DDoS handout
TRANSCRIPT
-
7/31/2019 DDoS Handout
DDoS
Distributed Denial of Service Attacks
by Mark Schuchter
-
Overview
- Introduction
- Why?
- Timeline
- How?
- Typical attack (UNIX)
- Typical attack (Windows)
-
Introduction
A DDoS attack prevents or impairs legitimate computer use.
It targets limited, consumable resources (memory, processor cycles, bandwidth, ...).
Internet security is highly interdependent: no matter how secure your own site is, whether you get attacked depends on the security of others, because their compromised hosts are the platform the attack is launched from.
-
Why?
- sub-cultural status (initiation into the hacker scene, although thought blunt by many hackers)
- to gain access (e.g. using DDoS to crash a firewall)
- political reasons
- economic reasons (attacking a competitor to gain a business advantage)
- revenge (e.g. a former employee)
- nastiness (e.g. Bush attacking Kelly's homepage)
-
Timeline
(this slide is a figure that did not survive extraction)
-
How?
- TCP floods (various flag combinations)
- ICMP echo requests (e.g. ping floods)
- UDP floods
These three are the most frequently used because their packets look like ordinary traffic, so it is hardest to tell an attack from normal load.
-
SYN attack
Normal client-server handshake to open a connection (e.g. for an HTTP request):
  Client -> Server: SYN
  Server -> Client: SYN-ACK
  Client -> Server: ACK
Attack with a spoofed (forged) source IP:
  Attacker (spoofed IP) -> Server: SYN
  Server -> spoofed IP:   SYN-ACK (the real owner of that address never sent a SYN, so no ACK ever comes back)
The server keeps every such half-open connection in its backlog until it times out. An attacker who opens them faster than they expire claims all of that buffer space and legitimate requests are denied the service.
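The exchange above, tracked as a detector would see it in a packet log. This is an added example, not code from the handout: the log format (tcpdump-style flag letters S, SA, A, R), the sample lines and every function name are this example's own constructions, and the backlog size is an arbitrary small number so the exhaustion shows with a handful of packets.

```python
"""Half-open (embryonic) connection tracking over a packet log.

Added example, not from the handout. Each constructed log line is
  <time> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>
with flags spelled as tcpdump prints them (S, SA, A, R).
"""

# Constructed sample: 10.0.0.5 completes its handshake; four SYNs from
# spoofed 203.0.113.x sources get a SYN-ACK but never send the final ACK.
SAMPLE_LOG = """\
0.000 10.0.0.5:40001 > 192.0.2.10:80 S
0.001 192.0.2.10:80 > 10.0.0.5:40001 SA
0.002 10.0.0.5:40001 > 192.0.2.10:80 A
0.100 203.0.113.1:1025 > 192.0.2.10:80 S
0.101 192.0.2.10:80 > 203.0.113.1:1025 SA
0.102 203.0.113.2:1025 > 192.0.2.10:80 S
0.103 192.0.2.10:80 > 203.0.113.2:1025 SA
0.104 203.0.113.3:1025 > 192.0.2.10:80 S
0.105 192.0.2.10:80 > 203.0.113.3:1025 SA
0.106 203.0.113.4:1025 > 192.0.2.10:80 S
0.107 192.0.2.10:80 > 203.0.113.4:1025 SA
"""


def parse_line(line):
    """Split one log line into (time, src, dst, flags); src/dst keep their port."""
    t, src, _arrow, dst, flags = line.split()
    return float(t), src, dst, flags


def track_half_open(log, server):
    """Return the set of (client, server) pairs still half-open at the end of the log.

    A connection enters the set when the server answers a SYN with SYN-ACK
    (the server has now allocated backlog state) and leaves it when the
    client's ACK or a RST arrives. With spoofed sources that ACK never
    comes, so the set only grows.
    """
    half_open = set()
    for line in log.splitlines():
        _t, src, dst, flags = parse_line(line)
        if flags == "SA" and src == server:
            half_open.add((dst, src))       # server committed state for dst
        elif flags in ("A", "R") and dst == server:
            half_open.discard((src, dst))   # handshake completed or aborted
    return half_open


def flooding_sources(half_open):
    """Client addresses (without port) that hold a half-open slot, sorted."""
    return sorted(client.rsplit(":", 1)[0] for client, _server in half_open)


def backlog_exhausted(half_open, backlog=3):
    """True once the half-open count reaches the (assumed) backlog size."""
    return len(half_open) >= backlog


if __name__ == "__main__":
    pending = track_half_open(SAMPLE_LOG, "192.0.2.10:80")
    print("half-open:", len(pending), "from", flooding_sources(pending))
    print("backlog exhausted:", backlog_exhausted(pending))
```

Note that the legitimate client drops out of the set as soon as its ACK is seen, so a real detector keys on how long entries stay, not just how many there are; the sources listed are the spoofed addresses, which is why a SYN flood cannot simply be blocked by source IP.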
-
Typical attack
1. prepare attack: everything the attacker has to prepare before he starts
2. set up network: the steps he needs to undertake to infect the client machines and to set up the distributed network
3. communication: ways of communicating with the client machines to issue commands
-
UNIX (trin00) preparation I
- use a stolen account (high bandwidth) as a repository for:
  - scanners
  - attack tools (e.g. buffer overrun exploits)
  - root kits
  - sniffers
  - trin00 master and daemon programs
  - list of vulnerable hosts, previously compromised hosts, ...
- various vulnerabilities are exploited to gain root access on the target hosts
-
UNIX (trin00) preparation II
- scan large ranges of network blocks to identify potential targets (running an exploitable service)
- the list is used to create a script that:
  - performs the exploit
  - sets up a command shell running as root that listens on a TCP port (1524/tcp)
  - connects to this port to confirm the exploit
- result: a list of owned systems
-
UNIX (trin00) network I
- store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
- a script takes the owned list to automate the installation of the daemon
- same goes for the trin00 master
-
UNIX (trin00) network II (three tiers)
attacker   attacker
    |          |
 master     master     master
    |          |          |
 daemon    daemon    daemon    daemon
The attackers talk to the masters and the masters to the daemons.
-
UNIX (trin00) communication
- attacker controls a master via telnet and a password (port 27665/tcp)
- trin00 master to daemon via 27444/udp (message format: arg1 pwd arg2)
- daemon to master via 31335/udp
- the master command "dos 192.168.0.1" triggers the attack against that address
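The three control channels above give a network defender something to look for. The following added example (not code from the handout or from trin00 itself) rebuilds the master/daemon topology from flow records using only the ports the slide lists; the flow format, the sample flows and all names are this example's own assumptions. It also splits a master-to-daemon message into the "arg1 pwd arg2" fields the slide describes, with a made-up password. Since the ports and password are compiled into the binaries and trivially changed, a hit is a lead to confirm on the host, not proof.

```python
"""Rebuild a trin00-style control topology from flow records.

Added example, not from the handout. Only the control ports the handout
lists are used:
  attacker -> master  27665/tcp  (telnet + password)
  master   -> daemon  27444/udp  (arg1 pwd arg2)
  daemon   -> master  31335/udp
The flow format "proto src_ip dst_ip dst_port" is this example's own.
"""
from collections import defaultdict

MASTER_CTRL = ("tcp", 27665)
MASTER_TO_DAEMON = ("udp", 27444)
DAEMON_TO_MASTER = ("udp", 31335)

# Constructed flows: one attacker, one master, three daemons, one
# unrelated web flow that must not be picked up.
SAMPLE_FLOWS = """\
tcp 198.51.100.7 192.0.2.20 27665
udp 192.0.2.20 192.0.2.31 27444
udp 192.0.2.20 192.0.2.32 27444
udp 192.0.2.31 192.0.2.20 31335
udp 192.0.2.32 192.0.2.20 31335
udp 192.0.2.33 192.0.2.20 31335
tcp 10.0.0.9 10.0.0.10 80
"""


def parse_flows(text):
    """Yield (proto, src, dst, dport) for each constructed flow line."""
    for line in text.splitlines():
        proto, src, dst, dport = line.split()
        yield proto, src, dst, int(dport)


def trin00_topology(text):
    """Return {master_ip: {"attackers": set(ips), "daemons": set(ips)}}.

    A host receiving 27665/tcp is treated as a master; hosts it sends
    27444/udp to, or that send it 31335/udp, as its daemons.
    """
    attackers = defaultdict(set)
    daemons = defaultdict(set)
    for proto, src, dst, dport in parse_flows(text):
        if (proto, dport) == MASTER_CTRL:
            attackers[dst].add(src)      # dst is the master being driven
        elif (proto, dport) == MASTER_TO_DAEMON:
            daemons[src].add(dst)        # src is master, dst is daemon
        elif (proto, dport) == DAEMON_TO_MASTER:
            daemons[dst].add(src)        # dst is master, src is daemon
    masters = set(attackers) | set(daemons)
    return {m: {"attackers": set(attackers[m]), "daemons": set(daemons[m])}
            for m in masters}


def split_daemon_message(payload, password):
    """Parse a master->daemon datagram of the form "arg1 pwd arg2".

    Returns (command, argument) when the middle field matches the
    (assumed) daemon password, else None. The password value is made up.
    """
    fields = payload.split()
    if len(fields) != 3 or fields[1] != password:
        return None
    return fields[0], fields[2]


if __name__ == "__main__":
    for master, roles in trin00_topology(SAMPLE_FLOWS).items():
        print(master, "attackers:", sorted(roles["attackers"]),
              "daemons:", sorted(roles["daemons"]))
    print(split_daemon_message("dos hunter2 192.168.0.1", "hunter2"))
```

The daemon 192.0.2.33 shows up only through its 31335/udp report, which is the kind of one-sided evidence a flow log gives you: it confirms a host is talking to the master even if you never saw the command go out.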
-
Windows (Sub7) preparation I
- set up the following things on your home PC:
  - freemail account
  - Kazaa
  - trojan toolkit
  - IRC client
  - IRC bot
-
Windows (Sub7) preparation II
- assemble different trojans (GUI)
- define ways of communication
  - name
  - file
-
Windows (Sub7) network I
- start spreading via
  - email / news lists
  - IRC
  - P2P software
-
Windows (Sub7) network II (two tiers)
            attacker
    |        |        |        |
 client   client   client   client
-
Windows (Sub7) communication
- Sub7 client
- IRC channel
- 1 click to launch the attack
-
Development
Figure: attack sophistication versus intruder knowledge, 1980 to 2001 (Source: CERT/CC). The intruder knowledge required falls from high to low over the period while attack sophistication rises; the tools and techniques placed along the timeline are:
password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption
-
Solutions
- statistical analyses (e.g. D-WARD) at core routers - not ready yet
- change people's awareness (firewalls, attachments, virus scanners, ...)
These techniques analyse the 'normal' network traffic over a certain period of time and then use that pattern to filter out 'unusual' traffic.
Problem: too often legitimate traffic gets filtered out as well.
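The "learn normal, drop unusual" idea and its false-positive problem, in the smallest form that shows both. This is an added example, not the handout's and not D-WARD's algorithm: a mean-plus-k-sigma threshold over constructed per-second request counts, with a flash crowd (a legitimate surge) that the rate check alone cannot tell from a flood. It goes one step beyond the slide by adding a second signal, the share of connections that actually complete, which is what lets the two cases be separated; the threshold values and the completion ratios are assumptions.

```python
"""Baseline-and-threshold filtering with its false-positive failure mode.

Added example, not from the handout and not D-WARD. All counts and
ratios are constructed; k and MIN_COMPLETION are arbitrary choices.
"""
import statistics

# Constructed "normal" period: requests per second to one service.
TRAINING = [100, 110, 95, 105, 100, 90, 108, 102, 97, 103]

# Two later periods with the same rate shape on the first bucket.
FLOOD = [100, 5000, 7000]          # requests/s during a flood
FLOOD_COMPLETION = [0.90, 0.02, 0.01]   # share of connections that finish
FLASH_CROWD = [100, 400, 450]      # a legitimate surge (news link, sale)
FLASH_COMPLETION = [0.90, 0.95, 0.96]

MIN_COMPLETION = 0.5   # assumed: below this, the surge is not real clients


def learn_baseline(counts):
    """Mean and population standard deviation of the training period."""
    return statistics.mean(counts), statistics.pstdev(counts)


def classify(counts, baseline, k=3.0):
    """Rate-only rule: 'drop' any bucket above mean + k * stdev, else 'pass'."""
    mean, sd = baseline
    limit = mean + k * sd
    return ["drop" if c > limit else "pass" for c in counts]


def classify_with_completion(counts, completion, baseline, k=3.0,
                             min_completion=MIN_COMPLETION):
    """Rate anomaly AND low completion ratio: flood drops, flash crowd passes.

    A flood of spoofed or half-open requests rarely completes its
    connections; a flash crowd of real browsers does.
    """
    rate = classify(counts, baseline, k)
    return ["drop" if r == "drop" and comp < min_completion else "pass"
            for r, comp in zip(rate, completion)]


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    print("limit ~", round(base[0] + 3.0 * base[1], 1), "req/s")
    print("rate only  flood:", classify(FLOOD, base),
          " flash crowd:", classify(FLASH_CROWD, base))
    print("with ratio flood:", classify_with_completion(FLOOD, FLOOD_COMPLETION, base),
          " flash crowd:", classify_with_completion(FLASH_CROWD, FLASH_COMPLETION, base))
```

With the training data above the limit is roughly 118 requests per second, so the rate-only rule drops the flash crowd exactly as it drops the flood; that is the problem the slide names. The completion ratio is one cheap extra signal, and a real deployment would want several, because any single threshold an attacker can measure is one they can stay just under.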
-
Thanks for your attention!