1 Layer 3 Network Security. 2 Outline n How Layer 3 Routers Work ? n DDOS Attack l Classical DoS attacks l Flooding attacks l Distributed Denial-of-Service.

1 Layer 3 Network Security

2 Outline n How Layer 3 Routers Work ? n DDOS Attack l Classical DoS attacks l Flooding attacks l Distributed Denial-of-Service (DDoS) l How DDoS attacks are waged? l Reflector and amplifier attacks l Other DoS attacks l Detecting DoS attacks l Approaches to defense against DoS l Responding to a DoS attack n Conclusion

3 n Layer 3 router uses store and forward scheme to forward incoming IP packets (datagrams). l IP Address Lookup (Forwarding Table constructed by routing protocols, such as RIP, OSPF, BGP, etc) l IP/MAC mapping table l The IP address lookup is longest prefix matching lookup. n Forward IP packet into next hop if the destination IP is found in the Forwarding Table. Otherwise, forward to default port. n New router Architecture with L3 switching Fabric ASICs and IP address lookup ASICs (hardware lookup) n Wire-speed forwarding design Gbps, 10Gbps, 100Gbps, … n Not Plug-and-Play How Layer 3 Routers Work ? IP Next 140.114.77.0 Directly 140.114.78.0 Directly 140.114.79.0 Router Z IP MAC IP(A) MAC(A) IP(B) MAC(B) IP(Y) MAC(Y) IP(X) MAC(X)

4 IP Datagram Header Format version IHL Type of Service Total length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Address Destination IP Address Options + Padding Data 0 3 8 15 19 31

5 Type of Service (ToS) of IP Precedence D T R O O Precedence 111 Network Control 110 Internetwork Control 101 CRITIC/ECP 100 Flash Override 011 Flash 010 Immediate 001 Priority 000 Routine Delay 0 Normal 1 Low Throughput, Reliability 0 Normal 1 High 0 DF MF DF 0 May Fragment 1 Don't Fragment MF 0 Last Fragment 1 More Fragment 0 1 2 3 4 5 6 7 Flags 0 1 2

6 How datagrams are delivered in an Internet ? R H WAN LAN R R R R R B H H H A H H H H Datagram LAN

7 Routers MAC PHY HOST X LAN 1 LAN 2 Higher Layer Protocols MAC PHY HOST Y A B MAC PHY Network ROUTER Network LAN n IP MAC 140.114.78.69 140.114.78.68 IP = 140.114.78.0 Mask= 255.255.255.0 IP = 140.114.77.0 Mask= 255.255.255.0 140.114.78.66 140.114.77.65 140.114.77.60 140.114.77.62 IP(A) MAC(A) IP(B) MAC(B) IP(Y) MAC(Y) IP Next 140.114.77.0 Directly 140.114.78.0 Directly 140.114.79.0 Router Z A A B B ROUTER Z LAN m IP = 140.114.79.0 Mask= 255.255.255.0 IP(X) MAC(X) Higher Layer Protocols MAC PHY Network A A B B Y Y B B MAC(Y) MAC(B) IP(Y) IP(B) IP DatagramMAC(R) MAC(B) IP(A) IP(B) IP DatagramMAC(A) MAC(R) IP(A) IP(B) IP Datagram

8 Intra-LAN and Inter-LAN Communications n B -> Y (Intra LAN) n B -> A (Inter-LAN) MAC(Y) MAC(B) IP(Y) IP(B) IP Datagram MAC(R) MAC(B) IP(A) IP(B) IP DatagramMAC(A) MAC(R) IP(A) IP(B) IP Datagram

9 An Internet Routing Example Network 10.0.0.0 F Network 20.0.0.0 G Network 30.0.0.0 H Network 40.0.0.0 10.0.0.5 20.0.0.5 20.0.0.6 30.0.0.6 30.0.0.7 40.0.0.7 20.0.0.0 Deliver Direct 30.0.0.0 Deliver Direct 10.0.0.0 20.0.0.5 40.0.0.0 30.0.0.7 To reach hosts Route to on network this address Routing Table

10 Router Characteristics n Network Layer Routing l Network layer protocol dependent l Filter MAC broadcast and multicast packets l Easy to support mixed media l Packet fragmentation and reassembly l Filtering on network addresses and information l Accounting n Direct Communication Between Endpoints and Routers l Highly configurable and hard to get right l Handle speed mismatch l Congestion control and avoidance

11 Router Characteristics (Continued) n Routing Protocols l Interconnect layer 3 networks and exploit arbitrary topologies l Determine which route to take l Static routing l Dynamic routing protocol support  RIP: Routing Information Protocol  OSPF: Open Shortest Path First l Provides reliability with alternate routes n Router Management l Troubleshooting capabilities l Name-Address mapping services

12 Differences Between Bridges and Routers Bridges Routers Operation at Layer 2 Operation at Layer 3 Protocol IndependentProtocol Dependent Automatic Address Learning/Filtering Administration Required for Address,Interface and Routes Pass MAC Multicast/Broadcast MAC M/B can be Filtered Lower CostHigher Cost No Flow/Congestion Control Flow/Congestion Control Limited SecurityComplex Security Transparent to End Systems Non-Transparency Well Suited for Simple/Small Networks For WAN, Larger Networks No Frames Segmentation/Reassembly Frames Segmentation/Reassembly Spanning Tree Based Routing Optimal Routing and Load Sharing Plug and PlayRequires Central Administrator

Denial of service attack

14 Contents n DDOS Introduction n Classical DoS attacks n Flooding attacks n Distributed Denial-of-Service (DDoS) n How DDoS attacks are waged? n Reflector and amplifier attacks n Other DoS attacks n Detecting DoS attacks n Approaches to defense against DoS n Responding to a DoS attack n Conclusion

15 Definitions n Denial-of-service (DoS) attack aims at disrupting the authorized use of networks, systems, or applications l by sending messages which exhaust service provider’s resources (network bandwidth, system resources, application resources) n Distributed denial-of-service (DDoS) attacks employ multiple (dozens to millions) compromised computers to perform a coordinated and widely distributed DoS attack

16 Definitions n Victims of (D)DoS attacks l service-providers (in terms of time, money, resources, good will) l legitimate service-seekers (deprived of availability of service itself) l Zombie systems(Penultimate and previous layers of compromised systems in DDoS)

17 Analyzing the goal of DoS attacks n A (D)DoS attack usually has the following goals l Just deny availability l Can work on any port left open l No intention for stealing/theft of information  Although, in the process of denying service to/from victim, Zombie systems may be hijacked

18 Who? What for? n The motivations l Earlier attacks were proofs of concepts or simple pranks l Pseudo-supremacy feeling upon denying services in large scale to normal people  DoS attacks on Internet chat channel moderators l Political disagreements l Competitive edge l Hired n Levels of attackers l Highly proficient attackers who are rarely identified or caught l Script-kiddies

19 Why should we care? n As per 2006 CSI/FBI Computer Crime and Security Survey l 25% of respondents faced some form of DoS attacks in previous 12 months. This value varied from 25% to 40% over the course of time. l DoS attacks are the 5th most costly form of attacks n Internet is now a critical resource whose disruption has financial implications, or even dire consequences on human safety l Cybercrime and cyberwarfare might use of DoS or DDoS as a potential weapon to disrupt or degrade critical infrastructure l DDoS attacks are a major threat to the stability of the Internet

20 Fast facts n In Feb 2000, series of massive DoS attacks incapacitated several high-visibility Internet e-commerce sites, including Yahoo, Ebay and E*trade n In Jan 2001, Microsoft’s name sever infrastructure was disabled l 98% legitimate users could not get to any Microsoft’s servers n In Sept 2001, an attack by a UK-based teenager on the port of Houston’s Web server, made weather and scheduling information unavailable l No ships could dock at the world’s 8th busiest maritime facility due to lack of weather and scheduling information l Entire network performance was affected

21 Fast facts n In Oct 2002, all Domain Name System servers were attacked l Attack lasted only an hour l 9 of the 13 servers were seriously affected n In May 2007, the DDoS attack on Estonia (national attack) n In Aug 2009, the attack on Twitter and Facebook

22 Source: December 2008, Reader’s Digest 愛沙尼亞 DDoS 攻擊事件

23 愛沙尼亞 DDoS 攻擊事件 n In May 2007, the DDOS attack on Estonia (national attack) n 北歐國家愛沙尼亞國防部長雅克, 阿維克索 : “ 這起以愛沙尼亞主要網路基礎設施為目標的攻擊, 是殭屍網路第一次威脅到整個國家的安全 ” n 第一次網路大戰 (Web War One) 正式爆發了 !! Source: December 2008, Reader’s Digest

24 愛沙尼亞 DDoS 攻擊事件 n 27 th April, 2007, 愛沙尼亞當局將位於首都塔林的一尊兩公尺高銅像遷移. l 1947 年由前蘇聯將納粹黨趕走後建立之解放紀念碑. l 俄羅斯人在此定居, 大批愛沙尼亞人被放逐到西伯利亞 l 銅像是暴政佔領的象徵, 而愛沙尼亞於 1991 年獨立 n 郵差報科技主管亞東, 瓦西發現報社伺服器受到 230 萬次點閱, 已當機 20 次. 境內以及國際通往郵差報頻寬流量只剩下 20-30%, 且越來越少 n 愛沙尼亞是網路化程度高的小國 l 140 萬人口中, 四成每天閱讀網路報 l 九成以上銀行交易在網路上進行 l 當局已決定採用網路投票 l 境內遍佈無線網路 (WiFi) l 手機可支付停車費或餐費 l 塔林郊外的 Skype 總部已取代國際電話業務 Source: December 2008, Reader’s Digest

25 愛沙尼亞 DDoS 攻擊事件 n 殭屍網路的自動電腦程式繼續將無數訊息張貼到郵差報頻論網頁, 造成伺服器不堪負荷. 並避開了瓦西所撰寫的過濾軟體. n 2 nd May, 網站流量開始暴增, 主要來自國外訪客 : 埃及, 越南, 秘魯, 到了中午可用頻寬  0, 網站終於掛掉了. n 切斷國際連線是唯一的選擇, 瓦西輸入幾行代碼, 切斷國際通往郵差報的連線, 郵差報由國際上消失, 但境內可用頻寬立刻轉成綠燈 n 8pm, 2 nd May, 西拉. 艾瑞雷 ( 愛沙尼亞網路安全應變小組負責人, CERT) 與克提斯. 林科維司 ( 網路診療師, 瑞典 Netnod 負責人之一, Netod 是全球 13 個 root DNS servers 之一 ) 晚餐並請求協助 n 網路診療師 (the Vetted) 是全球 ISPs 所信賴的極少數人, 可請求 ISPs 將特定 IP 封鎖. l 瑞典派崔克. 法斯壯 ( 網路診療師 ) 與美國比爾. 伍考克 ( 網路診療師 ) 也同意伸出援手 Source: December 2008, Reader’s Digest

26 愛沙尼亞 DDoS 攻擊事件 n 接下來一星期網路攻擊時斷時續 n Script Kiddies ( 腳本小子 ) 利用大量的 ping 指令攻擊, 並在俄語聊天室熱烈討論, 呼籲在 9 th May 午夜 12 點 ( 俄羅斯慶祝二戰勝利日 ) 對指定的愛沙尼亞網站發動 ping 攻擊. n 僵屍網路會以垃圾郵件湧入指定的網址塞爆網路 n 駭客攻擊, 一名駭客說 “ 五月九日的大規模攻擊, 要將愛沙尼亞的網路 … 完全癱瘓 ” n 10pm, 8 th May, 愛沙尼亞網路安全應變小組總部 l 晚間進入愛沙尼亞流量維持正常 : 20k pps l 11pm, 流量飆升達 4m pps ( 兩百倍 ), 全球約 100 萬電腦同時登入愛沙尼亞網站 l 小組開始往上遊追蹤來源 IP, 並請求世界各地 ISPs 在源頭將這些僵屍 IP 封鎖,…, 找一個殺一個,…. l 6am, 9 th May, 流量終於恢復到略高於正常 Source: December 2008, Reader’s Digest

27 愛沙尼亞 DDoS 攻擊事件 n 9 th May, 莫斯科紅場, 慶祝俄羅斯戰勝納粹德國紀念日 l 俄羅斯總統普丁 : “ 那些想要褻瀆戰爭紀念碑的人, 是在汙辱自己的同胞, 並在國家與人民之間挑撥離間 ” n 當天僵屍網路又對愛沙尼亞相繼展開 58 次攻擊 n 俄羅斯當局否認發動攻擊 l 但有兩個發動攻擊的電腦來自俄羅斯 l 其中一個更來自普丁總統位於克里姆林宮外的辦公室 n 愛沙尼亞外交部長直指普丁政府直接參與此事 n 之前數星期, 有人對西洋棋大師蓋瑞. 卡斯珀洛夫領導的俄羅斯反對黨聯盟展開類似攻擊, 這些政黨網站都被癱瘓 n 國際網路保全公司 Arbor Networks 分析說與這兩次 DDOS 攻擊有關的網路發現重疊 – 攻擊俄羅斯反對黨派網站的僵屍網路, 有部分被用來攻擊愛沙尼亞 n 五月中旬, 僵屍網路突然停止攻擊. Source: December 2008, Reader’s Digest

28 Approaches to DoS attacks n Internet designed for minimal-processing and best- effort forwarding any packet l Make shrewd use of flaws in the Internet design and systems l Unregulated forwarding of Internet packets : Vulnerability, Flooding

29 Approaches to DoS attacks n Vulnerability attack l Vulnerability : a bug in implementation or a bug in a default configuration of a service l Malicious messages (exploits) : unexpected input that utilize the vulnerability are sent l Consequences :  The system slows down or crashes or freezes or reboots  Target application goes into infinite loop  Consumes a vast amount of memory l Ex : Ping of death, teardrop attacks, etc.

30 Approaches to DoS attacks cont’d …. n Flooding attack l Work by sending a vast number of messages whose processing consumes some key resource at the target l The strength lies in the volume, rather than the content l Implications :  Make the traffic look legitimate  Flow of traffic is large enough to consume victim’s resources  Send with high packet rate  These attacks are more commonly DDoS l Ex : SYN spoofing attack, Source address spoofing, cyberslam, etc.

32 Classical DoS attacks n Simplest classical DoS attack: Flooding attack on an organization l Ping flood attack Service denied to legitimate users

33 Ping flood attack n Use of ping command options -n –l Ping of Death Source: learn-networking.com

34 Ping flood attack cont’d …. n Generally useless on larger networks or websites

35 Disadvantage to attacker n Attacker’s source is easily identified n Chances of attack flow being reflected back to attacker

36 Source address spoofing n Falsification : Use of forged source IP address n Privileged access to network handling code via raw socket interface l Allows direct sending and receiving of information by applications l Not needed for normal network operation n In absence of privilege, install a custom device driver on the source system l Dependent on operating system version

37 Spoofing via raw socket interface Difficult to identify source

38 Spoofing via raw socket interface cont’d…. n Unfortunately removal of raw sockets API is not a solution to prevent DoS attacks l Microsoft’s removal of raw sockets API in the release of Windows XP Service Pack 2 in August 2004 was expected to break applications like the public domain nmap port scanner l In just a few days, a workaround was produced restoring the ability of nmap to craft custom packets  http://seclists.org/nmap-hackers/2004/0008.html

39 SYN spoofing n Takes advantage of the three-way handshake that occurs any time two systems across the network initiate a TCP connection request n Unlike usual brute-force attack, not done by exhausting network resources but done by overflowing the system resources (tables used to manage TCP connections) n Require fewer packets to deplete n Consequence: Failure of future connection requests, thereby denying access to the server for legitimate users n Example: land.c sends TCP SYN packet using target’s address as source as well as destination

40 TCP 3-way connection handshake Address, Port number, Seq x Recorded in a table of known TCP connections Server in LISTEN State Vulnerability: Unbounded ness of LISTEN state

41 SYN spoofing cont’d ….

42 Factors considered by attacker for SYN spoofing n The number of sent forged packets are just large enough to exhaust the table but small as compared to a typical flooding attack n Keep sufficient volume of forged requests flowing l Keep the table constantly full with no timed-out requests n Make sure to use addresses that will not respond to the SYN-ACK with a RST l Overloading the spoofed client l Using a wide range of random addresses l A collection of compromised hosts under the attacker's control (i.e., a "botnet") could be used

43 Detecting SYN spoof attack n After the target system has tried to send a SYN/ACK packet to the client and while it is waiting to receive an ACK packet, the existing connection is said to be half open or host in SYN_RECEIVED state n If your system is in this state, it may be experiencing SYN- spoof attack n To determine whether connections on your system are half open, type netstat –a command n This command gives a set of active connections. Check for those in the state SYN_RECEIVED which is an indication of the threat of SYN spoof attack

44 Analysing traffic n Spoofing makes it difficult to trace back to attackers n Analyzing flow of traffic required but not easy! l Requires cooperation of the network engineers managing routers l Query flow information: a manual process n How about filtering at source itself ? n Backscatter traffic : used to infer type and scale of DoS attacks l Utilize ICMP echo response packets generated in response to a spoofed ping flood

46 Flooding attacks n Goal : Bombarding large number of malicious packets at the victim, such that processing of these packets consumes resources n Any type of network packet can be used l Attack traffic made similar to legitimate traffic n Valid traffic has a lower probability to access the server n Some ways of flooding : l To overload network capacity on some link to a server l To overload server’s ability to handle and respond to this traffic n The larger the packet, the more effective the attack

47 Flooding attack within local network n Simply sending infinite messages from one computer to another on the local network. n Wasting the resources of the recipient computer to receive and tackle the messages

48 Types of flooding attacks n Classified based on type of network protocol used to attack n ICMP flood l Uses ICMP packets, ex: ping flood using echo request l Typically allowed through, some required n UDP flood l Exploits the target system’s diagnostic echo services to create an infinite loop between two or more UDP services n TCP SYN flood l Use TCP SYN (connection request packets) l But for volume packet

49 Indirect attacks n Single-sourced attacker would be traced n Scaling would be difficult n Instead use multiple and distributed sources l None of them generates traffic to bring down its own local network l The Internet delivers all attack traffic to the victim n Thus, victims service is denied while the attackers are still fully operational n Indirect attack types l Distributed DoS l Reflected and amplifier attacks

51 Distributed Denial-of-service n Attacker uses multiple compromised user work stations/PCs for DoS by: l Utilizing vulnerabilities to gain access to these systems l Installing malicious backdoor programs, thereby making zombies l Creating botnets: large collection of zombies under the control of attacker n Generally, a control hierarchy is used to create botnets l Handlers: The initial layer of zombies that are directly controlled by the attacker l Agent systems: Subordinate zombies that are controlled by handlers l Attacker sends a single command to handler, which then automatically forwards it to all agents under its control n Example: Tribe Flood Network (TFN), TFN2K

52 DDoS control hierarchy n Example: Tribe Flood Network (TFN) l Relied on large number of compromised systems and layered command structure Command- line program Trojan Program

55 How DDoS attacks are waged ? n Recruitment of the agent network n Controlling the DDoS agent network n Use of appropriate toolkits n Use of IP Spoofing

56 Recruitment of the agent network n Scanning n Breaking into vulnerable machines l Malware propagation

57 Scanning n Find sufficiently large number of vulnerable machines l Manual or semi-automatic or completely automatic process l Trinoo: discovery and compromise is manual but only installation is automated  http://staff.washington.edu/dittrich/misc/trinoo.analysi s.txt http://staff.washington.edu/dittrich/misc/trinoo.analysi s.txt l Slammer-,MyDoom- : automated process n Recruit machines that have sufficiently good connectivity n Netblock scans are initiated sometimes l Based on random or explicit rationale n Examples of scanning tools : IRC bot, worms

58 Scanning using IRC bot

59 Scanning using worms n Popular method of recruiting DDoS agents n Scan/infect cycle repeats on both the infected and infecting machines n Worms spread extremely fast because of their parallel propagation pattern n Worms choice of address for scanning l Random l Random within a specific range of addresses l Using hitlist l Using information found on infected machines n Worms are often not completely cleaned up l Some infected machines might continue serving as DDoS agents indefinitely! l Code Red – infected hosts still exist in the Internet

60 Scanning using worms cont’d ….

61 Breaking into vulnerable machines n Most vulnerabilities provide an attacker with administrative access to system n Attacker updates his DDoS toolkit with new exploits l Propagation Vectors

62 Malware propagation n Propagation with central repository or cache approach l Advantage for defender: central repositories can be easily identified and removed l Ex: trinoo, Shaft etc Source: www.cert.org/archive/pdf/DoS_trends.pdf

63 Malware propagation methods cont’d…. n Back chaining/pull approach n Autonomous/push approach Source: www.cert.org/archive/pdf/DoS_trends.pdf TFTP

64 Controlling DDoS agent network n Attacker communicates with agents using “many- to-many” communication tools n Twofold-purpose for attacker l To command the beginning/ending and specifics of attack l To gather statistics on agent behaviors n Strategies for establishing control l Direct command control l Indirect command control

65 Direct commands control

66 Drawbacks of direct command control n If one machine is captured, the whole DDoS network could be identified n Any anomalous event on network monitor could be easily spotted n Both handlers and agents need to be ready always to receive messages l Opening ports and listening to them l Easily caught

67 Indirect command control Where is the handler ?

68 Advantages of IRC to attacker n Server is maintained by others n The channel (handler) not easily recognizable amidst thousands of other channels n Even though channel is discovered, it can be removed only through cooperation of the server’s administrators n By turning compromised hosts to rogue IRC servers, attackers are a step ahead in concealing their identity

69 DDoS attack toolkits n Some popular DDoS programs l Trinoo,TFN,Stacheldraht,Shaft,TFN2K,Mstream,Trinity,Phatbot n Blended threat toolkits: Include some (all) of the following components l Windows network service program l Scanners l Single-threaded DoS programs l An FTP server l An IRC file service l An IRC DDoS Bot l Local exploit programs l Remote exploit programs l System log cleaners

70 DDoS attack toolkits cont’d …. l Trojan Horse Operating systems program replacements l Sniffers n Phatbot implements a large percentage of these functions in a single program

72 Reflector and amplifier attacks n Unlike DDoS attacks, the intermediaries are not compromised n R & A attacks use network systems functioning normally n Generic process: l A network packet with a spoofed source address is sent to a service running on some network server l A response to this packet is sent to the spoofed address(victim) by server l A number of such requests spoofed with same address are sent to various servers l A large flood of responses overwhelm the target’s network link n Spoofing utilized for reflecting traffic n These attacks are easier to deploy and harder to trace back

73 Reflection attacks n Direct implementation of the generic process explained before l Reflector : Intermediary where the attack is reflected l Make sure the packet flow is similar to legitimate flow n Attacker’s preference: response packet size > original request size n Various protocols satisfying this condition are preferred l UDP, chargen, DNS, etc n Intermediary systems are often high-capacity network servers/routers n Lack of backscatter traffic l No visible side-effect l Hard to quantify

74 Reflection attack using TCP/SYN n Exploits three-way handshake used to establish TCP connection l A number of SYN packets spoofed with target’s address are sent to the intermediary n Flooding attack but different from SYN spoofing attack n Continued correct functioning is essential n Many possible intermediaries can be used l Even if some intermediaries sense and block the attack, many other won’t

75 Further variation n Establish self-contained loop(s) between the intermediary and the target system using diagnostic network services (echo, chargen ) n Chargen service: Both UDP/TCP Chargens use Port 19. n UDP chargen server will send back one packet for each received packet. n TCP chargen server will continuously send packets to the client if it finds a connection is established between server and client. n Fairly easy to filter and block Large UDP Packet + spoofed source

76 Amplification attacks n Differ in intermediaries generate multiple response packets for each original packet sent

77 Amplification attacks possibilities n Utilize service handled by large number of hosts on intermediate network n A ping flood using ICMP echo request packets l Ex: smurf DoS program n Using suitable UDP service l Ex: fraggle program n TCP service cannot be used (only one-to-one response)

78 Defense from amplification attack n Not to allow directed broadcasts to be routed into a network from outside

79 Smurf DoS program n Two main components l Send source-forged ICMP echo packet requests from remote locations l Packets directed to IP broadcast addresses n If the intermediary does not filter this broadcast traffic, many of the machines on the network would receive and respond to these spoofed packets l When entire network responds, successful smurf DoS has been performed on the target network Source: http://www.cert.org/advisories/CA-1998-01.html

80 Smurf DoS program n Besides victim network, intermediary network might also suffer l Smurf DoS attack with single/multiple intermediary(s) l Analyze network routers that do not filter broadcast traffic l Look for networks where multiple hosts respond Source: http://www.cert.org/advisories/CA-1998-01.html

81 DNS amplification attacks n DNS servers is the intermediary system n Exploit DNS behavior to convert a small request to a much larger response l 60 byte request to 512 – 4000 byte response n Sending DNS requests with spoofed source address being the target to the chosen servers n Attacker sends requests to multiple well connected servers, which flood target l Moderate flow of packets from attacker is sufficient l Target overwhelmed with amplified responses from server

83 Teardrop n This DoS attack affects Windows 3.1, 95 and NT machines and Linux versions previous to 2.0.32 and 2.1.63 n Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network n Teardrop exploits an overlapping IP fragment bug l The bug causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments l A 4000 bytes of data is sent as  Legitimately (Bytes 1-1500) (Bytes 1501 – 3000) (Bytes 3001-4500)  Overlapping (Bytes 1-1500) (Bytes 1501 – 3000) (Bytes 1001-3600) n This attack has not been shown to cause any significant damage to systems n The primary problem with this is loss of data

84 Cyberslam n DDoS attack in a different style n Zombies DO NOT launch a SYN Flood or issue dummy packets that will congest the Web server’s access link n Zombies fetch files or query search engine databases at the Web server n From the web server’s perspective, these zombie requests look exactly like legitimate requests n so the server ends up spending lot of its time serving zombies, causing DoS to legitimate users

85 Techniques to counter cyberslam n Password authentication l Cumbersome to manage for a site like Google l Attacker might simply DDoS the password checking mechanism n Computational puzzles l Computation burden quite heavy compared to service provided n Graphical puzzles n Kill-bots suggested in [Kandula 2005] S. Kandula, D. Katabi, M. Jacob, and A. Berger, “Surviving Organized DDos Attacks That Mimic Flash Crowds,” in USENIX Symposium on Network Systems Design and Implementation, May 2005.

86 Attack tree: DoS against DNS Source: Cheung (2006)

87 How to protect DNS from (D)DoS ? n Multiple scattered name servers n Anycast routing l Multiple name servers sharing common IP address n Over-provisioning of host resources and network capacity n Diversity l DNS software implementation, OS, hardware platforms n TSIG : The transaction signature n Use of dedicated machines Source: Cheung (2006)

89 DoS detection techniques n Detector’s goal: To detect and distinguish malicious packet traffic from legitimate packet traffic n Flash crowds: High traffic volumes may also be accidental and legitimate l Highly publicised websites: (unpredictable) Slashdot news aggregation site l Much-awaited events: (Predictable) Olympics, MLB, etc. n There is no innate Internet mechanism for performing malicious traffic discrimination. Once detected, vulnerability attacks are easy to be addressed n If vulnerability attacks volume is so high that it manifests as flooding attack, very difficult to handle Source: Carl (2006)

90 Vulnerability attack detection techniques n Detection techniques can be installed locally or remotely l Locally : detectors placed at potential victim resource or at a router or firewall within the victim’s subnetwork l Remotely: To detect propagating attacks n Attack defined by detection methods: l an abnormal and noticeable deviation of some statistic of the monitored network traffic workload l Proper choice of statistic is crucial Source: Cheung (2006)

91 Statistical detection methods n Activity profiling: Monitoring network packet’s header information l Backscatter analysis n Sequential change-point detection l Chi-Square/Entropy Detector n Wavelet Analysis l Cusum and wavelet approaches Source: Cheung (2006)

92 Backscatter Analysis n The UCSD Network Telescope is a passive traffic monitoring system built on a globally routed, but lightly utilized /8 network. Under CAIDA stewardship, this unique resource provides valuable data for network security researchers. n The UCSD network telescope (aka a black hole, an Internet sink, darkspace, or a darknet) is a globally routed /8 network (approximately 1/256th of all IPv4 Internet addresses) that carries almost no legitimate traffic because there are few provider-allocated IP addresses in this prefix. http://www.caida.org/data/passive/network_telescope.xml

93 UCSD Network Telescope n After discarding the legitimate traffic from the incoming packets, the remaining data represent a continuous view of anomalous unsolicited traffic, or Internet Background Radiation (IBR). n IBR results from a wide range of events, such as l backscatter from randomly spoofed source denial-of- service attacks, l the automated spread of Internet worms and viruses, l scanning of address space by attackers or malware looking for vulnerable targets, and l various misconfigurations (e.g. mistyping an IP address). http://www.caida.org/data/passive/network_telescope.xml

94 UCSD Network Telescope n In recent years, traffic destined to darkspace has evolved to include longer-duration, low-intensity events intended to establish and maintain botnets. n CAIDA personnel maintains and expands the telescope instrumentation, collects, curates, archives, and analyzes the data, and enables data access for vetted security researchers. http://www.caida.org/data/passive/network_telescope.xml

95 UCSD Network Telescope

96 UCSD Network Telescope

97 Backscatter cont’d …. n The UCSD network telescope can be used to monitor the spread of random-source distributed denial-of-service attacks. n To make it difficult for the attack victim (and the victim's ISPs) to block an incoming attack, the attacker may use a fake source IP address (similar to a fake return address in postal mail) in each packet sent to the victim The attacker sends packets with spoofed source addresses to the denial-of-service attack victim.

98 Backscatter cont’d …. n Because the denial-of-service attack victim can't distinguish between incoming requests from an attacker and legitimate inbound requests, the victim tries to respond to every received request. The denial-of-service attack victim cannot differentiate between legitimate traffic and the attack packets, so the victim responds to as many of the attack packets as possible.

99 Backscatter cont’d …. n When the attacker spoofs a source address in the network telescope, we observe a response destined for a computer that doesn't exist (and therefore never sent the initial query) Because the network telescope composes 1/256th of the IPv4 address space, the telescope receives approximately 1/256th of the responses to spoofed packets generated by the denial-of-service attack victim.

100 Backscatter cont’d …. n By monitoring these unsolicited responses, researchers can identify denial-of-service attack victims and infer information about l the volume of the attack, l the bandwidth of the victim, l the location of the victim, and l the types of services the attacker targets. n Note that the network telescope can not monitor denial- of-service attacks utilizing not spoofed or non-randomly spoofed source IP addresses in attacking the victims.

101 Backscatter cont’d …. n Internet Worms n Many Internet worms spread by randomly generating an IP address to be the target of an infection attempt and sending the worm off to that IP address in the hope that it is in use by a vulnerable computer n Infected computers randomly attempt to infect other vulnerable computers. n The network telescope captures approximately one out of every 256 infection attempts.

102 Backscatter cont’d …. n Because the network telescope includes one out of every 256 IPv4 addresses, it receives approximately one out of every 256 probes from hosts infected with randomly scanning worms. n Many worms do not scan truly randomly, and network problems (both worm-induced and independent) may prevent the network telescope from receiving probes from all infected hosts. n In general, though, the telescope sees a newly infected hosts transmitting at the slow speed of 10 packets per second within 30 seconds of the infection.

103 Backscatter cont’d …. n Generally, source addresses chosen at random for spoofing based flooding attacks n Unsolicited Victim’s responses are equi-probably distributed (Backscattered) across the entire Internet address space l Received backscatter evidence of presence of attacker

105 Defenses against DoS attacks n DoS attacks cannot be prevented entirely n Impractical to prevent the flash crowds without compromising network performance n Three lines of defense against (D)DoS attacks l Attack prevention and preemption l Attack detection and filtering l Attack source traceback and identification

106 Attack prevention n Limit ability of systems to send spoofed packets l Filtering done as close to source as possible by routers l Reverse-path filtering ensure that the path back to claimed source is same as the current packet’s path  Ex: On Cisco router “ip verify unicast reverse-path” command n Rate controls in upstream distribution nets l On specific packet types l Ex: Some ICMP, some UDP, TCP/SYN n Use modified TCP connection handling l Use SYN-ACK cookies when table full l Or selective or random drop when table full

107 Attack prevention cont’d …. n Block IP broadcasts n Block suspicious services & combinations n Manage application attacks with “puzzles” to distinguish legitimate human requests n Good general system security practices n Use mirrored and replicated servers when high performance and reliability required

109 Responding to attacks n Need good incident response plan l With contacts for ISP l Needed to impose traffic filtering upstream l Details of response process n Have standard antispoofing, rate limiting, directed broadcast limiting filters n Ideally have network monitors and IDS l To detect and notify abnormal traffic patterns

110 Responding to attacks cont’d …. n Identify the type of attack l Capture and analyze packets l Design filters to block attack traffic upstream l Identify and correct system application bugs n Have ISP trace packet flow back to source l May be difficult and time consuming l Necessary if legal action desired n Implement contingency plan n Update incident response plan

112 Conclusion n (D)DoS attacks are genuine threats to many Internet users n Annoying < l < Debilitating ; l = losses n Level of loss is related to motivation as well shielding attempts from the defender l Attackers taking advantage of ignorance of the victims w.r.t. (D)DoS attacks n Defensive measures might not always work l Neither threat nor defensive methods are static

113 Conclusion n Prognosis for DDoS l Increase in size l Increase in sophistication l Increase in semantic DDoS attacks l Infrastructure attacks n DDoS are significant threats to the future growth and stability of Internet

114 Cloud-based DDoS Protection http://www.nexusguard.com/download/ClearDDoS%20Brochure-en.pdf

115 Cloud-based DDoS Protection

1 Layer 3 Network Security. 2 Outline n How Layer 3 Routers Work ? n DDOS Attack l Classical DoS attacks l Flooding attacks l Distributed Denial-of-Service.

Similar presentations

Presentation on theme: "1 Layer 3 Network Security. 2 Outline n How Layer 3 Routers Work ? n DDOS Attack l Classical DoS attacks l Flooding attacks l Distributed Denial-of-Service."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

1 Layer 3 Network Security. 2 Outline n How Layer 3 Routers Work ? n DDOS Attack l Classical DoS attacks l Flooding attacks l Distributed Denial-of-Service.

Similar presentations

Presentation on theme: "1 Layer 3 Network Security. 2 Outline n How Layer 3 Routers Work ? n DDOS Attack l Classical DoS attacks l Flooding attacks l Distributed Denial-of-Service."— Presentation transcript:

Similar presentations

About project

Feedback