Post on 18-Jan-2016

218 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Routing and Denial of Service: Attacks and Defenses Vyas Sekar Carnegie Mellon University Acks: David Brumley, Adrian Perrig, Nicolas Christin, Srini Seshan

Routing and Denial of Service: Attacks and Defenses

Vyas Sekar, Carnegie Mellon University

Acks: David Brumley, Adrian Perrig, Nicolas Christin, Srini Seshan

Page 2:

Recap so far

• We looked at firewalls and intrusion detection

• They offer "edge" security against Internet attacks
  – E.g., defense against infect/exfiltrate attacks

• But the network is not just about the "edge"

Page 3:

What is Network Security?

1. Providing a "reliable" channel: if the network protocols have flaws, crypto may not save you

[Figure: Alice and Bob communicating over a public channel; the network typically runs the IP protocol]

Page 4:

http://www.computerworld.com/article/2516953/enterprise-applications/a-chinese-isp-momentarily-hijacks-the-internet--again-.html

Page 5:

Page 6:

What is Network Security?

2. Providing an "available" channel: can Alice talk to Bob? Can Eve deny service to Alice/Bob?

[Figure: Alice and Bob communicating over a public channel; the network typically runs the IP protocol]

Page 7:

Page 8:

Page 9:

Goals of this lecture

• Understand routing attacks and defenses

• Understand denial of service and defenses

Page 10:

Routing Overview

Page 11:

Internet organization

• The Internet is composed of Autonomous Routing Domains (ARDs)

• An ARD is a collection of resources under the administrative control of a single entity
  – The CMU network is an ARD
  – Routers, links, networks, etc.
  – Policies, interconnections with other ARDs
  – Big or small: campus, corporate, ISP networks
  – Allocated numbers, names and addresses

Page 12:

Autonomous Systems

• An Autonomous System (AS) is an ARD with an AS number (ASN) assigned by IANA through the Regional Internet Registries
  – 16-bit: 1 to 64511 are public, 64512 to 65535 are private (32-bit ASNs, RFC 6793, have since extended this space)
  – CMU has ASN 9; UUNet has ASNs 701, 702, 703, 704, 705
  – At last count there were more than 46,000 ASes (CIDR report, March 2014)

• Not every ARD has a public AS number
  – Only needed if the ARD talks to more than one AS (i.e., is multi-homed)
  – Nowadays you must justify to the registry why you need one

Page 13:

Internet routing

• The Internet relies on hierarchical routing
  – An Interior Gateway Protocol (IGP) is used to route packets within an AS: intra-domain routing
  – An Exterior Gateway Protocol (EGP) maintains Internet connectivity among ASes: inter-domain routing

[Figure: AS100, AS200, AS300 and AS400 connected to one another by BGP sessions; an IGP runs inside each AS]

Page 14:

How does BGP work?

Internet routers communicate using the Border Gateway Protocol (BGP):

• Destinations are prefixes (CIDR blocks)
  – Example: 128.2.0.0/16 (CMU)

• Routes go through Autonomous Systems (ISPs)

• Each AS is uniquely identified by a number
  – Example: 25 (UC Berkeley)

• Each route carries the list of ASes traversed (the AS path)
  – Example: 9 ← 5050 ← 11537 ← 2153

Page 15:

Principles of operation

• Exchange routes
  – AS100 announces the 128.1.1.0/24 prefix to AS200 and AS300, etc.

• Incremental updates

[Figure: AS100 originates 128.1.1.0/24 and peers with AS200 (link addresses 192.208.10.1 / 192.208.10.2) and with AS300 (link addresses 129.213.1.2 / 129.213.1.1); AS200 and AS300 both peer with AS400]

Page 16:

BGP UPDATE message

• Announced prefixes (aka NLRI, Network Layer Reachability Information)
• Path attributes associated with the announcement
• Withdrawn prefixes

[Figure: same topology as the previous slide: AS100 originates 128.1.1.0/24 and peers with AS200 (192.208.10.1 / 192.208.10.2) and AS300 (129.213.1.2 / 129.213.1.1), which both peer with AS400]

Page 17:

UPDATE message example

[Figure: AS100 originates 128.1.1.0/24 and sends one UPDATE to each neighbour over the 192.208.10.x (AS200) and 129.213.1.x (AS300) links]

UPDATE from AS100 to AS200:
  NLRI: 128.1.1.0/24
  Nexthop: 192.208.10.1
  ASPath: 100

UPDATE from AS100 to AS300:
  NLRI: 128.1.1.0/24
  Nexthop: 129.213.1.2
  ASPath: 100

Page 18:

Route propagation

[Figure: AS200 and AS300 each re-announce 128.1.1.0/24 to AS400, prepending their own AS number; AS400-facing link addresses shown as 190.225.11.1 and 150.211.1.1]

UPDATE from AS100 to AS200:
  NLRI: 128.1.1.0/24, Nexthop: 192.208.10.1, ASPath: 100

UPDATE from AS100 to AS300:
  NLRI: 128.1.1.0/24, Nexthop: 129.213.1.2, ASPath: 100

UPDATE from AS200 to AS400:
  NLRI: 128.1.1.0/24, Nexthop: 190.225.11.1, ASPath: 200 100

UPDATE from AS300 to AS400:
  NLRI: 128.1.1.0/24, Nexthop: 150.212.1.1, ASPath: 300 100

Page 19:

BGP route selection algorithm

1. Drop routes with inaccessible Nexthops
2. Prefer the route with the largest LocalPref
3. Prefer the route with the shortest ASPath
4. Prefer the lowest origin type: IGP < EGP < Incomplete
5. Prefer the route with the smallest MED (compare MEDs from the same neighbouring AS only)
6. Prefer the path with the lowest IGP metric to the Nexthop
7. Prefer the path learned from the lowest BGP router ID
8. (vendor-specific tie-breakers ...)

Note that nothing in this list checks whether an announcement is true: a forged route with a shorter AS path simply wins at step 3.

Page 20:

BGP Attacks

Page 21:

All you need is one compromised BGP speaker

• Routers run an operating system, which attackers now target

Page 22:

Potential attack objectives

• Blackholing: make something unreachable

• Redirection: e.g., congestion, eavesdropping

• Instability

Page 23:

Unauthorized origin ISP (prefix theft)

[Figure: Google's network G is connected to ISP B, which is connected to C; the attacker M is also connected to C]

Routing table at C before the attack:
  Destination: Google    Route: G ← B

M announces Google's prefix as if M originated it. Routing table at C after the attack:
  Destination: Google    Route: M

M's route to G looks better than B's (shorter AS path), so C now sends Google-bound traffic to M.

Page 24:

AS-path truncation

[Figure: G ← B, with B connected to C and to E, C and E connected to D; the attacker M peers with the same downstream AS as D]

Legitimate routes:
  Destination: Google    Route: G ← B ← C
  Destination: Google    Route: G ← B ← D

Route forged by M (M re-announces the route but strips the ASes between itself and B from the path):
  Destination: Google    Route: G ← B ← M

M's route to G looks better than D's (shorter AS path), so M's announcement wins.

Page 25:

AS path alteration

[Figure: G ← B, with B connected to C and to E; the attacker M]

Legitimate route:
  Destination: Google    Route: G ← B ← C

Route forged by M (inserts an AS X that is not actually on the path):
  Destination: Google    Route: G ← B ← X ← M

M's route avoids C: an AS whose policy disfavours routes through C (e.g., a lower LocalPref for them) will prefer M's route even though it is longer.

Page 26:

Securing BGP

Page 27:

Authentication at BGP layer

• The TCP MD5 signature option (RFC 2385) protects the TCP connection that carries BGP and provides authentication between the two BGP speakers (a keyed MD5 digest over each segment, not a plain checksum)

• How much security does the MD5 option provide?
  – Prevents an external attacker from injecting bogus segments into the TCP connection, e.g., RST or data injection (TCP poisoning)
  – Does not provide authenticity for the routing information itself: all 3 attacks above are still possible from a legitimate (or compromised) peer!
  – TCP-AO (RFC 5925) replaces the MD5 option with stronger MACs and key rollover, but has the same scope: it protects the session, not the routes

Page 28:

Route filtering

• Use Internet routing registries (IRRs)
  – Database of who owns what prefix

• Typically route filtering is used for "business" reasons
  – E.g., don't want to go through this AS
  – E.g., don't want to reveal a route to this AS

• Can be used for security

• Ingress filters
  – Does the announcing AS own the prefix? If not, don't accept the route

• Problem? Registry data is voluntary and often stale or incomplete, every neighbour has to be filtered, and an origin check says nothing about the rest of the AS path
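The ingress check above, written out as an added example that is not part of the original lecture. It uses records of the form (prefix, maximum length, origin AS), which is the shape of an RPKI ROA and also of an IRR route object; the records and announcements are constructed (RFC 5737 documentation prefixes and private-use AS numbers), and the three outcomes follow the valid/invalid/unknown states of RFC 6811.

```python
"""Route origin validation against a table of (prefix, max-length, origin AS) records."""
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class ROA(NamedTuple):
    prefix: str
    max_len: int      # longest prefix length the origin AS may announce under this prefix
    origin_as: int


# Constructed records (not a real registry)
ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 26, 64501),
]


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one (prefix, origin AS) pair."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"              # nobody has registered this space: nothing to check against
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_len:
            return "valid"
    return "invalid"                  # covered, but wrong origin or more specific than allowed


def ingress_filter(announcements: Iterable[Tuple[str, List[int]]], roas: Iterable[ROA]):
    """The slide's ingress rule: drop routes whose origin does not own the prefix.
    'unknown' stays accepted, because most of the routing table is unregistered."""
    roas = list(roas)
    accepted, dropped = [], []
    for prefix, as_path in announcements:
        state = validate_origin(prefix, as_path[-1], roas)   # origin AS is the last hop
        (dropped if state == "invalid" else accepted).append((prefix, as_path, state))
    return accepted, dropped


if __name__ == "__main__":
    anns = [
        ("192.0.2.0/24", [64496, 64500]),        # legitimate origin
        ("192.0.2.0/24", [64497]),               # prefix theft: wrong origin
        ("198.51.100.0/28", [64498, 64501]),     # right origin, but more specific than max-length
        ("203.0.113.0/24", [64499]),             # no record at all
    ]
    accepted, dropped = ingress_filter(anns, ROAS)
    for entry in accepted + dropped:
        print(entry)
```

The filter stops the prefix-theft case but not AS-path truncation or alteration: a forged path that keeps the true origin AS at its end validates as "valid", which is exactly the gap the path-validation designs on the following slides try to close.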

Page 29:

BGP Security Requirements

• Verification of address space "ownership"
• Authentication of Autonomous Systems (ASes)
• Router authentication and authorization (relative to an AS)
• Route and address advertisement authorization
• Route withdrawal authorization
• Integrity and authenticity of all BGP traffic on the wire
• Timeliness of BGP traffic

Page 30:

S-BGP design overview

• IPsec: authenticity and integrity of peer-to-peer communication, automated key management

• Public Key Infrastructures (PKIs): secure identification of BGP speakers, and of the owners of ASes and of address blocks

• Attestations: authorization of the subject (by the issuer) to advertise specified address blocks

• Validation of UPDATEs based on a new path attribute, using certificates and attestations

• Distribution of countermeasure data: certificates, CRLs, attestations

Page 31:

Certificates and route attestations

• ICANN issues certificates for AS ownership to ISPs and organizations that run BGP

• AS operators issue certificates to routers, as AS representatives

• Holders of AS (or router) certificates generate route attestations, authorizing advertisement of a route by a specified next-hop AS

• Route attestations are used to express a secure route as a sequence of AS hops

Page 32:

Sample BGP Update Messages

[Figure: a topology of routers R1 through R16 spread over several ASes, with customer networks C1, C2 and C3; the slide traces the plain BGP UPDATE messages exchanged along a path]

Page 33:

Secure BGP Update Message

[Figure: the same topology of routers R1 through R15 and customer networks C1, C2 and C3; the slide traces the S-BGP UPDATE with its chain of route attestations, one per AS hop]

Page 34:

Has this been adopted?

• Sadly, no

• Needs all ASes to adopt

• Crypto is still expensive at line rate

• Other options are still being explored
  – soBGP, RPKI
  – (RPKI-based route origin validation has since seen real deployment, but it checks only the origin AS of a prefix; path validation, BGPsec (RFC 8205), remains largely undeployed)

Page 35:

Take away slide

• BGP was built on the assumption of cooperation
  – That assumption no longer holds

• Many routing misconfigurations, bugs, and even attacks (several per day)

• Proposed fixes are many, but all have some limitations
  – TTL hacks (GTSM), MD5 signatures
  – S-BGP: relies on a PKI; potentially significant overhead

• Very hard to retrofit security in an existing model!

Page 36:

Denial of Service

Page 37:

DoS: General definition

• DoS is not access to or theft of information or services

• Instead, the goal is to stop the service from operating

• Deny service to legitimate users

• Why? Economic, political, personal, etc.

Page 38:

DDoS Attacks

• A Distributed Denial of Service (DDoS) attack is a coordinated DoS with many attackers

• Homogeneity of computing systems enables an attacker to compromise tens of thousands of hosts

Page 39:

Why is DDoS a hard problem?

• Simple form of attack
  – No complex technique, just send a lot of traffic
  – Toolkits readily available

• Preys on the Internet's strengths
  – Simplicity of processing in routers
  – Total reachability

• Attack machines readily available
  – Easy to find 10,000s of vulnerable machines on the Internet

• Attack can look like normal traffic
  – E.g., HTTP requests

• Lack of Internet enforcement tools
  – No traceability

• Lack of cooperation between targets
  – ISPs are competitive, and cooperation happens only at human timescales

• Effective solutions hard to deploy
  – We can't change the core of the Internet easily

Page 40:

DoS attack characteristics

• Link flooding causes high loss rates for incoming traffic

• TCP throughput collapses as the loss rate $q$ rises (Mathis et al.): $\text{throughput} \approx \min\!\left(BW,\ \dfrac{C \cdot MSS}{RTT \cdot \sqrt{q}}\right)$, where $C$ is a constant (about 1.2)

• During a DoS attack few legitimate clients are served

Page 41:

DDoS Attack Taxonomy

• Exploited weakness
  – Semantic vs brute force

• Victim resource type
  – E.g., application vs host vs access link vs infrastructure

• Detectability/filterability

Page 42:

DoS can happen at any layer

• Sample DoS attacks at different layers (in order):
  – Link
  – TCP/UDP
  – Application
  – Payment

Page 43:

Warm up: 802.11b DoS bugs

• Radio jamming attacks: trivial, not our focus

• Protocol DoS bugs [Bellardo, Savage '03]
  – NAV (Network Allocation Vector):
    • Set from the 15-bit Duration field; max value 32767 (microseconds)
    • Any node can reserve the channel for the NAV period
    • No one else should transmit during the NAV period
    • ... but the reservation is not honoured by most 802.11b cards, so this attack is weaker in practice than on paper
  – De-authentication bug:
    • Any node can send a deauth frame to the AP
    • Deauth frames are unauthenticated
    • ... so an attacker can repeatedly deauthenticate anyone (later fixed by protected management frames, 802.11w)

Page 44:

Smurf amplification DoS attack

• Send a ping request (ICMP Echo Request) to a broadcast address, with the victim's address as the source
• Lots of responses:
  – Every host on the target network generates a ping reply (ICMP Echo Reply) to the victim

Prevention: reject external packets to the broadcast address

[Figure: 1. DoS source sends ICMP Echo Request (Src: DoS target, Dest: broadcast address) through the gateway; 2. every host on the LAN answers; 3. ICMP Echo Replies (Dest: DoS target)]

Page 45:

Modern day example (May '06)

• 580,000 open resolvers on the Internet (Kaminsky-Shiffman '06)

• DNS amplification attack (~50× amplification):
  – The DoS source sends a DNS query with SrcIP: DoS target (60 bytes) to an open resolver
  – The resolver sends an EDNS response (3000 bytes) to the DoS target

[Figure: DoS source → DNS server → DoS target]
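Detection logic for the reflection pattern on this slide, as an added example that is not part of the original lecture. It runs over constructed flow records (not real traffic) and looks for the signature of amplification from the victim's side: response-shaped UDP traffic from many service-port sources arriving at a host that sent few or no requests to those services. The port list and thresholds are assumptions.

```python
"""Flag amplification victims in flow records: many reflectors answering a host that never asked."""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    octets: int


# UDP services commonly abused as reflectors (port -> name); assumed list
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 19: "chargen", 11211: "memcached"}

# Constructed flow records: three open resolvers answering 203.0.113.9, which sent no queries,
# plus one ordinary client (203.0.113.20) doing a normal lookup.
FLOWS = [
    Flow("192.0.2.10", 53, "203.0.113.9", 40000, "udp", 10, 30000),
    Flow("192.0.2.11", 53, "203.0.113.9", 40000, "udp", 10, 30000),
    Flow("192.0.2.12", 53, "203.0.113.9", 40000, "udp", 10, 30000),
    Flow("203.0.113.20", 51000, "192.0.2.10", 53, "udp", 1, 60),
    Flow("192.0.2.10", 53, "203.0.113.20", 51000, "udp", 1, 120),
]


def amplification_suspects(flows: Iterable[Flow], min_reflectors: int = 3,
                           min_ratio: float = 10.0) -> Dict[str, dict]:
    """Per (host, service): bytes received from service ports vs bytes the host sent to them."""
    stats: Dict[tuple, dict] = defaultdict(lambda: {"in": 0, "out": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport in REFLECTOR_PORTS:                  # response-shaped traffic arriving at f.dst
            s = stats[(f.dst, REFLECTOR_PORTS[f.sport])]
            s["in"] += f.octets
            s["reflectors"].add(f.src)
        elif f.dport in REFLECTOR_PORTS:                # a request the host actually sent
            stats[(f.src, REFLECTOR_PORTS[f.dport])]["out"] += f.octets
    report = {}
    for (host, service), s in stats.items():
        ratio = s["in"] / max(s["out"], 1)              # amplification as seen from this host
        if len(s["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            report[host] = {"service": service, "reflectors": len(s["reflectors"]),
                            "bytes_in": s["in"], "bytes_out": s["out"], "ratio": ratio}
    return report


if __name__ == "__main__":
    for host, info in amplification_suspects(FLOWS).items():
        print(host, info)
```

The ordinary client is not flagged because its answer is only twice the size of its query and comes from a single resolver; the victim is flagged because 90 kB of answers arrive from three resolvers it never queried. On real flow exports the same logic also catches NTP monlist, SSDP and memcached reflection, since the port table is the only service-specific part.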

Page 46:

Survey of amplifiers (Rossow, NDSS '14)

Page 47:

TCP SYN Flood I: low rate (DoS bug)

[Figure: client C sends SYN C1, SYN C2, SYN C3, SYN C4, SYN C5 to server S; none of the handshakes is completed]

Single machine:
• SYN packets with random source IP addresses
• Fills up the backlog queue on the server
• No further connections possible

Page 48:

SYN Floods (Phrack 48, no. 13, 1996)

  OS              Backlog queue size
  Linux 1.2.x     10
  FreeBSD 2.1.5   128
  WinNT 4.0       6

Backlog timeout: 3 minutes

⇒ Attacker need only send 128 SYN packets every 3 minutes.

⇒ Low rate SYN flood

Page 49:

Low rate SYN flood defenses

• Non-solution:
  – Increase backlog queue size or decrease timeout (the attacker just scales up its rate)

• Correct solution (when under attack):
  – SYN cookies: remove the per-connection state from the server until the handshake completes
  – Small performance overhead

Page 50:

Backscatter analysis

• Internet telescope/backscatter measurement

• By monitoring an unused portion of the address space, it is possible to see evidence of backscatter and infer the type/number of DDoS attacks

• Does this work with botnet-based attacks? Only if the bots spoof their source addresses; a botnet that sends from its real addresses produces no backscatter

[Figure (example: SYN flood): the attacker sends a SYN with spoofed source IP = A to the victim; the victim's SYN-ACK goes to IP = A, which lies in the network "telescope", e.g. an empty /8]

Page 51:

Calculating attack rate from backscatter

• An attack of $m$ packets with uniformly random spoofed sources, observed from $n$ monitored addresses out of $2^{32}$ total IPv4 addresses
• Expected backscatter seen by the telescope: $E[\text{observed}] = m \cdot \dfrac{n}{2^{32}}$, so the attack size is estimated as $\hat{m} = \text{observed} \cdot \dfrac{2^{32}}{n}$
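The estimate above applied to a capture, as an added example that is not part of the original lecture. The telescope prefix and the packet trace are constructed (a /10, so n = 2^22, with one flooded victim and one unrelated scanner); the code separates replies, which are backscatter, from SYNs that merely hit the telescope, which are scans, and scales the per-victim counts by 2^32 / n.

```python
"""Estimate SYN-flood size from backscatter arriving at a network telescope."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

IPV4_SPACE = 2 ** 32


class Pkt(NamedTuple):
    ts: float
    src: str
    dst: str
    flags: str      # "S" = SYN, "SA" = SYN-ACK, "R" = RST


# Constructed telescope: a /10 (n = 2^22 addresses); the slide's example is an empty /8
TELESCOPE = "100.64.0.0/10"

# Constructed capture: 21 unsolicited SYN-ACKs from one victim (one per second) plus a scanner's SYNs
PACKETS: List[Pkt] = (
    [Pkt(float(i), "203.0.113.5", f"100.64.{i}.1", "SA") for i in range(21)]
    + [Pkt(float(i) + 0.5, "198.51.100.7", f"100.64.{i}.2", "S") for i in range(5)]
)


def backscatter_estimates(pkts: Iterable[Pkt], telescope: str = TELESCOPE) -> Dict[str, dict]:
    """Group replies (SYN-ACK/RST) by source, i.e. by flooded victim; scale counts by 2^32 / n."""
    net = ipaddress.ip_network(telescope)
    n = net.num_addresses
    seen: Dict[str, List[float]] = defaultdict(list)
    for p in pkts:
        # Only responses are backscatter; SYNs hitting the telescope are scans, not evidence of a flood
        if p.flags in ("SA", "R") and ipaddress.ip_address(p.dst) in net:
            seen[p.src].append(p.ts)
    out = {}
    for victim, ts in seen.items():
        duration = max(max(ts) - min(ts), 1.0)            # seconds spanned by what we saw
        est_packets = len(ts) * IPV4_SPACE / n            # m ≈ observed · 2^32 / n
        out[victim] = {"observed": len(ts), "est_attack_packets": est_packets,
                       "est_pps": est_packets / duration}
    return out


if __name__ == "__main__":
    for victim, info in backscatter_estimates(PACKETS).items():
        print(victim, info)
```

With n = 2^22 each observed reply stands for 1024 attack packets, so 21 replies over 20 seconds imply roughly 21,500 SYNs, about 1,075 per second. The estimate assumes the spoofed sources are uniform over the whole address space; an attacker who excludes unallocated or telescope ranges from its spoofing, or a botnet that does not spoof at all, is invisible to this method.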

Page 52:

DNS DoS attacks (e.g., Blue Security '06)

• DNS runs on UDP port 53
  – DNS entry for victim.com hosted at victim_isp.com

• DDoS attack:
  – Flood victim_isp.com with requests for victim.com
  – Random source IP address in the UDP packets

• Takes out the entire DNS server (collateral damage)
  – Blue Security's DNS was hosted on a Tucows DNS server
  – The DNS DDoS took out Tucows, which hosted many other sites

Page 53:

Root level DNS attacks

• Feb. 6, 2007:
  – Botnet attack on the 13 Internet DNS root servers
  – Lasted 2.5 hours
  – None crashed, but two performed badly:
    • g-root (DoD), l-root (ICANN)
    • Most other root servers use anycast, which spread the load across many sites

• An attack in Oct. 2002 took out 9 of the 13 root servers

Page 54:

DoS at higher layers

• SSL/TLS handshake [SD '03]
  – RSA encryption (done by the client) is roughly 10× faster than RSA decryption (done by the server)
  ⇒ a single machine can bring down ten web servers

• Similar problem with application DoS:
  – Send an HTTP request for some large PDF file
  ⇒ easy work for the client, hard work for the server

[Figure: Client Hello → web server; Server Hello (pub-key) ← web server; Client key exchange: the client RSA-encrypts the premaster secret and the server must RSA-decrypt it]

Page 55:

Evolution of (D)DoS in history (over time)

– Point-to-point DoS attacks: TCP SYN floods, Ping of death, etc.
– Smurf (reflection) attacks
– Coordinated DoS
– Multi-stage DDoS
– P2P botnets
– Novel amplification attacks (return of the Smurf)

Page 56:

Smurf attacks

1. Attacker spoofs the victim's IP address
2. Attacker sends error-generating packets to reflectors
3. Reflectors all report errors to the victim
4. Victim is killed by error messages

(more on this in the next lecture; a special case of "reflection attacks")

[Figure: attacker's machine → reflectors (amplifiers) → victim]

Page 57:

Coordinated DoS

• Simple extension of DoS

• Coordination between multiple parties
  – Can be done out of band: IRC channels, email, ...

[Figure: several attackers' machines → victims]

Page 58:

Typical DDoS setup circa 2005

[Figure: attacker's machine → masters (handlers) → slaves (agents) → victim]

Page 59:

Typical DDoS setup circa 2005

[Figure: attacker's machine → masters (handlers) → slaves (agents) → victim; the three phases are infection/recruitment, command & control, and assault]

Page 60:

Modern botnet setup

[Figure: several attackers issue commands into a peer-to-peer network of zombies; the phases are peer-to-peer communication, command & control, and assault on the victim]

Page 61:

DDoS Defense Taxonomy

• Location
  – Host vs network vs protocol

• Response timescale
  – Preventive vs reactive

• Response action
  – E.g., filter, rate limit, multiply (add capacity), bug fix/patch

Page 62:

SYN cookies [Bernstein, Schenk]

• Idea: use a secret key and data in the packet to generate the server's sequence number, so the server stores nothing for half-open connections

• The server responds to the client with a SYN-ACK whose sequence number is a cookie:
  – $T$ = 5-bit counter incremented every 64 secs
  – $L = \text{MAC}_{key}(\text{SAddr}, \text{SPort}, \text{DAddr}, \text{DPort}, SN_C, T)$, truncated to 24 bits
    • $key$: picked at random during boot
  – $SN_S = T \,\|\, mss \,\|\, L$ (5 + 3 + 24 = 32 bits; $mss$ is a 3-bit index into a small table of MSS values)
  – The server does not save state (other TCP options are lost)

• An honest client responds with an ACK ($AN = SN_S + 1$, $SN = SN_C + 1$)
  – The server recomputes the MAC and allocates space for the socket only if $SN_S$ is valid
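The cookie construction on this slide written out end to end, as an added example that is not part of the original lecture or of any kernel's implementation. The MAC is HMAC-SHA-256 truncated to 24 bits (the slide does not name one), the MSS table is a constructed stand-in for the kernel's, and the acceptance window of the current plus the previous 64-second counter value is an assumption.

```python
"""SYN-cookie generation and verification following the slide's layout: SN_S = T || mss || L."""
import hashlib
import hmac
import os

# 3-bit index into the MSS values we are willing to remember (the only option that survives)
MSS_TABLE = [536, 1220, 1440, 1460, 4312, 8960, 9000, 65495]   # constructed table
KEY = os.urandom(16)          # picked at random at boot; never leaves the server


def counter(now: float) -> int:
    """5-bit counter T that ticks every 64 seconds."""
    return (int(now) // 64) & 0x1F


def mac24(saddr: str, sport: int, daddr: str, dport: int, sn_c: int, t: int) -> int:
    """L = MAC_key(SAddr, SPort, DAddr, DPort, SN_C, T), truncated to 24 bits."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{sn_c}|{t}".encode()
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr: str, sport: int, daddr: str, dport: int,
                sn_c: int, mss: int, now: float) -> int:
    """Server ISN to put in the SYN-ACK; nothing is stored for this half-open connection."""
    t = counter(now)
    fits = [i for i, v in enumerate(MSS_TABLE) if v <= mss]     # round the client's MSS down
    mss_idx = fits[-1] if fits else 0
    return (t << 27) | (mss_idx << 24) | mac24(saddr, sport, daddr, dport, sn_c, t)


def check_cookie(saddr: str, sport: int, daddr: str, dport: int,
                 client_seq: int, ack_num: int, now: float):
    """Validate the client's ACK; return the negotiated MSS, or None if the cookie is bad."""
    sn_c = (client_seq - 1) & 0xFFFFFFFF     # client's ACK carries SN = SN_C + 1
    sn_s = (ack_num - 1) & 0xFFFFFFFF        # and AN = SN_S + 1
    t = sn_s >> 27
    if (counter(now) - t) & 0x1F > 1:        # accept current and previous 64 s window only
        return None
    if (sn_s & 0xFFFFFF) != mac24(saddr, sport, daddr, dport, sn_c, t):
        return None                          # forged or replayed from another 4-tuple
    return MSS_TABLE[(sn_s >> 24) & 0x7]


if __name__ == "__main__":
    now = 1_000_000.0
    isn = make_cookie("198.51.100.1", 40000, "203.0.113.1", 80, 12345, 1460, now)
    print(hex(isn), check_cookie("198.51.100.1", 40000, "203.0.113.1", 80, 12346, isn + 1, now + 30))
```

A flood of SYNs now costs the server one HMAC per SYN and no memory; the price is the loss of options not encoded in the 3 MSS bits (window scaling, SACK), which is why kernels enable cookies only once the backlog is full rather than all the time.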

Page 63:

DNS DoS solutions

• Generic DDoS solutions:
  – Later on. Require major changes to DNS.

• DoS-resistant DNS design:
  – CoDoNS [Sirer '04]: Cooperative Domain Name System
  – P2P design for the DNS system:
    • DNS nodes share the load
    • Simple update of DNS entries
    • Backwards compatible with existing DNS

Page 64:

Client puzzles

• Idea: slow down the attacker

• Moderately hard problem:
  – Given challenge $C$, find $X$ such that $\text{LSB}_n(\text{SHA-1}(C \,\|\, X)) = 0^n$
  – Assumption: takes expected $2^n$ hash evaluations to solve
  – For $n = 16$ this takes about 0.3 sec on a 1 GHz machine
  – Main point: checking a puzzle solution is easy (one hash)

• During a DoS attack:
  – Everyone must submit a puzzle solution with their requests
  – When there is no attack: do not require a puzzle solution

Page 65:

Examples

• TCP connection floods (RSA '99)
  – Example challenge: C = TCP server sequence number
  – First data packet must contain the puzzle solution
    • Otherwise the TCP connection is closed

• SSL handshake DoS (SD '03)
  – Challenge C based on the TLS session ID
  – Server: check the puzzle solution before the RSA decrypt

• Same for application layer DoS and payment DoS
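The puzzle from the two preceding slides, as an added example that is not part of the original lecture. It keeps the slide's SHA-1 and LSB_n condition; deriving the challenge C from a per-server secret and the session identifier (the TCP ISN or TLS session ID of the examples) is an assumption that lets the server verify without storing a challenge per client, and the difficulty n = 12 is chosen so the brute force runs in a fraction of a second.

```python
"""Client puzzles: challenge bound to the session, solved by brute force, checked in one hash."""
import hashlib
import hmac
import os
from typing import Optional

SERVER_SECRET = os.urandom(16)     # lets the server regenerate C instead of storing it per client


def challenge(session_id: bytes, n: int) -> bytes:
    """C is bound to the session (the slide's TCP ISN / TLS session ID) and to the difficulty n."""
    return hmac.new(SERVER_SECRET, session_id + bytes([n]), hashlib.sha256).digest()


def low_bits_zero(digest: bytes, n: int) -> bool:
    """LSB_n(digest) == 0^n."""
    return int.from_bytes(digest, "big") & ((1 << n) - 1) == 0


def solve(c: bytes, n: int) -> int:
    """Client side: expected 2^n SHA-1 evaluations. Returns the smallest X that works."""
    x = 0
    while not low_bits_zero(hashlib.sha1(c + x.to_bytes(8, "big")).digest(), n):
        x += 1
    return x


def verify(session_id: bytes, n: int, x: int) -> bool:
    """Server side: one HMAC to rebuild C and one SHA-1 to check, whatever n is."""
    c = challenge(session_id, n)
    return low_bits_zero(hashlib.sha1(c + x.to_bytes(8, "big")).digest(), n)


def handle_request(session_id: bytes, under_attack: bool, n: int = 12,
                   x: Optional[int] = None) -> str:
    """Gate the expensive step (RSA decrypt, large file) behind the puzzle only while under attack."""
    if under_attack and (x is None or not verify(session_id, n, x)):
        return "rejected: puzzle required"
    return "served"        # the expensive work would happen here


if __name__ == "__main__":
    sid = b"tls-session-0001"
    x = solve(challenge(sid, 12), 12)
    print("solution", x, "accepted:", handle_request(sid, True, 12, x))
```

The asymmetry is the point: the client burns about 2^n hashes per request while the server spends two, so the attacker's per-request cost rises with n and the server's does not. Binding C to the session stops a solution from being replayed against other connections, and since verification is stateless a flood of bogus solutions costs the server no more than the flood itself.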

Page 66:

CAPTCHAs

• Idea: verify that the connection is from a human

• Applies to application layer DDoS [Killbots '05]
  – During an attack: generate CAPTCHAs and process a request only if it carries a valid solution
  – Present one CAPTCHA per source IP address

Page 67:

Content Distribution Networks (CDNs)

• A CDN company installs hundreds of CDN servers throughout the Internet
• Customers' content is replicated from the origin server

[Figure: origin server in North America; CDN distribution node; CDN servers in S. America, Europe and Asia]

• How can this help against DDoS?
  – Legitimate requests can still go through
  – The attack scale required is much higher

Page 68:

What do net operators do?

• Best common operational practices:
  – http://nabcop.org/index.php/DDoS-DoS-attack-BCOP

• Often, blackholing malicious-looking IPs and rerouting to custom "scrubbers"

Page 69:

Take home message:

• Denial of Service attacks are real. They must be considered at design time.

• Sad truth:
  – The current Internet is ill-equipped to handle DDoS attacks

• Many good proposals for redesign
  – But the threat still remains

Page 70:

Questions?

Page 71:

END

Page 72:

Thought