Stacheldraht: the Bugtraq post that ends the year

Today, the 30th of December, a post on Bugtraq introduced the public to a new DDoS toolkit called Stacheldraht. The name is German for "barbed wire". The tool was authored, according to the analysis, by a member of the Austrian hacker group TESO.

This is the third major distributed-attack toolkit to appear in 1999, after Trinoo and TFN. It is also visibly the most sophisticated. I want to write about it briefly, on the second-last day of the year, because the timing is in itself a useful punctuation mark.

What Stacheldraht is

The architecture is similar to its predecessors: an attacker controls one or more masters; the masters control hundreds of agents; the agents flood a target. The novelties are mostly in operational discipline:

The control channel uses Blowfish encryption. The attacker's session to a master is a Blowfish-encrypted, telnet-like connection keyed with a passphrase, so that stream carries no cleartext for a Snort signature to match. Master-to-agent traffic, which rides on TCP and on ICMP echo replies, is not equally invisible: its content may be opaque, but a host receiving a stream of echo replies it never requested is still something a sensor can see.

The agent has automatic update. Agents can be commanded to fetch a fresh binary from a designated host (the published tool pulls it with rcp from a named account) and replace themselves in place. The deployed daemon population can therefore be upgraded without recompromising hosts. The same feature hands an investigator a lead: the update source is a host and an account that every agent has to contact.

The agent is portable. Trinoo agents were recovered mostly from Solaris hosts, TFN from Solaris and Linux; Stacheldraht's agent builds for both Linux and Solaris from one source tree (it is not a single binary that picks its platform at runtime). With both platforms covered from the first release, the pool of hosts that can be turned into agents is correspondingly larger.

The agent supports multiple flood types. ICMP flood, UDP flood, SYN flood, Smurf attack: TFN's full repertoire, all in one binary, behind Trinoo's master/agent structure.

The agent supports source-address spoofing. Floods can use the agent's real address (for cases where some traffic must look legitimate) or forged sources, chosen per attack. The agent also checks at startup whether forged sources actually leave its network, which amounts to a direct test of whatever egress filtering sits in front of it.

Access to the masters is authenticated. The attacker must present a passphrase over the encrypted session before a master accepts commands, so someone who captures or replays the protocol cannot drive the masters without the secret.

In short, Stacheldraht is what TFN would be if its developers had read all the analyses of Trinoo and TFN and engineered around every weakness identified in those analyses. Which they have.
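The point about signatures deserves a concrete illustration. The following is example code written for this edit, not code from the post, from the Bugtraq analysis, or from the tool: payload matching gets nothing from an encrypted channel, but a control channel carried in ICMP echo replies must deliver replies that nobody requested, and that is visible regardless of content. The detector tracks outbound echo requests and flags inbound replies that match none of them. The trace records are constructed, the addresses are documentation ranges, and the ICMP identifiers are arbitrary values, not the tool's.

```python
"""Flag unsolicited ICMP echo replies in a decoded packet trace.

Added example for this post, not code from the original page, from the
Bugtraq analysis, or from the tool. Assumes a trace already decoded into
IcmpRecord tuples (direction is relative to our network). The records in
SAMPLE are constructed; addresses are documentation ranges and the ICMP
identifiers are arbitrary, not the tool's.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpRecord:
    ts: float        # seconds since trace start
    direction: str   # "out" = leaving our network, "in" = entering it
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    icmp_seq: int


def find_unsolicited_replies(records: List[IcmpRecord], window: float = 5.0) -> List[IcmpRecord]:
    """Return inbound echo replies that match no recent outbound echo request.

    An outbound request is remembered under (our host, peer, id, seq). An
    inbound reply with the mirrored addresses and the same id/seq inside
    `window` seconds is ordinary ping traffic and consumes that entry.
    Every other inbound echo reply is unsolicited: a host was sent a
    "reply" it never asked for, which is how an ICMP-carried control
    channel looks on the wire whatever its payload says.
    """
    pending: Dict[Tuple[str, str, int, int], float] = {}
    unsolicited: List[IcmpRecord] = []
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.direction == "out" and r.icmp_type == ECHO_REQUEST:
            pending[(r.src, r.dst, r.icmp_id, r.icmp_seq)] = r.ts
        elif r.direction == "in" and r.icmp_type == ECHO_REPLY:
            key = (r.dst, r.src, r.icmp_id, r.icmp_seq)
            sent = pending.pop(key, None)
            if sent is None or r.ts - sent > window:
                unsolicited.append(r)
    return unsolicited


def suspect_peers(unsolicited: List[IcmpRecord], threshold: int = 3) -> List[Tuple[Tuple[str, str], int]]:
    """Group unsolicited replies by (local host, remote peer) and keep pairs at or above threshold.

    One stray reply is noise (a duplicate, a late answer); a steady stream
    from one peer to one local host is a conversation.
    """
    counts = Counter((r.dst, r.src) for r in unsolicited)
    return sorted((pair, n) for pair, n in counts.items() if n >= threshold)


# Constructed trace. 192.0.2.10 is a local host; 203.0.113.1 is a peer it
# really pinged; 198.51.100.7 sends it echo replies it never requested.
SAMPLE = [
    IcmpRecord(0.0, "out", "192.0.2.10", "203.0.113.1", ECHO_REQUEST, 41, 1),
    IcmpRecord(0.1, "in", "203.0.113.1", "192.0.2.10", ECHO_REPLY, 41, 1),   # normal
    IcmpRecord(0.2, "in", "203.0.113.1", "192.0.2.10", ECHO_REPLY, 41, 1),   # duplicate: flagged
    IcmpRecord(1.0, "in", "198.51.100.7", "192.0.2.10", ECHO_REPLY, 900, 0),  # no request: flagged
    IcmpRecord(1.5, "in", "198.51.100.7", "192.0.2.10", ECHO_REPLY, 900, 1),  # flagged
    IcmpRecord(2.0, "in", "198.51.100.7", "192.0.2.10", ECHO_REPLY, 900, 2),  # flagged
    IcmpRecord(3.0, "out", "192.0.2.10", "203.0.113.1", ECHO_REQUEST, 41, 2),
    IcmpRecord(9.5, "in", "203.0.113.1", "192.0.2.10", ECHO_REPLY, 41, 2),   # past window: flagged
]


if __name__ == "__main__":
    flagged = find_unsolicited_replies(SAMPLE)
    for rec in flagged:
        print(f"{rec.ts:5.1f} unsolicited echo reply {rec.src} -> {rec.dst} id={rec.icmp_id} seq={rec.icmp_seq}")
    for (local, peer), n in suspect_peers(flagged):
        print(f"{local} received {n} unsolicited echo replies from {peer}")
```

Run on the constructed trace, five replies are flagged (a duplicate, three from a peer that was never pinged, and one that arrived after the window) and only the never-pinged peer crosses the per-pair threshold. The window and threshold are the two knobs that trade false positives against missed low-rate channels; neither depends on reading the payload.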

What it tells us about the trajectory

The shape of the year's DDoS evolution has been:

  • June 1999: Trinoo. First public tool. Basic architecture, weak operational discipline.
  • August 1999: TFN. More flood types, slightly better architecture. ICMP control rather than UDP.
  • November 1999: TFN evolution with encryption, decoy traffic, and stealth installation.
  • December 1999: Stacheldraht. Encrypted, authenticated, multi-platform, with automatic update.

Six months. From "first public tool" to "professionally engineered command-and-control infrastructure". The improvement at each step has been roughly the response to the defensive measures from the previous step. The pace has not slowed.

This is the offensive engineering response to the defensive community's analysis cycle. Each Dittrich analysis of a tool produces, within months, a successor that addresses the analysis's findings. The defenders are, in effect, providing free QA for the offensive side.

This is uncomfortable to write down but it is the honest characterisation. The cycle will continue as long as the analyses continue, and the analyses continuing is essential for any defensive response at all. The asymmetry is real and durable.

What this implies for early 2000

A few predictions, in my year-end discipline of writing them down so I can score them.

The first major commercial site DDoS will happen in the first quarter of 2000. Stacheldraht-class tools are now in the wild. The agent populations being assembled now will be large enough to overwhelm well-resourced sites by January or February. By March, I expect at least one outage of a household-name site that is in mainstream news.

The defensive response will be commercially-driven. The dollar value of being offline will produce dollar value going into mitigation. Specialised DDoS-mitigation services will appear as a real product category over 2000 and 2001. The first iteration will be capacity-based — "absorb the flood by being upstream of the bottleneck" — and will work imperfectly at first.

The protocol-level conversation will accelerate. Ingress filtering of the kind RFC 2267 describes (drop a packet whose source address could not legitimately have arrived on the interface it came in on) will go from a quiet operational best practice to a more visible policy conversation. Some of the largest carriers will start enforcing it more publicly. Adoption will still be patchy. The trend line will start to bend.

Stacheldraht itself will be patched, again. The published analysis will describe specific aspects of the protocol. Within a few months, those aspects will be modified. The cycle continues.

A small note on the meta-pattern

The pattern visible in 1999's DDoS evolution is, I think, a microcosm of the larger pattern in computer security. Defenders document. Attackers read the documentation and respond. The documentation is essential for defence; the documentation is also the input to the next attack iteration; the cycle is structurally unbalanced because the offensive response is faster than the defensive deployment.

This is the coordination problem at the heart of the field. Individual operators cannot solve it. Individual researchers cannot solve it. Even individual large operators cannot solve it on their own. The solution requires structural changes to the network — protocol-level enforcement, standardised inter-operator coordination, automated detection-and-response infrastructure that operates at internet scale rather than per-host.

None of those exist yet. They are years from existing in any deployed form. Stacheldraht is the year-end punctuation mark on the question of whether they need to.

They do.

What I am doing about it personally

Nothing new. I have already applied the defensive measures within my reach. My infrastructure is not Stacheldraht-resistant in any meaningful sense — at my scale, no individual operator's infrastructure is. What I can do is contribute to not being part of the problem: my hosts are not compromised; my egress filtering is in place; my structured logs would catch a daemon installation; my periodic compromise audits check for the obvious indicators.

This is the unglamorous shape of defensive contribution: each operator, doing the basic hygiene that prevents their hosts from being added to the attack pool. None of this stops Stacheldraht. The aggregate of many operators doing this consistently does shrink the attack pool slowly. The shrinkage is the only thing that, eventually, makes the attacks structurally harder.
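The egress filtering mentioned above, and the ingress-filtering prediction earlier in the post, both come down to one rule. What follows is example code written for this edit, not the post's own configuration nor anything from the tool or a vendor: a border filter that forwards an outbound packet only if its source lies inside a prefix assigned to the interface it arrived on, and drops an inbound packet on the uplink that claims one of our own prefixes. Interface names, prefixes and packets are all constructed. The sample also shows the caveat a practitioner should keep in mind: a forged source chosen inside the agent's own prefix passes a prefix-granularity filter, so this shrinks the forgery space rather than closing it.

```python
"""Border anti-spoofing filter, simulated.

Added example for this post (not the page's, the tool's, or any vendor's
code). Models the rule the post leans on, in the terms RFC 2267 uses:
an outbound packet is forwarded only if its source lies in a prefix
assigned to the interface it arrived on, and an inbound packet on the
uplink is dropped if it claims a source inside our own prefixes.
Interface names, prefixes and packets are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str


class BorderFilter:
    def __init__(self, inside: Dict[str, List[str]], uplink: str):
        # inside: interface -> prefixes legitimately sourced behind it
        self.inside = {iface: [ip_network(p) for p in prefixes]
                       for iface, prefixes in inside.items()}
        self.uplink = uplink
        self.all_inside = [n for nets in self.inside.values() for n in nets]

    def verdict(self, pkt: Packet) -> str:
        src = ip_address(pkt.src)
        if pkt.iface == self.uplink:
            # Ingress: the outside world may not claim to be us.
            if any(src in n for n in self.all_inside):
                return "drop: inbound packet claims an internal source"
            return "forward"
        prefixes = self.inside.get(pkt.iface)
        if prefixes is None:
            return "drop: unknown interface"
        # Egress: an inside host may only send from its own assigned prefix.
        if any(src in n for n in prefixes):
            return "forward"
        return "drop: source not assigned to this interface"


def summarise(filt: BorderFilter, packets: List[Packet]) -> Dict[str, int]:
    """Count forwarded and dropped packets; every drop reason counts as a drop."""
    counts = Counter(filt.verdict(p).split(":")[0] for p in packets)
    return dict(counts)


# Constructed topology: one LAN (192.0.2.0/24) behind lan0, uplink wan0.
FILTER = BorderFilter({"lan0": ["192.0.2.0/24"]}, uplink="wan0")

# Constructed traffic: an agent at 192.0.2.77 plus some inbound packets.
SAMPLE_FLOOD = [
    Packet("lan0", "192.0.2.77", "198.51.100.9"),   # real source: forwarded
    Packet("lan0", "10.9.8.7", "198.51.100.9"),     # random forged source: dropped
    Packet("lan0", "203.0.113.5", "198.51.100.9"),  # random forged source: dropped
    Packet("lan0", "192.0.2.200", "198.51.100.9"),  # forged but inside our /24: forwarded
    Packet("wan0", "198.51.100.3", "192.0.2.10"),   # ordinary inbound: forwarded
    Packet("wan0", "192.0.2.1", "192.0.2.10"),      # inbound claiming to be us: dropped
]


if __name__ == "__main__":
    for p in SAMPLE_FLOOD:
        print(f"{p.iface} {p.src:>13} -> {p.dst:<13} {FILTER.verdict(p)}")
    print(summarise(FILTER, SAMPLE_FLOOD))
```

The forged-but-in-prefix packet is the gap: the filter can only enforce what it knows about its own interfaces. Even so, a flood that gets through carries a source inside the right network, which is what lets the target attribute it and lets the operator-to-operator part of the response begin.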

Writing this on the 30th of December, with one day left in the year, with the year's trajectory clearly visible. The new year is going to be busy. I will be at the keyboard tomorrow night, watching the rollover, and the day after that I will start writing about the new year's threat landscape.

It will not be quiet.
