
A Brief History of Distributed Denial of Service Attacks



Presentation Transcript


  1. A Brief History of Distributed Denial of Service Attacks
     Uniforum Chicago, August 22, 2000
     Viki Navratilova, Security Architect, BlueMeteor, Inc.

  2. Tonight’s Talk
     • What is DDoS?
     • Famous DDoS incidents
     • Brief history of DDoS tools
     • What’s new in DDoS tools
     • Where to get more info on DDoS tools
     • <break>
     • How to keep DDoS from getting you down

  3. Denial of Service (DOS)
     • An attack to suspend the availability of a service
     • Early DOS – smashing the computer with a sledgehammer
     • Network DOS – modern times: prevent a network-based service from doing its job
     • Can be as easy as pulling the network plug

  4. What is DDoS?
     • Distributed Denial of Service
     • Many “zombie” computers ganging up on one computer, directed by one “master”, which is controlled by the attacker

  5. The Week of Famous DDoS Attacks
     • February 7–11, 2000
     • CNN, Yahoo, E-Bay, Datek taken down for several hours at a time due to traffic flooding
     • Under-administered computers at a California college used as the slave attack computers
     • Trinoo, Tribal Flood Network, TFN2K, and Stacheldraht suspected tools used in the attacks

  6. Early DDoS Tools (c. 1990? – 1997)
     • Simple 1-tier attacks – the computer with the bigger bandwidth wins and kicks the loser off the modem/IRC channel: ping flood, SYN flood, UDP flood
     • Smurf attack – early 2-tier attack: the attacker machine imitates the victim and gets everyone else to flood the real victim with ping replies

  7. Smurf Attack (2-tier) [diagram: the attacker sends broadcast pings to the slaves; the slaves’ ping replies go to the victim]

  8. Modern DDoS Tools
     • Once sites blocked broadcast pings, attackers found new ways to accomplish the same thing
     • DDoS tools gave a new way to communicate across networks to slave attack computers
     • Attacker has to infiltrate several slave computers with the DDoS slave client
     • Master client sometimes found on an ISP’s name server – unlikely to be taken off the network
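Slides 6 to 8 describe the Smurf amplification pattern: a ping to a directed-broadcast address whose source has been forged to be the victim, so every host on the subnet answers the victim. The detector below is an added example (not code from the slides or from any of the tools named) that runs over constructed, tcpdump-like ICMP summary lines and reports both sides of the pattern: sources that pinged one of our broadcast addresses (our site is being used as the amplifier, and the source is the forged victim address) and destinations receiving echo replies from many hosts they never pinged (the flood victim). The network range, the summary line format and the threshold are assumptions.

```python
"""Detecting a Smurf-style amplification attack from ICMP summary lines.

Added example, not from the original slides. A small detector is run over
constructed, tcpdump-like ICMP summary lines and reports two things a
defender wants to know:
  * which sources sent echo requests to a directed-broadcast address of
    one of our networks (our site is being used as the amplifier; the
    source is the forged victim address), and
  * which destinations received echo replies from many distinct hosts
    without having pinged them (that destination is the flood victim).
Our network range and the line format are assumptions for the example.
"""
import re
from collections import defaultdict
import ipaddress

OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]            # assumption
BROADCAST_ADDRS = {str(n.broadcast_address) for n in OUR_NETWORKS}

# Simplified summary format (assumption, not real tcpdump output):
#   "<src> > <dst>: ICMP echo request"  or  "<src> > <dst>: ICMP echo reply"
LINE_RE = re.compile(r"^(\S+) > (\S+): ICMP echo (request|reply)$")


def parse(line):
    """Return (src, dst, kind) or None for lines that are not ICMP echo."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def analyse(lines, reply_threshold=3):
    """Return (broadcast_ping_sources, victims).

    broadcast_ping_sources: sources of echo requests aimed at one of our
        broadcast addresses.
    victims: dst -> number of distinct hosts that sent it a reply with no
        matching request seen earlier, for dsts at or above the threshold.
    Lines are processed in order, so a reply captured before its request
    counts as unsolicited; a real detector would keep a time window.
    """
    broadcast_ping_sources = set()
    requests = set()                 # (requester, target) pairs seen so far
    unsolicited = defaultdict(set)   # dst -> sources of replies never asked for
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, kind = rec
        if kind == "request":
            requests.add((src, dst))
            if dst in BROADCAST_ADDRS:
                broadcast_ping_sources.add(src)
        elif (dst, src) not in requests:
            unsolicited[dst].add(src)
    victims = {dst: len(srcs) for dst, srcs in unsolicited.items()
               if len(srcs) >= reply_threshold}
    return broadcast_ping_sources, victims


# Constructed capture: one ordinary ping exchange, then a Smurf burst in
# which the request to our broadcast address carries the victim's address
# as its (forged) source and every host on the subnet answers the victim.
SAMPLE_LINES = [
    "198.51.100.7 > 192.0.2.10: ICMP echo request",
    "192.0.2.10 > 198.51.100.7: ICMP echo reply",
    "203.0.113.5 > 192.0.2.255: ICMP echo request",
    "192.0.2.10 > 203.0.113.5: ICMP echo reply",
    "192.0.2.11 > 203.0.113.5: ICMP echo reply",
    "192.0.2.12 > 203.0.113.5: ICMP echo reply",
    "some unrelated line",
]


if __name__ == "__main__":
    amplifier_abuse, victims = analyse(SAMPLE_LINES)
    print("broadcast pings from:", sorted(amplifier_abuse))
    print("flood victims:", victims)
```

The two signals are seen from different vantage points: the broadcast-ping check fires on the amplifier network, the unsolicited-reply count on the victim's network. The mitigation slide 8 alludes to is the first one: once directed-broadcast pings are blocked at the border, the amplifier signal disappears and attackers moved to the 3-tier tools that follow.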

  9. DDoS Attacks (3-tier) [diagram: attacker, master, three slaves, victim]

  10. Why DDoS Tools Suck for Your Network
     • Hard to trace to the original culprit
     • Difficult to cut off the flow of traffic attacking you because it’s coming from everywhere
     • Difficult to catch pre-attack communications between master and slave machines

  11. Trinoo – First Publicly Available DDoS Tool (c. 1997)
     • Attacker, master, slave communications via unencrypted UDP
     • Easy to detect communications and passwords
     • Attack method: UDP flood
     • Solaris & Linux machines

  12. Tribe Flood Network (TFN) (c. 1998)
     • Attacker & master communicate via unencrypted TCP, UDP, SSH, ICMP, telnet
     • No password required to run commands
     • Commands are sent as pre-determined 16-bit binary numbers
     • Master & slaves talk ICMP
     • DOS attacks available: ICMP, SYN, UDP, & Smurf-style floods
     • Linux & Solaris

  13. TFN2K (1999)
     • Builds on TFN
     • Decoy packets & other measures make traffic difficult to identify & filter
     • Fakes source address of communications
     • New attacks include malformed packet floods – greater devastation in fewer packets
     • Available for Unix & NT systems

  14. Stacheldraht (“Barbed Wire”) – Fine German Engineering (late 1999)
     • Master–slave communications require passwords
     • telnet-like encrypted connections over TCP and ICMP
     • Only way to prevent communications is to block all ICMP traffic (undesirable)
     • Ability to upgrade master & slave software via rcp – increases client functionality
     • Several DOS attacks like TFN
     • Solaris & Linux

  15. What’s New in DDoS Tools (since February 2000)
     • Shaft (Nov 1999) – modeled after Trinoo
        • Attacker–master: password-protected TCP; master–zombie: UDP
        • Can switch master servers and ports on the fly
        • Uses a ticket system to match zombies with their masters
        • Keeps zombie packet statistics
     • Mstream (April 2000)
        • Still in development
        • Attacker-to-master commands sent in one packet over unencrypted TCP – password protected
        • Master and zombies talk over UDP
        • All logged-in users (attackers) are notified of access attempts

  16. Where to Find More Info on DDoS Tools
     • Dave Dittrich’s white papers: http://staff.washington.edu/dittrich/misc/ddos
     • Packetstorm’s Distributed Attack Tools: http://packetstorm.security.com/distributed
     • CERT Coordination Center: http://www.cert.org

  17. Break

  18. How to Keep DDoS Tools from Getting You Down
     • Pay attention to your machines!
     • Egress filter your network, i.e. make sure whatever leaves your network only has source addresses that belong to you
     • Ingress filter – confirm that packets coming to you have source addresses that aren’t on your inside network
     • Use tcpdump (or snoop on Solaris) to capture logs, and report the incident to law enforcement (NIPC):
        tcpdump -i interface -s 1500 -w capture_file
        snoop -d interface -o capture_file -s 1500

  19. Cisco Router Configuration Options
     • ip verify unicast reverse-path: accepts a packet only if the return route to its source address goes out the interface the packet arrived on; otherwise drops it
     • Rate limit ICMP and SYN packets
     • Filter non-routable address space:
        interface xy
         ip access-group 101 in
        access-list 101 deny ip 10.0.0.0 0.255.255.255 any
        access-list 101 deny ip 192.168.0.0 0.0.255.255 any
        access-list 101 deny ip 172.16.0.0 0.15.255.255 any
        access-list 101 permit ip any any
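Slides 18 and 19 give four source-address checks that together stop a network from emitting or accepting forged packets: the egress filter, the ingress filter, the RFC 1918 deny list in access-list 101, and unicast reverse-path verification. The simulation below is an added example (not code from the slides or from Cisco IOS) that applies all four to constructed packet records so their overlap and their differences are visible; in particular it shows a packet that passes both access lists and is still dropped by strict uRPF. The address space, interface names and routing table are assumptions.

```python
"""Ingress/egress filtering, the bogon ACL, and strict uRPF, simulated.

Added example, not from the original slides. It applies the checks from
slides 18 and 19 to constructed packet records:
  * egress filter: a packet leaving our network must carry one of our
    source addresses,
  * ingress filter: a packet entering must not claim a source inside our
    network,
  * bogon filter: a packet entering must not come from the RFC 1918
    ranges denied by access-list 101, and
  * strict unicast RPF: the route back to the source must point out the
    interface the packet arrived on.
The address space, interface names and routing table are assumptions.
"""
import ipaddress

OUR_SPACE = [ipaddress.ip_network("192.0.2.0/24")]        # assumption

# The three ranges access-list 101 denies (10/8, 172.16/12, 192.168/16).
BOGONS = [ipaddress.ip_network(p)
          for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Routing table (assumption): prefix -> outgoing interface.  Longest match wins.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "inside",
    ipaddress.ip_network("198.51.100.0/24"): "outside",
    ipaddress.ip_network("203.0.113.0/24"): "peer",     # second upstream
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def route_interface(addr):
    """Interface the router would use to reach addr (longest-prefix match)."""
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def filter_packet(src, arrived_on):
    """Verdict for a packet with source address src that arrived on arrived_on.

    Packets arriving on 'inside' are leaving our network (egress filter);
    packets arriving on any other interface are entering it (ingress and
    bogon filters).  Strict uRPF is applied to both directions last.
    """
    a = ipaddress.ip_address(src)
    if arrived_on == "inside":
        if not _in_any(a, OUR_SPACE):
            return "drop:egress-spoof"      # inside host forging a foreign source
    else:
        if _in_any(a, OUR_SPACE):
            return "drop:ingress-spoof"     # outsider forging one of our addresses
        if _in_any(a, BOGONS):
            return "drop:bogon"             # matches access-list 101
    if route_interface(a) != arrived_on:
        return "drop:urpf"                  # reverse path disagrees with arrival
    return "pass"


# Constructed packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.10", "inside"),     # normal outbound traffic
    ("203.0.113.5", "inside"),    # inside host spoofing a foreign source
    ("198.51.100.7", "outside"),  # normal inbound traffic
    ("192.0.2.10", "outside"),    # outsider spoofing our address
    ("10.1.2.3", "outside"),      # RFC 1918 source, denied by the ACL
    ("203.0.113.9", "outside"),   # passes the ACLs but fails uRPF (route via peer)
]


def run_samples():
    """Return the verdict for each sample packet, in order."""
    return [filter_packet(src, iface) for src, iface in SAMPLE_PACKETS]


if __name__ == "__main__":
    for (src, iface), verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{src:>14} on {iface:<8} -> {verdict}")
```

The last sample packet is the case the access lists cannot express: its source is routable and not ours, but the router would reach it through the peer interface, so strict uRPF drops it. That is also why strict mode is only safe on interfaces with symmetric routing; on a multi-homed border where return paths legitimately differ, a loose check (is there any route to the source at all) is the usual compromise.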

  20. Tools to Help Detect DDoS Tools
     • NIPC tools – locate installations on the hard drive by scanning file contents: http://www.nipc.gov
     • Zombie Zapper – puts Trinoo, TFN, Stacheldraht, and Shaft zombies “to sleep” when flooding: http://razor.bindview.com
     • Remote Intrusion Detector (RID) – locates Trinoo, Stacheldraht, TFN on the network: http://www.theorygroup.com/Software/RID/

  21. Q & A

  22. Thank you
