9 February, 2000
AXENT Counters Distributed Denial-of-Service

A new generation of sophisticated attack tools has recently been used to block access to several large commercial websites including Amazon.com, E*Trade, Yahoo, Buy.com, and eBay. AXENT has researched and developed countermeasures to this new and apparently growing threat to the Internet.

AXENT's NetProwler and NetRecon have countermeasures available today that can detect and alert you to the presence of these attack tools so you do not unwittingly participate in one of these attacks. These countermeasures are very effective in locating specific DDoS attack tools by tricking the tools into identifying themselves or by analyzing the communication used to install, control, or initiate attacks.

AXENT will continue to devote resources to counteracting this threat. Countermeasures are currently being developed for Enterprise Security Manager (ESM), Intruder Alert, NetRecon, and NetProwler to identify deployed DDoS tools (see below).

AXENT will continue to release new countermeasures as future attack tools appear, and will publish its signature analysis for use by outside security agencies.

What is a denial-of-service attack?

A denial-of-service (DoS) attack results in users of a service being denied access. For example, DoS attacks can be used to crash a web server, or send a flood of communication that blocks legitimate visitors.

Flood attacks tend to consume the bandwidth of both the sender and the receiver. Internet connectivity is like a pipe system, and the network with the biggest pipe will win in a flood attack. Because attackers do not have legitimate access to the required bandwidth, and because floods can sometimes be traced to the sender, attackers are motivated to break into other networks to use their bandwidth. This makes it more difficult to trace attackers, since they may have already covered their tracks.

What is a distributed denial-of-service attack?

A distributed denial-of-service (DDoS) attack is a simple variation of an ordinary denial-of-service, in which the attacker hijacks the bandwidth of multiple networks and uses them to mount a more powerful coordinated attack. Tools to coordinate distributed denial-of-service attacks have been made publicly available, and are rapidly increasing in sophistication. The availability of these tools has made distributed denial-of-service very easy for a moderately skilled attacker.

It is important to note that DDoS attacks do not require significant bandwidth from any single attack agent. Many small hoses can be coordinated to fill a very large pipe.

How can I protect my network from DDoS?

While there are no practical methods to prevent DDoS attacks, there are some ways to lessen the impact:

  • Increase the bandwidth at the service (get a bigger pipe). This involves planning for far more traffic than legitimate service requires. This countermeasure makes it more difficult to overload a service.
  • Implement redundancy in the service. Identify single points of failure for the service and build in backup servers. The attacker may be able to redirect the attack to the new system, but this increases the risk of getting caught, and makes it more difficult to sustain the attack.

Why can't I just block DDoS traffic?

First, blocking the communication requires examination to determine whether it should be blocked. Before communication can be examined, it must be received, and by then, the bandwidth has been consumed.

Second, flood attacks are difficult to distinguish from legitimate communication. A flood attack against a web server can simply be an overwhelming number of web accesses. Further, the Internet Protocol as it exists today does not provide a secure way of identifying the source of communication: the source address of a packet can be forged. This means that flood attacks can appear to come from anywhere.

What is AXENT doing about DDoS?

NetRecon 3.0, Security Update 1 (Released January 28, 2000) checks for the following DDoS vulnerabilities:

  • stacheldraht trojan horse allows attack-by-proxy
  • trinoo trojan horse daemon allows attack-by-proxy
  • trinoo trojan horse master allows attack-by-proxy
  • tfn trojan horse daemon allows attack-by-proxy

NetProwler 3.0 Security Update 6 (Released December 15, 1999) watches for the following DDoS activity:

  • Trin00 Broadcast
  • Trin00 Master Connect
  • Trin00 Master
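The detection approach described earlier on this page, analysing the communication used to control the tools, can be illustrated with a small scanner for the trinoo control channel. This is an added example, not AXENT code and not the NetProwler signatures listed above. The port numbers it uses (attacker to master on TCP 27665, master to daemon on UDP 27444, daemon to master on UDP 31335) come from public analyses of the trinoo tool and are an assumption here, since the page names signatures but not ports; the log format and the addresses are constructed for the example.

```python
"""Flag trinoo control-channel traffic in a connection log.

Added illustration, not AXENT code. The ports are those reported in public
analyses of trinoo and are an assumption here (the page lists signature
names only). Log format: "<proto> <src_ip>:<sport> > <dst_ip>:<dport>".
"""
from collections import defaultdict

# Each rule: which side's port identifies the channel, and what role the
# two endpoints play if the rule matches (used to build a cleanup list).
TRINOO_RULES = (
    {"proto": "tcp", "side": "dst", "port": 27665,
     "name": "trinoo-master-connect",
     "roles": {"src": "client", "dst": "master"}},
    {"proto": "udp", "side": "dst", "port": 27444,
     "name": "trinoo-master-command",
     "roles": {"src": "master", "dst": "daemon"}},
    {"proto": "udp", "side": "dst", "port": 31335,
     "name": "trinoo-daemon-reply",
     "roles": {"src": "daemon", "dst": "master"}},
)

# Constructed sample log; RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
# attacker client -> master, master -> daemon, daemon -> master, then benign traffic
tcp 192.0.2.10:33921 > 198.51.100.5:27665
udp 198.51.100.5:40211 > 203.0.113.7:27444
udp 203.0.113.7:40212 > 198.51.100.5:31335
tcp 192.0.2.20:41022 > 198.51.100.80:80
udp 192.0.2.21:53112 > 198.51.100.53:53
"""


def parse_record(line):
    """Parse one log line into a dict; raise on anything else."""
    proto, src, arrow, dst = line.split()
    if arrow != ">":
        raise ValueError(f"unrecognised record: {line!r}")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport)}


def match_rules(rec):
    """Return the rules whose protocol and port match this record."""
    hits = []
    for rule in TRINOO_RULES:
        if rec["proto"] != rule["proto"]:
            continue
        port = rec["sport"] if rule["side"] == "src" else rec["dport"]
        if port == rule["port"]:
            hits.append(rule)
    return hits


def scan(lines):
    """Scan log lines; return (alerts, roles).

    alerts: list of (rule name, src ip, dst ip) in log order.
    roles:  {"client"|"master"|"daemon": set of ips} for follow-up cleanup.
    """
    alerts = []
    roles = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        for rule in match_rules(rec):
            alerts.append((rule["name"], rec["src"], rec["dst"]))
            for side, role in rule["roles"].items():
                roles[role].add(rec[side])
    return alerts, dict(roles)


if __name__ == "__main__":
    found, hosts = scan(SAMPLE_LOG.splitlines())
    for name, src, dst in found:
        print(f"{name}: {src} -> {dst}")
    for role, ips in sorted(hosts.items()):
        print(f"{role}: {', '.join(sorted(ips))}")
```

A port-only match is a lead, not a verdict: a legitimate service could happen to listen on one of these ports, so confirm a hit by examining the payload or by the active technique the page mentions (getting the tool to identify itself) before starting recovery on the hosts in the `master` and `daemon` sets.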

AXENT's Raptor Firewall is effective in preventing the protected network from being used to carry out a DDoS attack.

Good general network security reduces the likelihood of an attacker successfully installing DDoS tools. Enterprise Security Manager and NetRecon can be used to manage and assess general network security.

NetProwler and Intruder Alert can help to identify compromises in the early stages, before DDoS tools can be installed and used.

AXENT has released DDoS detection signatures for NetRecon and NetProwler, and is continuing to develop further countermeasures. The current countermeasures detect the presence of DDoS attack tools.

Why is it important to detect DDoS tools?

Such tools will only be present on your systems if your network has been compromised, so finding one tells you that a recovery process should begin. Finding and removing DDoS attack tools also decreases the bandwidth available to attackers, and a community-wide effort to do so greatly reduces their ability to launch significant attacks against any network.

It is important to report DDoS incidents to the authorities so an effort can be made to catch the attackers.

Where can I learn more about DDoS?