1 / 45

CIT 380: Securing Computer Systems

CIT 380: Securing Computer Systems. Denial of Service . Topics. Introduction History of DoS Modes of Attack Technical Attacks Distributed DOS (DDOS) Botnets Defending against DoS. Denial of Service. Attacks against availability of services. Common attacks:

jara
Download Presentation

CIT 380: Securing Computer Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CIT 380: Securing Computer Systems Denial of Service CIT 380: Securing Computer Systems

  2. Topics • Introduction • History of DoS • Modes of Attack • Technical Attacks • Distributed DOS (DDOS) • Botnets • Defending against DoS CIT 380: Securing Computer Systems

  3. Denial of Service • Attacks against availability of services. • Common attacks: • CAIDA conservatively estimated 4000/week. • Attacks have increased since 2001 estimate. CIT 380: Securing Computer Systems

  4. Denial of Service • Most DoS vs. small site for short duration. • However, DoS attacks can be very big • Millions of packets/second. • Many thousands of hosts involved. • DoS attacks are very difficult to stop. CIT 380: Securing Computer Systems

  5. Denial of Service Motives Attacker Competitions • Take over IRC channels. • Fame: take down a well-known target. • Revenge for being DoSed. Political • Take down computers of political opponents. Financial • Take down competitor web site. • Extortion: pay attacker or be DoSed. CIT 380: Securing Computer Systems

  6. History of Denial of Service 1988: Morris Worm brings down most of Internet. 1996: SYN flood attacks take out IRC networks. 1997: Fragment attacks used to DoS Windows systems. 1998: Distributed DoS attack tools appear. 1999: Heavy use of DDoS tools. 2000: DDoS attacks takes down Amazon, eBay, Yahoo. 2001: Reflected DDoS attacks appear. 2002: DDoS takes down 9 of 13 root DNS servers. 2003: DDoS downs Al-Jazeera for pics of captured soldiers. CIT 380: Securing Computer Systems

  7. History of Denial of Service 2004: Spammers vs anti-spam orgs. DDoS extortion attacks. 2007: Estonia taken off network due to DDoS attacks, Storm botnet attacks researchers, admins who defend against it. CIT 380: Securing Computer Systems

  8. DoS: Modes of Attack • Technical Attacks • Fragment attacks. • SYN Floods • Smurf. • Bandwidth Consumption • DDoS, amplifier-based attacks. • Other Resource Consumption • Email bombs. • Disk filling by syslog spoofing/anonymous ftp. • Computational attacks. CIT 380: Securing Computer Systems

  9. Packet Fragmentation Occurs at IP layer Each fragment has own IP header Characteristics: • Each fragment of a packet has same identification field. • More Fragments flag set (except on final frag). • Fragment Offset is offset (8-byte units) of fragment from beginning of original datagram. • Total Length field is length of fragment. CIT 380: Securing Computer Systems

  10. Fragment Security Issues Large Datagrams • Use multiple fragments that will be re-assembled into a packet larger than the maximum IP packet size of 64KB. • example: ping of death Incomplete Datagrams • Jolt2: stream of fragments, with no first fragment. CIT 380: Securing Computer Systems

  11. Fragment Security Issues Overlapping Fragments • Fragment offsets overlap, so during reassembly, second packet is copied over part of TCP header, allowing true header to be hidden in second packet while firewall reads misleading header data from first packet. • Denial of Service: Teardrop attack uses overlapping fragments to overflow integer in memory copy to crash Windows 95/NT and Linux <2.0.32 hosts. CIT 380: Securing Computer Systems

  12. SYN Floods Create many half-open connections to target • Send SYN packet from spoofed, invalid IP address. • Ignore SYN+ACK response Target connection table fills up • all new TCP connections refused SYN a, ACK x SYN x SYN b, ACK y SYN y SYN c, ACK z SYN z Target Attacker CIT 380: Securing Computer Systems

  13. SYN Flood Defenses • Micro-connections: Allocate few resources (~16 bytes) micro-record until ACK recv’d • RST Cookies: • Server sends incorrect SYN+ACK to first client connection request, eliciting RST as response. Thereafter, connections from that client are accepted. • SYN Cookies: Store state in ISN, not on server. • Compute ISN using hash of src + dst IP addresses and ports. • Valid clients will respond with ISN+1, allowing server to compute connection table entry. CIT 380: Securing Computer Systems

  14. Reflector Network SRC=Target IP, DST=10.0.0.255 10.0.0.* Target Smurf Attack Attacker CIT 380: Securing Computer Systems

  15. Smurf Attack Build special ICMP/UDP echo packet Forge IP source address to be that of target. Destination address is a broadcast address. Each host that receives broadcast will respond to the spoofed target address with an echo packet, overwhelming target host. Most current routers refuse to pass on directed broadcast packets. CIT 380: Securing Computer Systems

  16. DNS Amplification • http://www.isotf.org/news/DNS-Amplification-Attacks.pdf CIT 380: Securing Computer Systems

  17. DNS Amplification Spoof DNS query from victim • 60-byte query returns 512-byte response (1999) • Extended DNS allows up to 4320 byte response. • 73:1 amplification of traffic Requires open resolvers • DNS servers that will recursively resolve requests from any host on Internet. DNS servers should: • Return authoritative answers to anyone. • Recursively resolve for local authenticated hosts. CIT 380: Securing Computer Systems

  18. Computational Attacks • Goal: Exhaust CPU resources of target. • Target: Application Layer • Examples: • 2002. BBCode markup language of phpBB could consume 100% CPU in infinite expansion of multiply nested tags. • 2003. Crosby and Wallach show how to select input to reduce hash (O(1) performance) to linked list (O(n) performance). Attacks vs. Bro IDS, perl. • 2005. Tomcat 5.5 directory listing of large directories could use large amounts of CPU. CIT 380: Securing Computer Systems

  19. Z Z Z Z Z Z Z Z Z • Provider Infrastructure: • DNS, routers, and links Access Line DDoS Attacks Z Attack zombies: • Use valid protocols • Spoof source IP • Massively distributed • Variety of attacks • Entire Data Center: • Servers, security devices, routers • Ecommerce, web, DNS, email,… CIT 380: Securing Computer Systems

  20. Timeline of a DDOS Attack • Set up DDOS Network (Botnet) • Manual compromise by group of crackers. • Automated comprise by a worm. • Launch Attack • Victim networks become unresponsive Identification difficult due to router/host failures and lack of logging of packets. • Third party effects Victim responses sent to spoofed IP addresses. CIT 380: Securing Computer Systems

  21. Distributed Reflection DOS Combine SYN Flood + DDOS attacks • Forge target’s IP address in SYN flood on multiple reflection servers. • Amplification: most OSes send multiple SYN+ACK responses to SYN packet. • Concealment: packets come from multiple reflection servers, not actual attacker host. • Difficult to block: attacker may rotate attacks from large pool of reflection servers, many of which may be important hosts which you need to receive traffic from. CIT 380: Securing Computer Systems

  22. Botnet DDoS Attack CIT 380: Securing Computer Systems

  23. Botnet Applications • DDoS for extortion • Spamming • Proxying • Phishing • Spreading malware • Spying • keylogging • network sniffing CIT 380: Securing Computer Systems

  24. Roles and Responsibilities • Botherd • Collects and manages bots (zombies.) • Rents botnet to users. • Sponsors • Recruits and employs spammers, cashers, etc. • Spammers • Developers • Develop bot code. • Develop exploits used by bots to compromise PCs. • Casher • Launders goods/money for sponsors. CIT 380: Securing Computer Systems

  25. Making money with your botnet CIT 380: Securing Computer Systems

  26. Bot Lifecycle • Old agent scanner selects target host. • Old agent attempts exploit against target. • If exploit ok, agent transfers self to target. • Agent begins running on target. CIT 380: Securing Computer Systems

  27. Bot Lifecycle • Agent registers itself with master server. • Master accepts agent as member w/ pw. • Agent logs into communication channel with provided password. • Agent waits for commands from master. CIT 380: Securing Computer Systems

  28. DDOS Attacks SYN floods Smurf UDP floods ICMP floods Mixed Recruitment Scanning engine. Many exploits. Use other bot backdoors. File transfer Proxying E-mail harvesting Sniffing Spamming Self-defence Anti-virus Polymorphism Rootkit. Bot Capabilities CIT 380: Securing Computer Systems

  29. Command & Control Systems Single static C&C server • Use IRC to control bots via text commands. • Botnet can be disabled by taking down C&C svr. CIT 380: Securing Computer Systems

  30. Command & Control Systems Dynamic DNS • Bots access C&C through dDNS address. • If C&C down, use dDNS to point to new C&C. Decentralized DNS • Use bots as dynamic DNS servers. • Change DNS results regularly. • Change DNS servers regularly. CIT 380: Securing Computer Systems

  31. Botnet Families • Agobot/Phatbot • Over 500 variants. • Modular structure: easy to add features. • Some use WASTE p2p communication. • SDBot • Simpler than Agobot, but common. • GTBot • Script mIRC client for Windows. CIT 380: Securing Computer Systems

  32. Storm Worm • http://en.wikipedia.org/wiki/Storm_Worm CIT 380: Securing Computer Systems

  33. From: www.postcards.com Services [mailto:services@postcards.com] Sent: Monday, July 02, 2007 2:24 PMTo: Charles FrankSubject: Read this message now. You have just recive a postcard from www.postcards.com Hello! Postcards can be one of the most powerful marketing tools for a business. It conveys an important image of your brand because it is a tangible / visible representation of the message that you are sending!A friend sent to you one of our best postcard. I think that he miss you because he also send to you a message from www.postcards.com !A part of the message is:"Hy my dear friend. Take this postcard from me until i will come home and be happy because i will come home soon!It`s verry good here but i`m so tired and i wanna come home. Somebody tell me about this website and i belive that ..."If you'd like to read the rest of the message and to see the postcard click on the next link http://www.postcards.com/Postcard-287.gif===================Thank you for your time and you can visit www.postcards.com if you want to see other postcards! !!!Let peoples hear about us by sending them a postcard from our collection !================== CIT 380: Securing Computer Systems

  34. Storm Worm • Command & Control • Encrypted edonkey p2p. • Fast flux DNS network. • Bots hidden via rootkits. • Spreading techniques • Browser vulnerabilities • Malware sent via e-mail, IM, blog/forum posts CIT 380: Securing Computer Systems

  35. Storm Worm • Activities • Pump-n-dump scams. • Phishing. • DDOS. CIT 380: Securing Computer Systems

  36. Why DDoS is Hard to Stop • Usability of DDoS tools Attackers can d/l user friendly advanced tools. • IP spoofing DDoS attacks can always be spoofed. • Numerous agents Attacker agents spread across networks. • Variety of traffic DDoS attacks can be launched with any protocol. • High-volume traffic At DDoS traffic volumes, firewalls and IDS must analyze each packet quickly, i.e. without deep packet inspection or cross-packet correlations. CIT 380: Securing Computer Systems

  37. Filterable and non-Filterable Attacks Filterable Attacks • Attack non-essential services (ICMP echo) or ports (random UDP flood.) Non-filterable Attacks • Attack essential services (email or web.) • Packets may be partially valid for targeted protocol. CIT 380: Securing Computer Systems

  38. DDOS Prevention • Apply patches against technical attacks. • Firewall rules to drop known attacks at perimeter. • Overprovisioning • Network bandwidth, NICs • Memory, disk • CPU CIT 380: Securing Computer Systems

  39. DDOS Prevention • Load balancing • Caching • Create static page frequently instead of dynamically creating page whenever accessed. CIT 380: Securing Computer Systems

  40. DDOS Detection Detecting zombie hosts • DDOSPing • http://www.foundstone.com/us/resources/proddesc/ddosping.htm • Zombie Zapper • http://www.securiteam.com/tools/5HP0D1P0KE.html Detecting a DDOS attack • Performance monitoring: network and host • Network intrusion detection systems CIT 380: Securing Computer Systems

  41. DDOS Reaction • Filter out identifiable DDOS traffic. • Contact ISP for help with • Filtering and rate limiting. • Tracking down source of attack. • Move the target • White House avoided by changing IP address. CIT 380: Securing Computer Systems

  42. DDOS Reaction • Use Alternate Infrastructure • Use caching to decrease server load. • Use anti-ddos provider like Akamai, Prolexic CIT 380: Securing Computer Systems

  43. Key Points • Types of denial of service attack • Technical attacks (SYN flood, DNS amp, smurf) • Bandwidth attacks (DDOS) • DOS attacks are a serious threat • Can take down large sites (often for money.) • DDOS prevention techniques. CIT 380: Securing Computer Systems

  44. Key Points • Botnets make DDOS easy and effective • Command & control techniques. CIT 380: Securing Computer Systems

  45. References • “Al-Jazeera Hobbled by DDOS Attack,” InfoWorld, http://www.infoworld.com/article/03/03/26/HNjazeera_1.html, March 26, 2003. • Scott Berinato, “How a Bookmaker and a Whiz Kid Took On an Extortionist—and Won,” CSO Online, http://www.csoonline.com/read/050105/extortion_pf.html, Nov 22 2003. • CERT Coordination Center, “Results of the Distributed-Systems Intruder Tools Workshop,” December 1999, http://www.cert.org/reports/dsit_workshop-final.html • David Dagon et. al., “A Taxonomy of Botnets,” http://www.ensl.cs.gwu.edu/csnetsec/CS-NetSec?action=AttachFile&do=get&target=taxonomy_botnets.pdf • Dancho Danchev, http://ddanchev.blogspot.com/2007/03/botnet-communication-platforms.html, 2007. • David Dittrich, DDOS Archives, http://staff.washington.edu/dittrich/misc/ddos/, 2006. • Brandon Enright, “Exposing Stormworm,” http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt, 2007. • Gadi Evron and Ronald Vaugn, “DNS Amplification Attacks,” http://www.isotf.org/news/DNS-Amplification-Attacks.pdf , 2006. • Greene, “ISP Security 101 Primer,” http://www.nanog.org/mtg-0602/greene.html, 2003. • The Honeynet Project, “Know Your Enemy: Tracking Botnets,” http://www.honeynet.org/papers/bots/, 2005. • Steve Gibson, “Distributed Reflection Denial of Service,” http://www.grc.com/dos/drdos.htm, Feb 22 2002. • Jim Lippard, “Botnets 101,” http://www.arizonatele.com/atic/show/lippard-botnets-0605.ppt • Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5/e, McGraw-Hill, 2005. • Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall, 2005. • C. Nuttall, “Crime Gangs Extort Money with Hacking Threat,” The Financial Times, 11 Dec 2003, http://www.rense.com/general44/hack.htm • Andy Patrizio, “The Storm that Keeps Blowing,” http://www.internetnews.com/bus-news/article.php/3707106, Oct 24 2007. • Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, 2006. • Secure Computing, “Zombie Statistics,” http://www.ciphertrust.com/resources/statistics/zombie.php • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006. • Scott A Crosby and Dan S Wallach, “Denial of Service via Algorithmic Complexity Attacks,” USENIX Security 2003, http://www.cs.rice.edu/~scrosby/hash/, 2003. CIT 380: Securing Computer Systems

More Related