Denial of Service

Distributed Denial Of Service?

Distributed Denial Of Service?

Unlike other forms of computer attacks, goal isn’t access or theft of information or services

The goal is to stop the service from operatingo To deny service to legitimate userso Slowing down may be good enough

This is usually a temporary effect that passes as soon as the attack stops

Denial of Service Attacks

Lots of waysoCrash the machineoOr put it into an infinite loopoCrash routers on the path to the machineoUse up a key machine resourceoUse up a key network resourceoDeny another service needed for this one (DNS)

Using up resources is the most common approach

How Can a Service Be Denied?

FloodsCongestion control exploitsUnexpected header valuesInvalid contentInvalid fragmentsLarge packetsImpersonation attacks

High-level Attack Categorization

Simple Denial of Service

7

One machine tries to bring down another machine

There is a fundamental problem for the attacker:o The attack machine must be “more powerful”

than the target machine to overload it ORo Attacker uses approaches other than flooding

The target machine might be a powerful server

Simple Denial of Service

Sometimes generating a request is cheaper than formulating a response e.g. sending a bogus packet is cheaper than decrypting this packet and checking that it’s bogus

If so, one attack machine can generate a lot of requests, and effectively multiply its power

Not always possible to achieve this asymmetry

This is called amplification effect

Denial of Service and Asymmetry

Use multiple machines to generate the workload

For any server of fixed power, enough attack machines working together can overload it

Enlist lots of machines and coordinate their attack on a single machine

DDoS “Solves” That Problem

Distributed Computing

Typical Attack Modus Operandi

Yes, attacks happen every dayo One study reported ~4,000 per week1

On a wide variety of targetsTend to be highly successfulThere are very few mechanisms that can

stop certain attacksThere have been successful attacks on

major commercial sites

Is DDoS a Real Problem?

1”Inferring Internet Denial of Service Activity,” Moore, Voelker, and Savage, Usenix Security Symposium, 2002

August 2009, hours-long service outageo44 million users affected

At the same time Facebook, LiveJournal, YouTube and Blogger were under attackoOnly some users experienced an outage

Real target: a Georgian blogger

DDoS on Twitter

Image borrowed from Wired.comarticle. Originallyprovided by Arbor

Networks

December 2010Parts of services went down brieflyAttack launched by a group of vigilantes

called AnonymousoBots recruited through social engineeringoDirected to download DDoS software and take

instructions from a masteroMotivation: Payback to services that cut their

support of WikiLeaks after their founder was arrested on unrelated charges

Several other services affected

DDoS on Mastercard and Visa

Most (if not all) sites could be rendered non-operational

The Internet could be largely flooded with garbage traffic

Essentially, the Internet could grind to a halto In the face of a very large attack

Almost any site could be put out of businesso With a moderate sized attack

Potential Effects of DDoS Attacks

Everyone connected to the Internet can be attacked

Everyone who uses Internet for crucial operations can suffer damages

Who Is Vulnerable?

But My Machines Are Well Secured!

18

Doesn’t matter!The problem isn’t your vulnerability, it’s everyone elses’

But I Have a Firewall!Doesn’t matter! Either the attacker slips his

traffic into legitimate trafficOr he attacks the firewall

But I Use a VPN! Doesn’t matter!

The attacker can fill your tunnel with garbageSure, you’ll detect it and discard it . . .But you’ll be so busy doing so that you’ll have no time for your real work

But I’m Heavily ProvisionedDoesn’t matter!The attacker can probably get enough resources to overcome any level of resources you buy

Widely available on the neto Easily downloaded along with source codeo Easily deployed and used

Automated code for: o Scanning – detection of vulnerable machines o Exploit – breaking into the machine o Infection – placing the attack code

Rootkitso Hide the attack code o Restart the attack codeo Keep open backdoors for attacker access

DDoS attack code

Attack Toolkits

Attacker can customize:o Type of attack

UDP flood, ICMP flood, TCP SYN flood, Smurf attack (broadcast ping flood)

Web server request flood, authentication request flood, DNS flood

o Victim IP addresso Durationo Packet sizeo Source IP spoofingo Dynamics (constant rate or pulsing)o Communication between master and slaves

DDoS Attack Code

You don’t need much knowledge or great skills to perpetrate DDoS

Toolkits allow unsophisticated users to become DDoS perpetrators in little time

DDoS is, unfortunately, a game anyone can play

Implications Of Attack Toolkits

Attackers follow defense approaches, adjust their code to bypass defenses

Use of subnet spoofing defeats ingress filtering

Use of encryption and decoy packets, IRC or P2P obscures master-slave communication

Encryption of attack packets defeats traffic analysis and signature detection

Pulsing attacks defeat slow defenses and traceback

Flash-crowd attacks generate application

traffic

DDoS Attack Trends

If we solve simple attacks, DDoS perpetrators will move on to more complex attacks

Recently seen trends:o Larger networks of attack machineso Rolling attacks from large number of machineso Attacks at higher semantic levelso Attacks on different types of network entitieso Attacks on DDoS defense mechanisms

Need flexible defenses that evolve with attacks

Implications For the Future