Your counsel on defeating DDOS Attacks
The CVE board consists of many of the thought leaders in information security. If possible, would you have a few minutes to look over a document that CERT and CERIAS and SANS and Mudge and Northcutt and major ISPs and security vendors (and a bunch of others) are putting together as an important part of the action plan to follow up the meeting with President Clinton yesterday? The idea is to have a community-wide consensus roadmap that includes the thinking of the best and brightest minds in security. Hence this note to you. Could you take a look at the draft below and send us any and all criticisms you might level at it and changes you would suggest in it? The plan is to have the document presented to the larger community at the Partnership for Critical Infrastructure Security meeting at the US Chamber of Commerce in Washington on Tuesday, and it will be the topic of the security panel at the Virtual Government conference of Federal CIOs on Wednesday. With all that visibility, we really ought to make it right. So please be as critical as you can. There's such a hunger for this document that there's lots of credit to share. Anything you can get back to me by Friday would be much appreciated.

Alan

============

Defeating Distributed Denial of Service Attacks
Version .89, February 16, 2000

Prepared Cooperatively by: CERT/CC at Carnegie Mellon University, The SANS Institute, and The Center for Education & Research in Information Assurance & Security (CERIAS) at Purdue University, with the active participation of more than (xx - now 11) leading Internet and security vendors and major users of Internet technology.

Last week's distributed denial of service attacks illuminated several security weaknesses in hosts and software used in the Internet that put electronic commerce at risk. These attacks also highlight the results of recent trends and serve as a warning for the kinds of high impact attacks that we may see in the near future.
This document outlines key trends and other factors that have exacerbated these Internet security problems, summarizes near-term activities that can be taken to help reduce the threat, and suggests research and development directions that will be required to manage the emerging risks and keep them within tolerable bounds. For each of the problems described, activities are listed for user organizations, Internet service providers, network manufacturers, and system software providers.

Key Trends
----------------

The recent attacks against e-commerce sites demonstrate the opportunities that attackers now have because of several Internet trends and related factors:

· Attack technology is developing in an open-source environment and is evolving rapidly. Technology producers, system administrators, and users are improving their ability to react to emerging problems, but we are behind, and significant damage to our systems and infrastructure can occur before effective defenses can be implemented. As long as our strategies are reactionary, this trend will get worse.

· At any point in time there are hundreds of thousands of systems on the Internet with weak security. Attackers are now compromising these machines and building attack networks. Attack technology takes advantage of the power of the Internet to exploit its own weaknesses.

· Newly emerging problems cannot be eliminated by changing any particular piece of technology; broad community action is required. While point solutions can help dampen the effects of attacks, robust solutions will only come with concentrated effort over several years.

· The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrator technical competence has decreased dramatically in the last 5 years as non-technical people are pressed into service as system administrators.
Additionally, there has been little organized support of higher education programs that can train and produce new scientists and educators with meaningful experience in this emerging discipline.

· Geography and national boundaries play no role in the evolution of attack technology or the deployment of attack tools; solutions must be international in scope.

· The rapid increase of direct-connect homes, schools, libraries, and other venues without trained system administration and security staff is increasing the number of vulnerable systems and will allow attackers to continue to add these systems to their arsenal of captured weapons.

Immediate steps to reduce risk and dampen the effects of attacks
---------------------------------------------

There are several steps that can be taken immediately by user organizations, Internet service providers, network manufacturers, and system software providers to reduce risk and decrease the impact of attacks. We hope that major users, including the government, will lead the user community by setting an example - taking the necessary steps to protect their computers. And we hope industry and government will cooperate to educate the community of users - about threats and potential courses of action - through public information campaigns and technical education programs.

· Problem 1: Spoofing

The current version of the Internet Protocol (IP) in common use allows attackers to hide the identity of their machines in an attack. They do this by falsifying the source address of their message packets. This hides their identity and sometimes shifts attention onto innocent third parties. Solving this problem will not stop attacks, but it will dramatically shorten the time needed to trace attacks back to their origins.

· Solutions: User organizations and Internet service providers can stop nearly all spoofed traffic by allowing outgoing traffic only if its "return address" is permitted.
In other words, no packets leave a site unless they came from a legitimate location inside that site. They should also ensure that no traffic from "unroutable addresses" listed in RFC 1918 is sent from their sites. This activity is often called egress filtering. Users should take the lead in stopping this traffic because they have the capacity on their routers to handle the load. ISPs can provide backup to pick up spoofed traffic that is not caught by user filters. ISPs may also be able to stop spoofing by accepting traffic (and passing it along) only if it comes from authorized sources. That is often called ingress filtering.

· Problem 2: Broadcast Amplification

In a common attack, the malicious user generates packets with a source address of the site he wishes to attack (Site A) (using spoofing as described in Problem 1) and then sends a series of network packets to an organization with lots of computers (Site B), using a special address that broadcasts the packet to every machine at Site B. Unless precautions have been taken, every machine at Site B will respond to the packets and send data to the organization (Site A) that was the target of the attack. The target will be flooded, and people at Site A may blame the people at Site B. The attack goes by the name Smurf.

· Solution: User organizations should block traffic sent to "broadcast" addresses so that their systems cannot be used to amplify these Smurf attacks.

· Problem 3: Dial-Up User Spoofing

Dial-up users are the source of many attacks. Stopping spoofing by these users is an important step.

· Solution: ISPs, universities, libraries, and others that serve dial-up users should ensure that proper filters are in place to prevent those dial-in connections from passing falsified addresses. Some vendors support a "NO_IP_SPOOFING" option, and others should. This option should be enabled when available.

· Problem 4: Unprotected Computers

Many user organizations allow their computers to be vulnerable to take-over for distributed denial of service attacks. When those computers are used in attacks, the carelessness of their owners is instantly converted to major costs, headaches, and embarrassment for the owners of the computers being attacked. Furthermore, once a computer has been compromised, the data may be copied, altered, or destroyed, programs changed, and the system disabled.

Solutions:

· User organizations should check their systems to learn whether they have been infected with DDOS Trojans and remove the infestation.

· User organizations should reduce the vulnerability of their systems by:
  a. installing firewalls with rule sets that deny traffic (in and out) unless given specific instructions to allow it;
  b. verifying that all recommended security patches have been installed on each system that they connect to the Internet;
  c. (for Sun users) ensuring that rpc traffic is allowed only from management systems.

· Users and vendors should cooperate to create "system-hardening" scripts that can be used by less sophisticated users to close known holes and tighten settings to make their systems more secure. Users should use them.

· System software vendors should ship systems where security defaults are set to the highest level of security rather than the lowest level of security. These "secure out-of-the-box" configurations will greatly aid novice users and system administrators and give them a fighting chance of securing their systems.

· System administrators should deploy "best practice" tools including firewalls (as described above), intrusion detection systems, virus detection, and software to detect unauthorized changes to files. This will reduce the risk and increase confidence in the correct functioning of the systems.
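An added example, not part of the draft and not any vendor's router code: the three filtering rules from Problems 1 through 3 (site egress filtering, ISP ingress filtering, and dropping directed broadcasts so a site cannot be a Smurf amplifier) written as a small Python policy check and run over constructed packets. The site prefixes, the dial-up customer prefix and all addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 1918 "unroutable" ranges the draft says must never be sent from a site.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def source_permitted(src, assigned_prefixes):
    """Shared test for egress (site) and ingress (ISP) filtering: the
    packet's source must belong to a prefix assigned to the link it came
    in on and must not be an RFC 1918 address."""
    ip = ipaddress.ip_address(src)
    if any(ip in n for n in RFC1918):
        return False
    return any(ip in n for n in assigned_prefixes)

def site_outbound_verdict(src, site_prefixes):
    """Egress filtering (Problem 1), applied by the site to packets leaving it."""
    return "allow" if source_permitted(src, site_prefixes) else "drop: spoofed or unroutable source"

def isp_inbound_verdict(src, customer_prefixes):
    """Ingress filtering (Problems 1 and 3), applied by the ISP to packets
    arriving from a customer or dial-up link, using the prefixes it assigned."""
    return "allow" if source_permitted(src, customer_prefixes) else "drop: source not authorized for this link"

def site_inbound_verdict(dst, site_prefixes):
    """Smurf defence (Problem 2): the site drops packets addressed to the
    broadcast address of any of its own subnets, so its hosts cannot be
    made to answer en masse to a spoofed victim."""
    d = ipaddress.ip_address(dst)
    if any(d == n.broadcast_address for n in site_prefixes):
        return "drop: directed broadcast"
    return "allow"

# Constructed sample: Site B owns two documentation-range subnets, and an
# ISP has assigned a third documentation range to its dial-up pool.
SITE_B = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]
DIALUP_POOL = [ipaddress.ip_network("203.0.113.0/24")]

def demo():
    """Run the checks over constructed packets and return the verdicts."""
    return {
        "out_legit":        site_outbound_verdict("192.0.2.10", SITE_B),
        "out_spoofed":      site_outbound_verdict("203.0.113.5", SITE_B),   # claims to be elsewhere
        "out_private":      site_outbound_verdict("10.1.2.3", SITE_B),
        "isp_dialup_ok":    isp_inbound_verdict("203.0.113.5", DIALUP_POOL),
        "isp_dialup_spoof": isp_inbound_verdict("192.0.2.10", DIALUP_POOL),  # dial-up host posing as Site B
        "in_smurf":         site_inbound_verdict("198.51.100.127", SITE_B),  # broadcast of the /25
        "in_normal":        site_inbound_verdict("198.51.100.20", SITE_B),
    }
```

Real deployments express the same tests as router access lists on the border and on the ISP's customer-facing interfaces; the logic is identical.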
Long term efforts to provide adequate safeguards
--------------------------------------------

The steps listed above are needed now to allow us to begin to move away from the extremely vulnerable state we are in now. While these steps will help, they will not adequately reduce the risk given the trends listed above. These trends hint at new security requirements that will only be met if information technology on the Internet is changed in fundamental ways. In addition, research is needed in the area of policy and law to enable us to deal with aspects of the problem that technology improvements will not be able to address. The following are some of the items that should be considered.

· Accelerate the adoption of Internet Protocol Version 6 and Secure Domain Name Service.

· Increase the emphasis on security in the research and development of Internet II.

· Sponsor research in network protocols and infrastructure to implement real-time flow analysis and flow control.

· Test deployment of, and continue research in, anomaly-based and other forms of intrusion detection.

· Sponsor research in policy that leads to uniform security policy to protect systems and outline security responsibilities of network operators, Internet service providers, and Internet users.

· Sponsor research and development of a secure communications infrastructure that can be used by network operators and Internet service providers to enable real-time collaboration when dealing with attacks.

· Sponsor research and development leading to next generation operating systems that are at least an order of magnitude easier to secure and manage.

· Sponsor research into survivable systems that are better able to resist, recognize, and recover from attacks while still providing critical functionality.

· Sponsor research into better forensic tools and methods to trace and apprehend malicious users without forcing the adoption of privacy-invading monitoring.

· Provide meaningful infrastructure support for centers of excellence in infosec education and research to produce a new generation of leaders in the field.

· Consider changes in Federal policy to consider security and safety rather than simply cost when acquiring information systems, and to hold managers accountable for poor security.