Computer Security: Principles and Practice, 1/e


Computer Security: Principles and Practice Chapter 8 – Denial of Service

by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown

Denial of Service

• denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space. -- NIST
• attacks
  – network bandwidth
  – system resources
  – application resources
• have been an issue for some time

Classical “ping flooding” Denial of Service Attack

• use ping command (ICMP echo request)
• from higher capacity link to lower
• an attack on network bandwidth
• source of flood traffic can be easily identified

Source Address Spoofing

• use forged source addresses
  – easy to create with “raw socket interface” of OS
• generate large volumes of packets with different, random, source addresses
• directed at target to cause congestion
• responses are scattered across Internet
• real source is much harder to identify by simply checking packet headers

Classical SYN Spoofing DoS Attack

• attacks the ability of a server to respond to future TCP connection requests
• overflows the tables used to manage TCP connections
• an attack on system resources

TCP Three-Way Connection Handshake

(figure: TCP Three-Way Connection Handshake)

TCP SYN Spoofing Attack

• attacker often uses source addresses that will not respond to the SYN-ACK with a RST
  – random source addresses
  – source addresses of overloaded servers
• has much lower traffic volume
  – attacker can be on a much lower capacity link

An illustration of Backscatter in Action

(Inferring Internet Denial-of-Service Activity, by David Moore, Geoffrey M. Voelker, and Stefan Savage, USENIX Security 2001)

Backscatter traffic can be monitored to analyze the type and scale of attacks being used

Types of Flooding Attacks

• Overload the network capacity on some link to a server
• ICMP Flooding
  – uses ICMP packets, e.g., echo request
  – typically allowed through (e.g., ping), some required (e.g., destination unreachable, time exceeded)
• UDP Flooding
  – uses UDP packets directed to ports of some services
• TCP SYN Flooding
  – use TCP SYN (connection request) packets
  – but with a much larger volume of traffic

Distributed Denial of Service Attacks (DDoS)

• have limited volume if single source used
• multiple systems allow much higher traffic volumes to form a DDoS attack
• often compromised PC’s / workstations
  – zombies with backdoor programs installed
  – forming a botnet
• e.g. Tribe Flood Network (TFN) tool, TFN2K

Structure of a DDoS Attack

(figure: Structure of a DDoS Attack)

Reflection Attacks

• use normal behavior of network
• attacker sends packet with
  – spoofed source address being that of an actual attack target
  – destination address being that of a normal server (reflector)
• server response is directed at target
• if send many requests to multiple reflectors, response can flood target
• various protocols e.g. ICMP, UDP or TCP/SYN, …
• ideally want response larger than request
• harder to trace back, harder to quantify
• prevent if block source spoofed packets

Structure of a Reflection Attack

(An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, by Vern Paxson, ACM SIGCOMM Computer Communication Review, vol. 31, no. 3, pp. 38-47, July 2001)

Amplification Attacks

(figure: Amplification Attacks)

DNS Amplification Attacks

• use DNS requests with spoofed source address being the target
• exploit DNS behavior to convert a small request to a much larger response
  – 60 byte request to 512 - 4000 byte response
• attacker sends requests to multiple well connected servers, which flood the link to the target
  – need only moderate flow of request packets
  – DNS servers will also be loaded

DoS Attack Defenses

• high traffic volumes may be legitimate
  – result of high publicity
  – results of expected/unexpected flash events (flash crowds) (Jaeyeon Jung et al., “Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites”, WWW 2002)
• three lines of defense against (D)DoS:
  – attack prevention and preemption
  – attack detection and filtering
  – attack source traceback and identification

Attack Prevention

• block spoofed source addresses
  – RFC 2827 egress filtering
  – on routers as close to source as possible
  – still far too rarely implemented
• rate controls in upstream distribution nets
  – on specific packet types
  – e.g. some ICMP, some UDP, TCP/SYN
• use modified TCP connection handling
  – use SYN cookies when table full
  – or selective or random drop when table full
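The SYN cookie defense listed above lets a server answer a SYN without storing connection state: the server's initial sequence number is itself a keyed hash of the connection 4-tuple plus a coarse timestamp, and only an ACK that echoes a valid cookie creates a table entry. The following Python is an added illustration (not code from the slides or from any real TCP stack); the 5/3/24-bit layout, MSS table, secret and 64-second counter are assumptions chosen to mirror the classic SYN cookie scheme.

```python
import hmac
import hashlib

# Constructed secret; a real server would rotate it periodically (assumption).
SECRET = b"constructed-demo-secret"
# MSS values encodable in the 3-bit field (constructed table, assumption).
MSS_TABLE = [536, 1220, 1440, 1460]
MAX_COOKIE_AGE = 2   # cookie stays valid for this many 64-second counter ticks


def _cookie_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Server ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit hash."""
    counter = (now // 64) & 0x1F
    # largest table MSS not exceeding the client's; fall back to the smallest
    fits = [i for i, v in enumerate(MSS_TABLE) if v <= client_mss]
    mss_idx = fits[-1] if fits else 0
    h = _cookie_hash(src_ip, src_port, dst_ip, dst_port, counter)
    return (counter << 27) | (mss_idx << 24) | h


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the final ACK of a cookied handshake.

    Returns the MSS to use for the connection, or None if the cookie is
    forged, bound to another 4-tuple, or too old.  No state was kept
    between SYN and ACK, so a flood of unanswered SYNs costs nothing.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF        # client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_counter = (now // 64) & 0x1F
    age = (now_counter - counter) & 0x1F       # modular difference handles wrap
    if age > MAX_COOKIE_AGE:
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(src_ip, src_port, dst_ip, dst_port, counter):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]
```

The cost of the scheme is visible in the code: only a few MSS values survive the round trip, and any TCP option not encoded in the 32-bit ISN is lost, which is why stacks enable cookies only once the SYN table is full.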

Attack Prevention Cont.

• block IP directed broadcasts
• block suspicious services & combinations
• use CAPTCHA to tell computers and humans apart
• good general system security practices
  – IPS, IDS
  – detect and notify abnormal traffic patterns
• use mirrored and replicated servers when high performance and reliability required

Responding to Attacks

• a good incident response plan
• identify type of attack
  – capture and analyze packets
  – design filters to block attack traffic
  – or identify and correct system/application bug
• have ISP trace packet flow back to source
  – may be difficult and time consuming
  – necessary if legal action desired
• implement contingency plan
• update incident response plan
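The "capture and analyze packets" step above, applied to the SYN spoofing attack described earlier: spoofed sources never complete the handshake, so a target accumulating many half-open connections from many distinct sources is the signature to look for. This Python detector is an added example, not code from the slides; the packet records are constructed and the thresholds are assumptions a defender would tune to the server's normal load.

```python
from collections import defaultdict

# Constructed packet log: (src_ip, dst_ip, dst_port, tcp_flag).  Two genuine
# clients send SYN then ACK; forty spoofed sources send a SYN and nothing else.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.1", 80, "SYN"),
    ("192.0.2.10", "198.51.100.1", 80, "ACK"),
    ("192.0.2.11", "198.51.100.1", 80, "SYN"),
    ("192.0.2.11", "198.51.100.1", 80, "ACK"),
] + [(f"203.0.113.{i}", "198.51.100.1", 80, "SYN") for i in range(1, 41)]


def half_open_stats(packets):
    """Per (dst, port): (half-open count, distinct half-open sources, completed)."""
    pending = set()              # (src, dst, port) with a SYN not yet ACKed
    completed = defaultdict(int)
    for src, dst, port, flag in packets:
        key = (src, dst, port)
        if flag == "SYN":
            pending.add(key)
        elif flag == "ACK" and key in pending:
            pending.discard(key)
            completed[(dst, port)] += 1
    stats = defaultdict(lambda: [0, set(), 0])
    for src, dst, port in pending:
        stats[(dst, port)][0] += 1
        stats[(dst, port)][1].add(src)
    for key, n in completed.items():
        stats[key][2] = n
    return {k: (v[0], len(v[1]), v[2]) for k, v in stats.items()}


def flag_syn_flood(packets, min_half_open=20, min_source_ratio=0.9):
    """Flag (dst, port) pairs with many half-open connections spread over many
    distinct sources; a single misbehaving client would not pass the ratio."""
    alerts = []
    for (dst, port), (half_open, srcs, _done) in half_open_stats(packets).items():
        if half_open >= min_half_open and srcs / half_open >= min_source_ratio:
            alerts.append((dst, port, half_open, srcs))
    return alerts
```

On a live capture the same counts would be taken over a sliding time window, since legitimate clients on slow links are briefly half-open too.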

(D)DoS Attack Research Examples

• David Moore et al., “Inferring Internet Denial-of-Service Activity”, USENIX Security 2001
• Vern Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”, SIGCOMM 2001
• Jaeyeon Jung et al., “Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites”, WWW 2002
• Cheng Jin et al., “Hop-count filtering: an effective defense against spoofed DDoS traffic”, CCS 2003

(D)DoS Attack Research Examples Cont.

• Abraham Yaar et al., “Pi: a path identification mechanism to defend against DDoS attacks”, IEEE S&P 2003
• Srikanth Kandula et al., “Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds”, NSDI 2005
• Michael Walfish et al., “DDoS defense by offense”, SIGCOMM 2006
• Vinh The Lam et al., “Puppetnets: misusing web browsers as a distributed attack infrastructure”, CCS 2006
• Marti Motoyama et al., “Re: CAPTCHAs—Understanding CAPTCHA-Solving Services in an Economic Context”, USENIX Security 2010

Summary

• introduced denial of service (DoS) attacks
• classic flooding and SYN spoofing attacks
• ICMP, UDP, TCP SYN floods
• distributed denial of service (DDoS) attacks
• reflection and amplification attacks
• defenses against DoS attacks
• responding to DoS attacks