COMP 7320

1
COMP 7320
Internet Security
Prevention of DDoS Attacks
By Dack Phillips
2
Presentation Overview

• What are DoS Attacks?
• DoS Facts and Figures
• Current Solutions
• Problems
• Proposed Solutions
• Conclusions
• References
• Questions

3
What are DoS Attacks?

• A malicious attack that consumes resources of
  remote hosts or networks denying or degrading
  service to legitimate users, 11.

4
Types of DoS Attacks

• Bandwidth Consumption
• Program Flaw Exploitation
• Resource Starvation
• Routing/DNS Attacks
• SYN Floods
• DDoS Attacks

5
Bandwidth Consumption

• A computer having more bandwidth floods a smaller
  server with packets. The smaller server can not
  respond to the overwhelming load.
• A computer with small bandwidth convinces a
  network to flood a host with more bandwidth
• - A 56 Kbps modem can take down a T1 line
  like this

6
Program Flaw Exploitation

• An attacker sends an operating system,
  application, or hardware exceptional conditions
  that it cant handle.
• - OOB Port 139 on Windows 95 boxen
• - F00FC7C8 Pentium Instruction

7
Resource Starvation

• Attacker aims to deplete system, rather than
  network resources.
• - CPU
• - Memory
• - File System Quotas

8
Routing/DNS Attacks

• Routing Information Protocol (RIP) and Border
  Gateway Protocol (BGP) have very weak
  authentication. Routing tables are changed to
  route traffic through an attackers network,
  another network, or a black hole (non-existent
  network)
• DNS is similar except DNS tables are falsified

9
SYN Floods

• TCP Connection Handshake
• client sends server TCP SYN
• server sends client TCP SYN ACK
• client sends server ACK or RST
• In case of a spoofed source address, server keeps
  trying to send SYN ACKs. Connection Queue fills
  up with these requests and no legitimate traffic
  is served

10
DDoS Attacks

• An attacker compromises many machines (agents or
  zombies) and installs DoS daemons
• The attacker uses a controlling machine (handler)
  to control the zombie machines to attack a
  server.
• More than one handler to prevent single point of
  failure

11
DoS Facts and Figures

• One of the hardest security problems
• Simple to implement
• Difficult to prevent
• Difficult to trace
• 1989 95 CERT reports DoS attacks increased 50
  per year
• Tools are easy to find and use Smurf, Fraggle,
  Teardrop, Stream, TFN, Trinoo Stacheldracht,
  Shaft, Plague, Trinity, et al.
• February 2000 eBay, Yahoo, Amazon, etc.

12
Current Solutions

• Preventative
• Make the OS/IP stack more robust
• Reactive
• Phone ISPs and trace back manually, call next
  ISP in the chain
• This is time consuming and ISPs are often
  unwilling to spend time doing this. In addition,
  the trace has to be done while the attack is
  still in progress.

13
Problems

• The Internet is stateless destination driven
• Source addresses can be easily falsified
  (spoofed)
• Attackers use connection chains to hide
  identities
• Routers can be compromised
• Login chains and address spoofing have legitimate
  uses

14
Proposed Solutions

• Ingress Filtering
• Upstream Router Mapping
• Counter Flooding Trace
• Probabilistic Packet Marking
• ICMP Traceback Messages
• Stepping Stone Tracking
• Traceback Network (CenterTrack or STM)

15
Ingress Filtering

• Defined in RFC 2267
• Edge Routers drop and log packets with invalid
  Source IPs or those coming from outside the
  network
• Border Routers should not be allowed to transmit
  broadcast packets (MAC address FFFFFFFFFFFF)
  to other routers by default

16
Ingress Filtering (cont)

• System Diagnostic UDP packets from outside
  domains should not be allowed into a network
• Ingress filtering poses problems with Mobile IP.
  Currently the Mobile IP Working Group is
  investigating reverse tunneling to solve this
  problem.

17
Upstream Router Mapping

• Network Administrators should make an upstream
  router map
• Manually via traceroute
• Mercator program that uses hop limited probes
  and source routers to create upstream maps

18
Counter Flooding

• Network Administrators send UDP chargen floods
  upstream (small scale DoS attack). If a router
  is perturbed then it is probably being used in
  the attack. Repeat upstream.
• Ethical issue If the trace causes more damage
  than the attack, should it be used?

19
PPM

• PPM Probabilistic Packet Marking
• 4 schemes
• Savage, Wetherall, Karlin Anderson
• Song Perrig
• Park Lee
• Dean, Franklin Stubblefield

20
PPM (cont)

• These schemes overload the IP Identification
  field used for packet fragmentation
• In most schemes, a hashing function computes a
  hash of the routers IP address and writes this
  hash to the Identification field
• A distance field is normally included as well
  that keeps track of how many hops a packet has
  travelled

21
PPM (cont)

• Typical IP Packet

22
PPM (cont)

• Dean, etc. employ an algebraic scheme rather than
  a hash based wherein routers stamp coefficients
  of their IP addresses a prime number

23
PPM (cont)

• Assumptions
• Most paths are less than 25 hops
• Packets can be addressed to more than one host
• Duplicate Packets can exist
• Routers can be compromised
• Attackers know they can be traced

24
PPM (cont)

• PPM schemes must minimize false positives while
  eliminating false negatives
• Adding bits to IP headers causes packet
  fragmentation

25
PPM (cont)

• Problems
• Packets can take more than one path to a
  destination
• IPSec requires IP Identification field
• IP fragmentation is small (lt0.25 of traffic)
  but does exist
• Routers do not need more overhead

26
ICMP Traceback

• Traceroute only works in the forward direction,
  not in reverse
• Routers send out ICMP traceback information
  (interface name, Time stamp) probabilistically
  (1/1000 1/20000)
• Public key system used to authenticate packets
• TTL set to 255 to show distance
• Problem ICMP is filtered in some networks

27
Stepping Stone Traceback

• Stepping Stone one link in a connection chain
• If ON/OFF timing between 2 hosts is similar, it
  is probably a stepping stone
• Packets often encrypted, check headers
• Check clear text packets to see if the text from
  one host is transmitted to another
• Problem too much legitimate traffic, not an
  adequate solution

28
CenterTrack

• Edge routers are connected to a special overlay
  network composed of tracing routers via IP
  Tunnels
• In case of attack, the packets are forwarded to
  the tracking routers which follow the stream back
  to the source of the attack

29
CenterTrack (cont)

• Full packet capture can be added easily to
  provide attack evidence
• Problems Attacks have to be detected to be
  rerouted
• TTL is modified and ICMP TTL exceeded messages
  are sent back, possibly alerting the attacker to
  the trace

30
CenterTrack (contd)
GW Gateway CT CenterTrack Router TR/XR
Transfer Router
31
STM Network

• SPIEs (Source Path Isolation Engines) are
  installed in routers, or connected to them
• These SPIEs generate packet digests from 28 non
  changing bits in the packet (20 from the header,
  8 from the payload).
• The digest is stored in router memory or external
  storage

32
STM Network (cont)

• SPIEs transfer data to SCARs (SPIE Collection and
  Reduction Agents) if interesting traffic occurs
• A SCAR can produce an attack graph of a local
  network
• STMs (SPIE Traceback Managers) can request
  information from one or more SCARs and generate a
  complete attack graph

33
Conclusions

• ISPs, unless they offer Mobile IP should use
  Ingress Filtering
• Network Administrators should make upstream
  router maps
• IPv6 should employ better packet tracing methods

34
References

• 1 S. Bellovin. ICMP traceback messages.
  Internet Draft, IETF, Mar. 2000.
  draft-bellovin-itrace-05.txt (work in progress).
•  
• 2 H. Burch and B. Cheswick. Tracing
  anonymous packets to their approximate source.
  In Proc. USENIX LISA 00 (Dec. 2000).
• 3 D. Dean, M. Franklin, and A. Stubblefield,
  "An Algebraic Approach to IP Traceback," in
  Network and Distributed System Security
  Symposium, NDSS '01, February 2001. 

35
References

• 4 S. Dietrich, N. Long, and D. Dittrich,
  Analyzing ditributed denial of service attack
  tools The shaft case, in 14th Systems
  Administration Conference, LISA 2000, 2000,
  http//netsec.gsfc.nasa.gov/spock/lisa2000-shaft.
  pdf.
• 7 P. Ferguson and D. Senie. Network ingress
  filtering Defeating denial of service attacks
  which employ IP source address spoofing. May
  2000.RFC 2827. IEEE INFOCOM 2001.
•  
• 8 R. Govindan and H. Tangmunarunkit.
  Heuristics for Internet Map Discovery. In
  Proc. of the 2000 IEEE INFOCOM Conference, Tel
  Aviv, Israel, Mar. 2000.

36
References

• 10 K. Park and H. Lee. On the effectiveness
  of probabilistic packet marking for IP traceback
  under denial of service attack. In Proc. IEEE
  INFOCOM 2001, pages 338-347, 2001.
•  
• 11 S. Savage, D. Wetherall, A. Karlin, and T.
  Anderson. Practical network support for IP
  traceback. In Proc. of ACM SIGCOMM 00, pages
  295-306, Aug.2000.
•  
• 12 A. Snoeren, and C. Partridge. Hash-based
  IP Traceback. In Proc. ACM SIGCOMM 01, pages
  3-14, Aug. 2001.

37
References

• 13 D. Song and A. Perrig. Advanced and
  authenticated marking schemes for IP traceback.
  Technical Report UCB/CSD-00-1107, Computer
  Science Department,
• University of California, Berkeley, 2000. In
  Proc. IEEE INFOCOM 2001.
•  
• 14 R. Stone. CenterTrack An IP Overlay
  Network for Tracking DoS Floods. In Proc. of
  the 2000 USENIX Security Symposium, Denver, CO,
  July 2000.
• 15 J. Scambray, S. McClure, and G. Kurtz.
  Hacking Exposed Network Security Secrets and
  Solutions. Second Edition. New York
  Osborne/McGraw-Hill, 2001. pages 484-506.

38
References

• 17 Y. Zhang and V. Paxson. Stepping Stone
  Detection. In Proc. of the 2000 USENIX Security
  Symposium, Denver, CO, July 2000.

39
Questions?