Denial of Service AttacksDenial of Service Attacks

Lesson 12

Email Flooding/bombingEmail Flooding/bombing A form of denial of service attack. From the CERT web page:

Email "bombing" is characterized by abusers repeatedly sending an identical email message to a particular address. Email "spamming" is a variant of bombing; it refers to sending email to hundreds or thousands of users (or to lists that expand to that many users). Email spamming can be made worse if recipients reply to the email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to mailing lists and not realizing that the list explodes to thousands of users, or as a result of an incorrectly set-up responder message (such as vacation(1)).Email bombing/spamming may be combined with email "spoofing" (which alters the identity of the account sending the email), making it more difficult to determine who the email is actually coming from.

Email FloodingEmail Flooding

AttackerAttacker

Attacker sends 100’s or1000’s of emails to target

Target user’s box fills ortarget system can godown.

Effectiveness as means to attack a system depends on therelative size of the systems and the “pipes”.

Email Flooding

AttackerAttacker

Attacker sends spoofed emailwith error to 100’s of systems

Systems return email to system thatappears to have sent emails.

Target system goesdown under load oftoo many emails.

Email Bombing exampleEmail Bombing example

Email FloodingWhat can you do?Email FloodingWhat can you do?

From the CERT web page:A.Detection

– If your system suddenly appears sluggish (email is slow or doesn't appear to be sent or received), the reason may be that your mailer is trying to process a large number of messages.

B.Reaction– Identify the source of the email bomb/spam and configure your router (or have your

Network Service Provider configure the router) to prevent incoming packets from that address. Review email headers to determine the true origin of the email. Review the information related to the email bomb/spam following relevant policies and procedures of your organization.

– Follow up with the site(s) you identified in your review to alert them to the activity. Contact them to alert them to the activity. NOTE: When contacting these sites, keep in mind that the abuser may be trying to hide their identity.

– Ensure you are up to date with the most current version of email delivery daemon (sendmail, for example) and increase logging capabilities as necessary to detect or alert you to such activity.

Denial of Service AttacksDenial of Service Attacks

Denial of Service AttacksDenial of Service Attacks

Denial of Service (DoS) Attacks that deny legitimate users service and access to information

resources. Different ways to categorize them

Bandwidth Consumption– attackers will consume all available bandwidth to a particular network

Resource Starvation– focuses on consuming system resources rather than network resources (e.g. CPU

utilization, memory, file-system quotas)

Programming Flaws– failures of an application, or operating system to handle exceptional conditions (normally

result when a user sends unintended data to the vulnerable element)

Routing and DNS attacks– involves attackers manipulating routing table entries to deny service to legitimate

systems or networks.

Denial of Service (DoS)Denial of Service (DoS) Different ways to categorize them

Nature of attack– Poisoned traffic

malformed or invalid data that can’t be properly handled– Brute-force resource

simply use up all available capacity– Stateful resource

take advantage of client/server relationship in protocols

“target” of attack– Operating system attacks

target flaws in specific operating systems– Networking attacks

exploit inherent limitations of networking

Sources of the AttackSources of the Attack Can come from many (any) places in the network An attacker can hide the source of an attack

through IP spoofing Attackers can also hide their identity by enslaving

unwitting victims.“owned” or “zombie” agents

When an attacker uses many zombie agents together simultaneously the result is a Distributed Denial of Service (DDoS) attack

IIS AttackIIS Attack Internet Information Services: a MS web server Operating System/Poisoned Traffic attack Worked against NT 4.0 running Microsoft’s Internet

Information Server version 3.0 All that was required was for the user to request a

document with a very long name from the server to halt it.

e.g. http://victim.com/?something=xxxxxx… A patch for this bug was issued by MS

Ping of Death (POD)Ping of Death (POD) Normal Ping utility used to determine whether another

machine on the network is up.Accomplished by sending an Internet Control Message Protocol (ICMP) “echo” or “ping” packet to the target.The target replies if it is operating

POD accomplished by sending packet > 64KBuffer overflow ensues causing reboot or crash

Patches issued to address this attack

ICMP PacketICMP Packet Considered part of IP layer Communicates error messages and other conditions

that require attention. ICMP messages are usually acted on by either the IP

layer or the higher layer protocol. ICMP messages are transmitted within IP datagrams

as shown:

ICMP MessageIP Header20 bytes

ICMP packetICMP packet

8-bit type 8-bit code 16-bit checksum

(contents depends on type and code)

ICMP MessagesICMP MessagesType code Description Query Error0 0 echo reply x3 destination unreachable

0 network unreachable x1 host unreachable x2 protocol unreachable x3 port unreachable x

4 0 source quench (flow control) x5 redirect

0 redirect for network x1 redirect for host x

8 0 echo request x13 0 timestamp request x

Smurf/ping flooding/ICMP stormSmurf/ping flooding/ICMP storm Another attack that exploits the ping utility Attacker sends a large stream of spoofed ping packets to a broadcast

address (an IP address that services a network of computers)All of the packets have as their source address the target’s IP address.

Broadcast is “heard” (relayed) by all hosts on network. Hosts reply to the victim Amount of data sent to victim is multiplied by a factor of the number of

hosts in network If multiple requests sent to broadcast host, target will be overloaded

with replies A Network/Brute-force attack

ICMP FloodingICMP Flooding

Attacker

Broadcast request

PingBroadcast request

Multiple Ping requests

Multiple Ping replies

System or networkbecomes overloaded

DNS Cache poisoningDNS Cache poisoning

Attacker’s web server

Internet

Microsoft’s DNS server

Web Server www.microsoft.com

Client’s PC

1. Client PC requests to go to Microsoft web site,

browser tries to resolve the name

Attacker’s web server

2. DNS server’s cache has been poisoned by

attacker, returns address of attacker’s

web server

3. Attacker’s system now fraudulently poses as www.microsoft.com

From: Hacking Exposed 2ed

But what if we send folks for a high volume site to a target system instead?

SYN floodingSYN flooding Exploits the synchronization protocol used to initiate connections Normal process is:

Initiator sends synchronization (SYN) packetTarget replies with a SYN/ACK (acknowledgement)Initiator sends ACK, two machines are now ready

In SYN flooding, attacker sends SYN packets with phony source addresstarget replies with SYN/ACK but it goes nowheretarget waits for ACK, eventually gives up but…– if enough SYN’s received, space will fill up

Network/Stateful Resource attack

SYN FloodingSYN Flooding

SYN AttacksSYN Attacks

Syn_Flooder an example of SYN Flooding attack Land is a specialized version of SYN attack

From CERT Advisory CA-97.28 - Teardrop_Land– Some implementations of TCP/IP are vulnerable to packets that are crafted

in a particular way (a SYN packet in which the source address and port are the same as the destination--i.e., spoofed). Land is a widely available attack tool that exploits this vulnerability. Any remote user that can send spoofed packets to a host can crash or "hang" that host.

Operating System/Poisoned traffic attackA patch to fix this problem is available from vendors

Resource Starvation attackResource Starvation attack

One method utilizes two UDP servicesEcho: the server returns whatever the client sendsChargen: The server sends a datagram containing a random number of characters each time the client sends a datagram.

Now, an intruder will spoof a packet and connects the Echo service on one machine to the chargen service on another.

Other DoS Attacks - TeardropOther DoS Attacks - Teardrop Teardrop

From CERT Advisory CA-97.28 - Teardrop_Land– Some implementations of the TCP/IP IP fragmentation re-assembly

code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability. Any remote user can crash a vulnerable machine.

– Operating System/Poisoned traffic– Patch to prevent is available from vendors

Bytes 1-1500 Bytes 1501-3000 Bytes 3001-4500Normal reassembled IP Packets

Bytes 1-1500 Bytes 1200-3200 Bytes 3001-4500Abnormally reassembled IP Packets

Other DoS Attacks - BonkOther DoS Attacks - Bonk A variant of Teardrop aimed at W95 and NT

From www.attrition.org/security/denial/w/bonk.dos.html– Based On: teardrop.c by route|daemon9 & klepto

Crashes *patched* win95/(NT?) machines. Basically, we set the frag offset > header length (teardrop reversed). There are many theories as to why this works, however i do not have the resources to perform extensive testing.

– Operating System/Poisoned traffic– Patch to prevent is available from vendors

For fun, check out http://www.attrition.org/security/denial/

Other DoS Attacks - WinNukeOther DoS Attacks - WinNuke Affects Windows 95/3.1/NT Causes “Blue Screen of Death”

Computer recovers but Internet connection hosed, requires reboot

uses Out of Band (OOB) data sent to an established connection.

Windows doesn’t handle OOB well and goes into a panic. Operating System/Poisoned traffic attack

DDoS AttackDDoS Attack

tribal flood network (TFN) DDoStribal flood network (TFN) DDoS

TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks.

Remote control of a TFN is accomplished via command line execution of the client program, using any of a number of connection methods (e.g., remote shell bound to a TCP port, UDP based client/server remote shells, ICMP based client/server shells, or normal "telnet" TCP terminal sessions.

Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY (why?) packets. There is no TCP or UDP based communication between the client and daemons at all.

trinoo DDoStrinoo DDoS

A trinoo network of at least 227 systems was used on Aug 17, 1999 to flood a single system at the University of Minnesota.

The attacker(s) control one or more “master”servers, each of which can control many daemons.

Remote control of the master is accomplished via a TCP connection to port 27665, after which the user must authenticate with a password.

Communication between the master to daemons is via UDP packects on port 27444.

When the daemon starts, it initially sends a “hello” message to the master which maintains a list of active daemons it controls.

The daemons send UDP packets to random (0-64K) UDP ports on the target for a period of time (120 seconds default)

Stacheldraht (barbed wire) DDoSStacheldraht (barbed wire) DDoS Combines features of the trinoo and the original TFN

and adds encryption of communication between attacker and masters and automated updating of agents.

Can do ICMP flood, SYN flood, UDP flood, and smurf style attacks.

There is a limit of 1000 agents for each master Used TCP and ICMP for communication between

master and agents (trinoo used UDP, TFN used ICMP)

Code RedCode Red Three phases

Propagation phase: day 1-19 of the month– Scan systems on TCP port 80 and send special HTTP GET request that exploited an

overflow in IIS. If successful, worm ran in RAM and spawned 99 threads to attack a relatively random set of IP addresses. If web site was in English, then also left defaced message up for 10 hours.

Flood phase: days 20-28 of the month. Between 8:00 and 11:59 pm send 100KB packets to IP address for what was www.whitehouse.gov.Termination Phase: days 28-31 of the month. The worm became dormant.

To remove, reboot system (to eliminate from RAM) and install patch from Microsoft to prevent reinfection.

Not all systems on network are computers, if Code Red sent packet to HP JetDirect devices or Cisco 600 DSL router they would crash.

BlasterBlaster Targeted Windows 2000 and Windows XP Downloads and runs “msblast.exe” Attempted to infect other machines

40% of time generated IP address A.B.C.* where A.B.C. was the same as the infected machine60% of time generated completely random address

If month was Sept-Dec, or date was 16- 31 of Jan-Aug, attempted to perform DoS attack on Windows Update site to keep folks from being able to download fix.

Protection from DoS and DDoSProtection from DoS and DDoS

Best way would seem to be to stop the attack before it happens

Detect and Remove Trojans/zombies from servers, use file-integrity checking programs

Block “marching orders”e.g. one method to send the “attack” order is to send an unsolicited ICMP ping response -- firewalls should be set to block this. Broadcasts should not send ping requests. Limit ability to spoof.

Block the attack at the source

Block DoS attacks at sourceBlock DoS attacks at source

Mitigating the Effects of DoSMitigating the Effects of DoS Acknowledges that we can’t stop DoS Harden the network Avoid putting “all of your eggs in one basket” Use Load balancers

can employ “delayed binds” which drop sessionscan also drop “Silent” TCP sessions

Adjust state limits (e.g. wait time)

Methods to keep from becoming a zombieMethods to keep from becoming a zombie

Keep abreast of vulnerabilities for your HW & SW Use a firewall Monitor system & test for vulnerabilities (to ensure they are

patched), check what TCP/UDP ports are open. Monitor logs and check for suspicious activity Audit system files to make sure no changes have been made Don’t run SW if you can’t trust it/don’t know where it came from Follow recommendations and guidelines from CERT, SANS…

IOW, do those things you should be doing to avoid intrusions, becausethat’s how you become a zombie.

SummarySummary

What is the Importance and Significance of this material?

How does this topic fit into the subject of “Voice and Data Security”?