Network Bandwidth Denial of Service (DoS)



Similar documents
Denial of Service Attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

Complete Protection against Evolving DDoS Threats

Denial of Service Attacks and Resilient Overlay Networks

Distributed Denial of Service (DDoS)

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

DDoS Protection Technology White Paper

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

SECURING APACHE : DOS & DDOS ATTACKS - I

co Characterizing and Tracing Packet Floods Using Cisco R

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

How To Block A Ddos Attack On A Network With A Firewall

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Denial of Service. Tom Chen SMU

Firewalls and Intrusion Detection

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

TDC s perspective on DDoS threats

How Cisco IT Protects Against Distributed Denial of Service Attacks

Distributed Denial of Service Attacks & Defenses

Securing data centres: How we are positioned as your ISP provider to prevent online attacks.

A Defense Framework for Flooding-based DDoS Attacks

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Denial of Service Attacks

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network.

DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

DDoS Mitigation Solutions

A Selective Survey of DDoS Related Research

/ Staminus Communications

Chapter 8 Security Pt 2

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Denial Of Service. Types of attacks

Queuing Algorithms Performance against Buffer Size and Attack Intensities

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

VALIDATING DDoS THREAT PROTECTION

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Content Distribution Networks (CDN)

Abstract. Introduction. Section I. What is Denial of Service Attack?

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Modern Denial of Service Protection

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Strategies to Protect Against Distributed Denial of Service (DD

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

Denial of Service (DoS)

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

Application Security Backgrounder

How To Protect A Dns Authority Server From A Flood Attack

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

A S B

DETECTING AND PREVENTING THE PACKET FOR TRACE BACK DDOS ATTACK IN MOBILE AD-HOC NETWORK

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

DoS/DDoS Attacks and Protection on VoIP/UC

Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall

Firewalls, IDS and IPS

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Gaurav Gupta CMSC 681

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

DoS: Attack and Defense

Survey on DDoS Attack Detection and Prevention in Cloud

Denial of Service Attacks, What They are and How to Combat Them

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Chapter 8 Network Security

Denial of Service (DoS) Technical Primer

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

DDoS attacks in CESNET2

Cloud-based DDoS Attacks and Defenses

DDoS Overview and Incident Response Guide. July 2014

Announcements. No question session this week

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Arbor s Solution for ISP

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Application of Netflow logs in Analysis and Detection of DDoS Attacks

DoS Attacks Flood Techniques

DDoS Mitigation. Maintaining Business Continuity in the Face of Malicious Attacks. Technical Note

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Steps Towards a DoS-resistant Internet Architecture. Mark Handley Adam Greenhalgh University College London

A Brief Discussion of Network Denial of Service Attacks. by Eben Schaeffer SE 4C03 Winter 2004 Last Revised: Thursday, March 31

Safeguards Against Denial of Service Attacks for IP Phones

DDoS Attack and Defense: Review of Some Traditional and Current Techniques

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

How To Understand A Network Attack

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Transcription:

Network Bandwidth Denial of Service (DoS) Angelos D. Keromytis Department of Computer Science Columbia University Synonyms Network flooding attack, packet flooding attack, network DoS Related Concepts and Keywords SYN flood attack, application-level DoS, algorithmic DoS, memory and state exhaustion DoS, distributed DoS (DDoS) Definition Network bandwidth denial of service (DoS) attacks seek to consume the available bandwidth or router resources at or near a target host or network, such that legitimate traffic cannot reach its destination. The primary means for achieving this goal by sending large traffic volumes (packet floods) that do not respect congestion control signals, such as that in the Transmission Control Protocol (TCP) or Explicit Congestion Notification (ECN). In wireless networks, such attacks can also be carried out through radio jamming. Background Network bandwidth DoS attacks have been seen on the Internet since at least 1996, with a TCP SYN flood attack against Panix, an Internet Service Provider. Large-scale DoS attacks against some high-visibility sites including Ebay, Yahoo, CNN.com and E*trade were widely reported in the news in February 2000. Since then, network DoS attacks are a common phenomenon, with as many as 700-800 observed in a single day. The effectiveness of such attacks has increased with the advent of large-scale botnets, compromised hosts that are under the control of a single entity. While early attacks appear to have been launched primarily for amateurish reasons, more recently DoS attacks have been used for financial crime (extortion, corporate warfare) and political purposes. Notable cases of the latter include the DoS attacks against government websites in Estonia (2007), Georgia (2008), Iran (2009), South Korea and USA (2009), against the Cloud 9 ISP in the UK (2002), and against a specific user on Twitter (2009). In addition to their targets, such attacks cause significant collateral damage, by affecting the available bandwidth and router resources in links close, but otherwise unrelated to the target site.

Application Bandwidth DoS attacks target the availability of networked services by preventing legitimate users from successfully communicating with the target of the attack. The easiest way of achieving this goal involves the transmission of large volumes of traffic toward the destination. Packetswitched networks such as the Internet use statistical multiplexing to allocate limited resources to large numbers of users. In addition, the Internet is an open network: any host can attach and transmit traffic, as long as it obeys some very basic rules with respect to packet format. Because of these two design properties of the Internet, bandwidth DoS attacks can saturate network links and consume scarce router resources, especially at the edges of the network (i.e., topologically near end-hosts and networks). DoS attack traffic generally does not respect congestion control signaling, such as TCP s built-in exponential back-off algorithm or ECN packet markings. User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) traffic, due to its inherent statelessness and lack of congestion control in the protocol, is extensively used in many such attacks. However, legitimate TCP traffic may also be used, especially when large numbers of hosts can be made to initiate connections. Several attacks also involve fabricated TCP traffic, i.e., TCP packets that are not part of any actual connection but are generated by attack tools for the purposes of evading detection. The volume of traffic that is necessary to successfully cause a DoS attack depends primarily on the link capacity of the target site. For well-provisioned sites, a single attacking host may not be able of generating enough attack traffic volume. With the prevalence of botnets in recent years, large-scale DoS attacks involving many thousands of attacking hosts have become common. In most cases, such DDoS attacks aggregate enough traffic to saturate the network links of their targets. Even when a DoS attack does not consume enough bandwidth to saturate its target or upstream links, quality of service may be significantly affected for legitimate clients. Depending on the type of traffic that such clients generate, the effect of an incomplete DoS attack may be equivalent to a fully saturating one. The content of the attack traffic is not relevant to the attack itself. However, recent attack tools seek to create traffic that could have been generated by legitimate clients. The purpose is to avoid detection and blocking by various Intrusion Detection and Intrusion Prevention Systems (IDS/IPS). Given a large enough population of attack hosts, an attacker can simply instruct them to visit the target website (or other service) by faithfully following the relevant protocol interactions. In doing so, the attacker is simulating a flash crowd, albeit one in which the majority of the crowd are automata under his or her control. One countermeasure against such attacks involves the use of Reverse Turing Tests, which seek to discriminate between human users and automata by posing (hopefully) problems that are currently hard to solve algorithmically. Examples of such problems include the recognition of words or characters in a distorted image, or the identification of an image with specific features from among a larger set of images (e.g., select the image that shows a dog running in a park ). DoS attacks sometimes use evasive tactics to hide their origin and to mask any distinguishing characteristics that could be used for block them. The earliest and most obvious strategy involved using a fake source IP address (spoofing). This was a necessity when only a few hosts were participating in the attack, and thus could be identified and easily blocked. With the advent of large

botnets and the use of anti-spoofing techniques by ISPs, address spoofing is neither crucial for an attack s success nor as common. Other ways of hiding the attack s true origins involve the use of reflectors. These are hosts (and protocols/services) that will respond to traffic sent to them, without validating the source IP address. Typically, such services are connectionless, e.g., ICMP packets or certain UDP-based protocols. Attackers can send traffic to these hosts, purporting to originate from the target site by using address spoofing, causing all response traffic to go to the target. Other than re-designing the protocol, the only countermeasure available to reflection involves traffic shaping, i.e., limiting the amount of such unverified/unverifiable traffic that a host will generate per unit time. Reflectors become an even more serious problem when they also act as amplifiers. Amplifiers are hosts (and protocols/services) that respond with a large volume of traffic in response to a much smaller request. Examples of traffic amplification include Domain Name System (DNS) zone transfers over UDP, targeted subnet broadcast, and streaming media traffic (such as Voice over IP streams). Protocol re-design seems to be the best way of avoiding such vulnerabilities. The use of spoofing, reflection and amplification make it difficult to impersonate a legitimate host and to blend attack traffic with legitimate traffic for the purposes of evading detection. One exception to this involves the redirection of large numbers of clients toward the target. The means of such redirection depend on the particular type of traffic and protocol that is being redirected. One example of such redirection is causing web browsers to contact the target site by including either static content pointers to the target or active content (e.g., Javascript or Flash scripts) that repeatedly attempts to connect to the target without the legitimate user s action or consent, by including such pointers or active content in a popular web page, often in a compromised server. Another example involves redirecting requests for searched-for content in a peer-to-peer network toward the target site, causing a large number of download requests from clients that seek to retrieve said content. Bandwidth DoS attacks are often combined with other types of DoS attacks. For example, they may be combined with memory/state exhaustion attacks, as is the case with TCP SYN flood attacks that seek to fill up operating system tables, or with algorithmic DoS attacks that try to induce excessive computation at the target host, e.g., by repeatedly invoking operations that result in expensive database lookups. In this way, the impact of the attack is multiplied. Furthermore, even if the attack volume proves insufficient to saturate the target s available bandwidth, the secondary effects may be sufficient to deny service to legitimate clients. Another way to amplify an attack composed of legitimate-looking traffic, is to seek access to large resources, e.g., big files or media content. Because modern network links are full-duplex (i.e., traffic can flow in both directions without interference), most network DoS attacks affect primarily the target s downstream bandwidth (i.e., from the Internet to the target). By seeking to access large-volume content, attacks can also saturate the upstream bandwidth. In some cases, attacks primarily focus on the upstream bandwidth. Such attacks can be particularly effective, since they require relatively little attack traffic to cause disproportionately large responses. However, such DoS attacks are easy to identify and remedy at the target site. Tools for launching bandwidth DoS attacks can be commonly found on the Internet. Their sophistication and effectiveness varies. Practically all botnet software allows its controllers to launch

bandwidth DoS attacks, sometimes offering sophisticated features such as pulsing attacks (where an attack is turned on and off, in an effort to confound detection and defense), rotation (where different subsets of the botnet may participate in the attack at different times, again towards confounding defense), scheduled attacks, etc. In some recent cases, especially where DoS attacks were launched for political purposes, tools were made available for sympathizing users to download and purposely use to contribute to the attacks. Defending against bandwidth DoS attacks is often difficult for the target site, because the congestion usually occurs upstream (farther in the network) from any equipment that the site controls (e.g., a router or firewall). For an effective response, a target site typically needs to coordinate a response with its parent ISP. If the attack traffic is easy to characterize or otherwise stands out, such as a UDP packet flood against a web site, blocking at an appropriate upstream location by the ISP is relatively straightforward. When the attack traffic is not easy to characterize, or the necessary router resources or features are not available for filtering, ISPs resort to blackholing. In that case, a routing entry for the target s network prefix (which may include other, otherwise un-targeted sites) is injected into the ISP s routing protocol. That entry points effectively causes all traffic to the target, both legitimate and attack, to be dropped by the ISP routers. In this way, the attack traffic is dropped as soon as it enters the ISP s network, thereby avoiding link congestion. Since legitimate traffic to the target site is also dropped, blackholing does not help restore access to said site. Another practical defense against network bandwidth attacks involves the use of Content Delivery Networks (CDNs). For relatively static content, this allows a website to effectively create many different instances of itself distributed around the Internet, making it difficult for an attacker to completely deny access to all of them. However, this approach does not work well for sites with dynamic or interactive content. Modern routers and firewalls offer some defenses against bandwidth DoS attacks, such as terminating TCP handshakes to mitigate against SYN flood attacks and applying statistical means to detecting network traffic anomalies. The effectiveness of such schemes varies against the different types of attack traffic, as does their impact on router performance. Many of these features are available on customer-premises equipment (as opposed to ISP-grade equipment), reducing their relevance in defending against attacks that cause congestion in upstream links. Other types of DoS attacks, such as those that exhaust available memory on a system or cause excessive CPU utilization by exploiting worst-case algorithmic behavior via carefully selected inputs, can be used to the same effect. However, these typically require an good understanding of the particular system and application that is being attacked. In contrast, bandwidth DoS attacks can be launched against any host or network with little or no knowledge of the services that are available in the target. Open Problems Considerable research has been conducted in the areas of traffic characterization and anomaly detection, proactive network architecture design, reactive mechanism retrofitting, attack tolerance

and avoidance, and attribution [MDDR2005]. The problem of detecting and defending against bandwidth denial of service attacks in open networks, and specifically in the Internet, remains unsolved. Recommended Reading List [MDDR2005] Mirkovic J., Dietrich S., Dittrich D., Reiher P., Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, 2005.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information