Stanford CS 155 - Network Denial of Service

John Mitchell

Course logistics

Four more lectures
• Today: Network denial of service
• Tues: Firewalls, intrusion detection, traffic shapers
• Thurs: Network security protocols
• May 31: Paul Kocher, guest speaker
Project: due June 2
Homework: due June 2
Final exam: June 6

Outline

Point-to-point network denial of service
• Smurf, TCP SYN flooding, TCP reset
• Congestion control attack
Distributed denial of service attacks
• Coordinated attacks
• Trin00, TFN, Stacheldraht, TFN2K
• Bot networks
Mitigation techniques
• Firewall
• IP traceback
  – Edge sampling techniques
• Overlay networks
  – Migration
  – Authentication

Sources

• Analysis of a Denial of Service Attack on TCP. Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni. IEEE Symposium on Security and Privacy, 1997.
• Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). Aleksandar Kuzmanovic and Edward W. Knightly. SIGCOMM 2003.
• Practical Network Support for IP Traceback. Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson. SIGCOMM 2000.
• Advanced and Authenticated Marking Schemes for IP Traceback. Dawn X. Song, Adrian Perrig. Proceedings of IEEE INFOCOM 2001.
• MOVE: An End-to-End Solution To Network Denial of Service. A. Stavrou, A. D. Keromytis, J. Nieh, V. Misra, and D. Rubenstein.

TCP Protocol Stack

[Figure: the four-layer stack (Application, Transport, Network, Link) on two end hosts. The application protocol and TCP run end to end between the hosts; IP and the data link run hop by hop through the intermediate nodes on the network access path.]

This lecture is about attacks on the transport layer and below.

Point-to-point attacks

Attacker chooses victim
Sends network packets to isolate victim
Goal of attacker
• Small number of packets ⇒ big effect

TCP Handshake

[Figure: client C sends SYN_C to the listening server S. S stores connection state, replies SYN_S, ACK_C and waits. C replies ACK_S and the connection is established.]

SYN Flooding

[Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, ... to the listening server S. S stores state for every half-open connection, and the final ACK never arrives.]

TCP Reset vulnerability [Watson'04]

Attacker sends RST packet to reset connection
• Need to guess seq. # for an existing connection
  – Naively, success prob. is 1/2^32 for a 32-bit seq. number
  – Most systems allow for a large window of acceptable seq. #'s ⇒ much higher success probability
Attack is most effective against long-lived connections, e.g. BGP
Block with stateful packet filtering?

Smurf DoS Attack

Send ping request to broadcast addr (ICMP Echo Req), with the victim's address as the spoofed source
Lots of responses:
• Every host on the network whose broadcast address was pinged generates a ping reply (ICMP Echo Reply) to the victim
• Ping reply stream can overload victim
Prevention: reject external packets to broadcast address

[Figure: (1) the DoS source sends, via the gateway, an ICMP Echo Req with Src: DoS target, Dest: broadcast addr; (3) every host on that network sends an ICMP Echo Reply with Dest: DoS target.]

TCP Congestion Control

Sender estimates available bandwidth
• Starts slow and increases based on ACKs
• Reduces rate if congestion is observed
Two time scales
• RTT is 10-100 ms ⇒ TCP performs AIMD
  – Additive Increase Multiplicative Decrease
  – Rises slowly, drops quickly (by half)
• Severe congestion ⇒ Retransmission Timeout (RTO)
  – Send one packet and wait for period RTO
  – If further loss, RTO ← 2*RTO
  – If packet successfully received, TCP enters slow start
  – Minimum value for RTO is 1 sec (RFC 2988)

[Figure: pattern of the sending rate over time under repeated loss, with waits of RTO, 2*RTO, ... between attempts.]

Congestion control attack

Generate TCP flow to force target to repeatedly enter retransmission timeout state
Difficult to detect because packet rate is low
• Degrades throughput significantly
• Existing solutions only mitigate the attack

[Figure: timeline of the attack; a short burst of congestion at every RTO, 2*RTO, ... keeps the target flow in timeout.]

Using puzzles to prevent DoS

Basic idea
• Sender must solve a puzzle before sending
• Takes some effort to solve, but easy to confirm solution (e.g., finding a partial hash pre-image)
Example use (RSA client puzzle protocol)
• Normally, server accepts any connection request
• If attack suspected, server responds with puzzle
• Allows connection only for clients that solve puzzle within some regular TCP timeout period
http://www.rsasecurity.com/rsalabs/node.asp?id=2050

Defense against "connection depletion" attacks

The client puzzle protocol
[Figure: client sends a service request to the server; under attack the server answers with a puzzle instead of allocating a slot in its buffer; the client returns solution R; the server checks it, replies O.K. and only then commits buffer space to the request.]
http://www.rsasecurity.com/rsalabs/node.asp?id=2050

Distributed denial of service

Attacker sets up network of machines
• Break in by buffer overflow, etc.
Attack machines bombard victim
Attacker can be off line when attack occurs

[Figure: compromised clients at several ISPs send traffic through the Internet core to a single server; the following slide shows the same topology with the server labelled Victim.]

Feb 2000 Distributed DoS Attack

Observable effect
• Most of Yahoo unreachable for three hours
• Experts did not understand why
  – "An engineer at another company ... told Wired News the outage was due to misconfigured equipment"
What happened
• Coordinated effort from many sites
• Attacking sites were compromised
  – According to Dittrich's DDoS analysis, trinoo and tfn daemons found on Solaris 2.x systems
  – Systems compromised by exploitation of buffer overrun in the RPC services statd, cmsd and ttdbserverd
• Compromised machines used to mount attack

DDoS overlay network

[Figure: the bad guy sends unidirectional commands to several handlers; each handler commands a group of agents; the agents send the attack traffic to the victim. The coordinating communication flows bad guy → handler → agent only.]

Trin00

Client to Handler to Agent to Victim
• Multi-master support
• Attacks through UDP flood
Restarts agents periodically
Warns of additional connects
Passwords protect handlers and agents of Trin00 network, though sent in clear text

Attack using Trin00

In August 1999, network of > 2,200 systems took University of Minnesota offline for 3 days
• Tools found cached at Canadian firm
• Steps:
  – scan for known vulnerabilities, then attack
  – once host compromised, script the installation of the DDoS master agents
According to the incident report
• Took about 3 seconds to get root access
• In 4 hours, set up > 2,200 agents

Tribal Flood Network (TFN)

Client to Daemon to Victim
• TCP, SYN and UDP floods
• Fixed payload size
Client-Daemon communication only in ICMP
• No passwords for client
• Does not authenticate incoming ICMP

Stacheldraht

Client to Handler to Agent to Victim
• Like Trin00
Combines Trin00 and TFN features
• Authenticates
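The SYN flooding slide above says only that the server stores state for every half-open connection. The model below (an added example, not code from the lecture) makes the "small number of packets ⇒ big effect" claim concrete: a listener with a bounded half-open table that expires entries after a hold time, attacked by spoofed SYNs that are never completed. The backlog of 128 entries, the 75-second hold time, the attack rate and the client arrival pattern are assumed values chosen for the illustration, not measurements of any real stack.

```python
"""Model of the half-open (SYN received, no ACK yet) table of a listening TCP
socket under a spoofed-source SYN flood.

Added example; not from the CS 155 slides. Backlog size, hold time and all
packet timings are constructed values."""
import random


class Listener:
    """Server-side state for one listening socket (simplified)."""

    def __init__(self, backlog, hold_time):
        self.backlog = backlog        # max number of half-open entries
        self.hold_time = hold_time    # seconds a half-open entry is kept before it expires
        self.half_open = {}           # (src_ip, src_port) -> expiry time
        self.dropped_legit = 0
        self.completed = 0

    def expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, now, src, legitimate):
        """Return True if the SYN is accepted (state stored, SYN/ACK sent)."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            if legitimate:
                self.dropped_legit += 1
            return False
        self.half_open[src] = now + self.hold_time
        return True

    def on_ack(self, now, src):
        """Final ACK of the handshake: the entry becomes a full connection."""
        self.expire(now)
        if self.half_open.pop(src, None) is not None:
            self.completed += 1


def required_syn_rate(backlog, hold_time):
    """SYNs per second that keep the table full: each entry frees up after hold_time,
    so the attacker only has to replace backlog entries every hold_time seconds."""
    return backlog / hold_time


def simulate(backlog=128, hold_time=75.0, attack_rate=2.0, duration=600.0,
             rtt=0.05, seed=1):
    """Spoofed SYNs at attack_rate per second (the SYN/ACK goes to a forged address, so
    no ACK ever comes back) against one legitimate client per second whose ACK arrives
    one RTT after its SYN. Returns (completed legitimate handshakes, dropped legit SYNs)."""
    rng = random.Random(seed)
    srv = Listener(backlog, hold_time)
    events = []  # (time, kind, src)
    if attack_rate > 0:
        t, n = 0.0, 0
        while t < duration:
            events.append((t, "syn_spoof", ("spoof", n)))  # constructed spoofed source
            t += 1.0 / attack_rate
            n += 1
    for i in range(int(duration)):
        t0 = i + rng.random()
        src = ("client", i)  # constructed legitimate client
        events.append((t0, "syn_legit", src))
        events.append((t0 + rtt, "ack", src))
    for now, kind, src in sorted(events):
        if kind == "syn_spoof":
            srv.on_syn(now, src, legitimate=False)
        elif kind == "syn_legit":
            srv.on_syn(now, src, legitimate=True)
        else:
            srv.on_ack(now, src)
    return srv.completed, srv.dropped_legit


if __name__ == "__main__":
    print("SYN/s needed to keep the table full:", required_syn_rate(128, 75.0))
    print("completed, dropped under attack:", simulate())
```

With these parameters fewer than two spoofed SYNs per second are enough: once the table fills (after about a minute), every expiring entry is immediately reclaimed by the next spoofed SYN and essentially every legitimate client after that is refused. The real-world caveat is that modern stacks no longer behave like this model: SYN cookies let a listener answer SYNs without storing state, and hold timers are far shorter.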
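The TCP reset slide says a large window of acceptable sequence numbers raises the attacker's odds, but not by how much. The code below (an added example, not from the lecture or from Watson's paper) implements the classic RFC 793 acceptance test for a RST and the window-stepping brute force that follows from it; the sequence numbers and window sizes used are constructed.

```python
"""Blind TCP reset (Watson '04): why a receive window turns a 1-in-2^32 guess
into a feasible brute force.

Added example; not code from the CS 155 slides. All sequence numbers and
window sizes below are constructed values."""

SEQ_SPACE = 2 ** 32


def rst_accepted(rst_seq, rcv_nxt, rcv_wnd):
    """Classic (RFC 793) test: a RST is honoured if its sequence number falls
    anywhere in the receive window [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (rst_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_needed(rcv_wnd):
    """Number of RSTs that cover the whole sequence space when consecutive guesses
    are one window apart: ceil(2^32 / window). With window 1 this is the naive 2^32."""
    return -(-SEQ_SPACE // rcv_wnd)


def blind_reset(rcv_nxt, rcv_wnd, start=0):
    """The attacker knows the 4-tuple but not the sequence number, so it sends RSTs
    with seq = start, start + wnd, start + 2*wnd, ... until one lands in the window.
    Returns (number of packets sent, sequence number that was accepted)."""
    sent = 0
    seq = start % SEQ_SPACE
    while True:
        sent += 1
        if rst_accepted(seq, rcv_nxt, rcv_wnd):
            return sent, seq
        seq = (seq + rcv_wnd) % SEQ_SPACE
        if sent > guesses_needed(rcv_wnd) + 1:  # cannot happen; guards against a bad window
            raise RuntimeError("sequence space exhausted without a hit")


def expected_packets(rcv_wnd, src_port_candidates=1):
    """Average packets per successful reset: half the window-stepped sequence space,
    multiplied by the number of source ports the attacker must also try if that side
    of the 4-tuple is not known."""
    return guesses_needed(rcv_wnd) * src_port_candidates / 2


if __name__ == "__main__":
    print("guesses to cover 2^32 with a 16 KiB window:", guesses_needed(16384))
    print("packets until hit (constructed connection):", blind_reset(123456789, 16384))
```

For a 16 KiB window the whole space is covered in 2^18 = 262144 packets, which is why long-lived sessions such as BGP peerings, whose 4-tuple is predictable, were the worry. The slide's closing question ("block with stateful packet filtering?") has since been answered in the stacks themselves: RFC 5961 accepts a RST only when its sequence number equals RCV.NXT exactly and otherwise sends a challenge ACK, which removes the window-sized target.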
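The congestion control attack slides describe the mechanism in words: short bursts timed to the retransmission timeout keep the target flow in timeout state while the attacker's average rate stays low. The simulation below (an added example, not from the lecture or from the Kuzmanovic and Knightly paper) uses a deliberately minimal model of the RTO behaviour listed on the TCP Congestion Control slide; the burst length, burst period and 60-second horizon are constructed values.

```python
"""Discrete-time model of the low-rate ("shrew") attack on TCP's retransmission
timeout, following the RTO rules on the lecture's congestion control slide.

Added example; not code from the CS 155 slides or from the SIGCOMM 2003 paper.
The model is deliberately minimal and all numbers are constructed."""

MIN_RTO = 1.0   # seconds: the lower bound the lecture cites (RFC 2988)
MAX_RTO = 64.0  # upper bound on exponential backoff (assumed)


def in_burst(t, period, burst_len):
    """True if time t lies inside one of the attacker's bursts. Bursts start at
    0, period, 2*period, ... and last burst_len seconds; during a burst the bottleneck
    queue overflows, so every packet of the victim flow sent then is lost."""
    return (t % period) < burst_len


def tcp_throughput(period, burst_len, duration=60.0, step=0.01):
    """Fraction of `duration` during which the victim flow is actually delivering data.

    Model: while no loss occurs the flow sends at full rate (slow start is treated as
    instant). A loss at time t puts the flow into timeout: it waits rto, then retransmits
    one packet. If that packet lands in a burst it is lost, rto doubles and it waits again
    (rto <- 2*rto); if it gets through, rto resets to MIN_RTO and full-rate sending resumes.
    """
    t = 0.0
    rto = MIN_RTO
    busy = 0.0
    while t < duration:
        if in_burst(t, period, burst_len):
            t += rto                       # wait for the retransmission timer
            rto = min(rto * 2, MAX_RTO)    # next wait doubles if this one fails too
            continue
        rto = MIN_RTO                      # retransmission (or data) got through
        busy += step
        t += step
    return min(busy / duration, 1.0)


def attacker_average_rate(period, burst_len, burst_rate):
    """Average bandwidth the attacker spends: burst_rate only during the bursts."""
    return burst_rate * burst_len / period


if __name__ == "__main__":
    for period in (1.0, 1.5, 2.0):
        print(f"burst every {period}s: victim throughput {tcp_throughput(period, 0.15):.2f}, "
              f"attacker average rate {attacker_average_rate(period, 0.15, 10.0):.2f} Mb/s")
```

With the burst period equal to the 1-second minimum RTO, every retransmission fires exactly into the next burst and the victim's throughput is zero while the attacker averages 15% of its burst rate (the bursts themselves must exceed the bottleneck capacity, which is why the model takes a 10 Mb/s burst rate as given). Lengthening the period to 1.5 s lets the flow recover for part of each cycle, which is the trade-off that makes the attack hard to remove without changing the minimum RTO.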
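The client puzzle slides give the protocol's shape (request, puzzle, solution, O.K.) and its requirement that solving is costly while checking is cheap. The code below is an added example of a hash pre-image puzzle of that kind, not the RSA Labs protocol's own code: the puzzle is a MAC-derived nonce bound to the client and a timestamp, the solution is a value x such that SHA-256(nonce || x) starts with a required number of zero bits, and the server verifies with one hash. The puzzle encoding, the difficulty of 12 bits, the 10-second lifetime and the client identifiers are assumptions made for the illustration.

```python
"""Hash pre-image client puzzle in the style of the client puzzle protocol:
the server issues a fresh puzzle when it suspects an attack, the client spends
~2^bits hashes finding a solution, and the server verifies with one hash.

Added example; not code from the CS 155 slides or from RSA Labs. Encoding,
parameters and client identifiers are constructed."""
import hashlib
import hmac
import os
import time


def check(nonce, bits, solution):
    """Cheap verification: the top `bits` bits of SHA-256(nonce:solution) must be zero."""
    h = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
    return int.from_bytes(h, "big") >> (256 - bits) == 0


def solve(nonce, bits, limit=None):
    """Client side: brute force, about 2^bits hashes on average. Returns None if
    `limit` attempts are exhausted (the client would then give up or retry)."""
    x = 0
    while limit is None or x < limit:
        if check(nonce, bits, x):
            return x
        x += 1
    return None


class PuzzleServer:
    def __init__(self, difficulty_bits=12, ttl=10.0):
        self.secret = os.urandom(32)      # lets the server verify puzzles it never stored
        self.difficulty = difficulty_bits
        self.ttl = ttl                    # seconds a puzzle stays valid (the TCP timeout period)
        self.buffer = set()               # requests that have earned a slot
        self.used = set()                 # (nonce, solution) pairs already redeemed

    def _nonce(self, client_id, ts, bits):
        # Binding client, time and difficulty into the nonce means a client cannot
        # reuse one puzzle for another, extend its lifetime, or lower its difficulty.
        msg = f"{client_id}|{ts}|{bits}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, client_id, now=None):
        """Answer a service request with a puzzle instead of allocating state."""
        ts = int(now if now is not None else time.time())
        return {"nonce": self._nonce(client_id, ts, self.difficulty),
                "bits": self.difficulty, "ts": ts}

    def accept(self, client_id, puzzle, solution, now=None):
        """Admit the request iff the puzzle is genuine, fresh, unused and solved."""
        now = now if now is not None else time.time()
        expected = self._nonce(client_id, puzzle["ts"], puzzle["bits"])
        if not hmac.compare_digest(expected, puzzle["nonce"]):
            return False                                   # forged or tampered puzzle
        if now - puzzle["ts"] > self.ttl:
            return False                                   # solved too late
        if (puzzle["nonce"], solution) in self.used:
            return False                                   # replayed solution
        if not check(puzzle["nonce"], puzzle["bits"], solution):
            return False                                   # wrong answer
        self.used.add((puzzle["nonce"], solution))
        self.buffer.add(client_id)                         # only now commit buffer space
        return True


if __name__ == "__main__":
    srv = PuzzleServer()
    client = "10.0.0.7:40000"                              # constructed client identifier
    p = srv.issue(client)
    print("solving", p["bits"], "-bit puzzle ...")
    r = solve(p["nonce"], p["bits"])
    print("solution", r, "accepted:", srv.accept(client, p, r))
```

The asymmetry is the whole point: the client's cost scales as 2^bits while the server's cost is one HMAC and one SHA-256 per request and no per-puzzle storage, so a flooder must pay for each connection it wants to hold open. The difficulty can be raised as the suspected attack intensifies and dropped to zero when the buffer empties again.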