Denial of Service, Wireless, Multimedia
EE 122: Intro to Communication Networks
Fall 2006 (MW 4-5:30 in Donner 155)
Vern Paxson
TAs: Dilip Antony Joseph and Sukun Kim
http://inst.eecs.berkeley.edu/~ee122/
Materials with thanks to Jennifer Rexford, Ion Stoica, and colleagues at Princeton and UC Berkeley

Announcements
- Office hours this week by appointment
- I'll be giving a lecture on "Experiences With Countering Internet Attacks" next Wednesday, 2:30-4PM in Cory 540 A/B (optional)
- Next lecture: Final Review and course evaluation

Goals of Today's Lecture
- Denial of Service
  - Transport layer: SYN flooding
  - Application layer: CAPTCHAs
- Wireless link layers
  - 802.X, Bluetooth
- Issues for transmitting multimedia content
  - Audio, video
  - Voice over IP (VOIP)

Recap: Defending Against Network Flooding
- How do we defend against such floods?
  - Techniques exist to filter traffic, but a well-designed flooding stream defies stateless filtering
  - Techniques exist to trace spoofed traffic back to its origins, but this isn't useful in the face of a large attack
- Answer: basically, we don't. Big problem today.
- Best solutions to date:
  - Overprovision: have enough raw capacity that it's hard to flood your links
    - Largest confirmed botnet to date: 1.5 million hosts
    - Floods seen to date: 40 Gbps
  - Distribute your services: force the attacker to flood many points
    - E.g., the root name servers

Transport-Level Denial of Service
- Recall TCP's 3-way connection establishment handshake
  - Goal: agree on initial sequence numbers
  - Starting sequence numbers are based on a clock / random, to prevent an attacker from guessing them to establish connections using spoofed source addresses
- [Diagram: Client (initiator) sends SYN, SeqNum = x; Server replies SYN and ACK, SeqNum = y, Ack = x+1; Client sends ACK, Ack = y+1. The server creates state associated with the connection when the SYN arrives.]

SYN Flooding
- Attacker sends the victim TCP SYNs with random client ports and spoofed source addresses
- Victim responds with SYN-ACKs
- Victim also allocates memory for the connection and sets timers
  - Holds the memory until the 3-way handshake completes
  - Or until an eventual timeout (e.g., 3 minutes)
- Victim quickly runs out of memory
  - Newly arriving connections are denied
  - Many of these are the attacker's bogus connection attempts
  - But others are legitimate: no one new can get to the site
- Note: network capacity overprovisioning doesn't help

Flooding Defense: SYN Cookies
- Server, when a SYN arrives: encode the connection state entirely within the SYN-ACK's sequence number y
  - y = SHA-1(client addr, client port, ISN x, server secret)
- When the ACK of the SYN-ACK arrives, the server only creates state if the sequence number y in it agrees with the hash
- [Diagram: same handshake as above: SYN, SeqNum = x; SYN and ACK, SeqNum = y, Ack = x+1; ACK, Ack = y+1. The server only creates state when the final ACK arrives.]

SYN Cookies: Discussion
- Illustrates a general strategy: rather than holding state, encode it so that it is returned when needed
- For SYN cookies, the attacker must complete the 3-way handshake in order to burden the server
  - Can't use spoofed source addresses
- Note 1: the strategy requires that you have enough bits to encode all the state
  - This is just barely the case for SYN cookies: you only have 32 bits to work with in the server's ISN
  - And not the case once the connection is established
- Note 2: if it's expensive to generate or check the cookie, then it's not a win

Application-Layer Flooding
- Attacker makes a lot of expensive service requests
  - E.g., a search request to http://victim.com/ that hits a back-end database via CGI
- The expense of the request gives the attacker leverage
- It can also be very hard to tell legitimate requests from bogus ones

CAPTCHAs
- Completely Automated Public Turing test to tell Computers and Humans Apart
- Idea: reverse Turing test: prove that a client is a human rather than a machine
  - Based on known hard AI problems that humans solve readily
- Drawbacks:
  - If visual, discriminates against blind users
  - Sometimes you want machines to be able to make legitimate requests
  - Depending on the problem, an arms race (driving technology forward)

Summary of Denial of Service
- Can occur at different semantic levels
  - Network layer vs. transport layer vs. application layer
- Very hard to address if the attacker has a lot of zombies
- Principle: the attacker finds a bottleneck element and sends it more work than it can cope with
  - E.g., a router's packets-per-second processing capability
  - A link's bits-per-second transmission capability
  - An end host's memory available for new connections, or cycles available to validate connections (cookies)
  - A server's cycles for processing requests
- Defend via:
  - Overprovisioning
  - Forcing the sender to prove they're not spoofing (cookies)
  - Forcing the sender to prove they're not a robot (CAPTCHAs)

Wireless Links

Wireless Media Access (courtesy of S. Savage, UCSD)
- Wireless links are extremely convenient
- What makes wireless links more problematic than wired links? Why not just use Ethernet algorithms?
  - It's technically difficult to detect collisions: the transmitter swamps a co-located receiver
  - Even if we could, it wouldn't work: different transmitters have different coverage areas
  - In addition, wireless links are much more prone to loss than wired links

Hidden Terminals
- [Diagram: nodes A, B, C in a line, each with its transmit range]
- A and C can both send to B, but can't hear each other
  - A is a hidden terminal for C, and vice versa
- CSMA/CD will be ineffective; need to sense at the receiver

Exposed Terminals
- [Diagram: nodes A, B, C, D in a line, each with its transmit range]
- B and C can hear each other
- But can safely send to A and D, respectively

CSMA/CA: CSMA with Collision Avoidance
- Since we can't detect collisions, we try to avoid them
- When the medium is busy, choose a random interval (contention window)
  - Wait for that many idle timeslots to pass before sending
- When a collision is inferred, retransmit with binary exponential backoff (like Ethernet)
  - Use the ACK from the receiver to infer no collision
  - Use exponential backoff to adapt the contention window

RTS/CTS Protocols (MACA)
- [Diagram: nodes A, B, C, D in a line; RTS from B to C, CTS from C to B]
- MACA: Multiple Access with Collision Avoidance
  - Overcome the exposed/hidden terminal problems with a contention-free protocol
  1. B stimulates C with Request To Send (RTS)
  2. A hears the RTS and defers (to allow C to answer)
  3. C replies to B with Clear To Send (CTS)
  4. D hears the CTS and defers (to allow the data)
  5. B sends to C

MACA, con't
- [Diagram: sender sends RTS to receiver; receiver returns CTS; sender sends data; receiver returns ACK; another node in the sender's range overhears the exchange]
- If the sender doesn't get a CTS or ACK back, it assumes a collision
- If other nodes hear the RTS but not the CTS, they send
  - Presumably the sender's destination is out of the node's range
  - Can cause problems when a CTS is lost

IEEE 802.11 Wireless LAN (etc.)
- 802.11b
  - 2.4-5 GHz unlicensed radio spectrum (e.g., microwave ovens, cordless phones)
  - Up to 11 Mbps
  - Direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same code
- Widely deployed using base stations
  - A base station provides a gateway from wireless nodes to another hop
  - Next hop
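The SYN flooding and SYN cookie slides above describe the half-open backlog exhausting under a flood of spoofed SYNs, and the cookie y = SHA-1(client addr, client port, ISN x, server secret) that lets the server create no state until the third segment arrives. The following is an added simulation written for this page, not code from the lecture: it puts a classic stateful server next to a SYN-cookie server and delivers a burst of spoofed SYNs followed by one legitimate handshake. The backlog size of 8, the demo secret, the addresses and the absence of any half-open timeout (the flood is assumed to arrive well within the slides' 3-minute window) are all assumptions; truncating the SHA-1 output to 32 bits follows from the ISN field width mentioned on the slides.

```python
"""SYN-flood backlog exhaustion versus SYN cookies (constructed simulation)."""
import hashlib
import random
import struct

# Assumed parameters (not from the slides): a tiny backlog so exhaustion shows
# after a handful of SYNs, and a fixed demo secret that a real server would rotate.
BACKLOG_SIZE = 8
SERVER_SECRET = b"demo-secret-rotate-me"
MASK32 = 0xFFFFFFFF


class StatefulServer:
    """Classic TCP server: allocates a half-open entry as soon as a SYN arrives."""

    def __init__(self, backlog=BACKLOG_SIZE):
        self.backlog = backlog
        self.half_open = {}     # (client addr, client port) -> our ISN y
        self.established = set()

    def on_syn(self, addr, port, x):
        # State is created HERE, before the client has proven it can receive replies.
        # No timeout is modelled: the flood is assumed to arrive within the timeout window.
        if len(self.half_open) >= self.backlog:
            return None         # backlog full: SYN dropped, no SYN-ACK goes out
        y = random.getrandbits(32)
        self.half_open[(addr, port)] = y
        return y

    def on_ack(self, addr, port, seq, ack):
        y = self.half_open.get((addr, port))
        if y is None or ack != (y + 1) & MASK32:
            return False
        del self.half_open[(addr, port)]
        self.established.add((addr, port))
        return True


class SynCookieServer:
    """SYN-cookie server: y = SHA-1(client addr, client port, ISN x, secret), truncated to 32 bits."""

    def __init__(self, secret=SERVER_SECRET):
        self.secret = secret
        self.established = set()

    def cookie(self, addr, port, x):
        # The slides' formula; keeping only 32 bits is forced by the ISN field width.
        digest = hashlib.sha1(addr.encode() + struct.pack("!HI", port, x) + self.secret).digest()
        return struct.unpack("!I", digest[:4])[0]

    def on_syn(self, addr, port, x):
        # Nothing is stored: everything needed later is carried inside y.
        return self.cookie(addr, port, x)

    def on_ack(self, addr, port, seq, ack):
        # The third segment carries SeqNum = x+1 and Ack = y+1, so recover x,
        # recompute the cookie and create state only if the client echoed it.
        x = (seq - 1) & MASK32
        if ack != (self.cookie(addr, port, x) + 1) & MASK32:
            return False
        self.established.add((addr, port))
        return True


def simulate_flood(server, n_spoofed):
    """Deliver n_spoofed SYNs from spoofed sources (their SYN-ACKs go nowhere, so no ACK
    ever follows), then attempt one legitimate handshake. Returns "established" or "denied"."""
    for i in range(n_spoofed):
        spoofed_addr = f"10.0.{i // 256}.{i % 256}"          # constructed, never replies
        server.on_syn(spoofed_addr, random.randrange(1024, 65536), random.getrandbits(32))
    x = 1000                                                 # legitimate client's ISN
    y = server.on_syn("192.0.2.7", 40000, x)
    if y is None:
        return "denied"
    ok = server.on_ack("192.0.2.7", 40000, (x + 1) & MASK32, (y + 1) & MASK32)
    return "established" if ok else "denied"


if __name__ == "__main__":
    print("stateful, 100 spoofed SYNs:", simulate_flood(StatefulServer(), 100))
    print("cookies,  100 spoofed SYNs:", simulate_flood(SynCookieServer(), 100))
```

Two things the simulation makes concrete: the stateful server denies the legitimate client once the backlog is full even though it has plenty of link capacity, which is the slides' point that overprovisioning does not help here; and the cookie server accepts the legitimate client because a spoofed source never sees y and so can never send the matching Ack = y+1. The slides' formula has no time component, so a cookie stays valid until the secret rotates; deployed implementations also fold a coarse timestamp into the hash and spend some of the 32 bits encoding the negotiated MSS, which is why the slides call the bit budget "just barely" enough.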
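The hidden terminal and MACA slides above explain why carrier sense alone fails when A and C can both reach B but cannot hear each other, and how an overheard CTS makes the hidden node defer. The following is an added slotted simulation written for this page, not code from the lecture or from any 802.11 implementation: C sends to B starting at slot 0 while A wants to send to B from slot 1, and the same scenario is run with plain carrier sense, with the RTS/CTS exchange, and with the CTS lost on the B-to-A path (the "problems when a CTS is lost" caveat). The line topology A-B-C-D, the three-slot data frame, the frame names and A's omitted RTS (only whether A defers matters here) are assumptions.

```python
"""Hidden terminal: plain carrier sense vs. MACA RTS/CTS (constructed slotted simulation)."""

# Assumed line topology A - B - C - D: each node hears only its immediate neighbours.
LINKS = {("A", "B"), ("B", "C"), ("C", "D")}
DATA_SLOTS = 3              # assumed length of one data frame, in slots


def hears(listener, speaker):
    """True if `listener` is within `speaker`'s transmit range (a node does not hear itself)."""
    return listener != speaker and any(listener in pair and speaker in pair for pair in LINKS)


def schedule_c(use_rts_cts):
    """C's frames to B, keyed by slot. B's CTS and ACK are generated reactively."""
    if use_rts_cts:
        plan = {0: ("C", "B", "RTS")}
        plan.update({s: ("C", "B", "DATA") for s in range(2, 2 + DATA_SLOTS)})
    else:
        plan = {s: ("C", "B", "DATA") for s in range(DATA_SLOTS)}
    return plan


def simulate(use_rts_cts, cts_lost_for_a=False):
    """Run the scenario and return (c_data_delivered_cleanly, slot_a_started, collision_slots_at_b).

    A transmits when it senses no carrier and the reservation learned from an
    overheard CTS (its NAV) has expired. Frames are (sender, destination, kind).
    """
    plan_c = schedule_c(use_rts_cts)
    data_slots = sorted(s for s, f in plan_c.items() if f[2] == "DATA")
    pending_b = {}                  # slot -> frame B will send (CTS or ACK)
    nav_a = -1                      # last slot A must stay silent through
    a_started, a_remaining = None, 0
    collisions, clean_at_b = [], set()

    for slot in range(12):
        tx = []
        if slot in plan_c:
            tx.append(plan_c[slot])
        if slot in pending_b:
            tx.append(pending_b.pop(slot))

        # Frames A can actually hear this slot; the CTS may be lost on the B->A path.
        audible = [f for f in tx if hears("A", f[0]) and not (cts_lost_for_a and f[2] == "CTS")]

        # A's decision: send if the medium sounds idle and no overheard CTS reserved it.
        if a_started is None and slot >= 1 and not audible and slot > nav_a:
            a_started, a_remaining = slot, DATA_SLOTS
        if a_remaining > 0:
            tx.append(("A", "B", "DATA"))
            a_remaining -= 1

        # A CTS addressed to someone else reserves the medium for the data plus its ACK.
        for _sender, dst, kind in audible:
            if kind == "CTS" and dst != "A":
                nav_a = slot + DATA_SLOTS + 1

        # What arrives at B: two simultaneous frames in range collide; B cannot tell them apart.
        at_b = [f for f in tx if hears("B", f[0])]
        if len(at_b) > 1:
            collisions.append(slot)
        elif len(at_b) == 1:
            sender, _dst, kind = at_b[0]
            clean_at_b.add(slot)
            if kind == "RTS":
                pending_b[slot + 1] = ("B", sender, "CTS")
        # B acknowledges C's data only if every data slot arrived cleanly.
        if slot == data_slots[-1] and all(s in clean_at_b for s in data_slots):
            pending_b[slot + 1] = ("B", "C", "ACK")

    return all(s in clean_at_b for s in data_slots), a_started, collisions


if __name__ == "__main__":
    print("carrier sense only:", simulate(False))
    print("MACA RTS/CTS:      ", simulate(True))
    print("MACA, CTS lost:    ", simulate(True, cts_lost_for_a=True))
```

With carrier sense only, A hears nothing while C transmits, starts at slot 1 and collides at B in slots 1 and 2, so C's frame is lost and no ACK follows; C, per the slides, infers the collision from the missing ACK and backs off. With RTS/CTS, A overhears B's CTS in slot 1, holds off through the data and the ACK, and first transmits in slot 6. If that CTS does not reach A, A transmits in slot 1 and collides with C's data in slots 2 and 3, which is exactly the failure the last MACA slide warns about.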