                Date: 2000-02-16
                 
                 
                Schneier on DDoS attacks
                
                 
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
                 
                
      As always measured in its judgement, but forceful in its statements and
equipped with plenty of knowledge of techno-history, Bruce Schneier's monthly
analysis is this time, for obvious reasons, devoted to the distributed denial
of service attacks on Yahoo and others.
 
 
-.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-   
relayed from the author B.S., whose home on the net is here:
http://www.counterpane.com
                   
-.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-   
Suddenly, distributed denial-of-service (DDS) attacks are big  
news.  The first automatic tools for these attacks were  
released last year, and CERT sent out an advisory in  
November.  But the spate of high-profile attacks in mid- 
February has put them on the front pages of newspapers  
everywhere. 
 
Not much is new.  Denial-of-service attacks have been going  
on for years.  The recent attacks are the same, only this time  
there is no single source of the attack.  We've seen these for  
years, too.  The attacker first breaks into hundreds or  
thousands of random insecure computers (called "zombies")  
on the Internet and installs an attack program.  Then he  
coordinates them all to attack the target at the same time.   
The target is attacked from many places at once; his  
traditional defenses just don't work, and he falls over dead. 
 
It's very much like the pizza delivery attack: Alice doesn't like  
Bob, so she calls a hundred pizza delivery parlors and, from  
each one, has a pizza delivered to Bob's house at 11:00 PM.  
 At 11, Bob's front porch is filled with 100 pizza deliverers, all  
demanding their money.  It looks to Bob like the pizza Mafia  
is out to get him, but the pizza parlors are victims too.  The  
real attacker is nowhere to be seen. 
 
This sounds like a complicated attack on the Internet, and it  
is.  But unfortunately, it only takes one talented programmer  
with a poor sense of ethics to automate and distribute the  
attacks.  Once a DDS tool is publicly available, an attacker  
doesn't need skill; he can use a simple point-and-click  
interface to infect the intermediate sites, as well as to  
coordinate and launch the attack.  This is what's new: easy- 
to-use DDS tools like Trin00 and Tribal Flood Network. 
 
These attacks are incredibly difficult, if not impossible, to  
defend against.  In a traditional denial-of-service attack, the  
victim computer might be able to figure out where the attack  
is coming from and shut down those connections.  But in a  
distributed attack, there is no single source.  The computer  
should shut down all connections except for the ones it  
knows to be trusted, but that doesn't work for a public  
Internet site. 
 
Other defenses also have problems.  I've seen proposals that  
force the client to perform an expensive calculation to make a  
connection.  (RSA pre-announced such a "solution.") This  
works against standard denial-of-service attacks, but not  
against a distributed one.  Large-scale filtering at the ISPs  
can help, but that requires a lot of effort and will reduce  
network bandwidth noticeably. 
 
At least one report has suggested that a lack of  
authentication on the Internet is to blame.  This makes no  
sense.  The packets did harm just by the attempt to deliver  
them; whether or not they were authenticatable is completely  
irrelevant.  Mandatory authentication would do nothing to  
prevent these attacks, or to track down the attackers. 
 
There have been two academic conferences on DDS attacks  
in recent weeks, and the general consensus is that there is  
no way to defend against these attacks.  Sometimes the  
particular bugs exploited in the DDS attacks can be patched,  
but there are many that cannot.  The Internet was not  
designed to withstand DDS attacks. 
 
Tracing the attacker is also incredibly difficult.  Going back to  
the pizza delivery example, the only thing the victim could do  
is to ask the pizza parlors to help him catch the attacker.  If  
all the parlors coordinated their phone logs, maybe they  
could figure out who ordered all the pizzas in the first place.   
Something similar is possible on the Internet, but it is  
unlikely that the intermediate sites kept good logs.   
Additionally, it is easy to disguise your location on the  
Internet.  And if the attacker is in some Eastern European  
country with minimal computer crime laws, a bribable police,  
and no extradition treaties, there's nothing you can do  
anyway. 
 
So far, these attacks are strictly denial-of-service.  They do  
not affect the data on the Web sites.  These attacks cannot  
steal credit card numbers or proprietary information.  They  
cannot transfer money out of your bank account to trade  
stocks in your name.  Attackers cannot gain financially from  
these attacks.  Still, they are very serious.  And it is certainly  
possible that an attacker can use denial of service as a tool  
for a more complicated attack that IS designed to steal  
something. 
 
This is not to say that denial-of-service attacks are not real,  
or not important.  For most big corporations, the biggest risk  
of a security breach is loss of income or loss of reputation,  
either of which is achieved by a conspicuous denial-of-service  
attack.  And for companies with more mission- or life-critical  
data online, a DOS attack can literally put a person's life at  
risk. 
 
The real problem is that there are hundreds of thousands,  
possibly millions, of innocent naive computer users who are  
vulnerable to attack.  They're using DSL or cable modems,  
they're always on the Internet with static IP addresses, and  
they can be taken over and used as launching pads for these  
(and other) attacks.  The media is focusing on the mega e- 
corporations that are under attack, but the real story is the  
individual systems. 
 
Similarly, the real solutions are of the "civic hygiene" variety.   
Just as malaria was defeated in Washington, DC, by draining  
all the swamps, the only real way to prevent these attacks is  
to protect those millions of individual computers on the  
Internet.  Unfortunately, we are building swampland at an  
incredible rate, and securing everything is impracticable.   
Even if personal firewalls had a 95% market penetration, and  
even if they were all installed and operated perfectly, there  
would still be enough insecure computers on the Internet to  
use for these attacks. 
 
I believe that any long-term solution will involve redesigning  
the entire Internet.  Back in the 1960s, some people figured  
out that you could whistle, click, belch, or whatever into a  
telephone and make the system do things.  This was the era  
of phone phreaking: black boxes, blue boxes, Captain  
Crunch whistles.  The phone company did their best to  
defend against these attacks, but the basic problem was that  
the phone system was built with "in-band signaling": the  
control signal and the data signal traveled along the same  
wires.  In the 1980s, the phone company completely  
redesigned the phone system.  For example SS7, or  
Signaling System 7, was out-of-band.  The voice path and  
data path were separated.  Now it doesn't matter how hard  
you whistle into the phone system: the switch isn't listening.   
The attacks simply don't work.  (Red boxes still work,  
against payphones, by mimicking the in-band tones that  
count the coins deposited in the phones.) 
 
In the long term, out-of-band signaling is the only way to deal  
with many of the vulnerabilities of the Internet, DDS attacks  
among them.  Unfortunately, there are no plans to redesign  
the Internet in this way, and any such undertaking might be  
just too complicated to even consider. 
 
Discussion of DDS attacks:  
<http://staff.washington.edu/dittrich/talks/cert/> 
 
CERT Advisory: <http://www.cert.org/incident_notes/IN-99-07.html>
 
Tool to check if Tribal Flood Network or Trin00 is installed on  
your computer: <http://www.nfr.net/updates/> 
 
Tutorial on DOS attacks:  
<http://www.hackernews.com/bufferoverflow/00/dosattack/dosattack.html>
 
Trin00 Analysis:  
<http://staff.washington.edu/dittrich/misc/trinoo.analysis> 
 
Tribal Flood Network Analysis:  
<http://staff.washington.edu/dittrich/misc/tfn.analysis> 
 
Stacheldraht Analysis:  
<http://staff.washington.edu/dittrich/misc/stacheldraht.analysis>
 
Declan McCullagh's essay on the topic:  
<http://www.wired.com/news/politics/0,1283,34294,00.html> 
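The essay's point that a victim can cut off a single attacking source but not a flood spread over many zombies can be shown with a small simulation. This is an added illustration, not code from the essay or from the newsletter; all addresses, user counts and request volumes are constructed, and the per-source cut-off policy is a simplified stand-in for the "figure out where the attack is coming from and shut down those connections" defense.

```python
from collections import Counter

# Policy: a source sending more than this many requests in the window is cut off.
PER_SOURCE_LIMIT = 50

def legit_users(users=200, per_user=3):
    """Constructed background traffic: each user loads one page of 3 requests."""
    return [(f"198.51.100.{i}", True) for i in range(users) for _ in range(per_user)]

def single_source_flood(attack=3000):
    """Classic DoS: one attacker address (constructed) sends all attack traffic."""
    return legit_users() + [("203.0.113.7", False)] * attack

def distributed_flood(zombies=1000, per_zombie=3):
    """DDoS: the same volume spread over many zombies, each behaving like a user."""
    traffic = legit_users()
    for z in range(zombies):
        traffic += [(f"10.{z // 256}.{z % 256}.1", False)] * per_zombie
    return traffic

def apply_per_source_limit(requests, limit=PER_SOURCE_LIMIT):
    """Drop every request from any source that exceeds `limit` in the window.

    requests is a list of (source_address, is_legitimate) pairs. Returns how
    many legitimate and attack requests still reach the server, and how many
    were dropped by the per-source cut-off.
    """
    per_source = Counter(src for src, _ in requests)
    blocked = {src for src, n in per_source.items() if n > limit}
    legit_served = sum(1 for src, legit in requests if legit and src not in blocked)
    attack_served = sum(1 for src, legit in requests if not legit and src not in blocked)
    return {"legit_served": legit_served,
            "attack_served": attack_served,
            "dropped": len(requests) - legit_served - attack_served}

if __name__ == "__main__":
    # Single source: the attacker is cut off, legitimate users are unaffected.
    print("single source, limit 50:", apply_per_source_limit(single_source_flood()))
    # Distributed: every zombie stays under the limit, the whole flood gets through.
    print("distributed, limit 50:  ", apply_per_source_limit(distributed_flood()))
    # Tightening the limit enough to stop the zombies also cuts off every real user.
    print("distributed, limit 2:   ", apply_per_source_limit(distributed_flood(), limit=2))
```

The third case is the essay's dilemma in numbers: once zombies are indistinguishable from users, any per-source threshold that stops them also shuts out the public the site exists to serve.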
 
 
 
-.-  -.-. --.-   
Come out to the Linux Demo Day on 17 February in Linz [AT]
http://www.quintessenz.at
                   
-.-. --.- -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. 
Whoever has stood up once
should now resist.
http://o5.or.at
                   
-.-. --.- -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-
    
                 
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
                
edited by Harkank 
published on: 2000-02-16 
comments to office@quintessenz.at
                   
                  