Denial-of-Service (DoS) Attacks

Chien-Chung Shen, [email protected]

Denial-of-Service (DoS)

• Defined in the NIST Computer Security Incident Handling Guide as "an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space"
• An attempt to compromise availability by hindering or completely blocking the provision of some service
• An attempt to exhaust some critical resource associated with the service
• Example: flooding a Web server with so many spurious requests that it is unable to respond to valid requests from users in a timely manner

DoS Attacks

• Potency steadily increases over time due to Internet bandwidth growth
  – 400 Mbps (2000) -> 100 Gbps (2010) -> 300 Gbps (Spamhaus [http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/], 2013)
  – thousands of attacks each day
  – massive flooding attacks of 50 Gbps are powerful enough to exceed the bandwidth capacity of most intended targets
• A form of attack on the availability of some service

Categories of Resources

1. Network bandwidth: relates to the capacity of the network links connecting a server to the Internet (ISP)
2. System resources: aims to overload or crash the network handling software
3. Application resources: typically involves valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users

(1) DoS on Network Bandwidth

• Network bandwidth is related to the capacity of the links connecting the server to its ISP
• More traffic arrives at the ISP's routers over higher-capacity links than the lower-capacity link to the server can carry -> packets are dropped at the ISP routers
• Malicious traffic generated by a DoS attack overwhelms legitimate traffic -> legitimate users are denied access to the server

(2) DoS on System Resources

• Overload or crash the network handling software
• Rather than consuming bandwidth with large volumes of traffic,
  – specific types of packets are sent that consume limited available resources
    • temporary buffers used to hold arriving packets
    • the table of open connections: TCP SYN spoofing attack
    • similar memory data structures
  – packets whose structure triggers bugs in the network handling software, causing it to crash: termed poison packets
    • the ping of death and teardrop attacks target bugs in the Windows 9x code that handles ICMP echo requests and packet fragmentation

(3) DoS on Application Resources

• Attacks on a specific application (e.g., a Web server) typically involve valid requests, each of which consumes significant resources
• This then limits the ability of the server to respond to requests from other users
• Requests that are cheap to send but expensive for the server to service, e.g., database queries
• Requests that trigger bugs in the server program, causing it to crash

Classic DoS Attack

(A) Flooding ping (ICMP echo request)
• Aims to overwhelm the capacity of the network connection to the target organization
• Traffic can be handled by higher-capacity links on the path, but packets are discarded as link capacity decreases
• Network performance is noticeably affected
• Two disadvantages to the attacker!
  – the source of the attack is identified unless a spoofed address is used
  – response packets come back to the attacker

Source Address Spoofing

• Use forged source addresses, usually via the raw socket interface [http://en.wikipedia.org/wiki/Raw_socket] of the OS, to make the attacking system harder to identify
• The attacker uses randomly selected, usually different, source addresses for each packet
• Congestion still occurs in the router connected to the final, lower-capacity link
• Responses go back to the different "sources", triggering even more "error" packets (e.g., RSTs from real hosts, or ICMP "destination unreachable" packets from routers for addresses with no host) [backscatter traffic]
• To identify the real source one needs to query flow information through the routers along the path
• Egress filtering: filtering on a router to ensure the source address (or at least the source network address) of outgoing packets is valid

Classic DoS Attack

(B) SYN spoofing
• Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage such connections; thus legitimate users are denied access to the server
• An attack on system resources, specifically the network handling code in the operating system

TCP 3-Way Handshake

• Reliable transport protocol over best-effort (unreliable) IP
  – sequence numbers
  – timeout and retransmission
  – need to maintain state

TCP SYN Spoofing

• The attacker sends SYNs with spoofed source addresses
• The server records the state of each TCP connection request and responds with SYN+ACK to the "claimed" source address
  – if a valid system exists at the forged address: it responds with RST to cancel the unknown connection request; when the server receives the RST, it cancels the connection request and removes the saved state
  – if no system exists at the forged address: no reply; the server retransmits the SYN+ACK several times
    • between when the original SYN is received and when the server assumes the connection has failed, the server is using one entry in the TCP connection table
• Many forged connection requests -> many entries used

Flooding vs. SYN Spoofing

• Volume of network traffic: SYN spoofing is lower
• How much lower?
  – just high enough to keep the TCP connection table full

Flooding Attacks

• Classified based on the network protocol used
• Aim to overload the network capacity on some link to a server, or the server's ability to handle and respond to traffic
  – valid traffic has a low probability of surviving the discards and reaching the server
• Virtually any type of network packet can be used

• ICMP echo request
  – traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool
• UDP
  – directed to some port number on the target system
• TCP SYN
  – the total volume of packets is the aim of the attack, rather than the system code

(1) ICMP Flooding

• Recently, ICMP echo requests are filtered by firewalls
• As some ICMP packets are critical to the healthy operation of the Internet, filtering these packets may degrade or break normal Internet behavior
  – e.g., ICMP destination unreachable and ICMP TTL expired

  Type  Code  Description
  0     0     echo reply (ping)
  3     0     dest. network unreachable
  3     1     dest. host unreachable
  3     2     dest. protocol unreachable
  3     3     dest. port unreachable
  3     6     dest. network unknown
  3     7     dest. host unknown
  4     0     source quench (congestion control - not used)
  8     0     echo request (ping)
  9     0     router advertisement
  10    0     router discovery
  11    0     TTL expired
  12    0     bad IP header

(2) UDP Flood

• Send UDP segments directly to some port number: e.g., 7 (echo service)
• May use spoofed source addresses

(3) TCP SYN Flood

• The total volume of packets is the aim of the attack, rather than the system code
  – SYN flooding vs. SYN spoofing
• TCP connection requests with either real or spoofed source addresses

Indirect Flooding Attacks

• Flooding attacks are limited in the total traffic volume that can be generated from a single system, and a single attacking system is easier to trace
• More sophisticated attacks involve multiple attackers
• By directing attacks through intermediaries, the attacker is distanced from the target and is harder to locate and identify

1. Distributed DoS attacks
2. Reflector attacks
3. Amplifier attacks

Distributed DoS (DDoS)

• Use of multiple systems to generate the attack traffic
• The attacker uses a flaw in the OS or in a common application to gain access and installs their program on the zombies (via automated infection tools)
• Large collections of such systems under one attacker's control can be created, forming a botnet

Architecture of DDoS Attack

Control hierarchy (figure not reproduced)

Example DDoS Tool

• Tribe Flood Network (TFN) and TFN2K
  – two-layer command architecture
  – launch ICMP/SYN/UDP floods
  – communicate via encrypted TCP/UDP/ICMP packets
• IRC-based
• HTTP-based

• The best defense against being an unwitting participant in a DDoS attack: prevent your systems from being compromised

Reflector/Amplifier Attacks

• In contrast to DDoS, where the intermediaries are compromised nodes running the attacker's programs, reflector/amplifier attacks use network systems that are functioning normally
• The attacker sends packets to a server with a spoofed source IP address (the target's); the server responds to the spoofed source IP address
• When many packets are sent to many servers with the same spoofed source address, the resulting flood of responses overwhelms the target's link
• Since normal servers are being used and their responses are entirely conventional, these attacks can be easier to deploy and harder to trace back to the actual attacker

Reflection Attacks

• The attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system
• When the intermediary responds, the response is sent to the target, i.e., the attack "reflects" off the intermediary (the reflector)
• The goal is to generate enough packet volume to flood the link to the target system without alerting the intermediary
  – use a service that creates larger response packets than the original request; e.g., DNS (UDP)
• How to defend against these attacks?
  – block packets with spoofed source addresses

DNS Reflection Attack

• Between DNS and the echo service (port 7)
  – the attacker sends a query to the DNS server with a spoofed IP source address (the IP address of the target), j.k.l.m, and spoofed source port 7
  – the DNS server responds to j.k.l.m:7
  – the target's echo service echoes the response back to the DNS server
  – the DNS server responds again, .........
Q: How are reflector attacks prevented?
A: network/host-based firewall rules that reject suspicious combinations of source/destination ports

TCP SYN Reflection Attack

• The attacker sends SYN packets with a spoofed source address (i.e., the target's) to the intermediaries
• The intermediaries respond with SYN+ACK to the spoofed source address (the target)
• The target responds with RST to any that get through
• The aim is to overwhelm the target's network link (not to exhaust its network handling resources)

Amplification Attacks

• A variant of reflection attacks; it also involves sending packets with a spoofed source address (the target's) to intermediaries, but differs in generating multiple response packets for each original packet sent
• Done by directing the original packets to the broadcast address of some network; all hosts on that network can potentially respond
• E.g., ICMP echo request (smurf), echo service (fraggle)

Q: How to defend?
• do not allow directed broadcasts to be routed into a network from outside
• block packets with spoofed source addresses
• limit services like ping and echo

Attacks on Applications

• Force the target to execute resource-consuming operations that are disproportionate to the attacker's effort
• For example, a Web server may engage in lengthy operations such as searches, database queries, etc., in response to simple requests

1. SIP flood
2. Attacks on HTTP

SIP Flood

• Session Initiation Protocol (SIP): signaling protocol for call setup in VoIP
• A SIP INVITE request causes the receiver's phone to ring
  – a single SIP INVITE request triggers considerable resource consumption (e.g., DNS lookups)
• Flood the proxy server with numerous INVITE requests with spoofed IP addresses
  – resources on the proxy are depleted in processing the INVITEs
  – network capacity is consumed

Attacks on HTTP (1)

HTTP Flood
• An attack that bombards Web servers with HTTP requests
• Each request consumes considerable resources (e.g., downloading a huge file: read the file from disk, store it in memory, convert it to packets, transmit the packets)
• Spidering (recursive HTTP flood): bots start from a given HTTP link and follow all links on the provided Web site recursively

Attacks on HTTP (2)

• Slowloris exploits the common Web server technique of multi-threading (one thread per request in flight)
• It attempts to monopolize all available request-handling threads by sending HTTP requests that never complete (how?)
  – sends additional header lines periodically to keep the connection alive, but never sends the terminating blank line (the CR LF CR LF sequence that ends the header block)
  – eventually consumes the Web server's connection capacity (threads) and denies access to legitimate users
• Utilizes legitimate HTTP traffic
  – no "bad" HTTP requests that exploit bugs in HTTP servers
  – existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris

Format of HTTP Request

request line:   method sp URL sp version cr lf
header lines:   header field name: value cr lf
                ~ ~
                header field name: value cr lf
                cr lf                <- blank line
body:           ~ entity body ~

A blank line indicates the end of the header and the beginning of the body (if any)

Sample HTTP Request

ASCII (human-readable format); \r = carriage return character, \n = line-feed character

request line (GET, POST, HEAD commands):
GET /index.html HTTP/1.1\r\n
header lines:
Host: www-net.cs.umass.edu\r\n
User-Agent: Firefox/3.6.10\r\n
Accept: text/html,application/xhtml+xml\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7\r\n
Keep-Alive: 115\r\n
Connection: keep-alive\r\n
\r\n                <- carriage return, line feed at the start of a line indicates the end of the header lines

Try it by hand:
telnet www.eecis.udel.edu 80
GET /~cshen/367.html HTTP/1.1
Host: www.eecis.udel.edu

Defenses against DoS Attacks

• DoS attacks cannot be prevented entirely
  – high traffic volumes may be legitimate
    • high publicity about a specific site
    • activity on a very popular site, described as being slashdotted, a flash crowd, or a flash event
  – solutions: overprovisioning of network bandwidth and replicated, distributed servers
• Four lines of defense against DoS attacks
  – attack prevention and preemption (before the attack)
    • endure attack attempts without denying service to legitimate users
  – attack detection and filtering (during the attack)
  – attack source traceback and identification (during and after the attack)
  – attack reaction (after the attack)
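The "attack detection and filtering" line of defense, applied to the Slowloris attack from the Attacks on HTTP (2) slide, follows directly from the request format on the two preceding slides: a request is complete only when the empty line (CR LF CR LF) closing the header block arrives, and Slowloris never sends it. The following is an added example, not code from the lecture: an incremental header parser of the kind a server front-end runs, plus a detector that flags connections whose header block is still open after a time budget. The connection records, addresses, timestamps, the 8 KiB header limit and the 30-second budget are all constructed assumptions for the demo.

```python
"""Incremental HTTP request-header parser and a Slowloris-style detector (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8192          # assumed server limit for the whole header block
HEADER_TIMEOUT_S = 30.0          # assumed budget for receiving a complete header


@dataclass
class Connection:
    client: str
    opened_at: float
    buf: bytearray = field(default_factory=bytearray)
    request: Optional[dict] = None   # set once the header block is complete

    def feed(self, data: bytes, now: float) -> str:
        """Append received bytes; return 'complete', 'incomplete', 'too_large' or 'malformed'."""
        if self.request is not None:
            return "complete"
        self.buf.extend(data)
        end = self.buf.find(HEADER_END)
        if end < 0:
            # No blank line yet: either still arriving, or an oversized header block
            return "too_large" if len(self.buf) > MAX_HEADER_BYTES else "incomplete"
        parsed = parse_header_block(bytes(self.buf[:end]))
        if parsed is None:
            return "malformed"
        self.request = parsed
        return "complete"


def parse_header_block(block: bytes) -> Optional[dict]:
    """Parse 'request-line CRLF (header-line CRLF)*' into a dict, or None if malformed."""
    lines = block.split(b"\r\n")
    parts = lines[0].split(b" ")                      # method sp URL sp version
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")       # header field name: value
        if not sep or not name.strip():
            return None
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    method, url, version = (p.decode("latin-1") for p in parts)
    return {"method": method, "url": url, "version": version, "headers": headers}


def slow_header_connections(conns: list, now: float,
                            timeout: float = HEADER_TIMEOUT_S) -> list:
    """Clients still holding the header block open longer than `timeout` seconds."""
    return [c.client for c in conns
            if c.request is None and now - c.opened_at > timeout]


def demo() -> dict:
    """Constructed traffic: one normal browser request, one Slowloris-style connection."""
    t0 = 1_000.0
    normal = Connection("198.51.100.7", opened_at=t0)
    normal.feed(b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n"
                b"Connection: keep-alive\r\n\r\n", now=t0 + 0.2)
    slow = Connection("203.0.113.9", opened_at=t0)
    slow.feed(b"GET / HTTP/1.1\r\nHost: www.example.edu\r\n", now=t0 + 0.5)
    # Slowloris keeps the connection alive with one harmless header line every few seconds
    for i in range(6):
        slow.feed(f"X-a: {i}\r\n".encode(), now=t0 + 10 * (i + 1))
    return {
        "normal_status": "complete" if normal.request else "incomplete",
        "normal_host": normal.request["headers"]["host"],
        "slow_status": "complete" if slow.request else "incomplete",
        "slow_bytes": len(slow.buf),
        "flagged": slow_header_connections([normal, slow], now=t0 + 61),
    }


if __name__ == "__main__":
    print(demo())
```

The detector does not look at request contents at all, which is the point the slide makes about signatures: every byte the slow client sends is valid HTTP, so the only usable signal is time-to-complete-headers (and, secondarily, header size). Production servers expose the same knob as a header timeout; the demo flags the slow connection after 61 seconds while the browser's request completed in well under one.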

DoS Attack Prevention (1)

• Block spoofed source addresses
  – on routers as close to the source as possible
• Filters may be used to ensure the path back to the claimed source address is the one being used by the current packet
  – filters must be applied to traffic before it leaves the ISP's network or at the point of entry to their network
• Use modified TCP connection handling code
  – cryptographically encode critical information in a cookie that is sent as the server's initial sequence number (SYN cookies)
    • a legitimate client responds with an ACK packet containing the incremented sequence number cookie
  – drop an entry for an incomplete connection from the TCP connection table when it overflows

DoS Attack Prevention (2)

• block IP directed broadcasts
• block suspicious services and port combinations
• manage application attacks with a form of graphical puzzle (CAPTCHA [Completely Automated Public Turing test to tell Computers and Humans Apart]) to distinguish legitimate human requests
• good general system security practices
• use mirrored and replicated servers when high performance and reliability are required
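Three of the prevention measures on these two slides (spoofed-source filtering, which the Source Address Spoofing slide called egress filtering; blocking directed broadcasts, the defense against smurf/fraggle amplification; and rejecting suspicious source/destination port combinations, the defense against the DNS/echo reflection loop) are all decisions a border router can make per packet. The following is an added example, not code from the lecture, that applies those checks in the order a border router would. The internal prefixes, the list of suspicious UDP port pairs and the sample packets are constructed for the demo.

```python
"""Border-router packet filter for spoofing, directed broadcast and reflection loops (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Assumed customer networks behind this router (constructed for the demo).
INTERNAL_PREFIXES = [Net("192.0.2.0/24"), Net("198.51.100.0/25")]

# (source port, destination port) pairs that never occur as legitimate request/response traffic.
SUSPICIOUS_UDP_PAIRS = {
    (53, 7),                              # DNS answer delivered to the echo service (DNS <-> echo loop)
    (53, 19),                             # DNS answer delivered to chargen
    (7, 19), (19, 7), (7, 7), (19, 19),   # small-service loops
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0


def is_internal(addr: str) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def is_directed_broadcast(addr: str) -> bool:
    """True if addr is the broadcast address of one of our internal subnets."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_PREFIXES)


def filter_packet(pkt: Packet, direction: str) -> str:
    """Return 'forward' or a short drop reason for a packet seen at the border.

    direction is 'egress' (customer -> Internet) or 'ingress' (Internet -> customer).
    """
    if direction == "egress" and not is_internal(pkt.src):
        return "drop: spoofed source leaving network"         # egress (BCP 38 style) filter
    if direction == "ingress" and is_internal(pkt.src):
        return "drop: internal source arriving from outside"  # anti-spoof ingress filter
    if direction == "ingress" and is_directed_broadcast(pkt.dst):
        return "drop: directed broadcast"                     # no smurf/fraggle amplification
    if pkt.proto == "udp" and (pkt.sport, pkt.dport) in SUSPICIOUS_UDP_PAIRS:
        return "drop: suspicious port pair"                   # reflection loops
    return "forward"


def run_demo() -> list:
    """Constructed sample traffic; returns the decision for each packet in order."""
    samples = [
        # 1: normal web request from a customer host
        (Packet("192.0.2.10", "203.0.113.80", "tcp", 51000, 80), "egress"),
        # 2: bot inside the customer network spoofing a random source for a flood
        (Packet("10.77.1.1", "203.0.113.80", "tcp", 51001, 80), "egress"),
        # 3: outsider claiming to be one of our own hosts (spoofed source)
        (Packet("192.0.2.20", "192.0.2.10", "icmp"), "ingress"),
        # 4: smurf-style ping aimed at our subnet's broadcast address
        (Packet("203.0.113.5", "192.0.2.255", "icmp"), "ingress"),
        # 5: DNS reply aimed at the echo port of one of our hosts (reflection loop)
        (Packet("203.0.113.53", "198.51.100.9", "udp", 53, 7), "ingress"),
        # 6: ordinary DNS reply to an ephemeral port
        (Packet("203.0.113.53", "198.51.100.9", "udp", 53, 40123), "ingress"),
    ]
    return [filter_packet(p, d) for p, d in samples]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Packet 2 is the case the Source Address Spoofing slide is about: the filter works only if it runs at the edge that knows which prefixes are legitimately behind it, which is why the slide says to apply it before traffic leaves the ISP's network. Packet 3 is the mirror image, and packet 4 shows why an ICMP packet to 192.0.2.255 is dropped even though ping itself is allowed.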

SYN Cookies (1)

• Resist SYN spoofing (flood) attacks
• What is the fundamental problem with SYN spoofing/flood attacks?
  – State

  Client                                  Server
    SYN bit=1, Seq=x  -------------------->
    <-----------  SYN bit=1, Seq=y, ACK bit=1, ACKnum=x+1
    ACK bit=1, ACKnum=y+1  --------------->

• Rules
  – T: a slowly incrementing timestamp (time() logically right-shifted 6 positions, i.e., a resolution of 64 seconds)
  – M: maximum segment size
  – S: the result of a cryptographic hash function computed over the server IP address and port number, the client IP address and port number, and T; the returned value S must be a 24-bit value
  – The initial TCP sequence number y (the SYN cookie) is computed as follows:
    • top 5 bits: T mod 32
    • middle 3 bits: an encoded value representing M
    • bottom 24 bits: S

SYN Cookies (2)

• Upon receiving the ACK, the server performs the following operations
  – checks the value T against the current time to see if the connection has expired
  – recomputes S to determine whether this is indeed a valid SYN cookie
  – decodes the value M from the 3-bit encoding in the SYN cookie
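The SYN cookie rules on the two slides above, carried through in working code, together with the arithmetic behind the "How much lower?" question on the Flooding vs. SYN Spoofing slide. This is an added example, not code from the lecture and not the Linux implementation (which uses its own keyed hashes and MSS table); it follows the slide's bit layout exactly: top 5 bits T mod 32, middle 3 bits an index into an MSS table, bottom 24 bits S. The hash producing S is HMAC-SHA256 under a server-only key, truncated to 24 bits, so a client cannot forge S without the key. The secret key, the MSS table, the acceptance window of two 64-second ticks, and the addresses in the demo are all assumptions of this example.

```python
"""SYN cookie encode/verify following the lecture's bit layout (added example)."""
from __future__ import annotations
import hashlib
import hmac
import struct
import time

SERVER_SECRET = b"example-only-rotate-me"                      # assumed per-server secret
MSS_TABLE = (536, 1220, 1440, 1460, 4312, 8960, 16384, 65495)  # assumed 3-bit encoding of M
COOKIE_MAX_AGE_TICKS = 2                                       # accept T, T-1, T-2 (about 3 minutes)


def tick(now: float = None) -> int:
    """T on the slide: time() logically right-shifted 6 positions (64-second resolution)."""
    return int(time.time() if now is None else now) >> 6


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _s(server: tuple, client: tuple, t: int) -> int:
    """S on the slide: 24-bit keyed hash over server ip/port, client ip/port and T."""
    msg = struct.pack("!4sH4sHI", ip4(server[0]), server[1], ip4(client[0]), client[1], t)
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(mss: int) -> int:
    """Largest table entry <= the client's MSS, as a 3-bit index (never overstate MSS)."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def make_syn_cookie(server: tuple, client: tuple, client_mss: int, now: float = None) -> int:
    """The server's initial sequence number y; nothing is stored in the connection table."""
    t = tick(now)
    return ((t % 32) << 27) | (encode_mss(client_mss) << 24) | _s(server, client, t)


def check_syn_cookie(server: tuple, client: tuple, ack_num: int, now: float = None):
    """Validate the handshake's final ACK. Returns the MSS to use, or None if invalid/expired."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client ACKs y+1; the cookie was y
    t_bits = cookie >> 27
    m_idx = (cookie >> 24) & 0x7
    s = cookie & 0xFFFFFF
    t_now = tick(now)
    for age in range(COOKIE_MAX_AGE_TICKS + 1):  # find the recent T whose low 5 bits match
        t = t_now - age
        if t % 32 == t_bits:
            return MSS_TABLE[m_idx] if _s(server, client, t) == s else None
    return None                                  # expired (or forged T bits)


def syn_rate_to_keep_table_full(table_entries: int, syn_recv_timeout_s: float) -> float:
    """Spoofed SYNs per second needed so a stateful half-open table never drains."""
    return table_entries / syn_recv_timeout_s


def demo() -> dict:
    server, client = ("192.0.2.80", 80), ("198.51.100.23", 40000)
    t0 = 1_700_000_000.0
    y = make_syn_cookie(server, client, client_mss=1460, now=t0)
    return {
        "valid_now": check_syn_cookie(server, client, y + 1, now=t0 + 5),
        "valid_after_2_ticks": check_syn_cookie(server, client, y + 1, now=t0 + 130),
        "expired": check_syn_cookie(server, client, y + 1, now=t0 + 64 * 5),
        "wrong_client": check_syn_cookie(server, ("203.0.113.9", 40000), y + 1, now=t0 + 5),
        "tampered": check_syn_cookie(server, client, (y ^ 1) + 1, now=t0 + 5),
        # 1024-entry backlog, SYN+ACK retransmitted for about 3 minutes: a few SYNs/s suffice
        "syns_per_second": syn_rate_to_keep_table_full(1024, 180.0),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry answers the "How much lower?" question numerically: with a 1024-entry table and a three-minute SYN-RECEIVED timeout, under six spoofed SYNs per second keep the table permanently full, which is why SYN spoofing needs so much less bandwidth than a flooding attack. The cookie path removes that table from the picture: the only state the server keeps is the secret key, and everything else (T, M, S) is recovered from the ACK. The price, which the slides leave implicit, is that TCP options not encoded in the cookie are lost for cookie-validated connections.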