Thursday, 25 March 2010

Summary for 30 March

Distributed denial-of-service attack

A distributed denial-of-service attack overloads the target network or system. The idea of the attack is to use many different sources (daemons) to carry out the attack and "masters" to control them. The best-known tools for organizing a DDoS (Distributed Denial of Service) are Tribal Flood Network (TFN), TFN2K, Trinoo and Stacheldraht. Figure 13 shows an example of how a DDoS is organized:

Figure 13: Distributed denial-of-service attack (diagram of attacker, masters, daemons and target)

The attacker uses "masters" to control the sources. Obviously, he has to connect (over TCP) to the masters in order to configure them and prepare the attack. The masters merely forward commands to the sources over UDP. Without masters, the attacker would have to establish a connection with each of the sources; the origin of the attack could then be detected easily, and carrying it out would take longer.

Each source exchanges specific messages with its master. Depending on the tools used, this communication may employ an authorization mechanism and/or encryption. To install the sources and masters, the attacker exploits well-known vulnerabilities (buffer overflows in services such as RPC, FTP, etc.). The attack itself is either a SYN flood or a Smurf attack, and it results in a denial of service for the target network or system.

http://www.linuxfocus.org/Russian/March2003/article282.shtml
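The excerpt names the SYN flood as one of the two attack forms the daemons send. From the defender's side the tell-tale sign is a server backlog full of handshakes that were opened with a SYN but never completed. The following is an added example (not code from the linuxfocus article) that tracks that state over a constructed packet summary; the `TcpPacket` record, the protected servers in 10.0.0.0/8 and the spoofed sources in 198.51.100.0/24 are all constructed sample data, and a real sensor would fill the records from a capture.

```python
"""SYN-flood (half-open connection) detector over constructed TCP packet summaries.

Added example, not code from the linuxfocus article. The packet records and the
address ranges (10.0.0.0/8 for the protected servers, 198.51.100.0/24 for the
spoofed sources) are constructed; a real sensor would fill TcpPacket from a capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str    # source IP
    dst: str    # destination IP
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = final ACK of the handshake


def half_open_sources(packets):
    """Return {dst: {src, ...}} of handshakes that were opened with a SYN but never
    completed with the client's ACK. The server's SYN-ACK travels in the other
    direction, so it neither opens nor closes an entry."""
    pending = set()  # (client, server) pairs waiting for the final ACK
    for p in packets:
        key = (p.src, p.dst)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A":
            pending.discard(key)  # handshake completed, entry leaves the backlog
    by_dst = defaultdict(set)
    for src, dst in pending:
        by_dst[dst].add(src)
    return dict(by_dst)


def detect_syn_flood(packets, max_half_open=100):
    """Flag servers holding at least `max_half_open` half-open connections.

    A SYN flood leaves many entries from many (usually spoofed) sources that never
    complete; legitimate clients finish the handshake within a round trip, so their
    entries are cleared. Returns {dst: number_of_distinct_half_open_sources}."""
    return {dst: len(srcs) for dst, srcs in half_open_sources(packets).items()
            if len(srcs) >= max_half_open}


def build_sample():
    """Constructed capture: three clients complete handshakes with 10.0.0.5, one
    client completes a handshake with 10.0.0.6, then 150 SYNs from distinct
    spoofed sources hit 10.0.0.5 and are never followed by an ACK."""
    packets = []
    for i in range(1, 4):
        client = f"10.0.1.{i}"
        packets += [TcpPacket(client, "10.0.0.5", "S"),
                    TcpPacket("10.0.0.5", client, "SA"),
                    TcpPacket(client, "10.0.0.5", "A")]
    packets += [TcpPacket("10.0.1.9", "10.0.0.6", "S"),
                TcpPacket("10.0.0.6", "10.0.1.9", "SA"),
                TcpPacket("10.0.1.9", "10.0.0.6", "A")]
    for i in range(150):
        spoofed = f"198.51.100.{i}"
        packets.append(TcpPacket(spoofed, "10.0.0.5", "S"))
        # the server answers, but the spoofed address never sends the final ACK
        packets.append(TcpPacket("10.0.0.5", spoofed, "SA"))
    return packets


if __name__ == "__main__":
    print(detect_syn_flood(build_sample()))  # {'10.0.0.5': 150}
```

The count of distinct half-open sources is the useful metric here: one slow client leaves one entry, whereas a flood from spoofed addresses leaves hundreds that never clear, which is exactly what exhausts the listener's backlog.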


DOS Model Development

In Figure 2, we have sectioned the DOS attack model development into three stages, each of which represents a transformation from the previous stage by the inclusion of a new element that increases the attacker's computational power. We will explore each of these transformations using the scenario described earlier.

The first transformation (Figure 2A) brought the inclusion of slaves into the DOS model. In this case we can think of the attacker as partially successful, and being able to move to a managing position as he hires new employees (equivalent of slaves) that will now be in charge of performing the attacks on command. The second transformation (Figure 2B) brought in another new element to the DOS model, the masters. Because of the distributed nature of the DOS model at this point, the attack became known as Distributed DOS Attack or DDOS. In this case, we think of the attacker as moving to a CEO position, and hiring managers (equivalent of masters) to supervise the attacks launched by employees on command, and to cover his tracks after the attacks are completed to avoid trace back.

Figure 2: (A) Denial of Service (DOS) Attack, (B) Distributed DOS (DDOS), (C) Distributed DOS with Reflectors (DRDOS)

The third and most dangerous transformation of the DOS attack model (Figure 2C) is known as Distributed DOS with Reflectors or DRDOS. As can be derived from the name, reflectors are the new element included in the model at this stage. The inclusion of this element differs in nature from the previous two. Instead of providing more computational power for the attacker, reflectors make it possible to execute a more effective and secure attack, therefore increasing the damages and decreasing the risk of trace back.

We can think of the volume of customers of the attacker's company increasing to such a point as to make it necessary for the attacker to outsource some of the work in order to maintain a profitable operation. The task being outsourced in this case would be the covering of tracks, which now becomes the job of the contractors (equivalent of reflectors). The reflectors' goal is to deflect any response to the attack onto themselves, which is accomplished by having the slaves list a reflector as the originator of the traffic instead of themselves. This DOS model allows the slaves to be free to attack at all times, and also decreases the possibility of trace back since the target server will assume the reflectors to be the originators of traffic, and thus forward all responses to them.

http://www.acm.org/crossroads/xrds10-1/tracingDOS.html
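In the DRDOS model above the target sees only the reflectors' responses, never the slaves' requests, and the Smurf attack from the first excerpt is the ICMP instance of the same pattern (echo replies reflected at the victim). Both therefore share one defensive signature: responses arriving at a host that never sent the corresponding request. The following is an added example (not code from the ACM Crossroads article) that applies one such rule to both reflected echo replies and reflected SYN-ACKs; the `Packet` record, the protected host 10.0.0.5 and the reflector ranges 192.0.2.0/24 and 198.51.100.0/24 are constructed sample data, and the sensor is assumed to see both directions of traffic.

```python
"""Unsolicited-response detector for reflected floods (Smurf, DRDOS).

Added example, not code from the ACM Crossroads article. It generalises the text:
a Smurf attack reflects ICMP echo replies and a DRDOS reflects TCP SYN-ACKs, but both
reach the target as responses it never requested, so one rule covers both. Packet
records, the protected host 10.0.0.5 and the reflector ranges 192.0.2.0/24 and
198.51.100.0/24 are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp" or "tcp"
    kind: str   # icmp: "echo_request" / "echo_reply"; tcp: "S" / "SA" / "A"


# Each response type and the request the protected host must have sent first.
REQUEST_FOR = {
    ("icmp", "echo_reply"): ("icmp", "echo_request"),
    ("tcp", "SA"): ("tcp", "S"),
}


def unsolicited_responses(packets, protected):
    """Return {host: {reflector, ...}} for hosts in `protected` that received a
    response without having sent the matching request to that peer earlier in
    the capture. The sensor must see both directions (e.g. at the border router)."""
    sent = set()  # (host, peer, proto, kind) of every outbound packet
    hits = defaultdict(set)
    for p in packets:
        if p.src in protected:
            sent.add((p.src, p.dst, p.proto, p.kind))
        elif p.dst in protected:
            request = REQUEST_FOR.get((p.proto, p.kind))
            if request and (p.dst, p.src) + request not in sent:
                hits[p.dst].add(p.src)
    return dict(hits)


def detect_reflection(packets, protected, min_reflectors=50):
    """Flag protected hosts receiving unsolicited responses from many distinct
    reflectors; a single stray reply is noise, hundreds of peers are a reflected flood."""
    return {host: len(peers)
            for host, peers in unsolicited_responses(packets, protected).items()
            if len(peers) >= min_reflectors}


def build_sample():
    """Constructed capture: 10.0.0.5 legitimately pings one host and opens one TCP
    connection, then is hit by 80 reflected echo replies (Smurf) and 70 reflected
    SYN-ACKs (DRDOS) from addresses it never contacted."""
    victim = "10.0.0.5"
    packets = [
        Packet(victim, "203.0.113.1", "icmp", "echo_request"),
        Packet("203.0.113.1", victim, "icmp", "echo_reply"),
        Packet(victim, "203.0.113.2", "tcp", "S"),
        Packet("203.0.113.2", victim, "tcp", "SA"),
        Packet(victim, "203.0.113.2", "tcp", "A"),
    ]
    packets += [Packet(f"192.0.2.{i}", victim, "icmp", "echo_reply") for i in range(80)]
    packets += [Packet(f"198.51.100.{i}", victim, "tcp", "SA") for i in range(70)]
    return packets


if __name__ == "__main__":
    print(detect_reflection(build_sample(), {"10.0.0.5"}))  # {'10.0.0.5': 150}
```

Because the reflectors are legitimate hosts answering what they believe are the target's own requests, blocking their addresses punishes the wrong party; the practical use of this detector is to confirm that a flood is reflected (the listed peers are the reflectors, not the slaves) and to rate-limit unsolicited responses rather than to trace the flood back through them.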

