Being an Intermediary for Another Attack New York Institute of Technology (winter 2007)

Being an Intermediary for Another Attack
Prepared By: Muhammad Majali
Supervised By: Dr. Lo'ai Tawalbeh
New York Institute of Technology (winter 2007)
Introduction

The rapid development of Internet and computer technologies makes it easier for intruders to break into other people's computers. On one hand, application software becomes more and more complex and, therefore, thorough testing becomes increasingly difficult. As a result, "security holes" are unintentionally left open, which are then discovered and exploited by hackers. On the other hand, the computational power of computers is continuously increasing, which means that a large number of computers connected to the Internet can be scanned in a short time and various security holes can be discovered quite easily.
Ways of being an intermediary for another attack

1. Smurf Flooding Attacks
2. Distributed DoS attack by compromising others' hosts (ex. MafiaBoy)
1- Smurf Flooding Attacks

The attacker sends a long stream of pings (ICMP echo messages) to a third party. The attacker uses IP address spoofing, making the source IP address in these pings the IP address of the victim. Consequently, the pinged hosts send their ICMP echo replies to the victim host, overwhelming it.

For this attack to be successful, the third party being pinged must have a router that will broadcast the ping message to all hosts in the router's attached networks. This way, a single echo request gives rise to dozens or even hundreds of echo response packets that will flood the victim.
Smurf Flooding Scenario

Let's look at a scenario to paint a picture of the dangerous nature of this attack. Assume a co-location switched network with 100 hosts, and that the attacker has a T1. The attacker sends, say, a 768kb/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site".

These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies out-bound. If you multiply the bandwidth, you'll see that 76.8 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).
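The scenario above, worked through as an added example (not part of the original slides): a constructed ICMP packet log in which one spoofed echo request reaches the bounce site's broadcast address and all 100 hosts answer the victim. The functions flag directed-broadcast echo requests, measure the amplification factor per victim from the log, and project the outbound bandwidth from the slide's 768 kb/s figure. The bounce-site prefix 203.0.113.0/24 is an assumption.

```python
"""Spot smurf amplification in a constructed ICMP packet log (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: fields are (src, dst, icmp_type); type 8 = echo
# request, type 0 = echo reply. 203.0.113.0/24 stands in for the bounce site,
# 60.168.47.47 is the victim address used in the slides.
BOUNCE_NET = ip_network("203.0.113.0/24")
VICTIM = "60.168.47.47"
LOG = [(VICTIM, "203.0.113.255", 8)]                       # spoofed request
LOG += [(f"203.0.113.{i}", VICTIM, 0) for i in range(1, 101)]  # 100 replies


def broadcast_requests(log, net):
    """Echo requests aimed at net's directed-broadcast address (bounce abuse)."""
    return [p for p in log if p[2] == 8 and ip_address(p[1]) == net.broadcast_address]


def reply_fanout(log, net):
    """Per destination: number of echo replies sent to it by hosts inside net."""
    fan = Counter()
    for src, dst, icmp_type in log:
        if icmp_type == 0 and ip_address(src) in net:
            fan[dst] += 1
    return fan


def amplification(log, net):
    """Replies leaving net per broadcast request that entered it, keyed by victim."""
    reqs = broadcast_requests(log, net)
    result = {}
    for victim, replies in reply_fanout(log, net).items():
        n_req = sum(1 for p in reqs if p[0] == victim)
        if n_req:
            result[victim] = replies / n_req
    return result


def projected_outbound_mbps(attacker_kbps, factor):
    """Bandwidth the bounce site pushes toward the victim (kb/s * factor -> Mb/s)."""
    return attacker_kbps * factor / 1000


if __name__ == "__main__":
    for victim, factor in amplification(LOG, BOUNCE_NET).items():
        print(f"{victim}: x{factor:.0f} amplification, "
              f"{projected_outbound_mbps(768, factor):.1f} Mb/s toward victim")
```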
Smurf Flooding DoS Attack (diagram): 1. the attacker (1.34.150.37) sends a single ICMP echo message with source IP 60.168.47.47 (the victim) and the broadcast address as destination IP; 2. the "innocent" firm's router, with broadcasting enabled, accepts it; 3. the echo message is broadcast to the firm's hosts; 4. the hosts' echo replies go to the victim (60.168.47.47).
HOW TO DETERMINE IF YOUR NETWORK IS VULNERABLE

Several sites have been established to do both active and passive scanning of networks to determine whether or not directed-broadcast is enabled. http://www.powertech.no/smurf/ is a site which will test scan your network and allow you to enter a known smurf amplifier site.
How to keep your site from being an intermediary used to attack victims

The perpetrators of these attacks rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.
Disable IP-directed broadcasts at your router

In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, in order to prevent source-address-spoofed packets from entering from downstream networks, or leaving for upstream networks.

Additionally, router vendors have added or are currently adding options to turn off the ability to spoof IP source addresses by checking the source address of a packet against the routing table, to ensure the return path of the packet is through the interface it was received on.
Configure your operating system to prevent the machine from responding to ICMP packets sent to IP broadcast addresses.

If an intruder compromises a machine on your network, the intruder may try to launch a smurf attack from your network using you as an intermediary. In this case, the intruder would use the compromised machine to send the ICMP echo request packet to the IP broadcast address of the local network. Since this traffic does not travel through a router to reach the machines on the local network, disabling IP-directed broadcasts on your routers is not sufficient to prevent this attack.

Some operating systems can be configured to prevent the machine from responding to ICMP packets sent to IP broadcast addresses. Configuring machines so that they do not respond to these packets can prevent your machines from being used as intermediaries in this type of attack.
Information for victims and how to suppress attacks

Filtering ICMP echo reply packets destined for your high-profile machines at the ingress interfaces of the network border routers will then permit the packets to be dropped at the earliest possible point. However, it does not mean that the network access pipes won't fill, as the packets will still come down the pipe to be dropped at the router. It will, however, take the load off the system being attacked. Keep in mind that this also prevents that machine from successfully pinging other hosts (the replies will never reach it).
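The three router-side defences described above (anti-spoofing filtering at the customer and upstream edges by checking the source against the routing table, blocking directed broadcasts, and dropping echo replies to high-profile hosts at the border) as one added example that is not part of the original slides. The routing table, interface names and the protected host 203.0.113.10 are constructed assumptions; the spoofed request reuses the slides' victim address.

```python
"""Border-router ICMP policy: strict uRPF, directed-broadcast and reply filter."""
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix -> interface through which it is reached.
# 'cust0' is a downstream customer link, 'lan0' our own LAN, 'up0' the
# upstream provider link (default route).
ROUTES = {
    ip_network("198.51.100.0/24"): "cust0",
    ip_network("203.0.113.0/24"): "lan0",
    ip_network("0.0.0.0/0"): "up0",
}
LOCAL_NETS = [n for n in ROUTES if n.prefixlen > 0]
# Constructed high-profile host whose inbound echo replies are dropped at the border.
PROTECTED = {ip_address("203.0.113.10")}
ECHO_REPLY, ECHO_REQUEST = 0, 8


def best_route(addr):
    """Longest-prefix match: interface used to reach addr (None if unrouted)."""
    matches = [(n.prefixlen, iface) for n, iface in ROUTES.items() if addr in n]
    return max(matches)[1] if matches else None


def urpf_strict(src, in_iface):
    """Strict uRPF: the return path to src must be the interface it arrived on."""
    return best_route(ip_address(src)) == in_iface


def decide(src, dst, icmp_type, in_iface):
    """Return 'accept' or the drop reason for one ICMP packet at the border."""
    dst_a = ip_address(dst)
    if not urpf_strict(src, in_iface):
        return "drop: spoofed source (uRPF)"
    if icmp_type == ECHO_REQUEST and any(dst_a == n.broadcast_address for n in LOCAL_NETS):
        return "drop: directed broadcast"
    if icmp_type == ECHO_REPLY and dst_a in PROTECTED:
        return "drop: echo reply to protected host"
    return "accept"


if __name__ == "__main__":
    # Constructed packets (src, dst, type, ingress interface): the smurf request
    # with the victim's address spoofed on the customer link, plus three others.
    for pkt in [("60.168.47.47", "203.0.113.255", ECHO_REQUEST, "cust0"),
                ("198.51.100.9", "203.0.113.255", ECHO_REQUEST, "cust0"),
                ("192.0.2.5", "203.0.113.10", ECHO_REPLY, "up0"),
                ("198.51.100.9", "192.0.2.5", ECHO_REQUEST, "cust0")]:
        print(pkt, "->", decide(*pkt))
```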
Distributed DoS attack by compromising others' hosts

Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an "agent" (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions. Then, when a number of agents are running on different computers, a single "handler" can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer, but someone else's -- your computer is just a convenient tool in a larger attack.
Installing Handler and Zombie Computers

Before initiating the denial-of-service attack, the attacker first installs attack programs on the other computers. Zombie programs actually carry out the attack on the victim. Handler programs tell the zombie programs when to carry out attacks.
Implementing the Attack

Once the handler and zombie programs are in place, the attacker sends messages to the handler computers, telling them to carry out the attack. The handlers in turn tell the zombie programs under their control to carry out the attack.
Difficulty in Identification

The attacker's computer, which is two steps removed from the attack, is very difficult to identify. In addition, because zombies can be spread all over the Internet, the attack messages come from many different sources, making them difficult to filter out at border firewalls. Example: Mafiaboy.
Distributed Denial-of-Service (DDoS) Attack (diagram): the attacker (1.34.150.37) sends attack commands to the handlers; each handler passes attack commands on to the zombies it controls; the zombies send attack packets to the victim (60.168.47.47).
How to avoid your host being compromised by attackers

1. Use anti-virus software
2. Use firewall protection
3. Do not open unknown e-mail attachments
4. Disable hidden file extensions
5. Keep your system updated
6. Disable "Mobile Code"
7. Backups and start-up disk
8. Consult the experts