Denial of Service attacks

Denial of Service attacks. Types of DoS attacks Bandwidth consumption attackers have more bandwidth than victim, e.g T3 (45Mpbs) attacks T1 (1.544 Mbps)


Types of DoS attacks

Bandwidth consumption:

attackers have more bandwidth than the victim, e.g. a T3 (45 Mbps) attacks a T1 (1.544 Mbps).

attackers amplify their bandwidth by engaging other computers to attack the victim with a higher combined bandwidth, e.g. 100 hosts at 56 Kbps attack a T1.

Resource starvation: consumes system resources like CPU, memory, disk space on the victim machine.

Program flaws: exploit the inability of programs to handle exceptions (vulnerabilities).

Routing and DNS attacks: manipulate routing tables. Routing protocols RIP v1 and BGP v4 have no, or weak, authentication; the attacker changes routing tables to route traffic to the attacker's net or into a black hole. Attacks on DNS servers do the same: again traffic is routed to the attacker or into a black hole.

Generic attacks: like the Melissa virus, which shut down mail servers.


Generic attacks

Smurf

1. Attacker sends sustained ICMP Echo packets to the broadcast address of the amplifying network (xxx.255), with the source address forged to read the victim's IP address.

2. Since the traffic was sent to the broadcast address, all hosts in the amplifying LAN answer to the victim's IP address.

Fraggle

Similar to Smurf, but sends UDP packets to port 7 (echo) of the broadcast address.

Countermeasures

Prevent being an amplifying LAN: disable directed broadcast functionality at the border router and set the OS firewall to not respond to broadcast ECHO requests (see book for specific OS commands).

Victim sites: limit ICMP requests at the border router and contact the ISP to do the same when under attack.

[Diagram: attacker, amplifying LAN, victim; arrows labelled 1 and 2 for the two steps above]
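The two countermeasures above correspond to two checks a defender can run over packet summaries: on the amplifier side, is anything reaching the broadcast address of one of our networks as an ICMP echo request (Smurf) or UDP port 7 (Fraggle); on the victim side, are many hosts of one /24 sending echo replies to a single host that never pinged them. The following is an added example written for these notes, not code from the slides; the packet summaries, the network 192.0.2.0/24 and the victim address 198.51.100.7 are constructed (RFC 5737 documentation space), and the `Pkt` record layout is an assumption about what a router log or capture would provide.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    """One packet summary as a router ACL log or capture would record it (assumed layout)."""
    src: str
    dst: str
    proto: str   # "icmp" or "udp"
    kind: str    # ICMP: "echo-request" / "echo-reply"; UDP: destination port as a string


# Constructed: the network behind our border router (RFC 5737 documentation space).
LOCAL_NETS = [ip_network("192.0.2.0/24")]

# Constructed packet summaries; 198.51.100.7 plays the victim whose address is forged.
SAMPLE = [
    Pkt("198.51.100.7", "192.0.2.255", "icmp", "echo-request"),  # Smurf: echo to our broadcast
    Pkt("198.51.100.7", "192.0.2.255", "udp", "7"),              # Fraggle: UDP echo to our broadcast
    Pkt("203.0.113.9", "192.0.2.10", "icmp", "echo-request"),    # ordinary ping to one host
    Pkt("203.0.113.9", "192.0.2.255", "udp", "53"),              # broadcast, but not port 7
] + [Pkt(f"192.0.2.{i}", "198.51.100.7", "icmp", "echo-reply") for i in range(11, 16)]


def is_directed_broadcast(dst, local_nets):
    """True when dst is the broadcast address of one of our own networks."""
    addr = ip_address(dst)
    return any(addr == net.broadcast_address for net in local_nets)


def amplifier_exposure(pkts, local_nets):
    """Amplifier-side check: packets that would be amplified if the border router
    forwarded directed broadcasts. Returns (attack_name, packet) pairs."""
    hits = []
    for p in pkts:
        if not is_directed_broadcast(p.dst, local_nets):
            continue
        if p.proto == "icmp" and p.kind == "echo-request":
            hits.append(("smurf", p))
        elif p.proto == "udp" and p.kind == "7":
            hits.append(("fraggle", p))
    return hits


def reply_fanin(pkts, threshold):
    """Victim-side check: echo replies from many hosts of one /24 converging on a
    single destination are the amplifier signature (the victim never sent the requests).
    Returns {(source /24, destination): count} for groups at or above threshold."""
    counts = Counter()
    for p in pkts:
        if p.proto == "icmp" and p.kind == "echo-reply":
            src_net = ip_network(p.src + "/24", strict=False)
            counts[(str(src_net), p.dst)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for name, p in amplifier_exposure(SAMPLE, LOCAL_NETS):
        print(f"{name}: {p.src} -> {p.dst}")
    print(reply_fanin(SAMPLE, 3))
```

The first check is what "disable directed broadcast at the border router" removes; the second is what the victim site's ISP would look for when asked to rate-limit ICMP, since the replies arrive from the amplifier's addresses, not the attacker's.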


Generic attacks (2)

SYN flood

1. Attacker sends a SYN packet to the victim with a forged, non-existent source IP address.

2. Victim replies with SYN/ACK but receives neither an ACK nor a RST from the non-existent IP address.

3. Victim keeps the potential connection in a queue in SYN_RECV state, but the queue is small and it takes some time for entries to time out and be flushed from the queue, e.g. 75 seconds.

4. If a few SYN packets are sent by the attacker every 10 seconds, the victim never clears the queue and stops responding.

Countermeasures: (1) increase the size of the queue, (2) decrease the timeout period, (3) apply OS patches that protect against SYN attacks, and (4) use an IDS, which can respond to the SYN attack by sending RST responses.
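Steps 3 and 4 above, and countermeasures (1) and (2), follow from one relation: an entry lives in the SYN_RECV queue for the whole timeout, so the queue holds every SYN from the last ceil(timeout / burst interval) bursts, and the attacker only needs that many entries to exceed the queue size. The simulation below is an added example for these notes, not code from the slides; it uses the slide's 75-second timeout and "a few SYNs every 10 seconds", while the queue sizes (10 and 20) and a burst of 2 SYNs are assumed values.

```python
import math
from collections import deque


def simulate_syn_backlog(queue_size, timeout_s, syns_per_burst, burst_interval_s, duration_s):
    """Simulate the half-open (SYN_RECV) queue under a steady trickle of SYNs whose
    handshakes never complete, so entries leave only by timing out.
    Returns (time at which the queue first refuses a SYN, or None; peak occupancy)."""
    queue = deque()          # timestamps of half-open entries, oldest first
    first_full = None
    peak = 0
    t = 0
    while t <= duration_s:
        # flush entries that have reached the timeout
        while queue and t - queue[0] >= timeout_s:
            queue.popleft()
        for _ in range(syns_per_burst):
            if len(queue) < queue_size:
                queue.append(t)
            elif first_full is None:
                first_full = t   # a legitimate SYN arriving now would be dropped as well
        peak = max(peak, len(queue))
        t += burst_interval_s
    return first_full, peak


def steady_state_occupancy(timeout_s, syns_per_burst, burst_interval_s):
    """Closed form of the same thing: every entry lives for timeout_s, so the queue
    holds the SYNs from the last ceil(timeout / interval) bursts."""
    return syns_per_burst * math.ceil(timeout_s / burst_interval_s)


if __name__ == "__main__":
    # assumed queue sizes; timeout and burst interval are the slide's numbers
    print(simulate_syn_backlog(10, 75, 2, 10, 300))   # small queue: fills at t=50
    print(simulate_syn_backlog(20, 75, 2, 10, 300))   # countermeasure 1: bigger queue, peak 16
    print(simulate_syn_backlog(10, 20, 2, 10, 300))   # countermeasure 2: shorter timeout, peak 4
```

With 2 SYNs every 10 seconds and a 75-second timeout the queue settles at 16 entries, so a queue of 10 fills after the fifth burst; doubling the queue or cutting the timeout to 20 seconds keeps the same attack below the limit. The same relation shows why neither fix holds against a faster sender, which is why the slide's countermeasures (3) and (4) exist.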

DNS attacks: primarily a UNIX/Linux problem. Go to the BIND site and download the latest version, which fixes it.

[Diagram: attacker sends SYN packet to victim]


UNIX and NT DoS/DDoS

IP fragmentation overlap: IP packets may need to be broken into parts (fragments) en route and reassembled by the destination OS, which may have a flaw: teardrop (Linux), syndrop.c, boink.c (Windows). Countermeasures: Linux kernels 2.0 and above; on NT use SP6a.
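The flaw the patches above fix is in the reassembly arithmetic: a fragment whose offset lands inside data already received makes a naive "end minus start" length go wrong. A hardened reassembler validates the fragment set before copying anything. The checker below is an added example for these notes, not code from the slides or from any kernel; it takes fragments as (offset in bytes, payload length, more-fragments flag) triples, and the sample fragment sets are constructed.

```python
def validate_fragments(frags, max_datagram=65535):
    """frags: (offset_bytes, payload_len, more_fragments) triples for one datagram.
    The IP header stores offsets in 8-byte units; multiply by 8 before calling.
    Returns a verdict; anything but 'complete' means the buffer must not be
    handed to the stack (drop, or keep waiting for 'missing-fragment')."""
    frags = sorted(frags)
    end = 0                       # end of the contiguous data reassembled so far
    last = len(frags) - 1
    for i, (off, length, more) in enumerate(frags):
        if length <= 0 or off + length > max_datagram:
            return "invalid-length"     # would overrun the reassembly buffer
        if off < end:
            return "overlap"            # fragment lands inside earlier data
        if off > end:
            return "missing-fragment"   # hole: never pass partial data up
        end = off + length
        if more and i == last:
            return "incomplete"         # final fragment not seen yet
        if not more and i != last:
            return "data-after-last"    # fragments beyond the one flagged as last
    return "complete"


if __name__ == "__main__":
    # Constructed: a normal three-fragment datagram and an overlapping pair.
    print(validate_fragments([(0, 1480, True), (1480, 1480, True), (2960, 100, False)]))
    print(validate_fragments([(0, 36, True), (24, 4, False)]))
```

The overlap rule is deliberately strict: it rejects any fragment that starts before the end of the data already seen, rather than trying to merge overlapping bytes, since the merge step is exactly where the affected stacks went wrong.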

Stream and raped attacks (UNIX/NT): resource starvation, driving the CPU up to 100%, preventing access to the net and stopping or slowing other jobs. stream.c sends TCP ACK packets to a series of ports with random sequence numbers and random source IP addresses. raped.c sends TCP ACK packets with spoofed IP addresses. Countermeasures: in practice, none (unless you can change your IP address).

DDoS attacks: first attacks in February of 2000 on Yahoo, E*TRADE, eBay, Buy.com, CNN.com, etc. Attacks have three stages:

1. Attack systems and gain administration privileges (hunting grounds: @Home, DSL providers, etc.).

2. Upload the DDoS software (server) to the slaves (zombies) and run it (listening).

3. When there are enough slaves, command them to attack the victim.

Examples: GRC.COM: a case example and press coverage of other attacks.


DDoS attacks

TFN - Tribe Flood Network: install the server in the slaves and send the attack command with the client. Attacks available: ICMP, Smurf, UDP & SYN floods, see more here. Countermeasures: detection: DDOSPing, Zombie Zapper and find_ddos. Prevention: apply patches, firewall blocks to prevent hackers from gaining admin privileges, and block ICMP inbound traffic (not all that practical, but necessary under attack).

Trinoo and WinTrinoo: install the server in slaves and masters, and with the client send the instruction to the master, which tells the slaves to attack. The hierarchy is needed because of the large scale of the attacks, see more here.

Countermeasures: same as TFN, including the above detection software.

WinTrinoo: the trojan is the file service.exe (not services.exe) and anti-virus software can find it.

Stacheldraht (barbed wire): combines the features of TFN with Trinoo and encrypts the telnet connections between master and slave, preventing IDSs from responding. Attacks available: ICMP, Smurf, UDP & SYN floods, see more here. Countermeasures: same as TFN, including the above detection software.


DDoS attacks (2)

TFN2K (TFN 2000): upgrade of the original TFN, using randomized ports (preventing port blocking at the router) and encryption (preventing the IDS from responding). See more here.

Attacks: SYN, UDP, ICMP, Smurf, switching randomly between them.

Countermeasures: again use the same detection software and protect your machines, which is the best remedy (don't become a zombie!).

DDoS trends: CERT recent report: automation of propagation and router attacks. NIPC recent advisory: DDoS to increase.

DDoS defense: FedCIRC - Defense Tactics for Distributed Denial of Service Attacks. SANS - Consensus Roadmap for Defeating Distributed Denial of Service Attacks.

Alerts and Advisories: CERT - incidents and fixes. NIPC - Warnings. Securityteam.com - NT and UNIX.

Denial of Service (DoS) Attack Resources page.