Denial of Service Attacks

Denial of Service
Dr. John R. Durrett
ISQS 6342
Spring 2003

Dipen Joshi
• Introduction to Denial of Service attacks
• Modes of DoS attacks
• Stopping Services and Exhausting Resources
• Distributed Denial of Service (DDoS) attacks
• Types of DDoS attacks
• Tools to launch DDoS attacks
• How to fight DDoS attacks
Meaning of DoS Attacks
• In Denial of Service (DoS) attacks, a computer bombards another system with floods of packets.
• The goal of a DoS attack is to prevent legitimate users from accessing the target host or network.
• Hackers sometimes use DoS attacks to provide a cover for other hacking activities.
Why DoS attacks
• Motive of frustration
• Personal or political vendettas
• Windows NT/95/98 systems
• “Point and click”
• Requires very little technical skill to run

An attacker can attempt to:
• “Flood” a network, thereby preventing legitimate network traffic
• Disrupt connections between two machines, thereby preventing access to a service
• Prevent a particular individual from accessing a service
• Disrupt service to a specific system or
IMPACT of DoS Attacks
• Disable your computer or your network.
• Can effectively disable your organization.
• Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack."
Modes of Attacks
There are three basic types of attack:
1) Consumption of scarce, limited, or non-renewable resources
2) Destruction or alteration of configuration information
3) Physical destruction or alteration of network components
Consumption of Scarce Resources
a) Network Connectivity – The attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.
b) Using Your Own Resources Against You – In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.
c) Bandwidth Consumption – An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.
Destruction or Alteration of Configuration Information
An improperly configured computer may not perform well or may not operate at all. An intruder may be able to alter or destroy configuration information that prevents you from using your computer or network. For example, if an intruder can change the routing information in your routers, your network may be disabled. If an intruder is able to modify the registry on a Windows NT machine, certain functions may be unavailable.
Physical Destruction or Alteration of Network Components
The primary concern with this type of attack is physical security. You should guard against unauthorized access to computers, routers, network wiring closets, network backbone segments, power and cooling stations, and any other critical components of your network. Physical security is a prime component in guarding against many types of attacks in addition to denial of service.
Categories of DoS Attacks

              Stopping services                   Exhausting resources
  Local       • Process killing                   • Forking processes to fill the process table
              • System reconfiguring              • Filling up the whole file system
              • Process crashing
  Remote      • Malformed packet attacks          • Packet floods (e.g. SYN flood, Smurf,
                (e.g. Land, Teardrop, etc.)         Distributed Denial of Service)
Stopping Local Service
Process Killing
An attacker with sufficient privileges (such as root on a UNIX system or administrator on a Windows machine) can simply kill local processes in a DoS attack. When the process, such as a Web or DNS server, isn’t running, it cannot service users’ requests.
Stopping Local Service
System Reconfiguration
• An attacker with sufficient privileges can reconfigure a system so that it doesn’t offer the service anymore or filters specific users from the machine.
• E.g. On a Windows NT file server, the attacker could reconfigure the machine simply by stopping the sharing of files across the network, preventing legitimate users from remotely accessing their valuable data on the file server.
Stopping Local Service
Process Crashing
• Even if the attackers don’t have super-user privileges on a machine, they may be able to crash processes by exploiting vulnerabilities in the
• E.g. An attacker could exploit a stack-based buffer overflow by inputting arbitrarily large amounts of random data into a local process. (Because the return pointer pushed on the stack during this overflow attack is random, the target process will simply crash, denying user access.)
Defenses from Local Stopping
• Keep your system patched, applying the relevant security bug fixes, so that the attacker cannot exploit and crash vulnerable local programs.
• Carefully dole out privileges to users on your system. When assigning privileges, follow the Principle of Least Privilege.
• Run integrity-checking programs, such as Tripwire, to make sure that critical system files are not altered.
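The integrity-checking idea behind Tripwire, shown as a small added example in Python (this is not the slides' or Tripwire's own code): record a SHA-256 digest for every file under a directory, later re-hash the same files and report what was modified, removed or added. The directory, file names and the "intruder" edits in demo() are all constructed in a temporary directory so the script runs offline; the function names are this example's own.

```python
"""Minimal Tripwire-style integrity check (added example, not from the slides).
A baseline of SHA-256 digests is taken, the tree is re-hashed later and any
modified, missing or added file is reported. demo() builds a constructed
directory, takes the baseline, tampers with it and returns the findings."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under `root` (relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def check_integrity(root: str, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline.
    Returns {"modified": [...], "missing": [...], "added": [...]}, each sorted."""
    current = build_baseline(root)
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    missing = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter one, delete one
    and drop a new file, the way a local intruder might."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("passwd", b"root:x:0:0\n"),
                           ("hosts", b"127.0.0.1 localhost\n"),
                           ("motd", b"welcome\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)          # this is what Tripwire stores
        with open(os.path.join(root, "passwd"), "ab") as f:
            f.write(b"evil:x:0:0\n")             # modified
        os.remove(os.path.join(root, "motd"))    # missing
        with open(os.path.join(root, "backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\n")              # added
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the stored baseline: keep it on read-only media or off the host, since an attacker with the privileges described above could otherwise re-baseline after making changes.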
Locally Exhausting Resources
Filling up the process table
• An attacker could write a program that simply forks another process to run a copy of itself.
• This recursive program would run, forking off another process to run the same program again.
• Using this program, the attacker could create processes as fast as the system could fork them for the user.
• Eventually, the process table on the machine could become filled, preventing other users from running processes and denying them access.
Locally Exhausting Resources
Filling up the file system
• Continuously writing an enormous amount of data to the file system.
• The attacker could fill up every available byte on the disk partition, preventing other users from being able to write files and potentially just crashing the system altogether.
Locally Exhausting Resources
Sending outbound traffic that fills up the communications link
• The attacker writes a program that sends bogus network traffic from the target system, consuming the processor and link bandwidth.
• If the attacker’s program generates enough packets, legitimate users will not be able to send traffic to or from the system.
Defenses from Locally Exhausting Resources
• When assigning privileges, follow the Principle of Least Privilege.
• Make sure that the sensitive systems have adequate resources, including memory, processor speed, and communication link
• Consider deploying host-based Intrusion Detection Systems or other system monitoring tools that can warn you when your system resources are getting low.
Remotely Stopping Services
• Remote DoS attacks are more prevalent.
• They do not require the attacker to have a local account on the machine.
• Can be launched from the attacker’s own system.
• The most common method is the malformed packet attack.
  – Such attacks exploit an error in the TCP/IP stack of the target machine by sending one or more unusually formatted packets to the target.
  – It will crash the target machine, possibly shutting down a specific process, all network communication, or causing the operating system to halt.
Remotely Stopping Services
Malformed packet attacks. Exploits:
– Land
– Latierra
– Ping of Death
– Jolt2
– Teardrop, Newtear, Bonk, Syndrop
– Winnuke

Land
• The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.
• Affects: Windows systems, various UNIX types, routers, printers, etc.

Ping of Death
• The program sends an oversized ping packet. Older TCP/IP stacks cannot properly handle a ping packet greater than 64 kilobytes and crash when one arrives.
• Affects: Windows, many UNIX variants, printers, etc.

Teardrop
• Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set to incorrect values, so that the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping
• Affects: Windows 95, 98, NT and Linux machines.
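The three malformed-packet patterns just described can be recognised from header fields alone, which is how a filter or an intrusion detection sensor catches them before a fragile stack sees them. The following Python is an added example, not code from the slides: it runs header checks for Land (source and destination address and port identical), Ping of Death (fragments that would reassemble beyond the 65535-byte IPv4 maximum) and Teardrop-style overlap (a fragment starting before the previous one ends) over a constructed list of packet summaries. The dict field names and sample addresses (documentation ranges) are this example's own.

```python
"""Header-level checks for Land, Ping of Death and overlapping-fragment attacks.
Added example, not from the slides; packets are constructed dicts."""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535   # largest IPv4 total length; more than this is never legitimate


def is_land(pkt: dict) -> bool:
    """Land: a TCP SYN whose source and destination address AND port are identical."""
    return (pkt["proto"] == "tcp" and "S" in pkt.get("flags", "")
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def group_fragments(pkts) -> dict:
    """Group fragments by the IPv4 reassembly key (src, dst, proto, ip_id)."""
    groups = defaultdict(list)
    for p in pkts:
        if p.get("frag_offset", 0) or p.get("more_fragments", False):
            groups[(p["src"], p["dst"], p["proto"], p["ip_id"])].append(p)
    return groups


def fragment_problems(frags) -> set:
    """Problems in one reassembly group:
    'oversized'   - the datagram would exceed 65535 bytes (Ping of Death)
    'overlapping' - a fragment starts inside the previous one (Teardrop family)"""
    problems = set()
    end_of_prev = 0
    for f in sorted(frags, key=lambda f: f["frag_offset"]):
        start, end = f["frag_offset"], f["frag_offset"] + f["payload_len"]
        if end > MAX_IP_DATAGRAM:
            problems.add("oversized")
        if start < end_of_prev:
            problems.add("overlapping")
        end_of_prev = max(end_of_prev, end)
    return problems


def classify(pkts) -> dict:
    """Run every check over a packet list; returns {alert_name: [description, ...]}."""
    alerts = defaultdict(list)
    for p in pkts:
        if is_land(p):
            alerts["land"].append(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
    for key, frags in group_fragments(pkts).items():
        for problem in sorted(fragment_problems(frags)):
            alerts[problem].append(f"{key[0]} -> {key[1]} id={key[3]}")
    return dict(alerts)


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    # ordinary SYN: no alert
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000, "dport": 80, "flags": "S"},
    # Land: src == dst and sport == dport
    {"proto": "tcp", "src": "198.51.100.5", "dst": "198.51.100.5", "sport": 139, "dport": 139, "flags": "S"},
    # Ping of Death: two fragments of one ICMP datagram ending at byte 65544
    {"proto": "icmp", "src": "192.0.2.10", "dst": "198.51.100.5", "ip_id": 7,
     "frag_offset": 0, "payload_len": 1480, "more_fragments": True},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "198.51.100.5", "ip_id": 7,
     "frag_offset": 65120, "payload_len": 424, "more_fragments": False},
    # Teardrop: second fragment starts at offset 24, inside the first (0..36)
    {"proto": "udp", "src": "192.0.2.11", "dst": "198.51.100.5", "ip_id": 9,
     "frag_offset": 0, "payload_len": 36, "more_fragments": True},
    {"proto": "udp", "src": "192.0.2.11", "dst": "198.51.100.5", "ip_id": 9,
     "frag_offset": 24, "payload_len": 4, "more_fragments": False},
    # well-formed fragments: contiguous, no overlap, no alert
    {"proto": "udp", "src": "192.0.2.12", "dst": "198.51.100.5", "ip_id": 11,
     "frag_offset": 0, "payload_len": 1480, "more_fragments": True},
    {"proto": "udp", "src": "192.0.2.12", "dst": "198.51.100.5", "ip_id": 11,
     "frag_offset": 1480, "payload_len": 100, "more_fragments": False},
]

if __name__ == "__main__":
    for name, hits in classify(SAMPLE).items():
        print(name, hits)
```

The reassembly key matters: overlap and size are properties of a whole datagram, so fragments are judged per (src, dst, protocol, IP id) group rather than one packet at a time. The patched stacks mentioned above do the same bookkeeping internally; a border filter doing it first keeps unpatched printers and routers behind it from ever seeing the packets.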
Remotely Exhausting Resources
• Most popular technique.
• Remotely tying up all of the resources of the target, particularly the bandwidth of the communications links.
• Using a flood of packets.
• SYN flood, Smurf attacks, DDoS attacks.

SYN Flood
• The attacker’s goal is to overwhelm the destination machine with SYN packets.
• Exploits the TCP three-way handshake.
• Sends many SYN packets to the victim.
• When the target receives more SYN packets than it can handle, other legitimate traffic will not be able to reach the victim.
• Two methods.
TCP Three-Way Handshake
Client connecting to a TCP port:

  Client                                        Server
    |  ----------- SYN ----------->               |   Client wishes to establish connection;
    |                                             |   server connection is now half-open
    |  <--------- SYN-ACK ---------               |   Server agrees to connection request
    |  ----------- ACK ----------->               |   Client finishes handshake
  Client connection established            Server connection established

SYN Flood
Client SYN flood:

  Client (spoofs request)                       Server
    |  ------------ S ------------>               |   half-open; SYN-ACK (SA) goes to the spoofed address
    |  ------------ S ------------>               |   queue filled
    |  ------------ S ------------>               |   queue filled
    |  ------------ S ------------>               |   queue filled
SYN flood – 1st method
• Fill the connection queue with half-open connections while the target machine waits for the third part of the handshake.
• Send more SYN packets.
• The target machine will allocate a small amount of resources to remember each SYN packet as it is
  – Filling up the queue with SYN packets will not allow other incoming traffic.
• Best to use spoofed IP addresses that are unresponsive on the Internet.

SYN flood – 2nd method
• The attacker must have a communication link bigger than the target machine’s communication link.
• The attacker must have more bandwidth than the victim machine and the ability to generate packets to fill that bandwidth.
• The SYN flood will just squeeze out other traffic.
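The first method works because the server keeps state for every SYN it has answered. The Python model below is an added example, not code from the slides: it simulates the half-open queue from the diagram as a fixed-size backlog with a timeout, and sets it beside a SYN-cookie listener that stores nothing per SYN because the state is encoded in the SYN-ACK sequence number. The "flood" is a loop of constructed tuples, not packets; the cookie construction (an HMAC over client address, port and a 64-second time slot) is a simplified stand-in for the real Linux/BSD layout, and real TCP acknowledges cookie+1 rather than the cookie itself. Class and function names are this example's own.

```python
"""Half-open queue model for the SYN-flood slides, from the defender's side.
Added example with constructed traffic, not code from the slides. Compares a
classic backlog (with timeout) against a SYN-cookie handshake that keeps no
per-SYN state. The cookie is a simplified stand-in, not the Linux/BSD layout."""
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # real stacks rotate this regularly
COOKIE_SLOT_SECONDS = 64


class StatefulListener:
    """Classic backlog: every SYN reserves a slot until the ACK arrives or the timeout fires."""

    def __init__(self, backlog: int, timeout: float):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}       # (client_ip, client_port) -> time the SYN-ACK was sent
        self.established = 0
        self.dropped_syns = 0     # SYNs refused because the queue was full

    def _expire(self, now: float):
        for key, sent in list(self.half_open.items()):
            if now - sent >= self.timeout:
                del self.half_open[key]

    def on_syn(self, client, now: float) -> bool:
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1    # this is where legitimate clients get locked out
            return False
        self.half_open[client] = now
        return True

    def on_ack(self, client, now: float) -> bool:
        self._expire(now)
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established += 1
        return True


def make_cookie(client, now: float) -> int:
    """32-bit cookie: keyed hash of (client ip, client port, time slot)."""
    slot = int(now) // COOKIE_SLOT_SECONDS
    digest = hmac.new(SECRET, f"{client[0]}:{client[1]}:{slot}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class CookieListener:
    """SYN-cookie handshake: the SYN-ACK sequence number carries the state, so
    nothing is stored per SYN and the listener can never be 'full'."""

    def __init__(self):
        self.established = 0
        self.rejected_acks = 0

    def on_syn(self, client, now: float) -> int:
        return make_cookie(client, now)   # sent as the SYN-ACK sequence number

    def on_ack(self, client, ack_cookie: int, now: float) -> bool:
        # Accept the current and the previous slot so a handshake that straddles
        # a slot boundary still completes; anything else is rejected statelessly.
        slot = int(now) // COOKIE_SLOT_SECONDS
        for slot_start in (slot * COOKIE_SLOT_SECONDS, (slot - 1) * COOKIE_SLOT_SECONDS):
            expected = make_cookie(client, slot_start).to_bytes(4, "big")
            if hmac.compare_digest(ack_cookie.to_bytes(4, "big"), expected):
                self.established += 1
                return True
        self.rejected_acks += 1
        return False


def simulate(spoofed_syns: int, backlog: int = 128, timeout: float = 60.0) -> dict:
    """Constructed scenario: a burst of SYNs from unresponsive spoofed sources at
    t=0, then 20 legitimate clients that complete the handshake at t=1."""
    stateful, cookie = StatefulListener(backlog, timeout), CookieListener()
    for i in range(spoofed_syns):
        bogus = (f"203.0.113.{i % 250}", 1024 + i)   # SYN-ACKs to these are never answered
        stateful.on_syn(bogus, now=0.0)
        cookie.on_syn(bogus, now=0.0)
    for i in range(20):
        client = ("192.0.2.77", 50000 + i)
        if stateful.on_syn(client, now=1.0):
            stateful.on_ack(client, now=1.0)
        cookie.on_ack(client, cookie.on_syn(client, now=1.0), now=1.0)
    return {"stateful_established": stateful.established,
            "stateful_dropped": stateful.dropped_syns,
            "cookie_established": cookie.established}


if __name__ == "__main__":
    print(simulate(1000))                # backlog of 128 swamped: 0 legitimate connections
    print(simulate(1000, timeout=0.5))   # short timeout frees the queue before clients arrive
    print(simulate(0))                   # no flood: all 20 connect
```

Two defender's levers are visible in the numbers: a shorter half-open timeout (or a larger backlog) buys time against a modest flood, while SYN cookies remove the queue as a target altogether at the cost of dropping TCP options that do not fit in the sequence number. Neither helps against the second method, where the link itself is saturated.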
Smurf Attacks
• In the "smurf" attack, attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks.
• There are three parties in these attacks:
  – the attacker,
  – the intermediary,
  – the victim (note that the intermediary can also be a victim).
• The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network.
• If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back.
• When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.
• The attackers do not use the IP address of their own machine as the source address. They create forged packets that contain the spoofed source address of the attacker's intended victim.
• The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine.
• The victim is subjected to network congestion that could potentially make the network unusable.
• Attackers send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim.
• Attackers look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can then subsequently be used as intermediaries in attacks.
• The Fraggle attack is a similar attack to the Smurf except that it uses UDP echo packets instead of ICMP echoes.
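Both the intermediary and the victim can see this pattern in their own traffic, which is what the added Python example below checks (it is not code from the slides). On the intermediary side it flags echo requests, ICMP type 8 or the UDP echo port 7 used by Fraggle, whose destination is one of the site's directed-broadcast addresses, and measures how many local hosts answered each forged request (the amplification factor). On the victim side it lists the hosts sending echo replies that the victim never requested. The packet capture is a constructed list of dicts covering both vantage points at once, the address ranges are documentation ranges, and the function names are this example's own.

```python
"""Smurf/Fraggle detection over a constructed packet capture. Added example,
not from the slides. Intermediary view: requests to our directed-broadcast
address and the replies they trigger. Victim view: unsolicited echo replies."""
import ipaddress
from collections import Counter, defaultdict

# The intermediary site's own address space (constructed).
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def directed_broadcast_requests(pkts, local_nets=LOCAL_NETS) -> dict:
    """ICMP echo requests (type 8) or UDP echo (port 7, Fraggle) addressed to
    one of our directed-broadcast addresses. Returns {claimed_source: count};
    the claimed source is the intended victim."""
    bcasts = {net.broadcast_address for net in local_nets}
    hits = Counter()
    for p in pkts:
        icmp_echo = p["proto"] == "icmp" and p.get("type") == 8
        udp_echo = p["proto"] == "udp" and p.get("dport") == 7
        if (icmp_echo or udp_echo) and ipaddress.ip_address(p["dst"]) in bcasts:
            hits[p["src"]] += 1
    return dict(hits)


def amplification(pkts, local_nets=LOCAL_NETS) -> dict:
    """Distinct local repliers per forged request, per victim: the amplification
    this site gives an attacker as long as it forwards directed broadcasts."""
    requests = directed_broadcast_requests(pkts, local_nets)
    repliers = defaultdict(set)
    for p in pkts:
        if p["proto"] == "icmp" and p.get("type") == 0 and p["dst"] in requests:
            if any(ipaddress.ip_address(p["src"]) in net for net in local_nets):
                repliers[p["dst"]].add(p["src"])
    return {victim: round(len(repliers[victim]) / n, 1) for victim, n in requests.items()}


def unsolicited_reply_sources(pkts, me: str, threshold: int = 10) -> list:
    """Victim-side check: echo replies reaching `me` from hosts `me` never sent an
    echo request to. Returns the sorted sources once there are at least `threshold`."""
    asked = {p["dst"] for p in pkts
             if p["src"] == me and p["proto"] == "icmp" and p.get("type") == 8}
    unsolicited = {p["src"] for p in pkts
                   if p["dst"] == me and p["proto"] == "icmp" and p.get("type") == 0
                   and p["src"] not in asked}
    return sorted(unsolicited) if len(unsolicited) >= threshold else []


def constructed_capture() -> list:
    """Constructed traffic: two forged requests, twelve amplifying hosts, one
    genuine ping from a different outside host, and one benign unicast request."""
    pkts = []
    for _ in range(2):    # attacker forges src = victim, dst = our broadcast address
        pkts.append({"proto": "icmp", "type": 8, "src": "203.0.113.7", "dst": "198.51.100.255"})
    for host in range(10, 22):    # every local host answers both requests, to the victim
        for _ in range(2):
            pkts.append({"proto": "icmp", "type": 0, "src": f"198.51.100.{host}", "dst": "203.0.113.7"})
    pkts.append({"proto": "icmp", "type": 8, "src": "203.0.113.8", "dst": "198.51.100.30"})
    pkts.append({"proto": "icmp", "type": 0, "src": "198.51.100.30", "dst": "203.0.113.8"})
    pkts.append({"proto": "icmp", "type": 8, "src": "192.0.2.4", "dst": "198.51.100.10"})
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    print(directed_broadcast_requests(cap))            # {'203.0.113.7': 2}
    print(amplification(cap))                           # {'203.0.113.7': 6.0}
    print(unsolicited_reply_sources(cap, "203.0.113.7"))
```

The first two checks give the intermediary both the alert and the reason to fix it: the fix the slides describe is to stop forwarding packets addressed to the broadcast address at the border router (on Cisco IOS this is `no ip directed-broadcast`, the default since IOS 12.0) and, on hosts, to not answer broadcast echo requests at all. The victim-side check is evidence for upstream filtering, but, as the slides note, the victim cannot stop the flood by itself.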
Smurf Attack
ICMP echo:

  Attacker (spoofs address)         Intermediary (amplifier: every host replies)         Victim
    |  ICMP echo request                 |                                                 |
    |  Src: target, Dest: broadcast      |                                                 |
    |  --------------------------------> |  ICMP echo replies to the spoofed source         |
    |                                    |  ----------------------------------------------> |

Smurf Attack
• is a site which will test scan your network and allow you to enter a known smurf amplifier site.
• is a site which actively scans the IPv4 address space and mails network contacts with information on how to disable them.
Distributed Denial of Service attacks (DDoS)
• In the summer of 1999, a new breed of attack was developed, called the Distributed Denial of Service (DDoS) attack.
• A Distributed Denial of Service attack uses multiple machines operating in concert to attack a network or site.
• The nature of these attacks causes so much extra network traffic that it is difficult for legitimate traffic to reach your site while blocking the forged attacking packets.
• February 2000: DDoS attack launched against Yahoo, Amazon, E*Trade, eBay, and others.
• Estimated losses were “several millions”.
• In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts.
• Harnesses the distributed nature of the
• It requires a large number of victim machines (Zombies).
• The process of compromising a host and installing the tool is automated. The process can be divided into the following steps:
1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known
2. Compromise the vulnerable hosts to gain
3. Install the tool on each host.
4. Use the compromised hosts for further scanning and compromises.
• Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.
• Enlisting numerous computers in a DDoS assault makes it both more devastating and harder to stop due to its distributed nature. It also makes tracing the original source of the attack virtually impossible.
• To launch a successful DDoS assault, an attacker needs to create a force of agents – often referred to as “zombie” computers.
• Once the zombie forces have been established, the attacker needs only to select a web site to attack. The attack itself can be initiated from a single computer, a central “command console” which can activate zombies located anywhere in the world.
Tools to launch DDoS
1) Trinoo
2) TFN
3) TFN2K
4) Stacheldraht

Trinoo
• A distributed tool used to launch coordinated DoS attacks from many sources.
• A Trinoo network consists of a small number of servers (masters) and a large number of clients (daemons).
• An attacker connecting to a Trinoo master and instructing that master to launch a DoS attack against one or more IP addresses carries out a DoS attack utilizing a Trinoo
• The Trinoo master then communicates with the daemons, giving instructions to attack one or more IP addresses for a specified period of time. Requires a UNIX-based operating system.

TFN – Tribe Flood Network & TFN2K
• The next generation of attack tools after Trinoo – can initiate several DDoS attacks, including ICMP, TCP SYN, UDP and a variation of Smurf.
• TFN2K improves on TFN by adding decoy packets and other measures to make it difficult to identify and filter TFN2K traffic. The master can also fake its source address to avoid detection. TFN2K is a version of Tribal Flood that was ported to the Microsoft® Windows® operating system.

Stacheldraht
• German for “barbed wire” – Difficult to detect and block, Stacheldraht commands use passwords and are sent over an encrypted communications medium.
• Like TFN, Stacheldraht can perform several different kinds of DoS attacks, including PING floods and spoofed-source attacks.

Sub7
• A powerful DDoS and remote-admin kit. Detected by most anti-virus software. Able to generate large PING packets. Able to command armies of Sub7 zombies via an IRC (Internet Relay Chat) control mechanism. Sub7 is currently native to the Windows
How to fight DDoS attacks
• Zombie Zapper tool
• Implement router filters
• Install patches to guard against TCP SYN
• Disable any unused or unneeded network
• Observe your system performance and establish baselines for ordinary activity
• Routinely examine your physical security with respect to your current needs
• Invest in and maintain "hot spares" – machines that can be placed into service quickly in the event that a similar machine is disabled
• Invest in redundant and fault-tolerant network configurations
• Establish and maintain regular backup schedules and policies
• Establish and maintain appropriate password policies
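"Establish baselines for ordinary activity" here, and the host-monitoring advice under Defenses from Locally Exhausting Resources, both come down to the same mechanism: learn what normal readings of a few resource counters look like, then alert when a reading leaves that band. The Python below is an added example, not code from the slides or from any particular monitoring product. It learns a mean and standard deviation per counter from a constructed training window, flags readings above mean + 3 standard deviations, and layers fixed hard limits on top for capacities a baseline cannot know about (a disk that is simply full). The counter names, training values and readings are all constructed.

```python
"""Baseline-and-deviation monitor for the host-monitoring advice in the slides.
Added example, not from the slides; counters and samples are constructed."""
import statistics

METRICS = ("processes", "disk_used_pct", "half_open_conns", "icmp_echo_per_s")

# Constructed "ordinary activity": 20 samples taken during quiet operation.
TRAINING = [
    {"processes": 120 + (i % 5), "disk_used_pct": 40 + (i % 3),
     "half_open_conns": i % 4, "icmp_echo_per_s": i % 2}
    for i in range(20)
]


def learn_baseline(samples, k: float = 3.0) -> dict:
    """Per metric: mean, population stdev and the upper bound mean + k*stdev."""
    baseline = {}
    for m in METRICS:
        values = [s[m] for s in samples]
        mean, sd = statistics.mean(values), statistics.pstdev(values)
        baseline[m] = {"mean": mean, "stdev": sd, "upper": mean + k * sd}
    return baseline


def check_sample(sample: dict, baseline: dict, hard_limits: dict = None) -> list:
    """Alert strings for metrics above the learned bound or at/above a hard limit.
    A reading can trigger both, which is deliberate: the baseline says 'unusual',
    the hard limit says 'out of capacity now'."""
    hard_limits = hard_limits or {}
    alerts = []
    for m in METRICS:
        v = sample[m]
        if v > baseline[m]["upper"]:
            alerts.append(f"{m}={v} exceeds baseline upper bound {baseline[m]['upper']:.1f}")
        if m in hard_limits and v >= hard_limits[m]:
            alerts.append(f"{m}={v} at or above hard limit {hard_limits[m]}")
    return alerts


def run_demo() -> dict:
    """Three constructed readings: quiet, a fork storm filling the process table,
    and a SYN flood arriving while the disk has been filled. Returns {label: alerts}."""
    base = learn_baseline(TRAINING)
    limits = {"disk_used_pct": 95}
    readings = {
        "quiet": {"processes": 123, "disk_used_pct": 41, "half_open_conns": 4, "icmp_echo_per_s": 1},
        "fork_storm": {"processes": 4000, "disk_used_pct": 41, "half_open_conns": 4, "icmp_echo_per_s": 1},
        "syn_flood_full_disk": {"processes": 123, "disk_used_pct": 96, "half_open_conns": 900, "icmp_echo_per_s": 1},
    }
    return {label: check_sample(r, base, limits) for label, r in readings.items()}


if __name__ == "__main__":
    for label, alerts in run_demo().items():
        print(label, alerts or "ok")
```

The training window must be taken while the system is known to be healthy and should be re-learned as legitimate load changes; a baseline learned during an attack would quietly make the attack "normal".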
Reference: Counter Hack – Ed Skoudis