Transcript DDoS

(Distributed) Denial of Service
• Relatively new development.
– Feb 2000 saw attacks on Yahoo, buy.com, eBay, Amazon, CNN.
• One form of DDoS attack simply saturates the network.
– Prevents legitimate use of resources such as Web services.
• Another form exploits vulnerabilities to crash machines.
• Results in degradation of services on the network.
– Locked up accounts.
________________
CS3235, Nov 2002
A Simple DOS attack
[Figure: a single Attacker sends traffic directly to the Victim.]
[Figure: the Attacker controls a Zombie, which sends the traffic to the Victim on the attacker's behalf.]
Zombies galore
[Figure: DDoS Attack. Many zombies, all under the attacker's control, flood the Victim at once.]
DDoS
• Many more pathways are used to reach the victim.
• Can involve hundreds or thousands of machines all over the Internet. Building the zombie network:
– Break into weakly-secured computers using well known bugs.
– Conceal the break-in and hide traces of subsequent activity.
– Install software to "remote control" the machine.
• Launch a coordinated attack on the victim.
Flooding Attacks
• Smurf attack.
– Send ICMP ECHO requests to a network's broadcast address with the victim's address as the forged source; every host on that network replies to the victim (amplification).
• TCP SYN attack.
– Send TCP SYN segments to the victim with forged, non-existent source addresses; the SYN/ACKs are never answered and the victim's table of half-open connections fills up.
• UDP flooding
– Send UDP datagrams at high volume to ports on the victim machine.
Logic Attacks
• Ping of Death
– Construct an ICMP ECHO datagram as IP fragments such that the reassembled datagram exceeds the 65,535-byte maximum size of an IP datagram; the reassembly buffer overflows and the victim crashes.
• Land
– Send a TCP SYN whose source address and port equal the destination address and port, i.e. the victim's own; the victim ends up answering itself and locks up.
Defeating DDoS
• Egress filtering.
– Stop spoofed packets from leaving your network: drop anything whose source address is not in your own address range.
• Stop your network from being used as an amplification site.
– Disable forwarding of IP directed broadcasts on all routers, so that packets addressed to a subnet's broadcast address are not delivered to every host on it.
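The two defences above as a border-router policy, written as an added example for these notes (not code from the original slides). The address block 192.0.2.0/24 and the sample packets are constructed; "out" means the packet is leaving our network, "in" that it is entering. Egress filtering drops outbound packets with a source we do not own, the matching ingress rule drops inbound packets that claim one of our addresses, and the directed-broadcast rule refuses packets aimed at our broadcast address so the subnet cannot be used as a smurf amplifier.

```python
import ipaddress

# Address block assigned to "our" network. Constructed for this example.
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample of packets crossing the border router:
# (direction, source, destination); "out" leaves our network, "in" enters it.
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "198.51.100.5"),    # normal outbound traffic
    ("out", "203.0.113.77", "198.51.100.5"),  # outbound with a source we do not own: spoofed
    ("in", "198.51.100.5", "192.0.2.10"),     # normal inbound traffic
    ("in", "192.0.2.44", "192.0.2.10"),       # inbound claiming to be one of us: spoofed
    ("in", "198.51.100.9", "192.0.2.255"),    # inbound to our broadcast address: smurf amplification
]


def filter_decision(direction, src, dst, prefix=OUR_PREFIX):
    """Border-router policy for one packet: 'accept' or 'drop: <reason>'."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if direction == "out":
        # Egress filtering: nothing may leave with a source address that is
        # not ours, so our hosts cannot be used to send spoofed floods.
        if s not in prefix:
            return "drop: egress source not in our prefix (spoofed)"
    elif direction == "in":
        # Ingress filtering: a packet arriving from outside cannot
        # legitimately carry one of our own addresses as its source.
        if s in prefix:
            return "drop: ingress source claims our prefix (spoofed)"
        # Directed broadcast: a packet from outside aimed at our broadcast
        # address would make every host on the subnet answer, i.e. smurf.
        if d == prefix.broadcast_address:
            return "drop: directed broadcast (smurf amplification)"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "accept"


def apply_filters(packets=SAMPLE_PACKETS):
    """Apply the policy to each packet; returns (src, dst, decision) triples."""
    return [(src, dst, filter_decision(direction, src, dst))
            for direction, src, dst in packets]


if __name__ == "__main__":
    for src, dst, decision in apply_filters():
        print(f"{src:>15} -> {dst:<15} {decision}")
```

The egress rule is the one the slide asks for; the ingress rule is its mirror image and costs nothing extra once the router knows its own prefix. Neither rule stops a flood aimed at you from elsewhere, it only stops your network from being the source of one.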
Countering DOS
• Simple cookies
– The server answers the first message with a cookie and only does real work once the client sends it back; a forged source address never sees the cookie.
– Drawback: the server would need to remember the cookies it has issued.
[Figure: (1) A sends START PROTOCOL to B; (2) B replies with cookie C; (3) A sends C, REALLY START PROTOCOL.]
• TCP SYN cookies (http://cr.yp.to/syncookies.html)
– Particular choices of the server's initial sequence number (ISN) in the SYN/ACK; no half-open connection state is kept.
– Self verifying: e.g., MD5(secret, time, src ip, src pt, dest ip, dest pt). The client's ACK carries ISN+1, so the server recomputes the value and compares.
[Figure: a SYN arrives; the server answers with a STATELESS COOKIE as its ISN.]
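A stateless SYN cookie in the shape the slide describes, added here as an example (not code from the slides or from the cr.yp.to page). The secret, the 64-second time slot and the 5-bit time field in the top of the ISN are assumptions for the demo; the slide's MD5 is replaced by HMAC-SHA256 truncated to the remaining 27 bits, and Bernstein's MSS encoding is left out. The server stores nothing per SYN: the cookie is recomputed from the 4-tuple and the clock when the ACK arrives.

```python
import hashlib
import hmac
import socket
import struct

# Server-side secret. Constructed for this example; a real stack uses random,
# periodically rotated secrets.
SECRET = b"syn-cookie-secret-constructed-for-example"

TIME_BITS = 5                 # low 5 bits of the 64-second counter, in the top of the ISN
HASH_BITS = 32 - TIME_BITS    # remaining 27 bits carry the truncated MAC
SLOT_SECONDS = 64             # one counter tick = 64 s
MAX_AGE_SLOTS = 4             # accept cookies up to about 4 minutes old


def _mac(t, src_ip, src_port, dst_ip, dst_port):
    """Keyed hash over (time, src ip, src port, dst ip, dst port), HASH_BITS wide.
    The slide writes MD5(secret, time, ...); HMAC-SHA256 is used here instead."""
    msg = struct.pack("!I4sH4sH", t & 0xFFFFFFFF,
                      socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def make_syn_cookie(now, src_ip, src_port, dst_ip, dst_port):
    """ISN for the SYN/ACK answering a SYN. Nothing is stored on the server."""
    t = int(now) // SLOT_SECONDS
    time_field = (t & ((1 << TIME_BITS) - 1)) << HASH_BITS
    return time_field | _mac(t, src_ip, src_port, dst_ip, dst_port)


def check_syn_cookie(ack_number, now, src_ip, src_port, dst_ip, dst_port):
    """Validate the client's ACK (which carries ISN + 1). True only if the
    cookie was minted by us for this 4-tuple within the last MAX_AGE_SLOTS."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    t_low = isn >> HASH_BITS
    mac = isn & ((1 << HASH_BITS) - 1)
    t_now = int(now) // SLOT_SECONDS
    # Recover the full counter value from its low TIME_BITS bits, trying only
    # the slots we are still willing to accept.
    for age in range(MAX_AGE_SLOTS + 1):
        t = t_now - age
        if (t & ((1 << TIME_BITS) - 1)) != t_low:
            continue
        expected = _mac(t, src_ip, src_port, dst_ip, dst_port)
        return hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big"))
    return False   # too old, or time bits never matched


if __name__ == "__main__":
    now = 1_036_000_000
    # A flood of spoofed SYNs costs the server one hash each and no memory...
    for port in range(1024, 1034):
        make_syn_cookie(now, "203.0.113.5", port, "192.0.2.80", 80)
    # ...while a real client that returns ISN+1 is accepted.
    isn = make_syn_cookie(now, "198.51.100.7", 40000, "192.0.2.80", 80)
    print(check_syn_cookie(isn + 1, now + 3, "198.51.100.7", 40000, "192.0.2.80", 80))
```

The price of statelessness is that the server forgets the client's options (window scale, SACK, MSS beyond the few values Bernstein encodes) and that an attacker who can sniff the SYN/ACK gets the cookie for free; the win is that a flood of spoofed SYNs costs one hash per packet and no memory.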
Countering DOS
• Require clients to do work in order to connect [Juel99].
– E.g., find the 27-bit number whose SHA checksum is x: the client must try up to 2^27 hashes, while the server checks the answer with one.
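The puzzle as the slide phrases it, added here as an example (not code from the slides and not the exact construction of [Juel99], which hands the client a partial preimage). Assumptions: a server secret, SHA-1 as the "SHA checksum", a random-looking nonce prefixed to the unknown number so the puzzle differs per client and per 30-second slot, and 16 bits of difficulty instead of 27 so the demo finishes in a fraction of a second. Both the nonce and the expected answer are derived from the secret, so the server keeps no per-puzzle state and verifies with two HMACs.

```python
import hashlib
import hmac
import struct

# Server-side secret, constructed for this example.
SECRET = b"client-puzzle-secret-constructed-for-example"
PUZZLE_BITS = 16       # the slide says 27 bits; 16 keeps the demo at 65,536 hashes
SLOT_SECONDS = 30      # puzzles expire after MAX_AGE_SLOTS slots
MAX_AGE_SLOTS = 1


def _nonce(slot, client):
    """Per-client, per-slot nonce derived from the secret, so the server need
    not remember which puzzles it handed out."""
    msg = struct.pack("!Q", slot) + client.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]


def _solution(nonce, bits):
    """The answer the server expects, also derived from the secret."""
    raw = hmac.new(SECRET, nonce, hashlib.sha256).digest()[:4]
    return int.from_bytes(raw, "big") & ((1 << bits) - 1)


def _image(nonce, s):
    """SHA-1 of nonce || s; this is the 'checksum x' the client is given."""
    return hashlib.sha1(nonce + struct.pack("!I", s)).digest()


def issue_puzzle(now, client, bits=PUZZLE_BITS):
    """Server -> client: (nonce, x). Find the bits-bit s with SHA1(nonce||s) == x."""
    slot = int(now) // SLOT_SECONDS
    nonce = _nonce(slot, client)
    return nonce, _image(nonce, _solution(nonce, bits))


def solve_puzzle(nonce, x, bits=PUZZLE_BITS):
    """Client work: brute force the 2**bits candidates (2**(bits-1) hashes on average)."""
    for s in range(1 << bits):
        if _image(nonce, s) == x:
            return s
    raise ValueError("no solution in range")


def verify_solution(now, client, nonce, s, bits=PUZZLE_BITS):
    """Server work: a couple of HMACs, no brute force and no stored state.
    Rejects stale nonces and nonces issued to a different client."""
    slot_now = int(now) // SLOT_SECONDS
    for age in range(MAX_AGE_SLOTS + 1):
        if hmac.compare_digest(nonce, _nonce(slot_now - age, client)):
            return s == _solution(nonce, bits)
    return False


if __name__ == "__main__":
    now = 1_036_000_000
    client = "198.51.100.7:40001"
    nonce, x = issue_puzzle(now, client)
    s = solve_puzzle(nonce, x)
    print(s, verify_solution(now, client, nonce, s))
```

Difficulty is tuned by `bits`: each extra bit doubles the client's expected work and leaves the server's cost unchanged, which is the asymmetry the slide is after. A server would normally issue puzzles only while under load, so ordinary clients pay nothing in quiet times.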
References
[Juel99] Juels, A. and Brainard, J., "Client Puzzles: A Cryptographic Countermeasure against Connection Depletion Attacks", Proceedings of the Network and Distributed System Security Symposium (NDSS), 1999.