2.2.5 Stacheldraht Attack

A Stacheldraht (German for "barbed wire") attack combines many features from different types of attacks. It can even include an encrypted communication link between the attackers and the master controller, a program that activates agents residing on multiple compromised machines. This link lets the attacker push updated instructions about targets and attack types to the agents. Both TFN (Tribe Flood Network) and Stacheldraht attacks require an initial intrusion phase in which automated tools compromise large numbers of systems for use in the attack. The initial intrusion phase is followed by the actual attack.

A few different things can be done to defend against the Stacheldraht attack and other DDoS attacks in which "zombie" computers are used. A zombie computer is one that has been secretly taken over by an attacker. The attacker accesses the zombie through the Internet or another network and installs programs that execute without the owner's knowledge. Perhaps the most important aspect of defense is to ensure that a modern firewall or intrusion detection system is in place that can detect this type of attack. It is also important that these devices can determine whether the attack is originating from zombie computers on your own network. In that case, the firewall should be able to limit the packets leaving your network to only the traffic that should be leaving it. When large numbers of packets are being transmitted during the attack, it is important to have physical access to the devices on the perimeter of the network, since remote communication with these devices will most likely not be possible. The idea is to access the devices that pass packets into and out of the network in order to determine the source of the attack. Once the source has been discovered, those devices can drop the packets originating from the offending addresses. When dealing with mission-critical data, unplugging the network is done only as a last resort.

A perimeter router can be used to drop packets either inbound to or outbound from the network through the use of access control lists. Typically, an access control list tells the router whether to forward or drop packets that match certain criteria. During an attack, the access control list should be configured to drop packets originating from the IP addresses being used to launch the attack. This will not stop the attack, but it should free up enough bandwidth to allow any computers or services that have been compromised or crashed by the attack to be repaired.
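As an added illustration of the two steps above (finding the flooding sources from a perimeter device's traffic records, then expressing the inbound drop rules and the outbound egress filter as access control list entries), here is an example script that is not part of the original text. The flow records, the internal address block 198.51.100.0/24, the packet threshold and the Cisco IOS style access-list syntax are all assumptions made for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow records from a perimeter device:
# "src_ip dst_ip packets direction" ("in" = entering our network, "out" = leaving it).
SAMPLE_FLOWS = """\
203.0.113.5 198.51.100.10 48000 in
203.0.113.7 198.51.100.10 45000 in
198.51.100.22 192.0.2.40 52000 out
192.0.2.88 198.51.100.10 30 in
198.51.100.10 192.0.2.88 25 out
"""

INTERNAL = ip_network("198.51.100.0/24")  # assumed: the address block of our own network
THRESHOLD = 10000  # assumed: packets per source at or above which we treat it as flooding

def parse_flows(text):
    """Parse the whitespace-separated records into (src, dst, packets, direction) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, pkts, direction = line.split()
            flows.append((ip_address(src), ip_address(dst), int(pkts), direction))
    return flows

def find_flooders(flows, threshold=THRESHOLD):
    """Total packets per source address and keep the sources at or above threshold."""
    totals = Counter()
    for src, _dst, pkts, _direction in flows:
        totals[src] += pkts
    return {src: n for src, n in totals.items() if n >= threshold}

def classify(flooders, internal=INTERNAL):
    """Split flooders into outside attackers and zombies sitting on our own network."""
    external = sorted(ip for ip in flooders if ip not in internal)
    zombies = sorted(ip for ip in flooders if ip in internal)
    return external, zombies

def build_acls(external, zombies, internal=INTERNAL):
    """Emit Cisco IOS style access-list lines (syntax assumed for illustration):
    ACL 101 is meant to be applied inbound, ACL 102 outbound (egress filter)."""
    acl = [f"access-list 101 deny ip host {ip} any" for ip in external]
    acl.append("access-list 101 permit ip any any")
    acl += [f"access-list 102 deny ip host {ip} any" for ip in zombies]
    # Only packets sourced from our own block may leave; anything else is dropped.
    acl.append(f"access-list 102 permit ip {internal.network_address} {internal.hostmask} any")
    acl.append("access-list 102 deny ip any any")
    return acl
```

Calling `build_acls(*classify(find_flooders(parse_flows(SAMPLE_FLOWS))))` yields the deny entries for the two outside sources, a deny for the internal zombie, and an egress rule that lets only 198.51.100.0/24-sourced traffic leave.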

On a network where a firewall is in use, rules that drop packets from the offending computers, much like the access control list on the router, should be enforced. It is important to remember that whether a router, firewall, or intrusion detection system is used, logging should be limited while the attack is taking place. These logs can slow down the devices being used to defend against the attack, consume network bandwidth, and fill up hard drive space very quickly.

It is also recommended that the ISP be contacted about the attack. The ISP should be able to help filter packets in an effort to free up bandwidth, and it can also block the addresses that are flooding the network. Keep in mind that it may take some time for the ISP to respond to a complaint or request. This is valuable time that can be used to bring servers and services back online within your own network.

Software packages designed specifically to counter Stacheldraht and other DDoS attacks are available. One such utility is Zombie-Zapper. This free tool is used to tell an attacking computer to stop flooding packets. It is important to note that this and similar software may rely on the attacking machines still being configured with their default settings. An attacker familiar with the tools that can be used against it will most likely have changed these defaults.