Transcript DoS
CSC 382/582: Computer Security
Denial of Service
CSC 382/582: Computer Security
Slide #1
Topics
1.
2.
3.
4.
5.
6.
7.
Introduction
History of DoS
Modes of Attack
Technical Attacks
Distributed DOS (DDOS)
Computational Attacks
Defending against DoS
CSC 382/582: Computer Security
Slide #2
Denial of Service
• Attacks against availability of services.
• Common attacks:
– CAIDA conservatively estimated 4000/week.
– Attacks have increased since 2001 estimate.
• Most DoS vs. small site for short duration.
• However, DoS attacks can be very big
– Millions of packets/second.
– Many thousands of hosts involved.
• DoS attacks are very difficult to stop.
CSC 382/582: Computer Security
Slide #3
Denial of Service Motives
• Attacker Competitions
– Take over IRC channels.
– Fame: take down a well-known target.
– Revenge for being DoSed.
• Political
– Take down computers of political opponents.
• Financial
– Take down competitor web site.
– Extortion: pay attacker or be DoSed.
CSC 382/582: Computer Security
Slide #4
History of Denial of Service
1988: Morris Worm brings down most of Internet.
1996: SYN flood attacks take out IRC networks.
1997: Fragment attacks used to DoS Windows systems.
1998: Distributed DoS attack tools appear.
1999: Heavy use of DDoS tools.
2000: DDoS attacks takes down Amazon, eBay, Yahoo.
2001: Reflected DDoS attacks appear.
2002: DDoS takes down 9 of 13 root DNS servers.
2003: DDoS takes down Al-Jazeera after broadcasting pictures
of captured American soldiers.
2003-: Financially motivated DDoS. Spammers DDoS antispam organizations. Extortionists DDoS small sites.
CSC 382/582: Computer Security
Slide #5
DoS: Modes of Attack
1. Technical Attacks
•
•
•
Fragment attacks.
SYN Floods
Smurf.
2. Bandwidth Consumption
•
DDoS, amplifier-based attacks.
3. Other Resource Consumption
•
•
•
Email bombs.
Disk filling by syslog spoofing/anonymous ftp.
Computational attacks.
CSC 382/582: Computer Security
Slide #6
Packet Fragmentation
Occurs at IP layer
Each fragment has own IP header
Characteristics:
– Each fragment of a packet has same identification field.
– More Fragments flag set (except on final frag).
– Fragment Offset is offset (8-byte units) of fragment from
beginning of original datagram.
– Total Length field is length of fragment.
CSC 382/582: Computer Security
Slide #7
Fragment Security Issues
Large Datagrams
– Use multiple fragments that will be re-assembled into a
packet larger than the maximum IP packet size of 64KB.
– example: ping of death
Incomplete Datagrams
– Jolt2: stream of fragments, with no first fragment.
Overlapping Fragments
– Fragment offsets overlap, so during reassembly, second
packet is copied over part of TCP header, allowing true
header to be hidden in second packet while firewall reads
misleading header data from first packet.
– Denial of Service: Teardrop attack uses overlapping
fragments to overflow integer in memory copy to crash
Windows 95/NT and Linux <2.0.32 hosts.
CSC 382/582: Computer Security
Slide #8
SYN Floods
Create many half-open connections to target
– Send SYN packet from spoofed, invalid IP address.
– Ignore SYN+ACK response
Target connection table fills up
– all new TCP connections refused
SYN a, ACK x
SYN b, ACK y
SYN c, ACK z
SYN x
SYN y
SYN z
SYN_RECV x from IP n
SYN_RECV y from IP n
SYN_RECV z from IP n
Attacker
Target
CSC 382/582: Computer Security
Slide #9
SYN Flood Defences
• Micro-connections: Allocate few resources (~16
bytes) micro-record until ACK recv’d
• RST Cookies:
– Server sends incorrect SYN+ACK to first client
connection request, eliciting RST as response.
Thereafter, connections from that client are accepted.
• SYN Cookies: Store state in ISN, not on server.
– Compute ISN using hash of src + dst IP addresses and
ports.
– Valid clients will respond with ISN+1, allowing server to
compute connection table entry.
CSC 382/582: Computer Security
Slide #10
Smurf Attack
Reflector Network
SRC=Target IP,
DST=10.0.0.255
10.0.0.*
Target
Attacker
CSC 382/582: Computer Security
Slide #11
Smurf Attack
Build special ICMP/UDP echo packet
Forge IP source address to be that of target.
Destination address is a broadcast address.
Each host that receives broadcast will respond
to the spoofed target address with an echo
packet, overwhelming target host.
Most current routers refuse to pass on directed
broadcast packets.
CSC 382/582: Computer Security
Slide #12
DDoS Attacks
Attack
zombies:
• Use valid protocols
• Spoof source IP
• Massively distributed
• Variety of attacks
Provider Infrastructure:
• DNS, routers, and links
Access Line
CSC 382/582: Computer Security
Entire Data Center:
• Servers, security devices, routers
#13
• Ecommerce, web, DNS, Slide
email,…
Timeline of a DDOS Attack
1. Set up DDOS Network (Botnet)
1. Manual compromise by group of crackers.
2. Automated comprise by a worm.
2. Launch Attack
3. Victim networks become unresponsive
Identification difficult due to router/host failures and lack
of logging of packets.
4. Third party effects
Victim responses sent to spoofed IP addresses.
CSC 382/582: Computer Security
Slide #14
DDoS Attack Architecture
CSC 382/582: Computer Security
Slide #15
DDOS Machines
Intruder: One or more intruders access master
machines to control network, typically
through intermediate proxies.
Master: The command and control servers that
control agents. Multiple masters are used for
redundancy and scalability. Often
communication is via the IRC protocol.
Agent: Infected hosts that launch DDOS attack
and recruit more agents, aka zombies or bots.
CSC 382/582: Computer Security
Slide #16
Level of Automation
• Manual
– Manual compromise and attack
• Semi-automated
– Use of automated exploit to compromise hosts,
then DDoS agent (Stacheldraht, TFN2k, Trinoo)
• Automated
– Worm such as W32/Blaster
CSC 382/582: Computer Security
Slide #17
Agent Lifecycle
1.
2.
3.
4.
5.
6.
7.
Old agent scanner selects target host.
Old agent attempts exploit against target.
If exploit ok, agent transfers self to target.
Agent begins running on target.
Agent registers itself with master server.
Master accepts agent as member w/ pw.
Agent logs into communication channel
with provided password.
8. Agent waits for commands from master.
CSC 382/582: Computer Security
Slide #18
Agent Capabilities
• DDOS Attacks
–
–
–
–
–
SYN floods
Smurf
UDP floods
ICMP floods
Mixed
• Recruitment
– Scanning engine.
– Many exploits.
– Use other bot backdoors.
CSC 382/582: Computer Security
•
•
•
•
•
•
File transfer
Proxying
E-mail harvesting
Sniffing
Spamming
Self-defence
– Anti-virus
– Polymorphism
– Rootkit.
Slide #19
Botnet Families
• Agobot/Phatbot
– Over 500 variants.
– Modular structure: easy to add features.
– Some use WASTE p2p communication.
• SDBot
– Simpler than Agobot, but common.
• mIRC-based bots
– Script mIRC client for Windows.
CSC 382/582: Computer Security
Slide #20
Distributed Reflection DOS
Combine SYN Flood + DDOS attacks
– Forge target’s IP address in SYN flood on multiple
reflection servers.
– Amplification: most OSes send multiple SYN+ACK
responses to SYN packet.
– Concealment: packets come from multiple reflection
servers, not actual attacker host.
– Difficult to block: attacker may rotate attacks from
large pool of reflection servers, many of which may be
important hosts which you need to receive traffic from.
CSC 382/582: Computer Security
Slide #21
Computational Attacks
• Goal: Exhaust CPU resources of target.
• Target: Application Layer
• Examples:
– 2002. BBCode markup language of phpBB could
consume 100% CPU in infinite expansion of multiply
nested tags.
– 2003. Crosby and Wallach show how to select input to
reduce hash (O(1) performance) to linked list (O(n)
performance). Attacks vs. Bro IDS, perl.
– 2005. Tomcat 5.5 directory listing of large directories
could use large amounts of CPU.
CSC 382/582: Computer Security
Slide #22
Why DDoS is Hard to Stop
1. Attacker ease of use
Attackers can d/l user friendly advanced tools.
2. IP spoofing
DDoS attacks can always be spoofed.
3. Numerous agents
Attacker agents spread across networks.
4. Variety of traffic
DDoS attacks can be launched with any protocol.
5. High-volume traffic
At DDoS traffic volumes, firewalls and IDS must analyze
each packet quickly, i.e. without deep packet inspection
or cross-packet correlations.
CSC 382/582: Computer Security
Slide #23
Filterable and non-Filterable Attacks
Filterable Attacks
– Attack non-essential services (ICMP echo) or
ports (random UDP flood.)
Non-filterable Attacks
– Attack essential services (email or web.)
– Packets may be partially valid for targeted
protocol.
CSC 382/582: Computer Security
Slide #24
DDOS Prevention
• Apply patches against technical attacks.
• Firewall rules to drop known attacks at perimeter.
• Overprovisioning
– Network bandwidth, NICs
– Memory, disk
– CPU
• Load balancing
• Caching
– Create static page frequently instead of dynamically
creating page whenever accessed.
CSC 382/582: Computer Security
Slide #25
DDOS Detection
• Detecting zombie hosts
– DDOSPing
– Zombie Zapper
• Detecting a DDOS attack
– Performance monitoring: network and host
– Network intrusion detection systems
CSC 382/582: Computer Security
Slide #26
DDOS Reaction
• Filter out identifiable DDOS traffic.
• Contact ISP for help with
– Filtering and rate limiting.
– Tracking down source of attack.
• Move the target
– White House avoided by changing IP address.
• Use Alternate Infrastructure
– Use caching to decrease server load.
– Use anti-ddos provider like Akamai, Prolexic.
CSC 382/582: Computer Security
Slide #27
Key Points
• Types of denial of service attack
– Technical attacks (SYN flood, smurfing)
– Bandwidth attacks (DDOS)
• DOS attacks are a serious threat
– Can take down large sites (often for money.)
– Difficult to prevent and react to.
• Botnets make DDOS easy and effective
– Agents evolve rapidly, offer auto-updating.
CSC 382/582: Computer Security
Slide #28
References
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
“Al-Jazeera Hobbled by DDOS Attack,” InfoWorld,
http://www.infoworld.com/article/03/03/26/HNjazeera_1.html, March 26, 2003.
Scott Berinato, “How a Bookmaker and a Whiz Kid Took On an Extortionist—and Won,” CSO
Online, http://www.csoonline.com/read/050105/extortion_pf.html, Nov 22 2003.
CERT Coordination Center, “Results of the Distributed-Systems Intruder Tools Workshop,”
December 1999, http://www.cert.org/reports/dsit_workshop-final.html
David Dittrich, DDOS Archives, http://staff.washington.edu/dittrich/misc/ddos/, 2006.
Greene, “ISP Security 101 Primer,” http://www.nanog.org/mtg-0602/greene.html, 2003.
The Honeynet Project, “Know Your Enemy: Tracking Botnets,”
http://www.honeynet.org/papers/bots/, 2005.
Steve Gibson, “Distributed Reflection Denial of Service,” http://www.grc.com/dos/drdos.htm, Feb
22 2002.
Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5/e, McGraw-Hill, 2005.
Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher, Internet Denial of Service: Attack
and Defense Mechanisms, Prentice Hall, 2005.
C. Nuttall, “Crime Gangs Extort Money with Hacking Threat,” The Financial Times, 11 Dec 2003,
http://www.rense.com/general44/hack.htm
Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition,
McGraw-Hill, 2006.
Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
Scott A Crosby and Dan S Wallach, “Denial of Service via Algorithmic Complexity Attacks,”
USENIX Security 2003, http://www.cs.rice.edu/~scrosby/hash/, 2003.
CSC 382/582: Computer Security
Slide #29