Stop the DoS!

[Dr Toker]

DoS, or Denial of Service attacks first showed their ugly faces on the internet in the late 90's. Taking down sites such as Yahoo, Amazon, eBay, E*Trade, ZDNet, CNN and so forth. This type of attack is so efficient because of its simplicity. Before we get in to how to stop a DoS, we should first have an understanding as exactly what a DDoS is.

A DOS is a type of attack technique by saturating the victim system with enormous network traffic to the point of unresponsiveness to the user. The DOS attack system is very simple, much like the Client/Server model of ordinary IT system. The attack systems involved three system components: handler, agent and a victim. The Handler, being the system or network of the the person responsible for the attack. He then compromises a computer or set of computers(this is what makes the diff between dos and ddos.), usually with a high speed connection, theses computers are his Agents. The Agents acctually work as the attacking computers. Now, this is where things can get sticky. At this point if the "handler" chooses to "spoof" the Ip's of these computers, intern hiding the identity of the attacking computers, he can by editing the packet headers. This can make the task of stopping the attack, much more involved. This will be covered herein.



Now days, most security analysts are fully aware and prepared for a DoS attack. Most larger networking companies have employed a special department in which they defend their network against these attacks, with a swiftness to avoid any collateral loss. Welcome to the NOC, or Network Operations Center.

Like I said in an earlier post, which inspired this tutorial, its easy as 1,2,3. Packet capture, Determine source (which by the way can prove to be the most trying part) and blocking the IP in question.

1.)Capture/Mirror.
Depending on the recorces at hand you may or may not be able to mirror instead of capturing.Mirroring allows for the flow of data to continue as normal. Or as normal as can be expected during an attack. Captring would acctually Capture the packets from their current route. Before you can do this you must find out exaclty where this data is coming from. There are a few different ways to do this, we acctually have graphs, measuring the incoming and outgoing PPS.(packets per second). But if you dont, you can log into your router and run the "show interface" command, or "S in". This will display all the ethernet cards, and their subnets, and their incoming and outgoing PPS. Thats what you will need to be looking for, incoming and outgoing data. One will be significantly greater than the other, on the same interface. This is the lightbulb above your head. Capture that Interface/Subnet/port.

Once you have the data you can then analyse it. We'll use this excerpt from an attack I just stopped only minuets ago.

1 2002-11-04 18:03:01.7384 64.246.34.69 -> 65.94.243.180 HTTP Continuation
2 2002-11-04 18:03:01.7384 136.227.30.111 -> 64.246.34.23 TCP 27362 > 27470 [SYN] Seq=140073864 Ack=1701140270 Win=55391 Len=0
3 2002-11-04 18:03:01.7384 64.246.34.23 -> 148.26.121.107 TCP 59241 > 2920 [RST, ACK] Seq=0 Ack=186968011 Win=0 Len=0
4 2002-11-04 18:03:01.7384 56.1.47.14 -> 64.246.34.23 TCP 14530 > 6422 [SYN] Seq=480394252 Ack=921242601 Win=13696 Len=0
5 2002-11-04 18:03:01.7384 86.250.28.59 -> 64.246.34.23 TCP 45839 > 12004 [SYN] Seq=1375541492 Ack=1422001566 Win=31899 Len=0
6 2002-11-04 18:03:01.7384 16.243.206.39 -> 64.246.34.23 TCP 12053 > 19253 [SYN] Seq=1400035539 Ack=1067076072 Win=7781 Len=0
7 2002-11-04 18:03:01.7384 84.176.152.34 -> 64.246.34.23 TCP 37033 > 1051 [SYN] Seq=192960089 Ack=2008882033 Win=431 Len=0
8 2002-11-04 18:03:01.7384 160.192.40.27 -> 64.246.34.23 TCP 9616 > 22685 [SYN] Seq=1553251162 Ack=911558934 Win=55744 Len=0
9 2002-11-04 18:03:01.7384 151.231.199.108 -> 64.246.34.23 TCP 38506 > 42908 [SYN] Seq=1801709499 Ack=743178888 Win=14450 Len=0
10 2002-11-04 18:03:01.7384 27.18.80.51 -> 64.246.34.23 TCP 29970 > 51657 [SYN] Seq=797300689 Ack=630734721 Win=266 Len=0

One can plainly see the attack packets, and one can also see the small amout of legit traffic going to through this port. IE line one. HTTP continuation, this is TCP breaking down the HTML for transport. You will also note the Seq=, or sequence number. This is TCP's way of saying how to put the data back together once it has reached its destination.

One can also plainly see that the source IP has been spoofed.(the address' on the left.) Those rascally linux users. So, it seems that this paticular attack is a SYN flood. Damn, at 1,000,000 Packets per second our net Irons can only take about 30 seconds of this, before loosing packets. At this point i can look at every frames code. Getting all kinds of usfull data.

Frame 4 (60 on wire, 60 captured)
Arrival Time: Nov 4, 2002 18:03:01.738463000
Time delta from previous packet: 0.000003000 seconds
Time relative to first packet: 0.000009000 seconds
Frame Number: 4
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II
Destination: 00:02:a5:ed:5d:b4 (00:02:a5:ed:5d:b4)
Source: 00:e0:52:08:b8:bf (00:e0:52:08:b8:bf)
Type: IP (0x0800)
Trailer: C20000000000
Internet Protocol, Src Addr: 56.1.47.14 (56.1.47.14), Dst Addr: 64.246.34.23 (64.246.34.23)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0xbcae
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 97
Protocol: TCP (0x06)
Header checksum: 0xd305 (correct)
Source: 56.1.47.14 (56.1.47.14)
Destination: 64.246.34.23 (64.246.34.23)
Transmission Control Protocol, Src Port: 14530 (14530), Dst Port: 6422 (6422), Seq: 480394252, Ack: 921242601
Source port: 14530 (14530)
Destination port: 6422 (6422)
Sequence number: 480394252
Header length: 20 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 13696
Checksum: 0xc2ed (correct)

If i go to ethernet 2, and look at the source MAC i see that it is the same as my NetIron. WTF! So, both the Mac AND the Ip are wrong. What in gods name can i do?!
In order to get the correct Mac Address', I am going to block the Destination at router level. That Way, no traffic can get in or out from that router/NetIron with the destination address, 64.246.34.23 in the packet.(This also stops the attack.) So after router level blocking has been implemented, I can re-capture that same port, then getting the correct MAC address. So now that we have the correct mac address, we can hopefully find out who is on that MAC. We do this by running a s arp ma 0000.0000.0000.0000. The router will then respond with the registered Ip for that mac. Then you block at backbone. And that should be the end of it.You should then Unblock the destination 64.246.34.23 at router level for normal traffic continuation.

[Striek]

Excellent tut, Toker, however there is one item I feel needs further explanation which I do not understand. A well-orchestrated DoS attack comes from several, if not thousands, of client machines. How then is it possible to stop the attack by blocking incoming traffic from one IP or MAC address? There should be tons of source adresses...

[GrApHiCTrOn]

thanks for the tut. Good job ToKeR

[Dr Toker]

Slip of the fingers. A DDOS is block by blocking many Ip's. Or by simply blocking destination at router level until the attack has subsided.


Hmmm... it appears i may have an anti fan.
HA bite me fanboy.