Lecture 3: DoS Attacks
Network Security (mod-net-sec)
University of Birmingham


Definition: Denial of Service

• Denial of Service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
• Attacks may be directed against
  – network bandwidth
  – system resources
  – application resources

• DoS is an established and continuing threat on the Internet

[StallingsB08] Ch8

DoS in Practice [Berinato05]

"I told you that if you try and f*** with us that your site will be down forever.... The excuse that you were in the hospital does not matter to me.

So here are your choices: 1) You have until 4pm est today to send us our $40K. 2) You have until 4pm est Wednesday to send us $50K if you can not send the $40K today. 3) You do not pay and your site will be down for 4 days starting Thursday and it will cost you $75K to come back up Monday. 4) You do nothing and do not respond to this email within an hour and we will make sure you are down forever...."

Attack Profile

• Extortionists had more than 20,000 zombies.
• The victim needed great help from their ISP, which suffered heavily in the attack, affecting other customers as well as the target victim.
• Attack was pulsating and rotated its targets: DNS servers, mail servers, and web sites.
• Traffic went to 1.5Gb with bursts up to 3Gb.
• Victim's ISP prepared for 6Gb, but attacks settled in at 1Gb. Attacker gave up after 4 weeks.

Overview of DoS/DDoS

• Why are DoS attacks hard to defend against?
  – End-to-end paradigm
    • sender & receiver responsible for security
    • network optimized for simply making best-effort packet delivery; it doesn't police traffic
  – Internet security is highly inter-dependent
  – Internet resources are limited
  – Intelligence and resources are not collocated
  – Accountability is not enforced
  – Control is distributed

Defense Must Match Attack

• It is important to classify attack types.
• Example: the appropriate defense may depend on recognizing whether an attack is DoS (a single or small number of sources) or DDoS (many sources)
• Possibly recognized by:
  – attack packet header info
    • IP address, or Fragment ID and TTL fields
  – attack packet stream dynamics
    • ramp-up behavior
      – slower ramp-up implies multiple attackers
    • spectral analysis
      – frequency analysis of packet trace

[HussainHP03]
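The cues above (header fields and ramp-up behaviour) can be turned into a small classifier. The following is an added example, not code from the lecture or from [HussainHP03]: it bins a packet trace to measure ramp-up time, counts distinct source addresses and TTL values, and checks whether the IP ID field advances like a single host's counter. The two traces are constructed, and the bin width, the 0.9 ramp-up fraction and the cue thresholds are illustrative assumptions. Spectral analysis from the slide is not implemented here.

```python
"""Cues for telling a single-source DoS from a multi-source DDoS, following the
indicators on the slide: packet header fields (source IP, IP ID, TTL) and the
ramp-up behaviour of the attack stream. Constructed example with synthetic
traces; thresholds are illustrative assumptions, not from the lecture."""
from collections import Counter
from dataclasses import dataclass

BIN_MS = 20          # width of the rate-estimation bins (assumption)
RAMP_FRACTION = 0.9  # a bin at this fraction of the peak rate counts as "ramped up"


@dataclass(frozen=True)
class Pkt:
    t_ms: int   # arrival time, milliseconds
    src: str    # source address as carried in the header (may be spoofed)
    ttl: int    # TTL on arrival: fixed for one path, varies across real sources
    ip_id: int  # IP identification field: a per-host counter on many stacks


def rate_series(pkts, bin_ms=BIN_MS):
    """Packets per bin, starting from the bin of the first packet."""
    if not pkts:
        return []
    t0 = min(p.t_ms for p in pkts)
    counts = Counter((p.t_ms - t0) // bin_ms for p in pkts)
    return [counts.get(b, 0) for b in range(max(counts) + 1)]


def ramp_up_ms(pkts, bin_ms=BIN_MS, fraction=RAMP_FRACTION):
    """Milliseconds from the first attack packet until the per-bin rate first
    reaches `fraction` of its peak. One host reaches its peak at once; agents
    that join over time produce a slower ramp-up."""
    series = rate_series(pkts, bin_ms)
    if not series:
        return 0
    threshold = fraction * max(series)
    return next(b * bin_ms for b, c in enumerate(series) if c >= threshold)


def ip_id_sequential_fraction(pkts):
    """Share of consecutive packets (in arrival order) whose IP ID advances by a
    small positive step, as a single host's counter would."""
    ordered = sorted(pkts, key=lambda p: p.t_ms)
    if len(ordered) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ordered, ordered[1:]) if 0 < b.ip_id - a.ip_id <= 4)
    return steps / (len(ordered) - 1)


def summarize(pkts):
    return {
        "distinct_src": len({p.src for p in pkts}),
        "distinct_ttl": len({p.ttl for p in pkts}),
        "id_sequential": ip_id_sequential_fraction(pkts),
        "ramp_up_ms": ramp_up_ms(pkts),
    }


def classify(pkts):
    """Distinct source addresses alone are unreliable (they may be spoofed);
    one TTL, one IP-ID counter and an instant ramp-up all point to one host."""
    s = summarize(pkts)
    cues = (s["distinct_ttl"] <= 2) + (s["id_sequential"] >= 0.8) + (s["ramp_up_ms"] <= BIN_MS)
    label = "single-source (addresses likely spoofed)" if cues >= 2 else "multi-source"
    return label, s


# Constructed trace 1: one host sending 1 pkt/ms for 200 ms with a different
# spoofed source on every packet, one TTL and a sequential IP ID.
SINGLE = [Pkt(i, f"203.0.113.{i % 256}", 54, 1000 + i) for i in range(200)]

# Constructed trace 2: ten agents, each starting 40 ms after the previous one
# and sending 1 pkt/10 ms until t=400 ms, each with its own path (TTL) and counter.
_TTLS = [50, 53, 58, 61, 47, 55, 60, 49, 57, 52]
MULTI = [
    Pkt(40 * i + 10 * j, f"198.51.100.{i}", _TTLS[i], 5000 * i + j)
    for i in range(10)
    for j in range((400 - 40 * i) // 10)
]

if __name__ == "__main__":
    for name, trace in (("single", SINGLE), ("multi", MULTI)):
        print(name, *classify(trace))
```

The first trace shows 200 distinct source addresses, so counting addresses would call it distributed; the single TTL, the monotone IP ID and the zero ramp-up say otherwise. The second trace ramps up over 320 ms as agents join, with ten TTLs and interleaved ID counters.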

DDoS Taxonomy

• Provides a map of the field
  – can help structure research efforts
  – provides a common vocabulary
  – may identify unexplored research areas
  – can speak to the completeness (or otherwise) of a proposed defense
• It helps to "think like" someone designing a DoS attack
  – insight into design may lead to insight in defense
  – a more complete understanding may enable us to anticipate features of new attacks

[MirkovicR04]

Categories

• Degree of Automation
• Agent Recruitment Strategies
• Exploited Weakness (to deny service)
• Source Address Validity
• Attack Rate Dynamics
• Possibility of Characterization
• Persistence of Agent Set
• Victim Type
• Impact on the Victim

Mirkovic and Reiher Classification for DDoS Attack Mechanisms

Degree of Automation

• Manual
  – attacker manually scans, breaks in, installs attack code, then directs the attack
  – used by early DDoS attacks only
• Fully Automated
  – exploit/recruitment phase and attack phase both automated
    • everything is preprogrammed in advance
    • no need for further communication between master & agent
    • minimal exposure for attacker
    • inflexible: attack specification is hard coded
  – hybrid of auto/semi-auto
    • fully programmed in advance for auto, but leaves a backdoor for future modification

Degree of Automation

• Semi-Automated
  – recruitment phase automated, attack phase manually initiated
  – requires communication between master & agents to initiate attack:
    • direct communication
      – network packets exchanged between master & agent
      – need to know each other's IP address
        » adds to risk of discovery
      – if agent is actively listening, maybe a network scanner can find it
        » may only listen at prearranged times
    • indirect communication
      – use some pre-existing legitimate communication channel
      – IRC commonly used
      – discovery of agent may only tell us IRC server & channel
      – channel hopping used to further disguise

Categories

• Degree of Automation
• Agent Recruitment Strategies
  – Scanning Strategy
  – Vulnerability Scanning
  – Attack Code Propagation
• Exploited Weakness (to deny service)
• Source Address Validity
• Attack Rate Dynamics
• Possibility of Characterization
• Persistence of Agent Set
• Victim Type
• Impact on the Victim

Scanning Strategy

• Random Scanning (Code Red)
  – high volume of inter-network traffic; may aid detection
  – no coordination; increases likelihood of duplicate scans
• Hit List
  – splits off pieces of the list to give to newly recruited machines
  – can be very fast and efficient; no collisions
  – a large list will cause more traffic, possibly aiding detection
• Permutation Scanning
  – if an agent sees an already infected host, it chooses a new random starting point
  – if an agent sees a certain threshold number of infected hosts, it becomes dormant
• Signpost Scanning
  – uses communication patterns or data found on newly infected hosts to select next targets
    • any email worm that spreads using the address book of the infected host
  – hard to detect based on traffic patterns
  – may be slow to spread
• Local Subnet (Code Red II, Nimda)

Vulnerability Scanning

• Horizontal
  – looks for a specific port/vulnerability
• Vertical
  – looks for multiple ports/vulnerabilities on the same host
• Coordinated
  – scan multiple machines on the same subnet for a specific vulnerability
• Stealthy
  – any of the above, but done slowly to avoid detection
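The previous two slides note that scanning produces traffic that "may aid detection" and that stealthy scanning spreads the same probes out in time. The following is an added example, not the lecture's code, of what a detector over flow records looks like for the horizontal and vertical patterns, and why a short detection window misses the stealthy variant. The flow log, the thresholds of 10 distinct targets and the window sizes are all constructed assumptions.

```python
"""Flow-log detector for the vulnerability-scanning patterns on the slide:
horizontal (one port, many hosts), vertical (one host, many ports) and
stealthy (either, spread out in time). Constructed example over synthetic
flow records; the thresholds and window sizes are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass

HOST_THRESHOLD = 10  # distinct targets on one port within the window => horizontal
PORT_THRESHOLD = 10  # distinct ports on one host within the window => vertical


@dataclass(frozen=True)
class Flow:
    t: int      # flow start, seconds
    src: str
    dst: str
    dport: int


def detect_scans(flows, window_s):
    """Return {(src, kind): description} for every source whose distinct-target
    count inside some window of `window_s` seconds reaches a threshold."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.t)
        start = 0
        for end in range(len(fl)):
            # slide the window forward so it spans at most window_s seconds
            while fl[end].t - fl[start].t > window_s:
                start += 1
            hosts_per_port = defaultdict(set)
            ports_per_host = defaultdict(set)
            for f in fl[start:end + 1]:
                hosts_per_port[f.dport].add(f.dst)
                ports_per_host[f.dst].add(f.dport)
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= HOST_THRESHOLD:
                    alerts[(src, "horizontal")] = f"port {port}: {len(hosts)} hosts"
            for host, ports in ports_per_host.items():
                if len(ports) >= PORT_THRESHOLD:
                    alerts[(src, "vertical")] = f"host {host}: {len(ports)} ports"
    return alerts


def build_flows():
    """Constructed flow log: a fast horizontal scan, a vertical scan, a stealthy
    horizontal scan (one probe every ten minutes) and some benign traffic."""
    flows = [Flow(i, "192.0.2.10", f"10.0.0.{i + 1}", 445) for i in range(20)]
    flows += [Flow(100 + p, "192.0.2.11", "10.0.0.5", p) for p in range(1, 16)]
    flows += [Flow(600 * i, "192.0.2.12", f"10.0.1.{i + 1}", 22) for i in range(12)]
    flows += [Flow(50 + i, "192.0.2.20", f"10.0.0.{i + 1}", 443) for i in range(3)]
    return flows


FLOWS = build_flows()

if __name__ == "__main__":
    for window in (60, 24 * 3600):
        print(f"window={window}s:", detect_scans(FLOWS, window))
```

With a 60-second window the fast horizontal and vertical scanners are flagged but the stealthy scanner, one probe every ten minutes, never accumulates ten targets in any window; only the day-long window catches it, which is the trade-off the "Stealthy" bullet describes.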

Attack Code Propagation

• Central Server (li0n worm)
  – all newly recruited agents contact a central server to get attack code
  – single point of failure
    • can be discovered and shut down
    • high load at central server may limit efficiency or enable detection
• Back-chaining (Ramen, Morris worms)
  – attack code downloaded from the machine that was used to exploit the new host
• Autonomous (Code Red, Warhol, various email worms)
  – attack code downloaded concurrently with the exploit


Exploited Weakness

• Semantic (TCP SYN, NAPTHA)
  – exploits a specific feature or bug of a protocol or application on the victim in order to consume excessive amounts of its resources
  – can potentially be mitigated by deploying modified protocols/applications
• Brute Force
  – intermediate network has more resources than the victim; can deliver a higher volume of packets than the victim can handle
  – overwhelms victim resources using seemingly legitimate packets
    • hard to filter without also harming legitimate traffic
  – requires a higher volume of attack packets
    • modifying protocols to counter semantic attacks raises the bar somewhat for the attacker

Exploited Weakness

• Is it Semantic or Brute Force?
  – some attacks have the capacity to act like either one
    • a semantic attack like TCP SYN may be countered by protocol modification
    • if the attack is large enough, it can still overwhelm through brute force
  – some attacks are a combination of both (SMURF)
    • a protocol feature is exploited at a server (not the victim), which then overwhelms the intended target through brute force
• Packet Features
  – the exploited resource may determine some characteristics of the packets
    • if the packets must contain some valid header & payload content, they may be easier to detect & filter
  – some attacks (more often semantic) must have some valid packet features
    • aimed at one particular weakness
  – however, if the aim is just to consume network resources, packet features can be varied at will
    • harder to detect & filter
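The two Exploited Weakness slides use TCP SYN as the semantic attack that "may be countered by protocol modification". The added example below, which is not from the lecture and not any stack's implementation, models that modification in the style of SYN cookies: a server that keeps no half-open-connection table and instead encodes the handshake state into its initial sequence number, beside a conventional bounded backlog that a flood of unanswered SYNs fills. The secret, the slot width, the 5-bit slot encoding and the scenario are all constructed assumptions, and the model omits MSS encoding and real sockets.

```python
"""A stateless SYN-cookie style handshake: the protocol modification that
removes the half-open-connection table the semantic TCP SYN attack exhausts,
contrasted with a plain bounded backlog. Simplified model (no MSS encoding,
no real sockets) written as a constructed example; not the lecture's code and
not any particular stack's implementation."""
import hashlib
import hmac

SLOT_SECONDS = 64   # coarse clock: a cookie is valid in its own and the next slot
SLOT_BITS = 5       # top bits of the ISN carry the slot so the server can recompute
MAC_MASK = (1 << (32 - SLOT_BITS)) - 1


class HalfOpenTable:
    """Conventional listener: every SYN occupies a slot until the ACK arrives,
    so a flood of spoofed SYNs (whose ACKs never come) fills the table."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = set()

    def on_syn(self, tuple4):
        if len(self.pending) >= self.capacity:
            return False          # backlog full: this SYN is dropped
        self.pending.add(tuple4)
        return True


def _mac(secret, tuple4, client_isn, slot):
    msg = "|".join(map(str, (*tuple4, client_isn, slot))).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(secret, tuple4, client_isn, now):
    """Server ISN = slot bits || MAC(secret, 4-tuple, client ISN, slot).
    Nothing is stored: the SYN-ACK itself carries all the state."""
    slot = int(now) // SLOT_SECONDS
    slot_bits = (slot & ((1 << SLOT_BITS) - 1)) << (32 - SLOT_BITS)
    return slot_bits | (_mac(secret, tuple4, client_isn, slot) & MAC_MASK)


def check_ack(secret, tuple4, client_isn, ack_number, now):
    """Third handshake packet: the client acknowledges cookie+1. Accept only a
    cookie we would have minted for this 4-tuple in the current or previous
    slot; a SYN whose ACK never arrives has cost the server nothing."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    current = int(now) // SLOT_SECONDS
    return any(make_cookie(secret, tuple4, client_isn, slot * SLOT_SECONDS) == cookie
               for slot in (current, current - 1) if slot >= 0)


def flood_then_connect(capacity, n_spoofed):
    """Constructed scenario: n_spoofed SYNs whose ACKs never arrive, then one
    legitimate client. Returns (stateful listener accepts it, stateless one does)."""
    secret = b"constructed-server-secret"
    legit = ("192.0.2.10", 40000, "203.0.113.1", 80)
    table = HalfOpenTable(capacity)
    for i in range(n_spoofed):
        table.on_syn((f"198.51.100.{i % 256}", 1024 + i, "203.0.113.1", 80))
    stateful_ok = table.on_syn(legit)

    now = 1_000_000
    cookie = make_cookie(secret, legit, client_isn=12345, now=now)
    stateless_ok = check_ack(secret, legit, 12345, (cookie + 1) & 0xFFFFFFFF, now + 3)
    return stateful_ok, stateless_ok


if __name__ == "__main__":
    print("backlog of 256 after 1000 unanswered SYNs:", flood_then_connect(256, 1000))
```

The stateless server removes the resource the semantic attack targets (table entries), which is the "raises the bar" point of the slide: the same SYN stream now has to win by brute force, consuming link bandwidth or the CPU spent computing MACs, rather than a few hundred table slots.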


Source Address Validity

• Spoofed Address
  – avoids accountability, helps avoid detection
  – required for reflector attacks
  – makes brute force attacks hard to defend against
    • otherwise, could manage by intelligently allocating the resources devoted to various flows
• Valid Address
  – some attacks (NAPTHA) require a valid source address, since the attack mechanism requires several request/reply exchanges between agent & victim
  – older Windows (NT) didn't allow user-level processes to modify packet headers

Source Address Validity

• Types of Spoofed Addresses
  – Routable vs. Non-Routable
  – Fixed
    • reflector attacks, or an attack trying to place blame on a 3rd party
  – Random
    • filtering techniques can be useful
  – Subnet
    • choose an address randomly from the same subnet as the agent
    • defeats ingress filtering
    • the subnet where the agent is located may be able to detect & filter
  – En Route
    • choose the address of some host on the route from agent to victim
    • not used by any known attack, but foreseeable, since it counters some existing filtering techniques

Reflector Attacks

• Attacker sends packets to some (non-hostile) intermediate entity
  – the spoofed source address of the packets is the victim's IP address
  – responses from the intermediate entities overwhelm the victim
• SMURF (1998)
  – ICMP echo requests sent to various IP broadcast addresses
  – amplifier effect: many responses from a single packet
  – Feb. 2000 attack against Yahoo was based on SMURF
• DNS Reflector Flood (2000)
  – agents generate a large number of DNS requests, with the spoofed source address of the victim
  – amplifier effect: DNS responses can be significantly larger than the DNS request

CERT Advisory CA-1998-01, Incident Note IN-2000-04
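The Source Address Validity slide says that random spoofing is where "filtering techniques can be useful" while subnet spoofing "defeats ingress filtering", and the Reflector Attacks slide shows why spoofing the victim's address matters. The added example below, not from the lecture, is a strict reverse-path check of the kind BCP 38 ingress filtering uses at the agent's access network, run against each spoofing type from the slide. The routing table, interface names and addresses (RFC 5737 documentation prefixes) are constructed assumptions.

```python
"""Ingress filtering (BCP 38, strict unicast reverse-path forwarding) at the
agent's access network, checked against the spoofed-address types on the
Source Address Validity slide; a reflector attack's packets, which must carry
the victim's address, are the "fixed" case. Constructed example using RFC 5737
documentation prefixes; the routing table is an assumption, not from the lecture."""
import ipaddress


class StrictURPF:
    """Accept a packet only if the best route to its *source* address points
    back out the interface the packet arrived on."""

    def __init__(self, routes):
        # routes: {prefix: interface}; the longest prefix must win, so sort by length
        self.routes = sorted(
            ((ipaddress.ip_network(p), iface) for p, iface in routes.items()),
            key=lambda r: r[0].prefixlen, reverse=True)

    def route_for(self, addr):
        a = ipaddress.ip_address(addr)
        return next((iface for net, iface in self.routes if a in net), None)

    def accept(self, src, arrived_on):
        return self.route_for(src) == arrived_on


ROUTES = {
    "192.0.2.0/24": "cust0",       # the network where the agent sits
    "198.51.100.0/24": "cust1",    # another customer of the same ISP
    "0.0.0.0/0": "upstream",       # everything else
}

# Constructed packets sent by the agent on cust0, labelled by spoofing type.
PACKETS = {
    "valid (agent's own address)": "192.0.2.77",
    "fixed (victim's address, as in a reflector attack)": "203.0.113.5",
    "random (another customer's prefix)": "198.51.100.9",
    "random (arbitrary Internet address)": "203.0.113.200",
    "subnet (random address in the agent's own prefix)": "192.0.2.200",
}


def evaluate(filt, packets, arrived_on="cust0"):
    """Verdict per labelled packet for traffic arriving on `arrived_on`."""
    return {label: ("accepted" if filt.accept(src, arrived_on) else "dropped")
            for label, src in packets.items()}


if __name__ == "__main__":
    for label, verdict in evaluate(StrictURPF(ROUTES), PACKETS).items():
        print(f"{verdict:8s} {label}")
```

Fixed and random spoofed sources are dropped at the first router, which is why a reflector attack cannot be launched from a network that filters this way. A source drawn from the agent's own prefix passes, since the reverse path is correct; catching that case needs the finer, per-host check inside the subnet that the slide mentions.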


Attack Rate Dynamics

• Constant Rate (most)
  – agents send packets as fast as they can after the attack is started
  – large traffic stream may aid detection
• Variable Rate
  – used in an attempt to avoid or delay detection
  – Increasing Rate
    • start slow, gradually increase, perhaps over a long period of time
    • harder to distinguish from a legitimate increase in traffic
  – Fluctuating Rate
    • could respond to victim behavior or preprogrammed timing
    • could be used to pulse the attack intensity
    • agents could coordinate pulsing, so attack intensity is steady, but the set of agents attacking at any one time varies
      – makes it harder to detect & mitigate at the source network of the agent


Possibility of Characterization

• Characterizable
  – Filterable vs. Non-Filterable
    • Filterable:
      – packets may be malformed
      – protocol or application may not be needed by the target
        » ex: UDP flood against a web server, HTTP flood against an SMTP server
        » traffic can be filtered by a firewall
    • Non-Filterable:
      – well-formed packets that request legitimate/critical services
        » no way to distinguish attack packets from legitimate service requests
        » ex: HTTP flooding a web server
• Non-characterizable
  – attack packets use a variety of protocols/applications
    • may be randomly generated
  – some attacks characterizable in theory, but not in practice


Persistence of Agent Sets

• Constant: all agents behave the same
  – engage simultaneously in attack
  – may 'pulse' the attack, but the 'on'/'off' periods match
• Variable
  – agents don't act in unison
  – may be divided into groups, not all groups active at the same time
  – different groups may take turns pulsing the victim


Victim Type

• Specific Application
  – example: send bogus signature packets to an authentication service
    • other services on the host may be unaffected
  – detection difficult
    • attack volume usually small
    • host operates normally except for the targeted application
  – may be able to distinguish legitimate from attack packets at the application level (or maybe not)
    • even if we can, a defense strategy would need to take into account each application we want to protect
• Host
  – aims to disable all legitimate access to the target host
    • overload or disable the network communication subsystem
    • otherwise cause the host to crash, freeze, or reboot
  – hosts can try to limit their exposure by patching known holes, updating protocols with DDoS-resistant versions
    • however, by themselves they cannot defend against attacks that consume all of their network resources
  – need upstream help, i.e., a firewall that can recognize and help filter the attack

Victim Type

• Resource
  – any resource critical to the victim (server, router, bottleneck link)
• Network
  – aims to consume all available incoming bandwidth for the target network
    • packet destination can be any host on the target network
  – packet volume, not content, is key
  – can be easy to detect due to high traffic volume
  – target network is dependent on the upstream network for help in defending
    • even if it could detect & filter attack traffic, the entire resources of ingress routers may be consumed doing so
• Infrastructure
  – coordinated targeting of distributed services crucial to the global Internet
    • attacks on root DNS servers, core routers, etc.
  – from the point of view of a single target, may be the same as a host-type attack


Impact on Victim

• Disruptive: completely deny access
  – Self-Recoverable
    • after the influx of attack packets ends, life returns to normal without human intervention
    • a prompt defense (i.e., recognition & filtering) potentially can make these transparent to legitimate clients
  – Human-Recoverable
    • after the influx of attack packets ends, rebooting or reconfiguration is required
  – Non-Recoverable
    • inflict permanent damage to hardware
    • conceivable, but none are known

Impact on Victim

• Degrading (subtle, or overt)
  – only consume a portion of the victim's resources
  – degrade service to legitimate clients
  – very hard to detect; may go undetected for a long period of time
  – could be very costly:
    • lost customers due to poor service
    • money spent on unnecessary equipment upgrades
  – most existing strategies for dealing with DDoS have a hard time with this one

Reading

• [StallingsB08] William Stallings and Lawrie Brown. Computer Security: Principles and Practice. Pearson Education, 2008. Chapter 8, Denial of Service.
• [HussainHP03] Alefiya Hussain, John Heidemann, and Christos Papadopoulos. A Framework for Classifying Denial of Service Attacks. Proc. ACM SIGCOMM (Applications, Technologies, Architectures, and Protocols for Computer Communication), 2003.
• [MirkovicR04] Jelena Mirkovic and Peter Reiher. A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. ACM SIGCOMM Computer Communication Review, Vol. 34, No. 2, April 2004.

Discussion Points

• Can DoS occur at the application layer?
• Besides extortion, what are other possible motives for DoS attacks?