Denial of Service Attacks: Detection and Reaction - presentation transcript

1
Denial of Service Attacks: Detection and Reaction
  • Georgios Koutepas, Basil Maglaris
  • National Technical University of Athens, Greece
  • Cyprus Conference on Information Security 2002
  • October 12, 2002

2
What is "Denial of Service"?
  • An attack to suspend the availability of a
    service
  • Until recently the "bad guys" tried to enter our
    systems. Now it's:
      • "If not us, then nobody"
  • No break-in attempts, no information stealing,
    although they can be combined with other attacks
    to confuse Intrusion Detection Systems.
  • No easy solutions! DoS is still mostly a research
    issue

3
Main Characteristics of DoS
  • Variable targets
      • Single hosts or whole domains
      • Computer systems or networks
      • Important active network components (e.g.
        routers) are also vulnerable and possible
        targets!
  • Variable uses / effects
      • Hacker "turf" wars
      • High-profile commercial targets (or just
        competitors)
      • Useful in cyber-warfare, terrorism, etc.

4
Brief History
  • First Phase (starting in the '90s): DoS
      • Started as bug/vulnerability exploitation
      • Single hosts - single services were the first
        targets
      • Single malicious packets
  • Second Phase (1996-2000)
      • Resource-consuming requests from many sources
      • Internet infrastructure used for attack
        amplification
  • Third Phase (after 2000): Distributed DoS
      • Bandwidth of network connections is the main
        target
      • Use of many hijacked ("pirated") machines,
        possibly many attack stages, escalation effect
        to saturate the victims

5
Brief History (cont.)
  • Important Events
      • February 7-11, 2000: big commercial sites (CNN,
        Yahoo, eBay) are taken down by flooding of
        their networks.
      • The attacks capture the attention of the media
      • The US President assembles emergency council
        members of Internet and e-commerce companies,
        civil liberties organizations, and security
        experts to jointly announce actions
        strengthening Internet and computer network
        security
      • January 2002: the British ISP CloudNine
        suspends operations because of continuous
        interruption of its Internet connectivity.

6
Host DoS Attacks
  • Usually one attacker - one target
  • Methods used are derivatives of those used for
    unauthorized access
  • Buffer overflows on wrongly designed input fields
    can overwrite parts of the memory stack. The
    result opens doors or causes failure of the
    service/system
  • Ambiguities in network protocols and their
    implementations: specially designed packets can
    halt the protocol stack or the whole system

7
Examples of Host DoS Attacks
  • Land IP DoS attack: special SYN packets with the
    same source and destination
  • Teardrop attack: it sends IP fragments to a
    network-connected machine, exploiting an
    overlapping IP fragment bug present in various
    TCP/IP implementations.

8
Host Resource DoS Attacks
  • The target continues (most of the time) operating
    but cannot offer any useful services.
  • Resource exhaustion through legitimate requests
    to the target host
      • SYN Flooding attack
      • Ping Flooding attack
      • Smurf attack: the ping flow is "amplified" by
        being first sent to a number of network
        broadcast addresses with the victim's return
        address in the packets

9
Example of a "Smurf" Attack
[Diagram: the attacker sends ICMP echo requests to the broadcast address of
an unsecured LAN with the source address forged as victim.host; every host on
that LAN answers with an "ICMP Echo reply, destination victim.host", and the
combined replies flood the target (web server victim.host).]
10
Network Attacks: Distributed DoS
[Diagram: the attacker drives active "zombies" located in third-party
networks, which flood the target domain (marked X).
Admin problem 1: active "zombies".
Admin problem 2: the network allows outgoing packets with wrong source
addresses.]
11
Main Characteristics of DDoS
  • A few hundred persistent flows are enough to
    knock a large network off the Internet
  • Incoming traffic has to be controlled outside
    the victim's domain, at the upstream providers
  • Usually source IPs are spoofed on attack packets
  • Offending systems may be controlled without their
    users suspecting it
  • Possibly many levels of command and control:
      • Attacker - Manager - Agents
  • Examples of automatic tools for such attacks:
    "Trinoo", "Stacheldraht", and "TFN2K", also
    called rootkits

12
Multi-tier attack
[Diagram: the attacker commands several attack masters; each master controls
"zombies" (attack agents) that flood the target domain (marked X).
Admin problem: no detection of malicious activities on the networks hosting
the masters and agents.]
13
Reflection DDoS Attack
[Diagram: the attacker, through an attack master, has "zombies" send
legitimate TCP SYN requests to web or other servers and routers, carrying the
target's address as source; the TCP SYN-ACK answers are reflected onto the
target domain (marked X).]
14
PART II: What Can We Do?
15
Detection
  • Host DoS attacks
      • Border defenses must be kept up to date
      • Host- and network-based Intrusion Detection
        Systems
      • Investigate suspicious activity indications

16
Detection (cont.)
  • Distributed DoS attacks - on the Network
      • Offensive flows must be identified quickly
      • Tip: set generalized pass filters on the border
        routers and see what they catch (a high number
        of matches means an attack)
      • Use NetFlow or another monitoring tool
      • Follow router indications
      • Tip: check router load for abnormal signs
  • Distributed DoS attacks - in the Domain
      • Perform frequent security audits for hidden
        malicious code ("zombies") or attack rootkits
      • Install an anti-virus package

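The flow-monitoring tips above, worked through as an added example that is not part of the presentation: NetFlow-style records (constructed here, with assumed field names, thresholds and RFC 5737 addresses) are grouped into aggregates, and a group with many packets from many distinct sources is reported together with the router interface it entered on and its share of SYN-only packets.

```python
# Added example (not from the presentation): flow-based detection in the
# spirit of slide 16, run over constructed NetFlow-like records. The record
# fields, thresholds and addresses (RFC 5737 ranges) are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source address as exported by the border router
    dst: str       # destination address
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port (0 for ICMP)
    flags: str     # TCP flags seen in the flow, "S" = SYN only
    packets: int   # packets in the flow
    ifindex: int   # router input interface the flow arrived on


def find_aggregates(flows, min_packets=1000, min_sources=50):
    """Group flows by (dst, proto, dport) and report groups that look like a
    flood: many packets from many distinct sources. Each hit carries the input
    interface that delivered most of the traffic and the SYN-only share."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.proto, f.dport)].append(f)
    hits = []
    for (dst, proto, dport), fl in groups.items():
        packets = sum(f.packets for f in fl)
        sources = {f.src for f in fl}
        if packets < min_packets or len(sources) < min_sources:
            continue
        per_if = defaultdict(int)
        for f in fl:
            per_if[f.ifindex] += f.packets
        syn_only = sum(f.packets for f in fl if proto == "tcp" and f.flags == "S")
        hits.append({"dst": dst, "proto": proto, "dport": dport,
                     "packets": packets, "sources": len(sources),
                     "ingress_if": max(per_if, key=per_if.get),
                     "syn_only_ratio": round(syn_only / packets, 2)})
    return sorted(hits, key=lambda h: -h["packets"])


def sample_flows():
    """Constructed records: 200 SYN-only flows from 200 different sources
    against web server 192.0.2.10:80, all entering on interface 2, plus two
    ordinary flows entering on interface 1."""
    flood = [Flow(f"198.51.100.{i + 1}", "192.0.2.10", "tcp", 80, "S", 20, 2)
             for i in range(200)]
    normal = [Flow("203.0.113.5", "192.0.2.10", "tcp", 80, "SA", 40, 1),
              Flow("203.0.113.6", "192.0.2.25", "udp", 53, "", 3, 1)]
    return flood + normal
```

In practice the thresholds are tuned against a baseline of the domain's normal traffic; the reported ingress interface is where a containment filter would be placed.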
17
Reaction to DDoS
  • The malicious flows have to be determined. Timely
    reaction is critical!
  • The attack characteristics have to be
    communicated (in any way possible) upstream. This
    usually has to be done manually and is an
    uncertain and time-consuming procedure.
  • Filters that will block attack traffic must be
    set up and maintained. The effectiveness of the
    actions must be verified.
  • The bandwidth penalty is still present throughout
    all the affected networks. Actions are required
    on all the networks on the attack path.

18
Reaction to DDoS (cont.)
  • Another possible solution (it helps the ISP): stop
    all traffic to the target by directing it to a
    central point and discarding it. This completes
    the attack!
  • Trace-back efforts
      • Following the routing (if sources are not
        spoofed)
      • Step by step through the ISPs. Difficult to
        convince them if they are not concerned about
        the bandwidth penalty
  • The conclusion: not a matter of a single site

19
Prevention - Preparation
  • Good administrative practices are a must
      • Backup!
      • Have a recovery plan, possibly a stand-by
        system
      • Train your personnel, have someone aware of
        security issues available at all times
      • Have emergency contact points with your ISPs
        and CERTs, know beforehand whom to call and
        have clear service policies on what they are
        obliged to do
  • Care for the rest of the world
      • Prevent spoofed traffic from exiting your
        network
      • Filter pings to broadcast addresses (smurf
        amplifier)

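The two "care for the rest of the world" filters, as an added example that is not part of the presentation: a border-router classification function that drops outgoing packets with a source outside the domain's own address space and inbound echo requests to a directed-broadcast address, extended with the mirror-image inbound anti-spoofing check. The prefixes and packets are constructed (RFC 5737 ranges) and the field names are assumptions.

```python
# Added example (not from the presentation): the egress anti-spoofing and
# smurf-amplifier filters of slide 19 as one classification function, plus
# the mirror-image inbound check. Prefixes and packets are constructed.
import ipaddress

# Assumed address space of the protected domain.
OUR_PREFIXES = [ipaddress.ip_network(p)
                for p in ("192.0.2.0/24", "198.51.100.0/25")]
ICMP_ECHO_REQUEST = 8


def border_verdict(direction, src, dst, proto, icmp_type=None, prefixes=None):
    """Classify one packet at the border. direction is "out" (leaving our
    domain) or "in" (arriving from the Internet). Returns (forward, reason)."""
    nets = OUR_PREFIXES if prefixes is None else prefixes
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_is_ours = any(s in n for n in nets)
    if direction == "out":
        # Egress filter: only our own source addresses may leave, so a zombie
        # inside cannot emit flood traffic with a forged source.
        if not src_is_ours:
            return False, f"drop: spoofed source {s} not in our address space"
    elif direction == "in":
        # Mirror image: the Internet never legitimately sends us our own addresses.
        if src_is_ours:
            return False, f"drop: inbound packet claims internal source {s}"
        # Smurf amplifier: echo requests to the directed broadcast of a subnet.
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST and \
                any(d == n.broadcast_address for n in nets):
            return False, f"drop: echo request to broadcast {d} (smurf amplifier)"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return True, "forward"


# Constructed packets: legitimate web traffic out, a zombie forging a foreign
# source, a smurf probe to our broadcast address, an ordinary inbound ping,
# and an inbound packet claiming one of our own addresses.
SAMPLE_PACKETS = [
    dict(direction="out", src="192.0.2.7", dst="203.0.113.9", proto="tcp"),
    dict(direction="out", src="203.0.113.44", dst="203.0.113.9", proto="udp"),
    dict(direction="in", src="203.0.113.9", dst="192.0.2.255", proto="icmp", icmp_type=8),
    dict(direction="in", src="203.0.113.9", dst="192.0.2.7", proto="icmp", icmp_type=8),
    dict(direction="in", src="192.0.2.99", dst="192.0.2.7", proto="tcp"),
]


def audit(packets=SAMPLE_PACKETS):
    """Run packets through the filter; returns a list of (forward, reason)."""
    return [border_verdict(**p) for p in packets]
```

On a real border router the same three rules are expressed as access-list entries in both directions; the outbound rule is what keeps your own zombies from contributing spoofed traffic to someone else's attack.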
20
PART III: Research Directions
21
Main DoS Research Problems
  • DoS
      • Is mostly an Intrusion Detection / Prevention
        problem
      • Not much is possible, since a single packet
        can do all the damage
      • Some efforts to have an "Immune System" type
        of detection for anomalous system call
        sequences.
  • DDoS
      • Timely attack detection
      • Source tracing
      • Traffic flow control and attack suppression
      • Intrusion Detection Systems are not very
        helpful

22
CenterTrack
[Diagram: the target domain (marked X) and the IP overlay network through
which the flood is tracked back towards its entry points.]
  • R. Stone, "CenterTrack: An IP Overlay Network for
    Tracking DoS Floods", 9th USENIX Security
    Symposium, Denver, Colorado, USA, August 2000

23
PushBack
[Diagram: the Pushback steps, starting at the router closest to the target
domain (marked X):]
1. Aggregate characteristics determined
2. Incoming traffic I/f determined
3. Containment filter set locally
4. Continue to the next router in the attack path
   using the Pushback protocol
  • J. Ioannidis and S. Bellovin, "Pushback:
    Router-Based Defense Against DDoS Attacks", NDSS,
    February 2002

24
Panoptis
[Diagram: the Panoptis Analysis Engine reads NetFlow from the border routers
of the target domain (marked X):]
1. Aggregate characteristics determined
2. Traffic I/fs determined
3. Automatic filter configuration
  • C. Kotsokalis, D. Kalogeras, and B. Maglaris,
    "Router-Based Detection of DoS and DDoS Attacks",
    HP OpenView University Association (HPOVUA)
    Conference '01, Berlin, Germany, June 2001

25
Trans-Domain Cooperative IDS Entities
[Diagram: each participating domain runs a Cooperative IDS Entity;
notifications propagate between entities by multicast, skipping
non-participating domains, and each entity activates filters and reacts
according to local policies.]
  • G. Koutepas, F. Stamatelopoulos, B. Maglaris, "A
    Trans-Domain Framework Against Denial of Service
    Attacks", submitted to the 10th Annual Network
    and Distributed System Security Symposium, San
    Diego, California, February 2003

26
Questions and Answers