
A Seminar Report

On

DOS ATTACK
submitted by

BIPIN BHARTI

In partial fulfillment of the requirements for the Degree of

Bachelor of Technology (B.Tech)
In
Computer Science & Engineering

DEPARTMENT OF COMPUTER SCIENCE


SCHOOL OF ENGINEERING
COCHIN UNIVERSITY OF SCIENCE AND TECHNOLOGY
KOCHI-682022

AUGUST 2010
DOS Attack

ACKNOWLEDGEMENT

I am greatly indebted to Dr. David Peter, Head of Department, Division of Computer Science, CUSAT, for permitting me to undertake this work.

I express my heartfelt gratitude to my respected seminar guide Mrs. Anupama V for her kind and inspiring advice, which helped me to understand the subject and its semantic significance.

I am extremely thankful to the respected Lecturer in Computer Science Mr. Sudheep Elayidom, who shared valuable suggestions on presentation issues.

I am also very thankful to my colleagues who helped and co-operated with me in conducting the seminar by their active participation.

BIPIN BHARTI

Division Of Computer Engineering, SOE, CUSAT Page 1



ABSTRACT

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. There are two general forms of DoS attacks: those that crash services and those that flood services.

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.


TABLE OF CONTENTS

1 INTRODUCTION 5-6
2 IP SPOOFING 7
3 TYPES OF DOS ATTACK 8-17
4 REAL LIFE EXAMPLES 18-20
5 DDOS ATTACK 21-22
6 RECOMMENDED TOOLS TO PERFORM DOS ATTACK 23-26
7 COUNTERMEASURES 27-28
8 DENIAL OF SERVICE ATTACK AND LAW 29
9 CONCLUSION 30
10 REFERENCES 31


LIST OF FIGURES

1 DOS ATTACK 6
2 IP SPOOFING 7
3 PING OF DEATH 8
4 TEAR DROP ATTACK 11
5 SYN FLOODING ATTACK 12
6 SMURF ATTACK 14
7 DDOS ATTACK 22


CHAPTER-1
INTRODUCTION
DoS attacks, or Denial of Service attacks, have become very common amongst hackers, who use them as a path to fame and respect in the underground groups of the Internet. A Denial of Service attack basically means denying valid Internet and network users the use of the services of the target network or server. In other words, it means launching an attack which will temporarily make the services offered by the network unusable by legitimate users.

One can also describe a DoS attack by saying that it is one in which you clog up so much memory on the target system that it cannot serve legitimate users, or in which you send the target system data packets which it cannot handle, causing it either to crash, to reboot or, more commonly, to deny services to legitimate users.

DoS attacks are of the following different types:

1. Those that exploit vulnerabilities in the TCP/IP protocol suite.
2. Those that exploit vulnerabilities in the IPv4 implementation.
3. Brute force attacks, which try to use up all the resources of the target system and make the services unusable.

Symptoms and Manifestations

The United States Computer Emergency Response Team defines the symptoms of denial-of-service attacks to include:

• Unusually slow network performance (opening files or accessing web sites)
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)


Denial-of-service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, compromising not only the intended computer but also the entire network.

If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised, without the attacker's knowledge or intent, by incorrectly configured or flimsy network infrastructure equipment.

Before I go on with DoS attacks, let me explain some vulnerabilities in TCP/IP itself. Some common vulnerabilities are Ping of Death, Teardrop, SYN attacks and Land attacks.

Figure 1: DOS Attack


CHAPTER-2
IP SPOOFING
IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that the packets appear to be coming from that host.

Newer routers and firewall arrangements can offer protection against IP spoofing.

Figure 2: IP Spoofing


CHAPTER-3

TYPES OF DDOS ATTACK

Ping of Death

This vulnerability is quite well known and was earlier commonly used to hang remote systems (or even force them to reboot) so that no users could use their services. This exploit no longer works, as almost all system administrators will have upgraded their systems, making them safe from such attacks. In this attack, the target system is pinged with a data packet that exceeds the maximum bytes allowed by TCP/IP, which is 65,536. This would almost always have caused the remote system to hang, reboot or crash. This DoS attack could be carried out even from the command line, in the following manner. The following ping command creates a giant datagram of size 65540 for ping; it might hang the victim's computer:

C:\windows>ping -l 65540

Figure 3: Ping of Death

How to test if you're vulnerable

Unfortunately, this bug is really easy to exploit. Users are already trying it out "just to see if
it worked". So, to test if your machine is in danger, find a Windows '95 or NT box (3.51 or
4), and run the following command:

ping -l 65550 your.host.ip.address



How to prevent people from breaking your system

If no patch is available, and your main concern is pings from users outside your network, it would seem the best quick-fix solution is to block ping at the firewall. This is not a long-term solution. If you have any services listening on any ports at all, they are vulnerable. Be assured that sooner or later someone will come out with a program which sends invalid packets to a web server or an ftp port. The only solution is to patch your operating system.

By blocking ping, you prevent people from pinging you at all. This could possibly break some things that rely on it.

A better solution than blocking all pings is to block only fragmented pings. This will allow your common-or-garden 64 byte ping through on almost all systems, while blocking any bigger than the MTU size of your link. (This varies, but about 1k is a good bet.)

Ping flood

A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets. It only succeeds if the attacker has more bandwidth than the victim (for instance an attacker with a DSL line and the victim on a dial-up modem). The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming outgoing bandwidth as well as incoming bandwidth. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown. There are two general forms of DoS attacks: those that crash services and those that flood services.


Teardrop

The Teardrop attack exploits a vulnerability in the reassembly of data packets. Whenever data is sent over the Internet, it is broken down into smaller fragments at the source system and put together again at the destination system. Say you need to send 4000 bytes of data from one system to the other; then not all of the 4000 bytes are sent in one go. The entire chunk of data is first broken down into smaller parts and divided into a number of packets, with each packet carrying a specified range of the data. For example, say the 4000 bytes are divided into 3 packets; then:

The first packet will carry data from byte 1 to byte 1500
The second packet will carry data from byte 1501 to byte 3000
The third packet will carry data from byte 3001 to byte 4000

These packets have an OFFSET field in their TCP header part. This Offset field specifies from which byte to which byte that particular data packet carries data, i.e. the range of data that it is carrying. This, along with the sequence numbers, helps the destination system to reassemble the data packets in the correct order. Now in this attack, a series of data packets is sent to the target system with overlapping Offset field values. As a result, the target system is not able to reassemble the packets and is forced to crash, hang or reboot.
Say for example, consider the following scenario (note: ___ = 1 data packet). Normally a system receives data packets in the following form, with no overlapping Offset values:

___ (1 to 1500 bytes)
___ (1501 to 3000 bytes)
___ (3001 to 4500 bytes)

Now in a Teardrop attack, the data packets are sent to the target computer in the following format:

___ (1 to 1500 bytes)
___ (1500 to 3000 bytes)
___ (1001 to 3600 bytes)

When the target system receives something like the above, it simply cannot handle it and will crash, hang or reboot.
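
As an added example (not code from the report), the following Python models the defensive side of both the Ping of Death and Teardrop sections above: a fragment reassembler that drops any fragment that would push the datagram past the 65,535-byte IPv4 limit and any fragment whose byte range overlaps data already accepted. The Fragment and Reassembler classes, the sample fragment lists and the 1480-byte payload sizes are constructed for the example; in IPv4 the fragment offset is carried in the IP header in 8-byte units, which is why offsets are required to be multiples of 8.

```python
from __future__ import annotations

from dataclasses import dataclass

MAX_DATAGRAM = 65535  # the IPv4 total-length field is 16 bits wide


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this payload within the datagram (IP header carries offset/8)
    length: int   # payload bytes in this fragment
    more: bool    # IP "more fragments" flag; False marks the last fragment

    @property
    def end(self) -> int:
        return self.offset + self.length


class Reassembler:
    """Tracks the fragments of one datagram and rejects malformed sequences."""

    def __init__(self) -> None:
        self.ranges: list[tuple[int, int]] = []   # accepted (start, end) byte ranges
        self.total: int | None = None             # datagram length, known from the last fragment

    def accept(self, frag: Fragment) -> str:
        """Return 'ok' if the fragment is accepted, else a 'drop: ...' reason."""
        if frag.offset % 8 != 0:
            return "drop: offset not a multiple of 8"
        if frag.length <= 0:
            return "drop: empty fragment"
        if frag.end > MAX_DATAGRAM:
            # Ping of Death: the reassembled datagram would exceed 65535 bytes
            return "drop: ping-of-death (datagram exceeds 65535 bytes)"
        for start, end in self.ranges:
            if frag.offset < end and start < frag.end:
                # Teardrop: this fragment overlaps data that was already accepted
                return "drop: teardrop (fragment overlaps accepted range)"
        if not frag.more:
            if self.total is not None:
                return "drop: second 'last' fragment"
            self.total = frag.end
        elif self.total is not None and frag.end > self.total:
            return "drop: fragment extends past the last fragment"
        self.ranges.append((frag.offset, frag.end))
        return "ok"

    def complete(self) -> bool:
        """True when the accepted fragments cover [0, total) with no gaps."""
        if self.total is None:
            return False
        pos = 0
        for start, end in sorted(self.ranges):
            if start != pos:
                return False
            pos = end
        return pos == self.total


def check_sequence(frags: list[Fragment]) -> tuple[list[str], bool]:
    """Run a fragment list through a fresh reassembler; return (verdicts, complete)."""
    r = Reassembler()
    verdicts = [r.accept(f) for f in frags]
    return verdicts, r.complete()


# Constructed samples (1480-byte payloads, as with a 1500-byte MTU and a 20-byte IP header)
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 1480, False)]
TEARDROP = [Fragment(0, 1480, True), Fragment(1000, 1480, True), Fragment(2960, 640, False)]
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(65528, 12, False)]   # would end at byte 65540

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(f"{name}: {check_sequence(seq)}")
```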

Figure 4: Teardrop Attack


SYN Flooding Attack

The SYN attack exploits TCP/IP's three-way handshake. Thus, in order to understand how SYN attacks work, you need to first know how TCP/IP establishes a connection between two systems. Whenever a client wants to establish a connection with a host, three steps take place. These three steps are referred to as the three-way handshake. In a normal three-way handshake, the client sends a SYN packet to the host, the host replies to this packet with a SYN/ACK packet, and then the client responds with an ACK (Acknowledgement) packet. This will be clearer from the following depiction of these steps:

Figure 5: SYN Flooding Attack (the client sends SYN packets whose source address is spoofed; the server, in SYN_RCVD state after its passive open, replies SYN/ACK to each and keeps waiting for the lost or unreached acknowledgement until the TCP timeout)

1. Client --------SYN Packet--------> Host

In the first step the client sends a SYN packet to the host with which it wants to establish a three-way connection. The SYN packet requests a connection from the remote system. It also contains the Initial Sequence Number (ISN) of the client, which is needed by the host to put the fragmented data back in the correct sequence.

2. Host --------SYN/ACK Packet--------> Client

In the second step, the host replies to the client with a SYN/ACK packet. This packet acknowledges the SYN packet sent by the client and sends the client the host's own ISN.

3. Client --------ACK Packet--------> Host

In the last step the client acknowledges the SYN/ACK packet sent by the host by replying with an ACK packet. These three steps together are known as the 3-way handshake, and only when they are completed is a complete TCP/IP connection established.
In a SYN attack, several SYN packets are sent to the server, but all these SYN packets have a bad source IP address. When the target system receives these SYN packets with bad (spoofed) IP addresses, it tries to respond to each one of them with a SYN/ACK packet. But the reply goes to the spoofed IP address, not to the attacker's IP address at all. Now the target system waits for an ACK message to come from the bad IP address. However, as the bad IP address does not actually exist, the target system never receives the ACK packet. It thus queues up all these requests until it receives an ACK message. The requests are not removed unless and until the target system gets an ACK message. Thus in all cases only 2 steps are executed, and the 3rd step is never executed at all. Hence these requests take up or occupy valuable resources of the target machine. To actually affect the target system, a large number of SYN packets with bad IP addresses have to be sent. As these packets have a bad source IP, they queue up, use up the resources and memory of the target system and eventually crash, hang or reboot the system. And since the spoofed IP addresses might not exist, the SYN/ACK packets are likely to travel through the network until their TTL expires.
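
Added example, not code from the report: the stateful listener below shows how a bounded half-open backlog fills with spoofed SYNs that never get their ACK, and the cookie functions show the SYN-cookie defence in simplified form, where the server encodes a time counter, an MSS index and a keyed hash into its ISN and keeps no state until a valid ACK arrives. The cookie layout (6-bit counter, 2-bit MSS index, 24-bit HMAC), the backlog size and the addresses are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-server key for the cookie MAC; rotated in practice
COOKIE_WINDOW = 64                 # seconds per counter tick
MSS_TABLE = (536, 1220, 1460)      # MSS values representable by the 2-bit index


class StatefulListener:
    """Classic listener: each SYN occupies a backlog slot until its ACK or a timeout."""

    def __init__(self, backlog=5, timeout=75.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}        # (src, sport) -> expiry time of the half-open entry

    def on_syn(self, src, sport, now):
        """Return True if the SYN got a slot, False if the backlog is full."""
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[(src, sport)] = now + self.timeout
        return True


def stateful_flood_demo():
    """Five spoofed SYNs fill a backlog of five; a genuine client one second later is refused."""
    srv = StatefulListener(backlog=5)
    spoofed = [srv.on_syn(f"10.9.{i}.{i}", 40000 + i, now=0.0) for i in range(5)]
    legit = srv.on_syn("192.0.2.10", 51000, now=1.0)
    return all(spoofed), legit


def _counter(now):
    return int((time.time() if now is None else now) // COOKIE_WINDOW) & 0x3F


def _mac24(src, dst, sport, dport, counter):
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, mss, now=None):
    """ISN for the SYN/ACK: 6-bit time counter | 2-bit MSS index | 24-bit keyed MAC."""
    counter = _counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 26) | (mss_idx << 24) | _mac24(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, now=None):
    """Validate the client's ACK (cookie + 1); return the encoded MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx, mac = cookie >> 26, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    current = _counter(now)
    if counter not in (current, (current - 1) & 0x3F):
        return None                    # stale: older than two counter ticks
    expected = _mac24(src, dst, sport, dport, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None                    # MAC mismatch: forged or misdirected ACK
    return MSS_TABLE[mss_idx]


def cookie_handshake_demo():
    """A real client completes the handshake; an ACK from a different source is rejected."""
    client, server = ("192.0.2.10", 51000), ("198.51.100.5", 80)
    isn = make_cookie(client[0], server[0], client[1], server[1], mss=1460, now=1000.0)
    legit = check_cookie(client[0], server[0], client[1], server[1], isn + 1, now=1000.0)
    forged = check_cookie("10.9.9.9", server[0], client[1], server[1], isn + 1, now=1000.0)
    return legit, forged               # -> (1460, None)
```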


Land Attacks

A Land attack is similar to a SYN attack, the only difference being that instead of a bad IP address, the IP address of the target system itself is used. This creates an infinite loop between the target system and itself. However, almost all systems have filters or firewalls against such attacks.

Smurf Attacks

Figure 6: Smurf Attack

A Smurf attack is a sort of brute force DoS attack, in which a huge number of ping requests are sent to a system (normally the router) in the target network, using spoofed IP addresses from within the target network. As and when the router gets a ping message, it will route it or echo it back, in turn flooding the network with packets and jamming the traffic. If there are a large number of nodes, hosts etc. in the network, then it can easily clog the entire network and prevent any use of the services provided by it.


The two main components to the smurf denial-of-service attack are the use of forged ICMP
echo request packets and the direction of packets to IP broadcast addresses.

The Internet Control Message Protocol (ICMP) is used to handle errors and exchange
control messages. ICMP can be used to determine if a machine on the Internet is
responding. To do this, an ICMP echo request packet is sent to a machine. If a machine
receives that packet, that machine will return an ICMP echo reply packet. A common
implementation of this process is the "ping" command, which is included with many
operating systems and network software packages. ICMP is used to convey status and error
information including notification of network congestion and of other network transport
problems. ICMP can also be a valuable tool in diagnosing host or network problems.

On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside of the local network, it is broadcast to all machines on the target network (as long as routers are configured to pass along that traffic).

IP broadcast addresses are usually network addresses with the host portion of the address
having all one bits. For example, the IP broadcast address for the network 10.0.0.0 is
10.255.255.255. If you have subnetted your class A network into 256 subnets, the IP
broadcast address for the 10.50 subnet would be 10.50.255.255. Network addresses with all
zeros in the host portion, such as 10.50.0.0, can also produce a broadcast response.

In the "smurf" attack, attackers are using ICMP echo request packets directed to IP
broadcast addresses from remote locations to generate denial-of-service attacks. There are
three parties in these attacks: the attacker, the intermediary, and the victim (note that the
intermediary can also be a victim).

The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.

When the attackers create these packets, they do not use the IP address of their own
machine as the source address. Instead, they create forged packets that contain the spoofed
source address of the attacker's intended victim. The result is that when all the machines at
the intermediary's site respond to the ICMP echo requests, they send replies to the victim's
machine. The victim is subjected to network congestion that could potentially make the
network unusable. Even though we have not labeled the intermediary as a "victim," the
intermediary can be victimized by suffering the same types of problem that the "victim"
does in these attacks.

Attackers have developed automated tools that enable them to send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim. Attackers have also developed tools to look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can then subsequently be used as intermediaries in attacks.

Solution

Disable IP-directed broadcasts at your router.

One solution to prevent your site from being used as an intermediary in this attack is to
disable IP-directed broadcasts at your router. By disabling these broadcasts, you configure
your router to deny IP broadcast traffic onto your network from other networks. In almost
all cases, IP-directed broadcast functionality is not needed.

This network management best practice is described in more detail in the following
document authored by Daniel Senie of Amaranth Networks Inc.:

You should disable IP-directed broadcasts on all of your routers. It is not sufficient to
disable IP-directed broadcasts only on the router(s) used for your external network
connectivity. For example, if you have five routers connecting ten LANs at your site, you
should turn off IP-directed broadcasts on all five routers.


1. Configure your operating system to prevent the machine from responding to ICMP packets sent to IP broadcast addresses.

If an intruder compromises a machine on your network, the intruder may try to launch a smurf attack from your network using you as an intermediary. In this case, the intruder would use the compromised machine to send the ICMP echo request packet to the IP broadcast address of the local network. Since this traffic does not travel through a router to reach the machines on the local network, disabling IP-directed broadcasts on your routers is not sufficient to prevent this attack.

Some operating systems can be configured to prevent the machine from responding
to ICMP packets sent to IP broadcast addresses. Configuring machines so that they
do not respond to these packets can prevent your machines from being used as
intermediaries in this type of attack.
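
The router and host checks from the smurf "Solution" above, together with the ingress filtering that Chapter 2 says newer routers offer against IP spoofing, as an added Python example (not the report's code). The subnets, addresses and packet list are constructed; filter_external_packet assumes it only sees packets arriving on the site's external interface.

```python
import ipaddress

# Constructed site layout: the subnets behind the border router
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "10.51.0.0/16", "192.0.2.0/24")]


def broadcast_targets(subnets):
    """Directed-broadcast destinations: the all-ones host address of each subnet,
    plus the all-zeros network address, which the report notes can also draw replies."""
    targets = set()
    for net in subnets:
        targets.add(net.broadcast_address)
        targets.add(net.network_address)
    return targets


BROADCASTS = broadcast_targets(LOCAL_SUBNETS)


def is_local(addr):
    return any(addr in net for net in LOCAL_SUBNETS)


def filter_external_packet(src, dst):
    """Decision for a packet arriving on the external interface: ('drop', reason) or ('accept', '')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in BROADCASTS:
        # Every host on the subnet would reply, and the replies go to the (spoofed) source
        return "drop", "directed broadcast into local subnet (smurf intermediary)"
    if is_local(s):
        # A packet from outside can never legitimately carry an inside source address
        return "drop", "spoofed local source on external interface (ingress filter)"
    return "accept", ""


def host_replies_to_echo(dst, host_addr, host_net, ignore_broadcasts=True):
    """Host-side setting: answer an echo request only if it is unicast to this host,
    or also when it is broadcast if the OS is left at the permissive setting."""
    d = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(host_net)
    if d == ipaddress.ip_address(host_addr):
        return True
    if d in (net.broadcast_address, net.network_address):
        return not ignore_broadcasts
    return False


# Constructed packets as seen on the external interface: (source, destination)
PACKETS = [
    ("203.0.113.7", "10.50.255.255"),   # echo request to the 10.50 subnet broadcast
    ("203.0.113.7", "10.50.0.0"),       # all-zeros form of the same broadcast
    ("10.50.1.20", "10.50.1.30"),       # claims a local source although it arrived from outside
    ("203.0.113.7", "10.50.1.30"),      # ordinary unicast ping from a remote host
]


def filter_batch(packets):
    """Verdict ('drop'/'accept') for each packet in order."""
    return [filter_external_packet(src, dst)[0] for src, dst in packets]
```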

UDP Flooding

This kind of flooding is done against two target systems and can be used to stop the services offered by either of the two systems. The two target systems are connected to each other: one generates a series of characters for each packet received (in other words, it is asked for the UDP character generating service), while the other system echoes all characters it receives. This creates an infinite, non-stopping loop between the two systems, making them useless for any data exchange or service provision.

Loop back flooding attack

It is one of the oldest types of DoS attack.


CHAPTER-4
REAL LIFE EXAMPLES

Updates on the status of the Twitter service on Aug 6, 2009

Thursday August 6

Ongoing denial-of-service attack

We are defending against a denial-of-service attack, and will update status again shortly.

Update: the site is back up, but we are continuing to defend against and recover from this attack.

Update (9:46a): As we recover, users will experience some longer load times and slowness. This includes timeouts to API clients. We're working to get back to 100% as quickly as we can.

Update (4:14p): Site latency has continued to improve, however some web requests continue to fail. This means that some people may be unable to post or follow from the website.

Other examples follow:

• The first major attack involving DNS servers as reflectors occurred in January 2001. The target was Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack), lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS records that were a year old at the time of the attack.

• In February 2001, the Irish Government's Department of Finance server was hit by a denial of service attack carried out as part of a student campaign from NUI Maynooth. The Department officially complained to the University authorities and a number of students were disciplined.


• In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS related attacks, including an optimized form of a reflection attack.

• On two occasions to date, attackers have performed DNS backbone DDoS attacks on the DNS root servers. Since these machines are intended to provide service to all Internet users, these two denial of service attacks might be classified as attempts to take down the entire Internet, though it is unclear what the attackers' true motivations were. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers. The second occurred in February 2007 and caused disruptions at two of the root servers.

• In February 2007, more than 10,000 online game servers in games such as Return to Castle Wolfenstein, Halo, Counter-Strike and many others were attacked by the hacker group RUS. The DDoS attack was made from more than a thousand computers located in the republics of the former Soviet Union, mostly Russia, Uzbekistan and Belarus. Minor attacks are still continuing to be made today.

• In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack directed at Georgian government sites, containing the message "win+love+in+Rusia", effectively overloaded and shut down multiple Georgian servers. Websites targeted included the web site of the Georgian president, Mikhail Saakashvili, rendered inoperable for 24 hours, and the National Bank of Georgia. While heavy suspicion was placed on Russia for orchestrating the attack through a proxy, the St. Petersburg-based criminal gang known as the Russian Business Network, or R.B.N., the Russian government denied the allegations, stating that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

• During the 2009 Iranian election protests, foreign activists seeking to help the opposition engaged in DDoS attacks against Iran's government. The official website of the Iranian government (ahmedinejad.ir) was rendered inaccessible on several occasions. Critics claimed that the DDoS attacks also cut off internet access for protesters inside Iran; activists countered that, while this may have been true, the attacks still hindered President Mahmoud Ahmadinejad's government enough to aid the opposition.

• On June 25, 2009, the day Michael Jackson died, the spike in searches related to Michael Jackson was so big that Google News initially mistook it for an automated attack. As a result, for about 25 minutes, when some people searched Google News they saw a "We're sorry" page before finding the articles they were looking for.

• In June 2009 the P2P site The Pirate Bay was rendered inaccessible due to a DDoS attack. This was most likely provoked by the recent sellout to Global Gaming Factory X AB, which was seen as a "take the money and run" solution to the website's legal issues. In the end, due to the buyers' financial troubles, the site was not sold.

• Multiple waves of July 2009 cyber attacks targeted a number of major websites in South Korea and the United States. The attackers used a botnet, and file updates over the Internet are known to have assisted its spread. As it turns out, a computer trojan was coded to scan for existing MyDoom bots. MyDoom was a worm in 2004, and in July around 20,000-50,000 were present. MyDoom has a backdoor, which the DDoS bot could exploit. Afterwards, the DDoS bot removed itself and completely formatted the hard drives. Most of the bots originated from China and North Korea.

• On August 6, 2009 several social networking sites, including Twitter, Facebook, Livejournal, and Google blogging pages were hit by DDoS attacks, apparently aimed at Georgian blogger "Cyxymu". Although Google came through with only minor set-backs, these attacks left Twitter crippled for hours, and Facebook did eventually restore service although some users still experienced trouble. Twitter's site latency continued to improve, however some web requests continued to fail.

• In July and August 2010, the Irish Central Applications Office server was hit by a denial of service attack on four separate occasions, causing difficulties for thousands of second level students who are required to use the CAO to apply for university and college places. The attack is currently subject to a Garda investigation.


CHAPTER-5
DISTRIBUTED DOS ATTACKS

DoS attacks are not new; in fact they have been around for a long time. However, there has been a recent wave of Distributed Denial of Service attacks which pose a great threat to security and are on the verge of overtaking viruses/trojans to become the deadliest threat to Internet security. In almost all of the above TCP/IP vulnerabilities which are being exploited by hackers, there is a high chance of the target's system administrator or the authorities tracing the attacks and getting hold of the attacker.

What is commonly done now is this: say a group of 5 hackers join up and decide to bring a Fortune 500 company's server down. Each one of them breaks into a smaller, less protected network and takes it over. So now they have 5 networks, and supposing there are around 20 systems in each network, this gives these hackers around 100 systems in all to attack from. So, sitting at their home computers, they connect to the hacked, less protected networks, install a Denial of Service tool on them, and using these hacked systems in the various networks launch attacks on the actual Fortune 500 company. This makes the hackers harder to detect and helps them to do what they wanted to do without getting caught. As they have full control over the smaller, less protected networks, they can easily remove all traces before the authorities get there.

Not even a single system connected to the Internet is safe from such DDoS attacks. All platforms, including Unix and Windows NT, are vulnerable to such attacks. Even MacOS has not been spared, as some Macs are being used to conduct such DDoS attacks.

Typical DDoS Attacks

In a typical DDoS attack, the army of the attacker consists of master zombies and slave zombies. The hosts of both categories are compromised machines that have arisen during the scanning process and are infected by malicious code. The attacker coordinates and orders master zombies and they, in turn, coordinate and trigger slave zombies. More specifically, the attacker sends an attack command to master zombies and activates all attack processes on those machines, which are in hibernation, waiting for the appropriate command to wake up and start attacking. Then the master zombies, through those processes, send attack commands to slave zombies, ordering them to mount a DDoS attack against the victim. In that way, the agent machines (slave zombies) begin to send a large volume of packets to the victim, flooding its system with useless load and exhausting its resources. Figure 4 shows this kind of DDoS attack.

Figure 7: DDoS Attack


CHAPTER-6
RECOMMENDED TOOLS TO PERFORM DDOS ATTACK

These tools are easily available on the internet and can be downloaded to use:

• Tribal flood network or TFN DDoS attacking tool
• Trinoo
• Babbed wire – best tool, combining the features of both.
• Mstring
• Shaft
• Win trinoo is a Windows based trinoo tool

All of the above tools are available, but they require a Unix system, except of course the win trinoo tool.

The DDoS attack relies on the covert existence of certain program tools on compromised machines. These tools enable an attacker to formulate, prepare and implement a DDoS attack. The current report collates information on two common and related DDoS attack tools: trinoo, a Unix based tool, and wintrinoo, a recent Windows based tool. To this end, details are provided of the attack anatomy, the tool structure and function, and possible lines of defence. Although the details pertain directly to the (win)trinoo tools, certain generalities can be extracted that provide a coherent view of all DDoS attacks (such as the TFN, TFN2K, Stacheldraht, and Smurf attacks).

Trinoo

Trinoo (also known as trin00) was the first well known DDoS attack used against the University of Minnesota, in August 1999. This two day attack involved flooding servers with UDP packets originating from thousands of machines. Source addresses were not spoofed, so the systems running the offending daemons were contacted. However, the attacker responded simply by introducing new daemon machines into the attack. Trinoo was first found as a binary daemon on a number of compromised Solaris 2.x systems. Malicious code had been introduced through exploitation of buffer over-run bugs in the remote procedure call (RPC) services 'statd', 'cmsd' and 'ttdbserverd'.

The trinoo DDoS formulation begins with the attacker compromising one of many master systems. These systems are set up with vulnerability scanning tools, root kits (to conceal malicious programs, files and connections), the master and trinoo daemon programs, and a list of vulnerable hosts (which are potential daemon systems). DDoS attack preparation involves the master(s) scanning for systems exhibiting the vulnerabilities described above (typically Solaris 2.x and Linux systems). A list of vulnerable systems is then passed to an exploit script that compromises each system, sets up and connects a listening shell (tcp port 1524), and compiles a list of successful compromises, or 'owned' systems. The list of 'owned' systems is passed to another script that installs the trinoo daemon and a root kit via the open tcp port 1524, completing the construction of the 'trinoo network'.

The DDos attack begins when the attacker connects (to masters) via telnet to tcp port 27665
and enters a password (the password was "betaalmostdone" in the case examined by
Dittrich). Masters then pass command lines to daemons via UDP port 27444. These
commands are password protected and are of the form: arg1 password arg2. Daemons
respond to masters on UDP port 31335. Masters form a list of alive daemons by listening
for the text "*HELLO*" in the data portion of UDP packets originating from daemons.

Attackers can send a number of commands to masters. Examples are:

• quit - log off from the master
• dos IP - launch a DDoS attack against the address IP
• mdos - launch a multiple DDoS attack
• bcast - form a list of started daemons

Masters can send commands to daemons according to what the attacker has ordered. For
example:

• aaa password IP - DoS attack address IP by sending UDP packets to random (0-65534) UDP ports
• bbb password N - period of time in seconds to run the DoS attack
• rsz N - set the size of UDP packets to N bytes
• d1e - shut down the daemon

Trinoo programs can be detected if active on the master and daemon systems, unless root
kits have been installed to hide them. The command netstat -a --inet will show TCP port 27665 and UDP
port 27444 open on the master, and UDP port 31335 open on the daemon.

Wintrinoo

The addition of Windows machines to the pool of potential zombies increases the overall
threat and destructive capability of DDoS attacks. Wintrinoo is a Windows version of trinoo
that was first reported to CERT on February 16th 2000 (CERT IN-2000-01). (Note that
TFN2K, derived from TFN, also runs on NT and appeared in December 1999.) In the
wintrinoo case, zombies are formed by machines that run the program service.exe.
Typically, this program comes to be executed in one of a number of ways:

• users run the program when it arrives as an e-mail attachment
• it is executed by document macros
• it is installed and run via Back Orifice.

When executed, service.exe installs a copy of itself to \windows\system and adds a registry
entry that makes it restart when the system restarts. The pertinent key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
When running, service.exe will appear in the Windows task list and can be ended. However,
service.exe will restart unless the registry entry is deleted. It must be noted that
service.exe is distinct from the normal services.exe.

service.exe is approximately 23 kB in size and will run on Windows NT4, 95 and 98. It differs from the
trinoo daemon in that it listens for masters on UDP port 34555 and passes information to
the masters on UDP port 35555. As with trinoo, this can be observed using the command
netstat -an. service.exe has been found on systems concurrently infected with Back Orifice,
suggesting that this trojan horse may have been the method of entry (Gary Flynn, 2000).
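As an added example that is not part of this report, the netstat checks described in the trinoo and wintrinoo sections above can be turned into a small defender-side script that parses netstat output and flags the control ports listed there; the sample netstat lines are constructed, and the port roles are taken from the report.

```python
# Control ports named in the report, keyed by (protocol, local port).
TRINOO_PORTS = {
    ("tcp", 27665): "trinoo master: attacker login via telnet",
    ("udp", 27444): "trinoo master: commands sent to daemons",
    ("udp", 31335): "trinoo daemon: replies (*HELLO*) to masters",
    ("udp", 34555): "wintrinoo daemon: listens for masters",
    ("udp", 35555): "wintrinoo daemon: replies to masters",
}

def parse_netstat(text):
    """Yield (proto, local_port) per socket line of Linux 'netstat -a --inet'
    or Windows 'netstat -an' output; header and blank lines are skipped."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto = tokens[0].lower().rstrip("6")  # tcp/udp/tcp6/udp6 -> tcp/udp
        if proto not in ("tcp", "udp"):
            continue
        # First token after the protocol that carries a port; this skips the
        # numeric Recv-Q/Send-Q counters that Linux prints before the address.
        local = next((t for t in tokens[1:] if ":" in t), None)
        if local is None:
            continue
        port = local.rsplit(":", 1)[1]  # also handles IPv6 forms like :::27665
        if port.isdigit():
            yield proto, int(port)

def find_trinoo_ports(text):
    """Return [(proto, port, description)] for sockets on known trinoo ports."""
    return [(p, n, TRINOO_PORTS[(p, n)])
            for p, n in parse_netstat(text) if (p, n) in TRINOO_PORTS]
# Constructed sample output (not captured from a real host).
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27665           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:27444           0.0.0.0:*
"""
WINDOWS_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:34555          *:*
  UDP    0.0.0.0:35555          *:*
"""
if __name__ == "__main__":
    for proto, port, what in find_trinoo_ports(LINUX_SAMPLE + WINDOWS_SAMPLE):
        print(f"{proto}/{port}: {what}")
```

A hit on one of these ports is only an indicator; the daemon could be reconfigured to other ports, and a root kit can hide sockets from netstat altogether, so confirm with a file-system integrity check as recommended in the countermeasures.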


CHAPTER-7

COUNTERMEASURES

The best defence against DDoS attacks is to prevent initial system compromises. Generally,
this involves installing patches, running antivirus software, using a firewall and monitoring for
intruders. However, even vigilant hosts can become targets because of less prepared, less
security-aware hosts (especially if these hosts have always-on high-speed internet
connections). Many systems are compromised because patches for vulnerabilities reported
and fixed months beforehand were never installed. Similarly, such systems often run anti-virus
software that is not kept up to date, which lets these attacks succeed or leaves a loophole.

It is difficult to specifically defend against becoming the ultimate target of a DDoS attack,
but protection against being used as a daemon or master system is more easily attainable.
To this end, the following measures should be met:

• Check frequently for patches and subscribe to automatic vendor notifications
• Attempt to understand the vulnerabilities in your software and configuration
• Disable unnecessary network software
• Only accept program files from trusted sources (or at least be cautious)

For Unix operators:

• Limit accessibility with network access control tools, e.g. TCP Wrappers
• Use file system integrity checks, e.g. Tripwire
• Download programs to test for common DDoS attack tools. For example:
http://www.fbi.gov/nipc/trinoo.htm for Sun and Linux boxes
http://www.theorygroup.com/Software/RID for all Unix platforms (Remote
Intrusion Detector, for detecting the trinoo, TFN and stacheldraht DDoS tools).


For Windows operators:

• Keep anti-virus (e.g. Norton) and anti-trojan (e.g. BOClean) software up to date
• Disable scripting in browsers and e-mail clients
• Run a desktop firewall
• Download Wtrinscan.exe, which scans for wintrinoo
• The system administrator should compartmentalise critical services, for example
separate sections for FTP servers, mail servers, web servers, etc., so that if one server
is brought down by attackers the others are not affected. This is expensive, but for
security purposes the benefit outweighs the cost.
• Always buy more bandwidth than is normally required, to absorb sudden traffic;
for example, if you need to handle 1 million users you should buy the
bandwidth for 2 million users.
• It is also good practice to filter out malicious traffic as early as possible; this can
only be done if you work closely with your ISPs, for example by blocking a
range of bad IP addresses identified from the statistics your ISPs provide.
• Disable publicly available services that are not needed.
• Balance the traffic load across a set of different servers; for example, Google has 4
nameservers.
• Update your system frequently by checking with the vendors.
• IPsec: IP security is not widely implemented commercially; if implemented, it would provide
proper authentication.
• You must have measures in place that can detect DDoS tools and daemons.


CHAPTER-8
DENIAL-OF-SERVICE ATTACKS AND THE LAW
In the Police and Justice Act 2006, the United Kingdom specifically outlawed denial-of-
service attacks and set a maximum penalty of 10 years in prison.

In the US, denial-of-service attacks can be a serious federal crime under the National Information Infrastructure
Protection Act of 1996, with penalties that include years of imprisonment, and many
countries have similar laws.

A U.K. law has been passed that makes it an offense to launch denial-of-service attacks,
which experts had previously called "a legal gray area."

Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on
Wednesday, is a clause that makes it an offense to impair the operation of any computer
system. Other clauses prohibit preventing or hindering access to a program or data held on
a computer, or impairing the operation of any program or data held on a computer.

The maximum penalty for such cybercrimes has also been increased from 5 years to 10
years.


CHAPTER-9
CONCLUSION

DDoS attack tools are readily available, and any internet host is targetable as either a zombie
or the ultimate DDoS focus. These attacks can be costly and frustrating and are difficult, if
not impossible, to eradicate. The best defence is to hinder attackers through vigilant system
administration. Applying patches, updating anti-malware programs, monitoring systems
and reporting incidents do more than hinder DDoS attacks – these defences
also protect against other attacks.

The Internet is not stable—it reforms itself rapidly. This means that DDoS countermeasures
quickly become obsolete. New services are offered through the Internet, and new attacks
are deployed to prevent clients from accessing these services. However, the basic issue is
whether DDoS attacks represent a network problem or an individual problem—or both. If
attacks are mainly a network problem, a solution could derive from alterations in Internet
protocols. Specifically, routers could filter malicious traffic, attackers could not spoof IP
addresses, and there would be no weaknesses in routing protocols. If attacks are mostly the
result of individual system weaknesses, the solution could derive from an effective IDS,
from antivirus software, or from an invulnerable firewall. Attackers then could not
compromise systems in order to create an army of "zombies". It appears that both the
network and individual hosts constitute the problem. Consequently, countermeasures
should be taken on both sides. Because attackers cooperate in order to build the perfect
attack methods, legitimate users and security developers should also cooperate against the
threat. The solution will arise from combining both network and individual
countermeasures.


REFERENCES

[1] CIS 659, "Introduction to Network Security – Fall 2003," http://www.cis.udel.edu/~sunshine/F03/CIS659/class15.pdf

[2] Kevin Tsui, "Tutorial-Virus (Malicious Agents)," University of Calgary, October 2001.

[3] Nicholas Weaver, "Warhol Worms: The Potential for Very Fast Internet Plagues," http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm

[4] Nicholas Weaver, U.C. Berkeley BRASS group, "Potential Strategies for High Speed Active Worms: A Worst Case Analysis," February 2002.

[5] David Moore and Colleen Shannon, "The Spread of the Code Red Worm (crv2)," July 2001, http://www.caida.org/analysis/security/codered/coderedv2_analysis.xml#animations

[6] "A Chronology of CERT Coordination Center Involvement with Distributed Denial-of-Service Tools," http://www.cdt.org/security/dos/000229senatehouse/chron.html

[7] Sven Dietrich (NASA Goddard Space Flight Center), Neil Long (Oxford University) and David Dittrich (University of Washington), "Analyzing Distributed Denial Of Service Tools: The Shaft Case," http://www.usenix.org/events/lisa2000/full_papers/dietrich/dietrich_html/

[8] http://staff.washington.edu/dittrich

[9] http://www.panix.com/press/synattack.html
