COMPSCI 316 Denial-of-Service Attacks (DoS and DDoS)
Manoranjan Mohanty, m.mohanty@auckland.ac.nz, 8/10/2019
Date post: 18-May-2020

Transcript
Page 1: COMPSCI 316 Denial-of-Service Attacks · COMPSCI 316 Denial-of-Service Attacks (DoS and DDoS) Manoranjan Mohanty m.mohanty@auckland.ac.nz 8/10/2019 1. ... packets into their networks

COMPSCI 316

Denial-of-Service Attacks (DoS and DDoS)

Manoranjan Mohanty

m.mohanty@auckland.ac.nz

8/10/2019 1

Page 2

When can it happen? (Diagram: a legitimate case versus an attack)

Page 3

DoS Attack

“An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”

-- NIST Computer Security Incident Handling Guide

(Diagram: Alice and the UoA server)

Page 4

DoS Attack Cont.

Attack on the availability of some services.

Network bandwidth: relates to the capacity of the network links connecting a server to the Internet. For most organizations this is their connection to their Internet Service Provider (ISP).

(Diagram: Alice, Attacker Bob and the UoA server, connected through the Internet)

Flooding attack: Bob sends more data than the connection to the UoA server can handle.

Page 5

DoS Attack Cont.

Attack on the availability of some services.

System resources: aims to overload or crash the network handling software.

(Diagram: Attacker Bob sends a poison packet to the UoA server; SYN spoofing)

Crashing a system's hardware resources (e.g., a buffer) or software (e.g., by exploiting a bug) using specially crafted packets, e.g., SYN spoofing or ping of death (a poison packet).

Page 6

DoS Attack Cont.

Attack on the availability of some services.

Application resources: typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users.

(Diagram: Attacker Bob sends a large number of time-consuming queries to the UoA server)

Attack on a specific application, e.g., a web server. Cyberslam: a large number of time-consuming queries.

Page 7

Classic DoS Attacks

Flooding Attack

Source Address Spoofing

SYN Spoofing

Page 8

Flooding Attack

Attack packets must be useful

Large packets preferred

ICMP flood
• Ping flood using ICMP echo request packets
• Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool

UDP flood
• Uses UDP packets directed to some port number on the target system

TCP SYN flood
• Sends a large number of TCP connection requests to the target system

(Diagram: Attacker Bob, the Internet and the UoA server)

Page 9

Flooding Attack

The source of the attack is clearly identified unless a spoofed address is used – legal action can be taken

The attacker's own network performance is noticeably affected by the victim's responses to the received packets – the attack itself can be affected!

(Diagram: Attacker Bob, the Internet and the UoA server)

Page 10

Source Address Spoofing

Forging the source address and other packet attributes

(Diagram: Attacker Bob, Alice, Eve, the Internet and the UoA server)

Page 11

DoS: Source Address Spoofing

A target system receives a large number of (forged) packets from different sources. The attacker is much harder to identify.

The attacker is no longer congested by a large number of response packets from the target (as the response packets are distributed across the forged sources).

Some response packets may generate error packets (more flood) to be sent to the target (as some sources may not exist or may not be expecting a packet).

Filtering forged packets at the destination router is a practical countermeasure – but ISPs do not care about this (it is the target's DoS problem).

Page 12

SYN Spoofing

Common DoS attack

Attack on the network system resources of a server (rather than network bandwidth)

Attacks the ability of a server to respond to future TCP connection requests by overflowing the tables used (by the server) to manage them

Let's first understand what a TCP SYN is

Page 13

TCP Three-way Handshake

(Diagram: client and server)

1. Client sends SYN packet with seq x

2. Server records all details about the connection request in a table (buffer), and sends SYN-ACK packet

3. After receiving SYN-ACK packet, client sends ACK packet

Since packets must be sent over IP, if the receiver of a packet has not responded by a timeout, the sender resends the packet (this is the overhead of making TCP reliable)

Page 14

SYN Spoofing

Exploits the three-way handshake

1. Attacker generates many SYN connection requests with forged source addresses

2. Server stores all the connection parameters in its buffer, and sends SYN-ACK to the source addresses

If the system at a spoofed address is busy or does not exist, there is no reply

Server resends the packet a number of times while still storing the details of this fake connection request

Page 15

SYN Spoofing

Server has a limited buffer size

If it receives a large number of fake connection requests, the buffer will fill quickly

Legitimate requests will be denied
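The slides above describe the server's connection table filling with half-open entries whose SYN-ACKs are never answered. The Python model below is added here as an illustration; it is not part of the lecture or of the Stallings and Brown material. It simulates that table: each SYN takes a slot, a slot is freed when the client's ACK arrives or when the server gives up retransmitting SYN-ACK, and spoofed sources never reply. The backlog size, retransmit timeout, retry count, the doubling-backoff hold-time formula and all addresses (documentation ranges) are constructed assumptions. It shows why legitimate SYNs are refused while the table is full, and that the time an unanswered entry is held is what decides how long the denial lasts.

```python
"""Constructed model of a TCP listen table (backlog) under SYN spoofing.

Added example, not from the COMPSCI 316 slides. Every slot holds one
half-open connection until the client's ACK arrives or the server stops
retransmitting SYN-ACK; spoofed sources never answer, so their slots stay
occupied for the whole retransmit period.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    src: str
    seq: int
    expires_at: float  # time at which the server gives up on this request


@dataclass
class Listener:
    backlog: int            # maximum half-open entries (the "limited buffer")
    synack_retries: int     # SYN-ACK retransmissions before giving up
    rto: float              # initial retransmit timeout in seconds (assumed)
    table: dict = field(default_factory=dict)
    dropped: int = 0        # SYNs refused because the table was full
    established: int = 0    # handshakes completed

    def hold_time(self) -> float:
        # Assumed doubling backoff: the entry lives through the initial
        # SYN-ACK and each retransmission, rto * (2^(retries+1) - 1) seconds.
        return self.rto * (2 ** (self.synack_retries + 1) - 1)

    def expire(self, now: float) -> None:
        # Free slots whose SYN-ACK retransmissions have all timed out.
        for key in [k for k, v in self.table.items() if v.expires_at <= now]:
            del self.table[key]

    def on_syn(self, now: float, src: str, sport: int, seq: int) -> bool:
        self.expire(now)
        if len(self.table) >= self.backlog:
            self.dropped += 1          # legitimate or not, this SYN is refused
            return False
        self.table[(src, sport)] = HalfOpen(src, seq, now + self.hold_time())
        return True

    def on_ack(self, now: float, src: str, sport: int) -> bool:
        self.expire(now)
        if self.table.pop((src, sport), None) is None:
            return False               # no matching half-open entry
        self.established += 1
        return True


def simulate(backlog: int = 128, synack_retries: int = 5, rto: float = 1.0,
             spoofed_syns: int = 200,
             legit_times=(0.5, 5.0, 30.0, 120.0)) -> dict:
    """Attacker sends spoofed SYNs at t=0; one honest client (constructed
    address 203.0.113.10) tries to connect at each time in legit_times."""
    srv = Listener(backlog, synack_retries, rto)
    for i in range(spoofed_syns):
        # forged sources in the 198.51.100.0/24 documentation range; nobody answers
        srv.on_syn(0.0, f"198.51.100.{i % 254 + 1}", 40000 + i, seq=i)
    outcome = {}
    for t in legit_times:
        sport = 50000 + int(t * 10)
        ok = srv.on_syn(t, "203.0.113.10", sport, seq=7)
        if ok:
            srv.on_ack(t + 0.05, "203.0.113.10", sport)  # honest client completes
        outcome[t] = ok
    return {"hold_time": srv.hold_time(), "legit_ok": outcome,
            "dropped": srv.dropped, "established": srv.established}


if __name__ == "__main__":
    print(simulate())                    # long hold time: client locked out for 63 s
    print(simulate(synack_retries=2))    # shorter hold time: table recovers after 7 s
```

With the default (assumed) parameters, 128 of the 200 spoofed SYNs fill the table and each entry is held for 63 s, so the honest client is refused at 0.5 s, 5 s and 30 s and only connects at 120 s. Cutting the retry count to 2 shortens the hold to 7 s and the client gets in from its 30 s attempt onward; the attacker's SYN count is unchanged, so what the defender controls here is how long an unanswered request is allowed to occupy a slot.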

Page 16

Other DoS Attacks

Distributed DoS (DDoS)

Reflector Attack

Amplifier Attack

Page 17

DDoS

Many systems (some can be ours) are used to generate the attack

Attacker uses malware to take control of a “good system”. Such systems are known as zombies

Botnet: a large collection of zombies controlled by an attacker

40% of DoS attacks in 2015 came from botnets

Botnet on hire – underground economy!

Your system can be one of many without your knowledge!!!

Page 18

DDoS Cont.

Well organized botnet architecture (diagram)

Page 19

Reflector Attack

Attacker sends packets to a known service of an intermediary with a spoofed source address of the actual target system

Unlike DDoS, intermediaries are not compromised

When the intermediary responds, the response is sent to the target – this can flood the target system

https://blog.cloudflare.com/reflections-on-reflections/

(Diagram: attack by flooding)

Page 20

Reflector Attack

“Reflects” the attack off the intermediary (reflector)

Goal is to generate enough volume of packets to flood the link to the target system without alerting the intermediary

The basic defense against these attacks is blocking spoofed-source packets

Page 21

Amplification Attack

A variant of the reflection attack that also depends on address spoofing

They differ in that multiple response packets are sent for each original packet (e.g., by sending a request to the broadcast address of a network so that all hosts on the network respond)

Page 22

DoS Attack Defences

These attacks cannot be prevented entirely

High traffic volumes may be legitimate: high publicity about a specific site, a flash crowd or flash event

Page 23

DoS Attack Defences Cont.

Four lines of defense against DDoS attacks

1. Attack prevention and preemption (before the attack): prevent the attack without affecting normal operations.

2. Attack detection and filtering (during the attack): detect from suspicious patterns; filter attack packets.

3. Attack source traceback and identification (during and after the attack): identify the attack source to prevent future attacks.

4. Attack reaction (after the attack): minimize the effect of the attack.
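The "during the attack" line of defense above (detect from suspicious patterns, filter attack packets) and the reflector slides' basic defense (block spoofed-source packets) are illustrated by the Python below. It is an added example, not code from the lecture or the textbook, and runs over constructed flow records. Each record is (direction, src, dst, kind): direction is "in" for packets arriving from the Internet or "out" for packets leaving our network, and kind is SYN, ACK, REQ or RESP. The prefix 192.0.2.0/24 is assumed to be our own address block; every other address is a documentation-range value chosen for the example. Three checks are shown: a border filter that drops packets whose source address cannot be genuine for the direction they travel, a half-open ratio that flags sources whose SYNs almost never complete the handshake, and a match of inbound responses against outbound requests to surface reflected traffic we never asked for.

```python
"""Added example (not from the slides): three 'during the attack' checks
over constructed flow records. Records are (direction, src, dst, kind):
direction is 'in' (arriving from the Internet) or 'out' (leaving our
network); kind is SYN, ACK, REQ or RESP. All addresses are from
documentation ranges; 192.0.2.0/24 is assumed to be our own prefix.
"""
import ipaddress
from collections import defaultdict

OUR_PREFIX = "192.0.2.0/24"   # assumption: the address block behind our border router

FLOWS = (
    # honest client: every SYN is followed by its ACK
    [("in", "203.0.113.10", "192.0.2.80", "SYN"),
     ("in", "203.0.113.10", "192.0.2.80", "ACK")] * 3
    # SYN flood source: eight SYNs, no ACK ever completes the handshake
    + [("in", "198.51.100.7", "192.0.2.80", "SYN")] * 8
    # a slow source: too few SYNs to judge
    + [("in", "198.51.100.8", "192.0.2.80", "SYN")] * 2
    # our own address arriving from outside, and a foreign source leaving: both forged
    + [("in", "192.0.2.5", "192.0.2.80", "SYN"),
       ("out", "10.9.9.9", "203.0.113.10", "SYN")]
    # reflection: one answer we asked for, four we never requested
    + [("out", "192.0.2.80", "203.0.113.53", "REQ"),
       ("in", "203.0.113.53", "192.0.2.80", "RESP")]
    + [("in", "198.51.100.53", "192.0.2.80", "RESP")] * 4
)


def spoof_filter(flows, our_prefix=OUR_PREFIX):
    """Block spoofed-source packets at the border (the basic reflector defense):
    inbound packets claiming one of our addresses and outbound packets with a
    foreign source cannot be genuine."""
    net = ipaddress.ip_network(our_prefix)
    kept, dropped = [], []
    for flow in flows:
        direction, src = flow[0], flow[1]
        ours = ipaddress.ip_address(src) in net
        spoofed = (direction == "in" and ours) or (direction == "out" and not ours)
        (dropped if spoofed else kept).append(flow)
    return kept, dropped


def half_open_sources(flows, min_syns=5, max_completion=0.2):
    """Detect from a suspicious pattern: sources whose SYNs almost never
    complete the handshake. Returns sorted (src, syns, acks) tuples."""
    syns, acks = defaultdict(int), defaultdict(int)
    for direction, src, _dst, kind in flows:
        if direction == "in" and kind == "SYN":
            syns[src] += 1
        elif direction == "in" and kind == "ACK":
            acks[src] += 1
    return sorted((src, n, acks[src]) for src, n in syns.items()
                  if n >= min_syns and acks[src] / n <= max_completion)


def unsolicited_responses(flows):
    """Reflected traffic arrives as responses to requests we never sent:
    pair each inbound RESP with an outbound REQ to the same peer."""
    asked = {(dst, src) for direction, src, dst, kind in flows
             if direction == "out" and kind == "REQ"}
    return [f for f in flows
            if f[0] == "in" and f[3] == "RESP" and (f[1], f[2]) not in asked]


if __name__ == "__main__":
    kept, dropped = spoof_filter(FLOWS)
    print("spoofed packets blocked:", len(dropped))
    print("half-open offenders:", half_open_sources(kept))
    print("unsolicited responses:", len(unsolicited_responses(kept)))
```

On the constructed records the border filter drops exactly the two forged packets, the half-open check reports only 198.51.100.7 (eight SYNs, no ACK) and leaves the honest client and the two-SYN source alone, and the request/response match isolates the four reflected answers from 198.51.100.53. The thresholds (five SYNs, 20% completion) are assumptions to be tuned against a site's own traffic, which is the point the slide makes about flash crowds: volume alone is not a reliable signal, but an unanswered-handshake ratio or a response with no matching request is.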

Page 24

Acknowledgement

Slides are based on the following book and its accompanying slides: Computer Security: Principles and Practice by William Stallings and Lawrie Brown. Pearson.

Some images are taken from Google Images