Berkeley COMPSCI 161 - Denial-of-Service
Denial-of-Service (DoS)
CS 161 - Computer Security
Profs. Vern Paxson & David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 22, 2010

Announcements
• Section 108 (Tu 2-3PM, TA: Joel) is being moved from 70 Evans to 122 Barrows for the next three weeks
  – Will go back to 70 Evans on March 16

The Threat of Denial-of-Service
• Denial-of-Service (DoS, or “doss”): keeping someone from using a computing service
• Two basic approaches available to an attacker:
  – Deny service based on a program flaw
    • E.g., supply an input that crashes a server
  – Deny service based on resource exhaustion
    • E.g., consume CPU, memory, disk, network
• How broad is this sort of threat?
  – Very: huge attack surface
    • We do though need to consider our threat model …
  – What might motivate a DoS attack?

Motivations for DoS
• Showing off / entertainment / ego
• Competitive advantage
  – Maybe commercial, maybe just to win
• Vendetta / denial-of-money
• Extortion
• Political statements
• Impair defenses
• Warfare

DoS Defense in General Terms
• Defending resources from exhaustion can be really hard. Requires:
  – Isolation mechanisms
  – Reliable identification of different users
• Need to beware of asymmetries, where attackers can consume victim resources with little comparable effort
  – Makes DoS easier to launch
• One dangerous form of asymmetry: amplification
  – Attacker leverages system’s structure to pump up the load they induce on a resource

DoS & Operating Systems
• How could you DoS a multi-user Unix system on which you have a login?
  – # rm -rf /
    • (if you have root - but then just “halt” works well!)
  – char buf[1024]; int f = open("/tmp/junk"); while (1) write(f, buf, sizeof(buf));
    • Gobble up all the disk space!
  – while (1) fork();
    • Create a zillion processes!
  – Create zillions of files, keep opening, reading, writing, deleting
    • Thrash the disk
  – … doubtless many more
• Defenses?
  – Isolate users / impose quotas

DoS & Networks
• How could you DoS a target’s Internet access?
  – Send a zillion packets at them
  – Internet lacks isolation between traffic of different users!
• What resources does attacker need to pull this off?
  – At least as much sending capacity (“bandwidth”) as the bottleneck link of the target’s Internet connection
    • Attacker sends maximum-sized packets
  – Or: overwhelm the rate at which the bottleneck router can process packets
    • Attacker sends minimum-sized packets! (in order to maximize the packet arrival rate)

Defending Against Network DoS
• Suppose an attacker has access to a beefy system with high-speed Internet access (a “big pipe”). They pump out packets towards the target at a very high rate.
• What might the target do to defend against the onslaught?
  – Install a network filter to discard any packets that arrive with attacker’s IP address as their source
    • Or it can leverage any other pattern in the flooding traffic that’s not in benign traffic
  – Filter = isolation mechanism
  – Attacker’s IP address = means of identifying misbehaving user

Filtering Sounds Pretty Easy …
• … but it’s not. What steps can the attacker take to defeat the filtering?
  – Make traffic appear as though it’s from many hosts
    • Spoof the source address so it can’t be used to filter
      – Just pick a random 32-bit number for each packet sent
    • How does a defender filter this?
      – They don’t!
      – Best they can hope for is that operators around the world implement anti-spoofing mechanisms (today about 75% do)
  – Use many hosts to send traffic rather than just one
    • Distributed Denial-of-Service = DDoS (“dee-doss”)
    • Requires defender to install complex filters
    • How many hosts is “enough” for the attacker?
      – Today they are very cheap to acquire … :-(

Amplification: Network DoS
• One technique for magnifying flood traffic: leverage Internet’s broadcast functionality
• How does an attacker exploit this?
  – Send traffic to the broadcast address and spoof it as though the DoS victim sent it
  – All of the replies then go to the victim rather than the attacker’s machine
  – Each attacker pkt yields dozens of flooding pkts
• Another example: DNS lookups
  – Reply is often much bigger than request
  – So attacker spoofs request seemingly from the target
    • Small attacker packet yields large flooding packet

Transport-Level Denial-of-Service
• Recall TCP’s 3-way connection establishment handshake
  – Goal: agree on initial sequence numbers
• So a single SYN from an attacker suffices to force the server to spend some memory

  [Figure: TCP 3-way handshake between Client (initiator) and Server]
  Client → Server: SYN, SeqNum = x
  Server → Client: SYN and ACK, SeqNum = y, Ack = x + 1   (server creates state associated with connection here)
  Client → Server: ACK, Ack = y + 1   (attacker doesn’t even need to send this ack)

TCP SYN Flooding
• Attacker targets memory rather than network capacity
• Every (unique) SYN attacker sends burdens the target
• What should target do when it has no more memory for a new connection?
• No good answer!
  – Refuse new connection? Legit new users can’t access service
  – Evict old connections to make room? Legit old users get kicked off

TCP SYN Flooding, con’t
• How can the target defend itself?
• Approach #1: make sure they have tons of memory!
  – How much is enough? Depends on resources attacker can bring to bear
• Approach #2: identify bad actors & refuse their connections
  – Hard because only way to identify them is based on IP address
    • We can’t for example require them to send a password because doing so requires we have an established connection!
  – For a public Internet service, who knows which addresses customers might come from?
  – Plus: attacker can spoof addresses since they don’t need to complete TCP 3-way handshake
• (Approach #3: don’t keep state! We’ll see such a technique later in the course, “SYN cookies”)

Application-Layer DoS
• Rather than exhausting network or memory resources, attacker can overwhelm a service’s processing capacity
• There are many ways to do so, often at little expense to attacker compared to target (asymmetry)
• Defenses against such attacks?
• Approach #1: Only let
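The two filtering mechanisms from the “Defending Against Network DoS” and “Filtering Sounds Pretty Easy …” slides, simulated in Python: the victim-side filter keyed on a misbehaving source address, and the origin-side anti-spoofing check that the slide says operators around the world are asked to deploy. This is an added example, not part of the lecture; the access-network layout, the interface names, the blocklist and all addresses (RFC 5737 documentation ranges) are constructed for the simulation. It shows why the victim’s filter alone fails once sources are random 32-bit numbers, and what the origin network can check that the victim cannot.

```python
import random
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress: str        # access-network interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address


# Constructed layout: each customer-facing interface owns exactly one prefix
# (RFC 5737 documentation addresses throughout).
CUSTOMER_PREFIXES: dict[str, IPv4Network] = {
    "cust-a": ip_network("203.0.113.0/24"),
    "cust-b": ip_network("198.51.100.0/24"),
}
VICTIM = ip_address("192.0.2.10")
# The one host the victim has identified as misbehaving (constructed).
BLOCKLIST = {ip_address("203.0.113.77")}


def ingress_filter(pkt: Packet) -> bool:
    """Origin-side anti-spoofing: forward only if the source address lies in
    the prefix assigned to the interface the packet came in on."""
    prefix = CUSTOMER_PREFIXES.get(pkt.ingress)
    return prefix is not None and pkt.src in prefix


def victim_filter(pkt: Packet, blocklist: set[IPv4Address]) -> bool:
    """Victim-side filter from the slide: discard packets whose source
    address is that of a known misbehaving host; everything else passes."""
    return pkt.src not in blocklist


def route(pkt: Packet, blocklist: set[IPv4Address], origin_filtering: bool) -> str:
    """Where one packet ends up: dropped by the origin network's check
    (if deployed), dropped by the victim's filter, or delivered."""
    if origin_filtering and not ingress_filter(pkt):
        return "dropped_at_origin"
    if not victim_filter(pkt, blocklist):
        return "dropped_at_victim"
    return "delivered"


def classify(ingress: str, src: str, origin_filtering: bool = True) -> str:
    """Convenience wrapper for a single packet toward VICTIM."""
    return route(Packet(ingress, ip_address(src), VICTIM), BLOCKLIST, origin_filtering)


def sample_traffic(n: int, spoofed: bool, seed: int = 161) -> list[Packet]:
    """Constructed traffic from one host behind cust-a toward VICTIM. With
    spoofed=True every packet carries a random 32-bit source address, the
    evasion the slide describes; otherwise the host's true address is used."""
    rng = random.Random(seed)
    true_src = ip_address("203.0.113.77")
    return [
        Packet("cust-a", IPv4Address(rng.getrandbits(32)) if spoofed else true_src, VICTIM)
        for _ in range(n)
    ]


def tally(pkts: list[Packet], origin_filtering: bool) -> dict[str, int]:
    """Count outcomes for a batch of packets against BLOCKLIST."""
    out = {"dropped_at_origin": 0, "dropped_at_victim": 0, "delivered": 0}
    for p in pkts:
        out[route(p, BLOCKLIST, origin_filtering)] += 1
    return out


def scenarios(n: int = 1000) -> dict[str, dict[str, int]]:
    """The three situations from the slides: honest source addresses stopped
    by the victim's filter; spoofed addresses the victim cannot filter;
    spoofed addresses stopped at the origin network instead."""
    return {
        "honest_victim_filter_only": tally(sample_traffic(n, spoofed=False), origin_filtering=False),
        "spoofed_victim_filter_only": tally(sample_traffic(n, spoofed=True), origin_filtering=False),
        "spoofed_with_origin_filter": tally(sample_traffic(n, spoofed=True), origin_filtering=True),
    }


if __name__ == "__main__":
    for name, counts in scenarios().items():
        print(f"{name:28s} {counts}")
```

The point the slide makes falls out of the third scenario: the victim’s blocklist matches essentially none of the randomly chosen sources, while the origin network, which knows which prefix each interface was assigned, drops all of them. That check only works where the packets enter the Internet, which is why the defender can do no better than hope other operators deploy it.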
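An added illustration, not from the lecture slides (which defer SYN cookies to a later class), of what “don’t keep state” means for Approach #3 on the “TCP SYN Flooding, con’t” slide, placed next to the bounded half-open table that produces the “no good answer” dilemma on the slide before it. The cookie layout (a 5-bit time slot plus a 27-bit truncation of HMAC-SHA-256), the acceptance window, the secret and the clients are all assumptions made for this simulation; real kernels pack a few more fields, such as the negotiated MSS, into the initial sequence number.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address

Client = tuple[bytes, int]  # (packed IPv4 source address, source port)


@dataclass
class StatefulServer:
    """Textbook behaviour: state is allocated when the SYN arrives, so a
    bounded table fills up and new handshakes are refused (the slide's
    'refuse new connection' horn of the dilemma)."""
    capacity: int
    half_open: dict = field(default_factory=dict)

    def on_syn(self, client: Client, x: int):
        if len(self.half_open) >= self.capacity:
            return None                       # no memory left: refuse
        y = 1000 + len(self.half_open)        # any ISN, remembered per connection
        self.half_open[client] = (x, y)
        return y

    def on_ack(self, client: Client, seq: int, ack: int) -> bool:
        st = self.half_open.pop(client, None)
        return st is not None and seq == st[0] + 1 and ack == st[1] + 1


class SynCookieServer:
    """Stateless alternative: the server's ISN y is a keyed hash ('cookie')
    over the SYN's own fields plus a coarse timestamp. Nothing is stored
    until a valid third packet proves the peer actually received y."""
    COUNTER_BITS = 5                      # top bits of y carry the time slot
    MASK32 = 0xFFFFFFFF

    def __init__(self, secret: bytes, window: int = 2):
        self.secret = secret              # constructed demo key (assumption)
        self.window = window              # how many past slots stay valid
        self.clock = 0                    # coarse time, advanced by tick()
        self.established: set[Client] = set()

    def tick(self) -> None:
        self.clock += 1

    def _cookie(self, client: Client, x: int, t: int) -> int:
        src_ip, src_port = client
        msg = struct.pack("!4sHII", src_ip, src_port, x & self.MASK32, t)
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        hashed = int.from_bytes(mac[:4], "big") >> self.COUNTER_BITS
        slot = t & ((1 << self.COUNTER_BITS) - 1)
        return (slot << (32 - self.COUNTER_BITS)) | hashed

    def on_syn(self, client: Client, x: int) -> int:
        return self._cookie(client, x, self.clock)   # no state allocated

    def on_ack(self, client: Client, seq: int, ack: int) -> bool:
        # Recover x and y from the packet itself, then recompute the cookie
        # for every time slot still inside the acceptance window.
        x = (seq - 1) & self.MASK32
        y = (ack - 1) & self.MASK32
        slot = y >> (32 - self.COUNTER_BITS)
        for t in range(self.clock, self.clock - self.window - 1, -1):
            if t < 0 or (t & ((1 << self.COUNTER_BITS) - 1)) != slot:
                continue
            expected = self._cookie(client, x, t)
            if hmac.compare_digest(expected.to_bytes(4, "big"), y.to_bytes(4, "big")):
                self.established.add(client)          # state only now
                return True
        return False


def compare_servers(abandoned: int = 3) -> dict:
    """Constructed scenario from the slides: several SYNs whose senders never
    send the final ACK, then one legitimate client trying to connect."""
    stateful = StatefulServer(capacity=abandoned)
    cookies = SynCookieServer(secret=b"constructed-demo-secret")
    for i in range(abandoned):
        c: Client = (ip_address(f"198.51.100.{i + 1}").packed, 40000 + i)
        stateful.on_syn(c, 7)
        cookies.on_syn(c, 7)
    legit: Client = (ip_address("192.0.2.55").packed, 51515)
    x = 123456
    y_stateful = stateful.on_syn(legit, x)
    y_cookie = cookies.on_syn(legit, x)
    return {
        "stateful_refused_legit": y_stateful is None,
        "stateful_entries": len(stateful.half_open),
        "cookie_entries_before_ack": len(cookies.established),
        "cookie_accepts_legit": cookies.on_ack(legit, x + 1, y_cookie + 1),
        "cookie_rejects_guess": not cookies.on_ack(legit, x + 1, y_cookie + 2),
    }


def cookie_expiry(window: int = 2) -> tuple:
    """A cookie is good only briefly: accepted within the window, rejected
    once the server's coarse clock has moved past it."""
    s = SynCookieServer(secret=b"constructed-demo-secret", window=window)
    client: Client = (ip_address("192.0.2.9").packed, 60000)
    y = s.on_syn(client, 42)
    for _ in range(window):
        s.tick()
    within = s.on_ack(client, 43, y + 1)
    s.tick()                                   # now window + 1 slots later
    after = s.on_ack(client, 43, y + 1)
    return within, after
```

The stateful server ends up with its table full of abandoned handshakes and turns the legitimate client away; the cookie server hands out an ISN without remembering anything and still accepts the genuine third packet, because it can recompute y from the packet’s own fields. The price is that every ACK costs an HMAC computation, a forged ACK has to be rejected by the keyed hash rather than by a table lookup, and the server cannot remember anything the SYN carried that it did not fold into y.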