Distributed Denial of Service Attacks (DDoS) Christos Papadopoulos.


2 Distributed Denial of Service Attacks (DDoS) Christos Papadopoulos

3 Some Common DoS Attacks
• Smurf
• SYN flood
• UDP floods

4 Smurf Attack (figure: attacker, amplifier network, target)
The attacker sends ICMP echo requests to the broadcast address of an amplifier network with the source address spoofed to be the target's address. Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast.

5 TCP SYN Flooding: a potentially more powerful attack (figure: normal handshake versus spoofed SYN)
Normal handshake: the client (port 33623/tcp) sends SYN to the server (port 23/tcp); the server replies SYN-ACK; the client sends ACK and the session proceeds, with ACK set for the remainder of the session.
Attack: a SPOOFED SYN carrying the source address of a nonexistent host is sent to the target (port 23/tcp); the target replies SYN-ACK to that host; the FINAL ACK IS NEVER SENT, so the target keeps a half-open connection for each spoofed SYN until it times out.

6 Protection against SYN Attacks
SYN cookies (D. J. Bernstein and Eric Schenk) avoid half-open TCP connections. The server responds to a TCP SYN with a SYN-ACK whose initial sequence number is a cookie:
    sqn = f(src addr, src port, dst addr, dst port, secret seed)
The server then releases all state for the connection. If an ACK later arrives from the client, the server recomputes f and checks whether the acknowledgement number is a response to a former SYN-ACK (ack = cookie + 1). If yes, the server enters the TCP_ESTABLISHED state.

7 SYN Cookie Exchange
The SYN cookies firewall adds a SYN cookie feature to Linux as a firewall in front of the server:
1. client → firewall: SYN
2. firewall → client: SYN-ACK (cookie)
3. client → firewall: ACK
4. firewall → server: SYN
5. server → firewall: SYN-ACK
6. firewall → server: ACK
7. firewall relays the connection
Under attack, step 3 never occurs, so the server behind the firewall never sees the spoofed SYN.
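The stateless check described on the two slides above, as an added example (not code from the presentation or from any real TCP stack): the cookie is an HMAC over the 4-tuple and a secret seed, as in the formula, plus a coarse 8-bit time counter that real implementations also fold in so that old cookies expire; the seed, the 64-second counter tick, the two-tick acceptance window and the addresses are assumptions made for the example, and the MSS encoding of production SYN cookies is omitted. The server keeps no half-open table at all: a flood of spoofed SYNs leaves nothing to clean up, a guessed ACK fails the recomputation, and a stale ACK fails the counter check.

```python
import hashlib
import hmac
import struct
import time

# Assumptions for this example: a server-side secret seed and a coarse time
# counter (one tick per COOKIE_LIFETIME seconds) folded into the cookie so
# that old cookies expire. Real stacks also encode the MSS; that is omitted.
SECRET_SEED = b"constructed-secret-seed-rotate-in-production"
COOKIE_LIFETIME = 64


def current_counter(now=None):
    """8-bit coarse time counter carried in the top byte of the cookie."""
    now = time.time() if now is None else now
    return (int(now) // COOKIE_LIFETIME) & 0xFF


def syn_cookie(src_addr, src_port, dst_addr, dst_port, counter, secret=SECRET_SEED):
    """sqn = f(src addr, src port, dst addr, dst port, secret seed [, counter])."""
    counter &= 0xFF
    msg = f"{src_addr}:{src_port}>{dst_addr}:{dst_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    low24 = struct.unpack(">I", digest[:4])[0] & 0x00FFFFFF
    return (counter << 24) | low24


def check_cookie(ack_num, src_addr, src_port, dst_addr, dst_port, now_counter, secret=SECRET_SEED):
    """Validate a client's ACK with no stored state: the client acknowledges
    our SYN-ACK with ack = cookie + 1, so recompute f and compare."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    if (now_counter - counter) & 0xFF not in (0, 1):   # current or previous tick only
        return False
    expected = syn_cookie(src_addr, src_port, dst_addr, dst_port, counter, secret)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


class SynCookieServer:
    """Listener that keeps no half-open table: SYNs are answered and forgotten."""

    def __init__(self, addr, port, secret=SECRET_SEED):
        self.addr, self.port, self.secret = addr, port, secret
        self.half_open = {}        # never populated
        self.established = set()

    def on_syn(self, src_addr, src_port, now):
        isn = syn_cookie(src_addr, src_port, self.addr, self.port, current_counter(now), self.secret)
        return ("SYN-ACK", isn)    # sent to the (possibly spoofed) client; nothing retained

    def on_ack(self, src_addr, src_port, ack_num, now):
        ok = check_cookie(ack_num, src_addr, src_port, self.addr, self.port,
                          current_counter(now), self.secret)
        if ok:
            self.established.add((src_addr, src_port))   # TCP_ESTABLISHED
        return ok


def demo(now=1_000_000):
    """Honest handshake, a spoofed SYN flood, a guessed ACK and a stale ACK."""
    srv = SynCookieServer("192.0.2.20", 23)
    _, isn = srv.on_syn("192.0.2.10", 33623, now)
    honest = srv.on_ack("192.0.2.10", 33623, (isn + 1) & 0xFFFFFFFF, now + 1)
    for i in range(10_000):                       # spoofed SYNs from nonexistent hosts
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now)
    forged = srv.on_ack("203.0.113.7", 40000, 0x12345678, now)
    _, old_isn = srv.on_syn("192.0.2.11", 40001, now)
    stale = srv.on_ack("192.0.2.11", 40001, (old_isn + 1) & 0xFFFFFFFF, now + 3 * COOKIE_LIFETIME)
    return {"honest": honest, "forged": forged, "stale": stale,
            "half_open": len(srv.half_open), "established": len(srv.established)}


if __name__ == "__main__":
    print(demo())
```

The price of statelessness is visible in the code: everything the server would normally remember between SYN and ACK has to be recoverable from the 32-bit sequence number, which is why the counter is squeezed into 8 bits and why the secret must stay secret (anyone who learns it can mint valid ACKs for any spoofed source).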

8 What Is a Firewall?
An access control device that performs perimeter security by deciding which packets are allowed or denied into or out of a network.
– May be a hardware device or a software program running on a secure host computer.
– Sits at a junction point or gateway between two networks (e.g., the public Internet and a private intranet).

9 Firewall Location (figure only)

10 Firewall Types (figure only)

11 Why a Firewall?
Analogy: a firewall keeps a fire from spreading from one part of a building to another.
• Prevents the dangers of the Internet from spreading to your internal network.
• Restricts packets to entering at a carefully controlled point.
• Restricts packets to leaving at a carefully controlled point.
• Prevents attackers from getting close to your other defenses.

12 What Does a Firewall Do?
• A firewall is an aggregation point for security decisions.
• A firewall can enforce security policy.
• A firewall can log Internet activity efficiently.
• A firewall protects the network as a resource.
• A firewall limits your exposure.
• A firewall can provide protection for vulnerable services.

13 What Does a Firewall Not Do?
A firewall can't protect you against:
• malicious insiders
• careless employees
• connections that don't go through it
• viruses and trojans, data-driven attacks
• illicit rendezvous (unauthorized tunneled connections)
• completely new threats
Additional security measures must be incorporated along with the firewall (physical security, host security, user education).

14 Caveats
• Firewall technology can provide a false sense of security.
• May lead to lax security within the firewall perimeter.
• Analogy: firewalls provide "a hard, crunchy outside with a soft, chewy center."
• A misconfigured firewall is ineffective.
• Firewalls must be maintained and updated daily.
• Audit logs must be actively monitored.

15 What Is DDoS?
Distributed Denial of Service
• A newer, more pernicious type of attack
• Many hosts "gang up" to attack another host
• A network resource attack, exhausting:
  – Bandwidth
  – State

16 Why Should We Care?
• Successfully used to attack prominent sites on the Internet by people with only a primitive understanding of Internet protocols
• It is relatively easy to do, but hard to detect and stop
• It is only going to get worse unless we develop adequate protection mechanisms

17 Anatomy of an Attack
• Compromise a large set of machines
• Install attack tools
• Instruct all attack machines to initiate an attack against a victim
The process is highly automated.

18 Phase 1: Compromise
A (stolen) account is used as a repository for attack tools. A scan is performed to identify potential victims. A script is used to compromise the victims.

19 Phase 2: Install Attack Tools
An automated installation script is then run on the "owned" systems to download and install the attack tool(s) from the repository. Optionally, a "root kit" is installed on the compromised systems.

20 Phase 3: Launch Attack
Launch a coordinated DDoS from different sites against a single victim. The network pipes of the individual attackers can be small, but their aggregate bandwidth is far larger than the victim's pipe. The victim's ISP may not notice the elevated traffic. DDoS attacks are harder to track than a DoS.


22 Some Known DDoS Attack Tools
• Trin00
• Tribal Flood Network (TFN)
• Tribal Flood Network 2000 (TFN2K)
• Stacheldraht

23 Trin00
• Distributed UDP flood attack.
• The attacker connects to TCP port 27665 on the master machines using telnet.
• The master relays the commands to the daemons using UDP port 27444.
• The daemons carry out the commands and respond on UDP port 31335.

24 TFN
• General design similar to trin00.
• Capable of a number of attacks such as ICMP flood, SYN flood, UDP flood and Smurf-style attacks.
• Communication between clients and daemons is done via ICMP echo replies. Commands are hidden inside the ID field of the ICMP packet.
• The traffic looks identical to standard ping replies and hence cannot be blocked at a firewall without also blocking the replies to outgoing pings.
• The absence of TCP and UDP control traffic makes these packets difficult to detect.

25 TFN2K
• TFN2K communicates via TCP, UDP (random ports), ICMP echo replies, or all three at random.
• The daemon never responds to the master.
• The master sends every command twenty times for reliability.
• TFN2K sends out decoy packets to random machines to make it unclear which machines are clients.
• All commands are encrypted with a compile-time password.
• TFN2K daemons can randomly alternate between different types of attacks.

26 Stacheldraht
• Combines features of trin00 with those of TFN.
• Adds encryption of the communication between the attacker and the masters, and automated update of the agents.
• Communication between the attacker and the masters takes place on TCP port 16660.
• Daemons receive commands from the masters through ICMP echo replies (using the data part of the packet).
• Possible attacks are ICMP flood, UDP flood, SYN flood and Smurf attack.

27 Stacheldraht Client Session (as captured)
    # ./client
    [*] stacheldraht [*]
    (c) in 1999 by ...
    trying to connect...
    connection established.
    --------------------------------------
    enter the passphrase : sicken
    --------------------------------------
    entering interactive session.
    ******************************
    welcome to stacheldraht
    ******************************
    if you are lame
    stacheldraht(status: a!1 d!0)>

28 Stacheldraht Help
    stacheldraht(status: a!1 d!0)> .help
    available commands in this version are:
    --------------------------------------------------
    stacheldraht(status: a!1 d!0)>

29 Some Commands
• .distro user server – Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., rcp user@server:linux.bin ttymon).
• .madd ip1[:ip2[:ipN]] – Add IP addresses to the list of attack victims.
• .mdie – Sends a die request to all agents.

30 Spoof Testing
• The agent performs a test to find out whether the system allows source-address spoofing or not.
• The agent sends out an ICMP packet with ID 666 and a spoofed source IP address, with the real IP address of the compromised machine embedded in the data field.
• If the packet gets through, the handler learns the agent's real IP address and replies with ID 1000 and a data field containing "spoofworks", and the spoof level is set to 0 (full spoofing). Otherwise the spoof level is set to 3, meaning that only the last octet can be spoofed.

31 Defending Against DDoS
• Prevent the compromise of machines with Intrusion Detection Systems (IDS)
• Trace back to the attacker
• Develop automated network defense mechanisms

32 Intrusion Detection: Snort
• Packet-sniffing network intrusion detection system
• libpcap-based sniffing interface
• Rules-based detection engine
• Multiple output options
  – Decoded logs, tcpdump-formatted logs
  – Real-time alerting to syslog, file, WinPopup
(© Copyright 1999, Martin Roesch, USENIX LISA '99 Conference)

33 Detection Engine
• Rules form "signatures"
  – Modular detection elements are combined to form these signatures
• Anomalous activity detection is possible
  – Stealth scans, OS fingerprinting, invalid ICMP codes, etc.
• The rules system is very flexible, and creating new rules is relatively simple
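The "modular elements combined into a signature" idea of the Snort slides, applied to the tool traffic of the Trin00 and Stacheldraht slides, as an added example (this is not Snort's code and not from the presentation): each rule is a set of field tests (protocol, destination port, ICMP type and ID, payload content) that all have to hold, run over constructed packet records of the kind a sniffer would decode. The control ports and ICMP IDs come from the slides; the addresses, payloads and the packet-record layout are made up for the example. A second, stateful check flags echo replies that were never preceded by a matching echo request, which is the one way TFN and Stacheldraht command traffic differs from real pings. Caveat from the TFN2K slide: random ports and encrypted commands defeat the port and content rules, so those signatures only catch the older tools.

```python
# Constructed packet records, as a sniffer would decode them (documentation
# addresses; the control ports and ICMP IDs are the ones the slides list).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.5", "sport": 40312, "dst": "192.0.2.20", "dport": 27665, "payload": b"telnet session"},
    {"proto": "udp", "src": "192.0.2.20", "sport": 1025, "dst": "192.0.2.30", "dport": 27444, "payload": b"command"},
    {"proto": "udp", "src": "192.0.2.30", "sport": 1026, "dst": "192.0.2.20", "dport": 31335, "payload": b"hello"},
    {"proto": "tcp", "src": "198.51.100.5", "sport": 40313, "dst": "192.0.2.21", "dport": 16660, "payload": b"encrypted"},
    {"proto": "icmp", "src": "192.0.2.31", "dst": "192.0.2.21", "icmp_type": 0, "icmp_id": 666, "payload": b"192.0.2.31"},
    {"proto": "icmp", "src": "192.0.2.21", "dst": "192.0.2.31", "icmp_type": 0, "icmp_id": 1000, "payload": b"spoofworks"},
    {"proto": "icmp", "src": "192.0.2.41", "dst": "192.0.2.40", "icmp_type": 8, "icmp_id": 4242, "payload": b"abcdefgh"},
    {"proto": "icmp", "src": "192.0.2.40", "dst": "192.0.2.41", "icmp_type": 0, "icmp_id": 4242, "payload": b"abcdefgh"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51000, "dst": "192.0.2.21", "dport": 22, "payload": b"SSH-2.0-"},
]

# Each rule is a signature built from modular field tests; every test must hold.
RULES = [
    {"msg": "trin00 attacker->master control (telnet)", "proto": "tcp", "dport": 27665},
    {"msg": "trin00 master->daemon command", "proto": "udp", "dport": 27444},
    {"msg": "trin00 daemon->master response", "proto": "udp", "dport": 31335},
    {"msg": "stacheldraht attacker->master control", "proto": "tcp", "dport": 16660},
    {"msg": "stacheldraht agent spoof test", "proto": "icmp", "icmp_type": 0, "icmp_id": 666},
    {"msg": "stacheldraht handler spoof reply", "proto": "icmp", "icmp_type": 0, "icmp_id": 1000,
     "content": b"spoofworks"},
]


def match(rule, pkt):
    """True when every field test of the rule holds for the packet."""
    for field, want in rule.items():
        if field == "msg":
            continue
        if field == "content":
            if want not in pkt.get("payload", b""):
                return False
        elif pkt.get(field) != want:   # missing field (e.g. no dport on ICMP) never matches
            return False
    return True


def run_rules(packets, rules=RULES):
    """Stateless signature pass: (packet index, rule message, src, dst) per hit."""
    alerts = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if match(rule, pkt):
                alerts.append((i, rule["msg"], pkt["src"], pkt["dst"]))
    return alerts


def unsolicited_echo_replies(packets):
    """Stateful check: echo replies (type 0) with no earlier echo request (type 8)
    in the reverse direction with the same ID. Ordinary ping traffic passes;
    TFN/Stacheldraht command traffic, which is all replies, does not."""
    requests_seen = set()
    flagged = []
    for i, pkt in enumerate(packets):
        if pkt.get("proto") != "icmp":
            continue
        if pkt.get("icmp_type") == 8:
            requests_seen.add((pkt["src"], pkt["dst"], pkt.get("icmp_id")))
        elif pkt.get("icmp_type") == 0:
            if (pkt["dst"], pkt["src"], pkt.get("icmp_id")) not in requests_seen:
                flagged.append((i, pkt["src"], pkt["dst"], pkt.get("icmp_id")))
    return flagged


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_PACKETS):
        print("ALERT", alert)
    for hit in unsolicited_echo_replies(SAMPLE_PACKETS):
        print("UNSOLICITED ECHO REPLY", hit)
```

The request/reply pairing is what a firewall or IDS has to do to let "ping" through while still catching ICMP-tunnelled control traffic; a pure port filter, as the TFN slide says, cannot separate the two.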

34 Traceback Techniques
• Logging
• Link testing
• Node append
• Node sampling
• Overlays
• Edge sampling
• Trace messages

35 Why Traceback Is Hard
• The IP source address is spoofed:
  – Form IP packets with a forged source address.
  – Send them using a socket of type SOCK_RAW.
  – Requires root privilege.

36 Avoiding Spoofed Packets
• Ingress filtering
  – Prohibits an attacker from forging an IP address outside the range assigned to their network
  – At the first-hop router: if the packet's source IP address is within the predefined range, then forward the packet, else drop it
  – (-) Mobile hosts use their home network address in Mobile IP, so their packets would be dropped

37 Logging (Audit Trailing)
• Record packets at predetermined routers and use data-mining techniques to construct the path traversed by the packets
  – (+) Easy
  – (+) Permits post-mortem analysis
  – (-) Requires a large amount of disk and computing resources
  – (-) Requires topology maps for reconstruction
  – (-) Manual, time-consuming

38 Link Testing
• Involves interactively testing the upstream links, starting from the victim, to determine the links used to carry the attacker's traffic
• Two techniques:
  – Input debugging
  – Controlled flooding

39 Link Testing (Input Debugging)
• Determine the attack signature.
• Filter packets at the egress port and determine at which ingress port they arrived.
• Perform this iteratively at all upstream routers until the source(s) are found.
• (-) Relies heavily on manual intervention and is extremely slow.
• (-) Requires inter-ISP cooperation.

40 Link Testing (Controlled Flooding)
• Flood upstream links with large amounts of UDP traffic (UDP chargen).
• Observe the changes in the attack traffic pattern as each link is loaded.
• Reconstruct the path to the attacker recursively.
(figure: the victim at the root of a router tree R1 to R5 with hosts A and B and the attacker behind one branch; chargen requests, chargen replies and attack packets are drawn on the links)

41 Link Testing (Controlled Flooding)
• (+) Effective
• (-) Requires information about the Internet topology
• (-) Inherently noisy
• (-) Difficult to discern the set of paths in case of DDoS attacks
• (-) Is a DoS attack by itself
• (-) Requires cooperation from upstream routers

42 Node Append
• Record the route in the packet as it traverses the routers
• Each router appends its IP address to the end of the packet
  – (+) Easy to implement
  – (+) A single packet is enough to find the attack path
  – (-) Increases the packet size (4 bytes per hop)
  – (-) Processing overhead
  – (-) Fragmentation

43 Node Sampling
• Each router inserts its IP address into a single static field with probability p
• p(1 - p)^(d-1) is the probability that a packet arriving at the victim carries the mark of the router at distance d
• Reconstruction algorithm:
  – Rank each router by the number of samples received
  – Reconstruct the path using the ranks
• (-) More than 42,000 samples are needed for d = 15 and p = 0.51 before a single marked packet from the router at distance 15 (the attacker's first-hop router) is expected

44 CenterTrack (figure: IP tunnels; labels v and a)
• Create an overlay network using IP tunnels
• Tunnels are created between the edge routers and the transit routers
• Based on the attack signature, perform logging and/or corrective action in the overlay network

45 CenterTrack (cont.)
– (+) Eliminates the need for transit router input debugging
– (+) The required features are available
– (+) Is not too expensive
– (+) Scales well
– (-) Still requires input debugging at the edge
– (-) Changes routes (attackers might notice)

46 Edge Sampling
• Three marking fields:
  – Two IPs (start and end of the edge)
  – Distance
• When a router decides to mark, it writes its IP into the start field and sets the distance field to 0
• The next router either marks afresh (rewrites start, distance 0) or fills in the remaining end-IP field and increments the distance
• Every further router increments the distance field or starts afresh
• The marking probability p < 1

47 Edge Sampling Algorithm
At router R, for each packet pkt:
    u ← random number in [0, 1)
    if u < p then                       (mark with probability p)
        pkt.startIP ← R.IP
        pkt.distance ← 0
    else
        if pkt.distance == 0 then       (the previous router marked: close its edge)
            pkt.endIP ← R.IP
        pkt.distance ← pkt.distance + 1
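A simulation of the edge-sampling algorithm above, together with the node-sampling sample-count formula from slide 43, as an added example (not code from the presentation or from the original traceback papers): packets from an attacker cross a constructed five-router path, each router runs the marking step with probability p, and the victim reconstructs the path from the (start, end, distance) marks by walking outward from itself by increasing distance. The router names, the path length, p = 0.5 and the forged start address 198.51.100.66 are assumptions for the example. The attacker pre-fills the mark fields in every packet, which shows the scheme's known limit: a forged edge can only appear beyond the true path (at distance d), never closer to the victim, because any real router that marks overwrites it.

```python
import math
import random

VICTIM = "victim"


def mark_packet(pkt, router_ip, p, rng):
    """One router's marking step (the edge-sampling algorithm above)."""
    if rng.random() < p:                 # mark with probability p
        pkt["start"] = router_ip
        pkt["end"] = None
        pkt["distance"] = 0
    else:
        if pkt["distance"] == 0:         # the previous router marked: close its edge
            pkt["end"] = router_ip
        pkt["distance"] += 1


def forward_packet(path, p, rng, forged_start="198.51.100.66"):
    """Send one packet along `path` (routers listed attacker-side first).
    The attacker pre-fills the mark fields with a forged start address."""
    pkt = {"start": forged_start, "end": None, "distance": 0}
    for router in path:
        mark_packet(pkt, router, p, rng)
    return pkt


def collect_edges(path, p, n_packets, seed=1):
    """The victim's view: the set of distinct (start, end, distance) marks seen."""
    rng = random.Random(seed)
    edges = set()
    for _ in range(n_packets):
        pkt = forward_packet(path, p, rng)
        # a mark written by the last router has no end yet; the victim is the end
        end = pkt["end"] if pkt["end"] is not None else VICTIM
        edges.add((pkt["start"], end, pkt["distance"]))
    return edges


def reconstruct_path(edges):
    """Walk from the victim outward: the edge at distance i must end where the
    edge at distance i-1 starts. Returns routers nearest-the-victim first."""
    by_end = {}
    for start, end, dist in edges:
        by_end.setdefault((end, dist), set()).add(start)
    path, node, dist = [], VICTIM, 0
    while (node, dist) in by_end:
        starts = by_end[(node, dist)]
        if len(starts) != 1:             # several attack paths, or conflicting forged marks
            break
        node = next(iter(starts))
        path.append(node)
        dist += 1
    return path


def node_sampling_expected_packets(p, d):
    """Expected packets until one sample arrives from the router at distance d
    under node sampling, where the per-packet probability is p(1-p)^(d-1)."""
    return 1.0 / (p * (1 - p) ** (d - 1))


def edge_sampling_expected_bound(p, d):
    """Upper bound on the expected packets needed to see every edge of a
    d-hop path under edge sampling: ln(d) / (p(1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


if __name__ == "__main__":
    true_path = ["R1", "R2", "R3", "R4", "R5"]       # R5 is the victim's neighbour
    edges = collect_edges(true_path, p=0.5, n_packets=2000)
    print("reconstructed (victim side first):", reconstruct_path(edges))
    print("node sampling, p=0.51, d=15:", round(node_sampling_expected_packets(0.51, 15)))
```

With p = 0.5 the farthest real edge (R1, R2) is carried by about one packet in 32, so a few thousand attack packets suffice; the reconstruction ends with the forged address hanging off R1 at distance 5, which a victim would discard as beyond its ISP's known topology. The node-sampling figure reproduces the slide's "more than 42,000" for p = 0.51 and d = 15.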

48 ICMP Traceback
• Concept:
  – Intermediate routers generate, with probability p, trace packets destined for the victim
  – Routers encode partial path information in the trace packet
  – The victim can reconstruct the attack path with a sufficient number of trace packets

49 ICMP Traceback (figure only)

50 ICMP Traceback (cont.)
• Creates a new type of ICMP message called ICMP Traceback (in the IETF standards process).
• Packet size limited to 576 bytes.
• Traceback messages are generated with probability 1/20,000.
• The initial TTL of the new IP packet MUST be 255.

51 Cossack

52 Cossack Overview
• A distributed set of watchdogs monitors the network
  – Localized IDS for blind detection
  – Topology information to pre-filter the target
  – Group communication for robustness
• Distributed coordination
  – No centralized controller
  – Attack-driven dynamic grouping of watchdogs
  – Consult with other watchdogs to correlate attacks
  – Selectively deploy countermeasures to suppress attacks

53 Cossack: A Simplified View (figure: watchdogs W at several networks, a target and an attacker)

54 Attacks Begin (same figure; attack traffic flows toward the target)

55 Watchdogs Communicate Using YOID (same figure; the watchdogs form a YOID group)

56 Attacks Detected (same figure)

57 Watchdogs Install Filters and Eliminate Attack (same figure)

58 Attack No 4
• Ping reflection attack (40-byte packets)
• Victim: server at USC
• Attackers: 145 reflectors located in Brazil, Japan, Korea, Singapore and the United States; zombie location unknown
• Duration: 285 seconds
• Sample trace (anonymized; addresses removed):
    1025390161.422173 > icmp: echo reply (DF)
    1025390161.422178 > icmp: echo reply (DF)
    1025390161.422757 > icmp: echo reply (DF)

59 Attack 4: Packet Rate (figure only)

60 Attack 4: Bandwidth (figure only)

61 Attack 4: Transient Behavior (figure only)

62 Attack 13: Attack Description
• Attack specification
  – Victim: server at Caltech
  – Spoofed source addresses (> 100,000)
  – Duration: 1794 seconds
• Sample trace (addresses removed):
    1026570396.847625 > ack 0 win 8459
    1026570396.847630 > ack 0 win 3584
    1026570396.847635 > ack 0 win 10
    1026570396.847639 > ack 0 win 48231
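The packet-rate, bandwidth and source-count figures of the Attack 4 and Attack 13 slides can be produced from tcpdump-style traces like the samples above; the following is an added example (not the presentation's analysis code) that parses such lines, bins them per second and separates the two attack types by source diversity: a reflection attack arrives from a bounded set of real reflectors (145 in Attack 4), whereas a spoofed flood shows a new source on nearly every packet (> 100,000 in Attack 13). Because the slides' traces are anonymized, the example generates its own constructed traces with documentation addresses; the 40-byte packet size is the one the Attack 4 slide gives, and the classification thresholds (1.5 packets per source, 1000 reflectors) are assumptions.

```python
import random
import re
from collections import Counter

# tcpdump-style line: "<ts> <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def analyze(lines, pkt_bytes=40):
    """Per-second packet rate, bandwidth and source diversity of a trace."""
    per_sec, sources, n = Counter(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        n += 1
        per_sec[int(rec["ts"])] += 1
        sources.add(rec["src"])
    if n == 0:
        return None
    duration = max(per_sec) - min(per_sec) + 1
    peak = max(per_sec.values())
    return {"packets": n, "duration_s": duration, "distinct_sources": len(sources),
            "mean_pps": n / duration, "peak_pps": peak, "peak_bps": peak * pkt_bytes * 8,
            "pkts_per_source": n / len(sources)}


def classify(stats, max_reflectors=1000):
    """Constructed heuristic: a spoofed flood shows a fresh source on nearly every
    packet; a reflection flood comes from a bounded set of real reflectors."""
    if stats["pkts_per_source"] < 1.5:
        return "spoofed-source flood"
    if stats["distinct_sources"] <= max_reflectors:
        return "reflection flood"
    return "unclassified"


def constructed_reflection_trace(n_reflectors=145, seconds=10, pps_each=3, seed=4):
    """Echo replies from a fixed reflector set, in the shape of Attack 4 (constructed)."""
    rng = random.Random(seed)
    reflectors = [f"203.0.113.{i + 1}" for i in range(n_reflectors)]
    lines = []
    for s in range(seconds):
        for r in reflectors:
            for _ in range(pps_each):
                lines.append(f"{1025390161 + s + rng.random():.6f} {r} > 192.0.2.10: icmp: echo reply (DF)")
    return lines


def constructed_spoofed_ack_trace(seconds=10, pps=500, seed=5):
    """ACK packets with random spoofed sources, in the shape of Attack 13 (constructed)."""
    rng = random.Random(seed)
    lines = []
    for s in range(seconds):
        for _ in range(pps):
            src = ".".join(str(rng.randrange(1, 224)) if i == 0 else str(rng.randrange(1, 255))
                           for i in range(4))
            lines.append(f"{1026570396 + s + rng.random():.6f} {src}.{rng.randrange(1024, 65536)} > "
                         f"192.0.2.11.80: . ack 0 win {rng.randrange(65536)}")
    return lines


if __name__ == "__main__":
    for name, trace in (("reflection", constructed_reflection_trace()),
                        ("spoofed", constructed_spoofed_ack_trace())):
        stats = analyze(trace)
        print(name, stats, "->", classify(stats))
```

The source-diversity split matters for the response: against the reflection attack the 145 reflector addresses can be filtered upstream, whereas against the spoofed flood the source list is useless and only traceback or filtering on the target port and flags remains.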

63 Attack 13: Packet Rate (figure only)

64 Attack 13: Transient Behavior (figure only)

65 FFT Analysis (figures: Attack 4 and Attack 13)

66 Demo
• Goal: capture low-level pulsing attacks that elude normal SNMP statistics
• Scenario:
  – The victim is attacked by many low-level pulsing streams
  – SNMP sampling is too coarse to isolate the attackers
  – The watchdog at the victim asks the watchdogs at the source networks to change their sampling interval
  – The attack streams are detected
• Based on a real-life event faced by a network administrator at USC

67 Demo Testbed (figure: three watchdogs W, attackers A1, A2 and A3, the target, and a traffic monitor (MRTG))

68 Attack Begins (figure: A1 and A3 send pulsing attacks at 1% strength; A2 sends a pulsing attack at 98% strength, representing 98 other hosts)
MRTG sampling is too slow to catch the individual low-strength attacks, but sees the full-strength attack.

69 Watchdogs Communicate (same figure)
– The victim watchdog analyzes the attack traffic and determines the list of source addresses.
– It forms a Yoid group with the upstream watchdogs.

70 Watchdogs Scrutinize Traffic (same figure)
– The watchdogs reduce their monitoring interval and detect the attack streams.

71 Watchdogs Install Filters (same figure)
– The upstream watchdogs install filters in their routers to block the attack.

72 Attack Neutralized (same figure)
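Why the demo's pulsing streams hide from MRTG-style polling but show up once the sampling interval is shortened, and how the FFT analysis of slide 65 exposes the pulse period, as an added example (not code from the presentation or from the Cossack project): a constructed per-second packet-count series carries a 2-second burst every 8 seconds on top of a low background; averaging it over a coarse 64-second polling interval flattens the bursts to a nearly constant level, while at one-second resolution the peak-to-mean ratio and the dominant DFT bin both reveal the attack. The series parameters, the 64-second "coarse" interval and the peak-to-mean threshold of 2 are assumptions; the DFT is written out directly so the example needs only the standard library.

```python
import cmath
import math
import random


def constructed_pulsing_series(n=256, period=8, width=2, pulse_pps=50, background=5, seed=7):
    """Per-second packet counts: low background plus a short burst every `period` seconds."""
    rng = random.Random(seed)
    series = []
    for t in range(n):
        burst = pulse_pps if (t % period) < width else 0
        series.append(background + burst + rng.uniform(-2, 2))   # small measurement noise
    return series


def coarse_samples(series, interval):
    """What a polling monitor sees: one average per polling interval."""
    return [sum(series[i:i + interval]) / interval for i in range(0, len(series), interval)]


def peak_to_mean(xs):
    return max(xs) / (sum(xs) / len(xs))


def dft_magnitudes(xs):
    """|X[k]| for k = 0 .. n/2-1 (direct O(n^2) DFT; fine for a few hundred samples)."""
    n = len(xs)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(xs)))
            for k in range(n // 2)]


def dominant_period(series):
    """Period (in samples) of the strongest non-DC spectral component."""
    mags = dft_magnitudes(series)
    k = max(range(1, len(mags)), key=mags.__getitem__)   # skip the DC term k = 0
    return len(series) / k


def detect_pulsing(series, interval=64, ratio_threshold=2.0):
    """Compare what coarse polling and fine-grained sampling each reveal."""
    fine = peak_to_mean(series)
    coarse = peak_to_mean(coarse_samples(series, interval))
    return {"coarse_peak_to_mean": coarse, "fine_peak_to_mean": fine,
            "coarse_detects": coarse > ratio_threshold,
            "fine_detects": fine > ratio_threshold,
            "period_s": dominant_period(series)}


if __name__ == "__main__":
    result = detect_pulsing(constructed_pulsing_series())
    for key, value in result.items():
        print(f"{key}: {value}")
```

The coarse average is blind because every 64-second window contains exactly eight bursts, so all windows look alike; the fine series puts the attack's energy into the 8-second bin of the spectrum, which is the signature the victim watchdog can hand to the upstream watchdogs so they know what to look for after reducing their own interval.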
