The following recommendations should be regarded as a guideline for improving protection against distributed Denial-of-Service (DoS) attacks. At the same time, it serves as a basis of discussion for concrete realisation of measures in the areas server operator, network agents, content providers and end-users. The reason is the observance in February of intensified DoS attacks on renowned Internet providers.
Here, the attackers had created access to hundreds of computers in the Internet on which they installed the programs for the DoS attacks. From a separate computer, they synchronised these attack programs in such a manner that the effectiveness of the attack was appreciably increased through the large number of simultaneously attacking computers. This type of attack is designated as Distributed Denial-of-Service (DDoS).
The observed attacks were based on two main weak points. Firstly, the sender addresses of the "attacking" data packet had been forged (IP spoofing), and secondly, unauthorised programs were installed – before the attacks on selected large computers on a large number of further, inadequately protected Internet computers which, remote-controlled, were able to send data packets en masse. The particular feature of these DDoS attacks is that they were able for this reason to hit those who have otherwise protected themselves in an optimum manner against intruders from the Internet (for the recognition and treatment of attacks cf. appendix. This means that computers on which not even the so-called basic protection measures have been implemented, are not only a danger for the operator concerned, but also for all other computers in the Internet. For this reason, the preparations for the attacks which became known recently were only possiblethrough the fact that various safety "holes" which had been known for a long period had not been eliminated.
Effective measures against distributed Denial-of-Service Attacks must be taken at many points in the existing complex Internet structure in a concerted campaign. Server operators in the Internet which were the object of the stated attacks can resort to a number of meaningful measures without solving the DoS problem completely. Rather, different target groups (content providers, server providers, network agents and end-users) – each in his own sector – must act. Only jointly can the Internet be made safer with respect to the endangerment through DoS attacks, the execution of Denial-of-Service Attacks made more difficult and subsequent pursuit of the originators of these attacks alleviated.
By means of the recommendations for measures stated below, the following target groups are supported in their task of protecting the Internet against DoS attacks:
Diagram: In the diagram, the target groups used in the paper (the content providers are not separated here from the server operators) are stated with respect to the communication structure in the Internet. The numbers describe which measures should be observed in the components concerned. The measures 4 and 13-15 are valid for all components and for this reason are not included in the drawing.
Through direct implementation and adherence to the recommendations and through the own further immediate programs, the target groups addressed can make a decisive contribution to the common objective of structuring the internet safely being achieved. A particular part is played here by the network agents who normally do not take over a protective function for the server operators. For the IP spoofing used for the DoS attacks, the network agents are the ones who can effectively recognise and prevent false packets already on being fed into the Internet (see below).
The following measures are structured with respect to the target groups whereby the first five measures assist in the defence or limitation of damage of DDoS attacks as they intervene on the transmission paths in the Internet. The other measures refer to the selection, configuration and maintenance of the end systems in the Internet and hinder the preparation of a DDoS attack, i.e. intrusion into a large number of computers and the installation of attack programs on them.
Residue risk will, however, remain even after implementation of the measures which is the reason why ordered reporting systems for attacks in the Internet should be developed.
The network agents take over a central part in the prevention of DoS. Although the network agents are themselves seldom the object of DoS attacks, they profit indirectly from a secure Internet as the confidence of all users and thus their number grows.
Many DoS attacks use forged IP sender addresses. This makes the attacks possible on the one hand, on the other hand, the search for the originators is hindered. Through appropriate technical rules (RFC 2267 of January 1998) in the network infrastructure of the network agents, the network operators can restrict this possibility appreciably so that falsified packets can no longer be distributed to the Internet. An organisation which is connected to a network operator has a certain IP address area at its disposal. Each IP packet which is sent from this organisation must have an IP sender address from the area. If this is not the case, it concerns a forged address and the IP packet should not be passed on by the network agent, i.e. packet filtering of sender addresses on feeding in of the packets into the Internet should be carried out. Although IP spoofing is still possible within the allowed address area of the organisation, the circle of possible originators to the organisation is limited. A normalhome access into the Internet has only one authorised IP address so that, through such selective accesses, IP spoofing would no longer be possible.
Servers are often only connected to the network agent through a single network connection. Even if the servers are resistant against DoS attacks, this network connection is restricted itself in its capacity and can be fully occupied by an attacker so that the servers can no longer be reached from the Internet. For this reason, network agents should consider to shield the network connection of the server operators against DoS attacks by the use of packet filters, i.e. a packet filtering should be carried on target addresses when the packets leave the Internet. This is in particular very effective when, in co-operation with an attack recognition system with the server operator, the packet filter can be adapted dynamically to the attack which happens to be running. (In addition, the network agent can, in co-ordination with the server operator, configure the packet filter in such a manner that measure 3 is also supplemented on the part of the network agent).
The computers of the server operators do not only come into question as victims of the DoS attack. Because of their efficient connection to the Internet, they are also potential outlet platforms. For this reason these computers must be prevented from being misused as starting point for attacks on other computers.
Normally, servers should only offer few services and be configured correspondingly. On the incoming router, packet filter rules should be implemented which only allow those protocols to pass which belong to and, for example, block off security-critical services or directed broadcasts (RFC 2644). In the case of an attack, these routers can be re-configured in such a manner that the queries from suspicious individual IP addresses or address sectors are rejected. (In addition, the server operator should configure the packet filter additionally so that from his network IP spoofing is not possible and in this way measure 1 is supported. The settings to be carried out for this are described in the system administrator manuals of the routers).
Normally, DoS attacks distinguish themselves through the fact that they occupy the server abnormally. For this reason typical characteristics (memory occupancy, stacks, network occupancy, …) should be monitored constantly. Automatic alarm then enables the initiation of quick reaction (host-based attack recognition).For this suitable, additional products are possibly to be used.
Additional information about Intrusion Detection Systems can be found, for example, BSI-study "Intrusion-Detection-Systemen (IDS)".
In the event of an attack, a rapid response is of central importance. This is the only way to take effective countermeasures, possibly to identify the attacker and to restore normal operation within a short period. This is why an escalation procedure should be laid down in a contingency plan. Necessary information inter alia includes contact persons, persons in charge, alternative communication channels, instructions for action and the place where resoursrces that may be needed (such as magnetic tapes) are stored. More detailed information for handling attacks from the Internet may be found under http:/www./bsi.bund.de/.
The servers of the server operators can be misused as agents of a DoS attack. For this, the attacker installs damaging software using the known weak points. For this reason, the operators of the servers must configure the servers meticulously and securely. Network services which are not required are to be deactivated and those required secured, sufficient password and access protection and alteration of (in particular pre-set) passwords must be guaranteed in good time. Closer information can be found, for example, under http://www bsi.de/certbund/webserv.htm.
Through manipulation on servers, an attacker can misuse these as agents or restrict their efficiency. For this reason, all alterations and all access to the server must be recorded. Attention must be paid to restrictive granting of access rights to the users, to use the system resources made available and to increased care in alterations to the configuration. At regular intervals, the file system is to be checked for integrity. If only static data is required, a manipulation-proof, read-only data medium can be used.
For the case that weak points are discovered for the first time which enable or alleviate a DoS attack, it is important that these can be eliminated quickly. Usually, such weak points in open-source software are eliminated appreciably more quickly than in products the source code of which has not been published. Often, the alterations in the source code can be carried out by yourself. For this reason, open-source products should be preferred if the efficiency is similar ( see http://linux.kbst.bund.de/).
The content providers should, through the selection of their server operator, work to the effect that the operator regards security and availability as a central feature of service. For this reason they should select a server operator who can demonstrate corresponding experience in the required Internet platforms and verify his efforts in the area of IT security, e.g. by means of an IT security concept.
Many WWW pages in the Internet are at present only usable when settings are carried out in the browsers from the security point of view. This can be misused by an attacker. Through conscious avoidance of security-critical techniques (e.g. active content), content providers can make a contribution towards no insecure settings being existent on the clients.
Many content providers provide programs and documents on their WWW pages for downloading. If the attacker succeeds in introducing a Trojan horse, he is in a position to hope for great spread within a short period. Such procedure is in particular for DDoS attacks enticing for attackers as a large number of computers is required for an effective attack. The content providers should therefore check daily with special search programs as to whether programs with damage functions (viruses, Trojan horses, DoS programs) exist on his pages (for the search for DDoS programs, see, for example http://foia.fbi.gov/nipc/trinoo.htm).
Computers of end-users are normally not the object of DoS attacks. However, these computers can be used for the purpose that, in a first step, an attacker installs a program on them which then, remote-controlled, enables a DoS attack on any desired computer. For this reason, end-users can also make a contribution towards protection against DoS attacks.
Computers of end-users can be misused as agents for attacks. Agents can be installed on the individual computers most easily through viruses, Trojan horses or through active content (in particular ActiveX). For this reason, a reliable and current virus protection and the switching off of active content in the browser is strongly recommended. Under certain circumstances, the use of auxiliary programs for on-line protection of the client (for example PC-Firewalls) can be considered. Further recommendations are made on the BSI-WWW pages and the initiative Security in the Internet (http://www.sicherheit -im-internet.de).
The measures recommended here are standard measures. Practice shows, however, that they are often not implemented for various reasons.
Computers which possess an Internet connection should reach a reasonable level of security through consistent implementation of the IT basic protection measures contained in sections 6.1, 6.2, and 6.4 of the basic IT protection manual for networked Unix systems or Windows NT. This guarantees that typical dangers can be counteracted. The basic IT protection manual can be inspected here.
New security-relevant weak points are discovered in the operating systems and server software again and again which a little later can be eliminated through updates (patches) of the manufacturer. To be able to react quickly, it is necessary to subscribe to and evaluate the mailing lists of the Computer Emergency Response Team (CERT) under http://www.cert.org and of the manufacturer. The relevant updates are to be transferred as quickly as possible to eliminate the weak points which have become known.
To protect a computer against risks and dangers, partly appreciable know-how is necessary for working out an effective IT security configuration. Administrators have therefore to be adequately trained and further trained. to support the administration tasks. Security tools should be used in addition.