Flooding Attacks

Flooding is a fairly self-explanatory denial of service attackan attacker attempts to consume all available network or system resources (bandwidth, TCP/UDP connections, and so on) so legitimate applications are unusable. Most everyone remembers the distributed denial of service (DDoS) attacks launched against eBay and Yahoo! in February of 2000, when DDoS first hit the public radar. Flooding attacks have been around for a while, but today have become commonplace on the Internet as more and more DoS tools have become available to script kiddies (for example, 200+ exploits, at last count, are available at http://www.packetstormsecurity.org/DoS/). The proliferation of botnets (see the upcoming sidebar) has also led to a large increase in DDoS attacks launched by armies of malware-infected zombie hosts . The intentions of DoS and DDoS attackers range all the way from organized crime extortion to simple juvenile fun.

Flooding attacks can impact your VoIP applications differently depending on the targets. For instance, launching a SYN flood against a VoIP phone is quite different than filling up all available bandwidth on the local network by flooding the entire local LAN. In the following sections, we'll demonstrate the impact of several types of DoS attacks on a VoIP call.

Botnets

A botnet is another name for a large army of compromised computers controlled by an attacker. Individual computers are initially infected by bot worms or super worms,   each of which will connect back to an attacker (usually through IRC or peer-to-peer networks) when a new infection takes place. The attacker can use the infected drone army to search out and infect other vulnerable hosts by exploiting vulnerabilities over the network (like worms do) or by sending virus attachments to random email recipients. One such example of a bot worm is AgoBot (http://en.wikipedia.org/wiki/Agobot).

The person who controls a large botnet is typically called a botherder . More and more law enforcement agencies in different countries are starting to crack down on botherders, with some fairly high profile arrests hitting the press. One such case involved the arrest and prosecution of 21-year-old Christopher Maxwell, who controlled a botnet to launch DDoS attacks on the U.S. Department of Defense, a California school district , and a Seattle hospital. Maxwell was sentenced to three years in jail (http://www. usdoj .gov/usao/waw/press/2006/may/maxwell.htm).

Some of the more sinister functions of a botnet include

• Launching DDoS attacks

• Sending spam

• Installing spyware

• Manipulating online ad revenue

• Sending phishing emails

Symantec reported detecting an average of 9,163 bot-infected computers a day in their March 2006 Threat Report (http://www. symantec .com/enterprise/threatreport/index.jsp). If you refer back to the quote at the beginning of the chapter, you'll also notice a corresponding rise in the number of DDoS attacks on the Internet during the same period. Correspondingly, botnets are the leading source of DDoS attacks on the Internet today. DDoS attacks, in general, are challenging to isolate because the source IP addresses of the botnet zombie hosts can originate from all over the world and from unpredictable source addresses (such as infected home computers).

For a good summary of botnets and bot worms, take a look at the following resources:

• http://www.honeynet.org/papers/bots/

• http://www.niscc.gov.uk/niscc/docs/botnet_11a.pdf

• http://www.nanog.org/mtg-0410/kristoff.html

Attack UDP Flooding Attacks

User Datagram Protocol (UDP) flooding is a preferred type of bandwidth flooding attack because UDP source addresses can be easily spoofed by the attacker. Spoofing often allows an attacker the ability to manipulate trust relationships within an organization to bypass firewalls and other filter devices (for example, by crafting a DoS stream to appear as a DNS response over UDP port 53).

Almost all SIP-capable devices support UDP, which makes it an effective choice of attack transport. Many VoIP devices and operating systems can be crippled if a raw UDP packet flood is aimed at the listening SIP port (5060) or even at random ports.

 Companion Web Site   Check out our website at http://www.hackingvoip.com for our udpflood tool. There are a variety of other UDP flooding tools freely available for download from the following sites to test the susceptibility of your applications and network:

• http://www.foundstone.com/resources/freetooldownload.htm?file=udpfl ood.zip

• http://packetstormsecurity.org/exploits/DoS/

Attack TCP SYN Flood Attacks

TCP SYN flood attacks subvert the TCP connection three-way handshake in order to overwhelm a target with connection management. See the background on TCP ping scanning in Chapter 2 for more on how TCP connections are set up. A standard TCP three-way handshake includes

1. The TCP client sends a SYN packet to the server.

2. The server replies with a SYN-ACK packet.

3. The client sends an ACK packet back to the server.

The actual attack typically involves the attacker sending a flood of SYN packets with spoofed source IP addresses. The victim will then respond with a SYN-ACK to the unsuspecting or nonexistent spoofed source. To complete the TCP connection, the victim is then left waiting for a period of time for the ACK packet from the spoofed source. This is the crux of the attack because the final ACK is never sent, and subsequently the victim's connection table quickly fills up and consumes all available resources with these invalid requests . The end result is that a server, phone, or router will not be able to distinguish between bogus DoS SYNs and legitimate SYNs related to actual VoIP connections.

There are a variety of tools that can launch a simple SYN flood attack, available at http://www.packetstormsecurity.org/DoS.

Attack ICMP and Smurf Flooding Attacks

The Internet Control Message Protocol (ICMP) is typically allowed through most firewalls and routers for diagnostic purposes (ping, traceroute, and so on). However, ICMP also provides the capability to send large amounts of ICMP traffic through your pipe as well. A more sinister use of ICMP traffic involves spoofing the source IP address and pinging broadcast addresses of a variety of networks that allow IP directed broadcasts. This is called a smurf attack and involves a flood of legitimate ICMP responses from these networks to the victim who was spoofed. By overwhelming the victim's network bandwidth with spurious ICMP responses, most legitimate Internet applications will sputter under the attack. See http://www.cert.org/advisories/CA-1998-01.html.

Attack Established Connection Floods (or Application Flooding Attacks)

This type of attack is covered in much more detail in Chapter 12, which covers VoIP application-level DoS attacks in more detail. Essentially, an established connection flood is an evolution of the TCP SYN flood attack, but a full connection is made to the targeted service or device and then quickly torn down. This attack may go even further to make an actual application request to try to overwhelm the target. In the case of a target web server, this could take the form of thousands of botnet zombie hosts hammering away at a web server with legitimate GET requests. For a SIP PBX, it could take the form of thousands of REGISTER/INVITE/BYE requests received at the same time, overwhelming the incoming connection queue. Or conversely for a SIP client, this attack could take the form of thousands of bogus incoming calls rendering your phone useless.

Attack Worm and Virus Oversubscription Side Effect

Oversubscription simply means your applications' bandwidth needs have exceeded your network's capabilities. This can occur from any number of flooding DoS attacks or poor QoS management. However, worm and virus outbreaks within your network can easily consume all available bandwidth as a side effect of scanning for other vulnerable hosts to infect. Even just a few worm-infected machines within an organization can clog all available bandwidth with the spurious traffic spewing from the victims.

Attack QoS Manipulation with Targeted Flooding

A much more advanced type of flooding attack involves subverting the quality of service mechanisms within a network in order to degrade VoIP applications. Assuming that an organization's QoS technologies are configured to prioritize RTP traffic over all other traffic, this normally means that a simple internal flooding attack would be mostly ineffective . However, if an attacker can flood a phone, proxy, or PBX with legitimate-looking RTP traffic, the QoS mechanisms would be unable to determine which conversations are bogus and which ones are real and deserve network priority. Depending on the QoS mechanism being applied, it may also be necessary for the attacker to know two actively talking parties in order to spoof the proper ports and sequence numbers .