Distributed Denial-of-Services (DDoS)
Ho Jeong AN
CSE 525 – Adv. Networking, Reading Group #8

Upload: sheera

Post on 16-Jan-2016


Page 1: Distributed  Denial-of-Services (DDoS)

Distributed Denial-of-Services (DDoS)
Ho Jeong AN
CSE 525 – Adv. Networking
Reading Group #8

Page 2: Distributed  Denial-of-Services (DDoS)

Reading Group #8 – DDoS

Papers

F. Kargl, J. Maier, M. Weber, “Protecting Web Servers from Distributed Denial of Service Attacks”, WWW 2001

V. Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”, CCR vol. 31, no. 3, July 2001

Catherine Meadows, “A cost-based framework for analysis of denial of service in networks”, Journal of Computer Security, 9(1–2):143–164, 2001

Page 3: Distributed  Denial-of-Services (DDoS)

Classification of IT Attacks

Denial of Service (DoS): the main goal of the attack is the disruption of service.

Intrusion: the intention is simply to get access to the system and to circumvent certain barriers.

Information Theft: the main goal of the attack is access to restricted, sensitive information.

Modification: the attacker tries to alter information.

Page 4: Distributed  Denial-of-Services (DDoS)

Definition of DoS

WWW Security FAQ (http://www.w3.org/Security/FAQ): “… an attack designed to render a computer or network incapable of providing normal services …”

J.D. Howard (http://www.cert.org): “… Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied …”

Page 5: Distributed  Denial-of-Services (DDoS)

Definition of DDoS

WWW Security FAQ (http://www.w3.org/Security/FAQ): “… A Distributed Denial of Service attack uses many computers to launch a coordinated DoS attack against one or more targets. …”

Page 6: Distributed  Denial-of-Services (DDoS)

DoS attack Classification

System attacked: router, firewall, load-balancer, individual web server, supporting services (e.g. database servers)

Part of the system attacked: hardware failure, OS or TCP/IP stack of host/router, application level (e.g. web server, database servers)

Bug or overload: bugs, overload

Page 7: Distributed  Denial-of-Services (DDoS)

DoS attack Classification

Examples

Cisco 7xxx routers with IOS/700 Software version 4.1(1)/4.1(2)

Jolt2 – targeting most Microsoft Windows systems (98/NT4/2000)

MIIS version 4.0/5.0

Smurf

SYN Flood

Apache MIME flooding / Apache Sioux attack

Page 8: Distributed  Denial-of-Services (DDoS)

DDoS tools

Trinoo: known as the first DDoS tool; UDP flooding

Tribe Flood Network (TFN): Trinoo’s UDP flooding plus TCP SYN and ICMP flooding

TFN2K: encrypted communication between components; TARGA attack

stacheldraht: ICMP, UDP and TCP SYN flooding; updates agents automatically

Page 9: Distributed  Denial-of-Services (DDoS)

DDoS Protection Environment

Linux kernel: immune to Teardrop and TARGA; tcp_syn_cookie enabled against SYN flood attacks

Load balancer: Linux Virtual Server against overload attacks

Page 10: Distributed  Denial-of-Services (DDoS)

DDoS Protection Environment

ipchains firewall: only port 80 is reachable directly; only ICMP host-unreachable messages are accepted

Class Based Queuing: a function of the Linux kernel; sets up different traffic queues, determines what packets to put in what queue, and assigns a bandwidth to each of the queues

Page 11: Distributed  Denial-of-Services (DDoS)

DDoS Protection Environment

Traffic Monitor

Monitor: thread 1 monitors incoming and outgoing packets; thread 2 checks the hashtable; thread 3 is the server thread

Manager: analyzes the supplied data and sorts the IPs into one of several classes, class 1 through class 4
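The monitor/manager split on this slide can be made concrete with a small model. The following is an added example, not code from the slides or from the Kargl/Maier/Weber paper: the monitor keeps a per-source hash table of inbound packets, the manager turns the table into a request rate per source and sorts each source into class 1 to 4, and the class is mapped to a bandwidth share for the class-based queues of the previous slide. The window length, the class thresholds, the per-class shares and the sample traffic are all assumptions of this example.

```python
"""Added example (not code from the slides or from the Kargl/Maier/Weber
paper): a toy version of the traffic monitor and manager on slide 11.
The monitor keeps a per-source hash table of inbound packets; the
manager turns the table into a request rate per source and sorts each
source into class 1..4.  The window length, class thresholds, per-class
bandwidth shares and sample traffic are all assumptions of this example."""
from collections import defaultdict

WINDOW_SECONDS = 10.0

# Assumed policy: a source whose inbound rate (packets/s) is at or below
# the limit gets that class; anything above the last limit is class 4.
CLASS_THRESHOLDS = [(5.0, 1), (20.0, 2), (50.0, 3)]

# Assumed bandwidth share handed to the class-based queue for each class
# (slide 10): class 1 unrestricted, class 4 starved.
CLASS_SHARE = {1: 1.0, 2: 0.5, 3: 0.1, 4: 0.0}


def burst(remote_ip, count, direction="in"):
    """Constructed traffic: `count` packets with `remote_ip` spread evenly
    over the window.  A record is (seconds, remote_ip, direction, bytes)."""
    step = WINDOW_SECONDS / count
    return [(i * step, remote_ip, direction, 320) for i in range(count)]


# Constructed sample: one ordinary client, one busy client, one flood,
# plus some outbound replies that the monitor must ignore.
SAMPLE_PACKETS = (
    burst("203.0.113.5", 30)         # 3 pkt/s
    + burst("198.51.100.7", 120)     # 12 pkt/s
    + burst("192.0.2.9", 900)        # 90 pkt/s
    + burst("192.0.2.9", 40, "out")  # the server's own replies
)


def monitor(packets):
    """Monitor-thread analogue: aggregate inbound packets per remote
    address in a hash table (a dict)."""
    table = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for _ts, remote_ip, direction, size in packets:
        if direction != "in":
            continue
        table[remote_ip]["pkts"] += 1
        table[remote_ip]["bytes"] += size
    return dict(table)


def classify(table, window=WINDOW_SECONDS):
    """Manager analogue: convert counts to a rate and map it to class 1..4."""
    classes = {}
    for remote_ip, stats in table.items():
        rate = stats["pkts"] / window
        cls = 4
        for limit, candidate in CLASS_THRESHOLDS:
            if rate <= limit:
                cls = candidate
                break
        classes[remote_ip] = cls
    return classes


def queue_policy(classes):
    """What the manager would hand to the class-based queues: a
    bandwidth share per remote address."""
    return {ip: CLASS_SHARE[cls] for ip, cls in classes.items()}


if __name__ == "__main__":
    table = monitor(SAMPLE_PACKETS)
    classes = classify(table)
    shares = queue_policy(classes)
    for ip, cls in sorted(classes.items(), key=lambda kv: kv[1]):
        print(f"{ip:15} class {cls} share {shares[ip]:.2f}")
```

Running it classifies the 3 pkt/s client as class 1, the 12 pkt/s client as class 2 and the 90 pkt/s flood as class 4, whose queue gets no bandwidth; the outbound records are never counted.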

Page 12: Distributed  Denial-of-Services (DDoS)

Test 1: http-attack using http_load and static html database

Page 13: Distributed  Denial-of-Services (DDoS)

Conclusion

DDoS attacks are a substantial threat to today’s Internet infrastructure.

The solution to the problem of handling massive HTTP overload requests is based on class-based routing and active traffic monitoring.

Page 14: Distributed  Denial-of-Services (DDoS)

DDoS attack using reflectors

Reflector: any IP host that will return a packet if it receives a request, e.g. any web server, DNS server or router.

ICMP: the victim eventually receives a “huge” number of messages, clogging every single path to the victim from the rest of the Internet.

Page 15: Distributed  Denial-of-Services (DDoS)

Defense against Reflectors

Ingress filtering: does not address traffic generated by the reflectors themselves, which carries their genuine source addresses

Reflector-enabled filtering (our pick): requires widespread deployment of filtering

Deploy a traceback mechanism: enormous deployment difficulties

IDS: requires widespread deployment of security technology

Page 16: Distributed  Denial-of-Services (DDoS)

Filtering out reflector replies: IP

IP header fields: version, header length, TOS/DSCP, length, ID, fragments, TTL, protocol, checksum, source, destination

Page 17: Distributed  Denial-of-Services (DDoS)

Filtering out reflector replies: ICMP and TCP

ICMP: request/response pairs; generated ICMP messages

TCP: source port; SYN ACK; RST; guessable sequence numbers; T/TCP

Page 18: Distributed  Denial-of-Services (DDoS)

Filtering out reflector replies: UDP and applications

DNS: DNS replies; DNS recursive queries

SNMP

HTTP proxy servers

Gnutella (a TCP application)

Other UDP applications
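The common thread of the three “filtering out reflector replies” slides is that a reflected packet is a reply to a request the victim never sent. The following is an added example, not code from the slides or from Paxson’s paper: a toy stateful ingress filter that remembers the requests the protected network itself sent (ICMP echo requests, TCP SYNs, DNS queries) and admits an inbound echo reply, SYN-ACK/RST or DNS response only if it answers one of them. The Packet fields, the inside prefix and all sample traffic are constructed for this illustration; generated ICMP messages and the other application protocols on the slides are not modelled.

```python
"""Added example, not from the slides or from Paxson's paper: a toy
stateful ingress filter for the reflector-reply categories on slides
16-18 (ICMP echo replies, TCP SYN-ACK/RST, DNS responses).  It remembers
requests the protected network itself sent and admits an inbound reply
only if it answers one of them.  The Packet fields, the inside prefix and
all sample traffic are constructed for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S", "SA", "R"
    icmp_type: str = ""   # "echo-request" or "echo-reply"
    dns_id: int = -1      # DNS transaction id for UDP/53 traffic


class ReflectorReplyFilter:
    """Tracks outbound requests; unsolicited inbound replies are dropped."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix   # e.g. "192.0.2."
        self.pending = set()                 # keys of requests sent from inside

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    @staticmethod
    def _request_key(p):
        """Key under which an outbound request is remembered."""
        if p.proto == "icmp" and p.icmp_type == "echo-request":
            return ("icmp", p.src, p.dst)
        if p.proto == "tcp" and p.flags == "S":
            return ("tcp", p.src, p.sport, p.dst, p.dport)
        if p.proto == "udp" and p.dport == 53:
            return ("dns", p.src, p.sport, p.dst, p.dns_id)
        return None

    @staticmethod
    def _reply_key(p):
        """Key of the request an inbound packet claims to answer, or None
        if the packet is not a reply-type packet at all."""
        if p.proto == "icmp" and p.icmp_type == "echo-reply":
            return ("icmp", p.dst, p.src)
        if p.proto == "tcp" and p.flags in ("SA", "R"):
            return ("tcp", p.dst, p.dport, p.src, p.sport)
        if p.proto == "udp" and p.sport == 53:
            return ("dns", p.dst, p.dport, p.src, p.dns_id)
        return None

    def process(self, p):
        """Returns "out" for outbound traffic, "accept" or "drop" for inbound."""
        if self._inside(p.src):
            key = self._request_key(p)
            if key is not None:
                self.pending.add(key)
            return "out"
        key = self._reply_key(p)
        if key is None:
            return "accept"          # not a reply; leave it to the normal rules
        if key in self.pending:
            self.pending.discard(key)   # one reply per request in this toy
            return "accept"
        return "drop"                # a reply to a request nobody inside sent


INSIDE = "192.0.2."
HOST = "192.0.2.10"

# Constructed traffic: each legitimate exchange is followed by an
# unsolicited look-alike of the kind a reflector would emit.
SAMPLE_TRAFFIC = [
    Packet("icmp", HOST, "203.0.113.1", icmp_type="echo-request"),
    Packet("icmp", "203.0.113.1", HOST, icmp_type="echo-reply"),
    Packet("icmp", "198.51.100.20", HOST, icmp_type="echo-reply"),
    Packet("tcp", HOST, "203.0.113.1", 40000, 80, "S"),
    Packet("tcp", "203.0.113.1", HOST, 80, 40000, "SA"),
    Packet("tcp", "198.51.100.21", HOST, 80, 40001, "SA"),
    Packet("tcp", "198.51.100.22", HOST, 443, 40002, "R"),
    Packet("udp", HOST, "203.0.113.53", 5353, 53, dns_id=0x1234),
    Packet("udp", "203.0.113.53", HOST, 53, 5353, dns_id=0x1234),
    Packet("udp", "198.51.100.53", HOST, 53, 5353, dns_id=777),
    Packet("tcp", "203.0.113.77", HOST, 51000, 80, "S"),  # a real client's SYN
]


def run_filter(traffic, inside_prefix=INSIDE):
    """Apply the filter to a packet list and return one verdict per packet."""
    f = ReflectorReplyFilter(inside_prefix)
    return [f.process(p) for p in traffic]
```

Every packet that answers a remembered request is accepted, every unsolicited echo reply, SYN-ACK, RST or DNS response is dropped, and a client’s plain SYN to port 80 is passed on because it is not a reply at all. Because the filter keys on the victim’s own requests rather than on the packets’ contents, it holds even when an attacker can guess TCP sequence numbers.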

Page 19: Distributed  Denial-of-Services (DDoS)

Implications of reflector attacks for traceback

A major advantage to attackers in using reflectors in a DDoS attack is that traceback is difficult.

Low-volume flows: SPIE; HTTP proxies; logging; reverse ITRACE

Page 20: Distributed  Denial-of-Services (DDoS)

Conclusion

DDoS attacks using reflectors pose several significant threats.

The most major threats are: TCP with guessable sequence numbers; DNS queries to name servers; Gnutella.

Page 21: Distributed  Denial-of-Services (DDoS)

Defender vs. Attacker

Defense against attack: increase the resources of the defender; introduce authentication

Goal of the attacker: waste the resources of the defender; keep the defender from learning the attacker’s identity

Formal methods are a good way of addressing these problems.

Page 22: Distributed  Denial-of-Services (DDoS)

Station to Station protocol

The Station-to-Station protocol makes use of the Diffie-Hellman protocol together with digital signatures in order to exchange and authenticate keys between two principals.

$A \to B: X_A$

$B \to A: X_B,\ E_K(S_B(X_B, X_A))$

$A \to B: E_K(S_A(X_A, X_B))$

Here $X_A$ and $X_B$ are the two parties’ Diffie-Hellman exponentials, $S_A$ and $S_B$ their signatures, and $E_K$ encryption under the key $K$ derived from the exchange.

Page 23: Distributed  Denial-of-Services (DDoS)

Station to Station protocol

Each message annotated with its cost events (sender’s events || receiver’s events):

Message 1. $A \to B: X_A$ || A: preexp, storename || B: storeonce, storename, accept

Message 2. $B \to A: X_B,\ E_K(S_B(X_B, X_A))$ || B: preexp, sign, exp, encrypt || A: checkname, retrievenonce, exp, decrypt, checksig, accept

Message 3. $A \to B: E_K(S_A(X_A, X_B))$ || A: sign, encrypt || B: checkname, retrievenonce, decrypt, checksig, accept

Page 24: Distributed  Denial-of-Services (DDoS)

Station to Station protocol

Compute the attack cost functions and the protocol engagement cost functions for each accept event.

Compute the attack cost functions and the message processing cost functions for each verification event.

Page 25: Distributed  Denial-of-Services (DDoS)

Station to Station protocol

It is vulnerable to DoS attack in several places.

First message: an intruder could mount Lowe’s attack.

Solution: cookie exchange; against Lowe’s attack, include the identity of the intended receiver.
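The cost comparison of the last three slides can be carried out mechanically on the annotated STS messages. The following is an added example, not code from the slides or from Meadows’ paper: each event is given a cost on the framework’s cheap/medium/expensive scale, and for every message the responder handles, the most expensive thing the attacker must do to get it processed is compared, through a tolerance relation, with the most expensive thing the responder then does before it can reject the message. The per-event costs, the tolerance relation and the shape of the cookie-exchange variant are assumptions of this example; Lowe’s attack is not modelled.

```python
"""Added example, not from the slides or from Meadows' paper: a small
model of the cost comparison sketched on slides 24-25, applied to the
responder side of the STS messages on slide 23.  The per-event costs,
the tolerance relation and the cookie-exchange variant are assumptions."""

LEVEL = {"cheap": 0, "medium": 1, "expensive": 2}

# Assumed event costs.  Exponentiation and signature work are expensive,
# bookkeeping is cheap.  "unspoofed" is the attacker's price for having to
# receive a cookie at a real, reachable (and thus attributable) address.
EVENT_COST = {
    "send": "cheap", "storeonce": "cheap", "storename": "cheap",
    "checkname": "cheap", "retrievenonce": "cheap", "accept": "cheap",
    "sendcookie": "cheap", "checkcookie": "cheap",
    "encrypt": "medium", "decrypt": "medium", "unspoofed": "medium",
    "preexp": "expensive", "exp": "expensive",
    "sign": "expensive", "checksig": "expensive",
}

# Assumed tolerance relation: the highest cost level the responder is
# willing to spend for a given attacker cost level.
TOLERATE = {"cheap": "cheap", "medium": "expensive", "expensive": "expensive"}

# Each step: (label, attacker events needed to get the message processed,
# responder events spent before the next check can reject it).  The
# responder events follow the slide-23 annotation.
STS = [
    ("msg1 X_A", ["send"],
     ["storeonce", "storename", "accept",
      "preexp", "sign", "exp", "encrypt", "send"]),
    ("msg3 E_K(S_A(X_A,X_B))", ["send"],
     ["checkname", "retrievenonce", "decrypt", "checksig", "accept"]),
]

# Cookie-exchange variant (slide 25, assumed shape): the responder answers
# the first message statelessly with a cookie and only commits resources
# once the cookie comes back, which requires an unspoofed address.
STS_WITH_COOKIE = [
    ("msg1 X_A", ["send"], ["sendcookie"]),
    ("msg1 X_A + cookie", ["unspoofed", "send"],
     ["checkcookie", "storeonce", "storename", "accept",
      "preexp", "sign", "exp", "encrypt", "send"]),
    ("msg3 E_K(S_A(X_A,X_B))", ["unspoofed", "send"],
     ["checkname", "retrievenonce", "decrypt", "checksig", "accept"]),
]


def level_of(events):
    """Cost level of a sequence of events: its most expensive member."""
    return max((EVENT_COST[e] for e in events), key=LEVEL.get)


def untolerated_steps(protocol):
    """Labels of the steps where the responder spends more than the
    tolerance relation allows for what the attacker had to spend."""
    bad = []
    for label, attacker, responder in protocol:
        allowed = TOLERATE[level_of(attacker)]
        if LEVEL[level_of(responder)] > LEVEL[allowed]:
            bad.append(label)
    return bad


if __name__ == "__main__":
    print("STS, untolerated steps:", untolerated_steps(STS))
    print("STS with cookies, untolerated steps:", untolerated_steps(STS_WITH_COOKIE))
```

For plain STS both steps fail the check: a cheap, spoofable message makes B pay for exponentiations and a signature after message 1, and for a signature verification after message 3. With the cookie exchange the cheap first message costs B only a cheap reply, and the expensive work is reached only by an attacker who has paid the medium cost of revealing a real address, which the assumed tolerance relation accepts.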

Page 26: Distributed  Denial-of-Services (DDoS)

Conclusion

This framework shows how existing tools and methods could be modified to address DoS attacks.