Denial of Services: Limiting the Threat
Posted on 13-Nov-2014
INFO SEC AFRICA
Limiting the threat of Denial of Service Attacks
February 2001
© Charl van der Walt, www.sensepost.com
Denial of Service: Limiting the Threat
AGENDA
1. CASE STUDY
– Wake up call February 2000
2. THE BASICS
– Understanding the 'Net
– Understanding DoS
3. THE NEW KID ON THE BLOCK - HELLO DDoS
– Introducing Co-ordinated Distributed Attacks
– Profile of a typical attack
– Common DDoS attack tools
4. DEFENDING YOURSELF & YOUR FRIENDS
– Strategies for availability
– Join the team - global defense efforts
– Getting greasy
5. RESPONDING TO DoS ATTACKS
– What to do when your number's up
6. THE BOTTOM LINE
– Questions & Conclusions
Hi! All about me.
Introduction
• About me
• SensePost
• Objective
• Approach
• References:
– http://www.sensepost.com
– charl@sensepost.com
– info@sensepost.com
"Discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention."
Charles Tomlinson, Rudimentary Treatise on the Construction of Locks, 1850
Ooh! The scary stuff
February Fun
• Major attack launched between February 7 and 14 2000
• Approximately 1,200 sites affected
• Including a number of high profile sites:
– CNN.com, Yahoo, eBay, Amazon, Dell, Buy.com
• Simple bandwidth usage
• Yahoo! attack lasted from about 10:30 a.m. till 1 p.m.
– requests totaled roughly 1 gigabit per second
• Canadian teen "Mafiaboy" arrested in April
– pleads guilty to 55 charges in Montreal, November 2000
– Faces 2 years & US$650
February Fun - the aftermath
• FBI estimates that DoS attacks during February 2000 cost $1.2 billion
• eBay's share price fell 25% the day after its website was taken down, costing them a total of US$1.2bn. They reportedly spent US$100,000 in securing their site against further attacks.
Future Imperfect - predictions 2001
Peter G. Neumann, SRI International:
"We are likely to see some organized, possibly collaborative, attacks that do some real damage, perhaps to our critical infrastructures, perhaps to our financial systems, perhaps to government systems, all of which have significant vulnerabilities."
Bruce Moulton, Fidelity Investments:
"Hacktivism and other cyber attacks emanating from countries with weak or non-existent legal sanctions and investigative capabilities will escalate. This is likely to be the root of at least one headline-grabbing cyber incident (much bigger than DDOS or LoveBug) that will send a loud wake-up call to the commercial sector."
Marcus H. Sachs, US Department of Defense:
"2001 will also see continued development of distributed denial of service attack networks. These attack networks will no longer rely on manual establishment by the attacker, but will automatically establish themselves through the use of mobile code and html scripting."
The Nuts & Bolts Stuff
Understanding the 'Net
Understanding DoS
An attack that causes a service not to function as expected, thus denying the legitimate owner fair return on investment.
"The real requirement is not quick recovery but the absence of outages"
"We talk today of 'Internet Time'; the Internet does not allow for delays"
Steven J. Ross, Information Systems Control, March 2000
Why do DoS?
• Vandalism
• Revenge
• Political
• Economic
• Means of access
– Crashed system in unpredictable state
– As part of a spoofing attack
– Some application may have holes at startup
• Firewalls
– Keep the good guys out
– Get stuff to run under Windows
– Exploit startup services (bootp or boot-from-NIC)
How DoS works
• Resource consumption
– Local or remote
– Disk space, swap space, RAM, CPU, bandwidth, kernel space, cache
• System crash
– Application error
– Out of bound values (input, traffic etc.; divide by zero)
– Resource over-utilization
• Physical DoS
Classical DoS examples
• Endless loops
– Directory creation or nose-to-tail processes
• Virus & worms
• Email bombing
• FTP malformed user
• IIS 3.0 "Get //"
• Eeye buffer overflow oops
• Flood ping
• SYN Flood
• Ping of Death
• Winnuke
• Teardrop
DoS using Amplifiers - SMURF
check: www.netscan.org
Revisiting SYN floods
• TCP connection is established via a 3-way handshake
– SYN
– SYN/ACK
– ACK
• SYN flood is based on an incomplete handshake
– SYN but not ACK
• TCP/IP stack adds an entry in a table in kernel memory for each SYN received.
– Waits a while before deleting the entry
– Can't accept connections when the table is already full
• A heavy flood can prevent legitimate connections.
New Kid on the block - DDoS
Profile of a typical attack
• Initiate a scan phase in which a large number of hosts (100,000 or more) are probed for a known vulnerability.
• Compromise the vulnerable hosts to gain access.
• Rootkit
• Install the tool on each host.
• Use the compromised hosts for further scanning and compromises.
• Via automated processes a single host can be compromised in under 5 seconds.
Building an attack network
• August 1999, a trinoo network of 2,200 systems used against the University of Minnesota and others
• Assuming 3 to 6 seconds for each host, pre-selection of the target systems gives 2 - 4 hours to set up
Common DDoS tools
• Trin00
– First generation
– UDP flood attack
– Hardcoded password on daemon (no crypto)
– 1524 & 27665 tcp, 27444 & 31335 udp
– Ported to Windows
– Cannot spoof (couldn't)
• Tribal Flood Network (TFN)
– UDP flood, SYN Flood, Ping Flood, SMURF
– Capable of using spoofed source IPs (random)
– Recent versions use Blowfish encryption on config files
– ICMP ECHO and ICMP ECHO REPLY packets for communications
Common DDoS tools (continued)
• Stacheldraht
– Evolved system
– Combines TFN & Trinoo
– Encrypted comms & auto-update
– 16660 & 65000 tcp
– ICMP ECHO & ICMP ECHO REPLY
• Also:
– Stacheldraht v 2.666
– TFN2K
– shaft
– mstream
• http://packetstorm.securify.com/distributed/
The challenge of DDoS
• You may be down
• Spoofed addresses
– Technically difficult to trace
• Diverse network ownership
– You don't control the infrastructure
– Neither does your ISP
• Different Time Zones
– Hello, is that Singapore?
• Language
– Sprechen Sie Deutsch?
• National boundaries
• Differing legislation
• Protecting legitimate users
– You can't block 196.4.160.0/16
Boom! Assessing the impact
What me worry?!
• Loss in productivity
• Human resources
– Internal & external
• Loss of reputation
• Lost confidence
– in your service & in e-business in general
• Lost transaction revenue
• Lost customer base
• Share price manipulation
– Share holders, staff, working capital
• Liability costs
RSA DDoS (in the motherland)
• JSE-listed NetActive reportedly experienced two attacks in April 2000
• The Edcon group reportedly lost R1bn when a disgruntled programmer brought down 600 stores for a whole day
• irc.posix.co.za
– January 2001
– Classic SMURF
– Killed the server
– Affected all POSIX clients
Whoah Cowboy!
icsa.net, February 2000:
"The Internet has now taken a drastic 'hit' to its reliability and integrity due to the recent DDoS attacks. It is only through the cooperation and unification of all Internet users that we will find the solution - and stop DDoS from taking the Internet out from under our commerce, education, communities, and individuals."
But has it really been all that bad?
Pow! Fighting back
DoS defense strategies
• Think global
• Plan for disaster
• Clean up your act:
– Broadcasts
– Ingress & Egress Filtering
– Host Security
– Scanning & IDS
– Logging
• Put pressure on your ISP:
– Ingress & Egress filtering
– Policies & Procedures
– Logging
• Defend yourself
• Be honest
– Share your experiences
Ingress Filtering
• RFC 2267
• Filter on the 'input' device of a router
• Eliminates source address spoofing
– Enables us to trace the attacker
• Restrict traffic to legitimate downstream networks
• Should be implemented at all levels
– CORE
– ISP
– Border
• Issues:
– Special network services: Mobile IP, Layer 2 Tunneling, IPSec, special source addresses
Egress Filtering
• RFC 1918
• Outbound interface
• Spoofed IPs (Ingress)
• Implemented on border router
• Deny Private & Reserved Source IP Addresses
• Disable directed broadcasts
Planning for disaster
• Be convinced that the Internet is not a friendly place
• Be prepared to detect failure (malicious or accidental)
• Mirror critical resources
– geographically remote from the original
• Create transparent alternative entry points
• Implement switching in the case of failure
– Must be considered during the design phase
• Analyse, plan, communicate, test
DDoS - Defending yourself
• Sufficient bandwidth
• Redundant design
– BGP4 routing
• Filters @ ISP
• Filter @ home
– ACL
– Rate Limiting
– Stack buffering
• Load balance
• Resilient Platform
• Platform optimization
– Line speed
– Disk space
– Swap space
– Kernel Tables
• Service Optimization
• Monitors & IDS
Protecting web servers from DoS
• Have redundant servers
• Bandwidth & Redundant Routing
– Consider fronting at an ISP
• Consider a redirection site as a front-end
– Easily move your servers around
• Assign multiple IP addresses
• Dynamically move requests to different IP addresses.
Responding to a DoS attack
• Implement your plan
• Shut down unnecessary services
• Generate logs
• Communicate
– ISP
– Security Community
– Law enforcement
• Implement filters
• Try different responses
– ICMP reject, host not available, redirect, source quench
• Shun via your ISP
• Contact the middleman
• Share your experience
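"Generate logs" and "Monitors & IDS" are only useful if someone turns the logs into a signal. The following is an added example, not part of the original slides: a small Python detector that reads tcpdump-style lines (a simplified form of the "Flags [S]" output; the format, the documentation-range addresses and every capture line are constructed here) and flags the half-open pattern described under "Revisiting SYN floods": many SYNs per second, few of them followed by the client's final ACK, spread across many source addresses.

```python
import random
import re
from collections import defaultdict

# Added example (not from the slides): a tcpdump-style SYN-flood detector.
# Every capture line used here is constructed; the addresses are documentation
# ranges and the format is a simplified form of tcpdump's "Flags [S]" output.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[SRPFW.]+)\]"
)


def build_sample_capture(seed=7):
    """Constructed capture: second 0 holds five normal handshakes; second 1 holds
    300 SYNs from random (spoofed) sources that are never acknowledged, plus three
    normal clients. Only the client-to-server direction is shown."""
    rng = random.Random(seed)
    lines = []
    for i in range(5):
        peer = f"192.0.2.{10 + i}.{40000 + i} > 203.0.113.10.80"
        lines.append(f"0.{100 + i * 10:03d} IP {peer}: Flags [S]")   # SYN
        lines.append(f"0.{105 + i * 10:03d} IP {peer}: Flags [.]")   # final ACK of the handshake
    for i in range(300):
        src = ".".join(str(rng.randrange(1, 224)) if n == 0 else str(rng.randrange(1, 255))
                       for n in range(4))
        lines.append(f"1.{i:03d} IP {src}.{rng.randrange(1024, 65536)} > 203.0.113.10.80: Flags [S]")
    for i in range(3):
        peer = f"192.0.2.{20 + i}.{50000 + i} > 203.0.113.10.80"
        lines.append(f"1.{400 + i:03d} IP {peer}: Flags [S]")
        lines.append(f"1.{450 + i:03d} IP {peer}: Flags [.]")
    return lines


def analyze(lines, syn_threshold=100, completion_threshold=0.2):
    """Per one-second window: SYN count, distinct sources, and the fraction of
    SYNs followed by a bare ACK from the same 4-tuple. A window with many SYNs
    and a low completion ratio is the half-open pattern the slides describe."""
    syns = defaultdict(set)   # window -> 4-tuples that sent a SYN
    acks = defaultdict(set)   # window -> 4-tuples that sent a bare ACK
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in another format
        window = int(float(m["ts"]))
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        if "S" in m["flags"]:
            syns[window].add(key)
        elif m["flags"] == ".":
            acks[window].add(key)
    report = []
    for window in sorted(syns):
        total = len(syns[window])
        completed = len(syns[window] & acks[window])
        ratio = completed / total
        report.append({
            "window": window,
            "syns": total,
            "distinct_sources": len({k[0] for k in syns[window]}),
            "completion": round(ratio, 3),
            "alert": total >= syn_threshold and ratio < completion_threshold,
        })
    return report


if __name__ == "__main__":
    for row in analyze(build_sample_capture()):
        print(row)
```

The thresholds are deliberately simple; on a real border the SYN rate that counts as abnormal is whatever sits well above the server's normal peak, and the distinct-source count is what separates a spoofed flood from a single misbehaving client that can simply be filtered.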
Getting Greasy
Configuration Examples - CISCO
• Use the ip verify unicast reverse-path command
– checks that there is a route back to the source via the same interface on which it arrives
– may be effective against spoofing in simple environments (like POPs)
• Filter all RFC1918 address space using access control lists
• Apply ingress and egress filtering using ACL
– See RFC 2267
– Can also be done with RPF under CEF
• Use CAR to rate limit ICMP packets
• Configure rate limiting for SYN packets
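The "Ingress Filtering", "Egress Filtering" and Cisco slides describe three separate checks that are easy to confuse. As an added illustration (not Cisco configuration and not from the slides), the Python model below applies each of them to constructed packets crossing a border router with one ISP-facing and two customer-facing interfaces: RFC 2267 ingress filtering (a customer may only source its own prefixes), the private/reserved source filter from RFC 1918, a unicast reverse-path check of the kind `ip verify unicast reverse-path` performs, and a directed-broadcast drop. Interface names, prefixes and the routing table are assumptions chosen for the example.

```python
import ipaddress

# Added example (not Cisco configuration and not from the slides): a model of a
# border router applying the checks the slides list, so the effect of each can
# be exercised on constructed packets. Interface names, prefixes and the routing
# table are constructed; all addresses are documentation ranges.

# Private (RFC 1918) and reserved source space that should never cross the border.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",       # this-net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                       # multicast, reserved
)]


class BorderRouter:
    def __init__(self, upstream, downstream, routes):
        self.upstream = upstream
        # RFC 2267 ingress policy: each customer-facing interface and the prefixes
        # that customer may legitimately use as a source address.
        self.downstream = {i: [ipaddress.ip_network(p) for p in ps] for i, ps in downstream.items()}
        # Routing table as (prefix, outgoing interface); longest prefix wins.
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def best_route(self, addr):
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def forward(self, iface, src, dst):
        """Return ("DROP", reason) or ("FORWARD", outgoing_interface)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

        # 1. Ingress filtering (RFC 2267): a customer may only source its own prefixes.
        if iface in self.downstream and not any(src in n for n in self.downstream[iface]):
            return ("DROP", "ingress: source not in this interface's downstream prefixes")

        # 2. Private/reserved sources must not enter from, or leave towards, the upstream.
        #    With ingress filtering in place this mainly catches what arrives from outside.
        crosses_border = iface == self.upstream or self.best_route(dst) == self.upstream
        if crosses_border and any(src in n for n in BOGON_SOURCES):
            return ("DROP", "egress/border: private or reserved source address")

        # 3. Unicast reverse-path check (what "ip verify unicast reverse-path" does):
        #    the best route back to the source must leave via the arrival interface.
        if self.best_route(src) != iface:
            return ("DROP", "uRPF: no route back to source via arrival interface")

        # 4. No directed broadcasts from outside into attached networks (smurf amplifier).
        if iface == self.upstream and any(dst == n.broadcast_address
                                          for nets in self.downstream.values() for n in nets):
            return ("DROP", "directed broadcast into attached network")

        return ("FORWARD", self.best_route(dst))


# Constructed topology: eth0 faces the ISP, eth1 and eth2 face two customers.
ROUTER = BorderRouter(
    upstream="eth0",
    downstream={"eth1": ["192.0.2.0/24"], "eth2": ["198.51.100.0/24"]},
    routes=[("192.0.2.0/24", "eth1"), ("198.51.100.0/24", "eth2"), ("0.0.0.0/0", "eth0")],
)


def run_examples():
    packets = [
        ("eth1", "192.0.2.10", "203.0.113.5"),     # customer sends with its own address
        ("eth1", "198.51.100.9", "203.0.113.5"),   # customer spoofs the other customer
        ("eth1", "10.0.0.5", "203.0.113.5"),       # customer spoofs RFC 1918 space
        ("eth0", "192.0.2.10", "203.0.113.5"),     # our own prefix arriving from the Internet
        ("eth0", "10.0.0.5", "192.0.2.10"),        # RFC 1918 source arriving from the Internet
        ("eth0", "203.0.113.5", "192.0.2.255"),    # directed broadcast (smurf amplifier)
        ("eth0", "203.0.113.5", "192.0.2.10"),     # ordinary inbound traffic
    ]
    return [(p, ROUTER.forward(*p)) for p in packets]


if __name__ == "__main__":
    for packet, verdict in run_examples():
        print(packet, "->", verdict)
```

The ordering matters in the way the slides hint at: the reverse-path check only works in "simple environments" because it assumes symmetric routing, whereas the explicit ingress prefix list on each customer interface works regardless of routing and is what actually removes the spoofing the DDoS tools rely on.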
Interesting other stuff
Things to consider
• The Internet is probably not your main income generator
• There's more than one way to skin a cat
– Physical attacks on infrastructure
– Hardware theft
– DNS & other upstream services
– Viruses & other content-borne attacks
– Get "Slashdotted"
• Who's responsible for your family jewels?
• It could get worse:
– Imagine an MS-based worm attack
– http://www.hackernews.com/bufferoverflow/99/nitmar/nitmar1.html
Other possible tricks
• IPv6
– Should make it possible
• Enhancements to IPv4
– ICMP traceback message? For selected packets the router sends a packet indicating the previous hop for that packet
– Congestion control techniques: too many packet drops on a particular line triggers a message to the upstream host.
– Use hashed 'cookies' instead of a connection table
– Randomly drop pending connections when the table gets full
• IPSec?
• ISP injects HTTP redirects on the net on upstream paths to combat attacks
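The "hashed 'cookies' instead of a connection table" idea above is the fix for exactly the kernel-table exhaustion described under "Revisiting SYN floods". The Python below is an added example, not part of the slides or of any real TCP stack: it puts a listener with a bounded half-open table beside one that keeps no per-SYN state and instead encodes a time counter, an MSS index and a keyed hash of the 4-tuple into the initial sequence number, then verifies that value when the client's ACK returns. The 32-bit cookie layout, the secret, the MSS table and all traffic are constructed assumptions chosen to show the mechanism.

```python
import hashlib
import hmac
import random
from collections import OrderedDict

# Added example (not from the slides): a toy listener with the bounded half-open
# table from the "Revisiting SYN floods" slide, beside the same listener using
# SYN cookies ("hashed cookies instead of a connection table"). The cookie
# layout, secret, MSS table and all traffic are constructed assumptions.

SECRET = b"constructed-per-host-secret"   # assumption: rotated periodically in practice
MSS_TABLE = [536, 1220, 1440, 1460]       # assumption: MSS values the 3-bit field can encode


def syn_cookie(src, sport, dst, dport, tick, mss_idx):
    """Server ISN: 5-bit time counter | 3-bit MSS index | 24-bit MAC over the 4-tuple and time."""
    tick &= 0x1F
    msg = f"{src}:{sport}>{dst}:{dport}|{tick}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (tick << 27) | ((mss_idx & 0x7) << 24) | mac


def check_cookie(src, sport, dst, dport, cookie, now, max_age=2):
    """Return the MSS if the cookie is genuine and fresh, else None."""
    tick = cookie >> 27
    if (now - tick) & 0x1F > max_age:
        return None                          # stale: replayed or very old ACK
    mss_idx = (cookie >> 24) & 0x7
    if syn_cookie(src, sport, dst, dport, tick, mss_idx) != cookie:
        return None                          # forged, or wrong 4-tuple
    return MSS_TABLE[mss_idx]


class BacklogListener:
    """Keeps one table entry per SYN until the ACK arrives or the entry times out."""
    def __init__(self, backlog=256, timeout=60):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = OrderedDict()       # (src, sport) -> expiry tick
        self.established, self.dropped_syns = [], 0

    def _expire(self, now):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, key, now):
        self._expire(now)
        if key in self.half_open:
            return "SYN/ACK"
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1           # table full: legitimate SYNs are lost here
            return "DROP"
        self.half_open[key] = now + self.timeout
        return "SYN/ACK"

    def on_ack(self, key, now):
        self._expire(now)
        if key not in self.half_open:
            return "RST"
        del self.half_open[key]
        self.established.append(key)
        return "ESTABLISHED"


class CookieListener:
    """Stores nothing per SYN; the state lives in the ISN the client must echo back."""
    def __init__(self, dst="203.0.113.10", dport=80):
        self.dst, self.dport, self.established = dst, dport, []

    def on_syn(self, src, sport, mss, now):
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
        return syn_cookie(src, sport, self.dst, self.dport, now, mss_idx)   # sent as SYN/ACK seq

    def on_ack(self, src, sport, ack, now):
        mss = check_cookie(src, sport, self.dst, self.dport, (ack - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return "RST"
        self.established.append((src, sport, mss))
        return "ESTABLISHED"


def simulate(flood_syns=5000):
    """Spoofed SYNs that are never acknowledged, then one legitimate client."""
    rng = random.Random(1)
    table, cookies = BacklogListener(), CookieListener()
    for _ in range(flood_syns):
        src, sport = f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536)
        table.on_syn((src, sport), now=1)
        cookies.on_syn(src, sport, 1460, now=1)
    legit = ("192.0.2.7", 40000)
    isn = cookies.on_syn(*legit, mss=1460, now=2)
    return {
        "table_syn": table.on_syn(legit, now=2),                       # table is full -> DROP
        "table_dropped": table.dropped_syns,
        "cookie_ack": cookies.on_ack(*legit, ack=isn + 1, now=3),      # ESTABLISHED
        "forged_ack": cookies.on_ack(*legit, ack=0x12345678, now=3),   # RST
        "stale_ack": cookies.on_ack(*legit, ack=isn + 1, now=40),      # RST
        "cookie_mss": cookies.established[0][2] if cookies.established else None,
    }


if __name__ == "__main__":
    print(simulate())
```

The trade-off the slides gloss over is visible in the code: with cookies the server keeps no state, so it also cannot remember negotiated options beyond what fits in the few bits of the ISN, which is why real stacks only switch to cookies once the backlog is actually full rather than using them for every connection.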
DoS the SA way
• The Lainsburg DOS attack:
– Flood all Telkom manholes with water.
• The Johnnie Walker DOS attack
– Bribe a Telkom techie with some whiskey to disconnect a circuit.
• The Big Boss DOS attack
– Get a well connected person to organise a lightning strike on a Telkom DP
• The Ford F4 DOS attack
– Drive over a streetbox at high speed
THE BOTTOM LINE
1. DDoS is a global problem
2. DDoS requires a global solution
3. A fight on three fronts
– Source
– Middleman
– Victim
4. Keep your nose clean
5. Plan for the worst
6. Let's do it to them before they do it to us
questions?