distributed reflection denial of service l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Distributed Reflection Denial of Service PowerPoint Presentation
Download Presentation
Distributed Reflection Denial of Service

Loading in 2 Seconds...

play fullscreen
1 / 17

Distributed Reflection Denial of Service - PowerPoint PPT Presentation


  • 381 Views
  • Uploaded on

Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on: http://grc.com/dos/drdos.htm Jim Gast, CS-642 Security, Spring, 2003 jgast@cs.wisc.edu , UW-Madison Normal Connection Establishment

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Distributed Reflection Denial of Service' - bernad


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
distributed reflection denial of service

Distributed Reflection Denial of Service

Networking Talks for the Insufficiently Paranoid

Based on: http://grc.com/dos/drdos.htm

Jim Gast, CS-642 Security, Spring, 2003

jgast@cs.wisc.edu, UW-Madison

normal connection establishment
Normal Connection Establishment

The Server sets up retransmission timers, allocates receive buffers, etc.

Imagine a web server that can handle 12,000 connections. If the process fails, a timeout occurs after 120 seconds, freeing up the resources.

Note: SYN packets are very small and take up very little bandwidth.

Graphics stolen from http://grc.com/dos/drdos.htm

state transition diagram

CLOSED

Active open

/SYN

Passive open

Close

Close

LISTEN

SYN/SYN + ACK

Send/

SYN

SYN/SYN + ACK

SYN_RCVD

SYN_SENT

ACK

SYN + ACK/ACK

Close

/FIN

ESTABLISHED

Close

/FIN

FIN/ACK

FIN_WAIT_1

CLOSE_WAIT

FIN/ACK

ACK

Close

/FIN

ACK + FIN/ACK

FIN_WAIT_2

CLOSING

LAST_ACK

Timeout after two

ACK

ACK

segment lifetimes

FIN/ACK

TIME_WAIT

CLOSED

State Transition Diagram
syn flood
SYN Flood
  • Each SYN creates one half-open connection
  • Half-open connections take minutes to time-out
  • Servers have finite connection tables
  • Perpetrator would be easily caught (Source IP)
    • Unless SourceIP is spoofed
  • See: CERT Advisory CA-1996-21
    • http://www.cert.org/advisories/CA-1996-21.html

100 SYN packets per second fits in 56 Kbps

Graphics stolen from http://grc.com/dos/drdos.htm

spoofed ip address
Spoofed IP Address

The SYN/ACK is delivered to the fake (spoofed) IP Address. The attacker doesn’t see it, and doesn’t care. (Backscatter)

Graphics stolen from http://grc.com/dos/drdos.htm

example syn flood attack
Example SYN Flood Attack
  • February 5th-11th, 2000
  • Victims included CNN, eBay, Yahoo, Amazon
  • Attackers (allegedly) used simple, readily available tools (script-kiddies)
  • Law enforcement unable (unwilling?) to help
    • Under-age perpetrators have blanket immunity
defense against syn flood
Defense against SYN Flood
  • Increase size of connection table
  • Add more servers
  • Trace attack back to source
  • Ask your ISP to filter malicious packets
  • Add firewall
    • Typically “SYN proxy”
    • Dave Parter will talk on firewalls later in the semester
  • Ultimate solution was “SYN-cookies”
    • Reply to SYN with SYN-cookie
    • Allocate no resources until SYN-cookie is returned
potential places to stop dos flood
Potential places to stop DoS flood

Graphics stolen from http://grc.com/dos/drdos.htm

distributed dos
Distributed DoS
  • Rather than filling connection table, fill all available bandwidth
  • Infect innocent bystanders (zombies)
  • Zombies listen (e.g. on IRC channel) for attack command (or simply attack at will)
  • Attacker need not have high bandwidth connection

Typical Program: EvilGoat EvilBot

Graphics stolen from http://grc.com/dos/drdos.htm

example distributed dos attack
Example Distributed DOS Attack
  • 6 attacks on 5 different days
  • One attack lasted for 17 hours
  • 474 infected windows PC as zombies
  • 2.4 billion malicious packets

Goodput?

Time (minutes?)

Graphics stolen from http://grc.com/dos/grcdos.htm

flood based distributed dos attacks
Flood-based Distributed DoS Attacks
  • Coordinate zombies to attack with big packets
  • Use up “last-hop” bandwidth
  • “Last-hop” router discards packets indiscriminately
  • Zombies need not spoof addresses

See http://grc.com/dos/intro.htm for example horror story

Graphics stolen from http://grc.com/dos/drdos.htm

newest twist reflection
Newest Twist - Reflection
  • Many routers accept connections on port 179 (Border Gateway Protocol)
    • Although any big server and any port it listens on will work
  • Send a SYN to a router, claiming it came from the victim
  • The router will send a SYN/ACK to the victim
    • And then re-transmit several times before giving up (typically about 4X)

Note: Tar-pits will not see any “Backscatter” but honey-pots might see the attacker’s commands.

reflection mechanism
Reflection Mechanism

Graphics stolen from http://grc.com/dos/drdos.htm

distributed reflection dos
Distributed Reflection DoS

Graphics stolen from http://grc.com/dos/drdos.htm

other ports susceptible to drdos
Other ports susceptible to DRDoS
  • 22 – Secure Shell
  • 23 – Telnet
  • 53 – DNS
  • 80 – HTTP / Web
  • 4001 – Proxy Servers
  • 6668 – Internet Relay Chat

Easily detected ports 1-1023

“Well-Known” (so far)

But reflection from port 179 is so powerful it easily overwhelms others

call to action
Call to action
  • Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home
  • Egress filtering at all ISPs would prevent spoofed IP addresses from traversing the Internet
  • Flagging multiply-tried, failed SYN/ACKs could be used to discover victims and filter further attack
  • Disable raw socket interface in client PCs