Denial of Service Attacks: Methods, Tools, and Defenses Prof. Mort Anvari Strayer University at Arlington

Post on 20-Jan-2016

TRANSCRIPT

Page 1: Denial of Service Attacks: Methods, Tools, and Defenses Prof. Mort Anvari Strayer University at Arlington

Denial of Service Attacks: Methods, Tools, and Defenses

Prof. Mort Anvari, Strayer University at Arlington

Page 2:

Introduction

Basic types of DoS attacks

Evolution of DoS tools

Overview of DoS tools

Defenses

Page 3:

What is Denial of Service Attack?

“Attack in which the primary goal is to deny the victim(s) access to a particular resource.” (CERT/CC)

Very wide definition, covers lots of cases

This tutorial covers only a subset of all DoS attacks

Page 4:

Modes of Denial of Service Attack

Consumption of limited resources:

Network connectivity

Bandwidth consumption

Other resources: processing time, disk space, lockout of an account

Alteration of configuration information

Page 5:

DoS Attacks - Statistics

There are more than 4000 attacks per week

During 2000, 27% of security professionals detected a DoS attack against their systems

In the February 2000 attacks, the stream going to one of the affected sites was about 800 Mb/s

Page 6:

DoS Attacks - Statistics

Overall Internet performance degradation during February 2000 attacks

Date       PPW    PAW    CPW
Feb. 7th   5.66   5.98   +5.7%
Feb. 8th   5.53   5.96   +7.8%
Feb. 9th   5.26   6.67   +26.8%
Feb. 10th  4.97   4.86   -2.2%

PPW – Performance in previous week

PAW – Performance in attacking week

CPW – Change from previous week

Source: Keynote Systems

Page 7:

DoS Attacks - Basics

Prof. Mort Anvari, Strayer University at Arlington

Page 8:

DoS Attacks - Basics

Attack has two phases:

Installation of DoS tools

Committing an attack

Page 9:

DoS Attacks - Basics

Installation of DoS tools:

Finding a suitable machine:

Unprotected ports

Vulnerable services

Errors in operating systems

Trojan horses and worms

Installation of the tool itself

Installation of a root-kit

Page 10:

DoS Attacks - Basics

Ping of Death

Maximum size of a TCP/IP packet is 65536 bytes

An oversized packet may crash, freeze, or reboot the system

Obsolete

Page 11:

DoS Attacks - Basics

Teardrop

An IP packet can be broken into fragments

A broken (fragmented) packet is reassembled using the offset fields

Page 12:

DoS Attacks - Basics

Teardrop

Overlapping offset fields

Obsolete
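As an added example (not from the slides), a reassembler that validates the fragment offset fields before copying, so the overlapping layout the Teardrop slides describe is rejected instead of corrupting the reassembly. The fragment tuples are constructed for the demo, not captured packets.

```python
# Added example, not from the slides: a fragment reassembler that checks the
# offset fields before copying, rejecting the overlapping layout the Teardrop
# slides describe. Fragments are constructed (offset_field, more_fragments,
# payload) tuples, not captured packets.

FRAG_UNIT = 8  # the IP fragment offset field counts 8-byte units


def reassemble(fragments):
    """Return the reassembled payload, or raise ValueError when the fragments
    overlap (the Teardrop case), leave a hole, or never end."""
    pieces = sorted((off * FRAG_UNIT, mf, data) for off, mf, data in fragments)
    expected = 0  # byte position the next fragment must start at
    out = bytearray()
    for start, mf, data in pieces:
        if start < expected:
            raise ValueError(f"overlap: fragment at {start} re-enters data up to {expected}")
        if start > expected:
            raise ValueError(f"hole: nothing covers bytes {expected}-{start}")
        out += data
        expected = start + len(data)
    if not pieces or pieces[-1][1]:
        raise ValueError("incomplete: no final fragment (more-fragments still set)")
    return bytes(out)


def classify(fragments):
    """Defender-side summary of a fragment set: 'ok', 'overlap', 'hole' or 'incomplete'."""
    try:
        reassemble(fragments)
        return "ok"
    except ValueError as err:
        return str(err).split(":")[0]


# Constructed fragment sets. Offsets are in 8-byte units, as on the wire.
GOOD = [(0, True, b"A" * 16), (2, True, b"B" * 16), (4, False, b"C" * 8)]
# Second fragment claims offset 1 (byte 8) while the first already covers bytes 0-15.
OVERLAPPING = [(0, True, b"A" * 16), (1, False, b"B" * 16)]
```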

Page 13:

DoS Attacks - Basics

SYN flood attack

TCP SYN handshake

Finite length of backlog queue

Lots of half-open connections

Partially solved

Diagram: Client -> SYN -> Server; Server -> SYN/ACK -> Client; Client -> ACK -> Server
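As an added example (not from the slides), a small tracker that replays TCP control segments against a finite backlog, the way the server's SYN queue fills with half-open connections during a flood. The log format, addresses and backlog size are constructed; entries are keyed by source address only, whereas a real stack keys them by the full 4-tuple.

```python
# Added example, not from the slides: a half-open connection tracker that
# models the server's finite SYN backlog. Log format, addresses and the
# backlog size are constructed; entries are keyed by source address for
# brevity (a real stack keys them by the full 4-tuple).
from collections import OrderedDict

BACKLOG_SIZE = 5  # constructed: real backlogs are larger, the logic is the same

# Constructed sample of TCP control segments seen by the server: "time src flags".
SAMPLE_PACKETS = """
1.00 198.51.100.7 SYN
1.01 198.51.100.7 ACK
1.10 203.0.113.10 SYN
1.11 203.0.113.11 SYN
1.12 203.0.113.12 SYN
1.13 203.0.113.13 SYN
1.14 203.0.113.14 SYN
1.15 203.0.113.15 SYN
1.20 198.51.100.8 SYN
1.21 198.51.100.8 ACK
""".strip().splitlines()


def parse(line):
    ts, src, flags = line.split()
    return float(ts), src, flags


def track_half_open(lines, backlog=BACKLOG_SIZE):
    """Replay the segments; return (peak_half_open, rejected_syns, left_half_open).
    A SYN occupies a backlog slot until the client's ACK completes the handshake.
    When the backlog is full, new SYNs are dropped: that is what a legitimate
    client experiences during a SYN flood."""
    half_open = OrderedDict()
    peak, rejected = 0, []
    for line in lines:
        ts, src, flags = parse(line)
        if flags == "SYN":
            if src in half_open:
                continue  # retransmitted SYN, already queued
            if len(half_open) >= backlog:
                rejected.append(src)
                continue
            half_open[src] = ts
            peak = max(peak, len(half_open))
        elif flags == "ACK":
            half_open.pop(src, None)  # handshake completed, slot freed
    # Sources still half-open at the end never answered the SYN/ACK; with a
    # spoofed source they never will, which is the flood signature.
    return peak, rejected, sorted(half_open)
```

With the sample input the five flood sources fill the backlog and the later legitimate client 198.51.100.8 is turned away; raising the backlog lets it through, which is why a bigger queue only partially solves the problem.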

Page 14:

DoS Attacks - Basics

UDP flood

UDP echo service

UDP chargen service

Spoofed address

Easy prevention

Brute force approach if this one doesn’t work

Diagram: Attacker -> spoofed request -> Victim (chargen) <-> Victim (echo)

Page 15:

DoS Attacks - Basics

Smurf attack

ICMP packets

Broadcast request

Spoofed address

Two victims

Cannot be easily prevented

Diagram: Attacker -> Intermediate systems -> Victim

Page 16:

Evolution of DoS Attacks

Defenses were improved

Technology was improved, as well

Attackers had to improve their attack techniques

Page 17:

Evolution of DoS Attacks

Packet processing rate is more limiting than bandwidth

CPU can be a limit in SYN flood attack

“Reflected” attacks

Diagram: Attacker -> bad packet -> Intermediate -> ICMP reply -> Victim

Page 18:

(R)evolution of DoS Attacks

Distributed DoS tools and networks

Client-Server architecture

Open-source approach

Several layers

Difficulties in tracking back the attacker

Page 19:

Evolution of DoS Attacks

All of the systems are compromised

Terminology: Client, Handler, Agent

Page 20:

Evolution of DoS Attacks

Implications of DDoS network:

One or two attackers

Small number of clients

Several handlers

Huge number of agents

Humongous traffic

Page 21:

DoS Attacks - Tools

Prof. Mort Anvari, Strayer University at Arlington

Page 22:

DoS Attacks - Tools

History of DoS tools:

IRC disable tools

Single attack method tools

Distributed tools, with possibility of selecting the type of attack

Page 23:

DoS Attacks - Tools

Trinoo

Distributed

UDP flood (brute force)

Menu operated

Agent passwords are sent in plain text form (not encrypted)

Page 24:

DoS Attacks - Tools

TFN (Tribal Flood Network)

Multi-type attack

UDP flood

SYN flood

ICMP_ECHOREPLY flood

Smurf

Handler keeps track of its agents in “Blowfish” encrypted file

Page 25:

DoS Attacks - Tools

TFN2K

Improved version of TFN

Agent can randomly alternate between the types of attack

Agent is completely silent (handler sends the same command several times, hoping that the agent will receive at least one)

Page 26:

DoS Attacks - Tools

TFN2K

All communication is encrypted

Random source IP address and port number

Decoy packets (sent to non-target networks)

Page 27:

DoS Attacks - Tools

Stacheldraht

Several levels of protection:

Hard-coded password in client

Password is needed to take control over handler

Encrypted communication between handler and agent

Page 28:

DoS Attacks - Tools

Stacheldraht

Automated update of agents

TCP is used for communication between client and handler, and ICMP_ECHOREPLY for communication between handler and agent

Page 29:

DoS Attacks - Tools

Stacheldraht

ICMP_ECHOREPLY packets are difficult to stop

Each agent has a list of its handlers (Blowfish encrypted); if there is no such list, the agent uses several hard-coded IP addresses

Agent tests for the possibility of spoofing the source address

Page 30:

DoS Attacks - Tools

Stacheldraht

Weakness: it uses the rpc command for updates

Listening on this port can lead to detection of an agent. The drawback is that this can generate a lot of false alarms (rpc is used by legitimate users too)

Page 31:

Defenses

Page 32:

Defenses

There is no universal solution

There are some preventions that can help in minimizing the damage:

Prevention of becoming the source of an attack

Preparations for defending against an attack

Page 33:

Defenses

Disable and filter out chargen and echo services

Disable and filter out all unused UDP services. Good practice is to block all UDP ports below 900 (excluding some specific ports like DNS)

Page 34:

Defenses

Install a filtering router to block the following cases:

Do not allow a packet to pass through if it is coming into your network and has a source address from your network

Do not allow a packet to pass through if it comes from your network and has a source address that doesn't belong to your network

Page 35:

Defenses

Network administrators should log all information on packets that are dropped

If you are providing external UDP services, monitor them for signs of misuse

Page 36:

Defenses

The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router:

10.0.0.0 to 10.255.255.255 (reserved)

127.0.0.0 to 127.255.255.255 (loopback)

172.16.0.0 to 172.31.255.255 (reserved)

192.168.0.0 to 192.168.255.255 (reserved)

0.0.0.0 and 255.255.255.255 (broadcasts)
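As an added example (not from the slides), a border-router policy that combines the two anti-spoofing rules from the filtering-router slide with the reserved-network list above and keeps the drop log the slides recommend. The site prefix 203.0.113.0/24 and the sample packets are constructed.

```python
# Added example, not from the slides: a border-router policy that applies the
# two anti-spoofing rules and the reserved-network list from the Defenses
# slides. The site prefix and the sample packets are constructed.
import ipaddress

OUR_NETWORK = ipaddress.ip_network("203.0.113.0/24")  # constructed site prefix

# The reserved ranges listed on the slide, written as CIDR blocks.
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/32", "255.255.255.255/32")]


def is_reserved(addr):
    return any(addr in net for net in RESERVED)


def filter_packet(direction, src, dst, our_net=OUR_NETWORK):
    """Return (verdict, reason) for one packet crossing the border router.
    direction is "in" (Internet -> our network) or "out" (our network -> Internet)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_reserved(src) or is_reserved(dst):
        return "drop", "reserved or private address seen at the border"
    if direction == "in" and src in our_net:
        return "drop", "inbound packet claims a source inside our network (spoofed)"
    if direction == "out" and src not in our_net:
        return "drop", "outbound packet with a foreign source (we would be the attack source)"
    return "accept", "ok"


# Constructed sample packets: (direction, src, dst)
SAMPLE = [
    ("in", "198.51.100.5", "203.0.113.10"),       # normal inbound
    ("in", "203.0.113.10", "203.0.113.20"),       # inbound, but claims our own address
    ("out", "203.0.113.10", "198.51.100.5"),      # normal outbound
    ("out", "192.0.2.77", "198.51.100.5"),        # outbound with a foreign source
    ("in", "10.1.2.3", "203.0.113.10"),           # private source arriving from the Internet
    ("out", "203.0.113.10", "255.255.255.255"),   # broadcast destination
]


def apply_policy(packets=SAMPLE):
    """Run every packet through the policy and return the drop log;
    the slides recommend logging everything that is dropped."""
    log = []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        if verdict == "drop":
            log.append((direction, src, dst, reason))
    return log
```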

Page 37:

Defenses

Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed

Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)

Page 38:

Defenses

Train your system and network administrators

Read security bulletins like: www.cert.org, www.sans.org, www.eEye.com

From time to time listen in on the attacker community to be informed about their latest achievements

Be in contact with your ISP. In case your network is being attacked, this can save a lot of time

Page 39:

Conclusion

Several examples of large scale DoS attacks (Yahoo, eBay, CERT, FBI, Amazon)

Increased number of consumers with high bandwidth technologies, but with poor knowledge of network security

Easily accessible, easy-to-use DoS attack tools

No final solution for attacks

Page 40:

This tutorial is based on a research paper done for isitworking.com

Isitworking is part of the Biopop company, Charlotte, NC, USA

So far, it was presented at:

SSGRR 2002w, L'Aquila, Italy

YU-INFO 2002, Kopaonik, Serbia

Page 41:

Denial of Service Attacks: Methods, Tools, and Defenses

Prof. Mort Anvari, Strayer University at Arlington