DDos - PowerPoint PPT Presentation

Slides: 22
Provided by: marksch97

1
DDos
  • Distributed Denial of Service Attacks

by Mark Schuchter
2
Overview
  • Introduction
  • Why?
  • Timeline
  • How?
  • Typical attack (UNIX)
  • Typical attack (Windows)

3
Introduction
  • limited and consumable resources (memory, processor cycles, bandwidth, ...)
  • Internet security is highly interdependent
  • DDoS attack: prevents and impairs computer use
4
Why?
  • sub-cultural status
  • nastiness
  • revenge
  • to gain access
  • economic reasons
  • political reasons
5
Timeline
  • <1999: point-to-point attacks (SYN flood, Ping of Death, ...), first distributed attack tools (fapi)
  • 1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
  • 2000: bundled with rootkits, controlled with talk or IRC
  • 2001: worms include DDoS features (e.g. Code Red), include time synchronisation
  • 2002: DrDoS (reflected) attack tools (179/TCP, BGP = Border Gateway Protocol)
  • 2003: Mydoom infects thousands of victims to attack SCO and Microsoft
6
How?
  • TCP floods (various flags)
  • ICMP echo requests (e.g. Ping floods)
  • UDP floods
7
SYN-Attack
(diagrams: Handshake, Attack)
8
Typical attack
  1. prepare attack
  2. set up network
  3. communication
9
UNIX (trin00) preparation I
  • use stolen account (high bandwidth) as a repository for
    • scanners
    • attack tools (e.g. buffer overrun exploit)
    • root kits
    • sniffers
    • trin00 master and daemon program
    • list of vulnerable hosts, previously compromised hosts, ...

10
UNIX (trin00) preparation II
  • scan large range of network blocks to identify potential targets (running exploitable service)
  • list used to create script that
    • performs exploit
    • sets up command shell running under root that listens on a TCP port (1524/tcp)
    • connects to this port to confirm exploit
  • → list of owned systems

11
UNIX (trin00) network I
  • store pre-compiled binary of trin00 daemon on some stolen account on the Internet
  • script takes owned-list to automate installation process of daemon
  • same goes for trin00 master

12
UNIX (trin00) network II
(diagram: attackers → masters → daemons)
13
UNIX (trin00) communication
  • attacker controls master via telnet and a password (port 27665/tcp)
  • trin00 master to daemon via 27444/udp (arg1 pwd arg2)
  • daemon to master via 31335/udp
  • dos <pw> 192.168.0.1 triggers attack

14
Windows (Sub7) preparation I
  • set up the following things on your home PC
    • freemail
    • kazaa
    • trojan-toolkit
    • IRC-client
    • IRC-bot

15
Windows (Sub7) preparation II
  • assemble different trojans (GUI)
  • define ways of communication
    • name
    • file

16
Windows (Sub7) network I
  • start spreading via
    • email/news lists
    • IRC
    • P2P-Software

17
Windows (Sub7) network II
(diagram: attacker → clients)
18
Windows (Sub7) communication
  • sub7client
  • IRC channel
  • 1 click to launch attack

19
Development
20
Solutions
  • statistical analyses (e.g. D-WARD) at core routers - not ready yet
  • change awareness of people (firewalls, attachments, virus scanners, ...)
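Added example, not part of the slides: a small Python flow analyser in the spirit of the statistical approach on slide 20, applied to the trin00 control ports from slide 13 and to the TCP/ICMP floods from slide 6. The flow records, addresses and thresholds are constructed for illustration, and the SYN-ratio heuristic is a simplified stand-in for what a tool like D-WARD does, not its actual algorithm.

```python
from collections import Counter, defaultdict

# trin00 control channel as listed on slide 13: (proto, destination port) -> role
TRIN00_PORTS = {
    ("tcp", 27665): "attacker -> master (telnet, password protected)",
    ("udp", 27444): "master -> daemon (commands)",
    ("udp", 31335): "daemon -> master (replies)",
}

def flow(proto, src, dst, dport, packets, flags="", icmp_type=None):
    # One aggregated flow record; the field names are this example's own, not a NetFlow standard
    return dict(proto=proto, src=src, dst=dst, dport=dport, packets=packets, flags=flags, icmp_type=icmp_type)

# Constructed sample flows for one observation window (documentation-range addresses, not captured traffic)
FLOWS = [
    flow("tcp", "203.0.113.5", "198.51.100.10", 27665, 40, flags="PA"),   # attacker -> master
    flow("udp", "198.51.100.10", "198.51.100.20", 27444, 3),              # master -> daemon
    flow("udp", "198.51.100.20", "198.51.100.10", 31335, 3),              # daemon -> master
    flow("tcp", "198.51.100.20", "192.0.2.1", 80, 5000, flags="S"),       # bare SYNs from three sources
    flow("tcp", "198.51.100.21", "192.0.2.1", 80, 5000, flags="S"),
    flow("tcp", "198.51.100.22", "192.0.2.1", 80, 5000, flags="S"),
    flow("tcp", "198.51.100.30", "192.0.2.1", 80, 12, flags="PA"),        # a legitimate client of the same target
    flow("tcp", "198.51.100.30", "192.0.2.2", 443, 200, flags="PA"),      # ordinary web traffic, no alert expected
    flow("icmp", "198.51.100.21", "192.0.2.3", 0, 2500, icmp_type=8),     # echo-request (ping) flood
]

def find_control_channels(flows):
    """Flows whose protocol and destination port match a trin00 control channel."""
    return [(f["src"], f["dst"], f["dport"], TRIN00_PORTS[(f["proto"], f["dport"])])
            for f in flows if (f["proto"], f["dport"]) in TRIN00_PORTS]

def find_floods(flows, syn_ratio=0.9, min_sources=3, icmp_limit=1000):
    """Per destination: SYN flood if nearly all TCP packets are bare SYNs from several sources,
    ICMP echo flood if echo-request packets exceed icmp_limit within the window."""
    tcp_total, syn_only, icmp_echo = Counter(), Counter(), Counter()
    syn_sources = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp":
            tcp_total[f["dst"]] += f["packets"]
            if f["flags"] == "S":                      # SYN set, nothing else: never completed a handshake
                syn_only[f["dst"]] += f["packets"]
                syn_sources[f["dst"]].add(f["src"])
        elif f["proto"] == "icmp" and f["icmp_type"] == 8:
            icmp_echo[f["dst"]] += f["packets"]
    alerts = {}
    for dst, total in tcp_total.items():
        if syn_only[dst] / total >= syn_ratio and len(syn_sources[dst]) >= min_sources:
            alerts[dst] = "syn-flood"
    for dst, pkts in icmp_echo.items():
        if pkts > icmp_limit:
            alerts[dst] = "icmp-echo-flood"
    return alerts
```

On the sample data the port matcher reports all three trin00 channels and the flood check flags 192.0.2.1 (SYN flood) and 192.0.2.3 (ICMP echo flood) while leaving the ordinary web traffic to 192.0.2.2 alone.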

21
Thanks for your attention!