
Denial of services : limiting the threat

Date post: 13-Nov-2014
Upload: sensepost
Description:
Presentation by Charl van der Walt at INFO SEC Africa 2001. The presentation begins with a case study of the DoS attack launched against a number of high-profile sites by the Canadian teen "Mafiaboy". An explanation of DoS and DDoS is given. The impact of DDoS in South Africa is also discussed. The presentation ends with a series of discussions on DDoS countermeasures.
Transcript
Page 1

INFO SEC AFRICA
Limiting the threat of Denial of Service Attacks
February 2001
© charl van der walt, www.sensepost.com

Denial of Service: Limiting the Threat

Page 2

AGENDA

1. CASE STUDY
   Wake up call, February 2000

2. THE BASICS
   Understanding the 'Net
   Understanding DoS

3. THE NEW KID ON THE BLOCK - HELLO DDoS
   Introducing Co-ordinated Distributed Attacks
   Profile of a typical attack
   Common DDoS attack tools

4. DEFENDING YOURSELF & YOUR FRIENDS
   Strategies for availability
   Join the team - global defense efforts
   Getting greasy

5. RESPONDING TO DoS ATTACKS
   What to do when your number's up

6. THE BOTTOM LINE
   Questions & Conclusions

Page 3

Hi! All about me.

Page 4

Introduction

• About me

• SensePost

• Objective

• Approach

• References:
  – http://www.sensepost.com

[email protected]

[email protected]

"Discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention."
- Charles Tomlinson, Rudimentary Treatise on the Construction of Locks, 1850

Page 5

Ooh! The scary stuff ("Die bang-maak goed")

Page 6

February Fun

Page 7

February Fun

• Major attack launched between February 7 and 14, 2000
• Approximately 1,200 sites affected
• Including a number of high profile sites:
  – CNN.com, Yahoo, eBay, Amazon, Dell, Buy.com
• Simple bandwidth usage
• Yahoo! attack lasted from about 10:30 a.m. till 1 p.m.
  – requests totaled roughly 1 gigabit per second
• Canadian teen "Mafiaboy" arrested in April
  – pleads guilty to 55 charges in Montreal, November 2000
  – Faces 2 years & US$650

Page 8

February Fun - the aftermath

• FBI estimates that DoS attacks during February 2000 cost $1.2 billion
• eBay's share price fell 25% the day after its website was taken down, costing them a total of US$1.2bn. They reportedly spent US$100 000 in securing their site against further attacks.

Page 9

Future Imperfect - predictions 2001

Peter G. Neumann, SRI International

We are likely to see some organized, possibly collaborative, attacks that do some real damage, perhaps to our critical infrastructures, perhaps to our financial systems, perhaps to government systems all of which have significant vulnerabilities.

Page 10

Future Imperfect - predictions 2001

Bruce Moulton, Fidelity Investments

Hacktivism and other cyber attacks emanating from countries with weak or non-existent legal sanctions and investigative capabilities will escalate. This is likely to be the root of at least one headline-grabbing cyber incident (much bigger than DDOS or LoveBug) that will send a loud wake-up call to the commercial sector.

Page 11

Future Imperfect - predictions 2001

Marcus H. Sachs, US Department of Defense

2001 will also see continued development of distributed denial of service attack networks. These attack networks will no longer rely on manual establishment by the attacker, but will automatically establish themselves through the use of mobile code and html scripting.

Page 12

The Nuts & Bolts Stuff

Page 13

Understanding the 'Net

Page 14

Understanding DoS

An attack that causes a service not to function as expected, thus denying the legitimate owner a fair return on investment.

"The real requirement is not quick recovery but the absence of outages"

"We talk today of 'Internet Time'; the Internet does not allow for delays"

Steven J. Ross, Information Systems Control, March 2000

Page 15

Why do DoS?

• Vandalism
• Revenge
• Political
• Economic
• Means of access
  – Crashed system in unpredictable state
  – As part of a spoofing attack
  – Some application may have holes at startup
• Firewalls
  – Keep the good guys out
  – Get stuff to run under Windows
  – Exploit startup services
    • bootp or boot-from-NIC

Page 16

How DoS works

• Resource consumption
  – Local or remote
  – Disk space, swap space, RAM, CPU, bandwidth, kernel space, cache
• System crash
  – Application error
  – Out of bound values
    • input, traffic etc.
    • divide by zero
  – Resource over-utilization
• Physical DoS

Page 17

Classical DoS examples

• Endless loops
  – Directory creation or nose-to-tail processes
• Viruses & worms
• Email bombing
• FTP malformed user
• IIS 3.0 "GET //"
• eEye buffer overflow (oops)
• Flood ping
• SYN flood
• Ping of Death
• WinNuke
• Teardrop

Page 18

DoS using Amplifiers - SMURF

check: www.netscan.org

Page 19

Revisiting SYN floods

• TCP connection is established via a 3-way handshake
  – SYN
  – SYN/ACK
  – ACK
• SYN flood is based on an incomplete handshake
  – SYN but no ACK
• TCP/IP stack adds an entry in a table in kernel memory for each SYN received
  – Waits a while before deleting the entry
  – Can't accept connections when the table is already full
• A heavy flood can prevent legitimate connections.
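The table-exhaustion mechanism described on this slide, as an added worked example that is not part of the original deck: a toy listen socket keeps one half-open entry per SYN until the matching ACK arrives or a timeout expires, and a burst of SYNs from unreachable (spoofed) sources fills the table so that a legitimate client is refused until the entries age out. The backlog size, timeout and addresses are constructed for the demonstration.

```python
"""Toy model of the kernel's half-open connection table under a SYN flood.

Added example, not from the original slides. The backlog size, timeout and
addresses are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class ListenSocket:
    backlog: int                     # entries the half-open table can hold
    syn_timeout: float               # seconds an entry waits for the final ACK
    half_open: dict = field(default_factory=dict)   # (src, sport) -> time of SYN
    established: list = field(default_factory=list)
    dropped_syns: int = 0

    def expire(self, now: float) -> None:
        """Forget half-open entries whose wait time has run out."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.syn_timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        """First handshake packet: allocate a table entry, or drop the SYN if full."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src: str, sport: int, now: float) -> bool:
        """Third handshake packet: promote the entry to an established connection."""
        self.expire(now)
        if (src, sport) not in self.half_open:
            return False                 # no matching SYN (expired or never stored)
        del self.half_open[(src, sport)]
        self.established.append((src, sport))
        return True


def simulate_flood(backlog: int = 128, flood_size: int = 1000,
                   syn_timeout: float = 75.0) -> dict:
    """Spoofed SYNs never get their ACK, so each pins a table entry until it
    times out; a legitimate client is refused until then."""
    sock = ListenSocket(backlog=backlog, syn_timeout=syn_timeout)
    # Constructed flood: every SYN from a different unreachable source.
    for i in range(flood_size):
        sock.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now=0.0)
    table_full = len(sock.half_open) == backlog

    # A real client tries during the flood (t = 1 s) ...
    client = "192.0.2.10"
    during = (sock.on_syn(client, 40000, now=1.0)
              and sock.on_ack(client, 40000, now=1.1))
    # ... and again once the half-open entries have expired.
    later = syn_timeout + 1.0
    after = (sock.on_syn(client, 40001, now=later)
             and sock.on_ack(client, 40001, now=later + 0.1))
    return {"table_full": table_full,
            "dropped_syns": sock.dropped_syns,
            "legit_accepted_during_flood": during,
            "legit_accepted_after_timeout": after}
```

With the defaults the attacker needs only 128 packets to lock out new clients for the full 75-second wait, which is why the later slides talk about rate limiting SYNs at the router and about replacing the table with hashed cookies.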

Page 20

New Kid on the block - DDoS

Page 21

Profile of a typical attack

• Initiate a scan phase in which a large number of hosts (100,000 or more) are probed for a known vulnerability.
• Compromise the vulnerable hosts to gain access.
• Rootkit
• Install the tool on each host.
• Use the compromised hosts for further scanning and compromises.
• Via automated processes a single host can be compromised in under 5 seconds

Page 22

Building an attack network

• August 1999, a trinoo network of 2,200 systems used against the University of Minnesota and others
• Assuming 3 to 6 seconds per host, with pre-selection of the target systems, gives 2 - 4 hours to set up

Page 23

Common DDoS tools

• Trin00
  – First generation
  – UDP flood attack
  – Hardcoded password on daemon (no crypto)
  – 1524 & 27665 tcp, 27444 & 31335 udp
  – Ported to Windows
  – Cannot spoof (couldn't)
• Tribal Flood Network (TFN)
  – UDP flood, SYN flood, ping flood, SMURF
  – Capable of using spoofed source IPs
    • Random
  – Recent versions use Blowfish encryption on config files
  – ICMP ECHO and ICMP ECHO REPLY packets for communications

Page 24

Common DDoS tools

• Stacheldraht
  – Evolved system
  – Combines TFN & Trinoo
  – Encrypted comms & auto-update
  – 16660 & 65000 tcp
  – ICMP ECHO & ICMP ECHO REPLY
• Also:
  – Stacheldraht v2.666
  – TFN2K
  – shaft
  – mstream
• http://packetstorm.securify.com/distributed/
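One practical use of the port lists on these two tool slides, as an added example that is not part of the original presentation: match flow records against the trin00 and Stacheldraht ports named above, and separately look for the ICMP ECHO REPLY control channel that TFN and Stacheldraht use. The flow lines are constructed, and the echo-reply heuristic is this example's own rule, not something the slides state.

```python
"""Flag DDoS control traffic in flow records using the ports on these slides.

Added example, not part of the original deck. The port numbers are those the
slides give for trin00 and Stacheldraht; the flow lines and the ICMP
echo-reply heuristic are this example's own constructions.
"""
from collections import defaultdict

# (protocol, port) -> tool, taken from the slides' port lists.
TOOL_PORTS = {
    ("tcp", 1524): "trin00", ("tcp", 27665): "trin00",
    ("udp", 27444): "trin00", ("udp", 31335): "trin00",
    ("tcp", 16660): "Stacheldraht", ("tcp", 65000): "Stacheldraht",
}

# Constructed flow log, one record per line:
#   proto src sport dst dport packets
# For icmp records the third field carries the ICMP type instead of a port.
SAMPLE_FLOWS = """\
tcp 192.0.2.15 40112 203.0.113.80 80 12
udp 192.0.2.77 27444 198.51.100.23 27444 3
tcp 198.51.100.23 31240 192.0.2.77 27665 8
tcp 203.0.113.9 65000 192.0.2.31 16660 40
icmp 192.0.2.31 echo-reply 203.0.113.9 - 120
icmp 192.0.2.31 echo-reply 203.0.113.9 - 115
tcp 192.0.2.15 40113 203.0.113.80 443 30
"""


def parse_flows(text: str) -> list:
    """Split the constructed records into dicts."""
    flows = []
    for line in text.splitlines():
        proto, src, sport, dst, dport, pkts = line.split()
        flows.append({"proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "packets": int(pkts)})
    return flows


def match_tool_ports(flows: list) -> list:
    """Return (src, dst, tool) for every flow touching a known tool port."""
    hits = []
    for f in flows:
        for port in (f["sport"], f["dport"]):
            key = (f["proto"], int(port)) if port.isdigit() else None
            if key in TOOL_PORTS:
                hits.append((f["src"], f["dst"], TOOL_PORTS[key]))
                break
    return hits


def unsolicited_echo_replies(flows: list, min_packets: int = 100) -> list:
    """Heuristic of this example, not a rule from the slides: TFN and
    Stacheldraht carry commands in ICMP ECHO / ECHO REPLY, so a host sending
    many echo replies to a peer that never sent it echo requests is worth a look."""
    requests, replies = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "icmp":
            continue
        if f["sport"] == "echo-request":
            requests[(f["src"], f["dst"])] += f["packets"]
        elif f["sport"] == "echo-reply":
            replies[(f["src"], f["dst"])] += f["packets"]
    return [(src, dst, n) for (src, dst), n in replies.items()
            if n >= min_packets and requests[(dst, src)] == 0]
```

Port matching only catches the first-generation tools as shipped; the encrypted, ICMP-carried variants mentioned on the next slides are exactly why the second check looks at traffic shape rather than port numbers.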

Page 25

The challenge of DDoS

• You may be down
• Spoofed addresses
  – Technically difficult to trace
• Diverse network ownership
  – You don't control the infrastructure
  – Neither does your ISP
• Different time zones
  – Hello, is that Singapore?
• Language
  – Sprechen Sie Deutsch?
• National boundaries
• Differing legislation
• Protecting legitimate users
  – You can't block 196.4.160.0/16

Page 26

Boom! Assessing the impact

Page 27

What me worry?!

• Loss in productivity
• Human resources
  – Internal & external
• Loss of reputation
• Lost confidence
  – in your service & in e-business in general
• Lost transaction revenue
• Lost customer base
• Share price manipulation
  – Shareholders, staff, working capital
• Liability costs

Page 28

RSA DDoS (in the motherland)

• JSE-listed NetActive reportedly experienced two attacks in April 2000
• The Edcon group reportedly lost R1bn when a disgruntled programmer brought down 600 stores for a whole day
• irc.posix.co.za
  – January 2001
  – Classic SMURF
  – Killed the server
  – Affected all POSIX clients

Page 29

Whoah Cowboy!

icsa.net, February 2000:

„The Internet has now taken a drastic "hit" to its reliability and integrity due to the recent DDoS attacks. It is only through the cooperation and unification of all Internet users that we will find the solution-and stop DDoS from taking the Internet out from under our commerce, education, communities, and individuals.“

But has it really been all that bad?

Page 30

Pow! Fighting back

Page 31

DoS defense strategies

• Think global
• Plan for disaster
• Clean up your act:
  – Broadcasts
  – Ingress & egress filtering
  – Host security
  – Scanning & IDS
  – Logging
• Put pressure on your ISP:
  – Ingress & egress filtering
  – Policies & procedures
  – Logging
• Defend yourself
• Be honest
  – Share your experiences

Page 32

Ingress Filtering

• RFC 2267 (since superseded by RFC 2827 / BCP 38)
• Filter on the 'input' device of a router
• Eliminates source address spoofing from outside the filtered prefix (a host can still forge another address inside its own prefix)
  – Enables us to trace the attacker
• Restrict traffic to legitimate downstream networks
• Should be implemented at all levels
  – Core
  – ISP
  – Border
• Issues: special network services
  – Mobile IP
  – Layer 2 tunneling
  – IPSec
  – Special source addresses

Page 33

Egress Filtering

• RFC 1918
• Outbound interface
• Spoofed IPs (ingress)
• Implemented on border router
• Deny private & reserved source IP addresses
• Disable directed broadcasts
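The two filtering slides (ingress on page 32, egress on page 33) and the SMURF amplifier of page 18 come down to a handful of source- and destination-address checks at the border. The following is an added example, not from the deck and not vendor configuration, that models those checks in Python with the standard `ipaddress` module; 192.0.2.0/24 stands in for the site's own prefix, the two /25 subnets are assumed to be directly attached, and every packet is constructed.

```python
"""Border-router source/destination filtering (RFC 2267 ingress and egress,
RFC 1918 sources, directed broadcast) modelled in Python.

Added example; not from the slides and not router vendor code. Addresses are
constructed: 192.0.2.0/24 plays the site's own prefix.
"""
import ipaddress

OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # constructed site prefix
# RFC 1918 ranges plus loopback, link-local and unspecified space: none of
# these should appear as a source on a packet crossing the border.
BAD_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
# Directly attached subnets whose broadcast addresses a smurf attacker would
# aim at to use us as an amplifier (assumed topology).
ATTACHED_SUBNETS = [ipaddress.ip_network("192.0.2.0/25"),
                    ipaddress.ip_network("192.0.2.128/25")]


def _bad_source(src) -> bool:
    return any(src in net for net in BAD_SOURCES)


def ingress_filter(src: str, dst: str) -> tuple:
    """Inbound on the outside interface. Drop packets that claim to come from
    inside our own prefix, from private/reserved space, or that are aimed at
    the broadcast address of one of our subnets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in OUR_PREFIX:
        return (False, "spoofed: outside packet with our source address")
    if _bad_source(s):
        return (False, "private/reserved source address")
    if any(d == net.broadcast_address for net in ATTACHED_SUBNETS):
        return (False, "directed broadcast (smurf amplifier)")
    return (True, "permit")


def egress_filter(src: str, dst: str) -> tuple:
    """Outbound on the outside interface (RFC 2267 style): only packets whose
    source lies in our own prefix may leave, so our hosts cannot be used to
    flood others with spoofed sources."""
    s = ipaddress.ip_address(src)
    if _bad_source(s):
        return (False, "private/reserved source address leaking out")
    if s not in OUR_PREFIX:
        return (False, "spoofed: outbound packet with foreign source address")
    return (True, "permit")


def apply_policy(packets: list) -> dict:
    """Run (name, direction, src, dst) packets through the filters."""
    verdicts = {}
    for name, direction, src, dst in packets:
        check = ingress_filter if direction == "in" else egress_filter
        verdicts[name] = check(src, dst)
    return verdicts


# Constructed traffic: one legitimate flow each way, plus the classic abuses.
SAMPLE_PACKETS = [
    ("legit_in",       "in",  "203.0.113.7",  "192.0.2.10"),
    ("legit_out",      "out", "192.0.2.10",   "203.0.113.7"),
    ("spoof_as_us",    "in",  "192.0.2.200",  "192.0.2.10"),
    ("private_src_in", "in",  "10.1.2.3",     "192.0.2.10"),
    ("smurf_trigger",  "in",  "198.51.100.5", "192.0.2.127"),
    ("spoof_out",      "out", "198.51.100.5", "203.0.113.7"),
]
```

Note that the egress rule is what protects everybody else; it is the check the slide asks you to pressure your ISP into deploying too, because a single unfiltered customer network is enough to launder spoofed floods for the whole Internet.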

Page 34

Planning for disaster

• Be convinced that the Internet is not a friendly place
• Be prepared to detect failure (malicious or accidental)
• Mirror critical resources
  – geographically remote from the original
• Create transparent alternative entry points
• Implement switching in the case of failure
  – Must be considered during the design phase
• Analyse, plan, communicate, test

Page 35

DDoS - Defending yourself

• Sufficient bandwidth
• Redundant design
  – BGP4 routing
• Filters @ ISP
• Filter @ home
  – ACL
  – Rate limiting
  – Stack buffering
• Load balance
• Resilient platform
• Platform optimization
  – Line speed
  – Disk space
  – Swap space
  – Kernel tables
• Service optimization
• Monitors & IDS

Page 36

Protecting web servers from DoS

• Have redundant servers
• Bandwidth & redundant routing
  – Consider fronting at an ISP
• Consider a redirection site as a front-end
  – Easily move your servers around
• Assign multiple IP addresses
• Dynamically move requests to different IP addresses.

Page 37

Responding to a DoS attack

• Implement your plan
• Shut down unnecessary services
• Generate logs
• Communicate
  – ISP
  – Security community
  – Law enforcement
• Implement filters
• Try different responses
  – ICMP reject, host not available, redirect, source quench
• Shun via your ISP
• Contact the middleman
• Share your experience

Page 38

Getting Greasy

Page 39

Configuration Examples - CISCO

• Use the ip verify unicast reverse-path command
  – checks that there is a route back to the source via the same interface on which the packet arrives
  – may be effective against spoofing in simple environments (like POPs)
• Filter all RFC 1918 address space using access control lists
• Apply ingress and egress filtering using ACLs
  – See RFC 2267
  – Can also be done with RPF under CEF
• Use CAR to rate limit ICMP packets
• Configure rate limiting for SYN packets
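As an added example (not Cisco code and not from the original deck), the block below models what two of the measures on this slide actually do: a strict unicast RPF check, which drops a packet unless the route back to its source leaves via the interface the packet arrived on, and a token-bucket rate limiter of the kind CAR applies to ICMP and TCP SYN traffic. The routes, interface names, rates and packets are all constructed.

```python
"""Strict unicast RPF and CAR-style rate limiting, modelled in Python.

Added example: not Cisco code, and not from the original deck. Routes,
interface names, rates and packets are constructed.
"""
import ipaddress

# Constructed forwarding table: prefix -> interface the prefix is reached through.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "eth0",     # our own customers
    ipaddress.ip_network("198.51.100.0/24"): "eth1",  # a peer network
    ipaddress.ip_network("0.0.0.0/0"): "eth2",        # default route (upstream)
}


def route_lookup(addr: str) -> str:
    """Longest-prefix match over ROUTES."""
    a = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def urpf_strict(src: str, in_iface: str) -> bool:
    """Strict uRPF (what ip verify unicast reverse-path checks): pass only if
    the route back to the source uses the interface the packet arrived on."""
    return route_lookup(src) == in_iface


class TokenBucket:
    """`rate` tokens per second, bursts up to `burst`; one token per packet."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def make_limits() -> dict:
    """Fresh buckets for the two classes the slide names (rates are constructed)."""
    return {"icmp": TokenBucket(rate=10, burst=20),
            "tcp-syn": TokenBucket(rate=100, burst=200)}


def classify(pkt: dict) -> str:
    if pkt["proto"] == "icmp":
        return "icmp"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return "tcp-syn"
    return "other"


def forward(pkt: dict, limits: dict) -> tuple:
    """Per-packet decision: uRPF first, then the class's rate limit (if any)."""
    if not urpf_strict(pkt["src"], pkt["iface"]):
        return (False, "urpf")
    bucket = limits.get(classify(pkt))
    if bucket is not None and not bucket.allow(pkt["t"]):
        return (False, "rate-limit")
    return (True, "forward")


def run_burst(n_icmp: int = 50, t: float = 0.0) -> dict:
    """Constructed burst: a spoofed packet, n_icmp echoes in one instant, one web packet."""
    limits = make_limits()
    spoof = forward({"src": "192.0.2.9", "iface": "eth2", "proto": "udp", "t": t}, limits)
    icmp = [forward({"src": "198.51.100.4", "iface": "eth1", "proto": "icmp", "t": t}, limits)
            for _ in range(n_icmp)]
    web = forward({"src": "198.51.100.4", "iface": "eth1", "proto": "tcp",
                   "flags": "A", "t": t}, limits)
    return {"spoof": spoof,
            "icmp_forwarded": sum(1 for ok, _ in icmp if ok),
            "icmp_dropped": sum(1 for ok, _ in icmp if not ok),
            "web": web}
```

Strict RPF is only safe where routing is symmetric, which is the slide's "simple environments (like POPs)" qualification: on a multi-homed transit link the same check would discard legitimate traffic that happens to arrive on the other path. Rate limiting has its own cost, since during a flood the limiter drops legitimate ICMP and SYNs along with the attack; it buys the router and the hosts behind it survival, not undisturbed service.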

Page 40

Interesting other stuff

Page 41

Things to consider

• The Internet is probably not your main income generator
• There's more than one way to skin a cat
  – Physical attacks on infrastructure
  – Hardware theft
  – DNS & other upstream services
  – Viruses & other content-borne attacks
  – Get "Slashdotted"
• Who's responsible for your family jewels?
• It could get worse:
  – Imagine an MS-based worm attack
  – http://www.hackernews.com/bufferoverflow/99/nitmar/nitmar1.html

Page 42

Other possible tricks

• IPv6
  – Should make it possible
• Enhancements to IPv4
  – ICMP traceback message?
    • For selected packets the router sends a packet indicating the previous hop for that packet
  – Congestion control techniques
    • Too many packet drops on a particular line triggers a message to the upstream host
  – Use hashed 'cookies' instead of a connection table
  – Randomly drop pending connections when the table gets full
• IPSec?
• ISP injects HTTP redirects on the net on upstream paths to combat attacks
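The "hashed cookies instead of a connection table" bullet above, as an added example that is not from the presentation: a simplified SYN-cookie scheme (not the exact Linux or BSD construction) that packs a small time counter and a truncated HMAC of the connection 4-tuple into the server's initial sequence number. The server then keeps nothing per SYN and validates the final ACK by recomputation, which removes the table the page 19 flood fills. The secret, addresses and timestamps are constructed, and the counter width is chosen for the demonstration.

```python
"""Stateless TCP handshake with SYN cookies.

Added example, a simplified scheme rather than the exact Linux/BSD one: the
server ISN carries a 3-bit time counter in its top bits and a truncated HMAC
of the 4-tuple in the remaining 29, so no state is stored per SYN. The
secret, addresses and times are constructed.
"""
import hashlib
import hmac

COUNTER_BITS = 3          # number of time slots a cookie can refer to
COUNTER_PERIOD = 64.0     # seconds per slot
LOW_BITS = 32 - COUNTER_BITS


def _counter(now: float) -> int:
    return int(now // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)


def _cookie_for(secret: bytes, src: str, sport: int, dst: str, dport: int,
                counter: int) -> int:
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (counter << LOW_BITS) | (mac & ((1 << LOW_BITS) - 1))


def make_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                now: float) -> int:
    """Server ISN to put in the SYN/ACK. Nothing is stored for this SYN."""
    return _cookie_for(secret, src, sport, dst, dport, _counter(now))


def check_ack(secret: bytes, src: str, sport: int, dst: str, dport: int,
              ack: int, now: float) -> bool:
    """On the final ACK, recompute the cookie for the counter encoded in it.
    Accept only if the MAC matches and the counter is the current slot or
    the previous one (so a slow but honest client still gets in)."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client acks ISN + 1
    counter = cookie >> LOW_BITS
    current = _counter(now)
    mask = (1 << COUNTER_BITS) - 1
    if counter not in (current, (current - 1) & mask):
        return False
    expected = _cookie_for(secret, src, sport, dst, dport, counter)
    return hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big"))


def handshake_demo(secret: bytes = b"constructed-secret", now: float = 1000.0) -> dict:
    """Honest client completes; a flood of spoofed SYNs costs no table entries;
    an attacker who never saw the SYN/ACK cannot forge a valid ACK; a cookie
    older than two slots is refused."""
    srv = ("203.0.113.80", 80)
    isn = make_cookie(secret, "192.0.2.10", 40000, *srv, now)
    honest = check_ack(secret, "192.0.2.10", 40000, *srv, isn + 1, now + 0.5)
    # Spoofed SYNs: the server answers each with a cookie and remembers nothing.
    state_kept = 0
    for i in range(10000):
        make_cookie(secret, f"198.51.100.{i % 254 + 1}", 1024 + i, *srv, now)
    forged = check_ack(secret, "198.51.100.1", 1024, *srv, 0x12345678, now)
    stale = check_ack(secret, "192.0.2.10", 40000, *srv, isn + 1,
                      now + 3 * COUNTER_PERIOD)
    return {"honest": honest, "state_kept": state_kept,
            "forged": forged, "stale": stale}
```

The price of statelessness is that anything normally remembered from the SYN (window scaling, selective ACK and most of the MSS) has to be either encoded into the few spare bits or given up, which is why real stacks only switch to cookies once the ordinary backlog is under pressure; that is also where the slide's companion idea, randomly dropping pending entries when the table fills, fits in.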

Page 43

DoS the SA way

• The Lainsburg DOS attack:
  – Flood all Telkom manholes with water.
• The Johnnie Walker DOS attack
  – Bribe a Telkom techie with some whiskey to disconnect a circuit.
• The Big Boss DOS attack
  – Get a well connected person to organise a lightning strike on a Telkom DP
• The Ford F4 DOS attack
  – Drive over a street box at high speed

Page 44

THE BOTTOM LINE

1. DDoS is a global problem
2. DDoS requires a global solution
3. A fight on three fronts
   - Source
   - Middleman
   - Victim
4. Keep your nose clean
5. Plan for the worst
6. Let's do it to them before they do it to us

Page 45

questions?