Denial of Service Attacks: Detection and Reaction
Georgios Koutepas, Basil Maglaris
National Technical University of Athens, Greece
Cyprus Conference on Information Security 2002
October 12, 2002
DoS Attacks: Detection and Reaction. CSC, October 12, 2002
What is "Denial of Service"?
• An attack that suspends the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it's:
  "If not us, then Nobody"
• No break-in attempts, no information stealing, although DoS can be combined with other attacks to confuse Intrusion Detection Systems
• No easy solutions! DoS is still mostly a research issue
Main Characteristics of DoS
• Variable targets:
  – Single hosts or whole domains
  – Computer systems or networks
  – Important: active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses & effects:
  – Hacker "turf" wars
  – High profile commercial targets (or just competitors…)
  – Useful in cyber-warfare, terrorism etc.
Brief History
First Phase (starting in the '90s): DoS
• Started as bug/vulnerability exploitation
• Single hosts - single services were the first targets
• Single malicious packets
Second Phase (1996-2000)
• Resource consuming requests from many sources
• Internet infrastructure used for attack amplification
Third Phase (after 2000): Distributed DoS
• Bandwidth of network connections is the main target
• Use of many pirated machines, possibly many attack stages, escalation effect to saturate the victims
Brief History (cont.)
Important Events:
• February 7-11 2000: Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks.
  – The attacks capture the attention of the media
  – The US President assembles an emergency council of members of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
• January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity.
Host DoS Attacks
• Usually one attacker - one target
• Methods used are derivatives of ones used for unauthorized access:
  – Buffer overflows on wrongly designed input fields can overwrite parts of the memory stack. The results: open doors or failure of the service/system
  – Ambiguities in network protocols and their implementations. Specially designed packets can halt the protocol stack or the whole system
Examples of Host DoS Attacks
– Land IP DoS attack: special SYN packets with the same source and destination address and port, which some TCP/IP stacks could not handle
– Teardrop attack: sends IP fragments to a network-connected machine. It exploits an overlapping IP fragment bug present in various TCP/IP implementations.
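Both patterns are visible in the packet headers alone, so a host or network IDS can flag them without knowing which stack is vulnerable. The following is an added example, not code from the slides: it checks a stream of packet records for a Land packet (TCP SYN whose source address and port equal its destination) and for Teardrop-style overlapping IP fragments. The Packet fields and the SAMPLE packets are constructed for this example, not a real capture format.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet record; field names are this example's own."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP flags as letters, "S" = SYN, "A" = ACK
    frag_id: int = 0    # IP identification, shared by all fragments of one datagram
    frag_off: int = 0   # fragment offset in bytes (header field x 8)
    frag_len: int = 0   # payload bytes carried by this fragment
    mf: bool = False    # "more fragments" bit


def is_land(pkt: Packet) -> bool:
    """Land: a SYN whose source and destination address and port are identical."""
    return (pkt.proto == "tcp" and "S" in pkt.flags
            and pkt.src == pkt.dst and pkt.sport == pkt.dport)


def overlapping_fragments(packets):
    """Teardrop-style check: group fragments by (src, dst, id) and report the
    datagrams in which a fragment starts inside the previous fragment."""
    groups = defaultdict(list)
    for p in packets:
        if p.mf or p.frag_off > 0:          # only fragments of a larger datagram
            groups[(p.src, p.dst, p.frag_id)].append(p)
    suspicious = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f.frag_off)
        end = 0
        for f in frags:
            if f.frag_off < end:            # overlap: starts before the previous fragment ends
                suspicious.append(key)
                break
            end = f.frag_off + f.frag_len
    return suspicious


def scan(packets):
    """Return (kind, description) alerts for every Land packet and overlapping datagram."""
    alerts = [("land", f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
              for p in packets if is_land(p)]
    for src, dst, ident in overlapping_fragments(packets):
        alerts.append(("teardrop", f"{src} -> {dst} id={ident}"))
    return alerts


# Constructed sample: one Land packet, one normal SYN, one overlapping and
# one correctly fragmented UDP datagram (10.0.0.5 plays the victim host).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", "tcp", 139, 139, "S"),
    Packet("192.0.2.7", "10.0.0.5", "tcp", 40000, 80, "S"),
    Packet("192.0.2.9", "10.0.0.5", "udp", frag_id=242, frag_off=0, frag_len=36, mf=True),
    Packet("192.0.2.9", "10.0.0.5", "udp", frag_id=242, frag_off=24, frag_len=4),
    Packet("192.0.2.11", "10.0.0.5", "udp", frag_id=7, frag_off=0, frag_len=1480, mf=True),
    Packet("192.0.2.11", "10.0.0.5", "udp", frag_id=7, frag_off=1480, frag_len=200),
]

if __name__ == "__main__":
    for kind, desc in scan(SAMPLE):
        print(kind, desc)
```

The fragment check flags any overlap, not only the specific short second fragment that Teardrop used, since a correct reassembler never needs overlapping fragments from a well-behaved sender.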
Host Resource DoS Attacks
• The target continues (most of the time) to operate but cannot offer any useful service.
• Resource exhaustion through legitimate requests to the target host:
  – SYN Flooding attack
  – Ping Flooding attack
  – Smurf attack: the ping flow is "amplified" by being first sent to a number of network broadcast addresses with the victim's return address in the packets
Example of a "Smurf" Attack
[Figure: the Attacker sends an ICMP Echo request to the broadcast address of an unsecured LAN with the source address forged as victim.host, the Target (web server). Admin Problem: the router allows Ping to the LAN broadcast address. Every host on the LAN answers with an ICMP Echo reply to victim.host, which receives the amplified flood.]
Network Attacks: Distributed DoS
[Figure: the Attacker (1) takes control of pirated machines ("zombies") in Domain A and Domain B and (2) commands the attack; the zombies flood the Target domain. Admin Problem 1: active "zombies". Admin Problem 2: the network allows outgoing packets with wrong source addresses.]
Main Characteristics of DDoS
• Some hundred persistent flows are enough to knock a large network off the Internet
• Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
• Source IPs are usually spoofed on attack packets
• Offending systems may be controlled without their users suspecting it
• Possibly many levels of command & control:
  – Attacker-Manager-Agents
  – Examples of automated tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K"; their agents are commonly installed together with a rootkit that hides them on the compromised host
Multi-tier attack
[Figure: the Attacker controls several Attack Masters, each commanding a group of "zombies" (Attack Agents) that flood the Target domain. Admin Problem: no detection of malicious activities on the networks hosting the masters and agents.]
Reflection DDoS Attack
[Figure: the Attacker, through an Attack Master, has the "zombies" send legitimate TCP SYN requests to routers, web or other servers with the source address forged as the Target domain; the TCP SYN-ACK answers of those reflectors are delivered to the Target domain.]
PART II: What Can We Do
Detection
• Host DoS attacks:
  – Border defenses must be kept up to date
  – Host and network based Intrusion Detection Systems
  – Investigate suspicious activity indications
Detection (cont.)
• Distributed DoS attacks - on the Network
  – Offensive flows must be identified quickly
    • Tip: set generalized pass filters (e.g. per protocol or per destination) on the border routers and watch their match counters; a high number of matches indicates an attack
    • Use NetFlow or another flow monitoring tool
  – Follow router indications
    • Tip: check router load (CPU, interface utilization) for abnormal signs
• Distributed DoS attacks - in the Domain
  – Perform frequent security audits for hidden malicious code ("zombies") or attack rootkits
  – Install an anti-virus package
Reaction to DDoS
• The malicious flows have to be determined. Timely reaction is critical!
• The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.
• Filters that block the attack traffic must be set up and maintained. The effectiveness of the actions must be verified.
• The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks on the attack path.
Reaction to DDoS (cont.)
• Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it ("blackholing"). It completes the attack, since the target is now unreachable for everyone!
• Trace-back efforts:
  – Following the routing (if the sources are not spoofed)
  – Step by step through the ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
• The conclusion: not a matter of a single site
Prevention - Preparation
• Good administrative practices: a must
  – Backup!
  – Have a recovery plan, possibly a stand-by system
  – Train your personnel, have someone aware of security issues available at all times
  – Have emergency contact points with your ISPs and CERTs, know beforehand whom to call and have clear service policies on what they are obliged to do
• Care for the rest of the world
  – Prevent spoofed traffic from exiting your network (egress filtering)
  – Filter pings to broadcast addresses (smurf amplifier)
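The two "care for the rest of the world" measures are a border-router policy, and the decision is mechanical once the site's own prefixes are known. The following is an added example, not code from the slides: a filter policy that (1) refuses to let a packet leave the site with a source address outside the site's own prefixes, and (2) drops ICMP Echo requests addressed to a directed broadcast address of the site's subnets (the smurf amplifier). The complementary ingress check (our own prefix arriving from outside) is included as well. The prefixes (SITE_SUBNETS) and the SAMPLE packets are constructed for this example.

```python
import ipaddress

# Constructed addressing: the subnets behind this border router.
SITE_SUBNETS = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/25")]


def is_site_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_SUBNETS)


def is_directed_broadcast(addr: str) -> bool:
    """True if addr is the broadcast address of one of the site's subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in SITE_SUBNETS)


def border_decision(direction, src, dst, proto, icmp_type=None):
    """Decide 'permit' or 'deny: <reason>' for one packet crossing the border.
    direction is 'out' for packets leaving the site and 'in' for packets entering."""
    if direction == "out" and not is_site_address(src):
        return "deny: spoofed source"                  # egress anti-spoofing
    if direction == "in" and is_site_address(src):
        return "deny: our own prefix from outside"     # ingress anti-spoofing
    if proto == "icmp" and icmp_type == 8 and is_directed_broadcast(dst):
        return "deny: ping to broadcast"               # smurf amplifier (ICMP type 8 = Echo request)
    return "permit"


# Constructed packets: (direction, src, dst, proto, icmp_type)
SAMPLE = [
    ("out", "198.51.100.10", "192.0.2.1", "tcp", None),       # legitimate outbound
    ("out", "10.9.9.9", "192.0.2.1", "udp", None),            # a zombie spoofing its source
    ("in", "192.0.2.50", "198.51.100.255", "icmp", 8),        # smurf probe to the LAN broadcast
    ("in", "192.0.2.50", "198.51.100.10", "icmp", 8),         # ordinary ping to a host
    ("in", "198.51.100.10", "198.51.100.20", "tcp", None),    # our prefix arriving from outside
]


def evaluate(packets):
    return [border_decision(*p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt, "->", verdict)
```

Note that the broadcast check is keyed to the exact broadcast address of each subnet, so a ping to an ordinary host in the same subnet is still permitted; it is the directed-broadcast delivery on the router that turns one request into many replies.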
PART III: Research Directions
Main DoS Research Problems
• DoS
  – Is mostly an Intrusion Detection / Prevention problem
  – Not many things possible since a single packet can do all the damage
  – Some efforts to have an "Immune System" type of detection for anomalous system call sequences
• DDoS
  – Timely attack detection
  – Source tracing
  – Traffic flow control and attack suppression
  – Intrusion Detection Systems not very helpful
CenterTrack
• R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods", 9th USENIX Security Symposium, Denver, Colorado, USA, August 2000
[Figure: CenterTrack overlay around the Target domain]
Pushback
• J. Ioannidis and S. Bellovin, "Pushback: Router-Based Defense Against DDoS Attacks", NDSS, February 2002
[Figure: at the router in front of the Target domain: 1. aggregate characteristics determined; 2. incoming traffic interface determined; 3. containment filter set locally; 4. continue to the next router in the attack path using the Pushback protocol]
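The four steps in the figure form a recursion: every router that receives a pushback request applies steps 2-4 itself. The following is an added example, not the Pushback implementation of Ioannidis and Bellovin and not code from the slides: a simulation of steps 2-4 on a constructed router tree, where the router in front of the target rate-limits the aggregate on the interfaces that carry it and asks each pushback-capable upstream router to enforce that interface's share. The topology (TOPOLOGY), the rates, the 10% contribution threshold and the proportional split of the limit are assumptions of this example; the paper allocates the limit differently (max-min style), so the numbers are illustrative only.

```python
from dataclasses import dataclass, field

# Constructed topology: router -> {incoming interface: (upstream router or None, aggregate pps)}.
# None marks an interface facing a network with no pushback-capable router behind it.
TOPOLOGY = {
    "R0": {"if1": ("R1", 80_000), "if2": ("R2", 15_000), "if3": (None, 500)},
    "R1": {"if1": ("R3", 60_000), "if2": (None, 20_000)},
    "R2": {"if1": (None, 15_000)},
    "R3": {"if1": (None, 60_000)},
}

# Step 1 is assumed already done by the detector: the aggregate is the Target's destination prefix.
AGGREGATE = "203.0.113.0/24"
CONTRIBUTION_THRESHOLD = 0.10   # an interface is "on the attack path" if it carries >= 10% of the aggregate


@dataclass
class Result:
    filters: list = field(default_factory=list)    # (router, interface, aggregate, allowed_pps)
    messages: list = field(default_factory=list)   # (from_router, to_router, aggregate, allowed_pps)


def pushback(router, aggregate, limit_pps, topology=TOPOLOGY, result=None):
    """Run steps 2-4 at `router`: allow at most limit_pps of `aggregate` through it."""
    if result is None:
        result = Result()
    interfaces = topology[router]
    total = sum(rate for _, rate in interfaces.values())
    # Step 2: incoming interfaces that carry a significant share of the aggregate
    contributing = {name: up for name, up in interfaces.items()
                    if up[1] >= CONTRIBUTION_THRESHOLD * total}
    contrib_total = sum(rate for _, rate in contributing.values())
    for name, (upstream, rate) in contributing.items():
        share = limit_pps * rate // contrib_total          # proportional split of the limit (assumed)
        # Step 3: containment filter, a rate limit for the aggregate on this interface
        result.filters.append((router, name, aggregate, share))
        # Step 4: hand the request to the upstream router, which repeats the procedure
        if upstream is not None:
            result.messages.append((router, upstream, aggregate, share))
            pushback(upstream, aggregate, share, topology, result)
    return result


if __name__ == "__main__":
    # The Target's access link is assumed to absorb 10,000 pps of the aggregate.
    res = pushback("R0", AGGREGATE, 10_000)
    for entry in res.filters:
        print("filter ", entry)
    for msg in res.messages:
        print("message", msg)
```

In the constructed run, interface if3 of R0 carries under 10% of the aggregate and receives no filter, so the low-rate legitimate traffic on it is untouched, while the limits installed at R1, R2 and R3 move the discard point away from the Target's link, which is the bandwidth-penalty argument of the Reaction slides.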
Panoptis
• C. Kotsokalis, D. Kalogeras, and B. Maglaris, "Router-Based Detection of DoS and DDoS Attacks", HP OpenView University Association (HPOVUA) Conference '01, Berlin, Germany, June 2001
[Figure: NetFlow records from the Border Routers of the Target domain are fed to the Panoptis Analysis Engine, which 1. determines the aggregate characteristics, 2. determines the traffic interfaces, and 3. configures the filters automatically]
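The analysis engine in the figure automates the "Detection (cont.)" tips from Part II: watch per-destination counts in the flow data, find which border interfaces the offending flows enter on, and turn the result into filters. The following is an added example serving both that slide and this figure; it is not the Panoptis engine and not code from the slides. It runs over NetFlow-style records from the border routers and (1) finds the destination receiving abnormally many flows, with the indicators an operator looks at (distinct sources, SYN-only share), (2) determines the incoming interfaces carrying it, and (3) emits a router-neutral filter specification. The Flow fields, the records (constructed_flows) and the thresholds are constructed for this example and are not the NetFlow v5 record layout.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """Constructed flow record; field names are this example's own."""
    router: str
    in_if: int        # ingress interface index (NetFlow "input SNMP index")
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int
    packets: int
    tcp_flags: int    # OR of all TCP flags seen in the flow; 0x02 = SYN, 0x10 = ACK


def detect_aggregates(flows, factor=5.0):
    """Step 1: destinations whose flow count exceeds `factor` times the median
    destination (a real engine would use a historical baseline instead)."""
    counts = Counter(f.dst for f in flows)
    values = sorted(counts.values())
    limit = factor * values[len(values) // 2]
    aggregates = []
    for dst, n in counts.most_common():
        if n <= limit:
            break
        dst_flows = [f for f in flows if f.dst == dst]
        syn_only = sum(1 for f in dst_flows if f.proto == 6 and f.tcp_flags & 0x12 == 0x02)
        aggregates.append({
            "dst": dst,
            "flows": n,
            "distinct_sources": len({f.src for f in dst_flows}),  # spoofing: one flow per source
            "syn_only_ratio": round(syn_only / n, 2),
        })
    return aggregates


def attack_interfaces(flows, dst, min_share=0.10):
    """Step 2: (router, interface) pairs carrying at least min_share of the aggregate's packets."""
    per_if = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            per_if[(f.router, f.in_if)] += f.packets
    total = sum(per_if.values())
    return sorted(k for k, v in per_if.items() if v >= min_share * total)


def filter_spec(flows, aggregate):
    """Step 3: one filter entry per attack interface. For a SYN flood the match is
    narrowed to SYN-only segments so established connections keep passing."""
    match = {"dst": aggregate["dst"]}
    if aggregate["syn_only_ratio"] >= 0.8:
        match.update({"proto": 6, "tcp_flags": "syn,!ack"})
    return [{"router": r, "interface": i, "match": dict(match), "action": "rate-limit"}
            for r, i in attack_interfaces(flows, aggregate["dst"])]


def constructed_flows():
    """Constructed records: background web traffic to five servers plus a spoofed
    SYN flood against 203.0.113.10 entering mostly through R1 interface 1."""
    flows = []
    for i in range(5):
        for j in range(4):
            flows.append(Flow("R1", 1, f"198.51.100.{i * 10 + j + 1}", f"203.0.113.{20 + i}", 6, 80, 40, 0x1b))
    for k in range(60):
        router, in_if = ("R1", 1) if k < 40 else (("R1", 2) if k < 55 else ("R2", 1))
        flows.append(Flow(router, in_if, f"192.0.2.{k + 1}", "203.0.113.10", 6, 80, 3, 0x02))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for agg in detect_aggregates(flows):
        print(agg)
        for entry in filter_spec(flows, agg):
            print(entry)
```

The interface with only 5 of the 60 attack flows (R2 interface 1) stays below the 10% share and gets no filter; in practice that threshold trades a little residual attack traffic for fewer filters to install and later remove, which matters when, as the Reaction slides note, the filters have to be maintained and their effect verified by hand.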
Trans-Domain Cooperative IDS Entities
• G. Koutepas, F. Stamatelopoulos, B. Maglaris, "A Trans-Domain Framework Against Denial of Service Attacks", submitted to the 10th Annual Network and Distributed System Security Symposium, San Diego, California, February 2003
[Figure: each Participating Domain runs a Cooperative IDS Entity; attack notifications propagate between the entities (Multicast), and each domain activates filters and reacts according to its local policies. Non-participating Domains are not covered.]
Questions and Answers