IIT Indore © Neminath Hubballi Denial of Service Attacks Dr. Neminath Hubballi.


Page 1: Denial of Service Attacks

Dr. Neminath Hubballi, IIT Indore

Page 2: Outline

- Introduction
- Types of denial of service
  - Protocol based
    - ICMP based denial of service attack
    - DHCP based denial of service attack
  - Logic based
  - Flood based
    - SYN flood denial of service attacks
    - Distributed denial of service attacks
- Defense Mechanisms

Page 3: Denial of Service

- Making a resource unavailable, or deliberately withholding it to make it unavailable
- Examples:
  1. Deliberate calls made to a person so that he spends a lot of time just answering them
  2. Putting a road blocker so that no vehicles are able to use a particular road
  3. Cutting a fiber cable and disrupting the communication
- Denial of service occurs in many situations; here we particularly study computer or data network related denial of service
- Ex. SBI online banking service going offline

Page 4: History of Denial of Service

- In Dec 1987 an employee of IBM sent an email greeting for Christmas. This email message had some malicious code in it which automatically sent copies of itself to everyone in the recipient's contact book; the IBM mail server was exhausted of memory
- Many DoS attacks of the 90s were simple and launched from a single computer
  - In 1997 – trinoo
  - In 1998 – TFN
  - In 2000 – TFN2K
- Year 2000 witnessed several massive scale attacks on sites like Yahoo, Amazon, Ebay and CNN.com
- American government and military sites have experienced attacks in the past
- Most recently the wikileaks site had a massive DoS attack against its web server

Page 5: ICMP based Denial of Service

- ICMP messages are used for sending error messages
- They are also used for status information
- The PING utility uses ICMP ECHO REQUEST and ICMP ECHO REPLY messages
- In this case a powerful machine can send too many ping messages and hog the slower machine
- One of the earliest discovered attacks in networks
- Normally ping reply messages are more than request messages

Page 6: Smurf Attack

(diagram slide: the Smurf attack)

Page 7: Smurf Attack

- A variation of the ICMP based attack
- Normally happens due to a misconfigured network
- Many networks allow ICMP broadcast request messages
- An attacker creates a spoofed ECHO REQUEST message with a spoofed source IP address (using the IP of a victim)
- Every machine on the network will hear the ping message
- All the replies go to the victim instead of the attacker
- For the victim all these are unsolicited messages
- It spends a significant amount of processing power, memory and time in handling these ping replies
- It cannot do any useful computation, thereby denying services to users

Page 8: DHCP Operation

(diagram slide: DHCP operation)

Page 9: DHCP Starvation Attack

- Consuming the IP address space allocated by a DHCP server
- An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
- The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients
- Leads to DoS
- Can easily be achieved with tools such as gobbler
- Prevention
  - Do not allow more than a certain number of requests per port
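As an added illustration (not part of the slides), the following Python simulation shows a DHCP pool being drained by requests from spoofed MACs and the effect of the per-port limit described above; the port names, MAC addresses and the 192.0.2.0/24 pool are constructed.

```python
from collections import defaultdict
import ipaddress

# Constructed DHCP request events as (switch port, client MAC); not real captures.
# Port Gi1/0/2 sources six different spoofed MACs, port Gi1/0/1 one normal client.
EVENTS = [("Gi1/0/2", "02:00:00:00:00:%02x" % i) for i in range(6)]
EVENTS.append(("Gi1/0/1", "aa:bb:cc:dd:ee:01"))   # legitimate client, arrives last


def simulate(events, pool_size, max_macs_per_port=None):
    """Hand out leases from a pool of pool_size addresses, one per MAC.

    With max_macs_per_port set, a switch-style port-security table allows only
    that many distinct MACs per port; once exceeded the port is put in a blocked
    set and its further requests are dropped before they reach the server.
    Returns leases (MAC -> IP, or None when the pool was empty), blocked ports,
    and the number of addresses left.
    """
    pool = [str(ipaddress.IPv4Address("192.0.2.10") + i) for i in range(pool_size)]
    leases = {}
    macs_on_port = defaultdict(set)
    blocked = set()
    for port, mac in events:
        if max_macs_per_port is not None:
            macs_on_port[port].add(mac)
            if len(macs_on_port[port]) > max_macs_per_port:
                blocked.add(port)
                continue                      # dropped at the access port
        if mac in leases:
            continue                          # repeat request, same lease
        if not pool:
            leases[mac] = None                # nothing left to offer: DoS
            continue
        leases[mac] = pool.pop(0)
    return {"leases": leases, "blocked_ports": blocked, "free": len(pool)}


if __name__ == "__main__":
    for limit in (None, 2):
        r = simulate(EVENTS, pool_size=4, max_macs_per_port=limit)
        print(f"limit={limit}: legit client got {r['leases']['aa:bb:cc:dd:ee:01']}, "
              f"blocked={sorted(r['blocked_ports'])}, free={r['free']}")
```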

Page 10: Flooding based Denial of Service

- Send too many packets to overwhelm the recipient
- The victim spends a lot of time in responding and processing
- There are different types of flooding attacks
  - SYN flood
  - UDP flood
  - Random flood

Page 11: SYN Flood Attack

- Uses TCP connections
- Obviously, too many of them to make the victim unresponsive

Page 12: Three-way Handshake

  C                                        S   (LISTEN)
  |---- SYN, SEQ1 ------------------------>|   S enters SYN_RCVD
  |<--- SYN, SEQ2 + ACK, SEQ1+1 -----------|
  |---- ACK, SEQ2+1 ---------------------->|   CONNECTED

- Initialize sequence numbers for a new connection (SEQ1, SEQ2)
- Resources allocated

Page 13: How SYN Flooding Attack Works?

(diagram: the attacker, using spoofed addresses, sends SYN, SYN, SYN ... to the victim's TCP port; the victim answers each with SYN + ACK and waits)

- Client connecting to TCP port
- Attacker uses spoofed addresses
- Victim: "I have ACKed these connections but I have not received an ACK back!"
- Resources allocated for every half open connection
- Limit on number of half open connections

Page 14: Types of SYN Floods

- Direct attack
  - Use your own machine to send SYN packets
  - Need to somehow make the OS not respond to the SYN-ACK packets coming from the server
  - The connect() socket call can be used to do this kind of attack
- Spoofing based attack
  - Hides the identity of the attacker
  - Shields the attacker from receiving SYN-ACKs
  - The spoofed source should not respond to the SYN-ACK
  - They will not respond in any way
  - It is more effective if a non-existent IP address is chosen
  - Ingress and egress filtering can be a deterrent

Page 15: Distributed Denial of Service

(diagram slide: distributed denial of service)

Page 16: Transmission Control Block

- TCB is a data structure holding resources in many Operating Systems
- The state of the connection is stored in this data structure
- How much memory does each TCB take?
  - The actual memory footprint depends on the implementation
  - Usually it will be more than 280 bytes
  - In some OSes it is 1300 bytes
- TCB is created upon arrival of a SYN packet, i.e., before a legitimate connection is established
  - Opens scope for denial of service

Page 17: SYN Flood Attack Parameters

- TCB becomes inactive or is deleted after a timeout, called the backlog
- Different OSes use different timeouts
- How does knowing the timeout help?
  - Can send a burst of SYN packets once, exhaust memory at the victim and wait till the timeout
  - Periodically send such bursts at an interval equal to the timeout period
- Default backlog timeout is 1028 Seconds
- You can change the value

Page 18: Shrew Attacks

- Works on TCP
- Adds some intelligence to the SYN flooding attack
- TCP waits for some time before retransmitting the packets for lost ones
- Use this timing to generate a large number of packets
- Many connections drop
- Repeat the flood after RTT time

Page 19: Other Flooding based DoS Attacks

- UDP Flood: send many UDP packets to the target
- ICMP Flood: send many ICMP packets to the target
- Random Flood: send randomly generated packets

Page 20: Symptoms of Manifestation

- Slow network performance
- Non-availability of certain online services and websites
- Increase in the amount of useless network traffic
- Consistently new IP addresses showing up
- Unusually high number of packets from a source
- Disconnection of a wired or wireless connection
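To make these symptoms concrete for a SYN flood, here is an added Python check (not from the slides) that reads connection-table lines in netstat -tan layout and flags a high half-open count, a one-SYN-per-source pattern typical of spoofed SYNs, and repeated SYNs from a single source; the addresses and thresholds are constructed.

```python
from collections import Counter

# Constructed connection table in `netstat -tan` layout (not a real capture):
# a web server at 10.0.0.5:80 with two real sessions, eight half-open
# connections from eight different sources and three more from one source.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address       State
tcp        0      0 10.0.0.5:80       198.51.100.23:51234   ESTABLISHED
tcp        0      0 10.0.0.5:80       198.51.100.23:51240   ESTABLISHED
""" + "".join(
    f"tcp        0      0 10.0.0.5:80       203.0.113.{i}:40{i:03d}    SYN_RECV\n"
    for i in range(11, 19)
) + "".join(
    f"tcp        0      0 10.0.0.5:80       203.0.113.50:41{i:03d}    SYN_RECV\n"
    for i in range(3)
)


def parse_netstat(text):
    """Return (local_port, remote_ip, state) for each tcp row; skips headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        lport = int(parts[3].rsplit(":", 1)[1])
        rip = parts[4].rsplit(":", 1)[0]
        rows.append((lport, rip, parts[5]))
    return rows


def syn_flood_indicators(text, port, half_open_limit=8, spoof_ratio=0.8, repeat_limit=3):
    """Summarise half-open (SYN_RECV) state on one listening port.

    Thresholds are constructed; tune them to the service's normal backlog.
    """
    rows = [r for r in parse_netstat(text) if r[0] == port]
    half_open = [r for r in rows if r[2] == "SYN_RECV"]
    established = sum(1 for r in rows if r[2] == "ESTABLISHED")
    per_source = Counter(r[1] for r in half_open)
    indicators = []
    if len(half_open) >= half_open_limit:
        indicators.append("half-open count at or above limit")
    # Spoofed floods show up as many distinct sources, each holding one
    # half-open slot (the "consistently new IP addresses" symptom).
    if half_open and len(per_source) / len(half_open) >= spoof_ratio:
        indicators.append("mostly one half-open connection per source (spoofed SYNs)")
    for src, n in per_source.items():
        if n >= repeat_limit:
            indicators.append(f"repeated SYNs from {src}")
    return {"half_open": len(half_open), "established": established,
            "sources": len(per_source), "indicators": indicators}


if __name__ == "__main__":
    print(syn_flood_indicators(SAMPLE, 80))
```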

Page 21: Logic Based DoS: User Specified Object Allocation

    // The allocation size comes straight from the request, with no range check
    String TotalObjects = request.getParameter("numberofobjects");
    int NumOfObjects = Integer.parseInt(TotalObjects);
    ComplexObject[] anArray = new ComplexObject[NumOfObjects];

Page 22: Logic Based DoS: User Input as a Loop Counter

    public class MyServlet extends ActionServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            . . .
            String[] values = request.getParameterValues("CheckboxField");
            // Process the data without length check for reasonable range – wrong!
            for (int i = 0; i < values.length; i++) {
                // lots of logic to process the request
            }
            . . .
        }
        . . .
    }
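The two patterns from these slides restated in Python, as an added example (not from the slides): the unchecked function mirrors the Java allocation, and the hardened functions bound the user-supplied count and list length before any allocation or loop; MAX_OBJECTS and MAX_CHECKBOXES are constructed limits.

```python
# Constructed limits: in practice derive them from the real memory/CPU budget.
MAX_OBJECTS = 1000
MAX_CHECKBOXES = 50


class BadRequest(ValueError):
    """Raised to answer with HTTP 400 instead of doing the work."""


def allocate_objects_unchecked(params):
    """Mirrors the slide: the array size comes straight from the request."""
    num = int(params["numberofobjects"])          # Integer.parseInt equivalent
    return [object() for _ in range(num)]         # new ComplexObject[num]


def parse_bounded_int(raw, lo, hi, name):
    """Parse a decimal request parameter and reject anything outside [lo, hi].
    The length check stops huge digit strings before they are even parsed."""
    if raw is None or len(raw) > 10:
        raise BadRequest(f"{name}: missing or too long")
    if not raw.isdecimal():
        raise BadRequest(f"{name}: not a non-negative integer")
    value = int(raw, 10)
    if not lo <= value <= hi:
        raise BadRequest(f"{name}: {value} outside {lo}..{hi}")
    return value


def allocate_objects(params):
    """Hardened form: the count is validated before anything is allocated."""
    num = parse_bounded_int(params.get("numberofobjects"), 1, MAX_OBJECTS,
                            "numberofobjects")
    return [object() for _ in range(num)]


def process_checkboxes(params):
    """Hardened loop counter: values.length is checked for a reasonable range."""
    values = params.get("CheckboxField") or []
    if len(values) > MAX_CHECKBOXES:
        raise BadRequest(f"CheckboxField: {len(values)} values, max {MAX_CHECKBOXES}")
    processed = 0
    for value in values:                          # stand-in for "lots of logic"
        processed += 1 if value == "on" else 0
    return processed
```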

Page 23: Other Logic based Denial of Service Attacks (appeared around 2000)

- Teardrop: send oversized fragments whose portions overlap each other
  - Crashed many OSs in the past
- Land: send an IP packet with the same source and destination IP address
  - Many OSs crashed
  - On a router it can create a loop consuming a lot of processing power and bandwidth

(diagram: a packet with source 10.10.10.10 and destination 10.10.10.10)

Page 24: Defending SYN Flood Attacks

- End Host Mechanisms
  - Increase the backlog period
    - More connections open means refusal of new requests
    - Slightly counter-intuitive
  - SYN Cache: initially do not create a full-fledged TCB
  - SYN cookie
    - Completely stateless: do not create any state or TCB till the connection is completely established
    - Make the initial sequence number a function of parameters of the packet
- Almost all IP spoofing mitigation techniques will also help mitigate DoS attacks
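As an added worked example (not from the slides or any OS implementation), here is a Python model of the SYN cookie idea: the server's initial sequence number is a keyed function of the packet's 4-tuple, the client's ISN and a coarse timestamp, so no TCB is needed until an ACK carrying a valid cookie arrives; the secret, tick size and MSS table are constructed, and the bit layout is simplified relative to Linux's.

```python
import hashlib
import hmac

# Constructed parameters: a per-boot secret, 64-second ticks, 3-bit MSS index.
SECRET = b"constructed-per-boot-secret"
MSS_TABLE = [536, 1220, 1440, 1460]
TICK_SHIFT = 6                     # tick = now // 64, so cookies age out quickly
ACCEPT_BACK = (0, 1)               # accept cookies from this and the previous tick


def _tick(now):
    return int(now) >> TICK_SHIFT


def _mac24(src, dst, sport, dport, client_isn, tick, mss_idx):
    """24-bit keyed hash over everything the cookie commits to."""
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{tick}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK; nothing is stored for this half-open attempt.
    Layout: bits 31-27 tick mod 32 | bits 26-3 keyed hash | bits 2-0 MSS index."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tick = _tick(now)
    h = _mac24(src, dst, sport, dport, client_isn, tick, mss_idx)
    return ((tick & 0x1F) << 27) | (h << 3) | mss_idx


def check_cookie(src, dst, sport, dport, client_isn, ack, now):
    """Validate the handshake's final ACK. Returns the MSS encoded in a cookie we
    issued for this 4-tuple within the accepted ticks, or None (drop, no state)."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the ACK acknowledges ISN + 1
    mss_idx = cookie & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    for back in ACCEPT_BACK:
        tick = _tick(now) - back
        if (tick & 0x1F) != cookie >> 27:
            continue                           # not a cookie from this tick
        expected = _mac24(src, dst, sport, dport, client_isn, tick, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               ((cookie >> 3) & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]          # only now allocate the TCB
    return None


if __name__ == "__main__":
    isn = make_cookie("198.51.100.7", "203.0.113.5", 40000, 80, 12345, 1460, now=1000)
    print(hex(isn), check_cookie("198.51.100.7", "203.0.113.5", 40000, 80,
                                 12345, (isn + 1) & 0xFFFFFFFF, now=1000))
```

The model shows why tcp_syncookies costs the server nothing per SYN: a flood of spoofed SYNs produces SYN-ACKs but no stored state, and only an ACK that reproduces the keyed hash for its own 4-tuple within the accepted window gets a connection.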

Page 25: Playing With /proc Parameters

- /proc is a virtual file system created by the kernel when it boots
- Has different data structures and information gathered from the kernel at runtime
- Several configurable and non-configurable parameters are there
- /proc/sys/net/ipv4 contains all the configurable settings for the IPv4 stack, including TCP, UDP, ICMP and ARP tunable settings

Page 26: Playing With /proc Parameters

- tcp_abort_on_overflow – 1000
- tcp_adv_win_scale – amount of socket buffer space to be used for the TCP window size
- tcp_fin_timeout – 60 seconds; how long to wait for an acknowledgement of a FIN request
- tcp_keepalive_probes – 50; tells the kernel how many TCP keepalive probes to send out before it decides a specific connection is broken
- tcp_keepalive_intvl – tells the kernel how long to wait for a reply to each keepalive probe
- tcp_keepalive_time – 7200 seconds, or 2 hours; how often to send TCP keepalive packets to keep a connection alive if it is currently unused
- tcp_max_orphans – 8192; tells the kernel how many TCP sockets that are not attached to any user file handle to maintain

Page 27: Playing With /proc Parameters

- tcp_max_syn_backlog – 1028; how many SYN requests to keep in memory for which we have yet to get the third packet of the 3-way handshake
- tcp_syncookies – 0/1; used to send out so-called syncookies to hosts when the kernel's SYN backlog queue for a specific socket has overflowed