1 distributed denial of service attacks steven m. bellovin [email protected] smb
TRANSCRIPT
![Page 2: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/2.jpg)
2
What Are DDoS Tools?
Clog victim’s network. Use many sources (“daemons”) for
attacking traffic. Use “master” machines to control
the daemon attackers. At least 4 different versions in use:
TFN, TFN2K, Trinoo, Stacheldraht.
![Page 3: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/3.jpg)
3
How They Work
Victim
Daemon
Daemon
DaemonDaemon
Daemon
Master
Real Attacker
![Page 4: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/4.jpg)
4
Agile Attackers
Attack daemons implement many different types of DoS.
“Smurf” – use directed broadcast to ask many remote machines to contact victim.
“SYN Flood” – block access to given port number.
UDP and ICMP flood – simply clog link.
![Page 5: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/5.jpg)
5
Source-Address Spoofing
Every Internet packet carries a return address.
These tools use forged return addresses, partly to hide and (in one case) to trick other machines into attacking the victim.
Attacks from legal source addresses are relatively easy to block.
![Page 6: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/6.jpg)
6
How They Talk
Trinoo: attacker uses TCP; masters and daemons use UDP; password authentication.
TFN: attacker uses shell to invoke master; masters and daemons use ICMP ECHOREPLY.
Stacheldraht: attacker uses encrypted TCP connection to master; masters and daemons use TCP and ICMP ECHO REPLY; rcp used for auto-update.
![Page 7: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/7.jpg)
7
Deploying DDOS
Attackers seem to use standard, well-known holes (i.e., rpc.ttdbserver, amd, rpc.cmsd, rpc.mountd, rpc.statd, etc.).
They appear to have “auto-hack” tools – point, click, and invade.– Optional step: erase the log files; hide
program. Lesson: practice good computer
hygiene.
![Page 8: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/8.jpg)
8
Detecting DDOS Tools
Most current intrusion detection systems notice the current generation of tools.
They work by looking for DDOS control messages.
Naturally, these will change over time; in particular, more such messages will be properly encrypted. (A hacker PKI?)
![Page 9: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/9.jpg)
9
What are the Strong Defenses?
There aren’t any…
![Page 10: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/10.jpg)
10
What Can ISPs Do?
Deploy source address anti-spoof filters (very important!).
Turn off directed broadcasts. Develop security relationships with
neighbor ISPs. Set up mechanism for handling customer
security complaints. Develop traffic volume monitoring
techniques.
![Page 11: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/11.jpg)
11
Traffic Volume Monitoring
Look for too much traffic to a particular destination.
Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
Can we automate the tools – too many queue drops on an access router will trigger source detection?
![Page 12: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/12.jpg)
12
Can We Do Better Some Day?
ICMP Traceback message. Enhance newer congestion control
techniques, i.e., RED. Warning – both of these are untested
ideas. The second is a research topic.
![Page 13: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/13.jpg)
13
ICMP Traceback
For a very few packets (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
Net traffic increase at endpoint is about .1% -- probably acceptable.
Issues: authentication, loss of traceback packets, load on routers.
![Page 14: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/14.jpg)
14
Enhanced Congestion Control
Define an attack as “too many packets drops on a particular access line”.
Send upstream node a message telling it to drop more packets for this destination.
Traditional RED+penalty box works on flows; this works on destination alone.
Issues: authentication, fairness, effect on legitimate traffic, implementability, etc.
![Page 15: 1 Distributed Denial of Service Attacks Steven M. Bellovin smb@research.att.com smb](https://reader036.vdocument.in/reader036/viewer/2022083005/56649f145503460f94c2965d/html5/thumbnails/15.jpg)
15
References
From CERT: CA-99-17, CA-2000-01, IN-99-07. http://www.cert.org/reports/dsit_workshop.pdf Dave Dittrich’s analyses:
– http://staff.washington.edu/dittrich/misc/trinoo.analysis
– http://staff.washington.edu/dittrich/misc/tfn.analysis– http://staff.washington.edu/dittrich/misc/
stacheldraht.analysis Scanning tool: http://www.fbi.gov/nipc/trinoo.
htm IDS vendors, ICSA, etc.