Denial of Service (DoS) Attacks - York University
CSE 3482 Introduction to Computer Security
Instructor: N. Vlajic, Winter 2017
Denial of Service (DoS) Attacks
Learning Objectives
Upon completion of this material, you should be able to:
• Explain the basic concepts of Denial-of-Service (DoS) and distributed Denial-of-Service (DDoS) attacks.
• Understand the nature of flooding attacks.
• Explain the concept of an application-based bandwidth attack.
• Present an overview of reflector and amplifier attacks.
• Summarize some of the common defences against Denial-of-Service attacks.
Introduction
• NIST Computer Security Incident Handling Guide: "A Denial of Service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing unit (CPU), memory / disk-space, and bandwidth."
http://realtimeprojecrtsdenniscodd.blogspot.ca/2012/01/denial-of-service-attacks-in-wireless.html
Introduction (cont.)
• Recent DDoS Attacks: Fall 2016 – 0.6 - 1 Tbps DDoS attack on various targets (largest DDoS attack in history, launched by 145,000 IoT devices)
type of attack: DNS reflection & amplification
https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/
http://securityskeptic.typepad.com/the-security-skeptic/anatomy-of-dns-ddos-attack.html
Introduction (cont.)
• Recent DDoS Attacks: September 2015 – DDoS through unsuspecting browsers
type of attack: browser hijacking (malicious JavaScript inserted in a popular Web page – all visitors to this Web site become participants in the DDoS …)
http://www.scmagazine.com/ddos-attack-used-mobile-devices-to-deliver-45-billion-requests/article/441456/
Categories of DoS Attacks
[Figure: taxonomy of DDoS attacks]
DDoS attacks, by targeted resource:
- targeted at bandwidth
- targeted at computing resources:
  - targeted at OS resources
  - targeted at application resources
DDoS attacks, by delivery: direct / reflection
Categories of DoS Attacks (cont.)
• DoS Targeting Bandwidth
- bandwidth = capacity of the network link connecting a server
- typically, server bandwidth << ISP bandwidth; hence, it is always possible to 'congest' the server link => degraded / non-existent service for (some) legitimate users
http://flylib.com/books/en/2.295.1.24/1/
Categories of DoS Attacks (cont.)
• DoS Targeting Bandwidth: server/application throughput vs. incoming traffic rate
http://users.ece.cmu.edu/~dbrumley/courses/18487-f10/files/DDoS.pdf
Most of the key Internet protocols (e.g., TCP) 'react' to packet delay/loss by retransmitting packets.
[Figure: a 100 Mbps link carrying regular + attack traffic feeding a 100 Mbps server link]
Categories of DoS Attacks (cont.)
• DoS Targeting Bandwidth: flooding – most common type of bandwidth DDoS
examples:
- Network Layer: ICMP Flood (e.g., ICMP Echo Request)
- Transport Layer: UDP, TCP Flood (on open or closed ports)
- Application Layer: HTTP Flood
http://localare.blogspot.ca/2012/10/protocol-tcp-ip.html
Categories of DoS Attacks (cont.)
• DoS Targeting Bandwidth: TCP vs. UDP reaction to a bandwidth DoS attack
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6519235
Categories of DoS Attacks (cont.)
• DoS Targeting System Resources
- aim to consume the server's limited OS-level resources, typically by misusing lower-layer protocols (TCP, IP, …): buffers holding arriving IP packets, tables of open TCP connections
http://natsys-lab.blogspot.ca/2013/03/whats-wrong-with-sockets-performance.html
• DoS Targeting System Resources – examples: TCP-SYN Flood
- attacker sends a flood of TCP-SYN requests in possibly spoofed IP packets => 3-way handshake never completed
- half-open connections bind server resources – no new connections can be made
Categories of DoS Attacks (cont.)
[Figure: normal 3-way TCP handshake vs. TCP-SYN flood]
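The half-open connection table is where a SYN flood becomes visible on the server itself. The following monitor is an added example (not from the slides): it parses a constructed snapshot in the style of `netstat -ant` output and flags listening ports whose SYN_RECV backlog dwarfs the connections that actually completed the handshake. The server address 10.0.0.5, the client addresses and the thresholds are all assumptions made for the example.

```python
"""Half-open connection monitor for a server suspected of SYN flooding.

Added example, not from the slides: it parses a constructed snapshot in the
style of `netstat -ant` output (header line plus one line per TCP socket) and
flags listening ports whose backlog of half-open (SYN_RECV) connections looks
like a SYN flood: many half-open entries, from many distinct (probably
spoofed) sources, dwarfing the number of ESTABLISHED connections.
"""
from collections import defaultdict

# Constructed sample snapshot (not real data). Server 10.0.0.5 serves ports
# 443 and 80; port 443 looks healthy, port 80 is being SYN flooded.
SAMPLE_LINES = ["Proto Recv-Q Send-Q Local-Address Foreign-Address State"]
SAMPLE_LINES += [f"tcp 0 0 10.0.0.5:443 203.0.113.{i}:{51000 + i} ESTABLISHED"
                 for i in range(1, 11)]
SAMPLE_LINES += [f"tcp 0 0 10.0.0.5:443 203.0.113.{20 + i}:{52000 + i} SYN_RECV"
                 for i in range(2)]
SAMPLE_LINES += [f"tcp 0 0 10.0.0.5:80 203.0.113.{i}:{53000 + i} ESTABLISHED"
                 for i in range(1, 4)]
SAMPLE_LINES += [f"tcp 0 0 10.0.0.5:80 198.51.100.{i}:{40000 + i} SYN_RECV"
                 for i in range(1, 121)]
SAMPLE_SNAPSHOT = "\n".join(SAMPLE_LINES)


def parse_snapshot(text):
    """Return (local_port, remote_ip, state) for each TCP socket line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "tcp":
            continue  # header, blank or non-TCP line
        local, remote, state = parts[3], parts[4], parts[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        sockets.append((local_port, remote_ip, state))
    return sockets


def half_open_report(sockets, max_half_open=50, min_ratio=5.0):
    """Per local port: half-open vs. established counts and a verdict.

    Thresholds are assumptions for the example; tune them to the server's
    normal load (a busy site legitimately holds a few SYN_RECV entries).
    """
    per_port = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for local_port, remote_ip, state in sockets:
        entry = per_port[local_port]
        if state == "SYN_RECV":
            entry["half_open"] += 1
            entry["sources"].add(remote_ip)
        elif state == "ESTABLISHED":
            entry["established"] += 1
    report = {}
    for port, entry in per_port.items():
        ratio = entry["half_open"] / max(entry["established"], 1)
        report[port] = {
            "half_open": entry["half_open"],
            "established": entry["established"],
            "distinct_sources": len(entry["sources"]),
            "ratio": round(ratio, 2),
            "suspicious": entry["half_open"] >= max_half_open and ratio >= min_ratio,
        }
    return report


if __name__ == "__main__":
    for port, r in sorted(half_open_report(parse_snapshot(SAMPLE_SNAPSHOT)).items()):
        print(port, r)
```

The distinct-source count is worth reporting separately: spoofed floods tend to show one half-open entry per (random) source, whereas a genuine burst of slow clients repeats a small set of addresses. A production monitor would take repeated snapshots and alert on the rate of change rather than on one reading.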
Categories of DoS Attacks (cont.)
• DoS Targeting Application Resources
- involve valid-looking application requests that 1) consume significant application resources, or 2) cause the application to crash
- examples: HTTP attack requesting large PDF files from a server; attack on a web server that makes database queries using computationally-costly requests
Categories of DoS Attacks (cont.)
• DoS vs. DDoS Attacks
- DoS attack – one attacking machine
- Distributed DoS attack – employs numerous attacking machines – so-called botnets
http://www.tik.ee.ethz.ch/~ddosvax/talks/ddos_td.pdf
- direct DDoS attacks, reflector DDoS attacks, amplification DDoS attacks
DDoS Attacks: Botnet
• Botnet for DDoS
- botnet – a network of compromised machines (bots, zombies, or agents) controlled by the attacker
- attacker / master – machine that is physically used by the bot master / herder; can be anywhere with any type of internet connection
- stepping stone – attacker can use 1 or more stepping stones to hide his or her true identity and location; typically, there is a telnet connection between the botnet master and its stepping stones; due to legal issues and physical location, using stepping stones located in foreign countries makes it much more difficult to trace the original attacker
• Botnet for DDoS (cont.)
- handler – a computer that has been compromised by the bot master and loaded with special applications to manage agents; handlers accept commands from the attackers by way of stepping stones and relay those commands to waiting agents; each handler is responsible for (only) a group of agents; if handlers communicate with their respective agents via TCP connections, they will have a list of the agents' IP addresses
- bot / zombie / agent – a compromised 3rd-party machine with the 'injected' malware; the 'real power' of the botnet – capable of launching the attack and/or propagating itself to other machines; largest known botnet: Mariposa, 8-12 million bots (2008)
DDoS Attacks: Botnet (cont.)
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.540&rep=rep1&type=pdf
[Figure: botnet architecture – hacker's 'PC'; machines owned by the hacker but in different locations; compromised machines controlled by the hacker; compromised machines with malware]
DDoS Attacks: Botnet (cont.)
• Botnet Propagation
- vulnerability scan – manual propagation involving systematic scanning / searching for hosts with particular vulnerabilities
- worm exploits – automated propagation process via worms that traverse the Internet infecting hosts and installing the agent software
- web-based malware exploits – automated propagation by means of 'drive-by-download' from compromised websites
- botnet takeover – e.g., by sniffing the password that a bot herder uses to log into its botnet handlers
• Mariposa Botnet
- 8 – 12 million bots at its peak
- spreading: via instant messages, P2P connections, removable drives, …
- primary purpose/operation: steal login info (banks, social-networking sites, …), steal important files found on hard drives, 'hijack' search results, …
- secondary purpose – botnet was also available for rent and has performed other 'underground' operations
- takeover – May 2009, Mariposa Working Group temporarily seized control of C&C servers
- arrests – 2010, several Spanish & one Slovenian citizen arrested
http://community.trendmicro.com/t5/Web-Threat-Spotlight/Mariposa-Botnet-Uses-AutoRun-Worms-to-Spread/ba-p/4596
DDoS Attacks: Botnet (cont.)
• Botnet: to Build or to Rent?
- building a botnet – 'ready to use' development kits are available on the black market – packages containing C&C software & bot software; Dirt Jumper – sophisticated software with a HTTP C&C server & SQL database for keeping track of infected bots; requires technical expertise and is time consuming
How To Build A Botnet In 15 Minutes: http://readwrite.com/2013/07/31/how-to-build-a-botnet-in-15-minutes#awesm=~ozr0P2DBqFUHlU
A beginner's guide to building botnets—with little assembly required: http://arstechnica.com/security/2013/04/a-beginners-guide-to-building-botnets-with-little-assembly-required/
DDoS Attacks: Botnet (cont.)
• Botnet: to Build or to Rent?
- renting a botnet – several $100 for a day of botnet rent
https://blog.damballa.com/archives/330
Reflector & Amplified DDoS
• Direct DDoS attacks
- agents conducting the attack are compromised systems running the attacker's program
- the source IP addresses in attacking packets are often spoofed => the victim's responses are scattered throughout the Internet
- protocols used: any – ICMP, TCP, UDP, DNS, HTTP, …
[Figure: attacking packet – destination IP = Victim's IP; source IP = true or random IP]
Amplified & Reflector DDoS (cont.)
• Reflector DDoS attacks
- indirect attack utilizing innocent, uncompromised intermediate nodes and any simple 'request-reply' protocol
- the source IP address in the attacking packet = spoofed Victim's IP
- aims to obscure the identity of the attacking machines
[Figure: attacking packet – destination IP = Reflector's IP; source IP = Victim's IP]
Amplified & Reflector DDoS (cont.)
Example: HTTP Reflector DDoS – possible or not?!
HTTP runs on top of an established TCP connection. Impossible to send an HTTP request to the Victim without a valid 3-way TCP handshake.
HTTP is not a simple 'request-reply' protocol => reflector attack not possible.
[Figure: Attacker -> Reflector: SYN (source IP = Victim's IP, destination IP = Reflector's IP); Reflector -> Victim: SYN-ACK; the handshake never completes]
Amplified & Reflector DDoS (cont.)
Example: DNS Reflector DDoS – possible or not?!
DNS runs on top of UDP (or TCP) and acts as a simple 'request-reply' protocol => reflector attack possible.
Amplified & Reflector DDoS (cont.)
• Amplified DDoS attacks
- variant of the reflector attack – aim to generate multiple reflector packets for each original packet sent
- can be achieved by directing original requests to a broadcast address of a large LAN, e.g., ICMP echo request to 129.1.0.0 => multiple echo replies
- TCP cannot be used as it is 'connection oriented'
Amplified & Reflector DDoS (cont.)
Example: DNS Amplification DDoS using recursive resolution
http://blog.isc2.org/.a/6a00e54f109b6788340168e901b1c1970c-pi
https://isc.sans.edu/diary/When+attackers+use+your+DNS+to+check+for+the+sites+you+are+visiting/16955
http://www.expertsmind.com/questions/dns-message-application-layer-30140518.aspx
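From the victim network's point of view, a reflector or amplification attack has a distinctive signature that the slides' definitions imply: the victim host receives replies to requests it never sent, from a large number of unrelated servers, and the bytes arriving vastly exceed the bytes it sent to that service. The detector below is an added example, not from the slides, working over constructed NetFlow-style records; the `Flow` record layout, the list of reflected services, the addresses and the thresholds are assumptions made for the example.

```python
"""Reflection / amplification detector over flow records at a network edge.

Added example, not from the slides. Works on constructed NetFlow-style
records. A DNS (or NTP, SNMP, SSDP) reflection attack against a host inside
the protected network shows up as: many inbound UDP datagrams from the
service port of a large number of distinct servers, addressed to a host that
never sent matching queries out, with far more bytes arriving than leaving.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    direction: str  # "in" or "out", relative to the protected network


# UDP services commonly abused as reflectors (assumed list for the example).
REFLECTED_SERVICES = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed sample (documentation address ranges, not real traffic):
# 10.0.0.8 makes two normal DNS queries and gets two answers back;
# 10.0.0.9 receives 50 large DNS answers from 50 resolvers it never queried.
SAMPLE_FLOWS = (
    [Flow("10.0.0.8", 40000 + i, "203.0.113.53", 53, "udp", 60, "out") for i in range(2)]
    + [Flow("203.0.113.53", 53, "10.0.0.8", 40000 + i, "udp", 200, "in") for i in range(2)]
    + [Flow(f"198.51.100.{i}", 53, "10.0.0.9", 1024 + i, "udp", 3000, "in")
       for i in range(1, 51)]
    + [Flow("10.0.0.9", 55000, "203.0.113.80", 443, "tcp", 800, "out")]  # unrelated
)


def reflection_report(flows, min_reflectors=20, min_ratio=10.0):
    """Per (internal host, service): reflector count, byte ratio, verdict.

    Thresholds are assumptions for the example.
    """
    sent_queries = set()          # (host, server, service port) the host really asked
    out_bytes = defaultdict(int)  # bytes the host sent to that service
    for f in flows:
        if f.direction == "out" and f.proto == "udp" and f.dport in REFLECTED_SERVICES:
            sent_queries.add((f.src, f.dst, f.dport))
            out_bytes[(f.src, f.dport)] += f.nbytes

    per_target = defaultdict(lambda: {"reflectors": set(), "in_bytes": 0, "unsolicited": 0})
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.sport not in REFLECTED_SERVICES:
            continue
        entry = per_target[(f.dst, f.sport)]
        entry["reflectors"].add(f.src)
        entry["in_bytes"] += f.nbytes
        if (f.dst, f.src, f.sport) not in sent_queries:
            entry["unsolicited"] += 1  # answer to a query this host never sent

    report = {}
    for (host, port), entry in per_target.items():
        ratio = entry["in_bytes"] / max(out_bytes[(host, port)], 1)
        report[(host, REFLECTED_SERVICES[port])] = {
            "reflectors": len(entry["reflectors"]),
            "in_bytes": entry["in_bytes"],
            "unsolicited": entry["unsolicited"],
            "amplification": round(ratio, 2),
            "suspicious": (len(entry["reflectors"]) >= min_reflectors
                           and entry["unsolicited"] > 0 and ratio >= min_ratio),
        }
    return report


if __name__ == "__main__":
    for key, r in reflection_report(SAMPLE_FLOWS).items():
        print(key, r)
```

The "unsolicited" count is what separates a victim from a busy resolver client: a host that really issued the queries has a matching outbound flow for every inbound answer. The same logic, applied on the reflector's side (an open resolver or NTP server), would instead look for many queries claiming one source address, which is the spoofing the ISP-side filtering in the defences section is meant to stop.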
DDoS Defences
• Classical DDoS Defences
- Attack Prevention – before the attack: up-to-date anti-malware to prevent the creation of botnets; monitoring of traffic by the ISP, or 'cyber-spies', to detect packets between attackers and stepping-stones / handlers
DDoS Defences (cont.)
• Classical DDoS Defences (cont.)
- Attack Detection and Filtering – during the attack: firewall monitors for suspicious (blacklisted) IPs or suspicious packets (e.g., SYN flood) and drops them; ISP monitors and drops packets with spoofed IP addresses
DDoS Defences (cont.)
• Modern Lines of DDoS Defence
- Content Delivery Networks (Akamai): web-site content is placed on multiple / redundant locations; users are 'directed' to the geographically closest servers; multiple servers => no 'single point of failure'
http://www.marketingtechblog.com/content-delivery-network/
DDoS Defences (cont.)
• Modern Lines of DDoS Defence (cont.)
- Scrubbing Centers (Prolexic): packets destined for an enterprise are routed through, and screened by, a special cloud-based network of routers; if an attack pattern is identified => suspicious packets are dropped before reaching the victim
http://www.prolexic.com/kcresources/attack-report/prolexic-quarterly-global-ddos-attack-report-q412-011713/Prolexic_Quarterly_Global_DDoS_Attack_Report_Q412_011413.pdf
Application-Layer DDoS
• Application-Layer DDoS Attacks
- fastest growing category of DDoS attacks
- hard to distinguish between legitimate & malicious HTTP requests
Application-Layer DDoS
• How a Browser Works
- base HTML page retrieved first
- then, HTML page parsed and individual objects (images, scripts, videos, …) are subsequently retrieved
Application-Layer DDoS (cont.)
• Puppetnets
- mechanism of conducting HTTP DDoS by exploiting (hijacking) legitimate / uninfected machines
- a popular 3rd-party web page is 'infected' with malicious HTML or JavaScript that generates HTTP requests to the victim
[Figure: the infected Web server (196.87.44.1) answers normal HTTP requests with attack instructions piggybacked in its HTML page; visitors' browsers then send attack traffic to the victim site (128.7.35.9)]
HTML page:
<img src="http://196.87.44.1/picture.jpg">
<img src="http://128.7.35.9/picture.gif">
…
Application-Layer DDoS (cont.)
• Puppetnets (cont.)
- advantages for the attacker: minimal cost; puppet-bots are generally trusted with a 'good' history – harder to detect, and not subject to black-listing or firewall blocking
- disadvantages for the attacker: very 'dynamic' bot population; attacks cannot be fully controlled or predicted
How easy/complex is it to inject malicious puppetnet code??
Application-Layer DDoS (cont.)
• Million-Browser Botnet
- August 2013, researchers from White-Hat Security managed to create a puppetnet consisting of a million hijacked browsers using WWW ads
[Figure: the Web server hosting a 3rd-party ad answers normal HTTP requests with attack instructions piggybacked; the browsers then send attack traffic to the victim site (128.7.35.9)]
JavaScript in HTML code:
var i = 1;
img = new Image();
while (true) {
  img.src = "128.7.35.9/picture.gif";
  i++;
}
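The browser model from the "How a Browser Works" slide gives the victim a handle on puppetnet traffic: a real visitor fetches a base HTML page first and only then its embedded objects, whereas a puppet browser, steered by HTML or JavaScript injected into some other site, requests only the victim's objects (here /picture.gif), repeatedly, with a Referer naming that other site. The detector and the anti-hotlinking check below are an added example, not from the slides or the White-Hat researchers; the access-log lines are constructed in Combined Log Format and reuse the slides' addresses (128.7.35.9 as the victim, 196.87.44.1 as the infected third-party site), while the client addresses, the object-extension list, the threshold and the Referer-based serving rule are assumptions.

```python
"""Puppetnet traffic detector for a web server's access log (added example).

A normal browser first fetches an HTML page from us and only then the
objects it embeds; a puppet browser, steered by HTML or JavaScript injected
into some other site's page, requests only our objects (e.g. /picture.gif),
over and over, with a Referer pointing at that other site. The log lines are
constructed in Combined Log Format: 128.7.35.9 is us (the victim) and
196.87.44.1 the 'infected' third-party site, as on the slides.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

OWN_HOSTS = {"128.7.35.9"}                      # hosts we serve (assumed)
OBJECT_EXTS = (".gif", ".jpg", ".png", ".css", ".js")


def _line(ip, path, referer, sec):
    """Build one constructed Combined-Log-Format line."""
    return (f'{ip} - - [12/Jan/2017:10:00:{sec:02d} -0500] "GET {path} HTTP/1.1" 200 512 '
            f'"{referer}" "Mozilla/5.0"')


SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", "/index.html", "-", 0),                          # normal visitor
     _line("203.0.113.10", "/picture.gif", "http://128.7.35.9/index.html", 1),
     _line("203.0.113.10", "/logo.png", "http://128.7.35.9/index.html", 1)]
    + [_line("198.51.100.20", "/picture.gif", "http://196.87.44.1/", s)    # puppet browser
       for s in range(25)]
    + [_line("198.51.100.30", "/picture.gif", "http://196.87.44.1/", 5)]    # one-off hotlink
)


def parse_log(text):
    """Parse Combined-Log-Format lines into dicts; skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def referer_host(referer):
    """Hostname from a Referer value, or None when absent ('-') or not a URL."""
    return urlparse(referer).hostname if referer.startswith("http") else None


def puppet_report(entries, min_objects=20):
    """Per client IP: page vs. object counts, foreign referers, verdict.

    The threshold is an assumption; in practice it is a rate per time window.
    """
    per_ip = defaultdict(lambda: {"pages": 0, "objects": 0, "foreign_referers": set()})
    for e in entries:
        s = per_ip[e["ip"]]
        if e["path"].lower().endswith(OBJECT_EXTS):
            s["objects"] += 1
        else:
            s["pages"] += 1
        host = referer_host(e["referer"])
        if host and host not in OWN_HOSTS:
            s["foreign_referers"].add(host)
    return {
        ip: {"pages": s["pages"], "objects": s["objects"],
             "foreign_referers": sorted(s["foreign_referers"]),
             "suspicious": (s["pages"] == 0 and s["objects"] >= min_objects
                            and bool(s["foreign_referers"]))}
        for ip, s in per_ip.items()
    }


def should_serve(entry):
    """Standard anti-hotlinking rule (a mitigation assumed here, not from the
    slides): serve an embedded object only when the Referer is absent or names
    one of our own hosts. Absent referers are allowed because browsers may
    legitimately suppress the header."""
    if not entry["path"].lower().endswith(OBJECT_EXTS):
        return True
    host = referer_host(entry["referer"])
    return host is None or host in OWN_HOSTS
```

The report is the forensic side (which clients behaved like puppets, and which third-party page steered them, which is the place to go for takedown); `should_serve` is the cheap operational side, since rejecting object requests with a foreign Referer turns each puppet request into a small error response instead of a full image transfer. It does not help against a script that omits the Referer, so a rate limit per client on object requests, with no preceding page request, remains the more general control.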