Page 1: Distributed Denial of Service Attacks

Advanced Network Security, Lecture 18

Peter Reiher, August 2014

Page 2: Outline

• Attacker solution #2: distributed denial of service attacks

• What are they?

• DDoS toolkits

Page 3: A Flooding Attack

But does it actually deny service here?

Page 4: The Problem With This Attack

• The attacking computer is usually a home machine or office workstation

• Maybe it’s got outgoing bandwidth of 10Mbps

• The target is usually a server

• Maybe it’s got incoming bandwidth of 1 Gbps

• The target barely notices the attack

Page 5: “Solving” This Problem

• How can an attacker overwhelm a machine with more resources than his?

• Two possibilities:

– Find a way to make the target pay more per message than the attacker

– Use more than one machine to attack

Page 6: Solution #2: Use Multiple Machines to Attack

• If one machine can’t generate enough traffic to overwhelm a server,

• Maybe two can

• Or three

• Or four

• Or forty thousand

Page 7: Distributed Denial of Service Attacks

Page 8: What Is Distributed Denial of Service?

• A concerted attack by multiple machines on a single target

– Usually a large number of machines

• Intended to make the target unable to service its regular customers

• By overwhelming some resource

– Typically bandwidth

Page 9: How To Perform a DDoS Attack: Step 1

• Gain control of a lot of machines

• You could buy them

• But, if you’re going to use them to make an illegal attack, why buy them?

• Usually, you steal them

– Or, more precisely, take them over with malware

Page 10: How To Perform a DDoS Attack: Step 2

• Install software on all the machines to send packets to a specified target

• Usually the software has various options

– When to begin

– For how long

– What kind of packets

Page 11: How To Perform a DDoS Attack: Step 3

• Issue commands to your machines to start them sending packets

• If there are a lot of your machines, maybe use an efficient way to tell them

– Like some tree-structured distribution system

• They will then start attacking

Page 12: Some Refinements to the Attack

• Vary the number of packets sent by each attacker over time

• Only use a fraction of your available machines at any given moment

– Cycling through the entire set

• Pulse the attack, turning it on and off
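The three refinements above are aimed squarely at rate-based detection: no single bot ever stands out, the set of active sources changes from pulse to pulse, and the aggregate comes and goes. The Python below is an added example, not code from the lecture or its author, showing why a per-source threshold misses such traffic while an aggregate sliding-window detector with a hold-down still reports it as one incident. The per-second packet counts it runs over are constructed, not captured, and every parameter (bot population, rates, pulse timing, thresholds) is an illustrative assumption.

```python
"""Detection example for the 'refinements' slide: many bots, each sending
little, only a rotating fraction active at once, the whole thing pulsed.

Added example, not from the lecture or its author; all traffic counts below
are constructed, not captured, and the parameters are illustrative."""
from collections import defaultdict


def build_timeline(seconds=120, legit_sources=50, legit_rate=2,
                   bots=2000, active_fraction=0.1, bot_rate=5,
                   pulse_on=10, pulse_off=10, attack_start=40):
    """Return (second, source, packets) records: a steady legitimate
    background plus a pulsed attack in which each bot sends at a rate
    comparable to a legitimate client and a different slice of the bot
    population is used for each pulse."""
    records = []
    active_per_pulse = int(bots * active_fraction)
    period = pulse_on + pulse_off
    for t in range(seconds):
        for i in range(legit_sources):
            records.append((t, f"legit-{i}", legit_rate))
        if t >= attack_start and (t - attack_start) % period < pulse_on:
            pulse_index = (t - attack_start) // period
            first = (pulse_index * active_per_pulse) % bots
            for j in range(active_per_pulse):
                records.append((t, f"bot-{(first + j) % bots}", bot_rate))
    return records


def per_source_alerts(records, threshold=50):
    """Naive detector: flag any source sending more than `threshold`
    packets in one second. Never fires on the traffic above."""
    return sorted({src for _, src, n in records if n > threshold})


def aggregate_alerts(records, window=5, factor=4.0, warmup=30, holddown=15):
    """Aggregate sliding-window detector. Baseline = mean per-second total
    over the first `warmup` seconds. An alert opens when the mean rate over
    the trailing `window` seconds exceeds factor * baseline and closes only
    after `holddown` consecutive quiet seconds, so a pulsed attack whose
    off-periods are shorter than the hold-down is reported as one alert.
    Returns a list of (start_second, end_second) intervals."""
    per_sec = defaultdict(int)
    for t, _, n in records:
        per_sec[t] += n
    series = [per_sec[t] for t in range(max(per_sec) + 1)]
    bar = factor * (sum(series[:warmup]) / warmup)
    alerts, start, quiet = [], None, 0
    for t in range(len(series)):
        lo = max(0, t - window + 1)
        rate = sum(series[lo:t + 1]) / (t + 1 - lo)
        if rate > bar:
            quiet = 0
            if start is None:
                start = t
        elif start is not None:
            quiet += 1
            if quiet >= holddown:
                alerts.append((start, t - holddown))
                start = None
    if start is not None:
        alerts.append((start, len(series) - 1))
    return alerts


if __name__ == "__main__":
    recs = build_timeline()
    print("per-source alerts:", per_source_alerts(recs))
    print("aggregate alerts (window 5, hold-down 15):", aggregate_alerts(recs))
    print("aggregate alerts (window 1, hold-down 1):",
          aggregate_alerts(recs, window=1, holddown=1))
```

With `window=1` and `holddown=1` the same detector raises a separate alert for every pulse, which is the on/off flapping the hold-down exists to prevent; and because each pulse uses a different slice of the bot population, a block list built from the sources seen in one pulse says nothing about the next one.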

Page 13: Typical Attack Modus Operandi

Page 14: Typical Effects of a DDoS Attack

• A sudden, vast flood of packets being sent to a site

• Typically packets that are fairly clearly junk

– But could be close to real traffic

• These packets drown out the legitimate traffic

• So only junk gets delivered

Page 15: DDoS Attacks in the Real World

• Very common

• Some are pretty small

– Often on small targets

• Occasionally we see a really big one

– Typically on a high-profile target

• Often difficult to handle

Page 16: Some Important Examples

• Microsoft, Yahoo, etc. targeted

• Recent large DDoS attack on Hong Kong voting site

• 25 million packet-per-second attacks on domain hosting and online gaming sites

• At least one company went out of business due to a DDoS attack

Page 17: DDoS Attack on DNS Root Servers

• Concerted ping flood attack on all 13 of the DNS root servers in October 2002

• Successfully halted operations on 9 of them

• Lasted for 1 hour

– Turned itself off, was not defeated

• Did not cause major impact on Internet

– DNS uses caching aggressively

• Another (less effective) attack in February 2007

Page 18: DDoS Attack on Estonia

• Occurred April-May 2007

• Estonia removed a statue that Russians liked

• Then somebody launched large DDoS attack on Estonian government sites

• Took much of Estonia off-line for ~ 3 weeks

• DDoS attack on Radio Free Europe sites in Belarus in 2008

Page 19: DDoS Attack on Al Jazeera

• DNS name server floods of 200-300 Mbps on English language web site

• Successfully made Al Jazeera web site unreachable for two days

– After which, their DNS name was hijacked

• Al Jazeera not easily able to recover from attack

– As Al Jazeera added capacity, the attack got stronger

Page 20: Combining the Two Attacker “Solutions”

• Attackers can use both asymmetry and multiple machines

• Making the problem that much harder to solve

• Reflector attacks are one example

• Recent Hong Kong attack forced the target to perform SSL decryption for a large number of attack machines

Page 21: Attack Toolkits

• Widely available on net

– Easily downloaded along with source code

– Easily deployed and used

• Automated code for:

– Scanning: detection of vulnerable machines

– Exploit: breaking into the machine

– Infection: placing the attack code

• Rootkit:

– Hides the attack code

– Restarts the attack code

– Keeps open backdoors for attacker access

• DDoS attack code:

– Trinoo, TFN, TFN2K, Stacheldraht, Shaft, mstream, Trinity

Page 22: DDoS Attack Code

• Attacker can customize:

– Type of attack: UDP flood, ICMP flood, TCP SYN flood, Smurf attack; web server request flood, authentication request flood, DNS flood

– Victim IP address

– Duration

– Packet size

– Source IP spoofing

– Dynamics (constant rate or pulsing)

– Communication between master and slaves
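Of the options listed, source IP spoofing is the one a network operator can take away from the attacker at the edge: a site that forwards only packets whose source address belongs to its own prefixes cannot be used as a launch point for spoofed floods, and its drop log points at the internal port a compromised host sits behind. The Python below is an added example of such an egress check, not code from the lecture or its author; the prefixes (documentation ranges), port names and packet samples are constructed.

```python
"""Egress anti-spoofing check: forward a packet only if its source address
falls inside one of the site's own prefixes, and record drops by ingress
port so the hosts emitting spoofed traffic can be found.

Added example, not from the lecture or its author; prefixes, port names and
packets are constructed."""
import ipaddress
from collections import Counter

# Constructed: the site's allocated prefixes (documentation ranges).
SITE_PREFIXES = ["198.51.100.0/24", "2001:db8:1::/48"]

# Constructed sample of outbound packets as (ingress_port, src, dst).
SAMPLE_PACKETS = [
    ("eth1", "198.51.100.7", "203.0.113.5"),       # genuine site address
    ("eth1", "2001:db8:1::10", "2001:db8:2::1"),   # genuine site address (IPv6)
    ("eth3", "203.0.113.77", "192.0.2.1"),         # spoofed: someone else's address
    ("eth3", "2001:db8:ffff::1", "2001:db8:2::1"), # spoofed: outside the site's /48
    ("eth2", "10.0.0.5", "192.0.2.1"),             # private source leaking out
]


class EgressFilter:
    def __init__(self, site_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in site_prefixes]
        self.dropped = []  # (port, src, dst) records kept for investigation

    def permitted(self, src):
        """True if `src` is an address this site may originate. Malformed
        input raises ValueError in ip_address(); treat it as not permitted."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False
        # An IPv4 address is never contained in an IPv6 network, or vice versa.
        return any(addr in prefix for prefix in self.prefixes)

    def process(self, packets):
        """Return the packets to forward; everything else goes to self.dropped."""
        forwarded = []
        for port, src, dst in packets:
            if self.permitted(src):
                forwarded.append((port, src, dst))
            else:
                self.dropped.append((port, src, dst))
        return forwarded

    def drops_by_port(self):
        """Internal ports emitting spoofed packets: where to look for the
        compromised hosts behind them."""
        return dict(Counter(port for port, _, _ in self.dropped))


def run_sample():
    f = EgressFilter(SITE_PREFIXES)
    forwarded = f.process(SAMPLE_PACKETS)
    return forwarded, f.drops_by_port()


if __name__ == "__main__":
    fwd, drops = run_sample()
    print(f"forwarded {len(fwd)} packets; drops by ingress port: {drops}")
```

The check is per packet and stateless, so it belongs on the site's border router or firewall rather than on the hosts it protects against; the per-port drop count is the operational output, since a host that emits spoofed packets has almost certainly been taken over in the way Step 1 describes.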

Page 23: Implications of Attack Toolkits

• You don’t need much knowledge or many skills to perpetrate DDoS

• Toolkits allow unsophisticated users to become DDoS perpetrators in little time

• DDoS is, unfortunately, a game anyone can play

Page 24: Conclusion

• Distributed denial of service attacks solve the attacker’s problem of asymmetric capabilities

• DDoS attacks harness multiple hosts to attack a single machine

• DDoS attacks are simple, yet hard to handle