Denial of Service
Ozalp Babaoglu

Denial of Service

■ Availability refers to the ability to use a desired information resource or service
■ A Denial of Service attack is an attempt to make that information (resource or service) unavailable to legitimate users
■ The most common attacks are aimed at hosts, whose services are temporarily denied
■ Different motivations: economic interests, cyber-extortion, cyber-warfare, protest, hacktivism, etc.
■ Started in the late 1990s, still very common (and dangerous) today

ALMA MATER STUDIORUM – UNIVERSITA’ DI BOLOGNA © Babaoglu 2001-2021 Cybersecurity 2

A metaphor: Denial-of-Dinner Attack

Incoming call from 532 174-9528
Restaurant: Hello, Chez Panisse, how can I help you?
Caller: I would like to make a reservation for next Friday.
Restaurant: Certainly! At what time, under what name and for how many persons?
Caller: At 8pm, Miss O’Hara for 58 persons
Restaurant: Very well! See you next Friday Miss O’Hara!
Caller: Thank you very much! Goodbye.

Denial-of-Dinner Attack 2

Caller: Can’t wait to repeat my attack on Chez Panisse Restaurant!
Incoming call from 532 174-9528
Restaurant: Wait a minute!! I recognize that number. It’s Miss O’Hara. She booked 58 places last week and no one showed up! I will not fall for it another time!! I’ll just let it ring!

Denial-of-Dinner Attack 3

Incoming call from 355 932-1752
Restaurant: Hello, Chez Panisse, how can I help you?
Caller: I would like to make a reservation for next Friday
Restaurant: Certainly! At what time, under what name and for how many persons?
Caller: At 8pm, Miss Suellen for 58 persons
Restaurant: Very well! See you next Friday Miss Suellen!
Caller: Thank you very much! Goodbye.

Denial-of-Dinner Attack 4

Incoming call from 340 254-8356
Restaurant: Hello, Chez Panisse, how can I help you?
Caller: I would like to make a reservation for next Friday
Restaurant: Certainly! At what time, under what name and for how many persons?
Caller: At 8pm, Mrs Marylou for 58 persons
Restaurant: I am sorry but we do not accept reservations for more than 4 from the same person.

Distributed Denial-of-Dinner Attack 5

Incoming call from 348 …
Restaurant: Hello, Chez Panisse, how can I help you?
Caller: I would like to make a reservation for 4 persons next Friday at 8pm, Jane
Restaurant: OK
Caller: I would like to make a reservation for 4 persons next Friday at 8pm, John
Restaurant: OK
Caller: I would like to make a reservation for 4 persons next Friday at 8pm, Julie
Restaurant: OK

■ With the existing economic model for reservations, the restaurant is fighting a losing battle
  ■ It costs very little for the customer to make a reservation
  ■ It costs a lot for the restaurant to lose a reservation
■ This asymmetry opens up the possibility for exploitation
■ Need to balance the two costs to avoid exploitation
■ We can try one of two possibilities
  ■ Lower the cost of losing a reservation
  ■ Increase the cost of making a reservation — ask for a credit card

Economic model

■ In the physical world, DoS attacks are very rare because almost everything has a cost — real, indirect or social
■ The cost model of the Internet does not tax volume, so it costs (almost) the same to make one request or one million requests
■ One way to increase the cost of a request is to increase the time it takes to complete it — CAPTCHA
■ Can be effective in guarding services that involve human beings, e.g., creating accounts, directory look-up, image or document conversion

CAPTCHA

■ Completely Automated Public Turing test to tell Computers and Humans Apart
■ Type of challenge-response test used in computing to determine whether the user is human
■ CAPTCHA involves one computer (a server) which asks a user to complete a test
■ The test can be generated and graded by a computer but a computer is not able to solve the test

CAPTCHA

■ CAPTCHA requirements:
  ■ Most humans can solve easily
  ■ Current computers are unable to solve accurately
  ■ Do not rely on the attacker never having seen the given type of CAPTCHA before
  ■ Can be generated automatically but require artificial intelligence techniques to solve

reCAPTCHA

■ About 200 million CAPTCHAs are solved by humans around the world each day
■ This amounts to more than 150,000 hours of work consumed each day
■ reCAPTCHA improves the process of digitizing books by sending words that cannot be recognized by computers to the Web in the form of CAPTCHAs for humans to decipher

reCAPTCHA to noCAPTCHA

■ Today, it is possible to distinguish humans from bots using sophisticated Machine Learning and AI techniques that take into account what a user does before and after ticking a simple checkbox

DoS types

■ Two general strategies for attacks:
  ■ Crash the services
  ■ Flood the services
■ Different ways of launching an attack:
  ■ Consumption of bandwidth
  ■ Consumption of host resources: RAM, disk space, CPU time
  ■ Disruption of configuration information (e.g., routing)
  ■ Disruption of state information (e.g., TCP sessions)
  ■ Disruption of information itself (cryptolocker)
  ■ Disruption of physical network components (LAN, WLAN, etc.)

DoS manifestations

■ US-CERT defines symptoms of DoS attacks:
  ■ Unusually slow network performance (e.g., accessing web sites)
  ■ Inability to provide a service for remote access (web site)
  ■ Inability to access a remote service (web site)
  ■ Inability to access local information (files)
  ■ Increase in the number of spam received (e-mail bomb)
  ■ Disconnection of a wireless or wired internet connection

Botnets, Zombies and DDoS

■ Early DoS attacks were performed from a single host
■ Today, “armies” of hosts are used to launch more effective “Distributed DoS” (DDoS) attacks: botnets of zombies
■ “Zombie” refers to a compromised computer (infested by viruses, trojan horses, etc.) that can be used to perform malicious tasks, unbeknownst to its legitimate owner
■ Botnets of zombies are remotely controlled by attackers

Some notable DoS attacks

■ (1996) Attack against the New York City Internet Service Provider Panix (unavailable for one week, affected Internet Chess Club, NYT)
■ (2000) Attack against Yahoo, eBay, Amazon, Datek, Buy, CNN, ETrade, ZDNet and Dell
■ (2001) Code Red used 250,000 zombies to attack the White House
■ (2013) Attack that brings down part of the Chinese Internet
■ (October 2016) Hackers Used New Weapons to Disrupt Major Websites Across U.S.

October 2016 Attack

■ Attack which took place over the weekend of October 21, 2016 caused problems in reaching several websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times
■ Dyn, that hosts the Domain Name System (DNS), said it began experiencing what security experts called a distributed denial-of-service attack just after 7 a.m. Oct. 21
■ The attack appears to have been highly distributed involving tens of millions of IP addresses from “IoT” devices like cameras, baby monitors and home routers that have been infected

October 2016 Attack

■ The “Mirai” malware spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords

DDoS over the years

The largest DDoS attack reported by survey respondents was 841 Gbps in 2018, with others reporting attacks of 450 Gbps, 394 Gbps, and 300 Gbps (Figure 45). Not surprisingly, all these resulted from a combination of different reflection/amplification vectors such as DNS, NTP, SSDP, Chargen, SNMP, and Memcached.

[Figure 45: Largest attack size reported by service providers, peak attack size in Gbps per year, 2008-2018. Source: Arbor Networks 13th Annual Worldwide Infrastructure Security Report]

As already mentioned, a DDoS attack takes place when numerous compromised machines, infected with malicious code, act simultaneously and in a coordinated way under the control of a single attacker, with the goal of breaching the victim's defenses, exhausting its resources and denying service to its users. There are mainly two types of DDoS attacks [5]:

1. Typical DDoS attacks,
2. Distributed reflector DoS (DRDoS) attacks.

2.2.1 Typical DDoS attacks

In a typical DDoS attack, the attacker's army (botnet) consists of master zombies and slave zombies. Hosts of both categories are compromised machines that were found during the scanning process and infected with malicious code. The attacker coordinates and commands the master zombies, which in turn coordinate and trigger the slave zombies. More precisely, the attacker sends an attack command to the master zombies and activates the attack processes on those machines, which lie dormant waiting for the appropriate command to wake up and start attacking. The master zombies then, through these processes, send the attack command to the slave zombies, ordering them to launch a DDoS attack on the victim's computer. In this way the agent machines (slave zombies) start sending a large number of packets to the victim's computers, flooding their systems and exhausting their resources with unnecessary load. This kind of DDoS attack is shown in Figure 4.

IP Spoofing

■ Most DDoS attacks rely on spoofed source IP addresses
  ■ the victim believes that the packet was sent by a machine other than the one that actually sent it
  ■ More effective if the spoofed IP address is of a host the victim trusts
■ Exploits (corrupted) IP headers
■ IP Spoofing has legitimate applications, for instance for simulating network load or traffic
■ Can be exploited for DDoS since it:
  ■ makes it more difficult to trace back attackers (no accountability)
  ■ makes it more difficult to filter malicious traffic
  ■ allows errors and floods in network traffic

Figure 4. Example of a DDoS attack

In the case of a DDoS attack, forged (spoofed) source IP addresses are used in the attack traffic packets. The attacker prefers to use such forged source IP addresses for two reasons: first, the attacker wants to hide the identity of the zombies, so that the victim cannot trace the attack back to them. The second reason concerns the effectiveness of the attack: the attacker wants to discourage any attempt by the victim to filter the malicious traffic at the firewall.

2.2.2 DRDoS attacks

Unlike typical DDoS attacks, in a DRDoS attack the botnet consists of master zombies, slave zombies and reflectors [6]. The scenario of this type of attack is the same as that of typical DDoS attacks up to a certain phase. The attackers control the master zombies, which in turn control the slave zombies. The difference in this kind of attack is that the slave zombies, led by the master zombies, send a large number of packets carrying the victim's IP address as the source address to other “healthy” machines (known as reflectors), prompting these machines to connect to the victim.

Building a Botnet: Scanning Techniques

■ The first action of an attacker is to build the Botnet
■ Different approaches to find vulnerable hosts:
  ■ Random scanning: each infected host (by malicious code, starting from the attacker’s machine) probes IP addresses randomly and checks their vulnerability. If a vulnerable machine is found, it tries to infect it and to install the same code. The process is repeated
  ■ Hit-list scanning: the attacker collects lists of potentially vulnerable machines from different sources. She then begins scanning down the list looking for vulnerable machines. If a vulnerable host is found, the malicious code is installed at that host and the list is split in two. Half of the list is given to the vulnerable machine and the process is repeated

Building a Botnet: Scanning Techniques

■ Different approaches to find vulnerable hosts:
  ■ Topological scanning: the attacker exploits information contained on the victim host in order to find new targets (for instance, web site URLs or subnetwork machines). Potentially vulnerable machines are probed and the process is repeated. More precise and faster
  ■ Local subnet scanning: acts behind a firewall, once one host is infected. The compromised host looks for targets in its own local network, using the information that is hidden in “local” addresses. The attack is propagated quickly within the local network
  ■ Permutation scanning: combination of previous approaches in which zombies share a permutation list of (potentially vulnerable) IP addresses. This list is scanned and, if an uninfected host is found, it is infected and the process is repeated. Very good performance and precision (no repeated infection of the same host)

Some known attacks

■ Ping of Death
■ Teardrop
■ SYN Flooding
■ Reflector attack
■ Smurf
■ Slow HTTP DoS
■ And many others

DoS attacks: Ping of Death

■ The attacker creates IP packets containing more than 65,536 bytes, the limit defined in the IP protocol
■ Malformed ping but can be generalized
■ Exploits bugs in early implementations of TCP/IP when reassembling fragmented packets, causing a crash
■ Today solved in most systems, can also be prevented with firewalls

DoS attacks: Teardrop

■ Exploits IP packet fragmentation
■ Each fragmented packet identifies an offset that enables the entire packet to be reassembled
■ The attacker sends malformed IP fragments with overlapping, over-sized payloads to the target machine, causing it to crash
■ Affected mostly Windows systems, patched and no longer effective
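As an added example (not part of the lecture), a validation pass that a reassembly engine or a firewall can run over the fragments of one datagram before reassembling them: it rejects both malformed shapes described above, a reassembled size beyond the IP limit (Ping of Death) and overlapping fragments (Teardrop), and also enforces the RFC 791 invariants every well-formed fragment satisfies. The `Fragment` class and the three sample fragment sets are constructed for illustration.

```python
from dataclasses import dataclass

# Maximum IPv4 datagram size (header + payload) in bytes, from RFC 791.
MAX_DATAGRAM = 65535
IPV4_HEADER = 20          # minimal header; the sample assumes no IP options


@dataclass(frozen=True)
class Fragment:
    """One IP fragment as a reassembly engine sees it (constructed sample data)."""
    ident: int      # Identification field shared by all fragments of a datagram
    offset: int     # payload offset in bytes (the header field counts 8-byte units)
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag: more fragments follow


def validate_fragments(frags):
    """Return (ok, reason) for one datagram's fragments, before any reassembly.

    Checks, in order: all fragments share one Identification; offsets are
    8-byte aligned and non-final fragments carry 8-byte multiples; the end of
    each fragment stays inside the datagram size limit (Ping of Death); the
    fragment does not start inside data already covered (Teardrop) and leaves
    no gap; and the highest fragment is the final one.
    """
    if not frags:
        return False, "no fragments"
    if len({f.ident for f in frags}) != 1:
        return False, "fragments belong to different datagrams"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected_next = 0           # first payload byte not yet covered
    for f in ordered:
        if f.offset % 8 != 0:
            return False, f"offset {f.offset} is not a multiple of 8"
        if f.more and f.length % 8 != 0:
            return False, "non-final fragment length is not a multiple of 8"
        if IPV4_HEADER + f.offset + f.length > MAX_DATAGRAM:
            return False, f"reassembled size would exceed {MAX_DATAGRAM} bytes"
        if f.offset < expected_next:
            return False, f"fragment at offset {f.offset} overlaps previous data"
        if f.offset > expected_next:
            return False, f"gap before offset {f.offset}"
        expected_next = f.offset + f.length
    if ordered[-1].more:
        return False, "last fragment has MF set"
    return True, f"ok, {expected_next} payload bytes"


# Constructed sample fragment sets (not from the lecture).
BENIGN = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True),
          Fragment(1, 2960, 400, False)]
# Final fragment placed so that the datagram would reassemble past 65,535 bytes.
PING_OF_DEATH = [Fragment(2, 0, 1480, True), Fragment(2, 65520, 100, False)]
# Second fragment starts at byte 24, inside the 40 bytes the first one covers.
TEARDROP = [Fragment(3, 0, 40, True), Fragment(3, 24, 20, False)]
```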

DoS attacks: SYN Flooding

■ Exploits vulnerabilities in the TCP three-way handshake through IP Spoofing
■ The attacker (through the Botnet) initiates many TCP connection requests by sending SYNs to the victim host
■ The victim initializes the connections in the Transmission Control Block (TCB), sends SYN-ACKs and waits for ACKs before declaring each connection ESTABLISHED
■ Since the initial connection requests are spoofed, the SYN-ACK messages are lost and the ACKs never arrive
■ The queue of incoming connections in the TCB is eventually exhausted and no more new connections can be accepted
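An added model (not from the lecture) of the victim's queue of half-open connections, to make the exhaustion above concrete: a spoofed SYN never gets its ACK, so its entry stays for the whole SYN_RECEIVED timeout, and the replay shows how the backlog size and that timeout decide whether legitimate clients arriving later still get in. The packet summaries, the trace and the addresses (RFC 5737 documentation ranges) are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """A TCP segment summary (constructed; only what the model needs)."""
    t: float      # arrival time in seconds
    src: str      # client address from the IP header (may be spoofed)
    flags: str    # "S" = SYN from client, "A" = final ACK of the handshake


class ListenQueue:
    """The server's queue of half-open connections (SYN_RECEIVED entries).

    A SYN allocates an entry that is freed only by the client's ACK or by the
    SYN_RECEIVED timeout. Spoofed SYNs never get an ACK, so their entries live
    for the full timeout. Simplification: one entry per source address, no
    SYN-ACK retransmissions.
    """

    def __init__(self, backlog, syn_recv_timeout):
        self.backlog = backlog
        self.timeout = syn_recv_timeout
        self.half_open = {}     # src -> time its SYN arrived
        self.established = 0
        self.refused = []       # (time, src) of SYNs dropped because the queue was full

    def _expire(self, now):
        self.half_open = {s: t for s, t in self.half_open.items() if now - t < self.timeout}

    def feed(self, pkt):
        self._expire(pkt.t)
        if pkt.flags == "S":
            if len(self.half_open) >= self.backlog:
                self.refused.append((pkt.t, pkt.src))
            else:
                self.half_open[pkt.src] = pkt.t   # SYN-ACK sent, waiting for ACK
        elif pkt.flags == "A" and pkt.src in self.half_open:
            del self.half_open[pkt.src]          # handshake complete: ESTABLISHED
            self.established += 1


def simulate(spoofed_syns, backlog=64, syn_recv_timeout=60.0):
    """Replay a constructed trace: a burst of spoofed SYNs, then ten real clients.

    Returns (legitimate clients established, legitimate SYNs refused).
    """
    trace = []
    # Spoofed SYNs 10 ms apart from made-up sources that never answer (max 250).
    for i in range(spoofed_syns):
        trace.append(Pkt(0.01 * i, f"198.51.100.{i}", "S"))
    # Legitimate clients arrive from t = 5 s and ACK the SYN-ACK 50 ms later.
    for j in range(10):
        trace.append(Pkt(5.0 + j, f"203.0.113.{j}", "S"))
        trace.append(Pkt(5.05 + j, f"203.0.113.{j}", "A"))
    q = ListenQueue(backlog, syn_recv_timeout)
    for pkt in sorted(trace, key=lambda p: p.t):
        q.feed(pkt)
    legit_refused = sum(1 for _, src in q.refused if src.startswith("203.0.113."))
    return q.established, legit_refused
```

With the default 60 s timeout, 200 spoofed SYNs against a backlog of 64 lock out all ten legitimate clients; with a 2 s timeout the spoofed entries have expired before they arrive.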

The reflectors then send the victim a larger volume of traffic in response to what they take to be its request to open a new connection, since they believe the victim is the requesting host. Thus, in a DRDoS attack, the attack is launched by non-compromised machines that unknowingly carry it out.

Comparing the harm done by the two DDoS attack scenarios, it should be noted that a DRDoS attack causes more damage than a typical DDoS attack. The first reason is that a DRDoS attack has more machines participating in the attack, so the attack is more widely distributed. The second reason is that a DRDoS attack generates a larger volume of traffic because of its distributed nature. A graphical model of a DRDoS attack is shown in Figure 5.

DoS attacks: Reflector

■ Distributed Reflector DoS: more hosts, more distributed, more traffic

■ Variation of the SYN Flood attack using the TCP three-way handshake with IP Spoofing
■ The attacker (through the Botnet) initiates many TCP connection requests with many hosts (reflectors) where the (spoofed) source address is that of the victim
■ Each of the reflectors sends its SYN-ACK message to the (spoofed) victim, flooding it

Figure 5. Example of a DRDoS attack

DoS attacks: Smurf

■ Exploits vulnerabilities of Internet Control Message Protocol (ICMP), IP Spoofing and errors in network broadcast configurations
■ The attacker sends many ICMP echo-request packets to the broadcast address of a subnet (useful for diagnostic purposes)
■ These packets contain spoofed IP addresses set to that of the victim and are broadcast to all hosts in the subnet
■ Every host responds by sending (a flood of) ICMP echo-reply packets to the victim

2.3 KNOWN AND DOCUMENTED DDoS ATTACKS

This work would be incomplete without a review of some of the best known, documented DDoS attacks [7], [8]:

Apache2: This attack is launched against the Apache Web server, where the client asks for a service by sending a request with numerous HTTP headers. However, when the Apache Web server receives a large number of such requests, it cannot answer them, becomes overloaded and crashes.

ARP Poison: Address Resolution Protocol (ARP) Poison attacks require the attacker to have access to the victim's LAN. The attacker deceives the host machines on a given LAN by sending them wrong MAC addresses for hosts whose IP addresses are already known. The attacker can achieve this through the following process: the network is monitored for ARP requests sent to establish a connection. As soon as such a request arrives, the malicious attacker tries to reply as quickly as possible to the querying host in order to spoof the requested address.

Back: This attack is launched against the Apache Web server, which is flooded with requests whose URL contains a very large number of front-slash (“/”) characters. While the server tries to process all these requests, it is unable to handle other legitimate requests and thus fails to serve its clients.

CrashIIS: The victim of a CrashIIS attack is most often a Microsoft Windows NT IIS Web server. The attacker sends the victim a malformed GET request, which can crash the web server.

DoSNuke: In this kind of attack, a Microsoft Windows NT victim is flooded with “out-of-band” data (MSG_OOB). The packets are sent by the attacking machines with the flag

DoS attacks: Slow HTTP

■ Exploits a vulnerability in thread-based web servers (like Apache) which wait for entire HTTP headers to be received before releasing the connection
■ While servers typically make use of timeouts to end incomplete HTTP requests, the timeout, which is set to 300 seconds by default, is reset as soon as the client sends additional data
■ By keeping the HTTP request open and feeding the server bogus data before the timeout is reached, the HTTP connection will remain open
■ If an attacker succeeds in occupying all available HTTP connections on a web server, legitimate users would not be able to have their HTTP requests processed

Defenses

■ DoS attacks cannot be prevented and there is no 100% effective defense
■ Why is it so difficult to defend against DoS attacks?
  ■ Very difficult to distinguish between legitimate traffic and attacks
  ■ Filtering incoming flow might reject legitimate traffic
  ■ Filtering efficient only if detection is correct
  ■ Spoofed IP addresses make it very difficult to traceback the attacker
  ■ Heterogeneity of software and platforms
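An added replay (not from the lecture) of the Slow HTTP scenario against two server timeout policies: the idle timeout described above, which restarts whenever any byte arrives, and an additional absolute limit on the time allowed for the complete header block, which is the kind of cap Apache's mod_reqtimeout module adds. The two client traces are constructed; the 300 s idle value is the default quoted in the slide.

```python
HEADER_END = b"\r\n\r\n"


def header_read_outcome(arrivals, idle_timeout, total_limit=None):
    """Replay one connection's header bytes against the server's timeout policy.

    `arrivals` is a list of (time_seconds, bytes) reaching the server on one
    connection. `idle_timeout` restarts on every received byte, as the slides
    describe. `total_limit`, when given, is an absolute deadline (from
    connection start) for receiving the complete header block.

    Returns ("complete", t) when the blank line ending the headers arrived at
    t, or ("closed", t) with the time the server gave up on the connection.
    """
    buf = b""
    last_activity = 0.0
    for t, data in sorted(arrivals, key=lambda a: a[0]):
        # Whichever deadline comes first decides when the server closes.
        deadline = last_activity + idle_timeout
        if total_limit is not None:
            deadline = min(deadline, total_limit)
        if t >= deadline:
            return "closed", deadline
        buf += data
        last_activity = t
        if HEADER_END in buf:
            return "complete", t
    # The client went quiet without ever finishing the headers.
    deadline = last_activity + idle_timeout
    if total_limit is not None:
        deadline = min(deadline, total_limit)
    return "closed", deadline


# Constructed traces (not from the lecture).
# A normal browser sends the whole request block within a few milliseconds.
NORMAL_CLIENT = [(0.002, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]

# A slow client sends a valid request line and then one bogus header byte
# every 250 s for almost an hour: the request never ends, yet the connection
# never looks idle for the full 300 s.
SLOW_CLIENT = [(0.002, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + [
    (250.0 * k, b"X") for k in range(1, 15)
]
```

Under the idle-only policy the slow connection is held for 3800 s; a 40 s absolute limit closes it at 40 s while the normal client is unaffected.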

Defenses

■ Three main defense strategies:
  ■ Attack Prevention (before the attack)
  ■ Attack Detection and Filtering (during the attack)
  ■ Attack Source Traceback and Identification (during and after the attack)
■ A comprehensive solution should include all three lines of defense

Prevention

■ Reduce the possibility of being a zombie
  ■ Install security patches, antivirus, and intrusion detection systems
  ■ Keep protocols and operating system up-to-date
  ■ Install firewalls and configure network to filter input/output traffic
■ Configure available resources
  ■ Alternate network paths
  ■ Load balancing
  ■ Additional servers/cloud-based resources

Detection

■ Try to detect an attack as soon as possible and respond
■ Identification of statistical patterns of DDoS attacks and comparison of the same with live traffic
  ■ search for signatures from a database of known attacks
  ■ reliable for known attacks, not effective for new ones
  ■ for known attacks, can employ machine learning techniques
■ Identification of deviations from standard behavior of clients and usual network traffic (anomaly-based detection)
  ■ compare current network parameters with normal ones
  ■ effective against new attacks
  ■ keep the model of “normal traffic” updated
■ Hybrid approach combining both

Filtering

■ Once detected, malicious traffic could be blocked by applying filters
■ Where to apply filtering?
  ■ The closer to the attacker, the more effective the filter
  ■ The best solution would be to filter at the zombies
  ■ very difficult (often impossible)
■ Preventive filters: try to reduce traffic with spoofed IP addresses on the network
  ■ The source IP address of outgoing traffic should belong to the originating subnetwork
  ■ The source IP address of incoming traffic should not
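An added implementation (not from the lecture) of the preventive anti-spoofing filter described above, in the style of BCP 38 (RFC 2827) ingress/egress filtering, run over constructed packets: outgoing packets must carry a source from the site's own prefixes, incoming packets must not claim one of those addresses nor come from a block that is never routable on the public Internet. The site prefix and the sample addresses are RFC 5737 documentation ranges chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Blocks that cannot be a genuine source on the public Internet: "this network",
# RFC 1918 private ranges, loopback, link-local and multicast. ipaddress' own
# is_private is not used because it also flags the RFC 5737 ranges used below.
UNROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet at a border router (constructed sample data)."""
    direction: str   # "in" = arriving from the Internet, "out" = leaving our network
    src: str
    dst: str


class AntiSpoofFilter:
    """Source-address sanity filter at the border of a site or ISP.

    Egress rule: outgoing packets must carry one of our own source addresses.
    Ingress rule: incoming packets must neither claim our addresses nor come
    from an unroutable block.
    """

    def __init__(self, own_prefixes):
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]

    def _is_ours(self, addr):
        return any(addr in net for net in self.own)

    def verdict(self, pkt):
        """Return "pass" or "drop: <reason>" for one packet."""
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return "drop: unparsable source address"
        if pkt.direction == "out":
            return "pass" if self._is_ours(src) else "drop: egress source not from our prefixes"
        if pkt.direction == "in":
            if self._is_ours(src):
                return "drop: ingress source claims our own address"
            if any(src in net for net in UNROUTABLE):
                return "drop: ingress source not publicly routable"
            return "pass"
        return "drop: unknown direction"


def verdicts(flt, packets):
    """Apply the filter to a packet list and return the verdict strings in order."""
    return [flt.verdict(p) for p in packets]


# Constructed sample: our site owns the documentation prefix 203.0.113.0/24.
SITE = AntiSpoofFilter(["203.0.113.0/24"])
SAMPLE = [
    Packet("out", "203.0.113.10", "198.51.100.7"),  # normal outbound traffic
    Packet("out", "192.0.2.99", "198.51.100.7"),    # internal zombie forging its source
    Packet("in", "198.51.100.7", "203.0.113.10"),   # normal inbound reply
    Packet("in", "203.0.113.10", "203.0.113.20"),   # outside packet claiming to be us
    Packet("in", "10.0.0.5", "203.0.113.10"),       # private source from the Internet
]
```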

Filtering criteria

■ Source address
  ■ Works if the attacker is known (but IP addresses are spoofed...)
  ■ Difficult to discover thousands of zombies/reflectors IP addresses
  ■ Difficult to deploy thousands of IP address filters
■ Service/port
  ■ Works if the attack mechanism is known (UDP, TCP)
  ■ Not effective if the attacker used a common port or service
■ Destination address
  ■ Works once the target is discovered
  ■ Legitimate traffic may be rejected
  ■ Useful to limit the consequences of an attack to other hosts served by the same ISP

Monitoring DDoS

■ http://www.digitalattackmap.com/
