Denial of Service: First Hand OR: Now I know why I always hated the Smurfs

Alan Whinery, University of Hawaii ITS Telecom
August 10, 1999
[email protected]

Transcript of Denial of Service: First Hand OR: Now I know why I always hated the Smurfs

Page 1: Denial of Service: First Hand OR: Now I know why I always hated the Smurfs

Denial of Service: First Hand
OR: Now I know why I always hated the Smurfs

Alan Whinery

University of Hawaii ITS Telecom

August 10, 1999

[email protected]

Page 2

The Event

Beginning on July 9, 1998, Internet connectivity was interrupted to the University of Hawaii, Hawaii State Government, and the Honolulu and Maui County governments for a period of 27 hours,

probably because someone didn’t like SPAM.

Page 3

Denial of Service

• Attacker intends to:
– affect the availability of a service to a user
– affect the availability of a host
– affect the availability of a network

• Can affect large numbers of users

• Often is an act of retribution

Page 4

Some Denial of Service Types

• TCP SYN flood -- fills the target’s half-open connection queue, using up system resources

• ICMP FLOOD -- leveraged (amplified) bandwidth attack (smurf): echo requests sent to broadcast addresses with the victim’s address forged as the source

• UDP FLOOD -- leveraged bandwidth attack (fraggle): the same trick using UDP echo instead of ICMP

• NETBIOS Out-Of-Band -- sends TCP urgent (“out-of-band”) data to Windows File Sharing (port 139), which older Windows stacks mishandle (WinNuke)

• TEARDROP -- Windows TCP/IP -- overlapping or wrong-size IP fragments (Teardrop, Bonk, Boink)

• LAND -- Windows TCP/IP -- packets whose source address and port equal the destination’s (packets from self)

• ICMP Unreachable -- forged unreachable messages that make a host drop a live connection (spoofs connection failure)


Page 6

ICMP FLOOD

• Very easy to detect

• Very hard to trace

• Can’t be stopped with a firewall (the replies saturate the upstream link before they ever reach the firewall)

• Involves 3 groups
– the attacker(s)
– intermediate sites
– the victim and everyone nearby

Page 7

Internet Control Message Protocol (ICMP)

• Used to send info about packet delivery
– network unreachable
– host unreachable
– port unreachable

• Used to verify connectivity
– echo request, echo reply

• Also other stuff

Page 8

IP addresses

• Every Internet host has at least one

• A number that routers use to deliver data to the right machine

• Special addresses
– broadcast
– multicast

Page 9

IP Broadcast address

• An IP address that denotes every host in a network (i.e. subnet, LAN)

• For example: 128.171.6.255 would reach every host on the 128.171.6.X/24 network

• AKA: the network 128.171.6.0 with netmask 255.255.255.0

Page 10

IP Broadcast address

Caution: You can’t necessarily identify an IP address as a broadcast by looking at it. Not all addresses that end in “255” are broadcasts. Not all broadcasts end in “255”.

To identify an address as broadcast, you need the network mask.
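The check the caution describes, carried out with Python’s ipaddress module. This is an added example, not material from the deck: 128.171.6.0/24 is the deck’s own example network, while the /23 and /25 masks are assumed here purely to show why the mask matters.

```python
import ipaddress

def is_broadcast(addr: str, mask: str) -> bool:
    """True if addr is the directed-broadcast address of the subnet it sits in
    under mask. The mask is required: the last octet alone tells you nothing."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return iface.ip == iface.network.broadcast_address

def broadcast_of(network: str) -> str:
    """Broadcast address of a network given in prefix or dotted-mask form."""
    return str(ipaddress.IPv4Network(network, strict=False).broadcast_address)

def classify(addr: str, mask: str) -> str:
    """'broadcast', 'network' (all-zeros host part) or 'host'."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    if iface.ip == iface.network.broadcast_address:
        return "broadcast"
    if iface.ip == iface.network.network_address:
        return "network"
    return "host"

# Constructed cases. 128.171.6.0/24 is the deck's example; the /23 and /25
# masks are assumed here to show why the mask matters.
CASES = [
    ("128.171.6.255", "255.255.255.0"),    # /24: ends in 255 and is the broadcast
    ("128.171.6.255", "255.255.254.0"),    # /23: just a host; broadcast is 128.171.7.255
    ("128.171.6.127", "255.255.255.128"),  # /25: a broadcast that ends in 127
    ("128.171.6.0",   "255.255.255.0"),    # all-zeros form: the network address, which
                                           # older BSD-derived stacks also answered as broadcast
]

def run_cases(cases=CASES):
    """(addr, mask, classification, broadcast of that subnet) for each case."""
    return [(a, m, classify(a, m), broadcast_of(f"{a}/{m}")) for a, m in cases]

if __name__ == "__main__":
    for row in run_cases():
        print(row)
```

The all-zeros case matters for smurf specifically: hosts of the period frequently answered both 128.171.6.0 and 128.171.6.255, and amplifier scans probed both forms, so a router filter that only considers the all-ones address leaves half the problem in place.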

Page 11

PING (ICMP Echo)

Page 12

Broadcast PING

Page 13

(Source) IP address spoofing

• Def. -- sending packets with some other host’s IP address

• Source addresses are not examined by routing equipment

• Easy to stop with source-side access-control lists (ACL)

Page 14

Smurf

Page 15

The Players

• UH ITS Network staff

• Our ISP

• 2500 hosts on 37 networks in North America, South America, and Europe

• A bulk e-mail marketer

• A neophyte mail administrator

• The ugly, smelly perpetrator

Page 16

The Tools (1)

• Traffic Graphs

Page 17

The Tools (2)

• tcpdump
– Unix software that allows watching traffic
– Runs on SunOS, Solaris, Linux, FreeBSD
– Esoteric but versatile

Page 18

The Tools (3,4,5,6)

• whois (Internic, ARIN)

• nslookup

• An off-site e-mail account

• A telephone

• breakfast

Page 19

October 1997

• The first “smurf” attack on UH occurs

• ISP informs us that they will not act without an order from the FBI

• The FBI is called; they do not call back

Page 20

November 1997

• ISP informs us that we are among the intermediate sites in a “smurf” attack against one of their customers. They threaten to disconnect us if we don’t make it stop.

Page 21

July 8, 1998

• A Unix host on the UH network is used to forward unsolicited email advertisements, also called “SPAM”

Page 22

July 9, 1998

• 10:00 AM: All user traffic to and from the mainland stops

• 10:15:
– Attack is identified
– samples of offending traffic are saved for analysis

• 10:30:
– Offending packets are blocked at the local Internet gateway, restoring local network function

Page 23

July 9, 1998 (cont’d)

• 10:45: analysis of the traffic and continued monitoring indicates that the attacker is not on the UH network

• The UH target host is identified as the same one that forwarded SPAM the day before

• 11:00: ISP is notified. They don’t understand what we’re talking about

Page 24

July 9, 1998 (cont’d)

• Calls begin to come in from intermediate sites. Most are threatening litigation unless we stop pinging them.

• We identify all intermediate sites from the traffic samples

• We begin emailing and faxing intermediates, providing an explanation of the attack and instructions for broadcast suppression and filtering for Cisco routers.

Page 25

July 9, 1998

Page 26

July 10, 1998

• 7:00 AM: Our local Internet gateway router begins to reboot every couple of minutes

• 11:00 AM: After dozens of conversations with the ISP, we have a conversation with an ISP employee who understands the problem and acts immediately to filter the traffic upstream

• Internet access continues to be slow, due to the high load on the upstream router

Page 27

July 10, 1998

• The attack, though filtered, continues for at least two more days

Page 28

July 10, 1998

Page 29

Investigation

• Since the attacker forged the source addresses, finding him would require packet-level analysis on each link from the intermediate site to the attacker

• Since the offending echo request stream is much smaller than the echo reply stream (each spoofed request yields one reply per responding host on the broadcast network), it does not provide a high-traffic signature to trace the path to the attacker

Page 30

Investigation

• Available “trace evidence”
– list of recipients of the SPAM message probably includes the attacker
– Some of the intermediate machines were on the same network as the attacker, since their replies came from 10.X.X.X addresses (private, not globally routable), which the attacker could only have reached from inside or next to that network
– Finding the network with the 10.X.X.X addresses that were responding would provide a geographical subset of the SPAM recipients that might include the perpetrator
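The triage the network staff did by hand on July 9 (Page 24: identify the intermediate sites from the traffic samples), the request/reply asymmetry of Page 29, and the 10.X.X.X clue above, run over constructed tcpdump-style lines. This is an added example and not a capture from the UH event: the line format follows tcpdump’s modern ICMP output, 128.171.9.14 stands in for the UH target host, and the reply sources are documentation prefixes playing the role of intermediate sites.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample. The first two lines are a ping the host sent itself;
# everything after is a reply nobody on this network asked for.
SAMPLE = """\
10:15:02.000101 IP 128.171.9.14 > 198.51.100.9: ICMP echo request, id 700, seq 1, length 64
10:15:02.000390 IP 198.51.100.9 > 128.171.9.14: ICMP echo reply, id 700, seq 1, length 64
10:15:02.001200 IP 203.0.113.4 > 128.171.9.14: ICMP echo reply, id 1, seq 1, length 1024
10:15:02.001230 IP 203.0.113.17 > 128.171.9.14: ICMP echo reply, id 1, seq 1, length 1024
10:15:02.001260 IP 203.0.113.250 > 128.171.9.14: ICMP echo reply, id 1, seq 1, length 1024
10:15:02.001300 IP 192.0.2.8 > 128.171.9.14: ICMP echo reply, id 1, seq 1, length 1024
10:15:02.001340 IP 192.0.2.77 > 128.171.9.14: ICMP echo reply, id 1, seq 1, length 1024
10:15:02.001400 IP 10.1.2.3 > 128.171.9.14: ICMP echo reply, id 1, seq 1, length 1024
10:15:02.011200 IP 203.0.113.4 > 128.171.9.14: ICMP echo reply, id 1, seq 2, length 1024
10:15:02.011230 IP 203.0.113.17 > 128.171.9.14: ICMP echo reply, id 1, seq 2, length 1024
10:15:02.011400 IP 10.1.2.3 > 128.171.9.14: ICMP echo reply, id 1, seq 2, length 1024
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<len>\d+)$"
)

# Checked explicitly rather than via IPv4Address.is_private, which also
# flags the documentation prefixes used in the sample.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def parse(text):
    """Pull the fields we need out of tcpdump-style lines; skip anything else."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            for k in ("id", "seq", "len"):
                d[k] = int(d[k])
            recs.append(d)
    return recs

def triage(recs, local_net="128.171.0.0/16"):
    """Split echo replies our hosts asked for from the ones they did not, then
    summarise the unsolicited stream: the victim, which /24s are answering (the
    list to whois and fax), how many replies each spoofed request produced, and
    any responders on RFC 1918 space."""
    local = ip_network(local_net)
    outstanding = set()              # (our host, peer, icmp id) we saw go out
    solicited = unsolicited = unsol_bytes = 0
    victims = Counter()
    responders = defaultdict(set)    # reply-source /24 -> hosts seen in it
    spoofed_probes = set()           # (id, seq) pairs behind the unsolicited replies
    private_sources = set()
    for r in recs:
        src, dst = ip_address(r["src"]), ip_address(r["dst"])
        if r["kind"] == "request" and src in local:
            outstanding.add((src, dst, r["id"]))
        elif r["kind"] == "reply" and dst in local:
            if (dst, src, r["id"]) in outstanding:
                solicited += 1
                continue
            unsolicited += 1
            unsol_bytes += r["len"]
            victims[str(dst)] += 1
            responders[str(ip_network(f"{src}/24", strict=False))].add(str(src))
            spoofed_probes.add((r["id"], r["seq"]))
            if any(src in n for n in RFC1918):   # leaked from the attacker's own network
                private_sources.add(str(src))
    return {
        "victim": victims.most_common(1)[0][0] if victims else None,
        "solicited_replies": solicited,
        "unsolicited_replies": unsolicited,
        "unsolicited_bytes": unsol_bytes,
        "intermediate_nets": {n: len(h) for n, h in responders.items()},
        "replies_per_spoofed_request": unsolicited / max(len(spoofed_probes), 1),
        "private_sources": sorted(private_sources),
    }

if __name__ == "__main__":
    for k, v in triage(parse(SAMPLE)).items():
        print(f"{k}: {v}")
```

At the victim only the reply side is visible, which is why the summary counts replies per (id, seq) pair: that ratio is the amplification factor, and its inverse is how much smaller the attacker’s request stream is than what arrives here. Unsolicited replies from many distinct sources to one local host, with no matching outbound requests, is the “very easy to detect” signature from Page 6.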

Page 31

Prevention is source-side

• Baseline normal network behavior

• Avoid being an intermediate site by configuring all routers not to forward directed broadcasts, so that echo requests to broadcast addresses from outside are dropped

• Prevent the forwarding of SPAM

• Prevent outbound IP spoofing

• Actively seek out vulnerable hosts and deal with them
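The two router-side measures above (directed-broadcast suppression and an outbound anti-spoofing ACL, the same fixes the staff faxed to intermediate sites on Page 24) as a small packet-policy model. This is an added example, not the deck’s own material: 128.171.0.0/16 is assumed as the site prefix only because the deck’s examples fall in it, the two connected subnets are made up, and the Cisco IOS lines in the comments are the equivalent router configuration for each rule.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for illustration only.
SITE = ip_network("128.171.0.0/16")
CONNECTED = [ip_network("128.171.6.0/24"), ip_network("128.171.9.0/24")]

def directed_broadcasts(subnets=CONNECTED):
    """Addresses the router must not deliver to from outside: the all-ones
    broadcast of each connected subnet plus the old all-zeros form that
    BSD-derived stacks of the period also answered (smurf scans probed both)."""
    addrs = set()
    for n in subnets:
        addrs.add(n.broadcast_address)
        addrs.add(n.network_address)
    return addrs

def filter_packet(direction, src, dst):
    """direction is 'in' (arriving from the upstream ISP) or 'out' (leaving
    toward it). Returns (verdict, reason)."""
    s, d = ip_address(src), ip_address(dst)
    if direction == "out":
        # Egress rule (RFC 2827): nothing leaves claiming a source we don't own,
        # so a smurfer on our network cannot forge the victim's address.
        # IOS equivalent on the upstream interface:
        #   access-list 101 permit ip 128.171.0.0 0.0.255.255 any
        #   access-list 101 deny ip any any log
        #   ip access-group 101 out
        if s not in SITE:
            return ("drop", "outbound spoof: source not in site prefix")
        return ("permit", "ok")
    if direction == "in":
        # Mirror image: our own prefix cannot legitimately arrive from outside.
        if s in SITE:
            return ("drop", "inbound spoof: our own prefix as source")
        # Directed-broadcast suppression, the fix that keeps us off the
        # intermediate list. IOS equivalent on each LAN interface:
        #   no ip directed-broadcast
        if d in directed_broadcasts():
            return ("drop", "directed broadcast: would be amplified to a whole subnet")
        return ("permit", "ok")
    raise ValueError(f"unknown direction {direction!r}")

if __name__ == "__main__":
    for pkt in [("out", "128.171.9.14", "198.51.100.9"),
                ("out", "203.0.113.5", "198.51.100.9"),
                ("in", "203.0.113.5", "128.171.6.255"),
                ("in", "203.0.113.5", "128.171.6.0"),
                ("in", "203.0.113.5", "128.171.6.20")]:
        print(pkt, filter_packet(*pkt))
```

Neither rule needs to know who the attacker or victim is, which is the point of “prevention is source-side”: the egress rule stops your users from launching a smurf, and the directed-broadcast rule stops your subnets from amplifying someone else’s.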

Page 32

Issues

• A large number of contact records at ARIN and Internic do not include useful contact information

• The average site or network administrator does not command the basic concepts necessary to effect security

Page 33

Questions?

• ???