Transcript of: DDos - University of Birmingham
DDos
Distributed Denial of Service Attacks
by Mark Schuchter
Overview
- Introduction
- Why?
- Timeline
- How?
- Typical attack (UNIX)
- Typical attack (Windows)
Introduction
DDos-Attack
- prevents and impairs computer use
- targets limited and consumable resources (memory, processor cycles, bandwidth, ...)
- Internet security is highly interdependent
Why?
- sub-cultural status
- to gain access
- political reasons
- economic reasons
- revenge
- nastiness
Timeline
- <1999: point-to-point attacks (SYN flood, Ping of death, ...), first distributed attack tools ('fapi')
- 1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
- 2000: bundled with rootkits, controlled via talk or IRC
- 2001: worms include DDos features (e.g. Code Red), include time synchronisation
- 2002: DrDos (reflected) attack tools
- 2003: Mydoom infects thousands of victims to attack SCO and Microsoft
How?
- TCP floods (various flags)
- ICMP echo requests (e.g. ping floods)
- UDP floods
SYN-Attack
Handshake (Client and Server):
  Client -> Server: SYN
  Server -> Client: SYN-ACK
  Client -> Server: ACK
Attack (Attacker with spoofed IP and Server):
  Attacker -> Server: SYN
  Server -> spoofed IP: SYN-ACK
  (no ACK ever follows)
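The slide contrasts a completed handshake with a SYN flood, where the spoofed client never sends the final ACK and the server is left holding half-open connections. As an added example (not from the slides), the following Python code shows the standard mitigation, a simplified SYN-cookie scheme: the server encodes what it needs into its initial sequence number instead of keeping per-connection state, so the flood costs it no backlog memory. The secret, addresses and timestamps are constructed for the demo, and the scheme omits the MSS encoding that real implementations carry in the cookie.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed demo secret"   # a real server draws this at random on boot

COUNT_BITS = 5               # 32 time slots of 64 s each in the top bits of the ISN
MAC_BITS = 32 - COUNT_BITS   # the remaining 27 bits carry a truncated keyed hash
MAC_MASK = (1 << MAC_BITS) - 1


def _time_count(now):
    """Coarse clock: which 64-second slot 'now' (seconds) falls into, modulo 32."""
    return int(now // 64) % (1 << COUNT_BITS)


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count):
    """Keyed hash over the 4-tuple, the client's ISN and the time slot, truncated."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & MAC_MASK


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Server ISN to put in the SYN-ACK. Nothing is stored for the half-open
    handshake, so a flood of spoofed SYNs costs the server no backlog memory."""
    count = _time_count(now)
    return (count << MAC_BITS) | _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count)


def verify_syn_cookie(ack, seq, src_ip, src_port, dst_ip, dst_port, now):
    """Check the handshake's final ACK (ack = server ISN + 1, seq = client ISN + 1).
    Only the current and the previous time slot are accepted, so a stale, forged
    or wrong-4-tuple ACK is rejected without any table lookup."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    count = cookie >> MAC_BITS
    current = _time_count(now)
    if count not in (current, (current - 1) % (1 << COUNT_BITS)):
        return False
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count)
    return hmac.compare_digest(struct.pack(">I", cookie & MAC_MASK),
                               struct.pack(">I", expected))
```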
Typical attack
1. prepare attack
2. set up network
3. communication
UNIX ('trin00') - preparation I
- use stolen account (high bandwidth) as repository of:
  - scanners
  - attack tools (e.g. buffer overrun exploit)
  - root kits
  - sniffers
  - trin00 master and daemon program
  - list of vulnerable hosts, previously compromised hosts...
UNIX ('trin00') - preparation II
- scan large range of network blocks to identify potential targets (running exploitable service)
- list used to create script that:
  - performs exploit
  - sets up cmd-shell running under root that listens on a TCP port (1524/tcp)
  - connects to this port to confirm exploit
-> list of owned systems
UNIX ('trin00') - network I
- store pre-compiled binary of trin00 daemon on some stolen account on the Internet
- script takes 'owned-list' to automate installation process of daemon
- same goes for trin00 master
UNIX ('trin00') - network II
[Diagram: attacker -> masters (3 shown) -> daemons (4 shown)]
UNIX ('trin00') - communication
- attacker controls master via telnet and a password (port 27665/tcp)
- trin00 master to daemon via 27444/udp (arg1 password arg2)
- daemon to master via 31335/udp
- 'dos <password> 192.168.0.1' triggers attack
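Because the three ports above are fixed in trin00, a defender can use them as a starting point for detection. The following Python example is added here (it is not from the slides) and infers which hosts in flow records act as attacker, master or daemon; the flow lines and their format are constructed for the demo, and a role is reported only when the same host is seen on more than one of the three channels, since a bare port match is weak evidence.

```python
import re
from collections import defaultdict
FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

# Control channels named on the slide: (proto, dst port) -> (sender role, receiver role)
C2_CHANNELS = {
    ("tcp", 27665): ("attacker", "master"),  # telnet-style session, password protected
    ("udp", 27444): ("master", "daemon"),    # commands such as 'dos <password> <target>'
    ("udp", 31335): ("daemon", "master"),    # daemon replies
}

def parse_flow(line):
    """'udp 1.2.3.4:5555 -> 5.6.7.8:27444' -> (proto, src, sport, dst, dport), else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return proto, src, int(sport), dst, int(dport)

def collect_evidence(lines):
    """host -> role -> set of channel names ('27444/udp') on which the host played that role."""
    evidence = defaultdict(lambda: defaultdict(set))
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        proto, src, _sport, dst, dport = flow
        roles = C2_CHANNELS.get((proto, dport))
        if roles is None:
            continue
        evidence[src][roles[0]].add(f"{dport}/{proto}")
        evidence[dst][roles[1]].add(f"{dport}/{proto}")
    return evidence

def strong_candidates(evidence, min_channels=2):
    """A single port match is weak (ephemeral ports fall in this range too), so a
    role is reported only when corroborated on at least min_channels distinct channels."""
    return {host: role
            for host, roles in evidence.items()
            for role, channels in roles.items()
            if len(channels) >= min_channels}

# Constructed flow records for the demo, not captured traffic.
SAMPLE_FLOWS = [
    "tcp 203.0.113.7:51234 -> 198.51.100.2:27665",  # attacker -> master
    "udp 198.51.100.2:4000 -> 192.0.2.21:27444",    # master -> daemon
    "udp 198.51.100.2:4000 -> 192.0.2.22:27444",
    "udp 192.0.2.21:6001 -> 198.51.100.2:31335",    # daemon -> master
    "udp 192.0.2.22:6002 -> 198.51.100.2:31335",
    "tcp 192.0.2.30:44000 -> 192.0.2.40:443",       # ordinary traffic, ignored
    "not a flow record",
]
```

Running `strong_candidates(collect_evidence(SAMPLE_FLOWS))` reports the master and both daemons but not the attacker host, which appears on a single channel only.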
Windows ('Sub7') - preparation I
- set up the following things on your home PC:
  - freemail
  - Kazaa
  - trojan toolkit
  - IRC client
  - IRC bot
Windows ('Sub7') - preparation II
- assemble different trojans (GUI)
- define ways of communication
  - name
  - file
Windows ('Sub7') - network I
- start spreading via
  - email/news lists
  - IRC
  - P2P software
Windows ('Sub7') - network II
[Diagram: attacker -> clients (4 shown)]
Windows ('Sub7') - communication
- sub7client
- IRC channel
- 1 click to launch attack
Development
[Chart (source: CERT/CC): attack sophistication versus intruder knowledge, 1980 to 2001, scale Low to High, with curves for Tools and Attackers. Techniques plotted: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]
Source: CERT/CC
Solutions
- statistical analyses (e.g. D-WARD) at core routers - not ready yet
- change awareness of people (firewalls, attachments, V-scanners, ...)
Thanks for your attention!