root server attack method?

Networking/Security Forums -> Exploits // System Weaknesses

Author: flw | Location: U.S.A. | Posted: Mon Nov 11, 2002 5:23 am | Post subject: root server attack method?
    ----
I still have not heard what method was used in the root server attacks a few weeks ago, where a number of them were out of service for an hour. Anybody heard any details as far as the methodology used?

fastlanwan

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Mon Nov 11, 2002 11:13 am
    ----
None of the articles I read mentioned the methods used, but there aren't that many DDoS types around..

Probably a combination of a few, Trinoo, papasmurf, echo spoofing etc.

Author: Jason | Posted: Mon Nov 11, 2002 4:52 pm
    ----
I would guess that you would need a fair amount of "drone" machines. Anyone have any idea how many?

If you wanted to DDOS someone and you know their connection speed, is there any way to calculate how many hosts and how much bandwidth you need to DDOS them?

J

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Mon Nov 11, 2002 5:01 pm
    ----
Not really, it's all dependent on the efficiency of the network they are on, the true bandwidth of the drones, the routing between the 2, general network traffic etc..

Too many variables.

But allowing 10 times the bandwidth of the victim for a decent period usually suffices.

If the drones were all on ADSL/Cable at 512k, probably need around 5000-10,000 per machine you were attacking..

Author: flw | Location: U.S.A. | Posted: Mon Nov 11, 2002 5:08 pm
    ----
The reason for my question is these servers are/were considered hardened yet even just for a limited time fell to some hole in the armor.

Maybe they were just thought to be hardened (because of importance) or were hardened by definition but still vulnerable.

With a properly set up and maintained IDS and DMZ, this DoS should be very difficult with traditional methods. Unless you had tens of thousands (guess) of bots to just overload the IDS and infrastructure of that individual root server, it would just be slow for legit requests. i.e. This concept worked well for the Chinese/Koreans (Gov., not the men) at the start of the Korean War.

What do you guys/gal think?

fastlanwan

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Mon Nov 11, 2002 5:14 pm
    ----
They are hardened, load balanced and made redundant..

But there is nothing you can do to stop a well co-ordinated DoS attack..

Apart from having some guy in the upstream backbone provider watching the network 24/7..

It's very hard to distinguish between a normal high load situation and an attack.

An IDS and DMZ do nothing against a DoS attack at all; an IDS, if configured properly, may tell you that one is occurring, and having your machine in a DMZ won't make a difference at all (just reduces risk if the machine happens to get 0wned).

Basically they just fired so many mangled packets (usually fragmented udp, echo, chargen, time, ICMP, IGMP and tcp/ip fired at port 53) that the bandwidth for the server was swallowed.

Nothing can be done about that, as was shown by Mafiaboy and Yahoo! et al.

I used to play with DoS and DDoS back when scanning for broadcasts was fun (smurf) when you used to be able to pick up broadcasts with 10,000 replies...

It's hard to find any with above 100 now.

But still if you root enough machines with high bandwidth, install some natty tools, have a whole trinoo network you can pretty much take anything out.

Author: Mongrel | Posted: Tue Nov 12, 2002 5:13 am
    ----
It was a ping flood against all 13 root DNS servers using smurf style attack.

http://www.pcw.co.uk/Analysis/1136694

BTW, they think they located the culprits in Korea - same ones that attempted another attack against nameservers.

http://www.linuxsecurity.com/articles/hackscracks_article-6064.html

Author: Abybaby24 | Posted: Wed Nov 13, 2002 6:58 am
    ----
hmmmmm,

good discussion,

tx.

Abybaby.

Author: decypherohm | Location: World - Europe - Portugal - Lisbon | Posted: Fri Nov 22, 2002 5:42 pm
    ----
How the heck do you make a smurf attack?!?!?!?!? Are there "canned" programs for that?

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Fri Nov 22, 2002 5:46 pm
    ----
decypherohm wrote:
    How the heck do you make a smurf attack?!?!?!?!?

By pinging the broadcast address of a network that is badly configured, all hosts on the network will reply to the ping rather than none. You simply spoof the address the ping request originates from and the poor sucker you spoofed gets hammered with ping replies from every machine on the broadcast network.

Smurf isn't so useful nowadays. I remember scanning back in the day when I could find broadcast amplifiers that were 10,000 - 1. Nowadays you are lucky if you get above 20 - 1. I could take out a 10mb link in about 15 seconds (Only for testing purposes of course *ahem*)

decypherohm wrote:
    Are there "canned" programs for that?

Yes it's called papasmurf.c.

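ShaolinTiger's description above is the classic smurf reflection pattern: a request spoofed from the victim's address hits a broadcast address, and every host on that network answers the victim. The following is an added example, not code from the thread, showing the defender-side detection logic over constructed ICMP flow records: flag a host that receives far more echo replies than echo requests it sent, concentrated from many distinct hosts in one /24 (the amplifier network). The addresses, thresholds and function names are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed ICMP flow records (not from the thread): (src, dst, icmp_type) seen in one
# short window at the victim's border. Type 8 = echo request, type 0 = echo reply.
VICTIM = "198.51.100.7"
SAMPLE_FLOWS = [
    (VICTIM, "192.0.2.1", 8),   # one legitimate ping from the victim...
    ("192.0.2.1", VICTIM, 0),   # ...and its single reply
] + [(f"203.0.113.{i}", VICTIM, 0) for i in range(1, 61)]  # 60 unsolicited replies, one /24

def detect_reflection(flows, ratio_threshold=10, min_sources=20):
    """Return {host: [(amplifier_net, reply_count, distinct_sources), ...]} for hosts that
    receive more than ratio_threshold echo replies per echo request they sent, where the
    replies come from at least min_sources distinct hosts in one /24. That combination is
    the smurf signature: a spoofed request to a broadcast address, answered by every host."""
    requests_sent = defaultdict(int)
    replies = defaultdict(dict)  # host -> {"/24": {"count": n, "sources": {ips}}}
    for src, dst, icmp_type in flows:
        if icmp_type == 8:
            requests_sent[src] += 1
        elif icmp_type == 0:
            net = str(ip_network(f"{src}/24", strict=False))
            stats = replies[dst].setdefault(net, {"count": 0, "sources": set()})
            stats["count"] += 1
            stats["sources"].add(src)
    findings = {}
    for host, nets in replies.items():
        total = sum(s["count"] for s in nets.values())
        if total <= ratio_threshold * max(requests_sent[host], 1):
            continue  # reply volume is explained by the host's own requests
        hits = [(net, s["count"], len(s["sources"]))
                for net, s in nets.items() if len(s["sources"]) >= min_sources]
        if hits:
            findings[host] = sorted(hits, key=lambda h: -h[1])
    return findings

if __name__ == "__main__":
    for host, hits in detect_reflection(SAMPLE_FLOWS).items():
        for net, count, sources in hits:
            print(f"{host}: {count} echo replies from {sources} hosts in {net} "
                  "(possible smurf reflection)")
```

The same logic applied on the amplifier side (many echo requests to your own broadcast address from a single outside source) tells you that your network is being used as the reflector.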
Author: delete852 | Location: Washington DC | Posted: Fri Nov 22, 2002 6:34 pm
    ----
Wow, that's a pretty awesome attack method, didn't know about it. Cool idea

Author: decypherohm | Location: World - Europe - Portugal - Lisbon | Posted: Fri Nov 22, 2002 8:41 pm
    ----
errrrr.. can you get me a good C compiler... I kinda suck at finding compilers... heheheheheheeh

Author: max_blakk | Location: South Wales UK | Posted: Mon Nov 25, 2002 9:07 pm
    ----
While on this topic, more thread feeder: how about service DoS..

How many syn connections would be needed from spoofed addresses to clog a service with pending connections...??

And could a 56k get enough connections out?

"hping -a forged_ip -p 80 -i u1 destination_ip"

Could it slow it down...?? (doubtful) without SYN cookie support on the server?
(SYN cookies work well, I have experimented)

I have bogged down my own internal services, ssh smb with forged requests (admittedly 100Mbs duplex connection)..

And has IIS implemented SYN cookies now? Also, do Cisco routers work with SYN cookies or in a similar way? Anybody know?

PS
Compiler: gcc..!!! Tux does it again...
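On max_blakk's SYN cookie question, the following is an added, simplified illustration (not the thread's code and not the Linux implementation) of why SYN cookies defeat a flood of spoofed SYNs: the server encodes its initial sequence number as a keyed hash of the connection 4-tuple and a coarse time tick, stores nothing, and only creates connection state when an ACK returns a valid, recent cookie. The bit layout, secret, tick values and addresses are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo secret (not a real deployment value); a server would rotate it.
SECRET = b"constructed-demo-secret"

def _mac24(secret, src, sport, dst, dport, t):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(secret, src, sport, dst, dport, t, mss_idx):
    """Server-chosen ISN for an incoming SYN. Layout: 5 bits of tick, 3 bits of MSS index,
    24-bit MAC. No half-open entry is kept, so a spoofed SYN costs only this computation."""
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | _mac24(secret, src, sport, dst, dport, t)

def verify_syn_cookie(secret, src, sport, dst, dport, ack_num, now, max_age=3):
    """On the handshake's final ACK, recover the cookie (the ACK acknowledges ISN+1) and
    accept it only if it was minted for this 4-tuple within the last max_age ticks.
    Returns the MSS index to use for the new connection, or None to drop the ACK."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick_bits, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(max_age + 1):
        t = now - age
        if (t & 0x1F) == tick_bits and _mac24(secret, src, sport, dst, dport, t) == mac:
            return mss_idx
    return None  # forged, stale, or for a different 4-tuple: no state was ever allocated

if __name__ == "__main__":
    # Client 203.0.113.9:40000 -> server 198.51.100.7:80 (constructed addresses), tick 100.
    isn = make_syn_cookie(SECRET, "203.0.113.9", 40000, "198.51.100.7", 80, 100, 5)
    print("Real client's ACK accepted, MSS index:",
          verify_syn_cookie(SECRET, "203.0.113.9", 40000, "198.51.100.7", 80, isn + 1, 101))
    print("ACK with an out-of-window tick rejected:",
          verify_syn_cookie(SECRET, "203.0.113.9", 40000, "198.51.100.7", 80, 0xF8000001, 101))
```

The cost of the scheme is visible in the layout: only the MSS index survives the round trip, which is why real implementations lose other SYN options when cookies are active.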



All times are GMT + 2 Hours