Denial of Service
Attacks
Dr. John R. Durrett
ISQS 6342
Spring 2003
Dipen Joshi
Outline
• Introduction to Denial of Service attacks
• Modes of DoS attacks
• Stopping Services and Exhausting Resources
• Distributed Denial of Service (DDoS) attacks
• Types of DDoS attacks
• Tools to launch DDoS attacks
• How to fight DDoS attacks
Meaning of DoS Attacks
• In Denial of Service (DoS) attacks, a computer bombards another system with floods of packets.
• The goal of a DoS attack is to prevent legitimate users from accessing the target host or network.
• Hackers sometimes use DoS attacks to provide a cover for other hacking activities.

HOW DOS WORKS
Why DoS attacks
• Motive of frustration
• Personal or political vendettas
• Windows NT/95/98 systems
• "Point and click"
• Requires very little technical skill to run

Examples
An attacker can attempt to:
• "Flood" a network, thereby preventing legitimate network traffic
• Disrupt connections between two machines, thereby preventing access to a service
• Prevent a particular individual from accessing a service
• Disrupt service to a specific system or person
IMPACT of DoS Attacks
• Disable your computer or your network.
• Can effectively disable your organization.
• Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack."

Modes of Attacks
There are three basic types of attack:
1) Consumption of scarce, limited, or non-renewable resources
2) Destruction or alteration of configuration information
3) Physical destruction or alteration of network components
Consumption of Scarce Resources
a) Network Connectivity – The attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.
Consumption of Scarce Resources
b) Using Your Own Resources Against You – In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity of all machines on the same networks as either of the targeted machines may be affected.
Consumption of Scarce Resources
c) Bandwidth Consumption – An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.
Destruction or Alteration of Configuration Information
An improperly configured computer may not perform well or may not operate at all. An intruder may be able to alter or destroy configuration information in a way that prevents you from using your computer or network.
For example, if an intruder can change the routing information in your routers, your network may be disabled. If an intruder is able to modify the registry on a Windows NT machine, certain functions may be unavailable.
Physical Destruction or Alteration of Network Components
The primary concern with this type of attack is physical security. You should guard against unauthorized access to computers, routers, network wiring closets, network backbone segments, power and cooling stations, and any other critical components of your network. Physical security is a prime component in guarding against many types of attacks in addition to denial of service.
Categories of DoS Attacks

             STOPPING SERVICES                   EXHAUSTING RESOURCES
LOCALLY      • Process killing                   • Forking processes to fill the process table
             • System reconfiguring              • Filling up the whole file system
             • Process crashing
REMOTELY     • Malformed packet attacks          • Packet floods (e.g. SYN Flood, Smurf,
               (e.g. Land, Teardrop, etc.)         Distributed Denial of Service)
Stopping Local Service
Process Killing
An attacker with sufficient privileges (such as root on a UNIX system or administrator on a Windows machine) can simply kill local processes in a DoS attack. When the process, such as a Web or DNS server, isn't running, it cannot service users' requests.
Stopping Local Service
System Reconfiguration
An attacker with sufficient privileges can reconfigure a system so that it doesn't offer the service anymore, or so that it filters specific users from the machine.
E.g. on a Windows NT file server, the attacker could reconfigure the machine simply by stopping the sharing of files across the network, preventing legitimate users from remotely accessing their valuable data on the file server.
Stopping Local Service
Process Crashing
• Even if the attackers don't have super-user privileges on a machine, they may be able to crash processes by exploiting vulnerabilities in the system.
• E.g. an attacker could exploit a stack-based buffer overflow by inputting arbitrarily large amounts of random data into a local process. (Because the return address overwritten on the stack by this overflow is random, the target process will simply crash, denying user access.)
Defenses against Locally Stopping Services
• Keep your system patched, applying the relevant security bug fixes, so that the attacker cannot exploit and crash vulnerable local programs.
• Carefully dole out privileges to users on your system. When assigning privileges, follow the Principle of Least Privilege.
• Run integrity-checking programs, such as Tripwire, to make sure that critical system files are not altered.

Locally Exhausting Resources
Filling up the process table
• An attacker could write a program that simply forks another process to run a copy of itself.
• This recursive program would run, forking off another process to run the same program again.
• Using this program, the attacker could create processes as fast as the system could fork them for the user.
• Eventually, the process table on the machine could become filled, preventing other users from running processes and denying them access.
Locally Exhausting Resources
Filling up the file system
• Continuously writing an enormous amount of data to the file system
• The attacker could fill up every available byte on the disk partition, preventing other users from being able to write files and potentially just crashing the system altogether.
Locally Exhausting Resources
Sending outbound traffic that fills up the communications link
• Write a program that sends bogus network traffic from the target system, consuming the processor and link bandwidth.
• If the attacker's program generates enough packets, legitimate users will not be able to send traffic to or from the system.
Defenses against Locally Exhausting Resources
• When assigning privileges, follow the Principle of Least Privilege.
• Make sure that the sensitive systems have adequate resources, including memory, processor speed, and communication link bandwidth.
• Consider deploying host-based Intrusion Detection Systems or other system monitoring tools that can warn you when your system resources are getting low.

Remotely Stopping Services
Remote DoS attacks are more prevalent.
• They do not require the attacker to have a local account on the machine.
• They can be launched from the attacker's own system.
• The most common method is the malformed packet attack.
– Such attacks exploit an error in the TCP/IP stack of the target machine by sending one or more unusually formatted packets to the target.
– The result may be to crash a specific process, shut down all network communication, or cause the operating system to halt.
Remotely Stopping Services
Malformed packet attacks – exploits:
– Land
– Latierra
– Ping of Death
– Jolt2
– Teardrop, Newtear, Bonk, Syndrop
– Winnuke
Exploits: Land
The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.
• Affected: Windows systems, various UNIX types, routers, printers, etc.

Exploits: Ping of Death
The program sends an oversized ping packet. Older TCP/IP stacks cannot properly handle a ping packet greater than 64 kilobytes and crash when one arrives.
• Affected: Windows, many UNIX variants, printers, etc.

Exploits: Teardrop
Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set to incorrect values, so that the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping fragments.
• Affected: Windows 95, 98, NT and Linux machines.

Remotely Exhausting Resources
• Most popular technique.
• Remotely tying up all of the resources of the target, particularly the bandwidth of the communications links.
• Uses a flood of packets.
• SYN flood, Smurf attacks, DDoS attacks

SYN Flood
• The attacker's goal is to overwhelm the destination machine with SYN packets.
• Exploits the TCP three-way handshake.
• Sends many SYN packets to the victim.
• When the target receives more SYN packets than it can handle, other legitimate traffic will not be able to reach the victim.
• Two methods

TCP Three-Way Handshake
Client connecting to a TCP port:

  Client                                  Server
    |--- SYN ----------------------------->|   client initiates request; wishes to establish a connection
    |<-- SYN-ACK --------------------------|   server agrees to the connection request; connection is now half-open
    |--- ACK ----------------------------->|   client finishes the handshake
  client connection established          server connection established
SYN Flood
Client SYN flood (client spoofs requests):

  Attacker                                    Victim
    |--- SYN (spoofed source) -------------->|   half-open
    |--- SYN (spoofed source) -------------->|   half-open
    |--- SYN (spoofed source) -------------->|   half-open
    |--- SYN (spoofed source) -------------->|   queue filled
    |--- SYN (spoofed source) -------------->|   queue filled
    |--- SYN (spoofed source) -------------->|   queue filled
    |<-- SYN-ACK (sent to the spoofed address, never answered)
SYN flood – 1st method
• Fill the connection queue with half-open connections while the target machine waits for the third part of the handshake.
• Send more SYN packets.
• The target machine will allocate a small amount of resources to remember each SYN packet as it is received.
– Filling up the queue with SYN packets will not allow other incoming traffic.
• The spoofed source addresses used are ones that are unresponsive on the Internet, so nothing answers the SYN-ACK and the half-open entries are never cleared.
SYN flood – 2nd method
• The attacker must have a communication link bigger than the target machine's communication link.
• The attacker must have more bandwidth than the victim machine and the ability to generate packets to fill that bandwidth.
• The SYN flood will just squeeze out other traffic.
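The half-open queue mechanism behind the first SYN-flood method, as an added simulation (not code from the original slides, and not any real TCP/IP stack's implementation): a listener keeps a bounded table of half-open entries, each reserved when a SYN arrives and released either by the client's ACK or by a timeout. The flood comes from spoofed, unresponsive source addresses, so no ACK ever arrives; the queue capacity, timeout values and addresses are illustrative assumptions. The scenario shows a legitimate client being refused while the queue is clogged and accepted again once the stale entries have been reaped.

```python
"""Simulation of a TCP listen backlog under a SYN flood (added example).

Capacity and timeout values are illustrative assumptions, not figures from
any real operating system.
"""
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    """Half-open connection table of one listening port, driven by a simulated clock."""
    capacity: int          # maximum half-open entries the listener keeps
    timeout: float         # seconds a half-open entry survives without its ACK
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry time
    refused: int = 0       # SYNs dropped because the queue was full
    established: int = 0   # handshakes completed by a returning ACK

    def reap(self, now: float) -> int:
        """Drop entries whose SYN-ACK was never answered; returns how many were dropped."""
        expired = [k for k, exp in self.half_open.items() if exp <= now]
        for k in expired:
            del self.half_open[k]
        return len(expired)

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """SYN received: reserve a queue slot (the SYN-ACK is implied)."""
        self.reap(now)
        if len(self.half_open) >= self.capacity:
            self.refused += 1
            return False
        self.half_open[(src_ip, src_port)] = now + self.timeout
        return True

    def on_ack(self, src_ip: str, src_port: int, now: float) -> bool:
        """Third handshake packet: only a real, reachable client ever sends it."""
        self.reap(now)
        if self.half_open.pop((src_ip, src_port), None) is None:
            return False
        self.established += 1
        return True


def run_scenario(capacity: int, timeout: float, flood_size: int) -> dict:
    """Flood from spoofed, unresponsive sources, then one legitimate client.

    Reports what happened to the legitimate client at t=1 (during the flood)
    and at t=timeout+1 (after the reaper has cleared the stale entries).
    """
    backlog = SynBacklog(capacity=capacity, timeout=timeout)
    # Constructed flood: source addresses nobody answers from, so no ACK or
    # RST ever arrives to free the slot; each entry lives until it times out.
    for i in range(flood_size):
        backlog.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, now=0.0)
    flood_refused = backlog.refused

    legit = ("192.0.2.10", 40000)               # constructed legitimate client
    during = backlog.on_syn(*legit, now=1.0)    # queue still full during the flood
    if during:
        backlog.on_ack(*legit, now=1.1)
    after = backlog.on_syn(*legit, now=timeout + 1.0)   # stale entries reaped by now
    if after:
        backlog.on_ack(*legit, now=timeout + 1.1)

    return {
        "flood_syns_refused": flood_refused,
        "legit_accepted_during_flood": during,
        "legit_accepted_after_timeout": after,
        "established": backlog.established,
        "half_open_now": len(backlog.half_open),
    }


if __name__ == "__main__":
    # A long half-open timeout keeps the queue clogged; a shorter one recovers sooner.
    for t in (75.0, 3.0):
        print(f"timeout={t:>5}s", run_scenario(capacity=128, timeout=t, flood_size=200))
```

The two timeouts in the usage block illustrate why "install patches to guard against TCP SYN flooding" matters: the only levers the simulated victim has are queue capacity and how quickly unanswered entries are discarded.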

Smurf Attacks
• In the "smurf" attack, attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks.
• There are three parties in these attacks:
– the attacker,
– the intermediary,
– the victim (note that the intermediary can also be a victim).
Smurf Attacks
• The intermediary receives an ICMP echo request packet directed to the IP broadcast address of its network.
• If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back.
• When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.

Smurf Attacks
• The attackers do not use the IP address of their own machine as the source address. They create forged packets that contain the spoofed source address of the attacker's intended victim.
• The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine.
• The victim is subjected to network congestion that could potentially make the network unusable.

Smurf Attacks
• Attackers send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim.
• Attackers look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can then subsequently be used as intermediaries in attacks.
• The Fraggle attack is a similar attack to the Smurf except that it uses UDP echo packets instead of ICMP echoes.

Smurf Attack (diagram)

  Attacker spoofs address:
    ICMP Echo Request   Src: target   Dest: 10.255.255.255 (broadcast)
            |
            v
  Amplifier: every host replies
    10.1.1.1   10.1.1.2   10.1.1.3   10.1.1.4
        \         |          |         /
         +----- ICMP Echo Replies ----> target
HOW TO DETERMINE IF YOUR NETWORK IS VULNERABLE
• http://www.powertech.no/smurf/ is a site which will scan your network and allow you to enter a known smurf amplifier site.
• http://www.netscan.org/ is a site which actively scans the IPv4 address space and mails network contacts with information on how to stop their networks acting as amplifiers.
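The header checks that a border filter can apply against the malformed-packet exploits (Land, Teardrop) and against the Smurf pattern above, as an added example that is not from the original slides or from any router vendor's filtering code. It assumes a small set of internal subnets (10.1.1.0/24 and 10.1.2.0/24, constructed), an "outside" and an "inside" interface, and a simple packet record; the Smurf check drops echo requests aimed at one of our own broadcast addresses so our hosts never become an intermediary, and the anti-spoofing rules refuse packets whose source address does not fit the interface they arrived on.

```python
"""Border-filter checks for Land, directed-broadcast echo (Smurf amplifier)
and spoofed sources, plus a Teardrop fragment-overlap test (added example).

Interface names, address ranges and sample packets are constructed for the
illustration, not taken from any deployed filter.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the subnets behind this filter.
INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    ingress_if: str            # "outside" (Internet-facing) or "inside"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


def is_directed_broadcast(addr: str) -> bool:
    """True if addr is the broadcast address of one of our internal subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(pkt: Packet) -> List[str]:
    """Return the names of the rules the packet violates; an empty list means pass."""
    findings = []
    # Land: TCP packet whose source and destination address and port are identical.
    if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
        findings.append("land")
    # Smurf amplifier prevention: echo request aimed at one of our broadcast addresses.
    if (pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST
            and is_directed_broadcast(pkt.dst)):
        findings.append("directed-broadcast-echo")
    # Anti-spoofing: a packet from the Internet must not claim an inside source,
    # and a packet leaving our network must not claim an outside source.
    if pkt.ingress_if == "outside" and is_internal(pkt.src):
        findings.append("spoofed-internal-source")
    if pkt.ingress_if == "inside" and not is_internal(pkt.src):
        findings.append("spoofed-external-source")
    return findings


def fragments_overlap(frags: List[Tuple[int, int]]) -> bool:
    """Teardrop check on (offset_bytes, payload_len) pairs of one datagram.

    A well-formed series tiles the datagram without overlap; a fragment that
    starts before the previous one ends is the overlapping-fragment pattern.
    """
    end = 0
    for offset, length in sorted(frags):
        if offset < end:
            return True
        end = offset + length
    return False


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("10.1.1.5", "10.1.1.5", "tcp", "outside", 139, 139),
        Packet("192.0.2.7", "10.1.1.255", "icmp", "outside", icmp_type=ICMP_ECHO_REQUEST),
        Packet("203.0.113.9", "10.1.1.20", "tcp", "outside", 51000, 80),
    ]
    for p in samples:
        print(p.src, "->", p.dst, classify(p) or "pass")
    print("teardrop fragments:", fragments_overlap([(0, 1480), (1480, 1480), (2000, 600)]))
```

The Land packet trips two rules at once, which is the usual case in practice: a packet forged to carry the target's own address also fails the basic "inside address arriving from outside" ingress check, so plain anti-spoofing filters catch much of this class without a signature per exploit.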

Distributed Denial of Service attacks (DDoS)
• In the summer of 1999, a new breed of attack was developed, called the Distributed Denial of Service (DDoS) attack.
• A Distributed Denial of Service attack uses multiple machines operating in concert to attack a network or site.
• The nature of these attacks causes so much extra network traffic that it is difficult for legitimate traffic to reach your site while the forged attacking packets are being blocked.

DDoS
• February 2000: DDoS attack launched against Yahoo, Amazon, E*Trade, eBay, Buy.com, and others.
• Estimated losses were "several millions".

DDoS
• In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts.
• Harnesses the distributed nature of the Internet.
• It requires a large number of victim machines (zombies).
• The process of compromising a host and installing the tool is automated. The process can be divided into the following steps:
HOW DDoS WORKS
1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability.
2. Compromise the vulnerable hosts to gain access.
3. Install the tool on each host.
4. Use the compromised hosts for further scanning and compromises.
HOW DDoS WORKS
• Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.
• Enlisting numerous computers in a DDoS assault makes it both more devastating and harder to stop due to its distributed nature. It also makes tracing the original source of the attack virtually impossible.

HOW DDoS WORKS
• To launch a successful DDoS assault, an attacker needs to create a force of agents – often referred to as "zombie" computers.
• Once the zombie forces have been established, the attacker needs only to select a web site to attack. The attack itself can be initiated from a single computer, a central "command console" which can activate zombies located anywhere in the world.

Tools to launch DDoS attacks
1) Trinoo
2) TFN
3) TFN2K
4) Stacheldraht
Trinoo
• A distributed tool used to launch coordinated DoS attacks from many sources.
• A Trinoo network consists of a small number of servers (masters) and a large number of clients (daemons).
• An attacker connecting to a Trinoo master and instructing that master to launch a DoS attack against one or more IP addresses carries out a DoS attack utilizing a Trinoo network.

Trinoo
• The Trinoo master then communicates with the daemons, giving instructions to attack one or more IP addresses for a specified period of time. Requires a UNIX-based operating system.

TFN – Tribe Flood Network & TFN2K
• The next generation of attack tools after Trinoo – can initiate several DDoS attacks, including ICMP, TCP SYN, UDP and a variation of Smurf.
• TFN2K improves on TFN by adding decoy packets and other measures to make it difficult to identify and filter TFN2K traffic. The master can also fake its source address to avoid detection. TFN2K is a version of Tribal Flood that was ported to the Microsoft® Windows® operating system.

Stacheldraht
• German for "barbed wire" – difficult to detect and block: Stacheldraht commands use passwords and are sent over an encrypted communications medium.
• Like TFN, Stacheldraht can perform several different kinds of DoS attacks, including PING floods and spoofed-source attacks.

Sub7
• A powerful DDoS and remote-admin kit. Detected by most anti-virus software. Able to generate large PING packets. Able to command armies of Sub7 zombies via an IRC (Internet Relay Chat) control mechanism. Sub7 is currently native to the Windows OS.

HOW TO FIGHT DDOS ATTACKS
• Zombie Zapper tool
• Implement router filters
• Install patches to guard against TCP SYN flooding
• Disable any unused or unneeded network services
• Observe your system performance and establish baselines for ordinary activity
• Routinely examine your physical security with respect to your current needs
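The "establish baselines for ordinary activity" advice here, and the earlier "monitoring tools that can warn you when your system resources are getting low" defense against locally exhausting resources, as an added example (not from the original slides): a monitor learns mean and standard deviation for each metric from a quiet training window, then flags readings far above the baseline (half-open connections, process count, inbound ICMP rate) and readings below an absolute floor (free disk). The log format, metric names, training data and thresholds are constructed assumptions.

```python
"""Baseline-and-deviation monitor over constructed per-minute metrics (added example).

Log format, metric names, sample values and thresholds are assumptions
chosen for the illustration, not output of any real monitoring tool.
"""
import statistics
from typing import Dict, List, Tuple

# Constructed training window: one record per minute, key=value fields.
# syn_recv = half-open TCP connections, procs = process-table entries,
# disk_free_pct = free space on the data partition, icmp_in_pps = inbound ICMP rate.
TRAINING_LOG = [
    f"2003-04-01T09:{m:02d} syn_recv={s} procs={p} disk_free_pct=71 icmp_in_pps={i}"
    for m, s, p, i in [
        (0, 10, 180, 5), (1, 12, 182, 6), (2, 9, 179, 4), (3, 11, 185, 5), (4, 13, 181, 7),
        (5, 10, 183, 5), (6, 12, 180, 6), (7, 11, 184, 4), (8, 10, 182, 5), (9, 12, 181, 6),
    ]
]
# Constructed live records, each illustrating one resource-exhaustion pattern.
LIVE_LOG = [
    "2003-04-01T10:00 syn_recv=11 procs=183 disk_free_pct=70 icmp_in_pps=5",
    "2003-04-01T10:01 syn_recv=950 procs=184 disk_free_pct=70 icmp_in_pps=6",   # half-open queue filling
    "2003-04-01T10:02 syn_recv=12 procs=3900 disk_free_pct=70 icmp_in_pps=5",   # process table filling
    "2003-04-01T10:03 syn_recv=10 procs=182 disk_free_pct=3 icmp_in_pps=4200",  # disk nearly full + echo flood
]

LOW_RESOURCE_FLOORS = {"disk_free_pct": 10}   # absolute floors (assumed values)
SIGMA = 4.0   # standard deviations above the baseline mean that count as anomalous


def parse_line(line: str) -> Tuple[str, Dict[str, float]]:
    ts, *fields = line.split()
    return ts, {k: float(v) for k, v in (f.split("=", 1) for f in fields)}


def build_baseline(lines: List[str]) -> Dict[str, Tuple[float, float]]:
    """Mean and population standard deviation of every metric in the training window."""
    columns: Dict[str, List[float]] = {}
    for line in lines:
        for k, v in parse_line(line)[1].items():
            columns.setdefault(k, []).append(v)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in columns.items()}


def check(lines: List[str], baseline: Dict[str, Tuple[float, float]]) -> List[Tuple[str, str, float]]:
    """Return (timestamp, metric, value) for each reading that breaks the baseline.

    A metric fires when it exceeds mean + SIGMA * stdev (the stdev is floored
    at 1.0 so a perfectly flat baseline does not fire on a one-unit change),
    or when a low-resource metric drops under its absolute floor.
    """
    alerts = []
    for line in lines:
        ts, metrics = parse_line(line)
        for k, v in metrics.items():
            if k in LOW_RESOURCE_FLOORS:
                if v < LOW_RESOURCE_FLOORS[k]:
                    alerts.append((ts, k, v))
                continue
            mean, stdev = baseline.get(k, (v, 0.0))
            if v > mean + SIGMA * max(stdev, 1.0):
                alerts.append((ts, k, v))
    return alerts


if __name__ == "__main__":
    base = build_baseline(TRAINING_LOG)
    for ts, metric, value in check(LIVE_LOG, base):
        print("ALERT", ts, metric, value)
```

Baselines taken during an attack would learn the flood as normal, so the training window must come from a period known to be quiet; that is why the slides pair this control with routine observation rather than a one-off measurement.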

HOW TO FIGHT DDOS ATTACKS
• Invest in and maintain "hot spares"
– machines that can be placed into service quickly in the event that a similar machine is disabled
• Invest in redundant and fault-tolerant network configurations
• Establish and maintain regular backup schedules and policies
• Establish and maintain appropriate password policies

References
• Counter Hack – Ed Skoudis
• http://www.cert.org/tech_tips/denial_of_service.htm
• http://www.captusnetworks.com/_art/pdf/TLIDSWhitePaper.pdf
• http://www.riverhead.com/library/ddos.html
• http://www.usenix.org/events/sec01/invitedtalks/oliver.pdf
• http://www.cert.org/advisories/CA-1998-01.html
• http://www.trinitysecurity.com/reference/DDOS-Protecting-CriticalSystems.pdf

THANK YOU