Denial of Service: First Hand OR: Now I know why I always hated the Smurfs

Alan Whinery, University of Hawaii ITS Telecom, August 10, 1999, whinery@hawaii.edu

Presentation Transcript


  1. Denial of Service: First Hand OR: Now I know why I always hated the Smurfs
     Alan Whinery, University of Hawaii ITS Telecom, August 10, 1999, whinery@hawaii.edu

  2. The Event Beginning on July 9, 1998, Internet connectivity was interrupted to the University of Hawaii, Hawaii State Government, and Honolulu and Maui County governments for a period of 27 hours, probably because someone didn’t like SPAM.

  3. Denial of Service
     • Attacker intends to:
       • affect the availability of a service to a user
       • affect the availability of a host
       • affect the availability of a network
     • Can affect large numbers of users
     • Often is an act of retribution

  4. Some Denial of Service Types
     • TCP SYN -- uses up system resources
     • ICMP FLOOD -- leveraged bandwidth attack (smurf)
     • UDP FLOOD -- leveraged bandwidth attack (fraggle)
     • NETBIOS Out-Of-Band -- send unknowns to Windows File Sharing
     • TEARDROP -- Windows TCP/IP -- wrong size packet (Teardrop, Bonk, Boink)
     • LAND -- Windows TCP/IP -- packets from self
     • ICMP Unreachable -- Spoofs connection failure

  6. ICMP FLOOD
     • Very easy to detect
     • Very hard to trace
     • Can’t be stopped with a firewall
     • Involves 3 groups
       • the attacker(s)
       • intermediate sites
       • the victim and everyone nearby

  7. Internet Control Message Protocol (ICMP)
     • Used to send info about packet delivery
       • network unreachable
       • host unreachable
       • port unreachable
     • Used to verify connectivity
       • echo request, echo reply
     • Also other stuff

  8. IP addresses
     • Every Internet host has at least one
     • A number that routers use to deliver data to the right machine
     • Special addresses
       • broadcast
       • multicast

  9. IP Broadcast address
     • An IP address that denotes every host in a network (i.e. a subnet or LAN)
     • For example: 128.171.6.255 would reach every host on the 128.171.6.X/24 network
     • AKA: network 128.171.6.0, mask 255.255.255.0

  10. IP Broadcast address Caution: You can’t necessarily identify an IP address as a broadcast by looking at it. Not all addresses that end in “255” are broadcasts. Not all broadcasts end in “255”. To identify an address as broadcast, you need the network mask.
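An added example (not from the presentation) that makes the caution concrete: the same address is or is not a broadcast depending on the mask, and Python's standard ipaddress module gives the answer once the mask is known. The addresses below extend the slide's 128.171.6.X example with constructed masks.

```python
import ipaddress


def broadcast_of(addr: str, mask: str) -> ipaddress.IPv4Address:
    """Return the directed-broadcast address of the subnet containing addr.

    mask may be a dotted netmask ("255.255.254.0") or a prefix length ("23").
    strict=False lets us hand in any host address, not just the network address.
    """
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return net.broadcast_address


def is_broadcast(addr: str, mask: str) -> bool:
    """True only if addr is the broadcast address of its own subnet under mask."""
    return ipaddress.ip_address(addr) == broadcast_of(addr, mask)


# Constructed cases matching the slide's two warnings.
CASES = [
    # (address, mask, is it a broadcast?)
    ("128.171.6.255", "255.255.255.0",   True),   # the slide's /24 example
    ("128.171.6.255", "255.255.254.0",   False),  # ends in 255, but the /23 broadcast is 128.171.7.255
    ("128.171.6.127", "255.255.255.128", True),   # a /25 broadcast that does not end in 255
    ("128.171.6.128", "255.255.255.128", False),  # network address of the upper /25
]


def check_cases():
    """Evaluate every case; useful as a sanity table for a subnet plan."""
    return [(addr, mask, is_broadcast(addr, mask)) for addr, mask, _ in CASES]
```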

  11. PING (ICMP Echo)

  12. Broadcast PING

  13. (Source) IP address spoofing
      • Def. -- sending packets with some other host’s IP address
      • Source addresses are not examined by routing equipment
      • Easy to stop with source-side access-control lists (ACL)

  14. Smurf

  15. The Players
      • UH ITS Network staff
      • Our ISP
      • 2500 hosts on 37 networks in North America, South America, and Europe
      • A bulk e-mail marketer
      • A neophyte mail administrator
      • The ugly, smelly perpetrator

  16. The Tools (1)
      • Traffic Graphs

  17. The Tools (2)
      • tcpdump
        • Unix software that allows watching traffic
        • Runs on SunOS, Solaris, Linux, FreeBSD
        • Esoteric but versatile

  18. The Tools (3,4,5,6)
      • whois (Internic, ARIN)
      • nslookup
      • An off-site e-mail account
      • A telephone
      • breakfast

  19. October 1997
      • The first “smurf” attack on UH occurs
      • ISP informs us that they will not act without an order from the FBI
      • The FBI is called; they do not call back

  20. November 1997
      • ISP informs us that we are among the intermediate sites in a “smurf” attack against one of their customers. They threaten to disconnect us if we don’t make it stop.

  21. July 8, 1998
      • A Unix host on the UH network is used to forward unsolicited email advertisements, also called “SPAM”

  22. July 9, 1998
      • 10:00 AM: All user traffic to and from the mainland stops
      • 10:15:
        • Attack is identified
        • samples of offending traffic are saved for analysis
      • 10:30:
        • Offending packets are blocked at the local Internet gateway, restoring local network function

  23. July 9, 1998 (cont’d)
      • 10:45: analysis of the traffic and continued monitoring indicates that the attacker is not on the UH network
      • The UH target host is identified as the same one that forwarded SPAM the day before
      • 11:00: ISP is notified. They don’t understand what we’re talking about

  24. July 9, 1998 (cont’d)
      • Calls begin to come in from intermediate sites. Most are threatening litigation unless we stop pinging them.
      • We identify all intermediate sites from the traffic samples
      • We begin emailing and faxing intermediates, providing an explanation of the attack and instructions for broadcast suppression and filtering for Cisco routers.

  25. July 9, 1998

  26. July 10, 1998
      • 7:00 AM: Our local Internet gateway router begins to reboot every couple of minutes
      • 11:00 AM: After dozens of conversations with the ISP, we have a conversation with an ISP employee who understands the problem and acts immediately to filter the traffic upstream
      • Internet access continues to be slow, due to the high load on the upstream router

  27. July 10, 1998
      • The attack, though filtered, continues for at least two more days

  28. July 10, 1998

  29. Investigation
      • Since the attacker forged the source addresses, finding him would require packet-level analysis on each link from the intermediate site to the attacker
      • Since the offending echo request stream is much smaller than the echo reply stream, it does not provide a high-traffic signature to trace the path to the attacker

  30. Investigation
      • Available “trace evidence”
        • list of recipients of the SPAM message probably includes the attacker
        • Some of the intermediate machines were on the same network as the attacker, since they had 10.X.X.X addresses
      • Finding the network with the 10.X.X.X addresses that were responding would provide a geographical subset of the SPAM recipients that might include the perpetrator

  31. Prevention is source-side
      • Baseline normal network behavior
      • Avoid being an intermediate site by configuring all routers to ignore echo requests to broadcast
      • Prevent the forwarding of SPAM
      • Prevent outbound IP spoofing
      • Actively seek out vulnerable hosts and deal with them
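An added example (not from the presentation) that models the two router-side controls from slides 13 and 31 as a Python border-filter check: refusing to forward packets addressed to the directed-broadcast address of a subnet behind the router, and dropping outbound packets whose source address is not one of the site's own prefixes. The prefixes and packets are constructed; on Cisco IOS the corresponding settings are `no ip directed-broadcast` on each interface and an access list that permits only the site's own source prefixes.

```python
import ipaddress

# Constructed site layout (not UH's real topology): the prefix this site may
# legitimately use in source addresses, and the subnets behind this router.
SITE_PREFIXES = [ipaddress.ip_network("128.171.0.0/16")]
CONNECTED_SUBNETS = [
    ipaddress.ip_network("128.171.6.0/24"),
    ipaddress.ip_network("128.171.8.0/23"),  # broadcast is 128.171.9.255, not .8.255
]


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of a subnet this router forwards onto.
    Dropping such packets is the broadcast suppression slide 31 asks for; on
    Cisco IOS that is 'no ip directed-broadcast' per interface."""
    d = ipaddress.ip_address(dst)
    return any(d == net.broadcast_address for net in CONNECTED_SUBNETS)


def is_spoofed_source(src: str) -> bool:
    """True if an outbound packet claims a source address the site does not own.
    A source-side ACL permitting only SITE_PREFIXES (slide 13) stops this."""
    s = ipaddress.ip_address(src)
    return not any(s in net for net in SITE_PREFIXES)


def filter_packet(src: str, dst: str, direction: str) -> str:
    """Decide what the border router does with one packet.
    direction is 'in' (arriving from the Internet) or 'out' (leaving the site).
    Returns 'forward' or a 'drop: ...' string naming the rule that fired."""
    if direction == "out" and is_spoofed_source(src):
        return "drop: spoofed source (egress ACL)"
    if direction == "in" and is_directed_broadcast(dst):
        return "drop: directed broadcast (amplifier suppression)"
    return "forward"


# Constructed packets: an inbound smurf trigger, an inbound unicast ping to a host
# address that merely ends in .255, an outbound forged packet, and a normal one.
EXAMPLES = [
    ("203.0.113.9", "128.171.6.255", "in"),
    ("203.0.113.9", "128.171.8.255", "in"),
    ("192.0.2.5", "203.0.113.9", "out"),
    ("128.171.6.10", "203.0.113.9", "out"),
]


def run_examples():
    """Apply the filter to every constructed packet and return the verdicts."""
    return [filter_packet(src, dst, direction) for src, dst, direction in EXAMPLES]
```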

  32. Issues
      • A large number of contact records at ARIN and Internic do not include useful contact information
      • The average site or network administrator does not command basic concepts necessary to effect security

  33. Questions? • ???