

 

“Hack the Planet”
Anarchy by Denial of Service
An Overview of Attacks and Counter Strategies

 

By Andrew Shearman


Summary

 

Recent international events have drawn considerable media attention to the dark world of hackers.  The power of an individual to mount damaging attacks on large corporations and educational establishments is only just becoming understood.

 

The hacking establishment argues that it is only exploiting weaknesses in the well-established protocols and software elements of the Internet, and bringing to light the futile attempts of system administrators to secure systems against determined attack.

 

Protocols designed before such mischief was conceivable have loopholes, or more accurately exploitable functionality.  The TCP three-way handshake is the most favoured target for hacker attack.

 

Traditionally a single hacker was at most an annoyance.  The ability to coordinate with others via communication channels such as IRC gave hacking groups a certain initiative, but it is the introduction of distributed tools that has made solitary hackers a large threat.

 

Using such distributed tools a hacker can launch multiple simultaneous attacks on unsuspecting targets.  These attacks are made possible by:

· Weaknesses of protocols as mentioned earlier.

· Insufficient checking of traffic on ingress links into backbone networks.

· Poor configuration of network equipment at both backbone transport sites and target sites.

· Commonly available attack tools.

 

Of further concern is that the available attack tools are maturing and becoming stealthier, making proactive defence, and intrusion or attack detection more difficult.

 

To combat this, several measures need to be taken by all involved.  Most of the attacks rely on the ability to forge originator IP addresses, so ingress points in the transport backbones need to verify that the traffic they receive is genuine.

 

Secondly, the security of desirable hosts needs to be paramount: lazy administration leads to outdated software configurations, leaving security loopholes for the hacker to exploit and gain control of such hosts, which in turn increases the number of hosts a hacker can employ in an attack.  System administrators need to scan their networks for such attack tools already installed on their systems.

 

Various experts have proposed protocol changes and network topology changes to make the tracking of attacks and attack packets easier.  The aim is not so much the apprehension of hackers (which is left to the law enforcement agencies) as the ability to locate attacking hosts and so eliminate their ability to take part in an attack.

 


Introduction

 

The world is becoming ever more interconnected.  Computer systems across the world can contact and communicate with other computer systems.  Much of this inter-working is hidden from view, but some recent incidents have brought the vulnerabilities of computer systems to the forefront of public perception.

 

Mafiaboy is a name that has been on the lips of many federal agents in the US.  High profile attacks were perpetrated on the major computer systems of organisations such as CNN.com, eBay, Yahoo and others.  Mafiaboy supposedly launched these attacks on his own, and the ability of a single individual to bring such systems to their knees is concerning.

 

The attack used by Mafiaboy is akin to driving to your local store and parking your car in front of its doors, thus denying service to others.  Hackers like Mafiaboy perpetrate what are known as Denial of Service attacks on target computer systems.  The targeted system is flooded, cannot answer legitimate requests for service, and is thus unavailable.

 

These attacks may seem like a malicious prank (Mafiaboy is a 15 year old Canadian schoolchild who bragged about his "exploits"), but in the case of Yahoo and eBay, who depend on their sites generating revenue through visits and advertising, the downtime cost is estimated in the region of $100,000 to $200,000.

 

Hackers[1] are an ingenious lot.  The misguided talents of these individuals are not inconsiderable, and the general availability of source code for operating systems, applications, protocol stacks and implementations offers them ample opportunity to find weaknesses in systems, be they hardware or software.

 

More often than not these technological anarchists are content just to break into systems, collecting evidence of the break-in to act as proverbial scalps when they boast to fellow hackers.  Others deface websites or tinker, but the denial-of-service (DOS) attack can leave not only an Internet-facing computer (e.g. a web server) unavailable but, as in the case of a targeted American university, leave the entire portal access for a network unavailable, so that traffic can flow neither in nor out of the affected networks.

 

There are a number of tools available to the hacker who wants to perform a DOS attack.  The knowledge of how to perform the attack and how to use these tools is also readily available.  A search on the web or logging onto certain IRC[2] channels will soon arm a would-be hacker with SYN attack, Fraggle, Smurf and other DOS knowledge.


TCP/IP Connection Set-up Primer

 

The underlying protocol suite of the Internet is TCP/IP; its transport protocol, TCP, is connection-oriented and reliable.

 

As with most communication systems, a sequence of steps is followed to set up a communication session.  As an example, figure 1 shows the sequence when a user accesses a website via a URL[3].  When the user selects the URL a data packet is sent to the destination server.  This packet from the client is a SYN packet.  The SYN packet is used to synchronise and set up a communication channel and is a normal data packet to send.  It contains information such as who the sender[4] is and other pertinent connection information.

 

When the server at the remote site receives the SYN packet it responds with a SYN/ACK data packet.  The SYN/ACK packet is an acknowledgment indicating to the client that the server is ready for further communication.

 


When the client receives this acknowledgement it responds with a final ACK data packet, acknowledging the “acknowledge”.  Both client and server are then ready to communicate, with the necessary structures implemented at either end of the link, and the web page is transmitted.  The whole process is known as the three-way handshake.

 

 


Figure 1 - The 3-way handshake

 

To grant access to the TCP/IP[5] stack for multiple services such as web serving, ftp, telnet etc. a port system is implemented.  Different network services are accessed via different ports, but common services use the same port across different platforms.  For example the WWW service runs on port 80 whether you are using a Unix box, a Windows box or a SunOS system.  These transport layer port numbers, along with the IP addresses of sender and receiver, uniquely identify a connection.

 

A host system listens on various ports of interest and creates a software structure known as a socket for each incoming connection.  A socket holds the information related to the local end of the communications link, such as the protocol used, state information, addressing information, connection queues, buffers, and flags.  Each of these structures consumes a finite amount of the resources available on the host, so an inexhaustible supply of socket connections is not realisable.

 

Returning to the example of setting up a connection: on an incoming request the data packet is demultiplexed up the protocol stack (TCP/IP) to layer 4, the transport layer (where TCP is located).  The TCP/IP stack retrieves all the information it needs from the incoming packet.  Assuming everything is in order, the stack initialises the necessary data structures (creating a new socket) within the host for the connection and replies to the received SYN with a SYN/ACK message.  The client to reply to is recovered from the IP addressing information in the incoming data packet.

 

The stack now waits for the return ACK message from the client, at which point it knows that the connection is fully established.  If the TCP/IP stack received a reset message (RST) while waiting, it would de-allocate the socket and memory structures for the connection.  While waiting for the reply acknowledgement, the final part of the three-way handshake, the TCP/IP stack holds the socket it set up in the SYN_RCVD state.

 

If there is no response to the SYN/ACK message the TCP/IP stack will keep retrying until a timeout is reached, at which point it clears down the connection and recovers all the resources used.

 

 

SYN Attack

 

The basis for many attacks is the SYN attack.  It exploits the feature of TCP/IP described in the previous section.  The method is to launch multiple connection requests against the target machine.

 

The attacker sends a connection request to the target machine.  Only one additional action is required to make the attack possible: spoofing the client IP address.  Spoofing means that the source IP address is faked or masqueraded.  Further, it is not enough for the spoofed IP address simply to differ from that of the machine issuing the attack; the spoofed IP address has to be unreachable.

 

The reason the spoofed IP address has to be unreachable is that if it belongs to a reachable host, the target system will send its SYN/ACK packets to that host.  The receiving host, never having initiated the connection, will treat the packets as belonging to an unknown connection and will reply with a reset (RST) message back to the target.  The target, on reception of the RST message, closes down the connection.

 

With the target host receiving SYN packets with spoofed IP addresses, it attempts to reply to the unreachable addresses.  A reverse DNS lookup will occur (RARP/ARP) but, as there is no entry for the spoofed address, the reply packets are passed out to the upstream network.  All the while the connection socket is held active as the TCP/IP stack awaits an ACK back from the client.

 

If the target is flooded with such requests it soon uses up its available number of connections, as the timeout can be of the order of half a minute or, on some systems with a poorly implemented TCP/IP stack, longer.  The service listening on that port is effectively tied up waiting for ACK messages from non-existent or unreachable hosts.  While it is tied up it cannot service any proper requests, and hence service is denied to legitimate users.
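The two cases described above (an unreachable spoofed address that holds the socket until timeout, versus a reachable one whose RST frees it at once) can be traced through a small model of a listener's half-open table.  This is an added example, not code from the paper; the backlog size, the 30-second timeout, and the 10.0.1.x and 192.168.0.5 addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a listener's half-open (SYN_RCVD) table. BACKLOG and
 * SYN_TIMEOUT are assumed values chosen to keep the example small. */
#define BACKLOG     8    /* half-open connections the listener can hold */
#define SYN_TIMEOUT 30   /* seconds before an unanswered SYN/ACK is given up */

struct half_open { int in_use; uint32_t src; unsigned since; };
struct listener {
    struct half_open slot[BACKLOG];
    unsigned established;  /* handshakes completed by the client's ACK */
    unsigned refused;      /* SYNs dropped because every slot was held */
};
enum ev_kind { EV_SYN, EV_ACK, EV_RST };
struct event { unsigned t; enum ev_kind kind; uint32_t src; };

/* Deliver one packet to the listener. */
static void handle(struct listener *l, const struct event *e)
{
    int i = -1;
    for (int j = 0; j < BACKLOG; j++) {
        /* the stack gives up on SYN_RCVD entries older than the timeout */
        if (l->slot[j].in_use && e->t - l->slot[j].since >= SYN_TIMEOUT)
            l->slot[j].in_use = 0;
        if (l->slot[j].in_use && l->slot[j].src == e->src) i = j;
    }
    switch (e->kind) {
    case EV_SYN:                 /* step 1: allocate a socket, send SYN/ACK */
        for (int j = 0; j < BACKLOG; j++)
            if (!l->slot[j].in_use) {
                l->slot[j] = (struct half_open){ 1, e->src, e->t };
                return;
            }
        l->refused++;            /* table full: this SYN is turned away */
        return;
    case EV_ACK:                 /* step 3: handshake complete, slot released */
        if (i >= 0) { l->slot[i].in_use = 0; l->established++; }
        return;
    case EV_RST:                 /* reachable host rejects an unexpected SYN/ACK */
        if (i >= 0) l->slot[i].in_use = 0;
        return;
    }
}

#define SPOOFED(n) (0x0A000100u + (n))  /* constructed spoofed sources 10.0.1.n */
#define LEGIT      0xC0A80005u          /* constructed real client 192.168.0.5 */

/* Flood from unreachable spoofed sources: nothing ever answers the SYN/ACK, so
 * each slot is held for the full timeout and a real client arriving at t=10
 * is refused. Only once the slots time out (t=40) does its SYN get through. */
struct listener flood_unreachable(void)
{
    struct listener l = {0};
    for (unsigned n = 0; n < BACKLOG; n++) {
        struct event syn = { n, EV_SYN, SPOOFED(n) };
        handle(&l, &syn);
    }
    struct event early = { 10, EV_SYN, LEGIT };
    struct event late  = { 10 + SYN_TIMEOUT, EV_SYN, LEGIT };
    struct event ack   = { 11 + SYN_TIMEOUT, EV_ACK, LEGIT };
    handle(&l, &early);   /* refused: all eight slots are still SYN_RCVD */
    handle(&l, &late);    /* accepted: the spoofed entries have expired */
    handle(&l, &ack);
    return l;             /* refused == 1, established == 1 */
}

/* Same flood from reachable spoofed hosts: each answers the unexpected SYN/ACK
 * with a RST that frees the slot at once, so the real client is served. */
struct listener flood_reachable(void)
{
    struct listener l = {0};
    for (unsigned n = 0; n < BACKLOG; n++) {
        struct event syn = { n, EV_SYN, SPOOFED(n) };
        struct event rst = { n, EV_RST, SPOOFED(n) };
        handle(&l, &syn);
        handle(&l, &rst);
    }
    struct event legit = { 10, EV_SYN, LEGIT }, ack = { 11, EV_ACK, LEGIT };
    handle(&l, &legit);
    handle(&l, &ack);
    return l;             /* refused == 0, established == 1 */
}

int main(void)
{
    struct listener a = flood_unreachable(), b = flood_reachable();
    printf("unreachable spoof: refused=%u established=%u\n", a.refused, a.established);
    printf("reachable spoof:   refused=%u established=%u\n", b.refused, b.established);
    return 0;
}
```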

 

This kind of attack can be orchestrated from a single machine or, more importantly, a single process.  There is freely available source code[6], downloadable from the Internet, that will perpetrate such an attack.

 

The power of the attack can be magnified by a concerted effort from many individuals, or from a single individual who is tied in to several client systems.

 

 

ICMP Attacks

 

Internet Control Message Protocol (ICMP) is a protocol that is tunnelled[7] within TCP/IP and is used for the transmission of control and error messages.  Typically commands such as ping, a useful tool for testing whether a host is alive and responding, issue ICMP data packets.

 

TCP/IP allows a maximum packet size of 65536 bytes (or octets).  A data packet consists of a header of at least 20 bytes, with the rest of the packet being data.  Larger packets are split up by the underlying layers of the TCP/IP stack into smaller packets for transmission and are reassembled at the destination system.  Packets are usually transmitted much smaller than the maximum size; the size actually used is known as the MTU or maximum transmission unit, which in most cases is around 1500 bytes.

 

Ping, which issues ICMP_ECHO requests, is embedded within the IP packet and by standard[8] consists of 8 bytes of header information followed by the ping data.  This is the packet that will be echoed by the remote host.  This leaves the maximum size of a ping packet as 65536 - 20 (header for the TCP/IP packet) - 8 (header for the ICMP_ECHO packet), which is 65507 bytes.

 

Data received from a remote host is temporarily stored in a buffer.  The TCP/IP stack usually does not reassemble the packet until it has received all of the fragments that make up the whole packet.  It knows how to reassemble the packet because each fragment contains not only data but also an offset indicating where in the original packet its data belongs.

 

Malicious programs can forge fragments such that the offset plus the data size of the fragment adds up to more than the maximum allowed TCP/IP packet size of 65536.  As machines usually allocate a reassembly buffer sized to the maximum TCP/IP packet size, it is easy to see that when the machine reassembles the original packet by writing the received data into the buffer there is an overflow, as data is written beyond the end of the now undersized buffer.  In a poorly implemented TCP/IP stack this crashes the stack and usually the kernel too.  Such programs have received the nomenclature Ping of Death[9].
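The missing check is the whole story: a reassembly routine must verify that offset + length stays within the buffer before it copies anything.  The following is an added example of such a check, not code from the paper or from any real stack; the fragment sizes and the 65536-byte buffer are constructed to match the figures the paper gives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reassembly buffer of the size the paper describes. A stack that allocates
 * exactly this much and copies each fragment to offset*8 without a bounds
 * check is the one Ping of Death overflows. */
#define MAX_DATAGRAM 65536u

struct fragment {
    uint16_t offset_units;        /* 13-bit IP fragment offset, in 8-octet units */
    uint16_t payload_len;         /* data octets carried by this fragment */
    const unsigned char *payload; /* the data itself */
};

/* Bounds check: does a fragment ending at offset*8 + len stay inside the
 * buffer? Returns 1 if it fits, 0 if it would write past the end. The sum is
 * computed in 32 bits so it cannot wrap like a 16-bit length field would. */
int fragment_fits(uint16_t offset_units, uint16_t payload_len)
{
    uint32_t end = (uint32_t)offset_units * 8u + payload_len;  /* exclusive end */
    return end <= MAX_DATAGRAM;
}

/* Copy fragments into buf (MAX_DATAGRAM bytes). Returns the reassembled
 * length, or -1 as soon as a fragment fails the check. Because the check
 * runs before memcpy, an oversized fragment never overflows buf. */
long reassemble(const struct fragment *frags, size_t n, unsigned char *buf)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (!fragment_fits(frags[i].offset_units, frags[i].payload_len))
            return -1;
        uint32_t start = (uint32_t)frags[i].offset_units * 8u;
        memcpy(buf + start, frags[i].payload, frags[i].payload_len);
        if (start + frags[i].payload_len > total)
            total = start + frags[i].payload_len;
    }
    return (long)total;
}

/* Constructed sample 1: an ordinary 64-byte ping, carried unfragmented at
 * offset 0. Reassembles to 64 bytes. */
long normal_ping_len(void)
{
    static unsigned char data[64];
    static unsigned char buf[MAX_DATAGRAM];
    struct fragment f = { 0, sizeof data, data };
    return reassemble(&f, 1, buf);
}

/* Constructed sample 2: the Ping of Death shape. The final fragment claims the
 * largest 13-bit offset (8191 * 8 = 65528) and carries 100 octets, so offset +
 * length = 65628 > 65536. An unchecked stack would write past its buffer here;
 * this one rejects the fragment and returns -1. */
long ping_of_death_len(void)
{
    static unsigned char first[1480], last[100];
    static unsigned char buf[MAX_DATAGRAM];
    struct fragment frags[2] = {
        { 0,    sizeof first, first },
        { 8191, sizeof last,  last  },
    };
    return reassemble(frags, 2, buf);
}

int main(void)
{
    printf("normal ping reassembled to %ld bytes\n", normal_ping_len());
    printf("ping of death: %ld (-1 = fragment rejected)\n", ping_of_death_len());
    return 0;
}
```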

 

Smurf and Fraggle Attacks

 

The smurf attack takes its name from its source program.  It uses normal ICMP_ECHO requests, not the buffer-overflowing kind of the ICMP attack above.  It is an extremely powerful yet relatively simple attack to perpetrate.

 

The attacker spoofs their IP address to be that of the targeted system and then pings the broadcast[10] address of the network they are hosted on or are going to use in the attack.

 

Generally all hosts respond to a broadcast packet and, depending on the type of packet received, reply with information.  An example of proper use is the DHCP service used for dynamic IP address allocation on networks.

 

In the case of the attack the data packet is an ICMP_ECHO, or ping, packet and the intermediary systems that have been pinged respond by replying with the received ping packet, as in normal operation.  As the sender’s IP address has been spoofed to that of the target system, the replies are sent back to the target system.  The intermediary hosts act as amplifiers and reflectors: from the one attacker station the traffic has been amplified and sent on to the target system.

 

 

Figure 2 shows this kind of attack in operation.  The number of hosts that respond to the broadcast ping from the attacker multiplies the traffic. 

 

Figure 2 - Smurf and Fraggle type attack

 


As an illustration consider a simple example.  An attacker sends 500Kb/s of ping packets to an intermediary network of, say, 100 reflectors.  The reflectors each respond to the ping flood, but to the spoofed IP address of the target, which is now flooded with 100 * 500Kb/s, or 50Mb/s, of ping traffic.

 

Generally there are two victims in this kind of attack, the reflector network and the actual target site. 

 

Smurf is the ICMP version of this kind of attack and Fraggle is the UDP version.

 

 

Coordinated and Distributed Network Based Attacks

 

So far we have only discussed attacks originating from a single machine or from a coordinated group of attackers on disparate machines.  The recent attacks discussed earlier were actually perpetrated in a much more ingenious fashion, involving possibly thousands of hosts in the attack.

 

Programs that fall into this category are Trin00, Tribe Flood Network, TFN2K and Stacheldraht[11].  They all have a similar modus operandi and differ only slightly[12] in communication ports and certain other less important features.

 

The attack is not instantaneous.  The attacker first of all has to go through a sequence of set-up steps before they are ready to attack the target system. 

 

First of all the attacker needs to break into external hosts.  Usually one is set up as the master[13] and code repository.  Sniffer programs listening on well-known ports such as telnet or ftp will most probably have given the hacker access to the host.  Once access to the master system has been gained, various tricks may be employed to hide the existence of the new user (the attacker), such as root-kits.  These tools replace the standard system tools and are set up to hide the processes owned by the attacker.  They will most likely replace programs such as ps, top, and network commands.

 

Once a compromised host has been obtained the next phase starts.  The attacker, using some form of remote control of the root-kitted master host, initiates a search for other desirable systems: those that exhibit, or are known to exhibit, security loopholes, backdoors and compromises.  A list of discovered hosts is generated.

 

The next steps take on a level of automation.  From the list generated in the previous step, automated exploitation tools are used to access these hosts.  The tools include buffer overrun exploits for network services such as ftp, RPC etc.  Once the systems have been compromised, agents report back to the attack master that they have succeeded.

 

The attacker needs to prepare (or already have prepared) suitable programs for the systems, which may be a Unix type system, Linux, or another platform.  There are two kinds of binaries: the handler binaries and the daemon or agent binaries.  The actual attack programs, at the network front line, are the daemons.  Many daemons are controlled by a handler system, which in turn is controlled by a master system.

 

The final set-up phase of the attack happens when a script is generated and automatically run.  The script transfers the files from the master system to the handlers and other compromised hosts, readying them for an attack.  Various stealth tricks may be employed by the programs to avoid detection, such as waking up, executing and then sleeping for a set period of time.

 

The power of this set-up phase is enormous.  After the initial intrusion on the master host the process is automated, with each captured host being used to attack further hosts, gain entry and gain control.

 

Figure 3 shows what a network of captured hosts looks like.  Once the attacker has the systems under their control they are ready to launch multiple packet-based attacks on the target host system.


Figure 3 - Distributed Denial of Service host network[14]

 


The methods of attack that the compromised network can initiate include all of the discussed attack strategies of ICMP_ECHO attacks (ping flood), SYN flood attacks and Smurf or Fraggle attacks.

 

Attacks are set off by command line at the master station (labelled client in Figure 3), which is controlled remotely by the attacker.  With a single command the target host is flooded with masses of traffic.  The agents themselves run software that spoofs IP addresses to avoid tracing of the source machines.

 

 

The Attack Software

 

Tribe Flood Network

 

A German hacker calling himself Mixter authored the Tribe Flood Network (TFN) attack agent.  TFN[15] uses stealthy communication paths by embedding its commands in ICMP_ECHO requests transmitted from the master machine; the commands are forged to look like standard replies to the standard ping command.  The data part of an ICMP packet is often not seriously monitored by systems and so is easily overlooked.

 

The client control stations (master hosts) contain an IP list of controlled and compromised systems, and TFN tries to hide such lists by encrypting the file.  This is to hinder attempts at discerning the spread of the network should a client controller machine be discovered.

 

The handlers talk to the agents using ICMP_ECHOREPLY packets, which is again a stealthy technique, as it stops the downstream hosts from responding as they would to ICMP_ECHO packets.  If the downstream machine (agent or daemon) needs to reply to its handler it uses ICMP_ECHOREPLY as well.

 

 

Trin00

 

As with the Tribe Flood Network, the source code for Trin00 became available after investigators of other DOS problems witnessed an installation phase of Trin00.

 

The power of Trin00 was witnessed first hand by the University of Minnesota when an attack network of 227 hosts targeted an IRC server on campus and disabled the whole network on and off for three days[16]. 

 

Communication between the handlers and agents/daemons is done via both TCP and UDP, on ports[17] 1524 and 27665 for TCP and 27444 and 31335 for UDP.  Trin00 attacks using a UDP flood.

 

 

Stacheldraht

 

Stacheldraht is a recent addition to the DOS attack agent scene.  It offers a choice of attack method: ICMP flood, SYN flood, UDP flood and Smurf style attacks.  The communications path between clients and handlers is, unlike that of the other attack agents, encrypted to prevent other users or hackers listening in or using sniffers to hijack the attack network the hacker has set up.

 

The agent uses a mixture of TCP and ICMP for communication between the master/handlers and the agents.  By default ports 16660 and 65000 are used.  The agents are also able to upgrade themselves automatically by doing a remote copy from a specified server cache, something the other attack agents cannot do; this makes Stacheldraht quite a potent DOS tool, as agents can mutate to have different signatures, making detection difficult.

 

TFN2K

 

TFN2K is an update by Mixter, the German author of TFN, and incorporates new stealth techniques to fool packet filters.

 

Countering Cyber-warfare

 

The spread of such DOS tools is disturbing, and their ability to bring a network site to its knees is frightening to network users, implementers and administrators alike.  Countering attacks calls for a multi-layer defence strategy.

 

First of all, some of the attack strategies or propagation methods rely on known weaknesses in OS and/or TCP/IP stack implementations.  It is all too easy for a system to fall behind the latest release level and not be adequately maintained by a system maintainer.  The latest patches should be applied to all software used.  This starts to close loopholes and well-known security deficiencies in many systems.

 

Networks should implement IP filtering at ingress points.  Many of the attacks rely on IP spoofing; typically the spoofed address is that of a target host, which is usually on a different subnet.

Figure 4 - Ingress filtering

 

The above diagram shows a scenario where the attacker is on a particular subnet (the 192.168 class B address scheme).  If the attacker on that subnet spoofs an illegal address (that of the target system, which is on a completely different subnet), the router of ISP A should detect that the source IP address is incorrect.  Attacks such as Fraggle and Smurf are powerful but rely on spoofed IP addressing being allowed onto the network.  A rule something like the following should be implemented at the router:

 

If packet comes from a legal address in the subnet then
                forward the packet
Else
                deny the packet

 

If ISP A’s router discards the erroneous packets before they have propagated onto the network then spoofed packet entry is denied.  Also, if logs are maintained, evidence of strange behaviour on an ingress link is retained at the ISP site.

 

Another typical spoofing technique is to forge the IP address of packets so that they appear to originate from the target network.  So the target’s ingress router should also be configured not to allow traffic into the target’s subnet that claims to have originated from the target subnet but is in fact coming in from, say, a neighbouring network.
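Both rules, the customer-side check at ISP A's router and the border check at the target's ingress router, are the same prefix comparison applied with opposite polarity.  The following is an added example of the two rules as code, not anything from the paper or from a router vendor; the attacker's 192.168.0.0/16 comes from Figure 4, while the target subnet 10.1.2.0/24 and the outside host 203.0.113.4 are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted-quad IPv4 address into a host-order integer.
 * Returns 1 on success, 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Does addr lie inside prefix/len? */
int in_prefix(uint32_t addr, uint32_t prefix, unsigned len)
{
    if (len > 32) len = 32;
    uint32_t mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
    return (addr & mask) == (prefix & mask);
}

enum verdict { DENY = 0, FORWARD = 1 };

/* Rule 1, ISP A's customer-facing router: forward a packet only if its source
 * address belongs to the customer's own subnet; anything else is spoofed
 * (or misconfigured) and is dropped at the ingress link. */
enum verdict customer_ingress(const char *subnet, unsigned len, const char *src)
{
    uint32_t net, s;
    if (!parse_ipv4(subnet, &net) || !parse_ipv4(src, &s)) return DENY;
    return in_prefix(s, net, len) ? FORWARD : DENY;
}

/* Rule 2, the target site's border router: a packet arriving from outside must
 * not claim a source inside the target's own subnet. */
enum verdict border_ingress(const char *own_subnet, unsigned len, const char *src)
{
    uint32_t net, s;
    if (!parse_ipv4(own_subnet, &net) || !parse_ipv4(src, &s)) return DENY;
    return in_prefix(s, net, len) ? DENY : FORWARD;
}

int main(void)
{
    /* Figure 4's scenario: the attacker sits in 192.168.0.0/16 behind ISP A;
     * the target subnet 10.1.2.0/24 and outside host 203.0.113.4 are constructed. */
    const char *cases[][2] = {
        { "192.168.7.9", "genuine customer source" },
        { "10.1.2.3",    "spoofed target address" },
    };
    for (int i = 0; i < 2; i++)
        printf("ISP A edge: %-12s (%s) -> %s\n", cases[i][0], cases[i][1],
               customer_ingress("192.168.0.0", 16, cases[i][0]) ? "forward" : "deny");
    printf("target border: 10.1.2.3 from outside -> %s\n",
           border_ingress("10.1.2.0", 24, "10.1.2.3") ? "forward" : "deny");
    printf("target border: 203.0.113.4 from outside -> %s\n",
           border_ingress("10.1.2.0", 24, "203.0.113.4") ? "forward" : "deny");
    return 0;
}
```

A real router would apply these per interface and log each DENY, which is the evidence the text says an ISP should retain.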

 

The two types of malicious ICMP packets, ping-of-death and the ICMP_ECHO control packets of the DOS agents, are more difficult to counter.  Useful tools such as ping and traceroute use ICMP_ECHO packets in their everyday operation, and denying such traffic completely would break these tools, and no doubt some others as well.

 

One alternative to blocking all ping-like traffic is to block only fragmented pings.  This allows the standard 64-byte test ping and disables the ping-of-death attack.  Up-to-date patching of OSs[18] will also rectify this problem.

 

For the other form of malicious ICMP traffic, detection and eradication become extremely difficult and involve third party software.  As the control of the agents is embedded within ICMP_ECHO packets, the only clue a system receives that something is amiss is a sudden rise in that type of packet.  Intrusion Detection Systems can do this kind of traffic profiling.  Throttles could also be placed on the ingress side of a network so that if ICMP_ECHO traffic breaks a certain limit those packets are dropped.  This is a tricky metric to generate and achieve correctly, and support from network specialists at the vendor of the routing equipment will probably be necessary.

 

Throttling connections will also work for the SYN flood attack.  Public access servers have capacities that are easily measured, from which the number of connection attempts they should be able to handle can be figured.  By throttling the SYN ingress rate the unruly consumption of resources during a SYN attack should be decreased.  Up-to-date patching of OSs will also help, as OS vendors have implemented such triggers in software too.
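The ICMP_ECHO throttle of the previous paragraph and the SYN throttle of this one are the same mechanism with different budgets.  Below is an added example of a per-class rate limit run over a constructed packet trace; it is not from the paper, and the limits of 10 echo/s and 20 SYN/s and the trace itself are assumptions.  The trade-off the text calls a tricky metric is visible in the result: during the burst second the legitimate pings compete for the same budget as the flood.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed packet trace record: arrival second and a coarse class. */
enum pkt_class { PK_OTHER, PK_ICMP_ECHO, PK_TCP_SYN };
struct pkt { unsigned t; enum pkt_class cls; };

/* A per-class budget of packets per one-second window. The limits are
 * assumed values for the example; in practice they come from the measured
 * capacity of the servers behind the ingress link. */
struct throttle { unsigned limit, window, used, dropped; };

/* Returns 1 to forward, 0 to drop. The counter resets when a new second starts. */
static int admit(struct throttle *th, unsigned t)
{
    if (t != th->window) { th->window = t; th->used = 0; }
    if (th->used < th->limit) { th->used++; return 1; }
    th->dropped++;
    return 0;
}

struct result { unsigned forwarded, echo_dropped, syn_dropped; };

/* Run a trace through two throttles: one for ICMP echo (TFN-style control
 * traffic and ping floods) and one for TCP SYN (the SYN flood). Other traffic
 * passes untouched. */
struct result run_trace(const struct pkt *p, size_t n,
                        unsigned echo_limit, unsigned syn_limit)
{
    struct throttle echo = { echo_limit, 0, 0, 0 }, syn = { syn_limit, 0, 0, 0 };
    struct result r = { 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        int ok = 1;
        if (p[i].cls == PK_ICMP_ECHO) ok = admit(&echo, p[i].t);
        else if (p[i].cls == PK_TCP_SYN) ok = admit(&syn, p[i].t);
        if (ok) r.forwarded++;
    }
    r.echo_dropped = echo.dropped;
    r.syn_dropped = syn.dropped;
    return r;
}

/* Constructed trace: second 0 is quiet (2 pings, 3 SYNs, 5 other packets);
 * second 1 is the burst the paper describes as the only visible clue
 * (50 ICMP echo and 40 SYN). With limits of 10 echo/s and 20 SYN/s the
 * quiet second passes whole and the burst is cut to the budget. */
struct result demo(void)
{
    static struct pkt trace[2 + 3 + 5 + 50 + 40];
    size_t k = 0;
    for (int i = 0; i < 2;  i++) trace[k++] = (struct pkt){ 0, PK_ICMP_ECHO };
    for (int i = 0; i < 3;  i++) trace[k++] = (struct pkt){ 0, PK_TCP_SYN };
    for (int i = 0; i < 5;  i++) trace[k++] = (struct pkt){ 0, PK_OTHER };
    for (int i = 0; i < 50; i++) trace[k++] = (struct pkt){ 1, PK_ICMP_ECHO };
    for (int i = 0; i < 40; i++) trace[k++] = (struct pkt){ 1, PK_TCP_SYN };
    return run_trace(trace, k, 10, 20);  /* forwarded 40, echo dropped 40, SYN dropped 20 */
}

int main(void)
{
    struct result r = demo();
    printf("forwarded=%u icmp_echo_dropped=%u syn_dropped=%u\n",
           r.forwarded, r.echo_dropped, r.syn_dropped);
    return 0;
}
```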

 

There are numerous tools that can be employed to see whether a particular host has been compromised.  These search for fingerprints of the attack agents, looking for well-known strings embedded in the binaries.  One of these, available at http://staff.washington.edu/dittrich/misc/ddos_scan.tar, can scan for Trin00, TFN and Stacheldraht; “gag”, available at http://staff.washington.edu/dittrich/misc/sickenscan.tar, scans for Stacheldraht alone.  The FBI has a site at http://www.fbi.gov/nipc/trinoo.htm where scanning tools can be downloaded for various platforms (but not Windows).  Other tools include “lsof”, “sniffit” and “ngrep”, which can be used to try to discover any daemons on local systems.  These are obtainable at:

 

lsof    - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

sniffit - http://sniffit.rug.ac.be/sniffit/sniffit.html

ngrep   - http://www.packetfactory.net/ngrep/

 

There is a comprehensive set of online tools that users can use to test their computers for well-known footprints of attack agents.  These can be seen at the Whitehats security site at http://dev.whitehats.com/scan/ddos/ddos.html.

 

More long-term solutions exist, or at least have been proposed.  At a recent North American Network Operators Group[19] meeting, Robert Stone of UUNet proposed a network overlay for IP[20] in which dubious or interesting packets can be quickly and efficiently routed to specialist investigation routers that examine their contents.  This would enable quicker and simpler tracing of attacking connections, something that is difficult to do at the moment.

 

Steven Bellovin proposed, in a white paper through the Internet Engineering Task Force, a new set of ICMP messages that would enable trace-back of packets.  Every so often routers would emit ICMP packets with tracing information, similar in operation to the call tracing of malicious phone calls.  This would help identify originating hosts on a heavily used link, where a traffic increase from a subnet may indicate a DOS attack.  Further information can be found at http://www.research.att.com/~smb/papers/draft-bellovin-itrace-00.txt.

 

For a definitive source of information readers should go to David Dittrich’s website at the University of Washington.  He has been instrumental in the analysis of the recent DOS tools featured earlier and has worked with the CERT Coordination Centre on raising awareness of DOS attacks.  He can be found at http://staff.washington.edu/dittrich/misc/ddos/.

 

 

In Conclusion - The Future

 

Denial of service attacks and attack methods are maturing.  What started as pranks and random exploitation of security holes has become a coordinated suite of attack tools.

 

The denial of service attacks themselves are not so much “hacks” in the traditional sense of the word, although tools like TFN etc rely on “hacking” a root account on a host.  The tools are, in fact, an exploitation of network hardware, software and protocol weaknesses. 

 

The explosive growth of networking has led to many features, such as security, not being implemented, whether through misunderstanding of the consequences or, more likely, naivety.  Who would have thought that someone would want to spoof an IP address?

 

There can surely be no doubt that the exploitation tools will mature further, incorporating more exotic attack strategies, stealth and wider, easier propagation.  Already TFN2K tries to get around boundary IP filtering.

 

High profile attacks such as those mentioned earlier can have damaging effects and it cannot be ruled out that some attacks may be financially motivated.  What is required is a thorough understanding of the situation from anyone involved with networking.

A parallel can be drawn with the earlier “Internet problem” of spamming[21].  At first spammers sent their mail via ordinary methods, but after mass complaints many had their email accounts and access shut down.  They moved to more esoteric means and started to exploit weaknesses in many mail transfer agents (MTAs) such as sendmail.  Many MTAs would blindly forward mail not only from their host domains but from anyone who connected to them.  Complicated set-up rules had to be changed to stop this kind of activity, something a lot of system administrators had difficulty with and so neglected.  It wasn’t until agencies such as The Open Relay Broadcast Organisation[22] (ORBS), who can be found at http://www.orbs.org, started automatically to test and record MTAs that the problem really got addressed.  Other MTAs could subscribe to the ORBS list and refuse mail from those that were open relay stations, which prompted system administrators to change their configuration files.

 

Likewise, services should be implemented for network traffic.  As network providers become more aware and ready to close down the loopholes, they could subscribe to, or have knowledge of, networks that, say, do not adequately perform boundary IP filtering.  Or, if Steven Bellovin’s proposals are implemented, any network that does not provide adequate traceability[23] could have its traffic denied.

 

Network connectivity is increasing and with the rolling out in many countries of digital subscriber lines (DSL) the number of hosts with usable bandwidth will increase dramatically, allowing attackers to infiltrate even home user computers that are connected, via DSL lines, to the Internet permanently.

 

Mixter, the German hacker and TFN author, puts forward his vision of the future of DOS attacks at http://packetstorm.securify.com/distributed/tfn3k.txt.  He mentions some new thoughts and new attack methodologies.

 

Other possibilities for attack agents include greater use of encryption to hide the payload contents of control packets (ICMP or other), rotating and dynamic port usage to avoid long-standing static connections, and even logic-bomb threats such that if a client or master is discovered the program “free-falls” into overwriting critical data.

 

It is going to be a difficult time for network operators and users alike unless rigorous guaranteed protection can be assured.

 


Bibliography

 

 

Internet Security Advisories, Cisco Corporation

http://www.cisco.com/warp/public/707/advisory.html

 

RFC2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing,

http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt

 

DDOS Information

http://dev.whitehats.com

 

Free DDOS Scanning Service - Whitehats

http://dev.whitehats.com/scan/ddos/ddos.html

 

CERT Advisory, The CERT Coordination Centre

http://www.cert.org/incident_notes/IN-99-04.html

http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

 

Results of the Distributed-Systems Intruder Tools Workshop, The CERT Coordination Centre

http://www.cert.org/reports/dsit_workshop.pdf

 

Root-Kit FAQ

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

 

Trinoo Analysis, David Dittrich

http://staff.washington.edu/dittrich/misc/trinoo.analysis

  

TFN Analysis, David Dittrich

http://staff.washington.edu/dittrich/misc/tfn.analysis

 

Project Loki, Phrack Magazine

http://www.phrack.com

 



[1] To use the generic “paint all” phrase – and meaning those who perform illegal activities.

[2] Internet Relay Chat – an online, real-time chat network.

[3] Uniform Resource Locator – e.g. http://….

[4] Indicated by the client IP address.

[5] The core service that is within the kernel of the host machine OS.

[6] called Neptune.

[7] Embedded within other protocols.

[8] RFC 792.

[9] This kind of attack usually takes only one attempt at crippling a target host and it is very easy to set up a program to just start iterating through a set of target IP addresses.

[10] The broadcast address is usually of the form x.y.z.255 for a class C type IP addressing scheme.

[11] Apparently German for “barbed wire”.

[12] Open source in the hacker community – hack someone else’s hacking tool and call it your own.

[13] Ideal master sites are sites that have high bandwidth connectivity and have many users.

[14] Source of picture - http://www.cisco.com/warp/public/707/newsflash.html

[15] The source code for TFN became available after an active propagation session was discovered on a host computer and the code was intercepted.

[16] See http://staff.washington.edu/dittrich/misc/trinoo.analysis Appendix D for a fuller transcript of the occurrence.

[17] By default, but this may change if the source code is edited by an attacker.

[18] In a version of Irix, for SGI machines, it is reported that for incoming connections checks were implemented so as to not break the 64k barrier but not for outgoing connections.  This is rumoured to have enabled administrators to counter-attack an attacker.

[19] http://www.nanog.org

[20] http://www.nanog.org/mtg-9910/robert.html

[21] Bulk sending of unsolicited email.

[22] http://www.orbs.org

[23] and ultimately accountability?