Denial-of-Service (DoS) Attacks Chien-Chung Shen [email protected] Denial-of-Service (DoS) • Defined in NIST Computer Security Incident Handling Guide as “an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.” • Attempt to compromise availability by hindering or blocking completely the provision of some service • Attempt to exhaust some critical resource associated with the service • Example: flooding a Web server with many spurious requests that it is unable to respond to valid requests from users in a timely manner DoS Attacks • Potency steadily increases over time due to Internet bandwidth growth – 400 MBps (2000) -> 100 GBps (2010) -> 300 GBps (Spamhaus [http://www.theregister.co.uk/ 2013/03/27/spamhaus_ddos_megaflood/], 2013) – thousands of attacks each day – massive flooding attacks in 50 GBps are powerful enough to exceed bandwidth capacity of most intended targets • A form of attack on the availability of some service Categories of Resources 1. Network bandwidth relates to capacity of network links connecting a server to Internet (ISP) 2. System resources aims to overload or crash network handling software 3. Application resources typically involves valid requests, each of which consumes significant resources, thus limiting the ability of server to respond to requests from other users Example (1) DoS on Network Bandwidth • Network bandwidth related to capacity of links connecting server to ISP • More traffic arrives at ISP’s routers over higher- capacity links than links to server -> packets dropped at ISP routers • Malicious traffic generated by DoS attacks overwhelms legitimate traffic -> denying legitimate users access to server (2) DoS on System Resources • Overload/crash network handling software • Rather than consuming bandwidth with large volumes of traffic, – specific types of packets are sent that consume limited available resources • temporary buffer used to hold arriving packets • table of open connections: TCP SYN spoofing attack • similar memory data structures – packets whose structure triggers bugs in network handling software, causing it to crash: termed poison packet • ping of death and teardrop attacks target bugs in Windows 9x systems’ code than handles ICMP echo request and packet fragmentation (3) DoS on Application Resources • Attacks on specific application (e.g., Web server) typically involves valid requests each of which consumes significant resources • This then limits ability of server to respond to requests from other users • Aka, cyberslam, e.g., database queries • Requests that trigger bugs in server program, causing it to crash Classic DoS Attack (A) Flooding ping (ICMP echo request) • Aim to overwhelm the capacity of network connection to the target organization • Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases • Network performance is noticeably affected • Two disadvantages to attackers! • source of attack is identified unless a spoofed address is used • response packets back to attacker Source Address Spoofing • Use forged source addresses – usually via raw socket interface [http://en.wikipedia.org/wiki/ Raw_socket] on OS to make attacking systems harder to identify • Attacker use randomly selected, usually different, source addresses for each packet • Congestion would still occur in router connected to the final, lower capacity link • Response back to different “sources” triggering even more “error” packets from real hosts or ICMP “destination unreachable” packet from unknown hosts [backscatter traffic] • To identify source needs to query flow information through routers • Egree filtering – filtering on router to ensure source address (or at least source network address) is valid Classic DoS Attack (B) SYN spoofing • Attacks ability of server to respond to future connection requests by overflowing the tables used to manage such connections; thus legitimate users are denied access to server • An attack on system resources, specifically the network handling code in the operating system TCP 3-Way handshake • Reliable transport protocol over best-effort (unreliable) IP – sequence number – timeout and retransmission – Need to maintain state TCP SYN Spoofing • Attacker sends SYNs with spoofed source addresses • Server records states of TCP connection requests and respond SYN +ACK to “claimed” source addresses – for valid system at the forged address: it responds with RST to cancel unknown connection request; when server receives RST, it cancel connection request and remove saved state – for no system at forged address: no reply; server sends SYN+ACK several times • between when original SYN received and when server assumes connection failed, server is using one entry in TCP connection table • many forged connection requests -> many entries used Flooding vs. SYN Spoofing • Volume of network traffic – SYN spoofing is lower • How much lower? – high enough to keep TCP connection table full Flooding Attacks • Classified based on network protocol used • Aim to overload network capacity on some link to a server or server’s ability to handle/respond to traffic – valid traffic has low probability of surviving discard/accessing server • Virtually any type of network packet can be used • ICMP echo request – traditionally network administrators allow such packets into networks because ping is a useful network diagnostic tool • UDP – directed to some port number on the target system • TCP SYN – total volume of packets is aim of attack rather than system code (1) ICMP Flooding • Recently, ICMP echo requests Type Code description 0 0 echo reply (ping) are filtered by firewall 3 0 dest. network unreachable 3 1 dest host unreachable • As some ICMP packets are 3 2 dest protocol unreachable 3 3 dest port unreachable critical to the healthy operation 3 6 dest network unknown of Internet, filtering these 3 7 dest host unknown 4 0 source quench (congestion packets may degrade or break control - not used) 8 0 echo request (ping) normal Internet behavior 9 0 route advertisement 10 0 router discovery • e.g., ICMP destination 11 0 TTL expired unreachable and ICMP TTL 12 0 bad IP header expired (2) UDP Flood • Send UDP segment directly to some port #: e.g., 7 (echo service) • May use spoofed source addresses (3) TCP SYN Flood • Total volume of packets is aim of attack, rather than system code – SYN flooding vs. SYN spoofing • TCP connection requests with either real or spoofed source addresses Indirect Flooding Attacks • Flooding attacks are limited in total traffic volume generated on single system, where attacker is easier to trace • More sophisticated attacks involve multiple attackers • By directing attacks through intermediaries, attacker is distanced from target and harder to be located and identified 1. Distributed DoS attacks 2. Reflector attacks 3. Amplifier attacks Distributed DoS (DDoS) • Use of multiple systems to generate attack traffic • Attacker uses a flaw in OS or in a common application to gain access and installs their program on zombies (via automated infection tools) • Large collections of such systems under control of one attacker’s control can be created, forming a botnet Architecture of DDoS Attack Control hierarchy Example DDoS Tool • Tribe Flood network (TFN) and TFN2K – two-layer command architecture – launch ICMP/SYN/UDP flood – communicate via encrypted TCP/UDP/ICMP packets • IRC-based • HTTP-based • The best defense against being an unwitting participant in DDoS attack – prevent system from being compromised Reflector/Amplifier Attacks • In contrast to DDoS, where intermediaries are compromised nodes running attacker’s programs, reflector/amplifier attacks use network systems functioning normally • Attacker sends packet to server with spoofed source IP address (target); server responds to spoofed source IP address • When many packets sent to many servers with the same spoofed source address, the resulting flood responses overwhelm target’s link • Normal server are being used and their response is entirely conventional, attacks can be easier to deploy and harder to trace back to actual attacker Reflection Attacks • Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system • When intermediary responds, the response is sent to the target, i.e., “reflects” the attack off intermediary (reflector) • Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary – use service that creates larger response packets than original request; e.g., DNS (UDP) • How to defend against these attacks? – block spoofed source packets DNS Reflection Attack • Between DNS and echo service (#7) – attacker sends query to DNS with spoofed IP source address (IP address of target): j.k.l.m – DNS responds to j.k.l.m:7 – target echoes back – DNS responds again, ……… Q: How reflector attacks are prevented ? A: network/host-based firewall rules to reject suspicious combination of source/destination ports TCP SYN Reflection Attack • Attacker sends SYN packets to spoofed source address (i.e., the target) to intermediaries • Intermediaries respond with SYN+ACK to spoofed source address (the target) • Target responds with RST for any that get through • Overwhelm target’s network link (not to exhaust its network handling resources) Amplification Attacks • A variant of reflection attacks, also involves sending
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages38 Page
-
File Size-