DENIAL OF SERVICE ATTACKS

Transcription

1 DENIAL OF SERVICE ATTACKS Ezell Frazier EIS 4316 November 6, 2016

2 Contents 7.1 Denial of Service Targets of DoS attacks Purpose of flood attacks Packets used during flood attacks DoS attacks using packets with spoofed source addresses Backscatter traffic Distributed denial-of-service attacks Architecture of DDoS attacks Reflection attacks Amplification attacks Primary defense against DoS attacks Defense against non-spoofed flooding Possible defenses against TCP SYN DoS attacks Defenses possible against DNS amplification attacks Defenses possible to prevent becoming an intermediary system Slash dotted and flash crowds Steps taken when DoS attacks occur Measures needed to trace DoS attacks... 6 References... 7

3 7.1 Denial of Service Denial-of-service (DoS) attacks occur when an individual or a group of individuals attacks any network or website with the sole purpose of denying access to the network or website for other legitimate users. Broadly, this process prohibits legitimate usage of networks, applications, or systems by any user while the attack occurs. 7.2 Targets of DoS attacks DoS attacks may target resources such as network connectivity, system resources, and or network bandwidth. In the case of network bandwidth, the overall capacity of network links between a server and the internet is vulnerable. System resources such as the software maintaining network connections are susceptible to DoS attacks. Application resources such as web servers are vulnerable to DoS attacks, as an overload of valid requests reduces the web server s ability to respond to any requests by other users. 7.3 Purpose of flood attacks Flooding attacks is a form of a DoS attack, slowing network speeds down, due to a traffic overload. Flooding attacks may arrive in a variety of forms, based on the network protocols used. However, the objectives of a flooding attack are much simpler in nature. The first objective is to overload network capacity. Alternatively, flooding attacks can overload server capacity. Additionally, the effectiveness of flooding attacks increases when packet sizes are larger than the attack itself. 7.4 Packets used during flood attacks There may be at least three types of packets used during flood attacks: Internet control message protocol (ICMP), user datagram protocol (UDP), and transmission control protocol (TCP SYN). ICMP involves sending error messages whenever a connection between networks are unable to connect. UDP provides a limited level of service during an exchange between messages in a network. TCP SYN involves the server-side rejection of TCP packets when they do not belong to any known connection.

4 7.5 DoS attacks using packets with spoofed source addresses Source address spoofing involves packets used in DoS attacks featuring forged source addresses. Multiple packets must reach the target system during an attack, thus multiple links from the system are required to induce massive congestion. Spoofed source addresses trick a system into accepting packets from one location, and sending responses to a spoofed source address, resulting in some error packet responses. The error packets contributes to the overall traffic to the system. Other spoofed addresses may not exist and results in the system attempting to retransmit packets or discarding them. However, such packets also contributes to the overall traffic to the system. 7.6 Backscatter traffic According to research by Moore, Shannon, Brown, Voelker, and Savage, backscatter traffic occurs when the generation and subsequent sending of response packets to spoofed addresses during a DoS attack (DAVID MOORE, 2006). The monitoring of backscatter traffic provides the opportunity to determine the type and size of a DoS attack. 7.7 Distributed denial-of-service attacks The purpose of distributed denial-of-service (DDoS) attacks is to disable or reduce the effectiveness of multiple systems connected to a network. DDoS attacks generally use personal computers or business workstations to accomplish required tasks. In addition, the attacker may exploit vulnerabilities within a system to install malware to control system functions. A botnet represents the collection of desktop and workstation computers controlled by an attacker. Botnets increase the effectiveness of a DoS attack by immense proportions, increasing traffic by large amounts. Botnets are capable of detection by the usage of intermediaries; however, locating the attacker is much more of a challenge.

5 7.8 Architecture of DDoS attacks (Stallings & Brown, 2015) DDoS attacks uses a control hierarchy, in which the attacker controls systems known as handlers. Handlers control zombie or agent systems within the botnet. This structure allows the attacker to send one command to a handler, which forwards the command to all other systems within the botnet. 7.9 Reflection attacks Reflection attacks occur when attackers trick a target system into using the same challenge-response protocol on itself. The attacker establishes a connection to a target, and receives a challenge. The attacker establishes another connection to the same target, sending the same challenge back to the system. Here, the system responds to its own challenge, allowing the attacker to send the same response back through its original connection Amplification attacks Amplification attacks occur when attackers use mediators to send packets via a spoofed source to a target. This process generates many responses for each original packet transmitted. In addition, the

6 network host responds to the request, generating many more responses. The domain name system may generate responses, which creates longer responses than the original requests Primary defense against DoS attacks The primary method of defense against DoS attacks requires the limiting of a system s ability to send packets with a spoofed source address. Implementation of this defensive method requires the installation of a filter to block spoofed addresses near the source packets. Specific routers and gateways can accomplish this task of validating appropriate addresses of incoming packets Defense against non-spoofed flooding The best defense against non-spoofed flooding involves the provision of significant spikes in network bandwidth, along with replicated distributed servers when overload is predictable. This restriction is can be costly, but often implemented on sporting websites, as results of major events create sudden traffic spikes. Because of this, complete prevention of non-spoofed flooding attacks is impossible, as it may occur naturally in the form of legitimate traffic overload Possible defenses against TCP SYN DoS attacks Defense against SYN spoofing is possible with the usage of modified TCP/IP network code. The results of such a modification means the connection will not save information present on the server, rather saving information encoded in a cookie, sent as an initial sequence number. The server sends the sequence number as a SYN-ACK packet to the client. A legitimate client will respond with an ACK packet, allowing the server to reconstruct important information about the connection. However, this process will require additional CPU power to calculate the cookie Defenses possible against DNS amplification attacks The basic defense against DNS amplification attacks are similar to defenses against reflection-based attacks. This process involves limiting a system s ability to send packets with a spoofed source address.

7 According to Damas and Neves, the appropriate configuration of DNS servers, or specifically limiting recursive responses to can reduce variations of this attack (Neves, 2008) Defenses possible to prevent becoming an intermediary system Blocking the usage of IP-directed broadcasts is the most effective method in reducing the possibility of a system becoming an intermediary in an amplification attack. Either the internet service provider or the organization itself practices this defensive method Slash dotted and flash crowds Slash dotted and flash crowds refers to large volumes of legitimate system traffic, ultimately slowing or rendering a connection temporarily useless. Slash dotted and or flash crowds may occur when an event occurs that draws attention to a specific web site. Defense against DoS attacks during predictable slash dotted events is possible, as systems may restrict usage of replicated distributed servers Steps taken when DoS attacks occur There are several steps to take after DoS attack detection. The first step involves identifying the type of attack and determine the appropriate countermeasure. Monitoring and capturing packets flowing into the system in search of common attacking types can achieve this task. An Internet service provider may also perform this task upon request if time, skill, and resources are limited. The second step involves applying packet filters appropriate for the type of attack packets coming through. Internet service providers or select routers provide such filters. Unfortunately, not all DoS attacks are preventable or capable of complete stoppage once initiated, without switching to back-up servers or applying new servers with alternative addresses, 7.18 Measures needed to trace DoS attacks There is a variety of measures usable in order to trace the source of packets used in DoS attacks. An Internet service provider may trace the flow of packets to identify the source upon request.

8 Unfortunately, packets used with spoofed addresses is a time consuming and costly practice for organizations and service providers alike. Overall, the process of tracing packets is not easy to accomplish due to the level of cooperation required between the corporation and owners of the victimized network and systems. References DAVID MOORE, C. S. (2006). Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems, Neves, J. D. (2008). Preventing Use of Recursive Nameservers in Reflector Attacks. Network Working Group. Stallings, W., & Brown, L. (2015). Computer Security: Principles and Practice. Upper Saddle River: Pearson.