100 likes | 235 Vues
(Distributed) Denial of Service. Nick Feamster CS 4251 Spring 2008. Distributed Denial of Service (DDoS). Daemon. Master. Daemon. Daemon. Daemon. Daemon. Real Attacker. Victim. Asymmetry comes in the form of a large farm of machines. IP addresses no longer need to be spoofed.
E N D
(Distributed) Denial of Service Nick FeamsterCS 4251Spring 2008
Distributed Denial of Service (DDoS) Daemon Master Daemon Daemon Daemon Daemon Real Attacker Victim Asymmetry comes in the form of a large farm of machines.IP addresses no longer need to be spoofed
February 2000: DDoS Traditional protection techniques no longer applicable.
DDoS Attack: Yahoo! • February 2000 • Intermittent outages for nearly three hours • Estimated to have cost Yahoo $500,000 due to fewer page hits during the attack • Attacker caught and successfully prosecuted • Other companies (eBay, CNN) attacked in the same way the following days
DDoS Attack: Microsoft • Target of multiple DDoS attacks • Some successful, some not • Successful one in January 2001 • Attacked router in front of Microsoft’s DNS servers • During attack, as few as 2% of web page requests were being fulfilled
DDoS Attack: DNS Root Servers • October 2002 for 1 hour • Ping flood to all 13 of the DNS root servers • Successfully halted operations on 9 • Did not cause major impact on Internet • DNS NS record caching at local resolvers helped • Several root servers are very well-provisioned
DDoS: Setting up the Infrastructure • Zombies • Slow-spreading installations can be difficult to detect • Can be spread quickly with worms • Indirection makes attacker harder to locate • No need to spoof IP addresses
What is a Worm? • Code that replicates and propagates across the network • Often carries a “payload” • Usually spread via exploiting flaws in open services • “Viruses” require user action to spread • First worm: Robert Morris, November 1988 • 6-10% of all Internet hosts infected (!) • Many more since, but none on that scale until July 2001
Example Worm: Code Red • Initial version: July 13, 2001 • Exploited known ISAPI vulnerability in Microsoft IIS Web servers • 1st through 20th of each month: spread20th through end of each month: attack • Payload: Web site defacement • Scanning: Random IP addresses • Bug: failure to seed random number generator
Why Denial-of-Service “Works” • Asymmetry: generating a request is cheaper than formulating a response • One attack machine can generate a lot of requests, and effectively multiply its power • Not always possible to achieve this asymmetry