Sam Bowne’s primary focus in this section of his talk is on the technical part of different types of DoS attacks: the relatively primitive Layer 4 DDoS, variations of the more sophisticated Layer 7 DoS and Link-Local IPv6 router advertisement attack.
The technical part of this is you have a Layer 4 DDoS as the simplest kind of attack. This is what was used to take down MasterCard and Visa. They couldn’t take down Amazon this way. Anonymous tried this. This is a protest which involves many people.
So, the reason it does is because the tool they use is the Low Orbit Ion Cannon (see screenshot) which is just a network stress tester, and it doesn’t do much harm. So it takes a lot of people to bring down a website this way. But with the participation of 3,000 or perhaps 30,000 attackers, the number is not entirely clear, they were able to hold down MasterCard for more than a day, and many other sites.
And this is the kind of attack that Kaspersky was talking about when they interviewed him a while ago and asked him how many infected machines it would take to bring South Africa off the Internet completely. And he said it would take hundreds of thousands of infected machines to do that. And I know that’s false. I know it would take one 3G cell phone.
However, he is not thinking of that kind of attack, he is thinking of the Layer 4 attack, where it takes thousands of machines to take down one target. And it’s really nothing more than pressing F5 in your browser, F5, F5, F5… If enough people do that, the page goes down. It is a denial-of-service of a sort, it’s just a very weak primitive one.
There are more powerful ones, like the SlowLoris attack that RSnake[1] came up with a couple of years ago. There were many previous versions of the same thing. Here you do something smarter.
Instead of sending a complete request to the web server, and just sending a lot of complete requests to the web server so it has to work too hard to serve them all up, you send it something that would jam up the web server, for instance an HTTP GET request to get a page from a server looking like this.
You have the Layer 2 information and Layer 3 information, and down here you got the GET, which is several lines of information. If you just send part of the GET and you never send the rest of it, then the network assumes that you are on some kind of unreliable network and the packets have been fragmented. And so I’ve got the first half of it, and the other half is still coming. So it waits for the other half and that ties up incoming lines. And it’s extremely powerful.
SlowLoris will freeze all available incoming lines, and all you need is about one packet per second to stop an Apache server dead.
R-U-Dead-Yet is another similar one, but it uses POSTs and affects IIS[2] (see image). IIS is not affected by the SlowLoris attack with incomplete GET requests, but it is affected by incomplete POST requests.
There are other variations of it now. There is one using Keep-Alive DoS – that works, I tried that, it’s somewhat effective. It’s not as powerful as SlowLoris attack but it’s another way to send requests that make the server do a lot of work.
The Jester’s tool presumably uses one of these principles. It is called XerXeS (see screenshot). It is a graphical interface, looks like it runs on a bunch of Linux to me, but who knows. One important thing about Layer 7 attacks is you can run them through an anonymizer, so you don’t go to prison.
The Low Orbit Ion Cannon does not enjoy this feature because it has to send a lot of traffic from you to the other end. If you try to run it through the Tor[3] network, it will just choke off your attack and bring down the Tor network, because it’s like a flamethrower: it burns everything between you and the target. And with a Layer 7 attack, it’s like a guided missile: it just sends a few packets that do not harm anything, and when it gets to the server – bang, the server becomes unavailable. So you can run it through an anonymizer, which is what he does, which means that not only can they not find out where it is coming from, but they also cannot protect from it by using simple firewall rules that filter by source address, because all the packets come from different source addresses. Although, if you block all Tor agent nodes, which you should all do, that will stop them from using Tor, and they would have to use something else like a botnet of compromised machines to do it, and that would make it a little harder.
But anyway, his tool starts, runs this thing through an anonymization network, and then brings down the target. And it independently does a series of tests to the target. When the target goes down, then it sends out tweets – ‘Tango Down’.
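The slow-request attacks described above (SlowLoris, R-U-Dead-Yet) work by holding worker slots with requests that never finish. The defender's view of that is a web server's connection table. The example below is an added illustration, not code from the talk or from any tool it mentions: it applies a header-read deadline modelled on Apache's mod_reqtimeout policy (`header=20-40,MinRate=500`, which is a real directive; the connection records, addresses and worker-pool size are constructed) and reports how many connections are stalled, which sources hold them, and what share of the worker pool they consume. A large share held by a handful of sources is the Layer 7 signature; a large share spread over thousands of sources is the Layer 4 case from the start of the talk.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass
class Conn:
    """One open connection as a web server's status page would report it (constructed format)."""
    src: str                 # client address
    opened_at: float         # seconds, when the TCP connection was accepted
    bytes_received: int      # request bytes received so far
    headers_complete: bool   # True once the blank line ending the headers arrived


def header_deadline(conn, initial=20.0, maximum=40.0, min_rate=500.0):
    """Deadline for finishing the request headers, modelled on Apache mod_reqtimeout
    'header=20-40,MinRate=500': start with `initial` seconds, extend by one second
    per `min_rate` bytes received, never beyond `maximum` seconds."""
    extension = conn.bytes_received / min_rate
    return conn.opened_at + min(initial + extension, maximum)


def is_stalled(conn, now, **policy):
    """A connection is stalled when its headers are still incomplete past the deadline.
    A completed request is never stalled, however slowly it arrived."""
    if conn.headers_complete:
        return False
    return now > header_deadline(conn, **policy)


def assess(conns, now, worker_slots, **policy):
    """Summarise stalled connections: count, sources holding them, and the share of
    the worker pool they tie up. The 'trickle' case (bytes still arriving, headers
    never finished) is caught by the capped deadline, not by inactivity alone."""
    stalled = [c for c in conns if is_stalled(c, now, **policy)]
    return {
        "stalled": len(stalled),
        "by_source": dict(Counter(c.src for c in stalled)),
        "slots_consumed": len(stalled) / worker_slots,
    }


# Constructed snapshot taken at now = 100.0 s; addresses are from documentation ranges.
SAMPLE_CONNS = [
    Conn("198.51.100.7", opened_at=50.0, bytes_received=120, headers_complete=False),
    Conn("198.51.100.7", opened_at=85.0, bytes_received=40, headers_complete=False),
    Conn("203.0.113.9", opened_at=30.0, bytes_received=10000, headers_complete=False),  # trickle
    Conn("192.0.2.44", opened_at=95.0, bytes_received=512, headers_complete=True),     # normal
    Conn("203.0.113.9", opened_at=20.0, bytes_received=0, headers_complete=False),
]

if __name__ == "__main__":
    print(assess(SAMPLE_CONNS, now=100.0, worker_slots=150))
```

On the constructed snapshot three of the five connections are stalled, held by two sources, which is 2% of a 150-slot pool; the second connection from 198.51.100.7 is still inside its 20-second window and is not flagged yet. The same deadline logic is what the Apache directive enforces server-side, so a server running it closes such connections instead of waiting for the "other half" of the request.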
Anyway, that’s where we were up to maybe 2 years ago, these things were running. The Link-Local DoS is much newer, with IPv6. You are using IPv6 if you have any version of any modern operating system, any modern version of Linux, any Windows Vista or Windows 7, or Windows XP if you turn on IPv6, although it’s not on by default. And your servers – your domain controller, your DNS server, your email server – are all using IPv6 whether you like it or not, unless you have gone out of your way to turn it off.
And like any other unwanted service, if you are not using it, it’s opening you up to attacks. So, with IPv4, when a machine joins a network, unless you are weird enough to be using static IP addresses, which most people aren’t, your machine boots up and asks the router, a DHCP[4] server: “I need an IP”, and it says “Okay, use this IP”. And then there is another back and forth to make sure nobody else is using that IP, and it’s the end of the game. There will be no further DHCP traffic until you restart that machine, or until a long time passes, like 4 days. That’s a PULL process: I need an IP, I ask for an IP.
But IPv6 is not normally done in that fashion. With IPv6, addresses are generally distributed by router advertisement. So the router pushes a router advertisement and says: “I am the router, everybody stop what you are doing and join my network now”. Everybody has to stop, make up an address and join the network. It’s a broadcast packet, although they say there is no broadcast in IPv6, but there is something called ‘multicast to all nodes’.
The difference between these things is still logical in nature, and I don’t intend to go into it. But the point is the router sends out one packet that goes to every node, and every node now has to join the network, which doesn’t seem that bad. Here is the router advertisement packet going to the ‘multicast to all nodes’ address ff02::1 and telling people what network to join (see image). The problem is you can send out a lot of router advertisements. And when you do, the poor target joins all these networks. That would be alright, except that Windows is extremely inefficient in doing that.
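The router advertisement flood described above has a simple detection signature on the wire: a legitimate router sends an RA (ICMPv6 type 134) to ff02::1 every few minutes, while a flood is many RAs per second, usually each announcing a different prefix. The example below is added here and is not code from the talk; it runs a one-second sliding window over constructed ICMPv6 records (timestamps, link-local sources and prefixes are made up, and the thresholds are assumptions a monitoring team would tune) and reports sources whose RA rate or prefix count exceeds the threshold.

```python
from collections import defaultdict

# Constructed ICMPv6 records: (timestamp_s, link_local_source, icmpv6_type, advertised_prefix).
# Type 134 = Router Advertisement, 135 = Neighbor Solicitation (included to show filtering).
SAMPLE_PACKETS = [
    (0.0, "fe80::1", 134, "2001:db8:1::/64"),            # real router, normal interval
    (5.0, "fe80::2", 135, None),                         # unrelated neighbour solicitation
    # twelve RAs from one source inside about half a second, each with a new prefix
    *[(10.0 + 0.05 * i, "fe80::bad", 134, f"2001:db8:ff{i:02x}::/64") for i in range(12)],
    (300.0, "fe80::1", 134, "2001:db8:1::/64"),          # real router again, 5 minutes later
]


def detect_ra_flood(packets, window=1.0, max_per_window=5, max_prefixes=10):
    """Return {source: stats} for sources whose Router Advertisements exceed
    `max_per_window` within any `window`-second span, or that announce more than
    `max_prefixes` distinct prefixes. Non-RA ICMPv6 traffic is ignored."""
    times_by_src = defaultdict(list)
    prefixes_by_src = defaultdict(set)
    for ts, src, icmp_type, prefix in packets:
        if icmp_type != 134:
            continue
        times_by_src[src].append(ts)
        prefixes_by_src[src].add(prefix)

    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        peak, left = 0, 0
        # Two-pointer sliding window: for each right endpoint, drop timestamps older than `window`.
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        n_prefixes = len(prefixes_by_src[src])
        if peak > max_per_window or n_prefixes > max_prefixes:
            flagged[src] = {"peak_per_window": peak, "distinct_prefixes": n_prefixes}
    return flagged


if __name__ == "__main__":
    print(detect_ra_flood(SAMPLE_PACKETS))
```

On the constructed capture only fe80::bad is reported (peak of 12 RAs in one window, 12 distinct prefixes); the real router's two RAs five minutes apart stay well under both thresholds. The detection is a signal, not a fix: the network-side control for this is RA Guard on access switches (RFC 6105), which drops router advertisements arriving on ports that should not have a router behind them.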
[1] RSnake (Robert “RSnake” Hansen) is the Chief Executive Officer of SecTheory, a web application and network security consulting firm. Robert is a co-author of the authoritative book “XSS Exploits: Cross Site Scripting Attacks and Defense”.
[2] IIS (Internet Information Services) is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows.
[3] Tor (short for ‘The onion router’) is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.
[4] DHCP (Dynamic Host Configuration Protocol) is a network configuration protocol for hosts on Internet Protocol (IP) networks. It provides a central database of devices that are connected to the network and eliminates duplicate resource assignments.