ddos: distributed denial of service cs5090: advanced computer networks, fall 2004 department of...
TRANSCRIPT
DDoS: Distributed Denial of Service
Cs5090: Advanced Computer Networks, fall 2004Department of Computer ScienceMichigan Tech University
Rock K. C. ChangByung ChoiMark Schuchter
Outline
Introduction The DDOS Problems Solutions to the DDoS Problems Conclusion
Introduction (cont.)
DoS : Denial of service attack. System design weaknesses
Ping of death Teardrop
Computationally intensive tasks Encryption and decryption computation
DDoS attack ( Flooding-Based) CPU, Memory, bandwidth exhaustion
DDoS: Typical attack preparation
1. prepare attack 2. set up network 3. communication
Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk
Why?
sub-cultural status
to gain access
political reasons economic reasons
revenge
nastiness
Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk
Showing off
Timeline
1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
2000: bundled with rootkits, controlled with talk or ÍRC
2002: DrDos (reflected) attack tools, (179/TCP; BGP=Border Gateway Protocol)
2001: worms include DDos-features (i.e. Code Red), include time synchro.,
<1999: Point2Point (SYN flood, Ping of death, ...), first distributed attack tools (‘fapi’)
2003: Mydoom infects thousands of victims to attack SCO and Microsoft
Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk
Development
Introduction Why? Timeline How? Typ. UNIX atk Typ. Windows atk
High
Low
1980 1985 1990 1995 2001
password guessing
password cracking
exploiting known vulnerabilities
disabling audits
back doors
hijacking sessions
sniffers
packet spoofing
GUIautomated probes/scans
denial of service
www attacks
Tools
Attackers
IntruderKnowledge
AttackSophistication
“stealth” / advanced scanning techniques
burglaries
network mgmt. diagnostics
distributedattack tools
binary encryption
Source: CERT/CC
Conversation between Moms
Mom1: I’m so proud of Mike. Apparently he’s one of the world’s best at a new computer game!
Mom2: Oh really! Which game? Mom1: Something called “DDoS Attack”… Mike: (Keeping clicking…)
DDoS Tools and Their Attack Methods
Trin00 UDP Tribe Flood Network UDP, ICMP, SYN,
Smurf Stacheldracht UDP, ICMP, SYN, Smurf TFN 2K UDP, ICMP, SYN, Smurf Shaft UDP, ICMP, SYN TrinityUDP, SYN, RST, ACK
DDoS Problems : Direct Attacks Send out a large number of attack packets
directly toward a victim Packet types can be TCP, ICMP, UDP, or a
mixture of them. TCP SYN attacks
Spoofed random source address of attack packets
The victim respond by sending back SYN-ACK packets
Cause half-open connection consume all the memories for pending connections unable to accepting new requests.
Direct attack (cont.)
Direct Attacks (cont.)
To congest a victim’s incoming link. The victims usually responds with RST packets
Sets up a DDoS attack network. Attacker attack hosts ( compromised machine
s) masters agents victim
Direct Attacks
Direct Attack Example: Trinoo Discovered in August 1999 Daemons found on Solaris 2.x systems Attack a system in University of Minnesota Victim unusable for 2 days
Trinoo Attack type
UDP flooding Default size of UDP packet: 1000 bytes
malloc() buffer of this size and send uninitialized content
Default period of attack: 120 seconds Destination port: randomly chosen from 0 –
65534
Reflector Attacks (cont.)
An attacker sends packets that require responses to the reflectors with the packer’s inscribed source addresses set to a victim’s address.
The reflectors returns response packets to the victim according to the types of the attack packets.
Thus the reflected packets can flood the victim’s link if the number of reflectors is large enough.
Redirect Attacks (cont.)
Reflector Attacks (cont.)
Reflector behaves like a victim of SYN flooding attacks, because it also maintain a number of half-open connections.
SYN ACK flooding does not exhaust the victim’s ability to accept new connections but clog the victim’s network link.
Reflector Attacks
Reflector Attack Examples:
How Many Attack Packets Are Needed? (cont.)
SYN flooding: If each SYN packet is 84 bytes long (including the
Ethernet frame header and interframe gap) a 56 kb/s connection is sufficient to stall both Linu
x and BSD servers with N <= 6000 SYN ACK flooding:
A 1Mb/s connection is sufficient to stall all three servers with N <= 10000.
How Many Attack Packets Are Needed? (cont.)
How Many Attack Packets Are Needed? In other flooding attacks aimed at jamming a
victim’s incoming link, an aggregated attack traffic rate has to be at least 1.544 Mb/s to jam a T1 link. Direct ICMP flooding: 5000 agents ( 1 query/s) Reflect ICMP flooding: 5000 reflector ( # of agents
can be much fewer, if each agent is responsible for sending ICMP echo requests to a number of reflectors.)
Solutions to the DDoS Problems (cont.) Three lines of defense against the attack
Attack prevention and preemption( before the attack)
Attack detection and filtering (during the attack) Attack source traceback and identification (during
and after the attack) Attack avoidance by victims
Attack prevention and preemption On the passive side
Hosts may be securely protected from master and agent implants. Ultimate solution?
To monitor network traffic for known attack messages sent between attackers.
On the active side Cyber-informants and cyber spies to intercept atta
ck plans for known attacks only?
Virus example (Wed. 03 Mar. 2004) Hello User of mtu.edu-email server, Our main mailing server will be temporarily
unavailable for next two days for regular maintenance and upgrade. To continue receiving mail in these days, please configure our auto-forwarding service.
Further details can be obtained from attached file For security purposes the file is password protected.
Your password is “00461” Best Wishes, MTU email service team!
Attack Source traceback and Identification Two approach
For routers to record information Send additional information
Two reason of infeasible stop an ongoing attack Hard to trace packets’ origins
Those behind firewall & NAT Reflector attack
Hard to stop Scattered in various autonomous systems
Helpful in identifying the attacker and collecting for post-attack law enforcement
Attack Detection and Filtering (cont.) The detection part is responsible for identifyin
g DDoS attacks or attack packets The filtering part is responsible for classifying
those packets and then dropping them ( rate-limiting is another possible action).
Attack Detection and Filtering (cont.) Measure the effectiveness of the attack detec
tion and filtering FPR ( false positive ratio): # of packets classified
as attack packets (positive) by a detection system that are confirmed to be normal (negative) ,
FNR (false negative ratio): # of packets classified as normal (negative) by a detection system that are confirmed to be attack packets (positive),
NPSR (normal packet survival ratio): The percentage of normal packets that can make their w
ay to the victim in the midst of a DDoS attack.
Attack Detection and Filtering (cont.)
Attack Detection and Filtering (cont.) At Source Networks
ISP networks that are directly connected to source networks can effectively ingress-filter spoofed packets.
Can drop all attack packets in direct attacks and all attack packets indirect attacks.
The attack agents can be traced easily in direct attacks
Ensuring all ISP networks to install ingress filtering is an impossible task in itself.
Attack Detection and Filtering (cont.) At the Victim’s Network
A DDoS victim can detect a DDoS attack based on an unusually high volume of incoming traffic or degraded server and network performance.
IP hopping or the moving target defense: A host frequently changes its IP address or changes its I
P address when a DDoS attack is detected. To tackle SYN flooding attacks by proxying TCP c
onnection requests.
Attack Detection and Filtering (cont.) At a victim’s Upstream ISP network
Victim network may send to an upstream ISP router an intrusion alert message
Such intrusion alert protocol need to be design carefully
The message also have to be protected by strong authentication and encryption algorithms.
Similar to the victim networks, it isn’t effective to filter attack packets.
Attack Detection and Filtering (cont.) At further Upstream ISP networks
Packet filtering is pushed as upstream as possible if ISP networks are willing to install packet filters
upon receiving intrusion alerts.
Attack avoidance by victims
Online task migration Process Thread Object
CPU time depletion Bandwidth depletion Memory space depletion
Conclusion
Hard to design perfectly secure computers and networks….
There are (will be) still many insecure areas in the Internet today that can be compromised to launch large-scale DDoS attacks
Attack avoidance schemes at victims have not been fully investigated! Contributions are solicited! Task migration on-the-fly