Operating System Concepts 1.1
Outline
■ Background on DDoS
✦ Attack mechanism
✦ Ways to defend
■ The attack tool – Trinoo
✦ Introduction
✦ Attack scenario
✦ Symptoms and defense
✦ Weaknesses and next evolution
Background on DDoS
Attack mechanism
Denial-Of-Service
■ Flooding-based
■ Send packets to the victim to exhaust its
✦ Network resources (link bandwidth)
✦ System resources (CPU, memory, connection state)
■ Traditional DoS
✦ One attacking host
■ Distributed DoS
✦ Many attacking hosts, coordinated
Attack Mechanism
■ Reflector attack
✦ Attacker A sends TCP SYN, ICMP, UDP, ... packets to reflector R with V's address as the source IP address
✦ R replies (TCP SYN-ACK, TCP RST, ICMP, UDP, ...) to V, the victim
[Figure: A sends spoofed requests to R; R's replies land on V]
Attack Architecture
■ Attacker
✦ Masters (handlers)
✦ Agents (Daemons or Zombies)
✦ Reflectors
■ Agents send TCP SYN, ICMP, UDP, ... packets with V's address as the source IP addresses, so the reflectors' replies go to V
[Figure: attacker → masters (handlers) → agents (daemons or zombies) → reflectors → victim]
Attack Methods
[Figure: attack methods, contrasting attack packets with reply packets]
BackScatter Analysis (Moore et al.)
Background on DDoS
Ways to defend
Strategy
Attack prevention
Attack source traceback
Attack detection and filtering
■ Detection
✦ Identify a DDoS attack and its attack packets
■ Filtering
✦ Classify normal and attack packets
✦ Drop attack packets
Attack detection and filtering
[Figure: where detection and filtering can be placed along the path: further upstream, ISP networks, victim's network, victim]
■ Detection
✦ Easy at the victim's network – large amount of attack packets
✦ Difficult at an individual agent's network – small amount of attack packets
■ Filtering
✦ Effective at the agents' networks – less likely to drop normal packets
✦ Ineffective at the victim's network – more normal packets are dropped
D&F at agent’s network
D&F at victim’s network
D&F at victim’s upstream ISP
D&F at further upstream ISP
■ Backpressure approach
✦ The victim detects the DDoS attack
✦ The victim asks its upstream ISPs to filter the attack packets; the filtering is pushed progressively further upstream
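The placement argument on these slides (detection is easy at the victim but hard at any one agent's network; filtering costs little at the agents' networks but much at the victim; backpressure lets the victim's detection drive filtering upstream) as a small numeric model. This is an added illustration, not from the slides; every rate, link capacity and classifier error rate in it is constructed.

```python
"""Toy model of where detection and filtering (D&F) pay off.

Added illustration; it is not from the slides or from any Trinoo analysis.
All numbers are constructed: N_AGENTS daemons, each behind a different
network, flood one victim. Rates are packets per second (pps)."""

N_AGENTS = 2000           # daemons, spread over many networks
AGENT_PPS = 500           # attack pps each daemon sends
AGENT_NET_LEGIT = 40_000  # normal pps on a typical agent network's upstream link
VICTIM_LEGIT = 20_000     # normal pps destined for the victim
VICTIM_CAP = 100_000      # victim's access link capacity (the bottleneck)
ISP_CAP = 5_000_000       # upstream ISP link capacity (not the bottleneck)


def detect_anomaly(attack_pps, legit_pps, factor=2.0):
    """Volume-based detector: flag when load exceeds `factor` x the normal load.
    One agent's 500 pps vanishes in 40,000 pps of normal traffic; the
    aggregate of 2000 agents does not vanish in the victim's 20,000 pps."""
    return attack_pps + legit_pps > factor * legit_pps


def congestion_pass(legit, attack, capacity):
    """A saturated link drops packets blindly, before any filter sees them."""
    total = legit + attack
    if total <= capacity:
        return legit, attack
    share = capacity / total
    return legit * share, attack * share


def classify_filter(legit, attack, tpr=0.95, fpr=0.02):
    """Packet classifier: drops a fraction `tpr` of attack packets and, by
    mistake, a fraction `fpr` of legitimate ones (assumed error rates)."""
    return legit * (1 - fpr), attack * (1 - tpr)


def filter_at_victim():
    """D&F at the victim's network: the access link is already saturated,
    so most legitimate packets are lost before the filter even runs."""
    attack = N_AGENTS * AGENT_PPS
    legit, attack = congestion_pass(VICTIM_LEGIT, attack, VICTIM_CAP)
    return classify_filter(legit, attack)


def filter_at_agents():
    """D&F at every agent's network: the same classifier runs where the link
    is not congested, and the residual attack traffic no longer saturates
    the victim's link."""
    _, residual = classify_filter(AGENT_NET_LEGIT, AGENT_PPS)
    return congestion_pass(VICTIM_LEGIT, N_AGENTS * residual, VICTIM_CAP)


def backpressure():
    """Victim detects on its aggregate and asks the upstream ISP to filter
    before the bottleneck link."""
    attack = N_AGENTS * AGENT_PPS
    if not detect_anomaly(attack, VICTIM_LEGIT):
        return VICTIM_LEGIT, attack
    legit, attack = congestion_pass(VICTIM_LEGIT, attack, ISP_CAP)
    legit, attack = classify_filter(legit, attack)
    return congestion_pass(legit, attack, VICTIM_CAP)


def report():
    """Detection outcome at each location and legitimate pps delivered to
    the victim under each filtering strategy."""
    return {
        "detect_at_agent": detect_anomaly(AGENT_PPS, AGENT_NET_LEGIT),
        "detect_at_victim": detect_anomaly(N_AGENTS * AGENT_PPS, VICTIM_LEGIT),
        "legit_kept_victim_filter": filter_at_victim()[0],
        "legit_kept_agent_filter": filter_at_agents()[0],
        "legit_kept_backpressure": backpressure()[0],
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:26} {v}")
```

With these numbers the victim-side filter delivers under 2,000 of the 20,000 legitimate pps, because the saturated access link has already discarded over 90% of everything; the same classifier at the agents' networks delivers all 20,000, and backpressure recovers 19,600 (only the classifier's 2% false positives are lost). The classifier's false positives also cost each agent network a little normal traffic, but that loss is bounded by the classifier, not by a saturated link.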
The attack tool – Trinoo
Introduction
Attack type
■ UDP flooding
■ Default size of UDP packet: 1000 bytes
✦ The daemon malloc()s a buffer of this size and sends its uninitialized contents, so the payload is whatever happened to be in memory
■ Default period of attack: 120 seconds
■ Destination port: randomly chosen from 0 – 65534
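The three properties on this slide (fixed payload size, destination ports spread over the whole range, a sustained rate for about two minutes) are enough to pick a Trinoo-style flood out of per-packet summaries. The detector below is an added example, not from the slides; the packet records it runs over are constructed, and the thresholds are my own choices.

```python
"""Flagging a Trinoo-style UDP flood from per-packet summaries.

Added example, not from the slides. Records are constructed, not captured.
Indicators taken from the slides: UDP, a fixed payload size (1000 bytes by
default), destination ports spread over 0-65534, sustained for about 120 s.
Thresholds are assumptions."""
import random

# Record layout: (timestamp_s, src_ip, dst_ip, proto, dst_port, payload_len)


def trinoo_flood(src, dst, seconds=120, pps=50, size=1000, seed=7):
    """Constructed flood: fixed size, random destination port, steady rate."""
    rng = random.Random(seed)
    return [(i / pps, src, dst, "udp", rng.randint(0, 65534), size)
            for i in range(seconds * pps)]


def dns_client(src, dst, n=300):
    """Constructed legitimate traffic: one port (53), varying small sizes."""
    return [(i * 0.4, src, dst, "udp", 53, 40 + (i % 25)) for i in range(n)]


def rtp_stream(src, dst, seconds=120, pps=50):
    """Constructed legitimate traffic: as fast as the flood, but one port."""
    return [(i / pps, src, dst, "udp", 20000, 172) for i in range(seconds * pps)]


def flow_stats(records):
    """Aggregate UDP packets per (src, dst) pair."""
    flows = {}
    for ts, src, dst, proto, dport, plen in records:
        if proto != "udp":
            continue
        f = flows.setdefault((src, dst), {"count": 0, "ports": set(),
                                          "sizes": set(), "t0": ts, "t1": ts})
        f["count"] += 1
        f["ports"].add(dport)
        f["sizes"].add(plen)
        f["t0"] = min(f["t0"], ts)
        f["t1"] = max(f["t1"], ts)
    return flows


def trinoo_score(f, min_pps=20.0, min_port_spread=0.8, max_distinct_sizes=2):
    """Random destination ports give a spread near 1.0 (almost every packet
    hits a new port); normal UDP flows reuse one or a few ports, so their
    spread is near 0. Size is a weak indicator on its own, since the
    attacker can change it with `rsz`."""
    duration = max(f["t1"] - f["t0"], 1.0)
    pps = f["count"] / duration
    port_spread = len(f["ports"]) / f["count"]
    fixed_size = len(f["sizes"]) <= max_distinct_sizes
    return {"pps": pps, "port_spread": port_spread, "fixed_size": fixed_size,
            "suspect": pps >= min_pps and port_spread >= min_port_spread
                       and fixed_size}


def suspicious_flows(records):
    """Return {(src, dst): score} for flows that look like a Trinoo flood."""
    return {key: score for key, score in
            ((k, trinoo_score(f)) for k, f in flow_stats(records).items())
            if score["suspect"]}


if __name__ == "__main__":
    sample = (trinoo_flood("10.0.0.5", "192.0.2.10")
              + dns_client("10.0.0.6", "192.0.2.53")
              + rtp_stream("10.0.0.7", "192.0.2.20"))
    for key, score in suspicious_flows(sample).items():
        print(key, score)
```

Grouping by (src, dst) assumes each daemon sends enough on its own to cross the rate threshold; with many daemons sharing one victim, aggregate the same counters per destination as well, since the port-spread signal survives aggregation while each source's rate may not.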
The attack tool – Trinoo
Attack scenario
Installation
1. Hack an account
✦ Acts as the repository
✔ Scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
✦ Requirements
✔ High bandwidth connection
✔ Large number of users
✔ Little administrative oversight
2. Compromise systems
✦ Look for vulnerable systems
✔ Unpatched Sun Solaris and Linux hosts
✦ Remote buffer overflow exploitation
✔ Set up a root account
✔ Open TCP ports
✦ Keep a "friend list" of the compromised systems
3. Install daemons
✦ Use "netcat" ("nc") and "trin.sh"
■ trin.sh
Architecture
■ Attacker
✦ Masters (handlers)
✦ Daemons
✦ Victim
[Figure: Trinoo architecture: attacker → masters (handlers) → daemons → victim, with a "direct attack" path also shown]
Communication ports
Password protection
■ Default passwords
✦ "l44adsl" – trinoo daemon password
✦ "gOrave" – trinoo master server startup password
✦ "betaalmostdone" – trinoo master remote interface password
✦ "killme" – trinoo master password controlling the "mdie" command
Login to master
trinoo>
Master and daemon
Master commands
■ dos IP
✦ DoS the IP address specified
✦ “aaa l44adsl IP” sent to each daemon
■ mdos <ip1:ip2:ip3>
✦ DoS the IPs simultaneously
■ mtimer N
✦ Set attack period to N seconds
■ bcast
✦ List the IPs of all daemons
■ mdie password
✦ Shut down all daemons
■ killdead
✦ Ask every listed daemon to send "HELLO" back to the master
✦ Daemons that do not answer are deleted from the list
Daemon commands
■ aaa password IP
✦ DoS specified IP
■ bbb password N
✦ Set attack period to N seconds
■ rsz password N
✦ Set attack packet size to N bytes
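The master and daemon command slides together describe a tiny text protocol: the operator types `dos IP` at the `trinoo>` prompt, the master fans out `aaa l44adsl IP` to every daemon, and the daemons answer with `HELLO` when asked. The code below parses that traffic the way a network sensor would, and shows the fan-out. It is an added example, not from the slides or from the tool. The port-to-role mapping (daemon on UDP 27444, master on UDP 31335 and TCP 27665) is my reading of the netstat output on the symptoms slides, and mapping `mtimer` onto the daemon's `bbb` command is an assumption; the datagrams are constructed.

```python
"""Parsing Trinoo's control traffic as an IDS would see it.

Added example, not from the slides. Command strings and the default daemon
password are from the slides; the ports are assumed from the netstat output
on the symptoms slides; "mtimer" -> "bbb" is an assumption."""
import ipaddress
import re

DAEMON_UDP_PORT = 27444   # master -> daemon commands (assumed from netstat)
MASTER_UDP_PORT = 31335   # daemon -> master "HELLO" (assumed from netstat)
MASTER_TCP_PORT = 27665   # attacker -> master login (assumed from netstat)
DEFAULT_DAEMON_PASSWORD = "l44adsl"

CMD_RE = re.compile(r"^(aaa|bbb|rsz) (\S+) (\S+)$")


def parse_daemon_command(payload: bytes):
    """Decode 'aaa pass IP', 'bbb pass N' or 'rsz pass N'; None otherwise."""
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    m = CMD_RE.match(text)
    if not m:
        return None
    cmd, password, arg = m.groups()
    if cmd == "aaa":
        try:
            ipaddress.IPv4Address(arg)
        except ValueError:
            return None
        meaning = f"flood {arg}"
    elif arg.isdigit():
        meaning = (f"set attack period to {arg} s" if cmd == "bbb"
                   else f"set packet size to {arg} bytes")
    else:
        return None
    return {"cmd": cmd, "arg": arg, "meaning": meaning,
            "default_password": password == DEFAULT_DAEMON_PASSWORD}


def expand_master_command(line, daemons, password=DEFAULT_DAEMON_PASSWORD):
    """Datagrams the master emits for one operator command. Per the slides,
    'dos IP' becomes 'aaa l44adsl IP' sent to every daemon in the list."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"unsupported command: {line!r}")
    verb, arg = parts
    if verb == "dos":
        payloads = [f"aaa {password} {arg}"]
    elif verb == "mdos":
        payloads = [f"aaa {password} {ip}" for ip in arg.split(":")]
    elif verb == "mtimer":          # assumption: mapped onto the daemon's bbb
        payloads = [f"bbb {password} {arg}"]
    else:
        raise ValueError(f"unsupported command: {line!r}")
    return [(d, DAEMON_UDP_PORT, p.encode()) for d in daemons for p in payloads]


def classify_datagram(proto, dport, payload):
    """Content signature for a sensor on the path; None if nothing matches."""
    if proto == "udp" and dport == DAEMON_UDP_PORT and parse_daemon_command(payload):
        return "trinoo master->daemon command"
    if proto == "udp" and dport == MASTER_UDP_PORT and b"HELLO" in payload:
        return "trinoo daemon->master HELLO"
    if proto == "tcp" and dport == MASTER_TCP_PORT:
        return "possible trinoo attacker->master login"
    return None


if __name__ == "__main__":
    for dst, port, payload in expand_master_command("dos 192.0.2.10",
                                                    ["10.0.0.5", "10.0.0.6"]):
        print(dst, port, payload, classify_datagram("udp", port, payload))
```

The signature on the daemon port checks the payload grammar rather than just the port, so an unrelated service that happens to use UDP 27444 is not flagged; the `default_password` field is worth reporting because a daemon still accepting `l44adsl` is the one the uproot procedure later in these slides can talk to directly.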
The attack tool – Trinoo
Symptoms
■ Masters
✦ Crontab entry
✔ … * * * * * /usr/sbin/rpc.listen
✦ Friend list
✔ …-b
# ls -l ... ...-b
-rw------- 1 root root 25 Sep 26 14:46 ...
-rw------- 1 root root 50 Sep 26 14:30 ...-b
✦ Socket status
# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:27665 *:* LISTEN
...
udp 0 0 *:31335 *:*
...
✦ File status
# lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 1292 root cwd DIR 3,1 1024 14356 /tmp/...
master 1292 root rtd DIR 3,1 1024 2 /
master 1292 root txt REG 3,1 30492 14357 /tmp/.../master
master 1292 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
master 1292 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
■ Daemons
✦ Socket status
# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
...
udp 0 0 *:1024 *:*
udp 0 0 *:27444 *:*
...
✦ File status
# lsof -p 1316
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ns 1316 root cwd DIR 3,1 1024 153694 /tmp/...
ns 1316 root rtd DIR 3,1 1024 2 /
ns 1316 root txt REG 3,1 6156 153711 /tmp/.../ns
ns 1316 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
ns 1316 root mem REG 3,1 63878 29116 /lib/libcrypt-2.1.1.so
ns 1316 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so
Defenses
The attack tool – Trinoo
Weaknesses
Uproot a Trinoo network
■ Locate a daemon
■ Use "strings" on the daemon binary to obtain the IPs of its masters
■ Contact the sites where the masters are installed
■ Those sites check the list of daemons
✦ By inspecting the file "…", or by obtaining the master login password and using the "bcast" command
✦ Obtain the "mdie" password
✦ Use "mdie" to shut down all daemons
✦ Repeat "mdie" periodically, since crontab restarts the daemons
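The symptoms slides and the uproot procedure above can be turned into a small host check: read `netstat -a --inet` output for the master's TCP 27665 / UDP 31335 and the daemon's UDP 27444, look for the per-minute cron entry, and pull the masters' IP addresses out of a daemon binary the way `strings` would. This is an added example, not from the slides. The netstat text, crontab and binary image are constructed to mirror the slides; the cron line on the slide is truncated, so the full line here is assumed.

```python
"""Recognizing a Trinoo master or daemon on a host, and recovering master
IPs from a daemon binary as the uproot slide describes with `strings`.

Added example, not from the slides. All samples below are constructed."""
import ipaddress
import re

MASTER_TCP, MASTER_UDP, DAEMON_UDP = 27665, 31335, 27444

# Constructed `netstat -a --inet` output in the layout shown on the slides
NETSTAT_MASTER = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
tcp        0      0 0.0.0.0:22              *:*                     LISTEN
udp        0      0 *:31335                 *:*
"""
NETSTAT_DAEMON = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
"""
# Constructed crontab; the rpc.listen line is the slide's entry, assumed complete
CRONTAB = "0 3 * * * /usr/bin/updatedb\n* * * * * /usr/sbin/rpc.listen\n"

# Constructed daemon image: binary junk around the strings a daemon carries
# (master addresses compiled in, the default password, the HELLO marker)
DAEMON_BLOB = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
               + b"l44adsl\x00" + b"192.0.2.44\x00" + b"\x90\x90\xcc"
               + b"198.51.100.7\x00" + b"*HELLO*\x00" + b"\x00\xff")

NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?")


def listening_ports(netstat_text):
    """(proto, port) pairs that are LISTEN (tcp) or bound (udp). Lines whose
    local port is shown by service name rather than number are skipped."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        proto, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        found.add((proto, int(port)))
    return found


def classify_host(netstat_text):
    """Roles suggested by the socket table: 'master', 'daemon', or both."""
    ports = listening_ports(netstat_text)
    roles = []
    if ("tcp", MASTER_TCP) in ports and ("udp", MASTER_UDP) in ports:
        roles.append("master")
    if ("udp", DAEMON_UDP) in ports:
        roles.append("daemon")
    return roles


def cron_restarts(crontab_text):
    """Every-minute cron entries for rpc.listen, the restart mechanism that
    makes a one-off 'mdie' insufficient."""
    return [line for line in crontab_text.splitlines()
            if line.split()[:5] == ["*"] * 5 and "rpc.listen" in line]


PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(blob):
    """What `strings` prints by default: runs of 4+ printable bytes."""
    return [s.decode("ascii") for s in PRINTABLE_RE.findall(blob)]


def master_ips(blob):
    """Printable runs that parse as IPv4 addresses: the masters this daemon
    reports to, hence the sites to contact."""
    out = []
    for s in printable_strings(blob):
        try:
            out.append(str(ipaddress.IPv4Address(s)))
        except ValueError:
            pass
    return out


def trinoo_markers(blob, known=("l44adsl", "HELLO")):
    """Strings from the slides that identify the binary as a trinoo daemon."""
    found = printable_strings(blob)
    return sorted(k for k in known if any(k in s for s in found))


if __name__ == "__main__":
    print("master host roles:", classify_host(NETSTAT_MASTER))
    print("daemon host roles:", classify_host(NETSTAT_DAEMON))
    print("cron restarts:", cron_restarts(CRONTAB))
    print("masters to contact:", master_ips(DAEMON_BLOB), trinoo_markers(DAEMON_BLOB))
```

On a real host, feed the functions the output of `netstat -a --inet`, the root crontab, and the bytes of the suspect binary found via `lsof` (the `/tmp/.../ns` path on the slides); the port numbers are defaults and a rebuilt daemon may use others, so treat a miss on the ports as inconclusive and the binary strings as the stronger evidence.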
Next evolution
References