Distributed reflection denial of service
Download
1 / 17

drdos - PowerPoint PPT Presentation


  • 351 Views
  • Updated On :

Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on: http://grc.com/dos/drdos.htm Jim Gast, CS-642 Security, Spring, 2003 jgast@cs.wisc.edu , UW-Madison Normal Connection Establishment

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'drdos' - bernad


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Distributed reflection denial of service l.jpg

Distributed Reflection Denial of Service

Networking Talks for the Insufficiently Paranoid

Based on: http://grc.com/dos/drdos.htm

Jim Gast, CS-642 Security, Spring, 2003

jgast@cs.wisc.edu, UW-Madison


Normal connection establishment l.jpg
Normal Connection Establishment

The Server sets up retransmission timers, allocates receive buffers, etc.

Imagine a web server that can handle 12,000 connections. If the process fails, a timeout occurs after 120 seconds, freeing up the resources.

Note: SYN packets are very small and take up very little bandwidth.

Graphics stolen from http://grc.com/dos/drdos.htm


State transition diagram l.jpg

CLOSED

Active open

/SYN

Passive open

Close

Close

LISTEN

SYN/SYN + ACK

Send/

SYN

SYN/SYN + ACK

SYN_RCVD

SYN_SENT

ACK

SYN + ACK/ACK

Close

/FIN

ESTABLISHED

Close

/FIN

FIN/ACK

FIN_WAIT_1

CLOSE_WAIT

FIN/ACK

ACK

Close

/FIN

ACK + FIN/ACK

FIN_WAIT_2

CLOSING

LAST_ACK

Timeout after two

ACK

ACK

segment lifetimes

FIN/ACK

TIME_WAIT

CLOSED

State Transition Diagram


Syn flood l.jpg
SYN Flood

  • Each SYN creates one half-open connection

  • Half-open connections take minutes to time-out

  • Servers have finite connection tables

  • Perpetrator would be easily caught (Source IP)

    • Unless SourceIP is spoofed

  • See: CERT Advisory CA-1996-21

    • http://www.cert.org/advisories/CA-1996-21.html

100 SYN packets per second fits in 56 Kbps

Graphics stolen from http://grc.com/dos/drdos.htm


Spoofed ip address l.jpg
Spoofed IP Address

The SYN/ACK is delivered to the fake (spoofed) IP Address. The attacker doesn’t see it, and doesn’t care. (Backscatter)

Graphics stolen from http://grc.com/dos/drdos.htm


Example syn flood attack l.jpg
Example SYN Flood Attack

  • February 5th-11th, 2000

  • Victims included CNN, eBay, Yahoo, Amazon

  • Attackers (allegedly) used simple, readily available tools (script-kiddies)

  • Law enforcement unable (unwilling?) to help

    • Under-age perpetrators have blanket immunity


Defense against syn flood l.jpg
Defense against SYN Flood

  • Increase size of connection table

  • Add more servers

  • Trace attack back to source

  • Ask your ISP to filter malicious packets

  • Add firewall

    • Typically “SYN proxy”

    • Dave Parter will talk on firewalls later in the semester

  • Ultimate solution was “SYN-cookies”

    • Reply to SYN with SYN-cookie

    • Allocate no resources until SYN-cookie is returned


Potential places to stop dos flood l.jpg
Potential places to stop DoS flood

Graphics stolen from http://grc.com/dos/drdos.htm


Distributed dos l.jpg
Distributed DoS

  • Rather than filling connection table, fill all available bandwidth

  • Infect innocent bystanders (zombies)

  • Zombies listen (e.g. on IRC channel) for attack command (or simply attack at will)

  • Attacker need not have high bandwidth connection

Typical Program: EvilGoat EvilBot

Graphics stolen from http://grc.com/dos/drdos.htm


Example distributed dos attack l.jpg
Example Distributed DOS Attack

  • 6 attacks on 5 different days

  • One attack lasted for 17 hours

  • 474 infected windows PC as zombies

  • 2.4 billion malicious packets

Goodput?

Time (minutes?)

Graphics stolen from http://grc.com/dos/grcdos.htm


Flood based distributed dos attacks l.jpg
Flood-based Distributed DoS Attacks

  • Coordinate zombies to attack with big packets

  • Use up “last-hop” bandwidth

  • “Last-hop” router discards packets indiscriminately

  • Zombies need not spoof addresses

See http://grc.com/dos/intro.htm for example horror story

Graphics stolen from http://grc.com/dos/drdos.htm


Newest twist reflection l.jpg
Newest Twist - Reflection

  • Many routers accept connections on port 179 (Border Gateway Protocol)

    • Although any big server and any port it listens on will work

  • Send a SYN to a router, claiming it came from the victim

  • The router will send a SYN/ACK to the victim

    • And then re-transmit several times before giving up (typically about 4X)

Note: Tar-pits will not see any “Backscatter” but honey-pots might see the attacker’s commands.


Reflection mechanism l.jpg
Reflection Mechanism

Graphics stolen from http://grc.com/dos/drdos.htm


Distributed reflection dos l.jpg
Distributed Reflection DoS

Graphics stolen from http://grc.com/dos/drdos.htm


Other ports susceptible to drdos l.jpg
Other ports susceptible to DRDoS

  • 22 – Secure Shell

  • 23 – Telnet

  • 53 – DNS

  • 80 – HTTP / Web

  • 4001 – Proxy Servers

  • 6668 – Internet Relay Chat

Easily detected ports 1-1023

“Well-Known” (so far)

But reflection from port 179 is so powerful it easily overwhelms others


Call to action l.jpg
Call to action

  • Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home

  • Egress filtering at all ISPs would prevent spoofed IP addresses from traversing the Internet

  • Flagging multiply-tried, failed SYN/ACKs could be used to discover victims and filter further attack

  • Disable raw socket interface in client PCs



ad