10/3/2007 08:16 AM

How to Trace a DDOS Attack

ISPs, researchers outline steps to sleuth the sources of increasingly dangerous distributed denial-of-service attacks

At almost any time of the day, there's a distributed denial-of-service (DDOS) attack underway somewhere on the Internet.

Yes, it's still true, despite reports that some ISPs have experienced fewer DDOS attacks overall during the last six months. It's a matter of quality, not quantity: "When DDOSes do occur, they are done with much greater purpose than they used to be," says Rodney Joffe, senior vice president and senior technologist for Neustar, a directory services and clearinghouse provider for the Internet industry. "They are usually to obscure what's [really] happening in the background."

Phishing and pharming are more lucrative for cybercriminals, he says. "So they are using DDOS strategically" instead of as the main attack mode.

ISPs consider DDOS attacks -- where an attacker floods network connections, Websites, or systems with packets -- one of their biggest threats. Most of these attacks are being waged by botnets -- some as large as tens of thousands of bot machines, according to a recent survey of ISPs by Arbor Networks. Arbor found an average of 1,200 DDOS attacks each day across 38 ISP networks. On 220 of the last 365 days, there has been at least one DDOS attack of one million packets per second, says Danny McPherson, chief research officer for Arbor Networks. (See Report: Attacks on ISP Nets Intensifying.)

Just like botnets, DDOS attacks have become stealthier and tougher to trace than ever, with layers of bot armies disguising the original source. "Tracing a DDOS is a particularly vexing problem, with the whole notion of obfuscation and onion routing [techniques]," says Steve Bannerman, vice president of marketing and product management for Narus. (See ISPs Try on Anti-Botnet Services Model.)

And finding the origin of the attack is becoming more important than ever. Some DDOSes won't die if you don't really get to the source. "It's critical to ID the source in some cases -- not just because [you] want to know who's behind it, but [you] can't actually stop the attack" until you do, Joffe says.

But finding the source isn't as simple as identifying the IP addresses of the actual bots that sent the packets. "In a large-scale DDOS, you don't initially ID the source, because it's often innocent," he says. "It tells you these 25,000 machines worldwide are the source of this attack, but it's a giant problem to track the owners of all those machines and get them to stop. Almost without exception, they are innocent owners who have no idea -- and would not know how to turn [the attack] off."

There are three main stages of mitigating a DDOS attack. The key is for ISPs to stop the damage, while at the same time carefully peeling back the layers of the attack to be sure they actually get to the root of it.

Stage 1: The First Five Minutes

Like any attack, it's the first few minutes that are the most crucial to minimizing the damage -- and getting the victim organization back online if the attack has overwhelmed its connection. "This requires a well-oiled group to react -- to spot it and push mitigation in place in real-time," Joffe says.

Devices like Arbor Networks's IPS can filter out the bad traffic at the edge. "This allows you to push the attack back upstream through the major backbone providers, where you can once again begin to operate" normally, he says.

It's in this phase that the ISP can trace the direct attackers, usually the clueless, infected bots that launched the packets at the victim. But these decoys are just the first layer of the attack. "How do you contact those 35,000 machine owners somewhere in the world? That would take a few weeks," he says. "But the problem is in the first five minutes."

That's if you can trace the bots at all: Many sophisticated botnet operators hijack so-called "darknet" IP addresses -- the unused IP address space held by ISPs -- to make themselves harder to trace. "When you try to trace it back, you find the addresses were hijacked, so you don't know who the attacker is," Narus's Bannerman says. So Narus's system monitors traffic for so-called "hijacked prefixes," he says.
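As an added illustration (not code from the article, nor from Narus or Arbor), the following Python shows the two checks a stage-1 responder runs over flow exports: which destinations are receiving traffic above a packet-rate threshold, and which source addresses fall inside prefixes the operator holds but has never allocated, the "darknet" space described above, so that the apparent source cannot be an identifiable bot owner. The prefixes, the flow records, and the one-million-packets-per-second threshold (borrowed from Arbor's figure above) are all constructed sample values; a real deployment would read NetFlow or sFlow records and the operator's own allocation database.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder prefixes standing in for address space the operator holds
# but has never allocated or announced (the article's "darknet" space). A real
# deployment would load these from the operator's own allocation records.
DARKNET_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Constructed NetFlow-style records: (src_ip, dst_ip, packets, duration_seconds).
SAMPLE_FLOWS = [
    ("192.0.2.10",     "192.0.2.200", 120_000,   10),
    ("203.0.113.45",   "192.0.2.200", 9_000_000, 10),  # source inside unallocated space
    ("198.51.100.200", "192.0.2.200", 4_500_000, 10),  # source inside unallocated space
    ("198.51.100.20",  "192.0.2.200", 50_000,    10),  # same /24, but the allocated half
    ("192.0.2.77",     "192.0.2.201", 800,       10),
]

def is_darknet_source(src_ip, prefixes=DARKNET_PREFIXES):
    """True if the source address lies in a prefix the operator has not allocated."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)

def flag_hijacked_sources(flows, prefixes=DARKNET_PREFIXES):
    """Sources that should not be sending anything at all; traffic from them points
    at a hijacked prefix rather than at an identifiable bot owner."""
    return sorted({src for src, _, _, _ in flows if is_darknet_source(src, prefixes)})

def pps_by_destination(flows):
    """Aggregate packets per second toward each destination across all flows."""
    totals = defaultdict(float)
    for _, dst, packets, seconds in flows:
        totals[dst] += packets / seconds
    return dict(totals)

def targets_over_threshold(flows, pps_threshold=1_000_000):
    """Destinations whose aggregate rate meets the threshold (1 Mpps, the figure
    Arbor quotes in the article, is used here only as a constructed example value)."""
    rates = pps_by_destination(flows)
    return sorted(dst for dst, pps in rates.items() if pps >= pps_threshold)

if __name__ == "__main__":
    print("targets under flood:", targets_over_threshold(SAMPLE_FLOWS))
    print("sources from unallocated space:", flag_hijacked_sources(SAMPLE_FLOWS))
```

The prefix check deliberately matches on the operator's own unallocated ranges rather than on a public bogon list: the article's point is that attackers use space the ISP itself holds and never assigned, which only the ISP's allocation records can reveal. Whether such a prefix is also being announced in BGP by someone else is a separate routing-side check this snippet does not attempt.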

Still, the priority of the enterprise under siege isn't identifying the bad guy -- it's ending the attack. "They are less concerned about the source of the attack and taking any other [investigative] actions -- which lead into forensics and legal, which may be futile," says Cecil Adams, senior product manager for Verizon Business, which offers a DDOS service. "They look to us to stop the attack... We make sure all the links are not congested with it."

That means filtering out the malicious traffic, and also working with other ISPs. Verizon can identify whether an attack is spoofed, or whether it originated from another provider or a third party, Adams says. "Then we can close out the botnets generating the traffic," he says.

Stage 2: The First Hour

Once the attacking packets have been blocked and the victim is recovering, it's time to trace the command and control infrastructure behind the DDOS-attacking botnet. "This is not as easy as it used to be," Neustar's Joffe says. Botnets are increasingly using encrypted links and peer-to-peer connections rather than the more conspicuous Internet Relay Chat (IRC) channels that are often used for nefarious purposes.

"This [stage] requires a lot more resources, cooperation, and knowledge," he says.

It's in this stage that ISPs and researchers look at things from the point of view of the target of the DDOS. Who might be a logical attacker? A competitor? A crime ring that's been waging these attacks regularly?

Neustar lurks in underground chat sites to check for any hints or intelligence on the attacks or who might be behind them. And it tries to track how the bots are getting their orders, and over what communications channel.

"If we can disrupt that particular channel, it may have the ability to stop the attack more easily than trying to shut down 35,000 bot machines," he says. And that means going after the second layer of the command and control infrastructure. "They tend not to use their own machines in any part other than at the initial site to communicate," he says. "Ten or 15 machines actually operate as the controllers... We can contact those owners and ISPs can block those machines. That's more manageable."
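As an added example, not the article's or Neustar's own method, here is one way to approach the "second layer" Joffe describes once stage 1 has produced a list of direct attack sources: look for the few hosts that most of those bots contacted in the minutes before the flood began, since a shared rendezvous point is a candidate controller that an ISP can act on far more easily than tens of thousands of infected machines. The connection records, bot addresses, ports, attack start time and look-back window are all constructed placeholders.

```python
from collections import defaultdict

# Constructed connection records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Addresses come from documentation/private ranges and are for illustration only.
KNOWN_BOTS = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}  # from stage 1
ATTACK_START = 1000  # constructed: when the flood toward the victim was first seen

CONNECTIONS = [
    (500,  "10.0.0.1", "192.0.2.50",   6667),  # too early: outside the look-back window
    (900,  "10.0.0.1", "192.0.2.50",   6667),  # all four bots check in with the same host
    (905,  "10.0.0.2", "192.0.2.50",   6667),
    (910,  "10.0.0.3", "192.0.2.50",   6667),
    (912,  "10.0.0.4", "192.0.2.50",   6667),
    (915,  "10.0.0.1", "198.51.100.9", 443),   # ordinary traffic from a single bot
    (920,  "10.0.0.2", "203.0.113.7",  80),
    (930,  "10.0.0.9", "192.0.2.50",   6667),  # not a known bot: ignored
    (1005, "10.0.0.1", "192.0.2.200",  80),    # the flood itself, after ATTACK_START
    (1006, "10.0.0.2", "192.0.2.200",  80),
]

def rendezvous_points(connections, bots, attack_start, window=300):
    """Map each (dst_ip, dst_port) to the set of known bots that contacted it
    within `window` seconds before the attack began."""
    contacted_by = defaultdict(set)
    for ts, src, dst, port in connections:
        if src in bots and attack_start - window <= ts < attack_start:
            contacted_by[(dst, port)].add(src)
    return contacted_by

def candidate_controllers(connections, bots, attack_start, window=300, min_fraction=0.5):
    """Return [((dst_ip, dst_port), fraction_of_bots)] for destinations shared by at
    least `min_fraction` of the known bots, highest fraction first."""
    shared = rendezvous_points(connections, bots, attack_start, window)
    ranked = [(key, len(srcs) / len(bots)) for key, srcs in shared.items()]
    return sorted([r for r in ranked if r[1] >= min_fraction], key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for (dst, port), fraction in candidate_controllers(CONNECTIONS, KNOWN_BOTS, ATTACK_START):
        print(f"{dst}:{port} contacted by {fraction:.0%} of known bots before the flood")
```

The ranking uses the fraction of bots rather than a raw connection count so that a popular public service one bot happened to use does not outrank a host that every bot touched. With encrypted or peer-to-peer command channels, as the article notes, the shared destination may itself be just another infected peer, so the output is a starting list for the owner and ISP contacts Joffe describes, not a final answer.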

Stage 3: The Investigation

Putting a face to the bad guys behind the attack is the stage where most ISPs prefer to defer to law enforcement and security researchers. They cooperate with law enforcement, but must be mindful of NDAs and privacy concerns with their customers.

"A lot of this doesn't get reported," Arbor's McPherson says. "Most of the time, network operators don't want to be party to that [law enforcement investigation]. ISPs typically aren't the actual target, and they [have to protect] customer data. And the victims don't want to report an attack because it could damage their reputation."

Not only that, but there's not one central place to report a DDOS attack, he says.

And even in the aftermath of a DDOS, it can take hours or days to determine the real objective of the attack, which is typically a diversion for a backdoor and a more dangerous targeted attack. "More often than not, you discover that what looked like the target really wasn't the end target," Joffe says.


  • Arbor Networks Inc.
  • NeuStar Inc. (NYSE: NSR)
  • Narus Inc.
  • Verizon Business

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Marilyn Cohodas, User Rank: Strategist
4/8/2014 | 9:38:36 AM
Re: well this is not what we are looking for
@AcurizerF154. The article you are viewing is seven years old. We have much more recent content that I think will be more useful. Just search on "DDoS attack." Here's one by Dave Piscitello, VP Security, ICANN, that I think has some excellent advice.

    DDoS Attack! Is Regulation The Answer?

    Four security experts weigh in on why there's been little progress in combating DDoS attacks and how companies can start fighting back.

     
    AcurizerF154
    50%
    50%
    AcurizerF154,
    User Rank: Apprentice
    4/8/2014 | 9:20:33 AM
    well this is not what we are looking for
    ITS FUNNEY AS HELL THAT THIS DOENT TELL HOW TO TRACE A DDOS ATTACK ONLY FEEDS US A LINE OF BULLSHIT