DENIAL OF SERVICE(DOS) Prepared By: Ram Chandra Bhushan M.Tech(ICT) 10IT61B07 IIT Kharagpur 1.

Date post: 22-Dec-2015

DENIAL OF SERVICE (DOS)

Prepared By: Ram Chandra Bhushan
M.Tech (ICT), 10IT61B07
IIT Kharagpur


Presentation Overview

• INTRODUCTION
  – Attack
  – Where it lies?
• Overview of DoS
  – Symptoms and manifestations
  – Background Information: Denial of Service Attacks
  – Classification of Denial of Service Attacks
  – Countermeasures for Denial of Service Attacks
  – Denial of Service Attacks Shortfalls
• DDoS (Distributed Denial of Service)
  – Distributed Denial of Service Attacks
  – Distributed Denial of Service Attack Architecture
  – Widely Used Distributed Denial of Service Tools
    • Trinoo
    • TFN/TFN2K
    • Stacheldraht
• Trinoo
  – How it’s done?
  – Password protection


Presentation Overview (Contd.)

  – Login to Master
  – Master and Daemon
  – Master Commands
  – Daemon Commands
• DDoS Case Study: GRC.com
  – GRC.com Network
  – Difficulty in getting help
  – GRC’s Infiltration
  – GRC’s Infiltration Network
  – GRC.COM Attack Network Setup
  – GRC.COM Attack Network Attacking
• Defending Against DDoS Attacks
  – Three Lines of Defence
  – Attack: Detection and filtering
  – Attack: Source Trace back
• Conclusion
• Notes and References


ATTACK

• An attack is anything which causes harm.
• As an asset, information needs to be secured from attacks.
• To be secured we need three things to happen:
  – Confidentiality: hidden from unauthorized access
  – Integrity: protected from unauthorized changes
  – Availability: available when it is needed


Where it lies?

• Attacks are broadly categorized in two distinct types:
  – Cryptanalytic attacks
    • Applies mathematical techniques to obtain the key better than a brute force search (try all possibilities)
  – Non-cryptanalytic attacks


Symptoms and manifestations

• The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-of-service attacks to include:
  – Unusually slow network performance (opening files or accessing web sites)
  – Unavailability of a particular web site
  – Inability to access any web site
  – Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)


Background Information: Denial of Service Attacks

• Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources.
• Flooding-based
  • Traditional DoS
    – One attacker
  • Distributed DoS
    – Countless attackers
• DoS Attacks Affect:
  – Software Systems
  – Network Routers/Equipment
  – Servers and End-User PCs


Classification of DoS Attacks

Attack: Network Level Device
  Affected Area: Routers, IP Switches, Firewalls
  Example: Ascend Kill II, “Christmas Tree Packets”
  Description: Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.

Attack: OS Level
  Affected Area: Equipment Vendor OS, End-User Equipment
  Example: Ping of Death, ICMP Echo Attacks, Teardrop
  Description: Attack takes advantage of the way operating systems implement protocols.

Attack: Application Level Attacks
  Affected Area: Finger Bomb
  Example: Finger Bomb, Windows NT RealServer G2 6.0
  Description: Attack a service or machine by using an application attack to exhaust resources.

Attack: Data Flood (Amplification, Oscillation, Simple Flooding)
  Affected Area: Host computer or network
  Example: Smurf Attack (amplifier attack), UDP Echo (oscillation attack)
  Description: Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.

Attack: Protocol Feature Attacks
  Affected Area: Servers, Client PC, DNS Servers
  Example: SYN (connection depletion)
  Description: Attack in which “bugs” in protocol are utilized to take down network resources. Methods of attack include: IP address spoofing, and corrupting DNS server cache.


Countermeasures for DoS Attacks

Attack: Network Level Device
  Countermeasure Options: Software patches, packet filtering
  Example: Ingress and Egress Filtering
  Description: Software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network.

Attack: OS Level
  Countermeasure Options: SYN Cookies, drop backlog connections, shorten timeout time
  Example: SYN Cookies
  Description: Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks.

Attack: Application Level Attacks
  Countermeasure Options: Intrusion Detection System
  Example: GuardDog, other vendors
  Description: Software used to detect illicit activity.

Attack: Data Flood (Amplification, Oscillation, Simple Flooding)
  Countermeasure Options: Replication and Load Balancing
  Example: Akamai/Digital Island provide content distribution.
  Description: Extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks.

Attack: Protocol Feature Attacks
  Countermeasure Options: Extend protocols to support security
  Example: IETF standard for itrace, DNSSEC
  Description: Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.
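The OS-level row names SYN cookies as the answer to the SYN connection-depletion attack. The Python below is an added example, not code from the slides or from any operating system's TCP stack: it shows the mechanism in miniature. The server folds a keyed hash of the connection's 4-tuple, a coarse time counter and an MSS index into the initial sequence number it sends in the SYN-ACK, keeps nothing, and later validates the client's final ACK from the packet alone, so a flood of SYNs cannot fill a backlog queue. The secret, the MSS table and the 64-second counter are assumptions of this example.

```python
import hashlib
import hmac

# Constructed server secret for this example; a real stack derives and rotates its own (assumption).
SERVER_SECRET = b"constructed-example-secret"

# A few MSS values encoded in 3 bits of the cookie; the specific table is an assumption of this example.
MSS_TABLE = [536, 1220, 1440, 1460]


def _counter(now: float) -> int:
    """Coarse time counter (64-second steps); old cookies expire when the counter moves on."""
    return int(now) // 64


def _mac(src_ip, src_port, dst_ip, dst_port, counter) -> int:
    """Keyed hash over the 4-tuple and the time counter, truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now) -> int:
    """Server side: compute the initial sequence number for the SYN-ACK.
    32-bit layout: 5 bits of time counter | 3 bits MSS index | 24 bits of (MAC + client ISN).
    Nothing is stored per half-open connection."""
    counter = _counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    low = (_mac(src_ip, src_port, dst_ip, dst_port, counter) + client_isn) & 0xFFFFFF
    return ((counter % 32) << 27) | (mss_idx << 24) | low


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, seq_num, ack_num, now):
    """Server side, on the final ACK: rebuild the cookie from the packet alone and compare.
    Returns the MSS recorded in the cookie, or None if the cookie is forged or stale."""
    client_isn = (seq_num - 1) & 0xFFFFFFFF   # the ACK's sequence number is client_isn + 1
    cookie = (ack_num - 1) & 0xFFFFFFFF       # the ACK acknowledges our ISN + 1
    counter_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    low = cookie & 0xFFFFFF
    current = _counter(now)
    for counter in (current, current - 1):    # accept the current and the previous window only
        if counter % 32 != counter_bits:
            continue
        expected = (_mac(src_ip, src_port, dst_ip, dst_port, counter) + client_isn) & 0xFFFFFF
        if hmac.compare_digest(expected.to_bytes(3, "big"), low.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def handshake_demo(now=1_700_000_000.0):
    """Constructed client/server addresses. Returns (valid, forged, stale) verification results."""
    client, server = ("203.0.113.7", 40000), ("192.0.2.10", 80)
    client_isn = 1000
    cookie = make_syn_cookie(*client, *server, client_isn, 1460, now)
    valid = check_syn_cookie(*client, *server, client_isn + 1, cookie + 1, now + 5)
    forged = check_syn_cookie(*client, *server, client_isn + 1, cookie + 2, now + 5)
    stale = check_syn_cookie(*client, *server, client_isn + 1, cookie + 1, now + 600)
    return valid, forged, stale


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

A forged or stale ACK fails verification, as handshake_demo shows. The cost of the classic scheme, which the table does not mention, is that TCP options not encoded in the cookie are lost for connections established this way, which is why stacks enable cookies only once the backlog is under pressure.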


DoS Shortfalls

• New distributed server architecture makes it harder for one DoS to take down an entire site.
• New software protections neutralize existing DoS attacks quickly.
• Service Providers know how to prevent these attacks from affecting their networks.
• Most current IDSs detect the current generation of tools.


Distributed Denial of Service Attacks

• A DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets (the victim’s network).
• A DDoS master program is installed on one computer using a stolen account.
• Many sources (“daemons”) are used for attacking traffic.
• The master program communicates with any number of "agent" programs, installed on computers anywhere on the Internet.
• The attacker uses the “master” machines to control the daemons or agents.
• The agents, when they receive the command, initiate the attack.


DDoS Architecture (diagram not reproduced in the transcript)


Widely Used DDoS Programs

• Trinoo
  – attacker uses TCP; masters and daemons use UDP; password authentication
• Tribe Flood Network
  – attacker uses shell to invoke master; masters and daemons use ICMP ECHOREPLY
• TFN2K
• stacheldraht (barbed wire)
  – attacker uses encrypted TCP connection to master; masters and daemons use TCP and ICMP ECHO REPLY; rcp used for auto-update.


Trinoo

• Discovered in August 1999
• First DDoS tool widely available.
• Daemons found on Solaris 2.x systems
• Attacked a system at the University of Minnesota
• Victim unusable for 2 days
• Uses a UDP flooding attack strategy.
• TCP connectivity between master and hosts.
• UDP connectivity between master and agents.
• Trinoo is famous for allowing attackers to leave a message in a folder called cry_baby. The file is self-replicating and is modified on a regular basis as long as port 80 is active.


How it's done?

• Using a compromised host, the attacker compiles a list of machines that can be compromised.
• As soon as the list of machines that can be compromised has been compiled, scripts are run to compromise them and convert them into Trinoo Masters or Daemons.
• A new script is written to automatically install the trinoo daemon on the selected systems. Some systems will fail to install, but all successful installations create the attacking network.
• One Master can control multiple Daemons.
• The Daemons are the compromised hosts that launch the actual UDP floods against the victim machine.
• The DDoS attack is launched when the attacker issues a command on the Master hosts. The Masters instruct every Daemon to start a DoS attack against the IP address specified in the command.


How it's done? (Contd.)

• Remote control to the master is set up via TCP port 27665. The master system can communicate with the agents via UDP on port 27444 and the agents send responses to the master on UDP port 31335.
• Master and Agents are password protected.
• Commands are three-letter codes stored in the binary so that they won’t show up as strings.

[Diagram: Attacker -> (TCP port 27665) -> Master -> (UDP port 27444) -> Daemon; Daemon -> (UDP port 31335) -> Master]


Password protection

• Password used to prevent administrators or other hackers from taking control
• Encrypted password compiled into master and daemon using crypt()
• Default passwords
  – “l44adsl” – trinoo daemon password
  – “gOrave” – trinoo master server startup
  – “betaalmostdone” – trinoo master remote interface password
  – “killme” – trinoo master password to control “mdie” command


Login to master

• Telnet to port 27665 of the host with master
• Enter password “betaalmostdone”
• Warn if others try to connect to the master
• Commands and execution:

    [root@r2 root]# telnet r1 27665
    Trying 192.168.249.201...
    Connected to r1.router (192.168.249.201).
    Escape character is '^]'.
    betaalmostdone
    trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
    trinoo>


Master and daemon

• Communicate by UDP packets
• Command line format
  – arg1 password arg2
• Default password is “l44adsl”
• When daemon starts, it sends “HELLO” to master
• Master maintains list of daemons


Master commands

• dos IP
  – DoS the IP address specified
  – “aaa l44adsl IP” sent to each daemon
• mdos <ip1:ip2:ip3>
  – DoS the IPs simultaneously
• mtimer N
  – Set attack period to N seconds
• bcast
  – List all daemons’ IPs
• mdie password
  – Shutdown all daemons
• killdead
  – Invite all daemons to send “HELLO” to master
  – Delete all dead daemons from the list


Daemon commands

• Not directly used; only used by master to send commands to daemons

• Consist of 3 letters

– Avoid exposing the commands by using Unix command “strings” on the binary

• aaa password IP

– DoS specified IP

• bbb password N

– Set attack period to N seconds

• rsz password N

– Set attack packet size to N bytes
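The port numbers on the "How it's done? (Contd.)" slide and the command format on the master and daemon slides give a defender a concrete set of network indicators. The Python below is an added example, not part of the presentation and not taken from any IDS product: it applies those indicators to a constructed packet capture (RFC 5737 documentation addresses, payloads built to the slides' "aaa password IP" format) and then infers which host is acting as attacker, master or daemon from the control ports it uses. The record layout and the sample capture are assumptions of this example.

```python
import re
from collections import defaultdict

# Control-channel ports as listed on the slides.
MASTER_CONTROL_TCP = 27665    # attacker -> master (telnet-style remote interface)
MASTER_TO_DAEMON_UDP = 27444  # master -> daemon commands
DAEMON_TO_MASTER_UDP = 31335  # daemon -> master replies ("HELLO")

# Daemon command grammar from the slides: "<3-letter cmd> <password> <arg>".
DAEMON_CMD_RE = re.compile(rb"^(aaa|bbb|rsz) \S+ \S+$")
# Banner printed by the master's remote interface (see the "Login to master" slide).
MASTER_BANNER_RE = re.compile(rb"trinoo v[0-9.]+")


def classify_packet(pkt):
    """Return the list of (rule, detail) matches for one packet record; [] means no Trinoo indicator."""
    hits = []
    proto, dport, payload = pkt["proto"], pkt["dport"], pkt.get("payload", b"")
    if proto == "tcp" and dport == MASTER_CONTROL_TCP:
        hits.append(("master-control-port", f"tcp/{dport}"))
    if proto == "tcp" and MASTER_BANNER_RE.search(payload):
        hits.append(("master-banner", payload.decode(errors="replace").strip()))
    if proto == "udp" and dport == MASTER_TO_DAEMON_UDP:
        hits.append(("master-to-daemon-port", f"udp/{dport}"))
        m = DAEMON_CMD_RE.match(payload.strip())
        if m:
            hits.append(("daemon-command", m.group(1).decode()))
    if proto == "udp" and dport == DAEMON_TO_MASTER_UDP:
        hits.append(("daemon-to-master-port", f"udp/{dport}"))
        if b"HELLO" in payload:
            hits.append(("daemon-hello", "daemon registering with master"))
    return hits


def scan(packets):
    """Run every packet through the rules; return one alert tuple per match."""
    return [(p["src"], p["dst"], rule, detail)
            for p in packets for rule, detail in classify_packet(p)]


def infer_roles(packets):
    """Attribute attacker/master/daemon roles to hosts from the control ports they talk on."""
    roles = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["dport"] == MASTER_CONTROL_TCP:
            roles[p["src"]].add("attacker"); roles[p["dst"]].add("master")
        elif p["proto"] == "udp" and p["dport"] == MASTER_TO_DAEMON_UDP:
            roles[p["src"]].add("master"); roles[p["dst"]].add("daemon")
        elif p["proto"] == "udp" and p["dport"] == DAEMON_TO_MASTER_UDP:
            roles[p["src"]].add("daemon"); roles[p["dst"]].add("master")
    return {host: sorted(r) for host, r in roles.items()}


# Constructed capture (documentation addresses); payloads follow the slides' command format.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51000, "dst": "192.0.2.20", "dport": 27665,
     "payload": b"betaalmostdone\r\n"},
    {"proto": "tcp", "src": "192.0.2.20", "sport": 27665, "dst": "198.51.100.9", "dport": 51000,
     "payload": b"trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]\r\ntrinoo> "},
    {"proto": "udp", "src": "192.0.2.20", "sport": 40123, "dst": "192.0.2.31", "dport": 27444,
     "payload": b"aaa l44adsl 203.0.113.5"},
    {"proto": "udp", "src": "192.0.2.31", "sport": 40999, "dst": "192.0.2.20", "dport": 31335,
     "payload": b"HELLO"},
    {"proto": "udp", "src": "192.0.2.50", "sport": 53, "dst": "192.0.2.60", "dport": 53,
     "payload": b"ordinary dns reply"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
    print(infer_roles(SAMPLE_PACKETS))
```

Port-based rules are the cheapest to deploy and the easiest for a rebuilt tool to evade, which is why the payload rules (command grammar, banner, "HELLO") are kept separate: a hit on both kinds at the same host pair is far stronger evidence than either alone, and infer_roles turns a handful of such hits into the master and daemon list a responder needs.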


DDoS Case Study: GRC.com

• Gibson Research Corporation
• Provides free internet security testing software: Shields Up, LeakTest, etc.
• Attacked in May 2001 by a DDoS attack.
• May 4, 2001, GRC.COM dropped off of the Internet.
• GRC identified that it was the victim of a DoS attack.
• GRC firewall and router were able to stop flood traffic from affecting GRC equipment, but lines were completely used up.


GRC.com Network

[Diagram: Internet -> Verio Router -> GRC.COM Firewall/Router, 100 Mbps links]


Difficulty in Getting Help Stopping DDoS Attacks

• GRC contacts Earthlink but receives no help.
• GRC contacts @Home (over 100 @Home PCs were identified as hosts for the attack). @Home however did not want to help.
• FBI unable to help GRC either.
• GRC then receives an anonymous e-mail in their web-based Spyware drop box which contains the “Zombie” (DDoS Daemon).


GRC.COM Case Study: GRC’s Infiltration

• GRC sets up “Sitting Duck” dummy computer running DDoS daemon to see what happens (see next slide).

• “Sitting Duck” successfully connects to IRC chat server, gets instructions to attack a system in Finland.

• GRC disables the packet generation feature of “Sitting Duck” so no malicious packets will be sent.

• GRC writes an IRC chat Zombie to enter IRC servers where hackers communicate/trade Zombie DDoS tools.

• GRC communicates with hackers to “lay off”.


GRC’s Infiltration Network (diagram not reproduced in the transcript)


GRC.COM Attack Network Setup (diagram not reproduced in the transcript)


GRC.COM Attack Network Attacking

[Diagram: Attacker -> IRC Servers -> Internet -> Verio Router -> T1 Trunks -> GRC.COM]
1. Attacker issues command to attack GRC.COM
2. Each DDoS daemon begins to attack the selected website.


Defending Against DDoS Attacks

• The biggest barrier in defending against DDoS attacks is the lack of economic incentives for Internet users to cooperate. Sample research by icsa.net shows that less than 15 percent of all corporate users are filtering source IP addresses. An even smaller percentage of Internet service providers (less than 8 percent) are doing this type of filtering.
• Improving the security of all relevant devices
• User-level traffic control
• Block certain types of packets
• Block packets by source address
• Derive attack signatures for the harmful packets
• IP Tracing
• Server level traffic monitor and Class Based Queuing


Three lines of defense:

1. Attack prevention: before the attack
2. Attack detection and filtering: during the attack
3. Attack source traceback: during and after the attack

Attack prevention

• Protect hosts from installation of masters and agents by attackers
• Scan hosts for symptoms of agents being installed
• Monitor network traffic for known message exchanges among attackers, masters, agents
• Inadequate and hard to deploy


Attack detection and filtering

• Detection
  – Identify DDoS attack and attack packets
• Filtering
  – Classify normal and attack packets
  – Drop attack packets
• Can be done in 4 places
  – Victim’s network
  – Victim’s ISP network
  – Further upstream ISP network
  – Attack source networks
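The detection and filtering slide lists the steps (identify the attack, classify packets, drop the attack packets), and the "Defending Against DDoS Attacks" slide names two filtering rules: blocking by source address and deriving attack signatures for the harmful packets. The Python below is an added example, not from the presentation: it runs those steps over a constructed one-second capture that contains a UDP flood of the kind the Trinoo daemons generate plus two packets that spoof the victim's own prefix, and shows what a filter at the victim's network edge can decide from that alone. The prefix, the per-second threshold and the record layout are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Constructed parameters: the victim's own address block and the per-second flood threshold.
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")
FLOOD_PPS_THRESHOLD = 50


def flow_key(pkt):
    """Aggregate by destination, protocol, destination port and one-second window."""
    return (pkt["dst"], pkt["proto"], pkt["dport"], int(pkt["ts"]))


def is_spoofed_ingress(pkt):
    """Ingress filter at the Internet-facing edge: a packet arriving from outside that carries
    one of our own addresses as its source cannot be genuine."""
    return ipaddress.ip_address(pkt["src"]) in OUR_PREFIX


def detect_floods(packets, threshold=FLOOD_PPS_THRESHOLD):
    """Detection step: {flow_key: count} for every window whose packet count exceeds the threshold."""
    counts = Counter(flow_key(p) for p in packets)
    return {k: n for k, n in counts.items() if n > threshold}


def derive_signature(packets, key):
    """Signature step: the attributes every packet in the flagged window shares. Source addresses are
    deliberately left out, because a flood from many (possibly spoofed) sources has no single source."""
    hits = [p for p in packets if flow_key(p) == key]
    dst, proto, dport, _ = key
    sig = {"dst": dst, "proto": proto, "dport": dport}
    sizes = {p["size"] for p in hits}
    if len(sizes) == 1:
        sig["size"] = sizes.pop()
    return sig


def filter_packets(packets, signatures):
    """Filtering step: drop spoofed packets and packets matching an attack signature; keep the rest."""
    kept, dropped = [], []
    for p in packets:
        spoofed = is_spoofed_ingress(p)
        matched = any(all(p.get(k) == v for k, v in sig.items()) for sig in signatures)
        (dropped if spoofed or matched else kept).append(p)
    return kept, dropped


def build_sample():
    """Constructed one-second capture: a 60-packet UDP flood of identical size to 192.0.2.10:7 from
    forty outside sources, five normal HTTP packets, and two outside packets spoofing our own prefix."""
    pkts = [{"ts": 100.0 + i / 60, "src": f"203.0.113.{i % 40 + 1}", "dst": "192.0.2.10",
             "proto": "udp", "dport": 7, "size": 1024} for i in range(60)]
    pkts += [{"ts": 100.0 + i / 5, "src": f"198.51.100.{i + 1}", "dst": "192.0.2.10",
              "proto": "tcp", "dport": 80, "size": 60 + i} for i in range(5)]
    pkts.append({"ts": 100.2, "src": "192.0.2.77", "dst": "192.0.2.10",
                 "proto": "tcp", "dport": 80, "size": 60})
    pkts.append({"ts": 100.4, "src": "192.0.2.78", "dst": "192.0.2.10",
                 "proto": "udp", "dport": 53, "size": 90})
    return pkts


def run(packets=None):
    """Detect -> derive signatures -> filter. Returns (floods, signatures, kept_count, dropped_count)."""
    packets = build_sample() if packets is None else packets
    floods = detect_floods(packets)
    sigs = [derive_signature(packets, k) for k in floods]
    kept, dropped = filter_packets(packets, sigs)
    return floods, sigs, len(kept), len(dropped)


if __name__ == "__main__":
    print(run())
```

The spoof check is only meaningful at the boundary where the expected source range is known, which is the slide's point about the four places filtering can be done: at the victim's edge it can reject the victim's own prefix, while at the attack source networks the same idea (egress filtering) would reject everything outside that network's prefix and stop the spoofed packets from leaving at all.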


Attack source trace back

• Identify actual origin of packet
• Without relying on source IP of packet
• 2 approaches
  – Routers record info of packets
  – Routers send additional info of packets to destination
• Source traceback cannot stop ongoing DDoS attack
  – Cannot trace origins behind firewalls, NAT (network address translators)
  – More to do for reflector attack (attack packets from legitimate sources)
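The slide states the second traceback approach, routers sending additional information to the destination, in a single line. The simulation below is an added example, not from the presentation; it follows the probabilistic packet marking idea (each router on the path overwrites a mark field with its own identity with a small probability, and routers after it count the hops) and shows how the victim rebuilds the router path from many marked packets without consulting any source address. The topology, the marking probability and the mark format are assumptions of this example.

```python
import random
from collections import Counter, defaultdict

# Constructed topology: routers between the attack source and the victim, source side first.
PATH = ["R1", "R2", "R3", "R4", "R5"]
MARK_PROB = 0.2   # assumption: each router marks a packet with this probability


def forward(path, rng, p=MARK_PROB):
    """Simulate one packet crossing the path. A router that decides to mark writes (its id, 0) into
    the packet's mark field; every later router that does not mark increments the distance instead,
    so the victim sees (router, hops between that router and the last router). Returns the mark or None."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = [router, 0]
        elif mark is not None:
            mark[1] += 1
    return tuple(mark) if mark else None


def simulate(n_packets, seed=1, path=PATH, p=MARK_PROB):
    """Marks collected by the victim over n_packets attack packets (deterministic for a given seed)."""
    rng = random.Random(seed)
    return [forward(path, rng, p) for _ in range(n_packets)]


def reconstruct(marks):
    """Victim side: for each distance take the router named most often, then order from farthest
    (closest to the source) to nearest. Source IP addresses are never consulted."""
    votes = defaultdict(Counter)
    for m in marks:
        if m is not None:
            router, dist = m
            votes[dist][router] += 1
    if not votes:
        return []
    nearest_first = [votes[d].most_common(1)[0][0] if votes.get(d) else "?"
                     for d in range(max(votes) + 1)]
    return nearest_first[::-1]


if __name__ == "__main__":
    marks = simulate(2000)
    print(sum(m is not None for m in marks), "of", len(marks), "packets carried a mark")
    print(reconstruct(marks))   # ['R1', 'R2', 'R3', 'R4', 'R5']
```

The reconstructed list ends at the first router; whatever sits behind it (the host, or the NAT or firewall the slide mentions) appears in no mark, which is the limitation the slide states. Nor does reconstruction reduce the flood: it tells the victim which upstream network to ask for filtering, and it needs many packets, which an ongoing flood supplies in abundance but a low-rate attack does not.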


Conclusion

• DDoS attacks are a complex and serious problem, affecting not only a victim but the victim’s legitimate clients
• DDoS defense approaches are numerous; we need to learn how to combine the approaches to completely solve the problem
• The Internet community must cooperate to counter the threat: global deployment of defense mechanisms


References

1. Karig, David and Ruby Lee. Remote Denial of Service Attacks and Countermeasures. Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
2. Kargl, Frank, Joern Maier, and Michael Weber. Protecting Web Servers from Distributed Denial of Service Attacks. WWW10, May 1-5, Hong Kong. ACM 1-58113-348-0/01/0005.
3. Stein, Lincoln. The World Wide Web Security FAQ, Version 3.1.2, February 4, 2002. http://www.s3.org/security/faq/ (visited on October 1, 2002).
4. Dittrich, David. The DoS Project’s “trinoo” Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (visited on October 1, 2002).
5. Dittrich, David. The “Tribe Flood Network” Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (visited on October 1, 2002).
6. Dittrich, David. The “stacheldraht” Distributed Denial of Service Attack Tool. University of Washington, December 31, 1999. http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt (visited on October 1, 2002).
7. Gibson, Steve. The Strange Tale of the Denial of Service Attacks Against GRC.com. Gibson Research Corporation, March 5, 2002. http://grc.com/dos/grcdos.htm
8. Daniels, Thomas E. and Eugene H. Spafford. Network Traffic Tracking Systems: Folly in the Large? Center for Education and Research in Information Assurance and Security (CERIAS), Lafayette, IN, 2001.
9. Chang, R. “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” October 2002.


Thank You
