Denial of Service Attacks:Methods, Tools, and

Defenses

Prof. Mort AnvariStrayer University at Arlington

2

Introduction

Basic types of DoS attacksEvolution of DoS toolsOverview of DoS toolsDefenses

3

What is Denial of Service Attack?

“Attack in which the primary goal is to deny the victim(s) access to a particular resource.” (CERT/CC)Very vide definition, covers lots of casesThis tutorial covers only subset of all DoS attacks

4

Modes of Denial of Service Attack

Consumption of limited resources Network connectivity Bandwidth consumption Other resources:

Processing time Disk space Lockout of an account

Alteration of configuration information

5

DoS Attacks - StatisticsThere are more than 4000 attacks per weekDuring 2000, 27% of security professionals detected DoS attack against their systemIn February 2000 attacks, stream going to one of affected sites was about 800Mb/s

6

DoS Attacks - StatisticsOverall Internet performance degradation

during February 2000 attacksDate PPW PAW CPWFeb. 7th 5.66 5.98 +5.7%Feb. 8th 5.53 5.96 +7.8%Feb. 9th 5.26 6.67 +26.8%Feb 10th 4.97 4.86 -2.2%PPW – Performance in previous week

PAW – Performance in attacking week

CPW – Change from previous week

Source:Keynote Systems

DoS Attacks - Basics

Prof. Mort AnvariStrayer University at Arlington

8

DoS Attacks - BasicsAttack has two phases:

Installation of DoS tools Committing an attack

9

DoS Attacks - BasicsInstallation of DoS tools: Finding a suitable machine:

Unprotected ports Vulnerable services Errors in operating systems Trojan horses and worms

Installation of the tool itself Installation of a root-kit

10

DoS Attacks - BasicsPing of Death

Maximum size of TCP/IP packet is 65536 bytes

Oversized packet may crash, freeze, reboot system

Obsolete

11

DoS Attacks - BasicsTeardrop

IP packet can be broken Broken packet is reassembled

using offset fields

12

DoS Attacks BasicsTeardrop

Overlapping offset fields

Obsolete

13

DoS Attacks - BasicsSyn flood attack

TCP Syn handshake

Finite length of backlog queue

Lots of half-open connections

Partially solved

SYN

ACK

SYNACK

Client

Server

14

DoS Attacks - BasicsUDP flood

UDP echo service UDP chargen service Spoofed address Easy prevention Brute force approach

if this one doesn’t work

Victim

AttackerVictim

SpoofedRequest

chargenecho

15

DoS Attacks - BasicsSmurf attack

ICMP packets Broadcast request Spoofed address Two victims Cannot be

easily prevented

Victim

IntermediateSystems

Attacker

16

Evolution of DoS Attacks

Defenses were improvedTechnology was improved, as wellAttackers had to improve their techniques for attacks

17

Evolution of DoS Attacks

Packet processing rate is more limiting than bandwidthCPU can be a limit in SYN flood attack“Reflected” attacks

Bad packet ICMP Reply

VictimAttacker Intermediate

18

(R)evolution of DoS Attacks

Distributed DoS tools and networks

Client-Server architecture Open-source approach Several layers Difficulties in tracking back the attacker

19

Evolution of DoS Attacks

All of the systems are compromised

Terminology: Client Handler Agent

20

Evolution of DoS Attacks

Implications of DDoS network:

One or two attackers

Small number of clients

Several handlers Huge number of agents

Humongous traffic

DoS Attacks - Tools

Prof. Mort AnvariStrayer University at Arlington

22

DoS Attacks - ToolsHistory of DoS tools:

IRC disable tools Single attack method tools Distributed tools,

with possibility of selecting the type of attack

23

DoS Attacks - ToolsTrinoo

Distributed UDP flood (brute force) Menu operated Agent passwords are sent in plain text form

(not encrypted)

24

DoS Attacks - ToolsTFN (Tribal Flood Network)

Multi-type attack UDP flood SYN flood ICMP_ECHOREPLY flood Smurf

Handler keeps track of its agents in “Blowfish” encrypted file

25

DoS Attacks - Tools

Improved version of TFNAgent can randomly alternate between the types of attackAgent is completely silent - handler sends the same command several times, hoping that agent will receive at least one)

TFN2K

26

DoS Attacks - Tools

All communication is encryptedRandom source IP address and port numberDecoy packets (sent to non-target networks)

TFN2K

27

DoS Attacks - Tools

Several levels of protection:Hard-coded password in client Password is needed

to take control over handlerEncrypted communication

between handler and agent

Stacheldraht

28

DoS Attacks - ToolsStacheldraht

Automated update of agents TCP is used for communication

between client and handler, and ICMP_ECHOREPLY for communication between handler and agent

29

DoS Attacks - Tools

ICMP_ECHOREPLY packets are difficult to stopEach agent has a list of its handlers (Blowfish encrypted) and in case that there is no such list, agent uses several hard-coded IP addressesAgent tests for a possibility of spoofing the source address

Stacheldraht

30

DoS Attacks - Tools

Weakness: it uses rpc command for updateListening on this port can lead to detection of an agent. Drawback is in fact that this can generate a lot of false alarms (rpc is used by legitimate users too)

Stacheldraht

Defenses

32

DefensesThere is no universal solutionThere are some preventions that can help in minimizing the damage:Prevention of becoming

the source of an attackPreparations for defending

against an attack

33

DefensesDisable and filter out chargen and echo servicesDisable and filter out all unused UDP services. Good practice is to block all UDP ports below 900 (excluding some specific ports like DNS)

34

DefensesInstall a filtering router to disable following cases: Do not allow packet to pass through

if it is coming to your network and has a source address from your network

Do not allow packet to pass through if it comes from your network and has a source address that doesn’t belong to your network

35

DefensesNetwork administrators should log all information on packets that are droppedIf you are providing external UDP services, monitor them for signs of misuse

36

DefensesThe following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router: 10.0.0.0 to 10.255.255.255 (reserved) 127.0.0.0 to 127.255.255.255 (loopback) 172.16.0.0 to 172.31.255.255 (reserved) 192.168.0.0 to 192.168.255.255

(reserved) 0.0.0.0 and 255.255.255.255 (broadcasts)

37

DefensesRouters, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installedSystem should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)

38

DefensesTrain your system and network administratorsRead security bulletins like: www.cert.org, www.sans.org, www.eEye.comFrom time to time listen on to attacker community to be informed about their latest achievementsBe in contact with your ISP. In case that your network is being attacked, this can save a lot of time

39

ConclusionSeveral examples of large scale DoS attacks (yahoo, eBuy, CERT, FBI, Amazon)Increased number of consumers with high bandwidth technologies, but with poor knowledge of network securityEasy accessible, easy to use DoS attack toolsNo final solution for attacks

40

This tutorial is based on research paper done for isitworking.comIsitworking is part of Biopop company, Charlotte, NC, USASo far, it was presented on:SSGRR 2002w, L’Aquila, ItalyYU-INFO 2002, Kopaonik, Serbia

Denial of Service Attacks:Methods, Tools, and

Defenses

Prof. Mort AnvariStrayer University at Arlington