DDoS. Distributed Denial of Service Attacks. by Mark Schuchter.

Presentation Transcript


  1. DDoS Distributed Denial of Service Attacks by Mark Schuchter

  2. Overview • Introduction • Why? • Timeline • How? • Typical attack (UNIX) • Typical attack (Windows)

  3. Introduction • computer systems depend on limited, consumable resources (memory, processor cycles, bandwidth, ...) • Internet security is highly interdependent: a site is only as safe as the hosts that can be turned against it • a DDoS attack exhausts such a resource from many sources at once and so prevents or impairs legitimate use of the target

  4. Why? • sub-cultural status • nastiness • revenge • to gain access (e.g. take a host offline so that it can be impersonated) • economic reasons • political reasons

  5. Timeline • before 1999: point-to-point attacks (SYN flood, Ping of Death, ...); first distributed attack tools ('fapi') • 1999: more robust tools (trinoo, TFN, Stacheldraht) with auto-update and encrypted control traffic • 2000: tools bundled with rootkits, controlled via talk or IRC • 2001: worms carry DDoS features (e.g. Code Red) and time-synchronized attack start • 2002: DRDoS (distributed reflected) attack tools: spoofed SYNs sent to routers' BGP port (179/tcp; BGP = Border Gateway Protocol) so that the SYN-ACKs are bounced onto the victim • 2004: Mydoom infects thousands of hosts to attack SCO and Microsoft

  6. How? • TCP floods (various flag combinations) • ICMP echo request floods (ping floods) • UDP floods

  7. SYN attack • normal handshake: Client → Server SYN; Server → Client SYN-ACK; Client → Server ACK, connection established • attack: Attacker (spoofed source IP) → Server SYN; Server → spoofed address SYN-ACK; the ACK never arrives, so every spoofed SYN leaves a half-open connection in the server's backlog until it times out, and once the backlog is full legitimate SYNs are dropped
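As an added worked example that is not part of the original slides, the following Python models the half-open queue the slide describes (spoofed SYNs fill it, a legitimate client is refused until entries time out) and then the SYN-cookie variant in which the server keeps no state per SYN. Backlog size, the 75 s timeout, the address ranges and the secret key are assumptions chosen for illustration; no real sockets are opened.

```python
"""Toy model of a SYN flood against a listener's half-open queue, and SYN cookies.

Added example, not from the original slides. Backlog, timeout, addresses and the
secret are arbitrary assumptions; nothing here touches a real network stack.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Listener:
    """Classic listener: every SYN reserves one slot in the half-open queue."""
    backlog: int
    half_open: dict = field(default_factory=dict)   # (ip, port) -> arrival time
    dropped: int = 0
    established: int = 0

    def syn(self, src, now):
        """SYN arrives: reserve a slot and answer SYN-ACK, or drop when full."""
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now
        return True

    def ack(self, src):
        """Third packet of the handshake: promote the slot to ESTABLISHED."""
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True

    def expire(self, now, timeout):
        """Reap half-open entries whose SYN-ACK was never acknowledged."""
        stale = [s for s, t in self.half_open.items() if now - t >= timeout]
        for s in stale:
            del self.half_open[s]
        return len(stale)


def spoofed_sources(n):
    """n distinct forged (ip, port) tuples; nobody will ever ACK on their behalf."""
    return [("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), 1024 + i)
            for i in range(n)]


def simulate_syn_flood(n_spoofed=512, backlog=128, timeout=75):
    """Return what one legitimate client experiences during and after the flood."""
    srv = Listener(backlog)
    for src in spoofed_sources(n_spoofed):        # burst of spoofed SYNs at t=0
        srv.syn(src, now=0)
    legit = ("192.0.2.10", 40000)
    during = srv.syn(legit, now=1)                # queue is full: SYN silently dropped
    srv.expire(now=1 + timeout, timeout=timeout)  # attacker must keep re-flooding
    after = srv.ack(legit) if srv.syn(legit, now=1 + timeout) else False
    return {"during": during, "after": after,
            "dropped": srv.dropped, "established": srv.established}


def syn_cookie(secret, src, dst, epoch):
    """Stateless initial sequence number: keyed hash of the 4-tuple and a coarse
    timer (simplified; real SYN cookies also encode the MSS in the low bits)."""
    msg = "%s:%d>%s:%d@%d" % (src[0], src[1], dst[0], dst[1], epoch)
    return int.from_bytes(hmac.new(secret, msg.encode(), hashlib.sha256).digest()[:4], "big")


def cookie_ack_valid(secret, src, dst, ack_num, epoch):
    """Accept the ACK only if it acknowledges a cookie minted in this or the previous epoch."""
    return any(ack_num == (syn_cookie(secret, src, dst, e) + 1) & 0xFFFFFFFF
               for e in (epoch, epoch - 1))


def demo_syn_cookies(secret=b"rotate-me-regularly"):   # assumed key, not a real one
    """Spoofed SYNs now cost no memory: the server emits SYN-ACKs whose ISN is the
    cookie and stores nothing until a valid ACK proves the client is reachable."""
    dst, legit = ("198.51.100.7", 80), ("192.0.2.10", 40000)
    isn = syn_cookie(secret, legit, dst, epoch=1000)     # carried in the SYN-ACK
    good_ack = (isn + 1) & 0xFFFFFFFF
    return {
        "legit": cookie_ack_valid(secret, legit, dst, good_ack, epoch=1000),
        "forged": cookie_ack_valid(secret, legit, dst, (isn + 2) & 0xFFFFFFFF, epoch=1000),
        "stale": cookie_ack_valid(secret, legit, dst, good_ack, epoch=1003),
    }


if __name__ == "__main__":
    print(simulate_syn_flood())
    print(demo_syn_cookies())
```

The first half shows why the slide's "no ACK ever comes back" matters: the cost of the attack is one forged packet per backlog slot, while the defender pays a whole timeout interval per slot. The second half shows the standard answer to exactly that asymmetry: make the third packet, not the first, the one that allocates state.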

  8. Typical attack 1. prepare attack 2. set up network 3. communication

  9. UNIX ('trin00') – preparation I • use a stolen account (high bandwidth) as repository for: • scanners • attack tools (e.g. buffer overrun exploits) • root kits • sniffers • trin00 master and daemon programs • lists of vulnerable hosts, previously compromised hosts, ...

  10. UNIX ('trin00') – preparation II • scan large ranges of network blocks to identify potential targets (running an exploitable service) • the list is used to create a script that: • performs the exploit • sets up a command shell running as root that listens on a TCP port (1524/tcp) • connects to this port to confirm the exploit → list of owned systems

  11. UNIX ('trin00') – network I • store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet • a script walks the 'owned list' to automate installation of the daemon on each host • same goes for the trin00 master

  12. UNIX ('trin00') – network II (diagram): attacker(s) → a few masters → many daemons; the attacker talks only to the masters, each master drives its daemons, and only the daemons send flood traffic to the victim

  13. UNIX ('trin00') – communication • the attacker controls a master via telnet and a password (port 27665/tcp) • master to daemon via 27444/udp (format: arg1 password arg2) • daemon to master via 31335/udp • 'dos <pw> 192.168.0.1' sent to the master triggers an attack on that address
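As an added example that is not part of the original slides, the following Python turns the ports from slides 10 and 13 into a detector over connection records and uses the direction of each control flow to infer which host plays attacker, master or daemon. The record format and the sample records are constructed for this example; 'xxxxxx' stands in for the password and 'cmd' for the first argument of the master-to-daemon message, neither of which the slides specify.

```python
"""Detect trin00 control traffic and the 1524/tcp root shell in connection records.

Added example, not from the original slides. Record format, sample records and
the placeholder payload tokens ('xxxxxx', 'cmd') are constructed for this example.
"""
import re
from collections import defaultdict

# Ports as given on the slides
ROOT_SHELL = ("tcp", 1524)          # slide 10: root shell left behind by the exploit script
MASTER_LOGIN = ("tcp", 27665)       # slide 13: attacker -> master (telnet + password)
MASTER_TO_DAEMON = ("udp", 27444)   # slide 13: master -> daemon commands
DAEMON_TO_MASTER = ("udp", 31335)   # slide 13: daemon -> master replies

# Assumed record format: "<ts> <proto> <src>:<port> -> <dst>:<port> "<payload>""
FLOW_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*'
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)'
    r'(?:\s+"(?P<payload>[^"]*)")?\s*$')
IPV4_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

# Constructed sample records (not real captures): an attacker confirms a root shell,
# logs in to a master, orders an attack, the master relays it, the daemon replies,
# followed by two benign flows.
SAMPLE_FLOWS = """\
2004-02-01T10:00:01 tcp 203.0.113.5:4411 -> 198.51.100.7:1524 "id; uname -a"
2004-02-01T10:02:13 tcp 203.0.113.5:4412 -> 198.51.100.7:27665 ""
2004-02-01T10:02:20 tcp 203.0.113.5:4412 -> 198.51.100.7:27665 "dos xxxxxx 192.0.2.80"
2004-02-01T10:02:21 udp 198.51.100.7:1025 -> 198.51.100.20:27444 "cmd xxxxxx 192.0.2.80"
2004-02-01T10:02:22 udp 198.51.100.20:1026 -> 198.51.100.7:31335 ""
2004-02-01T10:05:00 tcp 192.0.2.33:51234 -> 198.51.100.7:80 ""
2004-02-01T10:05:02 udp 198.51.100.20:53000 -> 198.51.100.9:53 ""
"""


def parse_flow(line):
    """Parse one record into a dict, or None if the line is not a record."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["payload"] = d["payload"] or ""
    return d


def classify(flow):
    """Return (reason, role_of_src, role_of_dst), or None for a flow we do not care about."""
    key = (flow["proto"], flow["dport"])
    if key == ROOT_SHELL:
        return "root shell listener on 1524/tcp", "attacker", "compromised"
    if key == MASTER_LOGIN:
        if flow["payload"].startswith("dos "):
            return "trin00 attack command on 27665/tcp", "attacker", "master"
        return "trin00 master login on 27665/tcp", "attacker", "master"
    if key == MASTER_TO_DAEMON:
        return "trin00 master->daemon command on 27444/udp", "master", "daemon"
    if key == DAEMON_TO_MASTER:
        return "trin00 daemon->master reply on 31335/udp", "daemon", "master"
    return None


def analyse(text):
    """Collect findings, the inferred role(s) of each host and probable victims."""
    findings, roles, targets = [], defaultdict(set), set()
    for line in text.splitlines():
        flow = parse_flow(line)
        verdict = classify(flow) if flow else None
        if verdict is None:
            continue
        reason, src_role, dst_role = verdict
        findings.append((flow["ts"], flow["src"], flow["dst"], reason))
        roles[flow["src"]].add(src_role)
        roles[flow["dst"]].add(dst_role)
        # A dotted quad inside a control-channel payload is the address being attacked
        if (flow["proto"], flow["dport"]) in (MASTER_LOGIN, MASTER_TO_DAEMON):
            targets.update(IPV4_RE.findall(flow["payload"]))
    return {"findings": findings, "roles": dict(roles), "targets": targets}


if __name__ == "__main__":
    for item in analyse(SAMPLE_FLOWS)["findings"]:
        print(*item)
```

The port numbers alone give only a weak signal (any service may happen to use them), so the code keeps the direction of each flow: a host that is contacted on 27665/tcp and then sends to 27444/udp is behaving like a master, and one that receives on 27444/udp and replies to 31335/udp like a daemon. The payload check is a bonus when a sensor captures it; the flow records on their own already expose the tree.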

  14. Windows ('Sub7') – preparation I • set up the following on your home PC: • free web-mail account • Kazaa • trojan toolkit • IRC client • IRC bot

  15. Windows ('Sub7') – preparation II • assemble different trojans (GUI) • define ways of communication • name • file

  16. Windows ('Sub7') – network I • start spreading via • e-mail / news lists • IRC • P2P software

  17. Windows ('Sub7') – network II (diagram): attacker → many infected clients; there is no master layer, the attacker controls every bot directly

  18. Windows ('Sub7') – communication • Sub7 client • IRC channel • one click to launch the attack

  19. Figure (source: CERT/CC): attack sophistication vs. intruder knowledge, 1980–2001. Techniques plotted on the curve, roughly in order of appearance: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, burglaries, hijacking sessions, back doors, sniffers, network mgmt. diagnostics, GUI, automated probes/scans, www attacks, packet spoofing, denial of service, distributed attack tools, 'stealth' / advanced scanning techniques, binary encryption. Over this period attack sophistication rises from low to high while the knowledge the attackers need falls.

  20. Solutions • statistical analysis of traffic at routers (e.g. D-WARD, at the source network's edge) – not ready for deployment yet • change people's awareness (firewalls, handling of attachments, virus scanners, ...)

  21. Thanks for your attention!
