1. Denial of Service Attacks
Brian Pursley
Hofstra University
CSC288, October 2008

Hello. I am Brian Pursley, and this presentation will provide a brief overview of Denial of Service attacks with a focus on Distributed Denial of Service attacks.
2. What is Denial of Service?
Denial of Service (DoS)
Attacker intentionally degrades or disables an application or computer system
Distributed Denial of Service (DDoS)
Attacker controls a large group of systems to coordinate a large-scale DoS attack against a system

Denial of Service, abbreviated as DoS, is where an attacker degrades or completely disables an application or system. This is accomplished by depleting the resources of the system, such as CPU, memory, disk space, internal handles, or network bandwidth. Distributed Denial of Service, referred to as DDoS, is where an attacker enlists multiple machines to carry out a DoS attack against a single victim.
3. Cost of DDoS Attacks
Hard to quantify
Incomplete data – Companies reluctant to admit they have been victimized
Lost business
Lost productivity

What is the cost of Denial of Service to the victim? It is hard to say because the available data is incomplete. Many companies who are victims of Denial of Service attacks are reluctant to report it because they fear the further harm that negative publicity will have on their business. However, it is easy to assume that lost sales or lost productivity are direct consequences of a Denial of Service attack.
4. History of Denial of Service Attacks
Early 1990s: Individual Attacks, First DoS Tools
Late 1990s: Botnets, First DDoS Tools
Feb 2000: First Large-Scale DDoS Attack
CNN, Yahoo, E*Trade, eBay, Amazon.com, Buy.com
2004: DDoS for hire and Extortion
2007: DDoS against Estonia
2008: DDoS against political dissident groups
2008: DDoS against Republic of Georgia during military conflict with Russia

Here is a brief history of Denial of Service attacks. They started out as single attacks perpetrated from one user against another user, using applications that allowed the user to kick off an attack at the click of a button. Then in the late 90s the first botnets were formed and Distributed Denial of Service tools were created. In 2000, the first highly publicized DDoS attack was committed against several large companies who had a significant Internet presence. Then in 2004, online criminals began offering DDoS for hire and using the threat of DDoS attack for extortion. Most recently, in 2007 and 2008, Distributed Denial of Service attacks have been used for political purposes, and even in coordination with military operations.
5. DDoS Botnets
Botnet: Collection of compromised computers that are controlled for the purposes of carrying out DDoS attacks or other activities
Can be large in number
Systems join a botnet when they become infected by certain types of malware
Like a virus, but instead of harming the system, it wants to take it over and control it.
Through email attachments, website links, or IM links.
Through unpatched operating system vulnerabilities.
Usually have multiple levels
Client and Daemon components

To carry out a Distributed Denial of Service attack, the attacker needs a group of systems, called a botnet. Botnets can range in size, and can be very large in number. A computer becomes part of a botnet when it is infected by a trojan application, which is similar to a virus, that runs in the background of the compromised computer. That program listens for commands and carries out the instructions of the attacker.
6. DDoS Botnets (Continued)

Current botnets typically have a multi-tier design, with client and daemon components. The attacker communicates with the client, which issues instructions to the daemon components, which then carry out the attack. Here is a diagram illustrating how an attacker might use a botnet to carry out a Distributed Denial of Service attack on a remote system.
7. DDoS Botnets (Continued)

Here are some common types of botnet applications. Over time, botnets have become more sophisticated in their methods of attacking and how they communicate with each other.
8. Types of DoS Attacks
Network / Transport Layer Attacks
TCP SYN Flood Attack
Smurf IP Attack
UDP Flood Attack (Echo/Chargen)
Ping of Death
Application Layer Attacks
No known pre-packaged attacks
Can be performed individually, but gain power when used by a DDoS botnet

There are several types of Denial of Service attacks. These attacks can be carried out by a single attacker, or used by a botnet to carry out a distributed attack. There are two main types of attacks, those that occur at the Network and Transport Layers, and a newer kind that occurs at the Application Layer. Network and Transport layer attacks work at the packet level and can affect servers as well as networking equipment. Application Layer attacks work against a specific application, such as a web server, VOIP, Instant Messenger, or streaming media.
9. TCP SYN Flood Attack

In the next 4 slides we will look at attacks that occur in the Network and Transport layers. In a TCP SYN Flood Attack, the attacker takes advantage of a vulnerability in some TCP/IP implementations where the server allocates and keeps open resources during the SYN-ACK exchange. The diagram on the left shows a normal exchange of messages between a client and server. The diagram on the right shows how an attacker can send many SYN requests to a server, and not respond with an ACK, thereby leaving the server waiting for the final ACK that will never come.
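The half-open connections this slide describes are visible on the server itself, so a defender can count them. The following is an added example, not part of the original presentation: it parses `ss -tan`-style socket listings (the snapshots are constructed sample data, and the thresholds are assumptions to be tuned from a baseline) and flags a likely SYN flood from the number and ratio of sockets stuck in SYN-RECV.

```python
from collections import Counter

# Constructed ss-style snapshot builder (sample data, not captured traffic).
def make_snapshot(established, half_open_by_src):
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    for i in range(established):
        lines.append(f"ESTAB 0 0 10.0.0.5:80 203.0.113.{i + 1}:5{i:04d}")
    for src, n in half_open_by_src.items():
        for i in range(n):
            lines.append(f"SYN-RECV 0 0 10.0.0.5:80 {src}:4{i:04d}")
    return "\n".join(lines)

def parse_ss(text):
    """Return (state, peer_ip) pairs from `ss -tan`-style output, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        rows.append((parts[0], parts[4].rsplit(":", 1)[0]))
    return rows

def syn_flood_indicators(rows, max_half_open=50, max_ratio=0.5, per_source_limit=10):
    """Flag a likely SYN flood from half-open (SYN-RECV) socket counts.

    Thresholds are assumptions. Per-source counts catch one noisy client;
    the aggregate count and ratio are the robust signal, because floods
    usually spoof random sources so that no single peer stands out.
    """
    half_open = [ip for state, ip in rows if state == "SYN-RECV"]
    established = sum(1 for state, _ in rows if state == "ESTAB")
    total = len(half_open) + established
    ratio = len(half_open) / total if total else 0.0
    noisy = {ip: n for ip, n in Counter(half_open).items() if n >= per_source_limit}
    alert = len(half_open) >= max_half_open or ratio >= max_ratio or bool(noisy)
    return {"half_open": len(half_open), "established": established,
            "ratio": round(ratio, 2), "noisy_sources": noisy, "alert": alert}

# Constructed scenarios: normal load, a flood from two hosts, and a flood
# whose sources are all different (spoofed), which only the aggregate catches.
NORMAL = make_snapshot(20, {"203.0.113.50": 2})
FLOOD_TWO_HOSTS = make_snapshot(20, {"198.51.100.7": 40, "198.51.100.8": 35})
FLOOD_SPOOFED = make_snapshot(20, {f"192.0.2.{i}": 1 for i in range(1, 61)})

if __name__ == "__main__":
    for name, snap in [("normal", NORMAL), ("two hosts", FLOOD_TWO_HOSTS),
                       ("spoofed", FLOOD_SPOOFED)]:
        print(name, syn_flood_indicators(parse_ss(snap)))
```

When this check fires, the usual host-side response is to enable SYN cookies (on Linux the `net.ipv4.tcp_syncookies` sysctl), which lets the server keep accepting legitimate connections once the backlog is full.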
10. Smurf IP Attack

The Smurf IP Attack is named after an application that lets the attacker carry out the attack. In a Smurf IP attack, the attacker sends a ping request to the broadcast address, modifying the packet to have the victim’s IP address as the source. Because the ping was sent to a broadcast address, it is received by all other computers on the subnet. They read the source IP address, belonging to the victim, and all of them send replies to the victim, overwhelming it with replies.
11. UDP Flood Attack (Echo/Chargen)
Flood the victim with continuous stream of UDP packets
Well known exploit Echo/Chargen
Chargen – writes continuous stream of characters to a network output (originally used for testing purposes)
Echo – reads from the network and “echoes” back what it has read
Attacker can pipe output from chargen to echo and cause a never ending stream of network activity.

Another type of Denial of Service attack at the transport layer is the UDP Flood attack, where the attacker fires UDP packets at the victim, attempting to overload a service that is listening for UDP packets.
12. Ping of Death
Sends very large ping packet to victim
Causes buffer overflow, system crash
Problem in implementation, not protocol
Has been fixed in modern OSes
Was a problem in late 1990s

One more Denial of Service exploit is the Ping of Death. In this one, the attacker simply sends a larger Ping request than is allowed by the specification. Unfortunately, most operating systems in the late 1990s did not handle this situation and the result was a buffer overflow, which would eventually crash the system. This was a very easy way to carry out Denial of Service but it has since been fixed in modern Operating Systems.
13. Application Layer Attacks
Websites (HTTP)
Example: Issuing a flood of fake search requests to an online retail website
Could also affect other applications:
VOIP, IM, Streaming Media
Difficult to filter and block, since packets are “normal”.
No packet-level signature

In the past, denial of service attacks exploited vulnerabilities at the network or transport layer. A new type of Denial of Service attack is on the horizon that targets the Application layer. This type of attack does not require low-level manipulation of packets, but instead crafts application-specific requests that are meant to deplete the victim’s resources. Take for example an ecommerce website that has a searchable catalog. An attacker could examine the HTML of the search web page and find out how to issue his own search request directly to the server. He then could write a simple application to fire search requests at the website continuously with the hope of bringing down the website or making it really slow for legitimate customers to use.
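Because these requests look normal on the wire, the control has to live in the application. The following is an added example, not from the original presentation: a per-client token bucket that charges more for the expensive search operation than for a cheap page view, so a scripted client hammering the search endpoint is throttled while an ordinary shopper is never touched. The endpoint costs, bucket size, refill rate, and the request stream are all constructed assumptions.

```python
# Tokens charged per request; search is the "performance-costly" operation.
ENDPOINT_COST = {"/search": 5, "/product": 1}
BUCKET_CAPACITY = 20        # burst allowance per client (assumed)
REFILL_PER_SECOND = 1.0     # sustained rate: one search every 5 s (assumed)

class TokenBucket:
    def __init__(self, now):
        self.tokens = float(BUCKET_CAPACITY)
        self.last = now

    def take(self, cost, now):
        # Refill proportionally to elapsed time, capped at the bucket size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(BUCKET_CAPACITY, self.tokens + elapsed * REFILL_PER_SECOND)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

class Throttle:
    """One bucket per client key (source IP or session id); unknown paths cost 1."""
    def __init__(self):
        self.buckets = {}

    def allow(self, client, path, now):
        bucket = self.buckets.setdefault(client, TokenBucket(now))
        return bucket.take(ENDPOINT_COST.get(path, 1), now)

def replay(requests):
    """Run (timestamp, client, path) tuples through one Throttle; return decisions."""
    throttle = Throttle()
    return [throttle.allow(client, path, t) for t, client, path in requests]

# Constructed traffic: a script firing a search every 100 ms, and a shopper.
FLOOD = [(i * 0.1, "198.51.100.7", "/search") for i in range(30)]
SHOPPER = [(0.0, "203.0.113.5", "/search"), (3.0, "203.0.113.5", "/product"),
           (8.0, "203.0.113.5", "/search"), (20.0, "203.0.113.5", "/search")]

if __name__ == "__main__":
    print("flood allowed:", sum(replay(FLOOD)), "of", len(FLOOD))
    print("shopper allowed:", sum(replay(SHOPPER)), "of", len(SHOPPER))
```

Per-client buckets handle the single-source script in the slide; a botnet spreading the same search load over many addresses also needs a global budget on the expensive endpoint, which is the same bucket keyed by path instead of client.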
14. Preventing DDoS Attacks
Challenges
Requires coordination
Incentive to secure systems
Network/Transport Layer Attacks
Can often filter or detect using network equipment
Application Layer Attacks
Highly specific to the victim’s application
More difficult to use a generic solution

So how do you prevent Denial of Service attacks? Some attacks can be prevented by filtering certain types of packets known to be used to carry out attacks. This is feasible for the lower layer attacks, but for Application layer attacks, it can be difficult to filter them out at the packet level. In that case it is often up to the application developers and system administrators to make sure an application is as secure as possible from denial of service attacks. One of the challenges in preventing denial of service attacks is that the users who have compromised machines in the botnet are not the ones who suffer at the hands of an attack. So in order to be effective, it will require the cooperation of many different parties.
15. Preventing DDoS Attacks (Continued)
Businesses
Firewall and Router configuration
Block unnecessary ports
Filter broadcast messages
Verify source IP address (prevent IP spoofing across subnets)
Install DDoS protection equipment or services
Monitor traffic under normal circumstances and detect anomalies
Apply latest patches to servers and PCs, Use Antivirus software
Maintain a redundant environment (hot swap server)
End Users
Use a home firewall/router
Apply latest updates for operating system
Use Antivirus software
Use caution when opening email attachments or clicking on links

Here are some measures that businesses and end users can take to help prevent denial of service attacks.
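Three of the firewall items above (filter broadcast messages, block unnecessary ports, verify the source IP address) map directly onto the Smurf and Echo/Chargen attacks from slides 10 and 11. The following is an added example, not from the original presentation: a small border-filter policy evaluated over constructed packets, with the site prefix, interface names and port numbers as assumptions. Note the rule order: a Smurf packet that spoofs an internal victim address is caught by the source check before the broadcast check is reached.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed site prefix
ECHO, CHARGEN = 7, 19                               # UDP ports to block

@dataclass
class Packet:
    iface: str            # "inside" or "outside"
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "tcp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request

def filter_packet(p):
    """Return (verdict, reason) for one packet under the border policy."""
    src = ipaddress.ip_address(p.src)
    # Verify source address: the inside interface may only carry our prefix,
    # and the outside interface must never claim one of our addresses.
    if p.iface == "inside" and src not in INTERNAL_NET:
        return "drop", "spoofed source on inside interface"
    if p.iface == "outside" and src in INTERNAL_NET:
        return "drop", "external packet claiming internal source"
    # Filter broadcast messages: an echo request to the directed broadcast
    # address would make every host on the subnet reply (Smurf).
    if (p.proto == "icmp" and p.icmp_type == 8
            and ipaddress.ip_address(p.dst) == INTERNAL_NET.broadcast_address):
        return "drop", "icmp echo to directed broadcast"
    # Block unnecessary ports: echo and chargen feed each other endlessly.
    if p.proto == "udp" and {p.sport, p.dport} & {ECHO, CHARGEN}:
        return "drop", "udp echo/chargen"
    return "accept", "default"

def run_policy(packets):
    return [filter_packet(p) for p in packets]

# Constructed packets: one legitimate HTTPS connection, then one per rule.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.9", "10.0.0.20", "tcp", 51000, 443),
    Packet("outside", "203.0.113.9", "10.0.0.255", "icmp", icmp_type=8),
    Packet("outside", "10.0.0.20", "10.0.0.255", "icmp", icmp_type=8),  # spoofed victim
    Packet("inside", "10.0.0.20", "203.0.113.9", "udp", CHARGEN, ECHO),
    Packet("inside", "192.0.2.4", "203.0.113.9", "tcp", 40000, 80),
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, run_policy(SAMPLE_PACKETS)):
        print(f"{verdict:6} {reason:40} {pkt.src} -> {pkt.dst}")
```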
16. Preventing DDoS Attacks (Continued)
OS and Application Developers
Design with security in mind
Don’t expose “performance-costly” functionality to public
Network Equipment Manufacturers
Add features to protect against Network/Transport layer attacks
Specialized DDoS protection equipment
Law Enforcement and Government
FBI cyber division
Fast growing
responsible for investigating various Internet related crimes
Legislation needs to be updated and kept current to account for damage done by DDoS attacks

Here are some considerations for Application developers, network equipment manufacturers, law enforcement agencies, and government officials.
17. Additional Resources
Dave Dittrich’s links to DDoS News, Books, Tools, and other Info
http://staff.washington.edu/dittrich/misc/ddos
US-CERT
http://www.us-cert.gov
CERT
http://www.cert.org
IETF
http://www.ietf.org