Denial of Service Attacks
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

Outline
- Introduction
- Types of denial of service
  - Protocol based
    - ICMP based denial of service attack
    - DHCP based denial of service attack
  - Logic based
  - Flood based
    - SYN flood denial of service attacks
- Distributed denial of service attacks
- Defense mechanisms

Denial of Service
- Making a resource unavailable, or deliberately withholding it to make it unavailable
- Examples:
  1. Deliberate calls made to a person so that he spends a lot of time just answering them
  2. Putting a road blocker so that no vehicles are able to use a particular road
  3. Cutting a fiber cable and disrupting the communication
- Denial of service occurs in many situations; here we particularly study denial of service related to computers and data networks
- Ex. SBI online banking service going offline

History of Denial of Service
- In Dec 1987 an employee of IBM sent an email greeting for Christmas. The message had malicious code in it which automatically sent copies of itself to everyone in the recipient's contact book; the IBM mail server ran out of memory
- Many DoS attacks of the 90s were simple and launched from a single computer
  - In 1997 – trinoo
  - In 1998 – TFN
  - In 2000 – TFN2K
- The year 2000 witnessed several massive-scale attacks on sites like Yahoo, Amazon, eBay and CNN.com
- American government and military sites have experienced attacks in the past
- Most recently the WikiLeaks site had a massive DoS attack against its web server

ICMP based Denial of Service
- ICMP messages are used for sending error messages
- They are also used for status information
- The PING utility uses ICMP ECHO REQUEST and ICMP ECHO REPLY messages
- In this case a powerful machine can send too many ping messages and hog a slower machine
- One of the earliest discovered attacks in networks
- Normally ping reply messages are more than the request messages

Smurf Attack
(diagram slide)

Smurf Attack
- A variation of the ICMP based attack
- Normally happens due to a misconfigured network: many networks allow ICMP broadcast request messages
- An attacker creates an ECHO REQUEST message with a spoofed source IP address (the IP of a victim) and sends it to the broadcast address
- Every machine on the network hears the ping message
- All the replies go to the victim instead of the attacker
- For the victim all these are unsolicited messages
- It spends a significant amount of processing power, memory and time handling these ping replies
- It cannot do any useful computation, thereby denying service to users

DHCP Operation
(diagram slide)

DHCP Starvation Attack
- Consuming the IP address space allocated by a DHCP server
- An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
- The DHCP server leases its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients
- Leads to DoS
- Can easily be achieved with tools such as gobbler
- Prevention: do not allow more than a certain number of requests per port

Flooding based Denial of Service
- Send too many packets to overwhelm the recipient
- The victim spends a lot of time responding and processing
- There are different types of flooding attacks: SYN flood, UDP flood, random flood

SYN Flood Attack
- Uses TCP connections
- Obviously too many of them, to make the victim unresponsive

Three-way Handshake
- Initialize sequence numbers for a new connection (SEQ1, SEQ2)
  C -> S: SYN, SEQ1                    (S: LISTEN -> SYN_RCVD, resources allocated)
  S -> C: SYN, SEQ2 + ACK, SEQ1+1
  C -> S: ACK, SEQ2+1                  (CONNECTED)
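Returning to the Smurf attack slides above: from the victim's side the symptom is a flood of ECHO REPLY messages it never asked for, from many different hosts. The detection logic below is added here as an illustration (it is not part of the original lecture); it matches every reply against an earlier request from the same host and flags hosts that receive many unsolicited replies from many distinct repliers. The ICMP records are constructed inline, not captured traffic.

```python
from collections import defaultdict

# Constructed ICMP records: (timestamp, src, dst, icmp_type), with RFC 792 type codes
# 8 = ECHO REQUEST and 0 = ECHO REPLY. One normal ping, then one request sent to the
# broadcast address with the victim 203.0.113.7 as spoofed source, then 50 replies to it.
RECORDS = [
    (1.0, "10.0.0.5", "10.0.0.9", 8),
    (1.1, "10.0.0.9", "10.0.0.5", 0),
    (2.0, "203.0.113.7", "10.0.0.255", 8),
] + [(2.01 + i * 0.001, f"10.0.0.{i}", "203.0.113.7", 0) for i in range(10, 60)]


def unsolicited_replies(records, window=5.0):
    """Return ({victim: unsolicited reply count}, {victim: distinct repliers}).

    A reply from src to dst is solicited only if dst itself sent a request to src
    within `window` seconds. A spoofed request to the broadcast address does not
    count, because the replies come from hosts the victim never pinged."""
    pending = defaultdict(list)      # (requester, target) -> request timestamps
    unsolicited = defaultdict(int)
    repliers = defaultdict(set)
    for ts, src, dst, typ in sorted(records):
        if typ == 8:
            pending[(src, dst)].append(ts)
        elif typ == 0:
            matching = [t for t in pending[(dst, src)] if ts - t <= window]
            if matching:
                pending[(dst, src)].remove(matching[0])   # consume one request
            else:
                unsolicited[dst] += 1
                repliers[dst].add(src)
    return dict(unsolicited), {k: len(v) for k, v in repliers.items()}


def smurf_suspects(records, min_replies=20, min_repliers=10):
    """Hosts receiving many unsolicited replies from many distinct senders: the
    amplification signature of a Smurf attack (one spoofed request, many repliers)."""
    counts, distinct = unsolicited_replies(records)
    return sorted(v for v in counts
                  if counts[v] >= min_replies and distinct[v] >= min_repliers)
```

The thresholds are illustrative; on a real network they would be tuned against the normal ping volume seen by monitoring hosts.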
How SYN Flooding Attack Works?
- A client connecting to a TCP port uses spoofed addresses
- Resources are allocated for every half-open connection
- There is a limit on the number of half-open connections
  Attacker -> Victim: SYN (spoofed source)
  Victim -> spoofed source: SYN + ACK
  Attacker -> Victim: SYN (spoofed source)
  Victim -> spoofed source: SYN + ACK
  Attacker -> Victim: SYN (spoofed source)
  Victim -> spoofed source: SYN + ACK
  Victim: "I have ACKed these connections but I have not received an ACK back!"

Types of SYN Floods
- Direct attack
  - Use your own machine to send SYN packets
  - Need to somehow make the OS not respond to the SYN-ACK packets coming from the server
  - The connect() socket call can be used to do this kind of attack
- Spoofing based attack
  - Hides the identity of the attacker
  - Shields the attacker from receiving SYN-ACKs
  - The spoofed source should not respond to the SYN-ACK; it should not respond in any way
  - It is more effective if a non-existent IP address is chosen
  - Ingress and egress filtering can be a deterrent

Distributed Denial of Service
(diagram slide)

Transmission Control Block
- The TCB is a data structure holding connection resources in many operating systems
- The state of a connection is stored in this data structure
- How much memory does each TCB take?
  - The actual memory footprint depends on the implementation
  - Usually it is more than 280 bytes
  - In some OSs it is 1300 bytes
- A TCB is created upon arrival of a SYN packet, i.e., before a legitimate connection is established
- This opens scope for denial of service

SYN Flood Attack Parameters
- A TCB becomes inactive or is deleted after a timeout, called the backlog
- Different OSs use different timeouts
- How does knowing the timeout help?
  - Send a burst of SYN packets once, exhaust memory at the victim and wait till the timeout
  - Periodically send such bursts, with a period equal to the timeout
- The default backlog timeout is 1028 seconds
- You can change the value

Shrew Attacks
- Works on TCP
- Adds some intelligence to the SYN flooding attack
- TCP waits for some time before retransmitting lost packets
- Use this timing to generate a large number of packets
- Many connections drop
- Repeat the flood after the RTT time
Other Flooding based DoS Attacks
- UDP flood – send many UDP packets to the target
- ICMP flood – send many ICMP packets to the target
- Random flood – send randomly generated packets

Symptoms of Manifestation
- Slow network performance
- Non-availability of certain online services and websites
- Increase in the amount of useless network traffic
- Consistently new IP addresses showing up
- Unusually high number of packets from a source
- Disconnection of a wired or wireless connection

Logic Based DoS : User Specified Object Allocation
    // The request parameter decides the array size; no upper bound is checked – wrong!
    String TotalObjects = request.getParameter("numberofobjects");
    int NumOfObjects = Integer.parseInt(TotalObjects);
    ComplexObject[] anArray = new ComplexObject[NumOfObjects];

Logic Based DoS : User Input as a Loop Counter
    public class MyServlet extends ActionServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            ...
            String[] values = request.getParameterValues("CheckboxField");
            // Process the data without a length check for a reasonable range – wrong!
            for (int i = 0; i < values.length; i++) {
                // lots of logic to process the request
            }
            ...
        }
        ...
    }

Other Logic based Denial of Service Attacks – appeared around 2000
- Teardrop – send oversized fragments which overlap each other
  - Crashed many OSs in the past
- Land – send an IP packet with the same source and destination IP address
  - Many OSs crashed
  - On a router it can create a loop consuming a lot of processing power and bandwidth
  (diagram: source 10.10.10.10 -> destination 10.10.10.10)

Defending SYN Flood Attacks
- End host mechanisms
  - Increase the backlog period
    - More open connections means refusal of new requests; slightly counter-intuitive
  - SYN cache – initially do not create a full-fledged TCB
  - SYN cookie – completely stateless: do not create any state or TCB till the connection is completely established
    - Make the initial sequence number a function of parameters of the packet
- Almost all IP spoofing mitigation techniques will also help mitigate DoS attacks

Playing With /proc Parameters
- /proc is a virtual file system created by the kernel when it boots
- Has different data structures and information gathered from the kernel at runtime
- Several configurable and non-configurable parameters are there
- /proc/sys/net/ipv4 contains all the configurable settings for the IPv4 stack, including TCP, UDP, ICMP and ARP tunable settings

Playing With /proc Parameters
- tcp_abort_on_overflow – 1000
- tcp_adv_win_scale – amount of socket buffer space to be used for the TCP window size
- tcp_fin_timeout – 60 seconds; how long to wait for an acknowledgement of a FIN request
- tcp_keepalive_probes – 50; tells the kernel how many TCP keepalive probes to send out before it decides a specific connection is broken
- tcp_keepalive_intvl – tells the kernel how long to wait for a reply on each keepalive probe
- tcp_keepalive_time – 7200 seconds, or 2 hours; how often to send TCP keepalive packets to keep a connection alive if it is currently unused
- tcp_max_orphans – 8192; tells the kernel how many TCP sockets that are not attached to any user file handle to maintain

Playing With /proc Parameters
- tcp_max_syn_backlog – 1028; how many SYN requests to keep in memory for which we have yet to get the third packet of the 3-way handshake
- tcp_syncookies – 0/1; used to send out so-called syncookies to hosts when the kernel's SYN backlog queue for a specific socket overflows
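The model below ties together the TCB/backlog slides and the SYN cookie defense: a stateful backlog that allocates a TCB per SYN and refuses new SYNs once full versus a cookie that encodes the packet's 4-tuple and a time counter into the initial sequence number, so the server keeps no state until the third packet proves the handshake. It is added here as an illustration and is not code from the lecture or from any real TCP stack; the cookie layout (8-bit counter in the top byte, 24-bit truncated HMAC below it), the secret and the addresses are constructed for the example.

```python
import hmac, hashlib
from collections import OrderedDict

SECRET = b"constructed-secret-for-this-example"  # hypothetical; a real stack uses per-boot random bytes

def syn_cookie(src, dst, sport, dport, t):
    """Mint a 32-bit ISN from the SYN's 4-tuple and an 8-bit time counter t:
    top byte = t, low 24 bits = truncated HMAC (simplified layout, not Linux's exact one)."""
    t &= 0xFF
    msg = f"{src}|{dst}|{sport}|{dport}|{t}".encode()
    low24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (t << 24) | low24

def check_syn_cookie(src, dst, sport, dport, ack, now, max_age=4):
    """Validate the third packet with no stored TCB: ack = ISN + 1, so recover the ISN,
    reject stale counters, recompute the cookie and compare in constant time."""
    isn = (ack - 1) & 0xFFFFFFFF
    t = isn >> 24
    if ((now - t) & 0xFF) > max_age:
        return False
    expected = syn_cookie(src, dst, sport, dport, t)
    return hmac.compare_digest(isn.to_bytes(4, "big"), expected.to_bytes(4, "big"))

class StatefulBacklog:
    """Classic design: one TCB per SYN, kept until the ACK arrives or the entry times out."""
    def __init__(self, max_syn_backlog, timeout, tcb_bytes=280):
        self.max, self.timeout, self.tcb_bytes = max_syn_backlog, timeout, tcb_bytes
        self.half_open = OrderedDict()  # 4-tuple -> arrival time, oldest first

    def on_syn(self, key, now):
        while self.half_open and now - next(iter(self.half_open.values())) > self.timeout:
            self.half_open.popitem(last=False)  # backlog timeout frees the oldest TCB
        if len(self.half_open) >= self.max:
            return False  # backlog full: this SYN is dropped, legitimate or not
        self.half_open[key] = now
        return True

    def on_ack(self, key):
        return self.half_open.pop(key, None) is not None

def compare_designs(n_spoofed=1028, backlog=1028, timeout=60):
    """Constructed scenario: n_spoofed half-open SYNs at t=0, then a real client at t=1.
    Returns (stateful_accepts_client, cookie_accepts_client)."""
    stateful = StatefulBacklog(backlog, timeout)
    for i in range(n_spoofed):  # spoofed sources never complete the handshake
        stateful.on_syn(("198.51.100.%d" % (i % 254 + 1), "192.0.2.10", 40000 + i, 80), 0)
    stateful_ok = stateful.on_syn(("192.0.2.77", "192.0.2.10", 51000, 80), 1)
    isn = syn_cookie("192.0.2.77", "192.0.2.10", 51000, 80, 1)  # no state kept for the SYN
    cookie_ok = check_syn_cookie("192.0.2.77", "192.0.2.10", 51000, 80, isn + 1, 1)
    return stateful_ok, cookie_ok
```

The price of the cookie is visible in the code: options carried in the SYN are not remembered, and a cookie older than max_age counter ticks is rejected, which is why Linux only switches to cookies when the backlog overflows (tcp_syncookies above).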