Being an Intermediary for Another Attack

Prepared by: Muhammad Majali
Supervised by: Dr. Lo’ai Tawalbeh
New York Institute of Technology (winter 2007)

Introduction

The rapid development of Internet and computer technologies makes it easier for intruders to break into other people's computers. On one hand, application software becomes more and more complex and, therefore, thorough testing becomes increasingly difficult. As a result, "security holes" are unintentionally left open, and these are discovered and exploited by hackers. On the other hand, the computational power of computers is continuously increasing, which means that a large number of computers connected to the Internet can be scanned in a short time and various security holes can be discovered quite easily.

Ways of being an intermediary for another attack

1. Smurf flooding attacks
2. Distributed DoS attack by compromising others' hosts (e.g. MafiaBoy)

1. Smurf Flooding Attacks

The attacker sends a long stream of pings (ICMP echo messages) to a third party. The attacker uses IP address spoofing, making the source IP address in these pings the IP address of the victim. Consequently, the pinged hosts send their ICMP echo replies to the victim host, overwhelming it. For this attack to be successful, the third party being pinged must have a router that will broadcast the ping message to all hosts in the router's attached networks. This way, a single echo request gives rise to dozens or even hundreds of echo reply packets that will flood the victim.

Smurf Flooding Scenario

Let's look at a scenario to paint a picture of the dangerous nature of this attack. Assume a co-location switched network with 100 hosts, and that the attacker has a T1. The attacker sends, say, a 768 kb/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site".
These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies outbound. If you multiply the bandwidth, you'll see that 76.8 Mb/s is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).

Smurf Flooding DoS Attack (diagram)

Attacker 1.34.150.37; "innocent" firm whose router has broadcasting enabled; victim 60.168.47.47.
1. Single ICMP echo message, source IP 60.168.47.47 (victim), destination IP: broadcast
2. Router with broadcasting enabled
3. Broadcast echo message to every host on the firm's network
4. Echo replies to the victim

HOW TO DETERMINE IF YOUR NETWORK IS VULNERABLE

Several sites have been established to do both active and passive scanning of networks to determine whether or not directed broadcast is enabled. http://www.powertech.no/smurf/ is a site that will test-scan your network and allow you to enter a known smurf amplifier site.

How to keep your site from being an intermediary used to attack victims

The perpetrators of these attacks rely on the ability to send spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.

Disable IP-directed broadcasts at your router

In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, in order to prevent source-address-spoofed packets from entering from downstream networks or leaving for upstream networks. Additionally, router vendors have added or are currently adding options to turn off the ability to spoof IP source addresses by checking the source address of a packet against the routing table to ensure the return path of the packet is through the interface it was received on.
Configure your operating system to prevent the machine from responding to ICMP packets sent to IP broadcast addresses

If an intruder compromises a machine on your network, the intruder may try to launch a smurf attack from your network using you as an intermediary. In this case, the intruder would use the compromised machine to send the ICMP echo request packet to the IP broadcast address of the local network. Since this traffic does not travel through a router to reach the machines on the local network, disabling IP-directed broadcasts on your routers is not sufficient to prevent this attack. Some operating systems can be configured to prevent the machine from responding to ICMP packets sent to IP broadcast addresses. Configuring machines so that they do not respond to these packets can prevent your machines from being used as intermediaries in this type of attack.

Information for victims and how to suppress attacks

Filtering ICMP echo reply packets destined for your high-profile machines at the ingress interfaces of the network border routers will permit the packets to be dropped at the earliest possible point. However, this does not mean that the network access pipes won't fill, as the packets will still come down the pipe to be dropped at the router. It will, however, take the load off the system being attacked. Keep in mind that this also prevents anyone from pinging out from that machine (the replies will never reach the machine).

Distributed DoS attack by compromising others' hosts

Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an "agent" (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions.
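As an added example (Python written for this page, not code from the slides or their sources), the defensive checks the slides describe, modelled on constructed data: strict source-address validation at the attacker's ISP access router, the directed-broadcast test at the bounce site, the victim-side echo-reply flood signature, and the 768 kb/s times 100 hosts amplification figure from the scenario. The 192.0.2.0/24 and 203.0.113.0/24 prefixes, the interface names and the routing table are assumptions.

```python
import ipaddress
from collections import defaultdict

# All addresses, routes and packets below are constructed for this example.
VICTIM = "60.168.47.47"                                # victim address from the slides
BOUNCE_LAN = ipaddress.ip_network("192.0.2.0/24")      # assumed 100-host bounce site
ATTACKER_LAN = ipaddress.ip_network("203.0.113.0/24")  # assumed attacker access network

# Routing table of the attacker's ISP access router: prefix -> egress interface.
ACCESS_ROUTES = {
    ATTACKER_LAN: "cust0",                        # the customer-facing interface
    ipaddress.ip_network("0.0.0.0/0"): "wan0",    # everything else via the upstream
}

def strict_urpf_accepts(src, ingress_if, routes):
    """Source-address validation as the slides describe it: accept the packet
    only if the best route back to src leaves through the interface the
    packet arrived on (strict unicast reverse-path forwarding)."""
    addr = ipaddress.ip_address(src)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen)
    return routes[best] == ingress_if

def is_directed_broadcast_request(pkt, lan):
    """Bounce-site check: an ICMP echo request (type 8) addressed to the LAN's
    broadcast address is what disabling directed broadcasts on the router drops."""
    src, dst, icmp_type = pkt
    return icmp_type == 8 and dst == str(lan.broadcast_address)

def reply_flood_targets(packets, min_sources=50):
    """Victim-side signature: one destination receiving echo replies (type 0)
    from many distinct sources in one window, i.e. it was the spoofed source."""
    seen = defaultdict(set)
    for src, dst, icmp_type in packets:
        if icmp_type == 0:
            seen[dst].add(src)
    return {d: len(s) for d, s in seen.items() if len(s) >= min_sources}

def amplification_mbps(attacker_kbps, responding_hosts):
    """Outbound flood (Mb/s) the bounce site emits for a given inbound rate."""
    return attacker_kbps * responding_hosts / 1000

# The spoofed request as it leaves the attacker: source forged to the victim.
SPOOFED = (VICTIM, str(BOUNCE_LAN.broadcast_address), 8)
# The replies the 100 LAN hosts would send if the request were broadcast.
REPLIES = [(f"192.0.2.{h}", VICTIM, 0) for h in range(1, 101)]

if __name__ == "__main__":
    print("dropped at access router:", not strict_urpf_accepts(VICTIM, "cust0", ACCESS_ROUTES))
    print("reply flood targets:", reply_flood_targets(REPLIES))
    print("outbound Mb/s from bounce site:", amplification_mbps(768, 100))
```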
Then, when a number of agents are running on different computers, a single "handler" can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer but someone else's; your computer is just a convenient tool in a larger attack.

Installing Handler and Zombie Computers

Before initiating the denial-of-service attack, the attacker first installs attack programs on other computers. Zombie programs actually carry out the attack on the victim. Handler programs tell the zombie programs when to carry out attacks.

Implementing the Attack

Once the handler and zombie programs are in place, the attacker sends messages to the handler computers, telling them to carry out the attack. The handlers in turn tell the zombie programs under their control to carry out the attack.

Difficulty in Identification

The attacker's computer, which is two steps removed from the attack, is very difficult to identify. In addition, because zombies can be spread all over the Internet, the attack messages come from many different sources, making them difficult to filter out at border firewalls. Example: Mafiaboy.

Distributed Denial-of-Service (DDoS) Attack (diagram)

Attacker 1.34.150.37 sends attack commands to several handlers; each handler relays the attack command to the zombies under its control; the zombies send attack packets to the victim 60.168.47.47.

How to avoid your host being compromised by attackers

1. Use anti-virus software
2. Use firewall protection
3. Do not open unknown e-mail attachments
4. Disable hidden file extensions
5. Keep your system updated
6. Disable "mobile code"
7. Backups and a start-up disk
8. Consult the experts