How DDoS attacks are waged?
Layer 3 Network Security
Outline
How Layer 3 Routers Work?
DDoS Attack
Classical DoS attacks
Flooding attacks
Distributed Denial-of-Service (DDoS)
How DDoS attacks are waged?
Reflector and amplifier attacks
Other DoS attacks
Detecting DoS attacks
Approaches to defense against DoS
Responding to a DoS attack
Conclusion
How Layer 3 Routers Work?
A Layer 3 router uses a store-and-forward scheme to forward incoming IP packets (datagrams).
IP address lookup: the forwarding table is constructed by routing protocols such as RIP, OSPF, BGP, etc.
IP/MAC mapping table (the ARP cache)
The IP address lookup is a longest-prefix-match lookup.
The IP packet is forwarded to the next hop if the destination IP is found in the forwarding table; otherwise it is forwarded to the default port.

Forwarding table (example from the slide):
Destination       Next hop
140.114.77.0      Directly
140.114.78.0      Directly
140.114.79.0      Router Z

IP/MAC mapping table (example from the slide):
IP        MAC
IP(A)     MAC(A)
IP(B)     MAC(B)
IP(Y)     MAC(Y)
IP(X)     MAC(X)

Newer router architectures use an L3 switching-fabric ASIC and IP address lookup ASICs (hardware lookup).
Wire-speed forwarding design: Gbps, 10 Gbps, 100 Gbps, ...
Not plug-and-play.
IP Datagram Header Format
Bit offsets 0, 3, 8, 15, 19 and 31 mark the field boundaries within each 32-bit word:
Word 1: Version (4 bits) | IHL (4 bits) | Type of Service (8 bits) | Total Length (16 bits)
Word 2: Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
Word 3: Time to Live (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
Word 4: Source IP Address (32 bits)
Word 5: Destination IP Address (32 bits)
Word 6 onwards: Options + Padding (variable, present only when IHL > 5)
Then: Data
Type of Service (ToS) of IP
The 8-bit ToS field:
Bits 0-2: Precedence
Bit 3: D (Delay)         0 = Normal, 1 = Low delay
Bit 4: T (Throughput)    0 = Normal, 1 = High throughput
Bit 5: R (Reliability)   0 = Normal, 1 = High reliability
Bits 6-7: Reserved (0)

Precedence values:
111 Network Control
110 Internetwork Control
101 CRITIC/ECP
100 Flash Override
011 Flash
010 Immediate
001 Priority
000 Routine

Flags (3 bits):
Bit 0: Reserved (0)
Bit 1: DF    0 = May Fragment, 1 = Don't Fragment
Bit 2: MF    0 = Last Fragment, 1 = More Fragments
How datagrams are delivered in an Internet?
(Figure: a datagram from host A crosses a chain of LANs and a WAN, forwarded hop by hop by routers (R) past other hosts (H), until it reaches host B.)
Routers
(Figure: router A is attached to LAN 1 (IP = 140.114.77.0, Mask = 255.255.255.0) and LAN 2 (IP = 140.114.78.0, Mask = 255.255.255.0); router Z reaches LAN n (IP = 140.114.79.0, Mask = 255.255.255.0). Hosts such as X (140.114.77.62), Y and B run the higher-layer protocols over the Network, MAC and PHY layers; the router has a MAC and PHY on each attached LAN and moves IP datagrams between them using the forwarding table and IP/MAC mapping table shown on the earlier slide.)
Intra-LAN and Inter-LAN Communications
Frame layout: [dst MAC] [src MAC] [dst IP] [src IP] [IP datagram]
B -> Y (Intra-LAN): one frame, addressed directly to Y
  MAC(Y)  MAC(B)  IP(Y)  IP(B)  IP Datagram
B -> A (Inter-LAN): B addresses the frame to the router R, which rewrites the MAC addresses and re-sends it on A's LAN; the IP addresses are unchanged
  MAC(R)  MAC(B)  IP(A)  IP(B)  IP Datagram
  MAC(A)  MAC(R)  IP(A)  IP(B)  IP Datagram
An Internet Routing Example
(Figure: four networks in a chain. Router F joins network 10.0.0.0 (as 10.0.0.5) and network 20.0.0.0 (as 20.0.0.5); router G joins 20.0.0.0 (as 20.0.0.6) and 30.0.0.0 (as 30.0.0.6); router H joins 30.0.0.0 (as 30.0.0.7) and 40.0.0.0 (as 40.0.0.7).)
Routing table of router G:
To reach hosts on network    Route to this address
20.0.0.0                     Deliver Direct
30.0.0.0                     Deliver Direct
10.0.0.0                     20.0.0.5
40.0.0.0                     30.0.0.7
Router Characteristics
Network Layer Routing
Network layer protocol dependent
Filter MAC broadcast and multicast packets
Easy to support mixed media
Packet fragmentation and reassembly
Filtering on network addresses and information
Accounting
Direct Communication Between Endpoints and
Routers
Highly configurable and hard to get right
Handle speed mismatch
Congestion control and avoidance
Router Characteristics (Continued)
Routing Protocols
Interconnect layer 3 networks and exploit arbitrary topologies
Determine which route to take
Static routing
Dynamic routing protocol support
RIP: Routing Information Protocol
OSPF: Open Shortest Path First
Provides reliability with alternate routes
Router Management
Troubleshooting capabilities
Name-Address mapping services
Differences Between Bridges and Routers
Bridges                                   Routers
Operation at Layer 2                      Operation at Layer 3
Protocol Independent                      Protocol Dependent
Automatic Address Learning/Filtering      Administration Required for Address, Interface and Routes
Pass MAC Multicast/Broadcast              MAC Multicast/Broadcast can be Filtered
Lower Cost                                Higher Cost
No Flow/Congestion Control                Flow/Congestion Control
Limited Security                          Complex Security
Transparent to End Systems                Non-Transparent
Well Suited for Simple/Small Networks     For WAN, Larger Networks
No Frame Segmentation/Reassembly          Frame Segmentation/Reassembly
Spanning Tree Based Routing               Optimal Routing and Load Sharing
Plug and Play                             Requires Central Administrator
Denial of service attack
Definitions
Denial-of-service (DoS) attack aims at disrupting the
authorized use of networks, systems, or applications
by sending messages which exhaust service provider’s
resources (network bandwidth, system resources,
application resources)
Distributed denial-of-service (DDoS) attacks employ
multiple (dozens to millions) compromised computers to
perform a coordinated and widely distributed DoS attack
Definitions
Victims of (D)DoS attacks
service-providers (in terms of time, money,
resources, good will)
legitimate service-seekers (deprived of
availability of service itself)
Zombie systems (the compromised hosts, handlers and agents, that form the intermediate layers of a DDoS)
Analyzing the goal of DoS attacks
A (D)DoS attack usually has the following goals:
Just deny availability
Can work on any port left open
No intention of stealing information
Although, in the process of denying service to/from the victim, zombie systems are hijacked by the attacker
Who? What for?
The motivations
Earlier attacks were proofs of concepts or simple pranks
Pseudo-supremacy feeling upon denying services in large
scale to normal people
DoS attacks on Internet chat channel moderators
Political disagreements
Competitive edge
Hired
Levels of attackers
Highly proficient attackers who are rarely identified or
caught
Script-kiddies
Why should we care?
As per 2006 CSI/FBI Computer Crime and Security Survey
25% of respondents faced some form of DoS attacks in
previous 12 months. This value varied from 25% to 40%
over the course of time.
DoS attacks are the 5th most costly form of attacks
Internet is now a critical resource whose disruption has
financial implications, or even dire consequences on
human safety
Cybercrime and cyberwarfare may use DoS or DDoS as a weapon to disrupt or degrade critical infrastructure
DDoS attacks are a major threat to the stability of the Internet
Fast facts
In Feb 2000, a series of massive DoS attacks incapacitated several high-visibility Internet e-commerce sites, including Yahoo, eBay and E*Trade
In Jan 2001, Microsoft's name server infrastructure was disabled
98% of legitimate users could not get to any of Microsoft's servers
In Sept 2001, an attack by a UK-based teenager on the Port of Houston's Web server made weather and scheduling information unavailable
No ships could dock at the world's 8th busiest maritime facility for lack of weather and scheduling information
The port's entire network performance was affected
Fast facts
In Oct 2002, all 13 DNS root servers were attacked
The attack lasted only an hour
9 of the 13 servers were seriously affected
In May 2007, the DDoS attack on Estonia (an attack on a whole nation)
In Aug 2009, the attack on Twitter and Facebook
The Estonia DDoS attack
Source: December 2008, Reader's Digest

In May 2007, the DDoS attack on Estonia (an attack on a whole nation)
Jaak Aaviksoo, Defence Minister of the northern European country Estonia: "This attack, aimed at Estonia's main network infrastructure, was the first time a botnet threatened the security of an entire nation."
Web War One had officially broken out!

On 27 April 2007 the Estonian authorities moved a two-metre bronze statue in the capital, Tallinn.
It was a liberation memorial erected in 1947 after the Soviet Union drove out the Nazis.
Russians settled there, while large numbers of Estonians were deported to Siberia.
To Estonians the statue is a symbol of tyrannical occupation; Estonia became independent in 1991.
Ago Väärsi, head of technology at the newspaper Postimees, found that the paper's server had taken 2.3 million hits and had crashed 20 times. Domestic and international bandwidth to Postimees was down to 20-30% and still falling.
Estonia is a small, highly networked country:
Of 1.4 million people, 40% read an online newspaper every day
Over 90% of bank transactions are done online
The authorities had decided to adopt Internet voting
Wireless networks (WiFi) cover the country
Mobile phones pay for parking and meals
Skype's headquarters outside Tallinn has replaced the international telephone business

The botnets' automated programs kept posting countless messages to the Postimees comment pages, overloading the server, and evaded the filtering software Väärsi had written.
On 2 May site traffic began to surge, mainly from foreign visitors: Egypt, Vietnam, Peru. By noon the available bandwidth was 0 and the site finally went down.
Cutting the international links was the only option. Väärsi typed a few lines of code that cut the international connections to Postimees; the paper vanished from the outside Internet, but the domestic bandwidth gauge immediately turned green.
At 8pm on 2 May, Hillar Aarelaid (head of Estonia's computer emergency response team, CERT) had dinner with Kurtis Lindqvist (an Internet first responder and one of the managers of Sweden's Netnod, which operates one of the world's 13 root DNS servers) and asked for help.
The "Vetted" (the Internet first responders) are the very few people trusted by ISPs worldwide who can ask ISPs to block specific IP addresses.
Patrik Fältström of Sweden and Bill Woodcock of the US (both Vetted) also agreed to help.

Over the following week the attacks came and went.
Script kiddies attacked with masses of ping commands and discussed it heatedly in Russian-language chat rooms, calling for a ping attack on designated Estonian websites at midnight on 9 May (Russia's Victory Day).
Botnets would flood the designated URLs with spam and choke the network.
One hacker said: "The large-scale attack on 9 May will paralyse Estonia's Internet ... completely."
10pm, 8 May, Estonian CERT headquarters:
Evening traffic into Estonia stayed normal: 20k pps
11pm: traffic soared to 4M pps (200 times normal), with about 1 million computers worldwide hitting Estonian websites at once
The team began tracing source IPs upstream and asking ISPs around the world to block these zombie IPs at the source ... find one, kill one ...
6am, 9 May: traffic finally fell back to slightly above normal.

9 May, Red Square, Moscow: the celebration of Russia's victory over Nazi Germany.
Russian President Putin: "Those who want to desecrate war memorials insult their own countrymen and sow discord between nations and peoples."
That day the botnets launched another 58 attacks on Estonia.
The Russian authorities denied launching the attacks.
But two of the attacking computers were in Russia
And one of them was in President Putin's administration office just outside the Kremlin
Estonia's foreign minister accused the Putin government of direct involvement.
In the preceding weeks similar attacks had been launched against the Russian opposition coalition led by chess grandmaster Garry Kasparov; those parties' websites were all knocked out.
The network security company Arbor Networks analysed the networks linked to the two DDoS attacks and found overlap: part of the botnet used against the Russian opposition sites was used against Estonia.
In mid-May the botnets suddenly stopped attacking.
Approaches to DoS attacks
The Internet was designed for minimal processing and best-effort forwarding of any packet
DoS attacks make shrewd use of flaws in the Internet's design and in end systems
Unregulated forwarding of Internet packets enables two classes of attack: vulnerability attacks and flooding attacks
Approaches to DoS attacks
Vulnerability attack
Vulnerability: a bug in the implementation or in the default configuration of a service
Malicious messages (exploits): unexpected input that triggers the vulnerability is sent
Consequences:
The system slows down, crashes, freezes or reboots
The target application goes into an infinite loop
The target consumes a vast amount of memory
Ex: Ping of Death, Teardrop attacks, etc.
Approaches to DoS attacks cont’d ….
Flooding attack
Works by sending a vast number of messages whose processing consumes some key resource at the target
The strength lies in the volume, rather than the content
Implications for the attacker:
Make the traffic look legitimate
Make the flow of traffic large enough to consume the victim's resources
Send at a high packet rate
These attacks are more commonly DDoS
Ex: SYN spoofing attack, source address spoofing, cyberslam, etc.
Classical DoS attacks
The simplest classical DoS attack is a flooding attack on an organization, e.g. a ping flood.
Result: service denied to legitimate users.
Ping flood attack
Uses the ping command options -n (number of requests) and -l (payload size) on Windows
Ping of Death: an oversized (fragmented) ICMP echo request that crashes a vulnerable receiver on reassembly
Source: learn-networking.com
Ping flood attack cont’d ….
Generally useless against larger networks or websites: a single sender cannot produce enough traffic to saturate them
Disadvantage to attacker
The attacker's source is easily identified
The attack flow is likely to be reflected back to the attacker (the victim's echo replies return to the real source and load its link)
Source address spoofing
Falsification: use of a forged source IP address
Requires privileged access to the network-handling code via the raw socket interface
The raw socket interface allows applications to send and receive packets directly, including packets with a caller-built IP header
Not needed for normal network operation
In the absence of privilege, the attacker can install a custom device driver on the source system
Dependent on the operating system version
Spoofing via raw socket interface
(Figure: the attacker sends packets with forged source addresses through the raw socket interface; the victim sees only the forged sources, so the real source is difficult to identify.)
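As an added example (not code from the slides), the following Python builds the IPv4 datagram described on the header-format slides, carrying an ICMP echo request with a caller-chosen source address, which is exactly what a raw socket opened with IP_HDRINCL would put on the wire, and then parses it back, decoding the ToS precedence and D/T/R bits, the DF/MF flags and the header checksum. The addresses and payload are constructed sample data; the packet is built and parsed but never sent.

```python
import socket
import struct

# Added example, not from the slides: build an IPv4 packet carrying an ICMP echo request
# with a caller-chosen (possibly forged) source address, exactly the bytes a raw socket
# opened with IP_HDRINCL would transmit, and parse the header back. The addresses and
# the ICMP payload below are constructed sample data.


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words (IP, ICMP, TCP, UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 1, tos: int = 0,
               ident: int = 0x1234, df: bool = False, mf: bool = False,
               frag_offset: int = 0, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) followed by payload; checksum filled in."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL = 5 words
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(ident: int = 1, seq: int = 1, data: bytes = b"constructed") -> bytes:
    """ICMP type 8 (echo request) with its checksum computed over header and data."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields from the slides: ToS precedence/D/T/R, DF/MF, checksum."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": ihl,
        "precedence": tos >> 5,                  # ToS bits 0-2
        "low_delay": bool(tos & 0x10),           # D bit
        "high_throughput": bool(tos & 0x08),     # T bit
        "high_reliability": bool(tos & 0x04),    # R bit
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),         # flags bit 1
        "mf": bool(flags_frag & 0x2000),         # flags bit 2
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        # a header whose checksum is intact sums to zero under the same algorithm
        "checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": pkt[ihl:total_len],
    }


# Sending such a packet is what the slides call the privileged raw socket interface:
#   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
#   s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1); s.sendto(pkt, (dst, 0))
# It needs root/CAP_NET_RAW and is deliberately not executed here.

if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.5", "20.0.0.6", build_icmp_echo(), tos=0xB0, df=True)
    print(parse_ipv4(pkt))
```

Nothing in the header authenticates the source address: the checksum only protects against corruption, so a forged source with a correctly recomputed checksum is indistinguishable from a genuine one, which is why the defence has to be reverse-path filtering at the network edge rather than anything the receiver can check.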
Spoofing via raw socket interface cont’d….
Unfortunately, removing the raw sockets API is not a solution that prevents DoS attacks
Microsoft's removal of the raw sockets API in Windows XP Service Pack 2 (August 2004) was expected to break applications such as the open-source nmap port scanner
Within a few days, a workaround was produced that restored nmap's ability to craft custom packets (by sending raw Ethernet frames through a packet-capture driver instead)
http://seclists.org/nmap-hackers/2004/0008.html
SYN spoofing
Takes advantage of the three-way handshake that occurs any time two systems initiate a TCP connection across the network
Unlike the usual brute-force flooding attack, it does not exhaust network bandwidth but overflows system resources (the tables used to manage pending TCP connections)
Requires far fewer packets to deplete the resource
Consequence: future connection requests fail, denying access to the server for legitimate users
Related example: land.c sends a TCP SYN packet using the target's address as both source and destination (a single-packet vulnerability attack rather than a flood)
TCP 3-way connection handshake
(Figure: the client sends SYN with its address, port number and sequence number x; the server, in the LISTEN state, records the request in a table of known TCP connections and replies SYN/ACK; the client completes the handshake with ACK.)
Vulnerability: a server in the LISTEN state accepts an unbounded stream of SYNs from unverified sources, but its table of pending connections is finite
SYN spoofing cont'd ....
(Figure: the attacker sends SYNs with spoofed source addresses; the server's SYN/ACKs go to hosts that never reply, so each entry stays half-open in the table until it times out.)
Factors considered by attacker for SYN spoofing
The number of forged packets sent is just large enough to exhaust the table, but small compared with a typical flooding attack
Keep a sufficient volume of forged requests flowing, so that the table is constantly full and timed-out entries are replaced at once
Make sure to use addresses that will not respond to the SYN-ACK with a RST (a RST would free the entry):
Overload the spoofed client so it cannot answer
Use a wide range of random addresses (mostly unassigned or unreachable)
A collection of compromised hosts under the attacker's control (i.e., a "botnet") could be used
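The rate arithmetic behind the factors above (forged SYNs per second times the half-open timeout must exceed the table size) is easiest to see in a simulation. The following is an added example, not code from the slides: a toy listener that records every SYN in a bounded table, driven with spoofed SYNs whose sources never answer, beside the same listener using SYN cookies (described in RFC 4987), which stores nothing until the final ACK proves the client is reachable. The table size, timeout, rates, secret and addresses are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Added example, not from the slides: a toy TCP listener that keeps a bounded table of
# half-open connections, driven with spoofed SYNs whose sources never answer, next to
# the same listener using SYN cookies (RFC 4987 style), which keeps no per-SYN state.
# Table size, timeout, rates and addresses are assumptions chosen for the demonstration.

SYN_TIMEOUT = 30.0          # seconds a half-open entry lives before it is timed out
Addr = Tuple[str, int]      # (ip, port)


class StatefulListener:
    """Records every SYN in a finite table, as the slides' vulnerable LISTEN state does."""

    def __init__(self, table_size: int):
        self.table_size = table_size
        self.half_open = {}     # src -> (server_isn, expiry)
        self.established = 0
        self.dropped = 0

    def _expire(self, now: float) -> None:
        for src in [s for s, (_, exp) in self.half_open.items() if exp <= now]:
            del self.half_open[src]

    def on_syn(self, src: Addr, client_isn: int, now: float) -> Optional[int]:
        self._expire(now)
        if len(self.half_open) >= self.table_size:
            self.dropped += 1
            return None                              # table full: SYN silently dropped
        isn = (len(self.half_open) * 2654435761 + client_isn) & 0xFFFFFFFF
        self.half_open[src] = (isn, now + SYN_TIMEOUT)
        return isn                                   # SYN/ACK sent, entry recorded

    def on_ack(self, src: Addr, client_isn: int, ack_num: int, now: float) -> bool:
        self._expire(now)
        entry = self.half_open.get(src)
        if entry and ack_num == (entry[0] + 1) & 0xFFFFFFFF:
            del self.half_open[src]
            self.established += 1
            return True
        return False


SECRET = b"rotate-me-regularly"       # assumed server secret for cookie generation


def syn_cookie(src: Addr, dst_port: int, client_isn: int, minute: int) -> int:
    msg = f"{src[0]}:{src[1]}:{dst_port}:{client_isn}:{minute}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class CookieListener:
    """Encodes the handshake state in the server ISN; stores nothing until the ACK proves
    the client actually received the SYN/ACK, so spoofed, unreachable sources cost nothing."""

    def __init__(self):
        self.established = 0

    def on_syn(self, src: Addr, client_isn: int, now: float) -> int:
        return syn_cookie(src, 80, client_isn, int(now // 60))

    def on_ack(self, src: Addr, client_isn: int, ack_num: int, now: float) -> bool:
        minute = int(now // 60)
        for m in (minute, minute - 1):           # accept cookies from this or the previous minute
            if ack_num == (syn_cookie(src, 80, client_isn, m) + 1) & 0xFFFFFFFF:
                self.established += 1
                return True
        return False


def simulate(listener, spoofed_pps: int, seconds: int) -> bool:
    """Feed `spoofed_pps` SYNs per second from constructed, unreachable sources (their
    SYN/ACKs are never answered), then let one legitimate client try a full handshake.
    Returns True if the legitimate client got connected."""
    t, n = 0.0, 0
    for sec in range(seconds):
        for i in range(spoofed_pps):
            n += 1
            t = sec + i / spoofed_pps
            spoofed = (f"198.51.100.{n % 250 + 1}", 1024 + n % 60000)
            listener.on_syn(spoofed, client_isn=n, now=t)
    legit = ("192.0.2.10", 40000)
    isn = listener.on_syn(legit, client_isn=7, now=t + 0.05)
    if isn is None:
        return False
    return listener.on_ack(legit, client_isn=7, ack_num=(isn + 1) & 0xFFFFFFFF, now=t + 0.1)
```

With a 256-entry table and a 30 s timeout, 10 forged SYNs per second (300 in flight per timeout window) keep the table full and the legitimate client is refused, while 5 per second (150 in flight) never fill it; the cookie listener survives the higher rate because a spoofed source that never completes the handshake costs it no memory at all.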
Detecting SYN spoof attack
After the target system has sent a SYN/ACK packet to the client and while it is waiting to receive the ACK packet, the connection is said to be half open and the host is in the SYN_RECEIVED state
If your system has many connections in this state, it may be under a SYN spoofing attack
To determine whether connections on your system are half open, run netstat -a (on Linux, ss -tan state syn-recv lists the same sockets)
The command lists the active connections; check for those in state SYN_RECEIVED (SYN_RECV on Linux), a large number of which indicates a SYN spoofing attack
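The netstat check above is quickly turned into something that can run on a schedule. As an added example (not from the slides), this Python counts half-open connections in netstat -an output per local port and per remote /24 and names the ports above a threshold; the netstat lines and the threshold are constructed for the demonstration.

```python
import re
from collections import Counter

# Added example, not from the slides: count half-open connections in `netstat -an`
# output (SYN_RECEIVED on Windows/BSD, SYN_RECV on Linux) per local port and per
# remote /24, and name the ports whose half-open count exceeds a threshold. The
# netstat lines below are constructed sample output.

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.11:1025      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.12:1026      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.13:1027      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.14:1028      SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.9:60001       ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.44:33000        SYN_RECEIVED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s*$")


def half_open_stats(netstat_output: str) -> dict:
    """Half-open counts: total, by local port, and by remote /24 (a crude spoofing-range hint)."""
    by_port, by_net = Counter(), Counter()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(5) not in HALF_OPEN_STATES:
            continue
        _local_ip, local_port, remote_ip, _remote_port, _state = m.groups()
        by_port[int(local_port)] += 1
        by_net[".".join(remote_ip.split(".")[:3]) + ".0/24"] += 1
    return {"total": sum(by_port.values()),
            "by_local_port": dict(by_port),
            "by_remote_net": dict(by_net)}


def syn_flood_alerts(netstat_output: str, per_port_threshold: int = 3) -> list:
    """Local ports with at least `per_port_threshold` half-open connections (threshold assumed)."""
    stats = half_open_stats(netstat_output)
    return sorted(p for p, n in stats["by_local_port"].items() if n >= per_port_threshold)
```

The per-remote-network breakdown is only a hint: with randomly spoofed sources it will be flat, and that flatness is itself a sign the addresses are forged.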
Analysing traffic
Spoofing makes it difficult to trace back to the attackers
Analysing the flow of traffic is required, but it is not easy!
It requires the cooperation of the network engineers managing the routers along the path
Querying flow information is a manual process
How about filtering at the source itself?
Backscatter traffic can be used to infer the type and scale of DoS attacks
It utilizes the ICMP echo response packets generated in response to a spoofed ping flood
Flooding attacks
Goal: bombard the victim with a large number of malicious packets, such that processing these packets consumes its resources
Any type of network packet can be used
The attack traffic is made to look similar to legitimate traffic
Valid traffic then has a lower probability of reaching the server
Some ways of flooding:
Overload the network capacity of some link to the server (here larger packets are more effective, since bandwidth is the bottleneck)
Overload the server's ability to handle and respond to the traffic (here the packet rate matters more than the packet size)
Flooding attack within local network
Simply sending an endless stream of messages from one computer to another on the local network
Wastes the resources of the recipient computer, which must receive and handle every message
Types of flooding attacks
Classified by the network protocol used to attack:
ICMP flood
Uses ICMP packets, e.g. a ping flood using echo requests
ICMP is typically allowed through firewalls, and some ICMP messages are required for correct operation
UDP flood
Sends UDP datagrams to (often closed) ports on the target, which must process each one and answer with ICMP port-unreachable; a classic variant abuses the target's diagnostic echo services to create a loop between two or more UDP services
TCP SYN flood
Uses TCP SYN (connection request) packets
Here the aim is sheer volume, unlike SYN spoofing, which fills the connection table with a modest packet rate
Indirect attacks
A single-source attacker would be traced
Scaling would also be difficult
Instead, multiple distributed sources are used
None of them generates enough traffic to bring down its own local network
The Internet delivers all of the attack traffic to the victim
Thus the victim's service is denied while the attackers remain fully operational
Indirect attack types:
Distributed DoS
Reflector and amplifier attacks
Distributed Denial-of-service
The attacker uses multiple compromised user workstations/PCs for DoS by:
Exploiting vulnerabilities to gain access to these systems
Installing malicious backdoor programs, thereby turning them into zombies
Creating botnets: large collections of zombies under the control of the attacker
Generally, a control hierarchy is used to operate the botnet:
Handlers: the initial layer of zombies that are directly controlled by the attacker
Agent systems: subordinate zombies that are controlled by the handlers
The attacker sends a single command to a handler, which then automatically forwards it to all agents under its control
Example: Tribe Flood Network (TFN), TFN2K
DDoS control hierarchy
Example: Tribe Flood Network (TFN)
Relied on a large number of compromised systems and a layered command structure
(Figure: the attacker runs a command-line client that talks to the handlers; the handlers drive agents running the TFN trojan program, which generate the attack traffic.)
How DDoS attacks are waged?
Recruitment of the agent network
Controlling the DDoS agent network
Use of appropriate toolkits
Use of IP spoofing
Recruitment of the agent network
Scanning
Breaking into vulnerable machines
Malware propagation
Scanning
Find a sufficiently large number of vulnerable machines
Manual, semi-automatic or completely automatic process
Trinoo: discovery and compromise are manual; only the installation is automated
http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
Slammer, MyDoom: fully automated process
Recruit machines that have sufficiently good connectivity
Netblock scans are sometimes initiated
Based on a random or an explicit rationale
Examples of scanning tools: IRC bots, worms
Scanning using an IRC bot
(Figure only.)
Scanning using worms
Popular method of recruiting DDoS agents
The scan/infect cycle repeats on both the infected and the infecting machines
Worms spread extremely fast because of their parallel propagation pattern
Worms' choice of addresses for scanning:
Random
Random within a specific range of addresses
Using a hit list
Using information found on infected machines
Worms are often not completely cleaned up
Some infected machines might continue serving as DDoS agents indefinitely!
Code Red: infected hosts still exist on the Internet
Breaking into vulnerable machines
Most vulnerabilities provide an attacker with administrative access to the system
The attacker updates his DDoS toolkit with new exploits
Propagation vectors
Malware propagation
Propagation with a central repository or cache approach: each newly compromised host fetches the toolkit from a central site
Advantage for the defender: central repositories can be easily identified and removed
Ex: trinoo, Shaft, etc.
Source: www.cert.org/archive/pdf/DoS_trends.pdf
Malware propagation methods cont’d….
Back-chaining/pull approach: the newly compromised host fetches the toolkit from the host that attacked it (e.g. over TFTP)
Autonomous/push approach: the attacking host itself injects the toolkit into the new victim as part of the exploit
Controlling DDoS agent network
The attacker communicates with the agents using "many-to-many" communication tools
Twofold purpose for the attacker:
To command the beginning/ending and the specifics of the attack
To gather statistics on agent behaviour
Strategies for establishing control:
Direct command control
Indirect command control
Direct command control
(Figure: the attacker connects directly to the handlers, and each handler directly to its agents; every handler and agent listens on an open port for commands.)
Drawbacks of direct command control
If one machine is captured, the whole DDoS network could be identified (it holds the handler or agent list)
Any anomalous event is easily spotted by a network monitor
Both handlers and agents need to be ready to receive messages at all times
They must open ports and listen on them
Easily caught
Indirect command control
(Figure: the attacker and the agents meet on a public IRC server; an IRC channel plays the role of the handler. Where is the handler?)
Advantages of IRC to attacker
The server is maintained by others
The channel (the handler) is not easily recognizable amidst thousands of other channels
Even if the channel is discovered, it can be removed only with the cooperation of the server's administrators
By turning compromised hosts into rogue IRC servers, attackers are a step ahead in concealing their identity
DDoS attack toolkits
Some popular DDoS programs:
Trinoo, TFN, Stacheldraht, Shaft, TFN2K, Mstream, Trinity, Phatbot
Blended-threat toolkits include some (or all) of the following components:
A Windows network service program
Scanners
Single-threaded DoS programs
An FTP server
An IRC file service
An IRC DDoS bot
Local exploit programs
Remote exploit programs
System log cleaners
DDoS attack toolkits cont’d ….
Trojan-horse replacements for operating system programs
Sniffers
Phatbot implements a large percentage of these functions in a single program
Reflector and amplifier attacks
Unlike DDoS attacks, the intermediaries are not compromised
Reflector and amplifier attacks use network systems that are functioning normally
Generic process:
A network packet with a spoofed source address is sent to a service running on some network server
The server sends its response to the spoofed address (the victim)
A number of such requests, spoofed with the same address, are sent to various servers
The resulting flood of responses overwhelms the target's network link
Spoofing is what makes the traffic reflect
These attacks are easier to deploy and harder to trace back
Reflection attacks
Direct implementation of the generic process explained before
Reflector: the intermediary off which the attack is reflected
Make sure the packet flow looks like a legitimate flow
Attacker's preference: response packet size > original request size
Protocols satisfying this condition are preferred: UDP services such as chargen and DNS, etc.
Intermediary systems are often high-capacity network servers/routers
There is no backscatter traffic (the reflectors send well-formed responses, not error replies to non-existent hosts), so:
No visible side effect
Hard to quantify
Reflection attack using TCP/SYN
Exploits the three-way handshake used to establish a TCP connection
A number of SYN packets spoofed with the target's address are sent to the intermediary, which answers each with a SYN/ACK to the target
This is a flooding attack, different from the SYN spoofing attack: the intermediary's continued correct functioning is essential
Many possible intermediaries can be used
Even if some intermediaries sense and block the attack, many others won't
Further variation
Establish self-contained loop(s) between the intermediary and the target system using the diagnostic network services (echo, chargen)
Chargen service: both UDP and TCP chargen use port 19
A UDP chargen server sends back one packet for each packet received
A TCP chargen server continuously sends packets to the client once a connection is established between server and client
Fairly easy to filter and block
(Figure: the attacker sends a large UDP packet with a spoofed source, the target's echo port, to the intermediary's chargen port; the two services then answer each other indefinitely.)
Amplification attacks
Differ from reflection attacks in that the intermediaries generate multiple response packets for each original packet sent
Amplification attacks possibilities
Utilize a service handled by a large number of hosts on the intermediate network (reached through a directed broadcast)
A ping flood using ICMP echo request packets
Ex: the smurf DoS program
Using a suitable UDP service
Ex: the fraggle program
A TCP service cannot be used (only a one-to-one response)
Defense from amplification attack
Do not allow directed broadcasts to be routed into a network from outside (e.g. no ip directed-broadcast on Cisco IOS interfaces, the default in current IOS releases)
Smurf DoS program
Two main components:
Sends source-forged ICMP echo request packets from remote locations
The packets are directed to IP broadcast addresses
If the intermediary does not filter this broadcast traffic, many of the machines on the network receive and respond to these spoofed packets
When the entire network responds, a successful smurf DoS has been performed on the target network
Source: http://www.cert.org/advisories/CA-1998-01.html
Smurf DoS program
Besides the victim network, the intermediary network might also suffer
A smurf DoS attack can use a single intermediary or multiple intermediaries
Attackers analyse networks for routers that do not filter broadcast traffic
They look for networks where multiple hosts respond
DNS amplification attacks
A DNS server is the intermediary system
Exploits DNS behaviour to convert a small request into a much larger response
A 60-byte request yields a 512 to 4000-byte response (an amplification factor of roughly 8 to 65)
DNS requests with the source address spoofed to the target are sent to the chosen servers
The attacker sends requests to multiple well-connected servers, which flood the target
A moderate flow of packets from the attacker is sufficient
The target is overwhelmed with the amplified responses from the servers
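Because a reflected or amplified flood produces no backscatter, it has to be recognised at the victim's edge, where it looks like many servers sending "responses" from a service port to a host that sent them almost nothing. As an added example (not from the slides), the following Python applies that test to flow records; all records, port lists and thresholds are constructed for the demonstration.

```python
from collections import defaultdict

# Added example, not from the slides: pick out reflected/amplified floods from flow
# records as seen at the victim's edge. Reflection leaves no backscatter, but at the
# victim it looks like many servers sending "responses" from a service port (53 DNS,
# 19 chargen, 7 echo, 123 NTP) to a host that sent them almost nothing. All flow
# records below are constructed; thresholds are assumptions.

# (src, sport, dst, dport, proto, packets, bytes)
FLOWS = [
    ("192.0.2.10",   53,    "203.0.113.5", 44000, "udp", 1200, 3_600_000),
    ("192.0.2.11",   53,    "203.0.113.5", 44000, "udp", 1100, 3_300_000),
    ("198.51.100.9", 19,    "203.0.113.5", 44000, "udp",  900, 1_000_000),
    ("203.0.113.5",  44000, "192.0.2.10",  53,    "udp",    1,        60),  # one real query
    ("203.0.113.8",  51000, "192.0.2.10",  53,    "udp",    3,       180),  # normal client
    ("192.0.2.10",   53,    "203.0.113.8", 51000, "udp",    3,       900),  # its normal replies
    ("203.0.113.9",  40000, "192.0.2.30",  80,    "tcp",   50,    20_000),  # unrelated TCP
]

REFLECTABLE_PORTS = {53: "DNS", 19: "chargen", 7: "echo", 123: "NTP"}


def reflection_report(flows, min_reflectors=2, min_amplification=10.0):
    """Return {victim: {...}} for hosts receiving UDP service-port traffic from at least
    `min_reflectors` distinct servers, where the bytes received exceed the bytes of
    requests the host itself sent to such services by `min_amplification` or more."""
    inbound = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "services": set()})
    requests_sent = defaultdict(int)
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if sport in REFLECTABLE_PORTS:              # looks like a server response
            inbound[dst]["reflectors"].add(src)
            inbound[dst]["bytes"] += nbytes
            inbound[dst]["services"].add(REFLECTABLE_PORTS[sport])
        if dport in REFLECTABLE_PORTS:              # a request the host really sent
            requests_sent[src] += nbytes
    report = {}
    for victim, info in inbound.items():
        amplification = info["bytes"] / max(requests_sent[victim], 1)
        if len(info["reflectors"]) >= min_reflectors and amplification >= min_amplification:
            report[victim] = {
                "reflectors": len(info["reflectors"]),
                "bytes_in": info["bytes"],
                "amplification": round(amplification, 1),
                "services": sorted(info["services"]),
            }
    return report
```

The ratio of bytes received to bytes requested is the same amplification factor the slides quote for DNS; a legitimate client querying a resolver stays in the single digits, while a reflected flood to a host that never asked anything reaches thousands.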
Teardrop
This DoS attack affects Windows 3.1, 95 and NT machines and Linux versions prior to 2.0.32 and 2.1.63
Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network
Teardrop exploits an overlapping IP fragment bug
The bug causes the TCP/IP fragmentation reassembly code to mishandle overlapping IP fragments
A 4500-byte payload is sent as
Legitimately: (Bytes 1-1500) (Bytes 1501-3000) (Bytes 3001-4500)
Overlapping: (Bytes 1-1500) (Bytes 1501-3000) (Bytes 1001-3600)
This attack has not been shown to cause any significant damage to systems
The primary problem with it is loss of data
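The reassembly bug is easier to understand in code than in prose. The following is an added example, not code from the slides or from any real kernel: a toy fragment reassembler whose naive version reproduces the Teardrop logic error (it trims an overlapping fragment by moving its start forward and computes the remaining length without checking that it is still positive) beside a strict version that discards the datagram on any overlap. The fragment sets, including a Teardrop-style pair, are constructed.

```python
# Added example, not from the slides: a toy IP fragment reassembler in two versions.
# The naive one reproduces the Teardrop logic error: when a fragment overlaps data
# already received it moves the fragment's start forward to the end of that data and
# computes the remaining length without checking that it is still positive. In the
# original C code that negative length became a huge unsigned memcpy; here it is
# returned so it can be observed. The strict one discards the whole datagram on any
# overlap, which is how a hardened stack behaves. All fragment sets are constructed.

# (offset, data) pairs; offsets are byte offsets within the datagram
LEGIT = [(0, b"A" * 1500), (1500, b"B" * 1500), (3000, b"C" * 1500)]          # the slide's 4500 bytes
SLIDE_OVERLAP = [(0, b"A" * 1500), (1500, b"B" * 1500), (1000, b"C" * 2600)]  # bytes 1001-3600
TEARDROP = [(0, b"X" * 36), (24, b"Y" * 4)]   # second fragment ends inside the first


def reassemble_naive(fragments):
    """Returns (buffer, bad_len). bad_len is 0 on success, or the negative copy length
    the vulnerable code would have handed to memcpy."""
    buf = bytearray()
    end = 0                                   # end of data received so far
    for off, data in sorted(fragments):
        start = off
        if start < end:                       # overlap: skip the part already received
            start = end
        copy_len = off + len(data) - start    # goes negative if the fragment ends before `end`
        if copy_len < 0:
            return bytes(buf), copy_len       # in C: memcpy(..., (unsigned) copy_len) -> crash
        buf += data[start - off:]
        end = max(end, off + len(data))
    return bytes(buf), 0


def reassemble_strict(fragments):
    """Reject any overlap or hole; return the datagram only when the fragments tile it exactly."""
    covered = []                              # (start, end) of fragments accepted so far
    for off, data in sorted(fragments):
        end = off + len(data)
        if any(off < e and end > s for s, e in covered):
            raise ValueError(f"overlapping fragment at offset {off}: datagram discarded")
        covered.append((off, end))
    expected = 0
    for s, e in covered:
        if s != expected:
            raise ValueError(f"hole before offset {s}: datagram incomplete")
        expected = e
    return b"".join(data for _, data in sorted(fragments))


def accepted_by_strict(fragments) -> bool:
    try:
        reassemble_strict(fragments)
        return True
    except ValueError:
        return False
```

Sorting the slide's overlapping set by offset puts the 1001-3600 fragment before the 1501-3000 one, so the naive code ends up with a negative copy length for the second: the same failure the Teardrop pair triggers.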
Cyberslam
A DDoS attack in a different style
The zombies DO NOT launch a SYN flood or issue dummy packets to congest the Web server's access link
Instead, the zombies fetch files or query search-engine databases at the Web server
From the Web server's perspective, these zombie requests look exactly like legitimate requests
So the server ends up spending a lot of its time serving zombies, causing DoS to legitimate users
Techniques to counter cyberslam
Password authentication
Cumbersome to manage for a site like Google
The attacker might simply DDoS the password-checking mechanism
Computational puzzles
The computational burden is quite heavy compared with the service provided
Graphical puzzles (CAPTCHAs)
Kill-Bots, suggested in [Kandula 2005]
S. Kandula, D. Katabi, M. Jacob, and A. Berger, "Surviving Organized DDoS Attacks That Mimic Flash Crowds," in USENIX Symposium on Networked Systems Design and Implementation (NSDI), May 2005.
Attack tree: DoS against DNS
(Figure only.)
Source: Cheung (2006)
How to protect DNS from (D)DoS ?
Multiple scattered name servers
Anycast routing: multiple name servers sharing a common IP address
Over-provisioning of host resources and network capacity
Diversity in DNS software implementation, OS and hardware platforms
TSIG (transaction signatures) on zone transfers and updates
Use of dedicated machines
DoS detection techniques
The detector's goal: to detect and distinguish malicious packet traffic from legitimate packet traffic
Flash crowds: high traffic volumes may also be accidental and legitimate
Highly publicised websites (unpredictable): the Slashdot news aggregation site
Much-awaited events (predictable): the Olympics, MLB, etc.
There is no innate Internet mechanism for discriminating malicious traffic
Once detected, vulnerability attacks are easy to address (patch the bug or filter the malformed input)
If the volume of a vulnerability attack is so high that it manifests as a flooding attack, it is very difficult to handle
Source: Carl (2006)
Vulnerability attack detection techniques
Detection techniques can be installed locally or remotely
Locally: detectors placed at the potential victim resource, or at a router or firewall within the victim's subnetwork
Remotely: to detect propagating attacks
An attack, as defined by the detection methods, is an abnormal and noticeable deviation of some statistic of the monitored network traffic workload
The proper choice of statistic is crucial
Source: Cheung (2006)
Statistical detection methods
Activity profiling: monitoring network packet header information
Backscatter analysis
Sequential change-point detection
Chi-square/entropy detectors
Wavelet analysis
CUSUM and wavelet approaches
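Two of the methods listed, sequential change-point detection (CUSUM) and an entropy detector, fit in a few dozen lines. The following is an added example, not code from the slides or from the cited papers: it runs both over a constructed per-second trace in which 20 seconds of ordinary traffic are followed by a flood from three sources; the trace, the CUSUM parameters and the entropy threshold are all assumptions chosen for the demonstration.

```python
import math
import random
import statistics
from collections import Counter
from typing import List, Optional

# Added example, not from the slides: two of the listed statistical detectors run over
# a constructed per-second traffic trace. CUSUM change-point detection on packets per
# second flags the onset of a flood; the Shannon entropy of source addresses per second
# drops when the flood comes from a handful of sources. All parameters are assumptions.


def make_trace(seed: int = 1):
    """20 s of normal traffic (~100 pps from 400 hosts), then 10 s of a 5000 pps flood
    from three sources. Returns (pps per second, source list per second)."""
    rng = random.Random(seed)
    normal_pool = [f"10.1.{i // 250}.{i % 250}" for i in range(400)]
    attack_pool = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    pps, sources = [], []
    for t in range(30):
        if t < 20:
            n = 100 + rng.randint(-15, 15)
            srcs = [rng.choice(normal_pool) for _ in range(n)]
        else:
            n = 5000
            srcs = [rng.choice(attack_pool) for _ in range(n)]
        pps.append(n)
        sources.append(srcs)
    return pps, sources


def cusum_onset(series: List[float], mean: float, drift: float, threshold: float) -> Optional[int]:
    """One-sided CUSUM: S_t = max(0, S_{t-1} + x_t - mean - drift); returns the first t
    with S_t > threshold. `drift` is the slack above the mean that is tolerated."""
    s = 0.0
    for t, x in enumerate(series):
        s = max(0.0, s + (x - mean - drift))
        if s > threshold:
            return t
    return None


def shannon_entropy(items) -> float:
    n = len(items)
    return -sum(c / n * math.log2(c / n) for c in Counter(items).values()) if n else 0.0


def entropy_anomalies(per_second_sources, warmup: int = 20, k: float = 4.0) -> List[int]:
    """Seconds after the warm-up whose source-address entropy deviates from the warm-up
    mean by more than k standard deviations (std floored at 0.1 to avoid a zero baseline)."""
    ent = [shannon_entropy(s) for s in per_second_sources]
    base_mean = statistics.mean(ent[:warmup])
    base_std = max(statistics.pstdev(ent[:warmup]), 0.1)
    return [t for t in range(warmup, len(ent)) if abs(ent[t] - base_mean) > k * base_std]
```

The two detectors are complementary: CUSUM sees the volume change whatever the sources look like, while the entropy detector also distinguishes a few real sources (entropy collapses) from random spoofing (entropy rises toward its maximum), which is the flash-crowd question the previous slides raise.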
Backscatter Analysis
The UCSD Network Telescope is a passive traffic monitoring system built on a globally routed but lightly utilized /8 network. Under CAIDA stewardship, this unique resource provides valuable data for network security researchers.
The UCSD network telescope (aka a black hole, an Internet sink, darkspace, or a darknet) is a globally routed /8 network (approximately 1/256th of all IPv4 Internet addresses) that carries almost no legitimate traffic because there are few provider-allocated IP addresses in this prefix.
http://www.caida.org/data/passive/network_telescope.xml
UCSD Network Telescope
After discarding the legitimate traffic from the incoming packets, the remaining data represent a continuous view of anomalous unsolicited traffic, or Internet Background Radiation (IBR).
IBR results from a wide range of events, such as:
backscatter from randomly spoofed source denial-of-service attacks,
the automated spread of Internet worms and viruses,
scanning of address space by attackers or malware looking for vulnerable targets, and
various misconfigurations (e.g. mistyping an IP address).
UCSD Network Telescope
In recent years, traffic destined to darkspace has evolved to include longer-duration, low-intensity events intended to establish and maintain botnets.
CAIDA personnel maintain and expand the telescope instrumentation; collect, curate, archive and analyze the data; and enable data access for vetted security researchers.
Backscatter cont’d ….
The UCSD network telescope can be used to monitor random-source distributed denial-of-service attacks.
To make it difficult for the victim (and the victim's ISPs) to block an incoming attack, the attacker may use a fake source IP address (like a fake return address in postal mail) in each packet sent to the victim.
The attacker sends packets with spoofed source addresses to the denial-of-service attack victim.
Backscatter cont’d ….
Because the denial-of-service attack victim cannot distinguish between incoming requests from the attacker and legitimate inbound requests, the victim tries to respond to as many of the received requests as possible.
Backscatter cont’d ….
When the attacker spoofs a source address that lies inside the network telescope, we observe a response destined for a computer that doesn't exist (and therefore never sent the initial query).
Because the network telescope comprises 1/256th of the IPv4 address space, it receives approximately 1/256th of the responses to spoofed packets generated by the victim.
Backscatter cont’d ….
By monitoring these unsolicited responses, researchers can identify denial-of-service attack victims and infer information about
the volume of the attack,
the bandwidth of the victim,
the location of the victim, and
the types of services the attacker targets.
Note that the network telescope cannot monitor denial-of-service attacks that use non-spoofed or non-randomly spoofed source IP addresses against their victims.
Backscatter cont’d ….
Internet Worms
Many Internet worms spread by randomly generating an IP address to
be the target of an infection attempt and sending the worm off to that
IP address in the hope that it is in use by a vulnerable computer.
Infected computers randomly attempt to infect other vulnerable
computers.
The network telescope captures approximately one out of every 256
infection attempts.
101
Backscatter cont’d ….
Because the network telescope includes one out of every
256 IPv4 addresses, it receives approximately one out of
every 256 probes from hosts infected with randomly
scanning worms.
Many worms do not scan truly randomly, and network
problems (both worm-induced and independent) may
prevent the network telescope from receiving probes
from all infected hosts.
In general, though, the telescope sees a newly infected
host transmitting at the slow rate of 10 packets per
second within 30 seconds of the infection.
102
Backscatter cont’d ….
Generally, source addresses are chosen at random for
spoofing-based flooding attacks.
The victim's unsolicited responses are therefore equiprobably
distributed (backscattered) across the entire Internet
address space.
Received backscatter is evidence of the presence of an attack.
103
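The backscatter slides above describe the inference in words: a random-source flood makes the victim answer spoofed addresses, a /8 telescope sees about 1/256th of those answers, and the analyst scales the observation back up. The following is an added example, not code from the slides or from CAIDA; it simulates a random-source flood against a constructed victim, counts the answers that land in a constructed telescope prefix (10.0.0.0/8 is an assumption; the real prefix is not on the page), infers the attack type from the response type, and shows the caveat from slide 100: a flood whose spoofed sources are confined to one subnet outside the telescope is invisible to it.

```python
import random
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Constructed telescope prefix. A /8 is 1/256th of the IPv4 address space,
# the fraction the slides give for the UCSD telescope; the real prefix is
# not on the page, so 10.0.0.0/8 is an assumption for this example.
TELESCOPE = IPv4Network("10.0.0.0/8")
SAMPLE_FRACTION = 2 ** (32 - TELESCOPE.prefixlen) / 2 ** 32   # 1/256

# What a victim sends back for each kind of unsolicited attack packet, and
# therefore what each backscatter type says about the attack (assumed
# textbook behaviour: SYN to an open port -> SYN/ACK, SYN to a closed port
# -> RST, UDP to a closed port -> ICMP port unreachable, echo -> echo reply).
RESPONSE_FOR = {
    "tcp_syn_open": "SYN/ACK",
    "tcp_syn_closed": "RST",
    "udp_closed": "ICMP port unreachable",
    "icmp_echo": "ICMP echo reply",
}
ATTACK_FOR_RESPONSE = {resp: kind for kind, resp in RESPONSE_FOR.items()}


def random_spoofed_source(rng):
    """A uniformly random 32-bit address, as a random-source flood picks."""
    return IPv4Address(rng.getrandbits(32))


_RESTRICTED_BASE = IPv4Address("192.0.2.0")   # constructed /24 outside TELESCOPE


def subnet_restricted_source(rng):
    """Non-random spoofing: sources drawn from one /24 outside the telescope."""
    return _RESTRICTED_BASE + rng.randrange(256)


def simulate_flood(victim, n_packets, attack_kind, rng,
                   source_picker=random_spoofed_source):
    """Backscatter the telescope sees from a flood of n_packets.

    Every spoofed packet makes the victim answer the spoofed source; the
    telescope observes only answers whose destination lies inside TELESCOPE.
    Returns a list of (victim, response_type) records.
    """
    seen = []
    for _ in range(n_packets):
        if source_picker(rng) in TELESCOPE:
            seen.append((victim, RESPONSE_FOR[attack_kind]))
    return seen


def infer_attacks(backscatter, window_seconds):
    """Identify victims, attack type and estimated attack rate from backscatter.

    Scaling observed packets by 1/SAMPLE_FRACTION (x256 for a /8) is valid
    only when the attacker spoofs sources uniformly at random; a flood with
    unspoofed or subnet-restricted sources produces no backscatter here.
    """
    counts = Counter()
    kinds = {}
    for victim, response in backscatter:
        counts[victim] += 1
        kinds.setdefault(victim, Counter())[ATTACK_FOR_RESPONSE[response]] += 1
    report = {}
    for victim, n_seen in counts.items():
        est_total = n_seen / SAMPLE_FRACTION
        report[victim] = {
            "observed": n_seen,
            "estimated_attack_packets": round(est_total),
            "estimated_pps": round(est_total / window_seconds),
            "attack_type": kinds[victim].most_common(1)[0][0],
        }
    return report


def demo(n_packets=128_000, seed=1):
    """One random-source flood and one subnet-restricted flood (constructed
    victim 203.0.113.10, 60 s window); returns both inference reports."""
    rng = random.Random(seed)
    random_case = infer_attacks(
        simulate_flood("203.0.113.10", n_packets, "tcp_syn_open", rng), 60)
    hidden_case = infer_attacks(
        simulate_flood("203.0.113.10", n_packets, "tcp_syn_open", rng,
                       subnet_restricted_source), 60)
    return random_case, hidden_case


if __name__ == "__main__":
    visible, hidden = demo()
    print(visible)   # roughly 500 observed, estimate near 128 000 packets
    print(hidden)    # {} : the telescope is blind to non-random spoofing
```

With 128 000 attack packets the random-source run yields about 500 observed backscatter packets and an estimate close to the true flood size, while the subnet-restricted run yields nothing at all, which is exactly why the slides stress that only random-source floods are measurable this way.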
Contents
DDOS Introduction
Classical DoS attacks
Flooding attacks
Distributed Denial-of-Service (DDoS)
How DDoS attacks are waged?
Reflector and amplifier attacks
Other DoS attacks
Detecting DoS attacks
Approaches to defense against DoS
Responding to a DoS attack
Conclusion
104
Defenses against DoS attacks
DoS attacks cannot be prevented entirely
Impractical to prevent flash crowds without
compromising network performance
Three lines of defense against (D)DoS attacks:
Attack prevention and preemption
Attack detection and filtering
Attack source traceback and identification
105
Attack prevention
Limit the ability of systems to send spoofed packets
Filtering done by routers as close to the source as possible
Reverse-path filtering ensures that the path back to the
claimed source is the same as the current packet’s path
Ex: on a Cisco router, the interface command
“ip verify unicast reverse-path”
Rate controls in upstream distribution networks
On specific packet types
Ex: some ICMP, some UDP, TCP SYN
Use modified TCP connection handling
Use SYN-ACK cookies when the connection table is full
Or selective or random drop when the table is full
106
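To make the reverse-path filtering item above concrete, here is an added example (not code from the slides or from any router vendor) of strict unicast RPF applied to a constructed forwarding table in the same shape as the router slides at the start of the deck. The 140.114.x.0 prefixes come from those slides; the interface names, the default route and the packet records are assumptions. The check reuses the longest-prefix-match lookup the deck describes, but looks up the packet's source instead of its destination.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed forwarding table (prefix -> egress interface). Prefixes follow
# the deck's 140.114.x.0 example; interface names and the default route are
# assumptions for this example.
FORWARDING_TABLE = [
    (IPv4Network("140.114.77.0/24"), "eth0"),   # directly connected LAN
    (IPv4Network("140.114.78.0/24"), "eth1"),   # directly connected LAN
    (IPv4Network("140.114.79.0/24"), "eth2"),   # via Router Z
    (IPv4Network("0.0.0.0/0"), "eth3"),         # default route toward upstream
]


def lookup(addr, table=FORWARDING_TABLE):
    """Longest-prefix-match lookup: (matching prefix, egress interface) or None."""
    best = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def strict_urpf_allows(src, ingress, table=FORWARDING_TABLE, allow_default=False):
    """Strict unicast RPF, the behaviour behind 'ip verify unicast reverse-path'.

    The packet passes only if the best route back to its *source* address
    exits through the interface it arrived on. A match on the default route
    counts only when allow_default is set; otherwise every address arriving
    on the upstream link would pass the check trivially.
    """
    route = lookup(IPv4Address(src), table)
    if route is None:
        return False
    prefix, iface = route
    if prefix.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def loose_urpf_allows(src, table=FORWARDING_TABLE):
    """Loose mode: the source only has to be reachable via some non-default
    route, whichever interface the packet came in on. It tolerates asymmetric
    routing but still rejects sources with no route at all (in this toy table
    that includes all external addresses; a router with a full table would
    know them)."""
    route = lookup(IPv4Address(src), table)
    return route is not None and route[0].prefixlen > 0


def filter_packets(packets, table=FORWARDING_TABLE):
    """Apply strict uRPF to (src, dst, ingress) records; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        src, _dst, ingress = pkt
        (forwarded if strict_urpf_allows(src, ingress, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packet records: (source, destination, ingress interface).
SAMPLE_PACKETS = [
    ("140.114.77.5", "140.114.78.9", "eth0"),   # genuine LAN host
    ("140.114.77.5", "140.114.78.9", "eth3"),   # spoofed: internal source arriving from upstream
    ("140.114.79.20", "140.114.77.5", "eth0"),  # spoofed: Router Z's subnet arriving on eth0
    ("198.51.100.9", "140.114.77.5", "eth3"),   # external source; passes only with allow_default
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)   # only the genuine LAN packet
    print("dropped:", drop)
```

The fourth sample packet illustrates the usual deployment caveat: strict mode is meant for customer-facing or stub interfaces where routing is symmetric; on an upstream or multihomed link it either needs the default route admitted or should be replaced by loose mode, or legitimate traffic is discarded.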
Attack prevention cont’d ….
Block IP broadcasts
Block suspicious services & combinations
Manage application attacks with “puzzles” to
distinguish legitimate human requests
Good general system security practices
Use mirrored and replicated servers when high
performance and reliability required
107
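The previous attack-prevention slide lists SYN-ACK cookies as the modified TCP connection handling to use when the half-open connection table is full. The following is an added example, not code from the slides or from any operating system's TCP stack, of how such a cookie works: the server encodes a coarse timestamp, an MSS index and a keyed MAC of the connection 4-tuple into the 32-bit initial sequence number of its SYN/ACK, stores nothing, and later recovers everything it needs from the client's ACK. The bit layout, the MSS table, the 64-second tick and the secret are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Per-boot secret (assumption: a real stack would draw this at random at boot).
SECRET = b"constructed-example-secret"

# MSS values the cookie can encode; the chosen index takes 3 bits. The table,
# the bit layout and the tick size are assumptions for this example.
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64                       # cookie timestamp granularity
TICK_BITS, MSS_BITS, MAC_BITS = 5, 3, 24  # 5 + 3 + 24 = 32-bit ISN


def _tick(now):
    """Coarse time counter that wraps every 2**TICK_BITS ticks."""
    return (int(now) // TICK_SECONDS) & ((1 << TICK_BITS) - 1)


def _mac(src, dst, sport, dport, tick):
    """Truncated HMAC binding the cookie to the 4-tuple and the time tick."""
    msg = f"{src}|{dst}|{sport}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:MAC_BITS // 8], "big")


def make_syn_cookie(src, dst, sport, dport, mss, now):
    """ISN for the SYN/ACK: [5-bit tick][3-bit MSS index][24-bit MAC].

    No half-open entry is stored; everything needed to finish the handshake
    later is carried inside the ISN itself, so a SYN flood cannot fill a table.
    """
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    idx = fitting[-1] if fitting else 0          # largest encodable MSS <= offered
    tick = _tick(now)
    return (tick << (MSS_BITS + MAC_BITS)) | (idx << MAC_BITS) | _mac(src, dst, sport, dport, tick)


def check_syn_cookie(src, dst, sport, dport, ack, now):
    """Validate the final ACK of the handshake; return the MSS to use, or None.

    The client's ACK number is our ISN + 1. Only the current tick and the
    previous one are accepted (roughly 64-128 s to complete the handshake);
    an older tick or a MAC mismatch means the cookie is stale or forged.
    """
    isn = (ack - 1) & 0xFFFFFFFF
    tick = isn >> (MSS_BITS + MAC_BITS)
    idx = (isn >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = isn & ((1 << MAC_BITS) - 1)
    cur = _tick(now)
    if tick not in (cur, (cur - 1) & ((1 << TICK_BITS) - 1)):
        return None
    expected = _mac(src, dst, sport, dport, tick)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:80
    c = make_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, 1460, 1_000_000)
    print(hex(c))
    print(check_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, c + 1, 1_000_000))  # 1460
    print(check_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, c + 1, 1_000_130))  # None (stale)
```

The trade-off the slide hints at with "when table full" is visible in the code: the cookie cannot carry TCP options beyond a coarse MSS, and the server only learns of the connection on the third packet, so stacks enable cookies only under SYN-queue pressure rather than all the time.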
Responding to attacks
Need a good incident response plan
With contacts for the ISP
Needed to impose traffic filtering upstream
Details of the response process
Have standard antispoofing, rate-limiting, and directed-
broadcast-limiting filters in place
Ideally have network monitors and IDS
To detect and report abnormal traffic patterns
109
Responding to attacks cont’d ….
Identify the type of attack
Capture and analyze packets
Design filters to block attack traffic upstream
Identify and correct system and application bugs
Have ISP trace packet flow back to source
May be difficult and time consuming
Necessary if legal action desired
Implement contingency plan
Update incident response plan
110
Conclusion
(D)DoS attacks are genuine threats to many Internet
users
Losses l range from annoying to debilitating:
Annoying < l < Debilitating
The level of loss depends on the attacker’s motivation as well
as on the defender’s shielding attempts
Attackers take advantage of the victims’ ignorance
w.r.t. (D)DoS attacks
Defensive measures might not always work
Neither the threats nor the defensive methods are static
112
Conclusion
Prognosis for DDoS
Increase in size
Increase in sophistication
Increase in semantic DDoS attacks
Infrastructure attacks
DDoS attacks are a significant threat to the future growth
and stability of the Internet
113
Cloud-based DDoS Protection
http://www.nexusguard.com/download/ClearDDoS%20Brochure-en.pdf
114
Cloud-based DDoS Protection
115