Unwanted Traffic: Denial of Service Attacks

Transcription

1 CS 155 Uwated Traffic: Deial of Service Attacks Da Boeh 1

2 What is etwork DoS? Goal: take out a large site with little computig work How: Amplificatio Small umber of packets big effect Two types of amplificatio attacks: DoS bug: w Desig flaw allowig oe machie to disrupt a service DoS flood: w Commad bot-et to geerate flood of requests 2

3 DoS ca happe at ay layer This lecture: Sample Dos at differet layers (by order): w Lik w TCP/UDP w Applicatio DoS mitigatios Sad truth: Curret Iteret ot desiged to hadle DDoS attacks 3

4 Warm up: b DoS bugs Radio jammig attacks: Protocol DoS bugs: trivial, ot our focus. [Bellardo, Savage, 03] NAV (Network Allocatio Vector): w 15-bit field. Max value: w Ay ode ca reserve chael for NAV secods w No oe else should trasmit durig NAV period but ot followed by most b cards De-autheticatio bug: w Ay ode ca sed deauth packet to AP w Deauth packet uautheticated attacker ca repeatedly deauth ayoe 4

5 Smurf amplificatio DoS attack 1 ICMP Echo Req Src: Dos Target Dest: brdct addr 3 ICMP Echo Reply Dest: Dos Target DoS Source gateway DoS Target Sed pig request to broadcast addr (ICMP Echo Req) Lots of resposes: Every host o target etwork geerates a pig reply (ICMP Echo Reply) to victim Prevetio: reject exteral packets to broadcast address 5

6 Moder day example (Feb 18) memcached amplificatio attack: ( 51K amplificatio ) memcached query SrcIP: Dos Target respose DoS Source (15 bytes UDP) request for a large file memcached server (750 KB) DoS Target 2018: 87,000 exposed memcached servers Feb. 2018: 1.35 Tbps attack o GitHub Simple solutio: disable Memcached over UDP (o attack over TCP) 6

7 Moder day example Same attack usig other protocols: DNS, NTP, (over UDP) DNS amplificatio: short DNS query, large respose 2006: 0.58M ope resolvers o Iteret (Kamisky-Shiffma) 2017: 15M ope resolvers (operesolverproject.org) 3/2013: DDoS attack geeratig 309 Gbps for 28 mis. 31,000 ope DNS resolvers, each outputtig 10Mbps. Source: 3 etworks that allowed source IP spoofig. NTP amplificatio: 2014: 400 Gbps (4500 NTP servers) 7

8 Scale, Targetig ad Frequecy of Attacks 100 Gbps Badwidth (Gbps) Figure 13 Source: Arbor Networks, Ic. Feb. 2014: 400 Gbps via NTP amplificatio (4500 NTP servers) 8

9 Review: IP Header format Coectioless Ureliable Best effort 0 31 Versio Flags Header Legth Type of Service Total Legth Idetificatio Fragmet Offset Time to Live Protocol Header Checksum Source Address of Origiatig Host Destiatio Address of Target Host Optios Paddig IP Data 9

10 Review: TCP Header format TCP: Sessio based Cogestio cotrol I order delivery 0 31 Source Port Dest port SEQ Number ACK Number U A P P S F R C SH S YN IN G K R Other stuff 10

11 Review: TCP Hadshake C S SYN: SN C rad C AN C 0 Listeig SYN/ACK: SN S rad S AN S SN C Store SN C, SN S ACK: SN SN C AN SN S Wait Established 11

12 TCP SYN Flood I: low rate (DoS bug) C SYN C1 SYN C2 SYN C3 SYN C4 SYN C5 S Sigle machie: SYN Packets with radom source IP addresses Fills up backlog queue o server No further coectios possible 12

13 SYN Floods (phrack 48, o 13, 1996) OS Backlog queue size Liux 1.2.x 10 FreeBSD WiNT Backlog timeout: 3 miutes Attacker eeds oly 128 SYN packets every 3 miutes Low rate SYN flood 13

14 Low rate SYN flood defeses The problem: server commits resources (memory) before cliet respods No-solutio: Icrease backlog queue size or decrease timeout Correct solutio (whe uder attack) : Sycookies: remove state from server Small performace overhead 15

15 Sycookies [Berstei, Schek] Idea: use secret key ad data i packet to ge. server SN Server respods to Cliet with SYN-ACK cookie: T = 5-bit couter icremeted every 64 secs. L = MAC key (SAddr, SPort, DAddr, DPort, SN C, T) [24 bits] w key: picked at radom durig boot SN S = (T. mss. L) ( L = 24 bits ) Server does ot save state (other TCP optios are lost) Hoest cliet respods with ACK (AN=SN S, SN=SN C +1) Server allocates space for socket oly if valid SN S 16

16 SYN floods: backscatter [MVS 01] SYN with forged source IP Þ SYN/ACK to radom host 17

17 Backscatter measuremet Liste to uused IP addresss space (darket) /8 etwork 0 moitor 2 32 Loely SYN/ACK packet likely to be result of SYN attack 2001: 400 SYN attacks/week 2013: 773 SYN attacks/24 hours (arbor etworks ATLAS) Larger experimets: (moitor may ISP darkets) w Arbor etworks 18

18 Estoia attack (ATLAS 07) Attack types detected: 115 ICMP floods, 4 TCP SYN floods Badwidth: 12 attacks: Mbps for over 10 hours All attack traffic was comig from outside Estoia Estoia s solutio: w Estoia ISPs blocked all foreig traffic util attacks stopped DoS attack had little impact iside Estoia 19

19 Massive floods (e.g. Mirai 9/2016 o Krebs) Commad bot army to flood specific target: (DDoS) Flood with SYN, ACK, UDP, ad GRE packets 623 Gbps (peak) from 100K compromised IoT devices At web site: Saturates etwork uplik or etwork router Radom source IP attack SYNs look the same as real SYNs What to do??? 20

20 src: icapsula.com 21

21 Google project shield Protectig ews orgaizatios. (Commercial service: Akamai, Cloudlare, ) Idea: oly forward established TCP coectios to site Lots-of-SYNs Lots-of-SYN/ACKs Few ACKs Project Shield Proxy Forward to site Web site 22

22 Stroger attacks: GET flood Commad bot army to: Complete TCP coectio to web site Sed short HTTP GET request Repeat Will bypass SYN flood protectio proxy but: Attacker ca o loger use radom source IPs. w Reveals locatio of bot zombies Proxy ca ow block or rate-limit bots. 24

23 A real-world example: GitHub (3/2015) Javascript-based DDoS: popular server github.com hoest ed user iject imageflood.js imageflood.js fuctio imgflood() { var TARGET = 'victim-website.com/idex.php? var rad = Math.floor(Math.radom() * 1000) var pic = ew Image() pic.src = ' } setiterval(imgflood, 10) Would HTTPS prevet this DDoS? 25

24 DNS DoS Attacks (e.g. Dy attack 10/2016) DNS rus o UDP port 53 DNS etry for victim.com hosted at DNSProvider.com DDoS attack: flood DNSProvider.com with DNS queries Radom source IP address i UDP packets Takes out etire DNS server (collateral damage) Dy attack: used some Mirai-based bots At least 100,000 malicious ed poits Dy caot aswer may legit DNS queries Disrupted service at Netflix, Github, Twitter, 26

25 DoS via route hijackig YouTube is /22 (icludes 2 10 IP addr) youtube.com is , Feb. 2008: Pakista telecom advertised a BGP path for /24 (icludes 2 8 IP addr) Routig decisios use most specific prefix The etire Iteret ow thiks is i Pakista Outage resolved withi two hours but demostrates huge DoS vul. with o solutio! 27

26 DoS Mitigatio 29

27 1. Igress filterig (RFC 2827, 3704) Big problem: DDoS with spoofed source IPs ISP Iteret Igress filterig policy: ISP oly forwards packets with legitimate source IP (see also SAVE protocol) 30

28 Implemetatio problems ALL ISPs must do this. Requires global trust. If 10% of ISPs do ot implemet o defese No icetive for deploymet 2017: 33% of Auto. Systems are fully spoofable (spoofer.caida.org) 23% of aouced IP address space is spoofable Recall: 309 Gbps attack used oly 3 etworks (3/2013)

29 2. Cliet puzzles Idea: slow dow attacker Moderately hard problem: Give challege C fid X such that LSB ( SHA-1( C X ) ) = 0 Assumptio: takes expected 2 time to solve For =16 takes about.3sec o 1GhZ machie Mai poit: checkig puzzle solutio is easy. Durig DoS attack: Everyoe must submit puzzle solutio with requests Whe o attack: do ot require puzzle solutio 32

30 Examples GET floods (RSA 99) Example challege: C = TCP server-seq-um First data packet must cotai puzzle solutio w Otherwise TCP coectio is closed SSL hadshake DoS: (SD 03) Challege C based o TLS sessio ID Server: check puzzle solutio before RSA decrypt. 33

31 Beefits ad limitatios Hardess of challege: Decided based o DoS attack volume. Limitatios: Requires chages to both cliets ad servers Hurts low power legitimate cliets durig attack: w Cliets o cell phoes ad tablets caot coect 34

32 Memory-boud fuctios CPU power ratio: high ed server / low-ed IoT device = 8000 Impossible to scale to hard puzzles Iterestig observatio: Mai memory access time ratio: w high ed server / low-ed IoT device = 2 Better puzzles: Solutio requires may mai memory accesses w Dwork-Goldberg-Naor, Crypto 03 w Abadi-Burrows-Maasse-Wobber, ACM ToIT 05 35

33 3. CAPTCHAs Idea: verify that coectio is from a huma Applies to applicatio layer DDoS Durig attack: geerate CAPTCHAs ad process request oly if valid solutio Preset oe CAPTCHA per source IP address. 36

34 4. Source idetificatio Goal: idetify packet source Ultimate goal: block attack at the source 37

35 Traceback [Savage et al. 00] Goal: Give set of attack packets Determie path to source How: chage routers to record ifo i packets Assumptios: Most routers remai ucompromised Attacker seds may packets Route from attacker to victim remais relatively stable 38

36 Simple method Write path ito etwork packet Each router adds its ow IP address to packet Victim reads path from packet Problem: Requires space i packet w Path ca be log w No extra fields i curret IP format Chages to packet format too much to expect 39

37 Better idea DDoS ivolves may packets o same path A 1 A 2 A 3 A 4 A 5 Store oe lik i each packet Each router probabilistically stores ow address Fixed space regardless of path legth R 6 R 7 R 8 R 9 R 10 R 12 V 40

38 Edge Samplig Data fields writte to packet: Edge: start ad ed IP addresses Distace: umber of hops sice edge stored Markig procedure for router R if coi turs up heads (with probability p) the write R ito start address write 0 ito distace field else if distace == 0 write R ito ed field icremet distace field 41

39 Edge Samplig: picture Packet received R 1 receives packet from source or aother router Packet cotais space for start, ed, distace packet s e d R 1 R 2 R 3 42

40 Edge Samplig: picture Begi writig edge R 1 chooses to write start of edge Sets distace to 0 packet R 1 0 R 1 R 2 R 3 43

41 Edge Samplig Fiish writig edge R 2 chooses ot to overwrite edge Distace is 0 w Write ed of edge, icremet distace to 1 packet R 1 R 2 1 R 1 R 2 R 3 44

42 Edge Samplig Icremet distace R 3 chooses ot to overwrite edge Distace >0 w Icremet distace to 2 packet R 1 R 2 2 R 1 R 2 R 3 45

43 Path recostructio Extract iformatio from attack packets Build graph rooted at victim Each (start,ed,distace) tuple provides a edge # packets eeded to recostruct path l(d) E(X) < p(1-p) d-1 where p is markig probability, d is legth of path 46

44 Problem: Reflector attacks [Paxso 01] Reflector: A etwork compoet that respods to packets Respose set to victim (spoofed source IP) Examples: DNS Resolvers: UDP 53 with victim.com source w At victim: DNS respose Web servers: TCP SYN 80 with victim.com source w At victim: TCP SYN ACK packet NTP servers 49

45 DoS Attack Sigle Master May bots to geerate flood Zillios of reflectors to hide bots Kills traceback ad pushback methods 50

46 Take home message: Deial of Service attacks are real: Must be cosidered at desig time Sad truth: Iteret is ill-equipped to hadle DDoS attacks May commercial solutios: CloudFlare, Akamai, May proposals for core redesig 60

47 THE END 61