DoService

Gabriel Cruz

9/30/2019

Zombies, webs, and denial of service: an introduction to DoS

By Gabriel Cruz

Description

Attacks
Oh, attacks
Denial? No, service
Service? That's nothing more than a DEService
A DoService

Denial of service (DoS) attacks are becoming increasingly common on the internet. Whether due to the ubiquitous nature of the internet in recent years, the ease of implementing such attacks, or even the difficulty of preventing them, it is clear that today, more than ever, denial of service attacks are a growing threat.

So let's take down your cousin's website... from the bakery!

Duration: 4 hours

About Ganesh: Ganesh is a non-profit group of students affiliated with ICMC-USP focused on the study, discussion, and development of techniques for the security of computer systems and computer networks. The group aims to directly apply the knowledge acquired in ICMC undergraduate courses and integrate it with the most diverse technologies available on the market. Through the study and development of techniques and algorithms focused on the security of computer systems and networks, the group aims to promote learning, dissemination, and exchange of knowledge and experiences among its members. It also aims to integrate and interact with other groups outside the University, and to share its experiences and knowledge with the external community.

Introduction and background

DoS: Denial of Service

A denial of service (DoS) attack aims to prevent access to a particular resource, thereby compromising its availability. Here, a resource is understood to be anything that is useful to someone. In other words, resources can be files, web pages, statistics, numbers, etc.

The most common way to carry out a denial of service attack is by flooding the network of a server whose service we want to deny. Think about the ENEM website as soon as the results are released; it is very common for it to become unstable (you have difficulty accessing it). This happens because there are many people accessing the site at the same time, and the network or server does not have the capacity to handle so many simultaneous accesses. The most common DoS attacks perform mass accesses precisely to try to destabilize their targets.

In general, then, denial of service is achieved by flooding networks with requests, but this is not always the case! As we will see below, these attacks can be carried out in much simpler ways with equally effective results.

Short stories

1. Estonia (2007): Estonia is a country that invested early on in digitizing its government systems. Even elections are held online there. The suspicion is that the attack was motivated by political friction between Russia and Estonia over the relocation of an important World War II historical monument, the “Bronze Soldier of Tallinn.”

2. GitHub China (2015): This attack, also likely politically motivated, lasted several days and targeted specific GitHub repositories containing code and tools used to circumvent censorship imposed by the Chinese government. Baidu's search engine, widely used by Chinese users, contained JavaScript code that caused these users' browsers to fire off torrents of HTTP requests to the target repositories.

3. Mirai botnet (2016): In October 2016, Dyn's DNS servers (https://dyn.com/) were attacked by a botnet of IoT devices, mainly Wi-Fi-connected surveillance cameras. The malware took advantage of a very simple vulnerability in these devices: many of them still used default passwords for administrator access. The botnet then caused the infected machines to spread the malware across the internet and ultimately attack a target (in this case, the Dyn DNS provider).

Internet, Web, and other stuff

Internet vs Web

Often, especially in everyday informal language, we confuse the concepts of Internet and Web. However, these two concepts, although closely related, are indeed different, and learning the main differences between them is essential.

The Internet is a computer network, that is, the infrastructure that allows multiple computers to connect. When we talk about the Internet, we are referring to, for example, cables, IP addresses, routing protocols, etc.

The Web is a distributed application that runs over the Internet, that is, it is the set of HTML pages linked by hyperlinks (or just links) that are transmitted over the Internet using HTTP/HTTPS protocols.

So, when you hear about the Web, think about your browser, the ICMC web page, and HTML/CSS/JavaScript. When you think about the Internet, remember everything that runs on it: Skype/Discord (VoIP), IoT devices, Wi-Fi, and even the Web itself!

Protocols

If you felt a little lost when we talked about routing protocols, VoIP, IP, or HTTP/HTTPS, don't worry, we'll clarify this protocol thing now.

Protocols, especially communication protocols, are nothing more than communication standards or communication agreements. If you've ever played with a walkie-talkie, you probably know how a communication protocol works.

Walkie-talkies use a half-duplex communication channel, meaning a channel in which information can flow in either direction, but only in one direction at a time. This means that only one person can speak at a time. If both try to speak, it doesn't work (usually neither can transmit, but sometimes one person starts speaking a little earlier and “wins the channel”).

To solve the problem of people trying to talk at the same time on the walkie-talkie, a communication protocol was invented: when someone finishes talking, they say “over,” which means that now others can start talking; when someone is going to turn off the device, they say “over, out”; when you understand what the other person said, you say “copy, over.”

In computer networks, it is exactly the same thing: there are protocols (IP, TCP, HTTP, NTP, ICMP, etc.) and each one defines a standard that must be followed. For example, in the IP protocol, we know that the first four bits of a packet indicate the protocol version (IPv4 or IPv6), the next four (if it is IPv4) indicate the length of the header, and so on.
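To make the "first four bits, next four bits" rule concrete, here is an added example (not from the original post) that decodes a constructed 20-byte IPv4 header with Python's standard library and verifies the header checksum, which is what a receiver does before trusting any of those fields.

```python
import struct
import ipaddress

# Constructed sample header (not a real capture): IPv4, IHL=5, total length 40,
# DF set, TTL 64, protocol 6 (TCP), 10.0.0.1 -> 10.0.0.2, checksum 0x149a.
SAMPLE_HEADER = bytes.fromhex("4500 0028 1234 4000 4006 149a 0a00 0001 0a00 0002")

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ip_checksum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed IPv4 fields; the first byte holds version and header length."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    version = raw[0] >> 4                    # first four bits: protocol version
    ihl_words = raw[0] & 0x0F                # next four bits: header length in 32-bit words
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    header_len = ihl_words * 4
    if header_len < 20 or len(raw) < header_len:
        raise ValueError("bad IHL")
    (_, _tos, total_length, _ident, flags_frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "version": version,
        "header_len": header_len,
        "total_length": total_length,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # a valid header sums to zero once the checksum field itself is included
        "checksum_ok": ip_checksum(raw[:header_len]) == 0,
    }

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
```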

Three very important points:

  1. Protocols work because there is an agreement between computers, and they follow this agreement because, otherwise, it would be impossible to communicate!

  2. Protocols are standards, but as long as what has been specified is obeyed, the implementation is up to the programmer. For example, it is possible to implement the functions of the IP protocol in both Assembly and C, and if the standard continues to be followed, these two implementations, even if completely different, will be able to communicate perfectly!

  3. Protocols generally work together, creating stacks of protocols. Thus, a packet from one protocol can carry a packet from another protocol within it (hence the famous term TCP/IP).

RFCs: Most communication protocols are defined by the IETF (Internet Engineering Task Force) through documents called RFCs, or Requests For Comments. These documents can be easily found on the IETF website.

Packets

Message transmission protocols generally define packets, because the internet is, in general, a packet-switched network, i.e., one that exchanges packets.

A packet is a well-defined unit of data that travels across the network and generally carries part of a larger piece of data. For example, a 30 MB image is too large to be sent over the internet in one piece, because there may be bottlenecks in the network, such as sections of the path that only support small packets. So, what we do is break that image into several smaller packets that can be put back in the correct order when they arrive at their destination, so that the image is reassembled.

Note: Packets can also be called datagrams or, depending on the level we are at, frames. We will not dwell on these details, but they are in fact different in theory.

Client/Server Architecture

The Web as we know it today still works mostly according to the Client/Server architecture (although this is changing (https://github.com/ipfs/ipfs)).

In this architecture, a client requests a service from a server. A common example of this is browsers, which act as clients, requesting services, in this case HTML pages, from web servers, such as Google's.

But make no mistake: a server is not necessarily a huge machine, full of cables and so complex that it requires an entire team to operate it. Such servers do exist, but nowadays you can run a web server, such as Apache (https://www.apache.org/), on your own machine. In fact, you can run multiple servers on your machine: it all depends on how many accesses will be made to it (as we will see below, hehe :).

A First Attack

SYN Flood

When your machine communicates with another machine over the internet, it almost always uses the TCP protocol. This protocol allows two machines to open a connection, i.e., a pre-established communication channel. In order for this connection to be made, a procedure called Three-way handshake is performed.

The three-way handshake is a process in which, normally, machine A (or host) that wants to connect sends a TCP packet with a SYN (Synchronize) flag to machine B, indicating that it wants to connect. If machine B accepts the connection, it then responds with a SYN/ACK (Synchronization acknowledgement) packet. Finally, machine A needs to say that it has received the SYN/ACK packet, so it sends a third (and final) ACK packet.

But note that this whole process occurs normally, and our first attack takes advantage of unusual behavior in this transaction.

Now imagine that machine A sends the SYN, but does not receive a SYN/ACK in response. This can happen for a number of reasons: network problems, misconfigured firewalls, power outages, etc. That is why the TCP protocol has ACK packets, which are a mechanism for confirming message receipt. In this case, machine A would understand that something went wrong and would resend the SYN packet. Similarly, if machine B sends the SYN/ACK but receives a SYN again from A, it understands that A did not receive its SYN/ACK and resends the SYN/ACK.

Our attack then does the following: we send SYN packets non-stop, regardless of the target's response. It will think that we are not actually receiving its responses and will keep several half-open connections waiting for a considerable amount of time. This causes the target's connection table to fill up with our half-open connections, preventing it from accepting connections from other machines.

For this, we will use a tool called Hping3:

sudo hping3 -V -c <number of packets> -d <packet size> -S -p <target port> -i u<time> --flood <target IP>

  -V: Verbose, makes the output more explicit (optional)
  -c <quantity>: Number of packets to be sent
  -d <packet size>: Size of each packet to be sent
  -S: Use the TCP SYN flag
  -p <target port>: Port of the target machine (generally does not matter, as long as it is a port where there is a socket in LISTEN mode)
  -i u<time>: time between sends (in milliseconds: u100 == 100 milliseconds between packets)
  --flood: Sends packets as fast as possible

IP Spoofing

In general, it is very easy to defend against one of these attacks, as it is sufficient to block any packets coming from the attacker's IP. However, a common practice that makes the attack much more powerful is IP Spoofing.

The idea behind IP spoofing is to send packets with a source IP different from the real one, making it appear that the packets come from other machines.

In Hping3, we can do IP Spoofing by specifying one more flag: --rand-source, which sets a random IP value as the source of the packet, or --rand-dest, which sets a random IP as the destination of the packet.

One...Two...Attack

Slow Loris

The idea behind Slow Loris is to open multiple TCP connections to a web server and, in each of them, send part of a GET request from time to time. The server thinks the connections are slow but legitimate, so it keeps them open, preventing other connections from regular users.

For this attack, we will use this wonderful code. First, we clone the repository:

$ git clone https://github.com/gkbrk/slowloris

Then we enter the cloned repository:

$ cd slowloris

Note: You may need to specify a different path to cd, depending on the folder where the repository was cloned and the folder where you are.

Finally, just use python to run the code, passing the target IP (in this case, our target is 10.10.10.10):

$ python3 slowloris.py 10.10.10.10

Or just the domain, if it exists:

$ python3 slowloris.py example.com

Note: There is another version of Slow Loris called R U Dead Yet, which sends POST requests instead of GET.
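From the defender's side, both attacks above leave a recognizable trace in the server's connection table: a SYN flood as a pile of half-open (SYN-RECV) entries on one port, and Slow Loris as many long-lived established connections from the same peer. The following added example (not part of the original post or the slowloris project) analyzes constructed `ss -tan`-style output for both indicators; the thresholds are illustrative assumptions.

```python
from collections import Counter

# Constructed sample in the shape of `ss -tan` output on a web server at 10.10.10.10
# (not a real capture). Real output has the same columns.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV  0      0      10.10.10.10:80     198.51.100.7:40001
SYN-RECV  0      0      10.10.10.10:80     198.51.100.8:40002
SYN-RECV  0      0      10.10.10.10:80     198.51.100.9:40003
SYN-RECV  0      0      10.10.10.10:80     198.51.100.10:40004
ESTAB     0      0      10.10.10.10:80     203.0.113.5:50001
ESTAB     0      0      10.10.10.10:80     203.0.113.5:50002
ESTAB     0      0      10.10.10.10:80     203.0.113.5:50003
ESTAB     0      0      10.10.10.10:80     192.0.2.44:51000
LISTEN    0      128    0.0.0.0:22         0.0.0.0:*
"""

def parse_ss(text):
    """Yield (state, local_port, peer_ip) for each connection line."""
    for line in text.splitlines()[1:]:           # skip the column header
        cols = line.split()
        if len(cols) < 5:
            continue
        state, local, peer = cols[0], cols[3], cols[4]
        local_port = local.rsplit(":", 1)[1]     # rsplit also copes with [::1]:80
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip

def analyze(text, syn_recv_limit=3, per_peer_limit=3):
    """Report ports with many half-open connections (SYN flood indicator) and peers
    holding many established connections to one port (the Slow Loris pattern)."""
    half_open = Counter()
    per_peer = Counter()
    for state, port, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
        elif state == "ESTAB":
            per_peer[(port, peer_ip)] += 1
    return {
        "half_open": dict(half_open),
        "syn_flood_ports": sorted(p for p, n in half_open.items() if n >= syn_recv_limit),
        "slow_peers": sorted(peer for (_port, peer), n in per_peer.items()
                             if n >= per_peer_limit),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_SS_OUTPUT))
```

On a real Linux host, feed it live data with `analyze(subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout)`; the usual mitigations are SYN cookies (`net.ipv4.tcp_syncookies=1`) for the flood and a request header timeout (Apache's mod_reqtimeout, for example) for Slow Loris.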

ADoS, DDoS, and Botnets

Imagine you want to take down a server, Google's for example. If you make a bunch of requests to Google's server with your crappy 1Mb/s home internet connection, it won't go down, or at least it shouldn't. That's because Google's link (their bandwidth) is vastly greater than yours at home, or rather, probably greater than your entire city's.

To take down Google using flood attacks, you need to find ways to control more machines than just your own. This can be done in two basic ways:

  1. With an ADoS (Amplified DoS): ICMP Storm, an attack we will see below, exploits a weakness in the ICMP protocol that allows us to make all machines on a network send packets to our target. Other forms of ADoS exist, some involving DNS servers or even the NTP protocol, but we will stick to this example.
  2. A DDoS (Distributed DoS) through a Botnet: Another way to gain control of other machines is to create malware (malicious software) such as a virus, which infects other machines by spreading across the network. Then, the infected machines, called bots, create a network of zombies, the botnet, controlled by a master, the botmaster. The botmaster can then command the bots to attack a website or server. These attacks are generally extremely difficult to mitigate from the target server's point of view, as there are not many clues to differentiate accesses from the botnet from legitimate accesses.

THE THIRD ATTACK

ICMP Storm or Smurf Attack

ICMP (Internet Control Message Protocol) is the protocol used to exchange messages about the network status. If this seems difficult to imagine, just think of the famous ping. Ping sends ICMP echo request packets and uses the echo replies to measure the round-trip time (RTT) of a packet between two machines on the network.

What ICMP Storm does is send a ping on behalf of the target, i.e., with the target's IP address spoofed as the source, to the network's broadcast address (the address that reaches all machines on the network). All machines on the network will reply to the target, which, if there are enough machines connected, will be flooded with ICMP responses.

The command to do this in hping3 is:

sudo hping3 --icmp --spoof <target IP (“source”)> <broadcast IP (e.g. 192.168.1.255)>
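The tell-tale sign of a smurf attack on the wire is an echo request whose destination is a broadcast address and whose "source" is the victim, often a host that is not even on the local network. This added example (not from the original post) scans constructed `tcpdump -n icmp`-style lines for exactly that pattern; the line format and the local network are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed lines in the shape of `tcpdump -n icmp` output (not a real capture).
# The first two are a normal ping exchange; the rest are broadcast pings with a
# forged source of 10.10.10.10, the host that would receive every reply.
SAMPLE_LINES = """\
12:00:01.000100 IP 192.168.1.20 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:01.000200 IP 192.168.1.1 > 192.168.1.20: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000100 IP 10.10.10.10 > 192.168.1.255: ICMP echo request, id 9, seq 1, length 64
12:00:02.000150 IP 10.10.10.10 > 192.168.1.255: ICMP echo request, id 9, seq 2, length 64
12:00:02.000300 IP 10.10.10.10 > 255.255.255.255: ICMP echo request, id 9, seq 3, length 64
"""

LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def find_broadcast_echo_requests(lines, local_net):
    """Return echo requests aimed at local_net's directed broadcast address or at the
    limited broadcast. src_off_net marks sources that cannot legitimately be on this LAN."""
    net = ipaddress.ip_network(local_net, strict=False)
    findings = []
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        if dst == net.broadcast_address or dst == LIMITED_BROADCAST:
            findings.append({"src": str(src), "dst": str(dst), "src_off_net": src not in net})
    return findings

def likely_smurf_victims(findings, min_requests=2):
    """A source address that repeatedly 'sends' broadcast pings is the spoofed victim."""
    counts = Counter(f["src"] for f in findings)
    return sorted(s for s, n in counts.items() if n >= min_requests)

if __name__ == "__main__":
    hits = find_broadcast_echo_requests(SAMPLE_LINES, "192.168.1.0/24")
    print(hits, likely_smurf_victims(hits))
```

The standard mitigations are on the other side of the wire: Linux hosts ignore broadcast pings when `net.ipv4.icmp_echo_ignore_broadcasts=1` (the default), and routers should drop directed broadcasts as RFC 2644 recommends.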

DDoS, Botnets, and C&C

We often hear about denial of service linked to the acronym DDoS, rather than DoS, because the vast majority of denial of service attacks today are also distributed, hence the extra “D”: Distributed Denial of Service (DDoS).

As we have already seen, a common practice for carrying out DDoS attacks is to build malware, malicious software that infects other computers and, in general, replicates itself across the network to other machines. Infected machines are commonly called bots, and the network of these bots is called a botnet.

Anonymous

A botnet is not always built from computers infected with malware. Some DDoS attacks are carried out with volunteer bots, as is the case with attacks carried out by Anonymous.

A common tool for carrying out coordinated DDoS attacks is LOIC (Low Orbit Ion Cannon), which has an intuitive graphical interface and can be controlled by a master, the botmaster, via IRC channels.

Command and Control in Botnets

Botnets require a mechanism for the botmaster to control the bots. This mechanism is called Command and Control (C&C).

Centralized C&C: HTTP and IRC

The simplest way to control a botnet is to have the bots check a website or IRC chat (controlled by the botmaster) regularly and execute the commands found there. Thus, the botmaster would place the commands they want to send to the bots there, and the bots would then execute them.

The downside of this approach is, of course, that if the website or chat room goes down, it will be impossible to control the bots. A mitigation strategy for this approach would be to simply block any communication between the computers on a network (in this case, the network you want to protect) and the channel (website or IRC chat room).

Decentralized C&C: DHT (Distributed Hash Table)

You're probably thinking that DHT is something super complex and far from your reality. Well, it's not very intuitive, but you've probably used a DHT before: torrents!

DHT is a distributed data structure, which means that it is divided across multiple machines and uses the network for communication, search, and data insertion.

We won't go into details, but just know that it is possible to use DHTs to send messages on P2P (Peer-to-Peer) networks, which could very well be a botnet.

Further Reading