Denial of Service Attacks


Denial of Service Attacks Lesson 14

Types of DoS Attacks
- Bandwidth consumption: attackers consume all available bandwidth on a particular network. Often a question of who has the larger "pipe".
- Resource starvation: focuses on consuming the resources of a target system (CPU, memory, connection tables, disk) as opposed to the network as a whole.
- Programming flaws: failure of a system to handle exceptional conditions or malformed input.
- Routing and DNS attacks: attackers attempt to manipulate routing table entries (or DNS answers) to deny service to legitimate systems or networks.

Denial of Service (DoS)
Different ways to categorize them:
By nature of the attack
- Poisoned traffic: malformed or invalid data that the target cannot handle properly.
- Brute-force resource: simply use up all available capacity.
- Stateful resource: take advantage of the state a client/server protocol keeps on the server side (for example half-open TCP connections).
By "target" of the attack
- Operating system attacks: target flaws in specific operating systems.
- Networking attacks: exploit inherent limitations of networking protocols.

Sources of the Attack
- Can come from many (any) places in the network.
- An attacker can hide the source of an attack through IP spoofing (a forged source address in the IP header).
- Attackers can also hide their identity by enslaving unwitting victims: "owned" or "zombie" agents.
- When an attacker uses many zombie agents together simultaneously, the result is a Distributed Denial of Service (DDoS) attack.

Generic DoS Attacks
Attacks that are capable of affecting many different types of systems are known as generic attacks. Generally these fall into the bandwidth consumption category. One example is email bombing.
Smurf attack (aka ICMP storm, ping flooding)
- Takes advantage of directed broadcasts on networks.
- The attacker sends an ICMP ECHO request to the broadcast address of a network with a spoofed source address, making it seem as if it came from the target system.
- Every host on that network that honours the broadcast replies to the spoofed address, i.e. to the target.
- Thus one request can produce up to 254 responses on a /24 network; the reflecting network multiplies the attacker's bandwidth.
- A variation on this is the fraggle attack, which uses UDP (the echo service, port 7) instead of ICMP.
- Defence: routers must not forward directed broadcasts (on Cisco IOS this is "no ip directed-broadcast", the default since IOS 12.0), and hosts should not answer broadcast pings. Being a reflector hurts you as well as the victim.
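From the victim's side a smurf attack looks like a burst of ICMP echo replies from many hosts that all share one subnet, answering pings the victim never sent. The detector below, an added example that is not part of the slides, runs that check over constructed packet records; the record layout, thresholds and addresses are assumptions made for the illustration.

```python
"""Added example, not part of the slides: spotting a smurf reflection in packet
records.  The victim of a smurf sees a burst of ICMP echo replies from many
hosts that all share one /24 (the reflecting network), even though it never
sent the echo requests.  The record layout and the sample below are constructed
for this illustration."""
from collections import defaultdict
from ipaddress import ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed sample: (timestamp_s, src, dst, icmp_type).
# A legitimate ping exchange, then 254 replies from 192.0.2.0/24 to the victim
# 203.0.113.5 within a quarter of a second: one spoofed request, 254 answers.
SAMPLE = [
    (0.00, "203.0.113.5", "198.51.100.10", ECHO_REQUEST),
    (0.01, "198.51.100.10", "203.0.113.5", ECHO_REPLY),
] + [
    (0.10 + i * 0.001, f"192.0.2.{i}", "203.0.113.5", ECHO_REPLY)
    for i in range(1, 255)
]


def reflector_subnets(records, window_s=1.0, min_sources=50, prefix=24):
    """Map each victim address to the subnets that sent it echo replies from at
    least min_sources distinct hosts inside any window_s-second window."""
    buckets = defaultdict(list)          # (victim, subnet) -> [(ts, src), ...]
    for ts, src, dst, icmp_type in records:
        if icmp_type != ECHO_REPLY:
            continue
        subnet = ip_network(f"{src}/{prefix}", strict=False)
        buckets[(dst, subnet)].append((ts, src))

    findings = defaultdict(list)
    for (victim, subnet), hits in buckets.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window_s:   # slide the window forward
                lo += 1
            best = max(best, len({src for _, src in hits[lo:hi + 1]}))
        if best >= min_sources:
            findings[victim].append((str(subnet), best))
    return dict(findings)


if __name__ == "__main__":
    for victim, subnets in reflector_subnets(SAMPLE).items():
        for subnet, n in subnets:
            print(f"{victim} is being reflected by {subnet}: {n} hosts answered one spoofed ping")
```

The legitimate reply from 198.51.100.10 is not reported because only one host in its /24 answered; the 254 replies from 192.0.2.0/24 are, and the count is also the amplification factor the reflecting network gave the attacker. The same grouping works for fraggle if you feed it UDP echo (port 7) replies instead of ICMP.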

More Attacks
SYN flood: exploits the TCP 3-way handshake.
Normal handshake:
- System A sends a SYN packet to a specific listening port on System B.
- System B sends a SYN/ACK packet back to System A and keeps a half-open entry for the connection.
- System A responds with ACK; the connection is established.
In the attack:
- The attacker sends SYN packets with spoofed source addresses.
- The target tries to respond to the address given and waits for the ACK; its SYN/ACK goes off to "never-never land" (an unreachable or silent address; a live host would answer with RST and free the entry).
- The attacker repeats until the half-open connection queue is full and further SYNs, including legitimate ones, are dropped.
- The queue may be as small as 10 pending connection requests on older systems. The timeout is generally anywhere from 75 seconds to over 20 minutes.
- The same technique is used in trusted-host exploitation (silencing a trusted host so its address can be spoofed) as well as for pure DoS.
Countermeasures: a bigger queue, shorter waits, SYN cookies (the server encodes the connection in its own sequence number and keeps no half-open state), and detection. On Linux, "ss -n state syn-recv" shows the half-open entries and net.ipv4.tcp_syncookies=1 turns cookies on once the backlog fills.
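The two sides of the slide, the backlog filling under spoofed SYNs and the stateless answer to it, as an added example that is not part of the slides. Backlog size, timeout, the cookie layout and the secret are assumptions chosen for illustration; a real kernel's cookie packs different fields into the 32-bit sequence number.

```python
"""Added example, not part of the slides: a half-open connection queue filling
up under a spoofed SYN flood, and SYN cookies as the stateless countermeasure.
Queue size, timeout, the cookie layout and the secret are assumptions chosen
for illustration; real kernels differ in detail (Linux, for instance, packs a
time counter, an MSS index and a 24-bit hash into the 32-bit ISN)."""
import hashlib
import hmac

SECRET = b"per-boot secret kept only in server memory"   # assumption


class HalfOpenQueue:
    """Listening socket with a fixed backlog of SYN-RECEIVED entries."""

    def __init__(self, backlog=10, timeout_s=75.0):
        self.backlog = backlog
        self.timeout_s = timeout_s
        self.pending = {}                # (src_ip, src_port) -> time SYN/ACK was sent

    def on_syn(self, src, now):
        """Queue a SYN/ACK for src; return False when the backlog is full."""
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t < self.timeout_s}      # drop timed-out entries
        if src in self.pending:
            return True                                   # retransmitted SYN
        if len(self.pending) >= self.backlog:
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src):
        """Third handshake packet: the entry leaves the half-open queue."""
        return self.pending.pop(src, None) is not None


def syn_flood(queue, n_packets, rate_pps=100.0, start=0.0):
    """Spoofed SYNs from n distinct addresses that will never send the ACK.
    Returns how many of them got a backlog slot."""
    accepted = 0
    for i in range(n_packets):
        src = (f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.1", 1024 + i % 60000)
        if queue.on_syn(src, start + i / rate_pps):
            accepted += 1
    return accepted


def _cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, t, secret):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{t}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]   # 24 bits


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now, secret=SECRET):
    """Server ISN for the SYN/ACK: top 8 bits are a 5-minute counter, the low
    24 bits a keyed hash of the 4-tuple and the client's ISN.  No state is kept."""
    t = int(now // 300) & 0xFF
    h = int.from_bytes(_cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, t, secret), "big")
    return (t << 24) | h


def check_syn_cookie(ack_num, src_ip, src_port, dst_ip, dst_port, client_isn,
                     now, secret=SECRET, max_age=1):
    """Validate the final ACK of a handshake: ack_num must be our cookie + 1,
    and the cookie must have been minted within max_age counter ticks."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> 24
    if (((int(now // 300) & 0xFF) - t) & 0xFF) > max_age:
        return False                                      # stale cookie
    expected = _cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, t, secret)
    return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))


if __name__ == "__main__":
    q = HalfOpenQueue(backlog=10, timeout_s=75.0)
    print("spoofed SYNs that got a slot:", syn_flood(q, 1000))                        # 10
    print("legit client accepted during flood:", q.on_syn(("198.51.100.7", 50000), 9.0))  # False
    c = syn_cookie("198.51.100.7", 50000, "203.0.113.10", 80, 12345, now=1000.0)
    print("cookie ACK accepted:", check_syn_cookie(c + 1, "198.51.100.7", 50000,
                                                   "203.0.113.10", 80, 12345, now=1001.0))  # True
```

With a backlog of 10 and a 75-second timeout, ten spoofed SYNs per 75 seconds are enough to lock out every real client, which is why the slide's "bigger queue, shorter waits" only raises the bar. The cookie path needs no queue at all: the server can recompute the hash from the ACK alone, and a spoofed SYN whose SYN/ACK is never answered costs it nothing.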

Remote DoS Attacks
The premise of these attacks is sending a specific packet, or sequence of packets, to the target system to exploit a specific programming flaw.
IP fragmentation overlap
- Teardrop and similar attacks (boink, syndrop) exploit vulnerabilities in packet-reassembly code.
- As packets travel through different networks they may get broken into fragments; fragments of one datagram should never overlap.
- Teardrop takes advantage of the fact that some older IP stacks did not handle overlapping fragments: the reassembly code computed a negative copy length for the second fragment and crashed the kernel.
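The flaw and its fix side by side, as an added example that is not part of the slides: the first function reproduces the teardrop-era arithmetic on an overlapping pair, the second is a reassembler that rejects overlap, gaps and oversize datagrams. Fragments are modelled as constructed tuples rather than real IP headers.

```python
"""Added example, not part of the slides: why overlapping IP fragments crashed
old reassembly code (teardrop), next to a reassembler that rejects them.
Fragments are modelled as constructed (offset_bytes, more_fragments, payload)
tuples; a real IP header carries the offset in 8-byte units plus the MF flag."""

MAX_DATAGRAM = 65535


def naive_copy_length(prev_end, offset, length):
    """Teardrop-era logic: if the new fragment overlaps the previous one, trim
    the overlap and copy the rest.  When the new fragment ends *before* the
    previous one does, the result goes negative; cast to an unsigned size in C,
    that became a memcpy of gigabytes and a kernel panic."""
    if offset < prev_end:
        length -= prev_end - offset
    return length


def reassemble(fragments):
    """Return the datagram payload, or raise ValueError for overlap, gap,
    oversize, a mis-sized middle fragment, or a missing last fragment."""
    frags = sorted(fragments, key=lambda f: f[0])
    buf, expected, seen_last = bytearray(), 0, False
    for offset, more, data in frags:
        if seen_last:
            raise ValueError("data after last fragment")
        if offset < expected:
            raise ValueError("overlap")
        if offset > expected:
            raise ValueError("gap")
        if more and len(data) % 8:
            raise ValueError("middle fragment not a multiple of 8 bytes")
        if offset + len(data) > MAX_DATAGRAM:
            raise ValueError("oversize")
        buf += data
        expected = offset + len(data)
        seen_last = not more
    if not seen_last:
        raise ValueError("incomplete")
    return bytes(buf)


def reassembly_status(fragments):
    """'ok' or the reason the fragment set was rejected."""
    try:
        reassemble(fragments)
        return "ok"
    except ValueError as e:
        return str(e)


# Constructed samples.
NORMAL = [(0, True, b"A" * 16), (16, False, b"B" * 8)]
# Teardrop-style: the second fragment starts inside the first and ends before it.
TEARDROP = [(0, True, b"A" * 40), (24, False, b"B" * 4)]
# The last fragment pushes the datagram past the 65535-byte IP maximum.
OVERSIZE = [(0, True, b"A" * 65528), (65528, False, b"B" * 16)]

if __name__ == "__main__":
    print("naive copy length for the teardrop pair:", naive_copy_length(40, 24, 4))   # -12
    for name, frags in [("NORMAL", NORMAL), ("TEARDROP", TEARDROP), ("OVERSIZE", OVERSIZE)]:
        print(name, "->", reassembly_status(frags))
```

Rejecting the whole datagram on any overlap is the conservative policy; stacks that instead pick the first or last fragment to win differ from one another, and that difference is what fragment-based IDS evasion relies on.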

Other Attacks
SMBdie
- Released in 2002, it takes advantage of a flaw in Microsoft's SMB (network share) implementation (MS02-045), causing the system to "blue screen". Works against NT/2K/XP.
Buffer overflow in the IIS FTP server
- Buffer overflow in the LIST command of the FTP server. Only reachable by authenticated users, but if you allow anonymous users... Results in the server crashing.
Stream and Raped attacks
- Resource-starvation attacks that result in high CPU usage.
- stream sends TCP ACK packets to a series of ports with random sequence numbers and random source IPs.
- raped sends TCP ACK packets with spoofed source IPs.

Distributed Denial of Service
- The difference between DDoS and DoS is many-to-one versus one-to-one.
- The first high-profile DDoS attacks hit the Internet in Feb 2000, affecting eBay, Buy.com, CNN and Yahoo! (the tools themselves were already in use in 1999; see trinoo below).
- The first step is to target and gain administrative access on as many systems as possible (zombies). Normally a customized attack script is used for this.
- Once access is obtained, the attackers upload and run their DDoS software.
- The software waits for an attack message, which provides information on the target.
- Once the attack message is sent to the zombies, they launch the specified attack against the identified target.

DDoS Attack

Tribal Flood Network (TFN) DDoS
- TFN is made up of client and daemon programs which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood and smurf-style attacks.
- Remote control of a TFN network is accomplished via command-line execution of the client program, using any of a number of connection methods (e.g. a remote shell bound to a TCP port, UDP-based client/server remote shells, ICMP-based client/server shells, or normal "telnet" TCP terminal sessions).
- Communication from the TFN client to the daemons is accomplished via ICMP_ECHOREPLY packets. There is no TCP- or UDP-based communication between client and daemons at all.
- Why echo replies? Commands are placed in echo replies rather than echo requests because the kernel of every daemon host would answer an echo request with an echo reply, so the client would be flooded with replies from all its daemons (a DoS on itself) and the control traffic would be obvious. An echo reply provokes no response, and stateless filters that permit outbound ping let it in.
- TFN2K is the successor to TFN; it spreads its control traffic over TCP, UDP and ICMP with randomized ports, so port blocking is harder.

trinoo DDoS
- A trinoo network of at least 227 systems was used on Aug 17, 1999 to flood a single system at the University of Minnesota.
- The attacker(s) control one or more "master" servers, each of which can control many daemons.
- Remote control of the master is accomplished via a TCP connection to port 27665, after which the user must authenticate with a password.
- Communication from the master to the daemons is via UDP packets on port 27444.
- When a daemon starts, it first sends a "hello" message to the master, which maintains a list of the active daemons it controls.
- The daemons send UDP packets to random UDP ports (0-65535) on the target for a period of time (120 seconds by default).

Stacheldraht (barbed wire) DDoS
- Combines features of trinoo and the original TFN, and adds encryption of the communication between attacker and masters and automated updating of the agents.
- Can do ICMP flood, SYN flood, UDP flood and smurf-style attacks.
- There is a limit of 1000 agents per master.
- Uses TCP and ICMP for communication between master and agents (trinoo used UDP, TFN used ICMP).
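What the three tools above have in common from a defender's view is that their control traffic is visible on the wire: trinoo on fixed ports, TFN and Stacheldraht as ICMP echo replies that answer no request. The detector below, an added example that is not part of the slides, runs both checks over constructed flow records. It uses only the trinoo ports the slides give; the record layout, the grace period and the sample traffic are assumptions made for the illustration.

```python
"""Added example, not part of the slides: flagging handler/agent traffic of the
DDoS tools above in flow records.  The trinoo ports are the ones given in the
slides (TCP 27665 for logging in to the master, UDP 27444 from master to
daemons); the unsolicited-echo-reply check covers TFN and Stacheldraht, which
carry commands in ICMP echo replies that no echo request asked for.  Record
layout and the sample traffic are constructed for this illustration."""

ECHO_REPLY, ECHO_REQUEST = 0, 8

TRINOO_PORTS = {
    ("tcp", 27665): "trinoo: attacker logging in to master",
    ("udp", 27444): "trinoo: master commanding daemon",
}

# Constructed records: (ts, proto, src, dst, info) where info is the destination
# port for tcp/udp and (icmp_type, id, seq) for icmp.
SAMPLE = [
    (1.0, "icmp", "10.0.0.5", "10.0.0.1", (ECHO_REQUEST, 0x1234, 1)),   # admin pings the gateway
    (1.0, "icmp", "10.0.0.1", "10.0.0.5", (ECHO_REPLY, 0x1234, 1)),     # gateway answers
    (2.0, "tcp", "203.0.113.9", "10.0.0.7", 27665),                      # attacker -> master
    (2.5, "udp", "10.0.0.7", "10.0.0.22", 27444),                        # master -> daemon
    (3.0, "icmp", "203.0.113.9", "10.0.0.31", (ECHO_REPLY, 456, 0)),    # TFN-style command
    (4.0, "tcp", "10.0.0.5", "10.0.0.1", 22),                           # ordinary ssh
]


def find_c2(records, reply_grace_s=5.0):
    """Return (ts, src, dst, reason) for each suspicious record.

    Echo requests are remembered by (requester, target, id, seq); an echo reply
    is legitimate only if it matches one of them and arrives within
    reply_grace_s seconds.  tcp/udp records are matched against TRINOO_PORTS."""
    alerts = []
    outstanding = {}   # (requester, target, id, seq) -> ts of the echo request
    for ts, proto, src, dst, info in records:
        if proto in ("tcp", "udp"):
            reason = TRINOO_PORTS.get((proto, info))
            if reason:
                alerts.append((ts, src, dst, reason))
        elif proto == "icmp":
            icmp_type, ident, seq = info
            if icmp_type == ECHO_REQUEST:
                outstanding[(src, dst, ident, seq)] = ts
            elif icmp_type == ECHO_REPLY:
                sent = outstanding.pop((dst, src, ident, seq), None)
                if sent is None or ts - sent > reply_grace_s:
                    alerts.append((ts, src, dst,
                                   "unsolicited ICMP echo reply (TFN/Stacheldraht-style command channel)"))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, reason in find_c2(SAMPLE):
        print(f"t={ts:.1f} {src} -> {dst}: {reason}")
```

The port table is the weak half: TFN2K randomizes ports, and any tool can be recompiled with different ones. The request/reply matching is the durable half, and it is exactly what a stateful firewall does when it allows ICMP echo replies only in answer to an echo request it has seen leave.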

Summary
What is the importance and significance of this material?
- DoS and DDoS attacks can be devastating to network resources and can prevent authorized use of systems and networks.
How does this topic fit into the subject of "Security Risk Analysis"?
- We will most likely not be called upon to conduct DoS or DDoS attacks, but we must know how they work so we can help clients protect against them as much as possible.