DDoS: Distributed Denial of Service Attacks, by Mark Schuchter
Overview
  Introduction
  Why?
  Timeline
  How?
  Typical attack (UNIX)
  Typical attack (Windows)
Introduction
  limited and consumable resources (memory, processor cycles, bandwidth, ...)
  Internet security is highly interdependent
  a DDoS attack prevents or impairs legitimate computer use by consuming those resources
Why?
  sub-cultural status
  nastiness
  revenge
  to gain access
  political reasons
  economic reasons
Timeline
  before 1999: point-to-point attacks (SYN flood, Ping of Death, ...); first distributed attack tools (fapi)
  1999: more robust tools (trinoo, TFN, Stacheldraht) with auto-update and added encryption
  2000: bundled with rootkits, controlled via talk or IRC
  2001: worms include DDoS features (e.g. Code Red) and time synchronisation
  2002: DRDoS (reflected) attack tools
  2003: Mydoom infects thousands of victims to attack SCO and Microsoft
How?
  TCP floods (various flags)
  ICMP echo requests (e.g. ping floods)
  UDP floods
SYN attack
  Normal handshake: Client -> Server: SYN; Server -> Client: SYN-ACK; Client -> Server: ACK
  Attack: Attacker (spoofed IP) -> Server: SYN, SYN, SYN, ...; Server -> spoofed address: SYN-ACK, SYN-ACK, SYN-ACK, ...; the final ACK never arrives, so every one of these connections stays half-open
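To make the half-open state in the SYN diagram concrete from the defender's side, here is an added example (not from the slides) that tracks unacknowledged SYNs per server over a constructed packet trace and raises an alert when the half-open count reaches a threshold; the addresses, ports, window and threshold are assumed values.

```python
from collections import defaultdict

# Constructed packet trace, not captured traffic.
# Record: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
TRACE = [
    # one legitimate client completes the three-way handshake
    (0.00, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    (0.01, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    (0.02, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
]
# spoofed sources (203.0.113.0/24, assumed) send SYNs that are never ACKed;
# the server answers each one with a SYN-ACK that goes nowhere useful
for i in range(300):
    spoofed = "203.0.113.%d" % (i % 250 + 1)
    t = 0.1 + i * 0.001
    TRACE.append((t, spoofed, 1024 + i, "192.0.2.10", 80, "S"))
    TRACE.append((t + 0.0005, "192.0.2.10", 80, spoofed, 1024 + i, "SA"))


def track_half_open(trace, window=1.0, threshold=100):
    """Track half-open connections per server.

    A connection is half-open from the client's SYN until the client's ACK
    (or a RST) for the same 4-tuple arrives. Entries older than `window`
    seconds are expired so a single lost packet is not counted forever.
    Returns (alerts, half_open_per_server); one alert per server, raised
    the first time its half-open count reaches `threshold`.
    """
    half_open = {}                 # (client, cport, server, sport) -> t_syn
    per_server = defaultdict(int)  # server ip -> current half-open count
    alerts = []
    for t, src, sport, dst, dport, flags in sorted(trace):
        key = (src, sport, dst, dport)
        if flags == "S":
            half_open[key] = t
            per_server[dst] += 1
        elif flags in ("A", "R") and half_open.pop(key, None) is not None:
            per_server[dst] -= 1
        # expire stale entries (older than the window)
        for k, t_syn in list(half_open.items()):
            if t - t_syn > window:
                del half_open[k]
                per_server[k[2]] -= 1
        # raise at most one alert per server
        for server, n in per_server.items():
            if n >= threshold and all(a[1] != server for a in alerts):
                alerts.append((t, server, n))
    return alerts, dict(per_server)


if __name__ == "__main__":
    found, counts = track_half_open(TRACE)
    for t, server, n in found:
        print("t=%.3fs possible SYN flood against %s: %d half-open" % (t, server, n))
    print("half-open at end of trace:", counts)
```

A real feed would come from a packet capture or firewall log. On the server itself the usual mitigation is SYN cookies, or a larger backlog combined with a shorter SYN-RECEIVED timeout, so that spoofed SYNs no longer hold a table entry until the handshake completes.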
Typical attack
  1. prepare attack
  2. set up network
  3. communication
UNIX (trin00) preparation I
  use a stolen account (high bandwidth) as a repository for:
    scanners
    attack tools (i.e. buffer overrun exploits)
    root kits
    sniffers
    trin00 master and daemon programs
    list of vulnerable hosts, previously compromised hosts, ...
UNIX (trin00) preparation II
  scan large ranges of network blocks to identify potential targets (hosts running an exploitable service)
  the list is used to create a script that:
    performs the exploit
    sets up a command shell running as root that listens on a TCP port (1524/tcp)
    connects to this port to confirm the exploit
  result: list of owned systems
UNIX (trin00) network I
  store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
  a script takes the owned-list to automate the installation of the daemon
  the same goes for the trin00 master
UNIX (trin00) network II
  [diagram: attackers at the top control several masters; each master controls several daemons (two attackers, three masters, four daemons shown)]
UNIX (trin00) communication
  attacker controls the master via telnet and a password (port 27665/tcp)
  trin00 master to daemon via 27444/udp (arg1 pwd arg2)
  daemon to master via 31335/udp
  "dos <pw> 192.168.0.1" triggers the attack
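The control ports on this slide give a defender a concrete detection signature. The following added example (not from the slides and not part of trin00) infers master and daemon roles of hosts from constructed flow records by correlating which trin00 port each host sends to and receives on; the IP addresses and the record format are assumptions.

```python
from collections import defaultdict

# Destination ports from the slide: who talks to whom in a trin00 network.
TRIN00_PORTS = {
    ("tcp", 27665): "attacker_to_master",
    ("udp", 27444): "master_to_daemon",
    ("udp", 31335): "daemon_to_master",
}

# Constructed flow records (NetFlow-like), not real traffic.
# Record: (proto, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    ("tcp", "198.51.100.7", 51000, "192.0.2.20", 27665),  # controller -> master
    ("udp", "192.0.2.20", 27444, "192.0.2.31", 27444),    # master -> daemon
    ("udp", "192.0.2.20", 27444, "192.0.2.32", 27444),    # master -> daemon
    ("udp", "192.0.2.31", 31335, "192.0.2.20", 31335),    # daemon -> master
    ("udp", "192.0.2.32", 31335, "192.0.2.20", 31335),    # daemon -> master
    ("tcp", "10.0.0.9", 44000, "192.0.2.50", 443),        # unrelated HTTPS
    ("udp", "10.0.0.9", 5353, "224.0.0.251", 5353),       # unrelated mDNS
]


def classify_roles(flows):
    """Map host -> inferred trin00 role from the direction pattern of
    traffic on the three control ports. Hosts that never touch those
    ports are not reported at all."""
    evidence = defaultdict(set)
    for proto, src, sport, dst, dport in flows:
        label = TRIN00_PORTS.get((proto, dport))
        if label is None:
            continue
        evidence[dst].add("recv:" + label)
        evidence[src].add("send:" + label)

    roles = {}
    for host, ev in evidence.items():
        if "recv:attacker_to_master" in ev and "send:master_to_daemon" in ev:
            roles[host] = "master"
        elif "recv:master_to_daemon" in ev and "send:daemon_to_master" in ev:
            roles[host] = "daemon"
        elif "send:attacker_to_master" in ev:
            roles[host] = "controller (connects to master port)"
        else:
            roles[host] = "suspicious (partial trin00 port pattern)"
    return roles


if __name__ == "__main__":
    for host, role in sorted(classify_roles(FLOWS).items()):
        print("%-15s %s" % (host, role))
```

Port matches alone are weak evidence: the ports are the tool's defaults and other software may happen to use them, so a single hit on one port is only "suspicious". The role inference adds the direction pattern (a master both receives on 27665/tcp and sends to 27444/udp), and an analyst would still confirm with payload inspection or a check of the host itself.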
Windows (Sub7) preparation I
  set up the following things on your home PC:
    freemail account
    Kazaa
    trojan toolkit
    IRC client
    IRC bot
Windows (Sub7) preparation II
  assemble different trojans (GUI)
  define ways of communication
  name the file
Windows (Sub7) network I
  start spreading via:
    email / news lists
    IRC
    P2P software
Windows (Sub7) network II
  [diagram: one attacker directly controls many clients (four shown)]
Windows (Sub7) communication
  Sub7 client, IRC channel
  one click launches the attack
Development
  [chart, source: CERT/CC: attack sophistication of the tools rises from low to high over 1980-2001 while the knowledge required of the attackers falls]
  tools plotted on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, denial of service, stealth / advanced scanning techniques, network mgmt. diagnostics, distributed attack tools, binary encryption, burglaries
  years on the axis: 1980, 1985, 1990, 1995, 2001
Solutions
  statistical analyses (i.e. D-ward) at core routers - not ready yet
  change awareness of people (firewalls, attachments, virus scanners, ...)
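As an illustration of the statistical approach listed under solutions, here is an added example (not D-ward itself, and not from the slides) that keeps an exponentially weighted baseline of packets per second toward one destination and flags seconds that lie far above it; the counts, smoothing factor and threshold are constructed or assumed values.

```python
# Constructed packets-per-second series toward one destination: 20 s of
# normal traffic around 100 pkt/s, a 5 s burst at 5000 pkt/s, then normal again.
BASELINE = [100, 103, 98, 101, 99, 102, 97, 100, 101, 99,
            100, 102, 98, 101, 100, 99, 102, 100, 98, 101]
SAMPLE = BASELINE + [5000] * 5 + [100, 101, 99]


def detect_rate_anomalies(counts, alpha=0.2, k=3.0, warmup=5, min_std=2.0):
    """Flag seconds whose packet count exceeds mean + k * std.

    mean and var are exponentially weighted (smoothing factor alpha), so
    the baseline follows slow changes in normal traffic. Flagged samples
    do NOT update the baseline: otherwise a sustained flood would quickly
    become the new "normal" and silence the detector. min_std keeps the
    threshold from collapsing onto a perfectly steady baseline.
    Returns a list of (index, count, threshold_at_that_time).
    """
    mean = None
    var = 0.0
    anomalies = []
    for i, x in enumerate(counts):
        if mean is None:           # first sample seeds the baseline
            mean = float(x)
            continue
        std = max(var ** 0.5, min_std)
        limit = mean + k * std
        if i >= warmup and x > limit:
            anomalies.append((i, x, round(limit, 1)))
            continue               # do not learn from the anomaly
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return anomalies


if __name__ == "__main__":
    for i, x, limit in detect_rate_anomalies(SAMPLE):
        print("second %d: %d pkt/s exceeds baseline limit %.1f" % (i, x, limit))
```

The warm-up period avoids alerts while the baseline is still settling, and the same per-destination logic can be run per source or per protocol to pick out which flows carry the flood.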
Thanks for your attention!