March 1st, 2002, 03:49 AM
Denial of Service
1. Introduction
A DoS (Denial of Service) attack can be described as an attempt to prevent legitimate users of a service from accessing that service (resource). This includes flooding the network, disrupting connections between machines so that a service cannot be used, and blocking a particular user or system from using a service on the server or client side. A server outage is of course not necessarily the result of a deliberate DoS; it may also be an indirect consequence of an attack (the attacker's aim was not to block the service, but the nature of the attack blocked it unexpectedly).
DoS can effectively cut off your computer, your network or a whole organization from the Internet, or it can block just a single service. That is why it is important to know how to prevent this type of attack and what to do when you are being attacked.
Some DoS attacks can be carried out with very limited resources against large, well-secured sites. This is called an 'asymmetric attack'. The design of today's networking protocols allows an attacker with an old PC and a slow modem to attack much faster servers on high-speed connections effectively.
2. Types of attack
Denial of service comes in many forms and endangers a wide variety of services. We distinguish three basic types of attack:
A/ consumption of limited or non-renewable resources
B/ destruction or modification of configuration information
C/ physical destruction or alteration of hardware
A. Consumption of limited or non-renewable resources
To run a network of computers and provide services you need several basic resources: CPU time, disk space, RAM, network bandwidth and so on. This type of attack tries to exhaust or block these resources so that they cannot be used effectively, or at all.
A.1 Network bandwidth
Attacks on network connectivity are probably the most frequent. They aim to prevent a client or server from communicating on the network. An example is the SYN flood, which exploits the way TCP connections are established. The attacker repeatedly begins the TCP handshake with the target but never completes it; instead it floods the server with more and more connection attempts, usually from spoofed source addresses, so the server's SYN-ACK replies go unanswered. Meanwhile the server allocates state for every 'half-open' connection and waits for it to complete, until its connection queue is full and there is nothing left for legitimate users. A SYN flood does not need much bandwidth on the attacker's side; what it consumes are the kernel data structures the server uses to track connections. It can therefore be mounted from a dial-up link against a server on a very fast network: a good example of an asymmetric DoS.
Many published attacks exploit flaws in the TCP/IP implementation of a particular operating system. The Teardrop attack, for example, exploits IP fragmentation: when a packet is too large for the next router it is split into fragments, each carrying the identification of the original packet and an offset so that the receiver can reassemble the whole packet. In the teardrop attack the attacker sets a bogus offset in the second (or a later) fragment so that it overlaps the previous one; an operating system that does not expect this situation miscalculates the fragment length and crashes.
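The half-open queue exhaustion described above, and the SYN cookie defence that the prevention list later recommends, can be seen side by side in the following toy model. This is an added example, not code from the original post: nothing touches the network, the two classes only model how a kernel handles half-open connections, and BACKLOG, COOKIE_SECRET, the counter period and the IP addresses are assumptions chosen for the demonstration.

```python
"""Toy model of a TCP listen queue under a SYN flood, without and with SYN cookies.

Added example, not part of the original post.  Nothing here touches the network:
the two classes model the kernel's half-open connection handling, the flood is
simulated in-process, and BACKLOG, COOKIE_SECRET and the addresses are assumptions.
"""
import hashlib
import hmac
import random

BACKLOG = 128                                # half-open (SYN_RECV) queue size, assumption
COOKIE_SECRET = b"per-boot-kernel-secret"   # would be random at boot, assumption
COUNTER_PERIOD = 64                          # seconds per cookie time window, assumption


class StatefulListener:
    """Classic behaviour: each SYN occupies a queue slot until the final ACK arrives
    or the entry times out.  Spoofed SYNs are never ACKed, so they keep their slots."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = set()               # (saddr, sport) waiting for the third packet

    def on_syn(self, saddr, sport):
        if len(self.half_open) >= self.backlog:
            return "dropped"                 # queue full: legitimate SYNs are refused too
        self.half_open.add((saddr, sport))
        return "syn-ack"

    def on_ack(self, saddr, sport):
        if (saddr, sport) in self.half_open:
            self.half_open.remove((saddr, sport))
            return "established"
        return "reset"


class SynCookieListener:
    """SYN cookies (D. J. Bernstein's scheme, simplified): keep no per-SYN state.

    The server's initial sequence number in the SYN-ACK is a MAC over the
    connection 4-tuple and a coarse time counter.  A client that returns ISN+1
    in its ACK proves it received the SYN-ACK at its claimed address, so the
    server can rebuild the connection from the ACK alone."""

    def __init__(self, secret=COOKIE_SECRET, period=COUNTER_PERIOD):
        self.secret = secret
        self.period = period
        self.established = set()

    def _cookie(self, saddr, sport, daddr, dport, counter):
        msg = f"{saddr}:{sport}>{daddr}:{dport}|{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top byte carries the counter, the rest is MAC output; real stacks also
        # squeeze the negotiated MSS into a few bits here
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, saddr, sport, daddr, dport, now):
        """Return the ISN to put in the SYN-ACK; nothing is stored."""
        return self._cookie(saddr, sport, daddr, dport, int(now) // self.period)

    def on_ack(self, saddr, sport, daddr, dport, ack_num, now):
        isn = (ack_num - 1) & 0xFFFFFFFF
        current = int(now) // self.period
        for counter in (current, current - 1):   # accept this window and the previous one
            expected = self._cookie(saddr, sport, daddr, dport, counter)
            if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
                self.established.add((saddr, sport))
                return "established"
        return "reset"                          # forged, stale or replayed cookie


def simulate_flood(n_spoofed=1000, seed=1):
    """Flood both listeners with spoofed SYNs, then try one legitimate handshake.

    Returns (stateful_ok, cookie_ok): whether the legitimate client got through."""
    rng = random.Random(seed)
    victim, port, now = "192.0.2.10", 80, 1_000_000.0   # RFC 5737 documentation address
    stateful, cookies = StatefulListener(), SynCookieListener()
    for _ in range(n_spoofed):
        src = f"198.51.100.{rng.randrange(1, 255)}"     # forged source: will never ACK
        sport = rng.randrange(1024, 65536)
        stateful.on_syn(src, sport)
        cookies.on_syn(src, sport, victim, port, now)
    client, cport = "203.0.113.5", 40000
    stateful_ok = (stateful.on_syn(client, cport) == "syn-ack"
                   and stateful.on_ack(client, cport) == "established")
    isn = cookies.on_syn(client, cport, victim, port, now)
    cookie_ok = cookies.on_ack(client, cport, victim, port, isn + 1, now + 5) == "established"
    return stateful_ok, cookie_ok


if __name__ == "__main__":
    print(simulate_flood())   # (False, True)
```

With 1000 spoofed SYNs against a backlog of 128 the stateful listener has no slot left for the real client, while the cookie listener never stored anything and still completes the handshake. The price of cookies is visible in the code as well: the server only validates what fits in 32 bits, so it accepts cookies from two time windows and drops TCP options it cannot encode, which is why real stacks only switch cookies on when the queue is under pressure.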
A.2 Exploiting your own resources against you
There are further ways to attack you effectively by abusing remote services that are vulnerable, misconfigured or insufficiently secured. In a Smurf attack the intruder sends spoofed ICMP ECHO request packets (which ask the receiver to "echo" the message back) to the broadcast address of a network, so that every host on that network receives the request. The source address of the packet is forged so that it appears to come from the victim instead of from the attacker; this is called spoofing (the return-address field of the packet does not contain the real sender's address). The result is that every host on the amplifying network sends its echo reply to the victim, which is flooded with ping replies. If the flood is large enough, the victim can no longer receive legitimate users' traffic.
The Snork attack can drive CPU utilization to 100% for up to two minutes on unpatched Windows NT systems running RPC services. The attacker keeps sending specially crafted UDP packets to the target, which causes packets to bounce back and forth between all the Windows NT servers on the same network. Each additional system attacked on the same network at the same time multiplies this traffic; collisions start to occur, leading to packet loss, and the local network is saturated. Both the servers and the network are then unusable.
A.3 Bandwidth usage
An attacker may be able to consume all your available bandwidth by flooding your network with a large volume of packets, typically ICMP ECHO and usually spoofed, i.e. with a return address that is not the real sender's (this does not mean that echo packets are the only option). The flood may come from a single machine or from a coordinated group of machines (Distributed Denial of Service, DDoS). This kind of attack has been used widely over the last two years, effectively cutting off sites such as Yahoo, CNN and eBay. A DDoS may involve dozens of compromised computers or routers (agents) attacking the same network or host under the remote control of the attacker. The attacker usually prepares the attack by scanning a large number of hosts for vulnerable machines; no skill is needed beyond running a vulnerability scanner script. Once he has a list of hosts it is only a matter of patience to compromise them all and install the attack tools (sometimes the script even does that by itself). The attacker can then launch the attack from all agents simultaneously.
A.4 Consumption of other resources
A service needs various data structures, memory and disk resources to operate. An attacker can hog the server by overloading the service with a large number of requests of a particular kind. Every process also allocates memory and other resources; an attacker with local access can exhaust them with a simple program that repeatedly creates copies of itself (a fork bomb). Fortunately, modern operating systems have per-user process quotas that protect the system against an unbounded number of processes.
An intruder can also attack your system by consuming disk space. Such attacks include generating excessive numbers of e-mail messages (which must be stored on the server and processed by the mail daemon), deliberately triggering errors (which are usually written to log files), and uploading files to anonymous FTP areas or network shares. Anything that allows data to be written to disk without bounds is a potential threat.
An attacker can also lock up your system by sending unexpected data to a service. Not all software copes with deliberately malformed communication that does not follow the expected protocol. Such input may freeze the particular service, or even the whole computer.
B. Destruction or alteration of configuration information
A service that is improperly configured may perform badly or not at all. An intruder may alter or destroy configuration files, remotely or locally, so that legitimate users can no longer use the service. If the attacker modifies the routing tables of your router, your whole network may be cut off. If the intruder manages to modify the Windows NT/2000 server registry, some features or services may become unavailable or misbehave.
C. Physical destruction or alteration of hardware
Besides software- and network-based attacks, the physical security of the network has to be considered as well. It should be guarded, and only people who are authorized (and able) to use the equipment should have access to the network components (servers, routers, cables, power backups, cooling, ...).
3. Prevention
Denial of service attacks can cause large losses of money, effort and time. Every organization providing content and services should consider appropriate protection against these attacks. This may include:
- establishing an appropriate password policy, especially for highly privileged users
- designing the network topology so that a disruption of one server does not take the others down with it
- implementing filters on the routers, firewalling, and installing protection against TCP SYN flooding
- running and allowing only the services that are really needed, and disabling unused or unneeded ones
- enabling quota systems where available, to prevent malicious users from filling up the disk
- monitoring server CPU load and network bandwidth utilization
- patching the system and services as soon as a vulnerability is discovered, which includes regularly following security-related reports, websites and other sources
- using intrusion detection systems (IDS) so as to be informed immediately about any suspicious activity
- establishing backup systems
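Monitoring, as the list above recommends, can be as simple as looking at what the kernel already reports. The following added example (not from the original post) parses `netstat -ant` output and flags a local port that has many half-open connections from many different sources, which is what a spoofed SYN flood looks like from the victim's side. The netstat lines are constructed for the example and the thresholds are assumptions to be tuned per site.

```python
"""Spot a SYN flood in 'netstat -ant' output by counting half-open connections per port.

Added example, not part of the original post.  The netstat text below is
constructed for the example (RFC 5737 documentation addresses); the thresholds
are assumptions and should be tuned to the normal load of the server.
"""
from collections import defaultdict

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           203.0.113.5:51012       ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.9:2201       SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.40:3355       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:1025      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.77:6011      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.130:1733     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.201:4402     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:9901       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.250:1201     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51044       ESTABLISHED
"""

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}   # Linux and BSD spellings


def parse_netstat(text):
    """Return a list of {'local_port', 'remote_addr', 'state'} for each TCP line."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue                               # header, UDP or unix sockets
        local, remote, state = parts[3], parts[4], parts[5]
        _laddr, lport = local.rsplit(":", 1)       # rsplit copes with IPv6 ':::22'
        raddr, _rport = remote.rsplit(":", 1)
        conns.append({"local_port": int(lport), "remote_addr": raddr, "state": state})
    return conns


def half_open_report(conns, min_half_open=5, min_sources=5):
    """Per local port: half-open count, distinct remote addresses, and an alert flag.

    Requiring many *distinct* sources separates a spoofed flood from a single
    broken client that leaves a few connections half-open."""
    per_port = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for c in conns:
        if c["state"] not in HALF_OPEN_STATES:
            continue
        entry = per_port[c["local_port"]]
        entry["half_open"] += 1
        entry["sources"].add(c["remote_addr"])
    report = {}
    for port, e in per_port.items():
        distinct = len(e["sources"])
        report[port] = {
            "half_open": e["half_open"],
            "distinct_sources": distinct,
            "alert": e["half_open"] >= min_half_open and distinct >= min_sources,
        }
    return report


if __name__ == "__main__":
    for port, r in sorted(half_open_report(parse_netstat(SAMPLE_NETSTAT)).items()):
        flag = "SYN FLOOD?" if r["alert"] else "ok"
        print(f"port {port}: {r['half_open']} half-open from {r['distinct_sources']} sources: {flag}")
```

On a real system feed it `netstat -ant` (or `ss -tan`, whose columns differ only in the header) from cron and compare against the port's normal number of half-open connections; the sources will usually be unroutable or unanswering addresses, which is the spoofing the post describes.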
4. Handling an attack
The suggested steps to handle an attack:
1. Stay calm
Don't panic :-) Only then will you be able to handle the incident successfully. A compromised system calls for action, not panic. Intruders may have been on your system for days, possibly weeks; another few hours won't make a difference.
2. Check carefully what has happened
Gather any information that helps establish who, when, how and where intruded into or attacked your system. Check the log files, the file system, configuration files, IDS reports, router logs etc. carefully.
3. Get help
Contact trusted people who are able to help or advise. Describe the problem to them, ask whether they have seen a similar attack and how they resolved it. Contact your administrators' team (if there is one) immediately to check and secure the attacked systems.
4. Keep quiet about the incident
You do not need to reveal what has happened until you really know what has happened. Don't give malicious people the opportunity to use information about the attack against you.
5. Use out-of-Internet communication while resolving the situation
The attacker may have installed sniffers on your network, which would mean that any information about securing it, including new passwords, could be revealed to him.
6. Secure the attacked computers/network
Usually the best way is to disconnect the computer from the network so that the attacker cannot interfere with it while you secure it. Whether that means pulling the Ethernet cable or turning off the router, do it if at all possible.
7. Make backups
Back up everything you can: your data, configuration files, log files etc.
8. Get rid of the attack
This usually requires deeper knowledge of the operating system and networking. You need to locate the problem and fix it: patching vulnerable daemons, fixing password and configuration files, putting a filter on a router, and so on. Sometimes the best way is to reinstall the system from scratch and then apply the patches needed to secure it.
9. Turn the services back on,
and monitor the system's behaviour and network traffic/connections carefully.
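Steps 2 and 7 above depend on the logs and configuration files surviving step 8 untouched, and on being able to show later that nobody (including you) altered them. The following added example (not from the original post) copies the files to be preserved into an evidence directory, records a SHA-256 manifest in the layout `sha256sum -c` understands, and re-verifies the copies. The log line used in the test is constructed; the file list and destination are placeholders for your own.

```python
"""Preserve logs and configuration before cleaning up, with a hash manifest.

Added example, not part of the original post.  Each file is copied into an
evidence directory with its timestamps intact, its SHA-256 is written to a
manifest in sha256sum format, and verify() reports any copy that no longer
matches.  File names and the destination directory are up to the caller.
"""
import hashlib
import os
import shutil

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(paths, dest_dir):
    """Copy files into dest_dir and return {stored_name: sha256}.

    Names are prefixed with a running number so two files called 'messages'
    from different directories cannot overwrite each other."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {}
    for i, path in enumerate(paths):
        stored = f"{i:03d}_{os.path.basename(path)}"
        target = os.path.join(dest_dir, stored)
        shutil.copy2(path, target)          # copy2 keeps mtime: the timeline is evidence too
        os.chmod(target, 0o444)             # read-only copy discourages accidental edits
        manifest[stored] = sha256_file(target)
    with open(os.path.join(dest_dir, MANIFEST_NAME), "w") as f:
        for name, digest in sorted(manifest.items()):
            f.write(f"{digest}  {name}\n")  # two spaces: the layout 'sha256sum -c' reads
    os.chmod(os.path.join(dest_dir, MANIFEST_NAME), 0o444)
    return manifest


def verify(dest_dir):
    """Return the stored names whose hash differs from the manifest or that are missing."""
    bad = []
    with open(os.path.join(dest_dir, MANIFEST_NAME)) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            target = os.path.join(dest_dir, name)
            if not os.path.exists(target) or sha256_file(target) != digest:
                bad.append(name)
    return bad


if __name__ == "__main__":
    # Typical Linux locations; adjust to the system at hand.
    files = ["/var/log/messages", "/var/log/secure", "/etc/passwd", "/etc/inetd.conf"]
    present = [p for p in files if os.path.exists(p)]
    print(preserve(present, "/root/evidence"))
    print("mismatches:", verify("/root/evidence"))
```

Write the manifest digests down somewhere the attacker cannot reach (paper, or a machine that was never on the affected network, in keeping with step 5) before you start fixing things; a manifest stored next to the copies only proves something if the digests were also recorded elsewhere.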
5. Description of some DoS/DDoS tools
Teardrop, Bonk, Boink and similar tools (exploit code) exploit the overlapping IP fragment bug present in older Linux kernels and Windows 95/NT systems. These systems do not expect a packet whose fragment offset is set incorrectly, and crash.
Tribe Flood Network (TFN) is a DDoS tool. It consists of client and daemon programs capable of ICMP floods, SYN floods, UDP floods and Smurf-type attacks. It also provides an on-demand root shell on the compromised machines on a given TCP port. A complete analysis is available here.
TFN2K (Tribe Flood Network 2000) is the successor of the original TFN by Mixter. It can infect and use the resources of Unix, Solaris and Windows NT servers. TFN2K consists of two components: a command-driven client on the master and daemon slaves running on the agents. Multiple agents coordinated from the master work simultaneously during the attack to block access to the target. Communication between master and agents is encrypted, and the master can spoof its IP address. The agents can flood the target with various forms of TCP/UDP/ICMP/Smurf floods. Full analysis here.
Trinoo is usually spread by exploiting buffer overruns on remote systems. The agents were first discovered on Solaris 2.5.1 and Red Hat 6.0 systems, the master on Red Hat 6.0. Trinoo is believed to be installed on hundreds or thousands of systems, waiting to be used. Many modified versions of Trinoo circulate on the net, differing in the form of attack performed, usually UDP or Smurf floods. Analysis: here.
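The overlapping-fragment bug behind Teardrop, described in section A.1 and in the tools entry above, comes down to one subtraction. The following added example (not code from the original post or from any of the tools named) models fragments as (offset, payload) pairs rather than full IP headers, reproduces the length arithmetic of a reassembler that trusts the offsets, and puts next to it the hardened version that rejects overlapping fragments outright, as modern stacks now do. The fragment values are constructed for the example; the model assumes all fragments of the datagram have already arrived.

```python
"""IP fragment reassembly with and without the overlap check that Teardrop abused.

Added example, not part of the original post.  Fragments are (offset_in_bytes,
payload) pairs, not real IP packets, and the functions assume every fragment of
the datagram is present.  The 'vulnerable' path reproduces the arithmetic of the
bug described in the post, not any particular kernel's source code.
"""


class FragmentError(ValueError):
    """Raised by the hardened reassembler for fragments it refuses to accept."""


def reassemble_vulnerable(fragments):
    """Trim the overlap against the previous fragment, then copy 'end - offset' bytes.

    If a later fragment ends *inside* the previous one, end - offset is negative.
    In C that value went into a memcpy length, where it became a huge unsigned
    count and crashed the kernel; here it is returned so it can be inspected.
    Returns (datagram_bytes, length) or (None, negative_length)."""
    buf = bytearray()
    prev_end = 0
    for offset, payload in sorted(fragments):
        end = offset + len(payload)
        if offset < prev_end:                  # overlap: skip bytes we already have
            skip = prev_end - offset
            offset += skip
            payload = payload[skip:]
        length = end - offset                  # goes negative when end < prev_end
        if length < 0:
            return None, length                # would have been memcpy(dst, src, (size_t)length)
        buf += payload
        prev_end = end
    return bytes(buf), len(buf)


def reassemble_hardened(fragments, max_len=65535):
    """Validate every fragment against the datagram assembled so far.

    Overlaps are rejected rather than trimmed (RFC 791 allowed overlap, but a
    receiver has no way to tell a retransmission from a crafted fragment),
    gaps mean the datagram is incomplete, and nothing may exceed max_len."""
    buf = bytearray()
    prev_end = 0
    for offset, payload in sorted(fragments):
        end = offset + len(payload)
        if end > max_len:
            raise FragmentError(f"fragment runs past maximum datagram size: end={end}")
        if offset < prev_end:
            raise FragmentError(f"overlapping fragment: offset={offset} < previous end={prev_end}")
        if offset > prev_end:
            raise FragmentError(f"gap in fragments: offset={offset} > previous end={prev_end}")
        buf += payload
        prev_end = end
    return bytes(buf)


def check_datagram(fragments):
    """Return 'ok' or 'rejected: <reason>' for a set of fragments."""
    try:
        reassemble_hardened(fragments)
        return "ok"
    except FragmentError as exc:
        return f"rejected: {exc}"


# Constructed inputs.  TEARDROP: a 36-byte first fragment followed by a 4-byte
# fragment claiming offset 24, so it ends at 28, inside the first one.
TEARDROP = [(0, bytes(36)), (24, bytes(4))]
NORMAL = [(8, b"second!!"), (0, b"first!!!")]       # delivered out of order, no overlap

if __name__ == "__main__":
    print("vulnerable:", reassemble_vulnerable(TEARDROP))   # (None, -8)
    print("hardened:  ", check_datagram(TEARDROP))
    print("normal:    ", reassemble_hardened(NORMAL))
```

The vulnerable path reports a length of -8 for the crafted pair: the second fragment has been trimmed to nothing, yet the copy length is computed from the untrimmed end. The hardened path never reaches that subtraction because an offset smaller than the previous end is refused on sight, which is also the check the vendor patches for Teardrop, Bonk and Boink added.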
6. Further reading
- Incident Handling Step by Step: Unix Trojan Programs
- Denial of Service Attacks
- Defying Denial of Service Attacks
- The DDoS Project's "trinoo" distributed denial of service attack tool analysis
- The "stacheldraht" distributed denial of service attack tool analysis
- Technotronic DoS/DDoS ftp archive