::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98 ::: The Discordant Opposition Journal ::: Issue 0 - File 6 ::: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :Denial of Service: by Cronus *Introduction Denial of Service attacks are extremely useful and somewhat down grading attacks run over the net. In this article I will explain the different types of DoS attacks, their effectiveness and the sub culture that is associated with them. This file aims to teach you about the different types of attack, how to code them and how to bar against them. *Explanation Denial of Service attacks are specific attacks that can be run over the Internet or over a phone line. They attempt to shut down or seriously slow down a service provided by a computer system. By setting up fake connections, exploiting a flaw or flooding a computer with data packets the attack attempts to close the computer down and shut off its services. *Ping of Denial The primary and oldest denial of service attack. It is the most original attack and still the most widely used. Essentially the notorious Ping of Death is an attack that slows down the reaction time of the server that is being attacked. Ping is a technical term used on the net. When you ping a server you send a ping signal to it. The server receives the ping command and responds with a pong signal. Your computer keeps record of the time taken from the ping being sent and the pong being received. The time that is taken for the reply is considered the ping time and that is considered the lag of the server. The Ping of Death attack simply floods the server under attack with ping requests and lags the server so badly that all its services are seriously slowed down or at worst totally cancelled out. An effective ping attack can actually shut down the server for as long as the attack is maintained. Protection for the mighty Ping of Death isn't all that simple. All net computers at the moment need to have ping capabilities. On IRC for instance, no ping reply to the IRC server will cause you to be disconnected. Some more modern OS releases come with larger ping buffers in order to catch attempted attacks. They buffer the attacks before replying, this gives them enough time to either send a reply or realise that its an attack and close the port. But again, making the computer think that you are attacking can be good enough to knock a server offline. *Out of Bandwidth This attack is sometimes refereed to as a Win Nuker. Windows uses specific Internet software to operate its network connections. This is called Netbios. Rhino9 have done an excellent file on Netbios and its flaws. It is particularly venerably on ports 137, 138 and 139. Connection to them can cause serious errors in Windows. NT has been known to crash with these flaws and 95 has been reported to freeze or loose the net connection. Out of Bandwidth is a standard error message that is used by Netbios. It essentially tells the computer that there is no more space for the computer's net connection. The computer thinks that the signal was received from the Internet provider and so drops the line. If you send random data to any of these ports, it is very likely that the computer will freeze or crash. Coding a Nuker such as this is extremely simple. Simply write a program that connects to a target IP on either port 137 or 139. Then it should send random data to the open port, followed by the OOB message. There are patches for this old Windows flaw available from the Microsoft Site. Windows is the only OS that is vulnerable. By updating your version of Winsock you will patch that hole and protect your computer. Because Windows is the only OS that is susceptible to this attack and the fact that a patch is available, it makes it a somewhat obsolete attack. Never-the-less many Windows computers are still unpatched and for that reason it can still be used against certain systems. *ICMP ICMP is a protocol that doesn't require a connect such as TCP. You don't actually have to be connected to a computer in order to send it ICMP packets. This protocol is mainly used to set up connections, send error messages and monitor Internet connections. It is possible to set up an attack using only ICMP error messages. There are several ICMP messages that can be used to close an Internet connection such as; · DESTINATION UNREACHABLE · TIME TO LIVE EXCEEDED · PARAMETER PROBLEM · PACKET TOO BIG · SOURCE QUENCH It you were to send one of these messages to an open ICMP port, it would have the effect of closing the connect and disconnecting the computer from the Internet. Of course you would have to spoof the source address in order for the server to think the message came from the ISP. Certain systems are more vulnerable then others. Windows by default have ICMP redirect turned off. This makes it perfectly protected from this type of attack. However, most systems, including UNIX, have redirect turned on. This is because it can be very useful and necessary for a fast net connection. But if you feel at risk it might be necessary to close the ports that are effected. Some research on the topic will get you more information on what you can do to secure your specific machine. *Fragmentation The most modern type of net attack is fragmentation. This can be used on most systems quite easily. It is new attack and is still not used that widely. Essentially this attacks revolves around IP data packets. Whenever a computer sets up a net connection. It uses data packets to communicate with other computers on the net. This attack sends data packets to a computer that are deliberately fragmented. The packets are incomplete in their content. The computer that receives the fragmented packets sets up a routine to listen for the rest of the packets. While your attack stops sending those packets and starts to send another thread of fragmented packets. As the amount of threads build, the computer under attack slows down and will eventually crash or drop the net connection. Code a program to do this would require a high degree of programming knowledge. On a UNIX machine, you will need to have root access to run an attack like this because you will need to have raw access to the ports. You will need to code in a low level language for a Windows machine. You will also need to develop some means of optimisation that allows you to set-up multiple threads to speed up the attack. This attack should be effective on most operating systems. Although some protection have been set-up on some systems, most of them are still susceptible. Even ones that have protection should be vulnerable. While some systems will buckle faster then others, they will all buckle soon enough as long as you maintain the attack for long enough and your connection is fast enough. *E-Mail Bombing While this isn't always considered a denial of service attack. I decided to include it in this file as it can be used as a very effective DoS attack. While mail bombing is only usually used as a form of revenge or retribution, it can be used to crash a server in order to run a successful denial attack. If you wanted to crash a server, you might find in your research that it handles the SMTP protocol. This would open up the possibilities of mail bombing the server. If you were to bomb the target computer with a huge amount of mail messages, you might be able to flood the computer and choke up its hard drive space. The more space you take up, the more lagged the server will become and if you keep up your attack you will eventually cause the computer to crash due to lack of HD space. There isn't really any way of protecting against a mail bomb attack. If your computer needs to have mail capabilities, you can't close the mail ports. It is possible to set up a mail buffer to try and catch the attack. All operating systems are vulnerable to an attack of this sort. But more modern systems are set up in more advanced ways in order to catch possible attacks, but no way is perfectly secure. *Specific Flaws All operating systems have been found to contain security holes. Some of this holes can cause simply annoyances, others are serious flaws in the system that can cause it to crash or freeze. If you are aware of the system that you are attacking, then you will be able to find a hole in that system to exploit. Windows NT is one of the most modern server software packages that has been released. It can turn a normal computer into an Internet Server. This drastic upgrade means that it has become very popular among small companies that need to run a low cost server on the net. It has several very well documented holes that can be used against it. Certain UNIX routines are known to contain flaws that can exploited without actually have access to the server. They can be accessed over the Internet making an attack very easy. Certain deamons such as sendmail are widely known to contain flaws in its programming. Searching for these exploits would give you the direct capabilities to attack the server. Research over the net would be the best way to find exploits for specific systems. While most DoS attacks are general attacks, that need to be directed at a certain OS, some are unique and these need to be researched. *Port Flooding Port flooding is when your attack centres around flooding a certain port with multiple connections. This attack specifically floods a port with so many connections that the target computer is severely lagged that it starts to drop its other connections. UNIX machines have a process table that contains a list of all the programs that are currently running on the machine. If you were to flood the process table with dozens of invocations of a specific program, you will start to slow the sever response time down. For instance, if your attack were to make multiple connections to port 25 on a UNIX machine. You would flood the process table with lots of invocations of the sendmail program. This will soon start to disconnect other connections. And as the other programs die off, the attack would flood the free space, this would mean that the computer wouldn't be able to host any more connections or internal programs. A port flooding program can very easily be written. It would connect to the target computer with as many possible connections as your computer can handle. You would need to maintain the flooding for as long as the attack was necessary. If the program was starting sendmail routines, it would simply connect to the target computer on port 25 and then would hold the connection without sending an data. The attack would hold the connection till the target computer cut you off. *SYN Flooding The SYN - ACK protocol is a 3-way handshake for setting up Internet connections. A computer sends a SYN packet to the server. The server receives the SYN and responses with an ACK packet. The connection is now set up and running. The SYN flooding attack is based on an incomplete handshake. The attacker sends a SYN packet from his computer to the server under attack. The server responds with an ACK packet to acknowledge the connection. Then the attack would simply send another SYN packet and wait for the server to respond. By flooding the server with connections that don't actually send any information, you will start to lag it and perhaps even crash it. The Internet stack will wait a certain amount of time before dropping the connection, a SYN flooding attack will therefore keep setting up connections faster then the computer under attack can drop them. And by doing so can crash the server quite easily. There is no real way of securing a server from this type of attack. The problem lies in the fact that the SYN - ACK connection is a necessary protocol for a net server. Without it, it would be severely restricted in its on-line transactions. But by restricting the number of possible connections at any one time, you drastically reduce the chance of there being a problem. *Unique Attacks There are certain services that are available only on specific servers that you may need to attack. If the service is unique enough you may have some difficulty actually attacking it. One example is the services.dal.net server. It runs the services that are provided for the DalNet IRC network. ChanServ, MemoServ and NickServ are very unique services that are run from this server. These services can be accessed from anywhere on the DalNet IRC network. Hundreds of connections are consistently connected to DalNet and all these people are using the DalNet services repeatedly. To take over an IRC channel on DalNet you might want to shut down ChanServ. To do that you would need to research the service and find a hole in it that you can exploit. You may be able to research a little to find software similar to it that has some exploits already documented. *IP Spoofing Most DoS attacks are run from your own computer. Unless you want a pesky system administrator ringing you the next day, you will need to find some way to hide your location from the target computer that you are attacking. IP spoofing is the hardest thing that can be done these days in the world of hacking. There are several ways to hide your location from the log files on a target computer. Some are more appropriate then others because of the advantages and disadvantages. Wingating is the most widely used bounce technique. It involves connected to a computer that is running the Wingate program, so can then bounce off that computer and route your connection to another computer. This isn't really a choice for DoS attacks, because these attacks usually reply on speed for the attack. Wingate systems are slow and lagged on their own, your added connection won't help. IP packet spoofing is the next possibility. It involves creating an attack that actually sends packets of data that spoof the original IP address. This can't be achieved in a Windows environment, because Windows controls too much of the net interface. It is much easy to accomplish in on an UNIX machine as when you are programming you can have access to the raw sockets. As you can specify exactly what you want to send to the network output you can exactly choose the information to send out. You can even send a specific IP address that you wish the packets to seem to come from. *Making Your Attack All you need to make a successful attack is a little information on the server. You should probably try to log onto the server as a Guest account and try to gain as much information as you can. You will need to have the operating system information and a list of the software running internally or on the ports of the server. Search for techniques to exploit the server and its software. Once you have the necessary information or utilities you can attack the server. You will probably want to choose a time for the attack that would be could for your net connection. A time that your ISP won't be too bogged down with connections. Also a time that the net won't be flooded with users. The more relaxed the Internet is, the faster your connection will be and the faster your attack will go. You need to select a time that will allow you to have enough time on-line to complete the attack and go ahead with whatever you intend to do after the server drops. *Research There are lots of websites that discuss server exploits and software holes. You can search for information on the software and you should be able to find the necessary techniques and information for attacking the server. Here are a few; · http://www.rootshell.com · http://www.cdc.com · http://www.warforge.com Also check out my site http://homepages.iol.ie/~cronus for updates.