Denial of Service Attack Index

Here is a comprehensive index of recent and old DoS attacks; each is fully documented. The fields provided and their significance are as follows:

Filename. The filename provided is the one by which the attack is most well known. However, as people distribute exploit code, different people name the file different things. There are various reasons for this, but the most common is to hide the exploit code from system administrators: because administrators generally know the filenames of such tools, crackers rename them.

Author. In this field you often see aliases or email addresses instead of real names. In the index, I have made every good-faith effort to obtain the name, email address, or alias of each program's original author. If you authored one of the following programs and credit has erroneously been given to some other party, please contact Sams and let them know.

Location. This is the location of the source code for the exploit. From this URL you can download the source and test it on your own machine.

Background. The Background field denotes locations where further documentation can be found. This usually points to an article or mailing list posting that details the attack's chief characteristics.

Build Operating System. This field indicates either the platform the attack code was written on or the operating system that will successfully run the code.

Target Operating System. This field indicates the platform that can be successfully attacked using the source code found at the Location.

Impact. This field briefly describes the effect of an attack using the source code.

Fix. This field points to URLs that hold patches or workarounds.

Recent DoS Attacks

Smurf
Filename: smurf.c
Author: TFreak
Location: http://www.rootshell.com and search for "smurf"
Background: http://www.cert.org/advisories/CA-1998-01.html
Build Operating System: UNIX
Target Operating System: Any system. The victim is whichever host's address is spoofed; any network that answers ICMP echo requests sent to its broadcast address serves as the amplifier.
Impact: Causes denial of service via ICMP echo requests with a spoofed source address sent to a network broadcast address. Every host on that network replies to the spoofed victim, so each request is amplified by the number of responding hosts.
Fix: Disable IP directed broadcasts on the router and configure operating systems not to respond to packets sent to IP broadcast addresses.

Fraggle
Filename: fraggle.c
Author: TFreak
Location: http://www.rootshell.com and search for "fraggle"
Background: Smurf with a UDP twist; see the rootshell entry.
Build Operating System: UNIX
Target Operating System: Any system that responds to UDP data.
Impact: Causes denial of service by making systems on a broadcast network send UDP replies (typically from the echo service on port 7) to a spoofed target.
Fix: Disallow unused ports on the firewall and configure network equipment and operating systems not to respond to UDP broadcasts.

The following flood attacks are general mechanisms that are still common today, even though the technique has been available for quite some time.

ICMP Flood
Filename: pingflood.c
Author: Various
Location: http://www.rootshell.com and search for "pingflood"
Background: http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm
Build Operating System: UNIX
Target Operating System: Various
Impact: Denial of service via network bandwidth overutilization.
Fix: Block or rate-limit ICMP traffic at the firewall and at the operating system. Bear in mind that a blanket block of all ICMP also drops the messages that path MTU discovery depends on, so rate-limiting echo traffic is usually preferable. Monitor the network for attack signatures.

SYN Flood
Filename: synflood.c
Author: Various
Location: http://www.rootshell.com and search for "synflood"
Background: http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm and http://www.niksula.cs.hut.fi/~dforsber/synflood/result.html
Build Operating System: UNIX
Target Operating System: Various
Impact: Denial of service as the target system exceeds its maximum number of half-open (SYN_RECEIVED) connections in the listen queue and begins dropping legitimate connection requests.
Fix: Configure the operating system to allow a larger queue of half-open connections and a shorter timeout for them, and enable SYN cookies where the operating system supports them. Note that a larger queue only buys time: the attacker's cost per spoofed SYN is far lower than the victim's cost per queued connection. Monitor the network for attack signatures.
UDP Flood
Filename: udpflood.tgz
Author: Various
Location: http://www.rootshell.com and search for "udpflood"
Background: http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm
Build Operating System: UNIX
Target Operating System: Various
Impact: Denial of service as the target system receives more traffic than it can handle at one time.
Fix: Disallow unneeded UDP traffic and services on the firewall and operating systems. Monitor the network for attack signatures.

Historical List of Well-Known DoS Attacks

The following attacks are early, well-known and well-documented denial of service attacks. The vulnerabilities that allow most of these attacks to succeed have been fixed in newer versions of operating systems, but many organizations still have older, unpatched systems around. If you are responsible for securing a network, make sure you cover these bases. Fixes are available for all of these attacks and should be understood and implemented. Take a moment now to run through the following attacks to see whether you're vulnerable. Most are easily fixed. For more information about past and present denial of service attacks organized by operating system, software and device, see "The DoS Database," http://www.attrition.org/security/denial/.

Teardrop
Filename: teardrop.c
Author: route@infonexus.com
Location: http://www.rootshell.com and search for "teardrop"
Background: See the source and comments.
Build Operating System: UNIX
Target Operating System: Windows 95 and Windows NT
Impact: Overlapping IP fragments, whose offsets the target's reassembly code does not validate, lock up the target.
Fix: Search for "teardrop" in the knowledge base at http://support.microsoft.com/

Teardrop was an early denial of service attack that spawned several variants. It set the stage for many new denial of service attacks and approaches to denial of service tool creation.
Bonk, Boink Attacks
Filename: bonk.c, boink.c
Author: The people at ROOTSHELL.COM
Location: http://rootshell.com/ and search for "bonk" or "boink"
Background: See source.
Build Operating System: UNIX
Target Operating System: Windows 95 and Windows NT. Patched and later versions are unaffected.
Impact: Crashes any unpatched Windows 95 or NT box. It is basically a modified version of the Teardrop code previously written by route@infonexus.com; the malformed packet carries a fragment offset that is greater than the header length.

Newtear Attack
Filename: newtear.c
Author: route@infonexus.com (Michael Schiffman)
Location: http://www.rootshell.com/ and search for "newtear"
Background: See source.
Build Operating System: Linux, BSD
Target Operating System: Windows 95, or Windows NT before SP3. Windows 2000 is not affected.
Impact: A variation of Teardrop that blue-screens the target; the system crashes.
Fix: Search for "modified teardrop" in the Knowledge Base at http://support.microsoft.com/.

INETINFO.EXE Attack
Filename: inetinfo, inetinfo.c, inetinfo.pl
Author: Bob Beck; also Chris Bayly and Evan L. Carew
Location: http://www.rootshell.com and search for "inetinfo"
Background: http://support.microsoft.com/support/kb/articles/q160/5/71.asp
Build Operating System: UNIX, others
Target Operating System: Windows NT 4.0. SP3 and later, and Windows 2000, are unaffected.
Impact: Arbitrary text sent to ports 135 and 1031 kills IIS (inetinfo.exe).

Jolt
Filename: jolt.c
Author: Jeff W. Roberson
Location: http://www.rootshell.com and search for "jolt"
Background: http://www.rootshell.com
Build Operating System: UNIX
Target Operating System: Windows 95. 98/NT/2000 are unaffected.
Impact: Varying results; Windows 95 freezes or blue-screens.
Fix: http://support.microsoft.com

Tip: The patch for Jolt only works if you also install the VTCPUPD patch, which is available at http://support.microsoft.com/.

Jolt was reportedly derived from older DoS attacks for POSIX and SYSV systems.
As a side note, its author reports that some systems will blue-screen when attacked.

Jolt2
Filename: jolt2.c
Author: Phonix (phonix@moocow.org)
Location: http://www.rootshell.com and search for "jolt2"
Background: http://www.rootshell.com
Build Operating System: UNIX
Target Operating System: Windows 98, NT SP5, NT SP6, 2000.
Impact: 100% CPU utilization for as long as the stream of attack packets continues.
Fix: http://support.microsoft.com/

LAND
Filename: land.c
Author: The people at http://www.rootshell.com
Location: http://www.rootshell.com and search for "land"
Background: http://www.cisco.com/warp/public/770/land-pub.shtml
Build Operating System: UNIX
Target Operating System: Many networked operating systems, including older versions of BSD, Linux, Solaris, Digital UNIX, HP-UX and Windows 95, and Cisco IOS.
Impact: A TCP connection request (SYN) whose source address and port are identical to its destination address and port locks up the target.
Fix: http://support.microsoft.com/

The LAND attack sent tremors through the Internet community, primarily because of the sheer number of systems affected. In particular, it was learned that certain network hardware, including routers, was also vulnerable.

Note: Only certain hardware was vulnerable to LAND. It is known that NCD X terminals, Catalyst LAN switches (Series 5000 and Series 2900), and Cisco IOS/700 were all vulnerable. If you fear that your router is vulnerable, I suggest compiling and using land.c as a test; do this against equipment you own and during a maintenance window, because a vulnerable device will hang. You should contact your vendor regarding fixes.

It can take time to root out all LAND variations because so many mutations have cropped up. One version crashes Windows 95 and NT even with Service Pack 3 installed. At the time of writing, Windows NT is up to Service Pack 6a; if your systems are current, this attack does not pose a threat. Workarounds for Cisco hardware can be found at http://www.securityfocus.com. Otherwise, contact your vendor. If your operating system is Windows 95, get the patch for the original LAND attack as well as for its several mutations.
That patch can be found by searching for "land" under the Windows 95 knowledge base at http://support.microsoft.com/.

Pong
Filename: pong.c
Author: FA-Q
Location: http://www.ludat.lth.se/~dat92jni/dat/pong/pong.c
Background: See source code.
Build Operating System: Linux
Target Operating System: Windows 95, but it can affect most other networked OSes.
Impact: The target is flooded with the replies to ICMP echo requests that were sent to a network broadcast address with the target's address spoofed as the source. The flood caused Windows 95 to crash.
Fix: Configure routers and network equipment to disallow traffic to broadcast addresses.

The Pentium Bug
Filename: pentium_bug.c
Author: Whiz (whizpig@tir.com)
Location: http://www.rootshell.com and search for "pentium"
Background: http://support.intel.com/support/processors/pentium/ppiie/descrip.htm
Build Operating System: Any operating system running on an affected Pentium
Target Operating System: None; this is a bug in the processor itself, which operating systems work around in software.
Impact: The target locks up.
Fix: http://support.intel.com/support/processors/pentium/ppiie/descrip.htm#Workaround

This hole affects early Pentium processors (those before the Pentium II). It allows any user who can execute code on the machine, even an unprivileged local account, to issue an illegal instruction that halts the processor, typically hanging the system; physical access is not required. This form of attack demonstrates that denial of service is not limited to network-based attacks. Keep in mind the local and physical access component of computing, and be attentive to its security.

Winnuke
Filename: winnuke.c
Author: _eci
Location: http://www.rootshell.com and search for "nuke"
Background: See the source code.
Build Operating System: Linux, BSDI
Target Operating System: Windows 95 and Windows NT. 98/2000 are not affected.
Impact: Windows 95 and NT failed to handle TCP segments carrying out-of-band (OOB, or urgent) data sent to the NetBIOS session port, 139. Often caused a system panic requiring a reboot.
Fix: http://support.microsoft.com/

Winnuke will kill any unpatched Windows 95 or Windows NT box, forcing a reboot.
This attack has gone through several mutations and is available for many build operating systems. The "nukenabber" tool helps identify the presence of this attack on a network. Nukenabber is a small, compact port sniffer written by puppet@earthling.net. The program listens on ports 139, 138, 137, 129, and 53, all ports on which DoS attacks have been implemented in the past, and notifies you when your machine is under Winnuke attack. The program is available at http://www.dynamsol.com/puppet/nukenabber.html.

Ping of Death
Filename: pingexploit.c, win95ping.c
Author: Bill Fenner (fenner@freebsd.org)
Location: http://www.rootshell.com and search for "ping"
Background: See the source code.
Build Operating System: BSD UNIX; other ports are available.
Target Operating System: Windows 95 and Windows NT 3.51. Windows 98/NT4/2000 are not affected.
Impact: Fragmented ICMP echo requests that reassemble to more than the 65,535-byte maximum IP datagram size were not handled appropriately, overrunning the reassembly buffer and crashing the system.
Fix: http://support.microsoft.com/

DNSKiller
DNSKiller will kill a Windows NT 4.0 box's DNS server. The source was written for a Linux environment, but it also runs well on BSD-ish platforms. For more information, see http://archives.neohapsis.com/archives/bugtraq/1997_1/0152.html.

arnudp100.c
arnudp100.c is a program that forges UDP packets and can be used to implement a denial of service attack on UDP ports 7, 13, 19, and 37 (the echo, daytime, chargen and time diagnostic services). To understand the attack, I recommend the paper Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks by Cisco Systems, available online at http://cio.cisco.com/warp/public/707/3.html. Another good source for this information is CERT Advisory CA-96.01.
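Several of the entries above (Smurf and Pong, LAND, Teardrop and Ping of Death) are recognizable from a single packet or a single datagram's fragments, which is what "monitor the network for attack signatures" means in practice. The following is an added example, not code from the book or from any of the tools it lists: a minimal IPv4 parser plus the four signature checks, run over packets constructed by hand for the demonstration. The addresses, the local subnet and the signature names are assumptions made for the example.

```python
"""Signature checks for the classic single-packet DoS attacks catalogued above.

Added example, not code from the book or from any of the tools it lists.
Checks: LAND (source == destination), directed-broadcast echo requests (the
Smurf/Pong amplifier), Ping of Death (a fragment that pushes the reassembled
datagram past 65535 bytes) and Teardrop-style overlapping fragments.
The packets at the bottom are constructed for the demonstration.
"""
import ipaddress
import struct
from collections import defaultdict

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_ECHO_REQUEST = 8
MAX_DATAGRAM = 65535            # largest IPv4 datagram the 16-bit length field allows


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header and, for unfragmented TCP/ICMP, the fields the checks need."""
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    payload = pkt[ihl:total_len]
    h = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto, "ident": ident,
        "mf": bool(flags_off & 0x2000),        # More Fragments flag
        "frag_off": (flags_off & 0x1FFF) * 8,  # offset field counts 8-byte units
        "payload": payload,
    }
    if h["frag_off"] == 0 and proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        h.update(sport=sport, dport=dport, syn=bool(off_flags & 0x02))
    elif h["frag_off"] == 0 and proto == IPPROTO_ICMP and len(payload) >= 4:
        h["icmp_type"] = payload[0]
    return h


def is_land(h: dict) -> bool:
    """LAND: a SYN whose source address:port equals its destination address:port."""
    return (h["proto"] == IPPROTO_TCP and h.get("syn", False)
            and h["src"] == h["dst"] and h.get("sport") == h.get("dport"))


def is_directed_broadcast_echo(h: dict, local_nets) -> bool:
    """Smurf/Pong amplification: an echo request aimed at the broadcast address of one of our subnets."""
    if h["proto"] != IPPROTO_ICMP or h.get("icmp_type") != ICMP_ECHO_REQUEST:
        return False
    dst = ipaddress.IPv4Address(h["dst"])
    return any(dst == net.broadcast_address for net in local_nets)


def fragment_anomalies(frags) -> set:
    """Check one datagram's fragments (same src, dst, ident, proto) for Ping of Death and Teardrop."""
    findings, covered = set(), []
    for f in sorted(frags, key=lambda f: f["frag_off"]):
        start, end = f["frag_off"], f["frag_off"] + len(f["payload"])
        if end > MAX_DATAGRAM:
            findings.add("ping-of-death")            # reassembly buffer would overflow
        if any(start < e and end > s for s, e in covered):
            findings.add("teardrop-overlap")         # fragment lands inside an earlier one
        covered.append((start, end))
    return findings


def scan(packets, local_nets) -> dict:
    """Run every check over raw packets; returns {signature: [(src, dst), ...]}."""
    hits, datagrams = defaultdict(list), defaultdict(list)
    for pkt in packets:
        h = parse_ipv4(pkt)
        if is_land(h):
            hits["land"].append((h["src"], h["dst"]))
        if is_directed_broadcast_echo(h, local_nets):
            hits["directed-broadcast-echo"].append((h["src"], h["dst"]))
        if h["mf"] or h["frag_off"]:
            datagrams[(h["src"], h["dst"], h["ident"], h["proto"])].append(h)
    for key, frags in datagrams.items():
        for sig in fragment_anomalies(frags):
            hits[sig].append(key[:2])
    return dict(hits)


# --- constructed sample packets (not captured traffic) ---------------------
def build_ipv4(src, dst, proto, payload, ident=1, frag_off=0, mf=False) -> bytes:
    flags_off = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload                          # checksum left zero; the checks ignore it


def build_tcp_syn(sport, dport) -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)


LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]     # assumed local subnet
ECHO_REQ = bytes([ICMP_ECHO_REQUEST, 0, 0, 0]) + b"\0" * 4
SAMPLES = [
    build_ipv4("10.0.0.5", "10.0.0.5", IPPROTO_TCP, build_tcp_syn(139, 139)),                 # LAND
    build_ipv4("10.9.9.9", "192.168.1.255", IPPROTO_ICMP, ECHO_REQ),                          # Smurf amplifier request
    build_ipv4("10.0.0.7", "192.168.1.10", IPPROTO_ICMP, ECHO_REQ),                           # ordinary ping
    build_ipv4("10.0.0.8", "192.168.1.20", IPPROTO_ICMP, b"A" * 100, ident=7, frag_off=65528),  # Ping of Death tail
    build_ipv4("10.0.0.9", "192.168.1.30", 17, b"B" * 36, ident=9, mf=True),                   # Teardrop fragment 1
    build_ipv4("10.0.0.9", "192.168.1.30", 17, b"C" * 16, ident=9, frag_off=24),               # Teardrop fragment 2
]

if __name__ == "__main__":
    for sig, pairs in scan(SAMPLES, LOCAL_NETS).items():
        print(f"{sig:24s} {pairs}")
```

The fragment checks work on the whole fragment set rather than on individual packets because neither Teardrop nor Ping of Death is visible from one fragment alone: the overlap only exists relative to an earlier fragment, and the oversized total only shows once a fragment's offset plus length crosses 65535. A real monitor would expire incomplete fragment sets after a timeout so that an attacker cannot exhaust its memory with half-sent datagrams.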
Distributed Denial of Service Attacks

In early 2000, the Internet community saw a new method of attack unleashed upon several popular Web sites, including CNN, E*Trade, Datek, Amazon.com, Yahoo!, and Buy.com, that left them unreachable for several hours. These attacks were unlike normal denial of service attacks in that the flood of network traffic appeared to come from many different systems simultaneously. Network administrators and security personnel scrambled to identify the causes and sources of the attacks, and to find ways to stop them and bring their crawling Web sites back into service. Rumors spread about a coordinated underground cracking community conspiring to attack simultaneously. The reality soon became known: a new form of attack, the distributed denial of service (DDoS) attack, would become a nightmare for Web sites and businesses.

Distributed denial of service attacks, as the name implies, occur when several systems, from a handful to thousands, simultaneously attack a specified target. Some of the well-known and analyzed attack tools are Trinoo (or Trin00), Tribe Flood Network (TFN), TFN2k (an updated version of TFN), and Stacheldraht (German for "barbed wire"). These tools function via a master and slave mechanism. The master is the controlling station, where the attacker defines the target and method of attack. The slave stations (the analyses cited below also call them daemons or agents) are remote systems that have been compromised and have had the attack tool installed. The master signals the slaves to launch the attack, and another signal from the master stops it. Because the flood comes from the slaves, and some of the tools spoof the source addresses of the flood packets as well, the traffic the victim sees points to neither the attacker nor, reliably, the slaves.

A good general overview of distributed denial of service attacks can be found in Distributed Denial of Service Attacks, by Bennett Todd, at http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html.

This section provides an index of distributed denial of service attack tools. The background information includes full analyses of the attack methods and source code.
Trinoo (Trin00)
Filename: trinoo.tgz
Author: Project DoS
Location: http://packetstorm.securify.com/distributed/
Background: http://staff.washington.edu/dittrich/misc/trinoo.analysis
Build Operating System: UNIX
Target Operating System: UNIX
Impact: Denial of service until the attack is stopped.
Fix: Patch systems to prevent compromise, monitor UDP traffic for trinoo fingerprints, and run DDoS scanner tools such as RID (available at http://packetstorm.securify.com/distributed/) to detect the presence of the program on your network. Blocking UDP traffic on high-numbered ports might stop the problem, but might also break other network applications.

Tribe Flood Network (TFN)
Filename: tfn.tgz
Author: Mixter
Location: http://packetstorm.securify.com/distributed/
Background: http://staff.washington.edu/dittrich/misc/tfn.analysis
Build Operating System: UNIX
Target Operating System: UNIX
Impact: Denial of service until the attack is stopped.
Fix: Use RID (see the trinoo entry) to scan for the presence of the software on your network, and block all ICMP echo traffic. (This might not be possible, depending on the network needs of the organization.)

TFN2k
Filename: tfn2k.tgz
Author: Mixter
Location: http://packetstorm.securify.com/distributed/
Background: http://packetstorm.securify.com/distributed/TFN2k_Analysis.htm
Build Operating System: UNIX
Target Operating System: UNIX, Windows NT/2000
Impact: Denial of service until the attack is stopped.
Fix: Disallow unnecessary TCP, UDP, and ICMP network traffic. Protect systems against compromise by frequent monitoring and updating. Use application proxies to prevent the attack.

Stacheldraht
Filename: satchel.tgz
Author: Unknown
Location: http://packetstorm.securify.com/distributed/
Background: http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
Build Operating System: Linux, Solaris
Target Operating System: Linux, Solaris
Impact: Denial of service until the attack is stopped.
Fix: Use RID (see the link in the trinoo entry) to scan for the presence of the software on your network, and block all ICMP echo traffic. (This might not be possible, depending on the network needs of the organization.)