(Distributed) Denial of Service
CS-576 Systems Security
Instructor: Georgios Portokalidis
Fall 2018
Fall 2018 Stevens Institute of Technology 2
Denial-of-Service (DoS) Attack
“An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”
Denial-of-Service (DoS)
A form of attack on the availability of some service
Categories of resources that could be attacked are:
Network bandwidth
▪ Relates to the capacity of the network links connecting a server to the Internet
▪ For most organizations this is their connection to their Internet Service Provider (ISP)
System resources
▪ Aims to overload or crash the network handling software
Application resources
▪ Typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users
Network Flooding Attacks
Attacker generates large volumes of packets that have the target system as the destination address
Intent is to overload the network capacity on some link to a server
Congestion results at the router connected to the final, lower-capacity link
Virtually any type of network packet can be used
Network Flooding Attacks
Classified based on the network protocol used
ICMP flood
• Ping flood using ICMP echo request packets
• Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool
UDP flood
• Uses UDP packets directed to some port number on the target system
TCP SYN flood
• Sends TCP packets to the target system
• Total volume of packets is the aim of the attack rather than the system code
Figure 7.1 Example Network to Illustrate DoS Attacks
[Network diagram: a medium-size company LAN (Web server, LAN PCs and workstations) connects through a router to Internet service provider (ISP) A; a large company LAN with its own Web server connects through ISP B; broadband subscribers and broadband users hang off both ISPs; the ISPs are joined through the Internet.]
The same figure is then annotated with link capacities to show when a flood can succeed:
▪ Link capacities X and Y, with X > Y: possible to flood
▪ Link capacities X and Y placed on different links, again with X > Y: not possible to flood
▪ Link capacities X, Y and Z, with X > Y and X > Z but Y + Z > X: possible to flood
A single source whose link is smaller than the target's cannot saturate it, but two such sources together can; this is what motivates distributing the attack
Distributed Denial-of-Service
Figure 7.4 DDoS Attack Architecture
[Diagram: Attacker → Handler zombies → Agent zombies → Target]
Botnets are frequently used to perform network-based DDoS attacks
Simple Solution
Block subnets participating in DDoS
▪ Can affect many non-participating nodes
Less Simple Solution
Block individual IPs participating in DDoS
▪ Can still affect infected and, otherwise, innocent users
▪ Maintaining large lists of IPs is cumbersome
Where to Block?
Blocking near the target does not solve the problem
▪ Network edge can still be saturated
Where to Block?
It is better to block closer to the source
• Router needs to support filtering
• Owner/controller needs to be cooperative
Where to Block?
Best case scenario (but probably unrealistic)
Source Address Spoofing
Use forged source addresses
▪ E.g., via the raw socket interface
Identifying culprits and blocking IPs is harder
Local routers can potentially filter such packets
▪ For example, by checking that a packet's source IP matches the one given to the host
▪ Not done by many networks
Figure 7.1 Example Network to Illustrate DoS Attacks, annotated: a host sends packets with a fake source address in network C; the local router, knowing that the sending host cannot be in C ("You cannot be in C"), can drop them
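The router-side check just described, written out as an added example (not code from the lecture): the router knows which prefix each attached network was given, so a packet arriving from network A with a source address in network C is dropped. The network names and prefixes are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed example. Each entry is the prefix an access network was assigned,
# as known to the local router between that network and its ISP. The network
# names echo Figure 7.1's A/B/C; the prefixes themselves are invented here.
ASSIGNED_PREFIX = {
    "network-A": ipaddress.ip_network("203.0.113.0/24"),
    "network-B": ipaddress.ip_network("198.51.100.0/24"),
    "network-C": ipaddress.ip_network("192.0.2.0/24"),
}

def ingress_check(ingress_network, src_ip):
    """True if a packet arriving from ingress_network carries a source address
    inside that network's prefix. A packet from network A claiming a source in
    network C fails: the router knows the sender cannot be in C."""
    return ipaddress.ip_address(src_ip) in ASSIGNED_PREFIX[ingress_network]

def filter_packets(packets):
    """packets: list of (ingress_network, src_ip, dst_ip).
    Returns (packets that pass, Counter of drops per ingress network)."""
    passed, drops = [], Counter()
    for net, src, dst in packets:
        if ingress_check(net, src):
            passed.append((net, src, dst))
        else:
            drops[net] += 1
    return passed, drops

# Constructed traffic: one legitimate packet from network B, two packets from a
# host in network A forging a source in network C, and one honest packet from A.
SAMPLE_PACKETS = [
    ("network-B", "198.51.100.7", "203.0.113.80"),
    ("network-A", "192.0.2.9", "198.51.100.80"),
    ("network-A", "192.0.2.10", "198.51.100.80"),
    ("network-A", "203.0.113.5", "198.51.100.80"),
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS)
    print(len(ok), "passed;", dict(dropped), "dropped per ingress network")
```

The check only works at the router nearest the sender; a router near the target has no way of knowing which sources are plausible, which is why the slides say blocking near the target does not solve the problem.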
SYN Packet Tricks
SYN is one of the first packets sent to establish a TCP connection
Figure 7.2 TCP Three-Way Connection Handshake
1. Client sends SYN (seq = x); server receives SYN (seq = x)
2. Server sends SYN-ACK (seq = y, ack = x+1); client receives SYN-ACK (seq = y, ack = x+1)
3. Client sends ACK (ack = y+1); server receives ACK (ack = y+1)
SYN Floods Targeting the System
Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
Thus legitimate users are denied access to the server
Hence an attack on system resources, specifically the network handling code in the operating system
Figure 7.2 repeated, annotated: after sending the SYN-ACK (step 2) the server waits for the client's ACK, keeping an entry for the half-open connection until it arrives
SYN Spoofing
Spoof the source address of the SYN packet
▪ It can hide the true sender of a packet
The destination will try to establish a connection with the spoofed address
Figure 7.3 TCP SYN Spoofing Attack
1. Attacker sends SYN with spoofed source (seq = x) to the server
2. Server sends SYN-ACK (seq = y, ack = x+1) to the spoofed client; SYN-ACKs to the non-existent client are discarded
Server resends the SYN-ACK after timeouts, then assumes a failed connection request
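An added simulation (not from the lecture) of the system resource being attacked: a bounded table of half-open connections whose entries are only freed when the ACK arrives or when the SYN-ACK retransmissions give up, as in Figure 7.3. The capacity, retry count and timer values are constructed, not the defaults of any real operating system.

```python
class HalfOpenTable:
    """Model of the operating system's table of connections that have
    received a SYN and sent a SYN-ACK but still await the final ACK (step 3
    of Figure 7.2). Capacity and timer values are constructed, not real
    defaults of any OS."""

    def __init__(self, capacity, syn_ack_retries, retry_interval):
        self.capacity = capacity
        self.lifetime = syn_ack_retries * retry_interval  # wait before giving up
        self.entries = {}   # (src_ip, src_port) -> time the entry is abandoned
        self.refused = 0    # SYNs dropped because the table was full

    def expire(self, now):
        # As in Figure 7.3: once the last SYN-ACK retransmission has timed
        # out, the request is assumed failed and its slot is released.
        for key in [k for k, t in self.entries.items() if t <= now]:
            del self.entries[key]

    def on_syn(self, now, src):
        self.expire(now)
        if src in self.entries:
            return True                 # retransmitted SYN, slot already held
        if len(self.entries) >= self.capacity:
            self.refused += 1           # table full: this SYN is dropped
            return False
        self.entries[src] = now + self.lifetime
        return True

    def on_ack(self, now, src):
        # Handshake completed: the half-open slot is released immediately.
        return self.entries.pop(src, None) is not None

def simulate(capacity=64, retries=5, interval=3.0, spoofed_per_sec=50, seconds=60):
    """Each second: spoofed_per_sec SYNs from forged sources that never
    reply, then one legitimate client that answers its SYN-ACK at once.
    Returns (legitimate clients refused, legitimate clients attempted)."""
    table = HalfOpenTable(capacity, retries, interval)
    refused, forged = 0, 0
    for tick in range(seconds):
        now = float(tick)
        for _ in range(spoofed_per_sec):
            forged += 1
            table.on_syn(now, ("spoofed-%d" % forged, 40000))  # constructed label
        client = ("198.51.100.7", 50000 + tick)
        if table.on_syn(now, client):
            table.on_ack(now + 0.01, client)
        else:
            refused += 1
    return refused, seconds
```

With the default values the table fills within the second second and 59 of 60 legitimate clients are refused; shortening the time a half-open entry is held (retries=1, interval=1.0) lets every legitimate client through at this spoofing rate, which is why the SYN-ACK timeout matters so much to the defender.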
Reflection Attacks
Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system
When intermediary responds, the response is sent to the target → It “Reflects” the attack off the intermediary (reflector)
Reflection Through DNS
Figure 7.6 DNS Reflection Attack
[Diagram: a normal user (IP a.b.c.d), an attacker, a victim (IP j.k.l.m) and a DNS server (IP w.x.y.z)]
Normal user: 1. From a.b.c.d:1792 To w.x.y.z:53 (query); 2. From w.x.y.z:53 To a.b.c.d:1792 (response)
Attacker: 1. From j.k.l.m:7 To w.x.y.z:53 (query with the victim's address as spoofed source); 2. From w.x.y.z:53 To j.k.l.m:7 (response reflected to the victim); 3. From j.k.l.m:7 To w.x.y.z:53 (the victim's port 7, the echo service, answers the DNS server, so a loop is possible)
Amplification Attacks
Single spoofed packet results in multiple packets to target
Figure 7.3 TCP SYN Spoofing Attack, repeated and annotated: 1 packet in (the spoofed SYN) → multiple packets out (the SYN-ACK and its retransmissions)
Figure 7.7 Amplification Attack
[Diagram: Attacker → Zombies → Reflector intermediaries → Target]
Amplification Attacks
Higher-layer protocols, like DNS, can also be used
DNS Amplification Attacks
Spoofed DNS query packets are sent to a legitimate DNS server
The DNS server generates one larger packet, which it sends to the spoofed address
Amplification occurs because the response is larger in size than the original query
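Detection at the victim's side of Figure 7.6, as an added example that is not part of the lecture: the victim's border device matches every inbound DNS response to a query it actually sent, so responses that arrive with no matching query (here, to port 7, which the victim never used for DNS) are the reflected traffic, and for the matched pairs the response/query size ratio is the amplification the slide describes. The flow-log format and all addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed flow records, as a border device of the victim's network might
# log them (the victim plays j.k.l.m of Figure 7.6; all addresses are invented).
# Fields: time  src:sport  dst:dport  proto  bytes
FLOWS = """\
10.000 198.51.100.9:1792 203.0.113.53:53 udp 64
10.004 203.0.113.53:53 198.51.100.9:1792 udp 220
10.010 203.0.113.53:53 198.51.100.9:7 udp 3000
10.011 203.0.113.53:53 198.51.100.9:7 udp 3000
10.012 192.0.2.53:53 198.51.100.9:7 udp 2900
10.013 192.0.2.53:53 198.51.100.9:7 udp 2900
10.014 192.0.2.53:53 198.51.100.9:7 udp 2900
"""

FLOW_RE = re.compile(r"(\S+) (\S+):(\d+) (\S+):(\d+) (\w+) (\d+)$")

def parse_flows(text):
    """Parse the constructed format above into tuples
    (time, src, sport, dst, dport, proto, bytes)."""
    flows = []
    for line in text.splitlines():
        t, src, sp, dst, dp, proto, size = FLOW_RE.match(line).groups()
        flows.append((float(t), src, int(sp), dst, int(dp), proto, int(size)))
    return flows

def find_reflected_dns(flows, window=2.0):
    """Match each inbound DNS response (source port 53) to an outbound query
    from the same local address/port within `window` seconds. Unmatched
    responses answer a query we never sent, i.e. they were reflected at us.
    Returns ({reflector_ip: (responses, bytes)}, [response/query size ratios])."""
    pending = defaultdict(list)          # (local_ip, local_port, server) -> [(t, size)]
    unsolicited = defaultdict(lambda: [0, 0])
    ratios = []
    for t, src, sp, dst, dp, proto, size in flows:
        if proto != "udp":
            continue
        if dp == 53:                     # query leaving our network
            pending[(src, sp, dst)].append((t, size))
        elif sp == 53:                   # response entering our network
            queue = pending[(dst, dp, src)]
            while queue and t - queue[0][0] > window:
                queue.pop(0)             # too old to be the answer to anything
            if queue:
                ratios.append(size / queue.pop(0)[1])   # legitimate pair
            else:
                unsolicited[src][0] += 1
                unsolicited[src][1] += size
    return {ip: tuple(v) for ip, v in unsolicited.items()}, ratios
```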
HTTP-Based Attacks
HTTP flood
▪ Attack that bombards Web servers with HTTP requests
▪ Consumes considerable resources
Slowloris
▪ Create many HTTP requests to the server that never complete
▪ Send partial requests as slowly as possible
▪ Consumes the Web server's connection capacity
▪ Hard to differentiate from a client with limited connectivity
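The server-side view of Slowloris, as an added example (not from the lecture): a snapshot of open connections is scanned for requests whose headers are still incomplete after a deadline. Reaping those frees the slots the attack holds but also hits a genuinely slow client, which is exactly the slide's point; only the number of stalled slots a single source holds at once separates the two. The snapshot, addresses and thresholds are constructed.

```python
from collections import defaultdict

# Constructed snapshot of a web server's open connections, one tuple each:
# (client_ip, seconds_open, bytes_received_so_far, request_headers_complete).
# The addresses and numbers are invented for the example.
SNAPSHOT = [
    ("203.0.113.40", 1.2, 412, True),          # normal, complete request
    ("203.0.113.41", 0.4, 388, True),
    ("192.0.2.77", 35.0, 96, False),           # one slow client, never finished
] + [
    ("192.0.2.200", 40.0 + i, 80 + i, False)   # one source, many partial requests
    for i in range(20)
]

def is_stalled(conn, header_deadline):
    """A connection is stalled when its request headers are still incomplete
    after header_deadline seconds, whatever the reason."""
    _ip, age, _nbytes, complete = conn
    return not complete and age > header_deadline

def slowloris_report(conns, header_deadline=30.0, max_stalled_per_ip=3):
    """Returns (connections to reap, client IPs to block).
    Reaping every stalled connection frees the slots the attack occupies, but
    also cuts off a legitimately slow client: at the single-connection level
    the two look the same. Blocking is reserved for sources that hold many
    stalled slots at once, which a bandwidth-limited client rarely does."""
    stalled_per_ip = defaultdict(int)
    reap = []
    for conn in conns:
        if is_stalled(conn, header_deadline):
            reap.append(conn)
            stalled_per_ip[conn[0]] += 1
    block = {ip for ip, n in stalled_per_ip.items() if n > max_stalled_per_ip}
    return reap, block

def stalled_capacity_share(conns, slot_capacity, header_deadline=30.0):
    """Fraction of the server's connection slots held by stalled requests,
    i.e. how much of the connection capacity the attack is consuming."""
    reap, _ = slowloris_report(conns, header_deadline)
    return len(reap) / slot_capacity
```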
Internet of Things
Internet-connected devices/objects
Mirai Botnet
Exploited vulnerable CCTV cameras
Multiple vulnerabilities found on CCTV cameras:
▪ Weak authentication, stack overflow, etc.
Estimated to control more than 100k devices
IoT Botnet-Driven DDoS
Reading: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html