DDoS Handout

Upload: vtuan1102

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 DDos Handout

    Slide 1/21: DDoS, Distributed Denial of Service Attacks

    by Mark Schuchter

  • Slide 2/21: Overview

    - Introduction
    - Why?
    - Timeline
    - How?
    - Typical attack (UNIX)
    - Typical attack (Windows)

  • Slide 3/21: Introduction

    DDoS attack:

    - prevents and impairs computer use
    - targets limited and consumable resources (memory, processor cycles, bandwidth, ...)
    - Internet security is highly interdependent

    No matter how secure your site is, whether you get attacked or not depends on the security of others.

  • Slide 4/21: Why?

    - sub-cultural status: initiation into the hacker scene (although thought blunt by many hackers)
    - to gain access: using DDoS to crash a firewall
    - political reasons: i.e. Bush attacking Kelly's homepage
    - economic reasons: attack a competitor to gain business advantages
    - revenge: i.e. a former employee
    - nastiness

  • Slide 5/21: (no text on this slide)

  • Slide 6/21: How?

    - TCP floods (various flags)
    - ICMP echo requests (e.g. ping floods)
    - UDP floods

    These three are the most frequently used ones because it is hardest to differentiate between an actual attack and normal traffic.

  • Slide 7/21: SYN Attack

    Handshake:
      Client -> Server: SYN
      Server -> Client: SYN-ACK
      Client -> Server: ACK

    Attack:
      Attacker (spoofed IP) -> Server: SYN
      Server -> spoofed IP: SYN-ACK
      (the final ACK never arrives, so the connection stays half open)

    The first sequence is a normal client-server handshake to open a connection (i.e. an HTTP request).

    An attacker with a spoofed (= forged) IP can use half-open connections to claim buffer space and to deny legitimate requests the service.
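A defender-side illustration of the half-open state the slide describes, added here and not part of the handout: the monitor replays a constructed packet log, tracks each handshake, and reports which sources hold half-open slots. The record format, addresses and the backlog budget are assumptions for this example.

```python
from collections import defaultdict

# Assumed for this example: a source holding more half-open slots than this is flagged.
BACKLOG_BUDGET = 3

def half_open_by_source(packets):
    """Replay (src, sport, dst, dport, flags) records and return
    {client_ip: half-open count}. A flow is half open once the server has
    answered SYN with SYN-ACK and the client's ACK never arrived."""
    state = {}  # (client_ip, client_port, server_ip) -> handshake stage
    for src, sport, dst, dport, flags in packets:
        if flags == "SYN":
            state[(src, sport, dst)] = "SYN"
        elif flags == "SYN-ACK":
            key = (dst, dport, src)  # the reply travels back to the client
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif flags == "ACK":
            key = (src, sport, dst)
            if state.get(key) == "SYN-ACK":
                state[key] = "ESTABLISHED"
    counts = defaultdict(int)
    for (client, _port, _server), stage in state.items():
        if stage == "SYN-ACK":
            counts[client] += 1
    return dict(counts)

def total_half_open(packets):
    """Backlog pressure on the server regardless of source: the signal that
    survives when the spoofed addresses are randomised."""
    return sum(half_open_by_source(packets).values())

def flag_sources(packets, budget=BACKLOG_BUDGET):
    """Sources whose half-open count exceeds the budget, sorted."""
    return sorted(s for s, n in half_open_by_source(packets).items() if n > budget)

# Constructed packet log. 10.0.0.5 completes a handshake; 198.51.100.7 is the
# spoofed source: five SYNs, each answered by the server, none acknowledged.
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "SYN"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SYN-ACK"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "ACK"),
]
for port in range(50000, 50005):
    PACKETS.append(("198.51.100.7", port, "192.0.2.10", 80, "SYN"))
    PACKETS.append(("192.0.2.10", 80, "198.51.100.7", port, "SYN-ACK"))
```

Because the slide's attacker forges the source address, a per-source count is only useful while the forged addresses repeat; with randomised sources the total half-open count is the signal to alert on.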

  • Slide 8/21: Typical attack

    1. prepare attack: all the things the attacker has to prepare before he starts.
    2. set up network: the steps he needs to undertake to infect the client machines and to set up the distributed network.
    3. communication: ways of communicating with the client machines to issue commands.

  • Slide 9/21: UNIX (trin00) preparation I

    - use a stolen account (high bandwidth) for a repository of:
      - scanners
      - attack tools (i.e. buffer overrun exploit)
      - root kits
      - sniffers
      - trin00 master and daemon program
      - list of vulnerable hosts, previously compromised hosts, ...

    They try to exploit various vulnerabilities to gain root access.

  • Slide 10/21: UNIX (trin00) preparation II

    - scan a large range of network blocks to identify potential targets (running an exploitable service)
    - the list is used to create a script that:
      - performs the exploit
      - sets up a cmd shell running under root that listens on a TCP port (1524/tcp)
      - connects to this port to confirm the exploit
    - result: list of owned systems

  • Slide 11/21: UNIX (trin00) network I

    - store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
    - a script takes the owned list to automate the installation process of the daemon
    - same goes for the trin00 master

  • Slide 12/21: UNIX (trin00) network II

    Diagram of the trin00 hierarchy (top to bottom):

      attacker  attacker
      master  master  master
      daemon  daemon  daemon  daemon

  • Slide 13/21: UNIX (trin00) communication

    - the attacker controls the master via telnet and a password (port 27665/tcp)
    - trin00 master to daemon via 27444/udp (arg1 pwd arg2)
    - daemon to master via 31335/udp
    - "dos 192.168.0.1" triggers the attack
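The three control channels on this slide give a network defender something concrete to look for. The following is an added example, not part of the handout or of trin00 itself: it matches constructed flow records against those port/protocol pairs and infers which hosts are behaving as masters and daemons. The flow record format and addresses are assumptions.

```python
# Trin00 control channels as named on the slide; the label says what a hit means.
TRIN00_CHANNELS = {
    ("tcp", 27665): "attacker -> master (telnet, password)",
    ("udp", 27444): "master -> daemon command",
    ("udp", 31335): "daemon -> master reply",
}

def match_trin00(flows):
    """Return (src, dst, label) for every flow whose protocol and destination
    port match a trin00 channel. flows: (proto, src, dst, dport) records."""
    hits = []
    for proto, src, dst, dport in flows:
        label = TRIN00_CHANNELS.get((proto, dport))
        if label is not None:
            hits.append((src, dst, label))
    return hits

def suspected_roles(flows):
    """Map hosts to the roles the hits imply: the endpoint accepting 27665/tcp
    or 31335/udp behaves like a master, the one accepting 27444/udp like a daemon."""
    roles = {}
    for proto, src, dst, dport in flows:
        if (proto, dport) == ("tcp", 27665):
            roles.setdefault(dst, set()).add("master")
        elif (proto, dport) == ("udp", 27444):
            roles.setdefault(src, set()).add("master")
            roles.setdefault(dst, set()).add("daemon")
        elif (proto, dport) == ("udp", 31335):
            roles.setdefault(src, set()).add("daemon")
            roles.setdefault(dst, set()).add("master")
    return {host: sorted(r) for host, r in roles.items()}

# Constructed flow records (proto, src, dst, dport); the last one is benign HTTPS.
FLOWS = [
    ("tcp", "203.0.113.9", "192.0.2.20", 27665),
    ("udp", "192.0.2.20", "192.0.2.31", 27444),
    ("udp", "192.0.2.20", "192.0.2.32", 27444),
    ("udp", "192.0.2.31", "192.0.2.20", 31335),
    ("tcp", "10.0.0.8", "192.0.2.40", 443),
]
```

A port match on its own is a weak indicator, since the ports are only defaults; treat a hit as a prompt to inspect the hosts involved, not as proof of compromise.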

  • Slide 14/21: Windows (Sub7) preparation I

    - set up the following things on your home PC:
      - freemail
      - Kazaa
      - trojan toolkit
      - IRC client
      - IRC bot

  • Slide 15/21: Windows (Sub7) preparation II

    - assemble different trojans (GUI)
    - define ways of communication
      - name
      - file

  • Slide 16/21: Windows (Sub7) network I

    - start spreading via
      - email / news lists
      - IRC
      - P2P software

  • Slide 17/21: Windows (Sub7) network II

    Diagram of the Sub7 network (top to bottom):

      attacker
      client  client  client  client

  • Slide 18/21: Windows (Sub7) communication

    - sub7client
    - IRC channel
    - 1 click to launch the attack

  • Slide 19/21: Development

    [Chart: attack sophistication versus intruder knowledge, 1980 to 2001. Vertical axis: High / Low; curves labelled Intruder Knowledge and Attack Sophistication; legend: Tools, Attackers. Source: CERT/CC]

    Techniques placed along the timeline, in the order extracted:

    - password guessing
    - password cracking
    - exploiting known vulnerabilities
    - disabling audits
    - back doors
    - hijacking sessions
    - sniffers
    - packet spoofing
    - GUI
    - automated probes/scans
    - denial of service
    - www attacks
    - stealth / advanced scanning techniques
    - burglaries
    - network mgmt. diagnostics
    - distributed attack tools
    - binary encryption

    Source: CERT/CC

  • Slide 20/21: Solutions

    - statistical analyses (i.e. D-ward) at core routers: not ready yet
    - change the awareness of people (firewalls, attachments, V-scanners, ...)

    These techniques analyse the 'normal' network traffic over a certain amount of time and then use this pattern to filter out 'unusual' traffic. Problem: too often the legitimate traffic gets filtered out too.
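The baseline-and-filter idea on this slide, and the false-positive problem the notes raise, reduced to a runnable sketch. This is an added example, not the handout's or D-ward's own method: a per-second packet-count baseline is learned from a 'normal' window, later seconds above mean plus k standard deviations are dropped, and a legitimate burst is shown being dropped just like a flood. All counts and the threshold factor are constructed assumptions.

```python
from statistics import mean, pstdev

def learn_baseline(normal_counts):
    """Learn (mean, stddev) of packets per second from the 'normal' window."""
    return mean(normal_counts), pstdev(normal_counts)

def filter_traffic(baseline, counts, k=3.0):
    """Per-second decisions (index, count, dropped); a second is dropped
    when its count exceeds mean + k * stddev of the learned baseline."""
    mu, sigma = baseline
    limit = mu + k * sigma
    return [(i, c, c > limit) for i, c in enumerate(counts)]

def dropped_seconds(baseline, counts, k=3.0):
    """Indices of the seconds the filter would discard."""
    return [i for i, _c, dropped in filter_traffic(baseline, counts, k) if dropped]

# Constructed data: a quiet learning window, a flood, and a flash crowd of
# legitimate users that the filter cannot tell apart from the flood.
NORMAL = [100, 110, 95, 105, 100, 98, 102, 108, 97, 103]
FLOOD = [100, 104, 2500, 2600, 2700, 101]      # flood in seconds 2-4
FLASH_CROWD = [100, 250, 260, 240, 105]        # legitimate, but filtered too
BASELINE = learn_baseline(NORMAL)               # about (101.8, 4.6)
```

Lowering k reduces the false positives on the flash crowd only by also letting more of the flood through; the slide's "not ready yet" is exactly this trade-off.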

  • Slide 21/21: Thanks for your attention!