1 / 17

Distributed Reflection Denial of Service

Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on: http://grc.com/dos/drdos.htm Jim Gast, CS-642 Security, Spring, 2003 jgast@cs.wisc.edu , UW-Madison Normal Connection Establishment

bernad
Download Presentation

Distributed Reflection Denial of Service

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on: http://grc.com/dos/drdos.htm Jim Gast, CS-642 Security, Spring, 2003 jgast@cs.wisc.edu, UW-Madison

  2. Normal Connection Establishment The Server sets up retransmission timers, allocates receive buffers, etc. Imagine a web server that can handle 12,000 connections. If the process fails, a timeout occurs after 120 seconds, freeing up the resources. Note: SYN packets are very small and take up very little bandwidth. Graphics stolen from http://grc.com/dos/drdos.htm

  3. CLOSED Active open /SYN Passive open Close Close LISTEN SYN/SYN + ACK Send/ SYN SYN/SYN + ACK SYN_RCVD SYN_SENT ACK SYN + ACK/ACK Close /FIN ESTABLISHED Close /FIN FIN/ACK FIN_WAIT_1 CLOSE_WAIT FIN/ACK ACK Close /FIN ACK + FIN/ACK FIN_WAIT_2 CLOSING LAST_ACK Timeout after two ACK ACK segment lifetimes FIN/ACK TIME_WAIT CLOSED State Transition Diagram

  4. SYN Flood • Each SYN creates one half-open connection • Half-open connections take minutes to time-out • Servers have finite connection tables • Perpetrator would be easily caught (Source IP) • Unless SourceIP is spoofed • See: CERT Advisory CA-1996-21 • http://www.cert.org/advisories/CA-1996-21.html 100 SYN packets per second fits in 56 Kbps Graphics stolen from http://grc.com/dos/drdos.htm

  5. Spoofed IP Address The SYN/ACK is delivered to the fake (spoofed) IP Address. The attacker doesn’t see it, and doesn’t care. (Backscatter) Graphics stolen from http://grc.com/dos/drdos.htm

  6. Example SYN Flood Attack • February 5th-11th, 2000 • Victims included CNN, eBay, Yahoo, Amazon • Attackers (allegedly) used simple, readily available tools (script-kiddies) • Law enforcement unable (unwilling?) to help • Under-age perpetrators have blanket immunity

  7. Defense against SYN Flood • Increase size of connection table • Add more servers • Trace attack back to source • Ask your ISP to filter malicious packets • Add firewall • Typically “SYN proxy” • Dave Parter will talk on firewalls later in the semester • Ultimate solution was “SYN-cookies” • Reply to SYN with SYN-cookie • Allocate no resources until SYN-cookie is returned

  8. Potential places to stop DoS flood Graphics stolen from http://grc.com/dos/drdos.htm

  9. Distributed DoS • Rather than filling connection table, fill all available bandwidth • Infect innocent bystanders (zombies) • Zombies listen (e.g. on IRC channel) for attack command (or simply attack at will) • Attacker need not have high bandwidth connection Typical Program: EvilGoat EvilBot Graphics stolen from http://grc.com/dos/drdos.htm

  10. Example Distributed DOS Attack • 6 attacks on 5 different days • One attack lasted for 17 hours • 474 infected windows PC as zombies • 2.4 billion malicious packets Goodput? Time (minutes?) Graphics stolen from http://grc.com/dos/grcdos.htm

  11. Flood-based Distributed DoS Attacks • Coordinate zombies to attack with big packets • Use up “last-hop” bandwidth • “Last-hop” router discards packets indiscriminately • Zombies need not spoof addresses See http://grc.com/dos/intro.htm for example horror story Graphics stolen from http://grc.com/dos/drdos.htm

  12. Newest Twist - Reflection • Many routers accept connections on port 179 (Border Gateway Protocol) • Although any big server and any port it listens on will work • Send a SYN to a router, claiming it came from the victim • The router will send a SYN/ACK to the victim • And then re-transmit several times before giving up (typically about 4X) Note: Tar-pits will not see any “Backscatter” but honey-pots might see the attacker’s commands.

  13. Reflection Mechanism Graphics stolen from http://grc.com/dos/drdos.htm

  14. Distributed Reflection DoS Graphics stolen from http://grc.com/dos/drdos.htm

  15. Other ports susceptible to DRDoS • 22 – Secure Shell • 23 – Telnet • 53 – DNS • 80 – HTTP / Web • 4001 – Proxy Servers • 6668 – Internet Relay Chat Easily detected ports 1-1023 “Well-Known” (so far) But reflection from port 179 is so powerful it easily overwhelms others

  16. Call to action • Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home • Egress filtering at all ISPs would prevent spoofed IP addresses from traversing the Internet • Flagging multiply-tried, failed SYN/ACKs could be used to discover victims and filter further attack • Disable raw socket interface in client PCs

  17. Questions?

More Related