The Early Days: 2001-2003
Over this period attackers increasingly shifted from script kiddies fooling around, like Mafiaboy, to members of criminal organizations. The implications of taking down a business network became increasingly clear, which in turn heightened the attraction of DDoS attacks. Worms began to be employed, taking DDoS to a new level of attack: worms aggressively scan hosts for exploitable vulnerabilities in order to infect them. Rootkits were also used so that the scanning and infection process restarted immediately on a compromised host. Some of the techniques in use were far more sophisticated than anything seen previously, and security specialists accordingly had to step up their game.
The Code Red worm of 2001 scanned and infected over 350,000 Microsoft Internet Information Server (IIS) servers in under 9 hours. It produced a massive spike in traffic that crashed networks. The worm's payload modified the affected website to display: “HELLO! Welcome to http://www.worm.com! Hacked by Chinese!” The attack lasted for a month and included the launch of DoS attacks against the White House server.
eEye Digital Security employees Marc Maiffret and Ryan Permeh were the first to discover the Code Red worm, along with Riley Hassell, who identified the vulnerability the worm exploited. The researchers named it “Code Red” because they were drinking Code Red Mountain Dew at the time of discovery. The worm spread by triggering a buffer overflow: it sent a long string of the repeated letter ‘N’ to overrun a buffer, enabling it to execute arbitrary code and infect the host machine. Kenneth D. Eichman was the first to discover how to block the worm from spreading, and he was invited to the White House because of his discovery. The FBI had previously deemed Code Red so dangerous that it could bring down the entire Internet due to the increased traffic from its scans. It infected between 1 and 2 million computers.
In 2002, in what were dubbed the Smurf Attacks, all 13 DNS root servers were targeted. The attack lasted only an hour, but traffic over that time reached 900 mb/sec. It was carried out by flooding the root servers with ICMP echo requests (ping flooding). Nine of the 13 servers crashed, affecting the availability of numerous sites. The overall impact was fairly minimal, but the FBI and the Department of Homeland Security took it seriously enough to launch an investigation.
The name is still used today even though this type of attack is now far less common. It comes from the notion of many small attackers (smurfs) overwhelming a large opponent. Today, administrators can make a network immune to such abuse by configuring individual hosts and routers not to respond to ICMP requests sent to broadcast addresses, or by configuring routers not to forward packets directed to broadcast addresses. Another solution is network ingress filtering, which rejects the attacking packets because their IP source addresses are spoofed.
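The router- and host-side controls just described, modelled in Python as an added example that is not part of the original article; the interface names, prefixes (RFC 5737 documentation ranges) and packet records are constructed for the demonstration.

```python
import ipaddress

# Hypothetical edge router configuration (constructed): the prefixes that can
# legitimately be the source of traffic arriving on each customer-facing port.
INGRESS_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25")],
}
# Local subnets whose directed-broadcast addresses must never be forwarded to.
LOCAL_SUBNETS = [ipaddress.ip_network("10.10.0.0/24"),
                 ipaddress.ip_network("10.10.1.0/24")]

def is_spoofed(iface, src):
    """Ingress filtering: a source address that cannot legitimately arrive on
    this interface is treated as spoofed and the packet is rejected."""
    addr = ipaddress.ip_address(src)
    return not any(addr in p for p in INGRESS_PREFIXES.get(iface, []))

def is_directed_broadcast(dst):
    """True if dst is the broadcast address of a local subnet, i.e. the
    amplification target a smurf attack relies on."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_SUBNETS)

def filter_packet(pkt):
    """Router decision for one packet: ('drop', reason) or ('forward', 'ok')."""
    if is_spoofed(pkt["iface"], pkt["src"]):
        return ("drop", "ingress filter: spoofed source")
    if is_directed_broadcast(pkt["dst"]):
        return ("drop", "directed broadcast not forwarded")
    return ("forward", "ok")

def host_replies(dst, icmp_echo_ignore_broadcasts=True):
    """Host-side control: with the ignore-broadcasts setting on, a host does
    not answer echo requests addressed to a broadcast address."""
    return not (icmp_echo_ignore_broadcasts and is_directed_broadcast(dst))

# Constructed traffic: a legitimate ping, a smurf trigger with the victim's
# address spoofed as source, a directed-broadcast ping from a valid source,
# and a packet whose source lies outside its interface's prefix.
SAMPLE_PACKETS = [
    {"iface": "eth1", "src": "203.0.113.7", "dst": "10.10.0.10"},
    {"iface": "eth1", "src": "192.0.2.10", "dst": "10.10.0.255"},
    {"iface": "eth2", "src": "198.51.100.5", "dst": "10.10.1.255"},
    {"iface": "eth2", "src": "198.51.100.200", "dst": "10.10.0.10"},
]

def run(packets=SAMPLE_PACKETS):
    """Apply the router filter to every packet and return the verdicts."""
    return [filter_packet(p) for p in packets]
```

Note that the spoofed packet is rejected by the ingress check before the broadcast check is reached, which is why ingress filtering alone already defeats the reflected-flood pattern.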
A similar attack took place in 2003, known as the Slammer or Sapphire attack, which again targeted the 13 DNS root servers and took down 5 of them. Although fewer root servers were knocked offline, it affected systems ranging from air traffic control to ATMs. Slammer infected the majority of its 75,000 victims within ten minutes of launch.
Mitigation methods changed in fundamental ways across this period in response to the scale and sophistication of attacks. Defenses based on filtering traffic became less effective as the consolidation of protocols and ports made legitimate and malicious traffic look increasingly alike. Security services instead focused on intelligent mitigation, i.e. inspecting packet contents and application behavior to mount more robust defenses.