Lesson One: DDoS Attacks
Low rate SYN flood defence
SYN cookies: remove state from the server (does have a small performance overhead).
Server Application
The attack is targeted to a specific application on a server
Network Access
The attack is used to overload or crash the communication mechanism of a network
DoS via route hijacking
The attack we present is to strategically create channels with low fees, which attract many nodes to route through them. The attacker then deliberately fails to execute transfers, thereby executing a wide DoS attack.
Infrastructure
The attack targets a service crucial to global Internet operation, for example a core router.
Fixed Spoofing
The spoofed address is the address of the target.
Which of these are reasons why the UDP-based NTP protocol is particularly vulnerable to amplification attacks? 1. A small command can generate a large response 2. Vulnerable to source IP spoofing 3. Difficult to ensure computers communicate only with legitimate NTP servers
Which of these are reasons why the UDP-based NTP protocol is particularly vulnerable to amplification attacks ALL ARE TRUE - A small command can generate a large response - Vulnerable to source IP spoofing - Difficult to ensure computers communicate only with legitimate NTP servers
TCP Handshake
SYN + SYN/ACK + ACK. The protocol by which a client and server machine establish communication for the transfer of data.
Permutation Scanning
All compromised computers share a common pseudo-random permutation of the IP address space.
NTP (Network Time Protocol)
An Internet protocol that enables synchronization of computer clock times in a network of computers by exchanging time signals.
Amplification Attack
An attack instigated using small, simple requests that trigger very large responses from the target. DNS, NTP, ICMP, and SNMP lend themselves to being used in these kinds of attacks. Small number of attacks. Two types: DoS Bug, DoS Flood.
Random Spoofing
Generate 32-bit numbers and stamp packets with them.
Subnet Spoofing
Generate random addresses within a given address space.
IP Layer Properties
The IP layer is connectionless, unreliable, and best effort. Its main weakness is that there is no authentication.
DoS Mitigation Techniques - Source Identification
ISPs filter out spoofed packets using ingress filtering - all ISPs have to do this for it to work - 25% of autonomous systems are spoofable.
Which of the following are assumptions that can be made about Traceback? 1. Attackers can generate limited types of packets 2. Attackers may work alone or in groups 3. Attackers are not aware of the tracing mechanism
1. Attackers can generate limited types of packets 2. Attackers may work alone or in groups [TRUE] 3. Attackers are not aware of the tracing mechanism
With regards to a UDP flood attack, which of the following statements are true: 1. Attackers can spoof the IP address of their UDP packets 2. The attack can be mitigated using firewalls 3. Firewalls cannot stop a flood because the firewall is susceptible to flooding.
1. Attackers can spoof the IP address of their UDP packets [TRUE] 2. The attack can be mitigated using firewalls (packets all look similar) 3. Firewalls cannot stop a flood because the firewall is susceptible to flooding. [TRUE]
Which of the following statements are true? 1. Client puzzles should be hard to construct. This is an indication of the level of difficulty to solve them. 2. Client puzzles should be stateless 3. Puzzle complexity should increase as the strength of the attack increases.
1. Client puzzles should be hard to construct. This is an indication of the level of difficulty to solve them. 2. Client puzzles should be stateless [TRUE] 3. Puzzle complexity should increase as the strength of the attack increases. [TRUE]
DoS Summary
1. Denial of Service attacks are real. 2. Must be considered at design time. 3. Sad truth: the Internet is ill-equipped to handle DDoS attacks. Commercial solutions: CloudFlare, Prolexic. 4. Many good proposals for Internet core redesign.
Self defense against reflector attacks should incorporate: 1. Filtering - filter DNS traffic as close to the victim as possible. 2. Server redundancy - servers should be located in multiple networks and locations. 3. Traffic limiting - traffic from a name server should be limited to reasonable thresholds
1. Filtering - filter DNS traffic as close to the victim as possible. 2. Server redundancy - servers should be located in multiple networks and locations. [TRUE] 3. Traffic limiting - traffic from a name server should be limited to reasonable thresholds
Select all the statements that are true for edge sampling: 1. Multiple attackers can be identified since edge identifies splits in reverse path 2. It is difficult for victims to reconstruct a path to the attacker 3. Requires space in the IP packet header
1. Multiple attackers can be identified since edge identifies splits in reverse path [TRUE] 2. It is difficult for victims to reconstruct a path to the attacker 3. Requires space in the IP packet header [TRUE]
SYN Cookies (select true statements) 1. SYN cookies require modified versions of TCP 2. SYN cookies lead to overall slower performance 3. The server must reject all TCP options because the server discards the SYN queue entry
1. SYN cookies require modified versions of TCP 2. SYN cookies lead to overall slower performance 3. The server must reject all TCP options because the server discards the SYN queue entry [TRUE]
TCP Header Format
Session-based, congestion control, in-order delivery.
Amplification Example
A DNS amplification can be broken down into four steps: 1. The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. The spoofed address on the packets points to the real IP address of the victim. 2. Each one of the UDP packets makes a request to a DNS resolver, often passing an argument such as "ANY" in order to receive the largest response possible. 3. After receiving the requests, the DNS resolver, which is trying to be helpful by responding, sends a large response to the spoofed IP address. 4. The IP address of the target receives the response and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial-of-service.
DoS Mitigation Techniques - Traceback
A list of code that was executed just before an exception stopped the program. Change routers to record info in packets.
Hitlist Scanning
A portion of a list of targets is supplied to a compromised computer.
Reflector Attack
A reflection attack involves an attacker spoofing a target's IP address and sending a request for information, primarily using the User Datagram Protocol (UDP) or in some cases, the Transmission Control Protocol (TCP). The server then responds to the request, sending an answer to the target's IP address. This "reflection"—using the same protocol in both directions—is why this is called a reflection attack. Any server operating UDP or TCP-based services can be targeted as a reflector.
SSL/TLS Handshake
Client Hello: The client kicks off the TLS handshake by sending configuration information to the server. This includes data like the TLS version(s) supported by the client, which cipher suites it can use, and some random data called the "client random". Server Hello: The server responds with a message including its choices of TLS version and cipher suite, its digital certificate, and the "server random". Premaster Secret: The digital certificate provided by the server contains its public key, which can be used for encrypting messages sent to the server. After verifying the validity of the certificate, the client generates another random value called the premaster secret. Using the server's public key, the client encrypts this value and sends it to the server. Session Keys: The server uses its private key to decrypt the premaster secret. At this point, both the client and the server have the client random, server random, and the premaster secret. From these, they calculate a shared session key. Since the premaster secret is a secret value - it was only sent in an encrypted form over the network - the session key is secret as well. Client Finished: To complete the TLS handshake, the client sends a message to the server that is encrypted with the session key. The server decrypts this message and verifies its correctness. If it matches, the server knows that the client correctly calculated the session key. Server Finished: The server also sends a message encrypted with the shared session key. Decrypting and verifying this message proves to the client that the server correctly calculated the session key.
DoS Mitigation Techniques - Client Puzzles
Client puzzles slow down the attacker and are easy for the server to check (client hashes the problem once). + Hardness of the challenge can be decided based on DoS attack volume. - Requires changes to both client and server. - Hurts low-power legitimate clients during an attack. Another variant is to use memory-bound functions, which can be easily scaled.
DoS Flood
Command botnet to generate flood of requests
DoS Mitigation Techniques - CAPTCHA
Completely Automated Public Turing Test To Tell Computers and Humans Apart. The idea is that only a human can solve the CAPTCHA, meaning the connection is from a human.
DoS Bug
Design flaw allowing one machine to disrupt a service
Random Scanning
Each compromised computer probes random addresses.
TCP SYN flood attack
Exploits behavior inherent to the TCP protocol. The attacker creates half-open TCP connections by sending the initial SYN packet with a forged IP address, and never acknowledges the SYN/ACK from the host with an ACK, leading to the host reaching a limit and no longer accepting connections from legitimate users. SYN flood attacks work by exploiting the handshake process of a TCP connection. Under normal conditions, a TCP connection exhibits three distinct steps in order to make a connection. 1. First, the client sends a SYN packet to the server in order to initiate the connection. 2. The server then responds to that initial packet with a SYN/ACK packet, in order to acknowledge the communication. 3. Finally, the client returns an ACK packet to acknowledge the receipt of the packet from the server. After completing this sequence of packet sending and receiving, the TCP connection is open and able to send and receive data. SYN packets with random source IPs fill up the backlog queue on the server; no further connections are possible.
TCP SYN flood example
MS Blaster worm (2003)
DoS Mitigation Techniques - Edge Sampling
Packet includes IPs at edge and distance/# of hops. Packet received -
Layers of the Network
Physical (e.g. cable, RJ45) Data Link (e.g. MAC, switches) Network (e.g. IP, routers) Transport (e.g. TCP, UDP, port numbers) Session (e.g. Syn/Ack) Presentation (e.g. encryption, ASCII, PNG, MIDI) Application (e.g. SNMP, HTTP, FTP)
Capability Defense
Receivers can specify what packets they want - Sender requests a capability in the SYN packet - Path identifier used to limit # of requests from one source - Receiver responds with a capability. Routers only forward request packets and packets with a valid capability.
Signpost Scanning
Uses the communication patterns of the compromised computer to find new targets.
DDoS Attack
A denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. The goal is to take out a large site with little computing.