Distributed Denial of Service Attacks. Advanced Network Security, Peter Reiher, August 2014
Posted on 07-Jan-2016
Lecture 18, Page 1, Advanced Network Security
Distributed Denial of Service Attacks
Advanced Network Security, Peter Reiher, August 2014
Outline
• Attacker solution #2: distributed denial of service attacks
• What are they?
• DDoS toolkits
A Flooding Attack
But does it actually deny service here?
The Problem With This Attack
• The attacking computer is usually a home machine or office workstation
• Maybe it’s got outgoing bandwidth of 10 Mbps
• The target is usually a server
• Maybe it’s got incoming bandwidth of 1 Gbps
• The target barely notices the attack
“Solving” This Problem
• How can an attacker overwhelm a machine with more resources than his?
• Two possibilities:
– Find a way to make the target pay more per message than the attacker
– Use more than one machine to attack
Solution #2: Use Multiple Machines to Attack
• If one machine can’t generate enough traffic to overwhelm a server,
• Maybe two can
• Or three
• Or four
• Or forty thousand
Distributed Denial of Service Attacks
What Is Distributed Denial of Service?
• A concerted attack by multiple machines on a single target
– Usually a large number of machines
• Intended to make the target unable to service its regular customers
• By overwhelming some resource
– Typically bandwidth
How To Perform a DDoS Attack: Step 1
• Gain control of a lot of machines
• You could buy them
• But, if you’re going to use them to make an illegal attack, why buy them?
• Usually, you steal them
– Or, more precisely, take them over with malware
How To Perform a DDoS Attack: Step 2
• Install software on all the machines to send packets to a specified target
• Usually the software has various options
– When to begin
– For how long
– What kind of packets
How To Perform a DDoS Attack: Step 3
• Issue commands to your machines to start them sending packets
• If there are a lot of your machines, maybe use an efficient way to tell them
– Like some tree-structured distribution system
• They will then start attacking
Some Refinements to the Attack
• Vary the number of packets sent by each attacker over time
• Only use a fraction of your available machines at any given moment
– Cycling through the entire set
• Pulse the attack, turning it on and off
Typical Attack Modus Operandi
Typical Effects of a DDoS Attack
• A sudden, vast flood of packets being sent to a site
• Typically packets that are fairly clearly junk
– But could be close to real traffic
• These packets drown out the legitimate traffic
• So only junk gets delivered
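The effects listed above (a sudden flood from many machines that drowns out legitimate traffic, possibly pulsed or rotated across the attacker's hosts as in the refinements slide) are what a simple rate-based detector looks for. The following is an added example, not code from the lecture: a per-second detector run over constructed flow records, where the addresses, thresholds and function names are assumptions.

```python
# Added example, not the lecture's code: per-second flood detector over constructed flows.
from collections import defaultdict

TARGET = "203.0.113.5"  # constructed victim address (documentation range)

# Constructed flow records: (second, src_ip, dst_ip, packets).
# Seconds 0-1: normal load from a few clients.
SAMPLE_FLOWS = [
    (0, "198.51.100.10", TARGET, 40), (0, "198.51.100.11", TARGET, 35),
    (1, "198.51.100.10", TARGET, 42), (1, "198.51.100.12", TARGET, 30),
]
# Seconds 2-3: a pulse from many sources at a modest 20 pkt/s each; the attacker
# rotates through its pool, so only 500 of 750 constructed hosts send in any second.
SAMPLE_FLOWS += [(2, f"100.64.{i // 256}.{i % 256}", TARGET, 20) for i in range(500)]
SAMPLE_FLOWS += [(3, f"100.64.{i // 256}.{i % 256}", TARGET, 20) for i in range(250, 750)]
# Second 4: pulse off. Second 5: one noisy client, which is not a distributed flood.
SAMPLE_FLOWS += [(4, "198.51.100.10", TARGET, 38), (5, "198.51.100.99", TARGET, 5000)]

def per_second_stats(flows, target):
    """Packets and distinct sources per one-second window, for traffic to target."""
    pkts, srcs = defaultdict(int), defaultdict(set)
    for sec, src, dst, n in flows:
        if dst == target:
            pkts[sec] += n
            srcs[sec].add(src)
    return pkts, srcs

def estimate_baseline(flows, target, quiet_until):
    """Mean packets/second over seconds known to be quiet (<= quiet_until)."""
    pkts, _ = per_second_stats(flows, target)
    quiet = [pkts[s] for s in pkts if s <= quiet_until]
    return sum(quiet) / len(quiet)

def detect_floods(flows, target, baseline_pps, ratio=10.0, min_sources=50):
    """Flag each second whose rate is >= ratio * baseline AND comes from at least
    min_sources distinct addresses: the source count separates a distributed flood
    from one busy client, and per-second evaluation keeps a pulsed (on/off) attack
    visible instead of averaging it away. Returns (second, packets, sources)."""
    pkts, srcs = per_second_stats(flows, target)
    return [(s, pkts[s], len(srcs[s])) for s in sorted(pkts)
            if pkts[s] >= ratio * baseline_pps and len(srcs[s]) >= min_sources]

def attacker_pool(flows, target, alerts):
    """Distinct sources across all flagged seconds; with rotation this exceeds
    what any single second shows."""
    _, srcs = per_second_stats(flows, target)
    return len(set().union(*(srcs[s] for s, _, _ in alerts)))
```

Calling `detect_floods(SAMPLE_FLOWS, TARGET, estimate_baseline(SAMPLE_FLOWS, TARGET, 1))` flags only seconds 2 and 3; the single 5000-packet client in second 5 is left alone because it fails the distinct-source test, while `attacker_pool` over the alerts counts 750 hosts even though each flagged second shows just 500.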
DDoS Attacks in the Real World
• Very common
• Some are pretty small
– On small targets, often
• Occasionally we see a really big one
– Typically on a high profile target
• Often difficult to handle
Some Important Examples
• Microsoft, Yahoo, etc. targeted
• Recent large DDoS attack on Hong Kong voting site
• 25 million packets per second attacks on domain hosting and online gaming sites
• At least one company went out of business due to a DDoS attack
DDoS Attack on DNS Root Servers
• Concerted ping flood attack on all 13 of the DNS root servers in October 2002
• Successfully halted operations on 9 of them
• Lasted for 1 hour
– Turned itself off, was not defeated
• Did not cause major impact on Internet
– DNS uses caching aggressively
• Another (less effective) attack in February 2007
DDoS Attack on Estonia
• Occurred April-May 2007
• Estonia removed a statue that Russians liked
• Then somebody launched large DDoS attack on Estonian government sites
• Took much of Estonia off-line for ~ 3 weeks
• DDoS attack on Radio Free Europe sites in Belarus in 2008
DDoS Attack on Al Jazeera
• DNS name server floods of 200-300 Mbps on English language web site
• Successfully made Al Jazeera web site unreachable for two days
– After which, their DNS name was hijacked
• Al Jazeera not easily able to recover from attack
– As Al Jazeera added capacity, the attack got stronger
Combining the Two Attacker “Solutions”
• Attackers can use both asymmetry and multiple machines
• Making the problem that much harder to solve
• Reflector attacks are one example
• Recent Hong Kong attack required SSL decryption from large number of attack machines
Attack Toolkits
• Widely available on net
– Easily downloaded along with source code
– Easily deployed and used
• Automated code for:
– Scanning – detection of vulnerable machines
– Exploit – breaking into the machine
– Infection – placing the attack code
• Rootkit
– Hides the attack code
– Restarts the attack code
– Keeps open backdoors for attacker access
• DDoS attack code:
– Trinoo, TFN, TFN2K, Stacheldraht, Shaft, mstream, Trinity
DDoS Attack Code
• Attacker can customize:
– Type of attack
• UDP flood, ICMP flood, TCP SYN flood, Smurf attack
• Web server request flood, authentication request flood, DNS flood
– Victim IP address
– Duration
– Packet size
– Source IP spoofing
– Dynamics (constant rate or pulsing)
– Communication between master and slaves
Implications of Attack Toolkits
• You don’t need much knowledge or many skills to perpetrate DDoS
• Toolkits allow unsophisticated users to become DDoS perpetrators in little time
• DDoS is, unfortunately, a game anyone can play
Conclusion
• Distributed denial of service attacks solve the attacker’s problem of asymmetric capabilities
• DDoS attacks harness multiple hosts to attack a single machine
• DDoS attacks are simple, yet hard to handle