THE DOS ATTACK IN CLOUD COMPUTING
PROJECT REPORT
Submitted by
AMEYA VASHISHTH (2013-311-009)
AMIR KHAN (2013-311-010)
in partial fulfillment for the award of the degree of
BACHELOR OF TECHNOLOGY (IT)
Under the supervision of
Prof. AFSHAR ALAM
Department of Computer Science
JAMIA HAMDARD
(Hamdard University)
New Delhi-110062
(2016)
DECLARATION
We, Ameya Vashishth and Amir Khan, students of B.Tech (IT) (Enrolment No: 2013-311-009),
hereby declare that the Minor Project entitled "THE DOS ATTACK IN CLOUD COMPUTING",
which is being submitted by us to the Department of Computer Science, Jamia Hamdard,
New Delhi in partial fulfilment of the requirement for the award of the degree of
Bachelor of Technology (IT), is our original work and has not been submitted anywhere
else for the award of any Degree, Diploma, Associateship, Fellowship or other similar
title or recognition.
ABSTRACT
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer resource unavailable to its intended users.
Although the means to carry out, motives for, and targets of a DoS attack may vary, it
generally consists of the concerted efforts of a person or people to prevent an Internet site
or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of
DoS attacks typically target sites or services hosted on high-profile web servers such as
banks, credit card payment gateways, and even root nameservers. The term is generally
used with regard to computer networks, but is not limited to this field; for example, it is
also used in reference to CPU resource management. There are two general forms of DoS
attacks: those that crash services and those that flood services.
One common method of attack involves saturating the target machine with external
communications requests, such that it cannot respond to legitimate traffic, or responds so
slowly as to be rendered effectively unavailable. In general terms, DoS attacks are
implemented either by forcing the targeted computer to reset, by consuming its resources
so that it can no longer provide its intended service, or by obstructing the communication
media between the intended users and the victim so that they can no longer communicate
adequately.
TABLE OF CONTENTS
1 INTRODUCTION 5-6
2 IP SPOOFING 07
3 TYPES OF DOS ATTACK 08-17
4 REAL LIFE EXAMPLES 18-20
5 DDOS ATTACK 21-22
6 RECOMMENDED TOOLS TO PERFORM DOS ATTACK 23-26
7 COUNTERMEASURES 27-28
8 DENIAL OF SERVICE ATTACK AND LAW 29
9 CONCLUSION 30
10 REFERENCES 31
LIST OF FIGURES
1 DOS ATTACK 06
2 IP SPOOFING 07
3 PING OF DEATH 08
4 TEAR DROP ATTACK 11
5 SYN FLOODING ATTACK 12
6 SMURF ATTACK 14
7 DDOS ATTACK 22
CHAPTER-1
INTRODUCTION
DoS attacks, or Denial of Service attacks, have become very common amongst hackers, who
use them as a path to fame and respect in the underground groups of the Internet. A Denial
of Service attack basically means denying valid Internet and network users the use of the
services of the target network or server: launching an attack which temporarily makes the
services offered by the network unusable by legitimate users.
In other words, a DoS attack is one in which you clog up so much memory (or some other
finite resource) on the target system that it cannot serve legitimate users, or in which you
send the target system data packets which it cannot handle, causing it to crash, reboot or,
more commonly, deny services to legitimate users.
DoS attacks are of the following types:
1. Those that exploit vulnerabilities in the TCP/IP protocol suite itself.
2. Those that exploit vulnerabilities in a particular IPv4 implementation.
3. Brute-force attacks, which simply try to use up all the resources of the target system
and so make its services unusable.
Symptoms and Manifestations
The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of
denial-of-service attacks to include:
Unusually slow network performance (opening files or accessing web sites)
Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails received (this type of DoS attack is
considered an e-mail bomb)
Denial-of-service attacks can also lead to problems in the network 'branches' around the
actual computer being attacked. For example, the bandwidth of a router between the
Internet and a LAN may be consumed by an attack, compromising not only the intended
computer but the entire network behind that router.
If the attack is conducted on a sufficiently large scale, entire geographical regions of
Internet connectivity can be compromised, without the attacker's knowledge or intent,
through incorrectly configured or flimsy network infrastructure equipment.
Before going on with DoS attacks, some vulnerabilities in TCP/IP itself need explaining.
Common ones are the Ping of Death, Teardrop, SYN attacks and Land attacks.
Figure 1: DoS Attack
CHAPTER-2
IP SPOOFING
IP spoofing is a technique used to gain unauthorized access to computers, whereby the
intruder sends messages to a computer with a source IP address indicating that the message
is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of
techniques to find the IP address of a trusted host and then modify the packet headers so
that the packets appear to come from that host. Because forged packets draw no replies back
to the attacker, spoofing is also the standard way of hiding the true source of a DoS flood,
which needs no replies to succeed.
Newer routers and firewall arrangements can offer protection against IP spoofing, chiefly
by ingress filtering: dropping packets whose source address could not legitimately have
arrived on the interface they came in on.
Figure 2: IP Spoofing
CHAPTER-3
TYPES OF DOS ATTACK
Ping of Death
This vulnerability is quite well known and was earlier commonly used to hang remote
systems (or even force them to reboot) so that no users could use their services. This exploit
no longer works against maintained systems, as almost all system administrators will have
upgraded their systems, making them safe from such attacks. In this attack, the target
system is pinged with a datagram that exceeds the maximum size allowed by IP, which is
65,535 bytes. Because such a packet has to be fragmented on its way, the victim only notices
the problem during reassembly, when the last fragment pushes the total past 65,535 bytes
and overflows the reassembly buffer. This would almost always cause the remote system to
hang, reboot or crash. The attack could be carried out from the command line of an
unpatched Windows 95 machine: the following ping command asks for a 65,540-byte ICMP
payload, giving a datagram larger than IP allows (current Windows versions refuse -l values
above 65500). It might hang the victim's computer:
C:\windows> ping -l 65540 target.host.ip.address
Figure 3: Ping of Death
How to test if you're vulnerable
Unfortunately, this bug is really easy to exploit; users are already trying it out "just to see
if it works". So, to test whether your machine is in danger, find a Windows 95 or NT box
(3.51 or 4) and run the following command from it against your own host:
ping -l 65550 your.host.ip.address
How to prevent people from breaking your system
If no patch is available, and your main concern is pings from users outside your network, the
best quick-fix solution would seem to be blocking ping at the firewall. This is not a long-term
solution: if you have any services listening on any ports at all, they are vulnerable, because
the bug is in IP fragment reassembly rather than in ICMP. Be assured that sooner or later
someone will come out with a program which sends the same invalid packets to a web server
or an ftp port. The only real solution is to patch your operating system.
By blocking ping, you prevent people from pinging you at all, which could break things that
rely on it.
A better solution than blocking all pings is to block only fragmented pings. This will allow
the common-or-garden 64-byte ping through on almost all systems, while blocking any ping
bigger than the MTU of your link (this varies, but about 1k is a good bet), since only those
have to be fragmented.
Ping flood
A ping flood is a simple denial-of-service attack where the attacker overwhelms the
victim with ICMP Echo Request (ping) packets. It only succeeds if the attacker has more
bandwidth than the victim (for instance an attacker on a DSL line and a victim on a
dial-up modem). The attacker hopes that the victim will respond with ICMP Echo Reply
packets, thus consuming outgoing bandwidth as well as incoming bandwidth. If the target
system is slow enough, it is possible to consume enough of its CPU cycles for a user to
notice a significant slowdown. Unlike the Ping of Death, this is a pure flooding attack: the
packets are well formed, and it is their volume that does the damage.
Teardrop
The Teardrop attack exploits a vulnerability in the reassembly of fragmented data packets.
Whenever data is sent over the Internet, it may be broken down into smaller fragments at
the source system (or by a router along the way) and put together again at the destination
system. Say you need to send 4000 bytes of data from one system to the other; not all of the
4000 bytes are sent in one go. The chunk of data is first divided into a number of fragments,
each carrying a specified range of the data. For example, if 4000 bytes are divided into 3
fragments:
The first fragment will carry bytes 1 to 1500
The second fragment will carry bytes 1501 to 3000
The third fragment will carry bytes 3001 to 4000
Each fragment has a Fragment Offset field in its IP header (not the TCP header:
fragmentation happens at the IP layer). This offset specifies where in the original datagram
the fragment's data belongs and, together with the fragment's length, fixes the range of
data it is carrying. This, along with the Identification field shared by all fragments of one
datagram and the More Fragments flag, lets the destination system reassemble the
fragments in the correct order. In this attack, a series of fragments is sent to the target
system with overlapping offset values. A reassembly routine that does not expect overlaps
mis-computes fragment lengths or copies past the end of its buffer, and the target system
crashes, hangs or reboots.
Say, for example, consider the following scenario (note: _ _ _ = 1 data packet).
Normally a system receives data packets in the following form, with no overlapping
offset values:
_ _ _ (1 to 1500 bytes)
_ _ _ (1501 to 3000 bytes)
_ _ _ (3001 to 4500 bytes)
Now in a Teardrop attack, the data packets are sent to the target computer in the following
format:
_ _ _ (1 to 1500 bytes)
_ _ _ (1500 to 3000 bytes)
_ _ _ (1001 to 3600 bytes)
When the target system receives something like the above, it simply cannot handle it and
will crash, hang or reboot.
Figure 4: Teardrop Attack
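The following is an added example (not part of the original report) showing how a defensive
IP reassembler should treat the fragment sets described in the Ping of Death and Teardrop
sections above: it keeps the 8-byte offset rule and rejects any datagram whose fragments
overlap, leave a hole, or run past 65,535 bytes, instead of crashing on them. Offsets are
0-based byte offsets as the IP layer sees them; the Fragment class, the 1480-byte fragment
sizes and the three sample fragment sets are constructed for the example.

```python
"""Defensive IPv4 fragment-reassembly check (added example).

Rejects the two malformed fragment sets described in the report: teardrop
overlaps and the oversized Ping of Death datagram. Sample data is constructed."""
from dataclasses import dataclass
from typing import List, Tuple

MAX_DATAGRAM = 65535  # IPv4 total-length field is 16 bits (RFC 791)


@dataclass(frozen=True)
class Fragment:
    offset: int   # where this fragment's payload sits in the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments (MF) flag; False only on the final fragment

    @property
    def end(self) -> int:
        return self.offset + self.length


def check_fragments(frags: List[Fragment]) -> Tuple[bool, str]:
    """Return (ok, reason). ok is False for a teardrop-style overlap, a
    Ping-of-Death-style total length above 65,535 bytes, a hole, or a
    malformed MF flag. A reassembler should drop the whole datagram then."""
    if not frags:
        return False, "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        # On the wire the offset is stored in 8-byte units, so every
        # fragment must start on an 8-byte boundary.
        if f.offset % 8:
            return False, f"offset {f.offset} is not a multiple of 8"
        if f.end > MAX_DATAGRAM:
            return False, (f"fragment ends at byte {f.end}, beyond "
                           f"{MAX_DATAGRAM} (ping of death)")
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.offset < prev.end:
            return False, (f"fragment at {cur.offset} overlaps the one ending "
                           f"at {prev.end} (teardrop)")
        if cur.offset > prev.end:
            return False, f"hole between bytes {prev.end} and {cur.offset}"
    if ordered[-1].more:
        return False, "last fragment still has More Fragments set"
    return True, "ok"


# Constructed sample fragment sets (1480-byte payloads, as on a 1500-byte MTU link).
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 1040, False)]
# Second fragment starts inside the first: the overlap the Teardrop section describes.
TEARDROP = [Fragment(0, 1480, True), Fragment(1000, 2600, False)]
# Last fragment at the maximum offset (8191 * 8) carries enough to exceed 65,535 bytes.
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(65528, 40, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        print(f"{name:14s} -> {check_fragments(frags)}")
```

Running the block prints one verdict per sample set; the overlap and oversize checks are
the ones the original vulnerable stacks lacked, and the hole check is what makes the
reassembler wait for missing pieces rather than deliver a partial datagram.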
SYN Flooding Attack
The SYN attack exploits TCP's three-way handshake. So, in order to understand how a SYN
attack works, you first need to know how TCP establishes a connection between two
systems. Whenever a client wants to establish a connection with a host, three steps take
place; these three steps are referred to as the three-way handshake. In a normal three-way
handshake, the client sends a SYN packet to the host, the host replies to this packet with a
SYN/ACK packet, and the client then responds with an ACK (acknowledgement) packet.
This will be clearer after the following depiction of these steps:
Figure 5: SYN Flooding Attack (TCP header with spoofed source address and targeted
destination address; the client in SYN_SENT performs the active open and sends SYNs J, H,
L, N, ...; the server in SYN_RCVD performs the passive open and answers each with a
SYN/ACK, e.g. SYN Q, ACK H+1, then keeps waiting for an acknowledgement that is lost
or never reaches anyone)
1. Client ---- SYN packet ----> Host
In the first step the client sends a SYN packet to the host with which it wants to
establish a connection.
The SYN packet requests a connection from the remote system. It also contains the
Initial Sequence Number (ISN) of the client, which the host needs in order to put the
client's segments back into the correct order.
2. Host ---- SYN/ACK packet ----> Client
In the second step, the host replies to the client with a SYN/ACK packet. This packet
acknowledges the SYN packet sent by the client and sends the client the host's own
ISN. From this moment the host holds a half-open connection (state SYN_RCVD) for
the client in its backlog queue.
3. Client ---- ACK ----> Host
In the last step the client acknowledges the SYN/ACK packet sent by the host by replying
with an ACK packet. These three steps together are known as the 3-way handshake, and
only when they are completed is a TCP connection established.
In a SYN attack, many SYN packets are sent to the server, all with a bad (spoofed) source
IP address. When the target system receives these SYN packets, it tries to respond to each
of them with a SYN/ACK packet, but the reply goes to the spoofed address and never to the
attacker. The target system then waits for an ACK to come from the bad address. As that
address does not answer (it may not exist at all), the target never receives the ACK, and it
keeps each request in its queue of half-open connections until a timeout expires; only 2 of
the 3 handshake steps ever execute. Every queued entry occupies valuable resources on the
target machine. To actually affect the target system, a large number of spoofed SYN packets
have to be sent. They fill the backlog queue, so that SYNs from legitimate clients are
dropped and, on old or badly limited stacks, the exhaustion of memory can crash, hang or
reboot the system.
Because the spoofed addresses may not exist, the SYN/ACK replies travel through the
network until they are dropped or their TTL expires, adding collateral traffic. Modern TCP
stacks defend against this with SYN cookies, which encode the connection state in the
server's ISN so that nothing has to be queued until the client's ACK arrives.
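As an added example (not taken from the report), the following Python model shows why the
queue of half-open connections is the resource a SYN flood exhausts, and how SYN cookies
remove that queue from the handshake. The SynBacklog class, its size and timeout, the
addresses and the per-server secret are all assumptions made for the example; nothing here
opens a real socket, and real stacks use a 32-bit ISN layout of their own.

```python
"""SYN flood versus a stateful backlog, and the SYN-cookie defence (added example).

All sizes, timeouts, addresses and the secret are constructed for the example."""
import hashlib
import hmac
import os
from collections import OrderedDict


class SynBacklog:
    """Stateful server (handshake steps 1-2): every SYN reserves a slot until
    the matching ACK arrives (step 3) or the entry times out."""

    def __init__(self, size: int = 128, timeout: int = 60):
        self.size = size
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> expiry time

    def _expire(self, now: int) -> None:
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now: int) -> bool:
        """Return False when the backlog is full: the SYN is dropped and the
        client never sees a SYN/ACK."""
        self._expire(now)
        if len(self.half_open) >= self.size:
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, src, now: int) -> bool:
        self._expire(now)
        return self.half_open.pop(src, None) is not None


def flood_then_connect(n_spoofed: int, now: int = 0, later: int = 0,
                       backlog_size: int = 128) -> bool:
    """Send n_spoofed SYNs with forged sources that never ACK at time `now`,
    then attempt a legitimate handshake at time `later`. True if it succeeds."""
    srv = SynBacklog(size=backlog_size)
    for i in range(n_spoofed):
        forged = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000)
        srv.on_syn(forged, now)            # SYN/ACK goes to nobody; no ACK ever comes
    client = ("198.51.100.7", 51515)
    return srv.on_syn(client, later) and srv.on_ack(client, later)


# --- SYN cookies: keep no state until the client proves it got the SYN/ACK ---
SECRET = os.urandom(16)   # per-server secret, generated here for the example


def _tag(src, dst, sport, dport, counter: int) -> int:
    msg = f"{src}:{sport}->{dst}:{dport}#{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, now: int) -> int:
    """Server ISN for the SYN/ACK: top 8 bits hold a 64-second time counter,
    low 24 bits a keyed hash of the 4-tuple and that counter."""
    counter = (now // 64) & 0xFF
    return (counter << 24) | _tag(src, dst, sport, dport, counter)


def verify_syn_cookie(ack, src, dst, sport, dport, now: int) -> bool:
    """Step 3 check: the client's ACK number must be our ISN + 1, the counter
    must be current or one period old, and the hash must match. Only then is
    a connection object allocated."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter = isn >> 24
    current = (now // 64) & 0xFF
    if counter not in (current, (current - 1) & 0xFF):
        return False
    expected = _tag(src, dst, sport, dport, counter).to_bytes(3, "big")
    return hmac.compare_digest((isn & 0xFFFFFF).to_bytes(3, "big"), expected)


if __name__ == "__main__":
    print("10 spoofed SYNs, legit client connects:", flood_then_connect(10))
    print("200 spoofed SYNs, legit client connects:", flood_then_connect(200))
    print("200 spoofed SYNs, legit client 61 s later:", flood_then_connect(200, later=61))
    isn = make_syn_cookie("198.51.100.7", "203.0.113.1", 51515, 80, now=1000)
    print("cookie verifies:",
          verify_syn_cookie(isn + 1, "198.51.100.7", "203.0.113.1", 51515, 80, 1005))
```

The stateful model needs only 128 forged SYNs (the backlog size chosen here) to lock
out a legitimate client until the entries time out, whereas the cookie path stores nothing
per SYN and the attacker's unanswered SYN/ACKs cost the server nothing but bandwidth.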
Land Attacks
A Land attack is similar to a SYN attack, the only difference being that instead of a bad
IP address, the IP address (and port) of the target system itself is used as the source. On a
vulnerable stack the machine effectively tries to complete a handshake with itself and locks
up. Almost all systems now have filters or firewalls against such attacks, and dropping
packets whose source address equals their destination is a standard ingress rule.
Smurf Attacks
Figure 6: Smurf Attack
A Smurf attack is a sort of brute-force DoS attack, in which a huge number of ping requests
are sent to the broadcast address of a network (normally through its router), using a spoofed
source IP address belonging to the victim. As each host on that network receives a ping
message, it echoes a reply back to the spoofed source, in turn flooding the victim and the
network with packets and jamming the traffic. If there are a large number of nodes, hosts
etc. in the network, the replies can easily clog the entire network and prevent any use of the
services provided by it.
The two main components of the smurf denial-of-service attack are the use of forged
ICMP echo request packets and the direction of those packets to IP broadcast addresses.
The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control
messages. ICMP can be used to determine if a machine on the Internet is responding. To do
this, an ICMP echo request packet is sent to a machine. If a machine receives that packet, that
machine will return an ICMP echo reply packet. A common implementation of this process is
the "ping" command, which is included with many operating systems and network software
packages. ICMP is used to convey status and error information including notification of
network congestion and of other network transport problems. ICMP can also be a valuable
tool in diagnosing host or network problems.
On IP networks, a packet can be directed to an individual machine or broadcast to an entire
network. When a packet is sent to an IP broadcast address from a machine on the local
network, that packet is delivered to all machines on that network. When a packet is sent to
that IP broadcast address from a machine outside of the local network, it is broadcast to all
machines on the target network (as long as routers are configured to pass along that traffic).
IP broadcast addresses are usually network addresses with the host portion of the address
having all one bits. For example, the IP broadcast address for the network 10.0.0.0 is
10.255.255.255. If you have subnetted your class A network into 256 subnets, the IP
broadcast address for the 10.50 subnet would be 10.50.255.255. Network addresses with
all zeros in the host portion, such as 10.50.0.0, can also produce a broadcast response.
In the "smurf" attack, attackers are using ICMP echo request packets directed to IP
broadcast addresses from remote locations to generate denial-of-service attacks. There are
three parties in these attacks: the attacker, the intermediary, and the victim (note that the
intermediary can also be a victim).
The intermediary receives an ICMP echo request packet directed to the IP broadcast
address of its network. If the intermediary does not filter ICMP traffic directed to IP
broadcast addresses, many of the machines on the network will receive this ICMP echo
request packet and send an ICMP echo reply packet back. When (potentially) all the
machines on a network respond to this ICMP echo request, the result can be severe
network congestion or outages.
When the attackers create these packets, they do not use the IP address of their own
machine as the source address. Instead, they create forged packets that contain the
spoofed source address of the attacker's intended victim. The result is that when all the
machines at the intermediary's site respond to the ICMP echo requests, they send replies
to the victim's machine. The victim is subjected to network congestion that could
potentially make the network unusable. Even though we have not labeled the intermediary
as a "victim," the intermediary can be victimized by suffering the same types of problem
that the "victim" does in these attacks.
Attackers have developed automated tools that enable them to send these attacks to
multiple intermediaries at the same time, causing all of the intermediaries to direct their
responses to the same victim. Attackers have also developed tools to look for network
routers that do not filter broadcast traffic and networks where multiple hosts respond.
These networks can then be used as intermediaries in attacks.
Solution
Disable IP-directed broadcasts at your router.
One solution to prevent your site from being used as an intermediary in this attack is to
disable IP-directed broadcasts at your router. By disabling these broadcasts, you configure
your router to deny IP broadcast traffic onto your network from other networks. In almost
all cases, IP-directed broadcast functionality is not needed.
This network management best practice is described in more detail in a document
authored by Daniel Senie of Amaranth Networks Inc.
You should disable IP-directed broadcasts on all of your routers. It is not sufficient to
disable IP-directed broadcasts only on the router(s) used for your external network
connectivity. For example, if you have five routers connecting ten LANs at your site, you
should turn off IP-directed broadcasts on all five routers.
Configure your operating system to prevent the machine from responding to ICMP
packets sent to IP broadcast addresses.
If an intruder compromises a machine on your network, the intruder may try to launch
a smurf attack from your network using you as an intermediary. In this case, the
intruder would use the compromised machine to send the ICMP echo request packet
to the IP broadcast address of the local network. Since this traffic does not travel
through a router to reach the machines on the local network, disabling IP-directed
broadcasts on your routers is not sufficient to prevent this attack.
Some operating systems can be configured to prevent the machine from responding
to ICMP packets sent to IP broadcast addresses. Configuring machines so that they do
not respond to these packets can prevent your machines from being used as
intermediaries in this type of attack.
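The two countermeasures above, expressed as filter logic in an added example that is not
part of the original report: a router rule that drops directed broadcasts (what the
no ip directed-broadcast interface command does on Cisco routers) and a host rule that
refuses to answer echo requests sent to a broadcast address (what
net.ipv4.icmp_echo_ignore_broadcasts=1 does on Linux). The attached subnets, the Packet
class, the list of live hosts and the sample packets are constructed for the example.

```python
"""Smurf countermeasures as filter logic (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Subnets attached to the router (and, for the host checks, the host's own subnet).
ATTACHED = [ipaddress.ip_network("10.50.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp-echo-request", "icmp-echo-reply", "tcp", "udp", ...


def broadcast_targets(dst: str):
    """Attached subnets for which dst is a broadcast address: host part all
    ones (10.50.255.255) or, for old BSD-style stacks, all zeros (10.50.0.0)."""
    d = ipaddress.ip_address(dst)
    return [n for n in ATTACHED if d in (n.broadcast_address, n.network_address)]


def is_directed_broadcast(pkt: Packet) -> bool:
    """True when the packet is addressed to the broadcast address of an
    attached subnet but comes from outside that subnet, i.e. a directed
    broadcast arriving from another network."""
    nets = broadcast_targets(pkt.dst)
    if not nets:
        return False
    src = ipaddress.ip_address(pkt.src)
    return not any(src in n for n in nets)


def router_filter(pkts: List[Packet]) -> List[Packet]:
    """Router countermeasure: forward everything except directed broadcasts."""
    return [p for p in pkts if not is_directed_broadcast(p)]


def host_replies(host_ip: str, pkt: Packet, ignore_broadcasts: bool = True) -> bool:
    """Host countermeasure: decide whether this host answers an echo request.
    With ignore_broadcasts=True a request to a broadcast address is silently
    dropped, so even a compromised machine inside the LAN cannot use the other
    hosts as amplifiers."""
    if pkt.proto != "icmp-echo-request":
        return False
    if broadcast_targets(pkt.dst):
        return not ignore_broadcasts
    return pkt.dst == host_ip


def replies_generated(pkts: List[Packet], hosts: List[str], ignore_broadcasts: bool) -> int:
    """How many echo replies (all sent to each packet's forged source, i.e. the
    victim) the given hosts would emit for the packets that reach the LAN."""
    return sum(host_replies(h, p, ignore_broadcasts) for p in pkts for h in hosts)


# Constructed traffic: a smurf request forged with the victim's address
# 203.0.113.9, a broadcast ping from inside the LAN, and an ordinary unicast ping.
SMURF = Packet("203.0.113.9", "10.50.255.255", "icmp-echo-request")
LOCAL_BCAST = Packet("10.50.1.4", "10.50.255.255", "icmp-echo-request")
UNICAST = Packet("203.0.113.9", "10.50.1.4", "icmp-echo-request")
LAN_HOSTS = [f"10.50.1.{i}" for i in range(1, 51)]   # 50 live hosts on the LAN

if __name__ == "__main__":
    kept = router_filter([SMURF, LOCAL_BCAST, UNICAST])
    print("router forwards:", [p.dst for p in kept])
    print("replies with no protection     :", replies_generated([SMURF], LAN_HOSTS, False))
    print("replies after router filter    :", replies_generated(router_filter([SMURF]), LAN_HOSTS, False))
    print("inside attacker, hosts hardened:", replies_generated([LOCAL_BCAST], LAN_HOSTS, True))
```

One forged 64-byte request to the broadcast address turns into 50 replies at the victim
in the unprotected case; the router rule stops the request arriving from outside, and the
host rule is what stops the same amplification when the request is injected from inside.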
UDP Flooding
This kind of flooding is done against two target systems and can be used to stop the
services offered by either of them. The two target systems are tricked into talking to each
other: one runs the UDP character-generator service (chargen, port 19), which sends a
stream of characters for every packet it receives, while the other runs the echo service
(port 7), which echoes back every packet it receives. A single spoofed UDP packet, carrying
the source address and port of one service and addressed to the other, starts an endless,
non-stopping loop between the two systems, making them useless for any data exchange or
service provision. The remedy is to disable these legacy services or filter their ports.
Loop back flooding attack
This is one of the oldest types of DoS attack.
CHAPTER-4
REAL LIFE EXAMPLES
Updates on the status of the Twitter service on Aug 6, 2009
Thursday August 6
Ongoing denial-of-service attack
We are defending against a denial-of-service attack, and will update status again shortly.
Update: the site is back up, but we are continuing to defend against and recover from this
attack.
Update (9:46a): As we recover, users will experience some longer load times and
slowness. This includes timeouts to API clients. We’re working to get back to 100% as
quickly as we can.
Update (4:14p): Site latency has continued to improve, however some web requests
continue to fail. This means that some people may be unable to post or follow from the
website.
Other examples follow:
The first major attack involving DNS servers as reflectors occurred in January
2001. The target was Register.com. This attack, which forged requests for the MX
records of AOL.com (to amplify the attack) lasted about a week before it could be
traced back to all attacking hosts and shut off. It used a list of tens of thousands of
DNS records that were a year old at the time of the attack.
In February, 2001, the Irish Government's Department of Finance server was hit
by a denial of service attack carried out as part of a student campaign from NUI
Maynooth. The Department officially complained to the University authorities and
a number of students were disciplined.
In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that
was analyzed turned out to be yet another DDoS agent, which implemented
several DNS related attacks, including an optimized form of a reflection attack.
On two occasions to date, attackers have performed DNS Backbone DDoS Attacks
on the DNS root servers. Since these machines are intended to provide service to
all Internet users, these two denial of service attacks might be classified as
attempts to take down the entire Internet, though it is unclear what the attackers'
true motivations were. The first occurred in October 2002 and disrupted service at
9 of the 13 root servers. The second occurred in February 2007 and caused
disruptions at two of the root servers.
In February 2007, more than 10,000 online game servers for games such as Return to
Castle Wolfenstein, Halo, Counter-Strike and many others were attacked by the
hacker group RUS. The DDoS attack was made from more than a thousand computers
located in the republics of the former Soviet Union, mostly Russia, Uzbekistan and
Belarus. Minor attacks are still being made today.
In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack
directed at Georgian government sites containing the message:
"win+love+in+Rusia" effectively overloaded and shut down multiple Georgian
servers. Websites targeted included the Web site of the Georgian president,
Mikhail Saakashvili, rendered inoperable for 24 hours, and the National Bank of
Georgia. While heavy suspicion was placed on Russia for orchestrating the attack
through a proxy, the St. Petersburg-based criminal gang known as the Russian
Business Network, or R.B.N, the Russian government denied the allegations,
stating that it was possible that individuals in Russia or elsewhere had taken it
upon themselves to start the attacks.
During the 2009 Iranian election protests, foreign activists seeking to help the
opposition engaged in DDoS attacks against Iran's government. The official website of
the Iranian government (ahmedinejad.ir) was rendered inaccessible on several
occasions. Critics claimed that the DDoS attacks also cut off internet access for
protesters inside Iran; activists countered that, while this may have been true, the
attacks still hindered President Mahmoud Ahmadinejad's government enough to
aid the opposition.
On June 25, 2009, the day Michael Jackson died, the spike in searches related to
Michael Jackson was so big that Google News initially mistook it for an automated
attack. As a result, for about 25 minutes, when some people searched Google News
they saw a "We're sorry" page before finding the articles they were looking for.
June 2009 the P2P site The Pirate Bay was rendered inaccessible due to a DDoS
attack. This was most likely provoked by the recent sellout to Global Gaming
Factory X AB, which was seen as a "take the money and run" solution to the
website's legal issues. In the end, due to the buyers' financial troubles, the site was
not sold.
Multiple waves of cyber attacks in July 2009 targeted a number of major websites in
South Korea and the United States. The attacker used a botnet, and file updates fetched
over the internet are known to have assisted its spread. As it turned out, the trojan
involved was coded to scan for existing MyDoom bots. MyDoom was a worm from 2004,
and in July 2009 around 20,000-50,000 infected machines were still present; MyDoom has
a backdoor which the DDoS bot could exploit. Afterwards, the DDoS bot removed itself
and completely formatted the hard drives. Most of the bots originated from China and
North Korea.
On August 6, 2009 several social networking sites, including Twitter, Facebook,
LiveJournal, and Google blogging pages, were hit by DDoS attacks apparently aimed
at the Georgian blogger "Cyxymu". Although Google came through with only minor
setbacks, these attacks left Twitter crippled for hours; Facebook eventually restored
service, although some users still experienced trouble.
In July and August, 2010, the Irish Central Applications Office server was hit by a
denial of service attack on four separate occasions, causing difficulties for
thousands of Second Level students who are required to use the CAO to apply for
University and College places. The attack is currently subject to a Garda
investigation.
CHAPTER-5
DISTRIBUTED DOS ATTACKS
DoS attacks are not new; in fact they have been around for a long time. However, there
has been a recent wave of Distributed Denial of Service attacks which pose a great threat
to security and are on the verge of overtaking viruses and trojans as the deadliest threat
to Internet security. In almost all of the TCP/IP vulnerabilities described above, which are
being exploited by hackers, there is a large chance of the target's system administrator or
the authorities tracing the attack and getting hold of the attacker.
What is commonly done now is this: say a group of 5 hackers join forces and decide to
bring a Fortune 500 company's server down. Each of them breaks into a smaller, less
protected network and takes it over. They now have 5 networks and, supposing there are
around 20 systems in each network, around 100 systems in all to attack from. Sitting at
their home computers, they connect to the hacked, less protected networks, install a
Denial of Service tool on them, and launch attacks on the actual Fortune 500 company
from these hacked systems. This makes the hackers harder to detect and helps them do
what they want without getting caught. As they have full control over the smaller, less
protected networks, they can easily remove all traces before the authorities get there.
Not a single system connected to the Internet is safe from such DDoS attacks. All
platforms, including Unix and Windows NT, are vulnerable. Even MacOS has not been
spared, as some Macs are being used to conduct such DDoS attacks.
Typical DDoS Attacks
In a typical DDoS attack, the attacker's army consists of master zombies and slave
zombies. The hosts of both categories are compromised machines that were found during a
scanning process and infected with malicious code. The attacker coordinates and orders the
master zombies, and they in turn coordinate and trigger the slave zombies. More
specifically, the attacker sends an attack command to the master zombies and activates all
attack processes on those machines, which are in hibernation, waiting for the appropriate
command to wake up and start attacking. Then the master zombies, through those
processes, send attack commands to the slave zombies, ordering them to mount a DDoS
attack against the victim. In that way, the agent machines (slave zombies) begin to send a
large volume of packets to the victim, flooding its system with useless load and exhausting
its resources. Figure 7 shows this kind of DDoS attack.
Figure 7: DDoS Attack
CHAPTER-6
RECOMMENDED TOOLS TO PERFORM DDOS ATTACK
These tools are easily available on the internet and can be downloaded for use:
Tribe Flood Network (TFN) DDoS attacking tool
Trinoo
Stacheldraht (German for "barbed wire"), which combines the features of both trinoo and TFN
mstream
Shaft
WinTrinoo, a Windows-based version of trinoo
All of the above tools require a Unix system, except of course WinTrinoo.
The DDos attack relies on the covert existence of certain program tools on
compromised machines. These tools enable an attacker to formulate, prepare and
implement a DDos attack. The current report collates information on two common and
related DDos attack tools: trinoo, a Unix based tool, and wintrinoo, a recent Windows
based tool. To this end, details are provided of the attack anatomy, the tool structure
and function, and possible lines of defence. Although details pertain directly to the
(win)trinoo tools, certain generalities can be extracted that provide a coherent view of
all DDos attacks (such as the TFN, TFN2K, Stacheldraht, and Smurf Attacks).
Trinoo
Trinoo (also known as trin00) was the first well-known DDoS attack tool, used against the
University of Minnesota in August 1999. This two-day attack involved flooding servers with
UDP packets originating from thousands of machines. Source addresses were not spoofed, so
the systems running the offending daemons could be contacted; however, the attacker
responded simply by introducing new daemon machines into the attack. Trinoo was first
found as a binary daemon on a number of compromised Solaris 2.x systems. Malicious code
had been introduced through exploitation of buffer over-run bugs in the remote procedure
call (RPC) services 'statd', 'cmsd' and 'ttdbserverd'.
Page23
Division Of Computer Engineering, SOE, CUSAT
The trinoo DDos formulation begins with the attacker compromising one of many master
systems. These systems are set-up with vulnerability scanning tools, root kits (to conceal
malicious programs, files and connections), the master and trinoo daemon programs, and
a list of vulnerable hosts (which are potential daemon systems). DDos attack preparation
involves the master(s) scanning for systems exhibiting the vulnerabilities described above
(typically Solaris 2.x and Linux systems). A list of vulnerable systems is then passed to an
exploit script that compromises each system, sets up and connects a listening shell (tcp
port 1524), and compiles a list of successful compromises – or ‘owned’ systems. The list
of ‘owned’ systems is passed to another script that installs the trinoo daemon and a root
kit via the open tcp port 1524 – completing the construction of the ‘trinoo network’.
The DDos attack begins when the attacker connects (to masters) via telnet to tcp port
27665 and enters a password (the password was "betaalmostdone" in the case examined
by Dittrich). Masters then pass command lines to daemons via UDP port 27444. These
commands are password protected and are of the form: arg1 password arg2. Daemons
respond to masters on UDP port 31335. Masters form a list of alive daemons by listening
for the text "*HELLO*" in the data portion of UDP packets originating from daemons.
Attackers can send a number of commands to masters. Examples are:
quit - to log off from the master
dos IP - to launch a DDoS attack against the address IP
mdos - to launch a multiple DDoS attack
bcast - to form a list of started daemons
Masters can send commands to daemons according to what the attacker has ordered. For
example:
aaa password IP - DoS attack address IP by sending UDP packets to random (0-65534) UDP ports.
bbb password N - Period of time in seconds to run the DoS attack.
rsz N - Set size of UDP packets to N bytes.
d1e - Shutdown the daemon
Trinoo programs can be detected if active on the master and daemon systems, unless root
kits have been installed to hide them. The command netstat -a --inet will show tcp port 27665 and
UDP port 27444 open on the master, and UDP port 31335 open on the daemon.
Wintrinoo
The addition of Windows machines to the pool of potential zombies increases the overall
threat and destructive capability of DDoS attacks. Wintrinoo is a Windows version of
trinoo that was first reported to CERT on February 16th 2000 (CERT IN-2000-01). (Note
that TFN2K, derived from TFN, also runs on NT and appeared in December 1999). In the
wintrinoo case, zombies are formed by machines that run the program service.exe.
Typically, this program comes to be executed in a number of ways:
- users run the program when it arrives as an e-mail attachment
- it is executed by document macros
- it is installed and run via Back Orifice.
When executed, service.exe installs a copy of itself to windows\system and adds a registry
entry making it restart when the system restarts. The pertinent key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
When running, service.exe will appear in the Windows task-list and it can be ended.
However, service.exe will restart unless the registry entry is deleted. It must be noted
that service.exe is distinct from the normal services.exe.
service.exe is approximately 23kB in size and will run on Windows NT4, 95 and 98. It differs from
the trinoo daemon in that it listens for masters on UDP port 34555 and passes information
to the masters on UDP port 35555. As with trinoo, this can be observed using the
command: netstat -an.
service.exe has been found on systems concurrently infected with Back Orifice, suggesting that this
trojan horse may have been the method of entry (Gary Flynn, 2000).
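As an added example (not code from the report, nor from Dittrich's or Flynn's analyses), the following Python turns the trinoo and wintrinoo indicators described above into a checker for netstat output and for the UDP traffic between masters and daemons. The netstat row-format handling and the sample rows are my own assumptions, constructed for illustration.

```python
"""Added example (not from the report): spot trinoo/wintrinoo ports in netstat
output and label trinoo UDP traffic between masters and daemons."""
import re
from typing import Dict, List, Optional, Tuple

# Port numbers and roles exactly as the report text describes them.
INDICATORS: Dict[Tuple[str, int], str] = {
    ("tcp", 1524):  "listening shell left by the trinoo setup script",
    ("tcp", 27665): "trinoo master: attacker telnet control port",
    ("udp", 27444): "trinoo master: command channel to daemons",
    ("udp", 31335): "trinoo daemon: reply channel to masters",
    ("udp", 34555): "wintrinoo daemon: listens for masters",
    ("udp", 35555): "wintrinoo daemon: reports to masters",
}
LOCAL_ADDR = re.compile(r"^(?P<host>.+)[:.](?P<port>\d+)$")  # host:port / host.port

def parse_netstat_line(line: str) -> Optional[Tuple[str, int]]:
    """(proto, local_port) for a data row of Linux `netstat -a --inet` or
    Windows `netstat -an`; None for headers. Linux rows carry Recv-Q/Send-Q
    counters before the local address, Windows rows do not (assumed formats)."""
    f = line.split()
    if len(f) < 2 or not f[0].lower().startswith(("tcp", "udp")):
        return None
    local = f[3] if f[1].isdigit() and len(f) > 3 else f[1]
    m = LOCAL_ADDR.match(local)
    return (f[0].lower()[:3], int(m.group("port"))) if m else None

def find_ddos_indicators(netstat_output: str) -> List[str]:
    """List every trinoo/wintrinoo port open in a netstat dump. Caveat from
    the report: a root kit can hide sockets, so also scan from another host."""
    hits = []
    for line in netstat_output.splitlines():
        parsed = parse_netstat_line(line)
        if parsed in INDICATORS:
            hits.append(f"{parsed[0]}/{parsed[1]} {INDICATORS[parsed]}")
    return hits

def classify_trinoo_datagram(dst_port: int, payload: bytes) -> Optional[str]:
    """Label trinoo UDP traffic as the report describes: daemon *HELLO* beacons
    to masters on 31335, and master commands (aaa, bbb, rsz, d1e) to daemons on 27444."""
    words = payload.split()
    if dst_port == 31335 and b"*HELLO*" in payload:
        return "daemon->master *HELLO* beacon"
    if dst_port == 27444 and words and words[0] in {b"aaa", b"bbb", b"rsz", b"d1e"}:
        return f"master->daemon command {words[0].decode()}"
    return None

# Constructed sample rows (not real captures): a Linux master, a Windows zombie.
SAMPLE_LINUX = "tcp   0  0 0.0.0.0:27665  0.0.0.0:*  LISTEN\nudp   0  0 0.0.0.0:27444  0.0.0.0:*\n"
SAMPLE_WINDOWS = "  TCP    0.0.0.0:135   0.0.0.0:0   LISTENING\n  UDP    0.0.0.0:34555   *:*\n"
```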
CHAPTER-7
COUNTER MEASURES
The best defence against DDoS attacks is to prevent initial system compromises. Generally,
this involves installing patches, running antivirus software, using a firewall and monitoring for
intruders. However, even vigilant hosts can become targets because of less prepared, less
security-aware hosts (especially if these hosts have always-on high-speed internet
connections). Many systems are compromised because patches for vulnerabilities reported
and fixed months beforehand were never installed. Similarly, such systems often run anti-virus
software that is not kept up to date, which leaves a loophole that allows this attack to succeed.
It is difficult to specifically defend against becoming the ultimate target of a DDoS attack,
but protection against being used as a daemon or master system is more easily attainable.
To this end, the following measures should be met:
- Check for frequent patches and subscribe to automatic vendor notifications
- Attempt to understand the vulnerabilities in your software and configuration
- Disable unnecessary network software
- Only accept program files from trusted sources (or at least be cautious)
For Unix operators:
- Limit accessibility with network access control tools e.g. TCP Wrappers
- Use file system integrity checks e.g. Tripwire
- Download programs to test for common DDoS attacks. For example:
  http://www.fbi.gov/nipc/trinoo.htm for Sun and Linux boxes
  http://www.theorygroup.com/Software/RID for all unix platforms (Remote
  Intrusion Detector, for detecting trinoo, TFN and stacheldraht DDoS tools).
For Windows operators:
- Keep anti-virus (e.g. Norton) and anti-trojan (e.g. BOClean) software up to date
- Disable scripting on browsers and e-mail clients
- Run a desktop firewall
- Download Wtrinscan.exe, which scans for wintrinoo
- The system administrator should compartmentalize critical services, e.g. separate
  sections for ftp servers, mail servers, web servers, etc., so that if one server
  is brought down by attackers the others are not affected. This is expensive,
  but for security purposes the benefit outweighs the cost.
- Always buy more bandwidth than normally required in order to absorb sudden traffic;
  for example, if the requirement is to handle 1 million users, buy the bandwidth
  for 2 million users.
- It is also good practice to filter out malicious traffic as early as possible; this can
  only be done by working closely with your ISPs. For example, you may need to
  block a sudden range of bad IP addresses based on the statistics provided by your ISPs.
- Disable publicly available services
- Balance the traffic load across a set of different servers; for example, Google has 4
  nameservers.
- Update your system frequently by checking with the vendors.
- IPsec: IP security is not implemented commercially; if implemented, it will provide
  proper authentication.
- You must have measures which can detect DDoS tools and daemons.
CHAPTER-8
DENIAL-OF-SERVICE ATTACKS AND THE LAW
In the Police and Justice Act 2006, the United Kingdom specifically outlawed denial-of-service
attacks and set a maximum penalty of 10 years in prison.
In the US, they can be a serious federal crime under the National Information
Infrastructure Protection Act of 1996 with penalties that include years of imprisonment,
and many countries have similar laws.
A U.K. law has been passed that makes it an offense to launch denial-of-service attacks,
which experts had previously called "a legal gray area."
Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on
Wednesday, is a clause that makes it an offense to impair the operation of any computer
system. Other clauses prohibit preventing or hindering access to a program or data held
on a computer, or impairing the operation of any program or data held on a computer.
The maximum penalty for such cybercrimes has also been increased from 5 years to 10
years.
CHAPTER-9
CONCLUSION
DDoS attack tools are readily available and any internet host is targetable as either a
zombie or the ultimate DDoS focus. These attacks can be costly and frustrating and are
difficult, if not impossible, to eradicate. The best defence is to hinder attackers through
vigilant system administration. Applying patches, updating anti-malware
programs, system monitoring, and reporting incidents go further than retarding DDoS
attacks – these defences also protect against other attacks.
The Internet is not stable—it reforms itself rapidly. This means that DDoS
countermeasures quickly become obsolete. New services are offered through the Internet,
and new attacks are deployed to prevent clients from accessing these services. However,
the basic issue is whether DDoS attacks represent a network problem or an individual
problem—or both. If attacks are mainly a network problem, a solution could derive from
alterations in Internet protocols. Specifically, routers could filter malicious traffic,
attackers could not spoof IP addresses, and there would be no drawback in routing
protocols. If attacks are mostly the result of individual system weaknesses, the solution
could derive from an effective IDS system, from an antivirus, or from an invulnerable
firewall. Attackers then could not compromise systems in order to create a "zombie"
army. It appears that both the network and individual hosts constitute the problem.
Consequently, countermeasures should be taken from both sides. Because attackers
cooperate in order to build the perfect attack methods, legitimate users and security
developers should also cooperate against the threat. The solution will arise from
combining both network and individual countermeasures.
REFERENCES
[1] CIS 659 "Introduction to Network Security – Fall 2003,"
http://www.cis.udel.edu/~sunshine/F03/CIS659/class15.pdf
[2] Kevin Tsui, "Tutorial-Virus (Malicious Agents)," University of Calgary, October 2001.
[3] Nicholas Weaver, "Warhol Worms: The Potential for Very Fast Internet Plagues,"
http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
[4] Nicholas Weaver, U.C. Berkeley BRASS group, "Potential Strategies for High Speed
Active Worms: A Worst Case Analysis," February 2002.
[5] David Moore and Colleen Shannon, "The Spread of the Code Red Worm (crv2)," July 2001,
http://www.caida.org/analysis/security/codered/coderedv2_analysis.xml#animations
[6] "A Chronology of CERT Coordination Center Involvement with Distributed Denial-of-Service
Tools," http://www.cdt.org/security/dos/000229senatehouse/chron.html
[7] Sven Dietrich (NASA Goddard Space Flight Center), Neil Long (Oxford University) and
David Dittrich (University of Washington), "Analyzing Distributed Denial Of Service Tools:
The Shaft Case," http://www.usenix.org/events/lisa2000/full_papers/dietrich/dietrich_html/
[8] http://staff.washington.edu/dittrich
[9] http://www.panix.com/press/synattack.html