A denial of service (DoS) attack is one of the most popular and rapidly growing threats to businesses on the Internet. By subverting the aging TCP/IP version 4 protocol, so-called "script kiddies" (unskilled hacker wanna-bes) are able to prevent normal users from accessing their digital resources -- web sites, email, or even some types of Virtual Private Networks (VPNs). The most common approach for a DoS attack is to flood a network with so many standard PING ("are you there?") messages that there's no room in the network pipe for any of the customers. Ironically, many DoS attacks are made possible by businesses themselves. "Teardrop" attacks (one form of DoS attack) take advantage of misconfigured routers on high-bandwidth corporate networks to vastly multiply the number of PINGs being sent to the victim site; this is how a hacker on a dialup modem can take down a web site on a T1.
Against sites with incredibly fat network pipes, of course, that won't work. The recent Distributed Denial of Service (DDoS) attacks against Yahoo! and other major networks in the spring of 2000 were mounted by programs like the Tribal Flood Network (TFN), an easy-to-use tool that takes over corporate and home computers and uses them to each launch teardrop attacks against a victim site.
You can close up holes that make the teardrop possible. The teardrop takes advantage of a router's multicast address, a special IP address on the router's subnet that, in many default configurations, will forward packets to every machine on the subnet. By forging PING requests from the victim's site and sending them to a multicast address, a malicious hacker will cause the victim to be flooded with PING responses from each machine on the subnet. Therefore, corporate routers should never honor requests sent from the Internet (or anywhere else, really) to the multicast address. Using your router's configuration program, you can turn off forwarding from your multicast address.
This won't completely solve the problem, but it will help. For more discussion of the teardrop and how to fix it, see http://grc.com/r&d/NoMoreDoS2.htm, which includes a list of the networks that are the top offenders.
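As an added illustration (not part of the original tip), the following Python models the two defender-side checks the text describes: a router policy that refuses to forward packets addressed to a subnet's broadcast address, and a detector that flags echo requests aimed at that address in a constructed packet log. The subnet, the log format and all addresses are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed packet records in a simplified "src dst proto type" format
# (documentation addresses, not a real capture).
SAMPLE_PACKETS = [
    "198.51.100.7 192.0.2.255 icmp echo-request",  # forged victim -> our broadcast
    "198.51.100.7 192.0.2.255 icmp echo-request",
    "198.51.100.7 192.0.2.255 icmp echo-request",
    "203.0.113.9 192.0.2.10 icmp echo-request",    # ordinary ping to a single host
    "192.0.2.10 203.0.113.9 icmp echo-reply",
    "198.51.100.7 192.0.2.0 icmp echo-request",    # network address; some stacks answer it too
    "203.0.113.9 192.0.2.10 tcp syn",
]
# Subnet behind this router (assumed for the example).
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_directed_broadcast(dst, subnets):
    """True if dst is the broadcast (or network) address of one of our subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr in (n.broadcast_address, n.network_address) for n in subnets)

def amplification_factor(dst, subnets):
    """Hosts that could answer one echo request to dst if the router forwards it."""
    addr = ipaddress.ip_address(dst)
    for n in subnets:
        if addr in (n.broadcast_address, n.network_address):
            return n.num_addresses - 2  # usable host addresses on the subnet
    return 1

def should_forward(dst, subnets, directed_broadcast=False):
    """Router policy: with directed broadcast disabled (the fix), drop such packets."""
    return directed_broadcast if is_directed_broadcast(dst, subnets) else True

def find_amplified_echo(lines, subnets, threshold=2):
    """Count ICMP echo requests aimed at our broadcast addresses, keyed by claimed
    source. That source is the forged victim, not the attacker: notify, don't block."""
    hits = Counter()
    for line in lines:
        src, dst, proto, kind = line.split()
        if proto == "icmp" and kind == "echo-request" and is_directed_broadcast(dst, subnets):
            hits[src] += 1
    return {src: count for src, count in hits.items() if count >= threshold}
```

On the sample log the detector reports the forged source 198.51.100.7 with four hits, and the policy function drops every packet to 192.0.2.255 once directed broadcast is off.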
Barrie Sosinsky (barries@killerapps.com) is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was first published in October 2000