Denial of Service (DoS) - Comp Sci 3600 Security
Outline (sections 1 to 8)
Denial-of-Service (DoS) attack
The NIST Computer Security Incident Handling Guide defines a DoS attack as: an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.
The scale of these attacks has continued to rise over recent years, by 2016 exceeding a terabit per second!
A common attack, which is often easy to execute and hard to fully prevent.
Often used for extortion: cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid.
Categories of resources that could be attacked:
- Network bandwidth: dependent on the capacity of the network links connecting a server to the Internet. For most organizations this is their connection to their Internet Service Provider (ISP). The attack overwhelms any legitimate traffic, denying legitimate users access to the server.
- System resources: aims to overload or crash the network handling software. Includes temporary buffers used to hold arriving packets, tables of open connections, etc.
- Application resources: typically involves a number of valid requests, each of which intentionally consumes significant resources (e.g., a database query), thus limiting the ability of the server to respond to requests from other users.
Figure 7.1 Example Network to Illustrate (diagram: broadband users and subscribers behind Internet service providers A and B, an Internet router, a large company LAN with a web server, a medium-size company LAN with a web server, and LAN PCs and workstations; varieties of end users appear as both attackers and victims)
Classic DoS attack: flooding
The aim of this attack is to overwhelm the capacity of the network connection to the target organization. The traffic can be handled by the higher-capacity links along the path, but packets are discarded once they reach a link whose capacity is lower.
Example with the ping command: use the large company's web server to attack the medium-sized company, which has a lower-capacity network connection, by directing a flooding ping command at the web server in the target company.
The source of the attack is clearly identified unless a spoofed address is used; this enables the sender to be DoS'ed back, the sender's identity to be known, and the attack to be halted more easily.
Source address spoofing
Use forged source addresses, usually via the raw socket interface on operating systems. This makes the attacking systems harder to identify.
The attacker generates large volumes of packets that have the target system as the destination address, but use randomly selected, usually different, source addresses.
The ICMP echo response packets generated when those packets reach the target system are no longer reflected back to the source system, but are scattered across the Internet to all the various forged source addresses, as backscatter traffic.
To study this, one can advertise routes to unused IP addresses and monitor the attack traffic that arrives there.
Finding the attacker requires network engineers to specifically query flow log information from their routers.
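The following is an added example, not part of the slides: it shows how the backscatter idea above is used on the defender's side. Packets arriving at an unused, monitored address block that are replies (SYN-ACK or RST) to packets nobody there sent can only be answers to forged sources, so grouping them by sender identifies the victim, and scaling by the fraction of the address space monitored estimates the total reply rate. The monitored /8, the thresholds, and the captured packets are all constructed for this example.

```python
# Added example (not from the slides): estimating spoofed-source flood
# activity from backscatter that lands in a monitored, unused address block.
import ipaddress
from collections import defaultdict

# Assumption: we announce and capture traffic for this otherwise unused /8.
MONITORED = ipaddress.ip_network("10.0.0.0/8")

# Constructed capture: each record is one packet arriving at the monitored block.
# Addresses are documentation ranges, not real hosts.
SAMPLE_PACKETS = (
    # Ten SYN-ACKs from one web server: it is being SYN-flooded with forged
    # sources that happen to fall inside our block, and replies to "them".
    [{"t": 0.5 * i, "src": "203.0.113.10", "sport": 80,
      "dst": f"10.{i}.7.{i + 1}", "flags": "SA"} for i in range(10)]
    # Two RSTs from another host: real backscatter, but too little to report.
    + [{"t": 1.0, "src": "198.51.100.5", "sport": 22, "dst": "10.9.9.9", "flags": "RA"},
       {"t": 1.2, "src": "198.51.100.5", "sport": 22, "dst": "10.9.9.10", "flags": "RA"}]
    # A plain SYN is a scan, not a reply to anything: ignored.
    + [{"t": 2.0, "src": "192.0.2.77", "sport": 4444, "dst": "10.1.1.1", "flags": "S"}]
)


def is_backscatter(pkt, monitored=MONITORED):
    """An unsolicited SYN-ACK or RST arriving at an address nobody uses can only
    be a reply to a packet that forged one of our addresses as its source."""
    return (ipaddress.ip_address(pkt["dst"]) in monitored
            and pkt["flags"] in ("SA", "R", "RA"))


def summarize_backscatter(packets, monitored=MONITORED, min_packets=5):
    """Group backscatter by its source (the victim) and scale the observed rate
    up by the fraction of the IPv4 space we monitor: with uniformly random
    forged sources we see about that fraction of all replies the victim sends."""
    per_victim = defaultdict(lambda: {"n": 0, "dsts": set(), "ports": set(),
                                      "first": None, "last": None})
    for pkt in packets:
        if not is_backscatter(pkt, monitored):
            continue
        v = per_victim[pkt["src"]]
        v["n"] += 1
        v["dsts"].add(pkt["dst"])
        v["ports"].add(pkt["sport"])
        v["first"] = pkt["t"] if v["first"] is None else min(v["first"], pkt["t"])
        v["last"] = pkt["t"] if v["last"] is None else max(v["last"], pkt["t"])

    fraction = monitored.num_addresses / 2 ** 32
    report = {}
    for victim, v in per_victim.items():
        if v["n"] < min_packets:
            continue
        duration = max(v["last"] - v["first"], 1.0)  # avoid division by zero on a burst
        observed_pps = v["n"] / duration
        report[victim] = {
            "observed_pps": observed_pps,
            "estimated_total_pps": observed_pps / fraction,
            "distinct_forged_sources": len(v["dsts"]),
            "service_ports": sorted(v["ports"]),
        }
    return report


if __name__ == "__main__":
    for victim, info in summarize_backscatter(SAMPLE_PACKETS).items():
        print(victim, info)
```

The estimate only holds if the attacker's forged sources are spread uniformly over the address space; an attacker who forges addresses from a narrow range will be under- or over-counted, which is why the report also lists how many distinct forged sources were seen.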
TCP 3-way handshake: SYN, SYN-ACK, ACK (diagram, client on the left, server on the right)
1. Client sends SYN (seq = x); server receives SYN (seq = x)
2. Server sends SYN-ACK (seq = y, ack = x+1); client receives SYN-ACK (seq = y, ack = x+1)
3. Client sends ACK (ack = y+1); server receives ACK (ack = y+1)
SYN flood (SYN spoofing)
Reminder: TCP is connection oriented, and the server keeps a table of all connections.
A common DoS attack. It attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them, so legitimate users are denied access to the server.
Classified as an attack on system resources, specifically the network handling code in the operating system.
The attacker generates a number of SYN connection request packets with forged source addresses. It works better (for the attacker) if the spoofed source addresses do not correspond to real IP addresses, since a real computer might respond with a RST (reset) packet to cancel this unknown connection request.
SYN spoofing attack (diagram: attacker, server, spoofed client)
1. Attacker sends SYN with spoofed source (seq = x)
2. Server sends SYN-ACK (seq = y, ack = x+1) and resends the SYN-ACK after timeouts; the SYN-ACKs to the non-existent client are discarded, and the server eventually assumes a failed connection request
SYN spoofing versus classic flooding
The actual volume of SYN traffic can be comparatively low, nowhere near the maximum capacity of the link to the server. It simply has to be high enough to keep the known-connections table filled. Unlike the flooding attack, this means the attacker does not need access to a high-volume network connection.
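Because the traffic volume can be low, this attack is easier to see in the server's own connection table than on a bandwidth graph. The following is an added example, not part of the slides: it parses a connection table in the layout of `ss -tan` output (a constructed sample) and flags the pattern just described, a half-open table filling with SYN-RECV entries from many distinct sources that never complete, while established sessions stay flat. The listen backlog size of 128 and the thresholds are assumptions.

```python
# Added example (not from the slides): spotting a SYN spoofing attack by the
# state of the server's own connection table rather than by traffic volume.
from collections import Counter

# Constructed sample in the layout of `ss -tan` output, for a server on port 443:
# a handful of established sessions plus a pile of half-open (SYN-RECV) entries
# whose peers are all different, never-seen-before addresses.
_lines = ["State     Recv-Q Send-Q Local Address:Port  Peer Address:Port"]
_lines += [f"ESTAB     0      0      192.0.2.10:443      198.51.100.{n}:5{n:04d}"
           for n in (23, 24, 25)]
_lines += [f"SYN-RECV  0      0      192.0.2.10:443      203.0.113.{n}:40001"
           for n in range(1, 41)]
SAMPLE_SS = "\n".join(_lines)


def parse_ss(text):
    """Yield (state, peer_ip) for each connection line of `ss -tan`-style output."""
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        state, peer = fields[0], fields[4]
        yield state, peer.rsplit(":", 1)[0]     # strip the port


def assess_backlog(text, backlog=128, half_open_share=0.25, spread=0.9):
    """Assumed listen backlog of 128 (the size of the half-open table we are
    protecting). A flood fills that table with half-open entries spread over
    many distinct sources; a flash crowd grows ESTAB entries instead."""
    states = Counter()
    half_open_peers = set()
    for state, peer in parse_ss(text):
        states[state] += 1
        if state == "SYN-RECV":
            half_open_peers.add(peer)
    half_open = states["SYN-RECV"]
    distinct_ratio = len(half_open_peers) / half_open if half_open else 0.0
    suspicious = (half_open >= half_open_share * backlog
                  and distinct_ratio >= spread)
    return {
        "established": states["ESTAB"],
        "half_open": half_open,
        "backlog_used": half_open / backlog,
        "distinct_source_ratio": distinct_ratio,
        "verdict": "syn-flood-suspected" if suspicious else "normal",
    }


if __name__ == "__main__":
    print(assess_backlog(SAMPLE_SS))
```

Run periodically, the same check gives a baseline for how full the half-open table normally is, so the threshold can be set from observed data rather than the assumed 25 percent used here.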
Flooding attacks
Classified based on the network protocol used. The intent is to overload the network capacity on some link to a server. Virtually any type of network packet can be used.
Flooding attacks: ICMP flood
E.g., a ping flood using ICMP echo request packets. Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool. More recently, many block such packets at their firewalls.
So attackers use other packet types that are needed for the correct operation of TCP/IP; filtering some of these critical packet types would degrade or break normal TCP/IP network behavior. ICMP destination unreachable and time exceeded packets are examples of such critical packet types. Further, because these packets include part of some notional erroneous packet that supposedly caused the error being reported, they can be made comparatively large, increasing their effectiveness in flooding the link.
Flooding attacks: UDP flood
For example, some servers and routers have diagnostic echo services running. Uses UDP packets directed to some port number on the target system.
Spoofed source addresses are normally used if the attack is generated using a single source system, for the same reasons as with the ICMP flood. If multiple systems are used for the attack, often the real addresses of the compromised (zombie) systems are used. When multiple systems are used, the consequences of both the reflected flow of packets and the ability to identify the attacker are reduced.
Flooding attacks: TCP SYN flood
Sends TCP SYN packets to the target system. The effect is similar to the SYN spoofing attack, but here it is the total volume of packets that is the aim of the attack rather than the system code. Check out the python code!
Single versus multiple attackers
All of these flooding attack variants are limited in the total volume of traffic that can be generated if just a single system is used to launch the attack, and such an attack is also easy to trace. By using multiple systems, the attacker can scale up the volume of the attack. By directing the attack through intermediaries, the attacker is further distanced from the target and significantly harder to locate and identify.
Indirect attack types that utilize multiple systems include: distributed denial-of-service, reflector, and amplifier attacks.
Distributed Denial of Service (DDoS)
Use of multiple systems to generate the attack. The attacker uses a flaw in an operating system or in a common application to gain access to a system and installs their program on it (making it a zombie). Large collections of such systems under one attacker's control can be created, forming a botnet.
The attacker can use handlers for efficiency and stealth. Figure 7.4 Attack Architecture (diagram: the attacker controls handler zombies, which control agent zombies, which attack the target)
Application-based bandwidth attacks
An application-layer attack is done mainly for specific targeted purposes, including disrupting transactions and access to databases. It requires fewer resources and often accompanies network-layer attacks. For example, large or costly database queries could keep a server busy.
DoS on a SIP server (diagram of the normal call setup that a SIP flood imitates):
1. User agent alice on LAN 1 sends DNS query: biloxi.com
2. The DNS server returns the IP address of bob's proxy server
3. alice sends INVITE sip:bob@biloxi.com From: sip:alice@atlanta.com to her proxy server
4. The proxy server forwards the INVITE across the Internet to bob's proxy server
5. bob's proxy server delivers the INVITE to user agent bob on the wireless network
Hypertext Transfer Protocol (HTTP) attacks: HTTP flood
Bombards web servers with HTTP requests, consuming considerable resources.
Spidering: bots starting from a given link and following all links on the provided web site recursively.
Hypertext Transfer Protocol (HTTP) attacks: Slowloris
The HTTP specs state that a blank line indicates the end of the request headers and the beginning of the payload, if any. Once the entire request is received, the web server may then respond by sending the object.
Slowloris sends an incomplete request that does not include the terminating newline sequence. It then sends additional header lines to keep the connection alive, but never sends the terminating newline sequence. The web server keeps the connection open, expecting more information to complete the request. This eventually consumes the web server's connection capacity.
It utilizes legitimate traffic, not malformed or buggy packets, so existing intrusion detection and prevention solutions that rely on signatures will generally not recognize it.
Can you easily program a bot to perform this attack?
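The server-side counter to this is to give each connection a fixed budget for finishing its headers rather than a per-packet idle timeout, which the trickle of header lines would keep resetting. The following is an added example, not part of the slides and not any particular web server's code: a header reader with an absolute deadline and a byte cap, replayed against a constructed normal client, a constructed slow client, and a constructed oversized request. Budget values are assumptions.

```python
# Added example (not from the slides): a bounded header-read budget, the
# server-side control that defeats the slow, never-completed request.
HEADER_END = b"\r\n\r\n"   # the blank line that ends the request headers


class HeaderReader:
    """Per-connection state for reading one request's header section.
    The client gets a fixed wall-clock budget and a byte budget to reach the
    blank line; trickling more header lines does not extend either budget.
    Budget values below are assumptions, not a particular server's defaults."""

    def __init__(self, started_at, header_timeout=10.0, max_header_bytes=8192):
        self.deadline = started_at + header_timeout
        self.max_bytes = max_header_bytes
        self.buf = b""
        self.state = "reading"

    def check(self, now):
        """Idle timer tick: drop the connection once the deadline passes."""
        if self.state == "reading" and now > self.deadline:
            self.state = "dropped:header-timeout"
        return self.state

    def feed(self, chunk, now):
        """Deliver bytes that arrived at time `now`."""
        if self.check(now) != "reading":
            return self.state
        self.buf += chunk
        if HEADER_END in self.buf:
            self.state = "complete"
        elif len(self.buf) > self.max_bytes:
            self.state = "dropped:header-too-large"
        return self.state


def run_connection(events, end_time, **budget):
    """Replay (time, bytes) events on one connection, then fire the idle timer
    at end_time; returns the final connection state."""
    reader = HeaderReader(started_at=events[0][0], **budget)
    for t, chunk in events:
        if reader.feed(chunk, t) != "reading":
            break
    return reader.check(end_time)


def naive_idle_survives(events, idle_timeout=10.0):
    """What a per-packet idle timeout alone does: it resets on every byte, so a
    client sending one header line every few seconds is never dropped."""
    gaps = [b - a for (a, _), (b, _) in zip(events, events[1:])]
    return all(g < idle_timeout for g in gaps)


# Constructed traffic. A normal client finishes its headers in a fraction of a second.
NORMAL = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"), (0.1, b"\r\n")]
# A slow client adds a fresh header line every five seconds and never sends the blank line.
SLOW = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")] + \
       [(5.0 * k, f"X-a: {k}\r\n".encode()) for k in range(1, 20)]
# A client that never finishes but sends a lot is caught by the byte budget instead.
HUGE = [(0.0, b"GET / HTTP/1.1\r\n")] + \
       [(0.001 * k, b"X-pad: " + b"A" * 1000 + b"\r\n") for k in range(1, 20)]

if __name__ == "__main__":
    for name, ev in (("normal", NORMAL), ("slow", SLOW), ("huge", HUGE)):
        print(name, run_connection(ev, end_time=100.0))
```

The same control exists in production servers; Apache's mod_reqtimeout, for instance, bounds the header phase with a directive such as `RequestReadTimeout header=20-40,MinRate=500`, which also adds a minimum data rate so a client cannot stay just under the byte cap.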
Reflection attacks
The attacker sends packets to a known service on an intermediary with a spoofed source address of the actual target system. When the intermediary responds, the response is sent to the target: the attack is reflected off the intermediary (reflector). The goal is to generate enough volume of packets to flood the link to the target system without alerting the intermediary. The basic defense against these is blocking spoofed-source packets.
Reflection using SYN packets
A variant of the reflection attack uses SYN packets and exploits the normal three-way handshake used to establish a TCP connection. The attacker sends a number of SYN packets with spoofed source addresses to the chosen intermediaries. In turn, the intermediaries respond with a SYN-ACK packet to the spoofed source address, which is actually the target system. The attacker uses this attack with a number of intermediaries to avoid detection and bandwidth constraints. The aim is to generate high enough volumes of packets to flood the link to the target system. The target system will respond with a RST packet for any that get through, but by then the attack has already succeeded in overwhelming the target's network link.
A DNS reflection attack exploits recursive DNS. Figure 7.6 DNS Attack (diagram; normal on the left, attack on the right):
Normal: 1. the user (IP a.b.c.d) sends a query From: a.b.c.d:1792 To: w.x.y.z:53; 2. the DNS server (IP w.x.y.z) answers From: w.x.y.z:53 To: a.b.c.d:1792.
Attack (port 7 is echo): 1. the attacker (IP a.b.c.d) sends a query with the victim's address forged as the source, From: j.k.l.m:7 To: w.x.y.z:53; 2. the DNS server replies From: w.x.y.z:53 To: j.k.l.m:7; 3. the victim's echo service (IP j.k.l.m) bounces the reply back From: j.k.l.m:7 To: w.x.y.z:53, so a loop is possible.
Amplification attacks
Like reflection attacks, these also involve sending a packet with a spoofed source address (the target system's) to intermediaries. However, the intermediary amplifies either the number or the size of the attacker's messages.
Example: send a ping flood to the broadcast address on a large subnetwork, with the source address spoofed as the victim's.
Amplification attack: broadcast to intermediaries, each of which performs a reflection attack. Figure 7.7 Attack (diagram: attacker, zombies, reflector intermediaries, target)
DNS amplification attacks
Example: use packets directed at a legitimate DNS server as the intermediary system, with the source address spoofed as the victim's. The attacker creates a series of DNS requests containing the spoofed source address of the target system, exploiting DNS behavior to convert a small request into a much larger response carrying a big DNS resource record (amplification). The target is flooded with the larger responses.
The basic defense against this attack is to prevent the use of spoofed source addresses.
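From the victim's side, the amplification leaves a recognizable asymmetry in flow records: large DNS answers arriving from many resolvers for hosts that sent few or no queries. The following is an added example, not part of the slides: it applies that check to constructed NetFlow-style records for an assumed defended prefix. Thresholds are assumptions to tune per site.

```python
# Added example (not from the slides): flagging a DNS amplification flood at
# the victim's edge from flow records, using the request/response asymmetry.
import ipaddress
from collections import defaultdict

OUR_NET = ipaddress.ip_network("203.0.113.0/24")   # assumption: the space we defend


def flow(src, sport, dst, dport, packets, nbytes, proto="udp"):
    """One unidirectional flow record (constructed, NetFlow-style fields)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "packets": packets, "bytes": nbytes}


FLOWS = (
    # Victim 203.0.113.9 never sent a query, yet 30 open resolvers each deliver
    # ten ~3000-byte answers to it: the attacker's requests carried its address.
    [flow(f"198.51.100.{n}", 53, "203.0.113.9", 3000 + n, 10, 30000) for n in range(1, 31)]
    # Ordinary client: a few queries out to one resolver and modest answers back.
    + [flow("203.0.113.20", 51000, "198.51.100.1", 53, 5, 300),
       flow("198.51.100.1", 53, "203.0.113.20", 51000, 5, 2000)]
)


def _inside(addr):
    return ipaddress.ip_address(addr) in OUR_NET


def detect_dns_amplification(flows, min_sources=5, min_avg_size=1000, min_ratio=10.0):
    """Per inside host: bytes of DNS answers received versus bytes of queries sent.
    Many distinct resolvers, large average packets and no (or tiny) matching
    queries is the signature; a real client's answers are paired with queries."""
    answers_in = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    queries_out = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == 53 and _inside(f["dst"]):
            a = answers_in[f["dst"]]
            a["bytes"] += f["bytes"]
            a["packets"] += f["packets"]
            a["sources"].add(f["src"])
        elif f["dport"] == 53 and _inside(f["src"]):
            queries_out[f["src"]] += f["bytes"]

    findings = []
    for host, a in answers_in.items():
        avg_size = a["bytes"] / a["packets"]
        q_bytes = queries_out.get(host, 0)
        ratio = a["bytes"] / q_bytes if q_bytes else float("inf")
        if (len(a["sources"]) >= min_sources and avg_size >= min_avg_size
                and ratio >= min_ratio):
            findings.append({"victim": host, "resolvers": len(a["sources"]),
                             "avg_response_bytes": avg_size, "amplification": ratio})
    return findings


if __name__ == "__main__":
    for finding in detect_dns_amplification(FLOWS):
        print(finding)
```

The ratio is the amplification factor as seen by the victim; for the real client in the sample it is about 6.7 but the answers are matched by its own queries and arrive from a single resolver, so it is not reported.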
Denial-of-service as a service
Some vendors provide so-called booter or stresser services, which have simple web-based front ends and accept payment over the web. Marketed and promoted as stress-testing tools, they can be used to perform unauthorized denial-of-service attacks, giving technically unsophisticated attackers access to sophisticated attack tools without needing to understand how they work.
Defenses against DoS attacks
These cannot be prevented entirely: high traffic volumes may be legitimate, e.g. high publicity about a specific site or activity on a very popular site, described as being slashdotted, a flash crowd, or a flash event.
Four areas of defense:
- Attack prevention and preemption: before the attack (coming up in the next slides)
- Attack detection and filtering: during the attack (coming up next class)
- Attack source traceback and identification: during and after the attack (coming up this semester)
- Attack reaction: after the attack (briefly discussed today)
DoS defenses: attack prevention
Block spoofed source addresses on routers as close to the source as possible (i.e., the ISP blocks outgoing packets with source addresses it does not own).
Filters may be used to ensure that the path back to the claimed source address is the one being used by the current packet. Such filters must be applied to traffic before it leaves the ISP's network or at the point of entry to their network.
Use modified connection handling code:
- SYN cookies: what would have been stored in the connection table is instead encrypted into a cookie sent to the client; a legitimate client responds with an ACK packet containing the incremented sequence number (the cookie), which allows the server to then continue the connection.
- Drop an entry for an incomplete connection from the connections table when it overflows.
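The following is an added example, not part of the slides and not the Linux kernel's implementation, of the SYN cookie idea: the server's initial sequence number y is computed from a keyed hash of the connection 4-tuple, the client's ISN and a time slot, plus a few bits encoding the client's MSS, so nothing is stored while the handshake is pending. When the ACK (ack = y+1) arrives, the server recovers y, checks the hash and the age, and only then creates the connection. The bit layout, the MSS table, the secret and the addresses are assumptions constructed for this example.

```python
# Added example (not from the slides, and not the Linux kernel's code): a
# stateless SYN cookie in the style the slide describes. Layout and table are
# assumptions: 5 bits of time counter, 3 bits of MSS index, 24 bits of MAC.
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = [536, 1024, 1440, 1460]           # encodable MSS values (index fits in 3 bits)
SERVER_SECRET = b"constructed-secret-rotate-periodically"


def _mac24(saddr, sport, daddr, dport, client_isn, tick):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = struct.pack("!4sH4sHII",
                      ipaddress.IPv4Address(saddr).packed, sport,
                      ipaddress.IPv4Address(daddr).packed, dport,
                      client_isn & 0xFFFFFFFF, tick & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, client_mss, tick):
    """Server's initial sequence number for the SYN-ACK. Nothing is stored:
    everything needed to finish the handshake is inside the number itself."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss] or [0]
    mss_idx = fits[-1]                         # largest table value not above the client's MSS
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, client_isn, tick)


def check_syn_cookie(saddr, sport, daddr, dport, client_isn, cookie, now_tick, max_age=2):
    """On the final ACK: recover the time slot, accept only recent cookies, and
    recompute the MAC. Returns the MSS to use, or None to drop the ACK."""
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        tick = now_tick - age
        if (tick & 0x1F) != slot:
            continue
        if (cookie & 0xFFFFFF) == _mac24(saddr, sport, daddr, dport, client_isn, tick):
            return MSS_TABLE[mss_idx]
    return None


def handle_handshake(client, server, client_isn, client_mss, syn_tick, ack_tick, ack_seq=None):
    """Walk the three messages for one client: SYN in, SYN-ACK out (cookie as
    seq = y), ACK in. The server rebuilds the connection from the ACK alone.
    `ack_seq` overrides the seq of the final ACK to model a forged or replayed ACK."""
    cookie = make_syn_cookie(client[0], client[1], server[0], server[1],
                             client_isn, client_mss, syn_tick)
    # A legitimate client answers with seq = x+1 and ack = y+1, where y is the cookie.
    seq = client_isn + 1 if ack_seq is None else ack_seq
    ack = (cookie + 1) & 0xFFFFFFFF
    mss = check_syn_cookie(client[0], client[1], server[0], server[1],
                           (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, ack_tick)
    return cookie, mss


if __name__ == "__main__":
    # Constructed endpoints; ticks would be a coarse clock (e.g. minutes) in practice.
    print(handle_handshake(("198.51.100.7", 40001), ("192.0.2.10", 443), 12345, 1452, 100, 101))
```

The cost of this design is what the slide implies: any TCP option that was only in the SYN (window scaling, SACK) is lost unless it is also squeezed into the cookie, which is why real kernels enable cookies only once the backlog is under pressure.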
DoS defenses: attack prevention (continued)
- Block IP directed broadcasts
- Block suspicious services and combinations
- Manage applications with captchas to distinguish legitimate human requests
- Good general system security practices
- Use mirrored and replicated servers when high performance and reliability are required
- Antispoofing, directed broadcast, and rate limiting filters should be implemented
- Ideally have network monitors and an IDS to detect and notify of abnormal traffic patterns
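The antispoofing filter named above, and the "block addresses you don't own" rule from the previous slide, come down to one decision per packet: does the claimed source make sense on the interface it arrived on? The following is an added example, not part of the slides and not any router vendor's implementation, of that decision for a constructed ISP edge router: strict reverse-path checking on customer-facing interfaces, and a check on the upstream interface that nothing arriving from outside claims a customer's address. The routing table, interface names, bogon list and packets are all assumptions; documentation address ranges stand in for public customer space.

```python
# Added example (not from the slides, not any router vendor's implementation):
# the anti-spoofing checks an ISP applies at its customer and upstream edges.
import ipaddress

# Constructed routing table of an ISP edge router: prefix -> interface it is
# reached through. Customer prefixes are documentation ranges used as stand-ins.
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "cust-A"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust-B"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]
CUSTOMER_IFACES = {"cust-A", "cust-B"}

# Source addresses that must never appear on the public Internet (constructed,
# minimal list; a production list is longer and maintained externally).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def best_route(ip, routes=ROUTES, use_default=False):
    """Longest-prefix match. Reverse-path checks ignore the default route,
    because 'reachable via the default' says nothing about where a source lives."""
    matches = [(net, iface) for net, iface in routes
               if ip in net and (use_default or net.prefixlen > 0)]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def is_bogon(ip):
    return any(ip in net for net in BOGONS)


def ingress_decision(src, iface, routes=ROUTES):
    """Decide whether a packet with source `src` arriving on `iface` may enter.
    Customer side: strict reverse path (the source must route back out the
    same interface). Upstream side: the source must not claim our own space."""
    ip = ipaddress.ip_address(src)
    if is_bogon(ip):
        return "drop:bogon"
    route = best_route(ip, routes)
    if iface in CUSTOMER_IFACES:
        if route is None or route[1] != iface:
            return "drop:spoofed-source"
        return "accept"
    if route is not None and route[1] in CUSTOMER_IFACES:
        return "drop:spoofed-source"       # a customer's address arriving from outside
    return "accept"


def filter_batch(packets, routes=ROUTES):
    """Apply the check to (src, iface) pairs; returns counts per decision."""
    counts = {}
    for src, iface in packets:
        decision = ingress_decision(src, iface, routes)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed packets as (source address, arrival interface).
SAMPLE = [
    ("203.0.113.5", "cust-A"),      # customer A using its own address
    ("192.0.2.9", "cust-A"),        # random forged source
    ("198.51.100.7", "cust-A"),     # customer A forging customer B's address
    ("10.1.2.3", "cust-A"),         # private address leaking out
    ("192.0.2.9", "upstream"),      # ordinary Internet source
    ("203.0.113.5", "upstream"),    # outsider forging customer A's address
]

if __name__ == "__main__":
    for src, iface in SAMPLE:
        print(src, iface, ingress_decision(src, iface))
    print(filter_batch(SAMPLE))
```

Strict mode is only safe where routing is symmetric, which is why it is applied at single-homed customer edges; a multi-homed customer whose traffic may return via another link needs the looser form of the check, or explicit prefix lists.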
Responding to DoS attacks
Have a good incident response plan. For example, it should include details on how to contact technical personnel at the ISP (needed to impose traffic filtering upstream) and details of how to respond to the attack.
Responding to DoS attacks
1. Identify the type of attack: capture and analyze packets; design filters to block the attack traffic upstream, or identify and correct the system/application bug.
2. Have the ISP trace the packet flow back to its source: may be difficult and time consuming; necessary if planning legal action.
3. Implement the contingency plan: switch to alternate backup servers; commission new servers at a new site with new addresses.
4. Update the incident response plan: analyze the attack and the response for future handling.