Recommendations for the Protection against Distributed Denial-of-Service
Attacks in the Internet
The following recommendations are a guideline for improving protection
against distributed Denial-of-Service (DoS) attacks. At the same time,
they serve as a basis for discussing the concrete implementation of
measures by server operators, network agents, content providers and
end-users. They were prompted by the intensified DoS attacks on renowned
Internet providers observed in February.
In these attacks, the attackers had gained access to hundreds of computers
in the Internet and installed the programs for the DoS attacks on them.
From a separate computer, they synchronised these attack programs so that
the large number of simultaneously attacking computers appreciably
increased the effectiveness of the attack. This type of attack is called
Distributed Denial-of-Service (DDoS).
The observed attacks were based on two main weak points. Firstly, the
sender addresses of the attacking data packets had been forged (IP spoofing).
Secondly, before the attacks on selected large computers, unauthorised
programs had been installed on a large number of other, inadequately
protected Internet computers which, remote-controlled, were able to send
data packets en masse. The particular feature of these DDoS attacks is
that they can therefore also hit those who have otherwise protected
themselves in an optimum manner against intruders from the Internet (for
the recognition and treatment of attacks cf. appendix or http://www.bsi.de/literat/cebit99/angriff.htm).
This means that computers on which not even the so-called basic protection
measures have been implemented are a danger not only for the operator
concerned but also for all other computers in the Internet. The
preparations for the attacks which became known recently were only possible
because various security holes which had been known for a long period had
not been eliminated.
Effective measures against distributed Denial-of-Service attacks must
be taken at many points in the existing complex Internet structure in
a concerted effort. Server operators in the Internet who were the target
of the attacks described can take a number of sensible measures, but these
do not solve the DoS problem completely. Rather, the different target groups
(content providers, server providers, network agents and end-users) must
each act in their own sector. Only jointly can the Internet be made safer
against the threat of DoS attacks, the execution of Denial-of-Service
attacks made more difficult and the subsequent tracing of the originators
of these attacks made easier.
By means of the recommendations for measures stated below, the following
target groups are supported in their task of protecting the Internet against
- End-users: operators of private and work
computers which serve for retrieving information in the Internet, processing
it and returning it to the network.
- Network agents: operators of the network
infrastructure (e.g. network node computers, routers)
- Server operators: companies entrusted with
the administration and configuration of servers. The servers offer services
and information in the Internet (WWW servers, DNS servers, MTAs, proxy
- Content providers: producers of editorial
content which, for example, are provided by server operators on the
Diagram: In the diagram, the target groups used in the paper
(the content providers are not separated here from the server operators)
are stated with respect to the communication structure in the Internet.
The numbers describe which measures should be observed in the components
concerned. The measures 4 and 13-15 are valid for all components and for
this reason are not included in the drawing.
By implementing and adhering to the recommendations directly, and through
further immediate programmes of their own, the target groups addressed
can make a decisive contribution to the common objective of making the
Internet secure. The network agents play a particular part here, as they
normally do not take on a protective function for the server operators.
For the IP spoofing used for the DoS attacks, the network agents are the
ones who can effectively recognise and stop forged packets at the point
where they are fed into the Internet (see below).
The following measures are structured by target group. The first five
measures help to defend against DDoS attacks or to limit their damage,
as they intervene on the transmission paths in the Internet. The other
measures concern the selection, configuration and maintenance of the end
systems in the Internet and hinder the preparation of a DDoS attack, i.e.
intrusion into a large number of computers and the installation of attack
programs on them.
A residual risk will, however, remain even after the measures have been
implemented, which is why orderly reporting systems for attacks in the
Internet should be developed.
Measures for Network agents
The network agents play a central part in the prevention of DoS attacks.
Although the network agents are themselves seldom the target of DoS attacks,
they profit indirectly from a secure Internet, as the confidence of all
users, and thus their number, grows.
Measure 1: Prevention of IP Spoofing
Many DoS attacks use forged IP sender addresses. On the one hand this makes
the attacks possible; on the other hand it hinders the search for the
originators. Through appropriate technical rules (RFC 2267 of January
1998) in the network infrastructure of the network agents, the network
operators can restrict this possibility appreciably so that forged
packets can no longer be distributed to the Internet. An organisation
which is connected to a network operator has a certain IP address range
at its disposal. Each IP packet which is sent from this organisation must
have an IP sender address from this range. If it does not, the address
is forged and the IP packet should not be passed on by the network
agent, i.e. sender addresses should be filtered when the packets are fed
into the Internet. Although IP spoofing is still possible within the
address range allowed to the organisation, the circle of possible
originators is limited to that organisation. A normal home access to the
Internet has only one authorised IP address, so that IP spoofing would
no longer be possible through such accesses.
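
The sender-address check described in Measure 1, as an added example that
is not part of the original recommendations. The access port names, address
ranges and sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed assignments: address ranges the network agent has given each access port.
ASSIGNED = {
    "org-port": [ipaddress.ip_network("192.0.2.0/24")],      # organisation with a range
    "home-port": [ipaddress.ip_network("198.51.100.7/32")],  # home access, one address
}

def ingress_permit(port, src):
    """True only if src lies inside a range assigned to the port it arrived on."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                  # an unparsable sender address is never forwarded
    return any(addr in net for net in ASSIGNED.get(port, []))

def filter_packets(packets):
    """Return (forwarded packets, Counter of dropped packets per access port)."""
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if ingress_permit(port, src):
            forwarded.append((port, src, dst))
        else:
            drops[port] += 1          # the counter names the access the forgery came from
    return forwarded, drops

# Constructed sample packets: (access port, sender address, destination address)
SAMPLE = [
    ("org-port", "192.0.2.10", "203.0.113.5"),     # genuine sender
    ("org-port", "192.0.2.200", "203.0.113.5"),    # forged inside own range: still passes
    ("org-port", "10.1.2.3", "203.0.113.5"),       # forged outside the range: dropped
    ("home-port", "198.51.100.7", "203.0.113.5"),  # the one authorised home address
    ("home-port", "198.51.100.8", "203.0.113.5"),  # any other address: dropped
    ("org-port", "not-an-ip", "203.0.113.5"),      # malformed: dropped
]

if __name__ == "__main__":
    forwarded, drops = filter_packets(SAMPLE)
    for pkt in forwarded:
        print("forward", pkt)
    print("dropped per port:", dict(drops))
```

The second sample packet shows the limit stated above: forging within the
assigned range still passes, but only the organisation itself can be the source.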
Measure 2: Use of Packet Filters for Network agents
Servers are often connected to the network agent through only a single
network connection. Even if the servers are resistant to DoS attacks,
this network connection is itself limited in capacity and can be fully
occupied by an attacker so that the servers can no longer be reached
from the Internet. For this reason, network agents should consider
shielding the network connection of the server operators against DoS attacks
by the use of packet filters, i.e. packets should be filtered by target
address when they leave the Internet. This is particularly effective when,
in co-operation with an attack recognition system at the server operator,
the packet filter can be adapted dynamically to the attack currently
running. (In addition, the network agent
can, in co-ordination with the server operator, configure the packet filter
in such a manner that measure 3 is also supplemented on the part of the
Measures for Server Operators
The computers of the server operators are not only potential victims
of a DoS attack. Because of their efficient connection to the Internet,
they are also potential starting platforms. For this reason, these
computers must be prevented from being misused as a starting point
for attacks on other computers.
Measure 3: Packet filtering
Normally, servers should offer only a few services and be configured
accordingly. On the incoming router, packet filter rules should be
implemented which only allow those protocols to pass which belong to these
services and which, for example, block security-critical services or
directed broadcasts (RFC 2644). In the case of an attack, these routers
can be re-configured so that queries from suspicious individual IP
addresses or address ranges are rejected. (In addition, the server operator
should configure the packet filter so that IP spoofing from his own network
is not possible, and in this way support measure 1. The settings required
for this are described in the system administrator manuals of the routers).
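
The filter decisions described in Measure 3, modelled as an added example
that is not part of the original recommendations and not a router
configuration. The server subnet, the offered services and the sample
packets are constructed.

```python
import ipaddress

class InboundFilter:
    """Default-deny filter for the router in front of a server network."""

    def __init__(self, server_net, services):
        self.net = ipaddress.ip_network(server_net)
        self.services = set(services)   # (protocol, destination port) pairs offered
        self.blocked = []               # source ranges added while an attack is running

    def block_source(self, cidr):
        """Reject a suspicious address or address range from now on."""
        self.blocked.append(ipaddress.ip_network(cidr))

    def decide(self, src, dst, proto, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d not in self.net:
            return "drop: destination outside server network"
        if d in (self.net.network_address, self.net.broadcast_address):
            return "drop: directed broadcast"        # RFC 2644
        if any(s in net for net in self.blocked):
            return "drop: blocked source"
        if (proto, dport) not in self.services:
            return "drop: service not offered"
        return "accept"

def demo():
    """Decisions for four constructed packets before and after a source is blocked."""
    f = InboundFilter("203.0.113.0/28", [("tcp", 80), ("tcp", 25), ("udp", 53)])
    packets = [
        ("198.51.100.20", "203.0.113.2", "tcp", 80),    # offered service
        ("198.51.100.20", "203.0.113.2", "tcp", 23),    # service not offered
        ("198.51.100.20", "203.0.113.15", "icmp", 0),   # subnet broadcast address
        ("192.0.2.77", "203.0.113.2", "tcp", 80),       # source blocked later
    ]
    before = [f.decide(*p) for p in packets]
    f.block_source("192.0.2.0/24")     # re-configuration during an attack
    after = [f.decide(*p) for p in packets]
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```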
Measure 4: Automatic Attack recognition
Normally, DoS attacks are noticeable because they load the server
abnormally. For this reason, typical characteristics (memory occupancy,
stacks, network occupancy, ...) should be monitored constantly. An
automatic alarm then enables a quick reaction to be initiated
(host-based attack recognition). Suitable additional products may have
to be used for this.
Additional information about Intrusion Detection Systems can be
found, for example, under http://www.bsi.de/literat/studien/ids/ids-stud.htm.
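
One way to turn the constant monitoring of Measure 4 into an automatic
alarm, as an added example that is not part of the original recommendations.
The metric names, the window size, the thresholds and the samples are
assumptions chosen for illustration.

```python
from collections import deque
from statistics import mean, pstdev

class LoadMonitor:
    """Alarm when a metric rises far above its own recent baseline."""

    def __init__(self, window=6, k=4.0, min_dev=5.0):
        self.window, self.k, self.min_dev = window, k, min_dev
        self.history = {}               # metric name -> recent normal values

    def observe(self, sample):
        """Feed one sample (dict of metric -> value); return the metrics in alarm."""
        alarms = []
        for name, value in sample.items():
            hist = self.history.setdefault(name, deque(maxlen=self.window))
            if len(hist) == self.window:
                # min_dev keeps a very steady baseline from alarming on small jitter
                limit = mean(hist) + self.k * max(pstdev(hist), self.min_dev)
                if value > limit:
                    alarms.append(name)
                    continue            # abnormal values must not become the baseline
            hist.append(value)
        return alarms

# Constructed samples, one per minute: network load in Mbit/s and memory use in percent.
SAMPLES = [
    {"net_mbit": 40, "mem_pct": 55}, {"net_mbit": 42, "mem_pct": 56},
    {"net_mbit": 38, "mem_pct": 54}, {"net_mbit": 41, "mem_pct": 55},
    {"net_mbit": 39, "mem_pct": 57}, {"net_mbit": 43, "mem_pct": 56},
    {"net_mbit": 40, "mem_pct": 55}, {"net_mbit": 900, "mem_pct": 58},
    {"net_mbit": 1200, "mem_pct": 91},
]

def run(samples):
    """Return [(sample index, [metrics in alarm])] for every sample that alarms."""
    monitor = LoadMonitor()
    hits = []
    for i, sample in enumerate(samples):
        alarms = monitor.observe(sample)
        if alarms:
            hits.append((i, alarms))
    return hits

if __name__ == "__main__":
    for index, alarms in run(SAMPLES):
        print("sample", index, "ALARM:", ", ".join(alarms))
```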
Measure 5: Establishment of a contingency plan
In the event of an attack, a rapid response is of central importance.
This is the only way to take effective countermeasures, possibly to identify
the attacker and to restore normal operation within a short period. This
is why an escalation procedure should be laid down in a contingency plan.
Necessary information includes, inter alia, contact persons, persons in
charge, alternative communication channels, instructions for action and
the place where resources that may be needed (such as magnetic tapes)
are stored. More detailed information on handling attacks from the Internet
may be found under http://bsi.de/literat/cebit99/angriff.htm.
Measure 6: Secure Configuration of the Servers
The servers of the server operators can be misused as agents of a DoS
attack. To do this, the attacker installs damaging software using known
weak points. For this reason, the operators of the servers must configure
the servers meticulously and securely. Network services which are not
required are to be deactivated and those which are required secured;
adequate password and access protection and the timely changing of
passwords (in particular pre-set ones) must be ensured. Further information
can be found, for example, under http://www.bsi.de/bsi-cert/webserv.htm.
Measure 7: Restrictive Granting of Rights and Recording
By manipulating servers, an attacker can misuse them as agents
or restrict their efficiency. For this reason, all alterations and all
access to the server must be recorded. Attention must be paid to granting
users access rights restrictively, to the use of the system resources made
available, and to increased care when altering the configuration. At
regular intervals, the file system is to be checked for integrity. If
only static data is required, a manipulation-proof, read-only data medium
can be used.
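
A regular file system integrity check as called for in Measure 7, as an
added example that is not part of the original recommendations. The
directory tree is constructed in a temporary directory, and the baseline is
assumed to be kept where an intruder cannot alter it.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file below root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                digests[rel] = "link:" + os.readlink(path)  # record target, do not follow
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo():
    """Constructed server tree: take a baseline, alter the tree, run the check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cgi-bin"))
        for rel, data in [("index.html", b"<h1>ok</h1>"),
                          ("cgi-bin/search", b"#!/bin/sh\n"), ("old.txt", b"x")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)     # assumed to be stored out of an intruder's reach
        with open(os.path.join(root, "cgi-bin/search"), "ab") as fh:
            fh.write(b"# altered\n")                    # modified file
        with open(os.path.join(root, "agent"), "wb") as fh:
            fh.write(b"\x00")                           # file that was not there before
        os.remove(os.path.join(root, "old.txt"))        # deleted file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```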
Measure 8: Use of Open Source Products
When weak points which enable or facilitate a DoS attack are discovered
for the first time, it is important that they can be eliminated
quickly. Usually, such weak points in open-source software are eliminated
appreciably more quickly than in products whose source code has
not been published. Often, you can make the alterations in the source code
yourself. For this reason, open-source products should be preferred
if the efficiency is similar (see http://linux.kbst.bund.de/).
Measures for Content Providers
Measure 9: Selection of suitable and IT safety-conscious server operators
Through their choice of server operator, the content providers should
ensure that the operator regards security and availability
as a central feature of the service. For this reason they should select a
server operator who can demonstrate corresponding experience in the required
Internet platforms and verify his efforts in the area of IT security,
e.g. by means of an IT security concept.
Measure 10: Prevention of active Content
Many WWW pages in the Internet are at present only usable when settings
which are critical from the security point of view are made in the
browsers. This can be misused by an attacker. By consciously avoiding
security-critical techniques (e.g. active content), content providers can
help to ensure that no insecure settings exist on the clients.
Measure 11: Daily checking of files for viruses and attack programs
Many content providers provide programs and documents on their WWW pages
for downloading. If an attacker succeeds in introducing a Trojan horse
there, he can hope for it to spread widely within a short period. Such
a procedure is particularly enticing for attackers in the case of DDoS
attacks, as a large number of computers is required for an effective
attack. The content providers should therefore check daily with special
search programs whether programs with damaging functions (viruses, Trojan
horses, DoS programs) exist on their pages (for the search for DDoS programs, see, for
Measures for End-users
Computers of end-users are normally not the target of DoS attacks. However,
these computers can be used by an attacker who, in a first step, installs
a program on them which then, remote-controlled, enables a DoS attack on
any desired computer. For this reason, end-users can also
make a contribution towards protection against DoS attacks.
Measure 12: Protection against Damaging Programs
Computers of end-users can be misused as agents for attacks. Agents can
be installed on the individual computers most easily through viruses,
Trojan horses or through active content (in particular ActiveX). For this
reason, reliable and up-to-date virus protection and the switching off
of active content in the browser are strongly recommended. Under certain
circumstances, the use of auxiliary programs for on-line protection of
the client (for example PC firewalls) can be considered. Further recommendations
are made on the WWW pages of the BSI (http://www.bsi.de) and the initiative
Security in the Internet (http://www.sicherheit-im-internet.de).
Measures for all target groups
The measures recommended here are standard measures. Practice shows,
however, that they are often not implemented for various reasons.
Measure 13: IT basic protection for computers with Internet connection
Computers which possess an Internet connection should reach a reasonable
level of security through consistent implementation of the IT basic protection
measures contained in sections 6.1, 6.2, and 6.4 of the basic IT protection
manual for networked Unix systems or Windows NT. This guarantees that
typical dangers can be counteracted. The basic IT protection manual can
be inspected under (http://www.bsi.de/gshb) and acquired cost-free on
CD-ROM under (firstname.lastname@example.org).
Measure 14: Quick installation of security updates
New security-relevant weak points are discovered again and again in the
operating systems and server software, and a little later they can be
eliminated through updates (patches) from the manufacturer. To be able to
react quickly, it is necessary to subscribe to and evaluate the mailing
lists of the Computer Emergency Response Team (CERT) under
http://www.cert.org and of the manufacturer. The relevant updates are to
be installed as quickly as possible to eliminate the weak points which
have become known.
Measure 15: Use of tools and training of staff
To protect a computer against risks and dangers, considerable know-how
is in some cases necessary for working out an effective IT security
configuration. Administrators therefore have to be adequately trained and
given further training. To support the administration tasks, security tools
should be used in addition. Particularly suitable for this is the BSI tool
USEIT (in the Internet under http://www.bsi.de/aufgaben/projekte/useitool/useit.htm),
which makes it possible to find weak points in the installation and configuration
of Unix computers.
© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Source : http://www.bsi.de/ddos_en.htm