DoS Attacks

Uploaded by sandra4211, 09-Dec-2014

Page 1: DoS Attacks

DoS Attacks

Page 2: DoS Attacks

SECURITY INNOVATION ©2003

What is it?

By definition a DoS attack is an attack on a system or network(s) that renders the system or network(s) incapable of performing the function it was designed to do, or that makes the system's services unavailable to subscribed users. Attacks may be in the form of intense CPU usage, system reboots, or entire network failure(!)

Page 3: DoS Attacks

Why do DoS attacks exist?

• There is sometimes nothing you can do to protect yourself
• They are easy…really easy. Anyone can attack a system with great success
• To gain 1) access, and 2) status
• Appear to be damaging but not THAT damaging
• Political, economical, social comments
• They are exploits of protocol by nature
• People are bored and nasty at the same time

There are more DoS attacks than any other

Page 4: DoS Attacks

How bad can it be? (pretty bad!)

• ISP can offer NO service to your subscribers (Panix, WorldNET, M$)
• Critical network points stop working (firewalls, routers, gateways, databases)
• Remote users cannot connect to office
• You cannot get information to your customers - customers go elsewhere
• Soldiers in the field have no contact with HQ - you have no control for troop movement

Your information stops moving

Page 5: DoS Attacks

The Attacks (external and internal)

• Fat Ping Attack - Solaris x86, HP, Novell, etc.
• SYN flooding (Neptune, flood)
• Data/Service bombs (UDP, ICMP, finger)
• Service loops (chargen, echo), OOB data
• OS specific bombing (time, memory leaks)
• High port overflows; server fills; SPAMMING
• Hostile Applets (Ungr8ful, Downtime)
• Mailbombing (UpYours, Avalanche, Unibomb, DnD)
• Virus, Physical access, Spamming, subscription
• DNS corruption, server corruption, RAM misuse
• Microsoft, Microsoft, Microsoft

Page 6: DoS Attacks

Mail Bombing

• Pretty lame, but VERY effective!
• Mass multiple mailings to victim using an intermediate bounce point
• Anonymous remailers allow for TOTAL anonymity
• Look for RFC compliant products (routers, firewalls, gateways)
• Good for mail, list subscriptions, passing blame, insulting
• Problems result in BIGGER disk usage, then the failure comes


Page 10: DoS Attacks

Mail Bombing - Solution

• Sadly, there may not always be one
• If you have a Firewall, take advantage of a DMZ and try a not-so-friendly mailer (/dev/null)
• Use mail mappings
• Learn the signatures of the bombs and be aware of them
• Make sure your mail server stamps your domain on all mail
• Don't panic!

Page 11: DoS Attacks

The DNS Issues

• DNS is very critical to your success, thus it is a great target for attackers. Capture the DNS, capture you.
• Cache corruption
• Packet flooding (SYN)
• Query overflow
• Garbage…lots of garbage.

Attacks may be specific to DNS ports

Page 12: DoS Attacks

Cache Corruption

• Based on servers handling recursive queries
• Add an 'A' record to the DNS of victim.com to resolve www.anotherhost.com to 127.0.0.1
• Capturing dns.victim.com packets to dns.attacker.com allows retrieval of qid0 (query ID) of dns.victim.com
• Send query to dns.victim.com asking for www.anotherhost.com using next qid
• Flood dns.victim.com with spoofed replies from dns.anotherhost.com saying that www.anotherhost.com is 127.0.0.1

NOTE: ANY IP ADDRESS CAN BE USED instead of 127.0.0.1

Page 13: DoS Attacks

Cache corruption - Solution

• Use an updated version of BIND for your DNS, keep abreast of issues
• Keep caching to a minimum, perhaps setting some timeouts
• Ask yourself: Do you really need to do recursive queries?
• Will a Firewall help or make matters worse?
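Why the cache-corruption sequence on the previous page works, and what an updated resolver does about it, as an added example (not from the slides): a constructed model of a resolver's outstanding-query table that only caches a reply matching a pending query on transaction ID, local port, question name and the upstream server it asked, and counts unsolicited replies per source so a spoof flood can be flagged. The host names, addresses, qid leak and the 500-reply flood are all assumptions for the simulation.

```python
import random
from collections import Counter

# Constructed model of a recursive resolver's outstanding-query table (added example,
# not from the slides). A reply is cached only if it matches a pending query on
# transaction ID, local port and question name and arrives from the server that was asked.
class PendingQueries:
    def __init__(self, random_ids=True):
        self.random_ids = random_ids
        self.next_seq = 1          # sequential IDs: the weakness the slide relies on
        self.pending = {}          # (qid, port) -> (qname, upstream_ip)
        self.rejected = Counter()  # source IP -> replies that matched nothing

    def send_query(self, qname, upstream_ip):
        if self.random_ids:        # random ID *and* random source port (2^16 * ~2^16 space)
            qid, port = random.randrange(65536), random.randrange(1024, 65536)
        else:                      # old resolver: ID counts up, always port 53
            qid, port = self.next_seq, 53
            self.next_seq = (self.next_seq + 1) & 0xFFFF
        self.pending[(qid, port)] = (qname, upstream_ip)
        return qid, port

    def receive_reply(self, qid, port, qname, src_ip, rdata):
        """Return rdata to cache, or None when the reply is dropped."""
        entry = self.pending.get((qid, port))
        if entry != (qname, src_ip):
            self.rejected[src_ip] += 1
            return None
        del self.pending[(qid, port)]
        return rdata

    def flood_sources(self, threshold=100):
        """Addresses that sent more unsolicited replies than `threshold`."""
        return [ip for ip, n in self.rejected.items() if n > threshold]

def simulate_slide_attack(random_ids, guesses=500):
    """Replay the slide's sequence: qid0 has leaked, a query for www.anotherhost.com
    is triggered, and replies carrying the next IDs are flooded in. Returns the
    value that ended up cached (None if nothing did) and the flagged sources."""
    r = PendingQueries(random_ids)
    qid0, _ = r.send_query("www.example.com", "198.51.100.10")  # qid0 leaks (constructed)
    r.send_query("www.anotherhost.com", "203.0.113.5")   # upstream being impersonated
    cached = None
    for guess in range(qid0 + 1, qid0 + 1 + guesses):
        got = r.receive_reply(guess & 0xFFFF, 53, "www.anotherhost.com",
                              "203.0.113.5", "127.0.0.1")
        cached = cached or got
    return cached, r.flood_sources()
```

With sequential IDs on port 53 the first guess lands and 127.0.0.1 is cached; with random IDs and ports the same 500 replies all miss, and in both cases the flood source shows up in `flood_sources()`.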

Page 14: DoS Attacks

Floods and Storms

• SYN flooding, Ping flooding, ACK storms
• Out Of Band (OOB) attacks, WinPOPup data storms: true exploits of TCP/IP, not of any one system
• Neptune, Flood, Poseidon
• Ping of Death, Fat Ping attack, etc…

Page 15: DoS Attacks

SYN flooding

• Manipulation of the primary 3-way handshake
• Gaining the connection of an unsuspecting party
• Replace the true IP address (src) with an existing but non-reachable IP
• Exhaust TCB in victim.com

Page 16: DoS Attacks

SYN flooding - Solution

• Incoming log of recent packets is compared on a regular basis
• Increase connection queue
• Decrease time-out wait for handshake
• 'N' amount of SYNs trigger the server to capture a minimal amount of state information for comparison
• netstat -a -f (look for SYN_RECVD)
• Router/Firewall with SYN protection. CAUTION: Make sure it is good protection
• Don't allow someone from YOUR network to initiate a SYN flood from your site
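Two of the countermeasures above in code, as an added example (not from the slides): counting SYN_RECV entries per remote address in netstat-style output, and the arithmetic behind "increase connection queue" and "decrease time-out". The netstat lines, addresses and threshold are constructed.

```python
import re
from collections import Counter

# Added example (not from the slides): two of the countermeasures above in code.
# 1) Inspect the connection table the way "netstat -a" prints it and rank remote
#    addresses by SYN_RECV entries; the spoofed "existing but non-reachable" sources
#    stand out because their handshakes never complete.
# 2) Work out whether a given backlog and handshake timeout can absorb a SYN rate.

# Proto Recv-Q Send-Q Local Foreign State; accepts SYN_RECV, SYN_RECVD and SYN_RCVD
SYN_RECV_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+SYN_RE?CVD?\b")

def half_open_by_source(netstat_output, threshold=5):
    """Return {remote_ip: count} for sources with more than `threshold` half-open
    connections in the output."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = SYN_RECV_RE.match(line)
        if m:
            counts[m.group(2).rsplit(":", 1)[0]] += 1   # strip the remote port
    return {ip: n for ip, n in counts.items() if n > threshold}

def queue_exhausted(syn_rate, timeout_s, queue_size):
    """Half-open entries live for `timeout_s`, so steady-state occupancy is
    rate * timeout (Little's law). The table is exhausted once that reaches the
    backlog: the slide's "increase connection queue" raises the right side,
    "decrease time-out" lowers the left."""
    return syn_rate * timeout_s >= queue_size

# Constructed netstat-style output: one real session, a burst of half-open
# connections from one unreachable (spoofed) source, and a single stray SYN_RECV.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address       State
tcp        0      0 192.0.2.10:80      198.51.100.7:51234    ESTABLISHED
tcp        0      0 192.0.2.10:80      203.0.113.9:1025      SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:1026      SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:1027      SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:1028      SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:1029      SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:1030      SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.20:40001   SYN_RECV
"""
```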

Page 17: DoS Attacks

Ping Flooding

• From DOS: ping -l 65510 victim.com
• see www.sophist.demon.co.uk
• Thanks to M$, we can create a massive ICMP packet that, upon reassembly, will trash the target
• ping -f victim.com

Page 18: DoS Attacks

Ping flooding - Solution

• Try something other than Microsoft products for your servers
• Get the fixes and updates/patches from the vendors
• Disable ICMP for your system, it is a diagnostic tool after all.
• Try to set filters to watch for massive ping packets and grab the time signature to block it out…if the attacker is not using TOSSER


Page 20: DoS Attacks

OOB attacks

• The incredible ability to crash/trash/BSOD an NT/Win95 Machine
• Attacks NetBIOS (usually 139) and causes numerous event log entries
• MS issued a "hot-fix" that was broken, and this exploit still remains common to WinNT 3.51, 4.0, Win95, and WFWG 3.11
• Mac friendly

Page 21: DoS Attacks


Win NukeWin Nuke

Page 22: DoS Attacks

OOB attacks - Solution

• Block access to port 139 at the gateway!
• If you can do without NT calling the sharing and printers, turn off the server
• Take off drivers for Win95 or block traffic to local machines
• Find Winnuke, muerte.exe, Bitchslap.exe and try it out for yourself
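What a gateway filter has to look at for the two attacks in the Ping flooding and OOB sections, as an added example (not from the slides): a minimal packet check that drops an ICMP fragment whose offset plus payload would reassemble past the IPv4 maximum (the oversized ping) and a TCP segment to port 139 with the URG flag set (out-of-band data). The packet builders, addresses and verdict names are constructed for the demonstration; a real filter would also track the whole fragment set rather than just the overflowing fragment.

```python
import struct

# Added example (not from the slides): a minimal gateway check for two of the deck's
# attacks, to show what a filter rule for each has to look at.
#  - Ping flooding (page 18): an ICMP fragment whose offset plus payload would reassemble
#    past the 65535-byte IPv4 maximum, the oversized "ping -l" datagram.
#  - OOB attacks (page 22): a TCP segment to NetBIOS port 139 with the URG flag set,
#    i.e. out-of-band data, which the slide says to block at the gateway.

IPV4_MAX = 65535
NETBIOS_PORT = 139
URG_BIT = 0x0020

def parse_ipv4(packet):
    """Header fields this check needs, from a raw IPv4 packet (IHL honoured)."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto,
            "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
            "payload": packet[ihl:total_len]}

def verdict(packet):
    """'drop-pod' for a reassembly overflow, 'drop-oob' for URG to port 139, else 'pass'."""
    ip = parse_ipv4(packet)
    if ip["proto"] == 1 and ip["frag_offset"] + len(ip["payload"]) > IPV4_MAX:
        return "drop-pod"
    if ip["proto"] == 6 and len(ip["payload"]) >= 14:
        _, dport, _, _, offs_flags = struct.unpack("!HHIIH", ip["payload"][:14])
        if dport == NETBIOS_PORT and offs_flags & URG_BIT:
            return "drop-oob"
    return "pass"

def build_ipv4(proto, frag_offset, payload):
    """Constructed packet: 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_offset // 8,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def build_tcp(dport, urg):
    """Constructed 20-byte TCP header: data offset 5, SYN, optionally URG."""
    offs_flags = 0x5000 | 0x0002 | (URG_BIT if urg else 0)
    return struct.pack("!HHIIHHHH", 40000, dport, 1, 0, offs_flags, 8192, 0, 0)
```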

Page 23: DoS Attacks

Older NT DoS attacks

• The "../.." bug for WinNT with IIS
• telnet to port 135 and send random junk
• telnet to port 6558 and type anything
• NT4.0 will trash its DNS if it is sent a response it never asked for (very creepy)

SOLUTION: Update your NT or lose it totally

Page 24: DoS Attacks

Hostile Applets (Black Widows)

• Applets are a perfect avenue for DoS attacks
• Nothing in the language says threads have to be closed; comment out stops
• Endless sound files, looping gifs, windows opening, hidden attacks
• JAVA can execute anything the user can, thus leading to kernel panics, obscure system calls, big hangs
• see http://www.gatech.edu/~mladue

Page 25: DoS Attacks

Hostile Applets - Solution

• Don't allow Java (ActiveX for that matter)
• Stop the applets at the firewall
• Policy, policy, policy

Page 26: DoS Attacks

Router Attacks

• Hinges on sending a barrage of requests for UDP diagnostic services
• Routers have several diagnostic ports (by design) that cause CPU usage when connected to (echo, chargen, discard)
• Multiple connections from fake IPs cause failure
• Taking out the router is one of the most (if not THE most) effective ways to halt a network

Page 27: DoS Attacks

Router attacks - solutions

• consider global configurations:
  – Cisco: no service udp-small-servers
  – no service tcp-small-servers
• stop becoming a source of attacks
  – access-list 111 permit ip whatever.ip.it.is 0.0.255.255 any
  – access-list 111 deny ip any any log
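How the egress access-list above decides what may leave the network, as an added example (not from the slides): an evaluator for the two entries using Cisco wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored, first match wins, implicit deny at the end). The slide's "whatever.ip.it.is" placeholder is replaced by the assumed local block 10.7.0.0, and the test addresses are constructed.

```python
import ipaddress

# Added example (not from the slides): evaluate the slide's egress ACL the way the router
# does. "whatever.ip.it.is" is the slide's placeholder; 10.7.0.0 is assumed below, so
# "10.7.0.0 0.0.255.255" permits any source in 10.7.x.x and everything else hits the
# logged deny, i.e. spoofed sources cannot leave the site.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

ACL_111 = [  # (action, source, source wildcard, log) in the order the slide lists them
    ("permit", "10.7.0.0", "0.0.255.255", False),
    ("deny",   "0.0.0.0",  "255.255.255.255", True),   # "any" is 0.0.0.0 255.255.255.255
]

def acl_verdict(acl, src_ip):
    """First matching entry wins, as on the router; returns (action, logged)."""
    for action, base, wildcard, log in acl:
        if wildcard_match(src_ip, base, wildcard):
            return action, log
    return "deny", False   # implicit deny at the end of every Cisco ACL

def spoofed_egress(acl, src_ips):
    """Source addresses seen leaving the network that the ACL would stop (and log)."""
    return [ip for ip in src_ips if acl_verdict(acl, ip) == ("deny", True)]
```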

Page 28: DoS Attacks

Key Server Attacks

• First generation technology remains RIPE for attack
• Find key servers (Firewalls) and bombard them with requests for keys
• Cookie technology may only make matters worse, process overload
• Massive amounts of packets with correct header information but garbage data - server must try to authenticate

Page 29: DoS Attacks

Denial of Service Combination Attacks

• Access attacks and IP spoofing
• Social engineering and critical information
• Network access attacks; service misuse
• Sniffing, browser data theft

There will ALWAYS be DoS attacks as long as there is connectivity