Computer Security: Principles and Practice, 1/e


Computer Security: Principles and Practice
Chapter 8 – Denial of Service
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
1
Denial of Service
• denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space. -- NIST
• attacks
– network bandwidth
– system resources
– application resources
• have been an issue for some time
2
Classical “ping flooding” Denial of Service Attack
• use ping command (ICMP echo request)
• from higher capacity link to lower
• an attack on network bandwidth
• source of flood traffic can be easily identified
3
Source Address Spoofing
• use forged source addresses
– easy to create with “raw socket interface” of OS
• generate large volumes of packets with different, random, source addresses
• directed at target to cause congestion
• responses are scattered across Internet
• real source is much harder to identify by simply checking packet headers
4
Classical SYN Spoofing DoS Attack
• attacks the ability of a server to respond to future TCP connection requests
• overflows the tables used to manage TCP connections
• an attack on system resources
5
TCP Three-Way Connection Handshake
6
TCP SYN Spoofing Attack
• attacker often uses source addresses that will not respond to the SYN-ACK with a RST
– random source addresses
– source addresses of overloaded servers
• has much lower traffic volume
– attacker can be on a much lower capacity link
7
An illustration of Backscatter in Action
(Inferring Internet Denial-of-Service Activity, by David Moore, Geoffrey M. Voelker, and Stefan Savage, USENIX Security 2001)
Backscatter traffic can be monitored to analyze the type and scale of attacks being used
8
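The backscatter inference the slide describes, as an added example (not code from the slides or from the Moore et al. paper): unsolicited SYN-ACK/RST packets arriving at an unused "telescope" prefix are counted per source (the victim) and extrapolated to the victim's total spoofed-SYN rate. The telescope prefix, the packet records and the uniform-spoofing assumption are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed example: a "network telescope" is an unused /16 that receives no
# legitimate traffic, so any SYN-ACK or RST arriving there is a reply to a SYN that
# carried a spoofed source inside the block, i.e. backscatter from a victim.
TELESCOPE = ipaddress.ip_network("10.0.0.0/16")   # hypothetical monitored prefix
BACKSCATTER_FLAGS = {"SA", "R", "RA"}              # SYN-ACK, RST, RST-ACK
WINDOW_SECONDS = 60

# Constructed records: (source = suspected victim, destination, TCP flags)
OBSERVED = [
    ("192.0.2.10", "10.0.17.4", "SA"),
    ("192.0.2.10", "10.0.200.9", "SA"),
    ("192.0.2.10", "10.0.3.77", "RA"),
    ("198.51.100.5", "10.0.44.1", "R"),
    ("192.0.2.10", "10.0.8.8", "S"),      # plain SYN: a scan, not backscatter
    ("192.0.2.10", "172.16.0.1", "SA"),   # not addressed to the telescope; ignored
]


def backscatter_by_victim(records, telescope=TELESCOPE):
    """Count unsolicited reply packets per source; each source is a likely DoS victim."""
    counts = Counter()
    for src, dst, flags in records:
        if ipaddress.ip_address(dst) in telescope and flags in BACKSCATTER_FLAGS:
            counts[src] += 1
    return counts


def estimate_attack_rate(observed_packets, telescope=TELESCOPE, window=WINDOW_SECONDS):
    """Extrapolate the victim's total incoming spoofed-SYN rate in packets/s.

    Assumes (as the paper does) that sources are spoofed uniformly over IPv4, so the
    telescope sees the fraction telescope_size / 2**32 of all replies.
    """
    fraction = telescope.num_addresses / 2 ** 32
    return observed_packets / fraction / window


if __name__ == "__main__":
    for victim, n in backscatter_by_victim(OBSERVED).items():
        rate = estimate_attack_rate(n)
        print(f"{victim}: {n} backscatter pkts in {WINDOW_SECONDS}s -> ~{rate:.0f} SYN/s at victim")
```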
Types of Flooding Attacks
• Overload the network capacity on some link to a server
• ICMP Flooding
– uses ICMP packets, e.g., echo request
– typically allowed through (e.g., ping), some required (e.g., destination unreachable, time exceeded)
• UDP Flooding
– uses UDP packets directed to ports of some services
• TCP SYN Flooding
– use TCP SYN (connection request) packets
– but with a much larger volume of traffic
9
Distributed Denial of Service Attacks (DDoS)
• have limited volume if single source used
• multiple systems allow much higher traffic volumes to form a DDoS attack
• often compromised PCs / workstations
– zombies with backdoor programs installed
– forming a botnet
• e.g. Tribe Flood Network (TFN) tool, TFN2K
10
Structure of a DDoS Attack
11
Reflection Attacks
• use normal behavior of network
• attacker sends packet with
– spoofed source address being that of an actual attack target
– destination address being that of a normal server (reflector)
• server response is directed at target
• if many requests are sent to multiple reflectors, the responses can flood the target
• various protocols, e.g. ICMP, UDP or TCP/SYN, …
• ideally want response larger than request
• harder to trace back, harder to quantify
• prevented if source-spoofed packets are blocked
12
Structure of a Reflection Attack
(An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, by Vern Paxson, ACM SIGCOMM Computer Communication Review, vol. 31, no. 3, pp. 38-47, July 2001)
13
Amplification Attacks
14
DNS Amplification Attacks
• use DNS requests with spoofed source address being the target
• exploit DNS behavior to convert a small request to a much larger response
– 60-byte request to 512-4000-byte response
• attacker sends requests to multiple well-connected servers, which flood the link to the target
– need only moderate flow of request packets
– DNS servers will also be loaded
15
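To make the amplification ratio and one server-side mitigation concrete, here is an added example (not from the slides): it computes the response/request byte ratio for the sizes the slide quotes and runs a simplified response-rate limiter of the kind open resolvers use, which answers an over-budget client with a truncated reply instead of the full one. The resolver log, the byte budget and the client addresses are constructed.

```python
from collections import defaultdict, deque

# Constructed resolver log: (time s, client address, request bytes, response bytes).
# 198.51.100.7 is the spoofed address of the attack target; 192.0.2.20 is a genuine client.
LOG = [
    (0.0, "198.51.100.7", 60, 3200),
    (0.2, "198.51.100.7", 60, 3200),
    (0.4, "198.51.100.7", 60, 3200),
    (0.5, "192.0.2.20", 45, 512),
    (0.6, "198.51.100.7", 60, 3200),
    (0.8, "198.51.100.7", 60, 3200),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes the resolver sends toward the (spoofed) source per byte the attacker sends."""
    return response_bytes / request_bytes


class ResponseRateLimiter:
    """Per-client sliding-window budget on response bytes (simplified RRL-style scheme).

    Over budget, the server sends a tiny truncated reply (TC=1) instead of the full
    response: a genuine client simply retries over TCP, while a spoofed source
    receives nothing worth amplifying.
    """

    def __init__(self, byte_limit, window_s):
        self.byte_limit = byte_limit
        self.window_s = window_s
        self.history = defaultdict(deque)   # client -> deque of (time, bytes sent)

    def decide(self, now, client, response_bytes):
        sent = self.history[client]
        while sent and now - sent[0][0] > self.window_s:
            sent.popleft()                   # expire entries outside the window
        used = sum(b for _, b in sent)
        if used + response_bytes > self.byte_limit:
            return "truncate"
        sent.append((now, response_bytes))
        return "send"


def replay(log, limiter):
    """Apply the limiter to each logged query in order and return the decisions."""
    return [limiter.decide(t, client, resp) for t, client, _, resp in log]


if __name__ == "__main__":
    print(f"amplification: {amplification_factor(60, 3200):.1f}x")
    print(replay(LOG, ResponseRateLimiter(byte_limit=10_000, window_s=1.0)))
```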
DoS Attack Defenses
• high traffic volumes may be legitimate
– result of high publicity
– results of expected/unexpected flash events (flash crowds) (Jaeyeon Jung et al., “Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites”, WWW 2002)
• three lines of defense against (D)DoS:
– attack prevention and preemption
– attack detection and filtering
– attack source traceback and identification
16
Attack Prevention
• block spoofed source addresses
– RFC 2827 egress filtering
– on routers as close to source as possible
– still far too rarely implemented
• rate controls in upstream distribution nets
– on specific packet types
– e.g. some ICMP, some UDP, TCP/SYN
• use modified TCP connection handling
– use SYN cookies when table full
– or selective or random drop when table full
17
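The "SYN cookies when table full" defense, as an added example (not code from the slides): instead of storing a half-open connection for every SYN, the server encodes a time counter, the client's MSS and a keyed hash of the connection 4-tuple into the SYN-ACK sequence number, and only allocates state when a final ACK echoes back a valid cookie. The secret key, MSS table and field layout are assumptions chosen for illustration (the layout follows the classic 5/3/24-bit split).

```python
import hashlib
import hmac

# Hypothetical per-boot server secret; a real kernel draws this from its RNG.
SECRET = b"constructed-secret-not-for-production"
MSS_TABLE = [536, 1220, 1440, 1460]   # the MSS values the 3-bit field can encode


def _mac(saddr, sport, daddr, dport, t, secret=SECRET):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now):
    """Build the 32-bit SYN-ACK sequence number: 5-bit time counter (64 s units),
    3-bit MSS index, 24-bit MAC. Nothing is stored for the half-open connection."""
    t = (now // 64) & 31
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:          # largest table entry not above the client's MSS
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _mac(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, cookie, now):
    """Validate the cookie echoed back as ack-1 on the final ACK.
    Returns the negotiated MSS, or None if the cookie is forged or too old."""
    t = cookie >> 27
    age = (((now // 64) & 31) - t) % 32
    if age > 1:                        # older than about two minutes: reject
        return None
    if (cookie & 0xFFFFFF) != _mac(saddr, sport, daddr, dport, t):
        return None                    # wrong 4-tuple, wrong key, or tampered
    return MSS_TABLE[(cookie >> 24) & 7]


def handshake(saddr, sport, daddr, dport, client_mss, now):
    """Simulate SYN -> SYN-ACK(seq=cookie) -> ACK(ack=cookie+1) with a stateless server."""
    synack_seq = make_cookie(saddr, sport, daddr, dport, client_mss, now)
    ack = (synack_seq + 1) & 0xFFFFFFFF
    return check_cookie(saddr, sport, daddr, dport, (ack - 1) & 0xFFFFFFFF, now)
```

A spoofed SYN never produces the final ACK, so it costs the server no table entry; the cost is a hash per SYN and per ACK rather than memory.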
Attack Prevention Cont.
• block IP directed broadcasts
• block suspicious services & combinations
• use CAPTCHA to tell computers and humans apart
• good general system security practices
– IPS, IDS
– detect and notify abnormal traffic patterns
• use mirrored and replicated servers when high performance and reliability required
18
Responding to Attacks
• a good incident response plan
• identify type of attack
– capture and analyze packets
– design filters to block attack traffic
– or identify and correct system/application bug
• have ISP trace packet flow back to source
– may be difficult and time consuming
– necessary if legal action desired
• implement contingency plan
• update incident response plan
19
(D)DoS Attack Research Examples
• David Moore et al., “Inferring Internet Denial-of-Service Activity”, USENIX Security 2001
• Vern Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”, SIGCOMM 2001
• Jaeyeon Jung et al., “Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites”, WWW 2002
• Cheng Jin et al., “Hop-count filtering: an effective defense against spoofed DDoS traffic”, CCS 2003
20
(D)DoS Attack Research Examples Cont.
• Abraham Yaar et al., “Pi: a path identification mechanism to defend against DDoS attacks”, IEEE S&P 2003
• Srikanth Kandula et al., “Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds”, NSDI 2005
• Michael Walfish et al., “DDoS defense by offense”, SIGCOMM 2006
• Vinh The Lam et al., “Puppetnets: misusing web browsers as a distributed attack infrastructure”, CCS 2006
• Marti Motoyama et al., “Re: CAPTCHAs—Understanding CAPTCHA-Solving Services in an Economic Context”, USENIX Security 2010
21
Summary
• introduced denial of service (DoS) attacks
• classic flooding and SYN spoofing attacks
• ICMP, UDP, TCP SYN floods
• distributed denial of service (DDoS) attacks
• reflection and amplification attacks
• defenses against DoS attacks
• responding to DoS attacks
22