Outline
• Definition
• Point-to-point network denial of service
– Smurf
• Distributed denial of service attacks
• TCP SYN Flooding and Detection
Objectives
• Understand the concept of DoS attacks and current threat trends
• Understand SYN flooding attacks, be able to detect them at the network level, and be able to defend against them (SYN cookies)
Denial of Service Attack Definition
[Figure: two topologies. DoS: a single Source sends attack traffic through a gateway to the Target. DDoS: the BadGuy sends unidirectional commands to a layer of many Agents, and the Agents send the attack traffic to the Victim.]
Can you find the source of the attack?
• Hard to find the BadGuy
– The originator compromised the handlers that control the agents
– The originator is not active when the DDoS attack occurs
• Can try to find the agents
– The source IP address in attack packets is not reliable (it is usually spoofed)
– Need to examine traffic at many points, modify traffic (e.g. packet marking), or modify routers (e.g. traceback support)
Attack using Trin00
• In August 1999, a network of > 2,200 systems took the University of Minnesota offline for 3 days
– Attackers scanned for known vulnerabilities, then attacked with UDP traffic
– Once a host was compromised, installation of the DDoS master and agent software was scripted
– According to the incident report, it took about 3 seconds to get root access
Targets of Attack
• End hosts
• Critical servers (disrupt C/S network)
– Web, File, Authentication, Update
– DNS
• Infrastructure
– Routers within org
– All routers in upstream path
The DDoS Landscape
Attack Tools Over Time
[Figure: CERT/CC chart, 1980 to 2001. Vertical axis: Intruder Knowledge (High to Low); horizontal axis: Attack Sophistication over time. The knowledge an attacker needs falls while the sophistication of the available tools rises. Tools in roughly the order they appear: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, denial of service, network mgmt. diagnostics, distributed attack tools, "stealth"/advanced scanning techniques, binary encryption. Source: CERT/CC]
(D)DoS Tools Over Time
• 1996 - Point-to-point
• 1997 – Combined w/ multiple tools
• 1998 - Distributed (small, C/S)
• 1999 - Add encryption, covert channel comms, shell
features, auto-update, bundled w/rootkit
– trin00, Stacheldraht, TFN, TFN2K
• 2000 - Speed ups, use of IRC for C&C
• 2001 - Added scanning, IRC channel hopping, worms include
DDoS features
– Code Red (attacked www.whitehouse.gov)
– Linux “lion” worm (TFN)
• 2002 - Added reflection attack
• 2003 – IPv6 DDoS
Outline
• Definition
• Point-to-point network denial of service
– Smurf
• Distributed denial of service attacks
– Trin00, TFN, Stacheldraht, TFN2K
• TCP SYN Flooding and Detection/Defense
SYN Flooding Attack
Normal three-way handshake (C = client, S = server):

  C                                        S (listening)
  |  SYN_C  ------------------------->     |  store connection state for C
  |  <------------------- SYN_S, ACK_C     |  wait for the client's ACK
  |  ACK_S  ------------------------->     |  connected
TCP segment structure (32 bits wide):

  +--------------------------+--------------------------+
  |      source port #       |       dest port #        |
  +--------------------------+--------------------------+
  |                  sequence number                    |  counting by bytes of data
  +-----------------------------------------------------+  (not segments!)
  |               acknowledgement number                |
  +------+--------+-----------+-------------------------+
  | head |  not   |U|A|P|R|S|F|      receive window     |  # bytes receiver willing
  | len  |  used  |           |                         |  to accept
  +------+--------+-----------+-------------------------+
  |        checksum          |     urg data pointer     |  Internet checksum (as in UDP)
  +--------------------------+--------------------------+
  |             options (variable length)               |
  +-----------------------------------------------------+
  |         application data (variable length)          |
  +-----------------------------------------------------+

  Flags: URG = urgent data (generally not used); ACK = ACK # valid;
  PSH = push data now (generally not used); RST, SYN, FIN = connection
  establishment (setup, teardown commands).
SYN Flooding

  C                                        S (listening)
  |  SYN_C1  ------------------------>     |  store data (half-open entry)
  |  SYN_C2  ------------------------>     |  store data
  |  SYN_C3  ------------------------>     |  store data
  |  SYN_C4  ------------------------>     |  store data
  |  SYN_C5  ------------------------>     |  store data ... no ACK ever arrives;
                                           |  each entry sits until timeout
SYN Flooding Explained
• Attacker sends many connection requests (SYNs) with spoofed source addresses
• Victim allocates resources for each request
– Per-connection state (and in some servers a thread) is held until the handshake completes or times out
– Fixed bound on half-open connections (the listen backlog)
• Once resources are exhausted, requests from legitimate clients are denied
• This is a classic denial of service attack
– Common pattern: it costs the TCP initiator almost nothing to send a connection request (one small segment, with a forged source so no reply ever reaches it), but the TCP responder must allocate and hold state for each one: asymmetry!
Flood Detection System on Router/Gateway
• Can we maintain state for each connection flow? (Too costly at router speeds and traffic volumes)
• A stateless, simple detection system on edge (leaf) routers is desired
• Placement: first-mile and last-mile leaf routers
– First mile (router nearest the attacking hosts): detects a single large DoS source
– Last mile (router nearest the victim): detects DDoS attacks whose per-source volume is too small for the first mile to notice
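The stateless leaf-router detector sketched above, as an added example (not code from the slides). It assumes the SYN-FIN pair-counting approach with a non-parametric CUSUM change-point test, which the slides do not name; the packet trace is constructed, and the interval length, EWMA weight, drift a and alarm threshold are illustrative values. placement_demo shows why the first-mile and last-mile routers see different attacks: one agent's share of a DDoS stays under the drift, the aggregate at the victim does not.

```python
"""Stateless SYN-flood detection for a leaf router (added example; not from the
slides).  Per interval it needs two counters (SYNs, FINs) and keeps three floats
across intervals; it stores no per-flow state.  Statistic: the SYN-FIN difference
normalised by a moving average of the FIN rate, fed into a non-parametric CUSUM.
Interval length, EWMA weight, drift `a` and alarm threshold are assumed values."""
from collections import Counter

INTERVAL = 10.0   # seconds per counting interval (assumption)

def constructed_stream(normal_intervals=20, flood_intervals=5, flood_syns=800):
    """Constructed trace of (timestamp, flag) pairs: balanced SYN/FIN traffic
    (about 100 of each per interval), then `flood_intervals` intervals in which
    `flood_syns` SYNs arrive while the FIN rate stays where it was."""
    pkts = []
    for i in range(normal_intervals + flood_intervals):
        t0 = i * INTERVAL
        syns = 100 + (i % 3) if i < normal_intervals else flood_syns
        fins = 100 - (i % 2)
        pkts += [(t0 + k * INTERVAL / syns, "S") for k in range(syns)]
        pkts += [(t0 + k * INTERVAL / fins, "F") for k in range(fins)]
    pkts.sort()
    return pkts

class SynFinCusum:
    def __init__(self, a=0.5, threshold=2.0, alpha=0.8):
        self.a = a                  # drift: larger than the normal mean of x_n
        self.threshold = threshold  # alarm when the accumulated excess passes this
        self.alpha = alpha          # EWMA weight for the FIN-rate baseline
        self.fin_avg = None
        self.y = 0.0

    def update(self, syn_count, fin_count):
        """Feed one interval's counts; return (cusum value, alarm?)."""
        if self.fin_avg is None:
            self.fin_avg = float(max(fin_count, 1))
        else:
            self.fin_avg = self.alpha * self.fin_avg + (1 - self.alpha) * fin_count
        x = (syn_count - fin_count) / max(self.fin_avg, 1.0)   # ~0 in normal traffic
        self.y = max(0.0, self.y + (x - self.a))               # CUSUM of the excess
        return self.y, self.y > self.threshold

def detect(pkts):
    """Count SYN/FIN flags per interval and run the detector.  Returns the index
    of the first alarming interval (None if none) and the CUSUM trace."""
    syn, fin = Counter(), Counter()
    for ts, flag in pkts:
        bucket = int(ts // INTERVAL)
        if flag == "S":
            syn[bucket] += 1
        elif flag == "F":
            fin[bucket] += 1
    det, trace, first_alarm = SynFinCusum(), [], None
    for b in range(int(pkts[-1][0] // INTERVAL) + 1):
        y, alarm = det.update(syn[b], fin[b])
        trace.append(round(y, 3))
        if alarm and first_alarm is None:
            first_alarm = b
    return first_alarm, trace

def placement_demo():
    """80 agents each add 10 SYNs per interval.  Seen at one agent's first-mile
    router the excess is below the drift (no alarm); aggregated at the victim's
    last-mile router it alarms in the first flood interval (index 20)."""
    per_agent, agents = 10, 80
    first_mile = detect(constructed_stream(flood_syns=100 + per_agent))[0]
    last_mile = detect(constructed_stream(flood_syns=100 + per_agent * agents))[0]
    return first_mile, last_mile
```

detect(constructed_stream()) is the large single-source case and alarms in the first flood interval (index 20); the normal intervals keep the CUSUM at 0. A real deployment counts FINs (and RSTs) in both directions, so a flood that only dents the SYN/FIN balance slowly will take several intervals to cross the threshold; that delay is the price of holding no per-flow state.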
SYN cookie defense (server keeps no per-SYN state):

  C                                        S (listening...)
  |  SYN_C  ------------------------->     |  nothing stored
  |  <---------- SYN/ACK, sequence # = cookie
  |  ACK   -------------------------->     |  cookie in the ACK # is recomputed and
                                           |  checked; only then is state created
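The asymmetry described in "SYN Flooding Explained" and the cookie exchange sketched above, as one added example (not code from the slides). It first runs a spoofed flood against a listener with a fixed half-open backlog, then the same flood against a SYN-cookie listener whose server ISN carries a coarse timestamp, an MSS index and a keyed hash of the 4-tuple and client ISN. Addresses, ports, the backlog size, the MSS table and the cookie bit layout (5 + 2 + 25 bits) are assumptions made here; real kernels use the same shape with different widths and hash functions.

```python
"""SYN flood against a fixed half-open backlog, then against a SYN-cookie
listener.  Added illustration for this page, not code from the slides.
Addresses, ports, backlog size and the cookie bit layout (5 bits of time,
2 bits of MSS index, 25 bits of keyed hash) are assumptions made here."""
import hmac
import hashlib
import random

MASK = 0xFFFFFFFF
SERVER = ("198.51.100.1", 80)          # RFC 5737 documentation address (assumed)
MSS_TABLE = [536, 1300, 1440, 1460]    # the only MSS values a cookie can carry

def handshake_ack(isn_c, isn_s):
    """Client's third segment: seq = isn_c + 1, ack = isn_s + 1."""
    return (isn_c + 1) & MASK, (isn_s + 1) & MASK

class StatefulListener:
    """Classic responder: one half-open entry per SYN until ACK or timeout."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}            # (ip, port) -> (isn_s, mss)

    def on_syn(self, src, isn_c, mss, now):
        if len(self.half_open) >= self.backlog:
            return None                 # queue full: SYN dropped, client times out
        isn_s = random.getrandbits(32)
        self.half_open[src] = (isn_s, mss)
        return isn_s

    def on_ack(self, src, seq, ack, now):
        entry = self.half_open.pop(src, None)
        if entry is None or ack != ((entry[0] + 1) & MASK):
            return None
        return entry[1]                 # connection established; MSS from stored state

class CookieListener:
    """SYN-cookie responder: the server ISN encodes everything needed, so a SYN
    leaves no state behind and the backlog cannot be exhausted."""
    def __init__(self, secret):
        self.secret = secret

    def _mac25(self, src, isn_c, t):
        msg = f"{src[0]}:{src[1]}>{SERVER[0]}:{SERVER[1]}|{isn_c}|{t}".encode()
        d = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(d[:4], "big") & 0x1FFFFFF

    def on_syn(self, src, isn_c, mss, now):
        mss_idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                mss_idx = i             # largest table entry not above the offered MSS
        t = now & 0x1F                  # coarse clock tick (e.g. minutes) mod 32
        return (t << 27) | (mss_idx << 25) | self._mac25(src, isn_c, t)

    def on_ack(self, src, seq, ack, now):
        cookie = (ack - 1) & MASK
        isn_c = (seq - 1) & MASK        # client ISN recovered from the ACK's seq
        t, mss_idx = cookie >> 27, (cookie >> 25) & 0x3
        if (now - t) & 0x1F > 1:        # older than one tick: reject (replay window)
            return None
        if (cookie & 0x1FFFFFF) != self._mac25(src, isn_c, t):
            return None                 # forged cookie or wrong 4-tuple
        return MSS_TABLE[mss_idx]       # connection established from the cookie alone

def run_flood(listener, spoofed=1000, legit=20, now=0):
    """Send `spoofed` SYNs that are never ACKed, then count how many of `legit`
    well-behaved clients complete the handshake."""
    rng = random.Random(1)
    for _ in range(spoofed):
        ip = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        listener.on_syn((ip, rng.randrange(1024, 65535)), rng.getrandbits(32), 1460, now)
    completed = 0
    for i in range(legit):
        src, isn_c = ("192.0.2.10", 40000 + i), rng.getrandbits(32)
        isn_s = listener.on_syn(src, isn_c, 1460, now)
        if isn_s is not None and listener.on_ack(src, *handshake_ack(isn_c, isn_s), now):
            completed += 1
    return completed

def demo():
    """(legit handshakes completed without cookies, with cookies) -> (0, 20)"""
    return (run_flood(StatefulListener(backlog=128)),
            run_flood(CookieListener(secret=b"rotate-this-periodically")))

def cookie_checks():
    """Valid ACK yields the encoded MSS; a forged ACK # and a stale cookie are rejected."""
    l, src, isn_c = CookieListener(b"k"), ("203.0.113.7", 51000), 1000
    isn_s = l.on_syn(src, isn_c, 1440, now=5)
    seq, ack = handshake_ack(isn_c, isn_s)
    return (l.on_ack(src, seq, ack, now=5),          # 1440
            l.on_ack(src, seq, 0xDEADBEEF, now=5),   # None: outside the time window
            l.on_ack(src, seq, ack, now=9))          # None: cookie from tick 5 is stale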
• Combined attacks
– Targa: bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke
– Rape: teardrop v2, newtear, boink, bonk, frag, fucked, troll icmp, troll udp, nestea2, fusion2, peace keeper, arnudp, nos, nuclear, sping, pingodeth, smurf, smurf4, land, jolt, pepsi
1998
• fapi (May 1998)
– UDP, TCP (SYN and ACK), ICMP Echo, "Smurf" extension
– Runs on Windows and Unix
– UDP comms
– One client spoofs src, the other does not
– Built-in shell feature
– Not designed for large networks (fewer than 10 hosts)
– Not easy to set up or control the network
• IPv6 DDoS
– 4to6 (doesn’t require IPv6 support)
Single host in DDoS
2001
• Worms include DDoS features
– Code Red (attacked www.whitehouse.gov)
– Linux “lion” worm (TFN)
• Added scanning, BNC, IRC channel hopping (“Blended
threats” term coined in 1999 by AusCERT)
– “Power” bot
– Modified “Kaiten” bot
• Include time synchronization (?!!)
– Leaves worm
Power bot
foo: oh damn, it's gonna own shitloads
foo: and it will take them 24 hours to scan the whole ip range
...
bar: cool
2002
• Distributed reflected attack tools
– d7-pH-orgasm
– drdos (reflects NBT, TCP SYN :80, ICMP)
• Reflected DNS attacks, stealthy (NVP, IP protocol 11) and encoded covert channel comms, closed-port back door
– Honeynet Project Reverse Challenge binary:
http://project.honeynet.org/reverse/results/project/020601-Analysis-IP-Proto11-Backdoor.pdf
2003
• Slammer worm (effectively a DDoS on local
infrastructure)
• Windows RPC DCOM insertion vector for “blended
threat” (CERT reports “thousands”)
• More IPv6 DoS (requires IPv6 this time)
– ipv6fuck, icmp6fuck