Denial of Service DoS CS 161 Computer Security Profs Vern Paxson David Wagner TAs John Bethencourt Erika Chin Matthew Finifter Cynthia Sturton Joel Weinberger http inst eecs berkeley edu cs161 Feb 22 2010 Announcements Section 108 Tu 2 3PM TA Joel is being moved from 70 Evans to 122 Barrows for the next three weeks Will go back to 70 Evans on March 16 The Threat of Denial of Service Denial of Service DoS or doss keeping someone from using a computing service Two basic approaches available to an attacker Deny service based on a program flaw E g supply an input that crashes a server Deny service based on resource exhaustion E g consume CPU memory disk network How broad is this sort of threat Very huge attack surface We do though need to consider our threat model What might motivate a DoS attack Motivations for DoS Showing off entertainment ego Competitive advantage Maybe commercial maybe just to win Vendetta denial of money Extortion Political statements Impair defenses Warfare DoS Defense in General Terms Defending resources from exhaustion can be really hard Requires Isolation mechanisms Reliable identification of different users Need to beware of asymmetries where attackers can consume victim resources with little comparable effort Makes DoS easier to launch One dangerous form of asymmetry amplification Attacker leverages system s structure to pump up the load they induce on a resource DoS Operating Systems How could you DoS a multi user Unix system on which you have a login rm rf if you have root but then just halt works well char buf 1024 int f open tmp junk while 1 write f buf sizeof buf Gobble up all the disk space while 1 fork Create a zillion processes Create zillions of files keep opening reading writing deleting Thrash the disk doubtless many more Defenses Isolate users impose quotas DoS Networks How could you DoS a target s Internet access Send a zillion packets at them Internet lacks isolation between traffic of different users What resources does attacker need to pull this off At least as much sending capacity bandwidth as the bottleneck link of the target s Internet connection Attacker sends maximum sized packets Or overwhelm the rate at which the bottleneck router can process packets Attacker sends minimum sized packets in order to maximize the packet arrival rate Defending Against Network DoS Suppose an attacker has access to a beefy system with high speed Internet access a big pipe They pump out packets towards the target at a very high rate What might the target do to defend against the onslaught Install a network filter to discard any packets that arrive with attacker s IP address as their source Or it can leverage any other pattern in the flooding traffic that s not in benign traffic Filter isolation mechanism Attacker s IP address means of identifying misbehaving user Filtering Sounds Pretty Easy but it s not What steps can the attacker take to defeat the filtering Make traffic appear as though it s from many hosts Spoof the source address so it can t be used to filter Just pick a random 32 bit number of each packet sent How does a defender filter this They don t Best they can hope for is that operators around the world implement anti spoofing mechanisms today about 75 do Use many hosts to send traffic rather than just one Distributed Denial of Service DDoS dee doss Requires defender to install complex filters How many hosts is enough for the attacker Today they are very cheap to acquire Amplification Network DoS One technique for magnifying flood traffic leverage Internet s broadcast functionality Amplification Network DoS One technique for magnifying flood traffic leverage Internet s broadcast functionality How does an attacker exploit this Send traffic to the broadcast address and spoof it as though the DoS victim sent it All of the replies then go to the victim rather than the attacker s machine Each attacker pkt yields dozens of flooding pkts Another example DNS lookups Reply is often much bigger than request So attacker spoofs request seemingly from the target Small attacker packet yields large flooding packet Transport Level Denial of Service Recall TCP s 3 way connection establishment handshake Goal agree on initial sequence numbers So a single SYN from an attacker suffices to force the server to spend some memory Server Client initiator SYN Seq Num x SYN and A Attacker doesn t even need to send this ack CK x k c A y S eqNum ACK A c k y 1 1 Server creates state associated with connection here TCP SYN Flooding Attacker targets memory rather than network capacity Every unique SYN attacker sends burdens the target What should target do when it has no more memory for a new connection No good answer Refuse new connection Legit new users can t access service Evict old connections to make room Legit old users get kicked off TCP SYN Flooding con t How can the target defend itself Approach 1 make sure they have tons of memory How much is enough Depends on resources attacker can bring to bear Approach 2 identify bad actors refuse their connections Hard because only way to identify them is based on IP address We can t for example require them to send a password because doing so requires we have an established connection For a public Internet service who knows which addresses customers might come from Plus attacker can spoof addresses since they don t need to complete TCP 3 way handshake Approach 3 don t keep state We ll see such a technique later in the course SYN cookies Application Layer DoS Rather than exhausting network or memory resources attacker can overwhelm a service s processing capacity There are many ways to do so often at little expense to attacker compared to target asymmetry Application Layer DoS Rather than exhausting network or memory resources attacker can overwhelm a service s processing capacity There are many ways to do so often at little expense to attacker compared to target asymmetry Defenses against such attacks Approach 1 Only let legit users to issue expensive requests Relies on being able to identify authenticate them Note that this itself might be expensive Approach 2 At least require request to come from a human rather than a program bot CAPTCHAs Reverse Turing Test present user a challenge that s easy for a human to solve hard for a program to solve One common approach distorted text that s difficult for character recognition algorithms to decipher Issues with CAPTCHAs Inevitable arms race as solving algorithms get better defense
View Full Document
Unlocking...