An overview of Distributed Denial of Service DDoS Attacks - PowerPoint PPT Presentation

About This Presentation

Title:

An overview of Distributed Denial of Service DDoS Attacks

Description:

Zombie connects a remote pre-programmed IRC ( Internet Relay Chat) ... Master routinely download latest version of Sub7Server trojan into all zombies it has. ... – PowerPoint PPT presentation

Number of Views:839

Avg rating:3.0/5.0

Slides: 30

Provided by: wwwnetC

Learn more at: http://www-net.cs.umass.edu

Category:

more less

Transcript and Presenter's Notes

Title: An overview of Distributed Denial of Service DDoS Attacks

1
An overview of Distributed Denial of Service
(DDoS) Attacks

Presented by Changchun Zou
Feb. 6th, 2002

2
A funny cartoon
Feb. 7-11th, 2000 DDoS event
3
Outline

What is DoS and DDoS?
DoS attack methods
DDoS attack tools
Countermeasures against DDoS attacks
DDoS challenge in P2P and Anonymity network
Summary

4
What is Denial of Service attack?

Objective
shut down a server/network connection or some
services.
By ways of
Consume all network connection bandwidth.
Consume servers memory resource (queue
management), CPU resource.
Exploit software bugs to crash a server.

5
Distributed Denial of Service attack

DoS problem
One gun is not powerful to shoot down a giant
server.
Solution Distributed Denial of Service Attack
Attacker first compromises hundreds/thousands
computers.
Installs DDoS programs on those zombie computers.
Uses these zombies to launch attack to a server
together.

6
DDoS Attack network
Client/Handler/Agent
7
Example of DDoS network (an IRC Bot)

Master automatically scans and installs
rundIl.exe on vulnerable windows computer.
Zombie connects a remote pre-programmed IRC (
Internet Relay Chat) server and joins a secret
channel and wait for instruction.
Master routinely download latest version of
Sub7Server trojan into all zombies it has.
(Several times per day)
Sub7 advertise itself by
Joins a special Sub7 IRC chat server where it
posts a notice of itself.
Version, IP, username password, listening port.
Posts it on a newsgroup server through a web
server CGI script.

8
Outline

What is DoS?
DoS attack methods
DDoS attack tools
Countermeasures against DDoS attacks
DDoS challenge in P2P and Anonymity network
Summary

9
DoS attack methods ---- SYN Flood

TCP connection Three way handshake to setup
SYN flood attack
Only send SYN connection request without
response. ( half-open connection)
Server has to save the connection status in
connection request queue until its timeout.
Large SYN flood packets eat up the queue to
prevent normal users connection requests.

10
DoS attack methods ---- ICMP flood, UDP flood

ICMP flood
Attacker sends as much PING data as he can to a
server.
UDP flood (Why not TCP flood?)
Attacker sends as much garbage UDP packets as he
can to a server.
Use fake source IP address.
Prevent being detected
Get response back will flood attacker himself.

11
Other DoS attack methods

Smurf
Use ICMP echo request to remote IP broadcast
addresses (e.g., xxx.xxx.xxx.255)
All computers on that subnet listening broadcast
ICMP will send back echo response.
Attacker use fake source address as the victims
IP.
Fraggle use UDP instead of ICMP.
Setup Echo ---- Chargen loop.
Ping of Death Land attack Teardrop www request
with many http header or front slashes.

12
Outline

What is DoS?
DoS attack methods
DDoS attack tools
Countermeasures against DDoS attacks
DDoS challenge in P2P and Anonymity network
Summary

13
DDoS attack tools

Trinoo
Tribe Flood Network (TFN and TFN2K)
Stacheldraht
Shaft
Mstream
Worms type of DDoS (e.g. Code Red)

14
Primitive DDoS tools

Trinoo the first well-known DDoS tool
(primitive)
Solaris, Linux, windows
Only UDP flood
No source IP spoofing
Fixed communication port number. (TCP/UDP)
Plaintext communication with password.
Successfully cut off Univ. Minnesota for 3 days.

15
Advanced DDoS tools

Stacheldraht
SYN flood, UDP flood, ICMP flood, Smurf
Attacker to master
TCP 16660 encrypted telnet-like session.
Master to Zombie
TCP 65000 (blowfish) and ICMP_ECHOREPLY

16
Advanced DDoS tools (cont.)

Tribe Flood Network 2000 (TFN2K)
Solaris, Linux, WinNT
All control communications are unidirectional.
Commands are sent via TCP, UDP, ICMP randomly.
TFN2K daemon is silent to receive commands. (
master issues each command 20 times).
Command packets are interspersed with random
number of decoy packets sent to random IP
addresses. ( Advantage of silent receiver).
All encrypted commands are Base 64 encoded (ASCII
printable).
All packets including command can use fake source
IP.

17
Outline

What is DoS?
DoS attack methods
DDoS attack tools
Countermeasures against DDoS attacks
DDoS challenge in P2P and Anonymity network
Summary

18
Countermeasures --- Robust server

Increase TCP request queue on server.
Use multiple identical servers for redundancy.
Widely used by major Web providers.
Akamai-like web content delivery systems can
alleviate the effects of UDP or ICMP flood.
The DoS resistance of Publius is also provided
by redundancy.
Rate limit or block UDP and ICMP traffic.
You can ping yahoo.com but not cnn.com, ebay.com,
amazon.com. ( Is yahoo more robust or less
secure?)

19
Countermeasures --- Filtering

Ingress filtering
Routers prohibit invalid IP, downstream IP.
Problem Valid fake IP packets affect mobile IP
service.
Egress filtering Only packets with valid source
IP leave the network
Useful when deployed close to end user
Lower the attackers incentive to compromise your
computer.
Rely on global implementation to prevent DDoS.
Difficult or impossible for large ISPs. ( mobile
IP, forward traffic)
Disable broadcast amplification ( for
smurf/fraggle attack)
Broadcast is a useful diagnostic tool problem
with WINS server.

20
Practical countermeasures in all

Use firewalls to prevent scanning.
Put egress filtering, packet filtering and
rate-limiting functions on routers.
Close all unused services on every computers.
Install patches regularly. ( nightmare ! )
Use Intrusion Detection and traffic monitor to
prevent or detect attacks in the beginning.

21
Countermeasures Research ---Traceback

Assumption
DDoS attack will send large amount of packets
Routes are relatively stable during DDoS attack
Itrace ICMP traceback
Every router with a small probability to sample a
packet, add router information and send to
recipient as ICMP packet.
Generate overhead traffic
Authentication problem.( Attacker can fake it)

22
Countermeasures Research ---Traceback ( Cont.)

Stefans Probabilistic packet marking IP
traceback
Use the rarely used fragmentation 16bit in IP
header for marking.
Every router with a small probability to mark a
packet with its compressed ID and information.
Victim reconstruct the path
Impossible to use up all 16 bits in IP header
just for this purpose.
Authentication Traceback degrades for multi-path
attack.
Micahs 1-bit packet marking
Prove that only using 1-bit we can reconstruct
attack path.
If a router needs 16-bit for ID, then one hop
path reconstruction will need O(232) packets.

23
Countermeasures Research ---OS and software
improvement

Brute force ( for SYN flood)
Use priority queues to grant requests originating
from addresses that have given successful
handshakes in the past.
Server response time is slower due to the large
past connection table it needs to search.
Random request dropping ( for SYN flood)
Keep client performance losses below 10
An attacker can occasionally deny a legitimate
connection request

24
Countermeasures Research ---OS and software
improvement (cont.)

Cookie-based TCP connection ( for fake source IP
attack)
Using one-way hash to verify the authenticity of
connection request.
Packet loss will break TCP semantics
Need change of protocol
Stateless protocol
TCP connection state information is stored on the
client side.
Vulnerable to re-play attacks
Need change of protocol
Client-Puzzle protocol
Small cryptographic puzzles are sent back to
clients who make requests.
Request client-side software to support.

25
DDoS challenge in P2P and Anonymity networks

Peer to peer network
Broadcast search and request forwarding ( amplify
)
Every node in the middle needs to store the
search state
Easy to distribute Trojan by file download ( Do
you check every mp3 you download?)
Easy to gather other computers information( Link
speed, OS, IP address, etc.)
Anonymity network Crowds
Every node in the request path need to store
state vulnerable for SYN flood
Impossible or very hard to traceback and catch
the bad guy
Dilemma Anonymity ?? Accountability

26
Summary

DDoS is the result of
Lack of security concern in the Internet design.
No easy and automatic patching available for most
software.
Lack of security concern and knowledge for most
people
No simple solution for DDoS
Egress filtering
Global concentrated effort
Social recognition
Relative quiet in these 2 years
No incentive
Major web providers has more robust servers,
higher bandwidth.

27
Appendix WinXP problem ( from GRC.com )

Applications under Win98/ME/NT can not spoof
source IP or generate SYN or ACK flood without
modify OS.
Non-spoofing attacks are almost all generated by
windows PCs.
Win2000 and WinXP support full raw socket
programming
WinXP also removes raw socket safety restriction
imposed by all other OS.
When most home users use WinXP and Broadband
Internet connection

28
Reference

The attack on GRC.com
http//members.thegateway.net/compclub/grcdos/grcd
osindex.html
Distributed Denial of Service (DDoS)
Attacks/tools
http//staff.washington.edu/dittrich/misc/ddos
http//www.hideaway.net/Server_Security/Library/De
nial_of_Service/denial_of_service.html
Slides on DDoS
http//www.itso.iu.edu/staff/krulewit/ddos/index.e
pl
http//www.research.att.com/smb/talks/nanog-dos/i
ndex.htm
Hacking Docs
http//www.fallout2.f2s.com/lotd/docs/
Survey of Denial of Service Countermeasures
http//www.lasierra.edu/dlin/classes/cpsc433/cpsc
433.htm