TEL 283 - Long Island University


DoS on Competitor Web Site

Phoenix has a “referral” from “Mr. Dobbs”
◦ Dobbs has threatened his girlfriend in the past
◦ Dobbs sent a “client” to Phoenix with a reminder about
his girlfriend

Client
◦ Works for a computer parts company
◦ $9B annual revenues
◦ Asking that a whistleblower organization’s web site
(www.thetruthusa.org) be down/inaccessible for a single
day
 Organization intends to splash damaging information on a
specific day (day before the earnings statement release)
 Client does not wish to have the company’s stock prices fall
just prior to the earnings release

Recon
◦ Shows the site to be amateurish
◦ Google search indicates that HS students were
allowed to get experience in designing and putting
up the website
 Phoenix hopes for poor design, maintenance/security
and lower bandwidth

Find an unprotected wireless network to
perform the hack
Use an anonymizer
Make a DDoS attack using Freak88 DDoS tool
Test the DDoS tool in lab
Infect unprotected hosts with the Server.exe
Trojan Horse
Take control of the infected hosts and launch
the DDoS on the target site

Download contains
◦ Clienttrinno.exe
◦ Server.exe
◦ Msbvm50.dll

Client controls the boxes which have the
Trojan server running on them
◦ Servers will issue the pings
◦ These boxes are referred to as “zombies”
 The more zombies in the field attacking the victim, the
better for the attacker!

Shift from email phishing attacks to web based
attacks
◦ Email filters are becoming more effective
◦ Web based attacks are more popular now because so
much is being put into “business rich” web sites and
browsers fail to handle such content
 Their primary function is to render web pages

SQL injection
Cross site scripting
Inline frames
CSS
Ping attacks might be filtered
◦ Accomplish the same effect using a web based attack

Attack #1: Test
Attack #2: The one that worked
Gain access to Pawn Web site
Lab test the hack
Modify the Pawn site

Phoenix
◦ Sets up a victim machine
◦ Starts up Wireshark filtering ICMP traffic
◦ Fires up a server zombie on a machine
◦ Fires up the client software
 Dialog box allows attacker to “stack” the IPs and ports
of the zombie machines
 Indicates the IP of the victim
 Buttons:
 Connect, Disconnect, and “Takemout”
◦ Wireshark confirms a ton of ICMP traffic

Just to be sure…
◦ Phoenix attempts to ping the webpage at
www.thetruthusa.org
 Gets Timed Out results

It turns out that the students have set up a
PIX firewall to prevent pings to the web
server!

Inline frames
◦ Many small inline frames can be installed on
a web page
 Each frame can load the web page from a site
 FORCE MULTIPLIER!
 If you can constantly refresh each frame… better still


The trick is now to find a web site with lots of
bandwidth and lots of traffic
Social engineer the web design company
◦ Phoenix needs write access to the server

Modify the home page
◦ Add inline frames calling the target’s homepage
 If 10 frames are added, every time a user brings up the
unknowing accomplice’s page, 10 HTTP GET requests
are issued against the victim
 If you “refresh” the inline request every 5 seconds…

Phoenix poses as a potential client
◦ Speaks with developers and requests a
demonstration
◦ Representative shows Phoenix how quickly a page
can be added
 In doing so, the rep refers to a 3-ring binder for the
information on sites (credentials, etc)
 Phoenix notes the location of the binder

Phoenix bribes the cleaner to photocopy the
contents of the 3-ring binder
<iframe src="http://www.thetruthusa.org" width="0" height="0">
</iframe>
◦ Refreshing every 5 seconds
 Add a meta tag to the web page
<meta http-equiv="refresh" content="5">

Phoenix downloads the Pawn’s web page
◦ Inserts the inline frames and the meta tag
◦ FTP’s the altered page to the Pawn’s server
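A page-integrity check the pawn site (or its hosting company) could run to catch exactly this modification: it parses a page and flags zero-sized or style-hidden iframes and meta refresh tags. This is an added example, not code from the course material; the sample page and the host names in it are constructed.

```python
from html.parser import HTMLParser

# Constructed sample: a pawn page into which two hidden iframes and a meta
# refresh were inserted, alongside one legitimate, visibly sized iframe.
SAMPLE_PAGE = """<html><head><title>Web Design Co</title>
<meta http-equiv="refresh" content="5">
</head><body><h1>Welcome</h1>
<iframe src="http://victim.example.invalid/" width="0" height="0"></iframe>
<iframe src=http://victim.example.invalid/ width=0 height=0></iframe>
<iframe src="https://cdn.example.invalid/widget" width="300" height="200"></iframe>
</body></html>"""

class HiddenFrameScanner(HTMLParser):
    """Collects iframes sized 0x0 (or hidden via style) and meta refresh tags."""
    def __init__(self):
        super().__init__()
        self.hidden_frames = []    # src of every hidden iframe found
        self.refresh_values = []   # content= of every meta refresh tag found

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # html.parser lowercases attr names
        if tag == "iframe":
            zero = (a.get("width", "").rstrip("px") == "0"
                    and a.get("height", "").rstrip("px") == "0")
            style = a.get("style", "").replace(" ", "").lower()
            if zero or "display:none" in style or "visibility:hidden" in style:
                self.hidden_frames.append(a.get("src", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh_values.append(a.get("content", ""))

def scan_page(html):
    """Return the findings for one page. 'suspicious' is True when a hidden
    iframe or a meta refresh is present; the two together are the injection
    pattern described in the slides and are rare on a legitimate page."""
    parser = HiddenFrameScanner()
    parser.feed(html)
    parser.close()
    return {
        "hidden_frames": parser.hidden_frames,
        "refresh": parser.refresh_values,
        "suspicious": bool(parser.hidden_frames or parser.refresh_values),
    }
```

Run it against a known-good copy of each page on a schedule and alert on any change in the findings, which also covers the Trojan-pointer variant discussed later in the slides.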
DDoS against the victim
How long?
◦ Depends…
 If traffic is examined, requests for the page are coming from
all over
 If the target changes its IP address, there is no effect: the
requests are made for the URL, not the IP…
◦ Someone would have to examine the pawn’s HTML
within their page to spot the inline frames
 If reported to the pawn site, they might not notify the target
that they were the unwitting accomplice
 Once the pawn replaces the modified page with the original
 Cached pages still might exist in browsers around the
world…
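The slides note that the requests arrive from all over, so the client IPs say nothing; what the target can examine instead is the Referer header, because browsers send one on cross-origin iframe loads (under the default referrer policy at least the embedding page's origin is sent). This added example, not part of the course material, groups an access log by Referer and reports any single referring page behind many distinct clients with a steady repeat interval; the log lines and host names are constructed and use a simplified space-separated format.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of the target's access log in a simplified form:
# "<epoch_seconds> <client_ip> <path> <referer>". Thirty client IPs fetch "/"
# every 5 s with the same Referer (the pawn page); two ordinary visitors
# arrive from a search engine.
def make_sample_log():
    lines = []
    for n in range(1, 31):                 # 30 distinct browsers showing the pawn page
        for k in range(6):                 # each refreshes the frames every 5 s
            lines.append(f"{1000 + n + 5 * k} 198.51.100.{n} / http://pawn.example.invalid/")
    lines.append("1003 203.0.113.7 / https://search.example.invalid/")
    lines.append("1090 203.0.113.9 /about https://search.example.invalid/")
    return lines

def referrer_clusters(lines, min_clients=10):
    """Group requests by Referer and report referrers seen from at least
    min_clients distinct client IPs, with the median gap between a client's
    repeat requests. A big cluster with a steady gap (here 5 s, the meta
    refresh interval) points at one embedding page rather than at the IPs."""
    per_ref = defaultdict(lambda: defaultdict(list))   # referer -> ip -> [ts]
    for line in lines:
        ts, ip, _path, ref = line.split(maxsplit=3)
        per_ref[ref][ip].append(int(ts))
    findings = {}
    for ref, clients in per_ref.items():
        if len(clients) < min_clients:
            continue
        gaps = []
        for stamps in clients.values():
            stamps.sort()
            gaps.extend(b - a for a, b in zip(stamps, stamps[1:]))
        findings[ref] = {
            "clients": len(clients),
            "requests": sum(len(s) for s in clients.values()),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return findings
```

With the referring page identified, the target can contact the pawn site directly instead of waiting for someone to notice the frames in its HTML.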

Phoenix could have inserted a source pointer
to a Trojan instead of the target’s URL
◦ If the pointer is to a keylogger, the pawn site could
be made to appear as if they are infecting
computers around the world
 What is the pawn company’s liability in this case?

Prevent disclosure of information via passive
means
◦ Configure DNS not to reveal information (via
registrar)
◦ Configure web server settings
◦ Don’t “advertise” information about the site or
developers that nobody requires
 Even if removed from the web, historical pages might
exist
 NETCRAFT might reveal information regardless…

ICMP
◦ Disable entry of Ping packets into the network from
outside
 If required, then script a “block” from IP’s in the event
that pings exceed a given number in a time period
 Might not be that effective in a DDoS attack…
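The scripted per-source block from the slides, and why it falls short against a distributed attack, as an added example that is not part of the course material. It counts inbound echo requests per source over a sliding window and names the sources to block; the log lines are constructed, and the one flooding host is caught while fifty hosts each staying under the threshold deliver five times its volume untouched.

```python
from collections import defaultdict, deque

# Constructed sample log of inbound ICMP echo requests: "<epoch_seconds> <src_ip>".
# 203.0.113.5 sends 40 pings in 8 s on its own; 50 hosts in 198.51.100.0/24
# send 4 pings each (200 in total) inside the same 10 s.
SAMPLE_LOG = (
    [f"{1000 + i // 5} 203.0.113.5" for i in range(40)]
    + [f"{1000 + i % 10} 198.51.100.{i % 50 + 1}" for i in range(200)]
)

def icmp_sources_to_block(lines, max_pings=20, window=10):
    """Return the set of source IPs that exceed max_pings echo requests
    within any window-second period; this is the scripted block the
    slides describe, applied to a log of inbound pings."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    blocked = set()
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts_str, src = line.split()
        ts = int(ts_str)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop pings that aged out of the window
            q.popleft()
        if len(q) > max_pings:
            blocked.add(src)
    return blocked

def unblocked_pings(lines, blocked):
    """Count the pings that still reach the network after the block is applied."""
    return sum(1 for line in lines if line.split()[1] not in blocked)
```

The per-source rule is effective against the lone flooder and blind to the distributed one, which is the limitation the slide points out.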

Blocking DDoS attacks via web
◦ Create a customized network stack
 Costly (development and maintenance)
 Reserved for highly secured environments
◦ Rate limiting
 Bandwidth
 Connection limits
◦ Black hole filtering
 Send suspicious traffic to a nonexistent interface

These are all counter to the reason the
company site is up in the first place…
Review the web site hosting company’s
policies and security statements
Your company should authorize all changes
◦ One-time passwords, maintained by your company
 Forces the developer to contact you for each
modification

Physical access to information
◦ Paper format?
◦ Put onto encrypted electronic format, and then on a
locked down workstation, which is physically
protected
Separation of duty
Principle of least privilege