Distributed Denial-of-Service (DDoS)
Posted on 16-Jan-2016
Distributed Denial-of-Service (DDoS)
Ho Jeong An
CSE 525 – Adv. Networking
Reading Group #8
Reading Group #8 – DDoS
Papers
F. Kargl, J. Maier, M. Weber, "Protecting Web Servers from Distributed Denial of Service Attacks", WWW 2001
V. Paxson, "An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks", CCR vol. 31, no. 3, July 2001
Catherine Meadows, "A cost-based framework for analysis of denial of service in networks", Journal of Computer Security, 9(1–2):143–164, 2001
Classification of IT Attacks
Denial of Service (DoS): the main goal of the attack is the disruption of service
Intrusion: the intention is simply to get access to the system and to circumvent certain barriers
Information Theft: the main goal of the attack is access to restricted, sensitive information
Modification: the attacker tries to alter information
Definition of DoS
WWW Security FAQ (http://www.w3.org/Security/FAQ): "… an attack designed to render a computer or network incapable of providing normal services …"
J.D. Howard (http://www.cert.org): "… Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied …"
Definition of DDoS
WWW Security FAQ (http://www.w3.org/Security/FAQ): "… A Distributed Denial of Service attack uses many computers to launch a coordinated DoS attack against one or more targets. …"
DoS attack Classification
System attacked: router, firewall, load balancer, individual web server, supporting services (e.g. database servers)
Part of the system attacked: hardware failure, OS or TCP/IP stack of host/router, application level (e.g. web server, database servers)
Bug or overload: bugs, overload
DoS attack Classification – Examples
Bugs: Cisco 7xxx routers with IOS/700 software version 4.1(1)/4.1(2) (router); Jolt2, targeting most Microsoft Windows systems (98/NT4/2000) (OS/TCP/IP stack); MS IIS version 4.0/5.0 (application)
Overload: Smurf, SYN flood (OS/TCP/IP stack); Apache MIME flooding / Apache Sioux attack (application)
DDoS tools
Trinoo: known as one of the first DDoS tools; UDP flooding
Tribe Flood Network (TFN): Trinoo's UDP flooding plus TCP SYN and ICMP flooding
TFN2K: encrypted communication between components; TARGA attack
stacheldraht: ICMP, UDP and TCP SYN flooding; agents are updated automatically
DDoS Protection Environment
Linux kernel: immune to Teardrop and TARGA; SYN cookies (net.ipv4.tcp_syncookies) enabled against SYN flood attacks
Load balancer: Linux Virtual Server against overload attacks
DDoS Protection Environment – ipchains Firewall
Only port 80 is reachable directly
Only ICMP host unreachable messages are accepted
Class Based Queuing (CBQ): a function of the Linux kernel. Set up different traffic queues, determine which packets go into which queue, and assign a bandwidth to each queue
DDoS Protection Environment – Traffic Monitor
Monitor: thread 1 monitors incoming and outgoing packets; thread 2 checks the hashtable; thread 3 is the server thread
Manager: analyzes the supplied data and sorts the source IPs into one of several classes, class 1 through class 4
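To make the monitor/manager split concrete, here is an added illustration in the spirit of the Kargl, Maier and Weber traffic monitor; it is not the paper's code. Per-source request timestamps are kept in a hashtable (a dict keyed by source IP) and a manager classifies each source into class 1 (normal) through class 4 (flood) by its request rate over a sliding window, then maps the class to a CBQ queue. The window length, the class thresholds, the queue names and the sample log lines are assumptions constructed for this example.

```python
"""Rate-based traffic monitor and class manager (added example, not from the paper).

Class thresholds, window length and the class-to-CBQ-queue mapping below are
assumptions chosen for illustration; the paper only says sources are sorted
into classes 1 through 4 and fed to class based queuing.
"""
from collections import defaultdict, deque
from ipaddress import ip_address

WINDOW = 10.0                                     # seconds of history per source (assumed)
CLASS_THRESHOLDS = [(4, 200), (3, 50), (2, 10)]   # (class, minimum requests in window), assumed
CBQ_QUEUE = {1: "q_normal", 2: "q_suspect", 3: "q_slow", 4: "q_starve"}  # assumed queue names


class TrafficMonitor:
    def __init__(self, window=WINDOW):
        self.window = window
        self.hits = defaultdict(deque)            # the "hashtable": src ip -> request timestamps

    def record(self, src, ts):
        """Thread 1 in the paper: count one inbound request from src at time ts."""
        ip_address(src)                           # reject malformed addresses early
        q = self.hits[src]
        q.append(ts)
        self._expire(q, ts)

    def _expire(self, q, now):
        # Thread 2 in the paper: drop entries older than the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def rate(self, src, now):
        q = self.hits.get(src)
        if not q:
            return 0
        self._expire(q, now)
        return len(q)

    def classify(self, src, now):
        """Manager: sort src into class 1..4 by its request rate (highest class wins)."""
        n = self.rate(src, now)
        for cls, threshold in CLASS_THRESHOLDS:
            if n >= threshold:
                return cls
        return 1

    def queue_for(self, src, now):
        """Which CBQ queue the kernel should put this source's packets into."""
        return CBQ_QUEUE[self.classify(src, now)]


def classify_log(lines, now):
    """Feed constructed 'timestamp src_ip' lines to a monitor; return {src: class}."""
    mon = TrafficMonitor()
    for line in lines:
        ts, src = line.split()
        mon.record(src, float(ts))
    return {src: mon.classify(src, now) for src in mon.hits}


# Constructed sample log: a normal client, a busier one, a flooder, and a
# source whose burst lies entirely outside the window at evaluation time.
SAMPLE_LOG = (
    [f"{100.0 + i * 2.0} 203.0.113.5" for i in range(5)]        # 5 requests in window
    + [f"{100.0 + i * 0.5} 198.51.100.9" for i in range(20)]    # 20 requests in window
    + [f"{101.0 + i * 0.01} 192.0.2.77" for i in range(250)]    # 250 requests: flood
    + [f"{50.0 + i * 0.01} 192.0.2.78" for i in range(250)]     # old burst, already expired
)

if __name__ == "__main__":
    for src, cls in sorted(classify_log(SAMPLE_LOG, now=110.0).items()):
        print(f"{src:14} class {cls} -> {CBQ_QUEUE[cls]}")
```

Note that a sliding window means a source is demoted again once its burst ages out, which is the behaviour you want when the "attacker" was a misclassified proxy or NAT gateway; starving rather than dropping class 4 traffic is the same idea as the paper's class based queuing.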
Test 1: HTTP attack using http_load against a static HTML database
Conclusion
DDoS attacks are a substantial threat to today's Internet infrastructure
The solution to the problem of handling massive HTTP request overload is based on class based routing and active traffic monitoring
DDoS attack using reflectors
Reflector: any IP host that will return a packet if it receives a request, e.g. any web server, DNS server or router (ICMP)
The victim eventually receives a "huge" number of messages, clogging every single path to the victim from the rest of the Internet
Defense against reflectors
Ingress filtering: requires widespread deployment of filtering
Filtering the traffic generated by reflectors: our pick
Reflectors enabling filtering themselves: enormous deployment difficulties
Deploying a traceback mechanism
IDS: requires widespread deployment of security technology
Filtering out reflector replies – IP
version, header length, TOS/DSCP, length, ID, fragments, TTL, protocol, checksum, source, destination
Filtering out reflector replies – ICMP
request/response; generated ICMP messages
Filtering out reflector replies – TCP
source port; SYN, ACK, RST; guessable sequence number; T/TCP
Filtering out reflector replies – UDP
DNS reply; DNS recursive query; SNMP; HTTP proxy server; Gnutella (TCP application); other UDP applications
Implications of reflector attacks for traceback
A major advantage to attackers in using reflectors in DDoS attacks is that traceback becomes difficult
Low-volume flows: SPIE; HTTP proxies: logging; reverse ITRACE
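The filtering slides above list header fields, but the actual discriminator for a reflected reply is that the victim never sent the request it answers: the reflector's source address is genuine, so spoofing filters cannot catch it. The following added example (not code from Paxson's paper) shows that stateful check for the three reply types the talk singles out, TCP SYN-ACK/RST, DNS replies and ICMP echo replies. Packets are plain dicts standing in for parsed headers; the field names, the victim address and the sample packets are constructed for this example.

```python
"""Stateful filter for reflector replies (added example, not from the paper).

A reply is accepted only if the protected host is known to have sent the
matching request. Packet dicts and their field names are an assumption of
this example; a real deployment would take them from the parsed headers.
"""

class ReplyFilter:
    def __init__(self):
        self.tcp = set()    # (local_ip, local_port, remote_ip, remote_port) with a SYN sent
        self.dns = set()    # (local_ip, local_port, server_ip, txid) queries in flight
        self.icmp = set()   # (local_ip, remote_ip, echo_id, seq) echo requests in flight

    def outbound(self, pkt):
        """Record requests that legitimately expect a reply."""
        p = pkt["proto"]
        if p == "tcp" and pkt["flags"] == {"SYN"}:
            self.tcp.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        elif p == "udp" and pkt["dport"] == 53:
            self.dns.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["txid"]))
        elif p == "icmp" and pkt["type"] == 8:          # echo request
            self.icmp.add((pkt["src"], pkt["dst"], pkt["id"], pkt["seq"]))

    def inbound(self, pkt):
        """Return 'accept' or 'drop:<reason>' for a packet arriving at the host."""
        p = pkt["proto"]
        if p == "tcp":
            flags = pkt["flags"]
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if flags == {"SYN", "ACK"} or "RST" in flags:
                # A SYN-ACK or RST only makes sense if we opened the connection.
                if key in self.tcp:
                    if "RST" in flags:
                        self.tcp.discard(key)
                    return "accept"
                return "drop:unsolicited tcp reply"
            return "accept"       # other TCP segments: normal connection tracking
        if p == "udp" and pkt["sport"] == 53:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["txid"])
            if key in self.dns:
                self.dns.discard(key)                   # one reply per query
                return "accept"
            return "drop:unsolicited dns reply"
        if p == "icmp" and pkt["type"] == 0:            # echo reply
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            if key in self.icmp:
                self.icmp.discard(key)
                return "accept"
            return "drop:unsolicited icmp echo reply"
        return "accept"


VICTIM = "192.0.2.10"   # constructed address of the protected host

def run_sample():
    """Replay constructed traffic; return {scenario: verdict}."""
    f = ReplyFilter()
    # Requests the protected host really sent.
    f.outbound({"proto": "tcp", "src": VICTIM, "sport": 40001, "dst": "203.0.113.1", "dport": 80, "flags": {"SYN"}})
    f.outbound({"proto": "udp", "src": VICTIM, "sport": 50000, "dst": "198.51.100.53", "dport": 53, "txid": 0x1234})
    f.outbound({"proto": "icmp", "src": VICTIM, "dst": "203.0.113.1", "type": 8, "id": 7, "seq": 1})
    inbound = {
        "legit syn-ack":       {"proto": "tcp", "src": "203.0.113.1", "sport": 80, "dst": VICTIM, "dport": 40001, "flags": {"SYN", "ACK"}},
        "legit dns reply":     {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": VICTIM, "dport": 50000, "txid": 0x1234},
        "legit echo reply":    {"proto": "icmp", "src": "203.0.113.1", "dst": VICTIM, "type": 0, "id": 7, "seq": 1},
        # Reflected traffic: genuine reflector addresses, but the victim never asked.
        "reflected syn-ack":   {"proto": "tcp", "src": "203.0.113.2", "sport": 80, "dst": VICTIM, "dport": 1234, "flags": {"SYN", "ACK"}},
        "reflected rst":       {"proto": "tcp", "src": "203.0.113.3", "sport": 80, "dst": VICTIM, "dport": 1234, "flags": {"RST", "ACK"}},
        "reflected dns reply": {"proto": "udp", "src": "198.51.100.2", "sport": 53, "dst": VICTIM, "dport": 53, "txid": 0x0001},
        "reflected echo reply":{"proto": "icmp", "src": "203.0.113.9", "dst": VICTIM, "type": 0, "id": 1, "seq": 1},
        "replayed dns reply":  {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": VICTIM, "dport": 50000, "txid": 0x1234},
    }
    return {name: f.inbound(pkt) for name, pkt in inbound.items()}

if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:22} {verdict}")
```

The filter protects the victim's link only up to the filter itself; as the slides say, the clogging happens on every path into the victim, so in practice this state has to live upstream (at the ISP border) or in the reflectors' own egress policy. It also does nothing about the "guessable sequence number" case, where the attacker completes a spoofed handshake with the reflector and has it send full responses: those arrive as established-connection data, not SYN-ACKs, and need per-connection state the victim never created, which is exactly why that case heads the talk's list of major threats.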
Conclusion
DDoS attacks using reflectors pose several significant threats
The most serious are TCP reflectors with guessable sequence numbers, DNS queries to name servers, and Gnutella
Defender vs. Attacker
Defense against attack: increase the resources of the defender; introduce authentication
Goal of the attacker: waste the resources of the defender; keep the defender from learning the attacker's identity
Formal methods are a good way of addressing these problems
Station to Station protocol
The Station to Station protocol makes use of the Diffie-Hellman protocol together with digital signatures in order to exchange and authenticate keys between two principals.
A → B: X_A
B → A: X_B, E_K(S_B(X_B, X_A))
A → B: E_K(S_A(X_A, X_B))
Station to Station protocol (annotated: sender's operations || message || receiver's processing and verification events)
A → B: preexp_1, storename_1 || X_A || storeonce_1, storename_2, accept_1
B → A: preexp_1, sign_1, exp_1, encrypt_1 || X_B, E_K(S_B(X_B, X_A)) || checkname_1, retrievenonce_1, exp_2, decrypt_1, checksig_1, accept_2
A → B: sign_2, encrypt_2 || E_K(S_A(X_A, X_B)) || checkname_2, retrievenonce_2, decrypt_2, checksig_2, accept_3
Station to Station protocol
Compute the attack cost functions and the protocol engagement cost functions for each accept event
Compute the attack cost functions and the message processing cost functions for each verification event
Station to Station protocol
It is vulnerable to DoS attack in several places
First message: B performs its expensive operations (sign, exp, encrypt) before anything about A has been verified, so an intruder can trigger them for the cost of sending X_A; an intruder could also mount Lowe's attack
Solution: cookie exchange before the expensive work; against Lowe's attack, include the identity of the intended receiver in the signed message
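The two slides above describe the computation (attack cost versus engagement/message-processing cost at each accept and verification event) and the conclusion (B's first-message processing is not tolerable without a cookie exchange). The following added example runs that computation over B's annotated event sequence; it is not Meadows' own tool. The three cost levels, the per-event costs, the attacker's cost to pass each verification, the tolerance relation and the modelling of the cookie exchange are assumptions of this example, chosen to match the paper's qualitative argument.

```python
"""Cost-based DoS analysis of Station-to-Station, after Meadows (added example).

For each event in B's sequence we compute the defender's cumulative cost
(message processing cost) and the attacker's cost to make B reach that event
(the cost of passing every verification before it), then check the pair
against a tolerance relation. All cost assignments below are assumptions.
"""
LEVELS = ["cheap", "medium", "expensive"]

def combine(*costs):
    """Costs are totally ordered here and 'add' by saturating to the maximum
    (assumption; Meadows allows more general cost monoids)."""
    return max(costs, key=LEVELS.index) if costs else "cheap"

# (event, defender cost, attacker cost to pass it if it is a verification, else None).
# Pass costs (assumed): storeonce -- send any fresh value; checkname -- names are
# public; checkcookie -- attacker must receive the cookie, i.e. use a traceable
# address or sniff the path; checksig -- needs A's private key.
STS_B = [
    ("storeonce_1",     "cheap",     "cheap"),
    ("storename_2",     "cheap",     None),
    ("accept_1",        "cheap",     None),
    ("preexp_1",        "cheap",     None),        # g^y precomputed offline
    ("sign_1",          "expensive", None),
    ("exp_1",           "medium",    None),        # X_A^y
    ("encrypt_1",       "medium",    None),
    ("checkname_2",     "cheap",     "cheap"),
    ("retrievenonce_2", "cheap",     None),
    ("decrypt_2",       "medium",    None),
    ("checksig_2",      "medium",    "expensive"),
    ("accept_3",        "cheap",     None),
]

def with_cookie(events):
    """Insert a cookie exchange after accept_1: B sends a stateless cookie and
    does no expensive work until it comes back (assumed modelling)."""
    out = []
    for ev in events:
        out.append(ev)
        if ev[0] == "accept_1":
            out += [("sendcookie", "cheap", None), ("checkcookie", "cheap", "medium")]
    return out

def tolerable(defender, attacker):
    """Assumed tolerance relation: every (defender, attacker) pair is accepted
    except the defender doing expensive work for an attacker who spent only
    cheap effort."""
    return not (defender == "expensive" and attacker == "cheap")

def analyse(events):
    """Return [(event, defender cumulative cost, attacker cost to reach it, tolerable)]."""
    report, defender_costs, attacker_costs = [], [], []
    for name, cost, pass_cost in events:
        defender_costs.append(cost)
        d = combine(*defender_costs)        # message processing cost up to this event
        a = combine(*attacker_costs)        # verifications the attacker had to pass
        report.append((name, d, a, tolerable(d, a)))
        if pass_cost is not None:           # to go further the attacker must pass this check
            attacker_costs.append(pass_cost)
    return report

def violations(events):
    return [name for name, d, a, ok in analyse(events) if not ok]

if __name__ == "__main__":
    for label, evs in (("STS as specified", STS_B), ("STS with cookie exchange", with_cookie(STS_B))):
        print(label)
        for name, d, a, ok in analyse(evs):
            print(f"  {name:16} defender={d:9} attacker={a:9} {'ok' if ok else 'NOT TOLERABLE'}")
```

With the costs as assumed, the first violation is at sign_1: B's cumulative cost becomes expensive while the attacker has only passed storeonce_1 at cheap cost, which is the DoS the slide calls out; every event up to checksig_2 inherits that verdict, and only accept_3, reachable solely by passing checksig_2, is tolerable. Inserting the cookie exchange raises the attacker's cost to medium before sign_1 and clears every event. Changing the tolerance relation or the per-event costs is the point of the framework: the same table answers whether, say, an expensive signature verification on the third message is acceptable for a given attacker model.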
Conclusion
This framework shows how existing tools and methods could be adapted to analyze protocols against DoS attacks.