slides - The Fengs
Distributed Denial-of-Service (DDoS)
Ho Jeong AN
CSE 525 – Adv. Networking
Reading Group #8
Reading Group #8 – DDoS
Papers
F. Kargl, J. Maier, M. Weber, "Protecting Web Servers from Distributed Denial of Service Attacks", WWW 2001
V. Paxson, "An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks", CCR vol. 31, no. 3, July 2001
Catherine Meadows, "A cost-based framework for analysis of denial of service in networks", Journal of Computer Security, 9(1-2):143-164, 2001
Classification of IT Attacks
Denial of Service (DoS)
Main goal of the attack is the disruption of service
Intrusion
Intention is simply to get access to a system and to circumvent certain barriers
Information Theft
Main goal of the attack is access to restricted, sensitive information
Modification
Attacker tries to alter information.
Definition of DoS
WWW Security FAQ (http://www.w3.org/Security/FAQ)
… an attack designed to render a computer or network
incapable of providing normal services …
J.D. Howard (http://www.cert.org)
… Denial-of-service can be conceived to include both
intentional and unintentional assaults on a system's
availability. The most comprehensive perspective would be
that regardless of the cause, if a service is supposed to be
available and it is not, then service has been denied ...
Definition of DDoS
WWW Security FAQ (http://www.w3.org/Security/FAQ)
… A Distributed Denial of Service attack uses many computers to launch a coordinated DoS attack against one or more targets. …
DoS attack Classification
System Attacked
Router
Firewall
Load-balancer
Individual web server
Supporting services (e.g. database servers)
Part of the system attacked
Hardware failure
OS or TCP/IP stack of host/router
Application level (e.g. web server, database servers)
Bug or overload
Bugs
Overload
DoS attack Classification
Example
Cisco 7xxx routers with IOS/700 Software version 4.1(1)/4.1(2)
Jolt2 – targeting most Microsoft Windows Systems
(98/NT4/2000)
MIIS version 4.0/5.0
Smurf
SYN Flood
Apache MIME flooding/Apache Sioux Attack
DDoS tools
Trinoo
Tribe Flood Network (TFN)
Trinoo’s UDP flooding, TCP SYN and ICMP flood
TFN2K
Known to the first DDoS tools
UDP flooding
Encrypted communication between components
TARGA attack
stacheldraht
ICMP, UDP and TCP SYN flooding
Update to agents automatically
DDoS Protection Environment
Linux Kernel
Immune to Teardrop, TARGA
tcp_syn_cookie enabled against SYN flood attack
Load Balancer
Linux Virtual Server against overload attack
DDoS Protection Environment
ipchains Firewall
Only port 80 is reachable directly
Only ICMP host unreachable messages are accepted
Class Based Queuing
Function of the Linux kernel
Sets up different traffic queues
Determines which packets to put in which queue
Assigns a bandwidth to each queue
DDoS Protection Environment
Traffic Monitor
Monitor
Thread 1: monitors inbound and outbound packets
Thread 2: checks the hashtable
Thread 3: server thread
Manager
Analyzes the supplied data
Sorts the IPs into one of several classes, class 1 through class 4
Test 1: HTTP attack using http_load and a static HTML database
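A minimal model of the monitor/manager pair described above, added here as an illustration (not code from the slides or from Kargl et al.). The measurement window, the class thresholds, the class-to-bandwidth mapping and the packet records are all constructed assumptions.

```python
from collections import defaultdict

WINDOW_MS = 10_000  # assumed measurement window (10 s)
# Assumed request-count thresholds per window for the restricted classes; a source
# below every threshold stays in class 1, the unrestricted class.
CLASS_THRESHOLDS = [(4, 200), (3, 100), (2, 50)]
CBQ_BANDWIDTH = {1: "unlimited", 2: "512kbit", 3: "128kbit", 4: "32kbit"}  # assumed

# Constructed inbound port-80 packet records: (timestamp in ms, source address).
PACKETS = ([(t * 40, "10.0.0.7") for t in range(300)]        # 25 req/s: flooding
           + [(t * 100, "10.0.0.8") for t in range(100)]     # 10 req/s: elevated
           + [(t * 1000, "192.0.2.44") for t in range(12)])  # 1 req/s: ordinary

def count_requests(packets, now_ms, window_ms=WINDOW_MS):
    """Threads 1 and 2: the hashtable of per-source packet counts inside the window."""
    table = defaultdict(int)
    for ts, src in packets:
        if now_ms - window_ms < ts <= now_ms:
            table[src] += 1
    return dict(table)

def classify(table):
    """Manager: sort each source into class 1 through 4 by its count in the window."""
    return {src: next((cls for cls, limit in CLASS_THRESHOLDS if count >= limit), 1)
            for src, count in table.items()}

def cbq_plan(classes):
    """Bandwidth the CBQ queue holding each source's traffic would be assigned."""
    return {src: CBQ_BANDWIDTH[cls] for src, cls in classes.items()}

if __name__ == "__main__":
    table = count_requests(PACKETS, now_ms=12_500)
    for src, cls in classify(table).items():
        print(f"{src:12} {table[src]:4d} req/window -> class {cls}, {CBQ_BANDWIDTH[cls]}")
```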
Conclusion
DDoS attacks are a substantial threat to today's Internet infrastructure
The solution to the problem of handling massive HTTP overload requests is based on class based routing and active traffic monitoring
DDoS attack by using reflector
Reflector
Any IP host that will return a packet if it receives a request
Any web server, DNS server or router
ICMP
The victim eventually receives a "huge" number of messages, clogging every single path to the victim from the rest of the Internet
Defense against Reflector
Ingress filtering: the traffic is generated by the reflector; requires widespread deployment of filtering
Reflector-enabled filtering (our pick)
Deploy traceback mechanism: enormous deployment difficulties
IDS: widespread deployment of security technology
Filtering out reflector replies
IP: version, header length, TOS/DSCP, length, ID, fragments, TTL, protocol, checksum, source, destination
Filtering out reflector replies
ICMP: request/response, generated ICMP messages
TCP: source port, SYN-ACK, RST, guessable sequence number, T/TCP
Filtering out reflector replies
UDP
DNS: DNS reply, DNS recursive query
SNMP
HTTP proxy server
Gnutella (TCP application)
Other UDP applications
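A small stateful filter for the reply types listed on the three slides above (TCP SYN-ACK and RST, ICMP echo reply, DNS response), added here as an illustration and not taken from the slides or from Paxson's paper: a reply is kept only if the protected host sent the matching request. The packet records, the field names and the addresses are constructed for this example.

```python
from collections import namedtuple

# direction is "out" (sent by the protected host) or "in"; qid is the DNS
# transaction id for UDP/53 traffic and None otherwise.
Pkt = namedtuple("Pkt", "direction proto src dst sport dport kind qid")

# Packet kinds that a reflector emits in response to a request with a spoofed source.
REPLY_KINDS = {"tcp": {"SA", "R"}, "icmp": {"echo-reply"}, "udp": {"dns-response"}}

def flow_key(p):
    """(proto, remote addr, remote port, local port, qid): identical for request and reply."""
    if p.direction == "out":
        return (p.proto, p.dst, p.dport, p.sport, p.qid)
    return (p.proto, p.src, p.sport, p.dport, p.qid)

def is_reply(p):
    return p.direction == "in" and p.kind in REPLY_KINDS.get(p.proto, set())

def unsolicited_replies(packets):
    """Inbound replies with no outstanding request from the host: the reflector signature."""
    outstanding, dropped = set(), []
    for p in packets:
        if p.direction == "out":
            outstanding.add(flow_key(p))           # the host asked for something
        elif is_reply(p):
            if flow_key(p) in outstanding:
                outstanding.discard(flow_key(p))   # answers a real request: allow
            else:
                dropped.append(p)                  # nothing asked for it: drop
    return dropped

H = "198.51.100.5"  # the protected host (constructed address)
PACKETS = [
    Pkt("out", "tcp", H, "203.0.113.10", 40000, 80, "S", None),
    Pkt("in", "tcp", "203.0.113.10", H, 80, 40000, "SA", None),               # legitimate
    Pkt("in", "tcp", "203.0.113.77", H, 80, 51000, "SA", None),               # reflected SYN-ACK
    Pkt("in", "tcp", "203.0.113.78", H, 22, 51001, "R", None),                # reflected RST
    Pkt("out", "udp", H, "203.0.113.53", 53001, 53, "dns-query", 0x1234),
    Pkt("in", "udp", "203.0.113.53", H, 53, 53001, "dns-response", 0x1234),   # legitimate
    Pkt("in", "udp", "203.0.113.54", H, 53, 53002, "dns-response", 0x9ABC),   # reflected
    Pkt("in", "icmp", "203.0.113.99", H, 0, 0, "echo-reply", None),           # reflected
    Pkt("in", "tcp", "203.0.113.80", H, 44444, 80, "S", None),                # new connection, not a reply
]

if __name__ == "__main__":
    for p in unsolicited_replies(PACKETS):
        print("drop", p.proto, p.kind, "from", p.src)
```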
Implications of reflector attacks
for traceback
A major advantage to attackers in using reflectors in a DDoS attack is that traceback is difficult
Low volume flows – SPIE
HTTP proxies
Logging
Reverse ITRACE
Conclusion
DDoS attacks using reflectors pose several significant threats
The most serious threats are:
TCP guessable sequence numbers
DNS queries to name servers
Gnutella
Defender vs. Attacker
Defense against attack
Increase the resources of the defender
Introduce authentication
Goal of attacker
Waste the resources of the defender
Keep the defender from learning the attacker's identity
Formal methods are a good way to address these problems.
Station to Station protocol
The Station to Station protocol is a protocol that makes use of the Diffie-Hellman protocol together with digital signatures in order to exchange and authenticate keys between two principals.
A -> B : X_A
B -> A : X_B, E_K(S_B(X_B, X_A))
A -> B : E_K(S_A(X_A, X_B))
Station to Station protocol
A -> B : preexp1, storename1 || X_A || storeonce1, storename2, accept1
B -> A : preexp1, sign1, exp1, encrypt1 || X_B, E_K(S_B(X_B, X_A)) || checkname1, retrievenonce1, exp2, decrypt1, checksig1, accept2
A -> B : sign2, encrypt2 || E_K(S_A(X_A, X_B)) || checkname2, retrievenonce2, decrypt2, checksig2, accept3
Station to Station protocol
Compute the attack cost functions and the protocol engagement cost functions for each accept event
Compute the attack cost functions and the message processing cost functions for each verification event
Station to Station protocol
It is vulnerable to DoS attack in several places
First message: an intruder could mount Lowe's attack
Solution
Cookie exchange
Lowe's attack – include the identity of the intended receiver
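A small model of the cost-based analysis applied to the responder B in the annotated Station to Station run above and to the cookie-exchange fix, added here as an illustration (not code from the slides or from Meadows' paper). The cost levels, the per-operation costs, the attacker costs, the cookie operation names and the tolerance relation are all assumptions chosen for this example.

```python
CHEAP, MEDIUM, EXPENSIVE, UNBOUNDED = 1, 2, 3, float("inf")

# Assumed cost of each operation family named in the annotated protocol.
OP_COST = {"preexp": CHEAP, "storename": CHEAP, "storeonce": CHEAP,
           "checkname": CHEAP, "retrievenonce": CHEAP, "accept": CHEAP,
           "makecookie": CHEAP, "checkcookie": CHEAP,
           "encrypt": MEDIUM, "decrypt": MEDIUM,
           "exp": EXPENSIVE, "sign": EXPENSIVE, "checksig": EXPENSIVE}

def op_cost(op):
    """'sign1' -> cost of 'sign': the trailing instance number is dropped."""
    return OP_COST[op.rstrip("0123456789")]

# Each row: (event, B's operations performed to reach it, cost to an intruder
# impersonating A of forcing B to that event).  Assumptions: a forged first message
# from a spoofed address is CHEAP; a valid third message needs A's signing key, so
# it is UNBOUNDED; echoing a cookie means giving up address spoofing, priced EXPENSIVE.
STS_RESPONDER = [
    ("accept1",   ["storeonce1", "storename2"], CHEAP),
    ("send2",     ["preexp1", "sign1", "exp1", "encrypt1"], CHEAP),
    ("checksig2", ["checkname2", "retrievenonce2", "decrypt2", "checksig2"], CHEAP),
    ("accept3",   [], UNBOUNDED),
]
STS_WITH_COOKIE = [
    ("sendcookie",  ["makecookie1"], CHEAP),
    ("checkcookie", ["checkcookie1", "storeonce1", "storename2"], EXPENSIVE),
    ("send2",       ["preexp1", "sign1", "exp1", "encrypt1"], EXPENSIVE),
    ("checksig2",   ["checkname2", "retrievenonce2", "decrypt2", "checksig2"], EXPENSIVE),
    ("accept3",     [], UNBOUNDED),
]

def dos_exposure(rows, tolerance=lambda attacker_cost: attacker_cost):
    """Events at which B's cumulative cost exceeds what the tolerance relation allows
    for the attacker's cost of reaching them.  Assumption: a sequence of operations
    costs as much as its most expensive member (ordinal costs, not summed)."""
    exposed, b_cost = [], 0
    for event, ops, attacker_cost in rows:
        b_cost = max([b_cost] + [op_cost(o) for o in ops])
        if b_cost > tolerance(attacker_cost):
            exposed.append(event)
    return exposed

if __name__ == "__main__":
    print("STS:            ", dos_exposure(STS_RESPONDER))    # ['send2', 'checksig2']
    print("STS with cookie:", dos_exposure(STS_WITH_COOKIE))  # []
```

The exposed events are exactly the first-message problem the slide names: B signs and exponentiates before the sender has paid anything, and a garbage third message still costs B a decryption and a signature check.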
Conclusion
This framework shows how existing tools and methods could be modified to resist DoS attacks.