DDoS
Prepared For: Prof. Ruby Lee, ELE 572
Prepared By: Ali Bayazit (abayazit@princeton.edu), Qiang Huang (qhuang@princeton.edu), Stephen Specht (sspecht@princeton.edu)
Phone: (609) 986, (609) 947-3131, (609) 986-9572
September 23, 2002
Presentation Overview

Introduction to DDoS
- Overview of DoS (Specht)
- Overview of DDoS (Specht)
- Case Study of DDoS victim GRC.com (Specht)

Overview of DoS
- Background Information: Denial of Service Attacks
- Classification of Denial of Service Attacks
- Countermeasures for Denial of Service Attacks
- Denial of Service Attack Shortfalls

Overview of DDoS
- Distributed Denial of Service Attacks
- Distributed Denial of Service Attack Architecture
- Widely Used Distributed Denial of Service Tools: Trinoo, TFN/TFN2K, Stacheldraht
Specht
Classification of Denial of Service Attacks (Affected Area / Example / Description)

Affected area: Routers, IP switches, firewalls
Example: Ascend Kill II, Christmas Tree Packets
Description: Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.

Affected area: Equipment vendor OS
Example: Ping of Death, ICMP Echo attacks, Teardrop
Description: Attack takes advantage of the way operating systems implement protocols.

Affected area: End-user equipment
Example: Finger Bomb, Windows NT RealServer G2 6.0
Description: Attack a service or machine by using an application attack to exhaust resources.

Example: Smurf attack (amplifier attack), UDP Echo (oscillation attack), SYN (connection depletion)
Description: Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.

Description: Attack in which bugs in a protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting DNS server caches.
Countermeasures for Denial of Service Attacks (Description / Example)

- Software upgrades can fix known bugs, and packet filtering can prevent attacking traffic from entering a network.
- Shortening the backlog time and dropping backlog connections will free up resources.
- SYN cookies proactively prevent attacks.
- Software used to detect illicit activity. Example: GuardDog, other vendors.
- Extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and to accomplish complete attacks. Example: Akamai/Digital Island provide content distribution.
- Trace source/destination packets by a means other than the IP address (protects against IP address spoofing). Example: IETF standard for itrace.
- DNSSEC would provide authorization and authentication of DNS information. Example: DNSSEC.
DoS Shortfalls
- DoS attacks are unable to attack large-bandwidth websites: one upstream client cannot generate enough bandwidth to cripple major megabit websites.
- New distributed server architectures make it harder for one DoS to take down an entire site.
- New software protections neutralize existing DoS attacks quickly.
- Service providers know how to prevent these attacks from affecting their networks.
- Old Internet technology: something new needs to take its place (hackers want the challenge of a new technology).
September 23, 2002 Princeton University Electrical Engineering Department
DDoS Architecture
[Figure: three-tier DDoS architecture; the slide drew two attacker clients controlling four handlers, which in turn control a row of agents.]
Trinoo
- First DDoS tool widely available [2].
- Uses a UDP flooding attack strategy [2].
- TCP connectivity between master and hosts [2].
- UDP connectivity between master and agents [2].
Analysis of trinoo [4]
1. A stolen account is set up as a repository for pre-compiled versions of attack tools, including the trinoo daemon and master programs, together with a list of vulnerable hosts (ideally it has high bandwidth and little administrative oversight).
2. A scan is performed to identify potential targets (large network blocks are scanned). Systems running services known to have exploitable buffer overflow bugs (Solaris 2.x / Linux) are ideal.
3. The list of vulnerable systems is used to create a script that performs the exploit (on the TCP port, commonly the 1524 ingresslock service port) and connects to this port to verify the exploit was successful. From this, a list of owned systems is generated; these systems are candidates for the trinoo network.
4. A subset of owned systems with desirable attributes is selected for the attack network. Precompiled binaries of the trinoo daemon are created and stored on a stolen account somewhere.
5. A new script is written to automatically install the trinoo daemon on the selected systems. Some installations fail, but the successful ones form the attacking network.
6. Next, the master system is set up (typically on a service provider's primary name server). Remote control of the master is via TCP port 27665. The master communicates with the agents via UDP port 27444, and the agents send responses to the master on UDP port 31335.
7. The user can now use the master system to launch DDoS attacks against selected targets.
8. Master and agents are password protected.
9. Commands are three-letter codes sent in binary, so they won't show up as strings.
Analysis of TFN [5]
- Installation steps are similar to trinoo.
- Commands to the agents are sent as a 16-bit binary number in the ID field of an ICMP_ECHO_REPLY packet. (The sequence number is a constant 0x0000, which makes it look like the response to the initial packet sent out by the "ping" command.)
- This attack is difficult to stop: one method is to block ICMP_ECHO_REPLY packets, but this effectively stops all ICMP traffic.
- TFN provides no authentication, so a single captured packet will identify the source.
TFN2K
- The successor to TFN, also written by Mixter [2].
- Allows for encrypted messaging between components [2].
- Handlers and agents can communicate using ICMP, UDP, or TCP; random protocol selection is possible [2].
- Adds an additional attack form called TARGA (sends malformed IP packets known to slow down or hang network stacks) [2].
- Also adds a MIX attack which uses UDP, SYN, and ICMP_Echo_Reply flooding [2].
stacheldraht
- German for "barbed wire".
- Based on early TFN versions [2].
- Provides ICMP, UDP, and TCP SYN attack options [2].
- Has the ability to perform daemon updates automatically [2].
Analysis of stacheldraht [6]
- Combines the trinoo and TFN tools and adds encryption of the communication between the attacker and the stacheldraht masters.
- Provides automatic updates to agents on demand (using the Berkeley rcp command (port 514), all agents log on to a server and fetch a new version).
- Includes a secure telnet (symmetric key encryption) connection between attacker and master, which prevents session hijacking.
- Built-in limit of 1000 agents so as not to exceed the maximum number of open file handles (1024).
- Agents and handlers continually send ICMP_ECHOREPLY packets to each other. These can be used to identify stacheldraht with a packet sniffer.
- Agents can also perform an ID test to handlers.
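The TFN and stacheldraht analyses above both describe control traffic that rides on ICMP echo replies: TFN puts a 16-bit command in the ID field with sequence number 0x0000, and stacheldraht agents and handlers exchange echo replies continuously. The following added example (not code from the slides or from Dittrich's analyses) shows the sniffer-side check those observations suggest: keep state on echo requests seen on the wire, flag any echo reply that answers no request, and annotate the seq=0 and repeated-pair patterns. The packet bytes and addresses are constructed sample data; the repeat threshold of 3 is an assumption.

```python
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def parse_icmp(payload: bytes) -> dict:
    """Parse the 8-byte ICMP echo header: type, code, checksum, identifier, sequence."""
    if len(payload) < 8:
        raise ValueError("ICMP header too short")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": typ, "code": code, "checksum": csum, "id": ident, "seq": seq}


def build_icmp(typ: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """Construct an ICMP echo packet for the sample traffic below (checksum left as 0)."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data


class EchoReplyMonitor:
    """Flags echo replies that answer no observed request and annotates the
    patterns the TFN and stacheldraht analyses describe."""

    def __init__(self, repeat_threshold: int = 3):
        self.pending = set()          # (src, dst, id, seq) of echo requests seen
        self.unsolicited = Counter()  # (src, dst) -> count of unsolicited replies
        self.repeat_threshold = repeat_threshold
        self.alerts = []

    def observe(self, src: str, dst: str, payload: bytes):
        hdr = parse_icmp(payload)
        if hdr["type"] == ICMP_ECHO_REQUEST:
            self.pending.add((src, dst, hdr["id"], hdr["seq"]))
            return None
        if hdr["type"] != ICMP_ECHO_REPLY:
            return None
        # A genuine reply reverses the addresses and repeats the request's id/seq.
        key = (dst, src, hdr["id"], hdr["seq"])
        if key in self.pending:
            self.pending.discard(key)
            return None
        pair = (src, dst)
        self.unsolicited[pair] += 1
        reasons = ["echo reply with no matching echo request"]
        if hdr["seq"] == 0:
            reasons.append("seq=0x0000, id=0x%04x carries a 16-bit value (TFN command pattern)" % hdr["id"])
        if self.unsolicited[pair] >= self.repeat_threshold:
            reasons.append("repeated unsolicited replies between the same hosts (stacheldraht keepalive pattern)")
        alert = {"src": src, "dst": dst, "id": hdr["id"], "seq": hdr["seq"], "reasons": reasons}
        self.alerts.append(alert)
        return alert


def run_sample() -> EchoReplyMonitor:
    """Constructed sample: one legitimate ping exchange, then three unsolicited replies."""
    mon = EchoReplyMonitor()
    mon.observe("10.0.0.5", "10.0.0.9", build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1))
    mon.observe("10.0.0.9", "10.0.0.5", build_icmp(ICMP_ECHO_REPLY, 0x1234, 1))
    for _ in range(3):
        mon.observe("192.0.2.7", "198.51.100.3", build_icmp(ICMP_ECHO_REPLY, 0x0159, 0))
    return mon


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

The legitimate request/reply pair produces no alert; each of the three unsolicited replies does, and the third also carries the repeated-pair annotation. Blocking echo replies outright would, as the slide notes, stop all ping traffic; matching replies against requests keeps normal ping working.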
GRC.com Network [7]
[Figure: GRC.com network diagram; labels preserved from the slide: Internet, 100Mbps, T1 Trunk, Router Firewall, 100Mbps, Verio Router, Internet, T1 Trunk, GRC.COM.]
GRC.COM Case Study: Difficulty in Getting Help Stopping DDoS Attacks [7]
- GRC contacts Earthlink but receives no help.
- GRC contacts @Home (over 100 @Home PCs were identified as hosts for the attack). @Home, however, did not want to help.
- The FBI was unable to help GRC either.
- GRC then receives an anonymous e-mail in its web-based spyware drop box containing the zombie (DDoS daemon).
[Figure: GRC.com attack sequence diagram; labels preserved from the slides: IRC Servers, Internet, Finland, T1 Trunk, Verio Router, GRC.COM. Step captions as printed:
2. Zombie bots or DDoS tools that were previously inserted into PCs out in the network wake up and connect to an IRC server, waiting for instructions.
2. Each DDoS daemon begins to attack the selected website.]
Huang
We need two things: suitable technological solutions in the Internet and suitable incentives for the users of the Internet. The machinery and the incentives interlock and must be designed together. We also need to consider cost-effectiveness: technical solutions and incentive structures must be constructed in a cost-effective way. The biggest barrier to defending against DDoS attacks is the lack of economic incentives for Internet users to cooperate. Sample research by icsa.net shows that less than 15 percent of all corporate users are filtering source IP addresses. An even smaller percentage of Internet service providers, less than 8 percent, are doing this type of filtering.
Different solutions can coexist to achieve a better defense and coordination is often required to be global.
It is not practical, nor potentially beneficial, to secure all computers on the wired Internet. Alternatively, an effective and efficient solution would be to selectively secure those computers that have high traffic throughput such as routers or high performance and high bandwidth workstations so that the marginal benefit for each dollar spent on security is optimized.
If there is no legitimate need for UDP packets to pass, then a firewall or router can block them. Multicasts from one subnet to another are not always needed. A firewall or router can block these.
In any case, when a zombie is used in the attack, it is very hard to trace past the zombie and find the attacker. Our concern here is not so much to catch the attacker as to stop the attack; the attacker can stay anonymous as long as the attack is stopped. IP routers can apply address filtering, discarding packets whose source address does not match the wire on which the packet arrived. This limits IP forgery at least to a sub-network. So the tracing system should be efficient at stopping zombies.
If the traffic monitor in the load balancer detects a possible DoS attack, it gradually slows down all incoming traffic from the originating IP address by assigning it to progressively slower queues. If even this does not stop the attack, the IP address is placed on a firewall block list for a configurable amount of time. Otherwise, after a certain interval of normal activity, the downgraded IP can be upgraded to better queues. To decide whether a potential attacker is indeed malicious, we use a Bayesian estimation method.
$p(x \mid y) \propto L(y \mid x)\, p(x)$

If multiple observations are made of the target, and each filter has an independent likelihood function ($L_1, L_2, \ldots, L_n$), the overall probability can be calculated as

$p(x \mid y_1, y_2) \propto L_2(y_2 \mid x)\, L_1(y_1 \mid x)\, p(x) \propto L_2(y_2 \mid x)\, p(x \mid y_1)$

This process may be repeated any number of times.
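The following added example (not code from the slides) implements the sequential update above for x in {malicious, benign} and wires it to the queue-demotion, firewall-block and recovery policy described two paragraphs earlier. The two filters, their step-function likelihood tables, the prior of 0.05, the thresholds and the timing constants are all constructed placeholders for whatever a real monitor would measure and fit; the class and function names are mine.

```python
from typing import Callable, Dict, List, Tuple

Likelihood = Tuple[float, float]  # (L(y | malicious), L(y | benign))


def bayes_update(prior_malicious: float, likelihoods: List[Likelihood]) -> float:
    """Sequential Bayesian update: p(x|y1..yn) is proportional to
    L_n(y_n|x) ... L_1(y_1|x) p(x), normalised over x in {malicious, benign}."""
    p_mal, p_ben = prior_malicious, 1.0 - prior_malicious
    for l_mal, l_ben in likelihoods:
        p_mal *= l_mal
        p_ben *= l_ben
        total = p_mal + p_ben
        p_mal, p_ben = p_mal / total, p_ben / total   # renormalise after each filter
    return p_mal


# Two constructed filters with step-function likelihoods.
def syn_ratio_filter(y: float) -> Likelihood:
    """y = fraction of packets from the source that are bare SYNs."""
    return (0.9, 0.1) if y > 0.8 else (0.2, 0.8)


def packet_rate_filter(y: float) -> Likelihood:
    """y = packets per second from the source."""
    return (0.85, 0.15) if y > 1000 else (0.3, 0.7)


class AdaptiveLoadBalancer:
    """Per-source queue demotion, firewall blocking and recovery driven by the posterior."""

    def __init__(self, filters: Dict[str, Callable[[float], Likelihood]], prior: float = 0.05,
                 n_queues: int = 4, downgrade_at: float = 0.5, block_at: float = 0.95,
                 block_seconds: int = 600, recovery_seconds: int = 120):
        self.filters = filters
        self.prior, self.n_queues = prior, n_queues
        self.downgrade_at, self.block_at = downgrade_at, block_at
        self.block_seconds, self.recovery_seconds = block_seconds, recovery_seconds
        self.state: Dict[str, dict] = {}
        self.firewall_blocklist: Dict[str, float] = {}  # ip -> time the block expires

    def observe(self, ip: str, now: float, observation: Dict[str, float]) -> str:
        st = self.state.setdefault(ip, {"queue": 0, "p": self.prior, "last_suspicious": None})
        if ip in self.firewall_blocklist:
            if now < self.firewall_blocklist[ip]:
                return "blocked"
            # Block expired: re-admit on the slowest queue and start estimation afresh.
            del self.firewall_blocklist[ip]
            st.update(queue=self.n_queues - 1, p=self.prior, last_suspicious=now)
        likelihoods = [f(observation[name]) for name, f in self.filters.items()]
        st["p"] = bayes_update(st["p"], likelihoods)       # carry the posterior forward
        if st["p"] >= self.block_at:
            self.firewall_blocklist[ip] = now + self.block_seconds
            return "blocked"
        if st["p"] >= self.downgrade_at:
            st["last_suspicious"] = now
            st["queue"] = min(st["queue"] + 1, self.n_queues - 1)   # one queue slower
        elif st["queue"] > 0 and now - st["last_suspicious"] >= self.recovery_seconds:
            st["queue"] -= 1                                        # one queue faster
            st["last_suspicious"] = now   # the next promotion needs another quiet interval
        return "queue%d" % st["queue"]


def run_scenario() -> Dict[str, List[str]]:
    """Constructed timeline: a flooding source is demoted, blocked, then recovers slowly."""
    lb = AdaptiveLoadBalancer({"syn_ratio": syn_ratio_filter, "rate": packet_rate_filter})
    flood = {"syn_ratio": 0.95, "rate": 5000.0}
    normal = {"syn_ratio": 0.10, "rate": 100.0}
    attacker = [lb.observe("192.0.2.7", t, obs) for t, obs in
                ((0, flood), (10, flood), (20, flood), (700, normal), (900, normal))]
    benign = [lb.observe("198.51.100.3", 0, normal)]
    return {"attacker": attacker, "benign": benign}
```

With these tables the first flood window moves the posterior from 0.05 to about 0.73 (demotion to queue 1); the second lifts it above 0.99 and the source is blocked for 600 seconds; after expiry it re-enters on the slowest queue and is promoted one queue per quiet interval. Because the posterior is carried forward rather than recomputed from the prior, benign windows drive it back down, which is what allows recovery.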
The figure represents a possible configuration of IDIP and a possible attack. The attacker a is flooding the victim v. The flood is taking just one route through the network, passing through BCs r4, r3, r2, and r1. They are probably routers. IV0-IV4 is each a set of indirect victims - those who cannot communicate with v because of the attack. S1, S2, S3, S4 are other sets of BCs in the network. The intrusion detector w can be part of v or another program.
To stop the Million Zombie Flood we must make it much harder to hijack zombies. If hosts used well known cures to well known vulnerabilities, then they would be much harder to hijack and the Million Zombie Flood would be much more expensive to mount. A great challenge is to induce everyone to protect their hosts.
Possible forms of DDoS attacks on wireless networks:
1. Those that are found on the wired Internet.
2. Attacks on the radio spectrum, which is naturally a scarce resource.
3. Attacks across both the wireless and the wired Internet.
Given the differences in computational power and bandwidth between wired and wireless devices, it is easier for an attacker to use wired devices to initiate cross-platform attacks toward wireless devices.
A dynamic usage-based fee scheme deals with unpredictable congestion, including congestion caused by DDoS attacks. The characteristic of a dynamic usage-based fee is an increase in unit price when congestion happens or is about to happen. Wireless device owners are therefore more likely to set up traffic control rules on their devices that delay or cancel data transmission when the network is congested or approaching congestion. So even if an attacker instructs all zombie devices to send attack traffic at the same time, an effectively synchronized attack is unlikely to occur.
A monetary incentive structure may not be available for the Wireless Ad Hoc Network, simply because of the lack of a charging system. Instead, other incentive mechanisms, e.g., a voting mechanism which effectively rules out a member upon heavy radio frequency usage, can serve the same purpose.
For defending the Wireless Extended Internet, a usage-based fee plan is also needed for the wired Internet, which is mainly used to prevent DDoS attacks inside the wired Internet.
Remarks
When DDoS attacks came to the wired Internet, the infrastructure of the wired Internet had been stable for decades, lacking reliable mechanisms for QoS control and incentive structures for traffic control. As a result, it was repeatedly targeted by DDoS attacks. In comparison, the wireless Internet industry has a chance to address DDoS attacks before it fully matures.
Bayazit
Motivation
The first computers on the DARPAnet failed to communicate because of a handshaking problem, which was nothing but DoS. Examples:
- Code Red (July 2001)
- EFNet.org (July 2001)
- Microsoft (January 2001)
Backward Tracing
- Probabilistic Packet Marking
- Itrace
- SPIE
Disadvantages
- Requires a high volume of traffic
- Some applications use the ID field
- Low probability / heavy processing; hardware acceleration?
- IPv6 doesn't have an ID field
ITrace
- Send a packet
- Why low probability?
- Why pseudo-random probability? Why not just a counter?
- Higher volume of traffic
SPIE
- Traffic logging
- Bloom filtering
- Hash functions (k functions map to an n-bit target space)
- High correlation between the headers?
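The SPIE bullets name the mechanism without showing it, so here is an added example (mine, not code from the slides or from the SPIE project) of the idea: each router folds a digest of every forwarded packet into a Bloom filter with k hash functions over an n-bit array, and traceback asks each router whether the victim's packet is in its filter. It assumes, following the published SPIE design as I understand it, that the digest covers the IPv4 header with the per-hop fields (TOS, TTL, checksum) masked plus the first 8 bytes of payload, which is also the answer to the "high correlation between the headers" question: two packets with identical headers still hash differently once the payload prefix is included. Deriving the k hash functions from slices of SHA-256 is my implementation choice, and all packets and router names are constructed.

```python
import hashlib
import ipaddress
import math
import struct
from typing import List


class BloomFilter:
    """n-bit array with k hash functions, each a 4-byte slice of SHA-256 reduced mod n."""

    def __init__(self, n_bits: int, k: int):
        assert 1 <= k <= 8, "eight 4-byte slices fit in a SHA-256 digest"
        self.n, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)
        self.count = 0   # digests inserted, for the false-positive estimate

    def _positions(self, item: bytes):
        h = hashlib.sha256(item).digest()
        for i in range(self.k):
            yield int.from_bytes(h[4 * i:4 * i + 4], "big") % self.n

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def false_positive_rate(self) -> float:
        """Standard estimate (1 - e^(-kN/n))^k for N inserted items."""
        return (1 - math.exp(-self.k * self.count / self.n)) ** self.k


def ipv4_header(src: str, dst: str, proto: int = 17, ttl: int = 64, ident: int = 0,
                total_len: int = 28) -> bytes:
    """Minimal 20-byte IPv4 header (no options) for the constructed traffic."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def packet_digest(ip_header: bytes, payload: bytes) -> bytes:
    """Digest input: IPv4 header with hop-variant fields masked (TOS, TTL, checksum;
    IP options are not handled here) followed by the first 8 payload bytes."""
    hdr = bytearray(ip_header[:20])
    hdr[1] = 0                  # TOS may be rewritten en route
    hdr[8] = 0                  # TTL changes at every hop
    hdr[10:12] = b"\x00\x00"    # header checksum changes with TTL
    return bytes(hdr) + payload[:8].ljust(8, b"\x00")


class DigestRouter:
    def __init__(self, name: str, n_bits: int = 1 << 16, k: int = 4):
        self.name, self.table = name, BloomFilter(n_bits, k)

    def forward(self, ip_header: bytes, payload: bytes) -> bytes:
        """Log the packet's digest, then decrement TTL as a real hop would."""
        self.table.add(packet_digest(ip_header, payload))
        hdr = bytearray(ip_header)
        hdr[8] -= 1
        return bytes(hdr)


def trace(routers: List[DigestRouter], ip_header: bytes, payload: bytes) -> List[str]:
    """Ask every router whether it saw the victim's copy of the packet."""
    d = packet_digest(ip_header, payload)
    return [r.name for r in routers if d in r.table]


def run_sample():
    r1, r2, r3 = DigestRouter("r1"), DigestRouter("r2"), DigestRouter("r3")
    hdr = ipv4_header("192.0.2.7", "198.51.100.3", ttl=60, ident=0x1A2B)
    payload = b"\x00\x35\x00\x35\x00\x14\x00\x00FLOOD"     # UDP header + data
    for r in (r1, r2):            # attack path r1 -> r2 -> victim; r3 is off-path
        hdr = r.forward(hdr, payload)
    for i in range(200):          # unrelated background traffic through r3
        r3.forward(ipv4_header("203.0.113.%d" % (i % 50 + 1), "198.51.100.3", ident=i),
                   b"bg%06d" % i)
    # The victim holds the packet as received (TTL already decremented twice).
    return trace([r1, r2, r3], hdr, payload), r3.table.false_positive_rate()
```

The victim's copy has a different TTL from what r1 and r2 saw, yet both answer yes because TTL is masked out of the digest, while r3, which only carried background traffic, answers no (up to the Bloom filter's false-positive rate, which the last line reports). Sizing n and k against expected packet counts is what keeps that rate acceptable in practice.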
Operating System
- Windows NT5/XP? Spoofing
- Linux
Filtering
- Ingress Filtering
- Egress Filtering
- ISP Responsibility
- Good Neighbor Network
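Ingress and egress filtering are only named here, and Huang's section earlier states the rule behind them: a router discards packets whose source address does not match the wire they arrived on, which confines forgery to a sub-network. The following added example (mine, not code from the slides) models a site edge router doing both: strict per-interface ingress checks, a reverse check on the upstream link so that the site's own addresses are never accepted from outside, and an egress check so that nothing leaves toward the upstream with a non-site source. The topology, prefixes and packets are constructed; the class and function names are mine. The fourth packet shows the limit the slides mention: a forged address inside the arriving wire's own prefix still passes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Interface:
    name: str
    prefixes: List[str] = field(default_factory=list)  # source prefixes legitimately behind this link
    upstream: bool = False                              # transit link toward the rest of the Internet


class FilteringRouter:
    """Site edge router applying ingress filtering per interface and egress
    filtering toward the upstream link."""

    def __init__(self, interfaces: List[Interface], site_prefixes: List[str]):
        self.ifaces = {i.name: i for i in interfaces}
        self.site = [ipaddress.ip_network(p) for p in site_prefixes]
        self.log: List[Tuple[str, str, str, str]] = []

    def ingress_ok(self, iface_name: str, src: str) -> bool:
        """Ingress filter: the source must belong to the wire the packet arrived on."""
        iface, addr = self.ifaces[iface_name], ipaddress.ip_address(src)
        if iface.upstream:
            # From outside, any source is plausible except our own addresses.
            return not any(addr in net for net in self.site)
        return any(addr in ipaddress.ip_network(p) for p in iface.prefixes)

    def egress_ok(self, src: str) -> bool:
        """Egress filter: nothing leaves toward upstream unless it carries a site source."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.site)

    def forward(self, in_iface: str, out_iface: str, src: str, dst: str) -> bool:
        if not self.ingress_ok(in_iface, src):
            self.log.append(("DROP-INGRESS", in_iface, src, dst))
            return False
        if self.ifaces[out_iface].upstream and not self.egress_ok(src):
            self.log.append(("DROP-EGRESS", out_iface, src, dst))
            return False
        self.log.append(("FORWARD", in_iface, src, dst))
        return True


def run_scenario() -> List[bool]:
    """Constructed topology: two LAN segments and a lab segment behind one upstream link."""
    router = FilteringRouter(
        [Interface("lan-a", ["203.0.113.0/25"]),
         Interface("lan-b", ["203.0.113.128/25"]),
         Interface("lab", ["10.0.0.0/8"]),
         Interface("wan", upstream=True)],
        site_prefixes=["203.0.113.0/24"])
    victim = "198.51.100.3"
    packets = [
        ("lan-a", "wan", "203.0.113.10", victim),          # genuine host on lan-a
        ("lan-a", "wan", "198.51.100.9", victim),          # forged foreign source
        ("lan-a", "wan", "203.0.113.200", victim),         # lan-b address arriving on lan-a
        ("lan-a", "wan", "203.0.113.77", victim),          # forged, but within lan-a's own prefix
        ("lab", "wan", "10.1.2.3", victim),                # private source must not leak out
        ("wan", "lan-a", "203.0.113.5", "203.0.113.10"),   # our own address arriving from outside
        ("wan", "lan-a", "192.0.2.7", "203.0.113.10"),     # ordinary inbound traffic
    ]
    return [router.forward(*p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

The lab packet passes the ingress check (its source does belong to the lab wire) but is stopped by the egress check, which is why both directions of filtering are listed: ingress filtering is about where a source may appear, egress filtering is about what the site is willing to put its name to on the upstream link.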
Filtering In Detail
- What can be filtered?
- Case Study on Reflectors
Signature Catch
- Widespread deployment of filtering
- Complex, heavy processing
- Impractical for large volumes of traffic

Trace Back
- Heavy deployment of new software
- There are many different software vendors
What can be filtered?
[Table: the header-field column did not survive extraction; the Comments column reads: Insignificant; Insignificant; Could Be Useful; Insignificant If Not Using NFS, AFS, GRE; None (is it?); None; None; ????; ????]

TCP
[Table: fields listed as Source Port, SYN, ACK, RST, Sequence numbers; the Comments column reads: Not Much, Depends; Not Much, Depends; Dangerous; DANGEROUS! (one fewer comment than fields, so the row mapping is not recoverable).]
Defending Against DDoS: Traffic Tracking
- Network Traffic Tracking Systems (NTTS)
- Model of Network Anonymity
- Desirable Properties of an NTTS
- Three Model Environments
Specht
Network Traffic Tracking Systems (NTTS) [8]
- System to track network traffic
- Difficult to track network traffic due to:
  - Spoofing (the network traffic source is a lie)
  - Redirection (a network entity receives traffic and edits it in some way before resending)

Issues
- NTTS can be successful in a closed environment with strong infrastructure
- In an open, global network (the Internet) it is not possible to deploy a perfect NTTS
[Figure: privacy sensitivity plotted against the layer stack: User Session Layer, Application Layer, Presentation Layer, Network Session Layer, Transport Layer, Network/Internetwork Layer, Data Link Layer, Physical Layer.]
Academic Model
Internet Model
References
1. Karig, David and Ruby Lee. Remote Denial of Service Attacks and Countermeasures. Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
2. Kargl, Frank, Joern Maier, and Michael Weber. Protecting Web Servers from Distributed Denial of Service Attacks. WWW10, May 1-5, Hong Kong. ACM 1-58113-348-0/01/0005.
3. Stein, Lincoln. The World Wide Web Security FAQ, Version 3.1.2, February 4, 2002. http://www.s3.org/security/faq/ (visited October 1, 2002).
4. Dittrich, David. The DoS Project's trinoo Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (visited October 1, 2002).
5. Dittrich, David. The Tribe Flood Network Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (visited October 1, 2002).
6. Dittrich, David. The stacheldraht Distributed Denial of Service Attack Tool. University of Washington, December 31, 1999. http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt (visited October 1, 2002).
7. Gibson, Steve. The Strange Tale of the Denial of Service Attacks Against GRC.com. Gibson Research Corporation, March 5, 2002. http://grc.com/dos/grcdos.htm
8. Daniels, Thomas E. and Eugene H. Spafford. Network Traffic Tracking Systems: Folly in the Large? Center for Education and Research in Information Assurance and Security (CERIAS), Lafayette, IN, 2001.