Transcript: DDoS
Distributed Denial of Service Attacks
by Mark Schuchter
Overview
Introduction
Why?
Timeline
How?
Typical attack (UNIX)
Typical attack (Windows)
Introduction
limited and consumable resources
(memory, processor cycles, bandwidth, ...)
Internet security is highly interdependent
DDoS attack:
prevents or impairs legitimate computer use
Why?
sub-cultural status
nastiness
revenge
to gain access
economic reasons
political reasons
Timeline
<1999: point-to-point attacks (SYN flood, Ping of Death, ...), first distributed attack tools ('fapi')
1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
2000: bundled with rootkits, controlled via talk or IRC
2001: worms include DDoS features (e.g. Code Red), include time synchronisation
2002: DRDoS (distributed reflected) attack tools (179/TCP; BGP = Border Gateway Protocol)
2003: Mydoom infects thousands of victims to attack SCO and Microsoft
How?
TCP floods (various flag combinations)
ICMP echo request floods (e.g. ping floods)
UDP floods
SYN-Attack
[Figure, two panels. Handshake: Client sends SYN to Server, Server replies SYN-ACK, Client completes with ACK. Attack: Attacker (spoofed IP) sends repeated SYNs to Server, Server replies SYN-ACK to each, the final ACK never arrives.]
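As an added example (not from the original talk), the defender's view of the attack panel: a small half-open-connection tracker replayed over constructed packet records. The addresses, the flag strings and the threshold of 20 are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample packets (src, dst, tcp_flags) modelled on the figure:
# one legitimate client completes the 3-way handshake; 40 spoofed sources
# send a SYN, receive a SYN-ACK and never send the final ACK.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", "S"),
    ("192.0.2.10", "10.0.0.5", "SA"),
    ("10.0.0.5", "192.0.2.10", "A"),
] + [
    (f"198.51.100.{i}", "192.0.2.10", "S") for i in range(1, 41)
] + [
    ("192.0.2.10", f"198.51.100.{i}", "SA") for i in range(1, 41)
]

def handshake_states(packets):
    """Track each (client, server) handshake: 'syn' -> 'syn-ack' -> 'established'."""
    states = {}
    for src, dst, flags in packets:
        if flags == "S":                                 # client -> server
            states.setdefault((src, dst), "syn")
        elif flags == "SA" and states.get((dst, src)) == "syn":
            states[(dst, src)] = "syn-ack"               # server replied, waiting for ACK
        elif flags == "A" and states.get((src, dst)) == "syn-ack":
            states[(src, dst)] = "established"
    return states

def half_open_report(packets, threshold=20):
    """Per server: half-open handshakes, distinct sources, completed ones, flood flag.
    A flood is suspected when at least `threshold` half-open handshakes exist from
    at least `threshold` distinct sources (threshold is an assumed tuning value)."""
    acc = defaultdict(lambda: {"half_open": 0, "sources": set(), "established": 0})
    for (client, server), state in handshake_states(packets).items():
        if state == "established":
            acc[server]["established"] += 1
        else:
            acc[server]["half_open"] += 1
            acc[server]["sources"].add(client)
    report = {}
    for server, e in acc.items():
        n_src = len(e["sources"])
        report[server] = {
            "half_open": e["half_open"],
            "distinct_sources": n_src,
            "established": e["established"],
            "suspected_syn_flood": e["half_open"] >= threshold and n_src >= threshold,
        }
    return report
```

Calling half_open_report(PACKETS) reports 40 half-open handshakes from 40 sources against one completed one for 192.0.2.10, the signature the victim sees in the attack panel.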
Typical attack
1. prepare attack
2. set up network
3. communication
UNIX ('trin00') – preparation I
use a stolen account (high bandwidth) as a repository of:
scanners
attack tools (e.g. buffer overrun exploit)
root kits
sniffers
trin00 master and daemon program
list of vulnerable hosts and previously compromised hosts ...
UNIX ('trin00') – preparation II
scan large ranges of network blocks to identify potential targets (running an exploitable service)
list used to create a script that:
performs the exploit
sets up a command shell running as root that listens on a TCP port (1524/tcp)
connects to this port to confirm the exploit
result: list of owned systems
UNIX ('trin00') – network I
store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
a script takes the 'owned list' to automate the installation of the daemon
same goes for the trin00 master
UNIX ('trin00') – network II
[Figure: trin00 network topology. Attackers at the top control several masters; each master controls several daemons, which carry out the flood.]
UNIX ('trin00') – communication
attacker controls the master via telnet and a password (port 27665/tcp)
trin00 master to daemon via 27444/udp (format: arg1 password arg2)
daemon to master via 31335/udp
'dos <pw> 192.168.0.1' triggers the attack
Windows ('Sub7') – preparation I
set up the following things on your home PC:
freemail
kazaa
trojan-toolkit
IRC-client
IRC-bot
Windows ('Sub7') – preparation II
assemble different trojans (GUI)
define ways of communication
name
file
Windows ('Sub7') – network I
start spreading via:
e-mail / news lists
IRC
P2P software
Windows ('Sub7') – network II
[Figure: Sub7 network topology. The attacker controls several infected clients directly; there is no master layer as in trin00.]
Windows ('Sub7') – communication
Sub7 client
IRC channel
one click to launch the attack
Development
[Figure, source CERT/CC: attack sophistication versus intruder knowledge, 1980 to 2001. Vertical axis "Attack Sophistication" from Low to High; second axis "Intruder Knowledge"; two curves labelled "Tools" and "Attackers". Techniques from low to high sophistication: password guessing, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network mgmt. diagnostics, disabling audits, back doors, sniffers, GUI, automated probes/scans, www attacks, distributed attack tools, denial of service, packet spoofing, "stealth" / advanced scanning techniques, binary encryption.]
Solutions
statistical analyses at core routers (e.g. D-WARD) are not ready yet
raise user awareness (firewalls, e-mail attachments, virus scanners, ...)
Thanks for your attention!