Distributed Reflective Denial of Service Attacks

by Spyrochaete

The purpose of the following report is to educate those with an interest in Internet security.  I wouldn't commit the acts described below and neither should you.  Hosting services online costs someone money.  Find a more constructive way to express your opinions.

p.s., I'm a college student, not a professional (dammit, Jim).  Sorry if something I've said is inaccurate.  G.I.G.O.

The worldwide Internet is composed of an overlapping array of hardware that directs small fragments of information along various temporary pathways from source to destination.  Because of the tremendously high volume of traffic continuously flowing through the virtual veins of the Internet, it is possible for wayward-minded individuals to harness the services of the powerful hardware at the system's logical core without detection, for example, to attack the system of their choice.

One such attack that is particularly effective and undetectable by the managers of intermediate communications hardware is the Distributed Reflective Denial-of-Service (henceforth DRDoS) attack.

DRDoS is the latest in the series of Denial-of-Service (DoS) attacks.  An explanation of the history of this type of attack is in order to fully understand the ramifications of this new threat.

The standard Denial-of-Service (DoS) attack is one of the more common attacks by "script kiddies."  A properly motivated individual can effectively perform such an attack on the target of their choice with little effort.  DoS is the result of local routing hardware being overloaded with fraudulent instructions.  Specifically, DoS is the result of exploiting vulnerabilities in the TCP/IP three-way handshake in which a client and server become aware of each other by swapping synchronization packets.

Occasionally, an ordinary, legitimate synchronization (SYN) packet will become corrupted, causing it to be misinterpreted by the computer on the other end.  Servers allow such packets a short grace period before abandoning them.  Altering the source IP address of an outgoing SYN packet hides the packet's true origin and causes the receiving computer to attempt to synchronize with a nonexistent (or unresponsive) host.  When this occurs innocently (which it does, regularly and inevitably, however infrequently), the overhead in computing resources is inconsequential and harmless.  But when exploited by a malevolent individual, this can be performed by a single computer frequently enough to saturate the victim's connection so thoroughly that its services cease.  If the attacker can harness a more powerful machine than the one at his or her disposal, the attack becomes that much more effective.

An attack originating from any one machine is not likely to be very powerful or completely incapacitating.  Instructing a main router or firewall to ignore IP addresses that generate packets too frequently is one way to terminate such an attack.  Although the security system will be bogged down as it examines and discards every unwelcome packet, the network behind it is spared because the packets never complete their journey.  An attacker can defeat this countermeasure by randomizing the spoofed source IP address in every packet.

The Distributed Denial-of-Service (DDoS) attack uses the same principle to debilitate its target but is exponentially more effective.  The attacker enlists the services of several remote computers ("zombies") by acquiring control over them and issuing simple commands.  A common method of secretly achieving control over a computer is to distribute a Trojan that installs software connecting the computer to a common server (e.g., IRC), from which the attacker can control a list of zombies en masse like a general commanding infantry.  Each zombie simultaneously performs its own DoS attack, saturating the victim far more heavily and making the attack even more difficult to defend against.  A properly coordinated DDoS attack can put almost any system at the mercy of an attacker.

DRDoS is a very recent iteration of the DoS attack and is quite ingenious in its design.  DRDoS resembles DDoS in that it employs the power of several sources to attack one victim, but it does so in a stealthier, more overwhelming manner.  In a DRDoS attack, the attacker sends request packets with a forged source address to a very large number (hundreds) of innocent third-party hosts, telling each one that the victim's computer is requesting a certain service.  The traffic generated by each intermediate server is so small, perhaps smaller than that of legitimate requests, that administrators are quite unlikely to notice the attack at all.  Yet the astronomical total number of service packets (for example, two packets per second multiplied by 3,000 servers) is sufficient to overwhelm virtually any system anywhere.

One example of a DRDoS attack is the Border Gateway Protocol (BGP) attack.  Routers regularly exchange routing tables with their neighbors (routers sharing borders), each asking for and granting the other permission to do so.  In preparation for such an attack, the attacker's first step is to acquire a large list of fast Internet routers.  This can be done very easily by running the TRACERT utility against a number of websites and cataloging, say, the middle five entries.  These entries are very likely to be core routers that bridge the huge segments of the Internet.  This can be verified by resolving the names of the IP addresses (for example, descriptive FQDNs such as ra1shge34.mt.bigpipeinc.com and if-10-0.core1.chicago3.teleglobe.net obviously represent central routers).

An enormous list can be compiled automatically in a few hours via a simple script.  The attacker then cycles through the list of routers, sending a sweep of forged packets whose source address claims that the victim is itself a router requesting to exchange routing tables.  The sheer volume of incoming packets will incapacitate the victim entirely and immediately, until the attacker chooses to terminate the cycle.

This attack, at the moment, is truly impossible for the victim to defend against.  It is infeasible to block the IP addresses of the Internet's major routers because they are required to communicate with valid clients.  Because network services live inside the service socket range (ports 1-1023), disabling all communication from these ports may prevent such an attack entirely, but conversely may impede genuine service if the server must occasionally act as a client to fulfill its regular duties.  In fact, the only viable solution to this and many other attacks lies with Internet service providers, who have the power to prevent packets with spoofed source IPs from leaving the confines of their networks.  Unfortunately, the majority of ISPs do not perform this filtering.
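As an added illustration (not part of the original article) of the point above that a reflected flood arrives from many sources, each sending too little to trip the per-source block described earlier, here is a small Python detector run over constructed flow records; the addresses, packet counts and thresholds are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed flow summaries for one 10-second window, one entry per
# (source address, source port, destination address, packet count).
# All addresses and counts are made up for illustration.
WINDOW_SECONDS = 10
FLOWS = [
    # ordinary web clients talking to 198.51.100.10
    ("203.0.113.5", 51234, "198.51.100.10", 12),
    ("203.0.113.9", 40211, "198.51.100.10", 30),
    # one host hammering 198.51.100.20: a plain single-source flood
    ("203.0.113.77", 33333, "198.51.100.20", 9000),
    # 200 routers each replying from the BGP port (179) at a trickle,
    # all aimed at 198.51.100.30: the reflective signature
] + [(f"192.0.2.{i}", 179, "198.51.100.30", 20) for i in range(1, 201)]


def per_source_blocklist(flows, window=WINDOW_SECONDS, threshold_pps=50):
    """The classic defence: block any source that sends faster than threshold."""
    return {src for src, _, _, pkts in flows if pkts / window > threshold_pps}


def classify(flows, window=WINDOW_SECONDS, single_pps=500,
             aggregate_pps=300, per_source_pps=50, min_sources=50):
    """Label each destination: normal, single-source flood or reflective flood.

    Reflection shows up as a high aggregate rate spread over many sources that
    each stay below the per-source limit, mostly replying from one service port.
    """
    per_dst = defaultdict(list)
    for src, sport, dst, pkts in flows:
        per_dst[dst].append((src, sport, pkts / window))
    verdicts = {}
    for dst, entries in per_dst.items():
        total = sum(rate for _, _, rate in entries)
        peak = max(rate for _, _, rate in entries)
        sources = len({src for src, _, _ in entries})
        top_port = Counter(sport for _, sport, _ in entries).most_common(1)[0][0]
        if peak >= single_pps:
            verdict = "single-source flood"   # a per-source block handles this one
        elif total >= aggregate_pps and sources >= min_sources and peak <= per_source_pps:
            verdict = "reflective flood"      # no single source exceeds the limit
        else:
            verdict = "normal"
        verdicts[dst] = {"verdict": verdict, "pps": round(total, 1),
                         "sources": sources, "peak_pps": round(peak, 1),
                         "top_src_port": top_port}
    return verdicts
```

Running classify(FLOWS) labels 198.51.100.30 a reflective flood (200 sources, all replying from port 179), while per_source_blocklist(FLOWS) catches only the single flooding host 203.0.113.77 and none of the reflectors.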

DRDoS is a very damaging, very real concern for the networked world and should not be taken lightly.  It is the responsibility of every network administrator to be diligent in preventing their own domains from taking part in such an attack.  Auditing a network's activity and employing diligence, education and insight are all essential to keep one's site secure.

Shouts to: msmittens, lord__nikon, axiom dadak, purple motion, skaven, necros, mental floss, and efnet #2600 before it got taken over by hackers.