- כ (Overview of Internet Security Technology - DDoS Attacks) ( ) Abstract( ) OS, DoS (Distributed DoS: DDoS).

Transcription

1 FS-TR00-11 Oct. 20, 2000 (12 pages) Technical Report - כ (Overview of Internet Security Technology - DDoS Attacks) ( ) chlim@future.co.kr Abstract( ) OS, (Denial of Service: DoS). DoS DoS (Distributed DoS: DDoS). ( ) Cryptography & Network Security Center, Future Systems, Inc. (

2 - (Overview of Internet Security Technology - DDoS Attacks) ( ) OS, (Denial of Service: DoS). DoS DoS (Distributed DoS: DDoS). 1 / web server, mail server, DNS server Access Control. identifiable user anonymous user. Identifiable user. IPSEC VPN (Virtual private Network). VPN LAN-to-LAN Mobile users-to-lan, VPN Server Access Control Policy Management end-to-end security Identifiable user ( ). anonymous Internet user כ. Firewall (DMZ ) compromise כ. DMZ access כ VPN. DMZ כ כ. monitoring fix כ כ. Firewall filtering proxying, real-time Intrusion Detection System (IDS) traffic analysis (pattern recognition, anomaly detection ) כ כ. IDS Firewall 1

3 on-line auto configuration Firewall filtering rule update כ IDS IDS monitoring כ. profile IDS update. ISP (CERT, FIRST, SANS ) כ כ.. כ כ black hacker,. Denial of Service (DOS) attack distributed network Distributed DoS attack. כ, כ כ. DoS attack כ Distributed DoS attack. 2 כ DoS(Denial of Service) attack / [4]. TCP/IP trusted subnet internetworking protocol, OS. / ( buffer overflow [1], format string vulnerability [2] ) misconfiguration compromise DoS. TCP/IP network-based DoS attack. TCP/IP malformed packet, TCP/IP distributed DoS (DDoS) attack primitive כ. vulnerability, OS/application-dependent implementation-dependent כ ( SANS Ten Most Often Exploited Internet Security Flaws [3] ). Vulnerability DoS attack CERT( SANS( DoS attack Packet Storm ( כ. 2.1 TCP SYN Attack [6] TCP connection-oriented protocol 1 three way handshake connection :SYNpacket Server SYN ACK packet connection queue connection timeout ( 1 ) ACK packet. TCP SYN Flooding three way handshake Server DoS attack random IP address SYN packet Server. Server SYN ACK connection queue ACK. IP address timeout ACK, Server connection queue 2

4 SYN : Seq# = X, Ack# = 0 Client SYN ACK : Seq# = Y, Ack# = X+1 Server ACK : Seq# = X+1, Ack# = Y+1 1: TCP Three Way Handshake Protocol half-open connection כ. IP spoofing random IP address private address valid host address source address. Private address IANA /8, /12, /16 כ. private address TCP SYN attack spoofed source address. source address valid host address SYN ACK packet כ 2. Firewall, FTP,. connection queue timeout. 2.2 Land Attack [8] / UDP Chargen-Echo DoS attack [5] Land attack source IP address/port target host destination IP address/port TCP SYN packet target host SYN packet loop SYN flood attack. Router firewall block. UDP flooding attack IP spoofing host chargen UDP service host echo UDP service (echo-echo, chargen-chargen ) UDPpacketstorm. Diagnostic port LAN כ router firewall block כ. Random Source Host UDP flooder pepsi exploit. 2.3 Ping of Death [7] / Teardrop Attack [8] IP packet network media MTU(Maximum Transmission Unit) fragment reassemble.tcp/ip IP packet fragmentation reassembly octet ICMP packet ( fragment offset packet size ) targethost fragmented packet reassemble packet size buffer overflow target host reboo hang (Ping of death, Jolt). Teardrop Attack IP packet fragmentation-reassembly,tcp/ip IP fragment offset field overlapping malformed packet reassemble. NewTear, Syndrop, Nestea, Bonk, Boink. 3

5 Bonk, Jolt, Land, Nestea, Newtear, Syndrop, Teardrop, Winnuke 8 exploit Targa Multi-platform DoS attack. Targ2 3 exploit, Targa3 כ IP (invalid fragmentation, protocol, packet size, header values, options, offsets, tcp segments, routing flags, and other unknown/unexpected packet values) exploit generator (DDoS TFN TFN2K Mixter כ IP stack vulnerability ). 2.4 Smurf/Fraggle - Directed broadcast ICMP/UDP flooding [9, 10] IP source-address spoofing DoS attack. ICMP/UDP flooding bandwidth, Smurf/Fraggle IP spoofing directed broadcasting packet packet amplification. Smurf Source IP address IP address ( source IP = target host s IP) ICMP echo request packet(ping) broadcast address (e.g., destination IP address = x.x ) network ICMP echo reply packet target host. broadcast network (smurf amplifier network) packet amplification. packet storm victim, broadcast network bounce site bandwidth ( 2 ). IP spoofing directed broadcast edge router firewall (4 ). ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply te et e pet at ct 2: Smurf Attack ICMP echo request UDP echo packet Fraggle attack. UDP echo broadcast network host bounce target host Smurf packet amplification. Smurf amplification 4

6 factor.udpecho ICMP echo כ Firewall. 3 כ DDoS(Distributed Denial of Service) attack DoS attack DDoS attack tool Internet Terrorism. sniffer network scanner vulnerable host compromise ( root privilege ), compromised host attacking tool (master/daemon programs, root kit [14] ) ( rcp ).. host (, ) meaningless packet stream (packet storm; packet flooding) down network bandwidth saturation כ. DDoS attack automated tool high bandwidth intermediate site (e.g., Internet 2 sites) distributed attacking network massive coordinated attack. target host Handler/Agent intermediate site. high bandwidth Agent ( 100 Agent Agent 1Mbps packet stream target host 100Mbps packet כ. target host network bandwidth packet storm כ ). Client Handler Handler Handler A A A A A A A A A A A Target A : Agent Control traffic Attack traffic 3: DDoS Attack 5

7 UNIX/NT zombie DDoS Windows PC., DSL/Cable modem high bandwidth home PC zombie. DDoS attack tool ( ) Trinoo, TFN, Stacheldraht, Shaft, TFN2K, Mstream attack network ( 3 ): Client (Attacker): DDoD command Handler/Agent remote control. Handler (or Master) nodes: compromised host Handler node Handler node Agent. Handler Agent, TFN2K Stacheldraht DDoS attack tool Attacker - Handler - Agent control message, Handler Agent IP spoofing. Agent (or Daemon) nodes: host Handler target host meaningless packet. Attacking tool ICMP, TCP SYN, UDP flood, Smurf target host.agent update. Target (Victim host) : packet storm. DDoS default port number. DDoS [12, 13]. 3.1 Trinoo - UDP Flooding [15, 16] Trinoo( Trin00) DDoS,UDPpacket / flooding. TFN2K Stacheldraht ( Handler Agent system admin control message clear text. IP spoofing ). Client Handler : TCP port Handler Agent : UDP port 27444/31335 Agent Target : UDP flood (with random UDP ports) 3.2 Tribe Flood Network (TFN) - ICMP, TCP, UDP Flooding [17, 16] TFN Mixter DDoS UDP flood TCPSYNflood,ICMPechorequest flood, ICMP directed broadcast (e.g., Smurf) DoS attack, Handler-Agent ICMP echo reply packet firewall detect block. Agent source IP address spoofing. Client Handler : command line execution (e.g., root shell bound to a TCP port, UDP-based client/server remote shells, SSH terminal sessions, or normal Telnet sessions, etc.). 6

8 Handler Agent : ICMP echo reply (commands in id field, argements in data payload) Agent Target : TCP SYN, UDP, ICMP/ping, Broadcast Ping (Smurf) packet floods Features: IP spoofing capability (randomized source addresses) 3.3 Stacheldraht - ICMP, TCP, UDP Flooding [18, 19] Stacheldraht /10 DDoS Trinoo TFN. source IP address spoofing, control message Agent remote update.handler Agent ICMP echo reply firewall router block.. Client Handler : TCP port or Handler Agent : TCP port 65000, ICMP echo reply Agent Target : TCP SYN, UDP, ICMP packet floods, Smurf Features: IP spoofing, control message encryption, and the ability to upgrade the program remotely. Show up: late September/early October Shaft - ICMP, TCP, UDP Flooding [20] Shaft DDoS Control communication Trinoo כ,, Agent Handler IP port, Agent control Password Ticket, Agent.. Client Handler : TCP port (telnet connection) Handler Agent : UDP port 18753/20433 Agent Target : UDP, TCP SYN, ICMP echo floods Features: the ability to dynamically change handler host and control ports, making it harder to detect; a ticket mechanism to keep track of its individual agents; statistics on packet generation rates of its individual agents. 3.5 TFN2K - ICMP, TCP, UDP Flooding, Smurf & Targa3 [21, 22] TFN2K TFN 2K xkawlrk qhek djfuqehfhr control message, Attacker Handler Agent. Handler-Agent command packet CAST-256 base-64 encoding, decoy packet. Handler-Agent Agent Target randomized TCP, UDP, ICMP packets. Client Handler : TCP port Handler Agent : TCP, UDP, ICMP (random TCP/UDP port numbers and source IP addresses) 7

9 Agent Target : TCP SYN, UDP, ICMP/ping, Broadcast Ping (Smurf) packet floods, Targa3. Features: IP spoofing, control message encryption, multiple types of control packets, and one way communication. 3.6 Mstream - Stream attack (TCP ACK flood) [23, 24] Mstream DDoS, Handler/Agent. Client Handler : TCP port 6723 (15104) Handler Agent : UDP port 7983/9325 (10498/6838) Agent Target : TCP ACK flood Features: very early stage of development; numerous bugs and limited control features. 6 DDoS, DDoS. IRC(Internet Relat Chat) DDoS Trinity v3 [25]. כ. Firewall IDS signature ( ) detection. Trinoo, TFN TFN2K, Stacheldraht DDoS attack tool כ כ. Firewall detect block UDP, ICMP IRC, communication channel embedded string כ, Handler Agent כ. programs/files/connections backdoor (Trojan horce) root kit כ כ. 4 DDoS Attack DDoS attack computer virus, כ ( ) כ כ כ. כ כ. ISP /, כ. firewall edge router filtering / כ, IDS host/network auditing tool monitoring Handler/Agent כ., 8

10 , Incident response handling team, ISP, CERT electronic forensic / כ (Results of the Distributed-Systems Intruder Tools Workshop [11] ). DoS attack כ IP spoofing directed broadcast, UDP diagnostic ports host router, firewall. firewall router filtering rule ( [30, 31, 32, 33] ). Verify unicast reverse-path [33]: router vendor ISP POP (Point of Presence) source IP address spoofing,. return path drop כ (reverse path filtering). Apply Ingress/ Egress filtering [27]: Router firewall local network outbound traffiic local network source address. local network inbound traffic source address local network address range block. Dial-up user RAS source address. router/ras IP spoofing כ. prefix range address spoofing כ. Filter all RFC 1918 private address space [26]: Source IP address spoofing private address reserved address Firewall /8 - Historical Broadcast /8 - RFC 1918 Private Network /8 - Loopback /16 - Link Local Networks /12 - RFC 1918 Private Network /24 - TEST-NET /16 - RFC 1918 Private Network /4 - Class D Multicast /5 - Class E Reserved /5 - Unallocated /32 - Broadcast Disable directed broadcast externally [28] : Smurf Fraggle directed broadcast DoS edge router firewall inbound traffic destination address network-prefix-directed broadcast drop. RFC 2644 directed broadcast כ default disable. Disable UDP/TCP diagnostic ports externally : UDP chargen echo diagnostic port UDP flooding, external host firewall block כ. Traffic shaping (rate limit of certain traffic) : (e.g., CISCO router Committed Access Rate (CAR)). DoS attack rate limit 9

11 (e.g., ICMP echo packets, TCP SYN packets). DoS attack traffic rate כ. Disable unnecessary ICMP, TCP & UDP traffic : Firewall explictly permitted port list TCP/UDP service block. ICMP type 3 (destination unreachable) packet drop כ, כ unsolicited ICMP echo reply packet drop , attack network packet storm. DDoS כ, / PC wireless כ,. כ / / כ. כ. CPU כ DoS. SSL TLS HTTP request HTTPS request 10. IPSEC-IKE ( cookie mechanism ). / כ. [1] Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole, To appear at the DARPA Information Survivability Conference and Expo (DISCEX), available at projects/immunix/publications.html. [2] Format string attacks, Tim Newsham, September 2000, available at com/data/library/formatstring.pdf. [3] How To Eliminate The Ten Most Critical Internet Security Threats, The Experts Consensus, Version 1.27, September 8, 2000, available at [4] CERT(R) Coordination Center, Denial of Service Attacks, available at tech_tips/denial_of_service.html. [5] CERT(R) Advisory CA , UDP Port Denial-of-Service Attack, available at cert.org/advisories/ca html. [6] CERT(R) Advisory CA , TCP SYN Flooding and IP Spoofing Attacks, available at http: // 10

12 [7] CERT(R) Advisory CA , Denial-of-Service Attack via ping, available at org/advisories/ca html. [8] CERT(R) Advisory CA , IP Denial-of-Service Attacks, available at advisories/ca html. [9] CERT(R) Advisory CA , Smurf IP Denial-of-Service Attacks, available at cert.org/advisories/ca html. [10] The latest in denial of service attacks: Smurfing description and information to minimize effects, Craig A.Huegen, Feb.8, 2000, available at white-papers/smurf.cgi. [11] The CERT Coordination Center, Results of the Distributed-Systems Intruder Tools Workshop, December, 1999, available at [12] Distributed Denial of Service (DDoS) Attack Tools by David Dittrich, available at washington.edu/dittrich/misc/ddos/. [13] Distributed denial of service attack tools at Packet Storm Security, available at packetstorm.securify.com/distributed/. [14] David Dittrich, Root Kits and hiding files/directories/processes after a break-in, available at [15] David Dittrich, The DoS Project s trinoo distributed denial of service attack tool, available at [16] CERT(R) Incident Note IN-99-07, Distributed Denial of Service Tools, available at cert.org/incident_notes/in html#tfn. [17] David Dittrich, The Tribe Flood Network distributed denial of service attack tool, available at [18] David Dittrich, The stacheldraht distributed denial of service attack tool, available at http: //staff.washington.edu/dittrich/misc/stacheldraht.analysis. [19] CERT(R) Advisory CA , Denial-of-Service Developments, available at org/advisories/ca html. [20] Sven Dietrich, Neil Long, and David Dittrich, An analysis of the Shaft distributed denial of service tool, available at spock/shaft\_analysis.txt. [21] Jason Barlow and Woody Thrower, TFN2K - An Analysis, available at securify.com/distributed/tfn2k_analysis-1.3.txt. [22] CERT(R) Advisory CA , Denial-of-Service Tools, available at advisories/ca html. [23] David Dittrich, George Weaver, Sven Dietrich and Neil Long, The mstream distributed denial of service attack tool, May 1, 2000, available at mstream.analysis.txt. [24] CERT(R) Incident Note IN , mstream Distributed Denial of Service Tool, May 2, 2000, available at 11

13 [25] Trinity v3 Distributed Denial of Service tool, Internet Security Systems Security Alert, September 5, 2000, available at [26] RFC 1918: Address Allocation for Private Internets, Y.Rekhter, B.Moskowitz, D.Karrenberg, G.J.de Groot and E.Lear, February 1996, available at [27] RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (Obsoletes RFC 2267), P. Ferguson and D.Senie, January, 1998, available at [28] RFC 2644, Changing the Default for Directed Broadcasts in Routers, D.Senie, August 1999, available at [29] CERT(R) Security Improvement Modules, available at [30] Consensus Roadmap for Defeating Distributed Denial of Service Attacks, A Project of the Partnership for Critical Infrastructure Security, Version 1.10, February 23, 2000, available at [31] Help Defeat Denial of Service Attacks: Step-by-Step, Revision: 1.41, March 23, 2000, available at [32] Resisting the Effects of Distributed Denial of Service Attacks, Version 1.10, available at http: // [33] Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks, Cisco Systems, February 17, 2000, available at 12