Stop the DoS!

  1. #1
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001

    Post Stop the DoS!

    DoS, or Denial of Service, attacks first showed their ugly faces on the internet in the late 90's, taking down sites such as Yahoo, Amazon, eBay, E*Trade, ZDNet, CNN and so forth. This type of attack is so efficient because of its simplicity. Before we get into how to stop a DoS, we should first have an understanding of exactly what a DDoS is.

    A DoS is a type of attack technique that saturates the victim system with enormous network traffic to the point of unresponsiveness to the user. The DoS attack system is very simple, much like the client/server model of an ordinary IT system. The attack system involves three components: handler, agent and victim. The handler is the system or network of the person responsible for the attack. He then compromises a computer or set of computers (this is what makes the diff between DoS and DDoS), usually with a high-speed connection; these computers are his agents. The agents actually work as the attacking computers. Now, this is where things can get sticky. At this point, if the "handler" chooses to "spoof" the IPs of these computers, in turn hiding the identity of the attacking computers, he can, by editing the packet headers. This can make the task of stopping the attack much more involved. This will be covered herein.

    Nowadays, most security analysts are fully aware of and prepared for a DoS attack. Most larger networking companies have employed a special department in which they defend their network against these attacks, with a swiftness to avoid any collateral loss. Welcome to the NOC, or Network Operations Center.

    Like I said in an earlier post, which inspired this tutorial, it's as easy as 1, 2, 3: packet capture, determining the source (which, by the way, can prove to be the most trying part) and blocking the IP in question.

    Depending on the resources at hand, you may or may not be able to mirror instead of capturing. Mirroring allows the flow of data to continue as normal, or as normal as can be expected during an attack. Capturing would actually capture the packets from their current route. Before you can do this you must find out exactly where this data is coming from. There are a few different ways to do this. We actually have graphs measuring the incoming and outgoing PPS (packets per second). But if you don't, you can log into your router and run the "show interface" command, or "S in". This will display all the Ethernet cards, their subnets, and their incoming and outgoing PPS. That's what you will need to be looking for: incoming and outgoing data. One will be significantly greater than the other, on the same interface. This is the lightbulb above your head. Capture that interface/subnet/port.

    Once you have the data you can then analyse it. We'll use this excerpt from an attack I just stopped only minutes ago.

    1 2002-11-04 18:03:01.7384 -> HTTP Continuation
    2 2002-11-04 18:03:01.7384 -> TCP 27362 > 27470 [SYN] Seq=140073864 Ack=1701140270 Win=55391 Len=0
    3 2002-11-04 18:03:01.7384 -> TCP 59241 > 2920 [RST, ACK] Seq=0 Ack=186968011 Win=0 Len=0
    4 2002-11-04 18:03:01.7384 -> TCP 14530 > 6422 [SYN] Seq=480394252 Ack=921242601 Win=13696 Len=0
    5 2002-11-04 18:03:01.7384 -> TCP 45839 > 12004 [SYN] Seq=1375541492 Ack=1422001566 Win=31899 Len=0
    6 2002-11-04 18:03:01.7384 -> TCP 12053 > 19253 [SYN] Seq=1400035539 Ack=1067076072 Win=7781 Len=0
    7 2002-11-04 18:03:01.7384 -> TCP 37033 > 1051 [SYN] Seq=192960089 Ack=2008882033 Win=431 Len=0
    8 2002-11-04 18:03:01.7384 -> TCP 9616 > 22685 [SYN] Seq=1553251162 Ack=911558934 Win=55744 Len=0
    9 2002-11-04 18:03:01.7384 -> TCP 38506 > 42908 [SYN] Seq=1801709499 Ack=743178888 Win=14450 Len=0
    10 2002-11-04 18:03:01.7384 -> TCP 29970 > 51657 [SYN] Seq=797300689 Ack=630734721 Win=266 Len=0

    One can plainly see the attack packets, and one can also see the small amount of legit traffic going through this port, i.e. line one. HTTP Continuation: this is TCP breaking down the HTML for transport. You will also note the Seq=, or sequence number. This is TCP's way of saying how to put the data back together once it has reached its destination.

    One can also plainly see that the source IP has been spoofed (the addresses on the left). Those rascally Linux users. So, it seems that this particular attack is a SYN flood. Damn, at 1,000,000 packets per second our NetIrons can only take about 30 seconds of this before losing packets. At this point I can look at every frame's code, getting all kinds of useful data.

    Frame 4 (60 on wire, 60 captured)
    Arrival Time: Nov 4, 2002 18:03:01.738463000
    Time delta from previous packet: 0.000003000 seconds
    Time relative to first packet: 0.000009000 seconds
    Frame Number: 4
    Packet Length: 60 bytes
    Capture Length: 60 bytes
    Ethernet II
    Destination: 00:02:a5:ed:5d:b4 (00:02:a5:ed:5d:b4)
    Source: 00:e0:52:08:b8:bf (00:e0:52:08:b8:bf)
    Type: IP (0x0800)
    Trailer: C20000000000
    Internet Protocol, Src Addr: (, Dst Addr: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xbcae
    Flags: 0x00
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 97
    Protocol: TCP (0x06)
    Header checksum: 0xd305 (correct)
    Source: (
    Destination: (
    Transmission Control Protocol, Src Port: 14530 (14530), Dst Port: 6422 (6422), Seq: 480394252, Ack: 921242601
    Source port: 14530 (14530)
    Destination port: 6422 (6422)
    Sequence number: 480394252
    Header length: 20 bytes
    Flags: 0x0002 (SYN)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Window size: 13696
    Checksum: 0xc2ed (correct)

    If I go to Ethernet II and look at the source MAC, I see that it is the same as my NetIron. WTF! So, both the MAC AND the IP are wrong. What in God's name can I do?!
    In order to get the correct MAC addresses, I am going to block the destination at router level. That way, no traffic with the destination address in the packet can get in or out from that router/NetIron. (This also stops the attack.) So after router-level blocking has been implemented, I can re-capture that same port, then get the correct MAC address. So now that we have the correct MAC address, we can hopefully find out who is on that MAC. We do this by running a s arp ma 0000.0000.0000.0000. The router will then respond with the registered IP for that MAC. Then you block at backbone. And that should be the end of it. You should then unblock the destination at router level for normal traffic continuation.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2
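
The "analyse the capture" step from the first post, as an added example that is not part of the original thread: it parses summary lines in the format of the excerpt above and reports the signs the post reads off by eye. The function names and thresholds are assumptions chosen for illustration.

```python
import re

# First six summary lines of the capture excerpt in the post above (the
# addresses are missing there as well, so only ports and flags are parsed).
CAPTURE = """\
1 2002-11-04 18:03:01.7384 -> HTTP Continuation
2 2002-11-04 18:03:01.7384 -> TCP 27362 > 27470 [SYN] Seq=140073864 Ack=1701140270 Win=55391 Len=0
3 2002-11-04 18:03:01.7384 -> TCP 59241 > 2920 [RST, ACK] Seq=0 Ack=186968011 Win=0 Len=0
4 2002-11-04 18:03:01.7384 -> TCP 14530 > 6422 [SYN] Seq=480394252 Ack=921242601 Win=13696 Len=0
5 2002-11-04 18:03:01.7384 -> TCP 45839 > 12004 [SYN] Seq=1375541492 Ack=1422001566 Win=31899 Len=0
6 2002-11-04 18:03:01.7384 -> TCP 12053 > 19253 [SYN] Seq=1400035539 Ack=1067076072 Win=7781 Len=0
"""

TCP_RE = re.compile(
    r"TCP (\d+) > (\d+) \[([A-Z, ]+)\] Seq=(\d+) Ack=(\d+) Win=(\d+) Len=(\d+)")

def parse(capture):
    """Return (total frame count, list of parsed TCP segments)."""
    frames = [ln for ln in capture.splitlines() if ln.strip()]
    segs = []
    for ln in frames:
        m = TCP_RE.search(ln)
        if m:
            _sport, dport, flags, _seq, ack, _win, _length = m.groups()
            segs.append({"dport": int(dport), "ack": int(ack),
                         "flags": set(flags.split(", "))})
    return len(frames), segs

def syn_flood_report(capture, min_syn_ratio=0.6, min_port_spread=0.9):
    """Summarise SYN-flood indicators; the thresholds are assumed defaults."""
    total, segs = parse(capture)
    syns = [s for s in segs if s["flags"] == {"SYN"}]   # SYN with no ACK
    report = {
        "frames": total,
        "bare_syn": len(syns),
        "syn_ratio": len(syns) / total if total else 0.0,
        # Randomised targets: nearly every SYN goes to a different port.
        "port_spread": len({s["dport"] for s in syns}) / len(syns) if syns else 0.0,
        # ACK flag clear but acknowledgment field filled in: an ordinary
        # connection attempt leaves it zero (heuristic, assumed here).
        "syn_nonzero_ack": sum(1 for s in syns if s["ack"] != 0),
    }
    report["suspect"] = (report["syn_ratio"] >= min_syn_ratio and
                         (report["port_spread"] >= min_port_spread or
                          report["syn_nonzero_ack"] > len(syns) / 2))
    return report

if __name__ == "__main__":
    print(syn_flood_report(CAPTURE))
```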

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Excellent tut, Toker, however there is one item I feel needs further explanation which I do not understand. A well-orchestrated DoS attack comes from several, if not thousands, of client machines. How then is it possible to stop the attack by blocking incoming traffic from one IP or MAC address? There should be tons of source addresses...
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Thanks for the tut. Good job ToKeR

  4. #4
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Slip of the fingers. A DDoS is blocked by blocking many IPs, or by simply blocking the destination at router level until the attack has subsided.

    Hmmm... it appears I may have an anti-fan.
    HA, bite me, fanboy.
