Denial of Service: Some Anatomy

Download Report

Transcript Denial of Service: Some Anatomy 

Denial of Service: First Hand
OR: Now I know why I always hated the Smurfs
Alan Whinery
University of Hawaii ITS Telecom
August 10, 1999
[email protected]
The Event
Beginning on July 9, 1998, Internet
connectivity was interrupted to the
University of Hawaii, Hawaii State
Government, and Honolulu and Maui
County governments for a period of 27
hours,
probably because someone didn’t like
SPAM.
Denial of Service
• Attacker intends to:
– affect the availability of a service to a user
– affect the availability of a host
– affect the availability of a network
• Can affect large numbers of users
• Often is an act of retribution
Some Denial of Service Types
• TCP SYN -- uses up system resources
• ICMP FLOOD -- leveraged bandwidth attack (smurf)
• UDP FLOOD -- leveraged bandwidth attack (fraggle)
• NETBIOS Out-Of-Band -- send unknowns to Windows
File Sharing
• TEARDROP -- Windows TCP/IP -- wrong size packet
(Teardrop, Bonk, Boink)
• LAND -- Windows TCP/IP -- packets from self
• ICMP Unreachable -- Spoofs connection failure
Some Denial of Service Types
• TCP SYN -- uses up system resources
• ICMP FLOOD -- leveraged bandwidth attack (smurf)
• UDP FLOOD -- leveraged bandwidth attack (fraggle)
• NETBIOS Out-Of-Band -- send unknowns to Windows
File Sharing
• TEARDROP -- Windows TCP/IP -- wrong size packet
(Teardrop, Bonk, Boink)
• LAND -- Windows TCP/IP -- packets from self
• ICMP Unreachable -- Spoofs connection failure
ICMP FLOOD
• Very easy to detect
• Very hard to trace
• Can’t be stopped with a firewall
• Involves 3 groups
– the attacker(s)
– intermediate sites
– the victim and everyone nearby
Internet Control Message
Protocol (ICMP)
• Used to send info about packet delivery
– network unreachable
– host unreachable
– port unreachable
• Used to verify connectivity
– echo request, echo reply
• Also other stuff
IP addresses
• Every Internet host has at least one
• A number that routers use to deliver data
to the right machine
• Special addresses
– broadcast
– multicast
IP Broadcast address
• An IP address that denotes every host in
a network (i.e Subnet, LAN)
• For example: 128.171.6.255 would reach
every host on the 128.171.6.X/24
network
• AKA: 128.171.6.0, 255.255.255.0
IP Broadcast address
Caution: You can’t necessarily identify an
IP address as a broadcast by looking at
it. Not all addresses that end in “255” are
broadcasts. Not all broadcasts end in
“255”.
To identify an address as broadcast, you
need the network mask.
PING (ICMP Echo)
Broadcast PING
(Source) IP address spoofing
• Def. -- sending packets with some other host’s IP
address
• Source addresses are not examined by routing
equipment
• Easy to stop with source-side access-control lists
(ACL)
Smurf
The Players
• UH ITS Network staff
• Our ISP
• 2500 hosts on 37 networks in North
America, South America, and Europe
• A bulk e-mail marketer
• A neophyte mail administrator
• The ugly, smelly perpetrator
The Tools (1)
• Traffic Graphs
The Tools (2)
• tcpdump
– Unix software that allows watching traffic
– Runs on SunOS, Solaris, Linux, FreeBSD
– Esoteric but versatile
The Tools (3,4,5,6)
• whois (Internic, ARIN)
• nslookup
• An off-site e-mail account
• A telephone
• breakfast
October 1997
• The first “smurf” attack on UH occurs
• ISP informs us that they will not act
without an order from the FBI
• The FBI is called; they do not call back
November 1997
• ISP informs us that we are among the
intermediate sites in a “smurf” attack
against one of their customers. They
threaten to disconnect us if we don’t
make it stop.
July 8, 1998
• A Unix host on the UH network is used to
forward unsolicited email advertisements,
also called “SPAM”
July 9, 1998
• 10:00 AM: All user traffic to and from the
mainland stops
• 10:15:
– Attack is identified
– samples of offending traffic are saved for
analysis
• 10:30:
– Offending packets are blocked at the local
Internet gateway restoring local network
function
July 9, 1998 (cont’d)
• 10:45: anlaysis of the traffic and
continued monitoring indicates that the
attacker is not on the UH network
• The UH target host is identified as the
same one that forwarded SPAM the day
before
• 11:00: ISP is notified. They don’t
understand what we’re talking about
July 9, 1998 (cont’d)
• Calls begin to come in from intermediate
sites. Most are threatening litigation
unless we stop pinging them.
• We identify all intermediate sites from
the traffic samples
• We begin emailing and faxing
intermediates, providing an explanation
of the attack and instructions for
broadcast suppression and filtering for
Cisco routers.
July 9, 1998
July 10, 1998
• 7:00 AM: Our local Internet gateway
router begins to reboot every couple of
minutes
• 11:00 AM: After dozens of conversations
with the ISP, we have a conversation
with an ISP employee who understands
the problem and acts immediately to
filter the traffic upstream
• Internet access continues to be slow, due
to the high load on the upstream router
July 10, 1998
• The attack, though filtered, continues for
at least two more days
July 10, 1998
Investigation
• Since the attacker forged the source
addresses, finding him would require
packet-level analysis on each link from
the intermediate site to the attacker
• Since the offending echo request stream
is much smaller than the echo reply
stream, it does not provide a high-traffic
signature to trace the path to the
attacker
Investigation
• Available “trace evidence”
– list of recipients of the SPAM message
probably includes the attacker
– Some of the intermediate machines were on
the same network as the attacker, since they
had 10.X.X.X addresses
– Finding the network with the 10.X.X.X
addresses that were responding would
provide a geographical subset of the SPAM
recipients that might include the perpetrator
Prevention is source-side
• Baseline normal network behavior
• Avoid being an intermediate site by
configuring all routers to ignore echo
requests to broadcast
• Prevent the forwarding of SPAM
• Prevent outbound IP spoofing
• Actively seek out vulnerable hosts
and deal with them
Issues
• A large number of contact records at
ARIN and Internic do not include
useful contact information
• The average site or network
administrator does not command
basic concepts necessary to effect
security
Questions?
• ???