The Protocols that run the Internet
Attack Types in the Internet
Seminar talk, summer semester 2003
Jens Gerken

Content
- Internet Attacks: Introduction
- Network Service Attacks
- Distributed Denial of Service Attacks
- Classification of DDoS Attacks
- Classification of DDoS Defenses
- Conclusion

DNS Root Server Attack
- 22 October 2002: DDoS attack on the 13 DNS root servers of the Internet
- Only 4-5 survived without DoS

What Causes Internet Attacks
- Conceptual errors: no standard encryption in protocols
- Programming errors: basis for most attacks (overflows etc.)
- Configuration errors: open ports which don't have to be open

Effect of Internet Attacks
- Loss of confidentiality: data usually not encrypted, can be captured/read by third parties
- Loss of integrity: data can be manipulated
- Loss of availability: Denial of Service attacks

Attack Techniques
- Social engineering
- Viruses/worms/Trojan horses
- Spoofing (IP, DNS, web)
- Sniffing
- Connection hijacking
- Email attacks
- Network service attacks

Network Service Attacks
- Process manipulation
  - Overflow-based attacks
  - Non-overflow-based attacks
- Denial of Service attacks
- Information leaks: the system offers information to the attacker which can be used to compromise it

Overflow-Based Attacks
- Attacker tries to pass an extremely long query/argument to the victim's service program
- Buffer overflow
- Attack code attached, put on the executable stack area of memory
- Code is run on the server

Overflow-Based Attacks: Example
- MS Internet Information Services
- http://www.example.com/default.ida?nnnnnnnNNNNNNNNNNNNNNNNNNNNNNNNNNNNN...attack_code
- 224 N's to fill up the buffer
- Raw machine code put into the executable stack area

Non-Overflow-Based Attacks
- Use insecure network service features
- Example: web-based CGI exploits, attack on CIA servers 1996
- http://www.cia.gov/cgi-bin/phf?qualias=x%0a/bin/cat%20/etc/passwd
- %0a = shell escape: possibility to run every command locally on the server

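The two preceding slides describe what a network service should refuse: an argument far longer than the buffer it is copied into, and an argument that, once percent-decoded, carries a shell escape. The following checker is an added example written for this page; it is not code from the seminar or from IIS or phf. The length limit MAX_ARG_LEN, the metacharacter set, the sample URLs (on example.com, following the patterns of the slides) and the `lookup` backend command are all assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed limits for this toy service; they are not the real IIS or phf values.
MAX_ARG_LEN = 200
# Characters that let a shell start a second command; the decoded %0a newline
# in the phf request on the slide is one of them.
SHELL_META = set(";|&`$<>\n\r")

# Constructed sample requests following the two patterns from the slides
# (example.com hosts, not real targets).
SAMPLES = {
    "benign": "http://www.example.com/cgi-bin/lookup?alias=alice",
    "overflow": "http://www.example.com/default.ida?" + "N" * 224 + "attack_code",
    "shell": "http://www.example.com/cgi-bin/phf?qualias=x%0a/bin/cat%20/etc/passwd",
}


def decode_args(url):
    """Return (name, value) pairs of the query with percent-encoding removed.
    keep_blank_values keeps a bare '?NNNN...' argument that has no '='."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def check_request(url, max_len=MAX_ARG_LEN):
    """Return ('ok', '') or ('reject', reason) for the first problem found.
    The length check runs on the decoded text, since that is what reaches the
    fixed-size buffer of the service; the metacharacter check catches shell
    escapes that only appear after decoding."""
    for name, value in decode_args(url):
        for part in (name, value):
            if len(part) > max_len:
                return ("reject", "too_long")
            if SHELL_META & set(part):
                return ("reject", "shell_escape")
    return ("ok", "")


def lookup_command(alias):
    """Hypothetical backend invocation as an argument vector.  Because no shell
    is involved, a newline inside the alias stays inside one argument and can
    never become a second command."""
    return ["lookup", "--alias", alias]


def triage(samples=SAMPLES):
    """Run the check over every sample and return the verdict per name."""
    return {name: check_request(url) for name, url in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:9s} -> {verdict}")
```

The point of `lookup_command` is the mitigation the %0a example calls for: validation catches the escape, but passing the argument as one element of an argv list (no shell) removes the escape possibility altogether.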
Denial of Service Attacks
- Definition: an explicit attempt by attackers to prevent legitimate users of a service from using that service
- First widespread appearance of distributed DoS in 1999
- Continuous development of attack tools

DDoS: Why Possible?
- Internet designed in terms of functionality, not security
- Interdependence of security
- Limitation of resources
- Power of many > power of few

DDoS Attack Strategy
- Attacker recruits multiple agents/slaves, normally less secured machines that are easy to hack
- Agents can recruit new agents
- When the DDoS network is installed, the agents run the attack on the victim

Classification of DDoS Attacks
- By degree of automation: manual, semi-automatic, automatic
- By exploited vulnerability: protocol, brute force
- By attack rate dynamics: continuous, variable
- By impact: disruptive, degrading

Degree of Automation
- Manual: attacker scans for possible agents, hacks into them and installs the attack code
- Semi-automatic: attacker -> handler -> agents; direct and indirect communication possible; automated scripts for scanning and compromising
- Automatic attacks

Degree of Automation: Scanning
- Random scanning: trial-and-error scanning of possible agents
- Hitlist scanning: list with possible agents
- Topological scanning: email worm tactic

Degree of Automation: Propagation
- Central source propagation
- Back-chaining propagation
- Autonomous propagation

Exploited Vulnerability
- Protocol attacks: exploitation of protocol bugs/features (TCP SYN, malformed packets)
- Brute force attacks
  - Filterable attacks (ICMP request)
  - Non-filterable attacks: attack packets request legitimate services (HTTP flood); filtering leads to DoS

Attack Rate Dynamics
- Continuous rate attacks: majority of attacks
- Variable rate attacks
  - Increasing rate attacks
  - Fluctuating rate attacks

Impact of Attack
- Disruptive attacks: goal is to completely deny the victim's service to its clients; currently all attacks aim to be disruptive
- Degrading attacks: only partial DoS, difficult to detect; nevertheless immense damage possible

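The rate-dynamics and impact categories above can be applied to a measured per-second packet count. The classifier below is an added example for this page, not part of the seminar: it models normal traffic from a baseline period, cuts out the attack window, and labels it continuous, increasing, fluctuating (or variable) and disruptive or degrading. The packet series, the server capacity of 1000 requests per second, the 25% tolerance for "continuous", the 1.5x growth test for "increasing" and the 90% saturation rule for "disruptive" are constructed assumptions, chosen only to make the taxonomy concrete.

```python
from statistics import fmean, pstdev

# Constructed per-second packet counts.  The first 20 seconds are normal
# traffic; what follows is one attack of each rate-dynamics type.
NORMAL = [100, 104, 98, 101, 95, 103, 99, 100, 97, 102,
          105, 98, 100, 96, 103, 101, 99, 100, 102, 98]
SERIES = {
    "continuous": NORMAL + [1200 + (i % 3 - 1) * 10 for i in range(30)],
    "increasing": NORMAL + [300 + 40 * i for i in range(30)],
    "fluctuating": NORMAL + [900 if i % 2 == 0 else 300 for i in range(30)],
    "quiet": NORMAL + NORMAL,
}
CAPACITY = 1000   # assumed requests per second the victim can serve


def attack_window(series, baseline_len, k=3.0):
    """Model normal behaviour from the first baseline_len seconds and return
    the slice between the first and last second above mean + k*stddev."""
    base = series[:baseline_len]
    threshold = fmean(base) + k * pstdev(base)
    hot = [i for i, v in enumerate(series) if v > threshold]
    return series[hot[0]:hot[-1] + 1] if hot else []


def classify_dynamics(window):
    """'continuous', 'increasing', 'fluctuating' or 'variable' as on the slide."""
    if not window:
        return "none"
    mean = fmean(window)
    if (max(window) - min(window)) / mean < 0.25:   # assumed tolerance
        return "continuous"
    steps = [b - a for a, b in zip(window, window[1:]) if b != a]
    flips = sum(1 for a, b in zip(steps, steps[1:]) if (a > 0) != (b > 0))
    if flips > 0.4 * max(1, len(steps) - 1):        # direction keeps changing
        return "fluctuating"
    third = max(1, len(window) // 3)
    if fmean(window[-third:]) > 1.5 * fmean(window[:third]):
        return "increasing"
    return "variable"


def classify_impact(window, capacity=CAPACITY):
    """'disruptive' if the victim is saturated for at least 90% of the window,
    'degrading' if service is only partly denied (assumed operationalisation)."""
    if not window:
        return "none"
    saturated = sum(1 for v in window if v >= capacity)
    return "disruptive" if saturated >= 0.9 * len(window) else "degrading"


def analyze(series, baseline_len=20, capacity=CAPACITY):
    """Return (dynamics, impact) for one per-second series."""
    window = attack_window(series, baseline_len)
    return classify_dynamics(window), classify_impact(window, capacity)


if __name__ == "__main__":
    for name, series in SERIES.items():
        print(f"{name:12s} -> {analyze(series)}")
```

The fluctuating series never reaches capacity and so is labelled degrading, which is exactly the detection problem the slide mentions: a fixed threshold on the rate would see an attack that keeps dipping back toward normal only intermittently.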
Classification of DoS Defense
- By activity level
  - Preventive: attack prevention, DoS prevention
  - Reactive: detection strategy, response strategy

Preventive Mechanisms: Attack Prevention
- System security: firewalls, virus scanners, intrusion detection systems
- Protocol security: problem: protocols designed to be cheap for the client and expensive for the server; new or redesigned protocols needed

Preventive Mechanisms: Denial of Service Prevention
- Resource accounting mechanisms: access to resources depends on the privileges and behavior of the user
- Resource multiplication mechanisms: several servers, load balancer, high internal bandwidth links

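A resource accounting mechanism in the sense of the slide ties the share of the server a client may consume to its privileges and its behaviour. The implementation below is an added example for this page and is not from the seminar: each client gets a token bucket whose size and refill rate follow its privilege tier, and a client that keeps exceeding its budget is demoted to a smaller one. The tier values, the demotion threshold of 20 rejections and the three-client workload are constructed assumptions.

```python
# Assumed policy values per privilege tier: (bucket capacity, tokens per second).
TIERS = {
    "authenticated": (50, 10.0),
    "anonymous": (10, 2.0),
    "suspect": (2, 0.5),
}


class ClientBudget:
    """Token bucket for one client; size and refill rate follow its tier."""

    def __init__(self, tier, now):
        self.tier = tier
        self.capacity, self.rate = TIERS[tier]
        self.tokens = float(self.capacity)
        self.last = now
        self.rejections = 0

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def demote(self, tier="suspect"):
        """Behaviour-based part of the policy: shrink the budget of a client
        that keeps asking for more than its share."""
        self.tier = tier
        self.capacity, self.rate = TIERS[tier]
        self.tokens = min(self.tokens, self.capacity)


class ResourceAccountant:
    """Decides per request whether a client may consume server resources."""

    def __init__(self, demote_after=20):
        self.clients = {}
        self.demote_after = demote_after

    def admit(self, client, tier, now):
        budget = self.clients.get(client)
        if budget is None:
            budget = self.clients[client] = ClientBudget(tier, now)
        budget.refill(now)
        if budget.tokens >= 1:
            budget.tokens -= 1
            return True
        budget.rejections += 1
        if budget.rejections >= self.demote_after and budget.tier != "suspect":
            budget.demote()
        return False


# Constructed workload: (privilege tier, requests per second) of three clients.
WORKLOAD = {
    "member": ("authenticated", 5),
    "visitor": ("anonymous", 1),
    "flooder": ("anonymous", 100),
}


def simulate(seconds=60, workload=WORKLOAD):
    """Run the workload for `seconds` seconds; return (served counts, accountant).
    All requests of a second are timestamped with that whole second."""
    acct = ResourceAccountant()
    served = {name: 0 for name in workload}
    for t in range(seconds):
        for name, (tier, per_second) in workload.items():
            for _ in range(per_second):
                if acct.admit(name, tier, t):
                    served[name] += 1
    return served, acct


if __name__ == "__main__":
    served, acct = simulate()
    for name, count in served.items():
        print(f"{name:8s} served={count:4d} tier={acct.clients[name].tier}")
```

In the simulated minute the authenticated member and the anonymous visitor are served every request, while the flooder, which starts in the same anonymous tier as the visitor, is demoted in its first second and from then on gets roughly one request every two seconds: its behaviour, not only its privilege, decides its share.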
Reactive Mechanisms: Detection Strategy
- Pattern attack detection: database with known attack signatures
- Anomaly attack detection: model of normal system behavior; unknown attacks can be detected

Reactive Mechanisms: Response Strategy
- Agent identification: traceback techniques
- Filtering: filter out the attack stream
- Reconfiguration mechanisms: add more resources or isolate the attacked machine

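The two reactive slides above, detection and response, can be run end to end over a packet log. The code below is an added example for this page, not from the seminar: pattern detection matches a small signature database (the SYN+FIN flag combination and a packet whose source equals its destination, both classic malformed-packet signatures), anomaly detection models the normal packet rate from a training period and flags seconds that exceed it, and the response step identifies the sources responsible and turns them into filter rules. The log lines are constructed (documentation addresses), and the 3x "busiest normal source" rule for agent identification is an assumption.

```python
from collections import Counter
from statistics import fmean, pstdev

VICTIM = "192.0.2.10"


def build_log():
    """Constructed packet log: 13 seconds of SYNs to the victim.  Seconds 0-9
    carry three legitimate clients; in seconds 10-12 two agents join with
    ten SYNs each per second.  Two malformed packets are appended at the end."""
    lines = []
    for t in range(13):
        for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
            lines.append(f"t={t} src={src} dst={VICTIM} proto=tcp flags=S")
        if t >= 10:
            for agent in ("203.0.113.7", "203.0.113.9"):
                lines.extend(f"t={t} src={agent} dst={VICTIM} proto=tcp flags=S"
                             for _ in range(10))
    lines.append(f"t=5 src=198.51.100.9 dst={VICTIM} proto=tcp flags=SF")
    lines.append(f"t=7 src={VICTIM} dst={VICTIM} proto=tcp flags=S")
    return lines


def parse(line):
    """Turn 'key=value key=value ...' into a dict with an integer timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["t"] = int(fields["t"])
    return fields


# Pattern detection: a small database of known attack signatures.
SIGNATURES = {
    "syn+fin": lambda p: "S" in p["flags"] and "F" in p["flags"],
    "land": lambda p: p["src"] == p["dst"],
}


def pattern_detect(packets):
    """Return (signature, source) for every packet matching a known signature."""
    return [(name, p["src"]) for p in packets
            for name, match in SIGNATURES.items() if match(p)]


def anomaly_detect(packets, train_seconds, k=3.0):
    """Model normal behaviour as the packet rate of the first train_seconds
    seconds and return later seconds that exceed mean + k*stddev.  Unlike the
    signature list, this also flags a flood of well-formed packets."""
    per_sec = Counter(p["t"] for p in packets)
    train = [per_sec[t] for t in range(train_seconds)]
    threshold = fmean(train) + k * pstdev(train)
    return sorted(t for t, n in per_sec.items()
                  if t >= train_seconds and n > threshold)


def respond(packets, flagged, train_seconds, factor=3):
    """Agent identification plus filtering: sources whose per-second count in
    a flagged second exceeds `factor` times the busiest normal source."""
    flagged = set(flagged)
    normal = Counter((p["t"], p["src"]) for p in packets if p["t"] < train_seconds)
    busiest = max(normal.values())
    hot = Counter((p["t"], p["src"]) for p in packets if p["t"] in flagged)
    return {src for (_, src), n in hot.items() if n > factor * busiest}


def filter_rules(sources):
    """Render the filtering response as one drop rule per identified agent."""
    return [f"drop src={src} dst={VICTIM}" for src in sorted(sources)]


if __name__ == "__main__":
    packets = [parse(line) for line in build_log()]
    print("signatures:", pattern_detect(packets))
    flagged = anomaly_detect(packets, train_seconds=10)
    print("anomalous seconds:", flagged)
    print("\n".join(filter_rules(respond(packets, flagged, train_seconds=10))))
```

Note what each strategy misses: the signature list never sees the flood, because every flood packet is a well-formed SYN, and the anomaly model never names the two malformed packets, because they do not move the per-second rate. Source-based filtering only works here because the agents are not spoofing; with spoofed sources the response would have to fall back on traceback or on the reconfiguration mechanisms of the slide.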
DDoS & Final Conclusion
- No silver bullet!
- Development of new, easy-to-use attack tools continues
- As long as most systems are insecure, the whole Internet is open to attacks
- Only global solutions can help