DoS Attacks Flood Techniques
International Journal of Combinatorial Optimization Problems and Informatics, Vol. 3, No. 2, May-Aug 2012, pp ISSN:

Lidia Prudente T., Eleazar Aguirre A., Alba F. Moreno Hdez., Rubén J. García V.
Instituto Politécnico Nacional. Escuela Superior de Ingeniería Mecánica y Eléctrica Unidad Culhuacan, México D.F.
[email protected], [email protected], [email protected], [email protected]

Abstract. DoS (Denial of Service) attacks are one of the main problems in the computer security field. These attacks usually result in the loss of network connectivity, because they consume excessive bandwidth and create resource bottlenecks on the attacked system. DoS attacks can be carried out in various ways, but all of them have in common the use of the IP protocol. This work presents the effects that DoS attacks based on flooding techniques have on the network elements and security controls of a computer network, with the aim of mitigating them.

Keywords: Network Attacks, Spoofing, DoS

1 Introduction

A Denial of Service attack is characterized by an explicit attempt to prevent legitimate users of a service from making use of it; for example, flooding a network with fake packets so as to crowd out legitimate network traffic, or disrupting the connections between computers, which blocks access to a general or particular service. Nowadays it is difficult to detect and mitigate network attacks in time [1]; DoS attacks on network systems make a service or resource unavailable to valid users. These attacks are implemented by sending a multitude of simultaneous requests to a service; the processes that handle them become saturated by the volume of network flows, and the server becomes unable to answer so many requests [2]. The use of TCP/IP protocols is common in this kind of attack, since the packets sent during the attack are often ordinary ICMP, UDP or TCP packets and therefore do not raise suspicion in the network security controls.

An attack of this kind can be carried out in several ways, but basically consists of consuming resources such as bandwidth, memory space or all the available processing capacity, in order to alter configuration information or route status, or to terminate sessions [2][3]. Within the spectrum of DoS attacks, this work focuses mainly on flooding techniques that use network protocols which the Access Controls allow to pass from one network to another. There are three essential types of flooding DoS attack [4]: SYN Flood, ICMP Flood and UDP Flood; each one is discussed in detail in section 2.

The paper is organized as follows. The first section is a brief introduction to the problems that DoS attacks cause. The second section describes DoS attacks. The third section shows in detail the attacks based on flooding techniques. The fourth section presents the network architecture of the probes and its characteristics, and the fifth section presents the results and their analysis, followed by the conclusions and references.

2 DoS Attacks

A Denial of Service (DoS) attack is designed to hinder or completely stop the normal functioning of a website, network, server or other resource. DoS attacks usually overwhelm servers with incessant requests until the servers slow down [3].

Received Oct 10, 2011 / Accepted Dec 31, 2011. Editorial Académica Dragón Azteca (EDITADA.ORG)
A distributed denial of service (DDoS) attack differs from a DoS attack only in the method. A DoS attack is launched from a single system or network, while a DDoS attack is organized to take place simultaneously from a large number of systems or networks [5]. There is a wide taxonomy of DoS attacks [6]; however, the scope of this paper considers two basic methods: the exploitation of a vulnerability discovered in the target, known as a vulnerability attack, and the sending to the victim of a large number of legitimate-looking packets, known as a flood attack.

2.1 DoS by vulnerability technique

The technique consists of exploiting vulnerabilities by sending one or more specially built packets, such as a request to execute a procedure that has security holes. The vulnerability is generally a design flaw, an implementation error in a software application, or a deficiency in the configuration files. The effect can be triggered by requests from network drives and data applications, through application commands that cause a buffer overflow or deliver a shell session with super-user permissions. The packets deliberately formed by the attacker may drive an application into a state that the developer did not foresee at design time. One such attack consists of sending many requests with random TCP flags set, known as the Christmas tree attack. The arrival of these packets can push the system into an infinite loop, causing it to stop, restart or consume large amounts of memory, which in every case results in the denial or degradation of the service provided to legitimate users [7].

2.2 DoS by Flood technique

Flood attacks are executed by sending a large number of messages to a destination, which becomes the victim of the attack; processing them depletes the victim's critical resources. The technique is brute force: the success of the attack depends on the attacker's force being greater than the force of the security scheme or architecture of the targeted network. Most networks currently deploy security schemes based on checkpoint systems; within this group are the Network Access Controls known as firewalls, responsible for allowing or blocking the passage of packets. Consequently, attackers must examine which protocols and ports are enabled in order to use them in the attack [3].

3 Flood Attacks

A flood attack is based on consuming the victim's bandwidth. The process consists of sending junk information to the victim at the highest speed allowed by the attacker's network connection [8]. For example, processing complex requests may require a great deal of CPU time, transmitting long messages can exhaust the bandwidth available for communications, and receiving messages that initiate communications with new clients can exhaust the available memory. Once a resource is exhausted, legitimate clients can no longer use the service, and it is difficult to identify the legitimate requests that arrive before the system shows signs of exhaustion. The main characteristic of flood attacks is that their strength lies more in the volume of the traffic than in its content [9]. This has two major implications:

- Attackers can send a variety of packets. The attack traffic can even resemble legitimate traffic, adopting within certain limits its structure and arbitrary behaviour, which greatly facilitates the concealment of the attack.
- The attack traffic flow must be large enough to consume the resources of the attacked system.

There are three techniques, also known as flood or flooding: SYN flood, ICMP flood and UDP flood.

3.1 Flood by SYNchrony request

A SYN flood attack is carried out by sending a flood of TCP packets with the SYN flag set, often with a spoofed source address.
Figure 1a shows the process of establishing a TCP connection: when a host starts a connection to another host, it initiates the conversation with a SYN (synchronize) request; the other end receives the SYN and responds with a SYN + ACK (acknowledgement); finally, the host that started the connection responds with an ACK, establishing a full-duplex communication channel over which user data can be transmitted. This is known as the three-way handshake. In a SYN flood attack the attacker sends a large number of SYN connection requests, and the victim machine sends a SYN-ACK back in answer to each SYN received. The victim reserves memory for receiving and sending data, but the attacker never answers with the ACK that would complete the full-duplex connection. This operation is repeated many times, and each SYN received during the attack creates a temporary half-open connection. Since these half-open connections use memory resources equivalent to a full connection, after a short time the victim machine is saturated and cannot accept more connections [10]. This behaviour is shown in Figure 1b. This type of denial of service affects only the target machine.

Fig. 1a. Diagram of the connection establishment phase of TCP (Client to Server: SYN seq=x; Server to Client: SYN, ACK=x+1 seq=y; Client to Server: ACK=y+1 seq=x+1; then DATA).
Fig. 1b. Schematic of the SYN Flood attack phase (exchanges labelled SYN; SYN, ACK; ACK, repeated).

3.2 Flood by control and error messages

The ICMP flood is intended to exhaust the victim's bandwidth. It consists of continuously sending a large number of ICMP echo requests (ping) of considerable size to the victim, which has to respond with ICMP echo replies (pong); the complete process represents an overload on the network as well as on the victim system. The degree of overhead varies with the ratio between the processing capacity of the victim and that of the attacker: if the attacker has much greater capacity, the victim cannot handle the traffic generated. The source address used in this attack may also be fake, or intentionally chosen to make the resource depletion more effective [3].

3.3 Flood by non-connection-oriented datagram requests

UDP flooding generates large amounts of UDP packets sent to the chosen victim.
Because UDP is a connectionless protocol, this type of attack is often accompanied by IP spoofing, and unlike communications over the connection-oriented transport protocol, it requires the consumption of processing resources on the attacker's side. Applying this type of attack does not require the victim to reserve memory in order to respond to the requests. It is common to apply this attack against machines running the echo service, so that large echo messages are generated [2, 3].

4 Probes Scenario

The methodology and behaviour of these attacks were verified with tests carried out over a typical network topology based on security controls. The test scenario for the DoS attacks includes connectivity devices such as routers and switches, as well as Access Controls and zone delimitation with the pertinent policies. Figure 2 details the distribution of each of these elements.

Fig. 2. Probes Network Topology

Figure 2 shows a Firewall device delimiting three zones: DMZ, MZ and PZ. Each one is configured with the typical network security policies. The Military Zone (MZ) contains the internal network, where the organization's users are located. The Demilitarized Zone (DMZ) holds the HTTP and DNS application servers. The external users and the attacking machines are located in the Public Zone (PZ). The policies implemented on the Firewall are shown in Table 1; the default policy is Accept.
Table 1. Zone policies implemented on the Firewall

Source Zone   Source Port   Destination Zone   Destination Port   Protocol   Action
MZ            Any           PZ                 80                 HTTP       ACCEPT (Masqueraded)
MZ            Any           DMZ                80                 HTTP       DROP
DMZ           Any           PZ                 80                 HTTP       DROP
DMZ           Any           MZ                 80                 HTTP       DROP
PZ            Any           MZ                 80                 HTTP       DROP
PZ            Any           DMZ                80                 HTTP       ACCEPT (Masqueraded)
MZ            Any           PZ                 53                 DNS        ACCEPT (Masqueraded)
MZ            Any           DMZ                53                 DNS        DROP
DMZ           Any           PZ                 53                 DNS        ACCEPT (Masqueraded)
DMZ           Any           MZ                 53                 DNS        DROP
PZ            Any           MZ                 53                 DNS        DROP
PZ            Any           DMZ                53                 DNS        ACCEPT (Masqueraded)
Any           Any           Any                53 (TCP)           DNS        DROP
Any           Any           Any                Any                ICMP       ACCEPT
Any           Any           Any                Any                TCP        DROP
Any           Any           Any                Any                UDP        DROP

The Network Access Control (Firewall) is a system with three Network Interface Cards, installed with the following characteristics and configuration:

- eth0: connects the Military Zone (MZ), with IP address
- eth1: connects the Public Zone (PZ), with two IP addresses; the two IP addresses are used to create a NAT between the DMZ and the MZ.
- eth2: connects the Demilitarized Zone (DMZ), with IP address

Table 2 lists the hardware specifications of the systems shown in Figure 2.

Table 2. Hardware Specifications

System                                 Operating System          Processor                       Memory   Network Interface Card
Firewall                               Kubuntu                   Intel Core 2 vPro (3 GHz)       3 GB     eth0 (Realtek 10/100 Mbps PCI), eth1 (Realtek 10/100 Mbps PCI), eth2 (Intel 10/100 Mbps)
User located on Military Zone          Windows XP Professional   Intel Core 2 vPro (3 GHz)       3 GB     eth2 (Intel 10/100 Mbps)
Server located on Demilitarized Zone   Ubuntu                    Intel Core 2 Duo (2.4 GHz)      1 GB     Intel 10/100 Mbps
Attacker located on Public Zone        Backtrack 4               AMD Athlon X2 Dual Core QL-62   3 GB     Realtek 10/100 Mbps PCI
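The reason the floods in section 5 reach the DMZ is visible in Table 1 itself: the policy admits ICMP from anywhere and TCP/80 and UDP/53 from the PZ to the DMZ, so the access control has no basis for rejecting them. The following is an added example, not part of the paper, that encodes Table 1 as an ordered first-match rule list (an assumption; the paper does not state the evaluation order) with the default ACCEPT the text mentions, and asks what verdict each flood flow would receive. HTTP rows are mapped to TCP/80 and DNS rows to UDP/53 except for the explicit "53 (TCP)" row; zones are labels only and no packets are sent.

```python
"""Added example (not from the paper): a first-match model of the zone
policy in Table 1, used to check which flood flows the access control
would pass.  Assumptions: rules are evaluated top to bottom, the first
match wins, and unmatched traffic falls to the default ACCEPT that the
paper states.  HTTP rows are modelled as TCP/80, DNS rows as UDP/53."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src_zone: str            # "MZ", "DMZ", "PZ" or "Any"
    dst_zone: str
    dst_port: Optional[int]  # None means Any
    proto: str               # "TCP", "UDP", "ICMP" or "Any"
    action: str              # "ACCEPT" or "DROP"

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None for protocols without ports (ICMP)
    proto: str

# Table 1 transcribed in order; source port is "Any" on every row, so it is omitted.
TABLE1 = [
    Rule("MZ", "PZ", 80, "TCP", "ACCEPT"),
    Rule("MZ", "DMZ", 80, "TCP", "DROP"),
    Rule("DMZ", "PZ", 80, "TCP", "DROP"),
    Rule("DMZ", "MZ", 80, "TCP", "DROP"),
    Rule("PZ", "MZ", 80, "TCP", "DROP"),
    Rule("PZ", "DMZ", 80, "TCP", "ACCEPT"),
    Rule("MZ", "PZ", 53, "UDP", "ACCEPT"),
    Rule("MZ", "DMZ", 53, "UDP", "DROP"),
    Rule("DMZ", "PZ", 53, "UDP", "ACCEPT"),
    Rule("DMZ", "MZ", 53, "UDP", "DROP"),
    Rule("PZ", "MZ", 53, "UDP", "DROP"),
    Rule("PZ", "DMZ", 53, "UDP", "ACCEPT"),
    Rule("Any", "Any", 53, "TCP", "DROP"),
    Rule("Any", "Any", None, "ICMP", "ACCEPT"),
    Rule("Any", "Any", None, "TCP", "DROP"),
    Rule("Any", "Any", None, "UDP", "DROP"),
]
DEFAULT_ACTION = "ACCEPT"   # stated in the paper's text

def _field_matches(rule_value, flow_value) -> bool:
    """A rule field of "Any" (or None for the port) matches every flow value."""
    return rule_value in ("Any", None) or rule_value == flow_value

def decide(flow: Flow, rules=TABLE1) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None means the default applied."""
    for i, r in enumerate(rules):
        if (_field_matches(r.src_zone, flow.src_zone)
                and _field_matches(r.dst_zone, flow.dst_zone)
                and _field_matches(r.dst_port, flow.dst_port)
                and _field_matches(r.proto, flow.proto)):
            return r.action, i
    return DEFAULT_ACTION, None

def flood_verdicts():
    """Verdicts for flows shaped like the floods of section 5 (PZ attacker, DMZ victim)."""
    return {
        "icmp_flood": decide(Flow("PZ", "DMZ", None, "ICMP")),
        "syn_flood_http": decide(Flow("PZ", "DMZ", 80, "TCP")),
        "udp_flood_echo": decide(Flow("PZ", "DMZ", 7, "UDP")),   # port 7 assumed (echo service)
        "udp_flood_dns": decide(Flow("PZ", "DMZ", 53, "UDP")),
    }

if __name__ == "__main__":
    for name, (action, idx) in flood_verdicts().items():
        print(f"{name:15s} -> {action} (rule {'default' if idx is None else idx})")
```

The model reproduces the paper's observation: the ICMP flood matches the catch-all ICMP ACCEPT row and the SYN flood matches the PZ-to-DMZ HTTP row, so both pass. It also shows that a UDP flood aimed at the echo port is dropped by the final UDP row, while one aimed at port 53 is accepted by the DNS row, which is why an access-control policy alone cannot distinguish a flood from service traffic.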
HTTP and DNS services were configured on a system located in the Demilitarized Zone with the specifications indicated in Table 2; the HTTP service was configured with Apache 2.2 and the DNS service with Bind. The network devices used were:

- Two Catalyst 2960 switches to connect the DMZ and the MZ.
- One CISCO 3560 G Series switch.
- One CISCO 3800 Series router.

The functionality of all the attacks mentioned above was verified with tools that show the effects of a flood attack on the network elements.

5 Application of DoS attacks with Flooding techniques

5.1 ICMP Flood attack with Spoofed IP

The first attack monitored was the ICMP Flood attack, which consists of sending the largest possible number of ICMP requests to the victim in order to consume all the available bandwidth of the network, using a spoofed IP address so that the origin of the attack cannot be traced. In this case the attack was executed from a system located in the Public Zone, with the specifications given in Table 2, and was targeted at a victim located in the DMZ through a NAT on the firewall. The attack was executed with the Hping tool of BackTrack 4, installed on the attacker system, targeting the HTTP server. The command applied was:

hping a

With this syntax the Hping tool generates ICMP packets from the specified spoofed IP address. The packets are then sent to the victim (HTTP server) through the Access Control system. As a result, the server tries to answer the ICMP requests to the spoofed IP address. Since there is no system to receive the traffic produced when the server transmits its answers to the spoofed address, the bandwidth and CPU usage of the victim increase rapidly, and this continues until the server cancels the transmission. With the Wireshark network analyzer it is possible to observe the format of the attacking ICMP packets sent to overflow the victim's network.

Figure 3 shows the structure of the packet sent to the victim: the IP source address in the packet corresponds to the spoofed IP address used in the Hping tool, the IP destination address is the victim's, and the protocol requests are ICMP.

Fig. 3. Format of an ICMP attack packet
Figures 4a, b, c and d show the resource usage on the Demilitarized Zone system during the attack.

Fig. 4a. Initial State of the victim.
Fig. 4b. Initial state of the Processor.
Fig. 4c. Increased Processor usage.
Fig. 4d. End of the Attack.

Figure 4a shows the state of the HTTP server before being attacked, where no abnormal activity is registered; Figure 4b shows the initial state of the processor in the HTTP server system once the attack has started. Figure 4c shows the increase in processor usage, and Figure 4d shows how the resource usage returns to normal when the attack ends. The effects caused by the attack degrade the HTTP server's ability to answer requests from real users.

Figures 5a, b and c show the resource usage on the Firewall during the attack. On this system the effects on the processor are smaller than on the HTTP server, because its hardware resources are greater; nevertheless the effects are similar, so if the number of attacking requests increases, the processor usage may increase exponentially. Figure 5a shows the initial state of the firewall processor before the attack is launched. Figure 5b shows the increase in processor usage due to the attack. Figure 5c shows the state of the firewall processor after the end of the attack.

Fig. 5a. Firewall Initial State.
Fig. 5b. Increase of Firewall Processor usage.
Fig. 5c. Firewall at the end of the attack.
The attack relies on a spoofed IP address so that the attacked system cannot trace the packets back to their origin. If the IP address used in the attack were not spoofed, all the server's answers would reach the origin and consume the network bandwidth that is supposed to be used for the attack, and the effect of retransmitting the answers would not occur.

5.2 Jumbo ICMP Flood Attack

This attack uses ICMP type 8 packets to overflow the network, and is applied with the ping command on the attacking system:

ping s

This command sends ICMP packets of the maximum allowed size to the victim. Owing to the limitations of the medium used to transmit the packets, each message was fragmented into 44 packets of 1480 octets. The elapsed time of the attack was ms, during which 156 packets were sent to the victim with the maximum octet size of . Figure 6 shows the capture of a packet with Wireshark; the size of all the packets is octets. Because of the network capacity, the IP protocol segments the packets into fragments of 1480 octets until the specified size is reached.

Fig. 6. Jumbo ICMP Flood attack packet

Figures 7a, b, c and d show the HTTP server processor activity when the packet size is octets.

Fig. 7a. Network usage increase.
Fig. 7b. Attacked system initial state.
Fig. 7c. Increased Processor Usage.
Fig. 7d. Attack end.

Figures 7a and 7b show the HTTP server's initial state, Figure 7c shows the increase in processor usage during the attack, and Figure 7d shows how the resource usage returns to normal after the attack ends. In the same way, Figure 8 shows the initial state and the processor usage on the firewall. This attack affects only the victim, while it is reassembling the fragmented packets, so the Firewall is not affected.

Fig. 8a. Firewall Initial State.
Fig. 8b. Processor Increase usage during attack.
Fig. 8c. Resource Usage during attack.
Fig. 8d. Firewall state after attack.
5.3 SYN Flood Attack

The SYN Flood attack was aimed at the Web server in order to block the service for real users. The attack was applied from the Public Zone with the Hping2 command installed in Backtrack:

hping S rand-source destport 80 debug w 2048

This command creates packets with spoofed IP addresses and the SYN flag set, targeting the HTTP port and using 2048 as the window size. The attack attempts to open connections with the HTTP server and keep them open until the connection times out. This is done by not sending the last packet of the TCP three-way handshake. The target of this attack is the HTTP server's connection capacity. Figure 9 shows the initial state of the network on the HTTP Server. Figure 10 shows the start of the attack.

Fig. 9. Initial State of the Web Server.
Fig. 10. Start of the SYN Flood Attack.

The bandwidth of the attack corresponds to 1.4 Kbit/s and is constant throughout the attack. The normal bandwidth and processor usage of the HTTP server are shown in Figure 11.

Fig. 11. Normal HTTP Server Resource Usage.

The HTTP server uses 3.4 Mbps of bandwidth while a user is connected to the service to receive information. The attack ends when the Web Server stops responding to new connections; in the tests the attack took effect after periods of between 3 min 30 s and 5 min. This state lasts 5 minutes after the end of the attack.
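Sections 3.1 and 5.3 describe the mechanism behind this result: each un-answered SYN holds a half-open entry until the server's timeout expires, so a trickle of 1.4 Kbit/s can exhaust the connection table while bandwidth and CPU look normal. The following is an added example, not code from the paper, that models this with a discrete-time simulation of a listener's half-open table. The capacity, timeout and arrival rates are assumptions chosen to illustrate the effect, not measurements from the experiment; the model also assumes that legitimate clients complete their handshake within the same tick.

```python
"""Added example (not from the paper): a discrete-time model of a TCP
listener's half-open (SYN_RECV) table, showing why a low-bandwidth SYN
flood exhausts connection capacity.  Capacity, timeout and rates are
illustrative assumptions, not values measured in the paper."""
from collections import deque

def simulate_syn_flood(capacity: int, timeout: int, attack_syn_per_tick: int,
                       legit_syn_per_tick: int, ticks: int):
    """Return (legit_accepted, legit_refused, peak_half_open).

    Every attack SYN takes a table entry that is never completed (the
    final ACK never arrives), so it is freed only when `timeout` ticks
    have passed.  A legitimate SYN completes its handshake within the
    tick and frees its entry at once, but it is refused when the table
    is full at the moment it arrives.
    """
    half_open = deque()          # expiry tick of each pending attack SYN, in arrival order
    accepted = refused = peak = 0
    for t in range(ticks):
        # release entries whose timeout has elapsed
        while half_open and half_open[0] <= t:
            half_open.popleft()
        # attack SYNs arrive first in the tick; each takes a slot while there is room
        for _ in range(attack_syn_per_tick):
            if len(half_open) < capacity:
                half_open.append(t + timeout)
        peak = max(peak, len(half_open))
        # legitimate clients need one free slot to complete a handshake
        for _ in range(legit_syn_per_tick):
            if len(half_open) < capacity:
                accepted += 1
            else:
                refused += 1
    return accepted, refused, peak

def compare_timeouts(capacity=128, attack_syn_per_tick=5, legit_syn_per_tick=1, ticks=120):
    """Same flood against a long and a short half-open timeout (assumed values)."""
    return {
        "no_attack": simulate_syn_flood(capacity, 60, 0, legit_syn_per_tick, ticks),
        "timeout_60": simulate_syn_flood(capacity, 60, attack_syn_per_tick, legit_syn_per_tick, ticks),
        "timeout_10": simulate_syn_flood(capacity, 10, attack_syn_per_tick, legit_syn_per_tick, ticks),
    }

if __name__ == "__main__":
    for name, (ok, no, peak) in compare_timeouts().items():
        print(f"{name:11s} accepted={ok:3d} refused={no:3d} peak_half_open={peak}")
```

With a 60-tick timeout, five attack SYNs per tick fill a 128-entry table in 26 ticks and keep it full, so every later legitimate client is refused even though the attacker's rate is tiny. With a 10-tick timeout the same flood never holds more than 50 entries and no client is refused, which is the arithmetic behind shortening the SYN_RECV timeout (or replacing table entries with SYN cookies) as a mitigation: the attacker must sustain capacity / timeout SYNs per tick to win.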
The firewall state was normal during the attack, as in Figure 8. This is due to the small attack bandwidth and the fact that the traffic appears to be real traffic using the HTTP service.

6 Comparisons and Conclusions

During the ICMP attack an increase in the victim's processor usage was observed, but the bandwidth usage stayed normal. On the firewall, meanwhile, bandwidth usage increased because of the lack of response from the spoofed IP address; this happens because the Firewall controls the communication with the Public Zone. In the Jumbo ICMP attack the victim showed increased processor and bandwidth usage, due to the multiple answers and the fragmentation of the Jumbo packet. On the firewall side there was no significant change in processor usage, because the traffic looked like normal traffic between the server and the attacker. During the SYN flood attack the HTTP server's processor and bandwidth usage stayed normal, because the attack bandwidth is small compared with that used by normal users; the normal bandwidth is times greater than that of the attack. This makes the attack silent to a bandwidth or processor monitor, and the firewall treats it as normal traffic. This attack differs from the other two because it is not focused on bandwidth but on the connection capacity of the HTTP server. Security controls based on access control, such as the ones used in these probes, are susceptible to flood DoS attacks because they can neither detect nor respond to the behaviour of the network packets. It is necessary to propose a distributed scheme capable of monitoring, detecting, controlling and modifying the actions of the access control systems, in order to respond to or minimize the effects of this kind of attack.
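The conclusion above is that an access control cannot see either flood because it judges packets one at a time, while both attacks are only visible as behaviour over time: an echo-request rate that no client would produce, and SYNs that are never followed by the handshake-completing ACK. The following is an added example, not from the paper, of the kind of monitor the authors call for: it parses packet summary lines in a Wireshark-like one-line format (timestamp, source, destination, protocol, flags or ICMP type), aggregates per destination and time window, and raises an alert for each behaviour. The sample records are constructed here with documentation addresses, and the thresholds and the treatment of a bare ACK as a completing handshake are simplifying assumptions a deployment would tune.

```python
"""Added example (not from the paper): a behavioural monitor that scans
packet summary lines and reports the two flood behaviours measured in
section 5.  The records are constructed for the example (documentation
address ranges), and the thresholds are assumptions to be tuned."""
from collections import defaultdict

def build_sample():
    """Constructed trace: 3 legitimate handshakes, 60 never-completed SYNs
    from 60 distinct sources, then 120 echo requests inside one second."""
    lines, t = [], 0.0
    for _ in range(3):                       # client completes the three-way handshake
        t += 0.01
        lines.append(f"{t:.3f} 192.0.2.55 198.51.100.10 TCP SYN")
        lines.append(f"{t + 0.001:.3f} 198.51.100.10 192.0.2.55 TCP SYN,ACK")
        lines.append(f"{t + 0.002:.3f} 192.0.2.55 198.51.100.10 TCP ACK")
    for i in range(60):                      # SYN flood: server answers, final ACK never comes
        t += 0.005
        lines.append(f"{t:.3f} 203.0.113.{i + 1} 198.51.100.10 TCP SYN")
        lines.append(f"{t + 0.001:.3f} 198.51.100.10 203.0.113.{i + 1} TCP SYN,ACK")
    for _ in range(120):                     # ICMP flood: echo request / echo reply pairs
        t += 0.004
        lines.append(f"{t:.3f} 203.0.113.200 198.51.100.10 ICMP echo-request")
        lines.append(f"{t + 0.001:.3f} 198.51.100.10 203.0.113.200 ICMP echo-reply")
    return lines

def parse(line):
    """'<seconds> <src> <dst> <proto> <info>' -> (float, src, dst, proto, info)."""
    ts, src, dst, proto, info = line.split(maxsplit=4)
    return float(ts), src, dst, proto, info

def analyse(lines, window=1.0, icmp_threshold=100, half_open_threshold=20):
    """Return alerts for destinations whose traffic in a window looks like a flood."""
    icmp_req = defaultdict(int)      # (dst, window) -> echo requests received
    syn = defaultdict(int)           # (dst, window) -> pure SYNs received
    ack = defaultdict(int)           # (dst, window) -> pure ACKs (handshake completions, simplified)
    syn_sources = defaultdict(set)   # (dst, window) -> distinct sources sending SYNs
    for line in lines:
        ts, src, dst, proto, info = parse(line)
        key = (dst, int(ts // window))
        if proto == "ICMP" and info == "echo-request":
            icmp_req[key] += 1
        elif proto == "TCP":
            flags = set(info.split(","))
            if flags == {"SYN"}:
                syn[key] += 1
                syn_sources[key].add(src)
            elif flags == {"ACK"}:
                ack[key] += 1
    alerts = []
    for (dst, w), n in icmp_req.items():
        if n >= icmp_threshold:
            alerts.append({"type": "icmp-flood", "dst": dst, "window": w, "count": n})
    for (dst, w), n in syn.items():
        incomplete = n - ack[(dst, w)]   # SYNs with no completing ACK in the window
        if incomplete >= half_open_threshold:
            alerts.append({"type": "syn-flood", "dst": dst, "window": w,
                           "incomplete": incomplete, "sources": len(syn_sources[(dst, w)])})
    return alerts

if __name__ == "__main__":
    for alert in analyse(build_sample()):
        print(alert)
```

The SYN alert's high count of distinct sources against one destination is the signature of the spoofed, random-source flood in section 5.3, and the ICMP alert fires on request rate rather than on anything in the individual packet, which is exactly what the per-packet firewall policy of Table 1 cannot express. A monitor of this shape is what would feed the distributed corrective scheme the authors propose, for instance by rate-limiting ICMP or shortening the half-open timeout on the firewall when an alert is raised.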
The effectiveness of attack mitigation lies in locating the initial moment of the attack and reacting in a timely way by means of a distributed corrective scheme that contemplates policies to diminish the effects produced on the different elements of the network. At the time of this publication we are working on the construction of a distributed scheme that mitigates attacks on Web servers.

Acknowledgements

We are thankful for the support granted by IPN and CONACyT for the development of this research.

References

[1] CERT Coordination Center: Overview of Attack Trends. US (2002)
[2] Acens The Hosting Company: Definición y métodos de Ataques DoS. Accessed May
[3] CERT Coordination Center: Denial of Service Attacks. US (June 2001)
[4] Tuncer, T., Tatar, Y.: Detection SYN Flooding Attacks Using Fuzzy Logic. Firat University, Department of Computer Engineering (April 2010)
[5] Yan, J., Early, S., Anderson, R.: The XenoService: A Distributed Defeat for Distributed Denial of Service. Computer Laboratory, Pembroke Street, Cambridge, UK
[6] Howard, J. D., Longstaff, T. A.: A Common Language for Computer Security Incidents (October 1998)
[7] Neuromante: Sobre Vulnerabilidades. Accessed May
[8] Mirkovic, J., Dietrich, S., Dittrich, D., Reiher, P.: Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall (2004)
[9] Maciá Fernández, G.: Ataques de Denegación de Servicio a Baja Tasa contra Servidores. Tesis Doctoral, Departamento de Teoría de la Señal, Telemática y Comunicaciones, Universidad de Granada
[10] CERT Coordination Center: TCP SYN Flooding and IP Spoofing Attacks. US (September 1996). Accessed May
Gaurav Gupta CMSC 681
Gaurav Gupta CMSC 681 Abstract A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing Denial of Service for users of the
allow all such packets? While outgoing communications request information from a
FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,
2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks
Distributed Denial of Service Attacks Felix Lau Simon Fraser University Burnaby, BC, Canada V5A 1S6 [email protected] Stuart H. Rubin SPAWAR Systems Center San Diego, CA, USA 92152-5001 [email protected]
Denial of Service (DoS)
Intrusion Detection, Denial of Service (DoS) Prepared By:Murad M. Ali Supervised By: Dr. Lo'ai Tawalbeh New York Institute of Technology (NYIT), Amman s campus-2006 Denial of Service (DoS) What is DoS
Chapter 28 Denial of Service (DoS) Attack Prevention
Chapter 28 Denial of Service (DoS) Attack Prevention Introduction... 28-2 Overview of Denial of Service Attacks... 28-2 IP Options... 28-2 LAND Attack... 28-3 Ping of Death Attack... 28-4 Smurf Attack...
Firewalls Netasq. Security Management by NETASQ
Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed
Cloud-based DDoS Attacks and Defenses
Cloud-based DDoS Attacks and Defenses Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz Department of Electrical and Computer Engineering University of Western Ontario London, Canada {mdarwis3, aouda,
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
Configuring TCP Intercept (Preventing Denial-of-Service Attacks) This chapter describes how to configure your router to protect TCP servers from TCP SYN-flooding attacks, a type of denial-of-service attack.
Denial of Service (DoS) Technical Primer
Denial of Service (DoS) Technical Primer Chris McNab Principal Consultant, Matta Security Limited [email protected] Topics Covered What is Denial of Service? Categories and types of Denial of
20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
Security vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
Overview. Firewall Security. Perimeter Security Devices. Routers
Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security
Comparing Two Models of Distributed Denial of Service (DDoS) Defences
Comparing Two Models of Distributed Denial of Service (DDoS) Defences Siriwat Karndacharuk Computer Science Department The University of Auckland Email: [email protected] Abstract A Controller-Agent
A Very Incomplete Diagram of Network Attacks
A Very Incomplete Diagram of Network Attacks TCP/IP Stack Reconnaissance Spoofing Tamper DoS Internet Transport Application HTTP SMTP DNS TCP UDP IP ICMP Network/Link 1) HTML/JS files 2)Banner Grabbing
Denial of Service. Tom Chen SMU [email protected]
Denial of Service Tom Chen SMU [email protected] Outline Introduction Basics of DoS Distributed DoS (DDoS) Defenses Tracing Attacks TC/BUPT/8704 SMU Engineering p. 2 Introduction What is DoS? 4 types
Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business
& Preventing (Distributed Denial of Service) A Report For Small Business According to a study by Verizon and the FBI published in 2011, 60% of data breaches are inflicted upon small organizations! Copyright
Seminar Computer Security
Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example
General Network Security
4 CHAPTER FOUR General Network Security Objectives This chapter covers the following Cisco-specific objectives for the Identify security threats to a network and describe general methods to mitigate those
How To Classify A Dnet Attack
Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia [email protected] 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril
10 Configuring Packet Filtering and Routing Rules
Blind Folio 10:1 10 Configuring Packet Filtering and Routing Rules CERTIFICATION OBJECTIVES 10.01 Understanding Packet Filtering and Routing 10.02 Creating and Managing Packet Filtering 10.03 Configuring
Attack Lab: Attacks on TCP/IP Protocols
Laboratory for Computer Security Education 1 Attack Lab: Attacks on TCP/IP Protocols Copyright c 2006-2010 Wenliang Du, Syracuse University. The development of this document is funded by the National Science
SECURITY FLAWS IN INTERNET VOTING SYSTEM
SECURITY FLAWS IN INTERNET VOTING SYSTEM Sandeep Mudana Computer Science Department University of Auckland Email: [email protected] Abstract With the rapid growth in computer networks and internet,
Networks: IP and TCP. Internet Protocol
Networks: IP and TCP 11/1/2010 Networks: IP and TCP 1 Internet Protocol Connectionless Each packet is transported independently from other packets Unreliable Delivery on a best effort basis No acknowledgments
Chapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) 192.168.0.2 /24
Introduction The Network Vulnerabilities module provides you with the instruction and Server hardware to develop your hands on skills in the defined topics. This module includes the following exercises:
Architecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
DoS/DDoS Attacks and Protection on VoIP/UC
DoS/DDoS Attacks and Protection on VoIP/UC Presented by: Sipera Systems Agenda What are DoS and DDoS Attacks? VoIP/UC is different Impact of DoS attacks on VoIP Protection techniques 2 UC Security Requirements
Chapter 7 Protecting Against Denial of Service Attacks
Chapter 7 Protecting Against Denial of Service Attacks In a Denial of Service (DoS) attack, a Routing Switch is flooded with useless packets, hindering normal operation. HP devices include measures for
Session Hijacking Exploiting TCP, UDP and HTTP Sessions
Session Hijacking Exploiting TCP, UDP and HTTP Sessions Shray Kapoor [email protected] Preface With the emerging fields in e-commerce, financial and identity information are at a higher risk of being
Classification of Firewalls and Proxies
Classification of Firewalls and Proxies By Dhiraj Bhagchandka Advisor: Mohamed G. Gouda ([email protected]) Department of Computer Sciences The University of Texas at Austin Computer Science Research
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks
DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS
: DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s
Deploying in a Distributed Environment
Deploying in a Distributed Environment Distributed enterprise networks have many remote locations, ranging from dozens to thousands of small offices. Typically, between 5 and 50 employees work at each
Surviving DNS DDoS Attacks. Introducing self-protecting servers
Introducing self-protecting servers Background The current DNS environment is subject to a variety of distributed denial of service (DDoS) attacks, including reflected floods, amplification attacks, TCP
Solution of Exercise Sheet 5
Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????
Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide
Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...
Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals
Denial of Service Attacks Notes derived from Michael R. Grimaila s originals Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident
Computer Networks. Chapter 5 Transport Protocols
Computer Networks Chapter 5 Transport Protocols Transport Protocol Provides end-to-end transport Hides the network details Transport protocol or service (TS) offers: Different types of services QoS Data
How To Stop A Ddos Attack On A Website From Being Successful
White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service
Firewalls, IDS and IPS
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor [email protected]
TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor [email protected] Abstract TCP SYN flooding attack is a kind of denial-of-service attack. This SYN flooding attack is using the weakness
An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh
DDoS Protection on the Security Gateway
DDoS Protection on the Security Gateway Best Practices 24 August 2014 Protected 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by
Keywords Attack model, DDoS, Host Scan, Port Scan
Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection
A Study of Network Security Systems
A Study of Network Security Systems Ramy K. Khalil, Fayez W. Zaki, Mohamed M. Ashour, Mohamed A. Mohamed Department of Communication and Electronics Mansoura University El Gomhorya Street, Mansora,Dakahlya
Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
Firewall Design Principles
Firewall Design Principles Software Engineering 4C03 Dr. Krishnan Stephen Woodall, April 6 th, 2004 Firewall Design Principles Stephen Woodall Introduction A network security domain is a contiguous region
- Introduction to Firewalls -
1 Firewall Basics - Introduction to Firewalls - Traditionally, a firewall is defined as any device (or software) used to filter or control the flow of traffic. Firewalls are typically implemented on the
Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
Network Traffic Analysis
2013 Network Traffic Analysis Gerben Kleijn and Terence Nicholls 6/21/2013 Contents Introduction... 3 Lab 1 - Installing the Operating System (OS)... 3 Lab 2 Working with TCPDump... 4 Lab 3 - Installing
CMS Operational Policy for Firewall Administration
Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Operational Policy for Firewall Administration July 16, 2008 Document Number: CMS-CIO-POL-INF11-01
Usage of Embedded Systems for DoS Attack Protection
Usage of Embedded Systems for DoS Attack Protection I. Dodig 1, D. Cafuta 1, V. Sruk 2 1 Politechnic of Zagreb HR-10000 ZAGREB, I. Lucica 5, CROATIA e-mail: {davor.cafuta, ivica.dodig}@tvz.hr 2 Faculty
An Efficient Filter for Denial-of-Service Bandwidth Attacks
An Efficient Filter for Denial-of-Service Bandwidth Attacks Samuel Abdelsayed, David Glimsholt, Christopher Leckie, Simon Ryan and Samer Shami Department of Electrical and Electronic Engineering ARC Special
