Computer Crime Research Center


DoS attacks: crime without penalty

Date: March 16, 2005
Source: Computer Crime Research Center
By: Vladimir Golubev

... While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target as well as the systems controlled by the intruder.

The Computer Emergency Response Team (CERT) proposes the following steps for the prevention of and response to DoS attacks.

Denial-of-service attacks can result in significant loss of time and money for many organizations. We strongly encourage sites to consider the extent to which their organization could afford a significant service outage and to take steps commensurate with the risk.

We encourage you to consider the following options with respect to your needs:
-Implement router filters as described in Appendix A of CA-96.21.tcp_syn_flooding, referenced above. This will lessen your exposure to certain denial-of-service attacks. Additionally, it will aid in preventing users on your network from effectively launching certain denial-of-service attacks.
-If they are available for your system, install patches to guard against TCP SYN flooding as described in CA-96.21.tcp_syn_flooding, referenced above. This will substantially reduce your exposure to these attacks but may not eliminate the risk entirely.
-Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.
-Enable quota systems on your operating system if they are available. For example, if your operating system supports disk quotas, enable them for all accounts, especially accounts that operate network services. In addition, if your operating system supports partitions or volumes (i.e., separately mounted file systems with independent attributes) consider partitioning your file system so as to separate critical functions from other activity.
-Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
-Routinely examine your physical security with respect to your current needs. Consider servers, routers, unattended terminals, network access points, wiring closets, environmental systems such as air and power, and other components of your system.
-Use Tripwire or a similar tool to detect changes in configuration information or other files. For more information, see

http://www.cert.org/tech_tips/security_tools.html

-Invest in and maintain "hot spares" - machines that can be placed into service quickly in the event that a similar machine is disabled.
-Invest in redundant and fault-tolerant network configurations.
-Establish and maintain regular backup schedules and policies, particularly for important configuration information.
-Establish and maintain appropriate password policies, especially access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator.

Many organizations can suffer financial loss as a result of a denial-of-service attack and may wish to pursue criminal or civil charges against the intruder. For legal advice, we recommend that you consult with your legal counsel and law enforcement.

U.S. sites interested in an investigation of a denial-of-service attack can contact their local FBI field office for guidance and information. For contact information for your local FBI field office, please consult your local telephone directory or see the FBI's contact information web page:

http://www.fbi.gov/contactus.htm

Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.

If you are interested in determining the source of certain types of denial-of-service attack, it may require the cooperation of your network service provider and the administrators of the networks involved. Tracking an intruder this way may not always be possible. If you are interested in trying to do so, contact your service provider directly. The CERT(*) Coordination Center is not able to provide this type of assistance. We do encourage you to report your experiences, however. This helps us understand the nature and scope of security incidents on the Internet, and we may be able to relate your report to other activity that has been reported to us.

A curious offer has recently appeared on the Russian Internet. Cyber criminals offer to block access to an 'ordered' website for only $150 per day. Such attacks are not rare, but experts suspect that this offer to 'kill' a website may conceal an ordinary scam.

"We are glad to propose to you a quality service of pulling websites; we can ball up any website with our DDoS attack," read an ad e-mail with such an offer received by a correspondent of a Russian news agency.

According to the proposal, a six-hour downtime will cost $60 and 24 hours $150, by prepayment. "I can pull any website, say Microsoft," the hacker boasted to the correspondent, who had introduced himself as a potential client. "But someone is gonna kick my ass for that, it will be enough," he added. Nevertheless, DoZ agreed to attack www.microsoft.com for not less than $80,000 a week. For comparison, he asked a lot less to attack www.kremlin.ru, the official website of Russian President Vladimir Putin -- $2,000 a week, and then even lowered the price to $1,000.

DoZ even provided contacts for clients of his who had agreed to recommend him.

"Yes, he will cope, I am currently working with him," one client rejoices. "www.spamzone.net, a project of my competitors, has already been down for a month." "It is a pity to pay $4000 at once, but at the same time you have no competitors," another customer agrees.

A police officer, who wished to remain unnamed, believes that this case is most likely an ordinary scam. "One person can get tens of nicknames on the Net. It's all rubbish [the offer of a DDoS attack by prepayment], although there is always an idiot who will believe it and pay," he says. He added that nobody has ever been prosecuted for pure DDoS attacks in Russia. Criminals are, however, often caught for extortion connected with DDoS attacks.

"There are many people who can run a DDoS attack, although 'pulling Microsoft' is surely beyond their strength," says Igor Vlasov, ArtBureau's system architect. "They have no special liking for the background, although there are men of principle who attack only porn sites." He added that anyone can find DDoS attack executors who can block a badly protected website for $80 per day. According to Vlasov, a normal system administrator will need about 5 hours to cope with such a cyber attack.

"The most famous was a DDoS attack on the root DNS servers of the Internet (a domain name is first purchased through a domain registrar; at the time you sign up for the domain, you are asked to submit your personal information and information on 2 or more name servers; this information is stored on a 'root DNS server'; when someone looks up your domain on the web or using any other service that needs details on your domain, these root servers are queried - CCRC) in November 2002," recalls Alexander Gostev, an analyst at Kaspersky Antivirus Labs. "Then the load on the servers increased dozens of times over, and processing of ordinary requests was extremely slowed or even stopped."

In recent years DDoS attacks have seriously troubled many websites. "The main damage cyber attacks bring to companies lies not only in a site's downtime, but in damage to the company's reputation," says Christopher , chief of KPMG's Information Risk Management Department. According to him, clients of a company who are disappointed by the inaccessibility of its website may turn to competitors.

On June 8, 2004 one of the CCRC websites was the target of a "contract hit". The attack was accompanied by threats to disrupt the two main sites of the Internet project crime-research.ru.

On June 8, the above-mentioned website was unavailable from 3 pm; only by 7 pm did the hosting ISP manage to neutralize the effects of the attack. The main share of the attack traffic came from the territory of Ukraine through compromised computers of ordinary users. The goal of the blackmail was to force the CCRC staff to take down one of the posted articles.

Often one of the first signs of the initial stage of a DoS attack is an unexplained growth in traffic, which allows additional measures to be taken to counter the attack. A sudden increase in traffic that disrupts hosting operations causes the ISP to block the IP address of the website, making it unavailable.
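As an added illustration of two points made above (not code from the article or from CERT): the CERT advice to establish a baseline of ordinary activity and gauge unusual network traffic against it, and the observation that an unexplained growth in traffic is often the first sign of an attack. The script builds a per-minute request count from web-server log lines, takes the first quiet minutes as the baseline, and flags minutes far above it. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
import statistics
from collections import Counter

# Matches the timestamp field of an Apache/nginx combined-format log line, e.g.
# 203.0.113.5 - - [08/Jun/2004:15:00:23 +0300] "GET / HTTP/1.1" 200 512
# Group 1 captures the date down to the minute, so counts are bucketed per minute.
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]")

def make_sample_log():
    """Constructed sample: 10 quiet minutes of 10-14 requests, then one surge minute."""
    lines = []
    for minute in range(10):
        for i in range(10 + (minute % 5)):
            lines.append('203.0.113.%d - - [08/Jun/2004:14:%02d:%02d +0300] '
                         '"GET / HTTP/1.1" 200 512' % (i + 1, 50 + minute, i * 4))
    for i in range(180):  # 180 requests in a single minute from many sources
        lines.append('198.51.100.%d - - [08/Jun/2004:15:00:%02d +0300] '
                     '"GET / HTTP/1.1" 200 512' % (i % 250 + 1, i // 3))
    return lines

def requests_per_minute(lines):
    """Count log lines per minute; lines without a parsable timestamp are skipped."""
    counts = Counter()
    for line in lines:
        m = TS_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(sorted(counts.items()))

def build_baseline(counts, window):
    """Mean and standard deviation over the first `window` minutes of ordinary activity."""
    values = list(counts.values())[:window]
    return statistics.mean(values), statistics.pstdev(values)

def flag_spikes(counts, mean, stdev, k=3.0, min_stdev=1.0):
    """Return (minute, count) for minutes above mean + k*stdev.

    A floor on stdev keeps a perfectly flat baseline from flagging trivial jitter.
    """
    threshold = mean + k * max(stdev, min_stdev)
    return [(minute, n) for minute, n in counts.items() if n > threshold]

if __name__ == "__main__":
    counts = requests_per_minute(make_sample_log())
    mean, stdev = build_baseline(counts, window=10)
    for minute, n in flag_spikes(counts, mean, stdev):
        print("traffic spike at %s: %d requests (baseline %.1f)" % (minute, n, mean))
```

In practice the baseline should be rebuilt from several days of normal traffic rather than ten minutes, and a flagged minute is a trigger for the additional measures the text mentions, not proof of an attack.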

According to CERT, an international authority on Internet security, there has been a sharp increase in DoS attacks in recent years. Criminal groups widely apply computer tools and the newest information technologies.




Copyright © 2001-2013 Computer Crime Research Center