563.7.1 Classification of DoS Attacks - PowerPoint PPT Presentation

1
563.7.1 Classification of DoS Attacks
  • Daniel Rebolledo
  • University of Illinois
  • Fall 2007

2
Definition
"Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services."
  • W3C
"A 'denial-of-service' attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service."
  • CERT

3
Defense Challenge
  • Internet security is highly inter-dependent
  • The network is optimized for packet delivery, not for monitoring or accountability.
  • Security requires coordination between parties
  • DoS Attacks are hard to detect
  • It is hard to distinguish malicious packets from
    legitimate ones
  • Internet resources are limited
  • Automated tools exist
  • Environment is target-rich

Mitrokotsa, Douligeris 03, 07
4
DoS vs. DDoS
  • DoS: a few packets are enough to deny access to a service
  • DDoS: the attack is performed by a network of compromised machines.
  • Possibly recognized by
    • attack packet header info
      • IP address, or Fragment ID and TTL fields
    • attack packet stream dynamics
      • ramp-up behavior: slower ramp-up suggests multiple attackers
      • spectral analysis: frequency analysis of the packet trace

Hussain, Heidemann, Papadopoulos, 04
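The two trace-based heuristics named on this slide (header-field sequences and ramp-up behaviour) can be run over a packet capture at the victim. The following is an added example, not code from the slides or from Hussain et al.; the `Packet` fields, the ID window and the ramp-up threshold are assumptions chosen for the constructed traces, and spectral analysis is left out.

```python
"""Added example (not part of the original slides): two of the heuristics from
Hussain, Heidemann and Papadopoulos (2004) for telling a single-source DoS flood
from a DDoS flood, applied to constructed packet traces.

1. Header information: each sending host keeps its own IP ID counter and sits at
   a fixed hop distance (hence a fixed TTL at the victim), so packets from one
   host form a monotonically increasing ID sequence even when the source address
   is spoofed.  Counting the interleaved sequences estimates the number of agents.
2. Ramp-up behaviour: a single attacker reaches full rate almost at once, while
   agents triggered by a command that reaches them at different times ramp up
   more slowly.
The Packet fields, window and thresholds are assumptions for this example.
"""
from collections import defaultdict, namedtuple

# time in milliseconds; src is the (possibly spoofed) source address
Packet = namedtuple("Packet", "time src ttl ip_id")


def count_id_sequences(packets, window=16):
    """Estimate the number of senders from the (TTL, IP ID) header fields.

    A packet continues an existing sequence if it shares the TTL and its ID is
    just above that sequence's last ID; otherwise it starts a new sequence.
    (16-bit ID wrap-around is ignored to keep the example short.)
    """
    last_ids = defaultdict(list)            # ttl -> last ID seen per sequence
    for p in sorted(packets, key=lambda p: p.time):
        seqs = last_ids[p.ttl]
        best = None
        for i, last in enumerate(seqs):
            if last < p.ip_id <= last + window and (best is None or last > seqs[best]):
                best = i                    # closest sequence below this ID
        if best is None:
            seqs.append(p.ip_id)            # a new counter, i.e. a new host
        else:
            seqs[best] = p.ip_id
    return sum(len(s) for s in last_ids.values())


def ramp_up_time(packets, bin_ms=100, fraction=0.9):
    """Milliseconds from the first packet until the per-bin packet rate first
    reaches `fraction` of the peak rate."""
    times = sorted(p.time for p in packets)
    t0 = times[0]
    counts = defaultdict(int)
    for t in times:
        counts[(t - t0) // bin_ms] += 1
    peak = max(counts.values())
    for b in sorted(counts):
        if counts[b] >= fraction * peak:
            return b * bin_ms
    return None  # unreachable: the peak bin itself always qualifies


def classify(packets, ramp_threshold_ms=100):
    """Return (verdict, estimated_senders, ramp_up_ms)."""
    senders = count_id_sequences(packets)
    ramp = ramp_up_time(packets)
    verdict = "distributed" if senders > 1 or ramp > ramp_threshold_ms else "single-source"
    return verdict, senders, ramp


def single_source_trace(n=300, gap_ms=2):
    """Constructed: one host, one ID counter, random spoofed sources, full rate at once."""
    return [Packet(i * gap_ms, "10.0.0.%d" % (i % 250 + 1), 54, 1000 + i) for i in range(n)]


def multi_source_trace(agents=3, per_agent=100, gap_ms=6, start_gap_ms=150):
    """Constructed: three agents with separate ID counters (two at the same hop
    distance), each joining 150 ms after the previous one."""
    ttls = [54, 54, 61]
    pkts = []
    for a in range(agents):
        for i in range(per_agent):
            pkts.append(Packet(a * start_gap_ms + i * gap_ms,
                               "10.0.%d.%d" % (a, i % 250 + 1),
                               ttls[a], 20000 * a + 500 + i))
    return sorted(pkts, key=lambda p: p.time)


if __name__ == "__main__":
    print("single-source trace:", classify(single_source_trace()))
    print("multi-source trace: ", classify(multi_source_trace()))
```

The single-source trace yields one ID sequence and a ramp-up of 0 ms; the three-agent trace yields three sequences (two of them sharing a TTL, separated only by their ID counters) and a 300 ms ramp-up, so either heuristic alone would already flag it as distributed.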
5
(No Transcript)
6
Defining Characteristics
Who?
What?
When?
Where?
How?
  • Agent recruitment
  • Persistence of agent sets

7
Agent recruitment
  • Agents
    • select an IP address scanning strategy
      • random / hit list / signpost / permutation / local subnet
    • probe for vulnerabilities
      • horizontally / vertically / coordinated / stealthily
    • may download attack code
      • from a centralized server (central source) / from the old host (back-chaining)
      • or code may be included (autonomous propagation)

Specht, Lee, 04
8
Persistence of Agent Sets
  • constant agent set
    • agent machines act in unison
    • may 'pulse' the attack, but the 'on'/'off' periods match
  • variable agent set
    • agents don't act in unison
    • agent set may be divided into groups
      • different groups take turns pulsing the victim
    • hinders traceback!

Mirkovic, Reiher 04
9
Defining Characteristics
Who?
What?
When?
Where?
How?
  • Victim Type

10
Victim Type
  • Specific Application
    • Detection is difficult
      • host operates normally except for the targeted application
      • attack volume usually small and packets difficult to tell apart
  • Host
    • Disables all legitimate access to the target host by disabling its network communication subsystem or otherwise causing the host to crash, freeze, or reboot
    • Patches help, but defense requires help from upstream firewalls or routers.
  • Critical Network Resource (DNS server / router / link)
  • Network
    • Consume all available bandwidth
  • Infrastructure
    • Targets distributed systems critical to the operation of the Internet (extension of the host victim type)

Mirkovic, Reiher 04; Douligeris, Mitrokotsa 07
11
Defining Characteristics
Who?
What?
When?
Where?
How?
  • Attack rate dynamics

12
Attack Rate Dynamics
  • Constant Rate (most common)
    • agents send packets as fast as they can after the attack is started
    • large traffic stream may aid detection
  • Variable Rate
    • used in an attempt to avoid or delay detection
    • Increasing Rate
    • Fluctuating Rate
      • based on e.g. victim behavior or preprogrammed timing
      • may confuse sysadmins

Mirkovic, Reiher 04
13
Defining Characteristics
Who?
What?
When?
From Where?
How?
  • Source address validity
  • Spoofed address selection
  • Reflector attacks

14
Source Address Validity
  • Spoofed Address
    • avoids accountability, helps avoid detection
    • makes brute force attacks hard to filter
      • otherwise, servers could manage by allocating resources intelligently
  • Valid Address
    • some attacks (NAPTHA) require a valid source address, since the attack mechanism requires several request/reply exchanges between agent and victim
    • older Windows (NT) didn't allow user-level processes to modify packet headers

Mirkovic, Reiher 04
15
Spoofed Address Selection
  • Types of Spoofed Addresses
    • Routable vs. Non-Routable
    • Fixed
      • reflector attacks, or an attack trying to place blame on a 3rd party
    • Random
      • filtering techniques can be useful
    • Subnet
      • choose an address randomly from the same subnet as the agent
      • defeats ingress filtering
      • subnet where the agent is located may be able to detect & filter
    • En Route
      • choose an address from some host on the route from agent to victim
      • not used by any known attack, but foreseeable, since it counters some existing filtering techniques

Mirkovic, Reiher 04
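Why random spoofing is filterable at the network edge while subnet spoofing is not, and what the agent's own subnet can still do about it, is easiest to see with the two checks side by side. This is an added example, not code from the slides or from Mirkovic and Reiher; the prefix, the port-to-host binding table and the `Packet` fields are constructed assumptions.

```python
"""Added example (not from the original slides): two filtering points that the
spoofed-address taxonomy above distinguishes, applied to constructed packets.

* ingress_filter: an edge router forwards a packet only if its source address
  lies in the prefix assigned to the interface it arrived on.  This removes
  randomly spoofed sources but passes subnet-spoofed ones, which is why subnet
  spoofing "defeats ingress filtering".
* source_binding_filter: inside the subnet, an access switch that knows which
  address belongs to which port can still reject a subnet-spoofed packet.
Prefixes, bindings and the Packet fields are assumptions for this example.
"""
import ipaddress
from collections import namedtuple

# port = the access port the packet arrived on (constructed identifier)
Packet = namedtuple("Packet", "src dst port")

CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")          # constructed customer prefix
HOST_BINDINGS = {"port1": "192.0.2.10", "port2": "192.0.2.11"}  # constructed port -> host table


def ingress_filter(pkt, prefix=CUSTOMER_PREFIX):
    """Edge-router check (BCP 38 style): source must belong to the customer's prefix."""
    return ipaddress.ip_address(pkt.src) in prefix


def source_binding_filter(pkt, bindings=HOST_BINDINGS):
    """Subnet-level check: source must be the address bound to the arrival port."""
    return bindings.get(pkt.port) == pkt.src


def evaluate(pkts):
    """Run both checks on a dict of name -> Packet; True means the packet passes."""
    return {name: {"edge": ingress_filter(p), "subnet": source_binding_filter(p)}
            for name, p in pkts.items()}


# Constructed traffic from the host on port1 (real address 192.0.2.10)
SAMPLE = {
    "genuine":      Packet("192.0.2.10",    "203.0.113.5", "port1"),
    "random_spoof": Packet("198.51.100.77", "203.0.113.5", "port1"),  # outside the prefix
    "subnet_spoof": Packet("192.0.2.200",   "203.0.113.5", "port1"),  # inside the prefix, wrong host
}

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE).items():
        print("%-13s edge=%-5s subnet=%s" % (name, verdict["edge"], verdict["subnet"]))
```

The randomly spoofed packet fails at the edge; the subnet-spoofed packet passes the edge check and is only caught by the per-port binding inside the agent's own subnet, which is the "may be able to detect & filter" case on the slide.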
16
Reflector Attacks
  • Reflector: any machine or service that responds to a packet with one or more packets.
  • Attacker sends packets to reflector
    • spoofed source address = victim's IP address
    • responses from reflectors overwhelm the victim
  • SMURF (1998)
    • ICMP echo requests sent to various IP broadcast addresses
    • amplifier effect: many responses from a single packet
  • DNS Reflector Flood (2000)
    • agents generate a large number of DNS requests, with the spoofed source address of the victim
    • amplifier effect: DNS responses can be significantly larger than the DNS request

CERT Advisory CA-1998-01, Incident Note IN-2000-04
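From the victim's side, a DNS reflector flood shows up as responses that no local host requested, and the size gap between a request and its response is the amplifier effect the slide mentions. The monitor below is an added example, not code from the slides or from the CERT notes cited; the message fields, addresses and trace are constructed.

```python
"""Added example (not from the original slides): a victim-side monitor for the
DNS reflector flood described above.  A reflector attack makes resolvers send
responses to a host that never asked for them, so matching incoming responses
against the requests this host actually sent flags the unsolicited ones, and the
matched pairs give the amplification ratio (response bytes / request bytes).
Message fields and the sample trace are constructed for this example.
"""
from collections import namedtuple

# direction: "out" (sent by us) or "in"; qr: False = query, True = response
Msg = namedtuple("Msg", "direction src dst txid qr size")


class ReflectionMonitor:
    def __init__(self, local_ip, alert_fraction=0.5):
        self.local_ip = local_ip
        self.alert_fraction = alert_fraction
        self.outstanding = {}        # (server, txid) -> request size
        self.matched = 0
        self.unsolicited = 0
        self.unsolicited_bytes = 0
        self.ratios = []

    def process(self, msg):
        """Classify one message: 'request', 'matched', 'unsolicited' or 'ignored'."""
        if msg.direction == "out" and not msg.qr:
            self.outstanding[(msg.dst, msg.txid)] = msg.size
            return "request"
        if msg.direction == "in" and msg.qr and msg.dst == self.local_ip:
            req_size = self.outstanding.pop((msg.src, msg.txid), None)
            if req_size is not None:
                self.matched += 1
                self.ratios.append(msg.size / req_size)
                return "matched"
            self.unsolicited += 1
            self.unsolicited_bytes += msg.size
            return "unsolicited"
        return "ignored"

    def report(self):
        total = self.matched + self.unsolicited
        return {
            "matched": self.matched,
            "unsolicited": self.unsolicited,
            "unsolicited_bytes": self.unsolicited_bytes,
            "observed_amplification": round(sum(self.ratios) / len(self.ratios), 2) if self.ratios else None,
            "alert": total > 0 and self.unsolicited / total > self.alert_fraction,
        }


VICTIM = "192.0.2.10"         # constructed
RESOLVER = "198.51.100.53"    # constructed: the resolver this host really uses

# Constructed trace: two genuine lookups, then five responses from resolvers
# this host never queried (transaction ids it never chose), each the size of a
# large response.
SAMPLE_TRACE = [
    Msg("out", VICTIM, RESOLVER, 4242, False, 45),
    Msg("in", RESOLVER, VICTIM, 4242, True, 120),
    Msg("out", VICTIM, RESOLVER, 4243, False, 45),
    Msg("in", RESOLVER, VICTIM, 4243, True, 180),
] + [Msg("in", "203.0.113.%d" % i, VICTIM, 1000 + i, True, 512) for i in range(1, 6)]


def run(trace, local_ip=VICTIM):
    """Feed a trace through the monitor and return its report."""
    mon = ReflectionMonitor(local_ip)
    for m in trace:
        mon.process(m)
    return mon.report()


if __name__ == "__main__":
    print(run(SAMPLE_TRACE))
```

On the constructed trace the two genuine lookups match and show an average response-to-request size ratio of about 3.3, while the five unsolicited responses (2560 bytes with no corresponding request) push the unsolicited fraction past the alert threshold. In practice the outstanding-request table also needs a timeout so that lost responses do not accumulate.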
17
Defining Characteristics
Who?
What?
When?
To Where?
How?
  • Exploited vulnerabilities

18
Exploited Vulnerabilities
  • Semantic (e.g. TCP SYN, NAPTHA)
    • exploits features or bugs of protocols/applications on the victim in order to deplete its resources
    • asymmetrically cheap for attacker but expensive for victim
    • targets buffers, network resources, process space, processor time
  • Brute Force (e.g. ping flood)
    • overwhelms the victim with seemingly legitimate transactions
    • intermediate network can deliver more packets than the victim can handle, but more packets are required (raises the bar)
    • attack packets are difficult to distinguish
  • Either / both (e.g. ping flood)
    • semantic attacks can become brute force attacks (e.g. SYN flood)
    • hybrid attacks, e.g. SMURF

Mirkovic, Reiher 04
19
Defining Characteristics
Who?
What?
When?
Where?
How?
  • Degree of automation
  • Possibility of characterization
  • Impact on victim

20
Operation - Degree of Automation
  • Manual (early DDoS attacks)
    • The attacker manually scans, breaks in, installs attack code, then directs the attack
  • Fully Automatic (some viruses)
    • exploit/recruitment phase and attack phase both automated
    • Reduces the attacker's exposure
    • Inflexible: often they leave a backdoor for future modification
  • Semi-Automated
    • recruitment phase automated, attack phase manually initiated
    • requires master-agent communication
      • direct comm. is risky (e.g. hard-coding IP addr.)
      • indirect communication (e.g. through IRC)

Mirkovic, Reiher 04
21
Possibility of Characterization
  • Characterizable
    • Filterable vs. Non-Filterable
    • Filterable
      • packets may be malformed
      • protocol or application may not be needed by the target
      • ex: UDP flood against a web server, HTTP flood against an SMTP server
    • Non-Filterable
      • well-formed packets that request legitimate/critical services
      • no way to distinguish attack packets from legitimate service requests
      • ex: HTTP flooding a web server
  • Non-characterizable
    • attack packets use a variety of protocols/applications
    • may be randomly generated
    • some attacks characterizable in theory, but not in practice

Mirkovic, Reiher 04
22
Impact on Victim
  • Disruptive: completely deny access
    • Self-recoverable
      • Service recovers without human intervention as soon as the attack ends.
    • Human-recoverable
    • Non-recoverable
  • Degrading
    • Consume a portion of the victim's resources.
    • Hard to detect
    • Can be very costly (lost business)
    • Most existing DDoS countermeasures fail to address this threat

Mirkovic, Reiher 04
23
Learn More
  • Christos Douligeris and Aikaterini Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks, Volume 44, Issue 5, 5 April 2004, Pages 643-666.
  • Christos Douligeris and Aikaterini Mitrokotsa, Denial-of-Service Attacks, in Network Security: Current Status and Future Directions, Wiley, 2007, ISBN 978-0-471-70355-6.
  • Mirkovic, J. and Reiher, P. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Comput. Commun. Rev. 34, 2 (Apr. 2004), 39-53.
  • Stephen M. Specht, Ruby B. Lee, Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures, Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004 International Workshop on Security in Parallel and Distributed Systems, pp. 543-550, September 2004.