Network Forensics (DDoS/Distributed Denial of Service Attack)

Transcription

1 GITG342 Network Forensics (DDoS/Distributed Denial of Service Attack) Hyundo Park

2 Index DDoS attacks DDoS attacks taxonomy Types of DDoS attacks Current DDoS Attacks DDoS attacks tools DDoS countermeasures Research process 2 GITG342

3 DDoS Attacks DoS attacks An attack on a computer or network that prevents legitimate use of its resources. Examples of DoS include Flooding a network Disrupting connections between machines Disrupting a service DDoS attacks Many machine are involved in the attack against one or more victim(s) DDoS attackers motivation Financial/economical gain Revenge Ideological belief Intellectual Challenge Cyberwarfare 3 GITG342

4 DDoS Attacks DDoS Timeline 4 GITG342

5 DDoS Attacks Direct DDoS attack Send control traffic directly to the zombie to attack the victim host Attacker Zombie Zombie Zombie Indirect DDoS attack Send control traffic indirectly to the zombie to compromise the target host Reflectors are non-compromised systems that exclusively send replies to a request Attacker Victim Zombie Zombie Zombie Reflector Reflector Reflector Reflector Victim 5 GITG342

6 DDoS Attacks Taxonomy DDoS attack taxonomy DDoS Attack Bandwidth Depletion Resource Depletion Flood Attack Amplification Attack Protocol Exploit Attack Malformed Packet attack ICMP UDP Smruf Fraggle TCP SYN PUSH+ACK Random Port Same Port Direct Loop IP address IP Packet Options 6 GITG342

7 Types of DDoS Attacks UDP flood attack In In UDP Flood attack attacker sends large number of UDP packets to a victim system, due to which there is saturation of the network and the depletion of available bandwidth for legitimate service requests to the victim system. A UDP Flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application that is waiting on the port, it will generate an ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports of the victim, the system will go down. 7 GITG342

8 Types of DDoS Attacks ICMP flood attack ICMP Flood attacks exploit the ICMP(Internet Control Message Protocol), which enables users to send an echo packet to a remote host to check whether it s alive. More specifically during a DDoS ICMP flood attack the agents send large volumes of ICMP_ECHO_ REPLY packets ( ping ) to the victim. These packets request reply from the victim and this results in saturation of the bandwidth of the victim s network connection. During an ICMP flood attack the source IP address may be spoofed. 8 GITG342

9 Types of DDoS Attacks SYN flood attack In a SYN Flood attack, the victim is flooded with Half open connections. Client server communication The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. 9 GITG342

10 Types of DDoS Attacks SYN flood attack half-open connection The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections. The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. 10 GITG342

11 Types of DDoS Attacks Smurf attack In a smurf attack, the victim is flooded with ICMP "echo-reply" packets. On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. In the "smurf" attack, attackers are using ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. When the attackers create these packets, they do not use the IP address of their own machine as the source address. Instead, they create forged packets that contain the spoofed source address of the attacker s intended victim. The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine. The victim is subjected to network congestion that could potentially make the network unusable. 11 GITG342

12 Types of DDoS Attacks Ping of Death attack In Ping of Death attacks, the attacker creates a packet that contains more than 65,536 bytes, which is the limit that the IP protocol defines. This packet can cause different kinds of damage to the machine that receives it, such as crashing and rebooting. ping -l victim.org Land attack The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. The reason a LAND attack works is because it causes the machine to reply to itself continuously. Land attacks have been found in services like SNMP(Simple Network Management Protocol) and Windows 88/tcp (kerberos/global services) which were caused by design flaws where the devices accepted requests on the wire appearing to be from themselves and causing replies repeatedly. 12 GITG342

13 Types of DDoS Attacks Teardrop attack This type of denial of service attack exploits the way that the IP(Internet Protocol) requires a packet that is too large for the next router to handle be divided into fragments. The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash. 13 GITG342

14 Current DDoS Attacks DDoS trends The most obvious trend seen at the end of 2013 and in 2014 was the increased use of amplification attacks DDoS attack traffic seen by Symantec s global intelligence network in GITG342

15 Current DDoS Attacks DDoS as a service trends The price range from US $5 to over $1,000 Depending on the attack s duration and size The generated traffic seen is usually around 20 40Gbps 15 GITG342

16 DDoS Attacks Tools Trinoo(Trin00) Trinoo was the first DDoS tool to be discovered Found in the wild (binary form) on Solaris 2.x systems compromised by buffer overrun bug in RPC(Remote Procedure Call) services: statd, cmsd, ttdbserverd rpc.statd: CVE , CVE rpc.cmsd: CVE rpc.ttdbserverd: CVE , CVE , CVE Trinoo daemons were UDP based password protected remote command shells running on compromised systems. 16 GITG342

17 DDoS Attacks Tools Trinoo communication Attacker to master: 27665/TCP The attacker must supply the correct password Master to daemons: 27444/TCP Command lines are of form: arg1 password arg2 and the default password for commands is 144asdl Only commands with 144 substring are run Daemon to Master: 31335/UDP When daemon starts up, it sends a HELLO to the master Master adds this daemon to its list Master sends PING to daemon on 27444/UDP, daemon replies PONG on 31335/UDP This way, the master knows daemon is still alive 17 GITG342

18 DDoS Attacks Tools Trinoo password protection Used to prevent sysadmins or other hackers from hijacking the trinoo network Used in symmetric fashion Encrypted password string is compiled into the server and used to compare with cleartext password using the crypt() function Wrong password = program exits Password protected daemon commands 144asdl Trinoo daemon password G0rave Trinoo master server startup Betaalmostdone Master remote I/F password Killme Master password for mdie command 18 GITG342

19 DDoS Attacks Tools Some Trinoo master command Die shut down master Quit log off the master Mtimer N set DoS timer to N seconds Dos IP daemons to DoS the target IP address Mdie pass disable all Bcast hosts Mping send Ping to every active Bcast host Mdos ip1:ip2:ip3 send multiple DoS command to each Bcast host Some Trinoo daemon commands Aaa pass IP DoS the IP address Bbb pass N sets time limit for DoS attacks Shi pass send HELLO to master lists Png pass send PONG to the master D1e kill the Trinoo daemon 19 GITG342

20 DDoS Attacks Tools Trinoo defense Monitor packets for PING, PONG, HELLO Ineffective for switched semnets Tcpdump signatures Source port is the same, destination ports are random and target address is the same Strings can show encrypted password string and you can run CRACK on it Daemon password is cleartext Once the daemon is found, you have a list of IP addresses of its masters Once a master found, the daemon list is in a file on it Shut down the r-commands 20 GITG342

21 DDoS Attacks Tools TFN(Tribe Flood Network) Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site. Structured like trinoo with attackers, clients(masters) and daemons. Initial system compromise allows the TFN programs to be installed. It can implement Smurf, SYN flood, UDP flood, and ICMP flood attacks. TFN communication Communication can be done by UDP based client/server shells, ICMP based client server shells (Loki, etc.) or normal telnet. No password is needed but an IP list of daemons is required. ICMP_ECHOREPLY packets are used to talk to TFN clients & daemons. No TCP/UDP because most IDS don t look for ICMP. TFN defenses Hard to do because you have to block all ICMP_ECHO traffic. Can id TFN clients and daemons by srings command: tfn, td. Monitor RCP connections (514/TCP) 21 GITG342

22 DDoS Attacks Tools TFN2K(Tribe Flood Network 2000) Aimed at Solaris, Linux and Windows NT. 2 component system: command driven client on the master and daemon operating on an agent. Master instructs its agents to attack a list of designated targets. Agents flood targets with packet barrage. Master/agent encrypted communications TFN2K communication Commands are sent via TCP/UDP/ICMP or all 3 at random. Uses TCP/SYN, UDP, ICMP/PING, smurf attacks against victims. Can randomly alternate between all of them. Master/Agent packet headers are randomized. ICMP always uses ICMP_ECHOREPLY type code. TFN2K doesn t ack commands 22 GITG342

23 DDoS Attacks Tools TFN2K UDP packet length (defined in the UDP header) is 3 bytes longer than actual length. TCP header length is always 0. Should never be this way. Hard to detect because all control communication is unidirectional, uses TCP,UDP, ICMP randomly Multiple protocol packets with same payload. TFN2K detection Scan for files tfn (the client) and td (the daemon). Examine incoming traffic for unsolicited ICMP_ECHOREPLY packets containing sequence of 0x41 in their trailing bytes. Verify all other payload bytes are ASCIIprintable characters in the 2B, 2F-39, 0x41-0x5A or 0x61-0x7A range 23 GITG342

24 DDoS Attacks Tools Stacheldracht Combines features of trinoo and original TFN. Adds encryption of communications between attackers and masters. Adds automatic update of the agents. Components: attackers, masters (handlers),daemon (agent, bcast) Victims are compromised with buffer overflow attack on RPC services: statd, ttdbserverd, cmsd. Could mount ICMP, UDP, SYN floods & Smurf. Encrypts the connection between attacker and master unlike TFN Stacheldracht communication Client to handler: 16660/TCP Handler to/from agent: 65000/TCP,ICMP_ECHOREPLY Uses both ICMP and TCP. Stacheldracht network control is via symmetric key encryption. Client accepts a single argument: its handler address 24 GITG342

25 DDoS Attacks Tools Stacheldracht commands.distro user server agent installs and runs a new copy of itself using rcp on server using account user..killall kills all active agents.maddip1:ip2:ipn add IP to list of victims.mdos start the DoS attack.mlist list the IPs of hosts being attacked.msadd add new master server.mudpip1:ip2:ipn start UDP flood against IP.showalive show all active agents (bcasts) Stacheldracht Block all ICMP_ECHO traffic Search for strings: skillz, spoofworks, sicken\n, niggahbitch, ficken in the DATA portion of the ICMP_ECHOREPLY packets. Search for ID values: 666, 667, 668, 669, 1000 Monitor rcp(514/tcp) 25 GITG342

26 DDoS Attacks Tools Mstream Based on stream2.c, a point-point DoS attack tool. Most primitive of DDOS Tools Handler: master.c Agent: server.c Similar network control model / Attacker->handler->agent Mstream communication Attacker handler communication via unencrypted TCP 6723/TCP, 12754/TCP, 15104/TCP Handler agent communication via cleartext UDP 7983/UDP, 6838/UDP Agent to Handler(s) 9325/UDP, 6838/UDP Handler expects commands to be contained entirely in the data field of a single TCP packet. 26 GITG342

27 DDoS Attacks Tools Mstream handler commands No command entered in 40 seconds, the connection is closed. Stream stream attack Servers print all servers Ping ping all servers Who who s logged in Mstream let you stream more than 1 IP at a time Ping identify remaining active agents Stream host seconds attack host for second duration Mstream ip1:ip2:ipn seconds attack multiple IP addresses for specified duration. Mstream agent commands String based commands in the data portion of UDP packets. Ping send pong back to sender Stream/IP/Seconds attack IP for seconds Mstream/IP/Second similar to handler mstream command. 27 GITG342

28 DDoS Attacks Tools Shaft From the same DDOS family Has the ability to switch handler servers and ports on the fly. Makes IDS harder. Has ticket mechanism to link transactions PASSWDS, TICKET # S must match for agent to execute the request. Has some interest in packet statistics Client -> handler -> agent structure Shaft communication Attacker uses a telnet program, client to talkto handlers. Client to handler: 20432/TCP Handler to agent: 18753/UDP Agent to handler: 20433/UDP 28 GITG342

29 DDoS Attacks Tools Shaft agent command Size <size> -size of the flood packets Type type of DoS to run, 0 UDP, 1 TCP, 2 UDP/TCP/ICMP, 3 ICMP Time <length> length of DoS attack (sec) Own <victim> add victim to agent list Switch <handler> <port> switch to new handler and port New <password> -new agent reporting in Pktres<password> <sock> <ticket> <packets sent> -packet sent to the host identified by <ticket> number. Shaft detection Scan for open port may reveal the presence of a handler. Sending alive messages with the default password to all nodes on a network at port18753/udp. Flooding occurs in bursts of 100 packets/host with the SRC/DEST ports randomized 29 GITG342

30 DDoS Countermeasures IP traceback IP Traceback is a method to find the source of a DoS attack link testing Start from the router closest to the victim and interactively test its upstream links until they determine which one is used to carry the attackers traffic. This technique assumes that an attack remains active until the completion of a trace. logging Log packets at key routers and then use data mining techniques to determine the path that the packet traversed. Advantage: It can trace an attack long after the attack has completed. Disadvantage: Needs enormous resources. ICMP-based traceback Sample some of the packets with low probability and copy the contents into a special ICMP traceback message. packet marking This scheme is based on the idea that routers mark packets that pass through th em with their addresses or a part of their addresses This scheme is aimed primarily at DoS and DDoS attacks as it needs many attack packets to reconstruct the full path. 30 GITG342

31 DDoS Countermeasures IP traceback ICMP-based traceback Logging Link testing Packet marking 31 GITG342

32 DDoS Countermeasures Network Ingress Filtering Discard all packets that contain source IP addresses that do not match t he valid range of the customer s known IP addresses Router 1 ISP B Router 2 ISP A ISP C ISP D /24 attacker Router 3 IF packet's source address from within /24 THEN forward as appropriate IF packet's source address is anything else THEN deny packet 32 GITG342

33 DDoS Countermeasures Intrusion Detection Systems HIDS(Host-based Intrusion Detection System) The HIDS reside on a particular computer and provide protection for a specific computer system HIDS can be installed on many different types of machines servers, workstations and Laptops HIDS allows for remote monitoring, remote storage of events logs and ability to PUSH agents to new or existing hosts 33 GITG342

34 DDoS Countermeasures Intrusion Detection Systems NIDS(Network-based Intrusion Detection System) NIDS captures network traffic packets (TCP, UDP) and analyzes the content against a set of rules or signatures to determine if a possible event took place NIDS can also be installed on active network elements, for example on routers 34 GITG342

35 DDoS Countermeasures Intrusion Detection Systems NIDS(Network-based Intrusion Detection System) Proactive defense mechanisms Instead of detecting the attacks by using signatures (attack pattern) or anomaly behavior, this mechanism try to improve the reliability of the global Internet infrastructure by adding extra functionality to Internet components to prevent attacks and vulnerability exploitation Reactive defense mechanisms using available IDS If the IDS system can detect the DDoS attack packets accurately, filtering mechanism are used, which can filter out the attack stream completely, even at the source network. If the IDS cannot detect the attack stream accurately, rate limiting is used. Post attack analysis The purpose of post attack analysis is to either look for attack patterns that will be used by IDS or identify attackers using packet tracing. The goal of packet tracing is to trace Internet traffic back to the true source. Trace back mechanism can help to identify zombies, however, it is impractical to defend against DDoS attacks for the following reasons. First, during a DDoS attack, the attacker will control thousands of zombies. Second, it would be difficult to determine who would be responsible for providing trace back information 35 GITG342

36 DDoS Countermeasures Firewall Often a firewall is also referred to as a packet filter. The basic task of a firewall is to control traffic between different zones of trust and/or administrative authorities. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). Firewall can protect internal network from the external network by accept/deny the traffic according to the rules specified in the list. 36 GITG342

37 DDoS Countermeasures Firewall Advantages of Firewalls They can stop incoming requests to inherently insecure services, e.g. you can disallow rlogin, or RPC services such as NFS. They can control access to other services e.g. bar callers from certain IP addresses, filter the service operations (both incoming and outgoing) 27 They are more cost effective than securing each host on the corporate network since there are often only one or a few firewall systems to concentrate on. Disadvantages of Firewalls They may restrict legitimate users from accessing valuable services, for example, corporate users may not be let out onto the Web, or when working away from home a corporate user may not have full access to the organization s network. They can be a bottleneck to throughput, since all connections must go via the firewall system. The biggest disadvantage of a firewall is that it gives no protection against the inside attacker. Since most corporate computer crime is perpetrated by internal users, a firewall offers little protection against this threat. 37 GITG342

38 Research process Finding characteristics of flash event and DDoS attack 38 GITG342

39 FE vs. DDoS An exhaustion of network or server resources By a Flash Event Caused by legitimate users By Distributed Denial of Service (DDoS) attacks Caused by attackers Flash Event DDoS attack 39 GITG342

40 Characteristics of FE and DDoS characteristics of FE and DDoS to distinguish between them [1] FE DDoS Traffic volumes High High Distribution of clusters among clients Cluster contribution to requests The number of clusters are much smaller than the number of clients Follows the Pareto-law (skewed / predictable) The number of clients and clusters are very similar Does not follow the Pareto-law (randomly distributed / unpredictable) [1] J. Jung, B. Krishnamurthy and M. Rabinovich, Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites, in World Wide Web, May GITG342

41 Simulation and Analysis of Real Traffic Traffic volumes FE01: published many pictures and java scripts to decorate websites FE02: a Microsoft Windows update website MBC: the biggest private broad cast company in Korea DOS01 & DoS02: obtained from two trans-pacific T-3 links connecting the United states and a Korean Internet gateway. Non source-spoofed DDoS: generated a non-source-spoofed DDoS attack traces with the normal web requests as background traffic using NS-2 41 GITG342

42 Simulation and Analysis of Real Traffic The number of clusters among clients FE01: published many pictures and java scripts to decorate websites FE02: a Microsoft Windows update website MBC: the biggest private broad cast company in Korea DOS01 & DoS02: obtained from two trans-pacific T-3 links connecting the United states and a Korean Internet gateway. Non source-spoofed DDoS: generated a non-source-spoofed DDoS attack traces with the normal web requests as background traffic using NS-2 42 GITG342

43 Simulation and Analysis of Real Traffic Distribution of clusters to requests FE01: published many pictures and java scripts to decorate websites FE02: a Microsoft Windows update website MBC: the biggest private broad cast company in Korea DOS01 & DoS02: obtained from two trans-pacific T-3 links connecting the United states and a Korean Internet gateway. Non source-spoofed DDoS: generated a non-source-spoofed DDoS attack traces with the normal web requests as background traffic using NS-2 43 GITG342

44 Traffic matrix construction Place of an incoming request in matrix construction Process of matrix construction Initialized with zero in all entries For each incoming request, overwritten the content of the entry with the value 1 using one bit Clustering clients with IP 2 and IP 3 There are many unused or unallocated IP address in the Internet. So, we do not use IP 1 44 GITG342

45 Benefits of Randomness Check with Matrix Easy to apply on the network if we define the method to construct traffic matrix and it s size Providing fixed threshold not depend on the network traffic environment Easy to apply operations, such as XOR, AND and others, between continuative matrix The XOR operation deletes normal traffic The AND operation remains normal traffic M t-1 M t M t 45 GITG342

46 Applying the XOR and AND operation Apply XOR and AND operation between matrices of the current and the previous time units XOR and AND operation M t is the traffic matrix, generated at time t Delete or remain traffic on the matrix using the XOR and AND operation After XOR After AND 46 GITG342

47 Checking randomness Randomness check Apply Gaussian elimination Check the rank value, the number of leading ones The probability of a rank value of a mxn random matrix Calculation of the threshold Apply log 2 function then, we can get the equation, If we assume P is 0.01%(a value near to zero), we will get 252 as the biggest value to be the threshold, when the value of m is GITG342

48 Evaluation Randomness check on FE and DDoS traces 48 GITG342

49 Conclusion FDD, a simple yet effective mechanism, distinguish flash event and DDoS attacks using randomness check Our trace-driven evaluation results show that FDD distinguishes between FE and DDoS attacks with high accuracy and low memory usage 49 GITG342

50 Thank you 50 GITG342