Service Attack

Definition

Analyzing the Goal of DoS Attacks

Who? What For?

Why Should We Care?

Fast Facts

Approaches to DoS Attacks
Approaches to DoS Attacks (cont'd)
• Flooding attack
• Works by sending a vast number of messages whose processing consumes some key resource at the target
• The strength lies in the volume, rather than the content
• Implications:
• Make the traffic look legitimate
• The flow of traffic is large enough to consume the victim's resources
• Send with a high packet rate
• These attacks are more commonly DDoS
• Ex.: SYN spoofing attack, source address spoofing, etc.
Contents
• Introduction
• Flooding attacks
• Conclusion

DDoS Architecture
• Those who perform DDoS attacks usually amplify their attacks by taking advantage of a poorly managed server on the Internet. Someone might be running a DNS server that is not fully secure. DNS is a helpful protocol that ensures the Internet as we know it runs the way it does, but if misconfigured it can also amplify a DDoS attack
• The attacker usually has a single computer from which he or she can control many other hacked computers. These hacked computers can be called zombie bots, and they form a botnet. A botnet is a group of computers which are controlled by a malicious hacker. Many people do not realize that their computer is hacked and is being used as a zombie as part of a botnet
• The attacker sends a message to his or her botnet telling them to attack target X. But to make the attack even more powerful, the botnet is instructed to go through a compromised server, which amplifies the attack
• At least one of two things happens during a successful DDoS attack:
• The second scenario is worse than the first. If it is just the one server being targeted and it goes offline, that is bad. But if the whole Internet connection becomes congested with fake traffic, then no servers using that connection can operate. This might mean every service becomes unavailable. If the Internet connection is shared, then a single target can affect everyone on the same connection. What this means is that if you buy Internet from an ISP, and the ISP has another customer that shares a switch or router with you, then an attack on that other customer can affect your Internet connection
• The largest single ports commonly in use are 100 Gbps bandwidth ports, and those are usually reserved for the Internet's largest players. The largest DDoSes have gone well beyond this number, meaning that a DDoS can be powerful enough to affect even the largest Internet companies
• A DDoS takes little effort from the attacker's point of view, and is incredibly efficient at causing disruption. Some time ago Linode, one of the most popular VPS providers, suffered a terrible DDoS attack. It was extremely disruptive and it cost Linode a lot of money
Botnet-Based DDoS Attack Architecture
• Botnet-based DDoS attack networks fall under three categories:
• The agent-handler model
• The IRC-based model
• The web-based model
Agent-Handler Model
• The agent-handler model of a DDoS attack comprises clients, handlers, and agents
• The client is the one with whom the attacker communicates in the DDoS attack system
• The handlers are software packages located throughout the Internet
• The client uses these packages to communicate with the agents
• The agent software thrives in compromised systems, eventually conducting the attack at the appropriate time
• The attacker communicates with any of the handlers to identify operational agents and to determine when to attack or when to upgrade agents
• Owners and users of agent systems are typically unaware that their system has been compromised and is being used in a DDoS attack
• Depending on the configuration of the DDoS attack network, agents can be instructed to communicate with one handler or with multiple handlers
• Attackers often attempt to install the handler software on a compromised router or network server
• The target typically handles large volumes of traffic, making it difficult to identify the messages exchanged between the client and the handler and between the handler and the agents. The terms "handler" and "agents" are sometimes replaced with "master" and "daemons," respectively, in descriptions of DDoS tools
Internet Relay Chat (IRC) Model
• The attacker does not necessarily maintain a list of the agents because it can immediately enter the IRC server and view all available agents
• The agent software in the IRC network sends and receives messages through the IRC channel and informs the attacker when an agent becomes operational.
IRC Server
• IRC (Internet Relay Chat) is a protocol for real-time text messaging between Internet-connected computers, created in 1988
• It is mainly used for group discussion in chat rooms called "channels", although it supports private messages between two users, data transfer, and various server-side and client-side commands
• IRC is a popular method used by botnet owners to send commands to the individual computers in their botnet.
• This is done either on a specific channel on a public IRC network, or on a separate IRC server
• The IRC server containing the channel(s) that are used to control bots is referred to as a "command and control" or C2 server
• IRC networks use simple, low-bandwidth communication methods, making them widely used to host botnets
• They tend to be relatively simple in construction, and have been used with moderate success for coordinating DDoS attacks and spam campaigns while being able to continually switch channels to avoid being taken down
Web-Based Model

The Advantages of Web-Based Controls over IRC
• Ease of set-up and website configuration
• Improved reporting and command functions
• Lower bandwidth requirement and the acceptance of large botnets for the distributed load
• Concealment of traffic and hindrance of filtering through the use of ports 80/443
• Resistance to botnet hijacking via chat-room hijacking
• Ease of use and of acquisition
Botnet-Based DDoS Attack Tools

Agent-Based DDoS Attack Tools
• Agent-based DDoS attack tools are based on the agent-handler DDoS attack model comprising handlers, agents, and victims
• Examples of agent-based DDoS tools are Trinoo, Tribe Flood Network (TFN), TFN2K, Stacheldraht, mstream, and Shaft
• Among the above-mentioned agent-based DDoS tools, Trinoo is the most popular and the most widely used for its capability for bandwidth depletion and for launching UDP flood attacks against one or numerous Internet Protocol (IP) addresses
• Shaft is similar to Trinoo in that it can launch packet flooding attacks. Shaft can also control the duration of the attack, as well as the size of the flooding packets
• TFN is another DDoS attack tool that can conduct bandwidth and resource depletion attacks. TFN can perform Smurf, UDP flooding, TCP SYN flooding, ICMP echo request flooding, and ICMP directed broadcast. TFN2K [15], as a derivative of TFN, can perform Smurf, SYN, UDP, and ICMP flood attacks
• TFN2K has the special capability of adding encrypted messages between attack components. Stacheldraht is a product of previous TFN attempts. Stacheldraht strengthens a number of TFN's weak points and is capable of implementing Smurf, SYN flood, UDP flood, and ICMP flood attacks
• mstream is a simple point-to-point TCP ACK flooding tool that can overwhelm the fast-routing routine tables in some switches
IRC-Based DDoS Attack Tools
• IRC-based DDoS attack tools were developed after the emergence of agent-handler attack tools
• More sophisticated IRC-based tools have been developed, and these tools include the important features of several agent-handler attack tools
• Trinity is one of the best-known IRC-based DDoS tools. On top of UDP, TCP SYN, TCP ACK, and TCP NULL packet floods, Trinity v3 introduces TCP random flag packet floods, TCP fragment floods, TCP established floods, and TCP RST packet floods. Along with the development of Trinity came myserver, which relies on external programs to conduct DoS, and Plague, which simulates TCP ACK and TCP SYN flooding.
• Knight is another lightweight and powerful IRC-based DDoS attack tool that can perform UDP flood attacks and SYN attacks. Knight can be considered an urgent pointer flooder
• An IRC-based DDoS tool based on Knight is Kaiten, which conducts UDP, TCP flood attacks, SYN, and
Web-Based DDoS Attack Tools
• Despite the currently popular attack tools that can launch DDoS attacks, most organizations are unaware of the broad development over the last few years and are vulnerable to attackers, according to Arbor Networks
• Commercial services, along with downloadable tools, can launch attacks for a fee
• Approximately 20,000 infected computers with multiple targets can destroy over 90% of Internet sites [21]. A DDoS attack on the application layer is highly comparable to calling someone in the world from one website, while the web site indicates being out of service or displays "The page cannot be found"
• Three web-based DDoS attack tools are:
• BlackEnergy
• Low-Orbit Ion Cannon (LOIC)
• Aldi botnet
BlackEnergy

Low-Orbit Ion Cannon (LOIC)

Aldi Botnet
How Do You Know When a DDoS Attack Is Occurring
• The hardest part about a DDoS attack is that there are no warnings
• Between the time it takes for you to realize it's a DDoS attack and the time it takes to mitigate the damage, several hours can go by
• This means several hours of missed service and income, which essentially takes a major cut out of your revenue
• The most effective way to mitigate a DDoS attack is to know that it's happening immediately when the attack begins. There are several clues that indicate an ongoing DDoS attack:
• An IP address makes X requests over Y seconds
• Your server responds with a 503 due to service outages
• The TTL (time to live) on a ping request times out
• If you use the same connection for internal software, employees notice slowness issues
• Log analysis solutions show a huge spike in traffic
• Most of these signs can be used to automate a notification system that sends an email or text to your administrators
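Three of the clues above (X requests from one IP over Y seconds, 503 responses, and a traffic spike in the logs) can be checked automatically from web-server access logs. The following is an added example, not code from the original slides; the Common Log Format sample lines, the thresholds and the function names are constructed for it.

```python
"""Automating three of the clues above from web-server access logs: requests
per source IP in a sliding window, 503 responses, and a traffic spike. Added
example, not code from the original slides: the Common Log Format lines, the
thresholds and the function names are constructed for it."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (Common Log Format): one chatty source,
# one normal visitor, two 503s during the burst.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 503 0
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 503 0
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:56:50 +0000] "GET / HTTP/1.1" 200 612
"""


def parse_line(line):
    """Return (timestamp, source_ip, status) for one CLF line, or None if
    the line does not parse (malformed lines must not crash the monitor)."""
    try:
        ip = line.split(" ", 1)[0]
        ts_text = line[line.index("[") + 1:line.index("]")].split(" ")[0]
        ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S")
        status = int(line.rsplit('"', 1)[1].split()[0])  # field after the request
        return ts, ip, status
    except (ValueError, IndexError):
        return None


def find_noisy_ips(log_text, max_requests, window_seconds):
    """'An IP address makes X requests over Y seconds': return {ip: peak}
    for every IP whose request count inside any window_seconds span
    exceeded max_requests. Lines are assumed to be in time order."""
    windows = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # expire timestamps outside the window
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def count_503(log_text):
    """'Your server responds with a 503': count such responses."""
    n = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[2] == 503:
            n += 1
    return n


def requests_per_minute(log_text):
    """'Log analysis shows a huge spike': requests bucketed by minute, the
    series an alerting rule would compare against its normal baseline."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            buckets[parsed[0].strftime("%Y-%m-%d %H:%M")] += 1
    return dict(buckets)


if __name__ == "__main__":
    print(find_noisy_ips(SAMPLE_LOG, max_requests=3, window_seconds=10))
    print(count_503(SAMPLE_LOG), requests_per_minute(SAMPLE_LOG))
```

Any of the three results can feed the e-mail or text notification the last bullet describes; a real deployment reads the log incrementally instead of from a string.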
Too Many Requests for One IP
• You can temporarily set up the router to send traffic from specific IPs to null routes. This essentially sends the attacking IP addresses to a void or dead end, so that they cannot affect your servers
• This is somewhat difficult, because you can easily block a legitimate IP address as you attempt to stop the attack
• Another issue is that the source IP is usually spoofed, so the connection is never completed between your server and the source machine

Server Responds with a 503
• This opens a configuration screen where you can configure the event to send an email to an administrator or to a team of people.
TTL Times Out
• Some sites that offer pinging services:
• UptimeRobot
  Number of sites you can monitor: 50
  Regularity of checks: every 5 minutes
  Methods of alerts: e-mail, SMS, RSS, Twitter coming soon
• Pingdom
  Number of sites you can monitor: 1
  Regularity of checks: user set, from 1 minute upwards
  Methods of alerts: e-mail, SMS (up to 20 per month), push alerts via iPhone app
• InternetSeer
  Number of sites you can monitor: 1
  Regularity of checks: every hour
  Methods of alerts: e-mail, SMS
• Montastic
  Number of sites you can monitor: 3
  Regularity of checks: every 30 minutes
  Methods of alerts: e-mail, status via RSS and widgets for Macs and PCs
• With these services, your site is monitored 24/7 for uptime, so your IT team can respond should your server experience issues
• Because a DDoS attack eats away at your bandwidth, the ping time will be too long or time out. The service sends an alert to your team, so they can start mitigation techniques and troubleshoot the issue
Log Management Systems and DDoS Attack Monitoring
• These solutions display your traffic statistics across your entire stack and help you identify whether there are any anomalies, 24/7
• The advantage of using these logs is that you can not only identify traffic spikes, but also identify the servers affected, the errors returned to your users, and the precise date and time the traffic spikes occurred
• Analysis tools do much more than just tell you there is a problem. They also tell you the servers affected, to save you troubleshooting time
Dealing with DDoS

Mitigate DDoS
• The first option is preventative. Do not become a target if you can help it. This means both hiding the IP addresses of your essential services, but also not upsetting people
• Another step is to have a good firewall which will drop certain types of traffic. If you have a server which does not host websites, there is no need for the firewall to allow connections to that server on TCP port 80. A system administrator should be able to set up an efficient firewall which prevents many types of fake traffic
• Finally, the most difficult thing to do is to protect your network. The easiest, but usually most expensive, step is to increase the bandwidth of your Internet connection. The more bandwidth your connection can handle, the larger the attack must be for it to have any sort of effect
• A second, more cost-effective method may be to use a specific DDoS mitigation service. These services act as a proxy between you and the Internet, and when you become the target of an attack they help to filter out that attack traffic. Instead, all they send you is the legitimate traffic which was bound for your server.
• A DDoS is a pain in the butt because it works. It's easy to implement and difficult to mitigate!
Classical DoS Attacks
• Simplest classical DoS attack: flooding attack on an organization
• Ping flood attack
[Figure: ping flood attack; service denied to legitimate users]

Ping Flood Attack
[Figure: Ping of Death. Source: learn-networking.com]
Ping of Death
• The maximum size of a correctly formed IPv4 packet, including the IP header, is 65,535 bytes, while a normal ping is 84 bytes in total.
• Many historical computer systems simply could not handle larger packets, and would crash if they received one
• This bug was easily exploited in early TCP/IP implementations in a wide range of operating systems including Windows, Mac, Unix, Linux, as well as network devices like printers and routers
• Since sending a ping packet larger than 65,535 bytes violates the Internet Protocol, attackers would generally send malformed packets in fragments
• When the target system attempts to reassemble the fragments and ends up with an oversized packet, a memory overflow could occur and lead to various system problems, including a crash
• Ping of Death attacks were particularly effective because the attacker's identity could be easily spoofed. Moreover, a Ping of Death attacker would need no detailed knowledge of the machine he/she was attacking, except for its IP address
Methods of Mitigation
• To avoid Ping of Death attacks and their variants, many sites block ICMP ping messages altogether at their firewalls. However, this approach is not viable in the long term
• Firstly, invalid packet attacks can be directed at any listening port, like FTP ports, and you may not want to block all of these, for operational reasons
• Moreover, by blocking ping messages, you prevent legitimate ping use, and there are still utilities that rely on ping for checking that connections are live
• The smarter approach would be to selectively block fragmented pings, allowing actual ping traffic to pass through unhindered
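The two defender-side checks implied by the Ping of Death discussion, refusing a reassembly that would exceed 65,535 bytes and dropping only fragmented pings, can be written down directly. This is an added example, not code from the original slides; the Fragment record, the constants, the function names and the sample fragment sets are constructed for it.

```python
"""Defender-side checks for the Ping of Death discussion above. Added example,
not code from the original slides: the Fragment record, the constants, the
function names and the sample fragment sets are all constructed for it."""
from dataclasses import dataclass
from typing import Optional

IPV4_MAX_DATAGRAM = 65535   # the 16-bit total length field cannot exceed this
IPV4_HEADER_LEN = 20        # minimal IPv4 header without options
ICMP_ECHO_REQUEST = 8       # ICMP type carried by a ping


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as seen by a filter or reassembler."""
    proto: int                       # IP protocol number, 1 = ICMP
    offset: int                      # fragment offset field, in 8-byte units
    more: bool                       # MF (more fragments) flag
    payload_len: int                 # bytes of data following the IP header
    icmp_type: Optional[int] = None  # only present in the first fragment


def reassembled_size(fragments):
    """Total length the datagram would have after reassembly, or None if the
    set is incomplete (no first fragment or no single last fragment).
    Each fragment ends at offset*8 + payload_len bytes into the payload."""
    if not any(f.offset == 0 for f in fragments):
        return None
    if sum(1 for f in fragments if not f.more) != 1:
        return None
    end = max(f.offset * 8 + f.payload_len for f in fragments)
    return IPV4_HEADER_LEN + end


def is_oversized(fragments):
    """True when reassembly would overflow the 65,535-byte limit, the
    condition that crashed early TCP/IP stacks. A reassembler that checks
    this before allocating never builds the oversized packet."""
    size = reassembled_size(fragments)
    return size is not None and size > IPV4_MAX_DATAGRAM


def should_drop_fragmented_ping(fragment):
    """The slide's recommended rule: drop only fragmented ICMP echo requests
    (MF set or non-zero offset) and let whole pings pass unhindered."""
    if fragment.proto != 1:
        return False
    if not (fragment.more or fragment.offset > 0):
        return False                 # a whole, unfragmented ping
    # Only the first fragment carries the ICMP header; later fragments of
    # the same datagram have no type to inspect, so they are dropped too.
    return fragment.offset > 0 or fragment.icmp_type == ICMP_ECHO_REQUEST


def sample_ping_of_death():
    """Constructed: an echo request split into 1480-byte pieces (185 units of
    8 bytes) whose last piece pushes the total past 65,535 bytes."""
    frags = [Fragment(1, i * 185, True, 1480, ICMP_ECHO_REQUEST if i == 0 else None)
             for i in range(44)]
    frags.append(Fragment(1, 44 * 185, False, 1480))
    return frags


if __name__ == "__main__":
    normal_ping = [Fragment(1, 0, False, 64, ICMP_ECHO_REQUEST)]
    print("normal ping size:", reassembled_size(normal_ping))             # 84
    print("normal ping oversized:", is_oversized(normal_ping))             # False
    print("ping of death oversized:", is_oversized(sample_ping_of_death()))  # True
```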
Source Address Spoofing
[Figure: source address spoofing; the source is difficult to identify]

SYN Spoofing

TCP 3-Way Connection Handshake
[Figure: the client's address, port number and sequence number x are recorded in a table of known TCP connections while the server is in the LISTEN state. Vulnerability: unboundedness of the LISTEN state]

SYN Spoofing (cont'd)
Factors Considered by the Attacker for SYN Spoofing
• The number of forged packets sent is just large enough to exhaust the table, but small compared to a typical flooding attack
• Keep a sufficient volume of forged requests flowing
• Keep the table constantly full, with no timed-out requests
• Make sure to use addresses that will not respond to the SYN-ACK with a RST
• Overloading the spoofed client
• Using a wide range of random addresses
• A collection of compromised hosts under the attacker's control (i.e., a "botnet") could be used
Detecting a SYN Spoof Attack
• After the target system has tried to send a SYN/ACK packet to the client and while it is waiting to receive an ACK packet, the existing connection is said to be half open, or the host is in the SYN_RECEIVED state
• If your system is in this state, it may be experiencing a SYN spoof attack
• To determine whether connections on your system are half open, type the netstat -a command
• This command gives a set of active connections. Check for those in the state SYN_RECEIVED, which is an indication of the threat of a SYN spoof attack
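The netstat -a check above can be automated so that a growing number of half-open entries raises an alert instead of relying on someone reading the output by eye. This is an added example, not code from the original slides; the netstat output is constructed (Linux prints the state as SYN_RECV, Windows as SYN_RECEIVED) and the alert threshold is an assumption.

```python
"""Automating the slide's netstat -a check for half-open connections. Added
example, not code from the original slides: the sample output below is
constructed and the threshold passed to ports_under_suspicion is assumed."""
from collections import Counter

# Linux shows half-open connections as SYN_RECV, Windows as SYN_RECEIVED.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}

# Constructed sample of `netstat -a` output in the Linux column layout.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.23:41022     ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.77:1025       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.78:1026       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.79:1027       SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.80:2000       SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.10:51515        ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def parse_netstat(text):
    """Yield (proto, local, foreign, state) for each TCP line; headers and
    UDP lines (which carry no state column) are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        yield parts[0], parts[3], parts[4], parts[5]


def half_open_by_port(text):
    """Count half-open connections per local port (the port being targeted)."""
    counts = Counter()
    for _, local, _, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            counts[local.rsplit(":", 1)[1]] += 1   # rsplit also handles IPv6
    return counts


def half_open_sources(text):
    """Distinct foreign addresses sitting in the half-open state. Many
    distinct addresses that never finish the handshake fit the spoofing
    pattern the slide describes."""
    return sorted({foreign.rsplit(":", 1)[0]
                   for _, _, foreign, state in parse_netstat(text)
                   if state in HALF_OPEN_STATES})


def ports_under_suspicion(text, threshold):
    """Local ports whose half-open count reaches the (assumed) threshold."""
    return sorted(p for p, n in half_open_by_port(text).items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_port(SAMPLE_NETSTAT))
    print(ports_under_suspicion(SAMPLE_NETSTAT, threshold=3))
    print(half_open_sources(SAMPLE_NETSTAT))
```

In practice the text would come from running netstat periodically (or from ss on Linux) and the threshold from the host's normal baseline.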
Contents
• Introduction
• Flooding attacks
• Conclusion

Flooding Attacks

Types of Flooding Attacks
• UDP flood
• Exploits the target system's diagnostic echo services to create an infinite loop between two or more UDP services

UDP Flood Attack
How Does a UDP Flood Attack Work
• A UDP flood works primarily by exploiting the steps that a server takes when it responds to a UDP packet sent to one of its ports. Under normal conditions, when a server receives a UDP packet at a particular port, it goes through two steps in response:
• The server first checks to see whether any programs are running which are presently listening for requests at the specified port
• If no programs are receiving packets at that port, the server responds with an ICMP (ping) packet to inform the sender that the destination was unreachable

Similarity of UDP Flood
• As each new UDP packet is received by the server, it goes through steps in order to process the request, utilizing server resources in the process. When UDP packets are transmitted, each packet will include the IP address of the source device
• During this type of DDoS attack, an attacker will generally not use their own real IP address, but will instead spoof the source IP address of the UDP packets, preventing the attacker's true location from being exposed and potentially saturated with the response packets from the targeted server
• As a result of the targeted server utilizing resources to check and then respond to each received UDP packet, the target's resources can become quickly exhausted when a large flood of UDP packets is received, resulting in denial of service to normal traffic
How Is a UDP Flood Attack Mitigated
• Most operating systems limit the response rate of ICMP packets, in part to disrupt DDoS attacks that require an ICMP response
• Traditionally, UDP mitigation methods also relied on firewalls that filtered out or blocked malicious UDP packets. Such methods are now becoming irrelevant, as modern high-volume attacks can simply overwhelm firewalls, which are not designed with overprovisioning in mind
• If the UDP flood has a volume high enough to saturate the state table of the targeted server's firewall, any mitigation that occurs at the server level will be insufficient, as the bottleneck will occur upstream from the targeted device
• Use a mechanism designed for inline traffic processing that identifies and filters out malicious DDoS packets based on a combination of factors like IP reputation, abnormal attributes and suspicious behavior
What Is a SYN Flood Attack

How Does a SYN Flood Attack Work?
• SYN flood attacks work by exploiting the handshake process of a TCP connection. Under normal conditions, a TCP connection exhibits three distinct steps in order to make a connection.
• First, the client sends a SYN packet to the server in order to initiate the connection.
• The server then responds to that initial packet with a SYN/ACK packet, in order to acknowledge the communication.
• Finally, the client returns an ACK packet to acknowledge the receipt of the packet from the server. After completing this sequence of packet sending and receiving, the TCP connection is open and able to send and receive data
• To create denial of service, an attacker exploits the fact that after an initial SYN packet has been received, the server will respond back with one or more SYN/ACK packets and wait for the final step in the handshake. Here's how it works:
• The attacker sends a high volume of SYN packets to the targeted server, often with spoofed IP addresses.
• The server then responds to each one of the connection requests and leaves an open port ready to receive the response
• While the server waits for the final ACK packet, which never arrives, the attacker continues to send more SYN packets. The arrival of each new SYN packet causes the server to temporarily maintain a new open port connection for a certain length of time, and once all the available ports have been utilized the server is unable to function normally.
• In networking, when a server is leaving a connection open but the machine on the other side of the connection is not, the connection is considered half open. In this type of DDoS attack, the targeted server is continuously leaving open connections and waiting for each connection to time out before the ports become available again. The result is that this type of attack can be considered a "half-open attack"
A SYN Flood Can Occur in Three Different Ways:
• Direct attack: A SYN flood where the IP address is not spoofed is known as a direct attack. In this attack, the attacker does not mask their IP address at all. As a result of the attacker using a single source device with a real IP address to create the attack, the attacker is highly vulnerable to discovery and mitigation. In order to create the half-open state on the targeted machine, the hacker prevents their machine from responding to the server's SYN-ACK packets. This is often achieved by firewall rules that stop outgoing packets other than SYN packets or by filtering out any incoming SYN-ACK packets before they reach the malicious user's machine. In practice this method is used rarely (if ever), as mitigation is fairly straightforward: just block the IP address of each malicious system. If the attacker is using a botnet such as the Mirai botnet, they won't care about masking the IP of the infected device
• Spoofed attack: A malicious user can also spoof the IP address on each SYN packet they send in order to inhibit mitigation efforts and make their identity more difficult to discover. While the packets may be spoofed, those packets can potentially be traced back to their source. It's difficult to do this sort of detective work but it's not impossible, especially if Internet service providers (ISPs) are willing to help.
• Distributed attack (DDoS): If an attack is created using a botnet, the likelihood of tracking the attack back to its source is low. For an added level of obfuscation, an attacker may have each distributed device also spoof the IP addresses from which it sends packets. If the attacker is using a botnet such as the Mirai botnet, they generally won't care about masking the IP of the infected device
• By using a SYN flood attack, a bad actor can attempt to create denial of service in a target device or service with substantially less traffic than other DDoS attacks. Instead of volumetric attacks, which aim to saturate the network infrastructure surrounding the target, SYN attacks only need to be larger than the available backlog in the target's operating system. If the attacker is able to determine the size of the backlog and how long each connection will be left open before timing out, the attacker can target the exact parameters needed to disable the system, thereby reducing the total traffic to the minimum necessary amount to create denial of service
How Is a SYN Flood Attack Mitigated
• The SYN flood vulnerability has been known for a long time and a number of mitigation pathways have been utilized. A few approaches include:
• Increasing the backlog queue
• Each operating system on a targeted device has a certain number of half-open connections that it will allow. One response to high volumes of SYN packets is to increase the maximum number of possible half-open connections the operating system will allow. In order to successfully increase the maximum backlog, the system must reserve additional memory resources to deal with all the new requests. If the system does not have enough memory to be able to handle the increased backlog queue size, system performance will be negatively impacted, but that still may be better than denial of service
• Recycling the oldest half-open TCP connection
• Another mitigation strategy involves overwriting the oldest half-open connection once the backlog has been filled. This strategy requires that legitimate connections can be fully established in less time than the backlog can be filled with malicious SYN packets. This particular defense fails when the attack volume is increased, or if the backlog size is too small to be practical.
• SYN cookies
• This strategy involves the creation of a cookie by the server. In order to avoid the risk of dropping connections when the backlog has been filled, the server responds to each connection request with a SYN-ACK packet but then drops the SYN request from the backlog, removing the request from memory and leaving the port open and ready to make a new connection. If the connection is a legitimate request, and a final ACK packet is sent from the client machine back to the server, the server will then reconstruct (with some limitations) the SYN backlog queue entry. While this mitigation effort does lose some information about the TCP connection, it is better than allowing denial of service to occur to legitimate users as a result of an attack.
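The SYN cookie strategy just described, encoding what the server needs into the SYN-ACK's sequence number so that no backlog entry is kept and the entry is rebuilt from the client's ACK, is shown below as an added example, not code from the original slides or from any operating system. The secret key, the MSS table, the addresses and the bit layout (5-bit time, 3-bit MSS index, 24-bit keyed hash in a 32-bit sequence number) are constructed for the example; the MSS rounding is the "some limitations" the slide mentions.

```python
"""SYN cookie encode/verify in the style described above. Added example, not
code from the original slides or any kernel: the key, the MSS table, the
addresses and the field layout (5-bit time, 3-bit MSS index, 24-bit keyed
hash in a 32-bit sequence number) are constructed for the example."""
import hashlib
import hmac

MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 9000]  # 3-bit index
COOKIE_MAX_AGE = 4      # accepted age in 64-second ticks (assumed window)
SECRET = b"constructed-secret-key-rotate-in-production"


def _keyed_hash(saddr, sport, daddr, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(mss):
    """Largest table entry not exceeding the client's MSS: this rounding is
    the information the server loses, as the slide notes."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, now_seconds):
    """Server side, on SYN: return the ISN to send in the SYN-ACK. No backlog
    entry is stored; the cookie itself carries what the server needs later."""
    tick = (now_seconds // 64) & 0x1F
    h = _keyed_hash(saddr, sport, daddr, dport, tick)
    return (tick << 27) | (_mss_index(client_mss) << 24) | h


def check_syn_cookie(saddr, sport, daddr, dport, ack_number, now_seconds):
    """Server side, on the final ACK: ack_number - 1 must be a cookie we
    issued for this 4-tuple recently. Returns the reconstructed MSS for the
    backlog entry, or None when the ACK is stale or forged."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    age = (((now_seconds // 64) & 0x1F) - tick) & 0x1F
    if age > COOKIE_MAX_AGE:
        return None                      # too old: drop silently
    expected = _keyed_hash(saddr, sport, daddr, dport, tick)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                      # not issued for this 4-tuple
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """A legitimate client completes the handshake; a forged ACK from another
    source port does not. Returns (mss_for_legitimate_ack, result_for_forged)."""
    s, sp, d, dp = "198.51.100.7", 40000, "10.0.0.5", 80   # constructed
    t = 1_700_000_000
    isn = make_syn_cookie(s, sp, d, dp, 1460, t)           # SYN-ACK sent, nothing kept
    legit = check_syn_cookie(s, sp, d, dp, isn + 1, t + 1)
    forged = check_syn_cookie(s, sp + 1, d, dp, isn + 1, t + 1)
    return legit, forged


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None)
```

A spoofed SYN never produces an ACK, so it costs the server only the hash computation and the SYN-ACK it sends; nothing is held in memory while the attacker's requests go unanswered.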
Mitigation

SYN Cookie

Should I Implement SYN Cookies
• SYN cookies are a simple DDoS defense today, and probably suitable for all Internet hosting, including mail servers and corporate web servers
• Any DDoS attack will simply overrun your Internet connections with volume, since a 100 Mb Ethernet connection is now very small: for example, 500 compromised desktops with an average 200 kb/s of bandwidth each launching an attack will saturate your 100 Mb/s link, and there is nothing you can do
• But a SYN attack can be accomplished with a 2 Mb/s DSL line and is unlikely to overrun your bandwidth (since a SYN packet is 64 bytes)
Alternatives to SYN Cookies
• You don't have to use SYN cookies to defend against a SYN flood, because most modern firewalls will monitor the state table and discard connections once a high-water mark has been reached
• Smarter firewalls will look at SYN packets per second per protocol and start to flag an attack, plus start to purge half-open connections to ensure resource availability
• But they often do not have intelligent routines and may actually discard good TCP sessions (especially with high-volume attacks), and thus cause a degraded service while the attack continues
Ping Flood Attack (cont'd)

Ping Flood (ICMP Flood)
• Attacks can therefore be broken down into three categories, based on the target and how its IP address is resolved
• A targeted local disclosed ping flood targets a single computer on a local network. An attacker needs to have physical access to the computer in order to discover its IP address. A successful attack would result in the target computer being taken down
• A router disclosed ping flood targets routers in order to disrupt communications between computers on a network. It is reliant on the attacker knowing the internal IP address of a local router. A successful attack would result in all computers connected to the router being taken down
• A blind ping flood involves using an external program to uncover the IP address of the target computer or router before executing an attack
• Note that in order for a ping flood to be sustained, the attacking computer must have access to more bandwidth than the victim. This limits the ability to carry out a DoS attack, especially against a large network
• Additionally, a distributed denial of service (DDoS) attack executed with the use of a botnet has a much greater chance of sustaining a ping flood and overwhelming a target's resources

Methods of Mitigation
Smurf Attack

How Does a Smurf Attack Work
• First, the Smurf malware builds a spoofed packet that has its source address set to the real IP address of the targeted victim.
• The packet is then sent to an IP broadcast address of a router or firewall, which in turn sends requests to every host device address inside the broadcasting network, increasing the number of requests by the number of networked devices on the network.
• Each device inside the network receives the request from the broadcaster and then responds to the spoofed address of the target with an ICMP echo reply packet.
• The target victim then receives a deluge of ICMP echo reply packets, potentially becoming overwhelmed and resulting in denial of service to legitimate traffic.
How Can a Smurf Attack Be Mitigated
• Several mitigation strategies for this attack vector have been developed and implemented over the years, and the exploit is largely considered solved. On a limited number of legacy systems, mitigation techniques may still need to be applied
• A simple solution is to disable IP broadcast addresses at each network router and firewall. Older routers are likely to enable broadcasting by default, while newer routers will likely already have it disabled

Fraggle Attack
DNS Flood

Attack Description
• To attack a DNS server with a DNS flood, the attacker runs a script, generally from multiple servers. These scripts send malformed packets from spoofed IP addresses
• Since layer 7 attacks like a DNS flood require no response to be effective, the attacker can send packets that are neither accurate nor even correctly formatted
• The attacker can spoof all packet information, including the source IP, and make it appear that the attack is coming from multiple sources. Randomized packet data also helps offenders to avoid common DDoS protection mechanisms, while also rendering IP filtering (e.g., using Linux iptables) completely useless
• Another common type of DNS flood attack is the DNS NXDOMAIN flood attack, in which the attacker floods the DNS server with requests for records that are nonexistent or invalid
• The DNS server expends all its resources looking for these records, its cache fills with bad requests, and it eventually has no resources to serve legitimate requests
Methods of Mitigation
• Large layer 3 attacks like DNS floods are very difficult for on-premises solutions to mitigate
• Use of cloud security like a WAF
• Configuring a mechanism to limit the number of DNS packets and the rate of packets
• Limit the locations where these DNS packets come from

UDP Amplification
NTP Amplification
• NTP amplification is a type of distributed denial of service (DDoS) attack in which the attacker exploits publicly accessible Network Time Protocol (NTP) servers to overwhelm the target with User Datagram Protocol (UDP) traffic
• Network Time Protocol (NTP) is one of the oldest network protocols, and is used by Internet-connected machines to synchronize their clocks. In addition to clock synchronization, older versions of NTP support a monitoring service that enables administrators to query a given NTP server for a traffic count. This command, called "monlist," sends the requester a list of the last 600 hosts that connected to the queried server
• In the most basic type of NTP amplification attack, an attacker repeatedly sends the "get monlist" request to an NTP server, while spoofing the requesting server's IP address to that of the victim server. The NTP server responds by sending the list to the spoofed IP address.
• This response is considerably larger than the request, amplifying the amount of traffic directed at the target server and ultimately leading to a degradation of service for legitimate requests.
AN NTP AMPLIFICATION ATTACK CAN BE
BROKEN DOWN INTO FOUR STEPS:
• THE ATTACKER USES A BOTNET TO SEND UDP PACKETS WITH SPOOFED
IP ADDRESSES TO AN NTP SERVER WHICH HAS ITS MONLIST COMMAND
ENABLED. THE SPOOFED IP ADDRESS ON EACH PACKET POINTS TO THE
REAL IP ADDRESS OF THE VICTIM.
• EACH UDP PACKET MAKES A REQUEST TO THE NTP SERVER USING ITS
MONLIST COMMAND, RESULTING IN A LARGE RESPONSE
• THE SERVER THEN RESPONDS TO THE SPOOFED ADDRESS WITH THE
RESULTING DATA.
• THE IP ADDRESS OF THE TARGET RECEIVES THE RESPONSE AND THE
SURROUNDING NETWORK INFRASTRUCTURE BECOMES OVERWHELMED
WITH THE DELUGE OF TRAFFIC, RESULTING IN A DENIAL-OF-SERVICE
105
• AS A RESULT OF THE ATTACK TRAFFIC LOOKING LIKE LEGITIMATE TRAFFIC COMING
FROM VALID SERVERS, MITIGATING THIS SORT OF ATTACK TRAFFIC WITHOUT
BLOCKING REAL NTP SERVERS FROM LEGITIMATE ACTIVITY IS DIFFICULT. BECAUSE UDP
PACKETS DO NOT REQUIRE A HANDSHAKE, THE NTP SERVER WILL SEND LARGE
RESPONSES TO THE TARGETED SERVER WITHOUT VERIFYING THAT THE REQUEST IS
AUTHENTIC. THESE FACTS, COUPLED WITH A BUILT-IN COMMAND WHICH BY DEFAULT
SENDS A LARGE RESPONSE, MAKE NTP SERVERS AN EXCELLENT REFLECTION SOURCE
FOR DDOS AMPLIFICATION ATTACKS
106
METHODS OF MITIGATION
107
…
• DISABLE MONLIST - REDUCE THE NUMBER OF NTP SERVERS WHICH SUPPORT THE MONLIST
COMMAND
• A SIMPLE SOLUTION TO PATCHING THE MONLIST VULNERABILITY IS TO DISABLE THE COMMAND. ALL
VERSIONS OF THE NTP SOFTWARE PRIOR TO VERSION 4.2.7 ARE VULNERABLE BY DEFAULT. BY
UPGRADING AN NTP SERVER TO 4.2.7 OR ABOVE, THE COMMAND IS DISABLED, PATCHING THE
VULNERABILITY. IF UPGRADING IS NOT POSSIBLE, FOLLOWING THE US-CERT INSTRUCTIONS WILL
ALLOW A SERVER’S ADMIN TO MAKE THE NECESSARY CHANGES
• SOURCE IP VERIFICATION – STOP SPOOFED PACKETS LEAVING THE NETWORK
• BECAUSE THE UDP REQUESTS BEING SENT BY THE ATTACKER’S BOTNET MUST HAVE A SOURCE IP
ADDRESS SPOOFED TO THE VICTIM’S IP ADDRESS, A KEY COMPONENT IN REDUCING THE
EFFECTIVENESS OF UDP-BASED AMPLIFICATION ATTACKS IS FOR INTERNET SERVICE PROVIDERS (ISPS)
TO REJECT ANY INTERNAL TRAFFIC WITH SPOOFED IP ADDRESSES
• IF A PACKET IS BEING SENT FROM INSIDE THE NETWORK WITH A SOURCE ADDRESS THAT MAKES IT
APPEAR LIKE IT ORIGINATED OUTSIDE THE NETWORK, IT’S LIKELY A SPOOFED PACKET AND CAN BE
DROPPED. CLOUDFLARE HIGHLY RECOMMENDS THAT ALL PROVIDERS IMPLEMENT INGRESS
FILTERING, AND AT TIMES WILL REACH OUT TO ISPS WHO ARE UNKNOWINGLY TAKING PART IN
DDOS ATTACKS (IN VIOLATION OF BCP38) AND HELP THEM REALIZE THEIR VULNERABILITY
108
• THE COMBINATION OF DISABLING MONLIST ON NTP SERVERS AND
IMPLEMENTING INGRESS FILTERING ON NETWORKS WHICH
PRESENTLY ALLOW IP SPOOFING IS AN EFFECTIVE WAY TO STOP THIS
TYPE OF ATTACK BEFORE IT REACHES ITS INTENDED NETWORK
• WITH A PROPERLY CONFIGURED FIREWALL AND SUFFICIENT
NETWORK CAPACITY IT'S TRIVIAL TO BLOCK REFLECTION ATTACKS
SUCH AS NTP AMPLIFICATION ATTACKS
109
DNS AMPLIFICATION ATTACK
114
MITIGATE DNS AMPLIFICATION ATTACK
115
• SOURCE IP VERIFICATION – STOP SPOOFED PACKETS LEAVING THE NETWORK
• BECAUSE THE UDP REQUESTS BEING SENT BY THE ATTACKER’S BOTNET MUST HAVE A
SOURCE IP ADDRESS SPOOFED TO THE VICTIM’S IP ADDRESS, A KEY COMPONENT IN
REDUCING THE EFFECTIVENESS OF UDP-BASED AMPLIFICATION ATTACKS IS FOR
INTERNET SERVICE PROVIDERS (ISPS) TO REJECT ANY INTERNAL TRAFFIC WITH SPOOFED
IP ADDRESSES. IF A PACKET IS BEING SENT FROM INSIDE THE NETWORK WITH A SOURCE
ADDRESS THAT MAKES IT APPEAR LIKE IT ORIGINATED OUTSIDE THE NETWORK, IT’S
LIKELY A SPOOFED PACKET AND CAN BE DROPPED. CLOUDFLARE HIGHLY RECOMMENDS
THAT ALL PROVIDERS IMPLEMENT INGRESS FILTERING, AND AT TIMES WILL REACH OUT
TO ISPS WHO ARE UNKNOWINGLY TAKING PART IN DDOS ATTACKS AND HELP THEM
REALIZE THEIR VULNERABILITY.
116
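The source IP verification described for NTP amplification (slide 108) and repeated here for DNS amplification is the BCP38 rule: a packet leaving a customer network must carry one of that network's own addresses, and a packet arriving from the Internet must not. The following is an added example, not code from the slides or from Cloudflare: the check a provider's customer-facing edge would apply, run over constructed packets. The prefixes, the addresses and the (src, dst, direction) tuple format are assumptions.

```python
"""Added example (not from the slides): a BCP38-style source-address check for a
provider's customer-facing edge. Prefixes, addresses and packet tuples are
constructed assumptions for this demonstration."""
import ipaddress

# Prefixes assigned to the customer network behind this edge (constructed).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def source_is_spoofed(src_ip, direction, prefixes=CUSTOMER_PREFIXES):
    """Decide whether a packet's source address is implausible for its direction.

    'outbound': leaving the customer network. A legitimate source must be one of
    the customer's own addresses; anything else (such as a victim's address) is
    spoofed and is dropped before it can reach an NTP or DNS reflector.
    'inbound': arriving from the Internet. A source inside the customer's own
    prefixes cannot legitimately come from outside, so it is spoofed too.
    """
    ip = ipaddress.ip_address(src_ip)
    inside = any(ip in net for net in prefixes if net.version == ip.version)
    if direction == "outbound":
        return not inside
    if direction == "inbound":
        return inside
    raise ValueError(f"unknown direction {direction!r}")


def filter_packets(packets):
    """Split (src, dst, direction) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        src, _dst, direction = pkt
        (dropped if source_is_spoofed(src, direction) else forwarded).append(pkt)
    return forwarded, dropped


# Constructed traffic at the edge. 192.0.2.53 stands in for an open resolver
# or NTP server on the Internet; 192.0.2.77 stands in for a victim.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.53", "outbound"),          # genuine customer query
    ("192.0.2.77", "192.0.2.53", "outbound"),            # source set to the victim: spoofed
    ("2001:db8:1::10", "2001:db8:ffff::53", "outbound"),  # genuine IPv6 query
    ("192.0.2.53", "203.0.113.10", "inbound"),           # genuine reply from the Internet
    ("203.0.113.10", "203.0.113.20", "inbound"),         # outsider claiming a customer address
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
```

The check is only sound at an edge where the set of legitimate source prefixes is known, which is why the slides place the responsibility on the ISP rather than on the victim: by the time a reflected response arrives at the target, the spoofed request that caused it has already been answered.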
• WITH A PROPERLY CONFIGURED FIREWALL AND SUFFICIENT
NETWORK CAPACITY, IT'S TRIVIAL TO BLOCK REFLECTION ATTACKS
SUCH AS DNS AMPLIFICATION ATTACKS
117
LOW AND SLOW ATTACK
• A LOW AND SLOW ATTACK IS A TYPE OF DOS OR DDOS ATTACK THAT RELIES ON
A SMALL STREAM OF VERY SLOW TRAFFIC WHICH CAN TARGET APPLICATION OR
SERVER RESOURCES
• UNLIKE MORE TRADITIONAL BRUTE-FORCE ATTACKS, LOW AND SLOW ATTACKS
REQUIRE VERY LITTLE BANDWIDTH AND CAN BE HARD TO MITIGATE, AS THEY
GENERATE TRAFFIC THAT IS VERY DIFFICULT TO DISTINGUISH FROM NORMAL
TRAFFIC
• BECAUSE THEY DON’T REQUIRE A LOT OF RESOURCES TO PULL OFF, LOW AND
SLOW ATTACKS CAN BE SUCCESSFULLY LAUNCHED USING A SINGLE COMPUTER;
TWO OF THE MOST POPULAR TOOLS FOR LAUNCHING A LOW AND SLOW
ATTACK ARE CALLED SLOWLORIS AND R.U.D.Y
118
HOW DOES A LOW AND SLOW
ATTACK WORK?
• LOW AND SLOW ATTACKS TARGET THREAD-BASED WEB SERVERS
WITH THE AIM OF TYING UP EVERY THREAD WITH SLOW REQUESTS,
THEREBY PREVENTING GENUINE USERS FROM ACCESSING THE
SERVICE. THIS IS ACCOMPLISHED BY TRANSMITTING DATA VERY
SLOWLY, BUT JUST FAST ENOUGH TO PREVENT THE SERVER FROM
TIMING OUT
119
SIMILARITY
120
….
• ATTACKERS CAN USE HTTP HEADERS, HTTP POST REQUESTS, OR TCP TRAFFIC TO
CARRY OUT LOW AND SLOW ATTACKS. HERE ARE 3 COMMON ATTACK EXAMPLES:
• THE SLOWLORIS TOOL CONNECTS TO A SERVER AND THEN SLOWLY SENDS PARTIAL
HTTP HEADERS. THIS CAUSES THE SERVER TO KEEP THE CONNECTION OPEN SO THAT IT
CAN RECEIVE THE REST OF THE HEADERS, TYING UP THE THREAD.
• ANOTHER TOOL CALLED R.U.D.Y. (R-U-DEAD-YET?) GENERATES HTTP POST REQUESTS TO
FILL OUT FORM FIELDS. IT TELLS THE SERVERS HOW MUCH DATA TO EXPECT, BUT THEN
SENDS THAT DATA IN VERY SLOWLY. THE SERVER KEEPS THE CONNECTION OPEN
BECAUSE IT IS ANTICIPATING MORE DATA
• YET ANOTHER TYPE OF LOW AND SLOW ATTACK IS THE SOCKSTRESS ATTACK, WHICH
EXPLOITS A VULNERABILITY IN THE TCP/IP 3-WAY HANDSHAKE, CREATING AN
INDEFINITE CONNECTION.
121
HOW TO STOP A LOW AND SLOW
ATTACK
• THE RATE DETECTION TECHNIQUES USED TO STOP TRADITIONAL DDOS ATTACKS
WON’T PICK UP ON A LOW AND SLOW ATTACK
• ONE WAY TO MITIGATE A LOW AND SLOW ATTACK IS TO UPGRADE YOUR
SERVER AVAILABILITY; THE MORE CONNECTIONS YOUR SERVER CAN
SIMULTANEOUSLY MAINTAIN, THE MORE DIFFICULT IT WILL BE FOR AN ATTACK TO
CLOG YOUR SERVER. THE PROBLEM WITH THIS APPROACH IS THAT AN ATTACKER
CAN ATTEMPT TO SCALE THEIR ATTACK TO MEET YOUR SERVER’S AVAILABILITY
• ANOTHER SOLUTION IS REVERSE-PROXY BASED PROTECTION, WHICH WILL
MITIGATE LOW AND SLOW ATTACKS BEFORE THEY EVER REACH YOUR ORIGIN
SERVER.
122
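Because the rate detection used against volumetric floods will not see a low and slow attack, the detection has to look at how each connection behaves rather than how much traffic arrives. The following is an added example, not code from the slides or from any server project: a defender-side classifier run over a constructed snapshot of a server's connection table, flagging incomplete requests that are old, slow or idle, and peers holding many of them at once. The connection fields, addresses and thresholds are assumptions.

```python
"""Added example (not from the slides): defender-side detection of connections
that hold a worker thread open while drip-feeding an incomplete request, the
pattern the slides describe for Slowloris and R.U.D.Y. Connection table,
addresses and thresholds are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    peer: str
    opened_at: float        # seconds
    last_byte_at: float     # when the most recent byte arrived
    bytes_received: int
    request_complete: bool  # full headers (and any declared body) received?


def slow_reasons(conn, now, header_deadline=20.0, min_rate_bps=50.0, idle_limit=10.0):
    """Return the reasons an incomplete connection looks like low-and-slow traffic.

    A request still incomplete after `header_deadline` seconds, arriving below
    `min_rate_bps` bytes per second, or silent for `idle_limit` seconds is not
    how a browser behaves; a volume-based detector never notices it because it
    sends almost nothing.
    """
    if conn.request_complete:
        return []
    age = now - conn.opened_at
    reasons = []
    if age > header_deadline:
        reasons.append("incomplete_after_deadline")
    if age > 0 and conn.bytes_received / age < min_rate_bps:
        reasons.append("below_minimum_rate")
    if now - conn.last_byte_at > idle_limit:
        reasons.append("idle")
    return reasons


def detect(conns, now, per_peer_limit=4, **thresholds):
    """Return (connections to close, peers to throttle).

    Individual slow connections are closed to free their threads; a peer holding
    more than `per_peer_limit` of them at once is also a candidate for a
    per-address connection cap.
    """
    to_close = [c for c in conns if slow_reasons(c, now, **thresholds)]
    per_peer = Counter(c.peer for c in to_close)
    throttle = sorted(p for p, k in per_peer.items() if k > per_peer_limit)
    return to_close, throttle


# Constructed snapshot of the server's connection table at t = 60 s.
NOW = 60.0
SAMPLE_CONNS = [
    Conn("198.51.100.7", 58.0, 58.2, 900, True),    # normal completed request
    Conn("198.51.100.8", 59.5, 59.9, 300, False),   # young, still sending headers
] + [
    # one peer holding eight connections, each sending a few bytes every 15 s
    Conn("203.0.113.9", 0.0 + i, 45.0 + i, 12, False) for i in range(8)
]

if __name__ == "__main__":
    close, throttle = detect(SAMPLE_CONNS, NOW)
    print(len(close), "connections to close; peers to throttle:", throttle)
```

The young connection from 198.51.100.8 is left alone on purpose: a deadline that fires on every slow-but-honest client (a mobile link, a large upload) would turn the mitigation into its own denial of service, so the thresholds are meant to be set well above what real clients need. Production web servers expose the same controls directly, for example nginx's client_header_timeout and client_body_timeout or Apache's mod_reqtimeout, and a reverse proxy in front of the origin applies them before a slow connection ever reaches it.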
APPLICATION LAYER DDOS ATTACK
123
HOW DO APPLICATION LAYER ATTACKS
WORK?
• THE UNDERLYING EFFECTIVENESS OF MOST DDOS ATTACKS COMES
FROM THE DISPARITY BETWEEN THE AMOUNT OF RESOURCES IT TAKES
TO LAUNCH AN ATTACK RELATIVE TO THE AMOUNT OF RESOURCES IT
TAKES TO ABSORB OR MITIGATE ONE
• WHILE THIS IS STILL THE CASE WITH L7 ATTACKS, THEY AFFECT BOTH THE
TARGETED SERVER AND THE NETWORK MORE EFFICIENTLY, SO LESS TOTAL
BANDWIDTH IS NEEDED TO ACHIEVE THE SAME DISRUPTIVE EFFECT; AN
APPLICATION LAYER ATTACK CREATES MORE DAMAGE WITH LESS TOTAL
BANDWIDTH
124
• TO EXPLORE WHY THIS IS THE CASE, LET'S TAKE A LOOK AT THE DIFFERENCE IN RELATIVE RESOURCE
CONSUMPTION BETWEEN A CLIENT MAKING A REQUEST AND A SERVER RESPONDING TO THE
REQUEST. WHEN A USER SENDS A REQUEST LOGGING INTO AN ONLINE ACCOUNT SUCH AS A
GMAIL ACCOUNT, THE AMOUNT OF DATA AND RESOURCES THE USER’S COMPUTER MUST UTILIZE
ARE MINIMAL AND DISPROPORTIONATE TO THE AMOUNT OF RESOURCES CONSUMED IN THE
PROCESS OF CHECKING LOGIN CREDENTIALS, LOADING THE RELEVANT USER DATA FROM A
DATABASE, AND THEN SENDING BACK A RESPONSE CONTAINING THE REQUESTED WEBPAGE
• EVEN IN THE ABSENCE OF A LOGIN, MANY TIMES A SERVER RECEIVING A REQUEST FROM A CLIENT
MUST MAKE DATABASE QUERIES OR OTHER API CALLS IN ORDER TO PRODUCE A WEBPAGE. WHEN
THIS DISPARITY IS MAGNIFIED AS A RESULT OF MANY DEVICES TARGETING A SINGLE WEB
PROPERTY LIKE DURING A BOTNET ATTACK, THE EFFECT CAN OVERWHELM THE TARGETED SERVER,
RESULTING IN DENIAL-OF-SERVICE TO LEGITIMATE TRAFFIC. IN MANY CASES SIMPLY TARGETING AN
API WITH A L7 ATTACK IS ENOUGH TO TAKE THE SERVICE OFFLINE
125
WHY IS IT DIFFICULT TO STOP
APPLICATION LAYER DDOS ATTACKS?
• DISTINGUISHING BETWEEN ATTACK TRAFFIC AND NORMAL TRAFFIC IS DIFFICULT,
ESPECIALLY IN THE CASE OF AN APPLICATION LAYER ATTACK SUCH AS A BOTNET
PERFORMING AN HTTP FLOOD ATTACK AGAINST A VICTIM’S SERVER. BECAUSE EACH
BOT IN A BOTNET MAKES SEEMINGLY LEGITIMATE NETWORK REQUESTS, THE
TRAFFIC IS NOT SPOOFED AND MAY APPEAR “NORMAL” IN ORIGIN
• APPLICATION LAYER ATTACKS REQUIRE AN ADAPTIVE STRATEGY INCLUDING THE
ABILITY TO LIMIT TRAFFIC BASED ON PARTICULAR SETS OF RULES, WHICH MAY
FLUCTUATE REGULARLY. TOOLS SUCH AS A PROPERLY CONFIGURED WAF CAN
MITIGATE THE AMOUNT OF BOGUS TRAFFIC THAT IS PASSED ON TO AN ORIGIN
SERVER, GREATLY DIMINISHING THE IMPACT OF THE DDOS ATTEMPT.
126
MITIGATE APPLICATION LAYER ATTACKS
• HTTP FLOOD IS A TYPE OF DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK IN WHICH THE
ATTACKER EXPLOITS SEEMINGLY-LEGITIMATE HTTP GET OR POST REQUESTS TO ATTACK A WEB
SERVER OR APPLICATION
• HTTP FLOOD ATTACKS ARE VOLUMETRIC ATTACKS, OFTEN USING A BOTNET “ZOMBIE ARMY”—A
GROUP OF INTERNET-CONNECTED COMPUTERS, EACH OF WHICH HAS BEEN MALICIOUSLY TAKEN
OVER, USUALLY WITH THE ASSISTANCE OF MALWARE LIKE TROJAN HORSES
• AS A SOPHISTICATED LAYER 7 ATTACK, HTTP FLOODS DO NOT USE MALFORMED PACKETS, SPOOFING
OR REFLECTION TECHNIQUES, AND REQUIRE LESS BANDWIDTH THAN OTHER ATTACKS TO BRING
DOWN THE TARGETED SITE OR SERVER
• AS SUCH, THEY DEMAND MORE IN-DEPTH UNDERSTANDING ABOUT THE TARGETED SITE OR
APPLICATION, AND EACH ATTACK MUST BE SPECIALLY-CRAFTED TO BE EFFECTIVE. THIS MAKES HTTP
FLOOD ATTACKS SIGNIFICANTLY HARDER TO DETECT AND BLOCK
128
129
ATTACK DESCRIPTION
• WHEN AN HTTP CLIENT LIKE A WEB BROWSER “TALKS” TO AN APPLICATION OR SERVER, IT SENDS
AN HTTP REQUEST – GENERALLY ONE OF TWO TYPES OF REQUESTS: GET OR POST. A GET REQUEST
IS USED TO RETRIEVE STANDARD, STATIC CONTENT LIKE IMAGES WHILE POST REQUESTS ARE USED
TO ACCESS DYNAMICALLY GENERATED RESOURCES
• THE ATTACK IS MOST EFFECTIVE WHEN IT FORCES THE SERVER OR APPLICATION TO ALLOCATE THE
MAXIMUM RESOURCES POSSIBLE IN RESPONSE TO EACH SINGLE REQUEST. THUS, THE PERPETRATOR
WILL GENERALLY AIM TO INUNDATE THE SERVER OR APPLICATION WITH MULTIPLE REQUESTS THAT
ARE EACH AS PROCESSING-INTENSIVE AS POSSIBLE
• FOR THIS REASON HTTP FLOOD ATTACKS USING POST REQUESTS TEND TO BE THE MOST
RESOURCE-EFFECTIVE FROM THE ATTACKER’S PERSPECTIVE, AS POST REQUESTS MAY INCLUDE
PARAMETERS THAT TRIGGER COMPLEX SERVER-SIDE PROCESSING. ON THE OTHER HAND, HTTP GET-
BASED ATTACKS ARE SIMPLER TO CREATE, AND CAN MORE EFFECTIVELY SCALE IN
A BOTNET SCENARIO
130
THERE ARE TWO VARIETIES OF HTTP
FLOOD ATTACKS:
• HTTP GET ATTACK - IN THIS FORM OF ATTACK, MULTIPLE COMPUTERS OR OTHER
DEVICES ARE COORDINATED TO SEND MULTIPLE REQUESTS FOR IMAGES, FILES, OR
SOME OTHER ASSET FROM A TARGETED SERVER. WHEN THE TARGET IS INUNDATED
WITH INCOMING REQUESTS AND RESPONSES, DENIAL-OF-SERVICE WILL OCCUR TO
ADDITIONAL REQUESTS FROM LEGITIMATE TRAFFIC SOURCES.
• HTTP POST ATTACK - TYPICALLY WHEN A FORM IS SUBMITTED ON A WEBSITE, THE
SERVER MUST HANDLE THE INCOMING REQUEST AND PUSH THE DATA INTO A
PERSISTENCE LAYER, MOST OFTEN A DATABASE. THE PROCESS OF HANDLING THE FORM
DATA AND RUNNING THE NECESSARY DATABASE COMMANDS IS RELATIVELY INTENSIVE
COMPARED TO THE AMOUNT OF PROCESSING POWER AND BANDWIDTH REQUIRED TO
SEND THE POST REQUEST. THIS ATTACK UTILIZES THE DISPARITY IN RELATIVE RESOURCE
CONSUMPTION, BY SENDING MANY POST REQUESTS DIRECTLY TO A TARGETED SERVER
UNTIL ITS CAPACITY IS SATURATED AND DENIAL-OF-SERVICE OCCURS
131
METHODS OF MITIGATION
• HTTP FLOOD ATTACKS ARE VERY DIFFICULT TO DIFFERENTIATE FROM VALID TRAFFIC BECAUSE THEY USE STANDARD URL
REQUESTS. THIS MAKES THEM ONE OF THE MOST ADVANCED NON-VULNERABILITY SECURITY CHALLENGES FACING SERVERS
AND APPLICATIONS TODAY
• TRADITIONAL RATE-BASED DETECTION IS INEFFECTIVE IN DETECTING HTTP FLOOD ATTACKS, SINCE TRAFFIC VOLUME IN HTTP
FLOODS IS OFTEN UNDER DETECTION THRESHOLDS
• THE MOST HIGHLY-EFFECTIVE MITIGATION MECHANISMS RELY ON A COMBINATION OF TRAFFIC PROFILING METHODS,
INCLUDING IDENTIFYING IP REPUTATION, KEEPING TRACK OF ABNORMAL ACTIVITY AND EMPLOYING PROGRESSIVE SECURITY
CHALLENGES (E.G., ASKING THE CLIENT TO PARSE JAVASCRIPT). ONE METHOD IS TO IMPLEMENT A CHALLENGE TO THE REQUESTING
MACHINE IN ORDER TO TEST WHETHER OR NOT IT IS A BOT, MUCH LIKE A CAPTCHA TEST COMMONLY FOUND WHEN
CREATING AN ACCOUNT ONLINE. BY GIVING A REQUIREMENT SUCH AS A JAVASCRIPT COMPUTATIONAL CHALLENGE, MANY
ATTACKS CAN BE MITIGATED
• ANOTHER SOLUTION RELIES ON A UNIQUE CLIENT CLASSIFICATION ENGINE THAT ANALYZES AND CLASSIFIES ALL INCOMING
SITE TRAFFIC. THIS ANTI-DDOS SOLUTION IS SPECIFICALLY DESIGNED TO TRANSPARENTLY IDENTIFY MALICIOUS BOT TRAFFIC—
STOPPING ALL HTTP FLOODS AND OTHER APPLICATION LAYER (OSI LAYER 7) DDOS ATTACKS
• OTHER AVENUES FOR STOPPING HTTP FLOODS INCLUDE THE USE OF A WEB APPLICATION FIREWALL (WAF), MANAGING AN IP
REPUTATION DATABASE IN ORDER TO TRACK AND SELECTIVELY BLOCK MALICIOUS TRAFFIC, AND ON-THE-FLY ANALYSIS BY
ENGINEERS
132
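The progressive computational challenge mentioned above works because it inverts the resource asymmetry of an HTTP flood: the server spends one hash to verify a solution, while each client must spend thousands to produce one. The following is an added example, not code from the slides or from any mitigation vendor: the server side of such a challenge in Python. The server hands out a self-describing, HMAC-authenticated challenge; the client (normally JavaScript in the browser, simulated here by `solve`) must find a nonce whose SHA-256 with the challenge has `difficulty` leading zero bits; a valid solution earns a short-lived signed clearance token bound to the client address. The key handling, token format, function names and parameters are assumptions.

```python
"""Added example (not from the slides): a progressive computational challenge
for HTTP flood mitigation, with an HMAC-signed clearance token issued once a
client has solved one. Key handling, token format and parameters are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

SERVER_KEY = os.urandom(32)  # constructed; in practice a managed, rotated secret


def _mac(data: str) -> str:
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).hexdigest()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the proof-of-work measure)."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        return bits + 8 - b.bit_length()
    return bits


def issue_challenge(client_ip, difficulty=12, now=None):
    """Challenge is self-describing and authenticated, so the server stores nothing."""
    now = int(time.time() if now is None else now)
    body = f"{client_ip}|{now}|{difficulty}|{secrets.token_hex(8)}"
    return body, _mac(body)


def solve(challenge):
    """Client side (what the JavaScript would do): brute-force the smallest nonce."""
    difficulty = int(challenge.split("|")[2])
    nonce = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()) < difficulty:
        nonce += 1
    return nonce


def verify_solution(challenge, tag, nonce, client_ip, max_age=120, now=None):
    """Server side: check the tag, the address binding, freshness, then the work."""
    now = int(time.time() if now is None else now)
    if not hmac.compare_digest(tag, _mac(challenge)):
        return False  # forged or altered challenge
    ip, issued, difficulty, _seed = challenge.split("|")
    if ip != client_ip or now - int(issued) > max_age:
        return False  # replayed from another address, or too old
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= int(difficulty)


def issue_clearance(client_ip, ttl=600, now=None):
    """After one solved challenge the client is waved through for `ttl` seconds."""
    now = int(time.time() if now is None else now)
    body = f"{client_ip}|{now + ttl}"
    return f"{body}|{_mac(body)}"


def check_clearance(token, client_ip, now=None):
    """Accept a clearance token only if unmodified, for this address, and unexpired."""
    now = int(time.time() if now is None else now)
    try:
        ip, expiry, tag = token.split("|")
    except ValueError:
        return False
    return (hmac.compare_digest(tag, _mac(f"{ip}|{expiry}"))
            and ip == client_ip and now <= int(expiry))
```

The challenge is only one stage of a progressive policy: a request with a valid clearance token passes straight through, a request without one from a source whose reputation or request rate looks off is given a challenge, and difficulty can be raised for sources that keep misbehaving. Binding the token to the client address keeps one solved puzzle from being shared across a botnet, and the time-limited HMAC keeps the server stateless.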
CONTENTS
• INTRODUCTION
• FLOODING ATTACKS
• CONCLUSION
133
DISTRIBUTED DENIAL-OF-SERVICE
134
DDOS CONTROL HIERARCHY
Trojan Program
135
CONTENTS
• INTRODUCTION
• CLASSICAL DOS ATTACKS
• FLOODING ATTACKS
• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)
• HOW DDOS ATTACKS ARE WAGED?
• REFLECTOR AND AMPLIFIER ATTACKS
• OTHER DOS ATTACKS
• (D)DOS ATTACK TRENDS
• DETECTING DOS ATTACKS
• APPROACHES TO DEFENSE AGAINST DOS
• RESPONDING TO A DOS ATTACK
• CONCLUSION
136
HOW DDOS ATTACKS ARE WAGED?
137
Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
RECRUITMENT OF THE AGENT
NETWORK
• SCANNING
• BREAKING INTO VULNERABLE MACHINES
• MALWARE PROPAGATION
138
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
SCANNING
139
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
SCANNING USING IRC BOT
140
141
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
SCANNING USING WORMS CONT’D ….
142
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
BREAKING INTO VULNERABLE
MACHINES
143
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
MALWARE PROPAGATION
144
Source: www.cert.org/archive/pdf/DoS_trends.pdf
MALWARE PROPAGATION METHODS
CONT’D….
TFTP
• BACK CHAINING/PULL APPROACH
• AUTONOMOUS/PUSH APPROACH
145
Source: www.cert.org/archive/pdf/DoS_trends.pdf
CONTROLLING DDOS AGENT
NETWORK
• ATTACKER COMMUNICATES WITH AGENTS USING “MANY-TO-MANY”
COMMUNICATION TOOLS
• TWOFOLD PURPOSE FOR ATTACKER
• TO COMMAND THE BEGINNING/ENDING AND SPECIFICS OF ATTACK
• TO GATHER STATISTICS ON AGENT BEHAVIOUR
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DIRECT COMMANDS CONTROL
147
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DRAWBACKS OF DIRECT
COMMAND CONTROL
• IF ONE MACHINE IS CAPTURED, THE WHOLE DDOS NETWORK COULD
BE IDENTIFIED
• ANY ANOMALOUS EVENT ON NETWORK MONITOR COULD BE EASILY
SPOTTED
• BOTH HANDLERS AND AGENTS NEED TO BE READY ALWAYS TO
RECEIVE MESSAGES
• OPENING PORTS AND LISTENING TO THEM
• EASILY CAUGHT
148
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
INDIRECT COMMAND CONTROL
149
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
ADVANTAGES OF IRC TO ATTACKER
150
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DDOS ATTACK TOOLKITS
151
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DDOS ATTACK TOOLKITS CONT’D ….
152
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
CONTENTS
• INTRODUCTION
• FLOODING ATTACKS
• CONCLUSION
153
REFLECTOR AND AMPLIFIER ATTACKS
154
REFLECTION ATTACKS
155
REFLECTION ATTACK USING TCP/SYN
156
FURTHER VARIATION
157
AMPLIFICATION ATTACKS
158
AMPLIFICATION ATTACKS POSSIBILITIES
159
DEFENSE FROM AMPLIFICATION ATTACK
• IF THE INTERMEDIARY DOES NOT FILTER THIS BROADCAST TRAFFIC, MANY OF THE MACHINES ON
THE NETWORK WOULD RECEIVE AND RESPOND TO THESE SPOOFED PACKETS
• WHEN THE ENTIRE NETWORK RESPONDS, A SUCCESSFUL SMURF DOS HAS BEEN PERFORMED ON THE
TARGET NETWORK
161
Source: http://www.cert.org/advisories/CA-1998-01.html
DNS AMPLIFICATION ATTACKS
• SENDING DNS REQUESTS WITH SPOOFED SOURCE ADDRESS BEING THE TARGET
TO THE CHOSEN SERVERS
• ATTACKER SENDS REQUESTS TO MULTIPLE WELL CONNECTED SERVERS, WHICH
FLOOD TARGET
• MODERATE FLOW OF PACKETS FROM ATTACKER IS SUFFICIENT
• TARGET OVERWHELMED WITH AMPLIFIED RESPONSES FROM SERVER
162
CONTENTS
• INTRODUCTION
• FLOODING ATTACKS
• CONCLUSION
163
TEARDROP
• THIS DOS ATTACK AFFECTS WINDOWS 3.1, 95 AND NT MACHINES AND LINUX VERSIONS PRIOR
TO 2.0.32 AND 2.1.63
• TEARDROP IS A PROGRAM THAT SENDS IP FRAGMENTS TO A MACHINE CONNECTED TO THE
INTERNET OR A NETWORK
• TEARDROP EXPLOITS AN OVERLAPPING IP FRAGMENT BUG
• THE BUG CAUSES THE TCP/IP FRAGMENTATION RE-ASSEMBLY CODE TO IMPROPERLY HANDLE
OVERLAPPING IP FRAGMENTS
• 4000 BYTES OF DATA ARE SENT AS
• LEGITIMATELY (BYTES 1-1500) (BYTES 1501-3000) (BYTES 3001-4500)
• OVERLAPPING (BYTES 1-1500) (BYTES 1501-3000) (BYTES 1001-3600)
• THIS ATTACK HAS NOT BEEN SHOWN TO CAUSE ANY SIGNIFICANT DAMAGE TO SYSTEMS
• THE PRIMARY PROBLEM WITH THIS IS LOSS OF DATA
164
Source: Fadia (2007)
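The defence against the overlapping-fragment bug described above is for the reassembly code to check fragment byte ranges against each other before trusting their lengths. The following is an added example, not code from the slides or from any kernel: an overlap detector over (first_byte, last_byte) fragment ranges, exercised with the two fragment sets the slide lists. The conservative "drop the whole datagram on overlap" policy in `reassemble` is one possible response, chosen for this illustration.

```python
"""Added example (not from the slides): an overlap check that a fragment
reassembler can apply before copying fragment payloads, using the byte ranges
the Teardrop slide gives. Ranges are (first_byte, last_byte), inclusive."""


def find_overlaps(fragments):
    """Return (frag_a, frag_b, overlap_bytes) for every pair of fragments whose
    byte ranges intersect. Fragments are sorted by first byte, so the inner
    loop can stop as soon as a later fragment starts past the current one."""
    overlaps = []
    frags = sorted(fragments)
    for i, (a_start, a_end) in enumerate(frags):
        for b_start, b_end in frags[i + 1:]:
            if b_start > a_end:
                break  # every remaining fragment starts even later
            lo, hi = max(a_start, b_start), min(a_end, b_end)
            if lo <= hi:
                overlaps.append(((a_start, a_end), (b_start, b_end), hi - lo + 1))
    return overlaps


def reassemble(fragments):
    """Conservative policy for this example: refuse any datagram whose fragments
    overlap, instead of letting a later fragment rewrite bytes already placed.
    Returns the reassembled payload length on success."""
    if find_overlaps(fragments):
        raise ValueError("overlapping IP fragments, dropping datagram")
    return sum(end - start + 1 for start, end in fragments)


# The two fragment sets from the slide.
LEGITIMATE = [(1, 1500), (1501, 3000), (3001, 4500)]
TEARDROP = [(1, 1500), (1501, 3000), (1001, 3600)]

if __name__ == "__main__":
    print("legitimate overlaps:", find_overlaps(LEGITIMATE))
    print("teardrop overlaps:", find_overlaps(TEARDROP))
```

For the slide's overlapping set the third fragment collides with both earlier ones (500 bytes with the first, 1500 with the second), which is exactly the condition a length calculation that assumes non-overlapping fragments gets wrong.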
CYBERSLAM
165
Source: Kandula (2005)
TECHNIQUES TO COUNTER CYBERSLAM
• PASSWORD AUTHENTICATION
• CUMBERSOME TO MANAGE FOR A SITE LIKE GOOGLE
• ATTACKER MIGHT SIMPLY DDOS THE PASSWORD CHECKING MECHANISM
• COMPUTATIONAL PUZZLES
• COMPUTATION BURDEN QUITE HEAVY COMPARED TO SERVICE PROVIDED
• GRAPHICAL PUZZLES
• KILL-BOTS SUGGESTED IN [KANDULA 2005]
166
Source: Kandula (2005)
ATTACK TREE: DOS AGAINST DNS
167
HOW TO PROTECT DNS FROM (D)DOS ?
168
Source: Cheung (2006)
CONTENTS
• INTRODUCTION
• FLOODING ATTACKS
• CONCLUSION
169
DOS DETECTION TECHNIQUES
170
Source: Carl (2006)
VULNERABILITY ATTACK DETECTION
TECHNIQUES
DETECTION TECHNIQUES CAN BE INSTALLED LOCALLY OR REMOTELY
• LOCALLY: DETECTORS PLACED AT THE POTENTIAL VICTIM RESOURCE OR AT A
ROUTER OR FIREWALL WITHIN THE VICTIM’S SUBNETWORK
• REMOTELY: TO DETECT PROPAGATING ATTACKS
171
Source: Cheung (2006)
STATISTICAL DETECTION METHODS
• WAVELET ANALYSIS
• CUSUM AND WAVELET APPROACHES
172
Source: Cheung (2006)
BACKSCATTER
173
http://www.caida.org/data/passive/network_telescope.xml
BACKSCATTER CONT’D ….
174
Source: Moore (2006)
BACKSCATTER ANALYSIS
• BACKSCATTER ANALYSIS IS USED TO QUANTIFY THE PREVALENCE OF DOS ATTACKS AND IDENTIFY THE
TYPE OF ATTACK
• ASSUMPTIONS:
• ADDRESS UNIFORMITY
• RELIABLE DELIVERY
• ONE RESPONSE GENERATED FOR EVERY PACKET IN AN ATTACK
• BACKSCATTER HYPOTHESIS
• UNSOLICITED PACKETS OBSERVED BY THE MONITOR REPRESENT BACKSCATTER
175
Source: Moore (2006)
QUANTIFICATION USING BACKSCATTER
Network Telescope: Monitoring block of n IP addresses
Probability of a given host receiving at least one unsolicited response from victim during an attack of m packets
Probability of n hosts receiving at least one unsolicited response from victim during an attack of m packets
Expected # of backscatter packets given an attack of m packets at a single host
Expected # of backscatter packets given an attack of m packets at n hosts
Average arrival rate of unsolicited responses
(R’ is the measured avg. inter-arrival backscatter rate; R is the extrapolated attack rate in pps)
176
Moore (2006)
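The slide lists the quantities without their formulas. As an added worked example, not taken from the slides, the following works them out under the slide's own assumptions (address uniformity, i.e. spoofed source addresses drawn uniformly from the 2^32 IPv4 addresses; reliable delivery; one response per attack packet), in Python so the extrapolation from a measured backscatter rate R' to an attack rate R can be run on numbers. The telescope size and measured rate used in the demonstration are constructed.

```python
"""Added example (not from the slides): the backscatter quantities listed on the
slide, under its assumptions of uniformly random spoofed sources over the 2^32
IPv4 space, reliable delivery and one response per attack packet. Telescope
size and measured rate below are constructed."""
ADDRESS_SPACE = 2 ** 32


def p_host_hit(m):
    """Probability that one given monitored host receives at least one
    unsolicited response during an attack of m packets: each packet picks
    this host with probability 1/2^32, independently."""
    return 1 - (1 - 1 / ADDRESS_SPACE) ** m


def p_telescope_hit(n, m):
    """Probability that at least one of n monitored hosts receives a response:
    each packet lands in the monitored block with probability n/2^32."""
    return 1 - (1 - n / ADDRESS_SPACE) ** m


def expected_backscatter(n, m):
    """Expected backscatter packets at n hosts from an m-packet attack
    (n*m/2^32; with n = 1 this is the single-host case)."""
    return n * m / ADDRESS_SPACE


def extrapolate_attack_rate(r_prime, n):
    """From the measured backscatter rate R' (pps) at a block of n addresses,
    estimate the attack rate R: inverting E = n*m/2^32 per unit time gives
    R >= R' * 2^32 / n. It is a lower bound because any response the
    telescope fails to see, or any victim that does not answer every
    packet, only makes the true rate larger."""
    return r_prime * ADDRESS_SPACE / n


if __name__ == "__main__":
    n = 2 ** 24  # constructed: a /8 telescope
    print("E[backscatter] for a 1M-packet attack:", expected_backscatter(n, 10 ** 6))
    print("attack rate for 100 pps of backscatter:", extrapolate_attack_rate(100.0, n))
```

The factor 2^32/n is what makes a large telescope valuable: with a /8 block (n = 2^24) every observed backscatter packet per second corresponds to roughly 256 attack packets per second at the victim, and a /16 telescope would need 256 times more observation time for the same confidence.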
WHAT TYPES OF MACHINES ARE
ATTACKED?
177
Moore (2006)
CONTENTS
• INTRODUCTION
• FLOODING ATTACKS
• CONCLUSION
178
DEFENSES AGAINST DOS ATTACKS
179
ATTACK PREVENTION
180
ATTACK PREVENTION CONT’D ….
• BLOCK IP BROADCASTS
• BLOCK SUSPICIOUS SERVICES & COMBINATIONS
• MANAGE APPLICATION ATTACKS WITH “PUZZLES” TO DISTINGUISH
LEGITIMATE HUMAN REQUESTS
• GOOD GENERAL SYSTEM SECURITY PRACTICES
• USE MIRRORED AND REPLICATED SERVERS WHEN HIGH PERFORMANCE
AND RELIABILITY REQUIRED
181
OCTOBER 2009
182
RESPONDING TO ATTACKS
183
RESPONDING TO ATTACKS CONT’D ….
184
CONTENTS
• INTRODUCTION
• FLOODING ATTACKS
• CONCLUSION
185
CONCLUSION
• DDOS ATTACKS ARE SIGNIFICANT THREATS TO THE FUTURE GROWTH AND STABILITY OF THE INTERNET
186
THANK YOU!
QUESTIONS ?
187