Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on:

Similar presentations


Presentation on theme: "Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on:"— Presentation transcript:

1 Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on: Jim Gast, CS-642 Security, Spring, 2003 UW-Madison

2 2 Normal Connection Establishment The Server sets up retransmission timers, allocates receive buffers, etc. Imagine a web server that can handle 12,000 connections. If the process fails, a timeout occurs after 120 seconds, freeing up the resources. Note: SYN packets are very small and take up very little bandwidth. Graphics stolen from

3 3 State Transition Diagram CLOSED LISTEN SYN_RCVDSYN_SENT ESTABLISHED CLOSE_WAIT LAST_ACKCLOSING TIME_WAIT FIN_WAIT_2 FIN_WAIT_1 Passive openClose Send/SYN SYN/SYN + ACK SYN + ACK/ACK SYN/SYN + ACK ACK Close/FIN FIN/ACKClose/FIN FIN/ACK ACK + FIN/ACK Timeout after two segment lifetimes FIN/ACK ACK Close/FIN Close CLOSED Active open/SYN

4 4 SYN Flood Each SYN creates one half-open connection Half-open connections take minutes to time-out Servers have finite connection tables Perpetrator would be easily caught (Source IP) Unless SourceIP is spoofed See: CERT Advisory CA SYN packets per second fits in 56 Kbps Graphics stolen from

5 5 Spoofed IP Address The SYN/ACK is delivered to the fake (spoofed) IP Address. The attacker doesn’t see it, and doesn’t care. (Backscatter) Graphics stolen from

6 6 Example SYN Flood Attack February 5 th -11 th, 2000 Victims included CNN, eBay, Yahoo, Amazon Attackers (allegedly) used simple, readily available tools (script-kiddies) Law enforcement unable (unwilling?) to help Under-age perpetrators have blanket immunity

7 7 Defense against SYN Flood Increase size of connection table Add more servers Trace attack back to source Ask your ISP to filter malicious packets Add firewall Typically “SYN proxy” Dave Parter will talk on firewalls later in the semester Ultimate solution was “SYN-cookies” Reply to SYN with SYN-cookie Allocate no resources until SYN-cookie is returned

8 8 Potential places to stop DoS flood Graphics stolen from

9 9 Distributed DoS Rather than filling connection table, fill all available bandwidth Infect innocent bystanders (zombies) Zombies listen (e.g. on IRC channel) for attack command (or simply attack at will) Attacker need not have high bandwidth connection Typical Program: EvilGoat EvilBot Graphics stolen from

10 10 Example Distributed DOS Attack 6 attacks on 5 different days One attack lasted for 17 hours 474 infected windows PC as zombies 2.4 billion malicious packets Graphics stolen from Goodput? Time (minutes?)

11 11 Flood-based Distributed DoS Attacks Coordinate zombies to attack with big packets Use up “last-hop” bandwidth “Last-hop” router discards packets indiscriminately Zombies need not spoof addresses See for example horror storyhttp://grc.com/dos/intro.htm Graphics stolen from

12 12 Newest Twist - Reflection Many routers accept connections on port 179 (Border Gateway Protocol) Although any big server and any port it listens on will work Send a SYN to a router, claiming it came from the victim The router will send a SYN/ACK to the victim And then re-transmit several times before giving up (typically about 4X) Note: Tar-pits will not see any “Backscatter” but honey-pots might see the attacker’s commands.

13 13 Reflection Mechanism Graphics stolen from

14 14 Distributed Reflection DoS Graphics stolen from

15 15 Other ports susceptible to DRDoS 22 – Secure Shell 23 – Telnet 53 – DNS 80 – HTTP / Web 4001 – Proxy Servers 6668 – Internet Relay Chat But reflection from port 179 is so powerful it easily overwhelms others Easily detected ports “Well-Known” (so far)

16 16 Call to action Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home Egress filtering at all ISPs would prevent spoofed IP addresses from traversing the Internet Flagging multiply-tried, failed SYN/ACKs could be used to discover victims and filter further attack Disable raw socket interface in client PCs

17 17 Questions?


Download ppt "Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on:"

Similar presentations


Ads by Google