Stanford CS 155 - Denial of Service and Spam Email


CS 155, Spring 2008
Unwanted Traffic: Denial of Service and Spam email

Slide 1: What is network DoS?
- Goal: take out a large site with little computing work.
- How: amplification. A small number of packets, big effect.
- Two types of amplification attacks:
  - DoS bug: a design flaw allowing one machine to disrupt a service.
  - DoS flood: command a botnet to generate a flood of requests.

Slide 2: A high-profile example: Estonia
- Attacked sites (started Apr 2007, lasted two weeks): Estonian ministerial sites, various Estonian commercial sites.
- More on this later.

Slide 3: DoS can happen at any layer
- This lecture: sample DoS at different layers, in order: link, TCP/UDP, application, payment.
- Generic DoS solutions; network DoS solutions.
- Sad truth: the current Internet was not designed to handle DDoS attacks.

Slide 4: Warm up: 802.11b
- Radio jamming attacks: trivial, not our focus.
- Protocol DoS bugs [Bellardo, Savage '03]:
  - NAV (Network Allocation Vector): 15-bit field, max value 32767. Any node can reserve the channel for NAV seconds; no one else should transmit during the NAV period (but this is not followed by most 802.11b cards).
  - De-authentication bug: any node can send a deauth packet to the AP. The deauth packet is unauthenticated, so an attacker can repeatedly deauth anyone.

Slide 5: Smurf amplification DoS attack
- (1) DoS source sends ICMP Echo Req to the gateway: Src = DoS target, Dest = broadcast addr.
- (3) ICMP Echo Reply, Dest = DoS target, from every host behind the gateway.
- Send a ping request to the broadcast addr (ICMP Echo Req); lots of responses: every host on the target network generates a ping reply (ICMP Echo Reply) to the victim.
- Prevention: reject external packets to the broadcast address.

Slide 6: Modern-day example: May '06 DNS amplification attack (x50 amplification)
- DNS query, SrcIP = DoS target (60 bytes), from DoS source to DNS server.
- EDNS response (3000 bytes), from DNS server to DoS target.
- 580,000 open resolvers on the Internet [Kaminsky, Shiffman '06].

Slide 7: Review: IP header format
- Connectionless, unreliable, best effort.
- Fields (bits 0-31): Version, Header Length, Type of Service, Total Length; Identification, Flags, Fragment Offset; Time to Live, Protocol, Header Checksum; Source Address of originating host; Destination Address of target host; Options, Padding; IP Data.
Slide 8: Review: TCP header format
- TCP: session based, congestion control, in-order delivery.
- Fields (bits 0-31): Source Port, Dest Port; SEQ Number; ACK Number; flags URG, ACK, PSH, RST, SYN, FIN; other stuff.

Slide 9: Review: TCP handshake
- C -> S: SYN, SN_C <- rand_C, AN_C <- 0. (Server: listening)
- S -> C: SYN/ACK, SN_S <- rand_S, AN_S <- SN_C. (Server: store SN_C, SN_S; wait)
- C -> S: ACK, AN <- SN_S. (Server: established)

Slide 10: TCP SYN flood I: low rate (DoS bug)
- A single machine sends SYN packets (SYN_C1 ... SYN_C5) with random source IP addresses.
- Fills up the backlog queue on the server; no further connections possible.

Slide 11: SYN floods [Phrack 48, no. 13, 1996]
OS | Backlog queue size
Linux 1.2.x | 10
FreeBSD 2.1.5 | 128
WinNT 4.0 | 6
Backlog timeout: 3 minutes.
- Attacker need only send 128 SYN packets every 3 minutes: a low-rate SYN flood.

Slide 12: A classic SYN flood example: MS Blaster worm (2003)
- Infected machines at noon on Aug 16th: SYN flood on port 80 to windowsupdate.com.
- 50 SYN packets every second; each packet is 40 bytes.
- Spoofed source IP: a.b.X.Y where X, Y random.
- MS solution: new name windowsupdate.microsoft.com; Windows update file delivered by Akamai.

Slide 13: Low-rate SYN flood defenses
- Non-solution: increase backlog queue size or decrease timeout.
- Correct solution: syncookies, remove state from server. Small performance overhead.

Slide 14: Syncookies [Bernstein, Schenk]
- Idea: remove SYN state from the server.
- Server responds to client with SYN/ACK cookie:
  - T = 5-bit counter incremented every 64 secs.
  - L = F(key, SAddr, SPort, DAddr, DPort, T) + SN_C. In practice F_key(X) = MD5(key || X || key); key picked at random during boot.
  - SN_S = T || L (L = 24 bits). Server does not save state.
- Honest client responds with ACK (AN = SN_S).
- Server allocates space for socket only if SN_S is valid.

Slide 15: SYN floods: backscatter [MVS '01]
- SYN with forged source IP -> SYN/ACK to a random host.

Slide 16: Backscatter measurement [MVS '01]
- Listen to unused IP address space (darknet): /8 network monitor (of the 0 to 2^32 address space).
- A lonely SYN/ACK packet is likely to be the result of a SYN attack.
- 2001: 400 SYN attacks/week.
- 2008: 4425 SYN attacks/24 hours (Arbor Networks ATLAS).
- Larger experiments: monitor many ISP darknets (Arbor Networks), network telescope (UCSD).
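The cookie construction on slide 14, as an added worked example; this is my code, not the lecture's and not any operating system's implementation. It follows the slide's formulas: T is a 5-bit counter that advances every 64 seconds, F_key(X) = MD5(key || X || key), L is 24 bits, and SN_S = T || L. Assumptions not on the slide: the byte layout of the 4-tuple and T fed to MD5, that SN_C is added into L modulo 2^24, that the final ACK carries SN_S + 1 and SN_C + 1 as a real TCP ACK does, and a one-counter-step tolerance when validating. All function names are mine.

```python
import hashlib
import ipaddress
import os
import struct
import time

# Constants taken from the slide: T is 5 bits and advances every 64 s, L is 24 bits.
COUNTER_PERIOD = 64
T_BITS, L_BITS = 5, 24
T_MASK, L_MASK = (1 << T_BITS) - 1, (1 << L_BITS) - 1


def boot_key():
    """Key picked at random once, at boot (slide); 16 random bytes is my assumption."""
    return os.urandom(16)


def current_t(now=None):
    """The 5-bit counter T: incremented every 64 seconds, wraps modulo 32."""
    now = time.time() if now is None else now
    return (int(now) // COUNTER_PERIOD) & T_MASK


def f_key(key, saddr, sport, daddr, dport, t):
    """F_key(X) = MD5(key || X || key), truncated to 24 bits.
    X is a fixed-width encoding of (SAddr, SPort, DAddr, DPort, T); the layout is my choice."""
    x = (ipaddress.IPv4Address(saddr).packed + struct.pack("!H", sport)
         + ipaddress.IPv4Address(daddr).packed + struct.pack("!H", dport)
         + bytes([t & T_MASK]))
    digest = hashlib.md5(key + x + key).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(key, saddr, sport, daddr, dport, sn_c, t):
    """SN_S = T || L with L = (F(key, SAddr, SPort, DAddr, DPort, T) + SN_C) mod 2^24.
    The server sends this as its SYN/ACK sequence number and stores nothing."""
    l = (f_key(key, saddr, sport, daddr, dport, t) + sn_c) & L_MASK
    return (t << L_BITS) | l


def check_ack(key, saddr, sport, daddr, dport, ack_seq, ack_an, t_now):
    """Validate the client's final ACK with no per-connection state.
    ack_seq is the ACK's sequence number (SN_C + 1) and ack_an its acknowledgement
    number (SN_S + 1); both are recovered from the packet itself.
    Returns True only if the cookie is fresh and was minted by us for this 4-tuple."""
    sn_s = (ack_an - 1) & 0xFFFFFFFF
    sn_c = (ack_seq - 1) & 0xFFFFFFFF
    if sn_s >> (T_BITS + L_BITS):
        return False                      # our cookies use only 29 bits
    t = (sn_s >> L_BITS) & T_MASK
    # Accept the current counter value or the previous one (the client may be slow).
    if t not in (t_now & T_MASK, (t_now - 1) & T_MASK):
        return False
    expected_l = (f_key(key, saddr, sport, daddr, dport, t) + sn_c) & L_MASK
    return (sn_s & L_MASK) == expected_l


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:80.
    key = boot_key()
    t = current_t()
    sn_c = 0x1234ABCD
    cookie = make_cookie(key, "198.51.100.7", 40000, "203.0.113.10", 80, sn_c, t)
    ok = check_ack(key, "198.51.100.7", 40000, "203.0.113.10", 80, sn_c + 1, cookie + 1, t)
    print(f"SN_S = {cookie:#x} (T = {cookie >> L_BITS}), ACK accepted: {ok}")
```

The point of the check is that a spoofed SYN costs the server one MD5 and no memory: a socket is allocated only after check_ack succeeds, which an attacker cannot arrange for a source address it does not receive packets at. The two-value window on T is what bounds how long a SYN/ACK stays valid (up to roughly two counter periods), which is the replacement for the backlog timeout of slide 11.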
Slide 17: SYN floods II: massive flood (e.g. BetCris.com '03)
- Command a bot army to flood a specific target (DDoS). 20,000 bots can generate 2 Gb/sec of SYNs (2003).
- At the web site: saturates the network uplink or network router.
- Random source IP: attack SYNs look the same as real SYNs. What to do?

Slide 18: Prolexic
- Idea: only forward established TCP connections to the site.
- Lots of SYNs -> Prolexic proxy; lots of SYN/ACKs back; few ACKs; forward to web site.
- Prolexic capacity: a 20 Gb/sec link can handle 40 x 10^6 SYN/sec.

Slide 19: Other junk packets
Attack packet | Victim response | Rate (2008, ATLAS)
TCP SYN to open port | TCP SYN/ACK | 4425
TCP SYN to closed port | TCP RST |
TCP ACK or TCP DATA | TCP RST |
TCP RST | No response |
TCP NULL | TCP RST | 2821
ICMP ECHO Request | ICMP ECHO Response | 8352
UDP to closed port | ICMP Port unreachable | 276
- The proxy must keep floods of these away from the web site.

Slide 20: Estonia attack (ATLAS '07)
- Attack types detected: 115 ICMP floods, 4 TCP SYN floods.
- Bandwidth: 12 attacks at 70-95 Mbps for over 10 hours.
- All attack traffic was coming from outside Estonia.
- Estonia's solution: Estonian ISPs blocked all foreign traffic until the attacks stopped. The DoS attack had little impact inside Estonia.

Slide 21: Stronger attacks: TCP connection flood
- Command a bot army to: complete a TCP connection to the web site; send a short HTTP HEAD request; repeat.
- Will bypass the SYN flood protection proxy, but: the attacker can no longer use random source IPs; this reveals the location of the bot zombies; the proxy can now block or rate-limit bots.

Slide 22: DNS DoS attacks (e.g. bluesecurity '06)
- DNS runs on UDP port 53.
- DNS entry for victim.com hosted at victim_isp.com.
- DDoS attack: flood victim_isp.com with requests for victim.com; random source IP address in UDP packets.
- Takes out the entire DNS server: collateral damage. bluesecurity DNS was hosted at the Tucows DNS server; the DNS DDoS took out Tucows, hosting many, many sites. What to do?

Slide 23: Root-level DNS attacks
- Feb 6, 2007: botnet attack on the 13 Internet DNS root servers. Lasted 2.5 hours. None crashed, but two performed badly: g-root (DoD), l-root (ICANN). Most other root servers use anycast.
- An attack in Oct 2002 took out 9 of the 13 TLD servers.
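Slides 15-16 describe inferring SYN floods from the SYN/ACKs that land in unused address space, and slide 19 tabulates which victim response each kind of junk packet provokes. The following is an added example, my own code rather than the lecture's or Arbor's, that puts the two together: it classifies packets captured on a darknet by the response type in the slide 19 table, groups them by the victim that sent them, and reports victims with enough responses in a window. The packet capture is constructed; the /8 scaling factor assumes the attacker's spoofed sources are uniform over the 32-bit space, and the window and threshold are my choices, not values from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet seen on the darknet. On a darknet, src is the victim that answered
    a spoofed packet and dst is an unused address inside the monitored range."""
    ts: float
    src: str
    dst: str
    proto: str                      # "tcp" or "icmp"
    tcp_flags: frozenset = frozenset()
    icmp_type: int = -1
    icmp_code: int = -1


def infer_attack_packet(p):
    """Map a backscatter packet to the attack packet that provoked it (slide 19 table).
    Returns None for packets that are not a recognised victim response (e.g. a plain SYN,
    which is a scan of the darknet, not backscatter)."""
    if p.proto == "tcp":
        if {"SYN", "ACK"} <= p.tcp_flags:
            return "TCP SYN to open port"
        if "RST" in p.tcp_flags:
            return "TCP SYN to closed port / ACK or DATA / NULL"
        return None
    if p.proto == "icmp":
        if p.icmp_type == 0:
            return "ICMP ECHO request"
        if p.icmp_type == 3 and p.icmp_code == 3:
            return "UDP to closed port"
    return None


# A /8 covers 2^24 of the 2^32 addresses, so with uniformly spoofed sources it sees 1/256
# of the victim's responses (assumption stated in the lead-in).
DARKNET_FRACTION = 1 / 256


def summarise_backscatter(packets, window=60.0, min_packets=3):
    """Group backscatter by (victim, inferred attack type); report each pair that has at
    least min_packets responses inside any `window`-second span, with the observed rate
    and the rate extrapolated to the whole address space."""
    by_victim = defaultdict(list)
    for p in packets:
        kind = infer_attack_packet(p)
        if kind is not None:
            by_victim[(p.src, kind)].append(p.ts)
    report = []
    for (victim, kind), stamps in sorted(by_victim.items()):
        stamps.sort()
        best, lo = 0, 0                 # densest sliding window over the timestamps
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_packets:
            observed = best / window
            report.append({"victim": victim, "attack": kind,
                           "observed_pps": observed,
                           "estimated_pps": observed / DARKNET_FRACTION})
    return report


def sample_packets():
    """Constructed darknet capture, not real data: one SYN-flood victim, one ICMP-flood
    victim, a lone RST below threshold, and a scan probe that is not backscatter."""
    syn_ack = frozenset({"SYN", "ACK"})
    pk = [Packet(ts=2.0 * i, src="203.0.113.10", dst=f"10.{i}.0.1", proto="tcp",
                 tcp_flags=syn_ack) for i in range(5)]
    pk += [Packet(ts=10.0 + i, src="198.51.100.20", dst=f"10.200.{i}.9", proto="icmp",
                  icmp_type=0, icmp_code=0) for i in range(4)]
    pk.append(Packet(ts=3.0, src="192.0.2.5", dst="10.7.7.7", proto="tcp",
                     tcp_flags=frozenset({"RST"})))
    pk.append(Packet(ts=4.0, src="192.0.2.77", dst="10.8.8.8", proto="tcp",
                     tcp_flags=frozenset({"SYN"})))
    return pk


if __name__ == "__main__":
    for row in summarise_backscatter(sample_packets()):
        print(row)
```

The lone RST is the slide's "lonely" packet problem from the other direction: a single response is evidence, but the MVS-style measurement only calls something an attack once a victim shows a sustained run of responses, which is what the window threshold encodes. The extrapolation is only as good as the uniform-spoofing assumption; an attacker spoofing from a narrower range shows up under- or over-counted.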
Slide 24: DNS DoS solutions
- Generic DDoS solutions: later on. Require major changes to DNS.
- DoS-resistant DNS design: CoDoNS [Sirer '04], Cooperative Domain Name System: a P2P design for the DNS system; DNS nodes share the load; simple update of DNS entries; backwards compatible with existing DNS.

Slide 25: DoS via route hijacking
- YouTube is 208.65.152.0/22 (includes 2^10 IP addr); youtube.com is 208.65.153.238.
- Feb 2008: Pakistan Telecom advertised a BGP path for 208.65.153.0/24 (includes 2^8 IP addr)
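Why a /24 announcement pulls traffic away from a /22 that already covers it, shown as an added example in code that is mine, not the lecture's. Routers forward on the longest matching prefix, so the more specific route wins regardless of which one is legitimate; the same rule gives a prefix owner a simple monitoring check. The YouTube prefix and address are from the slide; the origin labels are placeholders, not real AS numbers, and the routing table is constructed.

```python
import ipaddress


def build_table(entries):
    """Routing table as (network, origin) pairs from (prefix string, origin label)."""
    return [(ipaddress.ip_network(prefix), origin) for prefix, origin in entries]


def longest_prefix_match(table, addr):
    """Forwarding decision: of all prefixes containing addr, the longest (most specific)
    wins. Returns (network, origin) or None if nothing matches."""
    a = ipaddress.ip_address(addr)
    matches = [(net, origin) for net, origin in table if a in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def more_specifics_not_ours(table, own_prefix, own_origin):
    """Route-monitor check for a prefix owner: any prefix strictly inside own_prefix that
    is announced by a different origin will attract our traffic under longest-prefix
    matching, so each such entry is worth an alert."""
    own = ipaddress.ip_network(own_prefix)
    return [(net, origin) for net, origin in table
            if net != own and net.subnet_of(own) and origin != own_origin]


# Constructed tables: before and after an unexpected /24 appears inside YouTube's /22.
NORMAL = build_table([("0.0.0.0/0", "ORIGIN_DEFAULT"),
                      ("208.65.152.0/22", "ORIGIN_YOUTUBE")])
WITH_MORE_SPECIFIC = build_table([("0.0.0.0/0", "ORIGIN_DEFAULT"),
                                  ("208.65.152.0/22", "ORIGIN_YOUTUBE"),
                                  ("208.65.153.0/24", "ORIGIN_OTHER")])


if __name__ == "__main__":
    for name, table in (("normal", NORMAL), ("with /24", WITH_MORE_SPECIFIC)):
        net, origin = longest_prefix_match(table, "208.65.153.238")
        print(f"{name}: youtube.com -> {net} ({net.num_addresses} addrs) via {origin}")
    print("alerts:", more_specifics_not_ours(WITH_MORE_SPECIFIC,
                                             "208.65.152.0/22", "ORIGIN_YOUTUBE"))
```

The check lists only prefixes strictly inside the owner's aggregate; an equal-length announcement by another origin is a different problem (an origin conflict rather than a more-specific) and would need its own rule.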