Denial of Service Tools and Techniques - PowerPoint PPT Presentation

1
Denial of Service Tools and Techniques
  • Presented by David DeBaecke

2
Denial of Service background
  • A Denial of Service (DoS) Attack is an explicit
    attempt by attackers to prevent legitimate users
    of a service from using that service.
  • Logic attacks
  • Software flaws exploited
  • Resource attacks (CPU, memory)
  • Brute-force method of DoS attack
  • Large number of packets sent in the hopes of
    overwhelming the victim
  • From http://www.cert.org/tech_tips/denial_of_service.html

3
DoS Attack Types
4
Passive Fingerprinting
  • Method of determining characteristics of
    attackers through analysis of specific header
    elements.
  • TTL - Time to Live
  • Limit on how long a packet can exist before being
    dropped.
  • Window Size
  • Number of bytes the sender is willing to receive.
  • DF - Don't Fragment
  • 1 of 3 bits found in the 3-bit flag field of
    the IP Header.
  • If set to 1, the packet must not be fragmented.
  • TOS - Type of Service
  • Allows different service types to be
    requested.
  • Protocol used determines the value of TOS more than
    the O/S in use.
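To make the four header fields above concrete, here is an added example (not from the presentation) that pulls TTL, window size, the DF bit and TOS out of raw IPv4/TCP header bytes; the packet builder constructs a sample header so the code runs without a capture file.

```python
import struct

def build_sample_packet(ttl, df, tos, window):
    """Constructed IPv4 + TCP header bytes (no payload) for testing; not a capture."""
    flags_frag = 0x4000 if df else 0   # DF is the 0x4000 bit of the flags/fragment-offset field
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, flags_frag, ttl, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr

def passive_fingerprint(packet):
    """Extract the four header fields the slide names from raw IPv4/TCP bytes."""
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4           # IP header length in bytes (options included)
    df = bool(flags_frag & 0x4000)       # set => routers must drop rather than fragment
    window = None
    if proto == 6 and len(packet) >= ihl + 20:   # TCP: window sits at TCP header offset 14
        window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return {"ttl": ttl, "window": window, "df": df, "tos": tos}
```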

5
CAIDA
  • CAIDA
  • Cooperative Association for Internet Data
    Analysis
  • A collaborative undertaking among organizations
    in the commercial, government, and research
    sectors aimed at promoting greater cooperation in
    the engineering and maintenance of a robust,
    scalable global Internet infrastructure.
  • Network Telescope
  • A portion of routed IP address space on which
    little or no legitimate traffic exists.
  • Allows viewing of attacks
  • Backscatter
  • A result of an attack where the attacker uses
    spoofing.
  • An attacker sends a victim machine packets with
    spoofed source IP addresses. The victim acts
    normally by sending a response to the
    (unknowingly to it) spoofed IP address.
  • The backscatter is these response packets.
  • From http://www.caida.org/home/about/
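An added example (not from the presentation) of how backscatter at a telescope reveals the real victim: reply packets (SYN-ACK, RST) arriving at address space nobody uses are grouped by their source, which is the host being flooded. The packet list is constructed, and the rate scaling assumes a /8 telescope and uniformly random spoofed sources, which the slides do not state.

```python
from collections import defaultdict

# Constructed packets as seen by a network telescope (no live hosts there, so
# nothing arriving was solicited). Fields: time, src, sport, dst, dport, flags.
TELESCOPE_PACKETS = [
    (0.00, "203.0.113.10", 80, "10.17.4.9", 51234, "SA"),   # SYN-ACK to a spoofed source
    (0.02, "203.0.113.10", 80, "10.88.1.2", 40001, "SA"),
    (0.05, "203.0.113.10", 80, "10.3.3.3", 60200, "SA"),
    (0.07, "203.0.113.10", 80, "10.200.7.1", 31337, "RA"),  # RST-ACK: victim's port closed
    (1.50, "198.51.100.7", 22, "10.9.9.9", 12345, "R"),
    (2.00, "192.0.2.55", 45000, "10.1.1.1", 445, "S"),      # plain SYN: a scan, not backscatter
    (2.90, "203.0.113.10", 80, "10.5.5.5", 23456, "SA"),
]

# Replies a host emits when a spoofed SYN (or other probe) hits it; their
# source address is the real victim, their destination the forged one.
BACKSCATTER_FLAGS = {"SA", "RA", "R"}

def backscatter_by_victim(packets):
    """Group backscatter by its source IP (the victim) with count and time span."""
    victims = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for t, src, _sport, _dst, _dport, flags in packets:
        if flags not in BACKSCATTER_FLAGS:
            continue   # unsolicited SYNs etc. are scans of the telescope, not responses
        v = victims[src]
        v["count"] += 1
        v["first"] = t if v["first"] is None else min(v["first"], t)
        v["last"] = t if v["last"] is None else max(v["last"], t)
    return dict(victims)

def estimated_attack_rate(stats, window_seconds, telescope_fraction=1 / 256):
    """Replies per second the victim was sending, assuming (my assumption, not
    the slides') uniformly random spoofed sources and a /8 telescope, which
    therefore sees about 1/256 of them."""
    return stats["count"] / telescope_fraction / window_seconds
```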

6
Tools and Techniques
  • Ethereal
  • Tcpdump
  • Snort
  • Gnuplot
  • Homemade Tools

7
Ethereal (Wireshark)
  • Network Protocol Analyzer
  • First release 1998
  • by Gerald Combs (and others!)
  • Ethereal Suite
  • ethereal (GUI)
  • tethereal (command line)
  • dumpcap
  • mergecap
  • editcap
  • text2pcap
  • Wireshark
  • http://www.wireshark.org/

8
Ethereal Filters
  • tcp: only TCP
  • udp: only UDP
  • ip: ip.addr == 255.255.255.255
  • source-only ip: ip.src == 255.255.255.255
  • destination-only ip: ip.dst == 255.255.255.255
  • Negate with !
  • ip.addr != 255.255.255.255
  • Logic
  • AND: && or and
  • OR: || or or
  • ex: (ip.src == 255.255.255.255 or ip.dst
    == 1.2.3.4) and tcp

9
Ethereal Filters (cont.)
  • Time
  • Relative: 142.1218623
  • Absolute: Nov 26, 2005 08:01:42.1218623
  • Delta: 0.000234241 seconds
  • frame.time_relative > 142
  • frame.time > "Nov 26, 2005 08:01:42.1218623"

10
Ethereal Graphs
  • Statistics > IO Graphs
  • Statistics > Summary

11
tethereal
  • command-line version of Ethereal
  • record, read, and filter traffic

12
tcpdump
  • Unix/Linux command line packet capture and
    analysis tool
  • Similar to tethereal
  • Windump: port for Windows
  • -C <number>: caps file size in megabytes
  • -r FILENAME.pcap: reads a pcap file
  • -R FILTER: reads a filter
  • -w FILENAME: writes to a file

13
Snort
  • Open-source Network IDS (Intrusion Detection
    System)
  • Provides real-time analysis of incoming traffic
  • System of content searching/pattern matching
  • Logs data in tcpdump format
  • Ability to filter traffic
  • Can read pre-recorded pcap files

14
(No Transcript)
15
  • snort alert (log)

16
Gnuplot
  • A command line data and function plotting utility
  • set: main command
  • set autoscale
  • set terminal <terminal type>
  • windows: display on screen
  • png: create a png file
  • set output "filename.png"
  • plot "afile.dat"
  • plot "filename.txt" using 1:2 with dots,
    "otherfile.txt" using 1:3 with lines,
    "filename.txt" using 1:4 with points

(Sample data file, one record per line:)
109.782917 14700 61077 32743 261
109.782941 14699 61077 32742 260
109.783047 14717 61077 32760 278
109.783057 14718 61077 32761 279
109.783486 14742 61077 32785 303
109.783497 14741 61077 32784 302
109.783621 14755 61077 32798 316
109.783632 14756 61077 32799 317
109.783769 14782 61077 32825 343
109.783780 14781 61077 32824 342
109.783792 14788 61077 32831 349
109.783916 14795 61077 32838 356
109.783927 14796 61077 32839 357
17
(No Transcript)
18
Handmade Tools
  • ttp

19
ttp code
20
Parser.pl and partest.pl
  • Parse and manipulate pcap (ethereal) formatted
    text files
  • Parser.pl
  • reads csv formatted text
  • counts and displays number of packets with
    signature present
  • partest.pl
  • based on Parser.pl
  • counts number of packets with signature present
  • reads tethereal formatted text
  • also functional on files with absolute time

21
  • partest.pl

22
Results
  • CAIDA Trace Data, Interesting Findings
  • 202.103.178.133
  • In the November 27, 2005 CAIDA Trace, packets
    with the source IP 202.103.178.133 contain an
    interesting signature: the Acknowledgement
    value minus the Destination Port equals a
    fixed value for all packets in each attack
    spike.
  • For instance, Ack 20047 - Dest. Port 19428 = 619.
    The next packet in the flow could have
    Ack 20046 - Dest. Port 19427, also equalling 619.
  • However, for the same source IP, we also see the
    beginning of other spikes where the Seq. number
    is fixed at other values.
  • Further, the Window Size and IP Ident. number on
    ALL packets (where source IP is 202.103.178.133)
    are fixed at 0.
  • Further activity from this IP source is found in
    the November 26, 2005 CAIDA trace.
  • Each of the spikes found is (roughly) between
    7000 and 9000 packets in size. The attack on
    Nov. 27, 2005 lasts just over 18 hours in total!
  • 202.103.178.29
  • In the November 27, 2005 CAIDA Trace, we also see
    source IP 202.103.178.29 exhibiting a similar
    behavior: Ack minus Dest. Port equals a
    fixed value for all packets in its flow (the fixed
    value is -9637). However, the Seq. number varies
    for each packet, unlike the packets associated
    with the 202.103.178.133 IP address.
  • Both 202.103.178.133 and 202.103.178.29 IP
    addresses are located in the Guangdong province
    of China.
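The Ack minus Dest. Port signature above is what Parser.pl and partest.pl (slide 20) count. As an added example in Python rather than the author's Perl, this reads tethereal-style summary lines (constructed here, using the fixed differences the slides report: 619 for 202.103.178.133 and -9637 for 202.103.178.29) and reports, per source, whether the difference is fixed and whether Seq and Win=0 are constant; it also copes with absolute timestamps, as partest.pl does.

```python
import re
from collections import defaultdict

# Constructed lines in the style of tethereal's one-line TCP summaries (not a
# real CAIDA trace); line 3 deliberately carries an absolute timestamp.
SAMPLE = """\
  1 109.782917 202.103.178.133 -> 10.0.0.1 TCP 61077 > 19428 [SYN, ACK] Seq=1000 Ack=20047 Win=0 Len=0
  2 109.782941 202.103.178.133 -> 10.0.0.1 TCP 61077 > 19427 [SYN, ACK] Seq=1000 Ack=20046 Win=0 Len=0
  3 Nov 27, 2005 08:01:42.121862 202.103.178.133 -> 10.0.0.2 TCP 61077 > 19450 [SYN, ACK] Seq=1000 Ack=20069 Win=0 Len=0
  4 109.783100 202.103.178.29 -> 10.0.0.1 TCP 4400 > 30000 [ACK] Seq=5 Ack=20363 Win=0 Len=0
  5 109.783200 202.103.178.29 -> 10.0.0.3 TCP 4400 > 30100 [ACK] Seq=9 Ack=20463 Win=0 Len=0
  6 109.783300 192.0.2.5 -> 10.0.0.1 TCP 4000 > 80 [SYN] Seq=0 Ack=0 Win=65535 Len=0
  7 109.783400 192.0.2.5 -> 10.0.0.1 TCP 4001 > 443 [SYN] Seq=0 Ack=0 Win=65535 Len=0
"""

# The timestamp is not anchored, so relative- and absolute-time files both parse.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) TCP "
    r"(?P<sport>\d+) > (?P<dport>\d+) \[[^\]]*\] "
    r"Seq=(?P<seq>\d+) Ack=(?P<ack>\d+) Win=(?P<win>\d+)")

def signature_report(text):
    """Per source IP: packet count, whether Ack - DstPort is one fixed value
    (the signature from the slides), and whether Seq and Win=0 are constant."""
    per_src = defaultdict(lambda: {"packets": 0, "diffs": set(), "seqs": set(), "wins": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # non-TCP or otherwise unparsable summary line
        f = per_src[m["src"]]
        f["packets"] += 1
        f["diffs"].add(int(m["ack"]) - int(m["dport"]))
        f["seqs"].add(int(m["seq"]))
        f["wins"].add(int(m["win"]))
    return {src: {"packets": f["packets"],
                  "fixed_diff": next(iter(f["diffs"])) if len(f["diffs"]) == 1 else None,
                  "seq_fixed": len(f["seqs"]) == 1,
                  "win_zero": f["wins"] == {0}}
            for src, f in per_src.items()}

def flagged_sources(report, min_packets=2):
    """Sources showing the fixed Ack - DstPort signature; flows shorter than
    min_packets (my threshold) are too short for 'fixed' to mean anything."""
    return sorted(s for s, r in report.items()
                  if r["fixed_diff"] is not None and r["packets"] >= min_packets)
```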

23
Results (cont.)
  • 61.129.15.93
  • For source IP 61.129.15.93, the Seq. number
    varies, yet Ack - Dest. Port = 15739.
  • This address is located in China and is a part of
    the Data Communications Division of China
    Telecom.
  • In both 61.153.35.105 and 67.15.121.40 we don't
    see these patterns; however, there is a
    considerable amount of traffic from these IP
    addresses.
  • 61.153.35.105 is located in China and is listed
    as owned by the Jinhua Daily Newspaper through a
    whois command, while 67.15.121.40 is located in
    Houston, Texas and is owned by Everyones
    Internet.
  • After filtering the packets in
    the Nov. 27, 2005 data with IP Source
    202.178.103.133, several of the spikes were
    examined through Gnuplot.
  • The Sequence Number, Acknowledgement Value,
    Destination Port, and the decimal form of the
    last two octets (bytes) of the Destination IP
    Address for each packet in several spikes were
    fed into Gnuplot.
  • The resultant plots showed some interesting
    findings (see next slide)

24
(Gnuplot plots, one per field; captions as shown on the slide:)
  • Sequence number fixed, represented as a straight
    horizontal line.
  • Acknowledgement value
  • New thread starts before older thread ends
  • Destination Port
  • Last 2 octets of Destination IP
25
What's next?
  • Next possible actions
  • Re-run the CAIDA trace files through SNORT using
    the latest fingerprint definitions.
  • Examine all days in the trace week for other
    signs of the Ack-Dport signature.
  • Discover tools and reason for this attack
    (appears to me as a scan) as well as other
    interesting events.
  • Other thoughts
  • Remember, we are the paleontologists of the CS
    field. We examine fossils and bones (in the
    form of recorded trace files) for hints about the
    past. Knowing about this past could help us
    protect ourselves in the future!

26
  • Links
  • http://umdrive.memphis.edu/ddebaeck/public
  • http://www.caida.org
  • http://www.cert.org
  • http://doc.bughunter.net
  • http://staff.washington.edu/dittrich/misc/ddos
  • http://packetstorm.linuxsecurity.com
  • http://www.wireshark.org
  • http://www.gnuplot.info