Computer Crime Research Center


Network security: DoS vs DDoS attacks

Date: December 02, 2005
Source: Computer Crime Research Center
By: Terrance A. Roebuck

... TCP. TCP keeps track of the datagrams going back and forth, and if one is lost, retransmits it. In order to do this, TCP must first establish a connection, using a "three way handshake" (the TWHS). A TWHS starts with a request for communication (the SYN packet), an acknowledgement of the request (a SYN-ACK to agree to talk, or a SYN-RST to deny a connection) and finally an acknowledgement from the originator (an ACK). If successful, the TWHS will establish a connection between a port on one system and a port on another. After the connection is made, TCP acknowledges the receipt of each packet so that the sender knows that it has arrived. At the sending side, TCP waits for acknowledgement of receipt of a packet and resends a packet if no acknowledgement has been received (in a reasonable time).

Whereas TCP and UDP carry data, ICMP contains purely control messages. ICMP has no ports like TCP or UDP but does have 2 fields called "type" and "code".
Security Issues with System Services

Many system services are often probed or otherwise exploited by cr/hackers to further other exploits. One common example is portmapper/RPCBind (UDP/TCP port #111). This service provides information on what services are enabled on the host. "If the intruder finds the appropriate service enabled, s/he will then run an exploit against the port where the service is running."[15] Examples include wu-ftpd, rpc.amd, Solaris Calender Messaging Service, and NFS mountd (typically these are all exploited by some form of buffer overflow).

In addition, the portmapper command #2 (UNSET) can be used to cause RPC-based programs to unregister themselves so this can be used as a DoS to kill your services (typically with a spoofed packet)

Other examples of system services exploited for information gathering include systat, who and finger

UDP/TCP port 53 (DNS - Domain Name Service) deserves special mention. By changing values in the DNS, it is possible to route communications in favor of the attacker (usually for further exploit, but it could be simply as a DoS attack). "Hackers/crackers may be attempting to do zone transfers (TCP), to spoof DNS (UDP) or even hide other traffic since port 53 is frequently neither filtered or logged by firewalls. An important thing to note is that you will frequently see port 53 used as the 'source' UDP port. Stateless firewalls frequently allow such traffic on the assumption that is a response to a DNS query. Hackers are increasingly using this to pierce firewalls."[31]
Security Issues with UDP Ports and Services

Any port can be attacked as a DoS by simply sending a packet to that port. If there is no service attached to that port, then the packet is ignored and the DoS attack fails. If there is a service attached to that port, then the service must deal with the packet, even if it is malformed or incorrect. The service will deal with the incoming packet as a high priority (interrupt) event. The success of the DoS attack is dependent on how effectively the service deals with the inbound packet.

As a rule, any UDP port that sends a response to a packet is subject to a DoS attack (and therefore to a DDoS attack). Since the UDP service is a stateless response, it can simply be flooded with packets, forcing a DoS as the system struggles to keep up with these high priority service interrupts.

Echo - UDP port #7 is a typical example of a DoS and DDoS attack point. "UDP Port #7 is normally the echo service. The function of this service is to transmit whatever data was sent to it back to the source."[16] The echo port is typically available as a service since many networks (and firewalls) use echo response for system management and performance monitoring. As well, "the Harvest Web server sometimes used port #7 to determine whether or not to update a cached web file. This means that any server that provides Web caching has to make UDP port #7 available for this service to work properly."[17]

A simple attack would be to forge a packet from system A, port #7 to system B, port#7. B would process the packet and send it back to A, who would return it to B. The two machines would engage in a high priority packet passing 'ping pong' game, using resources normally assigned to user processing. This can also serve to " ... dominate lower speed communications media, denying communications. But, if we want to be more certain iof this, we might add something else to the packet. For example, if we set the 'type of service' field to 'Network Control, Low delay, High Throughput, High Reliability' by setting the value to all 1's, we will force these packets to override other packets in the path between the two victims." [18] If the packet was to be sent between 2 systems configured as a cluster, the short communications channel between the 2 devices would serve to disable the entire cluster (which was set up as a cluster in the first place to ensure high reliability in the event of node failure).

A more sophisticated version of this attack is known as a "fraggle" attack (this is similar to a smurf -- discussed later under ICMP ping issues). These attacks are named after the hacker script (available for download on the Internet) that demonstrates them as attacks. A "fraggle" is an attack by originated by a broadcast message and takes adavantage of the 'echo' and 'chargen' UDP services. A forged packet is broadcast to the 'chargen' port (UDP port#19) of all hosts receiving the broadcast. These hosts see the spoofed return IP address of the victim; everyone responds with a packet of random data, flooding the victim. A "fraggle amplifier" is any host that has the echo service available. The forged message is sent to this service, which then acts to broadcast it to all hosts on their net, increasing the 'range' of the attack. Since many web servers sit outside of firewalls (in order to securely process requests) and since many have the echo service enabled, this attack is particularly effective.

In his article on UDP viruses,[19] Dr. Frederick Cohen suggests several "other UDP services that are likely to provide environments for protocol viruses ... " including 'systat' (UDP port #11), 'quote of the day' (UDP port #17), 'chargen' (UDP port#19), 'time' (UDP port#37), 'whois' (UDP port#43) and 'who' (UDP port#513).

Remember that any DoS attack at a UDP port can become a DDoS attack. This must be true if the definition of DDoS is multiple distributed attackers, because distributed hosts can be spoofed into participating by various vectors -- from a programmed virus through to infection from 'bad' html after visiting an infected web site.
Security Issues with TCP Ports and Services

TCP attacks differ in that TCP is not a stateless protocol and requires a TWHS (three way hand shake) before initiating service. This does not make TCP ports immune to DoS attacks. In fact the TWHS is itself a major target of cr/hacker DoS attack attempts.

A SYN-Flood and the ACK-Flood DoS takes advantage of the TWHS to perform a DoS on a host. The normal process of SYN followed by RST or ACK is interrupted and the victim is left with an open port awaiting communication that never materializes. The process is repeated until the total number of simultaneous sessions is open (in theory 1024) and the system is hung. "... in order to completely deny services to a given port on your computer until the next system reboot, the attacker need only send 1024 packets to your computer with the SYN bit set ... One second of packets results in a system reboot - that's a big advantage for the attacker ... (but) ... many systems run out of internal space to store the incomplete connections before the second passes and crash on their own."[20]

The SYN-Flood can easily be turned into a DDoS by using distributed hosts to bounce off packets so that the forensic log examination points to these hosts. A compromised web server can also be used so that infected systems participate after visiting the site, and so continue the attack.

Other TCP attacks include attacks against TCP services such as TELNET using combinations of TCP and ICMP forgery to create a "man-in-the-middle" situation that allows a cr/hacker to see (and route) TELNET packets.

Versions of UDP attacks also exist for TCP but are more difficult to initiate (because of the TWHS). However, once initiated, they can be very effective. For example, "on a TCP connection ... (to 'chargen' TCP port#19) ... it will spit out a continual stream of garbage characters until the connection is closed."[21]
Security Issues with ICMP

Whereas TCP and UDP carry data, ICMP contains purely control messages. ICMP attacks are attacks utilizing the Internet Control Message protocol to change the way a communications channel, or Internet service operates. "Hackers use ICMP messages to attempt to scan networks, DoS machines, or redirect traffic ... ICMP has no ports like TCP or UDP, but it does have two fields called 'type' and 'code'."[22]

One example is Router Advertisement (type=9). In this attack, the attacker uses ICMP to redirect the network router function to some other host. If that host can not provide router services, a DoS of network communications occurs as routing stops. This can also be modified to single out a specific system, so that only that system is subject to attack (because only that system sees the 'false' router). By providing router services from a compromised host, the attacker can also place themselves in a "man-in-the-middle' situation and take control of any open channel at will (as mentioned earlier, this is often used with TCP packet forgery and spoofing to intercept and change open TELNET sessions).

The Ping command is used to determine if a machine is available....

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2008-11-29 12:41:15 - very good article!!!... dmitriy
Total 1 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo