Transcript Lesson 15

Denial of Service (DoS) and
Distributed Denial of Service (DDoS)
Lesson 15
Email Flooding/bombing
• A form of denial of service attack.
• From the CERT web page:
• Email "bombing" is characterized by abusers repeatedly sending an
identical email message to a particular address.
• Email "spamming" is a variant of bombing; it refers to sending email to
hundreds or thousands of users (or to lists that expand to that many users).
Email spamming can be made worse if recipients reply to the email,
causing all the original addressees to receive the reply. It may also occur
innocently, as a result of sending a message to mailing lists and not
realizing that the list explodes to thousands of users, or as a result of an
incorrectly set-up responder message (such as vacation(1)).
• Email bombing/spamming may be combined with email "spoofing"
(which alters the identity of the account sending the email), making it
more difficult to determine who the email is actually coming from.
Email Flooding
Attacker sends 100’s or
1000’s of emails to target
Attacker
Target user’s box fills or
target system can go
down.
Effectiveness as means to attack a system depends on the
relative size of the systems and the “pipes”.
Email Spoofing and bombing
-----Original Message----From: [email protected] [mailto:[email protected]]
Sent: Monday, October 15, 2001 9:07 PM
To: [email protected]
Subject: Congratulation!
Dr. White: Congratulation upon becomming a full time faculty at UTSA.
Well, I am obviously not President Bush. This is a program I wrote last
semester for my project in Ecommerce class. Is this also considered
spoofing based on your definition Dr. White? I know I do need to send a
spoofing email using Linux. This's only my little game. Thank you.
Sincerely,
What happens if the email announced a contest, or contained
something designed to anger folks to have them respond?
Email Flooding
Systems return email to system that
appears to have sent emails.
Target system goes
down under load of
too many emails.
Attacker sends spoofed email
with error to 100’s of systems
Attacker
Email Bombing example
Email Flooding
What can you do?
• From the CERT web page:
• A.Detection
• If your system suddenly appears sluggish (email is slow or doesn't appear to be
sent or received), the reason may be that your mailer is trying to process a large
number of messages.
• B.Reaction
• Identify the source of the email bomb/spam and configure your router (or have
your Network Service Provider configure the router) to prevent incoming
packets from that address. Review email headers to determine the true origin of
the email. Review the information related to the email bomb/spam following
relevant policies and procedures of your organization.
• Follow up with the site(s) you identified in your review to alert them to the
activity. Contact them to alert them to the activity. NOTE: When contacting
these sites, keep in mind that the abuser may be trying to hide their identity.
• Ensure you are up to date with the most current version of email delivery
daemon (sendmail, for example) and increase logging capabilities as necessary
to detect or alert you to such activity.
Denial of Service Attacks
Denial of Service Attacks
Denial of Service (DoS)
• Attacks that deny legitimate users service and access to
information resources.
• Different ways to categorize them
• Nature of attack
• Poisoned traffic
– malformed or invalid data that can’t be properly handled
• Brute-force resource
– simply use up all available capacity
• Stateful resource
– take advantage of client/server relationship in protocols
• “target” of attack
• Operating system attacks
– target flaws in specific operating systems
• Networking attacks
– exploit inherent limitations of networking
Sources of the Attack
• Can come from many places (any place) in the
network
• An attacker can hide the source of an attack
through IP spoofing
• Attackers can also hide their identity by enslaving
unwitting victims.
• “owned” or “zombie” agents
• When an attacker uses many zombie agents
together simultaneously the result is a Distributed
Denial of Service (DDoS) attack
IIS Attack
• Operating System/Poisoned Traffic attack
• Worked against NT 4.0 running Microsoft’s
Internet Information Server version 3.0
• All that was required was for the user to
request a document with a very long name
from the server to halt it.
• e.g. http://victim.com/?something=xxxxxx…
• A patch for this bug was issued by MS
Ping of Death (POD)
• Normal Ping utility used to determine whether
another machine on the network is up.
• Accomplished by sending an Internet Control Message
Protocol (ICMP) “echo” or “ping” packet to the target.
• The target replies if it is operating
• POD accomplished by sending packet > 64K
• Buffer overflow ensues causing reboot or crash
• Patches issued to address this attack
ICMP Packet
• Considered part of IP layer
• Communicates error messages and other
conditions that require attention.
• ICMP messages are usually acted on by either
the IP layer or the higher layer protocol.
• ICMP messages are transmitted within IP
datagrams as shown:
IP Header
20 bytes
ICMP Message
ICMP packet
8-bit type
8-bit code
16-bit checksum
(contents depends on type and code)
ICMP Messages
Type
0
3
4
5
8
13
code
0
0
1
2
3
0
0
1
0
0
Description
echo reply
destination unreachable
network unreachable
host unreachable
protocol unreachable
port unreachable
source quench (flow control)
redirect
redirect for network
redirect for host
echo request
timestamp request
Query Error
x
x
x
x
x
x
x
x
x
x
Smurf/ping flooding/ICMP storm
• Another attack that exploits the ping utility
• Attacker sends a large stream of spoofed ping packets to a
broadcast address (an IP address that services a network of
computers)
• All of the packets have as their source address the target’s IP
address.
• Broadcast host will relay request to all hosts on network.
• Hosts reply to the victim
• Amount of data sent to victim is multiplied by a factor of
the number of hosts in network
• If multiple requests sent to broadcast host, target will be
overloaded with replies
• A Network/Brute-force attack
ICMP Flooding
Multiple Ping replies
Multiple Ping requests
System or network
becomes overloaded
Broadcast request
Attacker
Ping
Broadcast request
SYN flooding
• Exploits the synchronization protocol used to initiate connections
• Normal process is:
• Initiator sends synchronization (SYN) packet
• Target replies with a SYN/ACK (acknowledgement)
• Initiator sends ACK, two machines are now ready
• In SYN flooding, attacker sends SYN packets with phony source
address
• target replies with SYN/ACK but it goes nowhere
• target waits for ACK, eventually gives up but…
• if enough SYN’s received, space will fill up
• Network/Stateful Resource attack
SYN Flooding
SYN Attacks
• Syn_Flooder an example of SYN Flooding attack
• Land is a specialized version of SYN attack
• From CERT Advisory CA-97.28 - Teardrop_Land
• Some implementations of TCP/IP are vulnerable to packets that are
crafted in a particular way (a SYN packet in which the source
address and port are the same as the destination--i.e., spoofed).
Land is a widely available attack tool that exploits this
vulnerability. Any remote user that can send spoofed packets to a
host can crash or "hang" that host.
• Operating System/Poisoned traffic attack
• A patch to fix this problem is available from vendors
Other DoS Attacks - Teardrop
• Teardrop
• From CERT Advisory CA-97.28 - Teardrop_Land
• Some implementations of the TCP/IP IP fragmentation reassembly code do not properly handle overlapping IP
fragments. Teardrop is a widely available attack tool that
exploits this vulnerability. Any remote user can crash a
vulnerable machine.
• Operating System/Poisoned traffic
• Patch to prevent is available from vendors
• Note similarity with previous exploit.
Other DoS Attacks - Bonk
• A variant of Teardrop aimed at W95 and NT
• From www.attrition.org/security/denial/w/bonk.dos.html
• Based On: teardrop.c by route|daemon9 & klepto
Crashes
*patched* win95/(NT?) machines. Basically, we set the frag
offset > header length (teardrop reversed). There are many
theories as to why this works, however i do not have the
resources to perform extensive testing.
• Operating System/Poisoned traffic
• Patch to prevent is available from vendors
• For fun, check out
http://www.attrition.org/security/denial/
Other DoS Attacks - WinNuke
• Affects Window 95/3.1/NT
• Caused “Blue Screen of Death”
• Computer recovers but Internet connection hosed,
requires reboot
• uses Out of Band (OOB) data sent to an
established connection.
• Windows doesn’t handle OOB well and goes into a
panic.
• Operating System/Poisoned traffic attack
DDoS Attack
tribal flood network (TFN) DDoS
• TFN is made up of client and daemon programs, which
implement a distributed network denial of service tool capable
of waging ICMP flood, SYN flood, UDP flood, and Smurf style
attacks.
• Remote control of a TFN is accomplished via command line
execution of the client program, using any of a number of
connection methods (e.g., remote shell bound to a TCP port,
UDP based client/server remote shells, ICMP based client/server
shells, or normal "telnet" TCP terminal sessions.
• Communication from the TFN client to daemons is
accomplished via ICMP_ECHOREPLY (why?) packets. There
is no TCP or UDP based communication between the client and
daemons at all.
trinoo DDoS
• A trinoo network of at least 227 systems was used on Aug 17,
•
•
•
•
•
1999 to flood a single system at the University of Minnesota.
The attacker(s) control one or more “master”servers, each of
which can control many daemons.
Remote control of the master is accomplished via a TCP
connection to port 27665, after which the user must authenticate
with a password.
Communication between the master to daemons is via UDP
packects on port 27444.
When the daemon starts, it initially sends a “hello” message to
the master which maintains a list of active daemons it controls.
The daemons send UDP packets to random (0-64K) UDP ports
on the target for a period of time (120 seconds default)
Stacheldraht (barbed wire) DDoS
• Combines features of the trinoo and the original TFN
and adds encryption of communication between
attacker and masters and automated updating of
agents.
• Can do ICMP flood, SYN flood, UDP flood, and
smurf style attacks.
• There is a limit of 1000 agents for each master
• Used TCP and ICMP for communication between
master and agents (trinoo used UDP, TFN used
ICMP)
Protection from DoS and DDoS
• Best way would seem to be to stop the attack
before it happens
• Detect and Remove Trojans from servers, use fileintegrity checking programs
• Block “marching orders”
• e.g. one method to send the “attack” order is to send an
unsolicited ICMP ping response -- firewalls should be
set to block this. Broadcasts should not send ping
requests. Limit ability to spoof.
• Block the attack at the source
Mitigating the Effects of DoS
•
•
•
•
Acknowledges that we can’t stop DoS
Harden the network
Avoid putting “all of your eggs in one basket”
Use Load balancers
• can employ “delayed binds” which drop sessions
• can also drop “Silent” TCP sessions
• Adjust state limits (e.g. wait time)