Denial of Service
Attacks:
Methods, Tools, and
Defenses
Prof. Mort Anvari
Strayer University at Arlington
Introduction
Basic types of DoS attacks
Evolution of DoS tools
Overview of DoS tools
Defenses
2
What is Denial of Service
Attack?
“Attack in which the primary goal is to
deny the victim(s) access to a particular
resource.” (CERT/CC)
Very vide definition,
covers lots of cases
This tutorial covers only
subset of all DoS attacks
3
Modes of
Denial of Service Attack
Consumption of limited resources



Network connectivity
Bandwidth consumption
Other resources:



Processing time
Disk space
Lockout of an account
Alteration of configuration information
4
DoS Attacks - Statistics
There are more than 4000 attacks per week
During 2000,
27% of security professionals
detected DoS attack
against their system
In February 2000 attacks,
stream going to one of affected sites
was about 800Mb/s
5
DoS Attacks - Statistics
Overall Internet performance degradation
during February 2000 attacks
Date
Feb. 7th
PPW
5.66
PAW
5.98
CPW
+5.7%
Feb. 8th
Feb. 9th
Feb 10th
5.53
5.26
4.97
5.96
6.67
4.86
+7.8%
+26.8%
-2.2%
PPW – Performance in previous week
PAW – Performance in attacking week
Source:
Keynote Systems
CPW – Change from previous week
6
DoS Attacks - Basics
Prof. Mort Anvari
Strayer University at Arlington
DoS Attacks - Basics
Attack has two phases:
Installation of DoS tools
Committing an attack
8
DoS Attacks - Basics
Installation of DoS tools:
Finding a suitable machine:
Unprotected ports
 Vulnerable services
 Errors in operating systems
 Trojan horses and worms

Installation of the tool itself
Installation of a root-kit
9
DoS Attacks - Basics
Ping of Death
Maximum size of TCP/IP packet
is 65536 bytes
Oversized packet may
crash, freeze, reboot system
Obsolete
10
DoS Attacks - Basics
Teardrop
IP packet can be broken
Broken packet is reassembled
using offset fields
11
DoS Attacks Basics
Teardrop
Overlapping offset fields
Obsolete
12
DoS Attacks - Basics
Client
Syn flood attack
TCP Syn handshake
Server
Finite length
of backlog queue
Lots of
half-open connections
Partially solved
13
DoS Attacks - Basics
Victim
UDP flood
Spoofed
Request
Victim
Attacker
UDP echo service
UDP chargen service
Spoofed address
Easy prevention
Brute force approach
if this one doesn’t work
14
DoS Attacks - Basics
Attacker
Intermediate
Systems
Smurf attack
ICMP packets
Broadcast request
Spoofed address
Two victims
Cannot be
easily prevented
Victim
15
Evolution of
DoS Attacks
Defenses were improved
Technology was improved, as well
Attackers had to improve their
techniques for attacks
16
Evolution of
DoS Attacks
Packet processing rate
is more limiting than bandwidth
CPU can be a limit in SYN flood attack
“Reflected” attacks
Intermediate
Attacker
Bad packet
Victim
ICMP Reply
17
(R)evolution of
DoS Attacks
Distributed DoS tools and networks
Client-Server architecture
Open-source approach
Several layers
Difficulties in tracking back the attacker
18
Evolution of
DoS Attacks
All of the systems are compromised
Terminology:
Client
 Handler
 Agent

19
Evolution of
DoS Attacks
Implications of DDoS network:
One or two attackers
Small number of clients
Several handlers
Huge number of agents
Humongous traffic
20
DoS Attacks - Tools
Prof. Mort Anvari
Strayer University at Arlington
DoS Attacks - Tools
History of DoS tools:
IRC disable tools
Single attack method tools
Distributed tools,
with possibility of selecting
the type of attack
22
DoS Attacks - Tools
Trinoo
Distributed
UDP flood (brute force)
Menu operated
Agent passwords are sent in plain text form
(not encrypted)
23
DoS Attacks - Tools
TFN (Tribal Flood Network)
Multi-type attack
UDP flood
SYN flood
ICMP_ECHOREPLY flood
Smurf
Handler keeps track of its agents
in “Blowfish” encrypted file
24
DoS Attacks - Tools
TFN2K
Improved version of TFN
Agent can randomly alternate
between the types of attack
Agent is completely silent - handler
sends the same command several times,
hoping that agent will receive at least one)
25
DoS Attacks - Tools
TFN2K
All communication is encrypted
Random source IP address and port number
Decoy packets (sent to non-target networks)
26
DoS Attacks - Tools
Stacheldraht
Several levels of protection:
Hard-coded password in client
 Password is needed
to take control over handler
 Encrypted communication
between handler and agent

27
DoS Attacks - Tools
Stacheldraht
Automated update of agents
TCP is used for communication
between client and handler,
and ICMP_ECHOREPLY for communication
between handler and agent
28
DoS Attacks - Tools
Stacheldraht
ICMP_ECHOREPLY packets
are difficult to stop
Each agent has a list of its handlers
(Blowfish encrypted)
and in case that there is no such list,
agent uses several hard-coded IP addresses
Agent tests for a possibility
of spoofing the source address
29
DoS Attacks - Tools
Stacheldraht
Weakness: it uses rpc command for
update
Listening on this port
can lead to detection of an agent.
Drawback is in fact that
this can generate a lot of false alarms
(rpc is used by legitimate users too)
30
Defenses
Defenses
There is no universal solution
There are some preventions
that can help in minimizing the damage:
Prevention of becoming
the source of an attack
 Preparations for defending
against an attack

32
Defenses
Disable and filter out
chargen and echo services
Disable and filter out
all unused UDP services.
Good practice is to
block all UDP ports below 900
(excluding some specific ports
like DNS)
33
Defenses
Install a filtering router
to disable following cases:


Do not allow packet to pass through
if it is coming to your network
and has a source address from your network
Do not allow packet to pass through
if it comes from your network
and has a source address that
doesn’t belong to your network
34
Defenses
Network administrators
should log all information
on packets that are dropped
If you are providing external UDP services,
monitor them for signs of misuse
35
Defenses
The following networks
are defined as reserved private networks,
and no traffic should ever be received from
or transmitted to these networks
through a router:





10.0.0.0 to 10.255.255.255 (reserved)
127.0.0.0 to 127.255.255.255 (loopback)
172.16.0.0 to 172.31.255.255 (reserved)
192.168.0.0 to 192.168.255.255 (reserved)
0.0.0.0 and 255.255.255.255 (broadcasts)
36
Defenses
Routers, machines, and
all other Internet accessible equipment
should be periodically checked
to verify that all security patches
have been installed
System should be checked periodically
for presence of malicious software
(Trojan horses, viruses,
worms, root-kits, back doors, etc.)
37
Defenses
Train your system and network administrators
Read security bulletins like:
www.cert.org, www.sans.org, www.eEye.com
From time to time
listen on to attacker community
to be informed about their latest achievements
Be in contact with your ISP.
In case that your network is being attacked,
this can save a lot of time
38
Conclusion
Several examples of large scale DoS attacks
(yahoo, eBuy, CERT, FBI, Amazon)
Increased number of consumers
with high bandwidth technologies,
but with poor knowledge of network security
Easy accessible,
easy to use DoS attack tools
No final solution for attacks
39
This tutorial is based on research paper
done for isitworking.com
Isitworking is part of Biopop company,
Charlotte, NC, USA
So far, it was presented on:
SSGRR 2002w, L’Aquila, Italy
 YU-INFO 2002, Kopaonik, Serbia

40
Denial of Service
Attacks:
Methods, Tools, and
Defenses
Prof. Mort Anvari
Strayer University at Arlington