
Denial of service

===========================================================================

===================================                    
=INTRODUCTION TO DENIAL OF SERVICE=
===================================

Hans Husman
t95hhu@student.tdb.uu.se
Last updated: Thu Sep 26 11:36:47 MET DST 1996
VERSION 2.1
 
.0. FOREWORD

.A. INTRODUCTION
	.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
	.A.2. DOCUMENT HISTORY

.B. SOME BASIC TARGETS FOR AN ATTACK
	.B.1. SWAP SPACE
	.B.2. BANDWIDTH
	.B.3. KERNEL TABLES
	.B.4. RAM
	.B.5. DISKS
	.B.6. CACHES

.C. ATTACKING FROM THE OUTSIDE
	.C.1. TAKING ADVANTAGE OF FINGER
	.C.2. UDP AND SUNOS 4.1.3.
	.C.3. FREEZING UP X-WINDOWS
	.C.4. MALICIOUS USE OF UDP SERVICES
	.C.5. ATTACKING WITH LYNX CLIENTS
	.C.6. MALICIOUS USE OF telnet
	.C.7. MALICIOUS USE OF NETSCAPE
	.C.8. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
	.C.9. HOW TO DISABLE ACCOUNTS
	.C.10. LINUX AND TCP TIME, DAYTIME
	.C.11. HOW TO DISABLE SERVICES
	.C.12. PARAGON OS BETA R1.4
	.C.13. NOVELLS NETWARE FTP
	.C.14. ICMP REDIRECT ATTACKS
	.C.15. BROADCAST STORMS
	.C.16. EMAIL BOMBING AND SPAMMING
	.C.17. TIME AND KERBEROS
	.C.18. THE DOT DOT BUG
	.C.19. SUNOS KERNEL PANIC
	.C.20. HOSTILE APPLETS
	.C.21. VIRUS
	.C.22. ANONYMOUS FTP ABUSE
	.C.23. SYNFLOODING

.D. ATTACKING FROM THE INSIDE
	.D.1. KERNEL PANIC UNDER SOLARIS 2.3
	.D.2. CRASHING THE X-SERVER
	.D.3. FILLING UP THE HARD DISK
	.D.4. MALICIOUS USE OF eval
	.D.5. MALICIOUS USE OF fork()
	.D.6. CREATING FILES THAT ARE HARD TO REMOVE
	.D.7. DIRECTORY NAME LOOKUPCACHE
	.D.8. CSH ATTACK
	.D.9. CREATING FILES IN /tmp
	.D.10. USING RESOLV_HOST_CONF
	
.E. MONITORING PERFORMANCE
	.E.1. INTRODUCTION
	.E.2. COMMANDS AND SERVICES                      
	.E.3. PROGRAMS

.F. SUGGESTED READING


.0. FOREWORD
------------

This document attempts to give a short introduction to denial of
service attacks by giving examples of such methods.

Note that I have very limited experience with Macintosh, OS/2 and
Windows, and most of the material is therefore for Unix.

You can always find the latest version at the following address:
http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to address:
t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

Denial of service is about knocking out services without permission,
for example by crashing the whole system. These kinds of attacks
are easy to launch and it is hard to protect a system against them.
The basic problem is that Unix assumes that users on the system or
on other systems will be well behaved.

.A.2. DOCUMENT HISTORY
----------------------

Mon Aug 26 13:45:15 MET DST 1996:
	o .A.2. 	NEW
	o .F.		NEW
	o .B.3. 	MORE INFORMATION  
	o .C.22.	NEW
	o .C.4.		MORE INFORMATION

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to
service client requests. The swap space is typically used
for forked child processes which have a short lifetime, so
in normal operation the swap space is almost never used
heavily. A denial of service attack is therefore often based
on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth usage gets too high the network becomes useless. Most
denial of service attacks influence the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables, which causes
serious problems on the system. Systems with write-through
caches and small write buffers are especially sensitive.

Kernel memory allocation is also a sensitive target.
The kernel has a kernelmap limit; if the system reaches this
limit it cannot allocate more kernel memory and must be rebooted.
Kernel memory is not only used for RAM, CPUs, screens and so
on, it is also used for ordinary processes. This means that any system
can be crashed, and with a mean (or in some sense good) algorithm pretty
fast.

For Solaris 2.X the sar command measures and reports how much kernel
memory the system is using, but for SunOS 4.X there is no such command,
meaning that under SunOS 4.X you can't even get a warning. If you use
Solaris you should run sar -k 1 to get the information. netstat -k can
also be used and shows how much memory the kernel has allocated in the
subpaging.
 
.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM
can cause a great deal of problems. NFS and mail servers are
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack on
an NFS server is trivial. The normal NFS client does a
great deal of caching, but an NFS client can be anything,
including a program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack on
the disks can be so much more. For example, an overloaded disk
can be misused in many ways.

.B.6. CACHES
-------------

A denial of service attack involving caches can be based on a method
to block the cache or to bypass the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Caches information read from disk in case it is needed
again.

Rnode cache: Holds information about the NFS filesystem.

Buffer cache: Caches inode indirect blocks and cylinders to reduce disk
I/O.

.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirection to another host.

Ex:

	$ finger @system.two.com@system.one.com

finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
that is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Look at this:

	$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth use, little free memory and a hard disk with
less free space, due to all the child processes (compare with .D.5.).

The solution is to install a fingerd which doesn't support redirection,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit too much.

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3 is known to reboot if a packet with incorrect information
in the header is sent to it. This happens if the ip_options
indicate a wrong size for the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025, in most cases 6000) this can
be used to freeze up the X-Windows system. This can be done with
multiple telnet connections to the port or with a program which
sends multiple XOpenDisplay() calls to the port.

The same thing can happen to Motif or OpenWindows.

The solution is to deny connections to the X-Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services to loop, thanks to trivial IP spoofing.
The effect can be high bandwidth use that causes the network to
become useless. In the example the header claims that the packet came
from 127.0.0.1 (loopback) and the target is the echo port at system.we.attack.
As far as system.we.attack knows, 127.0.0.1 is system.we.attack, and
the loop has been established.

Ex:

	from-IP=127.0.0.1
	to-IP=system.we.attack
	Packet type:UDP
	from UDP port 7
	to UDP port 7

Note that the name system.we.attack looks like a DNS name, but the
target should always be represented by the IP number.

Quoted from a comment by proberts@clark.net (Paul D. Robertson) on
comp.security.firewalls on the matter of "Introduction to denial of service":

	" A great deal of systems don't put loopback on the wire, and simply
	emulate it.  Therefore, this attack will only affect that machine
	in some cases.  It's much better to use the address of a different
	machine on the same network.  Again, the default services should
	be disabled in inetd.conf.  Other than some hacks for mainframe IP
	stacks that don't support ICMP, the echo service isn't used by many
	legitimate programs, and TCP echo should be used instead of UDP
	where it is necessary. "

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process in response
to a request from a client, typically Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses ps. In most cases it is therefore very
safe to launch a denial of service attack that makes use of
multiple W3 clients, typically lynx clients. But note that the netstat
command could be used to detect the attack (thanks to Paul D. Robertson).

Some httpds (for example http-gw) will have problems besides the normal
high bandwidth use, low memory... and the attack can in those cases get
the server to loop (compare with .C.6.).

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

	while : ; do
	telnet system.we.attack &
	done

An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well,
the point is that some pretty common firewalls and httpds think
that the attack is a loop and shut themselves down, until the
administrator sends kill -HUP.

This is a simple high-risk vulnerability that should be checked for
and, if present, fixed.

.C.7. MALICIOUS USE OF NETSCAPE
-------------------------------

Under Netscape 1.1N this link will result in a segmentation fault and a
core dump.

Ex:

	<a name="http://xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
	xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.
	xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.
	xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
	xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx...>

.C.8. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------

If the attacker makes a telnet connection to the Solaris 2.4 host and
quits using:

Ex:

	Control-]
	quit

then inetd will keep going "forever". Well, a couple of hundred...

The solution is to install the proper patch.

.C.9. HOW TO DISABLE ACCOUNTS
-----------------------------

Some systems disable an account after N bad logins, or wait
N seconds. You can use this feature to lock specific users out of
the system.

.C.10. LINUX AND TCP TIME, DAYTIME
----------------------------------

Inetd under Linux is known to crash if too many SYN packets are sent to
daytime (port 13) and/or time (port 37).

The solution is to install the proper patch.
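
Added example (not part of the original document): a check an administrator
can run over inetd.conf to list the small services that .C.4 (UDP echo
loops) and .C.10 (SYN packets to time/daytime) abuse, and to produce a copy
with them commented out, as the quoted comment in .C.4 recommends. The
inetd.conf contents below are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original document): list the "small"
# inetd services that .C.4 (UDP echo loops) and .C.10 (SYN packets to
# time/daytime) abuse, and produce a copy of inetd.conf with them
# commented out. The inetd.conf below is constructed for illustration.

SAMPLE_INETD_CONF='#
# service  socket  proto  wait/nowait  user    server                args
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo     stream  tcp  nowait  root    internal
echo     dgram   udp  wait    root    internal
#discard stream  tcp  nowait  root    internal
discard  dgram   udp  wait    root    internal
daytime  stream  tcp  nowait  root    internal
chargen  dgram   udp  wait    root    internal
time     stream  tcp  nowait  root    internal
'

# Print "<service> <proto>" for every active small service in the
# inetd.conf text given on stdin. Field 1 is the service name, field 3
# the protocol; blank lines and lines starting with "#" are not active.
enabled_small_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "echo" || $1 == "chargen" || $1 == "discard" ||
        $1 == "daytime" || $1 == "time" { print $1, $3 }
    '
}

# Count the active small services in the inetd.conf text on stdin.
count_small_services() {
    enabled_small_services | awk 'END { print NR }'
}

# Write a hardened copy of the inetd.conf text on stdin to stdout: the
# same file with every active small service commented out, so that
# inetd stops answering echo/chargen/discard/daytime/time. (Send inetd
# a SIGHUP after installing the new file so it rereads the config.)
disable_small_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        $1 == "echo" || $1 == "chargen" || $1 == "discard" ||
        $1 == "daytime" || $1 == "time" { print "#" $0; next }
        { print }
    '
}

printf '%s' "$SAMPLE_INETD_CONF" | enabled_small_services
```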

.C.11. HOW TO DISABLE SERVICES
------------------------------

Most Unix systems disable a service after N sessions have been
opened in a given time. Well, most systems have a reasonable default
(let's say 800 - 1000), but some SunOS systems have the
default set to 48...

The solution is to set the number to something reasonable.

.C.12. PARAGON OS BETA R1.4
---------------------------

If someone sends an ICMP (Internet Control Message Protocol) redirect
packet to a Paragon OS beta R1.4 host, the machine will freeze up and must
be rebooted. An ICMP redirect tells the system to override its routing
tables. Routers use this to tell the host that it is sending
to the wrong router.

The solution is to install the proper patch.

.C.13. NOVELLS NETWARE FTP
--------------------------

Novell's Netware FTP server is known to run short of memory if multiple
ftp sessions connect to it.

.C.14. ICMP REDIRECT ATTACKS
----------------------------

Gateways use ICMP redirects to tell the system to override its routing
tables, that is, telling the system to take a better route. To be able
to misuse ICMP redirection we must know an existing connection
(well, we could make one for ourselves, but there is not much use for that).
If we have found a connection we can send a route that
loses its connectivity, or we could send false messages to the host
if the connection we have found doesn't use encryption.

Ex: (false messages to send)

	DESTINATION UNREACHABLE 
	TIME TO LIVE EXCEEDED
	PARAMETER PROBLEM

The effect of such messages is a reset of the connection.

Ex: 

ICMP Time exceeded in transit from xxxx.xxx.xx.xx (xxx.xxx.xx.xx)
 for icmp from xxxxxx.xxx.xxx.xx (xxx.xxx.xxx.xx) to xxxx.xxx.xx.xx (xxx.xxx.xxx.x)

The solution could be to turn ICMP redirects off; there is not much proper
use for the service.

.C.15. BROADCAST STORMS
-----------------------

This is a very popular method in networks where all of the hosts are
acting as gateways.

There are many versions of the attack, but the basic method is to
send a lot of packets to all hosts in the network with a destination
that doesn't exist. Each host will try to forward each packet so
the packets will bounce around for a long time. And if new packets
keep coming the network will soon be in trouble.

Services that can be misused as tools in this kind of attack are for
example ping, finger and sendmail. But most services can be misused
in some way or another.

.C.16. EMAIL BOMBING AND SPAMMING
---------------------------------

In an email bombing attack the attacker repeatedly sends identical
email messages to an address. The effect on the target is high bandwidth
use, a hard disk with less space and so on... Email spamming is about
sending mail to all (or rather many) of the users of a system. The point of
using spamming instead of bombing is that some users will try to
send a reply, and if the address is false the mail will bounce back. In
that case one mail has been transformed into three mails. The effect on the
bandwidth is obvious.

There is no way to prevent email bombing or spamming.

.C.17. TIME AND KERBEROS
------------------------

If the clocks of the source and target machine are not closely aligned
the ticket will be rejected. That means that if the protocol that sets the
time is not protected, it is possible to put a Kerberos server out of
function.

.C.18. THE DOT DOT BUG
----------------------

The Windows NT file sharing system is vulnerable to the dot dot bug
(dot dot as in ..) famous under Windows 95, meaning that anyone can crash
the system. If a "DIR ..\" is sent to the workstation a STOP message
will appear on the screen of the Windows NT computer. Note that
it applies to versions 3.50 and 3.51 for both the workstation and server
version.

The solution is to install the proper patch.

.C.19. SUNOS KERNEL PANIC
-------------------------

Some SunOS systems (running TIS?) will get a kernel panic if a
getsockopt() is done after a connection has been reset.

The solution could be to install Sun patch 100804.

.C.20. HOSTILE APPLETS
----------------------

A hostile applet is any applet that attempts to use your system
in an inappropriate manner. The problems in the Java language
can be sorted into two main groups:

	1) Problems due to bugs.
	2) Problems due to features of the language.

In group one we have for example the Java bytecode verifier bug, which
makes it possible for an applet to execute any command that the user
can execute, meaning that all the attack methods described in .D.X.
could be executed through an applet. The Java bytecode verifier bug
was discovered in late March 1996 and no patch has yet been made available
(correct me if I'm wrong!!!).

Note that two other bugs can be found in group one, but they
are both fixed in Netscape 2.01 and JDK 1.0.1.

Group two is more interesting, and one large problem found is the
fact that Java can connect to ports, meaning that all the methods
described in .C.X. could be performed by an applet. More information
and examples can be found at:

	http://www.math.gatech.edu/~mladue/HostileArticle.html

If you need a high level of security you should use some sort of
firewall for protection against Java. As a user you could have
Java disabled.

.C.21. VIRUS
------------

Computer viruses are written for the purpose of spreading and
destroying systems. Viruses are still the most common and famous
denial of service attack method.

It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of viruses it
is easy. Several automatic toolkits for virus construction can
also be found, for example:

	* Genvir.
	* VCS (Virus Construction Set).
	* VCL (Virus Construction Laboratory).
	* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
	* IVP (Instant Virus Production Kit).
	* G2 (G Squared).

PS-MPC and VCL are known to be the best and can help the novice programmer
learn how to write viruses.

An automatic tool called MtE can also be found. MtE will transform a
virus into a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be caught by any scanner.

.C.22. ANONYMOUS FTP ABUSE
--------------------------

If an anonymous FTP archive has a writable area it can be misused
for a denial of service attack similar to .D.3., that is, we can
fill up the hard disk.

For more information on how to protect an anonymous FTP site, CERT's
"Anonymous FTP Abuses" could be a good start.

.C.23. SYNFLOODING
------------------

Both 2600 and Phrack have posted information about the synflooding attack.
2600 has also posted exploit code for the attack.

As we know the SYN packet is used in the 3-way handshake. The synflooding
attack is based on an incomplete handshake. That is, the attacking host
sends a flood of SYN packets but never responds with an ACK packet.
The TCP/IP stack will wait a certain amount of time before dropping
the connection, so a synflooding attack keeps the syn_received connection
queue of the target machine filled.

The synflooding attack is very hot and it is easy to find more information
about it, for example:

	[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
	Article by Christopher Klaus, including a "solution". 
	
	[.2.] http://jya.com/floodd.txt
	2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane

	[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
	IP-spoofing Demystified by daemon9 / route / infinity
	for Phrack Magazine
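
Added example (not part of the original document): from the target's side a
synflood shows up as a pile of half-open connections, so this script counts
them per local socket in netstat -an output, the tool .C.5 already names for
detection. The netstat output is constructed and the Linux/BSD column layout
(Proto Recv-Q Send-Q Local Remote State) is assumed; both the SYN_RECV and
SYN_RCVD spellings of the state are counted.

```sh
#!/bin/sh
# Added example (not from the original document): count half-open TCP
# connections per local socket in "netstat -an" output. A synflood as
# described in .C.23 shows up here as many SYN_RECV/SYN_RCVD entries
# for one local port, spread over many (often spoofed) remote addresses.
# The netstat output below is constructed; the column layout assumed is
# Proto Recv-Q Send-Q Local Remote State.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:40123       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:1025       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:1026       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:1027       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.10:1028      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.11:1029      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:5000        SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.20:51000      ESTABLISHED
udp        0      0 0.0.0.0:7               0.0.0.0:*
'

# Read netstat output on stdin and print, per local socket that has
# half-open connections, "<local> <half_open> <distinct_remote_hosts>".
# A high count with about as many distinct remote hosts is the typical
# synflood signature; a legitimate burst comes from few hosts.
half_open_summary() {
    awk '
        $1 ~ /^tcp/ && ($NF == "SYN_RECV" || $NF == "SYN_RCVD") {
            n[$4]++
            remote = $5
            sub(/:[^:]*$/, "", remote)          # strip the port
            key = $4 SUBSEP remote
            if (!(key in seen)) { seen[key] = 1; hosts[$4]++ }
        }
        END { for (l in n) print l, n[l], hosts[l] }
    ' | sort
}

# Print only the local sockets whose half-open count reaches the given
# threshold (default 5); an empty result means no socket is under flood.
flooded_sockets() {
    threshold=${1:-5}
    half_open_summary | awk -v t="$threshold" '$2 >= t { print $1 }'
}

printf '%s' "$SAMPLE_NETSTAT" | half_open_summary
```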

.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.D.1. KERNEL PANIC UNDER SOLARIS 2.3
------------------------------------

Solaris 2.3 will get a kernel panic if this is executed:

EX:

	$ ndd /dev/udp udp_status

The solution is to install the proper patch.

.D.2. CRASHING THE X-SERVER
---------------------------

If the sticky bit is not set on /tmp then the file /tmp/.X11-unix/X0
can be removed and the X server will crash.

.D.3. FILLING UP THE HARD DISK
-----------------------------

If your hard disk space is not limited by a quota, or if you can use
/tmp, then it's possible for you to fill up the file system.

Ex:

	while : ; do
		mkdir .xxx
		cd .xxx
	done

.D.4. MALICIOUS USE OF eval
---------------------------

Some older systems will crash if eval '\!\!' is executed in the
C shell.

Ex:
 
	%eval '\!\!'
	eval '!!'
	eval '!!'
	eval '!!'
	eval '!!'
	eval '!!'
	eval '!!'
	^C
	%
	
.D.5. MALICIOUS USE OF fork() 
-----------------------------

If someone executes this C++ program the result will be a crash
on most systems.

Ex:

	#include <sys/types.h>
	#include <stdlib.h>	/* system() */
	#include <unistd.h>	/* fork() */

	int main()
	{
		int x;
		/* each pass runs uptime and then forks, so every process
		   still in the loop doubles the process count */
		for (x = 0; x < 1000000; x++)
		{
			system("uptime");
			fork();
		}
		return 0;
	}

You can use any command you want, but uptime is nice
because it shows the workload.

If you are really mean you could also fork a child process for
every child process and you will get an exponential increase in
workload.

There is no good way to stop this attack and
similar attacks. A solution could be to place a limit
on execution time and process size.
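
Added example (not part of the original document): what the fork() attack
above looks like to the administrator, and how to find the user and program
behind it from ps -eo user,pid,ppid,comm output. The ps output is
constructed; the a.out under user bob stands for the compiled program in
the text. The limit the text asks for is what bash's and ksh's ulimit -u
(maximum user processes) sets per login.

```sh
#!/bin/sh
# Added example (not from the original document): what the fork()
# attack in .D.5 looks like to the administrator, and how to find the
# user and program behind it from "ps -eo user,pid,ppid,comm" output.
# The ps output is constructed; "a.out" under user bob stands for the
# compiled program in the text.

SAMPLE_PS='USER       PID  PPID COMMAND
root         1     0 init
root       101     1 inetd
root       102     1 sendmail
alice      200     1 csh
alice      201   200 vi
bob        300     1 sh
bob        301   300 a.out
bob        302   301 a.out
bob        303   301 uptime
bob        304   302 a.out
bob        305   302 uptime
bob        306   304 a.out
bob        307   304 uptime
'

# Print "<user> <count>" for every user with more processes than the
# threshold (default 5); the header line is skipped.
users_over_limit() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        NR > 1 { n[$1]++ }
        END { for (u in n) if (n[u] > t) print u, n[u] }
    ' | sort
}

# Print "<count> <command>" for one user, most frequent first, to see
# which program is doing the forking.
top_commands_for_user() {
    awk -v u="$1" '
        NR > 1 && $1 == u { c[$4]++ }
        END { for (k in c) print c[k], k }
    ' | sort -rn
}

# Count all descendants of a PID: the size of the process tree that has
# to go when the attack is stopped (kill the whole tree, not one pid,
# or the survivors keep forking).
descendants_of() {
    awk -v root="$1" '
        NR > 1 { parent[$2] = $3 }
        END {
            for (p in parent) {
                q = parent[p]
                while (q != root && (q in parent)) q = parent[q]
                if (q == root) count++
            }
            print count + 0
        }
    '
}

printf '%s' "$SAMPLE_PS" | users_over_limit 5
```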

.D.6. CREATING FILES THAT IS HARD TO REMOVE
-------------------------------------------

Well, all files can be removed, but here are some ideas:

Ex.I.

	$cat > -xxx
	^C
	$ ls
	-xxx
	$ rm -xxx
	rm: illegal option -- x
	rm: illegal option -- x
	rm: illegal option -- x
	usage: rm [-fiRr] file ...
	$

Ex.II.

	$touch xxx!
	$rm xxx!
	rm: remove xxx! (yes/no)? y
	$touch xxxxxxxxx!
	$rm xxxxxxxxx!
	bash: !": event not found
	$

	(You see, size does count!)

Other well-known methods are files with odd characters or spaces
in the name.

These methods can be used in combination with ".D.3 FILLING UP THE
HARD DISK". If you do want to remove these files you must use some sort
of script or a graphical interface like the OpenWindows File
Manager. You can also try to use: rm ./<filename>. It should work for
the first example if you have a shell.
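
Added example (not part of the original document): removing the files from
Ex.I and Ex.II and other odd names in a way that neither rm's option
parsing nor the shell's history expansion can get in the way. It creates
its own scratch directory with constructed file names and assumes mktemp -d
and find -inum, which GNU and BSD find provide.

```sh
#!/bin/sh
# Added example (not from the original document): remove the files from
# .D.6 Ex.I and Ex.II and other odd names without rm mistaking the name
# for an option or the shell expanding "!" as history. It works in a
# scratch directory it creates itself; mktemp -d and find -inum are
# assumed (GNU and BSD find have them).

# Create the awkward files in a fresh temporary directory and print the
# directory's path. "--" ends option parsing for touch; the quotes keep
# "!", "*" and spaces literal.
make_awkward_files() {
    dir=$(mktemp -d) || return 1
    touch -- "$dir/-xxx" "$dir/xxx!" "$dir/xxxxxxxxx!" \
             "$dir/with space" "$dir/odd*name"
    printf '%s\n' "$dir"
}

# Count regular files below a directory (dot-files included).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Remove one file whose name may start with "-": "--" tells rm that
# what follows is a file name. "rm ./-xxx", the text's suggestion,
# works for the same reason.
remove_one_file() {
    rm -f -- "$1"
}

# Remove a file by inode number when the name cannot even be typed
# (control characters, 8-bit junk). Get the number from "ls -i".
remove_by_inode() {
    find "$1" -inum "$2" -exec rm -f -- {} +
}

# Remove every regular file below a directory whatever its name: find
# passes each path to rm as a separate argument, after "--".
remove_awkward_files() {
    find "$1" -type f -exec rm -f -- {} +
}
```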

.D.7. DIRECTORY NAME LOOKUPCACHE
--------------------------------

The directory name lookup cache (DNLC) is used whenever a file is opened.
The DNLC associates the name of the file with a vnode. But the DNLC can only
operate on files with names that have less than N characters (for SunOS 4.x
up to 14 characters, for Solaris 2.x up to 30 characters). This means
that it's dead easy to launch a pretty discreet denial of service attack.

Create, let's say, 20 directories (for a start) and put 10 empty files in
every directory. Let every name have over 30 characters and execute a
script that runs a lot of ls -al on the directories.

If the impact is not big enough you should create more files or launch
more processes.
 
.D.8. CSH ATTACK
----------------

Just start this under /bin/csh (after proper modification)
and the load level will get very high (that is, 100% of the CPU time)
in a very short time.

Ex:

	|I /bin/csh
	nodename : **************b

.D.9. CREATING FILES IN /tmp
----------------------------

Many programs create files in /tmp but are unable to deal with the problem
if the file already exists. In some cases this can be used for a
denial of service attack.

.D.10. USING RESOLV_HOST_CONF
-----------------------------

Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is, we can put things in it and
through ping access confidential data like /etc/shadow, or
crash the system. Most systems will crash if /proc/kcore is
put in the variable and accessed through ping.

Ex:
	
	export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf

 
.E. MONITORING PERFORMANCE
~~~~~~~~~~~~~~~~~~~~~~~~~

.E.1. INTRODUCTION
------------------

There are several commands and services that can be used for
monitoring performance. And at least two good free programs can
be found on the Internet.

.E.2. COMMANDS AND SERVICES
---------------------------

For more information read the man pages.
 
netstat		Show network status.
nfsstat		Show NFS statistics.
sar		System activity reporter.
vmstat		Report virtual memory statistics.
timex		Time a command, report process data and system
		activity.
time 		Time a simple command.
truss		Trace system calls and signals.

Note that if a public netstat server can be found you might be able
to use netstat from the outside. netstat can also give information
like TCP sequence numbers and much more.

.E.3. PROGRAMS
--------------

Proctool: Proctool is a freely available tool for Solaris that monitors
and controls processes.
	ftp://opcom.sun.ca/pub/binaries/

Top: Top might be a simpler program than Proctool, but it is
good enough.


.F. SUGGESTED READING
~~~~~~~~~~~~~~~~~~~~

(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol. RFC 742, 1977.
(5) Husman, H. INTRODUKTION TILL DATASÄKERHET UNDER X-WINDOWS, 1995.
(6) Husman, H. INTRODUKTION TILL IP-SPOOFING, 1995.
(7) Sun Microsystems Security Bulletins.
(8) CERT Security Bulletins.
(9) Various articles from:
	- comp.security.announce
	- comp.security.unix
	- comp.security.firewalls

(10) The following rainbow books:
	- Teal Green Book (Glossary of Computer Security Terms).
	- Bright Orange Book (A Guide to Understanding Security Testing
	  and Test Documentation in Trusted Systems).
	- C1 Technical Report-001 (Computer Viruses: Prevention,
	  Detection, and Treatment).

(11) Ranum, Marcus. Firewalls, 1993.
(12) Sun Microsystems. OpenWindows V3.0.1 User Commands, 1992.
(13) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR, 1996.
(14) Dark OverLord. Unix Cracking Tips, 1989.
(15) Shooting Shark. Unix Nasties, 1988.
(16) Various 40Hex issues.
(17) LaDue, Mark D. Hostile Applets on the Horizon, 1996.