comp 7320 internet security: prevention of ddos attacks by dack phillips
TRANSCRIPT
COMP 7320
Internet Security:
Prevention of DDoS Attacks
By Dack Phillips
Presentation Overview
What are DoS Attacks?
DoS Facts and Figures
Current Solutions
Problems
Proposed Solutions
Conclusions
References
Questions
What are DoS Attacks?
A malicious attack that consumes “resources of remote hosts or networks denying or degrading service to legitimate users,” [11].
Types of DoS Attacks
Bandwidth Consumption
Program Flaw Exploitation
Resource Starvation
Routing/DNS Attacks
SYN Floods
DDoS Attacks
Bandwidth Consumption
A computer having more bandwidth floods a smaller server with packets. The smaller server can not respond to the overwhelming load.
A computer with small bandwidth convinces a network to flood a host with more bandwidth
- A 56 Kbps modem can take down a T1 line like this
Program Flaw Exploitation
An attacker sends an operating system, application, or hardware exceptional conditions that it can’t handle.
- OOB Port 139 on Windows 95 boxen
- F00FC7C8 Pentium Instruction
Resource Starvation
Attacker aims to deplete system, rather than network resources.
- CPU
- Memory
- File System Quotas
Routing/DNS Attacks
Routing Information Protocol (RIP) and Border Gateway Protocol (BGP) have very weak authentication. Routing tables are changed to route traffic through an attacker’s network, another network, or a “black hole” (non-existent network)
DNS is similar except DNS tables are falsified
SYN Floods
TCP Connection Handshakeclient sends server TCP SYNserver sends client TCP SYN ACKclient sends server ACK or RST
In case of a spoofed source address, server keeps trying to send SYN ACKs. Connection Queue fills up with these requests and no legitimate traffic is served
DDoS Attacks
An attacker compromises many machines (agents or zombies) and installs DoS daemonsThe attacker uses a controlling machine (handler) to control the zombie machines to attack a server.More than one handler to prevent single point of failure
DoS Facts and FiguresOne of the hardest security problemsSimple to implementDifficult to preventDifficult to trace1989 – 95: CERT reports DoS attacks increased 50% per yearTools are easy to find and use – Smurf, Fraggle, Teardrop, Stream, TFN, Trinoo Stacheldracht, Shaft, Plague, Trinity, et al.February 2000 – eBay, Yahoo, Amazon, etc.
Current Solutions
Preventative:Make the OS/IP stack more robustReactivePhone ISPs and trace back manually, call next ISP in the chain…This is time consuming and ISPs are often unwilling to spend time doing this. In addition, the trace has to be done while the attack is still in progress.
Problems
The Internet is stateless; destination drivenSource addresses can be easily falsified (spoofed)Attackers use connection chains to hide identitiesRouters can be compromisedLogin chains and address spoofing have legitimate uses
Proposed Solutions
Ingress Filtering
Upstream Router Mapping
Counter Flooding Trace
Probabilistic Packet Marking
ICMP Traceback Messages
Stepping Stone Tracking
Traceback Network (CenterTrack or STM)
Ingress Filtering
Defined in RFC 2267
Edge Routers drop and log packets with invalid Source IPs or those coming from outside the network
Border Routers should not be allowed to transmit broadcast packets (MAC address FF:FF:FF:FF:FF:FF) to other routers by default
Ingress Filtering (cont)
System Diagnostic UDP packets from outside domains should not be allowed into a network
Ingress filtering poses problems with Mobile IP. Currently the Mobile IP Working Group is investigating “reverse tunneling” to solve this problem.
Upstream Router Mapping
Network Administrators should make an upstream router map
Manually via traceroute
Mercator – program that uses hop limited probes and source routers to create upstream maps
Counter Flooding
Network Administrators send UDP chargen floods upstream (small scale DoS attack). If a router is perturbed then it is probably being used in the attack. Repeat upstream.
Ethical issue – If the trace causes more damage than the attack, should it be used?
PPM
PPM – Probabilistic Packet Marking
4 schemesSavage, Wetherall, Karlin & AndersonSong & PerrigPark & LeeDean, Franklin & Stubblefield
PPM (cont)
These schemes overload the IP Identification field used for packet fragmentationIn most schemes, a hashing function computes a hash of the router’s IP address and writes this hash to the Identification fieldA distance field is normally included as well that keeps track of how many hops a packet has travelled
PPM (cont)
Typical IP Packet
PPM (cont)
Dean, etc. employ an algebraic scheme rather than a hash based wherein routers stamp coefficients of their IP addresses % a prime number
PPM (cont)
Assumptions:
Most paths are less than 25 hops
Packets can be addressed to more than one host
Duplicate Packets can exist
Routers can be compromised
Attackers know they can be traced
PPM (cont)
PPM schemes must minimize false positives while eliminating false negatives
Adding bits to IP headers causes packet fragmentation
PPM (cont)
Problems
Packets can take more than one path to a destination
IPSec requires IP Identification field
IP fragmentation is small (<0.25% of traffic) but does exist
Routers do not need more overhead
ICMP Traceback
Traceroute only works in the forward direction, not in reverseRouters send out ICMP traceback information (interface name, Time stamp) probabilistically (1/1000 – 1/20000)Public key system used to authenticate packetsTTL set to 255 to show distanceProblem – ICMP is filtered in some networks
Stepping Stone Traceback
Stepping Stone – one link in a connection chainIf ON/OFF timing between 2 hosts is similar, it is probably a stepping stonePackets often encrypted, check headersCheck clear text packets to see if the text from one host is transmitted to anotherProblem – too much legitimate traffic, not an adequate solution
CenterTrack
Edge routers are connected to a special overlay network composed of tracing routers via IP Tunnels
In case of attack, the packets are forwarded to the tracking routers which follow the stream back to the source of the attack
CenterTrack (cont)
Full packet capture can be added easily to provide attack evidenceProblems – Attacks have to be detected to be reroutedTTL is modified and ICMP TTL exceeded messages are sent back, possibly alerting the attacker to the trace
CenterTrack (contd)
GW – Gateway
CT – CenterTrack Router
TR/XR – Transfer Router
STM Network
SPIEs (Source Path Isolation Engines) are installed in routers, or connected to them
These SPIEs generate packet digests from 28 non changing bits in the packet (20 from the header, 8 from the payload).
The digest is stored in router memory or external storage
STM Network (cont)
SPIEs transfer data to SCARs (SPIE Collection and Reduction Agents) if interesting traffic occurs
A SCAR can produce an attack graph of a local network
STMs (SPIE Traceback Managers) can request information from one or more SCARs and generate a complete attack graph
Conclusions
ISPs, unless they offer Mobile IP should use Ingress Filtering
Network Administrators should make upstream router maps
IPv6 should employ better packet tracing methods
References
[1] S. Bellovin. ICMP traceback messages. Internet Draft, IETF, Mar. 2000. draft-bellovin-itrace-05.txt (work in
progress).
[2] H. Burch and B. Cheswick. “Tracing anonymous packets to their approximate source.” In Proc.
USENIX LISA ’00 (Dec. 2000).
[3] D. Dean, M. Franklin, and A. Stubblefield, "An Algebraic Approach to IP Traceback," in Network
and Distributed System Security Symposium, NDSS '01, February 2001.
References
[4] S. Dietrich, N. Long, and D. Dittrich, “Analyzing ditributed denial of service attack tools: The shaft case,” in 14th Systems Administration Conference, LISA 2000, 2000,
http://netsec.gsfc.nasa.gov/spock/lisa2000-shaft.pdf.
[7] P. Ferguson and D. Senie. “Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing.” May 2000.RFC 2827. IEEE INFOCOM 2001.
[8] R. Govindan and H. Tangmunarunkit. “Heuristics for
Internet Map Discovery.” In Proc. of the 2000 IEEE INFOCOM Conference, Tel Aviv, Israel, Mar. 2000.
References
[10] K. Park and H. Lee. “On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack.” In Proc. IEEE INFOCOM 2001, pages 338-347, 2001.
[11] S. Savage, D. Wetherall, A. Karlin, and T. Anderson. “Practical network support for IP traceback.” In
Proc. of ACM SIGCOMM ‘00, pages 295-306, Aug.2000.
[12] A. Snoeren, and C. Partridge. “Hash-based IP Traceback.” In Proc. ACM SIGCOMM ‘01, pages 3-
14, Aug. 2001.
References
[13] D. Song and A. Perrig. “Advanced and authenticated marking schemes for IP traceback.” Technical Report UCB/CSD-00-1107, Computer Science Department,University of California, Berkeley, 2000. In Proc. IEEE
INFOCOM 2001.
[14] R. Stone. “CenterTrack: An IP Overlay Network for Tracking DoS Floods.” In Proc. of the 2000 USENIX Security Symposium, Denver, CO, July 2000.
[15] *J. Scambray, S. McClure, and G. Kurtz. Hacking Exposed: Network Security Secrets and Solutions. Second Edition. New York: Osborne/McGraw-Hill, 2001. pages 484-506.
References
[17] Y. Zhang and V. Paxson. “Stepping Stone Detection.” In Proc. of the 2000 USENIX Security Symposium, Denver, CO, July 2000.
Questions?