Denial of Service Attacks


Denial of Service Attacks
Simulating Strategic Firewall Placement
By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt
Denial of Service Attacks


A distributed denial of service (DDoS) attack floods a company's Internet connection, from many sources at once, with more traffic than the connection can carry.
Once the connection is saturated, legitimate traffic is crowded out and the company can no longer function on the Internet.
Denial of Service Attacks


Banks, academic institutions,
and small businesses have
become dependent on the
Internet for even the most
fundamental of daily functions.
Therefore, the cost of a
disruption in service and the
subsequent recovery can be
truly enormous.
Denial of Service Attacks



Distributed Denial of Service attacks are among the most difficult security threats to defend against.
Network administrators typically cannot stop a DDoS attack on their own: the flood saturates the access link before it reaches any equipment they control, so they have to ask the ISP to filter it upstream.
Until the attack is stopped, the network stays overloaded and is effectively shut down.
Denial of Service Attacks



An attacker who has compromised a large number of machines can direct all of them to flood a targeted server.
Because the packets come from those intermediate hosts, often with spoofed source addresses, tracing the attack back to the person behind it is very difficult.
Once the targeted server is flooded it stops responding, so even the organization's legitimate traffic is cut off.
Physical Layout


The ISP's router and the company network it serves are usually far apart, so the ISP typically runs that span over cheaper, lower-bandwidth cable.
This span is normally the slowest part of the connection, and it is called the "bottleneck".
Bottleneck


To take down the company's connection, an attacker only has to saturate this relatively slow span of the line.
To withstand a DDoS attack, therefore, illegitimate traffic must be dropped before it reaches the bottleneck.
[Figure: normal connection. ISP router -> cable connection (bottleneck) -> firewall (bad traffic stopped here) -> company network]
Strategic Firewall Placement


In the strategic firewall placement method, the company's firewall is installed on the ISP's premises, next to the ISP router.
The line from the ISP router to the firewall is then very short, so a much higher-bandwidth link (for example Ethernet) can be used for it at very little extra cost.
The bottleneck line now sits behind the firewall.
Strategic Firewall Placement
[Figure: strategic firewall placement. ISP router -> Ethernet connection -> firewall (bad traffic stopped here) -> bottleneck connection -> company network]
Strategic Firewall Placement


The firewall remains under the company's control.
The company can therefore decide exactly which traffic is allowed onto the bottleneck part of the connection.
Strategic Firewall Placement


Attack packets are dropped before they can reach the bottleneck.
An attacker can still attempt a denial of service, but now has to saturate the high-bandwidth link in front of the firewall rather than the slow bottleneck line, which takes far more attack bandwidth.
Strategic Firewall Placement



In the old setup, to thwart a DDoS attack the company had to call the ISP and tell them which kinds of packets to filter.
The company's Internet connection remained inoperative until the ISP completed the request.
When the company controls the firewall, as in strategic firewall placement, it can filter unwanted packets itself, almost immediately.
Additional Requirements

Moving the firewall helps, but to protect fully against DDoS attacks the company also has to change the way its firewall handles inbound TCP connection requests.
Default Deny



The changes concern how the company's firewall handles inbound TCP connections.
When a client wants to connect to the company's server, it sends a TCP packet with the SYN flag set, requesting a connection.
Normally the server replies with a SYN/ACK packet, and the client completes the three-way handshake with an ACK; only then is the connection established.
Default Deny


If every TCP SYN packet is allowed through to the company's server, attackers can still flood the server with SYNs, each of which makes the server set aside a half-open connection, and overload it.
Instead, the firewall answers the SYN itself with a SYN/ACK packet that only looks as if it came from the company's server; the server sees nothing until the client has completed the handshake with the firewall.
[Figure: the firewall answers every TCP/SYN with a SYN/ACK. 1, 3 and 4: spoofed TCP/SYN, SYN/ACK sent, connection blocked. 2: real TCP/SYN, SYN/ACK sent, connection allowed through to the server.]
Default Deny


Once the firewall has sent the SYN/ACK, it only admits the connection if the final ACK comes back from the IP address that sent the original TCP SYN and acknowledges the sequence number the firewall chose.
The SYN/ACK is delivered to that address, so an attacker has to actually control it, and be able to receive packets there, to get a connection through to the company.
Default Deny



This defeats the use of "spoofed" IP addresses against the server.
Spoofing lets an attacker send connection requests that appear to come from IP addresses he is not actually using.
Because a spoofed SYN can never be completed, the default deny policy stops attackers from flooding the server with connection requests from many spoofed addresses at once.
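The behaviour the Default Deny slides describe, a firewall that answers SYNs on the server's behalf and only lets a connection through once the real sender completes the handshake, is what is usually implemented as a SYN proxy. The following is an added example, not code from the presentation or its authors. The packet model, the field names and the cookie layout are assumptions; in particular the presentation does not say whether the firewall keeps per-SYN state, and this version uses SYN cookies (an HMAC-derived sequence number) so that it keeps none, which is what lets it absorb a flood without filling a table.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: a per-firewall secret. A real deployment rotates it; here it is
# generated once per process.
SECRET = os.urandom(32)
SLOT_SECONDS = 64   # a cookie issued in one slot is accepted in that slot and the next


@dataclass
class Packet:
    """Only the TCP/IP header fields the proxy needs (hypothetical, simplified model)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK", "ACK", "PSH/ACK", ...
    seq: int = 0
    ack: int = 0


def _mac24(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed MAC over the connection 4-tuple, the client's ISN and the time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(syn, now):
    """ISN the firewall puts in its SYN/ACK: top 8 bits = time slot, low 24 bits = MAC."""
    slot = int(now) // SLOT_SECONDS
    return ((slot & 0xFF) << 24) | _mac24(syn.src, syn.sport, syn.dst, syn.dport, syn.seq, slot)


def cookie_valid(ack_pkt, now):
    """The client's final ACK must acknowledge cookie+1 and carry client_isn+1 as its seq."""
    cookie = (ack_pkt.ack - 1) & 0xFFFFFFFF
    client_isn = (ack_pkt.seq - 1) & 0xFFFFFFFF
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):
        if (slot & 0xFF) != cookie >> 24:
            continue
        expected = _mac24(ack_pkt.src, ack_pkt.sport, ack_pkt.dst, ack_pkt.dport, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return True
    return False


class SynProxyFirewall:
    """Default-deny stance: nothing reaches the server until the sender proves it
    can receive packets at its claimed source address."""

    def __init__(self):
        self.verified = set()   # 4-tuples that completed the handshake
        self.replies = []       # SYN/ACKs sent on the server's behalf
        self.forwarded = []     # packets passed through to the protected server

    def handle(self, pkt, now):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            # Answer on the server's behalf and keep no state: the cookie is the state.
            self.replies.append(Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN/ACK",
                                       seq=make_cookie(pkt, now),
                                       ack=(pkt.seq + 1) & 0xFFFFFFFF))
            return "synack-sent"
        if key in self.verified:
            self.forwarded.append(pkt)
            return "forward"
        if pkt.flags == "ACK" and cookie_valid(pkt, now):
            # Handshake completed from the real address; a production proxy would now
            # open its own handshake to the server and splice the two halves together.
            self.verified.add(key)
            self.forwarded.append(pkt)
            return "forward"
        return "drop"


def demo(now=1_000_000):
    """Constructed traffic: a SYN flood from spoofed sources, then one real client."""
    fw = SynProxyFirewall()
    server = ("203.0.113.10", 80)
    # 1000 SYNs with spoofed sources: the SYN/ACKs go to addresses the attacker does
    # not control, so no valid ACK ever comes back and nothing reaches the server.
    for i in range(1000):
        fw.handle(Packet(f"198.51.100.{i % 254 + 1}", 40000 + i, *server, "SYN", seq=i * 7919), now)
    # A real client sees the SYN/ACK and echoes cookie+1 as its ACK number.
    syn = Packet("192.0.2.5", 51000, *server, "SYN", seq=123456)
    fw.handle(syn, now)
    synack = fw.replies[-1]
    ack = Packet("192.0.2.5", 51000, *server, "ACK",
                 seq=syn.seq + 1, ack=(synack.seq + 1) & 0xFFFFFFFF)
    ack_action = fw.handle(ack, now + 10)
    data_action = fw.handle(Packet("192.0.2.5", 51000, *server, "PSH/ACK",
                                   seq=syn.seq + 1, ack=ack.ack), now + 11)
    # An attacker that never saw a SYN/ACK has to guess the 32-bit cookie.
    forged = fw.handle(Packet("198.51.100.9", 40008, *server, "ACK",
                              seq=8 * 7919 + 1, ack=0xDEADBEEF), now + 12)
    return {"synacks": len(fw.replies), "forwarded": len(fw.forwarded),
            "ack": ack_action, "data": data_action, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` sends 1001 SYN/ACKs but forwards only the two packets from the client that completed the handshake; the thousand spoofed SYNs cost the firewall one HMAC each and no memory, which is the point of answering them with a cookie rather than a table entry.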
Firewall Capabilities



Maintaining these policies can demand a lot of processing from the firewall, and a single firewall may not be able to handle the whole job itself.
The firewall's processing work can be spread across multiple machines if necessary, with those machines feeding directly into the firewall.
Simulation of Strategic Firewall
Placement



The NS-2 network simulator was used to simulate DDoS traffic.
Red: legitimate packets.
Blue: DDoS attack packets.
Simulation of Strategic Firewall
Placement
[Figure: simulation topology. DDoS attack source and legitimate traffic source -> router -> high-speed link to the firewall (packets build up in the queue here) -> firewall -> 1.5 Mbps link -> target]
Simulation Results
Legitimate throughput reaching the target, by speed of the link leading up to the firewall (rows) and intensity of the DDoS attack traffic (columns):

Link to firewall | Attack 100 Mbps | Attack 50 Mbps | Attack 10 Mbps | Attack 1.5 Mbps
100 Mbps         | 1.24 Mbps       | 1.24 Mbps      | 1.24 Mbps      | 1.24 Mbps
50 Mbps          | 1.24 Mbps       | 1.24 Mbps      | 1.24 Mbps      | 1.24 Mbps
10 Mbps          | 816 bps         | 32 Kbps        | 57 Kbps        | 1.23 Mbps
1.5 Mbps         | 0 bps           | 0 bps          | 816 bps        | 6.5 Kbps
Simulation of Strategic Firewall
Placement


When the link leading up to the firewall is too slow, the DDoS attack essentially shuts the system down.
When that link is fast enough, the system keeps running through the DDoS attack, even when the attack is raised in intensity from 50 to 100 Mbps.
Conclusion

Strategic firewall placement allows
companies to use the Internet during a
DDoS attack, and it allows them to
continue receiving the packets they want.