
DDoS

Distributed Denial of Service Attacks

by Mark Schuchter

Overview

- Introduction
- Why?
- Timeline
- How?
- Typical attack (UNIX)
- Typical attack (Windows)

Introduction

- limited and consumable resources (memory, processor cycles, bandwidth, ...)
- Internet security is highly interdependent: no matter how secure your own site is, whether you get attacked or not depends on the security of others.

DDoS attack

- prevents and impairs legitimate computer use

Why?

- sub-cultural status
  initiation into the hacker scene (although thought blunt by many hackers)

- nastiness, revenge
  e.g. a former employee

- to gain access
  using DDoS to crash a firewall

- political reasons
  e.g. Bush attacking Kelly's homepage

- economic reasons
  attacking a competitor to gain business advantages

Timeline

- <1999: point-to-point attacks (SYN flood, Ping of Death, ...), first distributed attack tools (fapi)
- 1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
- 2000: bundled with rootkits, controlled with talk or IRC
- 2001: worms include DDoS features (e.g. Code Red), include time synchronisation
- 2002: DrDoS (reflected) attack tools
- 2003: Mydoom infects thousands of victims to attack SCO and Microsoft

How?

- TCP floods (various flags)
- ICMP echo requests (e.g. ping floods)
- UDP floods

These three are the most frequently used, because it is hardest to differentiate an actual attack from normal traffic.

SYN attack (handshake attack)

[Diagram, left: Client and Server exchange SYN, SYN-ACK, ACK. Right: Attacker (spoofed IP) sends SYN to Server, Server answers SYN-ACK to the forged address, and the final ACK never arrives.]

The left side is a normal client-server handshake to open a connection (e.g. an HTTP request).

An attacker with a spoofed (forged) IP address can use half-open connections to claim buffer space on the server and deny legitimate requests the service.

Typical attack

1. prepare attack
   everything the attacker has to prepare before he starts.

2. set up network
   the steps he needs to undertake to infect the client machines and to set up the distributed network.

3. communication
   ways of communicating with the client machines to issue commands.

UNIX (trin00) preparation I

- use a stolen account (high bandwidth) as a repository for:
  - scanners
  - attack tools (e.g. buffer overrun exploits) for the various vulnerabilities they try to exploit to gain root access
  - root kits
  - sniffers
  - trin00 master and daemon program
  - list of vulnerable hosts, previously compromised hosts, ...

UNIX (trin00) preparation II

- scan a large range of network blocks to identify potential targets (running an exploitable service)
- the list is used to create a script that:
  - performs the exploit
  - sets up a command shell running as root that listens on a TCP port (1524/tcp)
  - connects to this port to confirm the exploit
- result: a list of owned systems

UNIX (trin00) network I

- store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
- a script takes the owned-list to automate the installation process of the daemon
- the same goes for the trin00 master

UNIX (trin00) network II

[Diagram: attacker(s) at the top control several masters; each master controls several daemons (attacker -> master -> daemon hierarchy).]

UNIX (trin00) communication

- attacker controls the master via telnet and a password (port 27665/tcp)
- trin00 master to daemon via 27444/udp (arg1 pwd arg2)
- daemon to master via 31335/udp
- "dos <pw> 192.168.0.1" triggers the attack
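
The half-open SYN pattern from the SYN attack slide and the trin00 control ports quoted above can both be checked on the defending side over flow records. The following is an added Python example, not part of the presentation; it assumes tcpdump-style TCP flag letters and uses constructed sample records rather than a real capture.

```python
from collections import defaultdict

# trin00 control ports quoted on the slides: attacker->master 27665/tcp,
# master->daemon 27444/udp, daemon->master 31335/udp.
TRIN00_PORTS = {("tcp", 27665), ("udp", 27444), ("udp", 31335)}

# Constructed flow records: (proto, src_ip, dst_ip, dst_port, tcp_flags).
# Flags use tcpdump letters: "S" = SYN only, "A" = ACK present, "" = n/a.
SAMPLE_FLOWS = [
    ("tcp", "10.0.0.5", "192.168.0.1", 80, "S"),        # legitimate client
    ("tcp", "10.0.0.5", "192.168.0.1", 80, "A"),        # ... completes handshake
    ("tcp", "203.0.113.7", "192.168.0.1", 80, "S"),     # spoofed sources:
    ("tcp", "203.0.113.8", "192.168.0.1", 80, "S"),     # lone SYNs, the ACK
    ("tcp", "203.0.113.9", "192.168.0.1", 80, "S"),     # never follows
    ("tcp", "203.0.113.10", "192.168.0.1", 80, "S"),
    ("udp", "198.51.100.9", "192.168.0.1", 27444, ""),  # master -> daemon
    ("udp", "192.168.0.1", "198.51.100.9", 31335, ""),  # daemon -> master
    ("udp", "10.0.0.6", "192.168.0.1", 53, ""),         # ordinary DNS query
]

def half_open_sources(flows):
    """Return {(dst_ip, dst_port): {src_ip, ...}} for sources whose SYN
    was never followed by an ACK from the same source to the same target."""
    syn_seen = defaultdict(set)
    ack_seen = defaultdict(set)
    for proto, src, dst, port, flags in flows:
        if proto != "tcp":
            continue
        if flags == "S":
            syn_seen[(dst, port)].add(src)
        elif "A" in flags:
            ack_seen[(dst, port)].add(src)
    return {t: s - ack_seen[t] for t, s in syn_seen.items() if s - ack_seen[t]}

def syn_flood_targets(flows, threshold=3):
    """Targets with at least `threshold` distinct half-open sources.
    Many distinct sources with lone SYNs is the spoofed-IP pattern the
    slides describe; a single chatty source is more likely a scan or bug."""
    return sorted((dst, port, len(srcs))
                  for (dst, port), srcs in half_open_sources(flows).items()
                  if len(srcs) >= threshold)

def trin00_control_flows(flows):
    """Flows on the trin00 control ports: cheap to alert on, since
    legitimate services rarely use these protocol/port pairs."""
    return [f for f in flows if (f[0], f[3]) in TRIN00_PORTS]
```

A threshold on distinct sources rather than raw SYN count keeps one retrying client from tripping the alert; in practice the records would come from a flow exporter or firewall log over a time window.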

Windows (Sub7) preparation I

- set up the following things on your home PC:
  - freemail account
  - Kazaa
  - trojan toolkit
  - IRC client
  - IRC bot
n

Windows (Sub7) preparation II

- assemble different trojans (GUI)
- define:
  - ways of communication
  - name
  - file
n

Windows (Sub7) network I

- start spreading via:
  - email/news lists
  - IRC
  - P2P software
n

Windows (Sub7) network II

[Diagram: a single attacker directly controls several infected clients (attacker -> client, flat structure with no master layer).]

Windows (Sub7) communication

- Sub7 client
- IRC channel
- one click to launch the attack

Development

[Chart, source: CERT/CC. Two curves over 1980-2001: "Attack Sophistication" (Tools) rising from Low to High while the "Intruder Knowledge" required (Attackers) falls. Milestones named on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sniffers, packet spoofing, automated probes/scans, GUI, denial of service, www attacks, network mgmt. diagnostics, stealth / advanced scanning techniques, binary encryption, distributed attack tools.]

Solutions

- statistical analyses (e.g. D-WARD) at core routers, not ready yet
  these techniques analyse the 'normal' network traffic over a certain amount of time and then use this pattern to filter out 'unusual' traffic.
  Problem: too often legitimate traffic gets filtered out too.

- change the awareness of people (firewalls, attachments, virus scanners, ...)

Thanks for your attention!
