Presentation on theme: "Denial of Service (DoS) By Vijay C Uyyuru, Prateek Arora, & Terry Griffin."— Presentation transcript:
Denial of Service (DoS) By Vijay C Uyyuru, Prateek Arora, & Terry Griffin
Overview Introduction Background Benchmarks and Metrics Requirements Summary of Methods Conclusion Vijay C Uyyuru Prateek Arora Terry Griffin
What is denial of service attack? When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like and the Internet. An attack can be directed at an operating system or at the network.
Denial of Service DoS Bad guy Victim Compromised host Third parties
What is distributed denial of service? A distributed denial of service (DDoS) attack is accomplished by using the Internet to break into computers and using them to attack a network. Hundreds or thousands of computer systems across the Internet can be turned into “zombies” and used to attack another system or website.
Distributed Denial of Service DDoS Bad guy Master agent Victim (s) Slave agents (zombies, bots) Third parties Owned host
Brief history and trends DoS attacks started at around early ’90s. At the first stage they were quite "primitive", involving only one attacker exploiting maximum bandwidth from the victim, denying others the ability to be served. This was done mainly by using simple methods of ping floods, SYN floods and UDP floods. These attacks had to be "manually" synchronized by a lot of attackers in order to cause an effective damage.
Brief history and trends The shift to automating this synchronization, coordination and generating a parallel massive attack became public in 1997, with the release of the first publicly available DDoS attacks tool, Trinoo. In the following years, few more tools were published – TFN (tribe flood network), TFN2K, and Stacheldraht ("Barbed wire" in German).
Massive attack on public sites
The subject came to public awareness only after a massive attack on public sites on February During a period of three days the sites of Yahoo.com, amazon.com, buy.com, cnn.com & eBay.com were under attack. Analysts estimated that Yahoo! Lost $500,000 in e-commerce and advertising revenue when it was knocked offline for three hours.
Interesting Facts It turned out that about fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in these DoS attacks. A study during a period of three weeks in February 2001 showed that there were about 4000 DoS attacks each week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts.
Other major attack May hackers overloaded Weather.com routers and those of its Web hosting company with bogus traffic. To counter the attack, weather.com moved to another dedicated router and installed filtering software to protect switches and servers, as well as intrusion detection software to record all ongoing activity. It took the company 7 hours to bring the site back up.
How does an attack work? One way to attack a company’s network or website is to flood its systems with information. Web and servers can only handle a finite amount of traffic and an attacker overloads the targeted system with packets of data.
Impact Denial-of service attacks can essentially disable the computer or the network. Depending on the nature of the enterprise, this can disable your organization. Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an “asymmetric attack”. For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or network.
Dollar amount of losses by type!
Attack classification DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to cause the target to use more resources processing traffic than the attacker does sending the traffic. Another method is to control multiple attackers. Therefore DoS attacks can be classified into three categories 1.Bandwidth/Throughput Attacks 2.Protocol Attacks 3.Software Vulnerability Attacks
Ping Flood Attack An attempt by an attacker on a high bandwidth connection to saturate a network with ICMP echo request packets in order to slow or stop legitimate traffic going through the network.
SYN Flood Attack
DDoS Attack The idea behind this attack is focusing Internet connection bandwidth of many machines upon one or a few machines. This way it is possible to use a large array of smaller (or “weaker”) widely distributed computers to create the big flood effect.
UDP Flood Attacks UDP protocol is a connectionless unreliable protocol which doesn't require session negotiation between client and server application. UDP provides easy to use interface for producing large quantity of packets. A common attack which exploits UDP simply floods the network with UDP packets destined to a victim's host. Due to the relative simplicity of this protocol an attacker can produce large bandwidth capacity with relatively small effort.
Protocol Attacks Smurf Attack DNS name server Attack
Smurf Attack In this attack, spoofed IP packets containing ICMP Echo-Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network. Sending a ICMP Echo Request to a broadcast address triggers all hosts included in the network to respond with an ICMP response packet, thus creating a large mass of packets which are routed to the victim's spoofed address.
Smurf Attack (contd.)
DNS name server Attack The most common method seen involves an intruder sending a large number of UDP-based DNS requests to a Nameserver using a spoofed source IP address. Any Nameserver response is sent back to the spoofed IP address as the destination. In this scenario, the spoofed IP address represents the victim of the denial of service attack. The Nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses.
DNS name server Attack (contd.)
Software Vulnerability Attacks Land Attack Ping of Death Attack Fragmentation Attack and Teardrop Attack
Land Attack In this attack, an attacker sends spoofed TCP SYN packets, with the same source and destination addresses as the victim's host address. In some TCP/IP stack implementations those kinds of packets may cause the victim's host to crash. Any remote user that can send spoofed packets to a host can crash or "hang" that host. Possible solution for this attack is to block IP-spoofed packets. Attacks like those of the Land tool rely on the use of forged packets, that is, packets where the attacker deliberately falsifies the origin address. With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the likelihood of your site's networks being used to initiate forged packets by filtering outgoing packets that have a source address different from that of your internal network.
Land Attack (contd.) In cases where the victim's host is a router, this attack may result in a routing loop consuming large quantities of bandwidth (unless filtered in advance). One of the variations of this attack targets a certain TCP service provided by the victim. In this case the attacker uses the same source and destination ports which used by the victim's service. This may consume the victim's host CPU resources.
Land Attack (contd.) Here DUT is the Device Under Test
Ping of Death Attack Ping of Death is an attempt by an attacker to crash, reboot or freeze a system by sending an illegal ICMP (over IP) packet to the host under attack. The TCP/IP specification allows for a maximum packet size of up to octets. In some TCP stack implementation encountering packets of greater size may cause the victim's host to crash.
Ping of Death Attack (contd.) Most implementations of the ICMP protocol use packet header size of 8 octets but allow the user to specify larger packet header sizes. In the attack, the ICMP packet is sent in the form of a fragmented message which, when reassembled is larger than the maximum legal IP packet size.
Ping of Death Attack (contd.)
Teardrop Attack A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host which can cause a buffer overflow and possible system crash on many operating systems. Teardrop attacks target a vulnerability in the way fragmented IP packets are reassembled. Fragmentation is necessary when IP Datagrams are larger than the maximum transmission unit (MTU) of a network segment across which the Datagrams must traverse. In order to successfully reassemble packets at the receiving end, the IP header for each fragment includes an offset to identify the fragment's position in the original un-fragmented packet. In a Teardrop attack, packet fragments are deliberately fabricated with overlapping offset fields causing the host to hang or crash when it tries to reassemble them.
Teardrop Attack (contd.) In the following figure, a source test port simulates a Teardrop attack by sending one, and then many IP packet fragments with overlapping Fragment Offset fields. This attack traffic is first sent to the Device Under Test (DUT) interface connected to the source test port and then to the DUT's loopback address. The DUT's ability to drop this attack traffic is verified. Finally, normal background traffic is sent at the same time as attack traffic, so the DUT's performance during a Teardrop attack can be measured.
Frequency & Scope How prevalent are denial-of-service attacks in the Internet today? Researchers at the Cooperative Association for Internet Data Analysis (CAIDA) address this question in their paper, “Inferring Internet Denial-of-Service Activity”. Using a technique called backscatter analysis, the researchers monitored unsolicited traffic to unpopulated address space. Their theory is that DoS traffic that uses random spoofed source addresses will generate some response traffic to the entire Internet address space, including unpopulated space.
Frequency & Scope (contd.) Their results in February’ 2001 were that using backscatter analysis, they observed 12,805 attacks on over 5,000 distinct Internet hosts belonging to more than 2,000 distinct organizations during a three-week period. In addition, CAIDA reports that 90% of attacks last for one hour or less; 90% are TCP based attacks, and around 40% reach rates of 500 Packets Per Second (PPS) or greater. Analyzed attacks peaked at around 500,000 PPS. Other anecdotal sources report larger attacks consuming 35 megabits per second (Mbps) for periods of around 72 hours, with high-volume attacks reaching 800 Mbps.
Damage & Costs Hidden Costs: There may be hidden costs associated with denial- of-service attacks. For example, the direct target of a DoS attack may not be the only victim. An attack against one site may affect network resources that serve multiple sites. Bandwidth wastage: Resources we share with other parties (upstream bandwidth) may be consumed by an attack on someone else—another customer of our Internet service provider is attacked, so our upstream connections and routers are not as available to handle our legitimate traffic. Thus, even when we are not the target of an attack, we might experience increased network latency and packet loss, or possibly a complete outage.
Damage & Costs (contd.) Logging costs: We may have additional costs because of the need to size notification resources (such as logs, mail spools, and paging services) to absorb attack- related events. Logging systems need to cope with significant deviations in the amount of data logged during attacks. Extra network channels: Ideally, logging systems should use an out-of-band channel so that logging traffic does not add to the volume of DoS traffic that may be passed to the internal network. Centralized logging systems, considered a best security practice, may be stressed by receiving log data from multiple locations. Mail queues may fill up during a prolonged outage.
Damage & Costs (contd.) Insurance & Bandwidth cost: Network traffic generated by the attack can result in incremental bandwidth costs—when we pay per byte, we also pay for the increased traffic caused by the attack. In addition, our upstream Internet provider might or might not be amenable to waiving penalty charges caused by flood traffic. Other issues that create hidden costs are insurance or legal fees or possible third-party liability resulting from our involvement in an attack.
How to handle DoS Protecting – Among the aspects of protecting our systems and our business, are looking at network design, discussing our agreement with your ISP, putting detection mechanisms and a response plan in place, and perhaps taking out an insurance policy. Proper preparation is essential for effective detection and reaction. Unfortunately, some sites begin their cycle with detection and reaction, triggering preparation steps after a “lessons learned” experience. Detecting – Our ability to detect attacks directly affects our ability to react appropriately and to limit damages. Among the approaches we can take are instituting procedures for analyzing logs and using automated intrusion detection systems. Reacting – Reaction steps, hopefully put in place as part of preparing for an attack, include following our response plan, implementing specific steps based on the type of attack, calling our ISP, enabling backup links, moving content, and more. Technical steps include traffic limiting, blocking, and filtering.
Real world targets and metrics Following are few real world examples of various targets of DOS attacks: A worm called MyDoom started propagating which had a real target in mind - It was engineered to launch a Denial Of Service (DOS) attack against SCO starting on February 1. Damage and total cost estimates from MyDoom are still in progress, but CEI now estimates the total may exceed $ 4 billion, making it one of the most costly cyber attacks on record. In January 2001 a series of DoS attacks overwhelmed the multicast infrastructure with an unusually large number of Source Active messages. An Internet worm, called the Ramen Worm, triggered these attacks with the simple attack mechanism.
Summary Flood Attacks TCP SYN Flood Attack Smurf IP Attack UDP Flood Attack ICMP Flood Attack
Summary TCP SYN Flood Attack Graphic: Taking advantage of the flaw of TCP three-way handshaking behavior, an attacker makes connection requests aimed at the victim server with packets with unreachable source addresses. The server is not able to complete the connection requests and, as a result, the victim wastes all of its network resources. A relatively small flood of bogus packets will tie up memory, CPU, and applications, resulting in shutting down a server.
Summary Smurf IP Attack An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.
Summary UDP Flood Attack UDP is a connectionless protocol and it does not require any connection setup procedure to transfer data. A UDP Flood Attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application that is waiting on the port, it will generate an ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on victim, the system will go down.
Summary ICMP Flood Attack An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. icmp
Summary Ping of DeathTeardropLandEcho/Chargen Logic / Software Attacks
Summary Ping of Death An attacker sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to victim. Since the received ICMP echo request packet is bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may be crashed or rebooted as a result. Expected Packet Size Actual Packet Size
Summary Teardrop An attacker sends two fragments that cannot be reassembled properly by manipulating the offset value of packet and cause reboot or halt of victim system. Many other variants such as targa, SYNdrop, Boink, Nestea Bonk, TearDrop2 and NewTear are available.
Summary Land An attacker sends a forged packet with the same source and destination IP address. The victim system will be confused and crashed or rebooted
Summary Echo/Chargen The character generator (CharGen) service is designed is primarily used for testing purposes. Remote users/intruders can abuse this service by exhausting system resources. Spoofed network sessions that appear to come from that local system's echo service can be pointed at the CharGen service to form a "loop." This session will cause huge amounts of data to be passed in an endless loop that causes heavy load to the system. When this spoofed session is pointed at a remote system's echo service, this denial of service attack will cause heavy network traffic/overhead that considerably slows your network down.
Conclusion / Question What makes DoS attacks possible?
middle is passive (packet forwarding) sender and receiver to all the work end-to-end paradigm
Keeping your machine secure may not be enough Your security relies too much on other machines on the net What makes DoS attacks possible? Internet security is highly interdependent.
Each Internet entity (host, network, service) has limited resources that can be consumed by too many users. What makes DoS attacks possible? Internet resources are limited.
Intelligence mostly in the hosts middle mostly worried about high throughput, not decision making (like filtering) What makes DoS attacks possible? Intelligence and resources are not collocated
IP spoofing gives attackers a powerful mechanism to escape accountability What makes DoS attacks possible? Accountability is not enforced.
Internet management is distributed each network is run according to local policies no way to enforce global deployment of a particular security mechanism or security policy often impossible to investigate cross-network traffic behavior What makes DoS attacks possible? Control is distributed.
Dos Defense How do we defend against a Dos attack??
The IP address space can be divided into a set of client addresses and a set of server addresses. allow clients to initiate connections to servers, but not vice versa nor servers to initiate connections to servers. Dos Defense Separate Client and Server Addresses
Dos Defense –path based addressing Nonglobal Client Addresses
–Using path-based client addresses severely restricts source-address spoofing by a client, but it does not restrict spoofing by servers. –Reverse Path Forwarding largely prevents a server from spoofing the address of a server in a different domain. Dos Defense RPF Checking of Server Addresses
simple special-purpose high-speed firewalls being deployed in the core of the Internet at inter-domain boundaries to serve as a filter of sorts Gives Upstream access control to a server under stress Dos Defense Middlewalls
Susceptibility to attacks could be alleviated with better Internet Architectures (goal of class). Don’t leave all the decision making to the machines on either end of a connection Provide ‘intelligent’ support along the path ( e.g. No Blind forwarding of packets ) Create “Hardened” networks Conclusion
References rbage%20Collection%20Dependable.pdfhttp://www.itoc.usma.edu/workshop/2005/Papers/Follow%20ups/Making%20Ga rbage%20Collection%20Dependable.pdf 03b.ps.gzwww.caida.org/tools/measurement/Mantra/mantra-publications/INFOCOM- 03b.ps.gz A taxonomy of DDoS attack and DDoS defense mechanisms advanced.comms.agilent.com