|
|
|
|
|
|
|
Process killing (eg. inetd, httpd, named, sendmail) |
|
System reconfiguration (eg. Stop file sharing) |
|
Process crashing (eg. Stack-based buffer
overflow) |
|
Logic bomb |
|
|
|
|
Keep systems patched |
|
Principle of Least Privilege applied to user
accounts |
|
Run integrity-checking programs (eg.Tripwire) |
|
|
|
|
|
|
|
|
|
Filling up the process table |
|
Achieved by forking recursively |
|
Prevents other users from running new processes |
|
Filling up the file system |
|
By continuously writing lots of data to file
system |
|
Prevents other users from writing to files |
|
May causing system to crash |
|
Sending outbound traffic that fills up the
network link |
|
By running a program that constantly sends bogus
network traffic |
|
Consumes cpu cycles and network bandwidth |
|
|
|
|
|
|
|
|
|
Apply Principle of Least Privileges when
creating and maintaining user accounts |
|
Run system monitoring tools |
|
Eg. Big Brother |
|
|
|
|
|
Land attack |
|
Sends a spoofed packet to target where source IP
and port numbers are same as target IP and port numbers, causing network
services of vulnerable target to die |
|
Latierra attack |
|
Sends multiple Land attack packets to multiple
ports |
|
Ping of
Death |
|
Sends an oversized (> 65 kB) ping packet which causes network TCP/IP
stack of vulnerable machines to stop working. |
|
Jolt2 attack |
|
Sends continuous stream of packet fragments,
none of which have a fragment offset of zero. |
|
Target machine’s CPU cycle spent on packet
reassembly |
|
|
|
|
|
Teardrop, Newtear, Bonk, Syndrop |
|
Sends overlapping IP packet fragments, causing
TCP/IP stacks of vulnerable machines to crash |
|
Winnuke |
|
Sends garbage data to an open file sharing port
(TCP port 139) on a Windows machine, causing the vulnerable machine to
crash since data does not conform to SMB protocol |
|
Targa http://packetstorm/security.com/Dos/ |
|
Contains a suite of malformed packet DOS attacks |
|
ARP spoofing to poison router’s ARP cache using
DSniff |
|
|
|
|
|
|
Apply system patches to fix vulnerable TCP/IP
stacks and services |
|
Install anti-spoof filters on routers to thwart
Land attacks |
|
Use static ARP tables to thwart ARP spoofing |
|
|
|
|
|
|
|
|
SYN Flood |
|
Smurf Attacks |
|
Distributed Denial-of-Service Attacks |
|
|
|
|
Attacker sends continuous stream of SYN packets
to target |
|
Target allocates memory on its connection queue
to keep track of half-open
connections |
|
Attacker does not complete 3-way handshake,
filling up all slots on connection queue of target machine |
|
If target machine has a very large connection
queue, attacker can alternatively send sufficient amount of SYN packets to
consume target machine’s entire network bandwidth |
|
|
|
|
|
|
|
|
|
Critical servers should have adequate network
bandwidth and redundant paths |
|
Use two different ISPs for Internet connectivity |
|
Install traffic shaper to limit number of SYN
packets |
|
Increase the size of connection queue or lower
the timeout value to complete a half-open connection |
|
http://www.nationwide.net/~aleph1/FAQ |
|
Use SYN cookies on Linux systems |
|
A calculated value based on the source and
destination IP address, port numbers, time, and a secret number |
|
Calculated SYN cookie is loaded into the ISN of
SYN-ACK response |
|
no need
to remember half-open connections on the connection queue |
|
Activated via “echo 1 >
/proc/sys/net/ipv4/tcp_syncookies” |
|
|
|
|
|
|
Aka directed broadcast attacks |
|
Smurf attacks rely on an ICMP directed broadcast
to create a flood of traffic on a victim |
|
Attacker uses a spoofed source address of victim |
|
Smurf attack is a DOS that consumes network bandwidth of victim |
|
Smurf amplifier is a network that responds to
directed broadcast messages |
|
|
|
|
|
|
|
|
|
Smurf |
|
Creates ICMP floods |
|
Fraggle |
|
Uses UDP instead of ICMP |
|
Sends spoofed IP broadcast packets to a UDP port
that will respond such as UDP port 7 (echo) |
|
Papasmurf |
|
Uses both Smurf and Fraggle attacks |
|
List of
broadcast amplifiers |
|
http://www.netscan.org |
|
http://www.pulltheplug.com/broadcasts2.html |
|
Use of Nmap to find broadcast amplifiers |
|
Perform ping sweep of broadcast addresses |
|
http://packetstorm.securify.com/9901-exploits/smurf.BIP-hunting-namp.txt |
|
|
|
|
|
|
|
|
|
|
|
|
|
http://www.pentic.net/denial-of-service/white-papers/smurf.cgi |
|
Install adequate bandwidth and redundant paths |
|
Filter ICMP messages at your border router |
|
Make sure that your network cannot be used as a
Smurf amplifier |
|
Test via http://www.powertech.no/smurf |
|
Insert “no ip directed-broadcast” on Cisco
border routers |
|
|
|
|
|
|
More powerful than Smurf attacks |
|
No limitation on number of machines used to
launch attack |
|
No limitation on bandwidth that can be consumed |
|
Used against Amazon, eBay, Etrade, and Zdnet in
Feb 2000 |
|
Before
performing a DDOS flood, attack must take over a large number of victim
machines (zombies) and install zombie software |
|
Attacker communicates with client machines which
in turn send commands to zombies |
|
|
|
|
|
|
|
Tribe Flood Network |
|
TFN2K |
|
Blitznet |
|
MStream |
|
Trin00 |
|
Trinity |
|
Shaft |
|
Stacheldraht (“barbed wire”) |
|
Combines features of TFN and Trin00 |
|
http://packetstorm/securify.com/distributed |
|
http://mixter.warrior2k.com |
|
Description of DDOS tools |
|
http://www.washington.edu/People/dad/ |
|
|
|
|
|
|
|
|
|
Successor to Tribe Flood Network |
|
Allows attacker to command zombies to launch
various attacks |
|
Targa (malformed packet DoS attack |
|
UDP flood |
|
SYN flood |
|
ICMP flood |
|
Smurf attack |
|
“Mix” attack using UDP, SYN, and ICMP floods |
|
Communication from client to zombies uses ICMP
Echo Reply packets |
|
Zombies not detectable via Nmap |
|
Clients and zombies can spoof source IP address |
|
Very difficult to find attacker |
|
|
|
|
|
|
Keep systems patched up-to-date |
|
Install adequate bandwidth, redundant paths using different ISPs,
and traffic shaper |
|
Install IDS tools that can alert you when a DDoS
attack start |
|
Install egress anti-spoof filters on external
router to thwart DDoS zombie on your network from spoofing source IP
address |
|
|
|
|
|
Check for zombies via “Find DDoS” http://www.nipc.gov/warning/advisories/2000/00-44-htm |
|
Scans Linux and Solaris systems locally looking
for Tin00, TFN, TFN2K, Mstream, Stacheldraht, and Trinity |
|
Use Zombie Zapper to deactivate active zombies
configured with default ports and passwords |
|
http://razor.bindview.com/tools/ZombieZapper_form.shtml |
|
|
|
Notes
