A Note On Distributed Coordinated Attacks

Background

Copyright(c), 1996 - Management Analytics - All Rights Reserved


Late in 1995, an article relating to Internet [RFC1011] World Wide Web security [Cohen] claimed that a Web server could contain code that directed a browser reading that code to attack other sites, and that this sort of attack would bypass current firewall technologies. (See, for example, Cheswick and Bellovin, "Firewalls and Internet Security", Addison-Wesley, 1994.) In late February of 1995, an on-line report from the University of California at Berkeley (Ian Goldberg at Berkeley first published this on the Internet on or about March 1st from UC Berkeley) showed that a Universal Resource Locator (URL) [RFC1738] [RFC1630] could be used to launch such an attack (e.g., gopher://all.net:25/0[code for sendmail attack] can be used to cause the browser to attack the SMTP port). This attack is particularly interesting because it is essentially a Trojan horse forced on the innocent Web user, whose computer automatically runs the attacking program (e.g., the program gopher [RFC1436]), which in this example attacks the SMTP [RFC821] port with inputs provided by the attacker.

On or about 00:45 EST (GMT+5) on March 13, 1996, someone at a site in California chose to combine this attack mechanism with the automatic loading of background patterns provided by many modern Web browsers to cause users at thousands of sites across the Internet to automatically, without the users' knowledge or consent, and in the background, attempt to telnet [RFC854] into our site (all.net). As each user viewed the malicious Web page, their computer was forced to attempt a telnet into our site. The net effect was that about 1500 telnet attempts were originated from sites all over the Internet in a few hours. This would have continued indefinitely if we had not tracked down the original source of the attack.
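
As an added illustration (not code from the original note), the following Python sketch shows a check that a filtering proxy or page scanner could apply to the two mechanisms described above: a URL whose scheme does not match the service port it targets, and a non-Web scheme in an attribute the browser loads automatically. The port tables, the attribute list and the sample hosts are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed tables: default port per scheme; service ports a page fetch should never hit.
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21, "gopher": 70, "telnet": 23}
SERVICE_PORT = {21: "ftp", 23: "telnet", 25: "smtp", 110: "pop3", 513: "rlogin"}
# (tag, attribute) pairs a browser fetches with no user action (assumed list).
AUTOLOAD = {("body", "background"), ("img", "src"), ("frame", "src"), ("embed", "src")}
PASSIVE_OK = {"http", "https", "ftp"}  # schemes acceptable for such fetches

def check(url):
    """Return why an auto-loaded URL is suspicious, or None if it looks benign."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return "malformed URL or port"
    scheme = parts.scheme.lower()
    if not scheme:
        return None  # relative reference: fetched from the page's own server
    port = port or DEFAULT_PORT.get(scheme)
    service = SERVICE_PORT.get(port)
    if service and service != scheme:
        return f"{scheme} URL aimed at {service} port {port}"
    if scheme not in PASSIVE_OK:
        return f"auto-loaded resource uses {scheme} scheme"
    return None

class AutoloadScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTOLOAD and value:
                reason = check(value.strip())
                if reason:
                    self.findings.append((tag, value.strip(), reason))

def scan(html):
    """Return (tag, url, reason) for every suspicious auto-loaded resource."""
    scanner = AutoloadScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (hosts are placeholders, payload omitted).
SAMPLE = """<body background="telnet://host.example/">
<img src="gopher://mail.example:25/0PLACEHOLDER"><img src="logo.gif">
<a href="telnet://host.example/">clicked links are not auto-loaded</a></body>"""
```

Calling scan(SAMPLE) reports the background pattern and the gopher image but not the ordinary image or the clickable link, since only the first two are fetched without user action.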

It is also important to note that the particular Web site that launched this attack only had a few thousand visitors per day. There are Web sites on the Internet which fill more than 100,000 service requests per day, and the volume of traffic is increasing rapidly. If a high-volume site were used for an attack of this sort, the sheer volume of traffic generated would be enough to disable many Internet sites. Slight enhancements of this sort of attack might be used to support a wide range of other threats.

In order to better understand the issues underlying this sort of attack, we introduce and discuss a new class of attacks that we call Distributed Coordinated Attacks (DCAs). We begin with an informal definition and a range of examples that show how DCAs can be used to the attackers' advantage. We then discuss limitations of current defenses against DCAs and characteristics of DCAs, and present a formal structure for considering DCAs. Next we describe the all.net incident involving a DCA and show audit trails indicative of several different sorts of DCAs. Finally, we summarize results, draw conclusions, and describe further work.