ddos - cs.bham.ac.ukmdr/teaching/modules03/security/students/ss… · using ddos to crash firewall....

Page 1: DDoS

Distributed Denial of Service Attacks

by Mark Schuchter

Page 2: Overview

- Introduction
- Why?
- Timeline
- How?
- Typical attack (UNIX)
- Typical attack (Windows)

Page 3: Introduction

DDoS attack: prevents and impairs computer use.

- limited and consumable resources (memory, processor cycles, bandwidth, ...)
- Internet security is highly interdependent

Notes (Mark): No matter how secure your site is, whether you get attacked or not depends on the security of others.
Page 4: Why?

- sub-cultural status
- to gain access
- political reasons
- economic reasons
- revenge
- nastiness

Notes (Mark):
- using DDoS to crash a firewall
- attacking a competitor to gain business advantages
- e.g. a former employee
- e.g. Bush attacking Kelly's homepage
- initiation into the hacker scene (although thought blunt by many hackers)
Page 5: Timeline

- <1999: point-to-point attacks (SYN flood, Ping of Death, ...), first distributed attack tools ('fapi')
- 1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
- 2000: bundled with rootkits, controlled via talk or IRC
- 2001: worms include DDoS features (e.g. Code Red), include time synchronisation
- 2002: DRDoS (reflected) attack tools
- 2003: Mydoom infects thousands of victims to attack SCO and Microsoft

Page 6: How?

- TCP floods (various flags)
- ICMP echo requests (e.g. ping floods)
- UDP floods

Notes (Mark): These three are the most frequently used because it is hardest to differentiate between an actual attack and normal traffic.
Page 7: SYN Attack

Handshake (Client and Server):
  Client -> Server: SYN
  Server -> Client: SYN-ACK
  Client -> Server: ACK

Attack (Attacker with spoofed IP and Server):
  Attacker -> Server: SYN (forged source address)
  Server -> forged address: SYN-ACK
  (no ACK ever comes back; the connection stays half open)

Notes (Mark): This is a normal client-server handshake to open a connection (i.e. an HTTP request).
Notes (Mark): An attacker with a spoofed (= forged) IP can use half-open connections to claim buffer space and to deny legitimate requests the service.
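The following is an added example, not part of the original slides: an in-memory model of the half-open connection table the notes describe, placed beside the standard defence (SYN cookies, where the server keeps no state for a SYN and instead encodes a keyed hash into its sequence number). The backlog size, timeout, secret, port and all addresses are constructed assumptions; the forged SYNs are never sent anywhere, they are just entries in a Python dict.

```python
import hashlib
import hmac

# Constructed model of a listener's half-open (SYN_RECV) table. Backlog size,
# timeout, secret and all addresses are assumptions made for this illustration.
BACKLOG = 8            # half-open slots the stateful listener keeps
SYN_TIMEOUT = 60       # seconds before an unanswered SYN-ACK is discarded
SERVER_PORT = 80
SECRET = b"constructed-secret-key"


class StatefulListener:
    """Classic listener: every SYN reserves a slot until the ACK arrives or times out."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> time the SYN arrived
        self.established = 0
        self.dropped_syn = 0

    def _expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t >= SYN_TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, now):
        """Return True if a SYN-ACK was sent, False if the backlog was full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1  # table full: this client never gets a SYN-ACK
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def syn_cookie(src_ip, src_port, minute):
    """Stateless initial sequence number: a MAC over the peer address and a coarse clock."""
    msg = f"{src_ip}:{src_port}:{SERVER_PORT}:{minute}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class CookieListener:
    """SYN-cookie listener: keeps no state for SYNs; the cookie in the ACK proves the handshake."""

    def __init__(self):
        self.established = 0

    def on_syn(self, src, now):
        ip, port = src
        return syn_cookie(ip, port, now // 60)   # this is the SYN-ACK sequence number

    def on_ack(self, src, ack_seq, now):
        ip, port = src
        minute = now // 60
        # Accept the current or previous minute so a slow client is not rejected.
        for m in (minute, minute - 1):
            if (syn_cookie(ip, port, m) + 1) & 0xFFFFFFFF == ack_seq:
                self.established += 1
                return True
        return False


def simulate(spoofed_syns=20, backlog=BACKLOG):
    """Constructed scenario: spoofed SYNs that are never acknowledged, then one real client."""
    stateful, cookie = StatefulListener(backlog), CookieListener()
    now = 1000
    for i in range(spoofed_syns):
        forged = (f"10.0.0.{i % 250 + 1}", 40000 + i)   # forged source, never answers
        stateful.on_syn(forged, now)
        cookie.on_syn(forged, now)

    legit = ("192.0.2.10", 51515)
    if stateful.on_syn(legit, now + 1):
        stateful.on_ack(legit, now + 2)
    isn = cookie.on_syn(legit, now + 1)
    cookie.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 2)

    return {
        "stateful_established": stateful.established,
        "stateful_dropped": stateful.dropped_syn,
        "cookie_established": cookie.established,
    }


if __name__ == "__main__":
    print(simulate())
```

With twenty forged SYNs against an eight-slot backlog the stateful listener drops the real client along with the later forged ones and completes no handshake, while the cookie listener completes the real one because it never reserved anything for the forged SYNs. Real SYN cookies also squeeze the client's MSS into the sequence number and fall back to normal state keeping while the backlog has room; the model leaves that out.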
Page 8: Typical attack

1. prepare attack
2. set up network
3. communication

Notes (Mark):
1. all the things the attacker has to prepare before starting.
2. the steps needed to infect the client machines and to set up the distributed network.
3. ways of communicating with the client machines to issue commands.
Page 9: UNIX ('trin00') - preparation I

- use a stolen account (high bandwidth) as a repository of:
  - scanners
  - attack tools (e.g. buffer overrun exploit)
  - root kits
  - sniffers
  - trin00 master and daemon program
  - list of vulnerable hosts, previously compromised hosts, ...

Notes (Mark): they try to exploit various vulnerabilities to gain root access.
Page 10: UNIX ('trin00') - preparation II

- scan large ranges of network blocks to identify potential targets (running an exploitable service)
- the list is used to create a script that:
  - performs the exploit
  - sets up a cmd shell running under root that listens on a TCP port (1524/tcp)
  - connects to this port to confirm the exploit
- → list of owned systems

Page 11: UNIX ('trin00') - network I

- store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
- a script takes the 'owned list' to automate the installation process of the daemon
- the same goes for the trin00 master

Page 12: UNIX ('trin00') - network II

attacker
 |
 +-- master   master   master
       |
       +-- daemon   daemon   daemon   daemon

Page 13: UNIX ('trin00') - communication

- attacker controls the master via telnet and a password (port 27665/tcp)
- trin00 master to daemon via 27444/udp (arg1 pwd arg2)
- daemon to master via 31335/udp
- 'dos <pw> 192.168.0.1' triggers the attack
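From the defender's side, the fixed control ports and command form listed on this slide are exactly what a network monitor could look for. The code below is an added example, not part of the slides or of any real tool: it parses constructed flow records in an assumed `proto src:sport > dst:dport [payload]` format, flags flows to the three trin00 ports, and infers from the direction of traffic which hosts are acting as master or daemon. Port-based detection is brittle (a recompiled tool can use any ports), which is why the later slides' point about tools evolving matters.

```python
import re

# Control-channel ports named on the slide for the 1999-era trin00 tool.
TRIN00_PORTS = {
    ("tcp", 27665): "attacker -> master (telnet, password)",
    ("udp", 27444): "master -> daemon (commands)",
    ("udp", 31335): "daemon -> master (replies)",
}

# Attacker-to-master command form quoted on the slide: 'dos <pw> <target ip>'.
DOS_CMD = re.compile(r"^dos\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed flow records in an assumed 'proto src:sport > dst:dport [payload]' format.
CONSTRUCTED_FLOWS = """\
tcp 203.0.113.5:40211 > 198.51.100.7:22
tcp 203.0.113.9:51000 > 198.51.100.7:27665 dos hunter2 192.0.2.1
udp 198.51.100.7:27444 > 198.51.100.20:27444
udp 198.51.100.20:31335 > 198.51.100.7:31335
udp 198.51.100.30:9876 > 198.51.100.7:53
"""

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)(?:\s+(.*))?$")


def parse_flow(line):
    """Return a dict for one flow line, or None if it does not match the assumed format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport, payload = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "payload": payload or ""}


def detect(text):
    """Flag flows to trin00 control ports and infer which hosts act as master or daemon."""
    alerts, roles = [], {}
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dport"])
        if key not in TRIN00_PORTS:
            continue
        alert = {"line": line, "dport": rec["dport"], "meaning": TRIN00_PORTS[key]}
        if key == ("tcp", 27665):
            roles.setdefault(rec["dst"], set()).add("master")
            m = DOS_CMD.match(rec["payload"])
            if m:
                alert["target"] = m.group(1)   # the host the attack would be aimed at
        elif key == ("udp", 27444):
            roles.setdefault(rec["src"], set()).add("master")
            roles.setdefault(rec["dst"], set()).add("daemon")
        else:  # ("udp", 31335)
            roles.setdefault(rec["src"], set()).add("daemon")
            roles.setdefault(rec["dst"], set()).add("master")
        alerts.append(alert)
    return alerts, roles


if __name__ == "__main__":
    found, hosts = detect(CONSTRUCTED_FLOWS)
    for a in found:
        print(a)
    print(hosts)
```

On the constructed sample the SSH and DNS flows pass, the three control flows are flagged, 198.51.100.7 is labelled master and 198.51.100.20 daemon, and the telnet payload yields the intended target address so the victim can be warned before the flood starts.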

Page 14: Windows ('Sub7') - preparation I

- set up the following things on your home PC:
  - freemail
  - Kazaa
  - trojan toolkit
  - IRC client
  - IRC bot

Page 15: Windows ('Sub7') - preparation II

- assemble different trojans (GUI)
- define ways of communication
- name
- file

Page 16: Windows ('Sub7') - network I

- start spreading via
  - email / news lists
  - IRC
  - P2P software

Page 17: Windows ('Sub7') - network II

attacker
 |
 +-- client   client   client   client

Page 18: Windows ('Sub7') - communication

- sub7client
- IRC channel
- 1 click to launch attack

Page 19: Development

[Chart: "Attack Sophistication" and "Intruder Knowledge" plotted from Low to High against a 1980, 1985, 1990, 1995, 2001 timeline, with series labelled Tools and Attackers. Techniques marked along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]

Source: CERT/CC

Page 20: Solutions

- statistical analyses (e.g. D-WARD) at core routers - not ready yet
- change awareness of people (firewalls, attachments, V-scanners, ...)

Notes (Mark): These techniques analyse the 'normal' network traffic over a certain amount of time and then use this pattern to filter out 'unusual' traffic. Problem: too often the legitimate traffic gets filtered out too.
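An added example, not from the slides or from D-WARD itself, of the false-positive problem the notes raise. A model of "normal" is learned from a constructed training window; a volume-only filter then flags a legitimate flash crowd exactly as it flags a spoofed flood. Adding a second, behavioural feature (how much of the incoming traffic draws replies from the peer, in the spirit of D-WARD's flow models) separates the two. The samples, the 3σ threshold and the assumption that legitimate TCP traffic is answered while spoofed traffic is not are all constructed for this illustration.

```python
import statistics

# Constructed per-interval samples. Each entry is (packets_in, packets_answered):
# how many packets arrived and how many of them drew a reply from the peer.
# That legitimate TCP traffic is answered while spoofed traffic is not is an
# assumption of this example (in the spirit of the D-WARD flow models), not a
# claim from the slides.
BASELINE = [(40, 38), (42, 41), (38, 37), (45, 44), (41, 40), (39, 38),
            (44, 43), (40, 39), (43, 42), (42, 41), (41, 40), (39, 38)]
FLASH_CROWD = [(400, 392), (450, 441), (480, 470)]   # real users arriving at once
SPOOFED_FLOOD = [(400, 2), (450, 3), (480, 1)]       # forged sources never answer


def build_model(intervals, k=3.0):
    """Learn what 'normal' looks like from a training window."""
    rates = [p for p, _ in intervals]
    ratios = [p / max(a, 1) for p, a in intervals]
    mean, sd = statistics.mean(rates), statistics.pstdev(rates)
    return {
        "rate_limit": mean + k * sd,      # packets per interval above this are unusual
        "ratio_limit": 2 * max(ratios),   # twice the worst in/answered ratio seen in training
    }


def rate_only(model, intervals):
    """Volume-based filter: one flag per interval. Flash crowds look exactly like floods."""
    return [p > model["rate_limit"] for p, _ in intervals]


def rate_and_ratio(model, intervals):
    """Volume plus behaviour: unusual volume that also goes unanswered."""
    return [p > model["rate_limit"] and p / max(a, 1) > model["ratio_limit"]
            for p, a in intervals]


def false_positive_rate(model, legitimate_intervals, detector):
    """Share of legitimate intervals a detector would filter out."""
    flags = detector(model, legitimate_intervals)
    return sum(flags) / len(flags)


if __name__ == "__main__":
    model = build_model(BASELINE)
    for name, sample in (("flash crowd", FLASH_CROWD), ("spoofed flood", SPOOFED_FLOOD)):
        print(name, "rate only:", rate_only(model, sample),
              "rate+ratio:", rate_and_ratio(model, sample))
```

The learned rate limit lands at roughly 47 packets per interval, so every flash-crowd interval at 400 and above is filtered by the volume rule, which is the "legitimate traffic gets filtered out too" outcome. The ratio rule passes the flash crowd, whose requests are still being answered, and keeps the flood, whose forged sources cannot answer. The cost is that the monitor must now see both directions of the traffic, which is hard at the core routers the slide mentions and is one reason such schemes were "not ready yet".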
Page 21: Thanks for your attention!