Denial of Service WORLDS ATTACKS

Date post: 22-Feb-2016

Denial of Service WORLDS ATTACKS

Prepared by: Mohammed Mahmoud Hussain
Supervised by: Dr. Lo’ai Tawalbeh
NYIT-winter 2007

Good News / Bad News

The Internet and Networks give us better connectivity
- Share information
- Collaborate (a)synchronously

The Internet and Networks give us better connectivity
- Viruses can spread more easily
- “The bad guys” now have easier access to your information as well

Why do I want to be secure? (What’s in it for me?)

You can ensure private information is kept private
- Some things are for certain eyes only and you probably want to keep them that way
- Is someone looking over your shoulder (physically or virtually)?

The 3 Main Forms of Bad Guys
- Virus/Worm
- Trojan
- Denial of Service

Viruses / Worms
Most widely known – thanks to press coverage
What is it?
- Computer programs written by bad guys to do malicious things, often triggered by a specific event
- Example – Word Macro Virus that sends out junk email when a Word document is opened

Trojan horse
Most dangerous of all
What is it?
- Computer programs often written by good guys but used by bad guys to give them a back door to the intended computer
- Example – Remote Management application that runs in the background and allows the bad guys to “get in” and use your computer as they wish

Typically cannot be safely removed – must start from working backup or scratch

Because
- Deleting/modifying data files is one of their goals
- Stealing personal information also
- Interrupting/destroying business processes (contingency plan)

Denial of service (DOS)
- Too many requests for a particular web site “clog the pipe” so that no one else can access the site
- Also the use of the LAND attack

Possible impacts:
- May reboot your computer
- Slows down computers
- Certain sites / applications become inaccessible
** you are off.

Where are you
Everyone has to know that they come from 3 places
- “New Files”
- “Viewed Content”
- “Exposed Services”

Where they come from
- Unwanted email with attachments you weren’t expecting
- Downloaded programs from the internet that come from less than trustworthy locations
- File Sharing Programs (P2P)
- Websites that will “install” things for you

The more open doors your computer has, the more chance of someone coming in

What is Denial of Service Attack?

“Attack in which the primary goal is to deny the victim(s) access to a particular resource.”

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

How to take down a restaurant
[Figure: Saboteur and Restaurateur]

Saboteur vs. Restaurateur
[Figure: Saboteur and Restaurateur. “Table for four at 8 o’clock. Name of Mr. Smith.” / “O.K., Mr. Smith”]

[Figure: Saboteur and Restaurateur. “No More Tables!”]

Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack.

Categories of DOS attack
- Bandwidth attacks
- Protocol exceptions
- Logic attacks

A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.

A protocol attack is a trickier approach, but it is becoming quite popular. Here, the malicious attacker sends traffic in a way that the target system never expected, such as when an attacker sends a flood of SYN packets.

The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking. A classic example of a logic attack is a LAND attack, where an attacker sends a forged packet with the same source and destination IP address. Many systems are unable to handle this type of confused activity and subsequently crash.

Types of DoS Attacks

The information here introduces the common types of DoS attacks, many of which can be done as a DDoS attack.

PING OF DEATH
A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It also is a valuable tool for troubleshooting and diagnosing problems on a network. As in the following picture, a normal ping has two messages:

BUT
With a Ping of Death attack, an echo packet is sent that is larger than the maximum allowed size of 65,536 bytes. The packet is broken down into smaller segments, but when it is reassembled, it is discovered to be too large for the receiving buffer. Subsequently, systems that are unable to handle such abnormalities either crash or reboot.

You can perform a Ping of Death from within Linux by typing ping -f -s 65537. Note the use of the -f switch. This switch causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are being sent to a target.

Tools:
- Jolt
- SPing
- ICMP Bug
- IceNewk

Smurf and Fraggle

A Smurf attack is another DoS attack that uses ICMP. Here, an echo request is sent to a network broadcast address with the target as the spoofed source. When hosts receive the echo request, they send an echo reply back to the target. Sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.

If the broadcast ping cannot be sent to a network, a Smurf amplifier is used instead. A Smurf amplifier is a network that allows the hacker to send broadcast pings to it and sends back a ping response to his target host on a different network. NMap provides the capability to detect whether a network can be used as a Smurf amplifier.

A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP programs that operate on UDP ports 19 and 7. Both of these applications are designed to operate much like ICMP pings; they are designed to respond to requesting hosts to notify them that they are active on a network.

LAND Attack
In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reportedly discovered in 1997), both Windows XP with service pack 2 and Windows Server 2003 are vulnerable to this attack.

HPing can be used to craft packets with the same spoofed source and destination address.

Synchronous flood
A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between two hosts.

In a SYN flood, however, the three-way handshake is used differently: the attacking host sends a flood of SYN packets but does not respond with an ACK packet. The TCP/IP stack will wait a certain amount of time before dropping the connection, so a SYN flooding attack keeps the syn_received connection queue of the target machine filled.

With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication can take place until the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.

SYN floods are still successful today for three reasons:

1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.

2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.

3) SYN packets can be spoofed because no response needs to be given back to the target. As a result, you can choose random IP addresses to launch the attack, making filtering difficult for security administrators.
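One way to watch for the filled syn_received queue described above, as an added example that is not part of the original presentation: count half-open sockets per listening endpoint in `ss -tan` style output. The sample lines are constructed, and the limit of 128 and the 0.8 alarm ratio are assumed values to be replaced by the host's real SYN backlog setting.

```python
from collections import Counter, defaultdict


def half_open_report(ss_lines, limit=128, alarm_ratio=0.8):
    """Summarise SYN-RECV (half-open) sockets per local address:port.

    limit       -- assumed size of the half-open queue for one listener
    alarm_ratio -- fraction of that queue at which we raise an alarm
    """
    per_endpoint = Counter()
    sources = defaultdict(Counter)
    for line in ss_lines:
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local, peer = fields[3], fields[4]
        peer_ip = peer.rsplit(":", 1)[0]      # rsplit keeps "[::1]:80" style intact
        per_endpoint[local] += 1
        sources[local][peer_ip] += 1

    report = {}
    for local, count in per_endpoint.items():
        report[local] = {
            "half_open": count,
            "distinct_sources": len(sources[local]),
            # With spoofed, random source addresses this stays near 1, which is
            # why per-source rate limits do not catch the flood (reason 3 above).
            "busiest_source": sources[local].most_common(1)[0][1],
            "alarm": count >= limit * alarm_ratio,
        }
    return report


def constructed_sample():
    """Constructed `ss -tan` style lines; addresses are documentation ranges."""
    lines = [
        "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
        "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*",
        "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
        "ESTAB 0 0 192.0.2.10:22 198.51.100.5:50122",
        "SYN-RECV 0 0 192.0.2.10:22 198.51.100.5:50123",
    ]
    # 120 half-open sessions on port 80, each from a different source address.
    for i in range(120):
        lines.append(f"SYN-RECV 0 0 192.0.2.10:80 203.0.113.{i + 1}:{40000 + i}")
    return lines


if __name__ == "__main__":
    for endpoint, stats in sorted(half_open_report(constructed_sample()).items()):
        print(endpoint, stats)
```

The alarm keys on the listener's queue depth, not on any single peer, because the sources in the flood each appear only once.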

An example: TCP SYN flooding
[Figure: Buffer. “TCP connection, please.” / “O.K. Please send ack.” / “TCP connection, please.” / “O.K. Please send ack.”]

Now we may categorize DoS attacks into 3 parts depending on the number of actors.

Direct Single-tier DoS Attacks
- Straightforward 'point-to-point' attack, meaning there are 2 actors: hacker and victim.
- Examples
  - Ping of Death
  - SYN floods
  - Other malformed packet attacks

Direct Dual-tier DoS Attacks
- More complex attack model
- Difficult for victim to trace and identify attacker
- Examples
  - Smurf

Direct Triple-tier DDoS Attacks
- Highly complex attack model, known as Distributed Denial of Service (DDoS).
- DDoS exploits vulnerabilities in the very fabric of the Internet, making it virtually impossible to protect your networks against this level of attack.
- Examples
  - TFN2K
  - Stacheldraht
  - Mstream

The Components of a DDoS Flood Network
- Attacker
  - Often a hacker with good networking and routing knowledge.
- Master servers
  - Handful of backdoored machines running DDoS master software, controlling and keeping track of available zombie hosts.
- Zombie hosts
  - Thousands of backdoored hosts over the world

Distributed Denial of Service Attack (DDoS)

In and around early 2001 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple compromised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. As in a DoS attack, in a DDoS attack the legitimate requests to the affected system are denied. Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack.

Results expected
- Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise.
- Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

Forms
- attempts to "flood" a network, thereby preventing legitimate network traffic
- attempts to disrupt connections between two machines, thereby preventing access to a service
- attempts to prevent a particular individual from accessing a service
- attempts to disrupt service to a specific system or person

Defense

Internet Service Providers
- Deploy source address anti-spoof filters (very important!).
- Turn off directed broadcasts.
- Develop security relationships with neighbor ISPs.
- Set up mechanism for handling customer security complaints.
- Develop traffic volume monitoring techniques.

High loaded machines
- Look for too much traffic to a particular destination.
- Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
- Can we automate the tools – too many queue drops on an access router will trigger source detection? (bl..
- Disable and filter out all unused UDP services.

Also
- Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed
- Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, back doors, etc.)
- Train your system and network administrators
- Read security bulletins like: www.cert.org, www.sans.org, www.eEye.com
- From time to time, listen in on the attacker community to be informed about their latest achievements
- Be in contact with your ISP. In case your network is being attacked, this can save a lot of time

Can both do better some day
- ICMP Traceback message.
- Warning – this technique is an idea that is untested in practice.

ICMP
- It is a message usually used to indicate errors on the network: request not complete, router not reachable.
- With TCP and UDP it is a different story: it is used mainly to check the communication between nodes, sent as an echo request message (ping) to determine:
  1. whether the host is reachable.
  2. how long packets take to get to and from the host.

ICMP Traceback
- It is the way we determine the real source of the attacker, especially in DoS attacks and their variants, by backtracking to the point of origin.
- There are 2 methods:
  1. IP logging.
  2. IP marking.

ICMP Traceback
- In IP logging, log information is stored in tables at each router; when we trace back we collect all the tables and finally get the source.
- In IP marking, each router adds traffic-identifying information to each packet, which then leads to the real source.

ICMP Traceback
- For a very few packets (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
- Net traffic increase at endpoint is about .1% -- probably acceptable.
- Issues: authentication, loss of traceback packets, load on routers.
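The sampling scheme on the slide above, simulated as an added example that is not part of the original presentation: each router emits a previous-hop message for about 1 in 20,000 packets and the victim chains those messages back toward the source. The 20-router path, the router names and the function names are assumptions; 20 hops is the path length at which the slide's 0.1% overhead figure comes out.

```python
import math
import random


def packets_needed(hops, p=1 / 20000, confidence=0.95):
    """Packets the victim must receive before, with the given confidence,
    every one of `hops` routers has emitted at least one traceback message."""
    per_router = confidence ** (1.0 / hops)
    return math.ceil(math.log(1.0 - per_router) / math.log(1.0 - p))


def simulate(path, packets, p=1 / 20000, seed=7):
    """path lists routers from the attacker's side to the victim's side.

    Returns (prev_of, sent): the previous-hop facts the victim learned and
    the number of traceback messages that reached it."""
    rng = random.Random(seed)
    prev_of, sent = {}, 0
    for i, router in enumerate(path):
        previous = path[i - 1] if i else "attacker-side link"
        position = 0
        while True:
            # Geometric gap to the next sampled packet: equivalent to flipping
            # a 1-in-20,000 coin per packet, without looping over each packet.
            position += int(math.log(1.0 - rng.random()) / math.log(1.0 - p)) + 1
            if position > packets:
                break
            prev_of[router] = previous
            sent += 1
    return prev_of, sent


def rebuild_path(prev_of, last_router):
    """Victim walks backwards from its own upstream router.

    Stops at the first router it has no message from, and refuses to follow
    a loop (traceback messages are unauthenticated, per the issues listed)."""
    hops = [last_router]
    while hops[-1] in prev_of and prev_of[hops[-1]] not in hops:
        hops.append(prev_of[hops[-1]])
    return hops[::-1]


if __name__ == "__main__":
    routers = [f"R{i}" for i in range(1, 21)]          # constructed 20-hop path
    learned, messages = simulate(routers, packets=300_000)
    print("path:", " -> ".join(rebuild_path(learned, "R20")))
    print("overhead: %.3f%%" % (100.0 * messages / 300_000))
    print("packets for 95% full path:", packets_needed(20))
```

Roughly 120,000 packets are needed before the full 20-hop path is known with 95% confidence, so the scheme resolves sustained floods and says little about short bursts.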

Overview
What happens these days on

Throw away requests
[Figure: Client, Request, Server, Buffer. Client: “Hello?” “Hello?” “Hello?”]
Problem: Legitimate clients must keep retrying

IP Tracing (or Syncookies)
[Figure: Client, Server, Buffer. Client: “Hi. My name is 10.100.16.126.”]
Problems:
- Can be evaded, particularly on, e.g., Ethernet

Digital signatures
[Figure: Client, Server, Buffer]
Problems:
- Requires carefully regulated PKI
- Does not allow for anonymity

Connection timeout
[Figure: Server]
Problem: Hard to achieve balance between security and latency demands

A Solution: client puzzle
by Juels and Brainard
with improvement by Wang and Reiter

Intuition
[Figure: “Table for four at 8 o’clock. Name of Mr. Smith.” / “Please solve this puzzle.” / “O.K., Mr. Smith” / “O.K.”]

Intuition
Suppose:
- A puzzle takes an hour to solve
- There are 40 tables in restaurant
- Reserve at most one day in advance

The client puzzle protocol
[Figure: Client, Server, Buffer. Service request R / “O.K.”]

What does a puzzle look like?

Puzzle basis: partial hash inversion
[Figure: pre-image X (160 bits) -> hash -> image Y; partial-image X’ with k bits marked “?”]
Pair (X’, Y) is k-bit-hard puzzle

Puzzle construction
[Figure: Client, Service request R, Server, Secret S]

Puzzle construction
Server computes:
[Figure: secret S, time T, request R -> hash -> pre-image X -> hash -> image Y; Puzzle]
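The puzzle construction and partial hash inversion from the slides above, as an added example that is not code from the presentation or from Juels and Brainard: the server derives X from (S, T, R), publishes X with k bits withheld plus Y = hash(X), and later checks a solution by recomputing X. HMAC-SHA-256 in place of the 160-bit hash on the slide, the 60-second lifetime, the replay set and all names are assumptions.

```python
import hashlib
import hmac
import os


class PuzzleServer:
    """Issues and checks k-bit-hard puzzles without storing one per request."""

    def __init__(self, k=12, max_age=60, secret=None):
        self.k = k                              # bits withheld from X (difficulty)
        self.max_age = max_age                  # seconds a puzzle stays valid (assumed)
        self.secret = secret or os.urandom(32)  # secret S, never leaves the server
        # Solutions already accepted; entries older than max_age can be dropped.
        self.redeemed = set()

    def _preimage(self, t, request):
        # X = hash(S, T, R). HMAC-SHA-256 stands in for the slide's 160-bit hash.
        msg = t.to_bytes(8, "big") + request
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def issue(self, request, now):
        """Return (T, X', Y): X' is X with its low k bits zeroed, Y = hash(X)."""
        x = self._preimage(now, request)
        y = hashlib.sha256(x).digest()
        masked = (int.from_bytes(x, "big") >> self.k) << self.k
        return now, masked.to_bytes(len(x), "big"), y

    def verify(self, request, t, solution, now):
        """Recompute X from (S, T, R): one hash for the server, no table lookup."""
        if not 0 <= now - t <= self.max_age:
            return False                        # expired or future-dated puzzle
        if solution in self.redeemed:
            return False                        # same solution presented twice
        if not hmac.compare_digest(self._preimage(t, request), solution):
            return False                        # wrong X, or X for another request
        self.redeemed.add(solution)
        return True


def solve(partial, y, k):
    """Client side: try the 2**k candidates for the withheld bits.

    Returns (X, hashes_spent); the client pays up to 2**k hashes, the server one."""
    base = int.from_bytes(partial, "big")
    for guess in range(1 << k):
        candidate = (base | guess).to_bytes(len(partial), "big")
        if hashlib.sha256(candidate).digest() == y:
            return candidate, guess + 1
    raise ValueError("no pre-image matches: puzzle was altered")


if __name__ == "__main__":
    server = PuzzleServer(k=16)
    request = b"SYN 198.51.100.7:40001 -> 192.0.2.10:443"   # constructed request R
    t, partial, y = server.issue(request, now=1_000)
    solution, work = solve(partial, y, server.k)
    print("client hashes:", work)
    print("accepted:", server.verify(request, t, solution, now=1_005))
```

Raising k by one doubles the client's expected work while the server's verification cost stays at a single hash, which is the asymmetry the restaurant analogy describes.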

Puzzles cannot always be used
- The attack may be performed on Phones, SMS, MMS or physical e-mail
- It may not be possible to add puzzles
- Sometimes, the adversary will be more powerful than normal users (e.g., computer vs. cell phone.)


Presented to Dr Loa’e Al-Tawalbeh
Executed by Mohammed Hussain
Course intrusion detection and hacker exploits
Winter jan-2007

