Denial of Service Attacks

    PowerPoint PPT Presentation

  • Denial of Service Attacks

  • Understanding Denial of Service

  • How can a service be denied?
    Using up resources is the most common approach. Several ways:
    Crash the machine
    Put it into an infinite loop
    Crash routers on the path to the machine
    Use up a machine resource
    Use up a network resource
    Deny another service needed for this one (e.g. DNS)

  • What is Denial of Service?
    Denial of Service (DoS): an attack to disrupt the authorized use of networks, systems, or applications
    Distributed Denial of Service (DDoS): employ multiple compromised computers to perform a coordinated and widely distributed DoS attack

  • DoS Single Source

  • DDoS

  • DDoS Attack Traffic (1): One Day Traffic Graph

  • DDoS Attack Traffic (2): One Week Traffic Graph

  • DDoS Attack Traffic (3): One Year Traffic Graph

  • How Severe?

  • DDoS Botnets
    Botnet: a collection of compromised computers that are controlled for the purposes of carrying out DDoS attacks or other activities
    Can be large in number
    Systems join a botnet when they become infected by certain types of malware
    Like a virus, but instead of harming the system, it wants to take it over and control it
    Spread through email attachments, website links, or IM links
    Spread through unpatched operating system vulnerabilities

  • Botnets Modus Operandi (diagram: multi-tier design with zombies)

  • Bot: Direct control

  • Bot: Indirect control

  • Cost of DDoS Attacks
    Victims of (D)DoS attacks: service providers (in terms of time, money, resources, good will) and legitimate users (deprived of availability of service)
    Hard to quantify: incomplete data, and companies are reluctant to admit they have been victimized
    Lost business
    Lost productivity

  • Why? Who?
    Several motives: earlier attacks were proofs of concept; pseudo-supremacy feeling; eye-for-eye attitude; political issues; competition; hired
    Levels of attackers: highly proficient attackers who are rarely identified or caught; script-kiddies

  • The DDoS Landscape

  • DDoS Timeline

  • DoS Attacks Fast Facts
    Early 1990s: individual attacks from a single source; first DoS tools
    Late 1990s: botnets, first DDoS tools
    Feb 2000: first large-scale DDoS attack (CNN, Yahoo, E*Trade, eBay, Amazon.com, Buy.com)
    2001: Microsoft's name server infrastructure was disabled
    2002: DDoS attack on the root DNS servers
    2004: DDoS for hire and extortion
    2007: DDoS against Estonia
    2008: DDoS against Georgia during the military conflict with Russia
    2009: DDoS on Twitter and Facebook
    2010: DDoS on VISA and MasterCard

  • 2000 DoS Attacks
    In Feb 2000, a series of massive DoS attacks
    Yahoo, Amazon, eBay, CNN, E*Trade, ZDNet, Datek and Buy.com all hit
    Attacks allegedly perpetrated by teenagers
    Used compromised systems at UCSB
    Yahoo: 3 hours down with $500,000 lost revenue
    Amazon: 10 hours down with $600,000 lost revenue

  • 2002 DNS DoS Attacks
    ICMP floods at 150 Kpps (primitive attack)
    Took down 7 root servers (two hours)

  • 2009 DDoS on Twitter
    Hours-long service outage
    44 million users affected
    At the same time Facebook, LiveJournal, and YouTube were under attack; some users experienced an outage
    Real target: a Georgian blogger

  • December 2010
    Targets: MasterCard, Visa, Amazon, PayPal, Swiss Postal Finance, and more
    DDoS on MasterCard and Visa
    Attack launched by a group of vigilantes called Anonymous (~5000 people)
    DDoS tool is called LOIC or Low Orbit Ion Cannon
    Bots recruited through social engineering: directed to download DDoS software and take instructions from a master
    Motivation: payback, due to cut support of WikiLeaks after their founder was arrested on unrelated charges

  • The new DDoS tool by Anonymous
    A new operation is beginning
    A successor of LOIC
    Using SQL and .js vulnerabilities to remotely deface pages
    May be available in September 2011
    (image: V for Vendetta)

  • Operation Facebook
    Announcement on YouTube to bomb Facebook on Nov. 5, 2011
    Facebook's privacy issues revealed
    Why Nov. 5? The "Remember Remember" poem:
    Remember, remember the fifth of November,
    Gunpowder, treason and plot.
    I see no reason why gunpowder, treason
    Should ever be forgot...

  • DDoS Attack Classification

  • DoS attack list
    Flood attacks: TCP SYN flood, UDP flood, ICMP (PING) flood, Amplification (Smurf, Fraggle since 1998)
    Vulnerability attacks: Ping of Death (since 1990), Teardrop (since 1997), Land (since 1997)

  • Flooding attack
    Commonly used DDoS attack
    Sending a vast number of messages whose processing consumes some key resource at the target
    The strength lies in the volume, rather than the content
    Implications: the traffic looks legitimate; the traffic flow is large enough to consume the victim's resources; high packet rate sending

  • Vulnerability DoS attack
    Vulnerability: a bug in the implementation or a bug in the default configuration of a service
    Malicious messages (exploits): unexpected input that exploits the vulnerability is sent
    Consequences: the system slows down, crashes, freezes or reboots; the target application goes into an infinite loop; it consumes a vast amount of memory

  • TCP SYN flood (diagram: client and server)

  • Smurf attack
    Amplification attack
    Sends ICMP ECHO to a network: widespread pings with a faked return address, sent to the broadcast address
    Amplified network flood: the network sends the responses to the victim system
    The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion

  • DoS: Smurf
    Ping broadcast with Src Addr: B, Dst Addr: Broadcast

  • DoS: Fraggle
    Src Addr: B, Dst Addr: Broadcast
    Well known exploit of Echo/Chargen

  • Ping of Death
    Sending an oversized ping packet to the victim
    A ping of >65535 bytes violates the IP packet length limit
    Causes a buffer overflow and system crash
    Problem in the implementation, not the protocol
    Was a problem in the late 1990s; has been fixed in modern OSes

  • Teardrop
    Exploits a bug in the target's TCP/IP fragment reassembly code
    Mangled IP fragments with overlapping, oversized payloads are sent to the target machine
    Crashes various operating systems

  • LAND
    A LAND (Local Area Network Denial) attack
    First discovered in 1997 by m3lt
    Affects several OSes: AIX 3.0, FreeBSD 2.2.5, IBM AS/400 OS7400 3.7, Mac OS 7.6.1, SunOS 4.1.3 and 4.1.4, Windows 95, NT and XP SP2
    IP packets where the source and destination address are set to address the same device
    The machine replies to itself continuously
    Published code: land.c
    (diagram: LAND)
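The attack list above gives each technique a one-line signature: same source and destination (LAND), echo requests to a broadcast address (Smurf), a reassembled datagram past 65535 bytes (Ping of Death), overlapping fragments (Teardrop), and SYNs that never complete a handshake (SYN flood). The following detector, an added example that is not part of the original deck, turns those descriptions into checks and runs them over a constructed packet trace; the packet record, thresholds, and documentation-range addresses are all assumptions made here, and fragment offsets are kept in bytes for readability.

```python
"""Heuristic checks for the DoS signatures on the preceding slides, run over a
constructed packet trace. Added example, not code from the original deck."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    flags: str = ""        # TCP flags as letters: "S" = SYN, "A" = ACK
    icmp_type: int = -1    # 8 = ICMP echo request
    ip_id: int = 0         # IP identification field shared by fragments of one datagram
    frag_off: int = 0      # fragment offset, in bytes here (the wire unit is 8-byte blocks)
    length: int = 0        # bytes of IP payload carried by this packet
    more_frags: bool = False


MAX_IP_DATAGRAM = 65535    # maximum IP datagram size; a Ping of Death exceeds it


def is_land(p):
    """LAND: source and destination address name the same device."""
    return p.src == p.dst


def is_broadcast_ping(p):
    """Smurf: ICMP echo request aimed at a broadcast address (a /24 is assumed)."""
    return p.proto == "icmp" and p.icmp_type == 8 and (
        p.dst == "255.255.255.255" or p.dst.endswith(".255"))


def is_oversized_ping(p):
    """Ping of Death: an ICMP fragment whose end lies past the 65535-byte limit."""
    return p.proto == "icmp" and p.frag_off + p.length > MAX_IP_DATAGRAM


def find_overlapping_fragments(packets):
    """Teardrop: fragments of one datagram whose byte ranges overlap."""
    seen = defaultdict(list)           # (src, dst, ip_id) -> list of (start, end)
    hits = []
    for p in packets:
        if p.frag_off == 0 and not p.more_frags:
            continue                   # an unfragmented packet
        key = (p.src, p.dst, p.ip_id)
        start, end = p.frag_off, p.frag_off + p.length
        if any(start < e and s < end for s, e in seen[key]) and key not in hits:
            hits.append(key)
        seen[key].append((start, end))
    return hits


def half_open_per_target(packets, threshold):
    """SYN flood: destinations where SYNs far outnumber the ACKs that would
    complete a handshake. Coarse on purpose: every bare ACK counts as a completion."""
    syns, acks = defaultdict(int), defaultdict(int)
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[p.dst] += 1
        elif p.flags == "A":
            acks[p.dst] += 1
    return {d: syns[d] - acks[d] for d in syns if syns[d] - acks[d] >= threshold}


def analyse(packets, syn_threshold=50):
    """Run every check and return the findings keyed by attack name."""
    return {
        "land": [(p.src, p.dst) for p in packets if is_land(p)],
        "smurf": [(p.src, p.dst) for p in packets if is_broadcast_ping(p)],
        "ping_of_death": [(p.src, p.dst) for p in packets if is_oversized_ping(p)],
        "teardrop": find_overlapping_fragments(packets),
        "syn_flood": half_open_per_target(packets, syn_threshold),
    }


# Constructed trace (documentation address ranges) containing one of each signature.
TRACE = [
    Pkt("10.0.0.7", "10.0.0.7", "tcp", flags="S"),                        # LAND
    Pkt("192.0.2.9", "198.51.100.255", "icmp", icmp_type=8),              # Smurf trigger
    Pkt("192.0.2.9", "203.0.113.5", "icmp", icmp_type=8, ip_id=7,
        frag_off=65120, length=500),                                      # Ping of Death
    Pkt("192.0.2.9", "203.0.113.5", "udp", ip_id=9, length=36, more_frags=True),
    Pkt("192.0.2.9", "203.0.113.5", "udp", ip_id=9, frag_off=24, length=20),  # Teardrop
] + [Pkt(f"203.0.113.{i}", "198.51.100.10", "tcp", flags="S") for i in range(1, 61)]

if __name__ == "__main__":
    for kind, found in analyse(TRACE).items():
        print(f"{kind}: {found}")
```

The SYN-flood rule is the one that deserves tuning in practice: a busy server legitimately carries many SYNs per second, so the threshold should be set from a baseline of normal half-open counts rather than an absolute number, and the vulnerability checks (LAND, Ping of Death, Teardrop) are exact conditions that a modern stack already rejects but that are still worth logging as evidence of probing.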

  • Well known old DDoS Tools

    Botnet                     Communication Type        Attack Type           Encrypted Communication?
    Trinoo or trin00           TCP/UDP                   UDP Flood             No
    Tribe Flood Network (TFN)  TCP/UDP/ICMP              Multiple              No
    TFN2K                      TCP/UDP/ICMP Randomized   Multiple Randomized   No
    Stacheldraht               TCP/UDP/ICMP Randomized   Multiple Randomized   Yes

  • DDoS Defense

  • Are we safe from DDoS?
    "My machines are well secured." It does not matter: the problem is not your machine but everyone else's.
    "I have a firewall." It does not matter: we slip in with legitimate traffic or we bomb your firewall.
    "I use a VPN." It does not matter: we can fill your VPN pipe.
    "My system is very highly provisioned." It does not matter: we can get bigger resources than you have.

  • Why DoS Defense is difficult
    Conceptual difficulties:
    Mostly random source packets
    Moving filtering upstream requires communication
    Practical difficulties:
    Routers don't have many spare cycles for analysis/filtering
    Networks must remain stable (bias against infrastructure change)
    Attack tracking can cross administrative boundaries
    End-users/victims often see an attack differently (more urgently) than network operators
    Nonetheless, need to: maximize filtering of bad traffic; minimize collateral damage

  • Defenses against DoS attacks
    DoS attacks cannot be prevented entirely
    Impractical to prevent flash crowds without compromising network performance
    Three lines of defense against (D)DoS attacks:
    Attack prevention and preemption
    Attack detection and filtering
    Attack source traceback and identification

  • Attack prevention
    Limit the ability of systems to send spoofed packets
    Filtering done as close to the source as possible by routers/gateways
    Reverse-path filtering ensures that the path back to the claimed source is the same as the current packet's path
    Ex: on a Cisco router, the ip verify unicast reverse-path command
    Rate controls in upstream distribution nets on specific packet types (Ex: some ICMP, some UDP, TCP/SYN)
    Block IP broadcasts

  • Responding to attacks
    Need a good incident response plan, with contacts for the ISP (needed to impose traffic filtering upstream) and details of the response process
    Ideally have network monitors and IDS to detect and notify of abnormal traffic patterns

  • Responding to attacks (contd.)
    Identify the type of attack: capture and analyze packets; design filters to block attack traffic upstream; identify and correct system/application bugs
    Have the ISP trace the packet flow back to the source: may be difficult and time consuming; necessary if legal action is desired
    Implement the contingency plan
    Update the incident response plan

  • How are DDoS attacks handled in practice?

  • Router Filtering (network diagram: Server1, Server2, Victim, routers R1-R5, peering link)

  • Cisco uRPF (Unicast Reverse Path Forwarding)
    Does routing back to the source go through the same interface? If so, accept the packet; otherwise reject it (diagram: Router A, Router B)
    Cisco interface command: ip verify unicast rpf
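The reverse-path check described on the Attack prevention slide and the Cisco uRPF slide reduces to one question per packet: does the router's own forwarding table send traffic for the claimed source address out of the interface the packet arrived on? The following simulation is an added example, not Cisco code; the forwarding table, interface names and trace are constructed. It goes slightly beyond the slide: besides the strict mode the slide describes, it offers a loose mode (any route back suffices) and an allow_default switch, named after the real loose-mode and allow-default options, so the effect of a default route on the check is visible.

```python
"""Simulation of a unicast reverse-path forwarding (uRPF) check on one router.
Added example, not vendor code; FIB, interfaces and addresses are constructed."""
import ipaddress

# Constructed forwarding table for "Router A": prefix -> egress interface.
FIB = {
    "0.0.0.0/0": "Gi0/0",         # default route toward the upstream (Router B)
    "198.51.100.0/24": "Gi0/1",   # customer LAN 1
    "203.0.113.0/24": "Gi0/2",    # customer LAN 2
    "203.0.113.128/25": "Gi0/3",  # more specific: half of LAN 2 sits behind Gi0/3
}


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr. The default route only counts when
    allow_default is set, which mirrors the allow-default option of the command."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_accept(fib, ingress, src, mode="strict", allow_default=False):
    """True if a packet with source src arriving on ingress passes the check.
    strict: the route back to src must leave via the ingress interface
    loose:  any route back to src is enough (the slide only describes strict)"""
    egress = lookup(fib, src, allow_default)
    if egress is None:
        return False                  # no route back at all: drop in both modes
    return True if mode == "loose" else egress == ingress


def filter_trace(fib, packets, **kw):
    """Apply uRPF to (ingress, src, dst) tuples; return (accepted, rejected)."""
    accepted, rejected = [], []
    for ingress, src, dst in packets:
        bucket = accepted if urpf_accept(fib, ingress, src, **kw) else rejected
        bucket.append((ingress, src, dst))
    return accepted, rejected


# Constructed packets: one legitimate host and three spoofed sources.
TRACE = [
    ("Gi0/1", "198.51.100.20", "192.0.2.80"),   # real customer 1 host
    ("Gi0/2", "198.51.100.20", "192.0.2.80"),   # customer 2 spoofing customer 1
    ("Gi0/2", "203.0.113.200", "192.0.2.80"),   # wrong half of LAN 2 (lives on Gi0/3)
    ("Gi0/1", "192.0.2.1", "198.51.100.20"),    # source only the default route matches
]

if __name__ == "__main__":
    ok, dropped = filter_trace(FIB, TRACE)
    print("accepted:", ok)
    print("rejected:", dropped)
```

The strict check is what the slide's "same interface?" question means, and it is safe on the customer-facing interfaces where a single route leads back to each prefix; on the upstream side, where asymmetric routing is normal, strict mode would discard legitimate traffic, which is why loose mode exists there.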

  • Black hole Routing
    Same network diagram as Router Filtering, with a null route installed for the attacked prefix:
    ip route A.B.C.0 255.255.255.0 Null0

  • Blackhole in Practice
    Components: Victim, non-victimized servers, Detector, Guard; the Guard sits upstream, not on the critical path
    1. Detect
    2. Activate: auto/manual
    3. Divert only the victim's traffic
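The three Blackhole in Practice slides describe a loop: a detector notices a flooded destination, an operator or an automatic trigger activates a response, and a host route diverts only that victim's traffic, either to Null0 (the ip route ... Null0 form of the previous slide) or to the Guard, while the non-victimized servers keep their normal route. The following simulation is an added example, not vendor or project code; the router model (only /24 and /32 routes), the detector threshold, the addresses and the one-second trace are all constructed.

```python
"""Detector-triggered black-hole / diversion routing, as sketched on the
"Blackhole in Practice" slides. Added example, not vendor or project code;
the router model, thresholds, addresses and trace are constructed."""
from collections import Counter

NULL0 = "Null0"   # discard interface: ip route <victim> 255.255.255.255 Null0
GUARD = "Guard"   # alternative next hop: the scrubbing device on the slides


class Router:
    """Tiny FIB holding /24 network routes plus optional /32 host routes."""

    def __init__(self, routes):
        self.routes = dict(routes)

    def divert(self, host, to=NULL0):
        """Install a host route for one victim only (to Null0 or to the Guard)."""
        self.routes[f"{host}/32"] = to

    def restore(self, host):
        """Withdraw the host route once the attack is over."""
        self.routes.pop(f"{host}/32", None)

    def next_hop(self, dst):
        # Longest-prefix match simplified to two lengths: a /32 beats the /24.
        host = f"{dst}/32"
        if host in self.routes:
            return self.routes[host]
        net = dst.rsplit(".", 1)[0] + ".0/24"
        return self.routes.get(net, "upstream")


class Detector:
    """Flags destinations receiving at least `pps` packets in a one-second bin."""

    def __init__(self, pps):
        self.pps = pps

    def flooded(self, packets):
        counts = Counter(dst for _src, dst in packets)
        return {dst for dst, n in counts.items() if n >= self.pps}


def respond(router, detector, packets, auto=True, to=NULL0):
    """The slides' steps: 1. detect, 2. activate (auto or manual),
    3. divert only the victim's traffic. Returns the set of detected victims;
    in manual mode an operator installs the routes instead of this function."""
    victims = detector.flooded(packets)
    if auto:
        for v in victims:
            router.divert(v, to)
    return victims


def forward(router, packets):
    """Count packets per (destination, next hop) after routing."""
    return Counter((dst, router.next_hop(dst)) for _src, dst in packets)


# Constructed one-second trace: a flood at .10 from many sources, normal load at .11.
TRACE = [(f"203.0.113.{i % 250 + 1}", "198.51.100.10") for i in range(500)]
TRACE += [("192.0.2.5", "198.51.100.11")] * 20

if __name__ == "__main__":
    r = Router({"198.51.100.0/24": "Gi0/1"})
    print("diverted:", respond(r, Detector(pps=200), TRACE))
    print(forward(r, TRACE))
```

Diverting to Null0 completes the attacker's goal for the one victim address but protects the rest of the /24 and the upstream links, which is the collateral-damage trade-off the "Why DoS Defense is difficult" slide names; diverting to the Guard instead keeps the victim reachable at the cost of the scrubbing capacity, and restore() is the step that must not be forgotten once the flood subsides.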

  • DDoS Epilogue

  • DDoS Attack Trends
    Attackers follow defense approaches and adjust their code to bypass defenses
    Use of subnet spoofing defeats ingress filtering
    Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
    Encryption of attack packets defeats traffic analysis and signature detection
    Pulsing attacks defeat slow defenses and traceback
    Flash-crowd attacks generate application traffic

  • Implications For the Future
    More complex attacks; recently seen trends:
    Larger networks of attack machines
    Rolling attacks from a large number of machines
    Attacks at higher semantic levels
    Attacks on different types of network entities
    Attacks on DDoS defense mechanisms
    Need flexible defenses that evolve with attacks

    Speaker notes:

    Hello. I am Brian Pursley, and this presentation will provide a brief overview of Denial of Service attacks with a focus on Distributed Denial of Service attacks.

    Denial of Service, abbreviated as DoS, is where an attacker degrades or completely disables an application or system. This is accomplished by depleting the resources of the system, such as CPU, memory, disk space, internal handles, or network bandwidth. Distributed Denial of Service, referred to as DDoS, is where an attacker enlists multiple machines to carry out a DoS attack against a single victim.

    To carry out a Distributed Denial of Service attack, the attacker needs a group of systems, called a botnet. Botnets can range in size, and can be very large in number. A computer becomes part of a botnet when it is infected by a trojan application, which is similar to a virus, that runs in the background of the compromised computer. That program listens for commands and carries out the instructions of the attacker.

    What is the cost of Denial of Service to the victim? It is hard to say because the available data is incomplete. Many companies who are victims of Denial of Service attacks are reluctant to report it because they fear the further harm that negative publicity will have on their business. However, it is easy to assume that lost sales or lost productivity are direct consequences of a Denial of Service attack.

    One more Denial of Service exploit is the Ping of Death. In this one, the attacker simply sends a larger Ping request than is allowed by the specification. Unfortunately, most operating systems in the late 1990s did not handle this situation and the result was a buffer overflow, which would eventually crash the system. This was a very easy way to carry out Denial of Service but it has since been fixed in modern Operating Systems.

    Here are some common types of botnet applications. Over time, botnets have become more sophisticated in their methods of attacking and how they communicate with each other.