Securing Availability
Vrizlynn Thing

Outline
- History
- Distributed Denial of Service (DDoS) Attacks
- Mitigation Techniques: Prevention, Detection, Response
- Case Study on TRAPS

History
- Summer 1999: a new breed of attack on availability was developed, Distributed Denial of Service
- First tool developed was Trinoo
- A Trinoo network of at least 227 systems was used on August 17, 1999 to flood a single system at the University of Minnesota
- Swamped the target network with an approximate capacity of 90 Mbps, rendering it unusable for over 2 days

Attacks on Availability (1)
- In recent years, high-profile attacks over the Internet have focused on disrupting availability
- Feb 2000: Yahoo down for 3 hrs (losses: ~US$500k); Amazon down for 10 hrs (losses: US$600k); Buy.com availability dropped to 9.4%; Zdnet.com and E*Trade.com virtually unreachable
- July 2001: Code Red worm infected > 250k systems in 9 hrs and carried out flooding attacks
- Oct 2002: attack on the 13 DNS root servers (7 down and 2 badly crippled)

Attacks on Availability (2)
- Feb. 2004, Hacker threats to bookies probed, BBC Technology News
- Mar. 2005, Duo charged over DDoS for hire scam, The Register
- Mar. 2005, Dutch hackers sentenced for attack on government sites, The Register
- Apr. 2005, Rootkit Web sites fall to DDoS attack, IDG News Service
- May 2005, Extortion via DDoS on the rise, Network World
- Sept. 2005, Hackers Admit to Wave of Attacks, Wired
- Dec. 2005, Man admits to ebay DDoS attack, The Register
- Jan. 2006, Blackmailers try to black out Million Dollar Homepage, CNET News
- Jan. 2006, 'Botmaster' pleads guilty to computer crimes, Reuters
- Mar. 2006, VeriSign reports a new DDoS attack, The Inquirer
Attacks on Availability (3)
- Carried out by extortionists and business rivals
- Against websites of banking and financial companies, online gambling firms, web retailers, government, etc.
- A worldwide ISP survey by Arbor Networks in 2005 shows DDoS is the most significant operational security concern of 36 worldwide ISPs
- The CSI/FBI survey in 2004 shows viruses and DDoS are the most costly cyber-crimes

What is Denial-of-Service
- Availability: ensure that resources can be accessed by the people who should have access
- Denial-of-Service (DoS) attack: attacks launched to disrupt and deprive legitimate access to resources
[Diagram: attacker sending traffic across the Internet to the Target]

Distributed Denial-of-Service Attack
- Multiple compromised machines, Zombies
- Coordinated attack
- More powerful
- More difficult to mitigate
[Diagram: Zombie 1, Zombie 2, Zombie 3 ... Zombie N all sending traffic to the Target]

DDoS Attack Models (1)
Handler Attack Model
- Attackers communicate with the attack network through handlers
- Zombies are compromised systems used to carry out the attack
[Diagram: attacker -> Handler 1 ... Handler M -> zombies 1 ... N -> Target]
DDoS Attack Models (2)
IRC-Based Attack Model
- Attackers communicate with the attack network through IRC channels
- Advantages: the legitimate port number and the large volume of IRC traffic allow camouflaging
[Diagram: attacker -> IRC Network -> zombies 1 ... N -> Target]

Classifications of DDoS Attacks
- Resources: directed at the end target/victim
  - Network layer: targets design or implementation flaws of protocols
  - Network link: bandwidth depletion on the end target/victim's link(s)
  - End-host: targets the victim's system resources
- Routes to resources: indirect, disrupts paths to the end target/victim

TCP SYN Flood
- Exploits the TCP handshaking procedure
- Attack hosts (Zombies) spoof source IP addresses
- Server's resources are tied up while waiting for the ACK packet
[Diagram: TCP 3-way handshake between Zombie/Client A and Server B: SYN A; SYN B + ACK A; the final ACK B is never sent (marked X), so the server's half-open connection count keeps rising (+1, +1)]

UDP Flood
- User Datagram Protocol: connectionless
- Attack by sending a large number of UDP packets to random ports of the target
- Spoof source IP addresses in attack packets
- For each packet, the target checks what service is listening on the destination port
- If nothing, it returns a message notifying destination unreachable
- How to prevent and mitigate the attack?
ICMP Flood
- Internet Control Message Protocol
- ICMP Echo Request message = ping packet
- Send a large number of them to the target
- Spoof source IP addresses
- Target handles the requests by sending replies
- Overwhelms processing and bandwidth resources
- Prevention? Mitigation?
- Spoofed addresses + replies = further exploit?

Reflection attack (1)
- Makes use of request/reply protocols
- Spoof the victim's source IP address in legitimate requests to servers (e.g. TCP SYN or DNS)
- Overwhelm the victim with replies

Reflection attack (2)
[Diagram source: www.grc.com]

DNS attack
- Domain Name System: distributed database system for mapping hostnames to IP addresses
- Attack involves sending bogus requests to flood servers
- In Oct. 2002, DNS attack against all 13 root servers
- Lasted for an hour, bringing down 7
Border Gateway Protocol (BGP)
- Inter-autonomous system routing protocol (e.g. for ISPs)
- Apr. 1997, AS7007 incident: a misconfigured router flooded the Internet with incorrect advertisements announcing AS7007 as the origin of the best route to essentially the entire Internet
- AS7007 became a major traffic sink and disrupted reachability to many networks for hours
- Similar events in Apr. 1998 and Apr. 2001
- DoS but not an attack?
- How easy is it to compromise a BGP router? And BGP session hijacking?

DDoS Mitigation
- Prevention: guard against attacks having any effect on the target
- Detection: trigger an alarm for an on-going attack
- Response: take actions to alleviate the damaging effects caused by the attack and identify attackers to institute accountability

DDoS Prevention (1)
- Egress filtering: prevent source address spoofing by filtering traffic from the Internet to customer sites with illegitimate source addresses
- Ingress filtering: remove any traffic from customer sites to the Internet with invalid source addresses
- Foolproof? Proposed in the year 2000, but a study by MIT last year shows spoofing remains a serious security concern. Why?

DDoS Prevention (2)
- Block access to all non-service ports (e.g. unallocated port numbers, services deemed potentially harmful or not used)
- Examples: ICMP echoes, ports used for propagation by known attacks, etc.
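The two filter directions on the prevention slide, applied to constructed packets at an ISP edge. This is an added example, not code from the slides: the customer prefix, the sample packets and the list of reserved ranges that can never be valid Internet sources are assumptions of the example.

```python
# Added example (not from the slides): ingress and egress source-address filtering
# as defined on the slide. Customer prefix, reserved ranges and sample packets are
# constructed for illustration.
import ipaddress

CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]   # constructed customer assignment
RESERVED = [ipaddress.ip_network(p) for p in (                   # assumed never-valid Internet sources
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_permit(src: str) -> bool:
    """Customer -> Internet: only sources that belong to the customer may leave."""
    return _in_any(ipaddress.ip_address(src), CUSTOMER_PREFIXES)


def egress_permit(src: str) -> bool:
    """Internet -> customer: a packet whose source claims to be the customer itself,
    or a reserved range, cannot legitimately arrive from the Internet."""
    addr = ipaddress.ip_address(src)
    return not _in_any(addr, CUSTOMER_PREFIXES) and not _in_any(addr, RESERVED)


def filter_packets(packets):
    """packets: (direction, src, dst); direction is 'in' (arriving from the customer)
    or 'out' (arriving from the Internet, headed to the customer)."""
    decisions = []
    for direction, src, dst in packets:
        ok = ingress_permit(src) if direction == "in" else egress_permit(src)
        decisions.append((direction, src, dst, "forward" if ok else "drop"))
    return decisions


# Constructed sample: a genuine customer host, a customer host spoofing an outside
# address, an outside host, an outside host spoofing a customer address, and an
# outside packet with a private source.
SAMPLE = [
    ("in", "198.51.100.7", "203.0.113.9"),
    ("in", "203.0.113.50", "203.0.113.9"),
    ("out", "203.0.113.9", "198.51.100.7"),
    ("out", "198.51.100.7", "198.51.100.8"),
    ("out", "10.1.1.1", "198.51.100.7"),
]

if __name__ == "__main__":
    for decision in filter_packets(SAMPLE):
        print(*decision)
```

Note what the filter cannot do: a host inside the customer prefix can still forge any other address within that prefix, and a network that does not deploy the filter at all lets any source through. That gap is why the slide asks whether the scheme is foolproof.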
DDoS Prevention (3)
SYN cookies
- Server returns a SYN/ACK packet with sequence number n computed as follows:
  - First 5 bits: t mod 32 (t is a counter incremented every 64 secs)
  - Next 3 bits: encoded value representing m (m is the Maximum Segment Size value the server would otherwise store in the SYN queue entry)
  - Final 24 bits: s, the result of a secret cryptographic function computed over server IP address and port, client IP address and port, and t
- Server reconstructs the needed information from the client's ACK sequence number, n+1, to establish the connection

DDoS Detection (1)
TCP SYN Flood Detection
- Based on the protocol behaviour of TCP SYN-FIN (RST) pairs
- Anomaly detected when an abrupt rise occurs in the difference between the counts of SYN and FIN/RST packets
[Diagram source: Detecting SYN Flooding Attacks paper by H. Wang et al.]

DDoS Detection (2)
D-WARD
- Detects outgoing DDoS attacks
- Source-end deployment
- Per-destination and per-connection statistics gathering at the exit routers of own network
- Observes and detects non-responsive foreign hosts (aggressive sending rate coupled with low response rate)
- Defines thresholds for TCP, ICMP and UDP applications
- Attack detected if a threshold is exceeded

DDoS Detection (3)
MULTOPS
- Monitors disproportional packet rates to or from hosts and subnets
- Uses a tree-shaped data structure to collect statistics
- 4-level tree (256 entries per table) to cover the entire IPv4 address space
- Each entry contains 3 fields (to-rate, from-rate and a pointer to a node in the next level of the tree)
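The SYN cookie layout from the prevention slide, generated and then validated from the client's ACK. This is an added example, not the slides' or any kernel's code: the 3-bit MSS table, HMAC-SHA256 as the secret function, and accepting the current and previous counter value are assumptions of the example.

```python
# Added example (not from the slides): SYN cookies with the 5/3/24-bit layout
# described above. MSS table, HMAC choice and staleness window are assumed.
import hashlib
import hmac
import socket
import struct

MSS_TABLE = [536, 1300, 1440, 1460]   # assumed 3-bit MSS encoding: index -> MSS
MASK32 = 0xFFFFFFFF


def encode_mss(mss: int) -> int:
    """Index of the largest table entry not exceeding the client's announced MSS."""
    return next((i for i in range(len(MSS_TABLE) - 1, -1, -1) if MSS_TABLE[i] <= mss), 0)


def secret_function(secret, client_ip, client_port, server_ip, server_port, t) -> int:
    """s: 24 bits of an HMAC over (server addr/port, client addr/port, t)."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(server_ip), server_port,
                      socket.inet_aton(client_ip), client_port, t & MASK32)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def syn_cookie(secret, client_ip, client_port, server_ip, server_port, t, client_mss) -> int:
    """Sequence number n placed in the SYN/ACK; the server stores nothing."""
    t5 = t & 0x1F                     # t mod 32
    m3 = encode_mss(client_mss)       # 3-bit MSS code
    s = secret_function(secret, client_ip, client_port, server_ip, server_port, t)
    return (t5 << 27) | (m3 << 24) | s


def check_ack(secret, client_ip, client_port, server_ip, server_port, now, ack_number):
    """Validate the client's ACK (ack = n + 1). Returns the recovered MSS, or None
    if the cookie is forged or older than the accepted window."""
    n = (ack_number - 1) & MASK32
    t5, m3, s = n >> 27, (n >> 24) & 0x7, n & 0xFFFFFF
    for t in (now, now - 1):          # accept the current and the previous counter value
        if t < 0 or (t & 0x1F) != t5:
            continue
        expected = secret_function(secret, client_ip, client_port, server_ip, server_port, t)
        if hmac.compare_digest(s.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[m3]
    return None


if __name__ == "__main__":
    key = b"constructed-secret"
    n = syn_cookie(key, "10.0.0.5", 40000, "192.0.2.10", 80, 1000, 1460)
    print(hex(n), check_ack(key, "10.0.0.5", 40000, "192.0.2.10", 80, 1001, (n + 1) & MASK32))
```

Because the only state is the secret and the counter, a flood of half-open SYNs costs the server nothing beyond computing the HMAC; the price is that the cookie can carry only the MSS, not the other TCP options a normal SYN queue entry would hold.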
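The SYN-FIN pair detection on the detection slide, run over constructed per-interval counts. This is an added example and not the slides' or the Wang et al. code: it uses a non-parametric CUSUM over the normalised SYN minus FIN/RST difference, and the drift, threshold and sample counts are chosen for illustration.

```python
# Added example (not from the slides): CUSUM on the normalised SYN - FIN/RST
# difference per observation interval. Drift, threshold and samples are assumed.

def normalised_difference(syn: int, fin_rst: int) -> float:
    """(SYN - FIN/RST) / FIN/RST: near 0 in steady state, large under a flood."""
    return (syn - fin_rst) / max(fin_rst, 1)


def syn_flood_cusum(samples, drift=1.0, threshold=6.0):
    """samples: (syn_count, fin_rst_count) per interval.
    Returns (cusum_value, alarm) per interval; alarm is True once the
    accumulated positive excursion exceeds the threshold."""
    y = 0.0
    out = []
    for syn, fin_rst in samples:
        x = normalised_difference(syn, fin_rst) - drift   # negative mean in normal traffic
        y = max(0.0, y + x)                               # accumulate only positive excursions
        out.append((round(y, 2), y > threshold))
    return out


def first_alarm(samples, **kw):
    """Index of the first interval that raises an alarm, or None."""
    for i, (_, alarm) in enumerate(syn_flood_cusum(samples, **kw)):
        if alarm:
            return i
    return None


# Constructed counts: five quiet intervals, then a SYN flood in which SYNs climb
# while FIN/RST counts stay flat (half-open connections are never closed).
SAMPLES = [(100, 98), (105, 104), (98, 99), (110, 108), (102, 101),
           (600, 100), (900, 95), (1200, 90)]

if __name__ == "__main__":
    for i, row in enumerate(syn_flood_cusum(SAMPLES)):
        print(i, SAMPLES[i], row)
```

Normalising by the FIN/RST count keeps the statistic independent of the link's absolute traffic level, which is what lets an abrupt rise stand out against a busy but healthy server.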
DDoS Detection (4)
MULTOPS
[Diagram source: MULTOPS: a data-structure for bandwidth attack detection paper by Thomer M. Gil et al.]

Responses to DDoS (1)
Traceback
- 2 addresses in IP packets: Source and Destination
- Destination address: used by the routing architecture to deliver the packet
- Source address: used by the destination to determine from whom the packet came
- Problem: no entity is responsible for verifying the correctness of the source address (similar to the postal service)

Responses to DDoS (2)
Traceback: IP Marking
- Intermediate routers mark IP packets with information on the path they traverse
- Probabilistic approach
- Uses the 16-bit IP Identification field
- Encodes path information using hashing schemes
- Target of the attack collects the information and computes to identify the source of the attack by decoding
- Disadvantages?
[Diagram: attack path, with path information encoded in the identification field. Source: Practical network support for IP Traceback paper by Stefan Savage et al.]
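A small MULTOPS-style tree for the detection slides above: a 4-level tree of 256-entry tables, each entry holding a to-rate, a from-rate and a pointer to the next level, fed with constructed traffic. This is an added example, not the slides' or the paper's code; the expansion threshold, the disproportion ratio and the minimum packet count are assumptions.

```python
# Added example (not from the slides or the MULTOPS paper): a 4-level tree of
# 256-entry tables (/8, /16, /24, /32). Thresholds below are assumed.

EXPAND_AT = 50      # packets on an entry before its prefix gets a finer table (assumed)
RATIO = 3.0         # to:from or from:to imbalance that flags a prefix (assumed)
MIN_PACKETS = 20    # ignore prefixes with too little traffic to judge (assumed)


def octets(ip):
    return [int(o) for o in ip.split(".")]


class Table:
    """One 256-entry table; depth 0 covers /8 prefixes, depth 3 single hosts."""
    def __init__(self, depth):
        self.depth = depth
        self.entries = [[0, 0, None] for _ in range(256)]   # [to, from, child]


class Multops:
    def __init__(self):
        self.root = Table(0)

    def packet(self, src, dst):
        """Count one packet: 'to' along the destination path, 'from' along the source path."""
        self._count(self.root, octets(dst), 0)
        self._count(self.root, octets(src), 1)

    def _count(self, table, octs, field):
        entry = table.entries[octs[table.depth]]
        entry[field] += 1
        # Expand the entry into a finer table once it carries enough traffic
        if entry[2] is None and table.depth < 3 and entry[0] + entry[1] >= EXPAND_AT:
            entry[2] = Table(table.depth + 1)
        if entry[2] is not None:
            self._count(entry[2], octs, field)

    def disproportional(self):
        """(prefix, to, from) for every entry whose two rates are out of balance."""
        found = []
        self._scan(self.root, [], found)
        return found

    def _scan(self, table, path, found):
        for idx, (to, frm, child) in enumerate(table.entries):
            if to + frm == 0:
                continue
            if max(to, frm) >= MIN_PACKETS and max(to, frm) / max(min(to, frm), 1) > RATIO:
                full = path + [idx] + [0] * (3 - table.depth)
                found.append((".".join(map(str, full)) + f"/{8 * (table.depth + 1)}", to, frm))
            if child is not None:
                self._scan(child, path + [idx], found)


def run_demo():
    """Constructed traffic: a balanced exchange between two hosts, then a flood
    towards 192.0.2.10 from many sources that 192.0.2.10 answers only sparsely."""
    m = Multops()
    for _ in range(50):
        m.packet("10.0.0.1", "10.0.0.2")
        m.packet("10.0.0.2", "10.0.0.1")
    for i in range(300):
        m.packet(f"203.0.113.{i % 250 + 1}", "192.0.2.10")
    for _ in range(20):
        m.packet("192.0.2.10", "203.0.113.1")
    return m.disproportional()


if __name__ == "__main__":
    for row in run_demo():
        print(*row)
```

The balanced pair never shows up because its to and from counts track each other at every level, while the flooded host is flagged from the /8 root down to its /32 entry; the counts at deeper levels are smaller only because those tables are created on demand once the coarser entry crosses the expansion threshold.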
Traceback: IP Marking
- Each router computes a 32-bit hash of its address
- 64-bit bit-interleave: odd bits = original address, even bits = hash
- With some probability, a router marks a packet with a fragment and sets distance to 0
- The next router XORs its corresponding fragment into the edge-id field if distance is 0, and increments distance
[Diagram source: Practical network support for IP Traceback paper by Stefan Savage et al.]

Traceback: IP Marking Example
- R3 (IP address 211.126.2.59, hash address 136.41.5.89) decides to mark the packet with its 3rd fragment
- 211.126.2.59 = 11010011.01111110.00000010.00111011
- 136.41.5.89 = 10001000.00101001.00000101.01011001
- Bit-interleave = 11100010.01001010.00101110.11101001.00000000.00011001.00011011.11001011
- R3's 3rd fragment is 00101110
- R3 writes 010.00000.00101110 into the ID field
- Assuming R2's 3rd fragment is 11101111, R2 changes the ID field to 010.00001.11000001
- If R1 decides not to mark, it just increments distance
- Victim sees the ID field as 010.00010.11000001

Traceback: IP Marking
- Victim collects all the fragments for the edges
- Edge ID with distance 0 carries R1's address
- Performs the hash of the odd bits of the edge id and compares it with the even bits to check that the marking info was not corrupted
- XOR the edge id with the next uplink's to get the previous router's address
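The marking example above, carried through in code with the slide's own numbers. This is an added example, not the slides' or the Savage et al. code. It reads the 16-bit ID field as fragment offset (3 bits), distance (5 bits) and edge fragment (8 bits), which is the layout the slide's 010.00000.00101110 notation shows; R3's "hash" is simply the value the slide gives (136.41.5.89), R2's third fragment is the slide's assumed 11101111, and R1's fragments are a constructed placeholder that is never read because R1 only increments the distance.

```python
# Added worked example (not from the slides or the paper): edge-fragment marking
# with the slide's numbers. ID field = offset(3) . distance(5) . fragment(8).

def ip_to_bits(ip: str) -> str:
    return "".join(f"{int(o):08b}" for o in ip.split("."))


def bits_to_ip(bits: str) -> str:
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def bit_interleave(addr_bits: str, hash_bits: str) -> str:
    """64-bit edge id: odd positions hold the address bits, even positions the hash bits."""
    return "".join(a + h for a, h in zip(addr_bits, hash_bits))


def fragments(edge_bits: str) -> list:
    """Eight 8-bit fragments of the 64-bit edge id."""
    return [edge_bits[i:i + 8] for i in range(0, 64, 8)]


def encode_id(offset: int, distance: int, frag: int) -> int:
    return (offset << 13) | (distance << 8) | frag


def decode_id(ident: int):
    return ident >> 13, (ident >> 8) & 0x1F, ident & 0xFF


def mark(offset: int, my_fragments: list) -> int:
    """Router decides to mark: write its fragment at `offset` with distance 0."""
    return encode_id(offset, 0, int(my_fragments[offset], 2))


def forward(ident: int, my_fragments: list) -> int:
    """Router decides not to mark: XOR its fragment in if the edge just started
    (distance 0), then increment the distance (saturating at 31)."""
    offset, distance, frag = decode_id(ident)
    if distance == 0:
        frag ^= int(my_fragments[offset], 2)
    return encode_id(offset, min(distance + 1, 31), frag)


def check_edge(edge_bits: str, hash_of) -> bool:
    """Victim's integrity check: hash of the odd (address) bits must equal the even bits."""
    return hash_of(bits_to_ip(edge_bits[0::2])) == bits_to_ip(edge_bits[1::2])


def recover_fragment(edge_frag: int, uplink_frag: int) -> int:
    """XOR the received edge fragment with the closer router's fragment to get the farther one's."""
    return edge_frag ^ uplink_frag


def slide_walkthrough() -> dict:
    r3_addr, r3_hash = "211.126.2.59", "136.41.5.89"   # values from the slide
    r2_third = "11101111"                                # the slide's assumption for R2
    r1_frags = ["00000000"] * 8                          # placeholder: R1 does not mark
    edge = bit_interleave(ip_to_bits(r3_addr), ip_to_bits(r3_hash))
    r3_frags = fragments(edge)
    r2_frags = ["00000000"] * 8
    r2_frags[2] = r2_third                               # only R2's 3rd fragment is given
    after_r3 = mark(2, r3_frags)              # R3 marks with its 3rd fragment (offset 2)
    after_r2 = forward(after_r3, r2_frags)    # R2 XORs its fragment in, distance -> 1
    at_victim = forward(after_r2, r1_frags)   # R1 only increments, distance -> 2
    _, distance, frag = decode_id(at_victim)
    return {
        "edge_id": edge, "r3_fragments": r3_frags,
        "after_r3": after_r3, "after_r2": after_r2, "at_victim": at_victim,
        "distance": distance,
        "recovered_r3_fragment": f"{recover_fragment(frag, int(r2_third, 2)):08b}",
        "edge_ok": check_edge(edge, lambda ip: {"211.126.2.59": "136.41.5.89"}[ip]),
    }


if __name__ == "__main__":
    for key, value in slide_walkthrough().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The victim needs enough marked packets to see every one of the eight offsets for each edge, which is why the scheme only works against a sustained flood and why the hash half of the interleave matters: without it, fragments from different routers that happen to share an offset could be combined into a fictitious address.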
Responses to DDoS (3)
Traceback: ICMP Traceback
- New ICMP message type: ICMP Traceback (ITrace)
- Out-of-band messaging (no modification to the original data packets)
- Probabilistic generation of ITrace messages for data packets at intermediate routers
- ITrace messages sent to the target of the attack (i.e. the victim)

Responses to DDoS (5)
Traceback: ICMP Traceback
- Contents of the ITrace message include information on the back and forward links of the intermediate router and a signature of the original data packet
- Victim reconstructs the attack path based on the ITrace messages received
- Disadvantages?

Responses to DDoS (6)
- Filtering: drop all attack packets
  - Used when it is possible to differentiate between attack and legitimate packets
  - Otherwise it will result in a self-inflicted DoS
- Rate Limiting: decrease traffic suspected to be malicious to prevent the victim from being totally overwhelmed
  - Eases the impact of the damage

Responses to DDoS (7)
Client Puzzles
[Diagram: client/server exchange showing the service request, the client's puzzle response R, the server's O.K. and the server buffer. Source: Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks by A. Juels et al.]
Responses to DDoS (8)
Client Puzzles
- Server assigns unique client puzzles to each client making a connection request
- Resources are allocated only to clients with correctly solved puzzles
- Attacker is forced to commit considerable resources
- Constructing puzzles?
[Diagram source: Client Puzzles as a Defense Against Network Denial of Service by Deanna Koike]

Case Study
Traffic Redirection Attack Protection System (TRAPS)
- Attack detection based on resource usage pattern monitoring, with threshold levels to indicate severity
- Suspicious traffic is rate limited based on the current attack severity level
- Victim performs virtual relocation and informs suspicious users (i.e. virtually moves to a new address)

TRAPS
1. Reconfigure at the Victim. Since traffic is coming from clients, inform them to send subsequent traffic based on the Victim's new configuration.
2. At Gateways (GWs, i.e. entrance points to the network) and intermediate Routers, filter off incoming packets with no knowledge of the Victim's new configuration.
[Diagram: attackers using spoofed source addresses to attack the Victim, Legitimate Clients, GWs, Routers and the Victim]

Traffic Redirection Attack Protection System (TRAPS)
- No changes to the Internet infrastructure due to the usage of IP mobility protocols
- Zero false positives when using filtering
- Ensures the ability to handle services for legitimate users during attacks
- Guarantees communication of the signals required for mitigation during attacks
- Ability to mitigate brute-force flooding attacks
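One answer to the "Constructing puzzles?" question on the client puzzle slides. This is an added example, not the slides' or the Juels-Brainard construction itself: it uses a hashcash-style partial pre-image puzzle in which the server derives each puzzle from a secret, the client identity and a time slot, so it holds no per-request state until a correct solution arrives. The difficulty, the 64-bit solution width and the one-slot expiry window are assumptions of the example.

```python
# Added example (not from the slides or the paper): a stateless partial pre-image
# client puzzle. Difficulty, solution width and expiry window are assumed.
import hashlib
import hmac

DIFFICULTY_BITS = 12   # assumed: about 4096 hash trials per puzzle on average


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_puzzle(server_secret: bytes, client_id: str, time_slot: int) -> bytes:
    """Puzzle nonce returned to the client instead of allocating a buffer;
    it can be recomputed later, so nothing is stored per pending request."""
    tag = f"{client_id}|{time_slot}".encode()
    return hmac.new(server_secret, tag, hashlib.sha256).digest()[:16]


def solve_puzzle(nonce: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: search for x such that H(nonce || x) has `bits` leading zero bits."""
    x = 0
    while leading_zero_bits(hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()) < bits:
        x += 1
    return x


def accept_request(server_secret: bytes, client_id: str, time_slot: int,
                   current_slot: int, x: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: reject stale slots, recompute the nonce and check the solution.
    Only a True result leads to resources being allocated for this client."""
    if current_slot - time_slot > 1:          # puzzles expire after one slot (assumed window)
        return False
    nonce = issue_puzzle(server_secret, client_id, time_slot)
    digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits


if __name__ == "__main__":
    key = b"constructed-server-secret"
    nonce = issue_puzzle(key, "10.0.0.5:40000", 100)
    x = solve_puzzle(nonce)
    print(x, accept_request(key, "10.0.0.5:40000", 100, 100, x))
```

The asymmetry is the point: the client pays roughly 2^bits hash evaluations per connection while the server pays one HMAC and one hash, and the difficulty can be raised as the server's load grows so that a flood of requests has to bring a proportionate amount of CPU with it.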
TRAPS
[Diagram: attack sources A1 - A200 and legitimate nodes N1 - N100 attached to routers R1 - R10 around the victim V; attack traffic is redirected to and filtered off at a proxy]

Summary
- Attacks on availability have escalated to become one of the most serious and expensive network security problems of today
- Main reasons: flaws in protocol and software designs and implementations, the widespread availability of attack tools, and monetary gains for extortionists and business rivals
- Successful attack mitigation requires efficient and effective prevention, detection and response techniques

References
- Haining Wang, Danlu Zhang, and Kang G. Shin, "Detecting SYN flooding attacks", IEEE INFOCOM, 2002.
- Jelena Mirkovic, "D-WARD: DDoS Network Attack Recognition and Defence", PhD Thesis, Computer Science Department, University of California, Los Angeles, Jun. 2003.
- Thomer M. Gil and Massimiliano Poletto, "MULTOPS: a data-structure for bandwidth attack detection", 10th USENIX Security Symposium, Feb. 2001.
- Stefan Savage, et al., "Practical Network Support for IP Traceback", ACM SIGCOMM, Aug. 2000.
- Steve Bellovin, Marcus Leech, and Tom Taylor, "ICMP Traceback Messages", IETF Internet Draft, Version 4, Feb. 2003 (work in progress).
- Ari Juels and John Brainard, "Client puzzles: A cryptographic countermeasure against connection depletion attacks", Networks and Distributed Security Systems, Feb. 1999.
- Vrizlynn L. L. Thing, Henry C. J. Lee, and Morris Sloman, "Traffic Redirection Attack Protection System (TRAPS)", IFIP International Information Security Conference (SEC), May 2005, Makuhari-Messe, Chiba, Japan, Springer-Kluwer.