Internet: Security Student Paper: El-Chebeir - California Western
Internet: Security Student Paper: El-Chebeir

Denial of Service

by Wessam El-Chebeir

Recently, some Internet crackers attacked several major Internet companies and caused them to stop providing services to web surfers and customers for several hours causing what is called "Denial of Service". A denial of Service attack is a merciless stream of information sent to a target with the intention of flooding it until it crashes or can no longer take legitimate traffic. Unlike most other hacks, a denial of service attack does not involve the attacker gaining access or entry into the target server. The information is frequently sent in the form of "pings"--small packets of data used as a signal between computers. If the pinger lies about its real address, the target computer cannot return the ping to make the connection. In that case, the target waits and finally gives up. In great amounts, this can overwhelm a server. The server becomes so busy handling the bogus requests, legitimate users will not receive a response.

A new form of Distributed Denial of Service (DDoS) attack has been discovered following the release of the trin00 and Tribe flood network (TFN) denial of service programs. In addition to these two programs, two additional tools are currently being used to implement this attack: TFN2K and Stacheldrat. Both of these tools are based on the original TFN/trin00 attacks. Attackers can install these tools on hundreds of compromised machines and direct a network of trin00/TFN machines to initiate an attack against a single victim. This attack occurs simultaneously from these machines, making it more dangerous than any DoS attack launched from any single machine.

I.  How does the trin00 work?

The trin00 distributed denial of service system consists of 3 parts:

The Client: The client is not part of the trin00 package. The telnet or Netcat program (TCP connections) is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target. (The master and broadcast are described below.)

The Master: The master is contained in the file "master.c" in the trin00 package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "??" prompt, waiting for a password. The password is "gOrave".

The Broadcast (or Bcast): The Broadcast is the code in trin00 that performs the actual flooding. It is "ns.c" in the trin00 package. When the Broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. Starting the Broadcast, a UDP packet is sent to port 31335 of each master IP, containing the data "*HELLO*". This packet registers the broadcast with the master. The DoS attack that trin00 Broadcasts use is a UDP flood. Trin00 sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns Internet Control Message Control (ICMP) Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point there will be little or no network bandwidth left.

II- How does the Starcheldrant (Bared Wire) work?

Stacheldraht (Barbed Wire) consists of three parts: the master server, client, and agent programs.

The Client: The client is used to connect to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken," which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server: The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client. The Agent: The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

The Attack: Like TFN, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.

III- How to prevent these attacks?

Any unused or unneeded network services should be disabled. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack. Quota systems on the operating system if they are available should be enabled. For example, if the operating system supports disk quotas, they should be enabled for all accounts, especially accounts that operate network services. In addition, if the operating system supports partitions or volumes (i.e., separately mounted file systems with independent attributes) partitioning the file system should be considered so as to separate critical functions from other activity. The system performance should be observed and baselines for ordinary activity should be established. The baseline should be used to gauge unusual levels of disk activity, CPU usage, or network traffic. Routinely, the physical security with respect to the current needs should be examined. Servers, routers, unattended terminals, network access points, wiring closets, environmental systems such as air and power, and other components of the system should be considered. To use Tripwire or a similar tool to detect changes in configuration information or other files.

Also, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, in order to defeat the possibility of source-address-spoofed packets from entering from downstream networks, or leaving for upstream networks.

Finally, the tin00, the TFN, the TFN2K, the Stacheldraht, and a lot of other softwares should not be marketed at all. Indeed, these tools, together with existing port scanners (which check for system vulnerabilities,) enable hackers with little or no experience to bring down even the largest Web site without fear of reprisal.