Distributed Denial of Service Attacks (DDoS) Christos Papadopoulos
Some Common Dos Attacks Smurf SYN flood UDP floods
Smurf Attack attacker target broadcast echo request source address is spoofed to be target’s address many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast amplifier network
TCP SYN Flooding A potentially more powerful attack client (port = 33623/tcp) server (port = 23/tcp) SYN SYN - ACK ACK [session proceeds] [ACK set for remainder of session] target (port = 23/tcp) SPOOFED SYN SYN - ACK FINAL ACK NEVER SENT nonexistent host
Protection against SYN Attacks SYN cookies: (D.J. Bernstein and Eric Schenk) avoid half- open TCP connections. Server responds to TCP SYN request with a cookie by SYN- ACK with: sqn =f (src addr, src port, dest addr, dst port, secret seed) Server releases all state. If an ACK comes from the client, server checks if it’s a response to former SYN-ACK. If yes, the server enters the TCP_ESTABLISHED state.
SYN Cookie Exchange SYN cookies firewall SYN cookies firewall adds a firewall feature in Linux. client firewall server 1. SYN 2. SYN-ACK(cookie) 3. ACK 4. SYN 5. SYN-ACK 6. ACK 7. relay the connection Under attack, step 3 will never occur.
What Is a Firewall? An access control device that performs perimeter security by deciding which packets are allowed or denied into or out of a network. May be a hardware device or a software program running on a secure host computer. Sits at a junction point or gateway between two networks (e.g., public internet and private intranet).
Why a Firewall? Analogy: a firewall keeps a fire from spreading from one part of the building to another. Prevents the dangers of the Internet from spreading to your internal network. Restricts packets to entering at a carefully controlled point. Prevents attackers from getting close to your other defenses.. Restricts packets to leaving at a carefully controlled point.
What Does a Firewall Do? A firewall is an aggregation point for security decisions. A firewall can enforce security policy. A firewall can log Internet activity efficiently. A firewall protects the network as a resource. A firewall limits your exposure. A firewall can provide protection for vulnerable services.
What Does a Firewall Not Do? A firewall can’t protect you against: malicious insiders careless employees connections that don’t go through it viruses and trojans, data-driven attacks illicit rendezvous (unauthorized tunneled connections) completely new threats Additional security measures must be incorporated along with the firewall. (Physical security, host security, user education)
Caveats Firewall technology can provide a false sense of security. May lead to lax security within the firewall perimeter. Analogy: firewalls provide “a hard, crunchy outside with a soft chewy center.” A misconfigured firewall is ineffective. Firewalls must be maintained and updated daily. Audit logs must be actively monitored.
What Is DDoS Distributed Denial of Service New, more pernicious type of attack Many hosts “gang” up to attack another host Network resource attack: Bandwidth State
Why Should We Care Successfully used to attack prominent sites in the Internet by those with a primitive understanding of internet protocols It is relatively easy to do, but hard to detect and stop It is only going to get worse unless we develop adequate protection mechanisms
Anatomy of an Attack Compromise a large set of machines Install attack tools Instruct all attack machines to initiate attack against a victim Process highly automated
Phase 1: Compromise A (stolen) account is used as repository for attack tools. A scan is performed to identify potential victims. A script is used to compromise the victims.
Phase 2: Install Attack Tools An automated installation script is then run on the “ owned ” systems to download and install the attack tool(s) from the repository. Optionally, a “ root kit ” is installed on the compromised systems.
Phase 3: Launch attack Launch a coordinated DDoS from different sites against a single victim. Network pipes of attackers can be small, but aggregated bw is far larger than victim’s pipe. Victim’s ISP may not notice elevated traffic. DDoS attacks are harder to track than a DoS.
Distributed SYN attack. Attacker connects to port 27665 on master machines using telnet. Master relays the commands to the daemons using UDP port 27444. Daemons carry out commands and respond on UDP port 31335. Trin00
General design similar to trin00. Capable of number of attacks such as ICMP flood, SYN flood, UDP flood and SMURF style attacks. Communication between clients and daemons is done via ICMP echo replies. Commands are hidden inside id field of ICMP packet. Traffic looks identical to the standard ping and hence impossible to block at a firewall without blocking outgoing pings. Absence of TCP and UDP traffic makes these packets difficult to detect. TFN
TFN2K communicates via TCP,UDP (random ports), ICMP Echo replies or all three at random. Daemon never responds to the master. The Master sends all commands twenty times for reliability. TFN2K sends out decoy packets to random machines to make it unclear, which machines are clients. All commands are encrypted via a compile time password. TFN2k daemons can randomly alternate different types of attacks. TFN2K
Combines features of the trin00 with those of TFN. Adds encryption of communication between the attacker and masters and automated update of agents. Communication between attacker and masters take place on tcp port 16660. Daemons receive commands from masters through ICMP echo replies (using data part of packet). Possible attacks are ICMP flood, UDP flood, SYN flood and SMURF attack. Stacheldraht
#./ client 192.168.0.1 [*] stacheldraht [*] (c) in 1999 by... trying to connect... connection established. -------------------------------------- enter the passphrase : sicken -------------------------------------- entering interactive session. ****************************** welcome to stacheldraht ****************************** type.help if you are lame stacheldraht( status: a!1 d!0)>
stacheldraht(status: a!1 d!0)>.help available commands in this version are: --------------------------------------------------.mtimer.mudp.micmp.msyn.msort.mping.madd.mlist.msadd.msrem.distro.help.setusize.setisize.mdie.sprange.mstop.killall.showdead.showalive -------------------------------------------------- stacheldraht(status: a!1 d!0)>
Some Commands --------.distro user server Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon").madd ip1[:ip2[:ipN]] Add IP addresses to list of attack victims..madd ip1[:ip2[:ipN]] Add IP addresses to list of attack victims..mdie Sends die request to all agents.
Spoof Testing The agent performs a test to find whether the system provides for spoofing or not. The agent sends out an ICMP packet with ID 666 and IP address 126.96.36.199. The IP address of the compromised machine - embedded in the data field. Handler gets the IP address of the agent and replies back with the ID 1000 and data field containing “spoofworks” and sets the spoof level to 0; Else it sets the spoof level to 3 suggesting that only last octet can be spoofed.
Defending Against DDoS Prevent compromise of machines with Intrusion Detection Systems (IDS) Trace back to the attacker Develop automated network defense mechanisms
Why Traceback Is Hard IP source address is spoofed: Form IP packets with forged source address. Send them using a socket of type SOCK_RAW. Requires root privilege.
Avoiding Spoofed Packets Ingress filtering Prohibits an attacker from forging an IP address At first hop router do If packet’s src IP address is within the predefined range Thenforward packet Else drop packet (-) Mobile hosts uses home network address in mobile IP
Logging (Audit Trailing ) Record packets at predetermined routers and use data-mining techniques to construct path traversed by the packet (+) Easy (+) Permits post-mortem analysis (-) Requires large amount of disk and computing resources (-) Requires Maps for reconstruction (-) Manual, Time – consuming
Link Testing Involves interactively testing the upstream links starting from the victim to determine the links used to carry the attacker’s traffic Two techniques :- Input debugging Controlled flooding
Link Testing (Input Debugging) Determine the attack signature. Filter packets at egress port and determine at which ingress port they arrived. Perform iteratively at all upstream routers till the source(s) are found. (-) Relies heavily on manual intervention and extremely slow. (-) Requires inter-ISP co-operation.
Link Testing (Controlled Flooding) Flood links with large amounts of UDP traffic (UDP- chargen). Observe changes in traffic pattern. Reconstruct path to attacker recursively. Victim R1R1 R3R3 R4R4 R2R2 R5R5 A B Attacker UDP chargen request chargen reply attack packets
Link Testing (Controlled Flooding) (+) Effective (-) Requires information about the internet topology (-) Inherently noisy (-) Difficult to discern the set of paths incase of DDoS attacks (-) DoS attack by itself (-) Requires co-operation from upstream routers
Node Append Record the route in the packet as it traverses the routers Each router appends its IP address to the end of the packet (+) Easy to implement (+) Single packet required to find attack path (-) Increases the packet size (4 bytes/hop) (-) Processing overhead (-) Fragmentation
Node Sampling Each router inserts its IP address in a static field with a probability p p(1 – p) d-1 is the probability of receiving a packet from a router at a distance d Reconstruction Algorithm : Rank each router by the number of samples received Reconstruct path using ranks (-) Need more than 42,000 samples for d=15 and p=0.51 before a single packet from the first hop router
CenterTrack IP Tunnels v a Create an overlay network using IP tunnels Tunnels are created between edge and transit routers Based on attack signature perform logging and/or corrective action in the overlay network
CenterTrack (Cont…) (+) Eliminates need for transit router input debugging (+) Required features available (+) Is not too expensive (+) Scales well (-) Still requires input debugging at edge (-) Changes route. (Attackers might notice.)
Edge Sampling Three fields :- Two IP’s (start and end of edge) Distance When a router decides to mark, it makes the distance field 0 Next router either rewrites and makes distance 0 or fills in remaining (end IP) information and increments distance Other routers increment distance field or start afresh p < 1
Edge Sampling Algorithm At router R for each packet pkt u [0, 1) if u > p pkt.distance 0 pkt.startIP R.IP else if (pkt.distance == 0) pkt.endIP R.IP pkt.distance pkt.distance + 1
ICMP Traceback Concept :- Generate packets with a probability p at intermediate routers destined for the victim Routers encode partial path information in packet Victim can reconstruct the attack path with sufficient number of trace packets
Create a new type of ICMP messages called ICMP Traceback (in IETF standards process). Packet size limited to 576 bytes. Traceback messages generated with probability of 1/20,000. Initial TTL of the new IP packet MUST be 255. ICMP Traceback
Cossack Overview Distributed set of watchdogs monitor the network Localized IDS for blind detection Topology information to pre-filter target Group communication for robustness Distributed coordination No centralized controller Attack-driven dynamic grouping of watchdogs Consult with other watchdogs to correlate attacks Selectively deploy countermeasures to suppress attacks
Cossack: A Simplified View WW W target watchdog attacker watchdog
Demo Goal: capture low-level pulsing attacks that elude normal SNMP statistics Scenario: Victim is attacked by many low-level pulsing streams SNMP sampling too coarse to isolate attackers Watchdog at victim asks watchdogs at source network to change sampling interval Attack stream detected Real life event faced by net admin at USC
Demo Testbed W W W A1 A2 A3 Target Traffic monitor (MRTG)
Attack Begins W W W A1 A2 A3 Target Pulsing Attack 1% Strength Pulsing Attack 98% Strength (Represents 98 other hosts) Pulsing Attack 1% Strength MRTG sampling too slow to catch individual low-strength attacks, but sees full-strength attack.
Watchdogs Communicate W W W A1 A2 A3 Target Pulsing Attack 1% Strength Pulsing Attack 98% Strength (Represents 98 other hosts) Pulsing Attack 1% Strength - Victim watchdog analyzes attack traffic and determines list source addresses. - Forms Yoid group with upstream watchdogs.
Watchdogs Scrutinize Traffic W W W A1 A2 A3 Target Pulsing Attack 1% Strength Pulsing Attack 98% Strength (Represents 98 other hosts) Pulsing Attack 1% Strength -Watchdogs reduce monitoring interval and detect the attack streams
Watchdogs Install Filters W W W A1 A2 A3 Target Pulsing Attack 1% Strength Pulsing Attack 98% Strength (Represents 98 other hosts) Pulsing Attack 1% Strength - Upstream Watchdogs install filters in router to block attack
Attack Neutralized W W W A1 A2 A3 Target Pulsing Attack 1% Strength Pulsing Attack 98% Strength (Represents 98 other hosts) Pulsing Attack 1% Strength