August 31, 2006

ISSA – DoS Article

Category: Security Article Reviews — Raffael Marty @ 1:31 am

Finally I am travelling again. This also means that I have some time to read through the stack of security magazines that are piling up on my desk. It was getting a bit scary to think about reading through all these magazines. But somehow I was looking forward to the ISSA magazine. I kind of new that there would be something to critizise… And here we go:

There is an article in the June 2006 issue about “Denial of Service Attacks: Should it Mean Denial of Service?” I guess it is due to the fact that I am not a native English speaker, but this title does not really make sense to me.

Anyways. Let’s see what we can learn about DoS attacks. The first thing that stroke me is that the author mentions that

  • “… how firewalls help prevent denial of service under DoS/DDoS attacks”. I guess it depends on how someone defines DoS (which the author does later in the article), but in general a resource consumption DoS (don’t ditch me for not using correct DoS categories, I quite frankly have not seen a good taxonomy that I could reference) cannot be stopped by a firewall. Never! Unless you deploy it on an ISP level, but that’s a whole different story. And even if you talk about other DoS attacks which attack specific services and kill them (by for example exploiting some vulnerability), how do you make sure that you block the attack and not legitimate customers? I guess I am moving way too fast, the author promises to give us an answer in the article. Unfortunately he really fails to do so. He mentions packet filters at some point, but does not at all tell us how he would really mitigate a DoS attack. Bummer.
  • Did I just say that I had no real taxonomy for DoS attacks ready? Well, the author fills that gap right away. But be warned. I don’t like the taxonomy at all. Actually, this gets me going off topic. But have you every read up on taxonomies and how they are defined? Do it. It’s really interesting. Please, don’t call your attempt to come up with some kind of a categorization a taxonomy. It’s plain wrong! A taxonomy is a beautiful mathematical construct that has certain well-defined properties! Honor that fact! Please! What we have here is definitely no taxonomy, but let’s leave it at that.

    The first category the author mentions is by traffic type. “Legitimate traffic flood” – okay. I like that. But! The examples given don’t fall into this category at all: UDP floods – okay. Maybe. What’s the last time you have seen an application using UDP? I thought we were in the age of Web2.0? Then ICMP floods. Hmm… Since when are your applications running over ICMP? Interesting. Maybe Kaminski is tunneling something again *gins*. Certainly no legitimate traffic! Then SYN floods. Okay. If we stretch legitimate traffic, that might be okay. Why don’t you just mention someone with a huge pipe making legitimate Web requests on your Web application? That would do it!
    The next Traffic Type the author mentions is “Malicious traffic flood”. Why is this defined as “These packets carry malicious content and may be self-propagating.” Interesting. The packets are self-propagating? Like source-routed? Just kidding.

    Next category: I love the title: “Attack Intent”. How do you possibly know what the intent of an attack is? Maybe I am just playing around and hit you by accident. How does that traffic look different from a targeted attack? So you know what my intent was? I doubt it! Anyways; here comes the same entry again that we just had: “Bandwidth depletion” how is that different from traffic floods? And why would smurf-attacks, fraggles, UDP floods (note that we already had this example in another category) and ping floods. Somehow I don’t really need any of these “sophisticated” attacks to consume all your bandwidth.

    Here goes another nice one: Category: “Exploitation Type”: Network-based. Hmm… “These attacks exploit the limitations of the network under attack and can be controlled by the use of firewalls…” Really? How come you can still accept legitimate traffic if your uplink is saturated? And then: “NAT techniques can be used to isolate and secure corporate internal networks”. How does that have anything to do with DoS attacks? Wow…

  • Makes me curious how the author is going to talk about the “DoS Attacks in Detail”. It’s going to be fun, I bet!
    The first pretty interesting statemenet about the details is who launches DoS attacks: “… irresponsible, unethical people with destructive intentions.” Really? Have you heard of commercial interests? Irresponsible? Why? Unethical? Maybe. But let’s move on. “The goal of the attackers is to exploit vulnerabilities in victim systems …” What? Why would that be the goal? The goal would be to rob someone of the ability to conduct business. Or to use his resources.

    We are slowly getting down in the protocol stack to talk about the really important details. The networking details of the attack. That’s going to be fun! First clue that the author really knows his networking: “The attacker typically employs TCP, UDP or ICMP protocols to launch the attack”. On the transport layer, what other protocols have you used lately? I don’t know many more…
    “ICMP Unreachable Flood”: Maybe the author should read up on this again. Why would I flood someone with ICMP unreachable messages (by the way, did you know there were two types of unreachables? Host and Port?) And why would I spoof the source IP? Did you mean I send spoofed UDP packets to closed ports and the spoofed source address is the one of the victim? Try that!
    Hang in there, the best is still to come!

    “This instructs the routers to send the messages to all IP addresses”. Do you know how broadcast works? Yes? How many packets are sent if I want to send something to all 254 hosts of a C class? One! All machines are instructed to read the packtes! There are NOT 254 (and certainly not 255) packets!
    But here comes the gem: Under Fraggle Attacks: “It is different from smurf attacks in that the packets are UDP ECHO packets instead of ICMP ECHO packets.” Do you find the mistake? UDP ECHO? Wow. Where did you acquire your TCP/IP skills? Especially the fact that the author mentions the chargen attack as a specific item. That’s the same my friend. It’s UDP packets, but they are going to the chargen/echo service…
    “PUSH+ACK attacks”. What? This is getting better and better. Maybe I should read Stevenson’s books again. Gosh. Has anyone tried what the author suggests about hijacking sessions and stuff? I don’t think he has heard of TCP sequence numbers and issues like that. Uiuiui… The same problem with “TCP reset floods”!

    And talking about “Ping of Death and ECHO/Chargen” attacks in 2006 is kind of interesting. Okay. I heard that Vista was vulnerable to the PoD attack; But a Chargen attack? Dude, in what century do you live?
    Here comes the attack for 2006: “Packet Header Scrambling”. The author suggests to set all the QoS bits. Hmm… Interesting. Have you tried this?

    I really advise the authors to do some more research before they write about a certian topic and even more so the magazines should not accept every article they get. Has anyone proof-read this before it was published?

    I thought that was it, but the article continues with suggestions on countermeasures…

    Maybe there are some interesting methods mentioned here. I love this countermeasure: “MIB Statistics”. How the heck is this a countermeasure? Oh sorry, it’s under the topic of ‘prevention of seconday victims’. Right!

    Mitigation of DoS attacks via Load Balancing? Throttling? Dropping requests? Auch… Again, maybe on the ISP level.

    “Other Measures”: Honeypots! Interesting. So HoneyPots as a countermeasure to DoS attacks. Why not. But how? Well, by doing traffic analysis (isn’t that too late already?) or by packet tracing (at least you know what IP attacked you) or by replaying traffic (to generate some more load on my systems?)

    And if you should not know what an IDS is: “Intrusion Detection/Prevention systems are configured to baseline regular traffic and detect anomalies based off the normal traffic flow”. I really wish they did! Wouldn’t that be nice! And which IDS does that?

    1 Comment »

    1. Yeah, the DDoS paper was truly one of the dumbest I’ve read for a looong time…

      Comment by Anton Chuvakin — September 5, 2006 @ 3:51 pm

    RSS feed for comments on this post. | TrackBack URI

    Leave a comment

    XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .