Defensive Measures for DDoS
By Farhan Mirza

Posted 19-Dec-2015 (Documents; 39 pages)

Page 1: Defensive Measures for DDoS
By Farhan Mirza

Page 2: Contents
- Survey Topics
- Introduction
- Common Target of DoS Attacks
- DoS Tools
- Defensive Measures & Their Vulnerabilities
- Honeypot for DDoS
- Honeypot Implementation
- Issues & Concerns
- Conclusion

Page 3: Survey Topics
- Paper 1: Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures
- Paper 2: Honeypots for Distributed Denial of Service Attacks

Page 4: Introduction
- DoS attacks: "weapons of mass destruction" that paralyze Internet systems with bogus traffic
- 4th major attack in 2001 (Computer Crime & Survey Report)

Page 5: Attacks on Targets
- Attacking tools are becoming more offensive and more difficult to discover and filter
- Powerful automatic scanning and observation of the target's vulnerabilities
- Methods used: TCP SYN, UDP and ICMP flooding, etc.
- Includes viruses and worms: MS-SQL Server worm, Code Red, etc.

Page 6: Code Red Worm Attack

Page 7: Common Targets of DoS Attacks
- Bandwidth DoS attacks
- Memory DoS attacks
- Computation DoS attacks

Page 8: Bandwidth DoS Attacks
- Target: bandwidth
- Example: Slammer (MS-SQL Server worm)
  - Self-propagating malicious code
  - Employs multiple vulnerabilities of the SQL Server Resolution Service

Page 9: Memory DoS Attacks
- Target: memory
- Backscatter analysis (Moore investigation):
  - 94% of DoS attacks occur on the TCP protocol
  - 49% of attacks are TCP SYN attacks targeting the 3-way handshake
  - 2% on UDP
  - 2% on ICMP

Page 10: Memory DoS Attacks (Cont.)
- Every TCP connection establishment requires an allocated memory resource
- The number of concurrent TCP half-open connections is limited
- An attacker can disable the service by sending an overdose of connection requests with spoofed source addresses

Page 11: Computation DoS Attacks
- Target: computational resources
- Example: database query attacks
  - A sequence of queries requesting the DBMS to execute complex commands, overwhelming the CPU

Page 12: Software Bugs & Exploits
- Exploit on 7xx routers: connecting with Telnet and typing very long passwords
- Effects:
  - Reboots the router
  - Denies service to users during the reboot period
(Figure: connecting with Telnet and typing long passwords)

Page 13: Software Bugs & Exploits (Cont.)
- Smurf DoS bug: uses ICMP Echo Request packets with a spoofed source address
- Effects:
  - All machines on the subnet reply directly to the victim's address
  - Congestion of the victim's network connection

Page 14: DoS Tools
- Trin00
- TFN - Tribe Flood Network
- Stacheldraht - "Barbed Wire"

Page 15: Trin00
- Distributed attacking tool
- Installed on intermediate hosts using a buffer overrun bug
- Compiled on Linux and Solaris operating systems
- Capable of generating UDP packets for attack
- Target ports: 0 to 65534

Page 16: TFN - Tribe Flood Network
- Launches distributed denial of service attacks
- Installed on intermediate hosts, based on a buffer overrun bug
- Capable of launching ICMP floods, UDP floods, SYN attacks and Smurf attacks
- Compiled on Linux and Solaris operating systems

Page 17: Stacheldraht ("barbed wire")
- Combines features of Trin00 and TFN
- Capable of producing ICMP flood, SYN flood, UDP flood and Smurf attacks
- ICMP, UDP and TCP SYN packets of sizes up to 1024 bytes against multiple victim hosts
- TCP SYN packets are generated against random ports taken from a selected range of port numbers

Page 18: DDoS Pattern
1. Setting up of a stolen account as a repository for attack tools
2. Scanning of large ranges for potential vulnerable targets
3. Creation of a script to perform the exploit and to report the results
4. Choice of a subset of suitable compromised servers from the list
5. Script-automated installation of the needed tools on the compromised servers
6. Optional installation of a rootkit to hide the compromise

Page 19: Defensive Measures - System Self Defense
- Stop all unnecessary or non-essential system services and network ports
- Reduce the timeout period for simultaneous half-open connections
- Vulnerability: reconfiguration may delay, or even deny, legitimate access, and can lead to a potential increase in resource usage
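The trade-off behind "reduce the timeout period for half-open connections" (and the memory exhaustion described on the Memory DoS slides) can be made concrete with a small model. The following is an added example, not code from the slides or the surveyed papers: it keeps a half-open table of fixed capacity, ages entries out after a configurable timeout, and counts how many legitimate handshakes survive a spoofed SYN flood. All rates, capacities and delays are constructed values chosen for illustration.

```python
"""Discrete-time model of a TCP half-open connection table under a spoofed
SYN flood (added example; parameter values are constructed, not measured).

A shorter half-open timeout frees table slots sooner, but a legitimate client
whose final ACK arrives after the timeout is dropped as well.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    accepted_legit: int   # legitimate handshakes that completed
    rejected_legit: int   # legitimate SYNs dropped (table full) or expired before their ACK
    peak_half_open: int   # largest number of half-open entries seen


def simulate(capacity, timeout, spoof_rate, legit_rate, legit_ack_delay, duration):
    """Run `duration` one-second ticks and return an Outcome.

    capacity         maximum half-open entries the server keeps
    timeout          seconds a half-open entry is retained before being discarded
    spoof_rate       spoofed SYNs per tick; they never complete the handshake
    legit_rate       legitimate SYNs per tick; each one's ACK arrives legit_ack_delay ticks later
    """
    # Each entry is (expiry_tick, ack_tick); ack_tick is None for spoofed SYNs.
    table = []
    accepted = rejected = peak = 0
    for t in range(duration):
        # 1. Discard entries whose timeout has elapsed. A legitimate entry that
        #    expires before its ACK arrives is a lost connection.
        expired = [e for e in table if e[0] <= t]
        rejected += sum(1 for e in expired if e[1] is not None)
        table = [e for e in table if e[0] > t]
        # 2. Complete the legitimate handshakes whose ACK arrives this tick.
        accepted += sum(1 for e in table if e[1] == t)
        table = [e for e in table if e[1] != t]
        # 3. New arrivals. Spoofed SYNs are processed first to model an attacker
        #    who keeps the table full; each occupies a slot until it times out.
        for _ in range(spoof_rate):
            if len(table) < capacity:
                table.append((t + timeout, None))
        for _ in range(legit_rate):
            if len(table) >= capacity:
                rejected += 1          # table full: the SYN is dropped outright
            else:
                table.append((t + timeout, t + legit_ack_delay))
        peak = max(peak, len(table))
    return Outcome(accepted, rejected, peak)


if __name__ == "__main__":
    # Long timeout: 30 spoofed SYNs/s fill a 100-entry table within a few seconds.
    print("timeout=4 :", simulate(100, 4, 30, 5, 1, 20))
    # Short timeout: entries are recycled before the table fills.
    print("timeout=2 :", simulate(100, 2, 30, 5, 1, 20))
    # Short timeout with slow clients: their ACKs now arrive too late and all are lost.
    print("slow ACKs :", simulate(100, 2, 30, 5, 2, 20))
```

The three runs show the slide's two sentences side by side: with a 4-second timeout the table saturates after three ticks and almost every later legitimate SYN is refused; halving the timeout keeps the table below capacity; but once the timeout is shorter than a client's handshake round trip, that client is denied even though no slot is ever short.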

Page 20: Packet Filtering
- Most popular defensive mechanism
- Selectively screens out suspicious or malicious packets
- Is itself a deformed DoS
- Vulnerability: if manipulated or abused, it is the most convenient way to accomplish a DoS attack

Page 21: Packet Filtering (Cont.)
- Types of packet filtering: egress/ingress
  - Manages the flow inside and outside the network
  - Ingress: used to block packets with spoofed source addresses
  - Egress: manages the flow of traffic as it leaves a network
- Vulnerability: effective only if applied at large scale
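An added example of the ingress/egress source-address check described above (it is not code from the slides or from either surveyed paper). It assumes a single border router for an organisation that owns one constructed prefix, 192.0.2.0/24 (a documentation range), plus a small list of private "bogon" prefixes that never appear as legitimate Internet sources; both lists and every sample packet are constructed.

```python
"""Ingress / egress source-address filtering at a border router (added example;
the prefixes, bogon list and sample packets are all constructed)."""
import ipaddress

# The prefix this organisation owns (constructed; RFC 5737 documentation range).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Sources that can never legitimately arrive from the Internet side.
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _in(addr, nets):
    return any(addr in net for net in nets)


def ingress_check(src):
    """Packet arriving from the Internet: its source may claim neither our own
    addresses nor a bogon prefix."""
    addr = ipaddress.ip_address(src)
    if _in(addr, OUR_PREFIXES):
        return "drop-spoofed-internal"
    if _in(addr, BOGONS):
        return "drop-bogon"
    return "accept"


def egress_check(src):
    """Packet leaving our network: its source must be one of our own addresses,
    so a spoofed flood originating inside cannot reach anyone else."""
    addr = ipaddress.ip_address(src)
    return "accept" if _in(addr, OUR_PREFIXES) else "drop-spoofed-external"


def apply_filters(packets):
    """packets: iterable of (direction, src_ip, dst_ip) with direction 'in' or 'out'.
    Returns a list of (direction, src, dst, verdict)."""
    verdicts = []
    for direction, src, dst in packets:
        verdict = ingress_check(src) if direction == "in" else egress_check(src)
        verdicts.append((direction, src, dst, verdict))
    return verdicts


def summary(verdicts):
    """Count verdicts, e.g. {'accept': 2, 'drop-bogon': 1, ...}."""
    counts = {}
    for _, _, _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed packets seen at the border router.
SAMPLE = [
    ("in",  "203.0.113.7",  "192.0.2.10"),   # ordinary inbound traffic
    ("in",  "192.0.2.10",   "192.0.2.20"),   # inbound packet claiming our own address: spoofed
    ("in",  "10.1.2.3",     "192.0.2.10"),   # private source from the Internet: bogon
    ("out", "192.0.2.10",   "203.0.113.7"),  # ordinary outbound traffic
    ("out", "198.51.100.9", "203.0.113.7"),  # outbound with a foreign source: spoofed flood leaving us
]

if __name__ == "__main__":
    results = apply_filters(SAMPLE)
    for row in results:
        print(row)
    print(summary(results))
```

Note how the egress rule protects other people's networks rather than this one: the spoofed packet leaving with source 198.51.100.9 is stopped here, but a spoofed flood aimed at 192.0.2.0/24 is stopped only if the networks it originates from run the same rule. That is the "effective only at large scale" vulnerability on the slide.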

Page 22: Packet Filtering (Cont.) - Firewalls
- Firewalls: the victim's network mechanism
- Enable a form of protection against SYN flooding
- Examine packets and maintain connection and state information for session traffic
- Configured as a relay or as a semi-transparent gateway
- Vulnerability:
  - Cause delays for every connection
  - A flood of 14k packets/sec can disable even specialized firewalls

Page 23: IP Traceback
- Effective and aggressive way to terminate DoS attacks at their sources
- Vulnerability: does not locate the attacker if the attacker is attacking from reflectors

Page 24: State Monitoring
- Uses software agents to continuously monitor TCP/IP traffic in a network
- RealSecure: monitors the local network for SYN packets that are not acknowledged within a period of time defined by the user
- Vulnerabilities: needs to maintain a tremendous amount of state to determine malicious packets, consuming system resources
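The RealSecure behaviour on the slide, SYNs that are not acknowledged within a user-defined window, is easy to reproduce as a small monitoring agent. The block below is an added example (it is not RealSecure's code or the papers' code). It replays a constructed packet trace that records only the client-side handshake packets (SYN and the final ACK) in a made-up "t=<seconds> <flag> <src>:<sport> -> <dst>:<dport>" format; every address in it is constructed. It also reports the size of the pending table, which is the state cost the slide lists as the vulnerability.

```python
"""State-monitoring agent for unacknowledged SYNs (added example; the trace
format and all addresses are constructed)."""
import re
from collections import defaultdict

LINE = re.compile(
    r"t=(?P<t>\d+(?:\.\d+)?)\s+(?P<flag>SYN|ACK)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(line):
    """Return (time, flag, (src, sport, dst, dport)); raise ValueError on junk."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return float(m["t"]), m["flag"], key


def analyze(lines, window, threshold):
    """Replay the trace and return a dict with:
      half_open     connections still awaiting their ACK (state the agent must keep)
      stale_by_dst  {(dst, dport): n} SYNs older than `window` seconds at trace end
      alerts        [(dst, dport, n)] destinations whose stale count reaches `threshold`
    """
    pending = {}   # handshake key -> time of its first SYN
    now = 0.0
    for line in lines:
        t, flag, key = parse(line)
        now = max(now, t)
        if flag == "SYN":
            pending.setdefault(key, t)      # a retransmitted SYN keeps its first timestamp
        else:                               # client ACK: the handshake completed
            pending.pop(key, None)
    stale = defaultdict(int)
    for (_src, _sport, dst, dport), t0 in pending.items():
        if now - t0 >= window:
            stale[(dst, dport)] += 1
    alerts = [(dst, dport, n) for (dst, dport), n in sorted(stale.items()) if n >= threshold]
    return {"half_open": len(pending), "stale_by_dst": dict(stale), "alerts": alerts}


# Constructed trace: one completed web handshake, four spoofed SYNs to port 80
# that are never acknowledged, one completed SMTP handshake, and two very
# recent SYNs that are still inside the window when the trace ends.
TRACE = [
    "t=0.00 SYN 203.0.113.5:40001 -> 192.0.2.10:80",
    "t=0.10 ACK 203.0.113.5:40001 -> 192.0.2.10:80",
    "t=1.00 SYN 198.51.100.1:1025 -> 192.0.2.10:80",
    "t=1.01 SYN 198.51.100.2:1025 -> 192.0.2.10:80",
    "t=1.02 SYN 198.51.100.3:1025 -> 192.0.2.10:80",
    "t=1.03 SYN 198.51.100.4:1025 -> 192.0.2.10:80",
    "t=2.00 SYN 203.0.113.9:50000 -> 192.0.2.10:25",
    "t=2.20 ACK 203.0.113.9:50000 -> 192.0.2.10:25",
    "t=9.90 SYN 203.0.113.6:40002 -> 192.0.2.10:80",
    "t=10.00 SYN 203.0.113.7:40003 -> 192.0.2.10:443",
]

if __name__ == "__main__":
    print(analyze(TRACE, window=5.0, threshold=3))
```

With a 5-second window and a threshold of 3 the agent raises one alert for 192.0.2.10:80 (four stale SYNs) while leaving the two fresh SYNs alone; note that `half_open` is 6, not 4, because the agent has to hold state for every unanswered SYN until the window decides, which is exactly the resource cost the slide warns about.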

Page 25: Resource Allocation Control
- A way to prevent exhaustion of the victim's resources: limit the resource allocation and usage for each user or service
- Class Based Queuing: configures different traffic priority queues and rules that determine which packets should be put into which queue
- Vulnerability: in the case of DoS attacks, cannot determine which packets belong to the same user or service for sharing a quota or resources
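The vulnerability on this slide is worth seeing in numbers. The block below is an added example, not the papers' code: it implements a per-source quota scheduler in the spirit of Class Based Queuing (one class per source address, a fixed per-class quota, then a fixed link capacity served in arrival order) and runs it against two constructed floods, one from a single real source and one whose every packet carries a different forged source. Addresses and counts are constructed.

```python
"""Per-source quota scheduling versus a spoofed flood (added example; all
addresses and packet counts are constructed)."""
from collections import Counter


def schedule(packets, quota, capacity):
    """packets: list of (source_ip, label) in arrival order, label 'legit' or 'attack'.
    Each source class may admit at most `quota` packets per interval; the link then
    serves at most `capacity` admitted packets. Returns a Counter of served labels."""
    per_source = Counter()
    admitted = []
    for src, label in packets:
        if per_source[src] < quota:     # classification rule: one queue per source
            per_source[src] += 1
            admitted.append(label)
        # else: this source already used its share for the interval; packet dropped
    served = admitted[:capacity]        # link capacity for the interval
    return Counter(served)


def legit_clients(n):
    """n legitimate clients, one request each, from distinct addresses (constructed)."""
    return [(f"203.0.113.{i}", "legit") for i in range(1, n + 1)]


def flood_single_source(n):
    """n attack packets from one non-spoofed source (constructed)."""
    return [("198.51.100.1", "attack")] * n


def flood_spoofed(n):
    """n attack packets, each with a different forged source address (constructed)."""
    return [(f"198.51.100.{i}", "attack") for i in range(1, n + 1)]


def compare(quota=5, capacity=20):
    """Run both floods ahead of 10 legitimate requests and return what got served."""
    return {
        "single_source": schedule(flood_single_source(100) + legit_clients(10), quota, capacity),
        "spoofed": schedule(flood_spoofed(100) + legit_clients(10), quota, capacity),
    }


if __name__ == "__main__":
    for name, served in compare().items():
        print(f"{name:14s} served: legit={served['legit']} attack={served['attack']}")
```

Against the single-source flood the quota works exactly as intended: the attacker is capped at 5 packets and all 10 legitimate requests are served. Against the spoofed flood every packet lands in a fresh class under quota, the 20 slots of link capacity are consumed by attack traffic, and no legitimate request is served: the scheduler has no way to tell that the 100 "users" are one attacker.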

Page 26: Congestion Control
- Network congestion: reduction in network throughput
- Pushback:
  - Mechanism for defending against DDoS attacks
  - Identifies most of the malicious packets based on Aggregate-based Congestion Control
- Vulnerability:
  - Not an effective method to block bad traffic under a typical DDoS attack
  - Cannot differentiate good and bad traffic and will drop them equally

Page 27: Active Networks
- Programs can perform customized computations and manipulations
- Allow users to inject customized programs into the nodes of the network
- Active edge-tagging: one example, which tags the actual source IP address into the active network layer header of each incoming packet from hosts at the first-hop routers
- Vulnerability: AN poses serious security threats as it is designed to run executable code on remote hosts

Page 28: Bandwidth Overhead of Defensive Measures

Page 29: Memory Overhead of Defensive Measures

Page 30: Computational Overhead of Defensive Measures

Page 31: Attacks on Defensive Measures (assumption vs. reality)

Firewalls
  Assumption: invincible, with unlimited resources
  Reality: still limited, and they create a single point of failure or bottleneck
Network congestion
  Assumption: control messages are delivered to their destination efficiently and successfully
  Reality: control messages may be dropped or lost during transmission
Defensive devices
  Assumption: will not be targeted by the attacker
  Reality: many are vulnerable to attack
Network devices
  Assumption: trustworthy; control messages will not be tampered with, eavesdropped or forged
  Reality: control messages might be tampered with, eavesdropped or forged

Page 32: Honeypot for DDoS
- Advantages of the system:
  - Defending the operational network with high probability against DDoS and new variants
  - Trapping the attacker to record the compromise, to help in legal action against the attacker
- Devised system:
  - Implemented to lure the hacker into believing he has successfully compromised the system
  - To learn the tactics, tools, methods and motive of an attacker in order to secure the system

Page 33: Characterization
- Should be a replica of the operational system
- Consists of similar systems and applications
- Services such as Web, Mail, FTP and DNS should be accessible to the attacker
- Must be located in the DMZ

Page 34: Local Network Protection
- Must be located in another zone protected with a firewall
- Encrypted transmission inside the LAN
- Clients run a trusted OS
- Services are managed by an indirect authentication method (Kerberos)
- Detection systems such as a host-based IDS and a vulnerability scanner must be running

Page 35: Honeypot Implementation in an Organization

Page 36: View for an Attacker

Page 37: Issues To Be Resolved
- The attack must be detectable
- Attack packets must be actively directed to the honeypot
- The honeypot must be able to simulate the organization's network infrastructure

Page 38: Concerns & Issues
- Not a good idea in a real operational environment
- Requires expertise: a small configuration mistake or loophole will create a disaster
- Difficult to identify regular users and attackers in most cases
- Uses a DDoS signature-type method during authentication: not as effective, especially for first-time authentication
- Hard to identify the culprit: the attacker uses compromised systems
- VPN and PKI as proposed: how do both environments work together?

Page 39: Conclusion
- Attacking and defending networks is like a game
- Defensive measures are not always secure, and valuable data is at risk with small effort from the attacker
- Honeypot: a promising tool for luring attackers in DDoS attacks
- To secure our network, defensive measures with proper knowledge and expertise are required