Denial of Service Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

Denial of Service Attacks

Description:

About floods, Smurfs, sick minds and Zombies. Possible defenses ... Making sure that legitimate users of the site/server cannot be served. ... – PowerPoint PPT presentation

Number of Views:41
Avg rating:3.0/5.0
Slides: 34
Provided by: johnny93

Transcript and Presenter's Notes


1
Denial of Service Attacks
Esphion
  • SRIG-Bsec
  • INSECURITY Seminar
  • Auckland, November 26th, 2001
  • Juergen Brendel
  • CTO / VP of Engineering
  • Esphion Ltd.

2
Agenda
  • DoS attacks: Why and how
  • About floods, Smurfs, sick minds and Zombies
  • Possible defenses
  • Reacting, defending, detecting and filtering
  • Inside of a flood attack
  • Squeezing out the good guys
  • Placement of detection/filter devices in network
  • Ingress and Egress filtering, detection, alerting
    and network self-defense

3
Aim of the Attack
  • DoS = Denial of Service: making sure that
    legitimate users of the site/server cannot be
    served.
  • Some attacks exploit specific bugs or
    vulnerabilities to crash a server or router.
    Patches!
  • Many attacks deplete resources.
  • Possible resources: memory on servers, router
    capacity, name servers, network bandwidth, etc.
  • Often accomplished by sending huge quantities of
    network traffic to a victim's site, which can
    drain different resources: Flood Attack.

4
Flood Attacks
  • Distributed Denial of Service (DDoS) attacks.
  • Typically use many compromised systems as
    traffic generators (Zombies, SMURF amplifiers,
    etc.).
  • Addresses of compromised machines are traded on
    the Internet; tools are available for download.
  • As a result it's extremely easy to start flood
    attacks! (ScriptKiddies)

5
Spoofing
  • Source addresses of packets may be spoofed (wrong
    IP source address).
  • Two benefits for the attacker:
    • Attack is difficult to track.
    • A third party can get into trouble.
  • Not all DDoS attacks use spoofed addresses.
  • Some UDP flood tools don't spoof the source.
  • SYN-flood always spoofs.
  • Smurf attack packets have a proper source, but
    reply to a spoofed address.
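
Added example (not from the presentation, and not netDeFlect code): a classifier that sorts a burst of packet records into the flood types slide 5 describes, using exactly the spoofing characteristics listed there. Packet, classify_burst, the sample_* helpers and every address below are constructed for this example.

```python
# Added example, not part of the presentation: classify a burst of packet
# records into the flood types slide 5 describes (SYN flood, Smurf, UDP
# flood), using the spoofing characteristics listed there.  All packet
# samples are constructed below; Packet, classify_burst and the sample_*
# helpers are this example's own names.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    flags: str = ""       # TCP flags, e.g. "S" (SYN), "SA", "A"
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


def classify_burst(packets, victim, min_packets=20):
    """Return a dict of suspected flood types in the traffic towards `victim`."""
    to_victim = [p for p in packets if p.dst == victim]
    if len(to_victim) < min_packets:
        return {}
    findings = {}
    n = len(to_victim)

    # SYN flood: almost only bare SYNs, and (because the sources are spoofed
    # and never answer) nearly every source address is seen exactly once.
    tcp = [p for p in to_victim if p.proto == "TCP"]
    syns = [p for p in tcp if p.flags == "S"]
    if tcp and len(syns) / len(tcp) > 0.8:
        per_src = Counter(p.src for p in syns)
        single_use = sum(1 for c in per_src.values() if c == 1)
        findings["syn_flood"] = {
            "syn_packets": len(syns),
            "distinct_sources": len(per_src),
            "likely_spoofed": single_use / len(per_src) > 0.9,
        }

    # Smurf: ICMP echo *replies* from many hosts the victim never pinged.
    # The replies carry genuine sources; the victim's address was spoofed
    # as the source of the amplifier's broadcast echo request.
    pinged = {p.dst for p in packets
              if p.src == victim and p.proto == "ICMP" and p.icmp_type == 8}
    replies = [p for p in to_victim if p.proto == "ICMP" and p.icmp_type == 0]
    unsolicited = [p for p in replies if p.src not in pinged]
    if len(unsolicited) >= min_packets // 2:
        findings["smurf"] = {
            "unsolicited_replies": len(unsolicited),
            "reflector_hosts": len({p.src for p in unsolicited}),
        }

    # UDP flood: UDP dominates.  The slide notes some UDP tools do not spoof,
    # so the source distribution is reported rather than a spoofing verdict.
    udp = [p for p in to_victim if p.proto == "UDP"]
    if len(udp) / n > 0.8:
        findings["udp_flood"] = {"packets": len(udp),
                                 "distinct_sources": len({p.src for p in udp})}
    return findings


VICTIM = "198.51.100.10"   # constructed victim address (TEST-NET-2)


def sample_syn_flood(count=100):
    # Constructed: bare SYNs from `count` different, never-repeating sources.
    return [Packet(f"10.{i // 256}.{i % 256}.1", VICTIM, "TCP", "S")
            for i in range(count)]


def sample_smurf(reflectors=60):
    # Constructed: echo replies from a /24 of amplifier hosts; the victim
    # sent no echo requests at all.
    return [Packet(f"192.0.2.{i + 1}", VICTIM, "ICMP", icmp_type=0)
            for i in range(reflectors)]


def sample_udp_flood(count=50):
    # Constructed: UDP packets from a single, unspoofed source.
    return [Packet("203.0.113.7", VICTIM, "UDP") for _ in range(count)]


def sample_legitimate(clients=30):
    # Constructed: each client completes a handshake (SYN, then ACK), so the
    # SYN share stays at 50% and no flood is reported.
    pkts = []
    for i in range(clients):
        client = f"203.0.113.{i + 1}"
        pkts.append(Packet(client, VICTIM, "TCP", "S"))
        pkts.append(Packet(VICTIM, client, "TCP", "SA"))
        pkts.append(Packet(client, VICTIM, "TCP", "A"))
    return pkts


if __name__ == "__main__":
    for name, pkts in [("syn", sample_syn_flood()), ("smurf", sample_smurf()),
                       ("udp", sample_udp_flood()), ("legit", sample_legitimate())]:
        print(name, classify_burst(pkts, VICTIM))
```

The thresholds (80% SYN share, 90% single-use sources) are arbitrary starting points; as slide 17 says, rules will look different for every site, and the legitimate sample shows why a plain SYN count is not enough: real clients also send SYNs, they just follow up with an ACK.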

6
Attack overview
7
Attack overview
8
How to make a Zombie
  • Poorly secured computers at work or home are
    targeted.
  • Especially those on always-on, high-bandwidth
    connections (DSL) are attractive to attackers.
  • Two-stage attack:
    • Zombie machines are compromised (Zombies are
      victims).
    • Attack tools are installed on Zombies.
    • Zombies are used to attack the target (Zombies
      are attackers).

9
Gaining control
  • Automated tools for finding vulnerabilities and
    compromising hosts are available:
    • rootkits
    • scanning for vulnerabilities
    • e-mail and newsgroup viruses
  • It just takes a few seconds.
  • Backdoors (Trojans) are installed, e.g. SubSeven.
  • Compromised machines report back and are ready to
    follow their master's commands.
  • Often IRC is used as the communication channel.
  • Depending on the installed Trojan, the attacker can
    play with the Zombie, extract different data and
    run different executables.

10
Tools of the trade
  • Trin00, TFN (Tribe Flood Network), Stacheldraht,
    shaft, TFN2K, mstream, Trinity, and more.
  • Generate UDP, SYN, ICMP, Smurf, etc. floods.
  • Tools allow selection of attack type and target
    via mouse-click or menu.
  • Typically written by knowledgeable hackers,
    typically used by clueless ScriptKiddies.

11
The Doomsday scenario: Worms
  • CodeRed targeted well-connected systems: servers.
  • The last incarnation automatically infected new
    systems and installed backdoors!
  • Depending on the exploit, a well-designed worm
    can spread rapidly.
  • Results in a huge army of Zombies.
  • These Zombies would all be well-connected and
    powerful systems.

12
Why?
  • Grabbing headlines, and feeling the power.
  • Disliking someone, for example in IRC.
  • Taking out a competitor.
  • Cyber-terrorism against organizations or whole
    countries.
  • Collateral damage: the network.

13
Why not retaliate?
  • For the most part, attackers cannot be easily
    identified.
  • Source address may point at innocent party.
  • Shooting back becomes a DoS attack on the
    network infrastructure in itself.
  • Legal issues: a huge can of worms.

14
What you can do: Not much!
  • Train your staff and prepare.
  • After an attack is detected, try to characterize it
    (protocol, source addresses, type of packet,
    etc.).
  • Implement filters on your routers to keep attack
    traffic off the network (ingress filtering). Works
    better on some routers than on others.
  • Move the site to a different IP address and network
    (be a moving target). Works if the attacker does
    not track.
  • Call up your ISP and hope for the best:
    • Hard to find the proper contact.
    • Filters may reduce performance for other
      customers.
    • They still like to bill you for the used
      bandwidth.
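
Added example (not from the presentation, and not netDeFlect code) for the ingress and egress filtering the deck recommends: a minimal anti-spoofing filter that drops inbound packets claiming one of the site's own addresses or a bogon source, and drops outbound packets whose source is not the site's own (the same idea as RFC 2827 / BCP 38). The site prefixes, the bogon list, the function names and the sample addresses are all constructed for this example.

```python
# Added example, not part of the presentation: a minimal anti-spoofing filter
# of the kind the ingress/egress filtering slides call for (the same idea as
# RFC 2827 / BCP 38).  The site prefixes, bogon list and sample addresses
# are constructed for this example; nothing here is netDeFlect code.
import ipaddress

# Constructed: the address space this site legitimately uses.
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("2001:db8:1::/48")]

# Constructed: sources that must never arrive from the Internet (private,
# loopback, link-local, "this network" and multicast ranges).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "fc00::/7", "fe80::/10")]


def _in_any(addr, prefixes):
    # ipaddress returns False for a v4 address tested against a v6 network
    # and vice versa, so mixed lists are safe.
    return any(addr in net for net in prefixes)


def ingress_verdict(src):
    """Packet arriving on the upstream link.  A source that claims to be one
    of our own addresses is spoofed (it can only be trying to pass rules
    that trust internal hosts); bogon sources cannot be genuine either."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, SITE_PREFIXES):
        return "drop: spoofed internal source"
    if _in_any(addr, BOGON_PREFIXES):
        return "drop: bogon source"
    return "accept"


def egress_verdict(src):
    """Packet leaving the site.  Only our own prefixes may appear as source;
    this is what stops a zombie on our network from taking part in a spoofed
    flood (e.g. a SYN flood) against somebody else."""
    addr = ipaddress.ip_address(src)
    return "accept" if _in_any(addr, SITE_PREFIXES) else "drop: source not ours"


def filter_batch(direction, sources):
    """Apply the filter to a list of source addresses; returns verdict counts."""
    verdict = ingress_verdict if direction == "ingress" else egress_verdict
    counts = {}
    for src in sources:
        v = verdict(src)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one genuine client, one spoofed "internal" source
    # and one private-range bogon on the inbound side ...
    print(filter_batch("ingress", ["203.0.113.9", "198.51.100.5", "10.1.2.3"]))
    # ... and on the outbound side one own host plus two addresses a zombie
    # might put into spoofed packets.
    print(filter_batch("egress", ["198.51.100.5", "203.0.113.9", "2001:db8:1::42"]))
```

The egress rule is the one the deck calls attack prevention: it protects other people from your network. It does nothing against a flood that arrives with unspoofed sources, which is why slide 5 stresses that not all DDoS traffic is spoofed.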

15
What really works
  • Install dedicated DoS solutions:
    • Early detection devices
    • Devices which utilize the capabilities of your
      network
    • Specialized filters for DoS traffic
  • Choose ISPs which have those solutions installed:
    • Either they offer it as an add-on for an extra
      fee, always on,
    • or you can rent the protection when you need it.

16
Detecting an attack is tricky!
  • Is a spike in traffic volume an attack, or did
    your marketing finally generate some hits?
  • On some sites, some attacks are easily detected;
    on other sites it's a different story.
  • It is an arms race: the attacks will become more
    stealthy, i.e. they will look more like
    legitimate traffic.
  • Early detection is important, e.g. Yahoo.

17
Filtering is just as difficult
  • Requires very powerful hardware for fast links.
  • Only a mixture of capabilities from IDSs,
    statistical traffic analysis and firewalls works.
  • Detection and filtering require rules,
    statistics about traffic profiles, understanding
    of changing long-term policies and usage
    patterns, etc.
  • Rules and policies need to be flexible and
    adaptable to new traffic patterns and new kinds
    of attack.
  • Rules will look different for every site! There
    is no magic bullet which works for all sites.
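
Added example (not from the presentation, and not netDeFlect code) for the point made on slides 16 and 17: a statistical traffic profile that flags a measurement window whose packet count lies far above a baseline, and then uses a second signal to separate a flood from a legitimate burst of visitors. Window, window_from_sources, zscore, assess_window, the BASELINE figures and the single-packet-source heuristic are assumptions made for this example, not measurements or rules from the deck.

```python
# Added example, not part of the presentation: a statistical traffic profile
# of the kind slides 16 and 17 talk about, plus a second signal that helps
# tell a flood from a genuine burst of visitors.  Baseline numbers, windows
# and the "single-packet source" heuristic are this example's own
# assumptions, not measurements or rules from the presentation.
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    packets: int
    sources: int                 # distinct source addresses seen
    single_packet_sources: int   # sources that sent exactly one packet


def window_from_sources(src_list):
    """Summarise one measurement window from the list of packet sources."""
    per_src = Counter(src_list)
    return Window(packets=len(src_list), sources=len(per_src),
                  single_packet_sources=sum(1 for c in per_src.values() if c == 1))


def zscore(value, baseline):
    """How many standard deviations `value` lies above the baseline mean."""
    mean = statistics.fmean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # guard a perfectly flat baseline
    return (value - mean) / sd


def assess_window(window, baseline_packets, z_threshold=3.0, single_share=0.8):
    """A volume spike alone is ambiguous (attack, or marketing?).  Spoofed
    flood sources never send a second packet, whereas real visitors do, so
    the share of single-packet sources is used to split the two cases."""
    if zscore(window.packets, baseline_packets) < z_threshold:
        return "normal"
    share = window.single_packet_sources / window.sources if window.sources else 0.0
    if share > single_share:
        return "alert: flood"
    return "watch: volume spike, sources behave like real clients"


# Constructed baseline: 25 quiet windows at roughly 1000 packets each.
BASELINE = [1000 + (i % 5 - 2) * 10 for i in range(25)]


def normal_sources():
    # Constructed: 250 clients, 4 packets each -> 1000 packets, no spike.
    return [f"203.0.113.{i % 250 + 1}" for i in range(1000)]


def marketing_sources():
    # Constructed: 1250 fresh visitors, each completing a 4-packet exchange.
    return [f"198.18.{i // 256}.{i % 256}" for i in range(1250) for _ in range(4)]


def flood_sources():
    # Constructed: 5000 packets, every one from a different (spoofed) source.
    return [f"10.{i // 256}.{i % 256}.1" for i in range(5000)]


if __name__ == "__main__":
    for name, srcs in [("quiet hour", normal_sources()),
                       ("marketing hit", marketing_sources()),
                       ("spoofed flood", flood_sources())]:
        print(name, "->", assess_window(window_from_sources(srcs), BASELINE))
```

The marketing and flood windows carry the same packet count, so the volume profile alone cannot tell them apart; only the behaviour of the sources does. That is the arms-race point of slide 16: an attacker who makes sources look like real clients defeats this particular second signal, and the rules then have to change again.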

18
The attack: Depleting resources
19
Filtering at target
20
Pros/Cons of filtering at target
  + Protects internal network/computing resources!
  + Site remains operational internally.
  + Site remains accessible through possible other
    links.
  - The available bandwidth on the attacked link(s)
    is still maxed out.
21
Filtering on the Big Pipes
  (Chart: Resource vs. Time, showing Attack Traffic
  and Legitimate Traffic against the Maximum
  available resource, with the point of Activating
  filters marked.)
22
Pros/Cons of Big Pipe filtering
  + Protects network/computing resources! The
    attack fails completely!
  - Requires high-performance hardware.
23
Defending a site (ingress filter)
24
Defending a site (ingress filter)
25
Attack prevention (egress filter)
26
Attack prevention (egress filter)
27
Between networks
28
Monitoring and alerting
  (Diagram: detectors raising ALERT! notifications.)
29
Network self-defense
30
Network self-defense
31
We want it all!
  • Especially complex networks will require all
    three modes of operation: filters, detectors and
    network controllers.
  • ISPs can use all three modes to provide better
    service for their hosting customers.
  • ISPs can also use all three modes to prevent the
    attacks in the first place.
  • Any solution needs to be able to compete in the
    arms race.

32
Introducing netDeFlect
  • Monitors and alerts for DoS attacks
  • Controls upstream routers and other devices to
    filter attack traffic
  • Powerful, wire-speed DoS traffic filter (ingress
    and egress)
  • Utilizes rules, pattern matching and statistical
    traffic profiles for comprehensive, flexible
    attack detection and deflection
  • Easy customization for individual sites
  • Beta end of October, first product release Q1
    2002

33
The End
  • Thank you very much!