CSE 3482 Introduction to Computer Security

Instructor: N. Vlajic, Winter 2017

Denial of Service (DoS) Attacks



Learning Objectives

Upon completion of this material, you should be able to:

• Explain the basic concepts of Denial-of-Service (DoS) and distributed Denial-of-Service (DDoS) attacks.

• Understand the nature of flooding attacks.

• Explain the concept of an application-based bandwidth attack.

• Present an overview of reflector and amplifier attacks.

• Summarize some of the common defences against Denial-of-Service attacks.

Required Reading

Computer Security, Stallings: Chapter 7

Introduction

• NIST Computer Security Incident Handling Guide … “A Denial of Service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing unit (CPU), memory / disk-space, and bandwidth.”

http://realtimeprojecrtsdenniscodd.blogspot.ca/2012/01/denial-of-service-attacks-in-wireless.html

• Recent DDoS Attacks … Fall 2016 – 0.6 - 1 Tbps DDoS attack on various targets (largest DDoS attack in history, carried out by 145,000 IoT devices)

Introduction (cont.)

https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/

http://securityskeptic.typepad.com/the-security-skeptic/anatomy-of-dns-ddos-attack.html

type of attack: DNS reflection & amplification

Introduction (cont.)

• Recent DDoS Attacks … September 2015 – DDoS through unsuspecting browsers

type of attack: browser hijacking (malicious JavaScript inserted in a popular Web page – all visitors to this Web site become participants in the DDoS …)

http://www.scmagazine.com/ddos-attack-used-mobile-devices-to-deliver-45-billion-requests/article/441456/

Introduction (cont.)

http://hackmageddon.com/category/security/cyber-attacks-statistics/

Categories of DoS Attacks

DDoS attacks, by the resource they target:

• targeted at Bandwidth

• targeted at Computing Resources
    targeted at OS Resources
    targeted at Application Resources

DDoS attacks, by delivery: Direct or Reflection

Categories of DoS Attacks (cont.)

• DoS Targeting Bandwidth

bandwidth = capacity of the network link connecting a server

typically, server bandwidth << ISP bandwidth; hence, it is always possible to ‘congest’ the server link => degraded/non-existent service for (some) legitimate users

http://flylib.com/books/en/2.295.1.24/1/

Categories of DoS Attacks (cont.)

• DoS Targeting Bandwidth

server/application throughput vs. incoming traffic rate

http://users.ece.cmu.edu/~dbrumley/courses/18487-f10/files/DDoS.pdf

Most of the key Internet protocols (e.g., TCP) ‘react’ to packet delay/loss by retransmitting packets.

[Figure: 100 Mbps server link – incoming traffic rate (regular + attack traffic) vs. 100 Mbps throughput]

Categories of DoS Attacks (cont.)

• DoS Targeting Bandwidth

flooding – most common type of bandwidth DDoS

examples:
    Network Layer: ICMP Flood (e.g., ICMP Echo Request)
    Transport Layer: UDP, TCP Flood (on open or closed ports)
    Application Layer: HTTP Flood

http://localare.blogspot.ca/2012/10/protocol-tcp-ip.html

Categories of DoS Attacks (cont.)

• DoS Targeting Bandwidth

TCP vs. UDP reaction to a bandwidth DoS attack

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6519235

Categories of DoS Attacks (cont.)

• DoS Targeting System Resources

aim to consume the server’s limited OS-level resources, typically by misusing lower-layer protocols (TCP, IP, …):
    buffers holding arriving IP packets
    tables of open TCP connections

http://natsys-lab.blogspot.ca/2013/03/whats-wrong-with-sockets-performance.html

• DoS Targeting System Resources

examples: TCP-SYN Flood

attacker sends a flood of TCP-SYN requests in possibly spoofed IP packets => 3-way handshake never completed

half-open connections bind server resources – no new connections can be made

Categories of DoS Attacks (cont.)

[Figure: normal 3-way TCP handshake vs. TCP-SYN flood]
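As an added illustration of the half-open-connection problem described above (not code from the course), a small monitor over a constructed packet log: it counts, per server port, the client SYNs that never received the client’s final ACK. The log format and the addresses (private and documentation ranges) are assumptions.

```python
"""Half-open (SYN without final ACK) tracker for TCP-SYN flood detection.

Constructed example: each line is one packet as a sniffer on the server's
link might log it:  <time> <src_ip>:<sport> -> <dst_ip>:<dport> <flags>
A client's SYN opens a half-open entry; the client's ACK (third handshake
step) or RST closes it. Spoofed flood sources never ACK, so their entries
pile up against the server's connection table.
"""
from collections import defaultdict
import re

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) ([A-Z-]+)$")

# Constructed sample capture: 10.0.0.5 completes its handshake, the
# 198.51.100.x sources only ever send SYNs.
SAMPLE_LOG = """\
0.001 10.0.0.5:40001 -> 192.0.2.10:80 SYN
0.002 192.0.2.10:80 -> 10.0.0.5:40001 SYN-ACK
0.003 10.0.0.5:40001 -> 192.0.2.10:80 ACK
0.010 198.51.100.1:1025 -> 192.0.2.10:80 SYN
0.011 198.51.100.2:1025 -> 192.0.2.10:80 SYN
0.012 198.51.100.3:1025 -> 192.0.2.10:80 SYN
0.013 198.51.100.4:1025 -> 192.0.2.10:80 SYN
0.014 198.51.100.5:1025 -> 192.0.2.10:80 SYN
0.020 198.51.100.7:2000 -> 192.0.2.10:443 SYN
"""

def half_open_by_server(log_text):
    """Map (server ip, port) -> list of client ips whose SYN never completed."""
    pending = {}  # (src, sport, dst, dport) -> True while the handshake is open
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the sniffer format
        _t, src, sport, dst, dport, flags = m.groups()
        key = (src, int(sport), dst, int(dport))
        if flags == "SYN":
            pending[key] = True
        elif flags in ("ACK", "RST") and key in pending:
            del pending[key]  # handshake completed (or aborted) by the client
    by_server = defaultdict(list)
    for src, _sport, dst, dport in pending:
        by_server[(dst, dport)].append(src)
    return dict(by_server)

def syn_flood_suspects(log_text, max_half_open=3):
    """Servers whose half-open backlog exceeds max_half_open (illustrative threshold)."""
    return {srv: len(srcs) for srv, srcs in half_open_by_server(log_text).items()
            if len(srcs) > max_half_open}
```

In practice the threshold is set relative to the server’s listen backlog, and the entries would be aged out after the handshake timeout rather than kept forever.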

Categories of DoS Attacks (cont.)

• DoS Targeting Application Resources

involve valid-looking application requests that
    1) consume significant application resources, or
    2) cause the application to crash

examples:
    HTTP attack requesting large PDF files from a server
    attack on a web server that makes database queries, using computationally-costly requests

Categories of DoS Attacks (cont.)

• DoS vs. DDoS Attacks

DoS attack – one attacking machine

Distributed DoS attack – employs numerous attacking machines – so-called botnets

http://www.tik.ee.ethz.ch/~ddosvax/talks/ddos_td.pdf

[Figure: direct DDoS attacks, reflector DDoS attacks, amplification DDoS attacks]

DDoS Attacks: Botnet

• Botnet for DDoS

botnet – a network of compromised machines (bots, zombies, or agents) controlled by the attacker

attacker / master – machine that is physically used by the bot master / herder; can be anywhere with any type of Internet connection

stepping stone – attacker can use 1 or more stepping stones to hide his or her true identity and location
    typically, there is a telnet connection between the botnet master and its stepping stones
    due to legal issues and physical location, using stepping stones located in foreign countries makes it much more difficult to trace the original attacker

• Botnet for DDoS (cont.)

handler – a computer that has been compromised by the bot master and loaded with special applications to manage agents
    handlers accept commands from the attackers by way of stepping stones and relay those commands to waiting agents
    each handler is responsible for (only) a group of agents
    if handlers communicate with their respective agents via TCP connections, they will get/have a list of agents’ IP addresses

bot / zombie / agent – a compromised 3rd party machine with the ‘injected’ malware
    ‘real power’ of the botnet – capable of launching attacks and/or propagating itself to other machines
    largest known botnet: Mariposa, 8-12 million bots (2008)

DDoS Attacks: Botnet (cont.)

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.540&rep=rep1&type=pdf

[Figure: botnet structure – hacker’s ‘PC’; machines owned by the hacker but in different locations; compromised machines controlled by the hacker; compromised machines with malware]

DDoS Attacks: Botnet (cont.)

• Botnet Propagation

vulnerability scan – manual propagation involving systematic scanning / searching for hosts with particular vulnerabilities

worm exploits – automated propagation process via worms that traverse the Internet infecting hosts and installing the agent software

web based malware exploits – automated propagation by means of ‘drive-by-download’ from compromised websites

botnet takeover – e.g., by sniffing the password that a bot herder uses to log into its botnet handlers

• Mariposa Botnet

8 – 12 million bots at its peak

spreading: via instant messages, P2P connections, removable drives, …

primary purpose/operation: steal login info (banks, social-networking sites, …), steal important files found on hard drives, ‘hijack’ search results, …

secondary purpose – botnet was also available for rent and has performed other ‘underground’ operations

takeover – May 2009, Mariposa Working Group temporarily seized control of C&C servers

arrests – 2010, several Spanish & one Slovenian citizen arrested

http://community.trendmicro.com/t5/Web-Threat-Spotlight/Mariposa-Botnet-Uses-AutoRun-Worms-to-Spread/ba-p/4596

DDoS Attacks: Botnet (cont.)

• Botnet: to Build or to Rent?

building a botnet – ‘ready to use’ development kits are available on the black market – packages containing C&C software & bot software
    Dirt Jumper – sophisticated software with a HTTP C&C server & SQL database for keeping track of infected bots
    requires technical expertise and is time consuming

How To Build A Botnet In 15 Minutes
http://readwrite.com/2013/07/31/how-to-build-a-botnet-in-15-minutes#awesm=~ozr0P2DBqFUHlU

A beginner’s guide to building botnets—with little assembly required
http://arstechnica.com/security/2013/04/a-beginners-guide-to-building-botnets-with-little-assembly-required/

DDoS Attacks: Botnet (cont.)

• Botnet: to Build or to Rent?

renting a botnet – several $100 for a day of botnet rent

https://blog.damballa.com/archives/330

http://www.mportal.com/growing-cyber-threat-mobile-botnets/

Reflector & Amplified DDoS

• Direct DDoS attacks

agents conducting the attack are compromised systems running the attacker’s program

the source IP addresses in attacking packets are often spoofed => the victim’s responses are scattered throughout the Internet

protocols used: any – ICMP, TCP, UDP, DNS, HTTP, …

[Figure: attacking packet – destination IP = Victim’s IP, source IP = true or random IP]

Amplified & Reflector DDoS (cont.)

• Reflector DDoS attacks

indirect attack utilizing innocent uncompromised intermediate nodes and any simple ‘request-reply’ protocol

the source IP address in attacking packet = spoofed victim’s IP

aims to obscure the identity of attacking machines

[Figure: attacking packet – destination IP = Reflector’s IP, source IP = Victim’s IP]

Amplified & Reflector DDoS (cont.)

Example: HTTP Reflector DDoS – possible or not?!

HTTP runs on top of an established TCP connection. Impossible to send an HTTP request to the Victim without a valid 3-way TCP handshake.

HTTP is not a simple ‘request-reply’ protocol => reflector attack not possible.

[Figure: Attacker sends SYN (source IP = Victim’s IP, destination IP = Reflector’s IP) to the Reflector; the Reflector sends its SYN-ACK to the Victim]

Amplified & Reflector DDoS (cont.)

Example: DNS Reflector DDoS – possible or not?!

DNS runs on top of UDP (or TCP), and acts as a simple ‘request-reply’ protocol => reflector attack possible.

Amplified & Reflector DDoS (cont.)

• Amplified DDoS attacks

variant of reflector attack – aim to generate multiple reflector packets for each original packet sent

can be achieved by directing original requests to a broadcast address of a large LAN
    e.g., ICMP echo request to 129.1.0.0 => multiple echo replies

TCP cannot be used as it is ‘connection oriented’

Amplified & Reflector DDoS (cont.)

Example: DNS Amplification DDoS using recursive resolution

http://blog.isc2.org/.a/6a00e54f109b6788340168e901b1c1970c-pi

https://isc.sans.edu/diary/When+attackers+use+your+DNS+to+check+for+the+sites+you+are+visiting/16955

http://www.expertsmind.com/questions/dns-message-application-layer-30140518.aspx
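The two DNS cases above (reflection, where the response goes to a spoofed victim, and amplification, where a small query yields a large recursive answer) are both visible in logs on the defending side. As an added example that is not course code, the following checks (a) an open resolver’s own log for sources whose queries produce far more response bytes than query bytes, and (b) a victim network’s edge log for DNS responses that no internal host ever asked for. Log fields, addresses and byte counts are constructed.

```python
"""Defender-side DNS reflection/amplification checks over constructed logs."""
from collections import defaultdict

# (a) Open-resolver view: response bytes produced per query byte, per source.
# Fields: (query source ip, qtype, query bytes, response bytes)
RESOLVER_LOG = [
    ("203.0.113.7", "ANY", 64, 3100),
    ("203.0.113.7", "ANY", 64, 3100),
    ("203.0.113.7", "ANY", 64, 3100),
    ("198.51.100.20", "A", 60, 90),
    ("198.51.100.20", "MX", 62, 130),
]

def amplification_by_source(log):
    """Return {source ip: (query count, response bytes / query bytes)}."""
    count, q_bytes, r_bytes = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, _qtype, qlen, rlen in log:
        count[src] += 1
        q_bytes[src] += qlen
        r_bytes[src] += rlen
    return {s: (count[s], r_bytes[s] / q_bytes[s]) for s in count}

def abusive_sources(log, min_queries=3, min_factor=10.0):
    """Sources that look like the spoofed victim of an amplification flood."""
    return sorted(s for s, (n, f) in amplification_by_source(log).items()
                  if n >= min_queries and f >= min_factor)

# (b) Victim-edge view: responses for which no query ever left the network
# are reflected traffic.  Fields: (direction, src ip, dst ip, kind, bytes)
EDGE_LOG = [
    ("out", "192.0.2.10", "198.51.100.53", "query", 60),
    ("in", "198.51.100.53", "192.0.2.10", "response", 120),  # answers the query
    ("in", "203.0.113.1", "192.0.2.10", "response", 3100),   # unsolicited
    ("in", "203.0.113.2", "192.0.2.10", "response", 3100),   # unsolicited
]

def unsolicited_responses(log):
    """Return {target ip: (unsolicited response bytes, distinct reflector count)}."""
    outstanding = defaultdict(int)        # (internal host, resolver) -> open queries
    hit = defaultdict(lambda: [0, set()])
    for direction, src, dst, kind, size in log:
        if direction == "out" and kind == "query":
            outstanding[(src, dst)] += 1
        elif direction == "in" and kind == "response":
            if outstanding[(dst, src)] > 0:
                outstanding[(dst, src)] -= 1  # matches a query we sent
            else:
                hit[dst][0] += size
                hit[dst][1].add(src)
    return {h: (b, len(r)) for h, (b, r) in hit.items()}
```

Matching on (host, resolver) pairs is deliberately coarse; a production check would also match the DNS transaction ID and source port, which is what the resolver itself does to accept an answer.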

DDoS Defences

• Classical DDoS Defences

Attack Prevention – before attack
    up-to-date anti-malware to prevent the creation of botnets
    monitoring of traffic by ISP, or ‘cyber-spies’, to detect packets between attackers and stepping-stones / handlers

DDoS Defences (cont.)

• Classical DDoS Defences (cont.)

Attack Detection and Filtering – during attack
    firewall monitors for suspicious (blacklisted) IPs or suspicious packets (e.g., SYN flood) and drops them
    ISP monitors and drops packets with spoofed IP addr.

DDoS Defences (cont.)

• Modern Lines of DDoS Defence

Content Delivery Networks (Akamai)
    web-site content is placed on multiple/redundant locations
    users are ‘directed’ to geographically closest servers
    multiple servers => no ‘single point of failure’

http://www.marketingtechblog.com/content-delivery-network/

DDoS Defences (cont.)

• Modern Lines of DDoS Defence (cont.)

Scrubbing Centers (Prolexic)
    packets destined for an enterprise are routed through, and screened by, a special cloud-based network of routers
    if an attack pattern is identified => suspicious packets are dropped before reaching the victim

http://www.prolexic.com/kcresources/attack-report/prolexic-quarterly-global-ddos-attack-report-q412-011713/Prolexic_Quarterly_Global_DDoS_Attack_Report_Q412_011413.pdf

Application-Layer DDoS

• Application-Layer DDoS Attacks

fastest growing category of DDoS attacks

hard to distinguish between legitimate & malicious HTTP requests

Application-Layer DDoS

• How Browser Works

base HTML page retrieved first; then, the HTML page is parsed and individual objects (images, scripts, videos, …) are subsequently retrieved

Application-Layer DDoS (cont.)

• Puppetnets

mechanism of conducting HTTP DDoS by exploiting (hijacking) legitimate / uninfected machines

a popular 3rd party web-page is ‘infected’ with a malicious HTML or JavaScript that generates HTTP requests to the victim

[Figure: infected Web server (196.87.44.1) serves an HTML page with attack instructions piggybacked on normal HTTP requests; visitors’ browsers send attack traffic to the victim site (128.7.35.9)]

HTML page:

    <img src="http://196.87.44.1/picture.jpg">
    <img src="http://128.7.35.9/picture.gif">
    …

Application-Layer DDoS (cont.)

• Puppetnets (cont.)

advantages for attacker
    minimal cost
    puppet-bots are generally trusted with ‘good’ history – harder to detect, and not subject to black-listing or firewall blocking

disadvantages for attacker
    very ‘dynamic’ bot population
    attacks cannot be fully controlled or predicted

How easy/complex is it to inject malicious puppetnet code??

Application-Layer DDoS (cont.)

• Million-Browser Botnet

August 2013, researchers from White-Hat Security managed to create a puppetnet consisting of a million hijacked browsers using WWW Ad-s

[Figure: Web server hosting a 3rd party Ad serves attack instructions piggybacked on normal HTTP requests; visitors’ browsers send attack traffic to the victim site (128.7.35.9)]

JavaScript in HTML code:

    var i = 1;
    img = new Image();
    while (true) {
        img.src = "128.7.35.9/picture.gif";
        i++;
    }
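The slides note that puppet traffic is hard to tell from legitimate requests because each browser has a ‘good’ history. What the victim does see, in both the HTML and the ad-script variants above, is one static object fetched by many distinct clients whose Referer is a page the victim never served. As an added example (not course code), the following parses constructed combined-format access-log lines, clusters fetches by (object, Referer host), and shows the matching hotlink-protection decision; the hostnames, addresses and log lines are assumptions.

```python
"""Spotting puppetnet-style hotlinking in a web server's access log.

Constructed example: visitors to a third-party page fetch the same static
object, so the victim sees many distinct client IPs requesting one object
with a foreign Referer. Normal visitors carry the site's own Referer (or none).
"""
from collections import defaultdict
from urllib.parse import urlsplit
import re

OWN_HOSTS = {"www.victim.example", "victim.example"}  # assumed site hostnames

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')

SAMPLE_LOG = """\
203.0.113.1 - - [07/Mar/2018:10:00:01 +0000] "GET /picture.gif HTTP/1.1" 200 5120 "http://ads.third-party.example/banner.html" "Mozilla/5.0"
203.0.113.2 - - [07/Mar/2018:10:00:01 +0000] "GET /picture.gif HTTP/1.1" 200 5120 "http://ads.third-party.example/banner.html" "Mozilla/5.0"
203.0.113.3 - - [07/Mar/2018:10:00:02 +0000] "GET /picture.gif HTTP/1.1" 200 5120 "http://ads.third-party.example/banner.html" "Mozilla/5.0"
203.0.113.3 - - [07/Mar/2018:10:00:02 +0000] "GET /picture.gif HTTP/1.1" 200 5120 "http://ads.third-party.example/banner.html" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2018:10:00:03 +0000] "GET /picture.gif HTTP/1.1" 200 5120 "http://www.victim.example/index.html" "Mozilla/5.0"
198.51.100.8 - - [07/Mar/2018:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return (client ip, path, referer host or None) for a combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, _status, referer = m.groups()
    host = urlsplit(referer).hostname if referer not in ("", "-") else None
    return ip, path, host

def foreign_referer_clusters(log_text, min_clients=3):
    """Objects fetched by >= min_clients distinct IPs with a Referer outside OWN_HOSTS."""
    clients = defaultdict(set)  # (path, referer host) -> distinct client ips
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] is not None and rec[2] not in OWN_HOSTS:
            clients[(rec[1], rec[2])].add(rec[0])
    return {k: len(v) for k, v in clients.items() if len(v) >= min_clients}

def should_serve_embedded(path, referer_host):
    """Hotlink protection: serve static objects only to own pages or direct requests."""
    if not path.endswith((".gif", ".jpg", ".png")):
        return True
    return referer_host is None or referer_host in OWN_HOSTS
```

The Referer header is set by the embedding page’s browser and can be absent, so this check raises the cost of the puppetnet rather than removing the vector; the distinct-client count per object is the more robust signal.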

Application-Layer DDoS (cont.)

Example: Advertising on WWW

https://media.blackhat.com/us-13/us-13-Grossman-Million-Browser-Botnet.pdf