1 / 39

COMP 7320

COMP 7320. Internet Security:. Prevention of DDoS Attacks. By Dack Phillips. Presentation Overview. What are DoS Attacks? DoS Facts and Figures Current Solutions Problems Proposed Solutions Conclusions References Questions. What are DoS Attacks?.

Télécharger la présentation

COMP 7320

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips

  2. Presentation Overview • What are DoS Attacks? • DoS Facts and Figures • Current Solutions • Problems • Proposed Solutions • Conclusions • References • Questions

  3. What are DoS Attacks? • A malicious attack that consumes “resources of remote hosts or networks denying or degrading service to legitimate users,” [11].

  4. Types of DoS Attacks • Bandwidth Consumption • Program Flaw Exploitation • Resource Starvation • Routing/DNS Attacks • SYN Floods • DDoS Attacks

  5. Bandwidth Consumption • A computer having more bandwidth floods a smaller server with packets. The smaller server can not respond to the overwhelming load. • A computer with small bandwidth convinces a network to flood a host with more bandwidth - A 56 Kbps modem can take down a T1 line like this

  6. Program Flaw Exploitation • An attacker sends an operating system, application, or hardware exceptional conditions that it can’t handle. - OOB Port 139 on Windows 95 boxen - F00FC7C8 Pentium Instruction

  7. Resource Starvation • Attacker aims to deplete system, rather than network resources. - CPU - Memory - File System Quotas

  8. Routing/DNS Attacks • Routing Information Protocol (RIP) and Border Gateway Protocol (BGP) have very weak authentication. Routing tables are changed to route traffic through an attacker’s network, another network, or a “black hole” (non-existent network) • DNS is similar except DNS tables are falsified

  9. SYN Floods • TCP Connection Handshake client sends server TCP SYN server sends client TCP SYN ACK client sends server ACK or RST • In case of a spoofed source address, server keeps trying to send SYN ACKs. Connection Queue fills up with these requests and no legitimate traffic is served

  10. DDoS Attacks • An attacker compromises many machines (agents or zombies) and installs DoS daemons • The attacker uses a controlling machine (handler) to control the zombie machines to attack a server. • More than one handler to prevent single point of failure

  11. DoS Facts and Figures • One of the hardest security problems • Simple to implement • Difficult to prevent • Difficult to trace • 1989 – 95: CERT reports DoS attacks increased 50% per year • Tools are easy to find and use – Smurf, Fraggle, Teardrop, Stream, TFN, Trinoo Stacheldracht, Shaft, Plague, Trinity, et al. • February 2000 – eBay, Yahoo, Amazon, etc.

  12. Current Solutions • Preventative: Make the OS/IP stack more robust • Reactive Phone ISPs and trace back manually, call next ISP in the chain… This is time consuming and ISPs are often unwilling to spend time doing this. In addition, the trace has to be done while the attack is still in progress.

  13. Problems • The Internet is stateless; destination driven • Source addresses can be easily falsified (spoofed) • Attackers use connection chains to hide identities • Routers can be compromised • Login chains and address spoofing have legitimate uses

  14. Proposed Solutions • Ingress Filtering • Upstream Router Mapping • Counter Flooding Trace • Probabilistic Packet Marking • ICMP Traceback Messages • Stepping Stone Tracking • Traceback Network (CenterTrack or STM)

  15. Ingress Filtering • Defined in RFC 2267 • Edge Routers drop and log packets with invalid Source IPs or those coming from outside the network • Border Routers should not be allowed to transmit broadcast packets (MAC address FF:FF:FF:FF:FF:FF) to other routers by default

  16. Ingress Filtering (cont) • System Diagnostic UDP packets from outside domains should not be allowed into a network • Ingress filtering poses problems with Mobile IP. Currently the Mobile IP Working Group is investigating “reverse tunneling” to solve this problem.

  17. Upstream Router Mapping • Network Administrators should make an upstream router map • Manually via traceroute • Mercator – program that uses hop limited probes and source routers to create upstream maps

  18. Counter Flooding • Network Administrators send UDP chargen floods upstream (small scale DoS attack). If a router is perturbed then it is probably being used in the attack. Repeat upstream. • Ethical issue – If the trace causes more damage than the attack, should it be used?

  19. PPM • PPM – Probabilistic Packet Marking • 4 schemes • Savage, Wetherall, Karlin & Anderson • Song & Perrig • Park & Lee • Dean, Franklin & Stubblefield

  20. PPM (cont) • These schemes overload the IP Identification field used for packet fragmentation • In most schemes, a hashing function computes a hash of the router’s IP address and writes this hash to the Identification field • A distance field is normally included as well that keeps track of how many hops a packet has travelled

  21. PPM (cont) Typical IP Packet

  22. PPM (cont) • Dean, etc. employ an algebraic scheme rather than a hash based wherein routers stamp coefficients of their IP addresses % a prime number

  23. PPM (cont) • Assumptions: Most paths are less than 25 hops Packets can be addressed to more than one host Duplicate Packets can exist Routers can be compromised Attackers know they can be traced

  24. PPM (cont) • PPM schemes must minimize false positives while eliminating false negatives • Adding bits to IP headers causes packet fragmentation

  25. PPM (cont) • Problems Packets can take more than one path to a destination IPSec requires IP Identification field IP fragmentation is small (<0.25% of traffic) but does exist Routers do not need more overhead

  26. ICMP Traceback • Traceroute only works in the forward direction, not in reverse • Routers send out ICMP traceback information (interface name, Time stamp) probabilistically (1/1000 – 1/20000) • Public key system used to authenticate packets • TTL set to 255 to show distance • Problem – ICMP is filtered in some networks

  27. Stepping Stone Traceback • Stepping Stone – one link in a connection chain • If ON/OFF timing between 2 hosts is similar, it is probably a stepping stone • Packets often encrypted, check headers • Check clear text packets to see if the text from one host is transmitted to another • Problem – too much legitimate traffic, not an adequate solution

  28. CenterTrack • Edge routers are connected to a special overlay network composed of tracing routers via IP Tunnels • In case of attack, the packets are forwarded to the tracking routers which follow the stream back to the source of the attack

  29. CenterTrack (cont) • Full packet capture can be added easily to provide attack evidence • Problems – Attacks have to be detected to be rerouted • TTL is modified and ICMP TTL exceeded messages are sent back, possibly alerting the attacker to the trace

  30. CenterTrack (contd) GW – Gateway CT – CenterTrack Router TR/XR – Transfer Router

  31. STM Network • SPIEs (Source Path Isolation Engines) are installed in routers, or connected to them • These SPIEs generate packet digests from 28 non changing bits in the packet (20 from the header, 8 from the payload). • The digest is stored in router memory or external storage

  32. STM Network (cont) • SPIEs transfer data to SCARs (SPIE Collection and Reduction Agents) if interesting traffic occurs • A SCAR can produce an attack graph of a local network • STMs (SPIE Traceback Managers) can request information from one or more SCARs and generate a complete attack graph

  33. Conclusions • ISPs, unless they offer Mobile IP should use Ingress Filtering • Network Administrators should make upstream router maps • IPv6 should employ better packet tracing methods

  34. References [1] S. Bellovin. ICMP traceback messages. Internet Draft, IETF, Mar. 2000. draft-bellovin-itrace-05.txt (work in progress). [2] H. Burch and B. Cheswick. “Tracing anonymous packets to their approximate source.” In Proc. USENIX LISA ’00 (Dec. 2000). [3]D. Dean, M. Franklin, and A. Stubblefield, "An Algebraic Approach to IP Traceback," in Network and Distributed System Security Symposium, NDSS '01, February 2001. 

  35. References [4] S. Dietrich, N. Long, and D. Dittrich, “Analyzing ditributed denial of service attack tools: The shaft case,” in 14th Systems Administration Conference, LISA 2000, 2000, http://netsec.gsfc.nasa.gov/spock/lisa2000-shaft.pdf. [7] P. Ferguson and D. Senie. “Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing.” May 2000.RFC 2827. IEEE INFOCOM 2001. [8] R. Govindan and H. Tangmunarunkit. “Heuristics for Internet Map Discovery.” In Proc. of the 2000 IEEE INFOCOM Conference, Tel Aviv, Israel, Mar. 2000.

  36. References [10] K. Park and H. Lee. “On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack.” In Proc. IEEE INFOCOM 2001, pages 338-347, 2001. [11] S. Savage, D. Wetherall, A. Karlin, and T. Anderson. “Practical network support for IP traceback.” In Proc. of ACM SIGCOMM ‘00, pages 295-306, Aug.2000. [12] A. Snoeren, and C. Partridge. “Hash-based IP Traceback.” In Proc. ACM SIGCOMM ‘01, pages 3-14, Aug. 2001.

  37. References [13] D. Song and A. Perrig. “Advanced and authenticated marking schemes for IP traceback.” Technical Report UCB/CSD-00-1107, Computer Science Department, University of California, Berkeley, 2000. In Proc. IEEE INFOCOM 2001. [14] R. Stone. “CenterTrack: An IP Overlay Network for Tracking DoS Floods.” In Proc. of the 2000 USENIX Security Symposium, Denver, CO, July 2000. [15] *J. Scambray, S. McClure, and G. Kurtz. Hacking Exposed: Network Security Secrets and Solutions. Second Edition. New York: Osborne/McGraw-Hill, 2001. pages 484-506.

  38. References [17] Y. Zhang and V. Paxson. “Stepping Stone Detection.” In Proc. of the 2000 USENIX Security Symposium, Denver, CO, July 2000.

  39. Questions?

More Related