DENIAL OF SERVICE VIA INTERNET OF THINGS DEVICES: ATTACK METHODOLOGIES AND MITIGATION TECHNIQUES

Transcription

1 DENIAL OF SERVICE VIA INTERNET OF THINGS DEVICES: ATTACK METHODOLOGIES AND MITIGATION TECHNIQUES by RICHARD ROE Advisor Dr. Joshua Eckroth A senior research proposal submitted in partial fulfillment of the requirements for the degree of Bachelor of Science in the Department of Mathematics and Computer Science in the College of Arts and Science at Stetson University DeLand, Florida Fall Term 2016 i

2 TABLE OF CONTENTS TABLE OF CONTENTS ii LIST OF FIGURES... iii ABSTRACT Introduction 2 2. Related Work. 4 2a. Attack Techniques. 5 2b. Mitigation Technologies 6 3. Proposed Work Initial Results Future Work Conclusion REFERENCES ii

3 LIST OF FIGURES Figure 1: Denial of Service Attack using Commodity Hardware.. 3 Figure 1: Denial of Service Attack using IoT Devices.. 4 Figure 3: Visualization of Probabilistic Models Figure 4: Density Plot of Service Response Time Figure 5: Comparison of Service Distributions iii

4 ABSTRACT The purpose of this research is to compare the effectiveness of traditional Denial of Service (DoS) attack vectors to a new attack method that is specifically designed for use in devices that have limited resources, such as Internet of Things (IoT) devices. New mitigation techniques will also be explored to help prevent, or reduce the effectiveness of, these attacks. While classical DoS attacks generally require both a large source of computing power and a specially crafted payload to be able to efficiently render the target machine or service inoperable, this research will focus on utilizing an attack that uses a generalized payload that targets a wide variety of internet services, and uses as little resources as possible. We will port the attack to common DoS utilities, as well as to a powerful IoT worm, so that the original tools attack methods can be compared to the new attack s effectiveness and resource consumption. Once done, they will again be compared, but when attacking new mitigation techniques specifically designed to thwart both these and other attacks of their class. The results of this research can be applied to helping defend internet-facing web services from attack in both the public and private sector, because a free and open local proxy is cheaper and easier to setup than an online, paid, cloud solution. We aim to study the effectiveness of different denial of service attacks, and to develop a mitigation solution that can help to prevent these attacks in a way that does not affect the performance of the target when under normal usage. 1

5 1. Introduction Traditional Distributed Denial of Service (DDoS) attacks rely on a malicious user having control of enough devices to be effective. This user can infect, either manually through the usage of some specially crafted malware or virus software, or through the victim computer s owner knowingly surrendering control of their machine over to the attacker, to create what is known as a botnet. A botnet is a collection of internet connected computers that an attacker uses to distribute the attack in effort to amplify their computing power and increases the effectiveness of DoS attacks. Recently, security researchers have applied a higher level of scrutiny on IoT devices and their relation to DDoS attacks due to the powerful attacks leveraged by the Mirai worm [1]. Today s prevalence of IoT enabled devices creates an interesting opportunity for internet users with malicious intent. IoT devices can easily be infected by discovering the default login information for each device manufacture. Once infected, the device can infect other machines as well as become part of a botnet of devices with limited resources, as with the Mirai worm [2]. Other botnets, such as the Low Orbital Ion Cannon (LOIC) [3], utilize commodity hardware like laptops and low-end desktops for their attacks, as shown in the figure below. We will include tools of this nature in our study as well. 2

6 Figure 1: Denial of Service Attack using Commodity Hardware Our novel attack method is specifically design for systems with limited memory and processing resources, like mobile hardware and microcomputers. By researching similar attack methods, a new payload and methodology was crafted that can achieve very high levels of effectiveness while utilizing relatively little memory while working within the bounds of the processing power of the device that the attack is running on. This makes performing an attack with IoT devices (as shown below) more effective, as it can be more effective, even given each device s limited resources. This attack will be ported to the Mirai worm, and to the LOIC. To compare the effectiveness of the attack, both the original and new versions of both tools will attack a virtual network running a basic web service, and we will measure the average response time and overall durability of the service. Once completed, work will be done in implementing new mitigation techniques in the form of a local TCP reverse proxy that acts as a protective layer over the target service, and will utilize probabilistic models to control connection between the 3

7 clients and the target system. Once these systems are developed, the virtual system will be tested again as before, but this time with the different mitigation services in place, to measure the effectiveness of each at reducing the potency of each attack. Figure 2: Denial of Service Attack using IoT Devices 2. Related Work DoS attacks, and their mitigation technologies, have been around for many years. However, new attacks like the one used in this research project, have only recently been discovered, and as such can thwart many of the existing popular mitigation technologies. In this section, we will first discuss many popular attack methodologies in a similar class to this attack, and then popular existing mitigation technologies. 4

8 2a. Attack Techniques Slowloris Attack Developed by Robert RSnake Hansen, this attack utilizes sending partial HTTP/S GET requests to a target machine to render web services inoperable while using minimal bandwidth. More specifically, the Slowloris attack attempts to keep as many concurrent HTTP/S connections open as possible so that the connection queue on the target device fills up and cannot accept new connections. This is done by establishing a valid HTTP/S connection, and sending partial or incomplete headers in the request. By never completing the actual GET request s handshake, the server is forced to hold the connection open for a very long time [4]. SlowDroid Developed by researchers for the IEIIT Institute of the National Research Council of Italy, SlowDroid is an android application that makes use of a similar attack to the Slowloris method. However, unlike the Slowloris attack, SlowDroid is not bound to a single protocol; by establishing a connection and instead sending single bytes of what accounts to an empty whitespace string (Unicode U+0020, ANSI number 32), SlowDroid can target a wider variety of protocols than just HTTP/S. SlowDroid s methodology also differs from the Slowloris attack in that it only sends a single byte at a time this still resets the server s timeout for the connection, while also reducing the overall bandwidth necessary to perform the attack [5]. Our Attack Originally developed as an android application but since ported to Rust, Go, the.net platform, and the Erlang BEAM VM, this attack takes a similar approach to the SlowDroid application s attack technique. However, instead of establishing a connection and sending empty 5

9 character bytes, our attack focuses on analyzing the response of each iterative step of the protocol s handshake. When attacking an encrypted protocol like SSH, the handshake must provide a legitimate SSH version to continue the handshake transaction. To account for this, the attack has valid information that it may return if it needs real information, otherwise it transmits a random byte. This allows handshake timeouts to be extended much longer than what can be achieved from the SlowDroid attack, and still works using minimal resources. 2b. Mitigation Technologies Cloudflare Cloudflare is a Content Delivery Network (CDN) that functions as a service for websites to deliver content to users and protect websites from Denial of Service attacks. Cloudflare is a proprietary system that works by acting as a middle layer between a client and a server. Cloudflare load balances traffic to the server by redirecting requests to different data centers based on location, and then analyzes incoming traffic identifying attributes like the client s physical IP address, the resource a client is requesting, and the frequency of requests made [6]. Independent analysis of web traffic to a web service hosted behind Cloudflare shows that Cloudflare also applies a singular timeout time to all connections, instead of a variable one based on web traffic. Cloudflare is limited in scope to only support HTTP/S traffic. The primary drawback to using Cloudflare to mitigate DDoS attacks is that the application server is only hidden behind a protective layer, but the service itself has no defense mechanism. If an attacker can discern the IP address of the application server instead of the address that routes traffic through Cloudflare, then the target is vulnerable to being attacked directly. This completely bypasses the protection offered by Cloudflare. 6

10 Apache ModQoS Apache ModQoS is a quality of service module for the Apache HTTP web server. This module grants the server administrator control mechanisms that allow for configuring rules that grant different priority to different types of web requests. It can be used to reject requests based on several factors, including concurrent connections and timeout time for reading requests. By configuring the module to not establish multiple requests from a single IP address, and lowering the overall timeout for HTTP handshakes, this module severely limits the attack potency of the Slowloris attack, and other more classical DoS attacks [7]. ModQoS can be bypassed with ease by an attacker if the traffic is distributed, or appears to be distributed. By anonymizing web traffic using proxies or Tor, traffic coming from a single address can be made to seem as if it is coming from many, which defeats the ability to block multiple concurrent connections from a single address. An attacker can also utilize a botnet to bypass the same defense mechanism. 3. Proposed Work Our proposed research is twofold we propose to compare existing implementations of DoS attacks in two popular utilities, and to compare those same attacks effectiveness when attacking the same service protected with new mitigation systems. For the initial research, our new DoS technique will be ported to the Mirai worm, which will be written in C, as well as the LOIC, which is written in C#. Both these new variants, and their original implementations, will target a virtual web service specifically, they will be attacking an Apache web server running in a Virtual Machine on Ubuntu. The state of the Virtual machine will be saved and replicated before each test to ensure that the system is the same before each test. As the web is subjected to 7

11 the attack, average response for normal web traffic will be recorded over time, until the system is no longer responsive. This will allow us to see how each attack affects both the responsiveness of the service, as well as to determine which attack is best at bringing the targeted system offline. The second stage will compare mitigation techniques. Using different probabilistic models, shown below, a reverse proxy will be implemented that closes connections based on a timeout determined by the given models. The reverse proxy will support five separate configurations, one for each model. As it establishes connections with clients, the system will begin closing connections based on the probability given by the. All initial responses at time = 0 will never be closed to ensure all connections can complete their handshakes if the initial connection provides the full request headers. The initial tests with the attack vectors will be replicated, but this time targeting the reverse proxy. The same criteria will be measured to determine each model s effectiveness at mitigating the attacks. Figure 3: Visualization of Probabilistic Models 8

12 4. Initial Results We developed an initial HTTP reverse proxy in the Rust language as a proof of concept. This system uses a concurrency model to be able to handle multiple HTTP handshakes in parallel, and proxy the connection to a local web server when the handshake is complete. The only function of the proxy is to wait until an HTTP handshakes is completed, proxy the request to a local webserver, and serve the response to the client. To gather data, we ran an Apache server locally on port 80 serving up a static HTML page that is 151 bytes in size. The developed proxy was also launched on port 88. We then created a script that requests the webpage from a specified source 250 times via the HTTP GET method, and records the roundtrip time for each request. This script was first configured to query the Apache webserver directly, and then performed the same test against the proxy. The response times of the two services, shown in the figure below, were very different. The Apache server had a mean response time of milliseconds, while the reverse proxy s response times had a mean of milliseconds. To test whether the distribution of the services response times have a normal distribution, we performed Shapiro-Wilk normality tests on their results, with a null hypothesis that states that the response times are normally distributed. Apache s distribution tested with a p-value of p = 2.2 * 10-16, which indicates that we must reject the null hypothesis that the distribution is normal. The proxy tested with the same p-value, p = 2.2 * While the response times were all much higher than Apache s, the proxy still ultimately routes web traffic to the Apache server. Given the same amount of computational overhead from the proxy per request, the distribution can be attributed to Apache itself, which helps to explain why the distributions are so similar. While the distributions themselves are not normal, they are consistent in distribution when compared to each other, shown in a side by side 9

13 comparison of the distributions below. When performing tests during the proposed research, the only significant difference to observe will be the relatively large overhead incurred by the proxy. We believe that this is due to poorly optimized code in the proxy. While the performance will be improved before further testing, there will be some form of difference in performance and quality of service for users that must be noted. Figure 4: Density Plot of Service Response Time 10

14 Figure 5: Comparison of Service Distributions 5. Future Work After this research is completed, we will have identified the efficiency of each different attack, as well as the effectiveness of our mitigation techniques in reducing each attack s potency. Because this reverse proxy will be focused on the HTTP handshake, future work may be done to compare each attack method s effectiveness against other common protocols like SSH, SMTP, and others, and the same mitigation philosophy could be applied to create similar systems to research effectiveness in protecting each protocol from such attacks. This research would also be interesting to view when applied to an entire network routing solution as opposed to a local reverse proxy. For example, if an Internet Service Provider were to automatically utilize an effective mitigation model and apply it to all their inbound internet requests, provided the models are effective at reducing the power of the attacks, what would the difference between the systems be when under attack? 11

15 6. Conclusion This research will focus primarily on the performance of a reverse proxy and its effectiveness in mitigating DoS attacks. To analyze its effectiveness, we will be comparing common DoS utilities to a new, novel attack method, and will determine the performance impact and overall stability of a vanilla system versus a system running behind the proxy. A proof of concept proxy has already been developed and has been tested to show that, while it maintains constant performance, it is much slower than a normal web service. Further optimizations will be done to help lower the overall request time to help lower the time difference between services. Testing will also be done on comparing the effectiveness of popular attack methods to the new method, and will focus on both the speed at which the attacks can bring a system to a halt, and the amount of resources needed to do so. We will be porting this attack to common DoS utilities including the Low Orbital Ion Cannon, and the Mirai worm, to focus on running attacks from systems with very limited memory and performance. 12

16 REFERENCES [1] Goodin D., Record-breaking DDoS Reportedly Delivered By >145k Hacked Cameras [Online]. Available: [Accessed ] [2] Prabhu, Hacker Release Source Code of Mirai DDOS Trojan [Online]. Available: [Accessed ] [3] Warren, How Operation Payback Executes Its Attacks [Online]. Available: [Accessed ] [4] Hansen, Slowloris HTTP DoS [Online]. Available: [Accessed ] [5] Cambiaso E., Papaleo G., and Aiello M., SlowDroid: Turning a Smartphone into a Mobile Attack Vector in 2014 International Conference on Future Internet of Things and Cloud (FiCloud). [6] Lai A., How Does Cloudflare Work? [Online]. Available: [Accessed ] [7] Unknown, How to Mitigate Slowloris Attacks [Online]. Available: gateslowlorisattacks-modqos [Accessed ] 13