Denial of Service
• DoS attacks try to deny legitimate users access to services, networks, systems or other resources.
• There are DoS tools available, thus DoS is relatively easy. Hackers often consider DoS as the last resort, which usually is always possible.
• DoS may be made in order to force the administrators to restart a system, which enables some other attack.
• Types of DoS attacks in the Internet:
– Bandwidth consumption
– Resource starvation
– Programming flaws
– Routing and DNS attacks
• DoS is a problem in networks where a small number of sources can generate a large amount of traffic, especially if there is no admission control.

Denial of Service
• Most DoS attacks in the Internet use errors in protocols. DDoS attacks do not, and they are the most dangerous.
• Maybe the errors can be removed; DDoS attacks cannot.
• DoS attacks can be divided into simple DoS and Distributed DoS (DDoS) attacks.
• Simple DoS examples:
– Ping of Death
– Land attack
– Teardrop
– SYN flood
– Smurf attack
• DDoS attack examples:
– Trin00, TFN, TFN2k, Stacheldraht

Denial of Service
• How could one protect the Internet against denial of service?
• How is it done in PSTN?
– call admission control (CAC)
– distributing traffic as a way to resolve congestion
– focused overloads: congestion control
• ACG, window mechanisms, percent thinning
– problems in concentrators
– why will these not work in the Internet but work in PSTN (ISDN)?
• How is it done in B-ISDN?
– A Source Traffic Descriptor is available for every source (almost as in PSTN), but a small number of sources can demand much bandwidth. Still, CAC protects from DoS.
– Why does this almost work, but will not work in the Internet?

Denial of Service
• Authenticate traffic (by IPsec etc.) – stops spoofing? Attacking computers can be located by IP address? No!
• Then the attacker can make DoS by offering so much processing that a computer checking authentication is jammed.
• This is: you can make DoS in several ways. To overload network elements you can use
– traffic
– processing
– protocol timers, protocol behavior
• Currently people think a DoS attack using processing can be stopped with the cookie method. Is this true?
• What about port hopping? Could this work with routing protocols?

Denial of Service
• Active network DoS prevention: agents move upstream close to the attackers and program routers to discard traffic.
• How does this work with IP address spoofing?
• Priority is always good:
• Communications on lower priority than internal processes: fine, the computer stays responsive, but then communications are congested.
• One possibility: recognize an attacker by looking at target addresses; if there is much traffic to one target, the router puts that traffic into a lower Diffserv class.
• We can detect an increase of traffic by observing queue length in routers, then count to which targets much traffic is directed in some time window, and conclude that it looks like DoS.
• (DDoS version: traffic comes from many sources. One could have routers exchanging information on which 10 targets are most popular.)

Denial of Service
• The mentioned Diffserv priority idea has not been tried yet; maybe it could work?
• Back to existing methods:
• If the attacker is using known DoS tools, recognize the traffic generated by them, but then the protection will not work against new tools.
• Attacks against protocols (TCP SYN flood) can be solved by decreasing timers, or by improving the protocol, but the timers are there for some reason so they cannot be set to zero. This method will not solve the problem completely.
• Restrict the amount of traffic a source can send, but is it any more the Internet we like? (Then we could go to B-ISDN, or to other connection-oriented networks.)
• Require an STD (Source Traffic Descriptor, Tspec etc.), but this will lead us to ATM.
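The "cookie method" the slides ask about is the SYN-cookie idea: the server derives its initial sequence number from the client's address, port, ISN and a coarse time slot under a secret, so it keeps no per-request state until the third handshake packet returns a cookie that recomputes correctly. The following is an added illustration, not code from the slides; the secret, the 64-second slot, the helper names and the constructed addresses are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed illustration of a stateless, SYN-cookie style handshake. The
# secret, slot length and helper names are assumptions, not from the slides.
SECRET = os.urandom(32)   # server-side secret; rotated periodically in practice
SLOT_SECONDS = 64         # how long an issued cookie stays acceptable


def _slot(now: float) -> int:
    """Coarse time counter mixed into the cookie so that old cookies expire."""
    return int(now) // SLOT_SECONDS


def make_cookie(client_ip: str, client_port: int, client_isn: int, now: float) -> int:
    """Server ISN derived from the client's identity, its ISN and the time slot.
    Because it can be recomputed, the server stores nothing per half-open request."""
    msg = f"{client_ip}|{client_port}|{client_isn}|{_slot(now)}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")   # fits a 32-bit TCP sequence number


def check_cookie(client_ip: str, client_port: int, client_isn: int,
                 cookie: int, now: float) -> bool:
    """Accept a cookie minted in the current or the previous time slot."""
    for back in (0, SLOT_SECONDS):
        expected = make_cookie(client_ip, client_port, client_isn, now - back)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


class StatelessListener:
    """Allocates connection state only after the third packet carries a valid
    cookie; a flood of first packets therefore allocates nothing."""

    def __init__(self) -> None:
        self.established: dict[tuple[str, int], dict] = {}
        self.half_open = 0        # stays 0 by construction: no half-open table
        self.verifications = 0    # each check still costs one HMAC: the residual cost

    def on_syn(self, ip: str, port: int, isn: int, now: float) -> int:
        # Answer with a SYN-ACK whose sequence number is the cookie; store nothing.
        return make_cookie(ip, port, isn, now)

    def on_ack(self, ip: str, port: int, isn: int, ack_cookie: int, now: float) -> bool:
        self.verifications += 1
        if not check_cookie(ip, port, isn, ack_cookie, now):
            return False          # forged or expired: still no state allocated
        self.established[(ip, port)] = {"client_isn": isn, "server_isn": ack_cookie}
        return True


def flood_then_connect(n_spoofed: int, now: float = 1_000_000.0):
    """n_spoofed never-completed first packets from constructed addresses,
    followed by one honest client that finishes the handshake."""
    srv = StatelessListener()
    for i in range(n_spoofed):
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, i, now)
    cookie = srv.on_syn("192.0.2.10", 40000, 12345, now)
    ok = srv.on_ack("192.0.2.10", 40000, 12345, cookie, now + 1)
    return srv, cookie, ok
```

The answer to the slide's question follows from `verifications`: the cookie removes the memory cost of half-open connections, but every third packet, genuine or forged, still costs one MAC computation, so an attacker who targets processing rather than state is slowed down, not stopped.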
Denial of Service
• What about DoS made by dropping packets? This is always possible unless the network is secure.
• A secure network leads to operator networks; again, it is not the Internet.
• Agent-based Intruder Response Systems: these have been tried and they have worked. It means intruder detection and blocking or reducing the priority of the attacker's traffic.
• Block the ports - then no attacks are possible. This will protect some sites, but cannot protect Web servers which anonymous users should be able to access.
• The same problem exists with authentication: if anybody can access a web server, authentication is no good since attackers also must be able to access it. We cannot know which of the users are attackers, and all must have the right to access, get credentials etc.

Denial of Service
• Load balancing: this cannot protect sites which are not duplicated. Currently services are being developed on Parlay APIs etc. These will be centralized resources. Load balancing will not help even though there is CORBA under Parlay.
• Load balancing does not work that well either. In some cases it works: multiprocessor service systems which are not easily congested, but then it is simply a matter of increasing the load.
• Use the police: locate and catch the attackers. This is a slow process and can work within a society, but does not protect the country from terrorists or foreign powers (as you cannot catch them by police, and the attack does not need to last long).

Denial of Service
• Dimension so that there is a bottleneck resource (link of limited capacity, slow router etc.) before your network.
• The bottleneck resource gets congested; the rest of your network works fine.
• This works, but you lose communication possibilities. It is certainly not a protection for Web servers etc.
• Summary: DoS problems in the Internet are caused by the connectionless operation, where a user can send any amount of data without reserving network resources.
• If one user could only send a limited amount of traffic, like in PSTN, making DoS would be harder.
• If the end systems were not so easily hacked we would not have so large a problem, but even a small number of sources can create congestion. In the Internet there will always be many unsafe computers that can be used for DDoS.

Denial of Service
• Individual attacks, like TCP SYN flooding, ICMP-based DoS attacks etc., can be alleviated by tuning protocols, but this will not solve the DDoS problem.
• I think one could try two ways.
• 1. Intruder response systems, which recognize an attack and respond by blocking traffic or by lowering its priority.
• 2. Change to a connection-oriented network where there is connection admission control, traffic spreading by alternative routing, and congestion control mechanisms.
• In order to solve DoS by dropping packets, the solution can only be a closed network: operators run the network and the routers in the core, packets do not wander anywhere as they do in the Internet, and the network has a far better management system.
• Case 2 is not the Internet. Try if case 1 works.
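Case 1 above, together with the earlier Diffserv idea (watch for a traffic increase, count in a time window which targets receive most of it, and lower the priority of that traffic rather than drop it), can be sketched as a small monitor. This is an added example, not the course's or any product's code: the flow records are constructed, the addresses come from documentation ranges, the thresholds and the choice of DSCP CS1 as the lower-effort class are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One constructed flow record, as a router or collector might export it."""
    ts: float      # seconds
    src: str
    dst: str
    nbytes: int


class TargetMonitor:
    """Sliding-window per-target byte counter. A target is suspect when the
    window's total is large (the 'queue is growing' signal) and that target
    alone absorbs at least share_threshold of all bytes in the window."""

    def __init__(self, window: float = 10.0, share_threshold: float = 0.5,
                 min_bytes: int = 1_000_000) -> None:
        self.window = window
        self.share_threshold = share_threshold
        self.min_bytes = min_bytes
        self._flows: deque[Flow] = deque()
        self._per_dst: dict[str, int] = defaultdict(int)
        self._total = 0

    def observe(self, flow: Flow) -> None:
        self._flows.append(flow)
        self._per_dst[flow.dst] += flow.nbytes
        self._total += flow.nbytes
        self._expire(flow.ts)

    def _expire(self, now: float) -> None:
        # Drop records that have fallen out of the time window.
        while self._flows and self._flows[0].ts < now - self.window:
            old = self._flows.popleft()
            self._per_dst[old.dst] -= old.nbytes
            self._total -= old.nbytes
            if self._per_dst[old.dst] == 0:
                del self._per_dst[old.dst]

    def top_targets(self, n: int = 10) -> list[tuple[str, int]]:
        """The 'which 10 targets are most popular' list from the slides."""
        return sorted(self._per_dst.items(), key=lambda kv: kv[1], reverse=True)[:n]

    def suspects(self) -> list[tuple[str, int, int]]:
        """(target, bytes, distinct sources) for targets over the share threshold."""
        if self._total < self.min_bytes:
            return []
        found = []
        for dst, nbytes in self.top_targets():
            if nbytes / self._total >= self.share_threshold:
                sources = {f.src for f in self._flows if f.dst == dst}
                found.append((dst, nbytes, len(sources)))
        return found


def respond(suspects: list[tuple[str, int, int]], many_sources: int = 10) -> dict[str, str]:
    """Response policy: remark the target's traffic to a lower Diffserv class
    instead of dropping it, so legitimate users keep a degraded service.
    Many distinct sources to one target is labelled DDoS-like (assumption)."""
    actions = {}
    for dst, _nbytes, n_src in suspects:
        kind = "ddos-like" if n_src >= many_sources else "dos-like"
        actions[dst] = f"{kind}: remark to lower-effort class (DSCP CS1)"
    return actions


def background_flows() -> list[Flow]:
    """Constructed normal traffic: 20 clients spread evenly over 5 servers."""
    return [Flow(i * 0.1, f"198.51.100.{i % 20}", f"203.0.113.{i % 5}", 20_000)
            for i in range(50)]


def attack_flows() -> list[Flow]:
    """Constructed flood: 60 distinct sources all aimed at one server."""
    return [Flow(5.0 + j * 0.05, f"192.0.2.{j}", "203.0.113.7", 50_000)
            for j in range(60)]


def analyze(flows: list[Flow]):
    """Feed records into a fresh monitor and return (suspects, actions)."""
    mon = TargetMonitor()
    for f in flows:
        mon.observe(f)
    s = mon.suspects()
    return s, respond(s)
```

With only the background records the monitor stays quiet (every server holds 20% of the window), and once the flood is added the single target holds 75% of the bytes from 60 sources and is remarked rather than blocked; the same counters would feed the "routers exchanging their top-10 lists" extension from the DDoS slide.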