Denial of Service. EJ Jung 11/08/10

Similar documents
Network Security. Tadayoshi Kohno

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

DDoS and Traceback 1

CSE 565 Computer Security Fall 2018

ELEC5616 COMPUTER & NETWORK SECURITY

CE Advanced Network Security Botnets

Configuring attack detection and prevention 1

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

DDoS Testing with XM-2G. Step by Step Guide

Configuring attack detection and prevention 1

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

CSC 574 Computer and Network Security. TCP/IP Security

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Denial of Service and Distributed Denial of Service Attacks

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Denial of Service (DoS) attacks and countermeasures

Why to talk about Botnets

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CS 134 Winter 2018 Lecture 16. Network Threats & Attacks

Computer Security: Principles and Practice

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

What are attackers after? Distributed Denial of Service and information flow, if time. How disaster strikes. Steal money. Use computer resources

Internet Protocol and Transmission Control Protocol

NETWORK SECURITY. Ch. 3: Network Attacks

ET4254 Communications and Networking 1

CSc 466/566. Computer Security. 18 : Network Security Introduction

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Chapter 7. Denial of Service Attacks

network security s642 computer security adam everspaugh

Denial of Service (DoS)

Network Security. Thierry Sans

Hands-On Ethical Hacking and Network Defense

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Internet Infrastructure

CS670: Network security

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Introduction to Internetworking

QUIZ: Longest Matching Prefix

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

INTRODUCTION ON D-DOS. Presentation by RAJKUMAR PATOLIYA

CSCI 680: Computer & Network Security

TCP /IP Fundamentals Mr. Cantu

Computer and Network Security

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

CIS 551 / TCOM 401 Computer and Network Security

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Distributed Denial of Service (DDoS)

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Different Layers Lecture 20

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

20-CS Cyber Defense Overview Fall, Network Basics

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

COMPUTER NETWORK SECURITY

CSE Computer Security (Fall 2006)

HP High-End Firewalls

EEC-682/782 Computer Networks I

Closed book. Closed notes. No electronic device.

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Design and Opera-on of the Internet John E. Savage Brown University

Network Layer: Internet Protocol

ECE 650 Systems Programming & Engineering. Spring 2018

Networking interview questions

Networking: Network layer

Chapter 10: Denial-of-Services

Configuring Flood Protection

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Configuring IP Services

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Anatomy and Mechanism of DOS attack

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Attack Prevention Technology White Paper

ICS 451: Today's plan

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

CS 161 Computer Security

CS 457 Lecture 11 More IP Networking. Fall 2011

Chapter 2 Advanced TCP/IP

9th Slide Set Computer Networks

CS Paul Krzyzanowski

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

Computer Networks. Wenzhong Li. Nanjing University

CS244a: An Introduction to Computer Networks

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

DENIAL OF SERVICE ATTACKS

Chapter 8 roadmap. Network Security

Transcription:

Denial of Service EJ Jung 11/08/10

Pop Quiz 3 Write one thing you learned from today s reading Write one thing you liked about today s reading Write one thing you disliked about today s reading

Announcements Quiz 2 distributed today Service lab progress report due this Wednesday Lab 2? CS Night service lab presentations lab 2 reports

Denial of Service (DoS) Goal: overwhelm victim machine and deny service to its legitimate clients Exploits vulnerabilities in many network protocols, anywhere in the stack

Internet Infrastructure backbone local network local network Internet service provider (ISP) ISP TCP/IP for packet routing and connections Border Gateway Protocol (BGP) for route discovery Domain Name System (DNS) for IP address discovery

OSI Protocol Stack application presentation session transport network data link email, Web, NFS RPC TCP IP Ethernet physical

Data Formats application layer Application data message transport layer TCP header data TCP header data TCP header data segment network layer IP header TCP header data packet data link layer Ethernet header IP header TCP header data Ethernet trailer frame

TCP (Transmission Control Protocol) Sender: break data into packets Sequence number is attached to every packet Receiver: reassemble packets in correct order Acknowledge receipt; lost packets are re-sent Connection state maintained on both sides book mail each page remember received pages and reassemble

IP (Internet Protocol) Connectionless Unreliable, best-effort protocol Uses numeric addresses for routing Typically several hops in the route Alice s computer Bob s ISP Alice s ISP Packet Source 128.255.44.135 128.255.44.135 Dest Seq 72.14.203.104 3 Bob s computer 72.14.203.104

ICMP (Internet Control Message Protocol) Extension of IP by RFC 792 Provides feedback about network operation Out-of-band messages carried in IP packets Error reporting, congestion control, reachability, etc. Example messages: Destination unreachable Time exceeded Redirect to better gateway Reachability test (echo / echo reply) Message transit delay (timestamp request / reply)

DoS attacks in TCP/IP IP addresses are public Smurf attacks TCP connection requires state SYN flooding TCP state is easy to guess TCP spoofing and connection hijacking

Smurf Attack 1 ICMP Echo Req Src: victim s address Dest: broadcast address Looks like a legitimate Are you alive? ping request from the victim Stream of ping replies overwhelms victim Every host on the network generates a ping (ICMP Echo Reply) to victim gateway victim Solution: reject external packets to broadcast addresses at router

Ping of Death If an old Windows machine received an ICMP packet with a payload longer than 64K, machine would crash or reboot Programming error in older versions of Windows Packets of this length are illegal, so programmers of Windows code did not account for them Solution: patch OS, filter out ICMP packets

TCP Handshake C S SYN C SYN S, ACK C Listening Store data (connection state, etc.) Wait ACK S Connected

SYN Flooding Attack S SYN C1 SYN C2 SYN C3 SYN C4 SYN C5 Listening Store data and more data and more and more and more and more

SYN Flooding Explained Attacker sends many connection requests with spoofed source addresses Victim allocates resources for each request Connection state maintained until timeout Fixed bound on half-open connections Once resources exhausted, requests from legitimate clients are denied This is a classic denial of service (DoS) attack Common pattern: it costs nothing to TCP initiator to send a connection request, but TCP responder must allocate state for each request (asymmetry!)

Preventing Denial of Service DoS is caused by asymmetric state allocation If responder opens a state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses Cookies ensure that the responder is stateless until initiator produced at least 2 messages Responder s state (IP addresses and ports of the connection) is stored in a cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator

SYN Cookies C S [Bernstein & Schenk] Compatible with standard TCP; simply a weird sequence number scheme SYN C SYN S, ACK C sequence # = cookie Listening Does not store state F=Rijndael or crypto hash F(source addr, source port, dest addr, dest port, coarse time, server secret) Cookie must be unforgeable and tamper-proof (why?) Client should not be able to invert a cookie (why?) ACK S (cookie) More info: http://cr.yp.to/syncookies.html Recompute cookie, compare with with the one received, only establish connection if they match

Anti-Spoofing Cookies: Basic Pattern Client sends request (message #1) to server Typical protocol: Server sets up connection, responds with message #2 Client may complete session or not (potential DoS) Cookie version: Server sends hashed connection data back Send message #2 later, after client confirms he is listening Client confirms by returning hashed data If source IP address is bogus, attacker can t confirm Need an extra step to send postponed message #2 Ok in TCP since the extra step (SYN-ACK) is already there

Another Defense: Random Deletion SYN C half-open connections 121.17.182.45 231.202.1.16 121.100.20.14 5.17.95.155 If SYN queue is full, delete random entry Legitimate connections have a chance to complete Fake addresses will be eventually deleted Easy to implement

TCP Connection Spoofing Each TCP connection has an associated state Sequence number, port number TCP state is easy to guess Port numbers are standard, sequence numbers are often predictable Can inject packets into existing connections If attacker knows initial sequence number and amount of traffic, can guess likely current number Send a flood of packets with likely sequence numbers

DoS by Connection Reset If attacker can guess current sequence number for an existing connection, can send Reset packet to close it With 32-bit sequence numbers, probability of guessing correctly is 1/2 32 (not practical) Most systems accept large windows of sequence numbers much higher probability of success Need large windows to handle massive packet losses Especially effective against long-lived connections For example, BGP (Border Gateway Protocol)

User Datagram Protocol (UDP) UDP is a connectionless protocol Simply send datagram to application process at the specified port of the IP address Source port number provides return address Applications: media streaming, broadcast No acknowledgement, no flow control, no message continuation Denial of service by UDP data flood

Countermeasures Above transport layer: SSL/TLS and SSH Protects against connection hijacking and injected data Does not protect against DoS by spoofed packets Above transport layer: Kerberos Provides authentication, protects against spoofing Does not protect against connection hijacking Network (IP) layer: IPSec Protects against hijacking, injection, DoS using connection resets, IP address spoofing

Distributed Denial of Service (DDoS) First, scan hundreds of thousands of computers on the Internet for known vulnerabilities Turn vulnerable computers into zombies Exploit vulnerabilities to gain root access, install attack and communication tools, use them for further scans Form a distributed attack network from zombies Choose a subset of compromised machines with desired network topology and characteristics Command zombies to stage a coordinated attack on the victim

DDoS Architecture Attacker Master machines Zombie machines Victim

DDoS Tools: Trin00 Scan for known buffer overflows in Linux & Solaris Unpatched versions of wu-ftpd, statd, amd, Root shell on compromised host returns confirmation Install attack daemon using remote shell access Send commands (victim IP, attack parameters, etc.), using plaintext passwords for authentication Attacker to master: TCP, master to zombie: UDP To avoid detection, daemon issues warning if someone connects when master is already authenticated In August of 1999, a network of 227 Trin00 zombies took U. of Minnesota offline for 3 days

DDoS Tools: Tribal Flood Network Supports multiple DoS attack types Smurf; ICMP, SYN, UDP floods Attacker runs masters directly via root backdoor; masters talk to zombies using ICMP echo reply No authentication of master s commands, but commands are encoded as 16-bit binary numbers inside ICMP packets to prevent accidental triggering Vulnerable to connection hijacking and RST sniping List of zombie daemons IP addresses is encrypted in later versions of TFN master scripts Protects identities of zombies if master is discovered

DDoS Tools: Stacheldraht Combines best features of Trin00 and TFN Multiple attack types (like TFN) Symmetric encryption for attacker-master connections Master daemons can be upgraded on demand February 2000: crippled Yahoo, ebay, Amazon, Schwab, E*Trade, CNN, Buy.com, ZDNet Smurf-like attack on Yahoo consumed more than a Gigabit/sec of bandwidth Sources of attack still unknown

U. of Toronto, 2004(from David Lie s slides) Date: Fri, 19 Mar 2004 Quote from email: The campus switches have been bombarded with these packets [ ] and apparently 3Com switches reset when they get these packets. This has caused the campus backbone to be up and down most of yesterday. The attack seems to start with connection attempts to port 1025 (Active Directory logon, which fails), then 6129 (DameWare backdoor, which fails), then 80 (which works as the 3Com s support a web server, which can t be disabled as far as we know). The HTTP command starts with SEARCH /\x90\x02\xb1\x02 [ ] then goes off into a continual pattern of \x90

Defending Against DDoS Authenticate packet sources Not feasible with current IP (unless IPSec is used) Filter incoming traffic on access routers or ratelimit certain traffic types (ICMP and SYN packets) Need to correctly measure normal rates first! Force clients to do an expensive computation or to prove that they are human If connection requested, ask client to solve a puzzle E.g., invert a short hash value or solve a graphical Turing test Honest clients can easily do this, but zombies can t Requires modification of TCP/IP stack (not feasible?)

Finding Attack Sources Note: this will only locate zombies Forensics on zombie machines can help find masters and the attacker who remotely controls them Can use existing IP routing infrastructure Link testing (while attack is in progress) Packet logging (for post-mortem path reconstruction) or propose changes to routing infrastructure IP traceback (e.g., via packet marking) and dozens of other proposals Changing routing infrastructure is hard!

Link Testing Only works while attack is in progress Input debugging Victim reports attack to upstream router Router installs a filter for attack traffic, determines which upstream router originated it Repeat upstream (requires inter-isp cooperation) Controlled flooding Iteratively flood each incoming link of the router; if attack traffic decreases, this must be the guilty link Use a form of DoS to throttle DoS traffic (!!) Need a good network map and router cooperation

IP Traceback Problem How to determine the path traversed by attack packets? Assumptions: Most routers remain uncompromised Attacker sends many packets Route from attacker to victim remains relatively stable A 1 A 2 A 3 A 4 A 5 R 6 R 7 R 8 R 9 R 10 R 12 Victim

Obvious Solution Doesn t Work Obvious solution: have each router on the path add its IP address to packet; victim will read path from the packet Problem: requires space in the packet Paths can be long Current IP format provides no extra fields to store path information Changes to packet format are not feasible

Probabilistic Packet Marking DDoS involves many packets on the same path With some probability, each router marks packet with router s address Fixed space per packet Large number of packets means that each router on the path will appear in some packet A 1 A 2 A 3 A 4 A 5 R 6 R 7 R 8 R 9 R 10 R 12 Victim

Node and Edge Sampling Node sampling With probability p, router stores its address in packet Router at distance d shows up with probability p(1-p) d p 1-p 1-p 1-p R V Edge sampling Packet stores an edge and distance since it was stored More space per packet, but fewer packets to reconstruct path With probability p, router stores the current edge and sets distance to 0, else increments distance by 1 d

Storing Edges in IP Packets 16-bit Identification field Used for fragmentation Fragmentation is rare Storing an edge in 16 bits offset distance Store start end edge chunk 0 2 3 7 8 15 Work backwards to get path: (start end) end = start a b b c c d d a b c d V Version Flags Header length Type of service Total length Identification Fragment offset Time to live Protocol Header checksum Source address of originating host Destination address of target host Options Padding IP Data

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback