Ask Security Guru Dave Dittrich About DDoS Attacks

Yes, this is the University of Washington Dave Dittrich behind the software the FBI is trying to get you to use to help find the people doing the massive DoS attacks that have made headlines all over the place. Learn more about Dave and check out the info about the current brou-hah-hah on his home page, then ask away. We'll send the 10 - 15 highest-moderated questions to Dave Friday evening, and post his answers as soon as he can get them to us in between answering questions from mainstream media types who, as you can imagine, are all over him right now.

Is a network proof against DDoS possible?

Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
--

The Constant Fingerprint?

While you've done an excellent job analyzing the various DDoS tools, one thing I think we all realize about DoS tools is that, as time passes, we *are* going to lose the ability to detect whether a packet is fully legitimate or if
contains a covertly channeled service denial command.

What's more insidious is that I don't think we're going to even be able to determine the nature of an attack in progress. Given enough compromised clients, it's more than conceivable that enough pseudo-browsers surfing at a humanistic rate could take down at highly database-driven sites, not to even mention overload the maximum number
of streams a multimedia site can supply. Such an attack would only reflect itself as the attack of the <a href="http://slashdot.org/comments.pl?sid=00/02/08 /1338245&cid=60">Window Shopping Hordes</a>--people who search for everything but buy...nothing at all.

If we won't always be able to detect the initiation of these attacks, and we won't always be able to detect the commencement of these attacks, would it be fair to say that the only moderately reliable fingerprint of an looming attack is the single packet or set of packets that compromised the OS into loading the attack daemon in the first place?

If so, how can we use such fingerprints to our advantage? Should arbitrary core routers initiate tracer logs and NOC notification when large scale OS compromise fingerprints are detected?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:Answer: not viable

<i>That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc. </i>

Nope, Sig. You need stateful analysis when you cross the single packet barrier--for example, when the presence of an outgoing SYN creates a temporary tunnel through the firewall for an incoming ACK of a given Port/ISN+1.

It's just a comparison of the 32 bit Source Address with the 32 bit Network Address of the physical interface. That kinda thing doesn't even require Store And Forward...it's one or two AND ops. Where you start getting problems is when you have a layer or two of peered networks...but how many universities route packets for eachother?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Stop Spoofing At The Backbone?

How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation(their backup networks will ceae to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.

Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:Answer: not viable

<i>A switch functions by only analyzing the raw ethernet (or mac) address. </i>

Not necessarily, anymore. L3 Switching and even L4 Switching is quite hot nowadays. Matching bits and ANDing them--that's what switches do, and that's what IP Interface checking does. L3 and L4 switches essentially match more bits in their quest to do better and more accurate QoS. I'm not absolutely sure if Cisco's switches will do the IP range checking, but I wouldn't be surprised if they did it in hardware. Sig, it's a cheap operation.

> A router works at a higher level, and CAN do
> stateful analysis... but for speed you really
> shouldn't - that's what the firewall is for.
> Firewalling the backbones would be... umm..
> very bad.

For cryin' out loud, this has NOTHING to do with State. Either I'm sending out a packet on a bogus source, or I'm not. This contrasts *heavily* against "Firewall receives an ACK packet--is it spoofed, or is it a response to a pre-existing SYN? Better check the state..."

I'm not talking about firewalling the backbones, only the entry points. And what the hell do you think Yahoo screamed at their ISPs to do when lots of traffic was coming down the pipe that had nothing to do with the Web? "KILL EVERYTHING BUT PORT 80!"

That's not firewalling the backbones. That's managing the access points.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:Other methods?

From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

I'm no IPv6 expert, but as I understand it, space is reserved for this information in an IPv6 packet, but it's not mandatory to fill it, it's only recommended. Maybe someone who knows more about IPv6 can confirm this?

Re:Long term solutions?

You write:

Given that IP spoofing is a fundamental flaw in IPv4 ...

But is that really true? If every router refused to pass packets that clearly lie about their origin, IP spoofing would be a lot harder to do.

Internet Worm -- Episode 2

What do you have to say to the idea that this could be a DoS attack launched by computers infected with an Robert T. Morris style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a syncronized DoS?

Antionline: True help?

I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?

Should security research be done in obscurity?

It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?

Recognizing DoS

I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this, and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.

The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30PM in Los Angeles to be a DoS attack.

To solve these problems, you have to know what's causing it. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).

In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home email and find out.

With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you forsee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the web?

Government

If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:

• Understand the problem well enough
• Spot good solutions if they come along

Slashdot generally seems to feel that the government doesn't have a clue about tech issues, but the NSA has had its moments of brilliance in the past.

DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.

A fruitless exercise?

In other words, my question is:

Isn't the intersection of the sets:

• Clueless enough to allow massive DoS out of their network.
• Yet likely to install this detector.

pretty darn small?

Questions.

• What decent sites are there that offer security information for a variety of operating systems geared to either the average user or the power user?
• With the influx of dedicated connections, it becomes more necessary for the end user to put security in place, however the end user does not want to pay for these tools. Is there an easy to use freeware package that can deal with this?
• Given the following:
  • ISP companies, campus security, and companies that have connected all their machines to the internet tend not to have a good understanding of security.
  • Those that don't have a good understanding take a dim view of their customers that do.
  • It seems like the average security expert is a former "criminal hacker type" (mediaspace: a perception of reality defined by the media)
  What is our best hope for getting out of the dark ages of computer security anytime soon?
• What would give for odds on this being an attack by the following classifications:an individual, an organized group, or the federal government?

It strikes me as insanely easy to propogate this type of flood attack using a virus with this little dealie as part of the payload. If the virus kept track of the IP addresses of the machines it tried to infect it could be quite deadly. (send command to ping target IP to all possibly infected IP addresses using forged information then Ping target IP) The worst part is that the system could get recursive. (Machine X knows that it tried to infect machine Y. Machine Y knows that it tried to infect machine X. Commands bounce back and forth between them. Ouch. And tracing that one back would be close to impossible...

-----

Other methods?

Dave,

There seems to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.

Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

Thanks.

Re:Why exactly should the average citizen care?

5K a minute is chump change to them.

I run revenue streams for companies like this and I can tell you the numbers that they attribute to loss are greatly exaggerated. They do it because it is more ecenomical to write it off as bad debt(LIN also includes general corp losses) and take the tax break. The more they report as bad debt, the bigger the tax break. Makes quarterly reports look very good at the top and then they bury it deep inside the report. DoS, Hacking, Fraud, Employee theft etc. all this goed into that line item.

Firewalls for Dummies?

With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?