Network Security (CP33925)

DoS and DDoS

Pusan National University, College of Engineering, School of Computer Science and Engineering

What we'll learn today …

 DoS Attack

 DDoS Attack

 DoS and DDoS attack countermeasures

Understanding DoS attacks

 DoS (Denial of Service)

. An attack that sends a target more data than it is able to accept, exceeding the capacity of the user or the network so that the target can no longer operate normally

 DoS Attack Features

. Destruction: Disks, Data, System Destruction

. System resource depletion: Heavy load due to excessive use of CPU, memory, disk

. Network resource depletion: Depletion of network bandwidth with garbage data

Ping of Death Attack (1/6)

 Ping of Death Attack

. Use ping to make ICMP packets much larger than normal

. The large packets are routed through the network and are broken into very small pieces on the way to the target network

. The target has to reassemble far more fragments than usual, so the load is much higher than for a normal ping

 Why is a packet fragmented before delivery?

. Packets are forwarded across networks that do not all have the same characteristics

• If each network has a different maximum packet size, and that size is small on one of them, the data is split into correspondingly smaller pieces

. Once fragmented, packets are not merged back together in transit

• Re-growing a packet would require the router to store it and reassemble it with the data that arrives next, which causes a load that is fatal to router performance

Ping of Death Attack (2/6)

 Packet Segmentation

[Figure: one datagram (Header, Data, FCS) split into three fragments 1/3, 2/3 and 3/3, each carrying its own Header and FCS]

. Set the maximum length of ICMP packets to 65,500 bytes

. When you ping with this maximum size of 65,500 bytes, the packet is split into segments

. If the maximum transmissible packet length on a network along the path is 100 bytes, one packet is divided into 655 packets

Ping of Death Attack (3/6)

 Practice Environment

. Attacker system: Ubuntu desktop 14

. Attack target system: Windows server 2012

. Need hping3, Wireshark

 Procedure

. Installing hping3

sudo apt-get install hping3

. Performing Ping of Death Attacks

Ping of Death Attack (4/6)

 Procedure

. Analyzing Ping of Death Attacks

• Capture a packet sent from Ubuntu desktop 14 (attacker) to Windows Server 2012 (attack target) using Wireshark

Ping of Death Attack (5/6)

 Procedure

. Analyzing Ping of Death Attacks

• Confirm the details of packet number 724 on Windows Server 2012 using Wireshark

Ping of Death Attack (6/6)

 Security Countermeasures

. Drop ICMP packets once more than a certain number have arrived in a short period

. The most common countermeasure is applying vendor patches

SYN Flooding (1/7)

 SYN Flooding

. Impersonates clients that do not exist in order to fill the limited number of connections a server can hold, so that other users cannot be served

 Understanding SYN Flooding Attacks

① The attacker sends a large number of SYN packets to the server
② The server sends a SYN/ACK packet back for each SYN packet it received
③ The server never receives an ACK for the SYN/ACK packets it sent
④ The server keeps waiting for the sessions to complete, and the attack succeeds

. The server waits for the ACK packet in the 'SYN Received' state

Server                Max. No. of Clients
IIS Server 5.0        100,000
Apache Server         150
FTP, Telnet Server    10 100

SYN Flooding (2/7)

 Practice Environment

. Attacker system: Ubuntu desktop 14

. Attack target system: Windows server 2012

. Need hping3

 Procedure

. Getting started with Web services

• Install IIS on the victim machine

SYN Flooding (3/7)

 Procedure

. Performing SYN Flooding attacks

• Using hping3, a large number of packets is sent in a very short time, so the SYN flooding attack is easy to perform

hping3 --rand-source 192.168.0.100 -p 80 -S

-p 80: send the packets to port 80
-S: send only the SYN flag of the TCP packets

SYN Flooding (4/7)

 Procedure

. Identifying packets of SYN flooding attacks

• Capture packets sent by hping3 to the victim machine using Wireshark

SYN Flooding (5/7)

 Procedure

. Identifying attacks

• Confirm that you are under attack using netstat, which shows information about the currently open sessions

netstat -an

SYN Flooding (6/7)

 Procedure

. Identifying attacks

• If many connections from multiple IPs sit in the SYN_RECV state, normal connections to the web server are no longer possible
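The netstat check described above, automated: an added example (not from the slides) that parses constructed `netstat -an` output, counts half-open connections to port 80 and flags the flood. The sample lines, addresses and threshold are constructed.

```python
from collections import Counter

# Constructed `netstat -an` output in Windows layout (Linux layout is handled too);
# the four SYN_RECEIVED rows are what a SYN flood against port 80 looks like.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.100:80       10.0.0.7:50211         ESTABLISHED
  TCP    192.168.0.100:80       203.0.113.9:40001      SYN_RECEIVED
  TCP    192.168.0.100:80       198.51.100.4:40002     SYN_RECEIVED
  TCP    192.168.0.100:80       203.0.113.9:40003      SYN_RECEIVED
  TCP    192.168.0.100:80       192.0.2.77:40004       SYN_RECEIVED
  UDP    0.0.0.0:123            *:*
"""

HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}   # Windows and Linux spellings of the state

def parse_netstat(text):
    """Return one dict per TCP row: local endpoint, remote IP, remote port, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].upper().startswith("TCP"):
            continue                      # header, blank and UDP lines carry no TCP state
        if len(parts) == 4:               # Windows: Proto Local Foreign State
            local, foreign, state = parts[1:4]
        elif len(parts) >= 6:             # Linux: Proto Recv-Q Send-Q Local Foreign State
            local, foreign, state = parts[3:6]
        else:
            continue
        ip, _, port = foreign.rpartition(":")
        rows.append({"local": local, "remote_ip": ip, "remote_port": port, "state": state})
    return rows

def half_open_summary(rows, local_port="80"):
    """Count half-open connections to one local port and which remote IPs hold them."""
    half = [r for r in rows
            if r["state"] in HALF_OPEN and r["local"].endswith(":" + local_port)]
    return {"half_open": len(half), "sources": Counter(r["remote_ip"] for r in half)}

def syn_flood_suspected(summary, threshold):
    """Flag when the half-open count reaches the threshold. With --rand-source the
    sources are spread thin, so the total matters more than any single IP's count."""
    return summary["half_open"] >= threshold
```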

SYN Flooding (7/7)

 SYN Flooding Security Countermeasures

. Installing System Patches

. Install Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)

. If it recognizes an attack that sends the same type of packet repeatedly in a short time, it blocks connections from the corresponding IP address range, or blocks them at the router

. Use encryption in the SYN+ACK packet the server sends to the client: a Syn_Cookie generates a sequence number that carries authentication information

① When a SYN packet arrives from a client, put a Syn_Cookie containing simple authentication information in the sequence number and close the session
② When the client sends an ACK whose value contains the Syn_Cookie, the server reopens the session and starts communicating

Wait time per server after receiving SYN

Server            Waiting Time
Windows NT/2K     255 sec
Unix              60 sec
Apache            300 sec (/etc/httpd.conf)
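The Syn_Cookie idea in steps ① and ② above, worked through as an added example (not the slides' code and not any real kernel's layout): the server encodes a time slot, an MSS index and a keyed hash into the SYN+ACK sequence number, keeps no state, and only rebuilds the session when an ACK carrying a valid cookie returns. The secret, bit layout, MSS table and addresses are constructed.

```python
import hashlib
import hmac

MSS_TABLE = [536, 1220, 1460, 4380]   # MSS values encodable in 2 bits (constructed choice)

def _keyed_hash(secret, src, dst, sport, dport, slot):
    """32-bit keyed hash over the 4-tuple and the time slot; nobody without the secret can forge it."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def make_syn_cookie(secret, src, dst, sport, dport, mss, now):
    """Step ①: build the ISN the server puts in SYN+ACK instead of storing a half-open entry.
    Layout: bits 31..27 = minute-granularity time slot, bits 26..25 = MSS index, bits 24..0 = hash."""
    slot = (int(now) // 60) & 0x1F
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
    h = _keyed_hash(secret, src, dst, sport, dport, slot) & 0x1FFFFFF
    return (slot << 27) | (mss_idx << 25) | h

def check_syn_cookie(secret, src, dst, sport, dport, ack, now, max_age_slots=2):
    """Step ②: validate the client's ACK (cookie + 1). Returns the MSS to use for the new
    session, or None if the ACK did not come from a SYN+ACK this server sent recently
    to this 4-tuple; either way no state was ever allocated for the SYN itself."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot, mss_idx, h = cookie >> 27, (cookie >> 25) & 0x3, cookie & 0x1FFFFFF
    current = (int(now) // 60) & 0x1F
    if (current - slot) & 0x1F > max_age_slots:
        return None                              # cookie too old; client took too long
    if h != _keyed_hash(secret, src, dst, sport, dport, slot) & 0x1FFFFFF:
        return None                              # forged, or replayed for another 4-tuple
    return MSS_TABLE[mss_idx]
```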

 Boink, Bonk, Teardrop

. Boink, Bonk, and Teardrop trick sequence numbers to overload the system's packet retransmission and reassembly

 Understanding Boink, Bonk, Teardrop

. Bonk: After sending the first packet with sequence number 1, the second and third packets are also sent with sequence number 1

. Boink: After sending the first packet with sequence number 1, the second with 101, the third with 201, and so on, it then sends packets whose sequence numbers fall in the middle of that pattern

. Teardrop: Shuffles the sequence numbers to make things more complicated, constantly changing them so that ranges overlap and gaps appear → Sequence numbers that do not match at all confuse the target when it tries to combine the fragmented data, and so the CPU is overloaded

Boink, Bonk, Teardrop (2/4)

 Teardrop Attack

Packet Number    Seq. Number of Normal Packet    Seq. Number of Attack Packet
1                1-101                           1-101
2                101-201                         811-181
3                201-301                         221-321
4                301-401                         2511-3511
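The reassembly check below is an added example, not code from the slides; it serves both the Ping of Death slides (a 65,500-byte ping split into 655 pieces at a 100-byte limit, and a reassembled size beyond what IP allows) and the Teardrop table above (overlapping ranges). Ranges are modelled as plain byte offsets like the table rather than the 8-byte units real IP headers use; addresses and identification values are constructed.

```python
from collections import defaultdict

IP_MAX_DATAGRAM = 65535   # largest length the IP total-length field can express

def fragment(total_len, max_frag):
    """Split total_len bytes into (offset, length, more_fragments) pieces of at most max_frag bytes."""
    frags, offset = [], 0
    while offset < total_len:
        length = min(max_frag, total_len - offset)
        frags.append((offset, length, offset + length < total_len))
        offset += length
    return frags

class ReassemblyGuard:
    """Tracks fragment byte ranges per (source, IP identification) without buffering payload.
    observe() returns 'oversize' when the datagram would exceed IP_MAX_DATAGRAM (Ping of Death),
    'overlap' when a fragment overlaps bytes already held (Teardrop/Bonk/Boink),
    'complete' once 0..total is covered without gaps, and 'pending' otherwise."""

    def __init__(self, limit=IP_MAX_DATAGRAM):
        self.limit = limit
        self.ranges = defaultdict(list)   # (src, ident) -> [(start, end), ...]
        self.total = {}                   # (src, ident) -> length announced by the last fragment

    def _drop(self, key):
        self.ranges.pop(key, None)
        self.total.pop(key, None)

    def observe(self, src, ident, offset, length, more):
        key, start, end = (src, ident), offset, offset + length
        if end > self.limit:
            self._drop(key)
            return "oversize"
        if any(start < e and s < end for s, e in self.ranges[key]):
            self._drop(key)               # half-open intervals intersect: overlapping fragment
            return "overlap"
        self.ranges[key].append((start, end))
        if not more:
            self.total[key] = end         # last fragment tells us the full datagram length
        if key in self.total and self._covered(key):
            self._drop(key)
            return "complete"
        return "pending"

    def _covered(self, key):
        pos = 0
        for s, e in sorted(self.ranges[key]):
            if s > pos:
                return False              # gap: some fragment has not arrived yet
            pos = e
        return pos >= self.total[key]
```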

Boink, Bonk, Teardrop (3/4)

 Practice Environment

. Attacker system: Ubuntu desktop 14

. Attack target system: Windows server 2012

. Need hping3

 Procedure

. Perform Teardrop Attacks

hping3 -a 200.200.200.200 192.168.0.1 --id 3200 --seqnum -p 21 -d 320 --flood

--id 3200: ID value of the packet; packets with the same ID value are treated as TCP packets of the same session
--seqnum: set the sequence number of the TCP packet randomly
-d 320: set the length of the packet to 320 bytes

Boink, Bonk, Teardrop (4/4)

 Procedure

. Analyze packets of Teardrop attack

• It can be confirmed that the sequence numbers of the transmitted TCP packets are randomly generated

Land Attack (1/2)

 Land Attack

. Puts the system into an abnormal state

. When sending a packet, make a packet whose source IP address and destination IP address are the same

• The forged source IP address must be the IP address of the victim

. The Land attack consumes the concurrent-connection slots of the victim and thus increases the CPU load

 Land security measures

. In a router or firewall, block incoming packets whose source IP address is the same as an internal IP address

 Practice Environment

. Attacker system: Ubuntu desktop 14

. Attack target system: Windows server 2012

. Need hping3

Land Attack (2/2)

 Procedure

. Run Land attack

. Analyze packets of Land attack

• Capture packets sent by hping3 using Wireshark

Smurf & Fraggle Attack (1/3)

 Smurf Attack

. Attacks the network using ICMP packets

. Routers do not forward broadcasts by default, so a broadcast aimed at another network is a directed broadcast

. When a packet is sent with the destination IP address 255.255.255.255, the router does not forward it to external networks, so it only reaches the internal LAN

. Every host on the network that receives the ICMP request sends an ICMP Reply back to the forged source IP address of the ICMP Request packet

. The victim receives a large number of ICMP replies, and as with Ping of Death the flood of packets overloads the system

 Smurf Security Countermeasures

. Prevent directed broadcasts

Smurf & Fraggle Attack (2/3)

 Practice Environment

. Attacker system: Ubuntu desktop 14

. Agent system: Ubuntu desktop 16

. Attack target system: windows server 2012

. Need hping3

 Procedure

. Run Smurf attack

Smurf & Fraggle Attack (3/3)

 Procedure

. Analyzing packets of Smurf attacks

• Check the results captured with tcpdump and Wireshark

7-layer DoS Attack (1/3)

 7-layer DoS attack

. Recent DoS attacks are aimed at web applications and similar services

. Difference between 3/4-layer DoS attacks and 7-layer DoS attacks

                   3, 4-Layer DoS Attack                       7-Layer DoS Attack
Main attack        • Bandwidth depletion attack                • Server resource depletion attack
                                                               • Session depletion attack
Main protocol      • TCP, UDP, ICMP                            • HTTP, SMTP, FTP, VoIP etc.
Characteristics    • Attacks by generating a large amount      • Attacks using normal traffic
                     of flooding traffic                       • Attacks using a small amount of traffic
                   • High percentage of spoofed IPs            • Exploits a vulnerability of a specific
                   • Attacks using unusual traffic               application
                   • Can be defended with security equipment

 Key features of 7-layer attack

. Normal TCP/UDP connection-based attack

• It is difficult to detect because the attack requests access from a normal IP instead of a spoofed one, so the attack traffic is hard to distinguish from a normal user's traffic

. The attack uses a small amount of traffic and proceeds gradually over a long period of time, which also makes it difficult to detect

. Attacks use vulnerabilities of specific services (so far, attacks using web service vulnerabilities have been the main kind)

7-layer DoS Attack (2/3)

 Types of DoS Attacks for Web Applications

. HTTP GET Flooding Attack

• After connecting normally to the target system through the TCP three-way handshake, the attacker requests a specific web page endlessly through the HTTP GET method

. HTTP CC attack

• If the 'Cache-Control: no-store, must-revalidate' option is used in the DoS attack mechanism, the web server needs to respond without using the cache and thus, load at web server increases

. Dynamic HTTP Request Flooding Attacks

• Techniques for continually requesting web pages by changing request pages

. Slow HTTP Header DoS (Slowloris) Attack

• The header of the HTTP message sent to the server is manipulated so that it never completes; the web server keeps the connection open until it has received the whole header, which consumes system resources and interferes with normal service to other clients

7-layer DoS Attack (3/3)

 Types of DoS Attacks for Web Applications

. Slow HTTP POST attack

• Introduced at the OWASP AppSec Conference in Washington, DC, in November 2010

• Keeps the connection with the web server open for as long as possible so that the web server cannot accept connections from normal users

[Figure: slow HTTP POST exchange between Client and Server]

• Countermeasure for slow HTTP POST attacks: require and enforce a sensible Content-Length

. Mail Bomb

• Often called bomb mail, or spam

• The mail server allocates a certain amount of disk space to each user

– When mail piles up and the disk space is full, no more mail can be received

Web Application DoS Attack (1/3)

 Slow HTTP POST attack

 Procedure

. Accessing the normal web

• Implement POST function to input and output ID and password.

• The data is passed by POST and the Content-Length is 31

Web Application DoS Attack (2/3)

 Procedure

. Performing a Slow HTTP POST Attack

• Run RUDY with the command below, inspect its output, and select which form field to use for the attack

python r-u-dead-yet.py http://192.168.0.1/member/member_login.asp

Web Application DoS Attack (3/3)

 Procedure

. Check a Slow HTTP POST Attack Packet

• After a request with Content-Length set to 100,000,000 is transmitted, observe that the body is then sent one byte at a time
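A server-side guard for the Slowloris and slow HTTP POST behaviour described in this section, added here as an example (not from the slides or the RUDY tool). The thresholds, the 10,000,000-byte Content-Length ceiling and the request bytes are constructed; timestamps are passed in by the caller so the logic runs without sleeping.

```python
import re

class SlowRequestMonitor:
    """Guards one connection against Slowloris (headers that never finish) and slow
    HTTP POST (huge Content-Length drip-fed a byte at a time)."""

    def __init__(self, started, header_timeout=10.0, max_body=10_000_000,
                 min_body_rate=100.0, grace=5.0):
        self.started = started                # time the connection was accepted
        self.header_timeout = header_timeout  # seconds allowed to finish the header
        self.max_body = max_body              # largest Content-Length we will accept
        self.min_body_rate = min_body_rate    # bytes/second required once grace expires
        self.grace = grace
        self.buf = b""
        self.headers_done = False
        self.content_length = 0
        self.body_len = 0
        self.body_start = None

    def feed(self, data, now):
        """Consume bytes received at time `now`; return 'wait', 'complete' or a 'drop: ...' verdict."""
        if not self.headers_done:
            self.buf += data
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                if now - self.started > self.header_timeout:
                    return "drop: header timeout"        # Slowloris: header never completes
                return "wait"
            m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", self.buf[:end])
            self.content_length = int(m.group(1)) if m else 0
            if self.content_length > self.max_body:
                return "drop: content-length too large"  # slow POST announcing 100,000,000 bytes
            self.headers_done = True
            self.body_start = now
            self.body_len = len(self.buf) - end - 4      # body bytes that arrived with the header
            self.buf = b""
        else:
            self.body_len += len(data)
        if self.body_len >= self.content_length:
            return "complete"
        elapsed = now - self.body_start
        if elapsed > self.grace and self.body_len / elapsed < self.min_body_rate:
            return "drop: body too slow"                 # drip-fed body below the minimum rate
        return "wait"
```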

Understanding DDoS Attack (1/3)

 Distributed Denial of Service (DDoS)

. An improved form of DoS attack

. The damage is serious, but there is no clear solution

. One of the most difficult attacks to deal with, because identifying the attacker's location and the true origin of the attack is difficult

. By nature, most DDoS attacks use automated tools

 Basic configuration for DDoS attack

. Attacker: The hacker's own computer

. Master: A system that receives commands directly from an attacker, managing multiple agents

. Handler program: A program that acts as a master system

. Agent: A system that directly attacks an attack target

. Daemon program: A program that acts as an agent system.

Understanding DDoS Attack (2/3)

DDoS Attacker Architecture

Understanding DDoS Attack (3/3)

 DDoS Attack Sequence

. After obtaining an account on systems that are used by many people, have a large bandwidth, and cannot be watched by the administrator in every detail, the attacker (or attack tool) acquires installation or root privileges through attacks such as sniffing or buffer overflows

. After scanning each network block to identify potential attack targets, identify the servers that run vulnerable services which can be made to overflow a buffer remotely

. Check the list of vulnerable systems and create an exploit for the actual attack

. Compromise those systems and install the exploit on them

. Start an attack with the exploit you installed

Types of DDoS Attack Tools (1/4)

 Trinoo

. It began to spread from late June to July 1999, and was the main culprit of the University of Minnesota incident (originally named Trin00)

. It was first discovered on Solaris 2.x systems, and at least 227 systems are known to have been used for attacks

. UDP-based attack

. The 'statd, cmsd, ttdbserverd' daemon is the main attack target

Connector    Connection Target    Protocol    Port
Attacker     Master               TCP         27665
Master       Agent                UDP         27444
Agent        Master               UDP         31335
Agent        Victim               UDP
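The port table above turned into detection logic, as an added example (not from the slides): each flow that matches a Trinoo control channel is one piece of evidence for the role of its two endpoints, and a host is only called a master or agent once it is seen on two independent channels. The flow records and addresses are constructed.

```python
from collections import defaultdict

# Control channels from the Trinoo table: (proto, dst_port) -> (source role, destination role)
TRINOO_CHANNELS = {
    ("tcp", 27665): ("attacker", "master"),
    ("udp", 27444): ("master", "agent"),
    ("udp", 31335): ("agent", "master"),
}

# Constructed flow records (src_ip, dst_ip, proto, dst_port) as a flow collector would export them.
SAMPLE_FLOWS = [
    ("203.0.113.5", "198.51.100.2", "tcp", 27665),   # attacker -> master
    ("198.51.100.2", "192.0.2.10", "udp", 27444),    # master -> agent
    ("198.51.100.2", "192.0.2.11", "udp", 27444),    # master -> second agent
    ("192.0.2.10", "198.51.100.2", "udp", 31335),    # agent -> master reply
    ("192.0.2.10", "10.0.0.53", "udp", 53),          # unrelated DNS
    ("192.0.2.11", "10.0.0.9", "tcp", 443),          # unrelated HTTPS
]

def infer_roles(flows):
    """Return {host: {role: set of channel ports seen}}; every matching flow is one piece of evidence."""
    roles = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, port in flows:
        sig = TRINOO_CHANNELS.get((proto.lower(), port))
        if sig is None:
            continue                                  # not a Trinoo control channel
        roles[src][sig[0]].add(port)
        roles[dst][sig[1]].add(port)
    return {host: dict(r) for host, r in roles.items()}

def confirmed(roles, role, min_channels=2):
    """Hosts seen in `role` on at least `min_channels` distinct channels: one hit on a high
    port can be coincidence, two independent channels on the same host rarely is."""
    return sorted(h for h, r in roles.items() if len(r.get(role, ())) >= min_channels)
```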

Types of DDoS Attack Tools (2/4)

 Tribe Flood Network (TFN)

. A slightly more advanced form of Trinoo, developed by Mixter.

. Sometimes called the Teletubby Flood Network.

. Like Trinoo, it attacks vulnerabilities in the statd, cmsd and ttdb daemons

. Monitoring is difficult because ICMP Echo Request packets are used between the client (master) and the daemon, with no TCP or UDP connection at all.

. From 17 bytes, it becomes possible to distinguish from a certain form

. There is a weakness in that the connection between the attacker system and the master system is delivered in plaintext rather than ciphertext

Types of DDoS Attack Tools (3/4)

 TFN 2K

. An advanced form of TFN, developed by Mixter

 Features of TFN 2K

. Communication is encrypted and does not use a fixed port

• UDP, TCP, and ICMP are used in combination by the program, and the port is chosen arbitrarily

. Supports TCP SYN Flooding, UDP Flooding, ICMP Flooding, and Smurf attacks.

. All commands are encrypted with the CAST-256 algorithm

. Can run backdoor on specified TCP port

. The daemon avoids process monitoring by changing its process name during installation

. The header length of its UDP packets is three bytes larger than the actual UDP packet

. The header length of its TCP packets is always 0 (it is never 0 in a normal packet)

Types of DDoS Attack Tools (4/4)

 Stacheldraht (Stacholdrath)

. German word for "barbed wire"

. It is known to have first appeared in October 1999.

. Encryption is added to communicate with attackers, masters, agents, and daemons.

. Each master in Stacheldraht can control up to 1,000 daemons

. The agent is automatically updated on the master

DDoS Attack Using Malicious Code (1/7)

 DDoS attack using malicious code

. A zombie PC infected with malicious code becomes an attacking agent of the attacker

. When the attacker delivers an attack command, the zombie PC performs the DDoS attack

. A typical example was the "7.7 Internet crisis" that began on July 7

• A total of three DDoS attacks were carried out from July 7, 18:00 to July 10, 18:00

. The DDoS zombie PCs (infected PCs) used in the attack were designed to self-destruct once their work was done

DDoS Attack Using Malicious Code (2/7)

 Netbot Attacker

 Procedure

. Click "Create Server File" to generate the malware to be created as a zombie PC

. Write down the IP:Port of the attacker and click Finish to create NB_Server.exe.

DDoS Attack Using Malicious Code (3/7)

 Procedure

. Right-clicking an entry in the list opens a menu for controlling that zombie PC.

DDoS Attack Using Malicious Code (4/7)

 Procedure

. The attacker can attack the target server through the "DDoS attack" menu

• Specify attack type, quantity, speed, destination, and port number

[Screenshot: the list of attack types; select the options and then start the attack]

DDoS Attack Using Malicious Code (5/7)

 Procedure

. When the attack is executed, the CPU utilization of server is increased.

DDoS Attack Using Malicious Code (6/7)

 Countermeasure

. NetBot_v6.0 performs a health check for zombie PC management once every 50 seconds

• NetBot_v4.0 performs a health check once every 40 seconds

DDoS Attack Using Malicious Code (7/7)

 Countermeasure

. When NetBot_v6.0 sends a command to the zombie PC, the following packet is delivered.
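The periodic health check noted in the countermeasure slides (every 50 seconds for NetBot_v6.0, every 40 for NetBot_v4.0) is exactly the regularity a defender can look for in outbound connection logs. The beacon detector below is an added example, not from the slides; the connection log, hosts and tolerance are constructed.

```python
import statistics
from collections import defaultdict

# Health-check periods named on the slides; a tolerance is applied when matching.
KNOWN_PERIODS = {"NetBot_v6.0": 50.0, "NetBot_v4.0": 40.0}

# Constructed connection log: (timestamp_seconds, src_ip, dst_ip), as a firewall or
# NetFlow export would provide it. Two hosts beacon regularly, one browses irregularly.
SAMPLE_EVENTS = [
    (0.0, "192.168.0.50", "203.0.113.7"), (50.2, "192.168.0.50", "203.0.113.7"),
    (99.9, "192.168.0.50", "203.0.113.7"), (150.1, "192.168.0.50", "203.0.113.7"),
    (200.0, "192.168.0.50", "203.0.113.7"),
    (0.0, "192.168.0.60", "203.0.113.7"), (40.0, "192.168.0.60", "203.0.113.7"),
    (80.5, "192.168.0.60", "203.0.113.7"), (119.8, "192.168.0.60", "203.0.113.7"),
    (160.0, "192.168.0.60", "203.0.113.7"),
    (0.0, "192.168.0.70", "198.51.100.20"), (3.0, "192.168.0.70", "198.51.100.20"),
    (70.0, "192.168.0.70", "198.51.100.20"), (71.0, "192.168.0.70", "198.51.100.20"),
    (130.0, "192.168.0.70", "198.51.100.20"),
]

def beacon_candidates(events, tolerance=0.1, min_samples=4):
    """Return {(src, dst): (median_gap, family)} for source/destination pairs whose
    connection gaps are regular (every gap within `tolerance` of the median) and whose
    median gap matches a known health-check period."""
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)
    found = {}
    for pair, stamps in times.items():
        if len(stamps) < min_samples:
            continue                                  # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if med <= 0 or max(abs(g - med) for g in gaps) > tolerance * med:
            continue                                  # irregular: looks like interactive traffic
        for family, period in KNOWN_PERIODS.items():
            if abs(med - period) <= tolerance * period:
                found[pair] = (med, family)
    return found
```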

DoS and DDoS Attack Countermeasures (1/2)

 Firewall Installation and Operation

. Typically installed on the boundary between internal and external networks

. In practice, a firewall blocks only about 30% of intrusions

. Source address, destination address, service (port number) to try to invade, protocol intrusion can be blocked

 Firewall Ruleset (rule set)

. Provide minimal services and close ports of unused services

. If the source address of the incoming packet from the external network matches the address in the internal network, block it

. Trust between components within IPS is prohibited

. Do not allow internal/external users to connect to the system without authentication

. Prohibit any service that is not explicitly permitted
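The anti-spoofing rule in the ruleset above, the Land countermeasure (source equals destination) and the Smurf countermeasure (no directed broadcast) expressed as one ingress check; an added example, not from the slides. The internal address range and the packets are constructed.

```python
import ipaddress

# Constructed internal address space protected by the border router/firewall.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]

def ingress_verdict(src, dst, from_external=True):
    """Return the list of rules an arriving packet violates (empty list = allow).
    from_external: the packet came in on the outside interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    if s == d:
        reasons.append("land")                        # source == destination (Land attack)
    if from_external and any(s in net for net in INTERNAL_NETS):
        reasons.append("spoofed-internal-source")     # outside packet claiming an inside address
    if from_external and any(d == net.broadcast_address for net in INTERNAL_NETS):
        reasons.append("directed-broadcast")          # Smurf amplification request
    return reasons

def filter_packets(packets):
    """packets: (src, dst, from_external) tuples; returns (allowed, dropped) where each
    dropped entry carries the reasons, so the log explains every drop."""
    allowed, dropped = [], []
    for src, dst, ext in packets:
        why = ingress_verdict(src, dst, ext)
        if why:
            dropped.append((src, dst, why))
        else:
            allowed.append((src, dst))
    return allowed, dropped
```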

DoS and DDoS Attack Countermeasures (2/2)

 Installation and operation of intrusion prevention system

. Intrusion Prevention System: A system to detect and actively respond to incoming attacks

• Since it can detect attack patterns before or during an actual attack, it must be upgraded and managed so that newly installed patterns are recognized

 System Patch

. When a vulnerability to a virus or hacking attack is found in a system, the vendor releases a patch (back up before applying it).

 Scanning

. Comprehensive system analysis

 Bandwidth limit per service

. CAR (Committed Access Rate)

. An attacked service cannot obtain the minimum bandwidth needed for the attack to succeed, which makes a successful attack difficult