DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/7 2003

Overview Why DoS? How DoS? The DDoS Landscape Attack tools over time Impacts on response

Why DoS? “An Introduction to Denial of Service,” Hans Husman, Sub-cultural status To gain access Revenge Political reasons Economic reasons Nastiness

Reality - Politics Brazilian government attacks (2000) India/Pakistani conflict - Yaha worm (2002) Al Jazeera web site (2003)

Reality - Economics British Telecom (2000) “This is my payback to BT for ripping this country off.” CloudNine (2001)

Reality - Nastiness/Status/??? Register.com reflected DNS attack (Jan. 2001) attack (May 2001) 12:21: GET /scripts/../../winnt/system32/ping.exe :29: GET /scripts/../../winnt/system32/ping.exe 200 Code Red attacks (July 2001) Steve Gibson “discovers” reflected DoS (Jan. 2002) Root DNS servers (Oct. 2002)

Reality for I2 Sept. 9, Mbps HDTV stream from UW to Stanford (“speed record”) Sept. 17, 1999 DDoS against UMN (trin00) Total hosts: 2,200 up to 5,000 Out of 227 at one point, 114 at I2 sites (37 at UW) New speed record?

How DoS (remotely)? Consume host resources Memory Processor cycles Network state Consume network resources Bandwidth Router resources (it’s a host too!) Exploit protocol vulnerabilities Poison ARP cache Poison DNS cache Etc…

Targets of attack End hosts Critical servers (disrupt C/S network) Web, File, Authentication, Update DNS Infrastructure Routers within org All routers in upstream path

The DDoS Landscape

Stepping Stones

Internet Relay Chat (IRC)

IRC w/Bots&BNCs

Distributed Denial of Service (DDoS) Networks

DDoS Network

You are here…

Typical DDoS attack

DDoS Attack Traffic (1) One Day Traffic Graph

DDoS Attack Traffic (2) One Week Traffic Graph

DDoS Attack Traffic (3) One Year Traffic Graph

High Low password guessing password cracking exploiting known vulnerabilities disabling audits back doors hijacking sessions sniffers packet spoofing GUI automated probes/scans denial of service www attacks Tools Attackers Intruder Knowledge Attack Sophistication “stealth” / advanced scanning techniques burglaries network mgmt. diagnostics distributed attack tools binary encryption Source: CERT/CC Attack tools over time

(D)DoS tools over time Point-to-point Combined Distributed (small, C/S) Add encryption, covert channel comms, shell features, auto-update, bundled w/rootkit Speed ups, use of IRC for C&C Added scanning, BNC, IRC channel hopping Added reflection attack, closed port back door, Worms include DDoS features IPv6 (back to 1996…)

Up to 1996 Point-to-point (single threaded) SYN flood Fragmented packet attacks “Ping of Death” “UDP kill”

1997 Combined attacks Targa  bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke Rape  teardrop v2, newtear, boink, bonk, frag, fucked, troll icmp, troll udp, nestea2, fusion2, peace keeper, arnudp, nos, nuclear, sping, pingodeth, smurf, smurf4, land, jolt, pepsi

1998 fapi (May 1998) UDP, TCP (SYN and ACK), ICMP Echo, "Smurf" extension Runs on Windows and Unix UDP comms One client spoofs src, the other does not Built-in shell feature Not designed for large networks (<10) Not easy to setup/control network fuck_them (ADM Crew, June 1998) Agent written in C; Handler is a shell script ICMP Echo Reply flooder Control traffic uses UDP Can randomize source to R.R.R.R (where 0<=R<=255)

1999 More robust and functional tools trin00, Stacheldraht, TFN, TFN2K Multiple attacks (TCP SYN flood, TCP ACK flood, UDP flood, ICMP flood, Smurf…) Added encryption to C&C Covert channel Shell features common Auto-update

2000 More floods (ip-proto-255, TCP NULL flood…) Pre-convert IP addresses of 16,702 smurf amplifiers Stacheldraht v1.666 Bundled into rootkits (tornkit includes stacheldraht) Full control (multiple users, by nick, with talk and stats) Omegav3 Use of IRC for C&C Knight Kaiten IPv6 DDoS 4to6 (doesn’t require IPv6 support)

Single host in DDoS

2001 Worms include DDoS features Code Red (attacked Linux “lion” worm (TFN) Added scanning, BNC, IRC channel hopping (“Blended threats” term coined in 1999 by AusCERT) “Power” bot Modified “Kaiten” bot Include time synchronization (?!!) Leaves worm

Power bot foo: oh damn, its gonna own shitloads foo: on start of the script it will erase everything that it has foo: then scan over foo: they only reboot every few weeks anyways foo: and it will take them 24 hours to scan the whole ip range foo: !scan status Scanner[24]:[SCAN][Status: ][IP: XX.X.XX.108][Port: 80][Found: 319] Scanner[208]:[SCAN][Status: ][IP: XXX.X.XXX.86][Port: 80][Found: 320]... foo: almost 1000 and we aren't even close foo: we are gonna own more than we thought foo: i bet 100thousand [11 hours later] Scanner[129]: [SCAN][Status: ][IP: XXX.X.XXX.195][Port: 80][Found: 34] Scanner[128]: [SCAN][Status: ][IP: XXX.X.XXX.228][Port: 80][Found: 67] Scanner[24]: [SCAN][Status: ][IP: XX.XX.XX.42][Port: 80][Found: 3580] Scanner[208]: [SCAN][Status: ][IP: XXX.XXX.XXX.156][Port: 80][Found: 3425] Scanner[65]: [SCAN][Status: ][IP: XX.XX.XXX.222][Port: 80][Found: 3959] bar: cool

2002 Distributed reflected attack tools d7-pH-orgasm drdos (reflects NBT, TCP SYN :80, ICMP) Reflected DNS attacks, steathly (NVP protocol) and encoded covert channel comms, closed port back door Honeynet Project Reverse Challenge binary Analysis-IP-Proto11-Backdoor.pdf Analysis-IP-Proto11-Backdoor.pdf

2003 Slammer worm (effectively a DDoS on local infrastructure) Windows RPC DCOM insertion vector for “blended threat” (CERT reports “thousands”) More IPv6 DoS (requires IPv6 this time) ipv6fuck, icmp6fuck

Types of attack traffic Direct Large packet flood (frag) Small packet flood TCP, UDP, ICMP, IGMP, ip-proto-255… Spoofed source Full 32 bits /24 Reflected Smurf DNS

Types of control traffic Point to point TCP (connection oriented) TCP, UDP, ICMP, NVP, etc. (connectionless) IRC channel(s) Static Dynamic (“frequency hopping”) Autonomous (worms) Indirect Random or “bogus” dst w/sniffing Reflected? Time delayed?

Advanced features More efficient Harder to detect Harder to analyze “Blended threat”

Reflection Hard to prevent (for reflectors) Hard to filter (for victims or reflectors) Hard to trace back Traffic analysis necessary

Demands on Response “Whack a port” now common How to notify? How to shut off 800 ports? Wipe/re-install always common Fast, but provides no information High reccurance rate High bandwidth & monitoring Liability lawsuits any day now?

Creative detection One to many/many to many inbound connections to new “servers” Many to one/many to many new outbound connections to servers New service ports on many internal hosts New protocols or new traffic volumes on existing protocols Honeynets & Honeypots

FIN “You may have paid for the hardware, but do you really own your network?” For more information: dittrich (at) u.washington.edu