Trends in Denial of Service
CERT® Coordination Center
Kevin J. Houle, CERT/CC
George M. Weaver, CERT/CC
In collaboration with:
CERT and CERT Coordination Center are registered
in the U.S. Patent and Trademark Office.
Copyright 2001 Carnegie Mellon University
In November of 1999, the CERT® Coordination Center (CERT/CC) sponsored the Distributed Systems Intruder Tools (DSIT) Workshop where a group of security experts outlined the emerging threat of distributed denial of service (DDoS) attack technology. Since then, denial of service (DoS) attack technology has continued to evolve and continues to be used to attack and impact Internet infrastructures.
Advances in intruder automation techniques have led to a steady stream of new self-propagating worms in 2001, some of which have been used to deploy DoS attack technology. Windows end-users and Internet routing technology have both become more frequent targets of intruder activity. The control mechanisms for DDoS attack networks are changing to make greater use of Internet Relay Chat (IRC) technology. The impacts of DoS attacks are causing greater collateral damage, and widespread automated propagation itself has become a vehicle for causing denial of service.
While DoS attack technology continues to evolve, the circumstances enabling attacks have not significantly changed in recent years. DoS attacks remain a serious threat to the users, organizations, and infrastructures of the Internet. The goal of this paper is to highlight recent trends in the deployment, use, and impact of DoS attack technology based on intruder activity and attack tools reported to and analyzed by the CERT/CC. This paper does not propose solutions, but rather aims to serve as a catalyst to raise awareness and stimulate further discussion of DoS related issues within the Internet community.
The traditional intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort, and resources spent securing against intrusion, Internet connected systems face a consistent and real threat from DoS attacks because of two fundamental characteristics of the Internet.
The Internet is comprised of limited and consumable resources The infrastructure of interconnected systems and networks comprising the Internet is entirely composed of limited resources. Bandwidth, processing power, and storage capacities are all common targets for DoS attacks designed to consume enough of a target’s available resources to cause some level of service disruption. An abundance of well-engineered resources may raise the bar on the degree an attack must reach to be
effective, but today’s attack methods and tools place even the most abundant resources in range for disruption.
Internet security is highly interdependent
DoS attacks are commonly launched from one or more points on the Internet that are external to the victim’s own system or network. In many cases, the launch point consists of one or more systems that have been subverted by an intruder via a security-related compromise rather than from the intruder’s own system or systems. As such, intrusion defense not only helps to protect Internet assets and the mission they support, but it also helps prevent the use of assets to attack other Internet-connected networks and systems. Likewise, regardless of how well defended your assets may be, your susceptibility to many types of attacks, particularly DoS attacks, depends on the state of security on the rest of the global Internet.
Defending against DoS attacks is far from an exact or complete science. Rate limiting, packet filtering, and...