Published by Dylan Hickmon. Modified over 9 years ago.
1
DDoS: A look back from 2003
Dave Dittrich, The Information School / Computing & Communications, University of Washington
I2 DDoS Workshop, August 6/7 2003
2
Overview
  Why DoS?
  How DoS?
  The DDoS Landscape
  Attack tools over time
  Impacts on response
http://staff.washington.edu/dittrich/talks/I2-ddos.ppt
3
Why DoS?
“An Introduction to Denial of Service,” Hans Husman, 1996
http://packetstormsecurity.nl/docs/hack/denial.txt
  Sub-cultural status
  To gain access
  Revenge
  Political reasons
  Economic reasons
  Nastiness
5
Reality - Politics
  Brazilian government attacks (2000)
  India/Pakistani conflict - Yaha worm (2002)
    http://www.vnunet.com/News/1133119
  Al Jazeera web site (2003)
    http://www.infoworld.com/article/03/03/26/HNjazeera_1.html
6
Reality - Economics
  British Telecom (2000): “This is my payback to BT for ripping this country off.”
    http://www.theregister.co.uk/content/1/12097.html
  CloudNine (2001)
    http://www.wired.com/news/business/0,1367,50171,00.html
7
Reality - Nastiness/Status/???
  Register.com reflected DNS attack (Jan. 2001)
  www.whitehouse.gov attack (May 2001); web server log entries from the attacking host:
    12:21:36 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
    12:29:29 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
  Code Red attacks www.whitehouse.gov (July 2001)
  Steve Gibson “discovers” reflected DoS (Jan. 2002)
  Root DNS servers (Oct. 2002)
8
Reality for I2
  Sept. 9, 1999: 40-200+ Mbps HDTV stream from UW to Stanford (“speed record”)
    http://abcnews.go.com/ABC2000/abc2000tech/internettwo991013.html
  Sept. 17, 1999: DDoS against UMN (trin00)
    Total hosts: 2,200, up to 5,000
    Out of 227 at one point, 114 at I2 sites (37 at UW)
    New speed record?
    http://stafff.washington.edu/dittrich/misc/trinoo.analysis.txt
9
How DoS (remotely)?
  Consume host resources
    Memory
    Processor cycles
    Network state
  Consume network resources
    Bandwidth
    Router resources (it’s a host too!)
  Exploit protocol vulnerabilities
    Poison ARP cache
    Poison DNS cache
    Etc…
10
Targets of attack
  End hosts
  Critical servers (disrupt C/S network)
    Web, File, Authentication, Update
    DNS
  Infrastructure
    Routers within org
    All routers in upstream path
11
The DDoS Landscape
12
Stepping Stones
13
Internet Relay Chat (IRC)
14
IRC w/Bots&BNCs
15
Distributed Denial of Service (DDoS) Networks
16
DDoS Network http://www.adelphi.edu/~spock/lisa2000-shaft.pdf
17
You are here…
18
Typical DDoS attack
19
DDoS Attack Traffic (1) One Day Traffic Graph
20
DDoS Attack Traffic (2) One Week Traffic Graph
21
DDoS Attack Traffic (3) One Year Traffic Graph
22
Attack tools over time (Source: CERT/CC)
[Chart: attack sophistication (high to low) against intruder knowledge, 1980 to 2001, showing tools and attackers diverging over time. Techniques plotted, roughly in chronological order: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]
23
(D)DoS tools over time
  1996 - Point-to-point
  1997 - Combined
  1998 - Distributed (small, C/S)
  1999 - Add encryption, covert channel comms, shell features, auto-update, bundled w/rootkit
  2000 - Speed ups, use of IRC for C&C
  2001 - Added scanning, BNC, IRC channel hopping
  2002 - Added reflection attack, closed port back door, worms include DDoS features
  2003 - IPv6 (back to 1996…)
24
Up to 1996
  Point-to-point (single threaded)
    SYN flood
    Fragmented packet attacks
    “Ping of Death”
    “UDP kill”
25
1997
  Combined attacks
    Targa: bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke
    Rape: teardrop v2, newtear, boink, bonk, frag, fucked, troll icmp, troll udp, nestea2, fusion2, peace keeper, arnudp, nos, nuclear, sping, pingodeth, smurf, smurf4, land, jolt, pepsi
26
1998
  fapi (May 1998)
    UDP, TCP (SYN and ACK), ICMP Echo, "Smurf" extension
    Runs on Windows and Unix
    UDP comms
    One client spoofs src, the other does not
    Built-in shell feature
    Not designed for large networks (<10)
    Not easy to setup/control network
  fuck_them (ADM Crew, June 1998)
    Agent written in C; Handler is a shell script
    ICMP Echo Reply flooder
    Control traffic uses UDP
    Can randomize source to R.R.R.R (where 0<=R<=255)
27
1999
  More robust and functional tools: trin00, Stacheldraht, TFN, TFN2K
    Multiple attacks (TCP SYN flood, TCP ACK flood, UDP flood, ICMP flood, Smurf…)
    Added encryption to C&C
    Covert channel
    Shell features common
    Auto-update
28
2000
  More floods (ip-proto-255, TCP NULL flood…)
  Pre-convert IP addresses of 16,702 smurf amplifiers
  Stacheldraht v1.666
    Bundled into rootkits (tornkit includes stacheldraht)
    http://www.cert.org/incident_notes/IN-2000-10.html
    Full control (multiple users, by nick, with talk and stats)
  Omegav3
  Use of IRC for C&C: Knight, Kaiten
  IPv6 DDoS: 4to6 (doesn’t require IPv6 support)
29
Single host in DDoS
30
2001
  Worms include DDoS features
    Code Red (attacked www.whitehouse.gov)
    Linux “lion” worm (TFN)
  Added scanning, BNC, IRC channel hopping (“Blended threats” term coined in 1999 by AusCERT)
    “Power” bot
    Modified “Kaiten” bot
    Include time synchronization (?!!)
    Leaves worm
31
Power bot
foo: oh damn, its gonna own shitloads
foo: on start of the script it will erase everything that it has
foo: then scan over
foo: they only reboot every few weeks anyways
foo: and it will take them 24 hours to scan the whole ip range
foo: !scan status
Scanner[24]:[SCAN][Status: ][IP: XX.X.XX.108][Port: 80][Found: 319]
Scanner[208]:[SCAN][Status: ][IP: XXX.X.XXX.86][Port: 80][Found: 320]...
foo: almost 1000 and we aren't even close
foo: we are gonna own more than we thought
foo: i bet 100thousand
[11 hours later]
Scanner[129]: [SCAN][Status: ][IP: XXX.X.XXX.195][Port: 80][Found: 34]
Scanner[128]: [SCAN][Status: ][IP: XXX.X.XXX.228][Port: 80][Found: 67]
Scanner[24]: [SCAN][Status: ][IP: XX.XX.XX.42][Port: 80][Found: 3580]
Scanner[208]: [SCAN][Status: ][IP: XXX.XXX.XXX.156][Port: 80][Found: 3425]
Scanner[65]: [SCAN][Status: ][IP: XX.XX.XXX.222][Port: 80][Found: 3959]
bar: cool
32
2002
  Distributed reflected attack tools
    d7-pH-orgasm
    drdos (reflects NBT, TCP SYN :80, ICMP)
  Reflected DNS attacks
  Stealthy (NVP protocol) and encoded covert channel comms, closed port back door
    Honeynet Project Reverse Challenge binary
    http://project.honeynet.org/reverse/results/project/020601-Analysis-IP-Proto11-Backdoor.pdf
33
2003
  Slammer worm (effectively a DDoS on local infrastructure)
  Windows RPC DCOM insertion vector for “blended threat” (CERT reports “thousands”)
  More IPv6 DoS (requires IPv6 this time): ipv6fuck, icmp6fuck
34
Types of attack traffic
  Direct
    Large packet flood (frag)
    Small packet flood: TCP, UDP, ICMP, IGMP, ip-proto-255…
  Spoofed source
    Full 32 bits
    /24
  Reflected
    Smurf
    DNS
35
Types of control traffic
  Point to point
    TCP (connection oriented)
    TCP, UDP, ICMP, NVP, etc. (connectionless)
  IRC channel(s)
    Static
    Dynamic (“frequency hopping”)
  Autonomous (worms)
  Indirect
    Random or “bogus” dst w/sniffing
    Reflected?
    Time delayed?
36
Advanced features
  More efficient
  Harder to detect
  Harder to analyze
  “Blended threat”
37
Reflection
  Hard to prevent (for reflectors)
  Hard to filter (for victims or reflectors)
  Hard to trace back
  Traffic analysis necessary
38
Demands on Response
  “Whack a port” now common
    How to notify?
    How to shut off 800 ports?
  Wipe/re-install always common
    Fast, but provides no information
    High recurrence rate
  High bandwidth & monitoring
  Liability lawsuits any day now?
    http://www.ddos-ca.org/
39
Creative detection
  One to many/many to many inbound connections to new “servers”
  Many to one/many to many new outbound connections to servers
  New service ports on many internal hosts
  New protocols or new traffic volumes on existing protocols
  Honeynets & Honeypots
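The first three detection heuristics on this slide, applied to constructed flow records as an added example (not code from the talk). It assumes flows have already been summarised to (src, dst, dst_port, direction) tuples and that a baseline set of known (host, port) servers exists; the sample addresses, the port 27665 and the 6667 IRC rendezvous are constructed to illustrate the patterns.

```python
from collections import defaultdict

# Constructed sample flow summaries: (src, dst, dst_port, direction).
# "in" = outside host connecting to an internal host, "out" = the reverse.
FLOWS = [
    # normal: outside clients reaching the known web server
    ("198.51.100.7", "10.0.1.5", 80, "in"),
    ("198.51.100.8", "10.0.1.5", 80, "in"),
    # three outside hosts all reaching a port no internal host served before
    ("203.0.113.4", "10.0.2.11", 27665, "in"),
    ("203.0.113.5", "10.0.2.11", 27665, "in"),
    ("203.0.113.6", "10.0.2.11", 27665, "in"),
    # the same new port now answering on two more internal hosts
    ("203.0.113.4", "10.0.2.12", 27665, "in"),
    ("203.0.113.4", "10.0.2.13", 27665, "in"),
    # several internal hosts all rendezvousing on one outside IRC server
    ("10.0.2.11", "192.0.2.9", 6667, "out"),
    ("10.0.2.12", "192.0.2.9", 6667, "out"),
    ("10.0.2.13", "192.0.2.9", 6667, "out"),
    ("10.0.3.1", "192.0.2.50", 443, "out"),
]
# Known legitimate servers (assumption: built from an inventory or a quiet baseline period).
BASELINE_SERVERS = {("10.0.1.5", 80)}


def new_server_fanin(flows, baseline, min_sources=3):
    """Many-to-one inbound connections to a (host, port) that is not a known server."""
    sources = defaultdict(set)
    for src, dst, dport, direction in flows:
        if direction == "in" and (dst, dport) not in baseline:
            sources[(dst, dport)].add(src)
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def new_port_spread(flows, baseline, min_hosts=3):
    """The same previously unseen service port appearing on many internal hosts."""
    hosts = defaultdict(set)
    for src, dst, dport, direction in flows:
        if direction == "in" and (dst, dport) not in baseline:
            hosts[dport].add(dst)
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= min_hosts}


def outbound_fanin(flows, min_clients=3):
    """Many internal hosts making new outbound connections to one outside server/port."""
    clients = defaultdict(set)
    for src, dst, dport, direction in flows:
        if direction == "out":
            clients[(dst, dport)].add(src)
    return {k: len(v) for k, v in clients.items() if len(v) >= min_clients}
```

Thresholds of three are for the sample data; on a real network they are tuned against the baseline period, and the outbound rule is most useful combined with a known-services allowlist so ordinary HTTPS fan-in is excluded.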
40
FIN
“You may have paid for the hardware, but do you really own your network?”
For more information:
  http://packetstormsecurity.nl/distributed/
  http://staff.washington.edu/dittrich/talks/core02/
  http://staff.washington.edu/misc/ddos/
  dittrich (at) u.washington.edu