1
CHAPTER 1
DISTRIBUTED DENIAL OF SERVICE
1.1 INTRODUCTION
Internet has become the infrastructure of the modern society. The
Internet architecture focuses on functionality and not the security.
Inexperienced users leave their systems vulnerable to compromise. For
example, using the vendor supplied default passwords, leaving auto-configure
features in default settings, turning off firewalls, etc. makes it easy to gain
root or administrator access.
The Computer Emergency Response Team (CERT) coordinate
center, the center of Internet security expertise, has identified 831 key
vulnerabilities in the Internet architecture and suggests that automated tools
are being used to exploit these security holes. The magnitude of attacks
against major websites suggests that this is true. Regardless of the diligence,
effort and resources spent securing against intrusion, Internet connected
systems face a consistent and real threat from denial attacks because of two
fundamental characteristics of the Internet.
1. The Internet comprises limited and consumable resources. The
infrastructure of interconnected systems and networks
comprising the Internet is entirely composed of limited
resources. Bandwidth, processing power and storage
capacities are all common targets for attacks designed to
2
o cause
some level of service disruption. An abundance of well-
engineered resources may raise the bar on the degree an attack
tools place even the most abundant resources in range for
disruption.
2. Internet security is highly interdependent. Attacks are
commonly launched from one or more points on the Internet
many cases, the launch point consists of one or more systems
that have been subverted by an intruder via a security-related
systems. As such, intrusion defense not only helps to protect
Internet assets and the mission they support, but it also helps
prevent the use of assets to attack other Internet connected
networks and systems. Likewise, regardless of how well
defended any assets may be, its susceptibility to many types of
attacks depends on the state of security on the rest of the
global Internet.
1.2 DENIAL OF SERVICE
Denial of Service (DoS) attack is an incident in which a user or
organization is deprived of the services of a resource they would normally
expect to have. DoS attacks are capable of either, crashing the host such that it
cannot communicate properly with the rest of the network, or
legitimate users.
3
A DoS attack is an explicit attempt by attacker to overload the
server(s) or network(s) with useless traffic and results in a loss or interruption
of all network connectivity and services. A DoS attack can be perpetrated in a
number of ways. There are three basic types of attacks:
1. Consumption of computational resources (bandwidth, disk
space, CPU time)
2. Disruption of configuration information
3. Disruption of physical network components.
Traditionally, these attacks target commercial web sites, electronic
mail and Domain Name System (DNS) servers and routing devices that rely
on a constant Internet presence and availability of the service is a crucial
factor for the success of their business. The primary resources targeted in a
DoS attack are the bandwidth, processing capacity and storage capacity of the
victim and costs in terms of money and time. It does not normally result in
theft of information, damage to databases or security loss.
A successful DoS attack can overwhelm the victim yet conceal the
evolving Internet services. The attack software is powerful and does not
require extensive knowledge to deploy them. The tools for disrupting the
services are readily available in the Internet. Attacks mimic the behavior of
legitimate users and hence are much harder to detect. The stateless nature of
the Internet, dilution of locality in the flooding stream, spoofed source address
and capacity of servers to establish large volume of connections undermine
the effectiveness of traceback techniques for locating the sources.
Consequently DoS attacks are becoming simple to implement, harder to
detect and more difficult to trace.
4
1.3 DISTRIBUTED DENIAL OF SERVICE
Distributed Denial of Service (DDoS) uses DoS as the basic
building block. The key feature of DDoS includes distributing the attack
across several hosts and coordinating the attack among the hosts. As shown in
Figure 1.1 the DDoS attack involves four major components: an Attacker,
Master /Handler nodes, Daemon / Agent nodes and a Victim.
In order to facilitate DDoS, the attacker needs to have several
hundred to several thousand compromised hosts. The process of
compromising a host and installing the tool is automated. The attacker
orchestrates the attack using a single source machine. It does not directly
communicate with (or attack) the victim, but initiates a scan phase in which a
large number of machines are probed for a known vulnerability to gain
administrator access. These host machines are then compromised and the
attack tools are installed in them resulting in a network of Master / Handler
nodes under the direct control of the attacker. These Handler nodes in turn
search for vulnerable machines, which are then exploited to create Daemon /
Agent nodes. The attack software is installed on these Agent nodes and these
Agent nodes perform the actual attack.
The scan and exploit phases are totally automated processes. The
attacker can compromise and install the tool on a single host in under 5
seconds and a large attack network comprising several thousand hosts can be
constructed and deployed in under an hour. The time of the onset of the
attack, attack type, duration of the attack and victim address are
preprogrammed into the attack code.
Once the attacker controls enough systems the attack can be
launched. The victim is flooded with various types of packets from the
Daemons / Agent nodes. The ensuing massive stream of data overwhelms the
5
processing capacity of the target system or floods the network bandwidth of
the targeted victim or routers, rendering them incapable of providing any
services.
The attacker controls one or more Handler nodes which in turn
controls a number of Agent nodes. DDoS uses this distributed nature of the
attack (dilution of locality in the flooding stream), spoofed source addresses
and the stateless nature of the Internet to thwart all attempts at discovering the
origin of the attack. A successful DDoS attack is one in which the victim is
fully overwhelmed and the attacker identity eludes detection.
The components of a Distributed Denial of Service attack are
shown in Figure 1.1.
6
Figure 1.1 Components of DDoS
7
The advantages of the DDoS network structure are
1. A single hacker can command hundreds of systems to attack a
victim.
2. The attack hosts are replicated and are controlled from a central
location. Even if one station is traced and shutdown, the others
can continue the attack. This makes it difficult to eliminate or
stop an attack.
3. Multi-tiered structure makes it difficult to trace the true origin
of the attack, which is the client behind the source machine
and not the Handler or Daemons.
1.4 PHASES OF A DDoS ATTACK
The five phases of DDoS attack are summarized as below:
1. Scanning Phase The installed DDoS attack software (Bots)
scans a large number of computers for security flaws.
2. Exploitation Phase Susceptible hosts are identified and a list
of compromised hosts is recorded.
3. Deployment Phase The Handler software is installed in the
compromised hosts. It is a special program, capable of
controlling multiple Agents.
4. Propagation Phase The Handler in turn scans for vulnerable
hosts and compromises them. An Agent / Daemon is a
compromised host that is running a special program which
generates a stream of packets that is directed towards the
8
intended victim. There are three common methods of software
propagation Central Source propagation, Back Chaining
propagation and Autonomous propagation
5. Attack Phase Use multiple compromised Agent / Daemon
machines to launch / direct a coordinated attack on a target
machine, usually one or more servers, by overwhelming the
target machine with a large volume of malicious packets that
can cause all / any of the following effect:
a.
any further work from occurring.
b. Trigger errors in the target machine and force it into an
unstable state or lock up.
c. Exploits errors in the operating system to cause resource
starvation and / or thrashing, i.e. to use up all available
facilities so no real work can be accomplished.
d. Crash the operating system itself.
1.5 SCANNING
DDoS attacks tools are commonly deployed on compromised
systems. This deployment depends on the presence of exploitable
vulnerabilities on the system and the ability of the intruder to exploit those
vulnerabilities. Increase in the sophistication and use of automated tools has
caused a significant decrease in the time window from when the vulnerability
is discovered to when it is widely exploited.
9
Searching for vulnerable machines in the Internet can be done by
blind targeting or selective targeting. Blind targeting vulnerability searches
are usually highly automated and involve little human interaction during the
execution of the attack. They also tend to be highly vulnerability-specific,
often targeting systems that are vulnerable to one or a small number of
particular exploitations like vulnerabilities in the operating system platform or
software on a system.
Attacks based on selective targeting may or may not incorporate
high degrees of automation and may or may not be vulnerability-specific.
Selective targeting is generally based on using some criteria other than the
target operating system or potentially exploitable vulnerabilities to select a
target or target sector for attack. Early DDoS tools, for example, were
installed on carefully selected Unix-based hosts. Systems were often manually
tested for network connectivity, regular levels of network traffic and available
bandwidth before being used as Handlers or Agents in a DDoS network.
In order to identify vulnerable machines in the Internet and
compromise them a malicious Bot software is used. A Bot is a program that
operates automatically as an Agent for a user or another program. The three
primary characteristics of a Bot are a remote control mechanism, the
implementation of commands and a spreading mechanism to propagate it
further. The Bots can be installed on multiple computers to set up Botnets.
Botnets are a number of computers that, although their owners are unaware of
it, have been set up to forward transmissions to other computers on the
network. Botnets can be used in Distributed Denial of Service attacks to
identify vulnerable machines and compromise them. The installations
typically take about 5 seconds and allow a large number of systems to be
compromised quickly.
10
The bots enable a remote control mechanism that lets the hacker
for commands from the hacker. Typically two types of commands are
implemented over the remote control network DDoS attacks and updates.
The bots automatically scan whole network ranges for vulnerabilities,
primarily in the operating system. Complexity and various problems in the
source code make it easy to exploit and install applications. Once the
vulnerable computers are identified they are quickly infected with the Bot
software and process repeats itself.
These bots are forwarded to Handler and Agent nodes by scanning
based on either host or vulnerability. Host scanning strategy is further
classified as random, hit-list, topological, permutation and local subnet
scanning. Vulnerability scanning strategy is further classified as horizontal,
vertical, coordinated and stealthy scanning. Once a vulnerable computer is
identified the attack software automatically infects the vulnerable computers.
1.6 SOFTWARE PROPAGATION
DDoS attack toolkits are commonly deployed on compromised
systems. This deployment depends on the presence of exploitable
vulnerabilities on the system and the ability of the intruders to exploit those
vulnerabilities. The various aspects of DDoS attack propagation are
identification and compromise of vulnerable machines and copying the attack
toolkit to the compromised system (Agents / Daemons).
Once the attack toolkit is copied to a compromised system, the
scripts in the attack toolkit control the automated installation of the attack
software in the compromised Agent / Daemon. When sufficient number of
Agent/ Daemon has been created a DDoS attack can be successfully launched
on the victim machine.
11
Three popular models of automated attack toolkit propagation are
central source propagation, back chaining propagation and autonomous
propagation.
1.6.1. Central Source Propagation
As shown in Figure 1.2, in central source propagation of attack
software, attack codes reside on a central server or set of servers. In the first
step, an attacker searches for and compromises a vulnerable machine and
installs an exploit code in it. In the second step a compromised host executes
the code which has an instruction to transfer a copy of the attack toolkit from
the central server to itself creating a newly compromised Agent. File transfer
mechanisms commonly employed to copy the attack toolkit are the Remote
Procedure Call (RPC), File Transfer Protocol (FTP) and Hyper Text Transfer
Protocols (HTTP).
Figure 1.2 Central Source Propagation
12
Major disadvantage of this method is that it imposes a large burden
on the central server which is also a single point of failure. Its removal
prohibits further Agent infection.
1.6.2. Back Chaining Propagation
Figure 1.3 demonstrates the back chaining propagation of attack
software. In contrast to central source propagation the attack codes reside in
the attack machine which searches for and compromises the vulnerable
systems and installs the exploit code in it. Once a system is compromised it
executes the code which has an instruction to transfer a copy of the attack
toolkit from the attacking host itself. For this to work, the attack tools on the
attacking host include some method to accept a connection from and send a
file to the victim host. Mechanisms that implement Back Channel file copy
range from simple port listeners that copy file contents across the network,
Trivial File Transfer Protocol (TFTP), to full intruder-installed web servers.
Figure 1.3 Back Chaining Propagation
The advantage of back-chaining propagation is that it avoids single
point failure present in central source propagation and hence is more
survivable than its predecessor.
13
1.6.3. Autonomous Propagation
Figure 1.4 demonstrates the autonomous propagation of attack
software. The attack toolkit resides in the attack machine. Autonomous
propagation does not use an exploit code to copy the attack toolkit. When a
vulnerable system is identified the attack toolkit is injected directly into the
compromised host during the exploitation phase itself.
This eliminates the file retrieval step and reduces the frequency of
network traffic needed for Agent mobilization and hence reduces the chances
of attack discovery.
Figure 1.4 Autonomous Propagation
1.7 DDoS ATTACK METHODS
DDoS attack methods are broadly categorized as Flooding attack
and logical attack and combinations thereof.
Flooding attacks are achieved by the attacker sending a continuous
flood of packets to overwhelm the victims system. The high volume of traffic
consumes the resources of the targeted system, hitting the CPU cycles,
memory, and network bandwidth or packet buffers. A simple bandwidth
consumption attack can exploit the throughput limits of servers or network
equipment by sending large numbers of small packets and overwhelm the
14
available resources. These attacks can cause the system to slow down and jam
or result in a complete site shutdown.
Logic or Software attacks do not directly exploit weaknesses in
Transmission Control Protocol / Internet Protocol (TCP/IP) or network
applications. Instead, they use the expected behavior of protocols such as
Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and
Internet Control Message Protocol (ICMP) to the attacker's advantage. The
attacker sends a small number of malformed packets designed to exploit a
known software bug on the target system. These attacks can be stopped by the
installation of software patches which eliminate the vulnerabilities or by
adding specialized firewall rules which filter out malformed packets before
they reach the system.
1.7.1. Smurf Attack
A Smurf attack is a variety of DDoS attack called amplification
attack. Network traffic is amplified through compromised systems before it
reaches the victim computer. A Smurf attack accomplishes this by flooding a
victim computer with ICMP echo and reply messages.
The ping requests are forwarded to a directed broadcast request.
The source IP address is spoofed and set to the victim machine address.
Computers in the broadcast address domain will receive and reply to the
exhausting its bandwidth and bringing it to a halt. The amount of traffic sent
by the attacker is multiplied by a factor equal to the number of hosts behind
the router that reply to the ICMP echo packets. The effect can be amplified
when multiple broadcast domains are used and more computers are involved
in the attack. To defend against Smurf attacks all routers and individual hosts
15
in a network must be configured to drop ICMP echo requests to broadcast
address.
Figure 1.5 Ping Broadcast Attack.
Figure 1.5 depicts a Smurf attack in progress. The attacker sends a
stream of ICMP echo packets to the router. The attacker modifies the packets
that
replies to the echo packets will be sent to that address. The destination address
of the packets is a broadcast address of a Domain.
16
If the router is (mis-)configured to forward these broadcasts to
hosts on the other side of the router all the hosts in the Broadcast Domain will
effectively overwhelm its link bandwidth. Besides the target system, the
intermediate router is also a victim and thus also the hosts in Broadcast
Domain.
1.7.2. ICMP Floods and Ping of Death
Ping of Death was a popular DDoS attack which targeted hosts
with a weak implementation of the TCP/IP stack. The attacker sends an ICMP
Echo request packet with a size larger than 65,535 bytes, causing the buffer at
the receiver to overflow when the packet was included in the reassemble
process. Ping of Death can cause the target system to crash and / or reboot.
Older versions of Windows (95/NT4), Macintosh and Linux
operating systems and other network devices such as routers were vulnerable
to the Ping of Death. Modern operating systems and network devices safely
disregard these oversized packets.
1.7.3. Teardrop Attacks
When data are sent across a TCP/IP network, they are fragmented
into small fragments. The fragments contain an Offset field in their TCP
header that specifies where certain data start and end. In a Teardrop attack, the
attacker sends fragments with invalid overlapping values in the Offset field,
which may cause the target system to crash when it attempts to reassemble the
ack safely disregard such
invalid packets.
17
1.7.4. Bonk Attacks
The Bonk attack is similar to a Teardrop attack. Instead of sending
IP fragments with overlapping Offset values in the TCP header, the Offset
values that are too large. As with the Teardrop attack, this may cause the
target system to crash.
1.7.5. Land Attacks
During a Land attack, the attacker sends a forged TCP SYN packet
with the same source and destination IP address. This confuses systems with
outdated versions of the TCP / IP stack because it receives a TCP connection
request from itself. This may cause the target system to crash.
1.7.6. UDP Flood
This type of flood exploits the User Datagram Protocol (UDP), a
connectionless and non-adaptive protocol that provides a simple and
unreliable system for transferring data. UDP protocol does not require a
handshake mechanism to establish a connection. This makes it relatively easy
to abuse for flood attacks.
The potential attacker uses a forged source IP address to send UDP
packets to a random port on the target machine. When the victim system
receives a UDP packet, it will determine what application is waiting on the
destination port. When it realizes that there is no application that is waiting on
the port, it will generate an ICMP packet of destination unreachable to the
forged source address. If large numbers of such UDP packets are transmitted
to ports on the target system, the CPU time, memory and bandwidth required
to process these packets may cause the target to become unavailable for
legitimate users and the system may crash.
18
Packets typically contain randomly forged source address to
prevent simple filtering. To minimize the risk of a UDP flood attack, disable
all unused UDP services on hosts and block the unused UDP ports at the
firewall of the network.
1.7.7. TCP Flood
TCP floods are similar to UDP floods. Attackers use TCP packets
instead of UDP packets.
1.7.8. TCP SYN Flood
TCP Synchronous (TCP SYN) Flood attacks try to deplete the
computational resources of a server. It exploits the process used in
establishing a TCP connection known as "TCP 3 Way Handshake" which is
the foundation for every connection established using the TCP protocol. This
process requires three packets to be sent between the client and the server to
establish a TCP connection:
1. A client requests a connection by sending a SYN (synchronize)
packet to the server. The session-establishing packets include a
SYN field that identifies the sequence in the message exchange.
2. The server allocates a TCP control block and sends back a
SYN/ACK packet back to the client and awaits the client to
send an ACK (Acknowledgement) packet for the connection to
be established.
3. The client responds with an ACK and the connection is
established i.e. Open, allowing traffic from both sides (full-
duplex). The connection remains open until the client or the
19
host issues a FIN (Finish) or RST (Reset) packet, or the
connection times out.
As long as the server has not received the ACK, the connection is
in half open state, thus consuming TCP control blocks. To create such half
open connections the potential attacker can
1. Withhold the ACK from the server or
2. Send SYN packets with spoofed source IP address to the target.
The target replies in response with SYN / ACK packets that are
however, destined for an incorrect or non-existent host and thus
never receive the ACK
In both cases, the connections remain in half open state because
the target never receives the required ACK packets thus causing the target to
run out of TCP control blocks. An attacker can send a number of connection
requests very rapidly using spoofed IP address or fail to respond to the reply.
Although the packet in the buffer is dropped after a certain period of time
without a reply, the effect of many of these bogus connection requests is to
make it difficult for legitimate requests for a session to get established.
If all resources set aside for half-open connections are reserved, no
new connections (legitimate or not) can be made, resulting in denial of
service. The technology often used for allocating resources for half open TCP
connections involved a queue which was often very short with each entry of
the queue being removed upon a completed connection, or upon expiry. When
the queue was full, further connections failed. Some systems may malfunction
badly or even crash if other operating system functions are starved of
resources this way. In general, this problem requires the operating system to
20
provide correct settings or the network administrator to tune the size of the
buffer and the timeout period.
1.8 DDoS TOOLS
The DDoS attack tools are designed to bring a single or multiple
sites down by flooding the victim with large amounts of network traffic.
These amounts of network traffic originate from multiple locations and are
remotely controlled by a single client. Each of these attack tools differ in
terms of the types of attack they can support and the way the communication
is carried out between the client and the Handlers. The tools are used to
disrupt the normal network traffic to a host and not to capture data or infiltrate
a computer system.
Popular DDoS programs / software / tools include FloodNet, Tribal
Flood network (TFN), Trin00, Stacheldraht and TFN2K. These programs use
a client / server architecture to allow a single attacker to simultaneously direct
the attacks by many machines. These attack tools are readily available in the
Internet and do not need extensive knowledge to deploy them. Additionally
the software hides the break-in and subsequent activities and erases all the
evidence. It is also possible to configure the software to disable and uninstall
itself when certain conditions are met. Moreover, these tools are not easily
traceable because they forge their source addresses by using IP spoofing thus
hiding their genuine location. This makes traceback and identification
extremely difficult.
1.8.1. FloodNet
It is a Java application that inundates the target with request for
nonexistent pages and queries. It uses a form of TCP / IP flooding that attacks
21
inbound and outbound data and saturates the processing capability of the
target host and the bandwidth of the network.
FloodNet is also able to upload messages to server error logs by
intentionally asking for a non-existent Uniform Resource Locator (URL).
This
this This works because of the way many HTTP servers process
requests for web pages that do not exist. FloodNet's Java applet asks the
targeted server for a directory called, for example, "DDoS_Attacks", but since
that
or This is a unique way to
leave a message on that server.
The FloodNet program will cause the desired DDoS effect only
when thousands of users are logged in simultaneously, where all their
browsers will automatically reload targeted website and cause so much traffic
inside the server that any other user attempting to log in will not be able to
view the website.
1.8.2. Trin00
Trin00 was the first and simplest of the DDoS software. Trin00 is
essentially a Master / Slave (called Masters and Daemons) program that
coordinate with each other to launch a UDP DDoS flood against a victim
machine.
A stolen account is initially set up by the attacker as a repository
for precompiled versions of scanning tools, attack tools, rootkits and sniffers,
Trin00 Daemon and Master programs, lists of vulnerable hosts and previously
compromised hosts, etc. This would normally be a large system with many
22
users, one with little administrative oversight and on a high-bandwidth
connection for rapid file transfer.
(A rootkit is software that enables continued privileged access to a
computer while actively hiding its presence from administrators by subverting
standard operating system functionality or other applications. Typically, an
attacker installs a rootkit on a computer after first obtaining root-level access,
either by exploiting a known vulnerability or by obtaining a password. Once a
rootkit is installed, it allows an attacker to mask the ongoing intrusion and
maintain privileged access to the computer by circumventing normal
authentication and authorization mechanisms. Rootkits can primarily hide
applications that steal computing resources or passwords without the
knowledge of administrators and users of affected systems. Sniffer is a
computer program that can intercept packet passing over a digital network or
part of a network and log information about the various fields in the packet).
A scan is performed of large ranges of network blocks to identify
potential targets and a list of vulnerable systems is created. A script is then
executed that performs the exploit, sets up a command shell running under the
root account that listens on a TCP port and connects to this port to confirm the
success of the exploit. The result is a list of compromised systems ready for
setting up the Trin00 Master / Handler nodes.
The Master / Handler nodes compile a list of machines that can be
compromised. From this list of compromised systems, subsets with the
desired architecture are chosen for the Trin00 network. Scripts are run to
compromise these vulnerable machines and convert them into the Trin00
Agent / Daemon nodes.
23
The installation process is automated with each installation running
in the background for maximum multitasking. The result of this automation is
the ability for attackers to set up the attack network in a very short time frame
on widely dispersed systems whose true owners don't even know that their
systems are out of their control. Optionally, a "root kit" is installed on the
system to hide the presence of programs, files and network connections. This
is more important on the Master system, since these systems are the key to the
Trin00 network.
One Master can control multiple Daemons. The target and date of
the attack is also controlled by the Masters / Handler. The Daemons are the
compromised hosts that launch the actual UDP floods against the victim
machine. Remote control of the Trin00 Master is accomplished via a TCP
connection to port 27665 / TCP. Communication from the Trin00 Master to
Daemons is via UDP packets on port 27444 / UDP. Communication from the
Trin00 Daemons and the Master is via UDP packets on port 31335 / UDP.
The attacker uses the Handler to send commands that control the
Agents. The attacker authenticates to the Handler and sends commands to all
the Agents to launch a coordinated UDP packet based flooding attack targeted
at one or more victim systems and the attack lasts up to a predefined time.
The source address of Trin00 packets is not spoofed. Trin00 supports
commands that can change the size of packets sent, stop an attack, check the
status of an Agent and change the length of the attack.
Both the Master and Daemons are password protected to prevent
system administrators (or other hacker groups) from being able to take control
of the Trin00 network.
24
1.8.3. Tribal Flow Network (TFN)
The Tribe Flood Network (TFN) Distributed Denial of Service
attack tool is made up of client and Daemon programs, which are capable of
launching ICMP flood, SYN flood, UDP flood and Smurf attacks, as well as
providing an "on demand" root shell bound to a TCP port.
Creation of a "root shell" is an important aspect of TFN attack. On
UNIX, the "root" user has control over the machine. An exploit will attempt
to obtain a shell prompt from which any command can be entered that will
execute with root privileges. In many remote attacks, the attacker will run an
exploit script that breaks into the server and establishes a root shell bound to a
TCP connection. The attacker can then remotely enter and execute commands
in the system.
As with Trin00, the method used to install the Master/Daemon will
be the same as installing any program on a UNIX system, with all the
standard options for concealing the programs and files.
The attacker(s) control one or more Masters, each of which can
control many Daemons. The Daemons are all instructed to coordinate a packet
based attack against one or more victim systems by the Master.
Remote control of a TFN network is accomplished via command
line execution of the Master program, which can be accomplished using a
connection methods like remote shell bound to a TCP port, UDP based
client/server remote shells and ICMP based client/server shells, SSH terminal
sessions or normal "telnet" TCP terminal sessions. No password is required to
run the Master program, although it is necessary to have the IP address list of
Daemons in an "iplist" file.
25
Communication from the TFN Master to Daemons is accomplished
via ICMP_ECHOREPLY packets. There is no TCP or UDP based
communication between the Master and Daemons at all.
Both the Master and the Daemon must be run as root. The Master
program requires the iplist be available, so finding a Master will get the list of
Daemons. Recent installations of TFN Daemons have added Blowfish
encryption of the iplist file to make the task of determining the Daemons
much harder.
1.8.4. TFN2K
Similar to TFN, TFN2K is also a two-component attack system
comprising of Masters and Daemons. It can run on both Unix and Windows
NT systems and executes as the root or administrator permitting the attacker
to verify that the Master is running as well as update the Master software.
Masters exploit the resources of a number of Agents in order to
coordinate an attack against one or more designated targets. The Master
instructs its Agents to attack a list of designated targets. The Agents respond
by flooding the targets with a barrage of packets comprising TCP-SYN, UDP,
ICMP-PING, or BROADCAST PING (Smurf) packet flood. Multiple Agents,
coordinated by the Master, can work in tandem during this attack to disrupt
access to the target.
Master-to-Agent communications are encrypted and may be
intermixed with any number of decoy packets. Both Master-to-Agent
communications and the attacks themselves can be sent via randomized TCP,
UDP and ICMP packets. Additionally, the Master can spoof its IP address.
These facts significantly complicate the development of effective and efficient
countermeasures for TFN2K.
26
Packet headers between Master and Agent are randomized, with
the exception of ICMP, which always uses a type code of
ICMP_ECHOREPLY (ping response). Unlike its predecessors, the TFN2K
Daemon is completely silent; it does not acknowledge the commands it
receives. Instead, the Masters issues each command 20 times, relying on
probability that the Daemon will receive at least one. The command packets
may be interspersed with any number of decoy packets sent to random IP
addresses.
TFN2K commands are not string-based as they are in TFN and
Stacheldraht. TFN2K commands are of the form "+<id>+<data>" where <id>
is a single byte denoting a particular command and <data> represents the
command's parameters. All commands are encrypted using a key-based
CAST-256 algorithm. The key is defined at compile time and is used as a
password when running the TFN2K client. Some significant features of
TFN2K:
1. TFN2K modifies the Master and Agent process names at
compile time from one installation to the next. This allows
TFN2K to masquerade as a normal process on the Agent and
may not be readily visible to simple inspection of the process
list.
2. The UDP packet length is three bytes longer than the actual
length of the packet.
3. The TCP header length is always zero. In legitimate TCP
packets, this value is never zero.
27
1.8.5. Stacheldraht
Stacheldraht gained prominence because of its alleged involvement
in the 2000 outbreak of DDoS attacks against prominent web sites such as
Yahoo and Amazon. Stacheldraht code combines the most harmful features of
Trin00 and TFN and uses an encrypted TCP packet to connect and
communicate between attacker and Masters / Handlers and encrypted ICMP
packets to talk to the Agents / Daemons.
The Stacheldraht network is made up of one or more Handlers and
a large set of Agents. The attackers use an encrypting "telnet alike" program
to connect to and communicate with the Handlers. Each Handler can control
many Agents. Unlike Trin00, which uses UDP for communication between
Handlers and Agents, or the original Tribe Flood Network, which uses ICMP
for communication between the Handler and Agents, Stacheldraht uses TCP
and ICMP.
Remote control of a Stacheldraht network is accomplished using a
simple Agent that uses symmetric key encryption for communication between
itself and the Handler. The Agent accepts a single argument, the address of
the Handler to which it should connect. It then connects using a TCP port
(default 16660/TCP).
After connecting to the Handler, the Agent is prompted for a
password. This password is a standard crypt() encrypted password, which is
then Blowfish encrypted using the pass phrase "<authentication>" before
being sent over the network to the Handler (all communication between the
Agent and Handler is Blowfish encrypted with this pass phrase).
In addition to finding an active Handler, the Agent performs a test
to see if the network on which the Agent is running allows packets to exit
28
with forged source addresses. It does this by sending out an ICMP_ECHO
packet with a forged IP address of "3.3.3.3", an ID of 666 and the IP address
of the Agent system in the data field of the ICMP packet. The Type of Service
field is set to 7 on this particular packet, while others have a Type of Service
value of 0.
If the Master receives this packet, it replies to the IP address
embedded in the packet with an ICMP_ECHOREPLY packet containing an
ID of 1000 and the word "spoofworks" in the data field. If the Agent receives
this packet, it sets a spoof_level of 0 (can spoof all 32 bits of IP address). If it
times out before receiving a spoof reply packet, it sets a spoof_level of 3 (can
only spoof the final octet).
Stacheldraht also supports automated remote update of its Agents
via a Remote File Copy (rcp) command thus enabling the attacker to
continually change the port passwords and command values; Stacheldraht can
launch different types of attacks such as ICMP floods, UDP floods and SYN
floods. Stacheldraht also has an update feature that makes it possible to
automatically replace the Agents with new versions and start them.
(Note : rcp is a connectivity command which copies files between
a source machine and a system running the remote shell service Daemon
(rshd). The rcp command can also be used for third-party transfers. The
command can be executed from a system to copy files between two other
computers that are running the rshd).
1.9 DDoS DEFENSE
The following are some simple steps which can be taken by any
organization to effectively protect its resources against DDoS exploitation.
29
1. Limit Spoofing by configuring the firewall to disallow any
outgoing packet whose source address does not reside on the
protected network.
2. Configure the Internet Service Provider (ISP) and routers to
do egress filtering, i.e., monitor and potentially restrict the
flow of information outbound from one network to another,
to ensure that unauthorized or malicious traffic does not exit
the internal network and reach the Internet.
3. Disallow unnecessary ICMP, TCP and UDP traffic. Typically
only ICMP type 3 (Destination Unreachable) packets should
be allowed.
4. If ICMP cannot be blocked, disallow unsolicited (or all)
ICMP_ECHOREPLY packets.
5. Disallow UDP and TCP, except on a specific list of ports.
6. Take measures to ensure that systems do not allow intruders
to install DDoS attack tools in them.
Without proper planning and forethought, a sustained DDoS attack
can find an organization without the necessary resources or procedures to deal
with the attack. It is essential to ensure that the response procedures are clear
and that enough resource, both people and technology, are available to
effectively handle the attack. The resources needed to deal with an attack
should already be in place when an attack occurs. More bandwidth,
additional load balanced servers and support staff should be ready to be
deployed in the live environment when the need arises.
30
1.10 CONCLUSION
The Internet has revolutionized the way companies communicate
and conduct business. Its remarkable growth is already translating into
significant financial rewards for the Internet based business sectors. At the
same time, with every opportunity comes a measure of risk. By nature, the
Web is public, distributed, connected and highly dynamic subject to
phenomenal growth in terms of infrastructure, the number of people online, as
well as the sheer volume and types of applications running across and beyond
generation of skilled hackers armed with sophisticated tools who enjoy the
thrill of pushing security boundaries.
DDoS attacks are one of the hardest security threats to address.
They do not attempt to compromise sensitive information on servers such as
passwords, user data and credit card information, but endeavors to misuse and
tie up the transit network resources and computational resources of the target
system. Even for hardened Internet-based companies the loss of revenue due
to unavailability caused by a DDoS attack can be devastating.
The Cooperative Association for Internet Data Analysis (CAIDA)
reports that only 2% of DDoS attacks lasted greater than five hours and1% of
attacks lasted more than ten hours.90% of DDoS attacks lasted for one hour or
less, of which 50% of the attacks lasted less than ten minutes. 90% of the
attacks were TCP based attacks and around 40% reached rates of 500 packets
per second (pps) or greater.
There is no simple solution to mitigate the risk of these attacks, but
there are strategies that can help to minimize the impact of a large scale DDoS
attack. The following chapter discusses some of the mechanisms proposed by
researchers to mitigate the effects of a DDoS attack.