by Mark Schuchter
Overview
- Introduction
- Why?
- Timeline
- How?
- Typical attack (UNIX)
- Typical attack (Windows)
Introduction
Internet hosts compete for limited, consumable resources (memory, processor cycles, bandwidth, ...), and Internet security is highly interdependent.
No matter how secure your own site is, whether you get attacked depends on the security of others: the flood comes from machines that somebody else failed to secure.
DDoS Attack
Why?
- sub-cultural status: initiation into the hacker scene (although many hackers regard it as blunt)
- nastiness, revenge: e.g. a former employee
- to gain access: using DDoS to crash a firewall
- political reasons: e.g. Bush attacking Kelly's homepage
- economic reasons: attacking a competitor to gain a business advantage
Timeline
- <1999: point-to-point attacks (SYN flood, Ping of Death, ...); first distributed attack tools (fapi)
- 1999: more robust tools (trinoo, TFN, Stacheldraht) with auto-update and added encryption
- 2000: tools bundled with rootkits, controlled via talk or IRC
- 2001: worms include DDoS features (e.g. Code Red) and time synchronisation of the attack
- 2002: DRDoS (distributed reflected) attack tools
- 2003: Mydoom infects thousands of victims to attack SCO and Microsoft
How?
- TCP floods (various flags)
- UDP floods
These floods are the most frequently used because they are the hardest to distinguish from normal traffic.
SYN attack (handshake attack)
An attacker sending SYNs with spoofed (forged) source IP addresses leaves the server with half-open connections: each one holds a slot in the listen backlog until it times out, and once the backlog is full, legitimate connection requests are denied service.
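The mechanism described above, as an added example that is not part of the original slides: a stateful listener whose backlog fills with half-open entries from forged sources until a legitimate client is refused, and, going beyond the slide, a SYN-cookie listener that keeps no per-SYN state and so cannot be exhausted this way. The backlog size, timeout, cookie key and all addresses are assumed values, not taken from any real TCP implementation.

```python
"""Simulation of SYN-backlog exhaustion by spoofed half-open connections.

Added example, not from the original slides. Backlog size, timeout, the
cookie key and all addresses are illustrative assumptions, not values taken
from any real TCP implementation.
"""
import hashlib
import hmac

BACKLOG = 128        # assumed listen backlog: max simultaneous half-open entries
SYN_TIMEOUT = 60     # assumed seconds a half-open entry is held before expiry


class StatefulListener:
    """Classic listener: every SYN reserves a backlog slot until the
    handshake completes or the entry times out."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}      # (src_ip, src_port) -> time the SYN-ACK was sent
        self.established = set()
        self.dropped = 0

    def _expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, now):
        """Return True if a SYN-ACK was sent, False if the SYN had to be dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """Third handshake packet: only completes a known half-open entry."""
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieListener:
    """Stateless listener (SYN cookies, a mitigation beyond the slide): the
    initial sequence number sent in the SYN-ACK is a keyed hash of the
    connection tuple, so nothing is stored until a valid ACK comes back."""

    def __init__(self, key=b"assumed-secret-key"):
        self.key = key
        self.established = set()

    def cookie(self, src, dst):
        msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, dst):
        """Send SYN-ACK with ISN = cookie; store nothing (spoofed SYNs cost no memory)."""
        return self.cookie(src, dst)

    def on_ack(self, src, dst, ack_num):
        """A genuine client acknowledges ISN + 1; recompute the cookie to verify."""
        if ack_num != (self.cookie(src, dst) + 1) & 0xFFFFFFFF:
            return False
        self.established.add(src)
        return True


def simulate_flood(n_spoofed=BACKLOG, legit=("10.0.0.5", 40000)):
    """Forged sources send SYNs and never ACK; then a legitimate client tries.
    Returns (accepted while flooded, accepted after entries expired, SYNs dropped)."""
    srv = StatefulListener()
    for i in range(n_spoofed):
        srv.on_syn((f"192.0.2.{i % 254 + 1}", 1024 + i), now=0)   # spoofed, never ACKed
    during = srv.on_syn(legit, now=1)                               # backlog full
    after = srv.on_syn(legit, now=SYN_TIMEOUT + 1)                  # stale entries gone
    return during, after, srv.dropped


def simulate_cookies(n_spoofed=10_000, legit=("10.0.0.5", 40000),
                     dst=("198.51.100.1", 80)):
    """Same flood against a SYN-cookie listener. Returns
    (legitimate handshake ok, ACK with wrong number ok, established count)."""
    srv = SynCookieListener()
    for i in range(n_spoofed):
        srv.on_syn((f"192.0.2.{i % 254 + 1}", 1024 + i), dst)      # costs no state
    isn = srv.on_syn(legit, dst)
    ok = srv.on_ack(legit, dst, (isn + 1) & 0xFFFFFFFF)
    bogus = srv.on_ack(legit, dst, isn)                             # wrong ack number
    return ok, bogus, len(srv.established)


if __name__ == "__main__":
    print("stateful:", simulate_flood())     # (False, True, 1)
    print("cookies: ", simulate_cookies())   # (True, False, 1)
```

The stateful listener refuses the legitimate client as soon as the forged SYNs fill the backlog and only recovers once those entries time out; the cookie listener never stores anything for a SYN, so the same flood leaves it free to complete the genuine handshake, while an ACK that does not match the recomputed cookie is rejected.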
Typical attack (UNIX)
1. prepare attack
everything the attacker has to prepare before starting.
2. set up network
the steps needed to infect the client machines and to set up the distributed network.
3. communication
ways of communicating with the client machines to issue commands.
Preparation:
- Scan a large range of network blocks to identify potential targets (hosts running an exploitable service).
- The resulting list is used to create a script that:
  - performs the exploit,
  - sets up a command shell running as root that listens on a TCP port (1524/tcp),
  - connects to this port to confirm the exploit succeeded.
Setting up the network:
- Store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet.
- A script takes the list of owned hosts to automate installation of the daemon; the same goes for the trin00 master.
[Figure: attack network; the attacker controls several trin00 masters, each master controls several daemons]
Communication:
- The attacker controls a master over telnet with a password (27665/tcp).
- trin00 master to daemon: 27444/udp, command format "arg1 pwd arg2".
- daemon to master: 31335/udp.
- "dos <pw> 192.168.0.1" triggers the attack.
[Figure: the compromised client machines running the daemons]
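The three control channels listed above are what a defender can look for. The following is an added example, not code from the slides: it runs over constructed flow records (format "timestamp proto src:port -> dst:port bytes", invented for this example) and flags the trin00 ports the slide gives (27665/tcp, 27444/udp, 31335/udp). Because a single destination-port match can be an ephemeral-port coincidence, a host is only reported as a probable master when two or more channels corroborate it. All addresses and records are made up.

```python
"""Flag trin00-style control traffic in flow records.

Added example, not part of the original slides. The flow-record format
("timestamp proto src:port -> dst:port bytes") and all records are
constructed for illustration; the port numbers are the ones the slide
gives for trin00 (27665/tcp, 27444/udp, 31335/udp).
"""
import re
from collections import defaultdict

TRINOO_CHANNELS = {
    ("tcp", 27665): "control",    # attacker -> master (telnet, password)
    ("udp", 27444): "commands",   # master -> daemons
    ("udp", 31335): "replies",    # daemons -> master
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: one master (198.51.100.10) driven from 203.0.113.7,
# three daemons, ordinary web traffic, and a single-channel decoy host.
SAMPLE_FLOWS = """\
2003-03-01T10:00:01 tcp 203.0.113.7:51234 -> 198.51.100.10:27665 412
2003-03-01T10:00:05 udp 198.51.100.10:32770 -> 192.0.2.21:27444 48
2003-03-01T10:00:05 udp 198.51.100.10:32770 -> 192.0.2.22:27444 48
2003-03-01T10:00:05 udp 198.51.100.10:32770 -> 192.0.2.23:27444 48
2003-03-01T10:00:06 udp 192.0.2.21:1031 -> 198.51.100.10:31335 16
2003-03-01T10:00:06 udp 192.0.2.22:1031 -> 198.51.100.10:31335 16
2003-03-01T10:00:07 tcp 192.0.2.99:33001 -> 10.9.8.7:80 60
2003-03-01T10:00:07 tcp 192.0.2.50:33002 -> 10.9.8.7:443 1200
2003-03-01T10:00:09 udp 172.16.0.3:40000 -> 172.16.0.4:27444 100
this line is not a flow record and is skipped
"""


def parse_flow(line):
    """Parse one record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "bytes": int(d["bytes"])}


def port_hits(text):
    """Every flow whose destination port/protocol matches a trin00 channel.
    This is the naive check: a single hit may be an ephemeral-port coincidence."""
    hits = []
    for line in text.splitlines():
        f = parse_flow(line)
        if f is None:
            continue
        channel = TRINOO_CHANNELS.get((f["proto"], f["dport"]))
        if channel:
            hits.append((f["ts"], f["src"], f["dst"], f["dport"], channel))
    return hits


def find_masters(text, min_channels=2):
    """Report a host as a probable master only when at least min_channels of
    the three control channels corroborate it, and list the daemons it talked to."""
    evidence = defaultdict(set)   # host -> channels observed pointing at / from it
    daemons = defaultdict(set)    # host -> peers on the command/reply channels
    for ts, src, dst, dport, channel in port_hits(text):
        if channel == "control":
            evidence[dst].add(channel)
        elif channel == "commands":
            evidence[src].add(channel)
            daemons[src].add(dst)
        elif channel == "replies":
            evidence[dst].add(channel)
            daemons[dst].add(src)
    return {host: sorted(daemons[host])
            for host, chans in evidence.items() if len(chans) >= min_channels}


if __name__ == "__main__":
    for hit in port_hits(SAMPLE_FLOWS):
        print("hit:", *hit)
    print("probable masters:", find_masters(SAMPLE_FLOWS))
```

On the sample, the naive port check produces seven hits, including the decoy host that merely sent one datagram to 27444/udp; requiring two corroborating channels reports only 198.51.100.10 and the three daemons it exchanged commands and replies with. On a real network the daemon list is what you would use to find and clean the compromised client machines.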
Development
[Figure: CERT/CC chart, 1980 to 2001, of attack sophistication (low to high) against the knowledge intruders need. Tools marked along the curve: password guessing, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, automated probes/scans, GUI, www attacks, distributed attack tools, sniffers, denial of service, packet spoofing, stealth/advanced scanning techniques, binary encryption, disabling audits, back doors. Source: CERT/CC]
Solutions