Lead with Knowledge

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

Home  //  Article
Print Article    Email Article
Window Manager
Brian Livingston
We can prevent those distributed denial of service attacks with 'egress filtering'

THE ATTACKS THAT hobbled Web sites Yahoo, Etrade, and CNN earlier this month sounded a warning: Secure your computers or be subjected to similar attacks in the near future.

The Web attacks, technically known as distributed denial of service, or DDoS, attacks, were launched primarily from Solaris and Linux machines that had been compromised. The choice of machines was due to the fact that DDoS tools were originally developed by hackers with backgrounds in Unix. But these same tools have already been ported, so they will compromise Windows clients and NT servers. Windows-based DDoS attacks will inevitably come. If your system is used to attack other systems, you run the risk of a lawsuit.

Ironically, DDoS attacks are so technically crude that they can be almost entirely prevented by a simple change in most networks. Systems that spread the DDoS attack failed to have "egress filtering" turned on. I'll describe what this means after a brief introduction to the way February's DDoS attacks worked.

Step 1. During several months last year, hackers placed versions of DDoS tools on Internet sites for anyone to download. These tools have names such as Trinoo, TFN (Tribe Flood Network), and Stacheldraht (German for barbed wire). If you want to see what you're up against, go to and

Step 2. Using DDoS tools, the hacker created a three-tier architecture in several weeks. Tools on his workstation found servers with security weaknesses and planted software there. The servers, known as masters, talked to demon software planted on other machines, known as zombies.

Step 3. Once hundreds of zombie computers were ready, the attacker sent data packets to the masters. These instructed the zombies to flood the targeted victims. Each zombie, on a high-speed Internet connection, might send many thousands of packets. The address of the originating computer was spoofed, or falsified. This made packets arriving at the victim's Web site appear to be coming from many machines rather than a specific set of identifiable machines. The attacker is difficult to locate, because zombies are hard to find. The fact that the IP address of each packet was spoofed gives the Internet community a way to prevent such attacks. Every ISP can prevent incoming packets with false IP addresses from being passed on (this is called ingress filtering). And every corporation with an Internet connection can ensure that spoofed packets don't leave the corporate network. (This is called egress filtering. See for details.)

Either fix involves a simple change to a configuration file for a router. It imposes no performance penalty, because the system only checks that the address prefix of each packet is valid. The Internet Society provides a paper called Request for Comments 2267 that describes these procedures and other steps to take (see

In addition, firewalls are essential protection for any system with a high-speed connection to the Internet. WatchGuard Technologies, which I wrote about in several columns last fall, offers five firewall appliances scaled for small to large businesses. WatchGuard provides an excellent white paper on the latest attacks (see, particularly the Resources section).

Steve Steinke, editor at, belittled my warnings in a January 2000 editorial that said unless a PC "is configured to be a server, there's nothing a hacker can do to it except for some sort of denial of service attack, which would obviously call for an intervention by the ISP."

Todd Hooper, vice president of WatchGuard, after reading this said, "He seems to think he can call his ISP for a magic fix. The reality is, with distributed DoS [denial of service] tools like TFN and Trinoo, the ISP is powerless."

Once a DDoS attack has started, an ISP may find itself powerless. But ingress and egress filtering can eliminate the fertile ground from which DDoS attacks spring. It won't end all attacks, but it's so central that I urge you to take these steps today.


Operating Systems

SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Article Print Article    Email Article
Back to Top


Download the J.D. Edwards CRM white paper. Visit
Introducing Primus Quick Resolve. Click to download a fact sheet.
Download the J.D. Edwards CRM white paper. Visit
Gateway: Your Reliable IT Provider of Business Technology Solutions
Learn to secure your PCs from new and unknown hacker attacks.

E-mail Newsletters
InfoWorld Mobile
Print Magazine

Web-based training

Copyright 2001 InfoWorld Media Group, Inc.