DDos. Distributed Denial of Service Attacks. by Mark Schuchter

Transcription

1 DDos Distributed Denial of Service Attacks by Mark Schuchter

2 Overview Introduction Why? Timeline How? Typical attack (UNIX) Typical attack (Windows)

3 Introduction limited and consumable resources (memory, processor cycles, bandwidth,...) inet security highly interdependent DDos-Attack prevent and impair computer use

4 Why? sub-cultural status nastiness revenge to gain access political reasons economic reasons

5 Timeline <1999: Point2Point (SYN flood, Ping of death,...), first distributed attack tools ( fapi ) 1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption 2000: bundled with rootkits, controlled with talk or ÍRC 2001: worms include DDos-features (eg. Code Red), include time synchro., 2002: DrDos (reflected) attack tools 2003: Mydoom infects thousands of victims to attack SCO and Microsoft

6 How? TCP floods (various flags) ICMP echo requests (eg. Ping floods) UDP floods

7 SYN-Attack Handshake Attack Client Server Attacker (spoofed IP) Server SYN-ACK SYN SYN SYN-ACK SYN SYN-ACK ACK

8 Typical attack 1. prepare attack 2. set up network 3. communication

9 UNIX ( trin00 ) preparation I use stolen account (high bandwidth) for repository of: scanners attack tools (i.e. buffer overrun exploit) root kits sniffers trin00 master and daemon programm list of vulnerable host, previously compromised hosts...

10 UNIX ( trin00 ) preparation II scan large range of network blocks to identify potential targets (running exploitable service) list used to create script that: performs exploit sets up cmd-shell running under root that listens on a TCP port (1524/tcp) connects to this port to confirm exploit list of owned systems

11 UNIX ( trin00 ) network I store pre-compiled binary of trin00 daemon on some stolen account on inet script takes owned-list to automate installation process of daemon same goes for trin00 master

12 UNIX ( trin00 ) network II attacker attacker master master master daemon daemon daemon daemon

13 UNIX ( trin00 ) communication attacker controls master via telnet and a pw (port 27665/tcp) trin00 master to daemon via 27444/udp (arg1 pwd arg2) daemon to master via 31335/udp dos <pw< pw> > triggers attack

14 Windows ( Sub7 ) preparation I set up the following things on your home pc: fre kazaa trojan-toolkit toolkit IRC-client IRC-bot

15 Windows ( Sub7 ) preparation II assemble different trojans (GUI) define ways of communication name file

16 Windows ( Sub7 ) network I start spreading via /news lists IRC P2P-Software

17 Windows ( Sub7 ) network II attacker client client client client

18 Windows ( Sub7 ) communication sub7client IRC channel 1 click to launch attack

19 Development High Intruder Knowledge Attack Sophistication back doors disabling audits packet spoofing denial of service sniffers distributed attack tools www attacks automated probes/scans GUI hijacking burglaries sessions exploiting known vulnerabilities password cracking binary encryption stealth / advanced scanning techniques network mgmt. diagnostics Tools Low password guessing Attackers Source: CERT/CC

20 Solutions statistical analyses (i.e. D-ward) D at core routers - not ready yet change awareness of people (firewalls, attachments, V-scanners,...) V

21 Thanks for your attention!