DDoS
Distributed Denial of Service Attacks
by Mark Schuchter
Overview
- Introduction
- Why?
- Timeline
- How?
- Typical attack (UNIX)
- Typical attack (Windows)
Introduction
DDoS attack
- prevents or impairs legitimate use of a computer or network
- exhausts limited, consumable resources (memory, processor cycles, bandwidth, ...)
- Internet security is highly interdependent: the attack is launched from other people's poorly secured hosts, so your exposure depends on their security as much as your own
Why?
- sub-cultural status
- to gain access
- political reasons
- economic reasons
- revenge
- nastiness
Timeline
- before 1999: point-to-point attacks (SYN flood, Ping of Death, ...); first distributed attack tools ('fapi')
- 1999: more robust tools (trinoo, TFN, Stacheldraht) with auto-update and added encryption
- 2000: attack tools bundled with rootkits, controlled via talk or IRC
- 2001: worms include DDoS features (e.g. Code Red) with time-synchronised attack phases
- 2002: DRDoS (distributed reflected) attack tools
- 2004: Mydoom infects thousands of victims to attack SCO and Microsoft
How?
- TCP floods (various flag combinations)
- ICMP echo requests (e.g. ping floods)
- UDP floods
SYN attack

Normal handshake:
  Client -> Server: SYN
  Server -> Client: SYN-ACK
  Client -> Server: ACK

Attack:
  Attacker (spoofed source IP) -> Server: SYN
  Server -> spoofed IP: SYN-ACK
  (the third step never arrives; each half-open connection occupies a backlog slot until it times out, and once the backlog is full legitimate SYNs are dropped)
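The mechanism above, as an added example that is not part of the slides: a small simulation of a server's listen backlog under a SYN flood from spoofed sources, once with a stateful backlog and once with SYN cookies. Backlog size, timeout, the cookie secret and the cookie construction are assumed stand-ins; real stacks (RFC 4987) pack MSS and a coarse timestamp into the ISN and use a per-boot secret.

```python
"""
Simulation of a TCP listen backlog under a SYN flood, first with a stateful
backlog and then with SYN cookies. Added example, not from the slides.
BACKLOG_SIZE, SYN_TIMEOUT, SERVER_SECRET and the cookie function are assumed
stand-ins for what a real TCP stack does.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

BACKLOG_SIZE = 8                    # assumed: half-open connections the server holds
SYN_TIMEOUT = 60.0                  # assumed: seconds before an unanswered SYN-ACK is forgotten
SERVER_SECRET = b"example-secret"   # assumed stand-in for the per-boot cookie secret


@dataclass
class Server:
    use_syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # (ip, port) -> (isn, expiry)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}

    def _cookie(self, ip, port, now):
        # ISN derived from the peer address and a coarse clock; nothing is stored.
        minute = int(now // 60)
        msg = f"{ip}:{port}:{minute}".encode()
        mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, ip, port, now):
        """Handle a SYN. Returns the ISN sent in the SYN-ACK, or None if dropped."""
        if self.use_syn_cookies:
            return self._cookie(ip, port, now)
        self._expire(now)
        if len(self.half_open) >= BACKLOG_SIZE:
            self.dropped_syns += 1          # backlog full: legitimate SYNs are lost too
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(ip, port)] = (isn, now + SYN_TIMEOUT)
        return isn

    def on_ack(self, ip, port, ack, now):
        """Handle the final ACK. Returns True if the connection is established."""
        if self.use_syn_cookies:
            for back in (0, 60):            # accept current and previous minute
                if ack - 1 == self._cookie(ip, port, now - back):
                    self.established.add((ip, port))
                    return True
            return False
        self._expire(now)
        entry = self.half_open.pop((ip, port), None)
        if entry is None or entry[0] + 1 != ack:
            return False
        self.established.add((ip, port))
        return True


def run_flood(use_syn_cookies, n_spoofed=50):
    """Flood the server with SYNs from spoofed sources (which never ACK),
    then check whether one legitimate client can still connect."""
    srv = Server(use_syn_cookies=use_syn_cookies)
    t = 0.0
    for i in range(n_spoofed):
        srv.on_syn(f"10.{i // 256}.{i % 256}.1", 40000 + i, t)   # spoofed, never answers
    t = 1.0                                 # legit client arrives while entries are live
    isn = srv.on_syn("192.0.2.10", 51000, t)
    connected = isn is not None and srv.on_ack("192.0.2.10", 51000, isn + 1, t + 0.05)
    return {"legit_connected": connected,
            "half_open": len(srv.half_open),
            "dropped": srv.dropped_syns}


def forged_ack_rejected():
    """With cookies, a bare ACK not preceded by our SYN-ACK is refused."""
    srv = Server(use_syn_cookies=True)
    return not srv.on_ack("203.0.113.5", 1234, 12345, 0.0)


if __name__ == "__main__":
    print("stateful backlog:", run_flood(False))
    print("SYN cookies:     ", run_flood(True))
```

With the stateful backlog the first eight spoofed SYNs fill every slot and the legitimate client is refused; with cookies the server keeps no per-SYN state, so the flood costs it nothing but bandwidth and the client connects. The trade-off not shown here is that cookie mode discards the options carried in the SYN (window scaling, SACK), which is why stacks only switch to it once the backlog overflows.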
Typical attack
1. prepare the attack
2. set up the network
3. communication
UNIX ('trin00') - preparation I
- use a stolen account on a high-bandwidth host as a repository for:
  - scanners
  - attack tools (e.g. buffer overrun exploits)
  - rootkits
  - sniffers
  - trin00 master and daemon programs
  - lists of vulnerable hosts and of previously compromised hosts
UNIX ('trin00') - preparation II
- scan large ranges of network blocks to identify potential targets (hosts running an exploitable service)
- the list is used to create a script that:
  - performs the exploit
  - sets up a command shell running as root that listens on a TCP port (1524/tcp)
  - connects to this port to confirm the exploit worked
- result: a list of owned systems
UNIX ('trin00') - network I
- store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
- a script takes the 'owned list' to automate the installation of the daemon
- the same is done for the trin00 master
UNIX ('trin00') - network II

  attacker
     |
  master   master   master
     |
  daemon   daemon   daemon   daemon
UNIX ('trin00') - communication
- attacker controls the master via telnet and a password (port 27665/tcp)
- trin00 master to daemon via 27444/udp (arg1 pwd arg2)
- daemon to master via 31335/udp
- 'dos <pw> 192.168.0.1' triggers the attack
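The three control channels listed above are the network-visible part of a trin00 deployment, so they are what a defender can hunt for in connection logs. The following detector is an added example, not code from the slides or from trin00: it parses a constructed connection log (the line format is invented for this example; a real source would be firewall or NetFlow records), flags the trin00 ports from the slide, and correlates the 27444/udp fan-out and 31335/udp replies to name a master and the daemons it talks to. The caveat a practitioner needs: the port numbers are compile-time constants that any attacker can change, so a port match alone is a weak indicator; the one-to-many fan-out pattern is the more robust signal.

```python
"""
Detection of trin00 control traffic in connection logs.
Added example, not from the slides. The log format and SAMPLE_LOG are constructed
for this example. Ports from the slides: 27665/tcp, 27444/udp, 31335/udp.
"""
import re
from collections import defaultdict

TRIN00_PORTS = {
    ("tcp", 27665): "attacker -> master (telnet-style control)",
    ("udp", 27444): "master -> daemon (command)",
    ("udp", 31335): "daemon -> master (reply)",
}

# constructed line format: <timestamp> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$",
    re.IGNORECASE,
)

# constructed sample: one controller, one master, three daemons, some benign noise
SAMPLE_LOG = """\
2003-05-12T10:01:03 tcp 203.0.113.7:40122 -> 198.51.100.20:27665
2003-05-12T10:01:09 udp 198.51.100.20:27444 -> 192.0.2.11:27444
2003-05-12T10:01:09 udp 198.51.100.20:27444 -> 192.0.2.12:27444
2003-05-12T10:01:09 udp 198.51.100.20:27444 -> 192.0.2.13:27444
2003-05-12T10:01:10 udp 192.0.2.11:1025 -> 198.51.100.20:31335
2003-05-12T10:01:10 udp 192.0.2.12:1026 -> 198.51.100.20:31335
2003-05-12T10:02:00 tcp 192.0.2.50:51000 -> 198.51.100.20:80
2003-05-12T10:02:01 udp 192.0.2.50:51001 -> 198.51.100.20:53
this line is malformed and must be skipped, not crash the parser
"""


def parse(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text, min_daemons=2):
    """Return port hits plus the master/daemon relationships inferred from fan-out.

    A host is reported as a master only if it commands (27444/udp) or is
    answered by (31335/udp) at least min_daemons distinct hosts.
    """
    hits = []
    daemons_per_master = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        label = TRIN00_PORTS.get((rec["proto"], rec["dport"]))
        if label is None:
            continue
        hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], label))
        if rec["dport"] == 27444:
            daemons_per_master[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 31335:
            daemons_per_master[rec["dst"]].add(rec["src"])
    masters = {m: sorted(d) for m, d in daemons_per_master.items()
               if len(d) >= min_daemons}
    controllers = sorted({h[1] for h in hits if h[3] == 27665})
    return {"hits": hits, "masters": masters, "controllers": controllers}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for hit in result["hits"]:
        print(*hit)
    print("masters:", result["masters"])
    print("controllers:", result["controllers"])
```

On the sample log this reports 198.51.100.20 as a master with daemons 192.0.2.11, .12 and .13, and 203.0.113.7 as the host that opened the 27665/tcp control session; the HTTP and DNS lines produce no hits, and the malformed line is skipped. In production the same correlation can be run on the payload instead of the port (the master-to-daemon commands are short cleartext strings), which survives a recompile with different port numbers.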
Windows ('Sub7') - preparation I
- set up the following things on your home PC:
  - freemail account
  - Kazaa
  - trojan toolkit
  - IRC client
  - IRC bot
Windows ('Sub7') - preparation II
- assemble different trojans (GUI)
- define the ways of communication
- choose name and file
Windows ('Sub7') - network I
- start spreading via
  - e-mail / news lists
  - IRC
  - P2P software
Windows ('Sub7') - network II

  attacker
     |
  client   client   client   client
Windows ('Sub7') - communication
- Sub7 client
- IRC channel
- one click launches the attack
Development

[Figure: attack sophistication (low to high) vs. intruder knowledge over time, 1980 to 2001. Tools and attack types appear in roughly this order:]
- password guessing
- password cracking
- exploiting known vulnerabilities
- disabling audits
- back doors
- hijacking sessions
- sniffers
- packet spoofing
- GUI
- automated probes/scans
- denial of service
- www attacks
- "stealth" / advanced scanning techniques
- burglaries
- network mgmt. diagnostics
- distributed attack tools
- binary encryption

[As tool sophistication rises, the knowledge an attacker needs falls.]
Source: CERT/CC
Solutions
- statistical traffic analysis at routers (e.g. D-WARD, which runs at the edge router of a source network) - not production-ready yet
- raise user awareness (firewalls, e-mail attachments, virus scanners, ...)
Thanks for your attention!