Vitaly Shmatikov

1
Network Attacks and Defense
CS 378

• Vitaly Shmatikov

2
User Datagram Protocol (UDP)

• We already talked about TCP, IP and ICMP
• UDP is a connectionless protocol
• Simply send datagram to application process at
  the specified port of the IP address
• Source port number provides return address
• Applications media streaming, broadcast
• No acknowledgement, no flow control, no message
  continuation

3
Denial of Service (DoS) Redux

• Goal overwhelm victim machine and deny service
  to its legitimate clients
• DoS often exploits networking protocols
• Smurf ICMP echo request to broadcast address
  with spoofed victims address as source
• Ping of death ICMP packets with payloads greater
  than 64K crash older versions of Windows
• SYN flood open TCP connection request from a
  spoofed address
• UDP flood exhaust bandwidth by sending thousands
  of bogus UDP packets

4
Distributed Denial of Service (DDoS)

• First, scan hundreds of thousands of computers on
  the Internet for known vulnerabilities
• Similar to worm propagation
• Turn vulnerable computers into zombies
• Exploit vulnerabilities to gain root access,
  install attack and communication tools, use them
  for further scans
• Form a distributed attack network from zombies
• Choose a subset of compromised machines with
  desired network topology and characteristics
• Command zombies to stage a coordinated attack on
  the victim

5
DDoS Architecture
Attacker
Master machines
Zombie machines
Victim
6
DDoS Tools

• Trin00
• Attacker uses TCP, masters and zombies use UDP,
  network members authenticate using passwords
• Tribal Flood Network (TFN)
• Attacker uses shell access to invoke master,
  masters and zombies communicate using ICMP
• TFN2K
• Combines UDP, ICMP, an TCP
• Stacheldraht
• Attacker uses encrypted TCP, masters and zombies
  communicate using TCP and ICMP

7
Trin00

• Scan for known buffer overflows in Linux
  Solaris
• Unpatched versions of wu-ftpd, statd, amd,
• Root shell on compromised host returns
  confirmation
• Install attack daemon using remote shell access
• Send commands (victim IP, attack parameters,
  etc.), using plaintext passwords for
  authentication
• Attacker to master TCP, master to zombie UDP
• To avoid detection, daemon issues warning if
  someone connects when master is already
  authenticated
• In August of 1999, a network of 227 Trin00
  zombies took U. of Minnesota offline for 3 days

8
TFN (Tribal Flood Network)

• Supports multiple DoS attack types
• Smurf ICMP, SYN, UDP floods
• Attacker runs masters directly via root backdoor
  masters talk to zombies using ICMP echo reply
• No authentication of masters commands, but
  commands are encoded as 16-bit binary numbers
  inside ICMP packets to prevent accidental
  triggering
• Vulnerable to connection hijacking and RST
  sniping
• List of zombie daemons IP addresses is encrypted
  in later versions of TFN master scripts
• Protects identities of zombies if master is
  discovered

9
Stacheldraht

• Combines best features of Trin00 and TFN
• Multiple attack types (like TFN)
• Symmetric encryption for attacker-master
  connections
• Master daemons can be upgraded on demand
• February 2000 crippled Yahoo, eBay, Amazon,
  Schwab, ETrade, CNN, Buy.com, ZDNet
• Smurf-like attack on Yahoo consumed more than a
  Gigabit/sec of bandwidth
• Sources of attack still unknown

10
U. of Toronto, 2004 (from David Lies slides)

• Date Fri, 19 Mar 2004
• Quote from email
• The campus switches have been bombarded with
  these packets and apparently 3Com switches
  reset when they get these packets. This has
  caused the campus backbone to be up and down most
  of yesterday. The attack seems to start with
  connection attempts to port 1025 (Active
  Directory logon, which fails), then 6129
  (DameWare backdoor, which fails), then 80 (which
  works as the 3Coms support a web server, which
  cant be disabled as far as we know). The HTTP
  command starts with SEARCH /\x90\x02\xb1\x02
  then goes off into a continual pattern of
  \x90

11
Defending Against DDoS

• Authenticate packet sources
• Not feasible with current IP (unless IPSec is
  used)
• Filter incoming traffic on access routers or
  rate-limit certain traffic types (ICMP and SYN
  packets)
• Need to correctly measure normal rates first!
• Force clients to do an expensive computation or
  to prove that they are human
• If connection requested, ask client to solve a
  puzzle
• E.g., invert a short hash value or solve a
  graphical Turing test
• Honest clients can easily do this, but zombies
  cant
• Requires modification of TCP/IP stack (not
  feasible)

12
Finding Attack Sources

• Note this will only locate zombies
• Forensics on zombie machines can help find
  masters and the attacker who remotely controls
  them
• Can use existing IP routing infrastructure
• Link testing (while attack is in progress)
• Packet logging (for post-mortem path
  reconstruction)
• or propose changes to routing infrastructure
• IP traceback (e.g., via packet marking)
• and dozens of other proposals
• Changing routing infrastructure is hard!

13
Link Testing

• Only works while attack is in progress
• Input debugging
• Victim reports attack to upstream router
• Router installs a filter for attack traffic,
  determines which upstream router originated it
• Repeat upstream (requires inter-ISP cooperation)
• Controlled flooding
• Iteratively flood each incoming link of the
  router if attack traffic decreases, this must be
  the guilty link
• Use a form of DoS to throttle DoS traffic (!!)
• Need a good network map and router cooperation

14
IP Traceback Problem

• How to determine the path traversed by attack
  packets?
• Assumptions
• Most routers remain uncompromised
• Attacker sends many packets
• Route from attacker to victim remains relatively
  stable

A4
A5
A1
A2
A3
R6
R7
R8
R9
R10
R12
Victim
15
Obvious Solution Doesnt Work

• Obvious solution have each router on the path
  add its IP address to packet victim will read
  path from the packet
• Problem requires space in the packet
• Paths can be long
• Current IP format provides no extra fields to
  store path information
• Changes to packet format are not feasible

16
Probabilistic Packet Marking

• DDoS involves many packets on the same path
• With some probability, each router marks packet
  with routers address
• Fixed space per packet
• Large number of packets means that each router on
  the path will appear in some packet

A4
A5
A1
A2
A3
R6
R7
R8
R9
R10
R12
Victim
17
Node and Edge Sampling

• Node sampling
• With probability p, router stores its address in
  packet
• Router at distance d shows up with probability
  p(1-p)d
• Edge sampling
• Packet stores an edge and distance since it was
  stored
• More space per packet, but fewer packets to
  reconstruct path
• With probability p, router stores the current
  edge and sets distance to 0, else increments
  distance by 1

p
1-p
1-p
1-p
R
V
d
18
Storing Edges in IP Packets
Version
Header length

• 16-bit Identification field
• Used for fragmentation
• Fragmentation is rare
• Storing an edge in 16 bits
• Store start?end
• Work backwards to get path (start?end)?end
  start

Type of service
Total length
Identification
Identification
Flags
Fragment offset
Time to live
Protocol
Header checksum
offset
distance
edge chunk
Source address of originating host
0 2 3 7 8 15
Destination address of target host
Options
Padding
b ? c
c ? d
d
IP Data
a ? b
a
b
c
d
V
19
Stepping Stones (courtesy of Yin Zhang)

• IP traceback helps discover machines from which
  attack packets originates
• These often have remote-controlled zombie daemons
• Analysis of zombies can help trace back to
  masters
• Compromised host often has a root backdoor
• E.g., attacker runs TFN masters through root
  shell
• Standard service on a non-standard port or
  standard port associated with a different service
• Attacker connects from yet another machine
• Stepping stone compromised intermediary host
  used by attacker to hide his identity

20
General Principle

• Find invariant or at least highly correlated
  characteristics of network links used by attacker
• Leverage particulars of how interactive traffic
  behaves

Network monitor observes inbound and outbound
traffic
21
Indirect Stepping Stones

• Indirect stepping stone A-B C-D vs. A-B-C

B
Internet
C
22
Timing Correlation of Idle Periods
A?B
C?D
lt 80ms?

• Idle period no activity for ? 0.5 sec
• Consider only when idle periods end to reduce
  analysis possibilities
• Two idle periods are considered correlated if
  their ending times differ by lt 80ms
• Works even on encrypted traffic!
• Detection criteria
• of coincidences / of idle periods
• of consecutive coincidences
• of consecutive coincidences / of idle periods

23
Calibration Algorithms

• Brute-force search for common strings
• Extract the aggregate telnet/rlogin output
• Find connections with similar content by looking
  at common lines using standard Unix utilities
• Additional manual inspection
• Two Unix-centric hacks
• Look for propagated DISPLAY
• Look for propagated status line in the login
  dialog
• Last login Fri Jun 18 125658 from
  host.x.y.z.com

24
Performance Evaluation

• Very low false positives and negatives
• LBNL telnet trace FalsePos 0, FalseNeg 2/21
• Berkeley telnet trace FalsePos 0, FalseNeg
  5/79
• Brute-force scheme missed 32
• Capable of real-time detection
• 1.1 real-time minutes for LBNL traces (1.5M
  packets)
• Contains 21 stepping stones
• 24 real-time minutes for Berkeley traces (5M
  packets)
• Contains 79 stepping stones
• Attacker can evade if detection algorithm is
  known, but detector can vary parameters

25
Failures

• Large number of legitimate stepping stones
• Very small stepping stones evade detection
• Limits attackers to a few keystrokes
• Message broadcast applications lead to
  correlations that are not stepping stones
• Can filter these out
• Phase-drift in periodic traffic leads to false
  coincidences
• Can filter these out, too

26
IP Routing

• Routing of IP packets is based on IP addresses
• Routers use a forwarding table
• Entry destination, next hop, network interface,
  metric
• For each packet, a table look-up is performed to
  determine how to route it
• Routing information exchange allows update of old
  routes and creation of new ones
• RIP (Routing Information Protocol)
• OSPF (Open Shortest Path First Protocol)
• BGP (Border Gateway Protocol)

27
Routing Attacks

• Source routing
• Source of the packet specifies a particular route
• For example, because the automatic route is dead
• Attacker can spoof source IP address and use
  source routing to direct response through a
  compromised host
• Solution reject packets with source routing!
• More heavy-duty allow source route only via
  trusted gateways
• Routing Information Protocol (RIP)
• Use bogus routing updates to intercept traffic
• RIP implicitly assumes that routers are trusted
• Black hole attacks and many others

28
DNS Attacks

• Domain Name System (DNS) is a distributed
  database mapping host names to IP addresses
• For example, www.cs.utexas.edu ? 128.83.120.155
• Network services trust host-address mappings
  returned in response to DNS queries
• But DNS responses are not authenticated!
• If attacker takes over DNS server, can respond
  with addresses of attacker-controlled machines
• Some DNS services have known buffer overflows
• Can use zone transfer requests to download a
  chunk of DNS database and map out the network

29
Reverse DNS Spoofing

• Trusted access is often based on host names
• E.g., permit all hosts in .rhosts to run remote
  shell
• Network requests such as rsh or rlogin arrive
  from numeric source addresses
• System performs reverse DNS lookup to determine
  requesters host name and checks if its in
  .rhosts
• If attacker can spoof the answer to reverse DNS
  query, he can fool target machine into thinking
  that request comes from an authorized host
• No authentication for DNS responses and typically
  no double-checking (numeric ? symbolic ? numeric)

30
Announcements

• Glen Nuckolls substituting on Thursday
• No Vitalys office hours on Thursday
• Vitalys office hours rescheduled to Monday,
  April 18, 330-430pm