Guido Fortunati talk

ENGLISH

Kefar Uninet da la bienvenida a nuestro expositor de hoy

Kefar el Sr. Guido Fortunati,

Kefar residente en Irvine, California

Kefar se desempeña actualmente como administrador de red y

sistema

Kefar La conferencia se titula: DoS Attacks

Kefar se solicitan traductores para esta conferencia, los voluntarios

pueden intervenir

Kefar en el canal #redes

Kefar Adelante zuez

Kefar

Kefar

zuez hello everyone and welcome to the DoS tutorial

zuez this session has been created to make your internet life more

enjoyable ;)

zuez topics to be covered today include:

zuez 1) modern denial of service

zuez 2) modern attacks

zuez 3) high rate attacks

zuez 4) attacking infrastructures :)

zuez 5) lan attacks

zuez 6) DDoS

zuez 8) How to filter with FreeBVSD

zuez FreeBSD even

zuez 10) protectiong router interfaces

zuez and last

zuez nuke information for all the windows population and tipos :)

error: Connection reset by peer)

zuez my first topic will cover the ICMP type nuke..

zuez lets say ssping or jolt

zuez old school programs..

zuez these programs, send large and jumbled packets to windows

boxes.

zuez any windows, wether you are running 9x, 98, Me, NT, whatever

zuez as a sidenote, jolt is not to be mistaken with the beverage :)

#linux

zuez so anyways

zuez when windows attemps to re-asemble these packets into

usable data,m it cant and your connection often slows down or just dies

zuez keep in mind, that while this is a pain, a simple reboot would

fix it :)

peter111[169.158.160.148])

zuez i4d also would like to point out the main differente between

ssping and jolt

zuez first up, jolt..

faiku[212.174.49.117])

zuez jolt sends large and oversized packets top windoiws boxes

zuez sorry, windows boxes.

zuez ssping sends smaller packets, so that4s pretty much the main

difference..

zuez now

zuez first

zuez winnuke is a straight tcp pagket, sent to port 139

zuez common netbios/samba port..

zuez can you follow me, vixard?

zuez ok anyways, folks..

zuez winnuke will send you OOB packets

(Read error: Connection reset by peer)

zuez and no, OOB is NOT out of bound

zuez keep that in mind

zuez OOB stuff can also be send to other ports..

zuez so to speak, OOB won4t break things.

zuez actually, that4s why most port blockers work for windows

boxes.

zuez now, the other one i will explain before DoS stuff is ssping

zuez ssping works with the icmp protocol..

zuez 1) its od, and incepted only for LANs.

zuez 2) it4s easy to spoof, and no, there4s no way to trace spoofs :)

zuez 3) its implementation doesn4t even seem to be the same for

BSD/Linux, etc

Connection reset by peer)

zuez now, windows, being a little bit silly as many of you know :)

zuez expects that when it gets an icmp packet its going to be atleast

64bytes

zuez so, what ssping do?

#linux

zuez sends 63 bytes :)

#linux

#linux

zuez so when windows tries to unravel and decipher the packet it

comes up to one byte short, and chokes on a icmp furball

zuez this is as deep as i am going with this matter

zuez ask your questions in #qc :)

zuez ok, i am about to end with this matter..

zuez to put it simply, two words, memori write :)

off)

zuez when windows expects to write something of a certain size

and it cant, it will overwrite memory, move memory around, and eventually

choke

zuez #qc <MJesus> <viXard> que es "jolt" ???

zuez let me explain what is jolt once again

zuez jolt sends large and oversized packets like i said before.

zuez just to confuse your windows box

zuez this is as deep as i am covering this guys, if someone has any

kind of issue please ask.

#linux

zuez ok

zuez sorry for the delay

zuez macs shouldnt be affected

zuez and no UNIX systems are affected by this.

zuez so, if you run UNIX/MacOS you don4t have to worry about this.

zuez of course there are many ways to bring a mac down his

knees, but i won4t give out the codes :P

zuez ok

zuez i will be explaining now modern denial of service attacks..

zuez oh

zuez sorry

zuez i skeeped something elite

zuez no, nevermind.

zuez ok

zuez first off, serious modern Denial of Service attack looks nothing

like traditional attacks

Pabli[trinidad.ssp.sld.cu])

zuez #redes <viXard> espera a que el paquete icmp sea de 654

bytes

zuez the modern attacks which destroy services generally fall into

one or more of the following categories:

zuez high rate floods

zuez ansy ffflood of packets which is not designed to waste

bandwidth, but instead is designed to waste CPU and processing abilities,

can be quite devastating

zuez any, sorry

zuez in this case, syn floods..

zuez the evolution of the SYN flood has brought about the separate

evolution of the high rate flood, which now has a life of its own

zuez now, let me explain real quick how to protect your BOX from syn

attacks if you run FreeBSD

zuez you can simply add this line to your kernel, it should help

zuez options         TCP_DROP_SYNFIN

zuez beyond that, its a matter of timme and CPU

zuez so, be aware.

zuez the second class is, infraestructure attack

zuez for well defended victims, it may be easier for the attacker to go

after the network rather then sending packets directly to the true target

zuez now

zuez DDoS folks

zuez DDoS is much more than just multiplication of attack sources

zuez it brings about issues of path diversity, obscurity, invisibility, and

demoralization of the victim.

zuez word

zuez ok

zuez any question?

zuez next topic will be high rate floods

* zuez takes a 30s break :-)

zuez ok

> thanks, the translator are too busy, zuez

#linux Cannot send to channel

Kefar ok zuez

zuez #qc <Ston> es winxp vulnerable a algunos de los DoS

mencionado anteriormente ?

zuez yes, certainly it is

zuez i will dcc you a reg patch after this session if thats ok with you.

zuez yo t enviare un parche luego de la conversacion te enviare un

parche para el XP ston

zuez ok

zuez when i say high rate floods, i mean SYN floods

zuez believe me, SYN flood can be quite devastating..

zuez i4ve had to drive all over SFO to SD to unplug networks just to

stop SYN attacks, you cannot do too much about it..

zuez the original goal of the SYN flood was to overwhelm a small

queue of outstanding half-open connections with a very small amount of

bandwidth

zuez so, in other words, this will prevent new connections and use

your CPU

zuez specially if you are kinda poor and run a pentium 100MHz like i

do, its painfull!

zuez besides, this attack is against the tcp implementation

zuez it can be used from a dialup connection to bring T1s/T3s and

larger bandwidth to their knees

zuez #qc <sarnold> I'll explain why that opinion is *Very* stupid after

zeuz is finished

zuez any issue peep?

viXard maybe hi´s talking about my paste

zuez sorry for the delay, i am waiting for sarnold

zuez alright

zuez ok

zuez one way to fix the SYN problem was to develop a better TCP

stack

zuez just like fbsd did and linux..

zuez (for all you linux lovers down here!)

zuez i think they used hash tables to do this, but maybe people like

HoraPe, cron or vizard can help you with this better than me.

zuez so anyways

zuez the concept of the syn cookie was introduced essentially

encoding all state information necessary for the connection to be opened in

the return SYN|ACK

zuez so, no state needs to be mantained in the victim machine..

zuez now

zuez as far as i know, some time around mid 1998

zuez syn just came back to the itnernet life..

zuez this time the goal wasn't simply to overflow a queue and prevent

new connections, it was to generate packets so fast that the victim spent all

their time processing them

zuez to put it simply, CPU killer!

zuez it dont matter how cool your box is, bloiieve me

zuez i have had this PIII 800MHz with 1Gb sitting behind cisco pix and

checkpoints and someone killed our whole network when i ran an IRCtoo IRC

server :)

zuez the high rate flood highlights the problems of existing tcp/I`p

implementations

zuez tcp/ip sorry

zuez the amount of overhead which goes into handling each frame,

inspecting each header, and processing each packet is large

zuez so, figure yourself :)

zuez when doing packet/sec calculations, remember that link layer

overhead starts to play a major factor

zuez let me find something real quick for you folks

zuez ok here it is

zuez it works something like this

zuez     Preamble and SFD (8 bytes)

zuez   + Ethernet Header  (14 bytes)

zuez   + Payload          (40 bytes in a SYN flood)

zuez   + Frame Padding    (6 bytes)

zuez   + Frame Checksum   (4 bytes)

zuez   + Inter Frame Gap  (12 bytes)

zuez #qc <sarnold> zeuz, was that a problem with the FreeBSD stack,

with a very long execution path for any given packet?

zuez yes, it has been fixed with the 4.x/5.x branch, altho there are still

many issues about this i will cover later on if you don4t mind, for all you

FearBSD guys you can go to www.freebsd.org, however, i will explain how the

FreeBSD stack works l

zuez so, your best way is, if you are running 3.x which is obsolete,

cvsup to 4.x.

zuez so..

zuez #qc <peter111> yo quiero pregutar algo sobre la conferencia...

zuez dime

zuez #qc <peter111> quien sabe donde conseguir un programa para

Atackar por MS-DOS desde Win98 S.E

zuez you dont, or i am reporting you to the FBI autorities.

zuez so

zuez lets go on with this folks

zuez remember, attacking networks is bad.

zuez for example a 10Mbps ethernet pipe will max out at less then

5Mbps of IP, when handling smallest-size packets.

zuez please, Horape or riel or anyone correct me if thats wrong

please.

zuez now

zuez lets go on with secton 4 folks

zuez attacking the infraestructure of a network..

zuez the design of most routers involves a central processor which

handles routing protocols and administrative functions

zuez wether ytou have a cisco, juniper, whatever, it has a processor,

ram, etc

zuez its pretty much a computer designed to do networking duties

zuez the traditional design of routers placed certain exceptional

packets on the slow path, which requires attention from that processor

zuez so

zuez keep in mind, any time your router checks for a path or anything,

it will eventually use the processor

zuez and yes, to avoid the questions, it can easily grash with a big

attack

zuez however, i do believe cisco 12000 series, use distributed

processors on each line card to handle the majority of routing without touching

the main route processor used for routing protocols

zuez never used a cisco 12000 of course .)

zuez just general knowledge ;)

zuez when the processor which handles administrative and routing

functions handles any packets at all, and particularly when it lacks good

scheduling functions, it becomes vulnerable to denial of service

zuez i think you can get individual cards for cisco to continue

forwarding packets

zuez i am not sure, i am sorry :)

zuez so, what happens if you are running an ISP and you have a

strong attack folks?

zuez thanks horacio pena (horape) for the cisco information :)

zuez he just told me cisco can handle that nice feature, with few bugs

tho..

zuez so, lets go on with this folks..

zuez so, if you happen to experience a big attack, you may see the

router may not even be responsive at the local console, as the CPU spends its

time processing interrupts and packets

zuez so, dont try to do anything with it, just unplug the cord and wait

for a stop please.

zuez in the other side, attacks which overwhelm the route processors

can be particularly bad when BGP is disrupted

zuez If a BGP speaking router is held down long enough for its peers

to time out the keep alive and tear down the session, the routes get withdrawn..

zuez and, plus..

zuez If this removes the route used to carry the attack, the victim

becomes unreachable and the attack is discarded further upstream

zuez that should bring your routerto l life too

zuez to life sorry :)

zuez but, as soon as the peer is established, the attack will begin again

#linux

zuez (hope this explains a little bit why i dont want you to learn DoS

skills, peter ;)

zuez ok

zuez lets talk about juniper routes now

zuez i am not that familiar with juniper, in fact, i know a little bit about

them as i have had to deal with FreeBSD+juniper :)

zuez all i know is that juniper fare much better against this kind of

attack because of their clean separation between packet processing and the

routing engine

zuez thats whu i like junipers :)

zuez why.

zuez even exceptional packets which cannot be handled by an ASIC

have a dedicated processor which limits the destructive potential of this kind of

attack

zuez sorry for the delay, i am reading #qc as well :)

zuez #qc <velco> hmm, got a DDoS idea, instead DDoSing the

original target, original target's defense measures, e.g. cut the

zuez     routes, thus isolating innocent r00ted hosts which carry the

attack.

zuez you dont

zuez velco, you dont want to kill your upstream and get them to

discard your packets buddy.

zuez now..

zuez the most common way to attack a router is to send packets

destined to one of its local interfaces

zuez wether its a cisco, juniper, diet coke router, whatever, thats the

easier way to attack a router..

zuez some folks are msging me asking for smurf attacks, i will cover it

later on too..

zuez sorry if i skeiped smurf attacks

zuez so, lets keep talking about outers

zuez a cisco grp can be crippled by as few as 20,000 packets per

second or so, i don4t know exactly (i am not a machine, again folks, horape

riel or any folks probably know more about routers than i do..)

timeout)

zuez the funny part is ..

zuez syn ports cannot only be sent to open ports on roputers like

telnet..

zuez but floods to random ports can be way too more devastating

zuez another way to generate exceptional packets is the use of IP

options

zuez like hrm

* zuez remmebers ;)

zuez router caches..

zuez the most damaging thing of a SYN flood is the rst or ack replies

generated in response

zuez dont worry tho, i will explain how to protect random routers

against this problems :-)

zuez so now

packets/sec can also be generated in a twist in the usual use of a smurf attack

zuez how does it work?

zuez using the network broadcast..

zuez it will try to generate router harming effects instead of large

packets designed to use large amount of bandwidth

zuez once, my friend ramiro (zero) tried to smurf his neighbor

because he was using too much bandwidth (keep in mind they share a aDSL

line) and he got smacked down with a 4pounds hammer

zuez j/k.

zuez anyways

zuez the attack of choice is still syn

zuez any qurestion?

zuez err, any question?

zuez ask your questions in #qc.

zuez ok

zuez now i am covering LAN attacks

zuez mainly because my friend asked

#linux

zuez a variant of the smurf broadcast flood not commonly considered

is the link layer broadcast flood

zuez in an atTack like smurff..

zuez attack.

zuez packets are directed at an IP broadcast address, and the

router/gateway will convert the packet into a layer link broadcast..

zuez so

zuez one way to prevent yourself frm people like ramiro is to idisable

directed broadcast request.s

zuez requests..

zuez however, the attacker shall cause a LAN attack/smurf if he is in

the same broadcast

zuez just like the example i gave you folks

zuez ramiro was using the same broadcast his neighbor does..

zuez its also posible to generate a raw frame and forge the source

macaddress to make the attack more dificult to trace..

zuez anyways

zuez you can get good switches that can distinguish between

broadcast and multicast traffic

zuez another potential area for LAN DoS is a spoofed ICMPs..

zuez eek, ICMP

zuez err

zuez ICMP redirected to ARP :)

zuez thats it!

zuez which, will trick traffic into taking a detour ;)

zuez this not only create DoS, it can also be used to redirect trafic to

another network for sniffing and such things

zuez any question?

zuez ok

zuez i already explained DDoS a little bit

zuez and i know many of you are a little bite tired/bored ..

zuez #qc <Ston> el ataque OOB fue resuelto en win98 es cierto que

volvio a la luz en winxp ?

Questions and Commentary at #qc'

zuez no.

zuez 2000/XP NO son vulnerables.

zuez next chapter

zuez How to filter?

zuez filtering smurf is quite easy, as you dont need ICMP echo replies..

zuez let me cover how to filtetr w/cisco routers..

zuez no service tcp-small-servers to prevent abuse of the small

services for DOS or other attacks

zuez so thats tcp-small-servers

zuez you can asl

zuez err

zuez silly keyboard

zuez you can also add no service udp-small-servers

zuez ip route 0.0.0.0.0.0.0.0 null 0 253 todiscard packets with invalid

destination addresses

zuez err

zuez error

zuez that should be ip route 0.0.0.0.0.0.0.0 null 0 255 folks

peter111[169.158.160.151]: Connection reset by peer)

zuez thats as dee as i am going with cisco, if you need furter

assistance feel free to msg me after this session or visit www.cisco.com

zuez ip route 0.0.0.0 0.0.0.0 null 0 255

zuez thanks horape :)

zuez ok

zuez i think this session is over folks

zuez its taking way too much time

viXard :)

zuez does anyone have any question regarding anything?

viXard time to ask folks

viXard #qc for it

zuez well

zuez take what you have learned and use it to help yourself  and

others whenever possible

viXard nice explanation ;)

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

Kefar plas plas plas

Kefar plas plas plas

Kefar plas plas plas

Neo ;)))

Kefar plas plas plas

zuez :)

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

zuez thank you folks.

> clap clap clap clap clap clap clap clap clap clap

Neo zuez well done ;)

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

MySQL bravo!!!!!!!!!!!!!!!!!!!!!

Zero clap clap clap clap clap clap clap clap clap clap clap clap

dani plas plas plas plas plas plas plas plas <-- plas Flood DoS Atack

dani plas plas plas plas plas plas plas plas <-- plas Flood DoS Atack

dani plas plas plas plas plas plas plas plas <-- plas Flood DoS Atack

dani plas plas plas plas plas plas plas plas <-- plas Flood DoS Atack

dani plas plas plas plas plas plas plas plas <-- plas Flood DoS Atack

peter111 plas plas plas plas plas plas plas plas plas

peter111 plas plas plas plas plas plas plas plas plas

peter111 plas plas plas plas plas plas plas plas plas

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

zuez i would like to thank horape, mjesus, kefar, riel, cron among

others to the great support, and Zero for being a golden boy.

elzo plas plas plas plas

elzo plas plas plas plas

> clap clap clap clap clap clap clap clap clap clap

peter111 Otro!!!! Otro!!!! Otro!!!! Otro!!!

> clap clap clap clap clap clap clap clap clap clap

MySQL plas plas plas plas plas plas plas

> clap clap clap clap clap clap clap clap clap clap

MySQL plas plas plas plas plas plas plas

MySQL plas plas plas plas plas plas plas

> clap clap clap clap clap clap clap clap clap clap

MySQL plas plas plas plas plas plas plas

Zero lol

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

* cron felicita a zuez por el trabajo

MySQL bravo!!

peter111 clap clap... clap

peter111 clap clap... clap

MySQL bravo!!

peter111 clap clap... clap

MySQL torero!

MySQL torero!

peter111 plas plas plas

peter111 plas plas plas

peter111 plas plas plas

zuez muchas gracias :)

viXard <Ston> es posible detectar un DoS que se produsca dentro de

una red... si es posible como se arrria?

* peter111 le gusto mucho la conf.

viXard <Ston> haria

Ston s/arrria/haria

zuez ok

clap clap clap clap clap clap clap clap clap clap clap clap clap '

peter111 Felicidades zuez

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

zuez ston, what OS?

zuez anyways, if you happen to run snmp you should see a big traffic

going through your interfaces :)

Ston Linux To Win*

zuez ston: tcpdump :)

JALH clap clap clap clap!!

peter111 MJesus: cuando es la proxima conferencia?

JALH :)

> :))

Ston ahhhh the admin use winnt and i use linux...

zuez Ston: run any application that lets you debug your itnernal traffic.

dardhal nice lecture, very good

zuez i dont tend to run NT, i dont know :(

Ston ok

zuez thank you.

viXard peter111: el lunes

> Dec, 9. 22:00

> Horst von Brandt. (Chile)

> title pending !

sarnold zuez, thank you :) I'm sorry I phrased my message to viXard

so poorly ..

viXard http://grc.com/dos/

Ston es posible para totalmente un DoS ?

HoraPe viXard, ugh!

zuez sarnold, no problem man

zuez Ston: no, de hecho no hay mucho que puedas hacer :)

cron cosas como "echo 2 > /proc/sys/net/ipv4/tcp_keepalive_probes"

y "echo 30 > /proc/sys/net/ipv4/tcp_keepalive_time" pueden ser util. Ref:

http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3

/chap6sec75.html

Exiting)

viXard HoraPE: huh ?

HoraPe que esa página no vale nada...

zuez me voy llendo

zuez que tengan un muy buen fin de semana.

viXard no ?

botijo no es grave, Jorge...lo grave es el complejo de logo

HoraPe el que la escribe es un idiota

dani zuez: gracias por la charla ;)

viXard bueh

zuez gracias :)

> graciassssssssssssssssssss

* zuez se fue.

viXard corre que te corre XD

Ston ping -f -s -l 65510 zuez

Ston ;)

Ston yo me voy para mi casa, dejo de llover y la oficina da asco

Ston adios

here somewhere...)

sarnold vixard; grc.com's frequent ranting about WindowsXP is

completely unfounded.

sarnold vixard: as i understand grc.com's complains against WinXP, it

is primarily the 'raw sockets' that he doesn't like

viXard tell me more

sarnold vixard: however, it completely escapes him that 4.2BSD

introduced sockets back in 1983...

viXard jej

sarnold vixard: Completely free *BSD systems have had this capability

since 1994 at the absolute latest

viXard well, i just read the story about their DoS attack

sarnold vixard: and, I'm reasonably certain Linux had the same

capabiltiies around 1993, maybe earlier, again -- completely free

End of #linux buffer Fri Dec 07 23:23:38 2001

Generated by irclog2html.pl by Jeff Waugh - find it at freshmeat.net!

Mas información: