Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Denial of Service

May 10th, 2007
By Stephen Northcutt


CERT describes Denial of Service this way: "A 'denial-of-service' attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include: [1]
Or, as we say in information warfare, a denial-of-service attack is an effort to make your opponents' information resources less valuable to them. Of confidentiality, integrity, and availability, this is primarily an availability attack. According to Wikipedia, "A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:
1. consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. disruption of configuration information, such as routing information;
3. disruption of physical network components."[2]
(Three basic types is close, but not quite complete, so let's add a fourth:)
4. injecting an unexpected value that the host computer or network device is not capable of parsing.

Consumption of resources
In terms of flooding the network, the authority is a guy named Dave Dittrich. He has a web site[3] with tons of documentation on the growing capabilities of attack tools, especially in the early days. Today, network Distributed Denial of Service is done with bots under the control of a bot herder, and there are three major modes of control:

Centralized

Centralized Command and Control relies on a single host, often a bot itself, to provide command of all of the bots. In large botnets, a pyramid-like model may be used where a single bot herder system may pass communications to several agent systems that, in turn, each have thousands of bots connecting to them. The bots can point to multiple servers for redundancy and improved survivability. Centralized was used by the first botnets and has matured over the years. It is still the most commonly implemented model. Advantages of the centralized model are that it is easy to implement, scales to support large botnets (seen as large as 1.5 million systems with the Toxbot trojan botnet and, unofficially, reported to have been significantly larger than this number), and allows for low latency communication between the bot herder and his botnet. The main disadvantage is that, by being in one place, it is more vulnerable to being taken down. Removing the command and control system removes the botnet. Because of the significant advantages of scalability, maturity of the technology, and low latency (bot-herders can push out commands to their botnets relatively quickly), Centralized is by far the preferred and most widely employed model, and the one model that currently supports large botnets.

Peer2Peer
Peer2Peer Command and Control distributes functionality within the botnet itself, not relying on a single system for administration duties. Advantages of the P2P model are that there is no single host that can be removed to bring down C&C, and that detection may be more difficult since there isn't a single destination in communications. Disadvantages include scalability, since only small quantities of zombies can currently be utilized in a group, and there is no way currently to ensure message delivery or low latency communications. The botnets created by the SpamThru Trojan contain a professional quality P2P command and control, but it currently only scales to about 2,000 zombies. While improvements over time may make P2P more viable in the future, right now it isn't capable of supporting large botnets.

Distributed/Random
In the distributed or random model, infected hosts never attempt to contact the command and control. Instead, they sit and wait for communication from the bot herder. To find active bots, the bot herder must scan large blocks of the Internet. This model has not yet been observed in the wild. Advantages include being nearly impossible to detect and take down, as you won't observe infected machines initiating communication in the rallying process; they must wait until they are contacted and instructed by the bot-herder. Disadvantages include latency and scalability. It is very slow and time consuming to scan for, find, and send messages to individual bots. Another disadvantage is the inability to contact successfully infected bots behind NAT routers and firewalls. Because of these disadvantages, botnets based on distributed/random command and control cannot become large botnets.

NOTE: for further information on bot command and control, read the excellent paper, Managing Large Botnets,[4] by Kevin Bong and John Brozycki, from which the section above is taken.
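The rallying behaviour the centralized model depends on (many infected hosts initiating connections to one command host, usually on a fixed check-in schedule) is also what a defender can look for in connection logs, and it is exactly what the P2P and distributed models give up to avoid. The following Python is an added example, not code from this article or from Bong and Brozycki's paper: it runs two simple checks over a constructed connection log, one for destinations shared by many internal hosts and one for near-constant check-in intervals. The addresses, port, timestamps and thresholds are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log, not real data: (timestamp_s, src, dst, dport).
# Six internal hosts check in with one external host on port 6667 every 300 s, which is
# the rallying behaviour of the centralized model; two of them also browse unrelated
# web servers at irregular intervals.
FLOWS = [(1000 + k * 300 + (i % 3), f"10.0.0.{i}", "203.0.113.10", 6667)
         for i in range(1, 7) for k in range(4)]
FLOWS += [
    (1010, "10.0.0.2", "198.51.100.7", 443),
    (1047, "10.0.0.2", "198.51.100.7", 443),
    (1330, "10.0.0.2", "198.51.100.7", 443),
    (1900, "10.0.0.2", "198.51.100.7", 443),
    (1200, "10.0.0.4", "198.51.100.9", 80),
    (1205, "10.0.0.4", "198.51.100.9", 80),
    (1600, "10.0.0.4", "198.51.100.9", 80),
]


def rally_points(flows, min_clients=5):
    """(dst, dport) pairs that at least `min_clients` distinct internal hosts connected
    to. A shared command host stands out here; P2P or random C&C would not."""
    clients = defaultdict(set)
    for _ts, src, dst, dport in flows:
        clients[(dst, dport)].add(src)
    return {key: len(srcs) for key, srcs in clients.items() if len(srcs) >= min_clients}


def regular_beacons(flows, max_cv=0.1, min_conns=3):
    """(src, dst, dport) tuples whose connection intervals are nearly constant
    (coefficient of variation <= max_cv). Returns the mean interval per tuple."""
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Population stdev over mean: 0 for a perfectly regular beacon, large for browsing.
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    print("shared destinations:", rally_points(FLOWS))
    for (src, dst, dport), interval in sorted(regular_beacons(FLOWS).items()):
        print(f"{src} -> {dst}:{dport} checks in every {interval} s")
```

Both checks are deliberately coarse; on real data the thresholds need tuning against legitimate fan-in (update servers, mail relays) and legitimate periodic traffic (monitoring agents, NTP), which is why the two signals are more useful together than either is alone.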

Not all resource exhaustion attacks require bombing a system with packets. "A fork bomb process 'explodes' by recursively spawning copies using the system call fork as already suggested by its name. Eventually it saturates all the process table entries and effectively degrades the system. Saturating the process table makes sure that no new process will be started until some of them kill (or at least one kills itself) themselves. Even if that happens, it is not likely that a useful program may be started since the instances of the bomb program are each waiting to take that slot themselves."[5]
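The ceiling a fork bomb runs into, the per-user process count, is the same one an administrator can enforce deliberately with RLIMIT_NPROC (ulimit -u), which is the standard mitigation for this class of local resource exhaustion. The following Python is an added example, not code from the article: it temporarily lowers the soft limit, forks a bounded number of children that each occupy a process-table slot until released, and reports when fork() starts failing with EAGAIN. It assumes Linux or macOS semantics for RLIMIT_NPROC; an unprivileged user will see the limit bite, while uid 0 may bypass it.

```python
import errno
import os
import resource


def nproc_limits():
    """Current (soft, hard) RLIMIT_NPROC values; exposed so callers can confirm restoration."""
    return resource.getrlimit(resource.RLIMIT_NPROC)


def spawn_under_limit(max_children: int, soft_limit: int):
    """Temporarily lower the RLIMIT_NPROC soft limit to `soft_limit`, then fork up to
    `max_children` children that each hold a process-table slot until the parent
    releases them. Returns (children_spawned, hit_limit); hit_limit is True when
    fork() failed with EAGAIN, i.e. the limit stopped further process creation."""
    old_soft, old_hard = nproc_limits()
    if old_hard != resource.RLIM_INFINITY:
        soft_limit = min(soft_limit, old_hard)   # a soft limit can never exceed the hard one
    resource.setrlimit(resource.RLIMIT_NPROC, (soft_limit, old_hard))

    read_end, write_end = os.pipe()
    pids = []
    hit_limit = False
    try:
        for _ in range(max_children):
            try:
                pid = os.fork()
            except OSError as exc:
                if exc.errno == errno.EAGAIN:
                    hit_limit = True             # no free slot for this user: the fork-bomb ceiling
                    break
                raise
            if pid == 0:
                # Child: occupy a slot until the parent closes the pipe, then exit quietly.
                try:
                    os.close(write_end)
                    os.read(read_end, 1)
                finally:
                    os._exit(0)
            pids.append(pid)
    finally:
        os.close(write_end)                      # EOF on the pipe releases every child at once
        os.close(read_end)
        for pid in pids:
            os.waitpid(pid, 0)
        resource.setrlimit(resource.RLIMIT_NPROC, (old_soft, old_hard))
    return len(pids), hit_limit


if __name__ == "__main__":
    print("generous limit:", spawn_under_limit(3, 10 ** 6))
    print("soft limit 1  :", spawn_under_limit(3, 1))
```

The second call is the interesting one: because the calling process itself counts against the limit, a non-root user gets EAGAIN on the very first fork, which is the state a fork bomb leaves every other program of that user in. Setting the limit in /etc/security/limits.conf (or the equivalent in the service manager) makes it apply before any shell is started.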

Disruption of configuration information
This happens every time you ground out your boot ROM to reset it to its default configuration because you forgot the password. Other examples include hacking Linksys wireless boxes: "The WRT54G is notable for being the first consumer-level network device that had its firmware source code released to satisfy the obligations of the GNU GPL. This allows programmers to modify the firmware to change or add functionality to the device."[6]

It could also happen intentionally: for instance, feeding router configuration information to a network that made a system with no connection to the Internet the most attractive link to use to get to the Internet. That would disrupt service for a while; no one would be able to get to the Internet until the correct configuration was sent to the routers. Of course, this can be used for good as well; some network and security engineers are experimenting with so-called black hole routing so that malicious traffic can be sent "into a black hole." It remains to be seen if such an idea can ever be production ready.

Physical destruction/disruption
The most famous example of a DoS caused by physical disruption is a backhoe event. We have lived through over 12. Despite all the warnings and the fines, backhoe operators end up digging up fiber-optic cables and disrupting networks. Cars crash into utility poles and knock them down. We do not seem to be able to operate without the physical layer.

Injecting an unexpected value that the host computer or network device is not capable of parsing
A land attack was a denial of service attack with a network signature as shown:
192.168.1.1:80 -> 192.168.1.1:80

When hosts received this spoofed packet from themselves to themselves, from port 80 to port 80, many of them would die. Simply put, they could not properly parse this packet. The original blue screen of death, or WinNuke, exploited earlier Windows machines (which did not handle the URG flag correctly) by sending a string of Out-of-Band data to TCP port 139 on the victim's machine. The Windows system was unable to parse it properly and died.
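Both of these signatures are visible in the headers alone, which is why they were easy to write intrusion detection rules for once the pattern was understood. The following Python is an added example, not code from the article: it parses a raw IPv4+TCP header pair and flags the two patterns described above, a land packet (source equals destination, same port both ends) and out-of-band data aimed at TCP port 139. The sample packets are constructed in memory as test fixtures with zeroed checksums; the address values are assumptions.

```python
import socket
import struct

# Header layouts in network byte order; IPv4 options are skipped via the IHL field.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20 bytes
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20 bytes
TH_URG = 0x20
NETBIOS_SSN = 139


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Parse an IPv4 header followed by a TCP header and return the fields a
    signature check needs. Raises ValueError on anything that is not IPv4/TCP."""
    if len(frame) < IPV4_HDR.size:
        raise ValueError("frame too short for an IPv4 header")
    ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(frame, 0)
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or proto != 6 or len(frame) < ihl + TCP_HDR.size:
        raise ValueError("not a well-formed IPv4/TCP packet")
    sport, dport, _seq, _ack, _off, flags, _win, _tcsum, urg_ptr = TCP_HDR.unpack_from(frame, ihl)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags, "urg_ptr": urg_ptr}


def classify(pkt: dict) -> list:
    """Names of the malformed-input signatures the packet matches (empty if none)."""
    findings = []
    # Land attack: a packet claiming to come from the victim, to the victim, same port both ends.
    if pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        findings.append("land")
    # WinNuke pattern: URG flag (out-of-band data) aimed at the NetBIOS session port.
    if pkt["flags"] & TH_URG and pkt["dport"] == NETBIOS_SSN:
        findings.append("oob-139")
    return findings


def build_packet(src, dst, sport, dport, flags=0x02, urg_ptr=0) -> bytes:
    """Constructed test fixture: minimal IPv4+TCP headers, no payload, zero checksums."""
    ip = IPV4_HDR.pack(0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urg_ptr)
    return ip + tcp


if __name__ == "__main__":
    samples = (build_packet("192.168.1.1", "192.168.1.1", 80, 80),
               build_packet("10.0.0.5", "10.0.0.9", 1025, 139, flags=0x18 | TH_URG, urg_ptr=1),
               build_packet("10.0.0.5", "10.0.0.9", 1025, 80))
    for frame in samples:
        p = parse_ipv4_tcp(frame)
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}', classify(p) or "clean")
```

The land check belongs at the network edge (a packet whose source is one of your own addresses should never arrive from outside), while the port-139 URG check is only meaningful on segments where NetBIOS is actually exposed; modern stacks tolerate both packets, so today these rules serve as a sanity test of a sensor rather than as protection.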

Perhaps the most interesting was the Intel f0 or f00f bug; on older Pentiums if you held down the alt key and used the numeric keypad to type in 240 and then released the alt key, the computer would freeze instantly.[7] A great way to get your spouse's attention when he/she is paying more attention to their email than you.

The advanced SANS[8] courses and GIAC certifications[9] that are most concerned with Denial of Service are:

1. http://www.cert.org/tech_tips/denial_of_service.html
2. http://en.wikipedia.org/wiki/Denial_of_service
3. http://staff.washington.edu/dittrich/misc/ddos/
4. http://www.sans.edu/resources/student_projects/200704_001.doc
5. http://www.osweekly.com/index.php?option=com_content&task=view&id=2228&Itemid=0&limit=1&limitstart=1
6. http://en.wikipedia.org/wiki/WRT54G
7. http://linuxmafia.com/faq/Hardware/f00f-bug.html
8. http://www.sans.org/
9. http://www.giac.org/
10. http://www.sans.org/training/description.php?tid=242
11. http://www.giac.org/certifications/security/gcia.php
12. http://www.sans.org/training/description.php?tid=422
13. http://www.giac.org/certifications/security/gcfw.php
14. http://www.sans.org/training/description.php?tid=243
15. http://www.giac.org/certifications/security/gcih.php