
Security Forums



root server attack method?

Networking/Security Forums Index -> Exploits // System Weaknesses
flw (Forum Fanatic; joined 27 May 2002; U.S.A.)
Posted: Mon Nov 11, 2002 5:23 am    Post subject: root server attack method?

I still have not heard what method was used in the root server attacks a few weeks ago, where a number of them were out of service for an hour. Has anybody heard any details as far as the methodology used?

fastlanwan
ShaolinTiger (Forum Fanatic; joined 18 Apr 2002; Kuala Lumpur, Malaysia)
Posted: Mon Nov 11, 2002 11:13 am

None of the articles I read mentioned the methods used, but there aren't that many DDoS types around..

Probably a combination of a few, Trinoo, papasmurf, echo spoofing etc.
Jason (Forum Fanatic; joined 19 Sep 2002)
Posted: Mon Nov 11, 2002 4:52 pm

I would guess that you would need a fair amount of "drone" machines. Anyone have any idea how many?

If you wanted to DDoS someone and you knew their connection speed, is there any way to calculate how many hosts and how much bandwidth you need to DDoS them?

J
ShaolinTiger (Forum Fanatic; joined 18 Apr 2002; Kuala Lumpur, Malaysia)
Posted: Mon Nov 11, 2002 5:01 pm

Not really, it's all dependent on the efficiency of the network they are on, the true bandwidth of the drones, the routing between the two, general network traffic, etc..

Too many variables.

But allowing 10 times the bandwidth of the victim for a decent period usually suffices.

If the drones were all on ADSL/cable at 512k, you'd probably need around 5,000-10,000 per machine you were attacking..
flw (Forum Fanatic; joined 27 May 2002; U.S.A.)
Posted: Mon Nov 11, 2002 5:08 pm

The reason for my question is that these servers are/were considered hardened, yet even just for a limited time they fell to some hole in the armor.

Maybe they were just thought to be hardened (because of their importance), or were hardened by definition but still vulnerable.

With a properly set up and maintained IDS and DMZ, this DoS should be very difficult with traditional methods. Unless you had tens of thousands (guess) of bots to just overload the IDS and infrastructure of that individual root server, it would just be slow for legit requests. I.e., this concept worked well for the Chinese/Koreans (Gov., not the men) at the start of the Korean War.

What do you guys/gal think?

fastlanwan
ShaolinTiger (Forum Fanatic; joined 18 Apr 2002; Kuala Lumpur, Malaysia)
Posted: Mon Nov 11, 2002 5:14 pm

They are hardened, load balanced and made redundant..

But there is nothing you can do to stop a well co-ordinated DoS attack..

Apart from having some guy at the upstream backbone provider watching the network 24/7..

It's very hard to distinguish between a normal high-load situation and an attack.

An IDS and DMZ do nothing against a DoS attack at all; an IDS, if configured properly, may tell you that one is occurring, and having your machine in a DMZ won't make a difference at all (it just reduces risk if the machine happens to get 0wned).

Basically they just fired so many mangled packets (usually fragmented UDP, echo, chargen, time, ICMP, IGMP and TCP/IP fired at port 53) that the bandwidth for the server was swallowed.

Nothing can be done about that, as was shown by Mafiaboy and Yahoo! et al.

I used to play with DoS and DDoS back when scanning for broadcasts was fun (smurf), when you used to be able to pick up broadcasts with 10,000 replies...

It's hard to find any with above 100 now.

But still, if you root enough machines with high bandwidth, install some natty tools and have a whole trinoo network, you can pretty much take anything out.
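ShaolinTiger's point above is that an IDS can at best tell you a flood is happening, and that a flood looks much like a legitimate load spike. What follows is an added example, not code from the thread or from any real IDS, of the minimal rate-based check that does that and reports the two facts an analyst then uses to judge: which protocol dominates and how many distinct sources are involved. The trace line format, the victim address 192.0.2.53, the timestamps and the traffic mix are all constructed for the example.

```python
"""Rate-based flood detection over a constructed packet trace
(added example, not code from the thread or from any IDS).

Trace line format (an assumption of this example, not a real tool's):
    "<epoch ts> <src> <dst> <proto> <dport> <bytes>"
The detector learns a packets/second baseline during a warm-up window,
then flags any second whose rate exceeds max(factor * baseline, min_pps).
Each alert also reports the dominant protocol and the number of distinct
sources: rate alone cannot separate an attack from a legitimate load
spike, but a single protocol from hundreds of sources is a strong hint.
"""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

VICTIM = "192.0.2.53"     # the name server under attack (documentation range)
T0 = 1035158400.0         # constructed start timestamp


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    length: int


def parse_line(line: str) -> Pkt:
    ts, src, dst, proto, dport, length = line.split()
    return Pkt(float(ts), src, dst, proto, int(dport), int(length))


def build_trace(seed: int = 1):
    """Constructed sample: 10 s of ordinary DNS load (~50 queries/s from many
    resolvers), then 5 s in which ~1000 pkt/s of ICMP echo replies from
    smurf amplifiers plus fragmented UDP aimed at port 53 are added, the
    mix ShaolinTiger describes."""
    rng = random.Random(seed)
    lines = []
    for sec in range(15):
        for i in range(50):
            src = f"198.51.100.{rng.randrange(1, 255)}"
            lines.append(f"{T0 + sec + i / 50:.3f} {src} {VICTIM} udp 53 {rng.randrange(40, 120)}")
        if sec >= 10:
            for i in range(1000):
                ts = T0 + sec + i / 1000
                if rng.random() < 0.8:
                    src = f"203.0.113.{rng.randrange(1, 255)}"  # amplifier hosts
                    lines.append(f"{ts:.3f} {src} {VICTIM} icmp 0 84")
                else:
                    src = f"100.64.{rng.randrange(0, 256)}.{rng.randrange(1, 255)}"  # spoofed
                    lines.append(f"{ts:.3f} {src} {VICTIM} udp-frag 53 1480")
    return lines


def per_second_stats(pkts):
    """Bucket packets by whole second: count, bytes, per-protocol count, sources."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "proto": Counter(), "srcs": set()})
    for p in pkts:
        s = stats[int(p.ts)]
        s["pkts"] += 1
        s["bytes"] += p.length
        s["proto"][p.proto] += 1
        s["srcs"].add(p.src)
    return dict(stats)


def detect_floods(lines, warmup_seconds=10, factor=10.0, min_pps=200):
    """Returns (baseline_pps, threshold_pps, alerts)."""
    stats = per_second_stats(parse_line(l) for l in lines)
    seconds = sorted(stats)
    warm = seconds[:warmup_seconds]
    baseline = sum(stats[s]["pkts"] for s in warm) / len(warm)
    threshold = max(factor * baseline, min_pps)
    alerts = []
    for sec in seconds[warmup_seconds:]:
        st = stats[sec]
        if st["pkts"] <= threshold:
            continue
        proto, n = st["proto"].most_common(1)[0]
        alerts.append({
            "second": int(sec - T0),          # seconds since trace start
            "pps": st["pkts"],
            "bps": st["bytes"] * 8,
            "dominant": proto,
            "share": n / st["pkts"],
            "distinct_sources": len(st["srcs"]),
        })
    return baseline, threshold, alerts


if __name__ == "__main__":
    base, thr, alerts = detect_floods(build_trace())
    print(f"baseline {base:.0f} pps, threshold {thr:.0f} pps")
    for a in alerts:
        print(f"t+{a['second']}s: {a['pps']} pps, {a['bps'] / 1e6:.2f} Mbit/s, "
              f"{a['dominant']} {a['share']:.0%}, {a['distinct_sources']} sources")
```

The threshold is deliberately crude; the value of the alert is in the protocol share and source count, which is what lets an operator (or the "guy at the upstream provider") ask for a filter on ICMP echo replies rather than dropping the DNS traffic the server exists to answer.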
Mongrel (SF Mod; joined 30 May 2002)
Posted: Tue Nov 12, 2002 5:13 am

It was a ping flood against all 13 root DNS servers using a smurf-style attack.

http://www.pcw.co.uk/Analysis/1136694

BTW, they think they located the culprits in Korea, the same ones that attempted another attack against nameservers.

http://www.linuxsecurity.com/articles/hackscracks_article-6064.html
Abybaby24 (Just Arrived; joined 12 Nov 2002)
Posted: Wed Nov 13, 2002 6:58 am

Hmmmmm, good discussion, tx.

Abybaby.
decypherohm (Just Arrived; joined 16 Nov 2002; World - Europe - Portugal - Lisbon)
Posted: Fri Nov 22, 2002 5:42 pm

How the heck do you make a smurf attack?!? Are there "canned" programs for that?
ShaolinTiger (Forum Fanatic; joined 18 Apr 2002; Kuala Lumpur, Malaysia)
Posted: Fri Nov 22, 2002 5:46 pm

decypherohm wrote:
how the heck do you make a smurf attack?!?

By pinging the broadcast address of a badly configured network, all hosts on the network will reply to the ping rather than none. You simply spoof the address the ping request originates from, and the poor sucker you spoofed gets hammered with ping replies from every machine on the broadcast network.

Smurf isn't so useful nowadays. I remember scanning back in the day when I could find broadcast amplifiers that were 10,000 to 1. Nowadays you are lucky if you get above 20 to 1. I could take out a 10 Mb link in about 15 seconds (only for testing purposes, of course *ahem*).

decypherohm wrote:
are there "canned" programs for that?

Yes, it's called papasmurf.c.
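The amplification described in ShaolinTiger's reply above, together with the bandwidth sizing from his earlier post (allow ten times the victim's bandwidth, spread over drones), as an added example that is not part of the thread: a model of a directed-broadcast amplifier network, the two fixes (router side, as RFC 2644 recommends and Cisco's `no ip directed-broadcast` implements; host side, Linux's `net.ipv4.icmp_echo_ignore_broadcasts=1`), and the attacker send rate that fills a victim link through such an amplifier. The network sizes, addresses and link speeds are assumptions of the example.

```python
"""Smurf amplification model (added example, not code from the thread).

An attacker sends ICMP echo requests to a network's directed-broadcast
address with the source spoofed to the victim. Every host that answers a
broadcast echo sends its reply to the victim, so one attacker packet
becomes N victim packets. Both fixes are modelled: the border router
refusing to forward directed broadcasts (RFC 2644; Cisco
'no ip directed-broadcast') and hosts ignoring broadcast echo requests
(Linux: net.ipv4.icmp_echo_ignore_broadcasts=1).
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional

PING_BYTES = 84  # default ping: 56 data + 8 ICMP + 20 IP header bytes


@dataclass
class Packet:
    src: str
    dst: str
    kind: str            # "echo-request" or "echo-reply"
    size: int = PING_BYTES


@dataclass
class Host:
    addr: str
    ignores_broadcast_echo: bool = False   # the host-side fix

    def receive(self, pkt: Packet, via_broadcast: bool) -> Optional[Packet]:
        if pkt.kind != "echo-request":
            return None
        if via_broadcast and self.ignores_broadcast_echo:
            return None
        # The reply goes to whatever the request claimed as its source.
        return Packet(src=self.addr, dst=pkt.src, kind="echo-reply", size=pkt.size)


@dataclass
class Network:
    prefix: str                               # e.g. "10.1.1" for a /24
    hosts: List[Host] = field(default_factory=list)
    forwards_directed_broadcast: bool = True  # the router-side fix when False

    @property
    def broadcast(self) -> str:
        return f"{self.prefix}.255"

    def deliver_from_outside(self, pkt: Packet) -> List[Packet]:
        """Border router: hand a packet from the Internet to the LAN and
        collect whatever the hosts send back out."""
        if pkt.dst == self.broadcast:
            if not self.forwards_directed_broadcast:
                return []                     # dropped at the router
            replies = [h.receive(pkt, via_broadcast=True) for h in self.hosts]
        else:
            replies = [h.receive(pkt, via_broadcast=False)
                       for h in self.hosts if h.addr == pkt.dst]
        return [r for r in replies if r is not None]


def make_network(prefix: str, n_hosts: int, patched_hosts: int = 0,
                 router_forwards_broadcast: bool = True) -> Network:
    """Assumed /24 with n_hosts hosts, the first `patched_hosts` of which
    ignore broadcast echo requests."""
    hosts = [Host(f"{prefix}.{i}", ignores_broadcast_echo=(i <= patched_hosts))
             for i in range(1, n_hosts + 1)]
    return Network(prefix, hosts, router_forwards_broadcast)


def smurf(net: Network, victim: str, requests: int) -> List[Packet]:
    """Attacker sends `requests` spoofed echo requests to net's broadcast
    address; returns the replies that land on the victim."""
    hits = []
    for _ in range(requests):
        probe = Packet(src=victim, dst=net.broadcast, kind="echo-request")
        hits.extend(r for r in net.deliver_from_outside(probe) if r.dst == victim)
    return hits


def amplification(net: Network, victim: str = "192.0.2.1", requests: int = 4) -> float:
    """Reply packets reaching the victim per attacker packet (the N:1 of the post)."""
    return len(smurf(net, victim, requests)) / requests


def attacker_bps_to_fill(victim_link_bps: float, amp: float) -> float:
    """Attacker send rate that fills the victim's link through an amp:1
    amplifier. Request and reply are the same size, so the byte ratio
    equals the packet ratio."""
    if amp <= 0:
        return float("inf")
    return victim_link_bps / amp


def drones_needed(victim_link_bps: float, drone_uplink_bps: float, margin: float = 10.0) -> int:
    """Direct (non-reflected) flood sizing from ShaolinTiger's rule of thumb:
    provision `margin` times the victim's bandwidth, divided by what each
    drone can push upstream."""
    return math.ceil(margin * victim_link_bps / drone_uplink_bps)


if __name__ == "__main__":
    lan = make_network("10.1.1", 250)
    amp = amplification(lan)
    print(f"open /24: {amp:.0f}:1, {attacker_bps_to_fill(10e6, amp):.0f} bit/s fills a 10 Mbit link")
    lan.forwards_directed_broadcast = False
    print(f"router fixed: {amplification(lan):.0f}:1")
    print(f"half the hosts patched: {amplification(make_network('10.1.1', 250, patched_hosts=125)):.0f}:1")
    print(f"drones at 512 kbit/s against a 100 Mbit/s victim: {drones_needed(100e6, 512e3)}")
```

The router-side fix is the one that matters: a single `no ip directed-broadcast` on the border takes the whole network out of the amplifier pool regardless of how the hosts behind it are configured, which is why the ratios ShaolinTiger could find dropped from thousands to tens once vendors changed the default.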
delete852 (Just Arrived; joined 19 Nov 2002; Washington DC)
Posted: Fri Nov 22, 2002 6:34 pm

Wow, that's a pretty awesome attack method, didn't know about it. Cool idea.
decypherohm (Just Arrived; joined 16 Nov 2002; World - Europe - Portugal - Lisbon)
Posted: Fri Nov 22, 2002 8:41 pm

Errrrr.. can you get me a good C compiler... I kinda suck at finding compilers... heheheheheh
max_blakk (Just Arrived; joined 29 Oct 2002; South Wales UK)
Posted: Mon Nov 25, 2002 9:07 pm

While on this topic, more thread feeder: how about service DoS..

How many SYN connections would be needed from spoofed addresses to clog a service with pending connections?

And could a 56k get enough connections out?

"hping -S -a forged_ip -p 80 -i u1 destination_ip"

Could it slow it down? (doubtful) Without SYN cookie support on the server..
(SYN cookies work well, I have experimented.)

I have bogged down my own internal services, ssh and smb, with forged requests (admittedly over a 100 Mb/s duplex connection)..

And has IIS implemented SYN cookies now? Also, do Cisco routers work with SYN cookies or in a similar way? Anybody know?

PS
Compiler:
gcc..!!! Tux does it again...
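max_blakk's questions (how many SYNs it takes, whether a 56k link can send enough, and what SYN cookies change) as an added example, not code from the thread and not hping's: a simplified model of the Bernstein/Linux SYN-cookie layout, with HMAC-SHA256 standing in for the kernel's own keyed hash, plus the backlog arithmetic. The MSS table, the 64 s epoch, the backlog size and the SYN-RECV timeout used in the demo are assumptions of the example. On the hping line: `-S` sets the SYN flag (without it hping sends flagless TCP segments that create no half-open state), `-a` spoofs the source address, `-p 80` is the destination port and `-i u1` sends one packet per microsecond.

```python
"""SYN cookies, a simplified model of the Bernstein/Linux scheme
(added example; not the kernel's code, not hping's).

Without cookies a server stores a half-open entry per SYN until its
SYN-ACK retransmissions give up, so a trickle of spoofed SYNs fills the
backlog. With cookies the server keeps no state: the SYN-ACK's sequence
number IS the state, and the client's final ACK hands it back.

Cookie layout (32 bits):  [5: t mod 32][3: MSS index][24: MAC]
  t   = counter that steps every 64 s, so old cookies expire
  MAC = truncated HMAC(secret, client IP, server IP, ports, t) + client ISN
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

MSS_TABLE = (536, 1300, 1440, 1460)  # encodable MSS values (3 bits; 4 used)
COOKIE_MASK = 0xFFFFFF
MAX_AGE_EPOCHS = 2                   # accept the current and previous 64 s epoch


def _mac(secret: bytes, saddr: str, daddr: str, sport: int, dport: int, t: int) -> int:
    msg = struct.pack("!4s4sHHI",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, t & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def _mss_index(mss: int) -> int:
    """Largest table entry not exceeding the client's MSS (index 0 if none fits)."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now) -> int:
    """Server on SYN: the ISN to send in the SYN-ACK. Nothing is stored."""
    t = int(now) // 64
    mac = (_mac(secret, saddr, daddr, sport, dport, t) + client_isn) & COOKIE_MASK
    return ((t & 0x1F) << 27) | (_mss_index(mss) << 24) | mac


def check_syn_cookie(secret, saddr, daddr, sport, dport, seq, ack, now) -> Optional[int]:
    """Server on the handshake's bare ACK: returns the MSS to use if the ACK
    carries a cookie we issued to this 4-tuple within MAX_AGE_EPOCHS, else
    None (forged, replayed on another 4-tuple, or stale)."""
    cookie = (ack - 1) & 0xFFFFFFFF        # ack = our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # seq = client ISN + 1
    t_bits, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & COOKIE_MASK
    if mss_idx >= len(MSS_TABLE):
        return None
    t_now = int(now) // 64
    for age in range(MAX_AGE_EPOCHS):
        t = t_now - age
        if (t & 0x1F) != t_bits:
            continue
        if (_mac(secret, saddr, daddr, sport, dport, t) + client_isn) & COOKIE_MASK == mac:
            return MSS_TABLE[mss_idx]
    return None


def max_syn_rate(link_bps: float, syn_bytes: int = 40, framing_bytes: int = 8) -> float:
    """SYNs per second a link can emit: 20-byte IP + 20-byte TCP header plus
    assumed PPP framing. A 56k modem manages roughly 145/s."""
    return link_bps / (8 * (syn_bytes + framing_bytes))


def syn_rate_to_fill_backlog(backlog: int, synrecv_timeout_s: float) -> float:
    """Steady spoofed-SYN rate that keeps a cookie-less backlog full, given
    how long a half-open entry lives before the SYN-ACK retries give up."""
    return backlog / synrecv_timeout_s


if __name__ == "__main__":
    secret = b"rotate-me-periodically"      # constructed server secret
    client, server, sport, dport = "203.0.113.9", "192.0.2.10", 40000, 80
    now = 1_000_000
    c = make_syn_cookie(secret, client, server, sport, dport, 12345, 1460, now)
    print("legit ACK  ->", check_syn_cookie(secret, client, server, sport, dport, 12346, c + 1, now + 30))
    print("forged ACK ->", check_syn_cookie(secret, client, server, sport, dport, 12346, 0xDEADBEEF, now + 30))
    print("stale ACK  ->", check_syn_cookie(secret, client, server, sport, dport, 12346, c + 1, now + 200))
    print(f"56k can send {max_syn_rate(56_000):.0f} SYN/s; a 128-entry backlog with a 180 s "
          f"timeout needs only {syn_rate_to_fill_backlog(128, 180):.2f} SYN/s to stay full")
```

The arithmetic answers the 56k question directly: a modem pushes on the order of a hundred SYNs a second, while a small backlog with a multi-minute half-open timeout needs less than one spoofed SYN per second to stay full, so without cookies the attacker's bandwidth is irrelevant. With cookies the server answers every SYN from arithmetic alone and only allocates when a valid ACK arrives, at the cost of losing TCP options that do not fit in the cookie (hence the coarse MSS table).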
All times are GMT + 2 hours.