1 Gaurav Gupta CMSC 681 Abstract A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing Denial of Service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. This paper covers different tools used for the attacks and then briefs about how to prevent a system from these attacks. Introduction A denial of service is characterized by an explicit attempt by an attacker to prevent legitimate users from using resources. An attacker may attempt to flood a network and thus reduce a legitimate user s bandwidth, prevent access to a service, or disrupt service to a specific system or a user. Denial of Service attacks does not involve breaking into a system, but rather are aimed at making that system or network unusable. Denial of service attacks can be local or network-based, and have always been difficult to defend against. The recent spate of denial of service attacks that blocked network access to prominent e-commerce sites such as Amazon, CNN, Yahoo and others involved hundreds of attacking systems. A firewall can't prevent or neutralize all of these attacks. Some of these attacks are outside the firewall and they are all difficult to distinguish from normal traffic. A firewall can, however, prevent you from becoming an attack source. It can also prevent the invasion from harming your protected network. This new era of attacks is called Distributed Denial Of service attack. Types of DoS attacks DoS attacks can be roughly divided into OS-related attacks and networkingelated attacks. The vendors provide patches for their vulnerable OS. For networking-related attacks, there are many security holes, which an adversary can exploit to launch a DoS attack. SYN flooding is a good example. Given below is a list of common DoS attacks: Bonk/boink/newtear/teardrop2 is an attack resulting in blue screen freeze and crash. Ping of Death is an attack taking advantage of a known bug in TCP/IP implementation. The attacker uses the ping system utility to make up an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. Systems may crash or reboot when they received such an oversized packet Teardrop is an attack exploiting a weakness in the reassembly of IP packet fragments. The attacker creates a sequence of IP fragments with overlapping offset fields. Some systems will crash or reboot when they are trying to reassemble the malformed fragments.
2 SYN flooding is an attack exploiting the three-way handshaking of TCP. The attacker sends the targeted system a flood of SYN packets with spoofed source address, until the targeted system uses up all slots in its backlog queue Land is very similar to SYN flooding. The adversary floods SYN packets into the network with a spoofed source IP address of the targeted system Snork is an attack against Windows NT RPC service. It allows an adversary with minimal resources to cause a remote NT system to consume 100% CPU Usage for an indefinite period of time Characteristics of DDOS A denial of service attack is characterized by an explicit attempt by an attacker to prevent legitimate users of a service from using the desired resources. Examples of denial of service attacks include: Attempts to flood a network, thereby preventing legitimate network traffic Attempts to disrupt connections between two machines, thereby preventing access to a service Attempts to prevent a particular individual from accessing a service Attempts to disrupt service to a specific system or person The distributed format adds the many to one dimension that makes these attacks more difficult to prevent. A distributed denial of service attack is composed of four elements, as shown in Figure 1. First, it involves a victim, i.e., the target host that has been chosen to receive the brunt of the attack. Second, it involves the presence of the attack daemon agents. These are agent programs that actually conduct the attack on the target victim. Attack daemons are usually deployed in host computers. These daemons affect both the target and the host computers. The task of deploying these attack daemons requires the attacker to gain access and infiltrate the host computers. The third component of a distributed denial of service attack is the control master program. Its task is to coordinate the attack. Finally, there is the real attacker, the mastermind behind the attack. By using a control master program, the real attacker can stay behind the scenes of the attack. The following steps take place during a distributed attack: 1. The real attacker sends an execute message to the control master program. 2. The control master program receives the execute message and propagates the command to the attack daemons under its control. 3. Upon receiving the attack command, the attack daemons begin the attack on the victim. Although it seems that the real attacker has little to do but sends out the execute command, he actually has to plan the execution of a successful distributed denial of service attack. The attacker must infiltrate all the host computers and networks where the daemon attackers are to be deployed. The attacker must study the target s network topology and search for bottlenecks and vulnerabilities that can
3 be exploited during the attack. Because of the use of attack daemons and control master programs, the real attacker is not directly involved during the attack, which makes it difficult to trace who spawned the attack. There are four known versions of distributed denial of service attack tools: 1. Trinoo 2. TFN 3. TFN2K 4. Stacheldraht Fig1. Distributed Denial of Service Attack The attacker use either telnet or a special client to connect to a master server. The attacker then sends commands to the master, which relays the commands to daemons, or zombies. These systems are compromised ahead of time and have the daemon software loaded and running before the attack begins. Depending on the command, the daemons may then flood a particular target. The number of daemons controlled by a master depends on the configuration. Other master commands control which IP addresses are targeted, the size of flood packets, types of packets sent, duration of attack, and sometimes, the ability to execute commands. One of the most important aspects of these attacks is that a single attacker can, through the master, control hundreds of daemons. Each daemon can then send a flood of packets at one or more victims. Most of these tools support source address spoofing, so that the victim is flooded with packets that do not bear the real source address, making them difficult to trace. The flood itself, of course, has left the victim unable to use their Internet connection. A single command from an attacker can result in gigabits in attack data every second, a multiplication factor not seen in any other form of denial of service attack. The first well-known distributed denial of service occurred in August of The Trinoo attack tool was used to flood an Internet Relay Chat server at the University of Minnesota. This attack went on for two days, with thousands of systems running agents used in the attack. At one point, there were 214 systems simultaneously flooding a single server at the University. Malicious packets were traced back to their sources, aided by the fact that the Trinoo tool does not spoof source addresses. Security managers and system administrators at the University worked at contacting the owners of the systems running the daemons. As quickly as the defenders could find the daemons, the attackers would bring more daemons online. Disabling the daemons is initially as simple as disconnecting the network connection. But then each system must be cleaned up, removing all traces of the daemons, any supporting software, and the vulnerability on the system patched so it cannot be abused again. The attackers often used rootkits, tools
4 designed to hide traces of an attacker s presence and provide backdoors to make it easy to break back into the system again. David Dittrich of the University of Washington has written several thorough analyses of Trinoo, TFN, and Stacheldraht. Other analysts have published analyses of TFN2K, a more recent variant of TFN. Dittrich s experience comes from being a system administrator at the University of Washington, one of the sites where daemons were installed and used in the University of Minnesota attack. According to information provided by Dittrich, as well as information provided by David Brumley, a security administrator who works at Stanford University in California, these attacks begin with finding and exploiting vulnerable systems. The first phases of a distributed denial of service attack involves finding as many vulnerable systems as possible to host the daemons. The attacker uses a tool, such as sscan, to search thousands of Internet addresses, gathering information on a short list of vulnerabilities. The scanner is run from a system that the attacker has already compromised, so that if the scan is discovered, the attacker s identity will still be unknown. Once the attacker has a list of vulnerable systems ready, he moves to another compromised system. This system hosts an automated attack script that runs through the list of vulnerable systems. For each system in the list, the script runs an exploit setting up a backdoor on the vulnerable system, uploads the daemon program, installs the daemon and starts it. The attacker now moves to yet another compromised system, and installs the master. The master is provided with the list of systems where the daemons have been installed, so that it knows which IP addresses to communicate with. In the attacks to date, mainly Solaris and Linux systems have been used as masters and daemons. The TFN2K distributed denial of service attack tool also supports NT 4, but there have yet to be reports of NT 4 being used as either a master or a daemon host. Any network with a properly configured firewall easily blocks the first stage in this sequence. Firewalls should prevent network scans from succeeding. The WatchGuard Firebox will detect network scans, and automatically block a site from which a scan is detected. Also, you can configure the monitoring system to notify you whenever a system has been site blocked, thus putting you on the alert for malicious activity. Difference in Attack Tools The four known tools do not work exactly the same. They differ in the ability to spoof source addresses, commands used, types of attacks used, communication techniques, and the presence of backdoors or self-upgrade capability. Trinoo is the simplest of these tools. Trinoo daemons have only one attack, sending floods of UDP
5 packets to the victim. The source addresses of these packets are not spoofed, so the attack source(s) is easy to determine. The attacker uses telnet to connect to the master, and must enter a password before the master can be used. The master and daemons communicate using UDP packets, and the commands in these packets are not encrypted. Even though Trinoo is simpler than the other tools, this was the tool used to flood the University of Minnesota s network for two days. That network has two OC3 s for connecting to the Internet. TFN (Tribe Flood Network) was actually written before Trinoo. The confessed author of TFN and TFN2K is Mixter, a well-known German hacker. TFN daemons can generate a variety of floods: ICMP flood, SYN flood, UDP flood, and Smurf style attacks. The tool also includes a backdoor that provides root access to the daemon s host system. The attacker can use several means of communicating with the master program, depending on installation. No password is required, but the attacker must have the list of daemons on hand if the master is to be used successfully. The master communicates with daemons using ICMP ECHO REPLY packets. This unusual mechanism was designed to make master-daemon communication more difficult to detect. Also, many firewalls will block incoming ICMP ECHO REQUESTs, but not the replies, which are assumed to be the result of legitimate requests. The commands themselves are based on numeric codes, and are not encrypted. Mixter published an updated version of his program in late 1999, named TFN2K. The updated version adds encryption to the communication link, as well as one way spoofed communication to the daemons. Instead of communicating directly with the daemons, commands are sent to the network in which the daemon is running and the daemon sniffs the commands from the network. No responses are sent back to the master, so each command is sent twenty times, to be certain that the daemons have received the commands. Both TFN and TFN2K include backdoors for root access and command execution on the compromised servers. Stacheldraht, German for barbed wire, represents a hybrid of Trinoo and TFN. Like TFN, Stacheldraht supports ICMP flood, SYN flood, UDP flood, and Smurf style attacks. Unlike TFN, it uses an encrypted link for sending commands Stacheldraht also has a built-in mechanism for self-updates. The master can send a command that causes the daemon to download, install, and execute an updated version of itself. Smurf attack Smurf is a simple yet effective DDoS attack technique that takes advantage of the ICMP (Internet Control Message Protocol). ICMP is normally used on the Internet for error handling and for passing control messages. One of its capabilities is to contact a host to see if it is "up" by sending an "echo request" packet. The common "ping" program uses this functionality. Smurf is installed on a computer using a stolen account, and then it continuously "pings" one or more networks of computers using a forged source address. This causes all the computers to respond to a different computer than actually sent the packet. The forged source address, which is the actual target of the attack, is then
6 overwhelmed by response traffic. The computer networks that respond to the forged ("spoofed") packet serve as unwitting accomplices to the attack. The first step in fending off a Smurf attack is to analyze the traffic filling your link to determine whether it is incoming or outgoing. If the traffic flood is incoming, then the attack is being directed at you. If it is a Smurf, the attacking packets will originate from hundreds of different points on the Internet, and there is very little you can do to stop the attacks from the source. Your ISP will be able to block these packets at their router if you ask them to do so. If the traffic flood is outgoing, there is a simple solution. Turn off "directed broadcast" in all your routers and switches. This will prevent other people from directing packets to broadcast addresses within your network and using it to attack others. There are two types of misconfigured networks involved in a Smurf attack, the staging area and the amplifier. The staging area is used to send out ping packets with a forged source address of the target victim s network. If you filter out all source addresses that are not in your assigned IP address space, your network cannot be used as a staging area. This also reduces the risk of hacker attacks, since one reason hackers break into a server is to use it as a staging area for other attacks. The ping packets with forged source addresses are directed at amplifier networks that do not have directed broadcasts turned off. The amplifier network will broadcast the ping packets on its internal Ethernet, and every machine on that Ethernet will respond to the ping. These amplified responses are sent to the victim, whose source address was forged on the original ping packets. Detection and Prevention The most important aspect of these distributed attacks is that the attacker needs compromised computer systems to carry out the attack. If the Internet, as a community, were to make sure that each of its subnets were secure, there would be no place for the hackers to place their tools. This includes making sure all systems are secure and fully patched and unneeded services are turned off. To enhance computer security, enforce the use of strong password rules by all users since hackers use weak passwords to gain unauthorized access. One of the stealth techniques that these tools use is to forge the source IP address in the header of the IP packets. A forged source address prevents the target site from knowing where that attack is coming from. Routers can be configured so that packets will not route if their source address is not from within the subnet served by the router. This would not stop all of the packets from getting out, but would allow them to be traced to the attack machine. There are presently three tools on the Internet that will helps discover if the handlers and agents are on your system. The first is by the National Infrastructure Protection Center (NIPC) called find_ddosv31. It runs on Solaris version 2.5.1, 2.6, and 7 for the Sparc and Intel platforms as well as Linux on Intel platforms. The tool detects TFN2K client, TFN2K agent, Trinoo agent, Trinoo handler, TFN agent, TFN client,
7 Stacheldraht handler, Stacheldraht client, Stacheldraht demon and TFN-rush client. It detects these agents and handlers by searching the hard drive for known strings in the binary of the attack tools. It is a program that needs to be run locally on each host to detect the presence of the attack tools. David Dittrich has developed a tool called ddos_scan. It scans for the Trinoo agent, TFN agent, and Stacheldraht agent. It does not detect TFN2K at this time. The tool works by scanning the network with handler agent communication packets and then watches the return packets for certain strings. This utility scans a complete subnet from a single node on that subnet. If the attack tools source code were modified to accept communications from a different port or the default passwords were changed, then this tool would not be successful. David Brumley wrote a remote detector for Trinoo agent, TFN agent, and Stacheldraht agent called rid. It also looks for the default ports and passwords used by these attack tools. Rid searches an entire subnet from a single node as well as searches hosts from a list. Rid also uses a configuration file to change the ports and strings it looks for and the hosts it scans. This file can be modified easily in the event an attack tool is discovered by other means. The ports and passwords can be entered in to the configuration file, adding to the search list. Defenses Against Attacks Many observers have stated that there are currently no successful defenses against a fully distributed denial of service attack. This may be true. Nevertheless, there are numerous safety measures that a host or network can perform to make the network and neighboring networks more secure. These measures include: Filtering Routers: Filtering all packets entering and leaving the network protects the network from attacks conducted from neighboring networks, and prevents the network itself from being an unaware attacker. This measure requires installing ingress and egress packet filters on all routers. Disabling IP Broadcasts: By disabling IP broadcasts, host computers can no longer be used as amplifiers in ICMP Flood and Smurf attacks. However, to defend against this attack, all neighboring networks need to disable IP Broadcasts. Applying Security Patches: To guard against denial of service attacks, host computers must be updated with the latest security patches and techniques. For example, in the case of the SYN Flood attack, there are three steps that the host computers can take to guard themselves from attacks: increase the size of the connection queue, decrease the time-out waiting for the three-way handshake, and employ vendor software patches to detect and circumvent the problem. Disabling Unused Services: If UDP echo or chargen services are not required, disabling them will help to defend against the attack. In general, if network services are unneeded or unused, the services should be disabled to prevent tampering and attacks.
8 Performing Intrusion Detection: By performing intrusion detection, a host computer and network are guarded against being a source for an attack, as while as being a victim of an attack. Network monitoring is a very good preemptive way of guarding against denial of service attacks. By monitoring traffic patterns, a network can determine when it is under attack, and can take the required steps to defend itself. By inspecting host systems, a host can also prevent it from hosting an attack on another network. Configure Network Traffic Controls: Sites can use rate-limiting caps to limit bandwidth of particular packet types, such as ICMP and SYN packets. If possible, when setting any rate limits do not set the threshold so low as to either trigger a series of false positives or completely block legitimate packets.icmp_echorequest and ICMP_ECHOREPLY are blocked at boundary network devices. While this is a reasonable suggestion, this will affect some network applications that depend on this traffic, such as ping. If possible, consider using redundant network connections and load-balanced server arrays. This helps distribute the increased load among a series of machines. This step will not eliminate a DOS attack, but it helps to reduce its impact. Follow up on Scanning Activity: For a significant period of time incident response teams have noticed a significant increase the number of sites being scanned for vulnerabilities. There has been a noticeable increase in overall reports from Australian and New Zealand academic institutions since December 1999, and from Australian and New Zealand commercial sites in February This increase is due mostly to an increased number of reports of scans. It is believed that this widespread scanning is closely linked to DDOS attacks that have already been executed or are planned. These tools provide valuable intelligence for attackers, and some tools can be configured to mount attacks if the user desires. In the current environment, sites are strongly encouraged to look for signs of scanning and confirm whether this activity is likely to have uncovered any local vulnerabilities or attacks Summary In an ordinary network-based denial of service attack, an attacker uses a tool to send packets to the target system. These packets are designed to disable or overwhelm the target system, often forcing a reboot. Often, the source address of these packets is spoofed, making it difficult to locate the real source of the attack. In the DDoS attack, there might still be a single attacker, but the effect of the attack is greatly multiplied by the use of attack servers known as agents called daemons in trinoo and servers in TFN, these agents are remotely controllable by the hacker. Over 1,000 systems were used at different times in a concerted attack on a single server at the University of Minnesota. The attack not only disabled that server but denied access to a very large university network. Before an attacker can launch a DDoS attack, he or she does have some work to do, including gaining root or
9 administrator access to as many systems as possible. To gain access, scanning tools like sscan are used to probe for systems with specific vulnerabilities. With a list of these systems ready, the attacker uses a script to break into each of them and install the server software. References p.pdf dtables/ddos/ddos.htm enial_of_service_attacks.shtml ddossamp.html ng/academic/thesis/node32.html ials/distributed_denial_of_service.html os_wp.pdf pers/smc00_edited.pdf