COMP 7320 - PowerPoint PPT Presentation

About This Presentation
Title:

COMP 7320

Description:

A computer having more bandwidth floods a smaller server with packets. ... [12] A. Snoeren, and C. Partridge. ' Hash-based IP Traceback.' In Proc. ... – PowerPoint PPT presentation

Number of Views:20
Avg rating:3.0/5.0
Slides: 40
Provided by: dackralp
Category:
Tags: comp | partridge

less

Transcript and Presenter's Notes

Title: COMP 7320


1
COMP 7320
Internet Security
Prevention of DDoS Attacks
By Dack Phillips
2
Presentation Overview
  • What are DoS Attacks?
  • DoS Facts and Figures
  • Current Solutions
  • Problems
  • Proposed Solutions
  • Conclusions
  • References
  • Questions

3
What are DoS Attacks?
  • A malicious attack that consumes resources of
    remote hosts or networks denying or degrading
    service to legitimate users, 11.

4
Types of DoS Attacks
  • Bandwidth Consumption
  • Program Flaw Exploitation
  • Resource Starvation
  • Routing/DNS Attacks
  • SYN Floods
  • DDoS Attacks

5
Bandwidth Consumption
  • A computer having more bandwidth floods a smaller
    server with packets. The smaller server can not
    respond to the overwhelming load.
  • A computer with small bandwidth convinces a
    network to flood a host with more bandwidth
  • - A 56 Kbps modem can take down a T1 line
    like this

6
Program Flaw Exploitation
  • An attacker sends an operating system,
    application, or hardware exceptional conditions
    that it cant handle.
  • - OOB Port 139 on Windows 95 boxen
  • - F00FC7C8 Pentium Instruction

7
Resource Starvation
  • Attacker aims to deplete system, rather than
    network resources.
  • - CPU
  • - Memory
  • - File System Quotas

8
Routing/DNS Attacks
  • Routing Information Protocol (RIP) and Border
    Gateway Protocol (BGP) have very weak
    authentication. Routing tables are changed to
    route traffic through an attackers network,
    another network, or a black hole (non-existent
    network)
  • DNS is similar except DNS tables are falsified

9
SYN Floods
  • TCP Connection Handshake
  • client sends server TCP SYN
  • server sends client TCP SYN ACK
  • client sends server ACK or RST
  • In case of a spoofed source address, server keeps
    trying to send SYN ACKs. Connection Queue fills
    up with these requests and no legitimate traffic
    is served

10
DDoS Attacks
  • An attacker compromises many machines (agents or
    zombies) and installs DoS daemons
  • The attacker uses a controlling machine (handler)
    to control the zombie machines to attack a
    server.
  • More than one handler to prevent single point of
    failure

11
DoS Facts and Figures
  • One of the hardest security problems
  • Simple to implement
  • Difficult to prevent
  • Difficult to trace
  • 1989 95 CERT reports DoS attacks increased 50
    per year
  • Tools are easy to find and use Smurf, Fraggle,
    Teardrop, Stream, TFN, Trinoo Stacheldracht,
    Shaft, Plague, Trinity, et al.
  • February 2000 eBay, Yahoo, Amazon, etc.

12
Current Solutions
  • Preventative
  • Make the OS/IP stack more robust
  • Reactive
  • Phone ISPs and trace back manually, call next
    ISP in the chain
  • This is time consuming and ISPs are often
    unwilling to spend time doing this. In addition,
    the trace has to be done while the attack is
    still in progress.

13
Problems
  • The Internet is stateless destination driven
  • Source addresses can be easily falsified
    (spoofed)
  • Attackers use connection chains to hide
    identities
  • Routers can be compromised
  • Login chains and address spoofing have legitimate
    uses

14
Proposed Solutions
  • Ingress Filtering
  • Upstream Router Mapping
  • Counter Flooding Trace
  • Probabilistic Packet Marking
  • ICMP Traceback Messages
  • Stepping Stone Tracking
  • Traceback Network (CenterTrack or STM)

15
Ingress Filtering
  • Defined in RFC 2267
  • Edge Routers drop and log packets with invalid
    Source IPs or those coming from outside the
    network
  • Border Routers should not be allowed to transmit
    broadcast packets (MAC address FFFFFFFFFFFF)
    to other routers by default

16
Ingress Filtering (cont)
  • System Diagnostic UDP packets from outside
    domains should not be allowed into a network
  • Ingress filtering poses problems with Mobile IP.
    Currently the Mobile IP Working Group is
    investigating reverse tunneling to solve this
    problem.

17
Upstream Router Mapping
  • Network Administrators should make an upstream
    router map
  • Manually via traceroute
  • Mercator program that uses hop limited probes
    and source routers to create upstream maps

18
Counter Flooding
  • Network Administrators send UDP chargen floods
    upstream (small scale DoS attack). If a router
    is perturbed then it is probably being used in
    the attack. Repeat upstream.
  • Ethical issue If the trace causes more damage
    than the attack, should it be used?

19
PPM
  • PPM Probabilistic Packet Marking
  • 4 schemes
  • Savage, Wetherall, Karlin Anderson
  • Song Perrig
  • Park Lee
  • Dean, Franklin Stubblefield

20
PPM (cont)
  • These schemes overload the IP Identification
    field used for packet fragmentation
  • In most schemes, a hashing function computes a
    hash of the routers IP address and writes this
    hash to the Identification field
  • A distance field is normally included as well
    that keeps track of how many hops a packet has
    travelled

21
PPM (cont)
  • Typical IP Packet

22
PPM (cont)
  • Dean, etc. employ an algebraic scheme rather than
    a hash based wherein routers stamp coefficients
    of their IP addresses a prime number

23
PPM (cont)
  • Assumptions
  • Most paths are less than 25 hops
  • Packets can be addressed to more than one host
  • Duplicate Packets can exist
  • Routers can be compromised
  • Attackers know they can be traced

24
PPM (cont)
  • PPM schemes must minimize false positives while
    eliminating false negatives
  • Adding bits to IP headers causes packet
    fragmentation

25
PPM (cont)
  • Problems
  • Packets can take more than one path to a
    destination
  • IPSec requires IP Identification field
  • IP fragmentation is small (lt0.25 of traffic)
    but does exist
  • Routers do not need more overhead

26
ICMP Traceback
  • Traceroute only works in the forward direction,
    not in reverse
  • Routers send out ICMP traceback information
    (interface name, Time stamp) probabilistically
    (1/1000 1/20000)
  • Public key system used to authenticate packets
  • TTL set to 255 to show distance
  • Problem ICMP is filtered in some networks

27
Stepping Stone Traceback
  • Stepping Stone one link in a connection chain
  • If ON/OFF timing between 2 hosts is similar, it
    is probably a stepping stone
  • Packets often encrypted, check headers
  • Check clear text packets to see if the text from
    one host is transmitted to another
  • Problem too much legitimate traffic, not an
    adequate solution

28
CenterTrack
  • Edge routers are connected to a special overlay
    network composed of tracing routers via IP
    Tunnels
  • In case of attack, the packets are forwarded to
    the tracking routers which follow the stream back
    to the source of the attack

29
CenterTrack (cont)
  • Full packet capture can be added easily to
    provide attack evidence
  • Problems Attacks have to be detected to be
    rerouted
  • TTL is modified and ICMP TTL exceeded messages
    are sent back, possibly alerting the attacker to
    the trace

30
CenterTrack (contd)
GW Gateway CT CenterTrack Router TR/XR
Transfer Router
31
STM Network
  • SPIEs (Source Path Isolation Engines) are
    installed in routers, or connected to them
  • These SPIEs generate packet digests from 28 non
    changing bits in the packet (20 from the header,
    8 from the payload).
  • The digest is stored in router memory or external
    storage

32
STM Network (cont)
  • SPIEs transfer data to SCARs (SPIE Collection and
    Reduction Agents) if interesting traffic occurs
  • A SCAR can produce an attack graph of a local
    network
  • STMs (SPIE Traceback Managers) can request
    information from one or more SCARs and generate a
    complete attack graph

33
Conclusions
  • ISPs, unless they offer Mobile IP should use
    Ingress Filtering
  • Network Administrators should make upstream
    router maps
  • IPv6 should employ better packet tracing methods

34
References
  • 1 S. Bellovin. ICMP traceback messages.
    Internet Draft, IETF, Mar. 2000.
    draft-bellovin-itrace-05.txt (work in progress).
  •  
  • 2 H. Burch and B. Cheswick. Tracing
    anonymous packets to their approximate source.
    In Proc. USENIX LISA 00 (Dec. 2000).
  • 3 D. Dean, M. Franklin, and A. Stubblefield,
    "An Algebraic Approach to IP Traceback," in
    Network and Distributed System Security
    Symposium, NDSS '01, February 2001. 

35
References
  • 4 S. Dietrich, N. Long, and D. Dittrich,
    Analyzing ditributed denial of service attack
    tools The shaft case, in 14th Systems
    Administration Conference, LISA 2000, 2000,
    http//netsec.gsfc.nasa.gov/spock/lisa2000-shaft.
    pdf.
  • 7 P. Ferguson and D. Senie. Network ingress
    filtering Defeating denial of service attacks
    which employ IP source address spoofing. May
    2000.RFC 2827. IEEE INFOCOM 2001.
  •  
  • 8 R. Govindan and H. Tangmunarunkit.
    Heuristics for Internet Map Discovery. In
    Proc. of the 2000 IEEE INFOCOM Conference, Tel
    Aviv, Israel, Mar. 2000.

36
References
  • 10 K. Park and H. Lee. On the effectiveness
    of probabilistic packet marking for IP traceback
    under denial of service attack. In Proc. IEEE
    INFOCOM 2001, pages 338-347, 2001.
  •  
  • 11 S. Savage, D. Wetherall, A. Karlin, and T.
    Anderson. Practical network support for IP
    traceback. In Proc. of ACM SIGCOMM 00, pages
    295-306, Aug.2000.
  •  
  • 12 A. Snoeren, and C. Partridge. Hash-based
    IP Traceback. In Proc. ACM SIGCOMM 01, pages
    3-14, Aug. 2001.

37
References
  • 13 D. Song and A. Perrig. Advanced and
    authenticated marking schemes for IP traceback.
    Technical Report UCB/CSD-00-1107, Computer
    Science Department,
  • University of California, Berkeley, 2000. In
    Proc. IEEE INFOCOM 2001.
  •  
  • 14 R. Stone. CenterTrack An IP Overlay
    Network for Tracking DoS Floods. In Proc. of
    the 2000 USENIX Security Symposium, Denver, CO,
    July 2000.
  • 15 J. Scambray, S. McClure, and G. Kurtz.
    Hacking Exposed Network Security Secrets and
    Solutions. Second Edition. New York
    Osborne/McGraw-Hill, 2001. pages 484-506.

38
References
  • 17 Y. Zhang and V. Paxson. Stepping Stone
    Detection. In Proc. of the 2000 USENIX Security
    Symposium, Denver, CO, July 2000.

39
Questions?
Write a Comment
User Comments (0)
About PowerShow.com