Distributed Reflection Denial of Service - PowerPoint PPT Presentation

Slides: 18
Provided by: jga7
Transcript and Presenter's Notes

1
Distributed Reflection Denial of Service
  • Networking Talks for the Insufficiently Paranoid
  • Based on http://grc.com/dos/drdos.htm
  • Jim Gast, CS-642 Security, Spring, 2003
  • jgast_at_cs.wisc.edu, UW-Madison

2
Normal Connection Establishment
The server sets up retransmission timers, allocates receive buffers, etc. Imagine a web server that can handle 12,000 connections. If the handshake fails to complete, a timeout occurs after 120 seconds, freeing up the resources.
Note: SYN packets are very small and take up very little bandwidth.
Graphics stolen from http://grc.com/dos/drdos.htm
3
State Transition Diagram
4
SYN Flood
  • Each SYN creates one half-open connection
  • Half-open connections take minutes to time-out
  • Servers have finite connection tables
  • Perpetrator would be easily caught (Source IP)
  • Unless the source IP is spoofed
  • See CERT Advisory CA-1996-21
  • http://www.cert.org/advisories/CA-1996-21.html

100 SYN packets per second fits in 56 Kbps
Graphics stolen from http://grc.com/dos/drdos.htm
5
Spoofed IP Address
The SYN/ACK is delivered to the fake (spoofed) IP address. The attacker doesn't see it, and doesn't care. (Backscatter)
Graphics stolen from http://grc.com/dos/drdos.htm
6
Example SYN Flood Attack
  • February 5th-11th, 2000
  • Victims included CNN, eBay, Yahoo, Amazon
  • Attackers (allegedly) used simple, readily
    available tools (script-kiddies)
  • Law enforcement unable (unwilling?) to help
  • Under-age perpetrators have blanket immunity

7
Defense against SYN Flood
  • Increase size of connection table
  • Add more servers
  • Trace attack back to source
  • Ask your ISP to filter malicious packets
  • Add firewall
  • Typically SYN proxy
  • Dave Parter will talk on firewalls later in the
    semester
  • Ultimate solution was SYN-cookies
  • Reply to SYN with SYN-cookie
  • Allocate no resources until SYN-cookie is
    returned
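The SYN-cookie defence in the last three bullets is easy to state and easy to get subtly wrong, so here is a worked model of it. This is an added example, not code from the slides or from grc.com: the server folds a tick counter, an MSS index and a keyed hash of the connection 4-tuple into the ISN of its SYN/ACK, keeps no half-open state at all, and only accepts a connection when the client's final ACK carries back a value it could not have guessed. The 5/2/25-bit layout, the four-entry MSS table, the 64-second tick and the secret key are all assumptions chosen for this illustration.

```python
# Added example (not from the slides): a stateless SYN cookie in the spirit of slide 7.
# The server encodes everything it needs into the ISN of its SYN/ACK, stores nothing,
# and only allocates a connection once the client's final ACK proves it received that ISN.
import hashlib
import hmac
import struct
import time

SECRET = b"constructed-demo-secret"   # constructed; a real host derives a fresh one at boot
TICK_SECONDS = 64                      # cookie epoch; cookies from the previous tick are still accepted
MSS_TABLE = (536, 1300, 1440, 1460)    # four MSS values that fit in 2 bits (assumption for this example)
MAC_BITS = 25
MAC_MASK = (1 << MAC_BITS) - 1


def _tick(now: float) -> int:
    return int(now) // TICK_SECONDS


def _mac(saddr: str, daddr: str, sport: int, dport: int, tick: int) -> int:
    """Keyed hash over the connection 4-tuple and the tick, truncated to MAC_BITS."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & MAC_MASK


def make_syn_cookie(saddr, daddr, sport, dport, mss, now=None) -> int:
    """ISN to place in the SYN/ACK. Layout: 5 bits tick | 2 bits MSS index | 25 bits MAC."""
    now = time.time() if now is None else now
    tick = _tick(now)
    # Largest table entry not exceeding the peer's advertised MSS (index 0 if none fit).
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return ((tick & 0x1F) << 27) | (mss_idx << 25) | _mac(saddr, daddr, sport, dport, tick)


def check_syn_cookie(saddr, daddr, sport, dport, ack, now=None):
    """Validate the ACK that completes the handshake.
    Returns the MSS to use if the cookie is genuine and fresh, else None."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    cookie_tick = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac = cookie & MAC_MASK
    current = _tick(now)
    for candidate in (current, current - 1):   # accept this tick and the one before it
        if (candidate & 0x1F) != cookie_tick:
            continue
        expected = _mac(saddr, daddr, sport, dport, candidate)
        if hmac.compare_digest(expected.to_bytes(4, "big"), mac.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    t0 = 1_000_000.0
    isn = make_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, 1460, now=t0)
    print("genuine ACK    ->", check_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, isn + 1, now=t0))
    print("spoofed source ->", check_syn_cookie("198.51.100.8", "203.0.113.10", 40000, 80, isn + 1, now=t0))
    print("stale cookie   ->", check_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, isn + 1,
                                                 now=t0 + 3 * TICK_SECONDS))
```

The point the slide makes is visible in the code: a flood of SYNs costs the server one HMAC each and no table entry, so the 12,000-slot connection table from slide 2 can never be filled by half-open connections. The price is that options not encoded in the cookie (here, anything beyond a coarse MSS) are lost, which is why real stacks only switch cookies on when the SYN queue is under pressure.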

8
Potential places to stop DoS flood
Graphics stolen from http://grc.com/dos/drdos.htm
9
Distributed DoS
  • Rather than filling connection table, fill all
    available bandwidth
  • Infect innocent bystanders (zombies)
  • Zombies listen (e.g. on IRC channel) for attack
    command (or simply attack at will)
  • Attacker need not have high bandwidth connection

Typical Program EvilGoat EvilBot
Graphics stolen from http://grc.com/dos/drdos.htm
10
Example Distributed DOS Attack
  • 6 attacks on 5 different days
  • One attack lasted for 17 hours
  • 474 infected Windows PCs as zombies
  • 2.4 billion malicious packets

[Chart: goodput vs. time (minutes)]
Graphics stolen from http://grc.com/dos/grcdos.htm
11
Flood-based Distributed DoS Attacks
  • Coordinate zombies to attack with big packets
  • Use up last-hop bandwidth
  • Last-hop router discards packets
    indiscriminately
  • Zombies need not spoof addresses

See http://grc.com/dos/intro.htm for an example horror story
Graphics stolen from http://grc.com/dos/drdos.htm
12
Newest Twist - Reflection
  • Many routers accept connections on port 179
    (Border Gateway Protocol)
  • Although any big server and any port it listens
    on will work
  • Send a SYN to a router, claiming it came from the
    victim
  • The router will send a SYN/ACK to the victim
  • And then re-transmit several times before giving
    up (typically about 4X)

Note: Tar-pits will not see any backscatter, but honey-pots might see the attacker's commands.
13
Reflection Mechanism
Graphics stolen from http://grc.com/dos/drdos.htm
14
Distributed Reflection DoS
Graphics stolen from http://grc.com/dos/drdos.htm
15
Other ports susceptible to DRDoS
  • 22 Secure Shell
  • 23 Telnet
  • 53 DNS
  • 80 HTTP / Web
  • 4001 Proxy Servers
  • 6668 Internet Relay Chat

Easily detected: so far only Well-Known ports (1-1023) have been seen.
But reflection from port 179 is so powerful that it easily overwhelms the others.
16
Call to action
  • Ingress filtering at all ISPs would stop the
    spoofed SYN packets before they left home
  • Egress filtering at all ISPs would prevent
    spoofed IP addresses from traversing the Internet
  • Flagging multiply-tried, failed SYN/ACKs could be
    used to discover victims and filter further
    attack
  • Disable raw socket interface in client PCs
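Two of the four bullets are mechanical checks a network operator can actually run, so here they are in code. This is an added example, not something from the slides or from grc.com: `ingress_filter` is the BCP 38-style source check the first two bullets ask ISPs for (forward a customer's packet only if its source address lies in a prefix assigned to that customer), and `find_reflection_victims` is the third bullet, flagging SYN/ACKs that were retransmitted several times and never answered, which points at the spoofed victim rather than at the reflector. The flow records, the threshold of three retries and the addresses (all from the documentation ranges) are constructed for the illustration.

```python
# Added example (not from the slides): the two mechanical checks behind slide 16's call
# to action, run over constructed flow records.
import ipaddress
from collections import defaultdict

# Constructed records as seen at a network tap: (time_s, src, dst, sport, dport, tcp_flags)
# 'S' is SYN, 'SA' is SYN/ACK, 'A' is ACK.
FLOWS = [
    # Two routers answer spoofed SYNs on port 179; the victim never ACKs, so each
    # SYN/ACK is retried (the roughly four transmissions the slides describe).
    (0.0,  "192.0.2.1", "203.0.113.10", 179, 40001, "SA"),
    (3.0,  "192.0.2.1", "203.0.113.10", 179, 40001, "SA"),
    (9.0,  "192.0.2.1", "203.0.113.10", 179, 40001, "SA"),
    (21.0, "192.0.2.1", "203.0.113.10", 179, 40001, "SA"),
    (0.4,  "192.0.2.2", "203.0.113.10", 179, 40002, "SA"),
    (3.4,  "192.0.2.2", "203.0.113.10", 179, 40002, "SA"),
    (9.4,  "192.0.2.2", "203.0.113.10", 179, 40002, "SA"),
    (21.4, "192.0.2.2", "203.0.113.10", 179, 40002, "SA"),
    # A single unanswered SYN/ACK: ordinary loss, stays below the threshold.
    (5.0,  "192.0.2.3", "203.0.113.20", 22, 50000, "SA"),
    # A legitimate handshake: the SYN/ACK is answered by an ACK.
    (1.0,  "192.0.2.9", "198.51.100.5", 80, 51000, "SA"),
    (1.1,  "198.51.100.5", "192.0.2.9", 51000, 80, "A"),
]


def find_reflection_victims(flows, min_retries=3):
    """Map each suspected victim to the set of reflectors whose SYN/ACKs to it were
    sent at least min_retries times and never answered with an ACK."""
    synack_count = defaultdict(int)
    answered = set()
    for _, src, dst, sport, dport, flags in flows:
        if flags == "SA":
            synack_count[(src, dst, sport, dport)] += 1
        elif "A" in flags:
            # Store the reverse 4-tuple so it lines up with the SYN/ACK key.
            answered.add((dst, src, dport, sport))
    victims = defaultdict(set)
    for (src, dst, sport, dport), n in synack_count.items():
        if n >= min_retries and (src, dst, sport, dport) not in answered:
            victims[dst].add(src)
    return dict(victims)


# Constructed packets leaving an ISP customer whose only assigned prefix is 198.51.100.0/24.
CUSTOMER_EGRESS = [
    (0.0, "198.51.100.5", "192.0.2.9", 51000, 80, "S"),   # genuine: source is the customer's own
    (0.0, "203.0.113.10", "192.0.2.1", 40001, 179, "S"),  # spoofed: claims the victim's address
]


def ingress_filter(assigned_prefixes, packets):
    """BCP 38-style filtering on the customer-facing router: forward a packet only if
    its source address lies inside a prefix assigned to that customer."""
    nets = [ipaddress.ip_network(p) for p in assigned_prefixes]
    forwarded, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt[1])
        (forwarded if any(src in n for n in nets) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    print("suspected victims:", find_reflection_victims(FLOWS))
    fwd, drop = ingress_filter(["198.51.100.0/24"], CUSTOMER_EGRESS)
    print("dropped at ingress:", [p[1] for p in drop])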

17
Questions?