Network Forensics (DDoS/Distributed Denial of Service Attack)

Academic year: 2021


(1)

GITG342

Network Forensics

(DDoS/Distributed Denial of Service Attack)

(2)

Index

DDoS attacks

DDoS attacks taxonomy

Types of DDoS attacks

Current DDoS Attacks

DDoS attacks tools

DDoS countermeasures

(3)

DDoS Attacks

DoS attacks

• An attack on a computer or network that prevents legitimate use of its resources.

• Examples of DoS include:
  • Flooding a network
  • Disrupting connections between machines
  • Disrupting a service

DDoS attacks

• Many machines are involved in the attack against one or more victims

DDoS attackers motivation

• Financial/economical gain

• Revenge

• Ideological belief

(4)

DDoS Attacks

(5)

DDoS Attacks

Direct DDoS attack

• Send control traffic directly to the zombie to attack the victim host

Indirect DDoS attack

• Send control traffic indirectly to the zombie to compromise the target host

• Reflectors are non-compromised systems that exclusively send replies to a request

[Figure: direct DDoS attack path: Attacker -> Zombie, Zombie, Zombie -> Victim]

[Figure: indirect DDoS attack path: Attacker -> Zombie, Zombie, Zombie -> Reflector, Reflector, Reflector, Reflector]

(6)

DDoS Attacks Taxonomy

DDoS attack taxonomy

DDoS Attack
  • Bandwidth Depletion
    • Flood Attack: ICMP, UDP
    • Amplification Attack: Smurf, Fraggle
  • Resource Depletion
    • Protocol Exploit Attack: TCP SYN, PUSH+ACK
    • Malformed Packet attack

(7)

Types of DDoS Attacks

UDP flood attack

• In a UDP Flood attack, the attacker sends a large number of UDP packets to a victim system, which saturates the network and depletes the bandwidth available for legitimate service requests to the victim system.

• A UDP Flood attack is possible when an attacker sends a UDP packet to a random port on the victim system.

• When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.

• When it realizes that there is no application that is waiting on the port, it will generate an ICMP packet of “destination unreachable” to the forged source address.

• If enough UDP packets are delivered to ports of the victim, the system will go down.

(8)

Types of DDoS Attacks

ICMP flood attack

• ICMP Flood attacks exploit the ICMP(Internet Control Message Protocol), which enables users to send an echo packet to a remote host to check whether it’s alive.

• More specifically, during a DDoS ICMP flood attack the agents send large volumes of ICMP_ECHO_REPLY packets (“ping”) to the victim.

• These packets request reply from the victim and this results in saturation of the bandwidth of the victim’s network connection.

(9)

Types of DDoS Attacks

SYN flood attack

• In a SYN Flood attack, the victim is flooded with half-open connections.

• Client-server communication
  • The client system begins by sending a SYN message to the server.
  • The server then acknowledges the SYN message by sending a SYN-ACK message to the client.
  • The client then finishes establishing the connection by responding with an ACK message.
  • The connection between the client and the server is then open, and service-specific data can be exchanged between the client and the server.

(10)

Types of DDoS Attacks

SYN flood attack

• Half-open connection
  • The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message.
  • The server has built in its system memory a data structure describing all pending connections.
  • This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.
  • The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out.

(11)

Types of DDoS Attacks

Smurf attack

• In a “smurf” attack, the victim is flooded with ICMP "echo-reply" packets.

• On IP networks, a packet can be directed to an individual machine or broadcast to an entire network.

• When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network.

• In the "smurf" attack,
  • attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks.
  • When the attackers create these packets, they do not use the IP address of their own machine as the source address.
  • Instead, they create forged packets that contain the spoofed source address of the attacker’s intended victim.
  • The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine.

(12)

Types of DDoS Attacks

Ping of Death attack

• In Ping of Death attacks,
  • the attacker creates a packet that contains more than 65,536 bytes, which is the limit that the IP protocol defines.
  • This packet can cause different kinds of damage to the machine that receives it, such as crashing and rebooting.
  • ping -l 86600 victim.org

Land attack

• The attack involves sending a spoofed TCP SYN packet (connection initiation) to an open port, with the target host's IP address as both source and destination.

• A LAND attack works because it causes the machine to reply to itself continuously.

• Land attacks have been found in services like SNMP (Simple Network Management Protocol) and Windows 88/tcp (Kerberos/global services); these were caused by design flaws where the devices accepted requests on the wire that appeared to come from themselves, causing repeated replies.

(13)

Types of DDoS Attacks

Teardrop attack

• This type of denial of service attack exploits the way that IP (Internet Protocol) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment identifies an offset from the beginning of the original packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.

(14)

Current DDoS Attacks

DDoS trends

• The most obvious trend seen at the end of 2013 and in 2014 was the increased use of amplification attacks

(15)

Current DDoS Attacks

DDoS as a service trends

• Prices range from US $5 to over $1,000
  • depending on the attack’s duration and size

(16)

DDoS Attacks Tools

Trinoo(Trin00)

• Trinoo was the first DDoS tool to be discovered

• Found in the wild (in binary form) on Solaris 2.x systems compromised through buffer overrun bugs in RPC (Remote Procedure Call) services: statd, cmsd, ttdbserverd
  • rpc.statd: CVE-1999-0018, CVE-1999-0019
  • rpc.cmsd: CVE-1999-0696
  • rpc.ttdbserverd: CVE-1999-0687, CVE-1999-0003, CVE-1999-0693

• Trinoo daemons were UDP based password protected remote command shells running on compromised systems.

(17)

DDoS Attacks Tools

Trinoo communication

• Attacker to master: 27665/TCP
  • The attacker must supply the correct password

• Master to daemons: 27444/TCP
  • Command lines are of the form: arg1 password arg2; the default password for commands is 144asdl
  • Only commands containing the “144” substring are run

• Daemon to master: 31335/UDP
  • When a daemon starts up, it sends a HELLO to the master
  • The master adds this daemon to its list
  • The master sends a PING to the daemon on 27444/UDP; the daemon replies with PONG on 31335/UDP

(18)

DDoS Attacks Tools

Trinoo password protection

• Used to prevent sysadmins or other hackers from hijacking the trinoo network

• Used in a symmetric fashion

• The encrypted password string is compiled into the server and compared against the cleartext password using the crypt() function

• Wrong password = program exits

• Password-protected daemon commands:
  • 144asdl – Trinoo daemon password
  • G0rave – Trinoo master server startup
  • Betaalmostdone – master remote I/F password

(19)

DDoS Attacks Tools

Some Trinoo master commands

• Die – shut down master

• Quit – log off the master

• Mtimer N – set DoS timer to N seconds

• Dos IP – daemons to DoS the target IP address

• Mdie pass – disable all Bcast hosts

• Mping – send Ping to every active Bcast host

• Mdos ip1:ip2:ip3 – send multiple DoS command to each Bcast host

Some Trinoo daemon commands

• Aaa pass IP – DoS the IP address

• Bbb pass N – sets time limit for DoS attacks

• Shi pass – send HELLO to master lists

• Png pass – send PONG to the master

(20)

DDoS Attacks Tools

Trinoo defense

• Monitor packets for PING, PONG, HELLO
  • Ineffective for switched subnets

• Tcpdump signatures
  • The source port is the same, the destination ports are random and the target address is the same

• Running strings on the binary can reveal the encrypted password string, and Crack can then be run against it

• The daemon password is sent in cleartext

• Once a daemon is found, you have a list of the IP addresses of its masters

• Once a master is found, the daemon list is in a file on it
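The tcpdump signature above (same source port, random destination ports, one target address) can be checked mechanically over a capture. The following is an added example written for this page, not code from the slides or from any Trinoo analysis: it parses constructed tcpdump-style UDP summary lines and flags any (source, source port, destination) group whose destination ports are almost all distinct. The thresholds, the line format and the addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# tcpdump-style UDP summary line (assumed format), e.g.
# "10:15:01.000123 IP 192.0.2.10.1025 > 198.51.100.5.40211: UDP, length 4"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)$"
)

FlowKey = Tuple[str, int, str]  # (source address, source port, destination address)


def parse_udp_line(line: str) -> Optional[Tuple[str, int, str, int, int]]:
    """Return (src, sport, dst, dport, length), or None for lines that are not UDP summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, length = m.groups()
    return src, int(sport), dst, int(dport), int(length)


def find_trinoo_like_floods(lines, min_packets: int = 20, min_distinct_ratio: float = 0.9):
    """Group packets by (src, sport, dst) and flag groups where nearly every packet
    hits a different destination port: fixed source port + random destination
    ports + one target, the tcpdump signature described on the slide.
    Returns sorted (key, packet_count, distinct_destination_ports) tuples."""
    counts: Dict[FlowKey, int] = defaultdict(int)
    ports: Dict[FlowKey, set] = defaultdict(set)
    for line in lines:
        rec = parse_udp_line(line)
        if rec is None:              # non-UDP or unparseable lines are ignored
            continue
        src, sport, dst, dport, _length = rec
        counts[(src, sport, dst)] += 1
        ports[(src, sport, dst)].add(dport)
    flagged = []
    for key, n in counts.items():
        distinct = len(ports[key])
        if n >= min_packets and distinct / n >= min_distinct_ratio:
            flagged.append((key, n, distinct))
    return sorted(flagged)


def constructed_capture() -> List[str]:
    """Constructed sample capture (not real data): a 50-packet flood from one host and
    port to random ports on one target, a repeated normal DNS query, and one TCP line."""
    lines = []
    for i in range(50):
        dport = 1024 + (i * 7919) % 60000        # deterministic, pairwise distinct ports
        lines.append(
            f"10:15:{i % 60:02d}.000{i:03d} IP 192.0.2.10.1025 > 198.51.100.5.{dport}: UDP, length 4"
        )
    for i in range(30):
        lines.append(f"10:16:{i % 60:02d}.000000 IP 192.0.2.20.53000 > 198.51.100.53.53: UDP, length 45")
    lines.append("10:17:00.000000 IP 192.0.2.20.40000 > 198.51.100.80.80: Flags [S], seq 1, length 0")
    return lines


if __name__ == "__main__":
    for key, n, distinct in find_trinoo_like_floods(constructed_capture()):
        print(f"possible UDP flood: {key[0]}:{key[1]} -> {key[2]} ({n} packets, {distinct} distinct ports)")
```

The DNS group in the sample has 30 packets to a single port, so it is never flagged; real captures need the ratio and packet thresholds tuned to the site's traffic.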

(21)

DDoS Attacks Tools

TFN(Tribe Flood Network)

• Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site.

• Structured like trinoo with attackers, clients(masters) and daemons.

• Initial system compromise allows the TFN programs to be installed.

• It can implement Smurf, SYN flood, UDP flood, and ICMP flood attacks.

TFN communication

• Communication can be done by UDP-based client/server shells, ICMP-based client/server shells (Loki, etc.) or normal telnet.

• No password is needed, but an IP list of daemons is required.

• ICMP_ECHOREPLY packets are used to talk to TFN clients and daemons. No TCP/UDP, because most IDS don’t look for ICMP.

TFN defenses

(22)

DDoS Attacks Tools

TFN2K(Tribe Flood Network 2000)

• Aimed at Solaris, Linux and Windows NT.

• Two-component system: a command-driven client on the master and a daemon operating on an agent.

• The master instructs its agents to attack a list of designated targets. Agents flood the targets with a packet barrage.

• Master/agent communications are encrypted

TFN2K communication

• Commands are sent via TCP/UDP/ICMP or all 3 at random.

• Uses TCP/SYN, UDP, ICMP/PING, smurf attacks against victims.

• Can randomly alternate between all of them.

• Master/Agent packet headers are randomized.

• ICMP always uses ICMP_ECHOREPLY type code.

(23)

DDoS Attacks Tools

TFN2K

• The UDP packet length (as stated in the UDP header) is 3 bytes longer than the actual length.

• The TCP header length is always 0, which should never happen.

• Hard to detect because all control communication is unidirectional and uses TCP, UDP or ICMP at random

• Multiple protocol packets with the same payload.

TFN2K detection

• Scan for the files ‘tfn’ (the client) and ‘td’ (the daemon).

• Examine incoming traffic for unsolicited ICMP_ECHOREPLY packets containing a sequence of 0x41 in their trailing bytes.

• Verify that all other payload bytes are ASCII-printable characters in the 0x2B, 0x2F-0x39, 0x41-0x5A or 0x61-0x7A range
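The two payload checks above (a trailing run of 0x41 bytes, everything else inside the 0x2B / 0x2F-0x39 / 0x41-0x5A / 0x61-0x7A ranges, which is the base64 alphabet) can be turned into a small inspection routine. This is an added example written for this page, not TFN2K code and not a detector from any IDS: it parses a bare ICMP message, verifies its checksum, decides whether an echo reply is unsolicited by comparing (id, seq) against the echo requests this host actually sent, and only then applies the payload rule. The sample messages are constructed with `build_icmp`, and the minimum trailing-byte count is an assumption.

```python
import struct
from typing import Set, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# 0x2B, 0x2F-0x39, 0x41-0x5A, 0x61-0x7A: the byte ranges named on the slide
BASE64_ALPHABET = frozenset(b"+/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a constructed ICMP message: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Tuple[int, int, int, int, bytes]:
    """Split an ICMP message into (type, code, id, seq, payload), verifying the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(packet) != 0:          # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


def tfn2k_payload_match(payload: bytes, min_trailing: int = 1) -> bool:
    """Slide rule: a trailing run of 0x41 ('A') bytes, and every remaining byte in the
    base64 alphabet. min_trailing (assumed value) guards against empty runs."""
    body = payload.rstrip(b"A")
    if len(payload) - len(body) < min_trailing or not body:
        return False
    return all(b in BASE64_ALPHABET for b in body)


def inspect_icmp(packet: bytes, outstanding_requests: Set[Tuple[int, int]]) -> str:
    """Classify a received ICMP message. outstanding_requests holds the (id, seq) pairs of
    echo requests this host sent; a reply matching none of them is unsolicited."""
    icmp_type, _code, ident, seq, payload = parse_icmp(packet)
    if icmp_type != ICMP_ECHO_REPLY:
        return "not-echo-reply"
    if (ident, seq) in outstanding_requests:
        return "solicited"
    if tfn2k_payload_match(payload):
        return "alert"          # unsolicited echo reply carrying a TFN2K-shaped payload
    return "unsolicited"


if __name__ == "__main__":
    sent = {(0x1234, 1)}                                   # echo request we issued ourselves
    print(inspect_icmp(build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh"), sent))
    print(inspect_icmp(build_icmp(ICMP_ECHO_REPLY, 7, 9, b"d2hvYW1p" + b"A" * 8), sent))
```

On a real sensor the bytes handed to `inspect_icmp` are the ICMP portion after the IP header, and the `outstanding_requests` set is maintained from the host's own outbound echo requests; the payload test alone is a weak signal, so it is applied only to replies that nothing on the host asked for.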

(24)

DDoS Attacks Tools

Stacheldraht

• Combines features of trinoo and the original TFN.

• Adds encryption of communications between attackers and masters.

• Adds automatic update of the agents.

• Components: attackers, masters (handlers), daemons (agents, bcast)

• Victims are compromised with buffer overflow attacks on RPC services: statd, ttdbserverd, cmsd.

• Could mount ICMP, UDP and SYN floods and Smurf.

• Encrypts the connection between attacker and master, unlike TFN

Stacheldraht communication

• Client to handler: 16660/TCP

• Handler to/from agent: 65000/TCP, ICMP_ECHOREPLY

• Uses both ICMP and TCP.

• Stacheldraht network control is via symmetric key encryption. The client accepts a single argument: its handler address

(25)

DDoS Attacks Tools

Stacheldraht commands

• .distro user server – the agent installs and runs a new copy of itself using rcp on server, using the account user.

• .killall – kills all active agents

• .madd ip1:ip2:ipN – add IPs to the list of victims

• .mdos – start the DoS attack

• .mlist – list the IPs of the hosts being attacked

• .msadd – add a new master server

• .mudp ip1:ip2:ipN – start a UDP flood against the IPs

• .showalive – show all active agents (bcasts)

Stacheldraht defenses

• Block all ICMP_ECHO traffic

• Search for the strings skillz, spoofworks, sicken\n, niggahbitch, ficken in the DATA portion of ICMP_ECHOREPLY packets.

(26)

DDoS Attacks Tools

Mstream

• Based on stream2.c, a point-to-point DoS attack tool.

• Most primitive of DDOS Tools

• Handler: master.c

• Agent: server.c

• Similar network control model / Attacker->handler->agent

Mstream communication

• Attacker – handler communication via unencrypted TCP – 6723/TCP, 12754/TCP, 15104/TCP

• Handler – agent communication via cleartext UDP – 7983/UDP, 6838/UDP

• Agent to Handler(s) – 9325/UDP, 6838/UDP

• Handler expects commands to be contained entirely in the data field of a single TCP packet.

(27)

DDoS Attacks Tools

Mstream handler commands

• If no command is entered within 40 seconds, the connection is closed.

• Stream – stream attack

• Servers – print all servers

• Ping – ping all servers

• Who – who’s logged in

• Mstream – lets you stream more than one IP at a time

• Ping – identify remaining active agents

• Stream host seconds – attack host for the given number of seconds

• Mstream ip1:ip2:ipN seconds – attack multiple IP addresses for the specified duration.

Mstream agent commands

• String based commands in the data portion of UDP packets.

(28)

DDoS Attacks Tools

Shaft

• From the same DDOS family

• Has the ability to switch handler servers and ports on the fly, which makes IDS detection harder.

• Has “ticket” mechanism to link transactions

• PASSWDS, TICKET #’S must match for agent to execute the request.

• Has some interest in packet statistics

• Client -> handler -> agent structure

Shaft communication

• The attacker uses a telnet program, “client”, to talk to handlers.

• Client to handler: 20432/TCP

• Handler to agent: 18753/UDP

(29)

DDoS Attacks Tools

Shaft agent command

• Size <size> – size of the flood packets

• Type 0|1|2|3 – type of DoS to run: 0 UDP, 1 TCP, 2 UDP/TCP/ICMP, 3 ICMP

• Time <length> – length of the DoS attack (sec)

• Own <victim> – add victim to the agent list

• Switch <handler> <port> – switch to a new handler and port

• New <password> – new agent reporting in

• Pktres <password> <sock> <ticket> <packets sent> – packets sent to the host identified by <ticket> number.

Shaft detection

• Scanning for open port 20432 may reveal the presence of a handler.

• Sending ‘alive’ messages with the default password to all nodes on a network at port 18753/UDP.

(30)

DDoS Countermeasures

IP traceback

• IP Traceback is a method to find the source of a DoS attack

• Link testing
  • Start from the router closest to the victim and interactively test its upstream links until you determine which one carries the attacker's traffic.
  • This technique assumes that an attack remains active until the completion of a trace.

• Logging
  • Log packets at key routers and then use data mining techniques to determine the path that the packet traversed.
  • Advantage: it can trace an attack long after the attack has completed.
  • Disadvantage: needs enormous resources.

• ICMP-based traceback
  • Sample some of the packets with low probability and copy the contents into a special ICMP traceback message.

• Packet marking
  • This scheme is based on the idea that routers mark packets that pass through them with their addresses or a part of their addresses
  • This scheme is aimed primarily at DoS and DDoS attacks, as it needs many attack packets to reconstruct the full path.

(31)

DDoS Countermeasures

IP traceback

[Figure: logging-based traceback and ICMP-based traceback]

(32)

DDoS Countermeasures

Network Ingress Filtering

• Discard all packets whose source IP addresses do not fall within the valid range of the customer’s known IP addresses

[Figure: ingress filtering topology: 204.69.207.0/24 (attacker), Router 1, Router 2, Router 3, ISP A, ISP B, ISP C, ISP D]

IF packet's source address from within 204.69.207.0/24 THEN forward as appropriate

IF packet's source address is anything else THEN deny packet

(33)

DDoS Countermeasures

Intrusion Detection Systems

• HIDS (Host-based Intrusion Detection System)
  • A HIDS resides on a particular computer and provides protection for that specific computer system
  • HIDS can be installed on many different types of machines: servers, workstations and laptops
  • HIDS allows for remote monitoring, remote storage of event logs and the ability to push agents to new or existing hosts

(34)

DDoS Countermeasures

Intrusion Detection Systems

• NIDS (Network-based Intrusion Detection System)
  • A NIDS captures network traffic packets (TCP, UDP) and analyzes their content against a set of rules or signatures to determine whether a possible event took place
  • NIDS can also be installed on active network elements, for example on routers

(35)

DDoS Countermeasures

Intrusion Detection Systems

• NIDS (Network-based Intrusion Detection System)

• Proactive defense mechanisms
  • Instead of detecting attacks by using signatures (attack patterns) or anomalous behavior, these mechanisms try to improve the reliability of the global Internet infrastructure by adding extra functionality to Internet components to prevent attacks and vulnerability exploitation

• Reactive defense mechanisms using available IDS
  • If the IDS can detect the DDoS attack packets accurately, filtering mechanisms are used, which can filter out the attack stream completely, even at the source network.
  • If the IDS cannot detect the attack stream accurately, rate limiting is used.

• Post-attack analysis
  • The purpose of post-attack analysis is either to look for attack patterns that will be used by the IDS or to identify attackers using packet tracing.
  • The goal of packet tracing is to trace Internet traffic back to its true source.
  • Traceback mechanisms can help to identify zombies; however, they are impractical for defending against DDoS attacks for the following reasons.

(36)

DDoS Countermeasures

Firewall

• Often a firewall is also referred to as a packet filter.

• The basic task of a firewall is to control traffic between different zones of trust and/or administrative authorities.

• Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust).

• A firewall can protect the internal network from the external network by accepting or denying traffic according to the rules specified in its rule list.

(37)

DDoS Countermeasures

Firewall

• Advantages of Firewalls

  • They can stop incoming requests to inherently insecure services, e.g. you can disallow rlogin, or RPC services such as NFS.
  • They can control access to other services, e.g. bar callers from certain IP addresses, or filter the service operations (both incoming and outgoing)
  • They are more cost effective than securing each host on the corporate network, since there are often only one or a few firewall systems to concentrate on.

• Disadvantages of Firewalls
  • They may restrict legitimate users from accessing valuable services; for example, corporate users may not be let out onto the Web, or when working away from home a corporate user may not have full access to the organization’s network.
  • They can be a bottleneck to throughput, since all connections must go via the firewall system.

(38)

Research process

(39)

FE vs. DDoS

An exhaustion of network or server resources

• By a Flash Event (FE)
  • Caused by legitimate users

• By Distributed Denial of Service (DDoS) attacks
  • Caused by attackers

(40)

Characteristics of FE and DDoS

Characteristics of FE and DDoS used to distinguish between them [1]

[1] J. Jung, B. Krishnamurthy and M. Rabinovich, “Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites”, in World Wide Web, May 2002.

Traffic volumes
  FE: High
  DDoS: High

Distribution of clusters among clients
  FE: The number of clusters is much smaller than the number of clients
  DDoS: The number of clients and clusters are very similar

Cluster contribution to requests
  FE: Follows the Pareto law (skewed / predictable)
  DDoS: Does not follow the Pareto law (randomly distributed /

(41)

Simulation and Analysis of Real Traffic

• FE01: a site that published many pictures and JavaScript files for decorating websites

• FE02: a Microsoft Windows update website

• MBC: the biggest private broadcast company in Korea

(42)

Simulation and Analysis of Real Traffic

The number of clusters among clients

• FE01: a site that published many pictures and JavaScript files for decorating websites

• FE02: a Microsoft Windows update website

• MBC: the biggest private broadcast company in Korea

• DOS01 & DoS02: obtained from two trans-Pacific T-3 links connecting the United States and a Korean Internet gateway.

(43)

Simulation and Analysis of Real Traffic

Distribution of clusters to requests

• FE01: a site that published many pictures and JavaScript files for decorating websites

• FE02: a Microsoft Windows update website

(44)

Traffic matrix construction

Place of an incoming request in the matrix construction

Process of matrix construction

• Initialized with zero in all entries

• For each incoming request, the content of the corresponding entry is overwritten with the value 1, using one bit

Clustering clients with IP2 and IP3

• There are many unused or unallocated IP addresses in the Internet, so we do not use IP1

(45)

Benefits of Randomness Check with Matrix

Easy to apply on the network

• if we define the method to construct the traffic matrix and its size

Provides a fixed threshold

• does not depend on the network traffic environment

Easy to apply operations, such as XOR, AND and others, between consecutive matrices

• The XOR operation deletes normal traffic

• The AND operation retains normal traffic

(46)

Applying the XOR and AND operation

Apply the XOR and AND operations between the matrices of the current and the previous time units

Mt is the traffic matrix generated at time t

Delete or retain traffic on the matrix using the XOR and AND operations

(47)

Checking randomness

• Randomness check
  • Apply Gaussian elimination
  • Check the rank value, the number of leading ones
  • The probability of a rank value of an m×n random matrix

• Calculation of the threshold
  • Apply the log2 function
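The matrix construction (slide 44), the XOR/AND step between consecutive matrices (slides 45 and 46) and the rank-based randomness check above can be carried through end to end. The following is an added example written for this page, not the FDD authors' implementation: it builds the IP2 × IP3 bit matrix from client addresses, applies XOR and AND between the current and previous matrices, computes the GF(2) rank by Gaussian elimination, and compares it against a threshold. The rank-probability formula is the standard one for a uniformly random binary matrix (as used in the NIST SP 800-22 rank test); that the slides rely on this exact formula, and the way the threshold is derived from it here, are assumptions. The sample client addresses are constructed.

```python
import random
from typing import Iterable, List

SIZE = 256  # rows: IP2 (second octet), columns: IP3 (third octet); IP1 is not used, per the slide


def build_traffic_matrix(client_ips: Iterable[str], size: int = SIZE) -> List[int]:
    """Return the traffic matrix M_t as a list of row bitmasks: bit IP3 of row IP2 is
    overwritten with 1 whenever a request arrives from a client with those octets."""
    rows = [0] * size                                   # initialised with zero in all entries
    for ip in client_ips:
        octets = ip.split(".")
        rows[int(octets[1]) % size] |= 1 << (int(octets[2]) % size)
    return rows


def xor_matrices(a: List[int], b: List[int]) -> List[int]:
    """M_t XOR M_(t-1): entries present in both time units (steady, normal traffic) cancel."""
    return [x ^ y for x, y in zip(a, b)]


def and_matrices(a: List[int], b: List[int]) -> List[int]:
    """M_t AND M_(t-1): keeps only the entries present in both consecutive matrices."""
    return [x & y for x, y in zip(a, b)]


def gf2_rank(rows: List[int]) -> int:
    """Rank over GF(2) by Gaussian elimination on integer bit rows (number of leading ones)."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = rows.pop()
        if pivot == 0:
            continue
        rank += 1
        lead = 1 << (pivot.bit_length() - 1)            # leading one of the pivot row
        rows = [r ^ pivot if r & lead else r for r in rows]
    return rank


def rank_probability(m: int, n: int, r: int) -> float:
    """P(rank = r) for a uniformly random m x n binary matrix (assumed: the classic formula,
    as in the NIST SP 800-22 binary matrix rank test)."""
    if r < 0 or r > min(m, n):
        return 0.0
    p = 2.0 ** (r * (m + n - r) - m * n)
    for i in range(r):
        p *= (1 - 2.0 ** (i - m)) * (1 - 2.0 ** (i - n)) / (1 - 2.0 ** (i - r))
    return p


def rank_threshold(m: int, n: int, alpha: float = 1e-6) -> int:
    """Largest r such that a random m x n matrix has rank below r with probability <= alpha
    (assumed derivation; the slides do not show theirs). Rank >= r then 'looks random'."""
    cumulative, r = 0.0, 0
    while r < min(m, n) and cumulative + rank_probability(m, n, r) <= alpha:
        cumulative += rank_probability(m, n, r)
        r += 1
    return r


def classify(rows: List[int], threshold: int) -> str:
    """Randomness check: spoofed DDoS sources scatter over the matrix (high rank), while
    flash-event clients concentrate in a few (IP2, IP3) clusters (low rank)."""
    return "DDoS" if gf2_rank(rows) >= threshold else "FE"


def sample_flash_event(clients_per_cluster: int = 50) -> List[str]:
    """Constructed: legitimate clients from four (IP2, IP3) clusters on two netblocks."""
    return [f"10.{ip2}.{ip3}.{i % 250 + 1}"
            for ip2, ip3 in ((5, 1), (5, 2), (7, 1), (7, 2))
            for i in range(clients_per_cluster)]


def sample_ddos(packets: int = 4000, seed: int = 1) -> List[str]:
    """Constructed: attack packets with uniformly spoofed source addresses."""
    rng = random.Random(seed)
    return [f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
            for _ in range(packets)]


if __name__ == "__main__":
    previous = build_traffic_matrix(sample_flash_event())
    current = build_traffic_matrix(sample_flash_event() + sample_ddos())
    changed = xor_matrices(current, previous)            # normal traffic deleted
    print("rank of changed traffic:", gf2_rank(changed))
    print("verdict:", classify(changed, threshold=128))   # 128: assumed threshold for the demo
```

The XOR step is what makes the check robust to a steady legitimate population: in the demo the flash-event clusters are present in both time units and cancel, so only the spoofed, scattered sources remain to be ranked. `rank_threshold` shows how a threshold can be derived from the rank distribution of a random matrix; on a sparse attack matrix the observed rank may fall short of the near-full rank a uniformly random matrix attains, so the cut-off should be validated against traces, as the slides' evaluation does.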

(48)

Evaluation

(49)

Conclusion

FDD, a simple yet effective mechanism, distinguishes flash events from DDoS attacks using a randomness check

Our trace-driven evaluation results show that FDD distinguishes between FE and DDoS attacks with high accuracy and low memory usage

(50)

References
