DDoS: Distributed Denial of Service

1
DDoS Distributed Denial of Service

• Cs5090 Advanced Computer Networks, fall 2004
• Department of Computer Science
• Michigan Tech University
• Rock K. C. Chang
• Byung Choi
• Mark Schuchter

2
Outline

• Introduction
• The DDOS Problems
• Solutions to the DDoS Problems
• Conclusion

3
Introduction (cont.)

• DoS Denial of service attack.
• System design weaknesses
• Ping of death
• Teardrop
• Computationally intensive tasks
• Encryption and decryption computation
• DDoS attack ( Flooding-Based)
• CPU, Memory, bandwidth exhaustion

4
DDoS Typical attack preparation
2. set up network
3. communication
1. prepare attack
5
Why?
sub-cultural status
nastiness
revenge

• Showing off

to gain access
economic reasons
political reasons
6
Timeline
lt1999 Point2Point (SYN flood, Ping of death,
...), first distributed attack tools (fapi)
1999 more robust tools (trinoo, TFN,
Stacheldraht), auto-update, added encryption
2000 bundled with rootkits, controlled with talk
or ÍRC
2001 worms include DDos-features (i.e. Code
Red), include time synchro.,
2002 DrDos (reflected) attack tools, (179/TCP
BGPBorder Gateway Protocol)
2003 Mydoom infects thousands of victims to
attack SCO and Microsoft
7
Development
8
Conversation between Moms

• Mom1 Im so proud of Mike. Apparently hes one
  of the worlds best at a new computer game!
• Mom2 Oh really! Which game?
• Mom1 Something called DDoS Attack
• Mike (Keeping clicking)

9
DDoS Tools and Their Attack Methods

• Trin00 UDP
• Tribe Flood Network UDP, ICMP, SYN, Smurf
• Stacheldracht UDP, ICMP, SYN, Smurf
• TFN 2K UDP, ICMP, SYN, Smurf
• Shaft UDP, ICMP, SYN
• Trinity UDP, SYN, RST, ACK

10
DDoS Problems Direct Attacks

• Send out a large number of attack packets
  directly toward a victim
• Packet types can be TCP, ICMP, UDP, or a mixture
  of them.
• TCP SYN attacks
• Spoofed random source address of attack packets
• The victim respond by sending back SYN-ACK
  packets
• Cause half-open connection ? consume all the
  memories for pending connections ? unable to
  accepting new requests.

11
Direct attack (cont.)
12
Direct Attacks (cont.)

• To congest a victims incoming link.
• The victims usually responds with RST packets
• Sets up a DDoS attack network.
• Attacker ? attack hosts ( compromised machines) ?
  masters ? agents ? victim

13
Direct Attacks
14
Direct Attack Example Trinoo

• Discovered in August 1999
• Daemons found on Solaris 2.x systems
• Attack a system in University of Minnesota
• Victim unusable for 2 days

15
Trinoo Attack type

• UDP flooding
• Default size of UDP packet 1000 bytes
• malloc() buffer of this size and send
  uninitialized content
• Default period of attack 120 seconds
• Destination port randomly chosen from 0 65534

16
Reflector Attacks (cont.)

• An attacker sends packets that require responses
  to the reflectors with the packers inscribed
  source addresses set to a victims address.
• The reflectors returns response packets to the
  victim according to the types of the attack
  packets.
• Thus the reflected packets can flood the victims
  link if the number of reflectors is large enough.

17
Redirect Attacks (cont.)
18
Reflector Attacks (cont.)

• Reflector behaves like a victim of SYN flooding
  attacks, because it also maintain a number of
  half-open connections.
• SYN ACK flooding does not exhaust the victims
  ability to accept new connections but clog the
  victims network link.

19
Reflector Attacks
20
Reflector Attack Examples
21
How Many Attack Packets Are Needed? (cont.)
22
How Many Attack Packets Are Needed? (cont.)

• SYN flooding
• If each SYN packet is 84 bytes long (including
  the Ethernet frame header and interframe gap)
• a 56 kb/s connection is sufficient to stall both
  Linux and BSD servers with N lt 6000
• SYN ACK flooding
• A 1Mb/s connection is sufficient to stall all
  three servers with N lt 10000.

23
How Many Attack Packets Are Needed?

• In other flooding attacks aimed at jamming a
  victims incoming link, an aggregated attack
  traffic rate has to be at least 1.544 Mb/s to jam
  a T1 link.
• Direct ICMP flooding 5000 agents ( 1 query/s)
• Reflect ICMP flooding 5000 reflector ( of
  agents can be much fewer, if each agent is
  responsible for sending ICMP echo requests to a
  number of reflectors.)

24
Solutions to the DDoS Problems (cont.)

• Three lines of defense against the attack
• Attack prevention and preemption( before the
  attack)
• Attack detection and filtering (during the
  attack)
• Attack source traceback and identification
  (during and after the attack)
• Attack avoidance by victims

25
Attack prevention and preemption

• On the passive side
• Hosts may be securely protected from master and
  agent implants.
• Ultimate solution?
• To monitor network traffic for known attack
  messages sent between attackers.
• On the active side
• Cyber-informants and cyber spies to intercept
  attack plans
• for known attacks only?

26
Virus example (Wed. 03 Mar. 2004)

• Hello User of mtu.edu-email server,
• Our main mailing server will be temporarily
  unavailable for next two days for regular
  maintenance and upgrade. To continue receiving
  mail in these days, please configure our
  auto-forwarding service.
• Further details can be obtained from attached
  file
• For security purposes the file is password
  protected. Your password is 00461
• Best Wishes,
• MTU email service team!

27
Attack Source traceback and Identification

• Two approach
• For routers to record information
• Send additional information
• Two reason of infeasible stop an ongoing attack
• Hard to trace packets origins
• Those behind firewall NAT
• Reflector attack
• Hard to stop
• Scattered in various autonomous systems
• Helpful in identifying the attacker and
  collecting for post-attack law enforcement

28
Attack Detection and Filtering (cont.)

• The detection part is responsible for identifying
  DDoS attacks or attack packets
• The filtering part is responsible for classifying
  those packets and then dropping them (
  rate-limiting is another possible action).

29
Attack Detection and Filtering (cont.)

• Measure the effectiveness of the attack detection
  and filtering
• FPR ( false positive ratio) of packets
  classified as attack packets (positive) by a
  detection system that are confirmed to be normal
  (negative) ,
• FNR (false negative ratio) of packets
  classified as normal (negative) by a detection
  system that are confirmed to be attack packets
  (positive),
• NPSR (normal packet survival ratio)
• The percentage of normal packets that can make
  their way to the victim in the midst of a DDoS
  attack.

30
Attack Detection and Filtering (cont.)
31
Attack Detection and Filtering (cont.)

• At Source Networks
• ISP networks that are directly connected to
  source networks can effectively ingress-filter
  spoofed packets.
• Can drop all attack packets in direct attacks and
  all attack packets indirect attacks.
• The attack agents can be traced easily in direct
  attacks
• Ensuring all ISP networks to install ingress
  filtering is an impossible task in itself.

32
Attack Detection and Filtering (cont.)

• At the Victims Network
• A DDoS victim can detect a DDoS attack based on
  an unusually high volume of incoming traffic or
  degraded server and network performance.
• IP hopping or the moving target defense
• A host frequently changes its IP address or
  changes its IP address when a DDoS attack is
  detected.
• To tackle SYN flooding attacks by proxying TCP
  connection requests.

33
Attack Detection and Filtering (cont.)

• At a victims Upstream ISP network
• Victim network may send to an upstream ISP router
  an intrusion alert message
• Such intrusion alert protocol need to be design
  carefully
• The message also have to be protected by strong
  authentication and encryption algorithms.
• Similar to the victim networks, it isnt
  effective to filter attack packets.

34
Attack Detection and Filtering (cont.)

• At further Upstream ISP networks
• Packet filtering is pushed as upstream as
  possible
• if ISP networks are willing to install packet
  filters upon receiving intrusion alerts.

35
Attack avoidance by victims

• Online task migration
• Process
• Thread
• Object
• CPU time depletion
• Bandwidth depletion
• Memory space depletion

36
Conclusion

• Hard to design perfectly secure computers and
  networks.
• There are (will be) still many insecure areas in
  the Internet today that can be compromised to
  launch large-scale DDoS attacks
• Attack avoidance schemes at victims have not been
  fully investigated!
• Contributions are solicited!
• Task migration on-the-fly