Denial of Service and

Distributed Denial of Service

Protection

503162-001 06/05
Introduction
The degraded service and lost business from a Denial of Service (DoS) attack can lead to
staggering costs both during and after an attack. For an e-commerce site like eBay or
Buy.com, one day of downtime due to a DoS attack can cost in the tens of millions of dollars in
lost revenue. The SQL Slammer worm, a DoS attack that made mission-critical Microsoft SQL
servers inaccessible, cost corporations billions of dollars worldwide. Beyond worms, targeted
DoS attacks are on the rise. According to the 2004 CSI/FBI Computer Crime and Security
Survey, targeted DoS attacks were the most expensive computer threat last year, causing over
$26M in damages for the 250 companies included in the survey,
more than double in any other category. Beyond the immediate “DoS attacks were the
costs, the lasting effects of a successful DoS attack include lost most expensive
computer crime last
customers, loss of faith in the service’s dependability, and damage to
year, more than double
the corporate brand. any other category.”
2004 CSI/FBI Computer
A recent trend in DDoS attacks reveals a new twist in the spiraling Crime and Security
costs to companies and organizations. The evolution of Denial of Survey
Service attacks began with hackers that targeted larger websites for
“Denial of Service (DoS)
the thrill of hacking.1 However, as the opportunities increase, attacks are on the rise.
organized crime has set their sights on companies with more to lose Denial of Service
in their businesses and reputations, such as online banks, lenders, protection is a natural
and service providers. extension for intrusion
prevention systems
because they are in-line
Organized crime syndicates extort money from online companies by and have the ability to
demanding money to keep them from receiving severe DDoS deeply inspect and
attacks. If a company does not meet the demands, the attackers classify traffic, then take
bombard the company’s systems with constant and overwhelming action accordingly.”
Richard Stiennon,
DDoS attacks from thousands of zombies, placing their eCommerce
Gartner Research Vice
businesses into gridlock. President

What is a Denial of Service Attack?

Denial of Service (DoS) attacks are network-based attacks that prevent access to a service.
DoS attacks disable a network service by flooding connections, crashing servers or programs
running on the servers, exhausting server resources, or otherwise preventing legitimate clients
from accessing the network service.

DoS attacks range from single packet attacks that crash servers to coordinated packet floods
from multiple hosts. In single packet attacks, a carefully crafted packet that exploits a known
operating system or application vulnerability is sent through the network to disable a server
and/or any associated services it performs. The Slammer worm exploited one such
vulnerability.

In a flood attack, server or network resources are corrupted or exhausted by a flood of

packets. Since a single site launching a flood can be identified and isolated fairly easily, a

1
Naftali Bennett, chief executive officer of U.S. Internet security company Cyota, quoted by Robin Arnfield in
“Credit-Card Processor Hit by DDoS Attack” for NewsFactor

Page 2
more sophisticated approach, called a Distributed DoS (DDoS) attack, is the tool of choice for
many flood attacks.

In a DDoS attack, an attacker uses multiple machines to assault a target. Some attacks are
simple in design, such as sending a relentless stream of data to flood the network connection
to the server. Other attacks, such as SYN floods, use carefully crafted packets to exhaust
critical server resources in order to prevent legitimate clients from connecting to the server.

Regardless of the specifics, a DDoS attack utilizes a significant number of machines in a

coordinated manner. These machines, known as zombies, are machines that have been
previously compromised and are under the attackers control. Hackers often boast about the
number of zombies that they have under their control. By sending commands to the zombies
over covert communication channels, hackers can stage large coordinated attacks. Because
the attack is originating from a large number of PCs spread across a wide network, simple
identification and isolation techniques do not work. In many cases, it is extremely difficult to
separate legitimate traffic from attack traffic.

As more PCs gain broadband access from homes, the field of potential zombies increases.
Experts estimate that 1/3 of home user PCs on the Internet have been compromised. The
sophistication required and barrier to launching these DDoS attacks has been greatly reduced
through the availability of packaged tools (e.g., Tribe Flood Network and Stacheldracht) that
are freely available on the Internet.

TippingPoint’s Solution
In response to the evolving nature of DoS and DDoS attacks, TippingPoint has developed an
arsenal of protection mechanisms corresponding to the methods attackers employ. The
TippingPoint Intrusion Prevention System (IPS) operates in-line to protect a network and the
hosts connected to it by examining every bit of traffic that passes through it and filtering out
unwanted traffic.

TippingPoint has two primary classes of protection: Standard DoS protection and Advanced
DDoS protection. Standard DoS protection provides a base level of protection against
vulnerabilities, attack tools, and traffic anomalies. Advanced DDoS protection guards against
SYN flood, established connection flood, and connections per second flood attacks.

TippingPoint provides Standard DoS Protection in all its IPS products:

• Vulnerability Protection — Protects against DoS attacks that crash servers by

exploiting known vulnerabilities.
• Zombie Recruitment Protection — Protects against Zombie recruitment of systems
through Trojan programs.
• Attack Tool Protection — Blocks the covert channels used by well-known DDoS
attack programs including TFN, Loki, and Stacheldraht.
• Bandwidth Protection — Protects against packet floods like ICMP, TCP or UDP that
can consume network bandwidth or server resources causing legitimate packets to be

Page 3
 dropped. These filters baseline and throttle traffic when it goes beyond a set
percentage.

Advanced DDoS Protection provides the following additional protection:

• SYN Proxy — An attacker floods a server with malicious connection requests (TCP
SYNs) with spoofed source IP addresses, preventing legitimate clients from accessing
the server.
• Connection Per Second (CPS) Flood — An attacker uses a Zombie army to
repeatedly request resources, such as Web pages, from a server. The resulting load
makes the server sluggish or inaccessible.
• Established Connection Flood — An attacker uses a Zombie army establish a large
number - potentially millions - of malicious TCP connections to a server, preventing it
from accepting new requests from legitimate clients.

Standard and Advanced DoS/DDoS protection work together to stop surgical and brute force
DoS attacks and prevent the recruitment of new zombies.

Seven Common DoS Attack Methods

Hackers have an arsenal of methods to enact Denial of Service (DoS) attacks. The following
seven sections highlight the extent of the dilemma faced by organizations trying to combat the
DoS threat. TippingPoint provides solutions to combat these common methods of DDoS
attacks:
• Vulnerabilities
• Zombie Recruitment
• Attack Tools
• Bandwidth Attacks
• SYN Floods
• Established Connection Floods
• Connections-Per-Second Floods

Method 1 — Vulnerabilities
Attackers can attempt to crash a service or underlying operating system directly through a
network. These attacks disable services by exploiting buffer overflows and other
implementation loopholes that exist in unprotected servers. Vulnerability attacks do not require
extensive resources or bandwidth to perpetrate; attackers only need to know of the existence
of a vulnerability to be able to exploit it and cause extensive damage.

Once an attacker has control of a vulnerable service, application, or operating system, they
abuse the opening to disable systems and ultimately crash an entire network from within.

The TippingPoint Solution for Vulnerabilities

TippingPoint provides a powerful engine that detects and blocks attempts to exploit
vulnerabilities for all incoming and outgoing traffic. The TippingPoint security team
simultaneously develops attack filters to address discovered vulnerabilities in network services
and operating systems and incorporates these filters into Digital Vaccines. Digital Vaccines are

Page 4
delivered to customers every week, or immediately when critical vulnerabilities emerge, and
can be deployed automatically without user interaction for automatic protection.

Method 2 — Zombie Recruitment To perpetrate an attack

using a large number of
The same vulnerabilities used to crash a server allow hackers to hosts that attack
transform vulnerable PCs into DDoS zombies. Once the hacker simultaneously,
exploits the vulnerability to gain control of the system, they plant a attackers infect hosts
backdoor into the system for later use in perpetrating DDoS with a “zombie” or agent
attacks. The Trojan or similar infection provides a path into the program, which connects
to a pre-defined master
system. Once the attacker has the path, they remotely control the host. Once connected,
network, making the server a “Zombie” that waits for the given the attacker can send
attack command. Using these zombies, attackers can send a the command across the
multitude of DoS and DDoS attacks with anonymity. entire zombie network.

Viruses can also be used for Zombie recruitment. For instance, the TippingPoint protects
against Zombie attacks
MyDoom virus was designed to convert PCs into Zombies that by detecting and
attacked SCO and Microsoft at a predetermined time programmed blocking the viruses
into the virus. Other viruses install backdoors that allow hackers to used to introduce the
launch coordinated attacks, increasing the distribution of the Zombie agent.
attacks across networks around the globe.

The following figures detail how attackers create and launch these attacks against a network.

The attacker builds a pool of zombies by compromising unprotected computers.

Page 5
 The attacker launches an attack against a server/network using zombie computers. The attack cripples
performance and blocks the network from receiving legitimate traffic.

The TippingPoint Solution for Zombie Recruitment

In addition to the previously described vulnerability protection, the TippingPoint IPS includes
filters to detect and block viruses. The combined effects of virus and vulnerability filters make it
virtually impossible for hackers to recruit new zombies.

Method 3 — Attack Tools

Through zombie recruitment, hackers use covert communication channels to contact and
control their zombie army. They can select from hundreds of off-the-shelf backdoor programs
and custom tools from websites. These tools and programs initiate these attacks to infiltrate
and control networks as zombie armies to enact further attacks from within. Once they have
the zombie systems, they can use other tools to send a single command to all zombies
simultaneously. In some cases, commands are carried in ICMP or UDP packets that can
bypass firewalls. In other cases, the zombie “phones home” by creating a TCP connection to
the master. Once the connection is created, the master can control the Zombie.

Page 6
The tools used to attack and control systems include:

• Tribe Flood Network (TFN) — Focuses on Smurf, UDP, SYN, and ICMP echo
request floods.
• Tribe Flood Network 2000 (TFN2K) — The updated version of TFN.
• Trinoo — Focuses on UDP floods. Sends UDP packets to random destination ports.
The size is configurable.
• Stacheldraht — Software tool that focuses on TCP, ACK, TCP NULL, HAVOC, DNS
floods, and TCP packet floods with random headers.

DDoS tools are maturing both in terms of covert channel implementation and in DDoS
flooding techniques. New tools utilize arbitrary port numbers or work across IRC. Further,
smarter tools intelligently disguise flooding packets as legitimate service requests and/or
introduce a high degree of randomness. These enhancements make it increasingly difficult
for a port-filtering device to separate attack packets from legitimate traffic.

The TippingPoint Solution for DDoS Tools

TippingPoint offers hundreds of filters that accurately detect and block the covert
communication channels, disrupting the command and control network of the hackers DDoS
army. When combined with virus and vulnerability protection, TippingPoint prevents
recruitment of new zombies, blocks communications to existing zombies, and gives the
administrator detailed information needed to clean the infected system.

Method 4 — Bandwidth Attacks

When a DDoS attack is launched, it can often be detected as a significant change in the
statistical composition of the network traffic. For example, a typical network might consist of
80 percent TCP and a 20 percent mix of UDP and ICMP. A change in the statistical mix can
be a signal of a new attack. For instance, the Slammer worm resulted in a surge of UDP
packets, whereas the Welchi worm created a flood of ICMP packets. Such surges can be
DDoS attacks or so-called zero-day attacks – attacks that exploit undisclosed vulnerabilities.

The TippingPoint Solution for Bandwidth Attacks

The TippingPoint IPS provides statistical anomaly filters to detect To provide greater
packet floods and rate-shaping to mitigate their effects. protection of a network,
TippingPoint provides both protocol and application traffic threshold The UnityOne
incorporates advanced
filters. Protocol traffic threshold filters can be created for TCP, traffic pattern monitoring
UDP, ICMP, and other IP protocols. Application traffic threshold and filters to watch for
filters monitor traffic to specific TCP and UDP ports. Both types of and react to possible
statistical anomaly filters create a baseline of normal levels for one traffic anomalies. These
traffic type and alert if the traffic of that type surges above a user- sudden changes in traffic
could indicate an attack.
defined level. For example, you can create a protocol traffic With these advanced
threshold filter that creates a baseline of the normal level for ICMP features, the UnityOne
traffic and alerts if the ICMP traffic levels exceed 300% of normal. provides the best
protection of an
organization’s assets.

Page 7
In addition to alerting, the TippingPoint IPS can prevent the monitored traffic from exceeding
or consuming more than a preset amount of network bandwidth. For example, if ICMP traffic
exceeds 500% of normal, it can be rate-limited so that it uses no more than 3 Mbps. This
powerful capability controls excessive bandwidth consumption of non-mission critical
applications and ensures bandwidth availability for mission critical traffic. The aggressive
propagation traffic produced by recent worms has resulted in DoS attacks against routers,
firewalls, and other network infrastructure elements. Limiting this traffic to a capped
bandwidth keeps the network running and stifles the attack.

Traffic threshold filters are edge-triggered. These filters fire when the threshold is exceeded
and again when the threshold is no longer being exceeded. These triggers provide
information on the duration of each change in traffic patterns.

Method 5 — SYN Flood

One of the most common types of DoS attacks is the SYN Flood. SYN Floods are one of the
This attack can be launched from one or more attacker machines oldest DoS attacks in
to disable access to a target server. The attack exploits the existence. Any
knowledgeable person can
mechanism used to establish a TCP connection. Every TCP
launch a TCP SYN flood,
connection requires the completion of a three-way handshake making this attack one of
before it can pass data: the most common. Without
proper protection, SYN
• Connection Request — First packet (SYN) sent from the floods can place an entire
organization at risk.
requester to the server, starting the three-way handshake
• Request Acknowledgement — Second packet As DoS attacks bombard a
(SYN+ACK) sent from the server to the requester network, the requests
• Connection Complete — Third packet (ACK) sent from quickly fill up the
connection table of most
the requester back to the server, completing the three-way network security devices.
handshake
TippingPoint 100E removes
The attack consists of a flood of invalid SYN packets with spoofed DoS attack traffic from the
source IP addresses. The spoofed source address causes the network—the TippingPoint
100E drops the requests
target server to respond to the SYN with a SYN-ACK to an immediately from the
unsuspecting or nonexistent source machine. The target then connection table, as in the
waits for an ACK packet from the source to complete the case of a TCP SYN flood.
connection. The ACK never comes and ties up the connection
table with a pending connection request that never completes. The table will quickly fill up
and consume all available resources with invalid requests. While the number of connection
entries may vary from one server to another, tables may fill up with only hundreds or
thousands of requests. The result is a denial of service since, once a table is full, the target
server is unable to service legitimate requests.

The difficulty with SYN attacks is that each request in isolation looks benign. An invalid
request is very difficult to distinguish from a legitimate one.

Page 8
Figure 1: SYN Flood Attack

The SYN flood attack using spoofed IPs prevents a valid requester
from accessing a server due to lack of connections.

Figure 2: Mitigating SYN Flood Attacks with Proxy Server

TippingPoint 100E

The addition of a TippingPoint 100E with Advanced DDoS Protection (including SYN Proxy filters) prevents
the SYN flood attack from consuming all TCP connections on the server.
A valid request can complete a three-way handshake.

Page 9
The TippingPoint Solution for SYN Floods
The TippingPoint 100E uses advanced methods to detect and When TippingPoint
detects a DoS attack, it
protect enterprise networks against SYN Flood. The IPS acts as a enacts a series of
proxy, synthesizing and sending the SYN/ACK packet back to the actions and notifications
originator, waiting for the final ACK packet. After the IPS receives according to customized
the ACK packet from the originator, the IPS "replays" the three-step settings. Administrators
sequence to the receiver. can set the system to
block, permit, or
generate notifications for
The full attack and response scenario is as follows. the system, users and
1. The attacker sends a SYN packet to the target. The logs.
TippingPoint 100E intercepts the SYN and determines if the
TippingPoint IPS protects the target. Every filter in the IPS
provides protection
2. If so, the IPS generates SYN-ACK on behalf of the target. against a wide variety of
3. If the IPS receives the final ACK of the 3-way handshake, the attacks. Network
IPS validates the ACK by utilizing advanced algorithms to administrators can
verify that this packet is in response to a SYN-ACK customize the settings
generated by the IPS. If so, the IPS creates a connection for filters, including the
following:
with the target.
4. Once both connections are established, TippingPoint ƒ Actions for attack
maintains the data and connection, ensuring safe traffic. If responses
the originator of the attack does not complete the 3-way ƒ Notification contacts
handshake, no packets are sent to the target and no state is for alert messages
maintained on the TippingPoint IPS. ƒ Exceptions for specific
IP addresses
In the case of a SYN flood, respondent is fully protected from the
attack as the TippingPoint 100E scans, detects, and block the SYN flood.

TippingPoint allows the user to designate clients as trusted.

Established connection
Connections from trusted sources are never proxied. Flood attacks can be
some of the most difficult
Method 6 — Established Connection Flood to detect and block.
An Established Connection Flood is an evolution of the SYN Flood These attacks originate
from an IP address that
attack that employs a multiplicity of zombies to perpetrate a DDoS is checked and accepted
attack on a target. Zombies establish seemingly legitimate by a proxy server
connections to the target server. By using a large number of through a complete
zombies, each creating a large number of connections to the target, three-way handshake.
an attacker can create so many connections that the target is no
Once an Established
longer able to accept to legitimate connection requests. For
Connection Flood attack
example, if a thousand zombies create a thousand connections to a enters a network, it
target server, the server must manage a million open connections. strikes against the proxy
The effect is similar to a SYN Flood attack in that it consumes server, intending to
server resources, but is even more difficult to detect. crash it. Once the proxy
crashes, access to
systems and servers
behind the proxy server
is blocked.

Page 10
The TippingPoint Solution for Established Connection Floods
TippingPoint Established Connection Flood filters track the number of connections each
source has made to a protected server. When a source attempts to create more than a
specified number of connections to a protected server, new connections are blocked until the
source closes some connections. For example, TippingPoint can ensure that no single
source can create more than 10 open connections to a server. Thus, a thousand zombies
can create no more than ten thousand connections to a protected server.

Method 7 — Connections Per Second Floods

Connections Per Second (CPS) Flood attacks flood servers with a high rate of connections
from a seemingly valid source. In these attacks, an attacker or army of zombies attempts to
exhaust server resources by quickly setting up and tearing down TCP connections, possibly
initiating a request on each connection. For example, an attacker might use his zombie army
to repeatedly fetch the home page from a target web server. The resulting load makes the
server extremely sluggish.

The TippingPoint Solution for CPS Floods

TippingPoint enables network administrators to create Connections Connections Per Second
Per Second (CPS) filters. Each filter limits the average number of Flood filters working in
conjunction with
connections that a client may open to a particular server per second. Established Connection
Each filter includes a threshold setting of the calculated average Flood filters and SYN
number of connections per second to allow from a particular client. Proxy filters can provide
The network administrator can create a CPS filter for both port A ->B dynamic and powerful
and port B->A traffic. The flexible settings allow customizations for in- protection for your
network traffic.
coming and outgoing traffic and attack detection based on network
traffic needs.

TippingPoint computes the average of a ten second window to allow for normal fluctuations of
traffic. A common traffic pattern is a web browser that opens 10 connections to download a
complex page, then sits idle while the user reads. To accommodate this pattern, the filters
scan and detect against the amount of new connections averaged over a ten second period.
For example, if a filter specifies a maximum of 3.5 connections per second, browsers can
open up to 35 connections in a second. However, after making these connections, the
browser is unable to open any new connections for 9 more seconds. As a result, over the 10-
second period, the browser has averaged 3.5 connections permitted per second. Used in
conjunction with Established Connection filters, CPS Flood protection can provide powerful
detection and protection of a network.

Case Study – eNom

Founded in 1997, eNom, Inc. is one of the largest ICANN accredited domain name registrars
with over four million names. The company suffered from continual DoS attacks against their
servers and customers. According to eNom, their systems suffered DDoS attacks 15 days a
month for each month, January to August 2004. In reviewing their network traffic, the eNom
servers received 6000 to 7000 attack SYNs/second. Peak attacks against the systems
included approximately 40,000 attack SYNs/sec.

Page 11
 To protect their customers and network systems, the company sought an Intrusion Prevention
System to detect and block attacks without interrupting legitimate traffic. Facing a difficult and
costly problem, eNom sought out a group of vendors of IPS systems powered with Denial of
Service protection. The following list includes the vendors they considered for their company’s
network protection and security:

• TippingPoint
• Radware
• Top Layer
• NAI
• Netscreen
“In our evaluation of the
eNom evaluated the TippingPoint 100E IPS system with
leading DoS products,
Advanced Denial of Service (DoS) Protection. The enhanced TippingPoint’s
DoS protection coupled with best-of-breed network protection, TippingPoint has
Digital Vaccine updates, and outstanding technical support performed the best and
provided the solution they needed to ensure continued service for has already blocked
several DoS attacks
their customers. The Advanced DoS Protection blocked a variety
targeting our
of DoS and Distributed Denial of Service (DDoS) attacks including network.”
SYN floods, connection floods, packet floods, and difficult-to- Jim Beaver, VP
detect attacks originating from spoofed and non-spoofed sources. Operations, eNom

IPS “Must Haves”

For the most comprehensive protection for networks, an IPS solution should have a core set of
capabilities. The following table details these attributes according to Intrusion Protection
System companies. Of these must have categories, TippingPoint provides them all with
award-winning products and service.

Attributes
Custom ASICs Y 8 Celerons software software Y Y
50Mbps - 5 Gbps 5 Gbps 2Gbps 1Gbps 500M 3Gbps 2Gbps
Switch-like latency Y N N N Y Y
Inline Attack Blocking 1 1 Limited Limited
Y Y Y Y
Bandwidth Management Y N N N Y N
DDoS SYN Flood Protection Y N N Y Y Y
DDoS Connection Rate Limits Y N N N N Y
Filter Method: Signature Y Y Y Y Y N
Filter Method: Protocol Y Y Y Y N Limited
Filter Method: Vulnerability Y Y Y Limited N N
Filter Method: Traffic Anomaly Y Y N N N Limited
VoIP Protection Y N N N N N
1 Rarely deployed inline, usually as IDS

Page 12
Conclusion
To obtain full protection for DoS attacks, organizations typically need to purchase multiple
proxy servers, network security devices, intrusion preventions systems, as well as software
packages, updates, and expanded licenses as an organization grows.

TippingPoint provides the answer in a single system. The TippingPoint IPS is an easy,
affordable, and scalable solution, equipped with a broad range of protection mechanisms
including, application anomaly filters, protocol anomaly filters, exploit signature filters,
statistical traffic anomaly filters, threshold rate-shaping filters, and advanced DoS/DDoS
filters for detecting and blocking attacks.

Attacks continue to evolve and increase in sophistication. The flexibility of TippingPoint’s

platform offers state-of-the-art protection against current attacks and the power to protect
against future ones.

Copyright © 2005 3Com Corporation. 3Com, 3Com logo, TippingPoint Technologies, the TippingPoint logo and Digital Vaccine are
registered trademarks and Exercise Choice is a trademark of 3Com Corporation. All other company and product names may be trademarks
of their respective holders.

Page 13