slides - The Fengs


Distributed Denial-of-Service (DDoS)
Ho Jeong AN
CSE 525 – Adv. Networking
Reading Group #8

Reading Group #8 – DDoS

Papers
- F. Kargl, J. Maier, M. Weber, “Protecting Web Servers from Distributed Denial of Service Attacks”, WWW 2001
- V. Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”, CCR vol. 31, no. 3, July 2001
- Catherine Meadows, “A cost-based framework for analysis of denial of service in networks”, Journal of Computer Security, 9(1–2):143–164, 2001
Classification of IT Attacks

Denial of Service (DoS)
- Main goal of the attack is the disruption of service

Intrusion
- Intention is simply to get access to the system and to circumvent certain barriers

Information Theft
- Main goal of the attack is access to restricted, sensitive information

Modification
- Attacker tries to alter information.
Definition of DoS

WWW Security FAQ (http://www.w3.org/Security/FAQ)

  “… an attack designed to render a computer or network incapable of providing normal services …”

J.D. Howard (http://www.cert.org)

  “… Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied …”
Definition of DDoS

WWW Security FAQ (http://www.w3.org/Security/FAQ)

  “… A Distributed Denial of Service attack uses many computers to launch a coordinated DoS attack against one or more targets. …”
DoS attack Classification

System attacked
- Router
- Firewall
- Load balancer
- Individual web server
- Supporting services (e.g. database servers)

Part of the system attacked
- Hardware failure
- OS or TCP/IP stack of host/router
- Application level (e.g. web server, database servers)

Bug or overload
- Bugs
- Overload
DoS attack Classification

Examples
- Cisco 7xxx routers with IOS/700 software version 4.1(1)/4.1(2)
- Jolt2 – targeting most Microsoft Windows systems (98/NT4/2000)
- MS IIS version 4.0/5.0
- Smurf
- SYN flood
- Apache MIME flooding / Apache Sioux attack
DDoS tools

Trinoo
- Known as the first DDoS tool
- UDP flooding

Tribe Flood Network (TFN)
- Trinoo’s UDP flooding, plus TCP SYN and ICMP flooding

TFN2K
- Encrypted communication between components
- TARGA attack

stacheldraht
- ICMP, UDP and TCP SYN flooding
- Updates agents automatically
DDoS Protection Environment

Linux Kernel
- Immune to Teardrop, TARGA
- tcp_syncookies (the net.ipv4.tcp_syncookies kernel option) enabled against SYN flood attacks

Load Balancer
- Linux Virtual Server against overload attacks
DDoS Protection Environment

ipchains Firewall
- Only port 80 is reachable directly
- Only ICMP host unreachable messages are accepted

Class Based Queuing
- Function of the Linux kernel
- Sets up different traffic queues
- Determines which packets to put in which queue
- Assigns a bandwidth to each of the queues
DDoS Protection Environment

Traffic Monitor
- Monitor
  - Thread 1: monitors incoming and outgoing packets
  - Thread 2: checks the hashtable
  - Thread 3: server thread
- Manager
  - Analyzes the supplied data
  - Sorts the IPs into one of several classes, class 1 through class 4

Test 1: HTTP attack using http_load and a static HTML database
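The monitor/manager split above can be shown with a small model. The following is an added example and is not code from Kargl et al.: a hashtable of per-source request timestamps kept over a sliding window (the monitor) and a function that sorts each source into class 1 (lowest rate) through class 4 (highest rate) (the manager). The window length, the thresholds, the meaning of the classes and the log lines are constructed assumptions for illustration.

```python
"""Added example (not code from Kargl et al.): a minimal traffic monitor that
keeps per-source request timestamps in a hashtable over a sliding window and
sorts each source into class 1 (lowest rate) through class 4 (highest rate).
The window, the thresholds, the class meanings and the log lines are
constructed assumptions for illustration."""
from collections import defaultdict, deque

WINDOW = 10.0                               # seconds of history kept per source (assumed)
# (max requests inside the window, class); above the last limit -> class 4 (assumed)
THRESHOLDS = [(5, 1), (20, 2), (60, 3)]


class TrafficMonitor:
    def __init__(self, window=WINDOW):
        self.window = window
        self.hits = defaultdict(deque)      # the hashtable: source IP -> recent timestamps

    def _prune(self, q, now):
        # drop timestamps that fell out of the window
        while q and now - q[0] > self.window:
            q.popleft()

    def record(self, ts, ip):
        """Monitor thread: one request from ip at time ts; returns requests in window."""
        q = self.hits[ip]
        q.append(ts)
        self._prune(q, ts)
        return len(q)

    def classify(self, ip, now):
        """Manager: sort a source into class 1..4 by its request count inside the window."""
        q = self.hits[ip]
        self._prune(q, now)
        for limit, cls in THRESHOLDS:
            if len(q) <= limit:
                return cls
        return 4


def classes_from_log(lines):
    """Parse constructed log lines "<epoch> <source ip> <request>" and return ip -> class."""
    mon = TrafficMonitor()
    now = 0.0
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        now = float(ts)
        mon.record(now, ip)
    return {ip: mon.classify(ip, now) for ip in mon.hits}


def sample_log():
    """Constructed traffic: a browsing client, a busy but plausible client, and an
    http_load-style flood of the same static page from one source."""
    lines = [f"{1000 + 2.0 * i:.2f} 198.51.100.10 GET /index.html" for i in range(3)]
    lines += [f"{1000 + 0.3 * i:.2f} 198.51.100.20 GET /page{i}.html" for i in range(15)]
    lines += [f"{1000 + 0.01 * i:.2f} 203.0.113.99 GET /index.html" for i in range(200)]
    lines.sort(key=lambda line: float(line.split(" ", 1)[0]))
    return lines


if __name__ == "__main__":
    for ip, cls in sorted(classes_from_log(sample_log()).items()):
        print(f"{ip:16} class {cls}")
```

The class number is what the firewall and CBQ setup would act on: each class gets its own queue with its own bandwidth, so the flooding source is squeezed without touching class 1 traffic. One caveat a deployment has to handle: classification is per source address, so a large proxy or NAT gateway in front of many real users looks exactly like one aggressive client and will be demoted along with them.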
Conclusion
- DDoS attacks are a substantial threat to today’s Internet infrastructure
- The solution to the problem of handling massive HTTP overload requests is based on class based queuing and active traffic monitoring

DDoS attack using reflectors

Reflector
- Any IP host that will return a packet if it receives a request
- All web servers, DNS servers, routers (ICMP)
- The victim eventually receives a “huge” number of messages, clogging every single path to the victim from the rest of the Internet
Defense against reflectors

- Ingress filtering
  - Our pick
  - Requires widespread deployment of filtering
- Traffic generated by reflectors: reflector-enabled filtering
  - Enormous deployment difficulties
- Deploy a traceback mechanism
- IDS
  - Widespread deployment of security technology
Filtering out reflector replies

IP
- version, header length
- TOS/DSCP
- length
- ID
- fragments
- TTL, protocol, checksum
- source
- destination
Filtering out reflector replies

ICMP
- Request/response
- Generated ICMP messages

TCP
- source port
- SYN ACK
- RST
- guessable sequence number
- T/TCP
Filtering out reflector replies

UDP
- DNS
  - DNS reply
  - DNS recursive query
- SNMP
- HTTP proxy server
- Gnutella (TCP application)
- Other UDP applications
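The common thread of the three slides above is that a reflector reply is a response to a request the victim never sent, so the victim (or its upstream filter) can drop replies for which it holds no matching outstanding request. The following is an added example, not code from Paxson's paper: a stateful filter that records the victim's own outbound TCP SYNs, DNS queries and ICMP echo requests and drops inbound SYN/ACKs, RSTs, DNS answers and echo replies that match none of them. The packet representation, the victim address and the sample traffic are constructed for illustration.

```python
"""Added example (not code from Paxson's paper): drop reflector replies that do
not match a request the victim itself sent. Packet records, the victim address
and the sample traffic are constructed for illustration."""
from collections import namedtuple

# One packet at the victim's border. flags: a set of TCP flags, the ICMP type
# name, or "query"/"response" for DNS; ident: DNS query id or ICMP echo id.
Pkt = namedtuple("Pkt", "proto src sport dst dport flags ident")

VICTIM = "203.0.113.5"   # constructed victim address


class ReflectorReplyFilter:
    """Accept a reply only if the victim sent the matching request."""

    def __init__(self):
        # keys of requests that left the victim (a real filter would expire them)
        self.pending = set()

    def outbound(self, p):
        if p.src != VICTIM:
            return
        if p.proto == "tcp" and p.flags == {"SYN"}:
            self.pending.add(("tcp", p.dst, p.dport, p.sport))
        elif p.proto == "udp" and p.dport == 53 and p.flags == "query":
            self.pending.add(("dns", p.dst, p.ident))
        elif p.proto == "icmp" and p.flags == "echo-request":
            self.pending.add(("icmp", p.dst, p.ident))

    def inbound(self, p):
        """Return 'accept' or 'drop'. Only reply-shaped packets are ever dropped."""
        if p.proto == "tcp" and ("RST" in p.flags or p.flags == {"SYN", "ACK"}):
            # SYN/ACK or RST from a server we never contacted: a reflected SYN
            return "accept" if ("tcp", p.src, p.sport, p.dport) in self.pending else "drop"
        if p.proto == "udp" and p.sport == 53 and p.flags == "response":
            # DNS answer from a server/query id we never issued
            return "accept" if ("dns", p.src, p.ident) in self.pending else "drop"
        if p.proto == "icmp" and p.flags == "echo-reply":
            return "accept" if ("icmp", p.src, p.ident) in self.pending else "drop"
        return "accept"   # requests for the victim's own services pass through


def run_sample():
    """Constructed traffic: three real requests, then a mix of genuine and reflected replies."""
    f = ReflectorReplyFilter()
    f.outbound(Pkt("tcp", VICTIM, 40000, "198.51.100.1", 80, {"SYN"}, None))
    f.outbound(Pkt("udp", VICTIM, 5353, "192.0.2.53", 53, "query", 0x1234))
    f.outbound(Pkt("icmp", VICTIM, None, "192.0.2.9", None, "echo-request", 7))
    inbound = [
        Pkt("tcp", "198.51.100.1", 80, VICTIM, 40000, {"SYN", "ACK"}, None),   # our handshake
        Pkt("tcp", "198.51.100.2", 80, VICTIM, 40001, {"SYN", "ACK"}, None),   # reflected SYN/ACK
        Pkt("tcp", "198.51.100.3", 443, VICTIM, 40002, {"RST", "ACK"}, None),  # reflected RST
        Pkt("udp", "192.0.2.53", 53, VICTIM, 5353, "response", 0x1234),        # answer to our query
        Pkt("udp", "192.0.2.54", 53, VICTIM, 5353, "response", 0x7777),        # reflected DNS answer
        Pkt("icmp", "192.0.2.9", None, VICTIM, None, "echo-reply", 7),         # reply to our ping
        Pkt("icmp", "192.0.2.10", None, VICTIM, None, "echo-reply", 9),        # reflected echo reply
        Pkt("tcp", "198.51.100.200", 51000, VICTIM, 80, {"SYN"}, None),        # a client of our web server
    ]
    return [f.inbound(p) for p in inbound]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The filter matches what the slides list as the distinguishing fields: source port 53 plus the response bit for DNS, SYN/ACK or RST for TCP, echo-reply for ICMP. The hard cases Paxson singles out are the ones where the victim legitimately receives such replies in bulk: a recursive name server expects answers from many servers it never contacted before, and a Gnutella node expects connections from arbitrary peers, so only per-request state of this kind (not a static rule) can tell the reflected traffic apart, and the state must be kept where the outbound requests are visible.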
Implications of reflector attacks for traceback
- A major advantage to attackers in using reflectors in a DDoS attack is difficult traceback
- Low volume flows – SPIE
- HTTP proxies
- Logging
- Reverse ITRACE

Conclusion
- DDoS attacks using reflectors pose several significant threats
- The most major threats are
  - TCP guessable sequence numbers
  - DNS queries to name servers
  - Gnutella
Defender vs. Attacker

Defense against attack
- Increase the resources of the defender
- Introduce authentication

Goal of attacker
- Waste the resources of the defender
- Keep the defender from learning the attacker’s identity

Formal methods are a good way to address these problems.
Station to Station protocol

The Station-to-Station protocol makes use of the Diffie-Hellman protocol together with digital signatures in order to exchange and authenticate keys between two principals.

  A → B: $\alpha^{x_A}$
  B → A: $\alpha^{x_B},\ E_K(S_B(\alpha^{x_B}, \alpha^{x_A}))$
  A → B: $E_K(S_A(\alpha^{x_A}, \alpha^{x_B}))$
Station to Station protocol
A  B : preeexp1, storename1 ||
 X ||
A
storeonce1 ,storename2 ,accept1
B  A : preexp1 , sign1 , exp1 , encrypt1||
 X , EK ( S B ( X ,  X )) ||
B
B
A
checkname1 , retrivevenonce1 , exp2 , decrypt1 , checksig1 , accept 2
A  B : sign 2 , encrypt 2 ||
EK ( S A ( X A ,  X B )) ||
checkname2 , retrivevenonce2 , decrypt 2 , checksig 2 , accept 3
Station to Station protocol
- Compute the attack cost functions and the protocol engagement cost functions for each accept event
- Compute the attack cost functions and the message processing cost functions for each verification event

Station to Station protocol

It is vulnerable to DoS attacks in several places
- First message
- Intruder could mount Lowe’s attack

Solution
- Cookie exchange
- Lowe’s attack – include the identity of the intended receiver
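The cost functions from the previous slide and the cookie exchange proposed here can be put side by side. The following is an added example and is not code from Meadows' paper: a model of the STS responder that adds up its protocol engagement cost, with and without a stateless cookie, while an attacker sends first messages from forged source addresses. In plain STS the responder exponentiates, signs and encrypts (exp1, exp2, sign1, encrypt1) on the strength of one unauthenticated message; with the cookie it spends only a keyed hash and a send until the cookie comes back, which a spoofing attacker cannot arrange. The relative operation costs, the cookie construction and the addresses are constructed assumptions for illustration.

```python
"""Added example (not code from Meadows' paper): protocol engagement cost of an
STS responder under a flood of spoofed first messages, with and without a
stateless cookie exchange. The relative operation costs, the cookie construction
and the addresses are constructed assumptions for illustration."""
import hashlib
import hmac
import os

# Assumed relative costs: modular exponentiation and signing dominate, hashing
# and sending are cheap (constructed numbers, not measurements).
COST = {"exp": 100, "sign": 50, "encrypt": 5, "hash": 2, "send": 1}


class Responder:
    def __init__(self, use_cookie):
        self.use_cookie = use_cookie
        self.secret = os.urandom(16)   # responder-local key for stateless cookies
        self.work = 0                  # accumulated protocol engagement cost
        self.state = {}                # half-open exchanges: claimed source -> alpha^xA

    def cookie_for(self, src, exponential):
        # Stateless cookie: keyed hash over the claimed source and its exponential.
        # Nothing is stored until the cookie comes back from that source.
        self.work += COST["hash"]
        return hmac.new(self.secret, src.encode() + exponential, hashlib.sha256).digest()

    def expensive_step(self, src, exponential):
        # exp1/exp2 (alpha^xB and the shared key), sign1, encrypt1 and the reply:
        # the work plain STS spends before knowing the initiator exists.
        self.work += 2 * COST["exp"] + COST["sign"] + COST["encrypt"] + COST["send"]
        self.state[src] = exponential

    def on_message1(self, src, exponential):
        """First STS message (alpha^xA). Returns a cookie in the cookie variant, else None."""
        if self.use_cookie:
            self.work += COST["send"]
            return self.cookie_for(src, exponential)
        self.expensive_step(src, exponential)
        return None

    def on_cookie_reply(self, src, exponential, cookie):
        """Cookie variant: do the expensive work only for a cookie we issued to src."""
        if not hmac.compare_digest(self.cookie_for(src, exponential), cookie):
            return False
        self.expensive_step(src, exponential)
        return True


def spoofed_flood(responder, n):
    """n first messages with forged sources. Replies, cookies included, go to the
    forged address, so the attacker never holds a valid cookie; returns responder work."""
    for i in range(n):
        responder.on_message1(f"10.0.{i // 256}.{i % 256}", b"\x02" * 32)
    return responder.work


def honest_exchange(responder, src="192.0.2.7", exponential=b"\x05" * 32):
    """A real initiator completes the first round trip in either variant."""
    cookie = responder.on_message1(src, exponential)
    if cookie is None:
        return src in responder.state
    return responder.on_cookie_reply(src, exponential, cookie)


if __name__ == "__main__":
    for use_cookie in (False, True):
        r = Responder(use_cookie)
        print("cookie" if use_cookie else "plain ", "work:", spoofed_flood(r, 1000),
              "half-open:", len(r.state), "honest ok:", honest_exchange(r))
```

Under these assumed costs a thousand spoofed first messages cost the plain responder 256 000 units and a thousand half-open entries, against 3 000 units and no state for the cookie variant, while an honest initiator still completes the exchange in both. The cookie does not make the expensive step cheaper; it moves it behind the first accept event, so the attacker who wants to trigger it has to reveal a reachable address, which is the cost the framework charges against the attacker. The fix for Lowe's attack (naming the intended receiver inside the signed data) is a separate change to the message contents and is not modelled here.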
Conclusion

This framework shows how existing tools and methods could be modified against DoS attacks.