Network Denial of Service
John Mitchell

Course logistics
Four more lectures
• Today: Network denial of service
• Tues: Firewalls, intrusion detection, traffic shapers
• Thurs: Network security protocols
• May 31: Paul Kocher, guest speaker
Project: due June 2
Homework: due June 2
Final exam: June 6

Outline
Point-to-point network denial of service
• Smurf, TCP SYN flooding, TCP reset
• Congestion control attack
Distributed denial of service attacks
• Coordinated attacks
• Trin00, TFN, Stacheldraht, TFN2K
• Bot networks
Mitigation techniques
• Firewall
• IP traceback
– Edge sampling techniques
• Overlay networks
– Migration
– Authentication

Sources
Analysis of a Denial of Service Attack on TCP
• Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni, Security & Privacy 1997
Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)
• Aleksandar Kuzmanovic and Edward W. Knightly, SIGCOMM 2003
Practical Network Support for IP Traceback
• Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, SIGCOMM 2000
Advanced and Authenticated Marking Schemes for IP Traceback
• Dawn X. Song, Adrian Perrig, Proceedings IEEE Infocom 2001
MOVE: An End-to-End Solution To Network Denial of Service
• A. Stavrou, A.D. Keromytis, J. Nieh, V. Misra, and D. Rubenstein

TCP Protocol Stack
Figure: layers Application, Transport, Network, Link on each host (application protocol, TCP protocol, IP protocol, data link), with IP / network access at the routers in between
This lecture is about attacks on the transport layer and below

Point-to-point attacks
Attacker chooses victim
Sends network packets to isolate victim
Goal of attacker
• Small number of packets ⇒ big effect

TCP Handshake
Figure: client C sends SYN_C to server S (listening); S replies SYN_S, ACK_C and stores connection data; C sends ACK_S; S waits, then connected

SYN Flooding
Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 to listening server S, which stores data for each half-open connection

TCP Reset vulnerability [Watson'04]
Attacker sends RST packet to reset connection
• Need to guess seq. # for an existing connection
– Naively, success prob. is 1/2^32 for 32-bit seq. number
– Most systems allow for a large window of acceptable seq. #'s ⇒ much higher success probability
Attack is most effective against long-lived connections, e.g. BGP
Block with stateful packet filtering?

Smurf DoS Attack
Send ping request to broadcast addr (ICMP Echo Req)
Lots of responses:
• Every host on target network generates a ping reply (ICMP Echo Reply) to victim
• Ping reply stream can overload victim
Prevention: reject external packets to broadcast address
Figure: DoS source sends (1) ICMP Echo Req, src: DoS target, dest: broadcast addr, through the gateway; hosts answer with (3) ICMP Echo Reply, dest: DoS target

TCP Congestion Control
Sender estimates available bandwidth
• Starts slow and increases based on ACKs
• Reduces rate if congestion is observed
Two time scales
• RTT is 10-100 ms ⇒ TCP performs AIMD
– Additive Increase Multiplicative Decrease
– Rises slowly, drops quickly (by half)
• Severe congestion ⇒ Retransmission Timeout (RTO)
– Send one packet and wait for period RTO
– If further loss, RTO ← 2*RTO
– If packet successfully received, TCP enters slow start
– Minimum value for RTO is 1 sec
Figure: pattern of sending rate over time

Congestion control attack
Generate TCP flow to force target to repeatedly enter retransmission timeout state
Difficult to detect because packet rate is low
• Degrade throughput significantly
• Existing solutions only mitigate the attack
Figure: congestion induced at RTO, then 2*RTO, then again at each timeout

Using puzzles to prevent DoS
Basic idea
• Sender must solve a puzzle before sending
• Takes some effort to solve, but easy to confirm solution (e.g., hash collision)
Example use (RSA client puzzle protocol)
• Normally, server accepts any connection request
• If attack suspected, server responds with puzzle
• Allows connection only for clients that solve puzzle within some regular TCP timeout period
http://www.rsasecurity.com/rsalabs/node.asp?id=2050

Defense against "connection depletion" attacks
The client puzzle protocol
Figure: client sends service request R to server; server (with a buffer of pending requests) answers O.K.
http://www.rsasecurity.com/rsalabs/node.asp?id=2050

Distributed denial of service
Attacker sets up network of machines
• Break in by buffer overflow, etc.
Attack machines bombard victim
Attacker can be offline when attack occurs
Figure: client, ISP, Internet core, ISP, server; in the attack, many machines across ISPs send traffic through the Internet core to the victim

Feb 2000 Distributed DoS Attack
Observable effect
• Most of Yahoo unreachable for three hours
• Experts did not understand why
– "An engineer at another company … told Wired News the outage was due to misconfigured equipment"
What happened
• Coordinated effort from many sites
• Attacking sites were compromised
– According to Dittrich's DDoS analysis, trinoo and tfn daemons found on Solaris 2.x systems
– Systems compromised by exploitation of buffer overrun in the RPC services statd, cmsd and ttdbserverd
• Compromised machines used to mount attack

DDoS overlay network
Figure: BadGuy sends unidirectional commands to handlers; handlers command agents; agents send attack traffic to the victim; handlers and agents exchange coordinating communication

Trin00
Client to Handler to Agent to Victim
• Multi-master support
• Attacks through UDP flood
Restarts agents periodically
Warns of additional connects
Passwords protect handlers and agents of Trin00 network, though sent in clear text

Attack using Trin00
In August 1999, network of > 2,200 systems took University of Minnesota offline for 3 days
• Tools found cached at Canadian firm
• Steps:
– scan for known vulnerabilities, then attack
– once host compromised, script the installation of the DDoS master agents
According to the incident report
• Took about 3 seconds to get root access
• In 4 hours, set up > 2,200 agents

Tribal Flood Network (TFN)
Client to Daemon to Victim
• TCP, SYN and UDP floods
• Fixed payload size
Client-Daemon communication only in ICMP
• No passwords for client
• Does not authenticate incoming ICMP

Stacheldraht
Client to Handler to Agent to Victim
• Like Trin00
Combines Trin00 and TFN features
• Authenticates
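An added example of the client puzzle defense from the "Using puzzles to prevent DoS" slides (this code is not from the lecture or from RSA Labs): the server hands out a hash puzzle only while it suspects a connection-depletion attack, the client spends CPU finding a solution, and the server confirms it with a single hash plus an expiry check. The threshold, difficulty and lifetime values are constructed for illustration.

```python
import hashlib
import os
import time

# Constructed parameters: pending half-open connections before puzzles start,
# leading zero bits required (about 2^16 hashes of client work), and how long
# a puzzle stays valid (the "regular TCP timeout period" from the slide).
ATTACK_THRESHOLD = 100
PUZZLE_BITS = 16
PUZZLE_LIFETIME = 3.0


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest (used for both solve and verify)."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def issue_puzzle(pending, now=None):
    """Server: accept freely below the threshold; above it, return (nonce, bits, expiry)."""
    if pending < ATTACK_THRESHOLD:
        return None
    now = time.time() if now is None else now
    return os.urandom(16), PUZZLE_BITS, now + PUZZLE_LIFETIME


def solve_puzzle(nonce, bits):
    """Client: brute-force x so that SHA-256(nonce || x) has `bits` leading zero bits."""
    x = 0
    while leading_zero_bits(hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()) < bits:
        x += 1
    return x


def verify_solution(nonce, bits, expiry, x, now=None):
    """Server: one hash and an expiry check, far cheaper than solving."""
    now = time.time() if now is None else now
    if now > expiry:
        return False
    digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits


if __name__ == "__main__":
    nonce, bits, expiry = issue_puzzle(pending=500)
    x = solve_puzzle(nonce, bits)
    print("solution", x, "accepted:", verify_solution(nonce, bits, expiry, x))
```

The server keeps no per-client state beyond the nonce it issued, so a flood of unsolved requests costs it nothing until a client has done the work.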