DoS Suite and Raw Socket Programming
Group 16
Thomas Losier
Paul Obame
Motivation
“We are not teaching you to be script kiddies in this class” Henry Owen
Give the students a better understanding of:
  Raw socket programming: coding, modifying, understanding
  DoS attacks: dangers, defenses
Raw Socket Programming
“Raw socket is a computer networking term used to describe a socket that allows access to packet headers on incoming and outgoing packets. Raw sockets are usually used at the transport or network layers.” wikipedia.org
The ability to craft packet headers is a powerful tool that allows hackers to do many nefarious things
Lab Structure
Expand knowledge on the particular DoS attack and the IP protocols involved
Edit/Develop code based on understanding of the previous section and the given resources
Compile and execute the attack
Gather data
Analyze and implement defenses
IP Header
What we are trying to create:
Figure 1: IP Packet Diagram (www.h3c.com)
Creation of an IP header
#include <stdlib.h>        /* rand() */
#include <arpa/inet.h>     /* htons() */
#include <netinet/ip.h>    /* struct ip */
/* struct pktInfo, in_chksum() and IPHEADER are defined elsewhere in the suite */
void addIP(unsigned char *buf, struct pktInfo *pktInfo, int offset){
    struct ip* ip = (struct ip*) (buf + offset); //ip points to some place in the buffer
    ip->ip_v = 4; //ipv4
    ip->ip_hl = 5; //4 * 5 = 20 bytes
    ip->ip_tos = 0; //didn't specify any special type of service
    ip->ip_len = htons(pktInfo->pktSize); //total packet size
    ip->ip_src.s_addr = pktInfo->srcAddr; //4 byte source IP address
    ip->ip_dst.s_addr = pktInfo->destAddr; //4 byte destination IP address
    ip->ip_id = rand(); //random id
    ip->ip_off = 0; //mainly used for reassembly of fragmented IP datagrams
    ip->ip_ttl = 255; //Time to live is the amount of hops before the packet is discarded
    ip->ip_p = pktInfo->protocol; //protocol used: TCP, UDP, etc
    ip->ip_sum = 0; //zero out the checksum field before computing the checksum
    ip->ip_sum = in_chksum((unsigned short *) ip, IPHEADER); //compute the checksum
}
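Added example, not from the slides or the lab's own suite: a complete, compilable version of the header construction above. It implements in_chksum() as the RFC 1071 one's-complement sum the slide relies on, and adds the receiver-side check that recomputes the sum over a received header (an intact header sums to zero). struct pktInfo, IPHEADER and the id field are assumed definitions modelled on the names the slide uses (id replaces the slide's rand() so the output is reproducible); the addresses are constructed. The code only fills a buffer and never opens a socket.

```c
#define _DEFAULT_SOURCE              /* exposes struct ip on glibc */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>               /* htons(), htonl() */
#include <netinet/ip.h>              /* struct ip, IPPROTO_TCP */

#define IPHEADER 20                  /* assumed: IPv4 header length in bytes (ip_hl = 5) */

/* Assumed shape of the lab's packet descriptor; the id field stands in for
 * the slide's rand() so the checksum is reproducible. */
struct pktInfo {
    uint32_t srcAddr;                /* network byte order */
    uint32_t destAddr;               /* network byte order */
    uint16_t pktSize;                /* total datagram length, host byte order */
    uint16_t id;                     /* identification field, host byte order */
    uint8_t  protocol;               /* IPPROTO_TCP, IPPROTO_UDP, ... */
};

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words, carries
 * folded back in, then complemented.  Storing the result straight back into
 * the header gives the correct bytes on either host endianness. */
unsigned short in_chksum(const unsigned short *addr, int len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += *addr++; len -= 2; }
    if (len == 1) sum += *(const unsigned char *)addr;   /* odd trailing byte */
    sum = (sum >> 16) + (sum & 0xffff);                  /* fold carries once ... */
    sum += (sum >> 16);                                  /* ... and again */
    return (unsigned short)~sum;
}

/* Same field-by-field construction as the slide. */
void addIP(unsigned char *buf, const struct pktInfo *pktInfo, int offset)
{
    struct ip *ip = (struct ip *)(buf + offset);
    memset(ip, 0, IPHEADER);
    ip->ip_v   = 4;
    ip->ip_hl  = 5;                                       /* 5 * 4 = 20 bytes */
    ip->ip_tos = 0;
    ip->ip_len = htons(pktInfo->pktSize);
    ip->ip_id  = htons(pktInfo->id);
    ip->ip_off = 0;
    ip->ip_ttl = 255;
    ip->ip_p   = pktInfo->protocol;
    ip->ip_src.s_addr = pktInfo->srcAddr;
    ip->ip_dst.s_addr = pktInfo->destAddr;
    ip->ip_sum = 0;                                       /* must be zero while summing */
    ip->ip_sum = in_chksum((const unsigned short *)ip, IPHEADER);
}

/* Receiver-side check: summing a header that includes its own checksum field
 * yields 0xffff, so in_chksum() returns 0 for an intact header. */
int ip_header_valid(const unsigned char *hdr)
{
    const struct ip *ip = (const struct ip *)hdr;
    if (ip->ip_v != 4 || ip->ip_hl < 5) return 0;
    return in_chksum((const unsigned short *)hdr, ip->ip_hl * 4) == 0;
}

/* Constructed sample: a 40-byte TCP datagram 10.0.0.1 -> 10.0.0.2, id 0x1234.
 * Returns a static, 4-byte-aligned buffer holding the finished header. */
unsigned char *demo_packet(void)
{
    static uint32_t words[10];                            /* 40 bytes, aligned */
    unsigned char *buf = (unsigned char *)words;
    struct pktInfo info = { htonl(0x0a000001), htonl(0x0a000002), 40, 0x1234, IPPROTO_TCP };
    addIP(buf, &info, 0);
    return buf;                                           /* checksum bytes: 0x95 0x99 */
}

/* A single changed byte (TTL 255 -> 254, as a router would do) must fail the check. */
int demo_tamper_detected(void)
{
    uint32_t copy[5];                                     /* aligned 20-byte copy */
    unsigned char *c = (unsigned char *)copy;
    memcpy(c, demo_packet(), IPHEADER);
    c[8] = 254;
    return ip_header_valid(c) == 0;
}

int main(void)
{
    const unsigned char *h = demo_packet();
    printf("checksum bytes %02x %02x, valid=%d, tamper detected=%d\n",
           h[10], h[11], ip_header_valid(h), demo_tamper_detected());
    return 0;
}
```

The hand-computed sum for this header is 0x6a66, so the stored checksum is its complement 0x9599; every router that decrements the TTL has to recompute it, which is why a receiver can use the same routine to catch corrupted or hand-built headers.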
Using Raw Sockets
Denial of Service (DoS)
The Internet was designed for easy connectivity and scalability
Not designed to support authentication schemes
Attempt to occupy all resources of a system
Two general types of DoS attack
DoS Suite
First type attack: ICMP reset attack
Second type attack: TCP SYN attack, UDP flood attack, ping request (smurf) attack
Using the DoS Suite
ICMP Reset Attack
By spoofing a hard ICMP error message a hacker can kill any running TCP connection
Requires the four-tuple
  Determine the four-tuple using a packet sniffer
  Guessing the four-tuple: by gathering information on the operating systems being used and the communication method in use, ICMP reset packets can be sent over a range of port addresses, killing a connection you cannot sniff
ICMP Reset Attack (Lab)
ICMP Reset Attack
TCP SYN Attack
When a server receives a SYN it stores the connection information in memory and sends back a SYN-ACK
Because the IP address is spoofed it will never get a response and the information will stay until timeout
If packets are sent fast enough they will fill the buffer and no new requests will be able to be processed
SYN Attack (Lab)
SYN Attack
SYN Attack (Summary)
UDP Flood Attack
The premise of the UDP attack is similar to the SYN attack; however, when using UDP the client does not set aside memory for the connection information
If packets are sent fast enough they will fill the network card buffer and no new requests will be able to be processed
UDP Flood Attack (Lab)
UDP Flood Attack
UDP Attack (Summary)
ICMP Ping (smurf) Attack
DDoS attack: using a network of machines, a lot more information can be sent at once
Send ping requests to a network of machines with a return address of the “victim” machine
If packets are sent fast enough they will fill the buffer and no new requests will be able to be processed
ICMP Ping Attack (Lab)
ICMP Ping Attack
ICMP Attack (Summary)
DoS Defenses
SYN Cookies
Configure your firewall (refer to lab 4)
  IPtables, Cisco PIX, RealSecure
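Added example, not from the slides: a simplified SYN cookie, the first defense listed above and the direct answer to the SYN attack slide. Instead of storing half-open connection state when a SYN arrives, the server encodes the four-tuple, a coarse time counter and a secret into the initial sequence number of its SYN-ACK, and only allocates state when the final ACK echoes a number that verifies. The 5-bit counter / 27-bit hash layout, the FNV-1a stand-in for a keyed cryptographic hash, the secret and the client tuple are all constructed for illustration; this is not the Linux or BSD implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* The four-tuple that identifies a TCP connection.  Byte order only has to be
 * consistent between cookie generation and verification. */
struct four_tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

#define COUNTER_BITS 5                       /* top bits carry a coarse time counter */
#define HASH_BITS    (32 - COUNTER_BITS)     /* remaining bits carry the keyed hash */
#define COUNTER_MASK ((1u << COUNTER_BITS) - 1)
#define HASH_MASK    ((1u << HASH_BITS) - 1)
#define MAX_AGE      2                       /* accept cookies up to this many ticks old */

/* Constructed server secret; a real server generates it at boot and rotates it. */
static const uint64_t SECRET = 0x5eedc0ffee123456ULL;

/* FNV-1a fold of one 32-bit word into the running hash, byte by byte. */
static uint64_t fnv_word(uint64_t h, uint32_t w)
{
    for (int i = 0; i < 4; i++) {
        h ^= (w >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash of (tuple, counter, secret) truncated to HASH_BITS.  FNV-1a is a
 * stand-in for the keyed cryptographic hash a production kernel would use. */
static uint32_t cookie_hash(const struct four_tuple *t, uint32_t counter)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv_word(h, t->saddr);
    h = fnv_word(h, t->daddr);
    h = fnv_word(h, ((uint32_t)t->sport << 16) | t->dport);
    h = fnv_word(h, counter);
    h = fnv_word(h, (uint32_t)SECRET);
    h = fnv_word(h, (uint32_t)(SECRET >> 32));
    return (uint32_t)(h ^ (h >> 32)) & HASH_MASK;
}

/* On SYN: compute the ISN to send in the SYN-ACK.  No per-connection memory
 * is allocated, so a flood of spoofed SYNs cannot fill the backlog. */
uint32_t syn_cookie_make(const struct four_tuple *t, uint32_t counter)
{
    return ((counter & COUNTER_MASK) << HASH_BITS) | cookie_hash(t, counter);
}

/* On the final ACK the client acknowledges cookie+1; the caller passes
 * ack_seq-1.  Recover the counter from the top bits, reject stale cookies,
 * recompute the hash for this four-tuple and compare.  Only when this
 * returns 1 does the server create connection state. */
int syn_cookie_check(const struct four_tuple *t, uint32_t cookie, uint32_t now)
{
    uint32_t age = (now - (cookie >> HASH_BITS)) & COUNTER_MASK;
    if (age > MAX_AGE)
        return 0;                               /* expired, or never issued by us */
    return (cookie & HASH_MASK) == cookie_hash(t, now - age);
}

/* Constructed client from the documentation address ranges: 192.0.2.10:40000 -> 198.51.100.5:80 */
const struct four_tuple DEMO_CLIENT = { 0xc000020a, 0xc6336405, 40000, 80 };

/* Walks the three cases a defender cares about; returns 1 if all behave. */
int demo_handshake(void)
{
    uint32_t t0 = 100;                                     /* server tick at SYN time */
    uint32_t cookie = syn_cookie_make(&DEMO_CLIENT, t0);
    struct four_tuple other = DEMO_CLIENT;
    other.sport = 40001;                                   /* a different connection */
    int genuine_ack = syn_cookie_check(&DEMO_CLIENT, cookie, t0 + 1);   /* accepted */
    int wrong_tuple = syn_cookie_check(&other, cookie, t0 + 1);         /* rejected */
    int stale_ack   = syn_cookie_check(&DEMO_CLIENT, cookie, t0 + 5);   /* rejected */
    return genuine_ack == 1 && wrong_tuple == 0 && stale_ack == 0;
}

int main(void)
{
    printf("cookie for demo client at tick 100: 0x%08x, all cases ok=%d\n",
           syn_cookie_make(&DEMO_CLIENT, 100), demo_handshake());
    return 0;
}
```

The trade-off the slides' lab would expose: because the server keeps nothing between SYN and ACK, anything the SYN carried (TCP options such as MSS or window scaling) must either be squeezed into the cookie or lost, which is why real kernels only switch to cookies once the SYN backlog is under pressure.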