
Denial of services : limiting the threat


Presentation by Charl van der Walt at INFO SEC Africa 2001.

The presentation begins with a case study of a DoS attack launched on a number of high profile sites by the Canadian teen "Mafiaboy". An explanation of DoS and DDoS is given. The impact of DDoS in South Africa is also discussed. The presentation ends with a series of discussions on DDoS countermeasures.

Published in: Technology

Denial of services : limiting the threat

  1. Denial of Service: Limiting the Threat
  2. Agenda
     - 1. CASE STUDY
       - Wake up call February 2000
     - 2. THE BASICS
       - Understanding the 'Net
       - Understanding DoS
     - 3. THE NEW KID ON THE BLOCK - HELLO DDoS
       - Introducing Co-ordinated Distributed Attacks
       - Profile of a typical attack
       - Common DDoS attack tools
     - 4. DEFENDING YOURSELF & YOUR FRIENDS
       - Strategies for availability
       - Join the team - global defense efforts
       - Getting greasy
     - 5. RESPONDING TO DoS ATTACKS
       - What to do when your number's up
     - 6. THE BOTTOM LINE
       - Questions & Conclusions
  3. Hi! All about me.
  4. Introduction
     - About me
     - SensePost
     - Objective
     - Approach
     - References:
       - [email_address]
       - [email_address]
     "Discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention." - Charles Tomlinson, Rudimentary Treatise on the Construction of Locks, 1850
  5. Ooh! The scary stuff
  6. February Fun
  7. February Fun
     - Major attack launched between February 7 and 14, 2000
     - Approximately 1,200 sites affected
     - Including a number of high profile sites:
       - ..., Yahoo, eBay, Amazon, Dell, ...
     - Simple bandwidth usage
     - Yahoo! attack lasted from about 10:30 a.m. till 1 p.m.
       - requests totaled roughly 1 gigabit per second
     - Canadian teen "Mafiaboy" arrested in April
       - pleads guilty to 55 charges in Montreal, November 2000
       - Faces 2 years & US$650
  8. February Fun - the aftermath
     - FBI estimates that DoS attacks during February 2000 cost $1.2 billion
     - eBay's share price fell 25% the day after its website was taken down, costing them a total of US$1.2bn. They reportedly spent US$100,000 in securing their site against further attacks.
  9. Future Imperfect - predictions 2001
     Peter G. Neumann, SRI International: "We are likely to see some organized, possibly collaborative, attacks that do some real damage, perhaps to our critical infrastructures, perhaps to our financial systems, perhaps to government systems, all of which have significant vulnerabilities."
  10. Future Imperfect - predictions 2001
     Bruce Moulton, Fidelity Investments: "Hacktivism and other cyber attacks emanating from countries with weak or non-existent legal sanctions and investigative capabilities will escalate. This is likely to be the root of at least one headline-grabbing cyber incident (much bigger than DDOS or LoveBug) that will send a loud wake-up call to the commercial sector."
  11. Future Imperfect - predictions 2001
     Marcus H. Sachs, US Department of Defense: "2001 will also see continued development of distributed denial of service attack networks. These attack networks will no longer rely on manual establishment by the attacker, but will automatically establish themselves through the use of mobile code and html scripting."
  12. The Nuts & Bolts Stuff
  13. Understanding the 'Net
  14. Understanding DoS
     - An attack that causes a service not to function as expected, thus denying the legitimate owner a fair return on investment
     "The real requirement is not quick recovery but the absence of outages." "We talk today of 'Internet Time'; the Internet does not allow for delays." - Steven J. Ross, Information Systems Control, March 2000
  15. Why do DoS?
     - Vandalism
     - Revenge
     - Political
     - Economic
     - Means of access
       - Crashed system in unpredictable state
       - As part of a spoofing attack
       - Some applications may have holes at startup
         - Firewalls
       - Keep the good guys out
       - Get stuff to run under Windows
       - Exploit startup services
         - bootp or boot-from-NIC
  16. How DoS works
     - Resource consumption
       - Local or remote
         - Disk space
         - Swap space
         - RAM
         - CPU
         - Bandwidth
         - Kernel space
         - Cache
     - System crash
       - Application error
       - Out-of-bound values
         - input, traffic etc.
         - divide by zero
       - Resource over-utilization
     - Physical DoS
  17. Classical DoS examples
     - Endless loops
       - Directory creation or nose-to-tail processes
     - Viruses & worms
     - Email bombing
     - FTP malformed user
     - IIS 3.0 "Get //"
     - Eeye buffer overflow oops
     - Flood ping
     - SYN Flood
     - Ping of Death
     - Winnuke
     - Teardrop
  18. DoS using Amplifiers - SMURF check:
  19. Revisiting SYN floods
     - TCP connection is established via a 3-way handshake
       - SYN
       - SYN/ACK
       - ACK
     - SYN flood is based on an incomplete handshake
       - SYN but no ACK
     - TCP/IP stack adds an entry in a table in kernel memory for each SYN received
       - Waits a while before deleting the entry
       - Can't accept connections when already full
     - A heavy flood can prevent legitimate connections
  20. New Kid on the block - DDoS
  21. Profile of a typical attack
     - Initiate a scan phase in which a large number of hosts (100,000 or more) are probed for a known vulnerability
     - Compromise the vulnerable hosts to gain access
     - Rootkit
     - Install the tool on each host
     - Use the compromised hosts for further scanning and compromises
     - Via automated processes a single host can be compromised in under 5 seconds
  22. Building an attack network
     - August 1999, a trinoo network of 2,200 systems used against the University of Minnesota and others
     - Assuming 3 to 6 seconds for each host, pre-selection of the target systems gives 2 - 4 hours to set up
  23. Common DDoS tools
     - Trin00
       - First generation
       - UDP flood attack
       - Hardcoded password on daemon (no crypto)
       - 1524 & 27665 tcp, 27444 & 31335 udp
       - Ported to Windows
       - Cannot spoof (couldn't)
     - Tribal Flood Network (TFN)
       - UDP flood, SYN flood, ping flood, SMURF
       - Capable of using spoofed source IPs
         - Random
       - Recent versions use Blowfish encryption on config files
       - ICMP ECHO and ICMP ECHO REPLY packets for communications
  24. Common DDoS tools
     - Stacheldraht
       - Evolved system
       - Combines TFN & Trinoo
       - Encrypted comms & auto-update
       - 16660 & 65000 tcp
       - ICMP ECHO & ICMP ECHO REPLY
     - Also:
       - Stacheldraht v2.666
       - TFN2K
       - shaft
       - mstream
  25. The challenge of DDoS
     - You may be down
     - Spoofed addresses
       - Technically difficult to trace
     - Diverse network ownership
       - You don't control the infrastructure
       - Neither does your ISP
     - Different time zones
       - Hello, is that Singapore?
     - Language
       - Sprechen Sie Deutsch? (Do you speak German?)
     - National boundaries
     - Differing legislation
     - Protecting legitimate users
       - You can't block
  26. Boom! Assessing the impact
  27. What, me worry?!
     - Loss in productivity
     - Human resources
       - Internal & external
     - Loss of reputation
     - Lost confidence
       - in your service & in e-business in general
     - Lost transaction revenue
     - Lost customer base
     - Share price manipulation
       - Shareholders, staff, working capital
     - Liability costs
  28. RSA DDoS (in the motherland)
     - JSE-listed NetActive reportedly experienced two attacks in April 2000
     - The Edcon group reportedly lost R1bn when a disgruntled programmer brought down 600 stores for a whole day
     - ...
       - January 2001
       - Classic SMURF
       - Killed the server
       - Affected all POSIX clients
  29. Whoah Cowboy!
     ..., February 2000: "The Internet has now taken a drastic 'hit' to its reliability and integrity due to the recent DDoS attacks. It is only through the cooperation and unification of all Internet users that we will find the solution - and stop DDoS from taking the Internet out from under our commerce, education, communities, and individuals." But has it really been all that bad?
  30. Pow! Fighting back
  31. DoS defense strategies
     - Think global
     - Plan for disaster
     - Clean up your act:
       - Broadcasts
       - Ingress & egress filtering
       - Host security
       - Scanning & IDS
       - Logging
     - Put pressure on your ISP:
       - Ingress & egress filtering
       - Policies & procedures
       - Logging
     - Defend yourself
     - Be honest
       - Share your experiences
  32. Ingress Filtering
     - RFC 2267
     - Filter on the 'input' device of a router
     - Eliminates source address spoofing
       - Enables us to trace the attacker
     - Restrict traffic to legitimate downstream networks
     - Should be implemented at all levels
       - CORE
       - ISP
       - Border
     - Issues:
       - Special network services:
         - Mobile IP
         - Layer 2 Tunneling
         - IPSec
         - Special source addresses
  33. Egress Filtering
     - RFC 1918
     - Outbound interface
     - Spoofed IPs (Ingress)
     - Implemented on border router
     - Deny private & reserved source IP addresses
     - Disable directed broadcasts
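The ingress and egress policies of the two slides above, as an added Python model of a border router's decision (not code from the deck or from SensePost); the site prefix, the reserved ranges and the sample packets are constructed assumptions:

```python
import ipaddress

# Constructed example: assume the site owns this (documentation-range) prefix.
SITE_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# RFC 1918 private space plus reserved ranges that are never valid source
# addresses on a public link (the egress slide says to deny these).
RESERVED_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4",          # loopback, unspecified, multicast
)]


def filter_packet(direction, src, dst):
    """Border-router verdict (verdict, reason). direction is "out"
    (site -> Internet: egress filtering) or "in" (Internet -> site: ingress)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(src in net for net in RESERVED_SOURCES):
        return "drop", "private or reserved source address (RFC 1918)"
    if direction == "out":
        # RFC 2267: nothing leaves claiming a source we do not own, so a
        # compromised host inside cannot take part in a spoofed flood.
        if src not in SITE_PREFIX:
            return "drop", "spoofed source leaving the site"
        return "permit", "egress ok"
    if src in SITE_PREFIX:
        return "drop", "our own prefix used as a source from outside"
    if dst in (SITE_PREFIX.broadcast_address, SITE_PREFIX.network_address):
        # Same effect as disabling directed broadcasts: the site cannot be
        # used as a SMURF amplifier.
        return "drop", "directed broadcast to our subnet"
    return "permit", "ingress ok"


def audit(packets):
    """Apply the policy to (direction, src, dst) tuples; return the drop count."""
    drops = 0
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        drops += verdict == "drop"
        print(f"{direction:>3} {src:>15} -> {dst:<15} {verdict:6} {reason}")
    return drops


# Constructed traffic sample: two legitimate flows and four policy violations.
SAMPLE = [
    ("out", "198.51.100.7", "203.0.113.9"),    # legitimate outbound
    ("in", "203.0.113.9", "198.51.100.7"),     # legitimate inbound
    ("out", "10.0.0.5", "203.0.113.9"),        # RFC 1918 source leaking out
    ("out", "192.0.2.77", "203.0.113.9"),      # spoofed source from a bot inside
    ("in", "198.51.100.7", "198.51.100.1"),    # outsider spoofing our own prefix
    ("in", "203.0.113.9", "198.51.100.255"),   # directed broadcast (amplifier)
]

if __name__ == "__main__":
    audit(SAMPLE)
```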
  34. Planning for disaster
     - Be convinced that the Internet is not a friendly place
     - Be prepared to detect failure (malicious or accidental)
     - Mirror critical resources
       - geographically remote from the original
     - Create transparent alternative entry points
     - Implement switching in the case of failure
       - Must be considered during the design phase
     - Analyse, plan, communicate, test
  35. DDoS - Defending yourself
     - Sufficient bandwidth
     - Redundant design
       - BGP4 routing
     - Filters @ ISP
     - Filter @ home
       - ACL
       - Rate limiting
       - Stack buffering
     - Load balance
     - Resilient platform
     - Platform optimization
       - Line speed
       - Disk space
       - Swap space
       - Kernel tables
     - Service optimization
     - Monitors & IDS
  36. Protecting web servers from DoS
     - Have redundant servers
     - Bandwidth & redundant routing
       - Consider fronting at an ISP
     - Consider a redirection site as a front-end
       - Easily move your servers around
     - Assign multiple IP addresses
     - Dynamically move requests to different IP addresses
  37. Responding to a DoS attack
     - Implement your plan
     - Shut down unnecessary services
     - Generate logs
     - Communicate
       - ISP
       - Security community
       - Law enforcement
     - Implement filters
     - Try different responses
       - ICMP reject, host not available, redirect, source quench
     - Shun via your ISP
     - Contact the middleman
     - Share your experience
  38. Getting Greasy
  39. Configuration Examples - CISCO
     - Use the ip verify unicast reverse-path command
       - checks that there is a route back to the source via the same interface on which it arrives
       - may be effective against spoofing in simple environments (like POPs)
     - Filter all RFC 1918 address space using access control lists
     - Apply ingress and egress filtering using ACLs
       - See RFC 2267
       - Can also be done with RPF under CEF
     - Use CAR to rate limit ICMP packets
     - Configure rate limiting for SYN packets
  40. Interesting other stuff
  41. Things to consider
     - The Internet is probably not your main income generator
     - There's more than one way to skin a cat
       - Physical attacks on infrastructure
       - Hardware theft
       - DNS & other upstream services
       - Viruses & other content-borne attacks
       - Get "Slashdotted"
     - Who's responsible for your family jewels?
     - It could get worse:
       - Imagine an MS-based worm attack
  42. Other possible tricks
     - IPv6
       - Should make it possible
     - Enhancements to IPv4
       - ICMP traceback message?
         - For selected packets the router sends a packet indicating the previous hop for that packet
       - Congestion control techniques
         - Too many packet drops on a particular line triggers a message to the upstream host
       - Use hashed 'cookies' instead of a connection table
       - Randomly drop pending connections when the table gets full
     - IPSec?
     - ISP injects HTTP redirects on the net on upstream paths to combat attacks
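An added simulation (not the presenter's code) contrasting the kernel connection table described on the "Revisiting SYN floods" slide with the hashed 'cookies' idea listed above: the table-based stack stops answering legitimate SYNs once the half-open entries fill it, while the cookie stack keeps no per-SYN state at all. Table size, timeout, cookie window and the sample addresses are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class BacklogServer:
    """Classic stack: one kernel-table entry per SYN, held until ACK or timeout."""
    def __init__(self, size=8, timeout=75):
        self.size, self.timeout = size, timeout
        self.pending = {}                         # (src, sport) -> expiry time
    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}
    def syn(self, now, src, sport):
        self._expire(now)
        if len(self.pending) >= self.size:
            return None                           # table full: SYN silently dropped
        self.pending[(src, sport)] = now + self.timeout
        return 1000                               # fixed ISN; not the point here
    def ack(self, now, src, sport, ack_num):
        self._expire(now)
        return self.pending.pop((src, sport), None) is not None


class CookieServer:
    """SYN cookies: no table. The ISN is a keyed hash of the peer and a coarse
    time counter; a valid ACK proves the peer really received the SYN/ACK."""
    def __init__(self, window=64):
        self.key, self.window = secrets.token_bytes(16), window
    def _mac(self, src, sport, counter):
        msg = f"{src}:{sport}:{counter}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")
    def syn(self, now, src, sport):
        counter = now // self.window
        # low 3 bits carry the counter so the ACK is checked against the right epoch
        return (self._mac(src, sport, counter) & ~0x7) | (counter & 0x7)
    def ack(self, now, src, sport, ack_num):
        isn = ack_num - 1
        for cand in (now // self.window, now // self.window - 1):   # current / previous epoch
            if (cand & 0x7) == (isn & 0x7) and \
               (self._mac(src, sport, cand) & ~0x7) == (isn & ~0x7):
                return True
        return False                              # forged or stale ACK; nothing to free


def flood_then_connect(server, flood=50, t=1):
    """Constructed scenario: `flood` spoofed SYNs at time 0 that are never
    ACKed, then one legitimate handshake starting at time t."""
    for i in range(flood):
        server.syn(0, f"203.0.113.{i % 250}", 40000 + i)
    isn = server.syn(t, "192.0.2.10", 51515)
    if isn is None:
        return False                              # SYN went unanswered
    return server.ack(t + 1, "192.0.2.10", 51515, isn + 1)
```

With the default timeout the table-based server only recovers once the half-open entries expire (t=100 succeeds), which is exactly the window a sustained flood keeps refilling.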
  43. DoS the SA way
     - The Lainsburg DoS attack:
       - Flood all Telkom manholes with water.
     - The Johnnie Walker DoS attack
       - Bribe a Telkom techie with some whiskey to disconnect a circuit.
     - The Big Boss DoS attack
       - Get a well connected person to organise a lightning strike on a Telkom DP
     - The Ford F4 DoS attack
       - Drive over a streetbox at high speed
  44. THE BOTTOM LINE
     - 1. DDoS is a global problem
     - 2. DDoS requires a global solution
     - 3. A fight on three fronts
       - Source
       - Middleman
       - Victim
     - 4. Keep your nose clean
     - 5. Plan for the worst
     - 6. Let's do it to them before they do it to us
  45. Questions?