(Distributed) Denial of Service

Nick FeamsterCS 4251

Spring 2008

Distributed Denial of Service (DDoS)

Victim

Daemon

Daemon

DaemonDaemon

Daemon

Master

Real Attacker

Asymmetry comes in the form of a large farm of machines.IP addresses no longer need to be spoofed

February 2000: DDoS

Traditional protection techniques no longer applicable.

DDoS Attack: Yahoo!

• February 2000

• Intermittent outages for nearly three hours

• Estimated to have cost Yahoo $500,000 due to fewer page hits during the attack

• Attacker caught and successfully prosecuted

• Other companies (eBay, CNN) attacked in the same way the following days

DDoS Attack: Microsoft

• Target of multiple DDoS attacks

• Some successful, some not

• Successful one in January 2001• Attacked router in front of Microsoft’s DNS servers• During attack, as few as 2% of web page requests

were being fulfilled

DDoS Attack: DNS Root Servers

• October 2002 for 1 hour• Ping flood to all 13 of the DNS root servers • Successfully halted operations on 9

• Did not cause major impact on Internet• DNS NS record caching at local resolvers helped• Several root servers are very well-provisioned

DDoS: Setting up the Infrastructure

• Zombies– Slow-spreading installations can be difficult to detect– Can be spread quickly with worms

• Indirection makes attacker harder to locate– No need to spoof IP addresses

What is a Worm?

• Code that replicates and propagates across the network– Often carries a “payload”

• Usually spread via exploiting flaws in open services– “Viruses” require user action to spread

• First worm: Robert Morris, November 1988– 6-10% of all Internet hosts infected (!)

• Many more since, but none on that scale until July 2001

Example Worm: Code Red

• Initial version: July 13, 2001

• Exploited known ISAPI vulnerability in Microsoft IIS Web servers

• 1st through 20th of each month: spread20th through end of each month: attack

• Payload: Web site defacement• Scanning: Random IP addresses• Bug: failure to seed random number generator

Why Denial-of-Service “Works”

• Asymmetry: generating a request is cheaper than formulating a response

• One attack machine can generate a lot of requests, and effectively multiply its power

• Not always possible to achieve this asymmetry