denial-of-service (dos) attacks - university of delawarecshen/367/notes/dos.pdfsystems’ code than...
TRANSCRIPT
Denial-of-Service (DoS) • Defined in NIST Computer Security Incident
Handling Guide as “an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”
• Attempt to compromise availability by hindering or blocking completely the provision of some service
• Attempt to exhaust some critical resource associated with the service
• Example: flooding a Web server with many spurious requests that it is unable to respond to valid requests from users in a timely manner
DoS Attacks • Potency steadily increases over time due to
Internet bandwidth growth – 400 MBps (2000) -> 100 GBps (2010) -> 300 GBps
(Spamhaus [http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/], 2013)
– thousands of attacks each day – massive flooding attacks in 50 GBps are powerful
enough to exceed bandwidth capacity of most intended targets
• A form of attack on the availability of some service
Categories of Resources 1. Network bandwidth
relates to capacity of network links connecting a server to Internet (ISP)
2. System resources aims to overload or crash network handling software
3. Application resources typically involves valid requests, each of which consumes significant resources, thus limiting the ability of server to respond to requests from other users
(1) DoS on Network Bandwidth • Network bandwidth related to capacity of links
connecting server to ISP • More traffic arrives at ISP’s routers over higher-
capacity links than links to server -> packets dropped at ISP routers
• Malicious traffic generated by DoS attacks overwhelms legitimate traffic -> denying legitimate users access to server
(2) DoS on System Resources • Overload/crash network handling software • Rather than consuming bandwidth with large volumes
of traffic, – specific types of packets are sent that consume limited
available resources • temporary buffer used to hold arriving packets • table of open connections: TCP SYN spoofing attack • similar memory data structures
– packets whose structure triggers bugs in network handling software, causing it to crash: termed poison packet
• ping of death and teardrop attacks target bugs in Windows 9x systems’ code than handles ICMP echo request and packet fragmentation
(3) DoS on Application Resources • Attacks on specific application (e.g., Web server)
typically involves valid requests each of which consumes significant resources
• This then limits ability of server to respond to requests from other users
• Aka, cyberslam, e.g., database queries • Requests that trigger bugs in server program,
causing it to crash
Classic DoS Attack (A) Flooding ping (ICMP echo request) • Aim to overwhelm the capacity of network
connection to the target organization • Traffic can be handled by higher capacity
links on the path, but packets are discarded as capacity decreases
• Network performance is noticeably affected • Two disadvantages to attackers!
• source of attack is identified unless a spoofed address is used
• response packets back to attacker
Source Address Spoofing • Use forged source addresses
– usually via raw socket interface [http://en.wikipedia.org/wiki/Raw_socket] on OS to make attacking systems harder to identify
• Attacker use randomly selected, usually different, source addresses for each packet
• Congestion would still occur in router connected to the final, lower capacity link
• Response back to different “sources” triggering even more “error” packets from real hosts or ICMP “destination unreachable” packet from unknown hosts [backscatter traffic]
• To identify source needs to query flow information through routers
• Egree filtering – filtering on router to ensure source address (or at least source network address) is valid
Classic DoS Attack
(B) SYN spoofing • Attacks ability of server to respond to future
connection requests by overflowing the tables used to manage such connections; thus legitimate users are denied access to server
• An attack on system resources, specifically the network handling code in the operating system
TCP 3-Way handshake • Reliable transport protocol
over best-effort (unreliable) IP – sequence number – timeout and retransmission – Need to maintain state
TCP SYN Spoofing • Attacker sends SYNs with spoofed
source addresses • Server records states of TCP
connection requests and respond SYN+ACK to “claimed” source addresses – for valid system at the forged address: it
responds with RST to cancel unknown connection request; when server receives RST, it cancel connection request and remove saved state
– for no system at forged address: no reply; server sends SYN+ACK several times
• between when original SYN received and when server assumes connection failed, server is using one entry in TCP connection table
• many forged connection requests -> many entries used
Flooding vs. SYN Spoofing • Volume of network traffic
– SYN spoofing is lower • How much lower?
– high enough to keep TCP connection table full
Flooding Attacks • Classified based on network protocol used • Aim to overload network capacity on some link to a server or
server’s ability to handle/respond to traffic – valid traffic has low probability of surviving discard/accessing server
• Virtually any type of network packet can be used
• ICMP echo request – traditionally network administrators allow such packets into
networks because ping is a useful network diagnostic tool • UDP
– directed to some port number on the target system • TCP SYN
– total volume of packets is aim of attack rather than system code
(1) ICMP Flooding • Recently, ICMP echo requests
are filtered by firewall • As some ICMP packets are
critical to the healthy operation of Internet, filtering these packets may degrade or break normal Internet behavior
• e.g., ICMP destination unreachable and ICMP TTL expired
Type Code description 0 0 echo reply (ping) 3 0 dest. network unreachable 3 1 dest host unreachable 3 2 dest protocol unreachable 3 3 dest port unreachable 3 6 dest network unknown 3 7 dest host unknown 4 0 source quench (congestion control - not used) 8 0 echo request (ping) 9 0 route advertisement 10 0 router discovery 11 0 TTL expired 12 0 bad IP header
(2) UDP Flood • Send UDP segment directly to some
port #: e.g., 7 (echo service) • May use spoofed source addresses
(3) TCP SYN Flood • Total volume of packets is aim of
attack, rather than system code – SYN flooding vs. SYN spoofing
• TCP connection requests with either real or spoofed source addresses
Indirect Flooding Attacks • Flooding attacks are limited in total traffic volume
generated on single system, where attacker is easier to trace
• More sophisticated attacks involve multiple attackers • By directing attacks through intermediaries, attacker
is distanced from target and harder to be located and identified
1. Distributed DoS attacks 2. Reflector attacks 3. Amplifier attacks
Distributed DoS (DDoS) • Use of multiple systems to generate
attack traffic • Attacker uses a flaw in OS or in a
common application to gain access and installs their program on zombies (via automated infection tools)
• Large collections of such systems under control of one attacker’s control can be created, forming a botnet
Example DDoS Tool • Tribe Flood network (TFN) and TFN2K
– two-layer command architecture – launch ICMP/SYN/UDP flood – communicate via encrypted TCP/UDP/ICMP
packets • IRC-based • HTTP-based
• The best defense against being an unwitting participant in DDoS attack – prevent system from being compromised
Reflector/Amplifier Attacks • In contrast to DDoS, where intermediaries are
compromised nodes running attacker’s programs, reflector/amplifier attacks use network systems functioning normally
• Attacker sends packet to server with spoofed source IP address (target); server responds to spoofed source IP address
• When many packets sent to many servers with the same spoofed source address, the resulting flood responses overwhelm target’s link
• Normal server are being used and their response is entirely conventional, attacks can be easier to deploy and harder to trace back to actual attacker
Reflection Attacks • Attacker sends packets to a known service on the
intermediary with a spoofed source address of the actual target system
• When intermediary responds, the response is sent to the target, i.e., “reflects” the attack off intermediary (reflector)
• Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary – use service that creates larger response packets than original
request; e.g., DNS (UDP) • How to defend against these attacks?
– block spoofed source packets
DNS Reflection Attack
• Between DNS and echo service (#7) – attacker sends query to DNS with
spoofed IP source address (IP address of target): j.k.l.m
– DNS responds to j.k.l.m:7 – target echoes back – DNS responds again, ………
Q: How reflector attacks are prevented ? A: network/host-based firewall rules to reject suspicious combination of source/destination ports
TCP SYN Reflection Attack • Attacker sends SYN packets to spoofed
source address (i.e., the target) to intermediaries
• Intermediaries respond with SYN+ACK to spoofed source address (the target)
• Target responds with RST for any that get through
• Overwhelm target’s network link (not to exhaust its network handling resources)
Amplification Attacks • A variant of reflection attacks, also involves sending a packet with
spoofed source address for the target to intermediaries; they differ in generating multiple response packets for each original packet sent
• Done by directing original packets to broadcast address for some network; all hosts on that network can potentially respond
• E.g., ICMP echo request (smurf), echo service (fraggle)
Q: How to defend? • do not allow directed
broadcast to be routed into a network from outside
• block spoofed source address
• limit service like ping and echo
Attacks on Applications • Force target to execute resource
consuming operations that are disproportionate to attack effort
• For example, web server may engage in lengthy operations such as search, database query, etc., in response to simple requests
1. SIP flood 2. Attacks on HTTP
SIP Flood
• Session Initiation Protocol (SIP) – signaling protocol for call setup in VoIP
• SIP INVITE request causes receiver’s phone to ring – a single SIP INVITE request triggers
considerable resource consumption (e.g., DNS lookup)
• Flood proxy server with numerous INVITE requests with spoofed IP address – Resources on proxy are depleted in
processing INVITE – Network capacity is consumed
Attacks on HTTP (1) HTTP Flood • attack that bombards Web servers with
HTTP requests • Each request consumes considerable
resources (e.g., download huge file: read file from disk, store it in memory, convert it to packets, transmit packets)
• Spidering (recursive HTTP flood) – bots starting from a given HTTP link and
following all links on the provided Web site in a recursive way
Attacks on HTTP (2) • Slowloris - exploit common web server technique of multi-
threading (supporting multiple requests) • Attempts to monopolize all available request handling
threads by sending HTTP requests that never complete (how ?) – sends additional header lines periodically to keep connection
alive, but never sends terminating new line sequence – eventually consumes Web server’s connection capacity
(threads) and deny access to legitimate users • Utilizes legitimate HTTP traffic
– no “bad” HTTP requests that exploit bugs in HTTP servers
– existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris
Format of HTTP Request
request line
header lines
body
method sp sp cr lf version URL
cr lf value header field name
cr lf value header field name
~ ~ ~ ~
cr lf
entity body ~ ~ ~ ~
è
A blank line indicates end of header and beginning of body (if any)
Sample HTTP Request
ASCII (human-readable format)
request line (GET, POST, HEAD commands)
header lines
carriage return, line feed at start of line indicates end of header lines
GET /index.html HTTP/1.1\r\n Host: www-net.cs.umass.edu\r\n User-Agent: Firefox/3.6.10\r\n Accept: text/html,application/xhtml+xml\r\n Accept-Language: en-us,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7\r\n Keep-Alive: 115\r\n Connection: keep-alive\r\n \r\n
carriage return character line-feed character
telnet www.eecis.udel.edu 80 GET /~cshen/367.html HTTP/1.1 Host: www.eecis.udel.edu
Defenses against DoS Attacks • DoS attacks cannot be prevented entirely
– high traffic volumes may be legitimate • high publicity about a specific site • activity on a very popular site described as slashdotted, flash crowd, or flash event
– solutions • overprovisioning of network bandwidth and replicated distributed
server • Four lines of defense against DoS attacks
– attack prevention and preemption (before attack) • endure attack attempts without denying service to legitimate users
– attack detection and filtering (during attack) – attack source traceback and identification (during and
after attack) – attack reaction (after attack)
DoS Attack Prevention (1) • Block spoofed source addresses
– on routers as close to source as possible • Filters may be used to ensure path back to the
claimed source address is the one being used by the current packet – filters must be applied to traffic before it leaves the ISP’s
network or at the point of entry to their network • Use modified TCP connection handling code
– cryptographically encode critical information in a cookie that is sent as the server’s initial sequence number (SYN cookies)
• legitimate client responds with an ACK packet containing the incremented sequence number cookie
– drop an entry for an incomplete connection from the TCP connections table when it overflows
DoS Attack Prevention (2) • block IP directed broadcasts • block suspicious services and combinations • manage application attacks with a form of
graphical puzzle (captcha [Completely Automated Public Turing test to tell Computers and Humans Apart]) to distinguish legitimate human requests
• good general system security practices • use mirrored and replicated servers when
high-performance and reliability is required
SYN Cookies (1) • Resist SYN spoofing (flood) attack • What is the fundamental problem with SYN
spoofing/flood attacks? – State
• Rules – T - a slowly incrementing timestamp (time()
logically right-shifted 6 positions - resolution of 64 seconds)
– M - maximum segment size – S - result of a cryptographic hash function
computed over server IP address and port number, client IP address and port number, and T. Returned value S must be a 24-bit value.
– Initial TCP sequence number (SYN cookie) is computed as follows:
• top 5 bits: T mod 32 • middle 3 bits: an encoded value representing M • bottom 24 bits: S
SYN bit=1, Seq=x
SYN bit=1, Seq=y ACK bit=1; ACKnum=x+1
ACK bit=1, ACKnum=y+1
Client
Server