
Trends in Denial of Service Attack Technology -or – Oh, please, they aren't smart enough to do that… Presentation to CERT-Polska November 2001 Rob Thomas,


1 Trends in Denial of Service Attack Technology -or – Oh, please, they aren't smart enough to do that… Presentation to CERT-Polska November 2001 Rob Thomas, robt@cymru.com

2 Credit Where Credit is Due! Presentation and paper by Kevin Houle, George Weaver, Neil Long, and Rob Thomas – a global-ish study of a global problem! Portions originally presented by Kevin Houle at NANOG 23, October 2001. Paper located at http://www.cert.org/archive/pdf/DoS_trends.pdf

3 Agenda – Keeping up with Rob Some history. Gift giving for all occasions. Target selection – ready, FIRE, aim. Methods of control. Trends in use and methods. What we are not seeing.

4 BP (Before Pain) - Pre-1999 DoS Tools: Single-source, single target tools IP source address spoofing Packet amplification (e.g., smurf) Deployment: Widespread scanning and exploitation via scripted tools Hand-installed tools and toolkits on compromised hosts (unix) Use: Hand executed on source host

5 The danger grows - 1999 DoS Tools: Multiple-source, single target tools Distributed attack networks (handler/agent) DDoS attacks Deployment: Hand-selected, hard-coded handlers Scripted agent installation (unix) Use: Custom, obfuscated control channels –intruder handlers –handlers agents

6 The bubble bursts - 2000. 02-2000: Infamous DDoS attacks; 04-2000: DNS amplification attacks, mstream DDoS tool; 05-2000: VBS/Loveletter, t0rnkit; 07-2000: Hybris; 08-2000: Trinity IRC-based DDoS tool (unix); 11-2000: Multiple IRC-based DDoS tools (Windows)

7 The fun continues - 2001. 01-2001: Ramen worm; 02-2001: VBS/OnTheFly (Anna Kournikova), erkms worm, 1i0n worm; 04-2001: Adore/Red worm, carko DDoS tool; 05-2001: cheese worm, w0rmkit worm, sadmind/IIS worm; 06-2001: Maniac worm; 07-2001: W32/Sircam, Leaves, Code Red worm, various telnetd worms, various IRC-based DDoS tools (knight, kaiten); 09-2001: Nimda worm

8 Methods of gift giving - The deployment of malware Greater degree of automation –Self-propagating worms Central source propagation Back channel propagation Autonomous propagation

9 Central Source Propagation [Diagram: central-source, attacker, victims, next-victims] 1 - exploit; 2 – copy code; 3 - repeat. Example: 1i0n worm

10 Back Channel Propagation [Diagram: attacker, victims, next-victims] 1 - exploit; 2 – copy code; 3 - repeat. Example: Ramen worm

11 Autonomous Propagation [Diagram: attacker, victims, next-victims] 1 – exploit & copy code; 2 - repeat. Examples: Code Red, Code Red II

12 Targeting Systems: Blind vs. Selective Targeting. Trends Matrix (Degree of: Blind Targeting / Selective Targeting): Automation: Very high / Low high; Vulnerability-specificity: Very high / Low high; Other criteria: Low / Very high

13 Blind Targeting –Social Engineering W32/Sircam Anti-virus software –Specific vulnerabilities sadmind/IIS worm - UNIX/IIS Code Red, Code Red II - IIS Nimda - Windows/IIS Various telnetd worms – UNIX Activity tends to follow vulnerability lifecycles

14 Selective Targeting – Malware Makes House Calls –Windows end-users increasingly targeted: less technically sophisticated; less protected; difficult to contact en masse; slow response to security alerts/events; well-known netblocks; widespread broadband connectivity; increase in home networking; exploit technology base is maturing. CERT® Tech Tip - Home Network Security http://www.cert.org/tech_tips/home_networks.html

15 Selective Targeting – Routers Aren't Unknown Anymore –Routers increasingly targeted: Source for recon/scanning; Proxy to IRC networks; Source for packet flooding attacks; Compromise via weak/default passwords. Routers sometimes reconfigured –public guides are available. Increased threat of routing protocol attacks –discussions at DefCon and Black Hat Briefings

16 Control Infrastructure – The Old Way. Control Infrastructure – The classic DDoS model [Diagram: intruder, handler, agent, victim]

17 Control Infrastructure – The Older Way is the New Way –Increased use of IRC networks and protocols IRC server replaces the handler –common, legit service ports (e.g., 6667/tcp) –commands are buried in legit traffic –no agent listeners; outbound connections only More survivable infrastructure –reduction in address lists maintained –disposable, easy to obtain agents –makes use of public IRC networks –private servers are also used
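As an added example (not part of the original slides): because agents in the IRC model open outbound connections only, one defender-side check is to look in flow records for several internal hosts reaching the same external server on an IRC port. The four-field flow format, the 10.0.0.0/8 site range and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "src dst proto dport" (not real traffic).
SAMPLE_FLOWS = """\
10.1.4.21 198.51.100.7 tcp 6667
10.1.4.35 198.51.100.7 tcp 6667
10.1.9.2 198.51.100.7 tcp 6667
10.1.4.21 203.0.113.80 tcp 80
10.1.7.14 203.0.113.50 tcp 6667
192.0.2.99 10.1.4.21 tcp 6667
10.1.4.21 10.1.0.5 tcp 6667
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site address space
IRC_PORTS = {6667}  # the slide's example port; extend per local policy


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def irc_fan_in(flow_text, min_clients=3):
    """Return {external_server: sorted internal clients} for servers reached
    on an IRC port by at least min_clients distinct internal hosts."""
    clients = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, proto, dport = fields
        if proto != "tcp" or not dport.isdigit() or int(dport) not in IRC_PORTS:
            continue
        # Agents only dial out: internal source, external destination.
        if is_internal(src) and not is_internal(dst):
            clients[dst].add(src)
    return {srv: sorted(c) for srv, c in clients.items() if len(c) >= min_clients}


if __name__ == "__main__":
    for server, hosts in irc_fan_in(SAMPLE_FLOWS).items():
        print(f"{server}: {len(hosts)} internal hosts -> {', '.join(hosts)}")
```

A match is a lead for review rather than a verdict: the slide's point is that this traffic rides a common, legitimate service port, so hits need to be checked against known IRC users on the network.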

18 Why IRC? Agent redirection / update is easier –everyone change to a new channel –everyone change to a new IRC server –everyone download this updated module floating domains used to direct agents –bogus WHOIS data, stolen credit cards –A record modification redirects hard-wired agents

19 Trends in Use – Keep it simple, keep it legit –Less emphasis on forged packet characteristics size and distribution of DDoS makes response difficult –overwhelming number of sources in DDoS attack –sources often cross multiple AS boundaries –high bandwidth consumption is easy; no need for fancy packets increase in attacks using legitimate traffic –mixes with other traffic –harder to filter/limit

20 Trends in Impact – The blast radius grows –Increase in collateral damage backup systems impacted by sharp increases in log volumes financial impact on sites with measured usage circuits multiple sites impacted in shared data centers arp storms impacting locally infected networks –Highly automated deployments are themselves causing denial of service conditions

21 What We Are Not Seeing Changes in fundamental conditions that enable denial of service attacks –Over-consumption of finite resources Processing cycles Memory resources Network bandwidth –Interdependency of security on the Internet The exposure to DoS attack of SiteA depends on the security of SiteB There are huge numbers of SiteBs

22 What We Are Not Seeing (2) Advances in DoS attack payload –Seeing the same common packet stream types –Known attacks work, there is little incentive to improve TCP (SYN|ACK|FIN|RST) flood UDP flood ICMP echo request/reply flood Amplification attacks Source IP address spoofing

23 What We Are Not Seeing (3) Reductions in launch-point availability –Vendors are still producing insecure products –Administrators and users are still deploying and operating systems insecurely –Vulnerability life cycle is still lengthy (2-3 years)

24 What We Are Not Seeing (4) A decrease in pages for Rob. An increase in sleep for Rob. Hey, wait, this describes us ALL!

25 Questions? Feedback is always welcome! Questions are always welcome! Suggestions are always welcome! http://www.cert.org http://www.cymru.com/~robt robt@cymru.com

26 Thank you for your time! Thanks to CERT-Polska for the invitation!

