A Brief History of Distributed Denial of Service Attacks


A Brief History of Distributed Denial of Service Attacks
Uniforum Chicago
August 22, 2000
Viki Navratilova
Security Architect, BlueMeteor, Inc.
Tonight’s Talk
• What is DDoS?
• Famous DDoS incidents
• Brief history of DDoS tools
• What’s new in DDoS tools
• Where to get more info on DDoS tools
• Break
• How to keep DDoS from getting you down
Denial of Service (DOS)
• An attack to suspend the availability of a service
• Prevent a network-based service from doing its job
• Can be as easy as pulling the network plug
• Early DOS – smashing the computer with a sledgehammer
• Network DOS – modern times
What is DDoS?
• Distributed Denial of Service
• Many “zombie” computers ganging up on one computer, directed by one “master”, which is controlled by the attacker
The Week of Famous DDoS Attacks
• February 7-11, 2000
• CNN, Yahoo, eBay, Datek taken down for several hours at a time due to traffic flooding
• Under-administered computers at a California college used as the slave attack computers
• Trinoo, Tribe Flood Network, TFN2K, and Stacheldraht suspected tools used in the attacks
Early DDoS Tools (c. 1990? – 1997)
• Simple 1-tier attacks – computer with bigger bandwidth wins, kicks loser off modem/IRC channel
– Ping flood
– SYN flood
– UDP flood
• Smurf Attack – early 2-tier attack
– Attacker machine imitates victim, gets everyone to flood the real victim
– Ping flood
Smurf Attack (2-tier)
[Diagram: attacker (“31337!”) sends broadcast pings to the slaves; the slaves’ ping replies all go to the victim]
Modern DDoS Tools
• Once sites blocked broadcast pings, attackers found new ways to accomplish the same things
• DDoS tools gave a new way to communicate across networks to slave attack computers
• Attacker has to infiltrate several slave computers with the DDoS slave client
• Master client sometimes found on an ISP’s name server – unlikely to be taken off the network
DDoS Attacks (3-tier)
[Diagram: attacker (“D00d!”) → Master → Slaves → Victim]
Why DDoS Tools Suck for Your Network
• Hard to trace to the original culprit
• Difficult to cut off the flow of traffic attacking you because it’s coming from everywhere
• Difficult to catch pre-attack communications between master and slave machines
Trinoo – First Publicly Available DDoS Tool (c. 1997)
• Attacker, Master, Slave communications via unencrypted UDP
• Easy to detect communications and passwords
• Attack method: UDP flood
• Solaris & Linux machines
Tribe Flood Network (TFN) (c. 1998)
• Attacker & Master communicate via unencrypted TCP, UDP, SSH, ICMP, telnet
• No password required to run commands
• Commands are sent as pre-determined 16-bit binary numbers
• Master & Slaves talk ICMP
• DOS attacks available: ICMP, SYN, UDP, & Smurf-style floods
• Linux & Solaris
TFN2K (1999)
• Builds on TFN
• Decoy packets & other measures make traffic difficult to identify & filter
• Fakes source address of communications
• New attacks include malformed packet floods – greater devastation in fewer packets
• Available for Unix & NT systems
Stacheldraht “Barbed Wire” – Fine German Engineering (late 1999)
• Master – Slave communications require passwords
• telnet-like encrypted connections over TCP and ICMP
• Only way to prevent communications is to block all ICMP traffic (undesirable)
• Ability to upgrade master & slave software via rcp – increases client functionality
• Several DOS attacks like TFN
• Solaris & Linux
What’s New in DDoS Tools (since February 2000)
• Shaft (Nov 1999) – modeled after Trinoo
– Attacker-master: password-protected, TCP / master-zombie: UDP
– Can switch master servers and ports on the fly
– Uses a ticket system to match zombies with their masters
– Keeps zombie packet statistics
• Mstream (April 2000)
– Still in development
– Attacker to master commands sent in one packet over unencrypted TCP – password protected
– Master and zombies talk over UDP
– All logged-in users (attackers) are notified of access attempts
Where to Find More Info on DDoS Tools
• Dave Dittrich’s White Papers
http://staff.washington.edu/dittrich/misc/ddos
• Packetstorm’s Distributed Attack Tools
http://packetstorm.security.com/distributed
• CERT Coordination Center
http://www.cert.org
Break
How to Keep DDoS Tools from Getting You Down
• Pay attention to your machines!
• Egress filter your network, i.e. make sure whatever comes out of your network only has source addresses that belong to you
• Ingress filter – confirm that packets coming to you have source addresses that aren’t on your inside network
• Use tcpdump on Solaris or Linux to capture logs, and report the incident to law enforcement (NIPC)
tcpdump -i interface -s 1500 -w capture_file
snoop -d interface -o capture_file -s 1500
Cisco Router Configuration Options
• ip verify unicast reverse-path: confirms that arriving packets would be routed back out the same interface they came in on, otherwise drops them
• Rate limit ICMP and SYN packets
• Filter non-routable address space:
interface xy
 ip access-group 101 in
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
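The egress filter, ingress filter and unicast reverse-path check from the last two slides, implemented together as a packet-verdict function. This is an added example, not material from the talk or any Cisco documentation: the owned prefix 203.0.113.0/24, the interface names, the routing table and the sample packets are all constructed, and the RFC 1918 ranges are the ones access-list 101 denies.

```python
from ipaddress import ip_address, ip_network
# Constructed: the address space this network owns (egress must come from here).
OUR_PREFIXES = [ip_network("203.0.113.0/24")]
# The non-routable ranges the slide's access-list 101 denies.
PRIVATE_PREFIXES = [ip_network(p) for p in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed routing table: prefix -> interface that prefix is reached through.
ROUTES = {ip_network("203.0.113.0/24"): "inside",
          ip_network("0.0.0.0/0"): "outside"}

def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def egress_ok(src):
    """Egress filter: anything leaving must carry one of our own source addresses."""
    return in_any(ip_address(src), OUR_PREFIXES)

def ingress_ok(src):
    """Ingress filter: arriving traffic may neither claim our addresses nor use private space."""
    addr = ip_address(src)
    return not in_any(addr, OUR_PREFIXES) and not in_any(addr, PRIVATE_PREFIXES)

def route_interface(addr):
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    best = max((p for p in ROUTES if addr in p), key=lambda p: p.prefixlen)
    return ROUTES[best]

def urpf_ok(src, arrived_on):
    """Strict unicast RPF: the route back to src must use the arrival interface."""
    return route_interface(ip_address(src)) == arrived_on

def classify(packets):
    """Verdict per (src, interface, direction) tuple; direction is 'in' or 'out'."""
    verdicts = []
    for src, iface, direction in packets:
        if direction == "out":
            ok = egress_ok(src)
        else:
            ok = ingress_ok(src) and urpf_ok(src, iface)
        verdicts.append("permit" if ok else "drop")
    return verdicts

# Constructed samples: our host leaving, a private address leaking out, a normal
# external client, our own address spoofed from outside, a bogon source.
SAMPLE = [("203.0.113.7", "inside", "out"), ("192.168.1.9", "inside", "out"),
          ("198.51.100.20", "outside", "in"), ("203.0.113.7", "outside", "in"),
          ("10.1.2.3", "outside", "in")]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(pkt, "->", verdict)  # permit, drop, permit, drop, drop
```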
Tools to Help Detect DDoS Tools
• NIPC Tools – locates installations on the hard drive by scanning file contents
http://www.nipc.gov
• Zombie Zapper – puts Trinoo, TFN, Stacheldraht, and Shaft zombies “to sleep” when flooding
http://razor.bindview.com
• Remote Intrusion Detector (RID): locates Trinoo, Stacheldraht, TFN on the network
http://www.theorygroup.com/Software/RID/
Q&A
Thank you