220 likes | 510 Views
A Brief History of Distributed Denial of Service Attacks. Uniforum Chicago August 22, 2000 Viki Navratilova Security Architect, BlueMeteor, Inc. Tonight’s Talk. Wha t is DDoS? Famous DDoS incidents Brief History of DDoS tools What’s new in DDoS tools Where to get more info on DDoS tools
E N D
A Brief History of Distributed Denial of Service Attacks Uniforum Chicago August 22, 2000 Viki Navratilova Security Architect, BlueMeteor, Inc.
Tonight’s Talk • What is DDoS? • Famous DDoS incidents • Brief History of DDoS tools • What’s new in DDoS tools • Where to get more info on DDoS tools • <break> • How to keep DDoS from getting you down
An attack to suspend the availability of a service Early DOS – smashing computer with sledge hammer Network DOS – modern times Prevent a Network-based service from doing its job Can be as easy as pulling the network plug Denial of Service (DOS)
What is DDoS? • Distributed Denial of Service • Many “zombie” computers ganging up on one computer, directed by one “master”, which is controlled by the attacker
The Week of Famous DDoS Attacks • February 7-11 2000 • CNN, Yahoo, E-Bay, Datek taken down for several hours at a time due to traffic flooding • Underadministrated computers at California college used as the slave attack computers • Trinoo, Tribal Flood Network, TFN2K, and Stacheldraht suspected tools used in attacks
Simple 1-tier attacks – computer with bigger bandwidth wins, kicks loser off modem/irc channel Ping flood SYN flood UDP flood Smurf Attack – early 2-tier attack Attacker machine imitates victim, gets everyone to flood real victim Ping flood Early DDoS Tools(c. 1990? – 1997)
Smurf Attack (2-tier) 31337! Broadcast Pings Ping Replies slaves victim
Modern DDoS Tools • Once sites blocked broadcast pings, attackers found new ways to accomplish same things • DDoS tools gave new way to communicate across networks to slave attack computers • Attacker has to infiltrate several slave computers with DDoS slave client • Master client sometimes found on ISP’s name server – unlikely to be taken off network
DDoS Attacks (3-tier) D00d! Master Slave Slave Slave Victim
Why DDoS Tools Suck for Your Network • Hard to Trace to original culprit • Difficult to cut off flow of traffic attacking you because it’s coming from everywhere • Difficult to catch pre-attack communications between master and slave machines
Trinoo – First Publicly Available DDoS Tool (c. 1997) • Attacker, Master, Slave Communications via unencrypted UDP • Easy to detect communications and passwords • Attack Method : UDP Flood • Solaris & Linux machines
Tribe Flood Network (TFN) (c. 1998) • Attacker & Master communicate via unencrypted TCP, UDP, SSH, ICMP, telnet • No password required to run commands • Commands are sent as pre-determined 16-bit binary numbers • Master & Slaves talk ICMP • DOS Attacks available : ICMP, SYN, UDP, &Smurf-style Floods • Linux & Solaris
TFN2K (1999) • Builds on TFN • Decoy packets & other measures make traffic difficult to identify & filter • Fakes source address of communications • New attacks include malformed packet floods – greater devastation in fewer packets • Available for Unix & NT Systems
Stacheldraht “Barbed Wire” Fine German Engineering (late 1999) • Master – Slave communications require passwords • telnet-like encrypted connections over TCP and ICMP • Only way to prevent communications is to block all ICMP traffic (undesirable) • Ability to upgrade master & slave software via rcp – increases client functionality • Several DOS attacks like TFN • Solaris & Linux
What’s New in DDoS Tools (since February 2000) • Shaft (Nov 1999) – modeled after Trinoo • Attacker-master : password : tcp / master-zombie : udp • Can switch master servers and ports on the fly • Uses ticket system to match zombies with their masters • Keeps zombie packet statistics • Mstream (April 2000) • Still in development • Attacker to master commands sent in one packet over unencrypted TCP – password protected • Master and zombies talk over udp • All logged in users (attackers) are notified of access attempts
Where to Find More Info on DDoS Tools • Dave Dittrich’s White Papers http://staff.washington.edu/dittrich/misc/ddos • Packetstorm’s Distributed Attack Tools http://packetstorm.security.com/distributed • CERT Coordination Center http://www.cert.org
How to Keep DDoS Tools from Getting You Down • Pay attention to your machines! • Egress filter your network, i.e. make sure whatever comes out of your network only has source addresses that belong to you • Ingress filter – confirm that packets coming to you have source addresses that aren’t on your inside network • Use tcpdump on Solaris or Linux to capture logs, and report incident to law enforcement (NIPC) tcpdump –i interface –s 1500 –w capture_file snoop –d interface –o capture_file –s 1500
Cisco Router Configuration Options • Ip verify unicast reverse-path : confirms packets that arrive should be going back on same interface, otherwise drops • Rate limit ICMP and SYN packets • Filter non-routable address space: Interface xy ip access-group 101 in access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 permit ip any any
Tools to Help Detect DDoS Tools • NIPC Tools – locates installations on hard drive by scanning file contents http://www.nipc.gov • Zombie Zapper – puts Trinoo, TFN, Stacheldraht, and Shaft zombies “to sleep” when flooding http://razor.bindview.com • Remote Intrusion Detector (RID) : Locates Trinoo, Stacheldraht, TFN on network http://www.theorygroup.com/Software/RID/