Background Reading - Electrical and Information Technology
Transcription
Background Reading - Electrical and Information Technology
DDoS in Experimental Environment Johan Haleby Franz Levin Department of Information Technology Lund University Advisor: Ben Smeets 15th July 2005 Printed in Sweden E-huset, Lund, 2005 Abstract Distributed Denial of Service (DDoS) attacks have been a threat to Internet services for the last couple of years. Massive distributed and distributed reflective DoS attacks have the potential to cause major disruption of Internet functionality and availability even to the extent as concerning backbones. It is important for companies and institutions to maintain an accurate network configuration and knowledge to be able to take appropriate actions to reduce the risk of such an attack. This thesis focuses on how to setup and configure a test environment for these kinds of attacks to facilitate learning and simulate attacks within a LAN. The thesis also includes topics on what can be done to prevent DDoS attacks as well as a detailed look at different techniques to perform such attacks. i ii Preface This master thesis was performed at the Department of Information Technology at Lund Institute of Technology. We would like to thank all people who supported us in the making of this thesis. Especially our advisor Ben Smeets who provided us with hints and tips. A big thanks is also sent to Morgan Persson, also at the Department of Information Technology, for his help on several issues. At last but not least, we would like to thank Bertil Lindvall and Mats Cedervall. Johan Haleby and Franz Levin iii iv Contents 1 2 3 Background 1.1 Introduction . 1.2 Purpose . . . 1.3 Scope . . . . 1.4 Project goals 1.5 Outline . . . 1.6 Timetable . . TCP 2.1 2.2 2.3 2.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1 1 1 2 2 3 and Raw Sockets TCP connection establishment Raw Sockets . . . . . . . . . Raw Sockets in Unix . . . . . Raw Sockets in Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5 6 6 7 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 11 12 14 15 15 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System resource consuming Denial of Service 3.1 TCP/SYN flood . . . . . . . . . . . . . . 3.2 Teardrop . . . . . . . . . . . . . . . . . . 3.3 Ping of Death . . . . . . . . . . . . . . . . 3.4 Winnuke . . . . . . . . . . . . . . . . . . 3.5 Pepsi Attack . . . . . . . . . . . . . . . . 3.6 Mail bombing . . . . . . . . . . . . . . . . 4 Bandwidth consuming denial of Service Attacks 17 4.1 Distributed Denial of Service Attacks . . . . . . . . . . . . . . . 17 4.2 Distributed Reflective Denial of Service Attacks . . . . . . . . . . 19 4.3 Non distributed bandwidth consuming DoS Attacks . . . . . . . 22 5 Defending against Denial of Service Attacks v 23 5.1 5.2 5.3 5.4 5.5 5.6 6 7 DoS proof TCP/IP stack Ingress filtering . . . . . Egress filtering . . . . . Change of IP address . . Additional resources . . Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 24 26 26 27 27 Tracing Denial of Service Attacks 6.1 Actively querying routers about traffic they forward . 6.2 Logging-based IP traceback . . . . . . . . . . . . . 6.3 Probabilistic Packet Marking (PPM) scheme . . . . 6.4 iTrace . . . . . . . . . . . . . . . . . . . . . . . . . 6.5 Intention-Driven iTrace (ID-iTrace) . . . . . . . . . 6.6 Caddie Message Generation . . . . . . . . . . . . . 6.7 IPSec-Based Source Tracing . . . . . . . . . . . . . 6.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 29 29 30 31 32 33 36 39 Denial of Service applications 7.1 Trinoo . . . . . . . . . . . . 7.2 Tribe Flood Network . . . . 7.3 Stacheldraht . . . . . . . . 7.4 Comparison and conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 41 42 44 46 Denial of Service Control Center . Zombie . . . . . Misc . . . . . . . using SYN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Our 8.1 8.2 8.3 application 47 . . . . . . . . . . . . . . . . . . . . . . . . . . 47 . . . . . . . . . . . . . . . . . . . . . . . . . . 47 . . . . . . . . . . . . . . . . . . . . . . . . . . 48 9 Test scenario 53 9.1 The test environment . . . . . . . . . . . . . . . . . . . . . . . . 53 9.2 The tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 10 Discussion 97 11 Abbreviations 99 Bibliography 101 A EthernetII Packet 105 B ARP packet 107 vi C IP datagram 109 D ICMP packet 111 E UDP datagram 113 F TCP segment 115 G Manual for the Control Center and Zombie application 117 G.1 Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 G.2 Zombie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 123 H Class Diagrams H.1 Control Center Class Diagram . . . . . . . . . . . . . . . . . . . 123 H.2 Zombie Class Diagram . . . . . . . . . . . . . . . . . . . . . . . 124 vii viii List of Figures 2.1 2.2 2.3 TCP connection establishment . . . . . . . . . . . . . . . . . . Unix TCP/IP stack . . . . . . . . . . . . . . . . . . . . . . . . Windows TCP/IP stack . . . . . . . . . . . . . . . . . . . . . . 3.1 3.2 DoS Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 The concept of a legitimate and a malicious fragment concatenation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.1 4.2 4.3 DDoS attack using zombies . . . . . . . . . . . . . . . . . . . . 18 Distributed reflective TCP/SYN DoS attack . . . . . . . . . . 20 Smurf attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 5.1 Server initial TCP sequence number . . . . . . . . . . . . . . . 23 6.1 The different modes available in the Caddie Message Generation scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . A brief comparison of iTrace, ID-iTrace, and Caddie Message Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . The concept of CutSet . . . . . . . . . . . . . . . . . . . . . The secure tunnels between the routers which exposes the attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . An illustration on how PHIL switching can be used to traceback an attack . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2 6.3 6.4 6.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 . 35 . 37 . 39 . 40 7.1 7.2 7.3 7.4 7.5 A trinoo network . . . . . . . . . . Ports used in standard configuration A TFN network . . . . . . . . . . . A stacheldraht network . . . . . . . Ports used in standard configuration 8.1 Memory layout of the value 0x12345678 in big and little endian 49 9.1 Captured packets in a smurf attack . . . . . . . . . . . . . . . 60 ix . . . . . . of trinoo . . . . . . . . . . . . of trinoo 5 8 9 . . . . . 41 42 43 44 45 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19 9.20 9.21 9.22 9.23 9.24 9.25 When using two Zombies in the smurf attack, more request packets were generated . . . . . . . . . . . . . . . . . . . . . . High throughput to all Windows hosts but nothing was returned The responding units . . . . . . . . . . . . . . . . . . . . . . . Different data sizes caused different behaviors in Windows. . . The CPU utilization at the victim reached to about 100% when receiving a large amount of packets per second which is not the primary intention of the ICMP Ping attack . . . . . . About 97 Mbit per second of bogus data was sent to the victim. CPU utilizations with different intervals by the LAND attack . A screenshot of Ethereal when capturing the SNMP traffic generated by the Zombie to and from the switch. . . . . . . . . PRTG lost contact with the switch due to all the bogus SNMP traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The infamous bluescreen after executing a WinNuke attack. . 3 Zombies and 3 reflectors with 1408 bytes of data was enough to cause a distributed reflective ICMP DoS attack . . . . . . . A legitimate ping test shows that some packets get through even though the inbound network utilization is close to 100% . 2 computers each running 2 Zombies and 4 reflectors was enough to cause a total distributed reflective ICMP DoS attack An example of how to initialize a successfull distributed reflective ICMP attack . . . . . . . . . . . . . . . . . . . . . . . . . 2 Zombies flooding and 2 victims flooding between themselves was enough for an ICMP Bounce DoS attack. . . . . . . . . . PRTG screenshot where 3 Zombies flooding with 4000 pps each, causing denial of service. . . . . . . . . . . . . . . . . . . PRTG screenshot where 4 Zombies flooding on two computers with about 4000 pps per Zombie, causing denial of service. . . An extract of ping replies between two VMware 4.5 hosts . . . Ethereal saw a multiplication of requests which explains the extra reply packet . . . . . . . . . . . . . . . . . . . . . . . . . A screenshot from TcpView by SysInternals. All ”SYN RCVD” states are half open TCP connections. . . . . . . . . . . . . . . Approximately 3300 TCP/SYN packets per second was sent to the victim. . . . . . . . . . . . . . . . . . . . . . . . . . . . An extract of the netstat command in Knoppix while the host was under a TCP/SYN attack. . . . . . . . . . . . . . . . . . . Packets captured in Ethereal. . . . . . . . . . . . . . . . . . . . Packet rate for each computer in the setup when exposed to the attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x 61 62 63 63 65 66 68 69 70 72 73 74 75 76 77 78 79 80 80 82 83 84 85 87 9.26 An example of how to initialize a distributed reflective TCP/SYN attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.27 The Sygate firewall detected a Ping of Death attack . . . . . . 9.28 The ramdisk created by the Windows 95A boot loader that occupied drive A: . . . . . . . . . . . . . . . . . . . . . . . . . 9.29 In discordance with Ethereal, Tcpdump found that 8 bytes were missing in the packet . . . . . . . . . . . . . . . . . . . . 9.30 The error message displayed in VMware 4.5.2 after the PoD attack was executed with a packet size of 65525 bytes . . . . . 9.31 Ethereal was used to see that the packets received were really fragmented . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.32 A comparison between the CPU and network utilization of the Teardrop flood (the two topmost figures) and distributed UDP Flood (the two bottom most figures) . . . . . . . . . . . . . . G.1 G.2 G.3 G.4 Control Center startup arguments . . Default attack parameter values . . . Zombie startup arguments . . . . . . Zombie initialized with an ICMP ping xi . . . . . . . . . . . . attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 89 90 92 92 93 94 117 120 120 121 xii Chapter 1 Background 1.1 Introduction Attacks on computer systems such as DoS attacks have been and are still a big threat to Internet services and availability. A wisely configured network of hacked machines remotely controlled by a single person may cause big financial damage to large sites. This thesis describes some of the DoS attack techniques that are used today and also some of yesterday’s. The thesis also presents methods of defending as well as different schemes that may be used to trace back these kinds of attacks. A DoS application that supports some of the old attacks as well as some of the new are also implemented for experimental purposes. The implemented attacks are also tested in a test environment. The outcome will be used as a foundation for a new course in Computer Security. 1.2 Purpose The purpose of this thesis is to simulate real DoS attacks in a test environment as well as presenting some of the techniques that may be used to trace back or defending against an attack. The outcome should be used as a foundation for a laboratory experiment in an upcoming Computer Forensics course at Lund Institute of Technology. 1.3 Scope The implemented DoS application should work in the given test environment to the greatest extent possible. Due to time restrictions only the most significant traceback and defending techniques will be presented in the thesis with 1 2 Background reasonable detail. Covering all available techniques in the smallest of detail is not possible and probably not even desirable. 1.4 Project goals One goal of this project is to have a fully operating DoS application that will support numerous DoS attacks. Another goal is to present facts and background information about various attacks as well as traceback techniques and ways of defending against an attack. 1.5 Outline This thesis is divided into 7 parts. The first part (Chapters 1 and 2) presents the background for the thesis as well as an introduction to raw sockets and why they are important in a DoS application. The second part (Chapters 3 and 4) deals with different kinds of DoS attacks. The third part (Chapters 5 and 6) is about defence and traceback techniques. The fourth part (Chapters 7 and 8) presents different real DoS attack networks as well as our DoS application for experimental environments. The fifth part (Chapter 9) describes the test scenario and the problems encountered while using our DoS application in the test environment. The sixth part (Chapter 10) presents a discussion of the outcome and possible future improvements. The last part is the appendices describing protocol packets, the manual for our DoS application, class diagrams, and program listings. Week Start Abstract Choice of objection DDoS research TCP research Diary Objection completed Coding start Coding complete Assembly of the whole report Report ready for objection Presentation Report completed Work on report Class diagram Programming Test, LAND Test, WinNuke Test, PoD2 Test, Smurf Test, Distributed ICMP Ping Test, ICMP Ping Bounce Test, Distributed UDPFlood Test, Distributed Reflective ICMP Ping Test, TCP/SYN Test, Pepsi Test, Teardrop Test, Fraggle Test, Distributed Reflective TCP/SYN 1.6 Timetable 5 x x x x 4 x Ti x x x x x x x x 6 x x x x x x 8 x 7 x x x 9 x x x x 10 x x x x 11 x x x x 12 x x x 13 x x x 14 x x x 15 x x x x x 16 x x x x x x 17 x x x x x 18 x x x x x x x x x x x x x x x x x x x x x 20 19 x x x x x x x x 21 x x x x x x x x x 22 x x x x x x x 23 x x x x x x 24 x x x x x x 25 x x x x 1/7 x x x 26 x x x x x x 27 x x 15/7 x x 28 22/7 x x 29 Background 3 4 Background Chapter 2 TCP and Raw Sockets 2.1 TCP connection establishment This may be a well known topic for the reader but since it is of great importance for the understanding of this article, the TCP initiation phase will be presented here as a reminder. Although a client-server application usually initiates its session with a client inquiring the server for permission to connect, it is possible to establish a connection in different ways. In a more general application not based on the client-server model it is possible for both parties to initiate a connection at the same time. Because of this, a connection is established by using a three-way handshake procedure as seen in Figure 2.1 [1]. Figure 2.1: TCP connection establishment 1. The TCP client sends a connection request packet known as a SYN packet (a TCP/IP packet with the SYN flag set) to the server on a specific port. 5 6 TCP and Raw Sockets 2. The TCP server receives the SYN packet and responds with an acknowledgement packet known as an ACK packet (a TCP/IP packet with the ACK and SYN flag set) to initiate a connection in the returning direction. The packets returned include information specifying the source and destination IPs as well as source and destination ports. This will indicate to the client that the server is willing to start a TCP session and also that a round trip path exist between the two participants. If the server was unable or unwilling to process the clients connection request an RST/ACK (Reset Acknowledgement) packet or an ICMP port unreachable packet is sent to inform the client that the connection was denied if the port was configured to reject packets. It is also possible to silently discard a packet by configuring a port as blocked. 3. When the client receives the SYN+ACK packet it replies with a new ACK packet. This tells the client that a two way TCP connection has been established. When the server receives the last ACK packet it gets a similar confirmation. By now both client and server have setup a connection and data is ready to be sent or received in both directions [2]. 2.2 Raw Sockets A vital part for a person performing an attack is to remain anonymous and untraceable to the greatest extent possible. There are numerous ways to complicate the task of tracing the origin of an attack after it has been utilized. Using a stolen dial-up connection to the internet in a combination with hacked shell accounts is just one effective way to disguise oneself. Another way is for the attacker to create his own TCP/IP packets where the source ip is spoofed (falsified). This is where raw sockets become a vital part of any DoS attack application. Only by using raw sockets is it possible to spoof the source IP of a TCP package. By setting the source IP to be an arbitrary IPv4 address makes finding the perpetrator of the attack extremely difficult. If combined with other ”disguise techniques” as the ones mentioned above it becomes virtually impossible to locate the attacker. 2.3 Raw Sockets in Unix In 1981 The Computer Systems Research Group (CSRG) at the University of California made it possible to connect Unix to the Internet. They did this by implementing a TCP/IP stack as illustrated in Figure 2.2 into the Unix environment. They also created an abstraction of the complex underlying TCP and Raw Sockets 7 protocols called sockets. The purpose was to simplify the task of creating applications that needed access to Internet communication. They did retain the option to create and use the so called raw socket for the purpose of research. A full raw socket can be seen as a shortcut (which ignores the TCP/IP stack) to directly access the underlying network data transport layer[3]. Many Unix and Linux distributions today supports the use of Raw sockets. Since it is possible to disregard the TCP/IP stack it is possible for Unix and Linux users to implement their own protocol on top of IPv4. A user must be given root access (effective user id 0) to be able to make use of raw sockets. Raw sockets use the standard address structure defined in IPv4 [5]. 2.4 Raw Sockets in Windows The raw socket implementation in most versions of Windows does not reach beyond the IP protocol level. It is still possible to create functional utility packets such as ICMP echo requests, but they will have no access to the physical lower level of Internet. There are some versions of Windows which do implement full raw socket support. These are Windows 2000, Windows 2003 Server and Windows XP prior to service pack 2. For reasons described earlier, full raw socket support was retained in the release of the second service pack. It is still possible to get full raw socket support in a Windows version not supporting it from scratch. Certain device drivers can be created to bypass the Windows blocking mechanisms [2]. But despite what is being said in [2], a Windows application called Winject can be used under several Windows environments to bypass the security mechanisms and use raw sockets [8]. There is also an open source library for packet capture and network analysis called WinPcap that can be used to gain access to raw sockets under Windows 95, 98, ME, NT, 2000, XP and 2003 [49]. There are no known DDoS applications utilizing this kind of technique today [2]. 8 TCP and Raw Sockets Figure 2.2: Unix TCP/IP stack TCP and Raw Sockets 9 Figure 2.3: Windows TCP/IP stack 10 TCP and Raw Sockets Chapter 3 System resource consuming Denial of Service Attacks The goal of any DoS attack is to make a computer system or network unreachable for its user, thus having these users denied of service. One way to achieve this is by overloading the resources of the attacked system [4]. There are several different attacks available. Many of these are quite old and are not working in the modern operating systems of today. But to know about what may emerge in the future, it is important to know about the past. 3.1 TCP/SYN flood Figure 3.1: DoS Attack 11 12 System resource consuming Denial of Service Attacks When a server receives a SYN packet from a proposed client to initiate the connection sequence, it allocates resources and data about the client. For instance memory buffers used for the transmission of data and in most cases are also information about the client, such as IP address and port number used, stored in a log file. Thinking about this for a moment, one can probably figure out that the resources allocated are of a limited nature and should be able to be abused if no protection mechanism is installed on the server. This is exactly what a malicious hacker can take advantage of. As we just saw, the use of raw sockets may contribute to the use of a spoofed source IP address from the client side. Utilizing the technique of having the IP address set as an arbitrary one, the SYN+ACK package sent in step 2 in Section 2.1 in response to the previously sent SYN package from the client will not reach the real client computer system. No real connection will then be available, only a so called half open one. There is no way for the server to know that the IP address from the client was spoofed and therefore it need to treat it like any other non abusive connection initiation. In other words it needs to allocate the necessary resources, wait a while for the client to respond and then resend the SYN+ACK packet up till three times1 , believing the package may have been lost in transmission. But if the client repeats sending SYN packages fast enough, the server will accumulate all the half open connections and its resources will eventually be exhausted. This will lead to the maximum number of half open connection will be reached. But since these are all ”fake” half open connections, new legitimate users of the server will have to be denied. A denial of service point has been reached. It is possible that a single computer, even with a slower connection speed than the exposed computer, can cause this denial of service phenomenon [2]. In most cases the attack does not concern existing connections to the server but only the new ones. However, in some cases, the system may exhaust memory or crash [21]. It is possible to protect a system from this kind of attack. This is discussed in detail in Section 5.1 on page 23. 3.2 Teardrop The goal of this attack is to send a maliciously fragmented UDP packet whose offset and payload is constructed in such a way that it does not overlap the endpoint of the previous fragment sent. If the OS is not patched it will most likely crash. Since this is a really old and well known attack, no modern operating systems are vulnerable to this attack and patches have been released to the old ones. When this exploit was first found, all Linux systems were 1 According to [2], but our own experiments showed that a Linux host resends SYN+ACK packets 6 times. More on this in Section 9.2.11 on page 84 System resource consuming Denial of Service Attacks 13 vulnerable as well as Windows 95 and Windows NT 4. The reason for the crash is that when the OS kernel reassembles the IP fragments to form the original IP datagram, it runs in a loop, copying the payload from all the queued fragments into a newly allocated buffer. While it does check to see if the fragment length is too large, which would have the kernel copy too much data, it does not check to see if the fragment length is too small, which would have the kernel copy way too much data. It will work fine if the current fragment’s offset is inside the end of a previous fragment (overlap) and its payload reaches beyond the end of the previous packet. The topmost picture in Figure 3.2 describes this behavior. The striped part of the new fragment (striped+dotted is the whole new fragment) is overlapping a previous fragment so the part being outside the endpoint is concatenated to the previous (gray) fragment. The striped part of the new fragment is discarded since the data ←→ Added part from fragment ←→ Negative packet length Figure 3.2: The concept of a legitimate and a malicious fragment concatenation contained in that part have already been received earlier. Problems occur when the payload of the new fragment is not large enough to cross the endpoint of the previous fragment as seen in the bottom most picture of Figure 3.2. The reason why is that an unpatched kernel only wants to concatenate the part of the new fragment that is outside the endpoint of the previous one (i.e. the dotted part in the top most picture of Figure 3.2). Therefore it copies the part that is equal to the new fragment endpoint − the old fragment endpoint. In normal scenarios this works fine since it will always return a positive integer value for memcpy() to copy. But if the endpoint of the new fragment does not overlap the endpoint of the previous packet due to a too 14 System resource consuming Denial of Service Attacks small payload (such as the striped fragment in the bottom most picture in Figure 3.2), the value of the subtraction will be negative. Since memcpy() expects an unsigned integer, the negative value will result in a wrap-around of the lower bound of the 32 bit integer and therefore memcpy() will end up copying extremely much data resulting in a reboot or a halt, depending on the amount of physical memory present [36]. 3.3 Ping of Death In a ping of death attack the attacker attempt to destabilize an operating system by sending an ICMP Echo Request (ping) packet with an oversized total packet size. This means greater than 65535 bytes including the header length [10, 16]. Sending packets this large is not possible in most operating system with the exception of Windows 95 and Windows NT 3.51 or 4. But a problem emerge since it is possible to manually build fragmented packets that, when reassembled, have a total packet length greater than 65535 bytes. The fragmentation of packets is a fundamental part of the Internet architecture. Packets that contains a payload greater than the maximum size the underlying layer can handle (the MTU) are fragmented into smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500 bytes. An ICMP Echo Request packet (the ICMP header is embedded in the IP packet) can have a maximum payload of totally 65535−IP header size−ICMP header size= 65535−20−8 = 65507 bytes. The fragmentation relies on an offset value in each fragment to determine where the individual fragment goes upon reassembly. Thus in the last fragment, it is possible to combine a valid offset with a suitable fragment size such that (offset+size) > 65535 bytes. Since typical machines do not process the packet until they have all fragments and have tried to reassemble it, there is the possibility for overflow of 16 bit internal variables, which is the reason why too much memory has to be copied resulting in that the operating systems may crash or reboot or something similar. Note that it is possible to use other packet types than just ICMP to make use of the fragmentation bug. Malformed TCP and UDP packets will work just as well [35]. To protect against this attack one can block the ICMP Echo requests by using a firewall. The backside of this is of course that valid ICMP Echo requests are ignored. Patches have though been available for years [10, 16]. There is also a second version of the ping of death attack. Instead of sending just one 64k ICMP packet which becomes fragmented, the ping of death 2 attack sends a cluster of 64k packets which are all fragmented. This also causes Windows and some Linux hosts to lock up or crash. An OS able to protect from a normal ping of death attack may still be vulnerable to this System resource consuming Denial of Service Attacks 15 attack. To protect oneself from this annoyance, another hotfix from Microsoft must be installed [14]. The hotfix was also implemented into the new service packs of the concerned systems [15]. 3.4 Winnuke In June of 1997 a new kind of remote DoS attack exploited a bug in the Windows 95 and Windows NT systems [11]. This DoS attack was called Winnuke. The exploit sent a string of out of bound data to the victims computer on port 139 exposing programming flaws. This led to the infamous bluescreen and ultimately caused the system to crash [11, 12]. A reboot was necessary for continued use of the network. Microsoft responded quickly to this threat by releasing so called hotfixes (patches). The original version of Winnuke will hardly be seen as a threat by today’s standards but there is a new version of Winnuke functioning on systems such as Windows XP SP 1, Windows 2000 up till SP3, Windows NT and some versions of .NET. It operates on port 139 used by NetBIOS and port 445 used by Active Directory. What happens in an attack is that a specially crafted Server Message Block (SMB) packet is sent to one of the ports [11]. This is the protocol that Microsoft uses to share files, printers and serial ports. In a network environment where the server provides files and resources to clients, clients can make SMB requests to request resources from the server and the server make SMB responses to the client. When the malformed packet request is sent to an unpatched host, a denial of service state may be reached since the computer may stop responding and hang. It is possible for an attacker to use both user accounts and anonymous access to carry out the attack. To be protected from this kind of attack a hotfix (MS02-045) from Microsoft has to be downloaded and installed. The update is also included in most of the latest service packs for the respective operating systems [13]. Though it is not yet fixed in the latest version of the service pack (6a) to Windows NT 4. Another way of protection is to install a firewall and have it block ports 135 to 139 and 445 from being used from the Internet. To really be safe, both methods should be applied [11]. 3.5 Pepsi Attack This is a form of UDP flooding directed at harming network devices and especially Internet Service Providers by transmitting a large number of spoofed UDP packets, such as echo request (SNMP packets), to the diagnostic port of the network device [17, 18]. If the amount of UDP packets sent is large 16 System resource consuming Denial of Service Attacks enough, all CPU resources will be consumed serving bogus requests and no valid requests can get through. There are a couple of different ways to defend against this attack. One thing to do is to disable the UDP diagnostic ports or have them secured by a firewall. The drawback of this is obvious [18]. 3.6 Mail bombing Mail bombing is something that is typically quite easy to execute. What happens is that the attacker sends thousands of e-mails to a single mail account. It is usually pretty harmless but if the attack is well coordinated, for instance distributed, the SMTP (mail) server can be filled up. The most serious thing about this attack usually is that lots of time is wasted for a person to single out which mails are bogus mail and which are not. The purpose for the attack is not primarily to consume the bandwidth of the victim (although it is possible) but rather to fill up hard disk space and take up peoples time [19]. The normal approach for executing an attack is that a zombie trojan is installed on a host. When an attack is launched the zombie is called remotely and the infected host is used as a mail server and sends e-mails directly to the recipients. Because of this it has been pretty easy to block machines flooding e-mails. A new kind of e-mail bombing have emerged though. Here the zombie uses the mail server of its ISP to send the spam. The problem now is that it is very impractical to block mail with domain names from large ISPs since this will also block lots of legitimate e-mails as well. ISPs around the world are trying to deal with this problem which is predicted to increase in the future. For instance, some ISPs have blocked relay ports such as port 25 to stop spammers from spreading mails from servers operated from home. Others say they have implemented safeguards in the form of SMTP authentication servers and rerouting of legitimate e-mail to decrease the flow [20]. Chapter 4 Bandwidth consuming denial of Service Attacks 4.1 Distributed Denial of Service Attacks In 1999 a new kind of widespread DoS attack was brought to the surface. These attacks used a distributed approach to cause a denial of service. Back then, the most popular DDoS network application used was called Trinoo (described later in this article in Section 7.1 on page 41) [7]. As opposed to most ordinary DoS attacks, a DDoS attack is mostly not of a system resource consuming kind but rather of a bandwidth consuming one. DDoS focuses on consuming the bandwidth of a victimized server and in the end causing a denial of service state. This can be achieved by sending loads of nonsense Internet traffic through the aggregation router to where the attacked system is located. This causes regular users to be denied of service since all the bogus traffic transmitted from the network of attacking hosts overwhelms the amount of meaningful traffic. Although system resources are naturally consumed, it is not the main reason for this kind of denial of service to users [2]. The attacking computer hosts (often referred to as zombies [2]) often have broadband connections to the Internet and have been infected by various kinds of viruses, worms or trojan horses. These allows the perpetrator to remotely control and synchronize an attack, often through a network of bots such as botnet [4]. 4.1.1 Zombie attack What happens is that the perpetrator sends a go signal to a number of presumably hacked zombie machines. These will activate the flooding sequence and start jamming the victim with Internet traffic. Even if the victim has a good Internet connection, the combined amount of data received will probably 17 18 Bandwidth consuming denial of Service Attacks Figure 4.1: DDoS attack using zombies Bandwidth consuming denial of Service Attacks 19 be more than it can handle. In other words, the amount of data is so great that the aggregation router has to drop and discard a large percentage of the packets trying to reach the attacked server. 4.2 Distributed Reflective Denial of Service Attacks Distributed Reflective DoS attacks are among the worst attacks a system can be put under. Here the attacker floods an intermediate device which in turn multiplies the data sent from the attacker to the victim. This may force the victim to receive an enormous amount of Internet data traffic quickly letting regular users be denied of service. 4.2.1 Distributed Reflective TCP/SYN Attack By sending SYN packets to intermediate hosts (possibly random) with a spoofed source IP address of the victim, the hosts will reply with SYN+ACK packets to the victim. Since the victim is unaware of what has happened and has not requested a connection, it will try to send an RST packet back to the intermediate host to signal a connection termination. But because it is being flooded with SYN+ACK packets from many different locations, it will not have time to reply to all of them and has no choice but to start dropping packets. The intermediate host will therefore not receive an answer from what it believes to be a legitimate connection request. It will therefore assume that the SYN+ACK packet previously sent has been lost in transit and will try to send it again up till 6 times depending on the OS. Using this multiplying (reflective) technique, the attacker does not require as many compromised hosts as ordinary DDoS due to the fact that the intermediate hosts may multiply the amount of data it receives [2]. This attack is illustrate in Figure 4.2. 4.2.2 Smurf IP Denial of Sercive Attack A smurf Denial of Service attack, or ICMP packet magnification, consists of spoofed ICMP echo request packets sent to the broadcast address of a network [9]. If the router delivering traffic to those broadcast addresses performs the IP broadcast to the layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with one ICMP echo reply each. This reply will reach the host of the spoofed source IP address. Thus the flooding effect may be multiplied by a great number since there may be several hundreds of hosts on a single IP network. There are two parties that are affected by the attack. The intermediary broadcast devices and of course the victim whose IP address is contained in 20 Bandwidth consuming denial of Service Attacks Figure 4.2: Distributed reflective TCP/SYN DoS attack the spoofed source IP address. The victim will most likely receive much more bogus traffic than the broadcast device. For instance lets say that a network has 100 hosts attached to it. The perpetrator sends a stream of ICMP echo request packets at 123 kbps with the victims IP address in the source address field to the broadcast address of the network. All hosts of the network will then reply with an ICMP echo reply packet to the victim. The 123 kbps has been multiplied by a 100 resulting in a flow of 12.3 Mbps leaving the network and heading towards the victim [17]. Protection There are ways to protect against this type of attack. One technique is to block all incoming ICMP echo requests destined for the broadcast address in the router, and the second approach is to configure every host to not reply to ICMP echo request to the broadcast address [9]. More general techniques can be found in Section 5.2 on page 24. Note: There is a variant to this attack, called Fraggle attack, that instead of using ICMP echo request packets uses UDP echo request packets in the same way. This was just a rewrite of the Smurf attack [17]. Bandwidth consuming denial of Service Attacks Figure 4.3: Smurf attack 21 22 Bandwidth consuming denial of Service Attacks 4.3 Non distributed bandwidth consuming DoS Attacks 4.3.1 PHP and WEB page overloading It is also possible to launch a denial of service attack by misusing PHP scripts by continually loading them. This is especially dangerous if a large cluster of zombie machines are set to do this at the same time so that all the bandwidth of a server can be maxed out. The same thing concerns web servers which can be overloaded by repeated reloading of a web page and also databases can be overloaded by using search queries. A good way of defending against attacks like this is to prevent the zombies to have more than one connection per IP session. This will reduce the bandwidth consumption and the attack needs far more zombies to achieve something from the attack [19]. Chapter 5 Defending against Denial of Service Attacks It is possible to defend against certain types of DoS attacks. As seen earlier one can protect oneself from mail bombing and so on. There are other, more general ways to be protected or help to protect others. One is by enabling ingress and egress filtering on the router (see Section 5.3 on page 26) and another is by enabling SYN cookies. 5.1 DoS proof TCP/IP stack using SYN Cookies It is possible to defend against a TCP/SYN flood described earlier in Section 3.1 on page 11. One can postpone the effects of the attack by using a large SYN queue and random early drops may make TCP/SYN flooding more expensive but it does not solve the problem. It will still be possible to exhaust system resources. SYN cookies use cryptographic techniques to solve the problems concerning TCP/SYN flooding. They are particular choices of initial TCP sequence numbers by TCP servers. t mod 32 5 bits encoded MSS 3 bits secret function 24 bits Figure 5.1: Server initial TCP sequence number 23 24 Defending against Denial of Service Attacks In Figure 5.1, t is a 32-bit time counter that increases every 64 seconds and the next 3 bits are an encoding of the server Maximum Segment Size (MSS) in relation to the clients MSS. The bottom 24 bits are the output of a secret function combining the client and server IP-address and port number with t. It is selected by the server. A server that uses SYN cookies does not have to drop new connections in the case of a full SYN queue. Instead it deceives the client by returning a SYN+ACK packet just as it would if the queue had been larger. There are some exceptions though. One is that the server does not make use of the TCP large window option and it must use one of the eight MSS values that it can encode. When the server receives the ACK packet from the connecting client, it checks that the secret function is valid for a recent value of t, and then rebuilds the SYN queue entry with regard to the encoded MSS [22]. It is not completely unrealistic that an attacker can guess a sequence number from someone else’s host, using that to forge a connection from that host. It is also possible for an attacker to analyze the cryptographic mechanism used as the secret function for the purpose of intelligently guessing a new valid cookie. But if the function is secure enough it will take approximately the same time as to just guess randomly. An attacker will succeed in a connection forgery after having sent millions of ACK packets but there are ways to postpone this, for instance by increasing the size of the sequence numbers used. Today SYN cookies are implemented in most variants of unix including Linux, FreeBSD, and SunOS (though nothing is said that they are enabled by default). The first implementation was done by Jeff Weisberg in October 1996 and a Linux implementation followed soon after in February 1997 by Eric Schenk. The first one to design an Internet Protocol that used cookies to defend against DoS attacks like these was Phil Karn. To enable SYN cookies in Linux or FreeBSD one could add echo 1 > /proc/sys/net/ipv4/tcp_syncookies to the boot script [22]. 5.2 Ingress filtering Ingress filtering is usually applied at the network edges to ensure that the traffic arriving to an interface really are routable from that interface. When applied correctly it is an effective mechanism to stop spoofed traffic from entering the network and the closer to the source this is applied the more efficiently it will stop spoofed traffic. There are five major approaches to apply these filters [31]. Defending against Denial of Service Attacks 25 • Ingress Access Lists • Strict Reverse Path Forwarding • Feasible Path Reverse Path Forwarding • Loose Reverse Path Forwarding • Loose Reverse Path Forwarding ignoring default routes 5.2.1 Ingress Access Lists An Ingress Access List is a filter that is used by a router to check every incoming packet for a valid source address against a predefined list of acceptable addresses. This list should contain all the addresses that can possibly enter the router on that interface. If it does not match an entry in the list, the packet is dropped. The drawback of this technique is that the lists usually are maintained manually and must be updated on a regular basis to not discard legitimate packets [31]. 5.2.2 Strict Reverse Path Forwarding Strict Reverse Path Forwarding is an dynamic technique for building lists like the ones that the Ingress Access Lists approach uses. The key feature is that it looks at the source address of the incoming packets and looks it up in the Forwarding Information Base (FIB) table (routing table). If the router is to accept a packet it first validates that the source address is actually a part of the subnet. This is possible by comparing the interface where the packet arrived with the interface that the router would have forwarded packets destined to this sender. If the interfaces differ the packet is dropped, otherwise it is accepted. This technique is only of practical value when the incoming and outgoing traffic share the same path, like in most border network interfaces for an ISP. Between ISPs it is common to use asymmetric paths (these are paths where the sending and receiving path differs) in routing and thus almost all traffic will be blocked by this approach [31]. 5.2.3 Feasible Path Reverse Path Forwarding This is an extension to Strict RPF where not just the symmetric routes but also all the asymmetric routes are included in the FIB for consideration. The lists are usually managed by routing specific protocols like BGP. Most problems with asymmetric routes with Strict RPF is solved with this relatively easy method to update the tables. 26 Defending against Denial of Service Attacks The biggest problem with this is if a secondary ISP does not forward the BGP information to the primary ISP which then will not have any information about the routes in the secondary ISPs network and the packets will be filtered too. This is a very powerfull technique in asymmetric routing paths but it has to be applied very carefully otherwise ligitimate packets will be lost [31]. 5.2.4 Loose Reverse Path Forwarding The algorithm in Loose RPF reminds of the one used in strict RPF, but with the difference that it only checks if a route, even the default route, exists and not on which interface it points to. It is rather useless as an ingress filter at the edge of a network because it does not check where the source of the packets is. One application of this filter would be in an ISPs upstream to its providers to get rid of foreign and non-routable addresses coming into his own network [31]. 5.2.5 Loose Reverse Path Forwarding ignoring default routes This is the same as Loose RPF with the difference that it ignores the default routes when examining a packet. Hence the filter is mostly used when the default route is only used to catch bogus packets [31]. 5.3 Egress filtering The main idea about egress filtering is to only allow traffic with a source address originating in your own network to slip through. This can be applied in the border router to your ISP or in a firewall. As a general rule it is better the closer to the sender it is applied. An ISP can also apply a more general rule as an egress filter to only allow customers to send traffic into the Internet. Big service suppliers will usually have difficulties as they often send traffic between other ISPs and do not have any traffic originating from their networks [23, 32]. 5.4 Change of IP address When a single system is under attack a temporary countermeasure could be to just change the IP address of the attacked system. The DNS record should also be updated and the new address should only be given to a few selected users. Defending against Denial of Service Attacks 27 This technique cannot be used to prevent a flooding attack that consumes all available bandwidth from the ISP, since there will not be any bandwidth left for users. But in a low bandwidth consuming attack this would solve the problem and the service can still be used by trusted users. 5.5 Additional resources During a system resource consuming attack it would be possible to add an extra server during the attack to accommodate the extra requests and postpone the DoS attack. But if it is a big attack with many participants this will not be enough, despite how many servers are added. There will still more requests to handle. The only thing left is to wait until the attack is over. 5.6 Conclusion As seen in this chapter, there are ways to defend or complicate the task of performing a spoofed DoS attack. Ingress and/or egress filtering may be used by an ISP to filter legitimate traffic from malicious traffic. It is recommended for each system administrator to enable some kind of filtering. This is often as easy as just looking up the setting in the manual. For a normal user, one way to prevent one’s own computer from being used as a zombie host, is to run an OS such as Windows XP SP2 that have built-in mechanisms to complicate the use of spoofed packets. Firewalls and anti virus software should always be enabled. 28 Defending against Denial of Service Attacks Chapter 6 Tracing Denial of Service Attacks In many cases is it important to figure out the path that packets take through the Internet. Especially when a computer is affected by a denial of service attack using a spoofed IP address. There are other fields of application as well, such as path characterization and detection of asymmetric routes. There are existing tools, such as traceroute, but these generally provide the forward path, not the reverse [24]. One way of identifying an attack path is by reconstruction, using a collection of packets, marked or especially generated by routers along the attack path. Another way is to query routers about what traffic they are forwarding. Yet another approach is to use logging [27]. 6.1 Actively querying routers about traffic they forward If a victim recognizes that it is being attacked, it develops an attack signature, consisting of some data common and unique to the attack traffic. A query including the attack signature is then sent hop-by-hop to each router along the path. This presuppose that each routing device supports input debugging and is able to tell through which interface a packet corresponding to the attack signature arrived. This technique is however not very efficient and requires a lot of manpower and good contacts with other network providers. Some ISP’s may have implemented a more sophisticated and automated technique for this to speed up the trace procedure within their own network. A drawback is that tracing can only be done during an ongoing attack [27]. 6.2 Logging-based IP traceback Generally logging of such great proportions as needed in this case should be avoided since it often requires huge storage capacities. The basic idea is to setup the routers to store information about forwarded packets. Later on, the 29 30 Tracing Denial of Service Attacks victim of an attack can query a specific router to find out whether that router forwarded a specific packet [28]. But there is an approach called Hash-Based IP traceback that can actually make this work without humongous storage usage. With the use of an efficient logging technique, only collecting small hashes of the packets instead of storing the entire contents in the packet, which would require 20 to 1,500 bytes of storage per packet, it is possible to trace a single route of one packet [27, 28]. 6.3 Probabilistic Packet Marking (PPM) scheme This scheme implicates that the intermediate routers sample packets with a predefined probability constant and encode its identification (router ID) into these sampled packets. Each packet will be forwared to the address specified in the IP header. The end host can then decode each sampled packet and obtain its path. There are several implementation proposals for this scheme. One is called node sampling. This technique inserts the routers 32-bit IP address into the IP header of each sampled packet. A drawback of this scheme is that the probability of finding a marked packet will decrease significantly with the number of hops between the sending and receiving hosts. Thus making it difficult to trace the original host. Furthermore, since this method just provide node identification, it is hard for the end host to figure out the sequence of intermediate routers and then to discover correct routing paths. To address this issue, another technique called edge sampling can be used. Here the link between two routers (edge) is stored into the packet along with the number of hops between them. This requires additional data (72 bits) to be inserted into each packet sampled. Two 32 bit IP addresses and one 8 bit field to store the number of hops. Under these circumstances 72 bits is quite a lot and therefore the packets are fragmented. When all fragments have reached the end host, the data is reassembled and the edge information can be obtained. Even though this approach solves some of the sequence and space problem issues there are still several drawbacks to this approach. First of all it requires a lot of overhead when marking the packets. The attack also requires more marked packets due to the fragmentation. Another problem with both node and edge sampling is that there is a possibility for a users to mark packets with falsified data. There is a third technique created to address the issues of overhead and authentication called Advanced Marking Scheme. Instead of fragmenting 64 bits of IP address data, this scheme uses two unique hash functions to compute the hash of one router IP address. As input it will take a 32 bit IP address and the output will be a 11 bit hash sequence. To generate the edge id, the Tracing Denial of Service Attacks 31 two hashes are XOR:ed together. This value is stored in the IP identification field (16 bits) and the rest 5 bits are used to store the number of hops. When a packet is received by the end host it can use the hashes to figure out the path of the packet and also the sequence of the nodes. Though it is still possible for an attacker to overwrite legitimate markings with garbage or false markings. Authentication can be supported if the scheme is extended by the Authentication Marking Scheme. This scheme lets the end host authenticate the marked packets. If it fails to authenticate, the packet will be dropped. The drawback of these two techniques is the massive amount of overhead time it takes to mark a packet. To efficiently discover routing paths with these techniques a sample probability of 1/25 to 1/10 must be used. In the long run this may add up to a lot of process overhead. Another huge drawback for all of the techniques described in this section is that none of them can detect the true source if the attack is distributed and reflective. In a distributed attack zombies (reflectors) are used. The malicious user forges the source address and sets it to point towards the victim’s IP address. This will cause the zombies to reflect the received packets to the victim. The reason why the victim does not have any use of the schemes is that packets are only marked and forwarded in the direction of the destination host. So in this example where the destination IP points to the zombies, the schemes assume that the packet has reached the end host so there is no need of marking more packets. But in the case of a distributed reflective attack, the zombie replies to the received packets and therefore sends an answer to the source address, which in this case is the same as the victim. No packets are being marked so the victim cannot trace the true host [28]. 6.4 iTrace Another way to help solve the problem of tracing back to the original host is by using the ICMP Traceback (iTrace) scheme. When routers are forwarding packets they can, with low probability (e.g. generating one iTrace packet for an average of 20,000 forwarded packets), generate a traceback message that is sent along to the destination. The good thing about this is that the process does not require too much delay, no extra time is needed to alter the existing packet. This is possible since the randomly selected packets are actually copied and then forwarded immediately. After the real packet has been forwarded, an out of band ICMP packet (the iTrace packet) is sent to the destination address located in the IP header. The message contains information about the IP and MAC address of both the upstream and downstream links of the router that selected the packet. There is also information about the packet’s destination and source address and a bit of the payload. It is also 32 Tracing Denial of Service Attacks possible to use authentication, but this is optional. With enough traceback messages from enough routers along the path, the traffic source and path can be determined [24, 28]. ITrace can also trace back attacks that are distributed and reflective but it depends on the configuration. This is possible since the scheme stores both the source and the destination addresses. If an iTrace packet is sent both to the destination and the source, instead of only to the destination, the victim will receive an iTrace packet disregarding if the attack is distributed reflective or not. There are special tools that can be used to log, extract information, and analyse the iTrace packets known as Intrusion Detection Systems (IDS). They can be used to (in realtime) reconstruct attack paths [28]. There are some statistic problems with this approach though. One thing is that routers closer to the victim have a higher probability of generating iTrace packets toward the true victims. The other thing is that the routers close to DDoS zombies might have a relatively small probability (smaller than the routers around the victims) to generate ”useful” iTrace packets [25]. An iTrace packet is called useful when it is sent towards the domain of the victim since only then can it be used to trace back an attack. There is also the issue of a potential bottleneck. For instance, if the probability of sending an iTrace packet is 1/20000, one iTrace packet will be sent every 1/500th second on a 10 Mbit router. If the router is slower it will take much longer time before an iTrace packet is sent. Since the routers randomly determines which packets to iTrace, it may require many iTrace processes before the first useful iTrace packet is received by the victim [28]. 6.5 Intention-Driven iTrace (ID-iTrace) This approach has an enhancement over the iTrace scheme such that it can dynamically trace more closely to the DDoS slaves with the same number of ICMP trace-back messages [26]. It increases the probability of receiving a useful iTrace message when really needed. By using a special intention value that can be propagated to routers through BGP updates it is possible for a host or victim to raise the probability of receiving iTrace packets from remote routers [27]. This can be done without the need to adjust the sample probability. Instead of randomly choosing a packet for which an iTrace packet is transmitted, the thing about ID-iTrace is that it uses so called intention bits and triggers (iTrace Execution bits) [28]. By splitting up nodes into three different kinds, the ID-iTrace method distinguishes between these kind of nodes [25]: • DDoS victims with intention to trace the slaves. Tracing Denial of Service Attacks 33 • DDoS victims without the intention. • non-DDoS victims without the intention to trace and with a strong aversion not to receive any. For instance, let us say a router that uses the ID-iTrace scheme has three entries in the routing table: A, B, and C. Let us also assume that entry A is under a DoS attack and the administrator would like to find the attack source. Instead of having the router sending iTrace packets whether the receiver wants it or not, as in the case of normal iTrace, the victim instead tells the router that uses ID-iTrace to set the intention bit for entry A. This tells the router that entry A wants to receive iTrace packets. The intention bit is initally set to zero for all entries in the routing table. Now some of the packets will be sampled with a certain probability just as in normal iTrace. Since packets arriving to the router are destined for either entry A, B, or C it is not certain that the packet that was just sampled belongs to an entry that is under attack (in this case A which have its intention bit set and wants to receive iTrace packets). So instead of just sending an iTrace packet about the sampled packet directly, it checks whether this packet is destined for an entry in the routing table that has its intention bit set. If it is, an iTrace packet is sent. If it is not, the incoming packet was not an attack packet destined for the victim in entry A. Instead of just letting the sample go to waste and hope that the next sample is an attack packet, the iTrace Execution bit is set for those entries in the routing table that have their intention bits set (in this case entry A). This means that the next packet arriving to the router that is destined to entry A will trigger an iTrace packet to be sent towards the victim (after the iTrace packet was sent, the execution bit will be reset to zero). The next packet does not neccessarily have to be an attack packet though but this approach is still much better than normal iTrace in the terms of lower bandwidth consumption and that only systems that would like to receive iTrace packets are actually receiving them. 6.6 Caddie Message Generation In Caddie Message Generation an ICMP Caddie message is generated to follow the original packet with a certain probability. The scheme is implemented in the intermediate routers. It distinguishes between three types of routers. One is a router that is not a part of the communication link between the attacker and the victim. The second one is called a Caddie Initiator which is the routing device that creates a new Caddie message (the first router in the link between the attacker and the victim). Finally there is the third kind which are called Caddie Propagators which are used to update Caddie messages coming 34 Tracing Denial of Service Attacks from another (previous router) with useful data. Routers not supporting the scheme, but which are still used in the link between the attacker and the victim, only forwards a Caddie message as a normal ICMP packet. Thus it is possible that a Caddie message does not contain a complete path between the attacker and the victim but instead it is highly flexible. A Caddie message contains information such as a copy of the source and destination address taken from the original message and information about the previous Caddie propagator (or Caddie initiator) and the next Caddie propagator (or destination host) in the link. Whenever a Caddie message passes a Caddie propagator, new information about this router will be appended to the Caddie message along with the number of hops between this and the previous one. To later verify the router list in the Caddie message, the Caddie destination can make use so called ”Time-Released Key Chains”. What this means is that each router generates a sequence of secret keys (that are valid for a certain time slot) by applying a one way hash function to a random seed. These keys are revealed after a delay at the end of each time slot. This is a good alternative of instead having each router sharing a secret key with several Caddie destinations. The Caddie destination is now only required to retrieve the latest key. By using this key it is possible to compute all the secret keys for the previous time slots and use these to retrieve information. To reduce overhead the secret keys are precalculated and the session keys are reused. The values generated will still be distinct. A Caddie initiator or propagator uses a Caddie timer to check for how long time the device has been operating without generating or propagating a Caddie message. If the time has exceeded a certain value, the router will automatically function as a Caddie initiator and send a new Caddie message to the destination. There are four different modes that can be used which are shown in Figure 6.1. As seen in Figure 6.1, Caddie messages can also be used to identify packet dropping DoS attacks. These are attacks that will make routers or switches maliciously drop particular packets. Since each packet entering a routing device should also leave the routing device (if not destined for that router), a Caddie destination can find which routers that are dropping packets [44]. Compared to other schemes, Caddie Message Generation uses less network and router storage overhead and supports incremental deployment since not all routers in the link between the attacker and the victim have to support the scheme. It also have higher precision and lower computation costs. An brief comparison between iTrace, ID-iTrace, and Caddie Message Generation can be seen in Figure 6.2 [44, 45]. Network A indicates the network from where the ICMP message is sent and Network B is the network receiving the packet. Tracing Denial of Service Attacks Mode Simple Basic Responsive Enhanced 35 Description Only append router information to the Caddie message when passing a Caddie propagator. Simple mode features + protect the router information using a hash value (HMAC) at each Caddie propagator. Basic mode features + a response is sent back to the origin for each Caddie propagator and Caddie destination. This enables detection of packet dropping at the router. Basic mode features + matching each Caddie message with its original packet at every Caddie propagator or destination. Figure 6.1: The different modes available in the Caddie Message Generation scheme Scheme iTrace ID-iTrace Caddie Message Generation Bandwidth overhead High High Fair Storage overhead Network A Network B None High High Fair Low Low Computation overhead Network A Network B Low Very High Low High Low Fair Figure 6.2: A brief comparison of iTrace, ID-iTrace, and Caddie Message Generation 36 Tracing Denial of Service Attacks 6.7 IPSec-Based Source Tracing Node-to-node authentication provides a way to trace back an attack since a receiving node can be sure that an authenticated packet must have been sent from a specific node. In other words the attack origin should be traceable. A protocol that can be used in an implementation of a traceback nodeto-node authentication algorithm is the IPSec which provides this type of authentication by default. There are at least two tracing approaches that utilize IPSec to trace back an attack to the originating source. One is the Decentralized Source Identification for Network-based Intrusion also known as DECIDUOUS and another one is the Packet Head Information List also known as PHIL. The PHIL switching technique was designed to enhance the tracing ability of DECIDUOUS [28]. To be able to understand how the algorithms work, it is necessary to have basic knowledge about IPSec. A description about IPSec is presented below. 6.7.1 Introduction to IPSec IPSec is a protocol suite that allows for integrity, confidentiality and authentication of data communications over an IP network. It has two operating modes called transport mode and tunnel mode. Using transport mode will have the source and destination hosts performing the cryptographic operations directly. This allows for end to end security. Using tunnel mode on the other hand will allow for special gateways to perform the cryptographic operations and therefore allow for gateway to gateway security [39]. There is also an authentication header (AH) protocol, whose (only) purpose is to provide authentication for IP packets. To provide the encryption and authentication, the encapsulating security payload (ESP) protocol may be used. Another important part of IPSec architecture is the key manager which provides the negotiation of connection parameters such as which protocol (AH or ESP) to use [28]. When a packet is passed through a gateway supporting IPSec tunnels, the packet is wrapped into a new header which includes the Security Parameter Index (SPI). The SPI specifies which keys and algorithms used by the previous system to view the packet. Using this technique will also protect the payload of the packet since any error or change to the payload will cause the end system in the tunnel to drop the packet. When a packet is received by the end system in the tunnel, the header that was previously added is now removed (if the packet is successfully verified and validated) to avoid unnecessary overhead. Another part of the IPSec architecture is the security association (SA). It uses the SPI number that is carried in the AH or ESP part in the IPSec packet to identify which SA that is being used in the packet in question. Also included Tracing Denial of Service Attacks 37 in the SA is the destination IP address to which the packet is finally destined to as well as the security protocol (AH or ESP) [39]. Each IPSec connection have its own specific SA and therefore a security association database (SAD), that stores which SAs being used for the different connections, is needed [28]. 6.7.2 DECIDUOUS One way to identify spoofed attacks by using IPSec would be to establish SAs between every pair of nodes that might ever need to communicate. This is however too expensive from a computational viewpoint. There would be a lot of IPSec processing overhead even when there are no attacks so this option is not feasible. Another way would be to set up static SAs between a limited number of communicating node pairs but this will not guarantee source identification since not all nodes are covered. The solution is to dynamically establish IPSec tunnels and locate the attack with the help of an IDS [37]. The purpose of DECIDUOUS is to decide where, when and how to establish SAs using IPSec [38]. It uses a concept called CutSet which is a group of routers that are on the same hop count away from the victim. CutSet enables DECIDUOUS to transform the network topology into a linear topology. Only then is DECIDUOUS able to establish IPSec tunnels between the different CutSets and with the help of the IDS it can trace back the attack. Figure 6.3 helps to clarify what is going on. CutSet 0 in (the blue filled circle Figure 6.3: The concept of CutSet in Figure 6.3) is the victim itself. The CutSet index represents the number of hops between the current CutSet and the victim. The dashes in the circles are 38 Tracing Denial of Service Attacks routers (nodes) in the current CutSet. Using Figure 6.3 as an example, the linear topology created by DECIDUOUS will look like: Attacker↔ CutSec 3↔CutSec 2↔CutSec 1↔ CutSec 0 (victim). The arrows indicate a secure IPSec tunnel between the routers within the participating CutSets. If the IDS detects an ongoing attack, it signals to an DECIDUOUS daemon to start tracing. Knowing about the converted linear network topology, DECIDUOUS dynamically sets up IPSec tunnels from routers within the same CutSet of the victim. Each tunnel gets a unique SPI. The IDS will then verify the attack once again and, based on the authentication information gathered from the tunnels, send the results to DECIDUOUS. DECIDUOUS will start checking if the attack packets (identified by the IDS) are forwared through an authenticated border router within the current CutSet. If this is not the case, the true origin of the attack is not within the current CutSet and so DECIDUOUS will destroy the IPSec tunnels already built and set up other tunnels with a border router located in a CutSet one step further away from the victim. This will continue until DECIDUOUS finds the first authenticated border router in a CutSet that do not forward attack packets. DECIDUOUS now knows that the true origin of the attack is a host located between the previously authenticated router found (which forwarded attack packets) and the last authenticated router found (which did not forward attack packets). Using the information stored in the SPI, DECIDUOUS can then locate the true origin of the attack. For instance say that the routers in Figure 6.4 are border routers of different CutSets. What DECIDUOUS does is to first see if the router closest to the victim (Router A in CutSet 1) are forwarding attack packets. Since it does, DECIDUOUS knows that it must search one step further and finds border router B in CutSet 2. This router does also forward attack packets and therefore the attacker is not located in this CutSet either. DECIDUOUS continues to search this way until it finally finds that Router D in CutSet 4 is not forwarding attack packets. Since the previous router checked to forward attack packets was located in CutSet 3, DECIDUOUS concludes that the true origin of the attack is located in CutSet 4 and will be able to find the true source by using an intra-domian tracing technique [28, 38]. There are some problems with the DECIDUOUS approach though. First it is difficult to obtain the IPSec header information needed to traceback the attack because every time an end system of an IPSec tunnel is reached this information is removed from the packet. One solution would be to integrate the IDS into the network protocol stack to detect the attack in the network layer. Otherwise there is no way for DECIDUOUS to fetch the IPSec authentication header and thus a traceback is not possible. Another problem is regarding security issues such as the unwillingness for domain administrators to share the local network topology with others. Without the knowledge of Tracing Denial of Service Attacks 39 Figure 6.4: The secure tunnels between the routers which exposes the attacker the network topology, DECIDUOUS will not function [28]. 6.7.3 PHIL PHIL was designed to tackle the issues of DECIDUOUS. PHIL may be seen as an extension to DECIDUOUS that provides an application layer approach instead of the network layer approach used by DECIDUOUS as well as a possibility to trace back an attack without knowledge of the different network topologies. The first challenge is solved since PHIL uses a special data structure to store the IPSec headers whenever an IPSec system throws them away. This is done by using special PHIL API socket interfaces so that applications may retrieve data as well as IPSec headers. When sending data, PHIL also provides options to send data along with SAs to be processed by IPSec. Another improvement from DECIDUOUS is that PHIL no longer needs complete knowledge of the network topology in the different networks on which it operates. PHIL provides a switching scheme that coordinates security information among different administration domains by maintaining relationships between their SAs in a PHIL switching table. If someone in one of these domains would like to know the IPSec tunnel relationship with another domain a query can be sent to the PHIL switching table to gather the requested information. Either an SNMP model or a UDP client/server model can be used. By utilizing this technique it is possible to trace back a spoofed DoS attack. For an example refer to Figure 6.5 [28]. 6.8 Conclusion As seen in this chapter there are numerous ways to trace back an attack even if the source address of the packet was spoofed. Though nothing is said that 40 Tracing Denial of Service Attacks Figure 6.5: An illustration on how PHIL switching can be used to traceback an attack this should be easy. Special schemes must be used and intermediate routers in the link between the attacker and the victim must support these schemes. It can be costly to implement, both time and money wise. When talking about the ”attacker” in this sense it does not necessarily mean the initiator of the attack. The ”attacker” rather means the host directly responsible for transmitting malicious data. For instance, if the true perpetrator is using a flood network such as one of those described in Chapter 7, he can hide behind zombies and reflectors. A traceback scheme can only trace back as far as the zombie actually transmitting the malicious packets. Theoretically it is possible for the perpetrator to send an attack command to a zombie that is not initiated until several hours or days later. It will be impossible for a traceback scheme (and extremely difficult for the system administrator of the zombie infected host if he has no previous knowledge of the attack) to locate this packet and trace back the attack. It is even possible for the perpetrator to initiate this delayed attack by just sending one spoofed UDP packet. So the main purpose of all the schemes presented above is not to find the true initiator of the attack (even if this may be possible in some cases) but rather to locate the presumably hacked attack source that is transmitting the bogus traffic to later be able to contact its administrator to deal with the problem. For this issue, traceback schemes are invaluable. Chapter 7 Denial of Service applications 7.1 Trinoo Trinoo is an implementation of a distributed UDP flood attack. A trinoo network is built up of a network with a couple of masters controlling a larger network of daemons as seen in Figure 7.1. There is no communication between two masters or between two daemons, the communication flows only in top to bottom direction and reversed. Figure 7.1: A trinoo network Trinoo masters and daemons were first seen on Solaris 2.x systems and were wide spread thanks to a buffer overflow in RPC. Later it was also found on Linux systems. The big focus on these two systems was due to the easy availability of root kits and exploits for these system. In the original version of trinoo the communication was handled on the ports as showed in Figure 7.2. To connect to a trinoo network all that is required is a TCP connection to a master, typically a telnet application is used here. In the beginning of the session the user have to enter the correct password and if someone else 41 42 Denial of Service applications attacker to master master to daemon daemon to master 27665/tcp 27444/udp 31335/udp Figure 7.2: Ports used in standard configuration of trinoo is already connected to the master a warning is issued that there is someone already connected. When a daemon starts it sends out a ”*HELLO*” string to all masters it knows about and the master adds this daemon to a list over active daemons. Most commands between masters and daemons are password protected and look like the following: arg1 password arg2 These commands all have different password phrases. The passwords are stored in the binary encrypted with crypt() [6] but it is sent unencrypted over the network. When a password is received it is encrypted with crypt() and compared with the stored password phrase. If they are the same the command is executed otherwise nothing happens. When a master is started it first asks for a password and if the correct password is entered it prints a confirmation and forks a process to be run in the background and finally it terminates its execution. The masters have a list over active daemons stored in the file ”...”. To update it the master can send out a ”png” command to all known daemons and they will answers back with a ”PONG”. To protect oneself against hosting a trinoo daemon is not as easy as to just block the ports because high port numbers are usually used by legitimate programs. A better approach is to study and block all UDP packets that contain footprints from trinoo commands which is possible since they are sent unencrypted [41]. 7.2 Tribe Flood Network The Tribe Flood Network (TFN) is a flooding network with a couple of clients controlling a lot of daemons, see Figure 7.3. It implements ICMP flood, TCP/SYN flood, UDP flood, and smurf attacks. It can even start a remote root shell listening on a TCP port on demand. There is no password protecting the client, instead a list with IP adresses to daemons must be supplied from the user. To connect to a client one of the following ways may be used: • remote shell bound to a TCP port Denial of Service applications 43 • UDP based client/server remote shell • ICMP based client/server shell • SSH terminal session • telnet TCP terminal session Figure 7.3: A TFN network TFN was spread about one month after trinoo and the main target for TFN was also Solaris 2.x due to the RPC buffer overflows. The communication between the client and the daemons is done with ICMP Echo Reply packets. No TCP or UDP traffic exists between them. One big reason for this is that some network analyzing tools do not show ICMP packets in standard configuration. The traffic is encrypted by using the ID field of the ICMP header to represent different commands and with the sequence number set to 0x0000 it looks like a reply to an ordinary ”ping” commando. Arguments for the commands are sent as null terminated strings in the data field of the packets. The choice of using ICMP Echo Reply instead of Echo Request is that the kernel would have answered back with an ICMP Echo Reply to every request sent by the client. Later versions of TFN have been found but no new source. From the binaries it have been possible to come to the conclusion that encryption have been added, probably to the IP list, the list over clients and the traffic in the ICMP data field. By using ICMP packets for communication the network administrator have a difficult task to block these packets because blocking all ICMP packets will break a lot of legitimate program relying on ICMP messages. A workaround would be to investigate the difference between TFN commands and ordinary ”ping” traffic. 44 Denial of Service applications Because the daemon does not do any authentication of the source of commands it is possible to flush it with only one packet if the commands have not been changed. Even if they have been changed it is still possible to flush it by using brute force and test every possibe combination of the ID field, because it is only 16 bits wide there are only 65536 possible combinations [42]. 7.3 Stacheldraht Stacheldraht is based on TFN with features from trinoo. New features include encryption between client (attacker) and handlers (masters) and a commando to update the agents (daemons) automaticaly on demand. The first known stacheldraht version was found in late September 1999 and had competition by TFN2k (a new version of TFN). Also stacheldraht was wide spread thanks to the RPC exploit in solaris 2.x systems. Even stacheldraht included support for ICMP flood, TCP/SYN flood, UDP flood, and smurf attacks. There has not been found any versions with a remote root shell in stacheldraht. A stacheldraht network is built up of one or a few handlers controling a large set of agents as seen in Figure 7.4. The attacker connects to the handler with a special client with encryption capabilities so the communication between client and handler can not be easily read. With this encryption stacheldraht tried to overcome the biggest flaws in TFN, that where subject for standard TCP attacks such as session hijacking and RST sniping. Figure 7.4: A stacheldraht network An attacker controls or a few handlers that each can control up to 1000 agents. The limit is set to 1000 because most unix implementations have a Denial of Service applications 45 hard limit on 1024 filehandlers. In the original version the communication is handled on the ports shown in Figure 7.5. client to handler handler to/from agent 16660/tcp 65000/udp, ICMP Echo Reply Figure 7.5: Ports used in standard configuration of trinoo When the client is started it asks for a password and applies the crypt() encryption on it. The encrypted password is checked against the password stored in the binary. If it matches, blowfish encryption is applied on the already ”crypt()” encrypted password before it is sent to a handler. As in TFN commands between handler and agents are sent in the id field of an ICMP header. In the startup of an agent it begins by reading a configuration file with a list, encrypted with blowfish, over known handlers. If the list is empty or nonexisting it has a fallback in form of one or two hardcoded handlers in the binary. In the second phase the agent starts to send an ICMP Echo Reply to all known handlers and the handlers will respond to the agent with a confirmation. This communication continues throughout the execution of the agent. When the agent has got a confirmation from a handler it tests for the possibility to send spoofed packets by sending a spoofed ICMP Echo Request packet to a handler. The ID field and the Type of Service field of the ICMP header have a predefined value so the handler knows that an agent sent it and the IP of the agent is written down in the datafield of the ICMP packet. If a master replies to this request with another predefined value in the ID field and a message in the data field that spoofing is successful the agent will use spoofing in the future. When the hander commands the agents to upgrade themself the agents start by removing the old binary and download the new from a stolen account by the RPC protocol. When the new version is downloaded the agent starts it and terminate itself. It is not a good idea to block all ICMP traffic to stop stacheldraht from using a network because many applications rely on ICMP messages. One approach is to look for outgoing ICMP Echo Requests with spoofed source address (as in Section 5.3) as the agent sends them in the startup. If the packet is logged then it will be easy to find which computer sent it. It is also possible to detect a running agent/handler by the continuous communication with ICMP Echo Request packets beeing sent between an agent and its handlers and if many RPC connections are made in a rapid flow it could be agents upgrading themselves and should be further investigated [43]. 46 Denial of Service applications 7.4 Comparison and conclusion All three of these DDoS networks were wide spread a short time after each other and thus could use the same security flaw in the targeted systems, this time it was the RPC buffer overflow. They all used some kind of technique to disguise or hide them selves so they would not be easily discovered. On some systems they were even restarted automatically if something happened to them. The first DDoS network to show up was trinoo and it only had one attack implemented and utilized ordinary UDP and TCP connections. The communication was also unencrypted so it was rather easy to watch the communication and take control over a master. The successor, TFN, added a couple of attacks and also thought about encrypting the communication between clients and daemons. Due to the unencrypted communication between the attacker and a client it was still possible to take over a TFN network just by sniffing the communication. The next version to be seen was stacheldraht, with most of the functionality in TFN and encryption between attacker and handler. The current big flaw in the stacheldraht communication is that the command arguments are sent unencrypted in the data field, so a wise step would be to add encryption here. Chapter 8 Our Denial of Service application 8.1 Control Center The Control Center is a multithreaded CLI that is used to remotely control zombies by a TCP/IP connection. For instance it may be used to initialize, start, stop, and monitor an attack. It may be regarded as a master in a flood environment such as the trinoo network (Section 7.1). There are several implemented attacks that may be used to attack another computer by a DoS attack (for details refer to the manual in Section G). The actual implementation of the attacks is realized, in the zombie. The Control Center has been tested in Windows 2000 and XP but it will probably work in other versions as well as long as they have support for Winsock 2 and Boost threads. At the moment there is no support for Linux but it has been implemented in such a way that it would be easy to port. It is mainly the network part that is platform specific. 8.2 Zombie The Zombie is the application that actually performs an attack. It is controlled by a Control Center and cannot be used as a stand alone tool. TCP/IP connection is used to communicate with the Control Center which can transmit commands for the Zombie to execute. The connection is established when the Zombie is started and if the connection is lost the Zombie will end its execution. It uses IPC to exchange IP and MAC information with other Zombies on the same computer (the reason why is described later in Section 9.1.1). When an attack command is received from the Control Center the specified attack will start in a new thread. This thread will end its execution and will be deleted when the attack is stopped. The Zombie requirements are the same as for the Control Center but with the addition of WinPcap 3.1 beta 4. 47 48 Our Denial of Service application 8.3 Misc 8.3.1 Boost threads To allow the Control Center to have multiple Zombie clients connected at the same time and for the exchange of messages between them, threads were used. Since there are no built-in thread support in STL C++ and because it should be easy to port the application to Linux, Boost threads were chosen. Boost [46] is a collection of free portable C++ libraries with the emphasis on working well in the STL library. Another goal of the Boost project is to eventually have the library standardized in C++. To get Boost running can be quite tricky. First of all it must be downloaded and compiled. To compile Boost for Visual Studio .NET the following steps should be performed: 1. Download Boost from the Boost homepage [46] 2. Download Boost jam from the same site 3. Build Boost jam by running build.bat 4. Copy bjam.exe to a directory in the path 5. Start a Visual Studio command prompt 6. Enter the Boost directory and execute ”bjam -sTOOLS=vc-7 1” Be aware, compiling Boost requires about 600 Mb of free disk space and takes several hours to compile. To setup a Visual Studio debug solution configuration of Boost, the following steps should be performed: 1. Goto Tools → Options → Projects → VC++ Directories → Library files and add the path to libboost thread-vc71-mt-sgd-1 32.lib 2. Goto Tools → Options → Projects → VC++ Directories → Include files and add the path to the Boost root directory 3. Change Visual Studio to support multithreaded application by: right clicking on the project → Properties → C/C++ → Code Generation → Runtime Library and choose Multi-threaded (/MT) 4. Right click on the project → Properties → Linker → Command Line, add /NODEFAULTLIB:LIBCMT In order to setup a Visual Studio release solution configuration, the lib file called ”libboost thread-vc71-mt-s-1 32.lib” should be used instead of the one mentioned in the first item above. Our Denial of Service application 49 Before trying out Boost threads another thread library called PThreads (POSIX) were installed and evaluated. But after a while the decision to choose Boost threads instead was very prominent since PThreads did not seem to work in an object oriented manner in C++ and is better suited for C. 8.3.2 Endian The different ways that multi byte data can be represented by a computer system and dictated by the CPU is called endianness. Different systems uses different representation thus making it harder to create platform independent software. There are two different ways to represent multi byte integers, big and little endian. In big endian the most significant byte (MSB) is stored at the lowest address of the memory address while in little endian the MSB is stored at the highest address [47]. For example refer to Figure 8.1. Since the host running a Control Center or a Zombie may use a different endianness than Ethernet (big endian) a class that is able to convert between big and little endian was implemented. For instance is the Intel 80x86 CPU architecture using little endian. There are built-in functions in C to convert to and from from big endianness but these do not support 64 bit conversions nor are they platform independent. The implemented class supports both. It has though only been tested in little endian environment but it should work in both. Endian Big Endian Little Endian 00 12 78 Address 01 02 03 34 56 78 56 34 12 Figure 8.1: Memory layout of the value 0x12345678 in big and little endian 8.3.3 Multicast sockets Multicasting is a bandwidth conserving technique that makes it possible to simultaneously send a stream of data to many systems without adding any additional burden to the source or receivers. The packets from the source are replicated by the routing device and forwarded to all listening receivers. This is especially useful in video streaming technology [48]. To avoid having to manually enter the IP address and port of the Control Center each time a Zombie is started, the use of multicast sockets was implemented. Multisockets uses the address space between 224.0.0.0 and 239.255.255.255. Whenever a Zombie is started it will listen to 224.0.0.1 on port 1337 for a message from the Control Center. The address of 224.0.0.1 50 Our Denial of Service application will only reach systems in the local subnet which is the intension since the application should not reach beyond the test environment. When the Control Center is started it connects to the multicast address and sends a message containing its IP address and port to the listening Zombies that were started prior to the Control Center. The Control Center will then continue to listen on the multicast address for messages. When a Zombie is started it connects to the multicast address and sends a request for the IP and port to the Control Center. The Control Center will reply with this information and the Zombie disconnects from the multicast address and connects to the Control Center. It is possible to skip the multicast IP lookup, refer to the manual in Appendix G for more details. 8.3.4 Protocol Each message sent from the Control Center to the Zombie and vice versa are sent in accordance with the protocol described in ”Protocol.h”.All messages begins with a pre string and ends with a post string defining the beginning and the end of a message. Commands and arguments have only a pre string. ”Protocol.h” is shared between all classes that compose messages to be sent, both in the Zombie and the Control Center. ”Protocol.h” also contains macro like functions to ease the use of the protocol. Below is a couple of examples of communication between the Zombie and the Control Center. Initialization: When an attack is initialized by the Control Center it sends out a message to the specified Zombie, all if none specified, and does not wait for any replies. Status: If the Control Center needs to know what state every Zombie is in it can send out a status request to the Zombies and they will reply with the current state they are in. If an attack is ongoing the number of packets sent as well as how long time the attack have been running are returned. If no response is received within 5 seconds the Zombie is considered dead. Start attack: To start an attack the Control Center sends a message to the specified Zombies, or all, to start the initialized attack. If the Zombie has an attack initialized, it starts the attack and returns its current state. If it does not have any attack initialized it returns a message specifying that. Stop attack: A stop of an attack is handled in the same way as to start an attack. The Zombie returns one of: attack stopped successfully, no attack running, and no attack initialized. Our Denial of Service application 51 Shutdown: When the Control Center is shutting down it sends out a message to every Zombie connected and then ends its own execution. Broken link: If at any time the connection between a Zombie and its Control Center is broken the Zombie ends its execution and the Control Center closes that socket and continues as normal. 8.3.5 stdint Since different compilers use different bit length representation of primitive data types, this had to be dealt with in the implementation. For instance may the primitive data type ”long” be treated as either a 32 bit or a 64 bit representation depending on the compiler. To get around this problem a special library file called ”stdint.h” was created that made it possible to define exactly how many bits that were to be used. For instance ”int64 t ” represents a 64 bit integer. 8.3.6 WinPcap A mayor part of the Zombie application is the use of raw sockets. As described in earlier sections this feature was withdrawn from Windows XP SP2 but by using a third party software called WinPcap it is still possible to send raw sockets from this OS. WinPcap is an open source packet capture and network analysis library for the Win32 platform. It will work under most version of Windows. It provides direct access to raw sockets independent of underlying network hardware. WinPcap was mainly designed to be used in open source network analysis tools that may be freely distributed under a BSD-style license [49]. Although this may sound quite fantastic there are still some limitations when using WinPcap in Windows XP SP2. The problems are presented in Section 9.1.1. 52 Our Denial of Service application Chapter 9 Test scenario 9.1 The test environment The test environment used to test the Denial of Service application consisted of 16 IBM compatible computers with Intel 2.0 GHz CPUs and 256 MB of system RAM. The operating system installed on all the hosts was Microsoft Windows XP with service pack 2. The hosts also used active directory and network login. The network speed was 100 Mbit and all hosts were connected to a 3Com SuperStack 3 switch (”stack-2” (130.235.4.52)). Windows XP was configured to automatically download and install the latest security patches using Windows Update when available. 9.1.1 Problems The problems concerning the test environment mainly originated from Windows XP SP2 and the network configuration. One thing was the frequent security updates which on at least one occasion caused disturbances. Attacks that previously had worked did no longer work for example. There were also an unresolved issue of the Smurf attack whose outcome seemed to change over night without any functional changes in the code (more on this later in this chapter). But the main issue was regarding Windows XP SP2. Some of the problems that came up during the test face are presented below. Problems with Windows XP SP2 ARP problem The problem was that when several Zombies were used simultaneously on the same computer, some of them did not receive a response from an ARP request. A Zombie sends out an ARP request to find a host’s Ethernet address 53 54 Test scenario from an IP address. If no response is received the Zombie will use the default MAC address of ff:ff:ff:ff:ff:ff which is the MAC address for the broadcast address. This would slow down an attack significantly, packet rates around 100 packets per second were not unusual. This effected all Zombies on the same computer. If only one of the started Zombies failed to retrieve an ARP response all other Zombies would flood at a very slow level. One confusing thing about this was that it did not seem to matter if there were say 15 Zombies running on the same computer or if there were only 5. There were always around 1-3 Zombies that failed to get an ARP response. To see that it really was a Windows XP SP2 related problem a test was executed. 18 Zombies were started on a Windows XP SP1 host. An attack was initialized against a Windows XP SP2 machine located in the test environment (an attack initialization automatically triggers an ARP request). Running this OS resulted in that all Zombies received the MAC address just as they were supposed to. This test was repeated over and over again and only once did one of the 18 Zombies fail to retrieve the MAC address from the SP2 computer. But when starting only 15 Zombies on a Windows XP SP2 host in the test environment and initializing an attack against the same computer, there were always 1-3 Zombies failing to get a response. The problem was therefor not that the remote Windows XP SP2 host detected a flood and stopped responding to the ARP requests. The same test was conducted both with the Windows Firewall enabled and disabled but there were no difference of behavior. What caused this problem is unknown. There is no mentioning of this behavior in [33] which is Microsoft’s own documentation about the updates in Windows XP SP2. It was possible to find a workaround for this problem. The first thing tried was to simply resend an ARP request up till 10 times for each Zombie process with 1 s interval between each retransmission. This did however not solve the problem. The next thing tried was to implement Inter-Process Communication (IPC) between the Zombies who now shared a memory mapped file. When a Zombie retrieves a MAC address it checks the memory mapped file to see if the IP/MAC address pair exists in the file. If it does not the IP/MAC pair will be appended to the file. If it does the previous IP/MAC pair will be overwritten. The reason why it is overwritten and not just discarded is because there is a small chance that the MAC address have been changed since a previous attack. If a Zombie fails to retrieve an ARP response it will first wait 100 ms then check the memory mapped file to see if another Zombie has inserted the IP/MAC pair. This is done by matching the IP address whose MAC address did not resolve to already inserted IP/MAC address pairs. If the IP/MAC pair does not exist it will go back and send a new ARP request and repeat the whole process up till 10 times. This solved the problem in a sufficient manner. Test scenario 55 Restricted traffic over raw sockets With the release of Windows XP service pack 2 the full use of raw sockets was withdrawn. According to Microsoft [33], these are the raw socket restrictions in SP2: • TCP data cannot be sent over raw sockets. • UDP datagrams with an invalid source address (one that does not exist on a local network interface) will be dropped. Our experiments have shown that this not true. It is possible to spoof the source address of a TCP packet (using WinPcap) just as well as an UDP packet in Windows XP SP2. The test environment was configured to drop packets that had an invalid source MAC address which was very confusing at first. This led to the belief that the SP2 non spoof barrier did indeed work but as proven later it does not if WinPcap is used to send the packets. It is possible to set an arbitrary IP source address for a packet in the test environment but the source MAC address had to be accepted by the switch otherwise the packet was dropped. This problem is really important to keep in mind when using the flood application since the problem will not be noticeable from the Control Center. Checking the status for each connected Zombie will not indicate any dropped packets. Not even by using Ethereal on the Zombie computer is it possible to see this behavior (Ethereal will show that the forged packet is sent as it should). To see that the packet does not reach the victim, a packet sniffer must be installed at the victim or the data flow in the switch may be checked with PRTG or a similar application. But as stated earlier, it is possible to spoof the source MAC address to an address that exist in the local network and thus is accepted by the switch. When a packet with an spoofed source MAC address set to an address outside the local network is sent, connections are blocked for a short period of time (approximately a minute or so). It is not possible to use a browser to access web pages for example. It was not possible to reinitialize the attack with a functional source address until this time had passed. The problem with dropped packets were experienced in some tests, for instance in the distributed UDP flood (Section 9.2.8). Microsoft has implemented these functions to limit the ability for DoS applications to send spoofed packets [33]. 56 Test scenario Limited number of simultaneous incomplete outbound TCP connection attempts Windows XP SP2 will limit the number of simultaneous incomplete outbound TCP connections attempts. When this limit has been reached, the following TCP connections will be put in a queue and will be resolved in a fixed rate and an event (ID 4226) will appear in the system log [33]. What the actual limit is, is not defined in [33] but using a tool such as ”EvID4226Patch” it was found to be 10. By using this tool it is also possible to set a new limit of maximum 16777214 connections. The patch alters tcpip.sys which is located in the %windir%\system32\drivers directory. It is not possible to alter all versions of tcpip.sys. For instance it works fine on version 5.1.2600.2685 but it fails on version 5.1.2600.2180. According to the same source, this restriction has been implemented to limit the speed at which malicious programs (for instance viruses and worms) spread to other computers. These programs often use random addresses to find new infectable systems. This restriction may cause some security tools such as port scanners to run more slowly [33]. 9.1.2 Task manager only monitors own packets This is not really a problem but rather a weakness in Windows XP (and quite possibly other Windows versions as well). The task manager will only monitor outgoing network traffic when the source addresses (IP and MAC) of the sent packet matches the network interface card installed. Hence spoofed traffic sent by WinPcap will not be detected. This could be quite confusing for a network administrator if he only relies on the network monitor in Windows task manager (or other network monitoring tools for that matter) to monitor the data flow (though this is hopefully very unlikely). Traffic should be monitored from the switch by, for instance, PRTG. The traffic is fully visible in the network monitor at the victim so it seems that this issue only regard outgoing traffic. 9.1.3 Packet rate limit per process Running only one instance of the Zombie application in the test environment would not make use of all available bandwidth. A rate above approximately 4000 packets per second (per Zombie) was not possible in our tests. This phenomena occurred only in the test environment. When testing the Zombies on Windows XP SP2 (and SP1) hosts outside the test environment this behavior did not occur. Test scenario 57 To get around this issue, several Zombie instances have to be started on the same computer as seen in many of the conducted tests (described in Section 9.2). A simple batch file could be created to easily start several Zombies ”at once”. 9.1.4 Recommended test environment Windows XP SP2 is not the ideal OS to use as a test environment because of its many built-in protective mechanisms. It is quite possibly one of the worst. Linux would probably be best suited in most situations since it is free and has better configuration support. For instance it is possible to enable broadcast ping responses and set a port to blocking mode without commercial third party applications (problems that are described more in detail later). It would also be more convenient to run the Zombies on a Linux host since there would be no need of a WinPcap-like application to send raw sockets. But this is currently not possible since there is no Linux support for the implemented DoS application at the moment. At the moment Windows 2000 or Windows XP with SP1 is recommended as the platform for the Zombies. The Control Center will work just as fine on a Windows XP SP2 host since it does not require the use of raw sockets. To test some of the old attack such as WinNuke and possibly PoD2 and Teardrop, Windows 95 should also be installed on at least one computer. Another important thing is that under laboratory circumstances the test environment should be cut off from all other networks to avoid interferences and disturbances. It is possible to cause severe damage to other systems and networks if these are reachable from the test environment. Other reasons for having the test environment as a separate network is to avoid automatic updates and to allow for easier configuration. 9.1.5 Configuration Several third party applications were used when testing the DoS application. Some of them are required, some are optional. Ethereal Ethereal is an open source licensed protocol analyzer that was used to sniff packets in a network to see their contents. Ethereal is supported in both Windows and Linux, although the Windows version was mainly used. A utility like this was invaluable in the creation of the DoS application and also to see how different packets are built. It was also used, together with the Windows task manager, to see if a flood actually reached the victim computer. 58 Firewalls PRTG VMware WinPcap Task Manager Tcpdump Test scenario Several firewalls were tried to see if it was possible to set a port to block mode. The firewalls used were Zone Alarm 4.5 Pro, Sygate personal firewall 5.5 pro and Tiny Personal firewall. Zone Alarm was the only one capable of doing this. They are all available for trial use. PRTG is a Windows software (based on MRTG) that can monitor bandwidth, memory and CPU usage via SNMP. This was the application used to gather data from the switch in the test environment. It is available in different editions. During our tests, a trial version of the commercial edition (version 4) was used. The trial version supported up to 50 sensors that could be used to monitor the switch. Prior to PRTG, MRTG was tried but it could not update the graphs as fast as PRTG and it is not as easy to configure. VMware workstation was used to run multiple virtual x86 computers simultaneously. This was very useful when several different operating systems were to be tested. There were, for instance, no need for rebooting when switching between operating systems. VMware workstation is also a safe and convenient way to install and test different operating systems. The system that is running VMware is called a host OS and a system that is used in a virtual computer within VMware is called a guest OS. A trial version of the VMware workstation 5 is available for download. WinPcap 3.1 beta 4 is a required tool that has to be installed on every Windows computer that will host a Zombie in the test environment. Its purpose have been described earlier in Section 8.3.6. The Windows task manager was frequently used to monitor incoming traffic at the victim. It is not a good tool for checking outgoing traffic as described in Section 9.1.2. Tcpdump is another open source licensed packet sniffer that was used in Linux. It detected some errors that Ethereal was unable to detect (see Section 9.2.12 for more details). The only required application of those listed above is WinPcap (and of course the Zombie and Control Center application). Ethereal is highly recommended and PRTG is recommended to overview broadcast attacks. VMware workstation is a nice application to use if an attack should be conducted Test scenario 59 against several operating systems. VMware workstation can then be used at the victim to avoid time consuming reboots when switching operating system as well as safe installation and maintenance. 9.2 The tests 9.2.1 Smurf When first testing this attack a few errors were found in the code and several obstacles were encountered. The first test run was started using attack type smurf destip 130.235.5.255 srcip 130.235.5.174 zombieid 0 but to our surprise there was only one unit replying to the ICMP Echo Request. Using the normal ping utility in Windows resulted in many more replies than this so something was obviously wrong. By examining the packets sent in Ethereal, a conclusion was made that the length of the Echo Request packet was too small. After a couple of new unsuccessful test runs even more errors in the packet were detected. The IP checksum was not correct, an Ethernet II checksum was used even though it was not needed and the IP identification and ICMP sequence number was not updated. After fixing these errors, replies were fetched from 6 computers, but only 3 of them replied continuously to each request. Discussions led to the conclusion that the switch examines the incoming spoofed packets and thinks that the victim’s MAC address had been moved to the port of the sender in the switch. Therefore a reply was returned on the same port as the request was sent from. This resulted in a vast majority of replies returned to the sender even though the address was spoofed. The expected victim did not get nearly as many results. The solution to this problem was to use a non valid MAC address in the source field. The following command triggered a working Smurf attack in the switched environment: attack type smurf destip <BroadcastAddress> srcip <VictimAddress> srcmac <NonValidSourceAddress> The attack was later optimized even more, i.e. the checksum was no longer calculated for each packet but instead only the affected parts of the checksum were updated. It was once again tested in the test environment (this test was conducted approximately 3 weeks after the last test) but this time with a completely different outcome. If the source (victim) MAC address was set to a non existing one, no packets would reach the victim. The results shown in the first couple of tests could not be reproduced. Instead, the source MAC 60 Test scenario Figure 9.1: An extract of packets that reached the victim an early Smurf attack address had to be that of the correct MAC of the victim. There were now 16 units replying to the broadcast ping request. Using 1 Zombie and a data size of 1408 bytes, the result shown in Figure 9.1 appeared in Ethereal. That was exactly what was expected. 16 units responded to the broadcast ping requests sent by the Zombie. But the network utilization of approximately 30% was not enough for a DoS attack though. The same attack was then executed with 2 Zombies on 2 computers. This was enough to cause a DoS attack and the CPU utilization rose to 98%. Even though the victim was flooded enough to be denied of service, it is uncertain whether one really can consider this a successful smurf attack or not. Sure enough, the malicious packets from the Zombies were sent to the broadcast address and that was what made the victim DoS:ed. But it was not the responding units that caused the DoS attack, rather it was the requests generated by the Zombies as seen in Figure 9.2. The majority of the responding units were not fast enough to reply to this massive amount of request packets. This explained the irregularities among the request and reply packets in Figure 9.2. Another thing was that all computers in the subnet were exposed to the request flood by the two Zombies. That in it self is not wrong but they received too many requests in a too short period of time, which should be unnecessary. The intension of the attack is to send a small number of requests and have the amount of packets multiplied by repliers. The second Zombie could might as well have been used to flood the victim directly in- Test scenario Figure 9.2: When using two Zombies in the smurf attack, more request packets were generated 61 62 Test scenario stead of taking the detour via broadcast address. This would have spared a lot of bandwidth consumption for the units not responding to broadcast ping requests such as computers running Microsoft Windows. Figure 9.3 illustrates that a lot of traffic is sent to Windows hosts and nothing is returned. Figure 9.3: The smurf attack demonstrated high throughput to all Windows hosts but nothing was returned The attack was also tested with packets using the default data size of 64 bytes. When using only one Zombie the network utilzation at the victim went up to 20% but after a couple of seconds it went down to 7%. The unit responses that still got through are shown in Figure 9.4. This was interesting because when flooding with a large data size of 1408 bytes, the network utilization was on a quite stable level of about 30% all the time, with 17 units responding. The reason seemed to be that Windows XP has a built in flood protection. When the packet rate exceeds a certain threshold it seems like Windows blocks some of the packets. In other words Windows XP does not seem to care about the amount of bandwidth actually getting through but rather it only cares about the packet rate. This is illustrated in Figure 9.5. The attack was stopped for a short period of time, which can be seen in the small area of Figure 9.5 where the network utilzation is at 0%. The attack Test scenario 63 was then started again but this time with a data size of 1408 bytes. The figure shows that the network utilization fluctuated a whole lot upon starting the attack again, all the way from 9 to 43% before temporary stabilizing at 9%. The reason for this was thought to be that Windows was still blocking labcam.it.lth.se rex-7.it.lth.se bast.it.lth.se ExLaser.it.lth.se dplaser.it.lth.se Figure 9.4: The responding units packets but since the packet rate dropped with the larger data size it allowed more packets to get through. Finally after a few seconds the blocking mech- Figure 9.5: Different data sizes caused different behaviors in Windows. anism switched off and all the large packets went through again, causing the network utilziation to raise close to 30% again. The Zombies sent packets in the rate of approximately 3900 packets per second with the default data size of 64 bytes. When using a large data size of 1408 bytes, the rate was just 170 64 Test scenario packets per second. Note that it did not matter if the firewall was turned on or off, the same result occurred. Another thing worth mentioning is that a normal ping request was sent to the broadcast address to see if there were equally many units responding as when using the Zombie application. This was not the case. There were actually one unit less responding to the normal ping than to the Zombies ping request. The reason for this was because the normal ping request was issued after the last test suite was completed. One of the units, duolaser.it.lth.se, did no longer respond. It is possible that this unit went down during the attack. Conclusion Since Microsoft has chosen to silently discard broadcast ping requests in accordance with [40] the result of the smurf attack in the test environment is somewhat dubious. The replies were mainly from network units such as printers, cameras and other embedded systems which were not fast enough to generate the amount of bandwidth necessary to cause a denial of service by themselves. It is nothing wrong with the implemented attack, but the responding units need to be faster. It was shown that by using two Zombies to flood the broadcast address, the victim was indeed denied of service, but not in the manner it really should in an optimal smurf attack. The attack may still very well be used as proof of concept. To initialize a working attack one can use the following command: attack type smurf destip <BroadcastAddress> srcip <VictimAddress> datasize <largeDataSize> 9.2.2 Distributed ICMP Ping When this attack was first tested the setup consisted of 10 Zombies uniformly distributed on 10 computers. But each Zombie was only capable of sending data in the rate of approximately 1000 packets per second. The reason was due to the high CPU utilization needed to recalculate the packets each and every time a new packet was sent. The aggregated throughput was only about 9900 packets per second. This was only enough for a 12% network utilization at the victim. To speed up the execution, the generation of a packet was moved outside the sending loop in the Zombie attack and the same packet was sent over and over again. This payed off and the Zombies now produced about 40000 packets per second. Though moving the packet generation outside the loop results in a static ICMP identification. This was however solved by increasing the identification at the same time as decreasing the checksum for each packet Test scenario 65 sent. This was possible since the identification value is aligned at an even 16 bit offset and the checksum is equal to the bitwise inversed sum of the whole packet. In english this means that if a value in the ICMP packet is increased by one, the checksum is decreased by one, though compensations must be made when the 16 bit integer wraps around its maximum or minimum value. Using this approach saved a lot of CPU resources and generated a greater throughput but still not enough for a denial of service attack. The network utilization at the victim did increase significantly but still not more than to 33%. Figure 9.6: The CPU utilization at the victim reached to about 100% when receiving a large amount of packets per second which is not the primary intention of the ICMP Ping attack After a while it was noticed that when only using one Zombie per computer the CPU utilization was only about 66%. In other words, Windows would not let the Zombie application use all resources and thus the attack could not be used with full potential. The reason lies within the test environment and have been discussed earlier in section 9.1.3 on page 56. So instead of using just one Zombie, 6 Zombies were started on each computer and now the CPU usage went well up to 100% resulting in an aggregated throughput of about 53000 packets per second. Though the network utilization at the victim did not get any higher than 45% which was still not enough for a 66 Test scenario bandwidth consuming denial of service attack. An interesting observation was that the CPU utilization at the victim went up to about 100% when receiving a large amount of packets per second as seen in Figure 9.6. From the usage perspective this may be regarded as a denial of service attack since the user cannot operate the computer in a sufficient manner. But this was not the kind of denial of service attack the attack was intended for primarily. After thoroughly going through the Zombie application using the AutomatedQA AQtime 4.5 profiler it was noticed that the sendPacket() method used lots of CPU time. It contained time consuming memory copying from a vector to an array which were executed every time a packet was sent. By moving this outside the main flood loop the performance increased significantly. The .NET environment was also set to compile the application as a release version which was optimized for Pentium 4. After all these improvements our application was about 150% faster than the previous version. Still the network utilization did not reach beyond 65% when conducting a full scale flood. Since the amount of data in the packets used to flood the victim was of minimal size, experiments were conducted to see if the network utilization increased with the data size. As expected, a fewer amount of packets were sent but due to their size 1408 bytes, the bandwidth consumption at the victim increased well up to 99%. A denial of service state was finally reached due to bogus traffic with large packets. PRTG showed that about 97 Mbit of malicious data was sent towards the victim which can be seen in Figure 9.7. Figure 9.7: About 97 Mbit per second of bogus data was sent to the victim. Test scenario 67 Conclusion Before optimizing the application, the test environment used was not enough to flood a victim with bogus requests to cause a denial of service attack in the common sense. Though the CPU usage would raise close to 100% making the computer almost impossible to use, hence one could regard this as a denial of service from the usage perspective. This was due to the time the tcp stack takes to process a large amount of small packets. After optimizing the code and increasing the data size to 1408 bytes a denial of service state was reached. Only 2 computers running 6 Zombies each were needed. The reason for using big packets is that it takes longer time to create a huge amount of small packets than a smaller amount of big packets. Therefore it is easier to produce a high amount of data throughput using big packets. 9.2.3 LAND The LAND attack aims for victims running Windows XP SP2 and whose goal is to raise the CPU utilization to the maximum level due to a weakness in the system. On the 14th of May 2005 there was a mayor confusion when the implemented attack had gone from working perfectly to not working at all in what seemed to be a split second. The reason was that Microsoft had released a security update (hotfix) called KB893066 one day earlier. To make use of the attack this hotfix has to be removed from the victims system. To do this go to settings→control panel→ Add/Remove programs, check the ”Show updates” box and uninstall the Microsoft XP Hotfix KB893066. When this has been done, the attack is really easy to execute and it is a great attack in the terms of low bandwidth consumption. It is initialized by attack type land ip <victimip> interval <interval> port <open port> Note that it is crucial that the source IP address is the same as the destination IP address and the source port is the same as the destination port. This is easily done by using the ”ip” and ”port” command in the Control Center. When exposing a computer to the LAND attack the results depends on whether the victim have the Windows Firewall turned on or off. If the firewall is on, Windows XP SP2 will block it self from the network. This happens because the Windows Firewall recognizes that the computer is under attack and tries to block the IP sending the packets. But since the source IP is forged and set to the same IP as the victim, the firewall will block itself from the network thinking it have blocked the perpetrator. In other words, Windows has put itself in a denial of service position. The second alternative is when 68 Test scenario the Windows Firewall is disabled. This will raise the CPU utilization to 100% making the computer almost impossible to use. The really interesting part of the LAND attack is that only a few packets have to be sent to cause this effect. Other attacks requires thousands of packets per second whereas this attack may require as little as one packet every 5 seconds. In Figure 9.8 illustrates some different intervals used in the test and their results on the CPU utilization at the victim. In order to Figure 9.8: CPU utilizations with different intervals by the LAND attack guarantee 100% CPU utilization all of the time the interval must be pretty low, around 200 ms. But it can be increased significantly and still cause a pretty decent CPU utilization of 100% most of the time. Though the CPU utilization can fall for a short period of time before the next packet arrives if the intervall is too great. Conclusion The LAND attack is a very nice attack in the terms of low bandwidth consumption. Much can be done with only a few packets per second. The outcome depends whether the Windows Firewall is enabled or not. The drawback is that Microsoft recently released a patch for this vulnerability (Microsoft XP Hotfix KB893066) which has to be uninstalled. When that is done, the attack works great in the test environment. 9.2.4 Pepsi This attack is aimed against a switch by flooding its diagnostic port with valid SNMP requests. The goal is to have the switch (in our case 130.235.4.52 (stack-2)) max out its CPU resources so no ordinary packets can be processed and forwared. By using an application called snmpwalk it was possible to Test scenario 69 read all available MIBs in the switch. It was decided to query the switch for a string value hoping it would take longer time to process strings than integers. The following SNMP message was sent to the switch: Version: 1 Community: public PDU type: GET Request ID: 4a0f Object identifier: 1.3.6.1.2.1.2.2.1.2.198 (IF-MIB::ifDesc.198) In the first test flood, 60 Zombies uniformly distributed on 15 computers were used. The initiating was done by: attack type pepsi destip <switch ip> srcip <spoofed ip> An interesting thing about this was that there were actually two units being exposed to the attack. First there was the switch which was the main objective for the attack, and secondly there was also the host of 130.235.5.168 which would receive all the repsonses from the bogus SNMP requests sent by the Zombies. Using this many Zombies was more than enough to overload the Figure 9.9: A screenshot of Ethereal when capturing the SNMP traffic generated by the Zombie to and from the switch. switch with SNMP requests. Since the switch went down the Control Center lost contact with the Zombies since they were behind the same switch. And of course PRTG lost contact with the switch as well and could not gather data. This is the actual proof that the attack worked since this was exactly what was supposed to happen. The switch was down for almost 10 minutes after the attack was stopped but after that it seemed to work as it should once again. Using 15 computers with totally 60 Zombies for this attack was an overkill. The same attack was later conducted using only 4 computers with 4 Zombies each. The switch went down this time as well but came back only shortly after the attack was stopped (about 1 minute). But this was sufficient to show that only 4 computers are needed for the attack. 70 Test scenario Figure 9.10: PRTG lost contact with the switch due to all the bogus SNMP traffic. Test scenario 71 Conclusion The attack itself works very well in the test environment. The switch stops responding to ”real” SNMP requests and no other traffic gets through the switch. You cannot use the Internet from the computers that are connected to the switch for instance. There is one problem with this attack in the test environment though. That was because the switch that was exposed to the attack was connected to the Zombies conducting the attack. The contact with the Control Center was therefore lost. If possible it would be more convenient to attack a switch not essential for the connection between the Control Center and Zombies. 9.2.5 WinNuke This version of WinNuke will only work in Windows 95. To initialize the attack run: attack type winnuke destip <Win95 host ip> interval <interval> Note that it is not possible to spoof the source address since a TCP connection needs to be established in order to send an OOB packet. The attack worked as expected and the infamous bluescreen appeared. The Windows 95 system had to be rebooted in order to continue usage. It is recommended to use a high interval since there is usually no need of sending more than one OOB packet. Conclusion This version of WinNuke only works in Windows 95 and is very straight forward. In all of the tests conducted against a Windows 95 box, a Windows bluescreen appeared and the computer crashed. Trying to execute this attack on a computer running something other than Windows 95 as OS will not lead to anything noticeable. 9.2.6 Distributed Reflective ICMP Ping When first conducting the test, 2 Zombies and 2 computers were used as reflectors. A data size of 64 bytes were used but this proved to be insuffcient to cause a denial of service attack. The network utilization at the victim did not surpass 7% when sending packets this small. When changing the data size to a larger size of 1408 bytes, the throughput increased a lot but was still 72 Test scenario Figure 9.11: The infamous bluescreen after executing a WinNuke attack. not enough for a successful DoS attack. The network utilization at the victim now reached to 94%, but still no DoS. It was not until the test was conducted for the third time, now using 3 Zombies and 3 reflectors, that it was possible to fill up all available bandwidth and maximize the network utilization at the victim. Hence the attack was proved to be successful as a DoS attack. Figure 9.12 shows the incoming and outgoing bandwidth in the switch for the involved ports. Port 222 was the port for the victim, port 218 was the port for the intermediate host and port 223 was the port for one of the Zombies. Due to limitations of the test environment (described in Section 9.1.1 on page 53) a test using 4 Zombies on 2 computers with 2 reflectors were also conducted. This resulted in a greater total throughput than 3 Zombies on 3 computers with 3 reflectors but in spite of this, all traffic was not totally blocked to or from the victim. With the first alternative (3 Zombies on 3 computers with 3 reflectors) there were a total throughput of about 140 Mbit from the Zombies and the second one (4 Zombies on 2 computers with 2 reflectors) provided a total throughput of 190 Mbit. But the victim was still able to respond to small ping packets about 90% of the time and it was possible to browse small web pages such as www.google.com and www.wikipedia.com. Though more demanding pages such as www.idg.se failed to load. It seemed like the switch had easier to forward data if it is distributed on several ports than just a few, this might be the reason for this behavior but it has not been able to get confirmed and is therefore only a speculation. Test scenario 73 Figure 9.12: 3 Zombies and 3 reflectors with 1408 bytes of data was enough to cause a distributed reflective ICMP DoS attack Figure 9.13 shows an extract of a legitimate ping test, which shows that most packets get through even though the inbound network utilization was close to 100%. A final test was also conducted to see if it was possible to cause a total denial of service attack by still using only two computers but instead using 4 reflectors. The test was also conducted to see whether it was possible to camouflage the attack by distributing the data on more reflectors so that only a small amount of the available bandwidth were utilized per reflect. This test proved to be successful! Using 4 reflectors totally blocked the computer under attack and each reflector only used half of its available bandwidth as seen in Figure 9.14. The more reflectors and Zombies used, the harder it is to spot which computers are participating in the attack. Port 221 and 224 are Zombies, port 211 to 214 are intermediates (reflectors) and port 222 is the victim. To initialize a successfull attack the following command should be used: attack type icmpping zombieid <id> srcip <victim IP> destip <intermediate IP> datasize 1408 For an example refer to Figure 9.15. 74 Test scenario U:\>ping -t fox-24 Pinging fox-24.it.lth.se [130.235.5.174] with 32 bytes of data: Request timed out. Reply from 130.235.5.174: Reply from 130.235.5.174: Request timed out. Request timed out. Reply from 130.235.5.174: Reply from 130.235.5.174: Reply from 130.235.5.174: Request timed out. Reply from 130.235.5.174: Request timed out. Reply from 130.235.5.174: Request timed out. Reply from 130.235.5.174: Request timed out. Reply from 130.235.5.174: Request timed out. Request timed out. Reply from 130.235.5.174: Reply from 130.235.5.174: Reply from 130.235.5.174: Reply from 130.235.5.174: bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 time=1ms TTL=128 bytes=32 bytes=32 bytes=32 bytes=32 time=1ms time=1ms time=1ms time=1ms TTL=128 TTL=128 TTL=128 TTL=128 Ping statistics for 130.235.5.174: Packets: Sent = 22, Received = 13, Lost = 9 (40% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms Figure 9.13: A legitimate ping test shows that some packets get through even though the inbound network utilization is close to 100% Test scenario Figure 9.14: 2 computers each running 2 Zombies and 4 reflectors was enough to cause a total distributed reflective ICMP DoS attack 75 76 Test scenario Figure 9.15: An example of how to initialize a successfull distributed reflective ICMP attack Conclusion It was possible to conduct a successful distributed reflective ICMP ping attack in the test environment used. A minimum of 8 computers were needed. 2 computers were used as Zombies (but each computer had to run 2 Zombies), 4 computers as reflectors, one as Control Center and one as victim. Another alternative would be to have 3 computers each running one Zombie and use 3 reflectors instead (as in Figure 9.15). The data size should be set to 1470 bytes which is the maximum data size for an non fragmented ICMP packet in Ethernet II. 9.2.7 ICMP Ping Bounce The purpose of an ICMP ping bounce (or just ICMP bounce) attack is to overflow two hosts simultaneously with malicious data. The special thing about this attack is that the two victims should help to contribute to the overload by sending packets between themselves as well. The trick is to have two Zombies, one flooding the first victim with the source IP address set to the IP address of the second victim and vice versa. For instance this will trigger a working ICMP ping bounce attack: attack type icmpping zombieid <id0> destip <victim IP0> datasize attack type icmpping zombieid <id1> destip <victim IP1> datasize srcip <victim IP1> 1408 srcip <victim IP0> 1408 The attack worked perfectly the first time it was launched using 1408 bytes as data size. 2 Zombies flooding and 2 victims flooding between themselves was enough for a DoS attack as expected. As seen in Figure 9.16 the two Test scenario 77 victims sent data between themselves in half the rate of the received data from the Zombies. Figure 9.16: 2 Zombies flooding and 2 victims flooding between themselves was enough for an ICMP Bounce DoS attack. Conclusion The attack worked as expected and since the two victims also flooded each other, not as many Zombies were needed. It would have been nice to be able to limit the packet rate since then it would have been possible to determine how many packets each Zombie needed to send to cause a DoS attack. But despite this the attack was very well suited in the test environment. 9.2.8 Distributed UDP Flood The attack was first initialized using: attack type udpflood srcip 10.0.0.1 destip 130.235.5.174 datasize 1408 where the srcip was a spoofed address. Two Zombies were used on two computers. When the attack was started, contact was lost to both Zombies after just a few seconds. This appeared to be quite strange at first so a second test was conducted in an environment not running Windows XP SP2. Here 78 Test scenario the attack worked flawlessly and no problems were encountered. The problem was that the source IP of ”10.0.0.1” resolved to MAC address 0. The switch in the test environment was configured to drop packets such as these since the source MAC should not exist in the network. If a spoofed packet is sent, the real address is blocked for a certain amount of time (as described in Section 9.1.1) and therefor the connections to the Zombies were lost. After initializing the attack as attack type udpflood srcip 130.235.5.160 destip 130.235.5.174 datasize 1408 now using a source IP and MAC inside the same network as the Zombie, the attack worked without any problems in the test environment as well. Using only two Zombies on two computers was not enough for a denial of service attack though. Only about 94% of the bandwidth was consumed at the victim (94 Mbit malicious data was sent from the switch to the victim). Using 3 Zombies on 3 computers, each one sending about 4000 packets per second, resulted in denial of service. The victim only received about 8500 packets per second, the rest of the packets were dropped by the switch due to insufficient bandwidth as seen in Figure 9.17. Port 221, 223, 224 are the Zombies and port 222 is the port of the victim. Figure 9.17: PRTG screenshot where 3 Zombies flooding with 4000 pps each, causing denial of service. Test scenario 79 The attack was later tested to see if only using two computers were necessary for a successful attack when running two Zombies on each one. This proved to be successful and another denial of service attack was witnessed. The results can be seen in Figure 9.18. Port 221 and 224 are the computers each running two Zombies and port 222 is the victim. When looking at the figure more closely one can notice that the victim is not really overloaded with malicious requests. The victim still have a small amount of bandwidth left to responde to a small percentage of the incoming requests. But this did not really matter in this case since it only contributed the achievement of the DoS attack. Figure 9.18: PRTG screenshot where 4 Zombies flooding on two computers with about 4000 pps per Zombie, causing denial of service. Conclusion It was possible to achieve a denial of service attack using 3 computers running one Zombie each or using 4 Zombies on two computers. Though one had to be certain to use a source MAC of the same network as the Zombies when running in the test environment. This should not be of any concern if the attack is performed in a network without MAC filtering on the switch. In the test environment used in this test, the following initialization command triggers a working attack: attack type udpflood srcip 130.235.5.160 80 Test scenario destip 130.235.5.174 datasize 1408 9.2.9 Fraggle Since neither Windows nor Linux replies to UDP echo requests by default, there were small hopes of actually witnessing a denial of service attack when running this attack. To see that the implementation was correct, Fedora Core 3 (Linux) was installed in VMware 4.5 and it was configured to answer on UDP echo requests by issuing the following command: chkconfig echo-udp on as root. A test was then conducted by sending UDP echo request packets with spoofed source addresses to the broadcast address. The specially configured Linux host replied to the request, not just once, but to our surprise twice. The suspicions were directed against VMware 4.5 and when sending a normal ping request to another VMware guest OS the result seen in Figure 9.19 appeared. This showed that there were 4 replies for each request, 3 of these ping -i 10 cyan PING cyan.net (192.168.15.43) 56(84) bytes of data. 64 bytes from cyan.net (192.168.15.43): icmp_seq=0 ttl=128 64 bytes from cyan.net (192.168.15.43): icmp_seq=0 ttl=128 64 bytes from cyan.net (192.168.15.43): icmp_seq=0 ttl=128 64 bytes from cyan.net (192.168.15.43): icmp_seq=0 ttl=128 time=3.92 time=4.09 time=4.09 time=4.09 ms ms (DUP!) ms (DUP!) ms (DUP!) Figure 9.19: An extract of ping replies between two VMware 4.5 hosts were dupes. To see why, Ethereal was used to sniff packets at the receiving host (cyan.net). Ethereal showed that it received two requests even though only one was actually sent. An extract can be seen in Figure 9.20. It first Figure 9.20: Ethereal saw a multiplication of requests which explains the extra reply packet looked as VMware somehow duplicated directed packets that were sent within VMware since the host receiving the ping requests saw two requests instead of one. Therefore it responded with two ping replies. These replies would also be duplicated and resulted in the 4 replies seen in Figure 9.19. But pinging a VMware guest from another computer resulted in no multiplication of packets. Test scenario 81 So this did not explain why there were 2 replies for each ICMP ping request packet that was sent to the broadcast address. The reason seemed to be that the attack was tested between two VMware guest systems on the same host which had two enabled network devices. This caused the duplication of packets. This problem only occurred with this configuration. The attack was also tested in the test environment. As expected, there were no hosts listening on the UDP Echo port and thus a DoS attack could not be produced. Conclusion The attack did not work in the test environment since there were no hosts that replied to the UDP echo port. It may be possible to activate this port and reply to UDP echo requests in Windows by using a special service or daemon (as it is in Linux) but this has not been looked into further. The implementation of the attack was correct which was proven in Linux. Though there were some problems with the test due to multiple network devices in VMware 4.5 which resulted in more replies than what is usually expected. This should however not be of a big concern since this behavior should not be common. The ping issue was successfully tested in VMware 5.0 on a system with two network devices (but only one was physically connected to a network) without multiplication of packets which proves that the attack works as expected. 9.2.10 TCP/SYN Flood This attack has several limitations when being used in the current test environment. When this test was first executed it was initialized without specifying an open TCP port at the victim end when the Zombie was running on Windows XP SP2. This will not work, the specified port must be open. Secondly, it was not possible to spoof a source MAC address outside the test environment. It does not matter if the source IP address of a packet is set to a non existing IP address inside the test environment, since the source MAC address has to be valid. The victim will therefore always have a valid source address to reply to. This means that if a Zombie floods a victim with TCP/SYN request packets, the victim will respond to a valid source address with a SYN+ACK respond packet. The source host will in its turn respond to the victim with an RST (reset connection) packet since it have not actually requested a connection. Because of this, the connection will close and therefore there will be no half open TCP connections which is essential for this kind of attack. In other words is it impossible to successfully execute a TCP/SYN denial of service attack in the test environment. Windows XP SP2 also have 82 Test scenario Figure 9.21: A screenshot from TcpView by SysInternals. All ”SYN RCVD” states are half open TCP connections. Test scenario 83 a limitation of how many incomplete outbound TCP connections that can exist simultaneously (Section 9.1.1 on page 56). This is also a reason why it is virtually impossible (without a third party patch) to conduct a TCP/SYN flood from a Windows XP SP2 host. The attack can however be demonstrated by running the Zombie on a Windows XP computer with SP1 or lower or also Windows 2003 Server. It is almost certain that it can be conducted (using our application) from a Zombie running on other versions of Windows as well, like for instance Windows NT and Windows 2000 but this has not been tested. Using an XP SP1 host outside the test environment made it possible to spoof the source IP and MAC addresses and therefore the victim would not receive any RST packets that terminated the connection. The result - half open TCP connections that has to be taken care of by the operating systems TCP stack or a denial of service attack will be present. Windows 2000 and XP incorporate a form of adaptive encrypted token SYN spoofing immunity that automatically ”kicks in” when a Windows 2000 or XP machine is under a SYN spoofing attack [34]. Therefore the Windows XP SP2 victim the attack was directed against was immune to the TCP/SYN flood (i.e. no DoS) but a proof of concept is shown in Figure 9.21 and Figure 9.22. Figure 9.22: Approximately 3300 TCP/SYN packets per second was sent to the victim. To see that the attack actually do work, an attack was directed against 84 Test scenario a Linux host running Knoppix 3.8.2. The default settings for Linux is to have SYN Cookies (Section 5.1 on page 23) turned off. The attack proved to work as expected. There were 769 half open TCP connections and it was not possible to connect to the SSH server running on the Linux host nor was it possible to reach the web from the same machine. # netstat -ta|head -n2;netstat -ta|grep SYN_RECV Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address tcp 0 0 knoppix.it.lth.se:ssh fox-15.it.lth.se:31875 tcp 0 0 knoppix.it.lth.se:ssh fox-15.it.lth.se:32022 tcp 0 0 knoppix.it.lth.se:ssh fox-15.it.lth.se:31941 tcp 0 0 knoppix.it.lth.se:ssh fox-15.it.lth.se:31910 tcp 0 0 knoppix.it.lth.se:ssh fox-15.it.lth.se:32288 tcp 0 0 knoppix.it.lth.se:ssh fox-15.it.lth.se:32261 tcp 0 0 knoppix.it.lth.se:ssh fox-15.it.lth.se:32084 State SYN_RECV SYN_RECV SYN_RECV SYN_RECV SYN_RECV SYN_RECV SYN_RECV Figure 9.23: An extract of the netstat command in Knoppix while the host was under a TCP/SYN attack. When turning on SYN Cookies there were even more half open connections, more specifically 1024, but it was still possible to surf the web and connect to the SSH server. Conclusion The following command will initialize a working TCP/SYN attack for a Zombie outside the test environment (i.e. on a network that this is not dropping packets with a falsified MAC address): attack type tcpsyn srcip 130.235.5.190 srcmac aabbccddeeff destip 130.235.5.174 destport 135 The victim’s operating system will decide whether a DoS attack is possible or not. Flooding a Windows XP machine will not result in a DoS attack. Flooding a Linux host will result in a DoS attack if SYN Cookies are not used. The attack can always be used as a proof of concept if the Zombie is running on a Windows OS other than XP SP2. TcpView by SysInternals is a good utility for detecting half open TCP connections in Windows. 9.2.11 Distributed Reflective TCP/SYN Because of the limitations in the test environment, problems were expected when running this attack. To be sure that the attack actually did work and was properly implemented, it was first tested in another environment using Test scenario 85 a Linux host running Knoppix 3.8.2 as victim and another Linux host running Gentoo (2.4.24 kernel) as intermediate. The victim host was configured to block all incoming TCP traffic on a specific port. By doing so, no RST packet was sent back to the intermediate host. This is crucial in order to get the intermediate host to retransmit SYN+ACK packets. If an RST packet is received by the intermediate host it will stop sending SYN+ACK packets. If no RST packet or connection confirmation is received by the intermediate host, it will retransmit the SYN+ACK packet believing it was lost in transfer, thus multiplying the amount of data sent from the Zombie (see Section 3.1 on page 11). So when using Linux as the host OS of the victim, the intermediate host retransmitted the TCP/SYN packets 6 times for each SYN packet received from the Zombie. Figure 9.24: Packets captured in Ethereal during a distributed reflective TCP/SYN attack. SYN+ACK packets are sent 6 times for each SYN query. According to [2], a SYN+ACK packet should only be resent up till 3 times but this test showed twice that value. The difference depends on which operating system that is being used for the intermediate host. A test with Windows XP SP2 as the intermediate host and with a victim (Windows 2000 Pro running Zone Alarm 4.5, not a part of the test environment) configured to block connections showed that Windows only multiplies SYN+ACK packets three times. This agrees with what is being said in [2] if the author is referring to a Windows host. But as this experiment (using Linux as intermediate host) showed, different operating systems may resend SYN+ACK packets different amount of times. Trying to recreate this scenario in the Windows XP SP2 test environment proved to be very difficult. After having studied the Windows firewall it was concluded that it only supported two modes for each port, enabled and disabled. Configuring the port as disabled would return an RST packet to the sender which was undesirable. If it on the other hand was configured as enabled, it would reply with an ACK packet which was equally undesirable. So configuring Windows XP to block packets (i.e. just drop the incoming packets instead of sending a reply) without a third party software seems to 86 Test scenario be impossible. Several other firewalls were tested to see if they would provide what was needed. First off was Zoom Alarm 4.5. By using this application it was possible to block certain ports and it was also successfully tested on a Windows 2000 Pro host. But after having installed first Zone Alarm at the victim in the test environment, the machine would fail to boot. It stopped during the loading of Windows when login information was to be gathered from the domain. That same problem occurred with Sygate Personal Firewall Pro. So using either one of these two applications made it impossible to login to the domain in our test environment and therefore it was also not possible to conduct any tests. A third firewall was also tested, Tiny Personal Firewall. But it was an application specific firewall and could not deal with the more advanced features that was needed for this test. Despite all this the attack was tested in the test environment. During all tests, a total number of 28 Zombies were used on 7 computers and 7 computers were also used as intermediate hosts. The first time the test was executed it used destination port 999 which was closed on all the intermediate hosts. The result was that the victim was flooded with RST packets instead of the intended SYN+ACK packets. An interesting observation was that the intermediate host did not answer all SYN packets with an RST packet. Some packets were dropped and not replied to. The reason for this is most likely due to the Windows Firewall (which was not disabled on the intermediate hosts) or that SP2 was all stacked up with TCP connections so it was forced to drop some of them. The network utilization at the victim rarely surpassed 15% as illustrated in Figure 9.25 which was not enough for a DoS attack. The second test was directed against an open TCP port (135). Now the victim received the expected SYN+ACK packets but also several RST packets. The reason behind the RST packets was probably because the firewall rejects packets if the rate is too high. Worth mentioning is that the network utilization landed on a modest 13%. The mean CPU utilization seemed to increase a little bit though, but nowhere close to 100%. To initialize an attack like this can be quite complicated so Figure 9.26 illustrates an example of how it was done in the test environment. The source IP (”srcip”) is the IP to the victim and the destination IP (”destip”) is the IP to an intermediate host. Conclusion This attack never lead to a satisfying denial of service attack. The retransmission of SYN+ACK packets were not working in the test environment since it was not possible to configure the victim to block SYN+ACK packets. A Linux host as a victim would be recommended since it can be configured to Test scenario Figure 9.25: Packet rate for each computer in the setup when exposed to the attack. 87 88 attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack attack Test scenario type type type type type type type type type type type type type type type type type type type type type type type type type type type type tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn tcpsyn srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip srcip 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 130.235.5.174 port port port port port port port port port port port port port port port port port port port port port port port port port port port port 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 135 destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip destip 130.235.5.161 130.235.5.166 130.235.5.166 130.235.5.166 130.235.5.166 130.235.5.159 130.235.5.159 130.235.5.159 130.235.5.159 130.235.5.164 130.235.5.164 130.235.5.164 130.235.5.164 130.235.5.163 130.235.5.163 130.235.5.163 130.235.5.163 130.235.5.162 130.235.5.162 130.235.5.162 130.235.5.162 130.235.5.160 130.235.5.161 130.235.5.160 130.235.5.161 130.235.5.161 130.235.5.160 130.235.5.160 datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize datasize 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 1408 zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid zombieid 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 Figure 9.26: An example of how to initialize a distributed reflective TCP/SYN attack. block certain ports without third party software. Having a computer running Linux as the victim, the attack does not require more than 3 computers (one as victim, one as intermediate (reflector) and one for the Zombie and Control Center combined) to prove its concept. A high interval can be used during initialization in the Control Center so that one can use Ethereal to sniff packets to see the packet multiplication process. It is most likely possible to conduct the attack on a Windows XP host as well to prove the concept of the attack. But then a third party firewall or similar must be used in order to configure a port to block packets (no RST reply). Due to insufficient access rights this could not be tested properly. One thing to notice is that it is of no use trying to change the data size in the packets from the Control Center. This is of course due to the fact that it is the intermediate hosts that sends packets to the victim and these packets are ”independent” of what is being initialized in the Control Center. 9.2.12 PoD2 Testing this attack proved to be very troublesome. The attack was first conducted from a Windows 2000 Professional host OS against a Windows 95 (4.00.950) guest OS running in VMware 5.0. Everything seemed ok when sniffing the packets in Ethereal in Windows 2000 Professional but the ex- Test scenario 89 pected outcome, a Windows 95 bluescreen, did not appear. The first thought was that VMware had a built in protection for this attack. Lots of effort was put into figuring out whether this was the case or not. Many packet sniffers were installed to see if VMware just blocked the incoming packets. But none of the installed sniffers worked in Windows 95. Today, 10 years after the release of the first Windows 95 version, it is difficult to find any compatible software or drivers for this OS. Finally, the hypothesis was rejected after testing the application on a Windows 2000 Server host also running in VMware with Sygate Personal Firewall Pro 5.5 which detected a Ping of Death attack as seen in Figure 9.27. This proved that VMware did not filter the malicious Figure 9.27: The Sygate firewall detected a Ping of Death attack packets before forwarding them to the guest OS. The next thing tried was to install Windows NT 3.51 in VMware after having read that this system was also affected by the PoD bug. But this failed due to problems with the installation process. First, the Windows NT 3.51 installation CD was booted from a Windows 95 boot loader that for some reason created a ramdisk as drive A: (see Figure 9.28). This created problems later during the installation when the installer wanted to write three floppies which had to be inserted into drive A:. This failed because of the ramdisk. There were never a choice to insert the disks into another drive so the installation could not continue. Secondly Windows NT 3.51 was tried to be installed by upgrading from a running version of Windows 95 (not running in VMware) to see if the installation worked better than before. This did not work at all, it was not possible to upgrade a Windows 95 host to a Windows 3.51 host from setup files. Later the three disks needed by the installation program was found on the installation CD and after creating these disks it was possible to boot directly from them instead of the Windows 95A boot loader. Hence no ramdisk was created and it was possible to use drive A:. But this did not help too much. After a short period of time the installer wanted the installation CD in drive D:. But the installation did not detect a CD in the drive even though it was properly inserted. For the moment no resolution to the problem has been 90 Test scenario Figure 9.28: The ramdisk created by the Windows 95A boot loader that occupied drive A: found. Another reason for upgrading to Windows NT 3.51 in the first place was because Windows 95 did not support the Realtek 8139 network device that was mounted in the computer from scratch. The hopes were that Windows NT 3.51 would support the device but when the installation failed a thoroughly search for drivers supporting the network device in Windows 95 were conducted. Finding drivers to such an old operating system as Windows 95 proved difficult. Ater a while, drivers were found for the Realtek 8139 network device that should work in Windows 95 according to the description. But the size of the driver were of such size that there were not enough 1.44 Mb floppies to copy the driver to the Windows 95 computer. A CD could not be used at the particular moment since the CD burner was currently not installed in the computer having the files. The easiest way to transfer the files was to boot Knoppix 3.8.2 from the CD on the same computer as the one running Windows 95. Knoppix found the network device without any problems and from here the drivers were downloaded and copied into the Windows 95 partition. Though it was still not possible to install the network device using these drivers. After several attempts with different device drivers the network device was exchanged for a 3Com 3C900. But the same difficulties of finding drivers arose with this device as well. A third attempt was made with a 3Com 3C905B but still no luck. Finally, a really old ISA card, Realtek 8019, was mounted in the computer. Initially this led to even more problems since it was not compatible with the built in SCSI card so the hard drive running Windows 95 could not be used. But after having mounted an IDE hard drive and installed Windows 95 on this drive, it was able to boot once again. Now Windows 95 finally found the card and was able to use it without any additional device drivers. Test scenario 91 Even though this much effort was put into having a real Windows 95 host running with network support, the PoD attack still did not work. According to [35], a Windows 95 host may crash itself if running the normal ping utility with a too large packet size, say 65510 bytes. Though the packet size must be greater than 65507 bytes for a PoD attack to work. So for instance ping -l 65510 <ip> may crash the Windows 95 computer when transmitted, but it did not have this effect on the version that was just installed. But according to the same site, it was also quite common that nothing happened to the host being exposed to the attack. What caused these different behaviors for different people never emerged. Another attempt to test the attack was made. This time Red Hat 5.2 within VMware 4.5.2 was tried to be installed but the installation process was disrupted because of an ”incorrect architecture” error and had to be abandoned. Finally Debian 2.1 was installed within the same VMware and the kernel was replaced from the enclosed 2.0.38 kernel to version 2.0.23 which should be vulnerable to the PoD attack. But the Zombie application failed to crash this OS as well. But now it was possible to crash the Linux system from Windows 95 using the ”ping -l 65510” command from the command prompt. Finally it was proved that there was something wrong with the implementation of the PoD attack in the Zombie. After hours of debugging the error was finally found and corrected. The problem was that the packet length was 8 bytes too long since the UDP header length was added to the length of the packet despite that a header was never included in the fragment. This was really difficult to spot since Ethereal, which was the program used to capture packets, reported no errors. It was not until the packets were captured on the Linux host using tcpdump icmp that it was possible to see that it was actually a programming fault and not because the system was invulnerable to the attack. The error response from tcpdump was quite difficult to interpret since it said that the IP was truncated. An extract of the error messages can be seen in Figure 9.29. When the length problem was corrected the attack worked just as well as when sending the malformed ping packet from the Windows host using the normal ping utility. Note that it is not possible to send packets of a greater size than 65500 bytes with the ping utility in most modern operating systems and therefore it cannot be used to recreate this attack in those systems. Anyway, the Linux system crashed and VMware displayed the error seen in Figure 9.30 but this error message may differ depending on the size of the packet. The attack did 92 Test scenario 11:15:40.662341 11:15:40.662341 11:15:40.662341 11:15:40.662341 11:15:40.662341 11:15:40.662341 mog.homenet > umaro.homenet: icmp: echo request (frag 21887:1480@0+) mog.homenet > umaro.homenet: icmp: echo request (frag 21887:1480@0+) truncated-ip - 8 bytes missing!mog.homenet > umaro.homenet: (frag 21887:1488@1480+) truncated-ip - 8 bytes missing!mog.homenet > umaro.homenet: (frag 21887:1488@1480+) truncated-ip - 8 bytes missing!mog.homenet > umaro.homenet: (frag 21887:1488@1480+) truncated-ip - 8 bytes missing!mog.homenet > umaro.homenet: (frag 21887:1488@1480+) Figure 9.29: In discordance with Ethereal, Tcpdump found that 8 bytes were missing in the packet *** Virtual machine kernel stack fault (hardware reset) *** The virtual machine just suffered a stack fault in kernel mode. On a real computer, this would amount to a reset of the processor. It can be caused by an incorrect configuration of the virtual machine, a bug in the operating system, or a problem in the VMware Workstation software. Press OK to reboot virtual machine or Cancel to shut it down. Figure 9.30: The error message displayed in VMware 4.5.2 after the PoD attack was executed with a packet size of 65525 bytes however not work against the Windows 95 version that was installed, even though it was supposed to be the first version of this OS with no patches. The reason why it did not work could not be found. Conclusion It was a great difficulty to successfully test this attack. Since the Sygate Personal Firewall Pro 5.5 logged that a Ping of Death attack was detected when executing the attack against a Windows 2000 server host, it was first believed that the attack did work as expected i.e. no implementation fault. But even though the error was finally found and corrected, it was not possible to see any artifacts in Windows 95. It is nothing wrong with the Zombie application, rather it is the outcome of the attack that can be so versatile that it is difficult to actually spot the attack. Our assumption of a bluescreen or reboot in Windows 95 was not noticeable, nothing seemed to happen at all. But according to [35] this does not mean that something has to be wrong. An explanation to why only some Windows 95 hosts are affected have not been found. It was however possible to successfully test this attack against an old Linux host, which crashed upon receiving the malformed packets. The attack did not work in the test environment. Test scenario 93 9.2.13 Teardrop Because of the difficulties in testing the PoD attack, not as much effort was put into testing this attack. The Teardrop attack (also known as the UDP Fragment Flood attack) is also a very old and well known attack that is intended for older systems such as Windows 95 or Linux prior to 2.0.32 and would therefore not work in this test environment [36]. The attack may of course be used as a normal bandwidth consuming denial of service attack but there are other attacks, such as the distributed UDP Flood, that does this better. When initializing the attack with one Zombie using an interval of 3000 ms the information in Figure 9.31 was extracted from Ethereal. Figure 9.31: Ethereal was used to see that the packets received were really fragmented During this attack it was noticed that the CPU utilization at the victim increased to about 20% every time the victim received a packet. Therefore a new attack was executed using 8 Zombies on 4 computers to see whether the CPU utilization could be increased close to 100% and in that case to see if it was because of the fragmented packets or not. With the interval option removed, thus flooding in the maximum speed with an aggregated packet rate of about 33000 packets per second, the CPU utilization went up to 25% with a bit of fluctuation. In other words, the increase in CPU utilization was not proportional with the increase of packet rate. The network utilzation was about 15%. To see whether the CPU utilization depended on this attack specifically, which was not very likely after the last test, a distributed UDP Flood with the default data size of 64 bytes was conducted with equally many Zombies on equally many computers. As expected, the CPU utilzation at the victim increased a lot upon receiving the packets, even more than the UDP fragment flood. The fluctuation was greater, now varying between 66% and 79%. The network utilization was much greater than the UDP fragment 94 Test scenario Figure 9.32: A comparison between the CPU and network utilization of the Teardrop flood (the two topmost figures) and distributed UDP Flood (the two bottom most figures) flood, about 63%. The aggregated packet rate of the distributed UDP flood was about 32000 packets per second. A summary can be found in Figure 9.32. The test was also conducted against a Windows 95 host, both under VMware 4.5 and as a standalone installation but without any noticable artifacts occuring. Conclusion The Teardrop attack does not work in the way it is supposed to in the test environment running Windows XP SP2. This attack aims for much older systems such as Windows 95 or old versions of Linux and is not suitable in the test environment used. The attack can never the less be initialized by the following command: attack type teardrop destip <dest IP> Test scenario 95 srcip <source IP> datasize <dataSize> 9.2.14 Overall conclusion Windows XP SP2 is not the best test environment imaginable for testing DoS attacks due to its built-in protective mechanisms. But as seen above it was still possible to conduct several successful attacks to and from a Windows XP SP2 host. In a real situation, it is recommended to at least use a version of Windows 2000 and/or possibly even Linux if the DoS application is further developed. Since a part of the thesis was to examine the possibility of using Windows XP SP2 as the foundation for a DoS attack (as this was the OS present in the test environment), the focus has mainly been on this OS. And indeed Windows XP SP2 was proven to work with some exceptions. One problem was the packet rate limit per Zombie process and the failure of fetching ARP replies. This was resolved by starting several Zombies on the same computer and having them communicate with IPC. Another problem was that it was not possible to spoof the source MAC of a packet in the test environment because the switch drops packets with unaccepted source MACs. To see that the old attacks (such as WinNuke or PoD2) are working, older operating systems or a Firewall capable of detecting these attack must be installed. A good way would be to install Microsoft Virtual PC (not tested) or VMware and use Windows 95 or an old Linux version as a guest OS in those programs, just as in some of the test cases above. It is possible to install a trial version of VMware that can be used for evaluation. The outcome of some attacks were better than others. It were, in most cases, easier to conduct bandwidth consuming DoS attacks such as ICMP ping than attacks that used exploits such as PoD2. The reason is of course that bandwidth consuming DoS attacks are independent of the victim’s OS whereas exploit attacks often require a certain OS or that a particular hotfix is not present. In some of the test cases above, comparisons of outcome between large and small data size were examined. A data size of 1408 bytes were frequently used to test an attack with a large data size. The maximum value for the data size in the application is 1470 bytes though. The reason for choosing 1408 bytes were that this was the the maximum size for a previous version of the Zombie that had not yet been optimized. If a packet size exceeds 1500 bytes, which is the Ethernet II limit, the computer will crash upon sending the packet. 1408 bytes proved to be a safe value when testing the attacks. It was later calculated that the maximum data size was 1470 bytes. This value is calculated from the maximum Ethernet II packet size − IP header size − TCP header size = 1500−20−10 bytes = 1470 bytes. The IP and TCP header sizes are the largest combination of header sizes that our DoS application will use. 96 Test scenario It would be physically possible to, for instance, conduct an ICMP ping attack with a larger data size than 1470 bytes (without fragmentation), but it would have taken too much time to implement an attack/packet specific data size limit. 1470 bytes is therefore used as the limit for all attacks where applicable. Even though some the attacks were tested with a data size of 1408 and not 1470 bytes, it was enough to prove the concept of behavior when comparing small packet sized attacks (with 64 bytes of data) to large ones. Overall, the outcome was good. The only attack, namely the old Teardrop, did not work. It should be possible to use this DoS application in a laboratory experiment for some of the attacks. But since some of the attacks requires several computers it may be difficult to gather as many computers needed for a big laboratory group. Chapter 10 Discussion Overall the project has been a success. It was proven that it is possible to use Windows XP SP2 in a test environment (even though it is not recommended). A DoS application capable of conducting several different kinds of attacks, both distributed and distributed reflective, was implemented and the attacks were thoroughly tested. Generally speaking it is easier to implement bandwidth consuming attacks than system resource consuming attacks. This is because system resource attacks make use of exploits in an OS and therefore the perpetrator needs greater knowledge about the system. On the other hand the perpetrator must use several hacked zombie machines to successfully conduct an bandwidth attack, whereas a system resource attack often work with only one. The DoS attack application was specifically developed to suit a test environment. It is for instance impossible to flood a host that is located outside the the boundaries of the local network if no special argument is passed to the Zombie at startup (an exception is if a packet is manually forged to reach the gateway). Another thing is that the chosen multicast address of 224.0.0.1 only broadcasts to devices in the local network. If needed, it is possible to specify the IP address to the Control Center when starting up a Zombie together with the ”-n” (no test environment mode) switch so that victims, Zombies, and Control Center’s can be in separate networks. Though this mode should be used with extreme caution since it may (if used irresponsibly or maliciously) cause severe damage to foreign hosts. It would have been much easier to use a completely stand alone test environment that was not a part of a domain that automatically updates hotfixes and patches. For a laboratory experiment it is highly recommended to use a stand alone test environment partly because of the hotfix update ”problem” and partly so that it will be physically impossible to disturb other networks. As always there are room for improvements in several areas. For instance UDP communication could have been used between the Control Center and 97 98 Discussion the Zombies. Partly to save some bandwidth (though it would hardly make any noticeable significance since the data flow between them are quite limited) and partly so that the Zombies will not be terminated due to a lost communication link when network is overloaded. Another thing to improve would be the processes of choosing a network device at the Zombie. If the Zombie should use a different network device than the default device (which is the second device that WinPcap discovers, the first is a generic device), this have to be specified by the ”-d” switch and then manually chosen from a list that appears on the screen. This would be a disaster if one has to do this for each Zombie on every host. It would have been much better to pass the network device as an argument to the Zombie at startup. There are of course many more improvements that could have been made. A Linux port would be very desirable for example. The application is written in such a way though that it should not be too difficult to do exactly that. Chapter 11 Abbreviations AH API ARP BGP BSD CD CLI CPU CRC DNS ESP FIB FTP ICMP IDS IKE IP ISA ISP IRC IRQ MAC MSS MTU OOB PoD RAM RPC RPF Authentication Header Application Programming Interface Address Resolution Procotol Border Gateway Protocol Berkeley Software Distribution Compact Disc Command Line Interface Central Processing Unit Cycle Redundancy Check Domain Name System Encapsulating Security Payload Forwarding Information Base File Transfer Protocol Internet Control Message Protocol Intrusion Detection System Internet Key Exchange Internet Protocol Industry Standard Architecture Internet Service Provider Internet Relay Chat Interrupt Request Medium Access Control Maximum Segment Size Maximum Transmission Unit Out Of Band Ping of Death Random Access Memory Remote Procedure Call Reverse Path Forwarding 99 100 RST SA SAD SCSI SMTP SNMP SP SPI STL SSH TCP UDP Abbreviations Reset Security Association Security Association Database Small Computer System Interface Simple Mail Transfer Protocol Simple Network Management Protocol Service Pack Security Parameter Index Standard Template Library Secure Shell Transmission Control Protocol User Datagram Protocol Bibliography [1] Fred Halsall, Data Communications, Computer Networks and Open Systems (Fourth Edition) (1995). [2] Distributed Reflection Denial http://www.grc.com/dos/drdos.htm (Feb 2002). of Service, [3] Why Windows XP will be the Denial of Service Exploitation Tool of Choice for Internet Hackers Everywhere, http://www.grc.com/dos/winxp.htm (Oct 2003). [4] Denial-of-service attack, http://en.wikipedia.org/wiki/Ddos (Jan 2005). [5] Manpage to Linux IPv4 RAW http://www.rt.com/man/raw.4.html (Oct 1998). sockets, [6] Manpage to crypt, http://www.rt.com/man/crypt.3.html (Sep 1994). [7] Trends in Denial of Service Attack Technology, http://www.cert.org/archive/pdf/DoS_trends.pdf (Okt 2001). [8] Dissecting Steve Gibson http://grcsucks.com/grcdos.htm GRC DoS Page, [9] CERT Advisory CA-1997-28 IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1997-28.html (Mar 1998). [10] Prevent hacker probing: Block bad ICMP http://techrepublic.com.com/5100-6264-5087087.html 2003). messages, (Okt [11] WinNuke lives on, and it’s coming to a system near you, http://techrepublic.com.com/5100-6313-1054537.html (Nov 2002). 101 102 Bibliography [12] WinNuke on Wikipedia, http://en.wikipedia.org/wiki/Winnuke (Jan 2005). [13] MS02-045: Unchecked Buffer in Network Share Provider May Lead to Denial-of-Service, http://support.microsoft.com/default.aspx?scid=KB;EN-US; Q326830& (Sep 2004). [14] Microsoft Windows Platforms running TCP/IP Subject to Denial of Service Attack, http://www.windowsitpro.com/Article/ArticleID/9233/9233.html (Jun 1997). [15] Microsoft fixes ”Ping of Death http://www.windowsitpro.com/Article/ArticleID/17129/ 17129.html (Jul 1997). 2”, [16] JTC 019 Ping of Death Detection, http://advanced.comms.agilent.com/n2x/docs/journal/ JTC_019.html (2004). [17] THE LATEST IN DENIAL OF SERVICE ATTACKS: ”SMURFING” DESCRIPTION AND INFORMATION TO MINIMIZE EFFECTS, http://www.pentics.net/denial-of-service/white-papers/ smurf.cgi (Feb 2000). [18] Defining Strategies to Protect Against UDP Diagnostic Port Denialof-Service Attacks, http://cio.cisco.com/warp/public/707/3.html (Feb 2004). [19] Denial of Service FAQ Basic, http://www.securitydocs.com/library/ 2774 (Dec 2004). [20] Zombie trick expected to send spam sky-high, http://news.com.com/Experts+Zombie+trick+set+to+send+spam+ sky-high/2100-7349_3-5560664.html?tag=nefd.top (Feb 2004). [21] CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks, http://www.cert.org/advisories/CA-1996-21.html (Nov 2000). [22] SYN cookies, http://cr.yp.to/syncookies.html (Nov 2000). [23] Global Incident Analysis Center: Special Notice - Egress Filtering, http://www.sans.org/y2k/egress.htm (Feb 2000). [24] ICMP Traceback (iTrace), http://www.ietf.org/html.charters/ itrace-charter.html (Mar 2002). Bibliography 103 [25] Intention-Driven iTrace, http://www.ietf.org/proceedings/01mar/ slides/itrace-1/sld001.htm (Mar 2001). [26] Intention-Driven ICMP Trace-Back, http://whitepapers.zdnet.co.uk /0,39025945,60028074p-39000424q,00.htm (Feb 2001). [27] An evaluation of different IP traceback approaches, http://www.sm.luth.se/csee/csn/publications/ip_traceback.pdf (Oct 2002). [28] On Network-Layer Packet Traceback: Tracing Denial-ofService (DoS) and Distributed Denial-of-Service (DDoS) attacks, http://www.lib.ncsu.edu/theses/available/etd-01062004-093357 /unrestricted/etd.pdf (2003). [29] Address Allocation for Private http://www.ietf.org/rfc/rfc1918.txt (Feb 1996). Internets, [30] Network Ingress Filtering: Defeating Denial vice Attacks which employ IP Source Address http://www.ietf.org/rfc/rfc2827.txt (May 2000). of SerSpoofing, [31] Ingress Filtering for Multihomed http://www.ietf.org/rfc/rfc3704.txt (Mar 2004). Networks, [32] Searchsecurity.com Egress Filtering, http://searchsecurity.techtarget.com/tip/ 1,289483,sid14_gci883409,00.html (Mar 2003). [33] Changes to Functionality in Microsoft Windows XP Service Pack 2 Part 2: Network Protection Technologies, http://www.microsoft.com/downloads/info.aspx?na=46&p=3& SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=7bd948d7b791-40b6-8364-685b84158c78&genscs=&u=http%3a%2f%2f download.microsoft.com%2fdownload%2f8%2f7%2f9%2f879a7b46 -5ddb-4a82-b64d-64e791b3c9ae%2f02_CIF_Network_Protection.DOC (Sep 2004). [34] Gibson’s ENcryption-Enhanced Spoofing Immunity http://grc.com/r&d/nomoredos.htm (Oct 2003). System, [35] Ping of Death, http://www.insecure.org/sploits/ping-o-death.html. [36] Teardrop DoS, http://attrition.org/security/denial/w/teardrop.dos.html (Nov 1997). 104 Bibliography [37] Network Intruder Location Using Markov Decision Processes, http://www.ee.umd.edu/~shayman/papers.d/raid_2000.ps (Apr 2000). [38] Towards Tracing Hidden Attackers on Untrusted IP Networks, http://www.cs.ucdavis.edu/~wu/publications/Decid_im2001.ps. [39] IPsec: How it works and why we need it, http://www.computerworld.com/securitytopics/security/story/ 0,10801,91312,00.html (Mar 2004). [40] Requirements for Internet Hosts – Communication Layers, http://www.ietf.org/rfc/rfc1122.txt?number=1122 (Oct 1989). [41] The DoS Project’s ”trinoo” distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/trinoo.analysis (Oct 1999) [42] The ”Tribe Flood Network” distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/tfn.analysis (Oct 1999) [43] The ”stacheldraht” distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/ stacheldraht.analysis (Dec 1999) [44] Multifunctioal ICMP Messages for e-Commerce, http://www1.cs.columbia.edu/~bowang/PublishedPapers/ MultifunctionalICMPMessagesForE-Commerce.pdf (2003) [45] A DoS-Resistant IP Traceback http://www.nyman-workshop.org/2003/papers/ A%20Denial-of-Service-Resistant%20IP%20Traceback %20Approach_Bao-Tung%20Wang.pdf (2003) Approach, [46] Boost C++ Libraries, http://www.boost.org/ (Oct 2004) [47] Intel Endianness White Paper, ftp://download.intel.com/design/intarch/papers/endian.pdf (Nov 2004) [48] Internet Protocol Multicast, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ ipmulti.pdf [49] WinPcap: the Free Packet Capture http://www.winpcap.org/ (Jun 2005). Library for Windows, Appendix A EthernetII Packet EthernetII packet: Destination address 6 bytes Source address Ethertype 6 bytes 2 bytes Data 46 - 1500 bytes CRC 4 bytes If data is less than 46 bytes it is padded with zeros. 105 106 EthernetII Packet Appendix B ARP packet ARP packet: Hardware type 16 bits Hardware address length Protocol address length 8 bits 8 bits Source hardware address Variable length Source protocol address Variable length Destination hardware address Variable length Destination protocol address Variable length 107 Protocol type 16 bits Opcode 16 bits 108 ARP packet Appendix C IP datagram IP datagram: 20-65535 bytes Header Data 20-60 bytes 0-65515 bytes IP header: VER HLEN Service type Total length 4 bits 4 bits 8 bits 16 bits Identification Flags Fragmentaion offset 16 bits 3 bits 13 bits Time to live Protocol Header checksum 8 bits 8 bits 16 bits Source IP address 32 bits Destination IP address 32 bits Option 0-40 bytes 109 110 IP datagram Appendix D ICMP packet ICMP packet: 8-65515 bytes Header Data 8 bytes 0-65507 bytes ICMP header: Type Code Checksum 8 bits 8 bits 16 bits Identifier Sequence number 16 bits 16 bits 111 112 ICMP packet Appendix E UDP datagram UDP datagram: 8-65515 bytes Header Data 8 bytes 0-65507 bytes UDP header: Source port address 16 bits Total length 16 bits Destination port address 16 bits Checksum 16 bits 113 114 UDP datagram Appendix F TCP segment TCP segment: 20-65515 bytes Header Data 20-64 0-65495 bytes TCP header: Source port address Destination port address 16 bits 16 bits Sequence number 32 bits Acknowledgement number 32 bits HLEN Reserved U A P R S F Window size 4 bits 6 bits R C S S Y I 16 bits G K H T N N Checksum Urgent pointer 16 bits 16 bits Options & padding 0-44 bytes 115 116 TCP segment Appendix G Manual for the Control Center and Zombie application G.1 Control Center The Control Center is the application that is used to control the Zombies. By using the Control Center it is possible to send commands to the connected Zombies. For instance it is possible to start or stop an attack or gather status for each Zombie. There are a few arguments that may be passed to the Control Center in the startup sequence as seen in Figure G.1. The server uses multicast to sends its IP to the Zombies by default. ControlCenter.exe [-p port] [-n] [-h] [-r file] -r –readfile Specify a file to read initialization commands from. -p –port Specify the port number to listen on. -n –nomulticast Don’t use multicast mode (default address). -h –help Show this help. Figure G.1: Control Center startup arguments When the Control Center starts up it will display a message if multicast mode is used followed by the IP address and port number that will be used for communication with the Zombies. The prompt (”¿”) will then be displayed and the Control Center will wait for instructions from the user. The available commands are shown below: help: Shows a list of available commands. 117 118 Manual for the Control Center and Zombie application attack: Used to initialize an attack. More details are available below. attack start zombieID: Starts a previously initialized attack for Zombie zombieID. If the zombieID argument is excluded, all initialized Zombies will start their attack session. attack stop zombieID: Stops a running attack for Zombie zombieID. If the zombieID argument is excluded, all initialized Zombies will stop their attack session. status: Send a query to each Zombie to get their current status. The replies are shown on the screen. This command may be used to retrive Zombie ids. readfile file: Read initialization commands from file (the file syntax is the same as a normal attack initialization and several commands may be entered in the same file with one command per line). kill zombieID: If no argument is used all Zombies will be disconnected from the Control Center otherwise only the specified Zombie will be disconnected. quit: Disconnects all Zombies and exits the application. exit: Same as quit. help attack: Displays more comprehensive information about the attack command. As seen earlier it is possible to get more information about the attack initialization by issuing the ”help attack” command. The available initialization arguments for the ”attack” command are: type a: Set the attack to be issued. See Figure G.2 for a list of available attack types. mac m: Set both the source and destination MAC address to m. The format can be either AABBCCDDEEFF or AA:BB:CC:DD:EE:FF. srcmac m: Set the source MAC address to m. destmac m: Set the destination MAC address to m. ip i: Set both the source and destination IP address to i. srcip i: Set the source IP address to i. destip i: Set the destination IP address to i. port p: Set both the source and destination port to p. Manual for the Control Center and Zombie application 119 srcport p: Set source port to p. destport p: Set destination port to p. datasize d: Set the data size of the packets to d bytes. The maximum data size is 1470 bytes. Note that if the data size is too small it is possible that the packet will be padded to fit the specifications. interval i: Set the delay between the transmission of two packets to i milliseconds. Default value is zero. zombieid i: Initialize Zombie i with these attack parameters. If this argument is not used, all Zombies will be initialized. The ”i” value is an integer value representing a unique Zombie. It is shown by the ”status” command. All arguments above are optional except ”type”. The different attacks use different default values for each argument. For details refer to Figure G.2. It does not matter in what order the arguments are entered. The exception is if two or more arguments contradicts each other then the last one entered is chosen. For instance if both ”ip 1.2.3.4” and ”destip 1.2.3.5” are entered, 1.2.3.5 will be chosen as the destination IP address since it was entered last. An example of how to initialize Zombie 0 to attack the host of 130.235.5. 174 with an ICMP ping attack (using a spoofed source IP address of 127.0.0.1, spoofed source MAC address of 11:22:33:44:55:66, a data size of 1200 bytes, and an interval of 40 milliseconds between each ICMP packet) is seen below: attack type icmpping zombieid 0 srcip 127.0.0.1 destip 130.235.5.174 srcmac 11:22:33:44:55:66 datasize 1200 interval 40 To start the attack at Zombie 0 type: attack start 0 G.2 Zombie The Zombie is controlled by a Control Center and once started it is not possible to alter its behavior. There are a couple of arguments that can be passed to the Zombie in the startup sequence as seen in Figure G.3. The server address is fetched by using multicast lookup if no IP is specified. When the Zombie is started (with no arguments) it first displays what date and time the main Zombie file (zombie.cpp) was compiled on. It then displays some local network information such as network device (rpcap), IP, 120 Manual for the Control Center and Zombie application Attack type fraggle icmpping land pepsi pod2 srcmac 0x0 0x0 0x0 0x0 0x0 destmac 0xffffffffffff 0xffffffffffff 0xffffffffffff 0xffffffffffff 0xffffffffffff Default values srcip destip srcport 0.0.0.0 0.0.0.0 random 0.0.0.0 0.0.0.0 − 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 random 0.0.0.0 0.0.0.0 − smurf tcpsyn teardrop 0x0 0x0 0x0 0xffffffffffff 0xffffffffffff 0xffffffffffff 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 udpflood winnuke 0x0 0x0 0xffffffffffff 0xffffffffffff 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 − random random random random random destport 7 − 0 161 − − 0 0 0 0 139 datasize 64 64 0 44 1472 1480 403 64 64 0xAC 0xA9 64 1460 Figure G.2: Default attack parameter values. The values that are not interchangeable are underlined. The ”−” indicates that the attack is discarding that particular option. Zombie.exe [-i ip] [-p port] [-n] [-h] [-d] -i –ip –hostip IP to server (no multicast). -p –port Port to server. -n –notestenvironment Enable use of gateway to access foreign networks. -d –device Choose a non default network device to attack from. -h –help Show this help. Figure G.3: Zombie startup arguments Manual for the Control Center and Zombie application 121 and MAC address. The Zombie then connects to the multicast address of 224.0.0.1 and fetches the IP address and port to the Control Center. It then disconnects from the multicast address and connects to the Control Center with the fetched IP address and port and then wait for instructions. Figure G.4 shows an example of a Zombie that has been initialized with an ICMP ping attack. Figure G.4: Zombie initialized with an ICMP ping attack When choosing to use a non default network device (-d switch) a list of possible network devices will be displayed on the screen. Here the user must choose which network device to use by entering an integer number. 122 Manual for the Control Center and Zombie application Appendix H Class Diagrams This chapter displays the class diagrams for the Control Center and Zombie applications. H.1 Control Center Class Diagram 123 H.2 Zombie Class Diagram 124 Class Diagrams