Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

Transcription

1 Denial of Service Eduardo Cardoso Abreu - e.abreu@fe.up.pt Federico Matteo Bencic - up @fe.up.pt Pavel Alexeenko - ei11155@fe.up.pt

2 Index What is Denial of Service (DoS)? DoS vs DDoS (Distributed DoS) Types of attacks Network interface layer Network layer Transport layer Application layer Programming component: Slowloris script

3 What is DoS? «A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.» NIST Computer Security Incident Handling Guide

4 And what is DDoS?

5 DoS vs DDoS Efficiency Harder to detect

6 TCP/IP Model

7 Network interface layer

8 Physical attack Causing physical damage Solutions are putting the medium or the node in a safe environment Also having two or more physical external connection

9 Chattering host CSMA Attacker communicates when others communicate, making them back up Solution in using multiple collision domains (i.e.: Network switch)

10 Network layer

11 ARP spoofing Attacker MAC address associated to some other IP address The victim data is routed to the fake address Solution in static ARP tables and monitoring software

12 Smurf attack Send an echo request with a spoofed source address, belonging to the victim (Reflection attack) The unwitting accomplices respond to the victim IP Solution in network filtering for the accomplices For the targets, drop echo packets or use CAR, Cisco s solution

13 Ping of death Sends malformed ping packet to the victim Some OS weren t designed to handle large packets and crash when reassembling the packet fragments Solution in checking incoming fragments offset and length (in host or in firewall)

14 Teardrop attack Exploits reassembly of fragmented IP packets Some (old) OS crash when they receive a fragment which offset overlaps with others Solution in updating the OS

15 Transport layer

16 UDP storm Attacker sends a spoofed packet (with the victim IP address) to another victim small service A chain reaction is triggered where both victims send chargen responses to each other Solution in turning off small services or create a firewall rule against it

17 SYN Flooding Using spoofed addresses, the attacker sends SYNs without ever completing the 3-way handshake When the victim memory is filled, new connections are rejected, denying service to legit clients Solution by using SYN Cookies, that works by not saving the connection data, sends it to the client, restoring it in the final ACK

18 Application layer

19 DNS Cache poisoning DNS records may contain other records The attacker DNS can associate fake IPs with URLs like paypal.com, which can be used in credential harvesting (phishing) Solution by updating to only accept additional records from the same domain, or using DNSSEC, to check if it should be trusted

20 DNS Flooding Many DNS servers are available to public queries The attacker can send spoofed queries (using the victim IP) with verbose responses, generating immense traffic Effectiveness is increased using DDoS due to not being easily recognized by the firewall Solution in not avoid general public DNS

21 Starvation of available sessions on the web server The attacker keeps sessions at halt using never-ending transmissions Programming component: Slowloris.pl Script available on

22 How does it work? Slowloris works by making partial HTTP connections to the host. The TCP connection made by Slowloris during the attack is a full connection which is a legitimate TCP connection.

23 Targets Some of the eligible targets (Single process thread based servers): Apache 1.x Apache 2.x dhttpd Resistant implementations: Hiawatha IIS lighttpd Squid NGINX

24 Implementation Valid GET request GET / HTTP/1.0[CRLF] User-Agent: Wget/ (Red Hat modified)[crlf] Accept: */*[CRLF] Host: [CRLF] Connection: Keep-Alive[CRLF][CRLF]

25 How does it Slowloris do? my $primarypayload = "GET /$rand HTTP/1.1\r\n". "Host: $sendhost\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;. NET CLR ;.NET CLR l3;.NET CLR ;.NET CLR ; MSOffice 12)\r\n". "Content-Length: 42\r\n";

26 Let us see it then :D

27 Some usefull stuff Slowloris is mostly undetected by IDS due to the fact that it does not send malformed request. Furthermore, if the web server is frequently used, slowloris needs to wait for all the HTTP connections to become available. As soon as the attacker stops the execution of the script the resources are released and the web server becomes available.

28 Protection Hardware load balancers The load balancer can be configured accept only full HTTP connections. A firewall Using firewall rules to limit the number of connections from a particular host. A different timeout configuration Lowering the timeout makes it harder for slowloris to harvest connections. Modules against slowloris e.g mod_slowloris for apache

29 Thank you for your attention. Any questions?