Denial-of-Service (DoS) Attacks

Chien-Chung Shen cshen@cis.udel.edu

Denial-of-Service (DoS) •  Defined in NIST Computer Security Incident

Handling Guide as “an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”

•  Attempt to compromise availability by hindering or blocking completely the provision of some service

•  Attempt to exhaust some critical resource associated with the service

•  Example: flooding a Web server with many spurious requests that it is unable to respond to valid requests from users in a timely manner

DoS Attacks •  Potency steadily increases over time due to

Internet bandwidth growth –  400 MBps (2000) -> 100 GBps (2010) -> 300 GBps

(Spamhaus [http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/], 2013)

–  thousands of attacks each day –  massive flooding attacks in 50 GBps are powerful

enough to exceed bandwidth capacity of most intended targets

•  A form of attack on the availability of some service

Categories of Resources 1.  Network bandwidth

relates to capacity of network links connecting a server to Internet (ISP)

2.  System resources aims to overload or crash network handling software

3.  Application resources typically involves valid requests, each of which consumes significant resources, thus limiting the ability of server to respond to requests from other users

Example

(1) DoS on Network Bandwidth •  Network bandwidth related to capacity of links

connecting server to ISP •  More traffic arrives at ISP’s routers over higher-

capacity links than links to server -> packets dropped at ISP routers

•  Malicious traffic generated by DoS attacks overwhelms legitimate traffic -> denying legitimate users access to server

(2) DoS on System Resources •  Overload/crash network handling software •  Rather than consuming bandwidth with large volumes

of traffic, –  specific types of packets are sent that consume limited

available resources •  temporary buffer used to hold arriving packets •  table of open connections: TCP SYN spoofing attack •  similar memory data structures

–  packets whose structure triggers bugs in network handling software, causing it to crash: termed poison packet

•  ping of death and teardrop attacks target bugs in Windows 9x systems’ code than handles ICMP echo request and packet fragmentation

(3) DoS on Application Resources •  Attacks on specific application (e.g., Web server)

typically involves valid requests each of which consumes significant resources

•  This then limits ability of server to respond to requests from other users

•  Aka, cyberslam, e.g., database queries •  Requests that trigger bugs in server program,

causing it to crash

Classic DoS Attack (A) Flooding ping (ICMP echo request) •  Aim to overwhelm the capacity of network

connection to the target organization •  Traffic can be handled by higher capacity

links on the path, but packets are discarded as capacity decreases

•  Network performance is noticeably affected •  Two disadvantages to attackers!

•  source of attack is identified unless a spoofed address is used

•  response packets back to attacker

Source Address Spoofing •  Use forged source addresses

–  usually via raw socket interface [http://en.wikipedia.org/wiki/Raw_socket] on OS to make attacking systems harder to identify

•  Attacker use randomly selected, usually different, source addresses for each packet

•  Congestion would still occur in router connected to the final, lower capacity link

•  Response back to different “sources” triggering even more “error” packets from real hosts or ICMP “destination unreachable” packet from unknown hosts [backscatter traffic]

•  To identify source needs to query flow information through routers

•  Egree filtering – filtering on router to ensure source address (or at least source network address) is valid

Classic DoS Attack

(B) SYN spoofing •  Attacks ability of server to respond to future

connection requests by overflowing the tables used to manage such connections; thus legitimate users are denied access to server

•  An attack on system resources, specifically the network handling code in the operating system

TCP 3-Way handshake •  Reliable transport protocol

over best-effort (unreliable) IP –  sequence number –  timeout and retransmission –  Need to maintain state

TCP SYN Spoofing •  Attacker sends SYNs with spoofed

source addresses •  Server records states of TCP

connection requests and respond SYN+ACK to “claimed” source addresses –  for valid system at the forged address: it

responds with RST to cancel unknown connection request; when server receives RST, it cancel connection request and remove saved state

–  for no system at forged address: no reply; server sends SYN+ACK several times

•  between when original SYN received and when server assumes connection failed, server is using one entry in TCP connection table

•  many forged connection requests -> many entries used

Flooding vs. SYN Spoofing •  Volume of network traffic

–  SYN spoofing is lower •  How much lower?

–  high enough to keep TCP connection table full

Flooding Attacks •  Classified based on network protocol used •  Aim to overload network capacity on some link to a server or

server’s ability to handle/respond to traffic –  valid traffic has low probability of surviving discard/accessing server

•  Virtually any type of network packet can be used

•  ICMP echo request –  traditionally network administrators allow such packets into

networks because ping is a useful network diagnostic tool •  UDP

–  directed to some port number on the target system •  TCP SYN

–  total volume of packets is aim of attack rather than system code

(1) ICMP Flooding •  Recently, ICMP echo requests

are filtered by firewall •  As some ICMP packets are

critical to the healthy operation of Internet, filtering these packets may degrade or break normal Internet behavior

•  e.g., ICMP destination unreachable and ICMP TTL expired

Type Code description 0 0 echo reply (ping) 3 0 dest. network unreachable 3 1 dest host unreachable 3 2 dest protocol unreachable 3 3 dest port unreachable 3 6 dest network unknown 3 7 dest host unknown 4 0 source quench (congestion control - not used) 8 0 echo request (ping) 9 0 route advertisement 10 0 router discovery 11 0 TTL expired 12 0 bad IP header

(2) UDP Flood •  Send UDP segment directly to some

port #: e.g., 7 (echo service) •  May use spoofed source addresses

(3) TCP SYN Flood •  Total volume of packets is aim of

attack, rather than system code –  SYN flooding vs. SYN spoofing

•  TCP connection requests with either real or spoofed source addresses

Indirect Flooding Attacks •  Flooding attacks are limited in total traffic volume

generated on single system, where attacker is easier to trace

•  More sophisticated attacks involve multiple attackers •  By directing attacks through intermediaries, attacker

is distanced from target and harder to be located and identified

1.  Distributed DoS attacks 2.  Reflector attacks 3.  Amplifier attacks

Distributed DoS (DDoS) •  Use of multiple systems to generate

attack traffic •  Attacker uses a flaw in OS or in a

common application to gain access and installs their program on zombies (via automated infection tools)

•  Large collections of such systems under control of one attacker’s control can be created, forming a botnet

Architecture of DDoS Attack Control hierarchy

Example DDoS Tool •  Tribe Flood network (TFN) and TFN2K

–  two-layer command architecture –  launch ICMP/SYN/UDP flood –  communicate via encrypted TCP/UDP/ICMP

packets •  IRC-based •  HTTP-based

•  The best defense against being an unwitting participant in DDoS attack –  prevent system from being compromised

Reflector/Amplifier Attacks •  In contrast to DDoS, where intermediaries are

compromised nodes running attacker’s programs, reflector/amplifier attacks use network systems functioning normally

•  Attacker sends packet to server with spoofed source IP address (target); server responds to spoofed source IP address

•  When many packets sent to many servers with the same spoofed source address, the resulting flood responses overwhelm target’s link

•  Normal server are being used and their response is entirely conventional, attacks can be easier to deploy and harder to trace back to actual attacker

Reflection Attacks •  Attacker sends packets to a known service on the

intermediary with a spoofed source address of the actual target system

•  When intermediary responds, the response is sent to the target, i.e., “reflects” the attack off intermediary (reflector)

•  Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary –  use service that creates larger response packets than original

request; e.g., DNS (UDP) •  How to defend against these attacks?

–  block spoofed source packets

DNS Reflection Attack

•  Between DNS and echo service (#7) –  attacker sends query to DNS with

spoofed IP source address (IP address of target): j.k.l.m

–  DNS responds to j.k.l.m:7 –  target echoes back –  DNS responds again, ………

Q: How reflector attacks are prevented ? A: network/host-based firewall rules to reject suspicious combination of source/destination ports

TCP SYN Reflection Attack •  Attacker sends SYN packets to spoofed

source address (i.e., the target) to intermediaries

•  Intermediaries respond with SYN+ACK to spoofed source address (the target)

•  Target responds with RST for any that get through

•  Overwhelm target’s network link (not to exhaust its network handling resources)

Amplification Attacks •  A variant of reflection attacks, also involves sending a packet with

spoofed source address for the target to intermediaries; they differ in generating multiple response packets for each original packet sent

•  Done by directing original packets to broadcast address for some network; all hosts on that network can potentially respond

•  E.g., ICMP echo request (smurf), echo service (fraggle)

Q: How to defend? •  do not allow directed

broadcast to be routed into a network from outside

•  block spoofed source address

•  limit service like ping and echo

Attacks on Applications •  Force target to execute resource

consuming operations that are disproportionate to attack effort

•  For example, web server may engage in lengthy operations such as search, database query, etc., in response to simple requests

1.  SIP flood 2.  Attacks on HTTP

SIP Flood

•  Session Initiation Protocol (SIP) – signaling protocol for call setup in VoIP

•  SIP INVITE request causes receiver’s phone to ring –  a single SIP INVITE request triggers

considerable resource consumption (e.g., DNS lookup)

•  Flood proxy server with numerous INVITE requests with spoofed IP address –  Resources on proxy are depleted in

processing INVITE –  Network capacity is consumed

Attacks on HTTP (1) HTTP Flood •  attack that bombards Web servers with

HTTP requests •  Each request consumes considerable

resources (e.g., download huge file: read file from disk, store it in memory, convert it to packets, transmit packets)

•  Spidering (recursive HTTP flood) –  bots starting from a given HTTP link and

following all links on the provided Web site in a recursive way

Attacks on HTTP (2) •  Slowloris - exploit common web server technique of multi-

threading (supporting multiple requests) •  Attempts to monopolize all available request handling

threads by sending HTTP requests that never complete (how ?) –  sends additional header lines periodically to keep connection

alive, but never sends terminating new line sequence –  eventually consumes Web server’s connection capacity

(threads) and deny access to legitimate users •  Utilizes legitimate HTTP traffic

–  no “bad” HTTP requests that exploit bugs in HTTP servers

–  existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris

Format of HTTP Request

request line

header lines

body

method sp sp cr lf version URL

cr lf value header field name

cr lf value header field name

~ ~ ~ ~

cr lf

entity body ~ ~ ~ ~

è

A blank line indicates end of header and beginning of body (if any)

Sample HTTP Request

ASCII (human-readable format)

request line (GET, POST, HEAD commands)

header lines

carriage return, line feed at start of line indicates end of header lines

GET /index.html HTTP/1.1\r\n Host: www-net.cs.umass.edu\r\n User-Agent: Firefox/3.6.10\r\n Accept: text/html,application/xhtml+xml\r\n Accept-Language: en-us,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7\r\n Keep-Alive: 115\r\n Connection: keep-alive\r\n \r\n

carriage return character line-feed character

telnet www.eecis.udel.edu 80 GET /~cshen/367.html HTTP/1.1 Host: www.eecis.udel.edu

Defenses against DoS Attacks •  DoS attacks cannot be prevented entirely

–  high traffic volumes may be legitimate •  high publicity about a specific site •  activity on a very popular site described as slashdotted, flash crowd, or flash event

–  solutions •  overprovisioning of network bandwidth and replicated distributed

server •  Four lines of defense against DoS attacks

–  attack prevention and preemption (before attack) •  endure attack attempts without denying service to legitimate users

–  attack detection and filtering (during attack) –  attack source traceback and identification (during and

after attack) –  attack reaction (after attack)

DoS Attack Prevention (1) •  Block spoofed source addresses

–  on routers as close to source as possible •  Filters may be used to ensure path back to the

claimed source address is the one being used by the current packet –  filters must be applied to traffic before it leaves the ISP’s

network or at the point of entry to their network •  Use modified TCP connection handling code

–  cryptographically encode critical information in a cookie that is sent as the server’s initial sequence number (SYN cookies)

•  legitimate client responds with an ACK packet containing the incremented sequence number cookie

–  drop an entry for an incomplete connection from the TCP connections table when it overflows

DoS Attack Prevention (2) •  block IP directed broadcasts •  block suspicious services and combinations •  manage application attacks with a form of

graphical puzzle (captcha [Completely Automated Public Turing test to tell Computers and Humans Apart]) to distinguish legitimate human requests

•  good general system security practices •  use mirrored and replicated servers when

high-performance and reliability is required

SYN Cookies (1) •  Resist SYN spoofing (flood) attack •  What is the fundamental problem with SYN

spoofing/flood attacks? –  State

•  Rules –  T - a slowly incrementing timestamp (time()

logically right-shifted 6 positions - resolution of 64 seconds)

–  M - maximum segment size –  S - result of a cryptographic hash function

computed over server IP address and port number, client IP address and port number, and T. Returned value S must be a 24-bit value.

–  Initial TCP sequence number (SYN cookie) is computed as follows:

•  top 5 bits: T mod 32 •  middle 3 bits: an encoded value representing M •  bottom 24 bits: S

SYN bit=1, Seq=x

SYN bit=1, Seq=y ACK bit=1; ACKnum=x+1

ACK bit=1, ACKnum=y+1

Client

Server

SYN Cookies (2) •  Upon receiving ACK, server performs

the following operations –  checks value T against the current time to

see if connection has expired –  recomputes S to determine whether this is,

indeed, a valid SYN cookie –  decodes value M from the 3-bit encoding in

SYN cookie