Date posted: 16-Jan-2016
Chapter 10
Denial of Service Attacks

Overview
- 1990s: Ping of Death, Smurf, etc.
  – Crashed individual machines
  – Corrected with patches
- 2000
  – DDoS (Distributed Denial of Service)
  – Extortion
  – Zombie networks
- 2008
  – Link Ch 10c

Common DoS Attack Techniques

Old-School DoS: Vulnerabilities
- Oversized packets
  – Ping of Death: a packet larger than 65,535 bytes
- Fragmentation overlap
  – Sending TCP/IP fragments that cannot be properly reassembled
  – Attacks: teardrop, bonk, boink, and nestea

Old-School DoS: Vulnerabilities
- Loopback floods
  – Sends data back to the echo service, or
  – Sends TCP/IP packets with the same source and destination address
  – Creating an endless loop
  – Attacks: Land and LaTierra
- Nukers
  – Sent out-of-band (OOB) packets (TCP segments with the URG bit set) to a system, causing it to crash

Old-School DoS: Vulnerabilities
- Extreme fragmentation
  – Forces the target to waste time reassembling packets
  – Attack: Jolt2
- NetBIOS/SMB
  – Buffer overflows and other issues
- Combos
  – Send many DoS attacks at once
  – Attacks: targa and datapool

Old-School DoS: Countermeasures
- Operating system patches have fixed these vulnerabilities
- This type of threat is less important now

Modern DoS: Capacity Depletion

Infrastructure-Layer DoS
- SYN floods
  – Attacker sends SYN packets to a listening port, with a forged source address of a nonexistent system
  – Target sends back SYN/ACK packets and maintains half-open connections until it times out (75 sec. to 23 minutes)
  – This consumes resources (like RAM) on the target, often more than an established connection

Effects of the SYN Flood
- Can completely stop a vulnerable server, even if the attacker has low bandwidth
- Stealthy: no packets have a source address that leads back to the attacker
- SYN floods are still the primary capacity depletion method

SYN Flood Demo
- Win 98 target
- Ubuntu attacker

UDP Floods
- UDP is connectionless, so there is no handshake
- Sending a lot of UDP packets burdens a system, but not as much as a SYN flood
- UDP floods are rarely used
  – UDPFlood tool at link Ch 10a

Amplification: Smurf and Fraggle
- Send pings to a broadcast address
  – Ending in .255 (for a class C network)
- Put the victim as the source address
- Many replies go to the victim
- Fraggle uses UDP packets instead, resulting in many ICMP Echo packets
- Not common anymore, because directed IP broadcasts are usually blocked now

Distributed Denial of Service (DDoS)
- Poorly protected and unpatched systems under the control of a botmaster are called
  – Zombies or DDoS Clients or Bots
- Early clients were Tribe Flood Network, Trinoo, and Stacheldraht
- Most bots use IRC for Command & Control

DDoS Clients and Bots
- Tribe Flood Network (TFN)
  – First Linux/UNIX-based distributed denial of service tool
  – Found mostly on Solaris and Red Hat computers
  – Could be used for ICMP, Smurf, UDP, and SYN floods
  – In addition to the attacking components of TFN, the product allows for a root shell bound to a TCP port

DDoS Clients and Bots
- Trinoo
  – Similar to TFN
  – Uses UDP ports 27444 & 31335
- WinTrinoo
  – Windows version of Trinoo
  – Trojan, named service.exe
  – Adds itself to the Run registry key to autostart
  – Uses TCP and UDP port 34555

DDoS Clients and Bots
- Stacheldraht
  – Combines TFN and Trinoo
  – Encrypted telnet session between the slaves and the masters
  – Uses a combination of TCP and ICMP (ECHO reply) packets for Command & Control (client-server communication)
  – Can be remotely upgraded

DDoS Clients and Bots
- TFN2K
  – Successor to TFN
  – Uses random ports for communication, so it can't be stopped by blocking ports
  – Uses weak encryption (Base-64 encoding), so it can't be stopped by a network-based IDS

Application-Layer DoS
- Not in book
- From Hacktics presentation at OWASP (link Ch 10d)

Application-Layer DoS
- Find small requests that consume a lot of server resources
- Much easier for the attacker than DDoS
- DoS can be achieved in various ways:
  – Application crashing
  – Data destruction
  – Resource depletion: memory, CPU, bandwidth, disk space

Application Crashing
- Send an input that causes an error in the application, causing it to crash
  – Buffer overflows
  – Malformed data, causing a parser exception
  – Terminating with error
  – SQL Injection (; shutdown --)

Data Destruction
- One way to cause a DoS attack is by tampering with the data instead of the service itself
- If a site is vulnerable to SQL Injection, for instance, it may be possible to DELETE all data from all tables
- Although the Web site will keep being 'online', it will actually be useless without the information from the database

Data Destruction – Example
- Intentional user lock
  – Any web application login page
  – Taking advantage of the application security mechanisms to cause DoS by abusing the login failure user lock mechanism
  – Intentionally failing multiple login attempts with each possible username will eventually result in DoS, since all the application users will be locked

Resource Depletion
- Classical resource depletion simply utilizes very large amounts of target resources
- Sophisticated attacks pinpoint the weak points of the application to achieve maximum effect

Resource Depletion Examples
- CPU consumption
  – On a large forum
  – Create a complicated regular expression search
  – Use a script to launch the search over and over

Resource Depletion Examples
- CPU consumption: the SQL Injection version
  – When SQL Injection is possible, it can be used for DoS even without permissions to Shutdown or Delete
  – Creating very intense nested queries does the trick:

Resource Depletion Examples
- Memory consumption
  – Attack Web mail
  – Upload thousands of attachments, but never send them
- Disk consumption
  – Send a request that generates a large log record, try to fill the system disk
- Network consumption
  – Send requests with large results (display all items)

Real-World Result
- Hacktics, a security company, brought down a large corporate network with just three laptops in an authorized test
  – Global company with branches in Israel, Europe and the USA
  – Internet connectivity: 3x50Mbps lines with load balancing. ISPs provide Cisco (Riverhead) based anti-DDoS solutions
  – High security network, 30+ Web servers, backend servers, mail relay, databases

Hacktics Results
- DoS was successful against all systems but one
- Two applications crashed completely after only a few dozen requests
- Most other applications stopped responding after 5-15 minutes of script execution from up to three laptops (though with most a single laptop was sufficient)
- Main cause of DoS was CPU exhaustion

Application-Layer DoS Countermeasures
- At the code level
  – Perform thorough input validation. Expect the worst!
  – Avoid highly CPU-consuming operations
  – Avoid creating bottlenecks
  – Avoid operations which must wait for completion of large tasks to proceed
  – Split operations into chunks
  – Set timeout timers for unreasonable time

Application-Layer DoS Countermeasures
- At the deployment level
  – Prepare for performance peaks: more load balancing, caching
  – Always separate the data disks from the system disks

DoS Countermeasures

Practical Goals
- DoS cannot be fully prevented
- The goal of DoS mitigation is to maintain the best level of service for the largest number of customers
- Security is defined as protecting
  – Confidentiality, Integrity, and Availability
- DoS attacks Availability, which is less valued politically in organizations

DoS Politics
- Increasing availability is not seen as primarily a security issue
  – More a capacity and infrastructure issue
  – More servers, bandwidth, etc.
- Application-layer DoS is new, and application designers are often unaware of it, and don't plan for it

Anti-DoS Products
- Cisco Guard
  – Formerly from Riverhead
  – Has a multi-layer defense system to stop DDoS attacks
  – Link Ch 10e
- Top Layer and Juniper sell anti-DDoS devices also

SYN Cookies
- Instead of maintaining a list of half-open connections in RAM
  – A server chooses an Initial Sequence Number using a cryptographic function and a secret key
  – So the server can deduce from the ACK what the SYN must have been
- This makes servers much less susceptible to SYN floods
- Used in some anti-DDoS devices
  – Link Ch 10f
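An added illustration of the SYN cookie idea on the slide above (example code written for this page, not from the slides or any kernel): the server packs a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection 4-tuple into the Initial Sequence Number, keeps no half-open state, and rebuilds everything it needs from the client's ACK. The secret, the MSS table, the 64-second tick and the sample addresses are all constructed assumptions.

```python
import hmac
import hashlib
import time

# Constructed server secret (a real server rotates this; it never leaves the host)
SECRET = b"example-syn-cookie-secret"
# MSS values the cookie can encode in its 3-bit index field (only 4 entries used here)
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64          # the time counter advances once per tick
MAX_AGE_TICKS = 2          # accept cookies minted in the current or previous two ticks

def _tick(now):
    return int((time.time() if now is None else now) // TICK_SECONDS)

def _mac24(src_ip, src_port, dst_ip, dst_port, t5):
    """24-bit keyed hash over the connection 4-tuple and the 5-bit time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t5}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now=None):
    """ISN for the SYN/ACK: 5 bits time | 3 bits MSS index | 24 bits MAC.
    Nothing is stored: the ISN itself carries what the server needs later."""
    t5 = _tick(now) & 0x1F
    # largest table entry that does not exceed what the client offered
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t5 << 27) | (idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t5)

def check_syn_cookie(ack, src_ip, src_port, dst_ip, dst_port, now=None):
    """Validate the ACK of the third handshake packet.
    Returns the MSS to use for the new connection, or None if the ACK is not
    the continuation of a SYN/ACK this server sent to this client recently."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acks our ISN + 1
    t5 = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if (_tick(now) - t5) % 32 > MAX_AGE_TICKS:   # stale, or from the future
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, t5)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]

def flood_then_legit(n_forged, now=1_000.0):
    """Simulate n_forged SYNs from forged sources followed by one real client
    completing the handshake. Returns (half_open_entries, accepted_mss)."""
    half_open = []                       # a cookie server never adds to this
    for i in range(n_forged):
        make_syn_cookie(f"203.0.113.{i % 250 + 1}", 40000 + i, "198.51.100.10", 80, 1460, now)
        # nothing appended: no per-SYN state, so RAM does not grow with the flood
    isn = make_syn_cookie("192.0.2.77", 51234, "198.51.100.10", 80, 1460, now)
    mss = check_syn_cookie(isn + 1, "192.0.2.77", 51234, "198.51.100.10", 80, now)
    return len(half_open), mss
```

The price of statelessness is visible in the code: only a handful of MSS values survive the round trip, and an ACK arriving more than MAX_AGE_TICKS later is refused even if it is genuine.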
Capacity Planning
- Buy enough infrastructure to handle large loads
- Work with your Internet Service Provider (ISP)
  – Make sure they have DoS countermeasures and DoS capacity planning

Hardening the Network Edge
- Block ICMP and UDP
  – Except UDP 53 for DNS
- Ingress filtering
  – Blocking obviously invalid inbound traffic, such as packets from private and reserved address ranges
- Egress filtering
  – Stop spoofed IP packets from leaving your network: only allow packets with valid source addresses
  – If more ISPs would simply implement egress filtering, DoS would probably be a much less significant threat
- Disable directed IP broadcast
  – So you are not an amplifier for Smurf attacks

Hardening the Network Edge
- Implement Unicast Reverse Path Forwarding (RPF)
  – A router compares the source address and the source interface to make sure the source address is plausible
  – This removes bogons: packets with obviously forged source addresses (link Ch 10h)
- Rate limit
  – Limiting the rate of traffic you accept can prevent some DoS attacks, but if sloppily done it will block legitimate traffic
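The three edge checks from the two slides above (bogon drop, ingress/egress filtering, strict unicast RPF) as one decision function, written for this page rather than taken from any router vendor. The routing table, interface names, the partial bogon list and the address blocks are constructed assumptions; a real router does the same lookups in hardware.

```python
import ipaddress

# Constructed routing table: (prefix, interface through which that prefix is reached)
ROUTES = [
    ("0.0.0.0/0", "wan0"),            # default route towards the ISP
    ("198.51.100.0/24", "lan0"),      # our own public block
    ("203.0.113.0/24", "dmz0"),       # a second block of ours, behind another interface
]
OUR_PREFIXES = [ipaddress.ip_network(p) for p, iface in ROUTES if iface != "wan0"]

# Partial, constructed bogon list: private, loopback, link-local, multicast, reserved
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def best_route(addr):
    """Longest-prefix match; returns the interface the address is reached via."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def edge_decision(src, in_iface):
    """'forward' or a 'drop: ...' reason for a packet with source src on in_iface."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop: bogon source"
    is_ours = any(addr in net for net in OUR_PREFIXES)
    if in_iface == "wan0":
        # ingress filtering: traffic from the Internet must not claim our own addresses
        if is_ours:
            return "drop: ingress, spoofed internal source"
    else:
        # egress filtering: traffic leaving us must carry one of our own addresses
        if not is_ours:
            return "drop: egress, spoofed source"
    # strict uRPF: the source must be reachable back through the interface it arrived on
    if best_route(addr) != in_iface:
        return "drop: uRPF, source not reachable via " + in_iface
    return "forward"
```

The last test case below shows what uRPF adds over plain ingress/egress filtering: a packet with a valid internal source is still dropped when it arrives on the wrong internal interface.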
Hardening the Network Edge
- Authenticate routing updates
  – Most routing protocols, such as Routing Information Protocol (RIP) v1 and Border Gateway Protocol (BGP) v4, have no or very weak authentication
  – Attackers can alter legitimate routes, often by spoofing their source IP address, to create a DoS condition
  – Victims of such attacks will either have their traffic routed through the attackers' network or into a black hole, a network that does not exist

Hardening the Network Edge
- Implement sink holes
  – The network equivalent of a honey pot
  – A router that advertises routes to bogon addresses
  – Redirects attacks away from the customer
- See link Ch 10i

Hardening Servers
- Keep up with patches
- System-level SYN protection
  – Operating system patches adjust SYN queue length and timeout periods to resist SYN floods
  – Linux kernels 2.0.30 and later employ SYN cookies (although they are turned off by default)
  – Windows can increase the SYN queue size dynamically
- Disable responses to broadcast ECHO requests

DoS Testing
- Get ethical hackers to test your network with DoS tests
- DoS testing tools
  – WebLOAD (link Ch 10j)
  – Many tools compared at link Ch 10k

Detecting DoS
- Read current news about malware
  – Subscribe to a good security newsletter, such as Bugtraq, or antivirus vendor information services
- DoS detection technology and techniques
  – Intrusion Detection Systems (IDS) aren't very good at stopping DoS attacks
  – Anomaly detection is better, like Peakflow from Arbor Networks (link Ch 10l)
  – The netstat -na command shows current connections
  – Many connections in a SYN_RECV state may indicate that a SYN attack is in progress
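The netstat check on the slide above, turned into detection logic (an added example for this page, not a tool the slides reference): it parses `netstat -na` rows, counts SYN_RECV entries per local port and per source, and flags a suspected SYN flood. It goes a little beyond the slide by accepting both the Linux layout and the Windows layout (where the state reads SYN_RECEIVED). The sample output is constructed, and the threshold of 20 is an assumption to be replaced by a measured baseline.

```python
from collections import Counter

def make_sample(n_half_open):
    """Constructed `netstat -na` output (Linux layout) for a web server under a
    SYN flood: one listener, one real connection, and n_half_open half-open
    connections each from a different forged-looking source. Not a real capture."""
    lines = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
        "tcp        0      0 198.51.100.10:80        192.0.2.77:51234        ESTABLISHED",
        "udp        0      0 0.0.0.0:53              0.0.0.0:*",
    ]
    for i in range(n_half_open):
        lines.append(f"tcp        0      0 198.51.100.10:80        "
                     f"203.0.113.{i % 250 + 1}:{40000 + i}        SYN_RECV")
    return "\n".join(lines) + "\n"

def parse_netstat(text):
    """Return (local, foreign, state) for every TCP row. Handles the Linux
    6-column layout and the Windows 4-column layout (TCP local foreign state)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].lower().startswith("tcp"):
            continue                      # headers, udp rows, blank lines
        if len(f) == 4:                   # Windows: TCP local foreign state
            local, foreign, state = f[1], f[2], f[3]
        elif len(f) >= 6:                 # Linux: tcp recvq sendq local foreign state
            local, foreign, state = f[3], f[4], f[5]
        else:
            continue
        rows.append((local, foreign, state.replace("SYN_RECEIVED", "SYN_RECV")))
    return rows

def syn_flood_report(text, threshold=20):
    """Summarize half-open connections and flag a suspected SYN flood.
    threshold is the SYN_RECV count that is abnormal for this host; derive it
    from a quiet-time baseline instead of guessing."""
    rows = parse_netstat(text)
    by_state = Counter(state for _, _, state in rows)
    half_open = [(local, foreign) for local, foreign, state in rows if state == "SYN_RECV"]
    by_port = Counter(local.rsplit(":", 1)[1] for local, _ in half_open)
    by_src = Counter(foreign.rsplit(":", 1)[0] for _, foreign in half_open)
    return {
        "syn_recv": len(half_open),
        "established": by_state["ESTABLISHED"],
        "by_port": dict(by_port),
        # many half-open entries, each from a different source, is the classic
        # signature of a flood with forged source addresses
        "distinct_sources": len(by_src),
        "suspect": len(half_open) >= threshold,
    }
```

On a live host, feed the real output in with something like `syn_flood_report(subprocess.run(["netstat", "-na"], capture_output=True, text=True).stdout)`.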
Detecting DoS
- Scan for DoS bots on your networks
  – Deploy antivirus on every machine
  – Tools to detect DoS bots: DDOSPing (link Ch 10m)
  – Finds Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings

Responding to DoS
- Plan and practice your response process
  – Have fire drills
  – Prepare documented incident escalation procedures (see link Ch 10n)
  – Key points: rapid escalation, aggressive triage, thorough investigation, carefully orchestrated communication through resolution, and collaborative post-mortem

Filter or Redirect Offending Traffic
- Blocking based on source IP works only if the source addresses aren't spoofed
- CiscoGuard uses multiple layers of filtering to weed out bad traffic from good
- Deploy sink holes to redirect malicious DoS traffic

Call Your ISP and Initiate Traceback
- You or your ISP will have to work closely with the ISPs who are the source of the attack
- They are best positioned to filter the traffic

Move the Target
- When microsoft.com was heavily attacked, they
  – Changed the IP address in DNS to deflect static IP-targeted attacks
  – Shortened the time to live (TTL) on the targeted domain name so DNS clients would rapidly receive updates
  – Set up a CNAME entry in their DNS to point DoS attacks elsewhere
  – Removed an unneeded DNS name from the DNS entirely

Cut Over to Alternate Infrastructure or Application Modes
- HTTP caching services can handle traffic for you
  – Akamai (link Ch 10o)
  – Savvis (link Ch 10p)
- Switch to alternative pages or techniques to respond faster during heavy load
  – Pages often switch to simple HTML during a Digg storm, for example

Last modified 4-18-08 10 pm