Denial of Service Attacks
Dr. Neminath Hubballi, IIT Indore
© Neminath Hubballi
Outline
Introduction
Types of denial of service
  Protocol based
    ICMP based denial of service attack
    DHCP based denial of service attack
  Logic based
  Flood based
    SYN flood denial of service attacks
    Distributed denial of service attacks
Defense Mechanisms
Denial of Service
Making a resource unavailable, or deliberately withholding it to make it unavailable
Examples:
1. Deliberate calls made to a person, who then spends a lot of time just answering them
2. Putting a road blocker so that no vehicles are able to use a particular road
3. Cutting a fiber cable and disrupting the communication
Denial of service occurs in many situations; here we particularly study computer or data network related denial of service
Ex. SBI online banking service going offline
History of Denial of Service
In Dec 1987 an employee of IBM sent an email greeting for Christmas. This email message had some malicious code in it which automatically sent copies of itself to everyone in the recipient's contact book; the IBM mail server ran out of memory
Many DoS attacks of the 90s were simple and launched from a single computer
  In 1997 – trinoo
  In 1998 – TFN
  In 2000 – TFN2K
Year 2000 witnessed several massive scale attacks on sites like Yahoo, Amazon, Ebay and CNN.com
American government and military sites have experienced attacks in the past
Most recently the WikiLeaks site had a massive DoS attack against its web server
ICMP based Denial of Service
ICMP messages are used for sending error messages
They are also used for status information
The PING utility uses ICMP ECHO REQUEST and ICMP ECHO REPLY messages
In this case a powerful machine can send too many ping messages and hog a slower machine
One of the earliest discovered attacks in networks
Normally ping reply messages are more than the request messages
Smurf Attack (diagram)
Smurf Attack
A variation of the ICMP based attack
Normally happens due to a misconfigured network
Many networks allow ICMP broadcast request messages
An attacker creates an ECHO REQUEST message with a spoofed source IP address (the IP of a victim)
Every machine on the network will hear the ping message
All the replies go to the victim instead of the attacker
For the victim all these are unsolicited messages
It spends a significant amount of processing power, memory and time in handling these ping replies
It cannot do any useful computation, thereby denying service to users
DHCP Operation (diagram)
DHCP Starvation Attack
Consuming the IP address space allocated by a DHCP server
An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients
Leads to DoS
Can easily be achieved with tools such as gobbler
Prevention
  Do not allow more than a certain number of requests per port
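A per-port rate check of the kind the prevention bullet describes, added here as an illustration (it is not code from the slides): it parses constructed switch-style DHCP log lines and flags any port whose client-originated DHCP messages exceed an assumed limit within a one-second window, also counting how many distinct MACs appeared, since many MACs on one physical port is the starvation signature. The log format, threshold and port names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log format (not from any real switch): "<ts> port=<id> mac=<mac> op=<type>"
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) port=(?P<port>\S+) mac=(?P<mac>[0-9a-f:]{17}) "
                     r"op=(?P<op>DISCOVER|REQUEST|OFFER|ACK)$")

# Constructed sample: port Gi1/0/1 shows one normal client; port Gi1/0/3 shows a burst
# of DISCOVERs, each from a different (spoofed) MAC, which is the starvation pattern.
SAMPLE_LOG = """\
0.00 port=Gi1/0/1 mac=00:11:22:33:44:55 op=DISCOVER
0.05 port=Gi1/0/1 mac=00:11:22:33:44:55 op=OFFER
0.20 port=Gi1/0/1 mac=00:11:22:33:44:55 op=REQUEST
1.00 port=Gi1/0/3 mac=02:00:00:00:00:01 op=DISCOVER
1.05 port=Gi1/0/3 mac=02:00:00:00:00:02 op=DISCOVER
1.10 port=Gi1/0/3 mac=02:00:00:00:00:03 op=DISCOVER
1.15 port=Gi1/0/3 mac=02:00:00:00:00:04 op=DISCOVER
1.20 port=Gi1/0/3 mac=02:00:00:00:00:05 op=DISCOVER
1.25 port=Gi1/0/3 mac=02:00:00:00:00:06 op=DISCOVER
"""


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = float(ev["ts"])
            events.append(ev)
    return events


def ports_over_limit(events, limit=5, window=1.0):
    """Return {port: (peak_count, distinct_macs)} for ports where client-originated
    messages (DISCOVER/REQUEST) exceed `limit` within any `window` seconds."""
    by_port = defaultdict(list)
    for ev in events:
        if ev["op"] in ("DISCOVER", "REQUEST"):
            by_port[ev["port"]].append(ev)
    flagged = {}
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count > limit and count > flagged.get(port, (0, 0))[0]:
                macs = {e["mac"] for e in evs[start:end + 1]}
                flagged[port] = (count, len(macs))
    return flagged
```

Server-side OFFER/ACK lines are deliberately not counted, so a busy but healthy port is not penalised for the server's replies.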
Flooding based Denial of Service
Send too many packets to overwhelm the recipient
The victim spends a lot of time in responding and processing
There are different types of flooding attacks
  SYN flood
  UDP flood
  Random flood
SYN Flood Attack
Uses TCP connections
Obviously too many of them, to make the victim unresponsive
Three-way Handshake (diagram, client C and server S)
C -> S: SYN, SEQ1                    (S in LISTEN)
S -> C: SYN, SEQ2 + ACK SEQ1+1       (S in SYN_RCVD)
C -> S: ACK SEQ2+1                   (CONNECTED)
Initialize sequence numbers for a new connection (SEQ1, SEQ2)
Resources allocated
How SYN Flooding Attack Works? (diagram)
Attacker (uses spoofed addresses) -> Victim: SYN, SYN, SYN, ...
Victim -> spoofed addresses: SYN + ACK, SYN + ACK, SYN + ACK, ...
Client connecting to TCP port
Victim: "I have ACKed these connections but I have not received an ACK back!"
Resources allocated for every half open connection
Limit on number of half open connections
Types of SYN Floods
Direct attack
  Use your own machine to send SYN packets
  Need to somehow make the OS not respond to SYN-ACK packets coming from the server
  The connect() socket call can be used to do this kind of attack
Spoofing based attack
  Hides the identity of the attacker
  Shields the attacker from receiving SYN-ACKs
  The spoofed source should not respond to the SYN-ACK
  They will not respond in any way
  It is more effective if a non-existent IP address is chosen
  Ingress and egress filtering can be a deterrent
Distributed Denial of Service (diagram)
Transmission Control Block
The TCB is a data structure holding resources in many Operating Systems
The state of a connection is stored in this data structure
How much memory does each TCB take?
  The actual memory footprint depends on the implementation
  Usually it will be more than 280 bytes
  In some OSs it is 1300 bytes
The TCB is created upon arrival of a SYN packet, i.e., before a legitimate connection is established
  Opens scope for denial of service
SYN Flood Attack Parameters
The TCB becomes inactive or is deleted after a timeout, called the backlog
Different OSs use different timeouts
How does knowing the timeout help?
  A burst of SYN packets sent once exhausts memory at the victim until the timeout
  Sending such bursts periodically, at intervals equal to the timeout period, keeps it exhausted
Default backlog timeout is 1028 seconds
  You can change the value
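An added model (not the author's code) of the half-open table described on this and the Transmission Control Block slide: a TCB is allocated when a SYN arrives, freed on the third handshake packet or after the backlog timeout, and new SYNs, legitimate or not, are refused once the limit is reached. It uses the 1300-byte TCB size, the 1028-entry limit and the 1028-second timeout quoted on the slides; the spoofed and client addresses are constructed, and the simulation sends nothing on a network.

```python
from dataclasses import dataclass, field

TCB_BYTES = 1300            # per-TCB footprint quoted on the slides for some OSs
MAX_SYN_BACKLOG = 1028      # half-open limit quoted on the slides
BACKLOG_TIMEOUT = 1028.0    # default backlog timeout (seconds) quoted on the slides


@dataclass
class HalfOpenQueue:
    """Listening socket's SYN_RCVD table: one TCB per half-open connection."""
    limit: int = MAX_SYN_BACKLOG
    timeout: float = BACKLOG_TIMEOUT
    entries: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry time
    dropped: int = 0

    def expire(self, now):
        """Free TCBs whose timeout has elapsed."""
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def on_syn(self, src_ip, src_port, now):
        """SYN arrives: a TCB is allocated before the handshake completes, unless full."""
        self.expire(now)
        if len(self.entries) >= self.limit:
            self.dropped += 1
            return False            # this SYN is refused, whoever sent it
        self.entries[(src_ip, src_port)] = now + self.timeout
        return True

    def on_ack(self, src_ip, src_port, now):
        """Third packet: the half-open entry becomes a full connection."""
        self.expire(now)
        return self.entries.pop((src_ip, src_port), None) is not None

    def memory_bytes(self):
        return len(self.entries) * TCB_BYTES


def simulate(burst=MAX_SYN_BACKLOG, limit=MAX_SYN_BACKLOG, timeout=BACKLOG_TIMEOUT):
    """One burst of `burst` spoofed SYNs that are never ACKed, then a real client
    trying at t=1s and again just after the timeout. Returns
    (accepted_during_burst, bytes_held_by_half_open_tcbs, accepted_after_timeout)."""
    q = HalfOpenQueue(limit=limit, timeout=timeout)
    for i in range(burst):                        # constructed spoofed sources
        q.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, now=0.0)
    held = q.memory_bytes()
    during = q.on_syn("192.0.2.10", 51000, now=1.0)
    after = q.on_syn("192.0.2.10", 51000, now=timeout + 1.0)
    return during, held, after
```

With the slide's defaults a single burst of 1028 unanswered SYNs holds about 1.3 MB of TCBs and refuses every new client for the whole timeout, which is the window that the SYN cache and SYN cookie defences later in the deck close.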
Shrew Attacks
Works on TCP
Adds some intelligence to the SYN flooding attack
TCP waits for some time before retransmitting packets in place of lost ones
Use this timing to generate a large number of packets
Many connections drop
Repeat the flood after the RTT time
Other Flooding based DoS Attacks
UDP Flood - send many UDP packets to the target
ICMP Flood - send many ICMP packets to the target
Random Flood - send randomly generated packets
Symptoms of Manifestation
Slow network performance
Non-availability of certain online services and websites
Increase in the amount of useless network traffic
Consistently new IP addresses showing up
Unusually high number of packets from a source
Disconnection of a wired or wireless connection
Logic Based DoS : User Specified Object Allocation

// Deliberately vulnerable: the user-supplied count drives the allocation and is
// never bounded, so one request with a huge value can exhaust the heap
String TotalObjects = request.getParameter("numberofobjects");
int NumOfObjects = Integer.parseInt(TotalObjects);
ComplexObject[] anArray = new ComplexObject[NumOfObjects];
Logic Based DoS : User Input as a Loop Counter

public class MyServlet extends ActionServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        . . .
        String[] values = request.getParameterValues("CheckboxField");
        // Process the data without a length check for a reasonable range - wrong!
        for (int i = 0; i < values.length; i++) {
            // lots of logic to process the request
        }
        . . .
    }
    . . .
}
Other Logic based Denial of Service Attacks – appeared around 2000
Teardrop - send oversized fragments which overlap each other
  Crashed many OSs in the past
Land - send an IP packet with the same source and destination IP address
  Many OSs crashed
  On a router it can create a loop consuming a lot of processing power and bandwidth
  (diagram: source 10.10.10.10, destination 10.10.10.10)
Defending SYN Flood Attacks
End Host Mechanisms
  Increase the backlog period
    More connections open means refusal of new requests
    Slightly counter intuitive
  SYN Cache - initially do not create a full-fledged TCB
  SYN cookie
    Completely stateless - do not create any state or TCB till the connection is completely established
    Make the initial sequence number a function of parameters of the packet
Almost all IP spoofing mitigation techniques will also help mitigate DoS attacks
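An added illustration of the SYN cookie idea on this slide (not the author's code and not any kernel's actual encoding): the SYN-ACK sequence number is computed as a keyed function of the packet's 4-tuple, a coarse time counter and the client's MSS, so the server stores nothing until a valid ACK comes back. The 32-bit layout, the MSS table, the secret and the addresses are assumptions for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # a real kernel uses a random per-boot secret
MSS_TABLE = (536, 1220, 1440, 1460)   # assumed table of encodable MSS values
MAX_AGE = 2                           # accept cookies at most this many counter ticks old

# Assumed 32-bit layout: 5-bit time counter | 3-bit MSS index | 24-bit truncated MAC


def _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """24-bit keyed hash over the 4-tuple plus the encoded counter and MSS index."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now_ticks):
    """ISN for the SYN-ACK. Nothing about the half-open connection is stored."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if mss <= client_mss:
            mss_idx = i
    counter = now_ticks & 0x1F
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now_ticks):
    """Validate the handshake's final ACK. Returns the MSS to use, or None if the
    cookie is stale, malformed or not one we generated for this 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if (now_ticks - counter) & 0x1F > MAX_AGE or mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]   # only now, after a valid ACK, would a TCB be allocated
```

The price of statelessness is visible in the code: only a few MSS values can be encoded, and an ACK that arrives after MAX_AGE ticks is rejected even if it was genuine.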
Playing With /proc Parameters
/proc is a virtual file system created by the kernel when it boots
Has different data structures and information gathered from the kernel at runtime
Several configurable and non-configurable parameters are there
/proc/sys/net/ipv4 contains all the configurable settings for the IPv4 stack, including TCP, UDP, ICMP and ARP tunable settings
Playing With /proc Parameters
tcp_abort_on_overflow – 1000
tcp_adv_win_scale – amount of socket buffer space to be used for the TCP window size
tcp_fin_timeout – 60 seconds; how long to wait for an acknowledgement of a FIN request
tcp_keepalive_probes – 50; tells the kernel how many TCP keepalive probes to send out before it decides a specific connection is broken
tcp_keepalive_intvl – tells the kernel how long to wait for a reply on each keepalive probe
tcp_keepalive_time – 7200 seconds, or 2 hours; how often to send TCP keepalive packets to keep a connection alive if it is currently unused
tcp_max_orphans – 8192; tells the kernel how many TCP sockets that are not attached to any user file handle to maintain
Playing With /proc Parameters
tcp_max_syn_backlog – 1028; how many SYN requests to keep in memory for which we have yet to get the third packet of the 3-way handshake
tcp_syncookies – 0/1; used to send out so-called syncookies to hosts when the kernel's SYN backlog queue for a specific socket has overflowed