Transcript Lecture 17
Network Denial of Service
Attacks
Advanced Network Security
Peter Reiher
August, 2014
Advanced Network Security
Lecture 17
Page 1
Outline
• Denial of service in networks
– Basic methods
• Non-distributed denial of service
attacks
Advanced Network Security
Lecture 17
Page 2
Denial of Service Attacks
• Unlike other forms of hacking, the goal
isn’t access
• Or theft of information or services
• The goal is to stop your service from
operating
– To deny service to legitimate users
• Generally temporarily
– Usually during duration of attack
Advanced Network Security
Lecture 17
Page 3
Attacker Motivations
•
•
•
•
•
Sometimes extortion
Sometimes political in nature
Sometimes personal feuds
Sometimes as distractions
Many other possible motivations
Advanced Network Security
Lecture 17
Page 4
How Can Service Be Denied?
• Lots of ways
– Crash your machine
– Crash routers on the path to your machine
– Fool a protocol into behaving badly
– Use up a key machine resource
– Use up a key network resource
• Using up resources is the most common
approach
Advanced Network Security
Lecture 17
Page 5
•
•
•
•
What Resources Can Be Used
Up?
Network bandwidth
Processing power
RAM
Network stack resources
– E.g., records of open connections
• Operating system or application resources
– E.g., entries in a hash table
Advanced Network Security
Lecture 17
Page 6
Simple Denial of Service Attacks
• One machine tries to overload another machine
• E.g., send more packets than the target can handle
• There is a fundamental problem for the attacker:
– The attack machine must be “more powerful”
than the target machine
– Otherwise, the attack machine can’t generate
enough packets
• The target machine might be a powerful server
• Can one typical client machine generate enough
work to overcome a powerful server?
Lecture 17
Advanced Network Security
Page 7
A Flooding Attack
Advanced Network Security
But does it
actually deny
service here?
Lecture 17
Page 8
The Problem With This Attack
• The attacking computer is usually a
home machine or office workstation
• Maybe it’s got outgoing bandwidth of
10Mbps
• The target is usually a server
• Maybe it’s got incoming bandwidth of
1 Gbps
• The target barely notices the attack
Advanced Network Security
Lecture 17
Page 9
“Solving” This Problem
• How can an attacker overwhelm a
machine with more resources than his?
• Two possibilities:
– Find a way to make the target pay
more per message than the attacker
– Use more than one machine to attack
Advanced Network Security
Lecture 17
Page 10
Solution 1: Make The Target
Pay More
• Usually the attacker’s limited resource
is bandwidth
– Sometimes processor power
• Try to attack some other resource
– Using small amount of bandwidth to
use a lot of this resource
• Another option: a reflector attack
Advanced Network Security
Lecture 17
Page 11
Denial of Service and
Asymmetry
• Sometimes generating a request is cheaper than
formulating a response
• If so, one attack machine can generate a lot of
requests
• And effectively multiply its power
• E.g., send random garbage packets to a machine
expecting encrypted packets
• Not always possible to achieve this asymmetry
• But often can be done
Advanced Network Security
Lecture 17
Page 12
An Example: SYN Flood
• TCP is connection-oriented
• Endpoints must keep information about
current TCP connections
– To detect packet loss
– For flow control and congestion
management
So attack this
• Typically kept in a table table, not the
bandwidth!
• Of fixed size . . .
Advanced Network Security
Lecture 17
Page 13
The TCP Open Connection Table
• Designed to support many TCP connections at a
time
– E.g., for high volume web server
• One entry per connection
• Reuse an entry once the connection ends
• Some legitimate connections will be slow
– So must not discard seemingly inactive
connection too soon
• But some legitimate connections will be dropped
– Eventually get rid of unused open connection
Advanced Network Security
Lecture 17
Page 14
The Basic Attack
• Attacker uses initial request/response
to start TCP sessions
• Then he abandons them
• Target keeps them open for a while
• Filling up the server’s open connection
table
• Preventing new real TCP sessions
Advanced Network Security
Lecture 17
Page 15
Why Is This Better Than Simple
Flooding?
• You can reserve a connection table slot
with one short message
• The slot will be used for a significant
period of time
– Even if you never make progress
• Provides attacker with good
asymmetry
Advanced Network Security
Lecture 17
Page 16
Normal SYN Behavior
SYN
SYN/ACK
ACK
Table of open TCP
connections
Advanced Network Security
Lecture 17
Page 17
A SYN Flood
SYN
SYN
SYN/ACK
Server can’t Table of open TCP
fill request!
connections
Advanced Network Security
Lecture 17
Page 18
Why Doesn’t the Attacker Send
an ACK?
• The attacker could send the second
message (the ACK)
– Then send no more messages
• Why wouldn’t he do that?
• Two reasons:
– Can you figure out what they are?
Advanced Network Security
Lecture 17
Page 19
How To Defend?
• Don’t let the attacker take too many
open connection slots
– Maybe restrict to three or four per IP
address
• Doesn’t help if attacker has a lot of
machines
• Doesn’t help if attacker spoofs IP
address
Advanced Network Security
Lecture 17
Page 20
Another Defensive Option
• Drop unused connections more
aggressively
– So half-open connections don’t
waste the resource as long
• Bad impact for slow legitimate clients
• Only requires slight speed-up by
attacker
Advanced Network Security
Lecture 17
Page 21
A Third Defensive Option
• Preferred clients
• Save most of your slots for their
known good IP addresses
• If attacker uses up the rest, doesn’t
impact your core clients
• Often not an option
• Problematic in face of IP spoofing
Advanced Network Security
Lecture 17
Page 22
A Fourth Defensive Option
• Increase the attacker’s cost
• Make him pay something for getting
the open connection table entry
• If the cost is high enough, he can’t
afford to fill my table
• What “currency” can we make him pay
in, though?
Advanced Network Security
Lecture 17
Page 23
Some Constraints on This Option
• We can’t change the TCP protocol
– A common theme when trying to protect
the Internet
– You can never change a widely deployed
protocol
• We can’t expect users to change the
software on their machines
• We can’t save information about connection
requests
Advanced Network Security
Lecture 17
Page 24
And no changes
to TCP protocol
itself
KEY POINT:
Server doesn’t
need to save
Client IP address cookie value!
SYN Cookies
SYN/ACK number is
secret function of
various information
& port, server’s
IP address and
port, and a timer
No room in the table,
so send back a SYN
cookie, instead
Server recalculates cookie to
determine if proper response
Advanced Network Security
Lecture 17
Page 25
Good Aspects of This Approach
• Doesn’t change TCP protocol
• Doesn’t require clients to do anything
they would not usually do
• Doesn’t require server to save any
information
• Can be turned on and off easily
• We would like many network security
solutions to be like this one
Advanced Network Security
Lecture 17
Page 26
General Single Machine Denial
of Service
• Usually dangerous only if there is an
asymmetry in resource use
• Usually easy to defeat if you figure out
what site is doing it
– Just drop all packets from that site
• Not typically a major threat on the
Internet
Advanced Network Security
Lecture 17
Page 27
Denial of Service as a Distraction
• Attackers sometimes perform denial of
service attacks just to distract
• Sysadmins will be occupied dealing
with them
• While attackers do their real work
somewhere else
• As defender, be aware that this could
happen
Advanced Network Security
Lecture 17
Page 28
Conclusion
• Denial of service attacks availability
– Sometimes used for other purposes
• Most often based on exhausting a
resource at the victim
– Any resource is a possible target
• Defense mechanisms must operate well
with ordinary behaviors
Advanced Network Security
Lecture 17
Page 29