Transcript Lecture 17

Network Denial of Service Attacks
Advanced Network Security
Peter Reiher
August, 2014
Advanced Network Security
Lecture 17
Page 1
Outline
• Denial of service in networks
– Basic methods
• Non-distributed denial of service attacks
Denial of Service Attacks
• Unlike other forms of hacking, the goal isn’t access
• Or theft of information or services
• The goal is to stop your service from operating
– To deny service to legitimate users
• Generally temporarily
– Usually during duration of attack
Attacker Motivations
• Sometimes extortion
• Sometimes political in nature
• Sometimes personal feuds
• Sometimes as distractions
• Many other possible motivations
How Can Service Be Denied?
• Lots of ways
– Crash your machine
– Crash routers on the path to your machine
– Fool a protocol into behaving badly
– Use up a key machine resource
– Use up a key network resource
• Using up resources is the most common approach
What Resources Can Be Used Up?
• Network bandwidth
• Processing power
• RAM
• Network stack resources
– E.g., records of open connections
• Operating system or application resources
– E.g., entries in a hash table
Simple Denial of Service Attacks
• One machine tries to overload another machine
• E.g., send more packets than the target can handle
• There is a fundamental problem for the attacker:
– The attack machine must be “more powerful” than the target machine
– Otherwise, the attack machine can’t generate enough packets
• The target machine might be a powerful server
• Can one typical client machine generate enough work to overcome a powerful server?
A Flooding Attack
[Diagram: a single attacking machine sends a stream of packets at the target. Callout: But does it actually deny service here?]
The Problem With This Attack
• The attacking computer is usually a home machine or office workstation
• Maybe it’s got outgoing bandwidth of 10 Mbps
• The target is usually a server
• Maybe it’s got incoming bandwidth of 1 Gbps
• The target barely notices the attack
“Solving” This Problem
• How can an attacker overwhelm a machine with more resources than his?
• Two possibilities:
– Find a way to make the target pay more per message than the attacker
– Use more than one machine to attack
Solution 1: Make The Target Pay More
• Usually the attacker’s limited resource is bandwidth
– Sometimes processor power
• Try to attack some other resource
– Using small amount of bandwidth to use a lot of this resource
• Another option: a reflector attack
Denial of Service and Asymmetry
• Sometimes generating a request is cheaper than formulating a response
• If so, one attack machine can generate a lot of requests
• And effectively multiply its power
• E.g., send random garbage packets to a machine expecting encrypted packets
• Not always possible to achieve this asymmetry
• But often can be done
An Example: SYN Flood
• TCP is connection-oriented
• Endpoints must keep information about current TCP connections
– To detect packet loss
– For flow control and congestion management
• Typically kept in a table
• Of fixed size . . .
[Callout: So attack this table, not the bandwidth!]
The TCP Open Connection Table
• Designed to support many TCP connections at a time
– E.g., for high volume web server
• One entry per connection
• Reuse an entry once the connection ends
• Some legitimate connections will be slow
– So must not discard seemingly inactive connection too soon
• But some legitimate connections will be dropped
– Eventually get rid of unused open connection
The Basic Attack
• Attacker uses initial request/response to start TCP sessions
• Then he abandons them
• Target keeps them open for a while
• Filling up the server’s open connection table
• Preventing new real TCP sessions
Why Is This Better Than Simple Flooding?
• You can reserve a connection table slot with one short message
• The slot will be used for a significant period of time
– Even if you never make progress
• Provides attacker with good asymmetry
Normal SYN Behavior
[Diagram: client sends SYN; server answers SYN/ACK and records the connection in its table of open TCP connections; client completes the handshake with ACK.]
A SYN Flood
[Diagram: attacker sends SYN after SYN; the server answers each with SYN/ACK and holds an entry in its table of open TCP connections until the table is full. Callout: Server can’t fill request!]
Why Doesn’t the Attacker Send an ACK?
• The attacker could send the second message (the ACK)
– Then send no more messages
• Why wouldn’t he do that?
• Two reasons:
– Can you figure out what they are?
How To Defend?
• Don’t let the attacker take too many open connection slots
– Maybe restrict to three or four per IP address
• Doesn’t help if attacker has a lot of machines
• Doesn’t help if attacker spoofs IP address
Another Defensive Option
• Drop unused connections more aggressively
– So half-open connections don’t waste the resource as long
• Bad impact for slow legitimate clients
• Only requires slight speed-up by attacker
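The basic attack (slide 15) and the first two defensive options (slides 20 and 21) can be tried out on a small model of the server’s half-open connection table. The following Python simulation is an added example, not code from the lecture: it keeps a fixed-size table of SYNs that were answered with a SYN/ACK but never completed, and lets you switch on a per-IP cap and an expiry timeout. Times are integer milliseconds; the attacker addresses, send rates, table size of 1024 slots and the legitimate client address are all constructed for the example, and nothing is sent on a network.

```python
"""Simulation of a fixed-size table of half-open TCP connections under a SYN
flood, with two of the defences from the slides: a cap on half-open entries
per source IP address and a timeout after which abandoned entries are
reclaimed. Times are integer milliseconds; the attacker addresses, rates and
table size are constructed for the example and nothing is sent on a network."""


class HalfOpenTable:
    """Server-side table of connections that received a SYN and were answered
    with a SYN/ACK, but whose final ACK has not arrived."""

    def __init__(self, capacity, timeout_ms, per_ip_limit=None):
        self.capacity = capacity          # fixed number of slots
        self.timeout_ms = timeout_ms      # how long an unanswered SYN holds a slot
        self.per_ip_limit = per_ip_limit  # None disables the per-address cap
        self.entries = {}                 # (ip, port) -> arrival time, oldest first
        self.per_ip = {}                  # ip -> slots currently held by that ip
        self.rejected = 0                 # SYNs that got no slot

    def _remove(self, key):
        del self.entries[key]
        ip = key[0]
        self.per_ip[ip] -= 1
        if self.per_ip[ip] == 0:
            del self.per_ip[ip]

    def expire(self, now):
        """Reclaim slots whose SYN was never completed within the timeout.
        Arrivals are processed in time order, so the oldest entry is first."""
        while self.entries:
            key, arrived = next(iter(self.entries.items()))
            if now - arrived < self.timeout_ms:
                break
            self._remove(key)

    def on_syn(self, ip, port, now):
        """Handle one SYN; return True if a slot was reserved for it."""
        self.expire(now)
        if self.per_ip_limit is not None and self.per_ip.get(ip, 0) >= self.per_ip_limit:
            self.rejected += 1
            return False
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[(ip, port)] = now
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        return True

    def on_ack(self, ip, port):
        """Third handshake message: the entry leaves the half-open table."""
        if (ip, port) not in self.entries:
            return False
        self._remove((ip, port))
        return True


def run_flood(capacity, timeout_ms, per_ip_limit, attacker_ips,
              syn_interval_ms, duration_ms, legit_at_ms):
    """Every syn_interval_ms each attacker address sends one SYN that it never
    follows up with an ACK, for duration_ms. Then one legitimate client (a
    constructed address) sends a SYN at legit_at_ms, between two attacker SYNs.
    Returns (legit_client_got_slot, entries_in_table, attacker_syns_rejected)."""
    table = HalfOpenTable(capacity, timeout_ms, per_ip_limit)
    port = 1024                            # distinct source port per attacker SYN
    for now in range(0, duration_ms, syn_interval_ms):
        for ip in attacker_ips:
            table.on_syn(ip, port, now)    # SYN/ACK goes out; no ACK ever returns
            port += 1
    attacker_rejected = table.rejected
    legit_ok = table.on_syn("192.0.2.10", 40000, legit_at_ms)
    return legit_ok, len(table.entries), attacker_rejected


if __name__ == "__main__":
    one = ["203.0.113.5"]                 # single attacking machine, 100 SYN/s
    many = [f"10.0.{i // 256}.{i % 256}" for i in range(300)]   # 300 machines
    print("no defence        :", run_flood(1024, 60000, None, one, 10, 30000, 29997))
    print("cap 4 per IP      :", run_flood(1024, 60000, 4, one, 10, 30000, 29997))
    print("cap 4, 300 sources:", run_flood(1024, 60000, 4, many, 10, 1000, 997))
    print("5 s timeout       :", run_flood(1024, 5000, None, one, 10, 30000, 29997))
    print("5 s, 250 SYN/s    :", run_flood(1024, 5000, None, one, 4, 30000, 29997))
```

The five runs reproduce the slides’ points: with a 60 s timeout a single 100 SYN/s source fills 1024 slots in about ten seconds and the legitimate client is refused; a cap of four slots per address stops that one source but not 300 sources; a 5 s timeout keeps the same 100 SYN/s source down to roughly 500 live entries, yet the attacker only has to go to 250 SYN/s to fill the table again.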
A Third Defensive Option
• Preferred clients
• Save most of your slots for their known good IP addresses
• If attacker uses up the rest, doesn’t impact your core clients
• Often not an option
• Problematic in face of IP spoofing
A Fourth Defensive Option
• Increase the attacker’s cost
• Make him pay something for getting the open connection table entry
• If the cost is high enough, he can’t afford to fill my table
• What “currency” can we make him pay in, though?
Some Constraints on This Option
• We can’t change the TCP protocol
– A common theme when trying to protect the Internet
– You can never change a widely deployed protocol
• We can’t expect users to change the software on their machines
• We can’t save information about connection requests
SYN Cookies
[Diagram: the client’s SYN arrives when there is no room in the table, so the server sends back a SYN cookie instead. The SYN/ACK sequence number is a secret function of various information: client IP address & port, server’s IP address and port, and a timer. When the client’s ACK arrives, the server recalculates the cookie to determine if it is the proper response.]
KEY POINT: Server doesn’t need to save cookie value! And no changes to TCP protocol itself.
Good Aspects of This Approach
• Doesn’t change TCP protocol
• Doesn’t require clients to do anything they would not usually do
• Doesn’t require server to save any information
• Can be turned on and off easily
• We would like many network security solutions to be like this one
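The SYN cookie scheme of slides 25 and 26 is short enough to write out in full. The Python below is an added example, not code from the lecture or from any real TCP stack: it computes the SYN/ACK sequence number as a keyed hash over the client address and port, the server address and port, and a coarse timer tick, and then verifies the client’s ACK by recomputing it, so the server holds no state for a half-open connection. HMAC-SHA256 stands in for the slide’s unspecified “secret function”; the key, the 64-second timer granularity, the 5/27-bit split of the sequence number and all addresses are constructed for the example, and the MSS encoding that real implementations add is left out.

```python
"""Stateless SYN cookies, as sketched on the slides: the SYN/ACK sequence
number is a secret function of the client's IP address and port, the server's
IP address and port, and a timer, so the server stores nothing for a half-open
connection and recomputes the value when the ACK arrives. The key, the timer
granularity and the addresses are constructed for the example; real stacks
also pack the negotiated MSS into the cookie, which is omitted here."""
import hashlib
import hmac

SECRET = b"constructed-example-key"   # a real server draws this at random at boot
TIMER_PERIOD = 64                     # seconds per timer tick (constructed)
MAX_AGE_TICKS = 1                     # accept the current tick and the previous one
TICK_BITS, HASH_BITS = 5, 27          # layout of the 32-bit sequence number
HASH_MASK = (1 << HASH_BITS) - 1
TICK_MASK = (1 << TICK_BITS) - 1


def _keyed_hash(client_ip, client_port, server_ip, server_port, tick):
    """27-bit keyed hash over the four-tuple and the timer tick."""
    msg = f"{client_ip}:{client_port}|{server_ip}:{server_port}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(client_ip, client_port, server_ip, server_port, now):
    """Initial sequence number for the SYN/ACK: timer tick in the top 5 bits,
    keyed hash in the low 27 bits. Nothing is stored on the server."""
    tick = (now // TIMER_PERIOD) & TICK_MASK
    return (tick << HASH_BITS) | _keyed_hash(client_ip, client_port, server_ip, server_port, tick)


def check_cookie(client_ip, client_port, server_ip, server_port, ack_num, now):
    """The client's ACK acknowledges cookie + 1. Recover the tick, reject stale
    cookies, then recompute the hash and compare in constant time."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick = cookie >> HASH_BITS
    current = (now // TIMER_PERIOD) & TICK_MASK
    if (current - tick) & TICK_MASK > MAX_AGE_TICKS:
        return False
    expected = _keyed_hash(client_ip, client_port, server_ip, server_port, tick)
    return hmac.compare_digest(expected.to_bytes(4, "big"),
                               (cookie & HASH_MASK).to_bytes(4, "big"))


class StatelessSynServer:
    """Completes handshakes without keeping an entry per SYN."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = []             # state exists only after a valid ACK

    def on_syn(self, client_ip, client_port, now):
        # Answer with a SYN/ACK whose sequence number is the cookie; remember nothing
        return make_cookie(client_ip, client_port, self.ip, self.port, now)

    def on_ack(self, client_ip, client_port, ack_num, now):
        ok = check_cookie(client_ip, client_port, self.ip, self.port, ack_num, now)
        if ok:
            self.established.append((client_ip, client_port))
        return ok


def demo():
    """A flood of abandoned SYNs leaves no state; a real client still connects;
    a stale cookie and a cookie presented from the wrong port are refused.
    Returns (established_after_flood, legit_ok, stale_ok, wrong_port_ok)."""
    srv = StatelessSynServer("192.0.2.1", 443)
    for i in range(10000):                          # constructed flood, never ACKed
        srv.on_syn("203.0.113.5", 1024 + i, now=1000)
    after_flood = len(srv.established)
    isn = srv.on_syn("192.0.2.10", 40000, now=1000)
    legit_ok = srv.on_ack("192.0.2.10", 40000, isn + 1, now=1010)
    stale_ok = srv.on_ack("192.0.2.10", 40000, isn + 1, now=1000 + 3 * TIMER_PERIOD)
    wrong_port_ok = srv.on_ack("192.0.2.10", 40001, isn + 1, now=1010)
    return after_flood, legit_ok, stale_ok, wrong_port_ok


if __name__ == "__main__":
    print(demo())   # (0, True, False, False)
```

The timer tick is what bounds the lifetime of a cookie without the server remembering when it was issued, and the keyed hash is what prevents a client from fabricating an ACK for a handshake it never started; both properties come from the four-tuple and the tick being inputs the server can recompute from the ACK alone, which is exactly why nothing needs to be saved.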
General Single Machine Denial of Service
• Usually dangerous only if there is an asymmetry in resource use
• Usually easy to defeat if you figure out what site is doing it
– Just drop all packets from that site
• Not typically a major threat on the Internet
Denial of Service as a Distraction
• Attackers sometimes perform denial of service attacks just to distract
• Sysadmins will be occupied dealing with them
• While attackers do their real work somewhere else
• As defender, be aware that this could happen
Conclusion
• Denial of service attacks availability
– Sometimes used for other purposes
• Most often based on exhausting a resource at the victim
– Any resource is a possible target
• Defense mechanisms must operate well with ordinary behaviors