Distributed DoS, Botnets, and Worms


This chapter has discussed some of the effects of attack activity and how to use some tools to identify and mitigate those attacks. In the spirit of Sun Tzu, however, you have to know your enemy to emerge victorious from battles. This section discusses some of the tools attackers use, which provides you with knowledge of how this enemy operates.

An attacker's goal is to disrupt normal network service, because he or she enjoys creating havoc. A common type of attack is the TCP SYN flood, which has grown in its variations and complexity. This attack seeks to tie up system resources by sending large numbers of connection requests, which the attacked host must deal with and reply to.

Attacks have shifted focus over time: from selected hosts, to the routers that service multiple hosts, to generating large amounts of traffic across the entire network, to attacking routing protocols, management traffic, and the transport protocols that underlie all of these higher-level protocols. In fact, all these types of attacks are continuously in progress on the Internet at any given moment.

This section examines some further DDoS attack techniques, how they can be implemented by attackers using botnets, and what worms are and their mitigation techniques.

Anatomy of a DDoS Attack

DDoS attacks can target (among other things) resources such as bandwidth (large packets), CPU (small packets), buffers, and protocol exhaustion (such as SYN floods and crafted packets to kill machine processes). These can be directed toward an enterprise, a provider, or the core of the Internet. As described previously, the attack can come in the form of spurious traffic generated by lots of compromised hosts, attacks on transport protocols such as TCP (SYN or RST attacks), internal buffers on routers, or any other part of the infrastructure.

Note

Cisco offers a feature called TCP Intercept to specifically address the SYN class of attacks. More details can be found at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfdenl.htm.


The effect of the DDoS attacks can be amplified by using multiple machines at differing locations, as shown in Figure 7-14.

Figure 7-14. DDoS Architecture


Hackers typically follow this type of process for a DDoS attack:

  1. Crack a large number of unsuspecting hosts attached to the network using well-known vulnerabilities within the operating systems. Typically, these are unprotected home-user PCs that do not get regular security patches applied.

  2. After the hacker recruits his army of compromised hosts, a Trojan (a program that runs as an invisible process on a compromised machine) is installed on each host with an apparently innocent control channel.

    The control channel can be something as simple as commands to the Trojan carried in what look like ordinary ICMP packets, which can be used to initiate on-demand DDoS activity.

  3. After this is all set up, the hacker can direct an attack from all these innocent host machines as desired.

One of the earliest forms of DDoS is described at http://www.cert.org/advisories/CA-1996-21.html. Although it is an early form, the process is still the same as that used by attacks today. It describes the use of multiple zombies to initiate TCP connections to a target host with the intention of exhausting kernel resources on the host machine. When the attacked host has received no response from the supposed requester for 120 seconds (it never will, because the zombies use spoofed source addresses), the kernel resources are freed; however, 120 seconds is a long time to wait. When the connection queue is full, no more connections are accepted, and the attacked host is out of service. Many more DDoS attack types are listed at CERT. Attack types now extend up the OSI stack to include URL-based attacks. These attacks are similar in concept to the TCP SYN attack, but they use repeated requests or refreshes of a random URL to tie up resources on the attacked host.

Botnets

From a hacker's perspective, the next question is how all this can be automated to ease the task of recruiting lots of unsuspecting machines to become zombies willing to receive commands and launch DDoS attacks on demand. The tool of choice has become the botnet. When you're constructing security schemes, it is worth understanding how botnets operate to keep your machines from becoming attack initiators, potentially allowing them to mitigate attacks from these entities.

Bots were created for valid reasons in the Internet Relay Chat (IRC) environment. http://www.irc101.org/ provides updates if you're interested in this service, which was originally defined in RFC 1459. The first bot, Eggdrop Bot (available at http://www.eggheads.org), was used to protect IRC channels in their owner's absence. To run IRC, you need an IRC client on the host, the IP address of the IRC server you want to connect to, and the IRC channel name. The first people on a channel became the channel operators, and they controlled the channel; however, because they would lose this status if they disconnected, bots were created to keep this connection open and preserve the channel's status even though the channel operator was absent.

Today, IRC is still the primary mechanism to distribute Trojans. It is true that e-mail attachments have become more popular recently, but there is still a long way to go for them to catch up with IRC as a distribution vehicle for these nefarious programs. Bots are really just a way of automating things to make life easier for the human user. The problems start when that human owner is a miscreant set on wreaking havoc on user services.

By grouping many IRC bots, a botnet is created. It can have one of the following architectures:

  • Hub/leaf architecture: In this architecture, a single hub uses a specific channel to communicate with many leaf nodes. These architectures have been seen to scale to thousands of leaf nodes.

  • Channel botnet: A more scalable architecture that is controlled by posting commands to an IRC channel, which leverages the scaling properties of IRC itself.

The miscreant's goal is to create a botnet under his or her control that can launch attacks from many locations as desired. To do this, an attacker takes advantage of host vulnerabilities and installs bots on many machines, thus creating a botnet. Whether the miscreant uses IRC or mail to lure users to unwittingly install the bot, the process is the same. Human nature is exploited by advertising enticing material that, instead of delivering something of interest, infects the machine. Interestingly, after a miscreant compromises a host, the vulnerability is usually patched to stop other miscreants from accessing it. Two basic processes are followed to install the bot:

  • Scan hosts for open ports that are associated with known vulnerabilities.

  • Entice someone to download a self-installing bot.

Note

Miscreants tend to pick on Microsoft products more than other products purely because of their pervasiveness and because more miscreants are familiar with Microsoft product operation.


Either process can create a large botnet that can be used for things such as distributing pirated software and creating DDoS attacks. Or the botnet can be sold to other miscreants who want to enter into these illegal activities. The question network managers face is what to do about these things. Apart from the obvious solutions of applying patches to operating systems, closing nonessential ports, and having up-to-date virus-scanning software, a lot needs to be done. A new security loophole will always appear, so you must be prepared for how to mitigate it. It will, in all probability, get on your network. You may have the best edge security firewalls, IDS, and so on, but all it takes is for one laptop user to get infected from an unprotected Internet access point at home or at a coffee shop hotspot. You potentially have a compromised network when that machine is brought back to the network and connected inside the firewall/IDS protection.

The best process to protect your network is based on constant vigilance. There are tools to detect botnet activity on your network. There are also defense and reaction techniques, but all of them depend on having trained security personnel in place. They must know what normal network activity looks like, be able to identify anomalous behavior, and have sinkholes and black-hole filtering available so that you can restore partial service and investigate the attack further. The message is this: Botnets are real, and they evolve new ways to get installed all the time. The best defense is preparing yourself and your network to deal with DDoS attacks spawned from botnets when they occur.

Tools to Identify Botnets

Many tools exist to detect bots and remove them from your network. This way, you are not contributing to the spread of DDoS attacks. Here are the URLs to visit if you'd like to download these tools:

  • Spybot http://security.kolla.de/

  • Swat It http://www.swatit.org

  • TDS3, the Trojan Defense Suite http://tds.diamondcs.com.au/

  • TrojanHunter http://www.misec.net/trojanhunter

  • The Cleaner http://www.moosoft.com/

For a discussion of bot operation, ports used, and so on, visit http://www.swatit.org/bots/.


The next section looks at how to mitigate worm infection should a new infection break through your existing defenses.

Worm Mitigation

Similar to the concept of botnets and Trojan processes are Internet worms. Worms are programs that look for vulnerable machines on the network, install themselves on the vulnerable machines, and then use them as a base to seek out other vulnerable machines and replicate to them. A worm is like a combination of a self-directed bot and a set of instructions for the bot to follow.

Note

The summer of 2003 marked a watershed in the pervasiveness of the Internet worm. Descriptions of the most high-profile worms launched (nachi, sobig, nimda, and so on) can be found at http://www.microsoft.com/technet/security/topics/virus/default.mspx.


In this case, our enemy uses a four-step process. It looks for a vulnerable host (for example, the Blaster worm scanned for an open TCP port 135), installs itself, propagates by the same means, and then executes a payload to steal data or launch attacks. It does all this without miscreant intervention after the worm is released. The question is how to prepare to mitigate this threat. The answer is to have a strong process that includes ongoing update work and utilization of security tools, such as those discussed in this chapter (NetFlow, black-hole filtering, and so on).

The first step to protecting your network from Internet worms is to limit the possible ways a worm can exploit a host by closing the known vulnerabilities. The Cisco solution for this is the Cisco Security Agent. This is a piece of software installed on each PC that monitors the activity of computer programs trying to install anything on the host and alerts the user to this activity.

Should that fail, or if you are under attack from traffic generated by infected hosts on connected networks, identifying abnormal traffic is the best solution. You must deploy NetFlow and a collector, such as the Arbor product, to analyze and report anomalous traffic on your network. The network should have a physical topology and network addressing scheme that makes it simple to compartmentalize the network during times of stress. This simplifies the implementation of containment filters applied after the worm activity is apparent.

Note

You can find resources that expand on these ideas at http://www.cisco.com/warp/public/707/21.html and http://www.cisco.com/go/SAFE/.


Dealing with worms is the same as dealing with any other attack. The only difference is that the number of sources is greater in worm-related infections. This can seriously affect your best tool for identifying and classifying these attacks: NetFlow. In many cases, worms randomize some part of the header, so every packet looks like a new flow and creates a new NetFlow entry, which can overwhelm some route processors. The way to mitigate this is to use sampled NetFlow. As long as NetFlow is not being used for other applications such as billing, this is perfectly acceptable.

Starting from the basis of having a security team in place with NetFlow, a NetFlow Collector, tools like a sinkhole, and the ability to black-hole filter, here is the recommended procedure to follow when you are infected with (or under attack from) a worm:

Step 1. Identification and classification: The baseline studies and anomaly detection tools are most useful here. After you detect anomalous network behavior, you must identify the characteristics of the attack packets, such as the protocol and port numbers used, packets of a distinctive length, and so on.

Step 2. Containment: Mechanisms such as ACLs are used to keep clean areas of the network from being infected, so that the outbreak of the worm is contained as much as possible.

Step 3. Inoculation: This is applied in parallel with the subsequent phases. Inoculation means patching all systems to protect them from the vulnerability exploited by the worm. This does not stop the worm from operating; it just keeps cleaned hosts from being re-infected.

Step 4. Quarantine: Disconnect infected hosts from the network while they are repaired.

Step 5. Treatment: Clean all the infected hosts.

Step 6. Review: Examine how the procedure worked and what could be improved for the next time.

Every person who is expected to participate in the mitigation of worm incidents needs to understand what is done in each phase, what tools and procedures are available in your network to deal with worms, and what his or her responsibility is. The precise nature of the activities in each phase varies from network to network and organization to organization, but the essential elements are the same.
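As an added illustration of the sampled-NetFlow point above and of Steps 1 and 2 of the procedure (this is example code, not code from the book or from any Cisco product), the following Python works over constructed flow records: it flags a source that fans out to many destinations on one port with identical tiny flows, shows that 1-in-n sampling still exposes that pattern with far fewer entries, and renders the finding as an IOS-style containment ACL. The record layout, the thresholds, the addresses and the ACL syntax are all assumptions.

```python
import random
from collections import defaultdict

# Constructed NetFlow-style records (src, dst, proto, dport, pkts, bytes); not captured data.
# 10.1.1.7 sweeps TCP/135 across 2000 destinations with identical one-packet flows, the
# Blaster-style pattern the chapter describes; the remaining entries are ordinary traffic.
FLOWS = [("10.1.1.7", f"10.2.{i // 250}.{i % 250 + 1}", "tcp", 135, 1, 48) for i in range(2000)]
FLOWS += [("10.1.1.20", "10.9.0.5", "tcp", 80, 12, 9400),
          ("10.1.1.21", "10.9.0.5", "tcp", 443, 30, 22000),
          ("10.1.1.22", "10.9.0.9", "udp", 53, 2, 180)] * 40

def sample(flows, n, seed=1):
    """Keep roughly 1 in n records, as sampled NetFlow does so that one short flow per
    randomized worm packet does not swamp the route processor or the collector."""
    rng = random.Random(seed)
    return [f for f in flows if rng.randrange(n) == 0]

def classify(flows, min_dsts=50, max_pkts=3):
    """Step 1: per source, group tiny flows by (proto, dport) and flag any group that
    reaches many distinct destinations with the same byte count, the fan-out signature
    of a scanning worm. Returns {src: (proto, dport, distinct_dsts, bytes_per_flow)}."""
    dsts = defaultdict(lambda: defaultdict(set))
    sizes = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport, pkts, nbytes in flows:
        if pkts <= max_pkts:
            dsts[src][(proto, dport)].add(dst)
            sizes[src][(proto, dport)].add(nbytes)
    findings = {}
    for src, groups in dsts.items():
        for key, seen in groups.items():
            if len(seen) >= min_dsts and len(sizes[src][key]) == 1:
                findings[src] = (key[0], key[1], len(seen), sizes[src][key].pop())
    return findings

def containment_acl(findings, name="WORM-CONTAIN"):
    """Step 2: express each finding as an IOS-style extended ACL entry that stops the
    infected host from reaching the scanned port (syntax assumed; check your platform)."""
    lines = [f"ip access-list extended {name}"]
    for src, (proto, dport, _, _) in sorted(findings.items()):
        lines.append(f" deny {proto} host {src} any eq {dport}")
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    full, reduced = classify(FLOWS), classify(sample(FLOWS, 8))
    print(len(FLOWS), "flows; 1-in-8 sample keeps", len(sample(FLOWS, 8)))
    print("full:", full, "\nsampled:", reduced)
    print("\n".join(containment_acl(reduced)))
```

The ACL is deliberately narrow (one host, one port) so that it contains the scanner without cutting off the clean traffic that shares the segment.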




Selecting MPLS VPN Services
ISBN: 1587051915
Year: 2004
Pages: 136