Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.

1 Network Denial of Service Attacks
Advanced Network Security
Peter Reiher
August, 2014

2 Outline
Denial of service in networks
  –Basic methods
Non-distributed denial of service attacks

3 Denial of Service Attacks
Unlike other forms of hacking, the goal isn’t access
Or theft of information or services
The goal is to stop your service from operating
  –To deny service to legitimate users
Generally temporarily
  –Usually during duration of attack

4 Attacker Motivations
Sometimes extortion
Sometimes political in nature
Sometimes personal feuds
Sometimes as distractions
Many other possible motivations

5 How Can Service Be Denied?
Lots of ways
  –Crash your machine
  –Crash routers on the path to your machine
  –Fool a protocol into behaving badly
  –Use up a key machine resource
  –Use up a key network resource
Using up resources is the most common approach

6 What Resources Can Be Used Up?
Network bandwidth
Processing power
RAM
Network stack resources
  –E.g., records of open connections
Operating system or application resources
  –E.g., entries in a hash table

7 Simple Denial of Service Attacks
One machine tries to overload another machine
E.g., send more packets than the target can handle
There is a fundamental problem for the attacker:
  –The attack machine must be “more powerful” than the target machine
  –Otherwise, the attack machine can’t generate enough packets
The target machine might be a powerful server
Can one typical client machine generate enough work to overcome a powerful server?

8 A Flooding Attack
But does it actually deny service here?

9 The Problem With This Attack
The attacking computer is usually a home machine or office workstation
Maybe it’s got outgoing bandwidth of 10 Mbps
The target is usually a server
Maybe it’s got incoming bandwidth of 1 Gbps
The target barely notices the attack

10 “Solving” This Problem
How can an attacker overwhelm a machine with more resources than his?
Two possibilities:
  –Find a way to make the target pay more per message than the attacker
  –Use more than one machine to attack

11 Solution 1: Make The Target Pay More
Usually the attacker’s limited resource is bandwidth
  –Sometimes processor power
Try to attack some other resource
  –Using small amount of bandwidth to use a lot of this resource
Another option: a reflector attack

12 Denial of Service and Asymmetry
Sometimes generating a request is cheaper than formulating a response
If so, one attack machine can generate a lot of requests
And effectively multiply its power
E.g., send random garbage packets to a machine expecting encrypted packets
Not always possible to achieve this asymmetry
But often can be done

13 An Example: SYN Flood
TCP is connection-oriented
Endpoints must keep information about current TCP connections
  –To detect packet loss
  –For flow control and congestion management
Typically kept in a table
Of fixed size...
So attack this table, not the bandwidth!

14 The TCP Open Connection Table
Designed to support many TCP connections at a time
  –E.g., for high volume web server
One entry per connection
Reuse an entry once the connection ends
Some legitimate connections will be slow
  –So must not discard seemingly inactive connection too soon
But some legitimate connections will be dropped
  –Eventually get rid of unused open connection

15 The Basic Attack
Attacker uses initial request/response to start TCP sessions
Then he abandons them
Target keeps them open for a while
Filling up the server’s open connection table
Preventing new real TCP sessions

16 Why Is This Better Than Simple Flooding?
You can reserve a connection table slot with one short message
The slot will be used for a significant period of time
  –Even if you never make progress
Provides attacker with good asymmetry

17 Normal SYN Behavior
[Figure: SYN, SYN/ACK, ACK exchange; table of open TCP connections]

18 A SYN Flood
[Figure: a series of SYN and SYN/ACK messages; table of open TCP connections; label “Server can’t fill request!”]

19 Why Doesn’t the Attacker Send an ACK?
The attacker could send the second message (the ACK)
  –Then send no more messages
Why wouldn’t he do that?
Two reasons:
  –Can you figure out what they are?

20 How To Defend?
Don’t let the attacker take too many open connection slots
  –Maybe restrict to three or four per IP address
Doesn’t help if attacker has a lot of machines
Doesn’t help if attacker spoofs IP address

21 Another Defensive Option
Drop unused connections more aggressively
  –So half-open connections don’t waste the resource as long
Bad impact for slow legitimate clients
Only requires slight speed-up by attacker
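
The per-address limit and the timeout from the two defensive options above, as an added example that is not part of the original lecture: a Python model of a fixed-size table of half-open connections. The class name, the limits and the addresses fed to it are constructed for illustration, and the model tracks only half-open entries.

```python
from collections import Counter, OrderedDict


class HalfOpenTable:
    """Fixed-size table of half-open TCP connections (SYN seen, no ACK yet)."""

    def __init__(self, size, per_ip_limit=None, timeout=30.0):
        self.size = size                  # total slots
        self.per_ip_limit = per_ip_limit  # None disables the per-address cap
        self.timeout = timeout            # seconds before an unused slot is reclaimed
        self.entries = OrderedDict()      # (ip, port) -> arrival time, oldest first
        self.per_ip = Counter()

    def _remove(self, key):
        del self.entries[key]
        self.per_ip[key[0]] -= 1

    def _expire(self, now):
        # Assumes SYNs arrive in time order, so only the front can have timed out.
        while self.entries:
            key, arrived = next(iter(self.entries.items()))
            if now - arrived < self.timeout:
                break
            self._remove(key)

    def on_syn(self, ip, port, now):
        """Return 'accepted', 'per-ip-limit' or 'table-full'."""
        self._expire(now)
        if (ip, port) in self.entries:
            return "accepted"             # retransmitted SYN, slot already held
        if self.per_ip_limit is not None and self.per_ip[ip] >= self.per_ip_limit:
            return "per-ip-limit"
        if len(self.entries) >= self.size:
            return "table-full"
        self.entries[(ip, port)] = now
        self.per_ip[ip] += 1
        return "accepted"

    def on_ack(self, ip, port):
        """Handshake completed: the half-open slot is released."""
        if (ip, port) in self.entries:
            self._remove((ip, port))
            return True
        return False


def replay(table, syns):
    """Feed constructed (time, ip, port) SYN records; count the outcomes."""
    return Counter(table.on_syn(ip, port, t) for t, ip, port in syns)
```
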

22 A Third Defensive Option
Preferred clients
Save most of your slots for their known good IP addresses
If attacker uses up the rest, doesn’t impact your core clients
Often not an option
Problematic in face of IP spoofing

23 A Fourth Defensive Option
Increase the attacker’s cost
Make him pay something for getting the open connection table entry
If the cost is high enough, he can’t afford to fill my table
What “currency” can we make him pay in, though?

24 Some Constraints on This Option
We can’t change the TCP protocol
  –A common theme when trying to protect the Internet
  –You can never change a widely deployed protocol
We can’t expect users to change the software on their machines
We can’t save information about connection requests

25 SYN Cookies
SYN: No room in the table, so send back a SYN cookie, instead
SYN/ACK: SYN/ACK number is secret function of various information
  –Client IP address & port, server’s IP address and port, and a timer
ACK (+ 1): Server recalculates cookie to determine if proper response
KEY POINT: Server doesn’t need to save cookie value!
And no changes to TCP protocol itself

26 Good Aspects of This Approach
Doesn’t change TCP protocol
Doesn’t require clients to do anything they would not usually do
Doesn’t require server to save any information
Can be turned on and off easily
We would like many network security solutions to be like this one
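
A simplified sketch of the SYN cookie check described above, added here as an example and not taken from the lecture or from any real TCP stack: the SYN/ACK sequence number is an HMAC over the client and server address and port plus a timer slot, truncated to 32 bits, and the server recomputes it when the ACK arrives. The key, the 64-second slot, the function names and the sample addresses are assumptions; real stacks use their own cookie layout.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"  # assumption: random per-server key in practice
SLOT_SECONDS = 64                    # assumption: granularity of the timer input
MAX_AGE_SLOTS = 1                    # accept the current slot and the one before it


def _cookie(src_ip, src_port, dst_ip, dst_port, slot):
    """32-bit secret function of the connection 4-tuple and the timer slot."""
    msg = struct.pack(
        "!4sH4sHI",
        ipaddress.IPv4Address(src_ip).packed, src_port,
        ipaddress.IPv4Address(dst_ip).packed, dst_port,
        slot & 0xFFFFFFFF,
    )
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_synack_seq(src_ip, src_port, dst_ip, dst_port, now):
    """Sequence number to send in the SYN/ACK. Nothing is stored per request."""
    return _cookie(src_ip, src_port, dst_ip, dst_port, int(now) // SLOT_SECONDS)


def ack_is_valid(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """True if the ACK acknowledges cookie + 1 for a recent enough timer slot."""
    echoed = ((ack_number - 1) % 2**32).to_bytes(4, "big")
    slot = int(now) // SLOT_SECONDS
    for age in range(MAX_AGE_SLOTS + 1):
        expected = _cookie(src_ip, src_port, dst_ip, dst_port, slot - age)
        if hmac.compare_digest(expected.to_bytes(4, "big"), echoed):
            return True
    return False
```
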

27 General Single Machine Denial of Service
Usually dangerous only if there is an asymmetry in resource use
Usually easy to defeat if you figure out what site is doing it
  –Just drop all packets from that site
Not typically a major threat on the Internet

28 Denial of Service as a Distraction
Attackers sometimes perform denial of service attacks just to distract
Sysadmins will be occupied dealing with them
While attackers do their real work somewhere else
As defender, be aware that this could happen

29 Conclusion
Denial of service attacks availability
  –Sometimes used for other purposes
Most often based on exhausting a resource at the victim
  –Any resource is a possible target
Defense mechanisms must operate well with ordinary behaviors

