dos - Goodie Domain Service

Internet Threats: Denial Of Service Attacks
The Internet And Information Security
“The wonderful thing about the
Internet is that you’re connected to
everyone else. The terrible thing
about the Internet is that you’re
connected to everyone else.”
Vint Cerf
Denial Of Service Attack Specifics
Denial Of Service Problems
• Exploding in popularity
  – No skill required
    • High juvenile ratio
  – Menu-driven attack programs widely available, on multiple platforms
    • Up and running in minutes
    • Unix, NT, Win95, etc.
    • Programs available via the Internet within HOURS of the exploit being identified
  – Tracing often requires assistance across multiple ISPs
    • Coordination efforts are difficult at best
Denial Of Service Problems
• Tracing
  – Source is almost always hidden or forged
    • Need to trace in real time, router by router, to find Bad_Guy
  – High packet rates
    • Sometimes victims can't use the Internet to complain about or trace the attack
  – Group accounts or throw-away accounts used
    • School labs, piracy dialups, hacked systems
DoS Types
“Revenge of the Nerds”
• SYN Floods
• Mail Bombs
• Smurf Attacks
• Many, many others
SYN Floods
• TCP handshake required to set up communication
  – Send: HELLO! (TCP_SYN)
  – Recv: Yeah, what? (TCP_SYN_ACK)
  – Send: Let's talk! (TCP_ACK)
• SYN Flood exploits the handshake
  – Bad_Guy sends TCP_SYN packets with a forged source address that doesn't exist (or never answers)
  – Victim sends a TCP_SYN_ACK toward the forged source; no TCP_ACK ever comes back, so the half-open connection sits in the listen (SYN) queue
  – Each half-open entry is held for ~75 seconds before it times out
  – Bad_Guy fills the SYN queue faster than entries expire
  – Victim can't accept new connections on that port; legitimate SYNs are dropped
DoS Packet Flow (diagram): SYN Attack. Bad_Guy sends a SYN packet with a forged source to Victim; Victim, holding the half-open connection, asks “Where do I send data?”
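The arithmetic behind the slide is worth seeing run. The following Python is an added example, not code from the slides: a toy model of a listener's SYN queue in which each forged SYN occupies a slot until the 75-second timeout the slides cite. The backlog size of 128 is an assumed BSD-era default; the forged source identifiers and the one-client-per-second legitimate load are constructed. It shows that the flood only needs to exceed backlog/timeout (here under 2 SYN/s) to lock out every legitimate client, which is why a 28.8 dialup was enough.

```python
"""Toy model of a TCP listen (SYN) queue under a SYN flood.
Added example, not code from the slides: BACKLOG is an assumed BSD-era
default; the 75-second hold time is the figure the slides give."""

BACKLOG = 128        # half-open connections the listener can hold (assumed)
SYN_TIMEOUT = 75     # seconds a half-open entry waits for the final ACK


class Listener:
    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}       # (who, id) -> time the entry expires
        self.dropped = 0          # SYNs discarded because the queue was full

    def _expire(self, now):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def syn(self, now, src):
        """Victim receives a SYN: answers SYN_ACK toward src and queues a half-open
        entry. A forged src never answers, so the entry lives until it times out."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now + self.timeout
        return True

    def ack(self, now, src):
        """Final ACK completes the handshake and frees the queue slot."""
        self._expire(now)
        return self.half_open.pop(src, None) is not None


def min_flood_rate(backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """Forged SYNs per second needed to keep the queue permanently full."""
    return backlog / timeout


def simulate(flood_rate, duration=120, backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """One-second ticks. Bad_Guy sends flood_rate forged SYNs per tick; one
    legitimate client per tick attempts a full handshake. Returns how many
    legitimate clients got through during the run."""
    listener = Listener(backlog, timeout)
    forged = legit_ok = 0
    for now in range(duration):
        for _ in range(flood_rate):
            forged += 1
            listener.syn(now, ("forged", forged))   # constructed unreachable sources
        client = ("client", now)
        if listener.syn(now, client) and listener.ack(now, client):
            legit_ok += 1
    return legit_ok


if __name__ == "__main__":
    print(f"queue is saturated above {min_flood_rate():.2f} forged SYN/s")
    for rate in (1, 2, 50):
        print(f"{rate:>3} forged SYN/s: {simulate(rate)}/120 legitimate connections")
```

At 1 forged SYN/s the queue never fills (entries expire as fast as they arrive) and every client connects; at 2 SYN/s the queue is full after about a minute and stays full, because each expiring slot is immediately retaken by the next forged SYN.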
Mail Bombs
• Large amounts of email sent to the victim
  – “FROM” address randomly created (forged)
  – Mail is often relayed through several relay systems
    • Difficult to track origination
• One word: SPAM
  – Explosion of tools available from spamming organizations makes this point-and-click, and professionally difficult to trace
Smurf Attacks
• Most recent attack, also called a “Broadcast Ping Attack”
• Broadcast ping
  – Send a broadcast_ping_request (an ICMP echo request to the subnet's broadcast address) to a network/subnet, and every host in that network/subnet replies with a ping_reply
    > ping 166.45.1.255
    166.45.1.1 is alive
    166.45.1.2 is alive
    166.45.1.3 is alive
    ….
    166.45.1.255 is alive
Smurf Attacks
• Attack
  – Bad_Guy sends a broadcast_ping_request that looks like it came from “Victim” to the broadcast address of “Innocent 3rd Party”'s network
  – Every host on “Innocent 3rd Party”'s network/subnet sends a ping_reply to the Victim
  – Victim gets hit with a massive flood of ping replies, amplified by the number of responding hosts
  – Good_Guy traces the attack back to the “Innocent 3rd Party”, not to Bad_Guy; the forged requests must then be traced onward from there
• Compensators
  – Disable directed broadcasts on your routers, so a broadcast ping arriving from outside is not forwarded onto the subnet
    • Cisco IOS, per interface: “no ip directed-broadcast”
  – Deploy monitoring software
  – Call your ISP
  – Filter ICMP (rate-limit or drop inbound echo replies at the border; dropping all ICMP also breaks path MTU discovery)
Tools available to initiate attacks
• How they are being developed so quickly
  – Hackers subscribe to the “bug lists” used to discuss product bugs
  – Public-domain testing software is becoming widely available and is being used maliciously
  – Template code to create raw TCP/IP packets exists
• Their availability and dissemination
  – Ever try YAHOO?
  – IRC #DOS channel
  – Available within hours after a bug is reported
    • Professionally created, updated, etc.
Impacts to ISPs
– Bandwidth saturation
  • DoS attacks saturate links that belong to the ISP, not just to the victim
  • Affects multiple customers
– T1 backbone ISPs still exist!
  • Hackers can do much damage from a 28.8 dialup
  • T3-connected shell accounts in high demand
    – IRC #shells
– Resources required to trace are intense
  • Educating the customer
  • Tracing the attack
    – Time-sensitive issue
MCI's DoSTracker
• Reactive
  – Victim calls in for assistance
  – DoSTracker installed on the Victim's border router (their connection to our network)
• Proactive
  – DoSTracker installed on the Victim's router and “waits” for an attack to come in; alerts when one is identified
    • Not typically used, due to resource issues
MCI's DoSTracker
– DoSTracker watches packets going to the Victim and analyzes them for “DoS characteristics”
  • Forged source address
  • Smurf attack (ping replies from many hosts on one subnet converging on the Victim)
  • Large packet sources
– DoSTracker traces the identified DoS packets router by router, interface by interface, until it reaches an “edge” (a customer or another network)
DoS Path (diagram): Customer, NET A, NET B, NET C
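As an added example (not MCI's DoSTracker, whose code is not on this page), the following Python applies the three DoS characteristics listed above to a constructed packet sample and then walks a constructed router topology interface by interface until it reaches an edge. It also illustrates the Smurf slides earlier on the page: the sample replies come from 166.45.1.0/24, the slide's broadcast-ping network, and the trace stops at that Innocent 3rd Party rather than at Bad_Guy. Thresholds, addresses, router names, interface names and the topology are all assumptions.

```python
"""Packet classification and hop-by-hop trace modelled on the DoSTracker
heuristics described in the slides. Added example, not MCI's code: every
packet, router, interface and threshold below is constructed sample data."""
import ipaddress
from collections import Counter, defaultdict

ICMP_ECHO_REPLY = 0
SMURF_MIN_HOSTS = 20      # distinct echo-reply senders in one /24 (assumed threshold)
HIGH_RATE_PKTS = 500      # packets from one source in the sample window (assumed threshold)
# Sources that can never legitimately arrive on an Internet-facing border link.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3")]


def is_forged_source(src, victim_net):
    """Forged source: a bogon, or the victim's own prefix arriving from outside.
    A randomly chosen routable source cannot be recognised this way, which is
    why the slides fall back to a router-by-router trace."""
    ip = ipaddress.ip_address(src)
    return ip in victim_net or any(ip in net for net in BOGON_SOURCES)


def classify(packets, victim_prefix):
    """Apply the three DoSTracker characteristics to traffic toward the victim."""
    victim_net = ipaddress.ip_network(victim_prefix)
    forged, per_src = set(), Counter()
    reply_hosts = defaultdict(set)           # amplifier /24 -> hosts replying from it
    for p in packets:
        if ipaddress.ip_address(p["dst"]) not in victim_net:
            continue                         # DoSTracker only watches packets to the victim
        per_src[p["src"]] += 1
        if is_forged_source(p["src"], victim_net):
            forged.add(p["src"])
        if p["proto"] == "icmp" and p["type"] == ICMP_ECHO_REPLY:
            net24 = ipaddress.ip_network(p["src"] + "/24", strict=False)
            reply_hosts[str(net24)].add(p["src"])   # smurf: many hosts, one subnet, one target
    return {
        "forged": forged,
        "smurf": {n: len(h) for n, h in reply_hosts.items() if len(h) >= SMURF_MIN_HOSTS},
        "high_rate": {s: c for s, c in per_src.items() if c >= HIGH_RATE_PKTS},
    }


def trace(flow, start_router, seen_on, upstream):
    """Follow a flagged flow router by router, interface by interface.
    seen_on[router][flow] is the ingress interface the flow was observed on;
    upstream[(router, iface)] is whatever sits behind that interface: another
    router we can query, or an edge label (a customer or another network)."""
    path, hop = [], start_router
    while hop in seen_on:
        iface = seen_on[hop].get(flow)
        if iface is None:
            return path, None                # trail went cold on this router
        path.append((hop, iface))
        hop = upstream[(hop, iface)]
    return path, hop                         # hop is now the edge where the trace stops


def sample_packets(victim="198.51.100.10"):
    """Constructed capture: 40 hosts in 166.45.1.0/24 (the slide's ping example,
    used here as the Innocent 3rd Party) answering a spoofed broadcast ping,
    600 SYNs from an RFC 1918 source, one ordinary SYN, one packet not for us."""
    pkts = [{"src": f"166.45.1.{h}", "dst": victim, "proto": "icmp", "type": ICMP_ECHO_REPLY}
            for h in range(1, 41) for _ in range(15)]
    pkts += [{"src": "10.1.2.3", "dst": victim, "proto": "tcp", "type": "SYN"} for _ in range(600)]
    pkts.append({"src": "203.0.113.7", "dst": victim, "proto": "tcp", "type": "SYN"})
    pkts.append({"src": "203.0.113.8", "dst": "192.0.2.1", "proto": "tcp", "type": "SYN"})
    return pkts


# Constructed topology: Victim border router -> two core routers -> the NET C edge.
SMURF_FLOW = ("166.45.1.0/24", "198.51.100.10")
SEEN_ON = {"border": {SMURF_FLOW: "Serial0"},
           "core1": {SMURF_FLOW: "Hssi1/0"},
           "core2": {SMURF_FLOW: "Serial2/1"}}
UPSTREAM = {("border", "Serial0"): "core1",
            ("core1", "Hssi1/0"): "core2",
            ("core2", "Serial2/1"): "NET C (Innocent 3rd Party)"}

if __name__ == "__main__":
    print(classify(sample_packets(), "198.51.100.0/24"))
    print(trace(SMURF_FLOW, "border", SEEN_ON, UPSTREAM))
```

The classifier flags the 10.1.2.3 source twice (bogon source and high rate), flags 166.45.1.0/24 as a smurf amplifier, and leaves the ordinary SYN alone. The trace hands back the edge where MCI's visibility ends; for a smurf that is the third party's network, and the forged echo requests still have to be traced from there.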
Migration of attacks
• What can we expect for future attacks?
  – Automation
    • DoS engines/clients
  – Protocol exposures
    • Streaming protocols
      – CUSeeMe, Multicast, Usenet
    • DNS
  – Reduction of detection capability
    • Services are being deployed much too quickly for security analysis, compensators and monitoring to be deployed and integrated
  – We'll always be one or two steps behind
Contact
Dale Drew
internetMCI Security Engineering
703/715-7058
[email protected]
http://www.security.mci.net
http://www.security.mci.net/check.html