denial of service
DESCRIPTION
Denial of Service. Distributed Denial Of Service?. Distributed Denial Of Service?. Denial of Service Attacks. Unlike other forms of computer attacks, goal isn’t access or theft of information or services The goal is to stop the service from operating To deny service to legitimate users - PowerPoint PPT PresentationTRANSCRIPT
Denial of Service
Distributed Denial Of Service?
Distributed Denial Of Service?
Unlike other forms of computer attacks, goal isn’t access or theft of information or services
The goal is to stop the service from operatingo To deny service to legitimate userso Slowing down may be good enough
This is usually a temporary effect that passes as soon as the attack stops
Denial of Service Attacks
Lots of waysoCrash the machineoOr put it into an infinite loopoCrash routers on the path to the machineoUse up a key machine resourceoUse up a key network resourceoDeny another service needed for this one (DNS)
Using up resources is the most common approach
How Can a Service Be Denied?
FloodsCongestion control exploitsUnexpected header valuesInvalid contentInvalid fragmentsLarge packetsImpersonation attacks
High-level Attack Categorization
Simple Denial of Service
7
One machine tries to bring down another machine
There is a fundamental problem for the attacker:o The attack machine must be “more powerful”
than the target machine to overload it ORo Attacker uses approaches other than flooding
The target machine might be a powerful server
Simple Denial of Service
Sometimes generating a request is cheaper than formulating a response e.g. sending a bogus packet is cheaper than decrypting this packet and checking that it’s bogus
If so, one attack machine can generate a lot of requests, and effectively multiply its power
Not always possible to achieve this asymmetry
This is called amplification effect
Denial of Service and Asymmetry
Use multiple machines to generate the workload
For any server of fixed power, enough attack machines working together can overload it
Enlist lots of machines and coordinate their attack on a single machine
DDoS “Solves” That Problem
Distributed Computing
Typical Attack Modus Operandi
Yes, attacks happen every dayo One study reported ~4,000 per week1
On a wide variety of targetsTend to be highly successfulThere are very few mechanisms that can
stop certain attacksThere have been successful attacks on
major commercial sites
Is DDoS a Real Problem?
1”Inferring Internet Denial of Service Activity,” Moore, Voelker, and Savage, Usenix Security Symposium, 2002
August 2009, hours-long service outageo44 million users affected
At the same time Facebook, LiveJournal, YouTube and Blogger were under attackoOnly some users experienced an outage
Real target: a Georgian blogger
DDoS on Twitter
Image borrowed from Wired.comarticle. Originallyprovided by Arbor
Networks
December 2010Parts of services went down brieflyAttack launched by a group of vigilantes
called AnonymousoBots recruited through social engineeringoDirected to download DDoS software and take
instructions from a masteroMotivation: Payback to services that cut their
support of WikiLeaks after their founder was arrested on unrelated charges
Several other services affected
DDoS on Mastercard and Visa
Most (if not all) sites could be rendered non-operational
The Internet could be largely flooded with garbage traffic
Essentially, the Internet could grind to a halto In the face of a very large attack
Almost any site could be put out of businesso With a moderate sized attack
Potential Effects of DDoS Attacks
Everyone connected to the Internet can be attacked
Everyone who uses Internet for crucial operations can suffer damages
Who Is Vulnerable?
But My Machines Are Well Secured!
18
Doesn’t matter!The problem isn’t your vulnerability, it’s everyone elses’
But I Have a Firewall!Doesn’t matter! Either the attacker slips his
traffic into legitimate trafficOr he attacks the firewall
But I Use a VPN! Doesn’t matter!
The attacker can fill your tunnel with garbageSure, you’ll detect it and discard it . . .But you’ll be so busy doing so that you’ll have no time for your real work
But I’m Heavily ProvisionedDoesn’t matter!The attacker can probably get enough resources to overcome any level of resources you buy
Widely available on the neto Easily downloaded along with source codeo Easily deployed and used
Automated code for: o Scanning – detection of vulnerable machines o Exploit – breaking into the machine o Infection – placing the attack code
Rootkitso Hide the attack code o Restart the attack codeo Keep open backdoors for attacker access
DDoS attack code
Attack Toolkits
Attacker can customize:o Type of attack
UDP flood, ICMP flood, TCP SYN flood, Smurf attack (broadcast ping flood)
Web server request flood, authentication request flood, DNS flood
o Victim IP addresso Durationo Packet sizeo Source IP spoofingo Dynamics (constant rate or pulsing)o Communication between master and slaves
DDoS Attack Code
You don’t need much knowledge or great skills to perpetrate DDoS
Toolkits allow unsophisticated users to become DDoS perpetrators in little time
DDoS is, unfortunately, a game anyone can play
Implications Of Attack Toolkits
Attackers follow defense approaches, adjust their code to bypass defenses
Use of subnet spoofing defeats ingress filtering
Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
Encryption of attack packets defeats traffic analysis and signature detection
Pulsing attacks defeat slow defenses and traceback
Flash-crowd attacks generate application
traffic
DDoS Attack Trends
If we solve simple attacks, DDoS perpetrators will move on to more complex attacks
Recently seen trends:o Larger networks of attack machineso Rolling attacks from large number of machineso Attacks at higher semantic levelso Attacks on different types of network entitieso Attacks on DDoS defense mechanisms
Need flexible defenses that evolve with attacks
Implications For the Future