Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Transcription

1 Denial of Service attacks: analysis and countermeasures Marek Ostaszewski

2 DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users - Wikipedia. Types of DoS: Vulnerability attack - malformed packets interact with some network protocol or application weakness present at victim. Flooding attack - sends the victim a large, occasionally continuous, amount of network traffic workload.

3 DoS Flooding attacks (1) Regular DoS - attacker sends great amount of network traffic to another machine. Condition - the attacker s bandwidth is greater than the victim s.

4 DoS Flooding attacks (2) Distributed DoS - attacker takes control over a group of computers in the network (bots, zombies, slaves) and uses them to flood the victim.

5 DoS Flooding attacks (3) Distributed Reflection DoS - attacker sends a constant flow of packets to a certain group of well-known servers. The source address is spoofed and points at the victim. The servers reply to the victim, invoking the flooding effect.

6 Analysis (1) DoS attack can be detected on two levels: As a flood of one or many connections to the internet, blocking their access and making data transfer impossible; on level of a victim. As a misbehavior, only in case 2 and 3; on level the intermediate nodes (if they are unaware victims). Dealing with DoS on those levels has different goals: Victim: To block accurately the unwanted flood without denying access to legitimate users. Intermediate node: To avoid accusation of partnership in an attack.

7 Analysis (2): Flood The effect is almost immediate block of internet connection due to traffic that is impossible to handle. The reaction time should be measured in hours. Dealing with DoS in real time is almost impossible; there is no slow start for DoS attack, the flood is immediate and overwhelming. All cases are characterized by network traffic having fixed origin. Even if some of the properties of the generated traffic are spoofed, certain characteristics of the network traffic remain unchanged: TCP/IP packet construction Number of hops Protocols used Startup time

8 Analysis (3): Misbehavior Acting as intermediate node causes no serious malfunctioning in internet communication, although it can be noticed. Remote control (Distributed DoS) is performed by malicious software, usually a trojan horse. Such activity characterizes itself with: Activity of unauthorized software Unauthorized incoming and outgoing connections Constant flow (Distributed Reflection DoS) is also an anomaly. Usually the flow consists of TCP SYN packets or DNS queries and its characteristics are: The anomalous structure of such flow The source address is spoofed, so the intermediate server witnesses anomalous requests from previously regular source

9 Countermeasures: Misbehavior Methods Monitoring the system for unauthorized system calls and outgoing/incoming connections on forbidden ports (HIDS). Monitoring the network for prohibited incoming/outgoing connections and unusual bandwidth consumption (NIDS). Support Signature and anomaly-based intrusion detection systems Remarks The model may include receiving information from the victim, that network/computer is a source of a DoS attack. The model may include the scenario of tracking the real attacker, controlling the intermediate node.

10 Countermeasures: Flood (1) Methods Filtering (on many levels) of malicious traffic: Network traffic needs to be accurately classified, to tell which packets should be discarded. Contact with source of attack, or its provider: The flow can be stopped at its source and a proper investigation can be carried out. Support Both methods require precise information about the source of the flood. An efficient and precise clustering and classification algorithm is needed, to find regularities in analyzed traffic Remarks Mistakes in such classification lead to blocking legitimate users from access to legitimate services - which is the sole purpose of DoS attacks.

11 Countermeasures: Flood (2) Information about traffic can be gathered using a technique called passive fingerprinting, used for gathering information about an operating system and the topology of its network only on the basis of construction of TCP/IP headers This information then can be analyzed using Context-aware Immune System (CAIS) presented by Mohr, Ryan and Timmis (2003) - their algorithm allows to construct an immune-based memory allowing classification and dynamically reflecting changes in analyzed data. The data to be analyzed using CAIS may be: IP and provider Distance Up time Protocol - specific information (ports, type of protocol, protocol flags)

12 Solution: CAIS(1) CAIS using passive fingerprinting information: Every parameter of analyzed data is represented by ARB ARBs are created according to principles of immune memory model proposed by Neal Dimensions (classes) are aggregation of ARBs describing similar objects Cross-dimensional links describe connections between parameters present in many classes

13 Solution: CAIS(2)

14 Solution: CAIS(3)

15 Solution: CAIS (4) ARBs are storing information in a compressed form, stimulation level of ARB describes how many values of certain parameter appeared. ARBs are stimulating each other if they describe similar information, this emphasizes relations between them. Every ARB has certain level of resources and a stimulation level, which decreases with time (Decay function). Noise is reduced, and the system keeps only information about traffic that are up to date. Different dimensions (classes) describe different relations between general information, like overview of system (Location, System info) and protocol specific information. Particular information are of specific meaning: Software used for conducting distributed attacks is especially effective in cases of particular operating systems (dedicated). Packets generated for the flooding are usually of narrow set of types, having only certain configuration of flags set Some providers or locations in the network (Russia, China) are more preferably chosen as sources of distributed attack because of their loose security policy.

16 Solution: CAIS based strategy Filtering - Information about dominant network traffic during flooding can be used for constructing accurate filters. The most active ARBs will provide information about protocol fields and their values. Contacting the source - information about location stored in ARBs could be used to contact The provider of hosts responsible for the flood and apply host own filters. The servers responsible for Reflection DoS. Tracing the real attacker - combination of two previous strategies would be to contact the provider of computers used for the attack and to contact those computer themselves to gather information that can be used to track the responsible for launching the DDoS or DRDoS attack.