comp 7320 internet security: prevention of ddos attacks by dack phillips

39
COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Upload: jasmine-tucker

Post on 27-Mar-2015

215 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

COMP 7320

Internet Security:

Prevention of DDoS Attacks

By Dack Phillips

Page 2: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Presentation Overview

What are DoS Attacks?

DoS Facts and Figures

Current Solutions

Problems

Proposed Solutions

Conclusions

References

Questions

Page 3: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

What are DoS Attacks?

A malicious attack that consumes “resources of remote hosts or networks denying or degrading service to legitimate users,” [11].

Page 4: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Types of DoS Attacks

Bandwidth Consumption

Program Flaw Exploitation

Resource Starvation

Routing/DNS Attacks

SYN Floods

DDoS Attacks

Page 5: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Bandwidth Consumption

A computer having more bandwidth floods a smaller server with packets. The smaller server can not respond to the overwhelming load.

A computer with small bandwidth convinces a network to flood a host with more bandwidth

- A 56 Kbps modem can take down a T1 line like this

Page 6: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Program Flaw Exploitation

An attacker sends an operating system, application, or hardware exceptional conditions that it can’t handle.

- OOB Port 139 on Windows 95 boxen

- F00FC7C8 Pentium Instruction

Page 7: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Resource Starvation

Attacker aims to deplete system, rather than network resources.

- CPU

- Memory

- File System Quotas

Page 8: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Routing/DNS Attacks

Routing Information Protocol (RIP) and Border Gateway Protocol (BGP) have very weak authentication. Routing tables are changed to route traffic through an attacker’s network, another network, or a “black hole” (non-existent network)

DNS is similar except DNS tables are falsified

Page 9: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

SYN Floods

TCP Connection Handshakeclient sends server TCP SYNserver sends client TCP SYN ACKclient sends server ACK or RST

In case of a spoofed source address, server keeps trying to send SYN ACKs. Connection Queue fills up with these requests and no legitimate traffic is served

Page 10: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

DDoS Attacks

An attacker compromises many machines (agents or zombies) and installs DoS daemonsThe attacker uses a controlling machine (handler) to control the zombie machines to attack a server.More than one handler to prevent single point of failure

Page 11: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

DoS Facts and FiguresOne of the hardest security problemsSimple to implementDifficult to preventDifficult to trace1989 – 95: CERT reports DoS attacks increased 50% per yearTools are easy to find and use – Smurf, Fraggle, Teardrop, Stream, TFN, Trinoo Stacheldracht, Shaft, Plague, Trinity, et al.February 2000 – eBay, Yahoo, Amazon, etc.

Page 12: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Current Solutions

Preventative:Make the OS/IP stack more robustReactivePhone ISPs and trace back manually, call next ISP in the chain…This is time consuming and ISPs are often unwilling to spend time doing this. In addition, the trace has to be done while the attack is still in progress.

Page 13: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Problems

The Internet is stateless; destination drivenSource addresses can be easily falsified (spoofed)Attackers use connection chains to hide identitiesRouters can be compromisedLogin chains and address spoofing have legitimate uses

Page 14: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Proposed Solutions

Ingress Filtering

Upstream Router Mapping

Counter Flooding Trace

Probabilistic Packet Marking

ICMP Traceback Messages

Stepping Stone Tracking

Traceback Network (CenterTrack or STM)

Page 15: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Ingress Filtering

Defined in RFC 2267

Edge Routers drop and log packets with invalid Source IPs or those coming from outside the network

Border Routers should not be allowed to transmit broadcast packets (MAC address FF:FF:FF:FF:FF:FF) to other routers by default

Page 16: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Ingress Filtering (cont)

System Diagnostic UDP packets from outside domains should not be allowed into a network

Ingress filtering poses problems with Mobile IP. Currently the Mobile IP Working Group is investigating “reverse tunneling” to solve this problem.

Page 17: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Upstream Router Mapping

Network Administrators should make an upstream router map

Manually via traceroute

Mercator – program that uses hop limited probes and source routers to create upstream maps

Page 18: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Counter Flooding

Network Administrators send UDP chargen floods upstream (small scale DoS attack). If a router is perturbed then it is probably being used in the attack. Repeat upstream.

Ethical issue – If the trace causes more damage than the attack, should it be used?

Page 19: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

PPM

PPM – Probabilistic Packet Marking

4 schemesSavage, Wetherall, Karlin & AndersonSong & PerrigPark & LeeDean, Franklin & Stubblefield

Page 20: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

PPM (cont)

These schemes overload the IP Identification field used for packet fragmentationIn most schemes, a hashing function computes a hash of the router’s IP address and writes this hash to the Identification fieldA distance field is normally included as well that keeps track of how many hops a packet has travelled

Page 21: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

PPM (cont)

Typical IP Packet

Page 22: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

PPM (cont)

Dean, etc. employ an algebraic scheme rather than a hash based wherein routers stamp coefficients of their IP addresses % a prime number

Page 23: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

PPM (cont)

Assumptions:

Most paths are less than 25 hops

Packets can be addressed to more than one host

Duplicate Packets can exist

Routers can be compromised

Attackers know they can be traced

Page 24: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

PPM (cont)

PPM schemes must minimize false positives while eliminating false negatives

Adding bits to IP headers causes packet fragmentation

Page 25: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

PPM (cont)

Problems

Packets can take more than one path to a destination

IPSec requires IP Identification field

IP fragmentation is small (<0.25% of traffic) but does exist

Routers do not need more overhead

Page 26: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

ICMP Traceback

Traceroute only works in the forward direction, not in reverseRouters send out ICMP traceback information (interface name, Time stamp) probabilistically (1/1000 – 1/20000)Public key system used to authenticate packetsTTL set to 255 to show distanceProblem – ICMP is filtered in some networks

Page 27: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Stepping Stone Traceback

Stepping Stone – one link in a connection chainIf ON/OFF timing between 2 hosts is similar, it is probably a stepping stonePackets often encrypted, check headersCheck clear text packets to see if the text from one host is transmitted to anotherProblem – too much legitimate traffic, not an adequate solution

Page 28: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

CenterTrack

Edge routers are connected to a special overlay network composed of tracing routers via IP Tunnels

In case of attack, the packets are forwarded to the tracking routers which follow the stream back to the source of the attack

Page 29: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

CenterTrack (cont)

Full packet capture can be added easily to provide attack evidenceProblems – Attacks have to be detected to be reroutedTTL is modified and ICMP TTL exceeded messages are sent back, possibly alerting the attacker to the trace

Page 30: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

CenterTrack (contd)

GW – Gateway

CT – CenterTrack Router

TR/XR – Transfer Router

Page 31: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

STM Network

SPIEs (Source Path Isolation Engines) are installed in routers, or connected to them

These SPIEs generate packet digests from 28 non changing bits in the packet (20 from the header, 8 from the payload).

The digest is stored in router memory or external storage

Page 32: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

STM Network (cont)

SPIEs transfer data to SCARs (SPIE Collection and Reduction Agents) if interesting traffic occurs

A SCAR can produce an attack graph of a local network

STMs (SPIE Traceback Managers) can request information from one or more SCARs and generate a complete attack graph

Page 33: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Conclusions

ISPs, unless they offer Mobile IP should use Ingress Filtering

Network Administrators should make upstream router maps

IPv6 should employ better packet tracing methods

Page 34: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

References

[1] S. Bellovin. ICMP traceback messages. Internet Draft, IETF, Mar. 2000. draft-bellovin-itrace-05.txt (work in

progress). 

[2] H. Burch and B. Cheswick. “Tracing anonymous packets to their approximate source.” In Proc.

USENIX LISA ’00 (Dec. 2000).

[3] D. Dean, M. Franklin, and A. Stubblefield, "An Algebraic Approach to IP Traceback," in Network

and Distributed System Security Symposium, NDSS '01, February 2001. 

Page 35: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

References

[4] S. Dietrich, N. Long, and D. Dittrich, “Analyzing ditributed denial of service attack tools: The shaft case,” in 14th Systems Administration Conference, LISA 2000, 2000,

http://netsec.gsfc.nasa.gov/spock/lisa2000-shaft.pdf.

[7] P. Ferguson and D. Senie. “Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing.” May 2000.RFC 2827. IEEE INFOCOM 2001.

 [8] R. Govindan and H. Tangmunarunkit. “Heuristics for

Internet Map Discovery.” In Proc. of the 2000 IEEE INFOCOM Conference, Tel Aviv, Israel, Mar. 2000.

Page 36: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

References

[10] K. Park and H. Lee. “On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack.” In Proc. IEEE INFOCOM 2001, pages 338-347, 2001.

 

[11] S. Savage, D. Wetherall, A. Karlin, and T. Anderson. “Practical network support for IP traceback.” In

Proc. of ACM SIGCOMM ‘00, pages 295-306, Aug.2000.

 

[12] A. Snoeren, and C. Partridge. “Hash-based IP Traceback.” In Proc. ACM SIGCOMM ‘01, pages 3-

14, Aug. 2001.

Page 37: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

References

[13] D. Song and A. Perrig. “Advanced and authenticated marking schemes for IP traceback.” Technical Report UCB/CSD-00-1107, Computer Science Department,University of California, Berkeley, 2000. In Proc. IEEE

INFOCOM 2001. 

[14] R. Stone. “CenterTrack: An IP Overlay Network for Tracking DoS Floods.” In Proc. of the 2000 USENIX Security Symposium, Denver, CO, July 2000.

[15] *J. Scambray, S. McClure, and G. Kurtz. Hacking Exposed: Network Security Secrets and Solutions. Second Edition. New York: Osborne/McGraw-Hill, 2001. pages 484-506.

Page 38: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

References

[17] Y. Zhang and V. Paxson. “Stepping Stone Detection.” In Proc. of the 2000 USENIX Security Symposium, Denver, CO, July 2000.

Page 39: COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

Questions?