UNIX and NT DoS/DDoS

• IP fragmentation overlap: IP packets may need to be broken in parts (fragments) in route and put together by the destination OS which may have a flaw:

  • teardrop (Linux), syndrop.c, boink.c (Windows)
  • countermeasures: Linux kernels 2.0 and above, NT use SP6a.

• Stream and raped attacks (UNIX/NT): resource starvation, making the CPU run up to 100%, preventing access to the NET and stopping/slowing other jobs

  • stream.c: sends TCP Ack packets to a series of ports with random sequence numbers and random source IP addresses
  • raped.c attacks: sends TCP Ack packets with spoofed IP addresses
  • countermeasures: in practice, none (unless you can change your IP address).

• DDoS attacks: first attacks in February of 200 --> Yahoo, E*TRADE, eBay, Buy.com, CNN.com, etc. Attacks have three stages:

  • attack systems and gain administration privileges (hunting grounds: @Home, DSL providers, etc).
  • Upload DDoS software (server) in the slaves (zombies) and run it (listen).
  • When there are enough slaves command them to attack victim.
• Examples: GRC.COM: a case example and press coverage of other attacks.

Previous slide

Next slide

Back to first slide

View graphic version