Impact analysis of Apache/mod_ssl worm

Date: 02 October 2002

On 14 September 2002 AusCERT issued alert AL-2002.11 advising of the newly discovered Apache/mod_ssl worm, also known as Linux.Slapper. The purpose of this article is to highlight the impact of the worm two weeks after it was discovered in the wild. The article also explores some potential implications of the distributed denial of service (DDoS) attacks which could be launched from hosts compromised by Slapper or a similar worm.

Although peer-to-peer networking is not new, the Apache Scalper worm of July 2002 was the first worm to incorporate peer-to-peer communication channels between its infected hosts. Slapper has taken this key feature from Scalper and improved on it.

Background

The key features of the Slapper worm are:
  1. It exploits one of the OpenSSL buffer overflow vulnerabilities reported in July 2002 (see AusCERT Advisory AA-2002.06), specifically the overflow in the handling of the SSLv2 client master key message, against Apache web servers running mod_ssl with a vulnerable version of OpenSSL.

  2. Although current versions of Slapper target Linux hosts, with some modification of the source code, it has the potential to affect any platform utilising the vulnerable versions of OpenSSL.

  3. The worm gives an attacker the following capabilities:

    • execution of arbitrary code on the compromised host

    • forwarding of communications on behalf of the attacker through anonymous proxy connections

    • communication between compromised Slapper peers

    • use of a variety of attack scripts built into the worm to launch DDoS attacks from the worm network against other sites

    • The DDoS capabilities allow an attacker to:

      • select the sites to attack

      • select one of three DDoS attack methods, including DNS attacks

      • determine the duration and/or frequency of attacks against the targeted sites.

  4. There are currently three versions of the worm. The first uses UDP port 2002, as both source and destination port, for its peer-to-peer communication; versions B and C use ports 4156 and 1978 respectively. New variants could easily be produced by making small changes to the worm's source code, which is publicly available.

  5. Although Slapper is fundamentally different from the Apache Scalper worm (it exploits a different vulnerability), its code was derived from the Scalper worm code (see AusCERT alert AL-2002.06). Similarities between the two include the way they establish and use peer-to-peer communications, their propagation method and their DDoS capabilities.[1]

Ease of exploit

The DDoS functionality of hosts compromised by the worm is its most worrying feature, since it gives a potential attacker a choice of thousands of infected hosts to take part in an attack. In each of the three versions currently in circulation, the worm keeps track of the hosts it infects, its parent, its children's children and so on. While scanning for new vulnerable hosts to infect, an infected host also records details of other infected peers, and each new infection automatically installs the DoS and peer-to-peer communication code.

Attackers can exploit the DDoS features of the worm in the following way:

  • A would-be attacker needs only to scan the Internet for hosts listening on the UDP ports used by the Slapper variants.

  • Alternatively, an attacker can identify compromised hosts from firewall log records showing the tell-tale signs of Slapper scanning activity directed at the attacker's own machines.

  • By sending specially crafted packets to a single host compromised by the Slapper worm, the attacker can then direct that host, and potentially all of the peers known to it, to participate in a DDoS attack.
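The same firewall-log evidence that tells an attacker where Slapper hosts are also tells a defender which of their own (or their neighbours') machines are infected. The following is an added example, not code from the article or from AusCERT: it reads iptables-style LOG lines (the log format is an assumption; the article does not specify one) and flags two indicators that the article describes, namely UDP traffic with the worm's peer-to-peer port on both ends, and one source probing many hosts on TCP 80/443 as the worm does when looking for Apache/mod_ssl servers. The scan threshold of five distinct targets and the sample log lines are constructed for the example.

```python
"""Look for Slapper indicators in iptables-style firewall log lines (added example).

Two indicators, both described in the article:
  * UDP packets whose source AND destination port is one of the worm's
    peer-to-peer ports (2002, 4156, 1978).  The worm uses the same port on
    both ends, so a host *sourcing* such traffic is itself a likely peer.
  * One source probing many distinct hosts on TCP 80/443, the worm's
    propagation scan for Apache/mod_ssl servers.
"""
import re
from collections import defaultdict

SLAPPER_UDP_PORTS = {2002, 4156, 1978}   # variants A, B, C (ports from the article)
SCAN_PORTS = {80, 443}                   # Apache probe / mod_ssl exploit ports
SCAN_THRESHOLD = 5                       # distinct targets before we call it a scan (assumption)

_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Extract SRC/DST/PROTO/SPT/DPT from an iptables LOG line; None if incomplete."""
    f = dict(_FIELD.findall(line))
    if not all(k in f for k in ("SRC", "DST", "PROTO", "SPT", "DPT")):
        return None
    return {"src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"],
            "spt": int(f["SPT"]), "dpt": int(f["DPT"])}


def find_slapper_suspects(lines, threshold=SCAN_THRESHOLD):
    """Return {source_ip: [reasons]} for sources showing either indicator."""
    reasons = defaultdict(set)
    scan_targets = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        # Peer-to-peer traffic: same Slapper port as source and destination.
        if p["proto"] == "UDP" and p["spt"] in SLAPPER_UDP_PORTS and p["spt"] == p["dpt"]:
            reasons[p["src"]].add("slapper-p2p-udp/%d" % p["spt"])
        # Propagation scan: count distinct web-server targets per source.
        elif p["proto"] == "TCP" and p["dpt"] in SCAN_PORTS:
            scan_targets[p["src"]].add(p["dst"])
    for src, targets in scan_targets.items():
        if len(targets) >= threshold:
            reasons[src].add("http-scan/%d-targets" % len(targets))
    return {src: sorted(r) for src, r in reasons.items()}


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
# 192.0.2.10 is a peer talking UDP 2002->2002; 203.0.113.7 is scanning five
# hosts on 80/443; the last two lines are benign (a DNS reply, one TLS client).
SAMPLE_LOG = """\
Sep 14 03:12:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=2002 DPT=2002 LEN=80
Sep 14 03:12:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.9 PROTO=UDP SPT=2002 DPT=2002 LEN=80
Sep 14 03:13:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=40011 DPT=80 SYN
Sep 14 03:13:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40012 DPT=80 SYN
Sep 14 03:13:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 PROTO=TCP SPT=40013 DPT=80 SYN
Sep 14 03:13:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=TCP SPT=40014 DPT=80 SYN
Sep 14 03:13:20 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40015 DPT=443 SYN
Sep 14 03:14:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=2002 LEN=120
Sep 14 03:14:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=5000 DPT=443 SYN
"""

if __name__ == "__main__":
    for src, why in sorted(find_slapper_suspects(SAMPLE_LOG.splitlines()).items()):
        print(src, ", ".join(why))
```

Requiring the Slapper port on both ends of a UDP packet is what keeps ordinary traffic (for instance a DNS reply to a client that happened to pick 2002 as an ephemeral port, as in the constructed sample) from being flagged; a host that merely receives packets on one of these ports is a target of the worm's peer discovery, not necessarily a peer.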

Impact so far

Since 13 September, sources report that around 30,000 hosts [2] have been compromised and remain so. There have also been several reports of DDoS attacks launched from compromised Slapper hosts, although the impact of these attacks on the sites concerned is not known. Posts to security newsgroups reveal that attackers are actively exploiting these newly built networks.

Threat posed by Slapper peer-to-peer network

DDoS attacks and tools have been around for many years, and the threat a DDoS attack poses to a network's external router, web site, or any Internet-accessible critical information infrastructure service is not new. For an attacker, the advantage of exploiting the Slapper peer-to-peer network is that the agents (peers) are already compromised and set up to facilitate such an attack, so less effort is required to launch one. For some attackers this may increase both their desire and their ability to launch attacks. The Slapper peer-to-peer network therefore increases the DDoS threat to networks by giving some attackers an opportunity to launch attacks that they would otherwise be unwilling or unable to mount.

Potential power and scale of a Slapper-facilitated DDoS

The organisations which generally operate Apache web servers with OpenSSL are likely to include large organisations with high-bandwidth connections to the Internet, including web hosting service providers. Most such web servers have 100 Mbps connections, so even a small number of compromised Slapper agents could consume the bandwidth of multiple E3 network connections [3] or larger links. With several hosts working in unison, the transmission rate would be sufficient to deny service to organisations or routers with large bandwidth connections, including some backbone connections.

Let’s consider some possible scenarios

What if a DDoS attack was directed against the Domain Name System of a country? DNS servers resolve domain names to IP addresses, and so allow communication between hosts in different domains across the Internet. If the DNS servers are unavailable, then as cached entries expire (their lifespan depends on the time-to-live set by each zone, commonly between 24 and 48 hours) web access, external e-mail and other Internet protocols such as FTP will fail.

In Australia, there are only a handful of higher-level DNS servers, or "country root DNS servers", which provide IP address and domain name resolution for the .org.au, .net.au, .edu.au, .com.au, and .gov.au domains. The situation is similar in other countries of similar population size.

A DDoS attack against the critical routers which provide the entry points for traffic from major telecommunication carriers into or out of Australia, or any other country, could similarly degrade the ability of organisations in that country to communicate externally, and vice versa. While traffic can be diverted through different routes, the loss of a few critical routers for a period of time would place an excessive load on the alternative routes. Since bandwidth utilisation is generally recommended to be kept below 70% of capacity, any large increase in traffic demand on alternative routes would soon slow network traffic to rates at which many Internet services would become ineffective.

Mitigation

Defending against DDoS attacks is more difficult than defending against ordinary DoS attacks, particularly when a large number of agents is involved. However, knowing in advance what options are available will help with recovery and contingency planning. For some organisations, the loss or degradation of business IT systems for an extended period will have only a minor impact. For others, the impact may cause moderate to serious loss of business revenue or degrade IT services on which clients rely. In these cases, developing a plan to deal with DDoS attacks as part of the organisation's overall business continuity plan is no doubt worth the investment. The following resources may assist in identifying appropriate response strategies for DDoS attacks:

The following papers provide guidance in tracking attacks:

http://www.cymru.com/Documents/tracking-spoofed.html

http://www.secsup.org/Tracking/

The following paper provides useful links on DDoS tools, defence and mitigation:

http://www.sans.org/ddos_roadmap.htm

The old adage that ‘prevention is better than cure’ is no less true for IT security. Each company and organisation can help prevent attacks by actively seeking to prevent compromises to their own networks. Preventing compromises protects their own assets and the assets and Internet services enjoyed by others. Invariably, vulnerable hosts are compromised either for the value they hold to an attacker in their own right, or as a resource to use to attack other sites. In the latter case, they provide the attacker with greater anonymity and networking power than they would otherwise have.

In the case of the Slapper worm, organisations operating Apache web servers with OpenSSL should check whether they are running a vulnerable version of OpenSSL, whether the vulnerability has been patched, and whether they may already have been compromised. AusCERT's security bulletin AL-2002.11 provides further details on how to detect a compromise.
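The three checks in the paragraph above can be scripted. What follows is an added example, not code from the article or from AL-2002.11, and it makes some assumptions: the fixed OpenSSL releases are 0.9.6e and 0.9.7-beta3 as stated in AA-2002.06, with anything older treated as vulnerable; the dropped-file names for variants A, B and C are taken from public analyses of the worm at the time rather than from this article, so AL-2002.11 remains the authoritative list; and the listener check expects the Linux `netstat -anu` layout (`ss -lun` prints a different one). Each check is a pure function over captured text so it can be tried on the constructed sample, and `main()` runs the real commands on the host.

```python
"""Post-Slapper host checks for an Apache/mod_ssl server (added example).

  openssl_vulnerable(version_line)   - does `openssl version` predate the July 2002 fixes?
  slapper_udp_listeners(netstat_out) - is a UDP socket bound to one of the worm's peer ports?
  slapper_artifacts(tmpdir)          - are any of the worm's known dropped files present?
"""
import os
import re
import subprocess

SLAPPER_UDP_PORTS = {2002, 4156, 1978}           # peer-to-peer ports of variants A, B, C
# Dropped-file names from contemporaneous public analyses (assumption, not from the article).
SLAPPER_FILES = [".bugtraq.c", ".uubugtraq", ".bugtraq",     # variant A
                 ".cinik.c", ".cinik",                        # variant B
                 ".unlock.c", ".unlock.uu", ".unlock"]        # variant C

_VER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_vulnerable(version_line):
    """True if the `openssl version` output predates 0.9.6e / 0.9.7-beta3 (AA-2002.06)."""
    m = _VER.search(version_line)
    if not m:
        raise ValueError("unrecognised openssl version output: %r" % version_line)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) < (0, 9, 6):
        return True                                  # 0.9.5a and older
    if (major, minor, patch) == (0, 9, 6):
        return letter < "e"                          # 0.9.6, 0.9.6a-d vulnerable; 0.9.6e fixed
    if (major, minor, patch) == (0, 9, 7):
        return beta is not None and int(beta) < 3    # 0.9.7-beta1/2 vulnerable; beta3 fixed
    return False


def slapper_udp_listeners(netstat_output):
    """Slapper ports with a bound UDP socket, parsed from `netstat -anu` text."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("udp"):
            continue                                  # header lines, TCP sockets
        port = parts[3].rsplit(":", 1)[-1]            # local address, e.g. 0.0.0.0:2002 or :::2002
        if port.isdigit() and int(port) in SLAPPER_UDP_PORTS:
            found.add(int(port))
    return sorted(found)


def slapper_artifacts(tmpdir="/tmp"):
    """Known worm file names present under tmpdir."""
    return [name for name in SLAPPER_FILES if os.path.exists(os.path.join(tmpdir, name))]


# Constructed `netstat -anu` sample showing a host running variant A's peer port.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:2002            0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""


def main():
    ver = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print("OpenSSL vulnerable to the July 2002 overflows:", openssl_vulnerable(ver))
    ns = subprocess.run(["netstat", "-anu"], capture_output=True, text=True).stdout
    print("Slapper UDP ports bound:", slapper_udp_listeners(ns) or "none")
    print("Slapper files in /tmp:", slapper_artifacts() or "none")


if __name__ == "__main__":
    main()
```

Treat the version check as a hint rather than a verdict: some distributions backported the July 2002 fixes into packages that still report an older version string, so the vendor's package version (and whether Apache links OpenSSL statically) must be checked as well, and a host that passes all three checks has only been shown free of these particular indicators, not proven clean.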

For information about how to recover from a system compromise, please refer to the article Steps for Recovering from a UNIX or NT System Compromise.

Reporting information about Slapper infections in Australia and New Zealand

AusCERT welcomes reports which provide details of compromised Australian and New Zealand sites, either directly from affected organisations or from third parties. AusCERT uses this information to gauge the level of impact of the worm within Australia and will use reports from third parties to inform affected Australian and New Zealand sites that their systems may be compromised. For further information, see How to report a computer/network security incident to AusCERT.


[1] SecurityFocus, ModapOpenSSL Worm Analysis, 16 September 2002, http://analyzer.securityfocus.com

[2] http://linuxworld.com.au/news.php3?nid=1857&tid=2

[3] E3 is a European standard for WAN connections used in Australia. E3 network connections have a capacity of 34.368 Mbps.

This paper was made available to non-members on 10 October 2002.