Log-based Signature Analysis
Denial of Service Attacks
- from analyst’s point of view
Computer and Network Forensics
Yong Guan
3216 Coover
Tel: (515) 294-8378
Email: [email protected]
October 9, 2003
What is a DoS attack?
- A DoS attack can be defined as an attack designed to disrupt or completely deny legitimate users’ access to networks, servers, services, or other resources.
- A brief history:
  - Fall of 1999, Carnegie Mellon CERT Coordination Center released a message that warned of a new type of attack – denial of service.
Classification of DoS attacks
- Target resource starvation: a resource starvation attack attempts to deny service to a particular machine or a particular service on a machine.
- Network bandwidth consumption: network bandwidth consumption attacks target an entire network – aiming to shut out all legitimate access, both inbound and outbound.
Last time, one example – Snork
- DoS – Resource Starvation
- Land Attack – Windows NT 4.0, pre-SP4
- Attack mechanism:
  - Spoofed RPC datagrams to UDP dest port 135:
  - One RPC server sends bad data to another RPC server. The second server returns a REJECT packet, the first server replies with another REJECT packet, and this creates a loop that is not broken until a packet is dropped.
  - If this spoofed UDP packet is sent to multiple destinations, many loops may be created, consuming processor resources and network bandwidth.
Last time, another example – SYN flood
- DoS – Resource Starvation
- SYN Flood
  - TCP three-way handshake: SYN -> SYN-ACK -> ACK
  - Use a good packet in a bad way (instead of a bad packet)
  - Trace: see next slide
Last time, another example – SYN flood (cont.)
[**] Unknown FTP access [**]
04/27 20:08:51.848175 210.104.180.1:3299 > xxx.xxx.xxx.189:21 TCP TTL: 45 TOS:0x0 ID:33389 DF
**S***** Seq: 0xF883F9 Ack: 0x0 Win: 0x7D78 TCP options =>MSS: 1460 SackOK TS: 34460833 0 NOP WS: 0
04/27 20:08:51.870167 xxx.xxx.xxx.189:21 > 210.104.180.1:3299 TCP TTL: 64 TOS:0x0 ID:95 DF
**S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470 TCP options =>MSS: 1460
04/27 20:08:54.480821 xxx.xxx.xxx.189:21 > 210.104.180.1:3299 TCP TTL: 64 TOS:0x0 ID:96 DF
**S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470 TCP options =>MSS: 1460
04/27 20:09:01.666058 210.104.180.1:3299 > xxx.xxx.xxx.189:21 TCP TTL: 236 TOS:0x0 ID:34629
Last time, another example – SYN flood (cont.)
- Source address was spoofed: TTL difference
- 10 seconds elapsed between the time when xxx.xxx.xxx.189 sent SYN-ACK and the time RST was received.
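An added example, not part of the lecture: a small Python analyser that parses the Snort-style trace above and derives the indicators the slide draws from it, the half-open handshake with its retransmitted SYN-ACK, the TTL jump on the claimed source, and the SYN-ACK to RST delay. The flags line of the final RST packet is constructed, since the slide shows only that packet's header.

```python
import re
from collections import defaultdict
from datetime import datetime

# Trace from the slide; the last flags line is constructed (the slide shows only the RST header).
TRACE = """\
04/27 20:08:51.848175 210.104.180.1:3299 > xxx.xxx.xxx.189:21 TCP TTL: 45 TOS:0x0 ID:33389 DF
**S***** Seq: 0xF883F9 Ack: 0x0 Win: 0x7D78 TCP options =>MSS: 1460 SackOK TS: 34460833 0 NOP WS: 0
04/27 20:08:51.870167 xxx.xxx.xxx.189:21 > 210.104.180.1:3299 TCP TTL: 64 TOS:0x0 ID:95 DF
**S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470 TCP options =>MSS: 1460
04/27 20:08:54.480821 xxx.xxx.xxx.189:21 > 210.104.180.1:3299 TCP TTL: 64 TOS:0x0 ID:96 DF
**S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470 TCP options =>MSS: 1460
04/27 20:09:01.666058 210.104.180.1:3299 > xxx.xxx.xxx.189:21 TCP TTL: 236 TOS:0x0 ID:34629
*****R** Seq: 0xF883FA Ack: 0x0 Win: 0x0
"""
HDR = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d+) (\S+):(\d+) > (\S+):(\d+) TCP TTL: ?(\d+)")
FLG = re.compile(r"^([*A-Z12]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+")

def parse_trace(text):
    """Pair each header line with the flags line under it -> list of packet dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    pkts = []
    for hdr, flg in zip(lines[0::2], lines[1::2]):
        h, f = HDR.match(hdr), FLG.match(flg)
        if not (h and f):
            continue
        pkts.append({"t": datetime.strptime(h.group(1), "%m/%d %H:%M:%S.%f"),
                     "src": h.group(2), "dst": h.group(4), "ttl": int(h.group(6)),
                     "flags": f.group(1)})
    return pkts

def analyse(pkts):
    """Half-open handshake, SYN-ACK retransmits, per-source TTL spread, SYN-ACK -> RST delay."""
    ttls = defaultdict(set)
    synacks, rst, acked = [], None, False
    for p in pkts:
        ttls[p["src"]].add(p["ttl"])
        fl = p["flags"]
        if "S" in fl and "A" in fl:
            synacks.append(p["t"])             # server's SYN-ACK (first one or a retransmit)
        elif "R" in fl and rst is None:
            rst = p["t"]                       # the real owner of the address tears it down
        elif "A" in fl:
            acked = True                       # third step of the handshake actually arrived
    delay = (rst - synacks[0]).total_seconds() if rst and synacks else None
    return {"half_open": bool(synacks) and not acked,
            "synack_retransmits": max(len(synacks) - 1, 0),
            "spoof_suspect": [ip for ip, s in ttls.items() if len(s) > 1],
            "synack_to_rst_seconds": delay}
```

Two different TTLs from one address within ten seconds is the spoofing tell the slide points at: a single host does not change its hop count, but the flooder and the address's real owner do.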
TCP: TCP segment format
[Figure: TCP segment layout – Source Port, Destination Port; Sequence Number; Acknowledgement Number; Header Length, Reserved, flags URG ACK PSH RST SYN FIN, Window Size; Checksum, Urgent Pointer; Options, Padding; Data. Bit positions marked: 0, 4, 10, 16, 24, 31.]
"
Source / Destination Ports (16b unsinged int):
–
the source and sink port numbers of transport user
"
Sequence (Acknowledgement) Numbers (32b unsigned
int):
–
number of first byte sent (expected from other side) in the
segment to other side
–
Initial Sequence Number (ISN) by sender (ISN + 1) (SYN)
»
ISN is (must) be chosen at random.
–
Acknowledgement Number is byte expected next (ACK)
"
Header Length: in 32b words
"
Reserved (0)
TCP: TCP segment format (cont.)
"
Flags:
–
URG:
urgent pointer
is valid
–
ACK: Acknowledgement number is valid
–
PSH: deliver data received by receiving TCP immediately
–
RST: Receving TCP must abort connection
–
SYN: Connection Request with ISN = SN;
–
FIN: Sender has no more data to send to receiving TCP;
»
shutdown(sd, 1) /* C */;
"
(“Advertised”) Window Size: amount of data receiver is
willing to accept.
–
Credit of data
"
Urgent Pointer (if URG flag is set)
–
points to last byte of “urgent” data;
IP Datagram Format
[Figure: IPv4 datagram layout (32-bit rows) – IP protocol version number; header length (words); type of service; total datagram length (bytes); 16-bit identifier; flags; fragment offset (fragmentation / reassembly, minimum fragment size = 576); time to live (max number of remaining hops, decremented at each router); upper-layer protocol to deliver payload to (ICMP=1, TCP=6, UDP=17, OSPF=89, etc.); Internet checksum; 32-bit source IP address; 32-bit destination IP address; options, if any (timestamp, record route taken, specify list of routers to visit, etc.); data (variable length, typically a TCP or UDP segment).]
- IP version [0.0..3]:
  - 4 = current, 6 = next generation IP “IPng” or IPv6, 5 = ST2 (a Real-Time stream protocol)
"
Header Length [0.4..7] – in 32bit words
"
Type of Service [0.8..15] – (preferences 4b, priorities 3b):
–
min delay, min $cost, max throughput, max reliability;
–
most routers ignore ToS; OSPF can use it;
–
DiffServ uses it as
»
differentiated Service (DS) Field (6 bits)
»
other two bits used by ECN (Early Congestion Notification).
"
Total Length [0.16..31] – in bytes
≤
2
16"
Id, Flags, Offset [1.0..31] – used in fragmentation
"
Time To Live (TTL) [2.0..7] – maximum number of hops DG can be
forwarded.
Small Footprint DoS
- With this attack, one packet can kill certain processes that listen promiscuously on a network and make network monitoring ineffective.
- Example: By crafting a packet with an IP version of 0 and a header length of 0, the attack can crash certain versions of TCPdump.
- Anyone can see this packet should not exist. Packet irregularities: IP version 0, IP header length 0, protocol field 4 (IP in IP encapsulation)
- How it works? Upon receiving an IP packet with protocol 4 and ihl=0, TCPdump enters an infinite loop within ip_print() from file print_ip.c.
- See trace on transparency.
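As an added example (not from the slides, and not tcpdump's own code), the following Python decodes the IPv4 and TCP header fields described on the preceding slides and lists the irregularities a monitor should reject before it dispatches on the protocol field; the two datagrams it checks are constructed, one sane SYN and one with version 0, ihl 0 and protocol 4.

```python
import struct

IP_IN_IP, TCP = 4, 6
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bits 0..5 of TCP header byte 13

def parse_ip_header(pkt):
    """Decode the fixed 20-byte IPv4 header without trusting its own length fields."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "total_length": total_len,
            "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def ip_irregularities(hdr):
    """Reasons the datagram 'should not exist'; an empty list means it looks sane."""
    problems = []
    if hdr["version"] != 4:
        problems.append("version %d" % hdr["version"])
    if hdr["ihl"] < 5:
        problems.append("header length %d words (minimum is 5)" % hdr["ihl"])
    if hdr["protocol"] == IP_IN_IP and hdr["ihl"] == 0:
        problems.append("protocol 4 with ihl 0: the tcpdump ip_print() loop trigger")
    if hdr["total_length"] < max(hdr["ihl"], 5) * 4:
        problems.append("total length shorter than the header")
    return problems

def tcp_flags(pkt, ihl):
    """Names of the flags set in the TCP header that follows an IP header of ihl words."""
    off = max(ihl, 5) * 4          # never index with ihl=0, which is what trapped tcpdump
    if len(pkt) < off + 14:
        raise ValueError("truncated TCP header")
    bits = pkt[off + 13]
    return [n for i, n in enumerate(FLAG_NAMES) if bits & (1 << i)]

def build_ip(version, ihl, proto, payload=b"", ttl=64):
    """Constructed test datagram (checksum left 0; this is for parsing only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, 20 + len(payload), 1,
                      0x4000, ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# A 20-byte TCP SYN segment, ports 3299 -> 21, flags byte 0x02 (SYN), as in the trace.
SYN_SEGMENT = struct.pack("!HHIIBBHHH", 3299, 21, 0xF883F9, 0, 5 << 4, 0x02, 0x7D78, 0, 0)
GOOD = build_ip(4, 5, TCP, SYN_SEGMENT)
BAD = build_ip(0, 0, IP_IN_IP)   # version 0, ihl 0, protocol 4: the Small Footprint packet
```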
Telnet DoS attack
- No need to kill to harm
- No shutdown of the network, no complete denial of service to a particular machine or port.
- Just want to make things a little slower. (Time-sensitive data transmission)
- By sending many, many Control-D (0x04) characters, the target machine cannot cleanly close the connection with a FIN packet and is forced to resort to sending an RST packet.
- This attack may come from a malicious attacker or a careless user who happens to sit at the keyboard in the wrong place at the wrong time.
- Attack against old SunOS and Solaris
- How it works?
  - Set up a connection to telnet (23/TCP) on the victim machine and negotiate telnet options, and then send a continual stream of ^D characters.
Summary of Resource Starvation DoS attacks
- Causing RS DoS attacks is not that hard. It could happen for completely legitimate reasons.
- Ask the guy streaming audio from your file server to stop for a while and see how much better your system performs.
- Several points:
  - Source addresses in most DoS attacks are spoofed.
  - Look for packets that are unusual.
- So far, all these DoS attacks have had just one target. Next, we come to a new class of DoS attacks that affect an entire network – target bandwidth utilization.
DoS attacks – Bandwidth Consumption
- To consume bandwidth so that no legitimate data can be processed, much bogus data needs to be generated to flood the network
  - Impossible to generate a tremendous number of packets from the attacker’s workstation
  - Amplification method: one packet generates many responses. (DDoS)
- Exception: Normal traffic may have the same effect and cause a huge problem. (9/11, CNN website)
  - This is called the slashdot effect.
Internet Control Message Protocol (ICMP)
- ICMP [RFC 792] is a “sibling” protocol of IP and it is used by hosts, routers, gateways to communicate network-level information among each other.
- ICMP is a Request / Reply protocol.
- Services:
  - ECHO Request / Reply (ping)
  - Timestamp Request / Reply (ping)
  - Redirect (from router to source host)
  - Destination unreachable (protocol, port, or host)
  - TTL exceeded (stop datagram endless “cycling”)
  - Checksum failed
  - Reassembly failed
  - Cannot fragment
ICMP (cont.)
- ICMP is used by hosts, routers, gateways to communicate network-level information
  - error reporting: unreachable host, network, port, protocol
  - echo request/reply (used by ping)
- network-layer “above” IP:
  - ICMP msgs carried in IP datagrams
- ICMP message: type, code plus first 8 bytes of IP datagram causing error
- ping, traceroute

Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest. host unreachable
3     2     dest. protocol unreachable
3     3     dest. port unreachable
3     6     dest. network unknown
3     7     dest. host unknown
4     0     source quench (congestion control - not used)
5     x     redirects
Smurf Attacks
- Smurf uses the broadcast IP to amplify one packet into many.
- Sending a stream of ICMP echo request packets from spoofed IP addresses to an open network broadcast address. All the hosts on the destination subnet will send ICMP echo replies to the spoofed source address.
- A few hundred packets can generate thousands of packets that can deny service to targeted networks.
- See trace in transparency.
Echo-Chargen Looping Attacks
- UDP port 7: echo port. It echoes the received packet back to the source.
- UDP port 19: character generator. Upon receiving a packet, it replies with a random string of characters.
- If an attacker finds these ports available, one spoofed packet can generate many thousands of additional packets.
- The chargen port generates characters to the echo port, which echoes them back to the chargen port, which generates characters to the echo port, and so on.
- Consume CPU cycles and network bandwidth
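Added example, not part of the lecture: a Python classifier over constructed packet records for the two amplification signatures just described, Smurf (ICMP echo request aimed at a directed-broadcast address) and echo/chargen loops (UDP with both ports in {7, 19}), counting hits per claimed source since that is the address that will receive the replies. The defended subnet 192.168.1.0/24 is an assumption.

```python
import ipaddress
from collections import Counter

ECHO, CHARGEN = 7, 19          # UDP small services that answer anything they receive
ICMP_ECHO_REQUEST = 8
# Subnet we defend (assumed); its directed-broadcast address is the Smurf amplifier.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

def is_directed_broadcast(dst):
    a = ipaddress.ip_address(dst)
    return any(a == n.broadcast_address for n in LOCAL_NETS)

def classify(pkt):
    """Signature name for one packet record, or None if it matches nothing."""
    if (pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO_REQUEST
            and is_directed_broadcast(pkt["dst"])):
        return "smurf"
    # echo<->chargen (or echo<->echo, chargen<->chargen): a loop with no terminating side
    if pkt["proto"] == "udp" and {pkt["sport"], pkt["dport"]} <= {ECHO, CHARGEN}:
        return "echo-chargen"
    return None

def scan(pkts):
    """Hits per signature and per claimed source (the spoofed victim that gets the replies)."""
    hits, victims = Counter(), Counter()
    for p in pkts:
        sig = classify(p)
        if sig:
            hits[sig] += 1
            victims[p["src"]] += 1
    return hits, victims

def smurf_amplification(hits):
    """Upper bound on replies the echo requests can elicit: one per usable host address."""
    hosts = sum(n.num_addresses - 2 for n in LOCAL_NETS)
    return hits["smurf"] * hosts

# Constructed sample: three spoofed echo requests to the broadcast address, one
# echo -> chargen packet, and one ordinary DNS query that must not match.
SAMPLE = [
    {"proto": "icmp", "type": 8, "src": "10.9.9.9", "dst": "192.168.1.255"},
    {"proto": "icmp", "type": 8, "src": "10.9.9.9", "dst": "192.168.1.255"},
    {"proto": "icmp", "type": 8, "src": "10.9.9.9", "dst": "192.168.1.255"},
    {"proto": "udp", "src": "192.168.1.3", "sport": 7, "dst": "192.168.1.4", "dport": 19},
    {"proto": "udp", "src": "192.168.1.3", "sport": 2018, "dst": "192.168.1.1", "dport": 53},
]
```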
Spoofed DNS queries - DoomDNS
- UDP does not perform authentication of the packet received.
- DoomDNS sends odd queries to BIND servers that can elicit many responses from the server. When successful, 20-30 of these packets can generate 400-500 responses.
- Consume CPU cycles and network bandwidth
- Use spoofed source IP address
Syslog:
Apr 21 18:23:14 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 18:23:56 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 18:45:14 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 19:10:11 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018