563'7'1 Classification of DoS Attacks

1
563.7.1Classification of DoS Attacks

• Daniel Rebolledo
• University of Illinois
• Fall 2007

2
Definition
Denial of Service (DoS) is an attack designed to
render a computer or network incapable of
providing normal services.
W3C
A "denial-of-service" attack is characterized by
an explicit attempt by attackers to prevent
legitimate users of a service from using that
service.

• CERT

3
Defense Challenge

• Internet security is highly inter-dependent
• The network is optimized for packet delivery, not
  monitoring nor accountability.
• Security requires coordination between parties
• DoS Attacks are hard to detect
• It is hard to distinguish malicious packets from
  legitimate ones
• Internet resources are limited
• Automated tools exist
• Environment is target-rich

Mitrokotsa, Dougligeris 03, 07
4
DoS vs. DDoS

• DoS a few packets are enough to deny access to a
  service
• DDoS the attack is performed by a network of
  compromised machines.
• Possibly recognized by
• attack packet header info
• IP Address, or Fragment ID and TTL fields
• attack packet stream dynamics
• ramp-up behavior slower ramp-up suggests
  multiple attackers
• spectral analysis frequency analysis of packet
  trace

Hussain, Heidemann, Papadopoulos, 04
5
(No Transcript)
6
Defining Characteristics
Who?
What?
When?
Where?
How?

• Agent recruitment
• Persistence of agent sets

7
Agent recruitment

• Agents
• select an IP address scanning strategy
• random / hit list / signpost / permutation /
  local subnet
• probe for vulnerabilities
• horizontally / vertically / coordinated
  stealthily
• may download attack code
• from a centralized server (central source) / from
  the old host (back-chaining)
• or code may be included (autonomous propagation)

Specht, Lee, 04
8
Persistence of Agent Sets

• constant agent set
• agent machines act in unison
• may 'pulse' the attack, but the 'on'/'off'
  periods match
• variable agent set
• agents don't act in unison
• agent set may be divided into groups
• different groups take turns pulsing the victim
• hinders traceback!

Mirkovic, Reiher 04
9
Defining Characteristics
Who?
What?
When?
Where?
How?

• Victim Type

10
Victim Type

• Specific Application
• Detection is difficult
• host operates normally except for targeted
  application
• attack volume usually small and packets difficult
  to tell apart
• Host
• Disabling all legitimate access to target host by
  disable network communication subsystem or cause
  otherwise cause host to crash, freeze, or reboot
• Patches help but defense requires help from
  upstream firewalls or routers.
• Critical Network Resource (DNS server / router /
  link)
• Network
• Consume all available bandwidth
• Infrastructure
• Targets distributed systems critical to the
  operation of the Internet (extension of the
  host victim type)

Mirkovic, Reiher 04 Douligeris, Mitrokotsa 07
11
Defining Characteristics
Who?
What?
When?
Where?
How?

• Attack rate dynamics

12
Attack Rate Dynamics

• Constant Rate (most common)
• agents send packets as fast as they can after
  attack is started
• large traffic stream may aid detection
• Variable Rate
• used in an attempt to avoid or delay detection
• Increasing Rate
• Fluctuating Rate
• based on e.g. victim behavior or preprogrammed
  timing
• may confuse sysadmins

Mirkovic, Reiher 04
13
Defining Characteristics
Who?
What?
When?
From Where?
How?

• Source address validity
• Spoofed address selection
• Reflector attacks

14
Source Address Validity

• Spoofed Address
• avoids accountability, helps avoid detection
• makes brute force attacks hard to filter
• otherwise, servers could manage by allocating
  resources intelligently
• Valid Address
• some attacks (NAPTHA) require a valid source
  address, since the attack mechanism requires
  several request/reply exchanges between agent
  victim
• older Windows (NT) didn't allow user-level
  processes to modify packet headers

Mirkovic, Reiher 04
15
Spoofed Address Selection

• Types of Spoofed Addresses
• Routable vs. Non-Routable
• Fixed
• reflector attacks, or an attack trying to place
  blame on a 3rd party
• Random
• filtering techniques can be useful
• Subnet
• choose an address randomly from same subnet as
  agent
• defeats ingress filtering
• subnet where agent is located may be able to
  detect filter
• En Route
• choose address from some host on the route from
  agent to victim
• not used by any known attack, but foreseeable,
  since it counters some existing filtering
  techniques

Mirkovic, Reiher 04
16
Reflector Attacks

• Reflector any machine or service that responds
  to a packet with one or more packets.
• Attacker sends packets to reflector
• spoofed source address victims IP address
• response from reflectors overwhelms the victim
• SMURF (1998)
• ICMP echo requests sent to various IP broadcast
  addresses
• amplifier effect many responses from a single
  packet
• DNS Reflector Flood (2000)
• agents generate a large number of DNS requests,
  with the spoofed source address of the victim
• amplifier effect DNS responses can be
  significantly larger than the DNS request

CERT Advisory CA-1998-01, Incident Note
IN-2000-04
17
Defining Characteristics
Who?
What?
When?
To Where?
How?

• Exploited vulnerabilities

18
Exploited Vulnerabilities

• Semantic (e.g. TCP SYN, NAPTHA)
• exploits features or bugs of protocols/application
  s on the victim in order to deplete its resources
• asymmetrically cheap for attacker but expensive
  for victim
• targets buffers, network resources, process
  space, processor time
• Brute Force (e.g. ping flood)
• overwhelms the victim with seemingly legitimate
  transactions
• intermediate network can deliver more packets
  than the victim can handle but more packets
  required (raises the bar)
• attack packets are difficult to distinguish
• Either / both (e.g. ping flood)
• semantic attacks can become brute force attacks
  (e.g. SYN flood)
• hybrid attacks e.g. SMURF

Mirkovic, Reiher 04
19
Defining Characteristics
Who?
What?
When?
Where?
How?

• Degree of automation
• Possibility of characterization
• Impact on victim

20
Operation - Degree of Automation

• Manual (early DDoS attacks)
• The attacker manually scans, breaks in, installs
  attack code, then directs the attack
• Fully Automatic (some viruses)
• exploit/recruitment phase and attack phase both
  automated
• Reduces the attackers exposure
• Inflexible often they leave a backdoor for
  future modification
• Semi-Automated
• recruitment phase automated, attack phase
  manually initiated
• requires master-agent communication
• direct comm. is risky (e.g. hard-coding IP addr.)
• indirect communication (e.g. through IRC)

Mirkovic, Reiher 04
21
Possibility of Characterization

• Characterizable
• Filterable vs. Non-Filterable
• Filterable
• packets may be malformed
• protocol or application may not be needed by
  target
• ex UDP flood against a web server, http flood
  against an SMTP server
• Non-Filterable
• well formed packets that request
  legitimate/critical services
• no way to distinguish attack packets from
  legitimate service requests
• ex http flooding a web server
• Non-characterizable
• attack packets use a variety of
  protocols/applications
• may be randomly generated
• some attacks characterizable in theory, but not
  in practice

Mirkovic, Reiher 04
22
Impact on Victim

• Disruptive completely deny access
• Self-recoverable
• Service recovers without human intervention as
  soon as the attack ends.
• Human-recoverable
• Non-recoverable
• Human-recoverable
• Degrading
• Consume a portion of the victims resources.
• Hard to detect
• Can be very costly (lost business)
• Most existing DDoS countermeasures fail to
  address this threat

Mirkovic, Reiher 04
23
Learn More

• Christos Douligeris and Aikaterini Mitrokotsa,
  DDoS attacks and defense mechanisms
  classification and state-of-the-art, Computer
  Networks, Volume 44, Issue 5, 5 April 2004, Pages
  643-666.Christos Douligeris and Aikaterini
  Mitrokotsa, Denial-of-Service Attacks, Network
  Security Current Status and Future Directions,
  Wiley, 2007, ISBN 978-0-471-70355-6Mirkovic, J.
  and Reiher, P. 2004. A taxonomy of DDoS attack
  and DDoS defense mechanisms. SIGCOMM Comput.
  Commun. Rev. 34, 2 (Apr. 2004), 39-53.Stephen
  M. Specht, Ruby B. Lee, Distributed Denial of
  Service Taxonomies of Attacks, Tools and
  Countermeasures, Proceedings of the 17th
  International Conference on Parallel and
  Distributed Computing Systems, 2004 International
  Workshop on Security in Parallel and Distributed
  Systems, pp. 543-550, September 2004.