Académique Documents
Professionnel Documents
Culture Documents
Spring 2013
DoS bug: w Design flaw allowing one machine to disrupt a service DoS flood: w Command bot-net to generate flood of requests
2
Attacked sites: (started apr. 2007, lasted two weeks) Estonian ministerial sites Various Estonian commercial sites (more on this later)
3
n n
Sample Dos at different layers (by order): w Link w TCP/UDP w Application w Payment Generic DoS solutions Network DoS solutions
! Sad truth:
n
Warm up:
802.11b
DoS bugs
NAV (Network Allocation Vector): w 15-bit field. Max value: 32767 w Any node can reserve channel for NAV seconds w No one else should transmit during NAV period w but not followed by most 802.11b cards De-authentication bug: w Any node can send deauth packet to AP w Deauth packet unauthenticated w attacker can repeatedly deauth anyone
5
gateway
DoS Target
! Send ping request to broadcast addr (ICMP Echo Req) ! Lots of responses:
n
Every host on target network generates a ping reply (ICMP Echo Reply) to victim
6
(Mar 13)
( 50 amplification )
DNS Server
DoS Target
2006: 0.58M open resolvers on Internet (Kaminsky-Shiffman) 2013: 21.7M open resolvers (openresolverproject.org) 3/2013: DDoS attack generating 300 Gbps
7
strated in Figure 1 (page 5) and again in Figure 13, the highest-bandwidth attack observed by respondents du period was a 100 Gbps DNS reflection/amplification attack. This represents a 102 percent increase over the is also the single largest increase in attack bandwidth year over year since the first report in 2005 and a 100 se in attack bandwidth since the reports inception.
90 80
Bandwidth (Gbps)
Figure 13
Source: Arbor Networks, Inc.
! Connectionless
n n
Flags
31
Source Port Dest port SEQ Number ACK Number U A P P S F R C S S Y I G K H R N N Other stuff
10
SNSrandS ANSSNC
ACK:
SNSNC ANSNS
Established
11
(DoS bug)
Single machine: SYN Packets with random source IP addresses Fills up backlog queue on server No further connections possible
12
SYN Floods
OS Linux 1.2.x FreeBSD 2.1.5 WinNT 4.0
Backlog timeout:
Attacker need only send 128 SYN packets every 3 minutes. Low rate SYN flood
13
(2003)
! MS solution:
n n
Increase backlog queue size or decrease timeout : Syncookies: remove state from server
(when under attack)
! Correct solution
n n
15
Syncookies
[Bernstein, Schenk]
! Idea: use secret key and data in packet to gen. server SN ! Server responds to Client with SYN-ACK cookie:
n n
T = 5-bit counter incremented every 64 secs. L = MACkey (SAddr, SPort, DAddr, DPort, SNC, T)
w key: picked at random during boot
[24 bits]
n n
SNS = (T . mss . L) ( |L| = 24 bits ) Server does not save state (other TCP options are lost)
, SN=SNC+1 )
17
Backscatter measurement
/8 network
[MVS01]
20,000 bots can generate 2Gb/sec of SYNs (2003) At web site: w Saturates network uplink or network router
w Random source IP
What to do ???
19
Prolexic /
Verisign
Few ACKs
Forward to site
Web site
20
773
Estonia attack
! Attack types detected:
n
(ATLAS 07)
! Bandwidth:
n
12 attacks:
Estonias solution: w Estonian ISPs blocked all foreign traffic until attacks stopped => DoS attack had little impact inside Estonia
22
Complete TCP connection to web site Send short HTTP HEAD request Repeat
Attacker can no longer use random source IPs. w Reveals location of bot zombies Proxy can now block or rate-limit bots.
23
! DDoS attack:
n n
flood victim_isp.com with requests for victim.com Random source IP address in UDP packets (collateral damage) bluesecurity DNS hosted at Tucows DNS server DNS DDoS took out Tucows hosting many many sites
! What to do ???
24
Botnet attack on the 13 Internet DNS root servers Lasted 2.5 hours None crashed, but two performed badly: w g-root (DoD), l-root (ICANN) w Most other root servers use anycast
25
CoDoNS: [Sirer04] w Cooperative Domain Name System P2P design for DNS system: w DNS nodes share the load w Simple update of DNS entries w Backwards compatible with existing DNS
26
! Feb. 2008:
n
n n
Pakistan telecom advertised a BGP path for 208.65.153.0/24 (includes 28 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 is in Pakistan
RSA-encrypt speed 10 RSA-decrypt speed Single machine can bring down ten web servers
n
Google DoS
qFirefox phishing/malware protection:
List contains hashes of (prefixes) of badware sites Firefox consults list before following a URL Google adds / to blacklist
For 55 minutes, all web sites marked as malware Reason: human error
29
Google DoS:
results
DoS Mitigation
31
1. Client puzzles
! Idea: slow down attacker ! Moderately hard problem:
n
LSBn ( SHA-1( C || X ) ) = 0n
n n n
Assumption: takes expected 2n time to solve For n=16 takes about .3sec on 1GhZ machine Main point: checking puzzle solution is easy.
Everyone must submit puzzle solution with requests When no attack: do not require puzzle solution
32
Examples
! TCP connection floods (RSA 99)
n n
Example challenge: C = TCP server-seq-num First data packet must contain puzzle solution w Otherwise TCP connection is closed Challenge C based on TLS session ID Server: check puzzle solution before RSA decrypt.
33
! Limitations:
n n
Requires changes to both clients and servers Hurts low power legitimate clients during attack: w Clients on cell phones and tablets cannot connect
34
Memory-bound functions
! CPU power ratio:
high end server / low end cell phone = 8000 Impossible to scale to hard puzzles
n
! Interesting observation:
n
Main memory access time ratio: w high end server / low end cell phone = 2 Solution requires many main memory accesses w Dwork-Goldberg-Naor, Crypto 03 w Abadi-Burrows-Manasse-Wobber, ACM ToIT 05
35
! Better puzzles:
n
2. CAPTCHAs
! Idea: verify that connection is from a human
[Killbots 05] During attack: generate CAPTCHAs and process request only if valid solution Present one CAPTCHA per source IP address.
36
3. Source identification
Goal: identify packet source Ultimate goal: block attack at the source
37
1. Ingress filtering
! Big problem:
(RFC 2827,
2000)
ISP
Internet
38
Implementation problems
!
ALL ISPs must do this. Requires global trust. n If 10% of ISPs do not implement no defense
R2
R3
R4
dest Dest AS
Transit AS
2. Traceback
! Goal:
n n
Most routers remain uncompromised Attacker sends many packets Route from attacker to victim remains relatively stable
40
Simple method
! Write path into network packet
n n
Each router adds its own IP address to packet Victim reads path from packet
! Problem:
n
Requires space in packet w Path can be long w No extra fields in current IP format
n
41
Better idea
! DDoS involves many
packets on same path A1 A2 R6 A3 R7 A4 R8 R10 R12 V
42
A5
Each router probabilistically stores own address Fixed space regardless of path length
R9
Edge Sampling
! Data fields written to packet:
n n
Edge: start and end IP addresses Distance: number of hops since edge stored
R1 receives packet from source or another router Packet contains space for start, end, distance
packet R1
e d R2 R3
44
packet R1
R1
0 R2 R3
45
Edge Sampling
! Finish writing edge
n n
R2 chooses not to overwrite edge Distance is 0 w Write end of edge, increment distance to 1 packet R1 R1 R2 1 R2 R3
46
Edge Sampling
! Increment distance
n n
47
Path reconstruction
! Extract information from attack packets ! Build graph rooted at victim
n
48
Version
Flags
Header Length Type of Service Total Length Identification Identification Fragment Offset Time to Live Protocol Header Checksum
n n
Padding IP Data
49
! Hash-Based IP Traceback
n
[Paxson 01]
A network component that responds to packets Response sent to victim (spoofed source IP)
! Examples:
n
DNS Resolvers: UDP 53 with victim.com source w At victim: DNS response Web servers: TCP SYN 80 with victim.com source w At victim: TCP SYN ACK packet Gnutella servers
51
DoS Attack
! Single Master ! Many bots to
generate flood
! Zillions of reflectors to
hide bots n Kills traceback and pushback methods
52
53
Siff: A stateless internet flow filter to mitigate DDoS flooding attacks. IEEE S&P 04.
! How:
n
n n n
Sender requests capability in SYN packet w Path identifier used to limit # reqs from one source Receiver responds with capability Sender includes capability in all future packets Main point: Routers only forward: w Request packets, and w Packets with valid capability
55
R1 Source AS
R2
R3
R4
dest Dest AS
Transit AS
57
Pushback filtering
! Mahajan, Bellovin, Floyd, Ioannidis, Paxson, Shenker.
Controlling High Bandwidth Aggregates in the Network. Computer Communications Review 02.
! Ioannidis, Bellovin.
! Argyraki, Cheriton.
Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks. USENIX 05.
58
Overlay filtering
60
Overlay filtering
! Keromytis, Misra, Rubenstein.
SOS: Secure Overlay Services. SIGCOMM 02.
! D. Andersen. Mayday.
Distributed Filtering for Internet Services. Usenix USITS 03.
61
! Sad truth:
n
62
THE END
63