Chapter 10 Denial of Service Attacks. Overview 1990s - Ping of Death, Smurf, etc. –Crashed...

Date post: 16-Jan-2016
Upload: phebe-doris-hubbard
Transcript
Page 1: Chapter 10 Denial of Service Attacks. Overview 1990s - Ping of Death, Smurf, etc. –Crashed individual machines –Corrected with patches 2000 –DDoS (Distributed.

Chapter 10

Denial of Service Attacks

Page 2: Overview

1990s - Ping of Death, Smurf, etc.
– Crashed individual machines
– Corrected with patches

2000
– DDoS (Distributed Denial of Service)
– Extortion
– Zombie networks

Page 3: 2008

Link Ch 10c

Page 4: Common DoS Attack Techniques

Page 5: Old-School DoS: Vulnerabilities

Oversized packets
– Ping of Death – a packet larger than 65,535 bytes

Fragmentation overlap
– Sending TCP/IP fragments that cannot be properly reassembled
– Attacks: teardrop, bonk, boink, and nestea

Page 6: Old-School DoS: Vulnerabilities

Loopback floods
– Sends data back to the echo service, or
– Send TCP/IP packets with the same source and destination address
– Creating an endless loop
– Attacks: Land and LaTierra

Nukers
– Sent out-of-band (OOB) packets (TCP segments with the URG bit set) to a system, causing it to crash

Page 7: Old-School DoS: Vulnerabilities

Extreme fragmentation
– Forces target to waste time reassembling packets
– Attack: Jolt2

NetBIOS/SMB
– Buffer overflows and other issues

Combos
– Send many DoS attacks at once
– Attacks: targa and datapool

Page 8: Old-School DoS: Countermeasures

Operating system patches have fixed these vulnerabilities

This type of threat is less important now

Page 9: Modern DoS: Capacity Depletion

Page 10: Infrastructure-Layer DoS

SYN Floods
– Attacker sends SYN packets to a listening port, with a forged source address of a nonexistent system
– Target sends back SYN/ACK packets and maintains half-open connections until it times out (75 sec. to 23 minutes)
– This consumes resources (like RAM) on the target, often more than an established connection

Page 11: Effects of the SYN Flood

Can completely stop a vulnerable server, even if the attacker has low bandwidth

Stealthy – no packets have a source address that leads back to the attacker

SYN floods are still the primary capacity depletion method

Page 12: SYN Flood Demo

Win 98 Target

Ubuntu Attacker

Page 13: UDP Floods

UDP is connectionless, so there is no handshake

Sending a lot of UDP packets burdens a system, but not as much as a SYN flood

UDP floods are rarely used
– UDPFlood tool at link Ch 10a

Page 14: Amplification: Smurf and Fraggle

Send pings to a broadcast address
– Ending in .255 (for a class C network)

Put the victim as the source address

Many replies go to the victim

Fraggle uses UDP packets instead, resulting in many ICMP Echo packets

Not common anymore, because directed IP broadcasts are usually blocked now

Page 16: Distributed Denial of Service (DDoS)

Poorly protected and unpatched systems under the control of a botmaster are called
– Zombies or DDoS Clients or Bots

Early clients were Tribe Flood Network, Trinoo, and Stacheldraht

Most bots use IRC for Command & Control

Page 17: DDoS Clients and Bots

Tribe Flood Network (TFN)
– First Linux/UNIX-based distributed denial of service tool
– Found mostly on Solaris and Red Hat computers
– Could be used for ICMP, Smurf, UDP, and SYN floods
– In addition to the attacking components of TFN, the product allows for a root shell bound to a TCP port

Page 18: DDoS Clients and Bots

Trinoo
– Similar to TFN
– Uses UDP ports 27444 & 31335

WinTrinoo
– Windows version of Trinoo
– Trojan, named service.exe
– Adds itself to the Run registry key to autostart
– Uses TCP and UDP port 34555

Page 19: DDoS Clients and Bots

Stacheldraht
– Combines TFN and Trinoo
– Encrypted telnet session between the slaves and the masters
– Uses a combination of TCP and ICMP (ECHO reply) packets for Command & Control (client-server communication)
– Can be remotely upgraded

Page 20: DDoS Clients and Bots

TFN2K
– Successor to TFN
– Uses random ports for communication
  Can't be stopped by blocking ports
– Uses weak encryption (Base-64 encoding)
  Can't be stopped by network-based IDS

Page 21: Application-Layer DoS

Not in Book
From Hacktics presentation at OWASP (link Ch 10d)

Page 22: Application-Layer DoS

Find small requests that consume a lot of server resources

Much easier for the attacker than DDoS

Page 23: DoS can be achieved in various ways:

Application Crashing

Data Destruction

Resource Depletion
– Memory
– CPU
– Bandwidth
– Disk Space

Page 24: Application Crashing

Send an input that causes an error in the application, causing it to crash
– Buffer Overflows
– Malformed data – causing parser exception
– Terminating with error
– SQL Injection (; shutdown --)

Page 25: Data Destruction

One way to cause a DoS attack is by tampering with the data instead of the service itself

If a site is vulnerable to SQL Injection, for instance, it may be possible to DELETE all data from all tables

Although the Web site will keep being ‘online’, it will actually be useless without the information from the Database

Page 26: Data Destruction – Example

Intentional User Lock

Any web application login page

Taking advantage of the application security mechanisms to cause DoS by abusing the login failure user lock mechanism

Intentionally failing multiple login attempts with each possible username will eventually result in DoS, since all the application users will be locked
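The lock mechanism on this slide turns a security control into a DoS lever because one source can lock every account, permanently, with a handful of failures each. The following added example (not from the slides or the Hacktics presentation) shows a throttle design that limits that: failures are counted per account and per source, locks are temporary and escalate rather than needing an admin unlock, and the source doing the sweep is cut off before it reaches most accounts. Names, limits and the simulated scenario are constructed for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Failure tracking per account and per source with temporary, escalating locks."""

    def __init__(self, window=900, account_limit=10, source_limit=20,
                 base_lock=30, max_lock=900, clock=time.time):
        self.window, self.account_limit, self.source_limit = window, account_limit, source_limit
        self.base_lock, self.max_lock, self.clock = base_lock, max_lock, clock
        self.failures = defaultdict(deque)     # key -> timestamps of failures inside the window
        self.locked_until = {}                 # key -> time the lock expires
        self.lock_count = defaultdict(int)     # key -> locks so far, drives the escalation

    def is_locked(self, key, now):
        return now < self.locked_until.get(key, 0.0)

    def check(self, username, source):
        """Call before verifying a password; returns (allowed, reason)."""
        now = self.clock()
        for key in (("src", source), ("acct", username)):
            if self.is_locked(key, now):
                return False, f"{key[0]} locked for {int(self.locked_until[key] - now)}s"
        return True, "ok"

    def record_failure(self, username, source):
        now = self.clock()
        for key, limit in ((("src", source), self.source_limit),
                           (("acct", username), self.account_limit)):
            dq = self.failures[key]
            while dq and now - dq[0] > self.window:   # forget failures older than the window
                dq.popleft()
            dq.append(now)
            if len(dq) >= limit:
                # Temporary lock that doubles each time the same key is locked again, capped at max_lock.
                duration = min(self.max_lock, self.base_lock * 2 ** self.lock_count[key])
                self.locked_until[key] = now + duration
                self.lock_count[key] += 1
                dq.clear()

    def record_success(self, username):
        """A correct password clears the account's failure history and any account lock."""
        self.failures.pop(("acct", username), None)
        self.locked_until.pop(("acct", username), None)


def simulate_username_sweep(usernames, attacker_src, attempts_per_user=10):
    """Constructed scenario: one source fails attempts_per_user logins against every account,
    one attempt per second. Returns (accounts locked at the end, attempts the throttle refused, throttle)."""
    now = [0.0]
    th = LoginThrottle(clock=lambda: now[0])
    refused = 0
    for user in usernames:
        for _ in range(attempts_per_user):
            allowed, _reason = th.check(user, attacker_src)
            if allowed:
                th.record_failure(user, attacker_src)
            else:
                refused += 1
            now[0] += 1.0
    locked = sum(1 for u in usernames if th.is_locked(("acct", u), now[0]))
    return locked, refused, th
```

The account-level lock still applies from any source, so an attacker who reaches the per-account limit on a given user delays that user's login for the lock duration; the design bounds the damage (a short, expiring lock, and only for the accounts reached before the source lock engages) rather than eliminating it.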

Page 27: Resource Depletion

Classical Resource Depletion simply utilizes very large amounts of target resources

Sophisticated attacks pinpoint the weak points of the application to achieve maximum effect

Page 28: Resource Depletion Examples

CPU Consumption
– On a large forum
– Create a complicated regular expression search
– Use a script to launch the search over and over

Page 29: Resource Depletion Examples

CPU Consumption – The SQL Injection version
– When SQL Injection is possible – can be used for DoS even without permissions to Shutdown or Delete
– Creating very intense nested queries does the trick:

Page 30: Resource Depletion Examples

Memory Consumption
– Attack Web Mail
– Upload thousands of attachments, but never send them

Disk Consumption
– Send a request that generates a large log record, try to fill system disk

Network Consumption
– Send requests with large results (display all items)

Page 31: Real-World Result

Hacktics, a security company, brought down a large corporate network with just three laptops in an authorized test
– Global company with branches in Israel, Europe and the USA
– Internet Connectivity – 3x50Mbps lines with load balancing. ISPs provide Cisco (Riverhead) based Anti DDoS solutions
– High security network, 30+ Web servers, backend servers, Mail Relay, databases

Page 32: Hacktics Results

DoS was successful against all systems but one

Two applications crashed completely after only a few dozen requests

Most other applications stopped responding after 5-15 minutes of script execution from up to three laptops (though with most a single laptop was sufficient)

Main cause of DoS was CPU exhaustion

Page 33: Application-Layer DoS Countermeasures

At the code level
– Perform thorough input validation. Expect the worst!
– Avoid highly CPU-consuming operations
– Avoid creating bottlenecks
– Avoid operations which must wait for completion of large tasks to proceed
– Split operations into chunks
– Set timeout timers for unreasonable time

Page 34: Application-Layer DoS Countermeasures

At the deployment level
– Prepare for performance peaks
  More Load Balancing
  Caching
– Always separate the data disks from the system disks

Page 35: DoS Countermeasures

Page 36: Practical Goals

DoS cannot be fully prevented

The goal of DoS mitigation is to maintain the best level of service for the largest number of customers

Security is defined as protecting
– Confidentiality, Integrity, and Availability

DoS attacks Availability, which is less valued politically in organizations

Page 37: DoS Politics

Increasing availability is not seen as primarily a security issue
– More a capacity and infrastructure issue
– More servers, bandwidth, etc.

Application-layer DoS is new, and application designers are often unaware of it, and don't plan for it

Page 38: Anti-DoS Products

Cisco Guard
– Formerly from Riverhead
– Has a multi-layer defense system to stop DDoS attacks

Link Ch 10e

Top Layer and Juniper sell anti-DDoS devices also

Page 39: SYN Cookies

Instead of maintaining a list of half-open connections in RAM
– A server chooses an Initial Sequence Number using a cryptographic function and a secret key
– So the server can deduce from the ACK what the SYN must have been

This makes servers much less susceptible to SYN Floods

Used in some anti-DDoS devices
– Link Ch 10f
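The mechanism on this slide, and the reason it defeats the half-open-queue exhaustion described on slide 10, is easier to see with the arithmetic written out. The following added example (not code from the slides or from any kernel) models the classic layout: the ISN packs a 5-bit slow counter, a 3-bit MSS bucket and a 24-bit keyed MAC over the connection 4-tuple, so a valid final ACK proves a SYN/ACK was sent without the server having stored anything. The MSS table, the 64-second counter tick, the secret and the addresses are constructed assumptions.

```python
import hashlib
import hmac
import time

# Cookie layout (32-bit ISN): 5-bit slow counter | 3-bit MSS index | 24-bit keyed MAC.
MSS_TABLE = (536, 1460, 8960, 64000)   # hypothetical MSS buckets encoded in the cookie


def _mss_index(mss):
    """Largest table entry not exceeding the client's MSS (index 0 if none fits)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def _mac24(secret, src, dst, sport, dport, counter):
    """24-bit keyed MAC over the 4-tuple and the counter value the cookie was minted in."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, dst, sport, dport, mss, counter):
    """ISN to send in the SYN/ACK. The server keeps no record of the SYN."""
    t = counter & 0x1F
    return (t << 27) | (_mss_index(mss) << 24) | _mac24(secret, src, dst, sport, dport, t)


def check_ack(secret, src, dst, sport, dport, ack, counter, max_age=1):
    """Validate the final ACK of the handshake; returns the MSS to use, or None if the ACK is not ours."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    t = cookie >> 27
    if (counter - t) & 0x1F > max_age:       # minted too many ticks ago, or forged counter bits
        return None
    if cookie & 0xFFFFFF != _mac24(secret, src, dst, sport, dport, t):
        return None                          # MAC mismatch: no matching SYN/ACK was ever sent
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynCookieListener:
    """Toy listener: SYNs consume no memory; only completed handshakes are recorded."""

    def __init__(self, secret, addr, port, clock=time.time):
        self.secret, self.addr, self.port, self.clock = secret, addr, port, clock
        self.established = []

    def _counter(self):
        return int(self.clock() // 64)       # one tick per 64 s (constructed choice)

    def on_syn(self, src, sport, mss):
        """Answer a SYN with a cookie ISN; nothing is queued server-side."""
        return make_cookie(self.secret, src, self.addr, sport, self.port, mss, self._counter())

    def on_ack(self, src, sport, ack):
        mss = check_ack(self.secret, src, self.addr, sport, self.port, ack, self._counter())
        if mss is None:
            return False
        self.established.append((src, sport, mss))
        return True


def spoofed_syn_burst(listener, n):
    """Feed n SYNs from constructed, unreachable sources; return how much state they left behind."""
    for i in range(n):
        listener.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 1460)
    return len(listener.established)
```

A real implementation also has to cope with the information lost in 32 bits (TCP options other than MSS are dropped), which is why kernels typically only switch to cookies once the real SYN queue is full.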

Page 40: Capacity Planning

Buy enough infrastructure to handle large loads

Work with Your Internet Service Provider (ISP)
– Make sure they have DoS countermeasures, and DoS capacity planning

Page 41: Hardening the Network Edge

Block ICMP and UDP
– Except UDP 53 for DNS

Ingress filtering
– Blocking obviously invalid inbound traffic, such as packets from private and reserved address ranges

Egress filtering
– Stop spoofed IP packets from leaving your network—only allow packets with valid Source addresses
– If more ISPs would simply implement egress filtering, DoS would probably be a much less significant threat

Disable directed IP broadcast
– So you are not an amplifier for Smurf attacks

Page 42: Hardening the Network Edge

Implement Unicast Reverse Path Forwarding (RPF)
– A router compares the source address and the source interface to make sure the source address is plausible
– This removes Bogons—packets with obviously forged source addresses (link Ch 10h)

Rate limit
– Limiting the rate of traffic you accept can prevent some DoS attacks, but if sloppily done it will block legitimate traffic
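The four edge checks on slides 41 and 42 (ingress filtering of bogons, egress filtering of spoofed sources, strict unicast RPF, and refusing directed broadcasts) are easiest to compare when written as one decision function over a small topology. This added example is not from the slides or any router vendor; the prefix, interfaces, routes and the short bogon list are constructed for illustration (a production bogon list is larger and changes over time).

```python
import ipaddress

OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # addresses we legitimately originate
EXTERNAL_IFS = {"uplink0", "peer1"}                       # Internet-facing interfaces

# Illustrative bogon list: private and reserved ranges that must never arrive from outside.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Forwarding table: destination prefix -> outgoing interface (longest prefix wins).
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "lan0",
    ipaddress.ip_network("198.51.100.0/24"): "peer1",
    ipaddress.ip_network("0.0.0.0/0"): "uplink0",
}


def in_any(ip, nets):
    return any(ip in n for n in nets)


def best_route(ip):
    """Interface the router would use to reach ip (longest-prefix match)."""
    matches = [n for n in ROUTES if ip in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def edge_decision(src, dst, ingress_if):
    """Return (verdict, reason) for a packet src -> dst arriving on ingress_if."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress_if in EXTERNAL_IFS:
        # Ingress filtering: reserved ranges and our own addresses cannot legitimately arrive from outside.
        if in_any(s, BOGONS):
            return "drop", "ingress: bogon source"
        if in_any(s, OUR_PREFIXES):
            return "drop", "ingress: spoofed internal source"
        # Strict uRPF: the best route back to the source must leave via the interface it arrived on.
        via = best_route(s)
        if via != ingress_if:
            return "drop", f"uRPF: route to source is via {via}, not {ingress_if}"
        # No directed broadcast: outsiders may not target the broadcast address of our prefixes.
        if any(d == n.broadcast_address for n in OUR_PREFIXES):
            return "drop", "directed broadcast to our prefix"
    else:
        # Egress filtering: only packets sourced from our own prefixes may leave.
        if not in_any(s, OUR_PREFIXES):
            return "drop", "egress: source not in our prefixes"
    return "accept", ""
```

Strict uRPF is only safe where routing is symmetric; on a multi-homed edge the loose variant (any route to the source exists) is the usual compromise, which the rate-limit caveat on slide 42 applies to as well.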

Page 43: Hardening the Network Edge

Authenticate routing updates
– Most routing protocols, such as Routing Information Protocol (RIP) v1 and Border Gateway Protocol (BGP) v4, have no or very weak authentication
– Attackers can alter legitimate routes, often by spoofing their source IP address, to create a DoS condition
– Victims of such attacks will either have their traffic routed through the attackers' network or into a black hole, a network that does not exist

Page 44: Hardening the Network Edge

Implement sink holes
– The network equivalent of a honey pot
– A router that advertises routes to bogon addresses
– Redirects attacks away from the customer

See link Ch 10i

Page 47: Hardening Servers

Keep Up with Patches

System-Level SYN Protection
– Operating system patches adjust SYN queue length, and timeout periods, to resist SYN floods
– Linux kernels 2.0.30 and later employ SYN cookies (although they are turned off by default)
– Windows can increase the SYN queue size dynamically

Disable responses to broadcast ECHO requests

Page 48: DoS Testing

Get ethical hackers to test your network with DoS tests

DoS testing tools
– WebLOAD (link Ch 10j)
– Many tools compared at link Ch 10k

Page 49: Detecting DoS

Read Current News About Malware
– Subscribe to a good security newsletter, such as Bugtraq, or antivirus vendor information services

DoS Detection Technology and Techniques
– Intrusion Detection Systems (IDS) aren't very good at stopping DoS attacks
– Anomaly detection is better, like Peakflow from Arbor Networks (link Ch 10l)
– The netstat -na command shows current connections
– Many connections in a SYN_RECV state may indicate that a SYN attack is in progress
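The netstat check on this slide is a quick manual indicator; the following added example (not from the slides) turns it into a repeatable check by parsing netstat -na output, counting half-open connections per local port, and comparing them with established ones and with the number of distinct remote addresses (a flood of spoofed SYNs typically shows many half-open entries from many never-repeating sources). The sample output, the threshold and the server address are constructed; Linux prints the state as SYN_RECV and Windows as SYN_RECEIVED, and both are handled.

```python
import subprocess
from collections import Counter, defaultdict

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}   # Linux / Windows spelling of the half-open state


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, state) for each TCP row of `netstat -na` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue                         # header, UDP rows and blank lines are skipped
        local, remote, state = parts[-3], parts[-2], parts[-1]
        lip, lport = local.rsplit(":", 1)    # rsplit keeps IPv6 addresses intact
        rip = remote.rsplit(":", 1)[0]
        rows.append((lip, lport, rip, state))
    return rows


def syn_flood_indicators(text, half_open_threshold=100):
    """Per local port: half-open count, established count, distinct half-open sources, suspect flag."""
    half_open, established = Counter(), Counter()
    sources = defaultdict(set)
    for _lip, lport, rip, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            half_open[lport] += 1
            sources[lport].add(rip)
        elif state == "ESTABLISHED":
            established[lport] += 1
    report = {}
    for port, n in half_open.items():
        report[port] = {
            "half_open": n,
            "established": established[port],
            "distinct_sources": len(sources[port]),
            # Flag when the half-open backlog is large and outnumbers real connections on that port.
            "suspect": n >= half_open_threshold and n > established[port],
        }
    return report


def live_indicators(half_open_threshold=100):
    """Run the real command on this host (not exercised by the test)."""
    out = subprocess.run(["netstat", "-na"], capture_output=True, text=True, check=True).stdout
    return syn_flood_indicators(out, half_open_threshold)


def build_sample_netstat(n_half_open=150):
    """Constructed Linux-style netstat -na output: a web server with a SYN backlog on port 80."""
    lines = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
    ]
    for i in range(5):
        lines.append(f"tcp        0      0 10.0.0.5:443            192.0.2.{i + 1}:5{i}000          ESTABLISHED")
    for i in range(n_half_open):
        lines.append(f"tcp        0      0 10.0.0.5:80             203.0.113.{i % 254 + 1}:{40000 + i}     SYN_RECV")
    lines.append("udp        0      0 0.0.0.0:53              0.0.0.0:*")
    return "\n".join(lines)
```

Run live_indicators() periodically (or on an alert from the anomaly-detection gear mentioned above) and compare against the port's normal baseline; a fixed threshold of 100 is a placeholder, not a recommendation.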

Page 50: Detecting DoS

Scan for DoS Bots on Your Networks
– Deploy antivirus on every machine
– Tools to detect DoS bots
  DDOSPing (link Ch 10m)
  – Finds Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings

Page 51: Responding to DoS

Plan and Practice Your Response Process
– Have fire drills
– Prepare documented incident escalation procedures
  See link Ch 10n
– Key points:
  Rapid escalation, aggressive triage, thorough investigation, carefully orchestrated communication through resolution, and collaborative post-mortem

Page 52: Filter or Redirect Offending Traffic

Blocking based on source IP works only if the source addresses aren't spoofed

CiscoGuard uses multiple layers of filtering to weed out bad traffic from good

Deploy sink holes to redirect malicious DoS traffic

Page 53: Call Your ISP and Initiate Traceback

You or your ISP will have to work closely with the ISPs who are the source of the attack

They are best positioned to filter the traffic

Page 54: Move the Target

When microsoft.com was heavily attacked, they
– Changed the IP address in DNS to deflect static IP-targeted attacks
– Shortened the time to live (TTL) on the targeted domain name so DNS clients would rapidly receive updates
– Set up a CNAME entry in their DNS to point DoS attacks elsewhere
– Removed an unneeded DNS name from the DNS entirely

Page 55: Cut Over to Alternate Infrastructure or Application Modes

HTTP Caching services can handle traffic for you
– Akamai (link Ch 10o)
– Savvis (link Ch 10p)

Switch to alternative pages or techniques to respond faster during heavy load
– Pages often switch to simple HTML during a Digg storm, for example

Page 56:

– Last modified 4-18-08 10 pm

