How To Defend Against A Ddos Attack On A Web Server

Transcription

1 [main] Hello, My name is Kanghyo Lee, I m a member of infosec. Today, I am here to present about A taxonomy of DDoS attack and DDoS defense mechanisms. [index] this is the procedure of my presentation [Introduction] I talk you using Taxonomies, What are the different ways of perpetrating a DDoS attack? Why is DDoS a difficult problem to handle? What attacks have been handled effectively by existing defense systems? What attacks still remain unaddressed and why? [Introduction] Given two defense mechanisms, A and B, how would they perform if attack C occurred? What are their vulnerabilities? Can they complement each other and how? Are there some deployment points that are better suited for A than B and vice versa? How can I contribute to the DDoS field? A Distributed Denial-of-Service Attack Deploys multiple machines to prevent legitimate users of a service from using that service Denied by sending a stream of packets to a victim that Consumes key resources, rendering it unavailable to legitimate clients Provides the attacker with unlimited access to the victim machine so he can inflict arbitrary damage DoS : when a single host attacks DDoS : when multiple hosts attack simultaneously What makes DDoS attacks possible? End-to-end paradigm Intermediate network Quality of service, reliable and robust transport or security Bare-minimum, best-effort packet forwarding service If one party in two-way communication(sender or receiver) misbehaves, it can do arbitrary damage to its peer No one will step in and stop it Internet security is highly interdependent Commonly launched from system that are subverted through security-related compromises Depends on the state of security Internet resources are limited Intelligence and resources are not collocated Storing most of the intelligence needed for service guarantees with end hosts Limiting the amount of processing in intermediate network Intelligence and resources are not collocated Malicious clients can misuse the abundant resources of the unwitting intermediate network for delivery of numerous

2 messages to a less provisioned victim Accountability is not enforced Control is distributed Each network is run according to local policies defined by its owners No way to enforce global deployment of a particular security mechanism or security policy Recruits multiple agent machines Automatically through scanning of remote machines Looking for security holes that will enable subversion Exploited to break into recruited machines and infect them with the attack code By sending messages with infected attachments Subverted agent machines are used to send the attack packets Attackers often hide the identity of subverted machines during the attack through spoofing of the source address field in attack packets To inflict damage on the victim For personal reasons A significant number of DDoS attacks are against home computers, presumably for puposes of revenge For material gain Damaging competitor s resources DA: Degree of Automation DA-1: Manual The attacker manually scans remote machines for vulnerabilities, breaks into them, installs attack code, and then commands the onset of attack All of the recruitment actions were soon automated DA-2: Semi-Automatic The DDoS network consists of handler(master) and agent(slave, daemon, zombie) machines The recruit, exploit and infect phases are automated DA: Degree of Automation DA-2:CM-1: Direct Communication Hard-coding the IP address of the handler machines in the attack code that is later installed at the agent machine Discovery of one compromised machine can expose the whole DDoS network DA-2:CM-2: Indirect Communication The legitimate IRC service and control packets cannot be easily differentiated from legitimate chat traffic To further avoid discovery, attackers frequently deploy channel-hopping, using any given IRC channel for short periods of time DA: Degree of Automation DA-3: Automatic Automate the use phase in addition to the recruit, exploit and infect phases, and thus avoid the need for any communication between attacker and agent machines

3 Preprogrammed in the attack code The start time of the attack, attack type, duration and victim The propagation mechanisms usually leave a back-door to the compromised machine open, enabling easy future access and modification of the attack code DA-2 and DA-3:HSS: Host Scanning and Vulnerability Scanning Strategy Host Scanning Strategy To chose addresses of potentially vulnerable machines to scan Vulnerability Scanning Strategy To go through chosen list of address and probes for vulnerabilities Each compromised host probes random addresses in the IP address space Creates large amount of traffic and spreads very quickly DA-2 and DA-3:HSS-2: Hitlist Scanning Probes all addresses from an externally supplied list When it detects the vulnerable machine, it sends one half This technique allows for great propagation speed No collisions during the scanning phase half of the initial hitlist to the recipient and keeps the other DA-2 and DA-3:HSS-3: Signpost Scanning Use the information on the compromised host to select new targets All worms use topological scanning, exploiting information from address books for their spread DA-2 and DA-3:HSS-4: Permutation Scanning Pseudo-random permutation of IP space is shared among all infected machines Newly infected machine starts at a random point DA: Degree of Automation DA-2 and DA-3:HSS-5: Local Subnet Scanning Scan for targets that reside on the same subnet as the compromised host A single copy of the scanning program can compromise many vulnerable machines behind a firewall DA-2/DA-3:VSS-1: Horizontal Scanning DA-2/DA-3:VSS-2: Vertical Scanning DA-2/DA-3:VSS-3: Coordinated Scanning Machines probe the same port(s) at multiple machines within a local subnet DA-2/DA-3:VSS-4: Stealthy Scanning DA-2 and DA-3:PM: Propagation Mechanism After the recruit and exploit phases, the agent machine is infected with the attack code DA-2 and DA-3:PM-1: Central Source Propagation The attack code resides on a central server or set of servers. After compromise of the agent machine, the code is downloaded from the central source through a file mechanism. transfer DA-2 and DA-3:PM-2: Back-Chaining Propagation The attack code is downloaded from the machine that was used to exploit the system

4 The infected machine then becomes the source for the next propagation step Back-chaining propagation is more survivable than central-source propagation since it avoids a single point of failure DA-2 and DA-3:PM-3: Autonomous Propagation Autonomous propagation avoids the file retrieval step by injecting attack instructions directly into the target host during the exploitation phase Ex. Code Red, various worms, Warhol worm idea EW: Exploited Weakness to Deny Service EW-1: Semantic Protocol attacks exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess resources Ex. TCP SYN attack Exploited feature is allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN EW-2: Brute-Force Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions Ex: Flood Attacks SAV: Source Address Validity SAV-1: Spoofed Source Address SAV-1:AR: Address Routability This is not the attacker s address, but can it be routed? SAV-1:AR-1: Routable Source Address To perform a reflector attack on the machine whose address was hijacked SAV-1:AR-2: Non-Routable Source Address Attack packets carrying reserved address can be easily detected and discarded SAV: Source Address Validity SAV-1:ST-1: Random Spoofed Source Address Random 32-bit number Prevented using ingress filtering, route-based filtering SAV-1:ST-2: Subnet Spoofed Source Address Spoofs a random address from the address space assigned to the machine s subnet Ex. A machine in the /24 chooses in the range to SAV: Source Address Validity SAV-1:ST-3: En Route Spoofed Source Address Spoof address of a machine or subnet along the path to victim SAV-1:ST-4: Fixed Spoofed Source Address Choose a source address from a specific list Reflector attack ARD: Attack Rate Dynamics ARD-1: Constant Rate Used in majority of known attacks

5 Best cost-effectiveness: minimal number of computers needed Obvious anomaly in traffic ARD-2: Variable Rate ARD-2:RCM-1: Increasing Rate Gradually increasing rate leads to a slow exhaustion of victim s resources Could manipulate defense that train their baseline models ARD-2:RCM-2: Fluctuating Rate Adjust the attack rate based on victim s behavior or preprogrammed timing Ex. Pulsing attack PC: Possibility of Characterization Characterization may lead to filtering rules PC-1: Characterizable Those that target specific protocols or applications at the victim Can be identified by a combination of IP header and transport protocol header values or packet contents Ex. TCP SYN attack SYN bit set PC-1:RAVS: Relation of Attack to Victim Services PC-1:RAVS-1: Filterable Traffic made of malformed packets or packets for non-critical services of the victim s operation Ex. ICMP ECHO flood attack on a web server PC-1:RAVS-2: Non-Filterable Well-formed packets that request legitimate and critical services Filtering all packets that match attack characterization would lead to a denial of service PC-2: Non-Characterizable Traffic that uses a variety of packets that engage different applications and protocols Classification depends on resources that can be used to characterize and the level of characterization Ex. Attack uses a mixture of TCP packets with various combinations of TCP header fields Characterizable as TCP attack, but nothing finer without vast resources PAS: Persistence of Agent Set Some attacks vary their set of active agent machines Avoid detection and hinder traceback PAS-1: Constant Agent Set PAS-2: Variable Agent Set VT: Victim Type VT-1: Application Ex. Bogus signature attack on an authentication server Authentication not possible, but other applications still available VT-2: Host Disable access to the target machine Overloading, disabling communications, crash machine, freeze machine, reboot machine

6 Ex. TCP SYN attack overloads communications of machine VT-3: Resource Attacks Target a critical resource in the victim s network Ex. DNS server, router Prevented by replicating critical services, designing robust network topology VT-4: Network Attacks Consume the incoming bandwidth of a target network Victim must request help from upstream networks VT-5: Infrastructure Target a distributed service that is crucial for global Internet operation Ex. Root DNS server attacks in October 2002, February 2007 IV: Impact on the Victim IV-1: Disruptive Completely deny the victim s service to its clients All currently reported attacks are this kind IV-2: Degrading Consume some portion of a victim s resources, seriously degrading service to customers Could remain undetected for long time IV: Impact on the Victim IV-1:PDR: Possibility of Dynamic Recovery IV-1:PDR-1: Self-Recoverable Ex. UDP flooding attack IV-1:PDR-2: Human-Recoverable Ex. Computer freezes, requires reboot IV-1:PDR-3: Non-Recoverable Permanent damage to victim s hardware No reliable accounts of these attacks [DDoS Defense Challenge] Need for a distributed response at many points on the Internet The response be deployed at many points on the Internet to cover diverse choices of agents and victims Economic and social factors A distributed response system must be deployed by parties that aren t directly damaged by a DDoS attack [DDoS Defense Challenge] Lack of defense system benchmarks No benchmark suite of attack scenarios or established evaluation methodologies Lack of detailed attack information We have information on control programs Information on frequency of various attack types is lacking Information on rate, duration, packet size, etc. are lacking [DDoS Defense Challenge] Difficulty of large-scale testing

7 No large-scale test beds U.S. National Science Foundation is funding development of a large-scale cybersecurity test bed No safe ways to perform live distributed experiments across the Internet No detailed and realistic simulation tools that support thousands of nodes AL: Activity Level AL-1: Preventive Eliminate possibility of DDoS attacks or enable victims to endure the attack without denial of service AL-1:PG: Prevention Goal AL-1:PG-1: Attack Prevention The system is trying to prevent attacks Modify systems and protocols on the Internet to eliminate the possibility of subversion or of performing a DDoS attack AL-1:PG-1:ST: Secured Target AL-1:PG-1:ST-1: System Security Secure the system Guard against illegitimate accesses to a machine Remove application bugs, Update protocol installations Ex. Firewall systems, IDSs, Automated updates AL-1:PG-1:ST-2: Protocol Security Secure the protocols Bad protocol design examples: TCP SYN Attack, Authentication server attack, IP source address spoofing Ex. Deployment of a powerful proxy server that completes TCP connections Ex. TCP SYN cookies AL-1:PG: Prevention Goal AL-1:PG-2: DoS Prevention The system is trying to prevent a denial of service Enable the victim to endure attack attempts without denying service Enforce policies for resource consumption Ensure that abundant resources exist AL-1:PG-2:PM: Prevention Method AL-1:PG-2:PM-1: Resource Accounting Police the access of each user to resources based on the privileges of the user and user s behavior Let real, good users have access Coupled with legitimacy-based access mechanisms AL-1:PG-2:PM-2: Resource Multiplication Ex. Pool of servers with load balancer, high bandwidth network AL-2: Reactive Defense systems try to alleviate the impact of an attack Detect attack and respond to it as early as possible AL-2:ADS: Attack Detection Strategy

8 AL-2:ADS-1: Pattern Detection Store signatures of known attacks and monitor communications for the presence of patterns Only known attacks can be detected Ex. Snort AL-2:ADS-2: Anomaly Detection Compare current state of system to a model of normal system behavior Previously unknown attacks can be discovered Tradeoff between detecting all attacks and false positives AL-2:ADS-2:NBS: Normal Behavior Specification AL-2:ADS-2:NBS-1: Standard Rely on some protocol standard or set of rules Ex. TCP protocol specification describes three-way handshake Detect half-open TCP connections No false positives, but sophisticated attacks can be left undetected AL-2:ADS-2:NBS-2: Trained Monitor network traffic and system behavior Generate threshold values for different parameters Communications exceeding one or more thresholds are marked as anomalous Low threshold leads to many false positives, high threshold reduces sensitivity Model of normal behavior must be updated Attacker can slowly increase traffic rate so that new models are higher and higher AL-2: Reactive AL-2:ADS-3: Third-Party Detection Rely on external message that signals occurrence of attack and attack characterization AL-2:ARS: Attack Response Strategy What does the system do to minimize impact of attack? Goal is to relieve impact of attack on victim with minimal collateral damage AL-2:ARS: Attack Response Strategy AL-2:ARS-1: Agent Identification Provides victim with information about the ID of the attacking machines Ex. Traceback techniques AL-2:ARS-2: Rate-Limiting Extremely high-scale attacks might still be effective AL-2:ARS-3: Filtering Filter out attack streams Risk of accidental DoS to legitimate traffic, clever attackers might use as DoS tools Ex. Dynamically deployed firewalls AL-2:ARS-4: Reconfiguration Change topology of victim or intermediate network Add more resources or isolate attack machines

9 Ex. Reconfigurable overlay networks, replication services CD: Cooperation Degree CD-1: Autonomous Independent defense at point of deployment Ex. Firewalls, IDSs CD-2: Cooperative Capable of autonomous detection/response Cooperate with other entities for better performance Ex. Aggregate Congestion Control (ACC) with pushback mechanism Autonomously detect, characterize and act on attack Better performance if rate-limit requests sent to upstream routers CD-3: Interdependent Cannot operate on own Require deployment at multiple networks or rely on other entities for attack prevention, detection or efficient response Ex. Traceback mechanism on one router is useless DL: Deployment Location DL-1: Victim Network Ex. Resource accounting, protocol security mechanisms DL-2: Intermediate Network Provide defense service to a large number of hosts Ex. Pushback, traceback techniques DL-3: Source Network Prevent network customers from generating DDoS attacks [Using The Taxonomies] How can the taxonomies be used? A map of DDoS research Exploring new attack strategies DDoS benchmark generation Common vocabulary Design of attack class-specific solutions Understanding of solution constraints Identifying unexplored research areas [Conclusion] Good taxonomies will facilitate communication and offer the a common language for discussing solutions Attackers cooperate to exchange attack code and information about vulnerable machines, and to organize their agents into coordinated networks to achieve immense power and survivability

10