DDoS and Traceback 1

Transcription

1 DDoS and Traceback 1

2 Denial-of-Service (DoS) Attacks (via Resource/bandwidth consumption) malicious server legitimate Tecniche di Sicurezza dei Sistemi 2

3 TCP Handshake client SYN seq=x server SYN seq=y, ACK x+1 ACK y+1 connection established Tecniche di Sicurezza dei Sistemi 3

4 IP Spoofing & SYN Flood X establishes a TCP connection with B assuming A s IP address A (1) SYN Flood (3) (0) predict B s TCP seq. behavior SYN(seq=n)ACK(seq n)ack(seq=m+1) X (2) =A SYN(seq SYN(seq=m),src m),src=a Tecniche di Sicurezza dei Sistemi 4 B (4) ACK(seq ACK(seq=n+1) =n+1)

5 icmp echo request icmp echo reply ping icmp echo request to a broadcast address: from victim attacker victim icmp echo request from all hosts to victim smurf Tecniche di Sicurezza dei Sistemi 5

6 Distributed DoS (DDoS) Attacks masters zombies attacker victim Tecniche di Sicurezza dei Sistemi 6

7 DDoS Common Steps Initiate a scan phase in which a large number of computers (100,000+) on the internet are probed for known vulnerabilities. Exploit the vulnerabilities to compromised the computers to gain access. Install attack tools on each compromised host, and use the compromised hosts for further scanning/compromises. A subset of the compromised hosts with desired architecture/topology are chosen to form the attack network. Install attack and communication tools. Tell the masters to attack. Tecniche di Sicurezza dei Sistemi 7

8 DDoS: At Least 4 Versions Trinoo Attacker uses TCP; Masters and zombies use UDP; password authentication. TFN Attacker uses shell to invoke master; Masters and zombies use ICMP echo reply. TFN2K A Combination of UDP, ICMP, and TCP. Stacheldraht Attacker uses encrypted TCP; Masters and zombies use TCP and ICMP echo reply; rcp used for auto-update. update. Tecniche di Sicurezza dei Sistemi 8

9 DDoS Example: Trinoo Scanning: Buffer overflow bus in Solaris and Linux, e.g., wu-ftpd ftpd, statd, amd,, etc. A compromised node has a shell running as root and sends back confirmation. Installing attack program: Use netcat (nc)) to pipe a shell script to the shell (running as root) on the compromised host Attacker to master: TCP: Must provide password; commands: dos IP etc. Master to zombie: UDP: Command line includes password; commands: aaa pass IP; rsz N, etc. Tecniche di Sicurezza dei Sistemi 9

10 DDoS: What to Do About It Not a whole lot! Prevention Detection Traceback Tecniche di Sicurezza dei Sistemi 10

11 DDoS: Prevention Authentication. Not feasible in practice. Ingress filtering on the routers. Traffic volume monitoring. Rate limit certain traffics, e.g., ICMP packets, SYN packets. Measure normal rates first! Tecniche di Sicurezza dei Sistemi 11

12 DDoS: Detection Surge in traffic volume Too much traffic to a particular destination Specific to current DDoS tools Control messages between attacker, masters, and zombies Footprints of attack programs running on masters and zombies What is after detection? Stop the flood Tecniche di Sicurezza dei Sistemi 12

13 Traceback Why Stop the attacks Gather evidence for law enforcement Only to machines that directly generate the attack traffics For the real masters/attackers: more forensic analysis necessary Difficulty Spoofed IP source addresses Tecniche di Sicurezza dei Sistemi 13

14 Traceback: Several Proposals Link Testing ICMP Traceback Probabilistic Marking Tecniche di Sicurezza dei Sistemi 14

15 Link Testing: Input Debugging Victim reports to upstream router, which installs debugging filter that reveals which upstream router originated the traffic. Repeat recursively until the the ISP s border is reached. The upstream ISP is contacted and repeats the process. Considerable management overhead. Relying on the availability and willingness of the network operators. Tecniche di Sicurezza dei Sistemi 15

16 Link Testing: Controlled Flooding Victim coerces selected hosts along the upstream route to iterative flood each incoming link of the router closest to the victim. Infer which link the attack comes from by observing the attack packet rate changes Router buffers are shared. Repeat recursively A form of DoS itself! Need to have a good network topology map. Tecniche di Sicurezza dei Sistemi 16

17 ICMP Traceback For a very few packets (about 1 in 20,000), each router will send the destination a new ICMP packet that includes the contents of that packet and information about previous hop for that packet. The flood victim can use these ICMP packets to reconstruct the path back to the attacker. Net traffic increase at end point is about 0.1% - probably acceptable. Issues: authentication (attacker can falsify the ICMP packets), loss of traceback packets, load and cooperation on routers. Tecniche di Sicurezza dei Sistemi 17

18 Probabilistic Marking Basic idea: Probabilistically mark packets with partial path information as they arrive at routers. Each marked packet represents a sample of its path. But flooding attacks comprise a large number of packets. By combing a modest number of these marked packets, the entire path can be reconstructed. Tecniche di Sicurezza dei Sistemi 18

19 The Node Append Algorithm Marking procedure at router R: For each packet w,, append R to w. Path reconstruction procedure at victim: For any packet w from attacker Extract (R( i,, R j ) from suffix of w. High overhead at router. Not enough space at packet. Tecniche di Sicurezza dei Sistemi 19

20 The Node Sampling Algorithm Marking procedure at router R: For each packet w, Roll the dice: let x be a random number in [0..1]. if x < p then write R to w.node. Path reconstruction procedure at victim: For any packet w from attacker Let NodeTbl be a table of (node,count) z= = lookup w.node in NodeTbl if z is not nil then increment z.count else insert (w.node,1) in NodeTbl Sort NodeTbl by the count field Extract path (R( i,, R j ) from ordered node fields. Tecniche di Sicurezza dei Sistemi 20