Download
distributed reflection denial of service n.
Skip this Video
Loading SlideShow in 5 Seconds..
Distributed Reflection Denial of Service PowerPoint Presentation
Download Presentation
Distributed Reflection Denial of Service

Distributed Reflection Denial of Service

415 Views Download Presentation
Download Presentation

Distributed Reflection Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on: http://grc.com/dos/drdos.htm Jim Gast, CS-642 Security, Spring, 2003 jgast@cs.wisc.edu, UW-Madison

  2. Normal Connection Establishment The Server sets up retransmission timers, allocates receive buffers, etc. Imagine a web server that can handle 12,000 connections. If the process fails, a timeout occurs after 120 seconds, freeing up the resources. Note: SYN packets are very small and take up very little bandwidth. Graphics stolen from http://grc.com/dos/drdos.htm

  3. CLOSED Active open /SYN Passive open Close Close LISTEN SYN/SYN + ACK Send/ SYN SYN/SYN + ACK SYN_RCVD SYN_SENT ACK SYN + ACK/ACK Close /FIN ESTABLISHED Close /FIN FIN/ACK FIN_WAIT_1 CLOSE_WAIT FIN/ACK ACK Close /FIN ACK + FIN/ACK FIN_WAIT_2 CLOSING LAST_ACK Timeout after two ACK ACK segment lifetimes FIN/ACK TIME_WAIT CLOSED State Transition Diagram

  4. SYN Flood • Each SYN creates one half-open connection • Half-open connections take minutes to time-out • Servers have finite connection tables • Perpetrator would be easily caught (Source IP) • Unless SourceIP is spoofed • See: CERT Advisory CA-1996-21 • http://www.cert.org/advisories/CA-1996-21.html 100 SYN packets per second fits in 56 Kbps Graphics stolen from http://grc.com/dos/drdos.htm

  5. Spoofed IP Address The SYN/ACK is delivered to the fake (spoofed) IP Address. The attacker doesn’t see it, and doesn’t care. (Backscatter) Graphics stolen from http://grc.com/dos/drdos.htm

  6. Example SYN Flood Attack • February 5th-11th, 2000 • Victims included CNN, eBay, Yahoo, Amazon • Attackers (allegedly) used simple, readily available tools (script-kiddies) • Law enforcement unable (unwilling?) to help • Under-age perpetrators have blanket immunity

  7. Defense against SYN Flood • Increase size of connection table • Add more servers • Trace attack back to source • Ask your ISP to filter malicious packets • Add firewall • Typically “SYN proxy” • Dave Parter will talk on firewalls later in the semester • Ultimate solution was “SYN-cookies” • Reply to SYN with SYN-cookie • Allocate no resources until SYN-cookie is returned

  8. Potential places to stop DoS flood Graphics stolen from http://grc.com/dos/drdos.htm

  9. Distributed DoS • Rather than filling connection table, fill all available bandwidth • Infect innocent bystanders (zombies) • Zombies listen (e.g. on IRC channel) for attack command (or simply attack at will) • Attacker need not have high bandwidth connection Typical Program: EvilGoat EvilBot Graphics stolen from http://grc.com/dos/drdos.htm

  10. Example Distributed DOS Attack • 6 attacks on 5 different days • One attack lasted for 17 hours • 474 infected windows PC as zombies • 2.4 billion malicious packets Goodput? Time (minutes?) Graphics stolen from http://grc.com/dos/grcdos.htm

  11. Flood-based Distributed DoS Attacks • Coordinate zombies to attack with big packets • Use up “last-hop” bandwidth • “Last-hop” router discards packets indiscriminately • Zombies need not spoof addresses See http://grc.com/dos/intro.htm for example horror story Graphics stolen from http://grc.com/dos/drdos.htm

  12. Newest Twist - Reflection • Many routers accept connections on port 179 (Border Gateway Protocol) • Although any big server and any port it listens on will work • Send a SYN to a router, claiming it came from the victim • The router will send a SYN/ACK to the victim • And then re-transmit several times before giving up (typically about 4X) Note: Tar-pits will not see any “Backscatter” but honey-pots might see the attacker’s commands.

  13. Reflection Mechanism Graphics stolen from http://grc.com/dos/drdos.htm

  14. Distributed Reflection DoS Graphics stolen from http://grc.com/dos/drdos.htm

  15. Other ports susceptible to DRDoS • 22 – Secure Shell • 23 – Telnet • 53 – DNS • 80 – HTTP / Web • 4001 – Proxy Servers • 6668 – Internet Relay Chat Easily detected ports 1-1023 “Well-Known” (so far) But reflection from port 179 is so powerful it easily overwhelms others

  16. Call to action • Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home • Egress filtering at all ISPs would prevent spoofed IP addresses from traversing the Internet • Flagging multiply-tried, failed SYN/ACKs could be used to discover victims and filter further attack • Disable raw socket interface in client PCs

  17. Questions?