DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/7 2003
Dec 14, 2015

Download

Documents

Dylan Hickmon
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: DDoS: A look back from 2003

Dave Dittrich
The Information School / Computing & Communications
University of Washington

I2 DDoS Workshop - August 6/7 2003

Page 2: Overview

• Why DoS?

• How DoS?

• The DDoS Landscape

• Attack tools over time

• Impacts on response

http://staff.washington.edu/dittrich/talks/I2-ddos.ppt

Page 3: Why DoS?

• “An Introduction to Denial of Service,” Hans Husman, 1996 http://packetstormsecurity.nl/docs/hack/denial.txt

• Sub-cultural status
• To gain access
• Revenge
• Political reasons
• Economic reasons
• Nastiness

Page 4: (no extracted text)

Page 5: Reality - Politics

• Brazilian government attacks (2000)
• India/Pakistani conflict - Yaha worm (2002) http://www.vnunet.com/News/1133119
• Al Jazeera web site (2003) http://www.infoworld.com/article/03/03/26/HNjazeera_1.html

Page 6: Reality - Economics

• British Telecom (2000) “This is my payback to BT for ripping this country off.” http://www.theregister.co.uk/content/1/12097.html
• CloudNine (2001) http://www.wired.com/news/business/0,1367,50171,00.html

Page 7: Reality - Nastiness/Status/???

• Register.com reflected DNS attack (Jan. 2001)
• www.whitehouse.gov attack (May 2001)

12:21:36 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200

12:29:29 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200

• Code Red attacks www.whitehouse.gov (July 2001)
• Steve Gibson “discovers” reflected DoS (Jan. 2002)
• Root DNS servers (Oct. 2002)
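The two log entries above show the attacking host pulling ping.exe out of the web root through a path-traversal request. As an added example (not from the talk), this script parses constructed IIS-style log lines of that shape and flags traversal requests that reached a Windows system directory, so the pattern can be found in a defender's own web logs; the sample lines, the `/winnt/` and `/windows/` directory list, and the log layout are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the same layout as the two entries on the slide
# (time, client IP, method, URI, status). The last two lines are benign controls:
# a normal page fetch and a traversal attempt the server refused (404).
SAMPLE_LOG = """\
12:21:36 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
12:29:29 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
12:30:02 202.102.14.137 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe 200
12:31:10 10.0.0.7 GET /index.html 200
12:31:11 10.0.0.7 GET /scripts/../../winnt/system32/ping.exe 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SYSTEM_DIRS = ("/winnt/", "/windows/")   # assumed directories that should never be served


def normalize(uri: str) -> str:
    """Percent-decode the URI and unify path separators so encoded variants match too."""
    return unquote(uri).replace("\\", "/").lower()


def is_traversal_to_system_dir(uri: str) -> bool:
    """True when the request climbs out of the web root into a system directory."""
    u = normalize(uri)
    return "/../" in u and any(d in u for d in SYSTEM_DIRS)


def find_traversal_hits(log_text: str):
    """Return (time, client, uri, status) for every traversal request, served or not."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        when, client, _method, uri, status = m.groups()
        if is_traversal_to_system_dir(uri):
            hits.append((when, client, uri, int(status)))
    return hits


def clients_with_successful_traversal(log_text: str):
    """Clients whose traversal request was actually answered with 200: the ones to act on."""
    return sorted({c for _t, c, _u, s in find_traversal_hits(log_text) if s == 200})


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit)
    print(clients_with_successful_traversal(SAMPLE_LOG))
```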

Page 8: Reality for I2

• Sept. 9, 1999
  • 40-200+ Mbps HDTV stream from UW to Stanford (“speed record”) http://abcnews.go.com/ABC2000/abc2000tech/internettwo991013.html
• Sept. 17, 1999
  • DDoS against UMN (trin00)
  • Total hosts: 2,200 up to 5,000
  • Out of 227 at one point, 114 at I2 sites (37 at UW)
  • New speed record? http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt

Page 9: How DoS (remotely)?

• Consume host resources
  • Memory
  • Processor cycles
  • Network state
• Consume network resources
  • Bandwidth
  • Router resources (it’s a host too!)
• Exploit protocol vulnerabilities
  • Poison ARP cache
  • Poison DNS cache
• Etc…

Page 10: Targets of attack

• End hosts
• Critical servers (disrupt C/S network)
  • Web, File, Authentication, Update
  • DNS
• Infrastructure
  • Routers within org
  • All routers in upstream path

Page 11: The DDoS Landscape

Page 12: Stepping Stones

Page 13: Internet Relay Chat (IRC)

Page 14: IRC w/Bots&BNCs

Page 15: Distributed Denial of Service (DDoS) Networks

Page 16: DDoS Network

http://www.adelphi.edu/~spock/lisa2000-shaft.pdf

Page 17: You are here…

Page 18: Typical DDoS attack

Page 19: DDoS Attack Traffic (1)

One Day Traffic Graph

Page 20: DDoS Attack Traffic (2)

One Week Traffic Graph

Page 21: DDoS Attack Traffic (3)

One Year Traffic Graph

Page 22: Attack tools over time

[Figure: CERT/CC chart of attack sophistication (Low to High) against intruder knowledge, 1980-2001. Tools appear in rough order of arrival: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption. Source: CERT/CC]

Page 23: (D)DoS tools over time

• 1996 - Point-to-point
• 1997 - Combined
• 1998 - Distributed (small, C/S)
• 1999 - Add encryption, covert channel comms, shell features, auto-update, bundled w/rootkit
• 2000 - Speed ups, use of IRC for C&C
• 2001 - Added scanning, BNC, IRC channel hopping
• 2002 - Added reflection attack, closed port back door, Worms include DDoS features
• 2003 - IPv6 (back to 1996…)

Page 24: Up to 1996

• Point-to-point (single threaded)
  • SYN flood
  • Fragmented packet attacks
  • “Ping of Death”
  • “UDP kill”

Page 25: 1997

• Combined attacks
  • Targa: bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke
  • Rape: teardrop v2, newtear, boink, bonk, frag, fucked, troll icmp, troll udp, nestea2, fusion2, peace keeper, arnudp, nos, nuclear, sping, pingodeth, smurf, smurf4, land, jolt, pepsi

Page 26: 1998

• fapi (May 1998)
  • UDP, TCP (SYN and ACK), ICMP Echo, "Smurf" extension
  • Runs on Windows and Unix
  • UDP comms
  • One client spoofs src, the other does not
  • Built-in shell feature
  • Not designed for large networks (<10)
  • Not easy to setup/control network
• fuck_them (ADM Crew, June 1998)
  • Agent written in C; Handler is a shell script
  • ICMP Echo Reply flooder
  • Control traffic uses UDP
  • Can randomize source to R.R.R.R (where 0<=R<=255)

Page 27: 1999

• More robust and functional tools
  • trin00, Stacheldraht, TFN, TFN2K
• Multiple attacks (TCP SYN flood, TCP ACK flood, UDP flood, ICMP flood, Smurf…)
• Added encryption to C&C
• Covert channel
• Shell features common
• Auto-update

Page 28: 2000

• More floods (ip-proto-255, TCP NULL flood…)
• Pre-convert IP addresses of 16,702 smurf amplifiers
  • Stacheldraht v1.666
• Bundled into rootkits (tornkit includes stacheldraht) http://www.cert.org/incident_notes/IN-2000-10.html
• Full control (multiple users, by nick, with talk and stats)
  • Omegav3
• Use of IRC for C&C
  • Knight
  • Kaiten
• IPv6 DDoS
  • 4to6 (doesn’t require IPv6 support)

Page 29: Single host in DDoS

Page 30: 2001

• Worms include DDoS features
  • Code Red (attacked www.whitehouse.gov)
  • Linux “lion” worm (TFN)
• Added scanning, BNC, IRC channel hopping (“Blended threats” term coined in 1999 by AusCERT)
  • “Power” bot
  • Modified “Kaiten” bot
• Include time synchronization (?!!)
  • Leaves worm

Page 31: Power bot

foo: oh damn, its gonna own shitloads

foo: on start of the script it will erase everything that it has

foo: then scan over

foo: they only reboot every few weeks anyways

foo: and it will take them 24 hours to scan the whole ip range

foo: !scan status

Scanner[24]:[SCAN][Status: ][IP: XX.X.XX.108][Port: 80][Found: 319]

Scanner[208]:[SCAN][Status: ][IP: XXX.X.XXX.86][Port: 80][Found: 320]

. . .

foo: almost 1000 and we aren't even close

foo: we are gonna own more than we thought

foo: i bet 100thousand

[11 hours later]

Scanner[129]: [SCAN][Status: ][IP: XXX.X.XXX.195][Port: 80][Found: 34]

Scanner[128]: [SCAN][Status: ][IP: XXX.X.XXX.228][Port: 80][Found: 67]

Scanner[24]: [SCAN][Status: ][IP: XX.XX.XX.42][Port: 80][Found: 3580]

Scanner[208]: [SCAN][Status: ][IP: XXX.XXX.XXX.156][Port: 80][Found: 3425]

Scanner[65]: [SCAN][Status: ][IP: XX.XX.XXX.222][Port: 80][Found: 3959]

bar: cool

Page 32: 2002

• Distributed reflected attack tools
  • d7-pH-orgasm
  • drdos (reflects NBT, TCP SYN :80, ICMP)
• Reflected DNS attacks, stealthy (NVP protocol) and encoded covert channel comms, closed port back door
  • Honeynet Project Reverse Challenge binary http://project.honeynet.org/reverse/results/project/020601-Analysis-IP-Proto11-Backdoor.pdf

Page 33: 2003

• Slammer worm (effectively a DDoS on local infrastructure)

• Windows RPC DCOM insertion vector for “blended threat” (CERT reports “thousands”)

• More IPv6 DoS (requires IPv6 this time)
  • ipv6fuck, icmp6fuck

Page 34: Types of attack traffic

• Direct
  • Large packet flood (frag)
  • Small packet flood
  • TCP, UDP, ICMP, IGMP, ip-proto-255…
• Spoofed source
  • Full 32 bits
  • /24
• Reflected
  • Smurf
  • DNS

Page 35: Types of control traffic

• Point to point
  • TCP (connection oriented)
  • TCP, UDP, ICMP, NVP, etc. (connectionless)
• IRC channel(s)
  • Static
  • Dynamic (“frequency hopping”)
• Autonomous (worms)
• Indirect
  • Random or “bogus” dst w/sniffing
  • Reflected?
  • Time delayed?

Page 36: Advanced features

• More efficient

• Harder to detect

• Harder to analyze

• “Blended threat”

Page 37: Reflection

• Hard to prevent (for reflectors)

• Hard to filter (for victims or reflectors)

• Hard to trace back

• Traffic analysis necessary

Page 38: Demands on Response

• “Whack a port” now common
  • How to notify?
  • How to shut off 800 ports?
• Wipe/re-install always common
  • Fast, but provides no information
  • High recurrence rate
• High bandwidth & monitoring
• Liability lawsuits any day now? http://www.ddos-ca.org/

Page 39: Creative detection

• One to many/many to many inbound connections to new “servers”

• Many to one/many to many new outbound connections to servers

• New service ports on many internal hosts

• New protocols or new traffic volumes on existing protocols

• Honeynets & Honeypots
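The heuristics on this slide are simple enough to run over flow summaries. As an added example (not from the talk), the following Python applies two of them, many internal hosts making new outbound connections to the same server and a new service port appearing on many internal hosts, to constructed flow records; the internal prefix, the baseline port set, the thresholds and the sample flows are all assumptions.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10.1."                 # assumed internal address range
KNOWN_SERVICE_PORTS = {25, 53, 80, 443}   # assumed baseline of ports internal hosts serve

# Constructed flow summaries (src, dst, dst_port), not taken from the talk: four
# internal hosts newly talking to one outside host on an IRC port, and three
# internal hosts newly answering on a port that is not in the baseline.
SAMPLE_FLOWS = [
    ("10.1.2.10", "198.51.100.9", 6667), ("10.1.2.11", "198.51.100.9", 6667),
    ("10.1.2.12", "198.51.100.9", 6667), ("10.1.3.40", "198.51.100.9", 6667),
    ("10.1.2.10", "203.0.113.5", 443),   ("10.1.2.11", "203.0.113.5", 443),
    ("203.0.113.77", "10.1.2.10", 27374), ("203.0.113.77", "10.1.2.11", 27374),
    ("203.0.113.78", "10.1.3.40", 27374), ("203.0.113.80", "10.1.2.12", 80),
]


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def outbound_fan_in(flows, min_hosts=3):
    """Many-to-one: distinct internal hosts all connecting out to the same external
    (ip, port). Returns {(ip, port): host_count} for pairs at or above the threshold."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            seen[(dst, port)].add(src)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_hosts}


def new_inbound_service_ports(flows, min_hosts=2):
    """New service ports: external clients reaching a port outside the baseline on
    several internal hosts. Returns {port: sorted internal hosts} at or above threshold."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if not is_internal(src) and is_internal(dst) and port not in KNOWN_SERVICE_PORTS:
            seen[port].add(dst)
    return {p: sorted(h) for p, h in seen.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print("outbound fan-in:", outbound_fan_in(SAMPLE_FLOWS))
    print("new inbound service ports:", new_inbound_service_ports(SAMPLE_FLOWS))
```

The thresholds are deliberately low for the small sample; on real flow data they should be set from a baseline so that legitimate shared services (update servers, mail relays) do not trip the first check.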

Page 40: FIN

“You may have paid for the hardware, but do you really own your network?”

• For more information:
  http://packetstormsecurity.nl/distributed/
  http://staff.washington.edu/dittrich/talks/core02/
  http://staff.washington.edu/misc/ddos/
  dittrich (at) u.washington.edu