network security: network floodingyongdaek/courses/is511/... · 2019-10-23 · more interesting...
Post on 10-Mar-2020
2 Views
Preview:
TRANSCRIPT
Network Security: Network Flooding
Seungwon Shin, KAIST
Most slides from Dr. Dan Boneh and Darren Anstee
What is a Denial of Service Attack?
Goal take out a large site with little computing work
Network Bandwidth
Computing Power Processor
Memory
How: Amplification Small number of packets ⇒ big effect
Two types of amplification attacks DoS bug:
Design flaw allowing one machine to disrupt a service
DoS flood: Command bot-net to generate flood of requests
What is a Denial of Service Attack
An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity Effects the availability and utility of computing and network resources Attacks can be distributed for even more significant effect The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
Page 3 - Company Confidential
DDoS Primer
What is a Denial of Service attack? • An attempt to consume finite resources, exploit weaknesses in
software design or implementation, or exploit lack of infrastructure capacity
• Effects the availability and utility of computing and network resources
• Attacks can be distributed for even more significant effect
• The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
DATA CENTER
IPS
Load Balancer
Application-Layer DDoS Impact
Volumetric DDoS Impact
DoS or DDoS
DoS (Denial of Service) A DoS attack is targeted at a particular node (machine). Attempts to deny service to that node
Source of the attack: Single node: DoS (Denial of Service) attack Multiple nodes: DDoS (Distributed Denial of Service) attack
Which Layer?
Sample Dos at different layers (by order) Link TCP/UDP Application
Sad truth: Current Internet… not designed to handle DDoS attacks
Smurf Attack
Send ping request to broadcast address (ICMP Echo Req) Lots of responses:
Every host on target network generates a ping reply (ICMP Echo Reply) to victim
Smurf amplification DoS attack
gatewayDoSSource
DoSTarget
1 ICMP Echo ReqSrc: Dos TargetDest: brdct addr
3 ICMP Echo ReplyDest: Dos Target
6
Send ping request to broadcast addr (ICMP Echo Req) Lots of responses:
! Every host on target network generates a ping reply (ICMP Echo Reply) to victim
Prevention: reject external packets to broadcast address
DNS Amplification AttackModern day example (May ’06)
DNS QueryEDNS Reponse
DNS Amplification attack: ( ×50 amplification )
7
580,000 open resolvers on Internet (Kaminsky-Shiffman’06)
DNSServer
DoSSource
DoSTarget
DNS QuerySrcIP: Dos Target
(60 bytes)
EDNS Reponse
(3000 bytes)
TCP 3-way HandshakeReview: TCP Handshake
C S
SYN: ListeningSNC←randCANC←0
10
SYN/ACK:
ACK:
Store SNC , SNS
Wait
Established
SNS←randSANS←SNC
SN←SNCAN←SNS
TCP SYN FloodingTCP SYN Flood I: low rate (DoS bug)
C
SYNC1
SYN
S Single machine:
• SYN Packets withrandom source IPaddresses
11
SYNC2
SYNC3
SYNC4
SYNC5
addresses
• Fills up backlog queueon server
• No further connectionspossible
Why is it Vulnerable?
TCP backlog issue Backlog timeout:
3 minutes
Attacker need only send 128 SYN packets every 3 minutes. Low rate SYN flood
SYN Floods (phrack 48, no 13, 1996)
OSBacklog
queue size
Linux 1.2.x 10FreeBSD 2.1.5 128
12
FreeBSD 2.1.5 128WinNT 4.0 6
Backlog timeout: 3 minutes
⇒ Attacker need only send 128 SYN packets every 3 minutes.
⇒ Low rate SYN flood
Windows 2000 server: 80 Advanced Windows server: 400
Increase the backlog (Linux RedHat 7.3) # sysctl -w net.ipv4.tcp_max_syn_backlog="2048"
Backscatter Effect
SYN with forged source IP ⇒ SYN/ACK to random host
SYN floods: backscatter [MVS’01]
SYN with forged source IP ⇒ SYN/ACK to random host
16
TCP SYN Flood Case
MS Blaster worm (2003) Infected machines at noon on Aug 16th:
SYN flood on port 80 to windowsupdate.com
50 SYN packets every second.
each packet is 40 bytes.
Spoofed source IP: a.b.X.Y where X,Y random.
MS solution: new name: windowsupdate.microsoft.com Win update file delivered by Akamai
More Interesting Example: SQL Slammer
Damage history (extract): on Jan. 25, 2003
over 260,000 unique IP addresses infected by the Slammer worm within Internet Security Systems' monitored networks
Propagation of the worm overpowered Internet connections with millions of UDP/IP probes hours after the activity began.
ETH Zurich was not connected to the Internet for about 3 hours. Service for e-mail and web pages were only partially available.
On Feb. 5, 2003 (W)LAN for visitors and vendors at the Internet Expo in Zurich (with 330 vendors present) was not available due to SQL Slammer infections of vendor’s computers.
More Interesting Example: SQL Slammer
How the SQL Slammer DDoS attack works The amplifying network of zombies is built fast by worm spreading based on exploiting a system vulnerability System vulnerability
Exploit Microsoft SQL Servers and MSDE- enabled products vulnerable to the SQL Server resolution service buffer overflow.
Slammer's main function is propagation, sending 376 bytes of code across port 1434/UDP until the SQL Server shuts down
Scanning/infection/attack code is combined
Countermeasures: Patch the vulnerable SQL server installations Filter attack traffic to port 1434/UDP
SQL Slammer
DDoS with Botnet
DRDoS with Botnet
DRDoS Attack Distributed Reflector Denial of Service Reflectors are uncompromised machines. The slave zombies send packets to the reflectors with IP source addresses spoofed as the target
reflectors return packets to the target
The reflectors carry out the flooding rather than the slaves. More distributed than a typical DDoS attack.
DRDoS with Botnet
Application Level Attack
Command bot army to do the following operations make a TCP session send short HTTP HEAD request to a target keep sending
It can evade detection approaches TCP SYN flooding detection
However, attacker should use real IP addresses not spoofed ones reason why an attacker uses bots
DDoS classification
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms Mirkovic et al., ACM CCR 2004
DDoS Attack Mechanisms�
Manual (DA-1)�
Semi-automatic (DA-2)�
Automatic (DA-3)�
Direct (CM-1)�
Indirect (CM-2)�
Random (HSS-1)�
Hitlist (HSS-2)�
Signpost (HSS-3)�
Permutation (HSS-4)�
Local subnet (HSS-5)�
Central (PM-1)�
Back-chaining (PM-2)�
Autonomous (PM-3)�
Semantic (EW-1)�
Brute-force (EW-2)�
Filterable (RAVS-1)�
Non-filterable (RAVS-2)�
Characterizable (PC-1)�
Non-characterizable (PC-2)�
Constant rate (ARD-1)�
Variable rate (ARD-2)�
Increasing (RCM-1)�
Fluctuating (RCM-2)�
Disruptive (IV-1)�
Degrading (IV-2)�
Host (VT-2)�
Application (VT-1)�
Network (VT-4)�
Infrastructure (VT-5)�
Constant set (PAS-1)�
Variable (PAS-2)�
Spoofed (SAV-1)�
Valid (SAV-2)�
Non-routable (AR-2)�
Routable (AR-1)�
Random (ST-1)�
Subnet (ST-2)�
En route (ST-3)�
Classification by�
degree of automation (DA)�
Classification by�host scanning strategy (HSS)�
Classification by�
propagation mechanism (PM)�
Classification by�
communication mechanism (CM)�
Classification by�
attack rate dynamics (ARD)�
Classification by�
rate change mechanism (RCM)�
Classification by�
possibility of characterization (PC)�
Classification by�
relation of attack�to victim services (RAVS)�
Classification by�
source address validity (SAV)�
Classification by�victim type (VT)�
Classification by�
persistence of agent set (PAS)�
Classification by�
impact on the victim (IV)�
Self-recoverable (PDR-1)�
Human-recoverable (PDR-2)�
Classification by�
possibility of�
dynamic recovery (PDR)�
Classification by�
exploited weakness (EW)�
Classification by�
address routability (AR)�
Classification by�spoofing technique (ST)�
Non-recoverable (PDR-3)�Fixed (ST-4)�
Resource (VT-3)�
Horizontal (VSS-1)�
Vertical (VSS-2)�
Coordinated (VSS-3)�
Stealthy (VSS-4)�
Classification by vulnerability�
scanning strategy (VSS)�
Figure 1: Taxonomy of DDoS Attack Mechanisms
we diÆerentiate between attacks that deploy random scan-ning, hitlist scanning, signpost scanning, permutation scan-ning and local subnet scanning, using material presented in[72, 70]. Based on the vulnerability scanning strategy, wediÆerentiate between attacks that deploy horizontal scan-ning, vertical scanning, coordinated scanning and stealthyscanning, using material presented in [75, 69]. Attackersusually combine the scanning and exploit phases and ourdescription of scanning techniques relates to this model.
DA-2 and DA-3:HSS-1: Random ScanningDuring random scanning, each compromised host probesrandom addresses in the IP address space3, using a diÆer-ent seed. Code Red (CRv2) performed random scanning[53]. Random scanning potentially creates a high tra±c vol-ume. Since many scanned addresses are likely to be in diÆer-ent networks, there is a high amount of internetwork tra±c.Also, as infection reaches saturation point (a high percent-age of vulnerable machines are infected), duplicate probesto the same addresses escalate, as there is no synchroniza-tion of scanning attempts from diÆerent infected hosts. Thehigh tra±c volume can lead to attack detection.
DA-2 and DA-3:HSS-2: Hitlist ScanningA machine performing hitlist scanning probes all addressesfrom an externally supplied list. When it detects a vul-nerable machine, it sends a portion of the initial hitlist tothe recipient and keeps the rest. Hitlist scanning allows forgreat propagation speed and no collisions during the scan-ning phase. If an attacker compiled a list of all vulnerable In-
3Some researchers have pointed out that this scanning isonly eÆective in densely populated IPv4 address space, andwould be less successful in a vast, sparsely populated IPv6address space.
ternet machines (flash worm [70]) he could infect entire pop-ulation within 30 seconds. The disadvantage to the attackeris that the hitlist needs to be assembled in advance. Theinformation is collected through some inconspicuous meanssuch as using public information on machines running vul-nerable software (e.g., found at netscan.org) or using slowscans over several months or years. Another disadvantageis that the portion of the hitlist needs to be transmitted tomachines that are being infected. If the list is too large, thistra±c might be of high volume and lead to attack detection;if it is too small, it will generate a small agent population.
DA-2 and DA-3:HSS-3: Signpost ScanningSignpost scanning (also called topological scanning in [72,70]) takes advantage of habitual communication patterns ofthe compromised host to select new targets. E-mail wormsuse signpost scanning, exploiting the information from ad-dress books of compromised machines for their spread. AWeb-server-based worm could spread by infecting each vul-nerable Web browser of clients that click on the server’s Webpage, and then further infecting servers of subsequent Webpages visited by these clients (this worm is called contagionworm in [70]). Signpost scanning does not generate a hightra±c load and thus reduces chances of attack detection.The drawback is that the spreading speed depends on agentmachines and their user behavior, i.e. it is not controllableby the attacker. The recruitment thus may be slower andless complete than with other scanning techniques.
DA-2 and DA-3:HSS-4: Permutation ScanningDuring permutation scanning, all compromised machinesshare a common pseudo-random permutation of the IP ad-dress space; each IP address is mapped to an index in thispermutation. Permutation scanning is preceded by small
ACM SIGCOMM Computer Communications Review Volume 34, Number 2: April 200442
DDoS Defense - next class
Attack Countermeasure Options
Example Description
Network Level Device
Software patches, packet filtering
Ingress and Egress Filtering
Software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network.
OS Level SYN Cookies, drop backlog connections, shorten timeout time
SYN Cookies Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks.
Application Level Attacks
Intrusion Detection System
GuardDog, other vendors.
Software used to detect illicit activity.
Data Flood (Amplification, Oscillation, Simple Flooding)
Replication and Load Balancing
Akami/Digital Island provide content distribution.
Extend the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks.
Protocol Feature Attacks
Extend protocols to support security.
ITEF standard for itrace, DNSSEC
Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.
by Dr. Ruby Lee
DDoS Trend
DDoS Trend - CISCO
Manually (hack to servers) Non critical Protocols
(eg ICMP)
Distribution Management # Attackers
(Bandwidth) Type of attack Protection
Spoofed SYN • Enterprise level • Firewall/ • ACL access routers
X0-X00 attackers (X0 Mbps)
─ Email attach ─ Download from questionable site ─ via �chat� ─ ICQ, AIM, IRC ─ Worms
~X00-X,000 Attackers (X00 Mbps)
Via botnets
• ISP/IDC • Blackhole • ACL • DDoS solutions
• All type of applicatios (HTTP, DNS, SMTP) • Spoofed SYN
Manually
Manually ─ Email attach ─ via �chat� ICQ, AIM, IRC…
~X00,000 attackers (X-X0 Gbps)
• Legitimate requests • Infrastructure elements (DNS, SMTP, HTTP…)
• Blackhole (?) • ACL (?) • DDoS solutions • Anycast (?)
DDoS Trend - from Akamai Report (2015)
Summary DDoS attacks, Q4 2015 vs. Q4 2014
148.85% increase in total DDoS attacks 168.82% increase in infrastructure layer
DDoS attacks, Q4 2015 vs. Q3 2015 39.89% increase in total DDoS attacks 42.38% increase in infrastructure layer
Web application attacks, Q4 2015 vs. Q3 2015 28.10% increase in total web application attacks 28.65% increase in web application
12.19% increase in SQL attacks
13 akamai’s [state of the internet] / secur i ty / Q4 2015 / www.stateoftheinternet.com
[SECTION]2 = DDOS ACTIVITY
Percentage
Infra
stru
ctur
e La
yer D
DoS
0 5 10 15 20 25
Other
UDPFragment
UDPFloods
NTP
SYN
SSDP
TCPAnomaly
ICMP
DNS
CHARGEN
ACK 3.36%
9.34%
13.27%
1.38%
3.17%
RIP 1.19%
RESET 1.00%
7.53%
10.40%
14.27%
9.40%
21.01%
1.58%
App
licat
ion
Laye
r DD
oS
PUSH
HTTP POST
HEAD 0.08%
HTTP GET 2.17%
0.35%
0.51%
FIN Floods (0.19%)RP (0.14%)RPC (0.46%)NetBIOS (0.35%)
Sentinel (0.03%)SNMP (0.30%)SYN PUSH (0.03%)XMAS (0.08%)
ApplicationLayer DDoS
3.11%
InfrastructureLayer DDoS
96.89%
DDoS Attack Vector Frequency, Q4 2015
Figure 2-1: Of the 24 DDoS attack vectors tracked this quarter, four — UDP Fragment, NTP, SYN and DNS — made up almost 60% of the attacks
24 akamai’s [state of the internet] / secur i ty / Q4 2015 / www.stateoftheinternet.com
The xor and BillGates malware share similarities with the Spike DDoS toolkit,3 a multi-platform toolkit first profiled by Akamai sirt in 2014. Spike targets both Windows and Linux machines as well as routers and other Internet-enabled devices, for infection. While the xor and BillGates DDoS attacks have originated from Linux hosts, the possibility exists for Windows, embedded devices and routers to join in on the attacks.
2.4 / DDoS Attack Source Countries / The uk was the top source of attack traffic in q3 2015, but in q4 it fell to ninth place, as shown in Figure 2-9. China returned to the number one spot, while Turkey was the second-largest source of attack traffic. Attack traffic from the uk didn’t decrease overall, but traffic increased enough from China, Turkey and the us to affect the relative rankings.
A comparison of top source countries over the past five quarters is shown in Figure 2-10.
It is important to note that source country is based primarily on application traffic that requires a complete connection. Infrastructure traffic, such as udp, is easily spoofed, and therefore is not used in this metric.
24 akamai’s [state of the internet] / secur i ty / Q3 2015 / www.stateoftheinternet.com
[SECTION]2 = DDOS ACTIVITY
Top 10 Source Countries for DDoS Attacks, Q4 2015
Figure 2-9: In Q4 2015, DDoS attacks were most commonly observed coming from China, Turkey and the US
India 3%UK 3%
Spain 3%Taiwan 4%
Indonesia 5%
China28%
Turkey22%
US15%
Korea9%
Mexico8%
[SECTION]2 = DDOS ACTIVITY
Percentage
Figure 2-10: While the US and China have been in the top five every quarter, Q4 2015 marks the first time that Turkey has made the list
0 5 10 15 20 25 4030 35
Top 5 Source Countries for DDoS Attacks, Q4 2014 – Q4 2015
Mexico
Korea
US
Turkey
China
8.37%
8.52%
15.03%
21.99%
27.67%
Q4
2015
Spain
India
US
China
UK
6.87%
6.95%
17.04%
20.70%
25.60%
Q3
2015
Spain
India
UK
US
China
6.03%
7.43%
10.21%
17.88%
37.01%
Q2
2015
Spain
Italy
US
Germany
China
7.29%
8.38%
12.18%
17.39%
23.45%Q
1 20
15
France
Mexico
Germany
China
US
7.64%
11.69%
12.00%
17.60%
31.54%
Q4
2014
25 akamai’s [state of the internet] / secur i ty / Q4 2015 / www.stateoftheinternet.com
26 akamai’s [state of the internet] / secur i ty / Q4 2015 / www.stateoftheinternet.com
2.5 / DDoS Attacks by Industry / The online gaming sector was hit particularly hard in q4 2015, accounting for 54% of all DDoS attacks, as shown in Figure 2-11. Gaming was followed by software and technology, which suffered 23% of all attacks in q4. Financial services (7%), media and entertainment (5%), Internet and telecom (4%), retail and consumer goods (3%), education (3%), and the public sector (1%) rounded out the targeted industries.
Online gaming / Online gaming has remained the most targeted industry since q2 2014. In q4 2014, attacks were fueled by malicious actors seeking to gain media attention or notoriety from peer groups, to damage reputations and to cause disruptions in gaming services. Some of the largest console gaming networks were
[SECTION]2 = DDOS ACTIVITY
Software & Technology
Retail & Consumer Goods
Public Sector
Media & Entertainment
Internet & Telecom
Hotel & Travel
Gaming
Financial Services
Education
Business Services
0 5 10 15 20 25 30 35 50 55 604540
Q4 2015Q3 2015
25.33%23.03%
4.72%4.20%
0.40%0.05%
50.00%54.45%
2.66%2.50%
7.78%6.84%
0.15%0.07%
4.99%4.70%
1.06%1.35%
2.99%2.75%
Percentage
DDoS Attack Frequency by Industry
Figure 2-11: The gaming and software & technology industries were targeted 77% of the time in Q4 2015, up from 75% in Q3 2015
Another trend we’ve started exploring is the number of repeat attacks against the same organization. There were an average of 13 attack events per customer in q4 2014, 17 attack events per customer in q3 2015 and 24 attacks per customer in q4 2015. Where in the past, many attackers would see that a site or network was protected and move on, the latest trend is for attackers to keep hammering away at high-value organizations regardless of effect, looking for a moment when defenses might drop.
2.7 / Reflection DDoS Attacks, Q4 2014 – Q4 2015 / Last quarter, we introduced what is known as a Sankey graphic. Sankey diagrams help to visualize energy, material, or cost transfers between processes.
The Sankey graphic in Figure 2-14 shows how DDoS reflection attacks have trended during the past five quarters. Through the routed network, we tracked nine infrastructure layer DDoS reflection vectors. The most used vectors seem to correlate with the number of Internet devices that use these specific service protocols for legitimate purposes.
[SECTION]2 = DDOS ACTIVITY
Reflection DDoS Attacks, Q4 2014 – Q4 2015
Figure 2-14: SSDP, NTP, DNS and CHARGEN have consistently been used as the most common reflection attack vectors, as can be seen on the left axis, and the use of reflection attacks has increased dramatically since Q4 2014, as shown on the right axis
31 akamai’s [state of the internet] / secur i ty / Q4 2015 / www.stateoftheinternet.com
Top 10 Reflection Sources by ASN, Q4 2015
Figure 4-2: Four of the top ASNs used in reflection attacks were based in Asia, four were based in the Americas and two were based in Europe
35%
23%
8%
7%
6%
5%
5%4%
4% 3%ASN 4837 (CNCGROUP China169 Backbone)
ASN 4134 (CHINANET-BACKBONE)
ASN 12874 (Fastweb SpA)
ASN 17676 (GIGAINFRA Softbank BB Corp.)
ASN 28573 (CLARO S.A.)
ASN 6327 (Shaw Communications Inc.)
ASN 22773 (Cox Communications Inc.)
ASN 20115 (Charter Communications)
ASN 9299 (Philippine Long Distance Telephone Company)ASN 9121 (TTNET Turk Telekomunikasyon Anonim Sirketi)
57 akamai’s [state of the internet] / secur i ty / Q4 2015 / www.stateoftheinternet.com
DDoS Reflector Heat Map, Q4 2015
Figure 4-3: The location of vulnerable devices used in reflection-based attacks during Q4 2015 was concentrated in the US, Asia and Europe
[SECTION]4 = AKAMAI INTELLIGENT™ PLATFORM FIREWALL ACTIVITY
37 akamai’s [state of the internet] / secur i ty / Q4 2015 / www.stateoftheinternet.com
SQLi was the second highest attack vector of the quarter (27%), followed by PHPi with 24%. SQLi is popularly linked in the public eye with database dumps. If an attack is successful, the actor may also gain the ability to modify the database tables or records themselves for their own malicious purposes.
Encrypting connections over https does not necessarily provide any additional protection mechanisms for web applications against the attackers, as they tend to shift to https to follow through on vulnerable applications. The distribution of attack vectors over https is shown in Figure 3-3.
Figure 3-1: Only 11% of the web application attacks observed in Q4 2015 were over encrypted (HTTPS) connections
Web Application Attacks Over HTTP vs. HTTPSHTTP (89%) HTTPS (11%)
LFI 41.05%SQLi 27.00%PHPi 24.32%XSS 4.70%Shellshock 1.28%
RFI 0.82%MFU 0.63%CMDi 0.17%JAVAi 0.02%
Web Application Attack Vectors Over HTTP, Q4 2015
Figure 3-2: The three most popular attack vectors — LFI, SQLi and PHPi — were used in more than 92% of the attacks over HTTP
[SECTION]3 = WEB APPLICATION ATTACK ACTIVITY
top related