DoS Suite and Raw Socket Programming Group 16 Thomas Losier Paul Obame Group 16 Thomas Losier Paul Obame

Motivation  “We are not teaching you to be script kiddies in this class” Henry Owen  Give the students a better understanding of:  Raw Socket programming  Coding  Modifying  Understanding  DoS Attacks  Dangers  Defenses  “We are not teaching you to be script kiddies in this class” Henry Owen  Give the students a better understanding of:  Raw Socket programming  Coding  Modifying  Understanding  DoS Attacks  Dangers  Defenses

Raw Socket Programming  “Raw socket is a computer networking term used to describe a socket that allows access to packet headers on incoming and outgoing packets. Raw sockets are usually used at the transport or network layers.” wikipedia.org  The ability to craft packet headers is a powerful tool that allows hackers to do many nefarious things  “Raw socket is a computer networking term used to describe a socket that allows access to packet headers on incoming and outgoing packets. Raw sockets are usually used at the transport or network layers.” wikipedia.org  The ability to craft packet headers is a powerful tool that allows hackers to do many nefarious things

Lab Structure  Expand knowledge on Particular DoS attack and IP protocols  Edit/Develop code based on understanding of previous section and given resources  Compile and Execute attack  Gather data  Analyze and implement defenses  Expand knowledge on Particular DoS attack and IP protocols  Edit/Develop code based on understanding of previous section and given resources  Compile and Execute attack  Gather data  Analyze and implement defenses

IP Headder What we are trying to create: Figure 1: IP Packet Diagram (

Creation of an IP headder void addIP(unsigned char *buf, struct pktInfo *pktInfo, int offset) { struct ip* ip = (struct ip*) (buf + offset); //ip points to some place in the buffer ip->ip_v = 4; //ipv4 ip->ip_hl = 5; //4 * 5 = 20 bytes ip->ip_tos = 0; //didn't specify any special type of service ip->ip_len = htons(pktInfo->pktSize); //total packet size ip->ip_src.s_addr = pktInfo->srcAddr; //4 byte source IP address ip->ip_dst.s_addr = pktInfo->destAddr; //4 byte destinfation IP address ip->ip_id = rand(); //random id ip->ip_off = 0; //mainly used for reassembly of fragmented IP datagrams. ip->ip_ttl = 255; //Time to live is the amount of hops before the packet is discarded ip->ip_p = pktInfo->protocol; //protocol used: TCP, UDP, etc ip->ip_sum = 0; //zero out the checksum field before computing the checksum ip->ip_sum = in_chksum((unsigned short *) ip, IPHEADER); //compute the checksum } void addIP(unsigned char *buf, struct pktInfo *pktInfo, int offset) { struct ip* ip = (struct ip*) (buf + offset); //ip points to some place in the buffer ip->ip_v = 4; //ipv4 ip->ip_hl = 5; //4 * 5 = 20 bytes ip->ip_tos = 0; //didn't specify any special type of service ip->ip_len = htons(pktInfo->pktSize); //total packet size ip->ip_src.s_addr = pktInfo->srcAddr; //4 byte source IP address ip->ip_dst.s_addr = pktInfo->destAddr; //4 byte destinfation IP address ip->ip_id = rand(); //random id ip->ip_off = 0; //mainly used for reassembly of fragmented IP datagrams. ip->ip_ttl = 255; //Time to live is the amount of hops before the packet is discarded ip->ip_p = pktInfo->protocol; //protocol used: TCP, UDP, etc ip->ip_sum = 0; //zero out the checksum field before computing the checksum ip->ip_sum = in_chksum((unsigned short *) ip, IPHEADER); //compute the checksum } using Raw Sockets

Denial of Service (DoS)  The Internet was designed for easy connectivity and scalability  Not designed to support authentication schemes  Attempt to occupy all resources of a system  Two general types of DoS attack  The Internet was designed for easy connectivity and scalability  Not designed to support authentication schemes  Attempt to occupy all resources of a system  Two general types of DoS attack

DoS Suite  First type attack  ICMP Reset attack  Second type attack  TCP syn attack  UPD flood attack  Ping Request (smurf) attack  First type attack  ICMP Reset attack  Second type attack  TCP syn attack  UPD flood attack  Ping Request (smurf) attack

Using the DoS Suite

ICMP Reset Attack  By spoofing a Hard ICMP error message a hacker can kill any running TCP connection  Requires the four-tuple  Determine the four-tuple using a packet sniffer  Guessing the four-tuple  By gathering information of the operating systems being used and the communication method in use. ICMP reset packets can be sent over a range of port addresses killing a connection you can not sniff.  By spoofing a Hard ICMP error message a hacker can kill any running TCP connection  Requires the four-tuple  Determine the four-tuple using a packet sniffer  Guessing the four-tuple  By gathering information of the operating systems being used and the communication method in use. ICMP reset packets can be sent over a range of port addresses killing a connection you can not sniff.

ICMP Reset Attack (Lab)

ICMP Reset Attack

TCP SYN Attack  When a server receives a SYN it stores the connection information in memory and sends back a SYN-ACK  Because the IP Address is spoofed it will never get a response and the information will stay until timeout  If packets are send fast enough they will fill the buffer and no new requests will be able to be processed  When a server receives a SYN it stores the connection information in memory and sends back a SYN-ACK  Because the IP Address is spoofed it will never get a response and the information will stay until timeout  If packets are send fast enough they will fill the buffer and no new requests will be able to be processed

SYN Attack (Lab)

SYN Attack

SYN Attack (Summary)

UDP Flood Attack  The premise of the UDP attack is similar to the SYN however when using UDP the client does not set aside memory for the connection information  If packets are send fast enough they will fill the network card buffer and no new requests will be able to be processed  The premise of the UDP attack is similar to the SYN however when using UDP the client does not set aside memory for the connection information  If packets are send fast enough they will fill the network card buffer and no new requests will be able to be processed

UDP Flood Attack (Lab)

UDP Flood Attack

UDP Attack (Summary)

ICMP Ping (smurf) Attack  DDoS attack  Using a network of machines a lot more information can be sent at once  Send ping requests to a network of machines with a return address of the “victim” machine  If packets are send fast enough they will fill the buffer and no new requests will be able to be processed  DDoS attack  Using a network of machines a lot more information can be sent at once  Send ping requests to a network of machines with a return address of the “victim” machine  If packets are send fast enough they will fill the buffer and no new requests will be able to be processed

ICMP Ping Attack (Lab)

ICMP Ping Attack

ICMP Attack (Summary)

DoS Defenses  SYN Cookies  Configure your firewall (refer to lab4)  IPtables  CiscoPIX  Real Secure  SYN Cookies  Configure your firewall (refer to lab4)  IPtables  CiscoPIX  Real Secure