UCSD CSE 123B - Network Security II

CSE 123b Communications Software, Spring 2004
Lecture 16: Network Security II
Stefan Savage
June 1, 2004, CSE 123b – Lecture 16 – Network Security

Slide 2: Project info
- There are some updates to the Project FAQ: http://www.cs.ucsd.edu/classes/sp04/cse123b/Project2.FAQ
- Server connection issues
  - UCSD only connects
  - Your own personal Mutella server (pointer in the FAQ)
- Packet header formatting
  - Structure packing
  - Little-endian fields (the opposite of
- More documentation
  - Gnutella v0.6 documentation is much better than v0.4 (even for the 0.4-only parts). Pointers in the FAQ.

Slide 3: How do DoS attacks work?
- Denial-of-service attacks
  - Logic: exploit bugs to cause a crash (e.g. Ping-of-Death, Land)
  - Flooding: overwhelm with spurious requests (e.g. SYN flood, Smurf)
- Distributed denial-of-service attacks
  - Flooding attack from multiple machines
  - More potent and harder to defend against

Slide 4: Step 1: Attacker infiltrates machines
- Scan machines via the Internet
- Exploit known bugs and vulnerabilities
- Install backdoor software
  - Zombie software (for attacking the target)
  - Handler software (for controlling zombies)
- Cover tracks (e.g. rootkit)
- Repeat… (highly automated)

Slide 5: Step 2: Attacker sends commands to handler
[Diagram: Attacker, Handler (H), Zombies (Z), Victim]

Slide 6: Step 3: Handler sends commands to zombies
[Diagram: Attacker, Handler (H), Zombies (Z), Victim]

Slide 7: Step 4: Zombies attack target
[Diagram: Zombies (Z) flood the Victim at >1 Gbps]

Slide 8: Step 5: Victim suffers
- Server CPU/memory resources
  - Consumes connection state (e.g. SYN flood)
  - Time to evaluate messages (interrupt livelock)
    - Some messages take the "slow path" (e.g. invalid ACK)
  - Can cause new connections to be dropped and existing connections to time out
- Network resources
  - Routers are PPS-limited, FIFO queuing
  - If the attack is greater than forwarding capacity, good data will be dropped

Slide 9: Simple question
How prevalent are denial-of-service attacks?

Slide 10: Most data is anecdotal
- Press reports
- Analysts: "Losses … could total more than $1.2 billion" (Yankee Group report)
- Surveys: "38% of security professionals surveyed reported denial of service activity in 2000" (CSI/FBI survey)

Slide 11: Quantitative data?
- Isn't available (i.e. no one knows)
- Inherently hard to acquire
  - Few content or service providers collect such data
  - If they do, it's usually considered sensitive
- Infeasible to collect at Internet scale
  - How to monitor enough of the Internet to obtain a representative sample?

Slide 12: A good estimate: [Moore, Voelker, Savage 01]
- Backscatter analysis
  - New technique for estimating global denial-of-service activity
- First data describing Internet-wide DoS activity
  - ~4,000 attacks per week (>12,000 over 3 weeks)
  - Instantaneous loads above 600k pps
  - Characterization of attacks and victims

Slide 13: Key idea
- Flooding-style DoS attacks (e.g. SYN flood, ICMP flood)
- Attackers spoof the source address randomly (true of all major attack tools)
- Victims, in turn, respond to attack packets
- Unsolicited responses (backscatter) are equally distributed across the IP address space
- Received backscatter is evidence of an attacker elsewhere

Slide 14: Random IP spoofing produces random backscatter
[Diagram: Attacker sends SYN packets to Victim V with spoofed sources B, C, D; V sends SYN+ACK backscatter to B, C and D]

Slide 15: Example
[Figure]

Slide 16: Backscatter analysis
- Monitor a block of n IP addresses
- Expected number of backscatter packets given an attack of m packets: $E(X) = \frac{nm}{2^{32}}$
- Extrapolated attack rate R' is a function of the measured backscatter rate R: $R' \geq \frac{2^{32}}{n} R$

Slide 17: Experimental apparatus
[Diagram: Quiescent /8 network (2^24 addresses), Monitor (w/ big disk), Internet]

Slide 18: Attacks over time
[Figure]

Slide 19: Example 1: Periodic attack (1 hr per 24 hrs)
[Figure]

Slide 20: Example 2: Punctuated attack (1 min interval)
[Figure]

Slide 21: Attack duration distribution
[Figure]

Slide 22: Attack rate distribution
[Figure]

Slide 23: Victim characterization by DNS name
- Entire spectrum of commercial businesses
  - Yahoo, CNN, Amazon, etc. and many smaller businesses
- Evidence that minor DoS attacks are used for personal vendettas
  - 10-20% of attacks to home machines
  - A few very large attacks against broadband
  - Many reverse mappings clearly compromised (e.g. is.on.the.net.illegal.ly and the.feds.cant.secure.their.shellz.ca)
- 5% of attacks target infrastructure
  - Routers (e.g. core2-core1-oc48.paol.above.net)
  - Name servers (e.g. ns4.reliablehosting.com)

Slide 24: Victim breakdown by TLD
[Bar chart: percent of attacks by top-level domain (unknown, net, com, ro, br, org, edu, ca, de, uk) for Week 1, Week 2 and Week 3; y-axis 0-35%]

Slide 25: Denial-of-Service summary
- Lots of attacks – some very large
  - >12,000 attacks against >5,000 targets in a week
  - Most < 1,000 pps, but some over
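The backscatter estimate of slide 16 carried through on sample data, as an added worked example (not code from the lecture or from the Moore/Voelker/Savage paper): the monitored block is the quiescent /8 (2^24 addresses) of slide 17, and the packet records, the hypothetical victim addresses and the minimum-packet noise threshold are constructed assumptions.

```python
"""Backscatter analysis: infer a victim's attack rate from unsolicited replies
seen at a quiescent address block (Moore, Voelker, Savage 2001). Added example;
the packet records and thresholds below are constructed, not measured data."""
from collections import defaultdict

ADDRESS_SPACE = 2 ** 32   # IPv4 space over which sources are spoofed uniformly
MONITORED_N = 2 ** 24     # a /8 block, as in the slides' experimental apparatus


def expected_backscatter(m_attack_packets: int, n_monitored: int = MONITORED_N) -> float:
    """E(X) = n*m / 2^32: backscatter packets a monitor of n addresses expects
    to receive from an attack of m packets with uniformly random spoofed sources."""
    return n_monitored * m_attack_packets / ADDRESS_SPACE


def extrapolate_rate(backscatter_pps: float, n_monitored: int = MONITORED_N) -> float:
    """R' >= (2^32 / n) * R: lower bound on the attack rate at the victim from the
    measured backscatter rate (a bound, since not every attack packet draws a reply)."""
    return backscatter_pps * ADDRESS_SPACE / n_monitored


# Constructed sample: (seconds since capture start, source IP = replying victim,
# reply type). Nine SYN+ACKs from one host in ~4 s; one stray RST from another.
SAMPLE_BACKSCATTER = [
    (0.1, "198.51.100.7", "SYN+ACK"), (0.4, "198.51.100.7", "SYN+ACK"),
    (0.9, "198.51.100.7", "SYN+ACK"), (1.2, "203.0.113.9", "RST"),
    (1.5, "198.51.100.7", "SYN+ACK"), (1.9, "198.51.100.7", "SYN+ACK"),
    (2.2, "198.51.100.7", "SYN+ACK"), (2.6, "198.51.100.7", "SYN+ACK"),
    (2.8, "198.51.100.7", "SYN+ACK"), (3.7, "198.51.100.7", "SYN+ACK"),
]


def estimate_attacks(records, window_seconds: float, min_packets: int = 5) -> dict:
    """Group backscatter by replying host (the DoS victim), measure R over the
    window, and extrapolate R'. Hosts below min_packets are dropped as noise
    (assumed threshold: a single stray reply is not evidence of a flood)."""
    per_victim = defaultdict(int)
    for _, victim, _ in records:
        per_victim[victim] += 1
    estimates = {}
    for victim, count in per_victim.items():
        if count < min_packets:
            continue
        estimates[victim] = extrapolate_rate(count / window_seconds)
    return estimates


if __name__ == "__main__":
    print("E(X) for a 10,000-packet attack:", expected_backscatter(10_000))
    for victim, pps in estimate_attacks(SAMPLE_BACKSCATTER, window_seconds=4.0).items():
        print(f"{victim}: attack rate >= {pps:.0f} packets/s inferred from backscatter")
```

With a /8 monitor the scaling factor is exactly 256, so nine replies in four seconds imply a flood of at least 576 packets/s at the victim.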

