Thursday, 24 January 2013

Denial of Service attacks

Introduction

This document looks at Denial of Service attacks: the people and devices at risk from attack, the law as a deterrent, the means of protection from such attacks using two Ethical Hacking methodology manuals, and one Incident Response methodology for when everything else fails.
A Buffer overflow code example is provided along with brief explanations of mature methodologies. All information in this document has had to be compacted to meet a pre-set word count, so some parts are discussed briefly and as much to the point as possible.
Two pieces of software recommended by ISSAF (2010) will be discussed: CpuHog and NTCrash.
This document tries to maintain the Harvard referencing system throughout.

Denial of Service
What is Denial of Service (DoS)? DoS is the overflowing or underrunning of an operating system or application software buffer on a device, such as a personal computer, mobile computer, router, switch, mobile phone or games console. The intention is to use up all available resources of a device, denying end users a service (Gibbs et al, 2006).

By using multiple infected systems against one device the DoS can be amplified. Because the task of the DoS is spread across multiple machines it is known as a Distributed Denial of Service (DDoS) (Gibbs et al, 2006; Cisco, 2004; Schiller et al, 2007).
Buffer

What is a Buffer? A Buffer is a temporary piece of physical memory that holds data until it is handled by a process (Harris et al, 2008). Programmers use a Buffer in software to load information into before any work is performed on it. Information is loaded into a Buffer before being transmitted across a network and again upon arrival (Chien & Ször, 2002). In the context of Quality of Service (QoS) a Cisco router Buffer can also be known as a queue (Cisco, 2009).
Stack

What is a Stack? A Stack is used to keep track of function calls in most operating systems. The Stack grows from the highest to the lowest addressed memory. Buffer overflows exist because of the way the Stack grows (Harris et al, 2008).
Buffer Overflow

What is a Buffer overflow? A Buffer overflow happens when the total amount of data to go into a Buffer is higher than the pre-configured maximum value (Chien & Ször, 2002). Below is an example in the C programming language of a simple declaration of a stack Buffer and the overflowing of that Buffer.
void buffer_overflow(void)
{
    int i;
    char Buffer[256];            /* Create a Buffer of 256 bytes (one char each) */
    for (i = 0; i < 512; i++)    /* Iterate 512 times: twice the size of the Buffer */
    {
        Buffer[i] = 'H';         /* Copy the letter H for Hacker into the Buffer;
                                    from i = 256 onwards this writes past its end */
    }
}

First a 256 bit character Buffer is created. A simple for loop set to run 512 times is then created to fill and overflow the 256 bit Buffer.
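Added example (not code from the original post): the same 512-into-256 fill with the bounds check the loop above lacks, plus the same check applied to data arriving across a network, as the Buffer section describes. The packet layout assumed here (a 2-byte big-endian length field followed by the payload) is a constructed assumption, as are the function names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Result of a bounded fill: how much was stored and whether the caller
 * asked for more than the buffer can hold. */
struct fill_result {
    size_t written;   /* bytes actually stored in the buffer */
    bool   truncated; /* true when requested > capacity (overflow prevented) */
};

/* Bounded replacement for the unchecked loop: never writes past dst[cap - 1]
 * and reports the truncation instead of silently corrupting the stack.
 * cap is the declared buffer size, passed explicitly (sizeof on the array). */
struct fill_result fill_bounded(char *dst, size_t cap, size_t requested, char fill)
{
    struct fill_result r = { 0, false };
    if (dst == NULL || cap == 0)
        return r;                       /* nothing to write into */
    size_t n = requested;
    if (n > cap) {                      /* the check the vulnerable loop lacks */
        n = cap;
        r.truncated = true;
    }
    memset(dst, fill, n);
    r.written = n;
    return r;
}

/* Same idea for network input (constructed packet format: 2-byte big-endian
 * length, then payload). The length field is attacker-controlled, so it is
 * validated against both the bytes actually received and the receive buffer
 * before any copy. Returns bytes copied, or 0 when the packet must be dropped. */
size_t copy_payload(char *dst, size_t cap, const unsigned char *pkt, size_t pkt_len)
{
    if (dst == NULL || pkt == NULL || pkt_len < 2)
        return 0;                       /* too short to hold a length field */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2 || declared > cap)
        return 0;                       /* length lies, or exceeds our buffer */
    memcpy(dst, pkt + 2, declared);
    return declared;
}

/* The page's scenario with the check in place: 512 bytes requested into a
 * 256-byte stack Buffer. Only 256 are written and the overflow is reported. */
struct fill_result demo_overflow_prevented(void)
{
    char Buffer[256];
    return fill_bounded(Buffer, sizeof Buffer, 512, 'H');
}
```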

No formal definition exists of the types of Buffer overflow, although buffer overflows can be broken into three generations.

  • First Generation - Overwrite stack memory.
  • Second Generation - Involve heaps, function pointers, and off-by-one exploits.
  • Third Generation - Involve format string attacks and vulnerabilities in heap structure management.

(Chien & Ször, 2002; Skoudis, 2002)

Who is at risk from Buffer overflow based attacks? The short answer is everyone who owns a device or application that has underlying scripting errors in its makeup.
The Law

What laws exist to deter Denial of Service? In the United Kingdom and Northern Ireland there are two main laws used by both Ethical Hackers and law enforcement: the Computer Misuse Act 1990 (CMA, 1990) and the Police and Justice Act 2006 (PJA, 2006). Other laws exist, but only these two are focused on in this document. CMA (1990) states that a person is guilty of an offence if they knowingly attempt “to impair the operation of any computer”. PJA (2006) states that a person is guilty of an offence if they knowingly attempt “to impair the operation of any computer”. The CMA (1990) and the PJA (2006) are intertwined to allow for the prosecution of criminals. It is highly advisable that anyone participating in Ethical Hacking activities has a concrete understanding of these two laws.
DoS Prevention

Can Buffer overflow attacks be prevented? The Information Systems Security Assessment Framework (ISSAF) Penetration Testing Framework has been set up to provide in-depth knowledge of how to carry out a penetration test correctly. It is maintained by the Open Information Systems Security Group (OISSG), who try to link penetration testing tasks to tools.

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for Penetration Testers and security experts. It is maintained by Pete Herzog of the Institute for Security and Open Methodology (ISECOM). OSSTMM is a technical manual that focuses on what items need to be tested, what to do before, during and after a penetration test, and how to measure any results.
ISSAF Methodology

ISSAF (2008) uses a peer-reviewed modular methodology to perform a penetration test, with tasks broken down into three phases:
  • Phase – I: Planning and Preparation.
  • Phase – II: Assessment.
  • Phase – III: Reporting, Clean up and Destroy Artefacts.
(ISSAF, 2008)
Assessment Phase

The assessment phase includes checks for DoS. ISSAF (2008) breaks the assessment phase down into twelve sub-tasks:
  • Information Gathering.
  • Passive Information Gathering.
  • Active Information Gathering.
  • Network Mapping.
  • Vulnerability Assessment.
  • Penetration.
  • Gaining Access and Privilege Escalation.
  • Enumerating Further.
  • Compromise Remote User Sites.
  • Maintain Access.
  • Covering the Tracks.
  • Audit.
(ISSAF, 2008)



Vulnerability Assessment

During the Vulnerability Assessment task, step 2 of ISSAF (2008) is to check manually for DoS vulnerabilities. Checking manually is important to reduce the chance of damage to important systems or loss of valuable information.
There are four areas of security a device can be categorised into before performing any tests:
  • Network Security.
  • Host Security.
  • Application Security.
  • Database Security.
(ISSAF, 2008)
DoS prevention is a network-wide issue and far beyond the scope of this document; for this reason only Host Security will be focused on.
Host Security

Four assessment frameworks exist within ISSAF (2008) for Host Security:
  • Unix/Linux System Security Assessment.
  • Windows System Security Assessment.
  • Novell Netware Security Assessment.
  • Web Server Security Assessment.
(ISSAF, 2008)
Because of the word count restrictions of this document, only the Windows System Security Assessment framework will be focused on.

Windows System Security Assessment

The ISSAF guidelines try to cater for all three generations of Buffer overflow attacks, although they are not currently up to date. ISSAF (2008) categorises overflows into four categories:
  • Buffer Overflow Attacks.
  • Heap Overflow Attacks.
  • Integer Overflow Attacks.
  • Format String Attacks.
(ISSAF, 2008)
To test for DoS on a Windows-based operating system, two guidelines exist within ISSAF (2008):
  • Denial of Service: NTCrash.
  • Denial of Service: CpuHog.
(ISSAF, 2008)
Denial of Service: NTCrash
NTCrash is an application programmed by Bryce Cogswell and Mark Russinovich in the early 1990s that exploits vulnerabilities in the New Technology Operating System Kernel (NTOSKRNL), which is the kernel image for the Windows New Technology (NT) family of operating systems.
NT programs use NTOSKRNL by invoking functions through calls to specific Dynamic Link Libraries (DLLs). In some calls parameters are not checked correctly. “The missing checks are primarily range checks and legality of addresses” (ISSAF, 2008).
To perform a test for DoS on an NT-based system in accordance with ISSAF (2008) guidelines, it is as simple as running NTCrash with the -n switch.
Denial of Service: CpuHog

CPUHog is a small application written by Mark Russinovich to test how applications act under Central Processing Unit (CPU) overload. CPUHog uses the priority mechanism in NT to hang the system. Once the system is hung no other applications can be started, including the Task Manager, which is sometimes essential to kill a hung process. On newer systems such as Windows 7, CPUHog will only reduce operating system performance. CPUHog highlights that programs can set priority levels without needing any special privileges.

To overload CPU resources in accordance with ISSAF (2008) guidelines, it is as simple as installing and running CPUHog.

OSSTMM 3 Methodology

OSSTMM (2010) brings a scientific approach to Ethical Hacking while aiming to be a straightforward way to implement and document a Penetration Test. It gives a methodology for an in-depth test, is not dependent on local law, was started in the year 2000 and is “designed to be consistent and repeatable” (OSSTMM, 2010). An unintended advantage of using the OSSTMM methodology is that it can be used as a central reference manual for all security tests, regardless of the technology, protection or size of an organisation.

OSSTMM (2010) uses a modular approach to break up a Penetration Test. The modules or phases are as follows:

  • Induction Phase.
  • Interaction Phase.
  • Inquest Phase.
  • Intervention Phase.

(OSSTMM, 2010)

Because the focus of this document is DoS, the Intervention Phase will be focused on.
Intervention Phase

This is the end phase of a penetration test, because its tests are aggressive and could destroy important information needed by the other, less aggressive tests. Four sub-phases exist within the Intervention Phase:

  • Quarantine Verification.
  • Privileges Audit.
  • Survivability Validation / Service Continuity.
  • Alert and Log Review / End Survey.

(OSSTMM, 2010)

The Survivability Validation / Service Continuity phase concentrates on disruption of service to an end user; this is why it will be focused on.
Survivability Validation / Service Continuity
This section focuses on device resources, and on overloading or starving those resources to gain access or potentially deny a user service. OSSTMM (2010) focuses on methodology, not the tools required to do those tasks; that is down to the experience of the person carrying out a test. QoS is taken into consideration in this phase in regard to telecommunication technologies.

Incident Response

An organisation needs to know how to respond correctly to a network breach; this is why Schultz and Shumway (2002) believe a methodology is required. A methodology allows an organisation to add structure to the process of dealing with a potential security threat.

Schultz and Shumway (2002) say that using structure has been proven to be more efficient, and that this efficiency saves money. By breaking the process into phases, analysts can see where one process ends and another starts. The strategy being used can be changed to one that suits the situation better. A mental map of the incident process can then be easily put together and more easily understood. An Incident Response strategy allows an organisation to deal with the unexpected.

Schultz and Shumway (2002) believe having a methodology allows mistakes to be reduced when analysing an attack. Human beings prefer structure to chaos; a process is easier to understand when the lines of separation can be seen with the naked eye. Methodology can reduce the risk of errors under stressful situations.

The methodology offered by Schultz and Shumway (2002) claims to be the first methodology created in the Incident Response genre of computer security. The Six Stage methodology was first started in Pennsylvania at the Software Engineering Institute by approximately twelve people in 1989, as part of an Invitational Workshop on Incident Response.

The six stages of the methodology are as follows:

  • Preparation.
  • Detection.
  • Containment.
  • Eradication.
  • Recovery.
  • Follow-Up.

(Schultz and Shumway, 2002)

Other methodologies may exist, but only the Six Stage methodology has been focused on here.
Conclusion

If problems are found before being exploited, damage and loss in money, time and man power can be avoided. But to avoid devices being exploited, maintenance and good practice need to be maintained.
DoS is in its third generation in 2012 and history shows that it has no intention of stopping any time soon. The network can be looked at like a corridor in a building such as a bank: each doorway leads to a new destination, each doorway leads to a new corridor, with one type of access restriction for staff and another for customers. Every doorway needs to be evaluated based upon the consequence of the risk. If the consequence of taking the risk means potential loss in money, time, man power, or potential loss of life, then someone has to take the risk of making a choice. If one door is left open, where does it go and who is taking that route to what destination? What can be accessed by taking a certain route? What information is behind each door along every corridor? When it comes to computer security, someone has to make the choice to hold the blame on their shoulders if anything goes wrong because of their negligence.
Methodology alone does not allow for a thorough penetration test; knowing what to do if one system fails is also important. Experience and methodology are crucial to allow adaptability in unexpected circumstances.
By taking a scientific approach to computer security, methods can be peer reviewed, meaning they have more credibility. Universities and large organizations can work together to produce globally recognized Standard Operating Procedures (SOPs). SOPs are used by the British Armed Forces to carry out tasks in a recommended, uniform, chronologically ordered and maintained manner.
For security reasons it is advisable not to hire anyone who is previously known to have acted unethically. Hire people with proven appropriate qualifications and experience to do the job.
