Denial of Service Attacks - PowerPoint PPT Presentation

Provided by: gregoryja
Transcript and Presenter's Notes

1
Denial of Service Attacks
  • A presentation by
  • Greg Allen and Paul Sanchez
  • ETH Zürich, May 20, 2003
  • For Seminar on Security Protocols and Applications

2
Introduction
  • Denial of Service attacks made headline news in
    February 2000, when several high-profile sites,
    including Yahoo, eBay, E-Trade and CNN, were
    attacked.
  • A more recent instance was the DoS attack
    suffered by the web site of Al-Jazeera, an Arabic
    news provider.

3
Motivation for Attacks
  • Attacks can be performed by mischievous teenagers
    for negative attention
  • Other attacks may have more sinister motives such
    as sabotage, censorship or politics

4
Goals of DoS Attacks
  • Ultimately, the goal is to disrupt and deny
    access to computer systems.
  • This is done by overwhelming computer resources.
  • Computer resources include
      • The system's ability to connect to the Internet
      • The system's ability to perform calculations or
        resolve problems

5
Presentation Overview
  • Types of Denial of Service attacks
  • SYN Bombing
  • Zombie Attack
  • Distributed Reflection Denial of Service Attack
  • Real-life Cases
  • Preventing further Denial of Service attacks

6
Types of Denial of Service Attacks
  • Types
      • Design weaknesses in Internet protocols
      • Bandwidth attacks
      • Errors in computer software
  • Causes
      • Tools are readily available on the Internet
      • Attacker needs little or no programming knowledge
      • May also be the result of heavy network traffic

7
SYN Flooding
  • Example of an attack on a protocol vulnerability
  • The first publicized denial of service attack
    occurred in September 1996
  • Panix, a New York Internet Service Provider, was
    the subject of a SYN Flooding attack

8
TCP Three-way Handshake
  • Client sends a SYN packet to the server
  • Server responds by sending a SYN/ACK
  • Client sends an ACK to the server

9
What is a SYN Packet?
  • Contains information including the client's
    address and port number
  • The server allocates memory and stores
    information about the client

10
TCP Vulnerability
  • If the server does not receive the final ACK
    packet, the SYN/ACK is resent
  • When the system times out, the allocated memory
    is de-allocated and becomes available for a new
    request
  • Under a normal traffic load, this is not a problem

11
SYN Flooding Attack
  • With raw sockets it is possible to change the
    return (source) address in the SYN packet
  • The server then sends its SYN/ACK packet to a
    bogus address
  • Problems arise when millions of such erroneous
    packets are sent to a server
  • Bombarding a server with a large number of SYN
    packets can crash the server
  • Known as SYN Flooding

12
SYN Flooding Attack (continued)
  • A server has no way of distinguishing a
    fraudulent packet from a legitimate packet
  • Eventually all of the system's resources will be
    tied up handling these fraudulent messages
  • Valid messages can no longer be handled and, in
    some cases, the system will crash

13
Countermeasures
  • There is no permanent defense against such attacks
  • One solution may be to reconsider how SYN packets
    are handled
      • Limit the number of times SYN/ACK messages are
        resent
      • Shorten the time the server waits for the reply
  • There are also several software solutions
    available, such as SYN cookies in Linux
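The handshake on slides 8 to 10 and the countermeasures on slides 11 to 13 can be exercised with the following added example; it is the editor's illustration, not code from the presentation or from any Linux source. It models a server that keeps a bounded backlog of half-open connections next to a server that uses a simplified SYN cookie: the SYN/ACK sequence number is an HMAC over the connection parameters and a minute counter, so the final ACK can be verified without any stored state. The secret, the 203.0.113.0/24 flood sources and the 198.51.100.7 client are constructed values, and real SYN cookies also pack the MSS and other details into the 32 bits, which is omitted here.

```python
import hashlib
import hmac
import secrets
import time

MASK32 = 0xFFFFFFFF

# Constructed secret for the cookie MAC; a real stack rotates this periodically.
COOKIE_SECRET = secrets.token_bytes(32)


def make_syn_cookie(client_ip, client_port, server_port, client_isn, minute):
    """Derive the server's initial sequence number from the handshake parameters
    and a coarse timestamp, so the SYN/ACK itself carries the state that a
    stateful server would otherwise have to keep in memory (the SYN cookie idea)."""
    msg = f"{client_ip}|{client_port}|{server_port}|{client_isn}|{minute}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class StatefulServer:
    """Classic behaviour: every SYN reserves a slot in a bounded backlog until
    the final ACK arrives or the entry times out."""

    def __init__(self, server_port=80, backlog=128, timeout=75.0):
        self.server_port = server_port
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}   # (client_ip, client_port) -> (server_isn, client_isn, expiry)
        self.established = set()

    def on_syn(self, client_ip, client_port, client_isn, now):
        # Drop entries whose retransmission timer has expired.
        self.half_open = {k: v for k, v in self.half_open.items() if v[2] > now}
        if len(self.half_open) >= self.backlog:
            return None          # backlog full: the SYN is silently dropped
        server_isn = secrets.randbits(32)
        self.half_open[(client_ip, client_port)] = (server_isn, client_isn, now + self.timeout)
        return server_isn        # sent back in the SYN/ACK

    def on_ack(self, client_ip, client_port, seq, ack, now):
        entry = self.half_open.pop((client_ip, client_port), None)
        if entry is None:
            return False
        server_isn, client_isn, _ = entry
        if seq != (client_isn + 1) & MASK32 or ack != (server_isn + 1) & MASK32:
            return False
        self.established.add((client_ip, client_port))
        return True


class CookieServer:
    """Keeps no per-SYN state: the SYN/ACK sequence number is a cookie that the
    final ACK must echo back (plus one), which the server can recompute."""

    def __init__(self, server_port=80):
        self.server_port = server_port
        self.established = set()

    def on_syn(self, client_ip, client_port, client_isn, now):
        return make_syn_cookie(client_ip, client_port, self.server_port, client_isn, int(now // 60))

    def on_ack(self, client_ip, client_port, seq, ack, now):
        client_isn = (seq - 1) & MASK32   # the ACK's own sequence number is client_isn + 1
        minute = int(now // 60)
        for m in (minute, minute - 1):    # tolerate a minute boundary between SYN and ACK
            cookie = make_syn_cookie(client_ip, client_port, self.server_port, client_isn, m)
            if ack == (cookie + 1) & MASK32:
                self.established.add((client_ip, client_port))
                return True
        return False


def legit_client_connects_during_flood(server, flood_size=1000):
    """Park a flood of SYNs with spoofed sources that never ACK, then check
    whether one well-behaved client can still complete the handshake."""
    now = time.time()
    for i in range(flood_size):   # constructed flood from the 203.0.113.0/24 documentation range
        server.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, i, now)
    client_isn = 4242             # constructed legitimate client
    isn = server.on_syn("198.51.100.7", 40000, client_isn, now + 0.1)
    if isn is None:
        return False
    return server.on_ack("198.51.100.7", 40000, (client_isn + 1) & MASK32, (isn + 1) & MASK32, now + 0.2)


if __name__ == "__main__":
    print("backlog server admits client during flood:", legit_client_connects_during_flood(StatefulServer()))
    print("cookie server admits client during flood: ", legit_client_connects_during_flood(CookieServer()))
```

Run directly, the backlog server drops the legitimate client's SYN once 128 spoofed SYNs are parked, while the cookie server completes the handshake. The cookie server still answers every flood packet with a SYN/ACK, so cookies address memory exhaustion, not the bandwidth exhaustion the later slides discuss.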

14
Distributed Denial of Service Attack
  • Multiple distributed computers are used to deny
    service to the victim's system
  • More potent because of the greater malicious
    computing power

15
A Documented Attack Against grc.com
  • Early in 2001, the site of Steve Gibson, a
    security researcher and author, was the victim of
    a Denial of Service attack
  • In a few minutes, the output traffic dropped to
    zero
  • Access to the site was denied

16
The Attack
  • The server was bombarded by millions of UDP
    packets.
  • System resources were not affected, thanks to the
    firewall
  • The system's bandwidth was filled with malicious
    packets

17
The Perpetrators
  • 474 Windows PCs had been infected by a Trojan
    program known as a Zombie
  • Zombies cause no harm to the infected computer
  • The IRC Zombie client automatically connects to
    the master program
  • It causes little or no disruption to the infected
    computer's communication potential

18
Attack Characteristics
  • Ping of Death
      • The ping command produces a low-speed stream of
        packets
      • If several hundred machines send pings
        simultaneously, the effect is significant
  • UDP Packet Attack
      • Maximum-size UDP packets are sent to the
        victim's computer

19
Transfer of IRC Trojan
  • Transferred via e-mail attachments, in downloads
    on the net, or through user groups
  • No need for an attacker to search for their
    Zombies, because they automatically connect to
    the master program
  • Once enough Zombies are scattered throughout the
    net, an effective attack may be launched

20
Countermeasures
  • Check ports for IRC client
      • Typically, IRC Zombies run on the default IRC
        port, 6667.
      • An active connection may be checked using the
        following command:
        netstat -an | find "6667"
      • An active IRC connection will return the
        following line:
        TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED

21
Countermeasures (continued)
  • Check ports for identification server
      • An IRC client application almost always
        includes a local identification (ident) server.
      • Its default port is usually 113.
      • The following command will reveal whether the
        server is running on the machine:
        netstat -an | find "113 "
      • An active server will return the following line:
        TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
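The two netstat checks on slides 20 and 21 match substrings, so a local port 16667 or an address that happens to contain "113" would also hit. The following added script is the editor's example, not part of the presentation: it parses netstat -an output into fields and applies both checks to the exact ports and states. SAMPLE_NETSTAT is a constructed sample in the Windows layout the slides quote; the 70.13.215.89 entry is the slides' own example line, and the 198.51.100.x hosts are made up.

```python
IRC_PORT = "6667"    # default IRC port named on slide 20
IDENT_PORT = "113"   # default ident port named on slide 21

# Constructed sample of `netstat -an` output in the Windows layout the slides quote.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
  TCP    192.168.1.101:1031     198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.101:16667    198.51.100.21:443      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""


def split_endpoint(endpoint):
    """'192.168.1.101:1026' -> ('192.168.1.101', '1026'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn netstat -an lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": parts[3] if len(parts) > 3 else "",   # UDP rows carry no state
        })
    return rows


def find_zombie_indicators(rows):
    """Apply the slides' two checks on parsed fields rather than on raw
    substrings, so port 16667 or an address containing '113' cannot match."""
    findings = []
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "ESTABLISHED" and r["remote_port"] == IRC_PORT:
            findings.append(("irc-connection",
                             f"{r['local_host']}:{r['local_port']} -> {r['remote_host']}:{r['remote_port']}"))
        if r["state"] == "LISTENING" and r["local_port"] == IDENT_PORT:
            findings.append(("ident-listener", f"{r['local_host']}:{r['local_port']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_zombie_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{kind:15} {detail}")
```

Replacing SAMPLE_NETSTAT with sys.stdin.read() lets real netstat -an output be piped through the script. A legitimate IRC client produces exactly the same two indicators, so a hit is a prompt to inspect the process that owns the connection, not proof of infection.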

22
Countermeasures (continued)
  • Defense using firewalls
      • An effective firewall may notify a user if an
        IRC server is trying to connect to a client
        Zombie installed on a machine
  • Unfortunately, some firewall applications have
    been shown to be ineffective against such
    attacks. One such example is BlackICE Defender

23
Distributed Reflection DoS Attacks
  • An attacker can further remove himself from the
    source of an attack
  • Can be described as an extension of a Distributed
    Denial of Service attack
  • Uses reflectors in addition to zombies

24
Reflectors
  • A reflector is any IP address on the Internet
    that will return a packet when it receives one
      • Web servers
      • DNS servers
      • Routers
  • The Internet comprises millions of such entities.

25
Attack Characteristics
  • The attack works by brute force, filling the
    victim's bandwidth
  • Though the victim can easily trace the attack
    back to the reflectors, the reflectors cannot
    easily locate the zombie sending the spoofed
    packets

26
Attack Characteristics (continued)
  • Can take advantage of several Internet protocols,
    such as ICMP or TCP
  • Focuses on filling bandwidth instead of
    exhausting victim resources
  • For example, when a reflector receives a SYN
    packet from a compromised zombie, it can only
    respond with a SYN/ACK
  • The return address of each SYN packet is spoofed
    with the victim's IP address, not an invalid IP
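From the victim's side, the SYN/ACK reflection described on slides 25 and 26 has a clear signature: SYN/ACK packets arriving for connections this host never opened. The added example below is the editor's, not the presentation's. It keeps a table of the host's own outbound SYNs, classifies each inbound SYN/ACK as expected or unsolicited, and counts distinct unsolicited sources within a time window; many distinct reflectors in a short window is the reflection pattern. The packet records, the 203.0.113.0/24 reflector addresses and the 198.51.100.20 web server are constructed.

```python
from collections import deque

SYN_ACK = frozenset({"SYN", "ACK"})


class ReflectionDetector:
    """Track this host's outbound SYNs; an inbound SYN/ACK with no matching SYN
    is backscatter, and many such packets from many distinct sources within a
    short window is the signature of a reflection attack aimed at this host."""

    def __init__(self, window=10.0, reflector_threshold=20):
        self.window = window
        self.reflector_threshold = reflector_threshold
        self.outstanding = {}        # (remote_ip, remote_port, local_port) -> time our SYN was sent
        self.unsolicited = deque()   # (time, reflector_ip) for SYN/ACKs we never asked for

    def outbound_syn(self, remote_ip, remote_port, local_port, now):
        self.outstanding[(remote_ip, remote_port, local_port)] = now

    def inbound(self, src_ip, src_port, dst_port, flags, now):
        """Classify an inbound TCP packet: 'expected', 'unsolicited' or 'ignored'."""
        if frozenset(flags) != SYN_ACK:
            return "ignored"         # only SYN/ACKs are reflection candidates here
        key = (src_ip, src_port, dst_port)
        if key in self.outstanding:
            del self.outstanding[key]
            return "expected"
        self.unsolicited.append((now, src_ip))
        self._prune(now)
        return "unsolicited"

    def _prune(self, now):
        # Forget unsolicited packets older than the sliding window.
        while self.unsolicited and self.unsolicited[0][0] < now - self.window:
            self.unsolicited.popleft()

    def distinct_reflectors(self, now):
        self._prune(now)
        return len({ip for _, ip in self.unsolicited})

    def under_attack(self, now):
        return self.distinct_reflectors(now) >= self.reflector_threshold


def demo():
    """Constructed traffic: one genuine connection, then backscatter from 50 reflectors."""
    d = ReflectionDetector()
    d.outbound_syn("198.51.100.20", 80, 51000, 0.0)                     # our own web request
    legit = d.inbound("198.51.100.20", 80, 51000, {"SYN", "ACK"}, 0.05)  # its SYN/ACK is expected
    for i in range(50):                                                  # SYN/ACKs we never solicited
        d.inbound(f"203.0.113.{i + 1}", 80, 1024 + i, {"SYN", "ACK"}, 1.0 + i * 0.01)
    return legit, d.distinct_reflectors(2.0), d.under_attack(2.0)


if __name__ == "__main__":
    print(demo())
```

Because the reflectors are legitimate servers, this output is useful for alerting and for the upstream provider, not for blocking: filtering the reflectors one by one would only finish the attacker's job.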

27
Gathering Reflectors
  • Attacker uses a list of available reflectors
  • Easy to compile with a port scan through high
    bandwidth IP regions or by using other tools such
    as backtrace to generate lists of candidate
    reflectors

28
Cases of DoS Attacks

29
Case 1: Code Red
  • Exploited a buffer overflow error in IIS
  • Several different versions
  • Date-based behaviour
      • Days 1-19: attempted to infect random IPs
      • Days 20-28: attacked whitehouse.gov
      • After the 28th: dormant
  • At peak, more than 2,000 new hosts were infected
    each minute

30
Case 2: Sapphire/Slammer
  • Fastest virus spread in history
  • Exploited a buffer overflow in MS SQL Server
  • Used UDP instead of TCP
  • Allowed faster spread: no response needed
  • Limited only by bandwidth
  • Problems affected customers, e.g. automatic cash
    machines

31
Case 3: Unreal Tournament
  • Communicates using UDP
  • Simple queries for players or status can be
    combined to return large (11 Kbyte) packets
  • Huge spoofed packets can overload a victim

32
Defending against Distributed Denial of Service Attacks

33
Filtering Packets
  • History-based IP filtering
      • Based on the number of days accessed or the
        number of packets sent from client IP addresses
  • Hop count
      • Filter packets based on an anticipated hop
        count, which an attacker cannot modify
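Slide 33 names two filters; the following added example is the editor's, not from the presentation, and implements both in one class. The history filter records, per source address, the days on which genuine traffic was seen, and under attack admits only addresses with enough history. The hop-count filter infers the hop count from the TTL by assuming the nearest common initial TTL (32, 64, 128 or 255), learns it for each address during normal operation, and rejects packets whose inferred hop count differs, since a sender spoofing an address generally cannot know or set the path length that address would really have. The addresses, TTLs and day numbers are constructed, and the initial-TTL heuristic is an assumption that can misclassify hosts whose stacks use other defaults.

```python
from collections import defaultdict

# Initial TTLs used by common IP stacks; the hop count is the distance from the
# smallest of these that is still >= the observed TTL (a heuristic, not exact).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


class AntiSpoofFilter:
    """History-based IP filtering plus hop-count filtering, as sketched on the slide."""

    def __init__(self, min_days=2):
        self.min_days = min_days
        self.days_seen = defaultdict(set)   # ip -> day numbers on which genuine traffic was seen
        self.hop_counts = {}                # ip -> hop count learned from genuine traffic

    def learn_normal(self, ip, ttl, day):
        """Call only for traffic known to be genuine, e.g. after a completed TCP handshake."""
        self.days_seen[ip].add(day)
        self.hop_counts[ip] = infer_hop_count(ttl)

    def admit(self, ip, ttl, under_attack):
        """Return (accept, reason) for an inbound packet."""
        known_hops = self.hop_counts.get(ip)
        if known_hops is not None and infer_hop_count(ttl) != known_hops:
            # The address is known, but the packet came from a different distance:
            # consistent with someone else spoofing that address.
            return False, "hop-count-mismatch"
        if under_attack:
            # Under attack, fall back to the address history built in calm periods.
            if ip not in self.days_seen:
                return False, "unknown-source"
            if len(self.days_seen[ip]) < self.min_days:
                return False, "insufficient-history"
        return True, "ok"


if __name__ == "__main__":
    f = AntiSpoofFilter(min_days=2)
    for day in (1, 2, 3):                    # constructed: regular client 6 hops away (TTL 64 - 6)
        f.learn_normal("198.51.100.7", 58, day)
    f.learn_normal("203.0.113.9", 250, 1)    # constructed: seen on a single day only
    for ip, ttl in (("198.51.100.7", 58), ("198.51.100.7", 120), ("203.0.113.9", 250), ("192.0.2.1", 60)):
        print(ip, ttl, f.admit(ip, ttl, under_attack=True))
```

Learning must come only from traffic that has proven itself, such as a completed TCP handshake; learning from raw packets during an attack would let the attacker poison both tables. The TTL heuristic is also ambiguous by design: a TTL of 58 could be a 64-initial host 6 hops away or a 128-initial host 70 hops away, and the code picks the nearer interpretation.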

34
Filtering Packets (continued)
  • Internet Service Provider filtering can provide a
    defense against Denial of Service attacks
  • Requires a lot of effort, and bandwidth may be
    unnecessarily reduced
  • May also compromise the system
  • Doesn't provide a permanent solution

35
Increasing Individual Computer Security
  • Many insecure systems are connected to
    high-bandwidth ISPs
  • grc.com was attacked from PCs connected to the
    top two U.S. residential high-speed ISPs
  • High-bandwidth providers are often the most
    sought after by hackers
  • A sensible policy would be a mandatory
    client-side firewall

36
Economic Incentives
  • When security costs exceed the benefits, any
    motivation to secure systems is usually
    diminished.
  • The good economics of Denial of Service attacks
      • Denial of Service tools cause no harm to the
        computer's file system, hardware or bandwidth
      • Thus, the owner of the computer has little or
        no incentive to regularly monitor their computer

37
A nice theory but...
  • Such global regulation of security is not
    achievable in the foreseeable future
  • If firewalls had a 99 percent market penetration,
    there would still be enough machines to perform
    such attacks
  • An environment vulnerable to such attacks is
    being created at a faster rate than present
    security problems are being solved

38
Distributed Responsibility
  • Internet nodes should be responsible for the
    traffic passing through their systems
  • End users are responsible for preventing
    malicious software from being downloaded onto
    their systems
  • Operating systems should not support malicious
    Internet software
  • Distributed responsibility may not prevent all
    further Denial of Service attacks; however, it
    may improve the overall state of Internet security

39
E-Postal System
  • How to motivate people to take more interest in
    security problems?
  • Introduce a usage-pay system
  • A nice idea but... industry would not be prepared
    to implement such drastic changes

40
Redesigning the Internet
  • Before the telephone system was redesigned in
    the 1980s, phone phreakers were able to whistle
    or click into a telephone and cause it to do
    things that it wasn't designed to do
  • The old system used only one channel for voice
    and signaling data
  • Moving the signaling out-of-band fixed the
    problems
  • Redesigning the Internet would be almost
    impossible to undertake

41
Quality of Software Implementation
  • The solution lies in the hands of the system
    architects designing and building better, more
    secure systems
  • Well-known and new vulnerabilities must be
    considered when designing and implementing new
    systems
  • "Security is a process, not a product" - Schneier

42
Software Vulnerabilities
  • Commonly lead to Denial of Service attacks
  • Software engineers are responsible for testing
    software and providing patches when bugs appear
  • System administrators and end users are
    responsible for taking appropriate action to fix
    software flaws

43
Conclusion
  • Internet growth and dependency have encouraged
    Denial of Service attacks
  • If vulnerabilities exist, so will exploitations
  • New vulnerabilities are created and discovered in
    software and protocols
  • Computer security is not about providing a
    solution to every security vulnerability, but
    rather about risk management