Course Notes-Denial of Service Attacks
Match the DOS attack classification with its description.
Attacks (answer key: description number):
  1 Random Spoofing
  2 Subnet Spoofing
  3 Fixed Spoofing
Descriptions:
  1. Generate 32-bit numbers and stamp packets with them.
  2. Generate random addresses within a given address space.
  3. The spoofed address is the address of the target.
DOS Taxonomy: Quiz Three
Match the DOS attack classification with its description.
Attacks (answer key: description number):
  2 Server Application
  3 Network Access
  1 Infrastructure
Descriptions:
  1. The motivation of this attack is a crucial service of a global internet operation, for example a core router.
  2. The attack is targeted to a specific application on a server.
  3. The attack is used to overload or crash the communication mechanism of a network.
Network DoS:
How: Amplification: a small number of packets, BIG EFFECT
Network DoS can target the Link, TCP/UDP, or Application layer.
Amplification example, NTP: used to synchronize machines and their clocks.
Amplification Quiz
Which of these are reasons why the UDP-based NTP
protocol is particularly vulnerable to amplification attacks?
Select all that are true.
[Diagram labels: DoS Source, DNS Server, DoS Target; TCP properties listed on the slide: in-order delivery, other stuff]
TCP Handshake (C = client, S = server):
  C: SNC <- randC, ANC <- 0
  C -> S: SYN                              (S is Listening)
  S: SNS <- randS, ANS <- SNC + 1; S stores SNC, SNS
  S -> C: SYN/ACK
  C: SNC <- SNC + 1, AN <- SNS + 1         (S is in Wait)
  C -> S: ACK
  Established
TCP SYN Flood I: low rate (DoS Bug)
  A single machine sends SYN packets with random source IP addresses (SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, ...)
  Fills up backlog queue on server
  No further connections possible
TCP SYN Flood I
A classic SYN flood example
SYN cookies:
  Server responds to Client with a SYN-ACK cookie:
    T = 5-bit counter incremented every 64 secs
    L = MAC_key(SAddr, SPort, DAddr, DPort, SNC, T)   [24 bits]
    key: picked at random during boot
    SNS = (T . mss . L)   (|L| = 24 bits)
  Server does not save state
  Honest client responds with ACK (AN = SNS + 1, SN = SNC + 1):
  Server allocates space for socket only if valid SNS
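The cookie construction above, worked through as an added example (not code from the course): the server encodes T, an MSS index and the 24-bit MAC into SNS, keeps no state, and allocates a socket only when the client's ACK carries a cookie that recomputes correctly. The key value, the MSS table, the freshness window and all function names are assumptions.

```python
import hmac
import hashlib

# Constructed example of the SYN-cookie construction from these notes. The key value, the
# MSS table, the freshness window and all names are assumptions, not the course's own code.
KEY = b"key picked at random during boot (constructed placeholder)"
MSS_TABLE = (536, 1220, 1440, 1460)      # assumed: 3-bit index into a small table of MSS values

def counter(now):
    """T = 5-bit counter incremented every 64 secs."""
    return (int(now) // 64) & 0x1F

def mac24(saddr, sport, daddr, dport, snc, t):
    """L = MAC_key(SAddr, SPort, DAddr, DPort, SNC, T), truncated to 24 bits."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{snc}|{t}".encode()
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, snc, mss, now):
    """SNS = (T . mss . L): 5 bits | 3 bits | 24 bits. Nothing is stored for the half-open connection."""
    t = counter(now)
    # largest table entry not above the MSS the client offered (index 0 if none fits)
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (m << 24) | mac24(saddr, sport, daddr, dport, snc, t)

def check_ack(saddr, sport, daddr, dport, sn, an, now):
    """On ACK (AN = SNS + 1, SN = SNC + 1): recover SNS and SNC, recompute L and compare.
    Returns the negotiated MSS when the cookie is valid and recent, else None (no socket allocated)."""
    sns = (an - 1) & 0xFFFFFFFF
    snc = (sn - 1) & 0xFFFFFFFF
    t, m, l = sns >> 27, (sns >> 24) & 0x7, sns & 0xFFFFFF
    if (counter(now) - t) & 0x1F > 1:       # accept only the current or previous 64-second window
        return None
    expected = mac24(saddr, sport, daddr, dport, snc, t)
    if not hmac.compare_digest(l.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[m]
```

A spoofed SYN never produces a matching ACK, so the flood costs the server one MAC per SYN and no queue entry.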
SYN Cookies Quiz
Select all the true statements:
  SYN cookies require modified versions of TCP
  The server must reject all TCP options because the server discards the SYN queue entry
SYN Floods II: Massive flood
Lots-of-SYNs
JavaScript-based DDoS:
[Diagram: imageFlood.js is injected into pages that a Popular Server delivers to an Honest End User; the user's browser then floods Github.com]
A real-world example: GitHub (3/2015)
imageFlood.js
function imgflood() {
  var TARGET = 'victim-website.com/index.php?'
  var rand = Math.floor(Math.random() * 1000)
  var pic = new Image()
  pic.src = 'http://' + TARGET + rand + '=val'
}
setInterval(imgflood, 10)
Flood Attack Quiz
With regards to a UDP flood attack, which of the following statements are true:
DoS via route hijacking DETOUR
[Diagram: YouTube (AS 36561), prefix 208.65.153.0/22 (includes 210 IP addresses); other ASes shown: AS 18173, AS 58467; Pakistani networks labelled in the figure: Allied Bank, Lahore Stock Exchange, Aga Khan University. Legend: Level 3, Peer, Customer, Network Traffic.]
Timeframe: 100% at 10:30am, 0% at 10:45am
DoS at Higher Levels
[Diagram: TLS handshake: Client Hello; the client performs an RSA Encrypt, the server an RSA Decrypt]
DoS Mitigation
Client puzzles
  Hardness of challenge: n
  Limitations:
    Requires changes to both clients and servers
    Hurts low power legitimate clients during attack: clients on cell phones and tablets cannot connect
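A hash-based client puzzle with hardness n, as an added illustration rather than the course's own scheme: the server derives the challenge from a secret so it stores nothing, the client spends about 2^n hashes, and the server verifies with one hash. The challenge derivation, helper names and hardness values are assumptions.

```python
import hashlib
import hmac

# Constructed illustration of a hash-based client puzzle (hashcash style). The challenge
# derivation, the helper names and the hardness values are assumptions, not the slides' scheme.
SERVER_SECRET = b"server secret, rotated periodically (constructed placeholder)"

def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(client_id, t):
    """Server side: challenge = MAC(secret, client, time); nothing is stored per client."""
    return hmac.new(SERVER_SECRET, f"{client_id}|{t}".encode(), hashlib.sha256).digest()

def solve(challenge, n, limit=1 << 40):
    """Client side: search x until H(challenge || x) starts with n zero bits.
    Expected cost is 2^n hashes whatever the client's CPU, which is why weak clients suffer."""
    for x in range(limit):
        if leading_zero_bits(hashlib.sha256(challenge + x.to_bytes(8, "big")).digest()) >= n:
            return x
    return None

def verify(client_id, t, n, x):
    """Server side: recompute the challenge and check a single hash, independent of n."""
    c = issue_challenge(client_id, t)
    return leading_zero_bits(hashlib.sha256(c + x.to_bytes(8, "big")).digest()) >= n
```

Raising n under attack multiplies every client's cost by two per bit, so a cell phone that could afford n = 12 may not finish n = 20 before the server's window expires.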
DoS Mitigation
Client puzzles: Memory-bound functions
Interesting observation:
Main memory access time ratio:
high end server / low end cell phone = 2
DoS Mitigation
Better puzzles: "Are you human?"
DoS Mitigation - CAPTCHAs
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
DoS Mitigation: Source Identification
Ingress Filtering
  [Diagram: ISP connected to the Internet; customer network 204.69.207.0/24]
  Drop all packets with source address other than 204.69.207.0/24
Ingress filtering policy: ISP only forwards packets with legitimate source IP
DoS Mitigation: Source Identification
Ingress Filtering - Implementation problems
Goal: Given a set of attack packets, determine the path to the source
How: change routers to record info in packets
Assumptions:
  Most routers remain uncompromised
  Attacker sends many packets
  Route from attacker to victim remains relatively stable
DoS Mitigation: Traceback
Simple Method:
Problems:
  Requires space in packet
  Path can be long
  No extra fields in current IP format
  Changes to packet format too much to expect
DoS Mitigation: Traceback
Better Idea
  [Diagram: packet passes R1, R2, R3 and is received by the victim; the packet carries fields (s, e, d) = (start, end, distance)]
DoS Mitigation: Edge Sampling
  Path: R1 -> R2 -> R3 -> victim
  R1 marks the packet: start = R1, sets distance to 0      Packet: [R1 | - | 0]
  R2 does not mark: records end = R2, increments distance   Packet: [R1 | R2 | 1]
  R3 chooses not to overwrite edge (distance > 0): increments distance to 2   Packet: [R1 | R2 | 2]
Path reconstruction
  Extract information from attack packets
  Build graph rooted at victim
  Each (start, end, distance) tuple provides an edge
  # packets needed to reconstruct path
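The marking rule and the victim-side reconstruction, simulated end to end as an added example (not the course's code): each router starts a new (start, end, distance) edge with probability P or else fills in the end and increments the distance, and the victim walks the collected edges outward one distance value at a time. Router names, P and the data structures are assumptions.

```python
import random
from collections import defaultdict

# Constructed simulation of the edge-sampling scheme in these notes. Router names, the
# marking probability P and the victim-side structures are assumptions, not the slides' code.
P = 0.2            # per-router probability of starting a new edge mark
VICTIM = "victim"

def mark(pkt, router, rng):
    """One router's step on the (start, end, distance) fields carried in the packet."""
    if rng.random() < P:
        pkt["start"], pkt["end"], pkt["distance"] = router, None, 0   # start a new edge
    else:
        if pkt["distance"] == 0:
            pkt["end"] = router        # first hop after a mark: record the edge's far end
        pkt["distance"] += 1           # every later router only increments the distance

def send_one(path, rng):
    """Forward one packet along path (attacker side first); return the tuple the victim extracts."""
    pkt = {"start": None, "end": None, "distance": 0}
    for router in path:
        mark(pkt, router, rng)
    if pkt["start"] is None:
        return None                    # no router marked this packet
    end = pkt["end"] if pkt["end"] is not None else VICTIM
    return (pkt["start"], end, pkt["distance"])

def reconstruct(marks):
    """Build the graph rooted at the victim and walk it outward, one edge per distance value."""
    upstream = defaultdict(dict)       # distance -> {end router: start router}
    for s, e, d in marks:
        upstream[d][e] = s
    node, d, route = VICTIM, 0, [VICTIM]
    while node in upstream[d]:
        node = upstream[d][node]
        route.append(node)
        d += 1
    return route

def packets_to_reconstruct(path, rng, limit=10_000):
    """Number of attack packets the victim needed before the whole path was recovered."""
    marks, want = set(), [VICTIM] + list(reversed(path))
    for n in range(1, limit + 1):
        m = send_one(path, rng)
        if m:
            marks.add(m)
        if reconstruct(marks) == want:
            return n
    return None

if __name__ == "__main__":
    print(packets_to_reconstruct(["R1", "R2", "R3"], random.Random(1)))
```

The farther an edge is from the victim, the lower the chance a packet carries it (the mark must survive every later router), which is what drives the packet count the slide refers to.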
  (1) Attacker spoofs Victim's IP and sends a DNS query to many DNS servers
  (3) Victim is flooded by all of the data sent from the DNS servers
Examples:
  [Diagram: MASTER, slaves, Reflectors, VICTIM]
  Control traffic directs slaves at reflectors; the reflectors send streams of non-spoofed but unsolicited traffic to the victim.
Reflector Attack Quiz
Self defense against reflector attacks should
incorporate:
Filtering - filter DNS traffic as close to the victim as
possible.
Basic idea:
  Receivers can specify what packets they want
How:
  [Diagram: Source AS -> R1 -> R2 (Transit AS) -> R3 -> R4 (Dest AS) -> DEST]
DoS Summary
Sad truth:
Internet is ill-equipped to handle DDoS attacks
Commercial solutions: CloudFlare, Prolexic