Denial of Service attacks

1
Denial of Service attacks
2
Types of DoS attacks

• Bandwidth consumption
• attackers have more bandwidth than victim, e.g T3
  (45Mpbs) attacks T1 (1.544 Mbps).
• attackers amplify their bandwidth engaging other
  computers to attack victim with higher bandwidth,
  e.g. 100 56Kbps attack a T1
• Resource starvation consumes system resources
  like CPU, memory, disk space on the victim
  machine.
• Program flaws exploit inability of programs to
  handle exceptions (vulnerabilities).
• Routing and DNS attacks manipulate routing
  tables
• routing protocols RIP v1 and BGP v4 have no, or
  weak authentication
• change routing tables to route to attackers net
  or black hole.
• attack to DNS servers, again route to attackers
  or black hole.
• Generic attacks like the Melissa virus which
  shutdown mail servers

3
Generic attacks

• Smurf
• 1. Attacker sends sustained ICMP Echo packets to
  broadcast address of the amplifying network
  xxx.255, with source address is forged to read
  the victims IP address
• 2. Since traffic was sent to broadcast address
  all hosts in the amplifying LAN will answer to
  the victims IP address
• Fraggle
• similar to Smurf, but sends UDP packets to port 7
  (echo) of the broadcast address.
• Countermeasures
• Prevent being an amplifying LAN disable directed
  broadcast functionality at the border router and
  set OS firewall to not respond to broadcast ECHO
  requests (see book for specific OS commands)
• Victim sites limit ICMP requests at the border
  router and contact ISP to do the same, when under
  attack.

attacker
amplifying LAN
victim
4
Generic attacks (2)

• Syn flood
• 1. attacker sends SYN packet to victim forging
  non-existent IP address
• 2. victim replies with Syn/Ack but neither
  receives Ack nor RST from non-existent IP address
• 3. victim keeps potential connection in a queue
  in Syn_Recv state, but the queue is small and
  takes some time to timeout and flush the queue,
  e.g 75 seconds
• 4. If a few SYN packets are sent by the attacker
  every 10 seconds, the victim will never clear the
  queue and stops to respond.
• Countermeasures (1) Increase size of queue, (2)
  decrease the timeout period, (3) apply patches to
  OS to protect from Syn attacks, and (4) use IDS,
  which can respond to the Syn attack by providing
  RST responses.
• DNS attacks
• primarily an UNIX /Linux problem. Go to the BIND
  site and download the latest version which fixes
  it.

5
UNIX and NT DoS/DDoS

• IP fragmentation overlap IP packets may need to
  be broken in parts (fragments) in route and put
  together by the destination OS which may have a
  flaw
• teardrop (Linux), syndrop.c, boink.c (Windows)
• countermeasures Linux kernels 2.0 and above, NT
  use SP6a.
• Stream and raped attacks (UNIX/NT) resource
  starvation, making the CPU run up to 100,
  preventing access to the NET and
  stopping/slowing other jobs
• stream.c sends TCP Ack packets to a series of
  ports with random sequence numbers and random
  source IP addresses
• raped.c attacks sends TCP Ack packets with
  spoofed IP addresses
• countermeasures in practice, none (unless you
  can change your IP address).
• DDoS attacks first attacks in February of 200
  --gt Yahoo, ETRADE, eBay, Buy.com, CNN.com, etc.
  Attacks have three stages
• attack systems and gain administration privileges
  (hunting grounds _at_Home, DSL providers, etc).
• Upload DDoS software (server) in the slaves
  (zombies) and run it (listen).
• When there are enough slaves command them to
  attack victim.
• Examples GRC.COM a case example and press
  coverage of other attacks.

6
DDoS attacks

• TFN - Tribe Flood Network install server in
  slaves and with client send attack command.
• attacks available ICMP, Smurf, UDP SYN floods,
  see more here.
• Countermeasures
• detection DDOSPing, Zombie Zapper and
  find_ddos.
• Prevention apply patches, firewall blocks to
  prevent hackers to gain admin privileges, and
  block ICMP inbound traffic (not all that
  practical, but necessary under attack).
• Trinoo and WinTrinoo install server in slaves
  and masters, and with client send instruction to
  the master which tells the slaves to attack. The
  hierarchy is needed because of the large scale of
  the attacks, see more here.
• Countermeasures same as TFN, including the above
  detection software.
• WinTrinoo the trojan is the file service .exe
  (not services) and anti-virus software can find
  it.
• Stacheldraht (barbed wire) combines the features
  of TFN with Trinoo and encrypt telnet
  connections between master and slave, preventing
  IDSs to respond.
• attacks available ICMP, Smurf, UDP SYN floods,
  see more here.
• Countermeasures same as TFN, including the above
  detection software.

7
DDoS attacks (2)

• TFN2K TFN 2000 Upgrade of original TFN, using
  randomized ports (preventing port blocking at
  router), and encryption (preventing IDS to
  respond). See more here.
• Attacks SYN, UDP, ICMP, Smurf and randomly
  switch between them.
• Countermeasures again use the same detection
  software and protect your machines, the best
  remedy (dont become a zombie!).
• DDoS trends
• CERT recent report automation of propagation and
  router attacks.
• NIPC recent advisory DDoS to increase.
• DDoS defense
• FedCIRC - Defense Tactics for Distributed Denial
  of Service Attacks.
• SANS - Consensus Roadmap for Defeating
  Distributed Denial of Service Attacks.
• Alerts and Advisories
• CERT - incidents and fixes
• NIPC - Warnings
• Securityteam.com - NT and UNIX.
• Denial of Service (DoS) Attack Resources page.