Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

This white paper contains information to help you understand how DDoS attacks are orchestrated, recognize programs used to facilitate DDoS attacks, apply measures to prevent the attacks, gather forensic information if you suspect an attack, and learn more about host security.

Understanding the Basics of DDoS Attacks

Refer to the following illustration:

[Illustration: ddos1]

Behind a Client is a person who orchestrates the attack. A Handler is a compromised host running a special control program; each handler is capable of controlling multiple agents. An Agent is a compromised host that is also running a special program; each agent is responsible for generating a stream of packets directed at the intended victim.

Attackers have been known to use the following four programs to launch DDoS attacks: Trinoo, TFN, TFN2K and Stacheldraht.

In order to carry out a DDoS attack, the attackers need several hundred to several thousand compromised hosts. The hosts are usually Linux and Sun computers; however, the tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. It can be divided into the following steps, in which the attackers:

  1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability.
  2. Compromise the vulnerable hosts to gain access.
  3. Install the tool on each host.
  4. Use the compromised hosts for further scanning and compromises.

Because the process is automated, attackers can compromise a single host and install the tool on it in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.

Characteristics of Common Programs Used to Facilitate Attacks

The following are common programs that attackers use to facilitate distributed denial of service attacks:

  • Trinoo

    Communication between clients, handlers and agents uses the following ports:

    1524 tcp
    27665 tcp
    27444 udp
    31335 udp

    Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.

  • TFN

    Communication between clients, handlers and agents uses ICMP ECHO and ICMP ECHO REPLY packets.

  • Stacheldraht

    Communication between clients, handlers and agents uses the following ports:

    16660 tcp
    65000 tcp
    ICMP ECHO
    ICMP ECHO REPLY

    Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.

  • TFN2K

    Communication between clients, handlers and agents does not use any specific port (the port may be supplied at run time or chosen randomly by the program) but consists of a combination of UDP, ICMP and TCP packets.
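The default ports and ICMP channels listed above are the most direct thing a defender can look for in flow or packet logs. The following script is an added example, not part of the Cisco white paper and not code from any of the tools it describes: it reads flow records in a constructed format (protocol, addresses, ports, optional ICMP type), flags traffic on the default Trinoo and Stacheldraht ports, and flags ICMP ECHO REPLY packets that no earlier ECHO request from the receiving host explains, which is how the TFN and Stacheldraht control channels look on the wire. The record format, the sample flows and the rule names are assumptions made for the example. As the notes above say, the default ports are easily changed, so a hit is a lead to investigate on the host, not proof by itself.

```python
"""Flag flow records that match the default control channels of Trinoo and
Stacheldraht, plus ICMP echo replies no request explains (TFN/Stacheldraht).
Added example; the record format and sample data are constructed for it."""
import ipaddress

# Default ports from the tool descriptions above. They are defaults only: the
# handler/agent code can be rebuilt with any port, so a match is a lead, not proof.
DEFAULT_PORTS = {
    ("tcp", 1524): "trinoo", ("tcp", 27665): "trinoo",
    ("udp", 27444): "trinoo", ("udp", 31335): "trinoo",
    ("tcp", 16660): "stacheldraht", ("tcp", 65000): "stacheldraht",
}
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def parse_flow(line):
    """Parse one record in the assumed format:
    '<proto> <src_ip> <src_port> <dst_ip> <dst_port> [icmp_type=<n>]'."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"malformed record: {line!r}")
    proto, src, sport, dst, dport = fields[:5]
    rec = {
        "proto": proto.lower(),
        "src": str(ipaddress.ip_address(src)),   # validates the address
        "sport": int(sport),
        "dst": str(ipaddress.ip_address(dst)),
        "dport": int(dport),
        "icmp_type": None,
    }
    for extra in fields[5:]:
        key, _, val = extra.partition("=")
        if key == "icmp_type":
            rec["icmp_type"] = int(val)
    return rec


def find_ddos_control_traffic(lines):
    """Return a list of (line_no, rule, src, dst) findings, in log order."""
    findings = []
    # (requester, target) pairs with an echo request seen so far; a later reply
    # from target back to requester is then expected and not flagged.
    outstanding_requests = set()
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_flow(line)
        proto = rec["proto"]
        # Match either direction: an agent connecting to a handler port, or the
        # handler answering from it.
        hits = {DEFAULT_PORTS[k] for k in ((proto, rec["sport"]), (proto, rec["dport"]))
                if k in DEFAULT_PORTS}
        for tool in sorted(hits):
            findings.append((n, f"{tool}-default-port", rec["src"], rec["dst"]))
        if proto == "icmp":
            if rec["icmp_type"] == ICMP_ECHO_REQUEST:
                outstanding_requests.add((rec["src"], rec["dst"]))
            elif rec["icmp_type"] == ICMP_ECHO_REPLY:
                pair = (rec["dst"], rec["src"])  # the request went the other way
                if pair in outstanding_requests:
                    outstanding_requests.discard(pair)
                else:
                    findings.append((n, "unsolicited-icmp-echo-reply", rec["src"], rec["dst"]))
    return findings


# Constructed sample records (not a real capture): an internal host talking to a
# Trinoo handler port, a normal ping exchange, an echo reply with no matching
# request, a connection to a Stacheldraht handler port, and ordinary HTTPS.
SAMPLE_FLOWS = """\
# proto src_ip src_port dst_ip dst_port [icmp_type=N]
tcp  192.0.2.10  41022 198.51.100.7 27665
udp  192.0.2.10  53    198.51.100.7 53
icmp 192.0.2.11  0     203.0.113.5  0 icmp_type=8
icmp 203.0.113.5 0     192.0.2.11   0 icmp_type=0
icmp 203.0.113.9 0     192.0.2.12   0 icmp_type=0
tcp  192.0.2.12  51234 198.51.100.7 16660
tcp  192.0.2.13  51235 198.51.100.7 443
""".splitlines()

if __name__ == "__main__":
    for line_no, rule, src, dst in find_ddos_control_traffic(SAMPLE_FLOWS):
        print(f"line {line_no}: {rule}: {src} -> {dst}")
```

Run against real data, the records would come from NetFlow or a packet capture rather than the embedded sample, and the echo-request bookkeeping would need a time window so that old requests do not excuse much later replies. Hosts that show up as sources of unsolicited ECHO REPLY traffic or as peers of the default ports are the ones to examine for the handler or agent binaries.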

For a detailed analysis of these DDoS programs, read the following articles.

Note: The following links point to external web sites not maintained by Cisco Systems
