Denial of Service

• DoS attacks try to deny legitimate users access to services,
networks, systems or other resources.
• Ready-made DoS tools are available, so DoS is relatively easy.
Attackers often consider DoS the last resort, since it is
nearly always possible.
• DoS may be carried out in order to force the administrators to
restart a system, which enables some other attack.
• Types of DoS attacks in the Internet:
– Bandwidth consumption
– Resource starvation
– Programming flaws
– Routing and DNS attacks
• DoS is a problem in networks where a small number of
sources can generate a large amount of traffic, especially if
there is no admission control.
Denial of Service
• Most DoS attacks in the Internet exploit errors in protocols.
DDoS attacks do not, and they are the most dangerous.
• Protocol errors can perhaps be removed; DDoS attacks cannot.
• DoS attacks can be divided into simple DoS and
Distributed DoS (DDoS) attacks.
• Simple DoS examples:
– Ping of Death
– Land attack
– Teardrop
– SYN flood
– Smurf attack
• DDoS attack examples:
– Trin00, TFN, TFN2k, Stacheldraht
Denial of Service
• How could one protect the Internet against denial of service?
• How is it done in PSTN?
– call admission control (CAC)
– distributing traffic as a way to resolve congestion
– focused overloads: congestion control
• ACG, window mechanisms, percent thinning
– problems in concentrators
– why do these work in PSTN (ISDN) but will not work in the
Internet?
• How is it done in B-ISDN?
– A Source Traffic Descriptor is available for every source
(almost as in PSTN), but a small number of sources can
demand much bandwidth. Still, CAC protects from DoS.
– Why does this almost work there but will not work in the Internet?
Denial of Service
• Authenticate traffic (by IPsec etc.)
– Does it stop spoofing? Can attacking computers be located by IP
address? No!
• Then the attacker can make DoS by offering so much work to be
authenticated that the computer checking authentication is jammed.
• That is, you can make DoS in several ways. To overload network
elements you can use:
– traffic
– processing
– protocol timers, protocol behavior
• Currently people think that a DoS attack using processing can be
stopped with the cookie method. Is this true?
• What about port hopping? Could this work with routing
protocols?
Denial of Service
• Active network DoS prevention: agents move upstream,
close to the attackers, and program routers to discard the traffic.
• How does this work with IP address spoofing?
• Priority is always good:
• Run communications at lower priority than internal processes;
fine, the computer stays responsive, but then communications
are congested.
• One possibility: recognize an attack by looking at target
addresses; if there is much traffic to one target, the router puts
that traffic into a lower Diffserv class.
• We can detect an increase of traffic by observing queue length in
routers, then count which targets receive much traffic within some
time window, and conclude that it looks like DoS.
• (DDoS version: traffic comes from many sources. Routers could
exchange information on which 10 targets are most popular.)
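The target-counting heuristic from the slide, as an added example that is not part of the original lecture notes: traffic is bucketed per destination over a time window, a baseline byte count stands in for the router's queue-length trigger, suspected targets are mapped to a lower Diffserv class, and the DDoS variant merges the top-k lists of several routers. The flow records, the baseline value and the class names are constructed for the demonstration.

```python
from collections import Counter

# Constructed flow records (timestamp s, src, dst, bytes); not captured traffic.
FLOWS = [
    (0.5, "192.0.2.10", "10.0.0.5", 1500),
    (1.0, "192.0.2.11", "10.0.0.5", 1500),
    (1.2, "192.0.2.12", "10.0.0.5", 1500),
    (2.0, "192.0.2.13", "10.0.0.5", 1500),
    (2.5, "192.0.2.20", "10.0.0.7", 500),
    (3.0, "192.0.2.14", "10.0.0.5", 1500),
    (3.5, "192.0.2.21", "10.0.0.9", 300),
    (12.0, "192.0.2.20", "10.0.0.7", 500),   # falls in the next window
]


def window_counts(flows, t0, width):
    """Bytes per destination within the time window [t0, t0 + width)."""
    counts = Counter()
    for ts, _src, dst, nbytes in flows:
        if t0 <= ts < t0 + width:
            counts[dst] += nbytes
    return counts


def suspect_targets(counts, baseline_bytes, share=0.5):
    """Targets attracting at least `share` of a window whose total volume
    exceeds the baseline; the baseline stands in for the queue-length trigger."""
    total = sum(counts.values())
    if total <= baseline_bytes:
        return []                       # no overload, so no verdict
    return sorted(dst for dst, b in counts.items() if b / total >= share)


def diffserv_class(dst, suspects):
    """Traffic to a suspected target is moved to a lower class (names assumed)."""
    return "lower-priority" if dst in suspects else "best-effort"


def merge_top_targets(per_router, k=10):
    """DDoS variant: each router contributes its top-k destinations; the merged
    ranking exposes a target fed from many sources that no single router saw."""
    merged = Counter()
    for counts in per_router:
        merged.update(dict(counts.most_common(k)))
    return merged.most_common(k)
```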
Denial of Service
• The Diffserv priority idea mentioned above has not been tried yet;
maybe it could work?
• Back to existing methods:
• If the attacker is using known DoS tools, recognize the traffic
generated by them; but then the protection will not work against
new tools.
• Attacks against protocols (TCP SYN flood) can be mitigated
by decreasing timers or by improving the protocol, but the
timers are there for a reason, so they cannot be set to
zero. This method will not solve the problem completely.
• Restrict the amount of traffic a source can send, but is it any
more the Internet we like? (Then we could as well go to B-ISDN, or to
other connection-oriented networks.)
• Require an STD (Source Traffic Descriptor, Tspec etc.), but this
will lead us to ATM.
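The two SYN-flood defences the slides weigh against each other, the cookie method and shorter timers on the half-open table, as an added example that is not part of the original lecture notes: a stateless SYN cookie keeps a coarse time counter in the top ISN bits and a keyed hash of the 4-tuple in the rest, so the server stores nothing until the ACK validates, whereas the bounded backlog shows why a timer cut too short starts rejecting slow but legitimate clients. The secret, the 5-bit counter layout and the HMAC-SHA256 construction are assumptions of this demonstration, not a particular stack's implementation.

```python
import hmac
import hashlib
import struct

# Constructed demo secret; a real stack keeps this private and rotates it.
SECRET = b"constructed-demo-secret"
COUNTER_BITS = 5                        # top 5 ISN bits carry a coarse time counter
CMASK = (1 << COUNTER_BITS) - 1
HMASK = (1 << (32 - COUNTER_BITS)) - 1  # low 27 bits carry the keyed hash


def _mac(src, dst, sport, dport, ctr):
    """Keyed hash over the 4-tuple and counter, truncated to the low ISN bits."""
    msg = f"{src}|{dst}|{sport}|{dport}|{ctr}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & HMASK


def make_cookie(src, dst, sport, dport, counter):
    """ISN for the SYN-ACK; nothing about this SYN is stored on the server."""
    ctr = counter & CMASK
    return (ctr << (32 - COUNTER_BITS)) | _mac(src, dst, sport, dport, ctr)


def check_cookie(cookie, src, dst, sport, dport, now_counter, max_age=1):
    """Accept the returning ACK only if the cookie is recent and the MAC matches."""
    ctr = cookie >> (32 - COUNTER_BITS)
    if (now_counter - ctr) & CMASK > max_age:
        return False                    # stale: only the last few counter ticks count
    expected = _mac(src, dst, sport, dport, ctr)
    return hmac.compare_digest(struct.pack(">I", cookie & HMASK),
                               struct.pack(">I", expected))


class StatefulBacklog:
    """Classic half-open table: bounded entries, each expiring after `timeout` s."""

    def __init__(self, size, timeout):
        self.size, self.timeout, self.pending = size, timeout, {}

    def syn(self, now, key):
        """True if the SYN got a backlog slot, False if the table was full."""
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout}
        if len(self.pending) >= self.size:
            return False
        self.pending[key] = now
        return True

    def ack(self, now, key):
        """A third-handshake ACK completes only if its entry has not expired."""
        t = self.pending.pop(key, None)
        return t is not None and now - t < self.timeout
```

Shrinking `timeout` frees slots faster but makes `ack` fail for any client whose ACK arrives after the cut-off, which is the trade-off the slide describes; the cookie path has no table to fill.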
Denial of Service
• What about DoS made by dropping packets? This is always
possible unless the network is secure.
• A secure network leads to operator networks; again it is not the
Internet.
• Agent-based Intruder Response Systems: these have been
tried and they have worked. It means intrusion detection and
blocking or reducing the priority of the attacker's traffic.
• Block the ports, then no attacks are possible. This will protect
some sites, but cannot protect Web servers which
anonymous users should be able to access.
• The same problem applies to authentication: if anybody can
access a web server, authentication is no good since
attackers must also be able to access it. We cannot know which
of the users are attackers, and all must have the right to
access, get credentials etc.
Denial of Service
• Load balancing cannot protect sites which are
not duplicated. Currently services are being developed on
Parlay APIs etc. These will be centralized resources. Load
balancing will not help even though there is CORBA under
Parlay.
• Load balancing does not work that well either. In some
cases it works: multiprocessor service systems which are
not easily congested, but then it is simply a matter of increasing
the load.
• Use the police: locate and catch the attackers. This is a slow
process and can work within a society, but does not protect the
country from terrorists or foreign powers (as you cannot
catch them with the police, and the attack does not need to last
long).
Denial of Service
• Dimension the network so that there is a bottleneck resource (a link of limited
capacity, a slow router etc.) in front of your network.
• The bottleneck resource gets congested; the rest of your network
works fine.
• This works, but you lose communication possibilities. It is
certainly not a protection for Web servers etc.
• Summary: DoS problems in the Internet are caused by the
connectionless operation, where a user can send any amount of
data without reserving network resources.
• If one user could only send a limited amount of traffic, like in
PSTN, making DoS would be harder.
• If the end systems were not so easily hacked we would not have
so large a problem, but even a small number of sources can
create congestion. In the Internet there will always be many
unsafe computers that can be used for DDoS.
Denial of Service
• Individual attacks, like TCP SYN flooding, ICMP-based DoS
attacks etc., can be alleviated by tuning protocols, but this will
not solve the DDoS problem.
• I think one could try two ways.
• 1. Intruder response systems, which recognize an attack and
respond by blocking traffic or by lowering priority.
• 2. Change to a connection-oriented network where there is
connection admission control, traffic spreading by alternative
routing, and congestion control mechanisms.
• To solve DoS by dropping packets, the solution can
only be a closed network: operators run the network and the
routers in the core, packets do not wander anywhere as they
do in the Internet, and the network has a far better management
system.
• Case 2 is not the Internet. Try whether case 1 works.