Denial of Service Attacks Dr. John R. Durrett ISQS 6342 Spring 2003 Dipen Joshi.


Outline
- Introduction to Denial of Service attacks
- Modes of DoS attacks
- Stopping Services and Exhausting Resources
- Distributed Denial of Service (DDoS) attacks
- Types of DDoS attacks
- Tools to launch DDoS attacks
- How to fight DDoS attacks

Meaning of DoS Attacks
- In Denial of Service (DoS) attacks, a computer bombards another system with floods of packets.
- The goal of a DoS attack is to prevent legitimate users from accessing the target host or network.
- Hackers sometimes use DoS attacks to provide a cover for other hacking activities.

HOW DOS WORKS

Why DoS attacks
- Motive of frustration
- Personal or political vendettas
- Windows NT/95/98 systems
- “Point and click”
- Requires very little technical skill to run

Examples
An attacker can attempt to:
- “Flood” a network, thereby preventing legitimate network traffic
- Disrupt connections between two machines, thereby preventing access to a service
- Prevent a particular individual from accessing a service
- Disrupt service to a specific system or person

IMPACT of DoS Attacks
- Disable your computer or your network.
- Can effectively disable your organization.
- Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack."

Modes of Attacks
There are three basic types of attack:
1) Consumption of scarce, limited, or non-renewable resources
2) Destruction or alteration of configuration information
3) Physical destruction or alteration of network components

Consumption of Scarce Resources
a) Network Connectivity – The attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.

Consumption of Scarce Resources
b) Using Your Own Resources Against You – In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.

Consumption of Scarce Resources
c) Bandwidth Consumption – An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.

Destruction or Alteration of Configuration Information An improperly configured computer may not perform well or may not operate at all. An intruder may be able to alter or destroy configuration information that prevents you from using your computer or network. For example, if an intruder can change the routing information in your routers, your network may be disabled. If an intruder is able to modify the registry on a Windows NT machine, certain functions may be unavailable.

Physical Destruction or Alteration of Network Components The primary concern with this type of attack is physical security. You should guard against unauthorized access to computers, routers, network wiring closets, network backbone segments, power and cooling stations, and any other critical components of your network. Physical security is a prime component in guarding against many types of attacks in addition to denial of service.

Categories of DoS Attacks

            STOPPING SERVICES                                  EXHAUSTING RESOURCES
LOCALLY     Process killing, system reconfiguring,             Forking processes to fill the process table,
            process crashing                                   filling up the whole file system
REMOTELY    Malformed packet attacks (e.g. Land, Teardrop)     Packet floods (e.g. SYN Flood, Smurf, Distributed Denial of Service)

Stopping Local Service: Process Killing
An attacker with sufficient privileges (such as root on a UNIX system or administrator on a Windows machine) can simply kill local processes in a DoS attack. When the process, such as a Web or DNS server, isn’t running, it cannot service users’ requests.

Stopping Local Service: System Reconfiguration
An attacker with sufficient privileges can reconfigure a system so that it doesn’t offer the service anymore, or so that it filters specific users from the machine. E.g. On a Windows NT file server, the attacker could reconfigure the machine simply by stopping the sharing of files across the network, preventing legitimate users from remotely accessing their valuable data on the file server.

Stopping Local Service: Process Crashing
- Even if the attackers don’t have super-user privileges on a machine, they may be able to crash processes by exploiting vulnerabilities in the system.
- E.g. An attacker could exploit a stack-based buffer overflow by inputting arbitrarily large amounts of random data into a local process. (Because the return pointer pushed on the stack during this overflow attack is random, the target process will simply crash, denying user access.)

Defenses against Locally Stopping Services
- Keep your system patched, applying the relevant security bug fixes, so that the attacker cannot exploit and crash vulnerable local programs.
- Carefully dole out privileges to users on your system. When assigning privileges, follow the Principle of Least Privilege.
- Run integrity-checking programs, such as Tripwire, to make sure that critical system files are not altered.

Locally Exhausting Resources: Filling up the process table
- An attacker could write a program that simply forks another process to run a copy of itself.
- This recursive program would run, forking off another process to run the same program again.
- Using this program, the attacker could create processes as fast as the system could fork them for the user.
- Eventually, the process table on the machine could become filled, preventing other users from running processes and denying them access.

Locally Exhausting Resources: Filling up the file system
- Continuously writing an enormous amount of data to the file system.
- The attacker could fill up every available byte on the disk partition, preventing other users from being able to write files and potentially crashing the system altogether.

Locally Exhausting Resources: Sending outbound traffic that fills up the communications link
- Write a program that sends bogus network traffic from the target system, consuming the processor and link bandwidth.
- If the attacker’s program generates enough packets, legitimate users will not be able to send traffic to or from the system.

Defenses against Locally Exhausting Resources
- When assigning privileges, follow the Principle of Least Privilege.
- Make sure that sensitive systems have adequate resources, including memory, processor speed, and communication link bandwidth.
- Consider deploying host-based Intrusion Detection Systems or other system monitoring tools that can warn you when your system resources are getting low.

Remotely Stopping Services
- Remote DoS attacks are more prevalent.
- They do not require the attacker to have a local account on the machine.
- They can be launched from the attacker’s own system.
- The most common method is the malformed packet attack.
  – Such attacks exploit an error in the TCP/IP stack of the target machine by sending one or more unusually formatted packets to the target.
  – This can crash the target machine, possibly shutting down a specific process or all network communication, or causing the operating system to halt.

Remotely Stopping Services: Malformed packet attacks
Exploits:
- Land
- Latierra
- Ping of Death
- Jolt2
- Teardrop, Newtear, Bonk, Syndrop
- Winnuke

Exploits: Land
- The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.
- Affected: Windows systems, various UNIX types, routers, printers, etc.

Exploits: Ping of Death
- The program sends an oversized ping packet. Older TCP/IP stacks cannot properly handle a ping packet greater than 64 kilobytes and crash when one arrives.
- Affected: Windows, many UNIX variants, printers, etc.

Exploits: Teardrop
- Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set to incorrect values, so that the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping fragments.
- Affected: Windows 95, 98, NT and Linux machines.
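The three exploits above each leave a recognisable signature in the IP and TCP headers, which is what a packet filter or IDS checks for. The following is an added example, not code from the original slides: it parses constructed IPv4 packets and flags the Land, Ping of Death and Teardrop conditions; the addresses, fragment sizes and helper names are made up for illustration.

```python
import socket
import struct
from collections import defaultdict

IPV4_MAX_DATAGRAM = 65535       # the IPv4 total-length field is 16 bits
PROTO_ICMP, PROTO_TCP = 1, 6

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the IPv4 header fields (RFC 791 layout) that the three checks need."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "proto": proto, "id": ident, "ihl": ihl,
        "mf": bool(flags_frag & 0x2000),         # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,     # fragment offset, converted to bytes
        "payload": pkt[ihl:total_len],
    }

def is_land(hdr: dict) -> bool:
    """Land: a TCP segment whose source and destination address AND port are identical."""
    if hdr["proto"] != PROTO_TCP or len(hdr["payload"]) < 4:
        return False
    sport, dport = struct.unpack("!HH", hdr["payload"][:4])
    return hdr["src"] == hdr["dst"] and sport == dport

def is_ping_of_death(hdr: dict) -> bool:
    """Ping of Death: an ICMP fragment that would push the reassembled datagram past 65535 bytes."""
    reassembled = hdr["ihl"] + hdr["offset"] + len(hdr["payload"])
    return hdr["proto"] == PROTO_ICMP and reassembled > IPV4_MAX_DATAGRAM

def find_overlapping_fragments(hdrs: list) -> list:
    """Teardrop: return the (src, dst, id, proto) keys of datagrams whose fragments overlap."""
    groups = defaultdict(list)
    for h in hdrs:
        if h["mf"] or h["offset"]:              # only fragments take part in reassembly
            groups[(h["src"], h["dst"], h["id"], h["proto"])].append(h)
    overlapping = []
    for key, frags in groups.items():
        end = 0                                 # end of the byte range covered so far
        for h in sorted(frags, key=lambda f: f["offset"]):
            if h["offset"] < end:               # this fragment starts inside an earlier one
                overlapping.append(key)
                break
            end = max(end, h["offset"] + len(h["payload"]))
    return overlapping

def analyze(packets: list) -> dict:
    """Run all three checks; the indices refer to positions in `packets`."""
    hdrs = [parse_ipv4(p) for p in packets]
    return {
        "land": [i for i, h in enumerate(hdrs) if is_land(h)],
        "ping_of_death": [i for i, h in enumerate(hdrs) if is_ping_of_death(h)],
        "teardrop": find_overlapping_fragments(hdrs),
    }

def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0) -> bytes:
    """Constructed test data: a minimal IPv4 header (checksum left zero) in front of payload."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed 20-byte TCP header with SYN set, source and destination port both 80
TCP_SYN_80 = struct.pack("!HHIIBBHHH", 80, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)

SAMPLE = [  # constructed packets; documentation-range addresses
    build_ipv4("192.0.2.10", "192.0.2.10", PROTO_TCP, TCP_SYN_80),                 # Land
    build_ipv4("198.51.100.5", "192.0.2.10", PROTO_TCP, TCP_SYN_80),               # ordinary SYN
    build_ipv4("198.51.100.5", "192.0.2.10", PROTO_ICMP, b"\x00" * 16,
               ident=7, offset=65528),                                             # last fragment of a > 64 KB ping
    build_ipv4("198.51.100.5", "192.0.2.10", 17, b"A" * 36, ident=9, mf=True),     # fragment covering bytes 0..35
    build_ipv4("198.51.100.5", "192.0.2.10", 17, b"B" * 4, ident=9, offset=24),    # next fragment starts at byte 24
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```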

Remotely Exhausting Resources
- Most popular technique.
- Remotely tying up all of the resources of the target, particularly the bandwidth of the communications links.
- Uses a flood of packets.
- SYN flood, Smurf attacks, DDoS attacks

SYN Flood
- The attacker’s goal is to overwhelm the destination machine with SYN packets.
- Exploits the TCP three-way handshake.
- Sends many SYN packets to the victim.
- When the target receives more SYN packets than it can handle, other legitimate traffic will not be able to reach the victim.
- Two methods

TCP Three-Way Handshake (client connecting to a TCP port)
1. SYN – Client wishes to establish a connection (client initiates request).
2. SYN-ACK – Server agrees to the connection request; the connection is now half-open.
3. ACK – Client finishes the handshake; client connection established, server connection established.

SYN Flood (diagram): the client spoofs requests; each SYN (S) leaves a half-open entry, the server answers with a SYN-ACK (SA) that is never acknowledged, and the queue fills.

SYN flood – 1st method
- Fill the connection queue with half-open connections while the target machine waits for the third part of the handshake.
- Send more SYN packets.
- The target machine will allocate a small amount of resources to remember each SYN packet as it is transmitted.
  – Filling up the queue with SYN packets will not allow other incoming traffic.
- Best to use spoofed IP addresses that are unresponsive on the Internet.

SYN flood – 2nd method
- The attacker must have a communication link bigger than the target machine’s communication link.
- The attacker must have more bandwidth than the victim machine and the ability to generate packets to fill that bandwidth.
- The SYN flood will just squeeze out other traffic.
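The half-open queue described under "Network Connectivity" and in the first SYN-flood method can be modelled directly, which makes the effect of queue size and half-open timeout visible. This is an added example, not part of the original slides: it replays constructed SYN/ACK events against a backlog of fixed capacity, and the capacity, timeout and addresses are assumed values (the second, bandwidth-based method is not modelled).

```python
from dataclasses import dataclass, field

@dataclass
class Backlog:
    """The per-listener table of half-open connections a TCP stack keeps between SYN and ACK."""
    capacity: int            # number of half-open entries the stack will hold (assumed value)
    timeout: float           # seconds an entry waits for the final ACK before being dropped
    pending: dict = field(default_factory=dict)   # (src, sport) -> time the SYN arrived
    established: int = 0
    refused: int = 0

    def _expire(self, now):
        """Drop entries whose ACK never came, e.g. SYNs from spoofed, unresponsive sources."""
        for key in [k for k, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[key]

    def syn(self, now, src, sport):
        """Handshake step 1: reserve a queue slot, or refuse the SYN when the queue is full."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[(src, sport)] = now       # server has sent SYN-ACK and now waits
        return True

    def ack(self, now, src, sport):
        """Handshake step 3: only a client that really sent the SYN can answer the SYN-ACK."""
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True

def run(events, capacity=5, timeout=3.0):
    """Replay (time, 'SYN'|'ACK', src, sport) events in time order and return the backlog."""
    backlog = Backlog(capacity, timeout)
    for now, kind, src, sport in sorted(events):
        (backlog.syn if kind == "SYN" else backlog.ack)(now, src, sport)
    return backlog

# Constructed scenario: five SYNs from spoofed, unresponsive addresses at t=0 fill a
# five-slot queue; a legitimate client at t=1 is refused even though it would complete
# the handshake.  Once the half-open timeout has passed, the same client gets in.
FLOOD = [(0.0, "SYN", f"203.0.113.{i}", 40000 + i) for i in range(5)]
LEGIT = [(1.0, "SYN", "198.51.100.7", 51000), (1.1, "ACK", "198.51.100.7", 51000)]
LATE = [(4.0, "SYN", "198.51.100.7", 51000), (4.1, "ACK", "198.51.100.7", 51000)]

if __name__ == "__main__":
    for name, events in (("during flood", FLOOD + LEGIT), ("after timeout", FLOOD + LATE)):
        b = run(events)
        print(f"{name}: established={b.established} refused={b.refused} half-open={len(b.pending)}")
```

A larger queue or a shorter half-open timeout both raise the number of spoofed SYNs needed to keep the queue full, which is what the "install patches to guard against TCP SYN flooding" advice later in the deck buys you.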

Smurf Attacks
- In the "smurf" attack, attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks.
- There are three parties in these attacks:
  – the attacker,
  – the intermediary,
  – the victim (note that the intermediary can also be a victim).

Smurf Attacks
- The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network.
- If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back.
- When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.

Smurf Attacks
- The attackers do not use the IP address of their own machine as the source address. They create forged packets that contain the spoofed source address of the attacker's intended victim.
- The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine.
- The victim is subjected to network congestion that could potentially make the network unusable.

Smurf Attacks
- Attackers send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim.
- Attackers look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can then subsequently be used as intermediaries in attacks.
- The Fraggle attack is similar to the Smurf attack except that it uses UDP echo packets instead of ICMP echos.
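The filtering that keeps a network from serving as an intermediary can be stated as a small ingress rule set. This is an added example, not code from the original slides: it drops ICMP echo requests and UDP echo-service packets addressed to the directed-broadcast address of a local subnet (the smurf and Fraggle triggers) and, as an assumed additional router filter, packets arriving from outside that carry one of the local network's own source addresses; the subnets and packets are constructed.

```python
import ipaddress

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REQUEST = 8
UDP_ECHO_PORT = 7

def broadcast_addresses(local_nets):
    """Directed-broadcast address of every interface subnet, plus the limited broadcast."""
    addrs = {ipaddress.ip_address("255.255.255.255")}
    for net in local_nets:
        addrs.add(ipaddress.ip_network(net, strict=False).broadcast_address)
    return addrs

def is_amplifiable_echo(pkt, bcast):
    """True if answering this packet would make every host on the subnet reply to its (spoofed) source."""
    if ipaddress.ip_address(pkt["dst"]) not in bcast:
        return False
    if pkt["proto"] == PROTO_ICMP and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
        return True                                   # smurf trigger
    if pkt["proto"] == PROTO_UDP and pkt.get("dport") == UDP_ECHO_PORT:
        return True                                   # Fraggle trigger
    return False

def is_spoofed_ingress(pkt, local_nets):
    """Assumed anti-spoofing rule: traffic from outside never carries one of our own source addresses."""
    src = ipaddress.ip_address(pkt["src"])
    return any(src in ipaddress.ip_network(net, strict=False) for net in local_nets)

def filter_ingress(packets, local_nets):
    """Return the packets a correctly configured border router would still forward inward."""
    bcast = broadcast_addresses(local_nets)
    return [p for p in packets
            if not is_amplifiable_echo(p, bcast) and not is_spoofed_ingress(p, local_nets)]

LOCAL_NETS = ["192.0.2.0/24", "198.51.100.128/25"]          # constructed interface subnets
SAMPLE = [  # constructed packets as seen on the outside interface
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": PROTO_ICMP, "icmp_type": 8},   # smurf: echo request to broadcast
    {"src": "203.0.113.9", "dst": "198.51.100.255", "proto": PROTO_UDP, "dport": 7},     # Fraggle: UDP echo to broadcast
    {"src": "192.0.2.44", "dst": "192.0.2.10", "proto": PROTO_ICMP, "icmp_type": 8},     # our own address as source: spoofed
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": PROTO_ICMP, "icmp_type": 8},    # ordinary unicast ping
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": PROTO_UDP, "dport": 7},         # unicast UDP echo: not amplified
]

if __name__ == "__main__":
    for p in filter_ingress(SAMPLE, LOCAL_NETS):
        print("forward", p)
```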

Smurf Attack (diagram): the attacker sends an ICMP echo request whose spoofed source address is the target to the amplifier network's broadcast address; every host on the amplifier network replies to the target.

HOW TO DETERMINE IF YOUR NETWORK IS VULNERABLE
- A test site will scan your network and allow you to enter a known smurf amplifier site.
- Another site actively scans the IPv4 address space and mails network contacts with information on how to disable amplifiers.

Distributed Denial of Service attacks (DDoS)
- In the summer of 1999, a new breed of attack was developed, called the Distributed Denial of Service (DDoS) attack.
- A Distributed Denial of Service attack uses multiple machines operating in concert to attack a network or site.
- The nature of these attacks causes so much extra network traffic that it is difficult for legitimate traffic to reach your site while blocking the forged attacking packets.

DDoS
- February 2000: DDoS attacks launched against Yahoo, Amazon, E*Trade, eBay, Buy.com, and others.
- Estimated losses were “several millions”.

DDoS
- In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts.
- Harnesses the distributed nature of the internet.
- It requires a large number of victim machines (Zombies).
- The process of compromising a host and installing the tool is automated. The process can be divided into the following steps:

HOW DDoS WORKS
1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability.
2. Compromise the vulnerable hosts to gain access.
3. Install the tool on each host.
4. Use the compromised hosts for further scanning and compromises.

HOW DDoS WORKS
- Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.
- Enlisting numerous computers in a DDoS assault makes it both more devastating and harder to stop due to its distributed nature. It also makes tracing the original source of the attack virtually impossible.

HOW DDoS WORKS
- To launch a successful DDoS assault, an attacker needs to create a force of agents – often referred to as “zombie” computers.
- Once the zombie forces have been established, the attacker needs only to select a web site to attack. The attack itself can be initiated from a single computer, a central “command console” which can activate zombies located anywhere in the world.

Tools to launch DDoS attacks
1) Trinoo
2) TFN
3) TFN2K
4) Stacheldraht

Trinoo
- A distributed tool used to launch coordinated DoS attacks from many sources.
- A Trinoo network consists of a small number of servers (masters) and a large number of clients (daemons).
- An attacker carries out a DoS attack using a Trinoo network by connecting to a Trinoo master and instructing that master to launch a DoS attack against one or more IP addresses.

Trinoo
- The Trinoo master then communicates with the daemons, giving instructions to attack one or more IP addresses for a specified period of time.
- Requires a UNIX-based operating system.

TFN (Tribe Flood Network) & TFN2K
- The next generation of attack tools after Trinoo – can initiate several DDoS attacks, including ICMP, TCP SYN, UDP and a variation of Smurf.
- TFN2K improves on TFN by adding decoy packets and other measures to make it difficult to identify and filter TFN2K traffic. The master can also fake its source address to avoid detection. TFN2K is a version of Tribe Flood Network that was ported to the Microsoft® Windows® operating system.

Stacheldraht
- German for “barbed wire” – difficult to detect and block: Stacheldraht commands use passwords and are sent over an encrypted communications medium.
- Like TFN, Stacheldraht can perform several different kinds of DoS attacks, including PING floods and spoofed-source attacks.

Sub7
- A powerful DDoS and remote-admin kit.
- Detected by most anti-virus software.
- Able to generate large PING packets.
- Able to command armies of Sub7 zombies via an IRC (Internet Relay Chat) control mechanism.
- Sub7 is currently native to the Windows OS.

HOW TO FIGHT DDOS ATTACKS
- Zombie Zapper tool
- Implement router filters
- Install patches to guard against TCP SYN flooding
- Disable any unused or unneeded network services
- Observe your system performance and establish baselines for ordinary activity
- Routinely examine your physical security with respect to your current needs

HOW TO FIGHT DDOS ATTACKS
- Invest in and maintain "hot spares"
  – machines that can be placed into service quickly in the event that a similar machine is disabled
- Invest in redundant and fault-tolerant network configurations
- Establish and maintain regular backup schedules and policies
- Establish and maintain appropriate password policies

References
- Counter Hack – Ed Skoudis
- Systems.pdf

THANK YOU