Susceptibilities

Denial of Service Attacks
Lesson 15
Types of DoS Attacks
  Bandwidth Consumption
    Attackers consume all available bandwidth on a particular network.
    Often an issue of who has the larger “pipe”
  Resource Starvation
    Focuses on consuming resources of a target system as opposed to the network as a whole.
  Programming Flaws
    Failure of a system to handle exceptional conditions or input.
  Routing and DNS attacks
    Attackers attempt to manipulate routing table entries to deny service to legitimate systems or networks.
Denial of Service (DoS)
  Different ways to categorize them
  Nature of attack
    Poisoned traffic: malformed or invalid data that can’t be properly handled
    Brute-force resource: simply use up all available capacity
    Stateful resource: take advantage of client/server relationship in protocols
  “Target” of attack
    Operating system attacks: target flaws in specific operating systems
    Networking attacks: exploit inherent limitations of networking
Sources of the Attack
  Can come from many (any) places in the network
  An attacker can hide the source of an attack through IP spoofing
  Attackers can also hide their identity by enslaving unwitting victims.
    “owned” or “zombie” agents
  When an attacker uses many zombie agents together simultaneously, the result is a Distributed Denial of Service (DDoS) attack
Generic DoS Attacks
  Attacks that are capable of affecting different types of systems are known as generic attacks.
  Generally these fall into the bandwidth consumption category.
  One example would be email-bombing
  Smurf attack (aka ICMP Storm, Ping flooding)
    Takes advantage of directed broadcasts on networks
    Will send an ICMP ECHO request to the broadcast address on a network with a spoofed from address, making it seem as if it came from the target system.
    All systems on the network will respond to this address
    Thus with one request you can have up to 254 responses
    Variation on this is a fraggle attack, which uses UDP instead of ICMP.
More Attacks
  SYN Flood
    Exploits TCP 3-way handshake
      System A sends SYN packet to specific listening port on System B.
      System B will send a SYN/ACK packet to System A
      System A responds with ACK, connection established
    In the attack
      Attacker sends SYN packet with spoofed from address
      Target tries to respond to address given, waits for ACK; its SYN/ACK goes off to “never-never land”
      Attacker repeats until queue is filled
    Queue may be as small as 10 available connection requests. Timeout generally anywhere from 75 seconds to over 20 minutes.
    Attack used in trusted host exploitation as well as DoS
    Countermeasures: bigger queue, shorter waits, detection
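The following is an added illustration, not from the lecture: it replays a constructed log of handshake events against a half-open (SYN_RECV) queue of a given size and timeout, so the effect of the two countermeasures above (bigger queue, shorter waits) can be seen directly. Queue sizes, the millisecond timing and the sample addresses are assumptions.

```python
# Added illustration (not from the lecture): replay a constructed log of
# handshake events against a half-open (SYN_RECV) queue of a given size and
# timeout, to see when a spoofed SYN flood starts refusing real clients.
# Times are in milliseconds; the lecture's 75 s default timeout is 75000.

def simulate_backlog(events, queue_size, timeout_ms):
    """Return (dropped_syns, peak_half_open, expired_without_ack).

    events: (time_ms, src_ip, src_port, "SYN" | "ACK"). A SYN occupies a
    queue slot until the client's ACK arrives or the timeout expires; a
    spoofed source never ACKs. A SYN arriving to a full queue is dropped,
    which is the denial of service.
    """
    half_open = {}                    # (src_ip, src_port) -> SYN arrival time
    dropped = peak = expired = 0
    for t, src, port, event in sorted(events):
        # Countermeasure "shorter waits": stale entries free their slot.
        stale = [k for k, t0 in half_open.items() if t - t0 >= timeout_ms]
        for k in stale:
            del half_open[k]
        expired += len(stale)         # SYNs that never completed: a detection signal
        key = (src, port)
        if event == "ACK":
            half_open.pop(key, None)  # real client finishes the handshake
        elif event == "SYN":
            if len(half_open) >= queue_size:
                dropped += 1          # queue full: legitimate request refused
            else:
                half_open[key] = t
        peak = max(peak, len(half_open))
    return dropped, peak, expired

def constructed_events():
    """Constructed sample: one real client, then ten spoofed SYNs in one second."""
    ev = [(0, "192.0.2.10", 40001, "SYN"), (100, "192.0.2.10", 40001, "ACK")]
    ev += [(1000 + 100 * i, f"203.0.113.{i}", 50000 + i, "SYN") for i in range(10)]
    ev += [(2000, "192.0.2.10", 40002, "SYN"), (2100, "192.0.2.10", 40002, "ACK")]
    return ev

if __name__ == "__main__":
    ev = constructed_events()
    print("queue 10, 75 s timeout:", simulate_backlog(ev, 10, 75000))   # (1, 10, 0): client refused
    print("queue 20, 75 s timeout:", simulate_backlog(ev, 20, 75000))   # (0, 11, 0): bigger queue helps
    print("queue 10, 0.5 s timeout:", simulate_backlog(ev, 10, 500))    # (0, 5, 7): shorter wait helps
```

With the lecture's small queue and long timeout the real client's second connection is refused; either countermeasure lets it through in this sample.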
Remote DoS Attacks
  Premise of these attacks is the sending of a specific packet or sequence of packets to the target system to exploit specific programming flaws.
  IP Fragmentation Overlap
    teardrop and similar attacks (boink, syndrop) exploit vulnerabilities in packet-reassembly code
    As packets travel through different networks they may get broken into different fragments. Fragments should not overlap.
    Teardrop takes advantage of the fact that some older programs didn’t handle overlapping fragments.
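As an added illustration (not code from the lecture), the overlap check that older reassembly code lacked, next to the length computation that went wrong when a fragment overlapped. The fragment tuples and the byte offsets are constructed; on the wire the IP fragment-offset field counts 8-byte units.

```python
# Added illustration (not from the lecture): the overlap check that
# teardrop-era reassembly code lacked. Fragments are constructed as
# (offset_bytes, payload, more_fragments); on the wire the IP offset field
# counts 8-byte units, so offset_bytes = field * 8.

def naive_trim_length(prev_end, frag_offset, frag_len):
    """How old reassembly code sized the copy for a fragment that starts
    inside already-received data: copy only the part past prev_end.
    For a teardrop-shaped pair the result is negative; as an unsigned
    length in C that becomes a huge copy and the system crashes."""
    frag_end = frag_offset + frag_len
    return frag_end - prev_end

def check_fragments(fragments):
    """Return (ok, reason). Rejects overlap, gaps, and a last fragment
    that still has the MF (more fragments) flag set."""
    if not fragments:
        return False, "no fragments"
    ordered = sorted(fragments, key=lambda f: f[0])
    expected = 0                      # next byte offset we should see
    for offset, payload, more in ordered:
        if offset < expected:
            return False, f"fragment at {offset} overlaps data ending at {expected}"
        if offset > expected:
            return False, f"gap before offset {offset}"
        expected = offset + len(payload)
    if ordered[-1][2]:
        return False, "last fragment has MF set"
    return True, "ok"

def reassemble(fragments):
    """Join the payloads only after the set passes check_fragments."""
    ok, reason = check_fragments(fragments)
    if not ok:
        raise ValueError(reason)
    return b"".join(p for _, p, _ in sorted(fragments, key=lambda f: f[0]))

# Constructed inputs.
GOOD = [(0, b"A" * 16, True), (16, b"B" * 8, False)]
# Second fragment starts inside the first and ends before it: the teardrop shape.
TEARDROP = [(0, b"A" * 36, True), (24, b"B" * 4, False)]

if __name__ == "__main__":
    print(reassemble(GOOD))                 # 24 bytes of payload
    print(check_fragments(TEARDROP))        # (False, 'fragment at 24 overlaps data ending at 36')
    print(naive_trim_length(36, 24, 4))     # -8: the length that went unsigned in old code
```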
Other Attacks
  SMBdie
    Released in 2002, takes advantage of a flaw in Microsoft’s implementation of TCP/IP causing the system to “blue screen”. Works against NT/2K/XP
  Buffer Overflow in IIS FTP Server
    Buffer overflow in the list command of the FTP server; only available to users after authentication, but if you allow anonymous users…
    Will result in the server crashing
  Stream and Raped attacks
    Resource-starvation attacks; result in high CPU usage.
    stream sends TCP ACK packets to a series of ports with random sequence numbers and random source IPs
    raped sends TCP ACK packets with spoofed source IP
Distributed Denial of Service
  Difference between DDoS and DoS is one-to-one versus many-to-one.
  First DDoS attacks hit the Internet in Feb 2000, affected eBay, Buy.com, CNN, Yahoo!
  First step is to target and gain administrative access on as many systems as possible (zombies).
    Normally a customized attack used for this
  Once access is obtained, attackers upload and run their DDoS software.
  Software waits for attack message which will provide information on the target.
  Once attack message sent to zombies they launch the specific attack against the identified target.
DDoS Attack
  tribal flood network (TFN) DDoS
    TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks.
    Remote control of a TFN is accomplished via command line execution of the client program, using any of a number of connection methods (e.g., remote shell bound to a TCP port, UDP based client/server remote shells, ICMP based client/server shells, or normal "telnet" TCP terminal sessions).
    Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY (why?) packets. There is no TCP or UDP based communication between the client and daemons at all.
    TFN2K is the successor to TFN, allows for randomized communication on ports (thus port blocking harder)
trinoo DDoS
  A trinoo network of at least 227 systems was used on Aug 17, 1999 to flood a single system at the University of Minnesota.
  The attacker(s) control one or more “master” servers, each of which can control many daemons.
  Remote control of the master is accomplished via a TCP connection to port 27665, after which the user must authenticate with a password.
  Communication from the master to daemons is via UDP packets on port 27444.
  When the daemon starts, it initially sends a “hello” message to the master, which maintains a list of active daemons it controls.
  The daemons send UDP packets to random (0-64K) UDP ports on the target for a period of time (120 seconds default)
Stacheldraht (barbed wire) DDoS
  Combines features of trinoo and the original TFN and adds encryption of communication between attacker and masters and automated updating of agents.
  Can do ICMP flood, SYN flood, UDP flood, and smurf style attacks.
  There is a limit of 1000 agents for each master
  Used TCP and ICMP for communication between master and agents (trinoo used UDP, TFN used ICMP)
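The control channels described in the TFN and trinoo slides leave traces a defender can look for in flow records: trinoo's fixed ports (TCP 27665 to the master, UDP 27444 from master to daemons), TFN's ICMP echo-replies that answer no echo-request, and a daemon's UDP flood to many random ports of one target. The following is an added example, not from the lecture or from any of these tools; the flow records, the field layout and the fan-out threshold are constructed assumptions.

```python
# Added illustration (not from the lecture): simple flow-record checks for the
# DDoS control traffic described in the TFN and trinoo slides.
from collections import defaultdict

# Constructed records: (seconds, src, dst, proto, detail)
# detail = destination port for tcp/udp, ICMP type for icmp (8 request, 0 reply)
RECORDS = [
    (0, "198.51.100.7", "192.0.2.20", "tcp", 27665),   # attacker -> trinoo master
    (1, "192.0.2.20", "192.0.2.31", "udp", 27444),     # master -> daemon
    (2, "203.0.113.5", "192.0.2.31", "icmp", 0),       # TFN client -> daemon: reply with no request
    (3, "192.0.2.31", "203.0.113.5", "icmp", 0),       # daemon answers the same way
    (4, "192.0.2.40", "192.0.2.41", "icmp", 8),        # ordinary ping ...
    (5, "192.0.2.41", "192.0.2.40", "icmp", 0),        # ... and its reply (benign)
] + [(6, "192.0.2.31", "198.51.100.200", "udp", p)     # daemon flooding random ports
     for p in (53, 1029, 4510, 60001, 22, 8080)]

def find_alerts(records, port_fanout=5):
    """Return a list of (time, rule, src, dst) alerts for the given records.

    port_fanout: how many distinct UDP destination ports one source must hit
    on one destination before it is flagged (constructed threshold).
    """
    alerts = []
    requests = set()                  # (requester, target) echo-requests seen so far
    fanout = defaultdict(set)         # (src, dst) -> UDP destination ports seen
    for ts, src, dst, proto, detail in sorted(records):
        if proto == "tcp" and detail == 27665:
            alerts.append((ts, "trinoo master control port", src, dst))
        elif proto == "udp" and detail == 27444:
            alerts.append((ts, "trinoo master->daemon port", src, dst))
        elif proto == "udp":
            fanout[(src, dst)].add(detail)
            if len(fanout[(src, dst)]) == port_fanout:   # fire once per pair
                alerts.append((ts, "udp random-port flood", src, dst))
        elif proto == "icmp" and detail == 8:
            requests.add((src, dst))
        elif proto == "icmp" and detail == 0:
            # A reply is only expected if the receiver sent a request first.
            if (dst, src) not in requests:
                alerts.append((ts, "unsolicited icmp echo-reply (TFN-style)", src, dst))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(RECORDS):
        print(alert)
```

Stacheldraht's encrypted TCP/ICMP channel would not match the fixed-port rules here; the unsolicited echo-reply and fan-out checks are the ones that still apply to it.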
Summary
  What is the importance and significance of this material?
    DoS and DDoS attacks can be devastating on network resources. Can prevent authorized use of systems/networks.
  How does this topic fit into the subject of “Security Risk Analysis”?
    We will most likely not be called upon to conduct DoS or DDoS attacks, but we must know how they work so we can help clients protect against them as much as possible.