Lecture 22: Other Types of DDoS Attacks
Advanced Network Security
Peter Reiher
August, 2014



Outline

• Reflector attacks

• Shrew attacks

• Crossfire attacks


Reflector Attacks

• A type of DDoS attack that addresses the issue of asymmetry

• Use a third party site to change a small attack message to a big one

• Relies on IP spoofing

• Can make use of several different protocols for reflection


A Reflector Attack

[Diagram: Attacker, Reflector, Target. The attacker sends a SYN to the reflector, spoofing the IP address of the target as the source; the reflector’s SYN/ACK is delivered to the target.]


The Attack Multiplied


Why Is This Helpful to the Attacker?

• Packets arrive at target with many source IP addresses

– Which are legitimate

– Makes it harder to defend

• The reflector’s response might be bigger than the attacker’s request

– Leading to amplification


Common Types of Reflectors

• DNS servers

– Small requests can give large results

– 100X amplification factor

• NTP

– A protocol flaw made reflector attacks worthwhile

– Can amplify 200X

• Some DHT implementations


The Core Reflector Problem

• Attackers can spoof target IP address

• May be difficult to detect attackers

– Attackers can use botnets to hide traffic volume

• Reflectors cannot easily distinguish between legitimate and illegitimate requests

– Large number of possible reflectors

• Victim’s provider ISP can see the attack but can do little about it


Defending Against Reflector Attacks

• Cut down on IP spoofing

– That’s often hard

• Make reflecting sites less available

– Most DNS servers are only intended for local use, anyway

• Change reflector site behavior

– Either in protocol or site

• Research approaches


One Research Approach - RAD

• Basic idea: reflected messages are replies to requests

• If the target remembers what he requested

• He knows what replies he should see

• Drop “unexpected” replies


RAD Deployment Choices

• Local

– Only sees the false replies

– Validate replies correspond to requests

– Reply volume may overwhelm a local defense

– Only requires local cooperation

• Core

– Can see all traffic

– Validate that packets correspond to source AS

– Requires core cooperation


Local RAD

• Validate that replies correspond to a request

• Most reflectable protocols have a repeated field from the request in the reply

– Initial sequence number between SYN and SYN/ACK

– ID number in DNS query and DNS response

– ID and sequence number in ICMP ECHO and ICMP ECHOREPLY

• Place a message authentication code (MAC) in these fields

• Validate the reply’s MAC, proving the reply corresponds to a legitimate request


What Is In the MAC?

• Create MAC with 512-bit SHA-1

• Use src. IP, dest. IP, src. port, dest. port, a counter and a 384-bit secret

– IP addresses and ports allow us to generate different MACs for different destinations and data flows

– Counter allows us to generate different MACs for the same destination over time

– Secret is unique to source
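The Local RAD slides above (placing a MAC in the request’s repeated field, then validating the reply’s copy of it) can be tried out end to end with the following added example. It is not code from the lecture or from the RAD project: the addresses, ports and secret are constructed, the tag is derived with HMAC-SHA256 truncated to 16 bits (so it fits a DNS or ICMP ID field) rather than the SHA-1 construction the slides name, and the counter is assumed to be a coarse time step with a one-step acceptance window for requests still in flight.

```python
import hashlib
import hmac
import socket
import struct

# Constructed 384-bit (48-byte) secret for this example. The slides call for a
# secret unique to each source; a deployment would draw it from a CSPRNG.
SECRET = hashlib.sha384(b"constructed example secret - not for real use").digest()


def rad_mac(src_ip, dst_ip, src_port, dst_port, counter, secret=SECRET):
    """16-bit tag over (src IP, dst IP, src port, dst port, counter).

    Assumption: HMAC-SHA256 truncated to 16 bits stands in for the slides'
    SHA-1 construction; 16 bits is what the DNS ID / ICMP ID field can carry.
    """
    msg = struct.pack("!4s4sHHQ",
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, counter)
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!H", tag[:2])[0]


def request_id(src_ip, dst_ip, src_port, dst_port, counter):
    """ID the gateway stamps into an outbound request (e.g. the DNS query ID)."""
    return rad_mac(src_ip, dst_ip, src_port, dst_port, counter)


def reply_is_expected(reply, counter_now, window=1):
    """Gateway check on an inbound reply.

    The reply's addresses and ports are the request's, swapped, so the gateway
    recomputes the tag from the reply alone and keeps no per-request state.
    The counter is assumed to advance with time; tags for the previous
    `window` counter values are also accepted so replies to requests still in
    flight across a counter step are not dropped.
    """
    for c in range(max(0, counter_now - window), counter_now + 1):
        expected = rad_mac(reply["dst_ip"], reply["src_ip"],
                           reply["dst_port"], reply["src_port"], c)
        if expected == reply["id"]:
            return True
    return False


def filter_replies(replies, counter_now, window=1):
    """Split inbound replies into those answering our requests and those to drop."""
    accepted, dropped = [], []
    for reply in replies:
        (accepted if reply_is_expected(reply, counter_now, window) else dropped).append(reply)
    return accepted, dropped


def sample_traffic(counter):
    """Constructed sample: one genuine DNS reply and one reflected reply.

    The reflected reply comes from the same resolver to the same port, the
    hardest case for the filter; its ID is whatever the spoofed query carried,
    which cannot match our tag without the secret. A fixed XOR is used here so
    the sample is deterministic.
    """
    our_ip, resolver, our_port = "192.0.2.10", "198.51.100.53", 40000  # constructed
    qid = request_id(our_ip, resolver, our_port, 53, counter)
    genuine = {"src_ip": resolver, "dst_ip": our_ip, "src_port": 53,
               "dst_port": our_port, "id": qid}
    reflected = dict(genuine, id=qid ^ 0x5A5A)
    return genuine, reflected


if __name__ == "__main__":
    genuine, reflected = sample_traffic(counter=1000)
    kept, dropped = filter_replies([genuine, reflected], counter_now=1000)
    print(f"accepted {len(kept)} reply, dropped {len(dropped)} unexpected reply")
```

Because the tag is only 16 bits, a reflected reply still slips through with probability about 2^-16 per packet; the point of the design is not to make forgery impossible but to turn a flood of unsolicited replies into a flood the gateway can discard statelessly at line rate.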


Using Local RAD

[Diagram: Sender, Gateway, Internet, Reflector, Attacker. The sender’s gateway stamps outbound requests as REQ + MAC and accepts the matching RPL + MAC replies; the attacker’s BAD REQ elicits a BAD RPL from the reflector, which the gateway drops: no correct MAC!]


Core RAD

• Local RAD can be overwhelmed by sheer traffic volume

• Move filtering farther from the target, into the core

• Core RAD:

– Have edge ASes mark all their outbound traffic

– Have core nodes validate marks

• If an invalid mark is detected, drop the packet


Marking the Packets in Core RAD

• Generate an HMAC using the source address, destination address, packet contents and a secret key

– Source and destination prevent replays of one valid packet to many targets

– Packet contents make it easier to detect replays

• Place the HMAC into the IP ID field
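The marking and validation steps of Core RAD described on the two slides above, worked through as an added example that is not the lecture’s or the RAD project’s code. It assumes a constructed topology of three edge ASes (AS64500 to AS64502, with documentation prefixes), a per-AS marking key shared with the core, and packets represented as dictionaries whose `ip_id` field stands in for the 16-bit IPv4 Identification field.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed topology: the prefix each edge AS originates and the key that AS
# shares with the core for marking. Real keys would be distributed out of
# band; these placeholders are derived from the AS number.
PREFIX_TO_AS = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,     # the target's AS
    ipaddress.ip_network("198.51.100.0/24"): 64501,  # the reflector's AS
    ipaddress.ip_network("203.0.113.0/24"): 64502,   # the attacker's AS
}
AS_KEYS = {asn: hashlib.sha256(f"constructed key for AS{asn}".encode()).digest()
           for asn in PREFIX_TO_AS.values()}


def origin_as(ip):
    """AS expected to originate traffic carrying this source address."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_AS.items():
        if addr in net:
            return asn
    return None


def compute_mark(key, src, dst, payload):
    """HMAC over source, destination and packet contents, truncated to the
    16 bits the IPv4 Identification field can hold."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!H", tag[:2])[0]


def edge_mark(packet, marking_as):
    """Edge AS: stamp every outbound packet under the AS's own key."""
    marked = dict(packet)
    marked["ip_id"] = compute_mark(AS_KEYS[marking_as],
                                   packet["src"], packet["dst"], packet["payload"])
    return marked


def core_validate(packet):
    """Core node: look up the AS that owns the claimed source, recompute the
    mark under that AS's key and compare. A packet with a spoofed source was
    marked (if at all) under some other AS's key, so the check fails."""
    asn = origin_as(packet["src"])
    if asn is None:
        return False
    expected = compute_mark(AS_KEYS[asn], packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(struct.pack("!H", expected),
                               struct.pack("!H", packet["ip_id"]))


def core_filter(packets):
    """Forward packets with a valid mark, drop the rest."""
    forwarded = [p for p in packets if core_validate(p)]
    dropped = [p for p in packets if not core_validate(p)]
    return forwarded, dropped


def sample_packets():
    """Constructed packets as seen at the core:
    1. a genuine DNS query from the target's network, marked by its own edge AS;
    2. the same query with the target's address as source but emitted from
       AS64502, so marked by that AS's edge (edge ASes mark all outbound traffic);
    3. a replay of the genuine packet redirected to another destination, with
       the original mark left in place;
    4. the genuine packet with no mark at all (ip_id left at zero).
    """
    query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # constructed DNS header
    genuine = edge_mark({"src": "192.0.2.10", "dst": "198.51.100.53", "payload": query}, 64500)
    spoofed = edge_mark({"src": "192.0.2.10", "dst": "198.51.100.53", "payload": query}, 64502)
    replayed = dict(genuine, dst="198.51.100.54")
    unmarked = dict(genuine, ip_id=0)
    return genuine, spoofed, replayed, unmarked


if __name__ == "__main__":
    forwarded, dropped = core_filter(list(sample_packets()))
    print(f"forwarded {len(forwarded)}, dropped {len(dropped)}")
```

Note what the core does not need: it never sees the request/reply pairing that Local RAD relies on, and it keeps no state. The reflector’s own reply is marked by the reflector’s edge AS and passes validation as it should; the defense works by stopping the spoofed request before it ever reaches the reflector.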


Core RAD in Operation

[Diagram: Sender, Edge AS, Core AS, Reflector, Attacker. The sender’s PKT leaves its edge AS as PKT + MAC and is passed by the core AS; the attacker’s BAD PKT fails mark validation at the core and is dropped.]


Core RAD and DNS Reflector Attacks


RAD Lessons

• Local RAD

– Provides a defense that only requires local cooperation

– Limited by local bandwidth or ISP’s bandwidth

• Core RAD

– Provides nearly complete protection

– Requires core ASes to participate

– Core ASes can sell as a service


Shrew Attacks

• Classic DDoS attacks have high volume

• Which makes their presence pretty obvious

• And requires lots of attacker resources

• Shrew attacks deny service more stealthily, requiring fewer resources


TCP and Packet Losses

• TCP responds to losses by assuming they are caused by congestion

– Detected by packets not ACKed

– Due to timeout waiting for the ACK

• TCP’s response is to send less data

• The more losses, the less data sent

• Length of timeouts defined in the TCP protocol


Causing the Shrew Attacks

• Send brief bursts of high volume traffic

• At specifically chosen intervals

• To match timeouts of TCP’s expectation of ACK delivery

• The bursts cause ACKs to be dropped

• The other party thinks that there’s persistent congestion and backs off


Effect of a Shrew Attack

• The attacker’s average sending rate isn’t too high

– E.g., ~900 Kbps

• The target’s sending rate drops to near zero

– Because he keeps missing ACKs at critical moments


Handling Shrew Attacks

• Hard to detect this shrew behavior using existing methods

– So figuring out that someone is doing it isn’t too likely

• Randomizing the TCP wait time helps

• But good choices don’t match nicely with behavior in face of real congestion


Crossfire Attacks

• Traditional DDoS flooding attacks involve sending packets to the target

• You could instead send packets “across” the target’s nearby networks

• Congest those networks without ever sending packets to the target at all


The Crossfire Concept

Cut off a part of the Internet (the target area) that contains your victim (the public server) by congesting a set of target links.

Create the congestion by sending from your attack machines to decoy servers you set up near the target links.


Crossfire Effectiveness

• Can seriously degrade performance in the attacked area

• While targeting a relatively low number of links

– 10-50, in the original experiments

• With sufficient attack nodes, each need only send a few Mbps


Crossfire Countermeasures

• Difficult to defend against

• Either design networks with higher internal connectivity

• Or get ISPs and core providers to work together quickly and closely

• Neither is ideal


Conclusion

• There are many interesting variations of DDoS attacks

• More are discovered all the time

• Most real world attacks aren’t exotic

• But only because they don’t need to be

• If we can stop the basic ones, we’ll need to tackle the advanced ones