BACKGROUND INFORMATION ON DENIAL OF SERVICE ATTACKS
By Camillo Sars, F-Secure Crypto Research
Denial of Service (DoS) Attacks are attacks on computer systems that
aim to disrupt or terminate services provided by the systems. On the
Internet, this usually means (repeatedly) crashing services or
exhausting some limited resource. DoS attacks can often be performed
over the network, and exploit security flaws that exist in the
Typical DoS attacks are:
- Exhausting the network bandwith of a site.
- Exhausting the [inbound] network connections of a service.
- Crashing a service using some security flaw.
- Crashing the computer running a service using some security flaw.
Recently heavy DoS attacks have been described [1,2]. These attacks
use a network of computers to distribute the attack sources over
several network locations. These attacks are known as Distributed
Denial of Service Attacks.
The most known Distributed DoS attack tools to date are called
"trin00"[3,4] and "Tribe Flood Network" (TFN).
The attack tools for Distributed DoS attacks use a master-slave
configuration. The slave processes are installed on a large number of
compromised Internet hosts, where they report their successfull
installation to their master process. The master process thus
collects a list of many compromised hosts running the slave process.
The resulting master-slave network may include a large number of hosts
in widely different network locations.
The slaves carry one or several DoS routines that can be invoked remotely
by the master process. The master process can also control the
targets and parameters for the attack. Some of the commands are
password protected to prevent unauthorized activation or deactivation
of the attacks.
Slave processes can be installed on virtually any suitable system, as
the loss of a single slave process has very little effect on the
overall performance of the network.
The master process can poll the status of its slave processes and
keeps a list of known slaves. When the attacker connects to the
master, a password is required before access is allowed. Once the
correct password has been supplied, the attacker can issue commands to
the master. The commands direct all the active slaves of the master
process, so large-scale attacks can be launched and terminated very
Master processes are often carefully protected and installed on
systems where detection is unlikely because of bad administration
practices or heavy user activity.
An attacker can connect to a master process from virtually any
internet host, as the master accepts standard telnet-type connections.
A single attacker may control several DoS master processes, giving
instant access to huge numbers of slave processes.
Attacked systems will notice a huge increase in network traffic.
Depending on the attack, the traffic may come from valid internet
addresses or from random addresses created by the slave processes.
If the attacked system is directly vulnerable to any DoS attacks
performed by the slave processes, the system will crash or malfunction
and cannot be reactivated without immediately crashing again.
If the attacked system does not crash from the attacks, its network
capacity will quickly be exhausted. Reports indicate attack rates of
several gigabits per second, which far exceed the capacity of most
If you are the target of a large distributed DoS attack, there are no
good ways to defend yourself. Several well-known internet sites have
been completely cut off by DoS attacks recently, including Yahoo.com
If your systems have been compromised and attackers are running
masters or slaves on your systems, you must take immediate action to
fix the security holes that were used to compromise your system .
Your systems may be actively participating in DoS attacks as long as
the processes exist.
The only way to completely eliminate this kind of attacks is to
decrease the number of systems that can be compromised to a level that
is too low for attackers to set up large distributed DoS networks.
Acknowledgements and References
The information in this document is based on several sources, but most
notably on information from the Incidents mailing list. This document
is intended for informational purposes only.
 Incidents Mailing List <INCIDENTS@SecurityFocus.com>. Send message
containing "QUERY INCIDENTS" to <LISTSERV@LISTS.SECURITYFOCUS.COM>.
 "CERT Incident Note IN-99-07", The CERT Coordination Center, 1999.
 David Dittrich <email@example.com>, "The DoS Project's
"trinoo" distributed denial of service attack tool", University of
 ISS X-Force, "Denial of Service Attack using the trin00 and Tribe
Flood Network programs", Internet Security Systems Inc., 1999.
 CNET News.com, "How a basic attack crippled