Distributed Denial of Service Attacks (DDoS) Christos Papadopoulos
Smurf Attack
Figure: the attacker sends an echo request to the broadcast address of an amplifier network; the source address is spoofed to be the target's address. Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast.
TCP SYN Flooding: A potentially more powerful attack
Figure: normal three-way handshake between a client (port 33623/tcp) and a server (port 23/tcp): SYN, SYN-ACK, ACK; the session then proceeds with ACK set for the remainder of the session.
Figure: attack case. A spoofed SYN from a nonexistent host reaches the target (port 23/tcp); the target answers with SYN-ACK, but the final ACK is never sent, so the connection stays half-open.
Protection against SYN Attacks
SYN cookies (D.J. Bernstein and Eric Schenk) avoid half-open TCP connections.
• Server responds to a TCP SYN request with a SYN-ACK whose sequence number is a cookie:
  sqn = f(src addr, src port, dest addr, dst port, secret seed)
• Server releases all state.
• If an ACK comes from the client, the server checks whether it is a response to a former SYN-ACK.
• If yes, the server enters the TCP_ESTABLISHED state.
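As an added illustration (not from the slides), a simplified SYN cookie in Python: the cookie is an HMAC over the 4-tuple and a coarse time counter under a secret seed, and the server validates the client's ACK by recomputing the cookie instead of looking up stored state. The secret seed, the 64-second slot and the function names are assumptions for this example; production cookies (e.g. in Linux) also encode the MSS and use a different construction.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed secret seed for this example; a real server rotates it and never sends it.
SECRET_SEED = b"example-secret-seed-change-me"
TIME_SLOT = 64          # seconds per counter step, so an old cookie eventually expires


def syn_cookie(src_addr, src_port, dst_addr, dst_port, counter, secret=SECRET_SEED):
    """Initial sequence number sqn = f(src addr, src port, dst addr, dst port, secret seed).
    Simplified form of the slide's function: an HMAC over the 4-tuple plus a coarse time
    counter, truncated to 32 bits. Nothing about the half-open connection is stored."""
    msg = struct.pack("!4sH4sHI",
                      ipaddress.ip_address(src_addr).packed, src_port,
                      ipaddress.ip_address(dst_addr).packed, dst_port,
                      counter & 0xFFFFFFFF)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def ack_matches_cookie(src_addr, src_port, dst_addr, dst_port, ack_num, counter_now,
                       secret=SECRET_SEED):
    """On a bare ACK, recompute the cookie for the current and the previous counter value
    and accept only if ack_num == cookie + 1 (mod 2^32). Returns the matching counter or
    None. A SYN flood leaves nothing to clean up, because no per-SYN state was kept."""
    for counter in (counter_now, counter_now - 1):
        expected = (syn_cookie(src_addr, src_port, dst_addr, dst_port, counter, secret) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"), ack_num.to_bytes(4, "big")):
            return counter
    return None


def counter_for(unix_time):
    """Coarse time counter fed into the cookie (assumed 64-second slots)."""
    return int(unix_time) // TIME_SLOT
```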
SYN Cookie Exchange
SYN cookies firewall: adds a firewall feature in Linux.
Figure: client, firewall, server.
1. SYN (client to firewall)
2. SYN-ACK (cookie) (firewall to client)
3. ACK (client to firewall)
4. SYN (firewall to server)
5. SYN-ACK (server to firewall)
6. ACK (firewall to server)
7. Relay the connection
Under attack, step 3 will never occur.
What Is a Firewall?
An access control device that performs perimeter security by deciding which packets are allowed or denied into or out of a network. May be a hardware device or a software program running on a secure host computer. Sits at a junction point or gateway between two networks (e.g., public internet and private intranet).
Why a Firewall?
Analogy: a firewall keeps a fire from spreading from one part of the building to another.
Prevents the dangers of the Internet from spreading to your internal network.
• Restricts packets to entering at a carefully controlled point.
• Prevents attackers from getting close to your other defenses.
• Restricts packets to leaving at a carefully controlled point.
What Does a Firewall Do?
A firewall is an aggregation point for security decisions.
• A firewall can enforce security policy.
• A firewall can log Internet activity efficiently.
• A firewall protects the network as a resource.
• A firewall limits your exposure.
• A firewall can provide protection for vulnerable services.
What Does a Firewall Not Do?
A firewall can't protect you against:
• malicious insiders
• careless employees
• connections that don't go through it
• viruses and trojans, data-driven attacks
• illicit rendezvous (unauthorized tunneled connections)
• completely new threats
Additional security measures must be incorporated along with the firewall (physical security, host security, user education).
Caveats
• Firewall technology can provide a false sense of security. May lead to lax security within the firewall perimeter. Analogy: firewalls provide "a hard, crunchy outside with a soft chewy center."
• A misconfigured firewall is ineffective.
• Firewalls must be maintained and updated daily.
• Audit logs must be actively monitored.
What Is DDoS
• Distributed Denial of Service
• New, more pernicious type of attack
• Many hosts "gang up" to attack another host
• Network resource attack: bandwidth, state
Why Should We Care
Successfully used to attack prominent sites in the Internet by those with a primitive understanding of internet protocols
It is relatively easy to do, but hard to detect and stop
It is only going to get worse unless we develop adequate protection mechanisms
Anatomy of an Attack
• Compromise a large set of machines
• Install attack tools
• Instruct all attack machines to initiate attack against a victim
Process highly automated
Phase 1: Compromise
A (stolen) account is used as repository for attack tools.
A scan is performed to identify potential victims.
A script is used to compromise the victims.
Phase 2: Install Attack Tools
• An automated installation script is then run on the “owned” systems to download and install the attack tool(s) from the repository.
• Optionally, a “root kit” is installed on the compromised systems.
Phase 3: Launch Attack
• Launch a coordinated DDoS from different sites against a single victim.
• Network pipes of attackers can be small, but the aggregated bandwidth is far larger than the victim's pipe.
• Victim's ISP may not notice elevated traffic.
• DDoS attacks are harder to track than a DoS.
Some Known DDoS Attack Tools
Trin00
Tribal Flood Network (TFN)
Tribal Flood Network 2000 (TFN2K)
Stacheldraht
Trin00
Distributed SYN attack.
Attacker connects to port 27665 on master machines using telnet.
Master relays the commands to the daemons using UDP port 27444.
Daemons carry out commands and respond on UDP port 31335.
TFN
General design similar to trin00.
Capable of a number of attacks such as ICMP flood, SYN flood, UDP flood and SMURF-style attacks.
Communication between clients and daemons is done via ICMP echo replies. Commands are hidden inside the id field of the ICMP packet.
Traffic looks identical to standard ping traffic and hence is impossible to block at a firewall without blocking outgoing pings.
Absence of TCP and UDP traffic makes these packets difficult to detect.
TFN2K
TFN2K communicates via TCP, UDP (random ports), ICMP echo replies, or all three at random.
Daemon never responds to the master.
The master sends all commands twenty times for reliability.
TFN2K sends out decoy packets to random machines to make it unclear which machines are clients.
All commands are encrypted via a compile-time password.
TFN2K daemons can randomly alternate different types of attacks.
Stacheldraht
Combines features of trin00 with those of TFN.
Adds encryption of communication between the attacker and masters, and automated update of agents.
Communication between attacker and masters takes place on TCP port 16660.
Daemons receive commands from masters through ICMP echo replies (using the data part of the packet).
Possible attacks are ICMP flood, UDP flood, SYN flood and SMURF attack.
# ./client 192.168.0.1
[*] stacheldraht [*]
(c) in 1999 by ...
trying to connect...
connection established.
--------------------------------------
enter the passphrase : sicken
--------------------------------------
entering interactive session.
******************************
welcome to stacheldraht
******************************
type .help if you are lame
stacheldraht(status: a!1 d!0)>
stacheldraht(status: a!1 d!0)>.help
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .showalive
--------------------------------------------------
stacheldraht(status: a!1 d!0)>
Some Commands
--------
.distro user server
Instructs the agent to install and run a new copy of itself
using the Berkeley "rcp" command, on the system "server",
using the account "user" (e.g., "rcp user@server:linux.bin ttymon")
.madd ip1[:ip2[:ipN]]
Add IP addresses to list of attack victims.
.mdie
Sends die request to all agents.
Spoof Testing
The agent performs a test to find out whether the system allows spoofing or not.
The agent sends out an ICMP packet with ID 666 and source IP address 3.3.3.3.
The IP address of the compromised machine is embedded in the data field.
The handler gets the IP address of the agent from the data field and replies with ID 1000 and a data field containing "spoofworks", and sets the spoof level to 0; otherwise it sets the spoof level to 3, meaning that only the last octet can be spoofed.
Defending Against DDoS
• Prevent compromise of machines with Intrusion Detection Systems (IDS)
• Trace back to the attacker
• Develop automated network defense mechanisms
Intrusion Detection: Snort
• Packet-sniffing network intrusion detection system
• Libpcap-based sniffing interface
• Rules-based detection engine
• Multiple output options: decoded logs, tcpdump-formatted logs; real-time alerting to syslog, file, winpopup
© Copyright 1999, Martin Roesch
USENIX LISA ‘99 Conference
Detection Engine
• Rules form "signatures"
• Modular detection elements are combined to form these signatures
• Anomalous activity detection is possible: stealth scans, OS fingerprinting, invalid ICMP codes, etc.
• Rules system is very flexible, and creation of new rules is relatively simple
Traceback Techniques
Logging, link testing, node append, node sampling, overlays, edge sampling, trace messages
Why Traceback Is Hard
IP source address is spoofed: form IP packets with a forged source address and send them using a socket of type SOCK_RAW. Requires root privilege.
Avoiding Spoofed Packets
Ingress filtering prohibits an attacker from forging an IP address. At the first-hop router do:
  If packet's src IP address is within the predefined range
  Then forward packet
  Else drop packet
(-) Mobile hosts use the home network address in mobile IP
Logging (Audit Trailing )
Record packets at predetermined routers and use data-mining techniques to construct the path traversed by the packet.
(+) Easy
(+) Permits post-mortem analysis
(-) Requires large amount of disk and computing resources
(-) Requires maps for reconstruction
(-) Manual, time-consuming
Link Testing
Involves interactively testing the upstream links starting from the victim to determine the links used to carry the attacker's traffic.
Two techniques: input debugging, controlled flooding
Link Testing (Input Debugging)
• Determine the attack signature.
• Filter packets at the egress port and determine at which ingress port they arrived.
• Perform iteratively at all upstream routers till the source(s) are found.
(-) Relies heavily on manual intervention and is extremely slow.
(-) Requires inter-ISP co-operation.
Link Testing (Controlled Flooding)
Flood links with large amounts of UDP traffic (UDP-chargen).
Observe changes in traffic pattern.
Reconstruct path to attacker recursively.
Figure: victim, routers R1 to R5, hosts A and B, attacker. Legend: UDP chargen request, chargen reply, attack packets.
Link Testing (Controlled Flooding)
(+) Effective
(-) Requires information about the internet topology
(-) Inherently noisy
(-) Difficult to discern the set of paths in case of DDoS attacks
(-) DoS attack by itself
(-) Requires co-operation from upstream routers
Node Append
Record the route in the packet as it traverses the routers: each router appends its IP address to the end of the packet.
(+) Easy to implement
(+) Single packet required to find attack path
(-) Increases the packet size (4 bytes/hop)
(-) Processing overhead
(-) Fragmentation
Node Sampling
Each router inserts its IP address in a static field with a probability p.
p(1 − p)^(d−1) is the probability of receiving a packet from a router at a distance d.
Reconstruction algorithm: rank each router by the number of samples received; reconstruct the path using the ranks.
(-) Need more than 42,000 samples for d=15 and p=0.51 before a single packet from the first-hop router
CenterTrack
Figure: IP tunnels (nodes labelled v and a).
• Create an overlay network using IP tunnels
• Tunnels are created between edge and transit routers
• Based on the attack signature, perform logging and/or corrective action in the overlay network
CenterTrack (Cont…)
(+) Eliminates need for transit router input debugging
(+) Required features available
(+) Is not too expensive
(+) Scales well
(-) Still requires input debugging at edge
(-) Changes route (attackers might notice)
Edge Sampling
Three fields: two IPs (start and end of edge) and a distance.
When a router decides to mark, it sets the distance field to 0 and writes its own IP as the start of the edge.
The next router either rewrites (starting a new edge with distance 0) or fills in the remaining (end IP) information and increments the distance.
Other routers increment the distance field or start afresh; marking probability p < 1.
Edge Sampling Algorithm
At router R, for each packet pkt:
  u ← random number in [0, 1)
  if u > p:
    pkt.distance ← 0
    pkt.startIP ← R.IP
  else:
    if pkt.distance == 0:
      pkt.endIP ← R.IP
    pkt.distance ← pkt.distance + 1
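The marking step and the victim-side reconstruction, as an added Python example (not from the slides). It assumes the convention that a router starts a new edge with probability p (the slide writes the test as u > p; only the threshold convention differs), uses strings in place of router IPs, and assumes the attacker's packets arrive with empty marking fields; the victim chains the sampled edges outward by distance.

```python
import random


def mark_packet(pkt, router_ip, p, rng):
    """Marking step run by one router. With probability p the router starts a new edge
    (start = itself, distance 0); otherwise it closes an edge the previous router started
    (distance still 0) and counts one more hop."""
    if rng.random() < p:
        pkt["start"], pkt["end"], pkt["distance"] = router_ip, None, 0
    else:
        if pkt["distance"] == 0:
            pkt["end"] = router_ip
        pkt["distance"] += 1
    return pkt


def forward_flow(path, n_packets, p, seed=7):
    """Send n_packets along path (attacker's first-hop router first). Marking fields
    start out empty (assumption); every router applies mark_packet in turn.
    Returns the packets as the victim receives them."""
    rng = random.Random(seed)
    out = []
    for _ in range(n_packets):
        pkt = {"start": None, "end": None, "distance": 0}
        for router in path:
            mark_packet(pkt, router, p, rng)
        out.append(pkt)
    return out


def reconstruct_path(packets, victim):
    """Victim side: collect sampled edges keyed by distance, then chain them from the
    victim outward. An edge still open at the last router ends at the victim itself.
    Distance d edges end at the router d hops from the victim, so the chain is unique."""
    edges = {}
    for pkt in packets:
        if pkt["start"] is None:
            continue                        # no router sampled this packet
        end = pkt["end"] if pkt["end"] is not None else victim
        edges.setdefault(pkt["distance"], set()).add((pkt["start"], end))
    path, current, d = [], victim, 0
    while d in edges:
        nxt = [s for s, e in edges[d] if e == current]
        if len(nxt) != 1:
            break                           # missing or ambiguous edge: need more samples
        current = nxt[0]
        path.append(current)
        d += 1
    return path                             # victim's first-hop router first
```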
ICMP Traceback
Concept:
• Generate packets with a probability p at intermediate routers, destined for the victim
• Routers encode partial path information in the packet
• Victim can reconstruct the attack path with a sufficient number of trace packets
ICMP Traceback
• Create a new type of ICMP message called ICMP Traceback (in IETF standards process).
• Packet size limited to 576 bytes.
• Traceback messages generated with probability 1/20,000.
• Initial TTL of the new IP packet MUST be 255.
Cossack Overview
• Distributed set of watchdogs monitor the network
• Localized IDS for blind detection
• Topology information to pre-filter target
• Group communication for robustness
• Distributed coordination: no centralized controller
• Attack-driven dynamic grouping of watchdogs
• Consult with other watchdogs to correlate attacks
• Selectively deploy countermeasures to suppress attacks
Cossack: A Simplified View
Figure: one target, several attackers, and watchdogs (W) at the participating networks.
Attack No 4
Ping reflection attack (40-byte packets)
Victim: server at USC
Attackers: 145 reflectors located in Brazil, Japan, Korea, Singapore, United States. Zombie location unknown.
Duration: 285 seconds
Sample trace (anonymized):
1025390161.422173 192.168.123.4 > 10.12.30.4: icmp: echo reply (DF)
1025390161.422178 10.0.4.5 > 10.12.30.4: icmp: echo reply (DF)
1025390161.422757 192.168.3.5 > 10.12.30.4: icmp: echo reply (DF)
Attack 13: Attack Description
Attack specification
Victim: server at Caltech
Spoofed source addresses (> 100,000)
Duration: 1794 seconds
Sample trace:
1026570396.847625 10.0.8.9.22803 > 10.2.2.1.44758: . ack 0 win 8459
1026570396.847630 192.168.123.4.59606 > 10.2.2.1.44649: . ack 0 win 3584
1026570396.847635 10.0.5.1.6616 > 10.2.2.1.44765: . ack 0 win 10
1026570396.847639 0.0.0.0.23139 > 10.2.2.1.44766: . ack 0 win 48231
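An added example (not from the slides) that parses the two tcpdump record shapes in the Attack 4 and Attack 13 traces and flags a destination that receives unsolicited echo replies or bare ACKs from many distinct sources in a short window. The threshold, the window and the check for 0.0.0.0-style source addresses are assumptions chosen for this example; the sample lines are the anonymized ones from the two traces.

```python
import re
from collections import defaultdict

# Sample lines taken from the anonymized traces in the slides (Attack 4, then Attack 13).
SAMPLE_TRACE = """\
1025390161.422173 192.168.123.4 > 10.12.30.4: icmp: echo reply (DF)
1025390161.422178 10.0.4.5 > 10.12.30.4: icmp: echo reply (DF)
1025390161.422757 192.168.3.5 > 10.12.30.4: icmp: echo reply (DF)
1026570396.847625 10.0.8.9.22803 > 10.2.2.1.44758: . ack 0 win 8459
1026570396.847630 192.168.123.4.59606 > 10.2.2.1.44649: . ack 0 win 3584
1026570396.847635 10.0.5.1.6616 > 10.2.2.1.44765: . ack 0 win 10
1026570396.847639 0.0.0.0.23139 > 10.2.2.1.44766: . ack 0 win 48231
"""

ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: echo reply")
TCP_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): \. ack 0 win (\d+)$")


def parse(trace):
    """Yield (timestamp, kind, src, dst) for the two record shapes in the traces above."""
    for line in trace.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield float(m.group(1)), "echo-reply", m.group(2), m.group(3)
            continue
        m = TCP_RE.match(line)
        if m:   # bare ACK with ack 0: no handshake, the spoofed-source flood shape of Attack 13
            yield float(m.group(1)), "bare-ack", m.group(2), m.group(4)


def suspicious_destinations(trace, min_sources=3, window=1.0):
    """Flag (dst, kind) pairs that receive the same unsolicited record type from at least
    min_sources distinct sources within `window` seconds of the first one. Reflection
    (Attack 4) and spoofed-ACK (Attack 13) floods both show this many-to-one shape."""
    records = defaultdict(list)                # (dst, kind) -> [(ts, src), ...]
    for ts, kind, src, dst in parse(trace):
        records[(dst, kind)].append((ts, src))
    alerts = {}
    for key, recs in records.items():
        recs.sort()
        t0 = recs[0][0]
        sources = {src for ts, src in recs if ts - t0 <= window}
        if len(sources) >= min_sources:
            # A 0.0.0.0/8 source cannot be a real sender: direct evidence of spoofing.
            bogons = sorted(s for s in sources if s.startswith("0."))
            alerts[key] = {"sources": len(sources), "bogon_sources": bogons}
    return alerts
```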
Demo
Goal: capture low-level pulsing attacks that elude normal SNMP statistics
Scenario:
• Victim is attacked by many low-level pulsing streams
• SNMP sampling too coarse to isolate attackers
• Watchdog at victim asks watchdogs at source networks to change their sampling interval
• Attack stream detected
Real-life event faced by net admin at USC
Attack Begins
Figure: three attackers A1, A2, A3 send pulsing attack streams to the target, two at 1% strength and one at 98% strength (represents 98 other hosts); watchdogs (W) are deployed.
MRTG sampling too slow to catch individual low-strength attacks, but sees full-strength attack.
Watchdogs Communicate
Figure: same scenario (A1, A2, A3 pulsing at 1%, 98% and 1% strength against the target; watchdogs W).
- Victim watchdog analyzes attack traffic and determines the list of source addresses.
- Forms a Yoid group with upstream watchdogs.
Watchdogs Scrutinize Traffic
Figure: same scenario (A1, A2, A3 pulsing at 1%, 98% and 1% strength against the target; watchdogs W).
- Watchdogs reduce the monitoring interval and detect the attack streams.
Watchdogs Install Filters
Figure: same scenario (A1, A2, A3 pulsing at 1%, 98% and 1% strength against the target; watchdogs W).
- Upstream watchdogs install filters in routers to block the attack.