Distributed Denial of Service Attacks
Download
Report
Transcript Distributed Denial of Service Attacks
Distributed Denial of Service Attacks
Prepared For:
Prof. Ruby Lee
ELE 572
Prepared By:
Ali Bayazit
[email protected]
(609) 986September 23, 2002
Qiang Huang
Stephen Specht
[email protected] [email protected]
(609) 947-3131
(609) 986-9572
Princeton University
Electrical Engineering Department
Presentation Overview
• Introduction to DDoS
– Overview of DoS - Specht
– Overview of DDoS – Specht
– Case Study of DDoS victim GRC.com - Specht
• Defending Against DDoS Attacks
–
–
–
–
–
–
–
Conceptual Model – Huang
Layer 1 Coordinated Technical Solutions – Huang
IDIP: An Example of Anti-Flooding – Huang
Layer 2 Consistent Incentive Structure – Huang
Defending Wireless Networks Against DDoS – Huang
Reflectors Analysis – Bayazit
Traffic Tracking – Specht
September 23, 2002
Princeton University
Electrical Engineering Department
Introduction to DDoS
• Overview of DoS
–
–
–
–
Background Information: Denial of Service Attacks
Classification of Denial of Service Attacks
Countermeasures for Denial of Service Attacks
Denial of Service Attacks Shortfalls
• Overview of DDoS
– Distributed Denial of Service Attacks
– Distributed Denial of Service Attack Architecture
– Widely Used Distributed Denial of Service Tools
• Trinoo
• TFN/TFN2K
• Stacheldraht
– Common DDoS Countermeasures
– DDoS Protection Environment
• Case Study of DDoS victim GRC.com
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Background Information: Denial of Service Attacks
• Denial of Service Attack: an attack on a
computer or network that prevents legitimate use
of its resources.[1]
• DoS Attacks Affect:
– Software Systems
– Network Routers/Equipment/Servers
– Servers and End-User PCs
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Classification of DoS Attacks[1]
Attack
Affected Area
Example
Description
Network Level
Device
Routers, IP
Switches,
Firewalls
Ascend Kill II,
“Christmas Tree Packets”
Attack attempts to exhaust hardware
resources using multiple duplicate packets
or a software bug.
OS Level
Equipment
Vendor OS, EndUser Equipment.
Ping of Death,
ICMP Echo Attacks,
Teardrop
Attack takes advantage of the way operating
systems implement protocols.
Application
Level Attacks
Finger Bomb
Finger Bomb,
Windows NT RealServer
G2 6.0
Attack a service or machine by using an
application attack to exhaust resources.
Data Flood
Host computer or
network
Smurf Attack (amplifier
attack)
UDP Echo (oscillation
attack)
Attack in which massive quantities of data
are sent to a target with the intention of
using up bandwidth/processing resources.
Servers, Client
PC, DNS Servers
SYN (connection
depletion)
Attack in which “bugs” in protocol are
utilized to take down network resources.
Methods of attack include: IP address
spoofing, and corrupting DNS server cache.
(Amplification,
Oscillation, Simple
Flooding)
Protocol Feature
Attacks
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Countermeasures for DoS Attacks[1]
Attack
Countermeasure
Options
Example
Description
Network Level
Device
Software patches,
packet filtering
Ingress and Egress
Filtering
Software upgrades can fix known bugs and
packet filtering can prevent attacking traffic
from entering a network.
OS Level
SYN Cookies, drop
backlog connections,
shorten timeout time
SYN Cookies
Shortening the backlog time and dropping
backlog connections will free up resources.
SYN cookies proactively prevent attacks.
Application
Level Attacks
Intrusion Detection
System
GuardDog, other
vendors.
Software used to detect illicit activity.
Data Flood
Replication and Load
Balancing
Akami/Digital
Island provide
content
distribution.
Extend the volume of content under attack
makes it more complicated and harder for
attackers to identify services to attack and
accomplish complete attacks.
Extend protocols to
support security.
ITEF standard for
itrace, DNSSEC
Trace source/destination packets by a means
other than the IP address (blocks against IP
address spoofing). DNSSEC would provide
authorization and authentication on DNS
information.
(Amplification,
Oscillation, Simple
Flooding)
Protocol Feature
Attacks
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
DoS Shortfalls
• DoS attacks are unable to attack large bandwidth websites
– one upstream client cannot generate enough bandwidth
to cripple major megabit websites.
• New distributed server architecture makes it harder for one
DoS to take down an entire site.
• New software protections neutralize existing DoS attacks
quickly
• Service Providers know how to prevent these attacks from
effecting their networks.
• “Old” Internet Technology – something new needs to take
it’s place (Hackers want the challenge of a new
technology).
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Distributed Denial of Service Attacks
• What is a Distributed Denial of Service Attack?
As Defined by the World Wide Web Security FAQ: A Distributed Denial of
Service (DDoS) attack uses many computers to launch a coordinated DoS
attack against one or more targets. Using client/server technology, the
perpetrator is able to multiply the effectiveness of the Denial of Service
significantly by harnessing the resources of multiple unwitting accomplice
computers which serve as attack platforms. Typically a DDoS master program
is installed on one computer using a stolen account. The master program, at a
designated time, then communicates to any number of "agent" programs,
installed on computers anywhere on the internet. The agents, when they
receive the command, initiate the attack. Using client/server technology, the
master program can initiate hundreds or even thousands of agent programs
within seconds.[3]
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
DDoS Architecture
Client
Handler
Client
Handler
Handler
Handler
Agents
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Widely Used DDoS Programs
•
•
•
•
Trinoo
Tribe Flood Network
TFN2K
stacheldraht (barbed wire)
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Trinoo
• First DDoS Tool widely available[2].
• Uses UDP flooding attack strategy [2].
• TCP connectivity between master and
hosts [2].
• UDP connectivity between master and
agents [2].
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Analysis of trinoo[4]
1. A stolen account is set up as a repository for pre-compiled versions of attack tools including
trinoo daemon and master programs. This would include a list of vulnerable hosts. (it would
ideally have high bandwidth and little administrative oversight).
2. A scan is performed to identify potential targets (large network blocks are scanned). Systems
running services known to have exploitable buffer overflow bugs (Solaris 2.x / Linux) are ideal.
3. The list of vulnerable systems is used to create a script that performs the exploit (on the TCP
port, commonly 1524 “ingresslock” service port) and connects to this port to verify the exploit is
successful. From this exploit, a list of “owned” systems gets generated. These systems will be
candidates for the trinoo system.
4. A subset of “owned” systems with desirable attributes is selected for the attack network. Precompiled binaries of the trinoo daemon are created and stored on a stolen account somewhere.
5. A new script is written to automatically install the trinoo daemon on the selected systems. Some
systems will fail to install, but all successful installations create the attacking network.
6. Next, the master system is set up (typically on a service provider’s primary name server).
Remote control to the master is set up via TCP port 27665. The master system can communicate
with the agents via UDP on port 27444 and the agents send responses to the master on UDP port
31335.
7. The user can now use the master system to launch DDoS attacks against select targets.
8. Master and Agents are password protected.
9. Commands are three bit letters – in binary won’t show up as strings.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
TFN (Tribe Flood Network)
• Written in 1999 by “Mixter” [2].
• Allows for UDP flooding, TCP SYN, ICMP
flood, and smurf attacks[2].
• Communication between handlers and
agents is accomplished with
ICMP_Echo_Reply packets which are
harder to detect than UDP packets and can
pass through firewalls[2].
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Analysis of TFN[5]
• Installation steps similar to trinoo.
• Commands to the agents are sent in the form of a
16 bit binary number in the id field of an
ICMP_ECHO_REPLY packet. (The sequence
number is a constant 0x0000, which would make
it look like the response to the initial packet sent
out by the "ping" command)
• Difficulty in stopping this attack – one method is
to stop ICMP_ECHO_REPLY packets, however
this effectively stops all ICMP traffic.
• Provides no authentication, so that only one packet
captured will identify the source.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
TFN2K
• The successor to TFN, also written by “Mixter” [2].
• Allows for encrypted messaging between
components [2].
• Handlers and agents can communicate using ICMP,
UDP, or TCP. Random protocol selection is possible
[2].
• Adds an additional attack form called TARGA
(sends malformed IP packets known to slow down or
“hang up” the network stacks) [2].
• Also adds a MIX attack which uses UDP, SYN, and
ICMP_Echo_Reply Flooding [2].
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
stacheldraht
• German for “barbed wire”
• Based on early TFN versions[2].
• Provides ICMP, UDP, and TCP SYN attack
options[2].
• Has the ability to perform daemon updates
automatically[2].
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Analysis of stacheldraht[6]
• Combines trinoo and TFN tools and adds encryption of communication
between the attacker and stacheldraht masters
• Provides automatic updates to agents on demand (using Berkley “rcp”
command (514) all agents will log on to a server and upload a new
version).
• Includes a secure telnet (symmetric key encryption) connection
between attacker and master (prevents session hijacking).
• Built in limit of 1000 agents so as to not exceed the maximum number
of open file handles (1024).
• Agents and handlers continually send ICMP_ECHORPLY packets
between each other. These can be used to identify stacheldraht with a
packet sniffer.
• Agents can also perform an ID test to handlers.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Common DDoS Countermeasures [2]
•
•
•
•
Prevent Initial Hack
Use of Firewalls and Demilitarized Zone
Check Ingress/Egress Packets
Use a server farm and load balancer to offset the
effects of a DDoS attack
• Prevent SYN flood attacks by discarding the first
SYN packet (causes delay for legitimate users)
• Change IP address of attacked system (problem for
updating legitimate users of new system IP address)
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
DDoS Protection Environment [2]
• Linux Kernal (immune to TARGA & teardrop)
• Linux Virtual Server (provides balancing algorithms)
– NAT via load balancer (translates incoming traffic before it hits the
server).
– Direct Routing Request Dispatching (allows MAC addresses to
directly communicate with the server, bypassing the load
balancer).
– IP Tunneling
• Firewall – packet filtering
• Class Based Queuing (assigns repetitive packets to smaller queue
freeing up queue space for legitimate users)
• Traffic Monitor
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
DDoS Case Study: GRC.com[7]
• Gibson Research Corporation
• Provides free internet security testing
software: Shields Up, LeakTest, etc.
• Attacked in May 2001 by a DDoS attack.
The DDoS attack was using a “zombie bot”
which is a new form of DDoS tool.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.com Network[7]
Internet
100Mbps
Router
Firewall
T1 Trunk
T1 Trunk
100Mbps
Verio Router
GRC.COM
Internet
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Case Study: Initial Attack [7]
• May 4, 2001, GRC.COM Dropped Off of
the Internet.
• Both GRC T1 lines were at full 1.54 Mbps
capacity.
• GRC identified that it was the victim of a
DoS Attack
• GRC Firewall and Router were able to stop
flood traffic from affecting GRC equipment,
but T1 lines were completely used up.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Case Study: Initial Response to
DDoS Attack [7]
• GRC uses a packet sniffer to see that the packets
on the T1 lines are an attack. With this
information, GRC contacts its ISP, Verio. During
the 1st 17 hours, GRC captured 16.1 Gigabytes of
malicious packet data.
• The packet data revealed to GRC a number
network domain hosts where attacks originated
(most originated from cable ISPs).
• ISP Verio set up packet filters on their router so
that DDoS packets were not allowed on to the T1
lines. This brought GRC.com back online,
however the attack was not stopped.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Case Study: Additional Attacks [7]
• May 13 – Second attack occurs. Identical to the
first and using the same host machines. GRC
contacts Verio to reapply the packet filters.
• May 14th – 2 new attacks using new IP addresses
(of the GRC Firewall) which shut the system
down again. Verio asked again to apply new
packet filters. One T1 was still attacked, so it was
shut down.
• May 15th – New attack directly to the port of GRC
Cisco Routers, takes GRC off of the internet again
and due to a bug in Cisco routers, traffic gets
through and takes down GRC servers.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Case Study: Attacker’s Mistake [7]
• Attacker used compromised Windows machines –
which allowed for packet filtering. Other
machines (like Unix have ports that can generate
un-filterable packets). This allowed GRC to filter
and analyze the packets.
• GRC also gets e-mail posted to its message board
from 13 year old claiming to be responsible. –
Multiple e-mails are traded between “Wicked” and
GRC. The e-mails were used to trace “Wicked” to
a small network owned by Earthlink.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Case Study: Difficulty in Getting
Help Stopping DDoS Attacks [7]
• GRC contacts Earthlink but receives no help.
• GRC contact @Home (over 100 @Home PCs
were identified as hosts for the attack).
@Home however did not want to help.
• FBI unable to help GRC either.
• GRC then receives an anonymous e-mail in
their web-based Spyware drop box which
contains the “Zombie” (DDoS Daemon).
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Case Study: GRC’s Infiltration [7]
• GRC sets up “Sitting Duck” dummy computer
running DDoS daemon to see what happens (see
next slide).
• “Sitting Duck” successfully connects to IRC chat
server, gets instructions to attack a system in
Finland.
• GRC disables the packet generation feature of
“Sitting Duck” so no malicious packets will be sent.
• GRC writes an IRC chat Zombie to enter IRC
servers where hackers communicate/trade Zombie
DDoS tools.
• GRC communicates with hackers to “lay off”.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Case Study: GRC’s Infiltration
Network [7]
“Sitting Duck”
T1 Trunk
Packet sniffer
T1 Trunk
1.
2.
3.
IRC Servers
4.
Sitting Duck runs the Zombie DDoS
daemon.
Sitting Duck connects to an IRC server
On IRC server, Sitting Duck waited for
Instructions
When Instructions came, Sitting Duck
attacked a site in Finland.
Internet
Finland
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
GRC.COM Attack Network Setup
Attacker
1. Attacker logs on to IRC server
(IRC Server does not store IP address
and provides anonymous access.
IRC Servers
Internet
T1 Trunk
2. Zombie “bots” or DDoS tools that
were previously inserted to PCs out
in the network “wake up” and
connect to IRC server waiting for
instructions.
September 23, 2002
T1 Trunk
Verio Router
Princeton University
Electrical Engineering Department
GRC.COM
Specht
GRC.COM Attack Network Attacking
IRC Servers
Attacker
1. Attacker issues
command to attack
GRC.COM
Internet
T1 Trunk
2. Each DDoS daemon begins to
attack the selected website.
T1 Trunk
Verio Router
September 23, 2002
Princeton University
Electrical Engineering Department
GRC.COM
Specht
Defending Against DDoS Attacks
• Conceptual Model For Defending Against
DDoS
• Layer 1 Coordinated Technical Solutions
• IDIP Anti-Flooding System Example
• Layer 2 Consistent Incentive Structure
• Special Issue for Wireless Network
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Defending Against DDoS Attacks
1.
We need two things, suitable technological solutions in the Internet and
suitable incentives upon the users of the Internet. The machinery and the
incentives interlock and must be designed together. We also need to
consider the cost-effective issue: to construct technical solutions and
incentive structures in a cost-effective way.
2.
The biggest barrier in defending against DDoS attacks is the lack of
economic incentives for Internet users to cooperate. Sample
research by icsa.net shows that less than 15 percent of all corporate
users are filtering source IP addresses. An even smaller percentage
of Internet service providers – less than 8 percent – are doing this
type of filtering.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Defending Against DDoS Attacks
•
The inconsistent incentive structure in Internet traffic pricing: the victim
has the incentive to defend but cannot defend effectively, whereas the
owners of zombie computers and ISPs can defend effectively but do
not have the incentive to do so.
•
Flat monthly fee payments for wired Internet access: the owner of a
zombie computer incurs little cost due to DDoS attacks since all that is
stolen is just some traffic, but preventing a personal computer from
being controlled by any potential attacker requires frequent monitoring
and updating, at considerable cost.
•
Similar logic applies to ISPs who can always collect the monthly fees
no matter whether a DDoS attack happens or not. Thus, they may
hesitate to install filters since they will lower network performance.
•
So the technical solutions must work together with consistent incentive.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Defending Against DDoS Attacks
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• Device Security improvement
User-Level
• User level traffic control
• Coordinated filters
• Server level traffic monitor and class based queuing
• Tracing back
Server-level
Different solutions can coexist to achieve a better defense and
coordination is often required to be global.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• 1. Improving the security of all relevant devices. (
More detail to be explained by Ali)
Before initiating an effective DDoS attack, the attacker needs to break
into enough zombie devices to secure an ability to generate sufficient
traffic. A direct counterstrike is to secure all devices to make it difficult
for the attacker to seize enough zombies.
It is not practical, nor potentially beneficial, to secure all computers on
the wired Internet. Alternatively, an effective and efficient solution would
be to selectively secure those computers that have high traffic
throughput – such as routers –or high performance and high bandwidth
workstations so that the marginal benefit for each dollar spent on
security is optimized.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• 2. User-level traffic control
User-level traffic control is embodied in a set of traffic control rules specifically
for a given network device. For example, a wireless device user can set up a
daily traffic cap that is high enough not to disturb her/his normal usage, while
abnormally large traffic will be stopped.
Traffic control rules can be contingent on factors including other users’ usage
status. For example, a user can specify her/his data to be dropped or delayed if
the network is experiencing congestion.
For the wired Internet, Geng and Whinston propose to save the rules in edge
routers because routers, given their concentrated and limited functionalities, are
relatively easier to protect than other computers.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• 3. Coordinated filters
3.1
Block certain types of packets:
If there is no legitimate need for UDP packets to pass, then a
firewall or
router can block them. Multicasts from one subnet to
another are not always needed. A firewall or router can block these.
3.2 Block packets by source address:
IP touters can improve traceability by discarding packets whose source
address is impossible given the wire on which the packet arrived.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• 3. Coordinated filters
3.3 Derive attack signatures for the harmful packets
Filters detect anomalies, deviations from past behavior: more
than x connection requests (SYNs) per minute for a single IP
address, more than two standard deviations above the mean of a
packets-per-minute value for a single IP address, etc.
Attack signature: record the IP being flooded, the IP generating
the flood and IP of the nodes that the flood is traveling.
Participating routers and firewalls can discard some or all packets that
match the signature. The purpose of coordination among filters is to
stop the traffic as early as possible along the attacking paths.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• 4. IP Tracing (more detail to be explained by Steve)
Even if the coordinated filters cannot effectively stop the attack, possibly
because the attacking traffic is hard to distinguish from normal traffic, there still
exists another technological solution – to trace back to the zombie devices to
shut down the attack from the source.
In any case, when a zombie is used in the attack, it is very hard to trace past the zombie
and find the attacker. Our concern here is not catch the attacker as to stop the attack. The
attacker can stay anonymous as long as the attack is stopped. IP routers can apply
address filtering, discarding packets when the source address does not match the wire on
which the packet arrived. This will limit IP forgery at least to a sub-network. So the
tracing system should be efficient to prevent zombies.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• 5. Server level traffic Monitor and Class Based Queuing
If the traffic monitor in the load balancer detects a possible DoS attack it
gradually slows down all incoming traffic from the origination IP address by
assigning it to more and more slower queues. If even this does not stop the
attack, the IP address is blocked in a firewall list for a configurable amount of
time. Otherwise, after a certain interval of normal activity, the downgraded IP
can be upgraded to better queues. To decide whether a potential attacker is
indeed malicious, we will use Bayesian estimation method.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 1: Coordinated Technical Solutions
• 5. Server level traffic Monitor and Class Based Queuing
Bayesian estimation method: Likelyhood Evaluation
Let y be the set of filter readings defining a possible attack, and let x be the set of
hypothesis’s we believe to have caused these readings. Two determinations must be
made: the likelyhood of having received readings y given hypothesis x, and the
probability of hypothesis x. Through the use of Baye’s theorem, we have:
p( x y ) L( y x) p( x)
If multiple observations are made of the target, and each filter has an independent
likelyhood function (L1, L2,…Ln), the overall probability can be calculated as
p( x y1 , y2 ) L2 ( y2 x) L1 ( y1 x) p( x) L2 ( y2 x) p( x y1 )
This process may be repeated any number of times.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
IDIP: An Example of Anti-flood System
IDIP (Intruder Detection and Isolation Protocol) in general:
Trace and Block
• (1) When an attack traverses an IDIP-protected network, each IDIP
node along the path is responsible for auditing the connection;
• (2) when a component detects an intrusion attempt, the detector
distributes an attack report to its neighbors who can then help trace the
attack path and respond to the intrusion;
• (3) these neighbors further distribute the attack description along the
path of the attack.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
IDIP: An Example of Anti-flood System
• BC: boundary controllers (router, a firewall, etc.) do the blocking.
• A node n and a BC b are neighbors if they can send one another IP
packets that do not pass through another BC
• If two non-BCs can send one another IP packets that do not pass
through a BC, then the two non-BCs are considered to be in the
same IDIP domain. So BCs form the boundary of a domain.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
IDIP: An Example of Anti-flood System
IDIP against Floods
•
The basic message could be "I am seeing a flood for IP address xx.xx.xx.xx." The victim
or an intrusion detection system (IDS) could pass this message to its neighboring BCs.
Each of them could look to see if it too was seeing a flood for that IP address. If so, the
BC could begin discarding all or most packets bound for that address and send the IDIP
message on to its own neighbors in turn. Once a BC stopped seeing a flood for IP
address xx.xx.xx.xx, it would stop discarding packets for that address. This would
restore service.
•
A victim or an IDS watching all traffic to the victim can tell whether the victim is
getting too much traffic. For a BC it is harder. A BC must check whether the flood is
coming through it, wholly or partly. To reduce false positives and false negatives, use
Bayesian Estimation Method.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
IDIP: An Example of Anti-flood System
Example:
•
The figure represents a possible configuration of IDIP and a possible attack. The attacker a is
flooding the victim v. The flood is taking just one route through the network, passing through BCs r4,
r3, r2, and r1. They are probably routers. IV0-IV4 is each a set of indirect victims - those who cannot
communicate with v because of the attack. S1, S2, S3, S4 are other sets of BCs in the network. The
intrusion detector w can be part of v or another program.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 2: Consistent Incentive Structure
Incentive for Zombie Prevention
•
To stop the Million Zombie Flood we must make it much harder to hijack
zombies. If hosts used well known cures to well known vulnerabilities, then
they would be much harder to hijack and the Million Zombie Flood would be
much more expensive to mount. A great challenge is to induce everyone to
protect their hosts.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 2: Consistent Incentive Structure
Incentive for Zombie Prevention
• Non-Economic Approaches:
1. Sue a zombie owner:
Who can sue a million zombie owners?
2. Government regulations:
Hard to get uniform enforcement across the globe
Not necessarily the right regulations
Not fast enough to changes of technology
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 2: Consistent Incentive Structure
Incentive for Zombie Prevention
• Economic incentives:
Anti-flood participants upstream would block traffic bound for the flood's destination.
"Destination" could be a single IP address, a net, a subnet, or other unit.
Internet Service Providers (ISPs) will have an incentive to police their subscribers, or to
police them better. Consider an ISP that is not participating in the anti-flood system and
not policing its subscribers. Whenever some of its subscribers flood a victim, the antiflood system will trace the flood to the ISP and block it from sending packets to the
victim. All of the other subscribers will suffer. They will not like this, so that is the ISP's
incentive. Companies and organizations will likewise have an incentive to make sure
that their machines are not used as zombies.
In effect, the consequences of neglect (allowing hosts to be hijacked) are pushed closer
to the neglector. Now some areas of the Interact will be well policed and suffer few
flooding attacks. Other areas will be unpoliced and will suffer a lot.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Layer 2: Consistent Incentive Structure
Incentive to Join an Anti-Flood System
It helps that if more nodes support IDIP. The farther you can trace an attack, the more
selective can be your blocking. In the example, if r4 did not support IDIP, then IV3
would continue to suffer, but others would not. So if a customer wants to be able to get
to www.amazon.com even when someone is flooding it, it’s better to choose an internet
backbone with anti-flood machinery. There is a clear incentive both to the customer and
to the backbone operator.
Communication providers, and anyone who runs a router, will be motivated to offer the
anti-flood system as a quality-of-service feature. It is valuable to those downstream of
the router who may be flooded. They will be willing to pay for this protection.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Special Issue: Wireless Network Against DDoS
DDoS attacks can be a real threat in the near future given the increasing
computational power, network bandwidth, and users in the wireless Internet
economy.
Two significant events:
1. In the summer of 2000, there appeared the first preliminary virus against
mobile
phones. Eugene Kaspersky: “This is not the first and obviously not
the last security breach discovered in mobile phones. Moreover, I believe as
more functionality is added to mobile phones, it will result in more breaches
being found.”
2. The emergence of the first DDoS attack tool toward mobile phones, known as
the SMS-flooder. It tries to use the wired Internet to attack a wireless victim. First
it proliferates through Microsoft Outlook just as the Melissa virus does. Then it
commands all infected Microsoft Outlook software to send short messages
(SMS-messages) to a certain victim’s mobile phone to inundate it.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Special Issue: Wireless Network Against DDoS
Possible forms of DDoS attacks for wireless network:
1. Ones that are found on the wired Internet
2. Attacking the radio spectrum that is naturally a scarce resource
3. the attack across both the wireless and wired Internet. Given the
differences in computational power and the bandwidth between wired
and wireless devices, it is easier for an attacker to use wired devices to
initiate cross platform attacks toward wireless devices.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Special Issue: Wireless Network Against DDoS
Three different infrastructures of wireless Internet: the Wireless Extended
Internet, the Wireless Portal Network, and the Wireless Ad Hoc Network.
•
The Wireless Extended Internet: merely an extension of the wired Internet for
mobility convenience. Wireless access providers, or wireless ISPs, connect
mobile devices to fixed networks via radio frequency (RF) channels. The
traditional Client/Server architecture, as well as existing transport layer protocols
(usually TCP), is also used for the Wireless Extended Internet. Therefore, DDoS
attacks seen in the wired Internet are still feasible in the Wireless Extended
Internet.
•
•
•
•
Attacking devices using aggregated traffic.
Attacking the asymmetric structure.
Attacking the radio spectrum.
Avoiding tracing back by mobility: allowing a mobile device to send out IP datagrams
using its fixed home address rather than care-of address even if it roams away, the NonDisclosure Method (NDM) preventing the tracking of user movements by third parties…
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Special Issue: Wireless Network Against DDoS
•
The Wireless Portal Network: developed and privately owned by wireless
telecommunication providers, thus are highly centralized. Clients, contracted
content providers, and the service center become a walled community, i.e., a
reliable “security island”. It is difficult to launch attacks from outside the island.
However, the network could be vulnerable to internal attacks.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Special Issue: Wireless Network Against DDoS
DDoS attacks on the Wireless Portal Network:
•
Attacking the radio spectrum: Mimicking this natural congestion, it is possible to
disable a particular base station by simultaneously sending connection requests
and a mass of traffic from mobile zombies. As a result, all wireless devices
within this cell will not be able to connect to the network.
•
Attacking TCP/IP gateway: The TCP/IP gateway translates between wireless
bearer protocols and the Internet TCP/IP protocols. It is one crucial bottleneck in
the Wireless Portal Network.
•
Attacking value-added services: All these services are invisible outside the
portal net-works and will survive under outside DDoS flooding. But sophisticated
methods can launch attacks from devices within the portal network.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Special Issue: Wireless Network Against DDoS
Wireless Ad Hoc Network: formed temporarily by a group of mobile devices,
which have a common mission or interest. Adhering to a strict admission policy
and communication rules, all these devices form a special community of equals
to share information. There is no designated client or server.
•
The Ad Hoc Network is the best architecture against DDoS attacks: dynamic
routing protocols and mobility of the network components self-adjusting
properties.
1. It has no central server.
2. It may implement strict admission policies making it very hard for outsiders to
hack into the communication system.
3. No central point and no crucial resource means any blocked route can be
substituted by redundant links.
4. The community can reject an abnormal member by voting based on certain
admission policies.
•
The interconnection among Wireless Ad Hoc Networks through wired relay
services creates an asymmetric infrastructure in which critical points can be
attacked.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Wireless Network Against DDoS
Layer 1: Coordinated technical solutions
•
Improving the security of devices with high bandwidth connections, e.g.,3G devices, to
prevent them be used as zombies.
•
User-level traffic control: For the wireless Internet, the candidate host for traffic control
rules can be flexible: unique IDs or PINs to identify wireless devices and restricted
access functions that enable secure traffic control even if the wireless device is hacked-no software control and modification
•
Coordinated filters and tracing back: a Wireless Ad Hoc Network, filtering is not
applicable due to the symmetric structure. However, community rules, e.g., a voting
mechanism, may play the role of a central filter to decide which user device to block.
•
Server-level traffic control
•
Spread Spectrum: can’t simply say that “spread spectrum” is used and therefore
interference is not an issue.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Wireless Network Against DDoS
Layer 2: A consistent incentive structure
• An incentive structure based on usage-based fees
The direct effect of a usage-based fee is a sharp increase in the cost to zombie
devices if they are sending out attacking traffic.
With a usage-based fee structure, the owners of high-performance, highbandwidth devices will have the greatest immediate incentive to take security
actions. Specifically, such a usage-based fee plan makes ISPs more likely to
install coordinated filters and to support user-level traffic controls.
Fortunately and unlike the wired Internet industry, the wireless Internet industry
starts with usage-based fees. For example, Japanese vendor DoKoMo’s i-mode
service pricing is mainly packet based, as shown in table 1.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Wireless Network Against DDoS
Layer 2: A consistent incentive structure
•
Dynamic usage-based fees: a more targeted incentive structure against DDoS
A dynamic usage-based fee scheme deals with unpredictable congestions,
including those caused by DDoS attacks. The characteristic of a dynamic usagebased fee is the increase in unit price when congestion happens or will happen.
So the wireless device owners are more likely to set up traffic control rules in
their device to instruct to delay or cancel the data transmission when the
network is congested or approaching congestion. Therefore, even if an attacker
instruct all zombie devices to send attacking traffic at the same time, an
effectively synchronized attack is unlikely to occur.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Wireless Network Against DDoS
Layer 2: A consistent incentive structure
•
Usage-based fees can be flexible
A consistent incentive structure can be flexible in its form while still representing
the essence of a usage-based fee plan. In case that people dislike the
uncertainty and complexity associated with usage-based fees, we can adopt the
variants.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Wireless Network Against DDoS
Layer 2: A consistent incentive structure
•
A monetary incentive structure may not be available for the Wireless Ad Hoc
Network, simply because of the lack of a charging system. Instead, other
incentive mechanisms, e.g., a voting mechanism which effectively rules out a
member upon heavy radio frequency usage, can serve the same purpose.
•
For defending the Wireless Extended Internet, a usage-based fee plan is also
needed for the wired Internet, which is mainly used to prevent DDoS attacks
inside the wired Internet.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Wireless Network Against DDoS
Cost-effectiveness
Solution must be proactive and consistent with mainstream and commercial
Internet technologies. Employing these existing technologies will significantly
reduce the costs and risks in designing future wireless Internet. The Policy
Based Networking (PBN) is one promising technology for implementing usagebased fees.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Conceptual Model for Wireless Network Against DDoS
Cost-effectiveness
A usage-based fee scheme can be implemented by using PDPs and PEPs:
•
First, once the fee scheme is decided, it is implemented as a set of policies in
PDPs at the Wireless Authentication Centers.
•
Secondly, based on the fee scheme and the real-time traffic condition, a PDP
decides the pricing rules for every related mobile terminal and send these rules
as policies to PEPs on these mobile terminals.
•
Thirdly PEPs on mobile terminals enforce these pricing rules. Whenever there is
a surge in traffic, possibly caused by DDoS attacks, PEPs report the traffic
change and any possible congestion to the coordinating PDP, who in return
dynamically adjusts pricing rules according to the given fee scheme and
instructs PEPs to update their pricing rules.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
Wireless Network Against DDoS
Remarks
When DDoS attacks came to the wired Internet, the infrastructure of the
wired Internet had been stable for decades, lacking reliable
mechanisms for QoS control and incentive structures for traffic control.
As a result, it was repeatedly targeted by DDoS attacks. In comparison,
the wireless Internet industry has a chance to address DDoS attacks
before it fully matures.
September 23, 2002
Princeton University
Electrical Engineering Department
Huang
General Protections against DDoS
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Motivation
• The first computers in DARPAnet failed in
communicating, bacuase of a hand-shaking
problem, which was nothing but DoS.
• Examples:
– Code Red (July 2001)
– EFNet.org (July 2001)
– Microsoft (January 2001)
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Network Tracking Solutions
• Forward Tracing
– ICMP ECHO
– UDP
– TTL
• Backward Tracing
– Probabilistic Packet Marking
– Itrace
– SPIE
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Probabilistic Packet Marking
• Properties
– ID Field of IP
– Encryption
• Disadvantages
–
–
–
–
–
Requires High Volume of Traffic
Some applications use ID Field
Low Probability/Heavy Processing
Hardware Acceleration?
IPv6 doesn’t have ID field
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
ITrace
• Send a Packet
• Why Low Probability?
• Why probability pseudo random? Why not
just a counter?
• Higher volume of traffic
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
SPIE
• Traffic Logging
• Bloom Filtering
• Hash Function (k functions map to n bit
target space)
• High correlation between the headers?
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Computer Based Protection
•
•
•
•
•
Intrusion Detection Systems
Utilizing Basic Protections, SYN Cookies
Secure Operating Systems
Filtering, Firewalls
Security Updates and Tools
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Intrusion Detection Systems
Anomaly Based
Signature Based
Anomaly Based vs.
Signature Based
• Network Based
• Host Based
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Operating System
• Windows NT5/XP? Spoofing
• Linux
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Filtering
• Ingress Filtering
• Egress Filtering
– ISP Responsibility – Good Neighbor Network
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Problems with Filtering
• Local Domain Spoofing
• Non-Spoofing Attacks
• Spoofing Necessary
– Some Wireless Applications
– Inter-network Connections
• Requires Processing Power
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Filtering In Detail
• What can be filtered?
• Case Study on Reflectors
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Defending Against Reflectors
• Ingress Filtering
– Solves Everything?
– Recursive DNS Queries
– HTTP Proxy Request
• Signature Catch
– Wide screen deployment of Filtering
– Complex, heavy processing
– Impractical for large volume of traffic
• Trace Back
– Heavy Deployment of new Software
– There are many different Software Vendors
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
What can be filtered?
IP
Comments
Version
Insignificant
Header Length
Insignificant
TOS/DSCP
Could Be Useful
Length
Insignificant
Fragments
If Not Using NFS, AFS, GRE
TTL
None (is it?)
Protocol
None
Checksum
None
Source
????
Destination
????
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
What Can Be Filtered?
ICMP
Comments
Request/Reply
Filterable
Problem
Filterable
TCP
Comments
Source Port
Not Much, Depends
SYN ACK
Not Much, Depends
RST
Dangerous
Sequence numbers
DANGEROUS!
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
What Can Be Filtered?
UDP
Comments
Connectionless
No big deal
Length
Insignificant
Checksum
Insignificant
September 23, 2002
Princeton University
Electrical Engineering Department
Bayazit
Defending Against DDoS – Traffic Tracking
•
•
•
•
Network Traffic Tracking Systems (NTTS)
Model of Network Anonymity
Desirable Properties of an NTTS
Three Model Environments
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Network Traffic Tracking Systems [8]
• NTTS (Network Traffic Tracking Systems)
– System to track network traffic
– Difficult to track network traffic due to:
• Spoofing (network traffic source is a lie)
• Redirection (network entity receives traffic and edits
it in some way before resending)
– Issues
• NTTS – can be successful in a closed environment
with strong infrastructure
• In an open, global network (Internet) it is not
possible to deploy a perfect NTTS
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Model of Network Anonymity [8]
•
•
•
•
Addition of User Session Layer to 7 layer
OSI Model.
User Session Layer – models the
behavior of user login sessions in which
a user logs into a node by way of some
application, performs some action, and
eventually logs off.
User Session Layer allows for “island
hopping” and relaying. A relay node is a
network node that accepts a flow from
the network attack, possibly modifies it,
and passes it on to another node on the
network.
Typical attacks use multiple relays in a
serial connection. The last serial node is
left with attacker’s print, and previous
serial relays are undisclosed, including
the location/information of the attacker.
September 23, 2002
User Session Layer
Application Layer
Presentation Layer
Network Session Layer
Transport Layer
Privacy
Sensitivity
Network/Internetwork
Layer
Data Link Layer
Physical Layer
Princeton University
Electrical Engineering Department
Specht
Desirable properties of an NTTS [8]
• Accuracy
– Probability that source found for a certain piece of network traffic
will be correct
– Accuracy needed to get legal search warrant
• Precision
– Level of specificity that the NTTS identifies the source (i.e. NTTS
may identify the host, but not sub-network)
• Resist Subversion
• Low Overhead (bandwidth, processing, memory)
• Low Cost
• Scalability (sizing + full vs. partial network coverage)
• Realtime vs. Non-realtime tracing
• Privacy and Control
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
Three Model Environments [8]
•
Closed Model
–
–
–
–
–
•
Academic Model
–
–
–
–
•
Central authority controls all network hosts
Independent network, not connected to outside networks
All packet information and logs stored
Limited end-user privacy expectations (corporate networks)
Tracing higher protocol layers is easiest
Central authority controls network that connects hosts, but not hosts directly
Limitations due to host relaying and high overhead
Privacy issues would exist with end-users
Possible to trace low level protocols, but high level protocols are difficult
Internet Model
–
–
–
–
–
–
No Authority controls hosts
Modify internetworking protocols to provide “traceability”
Issues of cost and overhead
Scalability is on the order of millions of systems
Privacy Issues
Internet spans multinational/multi-government regions
September 23, 2002
Princeton University
Electrical Engineering Department
Specht
References
1.
2.
3.
4.
5.
6.
7.
8.
Karig, David and Ruby Lee. Remote Denial of Service Attacks and Countermeasures, Princeton
University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
Kargl, Frank, Joern Maier, and Michael Weber. Protecting Web Servers from Distributed Denial
of Service Attacks. WWW10, May 1-5 Hong Kong. ACM 1-58113-348-0/01/0005.
Stein, Lincoln. The World Wide Web Security FAQ, Version 3.1.2, February 4, 2002.
http://www.s3.org/security/faq/ - visited on October 1, 2002.
Dittrich, David. The DoS Project’s “trinoo” Distributed Denial of Service Attack Tool.
University of Washington, October 21, 1999.
http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt – visited on October 1, 2002
Dittrich, David. The “Tribe Flood Network” Distributed Denial of Service Attack Tool.
University of Washington, October 21, 1999.
http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt – visited on October 1, 2002
Dittrich, David. The “stacheldraht” Distributed Denial of Service Attack Tool. University of
Washington, December 31, 1999.
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt – visited on October 1, 2002
Gibson, Steve. The Strange Tale of the Denial of Service Attacks Against GRC.com. Gibson
Research Corporation, March 5, 2002. http://grc.com/dos/grcdos.htm
Daniels, Thomas E. and Eugene H. Spafford. Network Traffic Tracking Systems: Folly in the
Large? Center for Education and Research in Information Assurance and Security (CERIAS).
Lafayette, IN, ©2001.
September 23, 2002
Princeton University
Electrical Engineering Department
Specht