Bandwidth DoS Attacks and Defenses

1
Bandwidth DoS Attacks and Defenses

• Robert Morris
• Frans Kaashoek, Hari Balakrishnan, Students
• MIT LCS

2
What is a Denial of Service Attack?

• Goal make a service unusable.
• How overload a server, router, network link.
• Focus bandwidth attacks (trinoo, tfn).

3
Logical View of Attack Net
Attacker
Control Traffic
Master
Slave
Slave
Slave
Slave
Slave
Attack Traffic
Victim
4
Attack Targets
Link
Router
Customers Router
ISP
Host
Other ISPs
App
O/S
Other Customers
Customers LAN
5
Attacks use IP Packets
IP Header Source Address Destination
Address User Data

• Routers forward each packet independently.
• Routers dont know about connections.
• Complexity is in end hosts routers are simple.

6
Outline

• Case study Yahoo.
• What happened.
• Analysis.
• Our framework for defense RON.

7
Case Study Yahoo Attack

• Early February 2000.
• Took Yahoo off the net for hours.

8
Yahoos Point of View
ISP Router
1 Gbit/second of Ping Response packets.
Yahoos Router
www.yahoo.com
9
Yahoo Attack Overview
Co-location Centers
Other ISPs
Yahoos ISP
Yahoo
10
Attack Packet Generation
Leader
Slaves
Co-location Center
M
S1
S2

Sn
Ping, DSTbcast, SRCYahoo
Ping Responses, DSTYahoo
Internet
11
What did the attack depend on?

• Pervasive insecure hosts.
• Fake IP source addresses.
• Use of hosts as amplifiers.
• Weak router software.
• Difficulty of diagnosis.

12
Pervasive Insecure Hosts

• Required for disguise and to generate enough
  traffic.
• How do they break in?
• Buffer overruns.
• Typically Solaris and Linux.
• Highly automated.
• Defenses?
• Better programming practices.
• Disable services by default.
• Firewalls, intrusion detection.
• Motivation for deployment is not strong.

13
Fake IP Source Addresses

• Two uses
• Hide the source of attack.
• Part of weapon.
• Example SYN flooding.
• Defense
• Ingress/egress filtering.
• But motivation for deployment is not strong.

14
Ingress Filtering
Attacker SRCSite2
Site 1
Site 2
ISP 1
ISP 2
ISP 3
Victim
15
Use of Hosts as Amplifiers

• Attackers need this
• To avoid using their own machines.
• To generate lots of traffic.
• To avoid detection via load monitoring.
• Two approaches
• Break into 1000s of machines.
• Trick legitimate machines into generating traffic.

16
Weak Router Software

• Routers themselves are often victims.
• Why?
• Forwarding and management compete for CPU.
• Control and data traffic compete for net b/w.
• Solutions?
• Simplify and partition.

17
Difficulty of Diagnosis

• Very little automatic support for traffic
  analysis and correlation.
• Is the high load legitimate?
• What does the attack consist of?
• Where does the attack come from?
• How ask upstream routers to discard attack
  packets?
• Defense distributed analysis system.

18
Why are these attacks easy?

• Internet built around end-to-end principle
• Most functions done by end hosts.
• Examples reliable delivery.
• Advantages
• Simplifies network core.
• Example IP packet forwarding.
• Example its easy to start an ISP.
• Anyone can introduce new services.
• Result lots of innovation.

19
Why is defense hard?

• End-to-end principle conflicts with
• Centralized control.
• Centralized monitoring.
• Separation of data from control traffic.
• Mandatory authentication.
• Mandatory accounting.

20
RON Project

• End-to-end framework for
• Cooperative statistics collection.
• Cooperative reaction to attacks.
• Fault-tolerant control and data routing.
• How resilient overlay network (RON).
• Funded by DARPA/IA/FTN.

21
What is an Overlay Network?
N2
N3
N1
ISP1
ISP2
N4
N5

• Better routing functions built in end hosts.
• Can be used to build distributed defenses.

22
Why Distributed Defenses?

• Presence of attack obvious near victim.
• Not obvious near sources of attack.
• But control is easier near sources.
• Identifying attackers requires cooperation.
• Asymmetric routing.
• Fake source addresses.

23
Why Distribution is Hard

• RON itself is a target.
• Authorized communication between RON nodes.
• Bandwidth attacks on RON nodes.
• Application-level DoS attacks.
• Political / deployment problems.
• Needs cooperation? Or single-organization?

24
Monitoring Scenario
1. Measure
N2
N3
Victim
N1
Backbone B1
2. Communicate
Backbone B2
3. Control
N4
N5
Attacker
25
Fault-Tolerant Routing

• Use Internet to connect multiple sites.
• Inter-ISP routing
• Ignores link quality.
• Ignores many available paths due to policy.
• Chooses only one path.
• Reacts slowly.
• RON allows end-system control of routing.

26
Fault-tolerant Routing (2)
N2
N3
N1
Backbone B1
Peering Point Q
Peering Point P
Backbone B2
Attacker
N4
N5
27
Peer-to-Peer Networking

• Multi-organization overlays.
• Early work Gnutella and FreeNet.
• Data replicated at many sites.
• Queries traverse reliable overlay.
• Explicit protection of virtual infrastructure.

28
Summary

• Raise the bar
• Improve host security.
• Make it hard to fake IP addresses.
• Experiment with RON-like and peer-to-peer
  architectures.