ddos: distributed denial of service

DDoS: Distributed Denial of Service

Cs5090: Advanced Computer Networks, fall 2004Department of Computer ScienceMichigan Tech University

Rock K. C. ChangByung ChoiMark Schuchter

Outline

Introduction The DDOS Problems Solutions to the DDoS Problems Conclusion

Introduction (cont.)

DoS : Denial of service attack. System design weaknesses

Ping of death Teardrop

Computationally intensive tasks Encryption and decryption computation

DDoS attack ( Flooding-Based) CPU, Memory, bandwidth exhaustion

DDoS: Typical attack preparation

1. prepare attack 2. set up network 3. communication

Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk

Why?

sub-cultural status

to gain access

political reasons economic reasons

revenge

nastiness

Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk

Showing off

Timeline

1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption

2000: bundled with rootkits, controlled with talk or ÍRC

2002: DrDos (reflected) attack tools, (179/TCP; BGP=Border Gateway Protocol)

2001: worms include DDos-features (i.e. Code Red), include time synchro.,

<1999: Point2Point (SYN flood, Ping of death, ...), first distributed attack tools (‘fapi’)

2003: Mydoom infects thousands of victims to attack SCO and Microsoft

Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk

Development

Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk

High

Low

1980 1985 1990 1995 2001

password guessing

password cracking

exploiting known vulnerabilities

disabling audits

back doors

hijacking sessions

sniffers

packet spoofing

GUIautomated probes/scans

denial of service

www attacks

Tools

Attackers

IntruderKnowledge

AttackSophistication

“stealth” / advanced scanning techniques

burglaries

network mgmt. diagnostics

distributedattack tools

binary encryption

Source: CERT/CC

Conversation between Moms

Mom1: I’m so proud of Mike. Apparently he’s one of the world’s best at a new computer game!

Mom2: Oh really! Which game? Mom1: Something called “DDoS Attack”… Mike: (Keeping clicking…)

DDoS Tools and Their Attack Methods

Trin00 UDP Tribe Flood Network UDP, ICMP, SYN,

Smurf Stacheldracht UDP, ICMP, SYN, Smurf TFN 2K UDP, ICMP, SYN, Smurf Shaft UDP, ICMP, SYN TrinityUDP, SYN, RST, ACK

DDoS Problems : Direct Attacks Send out a large number of attack packets

directly toward a victim Packet types can be TCP, ICMP, UDP, or a

mixture of them. TCP SYN attacks

Spoofed random source address of attack packets

The victim respond by sending back SYN-ACK packets

Cause half-open connection consume all the memories for pending connections unable to accepting new requests.

Direct attack (cont.)

Direct Attacks (cont.)

To congest a victim’s incoming link. The victims usually responds with RST packets

Sets up a DDoS attack network. Attacker attack hosts ( compromised machine

s) masters agents victim

Direct Attacks

Direct Attack Example: Trinoo Discovered in August 1999 Daemons found on Solaris 2.x systems Attack a system in University of Minnesota Victim unusable for 2 days

Trinoo Attack type

UDP flooding Default size of UDP packet: 1000 bytes

malloc() buffer of this size and send uninitialized content

Default period of attack: 120 seconds Destination port: randomly chosen from 0 –

65534

Reflector Attacks (cont.)

An attacker sends packets that require responses to the reflectors with the packer’s inscribed source addresses set to a victim’s address.

The reflectors returns response packets to the victim according to the types of the attack packets.

Thus the reflected packets can flood the victim’s link if the number of reflectors is large enough.

Redirect Attacks (cont.)

Reflector Attacks (cont.)

Reflector behaves like a victim of SYN flooding attacks, because it also maintain a number of half-open connections.

SYN ACK flooding does not exhaust the victim’s ability to accept new connections but clog the victim’s network link.

Reflector Attacks

Reflector Attack Examples:

How Many Attack Packets Are Needed? (cont.)

SYN flooding: If each SYN packet is 84 bytes long (including the

Ethernet frame header and interframe gap) a 56 kb/s connection is sufficient to stall both Linu

x and BSD servers with N <= 6000 SYN ACK flooding:

A 1Mb/s connection is sufficient to stall all three servers with N <= 10000.

How Many Attack Packets Are Needed? (cont.)

How Many Attack Packets Are Needed? In other flooding attacks aimed at jamming a

victim’s incoming link, an aggregated attack traffic rate has to be at least 1.544 Mb/s to jam a T1 link. Direct ICMP flooding: 5000 agents ( 1 query/s) Reflect ICMP flooding: 5000 reflector ( # of agents

can be much fewer, if each agent is responsible for sending ICMP echo requests to a number of reflectors.)

Solutions to the DDoS Problems (cont.) Three lines of defense against the attack

Attack prevention and preemption( before the attack)

Attack detection and filtering (during the attack) Attack source traceback and identification (during

and after the attack) Attack avoidance by victims

Attack prevention and preemption On the passive side

Hosts may be securely protected from master and agent implants. Ultimate solution?

To monitor network traffic for known attack messages sent between attackers.

On the active side Cyber-informants and cyber spies to intercept atta

ck plans for known attacks only?

Virus example (Wed. 03 Mar. 2004) Hello User of mtu.edu-email server, Our main mailing server will be temporarily

unavailable for next two days for regular maintenance and upgrade. To continue receiving mail in these days, please configure our auto-forwarding service.

Further details can be obtained from attached file For security purposes the file is password protected.

Your password is “00461” Best Wishes, MTU email service team!

Attack Source traceback and Identification Two approach

For routers to record information Send additional information

Two reason of infeasible stop an ongoing attack Hard to trace packets’ origins

Those behind firewall & NAT Reflector attack

Hard to stop Scattered in various autonomous systems

Helpful in identifying the attacker and collecting for post-attack law enforcement

Attack Detection and Filtering (cont.) The detection part is responsible for identifyin

g DDoS attacks or attack packets The filtering part is responsible for classifying

those packets and then dropping them ( rate-limiting is another possible action).

Attack Detection and Filtering (cont.) Measure the effectiveness of the attack detec

tion and filtering FPR ( false positive ratio): # of packets classified

as attack packets (positive) by a detection system that are confirmed to be normal (negative) ,

FNR (false negative ratio): # of packets classified as normal (negative) by a detection system that are confirmed to be attack packets (positive),

NPSR (normal packet survival ratio): The percentage of normal packets that can make their w

ay to the victim in the midst of a DDoS attack.

Attack Detection and Filtering (cont.)

Attack Detection and Filtering (cont.) At Source Networks

ISP networks that are directly connected to source networks can effectively ingress-filter spoofed packets.

Can drop all attack packets in direct attacks and all attack packets indirect attacks.

The attack agents can be traced easily in direct attacks

Ensuring all ISP networks to install ingress filtering is an impossible task in itself.

Attack Detection and Filtering (cont.) At the Victim’s Network

A DDoS victim can detect a DDoS attack based on an unusually high volume of incoming traffic or degraded server and network performance.

IP hopping or the moving target defense: A host frequently changes its IP address or changes its I

P address when a DDoS attack is detected. To tackle SYN flooding attacks by proxying TCP c

onnection requests.

Attack Detection and Filtering (cont.) At a victim’s Upstream ISP network

Victim network may send to an upstream ISP router an intrusion alert message

Such intrusion alert protocol need to be design carefully

The message also have to be protected by strong authentication and encryption algorithms.

Similar to the victim networks, it isn’t effective to filter attack packets.

Attack Detection and Filtering (cont.) At further Upstream ISP networks

Packet filtering is pushed as upstream as possible if ISP networks are willing to install packet filters

upon receiving intrusion alerts.

Attack avoidance by victims

Online task migration Process Thread Object

CPU time depletion Bandwidth depletion Memory space depletion

Conclusion

Hard to design perfectly secure computers and networks….

There are (will be) still many insecure areas in the Internet today that can be compromised to launch large-scale DDoS attacks

Attack avoidance schemes at victims have not been fully investigated! Contributions are solicited! Task migration on-the-fly