Denial of Service Attacks: Detection and Reaction
Georgios Koutepas, Basil Maglaris
National Technical University of Athens, Greece
Cyprus Conference on Information Security 2002
October 12, 2002
What is "Denial of Service"?
• An attack to suspend the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
• No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
• No easy solutions! DoS is still mostly a research issue
DoS Attacks: Detection and Reaction. CSC, October 12, 2002
Main Characteristics of DoS
• Variable targets:
  • Single hosts or whole domains
  • Computer systems or networks
  • Important: Active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses & effects:
  • Hacker "turf" wars
  • High profile commercial targets (or just competitors…)
  • Useful in cyber-warfare, terrorism etc.
Brief History
First Phase (starting in the '90s): DoS
• Started as bug/vulnerability exploitation
• Single hosts - single services were the first targets
• Single malicious packets
Second Phase (1996-2000)
• Resource-consuming requests from many sources
• Internet infrastructure used for attack amplification
Third Phase (after 2000): Distributed DoS
• Bandwidth of network connections is the main target
• Use of many pirated machines, possibly many attack stages, escalation effect to saturate the victims
Brief History (cont.)
Important Events:
• February 7-11 2000: Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks.
  • The attacks capture the attention of the media
  • The US President assembles emergency council members of Internet, e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
• January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity.
Host DoS Attacks
• Usually one attacker - one target
• Methods used are derivatives of ones used for unauthorized access:
  • Buffer Overflows on wrongly designed input fields can overwrite parts of the memory stack. The results: open doors or failure of the service/system
  • Ambiguities in network protocols and their implementations. Specially designed packets can halt the protocol stack or the whole system
Examples of Host DoS Attacks
• Land IP DoS attack: Special SYN packets with the same source and destination
• Teardrop attack: It sends IP fragments to a network-connected machine. It exploits an overlapping IP fragment bug present in various TCP/IP implementations.
Host Resource DoS Attacks
• Target continues (most of the time) operation but cannot offer any useful services.
• Resource exhaustion through legitimate requests to the target host
  • SYN Flooding attack
  • Ping Flooding attack
  • Smurf attack: the ping flow is "amplified" by being first sent to a number of network broadcast addresses with the victim's return address in the packets
Example of a "Smurf" Attack (diagram)
• The attacker sends an ICMP Echo request with Destination: LAN broadcast and Source: victim.host into an unsecured LAN
• The hosts on the LAN each answer with an ICMP Echo reply, Destination: victim.host; the replies converge on the target (web server) victim.host
• Admin Problem: Router allows Ping to LAN broadcast
Network Attacks: Distributed DoS (diagram)
• 1. Taking Control: pirated machines in Domain A and Domain B become "zombies"
• 2. Commanding the attack: the attacker directs the zombies against the target domain (X)
• Admin Problem 1: Active "zombies"
• Admin Problem 2: The network allows outgoing packets with wrong source addresses
Main Characteristics of DDoS
• A few hundred persistent flows are enough to knock a large network off the Internet
• Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
• Usually source IPs are spoofed on attack packets
• Offending systems may be controlled without their users suspecting it
• Possibly many levels of command & control:
  • Attacker-Manager-Agents
• Examples of automatic tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K", also called rootkits
Multi-tier attack (diagram)
• Attacker → Attack Masters → Attack Agents ("zombies") → Target domain (X)
• Admin Problem: No detection of malicious activities
Reflection DDoS Attack (diagram)
• Attacker → Attack Master → "zombies" send legitimate TCP SYN requests, through routers, to web or other servers
• The servers' TCP SYN-ACK answers are delivered to the target domain (X)
Detection
• Host DoS attacks:
  • Border defenses must be kept up to date
  • Host- and network-based Intrusion Detection Systems
  • Investigate suspicious activity indications
Detection (cont.)
• Distributed DoS attacks - on the Network
  • Offensive flows must be identified quickly
  • Tip: set generalized Pass filters on the border routers and see what they catch (high number of matches: attack)
  • Use NetFlow or another monitoring tool
  • Follow router indications
  • Tip: Check router load for abnormal signs
• Distributed DoS attacks - in the Domain
  • Perform security audits often for hidden malicious code ("zombies") or attack rootkits
  • Install an anti-virus package
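The single-packet signature of the Land attack and the resource-exhaustion floods (SYN flood, ping flood, smurf amplification) named on the earlier slides, checked against flow records the way the "pass filters and count matches" tip above suggests. This is an added example, not code from the slides or the authors: the flow records are constructed to look like NetFlow exports, the field names (src, dst, proto, flags, icmp_type, pkts) and the distinct-source threshold are this example's own assumptions.

```python
"""Flow-record checks for the DoS patterns named on the slides (added example)."""
from collections import defaultdict


def build_sample_flows():
    """Constructed NetFlow-style records (not real captures). Field convention is
    this example's own: src, dst, proto, flags (TCP) or icmp_type (ICMP), pkts."""
    flows = []
    # Land signature: a TCP SYN whose source address equals its destination.
    flows.append({"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "flags": "S", "pkts": 1})
    # SYN flood: 60 distinct sources, each a SYN-only flow (handshake never completed) to the web server.
    for i in range(60):
        flows.append({"src": f"198.51.100.{i + 1}", "dst": "192.0.2.10", "proto": "tcp", "flags": "S", "pkts": 3})
    # Smurf amplification: 40 hosts of an unsecured LAN answer a broadcast ping with echo replies to the victim.
    for i in range(40):
        flows.append({"src": f"203.0.113.{i + 1}", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 0, "pkts": 200})
    # Ordinary traffic to another host: completed TCP connections and a few echo replies.
    for i in range(5):
        flows.append({"src": f"198.51.100.{200 + i}", "dst": "192.0.2.20", "proto": "tcp", "flags": "SAF", "pkts": 40})
        flows.append({"src": f"198.51.100.{200 + i}", "dst": "192.0.2.20", "proto": "icmp", "icmp_type": 0, "pkts": 4})
    return flows


def land_signature(flow):
    """Single-packet host DoS signature: TCP SYN with source address == destination address."""
    return flow["proto"] == "tcp" and "S" in flow.get("flags", "") and flow["src"] == flow["dst"]


def signature_hits(flows):
    """Pass-filter style check: every record matching the Land signature."""
    return [f for f in flows if land_signature(f)]


def detect_floods(flows, min_sources=20):
    """Aggregate per destination and report the resource-exhaustion patterns:
    SYN-only flows from many sources (SYN flood) and ICMP echo replies from many
    sources (ping flood / smurf amplifier). min_sources is an assumed threshold."""
    syn_sources, echo_sources = defaultdict(set), defaultdict(set)
    syn_pkts, echo_pkts = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] == "tcp" and f.get("flags") == "S":
            syn_sources[f["dst"]].add(f["src"])
            syn_pkts[f["dst"]] += f["pkts"]
        elif f["proto"] == "icmp" and f.get("icmp_type") == 0:
            echo_sources[f["dst"]].add(f["src"])
            echo_pkts[f["dst"]] += f["pkts"]
    alerts = []
    for dst, srcs in syn_sources.items():
        if len(srcs) >= min_sources:
            alerts.append({"dst": dst, "kind": "syn_flood", "sources": len(srcs), "pkts": syn_pkts[dst]})
    for dst, srcs in echo_sources.items():
        if len(srcs) >= min_sources:
            alerts.append({"dst": dst, "kind": "echo_reply_flood", "sources": len(srcs), "pkts": echo_pkts[dst]})
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    print("signature hits:", signature_hits(flows))
    for alert in detect_floods(flows):
        print(alert)
```

Counting distinct sources rather than raw packets is what separates the flood from a busy but healthy server: the host at 192.0.2.20 receives echo replies and SYNs too, but from a handful of addresses and with completed handshakes, so it produces no alert.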
Reaction to DDoS
• The malicious flows have to be determined. Timely reaction is critical!
• The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.
• Filters that will block attack traffic must be set up and maintained. The effectiveness of the actions must be verified.
• The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks on the attack path
Reaction to DDoS (cont.)
• Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it. This completes the attack!
• Trace-back efforts:
  • Following the routing (if sources are not spoofed)
  • Step by step through ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
• The conclusion: not a matter of a single site
Prevention - Preparation
• Good administrative practices: a must
  • Backup!
  • Have a recovery plan, possibly a stand-by system
  • Train your personnel, have someone aware of security issues available at all times
  • Have emergency contact points with your ISPs and CERTs, know beforehand whom to call and have clear service policies on what they are obliged to do
• Care for the rest of the world
  • Prevent spoofed traffic from exiting your network
  • Filter pings to broadcast addresses (smurf amplifier)
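The two "care for the rest of the world" rules above, written out as border-router filter logic so the decisions can be checked against sample packets. This is an added example, not code from the slides or the authors; the prefixes, subnets and packets are constructed for a hypothetical site, and the ingress mirror rule (dropping our own addresses when they arrive from outside) goes one step beyond what the slide lists.

```python
"""Border filter logic for the anti-spoofing and smurf-amplifier rules (added example)."""
import ipaddress

# Constructed policy for a hypothetical site: the prefixes this domain may
# originate traffic from, and the LAN subnets behind the border router.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]
LAN_SUBNETS = [ipaddress.ip_network("192.0.2.0/26"), ipaddress.ip_network("192.0.2.64/26")]
ICMP_ECHO_REQUEST = 8


def from_own_prefix(src):
    """True if the source address belongs to one of the site's own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OWN_PREFIXES)


def is_broadcast_destination(dst):
    """True if dst is the directed broadcast of a local subnet or the limited broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or any(
        addr == net.broadcast_address for net in LAN_SUBNETS)


def filter_packet(pkt, direction):
    """Return (verdict, reason) for a packet dict {src, dst, proto, icmp_type?}
    crossing the border: "egress" leaves the site, "ingress" enters it.
    Spoofing checks run first, then the broadcast-ping rule."""
    if direction == "egress" and not from_own_prefix(pkt["src"]):
        return ("drop", "spoofed source leaving the network")
    if direction == "ingress" and from_own_prefix(pkt["src"]):
        # Mirror rule (beyond the slide): our own addresses never arrive from outside.
        return ("drop", "own prefix arriving from outside")
    if (pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST
            and is_broadcast_destination(pkt["dst"])):
        return ("drop", "ping to broadcast address")
    return ("accept", "")


def apply_filters(packets):
    """Run the policy over (packet, direction) pairs and count accepts and drops per reason."""
    counts = {}
    for pkt, direction in packets:
        verdict, reason = filter_packet(pkt, direction)
        key = reason if verdict == "drop" else "accepted"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic crossing the border.
SAMPLE_PACKETS = [
    ({"src": "192.0.2.5", "dst": "203.0.113.1", "proto": "tcp"}, "egress"),                 # normal outbound
    ({"src": "203.0.113.9", "dst": "203.0.113.1", "proto": "tcp"}, "egress"),               # spoofed source
    ({"src": "10.9.9.9", "dst": "192.0.2.63", "proto": "icmp", "icmp_type": 8}, "ingress"),  # ping to subnet broadcast
    ({"src": "192.0.2.5", "dst": "192.0.2.7", "proto": "tcp"}, "ingress"),                  # our address from outside
    ({"src": "203.0.113.7", "dst": "192.0.2.7", "proto": "icmp", "icmp_type": 8}, "ingress"),  # ordinary ping
]

if __name__ == "__main__":
    for pkt, direction in SAMPLE_PACKETS:
        print(direction, pkt["src"], "->", pkt["dst"], filter_packet(pkt, direction))
    print(apply_filters(SAMPLE_PACKETS))
```

The egress rule is what keeps a domain from serving as a launch point for the spoofed DDoS traffic described earlier; the broadcast rule is what keeps it from serving as a smurf amplifier. Neither protects the site itself, which is exactly why the slide files them under caring for the rest of the world.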
Main DoS Research Problems
• DoS
  • Is mostly an Intrusion Detection / Prevention problem
  • Not many things are possible since a single packet can do all the damage
  • Some efforts to have an "Immune System" type of detection for anomalous system call sequences.
• DDoS
  • Timely attack detection
  • Source tracing
  • Traffic flow control and attack suppression
  • Intrusion Detection Systems not very helpful
CenterTrack (diagram: target domain X)
• R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods", 9th USENIX Security Symposium, Denver, Col., USA, August 2000
PushBack (diagram: target domain X)
1. Aggregate characteristics determined
2. Incoming traffic I/f determined
3. Containment filter set locally
4. Continue to the next router in the attack path using the Pushback protocol
• J. Ioannidis and S. Bellovin, "Pushback: Router-Based Defense Against DDoS Attacks", NDSS, February 2002
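The four steps above, carried through on a small constructed router tree so the chain of local filters and upstream requests can be followed end to end. This is an added example and a simplified illustration of the idea, not the Pushback protocol of Ioannidis and Bellovin nor any code of theirs: the topology, rates and link capacity are constructed, the aggregate is identified by destination /24, and the max-min split of a limit among incoming interfaces is this example's own choice.

```python
"""Simplified walk-through of the four Pushback steps on the slide (added example)."""
import ipaddress


def find_aggregate(flows, link_capacity):
    """Step 1: group flow rates by destination /24 and return the prefix that, on
    its own, exceeds the link capacity (None if no such aggregate exists)."""
    rates = {}
    for dst, rate in flows:
        prefix = str(ipaddress.ip_network(f"{dst}/24", strict=False))
        rates[prefix] = rates.get(prefix, 0.0) + rate
    if not rates:
        return None
    worst = max(rates, key=rates.get)
    return worst if rates[worst] > link_capacity else None


def max_min_shares(demands, capacity):
    """Split capacity among interfaces max-min fairly: interfaces sending less
    than an equal share keep everything, the remaining ones are capped."""
    shares, pending, remaining = {}, dict(demands), capacity
    while pending:
        fair = remaining / len(pending)
        small = {k: v for k, v in pending.items() if v <= fair}
        if not small:
            shares.update({k: fair for k in pending})
            break
        for k, v in small.items():
            shares[k] = v
            remaining -= v
            del pending[k]
    return shares


def pushback(topology, router, aggregate, limit, decisions=None):
    """Steps 2-4: measure the aggregate per incoming interface, install a local
    containment limit on each interface that exceeds its share, and ask the
    upstream router behind that interface to enforce the same share in turn.
    topology[router] maps interface -> (upstream router or None, {aggregate: rate})."""
    decisions = [] if decisions is None else decisions
    ifaces = topology[router]
    demands = {i: rates.get(aggregate, 0.0) for i, (_, rates) in ifaces.items()}
    if sum(demands.values()) <= limit:
        return decisions  # the aggregate fits through this router; nothing to do
    for iface, allowed in max_min_shares(demands, limit).items():
        if demands[iface] > allowed:
            decisions.append((router, iface, aggregate, demands[iface], allowed))  # step 3
            upstream = ifaces[iface][0]
            if upstream is not None:  # step 4: only pushback-capable neighbours are asked
                pushback(topology, upstream, aggregate, allowed, decisions)
    return decisions


# Constructed topology: rates in Mbit/s of the aggregate seen on each incoming interface.
AGG = "192.0.2.0/24"
TOPOLOGY = {
    "R_target": {"if0": ("ISP_A", {AGG: 800}), "if1": ("ISP_B", {AGG: 100})},
    "ISP_A":    {"if0": ("Peer_X", {AGG: 700}), "if1": (None, {AGG: 100})},
    "Peer_X":   {"if0": (None, {AGG: 350}), "if1": (None, {AGG: 350})},
    "ISP_B":    {"if0": (None, {AGG: 100})},
}
# Constructed per-flow rates at the target's access link: (destination, Mbit/s).
FLOWS = [("192.0.2.10", 820), ("192.0.2.11", 60), ("192.0.2.140", 20), ("198.51.100.9", 80)]
TARGET_LINK_CAPACITY = 300

if __name__ == "__main__":
    agg = find_aggregate(FLOWS, TARGET_LINK_CAPACITY)
    for router, iface, prefix, seen, allowed in pushback(TOPOLOGY, "R_target", agg, TARGET_LINK_CAPACITY):
        print(f"{router}:{iface} limits {prefix} from {seen} to {allowed:.0f} Mbit/s")
```

Running it shows why the slide insists that reaction is not a matter of a single site: the target's router can only cap interface if0 at 200 Mbit/s, the attack traffic still burns ISP_A's and Peer_X's links until each of them installs its own limit, and the interface at ISP_A that carries the same aggregate at a modest rate is left alone by the max-min split.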
Panoptis (diagram: target domain X, NetFlow border routers, Panoptis Analysis Engine)
1. Aggregate characteristics determined
2. Traffic I/fs determined
3. Automatic filter configuration
• C. Kotsokalis, D. Kalogeras, and B. Maglaris, "Router-Based Detection of DoS and DDoS Attacks", HP OpenView University Association (HPOVUA) Conference '01, Berlin, Germany, June 2001
Trans-Domain Cooperative IDS Entities (diagram: participating and non-participating domains)
• A Cooperative IDS Entity in each participating domain; Notification Propagation (Multicast) between the entities
• Activation of filters and reaction according to local policies
• G. Koutepas, F. Stamatelopoulos, B. Maglaris, "A Trans-Domain Framework Against Denial of Service Attacks", Submitted to the 10th Annual Network and Distributed System Security Symposium, San Diego, California, February 2003