Title: Being an Intermediary for Another Attack
- Prepared By Muhammad Majali
- Supervised By Dr. Loai Tawalbeh
- New York Institute of Technology (winter 2007)
Introduction
- The rapid development of Internet and computer
technologies makes it easier for intruders to
break into other people's computers. On one hand,
application software becomes more and more
complex and, therefore, thorough testing becomes
increasingly difficult. As a result, "security
holes" are unintentionally left open, which are
then discovered and exploited by hackers.
- On the other hand, the computational power of
computers is continuously increasing, which means
that a large number of computers connected to the
Internet can be scanned in a short time and
various security holes can be discovered quite
easily.
Ways of being an intermediary for another attack
- Smurf flooding attacks
- Distributed DoS attack by compromising other
hosts (e.g. MafiaBoy)
1- Smurf Flooding Attacks
- The attacker sends a long stream of pings (ICMP
echo requests) to a third party. The attacker
uses IP address spoofing, making the source IP
address in these pings the IP address of the
victim. Consequently, the pinged hosts send their
ICMP echo replies to the victim host,
overwhelming it.
- For this attack to be successful, the third party
being pinged must have a router that will
broadcast the ping message to all hosts in the
router's attached networks. This way, a single
echo request gives rise to dozens or even hundreds
of echo reply packets that flood the victim.
Smurf Flooding Scenario
- Let's look at a scenario to paint a picture of
the dangerous nature of this attack. Assume a
co-location switched network with 100 hosts, and
that the attacker has a T1. The attacker sends,
say, a 768 kb/s stream of ICMP echo (ping)
packets, with a spoofed source address of the
victim, to the broadcast address of the "bounce
site".
- These ping packets hit the bounce site's
broadcast network of 100 hosts; each of them
takes the packet and responds to it, creating 100
ping replies outbound. If you multiply the
bandwidth, you'll see that 76.8 Mbps is used
outbound from the "bounce site" after the traffic
is multiplied. This is then sent to the victim
(the spoofed source of the originating packets).
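The two views of the smurf traffic described on this and the previous slide, as an added Python example that is not part of the original presentation: the bounce site looks for echo requests addressed to its broadcast address from an outside source, and the victim looks for a reply flood whose many sources all sit in one subnet. The flow records, addresses and the threshold are constructed for the example.

```python
"""Smurf amplification indicators in flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Each record is (src, dst, icmp_type): type 8 = echo request, 0 = echo reply.
BOUNCE_NET = ip_network("192.0.2.0/24")  # constructed "bounce site" LAN
VICTIM = ip_address("203.0.113.9")       # constructed victim (spoofed source)

# Constructed records: one spoofed echo request hits the broadcast address,
# every host on the bounce LAN answers the victim, plus one normal ping pair.
FLOWS = [(str(VICTIM), str(BOUNCE_NET.broadcast_address), 8)]
FLOWS += [(str(h), str(VICTIM), 0) for h in list(BOUNCE_NET.hosts())[:100]]
FLOWS += [("198.51.100.7", "192.0.2.10", 8), ("192.0.2.10", "198.51.100.7", 0)]


def broadcast_echo_requests(flows, local_net):
    """Bounce-site view: echo requests aimed at the local broadcast address
    from a non-local source. This is the packet that disabling IP-directed
    broadcasts on the router drops before it can be amplified."""
    bcast = local_net.broadcast_address
    return [f for f in flows
            if f[2] == 8 and ip_address(f[1]) == bcast
            and ip_address(f[0]) not in local_net]


def reply_floods(flows, min_sources=50):
    """Victim view: destinations receiving echo replies from many distinct
    sources that all share one /24, the signature of a single amplifier.
    Returns {dst: (source_count, amplifier_network)}."""
    by_dst = defaultdict(set)
    for src, dst, icmp_type in flows:
        if icmp_type == 0:
            by_dst[dst].add(ip_address(src))
    suspects = {}
    for dst, sources in by_dst.items():
        nets = {ip_network(f"{s}/24", strict=False) for s in sources}
        if len(sources) >= min_sources and len(nets) == 1:
            suspects[dst] = (len(sources), str(nets.pop()))
    return suspects


if __name__ == "__main__":
    for f in broadcast_echo_requests(FLOWS, BOUNCE_NET):
        print("spoofed directed-broadcast echo request:", f)
    for dst, (count, net) in reply_floods(FLOWS).items():
        print(f"reply flood toward {dst}: {count} sources in {net}")
```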
Smurf Flooding DoS Attack
[Figure: the attacker (1.34.150.37), an innocent
firm's router with broadcasting enabled, and the
victim (60.168.47.47).]
1. A single ICMP echo message with source IP
60.168.47.47 (the victim) and a broadcast
destination IP
2. Router with broadcasting enabled
3. Broadcast echo message to the firm's hosts
4. Echo replies sent to the victim
How to Determine if Your Network Is Vulnerable
- Several sites have been established to do both
active and passive scanning of networks to
determine whether or not directed broadcast is
enabled.
- http://www.powertech.no/smurf/ is a site that
will test-scan your network and allows you to
submit a known smurf amplifier site.
How to keep your site from being an intermediary
used to attack victims
- The perpetrators of these attacks rely on the
ability to send source-spoofed packets to the
"amplifiers" in order to generate the traffic
that causes the denial of service.
Disable IP-directed broadcasts at your router
- In order to stop this, all networks should
perform filtering either at the edge of the
network where customers connect (access layer) or
at the edge of the network with connections to
the upstream providers, in order to prevent
source-address-spoofed packets from entering
from downstream networks or leaving for upstream
networks.
Disable IP-directed broadcasts at your router
- Additionally, router vendors have added or are
currently adding options to turn off the ability
to spoof IP source addresses by checking the
source address of a packet against the routing
table to ensure the return path of the packet is
through the interface it was received on.
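The reverse-path check this slide describes, as an added Python example that is not part of the original presentation: the router looks up the packet's source address in its routing table and accepts the packet only if the route back to that source leaves through the interface the packet arrived on. The routing table, interface names and sample packets are constructed placeholders.

```python
"""Strict unicast reverse-path forwarding (uRPF) check (added example)."""
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix -> egress interface. Interface names are
# placeholders for illustration, not taken from any real router.
ROUTES = {
    ip_network("0.0.0.0/0"): "upstream0",        # default route to provider
    ip_network("198.51.100.0/24"): "customer1",  # downstream customer LAN
    ip_network("192.0.2.0/24"): "customer2",     # another customer LAN
    ip_network("192.0.2.128/25"): "customer3",   # more specific sub-block
}


def reverse_path_interface(src, routes=ROUTES):
    """Longest-prefix match on the *source* address: the interface through
    which a reply to that source would leave the router."""
    addr = ip_address(src)
    matches = [(net.prefixlen, iface) for net, iface in routes.items()
               if addr in net]
    return max(matches)[1] if matches else None


def strict_urpf_accept(src, ingress, routes=ROUTES):
    """Strict mode: accept only when the return path to the source is the
    interface the packet actually arrived on; anything else is spoofed."""
    return reverse_path_interface(src, routes) == ingress


def filter_packets(packets, routes=ROUTES):
    """Split (src, dst, ingress) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        bucket = accepted if strict_urpf_accept(pkt[0], pkt[2], routes) else dropped
        bucket.append(pkt)
    return accepted, dropped


# Constructed traffic arriving on customer-facing ports.
PACKETS = [
    ("198.51.100.20", "203.0.113.9", "customer1"),  # genuine customer packet
    ("203.0.113.9", "192.0.2.255", "customer1"),    # claims the victim's address
    ("192.0.2.200", "203.0.113.9", "customer2"),    # really customer3's /25
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(PACKETS)
    print("accepted:", accepted)
    print("dropped as spoofed:", dropped)
```

Strict mode assumes symmetric routing; on a multihomed upstream link where the return path may legitimately differ, routers offer a loose mode that only requires the source to be present in the routing table at all.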
Configure your operating system to prevent the machine from responding to ICMP packets sent to IP broadcast addresses
- If an intruder compromises a machine on your
network, the intruder may try to launch a smurf
attack from your network using you as an
intermediary. In this case, the intruder would
use the compromised machine to send the ICMP echo
request packet to the IP broadcast address of the
local network. Since this traffic does not travel
through a router to reach the machines on the
local network, disabling IP-directed broadcasts
on your routers is not sufficient to prevent this
attack.
- Some operating systems can be configured to
prevent the machine from responding to ICMP
packets sent to IP broadcast addresses.
Configuring machines so that they do not respond
to these packets can prevent your machines from
being used as intermediaries in this type of
attack.
Information for victims and how to suppress
attacks
- Filtering ICMP echo reply packets destined for
your high-profile machines at the ingress
interfaces of the network border routers will
permit the packets to be dropped at the
earliest possible point. However, it does not
mean that the network access pipes won't fill, as
the packets will still come down the pipe to be
dropped at the router. It will, however, take the
load off the system being attacked. Keep in mind
that this also prevents that machine from pinging
others (the replies will never reach it).
Distributed DoS attack by compromising other
hosts
- Intruders will frequently use compromised
computers as launching pads for attacking other
systems. An example of this is how distributed
denial-of-service (DDoS) tools are used. The
intruders install an "agent" (frequently through
a Trojan horse program) that runs on the
compromised computer awaiting further
instructions. Then, when a number of agents are
running on different computers, a single
"handler" can instruct all of them to launch a
denial-of-service attack on another system. Thus,
the end target of the attack is not your own
computer, but someone else's; your computer is
just a convenient tool in a larger attack.
Installing Handler and Zombie Computers
- Before initiating the denial-of-service attack,
the attacker first installs attack programs on
the other computers. Zombie programs actually
carry out the attack on the victim.
- Handler programs tell the zombie programs when to
carry out attacks.
Implementing the Attack
- Once the handler and zombie programs are in
place, the attacker sends messages to the handler
computers, telling them to carry out the attack.
The handlers in turn tell the zombie programs
under their control to carry out the attack.
Difficulty in Identification
- The attacker's computer, which is two steps
removed from the attack, is very difficult to
identify. In addition, because zombies can be
spread all over the Internet, the attack messages
come from many different sources, making them
difficult to filter out at border firewalls.
Example: MafiaBoy.
Distributed Denial-of-Service (DDoS) Attack
[Figure: the attacker (1.34.150.37) sends attack
commands to the handlers; each handler relays the
attack command to the zombies under its control;
the zombies send the attack packets to the victim
(60.168.47.47).]
How to avoid your host being compromised by
attackers
- Use anti-virus software
- Use firewall protection
- Do not open unknown e-mail attachments
- Disable hidden file extensions
- Keep your system updated
- Disable "mobile code"
- Keep backups and a start-up disk
- Consult the experts