Bandwidth DoS Attacks and Defenses - PowerPoint PPT Presentation

1
Bandwidth DoS Attacks and Defenses
  • Robert Morris
  • Frans Kaashoek, Hari Balakrishnan, Students
  • MIT LCS

2
What is a Denial of Service Attack?
  • Goal: make a service unusable.
  • How: overload a server, router, or network link.
  • Focus: bandwidth attacks (trinoo, tfn).

3
Logical View of Attack Net
[Diagram: Attacker sends Control Traffic to a Master, which directs several Slaves; the Slaves send Attack Traffic to the Victim]

4
Attack Targets
[Diagram of attack targets: Link, Router, Customer's Router, ISP, Host (App, O/S), Other ISPs, Other Customers, Customer's LAN]

5
Attacks use IP Packets
[Diagram: IP packet = IP header (Source Address, Destination Address) + User Data]
  • Routers forward each packet independently.
  • Routers don't know about connections.
  • Complexity is in end hosts; routers are simple.

6
Outline
  • Case study: Yahoo.
      • What happened.
      • Analysis.
  • Our framework for defense: RON.

7
Case Study: Yahoo Attack
  • Early February 2000.
  • Took Yahoo off the net for hours.

8
Yahoo's Point of View
[Diagram: ISP Router → Yahoo's Router → www.yahoo.com, with 1 Gbit/second of Ping Response packets arriving]

9
Yahoo Attack Overview
[Diagram: Co-location Centers and Other ISPs feeding traffic through Yahoo's ISP to Yahoo]

10
Attack Packet Generation
[Diagram: a Leader M at a Co-location Center directs Slaves S1, S2, ..., Sn to send Ping (DST=bcast, SRC=Yahoo) into the Internet; the Ping Responses (DST=Yahoo) converge on Yahoo]

11
What did the attack depend on?
  • Pervasive insecure hosts.
  • Fake IP source addresses.
  • Use of hosts as amplifiers.
  • Weak router software.
  • Difficulty of diagnosis.

12
Pervasive Insecure Hosts
  • Required for disguise and to generate enough traffic.
  • How do they break in?
      • Buffer overruns.
      • Typically Solaris and Linux.
      • Highly automated.
  • Defenses?
      • Better programming practices.
      • Disable services by default.
      • Firewalls, intrusion detection.
  • Motivation for deployment is not strong.

13
Fake IP Source Addresses
  • Two uses:
      • Hide the source of attack.
      • Part of weapon.
          • Example: SYN flooding.
  • Defense:
      • Ingress/egress filtering.
      • But motivation for deployment is not strong.

14
Ingress Filtering
[Diagram: Attacker (SRC=Site 2), Site 1, Site 2, ISP 1, ISP 2, ISP 3, Victim]

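Ingress filtering as slides 13 and 14 describe it, as an added example (not code from the talk): an ISP edge router knows which prefixes sit behind each customer interface, parses only the fixed IPv4 header fields (slide 5), and drops a packet whose source address could not legitimately arrive on that interface. The interface names, prefixes and the assumption that the attacker sits behind the Site 1 link are constructed for the demo.

```python
import ipaddress
import struct

# Constructed example (hypothetical addresses; the slide names Site 1 and
# Site 2 without prefixes): which prefixes ISP 1 assigned to each customer link.
INTERFACE_PREFIXES = {
    "site1-uplink": [ipaddress.ip_network("192.0.2.0/24")],
    "site2-uplink": [ipaddress.ip_network("198.51.100.0/24")],
}

def parse_ipv4_header(packet: bytes):
    """Return (src, dst, header_len) from a raw IPv4 packet (RFC 791 layout)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    # A router needs only these fixed header fields; no connection state (slide 5).
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, ihl

def ingress_filter(interface: str, packet: bytes) -> str:
    """Forward only if the source belongs to the customer behind this interface."""
    src, _dst, _ihl = parse_ipv4_header(packet)
    if any(src in net for net in INTERFACE_PREFIXES.get(interface, [])):
        return "forward"
    return "drop"  # source is spoofed or misrouted: the weapon of slide 13

def build_ipv4(src: str, dst: str, proto: int = 1, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no options, zero checksum) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

if __name__ == "__main__":
    legit = build_ipv4("192.0.2.10", "203.0.113.5")
    spoofed = build_ipv4("198.51.100.7", "203.0.113.5")  # Site 1 host claiming Site 2's address
    print(ingress_filter("site1-uplink", legit))    # forward
    print(ingress_filter("site1-uplink", spoofed))  # drop
```

The same check applied at the customer's own border (egress filtering) stops the spoofed packet one hop earlier, which is why the slide lists both.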
15
Use of Hosts as Amplifiers
  • Attackers need this:
      • To avoid using their own machines.
      • To generate lots of traffic.
      • To avoid detection via load monitoring.
  • Two approaches:
      • Break into 1000s of machines.
      • Trick legitimate machines into generating traffic.

16
Weak Router Software
  • Routers themselves are often victims.
  • Why?
      • Forwarding and management compete for CPU.
      • Control and data traffic compete for net b/w.
  • Solutions?
      • Simplify and partition.

17
Difficulty of Diagnosis
  • Very little automatic support for traffic analysis and correlation.
      • Is the high load legitimate?
      • What does the attack consist of?
      • Where does the attack come from?
      • How to ask upstream routers to discard attack packets?
  • Defense: distributed analysis system.
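
The diagnosis questions above, worked on the amplification pattern of slides 8 and 10, as an added example (not from the talk): echo replies are matched against the echo requests the victim actually sent, unmatched replies are the attack, and grouping them by source prefix names the amplifier networks to ask for filtering. The log format and all addresses are constructed for the example.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed packet-summary log (hypothetical addresses, not the Yahoo incident):
# "<seconds> <src> > <dst> icmp <echo-request|echo-reply>"
LOG = """\
0.000 203.0.113.5 > 192.0.2.1 icmp echo-request
0.010 192.0.2.1 > 203.0.113.5 icmp echo-reply
0.011 198.51.100.14 > 203.0.113.5 icmp echo-reply
0.012 198.51.100.23 > 203.0.113.5 icmp echo-reply
0.013 198.51.100.77 > 203.0.113.5 icmp echo-reply
0.014 192.0.2.200 > 203.0.113.5 icmp echo-reply
0.015 198.51.100.9 > 203.0.113.5 icmp echo-reply
"""

def parse_lines(text):
    for line in text.splitlines():
        t, src, _arrow, dst, _proto, kind = line.split()
        yield float(t), src, dst, kind

def unsolicited_replies(records, window=2.0):
    """Match each echo-reply to an echo-request the victim sent within `window` seconds.
    Replies with no matching request are the amplification signature of slide 10."""
    pending = defaultdict(list)   # (requester, target) -> times of outstanding requests
    unsolicited = []
    for t, src, dst, kind in records:
        if kind == "echo-request":
            pending[(src, dst)].append(t)
        elif kind == "echo-reply":
            times = pending.get((dst, src), [])
            fresh = [x for x in times if t - x <= window]
            if fresh:
                times.remove(fresh[0])   # one request accounts for one reply
            else:
                unsolicited.append((t, src, dst))
    return unsolicited

def amplifier_networks(unsolicited, prefixlen=24):
    """Group unsolicited replies by reply-source prefix. Spoofing hides the attacker,
    but the amplifier networks are real and are who to ask for filtering (slide 17)."""
    counts = Counter()
    for _t, src, _dst in unsolicited:
        counts[str(ipaddress.ip_network(f"{src}/{prefixlen}", strict=False))] += 1
    return counts.most_common()

if __name__ == "__main__":
    bad = unsolicited_replies(parse_lines(LOG))
    print(len(bad), "unsolicited echo replies:", amplifier_networks(bad))
```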

18
Why are these attacks easy?
  • Internet built around end-to-end principle:
      • Most functions done by end hosts.
      • Example: reliable delivery.
  • Advantages:
      • Simplifies network core.
          • Example: IP packet forwarding.
          • Example: it's easy to start an ISP.
      • Anyone can introduce new services.
  • Result: lots of innovation.

19
Why is defense hard?
  • End-to-end principle conflicts with:
      • Centralized control.
      • Centralized monitoring.
      • Separation of data from control traffic.
      • Mandatory authentication.
      • Mandatory accounting.

20
RON Project
  • End-to-end framework for:
      • Cooperative statistics collection.
      • Cooperative reaction to attacks.
      • Fault-tolerant control and data routing.
  • How: resilient overlay network (RON).
  • Funded by DARPA/IA/FTN.

21
What is an Overlay Network?
[Diagram: overlay nodes N1, N2, N3, N4, N5 connected to each other across ISP1 and ISP2]
  • Better routing functions built in end hosts.
  • Can be used to build distributed defenses.

22
Why Distributed Defenses?
  • Presence of attack obvious near victim.
  • Not obvious near sources of attack.
  • But control is easier near sources.
  • Identifying attackers requires cooperation:
      • Asymmetric routing.
      • Fake source addresses.

23
Why Distribution is Hard
  • RON itself is a target:
      • Authorized communication between RON nodes.
      • Bandwidth attacks on RON nodes.
      • Application-level DoS attacks.
  • Political / deployment problems:
      • Needs cooperation? Or single-organization?

24
Monitoring Scenario
[Diagram: overlay nodes N1 to N5 across Backbone B1 and Backbone B2, with the Victim and the Attacker; steps 1. Measure, 2. Communicate, 3. Control]

25
Fault-Tolerant Routing
  • Use Internet to connect multiple sites.
  • Inter-ISP routing:
      • Ignores link quality.
      • Ignores many available paths due to policy.
      • Chooses only one path.
      • Reacts slowly.
  • RON allows end-system control of routing.

26
Fault-tolerant Routing (2)
[Diagram: overlay nodes N1 to N5 spanning Backbone B1 and Backbone B2 through Peering Point P and Peering Point Q, with an Attacker on one backbone path]

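End-system route selection in the spirit of slides 25 and 26, as an added example (not RON's code): each overlay node probes its neighbours for latency and loss, and a shortest-path computation over those measurements can prefer a two- or three-hop overlay path when the direct Internet path crosses a congested backbone. The node names follow the diagram; the measurements and the loss-inflated latency metric are this example's assumptions.

```python
import heapq

# Constructed probe measurements between RON nodes (hypothetical values):
# directed overlay link -> (latency_ms, loss_fraction), as each node would measure.
LINKS = {
    ("N1", "N5"): (40.0, 0.30),   # direct Internet path: crosses the attacked backbone
    ("N1", "N2"): (10.0, 0.00),
    ("N2", "N5"): (45.0, 0.01),
    ("N1", "N3"): (15.0, 0.00),
    ("N3", "N4"): (20.0, 0.00),
    ("N4", "N5"): (12.0, 0.00),
}

def link_cost(latency_ms, loss):
    """Latency inflated by the expected retransmissions a lossy link causes.
    The metric is this example's assumption, not RON's published one."""
    if loss >= 1.0:
        return float("inf")
    return latency_ms / (1.0 - loss)

def best_path(links, src, dst):
    """Dijkstra over the overlay graph: the end system picks the route itself,
    so it can use paths and quality signals inter-ISP routing ignores (slide 25)."""
    adj = {}
    for (a, b), (lat, loss) in links.items():
        adj.setdefault(a, []).append((b, link_cost(lat, loss)))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue            # stale heap entry
        for nxt, cost in adj.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, float("inf")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]

if __name__ == "__main__":
    path, cost = best_path(LINKS, "N1", "N5")
    print("direct:", round(link_cost(*LINKS[("N1", "N5")]), 1), "ms; overlay:", path, round(cost, 1))
```

With these measurements the direct N1 to N5 path costs about 57 ms after accounting for 30% loss, while N1 to N3 to N4 to N5 costs 47 ms, so the overlay routes around the attacked backbone without waiting for inter-ISP routing to react.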
27
Peer-to-Peer Networking
  • Multi-organization overlays.
  • Early work: Gnutella and FreeNet.
  • Data replicated at many sites.
  • Queries traverse reliable overlay.
  • Explicit protection of virtual infrastructure.

28
Summary
  • Raise the bar:
      • Improve host security.
      • Make it hard to fake IP addresses.
  • Experiment with RON-like and peer-to-peer architectures.