Denial of Service Eduardo Cardoso Abreu - e.abreu@fe.up.pt Federico Matteo Bencic - up201501013@fe.up.pt Pavel Alexeenko - ei11155@fe.up.pt
Index
- What is Denial of Service (DoS)?
- DoS vs DDoS (Distributed DoS)
- Types of attacks: network interface layer, network layer, transport layer, application layer
- Programming component: Slowloris script
What is DoS? «A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.» NIST Computer Security Incident Handling Guide
And what is DDoS?
DoS vs DDoS: in a Distributed DoS the traffic comes from many hosts at once (typically a botnet of compromised machines) instead of a single source.
- Efficiency: the aggregate bandwidth and connection count of many hosts is far larger than what one attacker machine can produce.
- Harder to detect and filter: there is no single source address to block, and each individual source may look like normal traffic.
TCP/IP Model
Network interface layer
Physical attack: causing physical damage to the medium (cable, fibre) or to a node.
Solutions: put the medium or the node in a physically secure environment, and have two or more physical external connections so that one cut link does not isolate the site.
Chattering host (CSMA): the attacker transmits whenever other hosts transmit, forcing collisions and making them back off, so the shared medium is never free for legitimate traffic.
Solution: use multiple collision domains, i.e. a network switch instead of a hub, so a chattering host only disturbs its own port.
Network layer
ARP spoofing: the attacker sends ARP replies that associate its own MAC address with some other host's IP address (typically the gateway's). The victim's data is then delivered to the attacker's MAC address, where it can be dropped (denial of service) or relayed (man in the middle).
Solutions: static ARP entries for critical hosts, and monitoring software that alerts when an IP-to-MAC binding changes (arpwatch is the classic example).
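As an added example (not from the original slides), the following is a minimal arpwatch-style monitor, i.e. the "monitoring software" the slide mentions. It watches ARP replies as (ip, mac) pairs, remembers the first MAC seen for each IP, pins the static entries it is given, and flags any reply that tries to rebind an IP to a different MAC. The LAN addresses and the sample replies are constructed for the example.

```python
"""arpwatch-style ARP spoofing monitor (added example, constructed data)."""


class ArpMonitor:
    def __init__(self, static=None):
        # pinned entries, equivalent to static ARP table rows; never overwritten
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned = {}   # ip -> first MAC seen for it on the wire
        self.alerts = []

    def observe(self, ip, mac):
        """Process one ARP reply. Returns True if it looks like spoofing."""
        mac = mac.lower()
        pinned = self.static.get(ip)
        if pinned is not None:
            if pinned != mac:
                self.alerts.append(
                    f"static entry violated: {ip} claimed by {mac}, pinned to {pinned}")
                return True
            return False
        # setdefault stores the binding only the first time we see this IP
        known = self.learned.setdefault(ip, mac)
        if known != mac:
            # keep the first binding; a real tool would also probe the IP directly
            self.alerts.append(f"flip-flop: {ip} moved from {known} to {mac}")
            return True
        return False


SAMPLE_REPLIES = [  # constructed traffic on a small LAN
    ("192.168.0.1", "00:11:22:33:44:55"),    # gateway announces itself
    ("192.168.0.103", "00:aa:bb:cc:dd:ee"),  # an ordinary host
    ("192.168.0.1", "00:11:22:33:44:55"),    # gateway again, unchanged
    ("192.168.0.1", "DE:AD:BE:EF:00:01"),    # attacker claims the gateway's IP
    ("192.168.0.254", "de:ad:be:ef:00:01"),  # attacker also claims a pinned host
]


def run_sample():
    """Feed the constructed replies through a monitor with one static entry."""
    mon = ArpMonitor(static={"192.168.0.254": "00:00:5E:00:01:01"})
    flagged = [(ip, mac) for ip, mac in SAMPLE_REPLIES if mon.observe(ip, mac)]
    return flagged, mon.alerts


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The monitor deliberately keeps the first binding rather than the latest one: on a hub or switch the attacker's spoofed replies arrive after the real host has already been seen, so "first seen wins" plus an alert is the safe default until an operator confirms a legitimate hardware change.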
Smurf attack: send an ICMP echo request to a network's broadcast address with a spoofed source address belonging to the victim (a reflection attack). Every host on that network that answers the broadcast sends its echo reply to the victim, so one packet is amplified into many.
Solution for the unwitting accomplice networks: do not forward directed broadcasts and filter spoofed source addresses at the edge. For the targets: drop ICMP echo packets or rate-limit them with CAR (Committed Access Rate), Cisco's solution.
Ping of death: send a malformed ping (ICMP echo request) whose fragments reassemble to more than the maximum IP datagram size of 65535 bytes. Some operating systems were not designed to handle such oversized packets and crashed while reassembling the fragments.
Solution: check each incoming fragment's offset and length and drop any fragment that would push the reassembled datagram past the maximum (in the host or in the firewall).
Teardrop attack: exploits the reassembly of fragmented IP packets. Some (old) operating systems crash when they receive a fragment whose offset overlaps an already received fragment.
Solution: update the OS; modern reassembly code rejects or trims overlapping fragments.
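The fragment sanity check that the ping-of-death and teardrop slides describe, as a firewall or host would apply it before reassembling an IP datagram, written here as an added example that is not part of the original slides. A fragment is a constructed (offset in 8-byte units, payload length, more-fragments flag) tuple; the 20-byte header size is an assumption (minimum IPv4 header, no options).

```python
"""IP fragment validation against oversize and overlapping fragments (added example)."""

MAX_IP_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits
IP_HEADER_LEN = 20        # assumption: minimum header, no IP options


class BadFragment(ValueError):
    """Raised when a fragment set must be dropped instead of reassembled."""


def validate_fragments(frags):
    """Return the reassembled payload length, or raise BadFragment.

    frags: iterable of (offset_units, payload_length, more_fragments).
    """
    accepted = []     # (start, end) byte ranges already accepted
    total = None
    for offset_units, length, more in frags:
        start = offset_units * 8
        end = start + length
        # ping of death: the reassembled datagram would exceed 65535 bytes
        if end + IP_HEADER_LEN > MAX_IP_DATAGRAM:
            raise BadFragment(f"ping of death: fragment ends at byte {end}, datagram too large")
        if more and length % 8:
            raise BadFragment("malformed: non-final fragment length is not a multiple of 8")
        # teardrop: this fragment overlaps data we already hold
        for s, e in accepted:
            if start < e and s < end:
                raise BadFragment(f"teardrop: fragment [{start},{end}) overlaps [{s},{e})")
        accepted.append((start, end))
        if not more:
            if total is not None:
                raise BadFragment("malformed: two fragments claim to be the last one")
            total = end
    if total is None:
        raise BadFragment("incomplete: no final fragment")
    # fragments may arrive in any order; check the ranges tile the payload with no gaps
    accepted.sort()
    pos = 0
    for s, e in accepted:
        if s != pos:
            raise BadFragment(f"incomplete: gap before byte {s}")
        pos = e
    return total


def classify(frags):
    """Convenience wrapper: 'ok' or the category of the rejection."""
    try:
        validate_fragments(frags)
        return "ok"
    except BadFragment as exc:
        return str(exc).split(":")[0]


# constructed fragment sets
NORMAL = [(0, 1480, True), (185, 1480, True), (370, 500, False)]   # 3460-byte payload in 3 pieces
PING_OF_DEATH = [(0, 1480, True), (8189, 1480, False)]             # last fragment ends past 65535
TEARDROP = [(0, 1480, True), (100, 1480, False)]                   # second fragment starts inside the first

if __name__ == "__main__":
    for name, frags in (("NORMAL", NORMAL), ("PING_OF_DEATH", PING_OF_DEATH), ("TEARDROP", TEARDROP)):
        print(name, classify(frags))
```

Offsets are in 8-byte units because that is how the 13-bit fragment-offset field is encoded, which is also why the largest legal offset (8191 units = 65528 bytes) plus a normal-sized fragment is enough to overflow a 65535-byte reassembly buffer.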
Transport layer
UDP storm: the attacker sends a spoofed UDP packet, with the source address and port of one victim's "small service" (echo on port 7 or chargen on port 19), to another victim's small service. A chain reaction is triggered in which the two services keep answering each other: chargen produces output for every packet it receives and echo sends it straight back.
Solution: turn off the small services or create a firewall rule against traffic between these ports.
SYN flooding: using spoofed source addresses, the attacker sends SYNs without ever completing the 3-way handshake, so the server accumulates half-open connections. When the victim's backlog memory is full, new connections are rejected, denying service to legitimate clients.
Solution: SYN cookies, which work by not saving the connection data at all. The server encodes it in the initial sequence number of its SYN-ACK, sends it to the client, and restores it from the acknowledgement number of the final ACK, so a SYN that is never followed by an ACK costs no memory.
Application layer
DNS cache poisoning: a DNS response may carry additional records beyond the one that was asked for. The attacker's DNS server can use them to associate fake IPs with names such as paypal.com; a resolver that caches those records then sends its users to the attacker, which can be used for credential harvesting (phishing).
Solution: update resolvers to only accept additional records from the domain the queried server is responsible for (a bailiwick check), or use DNSSEC to verify whether a record should be trusted.
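The "only accept additional records from the same domain" fix, known as a bailiwick check, as an added example that is not part of the original slides. A resolver that asked the nameserver for attacker.example must not cache anything that server claims about names outside attacker.example. Records are constructed (owner, type, value) tuples and the poisoned response is made up for the example; the address ranges are documentation addresses.

```python
"""Bailiwick check for DNS responses (added example, constructed data)."""


def _labels(name):
    return name.rstrip(".").lower().split(".")


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it (label-wise, case-insensitive)."""
    if zone.rstrip(".") == "":
        return True                     # the root zone has no parent to be outside of
    o, z = _labels(owner), _labels(zone)
    # compare whole labels, so "notattacker.example" is NOT inside "attacker.example"
    return len(o) >= len(z) and o[-len(z):] == z


def sanitize(zone, response):
    """Split a response into records a resolver may cache and records it must drop."""
    kept, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            (kept if in_bailiwick(rr[0], zone) else dropped).append(rr)
    return kept, dropped


ZONE = "attacker.example."
POISONED_RESPONSE = {   # constructed reply from the attacker's nameserver
    "answer": [("www.attacker.example.", "A", "198.51.100.10")],
    "authority": [("attacker.example.", "NS", "ns1.attacker.example.")],
    "additional": [
        ("ns1.attacker.example.", "A", "198.51.100.1"),        # legitimate glue
        ("www.PayPal.com.", "A", "198.51.100.66"),             # poison attempt
        ("attacker.example.evil.test.", "A", "198.51.100.2"),  # looks related, is not
    ],
}

if __name__ == "__main__":
    kept, dropped = sanitize(ZONE, POISONED_RESPONSE)
    print("cached:", [rr[0] for rr in kept])
    print("dropped:", [rr[0] for rr in dropped])
```

The check is applied to every section, not only to "additional": an out-of-bailiwick record in the answer section (for example the target of a CNAME) is equally untrustworthy and must be looked up again from the servers that are actually responsible for it.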
DNS flooding (amplification): many DNS servers answer queries from anyone on the Internet. The attacker sends small spoofed queries (with the victim's IP as source) that produce large responses, generating immense traffic towards the victim. Effectiveness increases with DDoS, since the reflected responses come from legitimate servers and are not easily recognized by a firewall.
Solution: do not run open resolvers (restrict recursion to your own clients) and filter spoofed source addresses at the network edge so your hosts cannot be used to reflect traffic.
Starvation of available sessions on the web server: the attacker keeps every available connection slot occupied with HTTP requests that are never finished.
Programming component: Slowloris.pl. Script available at https://github.com/llaera/slowloris.pl
How does it work? Slowloris works by making partial HTTP requests to the host: it opens a connection, sends an incomplete request header block and then keeps adding headers slowly, never terminating the request. The TCP connection made by Slowloris during the attack is a full, legitimate TCP connection; only the HTTP request carried on it is incomplete.
Targets. Some of the eligible targets (servers that dedicate a process or thread to each connection): Apache 1.x, Apache 2.x, dhttpd.
Resistant implementations (event-driven, or with strict limits on how long a request may take to arrive): Hiawatha, IIS, lighttpd, Squid, NGINX.
Implementation. A valid GET request:
    GET / HTTP/1.0[CRLF]
    User-Agent: Wget/1.10.2 (Red Hat modified)[CRLF]
    Accept: */*[CRLF]
    Host: 192.168.0.103[CRLF]
    Connection: Keep-Alive[CRLF][CRLF]
The empty line ([CRLF][CRLF]) at the end is what tells the server the header block is complete and the request can be processed.
What does Slowloris send instead?
    my $primarypayload =
        "GET /$rand HTTP/1.1\r\n" .
        "Host: $sendhost\r\n" .
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" .
        "Content-Length: 42\r\n";
The header block ends without the terminating empty line, so the server keeps waiting for the rest of the request. The script then periodically writes one more bogus header (X-a: <random value>) on every open connection, which resets the server's idle timer without ever completing the request.
Let us see it then :D
Some useful notes. Slowloris is mostly undetected by IDS because it does not send malformed requests: every packet is valid HTTP. Furthermore, if the web server is busy, Slowloris has to wait for the existing HTTP connections to finish before it can take over all the slots. As soon as the attacker stops the script, the resources are released and the web server becomes available again; there is no lasting damage.
Protection
- Hardware load balancers: the load balancer can be configured to accept only complete HTTP requests before passing them to the web server.
- A firewall: use firewall rules to limit the number of simultaneous connections from a particular host.
- A different timeout configuration: lowering the timeout for reading the request makes it harder for Slowloris to hold connections (Apache 2.2.15 and later ship mod_reqtimeout, whose RequestReadTimeout directive bounds the time a client may take to send its headers).
- Modules against Slowloris, e.g. mod_antiloris for Apache, which limits the number of connections per IP that are still reading the request: http://sourceforge.net/projects/mod-antiloris/
Caveat: a shorter timeout alone only frees the slots for a moment, because the attacker simply reconnects; it has to be combined with a per-IP connection limit.
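As an added example, serving both the payload slide above and this Protection slide (it is not part of the original slides or of slowloris.pl), the attacker side below builds the same kind of never-terminated request as the Perl payload, and a discrete-time toy model of a thread-per-connection server shows why the attack works against a long request timeout and what a header-read deadline and a per-IP connection limit change. The worker count, timings, user agent and IP addresses are constructed for the simulation.

```python
"""Slowloris request construction and a toy worker-pool simulation (added example)."""
import random


def partial_request(host, rand=None):
    """First bytes a Slowloris client writes: a valid-looking request whose header
    block is never terminated (no empty line), so a thread-per-connection server
    keeps one worker busy waiting for more headers."""
    rand = random.randint(0, 2000) if rand is None else rand
    return (f"GET /{rand} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
            "Content-Length: 42\r\n").encode()      # deliberately no "\r\n\r\n"


def keepalive_header(rand=None):
    """One more bogus header, sent every few seconds so the idle timer restarts."""
    rand = random.randint(0, 2000) if rand is None else rand
    return f"X-a: {rand}\r\n".encode()


class ToyServer:
    """Process/thread-per-connection server with a fixed number of workers."""

    def __init__(self, slots, idle_timeout, header_deadline=None, max_per_ip=None):
        self.slots, self.idle_timeout = slots, idle_timeout
        self.header_deadline, self.max_per_ip = header_deadline, max_per_ip
        self.conns = {}                 # cid -> [client_ip, opened_at, last_byte_at]
        self.served = self.rejected = 0  # outcomes for legitimate (complete) requests

    def accept(self, cid, ip, now, complete=False):
        per_ip = sum(1 for c in self.conns.values() if c[0] == ip)
        if len(self.conns) >= self.slots or (self.max_per_ip and per_ip >= self.max_per_ip):
            if complete:
                self.rejected += 1
            return False
        if complete:                    # a real client sends everything and is answered at once
            self.served += 1
            return True
        self.conns[cid] = [ip, now, now]
        return True

    def receive(self, cid, now):
        if cid in self.conns:
            self.conns[cid][2] = now    # any byte resets the idle timer

    def tick(self, now):
        """Close connections past the idle timeout (Apache 'Timeout') or past the total
        header-read deadline (mod_reqtimeout style). Returns the closed ids."""
        dead = [cid for cid, (ip, opened, last) in self.conns.items()
                if now - last >= self.idle_timeout
                or (self.header_deadline is not None and now - opened >= self.header_deadline)]
        for cid in dead:
            del self.conns[cid]
        return dead


def simulate(duration=300, slots=150, idle_timeout=300, header_deadline=None,
             max_per_ip=None, attacker_conns=150, keepalive_every=10):
    """One second per step. Returns (legit requests served, legit requests rejected)."""
    srv = ToyServer(slots, idle_timeout, header_deadline, max_per_ip)
    attacker_ip, legit_ip = "198.51.100.7", "203.0.113.5"   # constructed
    held, next_id = set(), 0
    for now in range(duration):
        # attacker: reopen what it found closed last second, then send keep-alive headers
        while len(held) < attacker_conns:
            if not srv.accept(next_id, attacker_ip, now):
                break
            held.add(next_id)
            next_id += 1
        if now % keepalive_every == 0:
            for cid in held:
                srv.receive(cid, now)
        # server expires connections; the attacker only notices on its next loop
        held -= set(srv.tick(now))
        # one legitimate client per second tries to fetch a page
        srv.accept(next_id, legit_ip, now, complete=True)
        next_id += 1
    return srv.served, srv.rejected


if __name__ == "__main__":
    print("long timeout only      :", simulate())
    print("header deadline 40 s   :", simulate(header_deadline=40))
    print("20 connections per IP  :", simulate(max_per_ip=20))
```

With only a long idle timeout every legitimate request is rejected for the whole run, because a keep-alive header every ten seconds is enough to keep all 150 workers busy. A 40-second header deadline frees the pool once per cycle, but the attacker reconnects the next second, so only a handful of requests get through. The per-IP limit is what actually restores service: the single attacking address can hold at most 20 workers, which is also why a distributed Slowloris from many addresses needs the other measures as well.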
Thank you for your attention. Any questions?