
Distributed Reflection Denial of Service
Networking Talks for the Insufficiently Paranoid
Based on: http://grc.com/dos/drdos.htm
Jim Gast, CS-642 Security, Spring 2003
[email protected], UW-Madison
Normal Connection Establishment

On receiving a SYN the server sets up retransmission timers, allocates receive buffers, etc.
Imagine a web server that can handle 12,000 connections. If the handshake never completes,
a timeout occurs after 120 seconds, freeing up the resources.
Note: SYN packets are very small and take up very little bandwidth.
Graphics stolen from http://grc.com/dos/drdos.htm
State Transition Diagram

TCP state transitions, reconstructed from the diagram on the slide (event / action taken):

From           Event / action                          To
CLOSED         passive open                            LISTEN
CLOSED         active open / send SYN                  SYN_SENT
LISTEN         recv SYN / send SYN + ACK               SYN_RCVD
LISTEN         send / send SYN                         SYN_SENT
LISTEN         close                                   CLOSED
SYN_SENT       recv SYN / send SYN + ACK               SYN_RCVD
SYN_SENT       recv SYN + ACK / send ACK               ESTABLISHED
SYN_SENT       close                                   CLOSED
SYN_RCVD       recv ACK                                ESTABLISHED
SYN_RCVD       close / send FIN                        FIN_WAIT_1
ESTABLISHED    close / send FIN                        FIN_WAIT_1
ESTABLISHED    recv FIN / send ACK                     CLOSE_WAIT
FIN_WAIT_1     recv ACK                                FIN_WAIT_2
FIN_WAIT_1     recv FIN / send ACK                     CLOSING
FIN_WAIT_2     recv FIN / send ACK                     TIME_WAIT
CLOSING        recv ACK                                TIME_WAIT
CLOSE_WAIT     close / send FIN                        LAST_ACK
LAST_ACK       recv ACK                                CLOSED
TIME_WAIT      timeout after two segment lifetimes     CLOSED

SYN_RCVD is the half-open state: the server has answered with SYN + ACK and is holding resources while it waits for the final ACK. The SYN flood on the next slides parks as many server-side connections as possible in that state.
SYN Flood

- Each SYN creates one half-open connection
- Half-open connections take minutes to time out
- Servers have finite connection tables
- The perpetrator would be easily caught (by source IP)
  - Unless the source IP is spoofed
  - See: CERT Advisory CA-1996-21, http://www.cert.org/advisories/CA-1996-21.html
- 100 SYN packets per second fits in 56 Kbps
Spoofed IP Address

The SYN/ACK is delivered to the fake (spoofed) IP address.
The attacker doesn't see it, and doesn't care. (This stray reply traffic is called backscatter.)
Example SYN Flood Attack

- February 5th-11th, 2000
- Victims included CNN, eBay, Yahoo, Amazon
- Attackers (allegedly) used simple, readily available tools (script-kiddies)
- Law enforcement unable (unwilling?) to help
  - Under-age perpetrators have blanket immunity
Defense against SYN Flood

- Increase size of connection table
- Add more servers
- Trace attack back to source
- Ask your ISP to filter malicious packets
- Add firewall
  - Typically a "SYN proxy"
  - Dave Parter will talk on firewalls later in the semester
- Ultimate solution was "SYN-cookies"
  - Reply to SYN with a SYN-cookie
  - Allocate no resources until the SYN-cookie is returned
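Slides 4 and 7 together make one argument: a SYN costs the server a table slot for minutes, and a SYN-cookie lets it defer that cost until the client proves it can receive. The Python below is an added example (not code from the slides or from grc.com) that runs both kinds of listener against the same spoofed flood and then a legitimate handshake. The cookie layout (an 8-bit time counter followed by a 24-bit truncated HMAC over the address 4-tuple), the secret, the 64-second epoch and the 12,000-slot / 100 SYN/s / 120 s figures are assumptions chosen to match the numbers on the slides; Linux lays its cookies out differently.

```python
import hashlib
import hmac
import random
import struct

# Assumptions for this example (not from the slides): a per-boot secret,
# a 64-second cookie epoch, and the slide's 120-second half-open timeout.
SECRET = b"example-per-boot-secret"
COOKIE_EPOCH = 64
HALF_OPEN_TIMEOUT = 120


class StatefulListener:
    """Classic TCP: one half-open (SYN_RCVD) entry per SYN until ACK or timeout."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = {}  # (src_ip, src_port) -> expiry time

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src_ip, src_port, now):
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            return False  # table full: the SYN is dropped, legitimate or not
        self.half_open[(src_ip, src_port)] = now + HALF_OPEN_TIMEOUT
        return True

    def on_ack(self, src_ip, src_port, now):
        self._expire(now)
        return self.half_open.pop((src_ip, src_port), None) is not None


def _tag(src_ip, src_port, dst_ip, dst_port, epoch):
    msg = struct.pack("!4sH4sHB", src_ip, src_port, dst_ip, dst_port, epoch)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Server ISN = 8-bit epoch counter || 24-bit MAC over the 4-tuple (assumed layout)."""
    epoch = int(now // COOKIE_EPOCH) & 0xFF
    return (epoch << 24) | int.from_bytes(_tag(src_ip, src_port, dst_ip, dst_port, epoch), "big")


def check_cookie(isn, src_ip, src_port, dst_ip, dst_port, now):
    """Valid if the MAC matches and the epoch is the current or the previous one."""
    epoch, tag = isn >> 24, (isn & 0xFFFFFF).to_bytes(3, "big")
    cur = int(now // COOKIE_EPOCH) & 0xFF
    if epoch not in (cur, (cur - 1) & 0xFF):
        return False
    return hmac.compare_digest(tag, _tag(src_ip, src_port, dst_ip, dst_port, epoch))


class CookieListener:
    """Stores nothing on SYN; a connection exists only once a valid ACK returns."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = set()

    def on_syn(self, src_ip, src_port, now):
        return make_cookie(src_ip, src_port, self.ip, self.port, now)  # sent as the SYN/ACK seq

    def on_ack(self, src_ip, src_port, ack_num, now):
        # The client acknowledges ISN+1, so the cookie is ack_num-1 (mod 2^32).
        if not check_cookie((ack_num - 1) & 0xFFFFFFFF, src_ip, src_port, self.ip, self.port, now):
            return False
        self.established.add((src_ip, src_port))
        return True


def flood_then_connect(capacity=12000, syn_rate=100, seconds=120, seed=1):
    """Spoofed SYNs at syn_rate/s for `seconds`, then one legitimate handshake
    while the flood is still running. Returns what each listener did."""
    rng = random.Random(seed)
    stateful = StatefulListener(capacity)
    cookie = CookieListener(b"\x0a\x00\x00\x01", 80)
    for t in range(seconds):
        for _ in range(syn_rate):
            spoofed_ip = bytes(rng.getrandbits(8) for _ in range(4))
            port = rng.randrange(1024, 65536)
            stateful.on_syn(spoofed_ip, port, t)  # costs one table slot for 120 s
            cookie.on_syn(spoofed_ip, port, t)    # SYN/ACK goes to the spoofed host; no ACK ever returns
    now = seconds - 0.5
    ip, port = b"\xc0\xa8\x01\x02", 40000
    stateful_ok = stateful.on_syn(ip, port, now) and stateful.on_ack(ip, port, now)
    isn = cookie.on_syn(ip, port, now)
    cookie_ok = cookie.on_ack(ip, port, (isn + 1) & 0xFFFFFFFF, now)
    forged_ok = cookie.on_ack(ip, port, ((isn ^ 1) + 1) & 0xFFFFFFFF, now)  # one tag bit flipped
    return {
        "stateful_half_open": len(stateful.half_open),
        "stateful_accepts_legit": stateful_ok,
        "cookie_accepts_legit": cookie_ok,
        "cookie_accepts_forged": forged_ok,
    }
```

With the slide's numbers the stateful table ends the flood full, so the legitimate SYN is dropped; the cookie listener kept no state, accepts the real client's ACK because ack-1 verifies, and rejects a forged ACK whose tag differs in one bit. The price of statelessness is also visible: the server has nowhere to keep the SYN's options, so the cookie carries only what it can encode, and a cookie from two epochs ago is refused.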
Potential places to stop DoS flood

(Figure only; graphics from http://grc.com/dos/drdos.htm)
Distributed DoS

- Rather than filling the connection table, fill all available bandwidth
- Infect innocent bystanders (zombies)
- Zombies listen (e.g. on an IRC channel) for the attack command (or simply attack at will)
- Attacker need not have a high-bandwidth connection
- Typical program: EvilGoat EvilBot
Example Distributed DoS Attack

- 6 attacks on 5 different days
- One attack lasted for 17 hours
- 474 infected Windows PCs as zombies
- 2.4 billion malicious packets

(Figure: goodput over time during the attack, axes labelled by the presenter "Goodput?" and "Time (minutes?)"; graphics from http://grc.com/dos/grcdos.htm)
Flood-based Distributed DoS Attacks

- Coordinate zombies to attack with big packets
- Use up "last-hop" bandwidth
- The "last-hop" router discards packets indiscriminately
- Zombies need not spoof addresses
- See http://grc.com/dos/intro.htm for an example horror story
Newest Twist - Reflection

- Many routers accept connections on port 179 (Border Gateway Protocol)
  - Although any big server, and any port it listens on, will work
- Send a SYN to a router, claiming it came from the victim
- The router will send a SYN/ACK to the victim
  - And then re-transmit it several times before giving up (typically about 4X)

Note: Tar-pits will not see any "backscatter", but honey-pots might see the attacker's commands.
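An added example (not from the slides or from grc.com) that models the reflection exchange end to end in Python: an attacker sends SYNs whose source address is the victim's to many routers listening on 179, each router answers with a SYN/ACK to the victim and retransmits it on a backoff schedule, and the victim tallies what arrives. Packet sizes (40-byte SYN, 44-byte SYN/ACK), the four retransmissions and the 3/6/12/24-second gaps are assumptions; the slide only says "typically about 4X".

```python
import heapq
from collections import Counter
from dataclasses import dataclass

# Assumptions for this example (not from the slides): packet sizes and the
# reflector's SYN/ACK retransmission gaps. The slides only say "about 4X".
SYN_BYTES = 40                    # 20 B IP + 20 B TCP, no options
SYNACK_BYTES = 44                 # plus a 4-byte MSS option
BACKOFF = [3.0, 6.0, 12.0, 24.0]  # seconds between successive SYN/ACK retransmits


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK
    size: int


class Reflector:
    """A host with an open TCP port (here 179/BGP). It answers a SYN with a
    SYN/ACK to whatever source address the SYN claimed, and retransmits that
    SYN/ACK on the backoff schedule until it gives up. It never learns who
    really sent the SYN."""

    def __init__(self, ip, open_ports, retries=len(BACKOFF)):
        self.ip, self.open_ports, self.retries = ip, set(open_ports), retries

    def on_syn(self, pkt, now):
        if pkt.flags != "S" or pkt.dst != self.ip or pkt.dport not in self.open_ports:
            return []  # closed port: at most one RST, not modelled here
        reply = Pkt(self.ip, pkt.src, pkt.dport, pkt.sport, "SA", SYNACK_BYTES)
        times = [now]
        for gap in BACKOFF[: self.retries]:
            times.append(times[-1] + gap)
        return [(t, reply) for t in times]


def run_drdos(n_reflectors=50, syns_per_reflector=4, duration=2.0, retries=len(BACKOFF),
              victim="192.0.2.10", attacker="198.51.100.7"):
    """The attacker spreads spoofed SYNs (source = victim) over the reflectors
    during `duration` seconds; every SYN/ACK they produce lands on the victim."""
    reflectors = [Reflector(f"203.0.113.{i + 1}", {179}, retries) for i in range(n_reflectors)]
    total_syns = n_reflectors * syns_per_reflector
    events, seq, attacker_bytes = [], 0, 0
    for i, r in enumerate(reflectors):
        for k in range(syns_per_reflector):
            t = (i * syns_per_reflector + k) * duration / total_syns
            syn = Pkt(victim, r.ip, 1024 + k, 179, "S", SYN_BYTES)  # `attacker` appears nowhere
            attacker_bytes += syn.size
            for when, reply in r.on_syn(syn, t):
                heapq.heappush(events, (when, seq, reply))
                seq += 1
    victim_bytes, last_arrival, per_reflector, sources = 0, 0.0, Counter(), set()
    while events:
        when, _, pkt = heapq.heappop(events)
        if pkt.dst == victim:
            victim_bytes += pkt.size
            per_reflector[pkt.src] += 1
            sources.add(pkt.src)
            last_arrival = when
    return {
        "attacker_bytes": attacker_bytes,
        "victim_bytes": victim_bytes,
        "amplification": victim_bytes / attacker_bytes,
        "synacks_per_reflector": max(per_reflector.values()),  # what one router's operator could notice
        "attacker_visible_to_victim": attacker in sources,
        "last_synack_seconds": last_arrival,  # SYN/ACKs still arriving after the SYNs stopped
    }


if __name__ == "__main__":
    for key, value in run_drdos().items():
        print(f"{key}: {value}")
```

With four retransmissions the 44-byte SYN/ACK turns each 40-byte SYN into 220 bytes at the victim (5.5x); each of the fifty routers emitted only twenty SYN/ACKs, the victim's logs show router addresses and never the attacker's, and SYN/ACKs keep landing 45 seconds after the last spoofed SYN went out. Set `retries=0` to see that a reflector which does not retransmit gives almost no amplification (1.1x).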
Reflection Mechanism

(Figure only; graphics from http://grc.com/dos/drdos.htm)

Distributed Reflection DoS

(Figure only; graphics from http://grc.com/dos/drdos.htm)
Other ports susceptible to DRDoS

- 22 – Secure Shell
- 23 – Telnet
- 53 – DNS
- 80 – HTTP / Web
- 4001 – Proxy Servers
- 6668 – Internet Relay Chat

(Ports 1-1023 are the "well-known" ports; easily detected, so far.)
But reflection from port 179 is so powerful it easily overwhelms the others.
Call to action

- Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home
- Egress filtering at all ISPs would prevent spoofed IP addresses from traversing the Internet
- Flagging multiply-tried, failed SYN/ACKs could be used to discover victims and filter further attacks
- Disable the raw socket interface in client PCs
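The first three bullets are mechanisms, so here is an added Python example (not from the slides or from grc.com) of two of them run over constructed logs: source-address filtering at the ISP's customer edge, which drops the spoofed SYNs before they reach any reflector, and a victim-side check that flags inbound SYN/ACKs answering no SYN we sent and groups them by reflector. The log format, the addresses (documentation ranges) and the three-repeat threshold are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed log format for this example: "<time> <src>:<sport> > <dst>:<dport> <flags>"
# with flags "S" (SYN), "SA" (SYN/ACK), "A" (ACK).


def parse(line):
    t, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(t), sip, int(sport), dip, int(dport), flags


def edge_filter(lines, customer_prefixes):
    """Source-address filtering on the ISP's customer-facing interface (the
    slide's first two bullets, BCP 38 style): forward a packet only if its
    source lies inside a prefix assigned to that customer. A spoofed SYN
    carrying the victim's address never leaves home."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    passed, dropped = [], []
    for line in lines:
        sip = parse(line)[1]
        ok = any(ipaddress.ip_address(sip) in n for n in nets)
        (passed if ok else dropped).append(line)
    return passed, dropped


def unsolicited_synacks(lines, our_prefix, min_repeats=3):
    """The slide's third bullet, seen from a victim's border: a SYN/ACK is only
    legitimate if we sent the matching SYN. Count SYN/ACKs that answer no SYN
    of ours, per sender, and report senders that repeated at least
    `min_repeats` times (the retransmissions of a reflector giving up slowly).
    `lines` must be in time order."""
    ours = ipaddress.ip_network(our_prefix)
    outstanding = set()  # (our_ip, our_port, peer_ip, peer_port) for SYNs we sent
    unsolicited = Counter()
    for line in lines:
        _, sip, sport, dip, dport, flags = parse(line)
        if flags == "S" and ipaddress.ip_address(sip) in ours:
            outstanding.add((sip, sport, dip, dport))
        elif flags == "SA" and ipaddress.ip_address(dip) in ours:
            if (dip, dport, sip, sport) not in outstanding:
                unsolicited[sip] += 1
    return {ip: n for ip, n in unsolicited.items() if n >= min_repeats}


# Constructed: traffic leaving customer 192.0.2.0/24. Two SYNs carry 203.0.113.5,
# a victim's address, as their source.
EDGE_LOG = [
    "0.000 192.0.2.10:40000 > 93.184.216.34:80 S",
    "0.010 192.0.2.11:40001 > 93.184.216.34:443 S",
    "0.020 203.0.113.5:1024 > 198.51.100.1:179 S",
    "0.030 192.0.2.10:40000 > 93.184.216.34:80 A",
    "0.040 203.0.113.5:1025 > 198.51.100.2:179 S",
]

# Constructed: traffic at the border of 198.51.100.0/24 while it is the victim.
# One handshake is ours; two routers keep retransmitting SYN/ACKs we never asked for.
VICTIM_LOG = [
    "0.000 198.51.100.20:50000 > 93.184.216.34:80 S",
    "0.050 93.184.216.34:80 > 198.51.100.20:50000 SA",
    "0.100 203.0.113.1:179 > 198.51.100.20:1024 SA",
    "0.100 203.0.113.2:179 > 198.51.100.20:1025 SA",
    "0.900 203.0.113.9:22 > 198.51.100.20:3333 SA",
    "3.100 203.0.113.1:179 > 198.51.100.20:1024 SA",
    "3.100 203.0.113.2:179 > 198.51.100.20:1025 SA",
    "9.100 203.0.113.1:179 > 198.51.100.20:1024 SA",
    "9.100 203.0.113.2:179 > 198.51.100.20:1025 SA",
    "21.100 203.0.113.1:179 > 198.51.100.20:1024 SA",
    "21.100 203.0.113.2:179 > 198.51.100.20:1025 SA",
    "45.100 203.0.113.1:179 > 198.51.100.20:1024 SA",
    "45.100 203.0.113.2:179 > 198.51.100.20:1025 SA",
]

if __name__ == "__main__":
    kept, spoofed = edge_filter(EDGE_LOG, ["192.0.2.0/24"])
    print(f"edge filter dropped {len(spoofed)} spoofed packet(s)")
    print("reflectors aimed at us:", unsolicited_synacks(VICTIM_LOG, "198.51.100.0/24"))
```

The edge filter drops exactly the two SYNs whose source is outside the customer's prefix, and the victim-side check names the two routers whose SYN/ACKs were retransmitted at us while ignoring the one stray SYN/ACK and the reply to our own SYN. The threshold matters: a single unsolicited SYN/ACK is ordinary backscatter from someone else's spoofing, while repeated ones from the same host on the same port are the signature of a reflector being aimed at you.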
Questions?