NETWORK TERM PROJECT
SONY HACK OR DDOS

Prepared for: Centennial College, CNET 124-062, Toronto, Ontario
Prepared by: Yi Chen (300646912), Arulnithy Suthakaran (300641636), Artur Shamsi (300586155), CNET 124-062 students, Centennial College
August 5, 2011

TABLE OF CONTENTS
EXECUTIVE SUMMARY
CONCLUSIONS
1.0 INTRODUCTION
1.1 Background
1.2 Purpose of Report
2.0 PROBLEM FACED BY SONY
2.1 What happened with PSN
2.2 Result of attack
2.3 Method used to hack PSN
3.0 BASICS OF DDOS
3.1 Understanding of DoS
3.2 DDoS and its characteristics
3.3 Difference between DoS and DDoS
4.0 HISTORY AND HOW IT WORKS
4.1 DoS attack facts
4.2 DDoS attack facts
4.3 Steps to organize DDoS
5.0 TOOLS TO LAUNCH DDOS
5.1 TRIN00
5.2 Tribe Flood Network (TFN)
5.3 Tribe Flood Network 2000 (TFN2K)
5.4 Stacheldraht
6.0 METHODS TO DEFEND
6.1 Why it is hard to defend
6.2 Pushback
6.3 Black hole route
6.4 DDoS mitigation appliances and Intrusion-detection systems (IDSs)
6.5 VeriSign DDoS Protection Services
7.0 REFERENCES

EXECUTIVE SUMMARY
This report reviews Distributed Denial of Service (DDoS) attacks, which attackers commonly use to overwhelm web servers and networks so that their resources become unavailable to their intended users.

The report discusses the April 2011 attack on the Sony Computer Entertainment and Sony Network Entertainment (Sony) PlayStation Network (PSN) and its results. It defines DDoS terminology and surveys the tools used to carry out such attacks. It also shows that DDoS attacks are common and that there is no single standard way to protect a network against them; a number of tools and methods can nevertheless prevent or mitigate an attack. The report recommends that corporations such as Sony secure their networks in advance with current tools and mechanisms that reduce the probability of denial of network services and, with it, the probability of financial loss.

CONCLUSIONS
The attack on Sony's PSN is an example of how an e-business can be compromised. Because DDoS attacks are unpredictable by nature, there is no simple and complete defence against them. Moreover, attack traffic usually consists of well-formed packets that are hard to tell apart from legitimate requests, which makes the attack difficult to recognise.

A number of steps can nevertheless prevent or mitigate an attack. Network ingress and egress filtering does not stop a flood by itself, but border routers with filters can be configured to drop incoming traffic that matches known attack patterns or exceeds a rate. Organizations can also keep their own hosts from being recruited as slaves against other targets: regular audits, tools that detect installed DDoS agent software, and routine software updates all reduce the risk that a network is compromised.

The Sony PSN case shows that e-businesses can suffer from DDoS attacks. Besides financial losses, which can run to millions of dollars, the possible results include loss of consumer confidence and damage to the company's reputation. Corporations such as Sony should therefore take security measures against possible DDoS attacks in advance and deploy security tools suited to the hacking techniques in use.

1.0 INTRODUCTION
1.1 Background
Many organizations and corporations around the world build and use networks to sell products and provide services to their customers. Commonly the customers are invited to create profiles on the company's website so that access to services is easier and quicker. Besides a username and password chosen by the user, a customer profile often requires more private information such as a full name, billing address, credit card number or other financial details. This is a very common way of letting customers purchase products or services online, also known as e-commerce.

Companies and organizations are aware that the customer information they store on their servers is confidential and cannot be used by third parties without the customer's permission, which is usually set out in an agreement between company and customer. Because of the financial component of user profiles, companies understand that this confidential information is a target for malicious actors, and they use a range of technical measures to secure it and prevent theft. As defences improve, however, attackers' techniques improve too, and with them the threat of network intrusions aimed at confidential information.

1.2 Purpose of Report
This report examines the attack against Sony's PSN in April 2011, which has been described as a DDoS attack. It describes the incident, the events that preceded it and its consequences. The report focuses on the main features of DDoS, the history of such attacks and the methods commonly used to defend company networks against them.
In conclusion, the report highlights that a DDoS attack is one that can significantly damage a company's reputation for security.

2.0 Problem faced by SONY
2.1 What happened with PSN
According to Patrick Seybold (2011), Sony's Sr. Director, Corporate Communications & Social Media, Sony "discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network". A group of hackers calling themselves Anonymous sent Sony a message claiming responsibility for attacking PSN. In its message Anonymous says the attack was a response to the action Sony had taken against George Hotz (Anonymous, 2011). In early 2011 Sony had sued Hotz, who is well known for jailbreaking the iPhone, for hacking the PlayStation 3 (PS3) "so that it could run the Linux OS" and his own code (McMillan, 2011). Hotz (2011) denies any involvement in the PSN attack on his blog.

2.2 Result of attack
According to Seybold (2011), as a result of the attack users' personal information, including profile data such as "purchase history and billing address" together with credit card information, was taken from PSN databases by the attackers. In addition, Martin Williams (2011) reports in his article "PlayStation Network Hack Timeline" that "Sony shares dropped 4.5 percent in Tokyo" stock exchange trading.

2.3 Method used to hack PSN
According to the article "Data breach and electronic crime: The Sony's case" by the Global Cyber Security Center (GCSEC, 2011), the Anonymous group used a DDoS attack against Sony's PSN. It should be noted that a DDoS attack denies availability; it does not by itself extract data. The theft of account and card data described in 2.2 therefore points to an intrusion distinct from the flood, as Sony's own wording ("unauthorized intrusion") implies, even if the two were related. The remainder of this report concerns the DDoS component of the incident.
3.0 Basics of DDoS
3.1 Understanding of DoS
Mirkovic, Dietrich, Dittrich, and Reiher (2005) define a Denial of Service (DoS) attack as one whose goal is to "disrupt some legitimate activity, such as browsing Web pages, listening to an online radio, transferring money from your bank account, or even docking ships communicating with a naval port" (p. 2). In other words, a DoS attack stops a service or denies use of a system, typically by exhausting its resources. To achieve this the attacker uses one of three categories of DoS attack: "consumption of bandwidth, consumption of resources and exploitation of programming defects", as defined by Sean-Philip Oriyano, an American veteran of the information technology and engineering fields, and Michael Gregg, an American computer security specialist (2010, p. 290).

3.2 DDoS and its characteristics
DDoS is an advanced form of DoS. It pursues the same goal, but the attack is organized and launched from many different hosts or systems at once. Any attack that denies a service to its intended users can be characterized as DoS or DDoS depending on the method used to launch it. Oriyano and Gregg (2010) characterize DDoS as follows:
1. DDoS attacks are usually very large; thousands of systems may take part in one attack.
2. DDoS has two types of victim: the primary victim is the actual target, and the secondary victims are the compromised systems used as the medium of attack.
3. DDoS attacks can be difficult or impossible to trace back to their true source.
4. DDoS defence is extremely difficult because of the number of agents used in the attack.
5. The impact of a DDoS attack is more severe, since it can open holes for further attacks (p. 293).
3.3 Difference between DoS and DDoS
Although DoS and DDoS attacks share the same nature and goals, there is an essential difference between them that should be kept in mind. Oriyano and Gregg (2010) note that "the difference is in implementation as DoS is generally one system attacking another, and DDoS is many system attacking another" (p. 293).

4.0 History and how it works
4.1 DoS attack facts
Mirkovic et al. (2005) note that the attack on Yahoo! did most to publicise the impact of denial-of-service attacks. A DoS attack targets availability: it floods the attacked server with bogus requests until it can no longer serve anyone, or crashes outright. Such attacks have been known for many years. As defined earlier, in a denial-of-service attack the attacker attempts to prevent regular, legitimate users from accessing the information or services provided by a host or server. The most commonly documented form is a flood of network traffic that stops the host from functioning normally. It is important to note that a sudden surge in legitimate Internet traffic can sometimes be mistaken for a DoS or DDoS attack (Mirkovic et al., 2005, p. 51).

4.2 DDoS attack facts
According to Kessler (2000), DDoS attacks are much newer than DoS attacks and were first seen in mid-1999. The first documented DDoS attack used the tool Trinoo against a University of Minnesota computer lab; it involved more than 227 systems and took the lab down for two days. The first widely publicised DDoS attack was conducted against Yahoo! in February 2000, when the company's site was inaccessible for a few hours; shortly afterwards other well-established companies such as Amazon, CNN and Buy.com were also attacked (Kessler, 2000). The April 2011 attack on Sony's PSN is a recent example of the same type.
4.3 Steps to organize DDoS
A DDoS attack needs both software and a set of machines to run it. The software tools are described in chapter 5 of this report. The attack network commonly consists of three kinds of system:
1. Master (handler) systems, from which the attacker controls and launches the attack.
2. Slave (zombie, agent, daemon) systems on which the attack software has been installed. These systems are fully controlled by the attacker and are victims themselves, though not the primary ones.
3. The primary victim, or target system.
Gary C. Kessler, associate professor and program director at Champlain College in Burlington, gives a graphical representation of a DDoS attack in his paper "Defenses Against Distributed Denial of Service Attacks" (image modified):

Figure 1: DDoS attack network of attacker, masters, agents and victim (adapted from Kessler, 2000)

As Figure 1 shows, the attack packets arrive from many addresses rather than a single one. Because the agents, not the attacker, send the traffic, and because the agents' source addresses may be spoofed, the attack can mislead administrators and point them to the wrong location. Communication between the master and the daemons is often hidden and difficult to locate. This is part of what makes the method attractive to criminals: the risk of attacking online is lower than that of a physical attack. Attackers constantly develop new tools and techniques, so the DDoS method and its tooling keep evolving.

5.0 Tools to launch DDoS
5.1 TRIN00
One of the most common DDoS tools is Trin00, also called Trinoo. It dates from 1999, when it was first used to disable several university networks. Trin00 sends a very large number of UDP packets to random destination ports on the target addresses for a specified duration. For each packet that reaches a port with no listener, the target answers with an ICMP Port Unreachable message, so the flood consumes the victim's bandwidth and processing capacity in both directions. This continues until resources are exhausted and legitimate traffic can no longer get through.
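The UDP flood just described, together with the SYN flood and Smurf patterns that TFN generates (5.2), as they would appear to a monitoring point on the victim's network. This is an added example written for this report, not code from Trin00, TFN or any other tool named here. It goes a step beyond the text by showing the three signatures side by side over one trace: the flow records are constructed, the addresses come from the documentation ranges, and the thresholds are illustrative assumptions that a real deployment would tune to its own traffic baseline.

```python
"""Flow-based detection of the flood patterns generated by Trin00 and TFN.

Added example for this report, not code from any of the tools it describes.
It works on simplified per-flow records (one record per packet or per
aggregated flow) of the kind a NetFlow/IPFIX collector or a packet capture
would yield. The records below are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp", "tcp" or "icmp"
    dport: int = 0        # destination port for tcp/udp
    flags: str = ""       # TCP flags as letters, e.g. "S" (SYN only), "A" (ACK)
    icmp: tuple = ()      # (type, code) for ICMP
    pkts: int = 1


def detect_udp_flood(flows, min_pkts=1000, min_ports=100):
    """Trin00 pattern (5.1): a burst of UDP to many different destination ports
    on one host, which answers with ICMP Port Unreachable (type 3, code 3).
    Returns {victim: evidence}."""
    pkts, ports, unreach = defaultdict(int), defaultdict(set), defaultdict(int)
    for f in flows:
        if f.proto == "udp":
            pkts[f.dst] += f.pkts
            ports[f.dst].add(f.dport)
        elif f.proto == "icmp" and f.icmp == (3, 3):
            unreach[f.src] += f.pkts        # the victim is the *sender* of this backscatter
    return {h: {"udp_pkts": pkts[h], "dports": len(ports[h]), "unreachable_sent": unreach[h]}
            for h in pkts if pkts[h] >= min_pkts and len(ports[h]) >= min_ports}


def detect_syn_flood(flows, min_syn=100, min_ratio=10.0):
    """TFN SYN flood (5.2): many SYN-only packets, usually from spoofed sources,
    never followed by the ACK that completes the handshake. Flags hosts where
    SYNs outnumber completing ACKs by at least min_ratio."""
    syn, ack, srcs = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.flags == "S":
            syn[f.dst] += f.pkts
            srcs[f.dst].add(f.src)
        elif f.flags == "A":
            ack[f.dst] += f.pkts
    return {h: {"syn": syn[h], "ack": ack[h], "sources": len(srcs[h])}
            for h in syn if syn[h] >= min_syn and syn[h] / (ack[h] + 1) >= min_ratio}


def detect_smurf(flows, min_replies=500, min_sources=20):
    """Smurf (5.2): the victim receives ICMP Echo Replies from many hosts it
    never sent Echo Requests to, because the requests carried its address
    as a forged source. Two passes so that ordering of records does not matter."""
    requested = defaultdict(set)            # pinger -> hosts it really pinged
    for f in flows:
        if f.proto == "icmp" and f.icmp == (8, 0):
            requested[f.src].add(f.dst)
    replies, sources = defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto == "icmp" and f.icmp == (0, 0) and f.src not in requested[f.dst]:
            replies[f.dst] += f.pkts        # unsolicited reply
            sources[f.dst].add(f.src)
    return {h: {"unsolicited_replies": replies[h], "amplifiers": len(sources[h])}
            for h in replies if replies[h] >= min_replies and len(sources[h]) >= min_sources}


def constructed_sample():
    """Constructed trace: three attacks against two hosts plus benign noise."""
    victim, web, dns = "198.51.100.10", "198.51.100.80", "198.51.100.53"
    flows = []
    # Trin00-style UDP flood from 20 agents to 200 distinct ports, each packet
    # answered by an ICMP Port Unreachable from the victim.
    for i in range(200):
        agent = f"203.0.113.{i % 20 + 1}"
        flows.append(Flow(agent, victim, "udp", dport=10000 + i, pkts=10))
        flows.append(Flow(victim, agent, "icmp", icmp=(3, 3), pkts=10))
    # SYN flood on the web server from 150 spoofed sources; three real clients.
    for i in range(150):
        flows.append(Flow(f"172.16.0.{i + 1}", web, "tcp", dport=80, flags="S"))
    for i in range(3):
        client = f"198.51.100.{100 + i}"
        flows.append(Flow(client, web, "tcp", dport=80, flags="S"))
        flows.append(Flow(client, web, "tcp", dport=80, flags="A"))
    # Smurf: 50 hosts of an amplifier network reply to the victim unprompted.
    for i in range(50):
        flows.append(Flow(f"192.0.2.{i + 1}", victim, "icmp", icmp=(0, 0), pkts=20))
    # Benign: one DNS query and one legitimate ping/reply pair.
    flows.append(Flow(web, dns, "udp", dport=53))
    flows.append(Flow(web, "192.0.2.9", "icmp", icmp=(8, 0)))
    flows.append(Flow("192.0.2.9", web, "icmp", icmp=(0, 0)))
    return flows


def report(flows):
    return {"udp_flood": detect_udp_flood(flows),
            "syn_flood": detect_syn_flood(flows),
            "smurf": detect_smurf(flows)}


if __name__ == "__main__":
    for kind, hits in report(constructed_sample()).items():
        print(kind, hits or "none")
```

Run with python3; each detector reports only the host under attack and ignores the benign DNS query and the legitimate ping. The ICMP Port Unreachable count is reported as evidence rather than required, because a victim that rate-limits its ICMP replies (as most modern stacks do) will still be flooded but will emit little backscatter.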
David Leon Clark (2002) describes the UDP flooding process clearly, stressing the connectionless nature of UDP that lies at the core of Trin00: "UDP does not initialize any ports, and when a host isn't expecting UDP packets, ICMP intervenes, as it should" (p. 157).

5.2 Tribe Flood Network (TFN)
Richard Deal (2004) notes that the "TFN program was developed in 1999 by German hacker" (p. 242). Besides UDP flooding, TFN can generate several other attacks: a TCP SYN flood, an ICMP echo request flood and a Smurf attack. In a SYN flood the attacker sends a stream of TCP SYN packets, usually with spoofed source addresses, to a listening port. The target allocates a half-open connection and replies with SYN-ACK for each one, but the handshake is never completed, so the connection backlog fills up and legitimate connection attempts are refused. An ICMP echo request flood is the continuous use of the ping utility against the target, which must answer every request with an echo reply and eventually suffers degraded network connectivity. A Smurf attack uses an intermediate network as an amplifier: the attacker sends ICMP echo requests whose source address is forged to be the victim's address to the broadcast address of that network, and every host on it replies to the victim. Repeated against many third-party networks, this slows the victim's system down until it is overwhelmed.

5.3 Tribe Flood Network 2000 (TFN2K)
TFN2K is an advanced version of TFN. It has all of TFN's features plus others designed to make the attack harder to recognise. TFN2K lets the attacker run commands remotely and spoof source addresses, and it differs from TFN in encrypting the communication between master and agents.

5.4 Stacheldraht
Stacheldraht is the German word for barbed wire. This DDoS tool combines features of Trin00 and TFN. David Leon Clark (2002) distinguishes it from the other tools as follows: "In contrast to Trinoo and TFN, which uses UDP, Stacheldraht uses TCP and ICMP to accommodate communications between master and daemon" (p. 155). He points out that master-to-daemon and attacker-to-master communication take place on different TCP ports. In both cases the communication is encrypted, which makes it hard to detect. Stacheldraht has further advanced features for controlling an attack that are beyond the scope of this report.

6.0 Methods to defend
6.1 Why it is hard to defend
Mirkovic et al. (2005) give a number of reasons why defending against DDoS is difficult:
Simplicity: DDoS tools can be downloaded from the Internet and used by inexperienced attackers.
Traffic variety, IP spoofing and high-volume traffic: it is almost impossible to distinguish attack traffic from legitimate traffic and legitimate users, especially under heavy load.
Numerous agent machines: with a great many machines available, the attacker can rotate groups of them and split the attack over time, which makes the sources hard to trace (p. 103).
There is no definitive design for protecting against or preventing DDoS attacks, because they are unpredictable and there is no standard way to analyse them. Simple measures such as regular auditing and software updates, together with traffic filtering and rate limiting at border routers, nevertheless reduce the impact of an attack. Some of these mechanisms are described below.

6.2 Pushback
Jon Ioannidis, a researcher at AT&T Labs, and Steven M. Bellovin, a professor at Columbia University, (2002) describe the architecture of the Pushback mechanism in detail in "Implementing Pushback: Router-Based Defense Against DDoS Attacks". They state that "DDoS attacks are treated as a congestion-control problem, but because most such congestion is caused by malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the routers" (Ioannidis & Bellovin, 2002, p. 1). In practice, a router that detects sustained congestion on a link identifies the aggregate responsible for most of the dropped packets (for example, all traffic destined for the victim's address), rate-limits that aggregate locally, and sends a pushback request to the upstream routers that contribute most of it, asking them to apply the same limit. Dropping the flood closer to its sources frees the downstream link for legitimate traffic that would otherwise be lost along with the attack.

6.3 Black hole route
This approach does not only block attack traffic; it also drops legitimate traffic to the same destination. Richard Deal (2004) explains the black hole route as "forwarding unwanted or undesirable traffic into a black hole" (p. 456), the black hole being a special logical interface (the null interface) to which a route is pointed. Because the drop happens in the forwarding table, traffic is discarded without affecting router performance. The trade-off is that a black hole route for the victim's address completes the denial of service for that host; what it protects is the rest of the network and the upstream links. It is therefore normally applied to a single address for the duration of the attack and withdrawn afterwards.

6.4 DDoS mitigation appliances and Intrusion-detection systems (IDSs)
Additional hardware such as DDoS mitigation appliances and intrusion-detection systems can also be used to secure the network and prevent attacks. Omar Santos (2007), a senior engineer in Cisco's Security and VPN Solutions TAC group, describes two Cisco solutions for mitigating DDoS: the Cisco Traffic Anomaly Detector (TAD) XT and Cisco Guard XT (p. 127). These appliances rely on a Multiverification Process (MVP) mechanism that combines filtering, recognition of legitimate traffic and other protective functions. In addition, Santos defines IDSs as "devices that in promiscuous mode detect malicious activity within the network" (p. 131), that is, devices that watch a copy of the traffic in order to detect attempts to gain unauthorized access to a network or other attacks.
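The two router-side mechanisms of 6.2 and 6.3 as a small simulation, added for this report; it is neither the Pushback reference implementation nor Cisco configuration. The topology (two upstream providers feeding one edge router), the link capacities, the traffic volumes and the choice of "all traffic to one destination address" as the aggregate are assumptions. It shows why an unmitigated flood also destroys legitimate traffic on the congested link, how pushing the rate limit upstream restores that traffic, and what a null route does to the victim.

```python
"""Simulation of two router-side DDoS defences from this report: aggregate
rate limiting with Pushback (6.2) and a destination-based black hole route (6.3).

Added example for this report; it is neither the Pushback reference
implementation nor Cisco IOS. Link capacities, traffic volumes and the
definition of an 'aggregate' (all packets to one destination address) are
illustrative assumptions; packet counts are per measurement interval.
"""
from collections import Counter, defaultdict


class Router:
    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity    # packets the outgoing link carries per interval
        self.limits = {}            # aggregate (dst) -> packets admitted per interval
        self.null_routes = set()    # dsts pointed at a Null0-style discard interface
        self.upstream = []          # neighbours whose delivered traffic reaches us

    def forward(self, offered):
        """offered: Counter {dst: pkts}. Returns (delivered, dropped) Counters."""
        admitted, dropped = Counter(), Counter()
        for dst, n in offered.items():
            if dst in self.null_routes:          # 6.3: black hole, all traffic for dst discarded
                dropped[dst] += n
                continue
            cap = self.limits.get(dst)           # 6.2: rate limit set on this aggregate
            keep = n if cap is None else min(n, cap)
            admitted[dst] += keep
            dropped[dst] += n - keep
        total = sum(admitted.values())
        if total <= self.capacity:
            return admitted, dropped
        # Congested link: tail drop hits every aggregate in proportion, which is
        # why an unmitigated flood also destroys legitimate traffic on the link.
        delivered = Counter()
        for dst, n in admitted.items():
            keep = n * self.capacity // total
            delivered[dst] += keep
            dropped[dst] += n - keep
        return delivered, dropped

    @staticmethod
    def congestion_signature(dropped):
        """Aggregate responsible for most drops; Ioannidis and Bellovin derive
        this 'high-bandwidth aggregate' from the router's drop history."""
        return max(dropped, key=dropped.get) if dropped else None

    def pushback(self, aggregate, limit, contributions):
        """Limit the aggregate locally, then ask each upstream neighbour to limit
        its share in proportion to what it contributed to the flood."""
        self.limits[aggregate] = limit
        total = sum(contributions.values())
        for up in self.upstream:
            up.limits[aggregate] = limit * contributions[up.name] // total


def run_interval(edge, upstream_traffic):
    """Upstream routers apply their limits first; what they deliver is offered to edge.
    upstream_traffic: {router name: Counter {dst: pkts}}."""
    offered, contributions = Counter(), defaultdict(Counter)
    for up in edge.upstream:
        delivered, _ = up.forward(upstream_traffic[up.name])
        offered.update(delivered)
        for dst, n in delivered.items():
            contributions[dst][up.name] += n
    delivered, dropped = edge.forward(offered)
    return offered, delivered, dropped, contributions


VICTIM, WEB = "198.51.100.10", "198.51.100.80"   # flood target, legitimate web server


def scenario():
    """Three intervals: unmitigated, after Pushback, after black-holing VICTIM."""
    isp_a, isp_b, edge = Router("isp-a", 10_000), Router("isp-b", 10_000), Router("edge", 1_000)
    edge.upstream = [isp_a, isp_b]
    traffic = {  # constructed per-interval load: flood on VICTIM plus real web traffic
        "isp-a": Counter({VICTIM: 1_500, WEB: 200}),
        "isp-b": Counter({VICTIM: 500, WEB: 200}),
    }
    results = {}
    offered, delivered, dropped, contrib = run_interval(edge, traffic)
    results["unmitigated"] = (delivered, dropped)
    aggregate = edge.congestion_signature(dropped)          # -> VICTIM
    edge.pushback(aggregate, limit=300, contributions=contrib[aggregate])
    _, delivered, dropped, _ = run_interval(edge, traffic)
    results["pushback"] = (delivered, dropped)
    edge.null_routes.add(VICTIM)   # IOS equivalent: ip route 198.51.100.10 255.255.255.255 Null0
    _, delivered, dropped, _ = run_interval(edge, traffic)
    results["blackhole"] = (delivered, dropped)
    return results


if __name__ == "__main__":
    for stage, (delivered, dropped) in scenario().items():
        print(f"{stage:12s} delivered={dict(delivered)} dropped_at_edge={dict(dropped)}")
```

Run with python3. In the first interval the 1,000-packet edge link is offered 2,400 packets, so proportional tail drop discards more than half of the legitimate web traffic along with the flood. After pushback the two upstream routers admit only 225 and 75 flood packets respectively, the edge link carries 700 and every web packet is delivered. The final stage shows the black hole doing exactly what 6.3 warns of: nothing reaches the victim, but the web server is untouched.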
The downside of IDSs is that they are not always effective against DDoS, because most attacks today use valid, well-formed packets that a signature-based system has no reason to flag.

6.5 VeriSign DDoS Protection Services
VeriSign, Inc. (2011) illustrates its defence mechanism against DDoS attacks:

Figure 2: VeriSign DDoS Protection Service overview (VeriSign, 2011)

VeriSign DDoS Protection is a cloud-based service that any site can use. In this outsourced approach, suspicious traffic is redirected away from the customer to VeriSign's infrastructure, filtered to identify and remove the malicious portion, and returned clean before the flood disrupts the customer's Internet services. VeriSign describes the service as consisting of:
1. Monitoring and mitigation
2. Traffic filtering (off-ramping and on-ramping)
3. Detailed traffic analysis
4. Traffic profiling

7.0 REFERENCES
Anonymous. (2011). AnonNews - Everything Anonymous. Retrieved July 11, 2011, from http://anonnews.org/?p=press&a=item&i=787
Clark, D. (2002). Enterprise security: The manager's defense guide. Boston: Pearson.
Deal, R. (2004). Cisco router firewall security. Indianapolis: Cisco Press.
Global Cyber Security Center. (2011, May 19). Data breach and electronic crime: The Sony's case. GlobalCyberSecurityCenter's blog. Retrieved July 10, 2011, from http://www.gcsec.org/blog/data-breach-and-electronic-crime-sonys-case
Hotz, G. (2011, April 28). Recent news. Retrieved July 10, 2011, from http://geohotgotsued.blogspot.com/2011/04/recent-news.html
Ioannidis, J., & Bellovin, S. (2002). Implementing pushback: Router-based defense against DDoS attacks. Academic Commons, Columbia University. Retrieved July 23, 2011, from http://academiccommons.columbia.edu/catalog/ac:126886
Kessler, G. (2000). Defenses against distributed denial of service attacks. Retrieved July 12, 2011, from http://www.garykessler.net/library/ddos.html
McMillan, R. (2011, April 28). PlayStation hacker: Sony has only itself to blame for breach. PCWorld. Retrieved July 10, 2011, from http://www.pcworld.com/businesscenter/article/226603/playstation_hacker_sony_has_only_itself_to_blame_for_breach.html
Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005). Internet denial of service: Attack and defense mechanisms. Upper Saddle River, NJ: Prentice Hall Professional Technical Reference.
Oriyano, S., & Gregg, M. (2010). Hacker techniques, tools, and incident handling. Sudbury, MA: Jones & Bartlett Learning.
Santos, O. (2007). End-to-end network security: Defense-in-depth. Indianapolis: Cisco Press.
Seybold, P. (2011, April 26). Update on PlayStation Network and Qriocity. PlayStation.Blog. Retrieved July 10, 2011, from http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
VeriSign, Inc. (2011). DDoS protection services overview. Retrieved July 8, 2011, from http://www.verisigninc.com/assets/datasheet-internet-defense-network.pdf
Williams, M. (2011, May 1). PlayStation Network hack timeline. PCWorld. Retrieved July 10, 2011, from http://www.pcworld.com/article/226802/playstation_network_hack_timeline.html