Denial of Service Attacks: Classification and Response




Security Event "Trust and Confidence in a Fast and Mobile Environment", July 2004
Denial of Service Attacks: Classification and Response
Christos Douligeris, Aikaterini Mitrokotsa
Department of, University of Piraeus
cdoulig@unipi.gr, mitrokat@unipi.gr

Denial of Service Attacks
- Attacks designed to render a computer or network incapable of providing normal services.
- Take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user.
- Do not necessarily damage data directly or permanently, but they intentionally compromise the availability of the resources.

Denial of Service Attacks
A Denial of Service (DoS) attack is a cyber event that is meant to disrupt the availability of a target network, therefore disallowing legitimate access to online resources.
[Figure: a legitimate user and malicious attackers reaching a web server across the Internet through a firewall]

Denial of Service Attacks
This Denial of Service condition can be achieved by:
- exhausting the available resources of your servers;
- exhausting the available resources of your firewall;
- over-utilizing the bandwidth between your network and your service provider.
Some of the advanced tactics used in these attacks are:
- Distributed Denial of Service attack
- Spoofing
- Adding intelligence (randomizing the attack)

Denial of Service Attacks: DoS Model Transformation
Model development in three stages: DoS, DDoS, DRDoS. Each new stage = previous stage + new elements; each new element increases the attacker's computational power.
[Figure: (A) Denial of Service (DoS) attack: attacker -> web server; (B) Distributed DoS (DDoS) attack: attacker -> masters -> slaves -> web server; (C) DDoS using reflectors (DRDoS): attacker -> masters -> slaves -> reflectors -> web server]

Who can launch a Denial of Service Attack?
- Script kiddies who download DoS utilities from IRC chat rooms, AOL chat rooms, or even directly off web sites.
- Machines or "zombies" that have been compromised by automated DDoS tools or hacker groups.
- A typical home broadband Internet connection such as a cable modem or DSL line has enough speed to take out one or more web servers.
- DoS attacks often take little intelligence to perform.

What are motivations for launching DoS Attacks?
- Sub-cultural status
- Revenge
- Political reasons
- Economic reasons
- Competitive advantage
- Terrorism (information warfare)

Denial-of-Service Attacks
[Figure: overview of classic DoS attack types. Attacks sent by a single client directly at the target: WinNuke, SYN flood, UDP packet storm, Land, Teardrop, Bonk. Attacks in which the client spoofs the target's address and pings a broadcast address so that the LAN hosts flood the target: Smurf, ping flood, ICMP storm]

Victims of Denial of Service Attacks
- On February 7, 2000, Yahoo's web site seemingly disappeared from the Internet, and in the following days it happened to many others: eBay, Amazon.com, Buy.com, ZDNet, CNN.com, E*Trade and MSN.com joined Yahoo, dropping off the Web for hours at a time. Overall, Internet traffic slowed by as much as 26 percent, according to Net performance watcher Keynote Systems.
- On May 25, 2001 the University of California at San Diego announced that there were more than 4,000 DoS attacks launched every week.
- CERT hit by denial-of-service attack (May 24, 2001): CERT, which provides Internet security vulnerability information to the public, was hit with a distributed denial-of-service attack, and its web site has been largely unavailable.

Victims of Denial of Service Attacks: DoS attack hits NY Times
"Started receiving a huge amount of electronic transmissions that flooded the machinery that protects the paper from hacker attacks."
- Date: 10/30/2001
- Type of attack: Flooding (resource exhaustion) attacks
- Notable tactic: External defenses were overwhelmed
- Economic impact: Online content made unavailable to users for two hours
- Perpetrator: Unknown. "Our technical staff is trying to determine a reason for this. At this time, we do not know the cause."

Victims of Denial of Service Attacks: MSNBC knocked offline for nearly two hours
The Web news site experienced a SYN attack at 7:30 a.m. ET that caused its content to be unavailable to users, according to MSNBC.com's technical production staff.
- Date: 4/25/2002
- Type of attack: SYN flooding (resource exhaustion) attacks
- Notable tactic: Source address was spoofed
- Economic impact: Online content made unavailable to users for two hours
- Perpetrator: Unknown

Victims of Denial of Service Attacks: Cloud Nine blown away, blames hack attack
Basingstoke-based ISP Cloud Nine has closed its operation this morning after being hit by a crippling security attack.
- Date: 1/22/2002
- Type of attack: Flooding (resource exhaustion) attacks
- Notable tactic: Attacks were both internal and external. Spoofing was used.
- Economic impact: Business operations ceased, forcing the corporation to liquidate
- Perpetrator: Unknown. "This is not just an attack against us, but against all our customers."

Victims of Denial of Service Attacks
- On September 9, 2003, Siliconvalley.internet.com cited that SCO Group was the target of a DoS attack aimed at open source software, such as Linux. They were attacked 3 times within four months. Each attack rendered the site inaccessible.
- Blaster worm attack: The Blaster worm was programmed to launch a denial-of-service attack starting Aug. 16, 2003, against windowsupdate.com, an Internet domain owned by Microsoft and used to distribute software updates to Windows customers. However, an error in Blaster's design, combined with last-minute actions by Microsoft to change the registration of windowsupdate.com, cut short that attack.

Similarities of Recent Attacks
- The types of attacks that occurred were flood-based attacks.
- Spoofing was used to shield the identity of the attacker.
- The network staff couldn't isolate the problem.
- In every case business ceased to operate for a given amount of time.

Attack Tools More Powerful and Easy to Use

DoS Attacks on the Rise
Frequency of DoS attacks increased 60% over the last three years and is still rising.
[Chart: percentage of respondents reporting DoS attacks, by year (1999, 2000, 2001, 2003); values shown on the chart: 24%, 27%, 38%. Source: Sixth Annual Computer Crime and Security Survey; and E-Marketect.]

DoS Attacks on the Rise
- Many attacks: over 4000 DoS/DDoS attacks per week
- Short duration: 80% last less than 30 minutes
Source: Inferring Internet Denial of Service Activity; Moore, Voelker, Savage, UCSD, May 2001

DoS Attacks on the Rise
Denial of Service attacks in organizations reporting financial loss (by number):
- 1999: 74
- 2000: 101
- 2001: 95
- 2002: 123
- 2003: 111

DoS Attacks on the Rise
CSI/FBI 2003 Computer Crime and Security Survey, WWW site incidents: what types of unauthorized access or misuse?
[Pie chart over the categories Vandalism, Denial of Service, Financial Fraud, Theft of Transaction Information and Other; percentages shown on the chart: 36%, 35%, 19%, 6%, 4%]

Why should companies worry?
- Downtime costs dollars.
- These types of attacks can cripple your online resources for hours, even days.
- These attacks are easy for anyone to launch at any time.
- The source of these attacks is very hard to trace.
- Negative media coverage can tarnish your public image.
- Your competition can gain an advantage.
- Your company is not immune.

Impact of DoS Attacks
Loss of revenue:
- Costs of losses from the February 2000 attacks: $1.2 billion cumulative
- Estimated lost business from DDoS attacks at Amazon.com: $200-300K/hour
- Estimated costs of 24-hour outages: brokerage firm $156 million; Cisco $30 million; eBay $4.5 million; airline $2.1 million
- Estimated cost of lost user access from one medium-grade attack: $23K
(Sources: Forrester, Yankee Group, IDC)
Other impacts:
- Damage to corporate image and brand
- Cost of over-engineering network resources
- Cost to diagnose and rebuild systems (forensic cost estimated by the University of Washington to be $22,000 per event)
- Violation of service level agreements (SLAs)
- Risk of litigation
- Increase in insurance protection

Impact of DoS Attacks
[Chart: dollar amount of losses by type; no values recoverable from the transcription]

DoS classification
Remote Denial of Service attacks:
- Network device level
- OS level
- Application level
- Data flood
- Protocol feature attack

DoS Classification
- Network device level: attacks caused by taking advantage of bugs in software, or by trying to exhaust the hardware resources of network devices.
- OS level: take advantage of the ways operating systems implement protocols.
- Application-based attacks: take advantage of the ways operating systems implement protocols.
- Data flooding attacks: attempt to use the bandwidth available to a network, host or device to its greatest extent.
- Attacks based on protocol features: take advantage of standard protocol features.

DDoS attacks
- A DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets.
- Using client/server technology, the perpetrator is able to multiply the effectiveness of the DoS significantly by harnessing the resources of multiple unwitting accomplice computers.
- The attacks achieve their desired effect by the sheer volume of attack packets, and can afford to vary all packet fields to avoid characterization and tracing.
- They take advantage of the Internet architecture, and this is what makes them even more powerful.

DDoS attacks
Steps for preparation and conduction of a DDoS attack:
1. Selection of agents that will perform the attack
2. Compromise
3. Communication
4. Attack
DDoS tools:
- Agent-based DDoS attack tools: Trinoo, TFN, TFN2K, Stacheldraht, mstream, Shaft
- IRC-based DDoS attack tools: Trinity, myserver, Plague, Knight, Kaiten

Stacheldraht (Barbed Wire) Distributed Denial-of-Service (DDoS) Attack Tool
Combines features of trinoo and Tribe Flood Network (TFN).
[Figure: attacker's client -> masters (encrypted client/master channel) -> agents on thousands of compromised systems (buffer overflows) -> targets; attack types: SYN flood, ping flood, UDP flood, smurf]

Classification of DDoS attacks
- Classification by degree of automation: Manual; Semi-automatic (Direct, Indirect); Automatic
- Classification by exploited vulnerability: Flood attack (UDP flood, ICMP flood); Amplification attack (Smurf attack, Fraggle attack); Protocol exploit attack; Malformed packet attack
- Classification by attack rate dynamics: Continuous; Variable (Fluctuating, Increasing)
- Classification by impact: Disruptive; Degrading

Classification of DDoS defense mechanisms
Classification by activity:
- Intrusion Prevention: Using globally coordinated filters (Ingress filtering, Egress filtering, Route-based distributed packet filtering, History-based IP filtering, Secure Overlay Services); Disabling unused services; Applying security patches; Changing IP address; Disabling IP broadcasts; Load balancing; Honeypots
- Intrusion Detection: Anomaly detection (Statistical analysis techniques, Data mining techniques, Rate limiting techniques); Misuse detection
- Intrusion Response: IP traceback (ICMP traceback, Link-testing traceback, Probabilistic packet marking, Hash-based IP traceback, Sleepy traceback, Center-Track); Traffic pattern analysis; Analysis of event logs
- Intrusion Tolerance and Mitigation: Fault tolerance; Quality of Service (IntServ, DiffServ, Class-based queuing); Proactive server roaming; Resource accounting; Resource pricing; Replication; Pushback; Throttling
Classification by location:
- Victim network
- Intermediate network
- Source network

Classification of DDoS defense mechanisms: by activity
- Intrusion Prevention: tries to stop DDoS attacks from being launched in the first place.
- Intrusion Detection: guards a host computer or network against being a source or a victim of DDoS attacks.
- Intrusion Response: identifies the attack source and blocks its traffic accordingly.
- Intrusion Tolerance and Mitigation: focuses on minimizing the attack impact and on maximizing the quality of its services.

Classification of DDoS defense mechanisms: Intrusion Prevention
- Using globally coordinated filters: filtering mechanisms stop packets before they aggregate to lethal proportions.
- Disabling unused services: services not needed or used should be disabled to prevent attacks.
- Applying security patches: armor the hosts against DDoS attacks.
- Changing IP address: a moving-target defense, practical for local DDoS attacks.
- Disabling IP broadcasts: host computers can no longer be used as amplifiers.
- Load balancing: increase the bandwidth on critical connections and prevent them from going down.
- Honeypots: trick the attacker into attacking the honeypot and not the actual system.

Classification of DDoS defense mechanisms: Intrusion Detection
- Anomaly detection: relies on detecting behaviors that are abnormal with respect to some normal standard.
- Misuse detection: identifies well-defined patterns of known exploits and then looks out for the occurrences of such patterns. Examples: NID, Real Secure, NFR-NID.
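The following is an added example, not part of the original presentation, showing the "anomaly detection / statistical analysis" idea in working form: a detector learns the normal SYN rate over a training window and flags seconds whose rate exceeds mean + k standard deviations. The traffic records, field layout, threshold parameters and the source-spread heuristic are all constructed for illustration, not taken from the slides.

```python
"""Added example (not from the original presentation): a small statistical
anomaly detector for SYN-flood conditions.  Records, field layout and
thresholds are constructed for illustration."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: (second, source_ip, tcp_flags) for segments seen at the
# victim's edge.  Seconds 0-9 are normal traffic from a handful of clients;
# seconds 10-12 are a burst of SYNs from many distinct addresses.
BASELINE_RATES = [2, 3, 4, 3, 2, 3, 4, 3, 2, 3]
BASELINE = [(t, f"198.51.100.{10 + i}", "S")
            for t, n in enumerate(BASELINE_RATES) for i in range(n)]
BURST = [(t, f"203.0.113.{(t * 13 + i) % 200}", "S")
         for t in range(10, 13) for i in range(60)]
SAMPLE = BASELINE + BURST
TRAIN_SECONDS = range(10)


def syn_counts_per_second(records):
    """Number of SYN-only segments (new half-open attempts) per second."""
    counts = Counter()
    for t, _src, flags in records:
        if flags == "S":
            counts[t] += 1
    return counts


def learn_baseline(counts, seconds):
    """Mean and population standard deviation of the SYN rate over known-good seconds."""
    rates = [counts.get(t, 0) for t in seconds]
    return mean(rates), pstdev(rates)


def distinct_sources_per_second(records):
    """How many different source addresses sent SYNs in each second."""
    sources = defaultdict(set)
    for t, src, flags in records:
        if flags == "S":
            sources[t].add(src)
    return {t: len(s) for t, s in sources.items()}


def detect(records, train_seconds=TRAIN_SECONDS, k=3.0, min_floor=10):
    """Flag each non-training second whose SYN rate exceeds mean + k*stddev.

    min_floor keeps a very quiet baseline from turning a handful of extra
    connections into an alert.  Each alert also carries the source spread
    (distinct sources / SYNs): a spread near 1.0 means almost every SYN came
    from a different address, which is what a spoofed-source flood looks like
    and what a few busy legitimate clients do not.
    """
    counts = syn_counts_per_second(records)
    spread = distinct_sources_per_second(records)
    mu, sigma = learn_baseline(counts, train_seconds)
    threshold = max(mu + k * sigma, min_floor)
    alerts = []
    for t in sorted(counts):
        if t in train_seconds or counts[t] <= threshold:
            continue
        alerts.append({"second": t, "syn_rate": counts[t],
                       "threshold": threshold,
                       "source_spread": spread[t] / counts[t]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The baseline here is deliberately tiny, so the floor rather than the standard deviation sets the threshold; on real traffic the training window should span enough time to capture daily variation, otherwise ordinary peaks will be flagged as attacks.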

Classification of DDoS defense mechanisms: Intrusion Response
- IP traceback: traces the attacks back towards their origin, so one can find out the true identity of the attacker and achieve detection of asymmetric routes.
- Traffic pattern analysis: traffic pattern data can be stored and then analyzed after the attack, to find specific characteristics and features that may indicate an attack.
- Analysis of event logs: selection of the event logs that occurred during the setup and the execution of the attack in order to discover the type of DDoS attack.
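As an added example (not from the original presentation) of the "probabilistic packet marking" traceback technique listed above, the simulation below implements the simplest variant, node sampling: each router on the path overwrites a marking field with probability p, and the victim recovers the path order from how often each router's mark survives. The router names, marking probability, packet count and random seed are assumptions made for the illustration.

```python
"""Added example, not from the original presentation: a simulation of
probabilistic packet marking (node sampling) as an IP traceback technique.
The router path, marking probability and packet count are constructed."""
import random

# Constructed path from the attacking host to the victim; R1 is nearest the
# attacker, R4 is the last hop before the victim.  Labels are assumed names.
PATH = ["R1", "R2", "R3", "R4"]


def mark_packet(path, p, rng):
    """Forward one packet along the path.  Each router, with probability p,
    overwrites the packet's marking field with its own identity, so the mark
    that reaches the victim belongs to the last router that chose to mark."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, p, n_packets, seed=7):
    """Victim side: tally which router identity arrived in each marked packet."""
    rng = random.Random(seed)
    tally = {}
    for _ in range(n_packets):
        m = mark_packet(path, p, rng)
        if m is not None:
            tally[m] = tally.get(m, 0) + 1
    return tally


def expected_fraction(distance_from_victim, p):
    """A router d hops from the victim survives as the final mark with
    probability p * (1-p)^(d-1): it must mark, and every closer router must not."""
    return p * (1 - p) ** (distance_from_victim - 1)


def reconstruct_path(tally):
    """Because the surviving-mark probability falls with distance, sorting
    routers by descending mark count orders them from the victim outward."""
    return [r for r, _ in sorted(tally.items(), key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    tally = collect_marks(PATH, 0.5, 20_000)
    print(tally)
    print("path from victim outward:", reconstruct_path(tally))
```

Note that the victim needs a large number of attack packets before the counts separate cleanly, which is why traceback is listed under response rather than prevention: it identifies the path after the flood is already under way.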

Classification of DDoS defense mechanisms: Intrusion Tolerance and Mitigation
- Fault tolerance: by duplicating the network's services and diversifying its access points, the network can continue offering its services when flooding traffic congests one network link.
- Quality of Service: describes the assurance of the ability of a network to deliver predictable results for certain types of applications or traffic.

What can you do?
- Adopt a security policy and educate your employees.
- Use multiple ISPs.
- Practice good balancing.
- Ensure redundancy in all network devices, servers and power sources.
- Protect your critical systems with a hardened firewall.
- Keep your system simple and shut down all the operating systems that are not required.

What can you do?
- Stay current on upgrades, updates, vendor advisories, and security bulletins.
- Enable basic spoof protection on your routers.
- Filter out the RFC 1918 address classes that are non-routable or private.
- Stay vigilant through testing and monitoring.
- Be ready to respond.
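The following is an added example, not from the original presentation, that models the router-side checks recommended above and in the Intrusion Prevention slide: basic spoof protection as ingress/egress filtering, dropping RFC 1918 and other non-routable sources arriving from the Internet, and refusing directed broadcasts so the network cannot serve as an amplifier. The organisation's prefix, the interface names, the bogon list and the packet list are all constructed for the illustration.

```python
"""Added example, not from the original presentation: a model of the router
checks the slides recommend (ingress/egress spoof filtering, dropping RFC 1918
sources, refusing directed broadcasts).  Prefixes, interface names and the
packet list are constructed for illustration."""
import ipaddress
from collections import Counter

# Assumed: the organisation's own public prefix and its two router interfaces.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")
INSIDE, OUTSIDE = "eth0", "eth1"

# Source ranges that should never arrive from the Internet: RFC 1918 private
# space plus a few other non-routable ranges.  Assumed starting list, not exhaustive.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_bogon(addr):
    """True if the address falls in any non-routable/private range."""
    return any(addr in net for net in BOGONS)


def filter_packet(pkt):
    """Return (verdict, reason) for a packet dict with src, dst and iface
    (the interface the packet arrived on)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["iface"] == OUTSIDE:                      # ingress filtering
        if is_bogon(src):
            return "drop", "private/non-routable source from the Internet"
        if src in OUR_PREFIX:
            return "drop", "our own prefix arriving from outside (spoofed)"
        if dst == OUR_PREFIX.broadcast_address:
            return "drop", "directed broadcast (amplifier abuse)"
        return "accept", "ingress ok"
    # egress filtering: only our own addresses may leave the network
    if src not in OUR_PREFIX:
        return "drop", "source not in our prefix leaving the network (spoofed)"
    return "accept", "egress ok"


# Constructed packets exercising each rule in turn.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "iface": OUTSIDE},   # normal inbound
    {"src": "10.1.2.3", "dst": "203.0.113.10", "iface": OUTSIDE},       # RFC 1918 source
    {"src": "203.0.113.5", "dst": "203.0.113.10", "iface": OUTSIDE},    # our prefix from outside
    {"src": "198.51.100.9", "dst": "203.0.113.255", "iface": OUTSIDE},  # directed broadcast
    {"src": "203.0.113.20", "dst": "198.51.100.1", "iface": INSIDE},    # normal outbound
    {"src": "192.0.2.99", "dst": "198.51.100.1", "iface": INSIDE},      # spoofed outbound
]


def apply_filters(packets):
    """Run every packet through the filter; returns a list of (verdict, reason)."""
    return [filter_packet(p) for p in packets]


def verdict_counts(packets):
    """Summary of how many packets were accepted and dropped."""
    return Counter(v for v, _ in apply_filters(packets))


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, apply_filters(SAMPLE_PACKETS)):
        print(f"{pkt['iface']} {pkt['src']} -> {pkt['dst']}: {verdict} ({reason})")
```

The egress rule is the one that protects other people: a network that only lets its own prefix leave cannot be used as a source of spoofed flood traffic, which is the defense the "spoofing was used to shield the identity of the attacker" observation earlier in the deck points at.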

Hope for the Future
- Increased security awareness
- Growing number of information security experts
- Growing security industry, with new and better products and services
- Growing number of public and private sector security initiatives
- New laws to facilitate investigations
- International cooperation to fight cyber crime
- Sponsor research into survivable systems that are better able to resist, recognize and recover from attacks
- Test deployment and continue research in anomaly-based and other forms of intrusion detection

Conclusions
- Denial of Service attacks remain the most lethal of all attacks that exist today.
- Millions of new unprotected hosts are added to the Internet each month; on average an unprotected host on the Internet is compromised within a few hours.
- In the near future there will be a rise in Denial of Service attacks or in complex attacks that result in Denial of Service.
- The need for enterprise-level Denial of Service protection is evident.