Zaraky Posted June 4, 2012 Report Posted June 4, 2012 ABSTRACTThe usage of peer-to-peer networks in massive distributed denial of service attacks is well known sincethe beginning of year 2007 when this kind of attack has often been observed [1][2] against many publicservers. At the date of this article's writing (July 2008) there were not so frequent DC++ generatedDDoS attacks reported.But the big danger still remains because a great number of the DC++ hubs around the world are ownedby people whose ethics is questionable and who could (any time) generate such an attack.This article discusses in great depth the anatomy of a DC++ based DDoS attack and shows somemeasures that could be used to defend against it, including a tool to detect the attacker hubs.The ideas presented in this article are based on practical experience during a confrontation with thistype of attack.1. INTRODUCTIONDistributed Denial of Service (DDoS) attacks are known for many years and they can be very effectiveeven in nowadays. The main idea of a DDoS attack is to deplete the resources of the victim (bandwidth,CPU, memory, disk space, etc) and no matter how many resources the victim reallocates, the attack willstill overwhelm it.There are several methods to implement a DDoS attack nowadays. One of them is by commanding thebots (zombies) of a botnet to simultaneously send attack traffic against a victim. The attack intensitydepends on the size of the botnet [3]. Several botnets are now disputing for supremacy around theworld: Storm, Kraken, Srizibi, etc. [4]A more stealthy method of doing a DDoS attack is to inject hidden code into well known sites that arevulnerable. The hidden code could contain instructions to initiate connections to the victim server.When the visitors visit those sites, they automatically execute the code and initiate legitimateconnections to the victim server. [5]Peer-to-peer networks can also be used in DDoS attacks. One of the most aggressive of these attacksexploits the DC++ network. This is different from a botnet attack because the attacker does not exploitany vulnerability in the clients that generate the attack traffic. He just instructs them to blindly connectto the victim through the DC++ hub. In the next parts of this article we will discuss in depth this DC++based DDoS attack.2. DC++ OVERVIEW2.1 DC++ history and architectureIn 1999 a high-school boy named Jonathan Hess was creating a company named NeoModus, which hadthe objective to facilitate the file sharing over the Internet. He was using for this purpose a proprietary---------------------------------------------------------------------------------------------------------------------------protocol called Direct Connect. The first client application for this network was NMDC (NeoModusDirect Connect). The idea of sharing files over the Internet became very popular, so other DirectConnect (freeware) clients were written - DC++, StrongDC, oDC, Valknut, etc - by reverse engineeringthe protocol. The most popular of them is DC++, which gave the name of the network.DC++ peer-to-peer network is composed of three entities: clients, hubs and hublist servers. The clientsare the ones who want to share files between each other. The hubs are server applications (ex. Verlihub,YnHub, HexHub, Ptokax, etc) that facilitate the communication between the clients. For a client toknow which hubs to connect to, it must know the hub’s name or IP address and the hub’s port. Theseinformation can be set manually or the client can download a list with hub information from specializedhublist servers. The architecture of a DC++ network is presented in Figure 1.Figure 1. DC++ network architectureDC++ clients identify themselves to the hub and to the other clients by a so called nickname. Somehubs impose restrictions for the nickname to have a specific format (ex. [RO][CZONE]xxx) butothers allow random nicknames.Clients can connect to the DC++ hubs in two ways: passive or active. A passive client is the one thatconnects to the hub from behind a firewall or from a LAN with private IP addresses. A passive clientcannot receive direct connections from the Internet. An active client is the one that has a public IPaddress and is connected directly to the Internet. It can receive direct connections from other clients.An active client can download files from any other client of any type but a passive client can downloadfiles only from active clients. Two passive clients cannot download files from each other using DC++protocol unless they are on the same LAN.There are millions of DC++ hubs in the Internet and each of them can have thousands of clients,depending on its resources.---------------------------------------------------------------------------------------------------------------------------2.2 DC++ usage in DDoS attacksAt the beginning of year 2007 there were many reports of DDoS attacks against web servers, generatedby DC++ clients.This kind of attack can have a very large scale, respectively several thousand computers that sendtraffic to a victim server resulting in about 25.000 connections/second for a moderately big attack.While a typical server can handle a few hundred connections/sec before its performance begins todegrade, most web servers “die” almost instantly when they have to face six or seven hundredconnections/sec. So, in case of a DDoS attack implemented with DC++ clients, most of the web serverscan be completely disabled.The classical defense mechanisms are not effective against them and the really effective ones are veryexpensive.3. ATTACK DESCRIPTION3.1 Direct ConnectIn order to fully understand this kind of attack, the Direct Connect protocol must be understood first.Direct Connect protocol has no standard version and it was initially documented by reverse engineeringthe first Direct Connect client application – NeoModus. Nowadays it is being maintained anddeveloped by various groups from the Internet.Direct Connect (DC) is an application level protocol that uses TCP for transport. It is a clear textprotocol, unencrypted, that uses commands of the following form: $<command>|, where ‘|’ is thecommand delimiter.In DC protocol there are four communication types (usage scenarios):1. HubClient2. ClientClient3. HubHub (still in development)4. HubHublist serverFor the purpose of this article we will explain the second scenario, the ClientClientcommunication, which is exploited to generate DDoS attacks.DC++ clients communicate directly with each other when they want to download files. Thecommunication between two clients is initiated through the hub to which are both connected, becausethis is their only common point. As we mentioned before, if the Downloader client and the Uploaderclient are both passive, the file transfer between them is not possible using Direct Connect protocol. Ifthe Downloader is active and the Uploader is passive, then the Downloader cannot initiate a connectionto the Uploader in order to transfer files. So, in order to do the file transfer, it will give the Uploader acommand (through the hub) to initiate back a connection to the active Downloader and this way the filetransfer can begin.These are the steps of a file download in DC protocol:D = downloaderU = uploaderH = hub1. D>H: $ConnectToMe <U's username> <D's IP and port>|2. H>U: $ConnectToMe <U's username> <D's IP and port>|3. U>D: TCP Connection to D’s IP and port4. U>D: $MyNick <U's nick>|$Lock <new lock with pk>|5. D>U: $MyNick <D's nick>|$Lock <new lock with pk>|$Direction Upload---------------------------------------------------------------------------------------------------------------------------<anumber>|$Key <key for U's lock>|6. U>D: $Direction Download <anumber>|$Key <key for D's lock>|7. D>U: $Get <filepath + filename>$<start at byte (1=beginning of file)>|8. U>D: $FileLength <length of the requested file>|9. D>U: $Send|10. U>D: Data, in many chunks.11. D>U: $Send|<- when 40906 bytes are sent, ask for moreWe will explain the first four steps, because they are relevant to the DDoS attack. Steps 5-11 are alsoprotocol specific and they deal with the transfer of the file bytes, after the direct connection betweenthe two clients has been established. A full Direct Connect command reference can be found in [6].We can see in the first step that the Downloader sends the command $ConnectToMe to the hub. Thecommand parameters are the Uploader’s nickname and the Downloader’s IP address and port. The hubmust send this command unaltered to the Uploader (identified by its nick name) – step 2. When a client(Uploader) receives a $ConnectToMe command, it must initiate a TCP connection to the client that sentthis command (identified by its IP address and port) – step 3. As we already said, this behavior isnecessary when direct connection between two clients is not possible because of the network topology(one of the clients is behind of a NAT device or firewall and the other has public IP address).After the TCP connection has been established, the Uploader sends to the Downloader the command$MyNick which is used to identify itself. The rest of the commands (steps 5-11) are used to effectivelydo the data transfer, between the two clients directly.3.2 The AttackThe attack uses a vulnerability in the DC++ hubs (Verlihub-0.9.8c, Verlihub-0.9.8d-rc1, Ynhub <1.0306, Ptokax < 0.3.5.2), respectively in the Client-to-Client communication described above.The vulnerability is in step 2, when the hub forwards the $ConnectToMe request to the Uploader clientwithout verifying it. So the Downloader can put any IP address and port it wants in the $ConnectToMerequest and the receiving client (Uploader) will connect to that address, trying to continue the filedownload protocol.It is very easy to make a tool that generates a DDoS attack using this vulnerability. All the tool needs todo is connect to several DC++ hubs (which are vulnerable) and repeatedly send forged $ConnectToMerequests to each of the hub’s clients. The forged requests must have the Downloader’s IP address andport set to victim server’s IP address and port. That way all the hub clients that receive this messagewill initiate connections to the victim and try to continue the file download (steps 3 and 4).D = downloader (attacker)U = uploader (DC++ client)H = hubV = victim1. D>H:2. H>U:3. U>V:4. U>V:$ConnectToMe<U’s username, Victim’s IP and port>$ConnectToMe<U’s username, Victim’s IP and port>TCP Connection$MyNick <U’s nick>|$Lock <new lock with pk>|This behavior is presented in Figure 1.---------------------------------------------------------------------------------------------------------------------------Figure 1. A DC++ DDoS attack in actionSo, from the attacker’s point of view it is a low bandwidth attack but the effects on the victim side aremaxim.This kind of attacks is usually done against web servers. During the attack, the web server first doeslegitimate TCP handshakes with the DC++ clients and then receives non-HTTP packets containingDirect Connect commands like: $MyNick clientxxx|$Lock EXTENDEDPROTOCOLPk=DCPLUSPLUS0.674 (step 4).The HTTP protocol makes the server wait for a configured period of time until it receives a valid HTTPrequest. So its resources for that connection will be unavailable until the timeout expires. The very bignumber of connections simultaneously established with the web server finishes its resources and makesit unavailable for any legitimate requests.The number of connections/sec generated during an attack can be calculated after the followingformula:connections/sec = hub_no * hub_clients * $CTMs/secwhere:hub_no= number of hubs participating in the attackhub_clients = average number of clients on each hub$CTMs/sec = number of $ConnectToMe commands received by each client per secondFor a moderately big attack, the variables could be:---------------------------------------------------------------------------------------------------------------------------hub_no~= 5hub_clients ~= 5000$CTMs/sec ~= 1=> 25.000 connections/secBecause of the big number of requests, the attack could easily be confounded with a SYN flood attack.4. ATTACK MITIGATIONIn this section we will present a number of methods that can be used on the victim side to mitigate theattack. Such an attack can last days or weeks and the administrator of the victim server has time to trydifferent mitigation methods and to find the culprit. The ideas presented below come from practicalexperience during such an attack.The first thing that comes in mind when dealing with a DC++ based DDoS attack is to block the IPaddresses of the DC++ clients at network level using a firewall. But this method usually doesn’t haveany positive effect because the clients of a DC++ hub are very dynamic and the IP addresses change inmatter of seconds or minutes. New clients from different IP blocks join the attacker hubs and theblacklisting method is not efficient. A big number of firewall rules would considerably slow down thefirewall device resulting also in service unavailability.After a little bit of thinking, another possible solution comes in mind. We can see that this is an IPbased attack. So, in case of a web server, we could change periodically the IP address of the web serverand modify the DNS resolution accordingly. Some attack tools are smarter but others are just for scriptkiddies. This solution could slow down a script kiddy that doesn’t know how to modify the tool inorder to target the current IP address of the victim.In case of a web server being attacked, we can see that when it receives a non-HTTP packet, it waits fora timeout to expire before resetting the TCP connection. This timeout is specified in the configurationfile of the web server. In case of Apache, this parameter can be found in httpd.conf file and is calledTimeout. Its default value is 300 seconds (5 minutes!) and it should be lowered to 30 seconds. This way,the server will not keep its resources busy for that long time.This kind of DC++ based DDoS attack is an application level attack. Older DDoS attacks were atnetwork or transport level and they were easier to mitigate by using firewalls or other IP filteringmechanisms. But application level attacks are legitimate from the network or transport’s layer point ofview. So the only way to effectively mitigate this kind of attacks is by using an application levelfirewall that has deep packet inspection capabilities.The easier and cheapest solution, considering a Linux/Unix machine, is to use the string module ofiptables. This module searches the packet for a given string and can reset the connection if the string isfound. The command is like:IPTABLES -A INPUT -d $TARGET_IP -p tcp --dport $TARGET_PORT --tcp-flags ALLPSH,ACK -m string --algo bm --string MyNick --to 100 -j REJECT --reject-with tcp-resetThis method is effective for small scale DDoS attacks. But when the attack is bigger, the performanceof the server lowers because it still has to make full TCP handshakes with the DC++ clients and resetthe connections only when the first data packets come.---------------------------------------------------------------------------------------------------------------------------The most effective way to mitigate a DC++ based DDoS attack is to use an application level gateway,or proxy server, or a firewall that can do deep packet inspection. This kind of device knows how tointerpret application level data (layer 7 protocols) and can reject malformed HTTP requests. But thedisadvantage of this solution is that is very expensive.Another (expensive) solution to this problem is to redirect the traffic of the attacked server to a CleanPipe service provider. This type of service filtrates the malicious packets and allows only the legitimateones to reach the customer.5. FINDING THE ATTACKER5.1 Method details - HubMonitorIn this type of attack is very difficult to detect the real attacker (the one running the attack tool) becausethe victim doesn’t have any information about him. The packets that reach the victim are generated bythe DC++ clients and contain no information about the real attacker.But there is a nondeterministic method that a victim can use in order to gather evidence about theattacker during the attack and/or to stop the attack from its root point. By using this method, the victimcould find the attacker hubs. When one of these hubs is found, the legal way to shut it down is tocontact its service provider and give it the evidence of the attack and to contact hublist server owners toerase the hub from its list because of DDoS. Considering that the number of hubs participating in anattack is very small (comparing to the number of DC++ participating clients), shutting down one or twoof them can significantly reduce the amount of attack traffic.As we have seen until now, the real attacker is a modified DC++ client that sends $ConnectToMerequests to all of the other clients of the hubs to which it is connected. So all of the clients of theattacker hubs receive the $ConnectToMe messages that contain the victim’s IP address and port. Themethod of detecting these attacker hubs uses also a modified DC++ client that connects simultaneouslyto multiple DC++ hubs and listens for $ConnectToMe ($CTM) messages that are targeted to the victim.In Figure 2 there is a visual description of this behavior.I have implemented this method into a freeware tool called HubMonitor that can be found at [7].HubMonitor is a command line tool that allows its operator to inspect automatically or manually thetraffic of multiple hubs and detect the attacker ones. The algorithm used by HubMonitor is aparallelized version of this one (pseudo-code):1. Read the list of hubs to connect to2. For each hub Ha. Connect to Hb. Wait few minutes for $CTM packetsc. IF receive $CTM and (IP == victim IP) AND (port == victim port)i. H is an attacker hubELSEii. H is not an attacker hubd. Disconnect from H3. Exit---------------------------------------------------------------------------------------------------------------------------Figure 2. Detecting the attacker hubsThis very simplistic algorithm has one unknown element. This is the hub list to connect to. To get thehub list, the operator has at least two methods:- get the hub list from a Hublist server- compose manually the hub list based on observationsFor the moment, HubMonitor only accepts a list of hubs given as an input file.But getting the hub list from a hublist server can be done automatically too. Hub lists can be found onXML format or on a special hublist.config format. The advantage is that the tool will crawl through avery big number of hubs and the chances of finding the attacker hubs are greater. But the method isslow because connecting to each hub is time consuming. Hublist servers can be easily found with asimple web search. Example: dchublist.com, adchublist.com, dchublist.ro, dchubs.ro, hublist.top25.ro.For better results, the hublist servers from the country where the victim resides should be searched first.The algorithm below is an improved version of the one HubMonitor currently uses:1. Read the list of Hublist servers2. For each Hublist server HBa. Connect to HBb. Download hub_listc. Parse hub_list and extract INFO: hub name, port, minimum share sized. Add INFO to hub_info_list3. For each hub H in hub_info_lista. Connect to Hb. Wait few minutes for $CTM packetsc. IF receive $CTM and (IP == victim IP) AND (port == victim port)i. H is an attacker hubELSEii. H is not an attacker hub---------------------------------------------------------------------------------------------------------------------------d. Disconnect from H4. ExitWhen you want to compose a list of hubs to verify (with HubMonitor), there are some observations thatcan be useful:• Look at the nicknames from the $ConnectToMe packet. Many nicknames contain additionalinformation such as country, town, ISP (ex. [RO][RDS] xxx, [iT]kkk, [FI] ppp, etc). Basedon the predominant country you can focus on hublist servers from that country. The countrycan also be obtained from the IP address.• If you are an ISP and your server is attacked, there is a big probability that some of theattacking DC++ clients to be in your network (verify by source IP address). Then you can callon the phone the person who has that IP address and ask him to tell you all the hub names towhich he is connected in that moment. Those suspect hubs can be used as input to the tooldescribed above and the chances to find the attacker hubs are greatly improved.• Think about your enemies and analyze any messages received during the attack that can pointto the hackers performing it. There are specialized hacker groups in the Internet that ownDC++ hubs and can generate such an attack against your server. You can find their hubs andtry the tool on them. More about this subject on the next paragraph.5.2 DC++ teamsWhen this attack was often used by various malicious people from the Internet, there were a lot ofvulnerable hubs out there. Now their number is considerably lower because the administrators haveupgraded the hub software and they cannot be used in the attack anymore. Furthermore, the vulnerablehubs have been blacklisted on some hublist servers.But many of the hubs from the Internet are owned by individuals who are part of various hacker teams.So they can downgrade anytime their hub software to a vulnerable version or use a custom made hubsoftware in order to use them in DDoS attacks.One of these teams is called TeamElite (‘][’€AM € LiT €) and is composed of various young personsaround the world (Romania, Latvia, United Kingdom, etc). The most skilled of them are goodprogrammers, capable of building their own hacking tools (including viruses, worms, etc) and havedeep knowledge of computer systems. One of their leaders is Cristian Albu (a.k.a Lord_Zero, Vektor)and he is the writer of HexHub software and other hacking utilities.TeamElite has often been involved in many illegal activities, including web site defacements and DDoSattacks [8]. They are the owners of a couple of DC++ hubs and they also work on Direct Connectprotocol development [9][10].In case of an attack, system administrators should consider checking the hubs of the known hackerteams – using the method presented in 5.1 - who might use them in the attack.6. CONCLUSIONSPeer-to-peer networks have a big attack potential from the malicious people’s point of view. Whenhackers find flaws in these networks, the generated attacks can be very powerful because of the bignumber of clients participating at them.The DDoS attack described in this article is very dangerous because it is easy to implement by thehackers and is very difficult to defend against it on the victim side. Above that, the victim has no way.
Zaraky Posted June 4, 2012 Author Report Posted June 4, 2012 nu mai stiu sigur de unde am luat documentul ca il am in pc..
sakura002 Posted May 12, 2014 Report Posted May 12, 2014 Hey great info on this. Was wondering if you may have flooders for DC? new or old?
Gushterul Posted May 27, 2014 Report Posted May 27, 2014 E usor de filtrat... In plus, din cate stiu trebuia sa fie serverul DC++ vulnerabil.
