dos attack: udp flooder li xiaoming valon sejdini hasan chowdhury

DOS Attack: UDP Flooder

Li Xiaoming

Valon Sejdini

Hasan Chowdhury

DOS Attack: UDP Flooding Attack

Content:

DOS and UDP flooder Lab setup and Test and Result Counter Measures for UDP flood attack

“A new kind of denial-of-service attack has emerged that delivers a heftier blow

to organizations' systems than previously seen DOS threats!”

VeriSign's security chief

Source: http://news.zdnet.com/2100-1009_22-6050688.html


DOS Attack: UDP Flooder In less than two months, 1,500 separate Internet

Protocol addresses were attacked using this method, he noted

These attacks have been significantly larger than anything we've seen," he said

Under a more common DOS attack, a network of bots, or compromised PCs commandeered by remote attackers, directly inundates a victim's Web server, name server or mail server with a multitude of queries. The goal of a DOS attack is to crash the victim's system, as it tries to respond to the requests.


Under a more common DOS attack, a network of bots, or compromised PCs commandeered by remote attackers, directly inundates a victim's Web server, name server or mail server with a multitude of queries. The goal of a DOS attack is to crash the victim's system, as it tries to respond to the requests.

But in this latest spate of DOS attacks, bots are sending queries to DNS (domain name system) servers with the return address pointed at the targeted victim. As a result, the DNS server, rather than the bot, makes the direct attack on the victim. The net result is a stronger attack and an increased difficulty in stopping it, Silva said.



Denial of Service (DoS) attack is coordinated attacks performed by hackers to disable a particular computer service through manipulation of techniques those are used to provide the services.

Some of the techniques used by hackers are branded as: SYN Flooding, UDP flooding, Stack Overflow, etc.

Our part is DOS attack with UDP flooding


A Denial of Service (DoS) attack is an attack for preventing legitimate users from using a specific resource such as web services, network or a host. DoS attack using UDP flooding is a technique that executes the attack using the UDP packets. During the year 1998-2000 security specialist discovered “DoS attack with UDP flooding” vulnerabilities in many of the Systems including Microsoft products.



Vulnerabilities were discovered in ACE/Server in its port 5000 against Fraggle attack

Cisco has also discovered vulnerabilities of its IOS software in routers against diagnostic port where attacker used two ports namely diagnostics ports and chargen port as attacking media to attack using UDP flooding.

Although DoS attack with UDP flooding are not new, there is still a significant risk exists of such attack as the new technique of DoS attack are being invented by the hackers.


Motivation of DoS Attack• The motivation for DoS attacks is not to break into

a system but to make the target system deny the legitimate user giving service. This will typically happen through one of the following ways:

• Crashing the target host system.• Disabling communication between systems. • Make the network or the system down or have it

operate at a lower speed to reduce productivity. • Freeze the system, so that there is no automatic

reboot, so that, production is disrupted.


Our motivation:• To generate a real UDP flooding attack based on

testbed setup in a laboratory environment• Observation of effect of the simulated attack• Observation of ability and effect of a

countermeasuring tool (IDS) to detect such attack.


DoS Attack Classes:• Bandwidth Depletion attack - floods a victim network and

thereby prevents authorized traffic from reaching and getting the service of the targeted victim.

• Resource Depletion attack - bind the resources of the target victim’s system (such as processor) making the victim unable to process valid requests for services.

** Among the other flooding tools, UDP flooding is also used to deplete bandwidth or resources of the victim system.

**Flood attacks are being launched either with UDP or ICMP packets.


Flood Attack• In this kind of attack, the network of the victims

system is flooded with a large number of packets by the attacker to deplete the network bandwidth and thereby making the victim’s systems performance degradation or sometimes system crash. Due to saturation of the network bandwidth of the victim’s system, the legitimate users of the system are prevented from accessing the system.

In a UDP Flood attack, numerous amounts of UDP packets are sent to either random or specified ports on the victim system.

To determine the requested application, the victim system processes the incoming data.

In case of absence of the requested application on the requested port, the victim system sends a “Destination unreachable” message to the sender (attacker).

In order to hide the identity of the attacker, the attacker often spoofs the source IP address of the attacking packets.

UDP flood attacks may also depletes the bandwidth of network around the victim’s system.

Thereby, the systems around the victim are also impacted due to the UDP flooding attack.


DOS Attack: UDP Flooder The Fraggle Attack• This type of attack is usually used in UNIX and its family of OS

platform, as well as, in network Routers and similar products. There are at least two service ports available (1) Echo (port #7 and (2) Chargen (port # 19) in this kind of OS or devices. Attacker sends UDP ECHO packets to the port that supports character generation (chargen port), with the return address spoofed to the victim’s echo service (echo port) creating an infinite loop.

• The UDP ECHO packet (called as UDP Fraggle packet) targets the character generator (chargen port) of the systems reached by the broadcast address.

• The chargen port generates a character and sends the same to the echo service (echo port) of the victim’s system. The victim’s system echo port then sends an echo packet back to the chargen port - the process repeats and generates a loop. Packet generation loop created in this fashion generates damaging traffic and cause severe damage in the system.


UDP Flooder (handy attacking tool)• UDP flooder is a handy attacking tool for Windows

Platform. The tool can send a numerous number of UDP packets (chosen by attacker) at a selected speed from a host to another host. It uses a specific port to attack and also uses some imaginary source address.


While testing with this tool, we have used three thread of the flooder and flooded the target computer with three different ports. And the result was two ways.

• Tie-up the CPU that resulted to crash (shut-down of the victim system).

• Reduced the network speed (communication between third computer and attacking host was very slow)


The laboratory setup• We have used three laptop, a workgroup hub, cat5e

network cable to set the laboratory network. The role of the three computers were attacker, victim and the legitimate user. The attacker was armed with UDP flooder. Snort was installed and necessary snort rules were activated in the victim’s computer to monitor traffic volume and pattern and to detect the DoS attack.

The laboratory setup Hardware setup: We have 3 computers in our network, the

hacker computer(hacker), IDS computer(victim), and legitimate computer(user). A 5 port workgroup hub (10MB/S) with 3 cables connects three computers and make a local area network

The computer configuration: 1. Hacker computer (hacker) IP: 10.0.0.5 Subnet mask: 255.255.255.0 Network card: 2.\Device\NPF_{87BF08D7-392D-4D2B-8406-4C123BB567A0}(Broadcom NetXtreme Gigabit

Ethernet Driver ) LAN: 100/1000 Mbps Fast Ethernet 2. IDS computer (victim) IP: 10.0.0.8 Subnet mask: 255.255.255.0 Network card: 3.\Device\NPF_{88A867A3-0DF5-47E6-84A6-C37663DF457B} (SiS NIC SISNIC) LAN: 10/100 Mbps Fast Ethernet 3. Legitimate computer(user) IP: 10.0.0.2 Subnet mask: 255.255.255.0 Network card: 2.\Device\NPF_{F55030C1-CA2E-42D9-A73B-834595873C4D} (Realtek RTL8139 Family Fas

t Ethernet Adapter ) LAN: 10/100 Mbps Fast Ethernet

Snort

Snort is free and open source software for network intrusion detection. It is capable of performing packet logging and real-time traffic analysis. We have used this to detect if there is a flooding attack depending on the threshold value set in snort rule.

IDS computer Snort configuration : D:\win-ids\snort\bin>snort -W

,,_ -*> Snort! <*- o" )~ Version 2.8.0-ODBC-MySQL-FlexRESP-WIN32 (Build 67) '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html (C) Copyright 1998-2007 Sourcefire Inc., et al. Using PCRE version: 4.4 21-August-2003

Interface Device Description ------------------------------------------- 1 \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)

2 \Device\NPF_{3A649186-EB7E-44F9-9827-AEB8D98E71DD} (Broadcom 802.11g Network A

dapter (Microsoft's Packet Scheduler) ) 3 \Device\NPF_{88A867A3-0DF5-47E6-84A6-C37663DF457B} (SiS NIC SISNIC

(Microsoft' s Packet Scheduler) )

Snort configuration:

Snort command:

D:\win-ids\snort\bin>snort -v -Afull -c test.conf -l D:\win-ids\snort\log -i 3

-v Be verbose

-A Set alert mode: fast, full, console, test or none (alert file alerts only)

-c Use Rules File (test.conf include rule file)

-l Log to directory

-i Listen on interface


--== Initializing Snort ==-- Initializing Output Plugins! Var '_ADDRESS' redefined Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file test.conf PortVar 'HTTP_PORTS' defined : [ 80] PortVar 'SHELLCODE_PORTS' defined : [ 0:79

81:65535] PortVar 'ORACLE_PORTS' defined : [ 1521] Frag3 global config: Max frags: 65536 Fragment memory cap: 4194304 bytes


--== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.8.0-ODBC-MySQL-FlexRESP-WIN32 (Build 67) '''' By Martin Roesch & The Snort Team:

http://www.snort.org/team.html (C) Copyright 1998-2007 Sourcefire Inc., et al. Using PCRE version: 4.4 21-August-2003 Rules Engine: SF_SNORT_DETECTION_ENGINE Version

1.6 <Build 11> Preprocessor Object: SF_SSH Version 1.0 <Build 1> Preprocessor Object: SF_SMTP Version 1.0 <Build 7> Preprocessor Object: SF_FTPTELNET Version 1.0 <Build

10> Preprocessor Object: SF_DNS Version 1.0 <Build 2> Preprocessor Object: SF_DCERPC Version 1.0 <Build 4> Not Using PCAP_FRAMES

Code of Rule file: udp-flooding.RULES

# Copyright 2007 Project1-steven,valon,hasan

# DOS-UDP Flooding Attack RULE alert udp $EXTERNAL_NET any ->

$HOME_NET any (msg:"UDP_Flood Attack!!!!!"; content:"UDP Flood Test"; flow:stateless; threshold:type threshold, track by_dst, count 1000, seconds 60; classtype:attempted-dos; sid:1000001; rev:7;)

Screen shot of Rule file

IDS computer Wireshark :

Before the UDP Flooding attack

During the UDP Flooding attack

Test method:

We use the software UDP flooder from the hacker computer send packets to IDS computer, the snort is in IDS mode. It catches the entire packet and generates an alert. The legitimate computer can not get any response from the IDS computer, because it is crashed.

Test result:

The Snort generates an alert. Before the UDP Flooding attack, the IDS computer CPU utilization is 2%, during the UDP Flooding attack, the CPU utilization is 100%. Victim System is crashed when the 100% CPU utilization up to 5 minutes.

Code of Alert file: alert.IDS

[**] [1:1000001:7] UDP_Flood Attack!!!!! [**]

[Classification: Attempted Denial of Service] [Priority: 2]

11/04-19:31:40.465554 10.0.0.5:1515 -> 10.0.0.8:80

UDP TTL:128 TOS:0x0 ID:35979 IpLen:20 DgmLen:45

Len: 17

Screen shot of alert file in D:\win-ids\snort\log

DoS Countermeasures

Classified in three categories

1.Protection

2. Detection

3. Reaction

Attack Protection

It focuses in eliminating the possibility of the attack.

Cryptography: the basis for even more protection (data integrity protection, authentication, protection from eavesdropping, and so on. )

Protection approaches patch existing vulnerabilities, correct bad protocol design, manage resource usage, and reduce the incidence of intrusions and exploits.

Attack Protection Cont.

Hygiene approaches: try to close as many opportunities for DoS attacks in your computers and networks as possible, enhance security by keeping your network simple, well organized, and well maintained.

Fixing Host Vulnerabilities: The first step in maintaining network hygiene is keeping software packages patched and up to date.

Fixing Network Organization: Well-organized networks have no bottlenecks or hot spots that can become an easy target for a DoS attack.


A good way to organize a network is to spread critical applications across several servers, located in different subnetworks. The attacker then has to overwhelm all the servers to achieve denial of service.

A good network organization not only repels many attack attempts, it also increases robustness and minimizes the damage when attacks do occur.

Critical services are replicated throughout the network, machines affected by the attack can be quarantined and replaced by the healthy ones without service loss.


Filtering Dangerous Packets: the most standard approach against denial of service attacks is the use of Ingress/Egress filtering techniques.

Ingress filtering: is from the point of view of the Internet. Here an Internet Service Provider (ISP) filters out packets with illegitimate source address, based on the ingress link by which the packet enters the network.

Egress filtering: is from the point of view of the customer network and the filtering occurs at the exit point of a customer domain. Here a router checks whether the source addresses of packets actually belong to the customer’s domain. Packets with invalid source addresses are dropped.


UDP flooding is done using specific or random ports of the victims system. Therefore, it is recommended that you:

Disable and filter all unused UDP services Disable unused ports/services for IP infrastructure

devices such as routers and switches. Disable the service port (port #7) and chargen port (port

# 19) and filter the chargen and echo services.

Attack Detection

If protection approaches cannot make DoS attacks impossible, then the defender must detect such attacks before he can respond to them. Certain protection schemes are rather expensive, and some researchers have suggested engaging them only when an attack is taking place, which implies the need for attack detection.

Two major goals of attack detection are accuracy and timeliness.

Accuracy is measured by how many detection errors are made. A detection method can misstep in two ways. It can falsely detect an attack in a situation when no attack was actually happening. This is called a false positive.

Attack Detection Cont.

The other way for a detection method to misstep is to miss an attack. This is called a false negative.

The performance of the whole DDoS defense system depends on the timeliness of the detection. Attacks that are detected and handled early may even be transparent to ordinary customers and cause no unpleasant disruptions.

It is therefore desirable to detect an attack as early as possible, and respond to it, preventing the DoS effect and maintaining a good face to your customers.

Three main approaches to attack detection are signature, anomaly, and misbehavior detection.


Singature Detection: Signature detection builds a database of attack characteristics observed in the past incidents—attack signatures. All incoming packets are compared against this database, and those that match are filtered out.

Anomaly Detection: Anomaly detection takes the opposite approach from signature detection. Detects computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on rules, rather than patterns or signatures, and will detect any type of misuse that falls outwith normal system operation.


Misbehaviour Detection: At one extreme, misbehavior modeling is the same as signature-based detection: Receiving a sufficiently large number of a particular type of packet on a particular port with a particular pattern of source addresses may be both a misbehavior model and a signature of the use of a particular attack toolkit.

At the other extreme, misbehavior modeling is no different than anomaly modeling: If it is not normal, it is DoS. But misbehavior modeling, by trying to capture the characteristics of only DoS attacks, characterizes all other types of traffic, whether they have actually been observed in the past or not, as legitimate. True misbehavior modeling falls in the range between these extremes.

Attack Reaction

The goal of attack reaction is to improve the situation for legitimate users and mitigate the DoS effect. There are three major ways in which this is done:

1. Traffic policing

2. Attack Traceback

3. Service differentiation

Attack Reaction Cont.

Traffic policing: The most straightforward and desirable response to a DoS attack is to drop offending traffic. This makes the attack transparent both to the victim and to its legitimate clients, as if it were not happening. Since attack detection and characterization are sometimes inaccurate, the main challenge of traffic policing is deciding what to drop and how much to drop.

Attack traceback: Has two primary purposes: to identify agents that are performing the DoS attack, and to try to get even further back and identify the human attacker who is controlling the DoS network.


The first goal might be achievable, but is problematic when tens of thousands of agents are attacking. The latter is nearly impossible today, due to the use of stepping stones. These factors represent a major challenge to traceback techniques.

Effective traceback solutions probably need to include components that automatically police traffic from offending machines, once they are found.

Service differentiation: Many protection techniques can be turned on dynamically, once the attack is detected, to provide differentiated service. Clients are presented with a task to prove their legitimacy, and those that do receive better service.


Service Differentiation approach offers a good economic model. The server is generally willing to serve all the requests. At times of overload, the server preserves its resources and selectively serves only the clients who are willing to prove their legitimacy and provides best-effort service to the rest. A challenge to this approach is to handle attacks that generate a large volume of bogus legitimacy proofs. It may be necessary to distribute the legitimacy verification service to avoid the overload.

Conclusion

DoS attacks with UDP flooding are one of the many techniques hacker’s use to make the attack. Such attacks are made to make the network and related services non-operational and thereby restricting the legitimate user from using the system.

We have presented the problems and the solution for those that are presently available and developed on the basis of the attack emerged at past

Future consequences of such kind of attack could be more critical and damaging to the technology and economy of the service providing system and organization.

Conclusion cont.

As more amoral and unsatisfied users of the Internet observe the success of DoS attacks, the chances for the frequency and severity of DoS attacks will increase. Until we find a reasonable defense against some type of DoS attacks, we can expect to see their occurrence, power, and gravity to increase.

That is because of the network bandwidth, CPU speed, and number of available resources that can be hacked and compromised which all continue to increase, as does the advancement of hacking tools for compromising computers and using them to attack.

Conclusion cont.

Therefore, it is a prime responsibility of the technologists, business man’s as well as the users of the computerized and networked system of the globe to invent effective solution to prevent such an attack at present and future.

References 1. “Denial-of-Service attacks: Understanding network vulnerabilities”,

http://www.935.ibm.com/services/in/itsb/pdf/wp_denial-of-service.pdf 2. Stephen Specht and Ruby Lee, “Distributed Denial of Service: Taxonomies of Networks, Attacks, Tools,

and Countermeasures,” Princeton University, Department of Electrical Engineering Technical Report 3. “Winsort Configuration”,

http://www.winsnort.com/index.php?name=Sections&req=viewarticle&artid=5&page=1 4. “ Snort User Manual”, http://www.snort.org/docs/snort_manual/2.8.0/snort_manual.pdf 5. “Snort From Wikipedia”, http://en.wikipedia.org/wiki/Snort_(software) 6. “Snort and Winsnort”, http://www.snort.org/ ; http://www.winsnort.com/ 7. “WinDump Manual”, http://www.winpcap.org/windump/docs/manual.htm 8. Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher : “Internet Denial of Service: Attack and

Defense Mechanisms” Chapter 5.6: Defense Approaches; Publisher: Prentice Hall PTR 9. Ryan Russell (Editor), Dan Kaminsky (Author), Rain Forest Puppy (Author), Joe Grand (Author), K2

(Author), David Ahmad (Author), Hal Flynn 10. Udaya Kiran Tupakula and Vijay Varadharajan, A practical method to counteract denial of service

attacks. Proceedings of the twenty-sixth Australasian computer science conference on Conference in research and practice in information technology - Volume 16

http://www.935.ibm.com/services/in/itsb/pdf/wp_denial-of-service.pdf

http://www.winsnort.com/index.php?name=Sections&req=viewarticle&artid=5&page=1

http://www.snort.org/docs/snort_manual/2.8.0/snort_manual.pdf

http://en.wikipedia.org/wiki/Snort_(software)

http://www.snort.org/

http://www.winsnort.com/

Question?

dos attack: udp flooder li xiaoming valon sejdini hasan chowdhury

Documents

service attack

udp flooderdos attack

common dos attack

udp floodingdos attack

htmldos attack

stronger attack

direct attack

new technique of dos