Flooding Attacks

Flooding is a fairly self-explanatory denial of service attack: an attacker attempts to consume all available network or system resources (bandwidth, TCP/UDP connections, and so on) so legitimate applications are unusable. Most everyone remembers the distributed denial of service (DDoS) attacks launched against eBay and Yahoo! in February of 2000, when DDoS first hit the public radar. Flooding attacks have been around for a while, but today have become commonplace on the Internet as more and more DoS tools have become available to script kiddies (for example, 200+ exploits, at last count, are available at http://www.packetstormsecurity.org/DoS/). The proliferation of botnets (see the upcoming sidebar) has also led to a large increase in DDoS attacks launched by armies of malware-infected zombie hosts. The intentions of DoS and DDoS attackers range all the way from organized crime extortion to simple juvenile fun.

Flooding attacks can impact your VoIP applications differently depending on the targets. For instance, launching a SYN flood against a VoIP phone is quite different than filling up all available bandwidth on the local network by flooding the entire local LAN. In the following sections, we'll demonstrate the impact of several types of DoS attacks on a VoIP call.

Botnets

A botnet is another name for a large army of compromised computers controlled by an attacker. Individual computers are initially infected by bot worms or super worms, each of which will connect back to an attacker (usually through IRC or peer-to-peer networks) when a new infection takes place. The attacker can use the infected drone army to search out and infect other vulnerable hosts by exploiting vulnerabilities over the network (like worms do) or by sending virus attachments to random email recipients. One such example of a bot worm is AgoBot (http://en.wikipedia.org/wiki/Agobot).

The person who controls a large botnet is typically called a botherder. More and more law enforcement agencies in different countries are starting to crack down on botherders, with some fairly high profile arrests hitting the press. One such case involved the arrest and prosecution of 21-year-old Christopher Maxwell, who controlled a botnet to launch DDoS attacks on the U.S. Department of Defense, a California school district, and a Seattle hospital. Maxwell was sentenced to three years in jail (http://www.usdoj.gov/usao/waw/press/2006/may/maxwell.htm).

Some of the more sinister functions of a botnet include

  • Launching DDoS attacks

  • Sending spam

  • Installing spyware

  • Manipulating online ad revenue

  • Sending phishing emails

Symantec reported detecting an average of 9,163 bot-infected computers a day in their March 2006 Threat Report (http://www.symantec.com/enterprise/threatreport/index.jsp). If you refer back to the quote at the beginning of the chapter, you'll also notice a corresponding rise in the number of DDoS attacks on the Internet during the same period. Correspondingly, botnets are the leading source of DDoS attacks on the Internet today. DDoS attacks, in general, are challenging to isolate because the source IP addresses of the botnet zombie hosts can originate from all over the world and from unpredictable source addresses (such as infected home computers).

For a good summary of botnets and bot worms, take a look at the following resources:

  • http://www.honeynet.org/papers/bots/

  • http://www.niscc.gov.uk/niscc/docs/botnet_11a.pdf

  • http://www.nanog.org/mtg-0410/kristoff.html


Attack: UDP Flooding Attacks

Popularity: 8
Simplicity: 9
Impact: 8
Risk Rating: 8

User Datagram Protocol (UDP) flooding is a preferred type of bandwidth flooding attack because UDP source addresses can be easily spoofed by the attacker. Spoofing often lets an attacker manipulate trust relationships within an organization to bypass firewalls and other filter devices (for example, by crafting a DoS stream to appear as a DNS response over UDP port 53).

Almost all SIP-capable devices support UDP, which makes it an effective choice of attack transport. Many VoIP devices and operating systems can be crippled if a raw UDP packet flood is aimed at the listening SIP port (5060) or even at random ports.

Companion Web Site: Check out our website at http://www.hackingvoip.com for our udpflood tool. There are a variety of other UDP flooding tools freely available for download from the following sites to test the susceptibility of your applications and network:

  • http://www.foundstone.com/resources/freetooldownload.htm?file=udpflood.zip

  • http://packetstormsecurity.org/exploits/DoS/

Attack: TCP SYN Flood Attacks

Popularity: 8
Simplicity: 9
Impact: 8
Risk Rating: 8

TCP SYN flood attacks subvert the TCP connection three-way handshake in order to overwhelm a target with connection management. See the background on TCP ping scanning in Chapter 2 for more on how TCP connections are set up. A standard TCP three-way handshake includes

  1. The TCP client sends a SYN packet to the server.

  2. The server replies with a SYN-ACK packet.

  3. The client sends an ACK packet back to the server.

The actual attack typically involves the attacker sending a flood of SYN packets with spoofed source IP addresses. The victim will then respond with a SYN-ACK to the unsuspecting or nonexistent spoofed source. To complete the TCP connection, the victim is then left waiting for a period of time for the ACK packet from the spoofed source. This is the crux of the attack because the final ACK is never sent, and subsequently the victim's connection table quickly fills up and consumes all available resources with these invalid requests. The end result is that a server, phone, or router will not be able to distinguish between bogus DoS SYNs and legitimate SYNs related to actual VoIP connections.

There are a variety of tools that can launch a simple SYN flood attack, available at http://www.packetstormsecurity.org/DoS.
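The half-open condition described above can be spotted from the defender's side by tracking which SYNs never receive their completing ACK. The following detection sketch is an added example, not code from the book; the event tuple format, the function names, the thresholds, and the sample capture (documentation address ranges) are all assumptions constructed for illustration.

```python
from collections import defaultdict

def find_syn_floods(events, now, ack_timeout=3.0, threshold=10):
    """events: (time, src_ip, src_port, dst_ip, dst_port, flags) tuples, where
    flags is "S" (client SYN), "A" (handshake-completing ACK) or "R" (RST)."""
    pending = {}                  # connection 4-tuple -> time the SYN arrived
    completed = defaultdict(int)  # listener -> number of finished handshakes
    for t, src, sport, dst, dport, flags in events:
        conn = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(conn, t)   # a retransmitted SYN keeps its first timestamp
        elif flags in ("A", "R") and conn in pending:
            del pending[conn]
            if flags == "A":
                completed[(dst, dport)] += 1
    # Anything still pending past the timeout is a half-open entry on the listener.
    stale = defaultdict(list)
    for (src, sport, dst, dport), t in pending.items():
        if now - t >= ack_timeout:
            stale[(dst, dport)].append(src)
    alerts = {}
    for listener, sources in stale.items():
        if len(sources) >= threshold:
            total = len(sources) + completed[listener]
            alerts[listener] = {
                "half_open": len(sources),
                "completed": completed[listener],
                "distinct_sources": len(set(sources)),
                "completion_ratio": round(completed[listener] / total, 2),
            }
    return alerts

def sample_events():
    """Constructed capture summary for a SIP-over-TCP listener and a web server."""
    ev = []
    for i in range(3):    # three legitimate clients finish the handshake
        ev.append((0.1 * i, f"192.0.2.{50 + i}", 40000 + i, "192.0.2.10", 5060, "S"))
        ev.append((0.1 * i + 0.05, f"192.0.2.{50 + i}", 40000 + i, "192.0.2.10", 5060, "A"))
    for i in range(40):   # 40 SYNs from varied sources that are never acknowledged
        ev.append((1.0 + 0.01 * i, f"198.51.100.{i + 1}", 1024 + i, "192.0.2.10", 5060, "S"))
    ev.append((1.2, "192.0.2.60", 41000, "192.0.2.20", 80, "S"))
    ev.append((1.25, "192.0.2.60", 41000, "192.0.2.20", 80, "A"))
    return ev

if __name__ == "__main__":
    for listener, stats in find_syn_floods(sample_events(), now=10.0).items():
        print(listener, stats)
```

A low completion ratio combined with many distinct sources is the signature of spoofed SYNs; a single misbehaving client would show few distinct sources instead.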

Attack: ICMP and Smurf Flooding Attacks

Popularity: 6
Simplicity: 9
Impact: 7
Risk Rating: 7

The Internet Control Message Protocol (ICMP) is typically allowed through most firewalls and routers for diagnostic purposes (ping, traceroute, and so on). However, ICMP can also be used to send large amounts of traffic through your pipe. A more sinister use of ICMP traffic involves spoofing the source IP address and pinging broadcast addresses of a variety of networks that allow IP directed broadcasts. This is called a smurf attack and involves a flood of legitimate ICMP responses from these networks to the victim who was spoofed. By overwhelming the victim's network bandwidth with spurious ICMP responses, most legitimate Internet applications will sputter under the attack. See http://www.cert.org/advisories/CA-1998-01.html.

Attack: Established Connection Floods (or Application Flooding Attacks)

Popularity: 5
Simplicity: 8
Impact: 6
Risk Rating: 6

This type of attack is covered in much more detail in Chapter 12, which covers VoIP application-level DoS attacks. Essentially, an established connection flood is an evolution of the TCP SYN flood attack, but a full connection is made to the targeted service or device and then quickly torn down. This attack may go even further to make an actual application request to try to overwhelm the target. In the case of a target web server, this could take the form of thousands of botnet zombie hosts hammering away at a web server with legitimate GET requests. For a SIP PBX, it could take the form of thousands of REGISTER/INVITE/BYE requests received at the same time, overwhelming the incoming connection queue. Or conversely for a SIP client, this attack could take the form of thousands of bogus incoming calls rendering your phone useless.

Attack: Worm and Virus Oversubscription Side Effect

Popularity: 10
Simplicity: 10
Impact: 7
Risk Rating: 9

Oversubscription simply means your applications' bandwidth needs have exceeded your network's capabilities. This can occur from any number of flooding DoS attacks or poor QoS management. However, worm and virus outbreaks within your network can easily consume all available bandwidth as a side effect of scanning for other vulnerable hosts to infect. Even just a few worm-infected machines within an organization can clog all available bandwidth with the spurious traffic spewing from the victims.

Attack: QoS Manipulation with Targeted Flooding

Popularity: 2
Simplicity: 2
Impact: 6
Risk Rating: 3

A much more advanced type of flooding attack involves subverting the quality of service mechanisms within a network in order to degrade VoIP applications. Assuming that an organization's QoS technologies are configured to prioritize RTP traffic over all other traffic, this normally means that a simple internal flooding attack would be mostly ineffective. However, if an attacker can flood a phone, proxy, or PBX with legitimate-looking RTP traffic, the QoS mechanisms would be unable to determine which conversations are bogus and which ones are real and deserve network priority. Depending on the QoS mechanism being applied, it may also be necessary for the attacker to know two actively talking parties in order to spoof the proper ports and sequence numbers.

Flooding Attack Countermeasures

There are a slew of approaches to defending against the variety of DoS and DDoS flooding attacks. It's important to keep in mind that there is no one silver bullet to completely eliminate your susceptibility to DoS and DDoS attacks. Your best bet is to adopt a defense-in-depth approach to protecting your VoIP-dependent devices, network components, and servers.

Countermeasure: Quality of Service Solutions

From the variety of QoS solution approaches implemented today, the most common is called DiffServ for differentiated services. Using the DiffServ approach, network packets are tagged according to their priority generally based on the type of application they are. Network devices are then able to manage how they deliver and prioritize these incoming packets. For example, RTP packets would generally receive a higher network priority as compared to email or P2P traffic.

The packet priorities can be tagged in a couple of ways. The differentiated services code point (DSCP) is applied at the IP layer. Equally effective and more commonly used at the MAC layer are IEEE standards 802.1P and 802.1Q. (VLAN tagging is discussed in detail in Chapter 5; also see http://standards.ieee.org/getieee802/.) 802.1P defines a scheme for prioritizing network traffic, and the 802.1Q (VLAN) header contains the 802.1P field, so you need VLANs to implement QoS with 802.1P.
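To see where the two markings live on the wire, the following parser reads the 802.1P priority and VLAN ID from the 802.1Q tag and the DSCP from the IPv4 header. It is an added example, not code from the book; the function names and the sample frames are constructed for illustration, and DSCP 46 (Expedited Forwarding) with priority 5 is assumed as a typical voice marking.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def parse_qos_markings(frame: bytes) -> dict:
    """Return the layer 2 (802.1P) and layer 3 (DSCP) priority markings of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype, = struct.unpack_from("!H", frame, 12)
    offset = 14
    pcp = vlan_id = None          # an untagged frame has no 802.1P field at all
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp = tci >> 13           # 802.1P priority: top 3 bits of the tag control field
        vlan_id = tci & 0x0FFF    # VLAN ID: low 12 bits
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        dscp = frame[offset + 1] >> 2   # DSCP: top 6 bits of the second IPv4 header byte
    return {"pcp": pcp, "vlan_id": vlan_id, "dscp": dscp}

def build_frame(dscp, vlan_id=None, pcp=0):
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + IPv4 + UDP headers only."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 16384, 16384, 8, 0)
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

if __name__ == "__main__":
    print(parse_qos_markings(build_frame(46, vlan_id=100, pcp=5)))  # tagged voice frame
    print(parse_qos_markings(build_frame(46)))                      # same packet, untagged
```

The untagged case shows the dependency stated above: the IP-layer DSCP survives without a VLAN, but there is no 802.1P priority to read unless the 802.1Q header is present.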

Countermeasure: Anti-DoS/DDoS Solutions

There is an entire security market devoted to DoS and DDoS mitigation. Most of these vendors sell appliances that can be deployed at the perimeter as well as at the core of your network. These appliances are able to detect and either block or rate-limit an active DoS or DDoS attack. Some of these vendors include

  • Arbor Networks   http://www.arbor.net

  • Captus Networks   http://www.captus.com

  • Mazu Networks   http://mazunetworks.com

  • Mirage Networks   http://www.miragenetworks.com

  • Riverhead Technologies (acquired by Cisco)   http://www.cisco.com/en/US/netsol/ns480/networking_solutions_sub_solution_home.html

  • SecureLogix   http://www.securelogix.com

  • TippingPoint   http://www.tippingpoint.com

  • TopLayer   http://www.toplayer.com

Countermeasure: Harden the Network Perimeter

Much of your preexisting network equipment can be configured to resist the most basic DoS and DDoS techniques that attackers use. Each vendor's equipment is different, however. For some great pointers to Cisco-specific recommendations, check out "Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks" at http://www.cisco.com/warp/public/707/newsflash.html. Other vendors have similar documents and guides, most often found online in support forums. Although the guidelines in the aforementioned document are specific to Cisco devices, they generally apply to most organizations regardless of networking vendor. Some of the guidelines include such things as ingress and egress filtering, SYN rate limiting, and ICMP blocking to name a few.

Countermeasure: Hardening VoIP Phones and Servers

Hardening your VoIP phones and servers includes some very basic across-the-board recommendations regardless of the particular vendor:

  • Change the default passwords and remove all guest and nonauthenticated accounts.

  • Disable unnecessary services (telnet, HTTP, and so on).

  • Ensure the device or operating system is up-to-date with the latest patches and/or firmware.

  • Develop a strategy for keeping up-to-date with patches.

Countermeasure: VLANs

Virtual LANs (VLANs) are used to segment network domains logically on the same physical switch. Many switches support the ability to create several VLANs on the same switch, which is a helpful component for protecting your core VoIP servers and devices against the typical DoS traffic threats that plague most traditional data networks, such as worms and viruses. However, it is not feasible to segment your entire VoIP infrastructure from the traditional data network, in part because of many shared dependencies on the underlying infrastructure such as DNS, DHCP, TFTP, and so on. Softphone VoIP applications that run on a user's desktop also make it challenging to separate your VoIP applications logically from the data network because a user's desktop typically needs to be able to reach most of the network resources on your traditional data network (email, file servers, and so on).



Hacking Exposed VoIP. Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158
