DoS Suite and Raw Socket Programming (Group 16: Thomas Losier, Paul Obame)

Upload: lincoln-hatcher

Post on 02-Jan-2016


DESCRIPTION

DoS Suite and Raw Socket Programming. Group 16 Thomas Losier Paul Obame. Motivation. “We are not teaching you to be script kiddies in this class” Henry Owen Give the students a better understanding of: Raw Socket programming Coding Modifying Understanding DoS Attacks Dangers - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: DoS Suite and Raw Socket Programming

Group 16

Thomas Losier

Paul Obame

Page 2: Motivation

“We are not teaching you to be script kiddies in this class” (Henry Owen)

Give the students a better understanding of:

Raw Socket programming: coding, modifying, understanding

DoS attacks: dangers, defenses

Page 3: Raw Socket Programming

“Raw socket is a computer networking term used to describe a socket that allows access to packet headers on incoming and outgoing packets. Raw sockets are usually used at the transport or network layers.” (wikipedia.org)

The ability to craft packet headers is a powerful tool that allows hackers to do many nefarious things

Page 4: Lab Structure

1. Expand knowledge on a particular DoS attack and the IP protocols involved
2. Edit/develop code based on understanding of the previous section and the given resources
3. Compile and execute the attack
4. Gather data
5. Analyze and implement defenses

Page 5: IP Header

What we are trying to create:

Figure 1: IP Packet Diagram (www.h3c.com)

Page 6: Creation of an IP header using Raw Sockets

    #include <stdlib.h>      // rand()
    #include <arpa/inet.h>   // htons()
    #include <netinet/ip.h>  // struct ip

    // struct pktInfo, IPHEADER and in_chksum() are defined elsewhere in the suite
    void addIP(unsigned char *buf, struct pktInfo *pktInfo, int offset)
    {
        struct ip *ip = (struct ip *) (buf + offset); // ip points to some place in the buffer
        ip->ip_v   = 4;                           // IPv4
        ip->ip_hl  = 5;                           // 4 * 5 = 20 bytes
        ip->ip_tos = 0;                           // no special type of service
        ip->ip_len = htons(pktInfo->pktSize);     // total packet size
        ip->ip_src.s_addr = pktInfo->srcAddr;     // 4 byte source IP address
        ip->ip_dst.s_addr = pktInfo->destAddr;    // 4 byte destination IP address
        ip->ip_id  = rand();                      // random id
        ip->ip_off = 0;                           // mainly used for reassembly of fragmented IP datagrams
        ip->ip_ttl = 255;                         // time to live: number of hops before the packet is discarded
        ip->ip_p   = pktInfo->protocol;           // protocol used: TCP, UDP, etc
        ip->ip_sum = 0;                           // zero out the checksum field before computing the checksum
        ip->ip_sum = in_chksum((unsigned short *) ip, IPHEADER); // compute the checksum
    }
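The in_chksum() routine that addIP() calls is not shown on the slides. The following is an added example, not the group's code, of the RFC 1071 Internet checksum it has to compute, written byte-wise so it does not depend on pointer alignment or host byte order, together with the receiver-side check that a header with its checksum in place sums to zero. The function names, the 20-byte sample header and its expected checksum 0xb861 are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* RFC 1071 Internet checksum over len bytes: one's-complement sum of big-endian
 * 16-bit words, carries folded back in, then complemented (host order). */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)                       /* odd trailing byte is padded with zero */
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)                  /* fold the carries into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sender side: zero the ip_sum field (header bytes 10-11), then store it. */
void ip_set_checksum(uint8_t *hdr, size_t hl)
{
    uint16_t c;
    hdr[10] = hdr[11] = 0;
    c = inet_checksum(hdr, hl);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)(c & 0xff);
}

/* Receiver side: an intact header sums to 0xffff, so the complement is 0. */
int ip_checksum_ok(const uint8_t *hdr, size_t hl)
{
    return inet_checksum(hdr, hl) == 0;
}

/* Constructed sample: 20-byte header, UDP, total length 0x73, DF set,
 * 192.168.0.1 -> 192.168.0.199, checksum field still zero. */
static const uint8_t SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* Checksum the sample; if flip_byte >= 0, corrupt that byte afterwards.
 * Returns the stored checksum (0xb861) when the header verifies, else 0. */
uint16_t sample_check(int flip_byte)
{
    uint8_t h[20];
    memcpy(h, SAMPLE_HDR, sizeof h);
    ip_set_checksum(h, sizeof h);
    if (flip_byte >= 0) h[flip_byte] ^= 0x01;
    if (!ip_checksum_ok(h, sizeof h)) return 0;
    return (uint16_t)((uint16_t)h[10] << 8 | h[11]);
}
```

The value returned by inet_checksum() is in host order; when it is written through a struct ip field as in addIP(), store it with htons() or byte-wise as above, otherwise the receiver's check fails on little-endian hosts.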

Page 7: Denial of Service (DoS)

The Internet was designed for easy connectivity and scalability

Not designed to support authentication schemes

Attempt to occupy all resources of a system

Two general types of DoS attack

Page 8: DoS Suite

First type of attack: ICMP Reset attack

Second type of attack: TCP SYN attack, UDP flood attack, Ping Request (smurf) attack

Page 9: Using the DoS Suite

Page 10: ICMP Reset Attack

By spoofing a hard ICMP error message a hacker can kill any running TCP connection

Requires the four-tuple

Determine the four-tuple using a packet sniffer

Guessing the four-tuple: by gathering information on the operating systems being used and the communication method in use, ICMP reset packets can be sent over a range of port addresses, killing a connection you cannot sniff.

Page 11: ICMP Reset Attack (Lab)

[slide image not included in the transcript]

Page 12: ICMP Reset Attack

[slide image not included in the transcript]

Page 13: TCP SYN Attack

When a server receives a SYN it stores the connection information in memory and sends back a SYN-ACK

Because the IP address is spoofed it will never get a response, and the information will stay until timeout

If packets are sent fast enough they will fill the buffer and no new requests will be able to be processed

Page 14: SYN Attack (Lab)

[slide image not included in the transcript]

Page 15: SYN Attack

Page 16: SYN Attack (Summary)

Page 17: UDP Flood Attack

The premise of the UDP attack is similar to the SYN attack; however, when using UDP the client does not set aside memory for the connection information

If packets are sent fast enough they will fill the network card buffer and no new requests will be able to be processed

Page 18: UDP Flood Attack (Lab)

[slide image not included in the transcript]

Page 19: UDP Flood Attack

Page 20: UDP Attack (Summary)

Page 21: ICMP Ping (smurf) Attack

DDoS attack: using a network of machines a lot more information can be sent at once

Send ping requests to a network of machines with a return address of the “victim” machine

If packets are sent fast enough they will fill the buffer and no new requests will be able to be processed

Page 22: ICMP Ping Attack (Lab)

[slide image not included in the transcript]

Page 23: ICMP Ping Attack

Page 24: ICMP Attack (Summary)

Page 25: DoS Defenses

SYN Cookies

Configure your firewall (refer to Lab 4): iptables, Cisco PIX, RealSecure
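SYN cookies are listed above without detail; they are the stateless answer to the half-open state that the TCP SYN Attack slide describes filling up. The following is an added example, not the group's code, of how a server encodes the four-tuple, a time counter and an MSS class into the SYN-ACK sequence number and validates it from the client's final ACK, so that a flood of spoofed SYNs leaves nothing in memory. It assumes the classic layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash); the mixer, MSS table, function names and DEMO_KEY are this example's own stand-ins, not a production implementation.

```c
#include <stdint.h>

/* Assumed MSS classes encoded in 3 bits (indexes 0-3 used). */
static const uint16_t MSS_TABLE[4] = { 536, 1300, 1440, 1460 };

/* Keyed mixer standing in for the keyed hash a real stack uses (SipHash or
 * SHA-1 in Linux); deliberately simple and NOT cryptographically strong. */
static uint32_t mix(uint32_t saddr, uint32_t daddr, uint16_t sport,
                    uint16_t dport, uint32_t t, const uint32_t key[2])
{
    uint32_t h = key[0] ^ saddr;
    h = (h * 0x9E3779B1u) ^ daddr;
    h = (h * 0x9E3779B1u) ^ ((uint32_t)sport << 16 | dport);
    h = (h * 0x9E3779B1u) ^ t ^ key[1];
    h ^= h >> 15; h *= 0x85EBCA6Bu; h ^= h >> 13;
    return h;
}

/* Server side on SYN: build the initial sequence number for the SYN-ACK.
 * Layout: bits 31-27 = time counter (64 s ticks), 26-24 = MSS index,
 * 23-0 = keyed hash of the four-tuple and counter. No state is stored. */
uint32_t syncookie_make(uint32_t saddr, uint32_t daddr, uint16_t sport,
                        uint16_t dport, uint16_t mss, uint32_t now_sec,
                        const uint32_t key[2])
{
    uint32_t t = now_sec >> 6, m = 0;
    while (m < 3 && MSS_TABLE[m + 1] <= mss) m++;  /* largest class <= mss */
    return (t & 31) << 27 | m << 24 |
           (mix(saddr, daddr, sport, dport, t, key) & 0xFFFFFFu);
}

/* Server side on the final ACK: cookie is that packet's ack number minus 1.
 * Returns the MSS to use if the cookie is genuine and at most one tick old,
 * else 0 (the ACK is dropped; a flood of bogus ACKs costs only this check). */
uint16_t syncookie_check(uint32_t saddr, uint32_t daddr, uint16_t sport,
                         uint16_t dport, uint32_t cookie, uint32_t now_sec,
                         const uint32_t key[2])
{
    uint32_t t = now_sec >> 6, m = (cookie >> 24) & 7;
    uint32_t age = (t - (cookie >> 27)) & 31;      /* ticks since issue */
    if (age > 1 || m > 3) return 0;
    if ((mix(saddr, daddr, sport, dport, t - age, key) & 0xFFFFFFu)
        != (cookie & 0xFFFFFFu)) return 0;
    return MSS_TABLE[m];
}

/* Constructed per-boot secret for the demo; a real server draws it randomly. */
const uint32_t DEMO_KEY[2] = { 0x1badb002u, 0xdeadbeefu };
```

The price of statelessness is visible in the code: only a few MSS classes survive, TCP options are lost, and a cookie older than two ticks is rejected, which is why real stacks enable cookies only once the backlog is full.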