NETWORK TERM PROJECT
SONY HACK OR DDOS
Prepared for:
Centennial College
CNET 124-062
Toronto, Ontario
Prepared by:
Yi Chen (300646912)
Arulnithy Suthakaran (300641636)
Artur Shamsi (300586155)
CNET 124-062 Students
Centennial College
August 5, 2011
TABLE OF CONTENTS
EXECUTIVE SUMMARY ................................................................................................. I
CONCLUSIONS.............................................................................................................. II
1.0 INTRODUCTION ....................................................................................................... 1
1.1 Background......................................................................................................... 1
1.2 Purpose of Report .............................................................................................. 1
2.0 PROBLEM FACED BY SONY .................................................................................. 2
2.1 What happened with PSN ................................................................................... 2
2.2 Result of attack ................................................................................................... 2
2.3 Method used to hack PSN .................................................................................. 2
3.0 BASICS OF DDOS ................................................................................................... 3
3.1 Understanding of DoS ....................................................................................... 3
3.2 DDoS and its characteristics ............................................................................. 3
3.3 Difference between DoS and DDoS ................................................................... 4
4.0 HISTORY AND HOW IT WORKS ............................................................................. 4
4.1 DoS attack facts .................................................................................................. 4
4.2 DDoS attack facts ............................................................................................... 5
4.3 Steps to organize DDoS ..................................................................................... 5
5.0 TOOLS TO LAUNCH DDOS ..................................................................................... 7
5.1 TRIN00 ................................................................................................................. 7
5.2 Tribe Flood Network (TFN) ................................................................................. 7
5.3 Tribe Flood Network 2000 (TFN2K) .................................................................... 8
5.4 Stacheldraht ........................................................................................................ 8
6.0 METHODS TO DEFEND ........................................................................................... 9
6.1 Why it is hard to defend ..................................................................................... 9
6.2 Pushback............................................................................................................. 9
6.3 Black hole route ................................................................................................ 10
6.4 DDoS mitigation appliances and Intrusion-detection systems (IDSs) .......... 10
6.5 Verisign DDoS Protection Services ................................................................. 11
7.0 REFERENCES ........................................................................................................ 12
EXECUTIVE SUMMARY
This report reviews the Distributed Denial of Service (DDoS) attacks that are
commonly used by hackers to bring down web servers and networks so that their
resources become unavailable to intended users.
The report discusses the hacking attack on the Sony Computer Entertainment and
Sony Network Entertainment (Sony) PlayStation Network (PSN) and its results.
The report defines the DDoS attack terminology and investigates tools that are
used for the attack. In addition, the report shows that DDoS attacks are very
common and that there is no standard way to protect a network from them;
however, a number of tools and methods can be used to prevent or mitigate a
DDoS attack.
The report recommends that corporations such as Sony secure their networks in
advance by using modern tools and mechanisms that can decrease the
probability of denial of network services and therefore financial losses.
CONCLUSIONS
The DDoS attack on Sony’s PSN is an example of an e-business being compromised.
Due to the nature of DDoS attacks and their unpredictability, there is no simple
and straightforward solution that gives absolute network defence against them.
Moreover, DDoS attacks commonly use valid source addresses, which makes them
difficult to recognise. However, a number of steps can be taken to prevent and
mitigate an attack, such as network ingress and egress filtering. Filtering by
itself cannot stop an attack, but routers that have filters can be instructed
to block frequently incoming messages with particular patterns. Furthermore, it
is possible to stop networks with compromised hosts from being used as slaves
for attacking the target machine. Conducting regular audits, using special
tools that can find DDoS software installed on hosts, and simply keeping
software updated can minimize the risk of the network being compromised. The
Sony PSN hack example shows that e-businesses can suffer from DDoS attacks.
Loss of consumers’ confidence and of the company’s reputation are possible
results of DDoS attacks, besides financial losses that can be counted in
millions of dollars. Therefore, corporations like Sony should take security
measures to protect their networks from possible DDoS attacks and use security
tools against existing hacking techniques.
1.0 INTRODUCTION
1.1 Background
Many organizations and corporations around the world build and use networks to
sell products and provide services to their customers. Commonly the customers
are invited to create profiles through the companies’ websites in order to make
access to services easier and quicker. Besides a username and password created
by the user, a customer’s profile often requires more private information such
as a full name, billing address, credit card number or other financial
information. This is a very common way of allowing customers to purchase
products or services online, which is also known as e-commerce.
Companies and organizations are also aware that the customer information they
store on their servers is confidential and cannot be used by third parties
without the customers’ permission, which is usually negotiated in agreements
between company and customer. Because of the financial component in users’
profiles, companies understand that such confidential information can be a
target for malefactors, and they use different technological measures to secure
this information and prevent possible thefts. However, as security improves,
the sophistication of the malefactors is also rising, and with it the threat of
network intrusions aimed at gaining access to confidential information.
1.2 Purpose of Report
This report examines the type of attack against the Sony PSN in April 2011,
known as a DDoS attack. The report describes the incident, the events leading
up to it and its consequences. The report focuses on dissecting the main
features of DDoS, historical facts about attack implementations and common
methods that can be used to defend companies’ networks from such attacks. In
conclusion, the report highlights the importance of considering a DDoS attack
as one that can significantly compromise a company’s reputation in terms of
security.
2.0 Problem faced by SONY
2.1 What happened with PSN
According to Patrick Seybold (2011), Sr. Director, Corporate Communications &
Social Media, Sony “discovered that between April 17 and April 19, 2011,
certain PlayStation Network and Qriocity service user account information was
compromised in connection with an illegal and unauthorized intrusion into our
network”. A group of hackers who call themselves Anonymous sent a message to
Sony in which the group claimed responsibility for attacking PSN. Anonymous
says in its message that the attack was a response to the action taken by Sony
against George Hotz (Anonymous, 2011). At the beginning of 2011 George Hotz,
who is famous for jailbreaking the iPhone, was sued by Sony for hacking their
product PlayStation 3 (PS3) “so that it could run the Linux OS” and run his
own code (McMillan, 2011). George Hotz (2011) denies any involvement in the
attack on PSN in his blog.
2.2 Result of attack
According to Patrick Seybold (2011), Sr. Director, Corporate Communications &
Social Media, as a result of the PSN attack users’ personal information,
including profile information such as “purchase history and billing address”
and users’ credit card information, was taken from PSN databases by hackers. In
addition, Martin Williams (2011) reports in his article PlayStation Network Hack
Timeline that “Sony shares dropped 4.5 percent in Tokyo” stock exchange
trading.
2.3 Method used to hack PSN
According to the article “Data breach and electronic crime: in Sony's case” by
the Global Cyber Security Center (GCSEC) (2011), the Anonymous group used a
DDoS type of attack against Sony’s PSN.
3.0 Basics of DDoS
3.1 Understanding of DoS
Mirkovic, Dietrich, Dittrich, and Reiher (2004) defined a Denial of Service
(DoS) attack as an attack whose goal is to “disrupt some legitimate activity,
such as browsing Web pages, listening to an online radio, transferring money
from your bank account, or even docking ships communicating with a naval port”
(p. 2). This definition means that DoS attacks are used to stop some services
or deny use of a system by exhausting its resources. To achieve this, attackers
use one of three categories of DoS attacks: “consumption of bandwidth,
consumption of resources and exploitation of programming defects”, as defined
by Sean-Philip Oriyano, an American veteran of the Information Technology and
engineering fields, and Michael Gregg, an American computer security specialist
(2010, p. 290).
3.2 DDoS and its characteristics
DDoS is an advanced type of DoS. It pursues the same goals as DoS attacks, but
DDoS organizes and launches the attack from many different hosts or systems.
Any attack that is focused on denying a service to intended users can be
characterized as a DoS or DDoS attack, depending on the method used to launch
the attack.
Sean-Philip Oriyano and Michael Gregg (2010) characterize DDoS as follows:
1. DDoS attacks are usually very large; they use thousands of systems to
conduct the attack.
2. DDoS has two types of victim: primary and secondary. The primary victim is
the actual recipient of the attack and the secondary victim is the medium used
for the attack.
3. DDoS attacks can be difficult or impossible to trace back to their true
sources.
4. DDoS defence is extremely difficult due to the number of agents used for the
attack.
5. The impact of a DDoS attack is much more severe, as it can open up holes for
other infectious attacks (Oriyano & Gregg, 2010, p. 293).
3.3 Difference between DoS and DDoS
Even though both DoS and DDoS attacks have the same nature and goals, which
make them similar to each other, there is an essential difference between DoS
and DDoS that should be considered. Sean-Philip Oriyano and Michael Gregg
(2010) noted that “the difference is in implementation as DoS is generally one
system attacking another, and DDoS is many system attacking another” (p. 293).
4.0 History and how it works
4.1 DoS attack facts
Mirkovic et al. (2004) mentioned that the DoS attack on Yahoo! was what mainly
publicised the impact of Denial-of-Service attacks. A DoS attack is used to
deny the availability of services. This type of attack floods the attacked
server with false information requests and ultimately crashes it. DDoS and DoS
attacks have been known for a number of decades. As defined earlier, in a
denial-of-service (DoS) attack the hacker or attacker attempts to prevent
regular and legitimate users from accessing the information or services
provided by the host computer or server. The most commonly documented attack is
one in which the attacker floods the host computer with network traffic and
stops it from functioning in a regular manner. It is very important to note
that a sudden surge in Internet traffic can sometimes be mistaken for a DoS or
DDoS attack (Mirkovic et al., 2004, p. 51).
4.2 DDoS attack facts
According to Kessler, G. (2000), DDoS attacks are much newer than DoS attacks
and were first seen in mid-1999. The first documented DDoS attack appeared in a
University of Minnesota computer lab, using the DDoS tool called Trinoo. It
affected over 227 systems and knocked down the lab for two days. The first
well-publicised DDoS attack was conducted against Yahoo in February 2000, when
the company was inaccessible for a few hours. Then a few other well-established
corporations such as Amazon, CNN and Buy.com were also attacked. Sony’s PS3
attack is the latest of this type (Kessler, 2000).
4.3 Steps to organize DDoS
To organize a DDoS attack both software and hardware are required. Software
tools are described in chapter 5 of this report. The hardware commonly consists
of 3 components:
1. Master systems that launch the attack.
2. Slave (zombie, agent) systems on which the software necessary for the attack
is installed. These systems are fully controlled by the attacker, and they are
victims themselves, but not primary ones.
3. The primary victim system, or target system.
Gary C. Kessler, Associate Professor and program director at Champlain College
in Burlington, provides in his paper Defenses Against Distributed Denial of
Service Attacks a graphical representation of a DDoS attack (image modified):
Figure 1
As shown in Figure 1, the IP packets come from many addresses rather than a
single address. As a matter of fact, this type of attack can mislead the
administrators and point them to a location other than the attacker’s, because
of the way the agents are set up to attack the server.
The communication between the master and the daemons is often hidden and is
difficult to locate. This leads criminals to exploit the system, knowing there
is less risk for them in attacking online than physically.
The attackers constantly develop new tools and ways to attack. Thus DDoS
methods and tools are a newer technology at the attackers’ disposal.
5.0 Tools to launch DDoS
5.1 TRIN00
One of the most common DDoS tools is Trin00, which is also called Trinoo. It has
its roots at the end of 1999, when it was first used to disable several
university networks. The idea behind Trin00 is to send a huge number of UDP
packets from one source port on the attacker’s computer to many different ports
on the target addresses within a specified period of attack time. The flood of
UDP messages then makes the target host respond with ICMP port unreachable
messages. These responses continue until resources are exhausted and the
system is brought down. David Leon Clark (2002) clearly describes the flow of
the UDP flooding process. Clark underlines the connectionless nature of UDP,
which is used as the core of Trin00, as follows: “UDP does not initialize any
ports, and when a host isn't expecting UDP packets, ICMP intervenes, as it
should” (p. 157).
5.2 Tribe Flood Network (TFN)
Richard Deal (2004) mentioned that the “TFN program was developed in 1999 by
German hacker” (p. 242). Besides UDP flooding, TFN can generate a variety of
attacks. Among them are a TCP SYN flood, an ICMP echo request flood and a Smurf
attack. The idea of the SYN flood is to make the destination address and the
source address the same. This means that when a synchronize packet is sent to
the receiving host, it responds with a SYN-ACK to itself, which cannot be
completed. An ICMP echo request flood is the continuous use of the ping
utility to send requests to the target host in order to receive ICMP echo
replies, which eventually can slow down network connectivity. A Smurf attack
is implemented by creating a false ping packet whose source is seen by the
receivers as the target. Such a ping is sent to the broadcast IP of an
intermediate network, every host of which then responds to the victim machine.
If the attacker repeats such requests to many third-party networks, the
victim’s system eventually slows down and becomes overwhelmed.
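As an added example (not code from the report or from any of the tools it names), the following Python classifies a constructed packet summary from the defender's side according to the flood patterns that sections 5.1 and 5.2 describe: the one-source-port UDP spray answered by ICMP port unreachable, the self-addressed SYN, the echo request flood, and the burst of echo replies from one amplifier network in a Smurf attack. The record layout, the thresholds and the addresses are assumptions.

```python
from collections import Counter
from typing import NamedTuple

class Pkt(NamedTuple):
    proto: str   # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    info: object = None  # TCP flag string, ICMP type number, or None for UDP

ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST = 0, 3, 8

def classify(packets, victim, threshold=50):
    """Return {flood_name: evidence} for the patterns of sections 5.1 and 5.2."""
    findings = {}
    # 5.1 Trin00-style UDP flood: one attacker source port sprays many ports on
    # the victim, and the victim answers each with ICMP port unreachable.
    udp = [p for p in packets if p.proto == "udp" and p.dst == victim]
    if len(udp) >= threshold:
        sport, n = Counter(p.sport for p in udp).most_common(1)[0]
        dports = {p.dport for p in udp}
        if n > 0.9 * len(udp) and len(dports) > 10:
            unreach = sum(1 for p in packets if p.proto == "icmp"
                          and p.src == victim and p.info == ICMP_UNREACHABLE)
            findings["udp_flood"] = {"src_port": sport, "dst_ports": len(dports),
                                     "icmp_unreachable": unreach}
    # 5.2 SYN flood as the report describes it: SYNs carrying the victim's own
    # address as source, so the victim would SYN-ACK itself.
    self_syn = [p for p in packets if p.proto == "tcp" and p.dst == victim
                and p.info == "S" and p.src == victim]
    if len(self_syn) >= threshold:
        findings["syn_flood_self_addressed"] = {"count": len(self_syn)}
    # 5.2 ICMP echo request flood: a sustained stream of pings at the victim.
    reqs = [p for p in packets if p.proto == "icmp" and p.dst == victim
            and p.info == ICMP_ECHO_REQUEST]
    if len(reqs) >= threshold:
        findings["icmp_echo_flood"] = {"count": len(reqs),
                                       "sources": len({p.src for p in reqs})}
    # 5.2 Smurf: echo replies from many hosts of one network that the victim
    # never asked for (far more replies arrive than it sent requests).
    reps = [p for p in packets if p.proto == "icmp" and p.dst == victim
            and p.info == ICMP_ECHO_REPLY]
    sent = sum(1 for p in packets if p.proto == "icmp" and p.src == victim
               and p.info == ICMP_ECHO_REQUEST)
    if len(reps) - sent >= threshold:
        net, _ = Counter(p.src.rsplit(".", 1)[0] for p in reps).most_common(1)[0]
        hosts = {p.src for p in reps if p.src.rsplit(".", 1)[0] == net}
        findings["smurf"] = {"amplifier_net": net + ".0/24",
                             "replying_hosts": len(hosts),
                             "unsolicited_replies": len(reps) - sent}
    return findings

# Constructed sample capture using documentation-only addresses (not real traffic).
VICTIM = "192.0.2.10"

def sample_capture():
    pk = []
    for i in range(5):    # five legitimate DNS queries from different clients
        pk.append(Pkt("udp", "198.51.100.%d" % (i + 1), 40000 + i, VICTIM, 53))
    for i in range(200):  # Trin00-style spray from one source port, each answered
        pk.append(Pkt("udp", "203.0.113.7", 6000, VICTIM, 1024 + i))
        pk.append(Pkt("icmp", VICTIM, 0, "203.0.113.7", 0, ICMP_UNREACHABLE))
    for i in range(60):   # Smurf: 60 hosts of one /24 reply to a ping never sent
        pk.append(Pkt("icmp", "198.51.100.%d" % (100 + i), 0, VICTIM, 0,
                      ICMP_ECHO_REPLY))
    return pk

def run_demo():
    return classify(sample_capture(), VICTIM)
```

The five legitimate DNS queries in the sample are deliberately left in so that the UDP rule has to rely on the source-port concentration and port spread rather than on packet count alone.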
5.3 Tribe Flood Network 2000 (TFN2K)
TFN2K is an advanced TFN tool. It has all the features that TFN has, but in
addition it has other features developed to make the attack difficult to
recognise. TFN2K also allows an attacker to run commands remotely and to spoof
source addresses. It differs from TFN in the way master and agents
communicate, because it uses encryption.
5.4 Stacheldraht
The German word Stacheldraht means barbed wire. This DDoS tool combines
features of Trin00 and TFN. David Leon Clark (2002) distinguishes Stacheldraht
from other DDoS tools as follows: “In contrast to Trinoo and TFN, which uses
UDP, Stacheldraht uses TCP and ICMP to accommodate communications between
master and daemon” (p. 155). He underlines that communication between master
and daemon and communication between the attacker’s machine and the master are
held on different TCP ports. In both cases the communication is encrypted,
which makes it difficult to detect. Additionally, Stacheldraht has more
advanced features that allow it to manipulate the DDoS attack. These features
are beyond the scope of this report.
6.0 Methods to defend
6.1 Why it is hard to defend
Mirkovic et al. (2004) point to a number of reasons that make defence against
DDoS attacks difficult:
- Simplicity: DDoS tools are available for download from the Internet and can
be used by inexperienced attackers.
- Traffic variety, IP spoofing and high-volume traffic: it is almost impossible
to distinguish attack traffic from legitimate traffic and legitimate users,
especially at high traffic load.
- Numerous agent machines: the use of great numbers of machines for the attack
allows them to be grouped and the attack time to be divided, which makes it
difficult to trace the sources (Mirkovic et al., 2004, p. 103).
There is no definite solution or design for a protection or prevention
mechanism against DDoS attacks, because they are not predictable and there are
no standards for analyzing them. However, simple steps like regular auditing
and software updates, together with traffic filtering and rate limiting at
border routers, can help to decrease the impact of a DDoS attack. Some of the
mechanisms are described below:
6.2 Pushback
Jon Ioannidis, a researcher at AT&T Labs, and Steven M. Bellovin, a professor
at Columbia University (2002), describe in detail the architecture of the
Pushback mechanism in their work “Implementing Pushback: Router-Based Defense
Against DDoS Attacks” as a method for protection. They state that “DDoS attacks
are treated as a congestion-control problem, but because most such congestion
is caused by malicious hosts not obeying traditional end-to-end congestion
control, the problem must be handled by the routers” (Ioannidis & Bellovin,
2002, p. 1). What the authors mean is that routers with special security
functions can detect unusual congestion. For example, if there are suddenly a
lot of TCP connection requests arriving from the Internet, it is probably a
DDoS attack, and the router can change its settings to prevent the “flood”.
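The router-level part of the mechanism Ioannidis and Bellovin describe, reduced to one router and one traffic interval, as an added example that is not part of the report or of the authors' implementation: the router notices it is dropping packets, finds the destination prefix (the aggregate) responsible for most of the drops, rate-limits that aggregate locally, and computes the per-upstream-link limits it would push back. The link capacity, the alarm threshold, the /24 aggregate size and the constructed traffic mix are all assumptions.

```python
import random
from collections import Counter
from typing import NamedTuple

class Pkt(NamedTuple):
    dst: str       # destination address
    in_link: str   # upstream link the packet arrived on
    legit: bool    # ground truth, used only to score the outcome

CAPACITY = 1000    # packets per interval the congested link can carry (assumed)
DROP_ALARM = 0.10  # drop fraction that triggers aggregate detection (assumed)

def prefix24(ip):
    return ip.rsplit(".", 1)[0] + ".0/24"

def tail_drop(packets, capacity=CAPACITY):
    """A router without Pushback: packets beyond link capacity are simply lost."""
    return packets[:capacity], packets[capacity:]

def find_aggregate(dropped):
    """Congestion-control step: the destination prefix dominating the drops."""
    prefix, n = Counter(prefix24(p.dst) for p in dropped).most_common(1)[0]
    return prefix if n > 0.5 * len(dropped) else None

def pushback_router(packets, capacity=CAPACITY):
    """Detect the congesting aggregate, rate-limit it locally and compute the
    per-upstream-link limits a Pushback message would carry."""
    forwarded, dropped = tail_drop(packets, capacity)
    congested = len(dropped) >= DROP_ALARM * max(len(packets), 1)
    agg = find_aggregate(dropped) if congested else None
    if agg is None:  # no congestion, or no single aggregate dominates the drops
        return {"forwarded": forwarded, "aggregate": None, "limit": None, "pushback": {}}
    in_agg = [p for p in packets if prefix24(p.dst) == agg]
    others = [p for p in packets if prefix24(p.dst) != agg]
    # Give the aggregate whatever the rest of the traffic does not need, but never
    # starve it completely: some of it may be legitimate traffic to the victim.
    limit = max(capacity - len(others), capacity // 10)
    share = Counter(p.in_link for p in in_agg)
    pushback = {link: limit * n // len(in_agg) for link, n in share.items()}
    quota = dict(pushback)
    forwarded = list(others)
    for p in in_agg:  # enforce each upstream link's quota at this router too
        if quota[p.in_link] > 0:
            quota[p.in_link] -= 1
            forwarded.append(p)
    return {"forwarded": forwarded, "aggregate": agg, "limit": limit, "pushback": pushback}

def sample_interval(seed=1):
    """Constructed traffic (documentation addresses): 300 legitimate packets to
    assorted hosts plus a 2000-packet flood at 192.0.2.10 via links A and B."""
    rng = random.Random(seed)
    legit = [Pkt("198.51.100.%d" % rng.randint(1, 250), rng.choice("ABC"), True)
             for _ in range(300)]
    flood = [Pkt("192.0.2.10", rng.choice("AB"), False) for _ in range(2000)]
    mixed = legit + flood
    rng.shuffle(mixed)
    return mixed

def legit_delivered(forwarded):
    return sum(1 for p in forwarded if p.legit)

def compare(seed=1):
    """Legitimate packets delivered with plain tail drop versus with Pushback."""
    packets = sample_interval(seed)
    plain_sent, _ = tail_drop(packets)
    pb = pushback_router(packets)
    return {"plain_legit": legit_delivered(plain_sent),
            "pushback_legit": legit_delivered(pb["forwarded"]),
            "pushback_total": len(pb["forwarded"]), "aggregate": pb["aggregate"],
            "limit": pb["limit"], "pushback": pb["pushback"]}
```

With plain tail drop the legitimate traffic loses roughly the same share as the flood, whereas after the aggregate is rate-limited all 300 legitimate packets fit within the link and only the flood is cut.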
6.3 Black hole route
This approach does not only block attacking traffic; it also drops legitimate
traffic. However, it prevents a DDoS attack. Richard Deal (2004) explains the
function of a black hole route as “forwarding unwanted or undesirable traffic
into a black hole” (p. 456). By black hole route he means a special logical
interface (null interface) that is used to create a black hole. It allows
traffic to be filtered and routed without affecting router performance.
6.4 DDoS mitigation appliances and Intrusion-detection systems (IDSs)
Additional hardware such as DDoS mitigation appliances and Intrusion-detection
systems can also be used to secure a network and prevent attacks. Omar Santos
(2007), Senior Engineer in the Security and VPN Solutions TAC Group, describes
two Cisco solutions for DDoS mitigation: Cisco Traffic Anomaly Detector (TAD)
XT and Cisco Guard XT (p. 127). The idea behind these appliances lies in the
use of a special Multiverification Process (MVP) mechanism that involves
filtering, recognition of legitimate traffic and other protective features. In
addition, Santos defines IDSs as “devices that in promiscuous mode detect
malicious activity within the network” (p. 131). What he means by this is that
these devices are used to detect whether an attacker is trying to obtain
unauthorized access to a network. The downside of IDSs is that they are not
always very efficient, because most attacks today use valid packets.
6.5 Verisign DDoS Protection Services
VeriSign, Inc. (2011) illustrates the defence mechanism against DDoS attacks:
Figure 2
VeriSign DDoS Protection is a cloud-based protection approach that can be used
by any site. This outsourcing approach can reduce the risk of a DDoS attack by
filtering and identifying the malicious traffic that causes interruption to
Internet services. Suspected malicious traffic is redirected away from the
customer before it disrupts the Internet services.
VeriSign is a world-class trusted leader in Internet security, and it uses the
following approaches to protect Internet services:
1. Monitoring & Mitigation
2. Filtering Traffic (Off ramping/On Ramping)
3. Detailed Analysis of Traffic
4. Profiling Traffic
7.0 REFERENCES
Anonymous. (2011). AnonNews - Everything Anonymous. Retrieved July 11,
2011, from http://anonnews.org/?p=press&a=item&i=787.
Clark, D. (2002). Enterprise security: The manager's defense guide. Boston:
Pearson.
Deal, R. (2004). Cisco router firewall security. Indianapolis: Cisco Press.
Global Cyber Security Center. (May 19, 2011). Data breach and electronic
crime: The Sony's case. GlobalCyberSecurityCenter's blog. Retrieved
July 10, 2010, from http://www.gcsec.org/blog/data-breach-andelectronic-crime-sonys-case.
Hotz, G. (April 28, 2011). Recent News. Retrieved on July 10, 2011, from
http://geohotgotsued.blogspot.com/2011/04/recent-news.html.
Ioannidis, J., & Bellovin, S. (2002). Implementing pushback: router-based
defense against DDoS attacks. Academiccommons.columbia.edu. Retrieved July
23, 2011, from
http://academiccommons.columbia.edu/catalog/ac:126886.
Kessler, G. (2000). Defenses against distributed denial of service attacks.
Retrieved July 12, 2011, from
http://www.garykessler.net/library/ddos.html.
McMillan, R. (April 28, 2011). PlayStation hacker: Sony has only itself to blame
for breach. Security news. Retrieved July 10, 2011, from
http://www.pcworld.com/businesscenter/article/226603/playstation_hacker_sony_has_only_itself_to_blame_for_breach.html.
Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005). Internet denial of
service: attack and defense mechanisms. Upper Saddle River, N.J.:
Prentice Hall Professional Technical Reference.
Oriyano, S., & Gregg, M. (2010). Hacker techniques, tools, incident handling.
Sudbury, MA: Jones & Bartlett Learning.
Santos, O. (2007). End-to-end network security: Defense-in-depth. Indianapolis:
Cisco Press.
Seybold, P. (April 26, 2011). Update on PlayStation network and Qriocity.
Playstation.Blog. Retrieved July 10, 2011, from
http://blog.us.playstation.com/2011/04/26/update-on-playstation-networkand-qriocity/.
VeriSign, Inc. (2011). DDoS protection services overview. Verisign. Retrieved
July 8, 2011, from www.verisigninc.com/assets/datasheet-internetdefense-network.pdf
Williams, M. (May 1, 2011). PlayStation network hack timeline. Security.
Retrieved July 10, 2011, from
http://www.pcworld.com/article/226802/playstation_network_hack_timeline.html.