(distributed) denial of service - portokalidis · distributed denial-of-service botnets are...
TRANSCRIPT
-
(Distributed) Denial of Service
CS-576 Systems Security
Instructor: Georgios Portokalidis
Fall 2018
-
Fall 2018 Stevens Institute of Technology 2
Denial-of-Service (DoS) Attack
“An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”
-
Denial-of-Service (DoS)
A form of attack on the availability of some service
Categories of resources that could be attacked are:
Fall 2018 Stevens Institute of Technology 3
Network bandwidth
Relates to the capacity of the network links
connecting a server to the Internet
For most organizations this is their connection to their Internet Service
Provider (ISP)
System resources
Aims to overload or crash the network handling software
Application resources
Typically involves a number of valid
requests, each of which consumes significant
resources, thus limiting the ability of the server to respond to requests
from other users
-
Network Flooding Attacks
Attacker generates large volumes of packets that have the target system as the destination address
Intent is to overload the network capacity on some link to a server
Congestion would result in the router connected to the final, lower capacity link
Virtually any type of network packet can be used
Fall 2018 Stevens Institute of Technology 4
-
Network Flooding Attacks
Classified based on network protocol used
Virtually any type of network packet can be used
Fall 2018 Stevens Institute of Technology 5
•Ping flood using ICMP echo request packets
•Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool
ICMP flood
•Uses UDP packets directed to some port number on the target systemUDP flood
• Sends TCP packets to the target system
•Total volume of packets is the aim of the attack rather than the system code
TCP SYN flood
-
Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server
Fall 2018 Stevens Institute of Technology 6
-
Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server
Fall 2018 Stevens Institute of Technology 7
-
Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server
Fall 2018 Stevens Institute of Technology 8
Link capacity X
Link capacity Y
-
Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server
Fall 2018 Stevens Institute of Technology 9
Link capacity X
Link capacity Y
X > YPossible to flood
-
Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server
Fall 2018 Stevens Institute of Technology 10
Link capacity X
Link capacity Y
X > Y
Not possible to flood
-
Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server
Fall 2018 Stevens Institute of Technology 11
Link capacity X
Link capacity Z
Link capacity Y
X > YX > Z
X > YY + Z > X
Possible to flood
-
Attacker
Target
Handler
Zombies
Agent
Zombies
Figure 7.4 DDoS Attack Architecture
Distributed Denial-of-Service
Botnets are frequently used to perform network-based DDoS attacks
Fall 2018 Stevens Institute of Technology 12
-
Simple Solution
Block subnets participating in DDoS▪ Can affect many non-participating nodes
Fall 2018 Stevens Institute of Technology 13
-
Less Simple Solution
Block individual IPs participating in DDoS▪ Can still affect infected and, otherwise, innocent users
▪ Maintaining large lists of IPs is cumbersome
Fall 2018 Stevens Institute of Technology 14
-
Where to Block?
Blocking near the target does not solve the problem
Fall 2018 Stevens Institute of Technology 15
Network edge can still be saturated
-
Where to Block?
It is better to clock closer to the source
Fall 2018 Stevens Institute of Technology 16
• Router needs to support filtering
• Owner/controller needs to be cooperative
-
Where to Block?
Best case scenario (but probably unrealistic)
Fall 2018 Stevens Institute of Technology 17
-
Source Address Spoofing
Use forged source addresses▪ E.g., via the raw socket interface
Identifying culprits and blocking IPs is harder
Local routers can potentially filter such packets▪ For example, by checking that the packets’ IPs match the one
given to the host▪ Not done my many networks
Fall 2018 Stevens Institute of Technology 18
-
Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server
Fall 2018 Stevens Institute of Technology 19
Fake SRC in network C
Fake SRC in network C
You cannot be in C
-
SYN Packet Tricks
SYN is one of the first packets sent to establish a TCP connection
Fall 2018 Stevens Institute of Technology 20
Client Server
Send SYN
(seq = x)
Receive SYN
(seq = x)
Send SYN-ACK
(seq = y, ack = x+1)
Receive SYN-ACK
(seq = y, ack = x+1)
Send ACK
(ack = y+1)Receive ACK
(ack = y+1)
1
2
3
Figure 7.2 TCP Three-Way Connection Handshake
-
SYN Floods Targeting the System
Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
Thus legitimate users are denied access to the server
Hence an attack on system resources, specifically the network handling code in the operating system
Fall 2018 Stevens Institute of Technology 21
-
Client Server
Send SYN
(seq = x)
Receive SYN
(seq = x)
Send SYN-ACK
(seq = y, ack = x+1)
Receive SYN-ACK
(seq = y, ack = x+1)
Send ACK
(ack = y+1)Receive ACK
(ack = y+1)
1
2
3
Figure 7.2 TCP Three-Way Connection Handshake
Fall 2018 Stevens Institute of Technology 22
Wait
-
Client Server
Send SYN
(seq = x)
Receive SYN
(seq = x)
Send SYN-ACK
(seq = y, ack = x+1)
Receive SYN-ACK
(seq = y, ack = x+1)
Send ACK
(ack = y+1)Receive ACK
(ack = y+1)
1
2
3
Figure 7.2 TCP Three-Way Connection Handshake
Fall 2018 Stevens Institute of Technology 23
Wait
-
SYN Spoofing
Spoof the source address of the SYN packet▪ It can hide the true sender of a packet
The destination will try to establish a connection with the spoofed address
Fall 2018 Stevens Institute of Technology 24
-
AttackerServer
Send SYN
with spoofed src
(seq = x)
Send SYN-ACK
(seq = y, ack = x+1)
1
2
Spoofed Client
Resend SYN-ACK
after timeouts
Assume failed
connection
request
SYN-ACK’s to
non-existant client
discarded
Figure7.3 TCP SYN Spoofing Attack
Fall 2018 Stevens Institute of Technology 25
-
Reflection Attacks
Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system
When intermediary responds, the response is sent to the target → It “Reflects” the attack off the intermediary (reflector)
Fall 2018 Stevens Institute of Technology 26
-
Figure 7.6 DNS Reflection Attack
IP: a.b.c.d
IP: a.b.c.dIP: j.k.l.m
Victim
Looppossible
DNSServer
NormalUser
Attacker
DNSServer
IP: w.x.y.z
From: a.b.c.d:1792To: w.x.y.z.53
From: w.x.y.z.53To: a.b.c.d:1792
From: j.k.l.m:7To: w.x.y.z.53
From: w.x.y.z.53To: j.k.l.m:7
From: j.k.l.m:7To: w.x.y.z.53
1
1
2
2
3
IP: w.x.y.z
Fall 2018 Stevens Institute of Technology 27
Reflection Through DNS
-
Amplification Attacks
Single spoofed packet results in multiple packets to target
Fall 2018 Stevens Institute of Technology 28
AttackerServer
Send SYN
with spoofed src
(seq = x)
Send SYN-ACK
(seq = y, ack = x+1)
1
2
Spoofed Client
Resend SYN-ACK
after timeouts
Assume failed
connection
request
SYN-ACK’s to
non-existant client
discarded
Figure7.3 TCP SYN Spoofing Attack
1 packetmultiple packets
-
Attacker
Reflector
intermediaries
Target
Zombies
Figure 7.7 Amplification Attack
Amplification Attacks
Higher-layer protocols, like DNS, can also be used
Fall 2018 Stevens Institute of Technology 29
-
DNS Amplification Attacks
Spoofed DNS query packets are sent to legitimate DNS server
DNS generates one larger packet which it sends to the spoofed address
Amplification occurs because response is larger in size than the original query
Fall 2018 Stevens Institute of Technology 30
-
HTTP flood
Attack that bombards Web servers with HTTP requests
Consumes considerable resources
Slowloris
Create many HTTP requests to server that never complete
▪ Send partial requests as slowly as possible
Consumes Web server’s connection capacity
Hard to differentiate from client with limited connectivity
Fall 2018 Stevens Institute of Technology 31
HTTP-Based Attacks
-
Internet of Things
Internet connected devices/objects
Fall 2018 Stevens Institute of Technology 32
-
Mirai Botnet
Fall 2018 Stevens Institute of Technology 33
Exploited vulnerable CCTV cameras
Multiple vulnerabilities found on CCTV cameras:
▪ Weak authentication, stack overflow, etc.
Estimated to control more than 100k devices
-
Fall 2018 Stevens Institute of Technology 34
IoT Botnet-Driven DDoS
Reading: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html