lecture 3 dos attacks - university of strathclyde
TRANSCRIPT
Definition Denial of Service
• Denial of Service (DoS) an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
• Attacks may be directed against – network bandwidth
– system resources
– application resources
• DoS is an established and continuing threat on the Internet
[StallingsB08] Ch8
DoS in Practice
3[Berinato05]
"I told you that if you try and f*** with us that your site will be down forever.... The excuse that you were in the hospital does not matter to me.
So here are your choices: 1) You have until 4pm est today to send us our $40K. 2) You have until 4pm est Wednesday to send us $50K if you can not send the $40K today. 3) You do not pay and your site will be down for 4 days starting Thursday and it will cost you $75K to come back up Monday. 4) You do nothing and do not respond to this email within an hour and we will make sure you are down forever....”
• Extortionists had more than 20,000 zombies.
• The victim needed great help from their ISP, which suffered heavily in the attack, affecting other customers as well as the target victim.
• Attack was pulsating and rotated its targets: DNS servers, mail servers, and web sites.
• Traffic went to 1.5Gb with bursts up to 3Gb.
• Victim’s ISP prepared for 6Gb, but attacks settled in at 1Gb. Attacker gave up after 4 weeks.
Attack Profile
4
• Why are DoS attacks hard to defend against?– End-to-end paradigm
• sender & receiver responsible for security• network optimized for simply making best effort
packet delivery - doesn't police traffic
– Internet security is highly inter-dependent– Internet resources are limited– Intelligence and resources are not collocated– Accountability is not enforced– Control is distributed
Overview of DoS/DDoS
5
• It is important to classify attack types.
• Example: appropriate defense may depend recognizing which attack is DoS (single or small number of sources) versus DDoS (many sources)
• Possibly recognized by:– attack packet header info
• IP Address, or Fragment ID and TTL fields
– attack packet stream dynamics• ramp-up behavior
– slower ramp-up implies multiple attackers
• spectral analysis– frequency analysis of packet trace
Defense Must Match Attack
[HussainHP03] 6
• Provides a map of the field– can help structure research efforts– provides a common vocabulary– may identify unexplored research areas– can speak to the completeness (or otherwise)
of a proposed defense
• It helps to "think like" someone designing a DoS attack
• insight into design may lead to insight in defense• more complete understanding may enable us to
anticipate features of new attacks
DDoS Taxonomy
[MirkovicR04] 7
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
8
• Manual– attacker manually scans, breaks in, installs attack code,
then directs the attack– Used by early DDoS attacks only
• Fully Automated– exploit/recruitment phase and attack phase both automated
• everything is preprogrammed in advance• no need for further communication between master & agent• minimal exposure for attacker• inflexible - attack specification is hard coded• hybrid of auto/semi-auto
– fully programmed in advance for auto, but leave a backdoor for future modification
Degree of Automation
10
• Semi-Automated– recruitment phase automated, attack phase
manually initiated– requires communication between master & agents
to initiate attack:• direct communication
– network packets exchanged between master & agent– need to know each other's IP address
» adds to risk of discovery– if agent is actively listening, maybe a network scanner can
find» may only listen at prearranged times
• indirect communication– use some pre-existing legitimate communication channel– IRC commonly used– discovery of agent may only tell us IRC server & channel– channel hopping used to further disguise
Degree of Automation
11
• Degree of Automation• Agent Recruitment Strategies
Scanning Strategy - Vulnerability Scanning - Attack Code Propagation
• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
12
• Random Scanning (Code Red)– high traffic volume of inter-network traffic - may aid detection– no coordination - increases likelihood of duplicate scans
• Hit List– splits off pieces of the list to give to newly recruited machines– can be very fast and efficient - no collisions– a large list will cause more traffic, possibly aiding detection
• Permutation Scanning– if an agent sees an already infected host, it chooses a new random starting
point– if an agent sees a certain threshold number of infected hosts, it becomes
dormant• Signpost Scanning
– uses communication patterns or data found on newly infected hosts to select next targets
• any email worm that spreads using address book of infected host– hard to detect based on traffic patterns– may be slow to spread
• Local Subnet (Code Red II, Nimda)
Scanning Strategy
13
• Horizontal– looks for specific port/vulnerability
• Vertical– look for multiple ports/vulnerabilities on the same
host
• Coordinated– scan multiple machines on the same subnet for a
specific vulnerability
• Stealthy– any of the above, but do it slowly to avoid
detection
Vulnerability Scanning
14
• Central Server (li0n worm)– all newly recruited agents contact a central server to get
attack code– single point of failure
• can be discovered and shut down• high load at central server may limit efficiency or enable
detection
• Back-chaining (Ramen, Morris worms)– attack code downloaded from machine that was used to
exploit the new host
• Autonomous – (Code Red, Warhol, various email worms)– attack code downloaded concurrently w/exploit
Attack code propagation
15
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
16
• Semantic (TCP SYN, NAPTHA)
– exploits a specific feature or bug of a protocol or application on the victim in order to consume excessive amounts of its resources
– can potentially be mitigated by deploying modified protocols/applications
• Brute Force– intermediate network has more resources than victim - can
deliver higher volume of packets than victim can handle– overwhelms victim resources using seemingly legitimate
packets• hard to filter without also harming legitimate traffic
– requires higher volume of attack packets• modifying protocols to counter semantic attacks raises the bar
somewhat for the attacker
Exploited Weakness
17
• Is it Semantic or Brute Force?– some attacks have the capacity to act like either one
• semantic attack like TCP SYN may be countered by protocol modification
• if attack is large enough, can still overwhelm through brute force– some attacks are a combination of both (SMURF)
• a protocol feature is exploited at a server (not the victim), which then overwhelms the intended target through brute force
• Packet Features– the exploited resource may determine some characteristics of the
packets• if the packets must contain some valid header & payload content, may
be easier to detect & filter– some attacks (more often semantic) must have some valid packet
features• aimed at one particular weakness
– however, if aim is just to consume network resources, packet features can be varied at will
• harder to detect & filter
Exploited Weakness
18
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
19
• Spoofed Address– avoids accountability, helps avoid detection
– required for reflector attacks – makes brute force attacks hard
• otherwise, could manage by intelligently allocating resources devoted to various flows
• Valid Address– some attacks (NAPTHA) require a valid source address,
since the attack mechanism requires several request/reply exchanges between agent & victim
– older Windows (NT) didn't allow user-level processes to modify packet headers
Source Address Validity
20
• Types of Spoofed Addresses– Routable vs. Non-Routable– Fixed
• reflector attacks, or an attack trying to place blame on a 3rd party
– Random • filtering techniques can be useful
– Subnet • choose an address randomly from same subnet as agent• defeats ingress filtering• subnet where agent is located may be able to detect & filter
– En Route• choose address from some host on the route from agent to
victim• not used by any known attack, but foreseeable, since it
counters some existing filtering techniques
Source Address Validity
21
• Attacker sends packets to some (non-hostile) intermediate entity– spoofed source address of the packets is the victim’s IP
address– response from the intermediate entities overwhelms the
victim
• SMURF (1998)– ICMP echo requests sent to various IP broadcast addresses– amplifier effect: many responses from a single packet– Feb. 2000 attack against Yahoo was based on SMURF
• DNS Reflector Flood (2000)– agents generate a large number of DNS requests, with the
spoofed source address of the victim– amplifier effect: DNS responses can be significantly larger
than the DNS request
Reflector Attacks
CERT Advisory CA-1998-01, Incident Note IN-2000-04 22
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
23
• Constant Rate (most)– agents send packets as fast as they can after attack is started– large traffic stream may aid detection
• Variable Rate– used in an attempt to avoid or delay detection– Increasing Rate
• start slow, gradually increase, perhaps over long period of time• harder to distinguish from a legitimate increase in traffic
– Fluctuating Rate• could respond to victim behavior or preprogrammed timing• could be used to pulse the attack intensity• agents could coordinate pulsing, so attack intensity is steady,
but set of agents attacking at any one time varies– makes it harder to detect & mitigate at the source network of the
agent
Attack Rate Dynamics
24
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
25
• Characterizable– Filterable vs. Non-Filterable
• Filterable:– packets may be malformed– protocol or application may not be needed by target
» ex: UDP flood against a web server, http flood against an SMTP server
» traffic can be filtered by a firewall• Non-Filterable:
– well formed packets that request legitimate/critical services» no way to distinguish attack packets from legitimate service
requests» ex: http flooding a web server
• Non-characterizable– attack packets use variety of protocols/applications
• may be randomly generated– some attacks characterizable in theory, but not in practice
Possibility of Characterization
26
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
27
• Constant - all agents behave the same– engage simultaneously in attack– may 'pulse' attack, but the 'on'/'off' periods
match
• Variable– agents don't act in unison– may be divided into groups, not all groups
active at the same time– different groups may take turns pulsing the
victim
Persistence of Agent Sets
28
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
29
• Specific Application– example: send bogus signature packets to an authentication
service • other services on the host may be unaffected
– detection difficult• attack volume usually small• host operates normally except for targeted application
– may be able to distinguish legit. from attack packets at application level (or maybe not)
• even if we can, a defense strategy would need to take into account each application we want to protect
• Host– aims to disable all legitimate access to target host
• overload or disable network communication subsystem• otherwise cause host to crash, freeze, or reboot
– hosts can try to limit their exposure by patching known holes, updating protocols w/DDoS resistant versions
• however, by themselves cannot defend against attacks that consume all of their network resources
– need upstream help - i.e., a firewall that can recognize and help filter the attack
Victim Type
30
• Resource– any resource critical to the victim (server, router, bottleneck link)
• Network– aims to consume all available incoming bandwidth for target
network• packet destination can be any host on target network
– packet volume, not content, is key– can be easy to detect due to high traffic volume– target network dependant on upstream network for help in
defending• even if it could detect & filter attack traffic, entire resources of ingress
routers may be consumed doing so• Infrastructure
– coordinated targeting of distributed services crucial to the global internet
• attacks on root DNS servers, core routers, etc.– from point of view of a single target, may be same as a host-type
attack
Victim Type
31
• Degree of Automation• Agent Recruitment Strategies• Exploited Weakness (to deny service)• Source Address Validity• Attack Rate Dynamics• Possibility of Characterization• Persistence of Agent Set• Victim Type• Impact on the Victim
Categories
32
– Self-Recoverable• after influx of attack
packets ends, life returns to normal w/o human intervention
• a prompt defense (i.e., recognition & filtering) potentially can make these transparent to legitimate clients
– Human-Recoverable• after influx of attack
packets ends, rebooting or reconfiguration is required
– Non-Recoverable• inflict permanent
damage to hardware– conceivable, but none
are known
Impact on Victim
• Disruptive: completely deny access
33
• Degrading (subtle, or overt)– only consume a portion of the victims
resources– degrade service to legitimate clients– very hard to detect, may go undetected for
long period of time– could be very costly:
• lost customers due to poor service• money spent on unnecessary equipment upgrades
– most existing strategies for dealing w/DDoS have a hard time with this one
Impact on Victim
34
• [StallingsB08] Computer Security Principles and Practice, William Stallings and Lawrie Brown. Pearson Education 2008. Chapter 8 Denial of Service.
• [HussainHP03] A Framework for Classifying Denial of Service Attacks, Alefiya Hussain, John Heidemann, and Christos Papadopoulos. Applications, Technologies, Architectures, and Protocols for Computer Communication, 2003.
• [MirkovicR04] A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, Jelena Mirkovic and Peter Reiher. Computer Communications Review, Vol. 34, No. 2, April 2004.
Reading
35