Undead Attack

Talk that I delivered during the What the Hack! conference.

  1. Diego Protta Casati, Leandro Spínola Rodrigues
  2. Who are we?
  3. How did it start?
     ● Set up a hackathon in Santa Rita do Sapucaí/MG
     ● 1st hackathon: 07/03/2004
     ● Analysis of TCP packets, using OpenBSD, FreeBSD and Windows XP, while trying to tear down a Telnet connection
  4. A brief explanation of the flaw
     What did we find?
     ● An abnormal condition in the TCP/IP stack
     ● A state the stack implementation does not anticipate
     Why is that a problem?
     ● Increased CPU consumption
     ● Drop in network performance
     Who is vulnerable?
  5. Affected systems
     ● Microsoft Windows XP Professional and XP Home (RTM, SP1, SP2)
     ● Microsoft Windows 98SE
     ● Microsoft Windows 2000 Server and 2000 Professional (RTM, SP1 to SP4)
     ● Microsoft Windows Server 2003 Web, Standard, Enterprise and Datacenter Edition (RTM, SP1), including Enterprise Edition 64-bit and Datacenter Edition 64-bit (RTM, SP1) and the Standard x64 and Enterprise x64 Editions
     ● Microsoft Windows NT Server 4.0, NT Workstation 4.0 and NT Enterprise Server 4.0 (RTM, SP1 to SP6, SP6a)
     ● Windows Server 2003 based appliances: Avaya DefinityOne Media Servers, Avaya IP600 Media Servers, Avaya S3400 Message Application Server, Avaya S8100 Media Servers
  6. Affected systems (continued)
     ● Microsoft Windows NT Terminal Server 4.0 (RTM, SP1 to SP6, SP6a)
     ● Microsoft Windows 2000 Datacenter Server and 2000 Advanced Server (RTM, SP1 to SP4)
     ● Linux kernel 2.6: 2.6-test1 through -test11 and -test9-CVS, 2.6, 2.6.1 (-rc1, -rc2) to 2.6.11 (-rc2 to -rc4), including 2.6.6 rc1, 2.6.7 rc1, 2.6.8 rc1 to rc3, 2.6.10 rc2, and the point releases 2.6.11.5 and 2.6.11.6
     ● Linux kernel 2.4.22 to 2.4.30, including 2.4.23 -pre9 and -ow2, 2.4.24 -ow1, 2.4.27 -pre1 to -pre5, 2.4.29 -rc1 and -rc2, and 2.4.30 rc2 and rc3
     ● Distributions: Ubuntu Linux 4.1 (ia32, ia64, ppc) and 5.04 (amd64, i386, powerpc); Devil-Linux 1.0.4 and 1.0.5; MandrakeSoft Mandrake Linux 9.2 and 9.2 amd64; RedHat Fedora Core 1, 2 and 3; Slackware Linux 9.1
  7. Affected systems (continued)
     ● Linux kernel 2.4: 2.4.0-test1 through -test12, 2.4, and 2.4.1 to 2.4.21, including 2.4.18 pre-1 to pre-8 and 2.4.18 x86, 2.4.19 -pre1 to -pre6, and 2.4.21 pre1, pre4 and pre7
     ● Distributions: MandrakeSoft Mandrake Linux 9.1 and 9.1 ppc; Slackware Linux 8.0 and 9.0; Conectiva Linux 7.0 and 9.0; RedHat Linux 7.2 and 9.0 i386; RedHat Desktop 3.0; RedHat Enterprise Linux AS 3, ES 3 and WS 3; S.u.S.E. Linux 7.1 and 7.2, S.u.S.E. Linux Personal 9.0 and 9.0 x86_64, S.u.S.E. Linux Enterprise Server 8; Caldera OpenLinux Server 3.1.1 and Workstation 3.1.1; CRUX Linux 1.0; Gentoo Linux 1.2 and 1.4; WOLK 4.4s
     Reference: www.securityfocus.com/bid/13215
  8. Unaffected systems: OpenBSD, the only operating system tested so far that is not affected
  9. Latest findings (tested during What the Hack!, also affected)
     ● Mac OS X Tiger
     ● NetBSD 2.0
     ● FreeBSD 6.0 Beta
     ● Linux 2.6.13RC3
  10. Advisories
  11. http://nvd.nist.gov/nvd.cfm?cvename=CAN-2005-1184
  12. www.securityfocus.com/bid/13215
  13. Basic principles
  14. Ethernet frame (diagram; field sizes in bytes)
  15. IP packet (diagram; field sizes in bits)
  16. TCP segment (diagram; field sizes in bits)
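The header layouts on the three slides above can be exercised with the following decoder. It is an added example in C and is not code from the talk or from the storm.c exploit it references: it walks an Ethernet/IPv4/TCP frame with a bounds check at every step and classifies the segment by the fields an ACK flood turns on (flags, sequence and acknowledgement numbers, window, payload length). The 54-byte frame embedded in it is constructed for the example, and the `TCP_*` constants, the `struct tcp_info` layout and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not code from the talk): decode the Ethernet, IPv4 and TCP
 * headers laid out on the slides and expose the fields an ACK flood relies on. */

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10

struct tcp_info {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint32_t seq, ack;
    uint8_t  flags;
    uint16_t window;
    size_t   payload_len;         /* bytes following the TCP header */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out for a well-formed IPv4/TCP frame, -1 otherwise.
 * Every header length is checked against the bytes actually present, so a
 * truncated frame or a lying length field cannot make the parser read past
 * the buffer. Checksums are not verified. */
int parse_tcp_frame(const uint8_t *frame, size_t len, struct tcp_info *out)
{
    if (len < 14 || rd16(frame + 12) != 0x0800) return -1;     /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ip_avail = len - 14;
    if (ip_avail < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                   /* IHL in 32-bit words */
    size_t total = rd16(ip + 2);                                /* IP total length */
    if (ihl < 20 || total < ihl || total > ip_avail) return -1;
    if (ip[9] != 6) return -1;                                  /* protocol 6 = TCP */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_avail = total - ihl;
    if (tcp_avail < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                   /* data offset in words */
    if (doff < 20 || doff > tcp_avail) return -1;

    out->src_ip = rd32(ip + 12);  out->dst_ip = rd32(ip + 16);
    out->src_port = rd16(tcp);    out->dst_port = rd16(tcp + 2);
    out->seq = rd32(tcp + 4);     out->ack = rd32(tcp + 8);
    out->flags = tcp[13];
    out->window = rd16(tcp + 14);
    out->payload_len = tcp_avail - doff;
    return 0;
}

/* A "pure ACK": ACK set, no SYN/FIN/RST, and no data. This is the shape of
 * the segments the flood described later in the talk is made of. */
int is_pure_ack(const struct tcp_info *t)
{
    return (t->flags & (TCP_ACK | TCP_SYN | TCP_FIN | TCP_RST)) == TCP_ACK && t->payload_len == 0;
}

/* Constructed sample frame: a pure ACK 10.0.0.1:40000 -> 10.0.0.2:23 (the
 * Telnet port of the original experiment), seq 0x11111111, ack 0x22222222,
 * window 65535, IP total length 40, checksums left at zero. */
static const uint8_t kSampleAckFrame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,             /* IPv4 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x9c,0x40,0x00,0x17, 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22,             /* TCP */
    0x50,0x10,0xff,0xff, 0x00,0x00,0x00,0x00,
};

struct tcp_info parse_sample(void)
{
    struct tcp_info t = {0};
    parse_tcp_frame(kSampleAckFrame, sizeof kSampleAckFrame, &t);
    return t;
}

int sample_is_pure_ack(void) { struct tcp_info t = parse_sample(); return is_pure_ack(&t); }

/* Cutting the sample off inside the TCP header must be rejected, not read past. */
int parse_truncated_sample(void) { struct tcp_info t; return parse_tcp_frame(kSampleAckFrame, 40, &t); }

int main(void)
{
    struct tcp_info t = parse_sample();
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u flags=0x%02x seq=%08x ack=%08x win=%u pure_ack=%d\n",
           (unsigned)(t.src_ip >> 24), (unsigned)((t.src_ip >> 16) & 0xff), (unsigned)((t.src_ip >> 8) & 0xff),
           (unsigned)(t.src_ip & 0xff), t.src_port,
           (unsigned)(t.dst_ip >> 24), (unsigned)((t.dst_ip >> 16) & 0xff), (unsigned)((t.dst_ip >> 8) & 0xff),
           (unsigned)(t.dst_ip & 0xff), t.dst_port,
           t.flags, (unsigned)t.seq, (unsigned)t.ack, t.window, is_pure_ack(&t));
    return 0;
}
```

The same decoder can be pointed at frames read from a pcap file or a raw socket; the only thing that changes is where the bytes come from. The length checks are the part worth copying: a stack that trusts IHL, total length or data offset without checking them against the bytes received is the kind of unanticipated state the talk is about.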
  17. Three-way handshake (diagram: A, B; connection established)
  18. Connection teardown (diagram: A, B; connection closed)
  19. TCP keep-alive (diagram: previous scenario, A, B; TCP keep-alive completed)
  20. The attack
  21. The attack (diagram): A and B hold an established TCP connection; Z detects the connection and sends a flood of TCP ACK packets
  22. Undead Attack (diagram): previous scenario; Z keeps flooding TCP ACK packets
  23. Attack scenarios
  24. Scenario I: Denial of Service (DoS), one zombie against one target
  25. Scenario II: Distributed Denial of Service (DDoS), many zombies against one target
  26. How to defend? The forged packet is perfectly acceptable to the receiver!
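Slides 21, 22 and 26 describe a flood of ACK segments and note that every forged packet looks acceptable to the receiver, so a defender cannot reject any single packet and has to look at the rate instead. The following is an added example, not code from the talk or from storm.c: a sliding one-second window that counts data-less ACK segments on one connection and raises an alert once the count passes a threshold, run over a trace constructed for the example (a few keep-alives and one data segment, then a burst of forged ACKs carrying the same stale acknowledgement number). The threshold of 100 pure ACKs per second, the trace and all names are the example's own assumptions, not figures from the talk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the talk's code): rate-based detection of an ACK flood
 * on a single established TCP connection, as seen from a monitoring point.
 * Normal traffic produces a data-less ACK only every few seconds; hundreds per
 * second with no data behind them is the flood signature. */

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10

struct seg {
    uint32_t t_ms;          /* capture time in milliseconds */
    uint8_t  flags;
    uint32_t seq, ack;
    uint16_t payload_len;
};

static int is_pure_ack(const struct seg *s)
{
    return (s->flags & (TCP_ACK | TCP_SYN | TCP_FIN | TCP_RST)) == TCP_ACK && s->payload_len == 0;
}

/* Sliding one-second window over the pure ACKs of one time-ordered trace.
 * Returns how many segments arrived while the window already held more than
 * `threshold` pure ACKs (0 means no flood). *first_alert_ms, if non-NULL,
 * receives the capture time of the first alerting segment. */
int detect_ack_storm(const struct seg *s, size_t n, unsigned threshold, uint32_t *first_alert_ms)
{
    size_t head = 0;          /* oldest segment still inside the window */
    unsigned in_window = 0;   /* pure ACKs with t in (s[i].t_ms - 1000, s[i].t_ms] */
    int alerts = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_pure_ack(&s[i])) continue;
        in_window++;
        while (head < i && s[head].t_ms + 1000 <= s[i].t_ms) {   /* evict expired */
            if (is_pure_ack(&s[head])) in_window--;
            head++;
        }
        if (in_window > threshold) {
            if (alerts == 0 && first_alert_ms) *first_alert_ms = s[i].t_ms;
            alerts++;
        }
    }
    return alerts;
}

#define SAMPLE_BURST 300
static struct seg g_trace[4 + SAMPLE_BURST];

/* Constructed trace (assumption, not captured data): keep-alive ACKs at 0 s,
 * 5 s and 10 s, one 48-byte data segment at 2 s, and, when with_storm is set,
 * 300 forged pure ACKs at 1 ms spacing from t = 12 s, all repeating the same
 * acknowledgement number because nothing new is being acknowledged. */
static size_t build_trace(int with_storm)
{
    size_t n = 0;
    g_trace[n++] = (struct seg){     0, TCP_ACK,           0x1000, 0x2000, 0  };
    g_trace[n++] = (struct seg){  2000, TCP_ACK | TCP_PSH, 0x1000, 0x2000, 48 };
    g_trace[n++] = (struct seg){  5000, TCP_ACK,           0x1030, 0x2000, 0  };
    g_trace[n++] = (struct seg){ 10000, TCP_ACK,           0x1030, 0x2000, 0  };
    if (with_storm)
        for (unsigned k = 0; k < SAMPLE_BURST; k++)
            g_trace[n++] = (struct seg){ 12000 + k, TCP_ACK, 0x1030, 0x2000, 0 };
    return n;
}

int storm_alerts(void) { return detect_ack_storm(g_trace, build_trace(1), 100, NULL); }
int quiet_alerts(void) { return detect_ack_storm(g_trace, build_trace(0), 100, NULL); }
uint32_t storm_first_alert_ms(void)
{
    uint32_t t = 0;
    detect_ack_storm(g_trace, build_trace(1), 100, &t);
    return t;
}

int main(void)
{
    uint32_t first = storm_first_alert_ms();
    printf("storm trace: %d alerting segments, first at t=%u ms; quiet trace: %d alerts\n",
           storm_alerts(), (unsigned)first, quiet_alerts());
    return 0;
}
```

In a real sensor the trace would be keyed by the connection 4-tuple and by direction, since the flood arrives from one side only, and the threshold would be set from a baseline of the monitored links; a legitimate burst of acknowledgements during a large transfer is accompanied by data in the other direction, which this counter ignores by design.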
  27. Screenshots
  28. Windows 98 Second Edition (screenshot)
  29. Windows 2000 Server (screenshot)
  30. Windows XP Service Pack 2 (screenshot)
  31. Windows 2003 Server (screenshot)
  32. Microsoft: "... At this point, we have completed our initial investigation of this issue and have determined that the most appropriate ship vehicle to fix this issue is a Service Pack for the affected supported platforms. This decision was arrived at after weighing the seriousness of the vulnerability as well as the likelihood of exploitability. ..."
  33. References
     TCP/IP Illustrated, W. Richard Stevens
     [Advisory] http://www.securityfocus.com/bid/13215
     [Exploit] http://www.securityfocus.com/data/vulnerabilities/exploits/storm.c
     [What the Hack] http://wiki.whatthehack.org/index.php?title=Undead_Attack
  34. "Security is a process, not a product." Bruce Schneier, creator of Blowfish
  35. E-mails: Diego Protta Casati, diego-casati@inatel.br; Leandro Spínola Rodrigues, leandro-rodrigues@inatel.br
