What is a DoS attack?

Transcription

1 CprE 592-YG Computer and Network Forensics Log-based Signature Analysis Denial of Service Attacks - from analyst s point of view Yong Guan 3216 Coover Tel: (515) [email protected] October 9, What is a DoS attack?! A DoS attack can be defined as an attack designed to disrupt or completely deny legitimate users access to networks, servers, services, or other resources. A brief history: o Fall of 1999, Carnegie Mellon CERT Coordination Center released a message that warned of a new type of attack denial of service. o Spring 2000, DoS attacks shut down Yahoo, CNN, and ebay. 1

2 3 Classification of DoS attacks! Target resource starvation A resource starvation attack attempts to deny service to a particular machine or a particular service on a machine.! Network bandwidth consumption Network bandwidth consumption attacks target an entire network aiming to shut out all legitimate access, both inbound and outbound. 4 Last time, one example - Snork! DoS Resource Starvation! Land Attack Windows NT 4.0, pre-sp4 15:13: Protect-50.sawyer.af.mil.135 > Protect-50.sawyer.af.mil.135 : udp 46! Attack mechanism:! Spoofed RPC datagrams to UDP dest port 135:! One RPC server sends bad data to another RPC server. The second server returns a REJECT packet and the first server replies with another REJECT packet and create a loop that is not broken until a packet dropped.! If this spoofed UDP packet is sent to multiple dests, many loops may be created, consuming processor resources and network bandwidth. 2

3 5 Last time, another example SYN flood! DoS Resource Starvation! SYN Flood! TCP three-way handshake: SYN -> SYN-ACK -> ACK! Use good packet in a bad way (instead of bad packet)! Trace! See next slide Last time, another example SYN flood (cont.) [**] Unknown FTP access [**] 04/27 20:08: :3299 > xxx.xxx.xxx.189:21 TCP TTL: 45 TOS:0x0 ID:33389 DF **S***** Seq: 0xF883F9 Ack: 0x0 Win: 0x7D78 TCP options =>MSS: 1460 SackOK TS: NOP WS: /27 20:08: xxx.xxx.xxx.189:21 > :3299 TCP TTL: 64 TOS:0x0 ID:95 DF **S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470 TCP options =>MSS: /27 20:08: xxx.xxx.xxx.189:21 > :3299 TCP TTL: 64 TOS:0x0 ID:96 DF **S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470 TCP options =>MSS: /27 20:09: :3299 > xxx.xxx.xxx.189:21 TCP TTL: 236 TOS:0x0 ID:34629 ****R*** Seq: 0xF883F9 Ack: 0x0 Win: 0x

4 Last time, another example SYN flood (cont.) 7 Source address was spoofed: TTL difference 10 seconds elapsed between the time when xxx.xxx.xxx.189 sent SYN-ACK and the time RST was received. 8 TCP: TCP segment format Source Port Destination Port Sequence Number Header Length Reserved Acknowledgement Number U RG A CK P SH R ST S YN F IN Window Size Checksum Options Urgent Pointer Padding Data Figure

5 9 TCP: TCP segment format (cont.) " Source / Destination Ports (16b unsinged int): the source and sink port numbers of transport user " Sequence (Acknowledgement) Numbers (32b unsigned int): number of first byte sent (expected from other side) in the segment to other side Initial Sequence Number (ISN) by sender (ISN + 1) (SYN)» ISN is (must) be chosen at random. Acknowledgement Number is byte expected next (ACK) " Header Length: in 32b words " Reserved (0) TCP: TCP segment format (cont.) 10 " Flags: URG: urgent pointer is valid ACK: Acknowledgement number is valid PSH: deliver data received by receiving TCP immediately RST: Receving TCP must abort connection SYN: Connection Request with ISN = SN; FIN: Sender has no more data to send to receiving TCP;» shutdown(sd, 1) /* C */; " ( Advertised ) Window Size: amount of data receiver is willing to accept. Credit of data " Urgent Pointer (if URG flag is set) points to last byte of urgent data; any data from beginning of segment to UP are urgent 5

6 IP Datagram Format IP protocol version number header length (words) Type of Service Time-to-Leave max number remaining hops (decremented at each router) Upper layer protocol to deliver payload to ICMP=1, TCP=6, UDP=17, OSPF=89, etc. 32 bits ver head. type of length len service fragment 16-bit identifier flgs offset time to upper Internet live layer checksum 32 bit source IP address 32 bit destination IP address Options (if any) data (variable length, typically a TCP or UDP segment) total datagram length (bytes) 11 fragmentation / reassembly minimum fragment size = 576 Options timestamp, record route taken, specify list of routers to visit, etc. IP Datagram Format (cont.) 12 " IPversion [0.0..3] 4 = current, 6 = next generation IP IPng or IPv6, 5 = ST2 (a Real-Time stream protocol) " Header Length [0.4..7] in 32bit words " Type of Service [ ] (preferences 4b, priorities 3b): min delay, min $cost, max throughput, max reliability; most routers ignore ToS; OSPF can use it; DiffServ uses it as» differentiated Service (DS) Field (6 bits)» other two bits used by ECN (Early Congestion Notification). " Total Length [ ] in bytes 2 16 " Id, Flags, Offset [ ] used in fragmentation " Time To Live (TTL) [2.0..7] maximum number of hops DG can be forwarded. 6

7 13 Small Footprint DoS! With the attack, one packet can kill certain process that listen promiscuously on a network and make network monitoring ineffective.! Example: By crafting a packet with an IP version of 0 and header length of 0, the attack can crash certain version of TCPdump.! Anyone can see this packet should not exist. Packet irregularities: IP version 0, IP header length 0, protocol field 4 (IP in IP encapsulation)! How it works? Upon receiving an IP packet with protocol 4 and ihl=0, TCPdump enters an infinite loop within ip_print() from file print_ip.c.! See trace on transparency. 14 Telnet DoS attack! No need to kill to harm! No shutdown the network, no completely deny service to a particular machine or port.! Just want to make things a little slower. (Time-sensitive data transmission)! By sending many many Control-D (0x04) characters, the target machine cannot cleanly close the connection with a FIN packet and is forced to resort to sending RST packet.! This attack may come from a malicious attacker or a careless user who happens to sit on the keyboard in the wrong place at the wrong time.! Attack against old SunOS and Solaris! How it works?! Setup a connection to the telnet (23/TCP) on the victim machine and negotiate telnet options, and then send a continual stream of ^D characters.! See trace on transparency. 7

8 Summary of Resource Starvation DoS attacks 15! Causing RS DOS attacks is not that hard. It could happen for completely legitimate reasons.! Ask the guy streaming audio from your file server to stop for a while and see how much better your system performs.! Several points:! Source address in most DoS attacks are spoofed.! Look for packets that are unusual.! So far, all these DoS attacks have just one target. Next, we comes to a new class of DoS attacks that affect entire network target bandwidth utilization. 16 DoS attacks Bandwidth Consumption! To consume bandwidth so that no legitimate data can be processed, much bogus data need be generated to flood the network # Impossible to generate tremendous number of packets from attacker s workstation # Amplification method: one packet generates many response. (DDOS)! Exception: Normal traffic may have the same effect to cause a huge problem. (9/11, CNN website) # This is called slashshot effect. # As long as there are finite resources, there will always be a way to exceed those resources. 8

9 17 Internet Control Message Protocol (ICMP) " ICMP [RFC 792] is a sibling protocol with IP and it is used by hosts, routers, gateways to communicate network-level information among each other. " ICMP is a Request / Reply protocol. " Services: ECHO Request / Reply (ping) Timestamp Request / Reply (ping) Redirect (from router to source host) Destination unreachable (protocol, port, or host) TTL exceeded (stop datagram endless cycling ) Checksum failed Reassembly failed Cannot fragment ICMP (cont.) 18 " ICMP is used by hosts, routers, gateways to communicate networklevel information error reporting: unreachable host, network, port, protocol echo request/reply (used by ping) " network-layer above IP: ICMP msgs carried in IP datagrams " ICMP message: type, code plus first 8 bytes of IP datagram causing error " ping " traceroute Type Code description 0 0 echo reply (ping) 3 0 dest. network unreachable 3 1 dest host unreachable 3 2 dest protocol unreachable 3 3 dest port unreachable 3 6 dest network unknown 3 7 dest host unknown 4 0 source quench (congestion control - not used) 5 x redirects 8 0 echo request (ping) 9 0 route advertisement 10 0 router discovery 11 0 TTL expired 12 0 bad IP header 13 0 timestamp request, addrmask request, + 9

10 19 Smurf Attacks! Smurf uses the broadcast IP to amplify one packet into many.! Sending a stream of ICMP echo request packets from spoofed IP addresses to an open network broadcast address. All the hosts on the destination subnet will send ICMP echo replies to the spoofed source address.! A few hundred packets can generate thousands of packets that can deny service to targeted networks.! See trace in transparency. 20 Echo-Chargen Looping Attacks! UDP port 7: echo port It echoes the received packet back to the source.! UDP port 19: character generator Upon receiving a packet, it replies with a random string of characters.! If an attacker finds these ports available, one spoofed packet can generate many thousands of additional packets.! The chargen port generates characters to the echo port, which echoes them back to the chargen port, which gernrates characters to the echo port, and so on. Consume CPU cycles and network bandwidth Syslog: June 4 18::23:14 router inetd[204]: chargen/udp:eco/dup loop request REFUSED from

11 21 Spoofed DNS queries - DoomDNS! UDP does not perform authentication of the packet received.! DoomDNS sends odd queries to BIND servers that can elicit many responses from the server. When successful, of these packets can generate responses. Consume CPU cycles and network bandwidth! Use spoofed source IP address Syslog: Apr 21 18::23:14 s1 named[13168]: refused query on non-query socket from Apr 21 18::23:56 s1 named[13168]: refused query on non-query socket from Apr 21 18::45:14 s1 named[13168]: refused query on non-query socket from Apr 21 19::10:11 s1 named[13168]: refused query on non-query socket from Apr 21 19::23:35 s1 named[13168]: refused query on non-query socket from