A Distributed DoS in Action

Presentation transcript:

A Distributed DoS in Action

(Diagram labels: Client Hacker, Broadcast Host, Master Control Programs, Agents, Registration Phase, Verify Registration, *Hello*, png, PONG, The Internet.)

When the Master Control Programs are loaded and run, they just listen at TCP port 27665 for any messages coming from the Client Hacker, and they listen at UDP port 31335 for any messages coming from the hundreds of Broadcast Agents. Any message coming from the Client Hacker will also require a password to be accepted by the Master Control Program.

When the Broadcast Agents are loaded, they contain a small encrypted list of IP addresses for the locations of all the Master Control Programs. When the Broadcast Agent is first run, it sends a short UDP packet containing the word “*HELLO*” to these IP addresses (port 31335, of course) so they will, in effect, register with the Master Control Program that they are ready. The Master Control Programs will record the IP address of the sender (the location of the Broadcast Agent). The Broadcast Agents then just listen at UDP port 27444 for any future commands coming from the Master.

Prior to initiating the attack, the Client Hacker can, optionally, send a command to the Master Control Programs to verify that the Broadcast Agents are still ready (and that they have not been discovered or the host taken offline). The Master Control Programs send a UDP packet containing the word “png” to all the hundreds of Broadcast Agent IP addresses (at port 27444). Agents that are still active will respond with the word “PONG” (to port 31335 on the Master).

The Attack Phase

(Diagram labels: Client Hacker, The Internet, Broadcast Host, Agents, Attack, Target, UDP Flood Attack, COLLATERAL DAMAGE.)

When the Hacker is ready to begin the attack, he sends the command, along with the password and the list of IP addresses to target, to the Master Control Programs (to TCP port 27665). The Master Control Programs then send the command and IP address list to the hundreds of Broadcast Agents they have registered all over the Internet (to UDP port 27444). The hundreds of Broadcast Agents then begin their attack and flood random ports of the target host(s) with simple UDP packets. Additionally, in the case of stacheldraht, the packets sent have a spoofed source IP address. This way the attacks look like they are coming from a completely different source, which now involves yet another party in the attack.

Trinoo comes with 6 different commands that the Master will accept from the Client Hacker. They include:
- Setting a timer to begin the attack at a future time
- Begin DoS attack at one IP target
- Begin DoS attack at multiple IP targets
- Kill all Broadcast Agents registered
- Verify that registered Agents are still ready (the “png”-“pong”)
- Set size of UDP packet to use in the flood attack
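The registration and attack-phase slides above describe a fixed control channel (TCP 27665 client to master, UDP 31335 agent to master, UDP 27444 master to agent) with short, literal payloads. As an added example that is not part of the original presentation, the following Python classifies constructed flow records on those ports and payload words and infers which hosts are behaving as clients, masters and agents; the record format and all addresses are assumptions made up for the example.

```python
import re

# Trinoo control-channel ports as described on the slides.
MASTER_TCP_CMD = 27665   # Client Hacker -> Master (password-protected commands)
MASTER_UDP_REG = 31335   # Agent -> Master ("*HELLO*" registration, "PONG" reply)
AGENT_UDP_CMD = 27444    # Master -> Agent ("png" check; attack commands use the same port)

# Constructed flow records (not real captures): proto src sport dst dport payload
SAMPLE_FLOWS = """\
udp 10.1.1.5 40101 192.0.2.10 31335 *HELLO*
udp 10.1.2.9 40102 192.0.2.10 31335 *HELLO*
tcp 198.51.100.7 51000 192.0.2.10 27665 -
udp 192.0.2.10 31335 10.1.1.5 27444 png
udp 10.1.1.5 27444 192.0.2.10 31335 PONG
udp 10.9.9.9 5353 10.9.9.255 5353 -
"""

FLOW_RE = re.compile(r"^(udp|tcp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def classify_flow(line):
    """Map one flow record to an (event, src, dst) tuple, or None if it is not trinoo-like."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto, src, _sport, dst, dport, payload = m.groups()
    dport = int(dport)
    if proto == "tcp" and dport == MASTER_TCP_CMD:
        return ("client_to_master", src, dst)   # hacker client reaching a master
    if proto == "udp" and dport == MASTER_UDP_REG and payload in ("*HELLO*", "PONG"):
        return ("agent_to_master", src, dst)    # registration or keepalive reply
    if proto == "udp" and dport == AGENT_UDP_CMD and payload == "png":
        return ("master_to_agent", src, dst)    # keepalive probe from a master
    return None

def infer_roles(flows):
    """Return sorted host lists per role ('clients', 'masters', 'agents') seen in the flows."""
    roles = {"clients": set(), "masters": set(), "agents": set()}
    for line in flows.splitlines():
        ev = classify_flow(line)
        if ev is None:
            continue
        kind, src, dst = ev
        if kind == "client_to_master":
            roles["clients"].add(src); roles["masters"].add(dst)
        elif kind == "agent_to_master":
            roles["agents"].add(src); roles["masters"].add(dst)
        else:  # master_to_agent
            roles["masters"].add(src); roles["agents"].add(dst)
    return {k: sorted(v) for k, v in roles.items()}

if __name__ == "__main__":
    print(infer_roles(SAMPLE_FLOWS))
```

The ports alone are weak evidence, since any UDP service could land on them; the literal payload words are what separate these flows from unrelated traffic, so a detector should require both.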

How CODE RED Works

(Diagram label: First infected system.)

Code Red exploits the vulnerable Index Service Internet Server API (ISAPI) extension, a remote buffer overflow vulnerability that affects all versions of Microsoft IIS. The first infected system attempts to connect to other systems via port 80 (web).

How CODE RED Works (continued)

(Diagram labels: First infected system; scans to find new victims; 100 system probes.)

- Each new victim starts the scanning process over again
- From the 20th to the end of the month (EOM), attempts to launch a DoS against 198.137.240.91 (www.whitehouse.gov) by sending large junk packets

How NIMDA Works

(Diagram label: First infected system.)

NIMDA attempts to infect using the following methods:
- IIS Extended Unicode Directory Traversal Vulnerability
- IIS Escaped Character Decoding Command Execution Vulnerability
- Previous backdoors left by Code Red II and Sadmind infections

The first infected system attempts to connect to other systems via port 80 (web).

How NIMDA Works (continued)

(Diagram labels: First infected system; attacking system; tftp Admin.dll from attacking system (contains NIMDA payload).)

Once the victim has been infected, it uses the Trivial File Transfer Protocol (TFTP, similar to FTP) to retrieve “Admin.dll” from the attacking system. Admin.dll contains the NIMDA code.

How NIMDA Works (continued)

(Diagram labels: First infected system; sends infected email attachment; NIMDA propagates via open file shares; infected system scans network for vulnerable IIS web servers; NIMDA attaches to web pages on infected server.)

Once infected with NIMDA, the victim system will:
- scan the network for vulnerable IIS web servers
- harvest email addresses from the Windows address book and send an infected “readme.exe” attachment
- attach a copy of NIMDA, named “README.EML”, to all web-related files (.html, .htm, etc.)
- attempt to copy NIMDA to all open file shares

How NIMDA Works - NIMDA prefers to target its neighbors

NIMDA targets systems in its own IP space:
- NIMDA chooses targets having the same first two octets with 50% probability
- NIMDA chooses targets having the same first octet (only) with 25% probability
- it will only attack a completely random target IP with a 25% probability

- NIMDA prefers to target its neighbors
- Very rapid propagation
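The 50/25/25 mix above means an infected host sends most of its probes into its own /16 and /8, which is what a network monitor actually sees. As an added example that is not part of the original presentation, the following Python turns that mix into the expected share of probes landing in the source's own /16 and /8 (accounting for randomly chosen octets that happen to coincide) and compares it with the destinations observed from a suspected scanner; the scan records are constructed and the slack of 0.1 is an assumption.

```python
from fractions import Fraction
import ipaddress

# Nimda target-selection mix as stated on the slide.
P_SAME_16 = Fraction(1, 2)   # same first two octets
P_SAME_8 = Fraction(1, 4)    # same first octet only (second octet random)
P_RANDOM = Fraction(1, 4)    # completely random address

def expected_locality():
    """Expected share of probes inside the infected host's own /16 and /8.
    A randomly chosen octet can still coincide with the host's own, hence the small extra terms."""
    same16 = P_SAME_16 + P_SAME_8 * Fraction(1, 256) + P_RANDOM * Fraction(1, 65536)
    same8 = P_SAME_16 + P_SAME_8 + P_RANDOM * Fraction(1, 256)
    return {"same_16": same16, "same_8": same8}

def observed_locality(src, dsts):
    """Share of probed destinations sharing the source's first two / first one octets."""
    s = ipaddress.IPv4Address(src).packed
    n16 = sum(1 for d in dsts if ipaddress.IPv4Address(d).packed[:2] == s[:2])
    n8 = sum(1 for d in dsts if ipaddress.IPv4Address(d).packed[:1] == s[:1])
    return {"same_16": Fraction(n16, len(dsts)), "same_8": Fraction(n8, len(dsts))}

def looks_locality_biased(src, dsts, min_probes=16, slack=Fraction(1, 10)):
    """True if the scanner's destination mix is at least as local as Nimda's (minus slack)."""
    if len(dsts) < min_probes:          # too few probes to say anything
        return False
    obs, exp = observed_locality(src, dsts), expected_locality()
    return (obs["same_16"] >= exp["same_16"] - slack
            and obs["same_8"] >= exp["same_8"] - slack)

# Constructed scan records (assumed): one source probing 16 destinations.
SCAN_SRC = "10.20.5.5"
SCAN_DSTS = (["10.20.%d.1" % i for i in range(1, 11)]       # 10 inside the same /16
             + ["10.%d.7.7" % i for i in (30, 31, 32, 33)]  # 4 elsewhere in 10/8
             + ["198.51.100.9", "203.0.113.3"])             # 2 completely random

if __name__ == "__main__":
    print(expected_locality(), observed_locality(SCAN_SRC, SCAN_DSTS))
    print(looks_locality_biased(SCAN_SRC, SCAN_DSTS))
```

A uniform random scanner (Code Red style) fails the same check, so the locality profile separates the two worms' scanning behaviour before any payload is seen.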