DDoS: A look back from 2003
Dave Dittrich
The Information School / Computing & Communications, University of Washington
I2 DDoS Workshop - August 6/7 2003
Dec 14, 2015
Overview
• Why DoS?
• How DoS?
• The DDoS Landscape
• Attack tools over time
• Impacts on response
http://staff.washington.edu/dittrich/talks/I2-ddos.ppt
Why DoS?
• “An Introduction to Denial of Service,” Hans Husman, 1996
  http://packetstormsecurity.nl/docs/hack/denial.txt
• Sub-cultural status
• To gain access
• Revenge
• Political reasons
• Economic reasons
• Nastiness
Reality - Politics
• Brazilian government attacks (2000)
• India/Pakistani conflict - Yaha worm (2002)
  http://www.vnunet.com/News/1133119
• Al Jazeera web site (2003)
  http://www.infoworld.com/article/03/03/26/HNjazeera_1.html
Reality - Economics
• British Telecom (2000)
  “This is my payback to BT for ripping this country off.”
  http://www.theregister.co.uk/content/1/12097.html
• CloudNine (2001)
  http://www.wired.com/news/business/0,1367,50171,00.html
Reality - Nastiness/Status/???
• Register.com reflected DNS attack (Jan. 2001)
• www.whitehouse.gov attack (May 2001)
12:21:36 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
12:29:29 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
• Code Red attacks www.whitehouse.gov (July 2001)
• Steve Gibson “discovers” reflected DoS (Jan. 2002)
• Root DNS servers (Oct. 2002)
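The two IIS log lines above show traversal requests that the server answered with a 200. As an added example that is not part of the slides, here is a small Python detector over constructed log lines in the same format; the client IPs and the double-encoded request are made up, and the only real pattern reused is the /scripts/../../winnt/system32/ path from the slide.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample in the shape of the IIS log excerpt on the slide:
# time, client IP, method, URI, status. IPs and the %255c request are made up.
SAMPLE_LOG = """\
12:21:36 203.0.113.7 GET /scripts/../../winnt/system32/ping.exe 200
12:29:29 203.0.113.7 GET /scripts/../../winnt/system32/ping.exe 200
12:30:02 198.51.100.9 GET /index.html 200
12:31:15 203.0.113.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 404
12:32:40 192.0.2.44 GET /images/logo.gif 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def decode_path(uri):
    """Drop the query string, percent-decode until stable (catches double
    encoding such as %255c) and fold backslashes so '..' segments compare literally."""
    path, prev = uri.split("?", 1)[0], None
    while path != prev:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def analyze(log_text):
    """Return {client_ip: [(status, resolved_path), ...]} for requests whose
    decoded path contains a '..' segment; no request to a web root needs one."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole file
        _time, ip, _method, uri, status = m.groups()
        path = decode_path(uri)
        if ".." in path.split("/"):
            hits[ip].append((int(status), normpath(path)))
    return dict(hits)


def served_traversals(hits):
    """Per client IP, count traversal requests answered with 200: the server
    served (or executed) something outside the web tree, so treat as compromise."""
    counts = {ip: sum(1 for s, _ in recs if s == 200) for ip, recs in hits.items()}
    return {ip: n for ip, n in counts.items() if n}
```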
Reality for I2
• Sept. 9, 1999
  • 40-200+ Mbps HDTV stream from UW to Stanford (“speed record”)
    http://abcnews.go.com/ABC2000/abc2000tech/internettwo991013.html
• Sept. 17, 1999
  • DDoS against UMN (trin00)
  • Total hosts: 2,200 up to 5,000
  • Out of 227 at one point, 114 at I2 sites (37 at UW)
  • New speed record?
    http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
How DoS (remotely)?
• Consume host resources
  • Memory
  • Processor cycles
  • Network state
• Consume network resources
  • Bandwidth
  • Router resources (it’s a host too!)
• Exploit protocol vulnerabilities
  • Poison ARP cache
  • Poison DNS cache
• Etc…
Targets of attack
• End hosts
• Critical servers (disrupt C/S network)
  • Web, File, Authentication, Update
  • DNS
• Infrastructure
  • Routers within org
  • All routers in upstream path
Attack tools over time
[Figure: CERT/CC chart of attack sophistication (low to high) versus intruder knowledge, 1980-2001. Tools labelled along the curve: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption. Source: CERT/CC]
(D)DoS tools over time
• 1996 - Point-to-point
• 1997 - Combined
• 1998 - Distributed (small, C/S)
• 1999 - Add encryption, covert channel comms, shell features, auto-update, bundled w/rootkit
• 2000 - Speed ups, use of IRC for C&C
• 2001 - Added scanning, BNC, IRC channel hopping
• 2002 - Added reflection attack, closed port back door, Worms include DDoS features
• 2003 - IPv6 (back to 1996…)
Up to 1996
• Point-to-point (single threaded)
• SYN flood
• Fragmented packet attacks
• “Ping of Death”
• “UDP kill”
1997
• Combined attacks
  • Targa
    bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke
  • Rape
    teardrop v2, newtear, boink, bonk, frag, fucked, troll icmp, troll udp, nestea2, fusion2, peace keeper, arnudp, nos, nuclear, sping, pingodeth, smurf, smurf4, land, jolt, pepsi
1998
• fapi (May 1998)
  • UDP, TCP (SYN and ACK), ICMP Echo, "Smurf" extension
  • Runs on Windows and Unix
  • UDP comms
  • One client spoofs src, the other does not
  • Built-in shell feature
  • Not designed for large networks (<10)
  • Not easy to setup/control network
• fuck_them (ADM Crew, June 1998)
  • Agent written in C; Handler is a shell script
  • ICMP Echo Reply flooder
  • Control traffic uses UDP
  • Can randomize source to R.R.R.R (where 0<=R<=255)
1999
• More robust and functional tools
  • trin00, Stacheldraht, TFN, TFN2K
• Multiple attacks (TCP SYN flood, TCP ACK flood, UDP flood, ICMP flood, Smurf…)
• Added encryption to C&C
• Covert channel
• Shell features common
• Auto-update
2000
• More floods (ip-proto-255, TCP NULL flood…)
• Pre-convert IP addresses of 16,702 smurf amplifiers
  • Stacheldraht v1.666
• Bundled into rootkits (tornkit includes stacheldraht)
  http://www.cert.org/incident_notes/IN-2000-10.html
• Full control (multiple users, by nick, with talk and stats)
  • Omegav3
• Use of IRC for C&C
  • Knight
  • Kaiten
• IPv6 DDoS
  • 4to6 (doesn’t require IPv6 support)
2001
• Worms include DDoS features
  • Code Red (attacked www.whitehouse.gov)
  • Linux “lion” worm (TFN)
• Added scanning, BNC, IRC channel hopping (“Blended threats” term coined in 1999 by AusCERT)
  • “Power” bot
  • Modified “Kaiten” bot
• Include time synchronization (?!!)
• Leaves worm
Power bot
foo: oh damn, its gonna own shitloads
foo: on start of the script it will erase everything that it has
foo: then scan over
foo: they only reboot every few weeks anyways
foo: and it will take them 24 hours to scan the whole ip range
foo: !scan status
Scanner[24]:[SCAN][Status: ][IP: XX.X.XX.108][Port: 80][Found: 319]
Scanner[208]:[SCAN][Status: ][IP: XXX.X.XXX.86][Port: 80][Found: 320]
. . .
foo: almost 1000 and we aren't even close
foo: we are gonna own more than we thought
foo: i bet 100thousand
[11 hours later]
Scanner[129]: [SCAN][Status: ][IP: XXX.X.XXX.195][Port: 80][Found: 34]
Scanner[128]: [SCAN][Status: ][IP: XXX.X.XXX.228][Port: 80][Found: 67]
Scanner[24]: [SCAN][Status: ][IP: XX.XX.XX.42][Port: 80][Found: 3580]
Scanner[208]: [SCAN][Status: ][IP: XXX.XXX.XXX.156][Port: 80][Found: 3425]
Scanner[65]: [SCAN][Status: ][IP: XX.XX.XXX.222][Port: 80][Found: 3959]
bar: cool
2002
• Distributed reflected attack tools
  • d7-pH-orgasm
  • drdos (reflects NBT, TCP SYN :80, ICMP)
• Reflected DNS attacks, stealthy (NVP protocol) and encoded covert channel comms, closed port back door
  • Honeynet Project Reverse Challenge binary
    http://project.honeynet.org/reverse/results/project/020601-Analysis-IP-Proto11-Backdoor.pdf
2003
• Slammer worm (effectively a DDoS on local infrastructure)
• Windows RPC DCOM insertion vector for “blended threat” (CERT reports “thousands”)
• More IPv6 DoS (requires IPv6 this time)
  • ipv6fuck, icmp6fuck
Types of attack traffic
• Direct
  • Large packet flood (frag)
  • Small packet flood
  • TCP, UDP, ICMP, IGMP, ip-proto-255…
• Spoofed source
  • Full 32 bits
  • /24
• Reflected
  • Smurf
  • DNS
Types of control traffic
• Point to point
  • TCP (connection oriented)
  • TCP, UDP, ICMP, NVP, etc. (connectionless)
• IRC channel(s)
  • Static
  • Dynamic (“frequency hopping”)
• Autonomous (worms)
• Indirect
  • Random or “bogus” dst w/sniffing
  • Reflected?
  • Time delayed?
Advanced features
• More efficient
• Harder to detect
• Harder to analyze
• “Blended threat”
Reflection
• Hard to prevent (for reflectors)
• Hard to filter (for victims or reflectors)
• Hard to trace back
• Traffic analysis necessary
Demands on Response
• “Whack a port” now common
  • How to notify?
  • How to shut off 800 ports?
• Wipe/re-install always common
  • Fast, but provides no information
  • High recurrence rate
• High bandwidth & monitoring
• Liability lawsuits any day now?
http://www.ddos-ca.org/
Creative detection
• One to many/many to many inbound connections to new “servers”
• Many to one/many to many new outbound connections to servers
• New service ports on many internal hosts
• New protocols or new traffic volumes on existing protocols
• Honeynets & Honeypots
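The first three detection heuristics on this slide (one-to-many inbound, many-to-one outbound, new service ports on many hosts) can be applied directly to connection records. As an added example that is not from the slides, the Python below runs them over a constructed set of (src, dst, dport) flows; the 10.0.0.0/8 site prefix, the baseline of known listeners and the thresholds are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed site prefix (constructed)

# Assumed baseline of known listening services: (internal host, port).
BASELINE = {("10.1.1.5", 80), ("10.1.1.6", 25)}

# Constructed connection records (src, dst, dport). Documentation-range
# addresses play the external side; 10.x hosts are internal.
FLOWS = [
    ("198.51.100.4", "10.1.1.5", 80),                                  # normal web hit
    ("203.0.113.9", "10.1.2.10", 80), ("203.0.113.9", "10.1.2.11", 80),  # one external
    ("203.0.113.9", "10.1.2.12", 80), ("203.0.113.9", "10.1.2.13", 80),  # source, many hosts
    ("10.1.2.10", "192.0.2.50", 6667), ("10.1.2.11", "192.0.2.50", 6667),  # many hosts to
    ("10.1.2.12", "192.0.2.50", 6667), ("10.1.2.13", "192.0.2.50", 6667),  # one IRC server
    ("10.1.2.10", "10.1.1.6", 25),                                     # internal mail
    ("203.0.113.9", "10.1.2.10", 31337), ("203.0.113.9", "10.1.2.11", 31337),
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def new_inbound_services(flows, baseline, min_hosts=3):
    """Ports on which at least min_hosts internal hosts accepted inbound
    connections outside the baseline: 'new service ports on many internal hosts'."""
    hosts_by_port = defaultdict(set)
    for src, dst, dport in flows:
        if not is_internal(src) and is_internal(dst) and (dst, dport) not in baseline:
            hosts_by_port[dport].add(dst)
    return {p: sorted(h) for p, h in hosts_by_port.items() if len(h) >= min_hosts}


def one_to_many_inbound(flows, min_hosts=3):
    """External sources reaching many distinct internal hosts (scanning or
    mass connection to freshly installed 'servers')."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if not is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_hosts}


def many_to_one_outbound(flows, min_hosts=3):
    """External (dst, port) contacted by many internal hosts: the rendezvous
    pattern of IRC-based C&C described in the timeline slides."""
    clients = defaultdict(set)
    for src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            clients[(dst, dport)].add(src)
    return {k: len(c) for k, c in clients.items() if len(c) >= min_hosts}
```

Raising the thresholds, or keying the baseline on observed history rather than a static set, is what turns this from a demo into something usable on real flow exports.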