
DOS

Overview

Denial of Service (DoS) is the act of performing an attack which prevents the system from providing services to legitimate users

When successful, the targeted host may stop providing any service, provide limited services only or provide services to some users only

Overview

DoS can be achieved in various ways:

– Application Crashing
  • Memory Access Violation (Buffer Overflow)
  • Various Exceptions

– Data Destruction

– Resource Depletion
  • Memory
  • CPU
  • Bandwidth
  • Disk Space

Application Crashing

Common way of performing a Denial of Service attack

In many cases, certain types of input may produce an error which the application did not anticipate, causing it to crash:

– Buffer Overflows

– Malformed data – causing a parser exception
  • Terminating with error

– SQL Injection (; shutdown --)

Data Destruction

One way to cause a DoS attack is by tampering with the data instead of the service itself

If a site is vulnerable to SQL Injection, for instance, it may be possible to DELETE all data from all tables

Although the Web site will remain ‘online’, it will actually be useless without the information from the database

Data Destruction

Intentional User Lock

– Any web application login page

– Taking advantage of the application’s own security mechanisms to cause DoS, by abusing the login-failure user lock mechanism

– Intentionally failing multiple login attempts with each possible username will eventually result in DoS, since all the application users will be locked
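One way to keep a lockout mechanism from becoming a DoS lever, as an added example that is not taken from the slides: failures are counted per username and per source address in a sliding window, the resulting locks expire, so failing logins for every username delays those users briefly instead of locking them out for good, and the source doing the failing is held back for longer. Class name, limits and addresses are assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Temporary, two-keyed lockout (hypothetical design, not from the slides).

    A failure counts against ("user", name) and against ("src", address).
    Reaching max_failures inside `window` seconds locks that key, but only
    for user_lock / source_lock seconds, so a mass of deliberate failures
    cannot lock every account permanently, and the offending source is held
    back longer than the accounts it tried.
    """

    def __init__(self, max_failures=5, window=300, user_lock=60, source_lock=900):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = {"user": user_lock, "src": source_lock}
        self._fails = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}            # key -> time the lock expires

    def _recent_failures(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return len(q)

    def is_locked(self, key, now):
        return now < self._locked_until.get(key, 0)

    def allowed(self, source, username, now=None):
        """True if a login attempt from `source` for `username` may proceed."""
        now = time.time() if now is None else now
        return not (self.is_locked(("src", source), now)
                    or self.is_locked(("user", username), now))

    def record_failure(self, source, username, now=None):
        now = time.time() if now is None else now
        for key in (("user", username), ("src", source)):
            self._fails[key].append(now)
            if self._recent_failures(key, now) >= self.max_failures:
                self._locked_until[key] = now + self.lock_for[key[0]]
                self._fails[key].clear()

    def record_success(self, source, username):
        # A real login resets the per-user counter only; the source counter
        # keeps accumulating, so one good login does not launder a spray.
        self._fails[("user", username)].clear()
```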

Resource Depletion

Sophisticated attacks pinpoint the weak points of the application to achieve maximum effect using minimal resources

CPU Consumption

– An attacker can easily create complicated regular expressions which consume a lot of CPU each time a search is initiated

– The attacker then writes a script to launch this request over and over again

Resource Depletion

CPU Consumption – The SQL Injection version

– When SQL Injection is possible, it can be used for DoS even without permissions to Shutdown or Delete

– Creating very intense nested queries does the trick:

Resource Depletion

Memory Consumption

– A Web Mail Application

– Allows uploading files as attachments

– All attachments are stored in the application’s memory until the ‘Send’ button is pressed

– There is no limitation on the size or number of attachments

– Assuming the hacker has a lot of bandwidth, the hacker can upload thousands of attachments, consuming all free memory on the machine
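A bound that closes the hole described above, as an added example that is not the slides’ code: attachments are read in chunks and spooled to temporary files instead of being held in process memory, and the per-attachment size, the total size and the count are all enforced while reading, so an oversized upload is cut off at the limit rather than stored first. The class, helper and limit values are assumptions.

```python
import io
import tempfile


class AttachmentLimitError(ValueError):
    """Raised when an upload would exceed the draft's limits."""


class Draft:
    """Attachments for one unsent message, kept on disk under hard limits
    (hypothetical design, not the application from the slides)."""

    CHUNK = 64 * 1024

    def __init__(self, max_attachments=10, max_attachment_bytes=5 * 1024 * 1024,
                 max_total_bytes=20 * 1024 * 1024):
        self.max_attachments = max_attachments
        self.max_attachment_bytes = max_attachment_bytes
        self.max_total_bytes = max_total_bytes
        self.files = []   # (name, size, file object) for accepted attachments
        self.total = 0

    def add_attachment(self, name, stream):
        """Read `stream` in chunks onto disk; returns the stored size."""
        if len(self.files) >= self.max_attachments:
            raise AttachmentLimitError("too many attachments")
        # Uploads up to CHUNK bytes stay in memory, larger ones spill to disk.
        spool = tempfile.SpooledTemporaryFile(max_size=self.CHUNK)
        size = 0
        while True:
            chunk = stream.read(self.CHUNK)
            if not chunk:
                break
            size += len(chunk)
            # Check before storing: the upload is rejected the moment it
            # crosses a limit, not after the whole thing has been saved.
            if (size > self.max_attachment_bytes
                    or self.total + size > self.max_total_bytes):
                spool.close()   # release the partial upload before rejecting
                raise AttachmentLimitError(f"{name}: size limit exceeded")
            spool.write(chunk)
        spool.seek(0)
        self.files.append((name, size, spool))
        self.total += size
        return size


def try_add(draft, name, data):
    """Helper: attach `data` (bytes); True if accepted, False if rejected."""
    try:
        draft.add_attachment(name, io.BytesIO(data))
        return True
    except AttachmentLimitError:
        return False
```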

Resource Depletion

Disk Consumption

– Any web application

– Detailed logging is used for each application error

– An attacker identifies a light-weight request which generates a few KB of log

– The attacker then repeats this until the disk is full

– Application behavior once the disk is full is unexpected:
  • The application might terminate when it is unable to write to a file
  • If the files are located on the system partitions, the entire machine might crash

Resource Depletion

Network Consumption

– Any web application

– Attacker has a wide Internet connection

– Attacker identifies small requests which result in large amounts of data (Display all items in system)

– Attacker can then launch the request over and over again, causing the database to send large amounts of data back to the web server in each request (potentially exhausting the connection pool as well)

DoS Types

TCP DoS Attack

– LAND – a series of SYN packets whose source address equals the destination address; on an OS with this vulnerability it may cause the system to crash and/or restart. Newer Windows and Linux versions have been improved to prevent the LAND attack

– Teardrop – re-assembly of fragmented packets that are bigger or smaller than they are supposed to be will cause the system to crash or stop a certain service.

– TCP SYN – many three-way handshakes that consume system resources => the system crashes or simply stops responding (out of memory)

UDP DoS Attack

– Fraggle – similar to TCP SYN but with UDP.

ICMP DoS Attack

– Ping of Death – a small ICMP echo request causes the server to respond with an echo reply. The attack packet adds data in the Option Data field to make the packet very big. The victim’s resources are consumed by the reply packets (i.e. it needs to resend when there is no response), causing significant resource starvation. In some cases the packet size is more than 65535 bytes, causing the system to crash. Newer OSes have fixed this problem.

– Smurf – uses a spoofed source IP, which causes a flood of echo reply packets.

DNS Reply Flooding

Why this problem?

Because of the protocol … the three-way handshake

Three-way handshake?

Three-way handshake in the TCP protocol
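Detection logic for the SYN flood described above, as an added example that is not from the slides: it counts half-open (SYN-RECV) connections per peer in output formatted like `ss -tan state syn-recv` and flags peers holding many of them. The sample output is constructed, and the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of `ss -tan state syn-recv` (not captured
# from a real host): one peer is holding several half-open connections.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      10.0.0.5:80          198.51.100.7:40211
0      0      10.0.0.5:80          198.51.100.7:40212
0      0      10.0.0.5:80          198.51.100.7:40213
0      0      10.0.0.5:80          198.51.100.7:40214
0      0      10.0.0.5:80          203.0.113.9:51000
0      0      10.0.0.5:443         198.51.100.7:40215
"""

# recv-q send-q local:port peer:port
LINE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def half_open_by_peer(ss_output):
    """Count half-open (SYN-RECV) connections per peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:                      # header and blank lines do not match
            counts[m.group(3)] += 1
    return counts


def suspected_syn_flood_sources(ss_output, threshold=4):
    """Peers holding at least `threshold` half-open connections, largest first.

    A legitimate client completes the handshake almost immediately, so many
    SYN-RECV entries from one peer are the signature of SYN flooding.
    `threshold` is illustrative; tune it to the server's normal backlog.
    """
    counts = half_open_by_peer(ss_output)
    return [(peer, n) for peer, n in counts.most_common() if n >= threshold]
```

Flood sources are commonly spoofed, so a flagged address is evidence of a flood rather than of the attacker; on Linux the kernel-side mitigation is SYN cookies (net.ipv4.tcp_syncookies).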

DoS Methods        | Attack packets                          | Reply packets
Smurf              | ICMP echo queries to broadcast address  | ICMP echo replies
SYN flooding       | TCP SYN packets                         | TCP SYN ACK packets
RST flooding       | TCP packets to closed ports             | TCP RST packets
ICMP flooding      | ICMP queries                            | ICMP replies
                   | UDP packets to closed ports             | Port unreachable
                   | IP packets with low TTL                 | Time exceeded
DNS reply flooding | DNS queries (recursive) to DNS servers  | DNS replies

DDoS

An attacker finds a group of computers that he/she can break into (or install software on and run programs)

This collection of computers is then taken over and turned into “zombies”

The zombies flood a web site with requests

Legitimate requests are blocked

Distributed Denial of Service (DDoS)

[Diagram: Real Attacker → Master → Daemons (several) → Victim]

Asymmetry comes in the form of a large farm of machines. IP addresses no longer need to be spoofed

February 2000: DDoS

Traditional protection techniques no longer applicable.

DDoS Attack: Yahoo!

• February 2000

• Intermittent outages for nearly three hours

• Estimated to have cost Yahoo $500,000 due to fewer page hits during the attack

• Attacker caught and successfully prosecuted

• Other companies (eBay, CNN) attacked in the same way the following days

DDoS Attack: Microsoft

• Target of multiple DDoS attacks

• Some successful, some not

• Successful one in January 2001

• Attacked router in front of Microsoft’s DNS servers

• During the attack, as few as 2% of web page requests were being fulfilled

DDoS Attack: DNS Root Servers

• October 2002, for 1 hour

• Ping flood to all 13 of the DNS root servers

• Successfully halted operations on 9

• Did not cause major impact on the Internet

• DNS NS record caching at local resolvers helped

• Several root servers are very well-provisioned

DDoS: Setting up the Infrastructure

Zombies

– Slow-spreading installations can be difficult to detect

– Can be spread quickly with worms

– Indirection makes the attacker harder to locate

– No need to spoof IP addresses

What is a Worm?

– Code that replicates and propagates across the network

– Often carries a “payload”

– Usually spread via exploiting flaws in open services

– “Viruses” require user action to spread

• First worm: Robert Morris, November 1988
  • 6-10% of all Internet hosts infected (!)

• Many more since, but none on that scale until July 2001

Example Worm: Code Red

Initial version: July 13, 2001

Exploited known ISAPI vulnerability in Microsoft IIS Web servers

– 1st through 20th of each month: spread

– 20th through end of each month: attack

• Payload: Web site defacement

• Scanning: Random IP addresses

• Bug: failure to seed the random number generator

Why Denial-of-Service “Works”

• Asymmetry: generating a request is cheaper than formulating a response

• One attack machine can generate a lot of requests, and effectively multiply its power

• Not always possible to achieve this asymmetry

Defense

There are techniques to avoid some DoS attacks at the code level:

– Perform thorough input validation. Expect the worst!

– Avoid highly CPU-consuming operations

– Create as few bottlenecks as possible

– Avoid operations which must wait for the completion of large tasks to proceed

– Split operations into chunks

– Set timeouts so that no operation can run for an unreasonable time

Prepare for performance peaks

– More Load Balancing

– Caching

Always separate the data disks from the system disks

Defense Example

Put a limit on ping to prevent ping floods:

    # Accept at most one ICMP echo request per second on eth0
    iptables -A INPUT -p icmp --icmp-type echo-request \
      -m limit --limit 1/s -i eth0 -j ACCEPT
    # Drop the excess: without this rule (or a DROP default policy on INPUT)
    # the limit rule above lets the remaining echo requests fall through
    iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

Defense for SYN flood attacks: -m limit sets the maximum number of SYN packets accepted per second

    iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
    # SYN packets above the limit are dropped by this second rule
    iptables -A INPUT -p tcp --syn -i eth0 -j DROP

(*sorry, example just in GNU/Linux)