Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt
Denial of Service Attacks A distributed denial of service attack involves overloading a company’s Internet connection with more traffic than it can handle. A distributed denial of service attack involves overloading a company’s Internet connection with more traffic than it can handle. Once the connection is overloaded, the company is unable to function on the Internet. Once the connection is overloaded, the company is unable to function on the Internet.
Denial of Service Attacks Banks, academic institutions, and small businesses have become dependent on the Internet for even the most fundamental of daily functions. Banks, academic institutions, and small businesses have become dependent on the Internet for even the most fundamental of daily functions. Therefore, the cost of a disruption in service and the subsequent recovery can be truly enormous. Therefore, the cost of a disruption in service and the subsequent recovery can be truly enormous.
Denial of Service Attacks Distributed Denial of Service Attacks are one of the most difficult security threats. Distributed Denial of Service Attacks are one of the most difficult security threats. Network administrators typically cannot stop a DDoS attack without contacting the ISP. Network administrators typically cannot stop a DDoS attack without contacting the ISP. Failure to stop a DDoS attack can result in a complete network overload and shutdown. Failure to stop a DDoS attack can result in a complete network overload and shutdown.
Denial of Service Attacks Any skilled hacker can gain control of a large number of proxy computer systems and use them to flood a targeted server. Any skilled hacker can gain control of a large number of proxy computer systems and use them to flood a targeted server. It is virtually impossible to discover the identity of the hacker. It is virtually impossible to discover the identity of the hacker. Once the targeted server is flooded, it will shut down, thereby halting even the legitimate traffic of the organization. Once the targeted server is flooded, it will shut down, thereby halting even the legitimate traffic of the organization.
Physical Layout Because there is a large physical distance between the ISP router and the company network that an ISP services, the ISP usually has to use cheaper, low-bandwidth cable for this part of the connection. Because there is a large physical distance between the ISP router and the company network that an ISP services, the ISP usually has to use cheaper, low-bandwidth cable for this part of the connection. This is typically the slowest part of the connection line, and it is called a “bottleneck”. This is typically the slowest part of the connection line, and it is called a “bottleneck”.
Bottleneck To shut down the company’s connection, a hacker only has to overload this relatively slow part of the line. To shut down the company’s connection, a hacker only has to overload this relatively slow part of the line. To stop DDoS attacks, illegitimate traffic must never be allowed to reach the bottleneck. To stop DDoS attacks, illegitimate traffic must never be allowed to reach the bottleneck.
ISP Cable connection (Bottleneck) Normal connection Firewall (Bad traffic stopped here)
Strategic Firewall Placement In the strategic firewall placement method, the company’s firewall is placed on the ISP’s premises. In the strategic firewall placement method, the company’s firewall is placed on the ISP’s premises. This means that the line connecting the ISP router to the firewall is very short, and a much higher bandwidth line (ex. Ethernet) can be used for this connection at very little extra cost. This means that the line connecting the ISP router to the firewall is very short, and a much higher bandwidth line (ex. Ethernet) can be used for this connection at very little extra cost.
ISP Firewall Ethernet connection Bottleneck Strategic Firewall Placement ISP Firewall (Bad traffic stopped here) Ethernet connection Bottleneck
Strategic Firewall Placement Firewall remains under the control of the company. Firewall remains under the control of the company. Now the company is able to control exactly which traffic is allowed into the bottleneck part of the connection. Now the company is able to control exactly which traffic is allowed into the bottleneck part of the connection.
Strategic Firewall Placement Attack packets are dropped before they can reach the bottleneck. Attack packets are dropped before they can reach the bottleneck. A hacker could still run a denial of service attack, but would require a huge amount of bandwidth to overwhelm the system. A hacker could still run a denial of service attack, but would require a huge amount of bandwidth to overwhelm the system.
Strategic Firewall Placement In the old setup, to thwart a DDoS attack, the company had to call the ISP and tell them which kinds of packets to filter. In the old setup, to thwart a DDoS attack, the company had to call the ISP and tell them which kinds of packets to filter. The company’s internet connection remained inoperative until the ISP was able to complete the company’s request. The company’s internet connection remained inoperative until the ISP was able to complete the company’s request. When the company controls the firewall, as in strategic firewall placement, they can instead filter unwanted packets almost immediately. When the company controls the firewall, as in strategic firewall placement, they can instead filter unwanted packets almost immediately.
Additional Requirements Moving the firewall is helpful, but, to completely protect against DDoS attacks, the company also has to change the way its firewall handles inbound connection requests. Moving the firewall is helpful, but, to completely protect against DDoS attacks, the company also has to change the way its firewall handles inbound connection requests.
Default Deny The changes deal with how the company’s firewall handles inbound connections. The changes deal with how the company’s firewall handles inbound connections. When a computer wants to connect to the company’s server, it sends a packet called a TCP/SYN packet requesting the connection. When a computer wants to connect to the company’s server, it sends a packet called a TCP/SYN packet requesting the connection. The normal response to this packet is a SYN/ACK packet from the company’s server, acknowledging that the connection is open. The normal response to this packet is a SYN/ACK packet from the company’s server, acknowledging that the connection is open.
Spoofed TCP/SYN SYN/ACK Blocked Connection Default Deny If every TCP/SYN packet is allowed to reach the company server, hackers can still flood the company’s server with these packets, and overload the connection. If every TCP/SYN packet is allowed to reach the company server, hackers can still flood the company’s server with these packets, and overload the connection. Instead, the firewall sends back a SYN/ACK packet that only looks like it came from the company’s server. Instead, the firewall sends back a SYN/ACK packet that only looks like it came from the company’s server. Firewall Spoofed TCP/SYN SYN/ACK Blocked Connection Spoofed TCP/SYN SYN/ACK Blocked Connection Real TCP/SYN SYN/ACK Connection Allowed Server
Default Deny Once the firewall sends out the SYN/ACK packet, it only allows a connection from the IP address that sent the original TCP/SYN packet. Once the firewall sends out the SYN/ACK packet, it only allows a connection from the IP address that sent the original TCP/SYN packet. A hacker has to have control of that IP address to be able to connect to the company. A hacker has to have control of that IP address to be able to connect to the company.
Default Deny This helps prevent a technique known as “spoofing” IP addresses. This helps prevent a technique known as “spoofing” IP addresses. Spoofing allows a hacker to send the server connection requests from IP addresses that he is not actually using. Spoofing allows a hacker to send the server connection requests from IP addresses that he is not actually using. The default deny policy prevents hackers from using multiple spoofed addresses at once, and using them to flood the network. The default deny policy prevents hackers from using multiple spoofed addresses at once, and using them to flood the network.
Firewall Capabilities Maintaining these policies could require a lot of computational power from the firewall. Maintaining these policies could require a lot of computational power from the firewall. Firewall may not be able to handle the entire job itself. Firewall may not be able to handle the entire job itself. The processing work of the firewall can be spread among multiple computers if necessary, and those computers would feed directly into the firewall. The processing work of the firewall can be spread among multiple computers if necessary, and those computers would feed directly into the firewall.
Simulation of Strategic Firewall Placement Used network simulation program NS-2 to simulate DDoS traffic. Used network simulation program NS-2 to simulate DDoS traffic. Red – legitimate packets Red – legitimate packets Blue – DDoS attack packets Blue – DDoS attack packets
Simulation of Strategic Firewall Placement DDoS attack Legitimate traffic Router Firewall Target Buildup of packets in queue on high-speed link 1.5 mbps
Simulation Results Attack Traffic 100 Mbps50 Mbps10 Mbps1.5 Mbps Bottleneck Link 100 Mbps 1.24 Mbps 50 Mbps1.24 Mbps 10 Mbps816 bps32 Kbps57 Kbps1.23 Mbps 1.5 Mbps0 bps 816 bps6.5 Kbps
Simulation of Strategic Firewall Placement When the link leading up to the firewall is too slow, a DDoS attack basically shuts down the system. When the link leading up to the firewall is too slow, a DDoS attack basically shuts down the system. When the link leading up to the firewall is fast enough, the system continues running through a DDoS attack, even after the attack is increased in intensity from 50 to 100 mbps. When the link leading up to the firewall is fast enough, the system continues running through a DDoS attack, even after the attack is increased in intensity from 50 to 100 mbps.
Conclusion Strategic firewall placement allows companies to use the Internet during a DDoS attack, and it allows them to continue receiving the packets they want. Strategic firewall placement allows companies to use the Internet during a DDoS attack, and it allows them to continue receiving the packets they want.
Sources S. Gibson, “Distributed Reflection Denial of Service. Description and analysis of a potent, increasingly prevalent, and worrisome Internet attack,” February 22, 2002, S. Gibson, “Distributed Reflection Denial of Service. Description and analysis of a potent, increasingly prevalent, and worrisome Internet attack,” February 22, 2002, Smith, R.; Chen, Y; and Bhattacharya, S., “Cascade of Distributed and Cooperating Firewalls in a Secure Data Network,” IEEE Transactions on Knowledge and Data Engineering, IEEE Educational Activities Department, vol 40, no 5, (September): pp 1307 – 1315, Smith, R.; Chen, Y; and Bhattacharya, S., “Cascade of Distributed and Cooperating Firewalls in a Secure Data Network,” IEEE Transactions on Knowledge and Data Engineering, IEEE Educational Activities Department, vol 40, no 5, (September): pp 1307 – 1315, Chatam, W. Rice, J. and Hamilton, J.A. Jr., "Using Simulation to Analyze Denial of Service Attacks" 2004 Advanced Simulation Technology Conference, April , Arlington, VA Chatam, W. Rice, J. and Hamilton, J.A. Jr., "Using Simulation to Analyze Denial of Service Attacks" 2004 Advanced Simulation Technology Conference, April , Arlington, VA