Lecture 22 - The Laboratory for Advanced Systems Research
Download
Report
Transcript Lecture 22 - The Laboratory for Advanced Systems Research
Other Types of DDoS Attacks
Advanced Network Security
Peter Reiher
August, 2014
Advanced Network Security
Lecture 22
Page 1
Outline
• Reflector attacks
• Shrew attacks
• Crossfire attacks
Advanced Network Security
Lecture 22
Page 2
Reflector Attacks
• A type of DDoS attack that addresses
issue of asymmetry
• Use a third party site to change a small
attack message to a big one
• Relies on IP spoofing
• Can make use of several different
protocols for reflection
Advanced Network Security
Lecture 22
Page 3
A Reflector Attack
Spoofing the IP
address of the
target
Reflector
SYN/ACK
SYN
Attacker
Advanced Network Security
Target
Lecture 22
Page 4
The Attack Multiplied
Advanced Network Security
Lecture 22
Page 5
Why Is This Helpful to the
Attacker?
• Packets arrive at target with many
source IP addresses
– Which are legitimate
– Makes it harder to defend
• The reflector’s response might be
bigger than the attacker’s request
– Leading to amplification
Advanced Network Security
Lecture 22
Page 6
Common Types of Reflectors
• DNS servers
– Small requests can give large results
– 100X amplification factor
• NTP
– A protocol flaw made reflector attacks
worthwhile
– Can amplify 200X
• Some DHT implementations
Advanced Network Security
Lecture 22
Page 7
The Core Reflector Problem
• Attackers can spoof target IP address
• May be difficult to detect attackers
– Attackers can use botnets to hide traffic volume
• Reflectors cannot easily distinguish
between legitimate and illegitimate requests
– Large number of possible reflectors
• Victim’s provider ISP can see the attack but
can do little about it
Advanced Network Security
Lecture 22
Page 8
Defending Against Reflector
Attacks
• Cut down on IP spoofing
– That’s often hard
• Make reflecting sites less available
– Most DNS servers are only intended for
local use, anyway
• Change reflector site behavior
– Either in protocol or site
• Research approaches
Advanced Network Security
Lecture 22
Page 9
One Research Approach - RAD
• Basic idea: reflected messages are
replies to request
• If the target remembers what he
requested
• He knows what replies he should see
• Drop “unexpected” replies
Advanced Network Security
Lecture 22
Page 10
RAD Deployment Choices
• Local
– Only sees the false replies
– Validate replies correspond to requests
– Reply volume may overwhelm a local defense
– Only requires local cooperation
• Core
– Can see all traffic
– Validate that packets correspond to source AS
– Requires core cooperation
Advanced Network Security
Lecture 22
Page 11
Local RAD
• Validate that replies correspond to a request
• Most reflectable protocols have a repeated
field from the request in the reply
– Initial sequence number between SYN and
SYN/ACK
– ID number in DNS query and DNS response
– ID and sequence number in ICMP ECHO and
ICMP ECHOREPLY
• Place a message authentication code (MAC)
in these fields
• Validate the reply’s MAC, proving the reply
corresponds to a legitimate request
Advanced Network Security
Lecture 22
Page 12
What Is In the MAC?
• Create MAC with 512-bit SHA-1
• Use src. IP, dest. IP, src. port, dest. port, a
counter and a 384-bit secret
– IP addresses and ports allow us to
generate different MACs for different
destinations and data flows
– Counter allows us to generate different
MACs for the same destination over time
– Secret is unique to source
Advanced Network Security
Lecture 22
Page 13
Using Local RAD
No correct MAC!
REQ + MAC
Sender
BAD REQ
Gateway
Attacker
Internet
Reflector
BAD RPL + MAC
Advanced Network Security
Lecture 22
Page 14
Core RAD
• Local RAD can be overwhelmed by sheer traffic
volume
• Move filtering farther from the target, into the
core
• Core RAD:
– Have edge ASes mark all their outbound traffic
– Have core nodes validate marks
• If a invalid mark is detected, drop the packet
Advanced Network Security
Lecture 22
Page 15
Marking the Packets in Core
RAD
• Generate a HMAC using the source address,
destination address, packet contents and a
secret key
– Source and Destination prevent replays of
one valid packet to many targets
– Packet contents makes it easier to detect
replays
• Place the HMAC into the IP ID field
Advanced Network Security
Lecture 22
Page 16
Core RAD in Operation
PKT
Sender
BAD PKT
PKT + MAC
Edge AS
Attacker
Core AS
Reflector
Advanced Network Security
Lecture 22
Page 17
Core RAD and DNS Reflector
Attacks
Advanced Network Security
Lecture 22
Page 18
RAD Lessons
• Local RAD
– Provides a defense that only requires local
cooperation
– Limited by local bandwidth or ISPs bandwidth
• Core RAD
– Provides nearly complete protection
– Requires core ASes to participate
– Core ASes can sell as a service
Advanced Network Security
Lecture 22
Page 19
Shrew Attacks
• Classic DDoS attacks have high
volume
• Which makes their presence pretty
obvious
• And requires lots of attacker resources
• Shrew attacks deny service more
stealthily, requiring fewer resources
Advanced Network Security
Lecture 22
Page 20
TCP and Packet Losses
• TCP responds to losses by assuming
they are caused by congestion
– Detected by packets not ACKed
– Due to timeout waiting for the ACK
• TCP’s response is to send less data
• The more losses, the less data sent
• Length of timeouts defined in the TCP
protocol
Advanced Network Security
Lecture 22
Page 21
Causing the Shrew Attacks
• Send brief bursts of high volume traffic
• At specifically chosen intervals
• To match timeouts of TCP’s
expectation of ACK delivery
• The bursts cause ACKs to be dropped
• The other party thinks that there’s
persistent congestion and backs off
Advanced Network Security
Lecture 22
Page 22
Effect of a Shrew Attack
• The attacker’s average sending rate
isn’t too high
– E.g., ~900 Kbps
• The target’s sending rate drops to near
zero
– Because he keeps missing ACKs at
critical moments
Advanced Network Security
Lecture 22
Page 23
Handling Shrew Attacks
• Hard to detect this shrew behavior
using existing methods
– So figuring out that someone is
doing it isn’t too likely
• Randomizing the TCP wait time helps
• But good choices don’t match nicely
with behavior in face of real
congestion
Advanced Network Security
Lecture 22
Page 24
Crossfire Attacks
• Traditional DDoS flooding attacks
involve sending packets to the target
• You could instead send packets
“across” the target’s nearby networks
• Congest those networks without ever
sending packets to the target at all
Advanced Network Security
Lecture 22
Page 25
The Crossfire Concept
Cut off a part of
the Internet (the
target area) that
contains your
victim (the
public server)
By congesting a
set of target
links
Advanced Network Security
Create the
congestion by
sending from
your attack
machines to
decoy servers
you set up near
the target links
Lecture 22
Page 26
Crossfire Effectiveness
• Can seriously degrade performance in
the attacked area
• While targeting a relatively low
number of links
– 10-50, in the original experiments
• With sufficient attack nodes, each need
only send a few Mbps
Advanced Network Security
Lecture 22
Page 27
Crossfire Countermeasures
• Difficult to defend against
• Either design networks with higher
internal connectivity
• Or get ISPs and core providers to work
together quickly and closely
• Neither is ideal
Advanced Network Security
Lecture 22
Page 28
Conclusion
• There are many interesting variations
of DDoS attacks
• More are discovered all the time
• Most real world attacks aren’t exotic
• But only because they don’t need to be
• If we can stop the basic ones, we’ll
need to tackle the advanced ones
Advanced Network Security
Lecture 22
Page 29