DDoS: Distributed Denial of Service Attacks
by Mark Schuchter

Posted 22-Dec-2015

Overview

Introduction / Why? / Timeline / How? / Typical attack (UNIX) / Typical attack (Windows)

Introduction

DDoS attack:

prevents or impairs the use of a computer or service

consumes limited resources (memory, processor cycles, bandwidth, ...)

Internet security is highly interdependent: the attack traffic comes from compromised third-party hosts, so a site's exposure depends on how well every other site is secured

Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk

Why?

sub-cultural status

to gain access (e.g. knocking a trusted host off the network so it can be impersonated)

political reasons

economic reasons

revenge

nastiness

Timeline

before 1999: point-to-point attacks (SYN flood, Ping of Death, ...); first distributed attack tools ('fapi')

1999: more robust tools (trinoo, TFN, Stacheldraht) with auto-update and added encryption

2000: bundled with rootkits, controlled via talk or IRC

2001: worms carry DDoS features (e.g. Code Red), including time synchronisation of the attack

2002: DRDoS (reflected) attack tools, e.g. reflecting off 179/TCP (BGP = Border Gateway Protocol)

2004: Mydoom infects thousands of victims to attack SCO and Microsoft

How?

TCP floods (various flag combinations)

ICMP echo requests (e.g. ping floods)

UDP floods

SYN attack

Normal handshake:

Client -> Server: SYN
Server -> Client: SYN-ACK
Client -> Server: ACK

Attack:

Attacker (spoofed source IP) -> Server: SYN
Server -> spoofed address: SYN-ACK
(the ACK never comes; the server keeps a half-open connection in its backlog until it times out, and a stream of such SYNs fills the backlog so real clients are refused)
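The half-open exhaustion from the diagram above, simulated in code, plus the stateless SYN-cookie variant a server uses to survive it. This is an added example and not code from the slides; the backlog size, the per-boot secret, the cookie layout and the spoofed-source traffic are all assumptions made here (real SYN cookies also encode the MSS, which this toy omits).

```python
# Added example (not part of the slides): a toy TCP listener that shows why a
# flood of SYNs from spoofed addresses exhausts the half-open table, and a
# stateless SYN-cookie listener that survives the same flood.  Packets are
# plain Python tuples constructed below; no sockets are opened.
import hashlib
import hmac
from collections import OrderedDict

BACKLOG = 128                     # half-open (SYN_RECV) slots, assumed value
SECRET = b"random-per-boot-key"   # assumed per-boot secret for the cookie MAC
MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic server: every SYN allocates a slot until the ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = OrderedDict()   # (src_ip, src_port) -> server ISN
        self.dropped = 0                 # SYNs refused because the table was full
        self.established = 0

    def on_syn(self, src_ip, src_port, now):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1            # this is where legitimate clients lose
            return None
        digest = hashlib.sha256(f"{src_ip}:{src_port}:{now}".encode()).digest()
        isn = int.from_bytes(digest[:4], "big")
        self.half_open[(src_ip, src_port)] = isn
        return isn                       # sent back in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num, now):
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is not None and ack_num == (isn + 1) & MASK32:
            self.established += 1
            return True
        return False


class SynCookieListener:
    """Stateless server: the ISN is an HMAC over the 4-tuple and a coarse clock,
    so nothing is stored until a valid third packet arrives."""

    def __init__(self, secret=SECRET, window=64):
        self.secret = secret
        self.window = window             # seconds per cookie counter tick
        self.dropped = 0                 # never increments: no table to fill
        self.established = 0

    def cookie(self, src_ip, src_port, counter):
        mac = hmac.new(self.secret, f"{src_ip}:{src_port}:{counter}".encode(),
                       hashlib.sha256).digest()
        # top 5 bits carry the counter so on_ack knows which window to check
        return ((counter & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip, src_port, now):
        return self.cookie(src_ip, src_port, now // self.window)

    def on_ack(self, src_ip, src_port, ack_num, now):
        isn = (ack_num - 1) & MASK32
        counter = now // self.window
        for c in (counter, counter - 1):  # accept current or previous window
            if self.cookie(src_ip, src_port, c) == isn:
                self.established += 1
                return True
        return False


def spoofed_sources(n):
    """Constructed attacker traffic: n distinct addresses that never answer."""
    for i in range(n):
        yield f"10.{(i >> 16) & 0xFF}.{(i >> 8) & 0xFF}.{i & 0xFF}", 40000 + (i % 20000)


def simulate(listener, n_spoofed=1000, now=1000):
    """Flood the listener with spoofed SYNs, then try one honest handshake.
    Returns (honest client connected?, SYNs dropped)."""
    for ip, port in spoofed_sources(n_spoofed):
        listener.on_syn(ip, port, now)           # SYN-ACK goes to nobody
    isn = listener.on_syn("192.0.2.10", 50000, now)
    ok = isn is not None and listener.on_ack("192.0.2.10", 50000, (isn + 1) & MASK32, now)
    return ok, listener.dropped


if __name__ == "__main__":
    print("stateful  :", simulate(StatefulListener()))   # (False, 873)
    print("syncookie :", simulate(SynCookieListener()))  # (True, 0)
```

With a 128-slot backlog the first 128 spoofed SYNs fill the table and every later SYN, including the honest one, is dropped; the cookie listener keeps no state per SYN, so the honest client's ACK is verified purely from the MAC and the attack costs the server only CPU.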

Typical attack

1. prepare attack
2. set up network
3. communication

UNIX (‘trin00’) – preparation I

use a stolen account (high bandwidth) as repository for:

scanners

attack tools (e.g. buffer overrun exploit)

root kits

sniffers

trin00 master and daemon program

list of vulnerable hosts, previously compromised hosts, ...

UNIX (‘trin00’) – preparation II

scan large ranges of network blocks to identify potential targets (running an exploitable service)

the list is used to create a script that:

performs the exploit

sets up a command shell running as root that listens on a TCP port (1524/tcp)

connects to this port to confirm the exploit

result: list of owned systems

UNIX (‘trin00’) – network I

store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet

a script takes the ‘owned list’ to automate the installation of the daemon

same goes for the trin00 master

UNIX (‘trin00’) – network II

attacker
  |
  +-- master --- master --- master
        |
        +-- daemon --- daemon --- daemon --- daemon

(one attacker controls a few masters; each master controls many daemons, and the daemons generate the flood)

UNIX (‘trin00’) – communication

attacker controls a master via telnet and a password (port 27665/tcp)

trin00 master to daemon via 27444/udp (message format: arg1 password arg2)

daemon to master via 31335/udp

‘dos <pw> 192.168.0.1’ triggers the attack
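The control channels listed above are fixed ports with a fixed message grammar, which is what a defender can key on. As an added example (not code from the slides or from trin00 itself), the following flags those channels in flow records and reconstructs who is attacker, master and daemon and which address they were told to flood. The flow-record layout, the sample traffic, the command keyword in the master-to-daemon datagrams and the password string are all constructed here; only the ports and the ‘arg1 password arg2’ layout come from the slides.

```python
# Added example (not from the slides): flag trin00-style control traffic in
# flow records using only what the slides state: master control on 27665/tcp,
# master->daemon commands on 27444/udp laid out as "arg1 <password> arg2",
# daemon->master replies on 31335/udp, and the exploit's root shell on 1524/tcp.
# The record layout and the sample records below are constructed for the example.
import ipaddress
import re
from collections import defaultdict

# record layout (assumed): (proto, src_ip, src_port, dst_ip, dst_port, payload)
TRINOO_PORTS = {
    ("tcp", 27665): "attacker->master control (telnet, password)",
    ("udp", 27444): "master->daemon command",
    ("udp", 31335): "daemon->master reply",
    ("tcp", 1524):  "root shell left by the exploit script",
}

# "arg1 password arg2", e.g. "dos <pw> 192.168.0.1"
CMD_RE = re.compile(rb"^(?P<cmd>\S+) (?P<pw>\S+) (?P<arg>\S+)$")


def classify(record):
    """Return the role of a flow if its destination port is a trin00 channel."""
    proto, _src, _sport, _dst, dport, _payload = record
    return TRINOO_PORTS.get((proto, dport))


def parse_command(payload):
    """Parse 'arg1 pwd arg2' from a control message; return (cmd, target) only
    when arg2 is a dotted IPv4 address (the flood target), else None."""
    m = CMD_RE.match(payload.strip())
    if not m:
        return None
    try:
        target = ipaddress.ip_address(m.group("arg").decode())
    except ValueError:
        return None
    return m.group("cmd").decode(), str(target)


def analyse(records):
    """Map the DDoS network: which hosts act as attacker, master, daemon or
    freshly compromised, and which address the daemons were told to flood."""
    roles = defaultdict(set)
    targets = set()
    for rec in records:
        if classify(rec) is None:
            continue
        _proto, src, _sport, dst, dport, payload = rec
        if dport == 27665:
            roles["attacker"].add(src)
            roles["master"].add(dst)
        elif dport == 27444:
            roles["master"].add(src)
            roles["daemon"].add(dst)
        elif dport == 31335:
            roles["daemon"].add(src)
            roles["master"].add(dst)
        elif dport == 1524:
            roles["compromised"].add(dst)
        if dport in (27665, 27444):
            parsed = parse_command(payload)
            if parsed:
                targets.add(parsed[1])
    return {k: sorted(v) for k, v in roles.items()}, sorted(targets)


# Constructed sample traffic; addresses are from documentation ranges, the
# password "secret" and the daemon command keyword "aaa" are placeholders.
SAMPLE = [
    ("tcp", "203.0.113.5", 51000, "198.51.100.2", 27665, b"dos secret 192.168.0.1\r\n"),
    ("udp", "198.51.100.2", 27444, "192.0.2.10", 27444, b"aaa secret 192.168.0.1"),
    ("udp", "198.51.100.2", 27444, "192.0.2.11", 27444, b"aaa secret 192.168.0.1"),
    ("udp", "192.0.2.10", 31335, "198.51.100.2", 31335, b"*HELLO*"),
    ("tcp", "203.0.113.5", 51001, "192.0.2.12", 1524, b"id\n"),
    ("tcp", "192.0.2.50", 44000, "198.51.100.9", 443, b"..."),   # unrelated flow
]

if __name__ == "__main__":
    roles, targets = analyse(SAMPLE)
    print(roles)    # attacker, master, daemon and compromised host lists
    print(targets)  # ['192.168.0.1']
```

Port-based matching is cheap but brittle: the ports are compile-time defaults and a rebuilt daemon can use others, so the message grammar (three whitespace-separated fields ending in a dotted address) is the more durable signal, and the daemon-to-master replies on 31335/udp give away daemons even when the master's port has been changed.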

Windows (‘Sub7’) – preparation I

set up the following on your home PC:

freemail account

Kazaa

trojan toolkit

IRC client

IRC bot

Windows (‘Sub7’) – preparation II

assemble different trojans (GUI)

define ways of communication

name

file

Windows (‘Sub7’) – network I

start spreading via:

email / news lists

IRC

P2P software

Windows (‘Sub7’) – network II

attacker
  |
  +-- client --- client --- client --- client

Windows (‘Sub7’) – communication

Sub7 client

IRC channel

1 click to launch the attack

Development

[Chart, Source: CERT/CC: attack sophistication plotted against intruder knowledge, time axis 1980 to 2001, vertical axis Low to High. Attack sophistication (tools) rises over time while the knowledge required of attackers falls. Tools labelled on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]

Solutions

statistical analysis of traffic at routers (e.g. D-WARD): not ready yet

change people's awareness (firewalls, attachments, virus scanners, ...)
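What "statistical analysis at routers" means in practice, as an added example that is not code from the slides or from D-WARD: a simplified version of the source-end check D-WARD applies at the edge router of a network that hosts the daemons. Per outside destination it compares packets sent out with packets coming back; a TCP conversation that is almost entirely one-way is the signature of a flood. The record layout, the thresholds and the sample traffic are assumptions made here.

```python
# Added example (not from the slides): a simplified source-end flow-ratio check
# in the spirit of D-WARD.  The router counts, per outside destination, TCP
# packets leaving our network and TCP packets returning from that destination.
# Legitimate TCP is roughly balanced; a flood from daemons inside our network
# is one-way.  Thresholds and the packet records below are assumptions.
from collections import defaultdict

TCP_RATIO_MAX = 3.0     # assumed: sent/received packet ratio above this is suspect
MIN_PACKETS = 20        # assumed: tiny flows are ignored, their ratios are noise


def aggregate(packets):
    """packets: (direction, inside_ip, outside_ip, proto) records, direction
    'out' (leaving our network) or 'in' (returning).  Returns per outside
    destination: packets out, packets in, distinct inside sources."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "sources": set()})
    for direction, inside, outside, proto in packets:
        if proto != "tcp":          # this toy models the TCP ratio only
            continue
        s = stats[outside]
        s[direction] += 1
        if direction == "out":
            s["sources"].add(inside)
    return stats


def classify_destinations(packets, ratio_max=TCP_RATIO_MAX, min_packets=MIN_PACKETS):
    """Return {outside_dst: ratio} for destinations whose traffic looks like an
    outbound flood; a deployment would rate-limit those flows at the router."""
    suspects = {}
    for dst, s in aggregate(packets).items():
        if s["out"] < min_packets:
            continue
        ratio = s["out"] / max(s["in"], 1)
        if ratio > ratio_max:
            suspects[dst] = round(ratio, 2)
    return suspects


def sample_traffic():
    """Constructed packets: one balanced web session and one SYN flood from
    fifty inside hosts towards a single victim that barely answers."""
    pkts = []
    for _ in range(30):   # normal session: request/response roughly balanced
        pkts.append(("out", "192.0.2.10", "198.51.100.80", "tcp"))
        pkts.append(("in", "192.0.2.10", "198.51.100.80", "tcp"))
    for i in range(200):  # flood: SYNs go out from many inside hosts
        pkts.append(("out", f"192.0.2.{i % 50}", "203.0.113.7", "tcp"))
    for _ in range(5):    # the victim manages only a handful of SYN-ACKs
        pkts.append(("in", "192.0.2.1", "203.0.113.7", "tcp"))
    return pkts


if __name__ == "__main__":
    print(classify_destinations(sample_traffic()))   # {'203.0.113.7': 40.0}
```

The caveat behind "not ready yet": a ratio test this simple also trips on legitimately one-way traffic (UDP streams, bulk uploads), which is why the real system keeps separate models per protocol and adjusts its rate limits gradually, and why it only helps if the networks that host the daemons deploy it.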

Thanks for your attention!