DoS Suite and Raw Socket Programming


DoS Suite and Raw Socket Programming
Group 16
Thomas Losier
Paul Obame
Motivation
• “We are not teaching you to be script kiddies in this class” – Henry Owen
• Give the students a better understanding of:
  • Raw Socket programming
    • Coding
    • Modifying
    • Understanding
  • DoS Attacks
    • Dangers
    • Defenses
Raw Socket Programming
• “Raw socket is a computer networking term used to describe a socket that allows access to packet headers on incoming and outgoing packets. Raw sockets are usually used at the transport or network layers.” – wikipedia.org
• The ability to craft packet headers is a powerful tool that allows hackers to do many nefarious things
Lab Structure
• Expand knowledge of a particular DoS attack and the IP protocols it uses
• Edit/develop code based on the understanding gained in the previous section and the given resources
• Compile and execute the attack
• Gather data
• Analyze and implement defenses
IP Header
What we are trying to create:
Figure 1: IP Packet Diagram (www.h3c.com)
Creation of an IP header using Raw Sockets

#include <stdlib.h>        // rand()
#include <netinet/in.h>    // htons(), in_addr_t
#include <netinet/ip.h>    // struct ip (BSD-style header layout)

#define IPHEADER 20        // header length in bytes when ip_hl == 5 (value assumed; defined elsewhere in the suite)

/* Per-packet parameters filled in by the rest of the suite (only the fields used below). */
struct pktInfo {
    unsigned short pktSize;   // total packet length, header included
    in_addr_t srcAddr;        // source address, network byte order
    in_addr_t destAddr;       // destination address, network byte order
    unsigned char protocol;   // IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP, ...
};

unsigned short in_chksum(unsigned short *addr, int len); // RFC 1071 checksum, defined elsewhere in the suite

void addIP(unsigned char *buf, struct pktInfo *pktInfo, int offset)
{
    struct ip *ip = (struct ip *) (buf + offset);  // ip points to some place in the buffer
    ip->ip_v = 4;                                  // IPv4
    ip->ip_hl = 5;                                 // 4 * 5 = 20 bytes
    ip->ip_tos = 0;                                // no special type of service
    ip->ip_len = htons(pktInfo->pktSize);          // total packet size
    ip->ip_src.s_addr = pktInfo->srcAddr;          // 4 byte source IP address
    ip->ip_dst.s_addr = pktInfo->destAddr;         // 4 byte destination IP address
    ip->ip_id = rand();                            // random id
    ip->ip_off = 0;                                // mainly used for reassembly of fragmented IP datagrams
    ip->ip_ttl = 255;                              // time to live: number of hops before the packet is discarded
    ip->ip_p = pktInfo->protocol;                  // protocol used: TCP, UDP, etc.
    ip->ip_sum = 0;                                // zero the checksum field before computing the checksum
    ip->ip_sum = in_chksum((unsigned short *) ip, IPHEADER); // compute the checksum
}
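The in_chksum() routine that addIP() calls is not shown on the slides. The following is an added example, not code from the DoS suite: an RFC 1071 Internet checksum with the same calling convention (native 16-bit words are summed, so the returned value is stored straight into ip_sum exactly as addIP does, and the bytes come out right on either endianness), together with a verifier of the kind a packet sniffer or IDS runs on a captured header. The 20-byte sample header is constructed for the example.

```c
/* RFC 1071 one's-complement checksum. Summing native 16-bit words and storing
 * the result as a native short is byte-order independent (RFC 1071, section 2). */
#include <stddef.h>
#include <string.h>

unsigned short in_chksum(const void *data, size_t len)
{
    const unsigned char *p = data;
    unsigned long sum = 0;
    unsigned short word;

    while (len > 1) {                    /* one's-complement sum of 16-bit words */
        memcpy(&word, p, 2);             /* memcpy avoids unaligned access */
        sum += word;
        p += 2;
        len -= 2;
    }
    if (len == 1) {                      /* odd trailing byte (ICMP/UDP payloads): zero-padded */
        word = 0;
        memcpy(&word, p, 1);
        sum += word;
    }
    while (sum >> 16)                    /* fold carries back into the low 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (unsigned short)~sum;
}

/* Zero ip_sum (header bytes 10-11), compute over the whole header, store the result. */
void fill_ip_checksum(unsigned char *hdr, size_t hdr_len)
{
    unsigned short sum;
    hdr[10] = hdr[11] = 0;
    sum = in_chksum(hdr, hdr_len);
    memcpy(hdr + 10, &sum, 2);
}

/* A header whose ip_sum is intact sums to 0xFFFF, so its complement is 0.
 * Any modified byte (e.g. a TTL decremented without recomputing) makes this fail. */
int ip_header_valid(const unsigned char *hdr, size_t hdr_len)
{
    return in_chksum(hdr, hdr_len) == 0;
}

/* Constructed 20-byte IPv4 header: TCP, TTL 64, 172.16.10.99 -> 172.16.10.12, ip_sum zeroed. */
unsigned char sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xac, 0x10, 0x0a, 0x63, 0xac, 0x10, 0x0a, 0x0c
};
```

For this header the computed checksum bytes are 0xb1 0xe6; decrementing the TTL afterwards makes ip_header_valid() return 0 until the checksum is recomputed.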
Denial of Service (DoS)
• The Internet was designed for easy connectivity and scalability
• It was not designed to support authentication schemes
• A DoS attack attempts to occupy all the resources of a system
• There are two general types of DoS attack
DoS Suite
• First type of attack
  • ICMP Reset attack
• Second type of attack
  • TCP SYN attack
  • UDP flood attack
  • Ping Request (smurf) attack
Using the DoS Suite
ICMP Reset Attack
• By spoofing a hard ICMP error message a hacker can kill any running TCP connection
• Requires the connection's four-tuple
  • Determine the four-tuple using a packet sniffer
  • Guess the four-tuple: by gathering information about the operating systems being used and the communication method in use, ICMP reset packets can be sent over a range of port addresses, killing a connection you cannot sniff
ICMP Reset Attack (Lab)
[slide image not recoverable from the transcript]
ICMP Reset Attack
[slide image not recoverable from the transcript]
TCP SYN Attack
• When a server receives a SYN it stores the connection information in memory and sends back a SYN-ACK
• Because the source IP address is spoofed, the server never gets a response and the information stays in memory until it times out
• If packets are sent fast enough they fill the buffer and no new requests can be processed
SYN Attack (Lab)
[slide image not recoverable from the transcript]
SYN Attack
SYN Attack (Summary)
UDP Flood Attack
• The premise of the UDP attack is similar to the SYN attack; however, with UDP the client does not set aside memory for connection information
• If packets are sent fast enough they fill the network card buffer and no new requests can be processed
UDP Flood Attack (Lab)
[slide image not recoverable from the transcript]
UDP Flood Attack
UDP Attack (Summary)
ICMP Ping (smurf) Attack
• A DDoS attack
• Using a network of machines, a lot more traffic can be sent at once
• Ping requests are sent to a network of machines with the return address set to the “victim” machine
• If packets are sent fast enough they fill the buffer and no new requests can be processed
ICMP Ping Attack (Lab)
[slide image not recoverable from the transcript]
ICMP Ping Attack
ICMP Attack (Summary)
DoS Defenses
• SYN Cookies
• Configure your firewall (refer to lab 4)
  • IPtables
  • Cisco PIX
  • RealSecure