Posted on 21-Mar-2018
Low-intensity DoS attacks on BGP infrastructure
Paul Neumann
One need not fear superior numbers if the opposing force has been properly scouted and appraised.
George Armstrong Custer
pneumann@umt.edu.al
DoS attacks
Aim: Whole networks and/or systems, as well as individual hosts.
Goals: To consume resources in order to shut down or substantially deteriorate services to the legitimate users.
Resources: Bandwidth, servers'/routers' computing time, protocol implementations. Stack overflow, DNS flood, ping flood, packet drop, etc.
DoS attack detection
Anomalies in the traffic pattern: Events or conditions with significant statistical deviation from the usual pattern, based on the data previously collected in standard conditions.
SIEM: Any deviation over the threshold triggers an incident alert.
Inefficient for the low-intensity DoS attacks.
Traditional means of defence (firewalls, IDS, etc.) are inefficient.
Low-intensity DoS attacks
New trend in cyber warfare: Low-intensity DoS attacks indistinguishable from regular traffic.
Low-intensity DoS attacks may be adapted against HTTP, SMTP, and/or DNS traffic.
Apache- and Microsoft IIS-based systems are most vulnerable.
Communication channels are not overloaded but have significant droppage of the request/acknowledgement packets.
Low-intensity DoS attacks
Require a number of participating or compromised hosts for rogue flooding of the target with useless packets.
Rogue implementation of the DoS methods will fail if a massive amount of anomalous traffic is detected by the firewalls.
Low-intensity DoS attacks implement periodic increases (splashes) of the rogue traffic.
For better efficiency, splashes are made close to the time-out of the open session to keep the session alive.
Server/router buffers become gradually overloaded, leading to the denial-of-service condition.
Low-intensity DoS attacks do not require significantly big bandwidth or computing power.
TCP stack vulnerability
The Additive-Increase/Multiplicative-Decrease (AIMD) algorithm combines linear growth of the congestion window with an exponential reduction when congestion takes place. When congestion is detected, the transmitter decreases the transmission rate by a multiplicative factor.
Multiplicative decrease is triggered when a timeout or an acknowledgement message indicates a packet was lost.
It is possible to enforce zero bandwidth by injecting DoS traffic into the regular traffic.
Network bandwidth DoS
DoS consists of short peaks of rogue impulses with a carefully synchronized period.
If the combined traffic during the peaks is big enough to cause packet droppage, transmission will fail.
Retransmission will be attempted after the Retransmission Time-Out (RTO).
If the DoS period coincides with the RTO, regular traffic will constantly encounter time-out.
Packet losses will be close to 100%, and bandwidth close to 0.
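The two detection slides above (the SIEM threshold rule, and why it misses pulsed traffic) can be tried out on a constructed packet-count series. This is an added example, not part of the presentation: it builds a 60-second series of packets-per-100-ms counters (background traffic plus a short pulse every second, the period the RTO slide describes), shows that a rate threshold over one-second windows never fires because the averaged rate stays low, and then finds the pulse period by autocorrelation, which is the signature a monitoring system can alert on. The bin width, the baseline rate and the threshold factor are assumptions of the example.

```python
import random

BIN_S = 0.1  # seconds per counter bin; assumed monitoring granularity, not from the slides

def constructed_bins(duration_s, background_pps, pulse_period_s, pulse_len_s, pulse_pps, seed=1):
    """Constructed sample only: packets-per-bin counts for a link carrying jittered
    background traffic plus a short pulse of pulse_pps every pulse_period_s seconds."""
    rng = random.Random(seed)
    period_bins = round(pulse_period_s / BIN_S)
    len_bins = round(pulse_len_s / BIN_S)
    bins = []
    for i in range(round(duration_s / BIN_S)):
        count = background_pps * BIN_S * rng.uniform(0.8, 1.2)  # +/-20% background jitter
        if i % period_bins < len_bins:
            count += pulse_pps * BIN_S                          # attacker pulse bin
        bins.append(count)
    return bins

def threshold_alerts(bins, baseline_pps, factor=3.0, window_s=1.0):
    """SIEM-style rule: alert when the mean rate over a window exceeds factor x baseline.
    Returns the number of windows that would have raised an alert."""
    w = round(window_s / BIN_S)
    alerts = 0
    for start in range(0, len(bins) - w + 1, w):
        mean_pps = sum(bins[start:start + w]) / window_s
        if mean_pps > factor * baseline_pps:
            alerts += 1
    return alerts

def autocorrelation(xs, lag):
    """Normalised autocorrelation of the mean-removed series at a given lag."""
    mean = sum(xs) / len(xs)
    d = [x - mean for x in xs]
    den = sum(v * v for v in d)
    if den == 0:
        return 0.0
    return sum(d[i] * d[i + lag] for i in range(len(xs) - lag)) / den

def dominant_period(bins, min_lag=2, max_lag=50):
    """Lag (in seconds) with the strongest autocorrelation, and that correlation.
    A strong peak near the sender's minimum RTO (about 1 s) is the low-rate DoS signature;
    quiet traffic gives only a weak peak."""
    best_lag = max(range(min_lag, max_lag + 1), key=lambda lag: autocorrelation(bins, lag))
    return best_lag * BIN_S, autocorrelation(bins, best_lag)

if __name__ == "__main__":
    attacked = constructed_bins(60, 1000, 1.0, 0.1, 10000)
    print("threshold alerts over 1 s windows:", threshold_alerts(attacked, 1000))
    print("dominant period (s), correlation:", dominant_period(attacked))
    print("quiet link:", dominant_period(constructed_bins(60, 1000, 1.0, 0.1, 0)))
```

With the constructed input the one-second averages sit around 2000 pps, below a 3x-baseline threshold, so the rule never fires, while the autocorrelation peak lands at a lag of 1.0 s with a correlation close to 1; on the quiet series the strongest lag has a small correlation. Alerting on a strong autocorrelation peak at a lag close to the minimum RTO is what catches this class of traffic where a plain rate threshold does not.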
Experimental topology
Virtual machines based on the VirtualBox platform.
Emulated Intel Core i5-5200 CPU @ 2.20 GHz.
Operating system: Ubuntu Linux 14.04. HTTP servers: Apache2 and nginx. DNS server: bind9. ICMP and BGP routers: Zebra and Quagga. Network topology: Packet Tracer. Attacking OS: Kali Linux.
Network topology
Branched topology: emulates real-world systems.
Dynamic routing: availability of nodes and services.
Model of DoS attack
At t == 0 the rogue user sends the first impulse and shuts down the system.
The legitimate user encounters a time-out, is forced to wait for retransmission, and doubles the RTO.
The rogue user repeats the attack at t == 1 + 2RTT (Round-Trip Time).
The legitimate user encounters a time-out again, is forced to wait double the time for retransmission, and doubles the RTO.
The rogue user will shut down the service by sending packets at a low rate – at every odd point in time.
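The timing model on this slide and the AIMD/RTO behaviour on the TCP stack vulnerability slide can be simulated in a few lines. The following is an added example and not the presentation's own code: it models a legitimate TCP sender whose packets are dropped whenever they fall inside an attacker pulse, with the sender waiting one RTO and doubling it after every loss (binary exponential backoff) until a retransmission gets through. With the pulse period equal to the minimum RTO every retransmission lands in a pulse and the delivered fraction is 0, which is the zero-bandwidth condition on the slides; adding a random offset to the minimum RTO (the counter-strategy proposed in the Kuzmanovic and Knightly paper cited in the conclusions) desynchronises the retransmissions from the pulses and throughput recovers. The 1 s minimum RTO, the 64 s cap and the 60 s horizon are assumptions of the example.

```python
import random

MIN_RTO_S = 1.0   # typical minimum RTO (RFC 6298 recommends 1 s); assumed, not from the slides
MAX_RTO_S = 64.0  # cap on the exponential backoff; assumed

def in_pulse(t, period_s, pulse_len_s):
    """True when time t falls inside an attacker pulse [k*period, k*period + pulse_len)."""
    return (t % period_s) < pulse_len_s

def delivered_fraction(period_s, pulse_len_s, horizon_s=60.0,
                       min_rto_s=MIN_RTO_S, rto_jitter_s=0.0, seed=0):
    """Fraction of the horizon during which the legitimate flow delivers data.
    Model: a packet sent during a pulse is dropped; the sender waits RTO, retransmits
    and doubles RTO until a retransmission gets through, then sends until the next
    pulse kills the flow again. rto_jitter_s adds a random offset to the minimum RTO
    (RTO randomisation, the counter-strategy from the cited paper)."""
    rng = random.Random(seed)
    t, delivered = 0.0, 0.0
    rto = min_rto_s + rng.uniform(0.0, rto_jitter_s)
    while t < horizon_s:
        if in_pulse(t, period_s, pulse_len_s):
            t += rto                        # time-out: wait before retransmitting
            rto = min(rto * 2, MAX_RTO_S)   # binary exponential backoff
        else:
            next_pulse = (t // period_s + 1) * period_s
            end = min(next_pulse, horizon_s)
            delivered += end - t            # data flows until the next pulse
            t = end
            rto = min_rto_s + rng.uniform(0.0, rto_jitter_s)  # fresh RTO after success
    return delivered / horizon_s

if __name__ == "__main__":
    print("no attack:              ", delivered_fraction(1.0, 0.0))
    print("pulses synced to RTO:   ", delivered_fraction(1.0, 0.1))
    print("same pulses, RTO jitter:", delivered_fraction(1.0, 0.1, rto_jitter_s=0.5))
    print("pulse period 0.7 s:     ", delivered_fraction(0.7, 0.1))
```

The synchronised case follows the slide's timeline exactly: losses at t = 0, 1, 3, 7, 15, 31 and 63 s, each retransmission arriving at a multiple of the pulse period, so nothing is delivered over the whole minute. The model is deliberately coarse (one flow, a single RTO state, no AIMD window growth between pulses), which is enough to show why the pulse period must match the minimum RTO and why randomising that RTO on the receiving side breaks the synchronisation.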
HTTP attack
PC12, PC13 – sources of attack. Method of attack: SlowLoris.
PC10 – target; Main – monitor client.
HTTP attack
Attack made with the slowhttptest DoS simulator:
where: -H – SlowLoris mode; -u – attacked URL; -p – time-out; -c – number of connections; -k – number of attempts.
Monitoring was made with the siege stress tester:
where: -c – concurrent number of simulated users; -t – selected period of test time.
Losses vs. availability
Successful DoS attack without serious investment in the bandwidth of the attacking hosts.
DoS attack on BGP system
The attack was driven against the network segment on Router3 and Router4.
Network throughput measured with the iperf utility.
Attack:
Scenario 1: Direct attack on Quagga.
Scenario 2: Attack on the BGP infrastructure behind Router4 to compromise the routing channel.
Attack on Quagga
SYN-ACK packets sent with a 5 sec. time-out.
Using the scapy Python scripting utility:
Handshake initialized and processed except for the ESTABLISHED status.
Quagga responds with an RST packet to the rogue requests.
Changing the time.sleep() parameter in the 1 to 300 range resulted in closing the connection with SYN-RECV status.
No problems with availability:
Analysis
A successful low-intensity DoS attack requires BGP emulating software.
A legitimate connection to rogue requests is possible only on misconfigured servers.
Data exchange between BGP neighbours is based on Access Lists (ACL):
- permission to transmit routes to a neighbour,
- permission to receive routes from a neighbour.
Router-in-the-Middle attack
Attack driven at the server behind the attacked router.
Goal: To force the router to lower the bandwidth due to processing rogue traffic generated by the low-intensity DoS attack.
Attacked was PC13 behind Router4:
Network throughput measured with the iperf utility.
Analysis
No changes in the throughput:
Slight droppage of the speed results from the interface set-up to match real-world conditions. Traffic generated by the low-intensity DoS attack does not affect the border router's bandwidth. Network throughput measured with the iperf utility.
Analysis
Attacks on systems with default configuration were successful.
Low-intensity DoS attacks deteriorate channel bandwidth.
As a rule, default configurations ignore parameters to counteract attacks. Quagga is a remarkable exception.
It results in denial of HTTP services to legitimate users.
Comparison
Normal traffic.
Traffic under attack.
Conclusions
Aleksandar Kuzmanovic, Edward W. Knightly. Low-rate TCP-targeted denial of service attacks and counter strategies. IEEE/ACM Trans. Netw. – 2006. – No 14 (4). – pp. 683-696.
It discusses how low-intensity DoS attacks on routing protocols may cause an avalanche effect and destroy substantial segments of the Internet.
The experiment proves that such an attack may succeed only in the presence of many factors, including router misconfiguration, a substantial amount of computing resources, and a well-coordinated scenario of the attack.
Questions?
Thank you for your attention!