Types of Denial-of-Service Attacks

There are several general categories of DoS attacks. Some groups divide attacks into three classes: bandwidth attacks, protocol attacks, and logic attacks.

An attacker can consume bandwidth by transmitting any traffic at all on your network connection. A basic flood attack might use UDP or ICMP packets to simply consume all available bandwidth. For that matter, an attack could consist of TCP or raw IP packets, as long as the traffic is routed to your network.

A simple bandwidth-consumption attack can exploit the throughput limits of servers or network equipment by focusing on high packet rates ”sending large numbers of small packets. High-packet-rate attacks typically overwhelm network equipment before the traffic reaches the limit of available bandwidth. Routers, servers, and firewalls all have constraints on input-output processing, interrupt processing, CPU, and memory resources. Network equipment that reads packet headers to properly route traffic becomes stressed handling the high packet rate (packets per second), not the volume of the data (Mbps). In practice, denial of service is often accomplished by high packet rates, not by just traffic volume.

• teardrop (bonk, boink) exploits TCP/IP IP stacks that do not properly handle overlapping IP fragments (see http://www.cert.org/advisories/CA-1997-28.html).

• land crafts IP packets with the source address and port set to be the same as the destination address and port (see http://www.cert.org/advisories/CA-1997- 28.html).

• ping of death sends a single large ICMP ECHO REQUEST packet to the target.

• Naptha is a resource-starvation attack that exploits vulnerable TCP/IP stacks using crafted TCP packets. (See http://www.cert.org/advisories/CA-2000-21.html).

There are many variations on these common types of attacks and many varieties of attack tools to implement them.

Denial-of-service attacks may be effective because of a combination of effects. For example, an attack that does not fully consume bandwidth or overload equipment throughput may be effective because it generates enough malformed traffic to crash a particular service, such as a web server or mail server.

What is Distributed Denial of Service Attacks

• An attacker launches the attack using several machines. In this case, an attacker breaks into several machines, or coordinates with several zombies to launch an attack against a target or network at the same time.

• This makes it difficult to detect because attacks originate from several IP addresses.

• If a single IP address is attacking a company, it can block that address at its firewall. If it is 300 00 this is extremely difficult.

DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. Then the attacker installs DDoS software on them, allowing them to control all these burgled machines to launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

DDoS is a combination of DoS attacks staged or carried out in concert from various hosts to penalize the target host from further serving its function. DDoS is term coined when the source of the attack is not coming from a single source, but multiple sources. DDoS cannot be eliminated with merely filtering the source IPs since it is often launched from multiple points installed with agents . Some known DDoS tools are Mstream , Trinoo, TFN2K (Tribe Flood Network), Stacheldraht and Shaft. DDoS attack is an example of a bandwidth attack.

Ping of Death

• An attacker sends a large ping packet to the victim's machine. Most OS do not know what to do with a packet that is larger than the maximum size , it causes the OS to hang or crash.

• Example: Ping of Death causes blue screen of death in Windows NT.

• Ping of Death uses ICMP to cause a denial of service attack against a given system.

When a large ICMP packet is sent by a hostile machine to a target, the target receives the ping in fragments and starts reassembling the packet. However, due to the size of the packet once it is reassembled it is too big for the buffer and overflows it. Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed, or rebooted. Ping of death attacks are particularly malicious because the identity of the attacker sending the oversized packet can be easily spoofed and also because the attacker just needs an IP address to carry out his attack.

Windows 95 and Windows NT are capable of sending such a packet. By simply typing in "ping target -165500" you can send such a ping. There are also source code examples available for Unix platforms that allow large ping packets to be constructed .

By the end of 1997, operating system vendors had made patches available to avoid the ping of death. However, many Web sites continue to block Internet Control Message Protocol (ICMP) ping messages at their firewalls to prevent any future variations of this kind of denial of service attack. Ping of death is also known as "long ICMP". Variations of the attack include jolt, sPING, ICMP bug, and IceNewk.

Hacking Tool: SSPing

• SSPing is a DoS tool.

• SSPing program sends the victim's computer a series of highly fragmented , oversized ICMP data packets.

• The computer receiving the data packets lock when it tries to put the fragments together.

• The result is a memory overflow which in turn causes the machine to stop responding.

• Affects Win 95/NT and Mac OS

Jolt is a program, which effectively freezes some Windows 95 or Windows NT machines. It is based on old code, which freezes old SysV and Posix implementations . Jolt works by sending a series of spoofed & highly fragmented ICMP packets to the target, which then tries to reassemble the received fragments. As a result, of Jolt Windows 95/NT ceases to function altogether.

This will affect unpatched Windows 95, Memphis and Windows NT machines, which are not behind a firewall that blocks ICMP packets. This will also affect old MacOS machines, and it is possible it is also useful against old SysV/POSIX implementations.

Hacking Tool: Land Exploit

• Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and source addresses are the same and port numbers are the same.

• When an attacker wants to attack a machine using the land exploit, he sends a packet in which the source/destination ports are the same.

• Most machines will crash or hang because they do not know how to handle it.

After receiving spoofed connection request (SYN) packets over TCP/IP, a computer running Windows 95 or Windows NT may begin to operate slowly. After about one minute, Windows returns to normal operation. Variations of this attack can cause any Windows PC to stop responding. (hang)

This behavior occurs due to "Land Attack." Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packets to itself. Windows 95 and Windows NT operate slowly while the host computer tries to respond to itself.

Hacking Tool: Smurf

• Smurf is a DoS attack involving forged ICMP packets sent to a broadcast address.

• Attackers spoof the source address on ICMP echo requests and sending them to an IP broadcast address. This causes every machine on the broadcast network to receive the reply and respond back to the source address that was forged by the attacker.

  1. An attacker starts a forged ICMP packet-source address with broadcast as the destination.

  2. All the machines on the segment receives the broadcast and replies to the forged source address.

  3. This results in DoS due to high network traffic.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf". There are two parties who are hurt by this attack... the intermediary (broadcast) devices--let's call them "amplifiers", and the spoofed address target, or the "victim". The victim is the target of a large amount of traffic that the amplifiers generate.

Let's look at a scenario to see the nature of this attack. Assume a co-location switched network with 250 hosts, and that the attacker has a T1. The attacker sends, say, a 234b/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site". These ping packets hit the bounce site's broadcast network of 250 hosts; each of them takes the packet and responds to it, creating 250 ping replies out-bound. If you multiply the bandwidth, 58.5 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets). The perpetrators of these attacks rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.

In the case of the smurf or fraggle attack, each host which supports this behavior on a broadcast LAN will happily reply with an ICMP or UDP (smurf or fraggle, respectively) echo-reply packet toward the spoofed source address, the victim. The amount of bandwidth and packets per second (pps) that can be generated by this attack is quite large. Many hosts cannot process this many packets per second; many hosts are connected to 10 Mbps Ethernet LANs where more traffic than wire speed is sent. Therefore, the ability to drop these packets at the network border, or even before it flows down the ingress pipes, is desired.

SYN Flood

• SYN attack floods a targeted system with a series of SYN packets.

• Each packet causes the targeted system to issue a SYN-ACK response, while the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.

• SYN-ACKs are moved of the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake

• Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

In the TCP/IP protocol, a three-way handshake takes place as a service is connected to. First in a SYN packet from the client, with which the service responses with a SYN-ACK. Finally, the client responds to the SYN-ACK and the conversation is considered started.

A SYN Flood attack is when the client does not response to the SYN-ACK, tying up the service until the service times out, and continues to send SYN packets. The source address of the client is forged to a non-existent host, and as long as the SYN packets are sent faster than the timeout rate of the TCP stack waiting for the time out, the resources of the service will be tied up.

This is a simplified version of what exactly happens. During a SYN flood attack, the attacker sends a large number of SYN packets alone, without the corresponding ACK packet response to the victim's SYN/ACK packets. The victim's connections table rapidly fills with incomplete connections, crowding out the legitimate traffic. Because the rate of attacking SYN packets usually far exceeds that of normal traffic, even when a table entry eventually is cleared out, another attacking SYN packet rather than a legitimate connection will fill it.

But because SYN packets are a necessary part of legitimate traffic, they cannot be filtered out altogether. Second, SYN packets are relatively small, so an attacker can send large numbers of packets using relatively low-bandwidth Internet connections. Finally, because the attacker does not need to receive any data from the victim, the attacker can place random source IP addresses in the attacking packets to camouflage the actual source of the attack, and make filtering all but impossible .

Hacking Tool: WinNuke

• WinNuke works by sending a packet with "Out of band " data to port 139 of the target host. First off, port 139 is the NetBIOS port and does not accept packets unless the flag OOB is set in incoming packet.

• The OOB stands for Out Of Band. When the victim's machine accepts this packet, it causes the computer to crash a blue screen.

• Because the program accepting the packets does not know how to appropriately handle Out Of Band data, it crashes.

The blue bomb derives its name from the effect it sometimes causes on the display as the operating system is terminating - a white-on-blue error screen that is commonly known as blue screen of death. Blue bombs are sometimes sent by multi-player game participants who are about to lose or users of Internet Relay Chat (IRC) who are making a final comment. This is known as "nuking" someone. A commonly used program for causing the blue bomb is WinNuke. Many Internet service providers are filtering out the packets so they do not reach users.

WinNuke is practically an outdated attack. All the new Windows versions are immune to WinNuke.

Hacking Tool: Jolt2

• Jolt2 enables users across different networks to send IP fragment-driven denial of service attacks against NT/2000 by making victim's machine utilize 100% of its CPU when it attempts to process the illegal packets.

   c: \> jolt2 1.2.3.4 -p 80 4.5.6.7 

• The above command launches the attack from the attacker's machine with a spoofed IP address of 1.2.3.4 against the IP address 4.5.6.7

• The victim's machine CPU resources reach 100% causing the machine to lock up.

Jolt2 enables users across different networks to send IP fragment-driven denial of service attacks against NT/2000 by making victim's machine utilize 100% of its CPU when it attempts to process the illegal packets.

Usage:

 c: \> jolt2 1.2.3.4 -p 80 4.5.6.7 

The above command launches the attack from the attacker's machine with a spoofed IP address of 1.2.3.4 against the IP address 4.5.6.7

The victim's machine CPU resources reach 100% causing the machine to lock up.

Hacking Tool: Bubonic.c

• Bubonic.c is a DOS exploit that can be run against Windows 2000 machines.

• It works by randomly sending TCP packets with random settings with the goal of increasing the load of the machine, so that it eventually crashes.

   c: \> bubonic 12.23.23.2 10.0.0.1 100 

Hacking Tool: Targa

• Targa is a program that can be used to run 8 different Denial Of Service attacks.

• The attacker has the option to either launch individual attacks or to try all the attacks until it is successful.

• Targa is a very powerful program and can do a lot of damage to a company's network.

Targa is a free software packet available in the Internet. Targa contains many of the most well known protocol or Operating System based DoS attacks. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Mainly, the Targa packet is intended to be used in Linux or BSD Unix computers. Target platforms can be any possible Operating System. However, the attacks do not have an impact on all Operating Systems.

The attacks that can be done with the Targa kit:

• Jolt by Jeff W. Roberson (modified by Mixter for overdrop effect) - discussed separately

• Land by m3lt - discussed separately

• Winnuke by _eci - discussed separately

• Nestea by humble and ttol - Nestea exploits the "off by one IP header" bug in the Linux IP packet fragmentation code. Nestea crashes Linux 2.0.33 and earlier and some Windows versions. A new and improved version of the Nestea Linux IP fragmentation is available

• Syndrop by PineKoan - Syndrop is a mixture of teardrop and a TCP SYN flooding attack. Affected platforms are Linux and Windows 95/NT.

• Teardrop by routedaemon9 - This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle be divided into fragments. The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.

  Threat

  This bug has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. However, though non-destructive, this bug could cause possible problems if you have unsaved data in an open application when you are attacked , causing you to lose the data. There are fixes against Teardrop.

• Bonk by route daemon9 & klepto - Bonk is based on teardrop.c. Bonk crashes Windows 95 and NT operating systems. Boink is an improved version of bonk.c. Boink allows UDP port ranges and can possibly crash a patched Windows 95/NT machine. NewTear is another variant of teardrop.c, which is slightly different from bonk.c. Mainly they do the same thing just in different ways. Small changes in the code may have significant changes in the results, as you can see below.

• NewTear by route daemon9 - NewTear is another variant of teardrop.c

  Tools for running DDOS Attacks

  The main tools for running DDOS attacks are:

  1. Trinoo

  2. TFN

  3. Stacheldraht

  4. Shaft

  5. TFN2K

  6. mstream

  
   

• Trinoo

  • UDP packet flood attack

  • No source address forgery

  • Some bugs , but full control features

• TFN

  • Some bugs, limited control features

  • UDP packet flood attack ("trinoo emulation")

  • TCP SYN flood attack

  • ICMP Echo flood attack

  • Smurf attack

  • Either randomizes all 32 bits of IP source address, or just the last 8 bits

• TFN2K

  • Same attacks as TFN, but can randomly do them all at once

  • Encryption added to improve security of the DDoS network

  • Control traffic uses UDP/TCP/ICMP

  • Same source address forgery features as TFN

• Stacheldraht/StacheldrahtV4

  • Some bugs, full control features

  • Same basic attacks as TFN

  • Same source address forgery features as TFN/TFN2K

• Stacheldraht v2.666

  • Fewer bugs than original

  • Same basic attacks as Stacheldraht

  • Adds TCP ACK flood attack

  • Adds TCP NUL (no flags) flood attack

  • Adds Smurf attack with pre-compiled list of 16,702 amplifiers

  • Same source address forgery features as stacheldraht/TFN/TFN2K

• shaft

  • Some bugs, but full control features

  • Adds statistics

  • UDP flood attack

  • TCP SYN flood attack

  • ICMP flood attack

  • Randomize all three attacks

• mstream

  • Many bugs, with very limited control features

  • TCP ACK flood (very efficient)

  • Randomizes all 32 bits of IP address

DDOS - Attack Sequence

• All of the DDOS tools follow this sequence.

• Mass-intrusion Phase - automated tools identify potential systems with weaknesses; then root compromise them and install the DDOS software on them. These are the primary victims.

• DDOS Attack Phase - The compromised systems are used to run massive DOS against a victim site.

The mass-intrusion phase is followed by the actual denial of service attack phase, in which these compromised systems which constitute the handlers and agents of the distributed attack network are used to wage massive denial of service attacks against one or more sites. These are secondary victims (of denial of service).

Trinoo

• Trinoo (TrinOO) was the first DDOS tool to be discovered .

• Found in the wild (binary form) on Solaris 2.x systems compromised by buffer overrun bug in RPC services: statd, cmsd, ttdbserverd.

• Trinoo daemons were UDP based, password protected remote command shells running on compromised systems.

DDOS Structure

• The attacker controls one or more master servers by password protected remote command shells.

• The master systems control multiple daemon sysyems. Trinoo calls the daemons "Beast" hosts.

• Daemons fire packets at the target specified by the attacker.

A stolen account is set up as a repository for pre-compiled versions of scanning tools, attack (i.e. buffer overrun exploit) tools, root kits and sniffers, trinoo daemon and master programs, lists of vulnerable hosts and previously compromised hosts, etc. This would normally be a large system with many users, one with little administrative oversight, and on a high-bandwidth connection for rapid file transfer.

A scan is performed of large ranges of network blocks to identify potential targets. Targets would include systems running various services known to have remotely exploitable buffer overflow security bugs, such as wu- ftpd , RPC services for "cmsd", "statd", "ttdbserverd", "amd", etc. Operating systems being targeted appear to be primarily Sun Solaris 2.x and Linux (due to the ready availability of network sniffers and "root kits" for concealing back doors, etc.), but stolen accounts on any architecture can be used for caching tools and log files.

A list of vulnerable systems is then used to create a script that performs the exploit, sets up a command shell running under the root account that listens on a TCP port (commonly 1524/tcp, the " ingreslock " service port), and connects to this port to confirm the success of the exploit. In some cases, an electronic mail message is sent to an account at a free web based email service to confirm which systems have been compromised. The result is a list of "owned" systems ready for setting up back doors, sniffers, or the trinoo daemons or masters.

From this list of compromised systems, subsets with the desired architecture are chosen for the trinoo network. Pre-compiled binaries of the trinoo daemon are created and stored on a stolen account somewhere on the Internet.

A script is then run which takes this list of "owned" systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. Even more subtle ways of having trinoo daemons/masters lie in wait for execution at a given time are easy to envision (e.g., UDP or ICMP based client/server shells, such as LOKI, programs that wake up periodically and open a listening TCP or UDP port, etc.)

The result of this automation is the ability for attackers to set up the denial of service network, on widely dispersed systems whose true owners don't even know are out of their control, in a very short time frame.

Optionally , a "root kit" is installed on the system to hide the presence of programs, files, and network connections. This is more important on the master system, since these systems are key to the trinoo network. (It should be noted that in many cases, masters have been set up on Internet Service Providers' primary name server hosts, which would normally have extremely high packet traffic and large numbers of TCP and UDP connections, which would effectively hide any trinoo related traffic or activity, and would likely not be detected . (The fact that these are primary name servers would also tend to make the owners less likely to take the system off the Internet when reports begin to come in about suspected denial of service related activity.)

Root kits would also be used on systems running sniffers that, along with programs like "hunt" (TCP/IP session hijacking tool) are used to burrow further into other networks directly, rather than through remote buffer overrun exploits (e.g., to find sites to set up new file repositories, etc.)

Hacking Tool: Trinoo

• Trinoo is a DDOS attack tool. It uses the following TCP Ports:

   Attacker to master: 27665/tcp Master to daemon: 27444/udp Daemon to master: 31335/udp 

• Daemons reside on the systems that launch that the attack, and masters control the daemon systems.

• Since Trinoo uses TCP, it can be easily detected and disabled.

The Client: The client is not part of the trinoo package. The telnet or Netcat program is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target. (The master and broadcast are described later in this section.)

The Master: The master is contained in the file master.c in the trinoo package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "?" prompt, waiting for a password. The password is "gOrave".

The Broadcast (or Beast): The broadcast is the code in trinoo that performs the actual flooding. It is ns.c in the trinoo package. When the broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. Starting the broadcast, a UDP packet is sent to port 31335 of each master IP, containing the data "*HELLO*". This packet registers the broadcast with the master. An attacker can then connect to the master and use the daemons to send a UDP flood.

There are six commands that a client can send to the master to cause the master to communicate with the broadcast. A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "l44adsl". These are the six commands the client sends to the master:

- - mtimer:

Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like: "bbb l44adsl 300" when observed on the network.

- - dos:

Performs a Denial of Service attack on a machine. The attack used is explained below. The dos command sends an "aaa" command to the broadcast. This packet looks like: "aaa l44adsl 10.1.1.1" when observed on the network.

- - mdie:

Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known (the password is unknown as of this writing), but an attacker can send their own UDP packet with the master-broadcast password ("l44adsl") to kill each of the broadcasts. The master then sends a "d1e" command to the broadcast daemon. This packet looks like: "d1e l44adsl" when observed on the network.

- - mping:

Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast returns with a "PONG" packet sent to UDP port 31335 of the master. When this packet is transmitted from the master to the broadcast daemon, it looks like: "png 144 adsl".

- - mdos:

This command performs a Denial of Service attack on a list of machines. The master sends a "xyz" command to each broadcast. The packet looks like "xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:".

- - msize:

This command sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends a "rsz" command to the broadcast daemon, and the packet looks like "rsz l44adsl 300".

The DoS attack that trinoo broadcasts use is a UDP flood. Trinoo sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point, there will be little or no network bandwidth left.

There is no reliable way to tell the difference between a trinoo flood and a UDP port scan, because it is not possible to determine if someone is monitoring the ICMP messages.

TFN

• Could be thought of as 'son of trinoo'

• Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site.

• Structured like trinoo with attackers, clients (masters) and daemons.

• Initial system compromise allows the TFN programs to be installed.

• To initiate TFN, the attacker accesses the master program and sends it the IP address of one or more targets. The master program proceeds to communicate with all of the agent programs, instructing them to initiate the attack.

  • Communications between TFN master programs and agent programs use ICMP echo reply packets, where the actual instruction to be carried out is embedded in the 16-bit ID field in binary format. The use of ICMP (Internet Control Message Protocol) makes packet protocol filtering possible.

    • TFN agents can be defeated by configuring your router or intrusion detection system to disallow all ICMP echo and echo reply packets onto your network. However, this will break all internet programs (such as "ping") that utilize these functions.

  • The TFN master program reads a list of IP addresses containing the locations of the agents programs. This list of addresses may be encrypted, using " Blowfish " encryption.

    • If it is not encrypted, then the agents can be identified from the list.

  • The TFN agent programs have been found on systems with the filename td and the master programs with the name tfn. They can be positively identified by running the UNIX strings command.

    • TFN agents do not check where the ICMP echo reply packets come from. Therefore, it is possible to forge ICMP packets to flush out these processes.

TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks, as well as providing an "on demand" root shell bound to a TCP port. The TFN network is made up of a tribe client program ("tribe.c") and the tribe daemon ("td.c"). The attacker(s) control one or more clients, each of which can control many daemons. The daemons are all instructed to coordinate a packet based attack against one or more victim systems by the client. Remote control of a TFN network is accomplished via command line execution of the client program, which can be accomplished using any of a number of connection methods (e.g., remote shell bound to a TCP port, UDP based client/server remote shells, ICMP based client/server shells such as LOKI, SSH terminal sessions, or normal "telnet" TCP terminal sessions.)

No password is required to run the client, although it is necessary to have the list of daemons at hand in an "iplist" file. Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY packets. There is no TCP or UDP based communication between the client and daemons at all.

While the client is not password protected, per se, each "command" to the daemons is sent in the form of a 16 bit binary number in the id field of an ICMP_ECHOREPLY packet. (The sequence number is a constant 0x0000, which would make it look like the response to the initial packet sent out by the "ping" command.)

The values of these numbers, as well as macros that change the name of the running process as seen by PS (1) are defined by the file "config.h". As with trinoo, the method used to install the client/daemon will be the same as installing any program on a UNIX system, with all the standard options for concealing the programs and files.

Both the client and the daemon must be run as root, as they both open an AF_INET socket in SOCK_RAW mode. The client program requires the iplist be available. Recent installations of TFN daemons have included strings that indicate the author is (or has) added Blowfish encryption of the iplist file. This will make the task of determining the daemons much harder.

Detecting trinoo/TFN related attacks: Several conventional attacks are known to be related to trinoo/TFN compromises. Machines that are compromised using the following list of attacks should be checked for trinoo/TFN daemons:

- - rpc.ttdbserver

- - amd

- - rpc.cmsd

- - rpc. mountd

- - rpc.statd

Hacking Tool: TFN2K

http://packetstorm.security.com/distributed

• TFN2K is a DDOS program which runs in distributed mode. There are two parts to the program: client and server.

• The server (also known as zombies) runs on a machine in listening mode and waits for commands from the client.

   Running the server #td Running the client #tn -h 23.4.56.4 -c8 -i 56.3.4.5 

This command starts an attack from 23.4.56.4 to the victim's computer 56.3.4.5

The Client: The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded.

The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

The Master Server: The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password when it is selected by the user at compile time.

TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms.

Hacking Tool: Stacheldraht

• Stacheldraht combines the features of TFN and Trinoo but adds encryption layer between daemons.

• Stacheldraht uses TCP and ICMP on the following ports:

  • Client to Handler: 16660 TCP

  • Handler to and from agents: 65000 ICMP

The Client:

The client is used to connect to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server: The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.

The Agent: The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

The Attack: Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.

Stacheldraht (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents.

One of the weaknesses of TFN was that the attacker's connection to the master(s) that control the network was in clear-text form, and was subject to standard TCP attacks (session hijacking, RST sniping, etc.) Stacheldraht deals with this by adding an encrypting "telnet alike" (stacheldraht term) client. The attacker(s) control one or more handlers using encrypting clients. Each handler can control many agents (up to 1000 agents). The agents are all instructed to coordinate a packet-based attack against one or more victim systems by the handler.

Unlike trinoo, which uses UDP for communication between handlers and agents, or the original Tribe Flood Network, which uses ICMP for communication between the handler and agents, stacheldraht uses TCP and ICMP. Client to handler(s): 16660/tcp and Handler to/from agent(s): 65000/tcp, ICMP_ECHOREPLY. Remote control of a stacheldraht network is accomplished using a simple client that uses symmetric key encryption for communication between itself and the handler.

After connecting to the handler using the client program, the attacker is prompted for a password. This password (default "sicken") is a standard crypt() encrypted password, which is then Blowfish encrypted using the passphrase "authentication" before being sent over the network to the handler. One feature of stacheldraht not shared by trinoo or TFN is the ability to upgrade the agents on demand. This feature employs the Berkeley "rcp" command (514/tcp), using a stolen account at some site as a cache. On demand, all agents are instructed to delete the current program image, go out and get a new copy (either Linux- or Solaris-specific binary) from a site/account using "rcp", start running this new image with "nohup", and then exit.

When each agent starts up, it attempts to read a master server configuration file to learn which handler(s) may control it. This file is a list of IP addresses, encrypted using Blowfish, with a passphrase of "randomsucks". Failing to find a configuration file, there are one or more default handler IP addresses compiled into the program. Once the agent has determined a list of potential handlers, it then starts at the beginning of the list of handlers and sends an ICMP_ECHOREPLY packet with an ID field containing the value 666 and data field containing the string "skillz". If the master gets this packet, it sends back an ICMP_ECHOREPLY packet with an ID field containing the value 667 and data field containing the string "ficken".

In addition to finding an active handler, the agent performs a test to see if the network on which the agent is running allows packets to exit with forged source addresses. It does this by sending out an ICMP ECHO packet with a forged IP address of "3.3.3.3", an ID of 666, and the IP address of the agent system (obtained by getting the hostname, then resolving this to an IP address) in the data field of the ICMP packet.

If the master receives this packet, it replies to the IP address embedded in the packet with an ICMP_ECHOREPLY packet containing an ID of 1000 and the word "spoofworks" in the data field. If the agent receives this packet, it sets a spoof_level of zero (can spoof all 32 bits of IP address). If it times out before receiving a spoof reply packet, it sets a spoof_level of 3 (can only spoof the final octet). ^[1]

Preventing DoS Attacks

You could do the following things to minimize the DoS attack:

1. Effective robust design

2. Bandwidth limitations

3. Keep systems patched

4. Run the least amount of services

5. Allow only necessary traffic

6. Block IP addresses

Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.

• Timely application of patches and system updates, especially to potentially exposed machines. For example, update and maintain a current build of BIND on DNS servers.

• Deployment of only strictly necessary network services

• Intrusion detection systems

• Firewalls

• Anti-virus software

• Good password policies

• Use of Tripwire or other similar tools to detect changes in configuration information or other important files

• Paying heed to "Top 20" vulnerability lists provided by the information security community and evaluating these risks against one's environment

• Establishment and maintenance of regular backup schedules and policies

• As a network is only as secure as its weakest link, protection of mobile and remote machines with personal firewall/intrusion detection software

However, in mitigating DoS or DDoS attacks, it requires good network design to be able to control the point of entry or the gateway. As for mitigating new attacks, it is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution from suppliers to be applied to the devices. Applying all known patches and fixes to all devices in the network to prevent known attacks is necessary. Finally, it is important to have the relevant referrals in the policy and legislations to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies .

Preventing the DDoS

1. Keep the network secure

2. Install IDS (Intrusion Detection System)

3. Use scanning tools

4. Run zombie tools

   IDS pattern matching technologies have a database of signatures. When it finds packets that have a given pattern, it sets off an alarm.

The bandwidth used in DDoS attacks is important. Therefore, there should be proper coordination with the ISP and the ISP with the upstream providers. To prevent SYN flooding attacks, set up the TCP interception feature. Details about this can be found at http://www.cisco.com. Block the UDP and ICMP messages that are not required by the network. Especially permitting outgoing ICMP unreachable messages could multiply the impact of a packet flooding attack. Deny all traffic that is not explicitly needed for the servers run. Adopt multi-homing as a best practice.

If attacked, start countermeasures as soon as possible. The response should be to determine origins of spoofed DoS attacks. This should be done quickly as the router entries that allow traffic backtracking will expire a short time after the flood is halted. Be updated. Check exploits databases, for example at securityfocus.com, or packetstorm.Com, to make sure that the versions of server software are not proven vulnerable. Learn sufficiently enough about how the system and server software operates, and review configuration and the security measures that are applied frequently. Set up a system that generates cryptographic signatures of all binary and other trusted system files, and compare the changes to those files periodically. Additionally, using a system where you store the actual checksums on a different machine or removable media, to which a remote attacker cannot have access, is strongly recommended. If you detect an attack emerging from your networks or hosts, or if you are being contacted because of this, you must immediately shut down your systems, or at least disconnect any of the systems from any network. If such attacks are being run on your hosts, it means that the attacker has almost-full control of the machines. They should be analyzed , and then reinstalled.

Common IDS systems

1. Shareware

2. Snort

3. Shadow

4. Courtney

5. Commercial

6. ISS RealSecure

7. Axent NetProwler

8. Cisco Secure ID (Net Ranger)

9. Network Flight Recorder

10. Network Security Wizard's Dragon

An Intrusion Detection System (abbreviated as IDS) is a defense system, which detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress including reconnaissance/data collection phases that involve for example, port scans .

One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the thread posed by hackers).

Once an intrusion has been detected, IDS issues alerts notifying administrators of this fact. The next step is undertaken either by the administrators or the IDS itself, by taking advantage of additional countermeasures (specific block functions to terminate sessions, backup systems, routing connections to a system trap, legal infrastructure etc.) - following the organization's security policy.

There are two kinds of DDOS-generated traffic, control traffic (between DDOS client and servers) and flood traffic (between DDOS servers and DDOS victim).

Anomaly 0: This is not real "DDOS" traffic, but it can be a viable method of determining the origin of DDOS attacks. As observed by RFP, an attacker will have to resolve his victim's hostname before a DDOS attack. BIND name servers are capable of recording these requests. You can either send them a WINCH signal with 'kill' or you can specify query logging in the BIND configuration. A single PTR type query before an attack indicates the request was made from the attacker's host, a great load of PTR type query for a DDOS victim before an attack indicates that the flood servers have been fed a host name and each server was resolving the hostname for itself.

Anomaly 1: Amount of bandwidth exceeds a maximum threshold that is expected normal traffic for a site could cause. Alternatively, the threshold can be measures for addresses in the traffic. These are clear signs of flood traffic and ACL rules can be implemented on the backbone routers that detect these signs and filter traffic.

Anomaly 2: Oversized ICMP and UDP packets. Stateful UDP sessions are normally using small UDP packets, having a payload of not more than 10 bytes. Normal ICMP messages don't exceed 64 to 128 bytes. Packets that are reasonably bigger are suspicious of containing control traffic, mostly the encrypted target(s) and other options for the DDOS server. Once (non-decoy) control traffic is spotted, one of the DDOS servers' location is revealed, as the destination IP address is not spoofed in control traffic.

Anomaly 3: TCP packets (and UDP packets) that are not part of a connection. The stealthiest DDOS tools use random protocols, including connection-oriented protocols, to send data over non-connection-oriented channels. Using stateful firewalls or link-state routing can discover these packets. Additionally, packets that indicate connection requests with destination ports above 1024, with which no known service is registered and running, are highly suspicious.

Anomaly 4: Packet payload contains ONLY alphanumeric character (e.g. no spaces, punctuation, control characters). This can be a sign that the packet payload is BASE64-encoded, and therefore contains only base64 characters . TFN2K is sending such packets in its control traffic. A TFN2K (and TFN2K derivatives) specific pattern is a string of repeating A's (AAAA...) in the payload, since the buffer size is padded by the encryption routine. If the BASE64 encoding is not used, and the payload contains binary encrypted traffic, the A's will be trailing binary \0's.

Anomaly 5: Packet payload contains ONLY binary, high-bit characters. While this can be a binary file transfer (traffic transmitted over ports 20, 21, 80, etc. must be excluded if this rule is applied), especially if contained in packets that are not part of valid stateful traffic, it is suspicious of being non-base64 encoded, but encrypted control traffic that is being transmitted in the packet payload.

Some of the popular IDS are:

1. Shareware

2. Snort

3. Shadow

4. Courtney

5. Commercial

6. ISS RealSecure

7. Axent NetProwler

8. Cisco Secure ID (Net Ranger)

9. Network Flight Recorder

10. Network Security Wizard's Dragon

Use Scanning Tools

There are several tools available which could detect whether a system is being used as a DDOS server. The following tools can detect TFN2K, Trinoo and Stacheldraht.

1. Find_ddos

   (http://ftp.cert.org.tw/tools/Security_Scanner/find_ddos/)

2. SARA

   (http://www.cromwell-intl.com/security/468-netaudit.html)

3. DDoSPing v2.0

   (http://is-it-true.org/pt/ptips19.shtml)

4. RID

   (http://staff.washington.edu/dittrich/misc/ddos/)

5. Zombie Zapper

   (http:// razor .bindview.com/tools/zombiezapper_form.shtml)

The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing the files' strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools. If a file is considered a close enough match to one of these fingerprints , it is identified with that file. The tool will optionally make a copy of all files that are found to match. If it finds a match in a running process, it will also grab a core image of the process for subsequent analysis. Any matches that are found are also examined for any embedded IP addresses. All results are either displayed to the user's terminal, or stored in a log file.

The tool also looks for files named ".sr", "...", "mservers", and optionally makes a copy of them for later analysis. (These are common names for files that contain a list of blowfish-encrypted IP addresses. The blowfish encryption key can be found by examining the binary.)

The distributed denial-of-service tools that are detected by the tool are:

• mstream master

• mstream server

• stacheldraht client

• stacheldraht daemon

• stacheldraht master

• tfn-rush client

• tfn client

• tfn daemon

• tfn2k client

• tfn2k daemon

• trinoo daemon

• trinoo master

The tool must be run as root. The syntax of the tool is:

 ./find_ddos [-g grabdir] [-1 logfile] [-p] [-v] [-V] [-x exclude1] [scandir] 

SARA

SARA (Security Auditor's Research Assistant), a derivitive of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the http protocol (e.g. Mosaic, Netscape etc.)

primary_targets(s) can specify a:

host (e.g., www.microsoft.com ),

range (e.g., 192.168.0.12 “192.168.0.223)

subnet (e.g., 192.168.0.0/23)

When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface. When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network. SARA can generate reports of hosts by type, service, vulnerability and by trust relationship.

RID can detect any remote software that elicits a predefined response to a given set of packets. Examples are:

• The Trinoo distributed denial of service attack client.

• The Tribal flood network distributed denial of service attack client.

• The StachelDraht distributed denial of service attack client.

This list is not extensive -- the tool is highly configurable to suit specific needs. RID is not a vulnerability assessment tool. It is also -- not a network intrusion detection system in the sense that it does not continually run monitoring your network.

 Example: # Sample config file start AgentStacheldraht      send icmp type=0 id=668 data=""      recv icmp type=0 id=669 data="sicken" nmatch=2 end AgentStacheldraht 

Summary

• Denial of Service is a very commonly used attack methodology.

• Distributed Denial Of Service using a multiplicity of Zombie machines is an often seen attack methodology.

• There are various tools available for attackers to perpetrate DOS attacks.

• Protection against DOS is difficult due to the very nature of the attacks.

• Different scanning tools are available to aid detection and plugging of vulnerabilities leading to DOS