Infosec 2002 UniNet
viZard Hello everyone
viZard let's pay attention
viZard Our next guest is from Brazil
viZard his talk is entitled "Denial Of Service"
viZard we are glad to present Leandro Malaquias :-)
viZard Leandro
leandro start with the basics
leandro 3-way handshake
leandro   Client  ----------<IP>-----<SYN>------> Server
leandro In that SYN packet comes, along with other information, the reply IP (the SYN packet is usually sent from a client port between 1024 and 65535)
leandro Client <---------<IP>----<SYN/ACK>--- Server
leandro Replies to the IP in the packet header, whether he accepts it or not; in this case the server says: I've received your packet <SYN> and you may connect <ACK>
leandro Client ----------------<ACK>-------------> Server
leandro The client replies: I received the permission to connect so I will; the client may now flow freely in either direction between the two TCP endpoints.
leandro TCP is full duplex.
leandro So what happened was: the client asked for permission, the server allowed the connection, so the client connected. 
leandro Any question yet?
leandro So lets move on.
leandro The traditional SYN Flood (DoS), how it works:
leandro A server typically allocates a memory buffer for sending and receiving the connection data.
leandro Attacker ---------<forged IP>------<SYN>------------> Victim
leandro Attacker forges an IP
leandro ?  <--------<SYN/ACK>--- The server tries to reply; if the IP was forged but valid, the server at the valid IP might reply with a RST packet, to let the server know that he didn't ask for a connection
leandro But there's a good chance that the address and the packet will be discarded.
leandro The problem is there's no way for the server to know that the SYN packet is fraudulent, forcing the server to accumulate a continuously growing incomplete connection
leandro how to protect yourself: I know two great progs: SYN cookies and GENESIS
leandro DDoS Attacks:
leandro The master machine, using attack programs through zombie machines: each individual zombie begins generating a flood of malicious traffic aimed at a single target/victim machine or network
leandro Attacker ---------Send malicious traffic to Victim--->Zombie    ----------------------<junk>---------------------------------> Victim
leandro The attacker remotely orders the zombies to initiate a flood on the victim
leandro I'll try to illustrate it a little better hold on.
leandro attacker----Orders the zombie through progs to attack the victim--------zombie------- receives the order and executes it----------------victim
leandro So the attacker uses zombie machines to execute remote commands through progs.
leandro Now DRDoS works like this:
leandro Attacker-----<Forged Victim IP>----------<SYN>--> Routers -------------<SYN/ACK>---<Victim IP----------------->Victim
leandro In a DRDoS attack the attacker is not going to use zombies.
leandro Believing that the Victim was trying to connect to the routers, the routers are going to send a SYN/ACK packet back to the victim. In other words he will go straight to the 2nd step of a handshake.
leandro If you want any additional info on the subject visit this web site: http://grc.com/dos/drdos.htm
leandro There is an illustrated case study by steve gibson.
leandro If you're interested in bandwidth consumption visit: http://grc.com/dos/grcdos.htm
viZard Thank you leandro
viZard questions and comments at #qc please
MJe clap clap clap clap clap clap clap clap clap clap
MJe clap clap clap clap clap clap clap clap clap clap
MJe clap clap clap clap clap clap clap clap clap clap
MJe clap clap clap clap clap clap clap clap clap clap
MJe clap clap clap clap clap clap clap clap clap clap
viZard questions and comments at #qc please
viZard leandro will answer here
viZard <leandro> Security: Block port 179 BGP on routers, it will prevent your router being used to execute a DRDoS.
leandro Please if you have any questions make them, that's why I'm here.
viZard <leandro> You can either try and hack heaps of zombies or rely on a router response without having to hack anything.
viZard <sarnold> leandro -- gandalf has implemented a netfilter plugin to help prevent denial of service attacks; I tend to think that solutions to prevent DOS attacks that don't include you being Cisco might not be so useful...
viZard <sarnold> leandro -- in other words, what is your opinion on what end-users can do to help mitigate denial of service attacks?
viZard <Gandalf> sarnold: well it's not I who wrote the netfilter module, I've just been helping bugfixing it and so
leandro Unfortunately this is a TCP process and not an operating system process.
viZard <PaNkePaSa> maybe is off-topic, but what about the string module of iptables?
leandro So to prevent it you'll need to deny things like ping responses.
leandro You can stop it at your firewall, but if your router isn't configured right someone could use your router to attack someone else.
viZard <iarenaza> leandro what about egress filtering on border routers at ISP to prevent ip spoofing and DOS?
viZard <Gandalf> leandro: the DDoS attacks I've seen have been from ip's in a few /24 subnets, probably one host in the subnet spoofing other ip's in the same subnet (as most spoof protection is based on subnets), is the most common form of DDoS attacks or what do they look like?
leandro ISPs should have port 179 BGP blocked, 'cause that's the communication port an attacker looks for. But they don't listen or read advisories it seems.
viZard <Gandalf> s/is the/is this the/
leandro DDoS is not an IP spoofing attack; in a DDoS the attacker will use other machines as zombies and through them he will attack.
leandro He's not going to spoof any IPs what the attacker will try to do is install trojans in the zombie machines.
viZard <Gandalf> leandro: yes I know it's not about ip spoofing but it actually seems like the zombie machines are spoofing ip's in the same subnet to hide their identity somewhat
leandro Why would anyone go through all that trouble to hide himself, if most networks use DHCP? Have you scanned your network looking for trojans?
leandro have you port scanned workstations in your network?
viZard <Gandalf> leandro: the problem is not on my network, I'm talking about the zombie machines that are attacking our network, and my original question was if what I've been seeing is the normal form of DDoS (the part where the zombie machines appear to be spoofing their source IPs to other IPs in the same subnet)
viZard <leandro> sorry my mistake, yes it is.
viZard <Gandalf> ok thanks
viZard <sarnold> why would the DDoS zombies bother forging their IPs?
viZard <sarnold> and why would they bother forging it based on subnet?
leandro he won't, 'cause he won't know he's acting as a zombie.
leandro Starting next month our security portal will be online with heaps of texts related to net security. The address is: www.c-cret.com.br. All texts will be in Portuguese and English.
viZard PLAS PLAS PLAS PLAS PLAS PLAS PLAS (virtual applause)
viZard PLAS PLAS PLAS PLAS PLAS PLAS PLAS
viZard PLAS PLAS PLAS PLAS PLAS PLAS PLAS
viZard PLAS PLAS PLAS PLAS PLAS PLAS PLAS
viZard PLAS PLAS PLAS PLAS PLAS PLAS PLAS
viZard PLAS PLAS PLAS PLAS PLAS PLAS PLAS
viZard PLAS PLAS PLAS PLAS PLAS PLAS PLAS
sarnold leandro: thank you :)
viZard Thank you leandro, i guess home users should pay attention now ;)
viZard :)
Ricardo thank you leandro :-)
leandro thanks for having me. And good night
viZard Our next speaker apologizes, he can't talk today because of a job meeting
viZard but he'll be here tomorrow with Diego Melendez
viZard together, they will speak to you all :-)
sarnold viZard: thanks :)
viZard Applause for the translators
viZard without their help, this wouldn't be possible :-)
Ricardo viZard: Thanks, thanks :)
viZard :-)
viZard the bar is open
Oroz viZard: Bar? Where?
viZard over there, in the corner, next to the bull