DENIAL OF SERVICE (DoS)
Prepared By: Ram Chandra Bhushan
M.Tech (ICT)
10IT61B07
IIT Kharagpur
Presentation Overview
• Introduction
  – Attack
  – Where it lies?
• Overview of DoS
  – Symptoms and manifestations
  – Background information: denial of service attacks
  – Classification of denial of service attacks
  – Countermeasures for denial of service attacks
  – Denial of service attack shortfalls
• DDoS (Distributed Denial of Service)
  – Distributed denial of service attacks
  – Distributed denial of service attack architecture
  – Widely used distributed denial of service tools
    • Trinoo
    • TFN/TFN2K
    • Stacheldraht
• Trinoo
  – How it's done?
  – Password protection
Presentation Overview (Contd.)
  – Login to master
  – Master and daemon
  – Master commands
  – Daemon commands
• DDoS case study: GRC.com
  – GRC.com network
  – Difficulty in getting help
  – GRC's infiltration
  – GRC's infiltration network
  – GRC.COM attack network setup
  – GRC.COM attack network attacking
• Defending against DDoS attacks
  – Three lines of defence
  – Attack detection and filtering
  – Attack source traceback
• Conclusion
• Notes and references
ATTACK
• An attack is any action that causes harm to an asset.
• Information is an asset and needs to be secured against attacks.
• Securing it means preserving three properties:
  – Confidentiality: hidden from unauthorized access
  – Integrity: protected from unauthorized changes
  – Availability: available when it is needed
• Denial of service targets the third property, availability.
Where it lies?
• Attacks are broadly categorized into two distinct types:
  – Cryptanalytic attacks
    • Apply mathematical techniques to recover the key faster than a brute-force search (trying all possibilities)
  – Non-cryptanalytic attacks
    • Everything else; denial of service belongs here, since it attacks availability rather than the cryptography
Symptoms and manifestations
• The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-of-service attacks to include:
  – Unusually slow network performance (opening files or accessing web sites)
  – Unavailability of a particular web site
  – Inability to access any web site
  – Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)
Background Information: Denial of Service Attacks
• Denial of service attack: an attack on a computer or network that prevents legitimate use of its resources.
• Flooding-based attacks come in two forms:
  – Traditional DoS: one attacker
  – Distributed DoS (DDoS): countless attackers, typically compromised hosts acting in concert
• DoS attacks affect:
  – Software systems
  – Network routers and equipment
  – Servers and end-user PCs
Classification of DoS Attacks

Attack            | Affected area                            | Example                                                      | Description
Network level     | Devices: routers, IP switches, firewalls | Ascend Kill II, "Christmas tree" packets                     | Attempts to exhaust hardware resources using multiple duplicate packets or a software bug.
OS level          | Equipment vendor OS, end-user equipment  | Ping of Death, ICMP echo attacks, Teardrop                   | Takes advantage of the way operating systems implement protocols.
Application level | Applications                             | Finger bomb, Windows NT RealServer G2 6.0                    | Attacks a service or machine by using an application-level attack to exhaust resources.
Data flood (amplification, oscillation, simple flooding) | Host computer or network | Smurf attack (amplifier attack), UDP echo (oscillation attack) | Massive quantities of data are sent to a target with the intention of using up bandwidth or processing resources.
Protocol feature  | Servers, client PCs, DNS servers         | SYN flood (connection depletion)                             | "Bugs" in a protocol are used to take down network resources; methods include IP address spoofing and corrupting a DNS server's cache.
Countermeasures for DoS Attacks

Attack            | Countermeasure options                                  | Example                                       | Description
Network level     | Software patches, packet filtering                      | Ingress and egress filtering                  | Software upgrades fix known bugs; packet filtering keeps attacking traffic from entering a network (and spoofed traffic from leaving it).
OS level          | SYN cookies, drop backlog connections, shorten timeouts | SYN cookies                                   | Shortening the backlog timeout and dropping backlog connections free up resources; SYN cookies remove the per-connection state that a SYN flood tries to exhaust.
Application level | Intrusion detection system                              | GuardDog, other vendors                       | Software used to detect illicit activity.
Data flood (amplification, oscillation, simple flooding) | Replication and load balancing | Akamai / Digital Island content distribution | Spreading content over many servers makes it harder for an attacker to identify every service to attack and to take the whole site down.
Protocol feature  | Extend protocols to support security                    | IETF itrace (ICMP traceback) proposal, DNSSEC | Trace the source of packets by a means other than the IP source address (defeats IP address spoofing); DNSSEC provides origin authentication and integrity for DNS data.
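The OS-level row above says SYN cookies "proactively prevent" a SYN flood; the reason is that the server answers a SYN without allocating a backlog entry, so there is nothing for the flood to exhaust. The following is an added example, not code from the slides or from any kernel: a SYN-cookie generator and validator in the style of the Linux/FreeBSD implementations. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed tag), the MSS table, the 64-second slot, the secret and the documentation addresses are all assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides: a SYN-cookie scheme in the spirit of the
# Linux/FreeBSD implementations. The server sends the cookie as the initial
# sequence number of its SYN-ACK and keeps NO half-open connection state; when
# the ACK arrives it re-derives the cookie from the packet headers and checks it.
# Cookie layout, MSS table, time slot, SECRET and addresses are assumptions.

SECRET = b"rotate-me-regularly"        # assumed server secret (real kernels rotate it)
MSS_TABLE = [536, 1300, 1440, 1460]    # the 3-bit field could encode up to 8 entries
SLOT_SECONDS = 64                      # cookies expire after about two slots
SERVER = bytes([192, 0, 2, 10])        # RFC 5737 documentation addresses (constructed)
CLIENT = bytes([198, 51, 100, 7])

def _tag(saddr, daddr, sport, dport, count):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Cookie = 5-bit time counter | 3-bit MSS index | 24-bit tag mixed with the client ISN."""
    count = (now // SLOT_SECONDS) & 0x1F
    # largest table entry not above the MSS the client offered (index 0 if none fit)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    low = (_tag(saddr, daddr, sport, dport, count) + client_isn) & 0xFFFFFF
    return (count << 27) | (mss_idx << 24) | low

def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate the cookie echoed back in the final ACK. Returns the MSS to use, or None."""
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    cur = (now // SLOT_SECONDS) & 0x1F
    if (cur - count) & 0x1F > 1:          # too old (or counter wrapped): reject, nothing to free
        return None
    expect = (_tag(saddr, daddr, sport, dport, count) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expect:
        return None
    return MSS_TABLE[mss_idx]

def demo(now=1_000_000, isn=0x12345678):
    """Walk through one handshake: SYN, SYN-ACK carrying the cookie, then three candidate ACKs."""
    # Server receives SYN (seq=isn, MSS option 1460) and answers seq=cookie, storing nothing.
    cookie = make_cookie(CLIENT, SERVER, 40000, 80, isn, 1460, now)
    # 1. Legitimate client ACKs 3 s later with seq=isn+1, ack=cookie+1; the server
    #    recovers client_isn = seq-1 and cookie = ack-1 from the ACK header alone.
    good = check_cookie(CLIENT, SERVER, 40000, 80, (isn + 1) - 1, (cookie + 1) - 1, now + 3)
    # 2. Forged ACK from a spoofer who never saw the SYN-ACK: one wrong bit fails the tag.
    forged = check_cookie(CLIENT, SERVER, 40000, 80, isn, cookie ^ 0x1, now + 3)
    # 3. Replay of a genuine cookie three slots later: rejected by the time check.
    stale = check_cookie(CLIENT, SERVER, 40000, 80, isn, cookie, now + 3 * SLOT_SECONDS)
    return good, forged, stale
```

The price of statelessness is visible in the code: only a few MSS values survive the round trip, and any TCP option that cannot be squeezed into 32 bits is lost, which is why real kernels enable cookies only once the backlog is actually full.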
DoS Shortfalls
• New distributed server architectures make it harder for a single DoS source to take down an entire site.
• New software protections neutralize known DoS attacks quickly.
• Service providers know how to prevent these attacks from affecting their networks.
• Most current IDSs detect the current generation of tools.
• Taken together, these limit what a single-source DoS can achieve, which is what pushed attackers toward distributed attacks.
Distributed Denial of Service Attacks
• The attack uses many computers to launch a coordinated DoS attack against one or more targets (the victim's network).
• A DDoS master program is installed on one computer, typically using a stolen account.
• Many sources ("daemons" or "agents") generate the attacking traffic.
• The master program communicates with any number of agent programs installed on computers anywhere on the Internet.
• The attacker controls the "master" machines, and the masters control the daemons/agents.
• When the agents receive the command, they initiate the attack.
DDoS Architecture
(Diagram: attacker → master(s) → daemons/agents → victim)
Widely Used DDoS Programs
• Trinoo
  – Attacker to master over TCP; masters and daemons talk over UDP; password authentication.
• Tribe Flood Network (TFN)
  – Attacker uses a shell on the master to invoke it; masters and daemons communicate with ICMP ECHO REPLY packets.
• TFN2K
  – Successor to TFN.
• Stacheldraht (German for "barbed wire")
  – Attacker uses an encrypted TCP connection to the master; masters and daemons use TCP and ICMP ECHO REPLY; rcp is used for auto-update.
Trinoo
• Discovered in August 1999.
• First DDoS tool to become widely available.
• Daemons were found on Solaris 2.x systems.
• Used to attack a system at the University of Minnesota; the victim was unusable for two days.
• Uses a UDP flooding attack strategy.
• TCP connection between the attacker and the master.
• UDP between the master and the daemons (agents).
• Trinoo is also known for letting attackers leave a message in a folder called cry_baby; the file is self-replicating and is modified regularly as long as port 80 is active.
How it's done?
• Using a compromised host, the attacker compiles a list of machines that can be compromised.
• Once the list has been compiled, scripts are run to compromise those machines and convert them into Trinoo masters or daemons.
• A further script automatically installs the trinoo daemon on the selected systems. Some installations fail, but every successful one adds a node to the attack network.
• One master can control multiple daemons.
• The daemons are the compromised hosts that launch the actual UDP floods against the victim machine.
• The DDoS attack is launched when the attacker issues a command on the master hosts. The masters instruct every daemon to start a DoS attack against the IP address specified in the command.
How it's done? (Contd.)
• Remote control of the master is over TCP port 27665. The master sends commands to the agents over UDP port 27444, and the agents send responses to the master on UDP port 31335.
• Master and agents are password protected.
• Daemon commands are opaque three-letter codes, so running strings on the binary does not reveal what they do.

Attacker --(TCP port 27665)--> Master --(UDP port 27444)--> Daemon
Daemon   --(UDP port 31335)--> Master
Password protection
• Passwords are used to keep administrators or other hackers from taking control.
• crypt()-hashed passwords are compiled into the master and daemon binaries.
• Default passwords:
  – "l44adsl" – trinoo daemon password
  – "gOrave" – trinoo master server startup
  – "betaalmostdone" – trinoo master remote interface password
  – "killme" – trinoo master password to control the "mdie" command
Login to master
• Telnet to port 27665 of the host running the master.
• Enter the password "betaalmostdone".
• The master warns the connected attacker if someone else tries to connect.
• Commands and execution:

[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo>
Master and daemon
• Communicate by UDP packets.
• Command line format: arg1 password arg2
• Default password is "l44adsl".
• When a daemon starts, it sends "HELLO" to the master.
• The master maintains the list of daemons.
Master commands
• dos IP
  – DoS the IP address specified
  – "aaa l44adsl IP" is sent to each daemon
• mdos <ip1:ip2:ip3>
  – DoS the IPs simultaneously
• mtimer N
  – Set attack period to N seconds
• bcast
  – List all daemons' IPs
• mdie password
  – Shut down all daemons
• killdead
  – Invite all daemons to send "HELLO" to the master
  – Delete all dead daemons from the list
Daemon commands
• Not used directly by the attacker; the master sends them to the daemons.
• Each consists of 3 letters
  – Opaque codes keep the commands from being exposed by running the Unix strings command on the binary.
• aaa password IP
  – DoS the specified IP
• bbb password N
  – Set attack period to N seconds
• rsz password N
  – Set attack packet size to N bytes
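The port numbers, cleartext passwords and three-letter daemon commands described on the last few slides are exactly what a network defender can key on. The following is an added example, not part of the slides or of the trinoo tool: a classifier that runs over a handful of constructed packet records (protocol, source, source port, destination, destination port, payload) and rebuilds the attack network, identifying the attacker, the master, the daemons, the target and any default passwords seen in the clear. The sample records, host addresses and the `*HELLO*` framing of the daemon's registration message are constructed for the example; the ports, the `aaa`/`bbb`/`rsz` commands and the default passwords are the ones the slides list.

```python
import re

# Added example, not from the slides: detect trinoo control traffic from packet
# records and reconstruct the attack network. Sample records below are constructed.

MASTER_CTL_TCP = 27665        # attacker -> master (telnet-style control channel)
MASTER_TO_DAEMON_UDP = 27444  # master -> daemon commands
DAEMON_TO_MASTER_UDP = 31335  # daemon -> master registration / replies

# "<3-letter cmd> <password> [<arg>]", the daemon command format from the slides
DAEMON_CMD = re.compile(rb"^([a-z0-9]{3}) (\S+)(?: (\S+))?$")
KNOWN_CMDS = {"aaa": "DoS target IP", "bbb": "set attack period (s)", "rsz": "set packet size (bytes)"}
DEFAULT_PASSWORDS = {"l44adsl", "gOrave", "betaalmostdone", "killme"}

def classify(pkt):
    """pkt = (proto, src, sport, dst, dport, payload:bytes). Returns (kind, details) or None."""
    proto, src, sport, dst, dport, payload = pkt
    if proto == "tcp" and dport == MASTER_CTL_TCP:
        text = payload.strip().decode(errors="replace")
        return ("attacker->master", {"attacker": src, "master": dst, "payload": text})
    if proto == "udp" and dport == MASTER_TO_DAEMON_UDP:
        m = DAEMON_CMD.match(payload.strip())
        if m:
            cmd, pw, arg = m.groups()
            cmd, pw, arg = cmd.decode(), pw.decode(), (arg.decode() if arg else None)
            return ("master->daemon", {"master": src, "daemon": dst, "cmd": cmd,
                                       "meaning": KNOWN_CMDS.get(cmd, "unknown 3-letter command"),
                                       "password": pw, "arg": arg})
    if proto == "udp" and dport == DAEMON_TO_MASTER_UDP and b"HELLO" in payload:
        return ("daemon->master", {"daemon": src, "master": dst})
    return None

def inventory(records):
    """Fold classified packets into a picture of the attack network."""
    net = {"attackers": set(), "masters": set(), "daemons": set(), "targets": set(),
           "default_passwords_seen": set(), "findings": []}
    for pkt in records:
        hit = classify(pkt)
        if hit is None:
            continue
        kind, d = hit
        net["findings"].append((kind, d))
        if kind == "attacker->master":
            net["attackers"].add(d["attacker"])
            net["masters"].add(d["master"])
            if d["payload"] in DEFAULT_PASSWORDS:
                net["default_passwords_seen"].add(d["payload"])
        elif kind == "master->daemon":
            net["masters"].add(d["master"])
            net["daemons"].add(d["daemon"])
            if d["password"] in DEFAULT_PASSWORDS:
                net["default_passwords_seen"].add(d["password"])
            if d["cmd"] == "aaa" and d["arg"]:
                net["targets"].add(d["arg"])
        else:  # daemon->master
            net["daemons"].add(d["daemon"])
            net["masters"].add(d["master"])
    return net

# Constructed sample capture: two daemons register, the attacker logs in to the
# master and issues "dos", the master fans out "aaa"/"rsz", one flood packet, one
# ordinary HTTP request that must not be flagged.
SAMPLE = [
    ("udp", "10.0.5.21", 1034, "10.0.1.2", 31335, b"*HELLO*"),
    ("udp", "10.0.5.22", 1040, "10.0.1.2", 31335, b"*HELLO*"),
    ("tcp", "203.0.113.9", 51234, "10.0.1.2", 27665, b"betaalmostdone\r\n"),
    ("tcp", "203.0.113.9", 51234, "10.0.1.2", 27665, b"dos 192.0.2.80\r\n"),
    ("udp", "10.0.1.2", 32768, "10.0.5.21", 27444, b"aaa l44adsl 192.0.2.80"),
    ("udp", "10.0.1.2", 32768, "10.0.5.22", 27444, b"aaa l44adsl 192.0.2.80"),
    ("udp", "10.0.1.2", 32768, "10.0.5.21", 27444, b"rsz l44adsl 1400"),
    ("udp", "10.0.5.21", 2001, "192.0.2.80", 5342, b"\x00" * 1400),   # the UDP flood itself
    ("tcp", "10.0.9.3", 40000, "10.0.9.4", 80, b"GET / HTTP/1.0\r\n\r\n"),
]
```

Matching on the three default ports is only a first cut: the ports are compile-time constants and a rebuilt binary can change them, which is why the daemon-side signature (three-letter command followed by a password token over UDP) and the cleartext password on the TCP control channel are worth keeping as independent indicators.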
DDoS Case Study: GRC.com
• Gibson Research Corporation provides free Internet security testing software: Shields Up, LeakTest, etc.
• Attacked by DDoS in May 2001.
• On May 4, 2001, GRC.COM dropped off the Internet.
• GRC identified that it was the victim of a DoS attack.
• GRC's firewall and router were able to stop the flood traffic from affecting GRC equipment, but the upstream lines were completely saturated.
GRC.com Network
(Diagram: Internet → Verio router → GRC.COM firewall and router; 100 Mbps links)
Difficulty in Getting Help Stopping DDoS Attacks
• GRC contacted Earthlink but received no help.
• GRC contacted @Home (over 100 @Home PCs were identified as hosts for the attack); @Home did not want to help either.
• The FBI was unable to help GRC.
• GRC then received an anonymous e-mail through its web-based spyware drop box containing the "Zombie" (the DDoS daemon).
GRC.COM Case Study: GRC's Infiltration
• GRC set up a "Sitting Duck" dummy computer running the DDoS daemon to see what would happen (see next slide).
• "Sitting Duck" successfully connected to an IRC chat server and received instructions to attack a system in Finland.
• GRC disabled the packet-generation feature of "Sitting Duck" so that no malicious packets would be sent.
• GRC wrote an IRC chat zombie to enter the IRC servers where the hackers communicated and traded zombie DDoS tools.
• GRC communicated with the hackers, asking them to "lay off".
GRC's Infiltration Network
(Diagram)

GRC.COM Attack Network Setup
(Diagram)

GRC.COM Attack Network Attacking
(Diagram: Attacker → IRC servers → DDoS daemons → Internet → Verio router → T1 trunks → GRC.COM)
1. Attacker issues command to attack GRC.COM.
2. Each DDoS daemon begins to attack the selected website.
Defending Against DDoS Attacks
• The biggest barrier in defending against DDoS attacks is the lack of economic incentives for Internet users to cooperate. Sample research by icsa.net shows that less than 15 percent of all corporate users filter source IP addresses. An even smaller percentage of Internet service providers (less than 8 percent) do this type of filtering.
• Improving the security of all relevant devices
• User-level traffic control
• Block certain types of packets
• Block packets by source address
• Derive attack signatures for the harmful packets
• IP tracing
• Server-level traffic monitoring and class-based queuing
Three lines of defense:
1. Attack prevention: before the attack
2. Attack detection and filtering: during the attack
3. Attack source traceback: during and after the attack

Attack prevention
• Protect hosts from having masters and agents installed by attackers.
• Scan hosts for symptoms of agents being installed.
• Monitor network traffic for known message exchanges among attackers, masters and agents.
• On its own, prevention is inadequate and hard to deploy: it depends on every host on the Internet being kept secure.
Attack detection and filtering
• Detection
  – Identify the DDoS attack and the attack packets
• Filtering
  – Classify normal and attack packets
  – Drop attack packets
• Can be done in 4 places:
  – Victim's network
  – Victim's ISP network
  – Further upstream ISP networks
  – Attack source networks
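The cheapest filtering is the kind done at the attack source network, since that is the only place where a spoofed source address is obviously wrong. The countermeasures table earlier calls this ingress and egress filtering, and the defence slide above notes how few sites deploy it. The following is an added example, not code from the slides: a BCP 38 style ingress filter for an ISP edge router (accept a packet on a customer port only if its source lies in that customer's assigned prefixes, and reject packets from the Internet side that claim one of our own addresses) plus the matching egress check at a site border. The interfaces, prefixes and sample packets are constructed for illustration.

```python
import ipaddress

# Added example, not from the slides: BCP 38 style ingress filtering at an ISP
# edge plus egress filtering at a site border. Topology and addresses are
# constructed (RFC 5737 documentation prefixes).
EDGE_INTERFACES = {
    "cust-a":   ["192.0.2.0/24"],      # prefixes assigned to customer A
    "cust-b":   ["198.51.100.0/25"],   # prefixes assigned to customer B
    "upstream": None,                  # transit side: no positive source list
}
# Everything that can legitimately be sourced from inside this network.
OUR_SPACE = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]
EDGE_NETS = {i: ([ipaddress.ip_network(p) for p in ps] if ps else None)
             for i, ps in EDGE_INTERFACES.items()}

def ingress_verdict(iface, src):
    """Accept a packet arriving on `iface` only if its source is plausible for that interface."""
    src = ipaddress.ip_address(src)
    allowed = EDGE_NETS[iface]
    if allowed is None:
        # From the Internet side, a packet claiming one of our own addresses can only be spoofed.
        return "drop" if any(src in n for n in OUR_SPACE) else "accept"
    return "accept" if any(src in n for n in allowed) else "drop"

def egress_verdict(src):
    """Site border: a packet leaving with a foreign source address is spoofed; drop it."""
    src = ipaddress.ip_address(src)
    return "accept" if any(src in n for n in OUR_SPACE) else "drop"

def apply_filters(packets):
    """packets: (iface, src, dst) as seen arriving at the edge. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        (accepted if ingress_verdict(iface, src) == "accept" else dropped).append((iface, src, dst))
    return accepted, dropped

# Constructed sample: two legitimate customer packets, two spoofed ones from
# customer A (a foreign source and customer B's space), a normal inbound packet,
# and an inbound packet claiming our own address (the classic reflector/smurf setup).
SAMPLE = [
    ("cust-a", "192.0.2.77", "203.0.113.5"),
    ("cust-a", "203.0.113.9", "203.0.113.5"),
    ("cust-a", "198.51.100.3", "203.0.113.5"),
    ("cust-b", "198.51.100.3", "203.0.113.5"),
    ("upstream", "203.0.113.9", "192.0.2.77"),
    ("upstream", "192.0.2.1", "192.0.2.77"),
]
```

On real equipment the same check is done against the routing table rather than a static list (Cisco's unicast RPF, Linux's rp_filter sysctl); the static form above is enough to show why the filter has to sit at the customer edge: one hop further upstream the set of "plausible" sources is already too large to tell a spoofed packet from a legitimate one.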
Attack source traceback
• Identify the actual origin of a packet without relying on its source IP address.
• Two approaches:
  – Routers record information about the packets they forward (logging)
  – Routers send additional information about packets to the destination (packet marking)
• Limitations:
  – Source traceback cannot by itself stop an ongoing DDoS attack
  – Cannot trace origins behind firewalls or NAT (network address translators)
  – Reflector attacks need more work, since the attack packets come from legitimate sources
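The second approach above (routers add information to packets on their way to the destination) is easiest to see in a simulation. The following is an added example, not from the slides: probabilistic edge marking in the style of Savage et al., in which each router overwrites the mark with probability p and otherwise completes or extends the edge already in the packet, and the victim rebuilds the path one hop distance at a time. The marking rule, reconstruction, router names, path length and packet counts are this example's own constructions. It also shows a property the slides do not mention: because every hop increments the distance, an attacker who forges marks can only make itself appear farther away, never closer, so the true path is still recovered first.

```python
import math
import random

# Added example, not from the slides: simulation of probabilistic edge marking
# (Savage et al. style). Routers, path and packet counts are constructed.

class Packet:
    """Only the traceback mark matters here: (start, end, distance) of one sampled edge."""
    __slots__ = ("start", "end", "distance")
    def __init__(self, start=None, end=None, distance=None):
        self.start, self.end, self.distance = start, end, distance

def router_mark(router, pkt, p, rng):
    """Edge sampling: with probability p start a new edge here, otherwise extend an existing one."""
    if rng.random() < p:
        pkt.start, pkt.end, pkt.distance = router, None, 0
    elif pkt.distance is not None:
        if pkt.distance == 0:        # the previous hop started an edge; we are its other end
            pkt.end = router
        pkt.distance += 1            # every hop increments, so a mark cannot claim to be closer

def send_flood(path, n_packets, p, seed=1, forge=False):
    """Attacker sits upstream of path[0]; path[-1] is the router nearest the victim."""
    rng = random.Random(seed)
    received = []
    for i in range(n_packets):
        pkt = Packet()
        if forge and i % 2 == 0:     # attacker pre-fills the mark field on half the packets
            pkt.start, pkt.end, pkt.distance = "FAKE-A", "FAKE-B", 0
        for router in path:
            router_mark(router, pkt, p, rng)
        received.append(pkt)
    return received

def reconstruct(received, victim="VICTIM"):
    """Victim side: collect sampled edges and walk them outward, one hop distance at a time."""
    edges = set()
    for pkt in received:
        if pkt.distance is None or pkt.start is None:
            continue                 # unmarked packet, nothing to learn
        end = pkt.end if pkt.end is not None else victim   # edge started at the last hop
        edges.add((pkt.start, end, pkt.distance))
    path, frontier, d = [], {victim}, 0
    while True:
        nxt = {s for s, e, dist in edges if dist == d and e in frontier}
        if not nxt:
            return path
        path.extend(sorted(nxt))
        frontier, d = nxt, d + 1

def packets_needed(d, p):
    """Savage et al.'s bound on the expected number of packets to observe every edge of a d-hop path."""
    return math.log(d) / (p * (1 - p) ** (d - 1))
```

With p = 0.1 a four-hop path needs only about twenty packets in expectation, which is why marking works during a flood but is useless against a single malicious packet. The caveats from the slide apply unchanged: the reconstruction stops at the first device that does not mark (a NAT or firewall), it identifies routers rather than the person behind them, and in a reflector attack the path found leads to the reflector, not to the attacker.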
Conclusion
• DDoS attacks are a complex and serious problem, affecting not only the victim but also the victim's legitimate clients.
• DDoS defense approaches are numerous; we need to learn how to combine them to solve the problem completely.
• The Internet community must cooperate to counter the threat through global deployment of defense mechanisms.
References
1. Karig, David and Ruby Lee. Remote Denial of Service Attacks and Countermeasures. Princeton University Department of Electrical Engineering, Technical Report CE-L2001-002, October 2001.
2. Kargl, Frank, Joern Maier, and Michael Weber. Protecting Web Servers from Distributed Denial of Service Attacks. WWW10, May 1-5, 2001, Hong Kong. ACM 1-58113-348-0/01/0005.
3. Stein, Lincoln. The World Wide Web Security FAQ, Version 3.1.2, February 4, 2002. http://www.s3.org/security/faq/ (visited October 1, 2002).
4. Dittrich, David. The DoS Project's "trinoo" Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (visited October 1, 2002).
5. Dittrich, David. The "Tribe Flood Network" Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/tfn.analysis.txt (visited October 1, 2002).
6. Dittrich, David. The "stacheldraht" Distributed Denial of Service Attack Tool. University of Washington, December 31, 1999. http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt (visited October 1, 2002).
7. Gibson, Steve. The Strange Tale of the Denial of Service Attacks Against GRC.com. Gibson Research Corporation, March 5, 2002. http://grc.com/dos/grcdos.htm
8. Daniels, Thomas E. and Eugene H. Spafford. Network Traffic Tracking Systems: Folly in the Large? Center for Education and Research in Information Assurance and Security (CERIAS), Lafayette, IN, 2001.
9. Chang, R. Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial. IEEE Communications Magazine, October 2002.
Thank You