Outline

1
Outline

• Definition
• Point-to-point network denial of service
• Smurf
• Distributed denial of service attacks
• Trin00, TFN, Stacheldraht, TFN2K
• TCP SYN Flooding and Detection

2
Denial of Service Attack Definition

• An explicit attempt by attackers to prevent
  legitimate users of a service from using that
  service
• Threat model taxonomy from CERT
• Consumption of network connectivity and/or
  bandwidth
• Consumption of other resources, e.g. queue, CPU
• Destruction or alternation of configuration
  information
• Malformed packets confusing an application, cause
  it to freeze
• Physical destruction or alternation of network
  components

3
Status

• DoS attacks increasing in frequency, severity and
  sophistication
• 32 respondents detected DoS attacks (1999
  CSI/FBI survey)
• Yahoo, Amazon, eBay and MicroSoft DDoS attacked
• About 4,000 attacks per week in 2000
• Internet's root DNS servers attacked on
• Oct. 22, 2002, 9 out of 13 disabled for about an
  hour
• Feb. 6, 2007, one of the servers crashed, two
  reportedly "suffered badly", while others saw
  "heavy traffic
• An apparent attempt to disable the Internet itself

4
Two General Classes of Attacks

• Flooding Attacks
• Point-to-point attacks TCP/UDP/ICMP flooding,
• Smurf attacks
• Distributed attacks hierarchical structures
• Corruption Attacks
• Application/service specific
• Eg, polluting P2P systems

5
Smurf DoS Attack

• Send ping request to brdcst addr (ICMP Echo Req)
• Lots of responses
• Every host on target network generates a ping
  reply (ICMP Echo Reply) to victim
• Ping reply stream can overload victim

1 ICMP Echo ReqSrc Dos Target Dest brdct addr
3 ICMP Echo ReplyDest Dos Target
gateway
DoSTarget
DoSSource
Prevention reject external packets to brdcst
address.
6
DDOS
BadGuy
Unidirectional commands
Handler
Handler
Handler
Coordinating communication
Agent
Agent
Agent
Agent
Agent
Agent
Agent
Agent
Agent
Agent
Attack traffic
Victim
7
Attack using Trin00

• In August 1999, network of gt 2,200 systems took
  University of Minnesota offline for 3 days
• scan for known vulnerabilities, then attack with
  UDP traffic
• once host compromised, script the installation of
  the DDoS master agents
• According to the incident report, took about 3
  seconds to get root access

8
Can you find source of attack?

• Hard to find BadGuy
• Originator of attack compromised the handlers
• Originator not active when DDOS attack occurs
• Can try to find agents
• Source IP address in packets is not reliable
• Need to examine traffic at many points, modify
  traffic, or modify routers

9
Source Address Validity

• Spoofed Source Address
• random source addresses in attack packets
• Subnet Spoofed Source Address- random address
  from address space assigned to the agent
  machines subnet
• En Route Spoofed Source Address- address spoofed
  en route from agent machine to victim
• Valid Source Address- used when attack strategy
  requires several request/reply exchanges between
  an agent and the victim machine- target specific
  applications or protocol features

10
Attack Rate Dynamics

• Agent machine sends a stream of packets to the
  victim
• Constant Rate- Attack packets generated at
  constant rate, usually as many as resources allow
• Variable Rate
• Delay or avoid detection and response
• Increasing Rate- gradually increasing rate
  causes a slow exhaustion of the victims
  resources
• Fluctuating Rate- occasionally relieving the
  effect- victim can experience periodic service
  disruptions

11
The DDoS Landscape
12
Attack Tools Over Time
binary encryption
Tools
stealth / advanced scanning techniques
High
denial of service
packet spoofing
distributed attack tools
sniffers
Intruder Knowledge
www attacks
automated probes/scans
GUI
back doors
network mgmt. diagnostics
disabling audits
hijacking sessions
burglaries
Attack Sophistication
exploiting known vulnerabilities
password cracking
Attackers
password guessing
Low
2001
1980
1985
1990
1995
Source CERT/CC
13
(D)DoS Tools Over Time

• 1996 - Point-to-point
• 1997 - Combined
• 1998 - Distributed (small, C/S)
• 1999 - Add encryption, covert channel comms,
  shell features, auto-update, bundled w/rootkit
• 2000 - Speed ups, use of IRC for CC
• 2001 - Added scanning, BNC, IRC channel hopping
• 2002 - Added reflection attack, closed port back
  door, Worms include DDoS features
• 2003 - IPv6 (back to 1996)

14
Outline

• Definition
• Point-to-point network denial of service
• Smurf
• Distributed denial of service attacks
• Trin00, TFN, Stacheldraht, TFN2K
• TCP SYN Flooding and Detection

15
SYN Flooding Attack

• 90 of DoS attacks use TCP SYN floods
• Streaming spoofed TCP SYNs
• Takes advantage of three way handshake
• Server start half-open connections
• These build up until queue is full and all
  additional requests are blocked

16
TCP Overview RFCs 793, 1122, 1323, 2018, 2581

• point-to-point
• one sender, one receiver
• reliable, in-order byte steam
• no message boundaries
• pipelined
• TCP congestion and flow control set window size
• send receive buffers

• full duplex data
• bi-directional data flow in same connection
• MSS maximum segment size
• connection-oriented
• handshaking (exchange of control msgs) inits
  sender, receiver state before data exchange
• flow controlled
• sender will not overwhelm receiver

17
TCP segment structure
URG urgent data (generally not used)
counting by bytes of data (not segments!)
ACK ACK valid
PSH push data now (generally not used)
bytes rcvr willing to accept
RST, SYN, FIN connection estab (setup,
teardown commands)
Internet checksum (as in UDP)
18
TCP Connection Management

• Three way handshake
• Step 1 client host sends TCP SYN segment to
  server
• specifies initial seq
• no data
• Step 2 server host receives SYN, replies with
  SYNACK segment
• server allocates buffers
• specifies server initial seq.
• Step 3 client receives SYNACK, replies with ACK
  segment, which may contain data

• Recall TCP sender, receiver establish
  connection before exchanging data segments
• initialize TCP variables
• seq. s
• buffers, flow control info (e.g. RcvWindow)
• client connection initiator
• server contacted by client

19
TCP Handshake
C
S
SYNC
Listening
Store data
SYNS, ACKC
Wait
ACKS
Connected
20
SYN Flooding
C
S
SYNC1
Listening
SYNC2
Store data
SYNC3
SYNC4
SYNC5
21
TCP Connection Management Closing

• Step 1 client end system sends TCP FIN control
  segment to server
• Step 2 server receives FIN, replies with ACK.
  Closes connection, sends FIN.
• Step 3 client receives FIN, replies with ACK.
• Enters timed wait - will respond with ACK to
  received FINs
• Step 4 server, receives ACK. Connection closed.

client
server
closing
FIN
ACK
closing
FIN
ACK
timed wait
closed
closed
22
Flood Detection System on Router/Gateway

• Can we maintain states for each connection flow?
• Stateless, simple detection system on edge (leaf)
  routers desired
• Placement First/last mile leaf routers
• First mile detect large DoS attacker
• Last mile detect DDoS attacks that first mile
  would miss

23
Detection Methods (I)

• Utilize SYN-FIN pair behavior
• Or SYNACK FIN
• Can be both on client or server side
• However, RST violates SYN-FIN behavior
• Passive RST transmitted upon arrival of a packet
  at a closed port (usually by servers)
• Active RST initiated by the client to abort a
  TCP connection (e.g., Ctrl-D during a telnet
  session)
• Often queued data are thrown away
• So SYN-RSTactive pair is also normal

24
SYN FIN Behavior
25
SYN FIN Behavior

• Generally every SYN has a FIN
• We cant tell if RST is active or passive
• Consider 75 active

26
Vulnerability of SYN-FIN Detection

• Send out extra FIN or RST with different IP/port
  as SYN
• Waste half of its bandwidth

27
Detection Method II

• SYN SYN/ACK pair behavior
• Hard to evade for the attacking source
• Problems
• Need to sniff both incoming and outgoing traffic
• Only becomes obvious when really swamped

28
False Positive Possibilities

• Many new online users with long-lived TCP
  sessions
• More SYNs coming in than FINs
• An overloaded server would result in 3 SYNs to a
  FIN or SYN-ACK
• Because clients would retransmit the SYN

29
Backup Slides
30
Up to 1996

• Point-to-point (single threaded)
• SYN flood
• Fragmented packet attacks
• Ping of Death
• UDP kill

31
1997

• Combined attacks
• Targa
• bonk, jolt, nestea, newtear, syndrop, teardrop,
  winnuke
• Rape
• teardrop v2, newtear, boink, bonk, frag, fucked,
  troll icmp, troll udp, nestea2, fusion2, peace
  keeper, arnudp, nos, nuclear, sping, pingodeth,
  smurf, smurf4, land, jolt, pepsi

32
1998

• fapi (May 1998)
• UDP, TCP (SYN and ACK), ICMP Echo, "Smurf"
  extension
• Runs on Windows and Unix
• UDP comms
• One client spoofs src, the other does not
• Built-in shell feature
• Not designed for large networks (lt10)
• Not easy to setup/control network
• fuck_them (ADM Crew, June 1998)
• Agent written in C Handler is a shell script
• ICMP Echo Reply flooder
• Control traffic uses UDP
• Can randomize source to R.R.R.R(where 0ltRlt255)

33
1999

• More robust and functional tools
• trin00, Stacheldraht, TFN, TFN2K
• Multiple attacks (TCP SYN flood, TCP ACK flood,
  UDP flood, ICMP flood, Smurf)
• Added encryption to CC
• Covert channel
• Shell features common
• Auto-update

34
2000

• More floods (ip-proto-255, TCP NULL flood)
• Pre-convert IP addresses of 16,702 smurf
  amplifiers
• Stacheldraht v1.666
• Bundled into rootkits (tornkit includes
  stacheldraht)http//www.cert.org/incident_notes/I
  N-2000-10.html
• Full control (multiple users, by nick, with talk
  and stats)
• Omegav3
• Use of IRC for CC
• Knight
• Kaiten
• IPv6 DDoS
• 4to6 (doesnt require IPv6 support)

35
Single host in DDoS
36
2001

• Worms include DDoS features
• Code Red (attacked www.whitehouse.gov)
• Linux lion worm (TFN)
• Added scanning, BNC, IRC channel hopping
  (Blended threats term coined in 1999 by
  AusCERT)
• Power bot
• Modified Kaiten bot
• Include time synchronization (?!!)
• Leaves worm

37
Power bot

• foo oh damn, its gonna own shitloads
• foo on start of the script it will erase
  everything that it has
• foo then scan over
• foo they only reboot every few weeks anyways
• foo and it will take them 24 hours to scan the
  whole ip range
• foo !scan status
• Scanner24SCANStatus IP
  XX.X.XX.108Port 80Found 319
• Scanner208SCANStatus IP
  XXX.X.XXX.86Port 80Found 320
• . . .
• foo almost 1000 and we aren't even close
• foo we are gonna own more than we thought
• foo i bet 100thousand
• 11 hours later
• Scanner129 SCANStatus IP
  XXX.X.XXX.195Port 80Found 34
• Scanner128 SCANStatus IP
  XXX.X.XXX.228Port 80Found 67
• Scanner24 SCANStatus IP
  XX.XX.XX.42Port 80Found 3580
• Scanner208 SCANStatus IP
  XXX.XXX.XXX.156Port 80Found 3425
• Scanner65 SCANStatus IP
  XX.XX.XXX.222Port 80Found 3959
• bar cool

38
2002

• Distributed reflected attack tools
• d7-pH-orgasm
• drdos (reflects NBT, TCP SYN 80, ICMP)
• Reflected DNS attacks, steathly (NVP protocol)
  and encoded covert channel comms, closed port
  back door
• Honeynet Project Reverse Challenge
  binaryhttp//project.honeynet.org/reverse/results
  /project/020601-Analysis-IP-Proto11-Backdoor.pdf

39
2003

• Slammer worm (effectively a DDoS on local
  infrastructure)
• Windows RPC DCOM insertion vector for blended
  threat (CERT reports thousands)
• More IPv6 DoS (requires IPv6 this time)
• ipv6fuck, icmp6fuck