ddos distributed denial of service attacks by mark schuchter
Post on 22-Dec-2015
TRANSCRIPT
DDoS
Distributed Denial of Service Attacks
by Mark Schuchter
Overview
Introduction
Why?
Timeline
How?
Typical attack (UNIX)
Typical attack (Windows)
Introduction
DDoS attack:
prevents and impairs computer use
targets limited and consumable resources (memory, processor cycles, bandwidth, ...)
Internet security is highly interdependent
Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk
Why?
sub-cultural status
to gain access
political reasons
economic reasons
revenge
nastiness
Timeline
<1999: point-to-point attacks (SYN flood, Ping of Death, ...), first distributed attack tools ('fapi')
1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
2000: bundled with rootkits, controlled via talk or IRC
2001: worms include DDoS features (e.g. Code Red), include time synchro.,
2002: DRDoS (reflected) attack tools (179/TCP; BGP = Border Gateway Protocol)
2003: Mydoom infects thousands of victims to attack SCO and Microsoft
How?
TCP floods (various flags)
ICMP echo requests (i.e. ping floods)
UDP floods
SYN attack
(diagram: normal three-way handshake vs. SYN flood)
Handshake: client -> server: SYN; server -> client: SYN-ACK; client -> server: ACK.
Attack: attacker (spoofed IP) -> server: SYN, SYN, ...; server -> spoofed address: SYN-ACK; the closing ACK never arrives, so every handshake stays half-open and holds server resources.
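The half-open state the diagram leaves behind is exactly what a monitor can count. The following is an added example, not code from the original slides: a small Python detector over a constructed packet list (addresses from the RFC 5737 documentation ranges, a hypothetical record layout) that pairs each SYN with the client's closing ACK, reports handshakes that stayed half-open longer than a timeout, and aggregates per server rather than per source, because with spoofed sources every fake client appears only once.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as a monitor would see it (constructed record layout)."""
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def half_open_connections(packets, timeout=3.0):
    """Return {server_ip: [(client_ip, server_port), ...]} for handshakes that
    saw a SYN but no client ACK within `timeout` seconds of the newest packet."""
    if not packets:
        return {}
    syn_time = {}        # (client, server, port) -> time of first SYN
    completed = set()    # keys whose third handshake step (client ACK) was seen
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            syn_time.setdefault(key, p.ts)   # retransmitted SYNs count once
        elif p.flags == "A" and key in syn_time:
            completed.add(key)
        # "SA" packets travel server -> client; the server's backlog entry is
        # already implied by the SYN, so they are not needed for this count.
    now = max(p.ts for p in packets)
    per_server = defaultdict(list)
    for (client, server, port), t in syn_time.items():
        if (client, server, port) in completed or now - t < timeout:
            continue
        per_server[server].append((client, port))
    return dict(per_server)


def detect_syn_flood(packets, timeout=3.0, threshold=50):
    """Alert per server with the number of stale half-open handshakes and the
    number of distinct client addresses behind them. A per-source threshold
    would see one half-open connection per spoofed address and never fire."""
    alerts = {}
    for server, pending in half_open_connections(packets, timeout).items():
        if len(pending) >= threshold:
            alerts[server] = {
                "half_open": len(pending),
                "distinct_sources": len({client for client, _ in pending}),
            }
    return alerts


# Constructed capture (hypothetical traffic, documentation address ranges).
SERVER = "192.0.2.10"
SAMPLE = [
    # one legitimate, completed handshake
    Packet(0.00, "10.0.0.5", 40001, SERVER, 80, "S"),
    Packet(0.01, SERVER, 80, "10.0.0.5", 40001, "SA"),
    Packet(0.02, "10.0.0.5", 40001, SERVER, 80, "A"),
]
# 60 SYNs from spoofed sources that never answer; each source appears once
SAMPLE += [Packet(1.0 + i * 0.01, f"198.51.100.{i + 1}", 1024 + i, SERVER, 80, "S")
           for i in range(60)]
# the server dutifully answers each one with a SYN-ACK to the spoofed address
SAMPLE += [Packet(1.005 + i * 0.01, SERVER, 80, f"198.51.100.{i + 1}", 1024 + i, "SA")
           for i in range(60)]
# a fresh SYN still inside the timeout window: not counted as stale
SAMPLE.append(Packet(9.5, "10.0.0.7", 40002, SERVER, 80, "S"))
# a later packet on the established connection sets the capture's "now"
SAMPLE.append(Packet(10.0, "10.0.0.5", 40001, SERVER, 80, "A"))


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE))
```

The timeout and threshold values are assumptions for the sample; a deployment would derive them from a baseline of normal handshake completion rates, which is the same idea the "statistical analyses at core routers" item on the Solutions slide applies at network scale.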
Typical attack
1. prepare attack
2. set up network
3. communication
UNIX ('trin00') – preparation I
use a stolen account (high bandwidth) as repository for:
scanners
attack tools (i.e. buffer overrun exploit)
root kits
sniffers
trin00 master and daemon program
list of vulnerable hosts, previously compromised hosts, ...
UNIX ('trin00') – preparation II
scan a large range of network blocks to identify potential targets (running an exploitable service)
list used to create a script that:
performs the exploit
sets up a command shell running under root that listens on a TCP port (1524/tcp)
connects to this port to confirm the exploit
result: list of owned systems
UNIX ('trin00') – network I
store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
script takes the 'owned list' to automate the installation process of the daemon
same goes for the trin00 master
UNIX ('trin00') – network II
(diagram: three tiers; one attacker controls several masters, each master controls several daemons)
attacker
master master master
daemon daemon daemon daemon
UNIX ('trin00') – communication
attacker controls master via telnet and a password (port 27665/tcp)
trin00 master to daemon via 27444/udp (arg1 pwd arg2)
daemon to master via 31335/udp
'dos <pw> 192.168.0.1' triggers the attack
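The fixed ports on this slide (27665/tcp, 27444/udp, 31335/udp) and the 1524/tcp root shell from preparation II are the network-visible fingerprint of a trin00 deployment. As an added example, not part of the original slides, here is a Python scan over constructed flow-log lines (hypothetical "<time> <proto> <src>:<sport> -> <dst>:<dport>" layout, private and documentation addresses) that flags flows on those destination ports and, from the direction of each flow, infers which hosts act as controller, master, daemon or carry the leftover root shell.

```python
import re
from collections import defaultdict

# Ports named on the slides, keyed by (protocol, destination port).
TRIN00_PORTS = {
    ("tcp", 27665): "attacker -> master control (telnet, password)",
    ("udp", 27444): "master -> daemon commands",
    ("udp", 31335): "daemon -> master replies",
    ("tcp", 1524):  "root shell left behind by the exploit script",
}

# Roles implied for (source host, destination host) of a flagged flow.
ROLE_BY_PORT = {
    ("tcp", 27665): ("controller", "master"),
    ("udp", 27444): ("master", "daemon"),
    ("udp", 31335): ("daemon", "master"),
    ("tcp", 1524):  ("controller", "root shell"),
}

# Constructed flow-log line layout (hypothetical, not any real collector's format).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log: one controller, one master, two daemons, some noise.
SAMPLE_FLOWS = """\
10:00:01 tcp 10.1.1.20:51000 -> 10.1.1.80:443
10:00:02 tcp 203.0.113.9:40110 -> 10.1.1.50:27665
10:00:03 udp 10.1.1.50:45000 -> 10.1.1.61:27444
10:00:03 udp 10.1.1.50:45001 -> 10.1.1.62:27444
10:00:04 udp 10.1.1.61:31335 -> 10.1.1.50:31335
10:00:05 udp 10.1.1.20:5353 -> 224.0.0.251:5353
10:00:06 tcp 10.1.1.20:52011 -> 10.1.1.61:1524
this line is not a flow record
"""


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def find_trin00_flows(lines):
    """Flows whose (proto, dport) matches a trin00 port. Only the destination
    port is tested: a source port that happens to be 27444 is an ephemeral-port
    collision, not a command channel."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        label = TRIN00_PORTS.get((f["proto"], f["dport"]))
        if label:
            hits.append((f["ts"], f["src"], f["dst"], f["proto"], f["dport"], label))
    return hits


def infer_roles(lines):
    """Map host -> set of roles (controller / master / daemon / root shell)
    suggested by the direction of the flagged flows."""
    roles = defaultdict(set)
    for _, src, dst, proto, dport, _ in find_trin00_flows(lines):
        src_role, dst_role = ROLE_BY_PORT[(proto, dport)]
        roles[src].add(src_role)
        roles[dst].add(dst_role)
    return dict(roles)


if __name__ == "__main__":
    for host, r in sorted(infer_roles(SAMPLE_FLOWS.splitlines()).items()):
        print(host, sorted(r))
```

Port matching alone is a weak signal (any service could be bound to these numbers), so a hit is a lead to confirm on the host, for instance by checking what process listens on 1524/tcp; the role inference is more convincing when the same host shows up as both destination of 27444/udp and source of 31335/udp, as 10.1.1.61 does in the sample.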
Windows ('Sub7') – preparation I
set up the following things on your home PC:
freemail
Kazaa
trojan toolkit
IRC client
IRC bot
Windows ('Sub7') – preparation II
assemble different trojans (GUI)
define ways of communication
name
file
Windows ('Sub7') – network I
start spreading via:
email/news lists
IRC
P2P software
Windows ('Sub7') – network II
(diagram: one attacker directly controlling many infected clients)
attacker
client client client client
Windows ('Sub7') – communication
Sub7 client
IRC channel
1 click to launch the attack
Development
(chart, source: CERT/CC: attack sophistication vs. intruder knowledge, 1980 to 2001. Two curves, "Tools" and "Attackers": attack sophistication rises from Low to High while the intruder knowledge required falls from High to Low. Tools marked along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption)
Solutions
statistical analyses (i.e. D-ward) at core routers - not ready yet
change awareness of people (firewalls, attachments, virus scanners, ...)