cisco-newsflash.htm
Posted Feb 11, 2000

Cisco Newsflash - Distributed Denial of Service. Contains information to help you understand how DDoS attacks are orchestrated, recognise programs used to launch DDoS attacks, and apply measures to prevent the attacks (including anti-spoofing commands, egress filtering, RPF and CEF, ACLs, rate limiting for SYN packets). Also contains information on gathering forensic information if you suspect an attack, and learning more about host security.

tags | denial of service, spoof
systems | cisco
MD5 | 7c18c020e8436f0a308e7e315655f43c

<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<HEAD>
<META NAME="Repository" CONTENT="CCEWP">
<META NAME="author" CONTENT="vrussell">
<META NAME="SearchPublicationDate" CONTENT="Thu, 10 Feb 2000 22:30:50 GMT">
<META NAME="FileOwner" CONTENT="ewpadmin">
<META NAME="FileName" CONTENT="newsflash.html">
<META NAME="Folder" CONTENT="/warp/public/707">
<META NAME="Object_ID" CONTENT="1670107">
<META NAME="Chronicle ID" CONTENT="1662907">
<META NAME="Revision" CONTENT="/main/CCO/3">
<META NAME="CCOCategoryType" CONTENT="Support">
<META NAME="PubDate" CONTENT="Thu, 10 Feb 2000 22:30:50 GMT">
<META NAME="PushDate" CONTENT="Thu, 10 Feb 2000 22:31:10 GMT">
<META NAME="ParentTree" CONTENT="/warp/public/707">
<META NAME="Parents" CONTENT="/warp/public/707">
<META NAME="EncodeDesc" CONTENT="">
<META NAME="Language" CONTENT="US_en">

<META CONTENT="text/html; charset=iso-8859-1" HTTP-EQUIV="Content-Type">
<META NAME="DocType" CONTENT="FieldNotice">
<META NAME="GENERATOR" CONTENT="Mozilla/4.6 [en] (Win95; U) [Netscape]">
<TITLE>Cisco - Field Notice: Distributed Denial of Service (DDoS) News Flash</TITLE>
<!-- Posted to CCO by vrussell on 2/9/2000 -->
<!-- Source from Security Team -->
</HEAD>

<BODY BGCOLOR="#FFFFFF">
<P>
<A HREF="http://www.cisco.com/pcgi-bin/imagemap/navbar">
<IMG WIDTH="504" SRC="http://www.cisco.com/images/navbar.gif" ALT="navbar" HEIGHT="12" ISMAP BORDER="0"></A><BR>
<A HREF="http://www.cisco.com/warp/public/770/index.shtml">
<IMG WIDTH="504" SRC="http://www.cisco.com/images/techtips/strip_fieldnot.gif" ALT="Strip_FieldNotice" HEIGHT="22" ISMAP BORDER="0"></A>
</P>
<H1>
Distributed Denial of Service (DDoS) News Flash</H1>

<H3>
February 9, 2000</H3>

<HR>
This news flash contains information to help you:
<UL>
<LI><A HREF="http://www.cisco.com/warp/public/707/newsflash.html#overview">understand how DDoS attacks are orchestrated</A>
<LI>
<A HREF="http://www.cisco.com/warp/public/707/newsflash.html#characteristics">recognize programs used to facilitate DDoS attacks</A></LI>

<LI>
<A HREF="http://www.cisco.com/warp/public/707/newsflash.html#prevention">apply measures to prevent the attacks</A></LI>

<LI>
<A HREF="http://www.cisco.com/warp/public/707/newsflash.html#forensics">gather forensic information if you suspect an attack</A></LI>

<LI>
<A HREF="http://www.cisco.com/warp/public/707/newsflash.html#more_info">learn more about host security</A></LI>
</UL>

<H3>
<A NAME="overview"></A>Understanding the Basics of DDoS Attacks</H3>
<P>Refer to the following illustration:
<P><CENTER><IMG SRC="http://www.cisco.com/warp/public/707/ddos.jpg" BORDER=""></CENTER>
<P>
Behind a <B>Client</B> is a person who orchestrates an attack. A <B>Handler</B>
is a compromised host with a special program running on it. Each
handler is capable of controlling multiple agents. An <B>Agent</B> is
a compromised host that is running a special program. Each agent is
responsible for generating a stream of packets that is directed toward the intended victim.
<P>
Attackers have been known to use the following four programs to launch DDoS attacks: Trinoo, TFN, TFN2K and
Stacheldraht.

<P>In order to facilitate DDoS, the attackers need to have
several hundred to several thousand compromised hosts.
The hosts are usually Linux and SUN computers; however, the tools can be ported to
other platforms as well. The process of compromising a host and
installing the tool is automated. The process can be divided into
the following steps, in which the attackers:
<OL>
<LI>Initiate a scan phase in which a large number of hosts
(on the order of 100,000 or more) are probed for a known vulnerability.
<LI>Compromise the vulnerable hosts to gain access.
<LI>Install the tool on each host.
<LI>Use the compromised hosts for further scanning and compromises.
</OL>
<P>Because an automated process is used, attackers can compromise and install the tool
on a single host in under 5 seconds. In other words, several thousand
hosts can be compromised in under an hour.

<H3>
<A NAME="characteristics"></A>Characteristics of Common Programs Used to
Facilitate Attacks</H3>
The following are common programs that hackers use to facilitate distributed
denial of service attacks:
<UL>
<LI>
Trinoo</LI>

<P>Communication between clients, handlers and agents uses the following
ports:
<PRE>1524 tcp
27665 tcp
27444 udp
31335 udp</PRE>
<P><B>Important Note:</B> The ports listed above are the <I>default</I>
ports for this tool. Use these ports for orientation and
example only, because the port numbers can easily be changed.
<P><LI>
TFN</LI>
<P>Communication between clients, handlers and agents uses ICMP ECHO and
ICMP ECHO REPLY packets.
<P><LI>
Stacheldraht</LI>
<P>Communication between clients, handlers and agents uses the following
ports:
<PRE>16660 tcp
65000 tcp
ICMP ECHO
ICMP ECHO REPLY</PRE>
<P><B>Important Note:</B> The ports listed above are the <I>default</I>
ports for this tool. Use these ports for orientation and
example only, because the port numbers can easily be changed.

<P><LI>
TFN2K</LI>
<P>Communication between clients, handlers and agents does not use any
specific port (it may be supplied at run time or chosen randomly
by the program) but is a combination of UDP, ICMP and TCP packets.
</UL>
<P>For a detailed analysis of DDoS programs, read the following articles (<B>Note:</B>
The following links point to external web sites not maintained by Cisco Systems):
<P><A HREF="http://staff.washington.edu/dittrich/misc/trinoo.analysis">The
DoS Project's "trinoo" distributed denial of service attack tool</A>
<BR><A HREF="http://staff.washington.edu/dittrich/misc/tfn.analysis">The
"Tribe Flood Network" distributed denial of service attack tool</A>
<BR><A HREF="http://staff.washington.edu/dittrich/misc/stacheldraht.analysis">The
"stacheldraht" distributed denial of service attack tool</A>
<P>Additional information regarding DDoS tools and their variants can be
found at the Packet Storm web site's
<A HREF="http://packetstorm.securify.com/distributed/">Index of Distributed Attack Tools</A>.
<H3>
<A NAME="prevention"></A>Prevention</H3>
The following are suggested methods to prevent distributed denial of service
attacks:
<OL>
<LI> Use the <B>ip verify unicast reverse-path</B> interface command.</LI>
<P>This feature checks each packet that is routed into the router. If the
source IP address does not have a route in the CEF tables that points back
to the same interface on which the packet arrived, the router drops the packet.
<P>The effect of Unicast RPF is that it stops SMURF attacks (and other attacks
that depend on source IP address spoofing) at the ISP’s POP (leased-line and dial-up).
This protects your network and customers, as well as the rest of the Internet.
To use unicast RPF, enable ‘CEF switching’ or ‘CEF distributed switching’
in the router. There is no need to configure the input interface for CEF switching.
As long as CEF is running on the router, individual interfaces can be configured
with other switching modes. RPF is an input-side function that is enabled on
an interface or sub-interface and operates on packets received by the router.
<P>It is very important for CEF to be turned on in the router. RPF will not
work without CEF. Unicast RPF was first supported in 11.1(17)CC
CEF 13 images on the RSP7000, 7200 and 7500 platforms. It is not supported
in any 11.2 or 11.3 images. Unicast RPF is included in 12.0 on platforms that
support CEF, including the AS5800. Hence, unicast RPF can be configured on
the PSTN/ISDN dial-up interfaces on the AS5800.
<P>
<LI> Filter all RFC1918 address space using access control lists.</LI>
<P>Refer to the following example:
<PRE>interface xy
ip access-group 101 in
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any</PRE>
<P>
<LI> Apply ingress and egress filtering (see RFC 2267) using ACL.</LI>
<P>
<LI> Use CAR to rate limit ICMP packets.</LI>
<P>Refer to the following example:
<PRE>interface xy
 <A HREF="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_r/qrcmdr.htm#xtocid1802121">rate-limit</A> output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

access-list 2020 permit icmp any any echo-reply</PRE>
<P>For more information, refer to <A HREF="http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip">IOS
Essential Features</A>.
<P>
<LI>Configure rate limiting for SYN packets.
<P>Refer to the following example:
<PRE>interface {int}
 <A HREF="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_r/qrcmdr.htm#xtocid1802121">rate-limit</A> output access-group 153 <FONT COLOR="red">45000000</FONT> <U>100000</U> <U>100000</U> conform-action transmit exceed-action drop
 rate-limit output access-group 152 <FONT COLOR="red">1000000</FONT> <U>100000</U> <U>100000</U> conform-action transmit exceed-action drop

access-list 152 permit tcp any host &lt;VICTIM&gt; eq www
access-list 153 permit tcp any host &lt;VICTIM&gt; eq www established</PRE>
<P>In the above example, replace:
<UL>
<LI><FONT COLOR="red">45000000</FONT> with the maximum link bandwidth</LI>
<LI><FONT COLOR="red">1000000</FONT> with a value that is between 30% and 50%
of the SYN flood rate</LI>
<LI>the <U>burst normal</U> and <U>burst max</U> values (<U>100000</U> above) with accurate values</LI>
</UL>
<P>Note that if you set the burst rate greater than 30%, many legitimate SYNs
may be dropped. To get an idea of where to set the burst rate, use the <A HREF="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_r/qrcmdr.htm#xtocid1802169">show
interfaces rate-limit</A> command to display the conformed and exceeded
rates for the interface. Your objective is to rate-limit the SYNs as little
as necessary to get things working again.
<P> <B>WARNING:</B> It is recommended that you first measure the amount of SYN
packets during normal operation (before attacks occur) and use those values
to set the limit. Review the numbers carefully before deploying this measure.
<P> If a SYN attack is aimed against a particular host, consider installing
an IP filtering package on that host. One such package is <A HREF="http://coombs.anu.edu.au/ipfilter/">IP
Filter</A>, which can be found at http://coombs.anu.edu.au/ipfilter/. Refer
to <A HREF="http://coombs.anu.edu.au/ipfilter/examples.html">IP Filter Examples</A>
for implementation details.
</OL>
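<P>The following added example (not from the Cisco notice) models in Python the two ingress checks described in items 1 and 2 above: the RFC 1918 deny list, then strict unicast RPF, which does a longest-prefix lookup on the source address and drops the packet unless the route points back out the interface it arrived on. The FIB, interface names and sample packets are constructed; the model also shows the check's known side effect, that a legitimate source whose return route points out a different interface is dropped too.</P>

```python
import ipaddress

# RFC 1918 space that access-list 101 in the notice denies on ingress.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(fib, addr):
    """Longest-prefix match on the FIB; returns the route's interface or None."""
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def ingress_decision(fib, ingress_iface, src):
    """Return 'forward' or a 'drop: ...' reason for a packet from src on ingress_iface.

    Simplified model of the notice's ingress policy: RFC 1918 ACL first, then strict
    uRPF, which drops unless the best route to src points back out ingress_iface.
    """
    src = ipaddress.ip_address(src)
    if any(src in net for net in RFC1918):
        return "drop: RFC1918 source"
    route_iface = lookup(fib, src)
    if route_iface is None:
        return "drop: uRPF, no route to source"
    if route_iface != ingress_iface:
        return f"drop: uRPF, route to source points out {route_iface}"
    return "forward"


# Constructed FIB for a POP router's customer-facing side (no default route:
# the notice applies uRPF on leased-line and dial-up edges, not upstream links).
FIB = [
    (ipaddress.ip_network("203.0.113.0/24"), "Serial0"),    # customer A
    (ipaddress.ip_network("203.0.113.128/25"), "Serial3"),  # A's second site, more specific
    (ipaddress.ip_network("198.51.100.0/24"), "Serial2"),   # customer B
]

if __name__ == "__main__":
    samples = [("Serial0", "203.0.113.7"),    # own address: forward
               ("Serial0", "198.51.100.9"),   # spoofing customer B: drop
               ("Serial0", "10.1.2.3"),       # RFC 1918 source: drop
               ("Serial0", "192.0.2.50"),     # no route back: drop
               ("Serial0", "203.0.113.200"),  # legitimate but asymmetric: also dropped
               ("Serial3", "203.0.113.200")]  # same host on its routed interface: forward
    for iface, src in samples:
        print(f"{iface:8} {src:15} -> {ingress_decision(FIB, iface, src)}")
```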

<H3>
<A NAME="forensics"></A>Forensics: Capturing Evidence</H3>
If possible, capture a packet sample for analysis. It is recommended that
you use a SUN workstation or a Linux box on a fast Pentium machine to capture
the packet sample. For capturing, use the tcpdump program (Linux or SUN)
or snoop (SUN only). The command syntax is:
<PRE>tcpdump -i interface -s 1500 -w capture_file

snoop -d interface -o capture_file -s 1500</PRE>
The MTU size in this example is 1500; change this parameter if the MTU
is greater than 1500.
<P>Preserve these logs as evidence for law enforcement.
<H3>
<A NAME="more_info"></A>Further Reading</H3>
For general host security material, read information provided at the <A HREF="http://www.cert.org/">CERT/CC</A>
web page.
<P>For more information, read the following <A HREF="http://www.cisco.com/warp/public/707/advisory.html">Internet
Security Advisories</A>:
<UL>
<LI>
<A HREF="http://www.cisco.com/warp/public/707/22.html">Characterizing and
Tracing Packet Floods Using Cisco Routers</A></LI>

<LI>
<A HREF="http://www.cisco.com/warp/public/707/21.html">Improving Security
on Cisco Routers</A></LI>

<LI>
<A HREF="http://www.cisco.com/warp/public/707/sec_incident_response.shtml">Cisco
Product Security Incident Response</A></LI>
</UL>


<P>
<HR>
<P>

<A HREF="http://www.cisco.com/pcgi-bin/imagemap/guestbar"><IMG WIDTH="504" SRC="http://www.cisco.com/images/guestbar.gif" ALT="Toolbar" HEIGHT="20" ISMAP BORDER="0"></A><BR>



<P><FONT SIZE="-1">All contents copyright &copy; 1992--2000 Cisco Systems Inc.
<A HREF="http://www.cisco.com/public/copyright.html">Important Notices</A> and
<A HREF="http://www.cisco.com/public/privacy.html">Privacy Statement</A>.</FONT></P>
</BODY>
</HTML>
