12.3 Unix Denial-of-Service Attacks

Overall, these attacks are easy to prevent. However, their power should not be underestimated ”attackers who have gained root privileges can do whatever they want to the system, and the boring /bin/rm -rf / does much more damage than any kind of fancy network packet manipulation. Sometimes bugs in programs can give attackers the ability to cause damage without having root privileges. For example, a buffer overflow attack might crash the service, and abusing SUID binaries can corrupt root-owned files such as /etc/passwd or /etc/shadow . In the case of buffer overflows, if the shell code is incorrect or not used at all, the attack will crash the application without giving the attacker any additional access rights. Some of the resource starvation attacks covered later in this chapter, such as filling the /tmp partition, prevent applications from starting or cause Unix to crash. Also, sometimes bugs in systems (such as the well-known process-kill bug in Linux) allow users to kill the processes owned by others.

Buggy applications are known to crash without any malicious influence. However, with a little help from creative intruders, they do it much more willingly. Examples of this are plentiful; for example, using a device name (such as /dev/null ) in certain contexts causes some versions of Netscape browsers to crash. Other applications, and even the entire system, can also be frozen. For example, cat /dev/urandom is reported to cause crashes.

12.3.1.2 Resource exhaustion

Rogue processes can consume the resources of a computer system. Using too much memory, disk space, and CPU cycles and filling kernel process tables and other data structures severely hinders the operation of a Unix system.

Classic resource attacks include the following examples:

Disk overflow

While Unix partitions often have 10% of emergency space available only to root, the attacker can cause the disk to overflow by making a root-owned process fill the disk for him. For instance, sending too many faked syslog messages makes syslog fill the /var partition. If Unix is installed in one partition (admittedly, not a recommended best practice, but the one often followed by novice users), the system can thus be rendered unusable.

In fact, it might not be necessary to fill the entire disk. Simply creating a large number of files exhausts all the inodes and renders the filesystem unusable. A famous attack script that creates recursive directories uses this principle. These directories occupy little space, but because there are so many of them, the partition fills.

Memory overflow

Simply making a user program allocate a generous chunk of memory can cause problems. While a well-configured Unix system will not crash because of this, other applications might run slowly, especially if both physical memory and swap space (virtual memory on a disk drive) are exhausted. This attack is sometimes referred to as a "malloc bomb," due to the name of the system call that allocates memory.

CPU hogging

It is extremely difficult for a program to hog CPU resources because of the preemptive multitasking used by modern Unix-based operating systems. However, some of us are old enough to remember playing a game called Rogue (later usurped by Nethack) on university PDP-1170 and VAX systems running Berkeley distributions from the early 1980s. Rogue was a graphical Unix equivalent of the Dungeons and Dragons ¢ fantasy game, and it was highly addictive . Unfortunately, simply by playing Rogue, a nonprivileged user could thrash an entire university system by consuming 95% of processor time. We fondly remember the network administrator jumping up and down, cursing like a sailor and swearing to God that we had hacked his root ”which of course we had not. So, excusing the pun, Rogue was the ultimate example of a rogue application.

12.3.1.3 Filling kernel data structures

Another way to attack a Unix system is to fill the kernel data structures. The famous "fork bomb" (which can be written in many languages, from C to shell script) is an example of this strategy. Example 12-2 shows the shortest fork bomb known (in bash shell script). It's a fork bomb bash from http://www.voltronkru.com/library/fork.html. Recursive directory creation can be used to disable or slow down the system just as effectively. It uses up all available inodes (usually defined at kernel compile time).

Example 12-2. An elegant shell script fork bomb

:(  ){ ::&};:

    int main(  )

{

while(1)

{

fork(  );

}

}

while : ;

mkdir .xxx

cd .xxx

done

Unix is often not configured by default to withstand resource starvation attacks. However, using resource limits (available in many Unix flavors), you can build an effective defense against users attempting to access all available resources. Disk quotas, memory limits, and file limits can go a long way toward preventing these attacks. It is worth noting, however, that these imposed limits most likely will not stop a resource allocation attack launched by root.

One last class of attack we'd like to mention here involves using the security measures of the system owners . While Unix is rarely configured with account expiration (unlike Windows NT), if such a feature is enabled it can be used to lock the user out of the system just by trying incorrect username/password combinations.

12.3.2 Network Attacks

The field of network DoS is extremely rich and varied, ranging from the now common SYN floods to sophisticated distributed denial-of-service attacks. Since examples of classic network DoS attacks are covered extensively elsewhere in the security literature, we concentrate on the mechanics of the attacks themselves .

Network attacks can be loosely categorized as application crashing or resource consumption . However, in the case of network attacks, the attacker can consume both host and network resources. SYN flooding is an example of the former, while UDP or ICMP flooding is an example of the latter.

Consuming network resources simply involves flooding the network pipe; i.e., sending the victim so much extra traffic that normal traffic cannot get through. Any kind of IP packet can be used to fill the pipe. In addition, the source addresses of the packets are often spoofed. Sometimes third parties also add to the flood ”below, we consider reflexive DoS attacks in which the attacker sends traffic to some systems that in turn flood the victim (usually without violating any TCP/IP standards). The smurf or ICMP broadcast attack is the simplest example of a reflexive DoS attack.

Consuming host resources sometimes requires more ingenuity than just sending enough traffic. A SYN flood sent over a relatively slow line can bring the victim system to a crawl. Host resources can rapidly be consumed if the system has to perform an expensive operation for each connection or even for each arriving packet, i.e., an operation that requires a lot of CPU, memory, or some kernel data structure resources). SYN flooding, for instance, requires the system to keep a table entry for each arrived SYN packet, since it potentially indicates the beginning of a new connection. Unix OS vendors currently use various tricks to mitigate the effects of SYN floods, such as Linux's SYN-cookies.

Reassembling packet fragments is another operation that puts a heavy load on the victim computer. If IP datagrams are sent in fragmented form, the system has to reassemble them before passing them on to higher levels in the stack (such as to the TCP or UDP layer). Another group of resource consumption attacks works due to a particular quirk in certain TCP/IP stack implementations. Some systems, especially those with substandard networking, have been known to crash or overload upon receiving abnormal network packets.

The majority of DoS attacks are in the category of remote OS or application crashing . Application-level network DoS attacks could involve mail bombing or web flooding. The former consists simply of sending many large email messages to the target email address, thus overloading email servers, storage, and network pipes. Web flooding is a relative newcomer to the DoS party. Recently, the World Economic Forum web site was brought down by hacktivists who simultaneously reloaded web pages using their browsers, running one version of a malicious applet. On the other side of the DoS spectrum, remotely sending spoofed syslog messages can cause a disk overflow and (for a badly configured systems) a subsequent crash.

In the rest of this section, we'll briefly outline some of the popular network DoS attacks seen on the Internet.

Smurfing saturates the network connection of a victim by recruiting the help of multiple machines willing to respond to a broadcast. To successfully smurf, one has to find a network willing to amplify the attack through misconfiguration. However, similar attacks are possible via any network system that can send a response larger than a request (i.e., can work as an amplifier). Acting as an amplifier involves trusting the IP address of the sending party to send a request back ”i.e., to be vulnerable to IP spoofing.

Even DNS queries are reported to cause denial-of-service conditions if the requests are spoofed with a victim's address. The intermediate DNS server happily responds to the victim, thereby flooding it. If many DNS servers are queried, the result is a reflexive DoS attack , a relatively new breed that is extremely difficult to defend against. More information on those and other attacks are provided in the next section.

The land attack , which is only of historic interest, consists of sending a packet with an identical source and destination. It used to crash many TCP/IP stacks, especially in early Windows versions.

IP fragmentation abuse is represented by the teardrop attack . Fragments with a corrupted offset sent by the attacker are used to crash Linux and Windows machines. A variety of DoS attacks with names such as bonk , boink , and newtear also use improper fragmentation handling.

The ping of death is the granddaddy of many network DoS attacks. The ping of death is simply an oversized ping packet (65,536 bytes instead of the normal 28 bytes) that used to crash very old Unix TCP stack implementations. A buffer overflow in the stack source code was to blame for this once lethal attack.

Many other DoS tools exist, from plain TCP flooders to more exotic ones such as puke (which sends ICMP unreachable packets, thus attempting to reset connections of the target host) and jolt (which kills windows machines by sending deformed and fragmented packets). Even peaceful Internet Gateway Message Protocol (IGMP) packets have been recruited for network warfare ; tools exist to send oversized IGMP packets that can crash Windows.

The ultimate creations of the point-to-point (i.e., nondistributed) DoS are the multiDoS kits such as spike , 7plagues , targa , or datapool . A kit combines various DoS attacks that can be launched against multiple addresses in random order. The datapool tool (with 106 attacks packaged together) actually remembers which attacks worked against a host and next time only runs those, saving some bandwidth for the attacker.

Network DoS attacks are by no means a thing of the past; there are still enough vulnerable machines deployed on the Internet for the attackers to have their share of "fun," and new exploits arise every day.

12.3.3 Distributed Denial-of-Service Attacks

The road to fame for distributed denial-of-service (DDoS) attacks started in 1999, when the first rumors of massive "attack zombie" deployments appeared. However, it was not until February 2000 that DDoS became a household word. On February 6 and 7 of 2000, floods of packets from multiple sources hit many popular sites such as Yahoo!, eBay, Amazon, and CNN. The floods overloaded the sites and they either became unavailable or slowed to a crawl.

Dave Dittrich from Washington University has analyzed most of the DDoS tools that have surfaced so far. Here we present a short overview of DDoS toolkits seen in the "wide wild web."

Trinoo is an early DDoS kit that consists of a set of zombies that are deployed on multiple machines, usually hacked via some exploit. A master program controlled by an attacker commands the zombies. The master sends commands to the zombies in order to start flooding the victim with (in the case of Trinoo) UDP packets. Trinoo did not used source spoofing; thus, the zombies are easy to find.

TFN (Tribal Flood Network) is a similar tool that can flood in UDP and TCP SYN ( causing a SYN flood, which is more damaging to the victim than a UDP flood) or ICMP echo flood (also dangerous). Its ICMPs can also send to broadcast addresses, thus enhancing the attack with smurf amplification. The kit does have some bugs that limit its control functionality. However, the tools use spoofed source addresses. Thus, the zombies are relatively safe, since the UDP packets seem to originate elsewhere.

TFN2K (a newer version of TFN) sends all the above attacks at once, with spoofed sources. In this toolkit, the authors first implemented an encrypted control channel that uses TCP, UDP, or ICMP to give commands to the zombies. While the commands were found to have a unique signature that simplified detection, the encrypted communication is more stable than the plain-text one.

Stacheldraht (German for barbed wire) is another tool with features similar to TFN2K. Newer versions have added several more attacks, such as TCP ACK flood (only the ACK bit is set, so it might pass through a badly configured firewall), TCP NUL flag (no flags set), and improved ICMP flooding with smurf support. Also, the author has worked on quality control and the software has fewer bugs than its predecessors. It also uses spoofed packets in all protocols. However, by the time the tool appeared, the techniques to trace spoofed floods had been perfected and the zombies could be found quickly. Such tracing usually involves hop-by-hop tracing from ISP to higher-level ISP, until the source is found.

Several other tools have been found as well. Shaft , for example, can send a mix of UDP, TCP SYN, and ICMP floods. Mstream is designed to send an ACK flood with spoofed addresses. The reason that ACK floods are more effective than, say, UDP floods is that they elicit multiple responses, thus increasing bandwidth consumption and stress on the host resources.

12.3.3.1 Coordinated and reflexive denial-of-service attacks

In addition to "regular" distributed DoS, there are two DoS variations called coordinated denial of service and reflexive denial of service . Coordinated DoS simply involves a great many people simultaneously doing something otherwise considered nonmalicious, such as pressing the Refresh button on their browsers (as in the previously described attack on the WEF web site). This causes software to request the pages from the server. If many people do it at the same time, the server gets overloaded and might crash or slow down. The attack is virtually impossible to differentiate from normal traffic that has peaked for whatever benign reasons.

In a reflexive DoS attack, a mild DoS flood is sent toward an intermediate victim with the spoofed source address of the true victim. The responses go straight to the victim. If several (or as many as available) hosts start to respond to the victim via an otherwise harmless protocol, a flood occurs and eats up all of the victim's available bandwidth. Reflexive Dos is difficult to trace. Basically, reflexive DoS attacks can be traced to its origin, in a manner similar to tracing a spoofed DDos attack. However, the search will lead not to a zombie, but to a machine that is simply doing its job by responding to requests.

12.3.3.2 Application-level denial-of-service attacks

Unix applications can be used for denial-of-service attacks as well. Mail bombing, which originated on Unix, is still a threat. If someone decided to send a number of multimegabyte attachments to your unfiltered server, it might block your email service, block other network services, or even cause the system to crash (especially if the same partition is used for /tmp , where the system often expects to see some free space, and /var , where the mail is stored). Coordinated DoS using a web browser is another example of a web application DoS.