing number of critical services are using the Internet for daily operation. A DDoS attack may not just mean missing out on the latest sports scores or weather. It may mean losing a bid on an item you want to buy or losing your customers for a day or two while you are under attack. It may mean, as it did for the port of Houston, Texas, that the Web server providing the weather and scheduling information is unavailable and no ships can dock [MK03]. Lately, a disturbing extortion trend has appeared—online businesses are threatened by DDoS if they do not pay for “protection.” Such a threat is frequently backed up by a small demonstration that denies the business service for a few hours [Sha].

How likely are you to be a DDoS target? A study evaluated Internet DDoS activity in 2001, looking at a small sample of traffic observable from its network [MVS01]. The authors were able to detect approximately 4,000 attacks per week (for a three-week period), against a variety of targets ranging from large companies such as Amazon and Hotmail to small Internet Service Providers (ISPs) and dial-up connections. The method they used was not able to notice all attacks that happened during that period, so 4,000 is an underestimate. Further, since DDoS activity has increased and evolved since then, today’s figure is likely to be much bigger. In the 2004 FBI report on cybercrime, nearly a fifth of the respondents who suffered financial loss from an attack had experienced a DoS attack. The total reported costs of DoS attacks were over $26 million. Denial of service was the top source of financial loss due to cybercrime in 2004. It is safe to conclude that the likelihood of being a DDoS target is not negligible.

But DDoS affects not only the target of the attack traffic. Legitimate users of the target’s services are affected, too. In January 2001, a DDoS attack on Microsoft prevented about 98% of legitimate users from getting to any of Microsoft’s servers. In October 2002, there was an attack on all 13 root Domain Name System (DNS) servers. DNS service is crucial for Web browsers and for many other applications, and those 13 servers keep important data for the whole Internet. Since DNS information is heavily cached and the attack lasted only an hour, there was no large disruption of Internet activity. However, 9 of these 13 servers were seriously affected. Had the attack lasted longer, the Internet could conceivably have experienced severe disruption. The aforementioned attack that disabled the port of Houston, Texas, was actually directed at a South African chat room user, with the port’s computers being misused for the attack [Reg]. DDoS affects all of us directly or indirectly and is a threat that should be taken seriously.

1.3 What Is This Book?

This is the first book that is written exclusively about the DoS problem. There have been a number of important shorter treatments of the DDoS problem and solution approaches ([CER99, HMP⁺01]), but this book greatly expands on and updates these seminal works. It is intended to speak to both technical and nontechnical audiences, informing them about this problem and presenting and discussing potential solutions. Whether you are a CTO of a company, a network administrator, or a computer science student, we are sure you will find the information in this book informative and helpful and will want to learn more about DoS and DDoS. We have provided references to further reading, conferences, and journals that publish papers from this field and organizations that deal with the DoS problem specifically for this purpose. Since the DDoS field is very dynamic both in new threats and new defenses, we will gather and publish current information to accompany the book on a Web page: http://staff.washington.edu/dittrich/misc/ddos/book/. Following is an overview of all the useful things you will find inside this book.

• A thorough explanation of DoS and DDoS—why these attacks occur, how frequently they are conducted and in what manner, and how they affect the victim.

• Examples of some DoS and DDoS attack types that have been seen to date and a discussion of trends, in an effort to give the reader a good overview of the field.

• An extensive overview of the defensive methods and tools that exist now or are in research and development stages.

• Examples of the true fragility of services that depend on the current Internet infrastructure that will provide decision makers (or those who advise them) with a better context for making risk assessments and judgments about what services to place in the Internet, how to protect them, and what the consequences might be if they are attacked.

• Descriptions of how DDoS attack tools function, how to respond to DDoS attacks, and how to collect and analyze evidence in ways that support both DDoS defense and the needs of law enforcement, should you choose to pursue criminal prosecution or civil litigation.

1.4 Who Is This Book For?

The book is meant for readers with a good background in general computer networking and some knowledge of general network security issues, but little specialized knowledge of DDoS attacks.

• It is primarily aimed at computer system (end host) and network administrators, those who are responsible for keeping computers and networks functioning in the face of failure (whether natural or human-induced). There should be sufficient depth and detail for technical readers, with many citations to provide the added detail this audience demands.

• It is also aimed at those in management and policy positions who need to understand how to manage businesses and other organizations that rely on the Internet functioning in an operational sense. There should be enough general and easy-to-digest information to bring the picture of DDoS into view for those who have never encountered this subject before, allowing them to see how they may be affected by this problem in the future or how to deal with it now if they are affected.

• This book will be useful to those with political and legal responsibilities, helping them understand how the technical and legal worlds intersect in the Internet. The concepts of cybercrime and cyberwarfare involve the potential use of denial of service as a weapon to disrupt or degrade critical infrastructures. Many services, such as computers designed for medical imaging, were not designed to be used in a hostile network environment. They use Common Off-The-Shelf (COTS) commercial operating systems as delivered by the vendor, and often without securing them or updating the software. These computers are vulnerable to potential denial of service or complete compromise. As more and more critical applications migrate to the Internet, the risk of potential loss of income or even loss of life grows. This book will provide political and legal representatives with the background necessary to make sound decisions on public policy and law enforcement. Understanding the risks and making appropriate investments in protective measures or new security research can help prevent this risky future.

• Finally, the book is meant for anyone who has heard rumors about DDoS and would like to understand more about the phenomenon (e.g., students, teachers, corporate employees, home business owners, journalists). These people will gain detailed knowledge of the problem and of the current defense approaches. Some of them may be intrigued enough to join the search for solutions!

1.5 What Can This Book Help You Do?

This book will help you understand the problem of DDoS. It will help you in evaluating current defenses and in choosing the right ones for you. It will help you protect your network, minimizing damages and quickly recovering if you do get attacked.

We wrote this book because—surprisingly, considering DDoS has existed as a problem since 1999—there are currently no books that focus exclusively on DDoS. Existing network security books either ignore the topic or devote at most a chapter to it. These works provide enough information for computer practitioners who merely need to be familiar with the concept, but not nearly enough for a network administrator or CTO who needs to protect her network from such attacks and must be prepared to recover from them. There are many academic papers on the subject, but their view is limited to their particular research topic. There are also white papers from companies offering products to ameliorate DDoS attacks, but they are primarily interested in demonstrating the effectiveness and other advantages of their particular product.

1.6 Outline of the Remaining Chapters

Since the book is intended for a variety of readers, we divided its content into chapters with different difficulty levels (denoted in italics next to chapter names in the overview below). Chapters marked nontechnical are intended for readers who do not have extensive knowledge of networking and security and who are seeking a gradual introduction to DDoS. These readers may wish to read only the nontechnical chapters. Chapters marked technical are for those readers who are familiar with networking operations, such as system administrators, and who are looking for a quick reference to specific DDoS issues or for a fast technical overview of the problems and potential solutions. These readers may wish to read only the technical chapters. There is also a chapter that bears a nontechnical/technical mark. This chapter has a blend of material that contains both technical and nontechnical items. Both of the above groups should read this chapter. Finally, readers who are specifically seeking to learn about DDoS in order to work in this field in the future, such as students and teachers, will find it useful to read the book from cover to cover, as nontechnical chapters set the stage for technical ones.

• Chapter 2: Understanding Denial of Service. (Nontechnical/technical level) This chapter explains the DDoS phenomenon and illustrates the scope and seriousness of the problem.

• Chapter 3: History of DoS and DDoS. (Nontechnical level) This chapter recounts how and when DoS attacks came about, how they evolved into DDoS attacks, what is behind the DDoS problem, and what aspects of Internet design and management are especially related to this problem.

• Chapter 4: How Attacks Are Waged. (Technical level) This chapter gives a detailed description of the “modus operandi” of a DDoS attack and discusses different DDoS variants.

• Chapter 5: An Overview of DDoS Defenses. (Nontechnical level) This chapter discusses the challenges that DDoS defense is facing. It also discusses different approaches to design a DoS or DDoS defense, and presents some key ideas, found both in research and commercial solutions. These ideas are building blocks of current defenses.

• Chapter 6: Detailed Defense Approaches. (Technical level) This chapter explains practical approaches to strengthen your network and make it resist and recover from DDoS attacks. It discusses how to analyze DDoS incidents and gather detailed information that will help respond to the attack and, later, take legal action against perpetrators.

• Chapter 7: Survey of Research Defense Approaches. (Technical level) This chapter gives an overview of many research approaches to DoS and DDoS defense.

• Chapter 8: Legal Issues. (Nontechnical level) This chapter speaks about laws that are applicable to DoS and DDoS, and steps you can take to bring legal action against attackers.

• Chapter 9: Conclusions. (Nontechnical level) This chapter offers a prognosis for DDoS defense and conclusions, along with useful pointers to Web pages, mailing lists, conferences, and journals that publish DDoS-related information.

• Appendix A: Glossary. (Technical level) This appendix contains a glossary of technical terms used throughout the book, with detailed explanation and organized as an easy reference.

• Appendix B: Survey of Commercial Defense Approaches. (Technical level) This appendix offers a survey of several commercial DDoS solutions to inform the reader of design decisions implemented in these solutions, and functionalities that can be found in the market.

• Appendix C: DDoS Data. (Technical level) This appendix offers a survey of available quantitative studies of the DDoS phenomenon, detailing the frequency and type of observed attacks, how they are performed, and the damages incurred.