Defending against Flooding-Based Distributed Denial-of

advertisement
DDoS: Distributed Denial of Service
Cs5090: Advanced Computer Networks, fall 2004
Department of Computer Science
Michigan Tech University
Rock K. C. Chang
Byung Choi
Mark Schuchter
Outline




Introduction
The DDOS Problems
Solutions to the DDoS Problems
Conclusion
Introduction (cont.)

DoS : Denial of service attack.

System design weaknesses



Computationally intensive tasks


Ping of death
Teardrop
Encryption and decryption computation
DDoS attack ( Flooding-Based)

CPU, Memory, bandwidth exhaustion
DDoS: Typical attack preparation
1. prepare attack
Introduction
Why?
2. set up network
Timeline
How?
3. communication
Typ. UNIX atk
Typ. Windows atk
Why?
sub-cultural status
nastiness
revenge

Showing off
to gain access
economic reasons
political reasons
Introduction
Why?
Timeline
How?
Typ. UNIX atk
Typ. Windows atk
Timeline
<1999: Point2Point (SYN flood, Ping of death, ...), first distributed attack tools (‘fapi’)
1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption
2000: bundled with rootkits, controlled with talk or ÍRC
2001: worms include DDos-features (i.e. Code Red), include time synchro.,
2002: DrDos (reflected) attack tools, (179/TCP; BGP=Border Gateway Protocol)
2003: Mydoom infects thousands of victims to attack SCO and Microsoft
Introduction
Why?
Timeline
How?
Typ. UNIX atk
Typ. Windows atk
Development
binary encryption
“stealth” / advanced
scanning techniques
High
Tools
packet spoofing denial of service
distributed
attack tools
www attacks
automated probes/scans
GUI
sniffers
Intruder
Knowledge
back doors
disabling audits
network mgmt. diagnostics
hijacking
burglaries sessions
exploiting known vulnerabilities
Attack
Sophistication
password cracking
Attackers
password guessing
Low
1980
1985
1990
1995
2001
:
Source CERT/CC
Introduction
Why?
Timeline
How?
Typ. UNIX atk
Typ. Windows atk
Conversation between Moms




Mom1: I’m so proud of Mike. Apparently he’s
one of the world’s best at a new computer
game!
Mom2: Oh really! Which game?
Mom1: Something called “DDoS Attack”…
Mike: (Keeping clicking…)
DDoS Tools and Their Attack
Methods

Trin00
UDP
Tribe Flood Network UDP, ICMP, SYN, Smurf
Stacheldracht UDP, ICMP, SYN, Smurf
TFN 2K UDP, ICMP, SYN, Smurf
Shaft
UDP, ICMP, SYN

Trinity




UDP, SYN, RST, ACK
DDoS Problems : Direct Attacks

Send out a large number of attack packets
directly toward a victim


Packet types can be TCP, ICMP, UDP, or a
mixture of them.
TCP SYN attacks



Spoofed random source address of attack packets
The victim respond by sending back SYN-ACK
packets
Cause half-open connection  consume all the
memories for pending connections  unable to
accepting new requests.
Direct attack (cont.)
Direct Attacks (cont.)

To congest a victim’s incoming link.


The victims usually responds with RST packets
Sets up a DDoS attack network.

Attacker  attack hosts ( compromised machines)
 masters  agents  victim
Direct Attacks
Direct Attack Example: Trinoo




Discovered in August 1999
Daemons found on Solaris 2.x systems
Attack a system in University of Minnesota
Victim unusable for 2 days
Trinoo Attack type


UDP flooding
Default size of UDP packet: 1000 bytes



malloc() buffer of this size and send uninitialized
content
Default period of attack: 120 seconds
Destination port: randomly chosen from 0 –
65534
Reflector Attacks (cont.)



An attacker sends packets that require
responses to the reflectors with the packer’s
inscribed source addresses set to a victim’s
address.
The reflectors returns response packets to
the victim according to the types of the attack
packets.
Thus the reflected packets can flood the
victim’s link if the number of reflectors is large
enough.
Redirect Attacks (cont.)
Reflector Attacks (cont.)


Reflector behaves like a victim of SYN
flooding attacks, because it also maintain a
number of half-open connections.
SYN ACK flooding does not exhaust the
victim’s ability to accept new connections but
clog the victim’s network link.
Reflector Attacks
Reflector Attack Examples:
How Many Attack Packets Are Needed?
(cont.)
How Many Attack Packets Are Needed?
(cont.)

SYN flooding:



If each SYN packet is 84 bytes long (including the
Ethernet frame header and interframe gap)
a 56 kb/s connection is sufficient to stall both
Linux and BSD servers with N <= 6000
SYN ACK flooding:

A 1Mb/s connection is sufficient to stall all three
servers with N <= 10000.
How Many Attack Packets Are Needed?

In other flooding attacks aimed at jamming a
victim’s incoming link, an aggregated attack
traffic rate has to be at least 1.544 Mb/s to
jam a T1 link.


Direct ICMP flooding: 5000 agents ( 1 query/s)
Reflect ICMP flooding: 5000 reflector ( # of agents
can be much fewer, if each agent is responsible
for sending ICMP echo requests to a number of
reflectors.)
Solutions to the DDoS Problems (cont.)

Three lines of defense against the attack




Attack prevention and preemption( before the
attack)
Attack detection and filtering (during the attack)
Attack source traceback and identification (during
and after the attack)
Attack avoidance by victims
Attack prevention and preemption

On the passive side

Hosts may be securely protected from master and
agent implants.



Ultimate solution?
To monitor network traffic for known attack
messages sent between attackers.
On the active side

Cyber-informants and cyber spies to intercept
attack plans

for known attacks only?
Virus example (Wed. 03 Mar. 2004)






Hello User of mtu.edu-email server,
Our main mailing server will be temporarily
unavailable for next two days for regular
maintenance and upgrade. To continue receiving
mail in these days, please configure our autoforwarding service.
Further details can be obtained from attached file
For security purposes the file is password protected.
Your password is “00461”
Best Wishes,
MTU email service team!
Attack Source traceback and Identification

Two approach



For routers to record information
Send additional information
Two reason of infeasible stop an ongoing attack

Hard to trace packets’ origins



Hard to stop


Those behind firewall & NAT
Reflector attack
Scattered in various autonomous systems
Helpful in identifying the attacker and collecting for
post-attack law enforcement
Attack Detection and Filtering (cont.)


The detection part is responsible for
identifying DDoS attacks or attack packets
The filtering part is responsible for classifying
those packets and then dropping them ( ratelimiting is another possible action).
Attack Detection and Filtering (cont.)

Measure the effectiveness of the attack
detection and filtering



FPR ( false positive ratio): # of packets classified
as attack packets (positive) by a detection system
that are confirmed to be normal (negative) ,
FNR (false negative ratio): # of packets classified
as normal (negative) by a detection system that
are confirmed to be attack packets (positive),
NPSR (normal packet survival ratio):

The percentage of normal packets that can make their
way to the victim in the midst of a DDoS attack.
Attack Detection and Filtering (cont.)
Attack Detection and Filtering (cont.)

At Source Networks




ISP networks that are directly connected to source
networks can effectively ingress-filter spoofed
packets.
Can drop all attack packets in direct attacks and
all attack packets indirect attacks.
The attack agents can be traced easily in direct
attacks
Ensuring all ISP networks to install ingress
filtering is an impossible task in itself.
Attack Detection and Filtering (cont.)

At the Victim’s Network


A DDoS victim can detect a DDoS attack based
on an unusually high volume of incoming traffic or
degraded server and network performance.
IP hopping or the moving target defense:


A host frequently changes its IP address or changes its
IP address when a DDoS attack is detected.
To tackle SYN flooding attacks by proxying TCP
connection requests.
Attack Detection and Filtering (cont.)

At a victim’s Upstream ISP network




Victim network may send to an upstream ISP
router an intrusion alert message
Such intrusion alert protocol need to be design
carefully
The message also have to be protected by strong
authentication and encryption algorithms.
Similar to the victim networks, it isn’t effective to
filter attack packets.
Attack Detection and Filtering (cont.)

At further Upstream ISP networks


Packet filtering is pushed as upstream as possible
if ISP networks are willing to install packet filters
upon receiving intrusion alerts.
Attack avoidance by victims

Online task migration






Process
Thread
Object
CPU time depletion
Bandwidth depletion
Memory space depletion
Conclusion



Hard to design perfectly secure computers
and networks….
There are (will be) still many insecure areas
in the Internet today that can be
compromised to launch large-scale DDoS
attacks
Attack avoidance schemes at victims have
not been fully investigated!


Contributions are solicited!
Task migration on-the-fly
Download