Low-intensity DoS attacks on BGP infrastructure

Paul Neumann

One need not fear superior numbers if the opposing force has been properly scouted and appraised.

George Armstrong Custer

pneumann@umt.edu.al

DoS attacks

Aim:Wholenetworksand/orsystems,aswellasindividualhosts.

Goals:Toconsumeresourcesinorderofshu=ngdownorsubstan@aldeteriora@ngservicestothelegi@mateusers.

Resources:Bandwidth,servers/routerscompu@ng@me,protocolimplementa@ons.Stackoverflow,DNSflood,pingflood,packetdrop,etc.

DoS attack detection

AnomaliesinthetrafficpaIern:Eventsorcondi@onswithsignificantsta@s@caldevia@onfromtheusualpaIernbasedonthedatapreviouslycollectedinstandardcondi@ons.

SIEM:Anydevia@onoverthethresholdmeantriggersincidentalert.

Inefficientforthelow-intensityDoSaIacks.

Tradi@onalmeansofdefence(firewalls,IDS,etc.)areinefficient.

Low-intensity DoS attacks

Newtrendinthecyberwarfare:Low-intensityDoSaIacksindis@nguishablefromregulartraffic.

Low-intensityDoSaIacksmaybeadaptedagainstHTTP,SMTP,and/orDNStraffic.

Apache-andMicroso,IIS-basedsystemsmostvulnerable.

Communica@onchannelsnotoverloadedbuthavesignificantdroppageoftherequest/acknowledgementpackets.

Low-intensity DoS attacks

Requireanumberofpar@cipa@ngorcompromisedhostsforroguefloodingofthetargetwithuselesspackets.

Rogueimplementa@onoftheDoSmethodswillfailifamassiveamountofanomaloustrafficisdetectedbythefirewalls.

Low-intensityDoSaIackimplementperiodicincrease(splashes)oftheroguetraffic.

Low-intensity DoS attacks ForbeIerefficiencysplashesaremadeclosetothe@me-outoftheopensessiontokeepthesessionalive.

Server/routerbuffersbecomegraduallyoverloaded,leadingtothedenialofservicecondi@on.

Low-intensityDoSaIacksdonotrequiresignificantlybigbandwidthorcompu@ngpower.

TCP stack vulnerability Addi@ve-Increase/Mul@plica@ve-Decrease(AIMD)algorithmcombineslineargrowthoftheconges@onwindowwithanexponen@alreduc@onwhenaconges@ontakesplace.Whenconges@onisdetected,transmiIerdecreasestransmissionratebyamul@plica@vefactor.

Mul@plica@vedecreaseistriggeredwhena@meoutoracknowledgementmessageindicatesapacketwaslost.

Itispossibletoenforcezero-bandwidththroughinjec@ngDoStrafficintotheregulartraffic.

Network bandwidth DoS DoSconsistsofshortpeaksofrogueimpulseswithcarefullysynchronizedperiod.

Ifcombinedtrafficduringthepeaksisbigenoughtocausepacketdroppage,transmissionwillfail.

RetransmissionwillbeaIempteda[erRetransmissionTime-Out(RTO).

IftheDoSperiodcoincideswithRTO,regulartrafficwillconstantlyencounter@me-out.

Packetlosseswillcloseto100%,andbandwidthto0.

Experimental topology VirtualmachinesbasedonVirtualBoxplaaorm.

EmulatedIntel Core i5-5200CPU@2.20GHZ.

Opera@ngsystem:Ubuntu Linux 14.04.HTTPservers:Apache2andnginx.DNSservers:bind9.ICMPandBGProuters:ZebraandQuagga.Networktopology:PacketTracer.AIackingOS:Kali Linux.

Network topology

Branchedtopology:emulatereal-worldsystems.

Dynamicrou@ng:availabilityofnodesandservices.

Model of DoS attack Att==0rogueusersendsthefirstimpulse,shutsdownthesystem.

Legi@mateuserencounters@me-out,forcedtowaitforretransmission,anddoubletheRTO.

RogueuserrepeatsaIackatt==1+2RTT(Round-TripTime).

Iegi@mateuserencounters@me-out,forcedtowaitforretransmissiondoublethe@me,anddoubletheRTO.

Rogueuserwillshutdowntheservicebysendingpacketsatlowrate–everyoddpointin@me.

PC12,PC13–sourcesofaIack.MethodofaIack:SlowLoris.

HTTP attack

PC10–target; Main–monitorclient.

HTTP attack AIackmadewiththeslowhttptestDoSsimulator:

where:-H–SlowLorismode;-u–aIackedURL;-p–@me-out;-cnumberofconnec@ons;-knumberofaIempts.

where:-c–concurrentnumberofsimulatedusers;-t–selectedperiodoftest@me.

Monitoringwasmadewithsiegestresstester:

Losses vs. availability

SuccessfulDoSaIackw/oseriousinvestmentinthebandwithofaIackinghosts.

DoS attack on BGP system

AIackwasdrivenagainstthenetworksegmentonRouter3andRouter4.

DoS attack on BGP system Networkthroughputmeasuredwithiperfu@lity.

AIack:

Scenario1:DirectaIackonQuagga.

Scenario2:AIackonBGPinfrastructurebehindRouter4tocompromiserou@ngchannel.

Attack on Quagga SYN-ACKpacketssentwith5sec.@me-out.

UsingscapyPythonscrip@ngu@lity:

Attack on Quagga Handshakeini@alizedandprocessedexcepttheESTABLISHEDstatus.

QuaggarespondswithRSTpackettotheroguerequests.

Changingtime.sleep()parameterinthe1to300rangeresultedinclosingconnec@onwithSYN-RECVstatus.

Noproblemswithavailability:

Analysis Successfullow-intensityDoSaIackrequiresBGPemula@ngso[ware.

Legi@mateconnec@ontoroguerequestspossibleonlyonmisconfiguredservers.

DataexchangebetweenBGPneighboursbasedonAccessLists(ACL):

- permissiontotransmitroutestoaneighbour,- permissiontoreceiveroutesfromaneighbour.

Router-in-the-Middle attack AIackdrivenattheserverbehindaIackedrouter.

Goal:Toforcetheroutertolowerthebandwidthduetoprocessingroguetrafficgeneratedfromlow-intensityDoSaIack.

AIackedwasPC13behindRouter4:

Networkthroughputmeasuredwithiperfu@lity.

Analysis Nochangesinthethroughput:

Slightdroppageofthespeedresultsfrominterfaceset-uptomatchreal-worldcondi@ons.Trafficgeneratedfromlow-intensityDoSaIackdoesn’taffecttheborderrouter’sbandwidth.Networkthroughputmeasuredwithiperfu@lity.

Analysis AIacksonsystemswithdefaultconfigura@onweresuccessful.

Low-intensityDoSaIacksdeterioratechannelbandwidth.

Asaruledefaultconfigura@onsignoreparameterstocounter-actaIacks.Quaggaisaremarkableexcep@on.

ItresultsindenialofHTTPservicestolegi@mateusers.

Comparison

Normaltraffic.

TrafficunderaIack.

Conclusions Aleksandar Kuzmanovic, Edward W. Knightly. Low-rate TCP-targeted denial of service attacks and counter strategies. IEEE/ACM Trans. Netw. – 2006. – No 14 (4). – С. 683-696.

discusseshowlow-intensityDoSaIacksonrou@ngprotocolsmaycauseavalancheeffectanddestroysubstan@alsegmentsoftheInternet.

ExperimentprovesthatsuchanaIackmaysucceedonlyinthepresenceofmanyfactors,includingroutersmisconfigura@on,substan@alamountofcompu@ngresources,andwell-coordinatedscenariooftheaIack.

Questions?

Thank you for your attention!