Babel, DDoS of Biblical proportions

By Floydman,
Bachelor in Computer Sciences
[email protected]
[email protected]
August 10th, 2000

You can distribute this document freely, as long as no changes are made to the file and as long as nobody else claims credit for it.  All comments and suggestions about the material presented here should be directed at [email protected].  If future versions of this document include add-ons coming from people other than me, then proper credit to the various authors will be clearly identified.  All version updates of this document are to be released by me.

You can find it online at http://www.geocities.com/floydian_99/

Abstract

The goal of this paper is to present the concepts that can (and most probably will) be used in the near future to perpetrate a distributed denial of service attack of such proportions that the attacks Mafiaboy is accused of will seem like a drop of water in the ocean.  I have called such a potential attack Babel, after the tower of the same name found in the Bible.  The book has it that the creation of languages was a punishment from God to men, who was irate that men would try to reach the sky with the tower of Babel.  The result was confusion among mankind, preventing them from collaborating on such grandiose projects in the future.


Preface

Things have never been perfect on the Internet, but way back then (before the Internet went commercial), it still wasn't so bad.  The only major outbreak I can remember from the "old days" is the Morris worm, and even then, it's because I read about it; I didn't find that much information from this era concerning major outbreaks.  And back then, "major" meant maybe 2000-3000 Unix machines; nothing compared to today's viruses like Melissa and I Love You.  Another popular trend amongst Internet vandals is denial of service attacks.  In this paper, I will present several ways someone can combine virus techniques and denial of service attacks in order to create the biggest threat on the Internet, a traffic storm that could paralyze the Internet for days, maybe even weeks.  Who knows, maybe forever?

Targeted audience

This document is presented to anyone who has an interest in computer security, denial of service attacks, viruses and Trojan horses, networking and computing in general.

Table of contents

1. Internet, the past 5 years
2. Some quick talk about viruses
3. Some quick talk about DoS and DDoS
4. Adding things up
5. Analysis of a Babel attack: potential Internet collapse
6. Can it be cured?
7. In conclusion

1. Internet, the past 5 years

For most of its existence, the Internet was used primarily by schools and government agencies as a way to share information.  Then, several things happened in quite a short period of time, which all combined together and resulted in a dramatic change of the Internet's structure; it became commercial.  The emergence of HTTP and the web browser, breakthroughs in bandwidth technology, increases in processing power and slashes in price, combined with the global position Microsoft achieved on the market with its line of products, have probably made the Internet the next Babel tower.  Before, the Internet was a few thousand Unix boxes, administered by computer professionals.  Today, it has been invaded by millions of PC based machines running some flavor of Microsoft Windows, and anybody can have access to one.  These machines come mainly from companies, where employees have Internet access, or from cable and DSL ISP customers (I omitted dial-up because of negligible bandwidth, but they are part of the problem also).  These employees and customers, for the most part, barely know enough to power their computer up and send e-mail, yet they have machines that are far more powerful in their hands.  This is the Achilles' heel of the Internet.

2. Some quick talk about viruses

First, if you haven't already done so, I recommend that you read one of my previous papers, "Virus prevention in a Microsoft network, or How to stand a chance".  There I discuss what a virus detection scheme should look like in order to be effective in a networked environment.  This goes far beyond just saying "keep your antivirus up to date"; it is more specifically about the many ways to get this done, along with optimized configuration and information gathering, all done remotely.  I also explain how such a setup saved my hide when I had a close encounter with WormExplorerZip.  A must read for all NT admins and support personnel.

If you've read my paper, you know that I strongly suggest that everyone stop using any version of Outlook (Express).  For the past year or two, most new viruses have been specifically designed to exploit flaws in Outlook, achieving outbreaks of proportions never seen before.  That means that unless a virus also has a local payload, if you're not using Outlook, you're immune, even without any antivirus software!  So, if it's so easy to protect yourself from it, then why are millions of computers infected every time?  Simple: they didn't learn their lesson and they're still using it.  The day after I published my paper, the following article was published at www.herald.co.nz (reproduced here at http://www.geocities.com/floydian_99/news1.html).  It's about a new vulnerability in Outlook Express that enables e-mail viruses to be activated without anyone even reading the mail, much less executing attachments.  So this means that even if you practice safe computing, you're not safe enough if you're using Outlook Express.  Convinced yet?

And never forget that no antivirus software can effectively catch a never-seen-before virus.  Not until the next update...

3. Some quick talk about DoS and DDoS

Denial of Service attacks are rather simple, but I'd still like to elaborate a bit on the subject.  A typical DoS attack is made when a computer sends packets to a victim machine in order to disrupt the service provided by the victim.  The attack could rely on specially formed packets that cause undesirable effects on the victim (100% CPU usage, OS crash, etc.), or simply flood the victim with packets in order to dramatically reduce the bandwidth available to the victim, making it harder to reach for valid requests.

In order to achieve better results with the second option, the attacker will benefit if he uses more than one machine to bombard the victim(s).  This is Distributed Denial of Service.  I don't have actual experience of using DoS tools, but in order to understand how these tools work, I read "The "stacheldraht" distributed denial of service attack tool" by David Dittrich ([email protected]).  Here is an excerpt from his paper:

-----
The stacheldraht network is made up of one or more handler programs
("mserv.c") and a large set of agents ("leaf/td.c").  The attacker uses
an encrypting "telnet alike" program to connect to and communicate
with the handlers ("telnetc/client.c").  A stacheldraht network would
look like this:

                   +--------+             +--------+
                   | client |             | client |
                   +--------+             +--------+
                       |                      |
        . . . --+------+---------------+------+----------------+-- . . .
                |                      |                       |
                |                      |                       |
          +-----------+          +-----------+           +-----------+
          |  handler  |          |  handler  |           |  handler  |
          +-----------+          +-----------+           +-----------+
                |                      |                       |
                |                      |                       |
. . . ---+------+-----+------------+---+--------+------------+-+-- . . .
         |            |            |            |            |
         |            |            |            |            |
     +-------+    +-------+    +-------+    +-------+    +-------+
     | agent |    | agent |    | agent |    | agent |    | agent |
     +-------+    +-------+    +-------+    +-------+    +-------+
-----

In short, what David Dittrich explains in his paper is that the attacker connects to his "handlers" (or masters) through one or more "telnet-like" clients.  He then configures the handlers with their assigned lists of targets and agents (or slaves).  The handlers then send the list of targets to their assigned agents, and forward any command sent by the attacker to the agents (add IP to list, remove IP from list, start or stop the DoS attack, etc.).  It is the agents that bombard the victims' sites with network packets.  Of course, handlers and agents are compromised machines.

I know Denial of Service attacks are lame, and that they are mostly used by script kiddies.  This is exactly why I'm surprised to see so much interoperability and sophistication in such a tool; I would have thought it was simpler.

I will tell you how simple, and "efficient" it could be.

4. Adding things up

It's pretty easy to see where I'm going from here.  First, I want to point out that I did not invent any of the techniques described in this paper; I am only putting some already existing pieces together.  If I didn't think of it, somebody else would.

So, let's design our Babel virus/DoS.  There are two things to think about when designing a virus: propagation and payload.  Let's look at payload first; it should be quite obvious.  It's a DoS tool (either an existing tool, or a new one, or simply the ping command sent repeatedly).  Depending on the propagation strategy an attacker chooses (more on that later), he may want the payload to be activated on a certain date and time, or to be activated at infection time.  If the attacker wants to really play dirty and make a big name for himself, he will choose big, well-known commercial sites.  Banks, credit card companies, TV and newspaper websites, software publishers, government websites...  He will probably target several of them, maybe 30, 50, 100, 1000, maybe more?  Or he could let chaos rule by attacking random addresses, but I don't really like this scenario.  And let's not forget to DoS the sites from which the cure is most likely to come: antivirus vendors, CERT and the like.

Now, let's look at propagation.  There are two approaches an attacker might take, depending on the results he wants to achieve.  Let's examine the first one.  He creates some gimmicky software that will serve as a vessel for our payload (a Trojan Horse).  He then relies on the gimmicky software making it to desktops, every new recipient finding it worthy to share with his friends.  This model has worked in the past, and the most blatant example of a virus of this kind actually contains no code at all: the virus hoax.  Word of mouth is very effective on the Internet.  All he has to do is to make sure that the vessel is attractive enough (why not a joke-a-day program that delivers a joke pulled from a big text file?).  In this form of propagation, the attacker will want to set the attack at a predetermined date and time (forget reaching them remotely like stacheldraht does; there'll be too many of them, and besides, you don't know where to reach them).  So the attacker sends an e-mail to his friends, with his little "gift" attached, and waits for the 2 or 3 months of dormancy to pass.  If he's bright, he'll try to cover his tracks by forging the e-mail header to include FW: information with a few e-mail addresses thrown in for good measure, as if the trojan came from somewhere else and he just passed it along unknowingly.  The dormancy period should also help to cover tracks (but he must refrain from taking credit for the joke-a-day program;-).  The disadvantage of this option is that if an infected computer has the wrong date and time, the attack can be launched prematurely from this machine, potentially giving the attack away.  The upside is that this solution is e-mail client independent.

The other way to propagate our payload is more efficient, and relies more on technology than on social engineering.  Let's use the good old Outlook way!  This is the model I will use in the next chapter for the Babel attack.  So, the attacker will craft some code that exploits the hole-du-jour in Outlook mail clients in order to launch automatically, and to send itself to as many addresses as it can from the address book.  And then start DoSing.  In this case, the attacker should make sure to use an anonymous mail service, or else he is going to be tracked down as the source.  This should result in the biggest DDoS attack ever performed on the Internet to this day.

5. Analysis of a Babel attack: potential Internet collapse

Here is what a real-life Babel attack could look like: it would propagate using Outlook and Outlook Express vulnerabilities to send itself to the addresses contained in the address book, in a way similar to Melissa, ExploreZip and I Love You.  I couldn't get numbers for the other two, but CERT (www.cert.org) estimates that 500 000 computers were infected with I Love You within the first four days of the virus's life.  Quite impressive, but I'm sure that can be surpassed.  I have been to several job interviews lately, and I know that several companies plan to keep using Outlook or to switch to it.  All that computer base available for Denial of Service.  Let the show begin!

-----
SeaNN.com News website
02/30/2001
A sad day for Internet users across America.  Computer experts have reported a new virus outbreak dubbed "fuckyou.com" that spreads via Microsoft's e-mail clients Outlook and Outlook Express, officials said today.  This virus performs denial-of-service type attacks against a variety of major websites all over the Internet, amongst them yours truly SeaNN.com, which means that nobody can actually read this article, but we keep publishing anyway, always in the desire to better serve our audience.  Also caught in the drift: online banks and e-commerce websites.  After the Barcklay scandal last year, and this attack, some major banks have decided to retire, at least for the moment, their online activities.  As for e-commerce, loss of revenue is estimated at over 50 billion dollars, according to a report from Toilette et Douche consulting.  A cure is now available at major antivirus vendors' websites, but it seems they have some difficulty distributing the patch effectively due to the high traffic caused by the DDoS attack.

To see this story in full streaming audio and video, click here.
------

This would actually cause a denial-of-service of such proportions that it would be almost impossible to get rid of it.  There is strength in numbers.  With such a computer base available for attack, I can hardly imagine any valid data making it to its destination for at least a couple of days.  That will also mean that the Internet will be an unreachable medium (at least for quite a while) for distributing information and fixes about this outbreak.  People will have to rely on traditional media to do so, and these are not always quite accurate when it comes to dealing with technology.  Second, as the fix becomes more and more available and distributed, the attack will still go on until the last infected machine is cleaned or disconnected.  Another aspect of the attack is that it's impossible for victims to block incoming DoS packets based on the source address at the firewall, because that would also block a lot of potentially valid traffic.  They will have to rely on packet fingerprinting, unless the DoS tool uses randomness in the packet generation.  Also, victims could try to change the IP addresses of their machines, but this would fail if the packets are sent to www.companyname.com rather than 12x.x4x.55.xx.  Besides, once the first attack is done, there will probably be variants that will take care of re-emerged victims.  In short, it will be quite a mess.
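The flooding model from section 3 and the defender's dilemma just described (blocking by source address discards the traffic of the very same hosts, packet fingerprinting works only while the flood has a constant shape) can be made concrete with a small simulation. The following is an added example written for this edit; it is not code from the paper and it does not model any real tool. The flow records, the victim address 10.0.0.80 and the source hosts in the 192.0.2.0/24 documentation range are all constructed for the illustration, and the `(length, ttl)` pair used as a "fingerprint" is simply an assumed stand-in for whatever fixed attributes a flood might carry.

```python
"""Constructed simulation of DDoS filtering trade-offs (added example, not from the paper)."""
import random
from collections import Counter, defaultdict

VICTIM = "10.0.0.80"  # constructed victim address

# A flow record is (src, dst, length, ttl, kind); `kind` is ground truth the
# defender never sees and is used only to score the filters.


def make_traffic(n_hosts=200, randomize=False, seed=7):
    """Build constructed traffic to the victim.

    Every host sends two ordinary requests.  Every second host is "infected"
    and additionally sends 50 flood packets.  With randomize=False the flood
    packets share one constant (length, ttl) shape; with randomize=True the
    tool varies both, as the text warns it might.
    """
    rng = random.Random(seed)
    records = []
    for i in range(n_hosts):
        src = f"192.0.2.{i % 254 + 1}"
        for _ in range(2):  # legitimate traffic: varied size, a few plausible TTLs
            records.append((src, VICTIM, rng.randint(200, 1400), rng.choice([58, 120, 250]), "legit"))
        if i % 2 == 0:      # infected host: legitimate user *and* flood source
            for _ in range(50):
                if randomize:
                    length, ttl = rng.randint(40, 1500), rng.randint(30, 254)
                else:
                    length, ttl = 1024, 255
                records.append((src, VICTIM, length, ttl, "flood"))
    return records


def flood_indicator(records):
    """Per destination: (packet count, distinct sources).

    A distributed flood shows up as a high packet count spread over many
    sources, which is exactly what makes per-source blocking unattractive.
    """
    pkts = Counter(r[1] for r in records)
    srcs = defaultdict(set)
    for r in records:
        srcs[r[1]].add(r[0])
    return {dst: (pkts[dst], len(srcs[dst])) for dst in pkts}


def _drop_fractions(records, dropped):
    """Fraction of flood and of legitimate packets caught by a filter."""
    flood = [r for r in records if r[4] == "flood"]
    legit = [r for r in records if r[4] == "legit"]
    return (sum(1 for r in flood if dropped(r)) / len(flood),
            sum(1 for r in legit if dropped(r)) / len(legit))


def source_block_collateral(records, threshold=10):
    """Block any source that sent more than `threshold` packets.

    Returns (flood dropped, legit dropped).  Because the flooding hosts are
    also real users, their legitimate requests are lost along with the flood.
    """
    per_src = Counter(r[0] for r in records)
    blocked = {s for s, c in per_src.items() if c > threshold}
    return _drop_fractions(records, lambda r: r[0] in blocked)


def learn_fingerprint(records, min_share=0.5):
    """Return the dominant (length, ttl) shape, or None if no single shape
    accounts for at least `min_share` of the traffic (randomized flood)."""
    shapes = Counter((r[2], r[3]) for r in records)
    (shape, n), = shapes.most_common(1)
    return shape if n / len(records) >= min_share else None


def fingerprint_collateral(records, shape):
    """Drop only packets matching the learned shape; returns (flood dropped, legit dropped)."""
    return _drop_fractions(records, lambda r: (r[2], r[3]) == shape)


if __name__ == "__main__":
    constant = make_traffic()
    print("victim sees (packets, sources):", flood_indicator(constant)[VICTIM])
    print("source blocking (flood, legit dropped):", source_block_collateral(constant))
    shape = learn_fingerprint(constant)
    print("fingerprint", shape, "->", fingerprint_collateral(constant, shape))
    print("fingerprint on randomized flood:", learn_fingerprint(make_traffic(randomize=True)))
```

Running it shows the three outcomes the text predicts: the victim sees one destination hammered from many sources, source-address blocking removes the whole flood but also half of the legitimate requests (every infected host is also a user), and the fingerprint filter removes the flood with no collateral loss only as long as the packets keep a constant shape; once `randomize=True` no dominant shape exists and `learn_fingerprint` returns `None`.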

6. Can it be cured?

Sure!  I mean, antivirus software will eventually come up with a cure, and with some time and ingenuity, they will be able to distribute it.  This will lessen the strength of the attack, and maybe give enough bandwidth for security experts to get together online to try to find ways to eliminate the attack completely.  This could take some time: a few weeks, a few months?  But then what?  We wait for the next one?  What if the next one has as big an impact, but on top of it deletes files on hard drives?  When will the lesson be learned?  Will the computing community really sit down and try to iron out some old problems?  Will software publishers still rush their products to the market with bugs in them?  Will e-commerce survive?  Will the PC survive?  I don't know.

7. In conclusion

I did not invent anything here; it is all stuff waiting to happen right now.  I state this because I don't want to be blamed when this happens.  Because it _will_ happen.  This is a sword of Damocles hanging over the Internet at this very moment.  It could happen anytime, and it will more than likely transform our lives and our way of doing things in an unexpected way.  Babel, God's punishment to men for their lack of humility; maybe that's what we need after all.