Conference DEFCON 19. Three generations of DoS-attacks (with the participation of the audience as victims). Part 1

Published on February 18, 2019

Conference DEFCON 19. Three generations of DoS-attacks (with the participation of the audience as victims). Part 1

https://www.youtube.com/watch?v=1EAnjZqXK9E
  • Transfer
My name is Sam Bone, I'm here to talk to you about DoS attacks, and you will help me with this. We'll talk a little about hacktivists who used such attacks, because I find them interesting. They clearly show how much damage you can do with various types of DoS attacks, while at the same time risking to go to prison.

In any case, it helps other people to sell security systems, and for me to motivate my students to learn how these attacks work and how to protect themselves from them. So today you will be my victims. Who of you brought with him a device that is not a pity to "kill"? One, two, three ... not much. Ryan has set up a wireless network to which no more than 40-50 devices can be connected, after which this network will be destroyed. I was sure that not many of those present would want their device to be “killed”. However, I believe that this attack can be used to kill every machine on DefCon. I will demonstrate the version of such an attack, which will be deadly for devices in this room, but will not affect connectivity in other rooms.

On this slide you see me, I teach hacking ethics, networking and computer security at San Francisco City College.



Here with me here are two invited. This is Matthew Prince, who is going to talk about his relationship with ALLSEC. I was very happy to meet him because we were both upset about how immoral, evil people help LulzSec.



I retweeted some of the ALLSEC tweets that pointed to instances of data theft that I thought were important, and he launched a service that they used to protect themselves from such attacks. Therefore, we will be interested to hear about this from Matthew himself.

My second guest is Ryan Carter. He built a network here and is going to use it to “kill” people who have expressed a desire to voluntarily expose themselves to a DoS attack, because through this we learn about several new vulnerabilities.



This is not a zero-day attack, I did not invent it, it has been known for many years and all because many device manufacturers do not fix their vulnerabilities. So if any of you have exotic devices, it would be interesting to subject them to this attack in order to find out how vulnerable they are.

So, here is the content of what I am going to show you. First I will talk about the history of the DoS attacks and the hackers who used it, then about the DDoS attack on the 4th, the OSI transport layer, in which thousands of attackers bring down one site, about the DoS attack on the 7th, application layer, when the hacker single-handedly brings down one or more servers and a router's local network DoS-attack, when one hacker brings down the entire network.

Last year, I told you that the version of Ipv6 will bring a lot of security problems, and that’s what happened. The sixth version of the Internet protocol is a “time warp” when a bunch of things developed in 1993 returned to our networks again, so the old hacker trick worked again. In fact, this is not a very old trick, but rather destructive, and I will show you how one hacker can kill all the machines running Windows on the same network. To do this, you need to send only a few packets per second.



Julian Assange, the head of Wikileaks, agitated everyone with information leakage by publishing about a thousand secret telegrams of the US government, and then posted a mysterious file encrypted with the AES-256 algorithm as a security on the BitTorrent network, so it cannot be decrypted without a key. Assange said that if he is put in prison or killed, he will publish this key, with which the world will be able to learn even more "terrible" secrets. However, despite the fact that Assange was detained in the UK and are preparing to deport to Sweden, the key has not yet been published.

The next slide shows the members of the Anonymous community, who are just tired of posting photos of cats on 4chan and decided to save the world using DoS. For them, it makes sense, but I think this behavior is meaningless.



In general, they began to attack everyone they hated, and started with Scientologists, so that it is very easy to hate Scientologists. Then they took on other people and eventually attacked HB Gary Federal. This guy, Aaron Barr, was supposed to be here, but three days ago he was given a court order forbidding him to participate in the DefCon discussion and tell what actually happened there.

Barra was contractually involved in computer security for government companies when Aaron announced that he was able to find people working with LulzSec and exposed them by correlating their accounts on Twitter and Facebook. Therefore, hackers decided to punish him, which turned out to be an unusually easy task.

The Anonymous community usually uses primitive hacking tools, but the more skilled part of this community has been able to join forces against HB Gary Federal. In order to bring down their website, they used SQL injection and captured an email server. Then they sent a fake letter as if on behalf of the owner of the company with a request to change the login and password and disable the firewall. It worked, after which Anonymous got into the server, took out emails from there and published them on the Internet.

These guys, who later performed as LulzSec, did what any sane person usually asks not to do, and then laughed at what they did. They published the stolen mail - it's funny, they put confidential information about the state of people's health into the network, causing them harm - it's funny again. They found a lot of real dirt in the company's correspondence and published it, because they really decided to tweak HBGary with a serious disgusting thing.



Then Anonymous decided to attack the US Chamber of Commerce, using the Drupal exploit, which is more advanced in a technical sense than the primitive attack tools that this community usually used.

Consider the attack haktivista Th3j35t3r, known under the nickname The Jester (Jester), on the site Wikileaks. This is a demonstration of a powerful attack on OSI level 7, although no one knows what exactly this attack does, it is really secret. Jester announces his attacks on Twitter, discusses them on his blog and shows live on irc.2600.net.

People who were attacked by Jester retained the packet logs, based on which we can conclude that Slowloris was used in this case - an attack with some variations. We can say that he belongs to the right wing of the same movement, the left wing of which is represented by the groups Anonymous and LulzSec. He is probably a former military man, since he tried to strike back those whose actions he regarded as a threat to the lives of American soldiers, in this case Julian Assange, and the recruitment sites of Islamic jihadists. He brought down their sites with his tools and tweeted it.



Anyone could communicate with him, and I spoke with him, he has no partners, unlike LulzSec. This is probably why he hasn’t been caught yet, and he also understands the security of military operations, which LulzSec didn’t learn.

In any case, he alone managed more than a day to disable the site Wikileaks. I talked to him in the IRC chat, and he said: “I am going to stop the attack,” and the attack immediately ceased. Then he said: “Now I will launch it again!”, And the attack resumed. This convinced me that he really controls this attack and this is his business. This slide shows the progress of the attack on Wikileaks, which he carried out alone without a botnet. The attack, which lasted just over 30 minutes, disabled the site for 1 day 3 hours 50 minutes.



After that, Jester decided to fight Anonymous, because those did not like the attacks on Wikileaks. He stated that he was going to introduce the Trojan into the Anonymus tools and capture them from the inside. Jester focused on the fight that ensued between him, Anonymous and LulzSec last year, when they started to “blast” each other with various tricks, including DoS.

Then Jester turned against the guys from the Westboro Baptist church. These guys are also very easy to dislike because of their pathological hatred of homosexuals and LBHT community.



To demonstrate their hatred, they choose a funeral and simply ask for someone to go to them in their faces. Jester brought down 4 of their sites with the help of a regular 3G phone for 2 whole months, and I have no doubt about that, because I know that I can do it myself, and my students could do it, just like any of you. Attack Slowloris runs on Windows, so it is not difficult to implement.

So, the most advanced part of LulzSec continued to hack everyone and in the end they published a phone on which you could call and order them to hack who you want. They hacked into the US Senate, FBI, NATO, and British government sites; they published the contents of the database of consulting firm Booz Allen Hamilton. It made me mad when they hacked into the Arizona Police Server, because it was a very significant blow - they published their names, password hashes and logins, emails. I was outraged when they published hashes with 50 thousand Booz Allen Hamilton passwords, half of which were cracked the next day.

The data of the highest military leadership were in free access, and anyone could use their passwords and logins. They brought down some gaming sites that I hadn’t even heard of, and then posted on lulzsecurity.com a list of their victims and gave links to data stolen from them.



Then they hacked into the PBS non-commercial television service website and posted all sorts of nonsense. Anyway, now they are caught. On June 21, 2011, Ryan Cleary, who was on the periphery of LulzSec, was arrested, and on July 19 in London, the head of this hacker organization was detained. Just a few days ago, on July 27, the Topiary hacker was arrested. So in reality, these hackers are just British teenagers who did dirty work as soon as they broke out of their own home, and their goal was to make people laugh for the sake of laughter. I wonder what makes them do this kind of thing. I am sure this is because they are just young and stupid, which is why they think that you can attack any government site for fun.

By the way, Jester and Sabu both said on Twitter that they visited here yesterday and were in the pool of this hotel, where DefCon is held. I doubt it, but who knows what risks these guys are capable of. Sabu, the main man in LulzSec, is still at large, and is supposed to be about to be captured, because all his accomplices are already arrested. As is usually the case, it is worth arresting one, and he will hand over everyone else, because they are not too strong in providing operational security.



In any case, the DoS attack on the 4th level of the OSI model is one of the simplest attacks when multiple attackers attack the same target. This is what was used to “bring down” MasterCard and Visa, but the hackers couldn’t damage Amazon in the same way, although Anonymus tried to do it.

The MasterCard attack was a protest that united many people. This method of attack, produced by the hacker tool Low Orbit Ion Canon, requires the participation of many computers, 3000 or maybe even 30,000 intruders, their exact number is not known.



They were able to disable the site of this payment system for 1 day, 13 hours and 23 minutes.



This is one of the types of attacks that Kaspersky spoke about in his May 21 interview. He was asked how many compromised machines it would take to completely sever South Africa from the Internet, and he replied that this would require hundreds of thousands of infected computers. But I know that this is not true, for this you need only one 3G mobile phone. Apparently, Kaspersky was not referring to such an attack, he was thinking about an attack on OSI level 4, where thousands of machines are aimed at destroying one common goal. For this, it is enough that many users press the F5 key repeatedly, refreshing the browser page, and thereby overload with requests a specific site. This is one of the most primitive DoS attacks.

One of the most powerful types of DoS attacks on the 7th level of the OSI model is an attack using the Slowloris software written by Robert "RSnake" Hansen a couple of years ago. There were many versions of this software, the essence of which is that one computer sends many incomplete GET requests to the web server, trying to keep the connection open as long as possible.

The server is forced to process them and, ultimately, it is simply “muffled” by all these requests. A request to retrieve a page from the server is an HTTP header that looks like 2nd or 3rd level information. This slide shows several lines, and you send only a portion of these lines to the server and never send the rest. At the same time, the server thinks that you are in some kind of unreliable network, so your packets were fragmented, and since it has the first half, it considers that the second half of the request is still going and continues to wait for it, without closing the connection.



Thus, the server "freezes" all incoming connections, and this is a very powerful attack that actually disables it from the rest of the Internet. I'll show it to you in a couple of minutes.

Slowloris "freezes" all available incoming lines, and in order to kill the Apache server, you just need to send about one packet per second.



Another tool for DoS attacks called RU-Dead-Yet is similar to Slowloris, but uses incomplete HTTP POST and sending long message fields to the server. This stops IIS, but requires thousands of packets per second.



A DoS attack using the Keep-Alive mode allows you to send 100 requests in one connection. It is not as powerful as Slowloris, but it is another effective way to completely load the server with requests.



In many attacks, Jester allegedly adheres to such principles: he acts through Tor to hide the address of the source of the attack, no one knows exactly what he is doing, and his DoS attacks are directed to the 7th level. In doing so, he uses his own tool called XerXes, whose graphical interface is similar to Linux.



One of the most important properties of DoS attacks on the 7th level is that if you can run them through the anonymizer, you will not go to jail. Low Orbit Ion Canon does not use this function, because it has to send a lot of traffic from you to the other end of the network, but if you try to launch it through Tor, you will simply drown your own attack. In addition, such an attack is capable of bringing Tor down, because it acts as a flamethrower, burning everything that is located by you and the target.

The attack on the 7th level acts as a guided rocket - it simply sends a few packets that will not harm you when you get to the server but make it unavailable. Therefore, such an attack can be launched through the anonymizer. At the same time, the victim will not only be able to determine where the attack is coming from, but also will not be able to defend himself using firewall rules, because the firewall is looking for one source address, and in this case, the packets come from different addresses.

If you block all Tor output nodes, and that’s what you should do, it will prevent Tor from using the Tor network and they will look for something else, like a botnet of hacked machines. In any case, XerXes starts working through an anonymous Asian network and “knocks down” the target, after which Jester publishes another tweet called “TANGO DOWN”. For the first time this tool appeared about two years ago.

Another type of DoS attack is Link-Local DoS, which uses the new Internet Protocol IPv6. If you have a version of any modern Linux, Vista, Windows 7 or Windows XP operating system, then you enable IPv6, which is not used by default, because all domain servers, DNS servers or mail servers use IPv6, whether you like it or not . But if you follow your own rules, then disable it like any other unwanted service that you do not use, which will allow you to "kill" the attack.



If you are not so strange a person to use a static IP address, and most people do not use it, then using IPv4, your computer asks for a DHCP server through a router to give it an IP address. The server responds: “OK, use this IP here”, making sure that no one else uses this address, and that’s it. There is no more traffic between the computer and DHCP until the computer is restarted or turned off, and this can be quite a long time. A brief summary of this process: I need an IP - I get an IP.

However, the IPv6 protocol works differently - here a router participates in the distribution of addresses, which advertises itself with the appeal “I am a router! Well, drop all your business and immediately join my network! ”, After which all computers respond, get IP addresses and connect to the network. Broadband broadcasts are taking place here, although picky people will notice that this is not quite the case - in this protocol broadband broadcasts are called multicast. There is no broadband, multicast is used instead, when there is one source and several recipients. That is, the router sends one packet to all nodes, thanks to which each node connects to the network.



This seems to be nothing bad. The next slide shows the advertising package of the router, sent to each node of the network, with which it informs people which network they should join.



The problem is that you can send a lot of ads to the router, and when the targets connect to the network, everything seems to be fine, except that Windows does it extremely inefficiently. So let me show you some of these attacks, which are called “Flooded router announcements,” or RA Flood.



For this, I need to install several virtual machines, as I do in the classroom with my students. I use virtual machines to create an isolated network.

So let's start with an old-fashioned attack. I have here a distribution of Back Track 5 for Linux machines, working as a web server, so if I go to localhost and update this page with a picture of a cat, everything looks fine.



But if you run this page, you will see the status of your server. Now I will try to turn off all unnecessary to save space on the screen.



So, this is the Apache server status page, at the bottom of which is the current connection status. We see that the server is waiting for one connection, and the remaining 9 are also available.



This server can process requests from hundreds of people who view this web page, so if I go to it and update it, and then return to the status page, I’ll see that we now have several active connections and 7 more available. So let's try to attack this poor Linux machine from a Windows machine. Let's start with old-fashioned things and use the Low Orbit Ion Canon tool, which bad people use as a short way to jail.

I need to insert an IP address here, and I type http: // 192.168.198.173 in the address bar, I hope I remember it correctly. So, our attack is on, and I need more screen space. Something is not very successful, which is why I do not like virtual machines, although I have to use them. Now I will refresh the page, I think it will work. The process is rather slow and you need to get used to it. You see that the IP address has finally appeared in the target window of our hacker tool. With it, I can perform various types of attacks.



Unfortunately, I don’t see the scroll bar, so I’ll have to go to full screen mode. I use the HTTP request as a method, and now I need to get to the “Fire!” Button and make a “shot” from our low-orbit laser gun. Now all requests are addressed to my unfortunate virtual machine, I refresh the page, and you see a whole bunch of connections - 49 requests are processed, 0 are free. After each page refresh, the number of calls to the server increases and gradually reaches 141.

What is happening now is complete connections. The server connects, downloads this small web page, and then waits for a timeout. So, this thing fills all possible connections, and the web server becomes unavailable. But she does this very poorly, because each connection is completed normally, linking the server for just a few seconds.



Now let me go back to my virtual machine and use the more powerful attack tool - Slowloris. I have a really small Windows version of this exploit. Now we do not need such a large window. I am typing the IP address of our target in this line, and now we are all set to launch the attack.



If you go back to our server and refresh the page, you can see that it is back to normal, I don’t attack it, so we only have one connection open. So, I click on the “Launch Attack” button, update the server page, and you can see how the query string is filled with R characters - these are incoming requests, each of which waits for 400 seconds by default. Thus, you do not need to send too many such requests to fill all incoming connections with requests and cause a denial of service. This is what the Slowloris attack represents, the HTTP POST attack is very similar to it, and both of these attacks are powerful and dangerous enough.

If I stop the Slowloris attack, the server will very quickly recover its performance. I don’t know why requests didn’t take 400 seconds, it’s possible that the default timing in Apache on Back Track 5 is different from what I think of it. In any case, now that I've shown you how to kill Linux or Windows, let's go the other way and try a more powerful attack. Close all these windows to show you the evil that is about to happen.

So, I will go to the console and ask me to show me the configuration of this computer. This is a regular Windows machine, and I have set a static IPv6 IP address here in the 2: 2 range, it also has its IP address using the IPv4 protocol.



In fact, nothing has happened here yet. I will call the task manager window, because this is an interesting way to see the damage that will be caused to the computer by this attack. You can see that the CPU usage is 0%. Now I’ll try to send IPv6 packets to my machine, but before that I’ll create a fake router number 6. I’m using the THC IPv6 attack suite, developed by van Hauser from THC. Next, I type in the eth1 line and am going to send it to the network def: cO :: / 64. I press "Enter", and the router sends some packages advertising this network.



There is no need to wait for anything anymore - all devices on this network will connect to my fake router, and now you see that the computer settings have changed - now the IPv6 IP address starts in the def: cO range.



That is, I add a router that declares its prefix, everyone joins it, and the game is over. But if I send a bunch of unwanted packets at a speed of several hundred per second, you will see that the computer's processor hangs under a load of 100% for a long, long time.

(audience applause)



24:00 min.

Conference DEFCON 19. Three generations of DoS attacks (with audience participation as victims). Part 2


Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until spring for free if you pay for a period of six months, you can order here .

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?