Security Operation Center - ntnu.edu.t · 關於我 劉俊雄, OuTian [email protected]...

師範大學 (Normal University): Hacker Attack Techniques, Hands-on Practice and Exercises. 敦陽科技


  • Arp Attack

    Session Hijacking

    Man In The Middle

    DOS & DDOS

  • About me: 劉俊雄 (OuTian), [email protected]

    2007/2008/2009 0day

    CEH (Certified Ethical Hacker)


  • TearDrop

    Land

    Ping of Death

    Smurf

    Fraggle

    SYN Flood

    Sniffing

    Man-In-The-Middle

    Session Hijacking

  • Ex: MS08-001

    Buffer Overflow

    Format String

    Race Condition

    SQL Injection

    Code/Command Injection

    Arbitrary File Inclusion

  • MS08-001

    Microsoft Windows TCP/IP IGMP MLD

    Remote Code Execution Vulnerability

    Microsoft Advisory

    http://support.microsoft.com/kb/941644

    Exploiting

    http://immunityinc.com/documentation/ms08_001.html

  • Immunity CANVAS

    http://immunityinc.com/products-canvas.shtml

    Core Impact

    http://www.coresecurity.com/content/core-impact-overview

    Metasploit

    http://www.metasploit.com/


  • Arp Attack

  • Man-In-The-Middle / Session Hijacking

  • ARP Table / MAC (Ex: netcut)

    ARP / IP

    MAC Flooding: Switch Mac-Address-Table

    ARP Spoofing + IP Forwarding

  • Hub (Layer 1)

    Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~

    AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.1.1

    [ HUB ] repeats the frame to every port: BB "Not Me !", CC "Not Me !", EE "Is Me !"

    EE => AA (Unicast): 192.168.1.254 in EE

  • Switch (Layer 2)

    Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~

    AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.16.1

    [ SWITCH ] floods the broadcast to every port: BB "Not Me !", CC "Not Me !", EE "Is Me !"

    EE => AA (Unicast): 192.168.1.254 in EE

    [ SWITCH ] MAC table: AA, EE; AA => EE traffic is now forwarded only to EE's port

  • Netcut

    Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~

    AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.1.1

    EE => AA (Unicast): 192.168.1.254 in EE ("Is Me !")

    ?? => FF (Broadcast): 192.168.1.254 in XX (forged answer, XX is a bogus MAC)

    AA => XX: AA's traffic for the gateway now goes to XX instead of EE (cut off)

    [ SWITCH ] MAC table: AA, EE, XX

  • Arp Spoofing

    Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~

    AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.16.1

    EE => AA (Unicast): 192.168.1.254 in EE ("Is Me !")

    BB => AA: 192.168.1.254 in BB (BB answers for the gateway)

    AA => BB: AA's traffic for the gateway now goes to BB

    [ SWITCH ] MAC table: AA, EE, BB
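The netcut and ARP spoofing diagrams above both show the gateway's IP being re-announced with a different MAC. As an added example (not from the slides), the watcher below keeps the IP-to-MAC binding each host first learned and flags any ARP packet that moves an IP to another MAC; the trace is constructed from the diagram's addresses, and the first-seen binding being the legitimate one is an assumption.

```python
# Added example: passive ARP conflict detection (arpwatch style), not part of
# the slides. Assumes the first binding seen for an IP is the legitimate one.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ArpWatcher:
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> mac first seen
    alerts: List[str] = field(default_factory=list)

    def observe(self, sender_ip: str, sender_mac: str, is_reply: bool) -> bool:
        """Record one ARP packet; return True if it conflicts with the known binding."""
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
            return False
        if known != sender_mac:
            kind = "reply" if is_reply else "request"
            self.alerts.append(f"{sender_ip} moved from {known} to {sender_mac} ({kind})")
            return True
        return False


# Constructed trace mirroring the diagrams: (sender_ip, sender_mac, is_reply)
TRACE = [
    ("192.168.1.1", "AA", False),    # AA asks who has 192.168.1.254
    ("192.168.1.254", "EE", True),   # legitimate gateway answers: in EE
    ("192.168.1.254", "XX", True),   # netcut-style: gateway now "in XX"
    ("192.168.1.254", "BB", True),   # ARP spoofing: gateway now "in BB"
    ("192.168.1.2", "BB", True),     # BB answering for its own IP is fine
]


def run(trace=TRACE) -> Tuple[int, List[str]]:
    """Feed the trace through the watcher; return (conflict count, alert lines)."""
    watcher = ArpWatcher()
    hits = sum(watcher.observe(*pkt) for pkt in trace)
    return hits, watcher.alerts
```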

  • Man In The Middle

  • (Session Hijacking)

  • Layer 2

    ARP [LAN]

    Layer 3

    DHCP Spoofing [LAN]

    DNS Spoofing [LAN][INTERNET]

    DNS Cache Poisoning [LAN][INTERNET]

    Layer 7

    Proxy [LAN] [INTERNET]

  • Layer 2

    ARP Spoofing

    ARP Table

    IP Forwarding => Man In The Middle

    IP Smart Spoofing

  • IP Smart Spoofing

  • Layer 3

    DHCP Spoofing

    DHCP Request => forged DHCP Reply (IP / Gateway / DNS)

    Attacker-chosen DNS / Gateway => Man In The Middle

  • Layer 3

    DNS Spoofing

    DNS: DN => IP (forged answer)

    Man In The Middle

  • Layer 3

    DNS Cache Poisoning

    DNS Spoofing aimed at the DNS server itself

    Guess the PORT / Query ID so the DNS Server caches the forged DN => IP

    DNS Server (and all its clients) => Man In The Middle

    http://www.checkpoint.com/defense/advisories/public/dnsvideo/index.html
  • Layer 7

    Proxy

    Proxy => Man In The Middle

    Proxy Server

    SSL

    Transparent Proxy

    In-Line Mode Transparent Proxy

    Router + WCCP

    Gateway IP/PORT Rewrite

    SSL

  • Session Hijacking

  • root

    Session ID

  • Layer 2

    ARP [LAN]

    Layer 7

    Cookie & Session ID [LAN] [INTERNET]

  • Layer 2

    ARP Spoofing

    ARP Table

    IP Forwarding => Man In The Middle

    RST

  • Layer 7

    Cookie Spoofing

    Cookie/Session ID

    Cookie / Session

    Proxy

    Session ID

    Session ID

    Session

  • Cookie

    GET /test.asp HTTP/1.1

    Host: www.example.com

    HTTP/1.1 200 OK

    Set-Cookie: name=ABC

    GET /test.asp HTTP/1.1

    Host: www.example.com

    Cookie: name=ABC

    Cookie Table (client side)

    Domain           Path  Name  Value
    www.example.com  /     name  ABC

  • Session

    POST /test.asp HTTP/1.1

    Host: www.example.com

    Content-Length: 8

    name=XYZ

    HTTP/1.1 200 OK

    Set-Cookie: SESSID=bbbb

    GET /test.asp HTTP/1.1

    Host: www.example.com

    Cookie: SESSID=bbbb

    Server-side session store

    SESSID aaaa -> name=ABC
    SESSID bbbb -> name=XYZ

    Cookie Table (client side)

    Domain           Path  Name    Value
    www.example.com  /     SESSID  bbbb

  • DOS & DDOS

  • DOS/DDOS

    DOS Denial Of Service

    DDOS Distributed DOS


  • DOS

    Incoming

    Outgoing

    Performance

    CPU

    Chip

    Capacity

    Memory

    Session Table

    Disk Space

  • DOS


  • DDOS Attack

    Teardrop

    Land

    Smurf

    Fraggle

    Ping of Death

  • IP Header

  • TCP/UDP Header

    TCP

    UDP

  • Teardrop

    TCP bug => Crash

    Firewall / Server

    Windows 3.1 / 95 / NT

    Linux kernel < 2.0.32 / 2.1.63

  • Teardrop

  • Land

    TCP SYN with the same Source/Destination IP => Crash

    Firewall / Server

    AIX 3

    FreeBSD 2.2.5

    IRIX 5.3

    NetBSD 1.3

    SunOS 4.1.4

    Windows 95 / NT

  • Smurf

    ICMP echo-request sent to a Broadcast Address

    every host on the segment answers with ICMP echo-reply

    Firewall

    Internet Router: block Broadcast Address (no ip directed-broadcast)

    Windows ?? ICMP Broadcast

    Linux (net.ipv4.icmp_echo_ignore_broadcasts)

  • Smurf

  • Fraggle

    UDP sent to a Broadcast Address

    port 7 (echo)

    port 19 (chargen)

    UDP

    Firewall

    Internet Router: block Broadcast Address (no ip directed-broadcast)

    UDP

  • Ping of Death

    65535 bytes ping

    router / MTU fragmentation

    Crash

    1997-1998 OS

    Firewall / Server

  • Internet DDOS

    Sessionless =>

    SYN Flood

    ACK/RST Flood

    UDP/ICMP Flood

    IP Fragment Attack

    Full Connection =>

    Connection Flood

    Zombie Connection

    SSL Flood

    HTTP Flood

    Application Flood

  • DDoS

    IP Header

    TCP/UDP Header

    Application Header

    Limit Connect/s

    Limit Concurrent Connections

    SYN Proxy

    SYN Cookies

  • DDoS

    Limit Request/s

    JavaScript/Cookie Challenge

    Challenge/Response

  • SYN Flood

    SYN packets fill the Session Table with SYN_RCVD half-open entries

    [incoming SYN rate] > [Timeout recycle rate]

    SYN Proxy / Server: Table size, timeout

    SYN Cookie

    RFC 4987

  • SYN Flood DDOS Attack

    TCP 3-way handshake: Client <-> Server

    Server Session Table

    Client -> Server: SYN Flooding

  • TCP State

  • SYN = 64 bytes

    1Mbps => 2000 pps SYN

    100Mbps => 200,000 pps SYN

    500Mbps => 1,000,000 pps SYN

    New Session/s

  • 100 Mbps ~ 200,000 pps

    1000 Mbps ~ 2,000,000 pps

    10Gbps !? !? !? !? !? !?

    CPU

    NIC

    Linux

    UNIX-based

    Windows

  • On Linux 2.6 kernel

    Intel chip NIC

    NoteBook Thinkpad X61s: 500,000 pps (in Gigabit LAN), 1 Gbps, unlimited concurrent connections (!?)

    Server Dell PowerEdge R805: 800,000 pps, 1 ~ 10 Gbps

  • RFC 4987

    TCP SYN Flooding Attacks and Common Mitigations

    Filtering

    Increasing Backlog

    Reducing SYN-RECEIVED Timer

    Recycling the Oldest Half-Open TCB

    SYN Cache

    SYN Cookies

    Hybrid Approaches

    Firewalls and Proxies
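As an added example (not from the slides or from RFC 4987 itself) for the SYN Cookie mitigation listed above: the server encodes the half-open connection into its initial sequence number instead of keeping a SYN_RCVD entry, so the Session Table cannot be filled by a flood. The bit layout (5 bits time counter, 3 bits MSS index, 24 bits keyed hash), the secret and the MSS table are assumptions for the example; real kernels use their own layout.

```python
# Added example: simplified SYN cookie generation and validation, not the
# slides' or any kernel's code. Assumed layout: top 5 bits = time counter,
# next 3 bits = MSS index, low 24 bits = keyed hash over the 4-tuple and time.
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # assumption; rotated periodically in practice
MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values encodable in the 3-bit index
COOKIE_WINDOW = 2                       # accept cookies up to 2 ticks old


def _hash24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash binding the cookie to the connection 4-tuple and time tick."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, t):
    """ISN the server puts in its SYN/ACK; t is a coarse time counter (e.g. minutes)."""
    # largest table entry not exceeding the client's MSS (index 0 if none fits)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None."""
    isn = (ack - 1) & 0xFFFFFFFF          # client acknowledges ISN + 1
    t_bits = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    # the cookie only stores the low 5 bits of t, so try each tick in the window
    for age in range(COOKIE_WINDOW + 1):
        t = now - age
        if (t & 0x1F) == t_bits and (isn & 0xFFFFFF) == _hash24(saddr, sport, daddr, dport, t):
            return MSS_TABLE[mss_idx]
    return None                           # stale, forged, or for another 4-tuple
```

A flood of SYNs costs the server only the hash per SYN/ACK; state is created only when a valid ACK arrives.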

  • ACK/RST Flood

    ACK/RST packets with no matching session

    Firewall / Proxy / L4: no entry in Session Table => RST (or Drop)

    Outbound

    Stateful Firewall: L4 Drop

  • SYN/ACK/RST Flood

    Before WinXP sp1: hping

    HGod

    After WinXP sp1: WinPcap Library

    Linux tfn/tfn2k

    juno.c

    synk4.c

    netflood.cpp

    d0s.pl

  • Hgod

  • UDP/ICMP Flood

    UDP/ICMP

    lower overhead than TCP

    Firewall ACL

    IPS

    QoS (PPS limit)

  • UDP Floods

    Windows

    Linux

    pktgen (kernel module)

  • Fragment Packet Flood

  • Connection Flood

    TCP

    Firewall/IPS: Connection Per Second

    timeout

    CPS

    Proxy/L4

  • Zombie Connection

    TCP

    Session Table

    Firewall/IPS: per IP

    timeout

    Proxy/L4

  • SSL Flood

    SSL Handshake

    SSL

    SSL Offload

    SSL Session Re-Use

    SSL Accelerator

  • SSL Handshake

    Client -> Server: ClientHello (Supported SSL/TLS Version, Cipher Method, Session ID, Random Data)

    Server -> Client: ServerHello (Used SSL/TLS Version, Cipher Method, Session ID, Random Data)

    Server -> Client: Certificate (Chain of Certificate / Public Key)

    Server -> Client: ServerHelloDone

    Client -> Server: ClientKeyExchange (Send client key encrypted by server's public key)

    Client -> Server: ChangeCipherSpec, Finished (Verify Cipher/Key)

    Server -> Client: ChangeCipherSpec, Finished (Verify Cipher/Key)

  • HTTP Flood

    HTTP Request

    Request

    Firewall/IPS: limit per IP

    Web server: limit per IP (ex: mod_evasive)

    L7 (Cookie challenge)
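As an added example (not from the slides) of the per-IP request limit listed above in the style of mod_evasive: a sliding-window counter over a few constructed access-log lines marks any source that exceeds LIMIT requests within WINDOW seconds. The log format, limit and window are assumptions for the example.

```python
# Added example: mod_evasive-style per-source request limiting over constructed
# access-log lines; not the slides' code. LIMIT/WINDOW are assumed tuning values.
from collections import defaultdict, deque
from datetime import datetime

LIMIT = 5       # requests allowed per window before the source is blocked
WINDOW = 2.0    # sliding window length in seconds

# constructed sample log: "<ip> [<timestamp>] <method> <path>"
LOG = """\
10.0.0.7 [2009-03-01 10:00:00] GET /index.asp
10.0.0.7 [2009-03-01 10:00:00] GET /index.asp
10.0.0.7 [2009-03-01 10:00:00] GET /index.asp
10.0.0.7 [2009-03-01 10:00:01] GET /index.asp
10.0.0.7 [2009-03-01 10:00:01] GET /index.asp
10.0.0.7 [2009-03-01 10:00:01] GET /index.asp
10.0.0.9 [2009-03-01 10:00:01] GET /login.asp
10.0.0.9 [2009-03-01 10:00:05] GET /login.asp
"""


def parse(line):
    """Return (ip, unix timestamp) for one log line."""
    ip, rest = line.split(" ", 1)
    ts = datetime.strptime(rest[1:20], "%Y-%m-%d %H:%M:%S")
    return ip, ts.timestamp()


def find_floods(log=LOG, limit=LIMIT, window=WINDOW):
    """Return {ip: first time it exceeded the limit} for sources that flooded."""
    recent = defaultdict(deque)   # ip -> request times still inside the window
    blocked = {}
    for line in log.splitlines():
        ip, now = parse(line)
        q = recent[ip]
        while q and now - q[0] > window:   # expire requests that left the window
            q.popleft()
        q.append(now)
        if len(q) > limit and ip not in blocked:
            blocked[ip] = now
    return blocked
```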

  • HTTP Flood

    ab (Apache Benchmark): http://httpd.apache.org/

    JMeter: http://jakarta.apache.org/jmeter/

    Siege: http://www.joedog.org/siege/

    Microsoft Web Application Stress Tool: http://www.microsoft.com/technet/archive/itsolutions/intranet/downloads/webstres.mspx

    Many more tools: http://www.softwareqatest.com/qatweb1.html

  • Microsoft Web Application Stress Tool

  • Firewall

    IPS / IDP (Intrusion Detection & Prevention System)

    Application Delivery Controller (L4 Load Balancer, ADC)

    DDoS

  • Firewall

  • IPS

  • Application Delivery Controller