Transcript DDoS - A look back from 2003 - UW Staff Web Server

DDoS
A look back from 2003
Dave Dittrich
The Information School /
Computing & Communications
University of Washington
I2 DDoS Workshop - August 6/7 2003
Overview
•
•
•
•
•
Why DoS?
How DoS?
The DDoS Landscape
Attack tools over time
Impacts on response
http://staff.washington.edu/dittrich/talks/I2-ddos.ppt
Why DoS?
• “An Introduction to Denial of Service,”
Hans Husman, 1996
http://packetstormsecurity.nl/docs/hack/denial.txt
•
•
•
•
•
•
Sub-cultural status
To gain access
Revenge
Political reasons
Economic reasons
Nastiness
Reality - Politics
• Brazilian government attacks (2000)
• India/Pakistani conflict - Yaha worm (2002)
http://www.vnunet.com/News/1133119
• Al Jazeera web site (2003)
http://www.infoworld.com/article/03/03/26/HNjazeera_1.html
Reality - Economics
• British Telecom (2000)
“This is my payback to BT for ripping this country off.”
http://www.theregister.co.uk/content/1/12097.html
• CloudNine (2001)
http://www.wired.com/news/business/0,1367,50171,00.html
Reality - Nastiness/Status/???
• Register.com reflected DNS attack (Jan. 2001)
• www.whitehouse.gov attack (May 2001)
12:21:36 202.102.14.137 GET
/scripts/../../winnt/system32/ping.exe 200
12:29:29 202.102.14.137 GET
/scripts/../../winnt/system32/ping.exe 200
• Code Red attacks www.whithouse.gov (July 2001)
• Steve Gibson “discovers” reflected DoS (Jan.
2002)
• Root DNS servers (Oct. 2002)
Reality for I2
• Sept. 9, 1999
• 40-200+ Mbps HDTV stream from UW to Stanford
(“speed record”)
http://abcnews.go.com/ABC2000/abc2000tech/internettwo991013.html
• Sept. 17, 1999
• DDoS against UMN (trin00)
• Total hosts: 2,200 up to 5,000
• Out of 227 at one point, 114 at I2 sites (37 at UW)
• New speed record?
http://stafff.washington.edu/dittrich/misc/trinoo.analysis.txt
How DoS (remotely)?
• Consume host resources
• Memory
• Processor cycles
• Network state
• Consume network resources
• Bandwidth
• Router resources (it’s a host too!)
• Exploit protocol vulnerabilities
• Poison ARP cache
• Poison DNS cache
• Etc…
Targets of attack
• End hosts
• Critical servers (disrupt C/S network)
• Web, File, Authentication, Update
• DNS
• Infrastructure
• Routers within org
• All routers in upstream path
The DDoS Landscape
Stepping Stones
Internet Relay Chat (IRC)
IRC w/Bots&BNCs
Distributed Denial of Service
(DDoS) Networks
DDoS Network
http://www.adelphi.edu/~spock/lisa2000-shaft.pdf
You are here…
Typical DDoS attack
DDoS Attack Traffic (1)
One Day Traffic Graph
DDoS Attack Traffic (2)
One Week Traffic Graph
DDoS Attack Traffic (3)
One Year Traffic Graph
Attack tools over time
binary encryption
“stealth” / advanced
scanning techniques
Tools
High
denial of service
packet spoofing
sniffers
Intruder
Knowledge
GUI
distributed
attack tools
www attacks
automated probes/scans
back doors
network mgmt. diagnostics
disabling audits
hijacking
burglaries sessions
Attack
Sophistication
exploiting known vulnerabilities
password cracking
Attackers
password guessing
Low
1980
Source: CERT/CC
1985
1990
1995
2001
(D)DoS tools over time
•
•
•
•
•
•
•
•
1996 - Point-to-point
1997 - Combined
1998 - Distributed (small, C/S)
1999 - Add encryption, covert channel comms,
shell features, auto-update, bundled w/rootkit
2000 - Speed ups, use of IRC for C&C
2001 - Added scanning, BNC, IRC channel
hopping
2002 - Added reflection attack, closed port back
door, Worms include DDoS features
2003 - IPv6 (back to 1996…)
Up to 1996
• Point-to-point (single threaded)
•
•
•
•
SYN flood
Fragmented packet attacks
“Ping of Death”
“UDP kill”
1997
• Combined attacks
• Targa
 bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke
• Rape
 teardrop v2, newtear, boink, bonk, frag, fucked, troll icmp,
troll udp, nestea2, fusion2, peace keeper, arnudp, nos,
nuclear, sping, pingodeth, smurf, smurf4, land, jolt, pepsi
1998
• fapi (May 1998)
•
•
•
•
•
•
•
UDP, TCP (SYN and ACK), ICMP Echo, "Smurf" extension
Runs on Windows and Unix
UDP comms
One client spoofs src, the other does not
Built-in shell feature
Not designed for large networks (<10)
Not easy to setup/control network
• fuck_them (ADM Crew, June 1998)
•
•
•
•
Agent written in C; Handler is a shell script
ICMP Echo Reply flooder
Control traffic uses UDP
Can randomize source to R.R.R.R
(where 0<=R<=255)
1999
• More robust and functional tools
• trin00, Stacheldraht, TFN, TFN2K
• Multiple attacks (TCP SYN flood, TCP ACK
flood, UDP flood, ICMP flood, Smurf…)
• Added encryption to C&C
• Covert channel
• Shell features common
• Auto-update
2000
• More floods (ip-proto-255, TCP NULL flood…)
• Pre-convert IP addresses of 16,702 smurf amplifiers
• Stacheldraht v1.666
• Bundled into rootkits (tornkit includes stacheldraht)
http://www.cert.org/incident_notes/IN-2000-10.html
• Full control (multiple users, by nick, with talk and stats)
• Omegav3
• Use of IRC for C&C
• Knight
• Kaiten
• IPv6 DDoS
• 4to6 (doesn’t require IPv6 support)
Single host in DDoS
2001
• Worms include DDoS features
• Code Red (attacked www.whitehouse.gov)
• Linux “lion” worm (TFN)
• Added scanning, BNC, IRC channel hopping
(“Blended threats” term coined in 1999 by
AusCERT)
• “Power” bot
• Modified “Kaiten” bot
• Include time synchronization (?!!)
• Leaves worm
Power bot
foo: oh damn, its gonna own shitloads
foo: on start of the script it will erase everything that it has
foo: then scan over
foo: they only reboot every few weeks anyways
foo: and it will take them 24 hours to scan the whole ip range
foo: !scan status
Scanner[24]:[SCAN][Status: ][IP: XX.X.XX.108][Port: 80][Found: 319]
Scanner[208]:[SCAN][Status: ][IP: XXX.X.XXX.86][Port: 80][Found: 320]
. . .
foo: almost 1000 and we aren't even close
foo: we are gonna own more than we thought
foo: i bet 100thousand
[11 hours later]
Scanner[129]: [SCAN][Status: ][IP: XXX.X.XXX.195][Port: 80][Found: 34]
Scanner[128]: [SCAN][Status: ][IP: XXX.X.XXX.228][Port: 80][Found: 67]
Scanner[24]: [SCAN][Status: ][IP: XX.XX.XX.42][Port: 80][Found: 3580]
Scanner[208]: [SCAN][Status: ][IP: XXX.XXX.XXX.156][Port: 80][Found: 3425]
Scanner[65]: [SCAN][Status: ][IP: XX.XX.XXX.222][Port: 80][Found: 3959]
bar: cool
2002
• Distributed reflected attack tools
• d7-pH-orgasm
• drdos (reflects NBT, TCP SYN :80, ICMP)
• Reflected DNS attacks, steathly (NVP protocol)
and encoded covert channel comms, closed port
back door
• Honeynet Project Reverse Challenge binary
http://project.honeynet.org/reverse/results/project/020601Analysis-IP-Proto11-Backdoor.pdf
2003
• Slammer worm (effectively a DDoS on local
infrastructure)
• Windows RPC DCOM insertion vector for
“blended threat” (CERT reports “thousands”)
• More IPv6 DoS (requires IPv6 this time)
• ipv6fuck, icmp6fuck
Types of attack traffic
• Direct
• Large packet flood (frag)
• Small packet flood
• TCP, UDP, ICMP, IGMP, ip-proto-255…
• Spoofed source
• Full 32 bits
• /24
• Reflected
• Smurf
• DNS
Types of control traffic
• Point to point
• TCP (connection oriented)
• TCP, UDP, ICMP, NVP, etc. (connectionless)
• IRC channel(s)
• Static
• Dynamic (“frequency hopping”)
• Autonomous (worms)
• Indirect
• Random or “bogus” dst w/sniffing
• Reflected?
• Time delayed?
Advanced features
•
•
•
•
More efficient
Harder to detect
Harder to analyze
“Blended threat”
Reflection
•
•
•
•
Hard to prevent (for reflectors)
Hard to filter (for victims or reflectors)
Hard to trace back
Traffic analysis necessary
Demands on Response
• “Whack a port” now common
• How to notify?
• How to shut off 800 ports?
• Wipe/re-install always common
• Fast, but provides no information
• High reccurance rate
• High bandwidth & monitoring
• Liability lawsuits any day now?
http://www.ddos-ca.org/
Creative detection
• One to many/many to many inbound
connections to new “servers”
• Many to one/many to many new outbound
connections to servers
• New service ports on many internal hosts
• New protocols or new traffic volumes on
existing protocols
• Honeynets & Honeypots
FIN
“You may have paid for the hardware, but do
you really own your network?”
• For more information:
http://packetstormsecurity.nl/distributed/
http://staff.washington.edu/dittrich/talks/core02/
http://staff.washington.edu/misc/ddos/
dittrich (at) u.washington.edu