Distributed Denial of Service Attacks (Advanced Network Security, Peter Reiher, August 2014)


Lecture 18, Page 1, Advanced Network Security



Outline

• Attacker solution #2: distributed denial of service attacks

• What are they?

• DDoS toolkits


A Flooding Attack

But does it actually deny service here?


The Problem With This Attack

• The attacking computer is usually a home machine or office workstation

• Maybe it’s got outgoing bandwidth of 10 Mbps

• The target is usually a server

• Maybe it’s got incoming bandwidth of 1 Gbps

• The target barely notices the attack


“Solving” This Problem

• How can an attacker overwhelm a machine with more resources than his?

• Two possibilities:

– Find a way to make the target pay more per message than the attacker

– Use more than one machine to attack


Solution #2: Use Multiple Machines to Attack

• If one machine can’t generate enough traffic to overwhelm a server,

• Maybe two can

• Or three

• Or four

• Or forty thousand


Distributed Denial of Service Attacks


What Is Distributed Denial of Service?

• A concerted attack by multiple machines on a single target

– Usually a large number of machines

• Intended to make the target unable to service its regular customers

• By overwhelming some resource

– Typically bandwidth


How To Perform a DDoS Attack: Step 1

• Gain control of a lot of machines

• You could buy them

• But, if you’re going to use them to make an illegal attack, why buy them?

• Usually, you steal them

– Or, more precisely, take them over with malware


How To Perform a DDoS Attack: Step 2

• Install software on all the machines to send packets to a specified target

• Usually the software has various options

– When to begin

– For how long

– What kind of packets


How To Perform a DDoS Attack: Step 3

• Issue commands to your machines to start them sending packets

• If there are a lot of your machines, maybe use an efficient way to tell them

– Like some tree-structured distribution system

• They will then start attacking


Some Refinements to the Attack

• Vary the number of packets sent by each attacker over time

• Only use a fraction of your available machines at any given moment

– Cycling through the entire set

• Pulse the attack, turning it on and off
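The bandwidth arithmetic from the "Problem With This Attack" and "Use Multiple Machines" slides, together with the refinements just listed (rotating through a fraction of the bots and pulsing), as an added example that is not part of the lecture. The link speeds, bot count and rotation scheme are constructed assumptions; the point it makes is that the target's link can be saturated much of the time while the long-term average rate from any single source stays far below that source's own uplink, which is why per-source rate limiting alone does not stop a DDoS.

```python
"""Added example, not from the lecture: how many hosts a flood needs to fill the target's
link, and what cycling through a fraction of the botnet and pulsing the attack do to the
traffic any one source shows the target.  All link speeds, bot counts and thresholds are
constructed assumptions for illustration."""

import math


def bots_needed(attacker_uplink_bps: float, target_downlink_bps: float) -> int:
    """Hosts needed, each saturating its own uplink, to fill the target's inbound link.
    With the lecture's figures (10 Mb/s uplink vs 1 Gb/s target link) this is 100."""
    return math.ceil(target_downlink_bps / attacker_uplink_bps)


def active_set(t: int, n_bots: int, k: int) -> list[int]:
    """Deterministic rotation: the k bots active in second t are the next k in a ring,
    so every bot takes its turn and no bot sends continuously."""
    start = (t * k) % n_bots
    return [(start + i) % n_bots for i in range(k)]


def schedule(n_bots: int, active_fraction: float, seconds: int,
             pulse_period: int, per_bot_bps: float) -> list[dict]:
    """Simulate the refined attack: only a fraction of the botnet sends in any second,
    membership rotates every second, and the whole attack switches on and off every
    pulse_period seconds.  Returns one record per second of the run."""
    k = max(1, int(n_bots * active_fraction))
    timeline = []
    for t in range(seconds):
        on = (t // pulse_period) % 2 == 0          # on, off, on, off, ...
        active = active_set(t, n_bots, k) if on else []
        timeline.append({"t": t, "active": active,
                         "aggregate_bps": per_bot_bps * len(active)})
    return timeline


def per_source_average_bps(timeline: list[dict], n_bots: int, per_bot_bps: float) -> float:
    """Average rate one bot shows the target over the whole run: what a per-source
    rate limiter keyed on long-term averages would see."""
    bot_seconds = sum(len(r["active"]) for r in timeline)
    return bot_seconds * per_bot_bps / (n_bots * len(timeline))


def fraction_saturated(timeline: list[dict], target_downlink_bps: float) -> float:
    """Fraction of the run during which the aggregate exceeds the target's link."""
    hot = sum(1 for r in timeline if r["aggregate_bps"] > target_downlink_bps)
    return hot / len(timeline)


if __name__ == "__main__":
    UPLINK, TARGET = 10e6, 1e9                     # 10 Mb/s per bot, 1 Gb/s target link
    print("bots needed with no refinements:", bots_needed(UPLINK, TARGET))
    run = schedule(n_bots=1000, active_fraction=0.2, seconds=120,
                   pulse_period=30, per_bot_bps=UPLINK)
    print("peak aggregate Gb/s:", max(r["aggregate_bps"] for r in run) / 1e9)
    print("fraction of time target saturated:", fraction_saturated(run, TARGET))
    print("average per-source Mb/s:", per_source_average_bps(run, 1000, UPLINK) / 1e6)
```

With a thousand 10 Mb/s bots, a fifth of them active at a time and a 30-second pulse, the 1 Gb/s link is over capacity half the time, yet each bot averages 1 Mb/s over the run, a tenth of its uplink. A defence has to key on the aggregate at the target, not on what any one source looks like.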


Typical Attack Modus Operandi


Typical Effects of a DDoS Attack

• A sudden, vast flood of packets being sent to a site

• Typically packets that are fairly clearly junk

– But could be close to real traffic

• These packets drown out the legitimate traffic

• So only junk gets delivered
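Detection logic for the effects just described, as an added example that is not part of the lecture: it runs over constructed per-flow records, learns a packet-rate baseline, flags the sudden flood, measures how much of the traffic comes from sources never seen before (the junk drowning out the regular clients), and distinguishes a distributed flood from a single-source one. The addresses, volumes and thresholds are constructed assumptions.

```python
"""Added example, not from the lecture: spotting the "sudden, vast flood" in per-second
flow counts, measuring how far it drowns out the regular clients, and telling a
distributed flood from a single-source one.  The flow records are constructed for
illustration; the thresholds are assumptions a deployment would tune from its own
baseline."""

from collections import defaultdict

TARGET = "203.0.113.10"          # constructed victim address


def constructed_flows() -> list:
    """Constructed records of (epoch_second, src_ip, dst_ip, packets).  Seconds 0-59 carry
    only five regular clients; seconds 60-69 add 400 attacking sources; seconds 70-74 add
    a single source sending the same volume on its own."""
    flows = []
    for t in range(75):
        for c in range(5):                                        # regular clients
            flows.append((t, f"10.0.0.{c + 1}", TARGET, 10))
        if 60 <= t < 70:
            for b in range(400):                                  # distributed flood
                flows.append((t, f"198.51.{100 + b // 256}.{b % 256}", TARGET, 50))
        if 70 <= t < 75:
            flows.append((t, "192.0.2.99", TARGET, 20000))        # single-source flood
    return flows


def per_second_sources(flows, target):
    """Packets received by the target in each second, broken down by source address."""
    table = defaultdict(lambda: defaultdict(int))
    for t, src, dst, packets in flows:
        if dst == target:
            table[t][src] += packets
    return table


def detect_flood(flows, target, baseline_seconds=60, spike_factor=10, min_sources=100):
    """Flag seconds whose packet rate exceeds spike_factor times the baseline average.
    Each alert records the share of packets from sources never seen in the baseline
    (the junk that drowns out legitimate traffic) and whether the flood is distributed.
    Assumes the first baseline_seconds of the log are clean; a deployment must verify that."""
    table = per_second_sources(flows, target)
    base = [t for t in sorted(table) if t < baseline_seconds]
    if not base:
        raise ValueError("no baseline traffic to learn from")
    baseline_pps = sum(sum(table[t].values()) for t in base) / len(base)
    known = set().union(*(table[t].keys() for t in base))
    alerts = []
    for t in sorted(table):
        if t < baseline_seconds:
            continue
        by_src = table[t]
        pps = sum(by_src.values())
        if pps <= spike_factor * baseline_pps:
            continue
        legit = sum(p for s, p in by_src.items() if s in known)
        alerts.append({
            "t": t,
            "pps": pps,
            "sources": len(by_src),
            "junk_share": round(1 - legit / pps, 4),
            "kind": "distributed flood" if len(by_src) >= min_sources else "single-source flood",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_flood(constructed_flows(), TARGET):
        print(a)
```

The source count is what separates the two alert kinds: the single-source seconds can be handled by blocking one address, the distributed ones cannot, even though both carry the same packet rate and the same 99.75% share of junk.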


DDoS Attacks in the Real World

• Very common

• Some are pretty small

– On small targets, often

• Occasionally we see a really big one

– Typically on a high profile target

• Often difficult to handle


Some Important Examples

• Microsoft, Yahoo, etc. targeted

• Recent large DDoS attack on Hong Kong voting site (June 2014)

• 25 million packets per second attacks on domain hosting and online gaming sites

• At least one company went out of business due to a DDoS attack


DDoS Attack on DNS Root Servers

• Concerted ping flood attack on all 13 of the DNS root servers in October 2002

• Successfully halted operations on 9 of them

• Lasted for 1 hour

– Turned itself off, was not defeated

• Did not cause major impact on Internet

– DNS uses caching aggressively

• Another (less effective) attack in February 2007


DDoS Attack on Estonia

• Occurred April-May 2007

• Estonia relocated a Soviet-era war memorial (the Bronze Soldier) valued by ethnic Russians

• Then somebody launched large DDoS attack on Estonian government sites

• Took much of Estonia off-line for ~ 3 weeks

• DDoS attack on Radio Free Europe sites in Belarus in 2008


DDoS Attack on Al Jazeera

• DNS name server floods of 200-300 Mbps on English language web site (March 2003)

• Successfully made Al Jazeera web site unreachable for two days

– After which, their DNS name was hijacked

• Al Jazeera not easily able to recover from attack

– As Al Jazeera added capacity, the attack got stronger


Combining the Two Attacker “Solutions”

• Attackers can use both asymmetry and multiple machines

• Making the problem that much harder to solve

• Reflector attacks are one example

• Recent Hong Kong attack combined both: the target had to perform SSL decryption for connections arriving from a large number of attack machines


Attack Toolkits

• Widely available on net

– Easily downloaded along with source code

– Easily deployed and used

• Automated code for:

– Scanning – detection of vulnerable machines

– Exploit – breaking into the machine

– Infection – placing the attack code

• Rootkit

– Hides the attack code

– Restarts the attack code

– Keeps open backdoors for attacker access

• DDoS attack code:

– Trinoo, TFN, TFN2K, Stacheldraht, Shaft, mstream, Trinity


DDoS Attack Code

• Attacker can customize:

– Type of attack

• UDP flood, ICMP flood, TCP SYN flood, Smurf attack

• Web server request flood, authentication request flood, DNS flood

– Victim IP address

– Duration

– Packet size

– Source IP spoofing

– Dynamics (constant rate or pulsing)

– Communication between master and slaves
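The defender's view of the packet-level attack types on this slide, as an added example that is not part of the lecture or of any of the toolkits named: a classifier that keys on each flood's signature in a packet summary. It covers the spoofed-source SYN flood (SYNs from sources that never complete the handshake), the ICMP echo-request flood, the Smurf case from the "Combining the Two Attacker Solutions" slide (echo replies the victim never solicited, the signature of a reflector), and the UDP flood sprayed across many ports. The packet records, addresses and thresholds are constructed assumptions.

```python
"""Added example, not from the lecture: telling the packet-flood types on this slide apart
from a packet summary.  Each detector keys on one signature: SYNs from sources that never
finish the handshake (the spoofed-source SYN flood), echo requests at a high rate, echo
replies the victim never solicited (the Smurf/reflector case), or UDP sprayed over many
ports.  Packet records, addresses and thresholds are constructed assumptions."""

from collections import Counter

VICTIM = "203.0.113.10"


def constructed_capture(kind):
    """Constructed packet records (src, dst, proto, detail); detail is the TCP flag
    string, the ICMP type, or the UDP destination port."""
    pkts = []
    spoofed = [f"10.{i // 256}.{i % 256}.1" for i in range(500)]   # random-looking sources
    if kind == "syn":
        pkts += [(s, VICTIM, "tcp", "S") for s in spoofed]           # SYN, never ACKed
    elif kind == "icmp":
        pkts += [(s, VICTIM, "icmp", 8) for s in spoofed]            # echo requests
    elif kind == "smurf":                                            # replies from a
        pkts += [(f"198.51.100.{i % 250 + 1}", VICTIM, "icmp", 0)    # broadcast network
                 for i in range(500)]                                # the victim never pinged
    elif kind == "udp":
        pkts += [(s, VICTIM, "udp", 1024 + i) for i, s in enumerate(spoofed)]
    # Benign background present in every capture: five full handshakes, one ping the
    # victim itself sent plus its reply, and a handful of DNS queries.
    for i in range(5):
        c = f"192.0.2.{i + 1}"
        pkts += [(c, VICTIM, "tcp", "S"), (VICTIM, c, "tcp", "SA"), (c, VICTIM, "tcp", "A")]
    pkts += [(VICTIM, "198.51.100.1", "icmp", 8), ("198.51.100.1", VICTIM, "icmp", 0)]
    pkts += [(f"192.0.2.{i + 1}", VICTIM, "udp", 53) for i in range(20)]
    return pkts


def classify(pkts, victim, threshold=100):
    """Return the flood types whose signature appears at least `threshold` times."""
    syns, acked = Counter(), set()
    pinged = {dst for src, dst, proto, d in pkts if src == victim and proto == "icmp" and d == 8}
    echo_req = unsolicited_replies = udp_pkts = 0
    udp_ports = set()
    for src, dst, proto, detail in pkts:
        if dst != victim:
            continue
        if proto == "tcp":
            if detail == "S":
                syns[src] += 1
            elif detail == "A":
                acked.add(src)                    # this source completed a handshake
        elif proto == "icmp":
            if detail == 8:
                echo_req += 1
            elif detail == 0 and src not in pinged:
                unsolicited_replies += 1          # reflected: the victim never asked
        elif proto == "udp":
            udp_pkts += 1
            udp_ports.add(detail)
    half_open = sum(n for src, n in syns.items() if src not in acked)
    findings = []
    if half_open >= threshold:
        findings.append("TCP SYN flood")
    if echo_req >= threshold:
        findings.append("ICMP flood")
    if unsolicited_replies >= threshold:
        findings.append("Smurf / reflected ICMP")
    if udp_pkts >= threshold and len(udp_ports) >= threshold // 2:
        findings.append("UDP flood")
    return findings


if __name__ == "__main__":
    for kind in ("syn", "icmp", "smurf", "udp", "normal"):
        print(kind, "->", classify(constructed_capture(kind), VICTIM))
```

The SYN-flood check counts half-open connections per source rather than raw SYNs, so the five real clients that finish their handshakes never contribute, while spoofed sources (which cannot answer the SYN-ACK) do. The Smurf check matches inbound echo replies against echo requests the victim actually sent; a reply with no matching request is traffic somebody else solicited on the victim's behalf, which is the reflector signature regardless of how many sources it arrives from.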


Implications of Attack Toolkits

• You don’t need much knowledge or many skills to perpetrate DDoS

• Toolkits allow unsophisticated users to become DDoS perpetrators in little time

• DDoS is, unfortunately, a game anyone can play


Conclusion

• Distributed denial of service attacks solve the attacker’s problem of asymmetric capabilities

• DDoS attacks harness multiple hosts to attack a single machine

• DDoS attacks are simple, yet hard to handle
