 ____________________________________________________________________

[20:. - [ DoS attacks explained ]                      [[bx]root] :. ]
                                              [datacrime@b0g.org] :. ]
 ____________________________________________________________________



overview:
  - general information
  - a DDoS attack overview
  - some useful links



GENERAL INFORMATION
===================

First of all, I'll start with this: DoS and DDoS attacks are (mostly)
used by script kiddies. Probably they tried to hack a single webserver
or a whole network, failed, and are so pissed that they "nuke" the
system. (Yes, for those who didn't know, nuking is also a DoS attack.)

Every computer that stops working normally because of external causes
is the victim of a Denial of Service attack. Like I said, most people
know this from the WinNukes somewhere in 1997 that crashed Win95
machines. With a nuke program you could send an "OutOfBand" packet to
the open port 139, which crashed the system. Newer versions of Windows
don't have this flaw. WinNuke is a typical DoS attack because it
creates a buffer overrun which takes the whole system down.

There are a lot of programs to carry out a DoS attack; think of
Teardrop, Land, Bonk, Snork or Smurf. But these attacks have become
'old' because most system operators have patched those flaws, so the
webserver has some kind of protection against them.

Attackers who use these kinds of attacks belong to the group of
script kiddies. Most of the time these boys just download programs
from hacking groups and use them to annoy other internet users (or
network users).

A whole other thing is a DDoS attack (Distributed Denial of Service).
With an attack of this form the target computer gets multiple attacks
from different computers (servers) at the same time. With this kind of
attack you can take down major systems like Yahoo, eBay and
Amazon.com.

To arrange such an attack you have to become root on the other
attacking systems to install the backdoor trojan. Therefore you are
required to know the basics of real hacking. To attack major systems
like those listed above, you need a lot of knowledge and have to work
with other hackers as well. This isn't the level of script kiddies
anymore.

There exist some 'secret' (= not anymore now) batch files which help
hacker groups take control over a lot of systems at a time. But
nobody outside the hardcore hacker culture has found such a tool.
(contact me if you have it)

The four most popular tools for DDoS are Trin00, Tribe Flood Network
(TFN), Tribe Flood Network 2000 (TFN2K) and Stacheldraht.

Trin00 has existed since the summer of 1999 and can be used from a
single computer through a master program (= handler) which controls
all the other programs (daemons) on the attacking servers. You can use
a SYN flood which has a maximum duration of 33 minutes. Trin00 uses
TCP and UDP and has variable ports.

In Tribe Flood Network (also since the summer of 1999) the master
program (client) communicates with the flooders (= agents) through
ICMP (Internet Control Message Protocol, known from ping). The size of
the ICMP packets decides which kind of attack is executed. Next to
several SYN floods, TFN also supports UDP floods, ICMP floods and
smurf attacks.

TFN2K has more features than its predecessor. One of those is that it
encrypts its commands; it also runs on WinNT (next to Solaris and
Linux). But TFN and TFN2K have one advantage, and that's why they are
more popular than Trin00: they spoof the IPs of the attacking servers,
including the master server (which sends the command, so it's you),
and that makes the attack hard to stop and hard to trace back to you.

Stacheldraht combines the most important features of TFN and Trin00.
It can execute all the listed attacks, it encrypts the commands and
isn't tied to a certain port. The program also checks if the victim's
server is running an 'old' DDoS IP filter, and if so it checks if
there is a way to bypass that filter. Stacheldraht also uses a
three-layer method, a server / client / agent architecture, which
makes it impossible to trace the original commander of the attack.
TFN, TFN2K and Stacheldraht were probably created by a German hacker
called 'Mixter'. The FBI has been chasing him since February, when the
attacks began on Amazon, Yahoo!, eBay and the FBI. (I think his arrest
won't stop the DDoS hype, because the source code is available and
this way the programs will only get new features.)
Not that I think it's bad, heh.

The recent DDoS attacks were all done with Stacheldraht. In that
three-layer attack a hacker sends the command for the attack from his
computer to all the client machines. Every client has a list of IP
addresses of the servers where the agent is running. In their turn,
the client servers send the command over an encrypted channel to the
agents, which execute the attack and take the system down.

The most used type is a SYN flood. In this case the victim's server is
attacked with SYN (synchronize) requests on port 80 (http). Such a
request is part of a standard connection: your browser sends the SYN
request to the server and waits until the server answers with its own
SYN (the SYN-ACK).

The browser reacts with ACK (acknowledge) and then the transfer of a
webpage starts. With a SYN flood the server reacts just like always,
but the agent uses a spoofed (fake) IP address, so the server's reply
is lost: it goes to an address that never asked for a connection. The
server waits a few seconds but won't get an ACK reply. For that short
moment the server process (called a thread) that is waiting for the
ACK reply is not available for other visitors to the site.

During a DDoS attack many Stacheldraht agents quickly send a lot of
SYN requests to the server. So in a few seconds all the threads of the
server are used up and the server is not reachable for other users
anymore. Whenever the server frees a few threads, they are immediately
taken by another SYN request from one of the agents. Because of all
the requests and the spoofed IPs, most sysadmins won't have enough
time to block all the IP addresses, and the system won't be reachable
for some hours (maybe days). UDP and ICMP floods are done the same way
but are easier to block and not so popular.
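As an added illustration of the thread (half-open slot) exhaustion described above, here is a small Python model that is not from the article or from any of the tools it names: the server has a fixed backlog of half-open slots, a spoofed SYN never gets its ACK and so holds a slot until the SYN timeout expires, while a real visitor only needs a free slot for the instant of the handshake. The backlog size (128), the timeouts and all the rates are assumed values.

```python
"""Model of the half-open (SYN_RECV) backlog exhaustion behind a SYN flood.

Constructed simulation, not code from the article or from any DDoS tool.
Time advances in exact 10 ms steps so every count is an integer.
"""
from collections import deque

STEP_MS = 10


def _arrivals(rate_per_s, t_ms):
    """Exact number of SYNs arriving in the step (t_ms, t_ms + STEP_MS]."""
    return rate_per_s * (t_ms + STEP_MS) // 1000 - rate_per_s * t_ms // 1000


def simulate(agents, syn_rate, legit_rate, duration_s,
             backlog=128, syn_timeout_ms=3000):
    """Return (legit_ok, legit_refused) counted over duration_s seconds.

    agents         : number of flooding agents
    syn_rate       : spoofed SYNs per second sent by each agent
    legit_rate     : legitimate SYNs per second from real visitors
    backlog        : half-open connection slots on the server (assumed)
    syn_timeout_ms : how long a half-open entry is kept before it is dropped
    """
    half_open = deque()   # expiry times; appended in time order, so sorted
    ok = refused = 0
    for t in range(0, duration_s * 1000, STEP_MS):
        # drop half-open entries whose timeout has elapsed
        while half_open and half_open[0] <= t:
            half_open.popleft()
        # the agents fire first: each spoofed SYN that finds a free slot keeps it
        for _ in range(_arrivals(agents * syn_rate, t)):
            if len(half_open) < backlog:
                half_open.append(t + syn_timeout_ms)
        # a real visitor needs a free slot only for the instant of the handshake
        for _ in range(_arrivals(legit_rate, t)):
            if len(half_open) < backlog:
                ok += 1
            else:
                refused += 1
    return ok, refused


if __name__ == "__main__":
    # 10 agents x 20 spoofed SYN/s against 5 real visitors/s, for 10 seconds
    for timeout in (3000, 500):
        print(timeout, simulate(10, 20, 5, 10, syn_timeout_ms=timeout))
```

With the 3 s timeout the backlog fills after 0.64 s and every freed slot is retaken by an agent, so only the first three real visitors get through; with a 0.5 s timeout the steady-state occupancy is 200 SYN/s x 0.5 s = 100 slots, under the 128 available, which is why shortening the timeout helps only while inflow times timeout stays below the backlog.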


A DDoS OVERVIEW
===============

The first (big) victim of DDoS was id Software on January 7. They had
a lot of attacks on their Quake III key servers. The Q3 'freaks'
weren't able to play online for twelve hours. After that, attacks were
noticed on CNN.com, eBay.com, Yahoo.com, Etrade.com, Amazon.com and
Buy.com (this last site got 800 Mbit of data traffic every second!).
The coordinated attack took down those sites for about three hours.
The next day ZDNet.com was taken down for 2 hours, and on February 25
the FBI site was down for a whole day.

The only real threat comes from Windows users who have the Trin00
trojan installed. This program also came to Win9x, NT and 2000. It
works on port 34555 using the TCP protocol. Somebody who has this
trojan installed and has, for example, an ADSL connection is able to
participate in a DDoS attack without knowing it, with the danger that
your IP isn't masked (only TFN, TFN2K and Stacheldraht spoof your IP).


SOME USEFUL LINKS
=================
HTTP://staff.washington.edu/dittrich (analyses plus a detection kit
for those trojans)
HTTP://packetstorm.securify.com/advisories/iss/iss.00-02.wintrinoo
HTTP://mixter.void.ru (the creator's homepage)
HTTP://www.void.ru (security related site; choosing English is the
best way to understand it)
HTTP://networkmagazine.com/ddos_special.htm (DDoS explained)
HTTP://www.cert.org/security-improvement (security tips for
sysadmins)

