Denial of Service: World's Attacks
Prepared by: Mohammed Mahmoud Hussain
Supervised by: Dr. Lo'ai Tawalbeh
NYIT, winter 2007

Good News / Bad News
The Internet and networks give us better connectivity:
– Share information
– Collaborate (a)synchronously
The Internet and networks also give "the bad guys" better connectivity:
– Viruses can spread more easily
– Attackers now have easier access to your information as well

Why do I want to be secure? (What's in it for me?)
You can ensure private information is kept private.
– Some things are for certain eyes only, and you probably want to keep them that way.
– Is someone looking over your shoulder (physically or virtually)?

The 3 Main Forms of Bad Guys
– Virus/Worm
– Trojan
– Denial of Service

Viruses / Worms
Most widely known, thanks to press coverage.
What is it?
– Computer programs written by bad guys to do malicious things, often triggered by a specific event.
– Example: a Word macro virus that sends out junk email when the Word document is opened.

Trojan horse
Most dangerous of all.
What is it?
– Computer programs, often written by good guys but used by bad guys, that give them a back door into the intended computer.
– Example: a remote management application that runs in the background and allows the bad guys to "get in" and use your computer as they wish.
Typically cannot be safely removed; you must start from a working backup or from scratch, because:
– Deleting/modifying data files is one of their goals
– Stealing personal information is another
– Interrupting/destroying business processes (have a contingency plan)

Denial of Service (DoS)
– Too many requests for a particular web site "clog the pipe" so that no one else can access the site
– Also includes malformed-packet attacks such as the LAND attack
Possible impacts:
– May reboot your computer
– Slows down computers
– Certain sites or applications become inaccessible
In short: you are offline.
Where do they come from?
Everyone has to know that they come from 3 places:
– "New Files"
– "Viewed Content"
– "Exposed Services"
Typical sources:
– Unwanted email with attachments you weren't expecting
– Programs downloaded from less than trustworthy locations on the Internet
– File sharing programs (P2P)
– Websites that will "install" things for you
The more open doors your computer has, the more chance of someone coming in.

What is a Denial of Service Attack?
"An attack in which the primary goal is to deny the victim(s) access to a particular resource."
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

How to take down a restaurant (Saboteur vs. Restaurateur)
Saboteur: "Table for four at 8 o'clock. Name of Mr. Smith."
Restaurateur: "O.K., Mr. Smith."
The saboteur (or many saboteurs) keeps making reservations that will never be used, until the restaurateur has to tell real customers:
Restaurateur: "No more tables!"

Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack.

Categories of DoS attack
– Bandwidth attacks
– Protocol exceptions
– Logic attacks
A bandwidth attack is the oldest and most common DoS attack. In this approach, the attacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access by users.
A protocol attack is a trickier approach, but it is becoming quite popular. Here, the attacker sends traffic in a way that the target system never expected, such as a flood of SYN packets.
The third type is a logic attack. This is the most advanced type of attack because it requires a sophisticated understanding of networking.
A classic example of a logic attack is a LAND attack, where an attacker sends a forged packet with the same source and destination IP address. Many systems are unable to handle this kind of confused activity and subsequently crash.

Types of DoS Attacks
This section introduces the common types of DoS attacks, many of which can also be carried out as a DDoS attack.

Ping of Death
A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It is also a valuable tool for troubleshooting and diagnosing problems on a network. As the diagram on the slide showed, a normal ping consists of two messages: an ICMP echo request and an ICMP echo reply. With a Ping of Death attack, an echo packet is sent that is larger than the maximum IP packet size of 65,535 bytes. The packet is broken down into smaller fragments, but when it is reassembled it turns out to be too large for the receiving buffer. Systems that are unable to handle such abnormalities either crash or reboot.
The slides show the attack being launched from Linux with `ping -f -s 65537`. Note the use of the `-f` (flood) switch, which causes the packets to be sent as quickly as possible. Often the cause of a DoS is not just the size or amount of traffic, but the rapid rate at which packets are sent to the target. Caveat for today's reader: current ping implementations refuse a payload larger than 65,507 bytes (65,535 minus the 20-byte IP and 8-byte ICMP headers), and operating systems patched since the late 1990s reassemble oversized fragments safely, so the command only illustrates the idea.
Tools: Jolt, SPing, ICMP Bug, IceNewk

Smurf and Fraggle
A Smurf attack is another DoS attack that uses ICMP. Here, an ICMP echo request is sent to a network broadcast address with the target as the spoofed source. When the hosts on that network receive the echo request, they all send an echo reply back to the target. Sending multiple Smurf attacks at a single target in a distributed fashion might succeed in crashing it. If a broadcast ping cannot be sent to the target's own network, a Smurf amplifier is used instead: a network that accepts broadcast pings from the attacker and sends the ping replies to the target host on a different network.
Nmap provides the capability to detect whether a network can be used as a Smurf amplifier, i.e. whether it answers directed-broadcast pings. A variation of the Smurf attack is the Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP services that operate on UDP ports 19 and 7. Both of these services behave much like ICMP ping: they respond to requesting hosts to show that they are active on the network, so a spoofed request to a broadcast address again produces a flood of replies at the target.

LAND Attack
In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reported in 1997), both Windows XP with Service Pack 2 and Windows Server 2003 were found to be vulnerable to it again. hping can be used to craft packets with the same spoofed source and destination address.

SYN flood
A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake: TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between the two hosts. In a SYN flood these rules are violated: the attacker sends a flood of SYN packets, usually from spoofed addresses, and never answers the target's SYN-ACK with the final ACK. The target's TCP/IP stack waits a certain amount of time before dropping each unanswered connection, so the attack keeps the target's SYN_RECEIVED connection queue filled.
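The three malformed-packet attacks above (Ping of Death, Smurf/Fraggle, LAND) all have a purely local, stateless or near-stateless signature that a border filter or IDS can check. The following checker is an added example, not code from the slides or from any tool mentioned on them. It works on packets represented as plain dicts with this example's own field names (`proto`, `src`, `dst`, `sport`, `dport`, `flags`, `icmp_type`, `ip_id`, `frag_offset`, `payload_len`); the sample packets and the `192.0.2.0/24` local network are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

IPV4_MAX_TOTAL_LEN = 65535   # 16-bit total-length field: no datagram may exceed this
IPV4_HEADER_LEN = 20         # header without options
FRAGGLE_PORTS = {7, 19}      # UDP echo and chargen
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_land(pkt):
    """LAND: a TCP SYN whose source address:port equals its destination address:port."""
    return (pkt["proto"] == "tcp" and "S" in pkt.get("flags", "")
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def broadcast_amplification(pkt, local_net):
    """Smurf (ICMP echo request) or Fraggle (UDP echo/chargen) aimed at a broadcast
    address. Returns the attack name or None."""
    dst = ipaddress.ip_address(pkt["dst"])
    net = ipaddress.ip_network(local_net)
    if dst != net.broadcast_address and dst != LIMITED_BROADCAST:
        return None
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
        return "smurf"
    if pkt["proto"] == "udp" and pkt.get("dport") in FRAGGLE_PORTS:
        return "fraggle"
    return None


class FragmentTracker:
    """Ping of Death: tracks, per datagram, the highest byte any fragment would occupy
    after reassembly; a fragment that pushes the datagram past 65,535 bytes is flagged
    without ever buffering the fragments themselves."""

    def __init__(self):
        self._high = defaultdict(int)

    def oversized(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])   # IP reassembly identity
        end = pkt["frag_offset"] * 8 + pkt["payload_len"]   # offsets are in 8-byte units
        self._high[key] = max(self._high[key], end)
        return self._high[key] + IPV4_HEADER_LEN > IPV4_MAX_TOTAL_LEN


def check_packets(packets, local_net):
    """Return (index, verdict) pairs for every packet matching one of the patterns."""
    tracker = FragmentTracker()
    verdicts = []
    for i, pkt in enumerate(packets):
        if is_land(pkt):
            verdicts.append((i, "land"))
        amp = broadcast_amplification(pkt, local_net)
        if amp is not None:
            verdicts.append((i, amp))
        if "frag_offset" in pkt and tracker.oversized(pkt):
            verdicts.append((i, "ping-of-death"))
    return verdicts


# Constructed sample traffic (assumption: our network is 192.0.2.0/24).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 139, "dst": "192.0.2.10", "dport": 139, "flags": "S"},
    {"proto": "icmp", "icmp_type": 8, "src": "198.51.100.7", "dst": "192.0.2.255"},
    {"proto": "udp", "src": "198.51.100.7", "sport": 7, "dst": "192.0.2.255", "dport": 7},
    {"proto": "icmp", "icmp_type": 8, "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"proto": "icmp", "icmp_type": 8, "src": "10.0.0.5", "dst": "192.0.2.10",
     "ip_id": 0x1234, "frag_offset": 0, "payload_len": 1480},
    {"proto": "icmp", "src": "10.0.0.5", "dst": "192.0.2.10",
     "ip_id": 0x1234, "frag_offset": 8190, "payload_len": 24},   # 65520 + 24 bytes of payload
]

if __name__ == "__main__":
    for index, verdict in check_packets(SAMPLE_PACKETS, "192.0.2.0/24"):
        print(f"packet {index}: {verdict}")
```

The Ping of Death check is the interesting one: the last fragment alone looks harmless (24 bytes), and only its offset reveals that the reassembled datagram would be 65,564 bytes. A stack that allocates a 65,535-byte reassembly buffer and copies by offset is exactly what the attack overflowed, and the fix in patched stacks is the same bound check shown here.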
A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more connections can be accepted until the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet arrives to fill the queue again.
SYN floods are still successful today for three reasons:
1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.
2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.
3) SYN packets can be spoofed because the attacker never needs the target's response. As a result, the attacker can choose random IP addresses to launch the attack, making filtering difficult for security administrators.

An example: TCP SYN flooding
Client (spoofed address): "TCP connection, please." (SYN)
Server: "O.K. Please send ACK." (SYN-ACK; an entry is reserved in the server's buffer)
The ACK never comes. Each spoofed SYN occupies a buffer entry until it times out, and the buffer fills.

Now we may categorize DoS attacks into 3 kinds depending on the number of actors involved.
Direct single-tier DoS attacks
– Straightforward "point-to-point" attack: two actors, attacker and victim.
– Examples: Ping of Death, SYN floods, other malformed-packet attacks
Direct dual-tier DoS attacks
– More complex attack model; an intermediate network relays or amplifies the traffic.
– Difficult for the victim to trace and identify the attacker.
– Example: Smurf
Direct triple-tier DDoS attacks
– Highly complex attack model, known as Distributed Denial of Service (DDoS).
– DDoS exploits vulnerabilities in the very fabric of the Internet, making it virtually impossible to fully protect your networks against this level of attack.
– Examples: TFN2K, Stacheldraht, Mstream
The components of a DDoS flood network
– Attacker: often a hacker with good networking and routing knowledge.
– Master servers (handlers): a handful of backdoored machines running the DDoS master software, controlling and keeping track of the available zombie hosts.
– Zombie hosts (agents): thousands of backdoored hosts around the world that generate the actual flood.

Distributed Denial of Service Attack (DDoS)
Around 1999-2000 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple compromised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. As in a DoS attack, legitimate requests to the affected system are denied. Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack.

Results expected
Denial-of-service attacks can essentially disable your computer or your network; how damaging that is depends on the nature of your enterprise. Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Forms:
– attempts to "flood" a network, thereby preventing legitimate network traffic
– attempts to disrupt connections between two machines, thereby preventing access to a service
– attempts to prevent a particular individual from accessing a service
– attempts to disrupt service to a specific system or person

Defense
Internet Service Providers:
– Deploy source address anti-spoof filters (very important!). This is the ingress filtering of RFC 2827 / BCP 38: drop packets leaving a customer network whose source address does not belong to that network.
– Turn off directed broadcasts (on Cisco IOS, `no ip directed-broadcast` on each interface), which removes your network as a Smurf/Fraggle amplifier.
– Develop security relationships with neighbour ISPs.
– Set up a mechanism for handling customer security complaints.
– Develop traffic volume monitoring techniques.
Highly loaded machines:
– Look for too much traffic to a particular destination.
– Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
– Can we automate the tools, so that too many queue drops on an access router trigger source detection? (bl..
– Disable and filter out all unused UDP services.
– Routers, machines, and all other Internet-accessible equipment should be periodically checked to verify that all security patches have been installed.
– Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, back doors, etc.).
– Train your system and network administrators.
– Read security bulletins such as www.cert.org, www.sans.org, www.eEye.com.
– From time to time listen in on the attacker community to stay informed about their latest achievements.
– Be in contact with your ISP. If your network is being attacked, this can save a lot of time.

Can we do better some day? ICMP Traceback messages
Warning: this technique is an untested idea in practice.

ICMP
ICMP is a message type used mainly to report errors in the network: a request that cannot be completed, a router that is not reachable, and so on. Unlike TCP and UDP, it carries no application data; its echo request/reply pair (ping) is used to check communication between nodes, that is, to determine:
1) whether the host is reachable;
2) how long packets take to travel to and from the host.

ICMP Traceback
Traceback is the way we determine the real source of an attacker, especially in DoS attacks and their variants, by working back hop by hop to the original point. There are two general methods:
1) IP logging: each router stores information about the packets it forwards in a table; to trace back, the tables are queried router by router until the source is reached.
2) IP marking: each router adds identifying information to the packets it forwards, so the packets arriving at the victim carry enough to reconstruct the path to the real source.

ICMP Traceback (iTrace) is a third, sampled approach: for a very few packets (about 1 in 20,000), each router sends the destination a new ICMP message indicating the previous hop for that packet. The increase in traffic at the endpoint is about 0.1%, which is probably acceptable.
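The sampled traceback scheme above is easy to get a feel for in simulation. What follows is an added example, not code from the slides or from any iTrace implementation: a fixed route of named routers forwards a stream of attack packets, each router emits a traceback message with the slide's 1-in-20,000 probability, and the victim reconstructs the path by chaining the (previous hop, router, next hop) triples backwards from the router that delivered to it. Router names, packet counts and the seed are constructed for the demonstration.

```python
import random

VICTIM = "victim"
TRACEBACK_PROBABILITY = 1 / 20000   # the sampling rate quoted on the slide


def forward_packets(path, n_packets, p=TRACEBACK_PROBABILITY, seed=1):
    """Forward n_packets along path (first hop first, last hop adjacent to the victim).
    For each packet, every router independently decides with probability p to send the
    victim an ICMP traceback message naming its previous and next hop. Returns the
    list of messages the victim receives (in arrival order)."""
    rng = random.Random(seed)
    messages = []
    for _ in range(n_packets):
        for i, router in enumerate(path):
            if rng.random() < p:
                prev_hop = path[i - 1] if i > 0 else None    # first hop: attacker's access link
                next_hop = path[i + 1] if i + 1 < len(path) else VICTIM
                messages.append((prev_hop, router, next_hop))
    return messages


def reconstruct_path(messages):
    """Chain messages backwards from the router that forwarded to the victim.
    If some router never reported (the 'loss of traceback packets' issue on the
    slide), the chain breaks early and a partial path is returned."""
    prev_of = {}
    last_hop = None
    for prev_hop, router, next_hop in messages:
        prev_of[router] = prev_hop
        if next_hop == VICTIM:
            last_hop = router
    path = []
    node = last_hop
    while node is not None:
        path.append(node)
        node = prev_of.get(node)
    return list(reversed(path))


def overhead(messages, n_packets):
    """Fraction of extra packets the victim receives because of traceback."""
    return len(messages) / n_packets


# Constructed route: five routers between the attacker's access link and the victim.
ROUTE = ["R1-attacker-edge", "R2", "R3", "R4", "R5-victim-edge"]

if __name__ == "__main__":
    msgs = forward_packets(ROUTE, 400_000)
    print(f"{len(msgs)} traceback messages, overhead {overhead(msgs, 400_000):.4%}")
    print("reconstructed:", " -> ".join(reconstruct_path(msgs)))
```

At 1 in 20,000 per router, 400,000 attack packets yield roughly 20 messages per hop, plenty to rebuild a 5-hop path; the overhead is about 0.025% here and grows linearly with the number of hops, which is where the slide's 0.1% figure comes from. The scheme's real weaknesses are the ones the slide lists: nothing in this model authenticates the messages (an attacker can inject fake triples that point the chain at an innocent network), and a short attack may simply not generate enough samples.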
Issues: authentication of the traceback messages, loss of traceback packets, load on routers.

Overview: what servers do today when the buffer fills
– Throw away requests: the server simply drops the client's "Hello?" when its buffer is full. Problem: legitimate clients must keep retrying.
– IP tracing (or SYN cookies): the client must show it is reachable at the address it claims ("Hi, my name is 10.100.16.126") before a buffer entry is committed. Problem: can be evaded, particularly on, e.g., Ethernet, where replies to a spoofed address can be observed.
– Digital signatures: the client signs its request. Problems: requires a carefully regulated PKI; does not allow for anonymity.
– Connection timeout: the server discards half-open entries after a fixed time. Problem: hard to achieve a balance between security and latency demands.

A solution: client puzzles, by Juels and Brainard, with an improvement by Wang and Reiter (puzzle auctions, where clients choose how much work they are willing to spend).

Intuition
Saboteur: "Table for four at 8 o'clock. Name of Mr. Smith."
Restaurateur: "Please solve this puzzle first."
Saboteur: "O.K." (some time later, with the solution)
Restaurateur: "O.K., Mr. Smith."
Suppose a puzzle takes an hour to solve, there are 40 tables in the restaurant, and reservations are accepted at most one day in advance. A saboteur can then tie up at most 24 tables per day, so some tables always remain for honest diners.

The client puzzle protocol
1) Client sends a service request R.
2) Server returns a puzzle; no buffer entry is allocated yet.
3) Client solves the puzzle and sends the solution together with R.
4) Server verifies the solution and only then allocates the buffer entry: "O.K."

What does a puzzle look like? Puzzle basis: partial hash inversion.
Take a hash function with a 160-bit image. Let X be a pre-image and Y = h(X) its image, and let X' be X with k of its bits removed (the partial image). The pair (X', Y) is a k-bit-hard puzzle: the solver must find the k missing bits of X, which takes 2^(k-1) hash evaluations on average, while checking a solution takes a single hash.

Puzzle construction
The server holds a secret S. On service request R at time T it computes the pre-image X = h(S, T, R) and the image Y = h(X), and sends the puzzle (X', Y) together with T. The server stores nothing per request: when a solution comes back, it recomputes X from S, T and R and compares. Including T lets it reject stale puzzles and stops a solved puzzle from being replayed later.

Puzzles cannot always be used
– The attack may be performed on phones, SMS, MMS or physical mail, where it may not be possible to add puzzles.
– Sometimes the adversary will be more powerful than normal users (e.g., a computer vs. a cell phone).
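The construction above is short enough to write out in full. The following is an added example, not code from the slides or from the Juels-Brainard paper: the server derives the pre-image from its secret S, the time T and the request R, blanks the low k bits to make X', and later verifies by recomputation, so no per-request state is kept. SHA-1 is used only because the slide shows a 160-bit image; the length-prefixed hashing helper, the secret, the request string and the expiry window are this example's own choices.

```python
import hashlib
import hmac

HASH_LEN = 20   # SHA-1: the 160-bit image shown on the slide (use SHA-256 in practice)


def h(*parts):
    """Hash of length-prefixed parts, so (S, T, R) cannot be re-split ambiguously."""
    m = hashlib.sha1()
    for part in parts:
        m.update(len(part).to_bytes(2, "big"))
        m.update(part)
    return m.digest()


def make_puzzle(secret, t, request, k):
    """Server side. X = h(S, T, R) is the pre-image, Y = h(X) the image, and X' is X
    with its low k bits zeroed. Nothing about the puzzle is stored on the server."""
    x = h(secret, t.to_bytes(8, "big"), request)
    x_int = int.from_bytes(x, "big")
    x_prime = ((x_int >> k) << k).to_bytes(HASH_LEN, "big")
    return {"T": t, "R": request, "k": k, "X_prime": x_prime, "Y": h(x)}


def solve_puzzle(puzzle):
    """Client side: brute-force the 2^k candidates for the missing bits (2^(k-1) hashes
    on average) until one hashes to Y. Returns the recovered pre-image X."""
    base = int.from_bytes(puzzle["X_prime"], "big")
    for missing in range(1 << puzzle["k"]):
        candidate = (base | missing).to_bytes(HASH_LEN, "big")
        if h(candidate) == puzzle["Y"]:
            return candidate
    return None


def verify_solution(secret, puzzle, solution, now, max_age):
    """Server side: one hash and a constant-time compare. The puzzle's T must be
    recent (assumed max_age window) and the solution must be exactly h(S, T, R)."""
    if now < puzzle["T"] or now - puzzle["T"] > max_age:
        return False
    expected = h(secret, puzzle["T"].to_bytes(8, "big"), puzzle["R"])
    return hmac.compare_digest(expected, solution)


if __name__ == "__main__":
    secret = b"constructed-server-secret"          # assumption: kept only on the server
    puzzle = make_puzzle(secret, 1000, b"SYN 10.0.0.5:40000", k=16)
    solution = solve_puzzle(puzzle)
    print("client found X after brute force:", solution is not None)
    print("server accepts:", verify_solution(secret, puzzle, solution, 1010, 60))
    print("stale puzzle rejected:", not verify_solution(secret, puzzle, solution, 2000, 60))
```

The asymmetry is the point: with k = 16 the client spends about 32,768 hashes per connection while the server spends one, and an attacker who wants to fill a 128-entry backlog must pay that for every slot. Because verification recomputes X from (S, T, R), a solution is bound to the request it was issued for; changing R or T invalidates it, and the server needs no table of outstanding puzzles, so the puzzle step itself cannot be used to exhaust memory. Wang and Reiter's refinement lets the server adapt k to its current load instead of fixing it in advance.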
Presented to Dr. Lo'ai Tawalbeh by Mohammed Hussain for the course Intrusion Detection and Hacker Exploits, winter (January) 2007.