When DDoS attacks become IRCsome
I was chatting with some employees of Tele Danmark Internet during the lunch break
at a seminar I was teaching in Denmark last month when one of them asked me what I had
heard about Trinity, a new distributed denial-of-service (DDoS) attack tool. I had
actually heard very little about it (there had been two brief mentions in Bugtraq in
August), but my questioner had heard more. I learned that Trinity uses
href="http://www.irchelp.org/irchelp/text/rfc1459.txt">Internet Relay Chat (IRC)
for its communication.
I knew that DDoS attacks had not stopped after the well-publicized attacks in
February. Dave Dittrich, during
href="http://staff.washington.edu/dittrich/talks/sec2000/history.html">the talk he
gave at the Ninth
href="http://www.usenix.org/publications/library/proceedings/sec2000/">USENIX Security
Symposium, provided a timeline for attacks that goes two years into the past, and
described continuing attacks that are failing to grab news headlines.
The Trinity v3 tool was
href="http://lists.insecure.org/incidents/2000/Aug/0228.html">first noted in
August, and has as its unique feature the use of an IRC channel for control. In all
DDoS tools until now, the master sends commands to the clients (the attack daemons)
using various forms of TCP/IP packets, sometimes encrypting the commands. Trinity
differs in that once the client is started, it tries to connect to a list of IRC
servers; it then joins a particular channel (#b3eblebr0x) and listens for commands.
What is different about this approach is that the client makes an outgoing connection
to an IRC server, providing an essentially anonymous communication channel without
requiring that the master talk directly to the individual clients. A newer version,
named Entitee,
uses different channels for communication.
A new version of stacheldraht (an older DDoS tool), mentioned in the same X-Force alert as
Entitee, includes
attacks aimed specifically at IRC channels.
The involvement of IRC in denial-of-service attacks is nothing new, but the earlier involvement took a different form. The denial-of-service attacks likely began as a way
to thwart operators of IRC channels.
First, a bit of background on IRC. When you create an IRC channel, you become the channel operator, with privileges to control the channel. However, you lose that
privilege when you leave the channel. You can give other people who join operator
privileges, but once you have done so, those new operators have the power to kick you
off the channel.
The social implications of this arrangement can be pretty interesting. Now, imagine
channels run by hackers and script kiddies. Security expert Robert Graham has written
an article
about the DDoS attacks, in which he discusses the turf wars being fought over
certain IRC channels.
Since leaving a channel causes someone to lose operator privilege, killing an
operator's client -- by crashing or rebooting the op's system or breaking its
connection to the Internet -- has the same effect. If a large number of people want to
kick an operator off a channel, they could all join together and flood the operator's
Internet connection. But with a DDoS attack, a single person, controlling many attack
daemons, can have the same effect as a large group working as a team. The use of a DDoS
tool greatly amplifies the impact a single person can have when creating a flood of
TCP/IP packets to disable an Internet connection.
When you look at DDoS this way, you begin to see that the big e-commerce sites that
were hit in February were merely a sideshow to the main event -- turf wars among IRC
users. The first well-known use of the Trinoo attack tool took down the entire
University of Minnesota network (some 50,000 systems) for almost two days as a side
effect of an attack that was supposed to disable a single IRC server (disabling the
server where operators' clients are connected kicks off those operators as well).
Certainly DDoS tools can and will be used against other targets, and attacks against
IRC servers will affect other network services as well. It's up to you to make it
harder for such attacks to succeed. Filtering outgoing traffic to block spoofed source
addresses (RFC2175) makes uncovering clients easier. By ridding attackers of convenient
systems on which to install their clients, you can help stop DDoS.
» posted by abennett
ITworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
