introduction to denail of service.txt

1000 HOWTOs for various needs [WINDOWS]

          
===================================                    
=INTRODUCTION TO DENIAL OF SERVICE=
===================================

Hans Husman
t95hhu@student.tdb.uu.se
Last updated: Mon Oct 28 14:56:31 MET 1996

.0. FOREWORD

.A. INTRODUCTION
	.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
	.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
		.A.2.1. INTRODUCTION
		.A.2.2. SUB-CULTURAL STATUS
		.A.2.3. TO GAIN ACCESS
		.A.2.4. REVENGE
		.A.2.5. POLITICAL REASONS
		.A.2.6. ECONOMICAL REASONS
		.A.2.7. NASTINESS
	.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?

.B. SOME BASIC TARGETS FOR AN ATTACK
	.B.1. SWAP SPACE
	.B.2. BANDWIDTH
	.B.3. KERNEL TABLES
	.B.4. RAM
	.B.5. DISKS
	.B.6. CACHES
	.B.7. INETD

.C. ATTACKING FROM THE OUTSIDE
	.C.1. TAKING ADVANTAGE OF FINGER
	.C.2. UDP AND SUNOS 4.1.3.
	.C.3. FREEZING UP X-WINDOWS
	.C.4. MALICIOUS USE OF UDP SERVICES
    	.C.5. ATTACKING WITH LYNX CLIENTS
	.C.6. MALICIOUS USE OF telnet
	.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
	.C.8. HOW TO DISABLE ACCOUNTS
	.C.9. LINUX AND TCP TIME, DAYTIME
	.C.10. HOW TO DISABLE SERVICES
	.C.11. PARAGON OS BETA R1.4
	.C.12. NOVELLS NETWARE FTP
	.C.13. ICMP REDIRECT ATTACKS
	.C.14. BROADCAST STORMS
	.C.15. EMAIL BOMBING AND SPAMMING
	.C.16. TIME AND KERBEROS
	.C.17. THE DOT DOT BUG
	.C.18. SUNOS KERNEL PANIC
	.C.19. HOSTILE APPLETS
	.C.20. VIRUS
	.C.21. ANONYMOUS FTP ABUSE
	.C.22. SYN FLOODING
	.C.23. PING FLOODING
	.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
	.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
	.C.26. FLEXlm
	.C.27. BOOTING WITH TRIVIAL FTP

.D. ATTACKING FROM THE INSIDE
	.D.1. KERNEL PANIC UNDER SOLARIS 2.3
	.D.2. CRASHING THE X-SERVER
	.D.3. FILLING UP THE HARD DISK
	.D.4. MALICIOUS USE OF eval
	.D.5. MALICIOUS USE OF fork()
	.D.6. CREATING FILES THAT IS HARD TO REMOVE
	.D.7. DIRECTORY NAME LOOKUPCACHE
	.D.8. CSH ATTACK
	.D.9. CREATING FILES IN /tmp
	.D.10. USING RESOLV_HOST_CONF
	.D.11. SUN 4.X AND BACKGROUND JOBS	
	.D.12. CRASHING DG/UX WITH ULIMIT 
	.D.13. NETTUNE AND HP-UX
	.D.14. SOLARIS 2.X AND NFS
	.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
	.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X

.E. DUMPING CORE
	.E.1. SHORT COMMENT
	.E.2. MALICIOUS USE OF NETSCAPE
	.E.3. CORE DUMPED UNDER WUFTPD
	.E.4. ld UNDER SOLARIS/X86

.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
	.F.1. BASIC SECURITY PROTECTION
		.F.1.1. INTRODUCTION
		.F.1.2. PORT SCANNING
		.F.1.3. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
		.F.1.4. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
		.F.1.5. EXTRA SECURITY SYSTEMS
		.F.1.6. MONITORING SECURITY
		.F.1.7. KEEPING UP TO DATE
		.F.1.8. READ SOMETHING BETTER
	.F.2. MONITORING PERFORMANCE
		.F.2.1. INTRODUCTION
		.F.2.2. COMMANDS AND SERVICES                      
		.F.2.3. PROGRAMS
		.F.2.4. ACCOUNTING

.G. SUGGESTED READING
	.G.1. INFORMATION FOR DEEPER KNOWLEDGE
	.G.2. KEEPING UP TO DATE INFORMATION
	.G.3. BASIC INFORMATION

.H. COPYRIGHT

.I. DISCLAIMER

.0. FOREWORD
------------

In this paper I have tried to answer the following questions:

	- What is a denial of service attack?
	- Why would someone crash a system?
	- How can someone crash a system.
	- How do I protect a system against denial of service attacks?
	
I also have a section called SUGGESTED READING were you can find
information about good free information that can give you a deeper
understanding about something.

Note that I have a very limited experience with Macintosh, OS/2 and
Windows and most of the material are therefore for Unix use. 

You can always find the latest version at the following address:
http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to address:
t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

Denial of service is about without permission knocking off
services, for example through crashing the whole system. This
kind of attacks are easy to launch and it is hard to protect
a system against them. The basic problem is that Unix
assumes that users on the system or on other systems will be
well behaved. 

.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
---------------------------------------
 
.A.2.1. INTRODUCTION
--------------------

Why would someone crash a system? I can think of several reasons
that I have presentated more precisely in a section for each reason,
but for short:

	.1. Sub-cultural status.
	.2. To gain access.
	.3. Revenge.
	.4. Political reasons.
	.5. Economical reasons.
	.6. Nastiness.

I think that number one and six are the more common today, but that
number four and five will be the more common ones in the future.

.A.2.2. SUB-CULTURAL STATUS
---------------------------

After all information about syn flooding a bunch of such attacks
were launched around Sweden. The very most of these attacks were
not a part of a IP-spoof attack, it was "only" a denial of service
attack. Why? 

I think that hackers attack systems as a sub-cultural pseudo career
and I think that many denial of service attacks, and here in the
example syn flooding, were performed for these reasons. I also think
that many hackers begin their carrer with denial of service attacks.

.A.2.3. TO GAIN ACCESS
----------------------

Sometimes could a denial of service attack be a part of an attack to
gain access at a system. At the moment I can think of these reasons
and specific holes:

	.1. Some older X-lock versions could be crashed with a 
	method from the denial of service family leaving the system
	open. Physical access was needed to use the work space after.

	.2. Syn flooding could be a part of a IP-spoof attack method.

	.3. Some program systems could have holes under the startup, 
	that could be used to gain root, for example SSH (secure shell).

	.4. Under an attack it could be usable to crash other machines
	in the network or to deny certain persons the ability to access 
	the system.  	

	.5. Also could a system being booted sometimes be subverted,
	especially rarp-boots. If we know which port the machine listen
	to (69 could be a good guess) under the boot we can send false
	packets to it and almost totally control the boot.

.A.2.4. REVENGE
---------------

A denial of service attack could be a part of a revenge against a user
or an administrator.

.A.2.5. POLITICAL REASONS
-------------------------

Sooner or later will new or old organizations understand the potential
of destroying computer systems and find tools to do it.

For example imaginate the Bank A loaning company B money to build a
factory threating the environment. The organization C therefor crash A:s
computer system, maybe with help from an employee. The attack could cost
A a great deal of money if the timing is right.

.A.2.6. ECONOMICAL REASONS
--------------------------

Imaginate the small company A moving into a business totally dominated by
company B. A and B customers make the orders by computers and depends
heavily on that the order is done in a specific time (A and B could be
stock trading companies). If A and B can't perform the order the customers
lose money and change company.

As a part of a business strategy A pays a computer expert a sum of money to
get him to crash B:s computer systems a number of times. A year later A
is the dominating company.

.A.2.7. NASTINESS
-----------------

I know a person that found a workstation where the user had forgotten to
logout. He sat down and wrote a program that made a kill -9 -1 at a
random time at least 30 minutes after the login time and placed a call to
the program from the profile file. That is nastiness.

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------

This is a hard question to answer and I don't think that it will
give anything to compare different Unix platforms. You can't say that
one Unix is more secure against denial of service, it is all up to the
administrator.

A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.

Unix systems are much more complex and have hundreds of built in programs,
services... This always open up many ways to crash the system from
the inside.

In the normal Windows NT and 95 network were is few ways to crash
the system. Although were is methods that always will work.

That gives us that no big different between Microsoft and Unix can
be seen regardning the inside attacks. But there is a couple of
points left:

	- Unix have much more tools and programs to discover an
	attack and monitoring the users. To watch what another user
	is up to under windows is very hard.

	- The average Unix administrator probably also have much more
	experience than the average Microsoft administrator.

The two last points gives that Unix is more secure against inside
denial of service attacks.

A comparison between Microsoft and Unix regarding outside attacks
are much more difficult. However I would like to say that the average
Microsoft system on the Internet are more secure against outside
attacks, because they normally have much less services.

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to 
service client requests. The swap space is typical used
for forked child processes which have a short life time.
The swap space will therefore almost never in a normal
cause be used heavily. A denial of service could be based 
on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth is to high the network will be useless. Most
denial of service attack influence the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables which will cause
serious problems on the system. Systems with write through
caches and small write buffers is especially sensitive.

Kernel memory allocation is also a target that is sensitive.
The kernel have a kernelmap limit, if the system reach this
limit it can not allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPU:s, screens and so
on, it it also used for ordinaries processes. Meaning that any system
can be crashed and with a mean (or in some sense good) algorithm pretty
fast.

For Solaris 2.X it is measured and reported with the sar command
how much kernel memory the system is using, but for SunOS 4.X there
is no such command. Meaning that under SunOS 4.X you don't even can
get a warning. If you do use Solaris you should write sar -k 1 to
get the information. netstat -k can also be used and shows how much
memory the kernel have allocated in the subpaging.
 
.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM
can make a great deal of problems. NFS and mail servers are 
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at 
a NFS server is trivial. The normal NFS client will do a 
great deal of caching, but a NFS client can be anything 
including the program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack at
the disks can be so much more. For example can an overloaded disk
be misused in many ways.

.B.6. CACHES
-------------

A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Cache information read from disk in case it is needed
again.

Rnode cache: Holds information about the NFS filesystem.

Buffer cache: Cache inode indirect blocks and cylinders to realed disk
I/O.

.B.7. INETD
-----------

Well once inetd crashed all other services running through inetd no
longer will work.


.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirections to an other host.

Ex:

	$finger @system.two.com@system.one.com

finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Lock at this:

	$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth, short free memory and a hard disk with
less free space, due to all child processes (compare with .D.5.).

The solution is to install a fingerd which don't support redirections,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit to much.

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3. is known to boot if a packet with incorrect information
in the header is sent to it. This is the cause if the ip_options
indicate a wrong size of the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025. In most cases 6000) could that
be used to freeze up the X-Windows system. This can be made with
multiple telnet connections to the port or with a program which
sends multiple XOpenDisplay() to the port.

The same thing can happen to Motif or Open Windows.

The solution is to deny connections to the X-Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services (echo, time, daytime, chargen) to 
loop, due to trivial IP-spoofing. The effect can be high bandwidth 
that causes the network to become useless. In the example the header 
claim that the packet came from 127.0.0.1 (loopback) and the target 
is the echo port at system.we.attack. As far as system.we.attack knows 
is 127.0.0.1 system.we.attack and the loop has been establish. 

Ex:

	from-IP=127.0.0.1
	to-IP=system.we.attack
	Packet type:UDP
	from UDP port 7
	to UDP port 7

Note that the name system.we.attack looks like a DNS-name, but the
target should always be represented by the IP-number.

Quoted from proberts@clark.net (Paul D. Robertson) comment on
comp.security.firewalls on matter of "Introduction to denial of service"
 
	" A great deal of systems don't put loopback on the wire, and simply
	emulate it.  Therefore, this attack will only effect that machine 
	in some cases.  It's much better to use the address of a different 
	machine on the same network.  Again, the default services should 
	be disabled in inetd.conf.  Other than some hacks for mainframe IP 
	stacks that don't support ICMP, the echo service isn't used by many 
	legitimate programs, and TCP echo should be used instead of UDP 
	where it is necessary. "

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process as a respond
to a request from a client, typical Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses ps. In most causes it is therefore very
safe to launch a denial of service attack that makes use of 
multiple W3 clients, typical lynx clients. But note that the netstat
command could be used to detect the attack (thanks to Paul D. Robertson).

Some httpd:s (for example http-gw) will have problems besides the normal
high bandwidth, low memory... And the attack can in those causes get
the server to loop (compare with .C.6.)

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

	while : ; do
	telnet system.we.attack &
	done