DDoS - Distributed Denial of Service

Transcription

1 September 2013 Distributed Denial of Service Attacks COMPROMISING NETWORKS AND ORGANISATIONS Executive Summary Distributed Denial of Service (DDoS) attacks are a major cause of disruption for networks and the distributed applications they host. With enhancements of routers and intermediate network devices and appliances, the level of attention given to DDoS attacks has reduced over time, as they have been viewed as less of a security issue. These traditional volumetric attacks were often mitigated upstream, however low and slow DDoS attacks are still a significant issue and bypass routers and intermediate network devices causing an application-layer attack which overloads a service or database with application calls. DDoS attacks against the application layer may be both more subtle and potentially more damaging.

2 Introduction DDoS attacks have a long history of disrupting services provided through the internet, by targeting the lower network layers. By flooding lower network layers (the seven OSI layers are explained in more detail at the end of this document) with a massive surge in traffic, intermediate network devices, such as firewalls and intrusion detection/prevention systems, and hosts at the target installation can quickly become overwhelmed and crash. This then denies service to legitimate users who wish to use applications and services at higher network and application layers. For example, an attacker might use a rented botnet to simultaneously command 50,000 hosts to ping a target with numerous HTTP GET or POST requests (which could be 2G in size each). Alternatively, a worm (such as MyDoom) could generate 64 GET requests every second from every host infected by the worm (further technical examples are given at the conclusion of this document). The possibilities for generating this type of traffic are endless, and early attempts to deal with the problem were ineffective. However, most commercial ISPs and organisations offering web applications and services now invest in perimeter defence, such as a specialised router or Intrusion Detection System (IDS), which is able to quickly detect rising and unusual levels of traffic before they can cause servers to fail. Connections which are detected as being part of a DDoS attack can be terminated downstream, or high availability and cloud services can result in legitimate requests being rerouted to other hosts while a DDoS response is implemented. Unfortunately DDoS attacks are still a significant problem for organisations of all shapes and sizes. As usual, attackers have responded to an enhanced threat response at the transport layer by devising more sophisticated attacks directed at the application layer, which have the same impact: denial of service to legitimate users. The key message in relation to these attacks is that the perimeter defence technologies that About the Centre for Internet Safety The Centre for Internet Safety at the University of Canberra was created to foster a safer, more trusted Internet by providing thought leadership and policy advice on the social, legal, political and economic impacts of cybercrime and threats to cyber security. The Centre for Internet Safety is hosted within the Faculty of Law at the University of Canberra. The University of Canberra is Australia's capital university and focuses on preparing students for a successful and rewarding career. work well in deflecting transport layer attacks fail when confronted with an application layer attack, because such attacks only become active once the apparently legitimate traffic has passed through the perimeter defence. That's not to say perimeter defence cannot play a role in defeating such attacks, but that the perimeter would need a significantly higher level of intelligence about what is happening deep within the network to implement an effective response. DDoS Report 2

3 Current Issues Recent changes in the online threat environment have brought DDoS back into focus. A key theme of many advisories and publicised attacks over the past few years has been the persistent rise of hacktivists, such as the group Anonymous. Hacktivist groups identify somewhat arbitrary targets often through a loose collective decision making process, with DDoS being the typical mode of attack. Hacktivists can also identify and attack targets with a more political dimension or focus, but the motives are not always clear, and attacks are often difficult to predict. While most democracies are based around notions of free speech and the right to legitimate protest, actions which result in damage of property (for example street protests) are generally illegal. In the internet domain, a corollary might be that citizens should be free to express their views on blogs, wikis, forums etc but not to engage in online criminal damage. Unfortunately, many hacktivist groups set out to cause as much destruction and damage as possible, incurring real costs for site and infrastructure owners, and denying often critical online services. For example, since late 2010, Anonymous has initiated a number of DDoS attacks, including: Targeted attacks against the HBGary (February 2011) - servers broken into, s pillaged and published to the world, data destroyed, and its website defaced. Operation Payback (December 2010) - revenge attacks against major credit and financial institutions in the US & Europe after they cancelled dealings with and froze donations to WikiLeaks following political pressure surrounding secret US diplomatic cable leaks. Vatican website attacks (March 2012) - Disruption of the Vatican website in protests against what was claimed to be corruption in the Catholic Church. Operation Australia (July 2012) - Anonymous defaces several Queensland Government websites and threatens to release multiple GB of user data stolen from AAPT in protest of new data retention laws being discussed in Australia. The attacks subsequently moved onto the Federal Government Departments ASIO, AFP and ASD. In each case, governments, corporations and community organisation websites have experienced significant downtime, data loss, defacement and/or serious disruption of service. These effects can t be trivialised and cost an organisation time, money and brand reputation. The integration of application layer attacks, such as SQL injection with more traditional volumetric, networkbased DDoS attacks is a worrying trend, and has significantly increased the risk of a sophisticated attack for any organisation which may find itself being disapproved of for political or social reasons. Furthermore, identifying the source of an attack and participants can be challenging due to the distributed nature of the attacks; unlike some botnet infections, where client software is installed surreptitiously on an end-user s device without their knowledge, users are actively recruited by hacktivist groups to join the cause. In practice, this means non-technical users are encouraged to download and install tools like the Low Orbit Ion Canon (LOIC) and its variants such as Mobile LOIC and Web LOIC. Distribution of such tools and their widespread use (often by minors) can make prevention and prosecution of offenders very difficult, especially given geographic and jurisdictional issues. A hacktivist campaign could last for several days which is likely to be severe for most organisations, especially when the media may be recruited to provide favourable coverage to the attackers. 3 DDoS Report

4 Remedies What is the best approach to solving application layer attacks? While the attacks are likely to slow down servers behind the firewall, and well within the trusted core of servers, an enhanced security strategy would typically dictate pushing out defensive barriers towards the perimeter, where hardware-based blocking of connections from malicious hosts can be most effectively achieved. Yet, such perimeter defences will need some knowledge of the business rules which govern acceptable program behaviour for databases and application servers, and be able to identify true positive attacks from false positive blocking, which may further exacerbate an attack by blocking legitimate users. One technique would involve identifying strings which are likely to be flagged as risky or not appropriate for hosted applications. Using behavioral and signature based technologies organisations may defend against both network and application-level attacks. Identifying attacks and modifying protection rules can guard against future attack attempts. Furthermore, Network Behavioural Analysis (NBA) of network and application access patterns combined with pattern recognition and data mining technology could be used to recognise those patterns which are likely to lead to application layer attacks. This might include attempts to scan for known vulnerabilities or common attack patterns, such as SQL injection. NBA technologies must be adaptive, able to learn from past errors and incorporate feedback mechanisms. Devices using an NBA approach must be able to defend against both volume attacks as well as low rate attacks, since the high volume, SYN flooding approach may simply be a smokescreen for the actual attack payload, intended to penetrate deep inside corporate networks and systems. This implies that standard, lower layer firewalls are not sufficient to protect against attacks which are low rate and target the application layer; software is needed that can analyse, interpret and predict the end-result of changing patterns of HTTP requests based on their content. Coordination and detection of attacks at different network layers could be used to detect significant penetrations more effectively. Advanced Action Escalation Technology Another technique to defeat modern threats is to use a mechanism whereby new connections are challenged prior to establishing a session with the server. This Advanced Action Escalation Technology is often associated with and deployed as part of Anti-DoS and NBA protection components. The process works in conjunction with real-time signature and closed feedback modules with the aim of the escalation approach being to first detect suspicious users (through the real-time signature generation module) and second, to start and activate a set of actions beginning with the most gentle one that will have negligible, if any, impact on legitimate users. Based on a closed feedback loop, the system will decide if escalating to a more aggressive action is required. Actions include: SYN cookies TCP-Reset & Safe-Reset challenges 302 & JavaScript challenges (for HTTP/S traffic) The approach aims to minimise the impact on the human user experience while presenting a more accurate and adaptive response to the artificial users (for example, a bot). Ideally, network security devices need to be able to share information and parameters between the different layers of network and application cyber protection. For example, having cloud-based protection being able to leverage more detailed network and attack characteristics obtained by Common Platform Enumeration (CPE)-based protection, as well as targeted layer 7 protection web application firewall being able to inform CPE and cloud-based protection of DDoS Report 4

5 malicious hosts and sources in order to block at lower levels of the application or network. In effect this provides a unified and synchronised IT security model that extends from cloud scrubbing services, to customer-based perimeter network protection to targeted application and web protection and back. A CPE-based perimeter protection device, with information relating to specific application and layer 7 malicious hosts and sources may mitigate this issue. The correlation of this information with other network level intelligence will assist in offloading and mitigating applicationbased attacks at the perimeter. The ability to send specific information relating to the customer s network environment to cloud scrubbing services will provide more effective and immediate protection against volumetric network-based attacks upstream. Summary By combining a multi-layered approach, organisations can build on the success of defending against simple, transport layer DDoS attacks by considering how best to achieve operational assurance against application layer DDoS attacks. By securing the network from the perimeter inwards, and by implementing solutions which can detect attacks at different layers, real and pressing threats to network and system integrity can be mitigated. The OSI Model The Open Systems Interconnection (OSI) model was developed as a computer communications architecture and a framework for developing protocol standards. The upper layers of the OSI model represent software that implements network services like connection management. The lower layers of the OSI model implement hardwareoriented functions like routing and addressing. It consists of the following seven layers: Segments Packets Frames Bits DDoS Examples Layer Application Presentation Session Transport Network Link Physical A simple scenario may use HTTP POST, which has been flagged by the Open Source Web Application Security Project (OWASP) as a simple yet effective attack against the application layer. In the scenario involving malformed SYN requests, the perimeter defence can identify these readily as being improper and block them. But what about a spike in the size and quantity of image uploads? A naive perimeter defence would have no basis for blocking legitimate-appearing requests which were "legal" HTTP requests. Still, a clever perimeter defence might deprioritise such traffic, at the expense of denying access to legitimate clients during periods of high volume. A more sophisticated attack (such as DDoS over the Secure Sockets Layer, or SSL; see below) would provide no alerts at all at the perimeter because only a small amount of traffic would be involved; yet the impact on hosts actually providing a web service or application could be enormous, and potentially very difficult to diagnose and remedy. What is the link between DDoS and SQL injection? Rather than using SQL injection to drop a table of users, or damage data, it could be used to issue commands to the database which would considerably slow down response times to application requests. For example, a web application providing a view onto a Microsoft SQL Server database could be used to force an index rebuild on all tables, which may result in locking of database resources making them unavailable to legitimate users. 5 DDoS Report

6 Such an attack is not specific to SQL Servers; all databases and application servers have functions which can be exploited and misused in this way. Most importantly, the slow rate and volume of SQL injection attacks (or other application layer exploits) means that traditional security devices may fail to recognise and defend against them. Indeed, the focus on high volume dumb attacks means that other more sophisticated attacks can be undertaken while devices are paying attention to the most obvious but least worrying tactics. In this sense, a SYN flood may attract the attention of a CERT team, acting as a smokescreen or battering ram, while more sophisticated, low-volume attacks may fail to be detected and succeed often over a long period of time. This technique became clearly evident in the Sony PlayStation Network data breach of In a letter to US Congress, Sony chairman Kazuo Hirai wrote, Security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect this intrusion quickly. Other attacks may have volume characteristics, but still attack the application layer. For example, the RUDY (R U Dead Yet) tool attempts to exploit connection limits on webserver connections, by creating other legitimate connections that are not disconnected, thereby denying service in a manner akin to a traditional DDoS. Yet most devices would not be able to detect this type of maliciousness. As mentioned above, a more sophisticated and recent attack trend involves using SSL to attack the application layer. How does this work? Surely, SSL provides application layer security? SSL certainly provides end-toend confidentiality, but that confidentiality also reduces the effectiveness of perimeter defences, since the encrypted packets cannot be inspected to examine their contents and determine if they are malicious. Once malicious packets have passed through the firewall, there are a number of attack vectors which are possible. For example, the computational costs of decrypting large numbers of packets are likely to be very high compared to vanilla HTTP. The THC-SSL- DOS attack estimates a 15x overhead in using SSL versus HTTP for application layer DDoS1. It is well-known that even small reductions in response latency can have a highly non-linear effect on consumer behavior: Amazon, for example, found that every 100ms of latency would result in a 1% fall in sales, while every half second of lag for Google in presenting search results would reduce traffic by 20% ms-of-latency-cost-them-1-in-sales/ DDoS Report 6