Attacks & Hacker Tools: Before Talking About Defenses, Need To Look at Network From Attacker's Perspective

The document discusses reconnaissance techniques used by attackers. It describes using whois and DNS queries to gather information about a target domain or IP address, including the registrar, name servers, and contact information. Traceroute and ping sweeps are used to map out the target's network, while port scanning with tools like Nmap can identify open ports and services on hosts. The goal is to gain as much intelligence as possible about the target before launching further attacks.


Attacks & Hacker Tools

Before talking about defenses, we need to look at the network from the attacker's perspective:
Reconnaissance
Network mapping
Port scanning
Sniffing
IP address spoofing
Session hijacking
DoS / DDoS

Polytechnic University

Reconnaissance
"Casing the joint"

Let's take a close look at:
Reconnaissance with whois
Reconnaissance with DNS

A few words about a registrar:
Organization where you register a domain name
Verifies uniqueness of the name
Enters the domain name into various databases: whois & DNS

List of registrars from internic.net:


Whois databases
Input: domain name or company name
Output: registrar, whois server, DNS server

Some useful whois sites:
www.internic.net: for com, net and org top-level domains
www.allwhois.com: for country-code top-level domains, e.g., jp, fr

Two steps:
First find the target's registrar
Then whois the target at the registrar

Internic whois: target kazaa
(Screenshot not reproduced.)

Whois: next step
Do whois at the registrar, e.g., register.com
Input: domain name, IP address, net administrator name
Output:
Names of people (administrator, billing contact)
Telephone numbers
E-mail addresses
Name servers and IP addresses

Whois at kazaa's registrar
(Screenshot not reproduced.)

Reconnaissance: IP ranges
ARIN: American Registry for Internet Numbers
Maintains a whois database that includes IP address ranges in the US
RIPE: Europe
APNIC: Asia

Query at ARIN
(Screenshot not reproduced.)

Why whois databases need to be publicly available
If you're under attack, you can analyze the source addresses of the packets.
You can use the whois database to obtain info about the domain the attack is coming from.
You can inform the admin that their systems are the source of an attack.

Reconnaissance: DNS database
Let's quickly review DNS:
Distributed database implemented in a hierarchy of many DNS servers
Authoritative name server: for a given domain (e.g., poly.edu), provides server name to IP address mappings for the servers (Web, email, ftp, etc.) in the domain
Primary and secondary name server for reliability

(Figure 2.18: Portion of the hierarchy of DNS servers. Root DNS servers at the top; below them the com, org and edu DNS servers; below those the yahoo.com, amazon.com, pbs.org, poly.edu and umass.edu DNS servers.)

DNS: queries
(Figure: the requesting host cis.poly.edu queries its local DNS server dns.poly.edu, which in turn contacts a root DNS server, a TLD DNS server and the authoritative DNS server dns.cs.umass.edu to resolve gaia.cs.umass.edu.)

DNS records
DNS: distributed db storing resource records (RR)
RR format: (name, value, type, ttl)
Type=A: name is hostname, value is IP address
Type=NS: name is domain (e.g. foo.com), value is IP address of authoritative name server for this domain
Type=MX: value is name of mailserver associated with name

DNS protocol, messages
Query and reply messages sent over UDP on port 53
Name, type fields for a query
RRs in response to query
Records for authoritative servers
Additional "helpful" info that may be used

DNS: caching and updating records
Once (any) DNS server learns a mapping, it caches the mapping
Cache entries time out (disappear) after some time

Interrogating DNS servers
Attacker first gets the primary or secondary authoritative server for the target organization using whois.
Attacker can then query the DNS by sending DNS query messages.
Tools (often available on Unix and Windows machines; also available at web sites): nslookup, host, dig

nslookup
Available in most Unix & Windows machines
Get dialpad DNS server IP address from whois
set type=any: get all

Reconnaissance summary
Obtaining information from public databases:
whois databases. Tool: web sites
DNS database. Tool: nslookup

Defense
Keep to a minimum what you put in the public database: only what is necessary


Network mapping
Goal: Learn about a remote network
(Figure: an attacker on the Internet probing a remote internal network with hosts 121.27.2.1, 121.27.2.4 and 121.27.2.16; firewalls may sit between the Internet and the internal network.)

Network mapping
Attacker uses ping sweeps to determine live hosts
Attacker uses port scans to determine live services
Attacker often uses traceroute to determine the path to each host discovered during the ping sweep
Overlay results from traceroute to create an approximate network diagram

Traceroute
traceroute: gaia.cs.umass.edu to www.eurecom.fr
Three delay measurements from gaia.cs.umass.edu to cs-gw.cs.umass.edu
 1 cs-gw (128.119.240.254) 1 ms 1 ms 2 ms
 2 border1-rt-fa5-1-0.gw.umass.edu (128.119.3.145) 1 ms 1 ms 2 ms
 3 cht-vbns.gw.umass.edu (128.119.3.130) 6 ms 5 ms 5 ms
 4 jn1-at1-0-0-19.wor.vbns.net (204.147.132.129) 16 ms 11 ms 13 ms
 5 jn1-so7-0-0-0.wae.vbns.net (204.147.136.136) 21 ms 18 ms 18 ms
 6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
 7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
   (trans-oceanic link between hops 7 and 8)
 8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
 9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
10 de.fr1.fr.geant.net (62.40.96.50) 113 ms 121 ms 114 ms
11 renater-gw.fr1.fr.geant.net (62.40.103.54) 112 ms 114 ms 112 ms
12 nio-n2.cssi.renater.fr (193.51.206.13) 111 ms 114 ms 116 ms
13 nice.cssi.renater.fr (195.220.98.102) 123 ms 125 ms 124 ms
14 r3t2-nice.cssi.renater.fr (195.220.98.110) 126 ms 126 ms 124 ms
15 eurecom-valbonne.r3t2.ft.net (193.48.50.54) 135 ms 128 ms 133 ms
16 194.214.211.25 (194.214.211.25) 126 ms 128 ms 126 ms
17 * * *
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms
* means no response (probe lost, router not replying)

Traceroute: How it works
Source sends UDP packets to target, each to an unlikely port
3 packets with the same TTL, then increments TTL
When a router decrements TTL to 0, it sends an ICMP packet back to the source: type 11, code 0, TTL expired
When the target receives the packet, it sends an ICMP packet back to the source: type 3, code 0, destination port unreachable

Ping sweep
Ping: recall ICMP messages are directly encapsulated in IP datagrams (protocol 1)
To ping a host: send ICMP Echo Request (ICMP type 8); host responds with ICMP Echo Reply (type 0)
So let's ping the entire IP address range
Use an automated tool for this: ping sweep
If a firewall blocks ping packets: try sweeping with TCP SYN packets to port 80, or try sending UDP packets to possible ports

Port scanning
Now that we have a map with some hosts, let's find out what ports are open on a target host
65,535 TCP ports; 65,535 UDP ports
Port scanning tools can scan: a list of ports, a range of ports, all possible TCP and UDP ports
Web server: TCP port 80; DNS server: UDP port 53; mail server: TCP port 25
Attacker may scan a limited set of ports, to avoid detection

Interlude: TCP segment structure
(Figure: TCP segment, 32 bits wide: source port #, dest port #, sequence number, acknowledgement number, header length, unused bits, flag bits U A P R S F, receive window, checksum, urgent data pointer, options (variable length), application data (variable length).)
ACK: ACK # valid
RST, SYN, FIN: connection establishment (setup, teardown commands)
Sequence numbers count bytes of data (not segments!)

Interlude: TCP seq. #s and ACKs
Seq. #s: byte stream number of the first byte in the segment's data
ACKs: seq # of the next byte expected from the other side
(Figure: simple telnet scenario. User at Host A types 'C'; Host B ACKs receipt of 'C' and echoes back 'C'; Host A ACKs receipt of the echoed 'C'. Time runs downward.)

Interlude: TCP connection establishment
Three-way handshake:
Step 1: client host sends TCP SYN segment to server: SYN=1, ACK=0; specifies initial seq #; no data
Step 2: server host receives SYN, replies with SYN-ACK segment: SYN=1, ACK=1; server host allocates buffers; specifies server initial seq. #
Step 3: client receives SYN-ACK, replies with ACK segment, which may contain data: SYN=0, ACK=1

TCP: Reset packet
If a machine receives a TCP packet it is not expecting, it responds with a TCP packet with the RST bit set.
For example, when no process is listening on the destination port
For UDP, the machine returns ICMP port unreachable instead

Nmap (1)
Extremely popular; usually run over Linux
Rich feature set, exploiting raw sockets; need root to use all features
Ping sweeping over any range of IP addresses with ICMP, SYN, ACK
OS determination
Port scanning over any range of ports; almost any type of TCP, UDP packet
Source IP address spoofing
Packet fragmentation
Timing options
Decoy scanning
Excellent reference: Nmap man page

Nmap (2)
Input:
nmap [Scan Type] [Options] <target hosts>
Default for port scanning: ports 1-1024 plus ports listed in the nmap service file
Output:
open ports: SYN/ACK returned; port is open
unfiltered ports: RST returned; port is closed but not blocked by firewall
filtered ports: nothing returned; port is blocked by firewall

Nmap (3): ping sweep
nmap -sP -v 116.27.38/24
Sends ICMP echo request (ping) to 256 addresses
Can change options so that it pings with SYNs, ACKs
-sP = ping
-v = verbose

Nmap (4): polite port scan
nmap -sT -v target.com
Attempts to complete the 3-way handshake with each target port
Sends SYN, waits for SYNACK, sends ACK, then sends FIN to close the connection
If the target port is closed, no SYNACK is returned; instead an RST packet is typically returned
Target (e.g. Web server) may log completed connections: gives away the attacker's IP address
TCP connect scans are easy to detect

Nmap (5): TCP SYN port scan
nmap -sS -v target.com
Stealthier than the polite scan
Send SYN, receive SYNACK, send RST
Send RST segment to avoid an accidental DoS attack
Stealthier: hosts do not record the connection
But routers with logging enabled will record the SYN packet
Faster: don't need to send FIN packet

Nmap (6): TCP ACK scans
Many filters (in firewalls and routers) only let internal systems/hosts initiate TCP connections
Drop packets for which ACK=0 (i.e., SYN packets): no sessions initiated externally
To learn what ports are open through the firewall, try an ACK scan (segments with ACK=1)
(Figure: attacker sends ACK segments to dest ports 2031 and 2032 through the firewall toward the internal network; an RST comes back only for port 2032, so the attacker learns that port 2032 is open through the firewall.)

Nmap (7): UDP port scans
UDP doesn't have SYN, ACK, RST packets
nmap simply sends a UDP packet to the target port
ICMP Port Unreachable: interpret port closed
Nothing comes back: interpret port open
False positives common

Nmap (8): Obscure source
Attacker can enter a list of decoy source IP addresses into Nmap
For each packet it sends, Nmap also sends packets from the decoy source IP addresses
For 4 decoy sources, send five packets
Attacker's actual address must appear in at least one packet, to get a result
If there are 30 decoys, the victim network will have to investigate 31 different sources!

Nmap (9): TCP stack fingerprinting
In addition to determining open ports, the attacker wants to know the OS on the targeted machine:
exploit the machine's known vulnerabilities
a sophisticated hacker may set up a lab environment similar to the target network
TCP implementations in different OSes respond differently to illegal combinations of TCP flag bits.

Nmap (10): Fingerprinting
Nmap sends:
SYN to open port
NULL to open port (no flag bits set)
SYN/FIN/URG/PSH to open port
SYN to closed port
ACK to closed port
FIN/PSH/URG to closed port
UDP to closed port
Nmap includes a database of OS fingerprints for hundreds of platforms

Nmap (11): examples
nmap -v target.com
Scans all TCP default ports on target.com; verbose mode
nmap -sS -O target.com/24
First pings addresses in the target network to find hosts that are up. Then scans default ports at these hosts; stealth mode (doesn't complete the connections); tries to determine the OS running on each scanned host
nmap -sX -p 22,53,110,143 198.116.*.1-127
Sends an Xmas tree scan to the first half of each of the 255 possible subnets in 198.116/16. Testing whether the systems run ssh, DNS, pop3, or imap
nmap -v -p 80 *.*.2.3-5
Finds all web servers on machines with IP addresses ending in .2.3, .2.4, or .2.5

Defenses against network mapping
Filter using firewalls and the packet-filtering capabilities of routers
Block incoming ICMP packets, except to the hosts that you want to be pingable
Filter Time Exceeded ICMP messages leaving your network
Close all unused ports
Scan your own systems to verify that unneeded ports are closed
Intrusion detection systems
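As an added example (not part of the slides), the intrusion-detection item above worked out over constructed firewall log lines: a source that sends echo requests to many distinct hosts is flagged as a ping sweep, and a source that probes many distinct ports on one host is flagged as a port scan. The log format and the thresholds are assumptions, and the detector ignores time windows, which a real one would add.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the slides). One event per line:
# "HH:MM:SS ACTION PROTO SRC -> DST INFO", where INFO is a port number for
# TCP/UDP and the ICMP message name for ICMP.
SAMPLE_LOG = """\
10:00:01 DROP ICMP 203.0.113.9 -> 192.0.2.1 echo-request
10:00:01 DROP ICMP 203.0.113.9 -> 192.0.2.2 echo-request
10:00:01 DROP ICMP 203.0.113.9 -> 192.0.2.3 echo-request
10:00:02 DROP ICMP 203.0.113.9 -> 192.0.2.4 echo-request
10:00:02 DROP ICMP 203.0.113.9 -> 192.0.2.5 echo-request
10:00:02 DROP ICMP 203.0.113.9 -> 192.0.2.6 echo-request
10:00:05 ACCEPT TCP 198.51.100.7 -> 192.0.2.10 80
10:00:05 DROP TCP 198.51.100.7 -> 192.0.2.10 22
10:00:05 DROP TCP 198.51.100.7 -> 192.0.2.10 23
10:00:06 DROP TCP 198.51.100.7 -> 192.0.2.10 25
10:00:06 DROP TCP 198.51.100.7 -> 192.0.2.10 53
10:00:06 DROP TCP 198.51.100.7 -> 192.0.2.10 110
10:00:06 DROP TCP 198.51.100.7 -> 192.0.2.10 143
10:00:07 DROP TCP 198.51.100.7 -> 192.0.2.10 443
10:00:09 ACCEPT TCP 192.0.2.50 -> 192.0.2.10 80
10:00:09 ACCEPT TCP 192.0.2.50 -> 192.0.2.10 443
10:00:10 ACCEPT ICMP 192.0.2.51 -> 192.0.2.1 echo-request
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<info>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_ping_sweep(events, min_hosts=5):
    """Sources that sent ICMP echo requests to at least min_hosts distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "ICMP" and e["info"] == "echo-request":
            targets[e["src"]].add(e["dst"])
    return {src for src, hosts in targets.items() if len(hosts) >= min_hosts}


def detect_port_scan(events, min_ports=5):
    """Sources that probed at least min_ports distinct TCP/UDP ports on a single host."""
    ports = defaultdict(set)
    for e in events:
        if e["proto"] in ("TCP", "UDP") and e["info"].isdigit():
            ports[(e["src"], e["dst"])].add(int(e["info"]))
    return {src for (src, _dst), ps in ports.items() if len(ps) >= min_ports}


def scan_report(text):
    """Run both detectors over a log and return the flagged sources."""
    events = parse_log(text)
    return {"ping_sweep": sorted(detect_ping_sweep(events)),
            "port_scan": sorted(detect_port_scan(events))}


if __name__ == "__main__":
    print(scan_report(SAMPLE_LOG))
```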


Review of interconnection devices
Hubs
Switches
Routers

Hubs
Hubs are essentially physical-layer repeaters:
bits coming from one link go out all other links at the same rate
no frame buffering
no CSMA/CD at hub: adapters detect collisions
provides net management functionality
(Figure: a hub with twisted-pair links.)

Sniffing
Attacker is inside the firewall
Requirements:
Attacker's host connected to a shared medium
NIC should be in promiscuous mode: processes all frames that come to the NIC
Grab and file away: userids and passwords, credit card numbers, secret e-mail conversations
Sniffer has two components: capture, packet analysis
Island hopping attack: take over a single machine (e.g., with a virus); install a sniffer, observe passwords, take over more machines, install sniffers

Passive sniffing
Easy to sniff: 802.11 traffic; Ethernet traffic passing through a hub; cable modem traffic
Any packet sent to a hub is broadcast to all interfaces. Not true for a switch
Popular sniffers: Wireshark (saw this in CS 684); tcpdump (for Unix); Snort (sniffing and intrusion detection)

Active sniffing through a switch
How does the attacker sniff packets sent to/from the victim?
(Figure: attacker and victim attached to the same switch.)
Have to get the victim's packets to the attacker!

Sniffing through a switch: flooding switch memory approach
Host sends a flood of frames with random source MAC addresses
Switch's forwarding table gets filled with bogus MAC addresses
When a good packet arrives, its dest MAC address is not in switch memory
Switch broadcasts real packets to all links
Sniff all the broadcast packets

Defenses
Tie MAC addresses to switch ports
Available on high-end switches
Sophisticated configuration
Give priority to existing mappings
Only replace them when the timeout expires

Sniffing through LAN: poison victim's ARP table approach
Idea: have the client's traffic diverted to the attacker
(0) Attacker sniffs all frames that arrive. Configured so that IP packets arriving from the victim are forwarded to the default router
(1) Send fake ARP response, mapping the router's IP address to the attacker's MAC address
(2) Victim sends traffic destined to the outside world. Poisoned ARP table causes traffic to be sent to the attacker
(3) Packets are forwarded from the attacker's host to the default router
(Figure: victim, attacker and the LAN's default router attached to a switch; the default router connects to the outside world.)

Powerful sniffing tools
Dsniff and ettercap:
Flooding switch memory
ARP poisoning
Poisoning DNS

Sniffing defenses
Encrypt data: IPsec, SSL, PGP, SSH
Get rid of hubs: complete migration to a switched network
Use encryption for wireless and cable channels
Configure switches with MAC addresses
Turn off self-learning: eliminates the flooding problem
Intrusion detection systems: look out for large numbers of ARP replies
Honeypot: create a fake account and send its password over the network; identify the attacker when it uses the password
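An added example (not from the slides) of the switch-side defenses listed above, run over constructed frame records as a monitoring port or switch would see them: it flags a port whose frames carry far more distinct source MACs than a host should have (switch-memory flooding), an IP address claimed by two different MACs in ARP replies (ARP poisoning), and frames that violate a static MAC-to-port binding. Port names, MAC addresses, the 10.0.0.0/24 addresses and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed frame records (not from the slides): (switch_port, src_mac, kind, arp_ip)
# kind is "data" for an ordinary frame or "arp-reply" for an ARP reply claiming arp_ip.
FRAMES = [
    ("Gi1/1", "00:11:22:33:44:01", "data", None),
    ("Gi1/1", "00:11:22:33:44:01", "arp-reply", "10.0.0.1"),   # the real default router
    ("Gi1/2", "00:11:22:33:44:02", "data", None),
    ("Gi1/3", "00:11:22:33:44:03", "data", None),
    ("Gi1/3", "00:11:22:33:44:03", "arp-reply", "10.0.0.3"),
    ("Gi1/7", "00:11:22:33:44:77", "data", None),
    ("Gi1/7", "00:11:22:33:44:77", "arp-reply", "10.0.0.1"),   # claims the router's IP
]
# Port Gi1/7 then emits frames with random-looking source MACs (switch table flooding).
FRAMES += [("Gi1/7", "de:ad:be:ef:00:%02x" % i, "data", None) for i in range(40)]

# Static bindings for the "tie MAC addresses to switch ports" defense (constructed).
ALLOWED = {
    "Gi1/1": {"00:11:22:33:44:01"},
    "Gi1/2": {"00:11:22:33:44:02"},
    "Gi1/3": {"00:11:22:33:44:03"},
    "Gi1/7": {"00:11:22:33:44:77"},
}


def mac_flood_ports(frames, max_macs=8):
    """Ports whose frames carry more than max_macs distinct source MACs -> count."""
    seen = defaultdict(set)
    for port, mac, _kind, _ip in frames:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > max_macs}


def arp_ip_conflicts(frames):
    """IP addresses claimed by more than one MAC in ARP replies -> sorted MAC list."""
    claims = defaultdict(set)
    for _port, mac, kind, ip in frames:
        if kind == "arp-reply":
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def port_security_violations(frames, allowed):
    """Number of frames per port whose source MAC is not bound to that port."""
    bad = defaultdict(int)
    for port, mac, _kind, _ip in frames:
        if mac not in allowed.get(port, set()):
            bad[port] += 1
    return dict(bad)


if __name__ == "__main__":
    print("flooding ports:", mac_flood_ports(FRAMES))
    print("ARP conflicts:", arp_ip_conflicts(FRAMES))
    print("port-security violations:", port_security_violations(FRAMES, ALLOWED))
```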


IP address spoofing (1)
(Figure: the attacker at 145.13.145.67 sends a packet with source address SA 36.220.9.59 and destination address DA 212.68.212.7 to the host 212.68.212.7.)
Attacker doesn't want actions traced back
Simply re-configure the IP address in Windows or Unix
Or enter the spoofed address in an application, e.g., decoy packets with Nmap

IP address spoofing (2)
(Figure: the attacker at 145.13.145.67 sends a packet with SA 36.220.9.59, DA 212.68.212.7 to the victim 212.68.212.7; the victim's reply, SA 212.68.212.7, DA 36.220.9.59, goes to the host 36.220.9.59, not to the attacker.)
But the attacker cannot interact with the victim. Unless the attacker is on the path between the victim and the spoofed address.

IP spoofing with TCP?
Can an attacker make a TCP connection to a server with a spoofed IP address?
Not easy: the SYNACK and any subsequent packets are sent to the spoofed address.
If the attacker can guess the initial sequence number, it can attempt to send commands: send ACK with spoofed IP and correct seq #, say, one second after the SYN
But TCP uses random initial sequence numbers.

Defense: Ingress filtering: access ISP
(Figure: a privately administered network 222.22/16 attached to the Internet through its access ISP; a packet leaving that network with source address 127.32.1.1, which is not in 222.22/16, should be dropped by the access ISP's ingress filter.)

Ingress filtering: upstream ISP (1)
(Figure: two regional ISPs attached to a tier-1 ISP. The left regional ISP serves 12.12/24 and 34.34/24 and sends the BGP update "12.12/24, 34.34/24"; the right regional ISP serves 56.56/24 and 78.78/24 and sends the BGP update "56.56/24, 78.78/24".)

Ingress filtering: upstream ISP (2)
(Figure: the tier-1 ISP turns the BGP updates into ingress filters: on the link from the left regional ISP, "filter all but 12.12/24 and 34.34/24"; on the link from the right regional ISP, "filter all but 56.56/24 and 78.78/24".)

Ingress filtering: upstream ISP (3)
(Figure: a host behind the left regional ISP (12.12/24, 34.34/24) sends a packet with spoofed source 56.56.1.1; the tier-1 ISP's filter on that link, "all but 12.12/24 and 34.34/24", drops it.)

Ingress filtering: upstream ISP (4)
(Figure: a host in 12.12/24 sends a packet with spoofed source 34.34.1.1; since 34.34/24 is also behind the left regional ISP, the tier-1 filter "all but 12.12/24 and 34.34/24" passes it: the spoofed packet gets through!)

Ingress filtering: summary
Effectiveness depends on widespread deployment at access ISPs
Deployment in upstream ISPs helps, but does not eliminate IP spoofing
Filtering can impact router forwarding performance
Even if universally deployed at access ISPs, a hacker can still spoof another address in its own access network, e.g. 12.12/24
See RFC 2827, Network Ingress Filtering: Defeating DDoS


Session hijacking
Take control of one side of a TCP connection
Marriage of sniffing and spoofing
(Figure: Alice has a telnet session to Bob; the attacker sits on the path between them.)

Session hijacking: the details
Attacker is on a segment where traffic passes from Alice to Bob
Attacker sniffs packets: sees the TCP packets between Bob and Alice and their sequence numbers
Attacker jumps in, sending TCP packets to Bob with source IP address = Alice's IP address
Bob now obeys commands sent by the attacker, thinking they were sent by Alice
Principal defense: encryption. The attacker does not have the keys to encrypt and insert meaningful traffic

Session hijacking: limitation
(Figure: Bob receives segments from both the attacker and Alice. 1. Alice gets a weird ACK # for data she never sent; 2. to resync, Alice sends a segment with the correct seq #.)
Bob is getting segments from the attacker and Alice. Source IP address same, but seq #s different. Bob likely drops the connection.
Attacker's solution: send unsolicited ARP replies to Alice and Bob with non-existent MAC addresses, overwriting their IP-to-MAC ARP tables
Alice's segments will not reach Bob and vice versa
But the attacker continues to hear Bob's segments and communicates with Bob

Session hijacking tools
Hunt: http://lin.fsid.cvut.cz/~kra/index.html; provides ARP poisoning
Netcat: general purpose widget; very popular

Denial-of-Service
Prevent access by legitimate users or stop critical system processes
Vulnerability attack: send a few crafted messages to a target app that has a vulnerability. The malicious messages are called the exploit. Remotely stopping or crashing services
Connection flooding attack: overwhelming the connection queue with a SYN flood
Bandwidth flooding attack: overwhelming the communications link with packets. Strength in a flooding attack lies in volume rather than content

DoS and DDoS
DoS: source of attack is a small # of nodes; source IP typically spoofed
DDoS: from thousands of nodes; IP addresses often not spoofed
Good book: Internet Denial of Service by J. Mirkovic, D. Dittrich, P. Reiher, 2005

Interlude: IP datagram format
(Figure: IP datagram, 32 bits wide: ver, head. len, type of service, length; 16-bit identifier, flgs, fragment offset; time to live, upper layer, Internet checksum; 32-bit source IP address; 32-bit destination IP address; options (if any); data (variable length, typically a TCP or UDP segment).)
Annotations: head. len is the header length (bytes); type of service is the type of data; length is the total datagram length (bytes); identifier, flags and offset are used for fragmentation/reassembly; time to live is the max number of remaining hops (decremented at each router); upper layer is the protocol to deliver the payload to

IP fragmentation and reassembly
Example: 4000 byte datagram, MTU = 1500 bytes
One large datagram becomes several smaller datagrams
Original datagram: length=4000, ID=x, fragflag=0, offset=0
Fragment 1: length=1500, ID=x, fragflag=1, offset=0
Fragment 2: length=1500, ID=x, fragflag=1, offset=185
Fragment 3: length=1040, ID=x, fragflag=0, offset=370
1480 bytes in the data field of each full fragment; offset = 1480/8

DoS: examples of vulnerability attacks
Land: sends a spoofed packet with source and dest address/port the same
Ping of death: sends an oversized ping packet
Jolt2: sends a stream of fragments, none of which have offset of 0. Rebuilding consumes all processor capacity.
Teardrop, Newtear, Bonk, Syndrop: tools send overlapping segments, that is, fragment offsets incorrect.
Patches fix the problem, but malformed packet attacks continue to be discovered.
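An added example (not from the slides) tying the fragmentation slide to the malformed-fragment attacks above: fragment() reproduces the 4000-byte / MTU 1500 split (offsets 0, 185, 370), and validate() is the sanity check a reassembler or IDS applies to a fragment set before rebuilding it, reporting overlapping fragments (the Teardrop family), a stream with no offset-0 fragment (Jolt2) and a reassembled size beyond the 65,535-byte IP maximum (ping of death). The Fragment record and the problem strings are this example's own.

```python
from dataclasses import dataclass

HEADER = 20          # IPv4 header length without options
MAX_DATAGRAM = 65535 # largest IPv4 datagram, header included


@dataclass
class Fragment:
    ident: int    # identification field (x on the slide)
    length: int   # total length of this fragment's datagram, header included
    more: int     # MF flag: 1 if more fragments follow
    offset: int   # fragment offset in 8-byte units


def fragment(total_length, mtu, ident):
    """Split a datagram of total_length bytes (header included) for the given MTU."""
    payload = total_length - HEADER
    max_data = (mtu - HEADER) // 8 * 8   # data per fragment must be a multiple of 8
    frags, pos = [], 0
    while pos < payload:
        chunk = min(max_data, payload - pos)
        more = 1 if pos + chunk < payload else 0
        frags.append(Fragment(ident, chunk + HEADER, more, pos // 8))
        pos += chunk
    return frags


def validate(frags):
    """Return the list of problems found in a set of fragments of one datagram."""
    problems = []
    if not any(f.offset == 0 for f in frags):
        problems.append("no fragment with offset 0")
    # byte ranges [start, end) covered by each fragment's data, sorted by start
    spans = sorted((f.offset * 8, f.offset * 8 + f.length - HEADER) for f in frags)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"overlap: [{s1},{e1}) and [{s2},{e2})")
    end = max(e for _s, e in spans) if spans else 0
    if end + HEADER > MAX_DATAGRAM:
        problems.append(f"reassembled datagram would be {end + HEADER} bytes")
    return problems


if __name__ == "__main__":
    for f in fragment(4000, 1500, ident=7):
        print(f)
    # Constructed malformed sets, one per attack family named on the slide.
    print(validate([Fragment(1, 1500, 1, 0), Fragment(1, 1500, 1, 100)]))  # overlap
    print(validate([Fragment(1, 100, 1, 5), Fragment(1, 100, 1, 20)]))     # no first fragment
    print(validate([Fragment(1, 100, 0, 8190)]))                            # oversized
```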

Connection flooding: overwhelming the connection queue w/ SYN flood (1)
Recall the client sends a SYN packet with an initial seq. number when initiating a connection.
TCP on the server machine allocates memory on its connection queue, to track the status of the new half-open connection.
For each half-open connection, the server waits for the ACK segment, using a timeout that is often > 1 minute
Attack: send many SYN packets, filling the connection queue with half-open connections.
Can spoof source IP address!
When the connection queue is exhausted, no new connections can be initiated by legit users.
Need to know of an open port on the victim's machine: port scanning.

DoS: overwhelming the connection queue with SYN flood (2)
(Figure: amateur attack: the attacker spoofs the address of a live host, Alice; when the victim's SYN-ACK reaches Alice she replies with an RST segment, and the connection queue entry is freed up.)
Expert attack: use multiple source IP addresses, each from unresponsive addresses.

SYN flood defense: SYN cookies (1)
(Figure: Host A sends SYN with ISN_A; Host B replies SYN-ACK with ISN_B = cookie.)
When the SYN segment arrives, host B calculates a function (hash) based on: source and destination IP addresses and port numbers, and a secret number
Host B uses the resulting cookie for its initial seq # (ISN) in the SYNACK
Host B does not allocate anything to the half-open connection: does not remember A's ISN; does not remember the cookie

SYN flood defense: SYN cookies (2)
If the SYN is legitimate: Host A returns ACK; Host B computes the same function and verifies function = ACK # in the ACK segment; Host B creates a socket for the connection
Legit connection established without the need for half-open connections
If SYN-flood attack with spoofed IP address: no ACK comes back to B for the connection. No problem: B is not waiting for an ACK
What if Host A sends only an ACK (no SYN)? Will host B establish a connection?
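The two SYN-cookie slides as an added example (not from the slides): host B derives its ISN from a keyed hash of the 4-tuple and a secret, keeps no state, and creates a socket only when the ACK number of the third segment equals cookie + 1. The coarse time counter that bounds a cookie's lifetime is this example's addition, as is the use of HMAC-SHA256 truncated to 32 bits; the slide only says "function (hash)". The addresses and the handshake() simulation are constructed.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(16)  # host B's secret number (constructed; rotated periodically in practice)
MASK = 0xFFFFFFFF        # TCP sequence numbers are 32 bits


def current_counter():
    """Coarse time counter (64-second buckets) so that old cookies expire."""
    return int(time.time()) // 64


def syn_cookie(src_ip, src_port, dst_ip, dst_port, secret=SECRET, counter=None):
    """Host B's cookie: keyed hash of the 4-tuple, the secret and the time counter,
    truncated to 32 bits. B sends it as its ISN in the SYN-ACK and stores nothing."""
    if counter is None:
        counter = current_counter()
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def accept_ack(src_ip, src_port, dst_ip, dst_port, ack_num, secret=SECRET, counter=None):
    """Verify the third handshake segment: its ACK number must equal cookie + 1 for
    the current or the previous counter value. Only then does B create a socket.
    An ACK that arrives without a prior SYN carries no valid cookie and fails here."""
    if counter is None:
        counter = current_counter()
    for c in (counter, counter - 1):
        expected = (syn_cookie(src_ip, src_port, dst_ip, dst_port, secret, c) + 1) & MASK
        if expected == ack_num:
            return True
    return False


def handshake(client, server, secret, counter, spoofed=False):
    """Simulate the three segments; returns True if B ends up with a socket.
    client and server are (ip, port) tuples. With a spoofed client address the
    SYN-ACK goes elsewhere, so no ACK arrives, and B has nothing to time out."""
    src_ip, src_port = client
    dst_ip, dst_port = server
    isn_b = syn_cookie(src_ip, src_port, dst_ip, dst_port, secret, counter)  # SYN-ACK seq
    if spoofed:
        return False
    ack_num = (isn_b + 1) & MASK                                             # client's ACK
    return accept_ack(src_ip, src_port, dst_ip, dst_port, ack_num, secret, counter)


if __name__ == "__main__":
    k = b"constructed-secret"
    print("legit:", handshake(("10.0.0.5", 40000), ("10.0.0.1", 80), k, 1000))
    print("spoofed:", handshake(("10.0.0.5", 40000), ("10.0.0.1", 80), k, 1000, spoofed=True))
    print("bare ACK:", accept_ack("10.0.0.5", 40000, "10.0.0.1", 80, 123456, k, 1000))
```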

Overwhelming link bandwidth with packets
Attack traffic can be made similar to legitimate traffic, hindering detection.
Flow of traffic must consume the target's bandwidth resources.
Attacker needs to engage more than one machine => DDoS
May be easier to get the target to fill up its upstream bandwidth: async access
Example: attacking BitTorrent seeds

Distributed DoS: DDoS
(Figure: the attacker controls several bots across the Internet, which flood a victim.)
Attacker takes over many machines, called bots. Potential bots are machines with vulnerabilities.
Bot processes wait for a command from the attacker to flood a target

DDoS: Reflection attack
(Figure: the attacker sends requests to several DNS servers with source IP = victim's IP; each DNS server sends its reply to the victim.)

DDoS: Reflection attack
Spoof source IP address = victim's IP
Goal: generate lengthy or numerous replies for short requests: amplification
Without amplification: would it make sense?
January 2001 attack: requests for a large DNS record generated 60-90 Mbps of traffic
Reflection attack can also be done with Web and other services

DDoS defenses
Don't let your systems become bots: keep systems patched up; employ egress anti-spoof filtering on the external router.
Filter dangerous packets: signature and anomaly detection and filtering; for vulnerability attacks, intrusion prevention systems; upstream, hopefully
Over-provisioning of resources: abundant bandwidth; large pool of servers; the ISP needs abundant bandwidth too; multiple ISPs
Rate limiting: limit the # of packets sent from source to dest

DNS attacks
Reflector attack: already discussed. Leverage DNS for attacks on arbitrary targets
Denying DNS service: stop DNS root servers; stop top-level-domain servers (e.g. .com domain); stop local (default) name servers
Use fake DNS replies to redirect the user
Poisoning DNS: insert false resource records into various DNS caches. False records contain IP addresses operated by attackers

DDoS DNS attack
Oct 21, 2002: ping packets sent from bots to the 13 DNS root servers. Goal: bandwidth-flood the servers
Minimal impact:
During the attack, some networks filtered pings; the corresponding root servers remained up.
DNS caching
Rate limiting at upstream routers: filter pings when they arrive at an excessive rate
Root server attack is easy to defend: download the root server database to local (default) name servers. Not much data in the root server; changes infrequently
TLD servers are more volatile
Similar kind of attack in May 2004, Feb 2007

DNS attack: redirecting
(Figure: client and attacker on the same hub or WiFi network, together with the local DNS server.)
1. Client sends DNS query to its local DNS server; sniffed by the attacker
2. Attacker responds with a bogus DNS reply
Issues:
Must spoof IP address: set to local DNS server (easy)
Must match reply ID with request ID (easy)
May need to stop the reply from the local DNS server (harder)

Poisoning DNS cache (1)
Poisoning: attempt to put bogus records into DNS name server caches
Bogus records could point to attacker nodes; attacker nodes could phish
But unsolicited replies are not accepted at a name server.
Name servers use IDs in DNS messages to match replies to queries
So can't just insert a record into a name server by sending a DNS reply message.
But can send a reply to a request.

Poisoning local DNS server (2)
(Figure: attacker in Australia at 17.32.8.9; local DNS server (e.g., Berkeley); authoritative DNS for poly.edu. 1. DNS query poly.edu=? from the attacker to the local DNS server; 2. iterative DNS queries from the local DNS server; 3. DNS reply poly.edu=17.32.8.9 from the attacker, spoofing the authoritative server.)
Goal: put a bogus IP address for poly.edu in the local Berkeley DNS server
1) Attacker queries the local DNS server
2) Local DNS makes iterative queries
3) Attacker waits for some time; sends a bogus reply, spoofing the authoritative server for poly.edu.

Poisoning local DNS server (3)
(Figure: a client sends 1. DNS query ftp.poly.edu=? to the poisoned local DNS server (e.g., Berkeley), which sends 2. DNS query ftp.poly.edu=? to the attacker in Australia at 17.32.8.9 instead of to the authoritative DNS for poly.edu.)
DNS response can provide the IP address of a malicious server!

DNS poisoning (4)
Issues:
Attacker needs to know the sequence number in the request message sent to the upstream server. Not easy!
Attacker may need to stop the upstream name server from responding, so that the server under attack doesn't get suspicious: ping of death, DoS, overflows, etc.
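The name server's ID check that the last four slides turn on, as an added example (not from the slides): a minimal resolver that builds real DNS wire-format queries and accepts a reply only if its transaction ID, question and source address match a query it actually sent, so a bogus reply with a guessed ID, a wrong source or a different question never reaches the cache. The addresses 192.0.2.53 (authoritative server), 203.0.113.7 (attacker host) and 192.0.2.80 (genuine answer) are constructed; 17.32.8.9 is the attacker address from the slides.

```python
import os
import struct


def encode_name(name):
    """Encode a hostname as DNS wire-format labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(msg, pos):
    """Read an uncompressed wire-format name; returns (name, position after it)."""
    labels = []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels), pos + 1


def build_query(txid, qname, qtype=1):
    """12-byte header (id, flags, qd/an/ns/ar counts) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_reply(txid, qname, ip, ttl=300):
    """A reply with the QR bit set, the question echoed and a single A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg):
    """Return (txid, flags, qname, qtype, ip), ip being the first A record or None."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    qname, pos = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    ip = None
    if ancount:
        _name, pos = read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ip = ".".join(str(b) for b in msg[pos:pos + 4])
    return txid, flags, qname, qtype, ip


class Resolver:
    """Caching resolver that accepts a reply only when it matches an outstanding
    query on transaction ID, question and the server the query was sent to."""

    def __init__(self):
        self.pending = {}   # (txid, qname, qtype) -> server address queried
        self.cache = {}     # qname -> IP address

    def send_query(self, server, qname, qtype=1, txid=None):
        """Record the outstanding query and return (txid, wire-format message)."""
        if txid is None:
            txid = int.from_bytes(os.urandom(2), "big")   # random 16-bit ID
        self.pending[(txid, qname.lower(), qtype)] = server
        return txid, build_query(txid, qname, qtype)

    def receive(self, src, msg):
        """Returns True if the reply was accepted into the cache, else False."""
        txid, flags, qname, qtype, ip = parse_message(msg)
        if not flags & 0x8000:                 # QR bit clear: not a response
            return False
        key = (txid, qname.lower(), qtype)
        if self.pending.get(key) != src:       # unknown ID/question, or wrong server
            return False
        del self.pending[key]
        if ip is not None:
            self.cache[qname.lower()] = ip
        return True


if __name__ == "__main__":
    r = Resolver()
    txid, _query = r.send_query("192.0.2.53", "poly.edu")
    print("guessed ID:", r.receive("192.0.2.53", build_reply((txid + 1) & 0xFFFF, "poly.edu", "17.32.8.9")))
    print("right ID:", r.receive("192.0.2.53", build_reply(txid, "poly.edu", "192.0.2.80")), r.cache)
```

Real resolvers also randomize the UDP source port of each query, which this simplified model omits; the transaction ID alone is only 16 bits.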

DNS attacks: summary
DNS is a critical component of the Internet infrastructure
But is surprisingly robust:
DDoS attacks against root servers have been largely unsuccessful
Poisoning and redirection attacks are difficult unless you can sniff DNS requests
And even so, may need to stop DNS servers from replying
DNS can be leveraged for reflection attacks against non-DNS nodes
