
Page 1: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service

Nick Feamster, CS 4251

Spring 2008

Page 2

Distributed Denial of Service (DDoS)

[Diagram: Real Attacker → Master → several Daemons → Victim]

Asymmetry comes in the form of a large farm of machines. IP addresses no longer need to be spoofed.

Page 3

February 2000: DDoS

Traditional protection techniques no longer applicable.

Page 4

DDoS Attack: Yahoo!

• February 2000

• Intermittent outages for nearly three hours

• Estimated to have cost Yahoo $500,000 due to fewer page hits during the attack

• Attacker caught and successfully prosecuted

• Other companies (eBay, CNN) attacked in the same way the following days

Page 5

DDoS Attack: Microsoft

• Target of multiple DDoS attacks

• Some successful, some not

• Successful one in January 2001
– Attacked router in front of Microsoft’s DNS servers
– During attack, as few as 2% of web page requests were being fulfilled

Page 6

DDoS Attack: DNS Root Servers

• October 2002, for 1 hour
• Ping flood to all 13 of the DNS root servers
• Successfully halted operations on 9

• Did not cause major impact on Internet
– DNS NS record caching at local resolvers helped
– Several root servers are very well-provisioned
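To make the caching point concrete, here is an added example (not from the slides) of a minimal resolver that caches only the NS record of each top-level domain. It runs a constructed one-hour stream of lookups through the cache and counts how many queries would actually reach a root server; the hostnames, TLD list and TTL values are assumptions chosen for the illustration.

```python
"""Added example (not from the slides): how NS-record caching at a local
resolver bounds the number of queries that reach the root servers.
The resolver model is deliberately minimal: it tracks only the cached NS
record for each top-level domain. Hostnames, TTLs and the query stream
below are constructed for the example."""


class CachingResolver:
    """A resolver that caches the NS record for each TLD until its TTL expires."""

    def __init__(self, ns_ttl):
        self.ns_ttl = ns_ttl      # TTL (seconds) of the TLD NS records
        self.ns_cache = {}        # TLD -> expiry time of its cached NS record
        self.root_queries = 0     # how many times we had to ask a root server

    def resolve(self, name, now):
        """Return the TLD whose servers the lookup is handed to; count root queries."""
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        expiry = self.ns_cache.get(tld)
        if expiry is None or expiry <= now:
            # Cache miss or expired entry: only now does a query go to a root server.
            self.root_queries += 1
            self.ns_cache[tld] = now + self.ns_ttl
        return tld


def root_queries_for(stream, ns_ttl):
    """Run a (timestamp, name) stream through a fresh resolver; return root-query count."""
    resolver = CachingResolver(ns_ttl)
    for now, name in stream:
        resolver.resolve(name, now)
    return resolver.root_queries


def constructed_stream(n, duration=3600.0, tlds=("com", "net", "org", "edu", "gov")):
    """n lookups spread evenly over `duration` seconds, cycling through a few TLDs."""
    return [(i * duration / n, f"host{i}.example.{tlds[i % len(tlds)]}")
            for i in range(n)]


if __name__ == "__main__":
    stream = constructed_stream(10_000)
    for ttl in (0, 600, 172_800):   # no caching, 10 minutes, 48 hours
        print(f"NS TTL {ttl:>6}s: {root_queries_for(stream, ttl):>5} root queries "
              f"for {len(stream)} lookups")
```

With a two-day TTL, the 10,000 lookups in the hour produce only five root queries (one per TLD), so a one-hour outage of the roots is invisible to clients of a warm resolver; with no caching, every lookup would have depended on the roots being reachable.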

Page 7

DDoS: Setting up the Infrastructure

• Zombies
– Slow-spreading installations can be difficult to detect
– Can be spread quickly with worms

• Indirection makes attacker harder to locate
– No need to spoof IP addresses

Page 8

What is a Worm?

• Code that replicates and propagates across the network
– Often carries a “payload”

• Usually spread via exploiting flaws in open services
– “Viruses” require user action to spread

• First worm: Robert Morris, November 1988
– 6-10% of all Internet hosts infected (!)

• Many more since, but none on that scale until July 2001

Page 9

Example Worm: Code Red

• Initial version: July 13, 2001

• Exploited known ISAPI vulnerability in Microsoft IIS Web servers

• 1st through 20th of each month: spread
• 20th through end of each month: attack

• Payload: Web site defacement
• Scanning: Random IP addresses
• Bug: failure to seed random number generator

Page 10

Why Denial-of-Service “Works”

• Asymmetry: generating a request is cheaper than formulating a response

• One attack machine can generate a lot of requests, and effectively multiply its power

• Not always possible to achieve this asymmetry
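The following is an added example (not from the slides) that ties the asymmetry point to the earlier one about a farm of machines: a per-source token-bucket rate limiter, the kind of traditional protection that works against one attacking host, is run over two constructed request streams carrying the same total load, one from a single address and one spread round-robin across a hundred zombie addresses. The addresses, rates and bucket parameters are assumptions for the illustration.

```python
"""Added example (not from the slides): per-source token-bucket rate limiting
against a single-source flood and against the same request volume spread over
a farm of zombies. Addresses, rates and request streams are constructed for
the example (documentation ranges 198.51.100.0/24 and 203.0.113.0/24)."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst      # start full
        self.last = 0.0          # time of the last refill

    def allow(self, now):
        """Refill for elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address; a request passes only if its source has a token."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def filter(self, requests):
        """requests: iterable of (timestamp, source_ip). Returns the accepted requests."""
        return [(ts, src) for ts, src in requests if self.buckets[src].allow(ts)]


def single_source_flood(n, duration):
    """n requests from one address, evenly spaced over `duration` seconds (constructed)."""
    return [(i * duration / n, "198.51.100.7") for i in range(n)]


def distributed_flood(n, duration, zombies):
    """The same n requests, evenly spaced, but round-robin across `zombies` addresses."""
    return [(i * duration / n, f"203.0.113.{i % zombies}") for i in range(n)]


def accepted_count(requests, rate=10.0, burst=10.0):
    """How many requests a fresh per-source limiter lets through."""
    return len(PerSourceLimiter(rate, burst).filter(requests))


if __name__ == "__main__":
    n, duration = 1000, 10.0          # 100 requests/s offered either way
    print("single source :", accepted_count(single_source_flood(n, duration)), "of", n)
    print("100 zombies   :", accepted_count(distributed_flood(n, duration, 100)), "of", n)
```

Against the single source the limiter does its job: roughly 110 of the 1000 requests (the initial burst plus the 10 per second refill) get through. Spread over 100 zombies, each sending one request per second, every bucket stays full and all 1000 requests reach the server, which is why the slide says traditional protection techniques stop applying once the attacker can spend machines instead of bandwidth.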