Defensive Measures on DDoS


Defensive Measures for DDoS
By Farhan Mirza
Contents
- Survey Topics
- Introduction
- Common Targets of DoS Attacks
- DoS Tools
- Defensive Measures & Their Vulnerabilities
- Honeypot for DDoS
- Honeypot Implementation
- Issues & Concerns
- Conclusion
Survey Topics
- Paper 1: Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures
- Paper 2: Honeypots for Distributed Denial of Service Attacks
Introduction
DoS attacks
- The "weapons of mass destruction" of the Internet: paralyze Internet systems with bogus traffic
- Ranked as the 4th major attack type in 2001 (Computer Crime and Security Survey report)
Attacks on Targets
- Attack tools are becoming more offensive
- They are more difficult to discover and filter
- Powerful automatic scanning that observes the target's vulnerabilities
- Methods used: TCP SYN, UDP and ICMP flooding, etc.
- Includes viruses and worms: the MS-SQL Server worm, Code Red, etc.
Code Red Worm Attack (figure)
Common Targets of DoS Attacks
- Bandwidth DoS attacks
- Memory DoS attacks
- Computation DoS attacks
Bandwidth DoS Attacks
- Target: bandwidth
- Example: Slammer (the MS-SQL Server worm)
- Self-propagating malicious code
- Exploits a buffer overrun in the SQL Server Resolution Service (UDP port 1434, MS02-039); a single small UDP packet infects a host and every infected host scans at full speed, so the damage was saturated links rather than exhausted memory or CPU
Memory DoS Attacks
- Target: memory
- Backscatter analysis (Moore et al.):
  - 94% of DoS attacks use TCP
  - 49% of attacks are TCP SYN floods targeting the three-way handshake
  - 2% use UDP
  - 2% use ICMP
Memory DoS Attacks (cont.)
- Every TCP connection establishment requires an allocated memory resource: the half-open (SYN_RECV) entry kept until the handshake completes
- A host allows only a limited number of concurrent half-open connections (the listen backlog)
- An attacker can disable the service by flooding it with connection requests from spoofed source addresses: the SYN-ACKs go to hosts that never answer, so the entries sit in the backlog until they time out and legitimate SYNs are refused
Computation DoS Attacks
- Target: computational resources
- Example: database query attacks, i.e. a sequence of queries that asks the DBMS to execute complex commands and overwhelms the CPU
Software Bugs & Exploits
- Exploit on 7xx routers: connecting over Telnet and typing a very long password
- Effects:
  - Reboots the router
  - Denies service to users for the duration of the reboot
Software Bugs & Exploits (cont.)
- Smurf DoS bug: an ICMP Echo Request is sent to a network's directed broadcast address with the victim's address spoofed as the source
- Effects:
  - Every machine on that subnet replies directly to the victim's address, so one request is amplified into many replies
  - Congestion of the victim's network connection
DoS Tools
- Trin00
- TFN (Tribe Flood Network)
- Stacheldraht ("barbed wire")
Trin00
- Distributed attack tool
- Installed on intermediate hosts by exploiting a buffer overrun bug
- Compiled on Linux and Solaris
- Generates UDP packet floods
- Target ports: 0 to 65534
TFN (Tribe Flood Network)
- Launches distributed denial-of-service attacks
- Installed on intermediate hosts, again via a buffer overrun bug
- Capable of ICMP floods, UDP floods, SYN floods and Smurf attacks
- Compiled on Linux and Solaris
Stacheldraht ("barbed wire")
- Combines features of Trin00 and TFN
- Produces ICMP flood, SYN flood, UDP flood and Smurf attacks
- ICMP, UDP and TCP SYN packets of up to 1024 bytes against multiple victim hosts
- TCP SYN packets are sent to random ports drawn from a selected range of port numbers
DDoS Pattern
1. Scanning of large address ranges for potentially vulnerable targets
2. Setting up a stolen account as a repository for the attack tools
3. Creation of a script to perform the exploit and report the results
4. Choice of a subset of suitable compromised servers from the list
5. Scripted, automated installation of the needed tools on the compromised servers
6. Optional installation of a rootkit to hide the compromise
Defensive Measures

System Self Defense
- Stop all unnecessary or non-essential system services and close their network ports
- Reduce the timeout period for simultaneous half-open connections, so backlog entries held by spoofed SYNs are recycled sooner

Vulnerability:
- Reconfiguration may delay, or even deny, legitimate access (a client whose handshake takes longer than the shortened timeout never connects)
- Can lead to an increase in resource usage
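The backlog exhaustion described under Memory DoS Attacks and the timeout trade-off described in this slide can be seen in a small simulation. The following is an added example written for this page, not code from the deck or from the papers it surveys; the backlog capacity, attack rate, client RTT and tick counts are constructed assumptions chosen to make the effect visible.

```python
"""Backlog simulation: added example, not from the original deck.

Models a TCP listen backlog under a spoofed SYN flood to show (a) why the
flood exhausts half-open state and (b) the trade-off of shortening the
half-open timeout. Capacity, rates, RTTs and tick counts are constructed
assumptions, not measurements."""


class Backlog:
    """Half-open (SYN_RECV) table with a fixed capacity and per-entry timeout."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # max concurrent half-open entries
        self.timeout = timeout        # ticks an entry lives without the final ACK
        self.entries = {}             # connection key -> expiry tick

    def expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def syn(self, key, now):
        """Accept a SYN into the backlog; False means the SYN was refused."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = now + self.timeout
        return True

    def ack(self, key, now):
        """Final ACK of the handshake; True only if the half-open entry still exists."""
        self.expire(now)
        return self.entries.pop(key, None) is not None


def simulate(capacity, timeout, attack_rate, client_rtt, ticks=200):
    """Run the flood for `ticks` ticks.

    Each tick: the attacker sends `attack_rate` SYNs from spoofed sources that
    never complete the handshake, then one legitimate client sends a SYN whose
    final ACK arrives `client_rtt` ticks later.
    Returns the fraction of legitimate SYNs refused and the fraction of
    legitimate handshakes that completed."""
    backlog = Backlog(capacity, timeout)
    sent = refused = completed = 0
    pending = {}                      # legit key -> tick its ACK arrives
    for now in range(ticks):
        for i in range(attack_rate):  # spoofed SYNs: nobody answers the SYN-ACK
            backlog.syn(("spoof", now, i), now)
        key = ("legit", now)
        sent += 1
        if backlog.syn(key, now):
            pending[key] = now + client_rtt
        else:
            refused += 1
        for k, due in list(pending.items()):   # deliver ACKs that are due
            if due <= now:
                if backlog.ack(k, now):
                    completed += 1
                del pending[k]
    return {"refused": refused / sent, "completed": completed / sent}


if __name__ == "__main__":
    # Long timeout: attacker SYNs accumulate (10 per tick * 50 ticks > 100 slots).
    print("timeout 50:", simulate(100, 50, 10, 2))
    # Short timeout: entries recycle fast enough that the backlog never fills.
    print("timeout 5: ", simulate(100, 5, 10, 2))
    # Timeout at or below the client RTT: the legitimate ACK arrives after the
    # entry was discarded, so the hardening itself denies service.
    print("timeout 2: ", simulate(100, 2, 10, 2))
```

With the 50-tick timeout the backlog fills within a few ticks and almost every legitimate SYN is refused; with a 5-tick timeout the flood never fills it; with a timeout equal to the client's handshake time the backlog stays empty but no client ever completes, which is the "deny legitimate access" failure mode the slide warns about.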
Packet Filtering
- Most popular defensive mechanism
- Selectively screens out suspicious or malicious packets
- Is itself a form of DoS: it works by deliberately dropping traffic
- Vulnerability:
  - If manipulated or abused, it is the most convenient way to accomplish a DoS attack; a filter rule that matches legitimate traffic denies service as effectively as a flood
Packet Filtering (cont.)
Types of packet filtering
- Egress/Ingress filtering
  - Manages the flow of traffic into and out of the network
  - Ingress: blocks incoming packets whose source address cannot legitimately arrive on that interface, i.e. spoofed sources (RFC 2827 / BCP 38)
  - Egress: manages the flow of traffic as it leaves a network, dropping packets whose source address is not the network's own
- Vulnerability:
  - Effective only when deployed at scale: a network's egress filter protects other networks from spoofing launched inside it, not the network itself, so coverage must be widespread before attackers lose the ability to spoof
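The three filtering rules discussed so far (ingress filtering of spoofed sources, egress filtering of outbound spoofing, and the directed-broadcast rule that stops a site being used as a Smurf amplifier) fit in one small decision function. The following is an added example written for this page, not code from the deck; the site prefix 203.0.113.0/24, the interface names and every packet in the sample are constructed assumptions using documentation address ranges.

```python
"""Edge packet filter: added example, not from the original deck.

Implements ingress filtering of spoofed sources on the outside interface
(the RFC 2827 / BCP 38 rule), egress filtering of packets that leave with a
foreign source, and dropping ICMP echo requests aimed at the directed
broadcast address (the Smurf amplifier). The site prefix and every packet
below are assumptions using documentation address ranges."""

import ipaddress

SITE = ipaddress.ip_network("203.0.113.0/24")   # assumed local prefix
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decide(pkt):
    """Return ('pass', '') or ('drop', reason) for one packet.

    pkt keys: iface ('outside' = arriving from the Internet, 'inside' = leaving
    the site), src, dst, proto, and icmp_type for ICMP (8 = echo request)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["iface"] == "outside":
        # Ingress: nothing arriving from outside may claim one of our own
        # addresses or an unroutable one; both are signatures of spoofing.
        if src in SITE:
            return "drop", "ingress: spoofed internal source"
        if any(src in net for net in BOGONS):
            return "drop", "ingress: bogon source"
        # Smurf: an echo request to our directed broadcast address would make
        # every host on the subnet answer the (spoofed) source.
        if (pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8
                and dst == SITE.broadcast_address):
            return "drop", "directed-broadcast echo request (smurf)"
    else:
        # Egress: a packet leaving with a foreign source means a host inside
        # is spoofing somebody else; stop it before it reaches the Internet.
        if src not in SITE:
            return "drop", "egress: source not in site prefix"
    return "pass", ""


def apply_filter(packets):
    """Run every packet through decide(); returns a list of (verdict, reason)."""
    return [decide(p) for p in packets]


# Constructed traffic sample (not captured data).
SAMPLE = [
    {"iface": "outside", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp"},
    {"iface": "outside", "src": "203.0.113.10", "dst": "203.0.113.10", "proto": "tcp"},
    {"iface": "outside", "src": "10.1.2.3", "dst": "203.0.113.10", "proto": "udp"},
    {"iface": "outside", "src": "198.51.100.7", "dst": "203.0.113.255",
     "proto": "icmp", "icmp_type": 8},
    {"iface": "outside", "src": "198.51.100.7", "dst": "203.0.113.10",
     "proto": "icmp", "icmp_type": 8},
    {"iface": "inside", "src": "203.0.113.20", "dst": "192.0.2.9", "proto": "tcp"},
    {"iface": "inside", "src": "192.0.2.99", "dst": "192.0.2.9", "proto": "tcp"},
]

if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE, apply_filter(SAMPLE)):
        print(f"{p['iface']:7} {p['src']:>14} -> {p['dst']:<14} {verdict} {why}")
```

Note that the egress rule in the last sample packet protects somebody else's network, not this one, which is the "effective only at scale" caveat above in concrete form: the packet is dropped only because this site chose to deploy the rule.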
Packet Filtering (cont.)
- Firewalls
  - Mechanism at the victim's network
  - Enable a form of protection against SYN flooding
  - Examine packets and maintain connection and state information for session traffic
  - Configured as a relay (completing the handshake on the server's behalf) or as a semi-transparent gateway
- Vulnerability:
  - Adds delay to every connection
  - A flood of 14k packets/sec can disable even specialized firewalls
IP Traceback
- Effective and aggressive way to terminate DoS attacks at their sources
- Vulnerability:
  - Doesn't locate the attacker if the attack is launched through reflectors: traceback ends at the reflector, which is only relaying spoofed requests
State Monitoring
- Uses software agents to continuously monitor TCP/IP traffic in a network
- RealSecure:
  - Monitors the local network for SYN packets that are not acknowledged within a period of time defined by the user
- Vulnerabilities:
  - Must maintain a tremendous amount of state to determine which packets are malicious, which consumes system resources
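The unacknowledged-SYN check attributed to RealSecure above is straightforward to run over a packet log. The following is an added example written for this page, not RealSecure's code or the deck's; the log format (one packet per line, client-side SYN, server-side SYN-ACK, client-side ACK) and the sample lines are constructed for the example.

```python
"""Half-open connection monitor: added example, not from the original deck.

Implements the check the slides attribute to RealSecure: watch SYN packets
and flag any handshake that has not been acknowledged within a user-defined
window, then group the stragglers by destination to spot a flood. The log
format and the lines below are constructed for the example."""

from collections import defaultdict

# "<seconds> <src_ip> <src_port> <dst_ip> <dst_port> <flags>"; flags S = SYN,
# SA = SYN-ACK (server -> client), A = final ACK. Constructed sample, not a capture.
SAMPLE_LOG = """\
0.00 198.51.100.7 40001 203.0.113.10 80 S
0.01 203.0.113.10 80 198.51.100.7 40001 SA
0.05 198.51.100.7 40001 203.0.113.10 80 A
0.10 192.0.2.1 1000 203.0.113.10 80 S
0.10 192.0.2.2 1000 203.0.113.10 80 S
0.10 192.0.2.3 1000 203.0.113.10 80 S
0.11 203.0.113.10 80 192.0.2.1 1000 SA
0.11 203.0.113.10 80 192.0.2.2 1000 SA
0.11 203.0.113.10 80 192.0.2.3 1000 SA
2.00 198.51.100.8 40002 203.0.113.10 80 S
"""


def parse(log_text):
    """Yield (time, client, server, flags) with the 4-tuple normalised so the
    client side is always first, whichever direction the packet travelled."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, sip, sport, dip, dport, flags = line.split()
        a, b = (sip, int(sport)), (dip, int(dport))
        if flags == "SA":           # server answers, so the client is the destination
            a, b = b, a
        yield float(t), a, b, flags


def half_open(log_text, window, now):
    """Return handshakes whose SYN is older than `window` seconds at `now` and
    still lacks the client's final ACK, as a sorted list of (client, server)."""
    state = {}                      # (client, server) -> {'syn': t, 'ack': t}
    for t, client, server, flags in parse(log_text):
        rec = state.setdefault((client, server), {})
        if flags == "S":
            rec.setdefault("syn", t)   # keep the first SYN time on retransmits
        elif flags == "A":
            rec["ack"] = t
    stale = [k for k, r in state.items()
             if "syn" in r and "ack" not in r and now - r["syn"] > window]
    return sorted(stale)


def by_server(stale):
    """Count stale half-open handshakes per (server_ip, port); many distinct
    clients against one server with one SYN each is the SYN-flood shape."""
    counts = defaultdict(int)
    for _client, server in stale:
        counts[server] += 1
    return dict(counts)


if __name__ == "__main__":
    stale = half_open(SAMPLE_LOG, window=1.0, now=2.5)
    for client, server in stale:
        print(f"half-open {client[0]}:{client[1]} -> {server[0]}:{server[1]}")
    print(by_server(stale))
```

The state dictionary grows with every SYN seen, acknowledged or not, until it is pruned; that is the resource cost the slide lists as the vulnerability of state monitoring, and under a spoofed flood the monitor's own table grows at the attacker's packet rate.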
Resource Allocation Control
- Prevents exhaustion of the victim's resources by limiting resource allocation and usage per user or service
- Class Based Queuing:
  - Configures different traffic priority queues and rules that determine which packets are put into which queue
- Vulnerability:
  - Under a DoS attack it cannot determine which packets belong to the same user or service for the purpose of sharing a quota or resource, since the attacker controls the source addresses
Congestion Control
Network congestion: a reduction in network throughput
- Pushback
  - Mechanism for defending against DDoS attacks
  - Identifies most of the malicious packets based on Aggregate-based Congestion Control (ACC): the router finds the aggregate (e.g. all traffic toward the victim's prefix) responsible for the congestion, rate-limits it and asks upstream routers to do the same
- Vulnerability:
  - Not an effective method for blocking bad traffic under a typical DDoS attack
  - Cannot differentiate good and bad traffic within the aggregate and drops both equally

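The "drops good and bad traffic equally" weakness of pushback follows directly from how the aggregate is chosen, and a simplified model of the ACC decision makes the collateral damage countable. The following is an added example written for this page, not the pushback implementation from the literature or the deck; the /24 aggregation, the flow records, the byte counts and the link capacity are constructed assumptions, and the `legit` label on each flow exists only for accounting after the fact (the router cannot see it).

```python
"""Aggregate-based congestion control: added example, not from the original deck.

A simplified model of the ACC/pushback decision: when offered load exceeds the
link, find the destination aggregate (/24 here) carrying the most traffic and
rate-limit it by the amount needed. The flows carry a 'legit' label purely for
accounting afterwards; the router cannot see it, which is exactly why
legitimate traffic inside the aggregate is dropped along with the flood.
Flows, byte counts and the link capacity are constructed assumptions."""

import ipaddress
from collections import defaultdict


def aggregate_of(dst, prefixlen=24):
    """Aggregate key for a destination address (the congested prefix)."""
    return str(ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False))


def pushback(flows, capacity):
    """flows: list of dicts with src, dst, bytes, legit. capacity: bytes the link
    can carry in the interval. Returns the chosen aggregate, the drop fraction
    applied to it, and the bytes dropped inside it split by the hidden label."""
    offered = sum(f["bytes"] for f in flows)
    if offered <= capacity:
        return {"aggregate": None, "drop_fraction": 0.0,
                "dropped_attack": 0.0, "dropped_legit": 0.0}
    per_agg = defaultdict(int)
    for f in flows:
        per_agg[aggregate_of(f["dst"])] += f["bytes"]
    target = max(per_agg, key=per_agg.get)        # highest-bandwidth aggregate
    excess = offered - capacity
    fraction = min(1.0, excess / per_agg[target])  # uniform drop inside the aggregate
    dropped = {"attack": 0.0, "legit": 0.0}
    for f in flows:
        if aggregate_of(f["dst"]) == target:
            dropped["legit" if f["legit"] else "attack"] += f["bytes"] * fraction
    return {"aggregate": target, "drop_fraction": fraction,
            "dropped_attack": dropped["attack"], "dropped_legit": dropped["legit"]}


# Constructed flow sample: five spoofed flood flows toward 203.0.113.10,
# one legitimate flow to a neighbour in the same /24, one to another network.
FLOWS = [
    {"src": f"198.51.100.{i}", "dst": "203.0.113.10", "bytes": 300, "legit": False}
    for i in range(1, 6)
] + [
    {"src": "192.0.2.40", "dst": "203.0.113.20", "bytes": 200, "legit": True},
    {"src": "192.0.2.41", "dst": "198.51.100.5", "bytes": 100, "legit": True},
]

if __name__ == "__main__":
    r = pushback(FLOWS, capacity=1000)
    print(f"rate-limit {r['aggregate']}: drop {r['drop_fraction']:.0%} of it")
    print(f"attack bytes dropped: {r['dropped_attack']:.0f}, "
          f"legitimate bytes dropped: {r['dropped_legit']:.0f} (collateral)")
```

The flow to the other network is untouched, but the legitimate neighbour inside the targeted /24 loses the same 47% of its bytes as the flood does: the aggregate is the only thing the router can identify, so it cannot protect good traffic that shares the aggregate.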
Active Networks
Programs can perform customized computations and manipulations on packets in the network
- Allow users to inject customized programs into the nodes of the network
- Active edge-tagging:
  - One example: the first-hop router tags the actual source IP address into the active network layer header of each incoming packet from its hosts, so the true origin survives spoofing
- Vulnerability:
  - Active networks pose serious security threats because they are designed to run executable code on remote hosts

Bandwidth Overhead of Defensive Measures (figure)
Memory Overhead of Defensive Measures (figure)
Computational Overhead of Defensive Measures (figure)
Attacks on Defensive Measures
Assumption vs. reality:
- Assumption: firewalls are invincible and have unlimited resources.
  Reality: firewalls are still limited, and they become a single point of failure or a bottleneck.
- Assumption: network congestion-control messages are delivered to their destination efficiently and successfully.
  Reality: control messages are dropped or lost during transmission.
- Assumption: defensive devices will not be targeted by the attacker.
  Reality: many defensive devices are themselves vulnerable to attack.
- Assumption: network devices are trustworthy, and control messages will not be tampered with, eavesdropped on or forged.
  Reality: control messages might be tampered with, eavesdropped on or forged.
Honeypot for DDoS
- Advantages of the system:
  - Defends the operational network with high probability against DDoS, including new variants
  - Traps the attacker and records the compromise to support legal action against the attacker
- Devised system:
  - Implemented to lure the hacker into believing he has successfully compromised the system
  - Learns the tactics, tools, methods and motives of an attacker in order to secure the system
Characterization
- Should be a replica of the operational system
- Consists of similar systems and applications
- Services such as Web, Mail, FTP and DNS should be accessible to the attacker
- Must be located in the DMZ
Local Network Protection
- Must be located in another zone protected by a firewall
- Encrypted transmission inside the LAN
- Clients run a trusted OS
- Services are managed by an indirect authentication method (Kerberos)
- Detection systems such as a host-based IDS and a vulnerability scanner must be running
Honeypot Implementation in Organization (figure)
View for an Attacker (figure)
Issues To Be Resolved
- The attack must be detectable
- Attack packets must be actively directed to the honeypot
- The honeypot must be able to simulate the organization's network infrastructure
Concerns & Issues
- Not a good idea in a real operational environment
- Requires expertise
- A small configuration mistake or loophole will create a disaster
- Difficult to distinguish a regular user from an attacker in most cases
- Uses a DDoS-signature type of method during authentication, which is not as effective, especially for first-time authentication
- Hard to identify the culprit when the attacker is using a compromised system
- VPN and PKI as proposed: how do the two environments work together?
Conclusion
- Like a game: attacking and defending networks
- Defensive measures are not always secure, and valuable data is at risk with small effort from the attacker
- Honeypot: a promising tool for luring the attacker behind a DDoS attack
- To secure our network, defensive measures backed by proper knowledge and expertise are required