SSD Self-Purging

March 7, 2011

Researchers from Australia have published a new paper indicating that forensic tasks will be a lot more difficult on solid-state drives than they are on standard hard drives. Routines built into the drive hardware to clean up unused space will alter data, without any human intervention at all. Worse yet, tools like “write blockers” are ineffective because the actions are internal to the drive and not initiated from the outside.

Evidence gathering is going to be a lot tougher until some new tools are developed.


Definition Monday: DDoS Attacks

March 7, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: DDoS Attacks.

A Distributed Denial of Service Attack, often referred to as a DDoS Attack or simply a DDoS, is a more advanced version of a classic Denial of Service (DoS) attack. To explain what it is and how it works, it might be helpful to look at an analogous situation using the telephone network.

Imagine that you have a single phone line for your business, which is used to answer customer questions and take orders. Now imagine that someone has decided to render that phone line useless by calling it over and over again, and then hanging up when the call is answered. The phone is always ringing, but there is nothing useful on the other end. And worse, legitimate customers cannot get through to talk to you. The customer service provided by the phone line is being denied. Hence, denial of service attack.

Something similar is done in the IP world. A publicly accessible web server that provides information and ordering capabilities to your customers can be attacked by a rogue computer. Using a variety of techniques – I won’t get into the nitty-gritty technical details here, both because there are many different attacks and because they require some in-depth networking knowledge to understand – that server can be flooded with traffic that appears to be legitimate but is not. That means that genuine customer traffic is squeezed out; an actual customer cannot place an order, because the web server is inaccessible to him.

A classic DoS like this is pretty easy to mitigate. With the phone example, you would contact your telephone service provider and tell them to block the number that keeps calling you. Similarly, with the IP networking example, you would contact your web hosting provider or, if you’re hosting your own server, your Internet service provider and tell them to block all traffic from the IP address that is flooding your web server. The nefarious traffic, in either case, is blocked before it gets to your phone or your web server, and customers can connect again.

A Distributed Denial of Service Attack, on the other hand, is not so easy to cut off. (Just ask the people at WordPress, who got smacked with one a few days ago.)  The “Distributed” part of the name is the important distinction; rather than coming from a single source, this traffic is coming from all directions.

To go back to the phone example, imagine that your business phone is ringing off the hook – but that each call is coming from a completely different area code and phone number. The phone company will have great difficulty blocking the calls, especially in light of the fact that there is no way to do so without risking a block of legitimate calls as well.

In the IP networking world, a DDoS means that the traffic is coming from multiple sources simultaneously. That makes it more difficult to block, as in the phone example, but more importantly it means that the hostile traffic is aggregated. Being attacked by a hundred compromised cable modem clients at 10 Mb/s each means that there is a 1 Gb/s flood of traffic hitting your web server. An average botnet – that is, a centrally controllable group of compromised machines, often used to launch an attack like this – numbers in the tens of thousands to hundreds of thousands of computers. That’s a lot of traffic.

So how do you deal with a DDoS against a business resource? The first thing to do is make sure that you have some idea of the capabilities of your ISP or hosting provider – you should have, in writing, their policy on DDoS mitigation. There are steps that can be taken upstream to block this traffic, but the capability to do so varies by provider and is often closely correlated with price. You also want to make sure that your infrastructure is being properly monitored using an IDS or a SIEM or something similar, so that you are aware when a DDoS begins. And you need to have a backup plan for what happens if your web site or other Internet resource is unavailable for a short period. Maybe taking orders by phone isn’t completely antiquated after all.
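Turning the single-source versus distributed distinction above into a monitoring check, as an added example that is not from the original post: it parses constructed access-log lines (sample data, not real traffic), finds the busiest time window, and reports whether a flood is dominated by one address (which, as described above, a provider can block) or spread across many sources (the DDoS case that needs upstream mitigation). The thresholds are illustrative assumptions, not recommended values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, timestamp) from a Common Log Format line, else None."""
    m = LOG_RE.match(line)
    return (m.group(1), datetime.strptime(m.group(2), TS_FMT)) if m else None

def constructed_lines(requests_per_source, start="10/Mar/2011:09:00:00 +0000"):
    """Constructed sample traffic (not real logs): for each source address,
    emit that many GET requests spread evenly over one minute."""
    t0 = datetime.strptime(start, TS_FMT)
    lines = []
    for ip, n in requests_per_source.items():
        for i in range(n):
            ts = (t0 + timedelta(seconds=(i * 60) // max(n, 1))).strftime(TS_FMT)
            lines.append(f'{ip} - - [{ts}] "GET /order HTTP/1.1" 200 512')
    return lines

def classify(lines, window=60, threshold=500, dominance=0.8):
    """Label the busiest `window`-second bucket. Illustrative assumed
    thresholds: under `threshold` requests is normal; above it, one address
    sending >= `dominance` of requests is a single-source DoS (blockable
    upstream), otherwise the flood is distributed (DDoS)."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # skip malformed lines rather than crash
            continue
        ip, ts = parsed
        buckets[int(ts.timestamp()) // window][ip] += 1
    if not buckets:
        return {"verdict": "normal", "requests": 0, "sources": 0, "top_source": None}
    busiest = max(buckets.values(), key=lambda c: sum(c.values()))
    total = sum(busiest.values())
    top_ip, top_n = busiest.most_common(1)[0]
    if total < threshold:
        verdict = "normal"
    elif top_n / total >= dominance:
        verdict = "dos"
    else:
        verdict = "ddos"
    return {"verdict": verdict, "requests": total, "sources": len(busiest),
            "top_source": top_ip, "top_share": round(top_n / total, 3)}
```

In a real deployment the per-window threshold would be derived from the server's normal traffic baseline, and the "ddos" verdict is the trigger for the provider contact the post recommends having in writing.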



Autorun Update

March 3, 2011

Microsoft is now pushing out Autorun Update from their Automatic Updates repository. This means that home and SOHO users who are patching their machines from Microsoft, without benefit of WSUS or other management platforms, will have their Autoplay restricted to CDs and DVDs. Since the autoplay of USB keys and other volumes was being badly abused by malware, this is a good thing – just keep it in mind for when your less computer savvy friends call to ask why they aren’t getting that neat popup menu any more when they put in the SD card from their camera.

This update affects WinXP and newer systems.


Applications Pulled from Android Market

March 2, 2011

Google has just removed 21 malicious applications from the Android market – they were all pirated knock-offs of other software, loaded with malware and intended to compromise the handset they were installed upon. Despite their quick action, 50,000 copies had already been downloaded.


Speculation on Thunderbolt

March 1, 2011

Thunderbolt, a new I/O interface, was introduced last week on the latest line of Macbook Pro portable computers. Physically, it uses a DisplayPort connector – and, if you like, it can be used as a simple DisplayPort interface to connect a monitor or projector to the computer. But it is also a successor to Firewire, capable of daisy-chaining up to five devices with a shared bus bandwidth of 10Gb/s.

It is also a successor to Firewire in that it is an unauthenticated peer-to-peer bus protocol (as distinct from a master-slave protocol like USB). This characteristic has been exploited in Firewire to forensically read the contents of RAM or attached disks from a live machine. While the details on Thunderbolt are rather sketchy right now, it’s easy to imagine that an adversary could rig a display device to surreptitiously harvest data from a client machine, while appearing to function normally.

Physical security is tricky to enforce. Most people are smart enough to avoid plugging a random USB drive or Ethernet cable into a machine that holds sensitive data – but they won’t think twice about using a projector in a classroom or at a conference. Thunderbolt adds a whole new class of peripherals into the “untrusted” group. Watching the professionals take a crack at this will be very interesting.


Rain Clouds

February 28, 2011

It appears that around half a million GMail accounts went offline yesterday – worse yet, some users lost the contents of their Google Apps accounts even when they were available again.

If you’re storing critical data “in the cloud”, scenarios like this are why a local backup is so critical.


Definition Monday: Exploits

February 28, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Exploits.

Many times, when reading security alerts on a mailing list like bugtraq, you will see the word “exploit”. What exactly is an exploit, and why is it important?

It’s important to remember that many of the security vulnerabilities that are discovered by third party researchers, particularly in the open source world, are theoretical. That is, a particular piece of code may appear to have a security hole because of the way that it is written, but that does not necessarily mean that the security hole can be taken advantage of by an adversary. If that piece of code is never exposed to the adversary, or if it has some other routine protecting it, or if the means of taking advantage of it cannot actually happen, then the hole remains theoretical.

For example, imagine a piece of software that controls an industrial metal router in a factory. It is entirely possible that the software requires an old version of Microsoft Windows, and that updating Windows will cause the metal router to stop working. That version of Windows may have a security vulnerability when exposed to a hostile network. But if the computer running the metal router is never attached to a network, then there is no way to take advantage of the vulnerability. It ceases to be a problem.

(I know that this sounds like some metaphysical tree-falling-in-the-forest stuff. Is a vulnerability that can’t be attacked still a vulnerability? I’ll leave that to the philosophers – I have enough on my plate worrying about the systems that are exposed to pontificate on those that aren’t.)

On the other hand, if a security vulnerability can be taken advantage of, and if it can be done in a reliable, repeatable fashion, then the code that attacks it is referred to as an “exploit”.

For example, take a look at this posting on the bugtraq list from two days ago. The poster has identified a Cross-Site Request Forgery (CSRF) vulnerability in a particular model of Linksys home router. In addition to discovering the flaw, he has also included exploit code in the form of an HTML snippet that takes advantage of the vulnerability – this can be used to add an administrative user to the Linksys router configuration, under certain conditions, without the user being aware of the addition. And since all of the traffic on a home or small business network passes through this router, it’s probably not a great place for your adversary to have administrative privileges.

So, to put it succinctly, an exploit is a piece of software or an explanation of how to take advantage of, or exploit, a security hole.

Other terms that you might run across:

Proof of Concept (PoC) Exploit – This is a crude exploit intended to demonstrate that a security vulnerability exists, but is not as reliable or as professionally produced as a normal exploit. You will often see these in environments like bugtraq, where the author doesn’t want to provide something that can be “weaponized” and used to attack systems but still wants to prove the existence of a bug.

Zero-Day Exploit – This is an exploit for a security vulnerability that the vendor has not yet released a patch for. A newly discovered hole in Microsoft Windows 7, which is still present even when all vendor patches are applied, would be a zero-day exploit. Here is an example of a zero-day in the Cisco Secure Desktop product.

Metasploit – The Metasploit Framework is a penetration testing tool that provides a plugin architecture for running multiple exploits. Generally speaking, each exploit is its own little program; with Metasploit, they are all launchable from a common command shell. This is a boon for both penetration testers and computer criminals, both of whom make a business of taking advantage of security vulnerabilities.


New Android Spyware

February 27, 2011

Two new pieces of spyware for the Android smartphone platform have shown up this week – unlike past threats, these are spreading in the US and not just in the Chinese market.

SW.SecurePhone looks especially nasty, recording both data within the phone and sounds in the physical environment and uploading them to a remote server every twenty minutes.


Calling Service Shut Down

February 27, 2011

The unique services of callservice.biz, which assisted thousands of identity thieves since the site’s founding in 2007, have been shut down.

The idea was simple: since many identity thieves are operating in non-English-speaking countries, they need people with believably American accents to talk to bankers. Callservice.biz supplied voice talent, in German or English, to use the data stolen by criminals to impersonate account holders and authorize things like wire transfers or withdrawals.

The owner of the site, Dmitry M. Naskovets, has pled guilty to wire fraud charges and is facing up to thirty-seven and a half years in prison.


Windows 7 SP1 Issues

February 24, 2011

Windows 7 Service Pack 1 has been released. And, as with every Service Pack, issues have been reported.

The short version: make sure that you are running the latest version of any security software, including HIDS and antivirus, to make sure that it can accommodate the new version of the OS. And if you’re in a large network environment, a gradual rollout with lots of testing might not be a bad idea. This SP doesn’t actually contain anything urgent, so it’s not necessary to rush the deployment.