Denial of service (DoS) attacks are something that you should avoid launching against your own network. End of chapter.
Seriously, denial of service is something that you need to be very careful with. Unlike many other chapters in this book, which have focused on how to launch various attacks, this chapter focuses on countermeasures and how to non-destructively test for denial of service conditions.
A denial of service attack is any attempt by an attacker to deny his victim’s access to a resource. Although you could consider a volcano eruption, an act of war, or an earthquake to be a denial of service attack, this chapter addresses only intentional attacks launched by computers against other computers. You can break these attacks into four broad categories:
Flooding or other network disruption attacks that attack the network linkage between systems
Resource starvation attacks, which can take the form of CPU starvation, memory starvation, or consumption of disk storage
Disruption of service, at either the application or host level, including intentional misconfiguration
Physical attacks (which are beyond the scope of this book)
Flooding attacks have one simple rule: the one that has the most bandwidth at its command wins. In its simplest form, a flooding attack occurs when one system sends packets, possibly with a spoofed source address, endlessly at the victim. That’s all there is to it. In DDoS attacks, a number of systems are used in concert to consume the bandwidth of the victim.
More Info
For more information about spoofing, see Chapter 20.
A DDoS attack can be launched in a couple of ways. One approach is to take over a large number of systems (known as zombies) using one or more widespread vulnerabilities, install attack software on those systems, and make the systems send large numbers of packets at the victim, preferably using different characteristics and random, spoofed source addresses. Unlike a single source attack, you will have a much harder time dealing with the attack by applying filtering rules.
Note
A zombie is a host that has been compromised through the exploitation of some vulnerability, resulting in special client software being installed by an attacker. At some point, the attacker will control all the zombie hosts via master software control, causing the zombies to initiate DoS attacks against the chosen targets.
A second approach to launch a DDoS attack is to use an asymmetric condition, in which one packet originating from the attacker results in many packets being sent to the victim. The classic Smurf attack works by sending a single ping packet to the network broadcast address (see the "What is a network broadcast address?" sidebar), which causes a large number of echo responses to be received. The source address is spoofed to the victim. This type of attack, shown in Figure 16-1, is also sometimes called an amplification attack.
Let’s take a look at how the Smurf attack works. The attacker locates the IP address of a victim, and then sends a ping packet to the network broadcast address of a misconfigured network. All the systems on the network receive the echo request packet, and some of them respond with an echo response that bounces back to the victim. If the misconfigured network is a large one, one ping packet can theoretically produce thousands of responses, so an attacker using a dial-up connection with 56-Kb bandwidth could potentially consume 56-Mb worth of bandwidth on the other end. If the victim is connected with, for example, a T-1 connection that provides 1.5-Mb worth of bandwidth, an attacker could effectively take the victim off the Internet. If the victim is a larger company with much more bandwidth, the company might not notice, or the attacker would have to start using zombies.
Note
It’s worth pointing out that a DDoS attack can be launched against not just single hosts, but against an entire network. In fact, a flooding attack launched against one host is likely to cause a denial of service to other systems on the same network segment, and possibly beyond.
One variant of a flooding attack causes many systems on the same network to respond to one another without end, a condition sometimes referred to as a "network food fight." This type of attack, shown in Figure 16-2, relies on a vulnerability being present. For example, Microsoft Windows NT 4.0 systems had a flaw where a malformed packet sent to the UDP RPC port (135) provoked an error response. If the system receiving the error response didn’t expect the error, it responded with another error. The CPUs of both systems would hit 100 percent, and all the available network bandwidth was consumed.
Another example of a network food fight comes from people finding inventive ways to combine the echo and chargen service. A packet sent to echo gets the packet reflected to what the echo service believes is the sender, and a packet sent to the chargen service results in a packet full of characters. If you can spoof a packet from one system’s echo service to another’s chargen service, those systems will exchange lots of packets until someone shuts down one of the services. If an attacker can send a request to all of the chargen services on a subnet using a broadcast packet, so much the better for the attacker. This is probably the most extreme version of an asymmetric attack—just one packet disrupting an entire network. Most currently available implementations of both echo and chargen do not respond to requests with a source address in the reserved range (below port 1024), and they should not respond to broadcast packets at all.
More Info
A SYN flood usually isn’t much of a flood because only a few packets can cause a denial of service condition in most cases, and it doesn’t consume as much bandwidth as a flood meant to clog the network. If you’re interested in the details of how a SYN flood works, http://www.cert.org/advisories/CA-1996-21.html is an excellent original reference.
You’ll want to know whether your network will participate in flooding attacks and whether you’re vulnerable. You should send pings to the directed broadcast address of your external networks, and then check to see whether you were sent multiple replies. If you were, there is a router misconfiguration.
Checks for outdated chargen and echo services can be conducted simply by using a tool like Netcat: create a socket on a low port, send a packet, and see whether you get a reply. In general, you won’t want easily abused services like chargen and echo to be running on an external network. Chargen is usually found on port 19, both UDP and TCP; and echo is typically found on port 7, also both UDP and TCP.
Testing for vulnerable versions of a service that could lead to network food fights is best done by checking for patch compliance. You’re unlikely to find any systems vulnerable to the Windows NT 4.0 RPC network food fight problem described earlier because the RPC vulnerability was fixed years ago, and a system that has not been patched for the last six years probably has many other problems.
SYN flood testing should be done on idle systems configured identically to your production servers. In most cases, you should check the system configuration to see whether the system has SYN flood protection enabled. SYN flood protection settings vary among vendors and versions of the operating system as the protections become more sophisticated. Consult your vendor’s website for exact details about how to protect your servers from SYN floods.
Although Smurf attacks aren’t the menace they once were now that most current operating systems no longer respond to broadcast echo requests, variants of the attack are sometimes still available. For example, a flawed network service might still respond to UDP packets sent to the broadcast address. The best protection approach is to ensure that your routers have rules that block directed broadcasts.
Additionally, anti-spoofing rules should be in place, both inbound and outbound. Getting these rules set up isn’t always easy, but if you have them in place, you won’t be as susceptible to participating in DDoS attacks. Many network devices can also impose rate limitations on specific networks, and you can use this to mitigate a flooding attack. Also, get in touch with your ISP immediately.
Finally, blocking inbound ICMP packets might be warranted. As mentioned previously, several types of ICMP packets are used in normal network operation. For example, if path MTU discovery is enabled and the corresponding error response packets (type 3-unreachable and code 4-fragmentation required) are blocked, you will have errors. Most administrators of large external networks disable path MTU discovery, which overcomes this objection. Other types of ICMP packets can be helpful, but many network administrators find that the risks outweigh the benefits.
Resource starvation attacks are DoS attacks that attempt to consume a resource on a target system so that the resource isn’t available to legitimate users. This section discusses three types of this attack: CPU starvation, memory starvation, and disk storage consumption.
CPU starvation attacks come in a number of forms. In most cases, these are application-specific, but they can also apply at the host level. As is the case with many types of denial of service attacks, the attacker is looking for an asymmetric situation.
Because you cannot normally take down your own network without putting your job at risk, testing CPU starvation attacks isn’t always practical. The surest approach is to pay attention to whether any problems have been announced recently, and to test for patch compliance. In some cases, you can perform modified attacks. In the preceding example, just a few sets of "/../*" delivered to the FTP server would bring the server down for a few minutes and distinguish between a patched and an unpatched system.
Most of the time, CPU starvation countermeasures consist of making sure the latest patches are applied. Custom applications can be subject to CPU starvation attacks, so be aware of the symptoms of a CPU starvation attack: a slow response, along with an overworked CPU. Don’t mistake a simple underpowered system as being a CPU starvation attack—crying wolf undermines your credibility. If you suspect a problem, first check the logs for your application. You might also want to set up a way to record network traffic coming to that system.
Memory starvation attacks work in much the same way as CPU starvation attacks, relying on errors in either the operating system or the application. Memory starvation attacks usually take a fairly clever approach. One example of a memory starvation attack occurred when the inetd application (common on UNIX and Linux systems) used a poorly chosen hashing algorithm to keep track of the number of incoming connections. Ironically, the application kept track of these connections to reduce the possibility of denial of service attacks. Because the attacker carefully chose the source IP addresses for the spoofed packets, inetd consumed large amounts of memory.
As with CPU starvation attacks, you test for these by monitoring patch compliance in most cases.
Disk storage consumption (also called disk storage denial of service) can occur when either a file share is left open or a writable FTP server is found. Internet-exposed file shares are also a problem because file sharing protocols typically open up other lines of attack as well.
Important
Writable FTP directories are often used as a repository for various contraband, ranging from hacking tools and stolen software to pornography. Some of this material might open you up to legal risk, and if you do find child pornography, you are required in many places to report this to the authorities.
A variation of this type of attack is to consume storage resources in other ways. One of the most obvious is to consume the e-mail quota for a specific user, which is an attack known as mail bombing. This is accomplished by sending large amounts of e-mail, typically spoofed, to the victim until they no longer accept mail.
One annoying but marginally useful denial of service attack against disk storage is known as log flooding. Log flooding is especially effective against systems running syslog. Syslog in its basic form is an unauthenticated UDP-based logging protocol, and is inherently spoofable. Improved versions of syslog are available. If an attacker can send system packets for long enough, the volume containing the logs will fill up and be unable to log any further. The attacker could then perform mischief of his choosing, secure in the knowledge that his misdeeds wouldn’t be logged. It can take quite a while to fill the drive, and this attack also tends to be CPU-consuming as well. Administrators would likely notice something going on before you finished conducting the attack. Windows systems always have upper limits on the amount of log space that event logs can utilize; whether the attack causes the event log to cease logging depends on system settings. Be warned that you can cause a Windows system to fail if it is set to fail when it is unable to log. Most sites don’t enable this setting, but if you test enough networks, you’ll find nearly everything at least once.
The obvious way to test for a disk storage denial of service is to simply fill the disk. Transfer large numbers of files (or just large files) until the disk becomes full. As with most DoS attacks, you run the risk of disrupting legitimate business operations, and depending on the configuration of the operating system, you can cause the system to malfunction. If the administrator gave you write-only access, you won’t be able to clean up any files you created.
There aren’t very effective defenses against mail bombing, so you wouldn’t normally check for that during a penetration test. The best way to check for log flooding conditions is to check configuration settings, and in the case of syslog, ensure that recent versions that allow some level of authentication are running instead of the older versions.
Your first task is to strongly question whether a share or FTP server needs to be available. If you must enable Windows file sharing on an Internet-exposed system, take the following precautions:
If files written should not be authenticated, enable the guest account.
Using local security policy, deny administrators the right to log on from the network. This will require using either terminal services or local logons to administer the system, and will reduce the security risk associated with the share.
Block inbound access to all ports other than 445 TCP on the Internet-exposed interface. Port 445 exposes the file and print sharing interfaces, as well as many administrative interfaces.
On the share, create a drop directory, and allow the guest account to write the directory but not read it.
Ensure that the share is not on the same volume as the operating system.
Set a disk quota for the share so that if someone does place enough files in it to fill the quota, the share won’t consume the entire volume.
Even after you implement all these countermeasures, attackers can still create files with peculiar names, such as File.con, or File.lpt. You will need to use POSIX utilities (Rm.exe, found in the Windows Resource Kit) to remove the files.
An FTP server can sometimes be a better approach. FTP is optimized for binary transfer of large files, and it doesn’t expose any administrative interfaces as a side-effect. The best way to set up an FTP drop is to create a drop directory that is not readable or writeable. Then create subdirectories underneath the drop directory using random names, and make these subdirectories writeable but not readable. Tell your customers the location by using e-mail or the telephone; they can place files there, but an attacker is unlikely to be able to do anything with your server. If creating these subdirectories requires too much overhead, a directory that is writable but not readable can be a good compromise. An attacker looking for a place to store contraband at someone else’s expense is not going to drop files for very long if he can’t get them back out.
The best solution to counteract a disk storage consumption attack is to create a specialized Web application that places restrictions on the size of the uploaded files and places the files on internal directories that aren’t available to outsiders.
Unlike many other forms of attack, where service resumes when the attack stops, a crash results in a service outage until you restart the system or service yourself. Crashes are almost always something you’d like to avoid. As with many other types of denial of service, the cure for disruption of service is to apply patches, and the way to detect the potential for a problem is through normal patch compliance auditing. You might sometimes inadvertently create a crash when doing penetration testing. For example, let’s say you have a nice new exploit against a service that has a recent problem. The only catch is that you have to guess remotely which service pack has been applied to the service, and fingerprinting doesn’t help. You’ve got a 50-50 shot, so you give it a whirl, and splat! Down it goes. Now you need to find the owners of the system and let them know that you brought it down.
If you do encounter a system that is crashing for unknown reasons, check the application logs and consider the possibility that the cause is an exploit that isn’t quite working yet. In one case, some sharp system administrators discovered a new, non-public exploit this way.
Another way an attacker can cause a denial of service is through intentionally misconfiguring a system. The Doom worm (launched in early 2004) utilized this approach to add entries to the host file of a system so that the host could reach resources to obtain patches and update antivirus software. A live attacker might do the same thing.
One of the many variants of denial of service is to inject packets into an existing data stream between two servers to reset the connection. To accomplish this, the attacker either needs access to the network traffic or needs to be able to take advantage of a sequence number–guessing attack. This is covered in more detail in Chapter 20.
Q. | My security auditing tool has several denial of service attacks listed, but only some of them warn about crashing systems. What’s going on? |
A. | As discussed in Chapter 14, security auditing tools can detect many vulnerabilities using methods other than direct attacks. Your tool might be detecting application of the patch, in which case it won’t give you reliable results without high levels of access. The auditing tool might also be using a modified version of the attack that either causes a momentary disruption or checks for a side effect of the patch. Read the documentation to learn as much about the check as possible. |
Q. | How do I check my internal network for denial of service attacks? |
A. | In general, you don’t. Running an automated security auditing tool with live denial of service attacks enabled is a great way to find another place to work. You can also check for patch compliance, and review network configuration. |
Q. | I still want to check for denial of service attacks. What now? |
A. | Warn the system administrators that you need to test for denial of service attacks. Ensure that you have management support. Place the administrators on standby so that they can bring the failed systems back up. |
Q. | I ran a port scan with all the advanced settings running because they looked interesting. Networked print devices, various network-enabled automation controllers, and other interesting things crashed. What now? |
A. | Don’t use unusual packets to port scan. Unless you’re willing to risk the systems on your network, use full connect port scans, or at the very least send only legal packets. For example, SYN/ACK or FIN packets won’t usually cause problems. Ordinary port scans don’t usually cause problems. |
Q. | My network auditing tool caused systems to crash and I didn’t think I was running any DoS attacks. What do I do now? |
A. | First, check the detailed log output for your scanning tool. If possible, determine which check was the last check to run. Don’t run this tool again until you’ve isolated the vulnerability test that caused the failure. If possible, bring up a test system with the same configuration, and review the vulnerability checks one by one until you’re sure which check caused the problem. Report the problem in as much detail as possible to the vendor who created the tool. If the tool isn’t supported by a vendor, you assume the responsibility for thoroughly testing the tool on test systems before running it on production systems—this is a good practice even with commercial tools. |
Q. | Someone claimed my tool crashed her system, but I scanned the same type of systems all over the network, and they all survived. What’s the problem? |
A. | First, check whether the system that crashed had an unusual configuration. Next, try and reproduce the problem; the system might not be crashing because of the scan. If you scan enough systems, some will crash just after being scanned through pure coincidence. People will also sometimes find excuses to keep you from checking their security. |
Q. | Where can I find more information about denial of service attacks? |
A. | One good resource that addresses DoS attacks is maintained by CERT at http://www.cert.org/tech_tips/denial_of_service.html. |
Q. | How do I protect myself against SYN floods? |
A. | If you’re running a Windows server, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HTHardTCP.asp. |
Q. | |
A. | Several services exist that monitor your network availability, and typically they notify you if you experience a loss of service. Your customers or users will be certain to let you know when things don’t work. You can also use a number of different network monitoring and system availability tools to find denial of service problems and help you react quickly. |