Denial of Service: World's Attacks
Prepared by: Mohammed Mahmoud Hussain
Supervised by: Dr. Lo’ai Tawalbeh
NYIT, winter 2007
Good News / Bad News
Good news: the Internet and networks give us better connectivity
– Share information
– Collaborate (a)synchronously
Bad news: that same connectivity works for attackers too
– Viruses can spread more easily
– "The bad guys" now have easier access to your information as well
Why do I want to be secure? (What's in it for me?)
You can ensure private information is kept private
– Some things are for certain eyes only, and you probably want to keep them that way
– Is someone looking over your shoulder (physically or virtually)?
The 3 Main Forms of Bad Guys
– Virus/Worm
– Trojan
– Denial of Service
Viruses / Worms
Most widely known, thanks to press coverage
What is it?
– Computer programs written by bad guys to do malicious things, often triggered by a specific event
– Example: a Word macro virus that sends out junk email when the Word document is opened
Trojan horse
Most dangerous of all
What is it?
– Computer programs, often written by good guys but used by bad guys, that give the attacker a back door into the targeted computer
– Example: a remote management application that runs in the background, allows the bad guys to "get in", and lets them use your computer as they wish
Typically cannot be safely removed; you must start over from a working backup or from scratch
Because
– Deleting/modifying data files is one of their goals
– Stealing personal information is another
– Interrupting/destroying business processes (have a contingency plan)
Denial of Service (DoS)
– Too many requests for a particular web site "clog the pipe" so that no one else can access the site
– The LAND attack is another example
Possible impacts:
– May reboot your computer
– Slows down computers
– Certain sites and applications become inaccessible
– You are knocked offline
Where are you exposed?
Everyone has to know that threats come from 3 places:
– "New Files"
– "Viewed Content"
– "Exposed Services"
Where they come from
– Unwanted email with attachments you weren't expecting
– Programs downloaded from less than trustworthy locations on the Internet
– File sharing programs (P2P)
– Websites that will "install" things for you
The more open doors your computer has, the more chance of someone coming in
What is a Denial of Service Attack?
"Attack in which the primary goal is to deny the victim(s) access to a particular resource."
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
How to take down a restaurant
(Slide illustration: a saboteur phones the restaurateur.)
Saboteur: "Table for four at 8 o'clock. Name of Mr. Smith."
Restaurateur: "O.K., Mr. Smith."
The saboteur keeps calling in reservations that no one will ever show up for, and each one ties up a table.
Restaurateur: "No more tables!"

Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack.
Categories of DoS attack
– Bandwidth attacks
– Protocol attacks
– Logic attacks

A bandwidth attack is the oldest and most common DoS attack. In this approach, the attacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access for users.

A protocol attack is a trickier approach, but it is becoming quite popular. Here, the attacker sends traffic in a way that the target system never expected, such as a flood of SYN packets that are never completed into connections.

The third type is a logic attack. This is the most advanced type because it relies on an understanding of how the target's network stack handles malformed input rather than on traffic volume. A classic example of a logic attack is the LAND attack, where an attacker sends a forged packet with the same source and destination IP address. Many systems are unable to handle this confused state and subsequently crash.
Types of DoS Attacks
This section introduces the common types of DoS attacks, many of which can also be carried out as DDoS attacks.
Ping of Death
A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network; it is also a valuable tool for troubleshooting and diagnosing problems on a network. As the following picture shows, a normal ping has two messages: an echo request and an echo reply.
(Slide illustration: echo request from the sender, echo reply from the host.)
BUT
With a Ping of Death attack, an echo request is sent whose IP datagram is larger than the maximum allowed size of 65,535 bytes. The datagram is broken into fragments for transmission, and each fragment is legal on its own; only when the receiver reassembles them does the total exceed the maximum and overflow the receiving buffer. Systems that are unable to handle such abnormalities either crash or reboot.
Historically this was demonstrated from Linux by typing ping -f -s 65537. Note the use of the -f switch, which causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are sent to a target. A current ping rejects payload sizes above 65,507 bytes (65,535 minus the 20-byte IP and 8-byte ICMP headers), and patched IP stacks bounds-check fragment offsets during reassembly, so the command no longer works against maintained systems.
Tools: Jolt, SPing, ICMP Bug, IceNewk
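The reassembly check that defeats the Ping of Death, as an added example (this is not code from the original slides): a tiny IPv4 fragment reassembler that refuses any fragment whose offset plus payload would place bytes beyond the 65,535-byte limit of the total-length field, which is exactly the check the 1996-era stacks were missing. The fragments and the 10.0.0.x addresses are constructed in-line; the header layout follows RFC 791, with the checksum left at zero for brevity.

```python
import struct

MAX_DATAGRAM = 65535                      # limit of the 16-bit IPv4 total-length field
IPV4_HEADER = 20                          # minimal header, no options
MAX_PAYLOAD = MAX_DATAGRAM - IPV4_HEADER  # 65,515 bytes of payload across all fragments


def build_fragment(ident, offset_units, more_fragments, payload):
    """Minimal IPv4 header (RFC 791 layout, checksum left zero) + fragment payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, IPV4_HEADER + len(payload), ident, flags_frag,
                         64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def parse_fragment(pkt):
    """Return (ident, offset in bytes, more-fragments flag, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:]


def fragment(ident, payload, chunk=1480):
    """Split a payload the way a sending stack does for a 1500-byte MTU."""
    assert chunk % 8 == 0, "fragment offsets are counted in 8-byte units"
    pieces = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)
        pieces.append(build_fragment(ident, start // 8, more, piece))
    return pieces


class Reassembler:
    """Collect fragments per datagram id; reject any that would exceed the legal size."""

    def __init__(self):
        self.buffers = {}   # ident -> {"frags": {offset: payload}, "total": int | None}

    def feed(self, pkt):
        """Accept one fragment. Returns the reassembled payload when complete, None while
        waiting, and raises ValueError for an oversize (Ping of Death) or overlapping fragment."""
        ident, offset, more, payload = parse_fragment(pkt)
        end = offset + len(payload)
        # The check vulnerable stacks lacked: bounds-check BEFORE copying into the buffer.
        if end > MAX_PAYLOAD:
            self.buffers.pop(ident, None)
            raise ValueError(f"fragment id={ident} ends at byte {end} > {MAX_PAYLOAD}: dropped")
        state = self.buffers.setdefault(ident, {"frags": {}, "total": None})
        state["frags"][offset] = payload
        if not more:
            state["total"] = end       # the last fragment fixes the datagram length
        return self._try_complete(ident, state)

    def _try_complete(self, ident, state):
        if state["total"] is None:
            return None
        data = bytearray()
        for off in sorted(state["frags"]):
            if off > len(data):
                return None            # a hole remains: keep waiting
            if off < len(data):
                raise ValueError(f"fragment id={ident}: overlapping fragment at offset {off}")
            data += state["frags"][off]
        if len(data) != state["total"]:
            return None
        del self.buffers[ident]
        return bytes(data)


def reassemble_all(fragments):
    """Feed fragments in the given order. Returns the datagram payload, or 'DROPPED'
    if any fragment failed the bounds check (the Ping of Death case)."""
    reassembler = Reassembler()
    result = None
    try:
        for pkt in fragments:
            out = reassembler.feed(pkt)
            if out is not None:
                result = out
    except ValueError as err:
        print("drop:", err)
        return "DROPPED"
    return result
```

A 65,518-byte ICMP echo (the classic 65,510-byte ping payload plus the 8-byte ICMP header) arrives as 45 legal-looking fragments; the reassembler drops the datagram on the last one, whose end offset is 65,518, while a payload of exactly 65,515 bytes still reassembles. Fragments arriving out of order are handled, since completeness is re-checked on every fragment rather than only on the one without the more-fragments flag.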
Smurf and Fraggle
A Smurf attack is another DoS attack that uses ICMP. Here, an echo request is sent to a network broadcast address with the target as the spoofed source. When the hosts on that network receive the echo request, they all send an echo reply back to the target, so one request is amplified into as many replies as there are responding hosts. Sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.

If the broadcast ping cannot be sent to the target's own network, a Smurf amplifier is used instead. A Smurf amplifier is a network that lets the attacker send broadcast pings to it and sends the ping responses back to the target host on a different network. Nmap provides the capability to detect whether a network can be used as a Smurf amplifier.

A variation of the Smurf attack is the Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks use the CHARGEN and ECHO UDP services that operate on UDP ports 19 and 7. Both of these services behave much like ICMP ping: they answer any requesting host to show that they are active on the network, so they can be made to answer a spoofed victim.
LAND Attack
In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reported in 1997), both Windows XP with Service Pack 2 and Windows Server 2003 were later reported to be vulnerable to it (since patched).
hping can be used to craft packets with the same spoofed source and destination address.
SYN flood
A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between the two hosts.
In a SYN flood the handshake is turned against the server: the attacking host sends a flood of SYN packets but never responds with the final ACK. The TCP/IP stack waits a certain amount of time before dropping each half-open connection, so a SYN flood keeps the target's SYN_RECEIVED connection queue filled.
With a SYN flood attack, the rules of the handshake are violated. Instead of the normal three-way handshake, an attacker sends a packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK. A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more new connections can be accepted until the half-open sessions are cleared out. This means that no new users can connect to the host while the attack is active. SYN packets are sent so rapidly that even when a half-open session is cleared out, another SYN packet arrives to fill the queue again.
SYN floods are still successful today for three reasons:
1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.
2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.
3) SYN packets can be spoofed because the attacker never needs to receive the target's response. As a result, the attacker can choose random source IP addresses, making filtering difficult for security administrators.

An example: TCP SYN flooding
(Slide illustration: the client sends "TCP connection, please." The server answers "O.K. Please send ack." and holds a slot in its buffer while it waits. The attacker sends many such requests and never completes them, so the buffer fills.)
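The half-open queue exhaustion described above, next to the SYN-cookie defence the deck returns to later under "IP Tracing (or Syncookies)", as an added example that is not part of the original slides. Two toy servers receive the same SYN stream. `BacklogServer` stores one half-open entry per SYN and drops new SYNs once its queue is full, so a flood of never-ACKed SYNs from spoofed sources locks out the honest client until the entries time out. `CookieServer` stores nothing at SYN time: its SYN-ACK sequence number is an HMAC over the client's address and port, a coarse time slot and a server secret, and state is allocated only when an ACK returns the matching value. Addresses, queue size, timeout and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets


class BacklogServer:
    """Classic stack: one half-open entry per SYN, dropped after `timeout` seconds."""

    def __init__(self, backlog=128, timeout=75):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}          # (src, sport) -> expiry time (the SYN_RECEIVED queue)
        self.established = set()
        self.dropped = 0

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def syn(self, src, sport, now):
        """Returns the ISN sent in the SYN-ACK, or None when the queue is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None              # queue exhausted: the SYN is silently dropped
        self.half_open[(src, sport)] = now + self.timeout
        return 1000                  # fixed ISN; its value is irrelevant for this model

    def ack(self, src, sport, ackno, now):
        if self.half_open.pop((src, sport), None) is None:
            return False             # no half-open entry: ACK ignored
        self.established.add((src, sport))
        return True


class CookieServer:
    """SYN cookies: no state until the ACK proves the client received the SYN-ACK."""

    def __init__(self, secret=None, window=64):
        self.secret = secret or secrets.token_bytes(16)
        self.window = window         # seconds per time slot baked into the cookie
        self.established = set()

    def _cookie(self, src, sport, slot):
        # Real stacks also encode the negotiated MSS; here the 32-bit ISN is purely an HMAC tag.
        msg = f"{src}:{sport}|{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def syn(self, src, sport, now):
        return self._cookie(src, sport, now // self.window)      # nothing is stored

    def ack(self, src, sport, ackno, now):
        slot = now // self.window
        expected = (ackno - 1) & 0xFFFFFFFF                      # the client acknowledges ISN + 1
        if any(expected == self._cookie(src, sport, s) for s in (slot, slot - 1)):
            self.established.add((src, sport))
            return True
        return False


def run_flood(server, n_spoofed=500, delay=1):
    """Send n_spoofed SYNs from spoofed sources that never ACK, then one honest client
    `delay` seconds later. Returns True if the honest client established a connection."""
    for i in range(n_spoofed):
        server.syn(f"198.51.100.{i % 250 + 1}", 1024 + i, now=0)    # cheap, spoofed, never completed
    isn = server.syn("192.0.2.10", 50000, now=delay)
    if isn is None:
        return False                                               # SYN dropped: queue exhausted
    return server.ack("192.0.2.10", 50000, (isn + 1) & 0xFFFFFFFF, now=delay)
```

With a 128-entry queue and a 75-second timeout, 500 spoofed SYNs lock the honest client out for the whole timeout window, while the cookie server accepts it immediately because a spoofed source can never return the HMAC it was sent. The price of SYN cookies is that the server forgets the SYN's options; real implementations encode the MSS into the cookie bits for that reason.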

Now we may categorize DoS attacks into 3 parts depending on the number of actors involved.
Direct Single-tier DoS Attacks
– Straightforward 'point-to-point' attack: two actors, attacker and victim.
– Examples
  – Ping of Death
  – SYN floods
  – Other malformed packet attacks
Direct Dual-tier DoS Attacks
– More complex attack model: the attacker works through a third party (an amplifier), so it is difficult for the victim to trace and identify the attacker.
– Examples
  – Smurf
Direct Triple-tier DDoS Attacks
– Highly complex attack model, known as Distributed Denial of Service (DDoS).
– DDoS exploits weaknesses in the very fabric of the Internet, making it very hard to protect your networks against this level of attack.
– Examples
  – TFN2K
  – Stacheldraht
  – Mstream
The Components of a DDoS Flood Network
– Attacker
  – Often a hacker with good networking and routing knowledge.
– Master servers
  – A handful of backdoored machines running the DDoS master software, controlling and keeping track of the available zombie hosts.
– Zombie hosts
  – Thousands of backdoored hosts around the world that generate the flood traffic on command.

Distributed Denial of Service Attack (DDoS)
In and around early 2000 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple compromised systems are used to attack a single target. The flood of incoming traffic to the target usually overwhelms it. As in a DoS attack, legitimate requests to the affected system are denied. Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack.
Results expected
Denial-of-service attacks can essentially disable your computer or your network; how serious that is depends on the nature of your enterprise.
Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Forms
– attempts to "flood" a network, thereby preventing legitimate network traffic
– attempts to disrupt connections between two machines, thereby preventing access to a service
– attempts to prevent a particular individual from accessing a service
– attempts to disrupt service to a specific system or person
Defense
Internet Service Providers
– Deploy source address anti-spoof filters (very important!).
– Turn off directed broadcasts.
– Develop security relationships with neighbor ISPs.
– Set up a mechanism for handling customer security complaints.
– Develop traffic volume monitoring techniques.
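The first two ISP defenses above (source address anti-spoof filtering and turning off directed broadcasts), together with the LAND check from the LAND Attack section and the Smurf amplifier abuse from the Smurf and Fraggle section, as one stateless border filter. This is an added example, not code from the original slides: the 203.0.113.0/24 "inside" prefix, the sample packets and the bogon list are constructed for illustration, and the rules mirror what BCP 38 ingress/egress filtering and a router's `no ip directed-broadcast` setting do.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    iface: str = "outside"  # "inside" = from our customers/LAN, "outside" = from the Internet


# Martian sources that must never appear on a transit link (a subset, for the example)
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


class BorderFilter:
    """Stateless per-packet rules a border router would apply on both interfaces."""

    def __init__(self, inside_prefixes):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]
        # directed-broadcast targets: the broadcast address of every internal subnet
        self.broadcasts = {str(n.broadcast_address) for n in self.inside}

    def _is_inside(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in self.inside)

    def verdict(self, pkt):
        """Return ("drop", reason) or ("accept", None). The first matching rule wins."""
        src = ipaddress.ip_address(pkt.src)
        # LAND: source == destination can never be legitimate transit traffic
        if pkt.src == pkt.dst:
            detail = " and identical ports" if pkt.proto == "tcp" and pkt.sport == pkt.dport else ""
            return "drop", f"LAND: identical source and destination address{detail}"
        if any(src in b for b in BOGONS):
            return "drop", "bogon source address"
        # BCP 38 egress: our customers may only source our own prefixes (stops spoofed SYN floods at the edge)
        if pkt.iface == "inside" and not self._is_inside(pkt.src):
            return "drop", "egress anti-spoof: internal host sourcing a foreign address"
        # BCP 38 ingress: the Internet can never legitimately hand us a packet claiming an internal source
        if pkt.iface == "outside" and self._is_inside(pkt.src):
            return "drop", "ingress anti-spoof: outside packet claims an internal source"
        # 'no ip directed-broadcast': stops our LAN from serving as a Smurf/Fraggle amplifier
        if pkt.iface == "outside" and pkt.dst in self.broadcasts:
            return "drop", "directed broadcast: Smurf/Fraggle amplifier abuse"
        return "accept", None


def audit(filt, packets):
    """Run every packet through the filter; return the drop reasons (None for accepted packets)."""
    return [filt.verdict(p)[1] for p in packets]


# Constructed sample traffic at the border of 203.0.113.0/24 (a documentation prefix)
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", "tcp", 40000, 443, syn=True, iface="inside"),  # normal outbound
    Packet("198.51.100.5", "203.0.113.10", "tcp", 443, 40000, iface="outside"),          # normal inbound
    Packet("203.0.113.10", "203.0.113.10", "tcp", 139, 139, syn=True, iface="outside"),  # LAND
    Packet("192.0.2.77", "198.51.100.5", "tcp", 1024, 80, syn=True, iface="inside"),     # spoofed SYN leaving us
    Packet("203.0.113.5", "203.0.113.10", "tcp", 2000, 80, syn=True, iface="outside"),   # spoofed inbound
    Packet("198.51.100.9", "203.0.113.255", "icmp", iface="outside"),                    # Smurf via our broadcast
    Packet("198.51.100.9", "203.0.113.255", "udp", 7, 19, iface="outside"),              # Fraggle via our broadcast
    Packet("127.0.0.1", "203.0.113.10", "tcp", 5555, 22, syn=True, iface="outside"),     # Martian source
]
```

The egress rule is the one that matters most for the Internet as a whole: a spoofed SYN flood or Smurf trigger that cannot leave its source network never reaches anyone's victim, which is why the slide marks anti-spoof filtering as "very important".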
Highly loaded machines
– Look for too much traffic to a particular destination.
– Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
– Can we automate the tools? Too many queue drops on an access router could trigger source detection. (bl..
– Disable and filter out all unused UDP services.
Also
– Routers, machines, and all other Internet-accessible equipment should be checked periodically to verify that all security patches have been installed.
– Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, back doors, etc.).
– Train your system and network administrators.
– Read security bulletins, for example: www.cert.org, www.sans.org, www.eEye.com
– From time to time, listen in on the attacker community to stay informed about their latest achievements.
– Be in contact with your ISP. If your network is being attacked, this can save a lot of time.
Can both do better some day?
– ICMP Traceback messages.
– Warning: this technique is an idea that is untested in practice.
ICMP
It is a message type usually used to indicate errors on the network: a request did not complete, a router is not reachable.
Unlike TCP and UDP, it is also used mainly as a diagnostic to check communication between nodes. It goes out as an echo request (ping) to determine:
1) whether the host is reachable;
2) how long packets take to get to and from the host.
ICMP Traceback
It is the way we determine the real source of an attacker, especially in DoS attacks and their variants, by working back hop by hop to the original point. There are 2 methods:
1) IP logging.
2) IP marking.
In IP logging, log information is stored in tables at each router; when we trace back we consult the tables at each router and finally reach the source.
In IP marking, each router adds identifying information to each packet as it forwards it, so the packet itself carries its real path.
ICMP Traceback
– For a very few packets (about 1 in 20,000), each router sends the destination a new ICMP message indicating the previous hop for that packet.
– The traffic increase at the endpoint is about 0.1%, probably acceptable.
– Issues: authentication, loss of traceback packets, load on routers.
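A simulation of the probabilistic ICMP Traceback scheme described above, as an added example that is not part of the original slides. Every router on the path forwards each packet and, with the slide's probability of 1 in 20,000, also sends the victim a message naming itself and the hop it received the packet from; the victim chains those messages from its own edge router back toward the attacker's ingress. The router names, the six-hop path and the flood sizes are constructed; with six hops the overhead is 6/20,000 = 0.03%, and the slide's 0.1% figure corresponds to a path of about 20 hops.

```python
import random

MARK_PROBABILITY = 1 / 20000          # per router, per forwarded packet (the slide's 1 in 20,000)
INGRESS = "attacker-ingress"          # sentinel: the first router can only name the link it came in on


def simulate_flood(path, n_packets, seed=1):
    """Forward n_packets along `path` (first hop nearest the attacker, last hop nearest the victim).
    Returns the (router, previous_hop) traceback messages the victim receives."""
    rng = random.Random(seed)        # fixed seed so the example is reproducible
    messages = []
    for _ in range(n_packets):
        prev = INGRESS
        for router in path:
            if rng.random() < MARK_PROBABILITY:
                messages.append((router, prev))
            prev = router
    return messages


def reconstruct_path(messages, last_hop):
    """Chain the messages from the victim's own edge router back toward the attacker.
    Stops early where a hop never emitted a message (the 'loss of traceback packets' issue)."""
    prev_of = {}
    for router, prev in messages:
        prev_of.setdefault(router, prev)       # repeated messages carry the same link information
    chain = [last_hop]
    while prev_of.get(chain[-1], INGRESS) != INGRESS:
        chain.append(prev_of[chain[-1]])
    return chain[::-1]                          # attacker side first, victim's router last


def overhead(messages, n_packets):
    """Fraction of extra packets the victim sees: roughly hops * MARK_PROBABILITY."""
    return len(messages) / n_packets
```

The simulation also shows why the scheme only works against floods: a few thousand packets leave most hops unreported and the chain stops at the first gap, while a flood of 200,000 packets reports every hop about ten times over. The messages here are unauthenticated, so a real deployment would have to sign them; otherwise an attacker can inject fake "previous hop" messages and point the trace at an innocent network.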
Overview: what happens these days
Throw away requests
(Slide illustration: the client says "Hello?" while the server's buffer is full and the request is discarded.)
Problem: legitimate clients must keep retrying.
IP tracing (or SYN cookies)
(Slide illustration: the client identifies itself, "Hi. My name is 10.100.16.126", and the server ties the request to that address instead of holding buffer state for it.)
Problem: can be evaded, particularly on, e.g., Ethernet.
Digital signatures
(Slide illustration: the client signs its request; the server checks the signature before spending buffer space.)
Problems: requires a carefully regulated PKI; does not allow for anonymity.
Connection timeout
Problem: hard to achieve a balance between security and latency demands.
A Solution: client puzzles
by Juels and Brainard, with improvements by Wang and Reiter
Intuition
(Slide illustration: the saboteur asks "Table for four at 8 o'clock. Name of Mr. Smith." The restaurateur answers "Please solve this puzzle." Only after the saboteur replies "O.K." does the restaurateur confirm "O.K., Mr. Smith.")
Intuition
Suppose:
– A puzzle takes an hour to solve
– There are 40 tables in the restaurant
– You can reserve at most one day in advance
Then a single saboteur can hold at most 24 of the 40 tables on any day, and the cost of each bogus reservation is borne by the saboteur, not the restaurant.
The client puzzle protocol
(Slide illustration: the client sends service request R; the server returns a puzzle; the client returns the solution; the server replies "O.K." and only then allocates buffer space.)
What does a puzzle look like?
Puzzle basis: partial hash inversion
– Pre-image X (160 bits); the client is given X' with k bits of X missing
– hash(X) = image Y
– The pair (X', Y) is a k-bit-hard puzzle: the client must try up to 2^k values for the missing bits until hash(candidate) = Y
Puzzle construction
(Slide: the client sends service request R; the server holds a secret S.)
Server computes:
– pre-image X = hash(secret S, time T, request R)
– image Y = hash(X)
– puzzle: X' (X with k bits hidden) and Y
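The Juels–Brainard puzzle construction from the figure above, carried through in code as an added example (not code from the original slides or from the cited papers). The server hashes (secret S, time T, request R) into the pre-image X, hashes X into the image Y, and hands the client (X', Y) where X' is X with its low k bits erased; the client tries up to 2^k candidates, and the server verifies with a single hash by recomputing X from S, T and R, so it stores nothing per request. SHA-1 is used to match the 160-bit image in the slides; the secret, the request text and the 60-second freshness window are constructed for the example.

```python
import hashlib
import hmac
import time

HASH = hashlib.sha1       # 160-bit output, as in the slide
DIGEST_BYTES = 20


def _h(*parts):
    """Hash the concatenation of byte strings with a separator."""
    return HASH(b"|".join(parts)).digest()


def make_puzzle(secret, t, request, k):
    """Server side: returns (X', Y, T). X' is X with its low k bits zeroed."""
    x = _h(secret, str(t).encode(), request)          # pre-image X = hash(S, T, R)
    y = _h(x)                                          # image Y = hash(X)
    x_int = int.from_bytes(x, "big")
    x_prime = (x_int >> k) << k                        # hide the k low-order bits
    return x_prime.to_bytes(DIGEST_BYTES, "big"), y, t


def solve_puzzle(x_prime, y, k):
    """Client side: brute-force the k missing bits until hash(candidate) == Y.
    Expected work is 2^(k-1) hashes; the server's work is one hash regardless of k."""
    base = int.from_bytes(x_prime, "big")
    for guess in range(1 << k):
        candidate = (base | guess).to_bytes(DIGEST_BYTES, "big")
        if _h(candidate) == y:
            return candidate
    return None


def verify_solution(secret, t, request, solution, now, max_age=60):
    """Server side: recompute X from S, T, R and compare in constant time.
    Rejects stale puzzles so a solution cannot be stockpiled and replayed later."""
    if solution is None or not 0 <= now - t <= max_age:
        return False
    expected = _h(secret, str(t).encode(), request)
    return hmac.compare_digest(expected, solution)


def handshake(k=16, request=b"GET /reserve?table=4&time=20:00", secret=b"server-secret-S"):
    """Full exchange: the server issues a puzzle, the client solves it, the server verifies."""
    t = int(time.time())
    x_prime, y, t = make_puzzle(secret, t, request, k)
    solution = solve_puzzle(x_prime, y, k)
    return verify_solution(secret, t, request, solution, now=t + 1)
```

Because X depends on the request R and the time T, a solution is bound to one request in one time window: it cannot be reused for another request, and it expires. The server can raise k under load to make each bogus request cost the attacker more, which is the one-hour-per-puzzle intuition from the restaurant slides.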
Puzzles cannot always be used
– The attack may be performed on phones, SMS, MMS or physical mail
– It may not be possible to add puzzles
– Sometimes the adversary will be more powerful than normal users (e.g., a computer vs. a cell phone)





Presented to Dr. Loa’e Al-Tawalbeh
Prepared by Mohammed Hussain
Course: Intrusion Detection and Hacker Exploits
Winter, January 2007