ddos - cs.bham.ac.ukmdr/teaching/modules03/security/students/ss… · using ddos to crash firewall....
![Page 1: DDos - cs.bham.ac.ukmdr/teaching/modules03/security/students/SS… · using DDos to crash firewall. attack competitor to gain business advantages. i.e. former employee. i.e. Bush](https://reader034.vdocuments.net/reader034/viewer/2022042313/5edf329bad6a402d666a8c57/html5/thumbnails/1.jpg)
DDoS
Distributed Denial of Service Attacks
by Mark Schuchter
Overview
- Introduction
- Why?
- Timeline
- How?
- Typical attack (UNIX)
- Typical attack (Windows)
Introduction
DDoS attack:
- prevents or impairs legitimate use of a computer or network
- works by exhausting limited, consumable resources (memory, processor cycles, bandwidth, ...)
- Internet security is highly interdependent: the attacking hosts are other people's compromised machines, so a site's exposure depends on how well every other site is secured
Why?
- sub-cultural status
- to gain access
- political reasons
- economic reasons
- revenge
- nastiness
Timeline
- <1999: point-to-point attacks (SYN flood, Ping of Death, ...), first distributed attack tools ('fapi')
- 1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
- 2000: bundled with rootkits, controlled via talk or IRC
- 2001: worms include DDoS features (e.g. Code Red), include time synchronisation
- 2002: DRDoS (reflected) attack tools
- 2004: Mydoom infects thousands of victims to attack SCO and Microsoft
How?
- TCP floods (various flag combinations)
- ICMP echo requests (e.g. ping floods)
- UDP floods
SYN Attack

Handshake (normal):

    Client                      Server
      |----------- SYN ---------->|   server allocates a half-open entry
      |<-------- SYN-ACK ---------|
      |----------- ACK ---------->|   entry released, connection established

Attack:

    Attacker (spoofed src)      Server                  Spoofed host
      |----------- SYN ---------->|                          |
      |                           |-------- SYN-ACK -------->|   ignored (or RST); no ACK ever comes
      |                           |   half-open entry stays in the backlog until it times out
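The backlog exhaustion shown in the attack diagram, modelled in Python. This is an added example and not part of the original slides: the server address, the backlog size of 4, the 5-second timeout and the packet trace are all constructed so that the effect is visible in a few packets. The second function computes the incomplete-handshake ratio a host or a flow-accounting router would use to recognise the flood.

```python
"""Toy model of a server's SYN backlog under a spoofed SYN flood.

Added example (not part of the original slides). The server address, the
backlog size, the timeout and the packet trace below are all constructed.
"""
from collections import namedtuple

# flags: "S" = SYN, "SA" = SYN-ACK, "A" = final ACK of the handshake
Packet = namedtuple("Packet", "ts src sport dst dport flags")

SERVER = "10.0.0.5"   # assumed server address
BACKLOG = 4           # assumed (tiny) SYN backlog so exhaustion shows up quickly
TIMEOUT = 5.0         # assumed seconds before a half-open entry is dropped


def simulate_backlog(packets, backlog=BACKLOG, timeout=TIMEOUT):
    """Replay a trace against the backlog.

    Returns (accepted, refused, half_open): client (ip, port) pairs that
    completed the handshake, SYNs dropped because the backlog was full, and
    the half-open entries still pending when the trace ends.
    """
    pending = {}              # (src, sport) -> time the SYN arrived
    accepted, refused = [], []
    for p in sorted(packets, key=lambda p: p.ts):
        # A real stack retransmits SYN-ACK a few times and then gives up;
        # here an entry simply expires after `timeout` seconds.
        for key, t0 in list(pending.items()):
            if p.ts - t0 > timeout:
                del pending[key]
        if p.dst != SERVER:
            continue              # SYN-ACKs leaving the server change no state here
        key = (p.src, p.sport)
        if p.flags == "S":
            if key in pending:
                continue          # retransmitted SYN, entry already exists
            if len(pending) >= backlog:
                refused.append(key)   # backlog full: every new SYN is dropped, spoofed or genuine
            else:
                pending[key] = p.ts   # state allocated; server would now send SYN-ACK
        elif p.flags == "A" and key in pending:
            del pending[key]          # handshake complete, state moves to the accept queue
            accepted.append(key)
    return accepted, refused, dict(pending)


def syn_flood_indicators(packets):
    """Count SYNs seen and how many completed; the incomplete fraction is the
    classic SYN-flood signature visible to a host or a flow-accounting router."""
    syns, acks = {}, set()
    for p in packets:
        if p.dst != SERVER:
            continue
        if p.flags == "S":
            syns.setdefault((p.src, p.sport), p.ts)
        elif p.flags == "A":
            acks.add((p.src, p.sport))
    total = len(syns)
    completed = sum(1 for k in syns if k in acks)
    incomplete_ratio = 0.0 if total == 0 else (total - completed) / total
    return total, completed, incomplete_ratio


def build_trace():
    """Constructed trace: one genuine client, then spoofed SYNs that never
    complete, a genuine client refused while the backlog is full, and a
    genuine client accepted again after the stale entries have expired."""
    t = [Packet(0.00, "192.0.2.10", 40000, SERVER, 80, "S"),
         Packet(0.05, SERVER, 80, "192.0.2.10", 40000, "SA"),
         Packet(0.10, "192.0.2.10", 40000, SERVER, 80, "A")]
    for i in range(1, 6):                       # five spoofed sources, no ACK ever follows
        t.append(Packet(1.0 + i / 10, "203.0.113.%d" % i, 1234, SERVER, 80, "S"))
    t.append(Packet(1.15, SERVER, 80, "203.0.113.1", 1234, "SA"))  # SYN-ACK to a host that never asked
    t.append(Packet(2.00, "192.0.2.11", 40001, SERVER, 80, "S"))   # genuine, but backlog is full
    t += [Packet(7.00, "192.0.2.12", 40002, SERVER, 80, "S"),      # stale entries expired by now
          Packet(7.10, "192.0.2.12", 40002, SERVER, 80, "A"),
          Packet(7.20, "203.0.113.6", 1234, SERVER, 80, "S")]      # flood resumes
    return t


if __name__ == "__main__":
    accepted, refused, half_open = simulate_backlog(build_trace())
    print("accepted:", accepted)
    print("refused: ", refused)
    print("half-open at end:", half_open)
    print("SYNs seen / completed / incomplete ratio: %d / %d / %.2f"
          % syn_flood_indicators(build_trace()))
```

The model deliberately has no defence, which is why the genuine client at t=2.0 is refused while four spoofed entries occupy the backlog. Real stacks counter exactly this with SYN cookies, which encode the connection state in the SYN-ACK sequence number and allocate nothing until the final ACK arrives.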
Typical attack
1. prepare the attack
2. set up the network
3. communication
UNIX ('trin00') - preparation I
- use a stolen account (high bandwidth) as a repository for:
  - scanners
  - attack tools (e.g. buffer overrun exploit)
  - root kits
  - sniffers
  - trin00 master and daemon programs
  - list of vulnerable hosts, previously compromised hosts, ...
UNIX ('trin00') - preparation II
- scan large ranges of network blocks to identify potential targets (running an exploitable service)
- the list is used to create a script that:
  - performs the exploit
  - sets up a command shell running as root that listens on a TCP port (1524/tcp)
  - connects to this port to confirm the exploit
-> list of owned systems
UNIX ('trin00') - network I
- store a pre-compiled binary of the trin00 daemon on some stolen account on the Internet
- a script takes the 'owned list' to automate the installation of the daemon
- same goes for the trin00 master
UNIX ('trin00') - network II

    attacker
      |
    master    master    master
      |
    daemon    daemon    daemon    daemon

(one attacker controls a few masters; each master controls many daemons)
UNIX ('trin00') - communication
- attacker controls the master via telnet and a password (port 27665/tcp)
- trin00 master to daemon via 27444/udp (message format: arg1 password arg2)
- daemon to master via 31335/udp
- 'dos <pw> 192.168.0.1' triggers the attack
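The three control channels listed above can be turned around and used defensively. The following is an added Python example, not from the original slides or from the trin00 analyses they summarise, that reconstructs the attacker / master / daemon hierarchy from flow records. The flow records are constructed; the ports are the trin00 defaults quoted on the slide, and an attacker who recompiles the tools can change them, so a port match is a triage signal rather than proof.

```python
"""Reconstruct a trin00 control hierarchy from flow records.

Added example, not from the original slides or the trin00 analyses they
summarise. The flow records are constructed; the ports are the trin00
defaults quoted on the slide and an attacker can recompile with others,
so a port match is a triage signal, not proof.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto")

ATTACKER_TO_MASTER = ("tcp", 27665)   # attacker telnets to the master (password-protected)
MASTER_TO_DAEMON = ("udp", 27444)     # master sends commands to its daemons
DAEMON_TO_MASTER = ("udp", 31335)     # daemons report back to the master


def infer_trinoo_topology(flows):
    """Return the hosts in each role.

    A host is a confirmed master only when it sends to 27444/udp and at least
    one of the hosts it commanded answers on 31335/udp; hosts that match just
    one direction are listed as suspects for manual checking.
    """
    commanded = {}   # candidate master -> hosts it sent commands to
    reported = {}    # candidate master -> hosts that reported to it
    telnet_in = {}   # host -> hosts that connected to its 27665/tcp
    for f in flows:
        channel = (f.proto, f.dport)
        if channel == MASTER_TO_DAEMON:
            commanded.setdefault(f.src, set()).add(f.dst)
        elif channel == DAEMON_TO_MASTER:
            reported.setdefault(f.dst, set()).add(f.src)
        elif channel == ATTACKER_TO_MASTER:
            telnet_in.setdefault(f.dst, set()).add(f.src)

    masters, daemons, attacker_hosts = set(), set(), set()
    for master, targets in commanded.items():
        if targets & reported.get(master, set()):
            masters.add(master)
            daemons |= targets            # every host a confirmed master commanded
            attacker_hosts |= telnet_in.get(master, set())
    suspect_masters = (set(commanded) | set(reported)) - masters
    return {"attacker_hosts": attacker_hosts, "masters": masters,
            "daemons": daemons, "suspect_masters": suspect_masters}


def sample_flows():
    """Constructed flows: one attacker host, one master with three daemons of
    which two have reported back, one unrelated 27444/udp sender, and DNS noise."""
    return [
        Flow("198.51.100.7", 51234, "192.0.2.20", 27665, "tcp"),
        Flow("192.0.2.20", 1025, "192.0.2.31", 27444, "udp"),
        Flow("192.0.2.20", 1025, "192.0.2.32", 27444, "udp"),
        Flow("192.0.2.20", 1025, "192.0.2.33", 27444, "udp"),
        Flow("192.0.2.31", 1026, "192.0.2.20", 31335, "udp"),
        Flow("192.0.2.32", 1027, "192.0.2.20", 31335, "udp"),
        Flow("192.0.2.40", 1028, "192.0.2.41", 27444, "udp"),   # one-directional: suspect only
        Flow("192.0.2.50", 1029, "192.0.2.20", 53, "udp"),      # unrelated DNS traffic
    ]


if __name__ == "__main__":
    for role, hosts in infer_trinoo_topology(sample_flows()).items():
        print("%-16s %s" % (role, sorted(hosts)))
```

Requiring both directions before calling a host a master is what keeps a single stray UDP packet to port 27444 from producing a false incident; the one-directional matches still surface as suspects so they are not silently lost.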
Windows ('Sub7') - preparation I
- set up the following on your home PC:
  - freemail account
  - Kazaa
  - trojan toolkit
  - IRC client
  - IRC bot
Windows ('Sub7') - preparation II
- assemble different trojans (GUI)
- define ways of communication
- name
- file
Windows ('Sub7') - network I
- start spreading via
  - email / news lists
  - IRC
  - P2P software
Windows ('Sub7') - network II

    attacker
      |
    client    client    client    client
Windows ('Sub7') - communication
- Sub7 client
- IRC channel
- 1 click to launch the attack
Development

[Chart, source CERT/CC: attack sophistication (Low to High) plotted against time, 1980 to 2001, with two curves, "Attack sophistication" of the tools rising and "Intruder knowledge" needed to use them falling.]

Techniques and tools marked on the chart:
- password guessing
- password cracking
- exploiting known vulnerabilities
- disabling audits
- back doors
- hijacking sessions
- sniffers
- packet spoofing
- GUI tools
- automated probes/scans
- denial of service
- www attacks
- "stealth" / advanced scanning techniques
- burglaries
- network mgmt. diagnostics
- distributed attack tools
- binary encryption

Source: CERT/CC
Solutions
- statistical traffic analysis in routers (e.g. D-WARD, which sits at the border of the source network and throttles flows that look like attack traffic) - not production-ready yet
- raise user awareness (firewalls, e-mail attachments, virus scanners, ...), since the daemons and trojans run on ordinary users' machines
Thanks for your attention!