DDoS and Traceback - PowerPoint PPT Presentation
Provided by: fengmi5
1
DDoS and Traceback
  • CS 6262 Fall 02

2
Denial-of-Service (DoS) Attacks (via resource/bandwidth consumption)
3
TCP Handshake (client/server diagram)
  • client -> server: SYN, seq=x
  • server -> client: SYN, seq=y, ACK x+1
  • client -> server: ACK y+1
  • connection established
4
IP Spoofing SYN Flood
  • X establishes a TCP connection with B assuming
    A's IP address (diagram: A, B, X)
  • (0) X predicts B's TCP sequence-number behavior
  • (1) X SYN-floods A
  • (2) X -> B: SYN(seq m), src=A
  • (3) B -> A: SYN(seq n), ACK(seq m+1)
  • (4) X -> B: ACK(seq n+1)
5
ping / smurf (diagram)
6
Distributed DoS (DDoS) Attacks
  • attacker -> masters -> zombies -> victim (diagram)
7
DDoS Common Steps
  • Initiate a scan phase in which a large number of
    computers (100,000) on the Internet are probed
    for known vulnerabilities.
  • Exploit the vulnerabilities to compromise the
    computers and gain access.
  • Install attack tools on each compromised host,
    and use the compromised hosts for further
    scanning/compromises.
  • A subset of the compromised hosts with desired
    architecture/topology are chosen to form the
    attack network.
  • Install attack and communication tools.
  • Tell the masters to attack.

8
DDoS: At Least 4 Versions
  • Trinoo
      • Attacker uses TCP; masters and zombies use UDP;
        password authentication.
  • TFN
      • Attacker uses a shell to invoke the master; masters
        and zombies use ICMP echo reply.
  • TFN2K
      • A combination of UDP, ICMP, and TCP.
  • Stacheldraht
      • Attacker uses encrypted TCP; masters and zombies
        use TCP and ICMP echo reply; rcp used for
        auto-update.

9
DDoS Example: Trinoo
  • Scanning
      • Buffer overflow bugs in Solaris and Linux, e.g.,
        wu-ftpd, statd, amd, etc.
      • A compromised node has a shell running as root
        and sends back confirmation.
  • Installing the attack program
      • Use netcat (nc) to pipe a shell script to the
        shell (running as root) on the compromised host.
  • Attacker to master
      • TCP; must provide a password; commands: dos IP,
        etc.
  • Master to zombie
      • UDP; command line includes the password; commands:
        aaa pass IP, rsz N, etc.

10
DDoS: What to Do About It
  • Not a whole lot!
  • Prevention
  • Detection
  • Traceback

11
DDoS Prevention
  • Authentication.
      • Not feasible in practice.
  • Ingress filtering on the routers.
  • Traffic volume monitoring.
      • Rate limit certain traffic, e.g., ICMP packets,
        SYN packets.
      • Measure normal rates first!

12
DDoS Detection
  • Surge in traffic volume
      • Too much traffic to a particular destination
  • Specific to current DDoS tools
      • Control messages between attacker, masters, and
        zombies
      • Footprints of attack programs running on
        masters and zombies
  • What comes after detection?
      • Stop the flood

13
Traceback
  • Why
      • Stop the attacks
      • Gather evidence for law enforcement
  • Only reaches the machines that directly generate the
    attack traffic
      • For the real masters/attackers, more forensic
        analysis is necessary
  • Difficulty
      • Spoofed IP source addresses

14
Traceback: Several Proposals
  • Link Testing
  • ICMP Traceback
  • Probabilistic Marking

15
Link Testing: Input Debugging
  • Victim reports to the upstream router, which installs
    a debugging filter that reveals which upstream
    router originated the traffic.
  • Repeat recursively until the ISP's border
    is reached.
  • The upstream ISP is contacted and repeats the
    process.
  • Considerable management overhead.
  • Relies on the availability and willingness of
    the network operators.

16
Link Testing: Controlled Flooding
  • Victim coerces selected hosts along the upstream
    route to iteratively flood each incoming link of
    the router closest to the victim.
  • Infer which link the attack comes from by
    observing how the attack packet rate changes.
      • Router buffers are shared, so flooding the link
        the attack uses drops attack packets.
  • Repeat recursively.
  • A form of DoS itself!
  • Needs a good network topology map.

17
ICMP Traceback
  • For a very few packets (about 1 in 20,000), each
    router will send the destination a new ICMP
    packet that includes the contents of that packet
    and information about the previous hop for that
    packet.
  • The flood victim can use these ICMP packets to
    reconstruct the path back to the attacker.
  • Net traffic increase at the end point is about 0.1,
    probably acceptable.
  • Issues: authentication (an attacker can falsify the
    ICMP packets), loss of traceback packets, load on
    and cooperation of routers.

18
Probabilistic Marking
  • Basic idea
      • Probabilistically mark packets with partial path
        information as they arrive at routers.
      • Each marked packet represents a sample of its
        path.
      • But flooding attacks comprise a large number of
        packets.
      • By combining a modest number of these marked
        packets, the entire path can be reconstructed.

19
The Node Append Algorithm
  • Marking procedure at router R
      • For each packet w, append R to w.
  • Path reconstruction procedure at victim
      • For any packet w from the attacker
      • Extract (Ri, ..., Rj) from the suffix of w.
  • High overhead at the router.
  • Not enough space in the packet.

20
The Node Sampling Algorithm
  • Marking procedure at router R
      • For each packet w,
      • Roll the dice: let x be a random number in
        0..1.
      • If x < p then write R to w.node.
  • Path reconstruction procedure at victim
      • For any packet w from the attacker
      • Let NodeTbl be a table of (node, count)
      • z = lookup w.node in NodeTbl
      • If z is not nil then increment z.count, else
        insert (w.node, 1) in NodeTbl
      • Sort NodeTbl by the count field
      • Extract path (Ri, ..., Rj) from the ordered node fields.
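A simulation of the Node Sampling marking and reconstruction described on this slide (added example, not code from the presentation). The router path and packet counts are constructed; the one fact the code relies on is that a router at distance d from the victim keeps its mark only if no later router overwrites it, with probability p(1-p)^(d-1), which is why sorting NodeTbl by count recovers the path nearest-router first.

```python
import random
from collections import Counter

# Constructed path: PATH[0] is the router nearest the attacker,
# PATH[-1] the router nearest the victim (the last hop).
PATH = ["R1", "R2", "R3", "R4", "R5", "R6"]


def mark_packet(path, p, rng):
    """Marking procedure: every router on the path rolls the dice and,
    with probability p, overwrites the packet's single w.node field.
    Returns the mark the victim finally sees (None if nobody marked)."""
    node = None
    for router in path:          # routers seen in forwarding order
        if rng.random() < p:     # x < p: write R to w.node
            node = router
    return node


def reconstruct_path(marks):
    """Reconstruction at the victim: build NodeTbl = (node, count),
    sort by count and read the path out of the ordered node fields.
    Highest count = last hop, since it is overwritten by nobody."""
    node_tbl = Counter(m for m in marks if m is not None)
    ordered = sorted(node_tbl.items(), key=lambda kv: kv[1], reverse=True)
    return [node for node, _ in ordered], node_tbl


def simulate(path, p=0.5, packets=20000, seed=1):
    """Send `packets` flood packets down `path` and let the victim
    reconstruct it. Returns (path as victim->attacker, NodeTbl)."""
    rng = random.Random(seed)    # seeded so the run is repeatable
    marks = [mark_packet(path, p, rng) for _ in range(packets)]
    return reconstruct_path(marks)


if __name__ == "__main__":
    victim_to_attacker, tbl = simulate(PATH)
    for node in victim_to_attacker:
        print(f"{node}: {tbl[node]} marks")
    print("reconstructed (victim -> attacker):", victim_to_attacker)
```

Note how few marks the router nearest the attacker (R1) contributes at p=0.5: the far end of the path is exactly where the victim needs the most packets.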