Denial-of-Service Attacks – D.O.S!!!

Today I'm going to educate you about DoS attacks, how they work and how to perform one. I can hear your heart rate pumping to just go and perform an attack, hehehe 🙂 well, you've got to crawl before you can walk. (keekay t0m bunanee...) So let's stop fooling around and get moving...

If you have ever had a system crash on you, you know how frustrating it is when you lose your data and are unable to work. This is the goal of a denial-of-service (DoS) attack. A DoS attack is one in which a malicious hacker renders a system unusable. He can do this by overloading the system so that it crashes or can no longer serve anyone, or by sending traffic with exceptional conditions that the system was never prepared to handle. Malicious hackers launch DoS attacks when they are unable to access the data any other way, or simply for the notoriety.

DoS attacks are categorized into one of three types:

  1. Bandwidth attacks
  2. Protocol exceptions
  3. Logic attacks

A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.

A protocol attack is a trickier approach, but it is becoming quite popular. Here, the attacker sends traffic in a way the target system never expected, such as a flood of SYN packets. Pic 1 below illustrates normal TCP traffic, and pic 2 shows what happens with a SYN flood protocol attack.

(pic 1: normal TCP traffic, the three-way handshake)

(pic 2: SYN flood)

The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking. A classic example of a logic attack is a LAND attack, where an attacker sends a forged packet with the same source and destination IP address. Many systems are unable to handle this type of confused activity and subsequently crash.

Although a simple DoS attack from a single host might often be effective, it is more effective if several hosts are involved in the attack. This is called a Distributed Denial of Service (DDoS) attack. Many firewalls and intrusion detection systems (IDS) can block a single host if they detect an active DoS attack, but imagine if 10,000 hosts are involved in the attack. Few firewalls can handle this much traffic.
(pic 3)
Although a penetration tester might be asked to test a host against DoS attacks, it is even less common to find a penetration tester testing with DDoS attacks. For this reason, this post focuses primarily on DoS attacks as they relate to penetration testing.
Types of DoS Attacks
This section introduces the common types of DoS attacks, many of which can also be carried out as a DDoS attack.

Ping of Death
A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It also is a valuable tool for troubleshooting and diagnosing problems on a network. As pic-4 illustrates, a normal ping has two messages:

  • Echo request
  • Echo reply

(pic 4)

C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:

Reply from 192.168.10.10: bytes=32 time=1ms TTL=150
Reply from 192.168.10.10: bytes=32 time=1ms TTL=150
Reply from 192.168.10.10: bytes=32 time=1ms TTL=150
Reply from 192.168.10.10: bytes=32 time=1ms TTL=150

Ping statistics for 192.168.10.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\>

With a Ping of Death attack, an ICMP echo request is sent whose total size exceeds the 65,535-byte maximum an IPv4 datagram can have (the length field is only 16 bits). The packet travels as a series of fragments, each legal on its own, but when the receiver reassembles them the result is larger than the buffer it allocated for the datagram. Systems that could not handle this overflow crashed or rebooted.

You can attempt a Ping of Death from within Linux by typing ping -f -s 65537 <target>. Note the use of the -f switch: it floods, sending packets as quickly as possible (and requires root). Often the cause of a DoS is not just the size or amount of traffic, but the rapid rate at which packets are sent to the target. Be aware that a modern iputils ping refuses any -s value above 65507 (65,507 bytes of data plus 8 bytes of ICMP header and 20 bytes of IP header is exactly 65,535), so this command simply fails on a current system; a genuinely oversized, fragmented echo request has to be built with a raw-packet tool such as hping3 or Scapy.
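To make the mechanism concrete, here is an added example (not code from the original post or from any of the tools it names) that builds the IPv4 fragments of an oversized ICMP echo request in memory and shows the check a reassembler must make to reject it. Nothing is sent on the wire; the 1500-byte MTU and the 65,520-byte payload are chosen for the illustration.

```python
# Added example (not from the original post): build the IPv4 fragments of an
# oversized ICMP echo request in memory and show the check a reassembler must
# make to reject a Ping of Death. Nothing is sent on the wire.
import struct

IP_MAX = 65535    # the IPv4 total-length field is 16 bits: largest legal datagram
IP_HDR = 20       # IPv4 header without options
MF = 0x2000       # "More Fragments" bit in the flags/fragment-offset field
OFF_MASK = 0x1FFF


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def fragment(transport: bytes, mtu: int = 1500):
    """Split an IP payload into fragments the way a sender on an Ethernet link would.
    Returns (flags_and_offset_field, fragment_data) pairs; the offset is in 8-byte
    units, so every fragment except the last carries a multiple of 8 bytes."""
    chunk = (mtu - IP_HDR) // 8 * 8
    frags = []
    for off in range(0, len(transport), chunk):
        data = transport[off:off + chunk]
        more = MF if off + chunk < len(transport) else 0
        frags.append((more | (off // 8), data))
    return frags


def reassemble(frags) -> bytes:
    """Reassemble fragments into the original IP payload.
    The Ping of Death check: a fragment whose end, plus the IP header, lies beyond
    65,535 bytes cannot belong to a legal datagram and must be dropped BEFORE it is
    copied into the reassembly buffer (vulnerable stacks copied first)."""
    buf = bytearray()
    total = None
    for field, data in sorted(frags, key=lambda f: f[0] & OFF_MASK):
        start = (field & OFF_MASK) * 8
        end = start + len(data)
        if IP_HDR + end > IP_MAX:
            raise ValueError("oversized datagram: fragment ends at byte %d > %d"
                             % (IP_HDR + end, IP_MAX))
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = data
        if not field & MF:
            total = end
    if total is None or len(buf) != total:
        raise ValueError("incomplete datagram")
    return bytes(buf)


def normal_ping() -> bytes:
    """The 32-byte Windows ping shown earlier: one fragment, reassembles cleanly."""
    return reassemble(fragment(icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi")))


def ping_of_death() -> str:
    """65,520 bytes of ICMP data: 20 + 8 + 65,520 = 65,548 bytes once reassembled,
    so the reassembler rejects it. Returns the rejection reason."""
    try:
        reassemble(fragment(icmp_echo(b"A" * 65520)))
    except ValueError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print(len(normal_ping()), "bytes reassembled OK")
    print("Ping of Death:", ping_of_death())
```

Every individual fragment here is a legal packet (the largest offset field used is 8140, well inside 13 bits), which is why a filter that looks only at single packets cannot spot the attack; the check has to live in the reassembler.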

You can also use the following software tools to perform a Ping of Death attack:

  • Jolt
  • SPing
  • ICMP Bug
  • IceNewk

Today, most hosts are hardened against Ping of Death attacks and even attempt to prevent you from sending one, although you might still find some network appliances that are vulnerable.

Smurf and Fraggle
A Smurf attack is another DoS attack that uses ICMP. Here, an echo request is sent to a network's broadcast address with the target as the spoofed source. Every host on that segment that receives the request sends an echo reply back to the target, so one request is amplified into as many replies as there are responding hosts. Although a single echo request is probably insufficient to crash your target, a stream of them, sent from several hosts or aimed at several amplifier networks, might succeed. You can even use a Smurf attack on an entire network by specifying several broadcast addresses as the destination with a target network as the source. Pic 5 demonstrates a typical Smurf attack.
(pic 5)
If you discover that you cannot send a broadcast ping to a network, you can try using a Smurf amplifier instead. A Smurf amplifier is a network that accepts broadcast pings from outside and sends the replies to your target host on a different network. Nmap can detect whether a network can be used as a Smurf amplifier. The syntax for testing the 192.168.1.0/24 network is as follows (-sP is a ping scan and -PI selects ICMP echo probes; newer Nmap versions spell these -sn and -PE):

nmap -n -sP -PI -o amplifier.log '192.168.1.0,15,16,31,32,47,48,63,64,95,96,111,112,127,128,143,144,159,160,175,176,191,192,207,208,223,224,239,240,255'

A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks use the CHARGEN and ECHO UDP services, which listen on UDP ports 19 and 7, respectively. Both behave much like an ICMP ping: ECHO returns whatever it is sent, and CHARGEN answers any datagram with a stream of characters. Because each replies to anyone who sends traffic to its port, a single spoofed datagram that claims to come from the target's ECHO port and is sent to another host's CHARGEN port sets the two services bouncing traffic between each other indefinitely, with the target on the receiving end.

You can use the following tools to perform a Smurf or Fraggle attack:

  • Nemesis
  • Spike
  • Aggressor

LAND Attack
In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an endless loop. Although this is an old attack (first reported in 1997), both Windows XP with Service Pack 2 and Windows Server 2003 were found vulnerable to a revived version at the time this was written (Microsoft has since patched it).

You can use the hping tool (hping3 on current distributions) to craft packets with the same spoofed source and destination address and port.
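All three attacks in the Smurf/Fraggle and LAND sections rely on a packet that is wrong on its face: a SYN from a host to itself, an echo request aimed at a broadcast address, or UDP traffic between the echo and chargen ports. The following added example (not from the original post or from any tool it names) encodes those signatures as checks and runs them over a handful of constructed packet summaries; the Pkt record, the 192.168.1.0/24 "local" subnet and the sample traffic are this example's own assumptions.

```python
# Added example (not from the original post): signature checks for the spoofed-
# packet attacks in the Smurf/Fraggle and LAND sections, run over constructed
# packet summaries. The Pkt record and LOCAL_NETS are assumptions of this example.
import ipaddress
from dataclasses import dataclass

ECHO, CHARGEN = 7, 19
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed: the networks we defend


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags, "S" for SYN
    icmp_type: int = -1  # 8 = echo request


def is_directed_broadcast(addr: str) -> bool:
    """Limited broadcast, or the broadcast/network address of a local subnet
    (old stacks answered both)."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip in (n.broadcast_address, n.network_address) for n in LOCAL_NETS)


def classify(p: Pkt):
    """Name the attack a single packet matches, or None for ordinary traffic."""
    if p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport:
        return "LAND"       # a host asked to open a connection to itself
    if p.proto == "icmp" and p.icmp_type == 8 and is_directed_broadcast(p.dst):
        return "Smurf"      # echo request to a broadcast; every reply hits the spoofed source
    if p.proto == "udp" and p.dport in (ECHO, CHARGEN) and is_directed_broadcast(p.dst):
        return "Fraggle"    # UDP version of the same amplification
    if p.proto == "udp" and {p.sport, p.dport} <= {ECHO, CHARGEN}:
        return "Fraggle"    # echo<->chargen (or echo<->echo) ping-pong loop between two hosts
    return None


def scan(packets):
    """Group matches by attack name. The spoofed source is the real victim, so keep it."""
    hits = {}
    for p in packets:
        name = classify(p)
        if name:
            hits.setdefault(name, []).append(p.src)
    return hits


# Constructed sample traffic (not a real capture)
SAMPLE = [
    Pkt("192.168.1.50", "192.168.1.9", "tcp", 40000, 80, "S"),   # ordinary SYN to a web server
    Pkt("192.168.1.9", "192.168.1.9", "tcp", 80, 80, "S"),       # LAND
    Pkt("192.168.1.9", "192.168.1.255", "icmp", icmp_type=8),    # Smurf
    Pkt("192.168.1.9", "192.168.1.255", "udp", 7, 19),           # Fraggle via broadcast
    Pkt("192.168.1.9", "192.168.1.20", "udp", 7, 19),            # Fraggle loop seed
    Pkt("192.168.1.50", "192.168.1.9", "udp", 53000, 53),        # ordinary DNS query
]

if __name__ == "__main__":
    for name, victims in scan(SAMPLE).items():
        print("%-8s x%d  spoofed source(s): %s" % (name, len(victims), sorted(set(victims))))
```

These are per-packet rules, so they catch the shape of the attack but say nothing about volume; a SYN flood, by contrast, looks like ordinary traffic packet by packet and needs the stateful view shown in the next section.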

SYN Flood

A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between two hosts, as shown previously in pic-1.

With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication can take place until the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.

SYN floods are still successful today for three reasons:

  • SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.
  • SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.
  • SYN packets can be spoofed because the attacker never needs the SYN-ACK that comes back. The source can be any random IP address, which makes filtering on source address useless for security administrators.
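The three points above describe a resource-exhaustion race: spoofed SYNs fill the half-open queue faster than the timeout empties it, and nothing about an individual SYN identifies it as hostile. The following added example (my own code, not from the original post or from any tool it names) is a toy model of a listener's half-open queue under such a flood, with and without SYN cookies, the stateless defence that modern stacks use (Linux enables it with net.ipv4.tcp_syncookies). The queue size, timeout and packet rate are assumed round numbers, and the cookie layout is simplified (a real stack also encodes the MSS in it).

```python
# Added example (not from the original post): a toy model of a listener's half-open
# (SYN_RECV) queue under a spoofed SYN flood, and why SYN cookies defeat it. Queue
# size, timeout and packet rate are assumed round numbers, not measurements; the
# cookie layout is simplified (a real stack also encodes the MSS in it).
import hashlib
import hmac
import random
import struct

BACKLOG = 128       # half-open entries the listener will keep (assumed)
SYN_TIMEOUT = 3.0   # seconds an unanswered SYN-ACK stays in the queue (assumed)


class Listener:
    def __init__(self, backlog: int = BACKLOG, syn_cookies: bool = False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}            # (src_ip, src_port) -> expiry time
        self.secret = b"per-boot secret"
        self.dropped = 0               # SYNs discarded because the queue was full

    def _cookie(self, src: str, sport: int, minute: int) -> int:
        """Stateless ISN: 5 bits of coarse time plus 27 bits of keyed hash of the tuple."""
        mac = hmac.new(self.secret, f"{src}:{sport}:{minute}".encode(), hashlib.sha256).digest()
        return ((minute & 0x1F) << 27) | (struct.unpack("!I", mac[:4])[0] & 0x07FFFFFF)

    def _expire(self, now: float):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, src: str, sport: int, now: float):
        """Handle a SYN; return the ISN put in the SYN-ACK, or None if the SYN was dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src, sport, int(now // 60))   # nothing is stored
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None
        self.half_open[(src, sport)] = now + SYN_TIMEOUT
        return random.getrandbits(32)

    def on_ack(self, src: str, sport: int, acked_isn: int, now: float) -> bool:
        """Third packet of the handshake. With cookies, the ISN the client echoes back
        (its ack number minus one) proves it really received our SYN-ACK, so no queue
        entry was needed; a cookie from the previous minute is still accepted."""
        if self.syn_cookies:
            minute = int(now // 60)
            return any(acked_isn == self._cookie(src, sport, m) for m in (minute, minute - 1))
        return self.half_open.pop((src, sport), None) is not None


def flood(listener: Listener, rate_pps: int, seconds: float, start: float = 0.0) -> float:
    """Spoofed SYNs, each from a different source. The SYN-ACKs go to hosts that never
    asked for them, so no ACK ever completes these handshakes. Returns the end time."""
    now = start
    for i in range(int(rate_pps * seconds)):
        src = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        listener.on_syn(src, 1024 + i % 60000, now)
        now += 1.0 / rate_pps
    return now


def legit_connect(listener: Listener, now: float) -> bool:
    """A real client answers the SYN-ACK 10 ms after its SYN."""
    isn = listener.on_syn("192.168.10.9", 40000, now)
    if isn is None:
        return False
    return listener.on_ack("192.168.10.9", 40000, isn, now + 0.01)


def run_scenario(syn_cookies: bool):
    """Flood at 100 SYN/s for 5 s, then see whether a legitimate client still gets in."""
    lst = Listener(syn_cookies=syn_cookies)
    end = flood(lst, rate_pps=100, seconds=5)
    return legit_connect(lst, end), lst


if __name__ == "__main__":
    for mode in (False, True):
        ok, lst = run_scenario(mode)
        print("syn_cookies=%s: legitimate client %s, %d SYNs dropped"
              % (mode, "connected" if ok else "refused", lst.dropped))
```

With a 128-entry queue and a 3-second timeout, a mere 100 SYN/s (a few kilobytes per second, which is the second point above) keeps the queue permanently full, and the legitimate client's SYN is dropped along with the attacker's. With cookies the listener stores nothing per SYN, so there is no queue to exhaust, and a forged third packet fails the keyed-hash check.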


Tools for Executing DoS Attacks

Hundreds of tools are available to execute DoS attacks. The following sections examine three of the most popular:
Datapool
Spendor Datapool (http://www.packetstormsecurity.org) is a DoS tool that runs on Linux. At press time, Datapool 3 supported more than 100 different DoS attacks. Datapool requires that Fyodor's Nmap (http://www.insecure.org) utility be installed in either /usr/local/bin or /usr/bin. Install Nmap first, and either place it in one of these directories or create a symbolic link pointing to it.

Datapool is intelligent enough to keep a database of the most successful attacks so that you can try them first. It uses the following key files:

  • cipgen.sh—Script for generating the IP addresses in a subnet.
  • datamass.sh—Script for attacking multiple hosts.
  • datapool.sh—Script for attacking a single host.
  • datapool.fc—File that holds information on various DoS attacks. Look in this file to find the keywords to reference attacks when you are executing the program.
  • datapool.db—Database that records the addresses of all IP addresses that were susceptible to DoS attacks.

The following pic shows the datapool.sh command being executed.
(pic 6)

At a minimum, you need to specify the destination target. The following is typical attack syntax for attacking a host at 192.168.10.10 with a spoofed source address of 192.168.10.9:

  #./datapool.sh -d 192.168.10.10 -p 1-1024 -v results.log -l T1 -I 192.168.10.9 -c -t 100

The -v switch records the results into a log file. The -l switch specifies the speed, in this example a T1; adjust it to your bandwidth. The -c switch tells the program to continue its attempts until it successfully halts your target. Finally, the -t switch tells the program how many simultaneous sessions to start. The more sessions you start, the greater your chances of success, but many sessions are processor and memory intensive.

Jolt2
Jolt2 is available on both Linux and Windows operating systems. It is an easy program to use because it does not provide many options. Like many other DoS utilities, it allows you to spoof the source. At its most basic use, type in the target IP address and the spoofed source address to launch a DoS attack:

C:\jolt\jolt2_v1_2>jolt.exe 192.168.1.76 192.168.1.5

jolt2 v1.2 [04 Jun 2002]

Ported to Windows XP by Kalibrc (metinsdr@hotmail.com)

….

Hgod
Hgod is another tool that runs on Windows XP. Like Jolt2 and Datapool, it allows you to spoof your source IP address. With it, you can specify both the protocol (TCP/UDP/ICMP/IGMP) and the port number (for UDP). Although Hgod supports other attacks, its default DoS attack is a TCP SYN flood. To launch a SYN flood against 192.168.10.10 on port 80 with a spoofed address of 192.168.10.9, type the following:

  hgod 192.168.10.10 80 -s 192.168.10.9

Other Tools
There are many more DoS utilities beyond those mentioned in this chapter. You can find many excellent utilities and scripts at http://www.antiserver.it/Denial-Of-Service/index.html.

LIVE TEST !!!
Okay, enough chit chat, so let's do a live test based on the information we just learned. We are attempting to execute a DoS attack against a Windows 2000 Server.

Suppose the attempts to break into the Windows 2000 server have failed; now we are going to bring the server down. We gather a few favorite tools:

  • Hgod
  • Jolt2
  • SMBdie

Hgod and Jolt2 were discussed earlier. SMBdie is another effective DoS tool for unpatched Windows 2000 systems: it crashes them within seconds of execution.

Step 1.  sw0rdf1sh, who is located on the network, has decided to target the Windows 2000 server at 192.168.1.9. He first starts with Hgod, attempting to send a SYN flood against the server:

C:\>hgod 192.168.1.9 80 -s 1.1.1.1

Step 2.  sw0rdf1sh tests the server for responsiveness and notices that it is still up and running. He decides to add a little more excitement.

Step 3.  Starting up Jolt2 against the server, sw0rdf1sh is able to send a continuous stream of UDP packets to port 135 in a continued effort to bring down the target:

C:\>jolt2 192.168.1.9 1.1.1.1 -P udp -p 135

Step 4.  Again, sw0rdf1sh tests the server for responsiveness. He still sees it up and running. He does notice, however, that network activity has increased quite a bit, so the flood is at least degrading service somewhat.

Step 5.  Now, hoping that the server is unpatched, sw0rdf1sh brings out SMBdie (a proof-of-concept tool) and launches it toward the server.
(pic 7)

Step 6.  Now, for one last time, sw0rdf1sh checks for server responsiveness. He gets nothing back in return. The DoS has been a success. Pic 8 displays the current screen on the Windows 2000 Server that sw0rdf1sh was attacking.
(pic 8)
As you can see, sw0rdf1sh tried several tools before achieving a DoS on the target. Although he could have waited, and Jolt2 or Hgod might eventually have tied up the server to the point where it crashed, tools like SMBdie can bring down unpatched systems in seconds. For this reason, it is imperative that you stay up to date with service packs and fixes.

Well, that's it folks. I hope you learned quite a bit about DoS and will hopefully bring down a Windoze system. The best practice is to set up a lab with all the tools running and test on that lab; once you understand the concept, then move on to the real world...
Info taken from: Andrew Whitaker, Daniel P. Newman

So until next time, ciao :]

