Security Laboratory

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Denial of Service


By Stephen Northcutt
Version 1.1

If you are a manager involved in IT or cybersecurity, you are quite aware of the importance of uptime. Bonuses may be tied to a service level expectation, and it may even be a contractual obligation. Understanding denial of service is the key to managing it.

CERT describes Denial of Service this way: "A 'denial-of-service' attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include: [1]
  • Attempts to "flood" a network, thereby preventing legitimate network traffic
  • Attempts to disrupt connections between two machines, thereby preventing access to a service
  • Attempts to prevent a particular individual from accessing a service
  • Attempts to disrupt service to a specific system or person"

Or, as we say in cyber warfare, a denial-of-service attack is an effort to make your opponents' information resources less valuable to them. Of confidentiality, integrity, and availability, this is primarily an availability attack. According to Wikipedia, "A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:
1. consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. disruption of configuration information, such as routing information;
3. disruption of physical network components."[2]
(Three basic types is close, but not quite complete, so let's add a fourth:)
4. injecting an unexpected value that the host computer or network device is not capable of parsing

Consumption of resources

In terms of flooding the network, the authority is a guy named Dave Dittrich. He has a web site[3] with tons of documentation on the growing capabilities of attack tools, especially in the early days. Today, network Distributed Denial of Service is done with bots under the control of a bot herder, and there are three major modes of control:

Centralized

Centralized Command and Control (C&C) relies on a single host, often a bot itself, to provide command of all of the bots. In large botnets, a pyramid-like model may be used where a single bot herder system passes communications to several agent systems that, in turn, each have thousands of bots connecting to them. The bots can point to multiple servers for redundancy and improved survivability. The centralized model was used by the first botnets and has matured over the years; it is still the most commonly implemented model. Advantages of the centralized model are that it is easy to implement, scales to support large botnets (seen as large as 1.5 million systems with the Toxbot trojan botnet and, unofficially, reported to have been significantly larger than this number), and allows for low-latency communication between the bot herder and his botnet. The main disadvantage is that, by being in one place, it is more vulnerable to being taken down: removing the command and control system removes the botnet. Because of the significant advantages of scalability, maturity of the technology, and low latency (bot herders can push out commands to their botnets relatively quickly), centralized is by far the preferred and most widely employed model, and the one model that currently supports large botnets.

Peer2Peer or DNS

Peer2Peer Command and Control distributes functionality within the botnet itself, not relying on a single system for administration duties. Advantages of the P2P model are that there is no single host that can be removed to bring down C&C, and that detection may be more difficult since there isn't a single destination in communications. Disadvantages include scalability, since only small quantities of zombies can currently be utilized in a group, and there is no way currently to ensure message delivery or low latency communications. The botnets created by the SpamThru Trojan contain a professional quality P2P command and control, but currently only scales to about 2,000 zombies. While improvements over time may make P2P more viable in the future, right now it isn't capable of supporting large botnets.

If you are reading this to prepare for MGT 512, we will cover DNS in much more depth in the course, but for now keep in mind that DNS is both a request/reply protocol and a distributed database, and that database can store far more than just IP addresses and domain names. Attackers exploit this with a technique called flux (usually "fast flux"): the C&C name resolves to a rotating pool of IP addresses (IP fluxing), the bots rotate through a series of domain names (name fluxing), or both. Combine that with tunneling and you have a C&C system that is hard to disable.
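The IP-fluxing half of that technique leaves a measurable trace in passive DNS data: the same name keeps answering with a fresh, widely scattered set of addresses on a short TTL. The following is an added example, not code from the article or from SANS; the answers are constructed, the /16 grouping is a rough locality key for IPv4 only, and the thresholds are assumptions to tune against your own resolver logs.

```python
"""Spot IP-flux behaviour in a series of DNS A-record answers.

Added example, not code from the article or from SANS: the answers below are
constructed, and the thresholds are assumptions to tune against real data.
"""
from collections import defaultdict

# Constructed observations: (seconds since first query, name, ttl, A records).
# cdn.example.net behaves like an ordinary CDN; update.example.org rotates
# through a fresh set of scattered addresses on every short TTL.
SAMPLE_ANSWERS = [
    (0,   "cdn.example.net", 300, ["192.0.2.10", "192.0.2.11"]),
    (300, "cdn.example.net", 300, ["192.0.2.10", "192.0.2.11"]),
    (600, "cdn.example.net", 300, ["192.0.2.10", "192.0.2.11"]),
    (0,   "update.example.org", 60, ["198.51.100.5", "203.0.113.9", "192.0.2.77"]),
    (60,  "update.example.org", 60, ["203.0.113.40", "198.51.100.200", "192.0.2.3"]),
    (120, "update.example.org", 60, ["198.51.100.150", "203.0.113.77", "192.0.2.101"]),
    (180, "update.example.org", 60, ["203.0.113.12", "198.51.100.33", "192.0.2.250"]),
]


def slash16(ip):
    """Coarse locality key: the /16 an IPv4 address falls in (IPv4 only here)."""
    return ".".join(ip.split(".")[:2])


def summarize(answers, max_ttl=300, min_unique_ips=6, min_prefixes=3, min_churn=0.5):
    """Return per-name statistics and a flag for IP-flux-like behaviour.

    The signature looked for: short TTLs, many distinct addresses spread over
    unrelated networks, and answers that mostly replace the previous answer
    (churn) rather than cycling through one stable pool.
    """
    by_name = defaultdict(list)
    for t, name, ttl, ips in answers:
        by_name[name].append((t, ttl, ips))

    report = {}
    for name, observations in by_name.items():
        seen, prefixes, ttls, churn = set(), set(), [], []
        previous = set()
        for _, ttl, ips in sorted(observations, key=lambda o: o[0]):
            current = set(ips)
            if previous:
                churn.append(len(current - previous) / len(current))
            previous = current
            seen |= current
            prefixes |= {slash16(ip) for ip in current}
            ttls.append(ttl)
        mean_churn = sum(churn) / len(churn) if churn else 0.0
        flagged = (min(ttls) <= max_ttl and len(seen) >= min_unique_ips
                   and len(prefixes) >= min_prefixes and mean_churn >= min_churn)
        report[name] = {
            "unique_ips": len(seen), "prefixes": len(prefixes),
            "min_ttl": min(ttls), "mean_churn": mean_churn, "flagged": flagged,
        }
    return report


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_ANSWERS).items():
        print(name, stats)
```

The CDN name is not flagged even though its TTL is short: it answers with the same two addresses every time, so churn is zero. The flux name is flagged on all four measures. In production you would feed this from a passive DNS store rather than an inline list, and raise the thresholds once you have seen how your legitimate CDN and load-balanced names behave.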

Distributed/Random

In the distributed or random model, infected hosts never attempt to contact the command and control. Instead, they sit and wait for communication from the bot herder. To find active bots, the bot herder must scan large blocks of the Internet. This model has not yet been observed in the wild. Advantages include being nearly impossible to detect and take down, since you will not observe infected machines initiating communication in the rallying process; they simply wait until they are contacted and instructed by the bot herder. Disadvantages include latency and scalability: it is very slow and time consuming to scan for, find, and send messages to individual bots. Another disadvantage is the inability to contact successfully infected bots behind NAT routers and firewalls. Because of these disadvantages, botnets based on distributed/random command and control cannot become large botnets.

NOTE: for further information on bot command and control, read the excellent paper, Managing Large Botnets,[4] by Kevin Bong and John Brozycki, from which the section above is taken.

Not all resource exhaustion attacks require bombing a system with packets. "A fork bomb process 'explodes' by recursively spawning copies using the system call fork, as already suggested by its name. Eventually it saturates all the process table entries and effectively degrades the system. Saturating the process table makes sure that no new process will be started until some of them kill themselves (or at least one kills itself). Even if that happens, it is not likely that a useful program may be started, since the instances of the bomb program are each waiting to take that slot themselves."[5]

Disruption of configuration information

This happens every time you clear a device's configuration memory to reset it to the defaults because you forgot the password. Other examples include hacking Linksys wireless boxes with replacement firmware: "The WRT54G is notable for being the first consumer-level network device that had its firmware source code released to satisfy the obligations of the GNU GPL. This allows programmers to modify the firmware to change or add functionality to the device."[6]

It could also happen intentionally. Imagine feeding bogus routing information into a network so that a system with no connection to the Internet became the most attractive path to it: no one would be able to reach the Internet until the correct configuration was pushed back out to the routers. Of course, the same mechanism can be used for good. Network and security engineers use black hole routing to send malicious traffic "into a black hole"; remotely triggered black hole filtering (RFC 5635) is now a standard operator tool for absorbing floods. Deliberate disruption of configuration is expected to become a serious threat vector for the so-called "Internet of things".

Physical destruction/disruption

The most famous example of a DoS caused by physical disruption is a backhoe event; we have lived through more than a dozen of them. Despite all the warnings and the fines, backhoe operators end up digging up fiber optic cables and disrupting networks. Cars crash into utility poles and knock them down. We do not seem to be able to operate without the physical layer. When they were extending the Metro line from Dulles airport to Tysons Corner they would sometimes dig up fiber optic cables that were not listed in the Miss Utility databases. Imagine the backhoe operator's surprise when government black SUVs showed up a couple of minutes later with guns at the ready.[8]

Injecting an unexpected value that the host computer or network device is not capable of parsing

The IPv4 land attack was a denial of service attack with a network signature as shown:
192.168.1.1:80 -> 192.168.1.1:80

When hosts received this spoofed packet, from themselves to themselves and from port 80 to port 80, many of them would die. Simply put, they could not properly parse a packet whose source and destination were identical. The original blue screen of death, WinNuke, exploited earlier Windows machines (which did not handle the URG flag correctly) by sending out-of-band data to TCP port 139 on the victim's machine. The Windows system was unable to parse it properly and died. Many readers will think this is a dated example, and it is, but one of the first IPv6 attacks against Windows was, you guessed it, the IPv6 Land attack.
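Both signatures are simple enough to check by hand from the packet headers, which is also how a sensor or a firewall rule catches them. The following is an added example, not code from the article: it builds IPv4 and IPv6 TCP packets inline with `struct`, parses them back, and classifies each as Land, WinNuke-style out-of-band data, or ordinary traffic. It extends the text's IPv4 case to IPv6 (which the text mentions for the later Windows variant) on the assumption that no IPv6 extension headers are present.

```python
"""Flag Land and WinNuke-style packets by parsing IPv4/IPv6 + TCP headers.

Added example, not from the article: the packets are constructed inline with
struct, and the classifier is a minimal illustration of the two signatures
the text describes. Assumption: no IPv6 extension headers, no IP options
beyond what the IHL field accounts for.
"""
import socket
import struct

TCP_PROTO = 6
TCP_URG = 0x20
TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, offset, flags, win, csum, urgptr


def tcp_header(sport, dport, flags=0x02, urg_ptr=0):
    """Minimal 20-byte TCP header; default flags = SYN."""
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urg_ptr)


def ipv4_tcp(src, dst, sport, dport, **tcp):
    payload = tcp_header(sport, dport, **tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      TCP_PROTO, 0, socket.inet_pton(socket.AF_INET, src),
                      socket.inet_pton(socket.AF_INET, dst))
    return hdr + payload


def ipv6_tcp(src, dst, sport, dport, **tcp):
    payload = tcp_header(sport, dport, **tcp)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), TCP_PROTO, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload


def parse(packet):
    """Return the fields the checks need, or None for non-TCP traffic."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        proto, src, dst, l4 = packet[9], packet[12:16], packet[16:20], packet[ihl:]
    elif version == 6:
        proto, src, dst, l4 = packet[6], packet[8:24], packet[24:40], packet[40:]
    else:
        raise ValueError("not an IP packet")
    if proto != TCP_PROTO or len(l4) < 20:
        return None
    sport, dport, _, _, _, flags, _, _, urg_ptr = struct.unpack(TCP_HDR, l4[:20])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "urg_ptr": urg_ptr}


def classify(packet):
    p = parse(packet)
    if p is None:
        return "non-tcp"
    # Land: a packet claiming to come from its own destination, same port both ends.
    if p["src"] == p["dst"] and p["sport"] == p["dport"]:
        return "land"
    # WinNuke: out-of-band (URG) data aimed at the NetBIOS session port.
    if p["flags"] & TCP_URG and p["urg_ptr"] and p["dport"] == 139:
        return "winnuke-oob"
    return "ok"


if __name__ == "__main__":
    print(classify(ipv4_tcp("192.168.1.1", "192.168.1.1", 80, 80)))  # land
```

A Land packet can never be legitimate on the wire, so the check belongs at the border as a drop rule (and every modern stack discards it), not just in a sensor. The WinNuke check is looser: URG data to port 139 is what the original attack sent, but URG data to any port on a stack that cannot handle it is the same class of problem, an input the receiver was never written to parse.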

Perhaps the most interesting was the Intel Pentium f00f bug, named for the first bytes of the instruction that triggered it. On the original Pentium, executing the four-byte sequence F0 0F C7 C8 (an invalid form of lock cmpxchg8b) froze the processor instantly, and any unprivileged program could contain it.[7] Anyone involved in industrial control systems (what they used to call SCADA) knows just how serious a hang like this can be.

Though Heartbleed is primarily an information-disclosure attack (it leaks the contents of server memory), it was also triggered by an unexpected value: a heartbeat request whose claimed payload length was larger than the payload actually sent. The resulting over-read sometimes crashed the service outright. In June 2014, NewsBites reported that there were still 300,000 vulnerable servers operating on segments of the Internet that could be scanned.[9]
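The defect is a missing comparison between a length the client claims and the length the server actually received. The following is an added example, not code from the article or from OpenSSL: process memory is simulated as a single bytes object (the received record followed by constructed bytes that should never leave the server), so the over-read the real C code performed can be shown without unsafe memory access. The `1 + 2 + payload + 16 > record length` test is the check the OpenSSL fix added; the 16 is the minimum padding RFC 6520 requires.

```python
"""Heartbleed's missing bounds check, modelled on the OpenSSL heartbeat code.

Added example, not code from the article or from OpenSSL: process memory is
simulated as a bytes object (received record + constructed adjacent bytes),
so the over-read can be shown without unsafe memory access.
"""
import struct

HB_REQUEST = 1
PADDING = 16   # RFC 6520: at least 16 bytes of random padding per message


def heartbeat_record(payload, claimed_length=None):
    """TLS heartbeat body: type(1) | payload_length(2) | payload | padding.
    A lying client sets claimed_length far larger than len(payload)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


# Constructed "memory" beyond the record: what a real server might hold there.
ADJACENT_SECRET = b"session_cookie=9f1a2b3c4d5e; user=alice; -----BEGIN RSA PRIVATE KEY-----"


def vulnerable_response(memory, record_len):
    """Pre-fix logic: read payload_length from the attacker's header and copy
    that many bytes, never comparing it with the length actually received."""
    _hbtype, payload_len = struct.unpack("!BH", memory[:3])
    return memory[3:3 + payload_len]            # memcpy(bp, pl, payload) in C


def fixed_response(memory, record_len):
    """Post-fix logic: discard the message unless the claimed payload plus
    header and minimum padding fits inside the received record."""
    if record_len < 1 + 2 + PADDING:
        return None                             # too short to hold a heartbeat
    _hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                             # claimed length exceeds record
    return memory[3:3 + payload_len]


def demo(claimed_length=0x4000):
    """Run an honest and a malicious heartbeat through both versions."""
    honest = heartbeat_record(b"hello")
    evil = heartbeat_record(b"hello", claimed_length)
    honest_mem = honest + ADJACENT_SECRET
    evil_mem = evil + ADJACENT_SECRET
    return {
        "honest_fixed": fixed_response(honest_mem, len(honest)),
        "evil_vulnerable": vulnerable_response(evil_mem, len(evil)),
        "evil_fixed": fixed_response(evil_mem, len(evil)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The malicious request claims 16 KB of payload, the maximum the two-byte field and the record size allow, while sending five bytes. The vulnerable path echoes back whatever follows the record in memory; the fixed path silently drops the message, which is also why a patched server is detectable without exploiting it: a malformed heartbeat gets no reply at all.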



1. http://www.cert.org/tech_tips/denial_of_service.html
2. http://en.wikipedia.org/wiki/Denial_of_service
3. http://staff.washington.edu/dittrich/misc/ddos/
4. http://www.sans.edu/resources/student_projects/200704_001.doc
5. http://www.osweekly.com/index.php?option=com_content&task=view&id=2228&Itemid=0&limit=1&limitstart=1
6. http://en.wikipedia.org/wiki/WRT54G
7. http://linuxmafia.com/faq/Hardware/f00f-bug.html
8. https://www.schneier.com/blog/archives/2009/06/secret_govermen.html
9. https://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed-vulnerability-without-exploiting-the-server/