
Distributed Denial Of Service Attack

DoS attacks are deadly by nature. Understand them to prevent them.
 

     
    So what is a DoS? It is not the Disk Operating System; it is Denial of Service. It is a kind of attack that makes the victim unable to serve anybody who wants to use its resources. The attacker does not break into the computer; he stops everybody else from using it. The simplest DoS attacks were carried out by a single attacking system against a single target, like this:

                                    Attacker -------------> Victim

    Why do hackers launch a Denial of Service or a Distributed Denial of Service attack?

    1)    Just for fun. (I mean it, it is just for fun.)

    2)    To show off to other members of the underground community how elite they are.

    3)    Sometimes for political reasons.

    4)    Just to disrupt services.

    5)    To take revenge. ("I didn't get the mail from my girlfriend because Yahoo thought it was junk and blocked it, so I am going to DoS it now." This is just an example, but such things do happen when you have the power and the knowledge.)

    6)    To warn. (This happens rarely. A hacker emails the authorities about some kind of vulnerability in their services and they don't react to the problem, which gets them into trouble.)

    7)    And many more reasons that make hackers launch denial of service attacks.

    But nowadays hackers have become smart: they don't want their butts burned by the feds. Also, a typical attacker is on dial-up or cable, which is simply not enough to flood a server sitting on a T1. Those two limitations led to DDoS, and it is the most successful attack on the Internet. The operating system does not matter here: Linux, Unix or Windows, every system on the Internet has a limit, and once its link or its CPUs are saturated, legitimate requests are denied along with the bogus ones. Two CPUs are just not enough to process millions of requests a second, so the server suffers. In a DDoS (Distributed Denial of Service) attack tens, hundreds or thousands of computers are coordinated to attack a single server.

                                                    Attacker

                                                        || 

        host1 host2 host3 host4 host5 host6 host7 host8 host9 host10
        host11 host12 host13 host14 host15 host16 host17 host18 host19 host20
        host21 host22 host23 host24 host25 host26 host27 host28 host29 host30
        host31 host32 host33 host34 host35 host36 host37 host38 host39 host40

                                                | | | | | | | | | |

                                                        || 

                                                Victim Server.

    All of these hosts, host1 to host40, are made to FLOOD the victim; now just think of what happens to the victim. To build such a network the attacker breaks into weakly secured servers and installs a backdoor together with a "slave" (agent) kit, which waits for orders. The attacker connects to a "master" (handler) and issues the command, and the master tells every slave to flood the given victim. DDoS tools are built client/server, much like the Trojans found on Windows computers: you plant a server on somebody else's system and control it with a client. That structure, thousands of compromised machines answering to one attacker, is why DDoS is a major weakness of the Internet today.

    The Internet consists of thousands and millions of local area networks that are interconnected and communicate with each other by means of the IP addresses assigned to them. When one computer sends a message to another, the data is split into pieces called "packets" (and, where a packet is too large for a link, further into fragments), which travel to the remote computer and are reassembled there into the original message. Every packet carries a source IP address and a destination IP address. Routers forward on the destination address only: they do not check whether the source address is genuine, so a sender can write any source address it likes into its packets. This is the weakness that source spoofing, and with it the smurf attack, relies on.

What is Smurf Attack ?

    The smurf attack is really simple and effective, and it uses ICMP (Internet Control Message Protocol). ICMP handles errors in network connectivity and carries control messages; the most common utility that uses it is ping. In a smurf attack a zombie (a computer on which the slave kit is installed) does not ping the victim directly: it sends echo requests, with the victim's address forged as the source, to the broadcast addresses of third-party networks, and the replies from every host on those networks clog the victim's bandwidth, which ultimately leads to denial of service.

    In-depth analysis of the smurf attack: smurf takes advantage of amplifiers. Now I know your question, what is an amplifier? When the attacker sends a single packet to an amplifier it responds with hundreds of packets, maybe more. Let me go into a bit of detail. Assume this is the IP range of a client of an ISP: 192.168.100.1 - 192.168.100.255. When you ping a single IP address like this:

                                        ping 192.168.100.50 

    this results in a single machine replying, so you get a single packet back. But what if you ping like this (192.168.100.255 is the directed broadcast address of that subnet)?

                                        ping 192.168.100.255 

    then you get many responses, because the router delivers that single packet to every host on the subnet and each of them replies. This is the amplification: one packet in, hundreds of packets out. The mechanism is called directed broadcast: a packet from outside the subnet addressed to the subnet's broadcast address is delivered to the whole subnet, and every system that honours it responds, generating a lot of traffic. Now back to smurfing. What our attacker does is spoof the source address of his echo requests to be the victim's address, so that all those machines reply to the victim. The victim never pinged them, but it is being flooded, because the attacker spoofed the source and the victim is paying for it. Now a simple calculation. An echo reply is the same size as the request that triggered it, so the amplification factor is the number of hosts that answer the broadcast, up to 254 on a /24 like the one above. A typical attacker on a 56 kbps dial-up line sending 56,000 bps at such a network gets roughly 254 x 56,000 = 14,000,000 bps aimed at the victim; that is more than the amplifier's 10 Mbps line can carry, so the victim receives the amplifier network's entire 10 Mbps. It becomes much worse when the attacker uses many amplifier networks (many broadcast addresses) at once. This is how a smurf attack can cause a hell of a lot of traffic.
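    To make the amplification arithmetic and the two views of the attack concrete, here is an added example (not code from the original article). It models the reflected bandwidth, and it flags the attack in packet records from both sides: on the amplifier network, echo requests addressed to the subnet broadcast; on the victim, unsolicited echo replies arriving from many hosts of one subnet. The packet records are constructed for the example; the amplifier network is the article's 192.168.100.0/24 and the victim 203.0.113.7 is a documentation address.

```python
"""Smurf reflection: model the amplification and spot the attack in packet records.

Added example, not code from the original article. The capture below is
constructed: 192.168.100.0/24 is the article's amplifier network and
203.0.113.7 (a documentation address) stands in for the victim.
"""
import ipaddress
from collections import Counter

AMPLIFIER_NET = ipaddress.ip_network("192.168.100.0/24")
VICTIM = "203.0.113.7"

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type numbers


def reflected_bps(attacker_bps, responding_hosts, amplifier_uplink_bps):
    """Bits per second that land on the victim.

    An echo reply carries the same payload as the request, so one spoofed
    request is answered by (responding_hosts) packets of the same size: the
    amplification factor is the number of hosts that honour the broadcast.
    The amplifier network cannot push more than its own uplink, which caps
    the flood.
    """
    return min(attacker_bps * responding_hosts, amplifier_uplink_bps)


def is_directed_broadcast(dst, networks):
    """True if dst is the broadcast address of one of the given subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in networks)


def find_smurf_requests(packets, networks):
    """Amplifier-side signature: echo requests addressed to a subnet broadcast.

    packets are (src, dst, proto, icmp_type) tuples. The 'source' of each
    hit is spoofed: it is the address actually under attack.
    """
    return [(src, dst) for src, dst, proto, icmp_type in packets
            if proto == "icmp" and icmp_type == ECHO_REQUEST
            and is_directed_broadcast(dst, networks)]


def reflecting_networks(packets, victim):
    """Victim-side view: echo replies we never asked for, grouped by /24.

    Many replies from many hosts of the same subnet, with no request from
    us, point at the amplifier network being abused against us.
    """
    counts = Counter()
    for src, dst, proto, icmp_type in packets:
        if proto == "icmp" and icmp_type == ECHO_REPLY and dst == victim:
            counts[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
    return counts


# Constructed capture: one spoofed request to the broadcast address, the
# replies it triggers, and an ordinary unicast ping that must not be flagged.
SAMPLE = [
    (VICTIM, "192.168.100.255", "icmp", ECHO_REQUEST),      # attacker, src spoofed
    ("192.168.100.10", VICTIM, "icmp", ECHO_REPLY),
    ("192.168.100.11", VICTIM, "icmp", ECHO_REPLY),
    ("192.168.100.12", VICTIM, "icmp", ECHO_REPLY),
    ("198.51.100.4", "192.168.100.50", "icmp", ECHO_REQUEST),   # normal ping
    ("192.168.100.50", "198.51.100.4", "icmp", ECHO_REPLY),
]

if __name__ == "__main__":
    # 56 kbps dial-up against a 254-host /24 behind a 10 Mbps line
    print("reflected:", reflected_bps(56_000, 254, 10_000_000), "bps")
    print("spoofed requests seen on amplifier:", find_smurf_requests(SAMPLE, [AMPLIFIER_NET]))
    print("networks reflecting at victim:", dict(reflecting_networks(SAMPLE, VICTIM)))
```

    The same two checks apply to a real capture once you extract source, destination and ICMP type from each packet; the amplifier-side check is the one your own network should be running, because a hit there means your hosts are being used against someone else.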

    The smurf attack was named after a tool called smurf. A variant known as fraggle does the same thing with UDP packets, bounced off the echo (port 7) and chargen (port 19) services instead of ICMP. For your information, even a single command line can do damage: from your Linux box, as root, type ping -f xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the IP of the machine). That is a flood ping, which sends echo requests as fast as the replies come back, and it is enough to choke a Windows 98 box on a slow link. There are lots of other scripts and tools available for download from http://www.cotse.com/dos and NewOrder.box.sk
    

    All of them perform some kind of DoS attack:

    1) Smurf
    2) Fraggle
    3) Pepsi
    4) TearDrop
    5) OverDrop
    6) Aggressor
    7) Boink
    8) Bonk
    9) CPUHog
    10) Die3Nt
    11) Icmp Flooder
    12) Linux-icmp
    13) misfrag
    14) New Tear
    15) Nuke Nabber
    16) Tribe Flood Network
    17) UDP Flood
    18) echok
    19) papasmurf
    20) SynFul
    21) Synk
    22) Pong
    23) Covin
    24) IPbomb
    25) Kkill
    26) Bloop
    27) Flushot
    28) puke
    29) Smack
    30) mbuf

    That should be enough for now; there are a lot more on those sites, check them out :)


    How do I know if I am vulnerable to a smurf attack (that is, usable as an amplifier)?

    1)    Visit http://www.powertech.no/smurf; it scans your broadcast addresses and tells you whether you are vulnerable.

    2)    Another very good site is http://www.netscan.org; it also scans your broadcast addresses and reports whether or not you are vulnerable.

    3)    Check whether your border routers filter packets with spoofed source addresses, both entering from your downstream networks (a source address that does not belong to that network) and leaving towards your upstream (a source address that is not yours). If they do not, your own users can launch spoofed attacks and nobody will be able to tell where they came from.


    Tracing spoofed packet streams.

    Tracing these kinds of attacks is much more difficult and needs a lot of communication. Logging packets at the routers can help, but it puts a heavy load on the router's CPU, and it is easy to overload the syslog daemon with high traffic. Because the source addresses are forged, it is in fact impossible for the victim to trace the attacker directly. It can be done hop by hop, with the help of the network admins along the path (and of the admins of the zombies' networks) if they agree: at each router you look at which interface the attack packets are arriving on, move to the next router upstream on that interface, and repeat until you reach the network the packets really originate from. Contacting that ISP might stop the attack, and further steps can then be taken against the attacker.


    There are many other types of attacks, such as TCP SYN flooding and UDP flooding. In TCP SYN flooding the attacker sends a stream of SYN packets with spoofed source addresses to a port the victim listens on, such as SMTP. For every SYN the victim allocates a half-open connection and sends a SYN/ACK to the spoofed address, which never answers, so thousands of half-open connections pile up in the listen queue, legitimate clients get refused, and system resources are eaten up until the system hangs or sometimes crashes. UDP flooding does the same thing by flooding the victim with UDP packets; it is often called a pepsi attack, after the exploit named pepsi that was used for UDP flooding.
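    The SYN flood signature is easy to check for in a trace: SYNs that the client side never follows with an ACK, from addresses that appear once and never again. The following is an added example, not code from the original article; the segment records are constructed inline, with tcpdump-style flags ("S" for a client SYN, "." for the client's ACK that completes the handshake) and the listen backlog size chosen for illustration.

```python
"""Spot a TCP SYN flood in a run of client-side segments.

Added example, not code from the article. Each record is
(client_ip, server_port, flags): "S" is the client's SYN, "." is the
client's final ACK of the three-way handshake. The segment list and the
backlog size are constructed for the example.
"""
from collections import defaultdict


def half_open_by_port(segments):
    """server_port -> client addresses that sent a SYN but never ACKed."""
    syn_from = defaultdict(set)
    acked_from = defaultdict(set)
    for src, port, flags in segments:
        if flags == "S":
            syn_from[port].add(src)
        elif flags == ".":
            acked_from[port].add(src)
    return {port: syn_from[port] - acked_from[port] for port in syn_from}


def syn_flood_alerts(segments, backlog=128):
    """Ports whose half-open connections would overflow the listen backlog.

    A spoofed flood shows up as many half-open entries, each from an address
    seen exactly once; a busy but honest service shows SYNs that complete.
    Returns {port: number_of_half_open_sources} for ports over the limit.
    """
    return {port: len(srcs)
            for port, srcs in half_open_by_port(segments).items()
            if len(srcs) > backlog}


# Constructed trace: one legitimate SMTP client that completes the handshake,
# one legitimate HTTP client, and 200 spoofed SYNs to port 25 with no ACKs.
SAMPLE = [
    ("198.51.100.4", 25, "S"), ("198.51.100.4", 25, "."),
    ("198.51.100.9", 80, "S"), ("198.51.100.9", 80, "."),
]
SAMPLE += [(f"10.{i >> 8}.{i & 255}.1", 25, "S") for i in range(200)]

if __name__ == "__main__":
    print("half-open per port:", {p: len(s) for p, s in half_open_by_port(SAMPLE).items()})
    print("SYN flood alerts:", syn_flood_alerts(SAMPLE))
```

    The threshold is the server's listen backlog: when more half-open entries than that are waiting, the kernel drops new SYNs, which is exactly the denial of service described above. SYN cookies (see the prevention section) let a server keep accepting connections without keeping that state.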

    What does a typical DoS attack do?

    1)    It tries to crash some service or daemon running on the system.
    2)    It tries to crash the entire system.
    3)    It tries to stop other systems from communicating with each other.
    4)    It tries to knock the system off the net, merely disconnecting it from the Internet.
    5)    It slows down the network connections with useless traffic pretending to be legitimate.
    6)    It may even hang the system, which then has to be manually rebooted.

    Preventing DoS attacks.

    1)    Filter the packets that pass through your network so that no packet with a spoofed source address gets in from your downstream networks or out towards your upstream.

    2)    Always keep an eye on the services running on the systems in your domain; one of them may be infected with a slave kit.

    3)    Solaris can be set not to respond to ICMP echo requests sent to a broadcast address. Add the
           following line to your /etc/rc2.d/S69inet startup:
           ndd -set /dev/ip ip_respond_to_echo_broadcast 0
           If you're using Solaris as a router, you can configure it not to
           forward directed broadcasts by placing the following line in
           your /etc/rc2.d/S69inet startup:
           ndd -set /dev/ip ip_forward_directed_broadcasts 0

    4)    IBM provides a setting in AIX 4.x to disable responses to broadcast
           addresses. It is not available in AIX 3.x. Use the "no" command to turn
           it off or on. NOTE: on AIX 4.x responses are DISABLED by default.
           no -o bcastping=0 # disable bcast ping responses (default)
 

    5)    Under NetBSD, directed broadcasts can be disabled with the sysctl
           command:
           sysctl -w net.inet.ip.directed-broadcast=0

    6)    Under Linux, old kernels offered the CONFIG_IP_IGNORE_ECHO_REQUESTS option to
           ignore ICMP echo requests completely. Of course, this violates RFC 1122.
           Current kernels expose just the broadcast case as a sysctl, so ordinary pings keep working:
           sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
           A packet filter can also be used to block broadcast echoes, as in the next item.

    7)    Any system with ipfwadm (the packet filter of old Linux kernels; iptables and nftables
           replaced it on current ones) can be protected by adding rules such as:
           ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
           ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8
           (replace 123.123.123.0 and 123.123.123.255 with your base network number
           and broadcast address, respectively; the trailing "0 8" are the ICMP types
           blocked, echo reply and echo request)

    8)    To protect a host against "fraggle" attacks on most UNIX machines,
           comment out the lines which begin with "echo" and "chargen" in
           /etc/inetd.conf and restart inetd; these small UDP services are what
           fraggle bounces its packets off.
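    On a Linux host most of the above (not answering broadcast pings, dropping obviously spoofed packets, surviving a SYN flood) comes down to a handful of sysctl knobs, and the check in item 3 of the "vulnerable?" section can be done locally too. The following is an added example, not code from the original article: an audit script that reads "sysctl -a" output and reports the weak settings together with the command that fixes each. The sample configuration is constructed; the bc_forwarding knob exists only on newer kernels, and its absence is treated as fine because older kernels never forward directed broadcasts.

```python
"""Audit Linux sysctl settings for the smurf / fraggle / SYN-flood knobs.

Added example, not from the original article. Feed it the output of
`sysctl -a` (or the constructed sample below); it returns the settings
that leave the host able to act as a smurf amplifier, to accept packets
with spoofed sources, or to fall over under a SYN flood.
"""
import sys

# (key, acceptable values, why it matters, fix command)
CHECKS = [
    ("net.ipv4.icmp_echo_ignore_broadcasts", {"1"},
     "host answers pings sent to the broadcast address: usable as a smurf amplifier",
     "sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1"),
    ("net.ipv4.conf.all.rp_filter", {"1", "2"},
     "no reverse-path check: packets with spoofed sources are accepted on any interface",
     "sysctl -w net.ipv4.conf.all.rp_filter=1"),
    ("net.ipv4.tcp_syncookies", {"1"},
     "SYN cookies off: a SYN flood fills the listen backlog and new clients are refused",
     "sysctl -w net.ipv4.tcp_syncookies=1"),
    # Only present on newer kernels; older ones never forward directed broadcasts.
    ("net.ipv4.conf.all.bc_forwarding", {"0"},
     "router forwards directed broadcasts into its subnets (smurf amplification)",
     "sysctl -w net.ipv4.conf.all.bc_forwarding=0"),
]


def parse_sysctl(text):
    """Turn 'key = value' lines (the `sysctl -a` format) into a dict."""
    settings = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return (key, current value, why, fix) for every weak setting found."""
    settings = parse_sysctl(text)
    findings = []
    for key, ok_values, why, fix in CHECKS:
        value = settings.get(key)
        if value is None:          # knob absent on this kernel: nothing to fix
            continue
        if value not in ok_values:
            findings.append((key, value, why, fix))
    return findings


# Constructed sample of a badly configured host.
WEAK = """\
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.ip_forward = 1
"""

if __name__ == "__main__":
    # usage: sysctl -a | python audit.py   (falls back to the sample on a tty)
    text = WEAK if sys.stdin.isatty() else sys.stdin.read()
    for key, value, why, fix in audit(text):
        print(f"{key} = {value}: {why}\n    fix: {fix}")
```

    rp_filter is the host-level form of the ingress filtering recommended in item 1: a packet whose source address would not be routed back out the interface it arrived on is dropped. It does not replace filtering at the border router, which is the only place that stops your own users' spoofed packets from leaving.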
 

- Anish Shaikh.